August 2006 Archives
PHP has its share of issues and vulnerabilities. Honestly, it is the weak point of the LAMP architecture because of the potential for misconfiguration and insecure coding. The following links go to an entry in the SANS Top 20 and the top 5 PHP security settings.
SANS Top 20
php top 5
Since I use PHP I wanted to post this site with some PHP security tips
And this is another nice list of php security issues and configurations
is a php auditing tool that I totally have to try out sometime soon.
by LonerVamp 08.01.06 at 10:14 PM in /web
on how to crack WEP using Ubuntu.
by michael 08.02.06 at 7:38 PM in /general
This is an awesome tutorial for examining, finding, and exploiting the latest RealVNC Auth Vulnerability
. I have a link to a scan tool that scans for this, and I have to find it. I suppose Metasploit will have this packaged already or soon. The fun thing about this is that I imagine most IT shops do not upgrade all their old VNC instances very much and either just use the same executable stored locally or always download a new one. I would bet many admins are still blissfully ignorant of this issue, and thus still have many vulnerable installs sitting around. I consider this a must-have scan for any VNC instances found on a target network.
Update: the scanner
by LonerVamp 08.02.06 at 9:54 PM in /tools
You can search for malware
using Google, right down to infected sites inadvertently sharing out malware code (executables). Damn cool stuff, and damn cool site. Search for "Bagle" for a good example.
by LonerVamp 08.02.06 at 10:06 PM in /general
I need to check this out sometime. The packet challenge
at SANS is not a regular thing, I think, but could still make for an interesting exercise for me. Bejtlich
posted a couple links to answers here
by LonerVamp 08.06.06 at 12:15 AM in /general
Not sure on the quality of this content, but this site has some modules up about their training
in infosec assurance and assessments. I'll take this down if this proves to be useless fluff.
by michael 08.06.06 at 11:43 PM in /general
I certainly cannot condone evading firewalls
and other protections in the workplace or otherwise, since I'm one of those guys trying to stop these people, but these techniques can be useful not only for times when you want it, but also for knowing what people might be doing so that I can stop it. In addition, some of these techniques have the side benefit of being more secure, such as when I am at a hotspot and wanting to make connections privately to public sites.
by LonerVamp 08.08.06 at 11:19 PM in /web
So, when I get around to testing my linux firewall, I can use ftester along with this "how to"
by LonerVamp 08.08.06 at 11:30 PM in /general
The folks at F-Secure put up this series of exercises in reverse engineering and called it a khallenge
. Sounds like a fun way to get into reverse engineering a bit, someday. If I get stumped, might be able to find some hints around this blog
by LonerVamp 08.08.06 at 11:38 PM in /general
A post over at SecurityFocus went over Microsoft Office forensics
and some things to do to enhance security, most notably privacy. Because Office is so universally used, I've found that many people, techie and non-techie both, want to put their heads in the sand about issues with Office. They just don't want to hear about the issues, even as malicious persons have begun poking at the apps and more and more data is disclosed on the web and search engines.
I've long wanted a concise and listed set of items to check on and change when dealing with metadata in MS Office Word documents. Now I have it!
Update: Here is another link dealing with pesky lingering Office data
that shouldn't be there.
by LonerVamp 08.08.06 at 11:53 PM in /general
Snagged a bunch of tools and links dealing with reverse engineering malware, particularly Windows, but also other stuff. This is an area I'd love to get into some day, perhaps when I get more into coding as well. Either way, it is always useful to exercise one's ability to figure out what malware is doing, whether you use a live box and lab network or examine the code straight-up.
- the universal first choice in malware analysis
PaiMei and PyDbg
Pydasm and Pydot
by LonerVamp 08.09.06 at 7:52 PM in /tools
Quite an ingenious, simple little method to hide files on an NTFS disk: alternate data streams. This article on Security Focus
makes it look a little more difficult than it is, due to the author going through the effort of describing breaking into a machine to set an ADS on a few hidden files. LNS and LADS are two tools to scan a disk for ADS...although they are certainly not swift in their scans.
Update: An ADS tutorial
by LonerVamp 08.12.06 at 10:31 AM in /general
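As an added example (not from the original post or from the LADS/LNS tools it mentions), here is a defender-side scan for alternate data streams using only built-in PowerShell. It assumes Windows PowerShell 3.0 to 5.1 (the `-Stream` parameter of Get-Item/Get-Content and `-Encoding Byte`), and the scan path is a placeholder.

```powershell
# Added example, not the blog's or any tool's own code.
# Enumerate NTFS alternate data streams (ADS) under a directory tree and
# report every stream that is not the default unnamed data stream.
# Assumes Windows PowerShell 3.0 - 5.1 on an NTFS volume.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Zone.Identifier is written by browsers/Outlook on downloads and is
        # normally benign; it is skipped unless this switch is given.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # "-Stream *" lists every stream on the file; the default stream
            # shows up with the name ':$DATA' (single quotes: no expansion).
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Peek at the first two bytes of a stream so an analyst can tell a hidden
# PE executable (starts with the 'MZ' signature) from text or other data.
function Get-StreamKind {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    $head = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        return 'PE executable (MZ header)'
    }
    return 'other data'
}

# Usage: placeholder path; adjust to the tree you want to scan.
$scanRoot = 'C:\Users\Public'
Find-AlternateDataStreams -Path $scanRoot |
    ForEach-Object {
        $kind = Get-StreamKind -File $_.File -Stream $_.Stream
        '{0}:{1}  {2} bytes  [{3}]' -f $_.File, $_.Stream, $_.Bytes, $kind
    }
```

Scanning a whole volume this way is slow for the same reason LADS and LNS are slow: every file has to be opened and queried, so run it against specific trees (user profiles, temp, web roots) rather than the full disk.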
If one must absolutely use passwords with Windows (not sure why anymore) and not pass phrases, and the password needs to be highly secure, you don't get much better than using non-printable characters. Both of these posts
go into detail on using non-printable characters to thwart most password cracking tools.
Microsoft, of course, even weighs in on their password suggestions
by michael 08.12.06 at 10:58 AM in /general
While TrueCrypt is still a great tool for Windows, Security Monkey has a nice quick bit of information
on using PointSec for Windows, filevault on Mac, and a link to a method of securing a Linux laptop. Nice quick read, almost like a hand-slap to anyone with a laptop followed by a quick, "do this, moron!"
by LonerVamp 08.12.06 at 11:07 AM in /tools
Every now and then the SANS Handler Diary offers up some nice information. They just threw out this list of switch features
that many people never know to use, and I thought it was a nice rundown to use at a later date, especially if my two switches include all of this stuff.
by LonerVamp 08.12.06 at 9:39 PM in /general
This link has a number of good pages and pieces of information on cracking WEP
and other wireless fun.
by michael 08.13.06 at 11:51 AM in /general
Just a quick listing of some secure USB drives that use hardware encryption and are recommended:
mtrust mdrive 500
kingston data traveler elite - privacy edition
verbatim store'n go corporate - secure
by LonerVamp 08.13.06 at 12:02 PM in /general
Here is a story about an XSS pen test
along with a link to the actual story
. Hopefully I can add more XSS resources here for the future.
by LonerVamp 08.15.06 at 5:57 PM in /web
This is an analysis of Mocbot
from LURHQ. Especially interesting is the follow-up
on the Spammer that this new variant downloads, as well as the graphic showing which antivirus companies properly detected the malware. I wonder if the only ones detecting are the heuristic scanners and not the signature-based scanners...?
by LonerVamp 08.15.06 at 7:15 PM in /general
Not sure what to make of this yet, but sounds like an awesome little tool. Lurhq pimps this as a "sandnet"
where you can run malware and it will even get its own little "internet" to play with if it chooses to connect out. Sweet action!
by LonerVamp 08.15.06 at 7:23 PM in /general
This paper purports not only to help crack WEP, but to be the final nail in actually outright breaking WEP
. I've not read this yet, but plan to as this sounds like a very swift, albeit technical, way to break wep.
by michael 08.15.06 at 7:34 PM in /general
It really sucks when users think they're being cute by utilizing remote control services to connect from home to work or work to home PCs. These just are not cool, especially when used without permission. I always forget the sites, though, so this will start my list of sites to blacklist on firewalls/web filters whenever I set any up. These are not wanted in the corporate sphere.
LogMeIn (and secure.logmein.com)
Hamachi - p2p?
Hamachi is a particularly scary thing, but like Skype, it should require a common mediation server to get the two endpoints together, and therein lies a single point of denial on firewalls. Either way, novel idea, and something I'd like to check out on my own. If even the mediation is peer-to-peer, we should be marking the app as a highly bad app, kinda like an irc client...
has some excellent tutorials as well as the proxy stuff.
by LonerVamp 08.15.06 at 7:38 PM in /general
is the ultimate http proxy tool, and I certainly have to learn it someday.
by LonerVamp 08.15.06 at 7:48 PM in /tools
This link goes to a Microsoft doc about Windows XP Countermeasures and Threats
. Of particular interest, Chapter 7 makes an excellent reference on the services that Windows XP has, and whether they are necessary or not. Disable them if they are not necessary.
by LonerVamp 08.18.06 at 7:56 PM in /general
I've already gotten them, but this will just be a placeholder position for links to this years defcon 14
and black hat 2006
by LonerVamp 08.19.06 at 2:01 PM in /general
This was a nice read about job interviews
. I believe Google also did this sort of interview tactic, especially the "impossible question" part. The biggest takeaway from this for me is the Smart and Gets Things Done
. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.
by LonerVamp 08.21.06 at 10:35 PM in /general
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
by LonerVamp 08.22.06 at 7:46 PM in /general
May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that "security through obscurity is worthless." I've read this a lot and heard it in person a lot too, but it is often misused. What is really meant is "security through obscurity alone is worthless." Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption is just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:
1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.
2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.
Alone, though, security through obscurity is more of a false sense of security than anything else. Even though the above two benefits are still there, no one should ever sit back and breathe easy by having security only through obscurity.
(Points for me to think about: Does this mean brute-forceable passwords and encryption are, in the end, worthless? Where easy passwords and DES were years ago "unbreakable" they are now accepted as flawed...as processors continue to speed up, will today's standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords or at least encryption the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)
by LonerVamp 08.23.06 at 1:30 PM in /general
I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: "Can you prove your IT environment is safe?"
I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.
by LonerVamp 08.23.06 at 1:30 PM in /general
"Well, you know, it's a toolbox, I don't care. You put the tools in and do the job, that's all." - Sam, Ronin, when asked what kind of gun he favors.
This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.
When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.
And let's face it. All of these are going to be part of a security or IT person's life at some point and we'll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog...).
On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.
I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough...
by LonerVamp 08.23.06 at 1:32 PM in /general
DefCon and Black Hat have become the premiere security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.
In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers have heightened, and browsers are more and more under the guns and fuzzers.
Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.
by LonerVamp 08.23.06 at 1:33 PM in /general
It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won't leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.
First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, a la Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigma for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend's hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and thusly conversed with the hijacker directly about it before getting my friend's AIM account back. Since then, I've never trusted IE at all. That was the breaking point. The only way to notice or stop that web-based attack against IE was to be running a personal firewall, at the time Zone-Alarm. Otherwise IE was rootable with no user intervention or notification.
In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job and Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything, Visio, Word, etc). I always move over a bunch of Sysinternals tools as well (pstools, process explorer, tcpview, regmon, and filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of WinAmp (classic mode please). WinDump, WinPcap 3.1, and Wireshark also get installed.
If this is a wireless laptop, I always throw in Netstumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason, I am very aware of what I myself do at hotspots because I'm not a special hacker or something, I'm a regular guy and if regular guys play with gleaned myspace and email accounts...).
After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the 'settling in' process of a new system. Of my few cracked products, someday once I am out of the 'cash-strapped college boy' phase and into a solid, fair-paying job that keeps me happy, all of those may be replaced with legit copies.
by LonerVamp 08.23.06 at 1:37 PM in /general
I've been pretty conscious lately of where my personal information goes. I've been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year's heightened problems with identity theft and disclosure of personal information from places like the VA, every time I fill out a web form, my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.
Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.
I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand...just think, all it takes is the least secure online store to be broken into and the data siphoned away...such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?
In the end, I just become more sympathetic to removing the "convenience" of sites "remembering" my account information so I don't have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, the Internet, to the vendor, I would feel a lot better than to have account and login and payment information stored by said vendor... How often do I let a restaurant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?
by LonerVamp 08.23.06 at 1:41 PM in /general
David Maynor and Johnny Cache presented at Black Hat last week about an exploit against wifi drivers in an undisclosed but likely large number of wireless cards and operating systems. This has caused a minor furor amongst, well, pretty much everyone everywhere.
Some argue that the duo are sellouts because they did not fully disclose who was affected at a "full disclosure" conference. Some argue they were protecting companies. Some take cheap shots at the video-taped demonstration for various reasons (which was done to prevent users from capturing the attack over the air and using it).
Last year Michael Lynn challenged Cisco and even his former employer ISS when he gave his presentation on a big Cisco vulnerability, after Cisco refused to fix it or even acknowledge it for quite some time.
Lynn's example brought up the age-old argument I see far too often in information security: disclosure. What is proper disclosure? Should it be full disclosure? This year it is back. Should Maynor and Cache have revealed the affected chipsets and vendors so that users could stop using them until a fix was in place?
I don't think there are any right answers, but the vultures that love to peck and squabble and argue for no real reason are back at it.
Bottom line, if these two found this problem, there are likely other people who have found out and kept it secret or sold it in private. This exploit was probably found via fuzzing of some type, since that is turning up lots of fun stuff lately. And I can only imagine the fun you could have as a spook or criminal with this sort of exploit in your hands and no one knowing about it...
by LonerVamp 08.23.06 at 1:42 PM in /general
I have a more private site that I keep as my own private little portal to security news, virus information, resources, tools, links, papers, and on and on. Every now and then I add a few sites to my links and remove a few defunct sites.
But every now and then while browsing news, I read on some site that "so and so" has more information, or "from the site of such and such." And I end up following 5 links deep to 5 different sites all reporting on the same news tidbit. Then I realize what has happened and I say to myself, "wow, there's a ton of blogs and news sites for tech news and opinions" (as I type one out here myself!). I wonder how cut-throat some of these link-relationships get? I've seen blog wars where someone feels they didn't get credited or where people of differing views post in their blogs their reactions and then wield their viewers and commentors like some botnet to swoop on the other and comment-spam them, escalating the all-out blogosphere war. Ugh.
The effect of the web as a way to express oneself, to self-publish, to create, to share, and share with, is sobering. Even the most stubborn hermit still has that need to share his or her thoughts with at least one other receptive person, and the web is such an easy outlet to the masses. There are times when I feel like heading out to the mountains, just me, nature, spirituality...and an Internet connection. :)
I used to run online gaming league/tournament/community sites, and I know the amount of effort and dedication it takes to keep something popular on the web. It was tough 5 years ago when I finally "retired" from that, and I can't imagine how much tougher it is now, especially when you're not just offering up something unique and fun like digg.com. Then try to find all the digg copiers or slashdot wannabes or every other blog out there that tries to act very self-important and get fans and followers. People like me who add that blog to their short (but growing) list of weekly visits. I can't imagine how tough it might be to always put up meaningful content, opinions, and original substance on a technical blog or tech site...especially for me, someone who does not yet have something unique or original to share (someday, I think so).
But then I look back and see why I post here or even on my personal site. It is much the same way I might keep a journal (girls call it a diary, journal is more manly) next to my nightstand or in my backpack. It is a way to document my thoughts, and also comment on and document news stories. When 9/11 occurred and every blog in existence posted comments, it was not all because they wanted to be part of the news megasphere or get readers or even self-publish. That was an important event in their lives, more than worthy of being in the journal...only today's journals are more able to be public and commented on. I definitely need to lighten up on my lashback of the blog effect on the web.
At any rate, there are blogs and tech news sites all over. There are weekends where I grab something warm to drink, and spend the morning or evening following the blog links. It is much like roaming down an unknown state park path, taking in the sights. Click a link, check that person out, look at his or her link list, pick another that looks interesting, and just roam randomly. Sometimes I pick people from Iowa, sometimes security/hackers (I love wandering into the sites of people whose names I might recognize from the scene, but who have grown up or moved on and their site remains as it was 5 years prior...), sometimes just random people with cool site designs or ways of writing. Sometimes I am looking for new people to add to my bookmarks, sometimes just checking out site designs for inspiration, sometimes just bored.
I wish I could keep up with such a huge community, but there are not many jobs that pay for that kind of a hobby, and in all honesty, I wore out my "online life-living" back in high school and college with IRC, IM, forums, gaming, and other things not worth mentioning, and it really never got me all that far anyway. As it is, I am one of those people who just looks for useful and meaningful blogs and sites to bookmark on my private page, to visit again over the months and perhaps even pipe in and comment to the author, perhaps making a friend or colleague in the process. It is always a sad event when one of my links gets removed, either from lack of updates or lack of updates that are useful to me as either I or they have moved on to other topics or phases of life.
For those that know what it means, I'm feeling just a bit QQ today. :)
by LonerVamp 08.23.06 at 1:45 PM in /general
At first there was innocence, ignorance of the needs of security in networks during the days of the open networks, where network downtime and intrusions were borne more by discovery and accidents. Then there came playfulness, where security was beginning and attackers made more curious, playful attacks, toying with users or just crashing systems to see the effect.
Then came adulthood, maturity. Now, attackers are not necessarily interested in downtime or playing around. They have an agenda and they have profitable goals. Suddenly, we have maliciousness...
by LonerVamp 08.23.06 at 1:47 PM in /general
The old adage can ring true for online habits: "Don't do anything you wouldn't want your grandmother learning about." Long hailed as a place to conduct oneself with a wide measure of anonymity (read how bold kids can be in chat rooms or online games when they don't have to face people in person), we're all starting to feel the creeping implications of data retention policies, particularly illustrated recently by AOL's search data release.
It is a bit sobering. I have been online in some form or other since the early-mid 90's when I was barely into high school. Granted, Google was not around, but AOL sure was. And I used it, and searched using a number of search engines available at the time. How could someone like me know that 10 years later, data retention and search engine query analysis could reveal some dirty little secrets?
Not that I have much to hide, but it is still offending to have that sort of privacy illusion (?) yanked away. Have I searched for porn online? Yeah, I'll admit it. Have I searched for some not-so-legal things such as hacking or bomb-making just to see if I could find it? Probably. Have I done an ego-search looking for my own name? You bet. And have I done all of those, in some combination or other, from the same IP? Considering I've had only a handful of IPs in my online life (not counting AOL dial-up in high school), the chances are really darned good.
Scary. Just think the dirt that may be dug from such databases on politicians 20 years from now. Our president in 40 years may have an old MySpace site still lingering there, waiting to explode with traffic from mudslingers.
Step back and take that one place further. What about spyware/adware apps which remain dormant and diligently reporting user surfing habits to central servers, maybe for years, while users just silently huff and deal with their slowly ailing computer speeds? Or ISP traffic records that might be kept some day. Just think of all the places visited from just the one location. This now includes work-related websites, sites for stores in the area (ever look for the most local Mitsubishi dealership or the working hours for the local Papa Murphy's Pizza?), and even the things you'd not want your grandma to know you were viewing online. Even people like me who maintain a more or less anonymous presence in security/hacking venues would be outed.
Then again, some may argue this can be good for the morality of the Internet. I remember a long time ago a study was done where people were put into a room to socialize. Later other people were also put in the same situation, only this time the lights were turned off. You can imagine the remaining senses were used, but they were used to a degree that almost all of the people in the room wouldn't have used them in broad daylight. Use your imagination. :) Maybe with the veil of anonymity removed, people will behave better? Naa...I just think they'll try all the more passionately for anonymous services, onion routing, VPNs, and privacy standards.
by LonerVamp 08.23.06 at 1:50 PM in /general
A career in information technology is a career in lifelong learning.
A career in security is a career in lifelong learning.
Sometimes the obvious things are just not consciously obvious, and once they become obvious, things just "click." That was a click there for me this morning, for some really odd reason. And I'm just glad I love learning both academically and on my own.
by LonerVamp 08.23.06 at 1:50 PM in /general
Today I happened to get called a "black hat" on a blog comment simply because of some off-the-cuff comment I made that, admittedly, is not necessarily a straight-laced, stick-in-the-mud, ne'er-do-wrong practice. However, me being called "black hat" is about as laughable, as, well, anything else I've experienced this week so far...
But it illustrates to me one of my other big pet peeves in security: hat color.
Fashionistas aside, some people are pretty obviously Black Hat. The rest of us are pretty much stuck in a quagmire of uncertainty and greyness that really has no definition. What seems like grey hat to some may be very black hat to others; what may be white hat to some may be grey hat to others, and so on.
All of this is just so much drawing lines in the sand, only to have someone else wipe it away and draw their own line in the sand, and another person wiping it away and drawing their own line in the sand. It is all about ethics and morals and how you conduct yourself. And if anyone has taken any academic coursework or even any casual discussion on the subject of ethics, one will quickly realize there are no hard and fast lines. It is all very relative and all very undefined to such a degree that arguing about it is a complete waste of time.
As it is, I have no problem with most "black hats" or "white hats" or anyone in between. Each can live their own life and that is fine with me. But what really incites my pet peeve is when people get so ensconced with rage and prejudice and blind ignorance about the whole issue of ethics that it manifests into nearly fanatical knee-jerk reactions to any hint that there might be an ethics or hat color discussion arising... That is just shallow.
White hats have to live up to a certain level of ethics and morals, right? Well, how do they feel about speeding when driving? If it is a 30mph zone and they drive 32mph, do they feel guilty? Does that guilt adjust their behavior back down to an apologetic 30mph? Do they regularly bump 10mph over the limit, whether in residential or on the freeway in the throes of a 10 hour road trip?
This is the dilemma. This is the grey area.
by LonerVamp 08.23.06 at 1:51 PM in /general
There are way too many news sites and blogs out there that I want to read. I'm at a phase in my career where I'm just sponging up everything I can. I have a growing list of sites that I use for resources and news and new stuff.
The problem is trying to manage it all. As I have gotten older, I have realized the grim reality of managing one's time. In my youth and even in college, I had a lot of free time to just while away doing nothing much. Now, I find I have to sacrifice a lot of that "nothing much." Thankfully, I shed the whole "tv watching" thing back in college, and unless it is a movie, my TV gets zero use.
Likewise, unless I'm relaxing for a few many hours on a weekend with my computer, a hot drink, and some calm music, I don't get a chance to check all the blogs I want to check or network with the people I want to network with or try all the new things people have posted about or created. Ugh!
I've tried keeping my own private blog with a list of all the interesting links and then posting about the tidbits I wanted to keep available or braindump about. The posting part has been working amazingly well and I love it. But the links part, which ends up being just a web page of bookmarks, in essence, is something that I have a bit of a problem with.
Reading the news requires clicking on each one. Being that I want this page to remain private, reading at a hotspot or at work can reveal its presence, and I have to take extra coding measures to obfuscate the redirect trackback. This is just a little bit annoying. And if I ever did want to share its existence with someone else, that would mean also sharing my home web site, since they share the same IP (and box). Moving it to hosting is a bit of a chore as well, since I use a smaller, lesser-known perl publishing tool for the site content. Ideally, I would have a second IP just for this site...maybe in the future.
But reading the news there is still less than ideal.
I've tried out standalone RSS readers, and I settled on using RSSReader for a while. Unfortunately, I find that I'm not always on my home laptop in such a fashion as to pull up the app and read the news. Sometimes I'm at work, sometimes I'm in a live cd doing something else, and sometimes I just want one big long page with all the news right there so I can just scroll on down effortlessly. The one good thing I like about RSSReader? If I have populated it beforehand, I don't have to have an Internet connection to read the content later. That's really a big plus as sometimes I want to go some places that don't have open wireless and sometimes I just don't want to fuss with locking myself down a bit more at a hotspot.
I just started a Bloglines site yesterday and have begun populating it with news and blogs and vulnerability advisory sites. While I like the idea of a one-stop website I can go to for news, this still does tie me down to an Internet connection. I also have not been happy with the presentation of the feeds either. I like to have full content (unless fully overridden by the feed itself), I like to have posts parsed chronologically (not by site only), and I like to have them all displayed for at least a week back for blogs and less for others. With Bloglines, I've found I have to click a few times to get the Week view, and they never arrange in full chrono order. Hrmm...but I do like it for one-stop news while at work and at a hotspot. I can also maintain some anonymity there.
Maybe I should recheck RSSReader for some more view options. Other than at work, it really is a good option, as I really love the freedom to unplug somewhere like a park, and just browse news there.
The big downsides to RSS feeds? Easily, I dislike the oddball blogs or sites that have no RSS or non-compliant RSS. Some, I understand, are a functionality choice that was consciously made by the author, and that is fine. It is just hard on someone like me to remember that that site is an oddball. A new downside that is growing in popularity is the trust that apps and sites and people put into parsing RSS feeds that can possibly allow malicious code in feeds.
Someday, I also need to find a good way (on Windows and preferably without iTunes) to automatically download podcasts and load them to a folder that I can sync with my iPod. Yeah, I know, I might still be behind the times, but iTunes originally was not something I trusted on my box, so I always stuck with winamp to manage my iPod. For now though, I'm content with my site of links to pod/vidcasts and downloading them manually.
Forums I truly love. I like the usually informal and discussion-like format of a forum. Maybe it just reminds me of IRC days, but forums have a special place in my heart. Sadly, a well-populated one with useful information is definitely not easy to find. My list of forums is woefully small, and half of even them are filtered at work.
My last major source of information has been mailing lists. I started out getting on a number of busy mailing lists a few years ago with a gmail account, but found the web mail interface and my own lack of time very disappointing and as such I stopped reading them. I have only recently renewed my reading by pulling that gmail data down to Thunderbird and abusing filters to sort out the mailing lists. This has worked pretty well for me, but I still have yet to really work mailing list reading into my daily or weekly routine. I need to read them for a while, cull the useless ones, and settle down there. Having mailing lists post directly to a forum or blog (with thread REs being placed into comments) would be awesome, even if just for my own private viewing.
Anyway, these are just some ways I'm attempting to usher myself through this sponge phase of my career, and I can already feel it coming to a climax and settling down for me, which is very good.
by LonerVamp 08.23.06 at 1:52 PM in /general
So, I've been asking myself some questions and kind of dealing with how to present myself on the net while at the same time categorizing my own information overload by spilling things out into this log. I've decided that I don't know why I maintain my cute redirection code in place to thwart trackbacks and referral readers. On a bigger note, I'm not really sure why I keep this site secret, other than just because I don't have a desire to really share this with people.
However, I think I have decided to remove the clunky code that at least veils the referrals. I may not entirely open this site up to the world, but I guess I won't bother trying to actively obfuscate it.
by LonerVamp 08.23.06 at 8:33 PM in /terminal23
There are a number of news publications and sites and posts that say things like, "organizations now need encrypted backups," or "spam is out of control," or "building a comprehensive disaster recovery plan."
I get a little happy when I see something like that, and I read into the article only to realize it is just one of those "obvious need" articles. These articles are great for new topics, but far too often they are already old news topics and offer me nothing on how to actually perform lots of these functions. Too often, I get the feeling these are written by people who can complain about the problem, but really have no idea how to fix it, nor have had any experience in what the challenges may be in encrypting all backups or trying to implement a company's first disaster recovery initiative.
by LonerVamp 08.24.06 at 2:55 PM in /general
So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple's built-in wireless card or third-party wireless drivers for a possible third-party wireless card.
And look at where Maynor and Cache are now. In the middle of this summer's biggest IT feud which is spreading a feeling amongst the "blogosphere" that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.
All of this uncertainty has resulted in mudslinging, amateur journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else's posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don't think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don't think so), or for the details to finally be released (after a fix, of course).
Until such time, we're all still left with uncertainty. But what I am certain about is our approach to "responsible disclosure" is going to be coming to a head, and I don't think corporations will be happy with the imminent conclusion.
Security practitioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.
Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.
Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a "proper" amount of time. This year we have Maynor and Cache with wireless driver attacks.
In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix is released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.
by LonerVamp 08.24.06 at 3:22 PM in /general
Now that I should have some more time on my hands, I am looking at possibly upgrading my site a bit. I seem to alternate between back-end updates and front-end design updates, and I'm overdue for both. However, I still like the site design, so I think it is time to jump into a back-end upgrade.
I am looking at blog systems that I can install. Currently I run on Apache with PHP4 (it might be 3!) with Movable Type 1.4 using flat files instead of a database backend on a very stable Windows 2000 Pro box. Movable Type fit my bill exactly, back in the day, but then quickly went commercial and I'm not really willing to pay for something like this. I also have Perl installed, and am willing to update all of these components (I would prefer to keep Windows 2000 though, simply because it is stable, I can get it free, and I'm intimately familiar with it).
My requirements/wishlist, for my own edification:
- easy posting from anywhere (u/p login)
- optional comments...bonus: toggle comments per entry as opposed to per site
- MSDE/SQL 2000 (preferably MSDE) backend with little administration needed
- php-based, but something that requires very little tinkering and coding other than templates/layouts
- the ability to make everything very minimized/minimalistic, from archives, comments, to posts, and the whole blog itself
One thing that is a bit flexible for this version of Movable Type was not just having multiple blogs, but to be able to use them creatively. For instance, my movie list on the right is actually another blog embedded into this page.
I also have a private page where I host all my geekier things. This is almost like a knowledgebase for myself. I am currently running Blosxom which I really love for its simplicity, but I think I am ready to move to a wiki or knowledgebase system.
- easy posting and updating of posts/topics
- good support for wiki-style knowledgebase stuff
- comments system or possible collaboration
- MSDE / SQL 2000 (preferably MSDE) back-end
This upgrade may not happen for a long time simply due to other things going on, and I plan on evaluating some solutions over time, so that I can get the most out of a wiki or blog system. I also now have spare systems to test things on, which will be ideal.
by LonerVamp 08.25.06 at 9:41 AM in /terminal23
Just thought this an awesome little idea for a contest. Defcon is definitely one of the most unusual and interesting security "conventions" around, as hackers and gov't security folks play contests that basically hone and demonstrate and teach security and anti-security skills. Quite amazing. In this contest..well..click to the article.
by LonerVamp 08.25.06 at 6:07 PM in /general
I am really toying with the idea of plunging fully into Linux...while also just testing with my toes again. Hrmm...
I've run Linux in the past, from Red Hat version 7 up to SuSE 9.x and various Livecd incarnations. But I've never been able to stick with an install for long enough to really immerse myself into it. Red Hat 7 was interrupted due to a need to do some resume/website work back after college when I was unemployed. SuSE was interrupted by my need for gaming...multiple times.
But the gap between Linux and Windows, especially the apps in Windows that I rely on a day-to-day or weekly basis, is greatly diminished now, if not gone altogether. The only real gaps would be ease of use of all the years of acquiring apps and programs to do certain tasks, the support for gaming, and the support for wireless.
The years of acquiring apps may be interrupted soon by Windows itself...who knows what Vista will be changing when it finally releases, but it will be a whole new world to learn anyway (although not entirely). The support for gaming has been getting better, but only slowly. Thankfully, having a gaming-only machine is not a bad idea, especially since any Linux that I run will not need beefy specs or expensive machines. And support for wireless has been getting better in leaps and bounds, to the point that some of my Livecds recognize my wireless laptop right from the install, and get online with absolutely no work on my part.
But, I do still game, and I do still have a lot of things on my XP laptop that I just can't part with quite yet, especially since it's the only machine that seems to accept any of my old Windows XP keys and licenses (damn Genuine Advantage, in the end, it will end up driving me away from Windows...).
So, one thing I really want to do is make sure I have Linux on a laptop, which does greatly limit my choices on my systems. I think I might give another shot to dual-booting or even just running VMWare Workstation on my laptop and carving out some space for a Linux install. I know my system isn't all that robust (512MB RAM), but I think if I go ahead and wipe it off and reinstall Windows XP, it should be cleaned up enough to allow me to run a VM Linux (Ubuntu or SuSE again).
This post started out with me wondering to myself where I should put Linux and work it into my daily life, up to listing my systems and the pros and cons...but I think I already just talked myself through my plan.
This will leave me my gaming system, a possibility for less intensive games on my laptop, and leave me other lesser-speed Windows 2000 laptops for other uses. My other desktop-class systems can then still be whatever, as they are just used in my lab.
First order of business though: clean off the XP laptop, back everything up that I need or want, take inventory of what I need to replace, and start to organize up my tools and tempfolder (a dropbox for all sorts of incoming things that I've not played with, tried out, or used enough to file them away to keep or delete).
by LonerVamp 08.28.06 at 1:23 PM in /general
An article posted on SecurityFocus quoted:
Building on a Wall Street Journal analysis of the 20 million search queries leaked by America Online that found "free" to be the most popular search term, SiteAdvisor warned that the results produced by such searches frequently lead to malicious Web sites.
"Often, so-called 'free' items are anything but free," the company, recently bought by security firm McAfee, stated in its advisory. "Free screensaver and games sites are notorious for bundling spyware and adware with downloads... Free e-card sites often share users' e-mail addresses with third parties and can lead to a never-ending influx of spam... Ringtone sites frequently lure consumers with misleading offers of free tones that ultimately lead to automatic enrollment in paid subscriptions."
I admit, back in the day free stuff used to be cool to download. These days, however, they are packed with spyware and other not-so-nice things. Always have to wonder, "why is this free, what are they hoping to get?" More often than not, to get something installed on your computer or get your "clicks" on their sites.
I honestly have more trust in downloading cracked commercial apps through my regular channels as opposed to free sites. However, when looking for legit free things, I put a lot of faith in SourceForge-hosted apps and anything from a website that looks like a real developer just offering out to the world some little tool he/she created to do something cool. Anything else like free screensavers and the like are just not really worth the time and effort and risk.
by LonerVamp 08.28.06 at 2:13 PM in /general
This is social engineering at its best, and scariest. Just think if this guy had more important things to say, or was pawning himself off as speaking on behalf of someone or something more important. Wow.
by LonerVamp 08.28.06 at 5:43 PM in /general
NetworkWorld posted a rather good series of articles on the six worst security mistakes.
1. Not having a security architecture - I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.
2. Not investing in training - This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.
3. Neglecting identity management - Since I've not worked in environments with over 500 employees, I've not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, "you need identity management, here's kinda what it is" but never discuss what products work, what don't, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I'd like to examine identity management systems, but so far I've not seen a need for it in current environments. If I could make my own home-brew setup with little costs (maybe a USB fob and open source software), I would love to add that to my projects list.
4. Ignoring the insider threat - Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add in that not just employee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.
5. Not protecting web appliances - This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure are no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development, in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell... :(
6. Buying products with the most bells and whistles - This is an interesting item, and I think is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propaganda, and lack of having a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.
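As an added illustration of the internal log review suggested under item 4 (failed authentications and mysterious local account creation), here is a small detector written for this post; it is not code from the NetworkWorld article. The log line layout is constructed for the example, and the event ID values follow the Windows Security log convention (4625 = failed logon, 4720 = user account created).

```python
"""Toy detector for two insider-threat signals: a burst of failed logons
from one source, and local account creation (flagged if it follows failures)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an invented layout:
#   "<date> <time> <host> <event_id> user=<name> src=<ip>"
# Event IDs borrow the Windows Security log convention; nothing else here
# is a real product's format.
SAMPLE_LOG = """\
2006-08-30 09:00:01 fileserver01 4625 user=jsmith src=10.1.2.50
2006-08-30 09:00:03 fileserver01 4625 user=jsmith src=10.1.2.50
2006-08-30 09:00:04 fileserver01 4625 user=admin src=10.1.2.50
2006-08-30 09:00:05 fileserver01 4625 user=admin src=10.1.2.50
2006-08-30 09:00:06 fileserver01 4625 user=backup src=10.1.2.50
2006-08-30 09:00:07 fileserver01 4625 user=backup src=10.1.2.50
2006-08-30 09:01:10 fileserver01 4720 user=svc_tmp src=10.1.2.50
2006-08-30 09:30:00 hr-pc-07 4625 user=mjones src=10.1.3.21
2006-08-30 14:15:00 dc01 4720 user=helpdesk2 src=10.1.0.5
"""

FAILED_LOGON = "4625"
ACCOUNT_CREATED = "4720"


def parse_line(line):
    """Split one constructed log line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return {"ts": ts, "host": parts[2], "event": parts[3],
            "user": fields.get("user"), "src": fields.get("src")}


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (kind, src, detail) alerts.
    "bruteforce": at least `threshold` failed logons from one src inside `window`.
    "account_created": every account creation, tagged 'after_failures' when the
    same src produced failed logons inside `window` beforehand."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of recent failed logons
    alerts, alerted = [], set()
    for e in events:
        src = e["src"]
        if e["event"] == FAILED_LOGON:
            # keep a sliding window of failures per source
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            failures[src].append(e["ts"])
            if len(failures[src]) >= threshold and src not in alerted:
                alerts.append(("bruteforce", src, "%d failed logons on %s within %s"
                               % (len(failures[src]), e["host"], window)))
                alerted.add(src)
        elif e["event"] == ACCOUNT_CREATED:
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            context = "after_failures" if recent else "no_prior_failures"
            alerts.append(("account_created", src, "%s created %s on %s (%s)"
                           % (src, e["user"], e["host"], context)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the constructed sample yields one bruteforce alert for 10.1.2.50 followed by an account creation tagged after_failures, while the dc01 creation is reported without prior failures.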
by LonerVamp 08.30.06 at 3:13 PM in /general