March 2007 Archives
I had planned out a couple posts. One was going to explain in no unclear terms that user training is broken and won't help. The follow-up was going to be the opposite in how technology will not ever protect us without end-user training.
I decided to put that on hold and maybe not even post it, but I did want to blab about something else I see in the IT and security communities. I see a lot of very polar opinions on how things should be. You have user training versus technological controls. ROI vs insurance. Business skills vs technical skills. Full-disclosure vs alternatives in either direction. Black hat vs white hat. Perimeter is dead vs perimeter is important.
The bottom line? All of these approaches are correct and all should be practiced to some extent. Just like all those diet fads, stick solely to one for a long period of time and you'll have new problems. But if you took the basic concepts from many, you can end up with a very effective approach.
There is a place for each extreme, but they are all necessary and need to be balanced. There are also people who, for instance, can be mired completely in the technical realms and leave the businesspeak to their bosses and not only be successful personally, but help drive their company to success. The balance doesn't have to be in each individual, but a department can achieve balance with imbalanced parts. Then again, even imbalance will work depending on the corporate culture, needs, and outside influences.
by michael 03.01.07 at 3:12 PM in /general - comments(2)
CNN was kind enough to post an amazingly oddly placed article about the latest RINBOT/DELBOT/SDBOT variant
This is awesome because now what is otherwise a non-event is becoming something mgmt and normal users are asking me (us) about. Yay! So here's some information to help point you in the right direction in case you get questioned.
As far as I know, only Symantec has this malware variant on their radar. Everyone else seems to be considering this one a minor blip on the radar.
In short, this malware strain is simply an infector for your run-of-the-mill botnet and is not a new threat. Variants of this bot have been around over a year, and this is the 9th (I believe) variant. The vulnerabilities this malware attacks have had available patches for months or longer.
RINBOT - Symantec/Trend name
DELBOT - Sophos name
SDBOT - McAfee name
This new variant spreads in three major fashions:
- Windows Server Service vulnerability (patched in August 2006)
- Symantec AV Client Vulnerability patched late last year
- IPC$ shares with common or no security
- some variants use email attachments
This is not a really new threat. You don't have much to worry about if you do not use Symantec applications and you have patched your servers. Obviously, you also want inbound ports stopped on your perimeter. I won't spam more links. The ones above should be sufficient.
by LonerVamp 03.02.07 at 10:54 AM in /general - comments(1)
I stayed on the down-low all weekend and didn't do much to feed the geek; instead sticking to things around and outside my apartment. However, I did upgrade Movable Type from 3.33 to 3.34. I didn't think this would be a huge improvement, but anything to do with the cgi part of the site loads very significantly faster now. Yay!
I also loaded Akismet (which has nothing to do with wireless tech), based on suggestions, and have started playing with the configuration of it and MT's built-in spam filtering. I can definitely see the improvement as I have to delete fewer and fewer comments every day. And I am pretty adamant about leaving my blog's comments open to anyone.
Eventually I need to make sure my outbound firewall (host-based on the server) is allowed outbound connections so I get proper blacklists and updates, but I decided to wait. My background in sciences in college always tugs at me in the computer world: set the stage and then change things only one at a time to see the effect on the system.
by LonerVamp 03.05.07 at 9:02 AM in /terminal23 - comments(2)
I really appreciate "how-to" sorts of posts as they can give people like myself actual insight in how to do things as opposed to the multitude of posts that teach me how to talk like I know how to do things (without actually doing things). Ack!
So this post at SANS is a welcome piece of information about de-obfuscating Javascript. It includes links to other techniques, analyzes how some current techniques are being defeated, and also includes a nice tool at the bottom.
If I were actually more into web application security, I'd totally be eating this up. But that's not really a place I can focus much time right now. Maybe some other year. Until then, I love the hands-on posts. By the way, if you are interested in webappsec and have a chance to move into that sphere, it's quite the lucrative market right now.
by LonerVamp 03.05.07 at 9:33 AM in /web -
There is a question that seems to be boiling around, both now and in the past year or so. Where is security headed? Is security moving to the network/switches? Is security moving to the application and away from the OS? Is it moving to protect data at rest and in transit? End-point security? Or just to meet compliance?
These are pretty big questions because it can shape the direction of a company for the next 5 years. I wish I had more answers beyond, "If you take any one approach, you may leave yourself weak in the others. If the whole industry does this, we'll just have a wavering trend where for 10 years the network solidifies and gives way to applications and then 10 years where applications get hardened and network progress breaks down." You can even push that out to technology vs training.
Just some interesting, largely rhetorical questions I keep in mind lately and would love to see discussed at length in the community.
by LonerVamp 03.06.07 at 9:19 AM in /general -
The news of this tool is making the rounds, so I thought I'd post quick. Errata Security has partially released a tool called Ferret which purports to show what all is being leaked through your wireless connection every time you use it.
How do you run it? Download the file and pull out the pre-compiled ferret.exe. Run it from a command line without options and it will tell you your network interfaces. Pick your interface and run 'ferret.exe -i#' to use that interface. Incidentally, you can use a wired or wireless connection if you'd like. (You might need winpcap, but I don't know since I always have it installed anyway.)
The bottom line is this current tool is not as revolutionary as some news and mailing lists are stating. It is really just a sniffer that is only looking for specific data including broadcasts and some application data; things that anyone running any sniffer would be looking for (such as cleartext IMs, passwords, usernames, sites you visit...). Since this is meant for wireless networks, this stuff is typically "broadcast" anyway, due to the medium.
The real beauty will be in the next part of Ferret that they release, the visual/correlating tool.
Check it out, but if you're used to looking at packet captures, don't expect to be wowed right now.
by LonerVamp 03.06.07 at 10:40 AM in /general -
If leaders can be humane and just, sharing both the gains and the troubles of the people, then the troops will be loyal and naturally identify with the interests of the leadership. -The Art of War, Chapter 1: On Assessment.
There are many ways to look at this quote. In regards to IT security, this immediately made me think about one of the biggest frustrations that senior management can give us: being above the policies. It is highly frustrating when people in leadership positions try to be above the security measures put in place due to their station or ego.
Likewise, as IT professionals we sometimes do have certain liberties and access above and beyond some policies, especially in testing or lab environments or on assessment systems, but by and large we also need to try our darnedest to not be exceptions.
by LonerVamp 03.06.07 at 10:55 AM in /general - comments(4)
I'm in a bitchy mood today and want to rant on something. This article from ComputerWorld about "How dangerous is Skype" came in at the wrong time.
First, let me just say that I am mixed in my feelings about IM and Skype in a corporate environment. I think this is a trend that, in the long run, will be a losing battle for corporate IT and security. IM is just part of our culture and life, and embracing technology for the betterment of people and the company does have weight. That's not to say I want Skype in corp nets, but I can sit on either side of the fence comfortably. Encrypted network traffic is also part of our future, and we need to start dealing with it now instead of whining about it.
Here is my take on some of the "Skype FUD" or myths that Michael Gough tackles in his article.
Myth No. 1: Skype uses a lot of bandwidth on my network. Great, I'm glad that Michael Gough tells me that a voice call takes 30kbit/sec on my network. That'd be great if I allowed only one call at a time. Scale that out with your users and get back to me.
Myth No. 2: Any computer can be a Supernode. This is one of those beefs with Skype that has been around a long time, and I hated it because it's not an issue in almost every corporate network. Michael is correct, you can't be a supernode if you're behind a NAT. But, that does mean, as Michael mentioned earlier, that your communications will be weirdly routed through someone else. Annoying, but really a non-issue in any NAT situation. (This may become a huge problem in IPv6, or it may become a big problem for Skype itself if fewer and fewer supernodes are available as people hide behind NAT or slow connections.) So, I agree with Michael: this is a myth.
Myth No. 3: Skype is susceptible to IM worms and viruses. Myth? What the crap? Is this the Apple defense about "well other IM apps have had lots and Skype none so that means security?" Yes, in part it is although he oddly mixes actual client vulnerabilities with malware sent via other IMs via file transfer. That inflates his "other IMs" numbers and keeps Skype's really low. *sigh*
He also mentions that file transfer can be turned off (which it can be on other IM apps too) and files can be scanned by anti-virus (other IM apps as well). So, I'm not sure what he's trying to say here, but I can illustrate that Skype is no different from other IM apps that have been hit with his 1,000+ issues.
I also challenge that "the main vulnerability of IM applications is their file transfer feature." I conjecture that links to malicious sites sent via IM are more dangerous. This "myth" from Michael is completely wrong, and Skype is absolutely no different from any other IM program.
Myth No. 4: Skype is hard to stop on my network. This really is a half-myth but I slightly dislike how Michael Gough tackles it. From the start, Skype was not hard to defeat: just block it from being able to authenticate and logon the user. Easy. I'm surprised he never mentions this; maybe this has changed. I also dislike that he attempts to defend the network by controlling the OS inventory and OS outbound connections. I don't think this is the best approach, and Skype should be able to be blocked on the network by the network alone. I will admit, however, that stopping a P2P app on a network presents problems, so in a way, Michael's approach is still solid advice. The real issue, though, is Skype should not have to be that hard to block on the layers it uses.
Myth No. 5: Skype is encrypted, so I can't archive IM messages. This is a two-headed dragon and I'm surprised Michael Gough attempted to tackle this in either direction as a myth. Instead, he fumbles the ball:
This one's not really a myth. Skype sessions are encrypted, so yes, you can't capture or archive Skype communications. The same is true of many IM applications, though, so it's not less secure than other IM programs that can use encryption.
Bah! Yes, Skype is encrypted so you can't archive it off the wire, but I'm not sure what settings and apps he uses to say that other IM programs are the same. I can sit down and monitor and grab IMs off the wire on every other popular IM program with default settings. Skype has this feature enabled by default whereas other IMs do not. In fact, I can turn off this setting on every IM program, but with Skype I absolutely cannot. Also, for an article that itself says it is geared to corporate networks as well as individuals, he ignores any issues with HIPAA or compliance that requires logging/archiving/monitoring of data egress via IM. For home users, this is an awesome feature to protect privacy. But this is maybe the biggest hurdle Skype has been facing when it comes to corporate use.
Just to add one more item. Until Skype settings can be controlled centrally, that is another hole in the argument for Skype in the corporate network. Let me centrally control and force settings, file transfer allowances, and yes, adjust encryption such that I can monitor data egress (note that I don't necessarily want it cleartext). There are other considerations, but that's all I'll throw out for now. :)
by LonerVamp 03.08.07 at 10:10 AM in /general - comments(1)
Just posting a quick pair of links in case anyone is interested in reading about creating an exploit/buffer overflow. Trirat Puttaraksa discusses a Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow. Part 1 is a DoS condition and part 2 goes into actual code execution. Very interesting, although beyond my abilities for now. Browse the rest of his blog for even more dissections.
by LonerVamp 03.09.07 at 9:34 AM in /general - comments(1)
Dave Aitel posted this to his mailing list today:
Next week is Shmoocon - and I'll be there with whatever the latest build of SILICA is in my pocket. Feel free to pull me aside for a quick demo.
Man, Silica is about as expensive as a high-class hooker, and it looks as good too! It's sexy as all hell, and if I ever came up on a few grand to drop on a toy, I'd seriously think about this one (assuming I could get properly vetted). If any of you are at Shmoocon and see him (or maybe his wife too?) around, totally ask to see Silica in action.
by LonerVamp 03.12.07 at 11:15 AM in /general - comments(1)
It might be the hardest battle you will face as a security professional. It might cause the most grief, frustration, and exasperation. No, it's not trying to make sure all your Windows servers perform smoothly. It's not trying to fend off the dozen vendor calls that come in every day. It's not even an entire weekend wasted because of some unknown glitch caused by someone else that brings down critical systems. And it's not quite the often futile attempts to deter the insider attacks.
Quite possibly the hardest battle we will face is the battle to change the culture of a business from one that trusts everyone, particularly those "in the family," to one that practices diligent security. Ever try to tell your Help Desk personnel that they should not ask for user passwords when doing some work over the user's lunch hour so as not to disrupt their normal work day? Those same desktop people who typically are evaluated based on their customer service to those users? I've been in those shoes and I fully empathize. As a support person, you want to be able to bend over backwards if an important user needs you to; not to give a look of regret and explain that "security process" is tying their hands a bit and inconveniencing everyone.
Have you ever seen the look on senior management's and human resources' faces when you tell them they need to operate in a way where they don't necessarily trust their own people? There's not much more they brush off quite so quickly and easily than claims that their own people may be a threat, even an accidental one.
This battle can be easy in some compan...no. It can be easy in some organizational cultures. The military has ingrained security process very deeply. Larger corps are also a bit more successful in steering culture, especially those that might have real reason to hide things (think Boeing, Lockheed, or Microsoft, e.g.).
But the rest of us...yeah, the rest of us someday have to face those cultural battles where we should not be handing over passwords or being accommodating to persons whose username we may have seen but have never yet met when they ask for something beyond their typical level of access. Is this a new direction for the company that her department is shifting a bit and we have to compensate, or is this an attempt to get access to something she shouldn't have? If we ask the manager to verify and/or authorize, will they just take the path of least resistance and kneejerk a "yeah sure, I approve" response? What kind of look do you get when you explain that perhaps their manager and then the data owner both need to approve access? Is it acceptance or a flash of genuine annoyance that you know will be spread around to anyone willing to hear?
And these are not things that are easily overcome with training and user education. It is one thing to educate a user about something they didn't know previously and are open and receptive to the information. But it is another side of training altogether to tackle culture and paradigm shifts. This typically takes a lot of time and a lot of repeated training towards this aim (or just force it with technology and a big clue banana).
I admit, some places in this country might be easier to adjust attitude than Des Moines, Iowa where I live and work. We're still a very open community and trust and customer service are pretty natural. Even "trust but verify" is a difficult adjustment. When does the line get crossed between being a helpful steward to a company versus practicing a dangerous habit?
Just like a courteous security guard who tends to recognize faces regularly, all it takes is one person out of 10,000 who walk by in a year to bury the company or disclose information that emboldens a competitor, jeopardizes a nation, and affects the livelihoods of your fellow workers. Just one person that is allowed to pass because he looks familiar (he was fired last week against his will), is dressed like a VIP, and looks like he'll pin your manager's ass to the wall if you inconvenience him, can be The One.
While my team has yet to convey a culture shift in the people that matter when it comes to security and customer service, at least we are still trying. We continue to implement technology to not only help cover the company's ass in case our paranoia becomes reality, but we also try to maintain a foundation that if the direction of mgmt changes, we can quickly adjust and add on security as our openings allow.
(This post was partially inspired by Scott Wright's recent post about the insider threat.)
by LonerVamp 03.13.07 at 2:12 PM in /general - comments(1)
In case you missed this, the REcon 2006 presentation videos are available.
REcon is a Reverse Engineering Conference in Montreal. If you're in that area and consider yourself part of the "in" crowd (or want to be) with reversing, you might want to check this out. Since I'm not exactly a reverser, I can't attest to their quality. Perhaps the presentations might not be worth it, but the socializing and drinks with other geeks might be worth it.
I've watched the presentation by David "h1kari" Hulton on Breaking Wireless... Faster where he talks about FPGA and speeding up the cracking process (dramatically!). Of course, the chips themselves are dramatically costly, hehe. The demos don't go over quite as smoothly as they could, but still a solid personality and presentation on wireless attacking by the author of coWPAtty.
by LonerVamp 03.13.07 at 3:37 PM in /general -
For once I am posting a question since it is something I have yet to be able to answer properly, but the bug keeps itching at me to answer it.
How do you physically locate a wireless user? Pretend you have a wireless network and someone has been getting in. Other than getting lucky and walking around, how do you locate someone efficiently?
Now, I know expensive and expansive solutions exist for larger campus-type wireless implementations to locate users using information on their signal strength and triangulation between overlapping wireless coverage. But what about for your average techie joe who wants to do this? Is there any software and non-expensive hardware that can help?
I also know that I could attempt attacks against a laptop and see if I can turn on an annoying WAV file and increase the sound...but that's a bit too intrusive and variable.
I'll likely troll a few forums and IRC chans looking for this information over the course of the next few months as I'd really like to answer it.
by LonerVamp 03.14.07 at 10:24 AM in /general - comments(5)
I liked this post by Curphey in relation to the SourceFire IPO. In fact, I like it because of how it portrays IDS/IPS and the typical installation.
[1:20:17 AM] XXXX-XXXX says: I’ve never been at a company where i’ve heard them say they were happy with their sourcefire deployment or for that matter… convinced me they were glad they made the purchase
[1:21:58 AM] XXXX-XXXX says: The security departments gets this new toy, they quickly figure out they don't have the time to babysit it (or configure it properly) then they outsource the monitoring
[1:23:02 AM] XXXX-XXXX says: once the monitoring company gets it.. they detune it as much as possible.
[1:24:44 AM] XXXX-XXXX says: What I see happening is “what do you mean this IPS might stop legit traffic? well lets just run it in IDS mode then”
[1:24:52 AM] XXXX-XXXX says: and after talking to XXXX-XXXX sales engineers
[1:25:02 AM] XXXX-XXXX says: 90% of XXXX-XXXX deployments are in IDS mode only
[1:25:40 AM] XXXX-XXXX says: Less than 5% of XXXX-XXXX deployments take advantage of the SSL decryption and analyze features.
While we have a larger and larger IT force doing things like desktop support and making sure the business world still works in the digital world, there is still a huge shortage of the type of geeks who "get it" and can make a difference with truly technical things. This is why the dashboard IDS/IPS has been superficially successful: it doesn't require deep technical knowledge to get and click through alerts. But the knowledge of what those alerts mean is pretty damn spotty, and if the IDS/IPS doesn't support tools to drill down into the mucky darkness of the real technical trenches, that solution is overall just superficial.
But how do you know your out-sourcer is decent with security? Really, we shouldn't move to make security a commodity that is driven by checklists and statistics without understanding. We need more skilled professionals, even if that means they have an inflated salary for a while and later take a small dip.
[10:15:40 AM] XXXX-XXXX says: Hey, I'm so glad you guys took over our security monitoring! We had no clue what was going on with the IDS/IPS after the installation techs left. You guys have helped us pass important compliance initiatives and haven't impacted our business at all!
[10:18:23 AM] SecMonTech04 says: No problem! Looks like we came in just in time too! You had 12,476 alerts in the last month alone, but we've totally taken care of you! Just look how much you needed us!
[10:19:49 AM] XXXX-XXXX says: Sweet mother of all that is good and pure, that's a lot! Whew! By the way, is that the number of alerts after you've tuned the monitoring?
[10:20:45 AM] SecMonTech04 says: Uh, yes.
[10:22:27 AM] XXXX-XXXX says: What did you all tune out?
[10:23:33 AM] SecMonTech04 says: Um, we ignore ARP alerts because it's really just too noisy.
[10:24:12 AM] XXXX-XXXX says: That's it?
[10:24:56 AM] SecMonTech04 says: I believe so...
[10:26:43 AM] XXXX-XXXX says: This is kind of odd. How many of those alerts are important enough to warrant further investigation or worry and wouldn't ever be tuned out by anyone?
[10:29:42 AM] SecMonTech04 says: Looks like about 3...maybe 6 if I am paranoid.
[10:30:31 AM] XXXX-XXXX says: That's it?
[10:31:21 AM] SecMonTech04 says: Oh, and we're not really monitoring much on incoming port 80 because there's too many application level attacks that we don't want to give you a false sense of security about if we said we protected port 80.
[10:32:22 AM] XXXX-XXXX says: Huh? Why the hell not??
[10:34:45 AM] SecMonTech04 says: By the way, did you read the latest alerts from the anti-virus companies? The Internet is falling apart and is being overrun by hooligans and criminals. You better be glad you have us!
[10:37:32 AM] XXXX-XXXX says: Hold on a minute, back up. You're not tuning anything out and not monitoring what might be one of our most important incoming ports. Are you actually blocking any attacks at all?
[10:39:12 AM] SecMonTech04 says: No, we're operating in IDS-only mode. We don't want to risk negatively impacting your business and cause you to distrust and dislike us.
[10:44:41 AM] XXXX-XXXX says: Oh god, I need some Tums...
[10:49:40 AM] XXXX-XXXX says: You realize we will need to start blocking some things?
[10:51:40 AM] SecMonTech04 says: Tell you what, we will turn on blocking (IPS mode) for all incoming ports between 55000 and 58000. Will that be enough?
[10:53:11 AM] XXXX-XXXX says: Whew, I think that will be ok...glad you guys are the experts.
[10:55:54 AM] SecMonTech04 says: Actually, we hire not only the inept techs you let go because you outsourced security, but we also employ interns who just click "ok" to every alert that comes in. They don't really know what this means either.
[10:56:30 AM] XXXX-XXXX says: ...I'll assume you meant to type that in another window.
[10:59:10 AM] SecMonTech04 says: Oops, yes I did, sorry.
by LonerVamp 03.14.07 at 12:48 PM in /general - comments(1)
I read a few bits in a row today about small business security which made me kinda sit back and decide I disagree. I read a piece from Andy, another from Rothman, and another that Rothman pointed to over at SmallBizResource. I'm sure I'll read some more in the next few days as I attempt to get caught up on my reading in this rather busy week. For now, let me rant a bit and enjoy some foam being flung from my lips.
First, security is easier than a red-headed step-child to get mad at (that's so un-PC, but that's why I'm not a professional blogger...). You can poke holes at it until you turn blue and the sky turns into pudding. That's the nature of the beast we attempt to control and tame every single day, and the grim reality is there will always be holes and improvements and places where we can say, "they don't get it" or "they're not taking care of security." By the way, eventually business is going to tire from this fact that we can always criticize and give security exceptions; eventually this will bite us in the ass as business "settles" for checklist security and nothing more. (But I guess we at least get that far, eh?)
Second, securing a Fortune 50 is a hell of a lot different than securing a 500-person company which is also different from securing a 50-person company. In fact, I really think securing those smaller companies would actually be easier given a knowledgeable geek. Just like in warfare, they are nimble, quick, have a low profile, and tend to be pretty unpredictable and all without the slow-moving girth of a politically-motivated blimp. In other words, I don't think size correlates with security on any other level than coincidental. I don't think there's causation here. (More on this later.)
I still keep my list of the top 5 things I would suggest all small businesses do, not to become compliant with PCI or some other checklist, but to rather make big strides towards security. These 5 things can make a huge move towards being more secure, especially for a small business. They're not really that hard, and I think we overestimate the number of companies who don't do them (and yes, that's coming from me, the skeptic who thinks all companies are basically fucked and full of holes, if not from an outside perspective, then from an insider).
Third, I really don't think the article on SmallBizResource paints with the right colors. The article attempts to paint that SMBs are doing poor security by holding up that many of them are "currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard." So? This is a problem with checklist security. So what if they are storing data? How are they storing that data? So what if their front door is unlocked when they have a mantrap, cameras, and internal doors protecting other areas of the company? The act of storing data adds to risk and may be against a compliance regulation, but that is not necessarily insecurity at work. Likewise, not following a security guideline and instead working by common sense can be just fine...unless you want to assume that no one has good common sense. I know I don't follow some blueprint for my own home security and instead follow some common sense, but that itself doesn't mean I'm insecure. And what if they don't store that data but also don't have a properly configured firewall and anti-virus software? Yes, at least they're not going to hemorrhage millions of credentials, but they are certainly not secure.
Fourth, I said I would get back to my comment on how size does not necessarily correlate to security. I truly think security is a function of the quality and intelligence of our security and IT professionals. We need more quality people securing things and running IT and managing the data. Andy brushed up against this in his post. I don't think SMBs don't get it because they're SMBs or have fewer employees or fewer resources, per se. I think they don't get it because their IT staffers don't get it and haven't had a chance to get it. There's still an awful, awful number of IT techs who are still learning just how to DO things, let alone do them in a secure fashion.
by LonerVamp 03.14.07 at 11:46 PM in /general -
I've been refraining from posting on this since I didn't think it a big deal, but I've seen far too many other sites posting about the "59 Top Influencers in IT Security."
Absolutely no offense to anyone on that list, but here are a few things wrong:
1) That list is not new, in fact, I found and used that list about 4-6 months ago when looking for more blogs to add to my RSS feeds. It was billed as just someone's list of security blog links. It has only just now been rebranded as a "top of" list. Amazing what a simple title change can do for how distributed it can become. :)
2) Fyodor was misspelled back then as well, and I distinctly recall that.
3) If you read some of the small captions, you'll wonder if the author even reads the blogs/people they are talking about. I especially liked Bejtlich's and Maynor's entries.
4) Some people are left off that shouldn't have been, and others were included that kinda make you go, "Hmmm." Some of the most important names made the list but only as a "here's the rest" mention.
Anyway, I really didn't want to post that but it's been on the top of my head the last couple days, especially since I keep reading entries about it on my favorite sites. No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.
by LonerVamp 03.16.07 at 9:17 AM in /general - comments(1)
Has anyone else out there noticed sudden activity against MovableType's trackback (mt-tb.cgi) function? Yesterday afternoon and this afternoon my server suddenly stopped responding. Both times this was immediately preceded by a small flood of disparate sources attempting to post trackbacks (which I have disabled). My logs show nothing but onesy-twosy attempts over the past 6 months, months apart.
by LonerVamp 03.18.07 at 3:46 PM in /general -
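As an added example (not code from the original post or from Movable Type), here is a small check over constructed Apache access-log lines that flags the pattern described above: a minute in which mt-tb.cgi is hit by many distinct sources, as opposed to the occasional lone attempt. The /cgi-bin/mt/ path prefix and all addresses are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TRACKBACK_SCRIPT = "mt-tb.cgi"  # Movable Type's trackback handler, as named in the post

# Constructed sample lines (not from the author's server). The /cgi-bin/mt/ prefix
# is an assumption; the check keys only on the script name. The lone attempt on
# the 17th is the "onesy-twosy" baseline; the 18th shows a burst from many sources.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2007:14:02:11 -0600] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 211 "-" "Mozilla/4.0"
192.0.2.10 - - [17/Mar/2007:14:02:13 -0600] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Mar/2007:15:39:58 -0600] "GET /archives/2007/03/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2007:15:40:01 -0600] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 211 "-" "-"
198.51.100.8 - - [18/Mar/2007:15:40:03 -0600] "POST /cgi-bin/mt/mt-tb.cgi/7 HTTP/1.0" 403 211 "-" "-"
198.51.100.9 - - [18/Mar/2007:15:40:04 -0600] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 211 "-" "-"
203.0.113.44 - - [18/Mar/2007:15:40:09 -0600] "POST /cgi-bin/mt/mt-tb.cgi/3 HTTP/1.0" 403 211 "-" "-"
203.0.113.45 - - [18/Mar/2007:15:40:21 -0600] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 211 "-" "-"
198.51.100.7 - - [18/Mar/2007:15:40:30 -0600] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 211 "-" "-"
192.0.2.77 - - [18/Mar/2007:15:40:47 -0600] "POST /cgi-bin/mt/mt-tb.cgi/9 HTTP/1.0" 403 211 "-" "-"
203.0.113.5 - - [18/Mar/2007:15:41:10 -0600] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def trackback_bursts(lines, min_sources=5, bucket_seconds=60):
    """Group mt-tb.cgi requests into fixed time buckets and return the buckets in
    which at least `min_sources` distinct client addresses hit the script.

    Distinct sources, not the raw hit count, is the signal: one spammer retrying
    is routine, while a sudden spread of unrelated sources is the pattern the
    post describes right before the server stopped responding. The HTTP status
    is deliberately ignored; a rejected request still costs a CGI invocation.
    """
    buckets = defaultdict(lambda: {"hits": 0, "sources": set(), "tz": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or TRACKBACK_SCRIPT not in rec["path"]:
            continue
        key = int(rec["ts"].timestamp()) // bucket_seconds
        b = buckets[key]
        b["hits"] += 1
        b["sources"].add(rec["ip"])
        b["tz"] = rec["ts"].tzinfo

    flagged = []
    for key in sorted(buckets):
        b = buckets[key]
        if len(b["sources"]) < min_sources:
            continue
        flagged.append({
            "start": datetime.fromtimestamp(key * bucket_seconds, tz=b["tz"]),
            "hits": b["hits"],
            "sources": len(b["sources"]),
            "addresses": sorted(b["sources"]),
        })
    return flagged


def main():
    for b in trackback_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['start']:%d/%b/%Y %H:%M}  {b['hits']} trackback hits "
              f"from {b['sources']} sources: {', '.join(b['addresses'])}")


if __name__ == "__main__":
    main()
```

Point it at a real access log with `trackback_bursts(open(path))` and raise `min_sources` until the quiet months stop appearing; a burst that lines up with the outage times is the correlation worth keeping.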
Michael posted a comment just a bit ago that got me thinking. I'm very open to this sort of stuff right now because it is a position I am in. I am sponging up everything I can learn still on a rather broad scale, and I am also not in a job that I see myself sticking another year in. I guess, like Bridget Jones with relationships, I'm looking for something extraordinary that adds to my life, as opposed to sucks away 8 hours or more a day. There's plenty out there, so it is a waste to stay in something that doesn't fit the bill.
So part of Michael's post was:
I thought I'd be a shoo-in but alas, everyone was looking for the Exchange-SQL-Checkpoint-Oracle-Linux-Unix-and-all-the-Windows-versions guy. Sucks to be me I guess.
That's too true. I really hate those ads and people who are expecting an IT guy to know 15 mainstream things and then an additional 5 rather small tools or technologies. And then to only have 2-4 years of experience and get paid at a barely competitive level. What the hell?
It is important to realize one's limitations and skills when looking for an IT job these days. Do I know all 20 tools? Or better yet, do I have the capability to learn the tools I don't know at the moment? Is the company (manager) looking for someone who can grow into those roles, or already knows them at that level?
And that's where I am today. I am keeping myself broad and rather open and knowledgeable about a hell of a lot of things in IT and security, but have yet to really dive in and get to be an expert in any one (then again, I am likely harder on myself than others are on me, so others may consider me nearly expert whereas I think I have a ways to go...).
This way, when I find that job that truly adds to my life, I can adapt to it and see what opportunities are presented to me. For instance, if I happen to get a job that opens doors to web app security, I can quite happily dive into it feet first. Likewise with something like PCI/DSS.
By the way, yes, that means I may post my resume somewhere around here in the near future. If you want to see it or offer suggestions or see what I did as inspiration in your own, feel free to email or IM me and I'd be happy to give it out.
by LonerVamp 03.19.07 at 1:24 PM in /general -
George Ou posted what I hope is the last commentary on the Apple wireless debacle from last year, which I still think was the biggest security news of 2006. What I like about Ou's article is how unassuming it is (the digs on Apple aside). I watched the Maynor video last year when it broke and never once thought they were attacking Apple directly. Anyone who watched the video could have seen that.
The problem came from the "blogosphere." Everyone wants to trump others and so when news breaks they attempt to make the most sensational deal about it; a case of news "reporters" trying to make news instead of just reporting it. Pretty quickly, one post claims an attack on Apple, and another one claims lying and scandal, and everyone starts posting willy-nilly third-, fourth-, and fifth-hand information without really knowing jack. Pretty soon, small responses of wrong-doing are muffled out by the masses clamoring and all up in passionate arms about a non-issue.
Ethics in blogging is going to continue to be an interesting topic. In addition, ethics in information usage will be interesting. Throughout history the victors have always written history and made the laws and beliefs. But what about things like Wikipedia? What if they get something wrong? But what if 98% of people believe it to be fact when it really is false? Can that wronged person ever prevail, or does majority (the victor) rule? Interesting questions in our new age...
by LonerVamp 03.20.07 at 8:22 AM in /general -
Andrew Storms posted a really nice bit over at nCircle about our personal privacy stances online, namely some commentary about pseudonyms online.
Obviously I maintain a pseudonym online. In fact, I have two. "LonerVamp" is a carry-over from years long past and I keep it mostly because it is far more unique than "Michael" or even "Michael Dickey." If ever someone from my past wants to look me up, by god, they can do so just fine. And sometimes they do.
Another reason I still like this name is simply the extra layer between my time online and my real person. I really have no difference in who I am based on my screenname anymore. I think I got over that back in 1997. But anyone looking to poke around at me from either the "Michael" or the "LonerVamp" direction will have to do at least some measure of work beyond the first 5 hits on Google to put two and two together, find the bridges, and then actually cross them. Not impossible, by far, but at least not trivial for any nobody to do. Someone really has to want to do it.
I do maintain another pseudonym on a few low-usage sites and mailing lists. For instance, my MySpace identity is linked to another Gmail account and I only use it to comment on journal entries of friends or view pictures. Basically, I can maintain this because it is low interaction. When something is low interaction, I don't have to worry as much about my real self coming out in that identity.
Andrew is also mostly correct in saying if you want to "properly" enact change, you do need to step away from the veil of anonymity and put yourself out there. I agree with that, which is another reason I don't mind the connection between my real name and screenname. I accept that connection and likely always will. But I will say some perfectly anonymous people enact change, especially in IT and security, just fine from their dark corners. And I would be willing to bet that a few people with names like Tim Conners are really obfuscated pseudonyms. Why use LordofDespairXX when you can look like everyone else as Jimmy Toulouse? However, like Curphey recently mentioned, why hide your feelings and your opinions and, basically, yourself?
By the way, if you call me LV, Loner, or LonerVamp at a con or meetup or even in IM someday, that is fine. I'm used to it and have always been called that at gaming LANs anyway. In fact, if I have a name-tag, that will be the prominent name although both will likely be present.
by LonerVamp 03.22.07 at 12:44 PM in /terminal23 - comments(1)
Holy crap, there's a ton of first year birthdays going on in my RSS feed reader from bloggers. Hell, even RSnake hasn't been around a year! This is just crazy since I could have figured a lot of people had been around longer. It kinda puts some things in perspective, since I've been documenting my day-to-day "stuff" here or on my personal site since late 2001 when I installed my first news script (no blogs back then!) on my website which, itself, I had maintained since late 1996. It's been a wild ride since then, and obviously I am not one to bang on the door for hits and visitors. :)
Grats to all those people with baby blogs that are starting to grow up and find their identity or realize that they had an identity long ago and can stand just fine as themselves!
by LonerVamp 03.22.07 at 7:16 PM in /general - comments(1)
It's time again to prune some more links. I've been seriously contemplating moving a lot of my links on the right menu over to a page on my wiki. I've yet to do that so far, and I think I've talked myself into leaving them here. I just wish I had fewer links since they do get pretty long; however, I use a significant portion of them regularly, sort of my own little personal portal (hence why I would move the portal part to a wiki page). Of course, then my page might look a little bare...I guess I could fill the space with vertical Google ad bars! Hehe, no thanks.
Haxorthematrix seems to have gotten lost in the new year. Info-pull has disappeared as well with few updates. I know just barely over one month of no updates is really being picky, but I'm more picky with more personal blogs and especially those that have not been up more than a year. I'm very aware of the tendency of people to start strong on an endeavor, and then putter out after a few months.
SecurityBullshit is being removed, but only because Mark has merged it with his other blog, SecurityBuddha. I totally dig that name, and I think it interesting the sort of zen way of life that can be found in parts of the computer security industry, from techbuddha to securitybuddha to taosecurity...I wonder if zensecurity is taken? Considering I am highly sympathetic to the Buddhist (and related) way of life and philosophy, I really have this odd little affinity to such sites. Oh, and securityzen.net is not taken! I might have to think about grabbing something like that someday, for possible future branding. Until then, I'm really happy with Terminal23.
The O3 e-zine seems to have disappeared after 3 colorful issues through the first few quarters of last year. I really liked this zine's focus on Open Source, but it really was just the same thing as (in)secure and uninformed (how's that for a combo phrase?!) when you get down to it.
The list of top 10 security live cds from DarkNet is starting to look dated, especially as BackTrack2 is now out and really kinda dominates this field (minus general livecd and forensics offerings). Besides, I have moved this to my own live cd list on my wiki anyway. I don't use VMyths, so why bother with the link, especially as I try to get this list down a bit (of course, for every one I remove, I seem to add another...). Church of the Swimming Elephant is a classic site that still has lots of useful stuff. Sadly, it continues to grow more and more dated. If you've not gone there, go there and browse the info and wares. Definitely harkens back to a more innocent time in hacking!
A reverse engineering site that I never really visited seems to have also disappeared. I also never visit the ProfessionalSecurityTesters site. Besides sounding a little off, the site itself just never sat well with me and I never really went back.
by LonerVamp 03.23.07 at 9:26 AM in /general - comments(2)
I've been doing some scripting at work and had a desire to test if a server exists before attempting to do some work against it (fewer errors, cleaner execution...). I hadn't found anything that I wanted to use so I asked in the #powershell channel on irc.freenode.net. MoW, of course, knew the answer since he is the Google of PowerShell. Give him a question and he'll throw out the answer.
shell> $ping = new-Object System.Net.NetworkInformation.Ping
shell> $ping.Send('localhost').status
Success
shell> $ping.Send('blah').status
Exception calling "Send" with "1" argument(s): "An exception occurred during a Ping request."
Update: Gaurhoth gives some information comparing Win32_PingStatus with the above method.
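Here is an added example (my own code, not MoW's or Gaurhoth's) that wraps the same System.Net.NetworkInformation.Ping class in a reusable check, so an unresolvable name like 'blah' yields $false instead of a thrown exception, and sits it beside the Win32_PingStatus approach the update mentions. The function names, the timeout and retry defaults, and the server list are assumptions; it assumes PowerShell 2.0 or later for try/catch.

```powershell
# Added example, not from the original post. Test-HostUp returns $true only when
# the host replies; "no reply" and "name does not resolve" both come back $false.
function Test-HostUp {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMs = 1000,   # assumed default per attempt
        [int]$Attempts = 2        # assumed default; a single lost packet is common
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    for ($i = 0; $i -lt $Attempts; $i++) {
        try {
            # Send() throws when the name cannot be resolved (the 'blah' case above);
            # a resolvable but silent host returns a non-Success status instead.
            $reply = $ping.Send($ComputerName, $TimeoutMs)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
                return $true
            }
        }
        catch {
            # Resolution failure: retrying the same name will not help.
            return $false
        }
    }
    return $false
}

# Same check via WMI, for comparison: Win32_PingStatus reports StatusCode 0 on a
# successful echo and $null or non-zero otherwise, and does not throw on bad names.
function Test-HostUpWmi {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $status = Get-WmiObject -Class Win32_PingStatus -Filter "Address='$ComputerName'"
    return ($null -ne $status -and $status.StatusCode -eq 0)
}

# Usage: only run the real work against servers that answer.
$servers = @('localhost', 'blah')   # constructed sample list
foreach ($server in $servers) {
    if (Test-HostUp -ComputerName $server) {
        Write-Host "$server is up - proceeding"
    } else {
        Write-Host "$server is unreachable or unresolvable - skipping"
    }
}
```

Both checks depend on ICMP echo, so a host that filters ping will be reported as down even though its services are up; for that case test the specific TCP port the script actually needs.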
by LonerVamp 03.23.07 at 9:26 AM in /general -
We've yet to see this come to a head, but I bet it will be soon. An article I read today contained a few tidbits about cyber warfare:
History teaches us that a purely defensive posture poses significant risks, Cartwright told the committee. He [Marine Gen. James Cartwright, commander of the Strategic Command] added that if we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.
Cartwright said U.S. adversaries in cyberspace include other countries, terrorists and criminals who operate behind what he described as technical, legal and international screens, and he said that if we are to take the fight to our adversaries, we will need Congress' help finding solutions to penetrate these screens...
[Lt. Gen. Robert Elder Jr., commander of the 8th Air Force and JFCC-Global Strike and Integration] did not detail plans for going on the offensive. But when asked about it, he said, "We will probably do some of that, by the way."
We might be going on the offensive? Are we actually at war in a way that we can go on the offensive as if we were on the sea, air, or land? I really wonder if that will be seen as a hostile action or not, or if this is all still just contested territory. I don't have much thought on this right now, but as the years move forward, this cyber conflict could pose ramifications on the openness and neutrality of our Internet.
by LonerVamp 03.23.07 at 4:06 PM in /general - comments(1)
No sooner do I finish up on my Windows server...now I'm using an older 400MHz box to start standing up an Ubuntu server to start using stuff there. While I like stability for the things I use daily, I really want to learn more, so rather than languish my stuff on Windows for a few years, I'm moving on already.
The first things I want to move over are the things I use cygwin/Windows for, namely my SSH server. My SSH server gets quite a few hits; strangely, Amsterdam is outpacing Asia in SSH auth attempts. If you let that page load, you can see all the attempted login names. Since I am running SSH on cygwin, I don't even use "root" or "admin." I'm surprised that "Administrator" is not used more, since that is what cygwin pulls in (it mirrors the Windows accounts). If someone can do that small battery of attempts, it is trivial to add "administrator" to that initial slam.
Anyway, yes, my next project is to start standing up and getting more familiar with running certain apps on Linux. SSH is not going to be an issue, and I'd like to leverage Linux to analyze my Apache log files and other neat things on my network. On a more advanced note, I want to throw sendmail or another nix mail server up as well. I like my current mail server, but the image spam is just not terribly fun and spam solutions on Windows are not as impressive to me as nix solutions. Besides, I want to be exposed to more. I spent years in my comfort zone and it's paying off to try out new things. This box also now has a 200GB HD and has always had 2 NICs, which plays right into my hands to get Snort on a nix box and familiarize myself with some more monitoring tools.
That's how my spring is shaping up, and what has been stealing my time lately.
by LonerVamp 03.26.07 at 3:36 PM in /general -
My projects and other things have been taking up way too much of my time lately.
My bracket in the NCAA tournament (mens) has been about as bipolar as any bracket I've ever done. Typically I do very well in these things, but like most, picking the winner is the make-or-break decision. Pick the winner, and you've no doubt gained points throughout, miss the winner, and you're sunk. This year I had only 20 hours from selection show to entry submission, and the lack of research showed through, although I was saved by a very well-seeded bracket. I did horrendously in the first two rounds, but picked 7 of the 8 Elite Eight teams and, until UNC lost, I still had all Final Four teams.
My WoW time has suffered as well, although that might not be a bad thing! My main is still level 60 and my Draenei Shaman is level 36. Yeah, I'm slow and my time/effort has dropped considerably (thankfully). If I didn't have real life buds in game, I'd have left it long ago.
At home last night I enjoyed just how easy Linux is becoming as I continue to just be immersed into it. Much like my idling in some IRC channels or mailing lists, just hearing things for a while means I gain some understanding; or being around something. I'm not planning on taking my CCNA for a bit, yet I am already just sitting in and contributing to some local buddies doing their studying and talking, and I pick things up. Hang out with baseball fanatics for a while, and you'll find yourself learning about baseball until, before you know it, you're considered someone "in the know." My Ubuntu install and SSH server took all of 15 minutes once the actual OS installer finished. Talk about easy. Next I will be playing with Squid and Snort and setting up more ubiquitous remote access, if I can (from Windows and Linux boxes without using VNC...)
At work, I've been busy exercising my scripting muscles by automating our installation process for web applications and servers. I've done all of the easy work so far, although the hard stuff I have saved may turn out really easy if I ease up on my own requirements and utilize Windows-native exe apps rather than programmatically build my own (gacutil and regsvcs). Scripting is really exciting and amazingly powerful. With Exchange 2007 on the horizon for many orgs (whose management seems to be fully PowerShell-based), I like this head-start I'm getting. Someday soon I'll dig a bit more into Perl and/or Python to round out my scripting exposure.
by LonerVamp 03.27.07 at 1:02 PM in /terminal23 -
Snagged this from Sean's blog. I swear I have seen this before or maybe even posted about it, but couldn't find it. Either way, it's a nice set of "laws" and in the same vein as the 10 immutable laws of security.
Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn't about risk avoidance; it's about risk management
Law #10: Technology is not a panacea
by LonerVamp 03.29.07 at 8:20 AM in /general -
There is some interesting talk going on about mesh security over on Nate Lawson's blog. Really cool stuff, although I don't understand it quite well enough yet to regurgitate the topic on here, so just check out the link. Also, Matasano and Bejtlich have added to the discussion.
by LonerVamp 03.29.07 at 8:56 PM in /general -
Dave Aitel posted to DD a link to a review of SILICA. SILICA is awesome and one of those gadgets I really want to get my hands on. But at a price of $3600, it is definitely a major purchase for someone like me; just low enough to be doable, but higher than even a good laptop or gaming rig with far fewer uses. Nonetheless, if this device stays current and highly supported by Immunity for many ongoing years, I really am going to plan on picking this up in the next year or just after (my car gets paid off next summer which means some freed up monies...).
by LonerVamp 03.30.07 at 1:05 PM in /general -