Xavier Ashe
Xavier Ashe is a Client Partner with Bit9, a father of seven, a Unitarian Universalist Lay Minister Emeritus at UUCA, member of Ner Tamid, a Digitriber, an outdoor enthusiast, a travel lover and technology geek.
My LinkedIn - See my CV - The Lazy Genius - View my blog
- My Twitter Stream - Follow me!
- My Facebook - Know me, friend me.
- My Flickr Photos - Travels and family
- My Tripit - My travels
- My YouTube
- My Goodreads
- Contact Xavier
-
Info
- Summary
I have over nineteen (19) years experience in information technology with a broad background in information security, process improvement, and new business development. Strengths include:
* Creative, Business Driven Solutions
* Project Management
* Holistic Information Security
* Entrepreneurship
* Compelling Leadership
* Best Practices
* Strategic PlanningWhile keeping a focus on solving business problems, I remain to stay technically capable. I hold the following certifications:
* IBM Certified SOA Associate
* IBM Tivoli Certified
* IBM Certified Solution Advisor
* Office of Government Commerce: ITIL Foundations
* Certified Information Systems Security Professional (CISSP®)
* Microsoft Certified Systems Engineer for Windows NT, 2000, & 2003 with additional specialization in Security (MSCE:Security)
* Cisco Certified Network Associate (CCNA)
* CompTia Security+
* CompTia Network+
* CompTia A+Specialties: QRadar, QRisk Manager, SOA, ITIL, TEM, TSIEM, TCIM, TSOM, Tivoli, Consul, BigFix, Proventia, CISSP, Business Development, Information Security, Microsoft Solutions, Cisco, Juniper, and Fortinet Networking, Information Security, Disaster Recovery, Regulatory Compliance, IPSec and SSL VPN, Intrusion Detection and Prevention, Enterprise Deployment, Intelligent Device Monitoring.Experience- Feb 2013 - PresentClient Partner / Bit9
As a Client Partner for Bit9, I am the single point of contact for marquee accounts throughout the life of the relationship with Bit9. I am the engagement manager during deployments and the relationship manager otherwise. I work on our customers' behalf to ensure success. Bit9 is the leader in Trust-based Security.
- Dec 2005 - Jan 2013Senior Managing Consultant / IBM Security Systems
Xavier Ashe is a Senior Managing Consultant in IBM Software Services Security (ISSS) and specializes in Security Intelligence and Data Protection products. ISSS provides the most knowledgeable experts on IBM Security Systems technologies to accelerate your implementation, mitigate implementation risk, and increase value to the customer. Xavier focuses on the risk and governance security products including QRadar and QRisk Manager, Tivoli Endpoint Manager (TEM), Tivoli Security Operations Manager (TSOM), Tivoli Compliance Insight Manager (TCIM), Tivoli Security Information and Event Manager (TSIEM), and Tivoli Directory Integrator (TDI), Provetia SiteProtector, Network IPS, Security Server Protection, Virtual Server Protection, and IBM AppScan.
- Feb 2005 - Jul 2005Director of Security Services / Microtek Systems, Inc.
Microtek Systems, Inc. is a system integrator and reseller in the fields of information security and document management. I am responsible for business development and solution delivery in the information security division. We partner with Juniper, Fortinet, Qualys, AirTight, Patchlink, Solutionary, Lurhq, Surf Control, and SANA Security to deliver quality security solutions. In addition to product sales and support, we also provide leading edge security consulting services including Risk Assessment, Penetration Testing, Firewall Design, Compliance Assistance, and much more.
- Sept 2003 - Jun 2005Senior Infrastructure Consultant / SilverTrain, Inc.
I managed IT Infrastructure Projects in the Milwaukee Area. My roles ranged from project manager to technical lead to sales support. My practice focused on Managed Support Services, Information Security, Disaster Recovery, Business Continuity Management, and Intelligent Device Monitoring.
- 2000 - 2003Team Lead / Sprint E|Solutions
I managed a team of Tier 2 support technicians for Sprint's web hosting division, Sprint E|Solutions (also know as Sprint Hosting Services). The team was a single point of contact help desk that serviced some of the web's largest site: Barnes and Nobles, eBay, Home Depot, FBI, etc.
- 1997 - 2000Network Engineer / Extreme Logic
Extreme Logic (formally known as Omni Technology) was a Microsoft Certified Training & Education Center (CTEC) and Solutions Provider. I was the internal Network Administrator, responsible for 6 classrooms, several remote offices, and score of consultants.
- 1994 - 1996Network Administrator / Georgia Regional Hospital
- 1993 - 1994PC Technicain / The Computer Doctor
Education-
1996 - 2001Georgia Institute of TechnologyComputer Engineering
Activities: Residence Hall Organization, Co-op, Civitan, Study Abroad
Additional Information-
Honors:CISSP, ITIL, SOA, Security+, MCP+Internet, MCSE NT4, MSCE:Security 2000, A+, Network+, CCNA
-
Interests:IT Security, Emerging Technologies, Entrepreneurship, Traveling
-
Posts
- May 08, 13
Originally posted on the Bit9 Corporate Blog.
As I reviewed recent headlines, I took note of a company out of the U.K., Gamma International, that makes purpose-built spying tools. Their software offering is called FinFisher (aka FinSpy). The buzz phrase they use is “lawful intercept,” which means that its use should be bound by laws that allow spying in certain circumstances. Personally, I file it under “greyware,” considering it could be used legally or illegally to remotely control or embed cyberespionage tools within benign looking software. So how do organizations secure themselves against these kinds of tools?
Last year Morgan Marquis-Boire, a security researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found emails containing surveillance tools traced back to Gamma International. More recently, those researchers found the command-and-control server for FinFisher running in 36 countries. According to Mikko Hypponen of F-Secure, Gamma International even tried to sell FinFisher to the Egyptian Government under former President Mubarak.
