How much of a demand is out there for people with strong computer forensic skills? Are most of the jobs 'outsourced' through Service Providers and security vendors, or is there an internal need inside medium-to-large Enterprises?
I have a strong background in security, networking, PCs/desktop (going all the way back to WFW 3.11), servers, databases, firewalls, IPS, etc, and was looking at adding Forensics to my skillset. I'm genuinely interested in the topic and think I'd be good at it if I put my mind to it, but I get the impression that it is its own microcosm of specialties that excludes being involved in other activities. (In other words, to be really good (and employable) at Forensics, I'd need to be -just- a systems forensics guy that also keeps up-to-date on almost EVERY new exploit as they're released and how they impact the end-system.)
So what I suppose I'm asking is: could some currently-employed Forensic guys/gals (or the people that are looking to hire them) please talk about what they think makes a good Forensic Engineer and who should/should not get into the field.
I remember when I upgraded to the AppleCat modem - I think it did 1200 or 2400 baud, and coupled with an file transfer utility (CatFur) written by a guy named "the Micron". I met the guy a few times a computer shows. (Hey K.!) IIRC, the utility took advantage of the applecat modem and doubled(?) transfer speeds when you had the same modem on both ends. It revolutionized pirating!
I -literally- have 1000+ disks of software, text files, etc up in the attic. I just wish there was an easier way to transfer them up to my PC for permanent storage. The only way I know of is to transfer them serially via modems. Why can't someone just build a USB-to-Apple drive adapter?:-)
A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.
From the site:
BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.
There's also a great PDF available showing a full dissection of a Storm variant.
I don't understand, so what if eBay lobbied the CIA. Maybe they were just recruiting new chefs to cook for their employees - I hear that's one of the bennies, just like at Google.
CSA and CTA (the subject of TFA) are two different products.
CSA is the Host-based Intrustion Prevention software. It stops any anomolous behavior.
CTA is their 'NAC supplicant' that reports back to the querying endpoint (NAC enabled switch, router, etc) about the status of the system (a/v version, is it running?, signature version, etc.)
CSA has CTA built into it, but not vice versa.
It makes sense that Cisco is open-sourcing this - the don't make money on agents, they make money on selling more hardware (NAC enabled switches), software (the Cisco Access Control Server, MARS reporting, not to mention just plain old IOS software support.)
M$ was in my office last week, pitching some remote backup and branch-office solutions. They brought up that they've made improvements to SMB to make it 'less chatty' over the WAN, so users at the far end of a 512Kbps or T1 circuit see better performance. Their solution is SMB2, which they said is built into the kernal on Vista and also requires Longhorn server.
I blurted out 'so that means you're locking out the Linux/Samba users, huh?' They made some comment that it would be backwardly comptable, but it was obvious that they're going to try to ensure that the protocol isn't reverse-engineered the way SMB was.
Dr. Frederick Frankenstein: Igor, would you mind telling me whose brain I did put in?
Igor: And you won't be angry?
Dr. Frederick Frankenstein: I will NOT be angry.
Igor: Abby someone.
Dr. Frederick Frankenstein: Abby someone. Abby who?
Igor: Abby Normal.
Dr. Frederick Frankenstein: Abby Normal?
Igor: I'm almost sure that was the name.
Dr. Frederick Frankenstein: Are you saying that I put an abnormal brain into a seven and a half foot long, fifty-four inch wide GORILLA? [shakes and grabs him]
Dr. Frederick Frankenstein: IS THAT WHAT YOU'RE TELLING ME?
You realize that the reason why your ISP is port blocking "normal Windows file sharing techniques" is because of how unbelievable insecure those techniques are, and how many viruses / worms have been written to take advantage of those insecurities? They're just damn sick of allowing scads of bots probing on TCP port 137 to find systems to add to their bot collective. You're right, even if Vista does improve security and/or give us a reason to move to IPv6, they're still going to block those ports, but only so they don't have to support the network traffic created by the legions of legacy WinXP and Win98 machines that will take YEARS, if ever, to upgrade.
no enterprise customers are going to install a brand new OS without months of testing
You don't think Microsoft knows this? 10 years ago maybe, but do you actually think they're THAT stupid?
