what if i moved to web app sec?

Pardon me for a moment while I think out loud. If I got into a web application security job of some sort, how long would it take me to get to a personally acceptable level of competence (for me: a decent enough expert in the field)? Given a day job that lets me focus on that topic and my propensity for self-study, I think it would take me a year to become satisfactorily proficient. This can differ, however, based on how deeply I will need to know various programming languages when it comes to code reviews. My self-study would likely be designed around working and familiarizing myself with various codes by doing some personal projects here and there… Food for my brain.

I think this way because I am open to “awesome” job opportunities lately, and if something in this space opens up, I don’t want to spend a week trying to play introspective catch-up and miss the opp.

dvd ripping and burning made simple

Copying DVDs has become amazingly easy. I picked up a Samsung DVD burner from NewEgg for $33. They forgot the software, so I had them mail that separately, which is well worth it since it is Nero and includes not only the burning utilities but also the parts to leverage the Lightscribe labels.

I installed DVD Decrypter (pretty much optional) and DVD Shrink (find them on your own, but I suggest doom9.org as a first try). I use DVD Decrytper to rip DVDs to my hard disk, and then I use DVD Shrink to remove a few unnecessary things, like foreign language audio tracks, and also to burn since it can shuttle the project off to either DVD Decrypter (which can burn) or Nero itself. That’s it! I ran a test copy of Fast and the Furious which happens to be a dual layer DVD. The ripping portion took about 15 minutes, I think, and DVD Shrink worked on the contents (about 4.5 GB on disk) for about 30 minutes. I removed two audio tracks. It then went right over and burned in about 5 minutes or so to a non-dual layer DVD.

With Nero, I was able to create a Lightscribe label in about 5 minutes and burn it on in about 15 minutes. I just did a quick Google Image search for Fast and the Furious images, picked the first one (which happened to be huge), plopped it on without resizing or playing with the brightness, and let it loose. The label isn’t breathtaking or drop-dead gorgeous. It really just looks like a badly washed out greyscale image, but the quality (if you look closely) seems pretty nice. I’ll likely use it rather than markers, and I likely will still use actual images as opposed to bland text in text boxes. I’m not really doing anything professional, just makin’ copies!

All told, that was only about an hour of time and only about 10 minutes of actual work. Since I do this on my gaming machine, it gets to dedicate its time to this task when I’m not gaming (and holy crap does the processing of DVD Shrink drop to a trickle when I fire up WoW!). I keep that system pretty slimmed down, so that 1 hour is not a bad deal really.

Blank DVDs with Lightscribe will run me about $1 per disc. Dual layer guys will be about $1.5-2 per disc. At least that was my 2 seconds estimation while standing at Best Buy. That’s still not bad at all as I estimate my typical DVD purchase is $14, give or take. This is why DVD copying pirating is still worthwhile, I guess!

owasp top 10 for 2007

The OWASP Top 10 has been updated. The PDF version is way at the bottom. Top lists of anything are tough because you have to draw lines and qualifications somewhere. I like that the authors mention some items they left out such as input validations and buffer overflows, but I’m a little concerned that those should still have been included. I guess I am not yet satisfied with why they left them out.

Then again, I have yet to give this a deeper read and maybe am just distilling the information a little slowly yet. Overall, love the OWASP stuff and this top 10 is excellent. Got linked to this from Jeremiah.

no one expects the covert channels

Typically at home I have this stack of papers and junk printed out that I want to flip through and read. Kinda like bookmarking something later, only in the analog world. Lately, I happen to hit a glut of papers talking about covert channels (I’ll link one or two if I still happen to have them around), which are always fun to look at. I then see the focus on ids list has a current discussion on detecting covert channels (really detecting encrypted channels which, as Ron Gula recently contributed, are a separate issue).

Covert channels are fun. They can be an easy way to break something, or use something for a purpose not intended by the creators. The old school version of “hacking” (which I subscribe to) tends to love this definition. They are also difficult and technical in some cases, thus I really believe that unless a firewall or proxy incidentally is blocking the channel, no one really blocks or watches these channels. If I ever get my home network more rounded out and the major projects done, playing with covert channels is something I’d love to tinker with. (And if I would do it, so would lots of other bored kiddies on the Help Desks at their jobs!)

