|
.: December 2006 Archives
Saturday saw me working most of the day on some productive stuff. On my test server I was finally able to install compatible and updated versions of Apache, MySQL, PHP, and Perl along with a new version of Movable Type. And I got it all to play nicely and properly render my website in full. Finally PHP and Apache2 ironed their issues out and I can proceed with my upgrades.
But this reminds me of the futility of trying to maintain a server and network in terms of security, and I don't even have all that much stuff installed.
My old server is a Windows 2000 Pro system that would have a 100% uptime if not for power outages and apartment moves (and update reboots). It runs MovableType1.2 I think, with 4 year old versions of PHP and Perl, a year old version of Blosxom, and Apache 1.3. I've not really updated the system itself in about 4+ years. That's heavy! And I'm a paranoid security guy who truly does know better!
Now, I will have updated versions of all of that, including a Wiki program. This means I need to keep up on:
- keeping my installs updated by applying any patches or security upgrades
- keeping my code secure by knowing how to program in a secure fashion
- remain an expert with all those technologies so that I know how to properly secure them
- for every update, be able to test it before putting into full production, or be able to spend time to recover when something royally screws up
- maintain resources for backing up the important stuff
My environment has two systems and a half dozen apps and a single OS version. And yet that's already a very big list of tasks up there. Just think how tough it is to be secure on a corporate level where every department has their own desires, software and web developers use their own systems to host things when they don't get their way on servers, and so on. It is no wonder that there are thousands of vulnerable forum sites out there running unupdated software. You can just wince when coming across an old forum site whose last 6000 posts are spam ads for Viagra.
Now, imagine turnover in the IT space. A 5-year vet of a company leaves and takes a heck of a lot of institutional knowledge with her. That might mean some systems have unknown software installed that no one else knows about, and no one else can manage. Imagine those things being used by someone for something critical, and by the time some issue arises, the company that created it (or internal developers) are no longer in business and support is not possible. Legacy is a very apt word for what we will go through as the years go by...legacy apps, systems, serers. It's not just hardware we need to worry about anymore, or bulky mainframes in basements.
Unless a corporation is very diligent and very controlling (which everyone resists vehemently), the application layer is becoming a lost battle. It is enough for IT divisions to attend to downtimes, connectivity, and failed hardware, let alone to stay abreast of the latest news on package Y or application X. And we can rest assured that we're also losing the battle of getting security packaged into software from the start.
As a side note, just think how much knowledge a tru security pro needs. Not only do I need to know how to install and secure Apache, but I need to know how to break it too. I also need to know what is bad in php (i.e. I need to know how to code it). I need to keep up with all those areas and updates. I need to have intimate knowledge not just of the OS, the apps, and the code, but the countless interactions between those two... Very, very heavy...
by LonerVamp 12.02.06 at 8:28 PM in /general -
The first Syadmin of the Year awards have just been announced. While half the stuff said is likely embellished and it is just a little pat-on-the-back kind of site, I just thought it was interesting to see what these guys did that made their peers and co-workers nominate them.
I also would like to note that not one of them (with the Air Force exception) is wearing a tie to make them work better. Nor do any of them work for recognizable large-type corporations. These guys just plain "get things done" as opposed to running the gamut of business politics. And I would be willing to bet that every single one of these guys actually truly loves their job and company. Happiness == productive == successful.
by LonerVamp 12.04.06 at 6:16 PM in /general -
I've seen a few "wide scope" posts lately about the state of security, but this one has some of the best points in it, and presents them very well. Mostly I just want to save this for my own use in the future.
Just one comment on it. Items 14 and 15 talk about how we cannot seem to agree, as a field, on best practices. Those posts are illustrated in item 2 on disclosure practices. Many of us understand both sides of the equation and even the grey area in between, but yet we still fall on all sides of the debate. Sometimes there is really no universally correct answer...especially in such a complex field as IT and security.
by LonerVamp 12.05.06 at 10:36 AM in /general -
I think I have my new "geek" blog ready to roll finally! The last step was to decide on a name for the site, and I settled on Terminal23 for my own reasons (nothing interesting, really). Now I can start porting over my Blosxom blog entries as needed, and get caught up on posting news and such. I really liked Blosxom for its simplicity and elegance. I would have stuck with it further, but I think I just wanted something new and I needed to update my blog application anyway on my personal site.
I do still need to get the wiki up and running, but that will take a bit more time and love. For now, this project has already exceeded my goals of being done by the end of this year.
by LonerVamp 12.11.06 at 8:50 AM in /terminal23 -
I made a few discoveries this weekend. First, a wireless access point has popped up in my neighborhood recently that is not encrypted, as a quick test of Netstumbler showed me. Second, my newest used laptop appears to be equipped with an Atheros card. Oh joy! I might just have to dual-boot that guy into Linux!
I hopped on the wireless network to poke around, but the Netgear AD password had been changed, and the one other system on the network was sending very few packets across. In fact, all the packets I picked up, with few exceptions, were not being decoded by Wireshark properly. They keep coming up as a Belkin MAC and something about broken packets. I'm wondering if this is something like a Netgear/Belkin combination using proprietary "speed-boosting" which is mucking up the packets. I fired up the newest Cain as well, just in case something interesting flew by.
I'm not really sure since I've not seen it before, but I've left the laptop on the network and will check it out over the next week or two. I do have an Internet connection through it. Windows Network Neighborhood gave me the computer name which happens to be a girl's name, and the AP SSID was a last name. Tonight I need to check what IP I have so I can get the service provider and IP to do some external testing, although I suspect I won't find anything useful. Given some Google searches and any possible traffic that I can decrypt, that is quite a bit of information to leak already.
