February 2007 Archives
Wired.com occasionally has stories of such depth and quality that I am amazed I don't regularly read the mag (I did back in the day about 6 years ago, but drifted away). This is one of those stories about the dark underbelly of illegal credit card and identity dealing and investigations into them. Definitely a must read. Part 1 Part 2 Part 2.5 and Part 3 (I don't understand the sequencing, honestly...)
by LonerVamp 02.01.07 at 4:30 PM in /general -
I saw this and had to try it, especially since I do enjoy Starbucks, Borders, and I tend to be places where I can see T-Mobile hotspots taunting me. Now, for 3 months, I have a trial account that I can use because T-Mobile thinks I run Vista (nope, I don't). This little hack comes from i-hacked.com.
by LonerVamp 02.01.07 at 9:44 PM in /general -
I found a Skype article from CNET posted over at InfoSecPlace and nCircle, and as usual with Skype, I have strong opinions about it. It seems Skype is looking to "partner" with some security companies to provide some additional functionality like "provide add-ons to its software to scan text sent through Skype's chat feature for malicious links."
Ugh. Let's build the frustration just a bit more and quote the article again, "Skype has caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks."
Ugh, again. First of all, let's get this popular media misconception out of the way. Skype is not my biggest concern because it can find new ways to make a connection to the Internet. Please. If Skype is not a welcome product in a company, this can be circumvented with policy, software/OS restrictions, and even on the network by blocking the sites that Skype initially contacts for logon. Unless they changed in the last year, you couldn't necessarily block authenticated users, but you could easily block the logon process and prevent people from using the system. Not only that, but this is not a "new" headache for admins. Malware has been doing this for a long time...
Second, Skype's problem in the corporate space is not that suspicious links can be sent over the service. Skype's problem is meeting regulations that require Instant Messaging to be logged and/or loggable. And Skype falls into the grey area between phone usage and digital IMing: digital phone calls. I think there is still debate on whether Skype calls need to be monitored as well. Skype needs to deal with that issue before it should spend any more money trying to enter more than just the SOHO corporate space.
Third, Skype has the annoying habit of making outbound connections...everywhere. Anyone who sometimes (or regularly) looks at outbound connections on firewalls for anything suspicious will know that almost every Skype connection seems suspicious. Skype raises the false positive rate so much that it pretty much kills that sort of monitoring. This doesn't kill Skype, but it certainly is a factor in saying no to it in a corporate network.
Fourth, Skype needs to look into making a standalone product. They might be able to have a closed IM solution for a corporation that is not open to the public, and still provide decoding capabilities only to that company. Another widespread corporate requirement is the IM network not being publicly accessible. Again, this won't kill Skype, but is another black mark.
Fifth, Andrew at nCircle mentions, rightly, that it also should be centrally managed and configured. Again, if Skype wants to break into anything beyond SOHO markets, they need to provide management for the staff. This is important enough to be a possible deal-breaker as well.
Skype is awesome at home and for SOHO use. It saves money, is easy to use, provides good security for the mobile crowd (for now, until the encryption is broken or other MITM attacks might arise), and tends to make employees happy; and one of the things I will thump loudly about: happy users means productive users. I hate having to sport an anti-Skype opinion in the corporate space, but the program itself forces me to be able to take either side, passionately, depending on the corporate environment (i.e. HR, senior management, and regulations).
by LonerVamp 02.02.07 at 8:19 AM in /general -
IT Audit has an article on 11 steps to an effective FTP audit. I like this article; it gives some good steps to auditing FTP activity. However, I think it misses a few things. While many people are likely already wondering why FTP should be so large-looking a project for such an old and probably under-utilized technology, it is still important, especially if this is a publicly open route into your network. Here are some steps I would add.
A. Audit user accounts and activity - Find out where user accounts are tracked and how expired accounts are handled. Do they linger for years and years without activity? Are client accounts even for active clients anymore? Once this audit is done, keep that list handy so that FTP admins can refer to it later and build upon it so that accounts are removed as needed and existing accounts are tracked. If an account has no activity in 4 years, raise questions on its continued need. I really like the rest of the author's monitoring suggestions. Even if there is seemingly no value in knowing who consistently is the largest transferrer of files, it becomes more important when that consistency is broken one month and some other otherwise quiet account suddenly becomes very active. As part of the account audit, be sure to verify that FTP account access is limited only to their slice of the FTP server, and not overlapping other accounts or able to access other shared spaces. Twenty vendor accounts for 20 vendors that all dump into the same folder is a big risk. Try to also identify shared accounts or those accounts used by just one person, and identify the impact of regularly changing the passwords. Keep in mind that even legitimate users might use the FTP location for malicious reasons such as storing movies or games or other copyrighted property.
B. Recommend granular firewall policies for FTP account access - Whenever possible, require clients, vendors, and FTP users to provide their external IP or IP block to be included in access to the FTP server. It is better to only allow 1,000 IPs access to the FTP server through the firewall than to have all IPs allowed through. It has been my experience that most companies are amenable to providing this information when pressed.
C. Evaluate the patching and security state of the FTP server - Determine the FTP server in use and the version, then research any known vulnerabilities in the server. Recommend patching policy, someone to track patch availability ongoing, and perhaps recommend more secure FTP server solutions. Utilizing an old, insecure version of something like WarFTP or IIS5 should not be very acceptable.
D. Recommend including firewall logs of port 21 access in the audit - It could be beneficial for finding rogue or new FTP servers to include checking firewall logs for successful incoming port 21 occurrences outside the scope of known FTP servers.
FTP servers are still a necessary evil in many corporate environments, and far too many admins put them up, add new users per corporate requests, but otherwise don't consider them with much more interest. As one of likely only a few inroads into your network, FTP servers should be taken as seriously as web and mail servers. The last thing you want to do is find out someone has been using one of your client's accounts to store gigabytes of child pornography over the last 2 years...and be told about it by the client. And even if more secured file transfer options are utilized, such as SFTP or even SSH, most of these guidelines still apply.
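To make the account audit in step A concrete, here is an added example (my own illustration, not from the IT Audit article) that runs the three checks described above over FTP transfer logs: accounts with no activity in 4 years, a normally quiet account whose monthly volume suddenly spikes, and accounts writing outside their own slice of the server. It assumes the classic wu-ftpd/vsftpd xferlog format and that each account's slice is /<username>/; the log lines are constructed samples.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample xferlog lines (wu-ftpd/vsftpd format): date, transfer
# seconds, remote host, bytes, path, type, flag, direction (i = upload,
# o = download), access mode, username, service, auth, auth-uid, status.
SAMPLE_XFERLOG = """\
Mon Jan  8 09:12:41 2007 3 10.1.2.3 2048000 /vendor1/invoice.csv b _ i r vendor1 ftp 0 * c
Wed Jan 17 14:02:10 2007 1 10.1.2.3 512000 /vendor1/invoice2.csv b _ i r vendor1 ftp 0 * c
Thu Feb  1 08:30:00 2007 2 10.1.2.3 1024000 /vendor1/jan.zip b _ i r vendor1 ftp 0 * c
Fri Dec  1 11:00:00 2006 1 203.0.113.9 8192 /client7/note.txt b _ i r client7 ftp 0 * c
Wed Jan  3 11:00:00 2007 1 203.0.113.9 4096 /client7/note2.txt b _ i r client7 ftp 0 * c
Mon Feb  5 23:58:12 2007 900 203.0.113.9 734003200 /client7/disk1.iso b _ i r client7 ftp 0 * c
Mon Feb  5 23:59:50 2007 880 203.0.113.9 734003200 /client7/disk2.iso b _ i r client7 ftp 0 * c
Tue Mar  5 10:00:00 2002 1 10.9.9.9 4096 /shared/readme.txt b _ o r oldvendor ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18 or f[-1] not in ("c", "i"):
            continue
        ts = datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y")
        records.append({"ts": ts, "host": f[6], "bytes": int(f[7]),
                        "path": f[8], "direction": f[11], "user": f[13]})
    return records


def inactive_accounts(records, as_of=None, years=4):
    """Accounts whose last transfer is more than `years` before `as_of`
    (default: the newest timestamp in the log)."""
    last_seen = {}
    for r in records:
        if r["user"] not in last_seen or r["ts"] > last_seen[r["user"]]:
            last_seen[r["user"]] = r["ts"]
    if as_of is None:
        as_of = max(last_seen.values())
    cutoff = as_of.replace(year=as_of.year - years)
    return sorted((u, t) for u, t in last_seen.items() if t < cutoff)


def monthly_volume(records):
    """Bytes transferred per account per calendar month (YYYY-MM)."""
    vol = defaultdict(lambda: defaultdict(int))
    for r in records:
        vol[r["user"]][r["ts"].strftime("%Y-%m")] += r["bytes"]
    return vol


def volume_spikes(records, factor=10):
    """Accounts whose latest month exceeds `factor` times the mean of their
    earlier months: the 'quiet account suddenly very active' case."""
    spikes = []
    for user, months in monthly_volume(records).items():
        ordered = sorted(months)
        if len(ordered) < 2:
            continue  # no baseline to compare against
        baseline = statistics.mean(months[m] for m in ordered[:-1])
        latest = ordered[-1]
        if months[latest] > factor * baseline:
            spikes.append((user, latest, months[latest], baseline))
    return spikes


def paths_outside_home(records):
    """Transfers touching paths outside the account's own /<user>/ tree,
    i.e. accounts that overlap other accounts or shared space."""
    return sorted({(r["user"], r["path"]) for r in records
                   if not r["path"].startswith("/%s/" % r["user"])})


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    print("inactive 4+ years:", inactive_accounts(recs))
    print("volume spikes:", volume_spikes(recs))
    print("outside own slice:", paths_outside_home(recs))
```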
by LonerVamp 02.02.07 at 2:31 PM in /general -
If you're not watching the toolswatch feed from Security-Database, you're missing out on one of the better notification methods for new security tools. I love it!
The folks at nCircle have expanded their blog to more people and this has resulted in lots more posts lately. Good stuff!
It is with much sadness that I am removing a few cherished links from the side. The PacketSniffers were an awesome video cast team from Ohio that posted a series of excellent (albeit more electronics-heavy) video casts back in 2005. Sadly, they have not had any in some time. Seems they have maybe moved on from that endeavor. Also, shortly before LUHRQ was purchased, they started this excellent vidcast called " The Hookup." This was very promising, but never progressed past 4 episodes. I think there is still room in the security sphere for a short show like that, kinda like hak5 and others, only shorter and more focused.
Unfortunately, a work-related demand to cease blogging about technology has caused Securosis to become more personal and less technical. It's a shame, too, since the blog was excellent. For some reason, the latest post doesn't look reflected on the front page...so maybe it is still sorta there. Either way, if it is, I'll re-add it later. Tenable Security's blog, while really cool and interesting, is mostly useless to anyone that does not use their commercial product. If I used that product, this blog is a must-read whenever it is updated. Otherwise, I can just learn by reading and possibly gain insight into Nessus, but the useless content (to me) outweighs the good. I'm also removing Jesper Johansson mostly because, well, I don't read it. And lastly, while I read the updates and the podcast is ok, I really don't care to read Alan Shimel's blog daily anymore. This has been building, but mostly just because I'm not an analyst, I'm in the trenches. And reading what an analyst says really doesn't do me any good at all. Besides, I can follow along on other blogs and get the same effect, or pointed to his occasional excellent posts from elsewhere. I'll still listen to the podcast now and then, though.
by LonerVamp 02.02.07 at 3:35 PM in /general -
I really should have put this in my 2007 predictions, but I guess it might be a prediction that spans a few more years. But this year is going to mark a tough year for IT managers due to the ongoing cost of IT operations. Often, upper management thinks that a project will be planned, budgeted, completed, and then they all move on. Sadly, most IT projects require ongoing maintenance, monthly costs, and people to maintain them. Too many senior managers don't get that, and it is those same senior managers who won't ever "get" security either: you don't achieve it, clap yourself on the back, and stamp it Project Closed.
IT costs a shitload of money over the years, and management is starting to or will start to feel that slow attrition. Security costs a ton and is only going to get bigger as regulations keep edging forward. Windows Vista is out now which is going to put pressure on companies that pay licensing fees to upgrade and hardware upgrades to prepare for it. Not only that, but companies with licensing contracts with Microsoft will start to wonder why they spend that money in the first place. Is Vista worth the last 5 years of software assurance? What about SQL licensing? If a company had that assurance contract the last 3 years, you have absolutely nothing to show for it. You want a disaster site and other business continuity plans? You'll be shelling out monthly fees for that. Mobility is needed by the workforce? Good luck not spending money to secure those devices or provide for mobile needs. Also, mobile devices tend to cost more to get the same performance as a desktop machine, and their lifecycle is shorter.
IT is a huge impact on business these days. Not only can I not imagine business without IT (say, 20 years ago), but I can't imagine how we spend so much money on it today. It is no wonder MSSPs and other outsourced IT services providers are feeling the love as businesses get sick of the constant IT drain and start to let others handle it (for better or worse).
This is why I still prefer to focus on the basics in my career. Focus on doing what needs done on the lowest levels. Use the open source and free tools, know how to do things without the fancy and expensive appliances and servers. If you know the basics and low level foo, you'll be able to pick up on the luxury appliances and tools you're allowed to spend money on, just fine when you get them.
by LonerVamp 02.03.07 at 9:18 PM in /general - comments(1)
Backtrack 2 is maybe my favorite livecd, largely due to being security/pen-testing oriented. I have an older laptop which doesn't do so well with 128MB RAM when running a livecd. So, I've permanently installed BackTrack on this laptop (which I'm using for this update right now). Here are my steps (very abbreviated) on doing this. I largely followed this tutorial with minor adjustments.
I had to transplant the HD into another laptop that had enough RAM to properly load the livecd. After that, I booted up into BackTrack and logged in as root. Then:
fdisk /dev/hda (fdisk works on the whole disk, not on a partition like /dev/hda1)
d (since this is an existing drive, have to delete the first partition first)
1
n (now I want to make new partitions)
p (partition)
1
[enter]
+100M (100M boot partition)
n
p
2
[enter]
+512M (512MB swap)
n
p
3
[enter]
[enter] (will use the rest of the disk for this partition)
a
1
t
2
82 (the code for a Linux Swap)
p (one last print to make sure it all looks good, we can still back out to this point)
w (write!)
Then I went graphical with startx and followed the rest of the steps in the doc. After transplanting the drive back into my older laptop here, I was able to boot into BackTrack quite nicely (and fast compared to cd, even on this old hardware!). From here, I needed to get my wireless going. I started up K->Internet->KWifiManager which then got my Orinoco card going. I then opened a terminal:
iwconfig eth0 essid home key 7027...F9F5 (my wireless network and WEP key)
dhcpcd eth0
ifconfig (to verify I have a proper IP)
ping www.google.com
by LonerVamp 02.04.07 at 6:26 PM in /general -
I tend to cloak myself in layers of anonymity in my professional online life. Mailing lists are not an exception. In fact, I try my best to participate on mailing lists in a way that does not disclose the company I work for, for various reasons (whether I stick to my other name or move back to LonerVamp, I'm still debating). I see other people do the same, and sometimes they use some wacky (and creative) pseudonyms that hark back to hacker days of old when handles were used more often than real names. They also typically come from email accounts at Gmail, Hotmail, or Yahoo.
To anyone who uses such accounts, be aware that how you use them may determine just how anonymous you remain. Using the webmail interface for each account is pretty secure when it comes to what the mailing list can see. However, if you do your email on a mail client and then POP3/SMTP up to the service, you may be revealing your home IP address in the mail headers. I am not sure if Gmail reveals this information, but I do know Hotmail reveals this. I encourage people to test such functionality well in advance of blindly trusting your security and anonymity.
Or, if the mailing list supports it, submit your replies via a web form. I know SecurityFocus has web-based submissions to its mailing lists if you so prefer. I actually prefer that method.
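The "test it before you trust it" advice above can be scripted: send yourself a message the way you would send it to the list, then look at what the headers give away. This is an added example of mine, not from the original post; it pulls the X-Originating-IP header (which some webmail providers add) and the "from" address of the earliest Received hop, and drops RFC 1918 and loopback addresses that nobody could attribute to you anyway. Both messages are constructed samples; the hostnames and addresses are documentation ranges, not real mail systems.

```python
import email
import ipaddress
import re

# Constructed sample: mail submitted from a desktop client over SMTP to a
# webmail provider, which relayed it to a mailing list. The hop closest to
# the sender is the LAST Received header, and the provider also stamped
# the submitting address into X-Originating-IP.
CLIENT_SUBMITTED = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby list-member.example.net with ESMTP; Mon, 5 Feb 2007 09:40:01 -0600
Received: from webmail-out.example.com (webmail-out.example.com [198.51.100.7])
\tby lists.example.org with ESMTP; Mon, 5 Feb 2007 09:39:55 -0600
Received: from homepc (cpe-203-0-113-42.isp.example [203.0.113.42])
\tby webmail-out.example.com with ESMTPA; Mon, 5 Feb 2007 09:39:50 -0600
X-Originating-IP: [203.0.113.42]
From: handle@example.com
To: list@lists.example.org
Subject: re: anonymity

body
"""

# Constructed sample: same message composed in the webmail interface, so
# the earliest hop a list reader sees is the provider's own server.
WEBMAIL_SUBMITTED = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby list-member.example.net with ESMTP; Mon, 5 Feb 2007 09:40:01 -0600
Received: from webmail-out.example.com (webmail-out.example.com [198.51.100.7])
\tby lists.example.org with ESMTP; Mon, 5 Feb 2007 09:39:55 -0600
From: handle@example.com
To: list@lists.example.org
Subject: re: anonymity

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_routable(ip):
    """True unless the address is RFC 1918 private or loopback."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def exposed_sender_ips(raw_message):
    """Routable IPs a list reader can attribute to the sender: any
    X-Originating-IP value plus the 'from' side of the earliest Received hop."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all("X-Originating-IP", []):
        found.extend(IP_RE.findall(value))
    hops = msg.get_all("Received", [])
    if hops:
        # Each relay prepends its header, so the last one is the first hop;
        # keep only the 'from ...' part, before 'by <relay>'.
        from_part = re.split(r"\s+by\s+", hops[-1], maxsplit=1)[0]
        found.extend(IP_RE.findall(from_part))
    exposed = []
    for ip in found:
        if is_routable(ip) and ip not in exposed:
            exposed.append(ip)
    return exposed


if __name__ == "__main__":
    print("client over SMTP:", exposed_sender_ips(CLIENT_SUBMITTED))
    print("webmail interface:", exposed_sender_ips(WEBMAIL_SUBMITTED))
```

If the address printed for the client-submitted case is your home connection, the mail client path is leaking it; the webmail case only exposes the provider's relay.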
by LonerVamp 02.05.07 at 9:32 AM in /general - comments(1)
I'm just posting quick about a pet project of mine that is still just in the planning stages and likely won't be done until later this year at the earliest. I'd like to develop and complete a more robust home entertainment system than I currently have.
I watch movies. I listen to music (cd and mp3). But I do not watch TV, and thus also do not record shows. In fact, despite owning a plasma TV, I have not watched a television show or had it even set up with television in about 10 months. I do game, although I own none of the latest generation of consoles. I'm looking to buy into that hobby again soon. I don't typically download movies or rip them from existing media, but I am looking into doing that. There are many movies I'd love to have on hand, but wouldn't really ever pay for. Netflix is as far as I would go there, and I wouldn't mind ripping Netflix movies to digital media, or even copying them with a DVD burner (although I have little experience in that).
FurryGoat pointed me to the InFrant ReadyNAS device which I think is awesome. An alternative might be using FreeNAS, which could be a good project itself. This could act as a media repository, which is something I would certainly need.
I plan to purchase an X-Box 360, at a minimum, so I would stick to that for my DVD/media playing needs. I think I might need to get a Vista box for my Media Center, but I'm not terribly keen on that idea. I don't really have a powerful enough system right now to run Vista well, although I do have some basic parts for a good base (motherboard and CPU that are good workhorses, but bad for gaming).
Any ideas, feel free to post, but otherwise this is just a planning post for me. I think I would be best served looking into getting into DVD ripping and burning, grab a console machine, and also get a storage NAS set up.
by LonerVamp 02.05.07 at 10:07 AM in /general - comments(1)
A recent post by Ed at SecurityCurve.com pointed me over to the PCI and Data Security Compliance blog. Now, I can't speak intelligently about PCI these days, and a real auditor would run circles around me about compliance. I also don't have to deal directly with this yet in my job, but someday I will, no doubt. And while I don't have a ton of learning bandwidth right now to learn compliance, I at least can regularly peruse this blog and get used to the terminology and what is all kinda going on. So by the time I do get thrown into the PCI maelstrom, I can at least orient myself quickly. Kinda like webappsec blogs. I don't do any web app coding for my job right now, but I certainly want to be familiar with the topic.
by LonerVamp 02.05.07 at 2:17 PM in /general - comments(1)
I need to watch the episode that Scott Wright references for this post. Instant Messaging is a technology that is still in flux when it comes to corporate use, and I'm always curious on the views people have of it, and how companies use it.
My last company had very little interest in controlling the IT environment. As such, people used Yahoo, AIM, and MSN as they wished. Sales used it regularly, especially those people outside the offices at home or on the road. It really was very useful, even if I wasn't so happy about it. Eventually the company moved to get a centralized (kinda compliant) IM system. We set up a Jabber server, privatized registrations, and got most everyone on that product. Sadly, too often critical business issues were communicated via IM rather than accepted and more loggable avenues of communication such as a ticketing system, phone, or in person searching for someone to assist. Eventually our team went "invisible" on the system because of the abuse and poor "handing-off" of issues via unresponded-to IM messages (and people got pissed that we would always kindly ask for a trouble ticket so that the issue would properly get logged for metrics and reporting). Also, there was widespread fear that we were logging conversations, which drove people away from Jabber. (I never did understand what people were talking about that they were scared it might be logged...besides which we never did turn on logging since no one asked us to do so.) Unfortunately, no one ever supported removing the other IM programs, so eventually Jabber fell by the wayside and only our networking team used it extensively, albeit with a lot of invisibility (hell, our team was geographically split anyway). The user-base then "found" Skype and started installing and using it, despite network team objections. Management had little interest in curbing that, despite the compliancy holes. This is an example of the users pushing technology and process due to indifferent management.
My current company has banned IM use. Not only are many systems limited in user rights and installed software, but my IPS and possibly the web proxy will actively block known IM traffic. Needless to say, we don't use IM, but there is talk about evaluating its use, especially as we do a lot of travel business which regularly sees employees in some exotic locations.
What is the proper answer? I don't think there is a universal answer and it will depend on the company, the business needs, and compliance issues. I do think, however, that IM will eventually continue its push into business. Email is broken as a technology and will very, very slowly be replaced with more IM/SMS technologies. I also think that IM is such an integral tool in our culture and lives that business really cannot just completely preclude it forever. I'd rather properly implement it now rather than later, do it properly, and reap the business benefits. Many people will argue about lost productivity, but I don't think that will necessarily be the case, especially in a private IM system. Besides, if someone is going to screw around, they will screw around whether it is via IM or not.
by LonerVamp 02.05.07 at 2:23 PM in /general -
An article in InformationWeek has sparked some comments through the various security bloggers. I've decided to play devil's advocate for a moment when it comes to user training. Basically, I'm just making a point or two, so don't lambaste me too hard for being wrong or pessimistic. :)
the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don't really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don't care enough or maybe even find it cumbersome to change the time.
Similarly in security, not everyone wants to care about the technical ins and outs of security. They don't want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don't have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don't educate themselves about their computer, just like it is easy for them to wonder loudly why we don't get out more. :) Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can't make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I'm sure.
the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don't smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.
This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling...)
Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.
Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some, others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementors of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training should definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee (no offense intended) employees, the effect of their education is still arguable.
some rhetoricals
The mishandling of data is one of the biggest problems, especially when we're talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?
by LonerVamp 02.06.07 at 8:47 AM in /general -
Going on about 5 months using Ubuntu as my primary laptop and things are still relatively good; good enough to stick with it. I do have a companion laptop with Windows XP that I use to stay sharp on XP, try out new stuff, and do the few things that Linux won't do yet (particularly run my favorite P2P program, SoulSeek).
However, there are some growing concerns, particularly in how robust Linux can be as a desktop machine.
Ubuntu is sluggish. I've long noticed this, but only lately is it really grinding on me. Ubuntu with Gnome is not nearly as crisp to respond as my tried and true Windows machines. Nautilus is even slower and clunky and will sometimes hang when transferring 70+ files over an SMB connection on my network. Firefox 1.5.x (the kind Ubuntu 6.06 supports) is crashing or just having problems loading some content. Firefox on Ubuntu is far slower than Firefox on Windows, even on worse hardware, both on load and in serving content.
I'm going to stick with Linux because I really want to learn it, but I will say I don't think it is yet ready to displace other OSs on the typical desktop. It still can't do many things out of the box and it just is not as swift as Windows (assuming Windows is relatively free of spyware/adware). Linux has a long history of being appropriate for geeks, but Windows has a long history of meeting the needs of a vast majority of common users...and that's where the desktop market is.
I am going to see if I can get Kubuntu 6.10 up and running on another box and try it out before I think about replacing my Ubuntu 6.06 install. Perhaps KDE will be more to my liking and I'm totally willing to check it out.
by LonerVamp 02.06.07 at 9:46 AM in /general - comments(1)
"By 'strategic advance,' I mean making the most of favorable conditions and tilting the scales in our favor." - The Art of War, Chapter 1: On Assessments
Definitely useful to make the most of good situations when dealing with security. If you suddenly get a budget or have a chance to make an incident into a growing experience, do it. Likewise, be ready to make the most of bad conditions. Budgets or internal issues should not stop necessary security from being cobbled together.
"The supreme accomplishment is to blur the line between work and play." -Arnold Toynbee
Thankfully, when I am with a company I like, work and play are very blurred. Ahh, the geek lifestyle! This quote can be very easily twisted and might make some people very upset because they value separating work and play, but all of us are different, and it has been my mantra in 2006 and ongoing into this year to enjoy my work so much that it feels like play, since I play what I end up doing at work anyway for now. I just want to enjoy the way I spend 1/3 of my day (which you can extrapolate to being 1/3 of the rest of my working life). I want to thoroughly enjoy my job, company, and team, and I likely won't be settled until I find that balance.
by LonerVamp 02.06.07 at 3:35 PM in /general - comments(1)
I work in a Windows environment. I'll likely work with Windows in some form or other for my entire career, unless I get completely sucked into networking. And yet I don't know Windows scripting. Oh the travesty! Seriously, I like programming, but I've never freakin' properly learned Windows scripting. I think I will be taking a good hard look at the Microsoft Scripting Games 2007 to see how things work and maybe tackle a few of the easier challenges and get my feet wet. Really, I don't need to be some guru that uses scripting day in and day out. You can get by with things like maintenance scripting quite well with just occasionally challenging oneself to script a little bit.
And I like challenges like these Games. There are some ways to learn in this field of IT security, support, and networking. One way is troubleshooting fires that are burning. You can only learn so much theory from other people, books, and mentors. But you have to put it into practice to really get it in this area (hence my occasional disdain for analysts, IT journalists, and people who just repeat "best practices" ad nauseum). I particularly love challenges, puzzles, and friendly competitions that run the gamut of amazingly fun to very competitive to real-life-mirroring scenarios.
In fact, in the sidebar menu way towards the bottom I have links to various "hacking" and other challenges mixed into the "cons/training" section. I have been putting off moving the actual challenge type items down to the new challenges section. I love those things, and even if I'm late to the party or don't know the answers, reading the practical solutions offers some excellent insight.
Anyway, I'll see how my schedule looks and give the Microsoft Scripting Games a try.
Someday, I may actually post my answers to various challenges past and present on either this blog, or more likely on my wiki. I find that while reading is great theory, and hands-on is great experience, being able to regurgitate the steps and lessons on virtual paper for others to understand is the last step. When you can teach someone something, you reinforce your learning of it, even if the audience is non-existent and you're just recording it down in a place no one else will look, or describing it to a loved one who really doesn't care but is a willing sounding board.
Some *real* quick links from a Google search:
Windows PowerShell
Getting started (vbscript)
PowerShell blog and links
PowerShell FAQ
by LonerVamp 02.08.07 at 9:14 AM in /general - comments(2)
Two sites I like to peruse for new ideas on things to try: AskApache.com and Howtoforge.com. Here are some links from there and elsewhere just for my own note, maybe for this weekend. I cannot attest to the quality of this information yet.
on favicons
on robots.txt
sniffing undetected?
bypassing VLANs?
odysseus and telemachus
by LonerVamp 02.08.07 at 11:02 AM in /general - comments(1)
"Therefore, the business of waging war lies in carefully studying the designs of the enemy." -The Art of War, The Nine Kinds of Terrain
Carefully studying the enemy motivations and plans and mindset but also knowing their machinations, technology, techniques, and habits. Every now and then I hear about how evil it is to have "hacking" books that shouldn't be teaching all the techniques and steps. I don't buy that and think that we need knowledge and study not only of security, but of insecurity so that we can assess risk and protections properly.
Another aspect of this quote is carefully studying a war in progress so that you can move intelligently. If you have an attacker in your network doing something bad, carefully study them so you know what they want, what defenses they may have already dug in, and be best able to defeat them. Just like a chess game that has developed from the start game into one side moving into an offensive position. Play as many steps ahead as your time and brain allow.
by LonerVamp 02.09.07 at 1:34 PM in /general - comments(1)
Just a quick word of advice, both to anyone reading and myself as well. If you find yourself at a point in your career where you have some good experience/knowledge and some free time to spend, either in your job or just at home when geeking out, keep your eyes open for new things and grab onto them with both hands. Look for something new, learn it, and become one of the early gurus. Things like PCI knowledge, PowerShell, wireless technologies, FDE, Python, AJAX, VMWare, and many other things I have had the chance to see kinda appear and grow in my time in IT. And those people who latched on early and became gurus definitely end up being go-to guys, either in their own company, in the community, or possibly beyond. People who are suddenly the "first" to really offer good insight and knowledge get noticed for it.
Just a note to look for in the future as technologies, languages, and practices continue to move forward. This might not mean you can become a highly paid consultant or start your own business, but at least keeping the above in mind might really grow you professionally and get you noticed in the community.
by LonerVamp 02.09.07 at 4:35 PM in /general - comments(1)
"Thus in war, I have heard tell of a foolish haste, but I have yet to see a case of cleverly dragging on the hostilities. -The Art of War, Chapter 2: On Waging Battle
I take this to mean, do. Don't wait around and throw sticks at information security. Do things. Get to work. Perform some action.
They have begun! I started in on the Beginner challenges and finished the first two rather quickly. Just for my own benefit (ego) I'll post my own answers here after the deadlines. If nothing else, it will be just for me to document my own code and dive into PowerShell.
Since I did the two first beginner events, I thought I'd try out the Advanced ones. These are a lot more complicated for me as a beginner, but at least I know the logic and can think through things like how to get from problem A to solution B. Now I just have to look up each little step like getting input into an array, any nuances with variable types (if any) that PowerShell may have, proper syntax for ForEach loops and Switches, and basically working with arrays. I also need to see how it performs with null values or the ends of arrays. Thankfully, the PowerShell syntax so far seems very familiar and standard. I think I might be fine with a couple of the Advanced problems.
by LonerVamp 02.12.07 at 4:02 PM in /general -
So, the FBI is still losing laptops with sensitive information. What I really hate about this sensationalist news is things have been lost or stolen for decades upon decades. We have laptops and mobile devices and they will get lost. That's fact and that's going to be absolute. This is a classic example of a security incident that will happen. That means the real story here is about damage mitigation, disk encryption, and data management.
by LonerVamp 02.14.07 at 4:30 PM in /general -
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.
The games have begun. Event 1 in the Beginner's section basically wanted the creation of a message box (dialogue box, pop up box, et al) that changed a few attributes and did something based on the return behavior. My code looked like this:
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$answer = [System.Windows.Forms.MessageBox]::Show("Do you want to continue?", "Continue Processing", "YesNo", "Question")
if ($answer -eq "yes")
{echo "Yes - Processing will continue..."}
else
{echo "No - Processing stopped"}
Nothing really special there. The only bad part is that I wasn't able to bring the pop up box to the front, although some Googling turned up that this is a known issue that can be solved with vbscript.
Beginner Event 2 was a series of questions, each scored independently. In one column were ten classes, and in a second column were ten properties. The question is to match the classes with their properties. Not so bad. While I could eyeball this list and likely get an easy 8 of 10 correct, a couple would have required guesses. However, there is an easier way to do this:
get-wmiobject [class] | get-member
Replace [class] with the class name and look through the list for the matching terms.
Now, because of my success in the Beginner Events, I thought I would try my hand at the Advanced Events, which are definitely more up my alley as long as they stay in the "logic" arena as opposed to knowing my way around all the various obscure commands and methods and objects in PowerShell that I don't know yet.
Event A1 wanted to convert from Roman Numerals to regular numbers. This actually proved more interesting than I thought it would be, and my eventual program, while satisfying the requirements, would not hold up to invalid input, error checking, or additional roman numerals above M.
$r = Read-Host "Please enter a Roman numeral:"
$a1 = $r.ToCharArray()
$a2 = @()
$value = 0
$flip = 0
# first pass: map each letter to its value (switch matching is case-insensitive)
for ($i = 0; $i -lt $a1.length; $i++) {
    Switch ($a1[$i]) {
        "M" { $a2 += 1000 }
        "D" { $a2 += 500 }
        "C" { $a2 += 100 }
        "L" { $a2 += 50 }
        "X" { $a2 += 10 }
        "V" { $a2 += 5 }
        "I" { $a2 += 1 }
    }
}
# second pass: a value smaller than its right-hand neighbour is subtractive (IV, IX, XC...)
for ($i = 0; $i -lt $a2.length; $i++) {
    $v2 = $a2[$i]
    $v3 = $a2[$i + 1]
    if ($flip -eq 1) { $value += ($v2 - $a2[$i - 1]); $flip = 0 }
    elseif ($v2 -ge $v3) { $value += $v2 }
    else { $flip = 1 }
}
Write-Host $value
Event A2 was simpler, even though I had more trouble finding the information I needed (syntax, really). Find the number that, when multiplied by 3, gives the smallest answer consisting of nothing but 4s. The answer is 148. I could have written a script to find this by iterating through every number, multiplying it by 3 and checking whether the answer is all 4s, or even started with ten 4s and divided down to the lowest, but I eventually decided I wanted to just build a string of growing 4s and check each one to see if it was evenly divisible. Sadly, when I submitted my entry I made the mistake of echoing out "444" instead of the needed "148." D'oh! I was too excited about figuring this one out!
$a = @()
do {
$a += 4
$b = [String]::join("",$a)
$m = $b % 3
if ($m -eq 0){
$x = $b / 3
write-Host $x}
}
until ($m -eq 0)
Not too shabby there, I hope! So far, that is very encouraging and my goal has expanded to not just completing the Beginner section, but to complete at least half of the points from the Advanced.
by LonerVamp 02.15.07 at 12:10 PM in /general - comments(1)
Of course it is only a matter of time, but I have slowly seen a few comment spam posts on my blog here. This is an interesting way to see the growth of comment spam and make a few observations.
First, I've only seen comment spam on just a few of my posts, and typically over a week I'll get about 10 comments on just those posts, no others. Odd, especially since two of them even pre-date this URL and site (posts ported over from my older site). I would almost think I am just getting collateral damage from a link to my site from somewhere else, but no one links to those posts that I can see. I might have to analyze my logs a bit deeper just out of curiosity. They are also almost all in chunks and only yesterday did they start getting past the junk comment filters in MovableType.
1/09 - 1/21 spam came to html in email from 12/2006
1/22 spam came to malware analysis: free video codec from 11/2006
1/31 - 2/07 spam came to illustrated guide to cryptography from 6/2006
2/02 - today spam came to remoteregistry issues from 8/2004
2/13 - today spam came to turn off ssdp and upnp from 8/2004
Second, I thought about changing their spam comments to something like, "My IP is blah and I tried to post comment spam." But that itself is spammy and won't scale. Or post regularly about my spammers, but again that is spammy itself, and they are likely just "innocent" bots.
I think I'll just keep deleting them, but I am happy with MT's ability to score comments and hold them Unpublished if there is too much HTML in them. Also, there are limits to the length of certain fields which no legitimate poster should bump against, but spammers might. Still, some do get through. I also like that I can subscribe to an RSS comments feed which shows me published and unpublished comments readily, so I can catch these things.
by LonerVamp 02.15.07 at 12:59 PM in /general - comments(3)
Mike Rothman mentioned fuzzing today which prompted me to post a thought of my own. Fuzzing is not a security posture.
Fuzzing pretty much means throwing all sorts of "things" at an application, whether at input fields, network ports, and so on. This is something any dummy can run. But determining whether a fuzzing result is really a vulnerability is an order of magnitude more difficult. This isn't the same as looking at an open port reported by Nessus or a missing patch reported by MBSA. Not only that, but fuzzing is not as fast as even an nmap scan on a network; the setup and execution take longer.
Once you get the results, oftentimes you will need some memory management skills to determine if a bug will actually pop the stack properly, and then craft an exploit to prove the issue. Otherwise you might just have found some lame bug that closes the application (DoS), or less. If we raised the alarm on every issue fuzzing found, we wouldn't be having "Month of X Bugs," but rather multiple "Years of X Bugs." Check out the comments on some of those posts to see the contention some people make on whether a fuzzed result is truly exploitable or not.
Fuzzing is not terribly difficult. Interpreting the results takes an expert, unlike other scanning methods. Fuzzing won't be a part of most IT shops or even developer circles for a long time until they start learning what happens in the OS/memory and not just doing their interpreted coding to do task A and move item B. Even QA will be hard-pressed to be given training and time to perform real fuzzing in all but the most critical and rich organizations.
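The point above, that a pile of crashing inputs is not a list of vulnerabilities, is easier to see with a run in front of you. The following is an added example and not part of the original post: a tiny record parser and a mutation fuzzer in PowerShell (v2 or later, for try/catch) that bucket failures by exception type and normalised message. The record format, the parser, and the seed record are all constructed for the illustration.

```powershell
# Added example, not from the original post. A constructed record parser plus a
# minimal mutation fuzzer, to show why the raw failure count from a fuzz run is
# not the finding: thousands of failing inputs collapse into a few root causes
# that still need a human to classify.

function Parse-Record {
    # constructed format: [length byte][length payload bytes][checksum byte]
    param([byte[]]$Data)
    if ($Data.Length -lt 2) {
        throw (New-Object System.ArgumentException "truncated header")
    }
    $len = [int]$Data[0]
    if ($Data.Length -lt $len + 2) {
        # in a C parser this would be the read past the end of the buffer
        throw (New-Object System.IndexOutOfRangeException "length $len exceeds buffer")
    }
    $sum = 0
    for ($i = 1; $i -le $len; $i++) { $sum = ($sum + $Data[$i]) -band 0xFF }
    if ($sum -ne $Data[$len + 1]) {
        throw (New-Object System.FormatException "bad checksum")
    }
    return $len
}

function Get-Mutant {
    # one random mutation of the seed: overwrite a byte, truncate, or append a byte
    param([byte[]]$Seed, [System.Random]$Rng)
    $m = [byte[]]$Seed.Clone()
    switch ($Rng.Next(3)) {
        0 { $m[$Rng.Next($m.Length)] = [byte]$Rng.Next(256) }
        1 { $end = $Rng.Next($m.Length); $m = [byte[]]($m[0..$end]) }
        2 { $m = [byte[]]($m + [byte]$Rng.Next(256)) }
    }
    return ,$m
}

# constructed seed: a valid record with payload "ABC" and a correct checksum
$seed = [byte[]](3, 0x41, 0x42, 0x43, ((0x41 + 0x42 + 0x43) -band 0xFF))
$rng = New-Object System.Random 1        # fixed seed so the run is repeatable
$buckets = @{}
for ($n = 0; $n -lt 2000; $n++) {
    $case = Get-Mutant $seed $rng
    try { [void](Parse-Record $case) }
    catch {
        # bucket by exception type and message, with numbers normalised away
        $key = $_.Exception.GetType().Name + ': ' + ($_.Exception.Message -replace '\d+', 'N')
        $buckets[$key] = 1 + [int]$buckets[$key]
    }
}
$buckets.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize
```

Two thousand cases come back as at most three buckets. Only the IndexOutOfRange bucket corresponds to what a C implementation would turn into an over-read; the other two are rejected input, which is at worst a DoS. Deciding which bucket matters, and whether the over-read is reachable and controllable, is the expert step the post describes; the fuzzer only supplied the count.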
by LonerVamp 02.15.07 at 1:20 PM in /general -
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.
Beginner Event 3 was a pretty easy exercise in picking out what item in a series is not like the others. I'm sure this can be done in less code, but this made the quickest sense to me with the least effort.
function Find-OddOne([string[]]$triple) {
    # case-sensitive compare ($False = do not ignore case); whichever entry
    # differs from the other two is the odd one out
    if ([String]::Compare($triple[0], $triple[1], $False) -eq 0) { "third" }
    elseif ([String]::Compare($triple[1], $triple[2], $False) -eq 0) { "first" }
    else { "second" }
}
$a1 = "monday", "MONDAY", "monday"
$a2 = "TUESDAY", "tuesday", "tuesday"
$a3 = "WEDNESDAY", "wednesday", "wednesday"
$a4 = "thursday", "thursday", "THURSDAY"
$a5 = "friday", "FRIDAY", "friday"
$n = 1
foreach ($list in ($a1, $a2, $a3, $a4, $a5)) {
    "a$($n): $(Find-OddOne $list)"
    $n++
}
Beginner Event 4 just wanted a nicely formatted list of running services.
get-service | where-object {$_.status -eq "running"} | format-table -property DisplayName, Status -auto
Advanced Event 3 involved a program to make change in various denominations. Not too bad, and I was pretty happy with my initial formatting of the input.
$a = Read-Host "Enter your dollars"
# accept "$12.34", "12.34" or "12", and work in whole cents so there is no floating-point drift
$cents = [int]([decimal]($a -replace '[\$,]', '') * 100)
$a = 5000 - $cents                       # amount tendered is 5000 cents ($50), as in the original script
$change = "{0:N2}" -f ($a / 100)
$tens = [math]::truncate($a / 1000);     $a = $a - $tens * 1000
$fives = [math]::truncate($a / 500);     $a = $a - $fives * 500
$ones = [math]::truncate($a / 100);      $a = $a - $ones * 100
$quarters = [math]::truncate($a / 25);   $a = $a - $quarters * 25
$dimes = [math]::truncate($a / 10);      $a = $a - $dimes * 10
$nickels = [math]::truncate($a / 5);     $a = $a - $nickels * 5
$pennies = $a
Write-Host "Change returned: $change"
Write-Host "Tens: $tens"
Write-Host "Fives: $fives"
Write-Host "Ones: $ones"
Write-Host "Quarters: $quarters"
Write-Host "Dimes: $dimes"
Write-Host "Nickels: $nickels"
Write-Host "Pennies: $pennies"
Advanced Event 4 was also fairly easy and fun, in attempting to map out the various Chinese new year animals. I did it a slightly harder way than they gave in their answer.
$a = Read-Host "Enter your year"
$a = $a -1900
$b = $a / 12
$b = [math]::truncate($b)
$b = $b * 12
$a = $a - $b
switch($a)
{
"0"{$answer="Rat"}
"1"{$answer="Ox"}
"2"{$answer="Tiger"}
"3"{$answer="Rabbit"}
"4"{$answer="Dragon"}
"5"{$answer="Snake"}
"6"{$answer="Horse"}
"7"{$answer="Goat"}
"8"{$answer="Monkey"}
"9"{$answer="Rooster"}
"10"{$answer="Dog"}
"11"{$answer="Pig"}
}
Write-Host $answer
by LonerVamp 02.18.07 at 11:12 PM in /general -
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.
Beginner Event 5 can be done rather easily in vbscript. I needed to convert a string into a hexadecimal array and then back into a string. I was able to make the first conversion, but couldn't work out how to go backwards. I actually couldn't get from hex to ASCII code, but I could easily get the rest of the way back to a real string of readable characters. Oh well.
$r = "It was the best of times...you know the rest."
$a = $r.ToCharArray()
$h = @()
# string -> array of hex strings, one per character
for ($i = 0; $i -lt $a.length; $i++) {
    $x = [int][char]$a[$i]
    $h += "{0:X}" -f $x
}
$h
# hex string -> integer (base 16) -> character, then back into one string
$y = ""
for ($i = 0; $i -lt $h.length; $i++) {
    $y += [char][Convert]::ToInt32($h[$i], 16)
}
$y
Beginner Event 6 just wanted some key words to be filled into an incomplete script found at the link above. I think my answers were correct...and if not, the program did run as expected anyway.
1. -eq
2. }
3. foreach
4. continue (although this can just be left blank too)
5. While
6. Switch
Advanced Event 5 wanted an Access database opened, then some math computations made, namely the min, max, mode, median, and mean values. Now, this can be very easy in other languages, but for some reason either PowerShell does not have these helpers built in yet, or I wasn't able to find how to do it properly. Either way, here it is. If you really delve into my code, you can see that by the time I did the median, I was using better techniques than I had been using earlier. If I wanted to, I could rewrite the max and min sections much smaller now, I think.
$adOpenStatic = 3
$adLockOptimistic = 3
$objConnection = New-Object -comobject ADODB.Connection
$objRecordset = New-Object -comobject ADODB.Recordset
$objConnection.Open("Provider = Microsoft.Jet.OLEDB.4.0 ; Data Source = /scores.mdb")
$objRecordset.Open("Select * from Results", $objConnection, $adOpenStatic, $adLockOptimistic)
####### START MEAN #######
$objRecordset.MoveFirst()
$i = 0; $avg = 0
do {
    $avg += $objRecordset.Fields.Item("Score").Value
    $i++; $objRecordset.MoveNext()
} until ($objRecordset.EOF -eq $True)
$avg = [math]::truncate($avg / $i)
####### START MAX #######
$objRecordset.MoveFirst()
$max = 0
do {
    if ($objRecordset.Fields.Item("Score").Value -gt $max)
    { $max = $objRecordset.Fields.Item("Score").Value }
    $objRecordset.MoveNext()
} until ($objRecordset.EOF -eq $True)
####### START MIN #######
$objRecordset.MoveFirst()
$min = $max
do {
    if ($objRecordset.Fields.Item("Score").Value -lt $min)
    { $min = $objRecordset.Fields.Item("Score").Value }
    $objRecordset.MoveNext()
} until ($objRecordset.EOF -eq $True)
####### START MODE #######
# one counter per possible score from 0 to $max
[int[]]$modearray = @()
for ($n = 0; $n -le $max; $n++) { $modearray += 0 }
$objRecordset.MoveFirst()
do {
    $n = $objRecordset.Fields.Item("Score").Value
    $modearray[$n] = $modearray[$n] + 1
    $objRecordset.MoveNext()
} until ($objRecordset.EOF -eq $True)
$modemax = 0
for ($n = 0; $n -lt $modearray.length; $n++) {
    if ($modearray[$n] -gt $modemax) { $mode = $n; $modemax = $modearray[$n] }
}
####### START MEDIAN #######
$medianarray = @()
$objRecordset.MoveFirst()
do {
    $medianarray += $objRecordset.Fields.Item("Score").Value
    $objRecordset.MoveNext()
} until ($objRecordset.EOF -eq $True)
$medianarray = $medianarray | sort
# middle element for an odd count, average of the two middle elements for an even count
$mid = [math]::Floor($i / 2)
if ($i % 2 -eq 1) { $median = $medianarray[$mid] }
else { $median = ($medianarray[$mid - 1] + $medianarray[$mid]) / 2 }
####### START OUTPUT #######
Write-host "Mean: $avg"
Write-host "Mode: $mode"
Write-host "Median: $median"
Write-Host "Highest score: $max"
Write-Host "Lowest score: $min"
$objRecordset.Close()
$objConnection.Close()
Advanced Event 6 wanted a nicely formatted 75-column block of text. I really didn't know what to do here.
by LonerVamp 02.19.07 at 10:14 AM in /general - comments(1)
It seems that whenever Joel posts a significant new article on his site, I end up copying the link from here, almost like a little RSS/mirror service. I think it's because this guy just "gets it." I've yet to see bad advice from him and everything he says is majorly refreshing and awesome. I could gladly work in a company like that, even adjusting my career path for a company like the one he runs.
Anyway, I'm gushing, which is not something I usually do. Joel talks this time about remarkable Customer Service.
by LonerVamp 02.19.07 at 4:28 PM in /general -
I saw this fly past on the Security Focus security-basics mailing list from an anonymous poster. I simply wanted to capture the moment here and let it sink in.
I work for one of the biggest universities in the US and they barely care about security, so I think you may be in for an uphill battle. I've been trying for years without any luck, the same story comes back from management over and over, "we never had any security problems so why should we invest money to prevent them" and that's a direct quote from more than one person in management.
by LonerVamp 02.19.07 at 4:50 PM in /general - comments(1)
"One whose upper and lower ranks have the same desires will be victorious." The Art of War, Chapter 3: Planning the Attack
It is frustrating (both for techs and for management) when they cannot agree on their goals for security. Unless they can agree, they won't succeed.
by LonerVamp 02.20.07 at 10:48 AM in /general - comments(2)
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.
I've found my creativity stimulated quite a lot by these games. Also, since I've started doing these games, I think this group of 4 events were the easiest so far. The first few might have been easy, but they required more effort since those were my first looks at PowerShell at all. By the way, MoW is also posting his responses and I must say, his code is far more elegant and experienced than mine. It's awesome!
Beginner Event 7 involves taking a bit of code that throws an error, and manage that error. First, prevent the ugly error from displaying to the user, and then also handle the error later. This is a good Beginner topic and one of those things that often gets overlooked but is very necessary for good scripting and coding: error handling.
$error.clear()
$erroractionpreference = "SilentlyContinue"
######## START UNCHANGED CODE #########
$a = 5
$b = 6
$c = "seven"
$d = 8
$x = $a + $b
$x = $x + $c
$x = $x + $d
$x
######## END UNCHANGED CODE #########
if ($error.Count -gt 0)
{ Write-Host "An error has occurred." }
# This would display the errors, but not required
# for ($i=0;$i -lt $error.Count;$i++)
# { $error[$i] }
Beginner Event 8 is a "simple" game of jacks. This is another excellent Beginner event in that it focuses on something rather basic but necessary: nested loops. This is simply about thinking through the logic of the problem, and then setting up counters and loops to achieve the answer.
$jacksingame = 10
$jackspickedup = 0
$bouncestotal = 0
$i = 1
do {
    $jacks = 10
    # round $i: pick up $i jacks per bounce until none are left
    do { $bouncestotal++; $jacks -= $i } until ($jacks -le 0)
    $jackspickedup += 10
    $i++
} until ($i -gt $jacksingame)
Write-host "Total jacks: $jackspickedup"
Write-host "Total pick-ups: $bouncestotal"
Advanced Event 7 wants a text file read, encrypted, and then also optionally decrypted using arguments when starting the script. Since I am still smarting from the rather nasty Beginner challenge to convert text to hex and back to text again, I decided to yoink that code, drop the hex part, and use the decimal values. Then increment the values by one before converting back into ASCII. Instant, if weak, encryption! (I also thought about using a simple cipher substitution or ROT13 Switch, but decided this was easier.)
if ($args[0] -eq "e") {
    # ($input is a PowerShell automatic variable, so the text goes in $text instead)
    $text = [string]::join([environment]::newline, (get-content -path Alice2.txt))
    $e = ""
    for ($i = 0; $i -lt $text.length; $i++) {
        # shift every character code up by one: a Caesar-style shift, not real encryption
        $e += [char]([int]$text[$i] + 1)
    }
    $encodedfile = New-Item -type file "Encoded.txt" -Force
    Set-Content Encoded.txt $e
} elseif ($args[0] -eq "d") {
    if (Test-Path Encoded.txt) {
        $text2 = [string]::join([environment]::newline, (get-content -path Encoded.txt))
        $y = ""
        for ($i = 0; $i -lt $text2.length; $i++) {
            $y += [char]([int]$text2[$i] - 1)
        }
        $y
    } else { Write-Host "Encoded.txt not found. You probably need to use argument 'e' first to encode a file." }
} else { Write-Host "Please provide an argument 'e' (to encode) or 'd' (to decode) " }
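The +1 shift above is obfuscation rather than encryption, which the post already concedes: anyone holding the file can undo it, and it "decrypts" a modified file just as happily as an intact one. As an added example that is not part of the original post, here is the same encrypt-and-decrypt-a-text-file task done with .NET's AES and HMAC from PowerShell (Windows PowerShell 5.1 or PowerShell 7, not the 2007-era v1). The passphrase, the file names, the PBKDF2 iteration count and the container layout (salt, IV, ciphertext, tag) are assumptions made for this example.

```powershell
# Added example, not the original post's code: authenticated file encryption
# from PowerShell with AES-256-CBC plus HMAC-SHA256 (encrypt-then-MAC).
# Container layout (an assumption for this example): salt(16) | IV(16) | ciphertext | tag(32)

function Get-DerivedKeys {
    param([string]$Passphrase, [byte[]]$Salt)
    # PBKDF2 stretches the passphrase; separate keys for encryption and authentication
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList @($Passphrase, $Salt, 100000)
    $bytes = $kdf.GetBytes(64)
    return @{ Enc = [byte[]]($bytes[0..31]); Mac = [byte[]]($bytes[32..63]) }
}

function Protect-TextFile {
    param([string]$Path, [string]$OutPath, [string]$Passphrase)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 16
    $rng.GetBytes($salt)                   # fresh salt per file, so equal passphrases give different keys
    $keys = Get-DerivedKeys $Passphrase $salt
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
    $aes.Key = $keys.Enc
    $aes.GenerateIV()                      # fresh random IV for every file
    $plain = [System.IO.File]::ReadAllBytes($Path)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body = [byte[]]($salt + $aes.IV + $cipher)
    # the tag covers salt, IV and ciphertext, so none of them can be altered unnoticed
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$keys.Mac)
    $tag = $hmac.ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($body + $tag))
}

function Unprotect-TextFile {
    param([string]$Path, [string]$Passphrase)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    if ($blob.Length -lt 16 + 16 + 32) { throw "file too short to be a valid container" }
    $salt = [byte[]]($blob[0..15])
    $iv   = [byte[]]($blob[16..31])
    $body = [byte[]]($blob[0..($blob.Length - 33)])
    $tag  = [byte[]]($blob[($blob.Length - 32)..($blob.Length - 1)])
    $keys = Get-DerivedKeys $Passphrase $salt
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$keys.Mac)
    $expected = $hmac.ComputeHash($body)
    # verify the tag before touching the ciphertext; compare every byte rather than stopping early
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "authentication failed: wrong passphrase or tampered file" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc
    $aes.IV = $iv
    $cipher = [byte[]]($blob[32..($blob.Length - 33)])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# usage; file names and passphrase are placeholders
# Protect-TextFile -Path Alice2.txt -OutPath Alice2.enc -Passphrase 'correct horse battery staple'
# Unprotect-TextFile -Path Alice2.enc -Passphrase 'correct horse battery staple'
```

A wrong passphrase or a single flipped byte anywhere in the container fails the tag check before any decryption is attempted, which is the property the character shift cannot offer. Deriving the two keys from one passphrase with a per-file salt also means the script never has to store a key on disk next to the file it protects.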
Advanced Event 8 provided small pieces of code with the question: "Is this a valid piece of code?" Not too hard and kinda fun! I won't post my answers here, since there's nothing really novel in the answers.
by LonerVamp 02.21.07 at 10:12 AM in /general -
There are a few blogs that I read regularly that are not strictly tech/infosec type blogs. Creating Passionate Users is a bit of a cheat since Kathy Sierra has a technical background and does talk about some technical things. My reason for mentioning this is her post about whether tools are making us dumber.
We call people dumbed down by tools "script kiddies." They are the people who utilize other people's tools without knowing what is really going on underneath the hood. Tracert is composed of pings? Teardrops just make computers blue screen, right?
You can then push this up to the enterprise as well. I use an IPS/IDS "alert-based" system from a major vendor of security products. Sadly, the appliance takes out all the ability to trace sessions and capture/read packets and interpret one's own attacks. If the appliance is doing something weird, someone without that additional knowledge is really pretty lost and the appliance loses a lot of value.
by LonerVamp 02.22.07 at 10:40 AM in /general -
I see SecuriTeam has gotten a facelift recently, nice! (One of the downsides to running an RSS reader is you lose the visual connection with the site...) The post that drew me there was a post from Sid detailing his discovery that his home router was essentially backdoored.
The takeaways from this article include: change your admin password on the router; be at least a little bit knowledgeable about the router; scan your home connection remotely every now and then, even if that means nmapping yourself from a local hotspot. ISPs really should not do something like this. While it at first seems like a good idea, all it takes is one curious person to get that password and suddenly that opens up the digital worlds of every other user on the ISP. I know not everyone has the aptitude to do such tests, but there is little excuse for those of us who do.
by LonerVamp 02.23.07 at 8:47 AM in /general -
Holy crap! Also from SecuriTeam is an announcement that the OWASP Testing Guide has been released. This guide looks absolutely PACKED with webapp testing steps and details.
by LonerVamp 02.23.07 at 8:52 AM in /web -
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.
So, these are the final scripting games events! I'm actually enthused because I finished all four of these over 24 hours early and am very happy with the results.
Beginner event 9 wanted a list to be read and only certain values displayed from those lists. I ended up using the same code for each list. I assumed the first entry was a value I always wanted, and then any entry after a blank line was another one that I wanted.
function Get-ListNames([string]$file) {
    # keep the first line, then every line that directly follows a blank line
    $names = @()
    $take = $true
    foreach ($line in Get-Content $file) {
        if ($take) { $names += $line; $take = $false }
        if (-not $line) { $take = $true }
    }
    return $names
}
foreach ($file in "List.txt", "List2.txt") {
    Write-Host "---------------"
    Write-Host "${file} names:"
    Get-ListNames $file
}
Write-Host "---------------"
Beginner event 10 only wanted to have a bunch of terms unscrambled. This was rather easy and not even worth posting the scores here.
Advanced event 9 was an awesome little challenge. There were really two parts to this for me. First, figure out how to create a string and then force it to be valued like an expression. Eventually someone on IRC clued me into "invoke-expression" which was exactly what I was looking for. Second, figure out how to iterate through all 4 signs in all 4 places in the challenge equation. Basically, 4 nested loops. Here's the surprisingly short code:
$signs = "+", "-", "*", "/"
foreach ($a in $signs) {
  foreach ($b in $signs) {
    foreach ($c in $signs) {
      foreach ($d in $signs) {
        $equation = "12" + $a + "8" + $b + "4" + $c + "2" + $d + "9"
        # invoke-expression evaluates the string as PowerShell code; fine here because
        # every piece of it is a constant, never do this with user-supplied text
        $guess = invoke-expression $equation
        if ($guess -eq 23) { Write-Host "The answer is $equation"; exit }
      }
    }
  }
}
Advanced event 10 introduced something new for me: colors! Holy crap, I can change the display colors! Now THIS can get fun! I also had to learn how to create a random number generator and be able to pull items out of an array without duplicating any. I think there were a number of ways to do this, but this method was the one I chose to tackle. Thankfully, it all worked out!
[collections.arraylist]$a = 1..20
# draw all 20 values in random order without repeats: pick a random index, emit it, remove it
# (iterate over a counter rather than over $a itself, since $a shrinks as we go)
$rng = New-Object Random
$r = 1..20 | ForEach-Object { $k = $rng.Next(0, $a.Count); $a[$k]; $a.RemoveAt($k) }
for ($i = 0; $i -lt $r.Count; $i++) {
    if ($r[$i] -le 5) { $r[$i] = "BLUE" }
    elseif ($r[$i] -le 10) { $r[$i] = "GREEN" }
    elseif ($r[$i] -le 15) { $r[$i] = "RED" }
    elseif ($r[$i] -le 20) { $r[$i] = "YELLOW" }
    else { Write-Host "Error: round $i value $($r[$i])" }
}
$score = 0
$total = 0
for ($i = 0; $i -lt $r.Count; $i++) {
    $guess = Read-Host "Guess the next color (R, B, G, or Y)"
    Switch ($guess) {
        "R" { $guess = "RED" }
        "B" { $guess = "BLUE" }
        "Y" { $guess = "YELLOW" }
        "G" { $guess = "GREEN" }
    }
    Write-Host $r[$i] -fore $r[$i]
    if ($guess -eq $r[$i]) { Write-Host "yay!"; $score++ }
    else { Write-Host "boo!" }
    $total++
    Write-Host "You have gotten $score out of $total correct."
}
if ($score -ge 6) { Write-Host "YAY! You win teh prize! You have ESP!" -back "magenta" -fore "DarkBlue" }
else { Write-Host "boo! you lose! your guesses suck!" }
Scores to Advanced and Beginner divisions are posted.
by LonerVamp 02.23.07 at 10:06 AM in /general - comments(1)
Ok, I was confused with the original SecurityCatalyst post that VPNs were not security devices, but I saw this again from cdman over at Hype-Free along with the statement that NAT is also not a security measure.
Perhaps I am missing something, but is that correct? I may not consider NAT's first purpose to be a security purpose, but it certainly does help. Would I rather have (or feel more secure) using a NAT device or by direct one-to-one mapping to a publicly routable IP? Would I rather have people make remote connections over the Internet alone or with a VPN? These answers seem fairly obvious to me, and so do the reasons for those answers.
I understand that a VPN does not give absolute security. I also understand NAT only goes so far and its real purpose was to avoid the problem with the "limited" address space of ipv4.
The frustration is that these really do offer some security, whether by design or by coincidence. We try very hard to tell people and organizations to do secure things, but to say a VPN is not a security device? Talk about confusing everyone, including the techs.
by LonerVamp 02.23.07 at 1:05 PM in / - comments(3)
This post builds off my previous post on whether tools are making us dumber (a post referencing a recent Kathy Sierra post). Marcin threw me over a link to someone else who noticed that article.
Luke Kanies provides a few quotes in what at first seems like a nimble article but really is kinda confusing, like cut-backs while running in sand. Either way, I thought about these a lot:
Unfortunately, I’ve seen too many sysadmins fall in love with the tedium of knowing all the little bits of all the systems they manage and not worry so much about understanding the higher-level nature of their jobs.
I like this quote and I kind of agree. However, a case can be made that an exception to this "heightening view" approach (which, incidentally, is natural as one proceeds through business and technical experience) is the realm of security. Yes, we need to look at the high level and we need to worry less about every little thing, but it is those dozens of little things that a skilled or even just an opportunistic attacker can exploit. It is also those little bits that can give away subtle attacks or problems. We've seen time and again that the more automated we become in security, the more we can become susceptible to chinks in our armor that we're not seeing because we're viewing from too high up.
To those sysadmins who are afraid of automating themselves out of a job, you should ask yourself where your value is: Is it the tedious parts, or is it the understanding behind the job?
I picked this out because I just wanted to remind myself and anyone else that the purpose of IT and technology in business anyway is to automate. If we're not always trying to enable business, create business, or automate business, we're not really doing our tasks. Sometimes that is hard, but a high level view of IT is automation.
In the end, I like the article because I truly think a case can be made for keeping one's head in the trenches of IT and also for climbing up into the scaffolding to get a new perspective. There are a lot of different and equally correct opinions and viewpoints in IT and while some see that as weakness and lack of moving forward as a unit, I see it as a healthy (hopefully respectful) heterogeneity. (Yes, I sometimes make up words, but if you know what heterogeneous means, you get it.) :)
by LonerVamp 02.25.07 at 7:51 PM in /general -
I just finished (finally!) Counter Hack Reloaded by Ed Skoudis. I really love Skoudis' voice and the sometimes informal tone in the way he writes. It really works for a book that is meant to be read start to finish (as opposed to a hit-and-miss tools/attack-defense or reference book).
The book presents a number of new things to me, but the most memorable parts dealt with some of the more advanced techniques such as various covert channel attacks that I've really not heard much about. Of particular interest when I hit this part last autumn, Skoudis does maybe the best job I've read on describing buffer overflow details. I've read numerous other descriptions in the past and kinda knew what was going on, but for some reason Skoudis lit that little light bulb over my head on his description. Granted, I don't see myself becoming a memory-shifting expert any time soon, but at least I really understand the details now.
Overall, this is a must-read for any IT professional with any interest in security, and should be mandatory for all security persons. It is one of the best books I've read in my geek collection. Some of it might be elementary such as DNS digging and nmap scanning, but there are plenty of more advanced techniques that you just don't find in other similar books.
by LonerVamp 02.25.07 at 10:40 PM in /general - comments(1)
This was recently posted to a mailing list I am on in response to someone inquiring about how to proceed with security in an environment that is not really open to security. I thought this was an amazingly well-written summary of what too many other IT and security people go through. I'm sure I'll see plenty more of this in my career also, and it helps to recognize it early before spending futile years taking it personally when things don't work out (I take my work personally). Reprinted with permission:
I was hired for Network Security by individuals it now seems really did not understand the concept. When I initially arrived, the attitude was that I would "secure" whatever project or action was taken. It took a while to get them to understand that I needed to be a proactive, included member of things from inception.
Not only do I report to a Network Ops manager, this person - who on one hand admits they have no security background - sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or obstructing progress.
I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that the perception is that I alone should somehow be able to do everything, and I should be able to do everything by myself. The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan EVERY CPU by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU scan tickets.) And in the end, management was thoroughly displeased with how the whole incident was handled (took too long, users were upset, etc). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. ... An unwinnable situation.
The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to accommodate. Even if the wishes are counter-productive, redundant or will adversely affect the network.
IT does not seem to "talk" to the user community. It is almost like the goal is allow the users to do whatever they want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.
I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a reasonable timeframe to keep up with the ever growing needs of the environment. Things fall through the cracks, mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security conscious in the way they approach networking, still security overall takes a back seat. No one wants to tell the big bosses "no", that some of what they want is not feasible at the moment, or that some things will be delayed because we are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology without shoring up the holes that currently exist. -- Definitely, no one wants to say that mistakes were made in the past, and now we have to correct them in order to get better and move on.
Francois [ed: the original poster], I feel for you. I, too, know that not all environments have to be like what you and I have (are) going through. The choice for me is to leave. I hope that you will be able to make your management understand that security is not one person's job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network security is not a destination - it is a journey.
I hope the poster finds a much better position to apply their obvious talents.
by LonerVamp 02.26.07 at 2:11 PM in /general - comments(1)
So my time with the winter scripting games is pretty much over. I just have to ask why I scored 0 on one event (I think the email submission may have line-wrapped something weird) and give my thanks and positive feedback to the organizers.
Overall, I exceeded my goals. I wanted to give a best effort towards half the Advanced division and get most of the Beginner division correct. I ended up 95/100 in the Beginner division and 90/100 in the Advanced (assuming my one score gets corrected). And I am proud to say that the two I missed were definitely tricky for someone who first installed PowerShell only days before the start of competition.
I have documented my scripting games answers and some links in my wiki (must...use...wiki...more). Thankfully, it just so happens that we're looking to script more at work. Only one guy had previously had any experience scripting, so this makes great sense to include me as a second resource and backup. I plan to continue learning more about PowerShell and try to use it as much as possible. I just purchased Payette's book PowerShell in Action and plan to continue to learn stuff on irc.freenode.net's #powershell channel.
by LonerVamp 02.26.07 at 4:09 PM in /general -
I have this list of things that home users can do to be more secure. One thing I might try to fit in there is to suggest that home users figure out how to install their Operating System.
Now, this may not be about trying to teach someone the nuances of a reinstallation, especially that they should have their data backed up, accounts and software licensing information stored separately, and a list of everything they had installed or need kept available for a reinstall. However, I do believe that one problem people have with working on their computer is a simple lack of exposure to the reinstall process (or someone/someplace that can do it for them). A reinstall is not typically something people do since their computers come from Dell or Gateway which happily does the work pre-ship. But the Internet can become a safer place once people get used to the process of a reinstall or where to turn for help if they decide to do a full reinstall.
I might consider this a half-step since it might be one of the scariest things the average person will do with their computer. Trust me, people are more scared about a reinstall than they typically are about installing all sorts of random programs on their system. Sometimes they are completely worried about losing their years' worth of settings and small tweaks and the position of their desktop icons. However, regularly performing an install or just knowing that it is not all that bad an ordeal will help in being smarter about their computer use. If nothing else, befriend a local support guy, your local Geek Squad, or become familiar with the ability of your provided Tech Support.
I liken this to having a backup solution in place. But how do you know the backup solution is working or how much it is backing up or how to work a restore in the event of an emergency if you've never done a restore from it? An emergency is not the best time to do a restore for the first time.
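As an added illustration of that last point (this is example code, not something from the original post): a small restore drill in shell. It backs up a constructed sample directory with tar, writes a sha256 manifest beside the archive, restores into a clean directory and verifies every file against the manifest, then shows that the same check catches a restore that came back incomplete. It assumes only tar, gzip, sha256sum and mktemp are installed; every path lives under a scratch directory, so it touches no real data.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the restore path of a
# simple tar backup before you need it for real. All sample files below are
# constructed under a mktemp scratch directory.
set -eu

# Create a small constructed "home" directory to stand in for real data.
make_sample_data() {
    mkdir -p "$1/docs" "$1/.config"
    printf 'quarterly report\n' > "$1/docs/report.txt"
    printf 'theme=dark\n' > "$1/.config/settings.ini"
}

# Back up SRC into ARCHIVE (absolute path) and write a sha256 manifest next
# to it, so a later restore can be compared file by file, not just "it ran".
backup_dir() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" .
    (cd "$src" && find . -type f -exec sha256sum {} +) | sort > "$archive.sha256"
}

# Verify the files under DEST against MANIFEST. Returns 0 only if every
# listed file exists and hashes identically; a missing file fails the check.
verify_dir() {
    (cd "$1" && sha256sum -c "$2" >/dev/null 2>&1)
}

# Restore ARCHIVE into a fresh DEST and verify it. Prints OK or MISMATCH and
# returns 0 or 1 accordingly, so callers can act on the result.
restore_and_verify() {
    archive="$1"; dest="$2"
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$archive"
    if verify_dir "$dest" "$archive.sha256"; then
        echo OK
    else
        echo MISMATCH
        return 1
    fi
}

# Full drill: back up, restore, verify, then simulate a restore that lost a
# file and confirm the manifest check notices. Returns 0 if both outcomes
# are as expected.
run_drill() {
    work=$(mktemp -d)
    make_sample_data "$work/home"
    backup_dir "$work/home" "$work/home.tar.gz"

    good=$(restore_and_verify "$work/home.tar.gz" "$work/restore1")

    restore_and_verify "$work/home.tar.gz" "$work/restore2" >/dev/null
    rm "$work/restore2/docs/report.txt"          # constructed failure: one file missing
    if verify_dir "$work/restore2" "$work/home.tar.gz.sha256"; then bad=OK; else bad=MISMATCH; fi

    rm -rf "$work"
    [ "$good" = OK ] && [ "$bad" = MISMATCH ]
}

run_drill && echo "restore drill passed"
```

The point of the manifest is that a backup job exiting 0 tells you the archive was written, not that it can be read back; the drill only passes when a restore reproduces every file and when a deliberately damaged restore is flagged, which is exactly the knowledge you want before an emergency rather than during one.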
by LonerVamp 02.28.07 at 10:54 AM in /general - comments(1)
Whoever occupies the battleground first and awaits the enemy will be at ease; whoever occupies the battleground afterward and must race to the conflict will be fatigued. Thus one who excels at warfare compels men and is not compelled by other men. -The Art of War, Chapter 6: Emptiness and Fullness
I expect Andy to post this up as well, since I think it can definitely be one of those rallying (or frustration) cries we have in security...and we both have the same calendar sitting on our desks!
I wasn't sure about including that last line. The first two lines resonate throughout IT security from testing/planning your disaster recovery plans to being ready to detect and mitigate incidents to simply making sure logs are scanned for the first sign of an enemy. The last line still makes sense as we sometimes do need to dig our heels into the ground and make sure our management knows the score and the risks (properly) so they can be compelled by us to be prepared...otherwise they are compelling us into letting go of the preparedness.
Kurt's comment put that last line into a better light for me and totally makes sense. No wonder it felt a little "off" earlier! Thanks!
by LonerVamp 02.28.07 at 11:05 AM in /general - comments(3)