oh such lovely silica you have

Dave Aitel posted to DD a link to a review of SILICA. SILICA is awesome and one of those gadgets I really want to get my hands on. But at a price of $3600, it is definitely a major purchase for someone like me; just low enough to be doable, but higher than even a good laptop or gaming rig with a far fewer uses. Nonethless, if this device stays current and highly supported by Immunity for many ongoing years, I really am going to plan on picking this up in the next year or just after (my car gets paid off next summer which means some freed up monies…).

10 immutable laws of security administration

Snagged this from Sean’s blog. I swear I have seen this before or maybe even posted about it, but couldn’t find it. Either way, it’s a nice set of “laws” and in the same vein as the 10 immutable laws of security.

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea

general update on things going on

My projects and other things have been taking up way too much of my time lately.

My bracket in the NCAA tournament (mens) has been about as bipolar as any bracket I’ve ever done. Typically I do very well in these things, but like most, picking the winner is the make-or-break decision. Pick the winner, and you’ve no doubt gained points throughout, miss the winner, and you’re sunk. This year I had only 20 hours from selection show to entry submission, and the lack of research showed through, although I was saved by a very well-seeded bracket. I did horrendously in the first two rounds, but picked 7 of the 8 Elite Eight teams and, until UNC lost, I still had all Final Four teams.

My WoW time has suffered as well, although that might not be a bad thing! My main is still level 60 and my Draenei Shaman is level 36. Yeah, I’m slow and my time/effort has dropped considerably (thankfully). If I didn’t have real life buds in game, I’d have left it long ago.

At home last night I enjoyed just how easy Linux is becoming as I continue to just be immersed into it. Much like my idling in some IRC channels or mailing lists, just hearing things for a while means I gain some understanding; or being around something. I’m not planning on taking my CCNA for a bit, yet I am already just sitting in and contributing to some local buddies doing their studying and talking, and I pick things up. Hang out with baseball fanatics for a while, and you’ll find yourself learning about baseball until, before you know it, you’re considered someone “in the know.” My Ubuntu install and SSH server took all of 15 minutes once the actual OS installer finished. Talk about easy. Next I will be playing with Squid and Snort and setting up more ubiquitous remote access, if I can (from Windows and Linux boxes without using VNC…)

At work, I’ve been busy exercising my scripting muscles by automating our installation process for web applications and servers. I’ve done all of the easy work so far, although the hard stuff I have saved may turn out really easy if I ease up on my own requirements and utilize Windows-native exe apps rather than programmtically build my own (gacutil and regsvcs). Scripting is really exciting and amazingly powerful. With Exchange 2007 on the horizon for many orgs (whose management seems to be fully PowerShell-based), I like this head-start I’m getting. Someday soon I’ll dig a bit more into Perl and/or Python to round out my scripting exposure.

no sooner do I finish my windows server…

No sooner do I finish up on my Windows server…now I’m using an older 400Mhz box to start standing up an Ubuntu server to start using stuff there. While I like stability for the things I use daily, I really want to learn more, so rather than languish my stuff on Windows for a few years, I’m moving on already.

The first thing I want to move over are the things I use cygwin/Windows for, namely my SSH server. My SSH server gets quite a few hits, strangely Amsterdam is outpacing Asia in SSH auth attempts. If you let that page load, you can see all the attempted login names. Since I am running SSH on cygwin, I don’t even use “root” or “admin.” I’m surprised that “Administrator” is not used more, since that is what cygwin pulls in (it mirrors the Windows accounts). If someone can do that small battery of attempts, it is trivial to add “administrator” to that initial slam.

Anyway, yes, my next project is to start standing up and getting more familiar with running certain apps on Linux. SSH is not going to be an issue, and I’d like to leverage Linux to analyze my Apache log files and other neat things on my network. On a more advanced note, I want to throw sendmail or another nix mail server up as well. I like my current mail server, but the image spam is just not terribly fun and spam solutions on Windows are not as impressive to me as nix solutions. Besides, I want to be exposed to more. I spent years in my comfort zone and it’s paying off to try out new things. This box also now had a 200GB HD and has always had 2 NICs which plays right into my hands to get Snort on a nix box and familiarize myself with some more monitoring tools.

That’s how my spring is shaping up, and what has been stealing my time lately.

cybersecurity defense requires a good offense?

We’ve yet to see this come to a head, but I bet it will be soon. An article I read today contained a few tidbits about cyber warfare:

History teaches us that a purely defensive posture poses significant
risks, Cartwright told the committee. He [Marine Gen. James
Cartwright, commander of the Strategic Command] added that if we apply the
principle of warfare to the cyberdomain, as we do to sea, air and land,
we realize the defense of the nation is better served by capabilities
enabling us to take the fight to our adversaries, when necessary, to
deter actions detrimental to our interests.