At any rate, it is fun to have a spare system that I can just dedicate to wireless stuff. I've been wondering what to do with the system, as it is a little too big to properly carry anywhere (about 10 lbs and only fits in my backpack) for real portability, especially since I have far lighter systems. But now I think I have at least one use for it as a wireless workhorse.
by LonerVamp 12.11.06 at 1:33 PM in /general -
I am often amazed at some of the solutions to security problems that some organizations and people implement. A mailing list situation recently came through that had a web-based system developed to "hide" the URL bar from users so they couldn't see and/or manipulate the URL. This is almost certainly to obfuscate sensitive data in the URL and possibly avoid risk from manipulating that data (the classic www.domain.com?price=199 variable which can be changed to change the actual price). Now IE7 is out which forces the URL to be displayed. Kind of defeats some of that purpose, no?
Other times there can be some very creative ways to deal with security issues. SMTP "security" can be achieved by capturing emails with "SSN" in the body and saving them on the mail server for pickup by the recipient party. This really does not fix anything in SMTP or email, but rather just changes the path of the missive. Sadly, this is usually pretty annoying from the recipient's point of view.
These are sometimes just patches and workarounds to the real, deep issues of security. In the first example, the app should have been rewritten to display a sanitized URL. In the second, figure out a better way to utilize email or try to re-invent SMTP (hard sell, that).
I've found that there is an endless supply of creative and work-around ideas in the field of security, and I think a large part of that is a function of the skill in the field. As more and more auditors (people who check lists...), non-geeks, and barely competent IT support persons move into this field, the talent and skill gets a little bit more and more watered down. Instead of understanding the nuances and/or realities of a tool, too often shallow knowledge gives way to sometimes ill-conceived workarounds and obfuscations of issues.
It truly does take a technical and deeper knowledge to effectively and quickly determine security responses and measures (or how to beat them). Someone cannot take a position to secure DNS without understanding how DNS works. Likewise, how do you secure applications that depend on DNS when you don't even know DNS itself?
Web applications are teeming with this issue. If a developer knows how to program security into the product on the fly and codes with security in mind, that is a huge benefit to the developer who only knows how to make the functionality work (sometimes in equally ill-conceived ways), but then has to spend tons of time trying to boly on security down the road. Knowledge would save time and money.
I think this is where a lot of bad security comes from, just a simple lack of expert level knowledge. This itself is tough to achieve anyway, as a security guru tends to be seen as a cost, not a value-add. They add value by also doing network/systems administration, which tends to trump security when push comes to shove.
And while budgets, poor management, poor decisions, and other things influence one's ability to be educated and/or implement solid security endeavors, I still think being an expert in the basics goes a long ways. Why implement an expensive NAC solution when you can drop in an old box running arpalert (free) and check for rogue machines that way? Why spend hundreds of manhours on limiting exposure of an application on the network when you can ensure your code can withstand fuzzing attacks?
This isn't the only reason we have insecurity, obviously. There are time issues and often pressures from outside the competent developer's control. And there is much to be said about defense in depth by doing everything one can to make a more secure product, but I still believe the basics are what comes first. The obfuscation needs to come after. The creative workarounds that could be obsolete next year need to be second.
The future is still going to remain with open source tools and creative ways of being an expert with the basics. Not on spendy and fancy workarounds that too often miss the real points of insecurity or create insecurity itself. Besides, even something as epidemic as XSS is not a difficult issue to either exploit (usually) or prevent. This is basic stuff that we're still struggling with.
(On a flip side, I find it equally as bad to be both complex and an expert in it, as that means only you have the knowledge to make things work...complexity begets complexity begets less security...)
by LonerVamp 12.12.06 at 12:54 PM in /general -
There is more and more talk of people (typically people that just talk about things, i.e. analysts, as opposed to people who really *do* anything) wanting the ISPs to take up the battle against botnets and zombies. Personally, I feel that if ISPs are going to be forced into taking care of things closer to the end-user or that affect the end-user (either through detection and/or shunning after a threshhold), they're going to go balls-out and go farther than I, as a consumer, want them to go.
It is already difficult enough to shop around for an ISP that gives me a static IP (or at least very low turnover dynamic), allows me unfettered incoming and outgoing ports, and allows me to use my own mail and DNS servers as I see fit. I don't want that crap done for me. And I don't want to pay for business-class service. But if I were an ISP forced to go this route, forced to tackle a layer in the communications that I wasn't really supposed to tackle (this is like asking the physical layer to protect the sessions), I would make damn sure I log everything I can and get as far as I can and as thorough as I can before consumers start decying privacy issues and freedom of service. This is a ball I do not want to have started rolling.
Besides, I don't really think ISPs are going to dent that particular problem right now. I'd rather they were left to focus on what they do best, and provide me with uptime, reliability, and faster circuits. I don't want to have my system shunned (loss of reliability) because one of my neighbors can't stop visiting infested porn pages or out of the blue if it is my system affected.
But yes, I do think security will still head towards the switch, only the switch will be inside corporations and inside the user home.
by LonerVamp 12.12.06 at 4:20 PM in /general -
Open source software is considered by many to be the untainted version of freeware available on the web. Far too often, "freeware" packages in other smaller programs, from announced installs like Google or Yahoo toolbars to unannounced installs like spyware and adware. Open source is a much, much more trusted "standard" for web surfers to download and install programs while sleeping easier at night.
