Internet Security Tip #6: Keep a day book

During an incident, and when investigating potential incidents, record EVERYTHING on paper.

Timestamp every note with the time, date and location of whatever you’re noting down. If you are talking to someone, record their name and any identification they provide. Keep note of who is present at any activity you are performing during the investigation. If you remember something during the day, diarise it in the day book. If you’re looking at traffic, record IP addresses and anything else you can, in enough detail that you will still remember what happened potentially 5 years down the track.

Make sure that your day book is stored in a way that means it cannot be electronically manipulated or read. Remember that you’re using it to record events that may wind up being used in evidence; if there is any potential for it to be tampered with by the person(s) you’re investigating, your evidence may be thrown out of court.

During an investigation of a confirmed compromise, your day book should be the only place you record notes. All internal communication should be done without corporate email accounts and not using corporate PABX systems. Behave as if every corporate asset is potentially compromised until such time as you can prove that it isn’t.

About Me.

I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation of and successful conviction of David Noel Cecil – “Evil, The NBN Hacker”.

This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective; however, they are just as applicable to corporate and government networks.

I currently work with several Australian telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission critical infrastructure.

If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!

Shoot me an email – david@hooton.org or grab me on Social Media for more information.

Internet Security Tip #5: Network Monitoring

If a tree falls in the woods and nobody is there to hear it, does it make a sound? If you don’t have an appropriate network and security monitoring solution operating 24 x 7 on your network, you are flying blind.

Network monitoring should monitor everything on your network, but only alert on anomalies, to avoid operations teams being overwhelmed with alarms. It is very important to monitor not only the ports that you’re expecting servers to answer on, but also the ports that you’re not expecting them to answer on. A server which suddenly starts answering on port 3309 when it has no business doing so is more important to investigate than one which has stopped answering on an expected port: the new listener is surely a sign of something you need to investigate.

Network monitoring should be done from more than one location. It should provide internal, external and privileged views of your network to ensure that you are completely aware of what is going on.

Monitoring is not just about ICMP packets and testing for open ports; it is also about watching logs and traffic. Security information and event management tools are great weapons that provide a very deep awareness of what is going on inside your network. These tools often provide early warnings of issues you would otherwise be completely unaware of, allowing you to act before a compromise ever happens. They are not cheap, but there are some open source options out there.
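The "alert on anomalies, and rank a new unexpected listener above an expected port going quiet" idea above, as an added example that is not part of the original article: each host's `ss -ltn`-style listener output is diffed against an expected baseline. The hosts, ports and captured snapshots are constructed for the example, and the `ss` layout is assumed to be the standard header plus one LISTEN row per socket.

```python
"""Anomaly-only port alerting: parse `ss -ltn`-style listener output per host,
diff it against the expected baseline and rank deviations the way the tip does
(an unexpected new listener outranks an expected port going quiet).
Hosts, ports and the snapshots are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Expected TCP listeners per host (constructed baseline).
BASELINE: Dict[str, Set[int]] = {
    "web01": {22, 80, 443},
    "db01": {22, 3306},
    "mail01": {22, 25, 587, 993},
    "vpn01": {22, 443},
}

# Constructed snapshots in the layout `ss -ltn` prints; vpn01 returned nothing.
SNAPSHOTS: Dict[str, str] = {
    "web01": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
LISTEN 0      511    [::]:443          [::]:*
""",
    "db01": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    0.0.0.0:3309      0.0.0.0:*
""",
    "mail01": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*
LISTEN 0      100    0.0.0.0:587       0.0.0.0:*
""",
}


@dataclass(frozen=True)
class Alert:
    host: str
    port: int      # 0 when the whole host is silent
    kind: str      # unexpected_listener | expected_port_down | host_silent
    severity: str  # high | medium


def parse_ss_listeners(text: str) -> Set[int]:
    """Collect the port from the Local Address:Port column of LISTEN rows."""
    ports: Set[int] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header, blank line or a non-listening socket
        ports.add(int(fields[3].rsplit(":", 1)[1]))  # handles [::]:443 too
    return ports


def diff_ports(baseline: Dict[str, Set[int]], snapshots: Dict[str, str]) -> List[Alert]:
    """Only deviations from the baseline become alerts; a clean host is silent."""
    alerts: List[Alert] = []
    for host in sorted(baseline):
        if host not in snapshots:
            # No snapshot at all: treat like every expected port going quiet.
            alerts.append(Alert(host, 0, "host_silent", "medium"))
            continue
        expected, seen = baseline[host], parse_ss_listeners(snapshots[host])
        for port in sorted(seen - expected):
            alerts.append(Alert(host, port, "unexpected_listener", "high"))
        for port in sorted(expected - seen):
            alerts.append(Alert(host, port, "expected_port_down", "medium"))
    # High-severity first, then by host and port for a stable report.
    alerts.sort(key=lambda a: (a.severity != "high", a.host, a.port))
    return alerts


if __name__ == "__main__":
    for a in diff_ports(BASELINE, SNAPSHOTS):
        print(f"[{a.severity:6}] {a.host:7} {a.kind:20} port {a.port}")
```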

Internet Security Tip #4: Backup Logs are Your Friend

Backup logs are the canary in the coal mine. They provide an amazing level of passive situational awareness. If they stop coming in from a server, there’s something wrong. If a critical operating system file is changed, you can see exactly what was changed and you can download a copy of the altered binary before you ever have to log in to the potentially compromised box.

Backup logs are one of the best tools in your ongoing operational security process, and yet they are more often than not deleted or ignored entirely. One of the best security investments you can make is to build or buy a backup log parser or security event monitor that alerts you to files which have been modified unexpectedly.

One of the biggest mistakes you can ever make is to miss out on the treasure trove of information that analysing backup logs can provide.
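The backup log parser the tip suggests building, as an added example that is not part of the original article: it reads a nightly backup job's per-file log, flags critical OS files whose checksum differs from the last known-good run, and flags hosts whose logs have stopped arriving. The log format, host names, paths, checksums and the "current time" are all constructed for the example rather than taken from any real backup product.

```python
"""Backup-log canary: parse a nightly backup job's per-file log, flag critical
OS files whose checksum differs from the last known-good run, and flag hosts
whose backup logs have stopped arriving.  Log format, hosts, paths, checksums
and NOW are constructed for the example, not a real product's output."""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    when: datetime
    host: str
    path: str
    digest: str


# Constructed log format: "<date> <time> <host> <path> <sha256>", one line per
# file the backup agent copied.  Digests are shortened placeholders.  mail01
# sent nothing last night, and web01's sshd binary no longer matches baseline.
SAMPLE_LOG = """\
2012-06-22 02:00:11 web01 /bin/ls aaa1
2012-06-22 02:00:12 web01 /usr/sbin/sshd ffff
2012-06-22 02:00:13 web01 /home/alice/report.doc 1234
2012-06-22 02:05:01 db01 /bin/ls aaa1
2012-06-22 02:05:02 db01 /usr/sbin/sshd bbb2
"""

# Last known-good checksums of critical OS files per host (constructed).
BASELINE: Dict[str, Dict[str, str]] = {
    "web01": {"/bin/ls": "aaa1", "/usr/sbin/sshd": "bbb2"},
    "db01": {"/bin/ls": "aaa1", "/usr/sbin/sshd": "bbb2"},
    "mail01": {"/bin/ls": "aaa1", "/usr/sbin/sshd": "bbb2"},
}
CRITICAL_PATHS: Set[str] = {"/bin/ls", "/usr/sbin/sshd"}
NOW = datetime(2012, 6, 22, 8, 0, 0)  # constructed "time the check runs"


def parse_backup_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than abort the run
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        records.append(Record(when, parts[2], parts[3], parts[4]))
    return records


def silent_hosts(records: List[Record], expected_hosts: Set[str], now: datetime,
                 max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Hosts with no backup log line within max_age: the canary stopped singing."""
    last_seen: Dict[str, datetime] = {}
    for r in records:
        last_seen[r.host] = max(last_seen.get(r.host, r.when), r.when)
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_age)


def modified_critical_files(records: List[Record], baseline: Dict[str, Dict[str, str]],
                            critical: Set[str]) -> List[Tuple[str, str, str, str]]:
    """(host, path, expected_digest, observed_digest) for critical files that changed."""
    hits = []
    for r in records:
        if r.path not in critical:
            continue  # user data churns every day; only OS files are alerted on
        expected = baseline.get(r.host, {}).get(r.path)
        if expected is not None and expected != r.digest:
            hits.append((r.host, r.path, expected, r.digest))
    return hits


if __name__ == "__main__":
    recs = parse_backup_log(SAMPLE_LOG)
    for host in silent_hosts(recs, set(BASELINE), NOW):
        print(f"ALERT no backup log from {host} in the last 24h")
    for host, path, old, new in modified_critical_files(recs, BASELINE, CRITICAL_PATHS):
        print(f"ALERT {host}:{path} changed ({old} -> {new}); pull the backup copy")
```

A changed digest on a critical path is the cue to retrieve that file from the backup set for analysis before anyone logs in to the host.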

Internet Security Tip #3: Always Be Patching

Operating system vendors release updates regularly that fix problems with their software. Those problems might be something that stops the mouse from being able to click on a button (usability issue), or they might be a security hole that allows an attacker to take control of your machine.

Keep everything religiously updated, and keep records of who does upgrades and when they are done. This is thankless work, but it is critical to ensure that your network is kept secure. I can’t tell you how many machines I log into which are running web browsers that are 5 or more years old; these machines are sitting ducks that will do nothing for the number of hours of sleep you get a night.

I am not a fan of auto patching due to the potential risks it creates; however, something is better than nothing, especially on a Windows network.

Internet Security Tip #2: Have Good Backups

Whether you’re a small business with 300 Word documents and a terabyte of your receptionist’s MP3s, or a global internet security firm serving Fortune 500 companies, you need to have backups.

Backups must never be stored on the same medium as your primary data. Backups must be stored in more than one place. Backups should ideally be kept on more than one medium. Backups should ideally collect everything on every machine and device in your network including the configurations of network switches, routers and SANs.

Sometimes, due to the sheer number of PCs on a network, it is cost prohibitive to back up entire PCs. In this situation compromises need to be made, perhaps only backing up core operating system files. There are quite a few backup platforms which can store identical operating system binaries very efficiently; I would strongly urge you to investigate them if you are in this position.

If you have network based backups and are storing them on network attached storage, make sure you’ve got more than one storage subsystem and that you can take one of them offline in the event of a compromise until the investigation is complete. Backup data is an invaluable source of forensic information for both you and the police in the event of a compromise; guard it with your life!

Test your backups regularly. Know how long it takes to restore 1Tb of data. Know how many Tb of critical data there is on your network. Do you have a plan for restoring onto different hardware in the event of your hardware failing or being seized by police?

Remember – Practice makes perfect. You need to drill this stuff frequently and know what your options are when your primary course of action fails.

Internet Security Tip #1: Have a Plan

Have an Internet Security Incident plan that is securely documented and kept offline in multiple hard copies. Make sure the plan is regularly discussed, updated and rehearsed by your key operations team.

The plan should include everything from equipment backup and build procedures through to a customer communications and media management plan. Just the act of creating a proper incident management plan and your staff being trained in its processes can save you thousands of dollars in downtime and confusion when an incident happens.

When you are making the plan, imagine what would happen in Hollywood. Think of stuff that seems inconceivable, like being in the media non-stop for a fortnight and your customers being unable to contact you.

Work out how to handle these worst case scenarios in the most graceful and strategically positive way possible, document it and train your people. It often makes sense to have an external facilitator who can look at your plan from an outsider’s perspective.

Now you’ve got your plan, what do you do with it? Does it sit on the shelf and gather dust? I hope not; it should become a part of your daily operations. Security is not an event, it is a culture which must be trained into your whole team.

10 Tips on Preparing for & Responding to Internet Security Incidents

Every connected business will have an internet security incident at some stage in its life, most likely many more than one. Sadly most businesses are unaware that they have been compromised until disaster strikes or they are notified by external parties.

The good news is that if you do a few very simple things you can avoid disaster and help the police to catch those responsible.

Internet Security: YOUR Responsibility

Let’s address a line that businesses and IT managers use when talking about internet security:

“I don’t have anything of value on my network, I don’t need to be worried”

Even a small business with 3 PCs, no server and 3 mobile phones is valuable to someone looking for spare CPU cycles and connectivity for their botnet. If your data is boring and useless to anyone but you, think about the value that the equipment and network your boring data is stored on could bring to someone else with 99,999 other boring networks like yours in their control.

The other side to that coin is responsibility. If your network is compromised, you may well be providing a gateway for other corporate networks with much more exciting data (like your bank or credit card provider), leaving you responsible for someone else’s pain and anguish.

Put simply, we are all responsible for security on the internet. Doing anything other than the right thing can leave you personally responsible for the outcomes, you DO need to be worried.

Internet Security: Be Prepared

Over the next 10 weeks I am going to be writing a series of 10 tips to help you prepare for & respond to internet security incidents.

Here are my top 10 tips for Internet Security Incident Readiness:

  1. Have a Plan
  2. Have Good Backups
  3. Always be Patching
  4. Backup Logs are Your Friend
  5. Network Monitoring
  6. Keep a Day Book
  7. If you notice something, don’t act
  8. Call for Help
  9. Protect Yourself
  10. Front Foot

Follow me on Twitter, Facebook or Linked-in to receive my internet security tip series every Monday for the rest of the year.

Product Development – Perfection is the enemy of progress

Perfection is the enemy of progress for all product development people and sadly it’s an enemy that many are losing their battle with. If you are a coder, hardware nerd, product developer, entrepreneur, or anyone else who creates products, you really need to read this blog post by Andrew Chen and take it to heart.

It seems like the last year or so has increasingly thrown me into the path of people who have been afflicted by the self delusion, doubt and stalled products that Andrew’s article so eloquently discusses. This issue has become quite personal to me because I am watching so many smart people miss out on awesome opportunities with no good reason.

The first thing you need to take away from that article is that you and your customers see your products from totally different perspectives. What you see as a feature, they see as a bug and what you see as imperfection, they often don’t notice at all.

No product is a wild success on its first release. Product development requires trial, error, measurement and most importantly validation that the product is answering the needs of a large enough customer base for it to become commercially successful.

To do this you need customers! Real people who need and want your product. People who are going to give you real honest feedback in the most honest possible way – with their wallets. If you believe that you are good enough to release a holy grail product without the failure and feedback that comes from having real customers using/breaking/loving/hating your product you’re crazy.

With the people I’ve met and spoken to so far, this behaviour comes from some or all of the following:

  • Fear of criticism
  • Lack of confidence
  • Lack of perspective
  • Inflexible assumptions

Imagine if you ran your product development process in a way that makes you the subject matter expert on your product. You’ve spent time with and developed a group of people from your clearly defined target market (you do have one, don’t you?). They have told you what ails them and what they would pay for a solution to that problem. You have bounced ideas off them and come up with a minimally featured, non-working pre-alpha product. They have provided you with feedback which helped you to modify your plans and release a working alpha product which they are even prepared to pay you for! Success is surely not far off.

In this imaginary world the fears, lack of perspective and inflexible assumptions of the people I’ve been meeting don’t materialise. This is because you’ve stopped and taken the time to ensure that you’re building the right product. You have confirmed that the problem you’re solving actually exists. You’re no longer spending your life justifying your own opinions because you know what you’re talking about and have evidence to back it.

The only thing that involving your customers doesn’t fix (at least initially) is lack of confidence. Getting out of the office and talking with customers is a critical process. Every single person who creates things must do it regularly in order to remain relevant in their role. Once you’ve done it a few times it becomes easy, you will find that the people you’re talking to become excited to talk with you because you’re helping to make their lives easier.

People with stuck or failing products more often than not have an ad-hoc and unplanned product development process, and they are almost always so consumed with “doing stuff” that they miss the point of why they are building the product in the first place – to serve their customers’ needs. This never ends well.

If you have a product that’s stalled, stop working on it now! Get out of your mum’s basement! Go and visit your customers! This does not mean jump on IRC and ask your mates what they think, or email a couple of customers asking their opinion. It means physically going out to have a cup of coffee with your customers.

If you don’t know what to say, tell them you’re working on new products for your company and you’re looking for ways to make your customers lives easier. Ask them what makes their job hard or uncomfortable. Don’t offer solutions, just listen and take notes, your customers will know what you should be doing.

If you’re stuck and you need a hand breaking out of a project that just won’t finish, I have helped a bunch of businesses take products out of their mothers’ basements and release them into the real world. I can help you too – drop me a line.

David Cecil – ‘Evil’ the NBN hacker jailed

What started as an investigation into a misbehaving DNS server in December 2010 grew into a multinational Australian Federal Police operation and media circus covering the “NBN Hacker”, culminating in the successful arrest, conviction and sentencing of David Cecil (who went by the online moniker “Evil”) today in Orange District Court.

ITNews Article – “Evil” Platform hacker jailed: http://t.co/oGZ9S6pB

There has been much spectacular and often misinformed reporting on this case. The sad thing is that this kind of case is not a rare event; system compromises happen all the time to businesses large and small all over the world. What is unique about this case is that there has been an arrest and subsequent conviction.

When we discovered the problem we did what others fail to do – we took an evidence based approach: we observed, collected data and sandboxed the risk over a 7 month period, and we were not afraid to stand up and be named. This approach allowed us to assist the AFP in achieving a successful conviction, and ensured that we were able to protect our customers and the internet in general from the risks that the investigation was monitoring.

Now that the case is over and I am able to talk about more of the operational details, I plan to write up a case study covering the key learnings I took away from the case, along with some suggested processes that can be followed if you are ever confronted with a similar situation.

If you’re impatient and want the information faster than I can write it, please feel free to drop me an email or give me a call.

Judgement – issued today:

Date of Listing: 22 Jun 2012 before Judge A Blackmore at District Court – Crime, Orange
Appearances:
  • Cecil, David Noel, Accused
  • NSW Police, Prosecuting Authority
Offence:
Actual offence – Unauthorised access/modification of restricted data
2011/00241456-001, 2011/00241456-004, 2011/00241456-005, 2011/00241456-008, 2011/00241456-009, 2011/00241456-011, 2011/00241456-015, 2011/00241456-018, 2011/00241456-019, 2011/00241456-020, 2011/00241456-024, 2011/00241456-036, 2011/00241456-037, 2011/00241456-042, 2011/00241456-043, 2011/00241456-044, 2011/00241456-045, 2011/00241456-046

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 6 months to commence on 5 April 2012 and expiring on 4 October 2012

This sentence is Concurrent with other sentences being served by the offender.

The offender is sentenced to a period of 6 months (fixed) full time imprisonment to commence on 5 April 2012. These 18 sentences are to be served concurrently.

Offence:
Actual offence – Cause unauthorised modification of computer data 2011/00241456-049

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 2 years to commence on 5 July 2012 and expiring on 4 July 2014 with a non-parole period of 12 months. The offender is to be released to supervised parole when the non-parole period expires.

This sentence is Partly concurrent with other sentences being served by the offender.

There is to be a partial accumulation of the two unauthorised modification of data to cause impairment charges.

The offender is sentenced to a period of 2 years imprisonment to commence on 5 July 2012. There is to be a non-parole period of 12 months.

During the period of the recognisance the offender is to accept the direction and supervision of the NSW Probation and Parole Service.

Offence:
Actual offence – Cause unauthorised modification of computer data
2011/00241456-050

Sentence:
The offender, David Noel Cecil, is sentenced to a term of imprisonment of 2 years to commence on 5 October 2012 and expiring on 4 October 2014 with a non-parole period of 12 months. The offender is to be released to supervised parole when the non-parole period expires.

This sentence is Partly concurrent with other sentences being served by the offender.

The offender is sentenced to a period of 2 years imprisonment to commence on 5 October 2012. There is to be a non-parole period of 12 months.

During the period of the recognisance the offender is to accept the direction and supervision of the NSW Probation and Parole Service.

The demise of Fairfax

The demise of Fairfax, nice writeup by Paul Budde http://t.co/MrYicnex

This is like watching a very large sinking ship, or one of those slow motion “train hitting a broken down car” movies. Fairfax appear to be completely lacking any understanding of their customer base and how to pivot in order to monetise a shift toward digital content.

Fairfax – I’ll give you this for free:

  • Paywall based news sites lose customers.
  • Lost customers do not come back.
  • You need to stop thinking about yourself as a print media business that trades in “words”.
  • You trade in content.
  • Content these days moves and also follows your consumers EVERYWHERE.
  • Content these days rarely costs the viewer anything.
  • Niche, customisable content and communities that develop around that niche content are what generate revenue and stickiness.
  • Build a user generated news content site, turn the news into a bidirectional communication process that users both contribute to and consume and maybe you’ll be in business in 2 or 3 years time.

Go and open up a newspaper from 80 years ago: it looks like a really weird version of the Trading Post and is mostly announcements and advertisements. Compare it to a newspaper from today: there is lots of immersive content, still some adverts, and there’s a teeny, tiny (dying) section at the back (classifieds) which still resembles the original newspapers. Now is the time to find your new content type and to monetise it, FAST.

Want help?  Get out of the office, go and visit your consumers. Listen to them.  Ask them how to fix this problem. You do know who they are don’t you?

Once you’re done, ask the guys who you just fired how to fix your business. I’m willing to bet that all the answers you need are sitting in both your customers’ and ex-employees’ minds.