They have an early-adopter program for Enterprise customers. They give you all of the latest Beta and Release candidates of Vista, and HOURS (400+?) of dedicated, onsite consulting time from a Microsoft Engineer helping you get the build/deploy process down, ensure all of your applications work properly, etc. You give them a commitment to have X% of your desktops rolled out to Vista within Y days of release.
Now, I'm not saying this was a smart idea for my company; I'm only tangentially involved with the project, and based on everything I've read/seen I don't see much value in Vista. However, if you know you're going to release it sooner-or-later anyways, then why not take advantage of those 400 'free' consulting hours to get your apps tested and deploy processes down? If things don't work then you have a much better throat to choke (the TAP program director) then some dweeb on a helpdesk 9 months after the product is out.
I play FPS games (Doom III, Quake IV, etc) and find that I usually play the game through once w/o cheating, but on Easy/Novice mode. That lets me solve the game in a minimum amount of time, with a minimum amount of frustration.
Then, I reply the game again, in the hardest/insane mode, but this time cheating in "God" mode (all weapons, no loss of health.) That lets me see all the levels again, explore areas that I might have missed, and get right up into the bad-guy's faces, check out detail, see the 'eye candy' etc.
Don't focus on home users. You'll tire of it quickly, and you won't really learn anything of value. Focus on things that you can apply to you day job, so you can make more money during your 40-50 hours of regular work. OR, focus on getting one or two small businesses that will let you be their PC Guru that takes care of everything, and after you've built up some trust get the keys to the place so you can go in after hours.
Fixing solo PC's sucks, and doesn't really get you anywhere. Start learning how to get systems networked, ditch their piece-of-crap Belkin router, get a Linksys WRT54G and throw something like OpenWRT or SveaSoft (or not:-), and some real router/firewall experience under your belt. Better yet, convince them to get a Cisco 800-series router, if you're into networking. Convince them to do an IPSec tunnel to another location (like the owners house, and do automated backups of their data to a server you build in the guys basement.) Or perhaps work on their Windows server (or not:-), convince them to install a Linux server, or help them to some database development or some funky Excel macros, WHATEVER floats your boat. Just think about what you like / what you're good at, and use your moonlights hours to extend yor skillset. Solo end-user PC support isn't worth much more $$ than beer and/or video-game money, and trust me it will burn you out in no-time.
Yesterday evening I left my day job (sr. network engineer, 100+ routers world wide, dozen+ firewalls, IPS,etc), went to work at my next-door-neighbor's small business (10 users, one location, one server, expanding to another office with another 5 users) and pulled an all-nighter, at $75/hour, doing a ton of PC setup on the netork, adding them to the Win2k3 Domain , building a Cisco router to do an IPSec tunnel between the current and new location, etc. I made an extra $1000 in one night. (And here I am, back at my day job, posting on/. with no sleep:-) I took the skills that I have from the day job (a job which I got from years of doing PC support, server support, SOHO LAN's, remote-access VPN's, etc) and was able to max-out and provide end-to-end support, and make more $$ than I would have in a week of one-off PC support. PLUS, they were open to trying out some new Cisco IOS features that I can't try yet at the day job (e.g. SSL VPN over HTTPS for road-warrior remote access) and got to learn a ton of shit on Certificate Authorities, PKI, etc. Now I can turn those new skills around at the day job, get ahead of the other guys by being knowledgeable (and experienced!) at a new feature, etc.
Everything should be cyclical. One skill should beget another higher level skill, which should lead to more $$, which should lead to fame, fortune, and scantily clad women throwing themselves at my feet. (ok, its been 28 straight hours, gimme a break:-)
When my company was using a 3rd party "managed" firewall service, they'd always ask you three security questions before you could open a ticket, make change requests, etc. You were able to create the questions that they would ask you, and then of course specify what the correct answers were.
One of my questions was: "What is your favorite question?" My response had to be: "Shall we play a game?"
Another question I had was "What is your favorite color?" My response had to be "Red, no blue!"
Most of 'em didn't get it. I guess those two movies weren't very popular in India..