As the New York Times reported in March:
Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”
But evidence suggests the software is being sold to governments where the potential for abuse is high. “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,” Mr. Marquis-Boire said. “Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.”
The Citizen Lab released research on the topic a few days ago titled “For Their Eyes Only: The Commercialization of Digital Spying.” The data in this report is shocking in many ways, including a mobile version of FinSpy that follows the same path as its desktop equivalent.
They also have a sample package that realistically masquerades as Mozilla’s Firefox. They copied so many details that Mozilla sent Gamma International a cease-and-desist letter, according to Wired. As you see in the screenshot below, the properties of the executable are identical. How would one ever know the difference? You could rely on virus scanners, but without a sample of the malicious code they won’t be able to detect or stop it.
The tried-and-true security tools that most of us depend on are reactive. You have to wait on security researchers to tear apart samples that they find in the wild to give you reactive protection. It’s the same old cat-and-mouse game that leaves you open to attack.
Fortunately, there is a way to end the game. The Bit9 Trust-based Security Platform takes a different approach by blocking the execution of untrusted files across endpoints and servers. Let’s look through the Citizen Lab’s research paper and see how Bit9 would stop these threats.
- In the messages sent to Bahrain dissidents, used the “right-to-left override” attack. From the research paper: “The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as ‘exe.Rajab1.jpg’ (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as ‘gpj.1bajaR.exe.’ Believing that they are opening a harmless ‘.jpg,’ victims are instead tricked into running an executable ‘.exe’ file.”
- If Bit9 were installed and running in high-enforcement mode, the unknown or untrusted executable would not have executed. Even if you were running Bit9 in block-and-ask mode, the user would be alerted that a program was trying to run something other than a .jpg.
- In emails sent to the Moroccan citizen media and journalism project Mamfakinch, the payload was in a malicious java file, “adobe.jar.” This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor. On Windows, it writes a number of files, including ZsROY7X.-MP. This file appears to provide the main backdoor functionality. It adds a registry key to ensure the Trojan stays persistent and runs via rundll32.
- Bit9 has the ability to track and block Java files as it does other executables, but it isn’t turned on by default. So if you had that Java option enabled, Bit9 would keep “adobe.jar” from ever executing. Let’s say you don’t have Java tracking enabled. In that case, “adobe.jar” would execute, writing out the files to the endpoint. Bit9 examines each file for its contents, finding the file “ZsROY7X.-MP” to be executable as DLL. When rundll32.exe is called to load it that execution will be blocked. The Trojan will never be able to execute with Bit9 installed.
- In an email sent to Ahmed Mansoor, a prominent UAE blogger who was imprisoned, the payload is a malicious document that looks like a Microsoft Word file, but is an RTF file that exploits a stack-based buffer overflow in the RTF format and downloads additional payloads. Using a Windows API, it downloads a second file, which is also a downloader. Then the third stage is where the backdoor is downloaded, “verimportant.doc3.” The file then writes out several files, including “V46lMhsH.shv,” which is run via “rundll32.exe.”
- This use case has a different point of injection, but the same outcome. In this case, either the second downloader or the backdoor itself would be blocked by Bit9. Since the backdoor wouldn’t execute, cleanup would be relatively easy since it wasn’t able to inject itself into other software.
- In the use case of the modified version of Firefox, the user would be tricked into installing the wrong version by DNS poisoning, link-jacking, cross-site scripting, clever emails, or other means. The user would then install what looks to be a normally functioning version of Firefox. Infecting an endpoint in this manner tricks the users into accepting changes to his or her system. They know they are installing software, so they are more likely to click “yes” to any security warnings.
- Companies using Bit9 build a trust-based security approach that ensures any software delivered and executed on an endpoint has been approved in some trusted fashion. Whatever model is deployed, it can prevent “trick the end user” attacks because the malicious version of Firefox is not signed by Mozilla. It would not be able to pass the rigors of a trust-based approach and would not be allowed to execute on the endpoint.
Malware comes in various shapes and sizes, with some written by criminals and others written by private companies. Keeping up with these advanced threats requires a new approach to security. Bit9 ensures that only trusted software can run, as opposed to relying on deep analysis of already-known threats that can take time and money to defend against while still leaving you unsecure. A trust-based approach is the most secure method to ensure your endpoints and servers are not being spied on by foreign governments using products such as FinFisher and FinSpy.
Filed under: Bit9, Security - In the messages sent to Bahrain dissidents, used the “right-to-left override” attack. From the research paper: “The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as ‘exe.Rajab1.jpg’ (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as ‘gpj.1bajaR.exe.’ Believing that they are opening a harmless ‘.jpg,’ victims are instead tricked into running an executable ‘.exe’ file.”
- Mar 28, 13
Even though I am no longer an IBMer, this is still a great report to review trends. The X-Force Blog has posted their highlights, with a link at the bottom to get the full report. I’ve read through the report and here’s some bits I find interesting.
- The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
- The 2012 bank DDoS attacks appear to be coming in part not from infected PCs, but from compromised web servers that reside in high bandwidth data centers. By using security vulnerabilities in CMS systems and other popular web frameworks, the attackers were able to create a botnet of web servers that have a much longer connected uptime, as well as having more bandwidth in general, than home PCs. Because of Section I—Threats > Rising tide of security incidents > ABC’s and DDoS’s this, they were able to use fewer bots to more effectively generate larger amounts of traffic.