[As an aside, I pick on the poor kiddies on the Help Desk or Tech Support or Customer Service desks a lot. I do so for good reason, though. Typically they can hold some very technically savvy people who have some level of access above normal users. They tend to not be in heavily taxing jobs and sometimes have “leisure” time at work to do some odd things. And let’s not even think about those overnighters with even more time on their hands… Really, it’s not that I distrust them, but I remember my days down there and what I would get my fingers into, and I know it happens.]

For instance, you can stuff information into a few non-used or little-used sections of ICMP packets and shoot them out to your target. But if a company is stopping all ICMP, that incidentally stops that particular covert channel. Someone can siphon away information using DNS, but if you only allow DNS traffic to servers you control…

Stopping (or using to your benefit) covert channels is much more difficult since it requires some pretty specific knowledge of TCP/IP and perhaps packet structure and creation. This probably makes the risk of someone leveraging this attack much smaller, which also may mean it is just not worth spending time combating for many companies.

But lets say you want to detect and/or stop covert channels? I won’t get into specifics since I’ve not done this myself, but here are some approaches I would take.

First, make sure a solid egress configuration on border firewalls are present. If this isn’t done, really, any other steps are simply academic and not going to add any security or sense of security. If you’re not stopping arbitrary ports from connecting to other arbitrary ports on the Internet… Likewise, there is no reason to tackle ICMP covert channel detection if ICMP is blocked anyway.

Second, you need to be monitoring for anomalous traffic. A sudden spike in ICMP or other weird traffic that is not normal could indicate a covert channel in use. Again, the chances are slim, but any network monitoring strategy should already be tracking anomalous traffic loads anyway. You might also want to detect for regular traffic patterns such as an HTTP request that occurs exactly every 3 seconds for hours, or something to that effect. You might see more false positives with things like Weatherbug or Firefox doing regular checks or IM keepalives, but if your company is tackling covert channels, likely they have stringent software and IP rules in place already to limit such noise.

Third, make sure packets are inspected for erroneous settings and flags. Kinda like no TCP packet has any business having both SYN and RST (I think) flags set, there is just some information that, if present, should be investigated.

Fourth, proxy all web traffic in a way that the proxy rebuilds the packets. This should take care of really funky HTTP covert channels and also allow you more logging on what is likely the busiest and least securable port on your network.

Lastly, I really don’t know what to do about steganography or hiding data inside other application layer data. I guess we have to hope that packet inspection firewalls eventually detect the normal tools and their signature/patterns, but I really wouldn’t book my paycheck on that. Image-based stego is still a technical skill, but the tools have gotten far easier to implement and there are tons of locations on the webs to drop images for offsite pick-up.

Speaking of covert channels, I can’t find the actual story, but I swear the Security Monkey had a post one time (I think a reader-submitted story) about someone hiding porn images inside a normal movie file, where a porn image would be one frame somewhere that could be extracted. Screen grab of sensitive docs instead?

random thoughts on spam and email sig blocks

Skimming my captured spam comments these days really makes me feel like I’m browsing porn, albeit in text form. I have quite the imagination…and if the guys keep slipping Viagra into my lunch, things are gonna get wrong on a new level.

Ok, kidding! Seriously, my comment spam has skyrocketed since Thursday or Wednesday of last week, almost all about various drugs and the rest about porn. It is amazing how often I catch myself reading one when it doesn’t sound quite obviously spamlike. “Hey man, that’s an interesting post…” I’ve bumped up the filters to get most everything, but if I don’t unmoderate a post you make, feel free to stalk me and track me down or otherwise get my attention.

Joel Esler posted some questions about email signature blocks. Neat. Personally, I keep my signature lengths down to 1-3 lines or so. My name, email address, and maybe who I am if you don’t know me (title or web site). I think I got over the whole quote thing back in 1998, so I don’t do that anymore. I think after you get so many email addresses, you stop really caring to configure and tailor each one.

