Best Practices for Mitigating Advanced Persistent Threats – On Demand Video


My keynote from last year at Ahnlab’s 2013 Security Fair. The presentation title is “Best Practices for Mitigating Advanced Persistent Threats”.

I was completely surprised that this got so many hits. But I guess it is a popular subject.



California needs to mandate men’s public urinals to be water-free!

Ok, I just got done reading that California is facing even more pressure to save water. The best thing I think the state could do is mandate the replacement of all men’s urinals with the latest water-free technologies. The stats I have seen say that each one can save on average 40,000 gallons a year under normal office building use. I can’t imagine why this wouldn’t be something that gets mandated immediately, and NO grandfathering please!


Got this on FB and thought it was hilarious.

“Dear Tech Support:
Last year I upgraded from Girlfriend 7.0 to Wife 1.0. I soon noticed that the new program began unexpected child processing that took up a lot of space and resources. In addition, Wife 1.0 installed itself into all other programs and now monitors all other system activity. Applications such as Poker Night 10.3, Football 5.0, HuntingAndFishing 7.5, and Racing 3.6. I can’t seem to keep Wife 1.0 in the background while attempting to run my favorite applications. I’m thinking about going back to Girlfriend 7.0, but the uninstall doesn’t work on Wife 1.0. Please help!
Thanks …Troubled User”
“Dear Troubled User:
This is a very common problem. Many people upgrade from Girlfriend 7.0 to Wife 1.0, thinking that it is just a Utilities and Entertainment program. Wife 1.0 is an OPERATING SYSTEM and is designed by its Creator to run EVERYTHING!!! It is also impossible to delete Wife 1.0 and to return to Girlfriend 7.0. It is impossible to uninstall, or purge the program files from the system once installed. You cannot go back to Girlfriend 7.0 because Wife 1.0 is designed not to allow this. Look in your Wife 1.0 manual under Warnings-Alimony-Child Support. I recommend that you keep Wife 1.0 installed and work on improving the configuration. I suggest installing the background application YesDear 99.0 to alleviate software augmentation.
The best course of action is to enter the command C:\APOLOGIZE because ultimately you will have to do this before the system will return to normal anyway.
Wife 1.0 is a great program, but it tends to be very high maintenance. Wife 1.0 comes with several support programs, such as CleanAndSweep 3.0, CookIt 1.5 and DoBills 4.2. However, be very careful how you use these programs. Improper use will cause the system to launch the program NagNag 9.5. Once this happens, the only way to improve the performance of Wife 1.0 is to purchase additional software. I recommend Flowers 2.1 and Diamonds 5.0, but beware because sometimes these applications can be expensive.
WARNING!!! DO NOT, under any circumstances, install SecretaryWithShortSkirt 3.3. This application is not supported by Wife 1.0 and will cause irreversible damage to the operating system. 
WARNING!!! Attempting to install NewGirlFriend 8.8 along with Wife 1.0 will crash the system.
(see Wife 1.0 manual, Apologize, High Maintenance & Secretary with Short Skirt)”


[ISN] How did the RCMP crack BlackBerry’s security?

Forwarded from: security curmudgeon

On Fri, 13 Jun 2014, InfoSec News wrote:

: By Vito Pilieci
: June 12, 2014
:
: BlackBerry Ltd. has long held that its BlackBerry devices are among the most
: secure in the world, but it turns out the platform isn't as bulletproof as
: many had been led to believe.

[..]

: PIN-to-PIN messages are encrypted with what is known as Triple Data Encryption
: Standard (DES) encryption technology, which is among the best in the world.

This sentence can be summed up in a simple Tumblr post.


Optimized Squid.conf for

Below is my most current squid.conf configuration. The hit rate is quite good after running for only half a week. Below are my latest byte hit rate stats, along with some pretty effective refresh patterns that have caused no discovered disruptions to web content operation.

Byte Hit Ratio @ shadow (statistics last updated Tuesday, 17 June 2014 at 10:51)

'Daily' graph (5-minute average):

                            Max      Average   Current
Median Hit Ratio (5 min)    77.0 %   36.0 %    4.0 %
Median Hit Ratio (60 min)   71.0 %   20.0 %    10.0 %

'Weekly' graph (30-minute average):

                            Max      Average   Current
Median Hit Ratio (5 min)    73.0 %   37.0 %    25.0 %
Median Hit Ratio (60 min)   61.0 %   18.0 %    0.0 %


Start squid config:

#Recommended minimum configuration:
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src                # RFC1918 possible internal network (address list not preserved on the page; Squid needs at least one network here)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 1-65535     # every port counts as "safe"; no http_access rule below uses it anyway
acl CONNECT method GET POST HEAD CONNECT PUT DELETE   # named CONNECT but matches most methods; unused below
#acl block-fnes urlpath_regex -i .*/fnes/echo
acl noscan dstdomain            # domain list not preserved on the page

# Inner mp(...) group reconstructed: the page's copy had an unbalanced parenthesis, which Squid would not compile.
acl video urlpath_regex -i \.(m2a|avi|mov|mpeg|mpg|mp(a|e|1|2|3|4)|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3gp|3gpp|omg|ogm|asf|asx|wmv|m3u8|flv|ts)

# Recommended minimum Access Permission configuration:
# (the default manager/localhost rules are not present in this file)

no_cache deny noscan
always_direct allow noscan
always_direct allow video

# Deny requests to certain unsafe ports
# Deny CONNECT to other than secure SSL ports
# (no Safe_ports / SSL_ports rules are applied below)

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#cache_peer parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# Every client that can reach the listener may use the proxy. Behind an
# intercept port that is only whoever the firewall redirects here; if the
# port is reachable from untrusted networks this is an open proxy. The usual
# shape is "http_access allow localnet" followed by "http_access deny all".
http_access allow all

# Squid normally listens to port 3128
http_port intercept             # port number not preserved on the page (e.g. "http_port 3128 intercept")

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 999 MB
cache_dir aufs /ssd/squid/cache0 90000 64 1024

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
# The first refresh_pattern whose regex matches the URL wins, so order matters.
# ignore-private / ignore-auth / ignore-no-store on a shared cache: a response
# generated for one (possibly authenticated) user is stored and can be served
# to the next client requesting the same URL. Keep these off unless the matched
# objects are known to be public. override-expire likewise keeps an object for
# the "min" age given here (220000 minutes is about 153 days) regardless of the
# Expires header the origin sent.
refresh_pattern -i \.(jpg|gif|png|webp|jpeg|ico|bmp|tiff|bif|ver|pict|pixel|bs)$ 220000 90% 300000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i \.(js|css|class|swf|wav|dat|zsci|do|ver|advcs|woff|eps|ttf|svg|svgz|ps|acsm|wma)$ 220000 90% 300000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims reload-into-ims
# .crl here means certificate revocation lists are held for up to 259200 minutes
# (180 days) regardless of the lifetime the CA set; a revoked certificate stays
# trusted by clients behind this cache until the cached copy ages out.
refresh_pattern -i \.(html|htm|crl)$ 220000 90% 259200 override-expire ignore-no-store ignore-private ignore-auth refresh-ims reload-into-ims
refresh_pattern -i \.(xml|flow)$ 0 90% 100000 reload-into-ims
refresh_pattern -i \.(json)$ 1440 90% 5760 reload-into-ims
# Host part of this pattern not preserved on the page; as written the regex
# does not compile, so Squid logs an error and skips the rule.
refresh_pattern -i ^http:\/\/*\(zip)$ 0 0% 0
refresh_pattern -i \.(cab|exe|ms[iuf]|asf|wma|dat|zip)$ 220000 80% 259200 reload-into-ims
# exe, zip, cab, msi and crl are already caught by the rules above; this rule
# only reaches the remaining types.
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz|bz2|ipa|bz|ram|rar|uxx|gz|crl|msi|dll|hz|cab|psf|vidt|apk|wtex|ipsw)$ 220000 90% 500000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i \.(ppt|pptx|doc|docx|pdf|xls|xlsx|csv|txt)$ 220000 90% 259200 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i ^ftp: 66000 90% 259200
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i . 0 90% 300000
log_icp_queries off
icp_port 0
htcp_port 0
# SNMP with the default "public" community and no source restriction: anyone
# who can reach UDP 3401 can read cache statistics and configuration values.
# Limit snmp_access to a monitoring host (an acl by src) or leave snmp_port at 0.
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic all
minimum_object_size 0 KB
buffered_logs on
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/
vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_header_max_size 256 KB
half_closed_clients off
max_filedesc 65535
connect_timeout 10 second
cache_effective_group squid
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=5MB
client_db off
ipcache_size 8096
negative_dns_ttl 5 minutes
dns_v4_first on
check_hostnames off
# Client addresses are not passed upstream; "via off" also drops the Via
# header Squid uses to detect forwarding loops.
forwarded_for delete
via off
pinger_enable off
cache_mem 2048 MB
maximum_object_size_in_memory 1 MB
#memory_replacement_policy heap GDSF
#cache_replacement_policy heap GDSF
cache_store_log none
read_ahead_gap 50 MB
#workers 2
#memory_cache_shared on