- In addition to new toolkits and botnets of infected web servers, old reliable methods such as amplification attacks are being effectively used to generate high traffic. While amplification attacks such as an Internet Control Message Protocal based (ICMP) “Smurf Attack” have been used for a decade or more, attackers continue to use the same underlying principles to generate much more traffic today. In particular, DNS Amplification has been successful due to the many open or misconfigured DNS resolver servers on the Internet.
- Malicious code activity overall continues to grow, helped along by the combined efforts of casual attackers, insider threats, cybercrime and Advanced Persistent Threats. Figure 7 demonstrates the “arms race” that exists in
computer security today, with the number of techniques to compromise systems constantly growing, being countered, and growing again.
Filed under: IBM, Security - Mar 26, 13
Bit9 2013 Server Security Survey Shows Concerns
about Targeted Malware Rising1,000 IT and Security Pros Worldwide are Less Confident about Stopping Threats
WALTHAM, Mass.—March 21, 2013—Bit9, the leader in Trust-based Security, today announced the results of its second annual server security survey of nearly 1,000 IT and security professionals worldwide. Key findings include:
- 52 percent of respondents said targeted malware attacks are their top server security concern, up 15 percent from the prior year.
- 25 percent of respondents said their servers were attacked in 2012, up 8 percent.
- 12 percent of the survey group ranked “too much administrative effort” required by traditional security solution as a bigger concern than actual attacks. 43 percent of respondents use more than 1 full-time employee to manage server security.
Click here to download the Bit9 2013 Server Security Survey report and the infographic The Truth about Server Security.
“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources—before they execute—while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers—both physical and virtual—is to allow only trusted software to execute and prevent all other files from running. That’s how the Bit9 Platform protects our customers’ servers and endpoints against targeted attacks, zero-day threats and all other types of malware.”
Filed under: Bit9 - Mar 25, 13
I live in the far outskirts of Atlanta, Georgia. It’s rural/suburban, with lots of horse farms and country clubs. You never expect to have bad things happen near you home, myself included. However, we do have some local drama that has bled in to my domain of information security. It all started with this:
Acworth Teen Accused of Posting Nude Photos to Porn Sites
Authorities are investigating an Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites, according to a Cobb County criminal warrant.
Interesting. At this point I find it odd, but not too interesting. Some kids getting in trouble. Stupid trouble, but it sounds like this guy is not a pedophile. Then more information came out.
Police Seek More Victims in Acworth Teen’s Alleged Child Porn Scheme
The Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites created a company to gain the trust of the juveniles.
Cobb County Police Sgt. Dana Pierce said today that authorities believe Harrison High School senior Michael William Cook operated under the company name Maxi Focus Photography between Nov. 1, 2012, and Jan. 1, 2013, the time frame that he allegedly posted to pornographic websites “naked” or “erotic” photos of people that he obtained through fraudulent means.
Okay, now that steps it up a notch. If true, this guy even got himself a fake business to entice girls. So he may be more of a predator than I first thought. At this point, it’s a wild story, but still a local quirky story. It just happens to be walking distance from my home. I was reading my security blogs this morning and came across this:
17-year-old arrested for hacking into phones, stealing and distributing explicit images of children
A US teenager has been charged with distributing child pornography he allegedly hacked out of minors’ cellphones with a bogus mobile text ad that installed phone-controlling malware.
…
According to 9News.com, Sgt. Pierce claimed that Cook sent text messages to victims from a company called “Maxi Focus Photography”.When victims clicked on a link in the text message, it installed malware that essentially gave Cook access to all information stored on the phones.
That includes access to victims’ accounts on social network sites, such as Facebook and Twitter, as well as sexually explicit photos stored on the phones.
Cook allegedly downloaded offensive pictures and sent them to pornographic websites, Pierce said.
Now things are getting very interesting. This is more than just using a fake photography “studio” to convince girls to get naked. This was a lot more sneaky, if true. I’ve done security forensics before and they almost always are child porn cases. For me, I was always helping prove that someone knowingly downloaded child porn, and usually disproving the “It must have been a Virus” defense.
This is different. If true, my neighbor was hacking into phones and stealing nude photos. In my line of work, we talk about the various type of threats we have and what are their motivations. Now we can add perverted 17 year old boys trying to find naked pictures of teenagers. What if can across your banking info? Think he’d buy himself a couple of video games?
I can think of several lessons here:
- Everything on a computer is discoverable. If you have a naked photo of yourself, it could get posted somewhere. Those files seem to live forever.
- This is even more true on phones. Did you know that many photos are automatically “backed up” onto servers (especially on non-smartphones)? Things like IM and texting are unsecure and can be read by others?
- Teach your children about security. Do you tell your children about dark alleys at night? Then tell them how to avoid getting attacked on the internet. Here’s a few good links:
- RAISING DIGITAL CITIZENS – Teach your children to become good digital citizens with these resources. This is from StaySafeOnline, part of the National Cyber Security Alliance. It’s a good overview page, but has some great links at the bottom.
- Teach your kids mobile security. This is by antivirus vendor Bullgaurd. It has a nice specific list that you can do today.
- Install Anti-Malware on your Smartphone and Tablets. Here are two of my favorite (and they’re free!):
- Lookout Mobile Security for iPhone
- Zoner AntiVirus. Download the phone version or the tablet version.
I’ll keep monitoring the situation and see how things evolve. For this kids sake, I hope it’s not true. We’ll see how the investigation goes.
Filed under: Personal Note, Security - Mar 23, 13
I just read a great article by Mark Baggett (@MarkBaggett) on the ISC Diary called Wipe the drive! Stealthy Malware Persistence Mechanism – Part 1 and Wipe the drive! Stealthy Malware Persistence – Part 2. This was from his presentation at Shmoocom 2013. He shows 4 different methods how malware can stick around even after it’s been “cleaned” by anti-malware products. I completely agree with his advice: always “Wipe the Drive”. It’s the only sure fire way to clean the system, but what if you can’t for some reason? Maybe it’s a traveling employee or an executive at a conference. Wiping and re-imaging is a costly procedure in most enterprises.