On a similar topic, I really have a peeve against email disclaimers like “please delete this email if you mistakenly got this…” blah blah blah legal crap. No one freakin’ needs this on every piece of email sent out. It’s useless and stupid. Maybe I should walk around with a card that says, “If I hear some secret you say near me or you hear me calling you a complete asshole, it’s ok and please ignore it if you were not the intended recipient…oh, you’re not the intended recipient, ever.” Yeah, that’d fly.

edge-security tools

I may not get to try everything out, despite my intentions, I still like to post things here in case I want to reference them later on. This site isn’t a blog, but it does have some interesting tools and papers. I got pointed here to check out wfuzz a web fuzzer/bruteforcer. But I really want to try out the Geoedge script which will do a geographical lookup on IPs (yeah, even automating a few clicks is worth it if you do a lot!). There is also an Intro to Reversing on a Mac that is only one page but at least illustrates a few simple things for Mac users. And Metagoofil will pull out meta data from docs. Now that is pretty neat. What ever happened to talking about info leakage via doc metadata?

analyzing vulnerability disclosures

I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid’s site for a reason!). But I do have some commentary to offer.

First, Sid uses the phrase, “This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality.” Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that’s what passwords are for, no?

Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames…but if they are employees, chances are they know the username format anyway. Also long-term outside attackers who already have an undiscovered foothold into the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, “You have bigger problems at this point.” Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attackers who starts trying usernames to grind out more information, or outright access.

My second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I’m simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

To the author’s credit, he lists criticality being “Less Critical,” although I really don’t know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.

wifidenum reports on wireless driver vulns

WiFiDEnum (and no, I’m not really sure how to say that out loud) has been released by Joshua Wright. This tool reports back wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns become announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company and might get some lovin over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host’s wireless card and drivers (and no, I don’t know if that is even possible to a worthwhile degree).

the movement of security

I see there’s been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security… I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael’s thoughts which have the side effect of wanting to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process which might be the agnostics’ way to offer up an inarguable concept? [see? obviously I’m not seeing something straight! hehe] ) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).

My initial reaction is that I am not sold on “unified” or “one method to rule them all” approaches. I’m with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obviously apparent by now.

However, there may be some merit in a company focusing their efforts and monies in one method consistently…

I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?

infosec interview questions

LiquidMatrix posted 4 interview questions for Infosec candidates. I like the questions, personally, and I think they get to one thing I really like to pimp about myself but also value in people in infosec: the geek factor. How much of a geek are you? In other words, how much personal passion do you have for the field? I think this is highly important. Anyway, no preaching yet today, so here are my quick answers for this interview.

1. What is the hostname of your computer / essid of your wifi
How fun! For years, I have stuck to the whole vampire/goth chic with my systems. My main server is named Vampire (and always is, no matter what actual hardware is running it) and my essip is kindred. Unfortunately, the more systems I’ve had, the more I’ve had to dive away from that theme. I have systems named Nosferatu, Hunter, Samurai, Orion (my main laptop, named for personal reasons to do with stargazing), Golem (parted gaming machine), and so on…

2. Which infosec event/conference do you think is the *one* you need to attend each year
Blackhat is too expensive for me alone, and I certainly do not want to do to anything commercialized with more CSOs present than geeks. I think if I had to choose one single event, I would head to Shmoocon. Then CanSecWest and DefCon.

3. You’re doing a walk around and notice an iPod plugged into a laptop – what do you do
Yeah, it sucks reading these questions and already seeing the “good” answers, but I agree with the poster, I would first ask, “Well, what’s the policy?” I don’t want to get into pissing matches over vagueness (I wanted to use vagarity here, but the word is already laterally claimed) of policies and enforcement. If I don’t have to impact someone else and rock the boat, I won’t. So I’d ask about the policy. If there is a policy, I would likely unplug the ipod but leave it on the desk (again, depending on the policy and corporate culture standards on enforcement) and email a note to the employee mentioning it. I’d likely then make a small extra effort to follow-up later that week to see if the ipod is still present, and if so, escalate as needed, more likely with a cubicle-call in person or a quick note to their manager. Nothing overbearing or demanding, just subtle reminders of policy and why it is in place. I’d also test the waters in using technology to block the hardware ports on systems to force policy adherence. Again, though, this all depends on policy and corporate culture.