But I wonder how long such trust will last. I download and install open source apps regularly, and in fact, unless I know the application well I don't install a closed source app when open source has alternatives. But do I look at the source code to check and make sure some spyware app isn't packaged inside it? How many other people compile the source themselves, let alone truly understand the code enough to feel safe? And if someone with programming knowledge does this, will he be able to let the rest of us know and "out" the application?
Right now we (I) have blind trust in something deemed open source, and maybe a little more trust in something open source available on SourceForge or through a package manager, but there will someday come a time when even open source is not safe from the little things installed by determined marketers. What if an application is only really "safe" if manually compiled from source, but the compiled binary version has small print in the EULA hiting at additional software...?
by LonerVamp 12.12.06 at 4:42 PM in /general -
UCLA just announced the disclosure of private data on 800,000 persons. I find it disturbing that the "attacks occurred between October 2005 and November 2006." I almost suspect that that is only as far back as backup tapes and/or logs go. And there were multiple attacks? I would be willing to put money down on the detection being accidental on the part of the network admins. Maybe someone just looking at something they normally don't, or seeing something odd when troubleshooting an extraneous error as opposed to an IDS barking alerts or alarms going off or the attacker(s) being noisy.
Information security and insecurity isn't going away, and it is very hard to ultimately protect juicy targets. IT is understaffed and underbudgeted. We complained about this 8 years ago and we still complain about it because technology and information have grown along with staffs.
We also have an inability to share information. We work in an industry that cannot disclose details without the very real fear of lawsuits. But we desparately need to share this. We need to share what broke down in UCLAs detection strategies. We need to share how they learned of the incident and investigated it. We need to share the goods and the bads, what works and what doesn't work, the internal political barriers and the champions who push through them. Otherwise this issue just cannot go away and we'll only have analysts and journalists telling us (and our management) what "should" be done with absolutely no regard to the feasiibility of those measures. (Of note, I love analysts/journalists telling companies how easy it is to encrypt full hard drives just because they were able to encrypt their own hard drive once, two weeks ago, and then didn't like it and removed it...)
If we are to start making headway, we need the details. Otherwise the details, in their silence, will kill prevention.
by LonerVamp 12.13.06 at 10:49 AM in /general -
Hopefully I can finish my one or two weekend projects I need to work on this weekend. Tonight will be spent playing Warcraft and Saturday night drinking, playing video games, and talking about hacking. That leaves Saturday afternoon and Sunday to work on getting a new mail server set up on my server along with a Spam Assassin install. I also need to point my new domain to this site and fix the inevitable pointer issues in my code.
I'm not really looking forward to Spam Assassin. While I've never done it before and really want to learn it, all indicators point to it needing a bit of work and babysitting to be worthwhile. Oh well, may as well start this weekend and slowly work on it, kinda like securing Apache and mod_security.
I'll try my best to provide a report on here about my experiences with hMailServer and SpamAssassin on my Windows box.
by LonerVamp 12.15.06 at 1:52 PM in /terminal23 -
As Adnan recently realized, I too am finding that I have too many links and news and blogs to read, which steals away my time. I am almost feeling like an analyst, talking and reading, but never actually doing anything. So I'm pruning some more links and RSS feeds. As usual, I'm posting the "death" list here, just so I can reference it again at some other later time.
I was going through this list and removing people and looking at sites, and it makes me kinda sad to remove some links and blogs, especially those to people who might still be around, but don't post every day (or even week) or might make posts that I'm just not interested in. I got into using computers and stuff by being social online in AOL chat rooms, then later in IRC and forums. This culling of links saddens me because I know all of the authors and I share common interests and I love seeing how they present themselves online; in this sort of second world avatar image. Oh well, life goes on, and I hope it finds them all happy. Of course, with this huge list of outgoing links, someday soon I have a list of incoming links as well.
WBGLinks.net was originally a huge list of white, black, and grey hat links to many other topics and sites. It since has disappeared. Wintermute has also had little to say lately. Dam Kaminsky has excellent tools, presentations, and very creative ideas, but his blog is not the place to read them. He is easily Googled anyway. The guys at Checkmate only update once a month, and if they offer up something useful enough to read, I'm sure I'll get linked to it from elsewhere. I always hoped TheSecure.net guys would come back and keep posting, but not only did they go on hiatus for a year, but their site is now gone.
Adminspotting had a fairly short, but informative life and is no longer updated. I've long hoped the author would post his new idea mentioned in the blog, but he has not. Maybe someday. Adminfoo's provider seems to have had some data recovery/corruption issues which has left this site down a while now. Backups. Reading the linked host's status page is pretty much a story all IT admins dread: corrupted data and customers getting upset. Oddly, HERT (hacker emergency response team) seems to be down or gone.