What if you had Bit9 installed? How would these 4 situations play out? Let’s go through them. Bit 9 can be run in three protection modes: Monitor-only with Advanced Treat Indicators (ATIs), Block & Ask, and Block. If you are running endpoints in Monitor-only mode with ATIs, you would get an alert on your Bit9 console for these actions. This alert could be acted upon within Bit9 or from your SIEM. For the other two modes, I’ll explain how each of these would be blocked, since that’s how most of our customers use Bit9.
TECHNIQUE #1 – File Associations Hijacking
What happens when you click on a .TXT file? The operating system checks the HKEY_CLASSES_ROOT hive for the associated extension to see what program it should launch. …
What if the attacker or his malware changes this association? Instead of launching notepad it tells the OS to launch NOTPAD.EXE. NOTPAD.EXE is wrapper around the real NOTEPAD.EXE but it also contains a malicious payload.
This is pretty straightforward. NOTPAD.EXE would be blocked because it isn’t trusted. No matter how you tricked the user into running it, Bit9 is protecting you. When you get the block alert, it’s time to wipe the drive, but only when get around to it… after all, you are protected by Bit9.
TECHNIQUE #2 BITS BACKDOOR
BITS is the Background Intelligent Transfer System. This service is used by your operating system to download patches from Microsoft or your local WSUS server. But this service can also be used to schedule the download of an attacker’s malware to reinfect your system. Once the attacker or his malware are on on your machine he execute BITSADMIN to schedule the download of http://attackersite.com/malware.exe. He schedules the job to only retry the URL once a day and automatically execute the program after it is successfully downloaded. The attacker doesn’t put anything at that URL today. Instead, he simply waits for you to finish your incident handling process and look the other way. You can scan the machine with 100 different virus scanners. Today there is no file on your system to detect. You can do memory forensics all day. Sorry, there is nothing running today. Today it is just a simple configuration change to the OS. Then when he is ready he places malware.exe on his site. Your machine dutifully downloads the new malware and executes it.
Again, this is a very easy use case. malware.exe wouldn’t be allowed to run. When you get the block alert, it’s time to wipe the drive, but only when get around to it. Bit9′s got you covered until then.
TECHNIQUE #3 – Program.exe
When Jake and I were preparing for the Shmoocon talk that we gave on this subject, I suggested we include this technique in our presentation. Jake disagreed because this thing has been around since the year 2000 and I quickly relented and agreed with him. At the time we both thought that this technique is pretty lame and we shouldn’t have to worry about a THIRTEEN YEAR OLD vulnerability. Instead I decided to do a post on the ISC to talk about the technique and see what response we got. The response for you, our awesome supporters, was incredible. ISC readers documented several dozen of these attacks in critical systems common to most corporate desktop images. You made Jake a believer (he had a vulnerable OEM application you found on his laptop). The response was such that I am now convinced that an attacker can use this technique and have a great deal of confidence that his malware will be launched. As a matter of fact, it will probably be launched by something that has system permissions. I won’t repeat the full details of the technique here since I already covered it on the ISC. You can check out this article if you missed it:
http://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
This is the scenario. Malware or an attacker is on your machine. He has administrative or Power User access. The attacker drops a file called “program.exe” on the root of your C drive. “program.exe” is a small application that reads the command line parameters that were used to call it. It launches the real program you had intended to call and then executes its malicious payload. Simple but effective.
This one is interesting. When you install the Bit9 agent, it locally approves all files on the system. Then you setup a chain of trust. If you have program.exe on old machines or existing gold images, Bit9 will trust it.
I would advise following the link above and understanding this issue. It’s worth it to review gold images a bit closer when putting them in your trust based architecture in Bit9. When doing this review, it’s a great use case for using cloud based reputation using Bit9′s Software Reputation Service (SRS). If you have any questionable files on your image, run them through SRS. Find out what the world thinks about them. Another bit of advice for vetting gold images: review unsigned code! You can even detonate files in a FireEye MAS, if you have one.
If you do find any malware like this program.exe, globally ban it in Bit9 (and delete it from your gold image)! This will instantly protect all existing computers running the Bit9 agent. Global Bans even work on Bit9 agents running in Monitor-only mode. No need to wipe every drive immediately when you are protected with Bit9.
Technique #4 - Service Failure Recovery Startups
You can configure Windows services with an automatic recovery action. The defined action will be taken when the service crashes unexpectedly. You can see these on the recovery tab for a service using services.msc. Here you see this service first tries to restart the service, then it will …. ummm… whats that?? .. RUN A PROGRAM. Hmm.
This use case is also straightforward. The malware has tricked the user, even tricked the system, but it hasn’t been tricked by Bit9. Blocked, again.
I hope this helps shine the light on the amazing power of software whitelisting. It changes the game in end-point protection. You don’t have to go running after every trick in the book that may trick a user. You only have vet the software you trust, and you don’t have to wipe the drive immediately when an infection occurs. Bit9 gives you the freedom to have endpoint protected while you wipe the drive at your convenience.
Filed under: Bit9, Security - Mar 22, 13
Hear Michael Bilancieri telling the compelling story about our new detection and forensics capabilities and innovative new Advanced Threat Indicators.
Bit9′s Trust-based Security Platform combines real-time sensors, Advanced Threat Indicators (ATI), and the cloud-based Bit9 Software Reputation Service to immediately detect advanced threats and malware. You won’t wait for signature file updates. No testing or updating .dat files. Bit9 specializes in advanced threat detection.