Cartwright said U.S. adversaries in cyberspace include other countries,
terrorists and criminals who operate behind what he described as
technical, legal and international screens, and he said that if we are
to take the fight to our adversaries, we will need Congress help finding
solutions to penetrate these screens…

[Lt. Gen. Robert Elder Jr.,
commander of the 8th Air Force and JFCC-Global Strike and Integration] did not detail plans for going on the offensive. But when asked
about it, he said, “We will probably do some of that, by the way.”

We might be going on the offensive? Are we actually at war in a way that we can go on the offensive as if we were on the sea, air, or land? I really wonder if that will be seen as a hostile action or not, or if this is all still just contested territory. I don’t have much thought on this right now, but as the years move forward, this cyber conflict could pose ramifications on the openness and neutrality of our Internet.

powershell snippet to test server names

I’ve been doing some scripting at work and had a desire to test if a server exists before attempting to do some work against it (less errors, cleaner execution…). I hadn’t found anything that I wanted to use so I asked in the #powershell channel on irc.freenode.net. MoW, of course, knew the answer since he is the Google of PowerShell. Give him a question and he’ll throw out the answer.

shell> $ping = new-Object System.Net.NetworkInformation.Ping
shell> $ping.Send(‘localhost’).status
shell> $ping.Send(‘blah’).status
Exception calling “Send” with “1” argument(s): “An exception occurred during a Ping request.”

Update: Gaurhoth gives some information comparing Win32_PingStatus with the above method.

more pruning of links

It’s time again to prune some more links. I’ve been seriously contemplating moving a lot of my links on the right menu over to a page on my wiki. I’ve yet to do that so far, and I think I’ve talked myself into leaving them here. I just wish I had less links since they do get pretty long, however, I use a significant portion of them regularly; sort of my own little personal portal (hence why I would move the portal part to a wiki page). Of course, then my page might look a little bare…I guess I could fill the space with vertical Google ad bars! Hehe, no thanks.

Haxorthematrix seems to have gotten lost in the new year. Info-pull has disappeared as well with few updates. I know just barely over one month of no updates is really being picky, but I’m more picky with more personal blogs and especially those that have not been up more than a year. I’m very aware of the tendency of people to start strong on an endeavor, and then putter out after a few months.

SecurityBullshit is being removed, but only because Mark has merged it with his other blog, SecurityBuddha. I totally dig that name, and I think it interesting the sort of zen way of life that can be found in parts of the computer security industry, from techbuddha to securitybuddha to taosecurity…I wonder if zensecurity is taken? Considering I am highly sympathetic to the Buddhist (and related) way of life and philosophy, I really have this odd little affinity to such sites. Oh, and securityzen.net is not taken! I might have to think about grabbing something like that someday, for possible future branding. Until then, I’m really happy with Terminal23.

The O3 e-zine seems to have disappeared after 3 colorful issues through the first few quarters of last year. I really liked this zine’s focus on Open Source, but it really was just the same thing as (in)secure and uninformed (how’s that for a combo phrase?!) when you get down to it.

The list of top 10 security live cds from DarkNet is starting to look dated, especially as BackTrack2 is now out and really kinda dominates this field (minus general livecd and forensics offerings). Besides, I have moved this to my own live cd list on my wiki anyway. I don’t use VMyths, so why bother with the link, especially as I try to get this list down a bit (of course, for every one I remove, I seem to add another…). Church of the Swimming Elephant is a classic site that still has lots of useful stuff. Sadly, it continues to grow more and more dated. If you’ve not gone there, go there and browse the info and wares. Definitely harkens back to a more innocent time in hacking!

A reverse engineering site that I never really visited seems to have also disappeared. I also never visit the ProfessionalSecurityTesters site. Besides sounding a little off, the site itself just never sat well with me and I never really went back.

a wild, wild ride

Holy crap, there’s a ton of first year birthdays going on in my rss feeds reader from bloggers. Hell, even RSnake hasn’t been around a year! This is just crazy since I could have figured a lot of people had been around longer. It kinda puts some things in perspective, since I’ve been documenting my day to day “stuff” here or on my personal site since late 2001 when I installed my first news script (no blogs back then!) on my website which, itself, I had maintained since late 1996. It’s been a wild ride since then, and obviously I am not one to bang on the door for hits and visitors. 🙂

Grats to all those people with baby blogs that are starting to grow up and find their identity or realize that they had an identity long ago and can stand just fine as themselves!

my personal privacy stance on pseudonyms

Andrew Storms posted a really nice bit over at nCircle about our personal privacy stances online, namely some commentary about pseudonyms online.