Nitesh isn't around. The Microsoft Security Response Center blog is really not that useful, and when it is, other people link to it for me. Besides, with something as important as that blog could be, they will always be regulated from inside. OpenPacket.org is an awesome idea, but I suspect everyone who thinks so is just too busy doing other things as well. I'll link it up if it ever truly opens. Arved has been removed. The Geekpit has been removed. I'm not even sure what Infosec Daily is anymore, but I think it aggregates other sources I already track and doesn't look very pretty anyway. Insecure.org is not a news site and belongs under tools/resources. Of course, it's already there! SecurityWonk has disappeared. Also removing SecuritySauce. Nepenthes is a tool, and didn't belong here anyway. Kaosx has been removed. Jon Ellch's site was never really meant as a news/blog site anyway.
by LonerVamp 12.16.06 at 2:09 PM in /terminal23 - comments(1)
Ten years ago, it was still common to refer to hacking groups by their creative and rather dark names like Cult of the Dead Cow, and handles like Master of Disaster. These days, hacker criminals (note the use of the adjective "criminals" to quality an otherwise non-negative "hacker" noun) have matured their practices from just being curious and annoying and destructive to being profitable. But so have the security pros. While there are still people like Major Malfunction and Phenoelit around (and many, many others), just look at my list of links to the right, especially the blogs. I now have more real life names than I would ever have had 10 years ago.
That's not to say hackers do not have witty handles anymore, but there is that maturing going on in all facets of this industry. Curious, if nothing else. Me? I like the ability to use a handle to protect my identity online just a little bit more. Games, forums, IRC, IM...everything still asks for a unique username, so may as well blend that in with my industry handle. Better than being Avengerr26078 or Neo643389x!
by LonerVamp 12.16.06 at 3:10 PM in /general - comments(1)
I didn't get to play with SpamAssassin yet, but I did get a lot of other little things accomplished this weekend in regards to my site. I installed hMailServer and ClamWin so that I could move my mail server over to the new box. In fact, I went a step beyond my plans and am using OpenSSL and stunnel to allow SMTP and POP over SSL so that I can check things remote from a wireless hotspot. I also moved my Ventrilo server over and did some housekeeping on my websites; busywork that I've been putting off for many months but that only needed to be done once to be done for good.
With all of that aside, I'm looking forward to SpamAssassin sometime this week or next weekend, and to work on my wiki site as well.
Every time I work on my sites, I get that familiar bug to learn up a new web language and get really good at it. I love reading people like Jeremiah Grossman and RSnake, guys whose web skillz I really respect and appreciate. But I do know that takes significant dedication and time, and I know that I can't specialize in everything right now. Maybe someday I'll have an opportunity to go down that road, either for my job or in my free time once I get other things under my belt. Anyone can learn web coding, but to do it well and know the little "expert" level tricks is definitely where I would want to be, and that takes significant time. Besides, right now, web technology is simply not securable anymore. Unless you want a fairly static site with little integration and scalability, security is just not possible these days.
by LonerVamp 12.17.06 at 8:29 PM in /terminal23 -
A lack of updates should be followed by a slew of posts after the first of the year. Right now I am porting over all my old Blosxom posts over to this site, flagging them to put in my "being built" wiki, or just removing them as I figure out how to best leverage my sites. I will say that I really enjoyed the simplicity of Blosxom, especially to use as a blogging/site tool without wanting a true database backend. It was very slick, simple, lightweight, and kinda fun to work with. Unfortunately, it is not quite as robust as a true CMS/blogger. Honestly, I think the worst part about it is just being locked into something a little different and non-mainstream. Over time, who knows if there will be new features or support, and I'd hate to find myself 4 years and 2,000 posts into the future with a huge migration project to something more mainstream.
Overall, though, Blosxom is awesome, and I hope someday I can possibly find a use for it.
by LonerVamp 12.20.06 at 9:18 AM in /terminal23 -
The Open Relay Database service has called it quits finally. ORDB provided a blacklist of known and/or suspected spamming SMTP services based largely on IP addresses.
This was always a bad idea. I dislike lame workarounds for a problem inherent in the protocol itself: lack of authentication. Trying to tack on security just won't work here. You might be able to shun a large swath of spam, but you also catch a lot of dolphins in the net as well. Take me for instance. My home mail server is on a DSL or cable line. The ORDB labeled my connection as a home-based system or even "dynamic IP" and thus anyone using their blacklist dropped any email I sent. Most companies that used this blacklist also did not accept free mail services like Gmail and Hushmail. It truly made communicating with some companies extremely problematic. I never did get a response from ORDB about my reservations (to put it lightly). You can drop 100,000 spam messages and no one will care. If you drop 1 extremely important email from a VP, heads roll. This does affect most any spam protections, but shunning by IP is not the solution.
Likewise, I've heard tales of legitimate companies being placed onto the blacklist, and having a huge hell of a time trying to get off the list. There is no real definitive threshhold or line drawn where, when complaints cross it, the site is put on the blacklist. This means that the larger the institution, the more likely a few clueless people will report legitimate mail that they requested, as spam, and screw up the company. Not a cool model.
So, rather than just complain, what do I recommend? Honestly, I'm not sure. There must be signature-based detections, but that relies on someone keeping the signatures updated (outside service). This should be accompanied by automatic denial of certain types of emails, such as emails with .com attachments and so on. There should be some measure of bayesian/subjective analysis, but that can't be terribly draconian otherwise legitimate emails will be dropped. When it comes to my home network, I'd rather delete a few rogue emails than lose a few mis-categorized emails. I also believe in layered defenses, so this network-based detection can be augmented by utilizing any client-side "junk" filters. Most email programs today include some sort of manually-configurable junk filter that can "learn" as you use it. Utilize that for anything that gets through the initial procedures.