Filed under: Bit9 - Mar 12, 13
Since moving from network security to endpoint security, I’ve been soaking as much wisdom on various approaches, priorities, and opinions out there. I came across this Gartner study titled “Predicts 2013: Endpoint Security Becomes Even More Important for Infrastructure Protection”. It seems to hit home with many of the viewpoints I am hearing from my customers. The Bit9 web folks have posted a copy on the Bit9 website, but here’s the gist:
Key Findings
- Most endpoint security tools are designed to allow any application to run, unless it is known to be malicious. Restricting applications that are allowed to execute to a known set of preapproved applications is gaining acceptance as a more-effective security measure for dealing with rapidly morphing malware and advanced persistent threats.
- Malware authors typically attack the easiest and most prevalent targets. Mobile devices offer a range of possibilities along these two scales.
- As computer processing is dispersed into operational technology (OT) systems, data sources and access points expand exponentially. Some of these objects will require security due to the sensitivity of the processing they perform and the data they provide, particularly for OT-centric enterprises.
- Most organizations are removing URL blocks and permitting most employees to access external social media from corporate-owned and managed endpoints and networks.
Recommendations
- Consider application control a key requirement of endpoint protection systems. Favor vendors that have mature workflow processes for dealing with change and have large installed bases of users from which to draw samples.
- Focus investments in platforms that have a default-deny application control environment, or be prepared for higher costs and more potential for infections.
- If your enterprise is involved with OT such as supervisory control and data acquisition (SCADA) systems, process control, telemetering, sensors or similar OT, immediately try for IT/OT alignment, convergence and integration to develop plans for security oversight.
- End-user organizations should anticipate continued investments in procedures and solutions focused on managing security risks in external social media. However, solutions in this space are immature, and organizations should expect regular changes in feature sets and vendors.
Filed under: Security - Feb 18, 13
My move from running RedHat on the desktop back to Windows 7 hasn’t been too bumpy. Only one big driver corruption issue that took me a couple of days to solve, but it seems running Windows is like riding a bike. I have a need to scan a good bit of documents into a single Adobe PDF file. The driver & software package that comes with my Lexmark printer only scans to individual files. I had been using PDF Creator, which has a tool to suck up all the individual jpegs and put them in a PDF. It was clunky, and often files would be out of order.
I went on a search today to find another tool to meet my needs. I tried 5 different freeware or shareware programs. The first four didn’t function in some way. Most just errored out, one didn’t even run. I finally found NAPS (Not Another PDF Scanner). The only problem I have is that the default permissions on the program folder in which it runs keeps it from saving a config file. Running it as Administrator worked for setting up my profile. Now it runs fine as under regular permissions.
Just wanted to share to possible save someone else some time. Cheers!
UPDATE; well, NAPS ended up being too buggy for me. I went back to the developer page on Sourceforge and saw a comment that some one else has forked the project. Yay, NAPS 2 is better! Open Source FTW!
Filed under: Uncategorized - Feb 05, 13
From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy. I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy. Working for IBM taught me a lot about holistic security and how good security products are usable no matter if you have basic security maturity, or advanced. I generally focused on the network side of security, mainly in SIEM and NIPS. I’ve shied away from endpoint security (for the exception of dabbling in forensics and TEM), because it’s such a headache. Virus scan software is a joke, letting just about everything modern in. Case in point with the recent attacks at the New York Times:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
I see this all the time. That’s why products like QRadar and IBM Security NIDS are so popular. You have to fall back to the network, if can’t get control of the endpoint. Why attack the endpoint? It’s seems to be the easiest and most successful. There’s typically three categories of attacks:
- Remote attacks launched from the internet (DoS, SQL Injection, etc.)
- Insider threats, and
- Infect an endpoint, then launch attack from within (phishing, drive-by downloads)
Network based protection is very useful at blocking and/or detecting all three of these attacks categories, but that leaves you with a perimeter based security protection. With perimeter based security, one tries to tackle the channels of infections like email and web browsing. There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door. Network security should be used to protect infrastructure, not endpoints.
So what can be done to protect the endpoint? IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning. I say small stuff, not to dismiss its importance, but they are processes that should be in place already. Having TEM take care of it all is just easier.
When I was at IBM and a customer was worried about the Insider Threat, we would use either TSIEM or QRadar to pull in system and audit logs. What we usually found near pure chaos, since it’s very hard to figure out what is what within system logs. The best approach I have found is using white list policies. We would build profiles of acceptable behavior in an environment, filter it out, then analyze the rest. It was a great approach and bled over into some of my other SIEM and NIPS scenarios.
The reason I bring this up is that one of the reasons I like Bit9′s software is that it employs a similar white list approach, but looks to be MUCH easier than the rat’s nest that is system and audit logs.
Let me summarize:
- Network security is best when focused on protecting infrastructure like hosted applications and databases. It loses effectiveness when trying to secure the endpoint.
- As for hosted applications, security vulnerability testing and security development should be a closed loop.
- Insider threats can only be managed if you are doing system and audit log analysis. It’s a costly investment, but worth it to certain business sectors like banking and military.
- Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
- I believe SIEM is critical to tie it all together and should be the single pane of glass.
- Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
- Overall security policy governance has to be tailored to the size and type of organization.
As I write this out, I see that going after endpoint security with Bit9 fits for me. I am looking forward to learning more about its capabilities and how our customers would like to use it.
Filed under: Personal Note, Security, Uncategorized - Jan 27, 13
As I get more into my Bit9 job, I will be doing a lot more endpoint security. I’ve been on the network side of security for so long, I have some ramping up to do. A very common request is to secure USB devices. Here’s a good article on getting data off a locked down system.
High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.
We’ve seen this sort of thing before where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a microcontroller. [d3ad0ne]‘s build exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.