You can drive the width of the continental USA in 48 hours? Wow
A friend of mine did this (not sure exactly how long it took him, but it was basically non-stop from Los Angeles to Boston), sustaining himself solely on Jolt (sic) soda, clove cigarettes, and an old Bob Segar tape. And oh yeah, he's a non-stop talker who just waits for you to finish so he can start talking again, about whatever it is that interests him.
I imagined being in the car with him for the trip. If that's not hell on earth, I don't know what is..
MS recognized this fact. They have an "early adopter" program for corporations, which my company is participating in. Basically, the corporation, with X number of total desktops, agrees to have some number of them (for us its 1000) upgraded to Vista within Y months of the Vista release date (for us I think its 3 months.) For that, MS commits Z number of hands-on, on-site engineering support, to help with software issues, compatability, builds, etc (Vista has a somewhat cool PXE boot process for bare-metal installs; no more Ghost images.) I forget what our Z is; I'm only tangentially involved in the process.
My point is that MS is playing both fields; they give corp's resources to figure out build issues, which gets the corps running Vista more quickly (which lets MS make bigger claims about # of deployed desktops) and in turn, I'm sure, any software related issues get pushed back to the software corps for further investigation.
And, all that being said, most of us are still wondering why we're MS's guinea-pig/bitch for an OS that/really/ doesn't get us that much. (The only thing I'm looking forward to is native 802.1x supplicant support so I can do Cisco Network Admission Control (NAC). BTW, their version, called NAP, sucks wind. Secure DHCP and private IPSec tunnels to the server. ptttttphtp!)
Here in Boston area there's a grocery store chain called "Bread & Circus", which carries "whole foods" and other natural, organic, yuppie bunny-hugger type foods. However, the price is so high on these goods that two bags of groceries can routinely run you around $100, hence the moniker "Bleed and Soak Us".
Bleed and Soak Us seems apt for what the Bush Administration is doing to us, no?
Slashdot Mirror
'Scuse me Egon? You said crossing the streams was bad!
I have a strong background in security, networking, PCs/desktop (going all the way back to WFW 3.11), servers, databases, firewalls, IPS, etc, and was looking at adding Forensics to my skillset. I'm genuinely interested in the topic and think I'd be good at it if I put my mind to it, but I get the impression that it is its own microcosm of specialties that excludes being involved in other activities. (In other words, to be really good (and employable) at Forensics, I'd need to be -just- a systems forensics guy that also keeps up-to-date on almost EVERY new exploit as they're released and how they impact the end-system.)
So what I suppose I'm asking is: could some currently-employed Forensic guys/gals (or the people that are looking to hire them) please talk about what they think makes a good Forensic Engineer and who should/should not get into the field.
If you were a Klingon I believe it would involve her flinging a chair at you and then trying to bite you. Or maybe that's Ballamer's wife.
(Sign over Marketing Department): Two Drink Minimum
I remember when I upgraded to the AppleCat modem - I think it did 1200 or 2400 baud, and coupled with an file transfer utility (CatFur) written by a guy named "the Micron". I met the guy a few times a computer shows. (Hey K.!) IIRC, the utility took advantage of the applecat modem and doubled(?) transfer speeds when you had the same modem on both ends. It revolutionized pirating! I -literally- have 1000+ disks of software, text files, etc up in the attic. I just wish there was an easier way to transfer them up to my PC for permanent storage. The only way I know of is to transfer them serially via modems. Why can't someone just build a USB-to-Apple drive adapter? :-)
Deja Moo: That strange feeling you get when you think you've eaten the same hamburger before.
http://www.cyber-ta.org/releases/botHunter/
From the site: BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.
There's also a great PDF available showing a full dissection of a Storm variant.
Oh, wait.. that CIA. Yeah that's bad then.
This sentence no verb.
CSA and CTA (the subject of TFA) are two different products.
CSA is the Host-based Intrustion Prevention software. It stops any anomolous behavior.
CTA is their 'NAC supplicant' that reports back to the querying endpoint (NAC enabled switch, router, etc) about the status of the system (a/v version, is it running?, signature version, etc.)
CSA has CTA built into it, but not vice versa.