4. You’ve been asked by HR to take a copy of an outgoing employees computer – what do you do
I’ve not done one of these in a while, but my first reaction in my previous job where I did this a couple times included questions. How much do you need copied? When do you need this started and done? Does the employee know about this or should this be secret? How important is this, while I don’t need details, should I be concerned about eventual legal proceedings or is this just a CYA moment (this may dictate how stringent I follow chain-of-custody or imaging standards)? Do you need me to look at anything in particular or just make the copy? What do you want done with the copy and/or hardware after? Basically, the theme here is to ask questions and quality the request as much as possible without making it seem like you’re fishing for the juicy gossipy details of the incident; I’m not like that and never will be, even when I am privvy to those details (one of the other things I value along with geekery is integrity).

Snagged straight from the bush from the Guerilla CSO

fbi has some infosec work to do

Seems the FBI has the same challenges the private sector has when it comes to maintaining a secure environment. The GAO released a report to the FBI about security weaknesses in a critical internal network. I found this from FCW. I only skimmed the 30-odd page report, but a lot all of their weaknesses are quite familiar.

random geekery from the past week

Sometimes you really just have to be able to laugh and enjoy yourself in this field. Often we can get frustrated (especially as we get more experienced!) when we do new things and they don’t work on the first or second try. Or maybe something you just don’t do all that often. Part of being jaded by users and management, I think…? Failure (i.e. troubleshooting!) becomes less tolerated.

Two things have been giving me grief all week, but thankfully I really enjoy my personal time when working on stuff. Put on some music or pop in a movie on a laptop nearby, grab a beer or tea and have some fun. (Just to inject more personality in here, I watched The Crow, one of my favorite movies ever.)

The first thing I’ve been working on is getting OpenVPN working on an Ubuntu Fiesty VM. None of the pre-fab tutorials online seem to be complete. I think every one leaves out some important steps or makes detrimental assumptions. Either way, the progress has been slow, but I’m getting there. I’m familiar with the client end, so that shouldn’t be a problem. It is just really getting the routing and bridging and junk figured out; getting the server stood up and performing.

The second happened last night. For my VM box I had bought a new DVD burner. Instead of letting this go to waste in the VM box, I swapped it with a DVD-ROM from my gaming rig a few weeks back. I had forgotten about this until yesterday, so on the way home I bought some DVD+R Lightscribe and DVD+R DL disks and vowed to get things working. I spent about 2 hours trying to get it recognized by Windows. Windows Device Manager showed an Asus CRW device. WTF? No, it’s Samsung! Firmware failed! Why the crap is this coming up as Asus?!?

It wasn’t until this morning as my alarm went off that I thought, “wait, I already have a drive in this computer and…oh god…it’s an Asus CD-RW drive. Ugh, I’m an idiot!” Yup, the drive, while powered, is probably just misjumpered or loose on the IDE cable or something else such that Windows or the BIOS were not really seeing it. I kept trying to get my Asus drive to turn into a Samsung burner. Poor bugger…kinda like treating a daughter like a son?

open windows security apps

I love it. There are a number of free security-related tools floating around these days and they seem to be of the “do more, have more features” variety. On my Windows systems at home I prefer to run ClamWin as my AV and Sygate Pro (a full version pre-Symantec purchase/dump) as my personal firewall. I’ve been using Comodo firewall for a while now on one laptop, but I really have no taken the time to baby it and nurture it and really get to know it, so I might just revert back to a Sygate install.

But I keep getting tickles to try something new. I see OSSEC has Windows agents that do things like HIDS, log analysis, registry and rootkit scanning, integrity scanning, and more on the server component. I also see CoreForce which provides a BSD-like firewall, registry and file permissions, integrity scanning, and malware prevention. Both tools are free, although the latter is Windows-bound and standalone while OSSEC likes to have a server component to shuttle data to.