Hack-a-Day: Extracting Data with USB HID
Filed under: Security - Jan 25, 13
I’ve been running Windows 8 on one my laptops since it’s release and put in the kitchen for my family to use. It’s a powerful laptop, i7, 12 gb RAM, nice graphics card. I’ve used it, as has my wife and my three elementary age kids. My teenagers have their own PCs and laptops. I’m now replacing this laptop (need to give it back to IBM) with another. It has Windows 7 on it. Note, neither laptops have a touchscreen.
My first thought was to reformat with a fresh Windows 8 install, since it will be the new family machine. Windows 8 has family controls built in to the OS, has PIN logons, and the Metro look and feel is very nice. But I started thinking about how many family uses it.
My wife was constantly frustrated about trying to get stuff done on it. The Metro version of IE has some shortcomings, mainly not running flash unless Microsoft approves it. She googled how to recreate a Start button, and if she uses this machine, she goes directly to the desktop. She never used one of the Metro apps, but she also has her own laptop with Windows 7. She installed Chrome and stopped using IE 10.
My boys (ages 6 and 8) love the Bing app. They can spend hours just searching various star wars names and looking at the image results. But IE has problems with various sites like starwars.com and lego.com. I put a Chrome icon on their Metro home page. It of course runs in the desktop.
My 10 year old daughter does a lot of homework online. Half of her sites don’t work in IE 10, so she uses chrome, too. My 8 year old boy attends an online school. Again, IE 10 doesn’t work. Word processing is via Symphony, on the desktop.
Even though I installed a bunch of free Metro games for the kids, they don’t use them. They want the games on PBS, Star Wars, Lego, American Girl, and other web sites. They each got their own Android tablets for Hanukkah, so all those Metro games have similar ports on Android and are more fun to play on a touchscreen device.
The only positive things out of Windows 8 is the Bing Search app, parental controls built it, and my kids learning how to use the new OS. But in the end, most just go to the desktop and launch Chrome. The new laptop has a fingerprint scanner, so there’s no reason for a password or PIN.
I think I will leave Windows 7 on the new family laptop. I get my new work PC next week. I will contemplate putting Windows 8 on there for a while and see how it works for work.
Filed under: Other Technology, Personal Note - Jan 11, 13
As of February 1st, I will be leaving IBM. It’s been a great 7 years. I never thought I could enjoy working for a large company, or working so long in the same position. Man was I wrong. IBM really has some great people, and I had the best quality of life during my tenure. Even though I was in the same position, life was rarely dull with constant acquisitions (nearly one per year that affected me!). I started off working with NeuSecure/TSOM, then TDI, then TCIM, then TSIEM, then AppScan, then Proventia and SiteProtector, then BigFix/TEM, and finally QRadar. That’s a busy seven years!
Well, what’s next? I have accepted a position at Bit9 as a client partner. I am excited about this on several fronts. One, I think the technology is amazing. I’ve never been a big supporter of virus scan products. They just never seem to offer adequate protection. Bit9′s approach is to whitelist the good stuff as opposed to trying to find all the bad stuff. I really think this is a better way to secure endpoints. I’ll be posting more on my security philosophy soon.
Secondly, I’m excited to be moving to a small company. Not only is moving to a start-up* exciting, the people there are too. Everyone I’ve talked to so far seems to be on the same page as me when it comes to security philosophy, business philosophy, and look to be very fun to work with. I was lucky to find a good crew at IBM, and it looks like my luck continues at Bit9.
Also the client partner role looks to be very fulfilling. When I look back on my time at IBM, I really enjoyed the time that I could form long-term relationships with my customers. That’s also where I found the greatest success. This position looks to mix engagement management, relationship management, and technical account management. I’m also planning on doing some evangelist work too.
I am so excited to get started at Bit9 in February. I will have to spend some time deprogramming myself as an IBMer, but I think this is a good move with a good company with a great product.
* Bit9′s been around for about 7 years and can hardly be called a start-up anymore. But every company seems like start-up when coming from IBM.
Filed under: Bit9, ISS, Personal Note - Dec 14, 12
What is it?
A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, which then you can build Rules upon. The beauty of this is that in reality it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.
How does it work?
You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” api key – which you can get from your Seculert account (fantastic service http://seculert.com), but again, this can be easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands with the “Network” (in this case ‘SECULERT’) ID and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, and prune out the old SECULERT list, and then merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real qradar magic).
Read more and get the script on GitHub.
Filed under: IBM, QRadar, Security Intelligence - Dec 01, 12
I have an older Roku, an N1000. It’s only 720p and no WiFi. I dug it out once I freed up my Ethernet over power adapters. Now want some streaming love in my bedroom. Unfortunately, I could not find the power adapter! I dug through my big box of extra adapters, but nothing was 5v and 2A. I went to Radio Shack to see what they had. They wanted $45 for the adapter kit!! Can you believe that?! I’m not sure this Roku is even worth that much.
I hit the interwebs and was happy to find a D-Link AF1205-B Power Adapter DC 5V 2A 120V for only $9. I got it today, and it works! So if you are looking for a power adapter for a Roku N1000, the D-Link adapter is the winner!
Filed under: Other Technology - Nov 06, 12
IBM Tivoli Endpoint Manager (TEM), built on BigFix technology, is one of my favorite IBM products to work with. It has an elegant architecture that makes things work so well. I usually only deal with the security functions of the tool, but it can do so much more. The Mobile Device Manager (MDM) is one of those features that I don’t get to deploy often, but I try to stay abreast of its capabilities.
Mobile Device Management Release Notes
Site Version 47 – Nov 1 2012
MDM Feature Release 1.3New Features:- Integrated SAFE support - Integrated Samsung Approved For Enterprise (SAFE) Phase One APIs to enabled additional management capabilities (such as selective app wipe, application blacklisting, and device encryption) to SAFE enabled android devices.
