Category: Incident Response

The Ethics of Publicly Disclosing Breaches

In the security research community, it is commonly held that the ethical thing to do when discovering a vulnerability is to contact the software developer. Only after a lack of response, after the vulnerability has been fixed, or after the

An Analysis of the Analysis of the Attack

Over at the Apache blog, you’ll find a nice and detailed incident report on the recent, successful attack on I thought it might be worth a few minutes to share my thoughts on their write-up. First, I would like

Three Things to Remember When Configuring Logging

You set up a centralized logging server. Check. You installed the OSSEC manager to analyze your logs in real-time. Check. You even managed to implement high availability. Good going! Now you're ready to start configuring clients. It should be as

A Public Lesson on How to Handle a Breach

When I first heard about this, I thought to myself, “Say it isn’t so. Tell me this is just a big misunderstanding. Tell me that my favorite place to buy cables at great prices wasn’t breached.” Alas, it seems to

Real Grandpa Information Security

I recently blogged about security practices in a hospital environment that I was witness to. It was interesting to see how security worked (or perhaps didn’t work), rather than post about another standard, tool or best-practice. Today, I bring you

OSSEC Presentation Available

On October 29, I gave a presentation at the Rochester Security Summit entitled “OSSEC in the Enterprise.” After a brief delay as a courtesy to the summit organizers, I’m pleased to be able to share the presentation with everyone else. It

The Value of File Integrity Alerts

Tools like AIDE and the original Tripwire have long been used in the Unix world for so-called intrusion detection. They let you know when a file has changed by presenting you with an old and new checksum, but usually don’t

Controlled Worm Outbreak – The EICAR Worm

I have spent the last several days responding to a 0-day worm outbreak. We didn’t have signatures when the you-know-what hit the fan. Fortunately, some tooling we already had in place allowed us to contain the initial spread while we