.: November 2006 Archives


.: the future looks muddy with privacy issues

As I look forward to the future in regards to security and technology, I really see a very muddy, grey haze when it comes to privacy concerns. Mark Rasch has a nice article where he makes a lot of little, very important points about privacy in the workplace. As we embrace technology more and more, and begin to mix workplace computer use with social computer use, this topic is going to continue to be complicated and muddy. In the past we only had phones that might be used for personal activities now and then, or they might be recorded although most companies did not have those capabilities. Now, we have many more avenues to mix work life with non-work life, technologically, and we also have many more possible ways to record and monitor (VoIP, IM, blogs, Email, files, cells, wireless...).

.: why execs and security seem to be behind the curve

When you can get a report on the attitudes of 213 execs in regards to security, you definitely have to check it out. Sadly, the report is only open if you pay, but Dark Reading has a quick synopsis of it. The synopsis takes a look at why execs are not taking security more seriously.

I love their first conclusion that most execs see security as an operational function (part of facilities) and not a strategic one. Far too often (either due to perception, lack of taking responsibility, or just execs not even knowing their own role) no one thinks about what the true purpose of a CEO is. CEO duties should be strategic, and as such, they do not want to deal with mere operational trivialities. Those are rightly delegated down to upper level managers and such. Some small-medium companies have CEOs that tend to meddle in both areas (especially when that person holds multiple titles like CEO and President), but this should always be evaluated: Where should the buck truly stop for non-strategic issues in a company? Who is signing off on operational budgets? Unless the company purpose is in security or some other critical infrastructure that depends on computer systems, the buck will stop lower than exec levels.

Some other reasons posed: security managers tend to be separate from other business managers which in turn gives them few allies to leverage budgets and attention. They don't know how to align to business objectives.

Execs see security only under certain circumstances, with their main motivators being: meeting government and other regulations, protecting confidential information (I bet that refers to internal company information and IP as opposed to customer data), and business continuity.

What can security managers do? They can reach out to the rest of the business. They can pair up with risk managers. They can get more face time with managers so that they can get some allies to align to their initiatives. They can create metrics that execs can understand so they can get budgets to do what they need to do (e.g cost of business interruptions, vulnerability assessments, and industry benchmarks). The big theme here is to align with other business managers.

One thing this report on the research does not touch on is something I think could help as well. Security is almost always seen as a punishment vehicle, where freedoms of managers and employees are limited a bit more. Most people think they would rather be free of constraints (security function) as opposed to governed by them (oddly, I think most people thrive best under constraints and are lost like sheep without fences when given free reign). This means security is seen as a negative money sink that keeps slapping their hands when they want to do things or make money. Really, few people like security. And when they are indifferent, they are usually just denying what can happen (for instance, we all know how easy it is to have our house broken into, but we don't buy alarm systems because that is an overt acknowledgement that we could be broken into; by not buying the alarm system, we subconsciously pretend it is not a problem to worry about...denial).

I feel that security could best be aligned with IT functions (or be integrated deeply into IT functions) or with financial functions. Having a very separated security entity, I bet, can be a very isolated feeling in a company.

Thankfully, I am not a manager, nor do I expect to be one for at least another 5-8 years and all of this is just more information in my head to try and keep an eye on the big picture.

.: excited I am

I just wanted to say I can't believe how exciting my chosen field of work is. I love it beyond words and every time I read something new (even a negative article deriding Metasploit which prompted this exclamatory post), I get just a little bit giddy. I love security/insecurity!

.: 9 things IT workers need

This article (found via Hardocp.com of all places) explains two important things. First, the difference between hygiene and motivational workplaces. Second, the nine things that developers want. Honestly, this can be expanded beyond developers and into network engineers, security professionals, and IT staff in general.

Sadly, I work for a company that is only about 450 employees small, but is firmly of the "hygiene only" mindset. The benefits are excellent, the pay is more than competitive, and everyone is just pretty comfy in their jobs. The company does not score even one point in the motivational items. Even more sadly, those are the points I value the most.

.: call it 0day please

For now, I am refusing to use the term "less-than-zero-day" for a vulnerability that is unknown but actively exploited. Zero-day then refers to an exploit in the wild that is not patched yet, but is known (the time between notification of vendor and vendor-issued patch). I see no use in this cutesy term...just call anything before a patch or vendor-issued workarounds a 0day for all our sakes...

.: linux as main box - part 4: migration

I put my Ubuntu move on hold for a few weeks, but I'm back to it now. Having set up many Windows systems in the past, I know how important it can be to document the process, especially for something new like Ubuntu (hence some of my previous posts on this subject). I've taken to keeping a log of the apps installed, changes, and commands I run.

In migrating to the new system, I'm really happy when programs include easy-to-use exports and imports to transfer information from one system, or even OS, to another. Firefox allows me to export my bookmarks (which have swelled terribly!) and then import them into Ubuntu's firefox. Wahoo! Sadly, Thunderbird does not allow this with mail and mail settings. I can do this from one Windows box to another (just copy the profile folder), but have not yet figured out how to do this over on a Linux box. Ah well, it would only take a few hours to set everything up as I had it before anyway. This just shows how valuable remote services like Gmail and Yahoo are for less technical users. Lose your system or get a new one? Just log into webmail and you're back where you were before!

So, the migration is moving forward. The last task to (nearly) fully get away from booting Windows is to utilize wine and vmware. I searched for some information and stories on installing vmware workstation and found this amazing checklist for an Ubuntu install. Much like so much coding, why reinvent the wheel and make my own when I can just borrow chunks of this guy's checklist? He even has most of the steps I've already gone through, and it looks current! Definitely an inspiration and a great help in making sure I have what I want.

Hopefully by the end of the week I will have a vm set up for Windows which I can pop open when I need to quickly use some Windows program without booting over to my Windows install. In addition, I'd like to get one or two things to work in Wine as well, but the VM is an easier and quicker step for me right now.

As far as getting more things to work, I've become very happy with mplayer as opposed to Totem (the default Ubuntu media player). Totem did not like Divx files (been downloading HOPE presentations) but mplayer rolled right with the punches and played them back just fine.

.: security really can stifle business initiatives

(Sometimes I do some thinking on my walk to my car for lunch; sadly, the time when I usually don't have anything upon which to take notes...)

Since I openly contrasted my latest two jobs earlier, I was thinking about their differences. My previous job preferred to get things done, and think about security later. My current job has a few people who prefer to wave security around as a business barrier.

But perhaps that is just something security will very often be. Something tacked on only after it is known that something will work. Why stifle a business or initiative with security when you don't even yet know if the business or initiative is even viable?

I think this is why developers and programming instructors have such a hard time with security in applications. Functionality is the key component. If it has security but is too late to save the business, what good is it? If it can be delivered on time and let the company flourish, but with less security, is that not better?

But how far do you go with security or insecurity? Therein is the art of risk (which I truly think is an art, and more difficult than anyone really expects). Do you kill a business by paralyzing it with security paranoia and control? Do you let it run rampant with zero security and not even any locks on the doors? Do you do just enough to satisfy negligence? Do you fling up stop signs or just directional cones?

Like every discussion on security, there are exceptions, there are varying levels and tolerances between technologies, companies, managers, and so on. Not only do we not have a silver bullet device to provide security (and never will), but we also don't have silver bullet methodologies or even approaches that can cover all those differences. Therein also lies friction between finance/auditors, management, and IT/security. It can be artful, subjective, which flies in the face of objective approaches...

One thing we do need, as security practitioners, is the constant harping of media about security issues, whether accurate or not. Too often security is only focused upon after an incident or after some insightful awareness presented to management in dreams of angels and fire...but at least media can help keep the minds that be where they ought be.

.: my skills of the future: web coding

One thing I try to be cognizant of as my career starts to move forward is what skills are going to be in demand in the future. I don't want to be awesome in Windows XP, only to find myself someday outdated like so many Windows 98 admins. Not that I support Windows XP on a desktop level right now, but that is just an illustration.

A manager just emailed out an Excel document that has maps of our building and numbers pointing to all our conference rooms (about a dozen) because people tend to ask, "Where is such-and-such room?"

It occurred to me how appropriately this issue could be solved by a web developer who knows his stuff. Carve out a small section of an intranet, tackle the issue, code up a solution, present it, and voila, a one-stop web-enabled location so that people don't have to save a tomorrow-outdated spreadsheet "hack" of a solution that might be located at some mysterious location on a file server that I may or may not have access to.

Web application coding skills are amazingly useful and awesome these days. And the work is rather exciting when you can focus down on it and really pursue it as a team that can teach each other. Gone are the days when any stay-at-home kid could pick up a few clients and create cheesy web pages using straight HTML. Now, real web design skills are in demand and needed, coupled with code that more and more resembles actual programming languages in operation, suitable to those who can think in that way (not just make pretty pictures in Paint and arrange them in tables with possibly some database backend code in php...). .Net, Java, Ruby, Python, Ajax.

In fact, before I was in IT I wanted to become a web developer. That was my idea when I switched my majors into MIS 2.5 years into college and graduated with thoughts of making web pages for a living. Thankfully, I've had opportunities elsewhere to expand myself, but I still appreciate web development.

Someday, a ways down the road, I can still see myself satisfying my coding bug and doing some more web coding and application coding. I would love to be able to just throw out a quick solution to problems using an internal web site. Given experience and practice, that kind of stuff is amazingly easy and simple to do (ongoing support is always the hard thing). And with web and application security the hot topic for the year in security, this makes sense from that viewpoint as well.

However, for now, I want to remain grounded and focused where I want. Right now I am directing my career towards networking and security, moving towards certifications and learning networking since it is still something I'm working on, plus learning Linux and more deep security topics and pursuits. I've also decided I want to make sure I know wireless security as a specialty, as I believe the future is in wireless and mobility. Web coding as a major focus has simply been pushed aside a bit for now...but someday I'd love to dive back in and learn the new stuff.

I must say, if an opportunity opened up right now in an exciting and competitively-paying (for junior level) company to start learning and participating in Ruby or Ajax development, I would seriously think about it.

.: the pen testing team

Been thinking now and then about being on a pen-testing team. Oh how I would love doing that job! So, sometimes I think about the make-up of such a team. How would I design one? Now, I'm not a business manager so having a 50-person team may sound great but is likely not cost-effective. So, I'll try to give my take on a "perfect" pen-testing team and their roles, as sketched in my own head. Note that some of these roles can be combined into single people.

The Lead - You need to have a lead person, most likely a very presentable and articulate senior person who is most likely to be the face of the team to the client. This person should also have coordination and delegation duties and be almost like a manager, most likely with some managerial experience to manage the team properly, keep them motivated, but also be able to relate to client managers. This is the coach and mentor.

The Interviewer - This role is an expert when it comes to policies, regulations, standards, and interviewing the proper people in a proper way to get definitive answers on a company's strength with its people and processes and policies. Someone should, at the very least, be able to interview others properly and understand regulations inside and out (COBIT, PCI, etc). This person should be able to evaluate whether reality matches policy. This guy would be as close to an auditor as the team gets, and could also be familiar with risk analysis.

The Writer - Every pen-test includes reports and deliverables, and the more polished those deliverables look, the better. Every team should have someone who is strong with writing documentation, compiling information, evaluating results, correlating the risks to the client, and dealing with information in a constructive manner. This person can also be the information-gatherer who can utilize search engines, DNS queries, and other reconnaissance means to profile a target. Even better, this person should be adept at vulnerability assessments and determining how important particular vulnerabilities are.

The Junior - Let's get this guy out of the way early. There should always be some new blood on the team in the form of a junior guy. This guy may have any level of skill, but is the one doing the "easier" errands on the team. Host sweeps, port scans, vuln scans, password cracking, and coffee-fetching. In fact, this guy can also do some of the widespread repetitive things like exploiting various systems using automated tools, sifting through confiscated data and systems for juicy information, and might also best be suited to help support the systems for the rest of the team.

The Web - Any real pen-testing team should have someone proficient with web coding practices and languages, and the security of them. He or she should be the lead when it comes to source code analysis, web app scanning, fuzzing, SQL injections and queries, and best-practice approaches. A background in web servers and database servers would be beneficial.

The Exploit - Someone on the team should also be proficient with other coding disciplines such as Perl, Python, C++, and so on. They can work with and devise exploits either pre-discovered from outside sources or custom scripts to discover new exploits. This person should also be able to evaluate and fuzz and test applications beyond web-based ones, such as web servers, email servers, DNS, etc. If a port is open on a server, this member should be the one poking at it the most. This guy should be an expert on buffer overflows (stack and heap) and most likely with malware creation and reversing.

The Packet Hound - Part of any pen-test should include networking devices and information leakage directly on the wire. Packet hounds tend to love sniffing traffic, tinker with networking devices, know the ins and outs (and arounds) of IDS/IPS and firewalls, map the network, and be able to penetrate and evaluate network devices and configurations. This guy should also be familiar with VoIP, phone systems, and wardialing. If you want a meaningful network tap in a crowded server room, this is your man.

The Wireless Expert - Anymore, wireless and mobility is a big thing. It is a benefit to have a team member who is proficient with wireless technologies to evaluate and penetrate the security of mobile devices. This should include PDAs, laptops, and wireless networking.

The Social Engineer/Thief - Any team doing black box or physical assessments should have someone skilled with social engineering. There is no more successful an approach to breaking into a network than social engineering. This person should be adept at the common approaches to getting people to divulge information or do something that is otherwise a security risk, from opening email attachments to holding the door open after a smoke break. Lock-picking and physical security alarms and countermeasure knowledge is necessary; perhaps even someone with burgling experience and the willingness to get dirty with dumpster diving. (Note: since this is a rather fun and different task, other team members could enjoy helping out as long as someone on the team can act as a lead expert for this activity.)

.: incident disclosure and information sharing

They don't post all that often, but when they post, they post excellent stuff over at ClearnetSec. The latest post touches on an investigation at a financial institution in regards to an apparent compromise.

We desperately need more reports like this. No, I don't need to know specifics or enough to know who the victim is, but we need to know how these things are found, what worked, what didn't, why did it stay undetected for a year, what else did the attacker do? Was it just one mistake that let them in and they could slowly own the whole network?

We have tons of journalists and media reporting on best practices and how to theoretically protect data and what should and shouldn't be done in retrospect to the big media-covered incidents. Very few of these reports seem to be written by people experienced in the trenches, experienced with the trials and realities of the network. They are all very pundit-sounding and academic dreams of puppy dogs and sunshine and flowers.

We need to move away from those media reports and theoreticals. We need to divulge information amongst ourselves and figure out the reality. It is golden when you can take out a pen tester for some beers and start shooting the shit about how they've yet to test a company that wasn't rooted, or what works most of the time and what doesn't, or where some of the oft-overlooked nooks and crannies of networks are, or the most obscure attacks they've completed.

We need more surveys and reports like Jeremiah Grossman's surveys about web application assessments and security, only we need them about actual compromises, either real malicious ones or pen-tested ones. We can't wait and pretend they aren't there, nor can we wait for the budget or big media events to remind the C-levels about the risks. We need real, technical reports. Give me a technical report, and I can distill that down to language my parents could understand. That's what I soak up.

.: the future battle in computing architectures

Every now and then an article is published that is not only a pleasure to read, but is just packed with information and true forward-thinking content. I just read such an article from Wired.com about the future of searching and computing.

This article intertwines the stories of Google, Ask.com, and other search engines with the future of technology. The rise of RAM. The age of low-cost massively parallel computing (cloud computing) and the fight it will have against decentralized computing (and information). The emphasis on network speeds. The usually unthought-of challenges and costs of electricity and cooling for such huge data centers. China and their pursuit of nuclear power.

An excellent article packed with tons of tidbits around the core themes and dressed up with beautiful writing.

.: movie insider causes revenue loss

We need more technical reports of incidents, damn it! However, it is fun to infer various tidbits based on traditional media reports like this article about a previous manager causing revenue loss in a movie theater chain. The man was able to cause the chain's e-commerce sites to not process online ticket sales for a period of time.

What I found most interesting is that a wireless adapter was identified as a culprit. This implies that the movie chain had wireless employed. Enough such that this former manager was able to get into it and also access the web servers or other critical infrastructure. This is terrible network design, security, and architecture.

This man was the former director of information technology. Perhaps they didn't have anyone around after they eliminated his position to ensure that passwords and access were revoked. Maybe they did change it and he just broke in on his own accord, but any time an employee is removed against his or her will, evaluation and action must be taken to ensure they do not retaliate.

.: taking back security

After reading far too much vendor-crap this week, and publications and reports whose basis is in the industry ("We now need to get away from firewalls and IDS and protect data..." translates into "We've saturated firewall and IDS markets and need to drum up the next big market to hawk our wares in..."), I've decided that security professionals (and IT in general) need to work hard to take back our reports. We need to wade through and chase away the ghosts of all these vendors pushing their own agendas as the next big thing, and get back to reality and what really needs to happen.

For all the hype and reports, you'd think we don't need patch management, inventory control, or firewalls anymore. At all. Or that once these things are implemented, that's it. Move on. Fuh-geddaboutit! Oh wait, we need to monitor and update and take care of these things and check logs and stuff? Wha...?

Yes, we need to take this all back and let the vendors shout noise at each other in the ad-driven mags. We need to make doubly sure that all this noise doesn't blow in the face of our managers like so much thick hot air, sending them off to chase the next big thing and dragging us all with them whether it works or not.

.: barriers to sharing information

At work my IDS popped up an alert that IP 123 performed a host sweep against our webservers on ports 80 and 443 (and maybe more, but the IDS is not that good...sigh). I check out the IP and it is a webserver for an NBA team. The website itself has little mention of how to contact someone about the site, but I do find an email in the privacy notice. Great. In the privacy notice I see a blurb about how the site is highly secure, blah blah. Great. So I sent an email to the legal address I see and get an immediate undeliverable message. Great.

By now, I have other things to be doing and so on, so I just drop the issue. This web site might be rooted, I might be seeing actual traffic from a malicious script, attacker, or something bad inside their network that I can't see. Perhaps it is legitimate traffic and someone is just spending some spare time scanning all websites on the Internets to help with the Google. But unless there are clear avenues to report these things, they can only hope their own internal detections will find if something is really wrong. :\

.: linux as main box - part 5: windows strikes back

So, I have a VM of Windows XP running on my Ubuntu laptop now, so that I can do those few things that I need Windows for. Sadly, Windows and the Activation nag don't seem to be on the same page. No matter how many days I wait, it nags me that I have 30 days of activation left, but I am unable to activate my Windows, even manually by inputting the key found on my laptop case. Well, as long as it stays perpetually on 30 days, that is at least tolerable, but I need to research why this happens and if I can fix it or redo the VM creation to alleviate the problem. I remember a popup warning about it when creating the VM, and I may have done something wrong.

Of note, the only thing I do on a daily basis that has not been moved over to Linux is my email from Thunderbird. I guess I could take some time and just move over, but it is all the older email that I need to wade through and catch up on first. I'll maybe just end up losing all that mailing list email I've built up...

Watching HOPE 6 presentations this weekend gave me more excuse to shore up Ubuntu's media-playing issues, including mp3 support. Very happy with XMMS and MPlayer.

.: when security goes too far

An article just ran across my desk about a bank whose legitimate (albeit poorly implemented) email announcement to customers was mistaken for a phishing attempt. This is an example of a false positive. But just how damaging can a simple false positive be?

What we do now:
- automatic spam filters that "learn" what spam is
- manually populated spam filters
- spam blacklisting which can blacklist sources or content across a wide swath of customers
- heuristic and behavior-based virus scanning
- phishing site blacklisting
- blacklisting of DNS, domain, or IPs based on complaints or automatic alerts
- network and system shunning via IDS/IPS linked to firewalls

That's a lot of stuff reacting to security incidents. What might have happened to this company? Someone may have reported them to a phishing blacklister or alerts may have automatically done this, blocking perhaps the domain, emails, website IP, or even DNS for this bank. This could cost tons of money in lost business, public relations, and direct costs to fix or workaround the issue.

In a previous job, we sometimes were blocked from emailing AOL members because, after a complaint or two, AOL would block our email servers for 24 hours. The sad thing is, we never spammed people unless their own employer or they requested it or agreed to it. Also, one of our clients, a major financial institution at one point had their domain blacklisted for spamming. Now, they may have really been spamming, but due to that disruption in service by being placed on a blacklister, they had to change their domain name and all the infrastructure that it used. Wow!

And as much as people like this stuff, mistakes will still be made. People will make bad judgements, misconfigurations, or poor decisions like the bank email security campaign linked above. To make a mistake and cause your company millions is just a bad situation waiting to happen.

Dan Kaminsky was correct in his talks last year (BlackOps of TCP 2005) describing how scary it is to have IDS/IPS automatically making firewall rules and shunning networks. This means that attackers can actually write your firewall rules and can do some things as disastrous as having your own network shun its own name servers and be subjected to DNS poisoning.
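To make the two points above concrete (the host-sweep alert from the "barriers to sharing information" post, and the Kaminsky point that IDS-driven shunning lets an outsider write your firewall rules), here is an added example that is not from the post or from any IDS product. It parses a constructed connection log (RFC 5737 documentation addresses, a made-up "epoch src -> dst:port" format), flags sources that touch many distinct web hosts in a short window, and then runs each finding through a shun policy with the guards a practitioner would want: a never-shun list for critical infrastructure such as the organization's own name servers (assumed addresses, since IDS source evidence can be spoofed), and a TTL so no automatic block is permanent. `NEVER_SHUN`, the window and the threshold are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of firewall connection records (not real traffic), one per line:
# "<epoch> <src> -> <dst>:<dport>". Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1163000001 203.0.113.7 -> 192.0.2.10:80
1163000002 203.0.113.7 -> 192.0.2.11:80
1163000002 203.0.113.7 -> 192.0.2.12:443
1163000003 203.0.113.7 -> 192.0.2.13:80
1163000004 203.0.113.7 -> 192.0.2.14:443
1163000005 203.0.113.7 -> 192.0.2.15:80
1163000010 198.51.100.4 -> 192.0.2.10:443
1163000011 198.51.100.4 -> 192.0.2.10:443
1163000020 192.0.2.53 -> 192.0.2.10:80
1163000021 192.0.2.53 -> 192.0.2.11:80
1163000021 192.0.2.53 -> 192.0.2.12:80
1163000022 192.0.2.53 -> 192.0.2.13:80
1163000022 192.0.2.53 -> 192.0.2.14:80
1163000023 192.0.2.53 -> 192.0.2.15:80
"""

# Hypothetical: addresses the firewall must never block on IDS say-so alone, such as
# the organization's own name server and upstream gateway. Source addresses in scan
# evidence can be forged, so an automatic block here is a self-inflicted outage.
NEVER_SHUN = [ip_network("192.0.2.53/32"), ip_network("192.0.2.1/32")]

WEB_PORTS = {80, 443}


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, target = line.split()
        dst, dport = target.rsplit(":", 1)
        events.append((int(ts), src, dst, int(dport)))
    return events


def detect_host_sweeps(events, window=60, min_hosts=5, ports=WEB_PORTS):
    """Return {src: sorted distinct web hosts} for every source that reached at
    least `min_hosts` distinct hosts on `ports` inside some `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in ports:
            per_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            if len({d for _, d in hits[start:end + 1]}) >= min_hosts:
                sweeps[src] = sorted({d for _, d in hits})
                break
    return sweeps


class ShunPolicy:
    """Turn an IDS finding into a firewall block only when it is safe to do so."""

    def __init__(self, never_shun=NEVER_SHUN, ttl=3600):
        self.never_shun = never_shun
        self.ttl = ttl
        self.active = {}  # src -> expiry epoch; every block expires

    def decide(self, src, now):
        """Return "shun" and record a timed block, or "alert_only" for protected space."""
        addr = ip_address(src)
        if any(addr in net for net in self.never_shun):
            return "alert_only"          # page a human instead of blocking own infrastructure
        self.active[src] = now + self.ttl
        return "shun"

    def expire(self, now):
        """Drop blocks whose TTL has passed; return the sources still blocked."""
        self.active = {s: e for s, e in self.active.items() if e > now}
        return sorted(self.active)


def run(log_text=SAMPLE_LOG, now=1163000100):
    """Detect sweeps in the log and apply the policy; returns (sweeps, decisions, policy)."""
    sweeps = detect_host_sweeps(parse_log(log_text))
    policy = ShunPolicy()
    decisions = {src: policy.decide(src, now) for src in sweeps}
    return sweeps, decisions, policy


if __name__ == "__main__":
    sweeps, decisions, policy = run()
    for src in sweeps:
        print(src, "hit", len(sweeps[src]), "web hosts ->", decisions[src])
    print("blocked until TTL:", policy.expire(1163000200))
```

In the sample, 203.0.113.7 sweeps six web hosts and is blocked for an hour; 192.0.2.53 produces the same pattern but sits on the never-shun list, so it only raises an alert, which is exactly the case where a spoofed scan would otherwise have cut the network off from its own resolver. The single-host repeat from 198.51.100.4 never reaches the threshold.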

.: month of no posts

Wow, it looks like I've gone an entire month without making a post here. That was certainly a quick month, and I do have a backlog of things and links and tools to look at and post about.

My reasons for the lack of posts are two-fold, really. First, I have been holding back on a lot of stuff since I really want to convert this space into more of a wiki-format. A wiki is much more appropriate for what I am using this site as. I had some issues last month in getting Apache 2 and PHP5 to get along, so I have to check and see if that was resolved.

Second, I've moved a lot of my more discussion-style technical posts to my main blog instead of here. I am not sure if that is how I will do it in the future, as all my own non-technical stuff is being diluted by the technical jargon that many of my family and friends know nothing about. Maybe I'll load it all back here once I get the wiki up, and still have a sort of techie blog/news listing on the front page.

In the meantime, I hope to post some more things here anyway, regardless of the wiki progress.

.: on the forefront of technology

A quote from an ITBusiness article:

"You gotta be mobile, regardless. While it may pose great [security] risks, it's a greater risk to fall behind," Levy said.

It goes without saying that you can't let your networks and systems linger and gather dust so much that we get another, "it's 2004, why are you still running Windows 98 systems?" situation. As support drops off, so too should use. Just look at SCADA systems on what not to do...

However, there is still something to be said about being on the forefront of technology and to not be sitting around playing catch-up five years behind or more. I think it could help IT perception if IT were closer to the forefront of technology and enabling and assisting employees more. This might be a bit dangerous in some cases, but I think in most cases the only real danger is just overspending on new things that may or may not work out in the long run. Thankfully, technology these days does not necessarily have to be a bad decision made that will last 20 years...or even 5 years. Everyone in business makes mistakes. IT should be held in no different regard. If we move forward with mobile devices before they become fully mainstream and it doesn't work out, so what?

I could go into a lot of the benefits and risks and goods and bads, but I think it is interesting to imagine the change in approach when it comes to just doing some things, and figuring out the security later. Perhaps this is a bad idea for most, but it is still something to always think about. Why wait 3 more years before encouraging mobility in the organization? Why not just do it now and deal with the risks, issues, and technology? Why wait for users to clamor louder for IM, and instead move forward with dealing with IM in the organization now?

Now, this is weird for me to be saying. I typically am not an early-adopter. But I do have an excuse. In college and beyond I have not had a very large amount of leisure money at my disposal in order to delve into new things. My attitude is certainly ready to change now that I am crawling out of debt such that I can see the edge clearly now.


Another quote from the same article:

"Levy suggested that access-based protections (like dual-function authentication) are imperative, and end-to-end encryption is necessary. These technical failsafes should form the foundation for rigorous employee training from the IT department, said Levy... The employees need to become experts in mobile security, he says."

I don't like this statement. I think the average user needs to get used to doing things with security in mind, but it is ridiculous to ask that employees become experts in mobile security. Mobile security is tough enough for professionals working with it every day, let alone everyone else trying to do their own jobs. While training is necessary and employees do need to be at least a little bit security-conscious and accepting, it is up to technology and technology professionals to be the experts in security. We do not expect everyone to be an expert on the internal workings of their car or the proper use of complicated and ephemeral security measures. Instead, they just work, they just do their thing, and we take our cars to the professionals for anything beyond our control or understanding.

.: least user access

I almost always read "least privilege" or "least user access" and click into the article wondering what it will be. Without fail, it is always about that age-old discussion on whether users should be running as admins on their local machine or not.

What about the other aspect of least user privilege? Namely, the file servers. How are company file server resources allocated? How are requests for access to information handled? Not everything is in databases or web applications. So, what about this very important topic?

I wonder if this is because very few people understand the nuances of managing security permissions in anything but a tiny environment (at least, the IT journalists anyway). While it might seem easy to isolate developer files, what about when we start talking about collaboration or dynamic teams that span multiple departments?

Weird, considering I would expect many organizations to be very bad about tracking and reporting on actual user access or even managing that access at all.

.: security denial by lack of action

We have a lot of denial about security in our society right now.

Many people will admit, sometimes after a few thoughts, that breaking into someone's house is typically not that hard. Watch "It Takes a Thief" on Discovery and you'll see that the same fundamental issues come up most of the time. But as much as people will grudgingly admit how easy it could be, that is typically just unthinking lip service. Very few people, deep down, admit they can be victimized. Very few people take the time to implement fundamental security measures that greatly reduce the risk of a break-in, something as simple as a security alarm and proper locks on the doors. And yet very few people do these things...and then shed tears and feel violated when they do suffer a break-in. Do we just like to pretend it won't happen to us? Or do we just not want to spend the money or the effort? Typically, all it takes to break into someone's house is a little bit of effort and balls enough to overcome the internal sense of right and wrong.

Identity theft is still very easy to accomplish. But most people, while they will grudgingly admit that it is easy, still make little to no effort to protect themselves.

Security is often something that is talked about, but never truly taken seriously enough to change behaviors until after a security event. I would bet it is unanimous amongst people who have suffered a break-in that they wish they had had more measures in place, and I bet most have them now.

At any rate, it is interesting that security can be something that sounds good when people talk about it, but they still too often end up doing nothing, and by that lack of action, end up denying that they can be victimized.

.: wireless driver flaws highlight 2005

I was putting up a list of things to "predict" for next year, for my own amusement. It looks like one is coming true sooner than intended, as the Month of Kernel Bugs has released a second wireless driver flaw along with a Metasploit exploit.

There are three reasons this is huge right now: 1) lack of patching channels, 2) lack of hardened drivers, 3) the growing emphasis on mobility and wireless.

While Windows and other OSes and software apps have various levels of seasoned updating and notifications, the driver community has no such luxury. In fact, neither do the corporations that ship hardware drivers, like Dell, Gateway, HP, and so on. Customers are really on their own to know there is an issue, know how to find the right driver (still easier said than done on most of those sites), and install it properly (still sometimes a very arcane and archaic process).

This is a huge mess that isn't waiting to happen anymore; it's happening now. I now predict that 95% of all affected systems will not be patched until they are either rebuilt or retired to a garbage heap.

Second, drivers have long been relatively untouched in the media, and as such all their vulnerabilities and code issues have remained in the underground, if anywhere. But combine wireless proliferation, fuzzing, and virtualization, and it was just a matter of time before hardware drivers got the evil eye. Sadly, driverland is not ready for such attention, and I expect a lot of vulnerabilities to be exposed in the next few years in various hardware devices. The code is soft and not hardened over years of exploits and poking.

This is also important because of the growing prevalence of widespread wireless capabilities and laptops roaming around all over, and because default settings leave wireless network cards turned on. All it takes for a running laptop to be exploited is an active wireless network card. It doesn't even need to be associated with a network, and it can be rooted. It could then, possibly, spread.

I also predict there will be some wormable exploits popping up, but thankfully these should only be problems in larger hotspots like airports or college campuses or muni-wifi implementations. However, this could still slowly spread from laptop to laptop in an apartment complex or metro area.

.: the road to web 2.0 - myspace is out of place

If we're in web 2.0 right now with Gmail, Ajax, Ruby, YouTube, Flickr, and so on, what was before that?

web 0.1 - The first web sites; not much to speak of, and I doubt any still exist.

web 0.5 - Around 1995-1998ish with the annoying proliferation of flaming torches, animated rainbow lines, embedded midi, and terrible design. GeoCities is a household name (albeit in geek households).

web 1.0 - Everyone can be a web designer, and designs actually started to mature and not look quite so "GeoCities." Embedded midi is out. Animated gif attacks are out. Stylesheets and databases are in.

web 2.0 - Not everyone can be a web designer. Programmers and extra-mile languages are taking over to offer full application-style sites. Objects are in, playing with code is out. The tools are sophisticated enough that web newbies don't need to code, they can click buttons, sliders, toggles, and otherwise drag-n-drop content.

So, where does MySpace fit in? The answer is, it doesn't. MySpace resembles web 0.5 with annoying embedded musics, terrible designs, and atrocious layouts. It really is a modern GeoCities (now, there are many people with very nice-looking sites, but random browsing on MySpace is an exercise in ugly).

But so many people and bands and groups are posting there and using them to host their official sites. This means that MySpace either needs a makeover to become Web 2.0 compliant, or someone will take that space over and offer exactly what MySpace offers, only easier, prettier, slicker, sexier, and modern. Considering the "ugly" stigma that MySpace has, getting people onto a new service that is better shouldn't be much harder than Google toppling Yahoo back when Yahoo went out of style and Google was "it."

.: malware analysis: free video codec

This malware analysis is amazingly interesting to read. While not too deep, technically, this is the kind of analysis that is not really beyond any typical sysadmin or desktop support person.

A few points on why this is significant.

1) The malware is downloaded by social engineering someone into downloading a free codec in order to play some video. This is not atypical behavior; in fact, I see this every now and then on legitimate (non-porn) movies and happily go searching for codecs or just let it auto-check and install. A typical user will be fooled by this attempt, as could any user searching for the codec randomly (if you need a divx codec, you hit divx.com; you don't randomly search for and install the myriad odd "divx" codecs from mysterious sites).

2) The malware took over the DNS queries of the system and even actively took over browsing targets in IE. Could this malware also receive commands via DNS responses? It is definitely possible, as the analysis author mentions (I really like when authors illustrate just how bad things could get with a piece of malware), that false DNS answers can be served. You want Windows Update? No, you want our site to download false Updates with more malware! I'd really like to see some packet captures of the results, if they are abnormal in any way.

3) Just goes to show that if malware can get you to execute a file on your system, that system is no longer your system.

.: detecting virtualization
Running malware in a virtual machine is common for researchers looking to examine the effects and even reverse engineer the malware. This presentation goes into some of the new techniques associated with malware detecting the use of a virtual machine in order to stop execution and prevent reversing. Of note, if we can have malware execution stopped by virtual machines, could end users be a bit safer by using desktop systems as virtual machines (with a thin client front end)? Or perhaps will malware be able to specifically sniff out and target virtual machines if some vulnerability were found in the, say, virtualized drivers?

.: malware detects VM use and prevents execution

This presentation discusses new techniques associated with malware detecting the use of a virtual machine. Researchers typically examine malware on virtual machines. If malware can detect use of a virtual machine and then refuse to execute, reverse engineering the malware becomes a little bit more difficult. Could this mean running a thin client connected to a desktop virtual machine might be more secure? Perhaps, but I think it will be more likely to result in some really bad malware should any of the virtual drivers or virtualization software have any vulnerabilities discovered. It is a bit disappointing still that the virtual machines can be detected (beyond just the drivers saying "vmware display driver," for instance). Then again, it might be asking a little too much to expect VMs to be indistinguishable from physical systems.

.: sysadmin jokes for your manager

Just a couple ideas for office pranks on the managers.

1) Order up some jars or vases (the more magical or Aladdin-like the better, add in cork tops too!) and fill them with colored sand. Either solid colors or even do that cool layering for a more rainbow-like effect. Keep the jars of sand on your desk and label them: "Malware cleaning," "speed booster," "error fixing." Then when your manager comes by asking about an error or problem on a server, wordlessly choose the appropriate jar of sand and disappear into the server room...

2) Get a bit of white sand or salt and make a line of it on a server room desk (I don't recommend in your cube in case someone reports you!) like it is a line of cocaine. When the manager finds it or walks in while you're slaving away on some important downtime, let your manager know that they're driving you so hard you have to do cocaine just to keep things running.

.: linux as main box - part 6: oh to mount NTFS

I took the time needed to get Thunderbird all set up with my email on my Linux install. This was very easy since I use Thunderbird on Windows and was already quite familiar with the app. Good times!

I still need to get my hands on a legit or properly cracked (and still working) version of Windows XP Pro so that I can finish my VM install. I really want this so that I can run a few random little things that I need to run in Windows (like Ventrilo).

Next on my list is to iron out mounting my external hard drive with write access. The drive is formatted in NTFS, a Windows standard. While there are tools and ways for Linux to write to NTFS properly, there are still (after numerous years) disclaimers saying that the whole drive may still get hosed up. So I need to dig out another drive and perform a full backup of this external drive. I need to do this anyway as it has been a while since I backed it up. Either way, this shouldn't be a huge deal. Copy data over, install the NTFS tools on Ubuntu, mount the drive, test out write/delete/move functions. Done!

I also started playing with the new tools that Linux opens up to me. I installed kismet and played with it a bit, far deeper than I've ever played with it before on livecds like BackTrack. I even got to figure out how to edit shortcuts, the Gnome desktop layout, and application menus. More good times!

.: more IT journalism

Sometimes I really get something in a bunch over the latest and greatest article that makes IT and IT security sound so easy on paper. I especially dislike reading about things like that from a journalist who may or may not even know how to implement and support the given steps and commentary. While I can't usually comment on their background and experience, sometimes it is pretty obvious when someone is writing about "good to haves" and "theoretical approaches" and "base-case scenarios." In reality, most companies will never match those steps.

Today's victim is an article on the 8 steps to a secure network found on zdnet.com.au.

1. Verify the current connections - Verifying the connections on the firewall is a good exercise, so that you know your common endpoints. Sadly, this works only in small networks that have tight control on installed software and desktops. In a large network, this will change too much to be of too much use. In networks that do not have tight controls, you can have a few instances of Skype that will constantly be running suspicious connections to various places in China, Taiwan, Iceland, Denmark, and so on. Investigating these is just an exercise in wishing for tighter desktop controls. It might be better to look for some common destination ports like 22, 21, or some others that would be suspicious.

2. Look at network traffic statistics - This is a good step, and any network admin should be pulling these stats or at least checking the latest numbers every morning. Sadly, this is usually the realm of a specialized network device or a Linux box doing some traffic analysis, two things beyond the reach of many admins. However, if the aptitude on the team is such to get good numbers, this is an excellent step.

3. Look at your antivirus logs - Centralized logs for host-based antivirus is either something a smaller network would love to have or unnecessary traffic storms on larger networks. Network-based antivirus may be better suited here, or something on a chokepoint like the email servers. Checking for updated signatures should be mandatory, but checking for captured viruses is less interesting. Not only that, but the logs won't tell you the more important information: what wasn't caught by the signatures.

4. Read the security logs on your domain servers - Reading Windows event logs, particularly security logs, is about as bad a task as I can think of in IT and security. Hopefully anyone who has an interest in Windows security logs will be aggregating these somewhere and alerting when things like logon failures occur. If password policies are configured to properly lock out after 5 attempts and require admin intervention to unlock, this becomes more or less a waste of time.

5. Check for new security patches - As much as I might take exception to most of these steps, I do like this one. Keep an inventory of important systems and software and do regular rounds of checks on security updates. This doesn't need to happen every day, however. And hopefully you are controlling and know what is on your network...if not, good luck in getting everything adequately patched.

6. Meet and brief managers - Most of the time, the above 5 steps aren't going to be terribly interesting. Step 1 might be interesting only because of the sheer number of "suspicious" connections that may or may not be around. Eventually this task will numb managers and the meetings will turn informal and then non-existent. I think it would be more efficient to do this once a week.

7. Check more logs - Ok, I think this author is envisioning someone doing this job and only this job. All they do is check logs and security patches, kind of like a junior NOC operator or something. IDS/IPS logs should be checked, yes, but typically they are less useful than someone checking Snort or running some robust Linux tools for analysis.

8. Turn knowledge into action - This is a good step, but should be part of every piece mentioned above anyway. Take your information and work to either get better information, massage down the unnecessary information, implement changes like security patches, and research new tools to do all of these steps better.

conclusion - Overall, this sounds like a real cakewalk sort of job, and likely all that someone who followed these steps would be doing every day. Unfortunately, the reality is different and most admins seem to need to wear various hats or attend to other projects. These steps above are typically the first things to go when time is short. That's not ideal, but that's reality for most of us.
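As an added example for step 4 (not code from the article or from this post), here is the kind of aggregation the post wishes for: parse a security log export, count failed logons per account inside a sliding window, and alert at the 5-attempt threshold the post mentions, keeping the source addresses so a user mistyping a password at one desk looks different from one account hit from several hosts. The log format is an assumed plain-text export constructed for the example, not real Event Viewer output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, not real Windows Event Viewer output: one logon
# event per line, in time order, as an exported log would be.
SAMPLE_LOG = """\
2006-11-20 08:01:02 LogonFailure account=jdoe src=10.0.0.5
2006-11-20 08:01:09 LogonFailure account=jdoe src=10.0.0.5
2006-11-20 08:01:15 LogonFailure account=jdoe src=10.0.0.5
2006-11-20 08:01:20 LogonSuccess account=jdoe src=10.0.0.5
2006-11-20 08:30:00 LogonFailure account=svc_backup src=10.0.0.9
2006-11-20 08:30:04 LogonFailure account=svc_backup src=10.0.0.9
2006-11-20 08:30:07 LogonFailure account=svc_backup src=10.0.0.9
2006-11-20 08:30:11 LogonFailure account=svc_backup src=10.0.0.9
2006-11-20 08:30:14 LogonFailure account=svc_backup src=10.0.0.9
2006-11-20 09:15:00 LogonFailure account=asmith src=10.0.0.21
2006-11-20 11:15:00 LogonFailure account=asmith src=10.0.0.21
2006-11-20 11:15:03 LogonFailure account=asmith src=10.0.0.21
2006-11-20 11:15:06 LogonFailure account=asmith src=10.0.0.22
2006-11-20 11:15:09 LogonFailure account=asmith src=10.0.0.22
2006-11-20 11:15:12 LogonFailure account=asmith src=10.0.0.23
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (LogonFailure|LogonSuccess) "
    r"account=(\S+) src=(\S+)$"
)


def parse_events(text):
    """Turn the export into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "result": m.group(2),
            "account": m.group(3),
            "src": m.group(4),
        })
    return events


def failed_logon_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: (failures_in_window, sorted source IPs)} for every account
    that reaches `threshold` failures inside a sliding `window`. Only failures are
    counted, mirroring a lockout policy that triggers after N bad attempts; the
    success line for jdoe in the sample therefore simply does not count."""
    recent = defaultdict(deque)  # account -> failures still inside the window
    alerts = {}
    for ev in events:
        if ev["result"] != "LogonFailure":
            continue
        q = recent[ev["account"]]
        q.append((ev["time"], ev["src"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ev["account"] not in alerts:
            alerts[ev["account"]] = (len(q), sorted({src for _, src in q}))
    return alerts


if __name__ == "__main__":
    for account, (count, sources) in failed_logon_alerts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {count} failed logons within 10 minutes from {sources}")
```

In the sample, jdoe's three failures followed by a success stay under the threshold, svc_backup trips it from a single host, and asmith's lone 09:15 failure ages out of the window before the 11:15 cluster trips it from three hosts.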

.: RE: small business IT

Andy has an awesome post about the realities of small business IT. IT infrastructure is expensive, let alone trying to implement IT in a secure, scalable, and proper way. Also let alone trying to afford staff or consultants to support that IT and security. This puts pressure on individuals, small companies, and even mid-sized businesses to spend that sort of money or accept risks. This puts more emphasis on lightweight and open source tools. Which puts more emphasis on IT staff with those kinds of skills. Which puts more weight on paying their salaries.

As Andy says, even implementing the most basic things like backups can be difficult and painful.

Ahh, the continuing conundrums of IT security.

.: what makes a good it professional?

Locutus has an awesome post about what he feels makes a good IT professional, and I totally agree with him. Here is a quick summary in his presented order:

1) A passion for the work
2) Ability to solve problems and research solutions
3) Ability to solve problems and research solutions with time and organizational pressure

I like his first point the most, as it is what I call the "geek" trait. I'm a computer geek, meaning work is also my hobby, which is also my enjoyment. My tinkering with technology does not stop at 5pm nor start at 8am. It bleeds into every part of my day and life for the most part.

This is the whole reason why I fight to have jobs where I can treat both "lives" as similar as possible. When at home, I don't wear a tie when ironing out a problem, so wearing one at work takes me out of my normal, and productive, state of comfort. (Not that I truly HATE it or something, it's just a little thing.) Likewise, I might have days where my productivity would be huge at home compared to at work, or at least huge when I'm happy. And if this is my hobby and what makes me happy, it follows to help me be happy at work so that I can be productive there as well.

Ok, end rant. :) I'm sure I'll complain about this until I actually have a job that doesn't require a tie 80%+ of the time...and even then wear one regularly.

.: more terms that are out of control

Just read here some more unnecessary security terms. "Evil twins" is already better described as a rogue AP. And "wireless phishing" is just lame.

Please, unless the method is brand new, don't invent more terms for things that already have terms, for all our sakes.

.: spam: the breakdown of trust in cyberspace

Sometimes even I get some spam mail that makes me blink and think for a moment. I received an email about an order I didn't make on Newegg.com, a site that I frequent fairly regularly. The email came to my email account registered on the site, and had no links, only an attached .pdf.exe file. I even logged into Newegg.com just to make sure there were no purchases. I then checked the headers on the email that purportedly came from info@newegg.com and it instead came through an email server at bunsen.com, which forwards over to the official web site of The Muppets. In checking records, yup, the originating server appears to be part of the go.com network, which is part of Disney. But in checking my mail server logs, I see this email actually came from a system on a cable connection in Turkey.

While we talk a lot about security and how things can be circumvented and broken, rarely do we get down deep enough to talk about how trust is being affected.

I cannot trust the content of email.
I cannot trust the values in the email fields.
I cannot always trust the headers shown to me when I dig deeper.
I cannot trust the sender.
I possibly cannot trust Newegg.com with my info.
I might have distrusted The Muppets and Go.com and Disney.
I might not trust dns and whois information.
I might distrust foreign servers.

In the end, sometimes you can only wrap yourself in the comfort of the trust implicit in the protocols underneath the Internet, the logs of the devices and services offered...which is typically beyond the reach of your average user...
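As an added example (not code from this post), here is the header check the post walks through, done the defender's way: the only Received line worth believing is the one our own mail server wrote, since every line beneath it was supplied by the remote side, and the .pdf.exe attachment is flagged on its own. The message is constructed to mirror the case in the post; the MX hostname and the IP addresses are assumptions, not the real hosts involved.

```python
import email.utils
import re
from email import message_from_string

# Assumption: the hostname our own mail server writes into the Received lines it adds.
OUR_MX = "mx.example.net"

# Constructed message modelled on the case in the post: From claims newegg.com, the
# lower Received line (written by someone else's server) claims a bunsen.com relay,
# and the top Received line, added by our MX, records the real connecting address.
# IPs are documentation-range placeholders, not the real hosts involved.
RAW_MESSAGE = """\
Received: from mail.bunsen.com (unknown [203.0.113.77])
    by mx.example.net (Postfix) with SMTP id 4F2A1; Mon, 20 Nov 2006 09:12:44 -0600
Received: from info.newegg.com (info.newegg.com [192.0.2.10])
    by mail.bunsen.com with ESMTP; Mon, 20 Nov 2006 09:10:01 -0600
From: "Newegg.com" <info@newegg.com>
To: customer@example.net
Subject: Your Newegg.com order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached order details.
--XYZ
Content-Type: application/octet-stream; name="order_details.pdf.exe"
Content-Disposition: attachment; filename="order_details.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--XYZ--
"""

# "from <helo> (<rdns> [<ip>]) by <host>", the shape Postfix and sendmail write.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)\[]*)\[([0-9.]+)\]\)\s+by\s+(\S+)")
# A name like invoice.pdf.exe: a document extension in front of an executable one.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif|com|bat|cmd)$", re.I)


def parse_received(value):
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2).strip(), "ip": m.group(3), "by": m.group(4)}


def origin_from_our_mx(msg, our_mx):
    """The only Received line we can trust is the one our own MX added; every line
    below it was written by the remote side and can say whatever the sender likes."""
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        if hop and hop["by"].lower() == our_mx.lower():
            return hop
    return None


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() or None


def suspicious_attachments(msg):
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and DOUBLE_EXT_RE.search(p.get_filename())]


def assess(msg, our_mx):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    hop = origin_from_our_mx(msg, our_mx)
    domain = from_domain(msg)
    if hop is None:
        findings.append("no Received line from our own MX; the header chain cannot be trusted")
    else:
        claimed = hop["helo"].lower()
        if domain and claimed != domain and not claimed.endswith("." + domain):
            findings.append(f"From claims {domain} but our MX received it from {hop['helo']} [{hop['ip']}]")
        if hop["rdns"] in ("", "unknown"):  # Postfix writes "unknown" when there is no reverse DNS
            findings.append(f"connecting host {hop['ip']} has no reverse DNS")
    findings.extend(f"double-extension attachment: {name}" for name in suspicious_attachments(msg))
    return findings


def load_sample():
    return message_from_string(RAW_MESSAGE)


if __name__ == "__main__":
    for finding in assess(load_sample(), OUR_MX):
        print("WARNING:", finding)
```

Note that the lower Received line, if read on its own, would "confirm" the mail came from Newegg, which is exactly why only the hop your own server recorded (and your server's logs) settle where it really came from.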

.: linux as main box - part 7

My move to Linux as my main computer system is about 80% done, I think. That figure does not include things that don't run in Linux, like Ventrilo, some games, and Soulseek (p2p network). But the rest is coming along nicely.

I can now rip new cds using Grip. I have installed XChat for some IRC socializing (I had no idea there was a Windows version of XChat...yeesh). I found that GAIM will support GoogleTalk (Jabber) although it won't do voice chat. And I've shored up some problems with Totem and Mplayer not being able to play some media files like WMV files.

Basically just ironing out lots of little issues and problems this weekend. My external (NTFS) drive still is a bit picky. Sometimes I can write/delete files, but sometimes some files just won't delete. I'm tempted to just run a backup of the data, format the drive in FAT32, and be done with it. I know I'm not really utilizing the powers of NTFS on it anyway, even in Windows. A thought to toss around...in the meantime, I'm becoming more familiar with mount/umount.

.: humble predictions

The "next year" predictions have begun. McAfee issued their list of top threats for 2007. While they are driving their own market, they also take the easy road and state the obvious. It reminds me of the Top 20 Attack Targets from FBI/SANS, which covered just about every broad base in the digital world that you can. Great, talk about useless.

For my part, rather than just rehash the same old, I thought I would just issue out some thoughts I had for the coming year and beyond, by going out on just a little bit more of a limb than saying, "spam will rise."

convergence of culture on security policy - In the coming year and years we will see more of our digital culture permeating every aspect of our lives, and workplace policies will need to adjust or become obsolete or even barriers to getting good talent. Web filtering, Email filtering, IM controls, device restrictions, and the like will all be challenged as the Internet generation continues to fill more and more roles in the workplace and the digital lifestyle fills up and moves beyond just personal time. Companies need to embrace these changes and technologies now, instead of waiting until the pot boils over. It might be tough to properly handle IM, but it should be started now anyway. And dare I mention continued DRM and copyright troubles? Naa, that's obvious.

pockets of wireless driver exploits - The wireless world did not see huge gains this year in tech, but it did collectively hold its breath for news on wireless driver vulnerabilities. Granted, we had to wait longer than expected, but they are obviously present. And who updates drivers anyway? (Only three groups in Windows: gamers, people reinstalling their system [albeit usually from a disc], and us geeks...a vast minority of users...) Because of this, and the continued trend for municipalities to roll out widespread wireless access, I expect some pockets of wireless exploits to be had, whether it be a muni, airport, or university or corporate campus. Considering how deep the vulnerabilities get and how often people do not update their drivers, I expect something like this to be wormable, especially from an airport or location where the infected laptops migrate offsite. Issues like this might not be found out for days, when it is too late.

Managed security and IT takes a strong hold - More and more companies will realize that IT and security are expensive. They are difficult to manage, and even more frustrating for the professionals who know what to do but don't have the time to perform the needed tasks, or for the professionals who don't know what to do but have to take time to become experts. Ask any pro who has had to juggle their daily tasks while also researching the viability of blades and/or virtual systems. Suddenly you have to be an expert. Why do all this when it can be outsourced or at least managed by a third party? And as this continues, the industry will grow as well, by realizing economies of scale and being able to best utilize expert knowledge and quality talent properly. Why should one awesome security pro manage only one client, when they might be able to effectively manage 5 with some extra hands to help? This is a classic fully mutual economic growth where companies will fuel this and providers will get better.

More disclosure debate - The disclosure debate will get hotter, especially just today with announcements of the Week of Oracle Bugs being cancelled due to some external pressures and Vista coming out. This debate will get ugly before it gets better, especially if something else comes out that really exposes government, critical infrastructures, or large swaths of people. And if people start exposing exploits, will someone finally sue for having spoken out about it? Should we pretend they don't exist until someone uses them and gets caught or detected? Hopefully this stays out of the mainstream media otherwise we're all in trouble.

laptop theft and data disclosure not going away - Ever since we've had laptops, we've had lost laptops and data on those laptops. The media keeps acting like this is some new amazing trend we've never seen before, but it is as old as the concept of possessions. This will not be going away because we continue to make laws to disclose losses, we get better at detecting and tracking these things, and the number of mobile devices and expectations of mobile work is still growing at a huge rate. I just hope the media stops reporting every single one, thus numbing everyone about it.

the rise of the browser - The web browser is already an over-powered computer application. It has become almost bigger than the OS itself, and will keep going until all you need is an OS and a web browser to access all you need. This is dangerous and illustrates how technology is pushed and pulled without regard to security. Web 2.0 has assured this.

the decline of the OS - The OS is slowly going to fall out of vogue. People hate upgrading and the insecurities, people don't want to pay money to have their known and accepted OS replaced with yet another interface that must be learned. And with the rise of the browser, there is a very real chance that security just gives up on the end system and moves security into the network. Next year will be a dangerous time for the OS and browser, and Vista right now holds the reins.

Mac will have malware - The Mac will finally get hit with some definitive malware, which can finally shut up all the Mac fan boys (my next laptop will be a Mac) who keep dodging around and protecting their precious "no malware on Mac" claims. This will occur next year, and we can all finally move on with life and get some great things done without this marketing zealotry always muddying the waters of the blogs and media.