The rules change a bit when you talk about corporate email systems, however. No one wants their users to get even any spam mail, let alone something offensive or not appropriate. In a corporation, I really believe either the company needs to accept some measure of spam (typically smaller companies with less budgets, who also may be more needing to see emails from servers like mine) or spend the money to fully outsource it to a professional spam blocker. For comprehensive and intelligent and highly accurate spam blocking, I feel no company can do this alone. We use Postini at work, and I have to say I've been quite happy with it. Basically get a service upstream, filter emails, and then receive only the good stuff. This helps take pressure of corporate IT to become spam experts 24/7. That's just not practical.
Ultimately, I'll have more opinion on this after I play with SpamAssassin some more. I really do believe SMTP is a good protocol, but the Internet has grown larger and more depended-upon than SMTP was designed for. I consider it an already-dead technology that will linger for many, many more years simply because of the low cost and ease of usage. It will eventually be replaced with voice services or SMS and messaging services. The only effective difference between email and IM is the ability for mail to be held on the server until the user logs in and retrieves it. Yahoo does this in IM and has done it for years, and Google continues to make Gmail and GoogleTalk features more and more overlapped to achieve that switchover.
by LonerVamp 12.20.06 at 10:47 AM in /general -
One author has dubbed 2006 the year of the breach. I disagree. I think this year is the year when the blanket of ignorance has started sliding off. We've not had more data disclosures or identity thefts. We've just heard about them more than in previous years. Laptops have always been lost and data has always been on them that should either not have been or at least encrypted. This is not new. But our talking about it in mainstream circles and media is new, especially in light of erected regulations forcing such disclosures.
In addition, drivers, particular wireless ones were outed throughout the year, and all those quiet little problems with their code quality have come to light in quite dramatic fashion. This is still a fairly quiet problem, however, probably because unless you're installing a new system or a gamer, no one really regularly updates drivers. People still want to just ignore the problem.
Web 2.0 started getting beaten around a bit as application developers are still pounding out insecure code, but several researchers showed us that this is all deeper than we thought. Javascript and HTML are capable of very similar attacks and recon exploits. We all feel a bit less safe on the web as a whole. The Month of Kernel Bugs has opened eyes to kernel issues, full disclosure, and software patching processes in open and closed source projects.
While few of these issues are truly new, and nearly as many are still not really solved, at least we're talking about them in public and they are getting attention. We can no longer live with self-inflicted ignorance in management who would rather not think about a lost laptop and be even less inclined to admit to anyone that one was lost when it does happen.
by LonerVamp 12.20.06 at 3:53 PM in /general - comments(1)
Cookies are a very old (in tech terms) method of messing with a website and/or circumventing security or obscurity. Nonetheless, never underestimate them or overlook the low-hanging fruit. InformIT has a quick illustration on playing with cookies on a large website.
Sometimes it is just nice to see examples and how tools are used. For more cookie playing, I'd like to check out this firefox extension for adding and editing cookies (supposedly AnEC like the one shown in the article?).
by LonerVamp 12.20.06 at 4:11 PM in /tools -
There is a problem in IT and security with home users and small businesses. Security and any sort of halfway solid IT infrastructure is simply not possible without buying an outside service or having the luxury of an employee or employee friend with IT aptitude (and even they can be detrimental to security). Devices and software are expensive, and open source tools tend to be more advanced than many small businesses can handle (consultants that know licensed Microsoft tools are a dime a dozen, but an open source/linux guru will cost ya).
So I liked reading what Untangle (formerly Metavize) is doing. They have a server device that you can run and it looks rather robust for a tool they are offering free to small shops with 10 or less computers (that would include me at home!). This is like Smoothwall, but with other features. I look forward to checking this out, but if it is as easy and solid as it looks from the website, I'll be quite enthused to recommend it for people without a budget or IT support.
The server appears to provide firewall, antispam, antispyware, antivirus, web filtering, and various other services that make sense to be packaged into one single chokepoint device on a network. I think I will try to segment off a part of my home network and drop this in with a test laptop behind it and see how it works. I just need to find a spare system that is close to the required specs, and I think my old server that I just phased out a few weeks ago may be just the ticket.
by LonerVamp 12.21.06 at 3:48 PM in /tools -
(note: I will be removing these as I read them.) update: I've decided not to remove some, as they as "classics" and I'd like to keep the link for my future possible reference
This GIAC practical paper is a massive look at the firewall stance of a fictitious company's complicated network. Very detailed paper and I really look forward to reading it someday soon.
A paper on discovering wireless discovery tools like Stumbler.
A paper on detecting wireless lan mac spoofing. A bit dated, but still a nice little bit of knowledge to have when looking into wireless forensics and traffic.
A fictional Red Team Assessment paper. This paper is a practical for a GIAC certification. Interestingly enough, it is actually a response/engagement to a previous GIAC practical paper submitted by another certifyee.
A short paper from Joatblog on fingerprinting, but also contains a nice list of resource links at the bottom.
And this is why you block ICMP (or at least monitor it closely): ICMP tunneling. This is a vein of project I've been wanting to do for some time now, along with an SSH tunnel that I can set up from anywhere and use things like an wireless hotspot and still maintain a good measure of privacy.
A paper on how to install a secure Linux web/mail/dns server. Requires .pdf viewer.
Part 1 of a series of papers on Linux Security. Tons of links to other resources at the bottom.
NSA's 60-Minute Network Security Guide. A nice little overview type of read that covers as much as some network security books cover. Nice little inspiration and start to getting into a mindset.
An article on understanding tcp reset attacks. Have yet to read this one.
