
Author: Dr. John Murphy

John Murphy is a Security Researcher at FlowTraq. His research has included attack graph analysis, system performance baselining, and a game-theoretic analysis of the Conficker worm, and he has extensive experience and multiple publications in the field of network behavior-based insider threat detection. John has a PhD in engineering from Dartmouth College, and engineering degrees from West Virginia University.

Quiet Asset Monitoring

By Dr. John Murphy | December 20, 2013



Recommendations for Security Analysts Monitoring Point of Sale Systems

The big news this week, of course, was the large-scale attack on Target’s Point-of-Sale (POS) systems that resulted in the loss of up to 40 million credit card records over the holiday shopping season. Investigators are sensibly keeping tight lips about what they’ve learned so far about the specifics of the theft, but there are lessons to be learned here for many organizations.

At heart, this was a data exfiltration issue: toxic data that entered the system was removed from it without authorization, and it will be investigated as such. POS systems are supposed to be quiet assets: unlike public-facing servers or user desktops, they should communicate only with a tightly controlled set of partners, and only under specific conditions. If you filter the planned communications out of such an asset's traffic, you should see nothing at all:

(more…)
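One way to put that "nothing at all" into practice is to express the planned conversations as an allow-list and report every flow from the register subnet that matches none of them. The block below is an added example rather than FlowTraq code: the CSV flow-record layout, the register subnet 10.20.1.0/24, the internal range 10.0.0.0/8, the payment gateway and resolver addresses, and the sample records are all constructed for illustration.

```python
"""Quiet-asset monitoring: subtract a POS terminal's planned conversations
from its flow records and report whatever is left.

Added example, not FlowTraq code. The record format, the subnets, the
allow-list and the sample flows below are constructed for illustration.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample: one NetFlow-style record per line
# (src_ip, dst_ip, proto, dst_port, bytes, packets).
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,bytes,packets
10.20.1.15,10.1.0.10,tcp,443,4200,18
10.20.1.15,10.1.0.53,udp,53,180,2
10.20.1.16,10.1.0.10,tcp,443,3900,16
10.20.1.16,10.1.0.20,tcp,445,220,3
10.20.1.17,198.51.100.77,tcp,80,91200,410
10.20.1.15,10.1.0.10,tcp,8443,1200,9
"""

POS_NET = ipaddress.ip_network("10.20.1.0/24")   # assumed register VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal address space

# Planned conversations: (destination network, protocol, destination port).
# Anything a register does that is not on this list is a finding.
ALLOWED = [
    (ipaddress.ip_network("10.1.0.10/32"), "tcp", 443),  # assumed payment gateway
    (ipaddress.ip_network("10.1.0.53/32"), "udp", 53),   # assumed internal resolver
]


def is_planned(dst, proto, dport):
    """True when the flow matches an allow-list entry exactly (peer, proto and port)."""
    return any(dst in net and proto == p and dport == port for net, p, port in ALLOWED)


def residual_flows(csv_text):
    """Return every flow sourced from the POS net that matches no allow-list entry."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        src = ipaddress.ip_address(row["src_ip"])
        if src not in POS_NET:
            continue  # not a quiet asset; other rules apply
        dst = ipaddress.ip_address(row["dst_ip"])
        proto, dport = row["proto"].lower(), int(row["dst_port"])
        if is_planned(dst, proto, dport):
            continue
        # An unplanned external peer is the exfiltration case; an unplanned
        # internal peer or port is lateral movement or misconfiguration.
        reason = ("outside internal address space" if dst not in INTERNAL
                  else "unplanned internal peer or port")
        findings.append({"src": str(src), "dst": str(dst), "proto": proto,
                         "dport": dport, "bytes": int(row["bytes"]), "reason": reason})
    return findings


def bytes_by_destination(findings):
    """Bytes leaving the POS net per unplanned destination, largest first."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["dst"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    hits = residual_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"{f['bytes']} bytes ({f['reason']})")
    print("unplanned bytes by destination:", bytes_by_destination(hits))
```

The allow-list is deliberately exact (peer, protocol and port), because a register that starts talking to the right gateway on the wrong port is as interesting as one talking to a stranger. Ordering the residue by bytes puts the exfiltration candidate at the top of the report.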

Google QUIC

By Dr. John Murphy | November 14, 2013



If you’ve seen an uptick in UDP traffic, you’re not alone. Google’s QUIC protocol, which runs over UDP, was added to Google Chrome in the last few months. Last week Google went public with details of this newest effort to speed up the web, and people are already talking about it. According to Google, users should see only faster load times and fewer streams stalled by lost packets, but those of us who watch the network should see something different: potentially, the start of a shift in web traffic from TCP to UDP on ports 80 and 443. Maybe there will be a decrease in overall bandwidth use, maybe not. Depending on implementation, the multiplexing may result in (more…)

Configuring NetFlow Export on VMWare vCenter with ESXi

By Dr. John Murphy | November 6, 2013



VMware’s vSphere and related technologies let users build a single virtual datacenter spanning multiple ESXi hosts, and provide a convenient user interface for creating and managing the distributed virtual switches inside it, including NetFlow monitoring. vSphere 5.0 distributed switches export NetFlow version 5; vSphere 5.1 and later export IPFIX (NetFlow version 10). To use NetFlow export on VMware with an ESXi hypervisor, you must use the vSphere Web Client, which is distributed with vCenter Server.

(more…)

Configuring NetFlow Export on Open vSwitch SDN

By Dr. John Murphy | October 14, 2013



Open vSwitch is a popular open source SDN solution that runs on any Linux-based virtualization platform and supports a wide variety of systems, including KVM, VirtualBox, Proxmox VE, Xen Cloud Platform, XenServer and others. Despite the intricacy of these networks, it is very easy to configure NetFlow export from any number of virtual switches.

(more…)

The Running of the iPods

By Dr. John Murphy | September 20, 2013



Those monitoring their traffic this week may have noticed a curious increase in traffic to Apple (AS714; top graph, sessions initiated) and Akamai (various ASNs; bottom graph, bytes transferred). One need not look far to find the culprit:
(more…)

What’s New In Q3/13

By Dr. John Murphy | August 13, 2013



The FlowTraq team is proud to announce the availability of the Q3/13 release of FlowTraq. This release comes with a lot of new features aimed at improving your ability to secure and manage large networks. (more…)

FlowTraq Cloud: Getting Started

By Dr. John Murphy | July 9, 2013



Opening a FlowTraq Cloud window for the first time can be like walking into a big grocery store when you’re hungry: There’s a lot to see, and you know there’s something good here… but where to start? This post is intended as a springboard to help you find interesting traffic on your network. The workspaces linked here all show your data as a FlowTraq Cloud customer, which means that anything you see, you can immediately act on. It’s easy, it’s fast, and there’s a LOT to see.

(more…)

Data Exfiltration: Focus On What Matters

By Dr. John Murphy | June 26, 2013



Data exfiltrations from major US weapons manufacturers have put Chinese hacking back in the news. The debate over who instigated these major data leaks continues, with some sources pointing fingers at the government and others blaming small private groups. These are important distinctions for diplomacy and law enforcement, but at the end of the day, all that matters is that data is being stolen. (more…)

Password Cracking Attacks? FlowTraq has you covered.

By Dr. John Murphy | April 29, 2013



Brute Force Attacks Prey on Common Password Combinations

Brute-force attacks have been in the news again: there have been wide reports of a massive wave of them against sites running the popular WordPress software. A brute-force attack on password-protected software is simple but regrettably effective: the attacker takes a list of common usernames and a large set of common passwords and makes hundreds or thousands of connections until a pair works. Once one does, they have access to your system. It’s crude, but it works: nearly one hundred thousand WordPress sites have been compromised and added to a pervasive botnet that is still growing. The folks at WordPress have been quick on their feet with a fix, but that doesn’t mean all of their users are, so this may continue for some time. (more…)
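From the network's point of view a brute-force login attack is a burst of many short sessions from one source to one web server, each carrying little more than a login request. The block below is an added example, not FlowTraq code: it applies a sliding-window count per (source, destination, port) to per-session flow records and fires only when the burst is also made of small sessions. The server address 10.1.0.80, the attacker addresses in 203.0.113.0/24, the thresholds and the sample sessions are all constructed for illustration.

```python
"""Flow-based brute-force detection: many small sessions from one source
to one server within a short window.

Added example, not FlowTraq code. Addresses, thresholds and the session
records are constructed for illustration.
"""
import statistics
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumed: look back five minutes
MIN_SESSIONS = 20        # assumed: sessions from one source in the window
MAX_MEDIAN_BYTES = 4096  # assumed: a login POST is small; a page view is not


def constructed_sessions():
    """One tuple per completed TCP session: (epoch seconds, src, dst, dport, bytes)."""
    s = []
    for i in range(40):   # attacker: one login attempt every 2 s, small POSTs
        s.append((1000 + 2 * i, "203.0.113.9", "10.1.0.80", 80, 900 + (i % 5) * 10))
    for i in range(40):   # low-and-slow attacker: one attempt every 30 s
        s.append((1000 + 30 * i, "203.0.113.10", "10.1.0.80", 80, 900))
    for i in range(6):    # ordinary browsing: few sessions, full pages
        s.append((1000 + 50 * i, "10.1.5.7", "10.1.0.80", 80, 20000))
    return s


def detect_brute_force(sessions, window=WINDOW_SECONDS, min_sessions=MIN_SESSIONS,
                       max_median_bytes=MAX_MEDIAN_BYTES):
    """Sliding-window count of sessions per (src, dst, dport).

    Returns {key: alert} with the window that first crossed the threshold.
    The median-bytes check separates login hammering from a busy legitimate
    client that simply opens many connections.
    """
    recent = defaultdict(deque)   # key -> deque of (ts, bytes) inside the window
    alerts = {}
    for ts, src, dst, dport, nbytes in sorted(sessions):
        key = (src, dst, dport)
        q = recent[key]
        q.append((ts, nbytes))
        while q and q[0][0] < ts - window:   # expire sessions older than the window
            q.popleft()
        if key in alerts or len(q) < min_sessions:
            continue
        median = statistics.median([b for _, b in q])
        if median <= max_median_bytes:
            alerts[key] = {"first_seen": q[0][0], "fired_at": ts,
                           "sessions": len(q), "median_bytes": median}
    return alerts


if __name__ == "__main__":
    for (src, dst, dport), a in detect_brute_force(constructed_sessions()).items():
        print(f"{src} -> {dst}:{dport}: {a['sessions']} sessions in "
              f"{a['fired_at'] - a['first_seen']} s, median {a['median_bytes']} bytes")
```

The low-and-slow source in the sample never accumulates twenty sessions inside a five-minute window and is missed; widening the window to twenty minutes catches it. That trade-off between window length and false positives from busy clients is the tuning decision any threshold-based detector forces on you.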

Have You Been Targeted by Chinese Espionage Units?

By Dr. John Murphy | March 28, 2013



Using Mandiant’s Analysis and FlowTraq to Identify Threats

Recently, hacking attempts have been in the news again, this time with accusations that a Chinese military unit, Unit 61398 in Shanghai, is responsible for a large number of spear-phishing and other attacks. These attacks appear to focus on getting Windows users to run disguised EXE files, which in turn exfiltrate data. The first-line emails are well written and targeted, and use subtle tricks such as naming a file “filename.pdf     .exe” so that a mail client or file browser truncates the displayed name after the .pdf and the .exe never appears. There are a number of interesting articles on the subject, as well as Mandiant’s excellent analysis, “APT1: Exposing One of China’s Cyber Espionage Units”.

(more…)
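The padded-filename trick is easy to catch once you stop trusting the displayed name and look at the final extension. The block below is an added example, not part of the original post or of Mandiant's report: it scores an attachment name on three deceptions, padding before the real extension, a document extension placed in front of an executable one, and the Unicode right-to-left override that reverses the displayed order. The extension sets and the padding character classes are assumptions for illustration and are not exhaustive.

```python
"""Flag attachment names built to hide an executable extension.

Added example, not the post's or Mandiant's code. Extension lists and the
padding character classes below are assumptions and are not exhaustive.
"""
import re

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "jar", "msi", "hta", "ps1", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
                 "txt", "jpg", "jpeg", "png", "gif"}

# A run of ordinary spaces, or any no-break/zero-width/format character,
# sitting directly in front of the final ".ext" pushes that extension out of
# a truncating display field.
PADDING_BEFORE_EXT = re.compile(
    r"(?:[ \t]{2,}|[\u00a0\u2000-\u200d\u2060\ufeff]+)\.[^.]+$")
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: "report\u202efdp.exe" displays as "reportexe.pdf"

DECEPTIVE = {"right-to-left override", "padding before final extension",
             "document extension masks executable"}


def analyze_filename(name):
    """Return the true extension and the list of deception flags for a name."""
    flags = []
    if RLO in name:
        flags.append("right-to-left override")
    stripped = name.replace(RLO, "")
    if PADDING_BEFORE_EXT.search(stripped):
        flags.append("padding before final extension")
    pieces = [p.strip() for p in stripped.split(".")]
    exts = [p.lower() for p in pieces[1:]]          # everything after the first dot
    true_ext = exts[-1] if exts else ""               # what the OS will actually run
    if true_ext in EXECUTABLE_EXTS:
        flags.append("executable extension")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            flags.append("document extension masks executable")
    return {"name": name, "true_ext": true_ext, "flags": flags}


def is_deceptive(name):
    """True only for names that actively disguise their extension; a plain
    setup.exe is an executable but is not lying about it."""
    return bool(DECEPTIVE & set(analyze_filename(name)["flags"]))


if __name__ == "__main__":
    for n in ["filename.pdf     .exe", "quarterly_report.pdf", "setup.exe",
              "invoice.pdf.exe", "report\u202efdp.exe"]:
        r = analyze_filename(n)
        print(f"{n!r}: true_ext={r['true_ext']!r} deceptive={is_deceptive(n)} {r['flags']}")
```

Note that the check keys on the last dot-separated token after stripping whitespace, so it reaches the same verdict whether the display field is a mail client, a web gateway log, or an EDR file-creation event.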