[ISN] Vessel-tracking system vulnerable to denial-of-service, other attacks, researchers say

Forwarded from: security curmudgeon

On Fri, 30 May 2014, InfoSec News wrote:

: By Lucian Constantin
: 29 May 2014
:
: Inexpensive equipment can be used to disrupt vessel-tracking systems and
: important communications between ships and port authorities, according
: to two security researchers.
:
: During the Hack in the Box conference in Amsterdam Thursday, Marco
: Balduzzi, a senior research scientist at Trend Micro, and independent
: security researcher Alessandro Pasta described three new attacks against
: the Automatic Identification System (AIS), which is used by over 400,000
: ships worldwide.

Talk about milking a vulnerability… These two disclosed the AIS vulnerabilities October 10, 2013. They are still getting mileage out of it…

[...]


China Indictments and China/US Relations

Although I am a proponent of global security cooperation, I do think that all countries need to cooperate and understand that, for free trade and development across the globe, they need to participate fairly with each other in all markets. What this means is that all countries need to provide a fair working order for information flow, competitiveness and intellectual property protection for all organizations globally. It matters not which country we talk about here; we all must play fair with our intelligence programs. Intelligence gathering should be about increasing transparency between national political factions and each country’s military and not EVER used for economic advantage. I for one am for more cooperation and collaboration between Asian countries and the United States as well as Europe, but this means that Asian countries do have to play fair and by the same rules.

My take is that there needs to be an international agreement established to define the “appropriate” uses of intelligence agencies and their intelligence gathering efforts. These rules must establish a ban on any use of intelligence gathering for intellectual property theft or economic advantage (beyond providing insight into legal and political constructs to govern fair competition). It is of course important for countries globally to monitor each other; it is part of the unique way that we understand and collaborate globally with every nation, and I don’t propose we end our intelligence gathering efforts. I do think it is also understandable that intelligence gathering continue to include political and military planning as well as anti-terrorist goals; however, commercial entity intellectual property should have mandatory protections established. Although gathering intellectual property may be useful to nation state intelligence efforts, the most important part is that no data retrieved should be allowed to be disseminated to commercial entities in-country for economic advantage, and this must be codified in law.

A fair playing field with fair competition would mean that organizations globally, including governments, must properly license or develop their own intellectual property and not steal and duplicate the technology. Since we are now in the information age and a significant portion of trade is based on intellectual property, it is important that we properly protect and value information so that it can retain its value. It is important to note that even US entities must respect these same guidelines and protect the intellectual property gathered during their own intelligence gathering efforts (which I do believe to be the case). Intellectual property can be traded legally by organizations through license or sale of specific intellectual property. Alternatively, companies globally can certainly gain economic advantage through fair competition for the employees and engineers responsible for the development of technologies and patents.

Actions UN countries should take:

  • Establish international intelligence gathering and dissemination laws.
  • Ensure intellectual property rights can be enforced globally and allow efficient civil proceedings that can take place in a timely fashion.
  • Establish a cooperative structure to which all participants remain committed.
  • Each country should establish laws governing its intelligence gathering efforts, aligned to the international laws respecting these critical aspects, to protect intellectual property and to limit the use of gathered intelligence so that intellectual property is not disseminated to commercial entities.


Encase Forensics Book: Computer Forensics and Digital Investigation with EnCase Forensic v7

My friend Suzanne Widup just published her book! Check it out….

Computer Forensics and Digital Investigation with EnCase Forensic v7

Conduct repeatable, defensible investigations with EnCase Forensic v7

Maximize the powerful tools and features of the industry-leading digital investigation software. Computer Forensics and Digital Investigation with EnCase Forensic v7 reveals, step by step, how to detect illicit activity, capture and verify evidence, recover deleted and encrypted artifacts, prepare court-ready documents, and ensure legal and regulatory compliance. The book illustrates each concept using downloadable evidence from the National Institute of Standards and Technology CFReDS. Customizable sample procedures are included throughout this practical guide.

  • Install EnCase Forensic v7 and customize the user interface
  • Prepare your investigation and set up a new case
  • Collect and verify evidence from suspect computers and networks
  • Use the EnCase Evidence Processor and Case Analyzer
  • Uncover clues using keyword searches and filter results through GREP
  • Work with bookmarks, timelines, hash sets, and libraries
  • Handle case closure, final disposition, and evidence destruction
  • Carry out field investigations using EnCase Portable
  • Learn to program in EnCase EnScript

Buy the book by clicking here.


Advanced Persistent Security