Univeristy of Washington course on modern cryptography has been placed online. Might be some good material to read on a rainy day.
by LonerVamp 12.21.06 at 11:01 PM in /general -
I read Bruce Schneier's weblog on a pretty much daily basis, and I truly appreciate what he brings to security punditry, especially things outside of strictly network and computer security.
But the more I read from Bruce, the more I am convinced that stories he points out will be forever and universal. There will never be any type of security that relies on people that cannot be circumvented, even if by accident, one time out of 1,000,000. It fuels people like this because the stories will never go away. People will always make mistakes and someone somewhere will point it out and make everyone else cry that we should have 100% perfect security and spend more money to get that last .01% failure rate removed. That's just not always realistic. The effort is nice and I do appreciate his efforts to keep people from being blissfully ignorant about what security really is versus the perception, but he is like sugar to me. Take samples of it, not heaping spoonfulls, for best enjoyment.
by LonerVamp 12.22.06 at 8:14 AM in /general -
I typically make resolutions on my birthday as that is more meaningful than a new calendar year. But one late resolution I want to make came to me as I was migrating more of my posts over to this site, including a long list of tools that I've just never gotten around to looking at. For the past year or more I've been sponging up information like there's no tomorrow, but I've been putting things into practice far, far less often than I should. And now that I have some spare systems sitting around, I need to put them to good use. So, I need to start doing and playing and tinkering with things and less just reading about it all. I've got the academic side of things down pat, and I realize that. Now I just need to do, make mistakes, screw up, fix it, move on, and overall learn stuff hands-on.
Of course, this has already begun now that I have upgraded my server and I have the infrastructure in place to keep my own notes on the things I try and experience. So I'm well on my way on this front, as long as life sees me still having enough free time to do things! :)
by LonerVamp 12.24.06 at 12:45 AM in /terminal23 - comments(1)
Maybe I am a bit old-school already, but I like the sound of this news post:
Due to an increased network threat condition, the Defense Department is
blocking all HTML-based e-mail messages...
The JTF-GNO mandated use of plain text e-mail because HTML messages pose
a threat to DOD because HTML text can be infected with spyware and, in
some cases, executable code that could enable intruders to gain access
to DOD networks, the JTF-GNO spokesman said.
In an e-mail to Federal Computer Week, a Navy user said that any HTML
messages sent to his account are automatically converted to plain text.
This is one of those battles I resoundly lost in my last job: forcing Outlook to display emails as plain text. I'm one of those people who sees absolutely no need to make emails look pretty with embedded pictures. Marketing and sales think otherwise, of course. As far as my own emailing habits go, I'm pretty strict about making my outgoing emails all plain text, and most incoming mail plain text as well. You eliminate huge swaths of attacks by turning off HTML rendering in email programs...enough that really you're left with sheer stupidity in going to links or running attachments, and you avoid all that hidden junk with javascript, remote calls, and misleading links.
If something needs to look pretty, put it in an attachment or link to the website inside the email body.
by LonerVamp 12.26.06 at 10:44 AM in /general -
KListon over at the SANS Handler Diary recently posted about worms and how we won't see an SNMP-borne "Slammer-like" Internet worm, or maybe even any worms like Slammer, despite the opening given by MS06-074.
I think he is somewhat correct. The Slammer worm exploited SQL instances and caused a huge amount of havoc because of the unintended effect of flooding most networks with packets, to the point that they were unusable. From worms like this, authors have learned that if they want to have a good worm, you don't want to overload your own pipelines. Rabbits may multiply like nothing else, but once you get 5,673 of them stampeding over a bridge to get to new food sources, the bridge will collapse and they're all dead in the water, so to speak.
I think kliston's best point was the oddity of tons of tcp 1434 ports open to the world. This defies the common sense that administrators of today have, where databases are (should!) be nestled deeply inside the network behind a few layers of protection between it and incoming Internet traffic. Firewalls have been built up quite a lot over the years, and I think many networks are much more resilient to network-borne worms coming from a public network. Unless something is able to pop apps on commonly opened ports (we're probably looking at IIS/Apache, sendmail/IIS, SSH/telnet, BIND...) that are widely used, I don't see any major outbreaks on the horizon. What we're then left with would be widespread apps running on IIS/Apache (Web 2.0 or common packages like phpBB) or perhaps IM propogation should something in a message be able to pop the app. And of course, some discovery in Cisco equipment could be catastrophic as they make up more of the bricks in our perimeters.
Now, that may nicely cover Internet-borne worms attacking over the dangerous public networks, but that is not to say there won't be pockets (sometimes LARGE pockets) of an SNMP worm. Even beyond the heyday of the Slammer worm there were still terrible outbreaks as laptops took hold and developers moved offsite with Slammer-susceptible MSDE instances. Once back into the comforts of the home network, such instances gobbled up any unpatched systems and vomited out onto the network wires. Similarly, an SNMP worm can piggy-back inside a network as well, or be delivered via email or other means. Once loose inside a network, it can still have a catastrophic effect for locally.
I have heard often that the network perimeter has disappeared. I disagree with that. Our networks have simply become more ephemeral, kind of like the kids starting to play outside the house and getting dirty by dinnertime. The house is still there; the perimeter is still there. I imagine as ipv6 starts to get realized (someday?) the calls will arise to do away with NAT and the perimeter once public address-space is again limitless. But, of course, that would pave the way for worms to come out of hibernation, so I hope that the perimeter is going nowhere even with ipv6.
