Robert Hensing's Blog
Software Security . . . and stuff.
Why you shouldn't be using passwords of any kind on your Windows networks . . .
Posted over 9 years ago by rhensing (133 comments)
Edited 10/18/2004: This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response. I never imagined my first ever post would be as controversial or as widely...
Hybrid sleep in Vista and S0 - S5 explained
Posted over 6 years ago by rhensing (1 comment)
Okay it's time for another shameless 'wow - Vista rocks' type blog post. :) So I have a notebook and a desktop that I use with Vista daily. I've never really sat down to investigate 'hybrid sleep' or what it is or how it works until this weekend (I admit...
DEP on Vista exposed!
Posted over 6 years ago by rhensing (6 comments)
This is going to be a looooong blog - but it's one that I've been meaning to post for a loooong time now. My hope is that you will learn something you didn't previously know about DEP and Vista or both and that you will, after reading this blog, re-configure...
Advanced hiding techniques: The mystery of the trojaned Winlogon.exe
Posted over 8 years ago by rhensing (25 comments)
So the war between the miscreants and the first responders / incident responders is just that - it's a war with casualties (servers, workstations, work life / home life balance) and it is complete with an arms race in the form of stealthing (miscreants...
The silent war - combat evolved: Hacker Personas
Posted over 9 years ago by rhensing (31 comments)
Okay, yes, I admit - I'm a little too excited about Halo 2 (note to XBox geeks out there, schedule your vacation NOW for around the launch of Halo 2 in November and make sure your XB live account is paid and up to date), but that is a fitting title for...
Windows Server 2003 spanks Red Hat's monkey?
Posted over 8 years ago by rhensing (32 comments)
Interesting information from RSA, it's nice to see someone other than me notice the pure creamy goodness of WS2003 for once (I've noticed it from the incident response side of things by noting a marked absence of WS2003 hacking cases over the last 2 years...
Rootkit Revealer vs. Hacker Defender - How the miscreants are defeating Rootkit Revealer and how to fight back
Posted over 8 years ago by rhensing (27 comments)
So over the last week we've started to get cases where Rootkit Revealer (having been downloaded by the customer) is not detecting any hidden files / folders / registry entries on the customer's machine; yet our own rootkit tools we supply with our IR toolkit...
Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?
Posted over 8 years ago by rhensing (17 comments)
Edited 2/25/2005 to examine the multiple definitions of the word 'rootkit', added information on a LUA-friendly rootkit for the LUA folks to ponder (LUA - Limited User Account), and added some thoughts on how they could mess with AV software. :) So this...
Anatomy of a Veritas BackupExec Agent Browser hack via TCP 6101
Posted over 8 years ago by rhensing (16 comments)
I've gotten some really great feedback on my blog now that I'm actually blogging about incident response topics - I appreciate the feedback, keep it coming! So we here in PSS Security are tied into the security incident response community fairly well...
VBootkit vs. Bitlocker in TPM mode
Posted over 6 years ago by rhensing (8 comments)
So at HITB in Dubai this week - some researchers announced a proof of concept 'bootkit' for Vista. A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the...
Anatomy of a WINS server hack (MS04-045) . . .
Posted over 8 years ago by rhensing (20 comments)
Okay - so here is my analysis of a recent WINS hack a customer experienced. The customer caught this by analyzing their netflow data from their routers . . . they suddenly started sending tremendous amounts of packet love and affection to various IP's...
Vista resume sluggishness?? (still investigating . . . )
Posted over 6 years ago by rhensing (4 comments)
UPDATE 7/10/2007 : Mea culpa! So after I originally blogged this, I went to the ReadyBoost team to find out more about possible performance issues with ReadyBoost and they were kind enough to help me troubleshoot things further. Before starting some tracing...
MOICE - Microsoft Office Isolated Conversion Environment
Posted over 6 years ago by rhensing (3 comments)
A couple weeks ago I did a lightning talk with David LeBlanc at Bluehat for MSFT employees about MOICE. MOICE is the Microsoft Office Isolated Conversion Environment. What the hack is that?!? Well it's no secret that Office was used in some targeted...
