Thoughts for a New Leader

- 8 mins read

Series: Management

What follows is a list of thoughts crafted in an airport terminal in San Jose, California hours after completing my first attendance at the RSA Conference. This also happens to be the anniversary of my first year as a people leader in the security engineering space. (I had previously mentored and led soldiers in the US Army and in various other civilian industries including Optical Lens Manufacturing and Operational Incident Response.

RSA Day 3

- 7 mins read

Series: RSAC 2024

(Posting this a day late as I was crazy exhausted yesterday after walking nearly ten miles! I literally lay down in the room at 22:30 and woke up at 04:30 still in my clothes, lights on, etc. I think I was effectively conferenced out, and that was only Day 3!) Great tracks today and some exciting notes. Plus I got to hit the Expo floor. Here are the talks I made it to:

RSA Day 2

- 7 mins read

Series: RSAC 2024

Today was a great opportunity to see what RSA was all about. We walked over early to get badges and get checked in. The conference provided us with a decent swag pack: an RSA branded bag, a water bottle (something I hadn’t been able to find at any of the airports along the way), a notebook, a pen, a shirt, and for newbies, a “First Timer” pin. We stepped out to grab breakfast and then hit up the talk track. I had stupidly “favorited” all my talks instead of “reserving” them, so I had some quick choices to make.

Today was a travel day to RSA 2024. It started off simple enough, boarding at my municipal airport, then a puddle jumper to the nearest metro-airport, Atlanta. Luckily, as if there wasn’t enough anxiety around Boeing aircraft, our initial plane was inoperable and a secondary plane had to be found, delaying our flight. Considering Boeing’s in the business of killing whistleblowers this week, and they make roughly 90% of Delta’s fleet (Atlanta is Delta’s home turf), it didn’t look like I was going to make it west on a non-Boeing flight.

Hello_World

- 1 min read

Hello World

Welcome to my little slice of internet freedom. I hope to start moving a number of my writings here and making this a comfortable place for musings, software configuration guides, security issues and the like. After all the fight I had to get Hugo, Alpine, Proxmox, Nginx, and LetsEncrypt configured, this better be worth the trouble. Then again, is anything ever really? If anything, I learned a hundred ways to not do things, and that’s got to be worth something.

Email

- 3 mins read

300 Emails? It was 24 hours! I would have never thought as a front line manager of a small team that I could receive as much email as I do. It’s so overwhelming, I’ve taken to putting my Out of Office as “Due to the volume of email, I will be deleting all email received in my absence. Please hold important correspondence ’til my return on 3 January 2024”! So, how do we communicate to our peers and leaders if they’re also receiving this much email, or multitudes more?

Velociraptor Offline Collector

- 3 mins read

This is a living document and may be incomplete. Updated 1DEC2023

Locating Evidence of Execution using Prefetch, Velociraptor, and Zimmerman’s PECmd

Prefetch is a common Windows artifact used for determining the first and last incidences of a program being executed. This file is a binary blob stored at $:\Windows\Prefetch and consists of a series of files named APPLICATION-GUID.pf. These files contain the name of the executable, the last n run date-time groups, a hash of the executable and path, and a list of files accessed by the .

Show And Tell

- 10 mins read

Once a week, our security team gathers everyone into a meeting and shares the last week’s worth of security-related news and any new security initiatives. This one hour may be the most valuable meeting we attend and has the greatest impact on successful security outcomes. What is it? We call ours a Security Show & Tell. (You can call it whatever fun and exciting name fits your corporate culture.) Regardless of the name, the goal is to set aside an hour each week to share three kinds of security stories and our response to them.

2023.10.17.News You Should Know

- 4 mins read

- CDW investigating ransomware gang claims of data theft (therecord.media) - #Ransomware #ThreatActor - CDW acknowledges breach of a subsidiary of a division of a business area. Threat actors miffed over $1m offer after $80m demand.
- HTTP/2 ‘Rapid Reset’ zero-day exploited in biggest DDoS yet • The Register - #Research #ThreatActor - Largest ever DDoS…from smallest ever botnet? 20k bots (multitudes smaller than previous botnets) were able to abuse HTTP/2 streaming to request hundreds of assets from a server over a single TCP connection (a feature of HTTP/2), then cancel those requests midstream and request a hundred assets again.

LibWebP (CVE-2023-4863)

- 6 mins read

Here is a non-exhaustive list of possible mitigations to prevent the exploitation of CVE-2023-4863 in the LibWebP library. This library has a heap buffer overflow reachable across all operating systems, most browsers, and an exceptional number of Electron framework applications. This CVE is rated a 10 after previously being rated 8.8. The lower rating stemmed from the original disclosure from Google stating that Chrome was the only affected application. After investigation, it was discovered that all instances of the LibWebP library were vulnerable across all platforms.