Kliston's third leg mentions something lots of people have repeated all year long: malware authors have become more interested in profit than notoriety. Well, how about being paid to disrupt a competitor's network? And you just happen to have the ability to create an SNMP worm? And what if that competitor has poor network design and utilizes SNMP on his internal servers, and has a long cycle before those servers get patched? You might be able to realize this financial gain by sending your worm packaged into an attachment over email or perhaps scatter some USB flash drives in the parking lot (with eye-catching glitter-bits painted on to attract attention) with the worm autorunnable. All it might take is one execution and bam, their servers go from the same ol' grind to being tickled lightly to flat out all raising a new flag of ownership. Dramatic, yes.
Or, hang out at a local wireless hotspot that the employees frequent. With their laptops. Once away from the hardened corporate network, those devices may be ripe for the picking...and planting of a worm. Maybe corporate epionage is already here, but I suspect it will continue to get worse, whether the media picks up on it or not.
by LonerVamp 12.26.06 at 1:47 PM in /general - comments(1)
The Chaos Communication Congress, now in its 23rd year, has always been one of those conferences that gives me goosebumps to think about the innovation, creativity, and genius all packed into one place for a short amount of time. I enjoy watching many of the presentations after the fact as they are quite open about distributing them. They feature some amazing ideas and technologies and tend to be a bit more open about challenging governments than US cons. One of this year's bigger attractions is RFID tracking. I think it will be interesting to see tracking being brought more and more into our mainstream thinking. Much like the ipod+Nike revelation recently.
Also, DNS should be propogated by now for wiki.terminal23.net. Mediawiki freaked out last night when I changed the URL and Virtualhost for the site, but a quick reinstall made it happy again. I don't have much there and it will just be intended as a resource for me to track tools and tutorials, but I have started moving down that road enough to link it up from here.
by LonerVamp 12.28.06 at 8:30 AM in /general -
Somehow this site slipped through my RSS feeds net, but the Security Catalyst has had a few interesting updates in the past month.
First, David Stern talks about VPN not being a security device. I think this can be confusing because I think I was linked to this post via someone saying VPNs offer no security and citing David. VPNs do provide security by encrypting traffic over a public network. Although I do understand what David is trying to say. Typically, VPNs do not use more sophisticated authentication than other remote access methods, nor provide any further traffic protection beyond the VPN endpoint. If you let me VPN into your network, you'll have to deal with the fact that I might make connection attempts to Gmail or spew out Slammer traffic. Point made, but I think his point can be far too easily mistaken. At least the post made me sit back with a screwy look on my face for a few minutes! I tend to be a natural skeptic.
Second, is a post about explaining SSL security. This made me giggle: get a group of nearby people together and go over the security that SSL provides. Now, yes, I can explain SSL accurately, but I gotta be honest, even at work about zero of those people are going to give a shit about the details, even if spoken in elementary terms. I've worked at web-tech companies where I filled requests from people (developers and managers) for SSL certs, who themselves couldn't care less about the technical reasons. "The client requires SSL and Sysadmins get annoyed when we don't put them on," was the only real care; just a checkmark to filling the client's needs. Again, though, I see the point: education. But I doubt many people truly care what SSL is and how it truly works.
Here is a case in point. Go to MySpace.com and log in with your username (come on, everyone has one). Notice there is no https/SSL transaction? Yup, that's how much people truly care about SSL: MySpace.com's popularity doesn't seem so affected. (I discovered this one over a year ago at a wireless hotspot whose traffic I was snooping on...) Yes, perhaps it is not a banking site...
by LonerVamp 12.29.06 at 11:21 AM in /general -
One piece of marketing schwag I like to get are various small USB drives. I have a handful of Dell 64 MB keys that I use regularly, especially when with buds offsite. I wonder how hard it would be to order some USB keys printed with another company's logo, and then give them away at a tradeshow. Oh, I should mention that they can then be loaded with some malicious apps to infect any system they are plugged into and then call home after a few weeks. Or try to delete all files on the network the vitim has access to. I wonder what kind of lashback that might send to the company whose logo is on those drives? We've had Sony putting rootkits on cds and some ipods delivering trojans, so when are we going to see the first high-profile case of USB exploitation? And I'm not talking a pen-test effort, but an actual criminal case.
by LonerVamp 12.29.06 at 1:29 PM in /general -
Yes, blogs are social networks, as are IM, IRC, and mailing lists. Michael over at MCWResearch tagged me. This means I'm supposed to reveal 5 things about me that few people know, and tag 5 other people to do the same thing. Well, I'm a party-pooper and typically delete chain mails so I won't tag other people, but, I am a good sport so I'll play along with the 5 revelations. Besides, it's still technically "The Holidays" and I have a nice three-day weekend again. I will, however, post 5 links at the bottom that trace back the path this tagging has taken to get to me.
1. I regularly play World of Warcraft. I have a 60 warlock and 60 priest on Crushridge Alliance and a growing 30-something rogue on Terenas Horde. The warlock is my main and amassed 7/8 tier 2 and 1/9 tier 3 before I retired from high-end raiding about 5 months ago.
2. I used to get paid not only to play computer games, but to run online leagues and tournaments. I ran or helped run events for Quake 1, QuakeWorld, Unreal Tournament, some SegaNet stuff before they died, and even a live CPL event. I've also made money competing in events in Unreal Tournament ($2500 about 5 years ago in college). Sadly, little of this history is linkable anymore.
3. While you can see a picture of my car online, what you can't see is my license plate (1NF0S3C or 1NFOS3C) or the black "hack the planet" sticker next to it.