More miscreant hiding techniques and some interesting observations on the Hacker Defender rootkit . . .
Posted over 8 years ago by rhensing
My last blog post was about miscreant hiding techniques . . . unfortunately one can probably write a book devoted to some of the more popular techniques . . . I'm just going to blog from time to time about the ones my team is encountering (call it miscreant...
Miscreant hiding techniques: Would the real explorer.exe please stand up? And the relevance of 1979 when doing searches . . .
Posted over 8 years ago by rhensing (6 comments)
At long last - a blog post about Incident Response in the self-proclaimed 'Incident Response' blog! Before I finally crash for the night there are two things I wanted to bring to the attention of folks interested in Windows IR that my team has come across...
Robert Hensing’s Incident Response Blog – Reloaded
Posted over 8 years ago by rhensing (11 comments)
After nearly 7 years in Product Support Services helping our customers on issues ranging from debugging IIS failures, to identifying performance issues to helping customers with security investigations I have taken on a new challenge and accepted a job...
WOLF sizes up the MySQL bot / worm / spreader thing . . . a live system perspective
Posted over 8 years ago by rhensing (12 comments)
So it seems that there is a new MySQL bot that is spreading to Windows machines running MySQL with weak SA (or whatever MySQL's equivalent is) passwords. You can read more about it here http://news.zdnet.com/2100-1009_22-5553570.html and here: http:/...
Password vs. Passphrase redux
Posted over 9 years ago by rhensing (12 comments)
So today Jesper Johansson, a gentleman whom I have the pleasure of speaking with on occasion, has posted his 2nd installment on the topic of passwords here. I encourage you all to read it - in this installment he goes deep into the math and science behind...
Strange DLLHost crashes on Vista
Posted over 6 years ago by rhensing (1 comment)
EDITED: 7/22/2007 I have traced the problem to Urge . . . I buy music from MTV Urge and it installs some components that appear to be responsible for the crash. Moreover I discovered that there are two dllhosts on a 64bit version of Windows - there is...
Microsoft does 733t speak . . . it's like an SNL skit - only funnier.
Posted over 8 years ago by rhensing (11 comments)
So yesterday this hilarious URL probably arrived in your inbox via your own personal friend network - and if it didn't, allow me to share it with you now (it's almost as entertaining as the Star Wars Kid ): http://www.microsoft.com/athome/security/children...
New Rootkit Revealer available!
Posted over 8 years ago by rhensing (3 comments)
Sysinternals yesterday released a new version of Rootkit Revealer after receiving feedback that people using rootkits were starting to add Rootkit Revealer to the 'root process' to continue to avoid detection. The new version uses a randomly named executable...
Ever found malware hiding in the "Default User" profile on Windows? Ever wonder how it got there or why it was there?
Posted over 7 years ago by rhensing (2 comments)
(Edited to fix idiotic bug – I meant to refer to the ‘Default User’ profile on disk not the ‘All Users’ profile! I blame Vista.) (Edited again to make the hyperlinks a more viewable color and to fix some font size issues with the shellcode that happened...
Hak5 produces 120GB LM hash rainbow table - complete charset!!!
Posted over 6 years ago by rhensing (2 comments)
So the Hak5 folks have produced complete hash tables for the LM version of the password hash used by Windows and the tables are good for all valid characters that can be used in an LM password for the 1-7 password length. The "1-7 characters" part might...
2007 FIRST conference featured at the FIA GT race at Silverstone 5/6/2007
Posted over 6 years ago by rhensing (0 comments)
This weekend, fellow racing enthusiast and driver Terry Pudwell has agreed to display the 2007 FIRST conference logo on his awesome GT car in the FIA GT race at Silverstone to promote awareness of the conference! The car featuring the logo will be...
Breaking out of the Chrome sandbox - 2 interesting vulns in 24 hours? Got IE8? :)
Posted over 5 years ago by rhensing (1 comment)
So it hasn't even been out 24 hours yet but Chrome is, as predicted, getting scrutinized heavily and well . . . it's falling down at a pretty alarming rate (as compared to, say, IE8 beta 2 which has been out longer :)) So yesterday Aviv Raff discovered...