- Self Service Portal Redesign - Reworked the Self Service Portal (SSP) to be easier to use and much more end user friendly.
- Mobile Security Configuration Management Sites – MDM now includes a new batch of Center for Internet Security (CIS) Checklist sites for iOS 5.0.1, and Android 2.3, 4. These can be enabled through the normal License Overview dashboard in BES Support.
- Expanded Proxy Agent Capabilities – The Proxy Agent for iOS, Lotus, and MS Exchanged managed devices now supports Multiple Action Groups, Baselines, and “createfile” commands.
- Change Notification Dashboard - New notification dashboard to help users stay on top of the changes and improvements made to the MDM site.
Filed under: IBM - Oct 30, 12
The new IBM Security Access Manager for Cloud and Mobile bundle brings together market leading capabilities of IBM Tivoli Federated Identity Manager Business Gateway (TFIM-BG) and IBM Tivoli Security Policy Manager (TSPM).
IBM Security Access Manager for Cloud and Mobile provides the following key capabilities:
- Helps detect and prevent user access fraud by enforcing risk-based access control
- Reduces costs and complexity by enabling single sign-on and federation for cloud and on-premise applications
- Improves security posture and helps demonstrates compliance through centralized policy management
IBM Security Access Manager for Cloud and Mobile extends user access protection to mobile and cloud environments using federated single sign-on, user authentication, and risk scoring based on location, device, access pattern, etc. IBM Security Access Manager for Cloud and Mobile provides risk-based access control from mobile end points such as smartphones and tablets so that users don’t inadvertently expose your sensitive IT assets in an unsafe environment.
IBM Security Access Manager for Cloud and Mobile helps enterprises adopting cloud-based services leverage single sign-on for secure information sharing across private, public and hybrid cloud environments. Using IBM Security Access Manager for Cloud and Mobile, enterprises can implement a powerful mediation service for Cloud, SaaS and web services, while reducing administrative costs, establishing trust and facilitating compliance.
IBM Security Access Manager for Cloud and Mobile highlights:- Risk-based access control for anytime/anywhere access from mobile devices
- Cloud Single Sign-On and Federation with easy onboarding of applications
- Centralized Policy Management and Fine-grained Access Control
Filed under: IBM, Security - Oct 29, 12
Stolen from the QRadar 7.1 Release notes:
- Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
- For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
- For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.
If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.
- New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
- New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
- New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
- New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance.
- Using Store and Forward accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
- Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.
Filed under: IBM, QRadar, Security, Security Intelligence - Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
- Oct 08, 12
It’s been interesting to watch the firewall and IPS space over the years. First we had firewall vendors adding IPS features. Then we had IPS vendors adding firewalls features. Personally, I’ve always thought it made sense to use an IPS with firewall features because I’ve never seen a firewall with an IPS worth using. Now application aware firewalls have proven useful, it’s time for IPS vendors to add more application awareness. Hey look, I work for an IPS vendor
IBM’s Security Network Protection XGS 5000 is a next generation intrusion prevention system, adding tons of features to IPS like web content, application and application action control, protocol analysis based intrusion prevention, URL filtering, Injection Logic Protection, Shell Code Heuristics, and virtual patch.
Marketing bullet points:
- Help stop threats from compromising unpatched vulnerabilities without sacrificing high-speed network performance.
- Help protect networks, servers, desktops, and business critical applications from malicious threats.
- Conserve network bandwidth and provide insight into what users are doing on the corporate network. It helps control user bandwidth consumption by limiting or eliminating access to nonbusiness critical applications.
- Help enforce compliance and internal corporate usage of nonbusiness critical applications such as social networking, peer to peer file transfers, instant messaging traffic, and streaming media.
- Provide an extensible security platform that can grow as threats evolve, help consolidate network protection technologies, and help reduce the cost of deploying and managing point solutions.
You can get lots of print literature here, but who wants to read when you can watch videos on YouTube.
IBM Security NextGen IPS Use Case Videos
- NextGen IPS Overview (8:15)
- Complying with GRC Mandates (4:46)
- Protecting Intellectual Property (6:19)
IBM Security NextGen IPS How to Videos
- Understanding NextGen IPS Terminology (3:37)
- Configuring IPS Policies (2:27)
- Configuring QRadar Integration (1:25)
- Identifying Network Usage (3:32)
- Configuring Specific URL Control (3:34)
- Configuring URL Category Control (2:36)
- Management Dashboard Overview (3:22)
- Configuring Web Application Control (3:03)
- Configuring User Authentication Control (4:02)
Filed under: IBM, ISS, Security - Oct 05, 12
The QRadar Product Management team is very glad to announce the General Availability (GA) of QRadar SIEM and Risk Manager Version 7.1. Another major milestone of the QRadar product, QRadar 7.1 delivers several new key features to meet the needs of our current and future customers, a new appliance and new tools to provide more flexibility in deploying the QRadar solution, and great usability features to increase the visibility to more security intelligence data, as well as the ability to better optimize and tune QRadar.
The new features of QRadar SIEM 7.1 consist of:
- Index Management: More refined control over the creation of indexes used for searches and exposure of field and index usage statistics, enabling more efficient storage utilization and performance optimization.
- Store and Forward: Capability of collecting and storing events by a new appliance, Event Collector (EC), in a remote location and forwarding events to an upstream Event Processor for analysis based on a pre-determined policy, allowing effective log collection at remote network locations with unreliable network connections or bandwidth constraints.
- Import/Export of Security Contents: Ability to export security and configuration content on a QRadar system to an external, portable format which then can be imported into another QRadar system, with a command line interface, enabling quick deployment of a new QRadar system or sharing of security contents across systems.
