.: January 2007 Archives
Just finished standing up an OpenSSH server on a Windows box mostly just to do it for once. I know, I know, it should be Linux. But I firmly believe this is a Windows world and like it or not, this request will someday come up just like this. I'll put a Linux one up on my next box.
All told, there are plenty of sites around that walk through setting up SSHD and Cygwin on Windows. Sadly, they all seem to leave the unsuspecting user very insecure. These commands are always listed:
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
These commands copy Windows users and groups over to the Cygwin environment. Yes, that includes accounts like Administrator and every other group that exists. There is a reason that "root" is and should be denied login via SSH: it is an utterly predictable account to brute-force! Well, I would bet that on many Windows SSH installations, Administrator is likely pretty predictable too. To get around this, I just remove those users from /etc/passwd.
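One way to do the pruning described above, as an added example (not from the original post) in PowerShell on the Windows host: it drops Administrator and Guest from the mkpasswd output by well-known RID (so a renamed Administrator still goes) plus a name deny list, writes the file with the LF endings Cygwin expects, and derives an sshd_config AllowUsers line for what remains. The Cygwin path and the sample accounts are constructed.

```powershell
$CygwinRoot = 'C:\cygwin'                     # hypothetical install location
$DenyNames  = @('Administrator', 'Guest')     # by name, in addition to the RID check

function Get-CygwinRid {
    # mkpasswd -c puts the account SID after a comma in the GECOS (5th) field;
    # the RID is the SID's last component.
    param([Parameter(Mandatory)][string]$PasswdLine)
    $fields = $PasswdLine -split ':'
    if ($fields.Count -ge 5 -and $fields[4] -match ',(S-[0-9-]+)$') {
        return [int](($Matches[1] -split '-')[-1])
    }
    return $null
}

function Remove-PredictableAccounts {
    # Drops well-known RIDs 500 (Administrator) and 501 (Guest), which survive a
    # rename of the account, plus anything listed in $DenyNames.
    param([Parameter(Mandatory)][string[]]$PasswdLines)
    foreach ($line in $PasswdLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $name = ($line -split ':')[0]
        $rid  = Get-CygwinRid -PasswdLine $line
        if ($DenyNames -contains $name -or @(500, 501) -contains $rid) {
            Write-Verbose "dropping $name (RID $rid)"
            continue
        }
        $line
    }
}

function Write-CygwinPasswd {
    # Cygwin reads LF-terminated lines; Set-Content would write CRLF.
    param([Parameter(Mandatory)][string[]]$PasswdLines,
          [string]$Path = "$CygwinRoot\etc\passwd")
    [System.IO.File]::WriteAllText($Path, (($PasswdLines -join "`n") + "`n"))
}

function Get-SshdAllowUsersLine {
    # An sshd_config AllowUsers line built from the accounts that keep a real
    # login shell, so sshd rejects every other name before authentication.
    param([Parameter(Mandatory)][string[]]$PasswdLines)
    $users = foreach ($line in $PasswdLines) {
        $f = $line -split ':'
        if ($f.Count -ge 7 -and $f[6] -eq '/bin/bash') { $f[0] }
    }
    if ($users) { return "AllowUsers $($users -join ' ')" }
}

# Constructed sample of mkpasswd -cl output (fake SIDs, not a real machine).
$sample = @(
    'SYSTEM:*:18:544:,S-1-5-18::',
    'Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-11-22-33-500:/home/Administrator:/bin/bash',
    'Guest:unused:501:513:U-HOST\Guest,S-1-5-21-11-22-33-501:/home/Guest:/bin/bash',
    'alice:unused:1003:513:U-HOST\alice,S-1-5-21-11-22-33-1003:/home/alice:/bin/bash',
    'sshd:unused:1004:513:sshd privsep,S-1-5-21-11-22-33-1004:/var/empty:/bin/false'
)
$kept = @(Remove-PredictableAccounts -PasswdLines $sample)
$kept                                        # SYSTEM, alice and sshd remain
Get-SshdAllowUsersLine -PasswdLines $kept    # AllowUsers alice

# On the real host, feed mkpasswd directly instead of the sample:
#   $kept = @(Remove-PredictableAccounts -PasswdLines (& "$CygwinRoot\bin\mkpasswd.exe" -cl))
#   Write-CygwinPasswd -PasswdLines $kept
```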
This just reminds me that security is not something everyone thinks about. And too often instructions that get passed around are not the most prudent instructions. That's great that a lot of people who likely shouldn't be allowed to, can now set up SSH servers on Windows and plop them onto the Internet and they work just fine. I guess it just takes a little more knowledge to know about the potential issues and then to solve them. I hear a lot about how security needs to be baked in, and while I agree, I think it will be a long time coming and will always cost either time and effort or money. (The same holds true for physical home security...)
by LonerVamp 01.01.07 at 10:45 PM in /general -
Over time, sometimes I get a few little pet peeves built up and I tend to use my blog here as a way to release those peeves. So today is deemed "rant day" and I'm going to shoot out a few small items that bother me.
community peeves
I understand that we're a worldwide community and as such, English is not everyone's first language. That's cool with me. But I dislike seeing English-speakers just massacre the language. Constant grammatical errors and broken sentences make Jesus want to punch babies.
Reading comprehension. This is a big one. You can almost tell when someone has read the first three lines of a mailing list email and spits out a reply to just those three lines; completely missing the rest of the message. Sometimes they give really good answers...to the wrong questions.
People who argue that there is only one right way to do something (their way). While protocols have not hugely changed and some things are very much the way they were 10 years ago, environments and business uses are vastly different. What works in one environment will maybe not work or be acceptable in another.
Saying there is no silver bullet to security, then pointing out how everything is broken just because it has one problem or two. This creates a nice little unachievable paradox. I see this used a lot by analysts who refuse to be wrong. I think the only acceptable solution to them is if Jesus sends down a sword-bearing angel to protect the data.
workplace peeves
Making work requests without providing the reason, authority, or problem that is being fixed. "I need access to John's files." Please explain the request in context so that we're not just making willy-nilly changes that may or may not fix the problem and may or may not be authorized. I think I see this in the workplace more often than any other pet peeve of mine.
Reading comprehension. My last job was not so bad at this, but my current company is just downright terrible when it comes to email coherency and reading comprehension. I purposely send out emails that are 2-3 sentences long to get right to the point, and people still don't read. Just yesterday I got a request to stand up a new email account. I replied back asking who needs access. The response I got back was, "It doesn't work yet." Jesus is starting to kill kittens now.
I love when users engage multiple people on a problem without telling anyone, i.e. abusing support processes or authority. Sometimes some people ask each IT employee their question until someone gives them the answer they want. Sometimes people escalate everything they don't get their way on, complaining to everyone until it is done. Others with authority sometimes engage 3 people to get their important task done, without realizing those three people may be stepping on each other's toes and wasting 2 of those people's time and possibly breaking other things in the process. If 3 people are going to work on a problem, I'd rather work together and share ideas than each of us secretly working separately.
by LonerVamp 01.03.07 at 9:21 AM in /general - comments(1)
I am embarking on a new project with a good friend of mine. I have taken one of my older laptops and installed an insecure version of Windows XP onto it. The insecurity has a number of different levels, and includes some vulnerable third-party services as well. The goal of this is to give it to him for a week and have him break into it. I've even put some fake services up that give back fake banners and capture whatever he does to those services. Maybe in a few more weeks, he'll set one up for me in similar fashion. If he breaks into the box, he has to show me how he did it. If he doesn't, I'll show him what I had in mind for an attack (i.e. there has to be a known and demonstrable attack vector).
The point of this little game will be not to stump each other by creating hardened systems or to try to find some 0day (we're not that sophisticated by any means!), but rather to just practice what we know, be aware of how security holes are created and where to look for them, and show each other different tools and ways to do things. Maybe after I have done this I'll post more details, but I certainly don't intend to do something profound or amazing with this.
by LonerVamp 01.03.07 at 10:08 AM in /general -
Tracking user access in a corporate network is one of those, "Don't say that very loudly!" topics. No one likes to think about it because everyone knows they suck at it and trying to get it under control is a frustrating exercise. But what if you absolutely have to do this?
If you're like most small- and medium-sized companies, you use some sort of Windows-based file server and manual permissions management with Active Directory user accounts. Nothing could be messier when not managed properly. I've recently had the pleasure (?) of tackling such a project in my company. If you've ever utilized cacls/acls tools to dump permissions lists in folder shares, you know they can fill up all the rows in a .csv file and more, even for a medium-sized file server.
Here is my approach in four major steps: 1) take inventory, 2) file permission organization, 3) account organization, and 4) data ownership. The goal of this project is to be able to answer the following questions: Who can access data X? What does person Y all have access to? What is the process for requesting access to data Z?
1) Take inventory
The first order of business is to measure the pain. Grab a trusty Windows permission enumeration tool and dump the permissions on all your file server shares, including all subdirectories. I recommend limiting yourself to folders and not including files. Windows files are very annoying in their permissions and will inject a lot of weird data into your initial ACL dumps. The best tool I've come across for reporting on permissions is ScriptLogic's Enterprise Security Reporter. This is a commercial tool which does more reports than just permissions, but the ability to report permissions in configurable ways is invaluable. They have a 30-day trial on this product. You can create reports that pull out what a user has access to, as well as who all has access to a particular folder, including pulling users from groups in AD. Check out your file servers and all the folders you expect to have different permissions and see how accurate things are or are not. Take a deep breath, and move on.
2) File permission organization
Next, you have to determine how you will be doing permissions in the future. Here are my recommendations:
- Do not use the DENY right! This rarely shows up in reporting tools and is just frustrating to use.
- Do not use complicated subdirectory permission changes. You want to use permission inheritance as much as possible. The reason for this is accidental changes to permissions that are pushed down to all subfolders and files will overwrite all subdirectory differences. Oops! Eliminate the possibility of this very real mistake by being as flat as possible. Do only one or two levels of permissions differences; I prefer just one level. Our file server for departmental and team folders is I: on the desktops. From there, we do I:\Accounting, I:\Sales, and so on. Each of those folders has its own permission structure, and that's it. No odd I:\Accounting\SuperSecret\ folders with different permissions. If they need that, it can become I:\SuperSecret\ and be on the same level. Anyone who has worked with complicated permissions structures will no doubt be able to tell amazing horror stories.
- Use only those permissions that you need to use. For almost everyone, this can be narrowed down to Modify and Read-Only. Don't get fancy with Change or List or others.
- Use as few explicit permissions on folders as possible.
- Do not use EVERYONE or AUTHENTICATED USERS. Use Domain Users if you absolutely must have a share open to "everyone."
By following these guidelines, you accomplish a few things:
- Reduce the chance of permission inheritance mistakes.
- Improve the ability to pull accurate permissions reports.
- Decrease the amount of time and effort needed to make permissions changes and re-establish permissions (you can just push down permissions from I:\Accounting to all subdirectories and not worry about what you're wiping out).
3) Account organization
While ScriptLogic has a nice tool to pull access reports, it is still yet another program for staffers to learn and, really, you can do much the same thing with some effective use of Active Directory accounts and groups.
For every folder on your file server that needs different permissions, create two groups to hold the users who will use those permissions: Read-Only and Modify. For I:\Accounting, I would make the groups Accounting Folder-Read-Only and Accounting Folder-Modify. Then anyone who needs Modify access to Accounting should be placed into the Accounting Folder-Modify group. Apply both of these groups to the explicit permissions on the folder with their respective permissions. This should mean you will have only a few explicit permissions on each folder: SYSTEM (likely), Administrators (likely), the Modify group, and the Read-Only group. Nice and clean!
One caveat to this approach is in the way Windows handles group tokens. When a user logs into their computer, the logon process builds an access token for that session listing the groups the user is a member of. If the user's group memberships change, that session keeps the stale token and will not see the new membership until the user logs out and logs back in (I typically just tell people to reboot, as they understand that better).
So all permissions changes will now require you to put that user or groups of users into the proper permission group, and then have them reboot. In a way, this is much easier than logging into the file server and updating permissions directly on the folders.
The biggest benefit, however, is in the ability to report on access. If you want to see what John Smith has access to, you just have to see which groups he is a member of. You'll see Accounting Folder-Modify, and it is quite obvious what he has access to. Likewise, if you check the members of the Accounting Folder-Modify group, you will see who all has access to that folder. Quick and simple!
One last note about AD organization: it really helps to have a very up-to-date and group-based AD organization. Every employee in the company should be set to report to someone else in the Organization tab, and they should belong to some sort of role-based group. Accounting employees should be in the Accounting group, and so on. This way you can use groups instead of individual users when placing people into their Modify and Read-Only groups. This is tough, however, if HR is not very clear about the roles people play, or if the department and team names change frequently and without warning.
4) Data ownership
Lastly, if a company is going to take permissions and access seriously, then ongoing support needs to be able to question requests made for those access levels. John Smith shouldn't just be able to request access to the Sales folder to the Help Desk himself. Someone has to authorize this access. Unfortunately, while most would think his manager is an appropriate authority, in reality, his manager typically has no idea what sort of information is in the store and will likely not do anything that prevents his employee from being productive.
A solution to this is similar to the Discretionary Access Control (DAC) method where data owners are assigned to data stores. The Accounting folder would be assigned an owner. This owner is then responsible for authorizing who has access to that folder. As part of that responsibility, that data owner should also know what sort of data they are a custodian of. If there are sensitive documents in the data store that some departments should not be privy to, the data owner should know this.
Accounting or Human Resource file shares are perfect examples of this sensitivity. The Help Desk should not be blindly granting this access just because a user requested it.
Some other tasks:
- regularly report permissions, both in AD groups and in explicit permissions. This will definitely show you how Windows "copy" screws with permissions. Likely, you'll want to regularly "re-push" inheritance down through each folder so that you can refresh the cleanliness of your permissions reports.
- reports should be given to data owners for their review
- make sure all permissions change requests are clear, explicit, and tracked, such as in a help desk ticket system. Don't assume Bob J. means Bob Jones. The requestor should be as explicit as possible so that Bob Johnson doesn't accidentally get access to HR.
There are plenty of other caveats and approaches to doing user access security in a Windows environment, and quite a lot more work than is described here, but this should at least give some good ideas on an approach that I think works pretty darn well.
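The four steps above, as an added example in PowerShell (not the author's own tooling): it creates the per-folder Read-Only and Modify groups, applies the four-entry Allow-only ACL with inheritance, answers the post's two reporting questions from group membership alone, and audits the share for Deny entries, Everyone/Authenticated Users and stray explicit permissions below the first level. The share root, OU, domain name and account names are assumed.

```powershell
Import-Module ActiveDirectory

$ShareRoot = 'D:\Shares'                                     # hypothetical; published as I:
$GroupOU   = 'OU=Folder Permission Groups,DC=corp,DC=example' # hypothetical
$Domain    = 'CORP'                                          # hypothetical

function New-FolderPermissionGroups {
    # Creates "<Folder> Folder-Read-Only" and "<Folder> Folder-Modify" if missing.
    param([Parameter(Mandatory)][string]$FolderName)
    $groups = @{}
    foreach ($level in 'Read-Only', 'Modify') {
        $name = "$FolderName Folder-$level"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -Path $GroupOU -GroupScope DomainLocal `
                -GroupCategory Security -Description "$level on $ShareRoot\$FolderName"
        }
        $groups[$level] = $name
    }
    return $groups
}

function Set-FlatFolderAcl {
    # One level of explicit permissions: SYSTEM, Administrators, Modify group and
    # Read-Only group, all Allow, inherited by everything below the folder.
    param([Parameter(Mandatory)][string]$FolderName, [Parameter(Mandatory)][hashtable]$Groups)
    $path = Join-Path $ShareRoot $FolderName
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)              # stop inheriting from the root
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';             Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';          Rights = 'FullControl' },
        @{ Id = "$Domain\$($Groups['Modify'])";    Rights = 'Modify' },
        @{ Id = "$Domain\$($Groups['Read-Only'])"; Rights = 'ReadAndExecute' }
    )
    foreach ($e in $entries) {
        # Allow only; a Deny entry is exactly what the first guideline says not to use.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-UserFolderAccess {
    # "What does person Y have access to?" The LDAP_MATCHING_RULE_IN_CHAIN filter
    # expands nested role groups (e.g. Accounting inside Accounting Folder-Modify).
    # Assumes the DN has no LDAP filter metacharacters that would need escaping.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object {
        if ($_.Name -match '^(?<folder>.+) Folder-(?<level>Read-Only|Modify)$') {
            [pscustomobject]@{ User = $SamAccountName; Folder = $Matches.folder; Level = $Matches.level }
        }
    }
}

function Get-FolderAccessReport {
    # "Who can access data X?" Membership expanded through nested groups.
    param([Parameter(Mandatory)][string]$FolderName)
    foreach ($level in 'Modify', 'Read-Only') {
        Get-ADGroupMember -Identity "$FolderName Folder-$level" -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Folder = $FolderName; Level = $level; User = $_.SamAccountName } }
    }
}

function Test-FlatPermissions {
    # Flags Deny entries, Everyone / Authenticated Users, and explicit ACEs below
    # the first level (what "copy" and hand edits leave behind). No output is good.
    param([string]$Root = $ShareRoot)
    Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
        $depth = ($_.FullName.Substring($Root.Length).Trim('\') -split '\\').Count
        foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
            $why = $null
            if ($ace.AccessControlType -eq 'Deny')                         { $why = 'DENY entry' }
            elseif ($ace.IdentityReference -match 'Everyone|Authenticated') { $why = 'open to everyone' }
            elseif ($depth -gt 1 -and -not $ace.IsInherited)                { $why = 'explicit ACE below first level' }
            if ($why) { [pscustomobject]@{ Path = $_.FullName; Identity = $ace.IdentityReference; Problem = $why } }
        }
    }
}

# Usage, following the post's I:\Accounting example ('jsmith' is a made-up account)
$g = New-FolderPermissionGroups -FolderName 'Accounting'
Set-FlatFolderAcl -FolderName 'Accounting' -Groups $g
Get-FolderAccessReport -FolderName 'Accounting' | Format-Table
Get-UserFolderAccess -SamAccountName 'jsmith' | Format-Table
Test-FlatPermissions | Format-Table
```

Re-running Set-FlatFolderAcl on a folder is the "re-push inheritance" step from the task list, since it rewrites the explicit entries and lets them flow down again.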
by LonerVamp 01.03.07 at 1:57 PM in /general -
I can't believe what I'm reading as I catch up on news from the long weekend. There's a lot of things suddenly being found that I need to look at and/or evaluate. I would have better links, but I can't browse some sites without being flagged while at work.
VLC Media Player has a bug in even the Windows version. So much for trying to hide from Windows Media Player.
WinZip (not that I necessarily use it, I think I still just use an old cracked version 8 or 9 copy and have been looking at open source alternatives lately) has a bug in it that now has exploit code released.
XSS Vulnerability leads to G-Mail contact list disclosure. Guess it is time to add to the list of things people should do to stay safe: always log out of web sites when you are done using them for your session. This is becoming more and more necessary.
Daylight Savings Time is changing (whoa, boy, a silent and likely more potent "y2k" issue?).
Symantec still has lots of vulnerable installations out there, and they are growing, which is a bit disconcerting.
Update: I forgot about Adobe!
by LonerVamp 01.03.07 at 4:32 PM in /general -
Just posting this here for my own benefit. Off and on since about 12/12/06 I have been seeing SYN floods (nothing huge, just a trickle) coming into my web servers on port 80 tcp and apparently coming from systems at softkit.ro and evolvatelecom.net (both European). I've not thought much of them as they are not huge and I've had other things I've been busy on, but this afternoon I did a check. I found this on the mynightwatchman.com site:
We are aware of this problem, but it is not originating from our network. As of last month we are the target of a DRDOS attack coming from the internet. From what we’ve gathered the attacker is sending source-IP spoofed SYN packets to a very large number of web servers (including yours - directed at port 80 only), the result being those servers flooding us with SYN+ACK packets afterwards.
We’d love any help from you on this matter, given that you have extensive logs on your affected servers.
Something of interest would be that we are not receiving any RST packets, so this led us to believe the attacker is probing the ports on the machines he's using subsequently and not sending the packets blindly at random IPs.
As you can imagine, this is very disturbing for us too, but we have found absolutely no way and no support in catching this attacker. We would appreciate any support...
That pretty much sucks.
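A check for the reflection pattern the note describes, as an added example (not from the original post): it counts half-open port-80 connections per remote address, which on a reflector are the spoofed SYNs whose "source" is the real victim and which never complete a handshake. The connection objects are constructed; the live call uses Get-NetTCPConnection on Windows 8 / Server 2012 or later.

```powershell
function Find-SynReflectionSources {
    # $Connections: objects with RemoteAddress, LocalPort and State, shaped like
    # Get-NetTCPConnection output. Returns one record per remote address whose
    # half-open count reaches the threshold, with its completed-handshake count
    # for contrast: a spoofed source never completes one.
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [int]$LocalPort = 80,
        [int]$Threshold = 20
    )
    $Connections |
        Where-Object { $_.LocalPort -eq $LocalPort } |
        Group-Object -Property RemoteAddress |
        ForEach-Object {
            $halfOpen    = @($_.Group | Where-Object State -eq 'SynReceived').Count
            $established = @($_.Group | Where-Object State -eq 'Established').Count
            if ($halfOpen -ge $Threshold) {
                [pscustomobject]@{
                    RemoteAddress = $_.Name
                    HalfOpen      = $halfOpen
                    Established   = $established
                    # No completed handshake at all: the address is the spoofed
                    # source, i.e. the party being flooded with our SYN+ACKs.
                    LikelyVictim  = ($established -eq 0)
                }
            }
        }
}

# Constructed sample using RFC 5737 documentation addresses, not real hosts:
# 203.0.113.7 never completes a handshake, 198.51.100.9 is ordinary traffic.
$sample = 1..25 | ForEach-Object {
    [pscustomobject]@{ RemoteAddress = '203.0.113.7'; LocalPort = 80; State = 'SynReceived' }
}
$sample += 1..3 | ForEach-Object {
    [pscustomobject]@{ RemoteAddress = '198.51.100.9'; LocalPort = 80; State = 'Established' }
}
$sample += [pscustomobject]@{ RemoteAddress = '198.51.100.9'; LocalPort = 80; State = 'SynReceived' }

Find-SynReflectionSources -Connections $sample | Format-Table
# Live check (Windows 8 / Server 2012 or later):
#   Find-SynReflectionSources -Connections (Get-NetTCPConnection -State SynReceived, Established)
```

The addresses it lists are the ones to rate-limit and contact, as softkit asked, not to treat as the attacker; the real origin is hidden behind the spoofed header.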
by LonerVamp 01.04.07 at 4:23 PM in /general -
First of all, I have a new link in the dashboards section. I like dashboards. Management goes gaa-gaa over dashboards. That makes me like dashboards even more! I've never linked to it (amazingly) on the menu, but I just added one for the F-Secure Worldmap which is kinda cool.
Now, that dashboard is pretty pastel-laden. However, check out the wallpaper pics of what the F-Secure internal, realtime dashboard looks like. Pardon me, but that's fuckin' awesome!
by LonerVamp 01.05.07 at 8:54 AM in /general -
I have to continue poking away at and cleaning up links on this site and in my RSS reader that are not really worth my time.
I really hate to do this, but I have to stick with my gut. I like Bruce Schneier and his work. I think the world right now needs him; absolutely needs him. He is a necessary pundit. Ptacek put it well in predicting for 2007, "Schneier will not publish a single technical result this year, but I will read his blog anyways."
I like his comments and his writing, and, as I said, the world needs him. But he basically keeps linking and saying the same things over and over. Yes, I know security is warped when it comes to the public and TSA. Yes, I know your commenters also have good responses and ideas. But I don't need to read that every day or even every week. I really do get too much Schneier. I'm sure when he publishes very interesting things, I'll hear about them from other places. (I also prefer his writing as opposed to short little posts that are just links elsewhere.)
I'm also currently evaluating the need for x number of IT/security analyst blogs. Quite honestly, analysts are quite a unique subsection of security bloggers:
- They tend to talk a lot and likely do very little. It is easy to make lists of best practices and give sage advice, but actually getting their practical advice into the reality of a business is a wholly different story.
- They tend to be right. All the time. If they speak it, you should believe it.
- They don't typically reply on other people's blogs. Instead, they reply on their own blogs to drive traffic back and forth between them.
- They are definitely a clique, where they all know each other, they all act like they're friends, and they typically don't listen to many people outside of that clique.
- Far too often they speak the obvious, make predictions that mean nothing right now, or repeat what others say (often within the clique).
- Have I mentioned that they rarely actually *do* things?
Yeah, I'm being pretty harsh and maybe a little bitter, but for me it all gets back to how I want to spend my time with blogs and research. Do I want to see the "Analyst Clique" repeat itself and argue with itself and pat itself constantly on the back in 5 places each day? Not really. I'm sure if I eliminated x-2 of the "Analyst Clique" blogs from my list, I'd still get all the important info linked back from those 2 I leave up, plus their commentary. Hopefully I can go through and remove some links this weekend. The hard part will be choosing one or two, because, despite my bitterness above, they all seem to write well, think well, and have some thought-provoking words here and there.
by LonerVamp 01.05.07 at 9:00 AM in /terminal23 -
"If you can make it clear what is to be rewarded and what punished, make your directives reliable, keep your machines in good repair, train and exercise your officers and troops, and let their strengths be known so as to overcome the opponent psychologically, this is considered very good." -The Art of War, Chapter 3: Planning the Attack
The Muse (yeah, I'm stealing a concept from my days of writing...maybe I should call this my Geek Muse?) visits at some odd times. I saw a post on Security Renaissance about a new method of staying ahead of phishers as posted on the F-Secure blog. For some reason before I even clicked on the link, I quickly thought about a device in front of the spam filters that scans every email for links and compiles them all into a greylist. That way when corporate users receive an email, any links in that email will already be either blocked or placed into a higher level of alert, perhaps on a web proxy.
For about 2 minutes I thought that was a cool idea, but then I did think about how many legitimate email links would get flagged. So maybe that is not so much a cool idea for a corporate network, but for a company whose lifeblood is email or email/spam/virus protection, a realtime catcher like that along with human bodies evaluating the trends and list of sites would be valuable. You can't always wait for the spikes in traffic or the reports from users AFTER they have received all the phishing emails and gone to those sites and turned their computer into a bomb. Either way, this is still reaction, just higher upstream than most people tend to react, and not technically prevention.
Chances are, the big boys in this field already do this, but thinking about such things makes my brain smile.
by LonerVamp 01.05.07 at 9:27 AM in /general -
IE has been beaten up over the years, and now that Firefox has gained ground, it also is under fire. While Office was beaten up last year, now perhaps OpenOffice will be subjected to the keen eyes of the hacking underground. This post by Brian Krebs is timely, but I particularly love the first couple comments; the first about OpenOffice, and the second about a just-today-released patch for an issue in OpenOffice.
As applications keep getting attacked, especially Office and web browsers, more and more people are scattering over to lesser-known and oft-times free software to accomplish their tasks, myself included. But just because it has not been hit yet, does not make it secure. It might be a little bit safer to use as the odds of an attack are lower, but obscurity alone does not necessarily provide security.
by LonerVamp 01.05.07 at 10:21 AM in /general -
Andy, ITGuy pointed out a Computerworld article, 10 things to do to be more secure when using public wireless hotspots. Nice article.
The good tips that will slowly disappear as Windows fixes its wireless management:
- disable ad hoc mode
- turn off network discovery
The just plain good tips:
- turn off file sharing
- disable your wireless adapter when not in use
- turn on your firewall
- watch out for shoulder-surfers
Then Preston has a few more interesting suggestions. He suggests to encrypt your e-mail, but sadly gives no more information about how to accomplish this. For most consumers, they will stop there, give an annoyed huff, and skip that step. Encrypting one's email is not as easy for many users as it could be, and is completely email provider-specific. It might be as easy as changing a couple connection settings in the client, or as complicated as figuring out PGP or some other service that claims secure email (by simply never transmitting it off their webmail servers and forcing your recipients to make accounts to retrieve the mail...bleh!). Some users will just be out of luck when it comes to secure mail transmission and won't have corporate recourse for checking mail beyond port 110 and cleartext messages. In those cases, just don't do it.
Carry an encrypted USB drive. I'm not sure if this is worthy of a bullet point, but if someone will be going through the trouble of using an encrypted USB drive for data, why not encrypt the whole laptop disk? Besides, if an attacker takes over the system, they should be savvy enough to impersonate an admin or the user and access most encryption. It makes some sense, but I think it is more effort than is necessary. I dislike having to track multiple "portable" devices, especially ones that can be lost as easily as a USB drive. To me, data encryption on the disk is a "data at rest" issue, not a wireless security issue.
Protect yourself with a virtual private network. I'm not sure I would suggest people use a third-party VPN service. Home consumers on their own equipment, sure, but not corporate users who think it would be safe to transmit possibly-sensitive information through a third-party who may or may not be credible. Too many people think that just because they pay money for it, it must be on the up-and-up. Instead, corporate users should look into what their corporate support is for VPN use. Home users can go the *very* technical route of hosting their own VPN/proxy system, or utilize the pay-for service if they want. I think if email is encrypted, web site logins are protected via SSL, and cleartext IM service not used, most users will be fine without a VPN.
Beware phony hotspots. First, I hate the term "evil twins." We've had a better term for this for years now: "rogue AP." While there is not much most users can do to protect against the rogue AP problems, I do like his two suggestions. Ask the staff if they have a hotspot and what the name is. And if you see two of the same name, don't connect to either one. Any further security against a rogue AP is either overkill for most users, or is really the responsibility of the hotspot establishment.
by LonerVamp 01.05.07 at 10:37 AM in /general -
I've decided that as I move forward with my site here and my posts, I'm not necessarily going to be completely PC and try to be pleasing to people. I want to take a stance and not feel like I have to assuage anyone else, especially with my own feelings and site. :)
So, where do I stand with full disclosure? First, I think we need to buck up, let people do their thing, stop quibbling about how to properly disclose, and just move forward with our goal: security. We don't sit here whining about how we can't control the environment and then let security slide until we can control the environment. It is unknown, ephemeral, ever-changing. Whether someone practices full-disclosure or protected disclosure, I don't much care: I still have to practice security and I need to be able to roll with the punches and what the environment hands me.
There are two caveats to this debate, which few people seem to address when passionately debating this topic. First, there is the entire full disclosure concept and whether we should practice it. Second, there is the question on whether security professionals should practice full disclosure or more "responsible" disclosure.
Whether an attack vector, vulnerability, or known proof-of-concept exploit is available or not, I would rather know about these items as opposed to not know about them and hope that an attacker doesn't secretly use them against me. If someone has found a hole and will report it to the vendor reasonably, it should be a security researcher's position to assume two other people in the world know about the issue as well. And are actively exploiting it or soon going to. Or maybe have been previously. We cannot squelch communication amongst ourselves and expect to keep up with attackers. I am in favor of full disclosure.
On the second part about security professionals, I have less opinion and think it is a case-by-case issue.
In the end, like nature, what doesn't kill us only makes us stronger and more resilient.
Update: I just wanted to add to this that I really don't necessarily trust vendors. Vendors are economic entities, and most of the time the media and researchers end up interfacing with the ineffectual and smoke-screening PR and Marketing sides. I don't trust that, and if I were to weigh my trust of vendors against my desire to know about the problems, the vendors do not typically win. This would change if vendors not only fessed up to holes they patch, but would also be liable for any damages incurred through direct use of those holes. Of course, then I see vendors getting slimier and doing the whole lawyer dance jig... In the end, vendors need to also get off the soapbox about responsible disclosure and just be up front and honest with the community and the world. Painting a picture of rosy security happiness where even puppies and rainbows can use their software without a care in the world is a dying approach. Security is merging with business in the back office, but what about the front office?
by LonerVamp 01.05.07 at 1:02 PM in /general -
"The condition of a military force is that its essential factor is speed, taking advantage of others' failure to catch up, going by routes they do not expect, attacking where they are not on guard." -The Art of War, Chapter 11: The Nine Kinds of Terrain
Sorry Dan, but I already played that game once. :) However, I will just add two more things. First, I used to have eyesight bad enough that it was measured in feet. My parents gave me lasik surgery as a Christmas gift a few years ago, and now I don't need glasses. Second, I spent my first 2.5 years in college in the Environmental Science program taking chemistry, biology, calculus, genetics, physics classes.
This week will be my first week "on call" at my latest job. I've avoided the task for about 8 months now, but this week the pressure is on! One of the unfortunate aspects of this job is the apparent attitude of the rest of the team that I should have been born with all the knowledge needed to do this job. I find little as frustrating as being thrust into an important role where you either attempt to do things yourself at the risk of possibly affecting critical systems or wait for some decent training. While I don't mind self-starting, I do mind when there are innumerable ways to build a server (anywhere from just setting it up and patching it to full NIST guidelines), but somehow I need to know the way they do it in-house from a cryptic checklist that makes sense only to people who have been through it multiple times. This has been my biggest frustration at this job, and one of four distinct reasons I won't be staying much longer. This morning I am figuring out how to put myself on call and get the necessary alerts on my phone.
I added a bunch of links to this page. While I still want to lower the number of total links, at least now my Google Reader list matches up with the links on this page. Not every site has support for an RSS reader, but at least now when I find something not updated in Google Reader or not really worth my time, I can remove it cleanly in both places and help manage my information uptake.
by LonerVamp 01.08.07 at 9:05 AM in /terminal23 -
One of my favorite questions to ask pen-testers or other security assessors is how often they are successful and what techniques are the most successful. I imagine social engineering and physical attacks have a very high rate of success; in fact, I wouldn't bat an eyelash if pen-testers claim those are 100% successful when attempted. I'm sure there are many other ways they can own a network, but when they run into a tough cookie to break, I wouldn't be surprised if those methods combined with some wire sniffing yields positive results almost all the time. This article I read this morning caught my imagination:
Core Security Technologies has never failed in its spear phishing tests against large organizations, Caceres said, an indication of the task DOD faces as it attempts to battle its latest network threat. The human factor, which requires e-mail users to carefully examine their messages, plays a critical role in defeating spear phishing, Caceres said.
I think this is why discussion on user education is still rather mixed. Most everywhere I read that user education is necessary as we build security awareness and programs in organizations, with this as proof that we need more education. Others will claim that user education is not going to solve this, and we should focus more on technology and other aspects. They will also cite these results by saying that getting intelligent users who consistently make the correct decisions is a losing battle.
At any rate, I love hearing about success rates and common means of access into networks. Jeremiah Grossman has been doing a related survey for web application specialists for a few months now, and it has been quite readily and hungrily accepted.
I wonder if there are similar surveys or data for pen-testers?
Update: Of interest, Dana Epp pointed me over to a presentation on combating social engineering.
by LonerVamp 01.08.07 at 10:57 AM in /general -
I am looking to get my Security+ certification this month. Is this cert below me? Yes, no doubt. Is it nonetheless good for my resume? Yes, again no doubt. And at a one-time cost of about $200, CompTIA certs are a real no-brainer, and if I ever get beyond them on the resume, I can just leave them out.
For the past couple weeks over lunch I've been slowly paging through the latest edition of Exam Cram's Security+ Practice Questions. I'd buy the book, but I don't think I need to. I just do a few dozen questions every day. I'm glad I did it this way too, because some of the questions are poorly worded and even more poorly laid out. As an example, in the section Retention Policy, the answer to the single question in the section is, yup, Retention Policy. Great, I learned a lot there! There are frequent blatant mistakes as well, despite this being at least the 2nd edition of the book. The one I was using was a 2006 release.
In the end, though, I did learn enough. I learned that I need to definitely review the Cryptography domain of the material. I probably could have said I was weak in that section before paging through this book, but at least now I know I know the other sections pretty well. Hopefully by the end of this month, I will have at least taken the Security+ exam once (yeah, I know, I'll likely pass but I don't typically get my hopes up on tests, despite a very good track record with them from school/college).
The hidden benefit to this cert is it is, in my mind, a direct precursor to the CISSP which I also qualify for and should be getting sooner than later. Likewise, my weakest area in the 10 domains would be Cryptography.
by LonerVamp 01.08.07 at 2:07 PM in /terminal23 - comments(2)
Not a huge deal, but it looks like one of those nicer sites that I don't see many people talk about has had a facelift. Whitedust doesn't display correctly for me at work on IE7, but it does look like they have ramped up their news coverage and now report quite a wide array of things in the RSS feed. Their news reminds me a lot of Rootsecure: some news, some articles, some podcasts, and so on. There has always been some good stuff there despite them being a relative newcomer to the scene and UK-based.
by LonerVamp 01.08.07 at 3:49 PM in /general -
Ordinary people see the means of victory but do not know the forms by which to ensure victory. -The Art of War Chapter 4: Formation
Am digging into my inner wireless geek this month as well. This means buying a little bit more hardware. Most of this stuff is best available on eBay and I plan to get my hands on some of these things soon.
Orinoco Classic Gold wireless PCMCIA card x2
Sharp Zaurus SL-6000
AmbiCom compact flash wireless card (or similar)
The Sharp Zaurus runs on Linux and has internal wireless. This means I can run Kismet on it. I already have an older Dell Axim X5 that I picked up at my old job and totally forgot I still had (and if I want another one for some reason, they seem dirt cheap on eBay). It has no internal wireless and runs Windows PocketPC, but I can put the compact flash wireless in this guy and get it to run. It also gives me the ability to run Ministumbler if I wanted to. I'd rather use Kismet and the Zaurus, but I got lucky in already possessing a little-used Axim.
Now, why would I want both Kismet and MiniStumbler? First, some people simply respond better or worse to Linux or Windows. If I don't want to show someone how to do wireless tricks, I'll glaze their eyes over with Linux. If I'm looking to impress a gir...err...a manager with pretty colors and graphs so they spend money on or for me, I may get better results on Windows and MiniStumbler. Second, MiniStumbler is an active recon tool, so it will only see networks that have the SSID broadcast. Kismet is passive. While it will see non-broadcast SSID networks, I'm not yet sure how it sees them if there is no traffic on them.
Now I just need to pick out a GPS unit (I don't want to spend much, I'm not an extreme outdoorsman who needs something amazing) and possibly decide if I want to explore an external antenna or hold off on that. All told, I don't expect to spend more than $60 on the wireless cards and maybe $200 on the Zaurus.
Also just saw this 2-part article on SecurityFocus about wireless forensics.
by LonerVamp 01.09.07 at 8:16 AM in /general -
It is interesting to hear us be adamant about perfection in security, whether it be perfect devices, perfect approaches, or perfect coding. Really, digital integrity pales compared to personal safety. Do we expect perfection in being safe when on the road? Do we demand that cars be built to absolutely withstand the stupidity of drivers? Do we move to diminish the role of the user when driving? Do we do much beyond laws, liability, some technological improvements, and a common understanding that green is go, red is stop, yellow is speed up and pretend not to notice anyone else, and lines are guidelines on traffic flow except in parking lots where they are so much street graffiti? Ever try to play traffic cop in your car, where the guy behind you wants to speed and basically blows out his O-ring having a conniption fit behind you while you drive the limit (yeah, me too, it's fun because I can be a dick now and then).
It is interesting that we accept a certain level of reasonableness when it comes to our safety in life, but become hardasses when talking about digital security.
Have we achieved perfection in physical security, whether it be at home or in the workplace? It might sound like I am being defeatist. On the contrary, I say this all very enthusiastically.
Update: I am going to amend, but not remove my original post above. Yes, there are differences in my choice of analogy and the security world. In too many cases, we don't end up living with our bad choices on the road, but in digital insecurity, we end up living with them. Ask any identity theft victim how hellish their life has been since. Likewise, I accidentally dismissed one thing I thump a lot when it comes to the digital life: efficiency. If a traffic accident were like a digital security incident, then one accident might end up affecting every single car built in 2003 in the state that is currently on the road, and when others currently at rest get started up in the morning, they immediately suffer the same result. One obscure issue in MySpace that only 50 people even understand could result in a worm that affects many thousands of people.
by LonerVamp 01.09.07 at 12:49 PM in /general -
It amazes me how slowly wireless has been tackled, especially as everyone has completely jumped on Office products and browsers with all sorts of problems. Perhaps this year will usher in some more changes?
By way of Whitedust, I was pointed over to a pair of NetworkWorld articles. The first deals with new laws and guidelines about business-run wireless networks, both public and those intended to be private. In addition, it tackles vendors who should not default insecure or at least should give users some guidance on securing those devices. These are seemingly easy and no-brainer topics, but yet implementation is such that I am astounded about the lack of attention wireless technologies receive. Heck, even insecure cell phones get more press compared to the data networks! The second talks a little bit about 802.1X (in that sort-of-technical-but-not-really-technical way that NetworkWorld writes).
More laws make me happy when it comes to securing wireless and our digital world. But more laws also make me say, "D'oh!" a few more times, since I am one of those people who likes to drive around and see what open wireless networks there are, and hopping on one when I have a need (when traveling or at a friend's place, for instance, and just hopping on an open neighbor network).
by LonerVamp 01.09.07 at 3:34 PM in /general -
I recently used a Christmas gift card to get a device that I've wanted even when they were twice the price I got it for: the Harman Kardon Drive+Play at $99 in Best Buy. This little guy allows me to plug in my iPod in the car and listen to it on my stereo system. Since my Infinity factory system does not support playing of mp3s off a data disc nor does it have any audio input options (either on the faceplate or even in the back), I can't use the Drive+Play's audio input, but I can quite happily use the FM tuner to get usually decent quality music. It is quite a lot better than no iPod or having to burn limited-length music CDs. So now I have two dashboard gadgets, my RoadyXT XMRadio unit being the other.
What does this have to do with my blog? Well, while scrolling through my playlists on my ill-organized iPod (thanks to Linux and my collection growing well beyond the 20GB limits of my iPod) I saw a Podcast playlist but no Podcasts. While my work commute during the day is only about 10 minutes max, I still see the benefit to rekindling my habit of listening to more podcasts since I do like driving. So I'm going to see if I can get back on the wagon on a few choice podcasts and listen up more often.
As always, I'm also cleaning up some more external links from the menu and putting them here into a post so that I can reference them later if I ever need to. Someday I need to evaluate whether I want all those "resources" to remain here or be moved to the wiki.
Don Parker writes for WindowSecurity.com. While this sounds promising, the articles and writing seem more geared to a nearly complete newbie, with almost no in-depth analysis or contribution beyond the surface. OntheFirewall doesn't really get updated much. I'm not sure who Sid Stamm is, so I likewise don't know why I should keep him. And I'm also removing Mr. Belva at bloginfosec, even though I look forward to seeing how virtual trust moves forward. It's just beyond me right now since I am neither an analyst nor any sort of manager.
by LonerVamp 01.10.07 at 1:33 PM in /terminal23 -
Just what I need, another feed/link/dashboard! But I will say I kinda like what Security Database has put up. I especially like the security tools alerts which are RSS-able.
by LonerVamp 01.10.07 at 2:51 PM in /general -
Ever since Joat made mention of purchasing one, I've been eyeing the Wi-Spy and have it marked up on my "to buy" list for the future. Today, though, I see Joat received an email informing him that the price was going to go up in February. In fact, it is doubling. This little tool is far too cool to let pass away at a higher price. As far as I know, anything comparable is many hundreds of dollars more expensive, so I might move this up my list and get it in the next week or so. It can be bought off ThinkGeek as well as the manufacturer's site.
by LonerVamp 01.11.07 at 10:21 AM in /general -
I've worked with SSL extensively, as has any sysadmin that knows what a web server and SSL certs are. But what about the real dirty guts of SSL? Sometimes, topics like this are difficult to grasp, but I found something that made enough sense to me that I re-wrote the process of an SSL session negotiation on a piece of scratch paper just to visualize it. Palisade has a question and answer about SSL which is written in very plain English for an intermediate to understand, and it actually makes complete sense to me! Other quiz questions are also available, although some are a little less interesting to me. Reading about HTTP cache smuggling is interesting (and makes sense, since you can hijack HTTP connections anyway, which can be fun on wireless with airpwn). .NET best practices are not quite as interesting to me right now.
by LonerVamp 01.11.07 at 4:41 PM in /general -
I'm still settling into what I want this blog to be, so please bear with me. I'm also ramping up my studying for the CCNA which I need to make sure I take sooner than later and get it done with, plus all my other smaller projects at home. This weekend we are scheduled to get lots of freezing rain and about 3-7 inches of snow Sunday. Unlike other parts of the country, though, we're used to it and life moves on just fine and the Internets don't disappear with the power when some flakes drop!
Turns out Andy ITGuy also has the same Art of War desk calendar that I have and posted some feedback on this entry yesterday:
"Generals in the field must already be acquainted with all the sciences of warfare before they can command their own soldiers and assess battle formations." Chapter 3: Planning the Attack
It took me an extra day to revisit this topic, but I think this is a difficult place in security management and IT management. It is difficult to know so much about the sciences of our warfare. It seems difficult enough to even brush against all the various topics that need to be dealt with. I've worked for managers that couldn't do my job for the life of them, and they never commanded the trust or respect of the teams they managed. I've also worked for managers who could do my job, and they were much more effective in all aspects. But there is still so much to be informed about these days.
by LonerVamp 01.12.07 at 8:25 AM in /general -
From Whitedust, I was pointed to this interesting article about employees who have left Google. I am inspired by hearing that a number of these people were far older than I am now when they started at Google. Sometimes one gets bogged down with that thought that only happenin' things occur to the brightest students fresh out of college doing amazing things. That's the flashy story you always hear. That if you don't jump up high enough out the doors onto the rungs of the career ladder, you'll burn out before getting up higher where you want to be. Really, that's not true, and that's something to continue to look forward to through my entire career and life, to be honest.
by LonerVamp 01.12.07 at 11:12 AM in /general -
I'll put up a better link later when I find one, but a recent presentation and paper (I printed them out yesterday but have not read them yet) on a Snort algorithmic vulnerability has been talked about and patched. The vuln would cause Snort to spike the CPU to 100% and eventually crash. Why is this useful? This is a lot like someone cutting off the alarm systems before robbing a bank. You can even do this externally if a company has Snort running outside the firewall (not uncommon in order to determine differences across the perimeter defenses) and that same server is running the inside Snort instance. Since this is an easy but technical exploit, I suspect this will be packaged eventually into attack toolkits rather quietly. I would suspect old Snort instances may stay in production for years in some cases.
by LonerVamp 01.12.07 at 11:27 AM in /general -
I didn't get but three paragraphs into Bruce Schneier's latest wired.com article about secure passwords, and I came across, "Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password."
How often do botnet herders need to break into a system by gaining access to the password? And once they get in, how often do they actually ever care about the password? Not often, I suspect. Why care about the password if the user runs your program as their already-auth'ed credential? Why worry about laptop encryption when the user is already logged on? How often have I seen someone walk away from their laptop at Panera or Starbucks and not lock it? Point taken, though, that passwords, while targeted and popular, are maybe not the weakest link any more, just like network-borne attacks are quiet compared to fashionable web app attacks lately.
by LonerVamp 01.12.07 at 1:33 PM in /general -
I liked this article on the NYTimes site about email uses and abuses. How do you stop people from forwarding work email to a place they shouldn't, such as web-based mail services?
Well, the answer is that you can't, and you really don't need to bother trying to do so. Where I work we block port 25 outbound except when from certain servers which have strict relaying settings. We also utilize SurfControl which cuts into web-based email services such as Gmail, Yahoo, Hotmail, Hushmail, etc. The problem is that I can still just find a service so obscure that the filters don't catch it...such as my own mail server. Or I can just tunnel over something else and get there. But you still really can't stop me from e-mailing a Gmail account any more than any other account unless a company has really no business communicating with the world outside its own walls.
So what do you do? In something like this, it helps to realize and accept that prevention is impossible. In that case, how do you mitigate, minimize, log, audit, and CYA without being a barrier to the company's purpose?
1) Evaluate why your users would want to send email to their home-based email accounts, particularly webmail. Most users are not malicious and are only trying to get work done in the easiest way they know how. Maybe they want to work from home. In that case, provide web-based access or, better yet, a full-featured way to connect to their work account from home without all the additional hoops of a VPN and such. People using Exchange have little excuse to not be using OWA and a nicely-featured web front end. Ask why the users are doing these things, and then provide them such easy and logical solutions so they don't try to circumvent the process.
2) Obviously, log outgoing mail. If someone does keep trying to email out sensitive information, logs are necessary to track it. There should be one or two levels of logging. First, log all mail headers incoming and outgoing so that you can track activity. Second, such as in the article's hospital example, filter and log data in mail that is leaving the network, for instance medical records and other personal information. Obviously the second level of logging is more intensive, and shouldn't be bothered with unless the company has particular need.
3) Retain the ability to monitor employee email usage down to even reading their email. While this ability shouldn't be exercised all that often (how many employees are happy about others reading their email, honestly? and how many unhappy employees are the productive employees?), the policy should keep this option open in the event of suspicion about a truly malicious user. Authorization should be limited to HR, a direct manager or two, or approved technical staff, with no party acting alone. This is easier in some organizations and more difficult in others that have different work/life balance expectations in employees. The more an organization is sympathetic to the converging role of technology at work in personal life (kinda like personal phone calls to the doctor), the less hands-on the policy should be. Some companies will actually need to have staff regularly reading actual emails for regulatory compliance, and that's fine, too, when needed.
4) Block outgoing 25 and incoming 110 (and other common ports, like Gmail's ports) to only authorized servers. This won't stop people from web-based email or completely non-standard setups (I can tunnel it on any port I want, really), but at least a huge swath of people will be prevented from storing and sending email from their workstation mail client. Besides saving storage space and resources, no one needs to accidentally send out an email to a client from their PajamaMonkey69 email account at Yahoo. Also keep tight control on mail relay settings for those approved mail servers. Attempts should be logged and investigated, especially when originating internally.
5) Software policy should drastically limit user email clients to one (maybe two) approved email client applications. Make things as standard as possible. Manage that app properly.
6) Education. Education is not a panacea, but at least educate and teach employees how to use the tools given to them, and why circumventing them can put the company, themselves, and their clients at risk needlessly. This also should help draw out difficulties they may have with the tools and maybe expose why they circumvent policies in the first place.
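Steps 2 and 4 above both boil down to "log it and look at it". Here is an added example (mine, not something from the post) that audits two constructed log formats: firewall lines for internal hosts other than the approved relay reaching for mail ports, and mail-header lines for recipients at consumer webmail domains. The relay address, the 10.0.0.0/8 internal range, the webmail domain list and the log layouts are all assumptions; real firewall and MTA logs will need their own parsers.

```python
"""Audit outbound mail activity against an approved-relay policy.

Added example, not the blog's own code. Assumed (constructed) log layouts:
  firewall line:    '<time> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'
  mail-header line: '<time> from=<addr> to=<addr>'
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed policy values: only this host may talk to mail ports outside.
APPROVED_RELAYS = {ipaddress.ip_address("10.0.0.25")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Ports a workstation mail client would use; 465/587/995 cover Gmail-style setups.
MAIL_PORTS = {25: "smtp", 110: "pop3", 465: "smtps", 587: "submission", 995: "pop3s"}
# Consumer webmail domains the policy singles out (assumed list).
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "hushmail.com"}


def parse_fw_line(line):
    """Return (src, dst, port, action) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4].upper())
    except ValueError:
        return None


def audit_firewall(lines):
    """Flag internal non-relay hosts that reach for mail ports on the outside.

    Returns a list of (src_ip, service, verdict). A DENY is a policy hit worth
    a look; an ALLOW from a non-relay means the egress rule itself has a gap.
    """
    findings = []
    for line in lines:
        rec = parse_fw_line(line)
        if rec is None:
            continue                      # unparseable: skip, never guess
        src, dst, port, action = rec
        if port not in MAIL_PORTS or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue                      # not outbound mail traffic
        if src in APPROVED_RELAYS:
            continue                      # the relay is supposed to do this
        verdict = "rule-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((str(src), MAIL_PORTS[port], verdict))
    return findings


def repeat_offenders(findings, threshold=2):
    """Hosts with at least `threshold` findings: investigate these first."""
    counts = Counter(src for src, _, _ in findings)
    return {src: n for src, n in counts.items() if n >= threshold}


def audit_headers(lines):
    """From header logs, map each sender to the webmail domains they mailed."""
    hits = defaultdict(set)
    for line in lines:
        fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        sender, rcpt = fields.get("from", ""), fields.get("to", "")
        domain = rcpt.rpartition("@")[2].lower()
        if domain in WEBMAIL_DOMAINS:
            hits[sender].add(domain)
    return {s: sorted(d) for s, d in hits.items()}


# Constructed sample logs (TEST-NET addresses, not real hosts).
FW_LOG = [
    "2007-01-12T14:01:03 10.0.0.25 203.0.113.8 25 ALLOW",    # approved relay
    "2007-01-12T14:02:11 10.1.4.77 198.51.100.20 25 DENY",   # workstation, blocked
    "2007-01-12T14:02:12 10.1.4.77 198.51.100.20 995 DENY",  # same box, POP3S
    "2007-01-12T14:03:40 10.1.9.12 198.51.100.9 80 ALLOW",   # web browsing, ignored
    "2007-01-12T14:04:15 10.1.9.12 10.0.0.25 25 ALLOW",      # internal relay use, fine
    "2007-01-12T14:06:00 10.2.0.9 203.0.113.8 25 ALLOW",     # non-relay got out: gap
    "garbage line",
]
HEADER_LOG = [
    "2007-01-12T14:10:00 from=jdoe@example.org to=pajamamonkey69@yahoo.com",
    "2007-01-12T14:11:00 from=jdoe@example.org to=partner@example.net",
    "2007-01-12T14:12:00 from=asmith@example.org to=ASmith@Gmail.com",
]

if __name__ == "__main__":
    found = audit_firewall(FW_LOG)
    for src, service, verdict in found:
        print(f"{src:<12} {service:<10} {verdict}")
    print("repeat offenders:", repeat_offenders(found))
    print("webmail recipients:", audit_headers(HEADER_LOG))
```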
by LonerVamp 01.12.07 at 3:58 PM in /general -
"A military body goes through myriad transformations, in which everything is blended. Nothing is not orthodox, nothing is not unorthodox." -The Art of War, Chapter 2: On Waging Battle
It has been years since I've been on IRC regularly. I think I first got on IRC back in 1995ish when I moved from AOL over to a real ISP and thus needed to find a new place to chat. While I didn't really chat about anything technical, I stayed a near-regular in IRC until after college when around 2002 I kinda drifted away. I mostly stuck to gaming chats and once my gaming took a lull so too did my IRC days.
However, more and more I see security/technical groups with a presence on IRC, particularly freenode.net. As such, I started my next mini-project last night to get my ass back on IRC regularly. My one requirement for doing so, though, is that I want to be able to hide my host name (IP) or otherwise mask/reroute it. I don't really have any external servers available to proxy or bounce off of, but I think freenode itself will let me cloak my host name, which might be enough. Of note, I read up on bouncers and might put one up on my server just to see what that is all about.
Fun times, and it'll be nice to get back on IRC for some shoulder-rubbing. I also need to get my ass on a forum somewhere as well, but that is predicated on getting at least one of my systems up on a proxy somewhere (something I should do anyway). Yes, I like my privacy and I dislike making a target of myself...and no, I don't antagonize people or anything. I just prefer obfuscation for as long as it holds out.
If I get on freenode, I'll be authed as LonerVamp, of course.
by LonerVamp 01.15.07 at 8:53 AM in /general -
Macworld passes were hackable. This just amuses me to no end. While Apple does not directly put on Macworld (IDG World Expo does), it is interesting how security by proxy can work. I would hope IDG World Expo's developers are few in number, underpaid, and overworked to put out something like this. This reflects badly on Apple as well.
Which brings up the question of just how many and how bad can insecure practices be before they take in collateral damage? Can a mistake on IDG's part be prevented by Apple? Should companies VA or pen-test each other? Should Apple have known better? Is there really any recourse for this as we move into the future security-be-damned?
It amazes me that such simple things are still occurring today, like javascript "secrets." I'm not what you would call a web programmer, although I could likely be one given a bit more effort and a job in that field, and yet even I feel I should be better at coding and design concepts than that. Seriously, though, it makes me yearn to get back into web coding again.
If I find more details on the hack, I'll update this post.
by LonerVamp 01.15.07 at 1:37 PM in /web - comments(3)
I like this post from ISC about what amounts to transparent SSL. What if sites continue to use SSL on only the underlying form submission portion of a website login? How are consumers supposed to tell and/or look for the HTTPS connection? D'oh!
by LonerVamp 01.15.07 at 2:14 PM in / -
One of the failings of blogging, especially its use for education, is how unsupportive it is to dialogue. Yes, there are comments, but once I leave a comment somewhere, it is a crap shoot whether I ever get back there to see any further dialogue or rebuttals or agreement. Fire and forget, most of the time. Sometimes I'll post a question and check back later, but mostly I don't and mostly I just plain forget. I also don't look at posts later on to see if what the author said was BS and spoken to in the comments. I have to take posts largely at face value. How often have I posted on a Bruce Schneier topic that tends to have plenty of feedback, only to never look back at that particular comment thread again?
Forums promote repeated dialogue until a topic has run its course and slowly melts back down the priority list, replaced with newer topics. A regular reader/contributor can, in this way, watch discussions she may be interested in until they naturally conclude. Mailing lists are similar. IRC is somewhat the same way, as interaction and discussion occur right away. While those that idle don't typically re-read old logs, at least discussions at the moment have some give and take.
Running one's own blog is a bit of an exception, as here I tend to be able to see each and every comment posted, and thus have my full run of any dialogue. But how can one really capture this for readers? Email notifications on comment replies help, but only when one has already commented on a post. Anything not commented on gets no continuation. In that case, it behooves me to comment on every post on those blogs. Setting up an RSS feed for comments is another nice thing. Ha.ckers.org does this, but I have to admit there is no real kind way to present them. New comments on old posts get thrown into the middle of new comments on new posts, which really muddies the waters of trying to follow any sort of continuity. But for anyone who diligently reads the feeds, this can be an effective, if jarringly annoying, way to keep up. The author can re-post the articles based on comments and responses, but this just perpetuates the cycle until no comments are left (or all the readers have left!).
So what is one to do? Well, slowly I've been moving back into IRC and I want to get back into forums as well. Blogs have their high points, but unless one is a real fan of a particular blog and sticks around a lot, RSS feeds are just best suited to scatter-shot news posts and catching the latest releases in podcasts or tools than for real educational dialogue.
I think this is also why I maintain my blogs more like personal journals (and I prefer the term journal to blog), where the only real reader I'm looking to keep informed is me. Letting out my own ideas, thoughts, and otherwise documenting my own life and knowledge. *shrug*
by LonerVamp 01.15.07 at 2:24 PM in /terminal23 - comments(6)
Whitedust pointed me to Emergent Chaos with an announcement that obscurity will save us and we can just hide our files someplace unexpected and be safe! Well, ok, mordaxus was nearly as sarcastic as I was in that last line.
I just have two points in mentioning this. First, I wouldn't argue against someone who says that encryption itself is simply a form of obscurity. It is obscured because a key/passphrase is not known. But know that bit of information, and encryption is done. Of course, this means every password system is also a form of obscurity...but I still wouldn't argue with that person to any great length.
Second, there are plenty of places to hide files in Windows machines already. Alternate Data Streams in NTFS have never gotten the attention they deserve, especially since few tools poke around in there, and those that do are sloooow. I would bet that few people even know about ADS and fewer will ever bother to do a scan for those files. Of course, I'm not saying this is protection for passwords and financial information. I would more use ADS for hiding porn stashes...
by LonerVamp 01.16.07 at 9:41 AM in /general -
These are not meant to be related, I just wanted to save them.
"Great wisdom is not obvious, great merit is not advertised. When you see the subtle, it is easy to win -- what has it to do with bravery or cleverness?" - The Art of War, Chapter 4: Formation
and
"IT must balance three T's: time, talent and technology. Today, the tendency is to throw technology at a problem and in so doing, reduce the need for talent (expertise) and reduce time. I recall my colleague Chris Blask saying, 'Computers are fast and people are smart.' Invest first in talent. Give them time to plan and choose technology that will allow them to be smart, *fast*, and you'll have spent your own time wisely." From a blog entry by Dave Piscitello.
by LonerVamp 01.16.07 at 9:56 AM in /general -
This was an interesting enough tool to spend an hour working on. SearchWinComputing has a quick run-through on some code (batch file) that will launch various Windows domain and exchange MMC consoles as another user. Basically you run the file, type 2, supply your domain admin password, and then the AD Users and Computers MMC should launch in domain admin context. Not bad. Although this is one click, one keystroke, and one window longer than my current method (right-click a shortcut), I certainly would need 8 such shortcuts to do what this batch file does in one. I like simplicity, so 1 > 8 in this case.
However, there is some errata in the instructions. I also had to scrounge choice.exe from a site called dynawell (Google for choice.exe), and I snagged sleep.exe from the Windows Server 2003 Resource Kit, although sleep is really not all that necessary if you just take that part of the code out. Hell, it's been a long time since I delved into batch files, so maybe choice can be replaced with CASE for all I know.
Remove all the comments which are scattered in the code, typified by mixed case text. Change the paths to include the backslash such as c:\. Change the options to read :ONE instead of Option One:. Change the runas user to your domain admin or necessary admin to manage these tools. Correct the typo on option 3 "SItes."
Now, I am not one to use fancy or even simple tools that are not usually always available. I've worked on enough systems and in enough ways to know that it sucks to become really accustomed to doing something one way (such as with shortcuts), and then be like a fish out of water when in a situation where I don't have my nifty customized tools. Similar to how I rarely customize or "prettify" Windows anymore. I don't need to spend 4 more hours after a reinstall making it pretty. So little tools like this are typically only minorly used by me. I like being able to sit down at nearly any Windows machine and knowing what I have available and what I would need to do to get what I want (resource kits, third party tools like procmon, etc). Either way, I think this little script can be useful for now.
by LonerVamp 01.16.07 at 4:06 PM in /general - comments(1)
Just FYI, I am currently bouncing around IRC on irc.freenode.net as LonerVamp. I may not be hanging out much of anywhere lately until I figure out how to manage my presence there, but I am around and looking for some home channels to hang out in. I am also looking to run an IRC bouncer/proxy on my server which can keep my presence online and I can then just attach using whatever system I happen to be on at the time. I'm not sure how happy that will be, but I'll be trying it. It has certainly been a long time since I was an IRC addict (about 6 years since I was a perpetual presence), but it is comforting to be back.
I tried JBouncer which is a java-based IRC bouncer, but I don't like the user info it appends to my user when someone does a whois on me. I found the place in the code that sets those variables, but I have been unable to re-compile the java (I've never coded nor compiled java before). I hope to try out Night-Light before the weekend.
by LonerVamp 01.17.07 at 9:34 AM in /general - comments(2)
Has anyone seen or used or heard about AirPcap? At $198, it is just a little bit above my "eh, spend the extra money and see how it is" range. I saw a blurb about this in the latest Hakin9 magazine.
by LonerVamp 01.17.07 at 12:52 PM in /general -
This was too awesome to pass up putting here. By way of Mike Rothman comes a post of 16 dirty little sayings overheard in IT. I'll add my own commentary to them. What makes this an awesome list? I have heard most of them spoken, multiple times.
1. "It’s only a temporary server. It’s not for production use" This is the bane of sysadmins. This request should always be met with, "what is your hard end date, then?" Too often this uttering is just a way for someone to get something done without properly justifying or defending it and I really hate it. Too often "temporary" turns into "permanent" or even "production" without warning or planning. The only thing worse is when they use their own workstation or some other box without ANY warning. "What do you mean you used your test QA machine to host a new critical ticket system?!" Without admins being complete hard-asses, this would happen constantly.
2. "We’ve tested the backups. They read back just fine. Never restored for real though." I hate this one too, because if there is one thing I think is most important in IT, it is backups. What is worse, though, is *not* hearing this spoken but having it as the unspoken truth. Too many admins never test restores until a restore request. Always test, always verify. I learned this back in science labs in high school.
3. "Patching? Yeah. That’s on our list. We’ve been looking at SUS for a while now, just haven’t got round to it." Another classic task procrastinated in our field. Funny how the fundamentals fall into that basket so often...
4. "Of course staff know about the security policy. They have to sign a form at induction. I did when I started 5 years ago." ...along with the other 55 pages of new employee information that grazed us like a gnat and we brushed it away to figure out where the nearest bathroom is and how to log into our system.
5. "We have documented procedures. Everybody just ignores them. Except me, of course." I say this a lot, both at my previous job and my current one, but I admit I sometimes go by memory as well, especially for things I know inside and out and I know the steps have not changed. Again, though, for such a detail-oriented career, IT people too often ignore documented procedures.
6. "Our apps developers do their own thing really. I think they have procedures for promoting code, but I’ve never seen them." This is common too, especially if newer admins were not involved in creating the infrastructure that the developers use to promote code. This isn't necessarily such a bad thing as long as the admins can support it (per their job) and there is some audit trail available so they can answer who screwed up production when it happens. Security should at least know how they do this, though, so that this risk is minimized.
7. "Users have been told a hundred times not to share passwords." Yeah, the only cure for this is a clue bat. The best mitigation besides that is simply constantly changing passwords and stringing someone up when something really bad happens with a hijacked account due to sharing. Or perhaps legal/HR when told, "Well, they share the account, so you can't fire one as we can't PROVE she did it, it could have been either of them."
8. "Security Policy. Hang on. We do have one somewhere… Dave! Have you seen that policy file anywhere?" Haha, yup! My last company did this every time an audit was at the doorstep. And despite me writing some up, they rarely got signed off up the chain of command and even fewer were enforced. In fact, they never were...
9. "We’re developers. The sys admins make our job so difficult. We have deadlines you know!" This one sucks, but as much as it pains me to see it, there is that very difficult task of making sure developers and admins are reminded that we're all on the same team trying to get to the same clouds in the sky. But both sides do also need to admit that they don't know the full picture. Too many developers have no idea about networking or systems, and many admins have no idea about proper coding and the efforts involved. Security is one thing, but preventing the business folks from getting jobs done is another thing. At the end of the day, if security is holding the business back, the business could lose revenues enough that security is shown the door.
10. "The auditors needed Internet access. WiFi was the answer." Wow, almost word-for-word I've heard this a few times. Also "guests" and "clients" could be put in there. My last job put up an open wireless to do this. Thankfully I've not experienced firsthand someone putting up wireless without asking (the last job asked), but I have heard those stories from people in companies far more critical and important than mine. Yikes! Are CFOs really that stupid? Yes. And he also thinks he's too important for parking spaces and so parks in the fire lane.
11. "Compliance? That’s an HR thing, right?" The age-old "who enforces the company policies?" question. HR or security/IT?
12. "A security breach? Don’t think we’ve ever had one. In any case, we’d just call Dave." In my last job, that would have been me, hehe. This statement just makes me cringe on a number of levels...
13. "The Managing Director wanted it." I think I've heard this more than any other utterance here. Someone in authority pulled their weight and said, "just do it," regardless of how moronic and terrible the task was. I think this right here is where 80% of our stress comes from.
14. "We had a penetration test last year. We passed with flying colours." Wow, I love this one! Who the hell actually passes pen tests with flying colors? If so, you had a vulnerability assessment, not a pen test. And the assessors sucked. No one truly passes a pen test. Every environment has issues, and if they are not technological ones, they are logical and procedural ones. Given a week on site, I really believe no pen tester should walk away stumped and with nothing to do (assuming full physical access). I've seen stumped external attacks against a really solid firewall before, but full assessments should realistically never come back like this.
15. "Yeah, so it’s SQL injection. But our developers tell us there’s nothing of value in the database anyway." I've heard similar things as well, where developers either don't think about the data or feign ignorance.
16. "Marketing are the worst offenders. We don’t support FTP so they rented a cheap web server and uploaded data to that instead." Ahh, human ingenuity. Where there is a will, someone will figure out how to do it, even if it is hokey and terrible and insecure and costly and ...so on. This is why security needs to be an enabler, and management needs to be behind security so circumvention doesn't just happen.
by LonerVamp 01.17.07 at 4:18 PM in /general - comments(1)
"The comprehensiveness of adaptive movement is limitless." -The Art of War, Chapter 5: Strategic Advance
This reminds me of recent comments from Bejtlich about IDS/IPS devices that are alert-based but have little additional knowledge for the analyst. That is not very adaptive, and as such, ends up affording little value below the surface. Being adaptive in IT and especially security is an amazing ability, as opposed to having very complex, rigid, or incomplete implementations that don't afford much in terms of quick reaction, seamless changes, and ability to get the data you need. It also makes me think of on-demand sniffing needs. Can a security analyst quickly span ports into a pre-configured system set to sniff traffic, or will the analyst have to jump through hours of hoops to get this set up for an emergency?
by LonerVamp 01.18.07 at 10:46 AM in /general -
One thing I have learned in networking, security, and really IT in general is that you take any opportunity given to pick up some decent hardware. While I sometimes pick up really crappy hardware, there are always times when you get something decent for very little. And nothing is more frustrating than being inspired to do some tinkering only to find no spare boxes that I want to risk messing around on.
So tonight I picked up a motherboard and CPU for $40. The motherboard is an ECS K8T890-A which has dual DDR400 RAM and a Socket 939 which is for AMD 64-bit processors. This ECS may not necessarily be a gaming rig foundation, however it should suit my purposes just fine, as I have a gaming rig already (although the specs are getting really dated). This mobo has an older BIOS which does not really allow overclocking (quite ok, I don't overclock). The AGP slot is also not really a true AGP slot and instead is a modded PCI bus connection. This means pretty much only older video cards are supported (3.3V), and I'd never get the full power of an AGP card anyway. Good info here for my own future reference. The board does support SATA and RAID.
The processor is an AMD 64 3500+. This translates into a 2.2GHz CPU. The CPU is already mounted with heatsink attached, and I've not had a chance to boot it up yet. I don't think I have a proper PSU to support this board right now, but will be collecting some parts over this winter and spring.
This mobo/CPU may make a great foundation for another always-on server that runs Linux as a vmware host and contains a few VM images of my choosing. The board still has great specs for a non-gaming machine. I just need to load it up with RAM and disk space. Unfortunately, the max RAM will be 2GB, which should only run me roughly $200-$250. And I should be able to pull 350GB+ with two disks for under $200. Another $100 for a 500W PSU. And then look into whether I can use this all in a current old chassis or buy up a new one with fans for roughly another $100 and a non-exciting graphics card (or just use on-board) for $60.
Overall, that's still not really all that bad. About $800 for a good solid box that I can utilize in multiple ways. I could even go a bit cheaper in my parts and do Kingston memory instead of Corsair and still be just fine.
by LonerVamp 01.18.07 at 10:23 PM in /general -
I know Microsoft and other sites will take pains to force people to use IE, but I didn't think I'd find a site that would tell me their site was incompatible with IE and I should use Firefox (even though it lets me click forward and get in anyway, which makes me wonder what's so incompatible). AWStats, a web stats app typically for Apache and Linux, tells me such. Talk about annoying both ways.
by LonerVamp 01.19.07 at 8:41 AM in /general -
Michael Santarcangelo has soft-launched the Security Catalyst Community forum site. This is something we do need, and I'm enthusiastic to see where this community goes. While I think this might be an excellent initiative, there are some concerns I'll just post here because they're really not important enough to bring up to Michael S or those forums.
First, growing a community is not easy unless you happen to have something that draws people in on its own. That's rare, really. I've done community-building work back in gaming where I ran gaming leagues and competitions and basically worked hard to keep the community participating and just plain caring. It is not easy work and is not something you can just say, "I'll build it and they will come." Many forums and sites have sprouted with that mantra and within 6 months the only posts you see are spam posts and what might otherwise be seen as the dust and tumbleweeds of the Internet. It takes constant work by dedicated persons, constant content, and lots of posting and giving people a reason to show up. What makes this even harder? My communities were gamers with lots of leisure time. This community may be made up of a lot of very busy professional people. Hopefully this community will recruit some good people to lead the discussions and provide a reason for everyone else to slowly filter in and continue to contribute.
Second, I'm undecided about the somewhat informal policy of registering with one's real name, or at least putting full name in the signature. I'm not sure of the goal of this other than to look more professional. I don't think we need a stuffy community, but rather one that is willing to talk openly. As information security professionals, I think we, of anyone, should be empathetic to our decisions to control or at least mitigate information leakage. Yes, I know McNealy will say my privacy is already gone, deal with it, and I agree with him. But that doesn't mean I have to let go of every device by which I maintain at least a little control. One of those is forums and comments on other sites. The only places I really like to tie my name, online handle, and/or contact information together are my own pages, or when someone deliberately tracks me down. I will lose this battle someday, but until the world starts getting better equipped to deal with it, I'll still put up a fight. :) We can't let today's inability to deal with information and identity and the internet get in the way of our professional and (oftentimes needed!) informal communication. The people who want their names posted typically are the people who are branded by their names. They have an interest in making sure their name is out there (typically analysts and experts). Also, if my name is associated with the company I work for, I can't typically talk about certain things without people putting 2 and 2 together and knowing my company has an issue with security concept X. That sort of secrecy is one of my biggest issues and it makes it hard for any of us to properly learn from others' mistakes. That's really one of the biggest reasons I enjoy things like Infragard (NDAs) and other local informal groups of buds. There are many very smart people out there with very valuable ideas that may not want to be associated with their given name when online.
Kinda like McNealy saying my privacy war is already lost, so too is the war on anonymity online. Not only can you not always completely stay anonymous online, but (oddly enough), you can stay pretty damned anonymous online. I don't think a forum community is going to be truly able to maintain the informal policy of non-anonymity. I could pick some random name and bounce through proxies to join in with a free email address and change my grammar/writing style. We shouldn't need to do that here. Likewise, it should be enough that the moderators have the ability to check IP and logs and deal with any miscreants in due fashion.
Besides, come on, there's plenty of Michaels running around here! Hell, at my last job we had 3 Michaels on the same team of 4 people (the odd one out had Michael as his middle name). Other than deliberate impersonators, I've yet to see another LonerVamp. :)
Nonetheless, I look forward to participating as LonerVamp in this new community and seeing where this goes. There's a lot of vury smurt people whom I regularly read already signed up!
by LonerVamp 01.19.07 at 12:53 PM in /general - comments(2)
One neat thing about running one's own email server is that I get to see all the spam that comes in. After a number of years up, my most-used email addresses are getting about 100 spam messages a day on busy days. Spam used to (as in 2 months ago) come in with names in the subject line. Typically I'm just, yeah right, unless it says Michael or the name of someone I might expect email from. Then I realize just how easy it is for less knowledgeable users to open spam. Typically I see mostly pharmaceutical picture ads, stock scams, and bootleg software.
The spam moved into Chinese characters (wtf?) and in the past week or two I've seen a lot of spam sporting current news headlines in the subject line. Not bad, impressive!
My mail server's spam filters don't catch everything, although they tend to catch about 50% and label them as SPAM for my mail filters. I really don't expect much when I'm using non-SpamAssassin tools that don't cost anything.
by LonerVamp 01.19.07 at 2:24 PM in /general -
RSnake posted about social engineering. For as much work as I do with networking and computers, I still maintain that the highest success rate attacks on a target are physical and social engineering attacks. The only thing stopping most people from doing more of those things are social mores and the stigma of getting caught and not being able to maintain the anonymity like we have on the Internet.
by LonerVamp 01.19.07 at 2:59 PM in /general -
Andy posted what is maybe the biggest question (and toughest) we should consistently ask ourselves in this field: What is the biggest problem facing security professionals today? Andy answered user awareness.
I'm not so sure I could so quickly answer just one thing as our biggest problem. If I were to tell a VP where to best spend his money, I think I would answer either technology to protect the users and data, or spend money on educating management, not all users. Managers need to lead, and unless managers are aware of the problems, users aren't really going to give much more of a shit. Companies are economic entities, and users are entities that answer to their managers. Pressure can be applied by educating stakeholders such that they hold management accountable for security. But we all know that devolves into checklists, grades, certifications, and basically the representation (right or made up) of security...which may or may not be the real state of security.
An example of technology mitigating the user problem is in laptop encryption. Users can continue to be stupid and lose laptops because they leave them in plain sight in their cars and put data they shouldn't on them, but if they are encrypted (technology), that user mistake is dramatically mitigated. Of course, this may perpetuate the cycle of relying on technology and ignoring user education...but that's at least where I'd perhaps put my money first. Teach people to ignore spam and phishing and detect it and report it, or implement spam filtering good enough to minimize their exposure to those decisions, along with HIPS/detection to stop those fewer instances where they do slip through? Relying on users would keep me up at night, personally.
Complexity of our environments and technology advancements are also a huge problem right now. Environments keep growing outward and more varied. They're also just plain growing. Trying to create an infrastructure today that can be properly and securely grown for the next 10, 5, or even 3 years is highly difficult. Our work environments creep and grow, and we don't typically have the luxury to start over and build the house correctly to today's threats.
For all that rambling above, I don't mean to diss on users as being stupid and a lost cause. I do realize there are benefits to user education and I by no means would prevent user education or speak up against it. User education is truly part of a blended approach to security, and users are just another required layer to be protected and education, just like in the spam example above. I'm somewhat playing devil's advocate, but I honestly don't know if I would say user education is our biggest challenge. I think it is just far more complicated than that.
Update: After some more thought this evening and some time playing LEGO Star Wars (awesome!), I think one of the biggest problems we face is making sure our peers (and ourselves) give management the best bang for the buck they can get, and give accurate and honest and truthful assessments and advice. Management needs our help to understand the reality of their state of security and how to properly tackle it. They also need us to keep hounding them so they don't become complacent or think the task is done. So yes, in a way, education is necessary, just not necessarily user-centric as much as tackling the user base from the top. This might include heavy training for IT folks as well; those of us who are laying the blocks and doing the securing and growing and actual work. Even if management is on board, they can only spin their wheels if their people are not getting it.
by LonerVamp 01.20.07 at 5:20 PM in /general -
Fred Avolio posted this excellent list of security admin errors last year. It has been languishing in my bookmarks and I thought I'd post it here for posterity. Some of these are excellent issues, although some are not necessarily the security admin's fault.
by LonerVamp 01.21.07 at 12:21 AM in /general -
Here is a list of 20 things most people don't know about Windows XP. Honestly, I didn't know a lot of these either! A lot of them won't mean as much to me right now since I don't do much desktop support, but XP is gonna be around for a lot longer. (Do some soul-searching on whether your company really has a reason to move to Vista? Seriously, do you? Other than MS dropping support someday, I doubt it.)
by LonerVamp 01.21.07 at 12:26 AM in /general -
I honestly think email disclaimers are stupid. This is an entertaining list of some bad and worse email disclaimers. Honestly, we all know better than this anyway, and props to any company that just dispenses with this nonsense. I already know that Boeing (a large company that must be security-conscious) does not enforce email disclaimers. If they don't, no one really needs to. Such wasted space and so unnecessary.
by LonerVamp 01.21.07 at 12:34 AM in /general -
Tail is an excellent tool for watching a log file. Tail in cygwin on Windows is ok, but the display really does kinda suck. Baretail is a similar program for Windows that can tail a log file quite nicely. The program doesn't even use an installer and is just a bare standalone executable and works quite nicely to watch logs on Windows. Excellent little tool.
by LonerVamp 01.21.07 at 2:55 PM in /tools - comments(1)
So it has been a while since my last post on Linux as my main box, and I've really basically just been using Linux every day. After getting past some of the usability issues with DVDs, movies, mp3s, and other media, I've definitely settled into a nice rhythm with Ubuntu.
My biggest issue lately has been my external firewire drive which is NTFS. Since I run Ubuntu on my laptop, and laptops shouldn't be tethered to anything except a mouse and power, I decided it was in my best interest to stop wrestling every 4 days with Ubuntu vs NTFS (which typically I did get to work... until unplugging and replugging the drive back in and trying to remount; Nautilus is very picky and whiney), and just plug the drive into something on my network that is on all the time and likes NTFS much more (Windows). I now quite easily just smbmount over the network when I want. The added benefit is my other systems can get on it now as well.
Other than that, I've become very happy with my Ubuntu installation, which is kinda illustrated by the fact that I've not booted into Windows on this laptop since the last update a few months ago. I do cheat, however, since I have other boxes including a slightly less-powerful laptop running XP, but I definitely give Ubuntu my daily tasks. The XP box is just there for misc things and other Windows programs. Heck, I've even taken much more to cygwin on all my Windows boxes.
Will I stick with Linux? Yeah, I will. The reasons remain the same, though:
1) Tired of paying for an OS license at home.
2) I want much more practice with foundational Linux tools.
3) I really like being familiar with a Linux box day-to-day in addition to just knowing how to use the apps. I feel much more flexible this way. (And it adds to my skillsets.)
Will I fully ditch Windows? Never. I have older machines that love my Windows 2000 installs. My other good laptop and gaming rig both have Windows XP. And as long as my job involves any semblance of Windows, I'll do my best to keep up with it. And Windows will always remain my backup boot option.
My goals moving forward this year in regards to Linux:
1) Become intimately familiar with BackTrack. Also adopt a couple other Livecd distros for flexibility sake. Likely Auditor, Helix, Trinity, or something related... Livecds are just too cool when it comes to laptop use.
2) Become more practised with a wider range of tools for Linux. The only difficulty here will be delving outside Debian/Ubuntu-ready packages and tracking down my own dependencies with things not in Synaptic. I might just use an older laptop as a test bed so I don't screw up my main box too badly. :) I might even look into FreeBSD.
3) Start getting familiar with running a Linux server and replacing Windows as my main server. I might look to something beyond Ubuntu for that, and might just run it from the command-line as well. This is definitely more of a "maybe by the end of the year" sort of goal.
by LonerVamp 01.22.07 at 1:18 PM in /terminal23 - comments(1)
Reading some stuff on spam and email today got me all inspired to keep a mail project in mind as the year progresses. I'd like to stand up a Linux mail server on my home network someday. It's not like I dislike my Windows mail server application, but it's done. It's there, and implemented. And, of course, there is still spam getting through. Unless I go with Exchange (overkill, although valuable experience) and some commercial apps to help support it, my best bet is to go with Linux, a mail server (likely sendmail), and SpamAssassin. The problem is those latter two are very daunting and quite bearlike in their configurations. I would need some good time to pore over the settings and how to get things working. Thankfully, I do understand SMTP and have done what would amount to first level support on a sendmail server before (bigger issues I would escalate to someone more experienced). Maybe someday I will move towards that route. I could always just leave my current Windows mail server up as backup.
by LonerVamp 01.23.07 at 2:07 PM in /terminal23 - comments(3)
This is the best laugh I've had in weeks: CNN's 101 dumbest moments in business in 2006. The Chevy Tahoe viral ad gaffe sets the stage, especially once I went to www.youtube.com and looked up some of those Chevy Tahoe ads. It just gets better as well! I didn't realize so many funny and awesome things happened in 2006! And yes, there are IT and security-related incidents listed.
by LonerVamp 01.23.07 at 6:17 PM in /general -
"Someone unfamiliar with the mountains and forests, gorges and defiles, the shape of marshes and wetlands cannot advance the army. One who does not employ local guides cannot gain advantages of terrain." -The Art of War, Chapter 7: Armed Contest
Amen to that.
I read Shark Tales off and on, and saw this one today. While amusing, it also comes with a pang of sadness at how often no one ever knows what IT does to keep the ball rolling. IT (all of it, including security) is too often seen as a utility. No one cares until it isn't working. I mean, when was the last time you called up your electricity/internet provider and thanked them for providing the utility that day?
by LonerVamp 01.24.07 at 1:20 PM in /general -
Can't believe I originally missed an article on wardriving! And not a bad one either, considering the ComputerWorld source. The first page is interesting with the setting up of a rather cheap van office. I kinda like that idea, especially considering my car has zero room as it is. I was also enthused about someday getting together some cheap mobile rig (if I got more into wardriving/wireless assessments that is) after watching an episode where the packetsniffers mounted a laptop in their truck. While a front-seat-mounted laptop is borderline illegal (something about a tv or computer screen being visible to the driver), the idea of a mobile wardriving pad is pretty cool. Shag... At any rate, I like a good article with some good technical tips and hardware suggestions. Unlike many ____World articles, it really sounds like this author is definitely speaking from experience. I might have to hunt this guy down when I make it out to Seattle soon.
by LonerVamp 01.24.07 at 4:22 PM in /general -
I'm sure everyone is going to be posting and abuzz about how MySpace got GoDaddy to drop Seclists.org. But what really makes me frustrated and angry is how often people make assumptions and how ignorant so many people can be (and apparently illiterate). Reading the comments here and here is just an exercise in working up a large frustration level with people who think Fyodor was the one who phished those accounts and then posted them on the site for everyone to grab. And so on. That frustration is what prompted this post, not the news item itself.
Big kudos to Fyodor for digging quickly to the heart of the matter in saying MySpace should have taken action to protect its users whose accounts were compromised, not trying to patch up an unpatchable leak.
Personally, despite my knowledge that security sucks still and botnets and phishing are out of control, I am not convinced that ISPs and registrars should be the police of the Internet. There is still a lot of vigilantism out there with non-official sources tracking down and raising cain about phishing sites and botnets and spambots and illegal or copyrighted material, which can end up with a lot of collateral damage as legitimate persons and innocent victims are infringed upon, especially with amateur cowboys on their missions. I will say, however, that some of that is necessary and legitimate. F-Secure notifying an ISP or registrar about a known phishing site that is doing nothing but phishing is one thing, but non-experts doing it? I'm not sold on that idea.
Shame on MySpace for even pursuing this without at least a little bit of thought or investigation. They could have contacted Fyodor themselves, they could have checked into the mailing list, they could have asked around or browsed the archives themselves to see what the whole story was. They could have (and should have!) notified their own users about the accounts and forced a password change. Wiping out a site when the accounts are already leaked and public domain does absolutely nothing for the integrity and security of MySpace and its users.
Shame on GoDaddy for their impatient reactions and also their own lack of follow-thru and investigation. GoDaddy should have experience and relations with known experts and groups who report phishing sites and other TOS violations. I doubt MySpace would or should be amongst those groups. Due process. As a customer of GoDaddy, I would expect due process and not a knee-jerk reaction based on which way the winds are blowing.
by LonerVamp 01.26.07 at 10:37 AM in /general -
"If you hide your form, conceal your tracks, and always remain strictly prepared, then you can be invulnerable yourself." The Art of War, Chapter 4: Formation
There's a lot of analysts and journalists who write and talk a lot, but it's just all blah blah blah blah, with little substance or anything that matters. And they tend to talk in circles and argue a lot about much of nothing. Brian Krebs is not such a writer. He's one of those rare journalist gems in the security world who gets it, and has respect. He tells it like it is, and I gotta admit, I've enjoyed his writing, accuracy, and tenacity in sticking to his guns despite the unwashed ignorant commenting masses on his more popular topics. He wades into the whole substitute teacher porn exposure case quite deeply, and rightly, ready to get the facts out as this whole incident is one out of proportion debacle. Sic balls, chopper!
Another analyst that I have grown to like, mostly because of his style of posting bullet points and getting all his stuff in one post as much as his incites (sic), is Mike Rothman. I may not always agree and I may find his stuff not relevant to my roles, but he has gems. He had one today where he said, "Everyone needs a plan, but those that spend all day planning, spend very little time doing. So plan quick, do stuff, adapt and repeat." We can sit and talk about how to get the perfect security plan and plan, plan, plan so that we're not the next headline in the paper. But we could end up doing that for ten years...and get nowhere. Just do it. Get an idea or something to do and do it. It might be only part of the solution, it might even be wrong, but just do it. Evaluate it. Fix it. Adapt. Improve. But bottom line, do something! A company that really wants to support its IT and security personnel will be willing to allow some levity in getting things done and making mistakes here and there. If the company is not, they either won't ever have security, have scared admins who end up doing nothing but the barest bottom line, or they have a team of perfect Jesus Admins working for them.
Laptop encryption is a big deal these days. But one must always keep in mind that the best way to keep sensitive information safe is to not have it on insecure devices and to physically destroy media when no longer used. Encryption, if you want to get really technical, is just obfuscation. It cannot realistically be broken today...but the key word there is "today." If that drive is important enough, an attacker can keep hold of it for years and continuously work against it. Encryption is a huge step up from bare data, but it is still not a complete substitute for sound information storage and usage practices. Either way, full-disk encryption will soon become standard on every hard drive, and users can turn it off if they want on the hardware. Kinda like providing a lock and key on a computer case. If you want to take the trouble to supply the key each time you want in, go for it, otherwise just don't lock it.
by LonerVamp 01.26.07 at 11:05 AM in /general -
A post by Adam Dodge about a couple of University of Arizona departmental web servers being defaced reminded me of a sort of 5-year-ish prediction I have in my head now and then. These web servers were running TWiki, and a vulnerability in that program, apparently already known to the admins, led to the defacement.
In my last job we were an ASP (application service provider, i.e. we hosted a web-delivered service) and about 150 employees. About 1/3 of the company was comprised of IT and development staff. The number of applications we, the infrastructure (network, security, sysadmin, etc) team, supported was not terribly high, maybe about 2-3 dozen different types of systems we needed to stay abreast of or at least keep secure. That's still a lot of work to be on top of patching and securing and managing those applications properly. And it really sucked to have surprise applications (one was a wiki hosted on a developer laptop that suddenly became a burden to his system performance [gee, ya think?] and a critical piece of their own processes [ugh, thanks]) pop up in the environment.
My prediction is corporate applications will do one of three things:
1) Security will move to the network and we won't necessarily give a crap about what goes on a system. Thin-client computing is being talked about again... If people want to run an application for their department that is buggy and 7 years old and barely supported anymore, go ahead in your own little secured network area.
2) Security and IT management will win out and corporate applications will consolidate and diminish. Rather than trying out everything under the sun and small pockets of people relying on a disparate number of applications, corporations will get rid of a lot of them and just use the really important ones. Providers that can provide a full solution will benefit. For instance, Salesforce.com provides sales with almost everything they need except corporate email and phones. That's awesome and leaves sales really not wanting for much else other than mobile devices and access to information when they need it, anywhere.
3) We're just plain screwed and the security function of managing all those disparate applications will be a regular task for IT/security.
This flies in the face of what I really think is coming: outsourced security. You can audit, evaluate, test, assess, monitor, and manage alerts from an outsourced entity, but how can an outside entity ever truly understand all those little apps that pop up in every corporate environment? How much clout would such an outsourced team have when saying an HR tool is outdated and should be removed as a liability and administrative drain on resources? How intimate can they REALLY get? (Answer: only as intimate as the tools let them...and they don't get that intimate...)
I guess I can mix this all around and say a prediction will be the grinding of these two gears that don't quite fit with each other: outsourcing security and day-to-day IT tasks vs. the disparate and complex and ever-changing digital landscape of the corporate campus.
by LonerVamp 01.26.07 at 2:10 PM in /general -
Sometimes a blog post comment can be just as good as the blog post that inspired it. A comment on a post by Richard Bejtlich is an excellent real-world example of changes that occur in an environment and what can happen if everything is managed separately. I've seen something similar to this before, where a PIX static NAT rule was put into place (by accident, I hope; we never did answer this question because the tech who made the mistake had left a few months before the discovery) that basically left the balls of 2 servers out on the Internet for the wind to tickle. Eventually they fell victim to worm activity, but thankfully the damage was limited to just those two old dev servers. NSM did not lead me to the answer (we didn't practice that); rather, a lucky port scan from the outside conducted on a gut feeling revealed the issue.
I enjoy reading what breaks or didn't work in environments. Too often such stories are so cloaked in corporate secrecy that we don't get the opportunity to learn. How often are firewalls managed in a way that if a system is taken down and another put in its place, the firewall mappings will be reviewed and updated as well? How much chaos in a network can an IT team handle before problems like this arise? How much should policy mandate what happens and what does not happen? Or invoked policies or, better yet, inventory of systems and configs.
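The review the paragraph above asks for (does every firewall mapping still point at a system that is supposed to be exposed?) can be scripted. The following is an added example, not anything from the post or the commenter's environment: it parses the classic PIX `static (inside,outside) mapped real` form and compares each inside address against a constructed inventory, flagging mappings to decommissioned hosts or to hosts never approved for Internet exposure. The config excerpt, addresses (RFC 5737 and RFC 1918 ranges) and inventory are all constructed.

```python
"""Cross-check PIX static NAT mappings against the systems inventory.

Added example, not the post's own tooling. The config lines and the
inventory below are constructed so the script runs offline.
"""
import re

# Constructed excerpt of a PIX 'show run': three one-to-one static NATs.
PIX_CONFIG = """\
hostname edge-fw
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.1.1.50 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
"""

# Constructed inventory: what each inside address is supposed to be.
# 10.1.1.50 was decommissioned and is no longer listed at all.
INVENTORY = {
    "10.1.1.10": {"name": "www01", "internet_facing": True},
    "10.1.1.11": {"name": "dev02", "internet_facing": False},
}

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>[^,]+),(?P<outside>[^)]+)\)\s+"
    r"(?P<global>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_statics(config):
    """Return [(mapped_ip, real_ip), ...] for every static NAT line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append((m.group("global"), m.group("local")))
    return statics


def audit_statics(config, inventory):
    """Return (mapped_ip, real_ip, reason) for each static whose inside
    host is unknown to the inventory or not approved as Internet-facing."""
    findings = []
    for mapped, real in parse_statics(config):
        entry = inventory.get(real)
        if entry is None:
            findings.append((mapped, real, "inside host not in inventory"))
        elif not entry["internet_facing"]:
            findings.append(
                (mapped, real, f"{entry['name']} is not approved as Internet-facing")
            )
    return findings


if __name__ == "__main__":
    for mapped, real, reason in audit_statics(PIX_CONFIG, INVENTORY):
        print(f"REVIEW  {mapped} -> {real}: {reason}")
```

Run against a real `show run` capture, the output is the list of mappings someone needs to explain or remove; running it on a schedule, or whenever a host is retired, turns the "was the firewall updated too?" question into a routine check instead of a lucky port scan.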
by LonerVamp 01.29.07 at 2:39 PM in /general -
At the risk of painting a hat on my head, I have to make a small rant about paying for software.
I have had two fairly "small" tasks at my job in the last 8 months (no, not the only tasks, these are just two I'm pulling out). The first was to audit and "fix" file server permissions on a Windows file server utilizing AD accounts. The second was to be able to enumerate which Exchange mailboxes a user has rights to. Our company allows two levels of managers above an employee to have full access to the employee's mailbox. To anyone who has done either task, what sounds simple is really not all that simple at all.
For the first one, sure you can dump a huge ACL list. But can you answer the question, "What does Joe Blow have access to?" Unless you have a strict policy on user rights management using AD groups, this is much harder to answer. I really enjoy using ScriptLogic's Enterprise Security Reporter. While I don't use this tool nearly to its full value, I do really enjoy the ability to audit a file server and dump reports on permission levels. Would I pay for this tool? I don't know, but until I can, I just creatively use regmon and registry editing to avoid the trial expirations.
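The "What does Joe Blow have access to?" question is hard precisely because rights arrive through nested AD groups and have to be folded together with any Deny entries. As an added example (not the ScriptLogic tool or any script from the post), the following resolves a user's effective rights from a constructed ACL dump and constructed group membership, and answers the reverse question too. It models NTFS semantics only loosely: rights from every group the user belongs to, directly or transitively, are accumulated, and an explicit Deny strips the named rights regardless of where the Allow came from; inheritance order and the way FullControl implies the other rights are not modelled.

```python
"""Resolve effective file-server access from an ACL dump plus AD groups.

Added example with constructed data; the rights model is a simplified
version of NTFS (accumulate Allows across all groups, Deny wins).
"""
from collections import defaultdict, deque

# Constructed AD group membership: group -> direct members (users or groups).
GROUPS = {
    "Domain Users":   ["jblow", "jfoo", "Finance"],
    "Finance":        ["jfoo", "Finance-Admins"],
    "Finance-Admins": ["jblow", "cfo"],
    "HR":             ["hsmith"],
}

# Constructed ACL dump: (path, principal, Allow|Deny, rights).
ACL = [
    (r"\\fs01\Public",  "Domain Users",   "Allow", {"Read"}),
    (r"\\fs01\Finance", "Finance",        "Allow", {"Read", "Write"}),
    (r"\\fs01\Finance", "Finance-Admins", "Allow", {"FullControl"}),
    (r"\\fs01\Payroll", "Finance-Admins", "Allow", {"Read"}),
    (r"\\fs01\Payroll", "jblow",          "Deny",  {"Read"}),
    (r"\\fs01\HR",      "HR",             "Allow", {"Read", "Write"}),
]


def principals_for(user, groups):
    """The user plus every group containing them, directly or through
    nested groups (breadth-first walk over the reversed membership map)."""
    member_of = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            member_of[member].add(group)
    seen, queue = {user}, deque([user])
    while queue:
        name = queue.popleft()
        for group in member_of.get(name, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_access(user, acl, groups):
    """Map path -> rights the user ends up with; paths with no rights are
    omitted. A Deny of FullControl removes everything on that path."""
    principals = principals_for(user, groups)
    allows, denies = defaultdict(set), defaultdict(set)
    for path, principal, kind, rights in acl:
        if principal in principals:
            (allows if kind == "Allow" else denies)[path] |= rights
    result = {}
    for path, rights in allows.items():
        denied = denies.get(path, set())
        if "FullControl" in denied:
            continue
        remaining = rights - denied
        if remaining:
            result[path] = remaining
    return result


def who_can(path, right, acl, groups):
    """Reverse question: which users hold `right` on `path`?"""
    users = {m for members in groups.values() for m in members if m not in groups}
    users |= {p for _, p, _, _ in acl if p not in groups}
    return sorted(
        u for u in users if right in effective_access(u, acl, groups).get(path, set())
    )


if __name__ == "__main__":
    for path, rights in sorted(effective_access("jblow", ACL, GROUPS).items()):
        print(f"{path}: {', '.join(sorted(rights))}")
    print("Read on Payroll:", who_can(r"\\fs01\Payroll", "Read", ACL, GROUPS))
```

Feeding it real data means exporting the ACLs (icacls output, or the permission report a tool like the one above produces) and the group membership from AD into the two structures; the resolution logic stays the same. The point it makes about the paragraph's policy remark is visible in the data: jblow reaches `\\fs01\Finance` with FullControl through two hops of group nesting, which no flat ACL listing shows.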
For my Exchange rights issue, I found Vyapin's Active Report Kit for Exchange Server. This tool will let me pull out information from AD/Exchange and lets me answer my question, even with the export/print-limited trial. My main question was similar to the file server one: "Whose mailboxes does John Foo have access to?" (On a side note, the supposedly limited exporting seemed to send the tool into an endless loop and built up a 2.0GB Excel file before I finally decided enough.)
In the end, I really hate paying for tools to do things I really should learn how to do myself, manually, someday. Windows scripting has long been on my list of things to learn, but quite often is nearer the bottom of the list than the top. Someday I will get this down, and then I can answer my own questions and needs rather than looking for expensive software to do them for me. There really are not enough hours in my day...
by LonerVamp 01.30.07 at 10:48 AM in /general - comments(1)
I need to continue my post below before some evangelists in the security world judge me blindly. :)
I love Windows. Really, I do. Well, ok...I did love Windows. I loved Windows until they started doing that Genuine Advantage Crap. Suddenly half my test machines could no longer be reinstalled and wouldn't get some updates. Microsoft is the biggest single reason I moved to Linux last year. Go figure.
Now, one of the reasons I use and have used Windows so much would be twofold: 1) It comes with new computers and has come with all computers I've bought (i.e. no perceived cost since I couldn't easily avoid it). 2) I could pirate it and use it on my old and spare machines without necessarily paying for it. I would never condone this in a workplace, however, just for home personal use.
Lots of expensive software is out on the market with limited trials and big price tags that talk about things in terms of installation instances or numbers of managed devices. I hate that. I hate having the limitations (subconscious and real) of really cool software. And if I can't use it at home and become intimately familiar and happy with it, why would I ever request my company spend money on it? Something would have to be drop-dead and immediately awesome to get that sort of request pushed through.
I wish more cool software was free to home users so that us geeks can become familiar with them and get them legitimately into the workplace.
Likewise, I have no clue how companies that sell an appliance to do certain things can really expect to get good market penetration without a lot of hard in-your-face sales work, and being able to get IT shops with time to spare to check out the appliance features. I'd much rather be able to get an appliance, even a stripped-down barebones POS running the software at home so that I can get really happy with it. A one-month trial is just lame for most of us already busy geeks, especially when such devices keep wanting to do everything and it takes 3 years just to realize how crappy it was underneath the surface.
Give me free junk to play with that works well, and I'll speak highly of it to people I know, or my own company.
Ok, enough ranting on this topic. I had to get it out sometime!
by LonerVamp 01.30.07 at 1:26 PM in /general -
This isn't on my horizon yet, but someday I will do a BIND DNS server at home, if not sooner at work. Yanked from ISC, NIST has a standards doc (pdf) and there is also a secured BIND configuration and information available as well.
by LonerVamp 01.30.07 at 2:14 PM in /general -
Along with Windows scripting, I do want to sooner get back into programming. Right now, I just kinda need a reason to put programming into practice. I can hack around with Perl and other languages just fine, and have had experience in others like VB and C. But someday when I get really down into learning one of them again, I'll likely go the route of Python. Nicely enough, cdman just today posted about a couple freebie Python books to help out. Dive Into Python and Learning With Python.
Will I get into this this year? Honestly, I'd like to, but I'm not sure if I will have the time until late this year. I do have other plans, and I really hate overbooking my goals in a year. Thankfully, Perl has been around a long time and I suspect Python will also be as useful for that long or longer.
by LonerVamp 01.30.07 at 3:01 PM in /general - comments(1)
ISC posted good info about the Daylight Savings change, which I won't regurgitate, but I will repost some links. While I never joined in with the fear of the Y2K switch, I really think this DST change will be more problematic than anticipated (anticipation is so high no one is talking about it!).
Aha! I still run Windows 2000 Pro instances so I have to follow special steps (also KB914387 and KB928388). Why do I run 2000? Good question. First, the specs on some systems, mostly older laptops and 500MHz machines, are not good enough to run XP without lots of cursing. Second, I don't have things like XP's Genuine Advantage squawking at me and then disabling my install after 30 days. Screw that.
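The reason the 2007 change bites harder than it sounds is that an unpatched system keeps the old US rule (first Sunday in April to last Sunday in October) while the new rule runs from the second Sunday in March to the first Sunday in November, so there are two windows each year where unpatched hosts are an hour off. As an added example (not from the ISC post or the KB articles), the following computes both rules for any year and the exact date ranges where they disagree, which is what you want when correlating logs from a mixed fleet of patched and unpatched machines.

```python
"""Find the date windows where an unpatched (old US DST rule) system
disagrees with a patched one (2007 US DST rule).

Added example; only the two rule definitions are facts, the rest is computed.
"""
from datetime import date, timedelta

SUNDAY = 6  # datetime.weekday(): Monday=0 ... Sunday=6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (n=1 first, n=-1 last)."""
    if n > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (n - 1))
    # n == -1: step back from the last day of the month
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def old_rule(year):
    """US DST 1987-2006: first Sunday in April to last Sunday in October."""
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def new_rule(year):
    """US DST from 2007: second Sunday in March to first Sunday in November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def is_dst(day, rule):
    """True if `day` falls inside DST under the given rule (half-open range)."""
    start, end = rule(day.year)
    return start <= day < end


def mismatch_windows(year):
    """[start, end) ranges where a system on the old rule shows the wrong
    local time: spring (DST not yet applied) and fall (DST dropped early)."""
    old_start, old_end = old_rule(year)
    new_start, new_end = new_rule(year)
    return [(new_start, old_start), (old_end, new_end)]


def days_off_by_an_hour(year):
    """Total days in the year on which an unpatched host is wrong."""
    return sum((end - start).days for start, end in mismatch_windows(year))


if __name__ == "__main__":
    for start, end in mismatch_windows(2007):
        print(f"unpatched hosts off by one hour from {start} up to {end}")
    print("days affected in 2007:", days_off_by_an_hour(2007))
```

During those windows an unpatched Windows 2000 box stamps its logs an hour behind a patched one, so timelines built across both need the correction applied before events are lined up; the same function also tells you, for a given incident date, whether the discrepancy is even possible.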
by LonerVamp 01.31.07 at 12:47 PM in /general -
One thing I have learned in my short time in IT is email boxes are not really a valid storage area, especially for those of us in the infrastructure side of IT. Since I switched jobs last year, I was able to start out with a fresh email box at the new company. I was able to put into action what I had learned late in my last job about not bothering with keeping a huge email store. One of my favorite managers at my last job had almost a zero-sized mail store because of this approach, and I agree with it. There's little reason in saving everything, especially from a business standpoint in my role. Emails:
1) Get read and deleted.
2) Get read and acted upon.
3) Get read and saved out of band, for instance on a backed up file server folder structure. (e.g. licensing codes, personally important stuff...)
4) Get read and then printed out and deleted. They then go into my "desk queue" which goes through the same process as I don't let things linger on my desk either. (Of note, with dual-monitors, I print out less...think about that in your next debate discussion on dual-monitor adoption...)
I do keep a certain amount of monitoring email alerts from my company's monitoring systems just so I can do quick trend analysis by eyeballing the alerts. Those usually are small and I purge huge chunks of them every so often so that I only have a few months' worth.
Sometimes emails build up waiting to be read, but I work hard on keeping the level manageable and regularly purged if need be. The only real emails I keep around are sometimes informational or pending projects that can be done down the road. It sucks to get behind with keeping the mailbox cleaned up, and 99% of those emails that slowly build up really do not need to be kept. Besides, I'm cognizant of storage needs in an organization, and much like reducing my waste and power usage at home to do my part to save the environment, so too do I attempt my part in saving storage space.
Does this work for people in all business roles? Nope. Does this work for me at home? Sadly, no. I tend to be the opposite and not delete much of anything other than the complete crap I get. Thankfully, I don't really get all that much email anyway. I even have a zip of emails from 1996-2002 that I started getting when I started college. If nothing else, they are not many, they make for great memory-goads, and can help me get in touch with old buddies sometimes.
by LonerVamp 01.31.07 at 1:03 PM in /general -
An interesting (and woefully short) question and answer from ComputerWorld, "How many firewalls do I need?"
Answer: "How many can you manage?"
Ok, so that's very simplified and not necessarily the right answer. The thing is, firewalls should be in place on the network any time the trust or sensitivity level of the data or systems changes. If your sales workstations don't need to be up very long and have little sensitive data, but your database server has very sensitive data and needs to be up as much as possible, you really could put a firewall in between the two. If some systems need to be accessed from the Internet but others do not, use a firewall to keep them separate (thus creating your typical DMZ). That way, much like real physical firewalls in cars or buildings, if a "fire" breaks out with an attack against your Internet-accessible servers, the next firewall will keep the "fire" from spreading to those systems that had no business being in the same group as those Internet-accessible ones.
Firewalls are awesome. They create natural choke-points to monitor and measure traffic flow. They allow barriers to access so that you don't have everyone's traffic scurrying around everywhere. They give natural points where traffic capturing and logging can occur (and I've become a big proponent of NSM and logging and traffic analysis).
And put up as many firewalls as you can manage. You can have too many, but the chances of that are far less than not having enough firewalls. Put up as many as you can and remove ones you deem unnecessary or restrictive to network stability later on. But never put up more than you can properly manage. A mismanaged or unmanaged firewall is maybe worse than no firewall at all.
I really believe that firewalls are one of the very few mandatory but not technically necessary pieces of any network (i.e. you CAN run a network without them, but just don't). I consider them a mandatory piece of any network or host-based "defense in depth" approach and one of the most important and valuable (i.e. the value they add) and basic blocks of a network.
My own personal projects list involves learning more firewalls including getting my own home pix someday, becoming more intimately familiar with iptables and pf (if I get into BSD this year), and other standalones like Smoothwall/IPCop and so on.
by LonerVamp 01.31.07 at 1:19 PM in /general -
I hate hearing things like Anti-Virus is dead or IDS is dead. If they're still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 parity), is a noble effort, but as a paper about a "new" method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can't convince me anti-virus is dead (even as I don't typically use any at home because I consider myself slightly educated in technical areas).
Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.
So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.
From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I'm not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops lead to...
...From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that's not true. There's even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, "No! You idiot!" The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don't buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.
Ok, end rant, time to go home!
by LonerVamp 01.31.07 at 4:19 PM in /general -