Monday, November 30, 2009

Mobile Communications Security Symposium

REGISTER ASAP - The Capitol College Innovation and Leadership Institute will host the Mobile Communications Security Symposium on December 4, 2009 from 8 a.m. to 12 p.m., on campus, in the Avrum Gudelsky Memorial Auditorium. There is no cost to attend this event. To learn more about the program and the speakers, please visit

To register for the symposium:

Send an email to
Subject: Register, Mobile Comm. Security Symposium


Wednesday, November 25, 2009

Marcus' Mailbag: Policy, Enforcement, and Monitoring

I received the following email on Commercial vs. Open Source, Policy, Enforcement, and Security Monitoring. I'm posting this email in order to share some of the views. It could be perceived as a bit of a rant, but I'm posting it below because it could spark some thought and conversation. Let me know what you think. If you have problem with the grammar, please rely on context clues. _MJC_ :)

=-=-=-=- BEGIN E-MAIL -=-=-=-=

In the Network security field they are vendors that sell products. They claim the products will catch the bad guys, disassemble malware and save the world. All we need to do is buy their products.

Then they are those Open Source vendors that sell support of some open source tool like Clam AV or Snort all we need to do is use it right and we are safe and they sell themselves as consultants. This model for doing business is not new, In the Financial services industry you have those who claim to be financial planners and when you go and see them they do a budget workup with you and then sell you commission based products like life or medical insurance. Then you have those who claim to be fee based financial planners (much like the open source pimps) and sell you things like Term insurance or no load mutual funds you supposedly pay for their expertise.

The problem with these approaches is they are PRODUCT based. The real solution is a mindset and action to get the desired results not some product Open Source or otherwise.

Network Security is not brain surgery. You need policy, enforcement and monitoring. If those 3 are not done then things break down.

Policy that is not enforced is useless, it's just as bad as if there was no policy at all. In fact if you have a policy you are lured into a sense of false security. If there is no Policy users know they are left to fend for themselves. At [ XYZ ] we don't have a problem in areas like Europe where privacy laws demand they users not be monitored or punished for breaking policy. It's the areas where we have the strictest policies that we have problems.

Enforcement - If policies are not enforced then it is useless. Same with dealing with problem areas of the network. If management turns a blind eye towards tunneling and insists on using systems that are not locked down. Giving most users admin rights and walking on egg shells and not going after employees equally for violations you will never secure the network.

Monitoring - I know a few companies we work with and problems arise and you find out that they have a special internet connection that is not being monitoring. They have this special RESEARCH network they can surf porn on. They tether their laptops with their Blackberries or use a SSL tunnel to do whatever they want on the network. Especially in the technical companies the very ones that should be examples and protecting their networks are doing these things. I have seen individuals have their IP addresses Whitelisted so they could watch movies all day claiming they are doing company business then we all wonder how malware got on the network.

Products do not protect or defend the real network. They point out the obvious and until someone pokes their finger at the sore and lets the world know they need to change network security is a charade. Even DojoSec with it open source pimps is not making things better unless it goes after the above mentioned issues.

That's my 2 cents...

=-=-=-=- END E-MAIL -=-=-=-=

Tuesday, November 24, 2009

Virtualization is Great for Forensics

The rumblings suggesting that "The Cloud" and Virtualization is an enormous hindrance to digital investigations are exaggerated. These claims sound like scare tactics to me, I think virtualization makes incident response to computer crime much more efficient. The goal of incident response is to preserve as much information as possible. Software such as Live View from CERT is great because it allows investigators to boot disk images.

Virtualization is cutting out the middle man here, as an investigator I'd rather have a virtual machine instead of a disk image. Virtual machine copies provided by service providers provide a "self contained crime scene", since the virtual machine is frozen in time including the memory. At DojoCon 2009, Richard Bejtlich shared a story were investigators responded to an incident working with a Cloud Provider and were greeted with a shrink wrapped crime scene.

Anyone who as ever used a product such as VMware may have copied and moved images, this is a good thing. It seems that when some are dedicated to screaming about problems, they may be ignoring a great solution staring them right in the face.


Monday, November 23, 2009

Google Hacking Renders Redaction Futile

Lately, I've been looking at tons of SQL injections and SWF login blog posts and screen captures. I notice most hackers attempt to redact the compromised URLs. However, in most cases there is enough information from the screen captures to find the sites.

The attempt to redact the information is an attempt to protect the innocent. The latest instance of this was a blog post on a Symantec SQL Injection that yielded tons of information including serials and passwords. The image below is a screen capture posted within the blog post.

Next, I visit Google and type: intitle:Teacher Sima

This is just basic Google Hacking here, nothing advanced. This is something I've been instinctively doing when I see something like this.

So the question is "Why redact?"