It makes sense that Cisco is open-sourcing this - the don't make money on agents, they make money on selling more hardware (NAC enabled switches), software (the Cisco Access Control Server, MARS reporting, not to mention just plain old IOS software support.)
http://www.piratelaws.com/
M$ was in my office last week, pitching some remote backup and branch-office solutions. They brought up that they've made improvements to SMB to make it 'less chatty' over the WAN, so users at the far end of a 512Kbps or T1 circuit see better performance. Their solution is SMB2, which they said is built into the kernal on Vista and also requires Longhorn server.
I blurted out 'so that means you're locking out the Linux/Samba users, huh?' They made some comment that it would be backwardly comptable, but it was obvious that they're going to try to ensure that the protocol isn't reverse-engineered the way SMB was.
Dr. Frederick Frankenstein: Igor, would you mind telling me whose brain I did put in?
Igor: And you won't be angry?
Dr. Frederick Frankenstein: I will NOT be angry.
Igor: Abby someone.
Dr. Frederick Frankenstein: Abby someone. Abby who?
Igor: Abby Normal.
Dr. Frederick Frankenstein: Abby Normal?
Igor: I'm almost sure that was the name.
Dr. Frederick Frankenstein: Are you saying that I put an abnormal brain into a seven and a half foot long, fifty-four inch wide GORILLA?
[shakes and grabs him]
Dr. Frederick Frankenstein: IS THAT WHAT YOU'RE TELLING ME?
normal Windows file sharing techniques
You realize that the reason why your ISP is port blocking "normal Windows file sharing techniques" is because of how unbelievable insecure those techniques are, and how many viruses / worms have been written to take advantage of those insecurities? They're just damn sick of allowing scads of bots probing on TCP port 137 to find systems to add to their bot collective. You're right, even if Vista does improve security and/or give us a reason to move to IPv6, they're still going to block those ports, but only so they don't have to support the network traffic created by the legions of legacy WinXP and Win98 machines that will take YEARS, if ever, to upgrade.
no enterprise customers are going to install a brand new OS without months of testing
You don't think Microsoft knows this? 10 years ago maybe, but do you actually think they're THAT stupid?
They have an early-adopter program for Enterprise customers. They give you all of the latest Beta and Release candidates of Vista, and HOURS (400+?) of dedicated, onsite consulting time from a Microsoft Engineer helping you get the build/deploy process down, ensure all of your applications work properly, etc. You give them a commitment to have X% of your desktops rolled out to Vista within Y days of release.
Now, I'm not saying this was a smart idea for my company; I'm only tangentially involved with the project, and based on everything I've read/seen I don't see much value in Vista. However, if you know you're going to release it sooner-or-later anyways, then why not take advantage of those 400 'free' consulting hours to get your apps tested and deploy processes down? If things don't work then you have a much better throat to choke (the TAP program director) then some dweeb on a helpdesk 9 months after the product is out.
Time Flies like an arrow.
Fruit Flies like a bannana.
I play FPS games (Doom III, Quake IV, etc) and find that I usually play the game through once w/o cheating, but on Easy/Novice mode. That lets me solve the game in a minimum amount of time, with a minimum amount of frustration.
Then, I reply the game again, in the hardest/insane mode, but this time cheating in "God" mode (all weapons, no loss of health.) That lets me see all the levels again, explore areas that I might have missed, and get right up into the bad-guy's faces, check out detail, see the 'eye candy' etc.
Don't focus on home users. You'll tire of it quickly, and you won't really learn anything of value. Focus on things that you can apply to you day job, so you can make more money during your 40-50 hours of regular work. OR, focus on getting one or two small businesses that will let you be their PC Guru that takes care of everything, and after you've built up some trust get the keys to the place so you can go in after hours.
:-), and some real router/firewall experience under your belt. Better yet, convince them to get a Cisco 800-series router, if you're into networking. Convince them to do an IPSec tunnel to another location (like the owners house, and do automated backups of their data to a server you build in the guys basement.) Or perhaps work on their Windows server (or not :-), convince them to install a Linux server, or help them to some database development or some funky Excel macros, WHATEVER floats your boat. Just think about what you like / what you're good at, and use your moonlights hours to extend yor skillset. Solo end-user PC support isn't worth much more $$ than beer and/or video-game money, and trust me it will burn you out in no-time.