4. I lost my virginity at ag...err, wait. I mean to say that I started authoring my own web site back in 1996 hosted at my alma mater Iowa State U. My college roommate and good friend taught me the ropes (i.e. he showed me how to View Source in IE and upload files to the server).
5. I don't yet have the budget for a cat, but I do currently have some fish: 6 tetras and 3 corydoras. I plan to double the number of both after I clean up the tank a bit more and get rid of my snail problem. And I love to have bettas on my desk at work.
So, with that out of the way, I won't pass the chain-letter on, but I will stick to the spirit by providing 5 links that led to me. MCWResearch got tagged by Michael Farnum. He got it from Ian Lamont who was sniped by Richi Jennings. And Richi was tagged by Ann Elisabeth Nordbo to start off this little 5-hit combo.
by LonerVamp 12.29.06 at 2:02 PM in /terminal23 - comments(3)
I'm not an author like Bejtlich, but I do appreciate when he reviews books. I like reading reviews just so I can quickly weed out the bad apples and the good apples before buying something I'll wish I could take back. For my part, here are a couple of Ubuntu books. Just as background, I've run various Linux distros in the past for small periods of time, and I've supported Slackware boxes in a previous job, but I still consider myself a fairly new *nix user. Currently I dual-boot Ubuntu and WinXP on my main laptop, but I use Ubuntu 99% of the time lately.
Ubuntu Hacks is part of the really cool O'Reilly series of Hacks books. I've long enjoyed them because they take a specific question and answer it very succinctly and quickly. The authors don't spend a chapter or 15 pages over specific topics and thus don't get into much detail, but they get the hacks done. Ubuntu Hacks is no different and is really excellent to have for an Ubuntu newbie. I would recommend it for anyone with at least some familiarity with the Linux world. It might be worthy of being the only Ubuntu reference you need other than Google. Don't wait too long to get this though; like other Hacks books (and many "how to" geek books anyway) it will get outdated quickly.
Ubuntu Unleashed is a much thicker book that covers far more topics with far more depth than Hacks. Sadly, the authors seem to have just taken their Fedora Core Unleashed book and repackaged it as Ubuntu with some spotty word replacements and some Ubuntu specifics. It sucks to read about using Yum or Ubuntu Core in an Ubuntu book. Still, the book works for a newer Linux user like myself, but I wouldn't really recommend it due to the copied nature. In some places Hacks does in 2 pages what Unleashed barely gets correct in 10. With Ubuntu books dominating the Linux shelves at the bookstores, there are better Ubuntu books available than this one.
by LonerVamp 12.30.06 at 8:12 PM in /general -
I'm not one for predictions, mostly because everyone else does them and I'm not necessarily an analyst. But I thought I would spit out what's on my mind. And no, I'll refrain from the obvious and take some more ballsy moves.
1. Efficiency is the name of the game with technology, not only in business but in criminality as well. Think of all the scams and attacks that have been performed for decades (plagiarism, fraud, identity theft, data theft, credit card skimming, phone phreaking, spam/junk mail, music/movie bootlegging/copying...). If there are some out there still untapped as a technological attack, they will start getting tapped. As phones and VoIP converge and cross international lines, so to will we start to feel the return of phone scams and telemarketers as call prices plummet and laws are unable to cross borders.
2. Several people made headlines this year, and maybe you could say they broke out. HDM, LMH, Jeremiah Grossman, and RSnake are the memorable names. The first two are pushing fuzzing; the latter two are abusing web attacks. That foursome and their lesser-known buddies and pals are the nucleus of active white hat hacking and disclosure. None of them are done yet, and I think 2007 will see a lot more activity and revelations from all four. What ports do people open on firewalls? BitTorrent and P2P. Fuzz those apps and we might find another worm for home systems.
3. With the widespread dismissal at how potentially dangerous wireless driver attacks can be, I still expect to see this minorly erupt. Granted, we won't see huge wormable activity, but damn is it nice that drivers are rarely updated and they are insecure still. I expect more news here and maybe a few landmark incidents in the wild. I wouldn't be surprised if governments and corporations are not already abusing this front in more targeted attacks.
4. You can't predict something in 2007 without thinking about botnets. Nothing scales better right now in the threat landscape than botnets. From DDoS to extrortion to DNS attacks to just taking your 20,000 infected hosts and stealing host information; It's going to be worth money to someone. I expect these to get more sophisticated as botherders realize the true power they have. I wouldn't be surprised to see some of the compromised systems get special attention as a stepping-stone into behind-the-firewall recon and attacks. A .gov bot? Cha-ching! We have no real counter to botnets right now, and this war can only escalate. How about that SNMP worm that people think won't come? Release that via the bots and you can have a lot of fucked up networks despite strong firewalls.
5. Regulations and standards will start to be questioned as data disclosures and high-profile attacks won't go away. Just like government report cards being useless, so too will standards compliance checkmarks. Just like "Hacker Safe" meant nothing to some websites that were still full of holes, so too will "XYC 21300 compliant" mean nothing. Organizations are too different and complex and the threats too different for standards to really be effective. Mgmt won't understand that for a few years yet. (On a similar note, as security moves into unified super-applications that try to do everything from one mgmt console, the skills of admins to understand the underlying technology and do things with free lower-level tools will become dangerously low in many organizations...maybe not in 2007, but ongoing.)
6. Lastly, da bears will finally win another Super Bowl.
by LonerVamp 12.30.06 at 10:14 PM in /general -
|