Obviously I maintain a pseudonym online. In fact, I have two. “LonerVamp” is a carry-over from years long past and I keep it mostly because it is far more unique than “Michael” or even “Michael Dickey.” If ever someone from my past wants to look me up, by god, they can do so just fine. And sometimes they do.

Another reason I still like this name is simply the extra layer between my time online and my real person. I really have no difference in who I am based on my screenname anymore. I think I got over that back in 1997. But anyone looking to poke around at me from either the “Michael” or the “LonerVamp” direction will have to do at least some measure of work beyond the first 5 hits on Google to put two and two together, find the bridges, and then actually cross them. Not impossible, by far, but at least not trivial for any nobody to do. Someone really has to want to do it.

I do maintain another pseudonym on a few low-usage sites and mailing lists. For instance, my MySpace identity is linked to another Gmail account and I only use it to comment on journal entries of friends or view pictures. Basically, I can maintain this because it is low interaction. When something is low interaction, I don’t have to worry as much about my real self coming out in that identity.

Andrew is also mostly correct in saying if you want to “properly” enact change, you do need to step away from the veil of anonymity and put yourself out there. I agree with that, which is another reason I don’t mind the connection between my real name and screenname. I accept that connection and likely always will. But I will say some perfectly anonymous people enact change, especially in IT and security, just fine from their dark corners. And I would be willing to bet that a few people with names like Tim Conners are really obfuscated pseudonyms. Why use LordofDespairXX when you can look like everyone else as Jimmy Toulouse? However, like Curphey recently mentioned, why hide your feelings and your opinions and, basically, yourself?

By the way, if you call me LV, Loner, or LonerVamp at a con or meetup or even in IM someday, that is fine. I’m used to it and have always been called that at gaming LANs anyway. In fact, if I have a name-tag, that will be the prominent name although both will likely be present.

just a little more apple wireless drama

George Ou posted what I hope is the last commentary on the Apple wireless debacle from last year, which I still think was the biggest security news of 2006. What I like about Ou’s article is how unassuming it is (the digs on Apple aside). I watched the Maynor video last year when it broke and never once thought they were attacking Apple directly. Anyone who watched the video could have seen that.

The problem came from the “blogosphere.” Everyone wants to trump others and so when news breaks they attempt to make the most sensational deal about it; a case of news “reporters” trying to make news instead of just reporting it. Pretty quickly, one post claims an attack on Apple, and another one claims lying and scandal, and everyone starts posting willy-nilly third-, fourth-, and fifth-hand information without really knowing jack. Pretty soon, small responses of wrong-doing are muffled out by the masses clamoring and all up in passionate arms about a non-issue.

Ethics in blogging is going to continue to be an interesting topic. In addition, ethics in information usage will be interesting. Throughout history the victors have always written history and made the laws and beliefs. But what about things like Wikipedia? What if they get something wrong? But what if 98% of people believe it to be fact when it really is false? Can that wronged person ever prevail, or does majority (the victor) rule? Interesting questions in our new age…

career skills and scope – a small ramble

Michael posted a comment just a bit ago that got me thinking. I’m very open to this sort of stuff right now because it is a position I am in. I am sponging up everything I can learn still on a rather broad scale, and I am also not in a job that I see myself sticking another year in. I guess, like Bridget Jones with relationships, I’m looking for something extraordinary that adds to my life, as opposed to sucks away 8 hours or more a day. There’s plenty out there, so it is a waste to stay in something that doesn’t fit the bill.

So part of Michael’s post was:

I thought I’d be a shoe-in but alas, everyone was looking for the Exchange-SQL-Checkpoint-Oracle-Linux-Unix-and-all-the-Windows-versions guy. Sucks to be me I guess.

That’s too true. I really hate those adds and people who are expecting an IT guy to know 15 mainstream things and then an additional 5 rather small tools or technologies. And then to only have 2-4 years of experience and get paid a barely competitive level. What the hell?

It is important to realize one’s limitations and skills when looking for an IT job these days. Do I know all 20 tools? Or better yet, do I have the capability to learn the tools I don’t know at the moment? Is the company (manager) looking for someone who can grow into those roles, or already knows them at that level?

And that’s where I am today. I am keeping myself broad and rather open and knowledgable about a hell of a lot of things in IT and security, but have yet to really dive in and get to be an expert in any one (then again, I am likely harder on myself than others are on me, so others may consider me nearly expert whereas I think I have a ways to go…).

This way, when I find that job that truly adds to my life, I can adapt to it and see what opportunities are presented to me. For instance, if I happen to get a job that opens doors to web app security, I can quite happily dive into it feet first. Likewise with something like PCI/DSS.