- Vulnerability Details Screen – Enhanced GUI screens to display detailed vulnerability data imported from third party vulnerability scanner products, allowing customers to fully explore the nature and relevance of vulnerabilities on the hosts involved in QRadar detected incidents and offenses.
- WinCollect: Complete centralized control of local and remote Windows event collection, with bulk adding of servers, per server troubleshooting, automated deployment and update of policy and agent itself. Also includes tuning for different environments and support for latest capabilities like XPath queries.
The new features of QRM 7.1 consist of:
- P2P Networks: Support for point-to-point networks, such as VPNs and serial links. This allows customers to add these links to their QRM network topology.
- Firewall Rule Reporting: Perform comprehensive reporting on firewall rules, including shadowed, most and least used rule reports. Reports can be generated across multiple firewalls and is full integrated into the QRadar reporting engine.
- Enhanced Policy Monitoring: Monitor policy question passes and failures, typically required for compliance reporting. Customers can now generate reports that show that network policies have been in compliance over a given period of time, in addition to those which were not compliant.
Filed under: IBM, QRadar - Sep 17, 12
The way that QRadar assigns severity is based on the QID. So each event that has a specific event name gets mapped to a specific QID, then gets a specific severity. This is a very good model for many scenarios. However, there are other situations that require parsing the severity out of the event and overriding the QID set severity. For example, you may get a more generic QID like “Threat Detected”. These all get put in at a high severity, which throws off several out-of-the-box rules and makes your magnitude score less useful.
To change this, it will take several steps. First you must create a Custom Extracted Property to pull out the new severity. Be sure to check the box for “Optimize for rules and reports”. I’ll use Snort and Palo Alto as an example. I created a new property called “Event Severity” and used this regex:
\[Priority:\s+(\d+)
Here’s one for Palo Alto:
\(\d+\),.*?,(\w+)
Snort uses a number 1-5 and Palo Alto has 5 different text strings (low, medium, high, etc.). The next step is to create five rules for each log source type. Here’s an example of the snort rule.
Apply Snort Severity Adjustment – 1 on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches Priority is 1Or Palo Alto:
Apply PASeries Severity Adjustment – Low on events which are detected by the Local system
and when the event(s) were detected by one or more of Palo Alto PA Series
and when the event matches PA Severity is lowThe rule response for these rules is to set the Severity to the appropriate number and annotate the event. Both of these examples have 5 levels of severity, so I used 2, 4, 6, 8, and 10 in QRadar. Create all five rules and you are set!
Now you should get better magnitude scores and less false positives from rules like “Exploit: Exploits Events with High Magnitude Become Offenses”.
Filed under: QRadar
-
Tweets
- The Eight Most Common Causes Of Data Breaches -- Dark Reading http://t.co/cyjdB5CfXJ
- @Bit9, @FireEye, @PaloAlto Networks team to hit zero-day malware - Network World http://t.co/dpWMnSrRPp
- Do ATMs Face New Malware Threat? - BankInfoSecurity http://t.co/FTTkCSchg6
- New video from @Bit9! Bit9 Connector for Network Security Devices http://t.co/IQdt25vE36
- Nah, we're not at war - Chinese hackers who breached Google gained access to sensitive data, U.S. officials say http://t.co/EuxurPDZG0
- Mac malware signed with Apple ID infects activist’s laptop | Ars Technica http://t.co/BEyJHq4FW6
- Mounties say crooks passing fake polymer bank notes in British Columbia http://t.co/ZVvTrDeWGw
- Six tips to bombproof your password http://t.co/dWt9w0414W
- 4 of 5 stars to Knife of Dreams by Robert Jordan http://t.co/Y5OxKBWq19
- DHS: Critical infrastructure threats up 68% in 2012 http://t.co/nRs06oYvjK
- How the FBI’s online wiretapping plan could get your computer hacked http://t.co/J3vkS3Jdds
- Mac malware signed with Apple ID infects activist's laptop http://t.co/VU0LUPHdHn
- For my music geeks out there... http://t.co/alIZtuA0P3
- RT @FSecure: REMINDER: Mac Malware does exist. http://t.co/Vn0FlRWJwt
- Wannabe hacker, you're hired: Brit bosses mull cyber-apprenticeships • The Register http://t.co/zVOsTHtdxc
- Social Roulette is forced by Facebook to commit its own social suicide | Naked Security http://t.co/XBQdxO2U7z
- Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm's Fix http://t.co/McEy2KyAmQ
- New versatile and remote-controlled "Android.MouaBot" malware found in the wild http://t.co/rAqO5A5i8r
- Following hackings, students and admins tighten security http://t.co/UKxqOPCago
- UK-based Lulzsec hackers await sentence after guilty pleas http://t.co/oF89L29Mva
-
Status
- Watching the pilot episode of Star Trek Next Generation on Hulu. I'm so geeking out right now.
- On a call about @Symantec CSP. They are attacking "signature based tools" as useless. Even virus scan vendor knows that virus scanners suck.
- Happy vernal equinox! Let your days be as long as your nights!
- My name is John Baptista Xavier Ashe. My Irish family hails from Convoy (Conmhaigh) on the river Deele. I am a descendant of John Baptista Ashe, Speaker of the North Carolina Colonial Assembly, who was the father of Samuel Ashe, the ninth Governor of North Carolina, namesake of Asheville, and namesake of the liberty ship SS Samuel Ashe. Samuel's son, John Baptista Ashe serve in the Continental Congress. I am John Baptista Xavier Ashe, and am proud of my Irish and American heritage.
- Why is spell checking better on google.com than in Gmail?
-
Uncategorized
