Category: Incident Response

The Ethics of Publicly Disclosing Breaches

In the security research community, it is commonly held that the ethical thing to do when discovering a vulnerability is to contact the software developer. Only after a lack of response, after the vulnerability has been fixed, or after the

Posted in Dialogue, Ethics, Incident Response

An Analysis of the Analysis of the Apache.org Attack

Over at the Apache blog, you’ll find a nice and detailed incident report on the recent, successful attack on Apache.org. I thought it might be worth a few minutes to share my thoughts on their write-up. First, I would like

Posted in Computer Crime, Ethics, Incident Response, Intrusion Detection, Log Analysis, Secure Administration, Secure Design, Systems Hardening

Three Things to Remember When Configuring Logging

You set up a centralized logging server. Check. You installed the OSSEC manager to analyze your logs in real-time. Check. You even managed to implement high availability. Good going! Now you're ready to start configuring clients. It should be as

Posted in Incident Response, Intrusion Detection, Log Analysis, Secure Administration, Systems Hardening

A Public Lesson on How to Handle a Breach

When I first heard about this, I thought to myself, “Say it isn’t so. Tell me this is just a big misunderstanding. Tell me that my favorite place to buy cables at great prices wasn’t breached.” Alas, it seems to

Posted in Computer Crime, Ethics, Incident Response

Real Grandpa Information Security

I recently blogged about security practices in a hospital environment that I was witness to. It was interesting to see how security worked (or perhaps didn’t work), rather than post about another standard, tool or best-practice. Today, I bring you

Posted in Computer Crime, Dialogue, Incident Response, Research

OSSEC Presentation Available

On October 29, I gave a presentation at the Rochester Security Summit entitled “OSSEC in the Enterprise.” After a brief delay as a courtesy to the summit organizers, I’m pleased to be able to share the presentation with everyone else. It

Posted in Incident Response, Intrusion Detection, Log Analysis

The Value of File Integrity Alerts

Tools like AIDE and the original Tripwire have long been used in the Unix world for so-called intrusion detection. They let you know when a file has changed by presenting you with an old and new checksum, but usually don’t

Posted in Incident Response, Intrusion Detection, Systems Hardening

Controlled Worm Outbreak – The EICAR Worm

I have spent the last several days responding to a 0-day worm outbreak. We didn’t have signatures when the you-know-what hit the fan. Fortunately, some tooling we already had in place allowed us to contain the initial spread while we

Posted in Incident Response, Intrusion Detection, Research, Vulnerabilities