It is nice to see multiple pieces getting packaged together in, hopefully, light-weight apps that won’t be hogs like NAV or your more commercial type protections. I like integrity checking, access monitoring, log scanning, and firewalling, along with the typical HIDS/behavioral analysis and malware detection/prevention. I’m just hoping these two products don’t overlap too much if I want features from both. And of course, there’s my poor ClamWin to think of.

Anyway, tools for thought. I really wish Sygate hadn’t been raped…after ZoneAlarm got dumbed down back in like 1999, Sygate was my saviour…

staying anonymous – part 4 irc

IRC – IRC is an interesting beast. Even today, this relic of the Internet is still the best place to socialize and talk with others in a realtime forum that includes more than just 1-to-1 conversation (did I qualify that enough??). But it also suffers from easily giving up your connection information as well as other anti-anonymous attacks. Pretty much anyone can just issue a /whois and they can read back your IP/hostname. Really, nothing is easier or more idly tempting as port scanning some noob on IRC to see who’s home. Note: I have not used silc yet, so I don’t really mention it here.

1) general IRC recon and host masks
When you first log into a new IRC network, do not do so using a nickname that you plan to use. Log in and poke around. Do a /whois on yourself and see what is revealed. Connect a second time with another name and whois yourself. Find web support and the main support channels and poke around to see if the network supports any built-in methods to mask your host and IP. Irc.freenode.net and others may allow you to register your nickname and also request or set up a host mask so that /whois returns only what you want it to return. If that is the case, switch over to your normal nick, register it, and get it masked.

Always use a different nickname when doing tests or when you think your masking is not high enough. While this isn’t done as much as in the past, there are still chat channels that get logged and posted right on websites for posterity.

Keep in mind that even private messages are not necessarily private when you do not own the servers and other people are the admins. You may not be as private as you wish you were.

If you plan any unattended idling, turn off auto-accepting any files or DCC communications and make sure no URLs are automatically opened or captured. Make sure your secondary nickname is not revealing in case you disconnect and reconnect automatically before your old connection has timed out.

2) bouncers and proxies
If you do not have the luxury of masking your host, you can make use of IRC bouncers or proxy connections much like web proxies. Bouncers are pretty much the same thing as a proxy, only harder to find unless you own a box or two somewhere else (or pay for a shell).

You can also use web-based IRC clients such as www.ircatwork.org. However, always test these by connecting with a different nick and /whois yourself to see if something is leaking through anyway. These can be a hassle to set up and maintain, so perhaps just familiarize yourself with IRSSI (text-based IRC) and see if you can get a shell that allows IRSSI so you can bounce off that.

Otherwise, use network and wireless connections that are not your own to communicate over IRC. Personally, I prefer using Freenode and masking my host.

3) links, DCC, other notes
Also, don’t click on any and every link in IRC…at least not without your web proxy firmly in place on a safer web browser and connection link. If I had my eye on you, I might try to get you to click a link on my website hoping you would then leave some crumbs in my server logs.

Never accept DCC Chats or Sends. These negotiate as direct connections. If you accept a DCC Chat, the person on the other end will have the ability to see your originating IP, masks or not. You can proxy DCC connections, but I prefer to just not accept them at all as there is really no reason for it when FTP and HTTP have become more than ubiquitous.

More information can be found at http://www.searchlores.org/irc_kane.htm. If I had found this before writing my post, it sure would have saved me a lot of composing!


From Whitedust.net, they have announced a new visualization tool for network traffic called Eve. Visualization tools are fun and typically look cooler than they are useful (imagine the proud managerial looks when you see this running in the NOC?), but you never know. Someday a really slick-looking visualization tool is going to be outstandingly useful. Maybe Eve will hit that mark? I dunno, but surprisingly the tool looks to run on Windows by mention of the winpcap library. If this looks slick enough, I would seriously consider a copy for the price they list, even if it just runs in the background on an old machine on my desk.