Jan 28, 2011

New Critical Bug In All Current Windows Versions

New Critical Bug In All Current Windows Versions: "Trailrunner7 writes 'Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows.'"

Jan 25, 2011

Best Terminal App, EVAR!

This has to be the best terminal application ever. I don't think I will ever license it either. The picture degradation makes it sooo much more bettuh!

Cathode - Vintage Terminal Emulator

Jan 24, 2011

Apple hires former NSA, Navy analyst as security czar

Apple hires former NSA, Navy analyst as security czar: "In response to calls for increased security from enterprise clients, Apple has hired cybersecurity expert and author David Rice as its director of global security, a new report claims."

Jan 7, 2011

Splunk GEOIP Lookup

Here's a great Splunk feature. Using this query you can see what countries are hammering your boxes and make nice graphs for the boss.

sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country

You can easily swap client_country for src_ip to see which individual hosts to start dropping the ban-hammer on as well.
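The same pipeline done outside Splunk, as an added example (not from the original post): parse "Failed password" lines from a constructed /var/log/secure sample, map each source IP through a constructed stand-in for the geoip lookup, and rank countries (or source IPs, the ban-hammer variant) the way chart/timechart does, including the "NULL" series that timechart's default usenull=true produces for IPs with no lookup match. It counts over the whole sample rather than per time bucket.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd format that sourcetype="linux_secure" covers.
SAMPLE_SECURE_LOG = """\
Jan  7 10:01:12 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51522 ssh2
Jan  7 10:01:14 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51530 ssh2
Jan  7 10:02:01 web1 sshd[2240]: Accepted password for deploy from 198.51.100.7 port 40110 ssh2
Jan  7 10:02:40 web1 sshd[2251]: Failed password for root from 198.51.100.9 port 39012 ssh2
Jan  7 10:03:03 web1 sshd[2260]: Failed password for invalid user test from 192.0.2.44 port 42001 ssh2
Jan  7 10:03:05 web1 sshd[2260]: Failed password for invalid user test from 192.0.2.44 port 42002 ssh2
Jan  7 10:04:11 web1 sshd[2271]: Failed password for root from 192.0.2.45 port 42100 ssh2
"""

# Constructed stand-in for the Splunk geoip lookup (clientip -> client_country).
# A real deployment resolves this against a GeoIP database instead.
GEOIP_LOOKUP = {
    "203.0.113.5": "CN",
    "198.51.100.9": "RU",
    "192.0.2.44": "US",
    # 192.0.2.45 is deliberately missing: an IP the lookup cannot place.
}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
)


def failed_password_events(log_text):
    """Yield (user, src_ip) for every line matching name="Failed Password"."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src_ip")


def count_by_country(log_text, lookup=GEOIP_LOOKUP, limit=5):
    """'| lookup geoip clientip as src_ip | ... count by client_country' over the whole sample.
    IPs with no lookup match land in a "NULL" series, as timechart does by default."""
    counts = Counter(lookup.get(src_ip, "NULL") for _user, src_ip in failed_password_events(log_text))
    return counts.most_common(limit)  # limit=N keeps the top N series; useother=false drops the rest


def count_by_src_ip(log_text, limit=5):
    """The post's variant: count by src_ip to rank individual offending hosts."""
    counts = Counter(src_ip for _user, src_ip in failed_password_events(log_text))
    return counts.most_common(limit)
```

Because the unresolved IP shows up as "NULL", a large NULL series is itself a signal that the lookup table needs updating rather than that attacks stopped.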

Jan 6, 2011

Useful Splunk Queries

So we finally have a working, reliable installation of Splunk on site and I am starting to build some useful queries. There is so much information available that it's almost too hard to write a reliable query that returns the information you need (without false positives).

sourcetype="WinEventLog:Security" "User Name:" CategoryString="Logon/Logoff" User_Name="administrator" | chart count(eval(Type="Failure Audit")) as "Login Failures" by src_ip

This will give you a nice chart showing a count of Administrator logon failures by source IP.

If you find yourself getting data that you aren't sure is real or should be ignored, I find the best way to be sure is to verify it against a known failure, or by reproducing the issue you want to track. In this case, I simply attempted to log in with a bad password and my attempt showed up after a refresh.