/. with no sleep :-) I took the skills that I have from the day job (a job which I got from years of doing PC support, server support, SOHO LAN's, remote-access VPN's, etc) and was able to max-out and provide end-to-end support, and make more $$ than I would have in a week of one-off PC support. PLUS, they were open to trying out some new Cisco IOS features that I can't try yet at the day job (e.g. SSL VPN over HTTPS for road-warrior remote access) and got to learn a ton of shit on Certificate Authorities, PKI, etc. Now I can turn those new skills around at the day job, get ahead of the other guys by being knowledgeable (and experienced!) at a new feature, etc.
:-)
Fixing solo PC's sucks, and doesn't really get you anywhere. Start learning how to get systems networked, ditch their piece-of-crap Belkin router, get a Linksys WRT54G and throw something like OpenWRT or SveaSoft (or not
Yesterday evening I left my day job (sr. network engineer, 100+ routers world wide, dozen+ firewalls, IPS,etc), went to work at my next-door-neighbor's small business (10 users, one location, one server, expanding to another office with another 5 users) and pulled an all-nighter, at $75/hour, doing a ton of PC setup on the netork, adding them to the Win2k3 Domain , building a Cisco router to do an IPSec tunnel between the current and new location, etc. I made an extra $1000 in one night. (And here I am, back at my day job, posting on
Everything should be cyclical. One skill should beget another higher level skill, which should lead to more $$, which should lead to fame, fortune, and scantily clad women throwing themselves at my feet. (ok, its been 28 straight hours, gimme a break
When my company was using a 3rd party "managed" firewall service, they'd always ask you three security questions before you could open a ticket, make change requests, etc. You were able to create the questions that they would ask you, and then of course specify what the correct answers were.
One of my questions was: "What is your favorite question?"
My response had to be: "Shall we play a game?"
Another question I had was "What is your favorite color?"
My response had to be "Red, no blue!"
Most of 'em didn't get it. I guess those two movies weren't very popular in India..
A friend of mine did this (not sure exactly how long it took him, but it was basically non-stop from Los Angeles to Boston), sustaining himself solely on Jolt (sic) soda, clove cigarettes, and an old Bob Segar tape. And oh yeah, he's a non-stop talker who just waits for you to finish so he can start talking again, about whatever it is that interests him.
I imagined being in the car with him for the trip. If that's not hell on earth, I don't know what is..
to remove all vestiges of Clippy.
MS recognized this fact. They have an "early adopter" program for corporations, which my company is participating in. Basically, the corporation, with X number of total desktops, agrees to have some number of them (for us its 1000) upgraded to Vista within Y months of the Vista release date (for us I think its 3 months.) For that, MS commits Z number of hands-on, on-site engineering support, to help with software issues, compatability, builds, etc (Vista has a somewhat cool PXE boot process for bare-metal installs; no more Ghost images.) I forget what our Z is; I'm only tangentially involved in the process. My point is that MS is playing both fields; they give corp's resources to figure out build issues, which gets the corps running Vista more quickly (which lets MS make bigger claims about # of deployed desktops) and in turn, I'm sure, any software related issues get pushed back to the software corps for further investigation. And, all that being said, most of us are still wondering why we're MS's guinea-pig/bitch for an OS that /really/ doesn't get us that much. (The only thing I'm looking forward to is native 802.1x supplicant support so I can do Cisco Network Admission Control (NAC). BTW, their version, called NAP, sucks wind. Secure DHCP and private IPSec tunnels to the server. ptttttphtp!)
Here in Boston area there's a grocery store chain called "Bread & Circus", which carries "whole foods" and other natural, organic, yuppie bunny-hugger type foods. However, the price is so high on these goods that two bags of groceries can routinely run you around $100, hence the moniker "Bleed and Soak Us". Bleed and Soak Us seems apt for what the Bush Administration is doing to us, no?
But Nancy Reagan told me to just say no to drugs! Oh the conundrum!
there weren't any twelve-step programs for coffee drinkers
I'm on the 6-step program.
Its every OTHER day at time.