Invigorate Postini

One of the best features of Postini is the ability to write custom content filters. I leverage these to snipe spam that Postini doesn’t catch. One of my most effective (24,000+ caught in 42 days) is a filter I’ve titled ‘invigorate:’

Subject Line matches regex “(Viagra|Cialis)” AND Body contains text “http://”

This will catch anything with either “viagra” or “cialis” in the subject line and a hyperlink anywhere in the body.
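As an added illustration (not part of the original post, and not Postini's own engine), the two-clause rule can be reproduced as a small evaluator run over a handful of constructed messages. It assumes the subject regex is matched case-insensitively, which is how the post describes the filter behaving ("viagra" or "cialis"), and shows why the AND with the body clause matters: a legitimate message that mentions one of the drug names but carries no link is left alone.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    subject: str
    body: str


@dataclass
class ContentFilter:
    """One content filter in the shape of the 'invigorate' rule:
    subject must match a regex AND body must contain a literal string."""
    name: str
    subject_regex: str
    body_contains: str

    def matches(self, msg: Message) -> bool:
        # Assumption: the subject regex is applied case-insensitively, as the
        # post says lower-case "viagra"/"cialis" are caught by "(Viagra|Cialis)".
        if not re.search(self.subject_regex, msg.subject, re.IGNORECASE):
            return False
        # Body clause: plain substring test, also case-insensitive (assumption).
        return self.body_contains.lower() in msg.body.lower()


# The rule from the post, expressed as data.
INVIGORATE = ContentFilter(
    name="invigorate",
    subject_regex=r"(Viagra|Cialis)",
    body_contains="http://",
)

# Constructed sample messages (not real mail); .invalid domains are reserved.
SAMPLE_MESSAGES = [
    Message("Cheap VIAGRA today!!!", "Order now at http://pills.example.invalid/"),
    Message("Re: cialis prescription question", "Hi doc, is the generic okay? Thanks."),
    Message("Meeting notes", "Slides are at http://intranet.example.invalid/notes"),
    Message("cialis & Viagra discount", "visit http://deals.example.invalid now"),
]


def apply_filter(flt: ContentFilter, messages: list[Message]) -> list[str]:
    """Return the subjects of every message the filter would quarantine."""
    return [m.subject for m in messages if flt.matches(m)]


if __name__ == "__main__":
    for subject in apply_filter(INVIGORATE, SAMPLE_MESSAGES):
        print(f"[{INVIGORATE.name}] caught: {subject}")
```

Message two is the interesting case: it names the drug in the subject but has no hyperlink, so the rule passes it through, which is the false-positive guard the body clause buys you.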

Sometimes the simplest things are the most effective.

When the money is gone

This year we’ve had to take a chainsaw to our security budget and jettison literally everything except maintenance upkeep.

This presents a good opportunity to go through and clean house. One of the things I’ve started is to bring all appliances to the same software version, across the board. Another thing I’m doing is auditing configs and ensuring all security devices and appliances are syncing time and are all on GMT time zone, which makes event correlation much easier across disparate devices.
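To show why putting every device on the same clock and time zone pays off in correlation, here is an added example (my own, not anything from the post or from a particular product). It takes three constructed log events from devices that each report in their own configured local time zone (the per-device offsets are an assumption for the demo), normalizes them to UTC, and groups events that land within a short window. Sorted by their raw local timestamps the events look hours apart; normalized, they are five seconds apart and clearly one incident.

```python
from datetime import datetime, timedelta, timezone

# Assumed per-device time zone configuration (constructed for the demo).
# In a tidy environment every entry here would be timezone.utc.
DEVICE_TZ = {
    "fw-east": timezone(timedelta(hours=-4)),   # reports in EDT
    "ids-west": timezone(timedelta(hours=-7)),  # reports in PDT
    "proxy-dc": timezone.utc,                   # already on GMT
}

# Constructed sample events: (device, local timestamp as logged, message).
RAW_EVENTS = [
    ("fw-east", "2008-08-12 14:05:01", "deny tcp 10.1.1.5 -> 203.0.113.9:445"),
    ("ids-west", "2008-08-12 11:05:03", "SMB probe alert from 10.1.1.5"),
    ("proxy-dc", "2008-08-12 18:04:58", "GET http://203.0.113.9/ from 10.1.1.5"),
]


def to_utc(device: str, local_ts: str) -> datetime:
    """Attach the device's configured zone to its naive timestamp, convert to UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=DEVICE_TZ[device]).astimezone(timezone.utc)


def naive_order(events):
    """What you get if you sort on the raw strings: misleading ordering."""
    return [device for device, _, _ in sorted(events, key=lambda e: e[1])]


def normalize(events):
    """Return (utc_time, device, message) tuples in true chronological order."""
    return sorted(
        ((to_utc(device, ts), device, msg) for device, ts, msg in events),
        key=lambda e: e[0],
    )


def correlate(events, window_seconds: int = 10):
    """Group normalized events whose UTC times fall within window_seconds of
    the previous event; each group is a candidate single incident."""
    groups = []
    for event in normalize(events):
        if groups and (event[0] - groups[-1][-1][0]).total_seconds() <= window_seconds:
            groups[-1].append(event)
        else:
            groups.append([event])
    return groups


if __name__ == "__main__":
    print("raw-string order:", naive_order(RAW_EVENTS))
    for group in correlate(RAW_EVENTS):
        print(f"--- incident spanning {len(group)} events ---")
        for utc_time, device, msg in group:
            print(f"{utc_time.isoformat()}  {device:9s}  {msg}")
```

The `DEVICE_TZ` table is the workaround you have to carry as long as devices disagree on zone; once everything logs in GMT the table collapses to a single entry and the `to_utc` step becomes a no-op.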

I’ve also been tuning HIPS rules and looking for places to be more creative with protection (like web browser protection rules).

This is also a good time to audit OS patching mechanisms, ensuring that all hosts are checking in, downloading and installing all updates, etc. The same goes for your AV software.

Lastly, this is a great opportunity to either audit existing policies or start implementing new ones. One of the biggest hurdles in implementing policies is the flaming, bureaucratic hoops that have to be jumped through in order to get a policy implemented. Now that we have no money to purchase new gear, I can focus more time on that.

where once sat a blog

This used to be a moderately maintained blog but I’m not sure what it has become, other than a collector of Internet dust.

What to do, what to do?

My first Black Hat

I attended Black Hat for the first time this year. I took two training sessions before the briefings; Hacking By Numbers by Sensepost and Enterprise Security from Day 1 by Chris Conacher. Both presentations were well done, though Hacking by Numbers was more exciting of course, because of the hands-on.

The briefings were also very good. The DNS presentation by Dan Kaminsky was a full house and well presented but for the life of me I don’t understand the man’s icon status. Evidently there was a life-sized picture of him at the Core party for pictures. WTF?

The main point I got from his presentation though was just how widespread the DNS problem is simply because nearly everything that uses the intarwebs relies on DNS and if you can pwn DNS, you win big time. Consider a case where I hack Comcast’s DNS server for the east coast. I then shift all traffic destined for Bank of America through my servers. So what if my certificate generates errors. A high percentage of users will click past the warning anyway. And why stop there? I’ll also set up a Sendmail server that will intercept all email to and from Bank of America. I’ll keep copies of everything and rummage through it at my leisure.

Ah but I digress. This post is about Black Hat, not DNS vulnerabilities.

I also sat in on most of Fyodor’s presentation on NMAP and scanning the Internet. He’s a good presenter and of course his material was great. Unfortunately he preceded Kaminsky so people (including myself) started walking out early to get a seat for the DNS presentation.

Black Hat has grown to such an extent that Caesars Palace is building them a structure for the meals so that we don’t have to eat in the tents any longer (which wasn’t bad at all). The organization of the conference was well done. There were very few technical glitches and for me all the presentations started pretty much on time. They kept us well fed and there was plenty of motor oil coffee to keep us caffeinated.

I kept in contact with a group of colleagues using Twitter. The group is affectionately named SecTwits by Jennifer Leggio, aka mediaphyter. Several of us posted snippets from various presentations so that people following us but not at the event could partake as well. We also used Twitter to meet each other and to organize outings (though I skipped out on these yet again, damn my priorities).

All in all I got a lot of good information out of Black Hat and will likely go again. Though next time I’ll not do the training and instead go just for briefings. That way I spend less time in Vegas and can stomach another three days to also attend Defcon, which I skipped this year. Vegas has lost its class and since I don’t gamble, it’s hard to take the non-stop assault on the senses.

I hope to post a summary from the DNS presentation shortly. It is a big deal and I originally thought that as long as our DNS servers are patched, we’d be okay. Silly me.

I have joined the herd…

…and so far I haven’t found the Blackberry killer I sought. iPhone