By the way, yes, that means I may post my resume somewhere around here in the near future. If you want to see it or offer suggestions or see what I did as inspiration in your own, feel free to email or IM me and I’d be happy to give it out.

trackback spam attempts

Has anyone else out there noticed sudden activity against MovableType’s trackback (mt-tb.cgi) function? Yesterday afternoon and this afternoon my server suddenly stopped responding. Both times this was immediately preceded by a small flood of disparate sources attempting to post trackbacks (which I have disabled). My logs show nothing but onesy-twosy attempts over the past 6 months, months apart.

the amazing ability to post best ofs and top lists on the webs

I’ve been refraining from posting on this since I didn’t think it a big deal, but I’ve seen far too many other sites posting about the “59 Top Influencers in IT Security.”

Absolutely no offense to anyone on that list, but here are a few things wrong:

1) That list is not new, in fact, I found and used that list about 4-6 months ago when looking for more blogs to add to my RSS feeds. It was billed as just someone’s list of security blog links. It has only just now been rebranded as a “top of” list. Amazing what a simple title change can do for how distributed it can become. 🙂

2) Fyodor was mispelled back then as well, and I distinctly recall that.

3) If you read some of the small captions, you’ll wonder if the author even reads the blogs/people they are talking about. I expecially liked Bejtlich’s and Maynor’s entries.

4) Some people are left off that shouldn’t have been, and others were included that kinda make you go, “Hmmm.” Some of the most important names made the list but only as a “here’s the rest” mention.

Anyway, I really didn’t want to post that but it’s been on the top of my head the last couple days, especially since I keep reading entries about it on my favorite sites. No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.

beating up on small business security

I read a few bits in a row today about small business security which made me kinda sit back and decide I disagree. I read a piece from Andy, another from Rothman, and another that Rothman pointed to over at SmallBizResource. I’m sure I’ll read some more in the next few days as I attempt to get caught up on my reading in this rather busy week. For now, let me rant a bit and enjoy some foam being flung from my lips.

First, security is easier than a red-headed step-child to get mad at (that’s so un-PC, but that’s why I’m not a professional blogger…). You can poke holes at it until you turn blue and the sky turns into pudding. That’s the nature of the beast we attempt to control and tame every single day, and the grim reality is there will always be holes and improvements and places where we can say, “they don’t get it” or “they’re not taking care of security.” By the way, eventually business is going to tire from this fact that we can always criticize and give security exceptions; eventually this will bite us in the ass as business “settles” for checklist security and nothing more. (But I guess we at least get that far, eh?)

Second, securing a Fortune 50 is a hell of a lot different than securing a 500-person company which is also different from securing a 50-person company. In fact, I really think securing those smaller companies would actually be easier given a knowledgeable geek. Just like in warfare, they are nimble, quick, have a low profile, and tend to be pretty unpredictable and all without the slow-moving girth of a politically-motivated blimp. In other words, I don’t think size correlates with security on any other level than coincidental. I don’t think there’s causation here. (More on this later.)

I still keep my list of the top 5 things I would suggest all small businesses do, not to become compliant with PCI or some other checklist, but to rather make big strides towards security. These 5 things can make a huge move towards being more secure, especially for a small business. They’re not really that hard, and I think we overestimate the number of companies who don’t do them (and yes, that’s coming from me, the skeptic who thinks all companies are basically fucked and full of holes, if not from an outside perspective, then from an insider).

Third, I really don’t think the article on SmallBizResource paints with the right colors. The article attempts to paint that SMBs are doing poor security by holding up that many of them are “currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard.” So? This is a problem with checklist security. So what if they are storing data? How are they storing that data? So what if their front door is unlocked when they have a mantrap, cameras, and internal doors protecting other areas of the company? The act of storing data adds to risk and may be against a compliance regulation, but that is not necessarily insecurity at work. Likewise, not following a security guideline and instead working by common sense can be just fine…unless you want to assume that no one has good common sense. I know I don’t follow some blueprint for my own home security and instead follow some common sense, but that itself doesn’t mean I’m insecure. And what if they don’t store that data but also don’t have a properly configured firewall and anti-virus software? Yes, at least they’re not going to hemorrhage millions of credentials, but they are certainly not secure.

Fourth, I said I would get back to my comment on how size does not necessarily correlate to security. I truly think security is a function of the quality and intelligence of our security and IT professionals. We need more quality people securing things and running IT and managing the data. Andy brushed up against this in his post. I don’t think SMBs don’t get it because they’re SMBs or have less employees or less resources, per se. I think they don’t get it because their IT staffers don’t get it and haven’t had a chance to get it. There’s still an awful, awful number of IT techs who are still learning just how to DO things, let alone do them in a secure fashion.