.: May 2007 Archives


.: pet peeve: the escalating rumor mill based on tech-speak
Chief Security Monkey has a story post today about being careful what you say as an IT expert:
I went back to my friend, told her that there was nothing unusual on the IDS and mentioned the targeted Word attack that had been reported [by another company] and its similarities. Unfortunately, the helpdesk tech overheard our conversation and subsequently reported back to his boss that I said we were infected and that was the cause.
Oh man, I really hate that! And some people wonder why we become a little guarded and seriously careful about what we say! I've had occasion where I've responded to spyware or a virus and mentioned something about attackers or hackers, and the gossip centers on just one word that you can easily guess: "We've been hacked!" I've had sales people email each other for hours escalating the issue just amongst themselves before someone had to step in and tell them to shut up because it wasn't true.

Of course, this happens in IT as a whole too. I hate having to say, "Well, in our environment we really can't implement technology X very well at all..." only to have their Geek Squad son say, "Sure they should be able to do that!" which causes me months and months of grief and point-counterpoint.

Again, I say, it's no wonder we can quickly become guarded and quiet unless absolutely sure about something.

So, to spin this back around into something positive, how does one combat this? I think it is just all about people skills and communication skills. Make sure people know you as the expert and that mistakes or misstatements can still happen, but you'll gladly offer correction as needed. Don't be afraid to be wrong and don't be so arrogant that everyone wants to hold your mistakes over your head for years to come. Learn who the drama queens are in the company, and be extra careful what you discuss with them.
.: that's no moon. it's a space station.
Alex Hutton just posted a comment to my last post referencing a Star Wars (the best movie ever) quote. You know, I have this list of things to see and/or experience on a daily basis that make life happier. Ya know, kinda like petting a tiny kitten or watching a young puppy waddle around, they just make the soul happy. Here's my going list with this one new addition at the bottom (yes, some of these might be a little disturbing, I apologize, but they make me laugh):

- violent pelvic thrusts into the air (think: "don't fuck with the jesus" from the big lebowski)
- dry heaves (from someone else, and not to be confused with actual puking; think an overweight linebacker who has run way too many sprints...)
- uncontrollable writhing on the ground (although NOT induced by a medical condition, that's just mean)
- any quote from Star Wars (or Monty Python can substitute)

(cute images from cuteoverload.com)
.: staying anonymous - part 2 the web
Web browsing (blogs, forums, web-based IRC) - When you browse the web, you leave a trail in your wake: your IP address and sometimes other bits of data that curious persons want to gather. If nothing else, you leave behind your IP in web server log files which any curious or enterprising admin likely picks through. Why do you want to stay anonymous? That was addressed in part 1 of this series.

There are five major realms when it comes to anonymity on the web:
1) general anonymity protections
2) browsing trackbacks such as what is captured in web server log files
3) browser hijacking, remote information leakage, and artifacts like cookies
4) communication channel eavesdropping
5) additional items on newsgroups and RSS


1) general anonymity protections
In general, if you want to stay anonymous online, don't connect to sites or other servers from your home IP address. Hop on a wireless hotspot or "borrow" a neighbor's wireless connection (again, I didn't suggest that...right?). This way any tracebacks will maybe point to the state or area you live in or even your local podunk ISP, but likely won't be tracked back directly to you without some legal overtures. If you're doing nothing criminal, the chances are slim that anyone will ever notice. (Although that does not necessarily make it legal or digitally ethical.)

If you insist on doing personal things such as banking or updating your own personal blog that is not so anonymous, those are things you should save your home IP and connection for. Keep in mind that I do not encourage checking your ebay auctions or transferring paypal monies through web proxies or while connected to non-trusted networks. You never know who is eavesdropping on you or collecting information on what you thought was an innocent open web proxy.


2) trackbacks via what is captured in web server log files
Browsing trackbacks include leaving behind information on log files that may contain your IP address, computer name, browser version, and so on.

The biggest means to stay anonymous with general web browsing is to use one or more anonymous web proxies. A web proxy will relay your connection from it to the site you are attempting to browse, such that the target site does not know who you are and instead records information from the web proxy server. Let's say you want to buy some condoms, but your dad works the counter at the closest drug store that sells them. Instead, you ask someone else to go inside and buy them for you. This person is acting on your behalf, i.e. your proxy. Web proxies work the same way by fetching web pages on your behalf and then delivering them to you. Honestly, once you start using proxies, they are very easy to use and you should probably use them most of the time if you are concerned about your anonymity (with the exception of your bill-paying and banking...).

These can be a bit of a pain to work with. Some web proxies are located in odd places of the world and thus their latency is sometimes prohibitive. Others actually translate text for you (eternally helpful, especially if you don't speak Lithuanian...), and others are simply not meant to be open and can disappear without notice. Some are commercial, some are not, and some are open without their operators even knowing they are being used.

One long-standing list of web proxies has been samair.ru. Be aware that not all proxies are made equal and you will want to test out just how anonymous you appear. Do not settle for leaking any information, so typically, you want "highly anonymous" or something to that effect. Setting yourself up on a proxy is as easy as picking one out and going into the connection options of your browser. Supply the necessary IP and port as a proxy and surf away. You can check what your IP appears to be at www.whatismyip.com and you can check your actual proxy leakage at samair.ru. I highly suggest Googling up a few proxy checker tools just for second and third opinions. Also, try baselining the information you leak by using these checkers when you're not using a proxy. Identify what you want hidden, and get it hidden. (Disclaimer: I don't encourage you to use web proxies that you are not authorized to use; do as you wish.)

I also have seen a site called www.e-proxy.info (thank you Chris!) which can deliver web pages to you through a browser-based proxy. This is really pretty slick and actually works in my office, bypassing SurfControl while also not looking too obtrusive by hiding up at the top of my browser window. Sweet!

As an advanced technique, if you want to set up a series of proxy servers to route your traffic through, this is typically called chaining, in case you want some Google terms to search for.

Are these foolproof? Like almost everything in life, no they are not. But for many instances, a relatively simple step like using a web proxy gives quite a lot of gain. One potential problem comes up if you use some arcane or exotic user agent or web browser. If you leave behind an anonymous IP but a user agent like "BriansTestBrowserBar 0.4," you may as well ditch the proxy.
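As an added example (not from the original post), here is the decision a proxy checker makes from the request headers that actually reach the target web server, which is what "highly anonymous" boils down to. The client address 203.0.113.7 and the three header dumps are constructed; the last one shows the exotic user agent problem.

```shell
#!/bin/sh
# Added example, not from the original post: classify what a target server
# learns about you from the headers a proxy forwards. Header dumps and the
# client address 203.0.113.7 are constructed.

REAL_IP=203.0.113.7

# A transparent proxy forwards your real address in X-Forwarded-For.
HDR_TRANSPARENT='Host: example.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
X-Forwarded-For: 203.0.113.7
Via: 1.1 proxy.example.net'

# An anonymous proxy hides your address but still announces that a proxy is in use.
HDR_ANONYMOUS='Host: example.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Via: 1.1 proxy.example.net
X-Forwarded-For: unknown'

# A highly anonymous proxy leaves nothing proxy-related behind, but this
# client betrays itself with a one-of-a-kind user agent.
HDR_ELITE_ODD_UA='Host: example.org
User-Agent: BriansTestBrowserBar 0.4'

# classify_proxy REAL_IP HEADERS -> prints transparent | anonymous | highly anonymous
classify_proxy() {
    real_ip=$1
    headers=$2
    if printf '%s\n' "$headers" \
        | grep -iE '^(x-forwarded-for|x-real-ip|client-ip|forwarded):' \
        | grep -qF -- "$real_ip"; then
        echo transparent            # your own IP reached the server
    elif printf '%s\n' "$headers" \
        | grep -qiE '^(via|x-forwarded-for|forwarded|proxy-connection|x-proxy-id):'; then
        echo anonymous              # IP hidden, but "a proxy was here" is obvious
    else
        echo "highly anonymous"     # indistinguishable from a direct client
    fi
}

# ua_is_conspicuous HEADERS -> true (0) if the User-Agent would stand out in a log
ua_is_conspicuous() {
    ua=$(printf '%s\n' "$1" | grep -i '^user-agent:' | cut -d' ' -f2-)
    case "$ua" in
        Mozilla/*|Opera/*) return 1 ;;   # blends in with mainstream browsers
        *) return 0 ;;                   # rare or empty UA: a fingerprint on its own
    esac
}

# Run the three constructed cases when executed directly.
for name in TRANSPARENT ANONYMOUS ELITE_ODD_UA; do
    eval "hdr=\$HDR_$name"
    printf '%-14s %s' "$name" "$(classify_proxy "$REAL_IP" "$hdr")"
    if ua_is_conspicuous "$hdr"; then
        printf ' (but the user agent gives you away)'
    fi
    printf '\n'
done
```

Baseline yourself the same way: what the checker reports with no proxy is the list of things you want gone once the proxy is in place.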


3) browser hijacking, remote information leakage, and artifacts like cookies
While you can remain relatively anonymous on the web using just a proxy to relay your connections, there are still means to leak information. You might run into hostile scripts that will try to hijack your system or perhaps harvest cookies from your browser, just to name a few.

To thwart such attacks, it is best to not pretend you are safer or anonymous using Windows or Internet Explorer, especially in combination. Use a non-Windows OS and Opera, Firefox, or even a non-graphical browser.

Keep your cache and stored cookies as clean as possible. Try not to store cookies and definitely do not store passwords in your browser. Just write them down or store them more securely out of band of your browser. In fact, it makes a lot of sense to do your anonymous web browsing from a virtual machine that you can revert to a known clean state every day.

Be sure you also do not leak information by reusing usernames and passwords. If you use the username TheAvengerr69 on 4 forums and you use the same password on each one, simple Google searches can draw the lines between them and start revealing a profile of who you are and what you do. This is especially useful to someone looking to manipulate you. Also assume that every site you sign up for has curious admins who now have your account information. Do not blindly reuse login names and/or passwords.

Here is an illustration. Think about how many forums you might have signed up for, posted one or maybe two questions on, and then never revisited. What if those forums, like the many thousands out there, do not get updated with new forum software versions? This might mean that one of those forums gets owned and leaks its database of users (sure, they just want the emails to spam, right?). Now your account information is in someone's hands just because you visited there once. Now let's say your username was DopplegangerJoe69, your email was a hotmail address, and your password was "sitonyourface." In fact, that's the same password and username you use in a few places. Oh my, and that's the password you use for that hotmail account. Sucks to be you, Joe. I hope you don't store a lot of "password reminders" and "thanks for signing up, here's your password" emails on that hotmail account!


4) communication channel eavesdropping
Generally, there is not much you can do to protect the communication channel from eavesdroppers, if, for instance, you are browsing the web from a public hotspot. If the site itself does not have SSL enabled, you are typically out of luck. However, some proxies can be set up to relay secured communications. Better yet, find yourself a box or shell account or buddy who doesn't know better and set yourself up an SSH tunnel which can act as your first hop. While your entire communication may not be hidden, at least you are hidden from where you physically sit to some arbitrary place on the net. The easiest way to do this might be to set up an SSH server and tunnel through your home connection. From there, relay through a web proxy to anonymize yourself. You can also utilize Tor onion routing, which I plan to go over in a separate post.

Of note, I do consider this step to be beyond most everyone but the paranoid, but it does make sense to technically-friendly people who browse from untrusted networks often. Personally, I love hotspots at coffeeshops so I tend to tunnel through SSH whenever I do anything beyond browsing the news.


5) additional items on newsgroups and RSS
Two minor tidbits on newsgroups and RSS feeds. Try not to use stand-alone clients on your box for RSS or newsgroup browsing. They typically aren't as universal when it comes to proxy support, so they tend to connect directly to the target and leave behind your IP address, if nothing else. Whenever possible, sign up for Google Reader or Google Groups and leverage the extra hop that Google provides in hiding your origin. Let Google's servers act as your proxy. Be aware that there is still theoretical talk about malware abusing RSS feed parsing. I don't consider this a reality yet, but the theory is sound. Newsgroups also may have messages that contain malware or malicious links. Be cautious.


Bonus: For the truly paranoid, watch what terms you search for in search engines. Last year there were some high profile disclosures of search terms that, while "sanitized," still revealed sensitive or private information. If I searched for "Michael Dickey" in Google from my "anonymous" web proxy that I've used for years, I've just tied that web proxy IP to that search term. Do enough of those personally identifiable searches and you can leave behind a small trail. Now, the chances of all the planets aligning to reveal your searches and shatter your web of anonymity are slim, but there are some people that are this paranoid. If you want to help prevent this, just search for personal stuff on your own home connection, just like you should be doing your banking and other sensitive stuff from your trusted home connection. Likewise, don't search for HideousPurplePeopleEater69, your super-secret online pseudonym, from your home network and tie that name to your home IP.


Do I go to these lengths myself? I definitely do not get draconian about my search terms, but I do encourage using different networks or web proxies for browsing the darker bits of the web. If I felt the need, I likely would also utilize a throw-away VM to do some browsing as well. I think I and most tech-savvy people can get by with following, to some degree, steps 1, 2, 3, and 5. Setting up your own remote secure access and being mindful of your searches are really for either the more technically-inclined or the ultra-paranoid.

If you would like more information about staying anonymous on the web, I suggest searching Google for "staying anonymous on the web," "onion routing," "SSH tunnel," and other keywords found scattered above.
.: wsus 3 released
WSUS 3.0 has been released. I'm bouncing this link over where I found it, The Sean Blog, since he made a nice list of the pertinent downloads. If you don't know WSUS or don't use it and don't do anything special for Windows patch management, you should really look into WSUS. It does one set of tasks and does it very well.
.: personal updates on web environments, ssl, ips, and new box
Looks like my flurry of posts early this week were just pre-empting my lack of posts through hump day. Things at work have heated up a bit, especially with me learning some new things. In particular today, I am working with Wise MSI packages for our web server deployments in addition to new SSL management now that we have a hardware load-balancer which is performing SSL termination for us. I'm utilizing tools in OpenSSL to not only convert existing IIS exported keys into readable formats but also to generate new keys via scripting.

We're also working on a new development environment: 1 of 13. Yes, 13. Don't ask, I think it's the wrong way to go and half of them won't get used or updated enough. It'll turn into our nightmare before someone gets wise and trims that back down to something simpler like "dev-staging-prod" plus a few others. Thankfully, all of the servers will be virtual.

Also into this week I've been retuning our IPS. Our IPS management server took a final dump on Friday and wasn't about to come back on. Thankfully we do backups of the full MySQL database, so I recreated the server as a virtual box, reinstalled the product manager, got it talking to the appliance IPS itself, and then restored everything from backups. Talk about slick! I only had to do minor tweaks and retuning on things not covered in the backup. Not bad, and it is nice to be able to properly validate our backup/restore procedures. Backups always bother me in the back of my head until we can actually do them once and verify things work as needed. In addition, since this box was put together before I came on board, it was also nice to see we had documentation on the build and settings (thank you Accuvant!).

Lastly, parts for my new vmware box are arriving. The case arrived yesterday and the rest should be in today when I get home. These will be married to a few extra core parts I already had on hand to be turned into a dedicated Ubuntu VMWare Server box that will run a variety of "always on" machines. (In contrast to my gaming rig which only doubles as a VMWare box now and then for throw-away VMs or testing.) This should keep me busy until the weekend as I make sure I don't have to RMA anything. I'll post pics and notes later on about this box.
.: attachment and rules
If you impose punishments on the troops before they have become attached, they will not be submissive. If they are not submissive they will be difficult to employ. If you do not impose punishments after the troops have become attached, they cannot be used. -The Art of War, Chapter 9: Maneuvering Armies
.: beep pause beep beep...damn you!
I had forgotten the joy of building one's own computer, since last I put one together about 3 years ago. I got all the parts for my system last night, but the bugger won't give me any display. It started out with two long POST beeps, which the AMI BIOS specs say should be a memory or parity error. Great. After a lot of reseating (which eventually became rather redundant especially after I got out my dice and starting trying some saving rolls...) I started getting 1 long, 2 short beeps which should indicate a video display issue. Hrm, that's not making any sense...

In the end, I'll likely purchase a few more parts to swap around and see if something needs to be RMAd. I'm guessing either the motherboard has a problem or maybe one RAM module is DOA or the video card isn't compatible. The one thing I don't miss from building personal systems is the voodoo (not the card, for those old school enough...) you need to make sure all parts are compatible. A complete part list can be found on my wiki under "vmware box".
.: consistency, consistency
Roger A. Grimes recently posted up an article that made a lot of simple sense. He talked about the effect of consistency, even amongst just the basic security principles, and how that can increase security. I really couldn't agree more. Consistency is highly important. Of course, metrics are important, but also make sure to pick the right ones and be consistent with them as well.
How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.
.: openssl basics
I like the idea of posting regularly the things that I've learned. I've long put off getting SSL on this site, but I think I need to get with it to secure what few logins I have (which I only use at work and home anyway...). Curiously, this week I've been working with SSL at work, so I learned a few things running OpenSSL. Here are the basics. (technically I relearned this since I've done this all years back, but had to look it all up again anyway...)

To split an exported private key/certificate from IIS (.pfx format) into a more readable format:
openssl pkcs12 -nodes -in exportedfile.pfx -out outfile.pem
If you provided a password (like a good IIS admin!) to the exported private key, you will be prompted for it. To view the private key and certificate parts, just open the resulting pem file in a text editor. Both parts are enclosed in appropriate tags.

To just view the private key and certificate from the pfx file:
openssl pkcs12 -info -nodes -in exportedfile.pfx
To make a Certificate Signing Request (CSR):
openssl req -new -newkey rsa:2048 -keyout yournewkey.pem -nodes \
 -out yournewcsr.pem
Save the key file: it is your private key. Provide the yournewcsr.pem contents to your preferred CA, such as Verisign, Thawte, or even your local CA if you have your own PKI. Once you get the certificate back and you're using Apache, follow the Apache instructions (I'll post those another time) to place the private key file and the cert file where Apache can use them. If you're using IIS, you probably want to convert it back into the normal pkcs12/pfx format; if the CA returned a DER-encoded .cer, first convert it to PEM:
openssl x509 -in certnew.cer -inform DER -out yournewcert.pem \
 -outform PEM
You can then import it into IIS for use with web sites. In my case at work, we just left the pieces separated for use in our new Load-Balancer/SSL Terminator. Our IPS, however, would prefer the compounded format used by IIS along with the passphrase.

What if you just want a self-signed cert? This means it is free to you, although your browser may give fairly benign complaints about the cert not being signed by someone you trust. This is ok for most sites, including mine and other internal stuff:
openssl req -x509 -days 365 -newkey rsa:2048 -keyout myselfsignedkey.pem \
 -nodes -out myselfsignedcert.pem
You might want to increase the 365 days to many, many years. Ten years is pretty decent and a bit easy to calculate (3650).

All of these commands used -nodes which does not mean "nodes," it means "No DES." This leaves the private key unencrypted. For anyone who has studied CISSP material (or even Security+) you really don't want to leave your private keys unencrypted. You want them encrypted:
openssl rsa -des3 -in yourprivatekey.pem -out yourprivatekeyencrypted.pem
This will prompt for a passphrase and output the private key in an encrypted form. If you want to decrypt this key later:
openssl rsa -in yourprivatekeyencrypted.pem -out yourprivatekey.pem
I think that about does it for now. OpenSSL has tons of little options and modes, so if you find yourself getting an itch to learn more about SSL, check it out. Oh, and it comes in Linux and third-party Windows flavors for convenience. I actually really like the Windows version as it gives some nice, powerful tools for quick use to otherwise clunky Windows GUIs and servers.
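As an added example, not from the original post, here are the commands above strung together non-interactively, plus the pkcs12 -export step that packs the key and certificate back into the pfx format IIS imports, and a modulus check that the key and cert actually belong together. The hostname and passphrases are constructed demo values, and it uses -aes256 instead of -des3 for the key encryption.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Passphrases and the host name are constructed demo values.
set -e

# make_bundle DIR CN KEYPASS PFXPASS -> writes key.pem, key.enc.pem, cert.pem, bundle.pfx under DIR
make_bundle() {
    dir=$1; cn=$2; keypass=$3; pfxpass=$4

    # 1. Self-signed cert with an unencrypted key (-nodes), ten years;
    #    -subj replaces the interactive subject prompts.
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null

    # 2. Encrypt the private key. The post uses -des3; AES-256 is the better
    #    choice today. -passout avoids the interactive prompt.
    openssl rsa -aes256 -in "$dir/key.pem" -out "$dir/key.enc.pem" \
        -passout "pass:$keypass" 2>/dev/null

    # 3. Bundle encrypted key + cert back into pkcs12/pfx for an IIS import.
    openssl pkcs12 -export -inkey "$dir/key.enc.pem" -passin "pass:$keypass" \
        -in "$dir/cert.pem" -out "$dir/bundle.pfx" -passout "pass:$pfxpass"
}

# key_matches_cert KEY.PEM CERT.PEM [KEYPASS] -> true (0) if the RSA moduli agree
key_matches_cert() {
    key=$1; cert=$2; pass=${3:-}
    if [ -n "$pass" ]; then
        kmod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass")
    else
        kmod=$(openssl rsa -noout -modulus -in "$key")
    fi
    cmod=$(openssl x509 -noout -modulus -in "$cert")
    [ "$kmod" = "$cmod" ]
}

# pfx_subject BUNDLE.PFX PFXPASS -> prints the subject of the certificate inside the pfx
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: make_bundle "$(mktemp -d)" myhost.local 'key-pass' 'pfx-pass'
```

The modulus check is the quick way to confirm that the key you saved from the CSR step really is the one the returned certificate was issued for before you hand the pair to IIS or the load balancer.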
.: flogviewer
I've posted about baretail previously as a tail program for Windows, but now I see there is a similar tool with some more functionality to it. fLogViewer picks up and runs with the "Windows way" by taking a simple tool and putting more and more features onto it (note: Yes, I am fairly sarcastic there, but the features are appreciated nonetheless!). I kinda like this tool, although the necessity of an install and the way it uses some older system files than what I have on my XP system anyway are detractors to replacing baretail with fLogViewer.
.: top 25 moments in sci-fi from the last 25 years
Start the weekend off right with some off-topic reading pleasure. EW has a list of the top 25 moments in sci-fi in the past 25 years (and proper apologies for not being able to include Star Wars 1977 because it is too old). I definitely think I have a few television shows to watch as they appear on DVD. Excellent list!
.: seven things sysadmins forget to do
Lists by IT guys cum journalists can be pretty interesting things. Either they're obvious junk or sometimes just plain wrong. I eagerly checked out this link Marcin sent me about 7 things sysadmins forget to do, thinking it would be pretty stupid. I was pleasantly surprised with a few of the items. Here are some of my comments.

1. Forgetting to Delete a Former User's Account - This is one of those obvious ones, but I will defend poor sysadmins like myself and say that we don't just willy-nilly disable user accounts, even if we hear gossip that someone left. Too often, account disabling is not a breakdown of sysadmins, but a breakdown in the process of notifying sysadmins that someone has left. I really hate hearing someone "left 3 weeks ago" through the grapevine. (Or conversely, that "I have someone starting tomorrow morning...") Maybe in huge environments things like identity management should be looked at to solve this issue, but in smaller or medium environments, I really think HR and IT just need to make sure there is a process for account notification that is followed. In the end, all the sysadmin lists and processes are naught if no one says so-and-so is gone.

2. Forgetting to Regularly Search for Rootkits - Ok, this is just kind of a weird one. I don't think I've ever "forgotten" to search for a rootkit so much as I just don't look for them, or if a system is so obviously overrun it gets reformatted rather than spend more time on it.

I think the author has good points about how to mitigate rootkits and detect them, but seriously, how many admins put forth that much effort? Rootkits are the Harry Potters of the corporate IT household. They want to be kept under the stairs or up in their room and ignored and not dealt with...and for good reason. It is almost like having mice in your building. You can put out some traps, but really, no one is going to bother much with tearing up the walls trying to find their homes.

I sound kinda defeatist here, but the effort to find and protect against rootkits is a big investment, really. I just think this isn't so much forgotten as it is just chosen not to be done.

3. Forgetting to Use a Trouble Ticket Tracking System - Here's a personal bit about me: I'm a stickler about documentation and the sharing of information. There is too often a HUGE amount of organizational knowledge that leaves when an IT worker leaves a position. That shouldn't be the case, they should keep things documented for someone else to reference.

A trouble ticket system is part of that. If I know I've worked on something before, I want to be able to search the tickets and see what remediation occurred previously. I think some of this comes from my science background where experiments have to be documented such that someone else can recreate your findings. That's a big part of what a ticket system is to me.

Not only that, but it can be used to audit changes and requests. If Sally requested file server permission changes and was authorized to do so, but made a stupid request that caused data loss, that can be traced back to her ticket and the information in it. I also feel that, as a heavily-worked IT guy (and later on in my career, likely a manager of some sort), the ticket system is a natural means to track work loads and inefficiencies and reduce forgetfulness. Unless a ticket system has no means for internal notes (things not sent back to the requester) I really hate, hate, HATE to see tickets answered with, "Done," and absolutely no details on what was done...

There is one caveat to this, however, and would be Needy Users who have Stupid Questions but they insist on asking in person or calling in about them when their deadline is 1 hour away. Often, it might not be sysadmins who forget to use the ticket system, but users who bypass the ticket system to saddle IT with work requests. Sysadmins are then left to hopefully remember to put in the ticket themselves.

4. Forgetting to Set Up Technical Documentation and Creating a Knowledge Base - Based on my notes above, it's pretty obvious this is a sticking point with me as well. I deeply believe in the need for clear, effective documentation and maybe even a knowledge base. This should occur in IT shops of 1 person or 1,000 people. Even if I don't plan on leaving a job, there are always systems and processes that occur every 6 months or longer, and I hate to get to those points and not remember what to do. Referencing documentation helps speed up memory, get the tasks done efficiently, and improves consistency by not forgetting steps or retracing old mistakes. This can even be part of a DR/BCP or backup strategy, where network diagrams, IP distributions, config files, and other settings are documented somewhere for use in continuing the business in the case of large or small issues.

5. Forgetting the Risks of Flash Memory Drives - This also falls into "I didn't forget it, we just don't do this" category. By now, I really think everyone knows the issues with USB drives. They can introduce things not wanted and are a vehicle for data egress. You'll notice the author gives not even a single sentence on how to address this or what approach could be taken. There's likely a reason for that. Many people either don't know how to manage USB devices (do you know how to stop USB drives but allow USB mice/keyboards?) or can't get senior management to back the blocking of ports. Ever try to block USB/Firewire ports and have all the ipod users mutiny? Ever try to justify buying a certain USB brand for "official" use and tell people their personal ones won't work? This isn't so much forgotten as it is just not a battle to be fought or teams lack the knowledge to truly tackle it. There are far easier fires for most sysadmins to fight right now. The coming years should hopefully make tools to do these things easier for us admins, but they won't be getting cheaper or easier on the workforce at large, unfortunately.

Of note, for anyone who wants to limit USB drives, did you also limit floppy drives back in the day? Do you limit CD drives now? What is your basis for managing those differently? Honestly, USB drives can be argued to simply be part of our culture now, just like cell phones and the compact disc. Just be aware of that when trying to limit them and how that might affect employee happiness aka productivity, especially if your business is not subject to stringent regulations about tracking data egress.

6. Forgetting to Manage Partial Root Access - I don't really have anything to say here.

7. Forgetting Courtesy - This is a mixed bag with me. I agree, courtesy needs to be extended in a company, not just from IT, but from everyone. Each company is really just one big team trying to work together to do Great Things, but too often that courtesy breaks down somewhere, and that little ghost of rudeness gets passed around like a flatulence cloud that hovers and moves unexpectedly.

Yes, some IT guys are just rude and give evil looks when asked to assist with something. But I've often seen and felt that some of that rudeness is not something IT guys inherently do, but have been trained to do by poor management or abusive users. How many IT guys have tried to do the right thing by helping people, only to get sucked into tasks that aren't their responsibility just because they happened to make eye contact at the wrong time or try to help someone else?

At my last job, we had an HR director who needed regular help with her computer. I gladly stepped up and enthusiastically helped her early on. But she was one of those people who cannot be satisfactorily helped unless you do her job for her. Sadly, I couldn't do that, and some of the things she wanted were simply not even possible. She became the "oh god, don't help her, don't get involved because you can't win! Even if you win, she'll eventually get you to do things that you just can't do and then you're in the shitter!" IT support nightmares. In fact, I think every IT guy at that company who has tried has either left that company or is still in the shitter with her (and being in HR, you know what that means...). (Hell, I even got in trouble once because she asked me to rewire an electrical outlet and I said that needed to be done by a qualified outside contractor that the CFO would set up...)

Too often I really think IT guys are conditioned to be evil eye guys and this is as much a reflection on the corporate culture and their managers as it may be their inherent personality. Some people are assholes, but a lot of us are not.

(By the way, a lot of us IT guys have a ton of things to think about as we walk the halls to get from one place to another; we're often thinking about some problem or improvement, so if you stop us in the middle of the hall with some Stupid User Question and get a queer look, that just might be us trying to switch into help mode or tie off our internal thoughts to properly come back to them later. Or we know that Needy User has just circumvented the aforementioned ticket system by asking us in person, and will give us his own Evil Look when we plead that he make a ticket request since we're currently in the middle of something for More Important Needy User...it's a no win situation for us sometimes.)
.: evading and detecting wireless ids systems
David Maynor recently caught some attention by being critical of how Airtight protects a wireless network from rogue APs (and clients). I'll let the link speak for itself on that, as well as the Airtight CTO's take in the comments section of a post on Andrew Hay's site (and Mike Rothman's, for that matter).

What I found even more intriguing was the link to a 2005 paper from Joshua Wright discussing the flaws and details in wireless IDS/IPS methods of containing rogue wireless clients. Joshua Wright has an amazing ability in his papers to write very clearly and plainly, making the information easy to follow, and while the paper comes in at only 17 pages, I thought I would paraphrase his key points a bit in this post.

  • Wireless IDS detect and then try to disassociate/deauthenticate (deauth from here on) rogue clients.
  • Some try to send deauth frames to the client only; some also send them to the appropriate access point.
  • Some just vomit out deauth frames, others are more timed to respond efficiently.
  • The deauth mechanism is not set in stone, meaning implementation of frames can be done many ways. This combined with the various features means an attacker can detect and fingerprint a wireless IDS to better attack/evade it.
  • Detection/fingerprinting can be done via sequence number anomalies in the frames. Some vendors have set sequence numbers. Sometimes sequence numbers can be noticed as different between the wireless IDS frames and the real AP frames.
  • Detection/fingerprinting can be done via disconnect notice bit anomalies.
  • Detection/fingerprinting can be done by watching access point traffic in relation to deauth frames. If an AP really did issue a deauth, it wouldn't overlap that with assoc or other frames. If an IDS did the deauth, the AP's frames may overlap, giving away the IDS.
  • Detection can be done by comparing the signal strength bits of deauth and normal frames. Deauths of a different signal strength can give away the IDS presence.
  • An attacker can sometimes slip data into a network by slipping in between deauths that are spaced too far apart. Some vendors allow this to be variable or simply leave more time in between deauths so as not to further saturate the wireless media.
  • An attacker can modify his wireless drivers to ignore deauth frames such that if an IDS only sends deauths to the client and not the AP, the connection is never torn down because the client takes no action.

Check the paper for more details, including patching madwifi drivers to ignore deauths.
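The sequence-number, signal-strength and overlap checks above cut both ways: a defender watching their own airspace can use the same anomalies to spot deauth frames that did not come from the station they claim to come from, whoever sent them. The following Python is an added example, not code from Wright's paper or from this post. The frame records, the two MAC addresses (locally administered, constructed) and the thresholds are made up for the example, and the field names are an assumption about what a capture tool would hand you.

```python
"""Flag 802.11 deauthentication frames that are inconsistent with the rest of
the traffic from the station they claim to come from. The frames below are
constructed records, not a live capture; field names, addresses and
thresholds are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SEQ_MOD = 4096          # 802.11 sequence numbers are 12 bits wide
AP = "02:00:00:00:aa:01"      # constructed, locally administered address
CLIENT = "02:00:00:00:cc:01"  # constructed, locally administered address


@dataclass
class Frame:
    ts: float    # capture time in seconds
    src: str     # transmitter address
    dst: str     # receiver address
    kind: str    # "data", "assoc" or "deauth"
    seq: int     # sequence number from the frame header
    rssi: int    # signal strength in dBm as reported by the capture card


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance between two sequence numbers, allowing for wrap-around."""
    return (cur - prev) % SEQ_MOD


def analyze(frames: List[Frame], seq_tolerance: int = 8,
            rssi_tolerance: int = 10, overlap_window: float = 1.0) -> List[Dict]:
    """Return one alert dict per anomaly. Baselines (last sequence number and
    signal strength per source) are built from non-deauth frames only, so a
    forged deauth cannot poison them."""
    alerts: List[Dict] = []
    last_seq: Dict[str, int] = {}
    rssi_hist: Dict[str, List[int]] = defaultdict(list)
    recent_deauths: List[Frame] = []

    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.kind == "deauth":
            # Check 1: the deauth's sequence number does not follow the
            # source's last real frame (a jump, or a fixed/repeated value)
            if f.src in last_seq:
                gap = seq_gap(last_seq[f.src], f.seq)
                if gap == 0 or gap > seq_tolerance:
                    alerts.append({"ts": f.ts, "check": "seq",
                                   "detail": f"{last_seq[f.src]} -> {f.seq} (gap {gap})"})
            # Check 2: the deauth arrives at a signal strength unlike the
            # source's normal frames, i.e. from somewhere else
            hist = rssi_hist[f.src]
            if hist:
                mean = sum(hist) / len(hist)
                if abs(f.rssi - mean) > rssi_tolerance:
                    alerts.append({"ts": f.ts, "check": "rssi",
                                   "detail": f"{f.rssi} dBm vs mean {mean:.1f} dBm"})
            recent_deauths.append(f)
            continue

        # Check 3: the supposed sender keeps talking to the station it just
        # deauthenticated, so the deauth cannot have come from it
        for d in recent_deauths:
            if d.src == f.src and d.dst == f.dst and 0 <= f.ts - d.ts <= overlap_window:
                alerts.append({"ts": f.ts, "check": "overlap",
                               "detail": f"{f.kind} frame {f.ts - d.ts:.2f}s after deauth at {d.ts}"})
        recent_deauths = [d for d in recent_deauths if f.ts - d.ts <= overlap_window]
        last_seq[f.src] = f.seq
        rssi_hist[f.src].append(f.rssi)
    return alerts


# Constructed trace: three normal data frames, a forged deauth (wrong sequence
# number, different signal strength), the AP carrying on, then a genuine deauth.
SAMPLE = [
    Frame(0.00, AP, CLIENT, "data", 100, -50),
    Frame(0.10, AP, CLIENT, "data", 101, -49),
    Frame(0.20, AP, CLIENT, "data", 102, -51),
    Frame(0.25, AP, CLIENT, "deauth", 3000, -72),  # not from the AP
    Frame(0.30, AP, CLIENT, "data", 103, -50),     # AP still talking: overlap
    Frame(5.00, AP, CLIENT, "deauth", 104, -50),   # consistent with the AP
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(f"{a['ts']:.2f}s {a['check']:8} {a['detail']}")
```

The same logic applies with the client as the source when the deauth is spoofed in the other direction; only the frames you feed it change.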
.: tjx breach instigated through insecure wireless
It sounds like someone traced the TJX breach back to a store in Minnesota that employed WEP as their only(?) protection for their wireless system. While this is a simplistic announcement, it certainly is not the whole story.

This illustrates how just one weak part of a huge network (or business) like TJX can bring the whole thing down. You can roll out secured (?) wireless to 1,000 stores, but it just takes one store whose manager doesn't quite understand the technology (should they really, though?) or one overlooked site by the techs doing the setup and you suddenly become a part of security and business history.

I also wonder where the layered protections were. Did this Minnesota store get automatically bridged into the corporate network that had access to all this sensitive data whizzing by? Did no one have any logs or tripwires up on anything to monitor access? How well did the attackers cloak themselves to look like innocuous or expected systems? Was anyone watching the wireless access logs, or anomalies in data collection/transfer that most probably occurred?

I see that the article mentions software patching was lax. I see that employee logins were sniffed (NTLM or clear text to proprietary system?). Sadly, for as much as we need details to improve security both at TJX and with PCI auditors (and the rest of us!), this is so costly that I doubt we hear more details for years until the courts release it. Did they ever rotate wireless passphrases? What was the real need for wireless in the first place?

So let's say I'm in Minnesota and see a Marshall's using WEP on their wireless network. I crack WEP and do some testing and practice some patience to make sure no one's watching the access and that I don't trip any IDS. Eventually I get comfortable enough to log onto the network and perform some stealth scans to see what I can see. I bet I can see a lot, including some unpatched machines which I can get a foothold into (in a best case scenario for me, I might just be right on the full corporate network through some dedicated VPN setup). This pretty much shows me that admins at TJX aren't quite as diligent as they should be, which can put me and my cohorts at ease. From there, I can sniff on systems I own and pilfer what I can. Lack of software patching standards probably means shared passwords everywhere too.

Blah blah blah...there's plenty of places where TJX should have detected and or slowed down these attackers. Death by a 1000 cuts is becoming a pet phrase of mine...
.: corporate cyber espionage is still in its infancy
A good friend of mine and I were talking this weekend and the topic came up of corporate (and beyond) cyber espionage only just starting to be a force. I really believe that as more and more people have insecurity skills and our society continues to become more digitally dependent on information as our lifeblood in business, corporate espionage (which really has always been around) will only become more and more prevalent.

I wonder how many corporations (truly!) think it would be moral/immoral to:

1) Do some cyber "recon" at tradeshows on your competitors. Or maybe just DoS them during their demos? (active and passive attacks)

2) Hire some group to perform a DoS against a competitor's website/service during a particularly important moment.

3) Perform recon to continually footprint and find systems and sensitive information. Do you know how often a company can give away new projects just by their public DNS entries?

4) Perform dumpster diving regularly?

5) Feel ok with profiling and possibly probing employees' home networks (particularly wireless)? Think c-levels and remote sales, for starters.

6) Send malicious emails to targeted persons in a rival company hoping to root the system? Do you know how quickly someone running as local admin can have a malicious program installed which can then sniff and or grab email account passwords for very important people and then send it back to someone who can log into webmail whenever they want?

7) Try to guess some webmail passwords of important people?

8) Pay for someone who has information about a rival because this person just sits at major airports and attempts wireless attacks against travelers, looking for juicy connections and info to sell?

I really think this is only going to get worse and much more commonplace. Besides, much of this stuff is still way too easy to perform, and in a way that is still way too anonymous. And I think anyone who has been online any amount of time knows that laws are more "easily" broken when you're not standing in front of a police officer. Physical presence is a barrier that most often protects our physical safety, but that deterrent is completely absent online.
.: the sysadmin ultimately exists to support the business
In response to the 7 things sysadmins forget, Rebecca Herold commented and I wanted to pull it out for a separate post.
Forgetting that their sys admin job ultimately exists to support the business
No kidding! I think there are three mindsets when it comes to sysadmins (and really, IT/business in general).

1. Sysadmins who understand this concept and make decisions themselves on how their job relates to the business.

I consider these sysadmins to be empowered admins who understand their job. They can prioritize their time and make decisions frequently on their own that really do benefit the company and their own role. The sysadmin with this mindset tends to perform risk assessment and decision-making in her head and can sometimes be seen as making rash (but hopefully accurate) decisions.

2. Sysadmins who don't care about this question and instead defer this layer of involvement in the business to their boss.

Sysadmins at this stage seem to need lots of things escalated to their manager, even when small ticket requests have slightly larger implications. They do their job well and make their views known to their manager, but ultimately let someone else make the decision for them. Some sysadmins may get forced into this position based on the company and managers they interact with. When bureaucracy does not exist, this may be a result of a lack of respect and trust given to the sysadmin, such that he is not allowed to make his own decisions. Other times, this is just the style the business prefers.

3. Sysadmins who forget this all the time and really think the business exists to serve their job, or better yet, they only see their job as being ultimately important.

These sysadmins are typified by saying secure this secure that, even if it impacts business negatively. They make decisions based on their job only. Sometimes this is good, especially in a large corporation where you only really have a small slice to make decisions around anyway, but typically this is a negative mindset where the admin is likely never feeling fulfilled and really never fully gets his way...ever.

I think it would be beneficial to see which sysadmin one is, and what sysadmin the company nurtures. Even something as simple as me being a #2 sysadmin but in a #1 company can lead to unhappiness and underperformance. For instance, I like making decisions quickly on my own about what security and IT initiatives to do and how to do them, but if I am in a company where my boss and other managers hate that, I likely won't be very effective and we might all end up turning into sourpusses over time.
.: vmware box is alive
Phew! Swapped out my Radeon 9500 card for an equally pricey (haha!) Diamond Radeon X550 and my vmware box has signs of life. In fact, the signs were so good that I finished mounting the parts, finished up the cabling, and powered on long enough to make sure Ubuntu 6.04 loaded from CD and saw everything. Good deal!
.: on not being you
So, we have an intarweb that lets us post all sorts of zany things all over the place, from a ratty MySpace page to a litany of comments on news clippings and blogs and forums.

I know Dan Morrill talks now and then about making sure an employer Googles prospective employees. But what if someone has been posting using your name in various places? For instance, I make little to no effort to mask my online moniker, LonerVamp. But what if someone started using that name maliciously and posting hate and other garbage around that eventually gets indexed?
.: web 2.0 animation
I saw this a few months ago and can't remember where I saw it. But I looked it up again and to save me from the trouble of losing it in the future, I'm posting this web 2.0 clip, The Machine is Us/ing Us.
.: bruce on not needing a security industry
I've seen plenty about what Bruce Schneier said recently along with the feedback. Rather than address the content directly, I just want to say that eventually, many experts become nearly an establishment in themselves. Eventually they can say big, extreme things, and rather than be pissed away like some angry kid, they instead influence. Or at least make a valid point in their extreme. They kinda become those half-senile curmudgeons that are important enough that people listen to everything they say. He can say big things and doesn't mind if everyone else uses his words as a boilerplate.

Now, that's not a criticism. I don't think that is bad at all. But I think that when a lot of people my age get to be Bruce's age with a similar long background in this field, we might also see new things or futility in old things and say stuff that might be seen by others as a bit far-fetched. But I think his extreme approach is just a direct relationship to his notoriety and influence.

For some reason, I really wanted to work a quote in here as my mind drifted from establishment to institution. Anyway, I'll force the quote in anyway, "No, I want you to set a fire so goddamn big the gods will notice us again, that's what I'm saying. I want all you boys to look me straight in the eye one more time and say, 'Are we having fun or what?'"
.: web app sec testing sites
Saw this on the SecurityFocus pen-testers mailing list and thought I would capture them here for future reference. These are some sites/tools to help evaluate web app security scanner tools.

SPI Dynamics zero.webappsecurity.com
Cenzic crackme.cenzic.com
Foundstone SASS tools
OWASP WebGoat
OWASP SiteGenerator
Watchfire demo site
Acunetix php test site

Typically, lots of the online "hack me" or "hacker challenge" sites like some in my right menu list tend to touch on web-borne "hacks" for their challenges as opposed to anything else. May get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.
.: staying anonymous - part 3 email
email (mailing lists) - Email is an important validator of people versus bots. It is also an excellent means to communicate with others and peruse email mailing lists which have some of the most traffic and information sharing of any method presented. However, you certainly do not want to use your own mail address from work, home, school, or even your own home server if you want to preserve your anonymity. Sign up for Google's Gmail and create an anonymous account.

Do not set up POP3/SMTP on your normal mail client and instead stick solely to the web interface using a non-IE browser that is diligently patched. Using your own client may tempt you to reply, and not every email service is necessarily anonymous when you send your email directly from a client application.

Don't send your "real" email accounts mail from this anonymous one; don't send yourself test emails; don't forward away from this email. Instead, copy-n-paste or test your anonymity using another anonymous mail source that allows you to view full headers. Hotmail, Yahoo, and Hushmail are other choices, although the latter either requires money or it will lock your account if you don't log in for 3 weeks. If someone gets into your super secret email account, you don't want your Sent items to give you away (and vice versa if you lose control of your personal account).

For some mailing lists, such as SecurityFocus, you can post replies via a web form (depending on the moderation of the list, you might have to at least provide a valid "on-the-list-already" email address). But at least this way you can check your mailing list anywhere, and always post under one address, or through a web proxy to hide your originating IP.

I also highly recommend finding a favorite throw-away email box. Pookmail is my preferred disposable (yes, I'm dropping Google search terms!) email service. You send an email with a reply address or somethingunique@pookmail.com, wait for a reply and pick it up at the website. Granted, this has zero expectation of privacy, but at least you can use this as a throw-away address. I use this when signing up for software trials and downloads and junk that require a valid email.
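The "view full headers" test above can be scripted. The Python below is an added example, not part of this post: it pulls the Received chain out of a raw message, plus the X-Originating-IP header that some webmail services have added, and reports which addresses and hostnames are exposed. The message is constructed, using documentation address ranges where a real relay would show public addresses and an RFC 1918 address for the sending machine.

```python
"""Show what a message's headers reveal about where it was sent from.
The raw message is constructed for this example: the hostnames are
example.* names and the addresses come from documentation or private
ranges, so nothing here refers to a real mail server."""
import ipaddress
import re
from email import message_from_string
from typing import Dict, List

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host>" at the start of a Received value, as MTAs write it
FROM_HOST_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)

# Python's ipaddress treats documentation ranges as non-global, so the
# internal/public split is done against the RFC 1918, loopback and
# link-local networks explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

RAW_MESSAGE = """\
Received: from mail-relay.example.net ([192.0.2.5])
  by mx.example.org with ESMTP id ABC123; Tue, 15 May 2007 10:00:03 -0500
Received: from [10.0.0.12] (helo=laptop.home)
  by mail-relay.example.net with esmtpa id XYZ789; Tue, 15 May 2007 10:00:01 -0500
X-Originating-IP: [203.0.113.44]
From: anon-user@example.net
To: someone@example.org
Subject: header check

test
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _add(ip: str, public: List[str], private: List[str]) -> None:
    bucket = private if is_internal(ip) else public
    if ip not in bucket:
        bucket.append(ip)


def exposed_origin(raw: str) -> Dict[str, List[str]]:
    """Addresses and host names an observer could read off the headers.
    Received headers are prepended by each hop, so the last one in the list
    is the hop closest to the sender."""
    msg = message_from_string(raw)
    public: List[str] = []
    private: List[str] = []
    hosts: List[str] = []
    for hop in msg.get_all("Received") or []:
        if (m := FROM_HOST_RE.match(hop)) and not IPV4_RE.fullmatch(m.group(1).strip("[]")):
            hosts.append(m.group(1))
        if m := HELO_RE.search(hop):
            hosts.append(m.group(1))
        for ip in IPV4_RE.findall(hop):
            _add(ip, public, private)
    for value in msg.get_all("X-Originating-IP") or []:
        for ip in IPV4_RE.findall(value):
            _add(ip, public, private)
    return {"public": public, "private": private, "hosts": hosts}


if __name__ == "__main__":
    for key, values in exposed_origin(RAW_MESSAGE).items():
        print(f"{key}: {values}")
```

A private address in the chain is not harmless: combined with the HELO name it describes the sending machine even when the public address belongs to a proxy or relay.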
.: powershell: working with file permissions
For my PowerShell moment today, I have been working with setting file permissions. I had a problem trying to get permission changes made to one folder to propagate down to all child items. I didn't really want to wipe out anything below, and I wasn't using any SDDL creation/twiddling approaches this time. Just a simple AddAccessRule that needed to be pushed down to all subfolders and files and still be marked as inherited.

I finally found a solution by pulling the ACL from each child item, doing a SetAccessRuleProtection($false,$true) and then setting the ACL back onto the child item. This basically seems to force the ACL to be refreshed, which then pulls down stuff that should be inherited.
# $strTarget holds the parent folder whose ACL already carries the new rule.
# Walk every child item (files and folders, hidden ones included).
foreach ($i in Get-ChildItem $strTarget -Recurse -Force)
{
    # Pull the child's current ACL
    $objNewACL = Get-Acl $i.FullName
    # isProtected=$false re-enables inheritance from the parent;
    # preserveInheritance=$true keeps the rules already inherited
    $objNewACL.SetAccessRuleProtection($false, $true)
    # Writing the ACL back forces a refresh that pulls the parent's rule down as inherited
    Set-Acl -Path $i.FullName -AclObject $objNewACL
}
.: truth and wisdom with age
I speak truth, not so much as I would, but as much as I dare; and I dare a little the more, as I grow older. -Michel de Montaigne.

If you've ever visited my personal site, you probably picked up that I collect and love meaningful quotes (the more zen the better!). This one came up today and reminds me of Bruce's little speech in recent weeks.
.: metasploit tutorials
Just for reference, a question about where to go for tutorials on Metasploit was recently posted to the pen-test mailing list on SecurityFocus. Here are some of the responses. At some point I need to explore this silc channel...

Metasploit (wiki)Book
Offensive Security 101
Metasploit Toolkit (Syngress)
milw0rm videos
IronGeek video
Tyler's videos
.: akismet vulnerability announced
There isn't much detail posted yet, but it appears the Akismet plugin for WordPress 2.1.3 (and probably others) has some vulnerability in it. Right now, the only real mitigation is to turn off the plugin until details or updates are released so you can see whether you are vulnerable (I don't use WordPress myself).

Heck, I already get enough spam, and I have been watching as it slowly spreads from a couple core posts to other older posts. Oddly, this weekend about 30 spam comments got through (even as my own comments get moderated!). It's really just a losing proposition in the end, unless someone really babysits their blog or enforces registration (blech!). At least I babysit for now. I should try to go through my junk list (1399 spam comments saved) and see if there is any sort of IP correlation or what. I kinda doubt it, but maybe I can at least filter some more keywords beyond the obvious...
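For the IP-correlation and extra-keyword idea at the end, here is an added Python example; it is not from this post and not from any WordPress or Akismet code. The spam and non-spam comments and their source addresses are constructed (documentation IP ranges). It groups the spam by address and by /24, and lists words that recur in spam but never appear in the legitimate comments, which is where candidate filter keywords come from.

```python
"""Look for structure in a pile of spam comments: which source addresses and
/24 networks recur, and which words show up repeatedly in spam but never in
legitimate comments. Comments and addresses are constructed for this example
(documentation IP ranges), not taken from any real blog."""
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# (source IP, comment text), constructed
SPAM = [
    ("203.0.113.10", "cheap pills from our online pharmacy, great discount"),
    ("203.0.113.11", "best online pharmacy with huge discount on pills"),
    ("203.0.113.57", "discount pharmacy pills shipped worldwide"),
    ("198.51.100.8", "nice post! check out my casino bonus codes"),
    ("198.51.100.8", "free casino bonus for new players"),
    ("192.0.2.77", "great article, very informative, see my blog about pharmacy"),
]
# Legitimate comments, constructed, used to keep ordinary words off the filter list
HAM = [
    "Nice post, I ran into the same problem with the VNC scrollbars.",
    "Great article, thanks for the PowerShell example.",
]

WORD_RE = re.compile(r"[a-z]+")
MIN_WORD_LEN = 4   # drops "my", "for", "the" and the like without a stopword list


def ips_by_prefix(ips: List[str], prefix: int = 24) -> List[Tuple[str, int]]:
    """Count comments per network of the given prefix length, most active first."""
    nets = Counter(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips)
    return sorted(nets.items(), key=lambda kv: (-kv[1], kv[0]))


def ips_by_address(ips: List[str]) -> List[Tuple[str, int]]:
    """Count comments per exact source address, most active first."""
    return sorted(Counter(ips).items(), key=lambda kv: (-kv[1], kv[0]))


def words_in(text: str) -> set:
    """Distinct lower-case words of useful length in one comment."""
    return {w for w in WORD_RE.findall(text.lower()) if len(w) >= MIN_WORD_LEN}


def keyword_candidates(spam: List[str], ham: List[str],
                       min_spam: int = 3) -> List[Tuple[str, int]]:
    """Words found in at least min_spam spam comments and in no legitimate
    comment. Counts are per comment, so a word repeated within one comment
    counts once."""
    ham_words = set().union(*(words_in(t) for t in ham))
    spam_counts = Counter(w for t in spam for w in words_in(t))
    hits = [(w, n) for w, n in spam_counts.items() if n >= min_spam and w not in ham_words]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ips = [ip for ip, _ in SPAM]
    print("by /24:", ips_by_prefix(ips))
    print("by address:", ips_by_address(ips))
    print("filter candidates:", keyword_candidates([t for _, t in SPAM], HAM))
```

The ham set matters as much as the spam set: without it, "great" and "nice" would top the list and the filter would start eating real comments.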
.: open proxy honeypot
An idea for a rainy day (or bored student!): a web proxy "honeypot." (Snargled from Grossman.) Rather than running theirs, if you roll your own I suppose it wouldn't be all that hard to stand up, but it might be a bit harder to attract malicious users. Perhaps by dropping the open proxy address on some anon proxy lists, astalavista, and other such places you might eventually get some hits...

Running one's own open web proxy might drive home the fact that while a web proxy may give you anonymity from the destination's point of view, it does absolutely nothing for the privacy of your data or your anonymity from the point of view of the proxy device itself.

Oh, and how fuckin' sweet is it that you can package your wares into a VM and distribute it that way? Copy over the VM, start it up, and bam, all that configuration and setup is pretty much done, just give it an IP!
.: mcgrew security bbs
I've not hidden my support for the forum (or BBS) format of information exchange; in fact, I think it is one of the best formats when actively used. While I may not participate, I figured I would help post around about a new forum that is trying things out: McGrew Security BBS. We'll see where this goes and if I find the time to participate, as it is that first year that is the most important (and hardest) for any forum to endure; kinda like trying to siphon water. You have to work at it until it becomes more or less a self-sustaining conduit of incoming content and people.
.: vmware server on ubuntu 6.10
Tonight I finally got around to installing vmware server on my new vmware box. I used a couple sites as my guides. Ever since starting Linux, I've learned to keep "journals" about what I've installed and the voodoo needed to get some things working for future reference. I'm getting better about putting my notes down into a more polished form early, but I still might get one or two things wrong here. I'll try to update as needed, but I suspect eventually these notes will just get ported over to the wiki.

I needed to install a few dependencies first since this is a fresh Ubuntu 6.10 install.
sudo apt-get install xinetd
sudo apt-get install linux-headers-`uname -r` build-essential
This folder will be used to hold the VMs:
mkdir /var/vm
Download both files (server and management user interface) into a temp folder, and get a registration key while on the site. This is free and doesn't require any valid information, not even an email address. The key will appear after submitting the form (the sales teams must love that!).
tar xvfz VMware-server-*.tar.gz
cd vmware-server-distrib
sudo ./vmware-install.pl
I answer /var/vm as the location for virtual machines. I also answer "no" for NAT or host-only networking (leaving me with bridged mode) as I really just want my VMs to be grabbing an IP off my network and have full access out to the Internet (at least on this machine).

Next is the MUI.
tar xvfz VMware-mui-*.tar.gz
cd vmware-mui-distrib
sudo ./vmware-install.pl
All defaults for the MUI. This should fail to start the httpd server at the end and needs a patch.
cd /tmp
wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
cd /
sudo patch -b -p0 < /tmp/httpd.vmware.diff
sudo /etc/init.d/httpd.vmware start
Once it has started, the MUI is at https://localhost:8333.

To create a VM, you will need to use the console (not the MUI) by heading over to Applications->System Tools->VMware Server Console in the kicker.
.: cisco ftp server vulnerability
An article about a Cisco FTP vulnerability caught my eye today. The article gave little detail, so I checked with Secunia and sure enough saw an advisory. That's an interesting vulnerability (serious in impact, but the FTP server is not enabled by default...so not the holy grail of network hacking), and I would hope good admins have already taken some measures to mitigate or avoid this issue.

First, don't use the FTP server. I'd rather use an external TFTP server as opposed to one on the router itself. Second, even if the config is disclosed, limit the damage by making sure your enable and enable secret passwords are different, as are the SNMP strings and other access passwords that may be disclosed in the config. Also make sure they're all different across other routers (minus the SNMP string, of course). Third, update your IOS, of course, and hope that Cisco puts in a (long overdue) SCP/SFTP solution sooner rather than later.
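The first two points can be checked mechanically across a set of routers. The Python below is an added example, not from Cisco or from this post. The two configs are constructed: hostnames, passwords, the type 7 string and the "enable secret 5 $1$..." value are placeholders, not real digests, and the line forms matched (ftp-server enable, enable secret, enable password, snmp-server community, username ... password, and password under a line) are an assumption about how the running-config is written. Because the enable secret is stored hashed, the script can only compare the clear-text values it finds; an identical secret hash on two routers (same salt and all) is still a giveaway that a config was copied.

```python
"""Audit Cisco IOS running-config snippets for the points in the post: an
enabled FTP server, credentials reused within a router, and credentials
reused across routers. Everything below is constructed: hostnames, passwords,
the type 7 string and the '$1$...' enable secret are placeholders, and the
IOS line forms matched are assumptions about the config format."""
import re
from collections import defaultdict
from typing import Dict, List

PLAIN, TYPE7 = "0", "7"   # IOS password encodings: 0 = clear text, 7 = reversible

ROUTER_1 = """\
hostname edge-r1
enable secret 5 $1$SALT$PLACEHOLDERHASH00000000000
enable password 0 routerpass
snmp-server community routerpass RO
username ops password 0 opspass
ftp-server enable
line vty 0 4
 password 0 routerpass
 login
"""

ROUTER_2 = """\
hostname edge-r2
enable secret 5 $1$SALT$PLACEHOLDERHASH00000000000
enable password 7 0822455D0A16
snmp-server community public RO
username ops password 0 opspass
line vty 0 4
 password 0 vtyonly
 login
"""


def parse_config(text: str) -> Dict:
    """Pull the credential-bearing lines out of one running-config."""
    cfg = {"hostname": "?", "ftp_server": False, "enable_secret": None,
           "enable_password": None, "communities": [], "creds": {}}
    current_line = ""
    for line in text.splitlines():
        if m := re.match(r"^hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif line.startswith("ftp-server enable"):
            cfg["ftp_server"] = True
        elif m := re.match(r"^enable secret (\d) (\S+)", line):
            cfg["enable_secret"] = m.group(2)
        elif m := re.match(r"^enable password(?: (\d))? (\S+)", line):
            cfg["enable_password"] = (m.group(1) or PLAIN, m.group(2))
        elif m := re.match(r"^snmp-server community (\S+)", line):
            cfg["communities"].append(m.group(1))
        elif m := re.match(r"^username (\S+) .*?(?:password|secret)(?: (\d))? (\S+)$", line):
            cfg["creds"][f"username {m.group(1)}"] = (m.group(2) or PLAIN, m.group(3))
        elif m := re.match(r"^line (.+)", line):
            current_line = m.group(1).strip()
        elif m := re.match(r"^ password(?: (\d))? (\S+)", line):
            cfg["creds"][f"line {current_line} password"] = (m.group(1) or PLAIN, m.group(2))
    return cfg


def audit_router(cfg: Dict) -> List[str]:
    """Per-router checks: FTP server, weak encoding, one password used twice."""
    issues = []
    if cfg["ftp_server"]:
        issues.append("ftp-server enabled: the router's filesystem, config included, is served over FTP")
    if cfg["enable_secret"] is None:
        issues.append("no enable secret configured")
    ep = cfg["enable_password"]
    if ep:
        if ep[0] == TYPE7:
            issues.append("enable password stored with reversible type 7 encoding")
        # Only clear-text values can be compared; the enable secret is hashed.
        for label, (enc, value) in cfg["creds"].items():
            if enc == PLAIN and ep[0] == PLAIN and value == ep[1]:
                issues.append(f"enable password reused as {label}")
        if ep[0] == PLAIN and ep[1] in cfg["communities"]:
            issues.append("enable password reused as SNMP community string")
    for c in cfg["communities"]:
        if c.lower() in ("public", "private"):
            issues.append(f"well-known default SNMP community '{c}'")
    return issues


def audit_fleet(configs: List[Dict]) -> List[str]:
    """Cross-router checks: the same secret hash or clear-text password on several routers."""
    seen = defaultdict(set)
    for cfg in configs:
        if cfg["enable_secret"]:
            seen[("enable secret", cfg["enable_secret"])].add(cfg["hostname"])
        for label, (enc, value) in cfg["creds"].items():
            if enc == PLAIN:
                seen[(label, value)].add(cfg["hostname"])
    return [f"{label} shared by {', '.join(sorted(hosts))}"
            for (label, _), hosts in seen.items() if len(hosts) > 1]


def run_audit(texts: List[str]) -> Dict[str, List[str]]:
    configs = [parse_config(t) for t in texts]
    report = {cfg["hostname"]: audit_router(cfg) for cfg in configs}
    report["fleet"] = audit_fleet(configs)
    return report


if __name__ == "__main__":
    for host, issues in run_audit([ROUTER_1, ROUTER_2]).items():
        print(host, issues)
```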

Of additional note, I'm still itching to get my hands on the Hacking Exposed: Cisco Networks book. It taunts me weekly from the bookstore shelf, but I just don't want to get too confused as I am hitting the running strides of my study for CCNA (which I will take in late May or early June).
.: conquer the ubuntu vnc black scrollbars
If you do much work using Ubuntu and multiple computers, you may have noticed that when using vncviewer to connect to a remote system with a higher screen resolution, you get these annoying black scrollbars. These bars seem to only scroll in one direction and then never scroll again, right?

Well, wrong. Turns out these bars do work, you just have to right-click to move the bars the other direction. Middle mouse button will work them in either direction. That's just weird and I'd rather not deal with it.

There is another solution. On your client system, go to your repositories or otherwise apt-get install xvnc4viewer. This will fix those dang scrollbars. As a bonus, this seems to replace any vncviewer apps you have on the Ubuntu client. If you type vncviewer, you get xvnc4viewer. If you click Applications->Internet->Terminal Server Client and attempt a VNC connection there, you also get xvnc4viewer. Nice!
.: turn firefox into spyware
Turn Firefox into spyware! I saw Xavier Ashe post about FFsniFF which is an extension for Firefox. It will not display itself in the extensions list, wait for HTML forms to be submitted, and email the contents of that submitted form to some email address. On one hand this makes me say, "What the crap...?" On the other, I could pilfer info from a lot of people who otherwise trust Firefox as their browser. While I might need admin rights to install keyloggers, I wonder if I could install this extension as a normal user? I guess this might not be a huge deal as there are browser password managers galore anyway, and they have to get those passwords somehow, but FFsniFF still seems very shady...
.: on the total failure of information security
Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn't smack of an extremist and very dramatic "I'm not here to listen to rebuttals" tone, then I don't know what would.

I held my comments, and instead wanted to hear Noam's follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, "Racism is bad, yeah, let's all get violently upset that racism is bad!" and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.

Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, "How can we fix this?" he offers, "Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your comments and feedback." Honestly, this sounded half like he was going to use other people's suggestions to formulate his own; shady.

Sadly, the follow-up I had hoped for was not to be.

Instead, Noam's follow-up consisted of some "Yay, people agree with me!" at the start, and then bogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2 factor authentication for gmail and hotmail...). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don't all have those, but maybe not quite so useless and attention-pleading).

I am overall disappointed with this approach. I don't argue that the general feeling of Noam's article is wrong. I think we do have problems and issues, although I'm not sure we have a total failure. I had much more to say about the article, but I don't feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:

1) You can't use stats to measure something that is as a whole growing; you have to wait for a plateau to get meaningful stats, or perhaps use ratios.

2) Noam's expectations may not be reasonable as he implies that people should feel safe doing "normal and common" stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving arbitrarily forward.

3) I wonder what state we'd be in if we didn't have what security we do have now?

4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.
.: a few pinball days
Sometimes life turns into a pinball machine for small stretches; shot up the lane and into play, rolling and bouncing around and not really able to do anything about it. That's the story of my weekend and likely the rest of this week. I'm a pretty laid-back guy, but sometimes life's little needs and emergencies require immediate attention. And no, none of my issues are hugely important. :)

My vmware box has just been cleared from the infirmary. Last week, fairly randomly, two things kept occurring that might have been related. Every few hours the kernel would throw some IRQ alerts to do with my video card. At other random intervals, the networking on the box would "lose itself." Once I got on the console and attempted to access the network, the system would realize that eth0 had timed out, bring it back up, and all was well for another random period. I added "irqpoll" to the startup parameters for reasons I cannot explain, and all was solid all weekend. So now the system is cleared and back to building VMs. The IRQ alerts still come in, but so far I've seen no reason to pursue fixing those.

Tomorrow I have a major service appt for my car, but yesterday my battery decided it had had enough. It had corroded enough to affect the leads and died in the afternoon. Sunday afternoons are maybe the worst time to have a car issue since few shops are open. I waited until this morning to get a jump, drove it in to the shop, and got the battery replaced. Since this is the first time I've had it die on me, at least I got to see the effects on my car of a dead and/or weak battery: what things worked and what didn't (beyond the obvious lack of action upon key-turn).

I also am hoping to ramp up more focused CCNA studying. I finished the book I have at the dealership this morning, albeit in between being distracted by Regis and other stupid morning television. I'm pretty happy with the knowledge I gained, and I just need to look into some more detailed things like making sure I can quickly calculate subnets (evil).

And this week one teammate of mine is off on a cruise which leaves me caring for all his duties for the next week+. A bit hectic and overwhelming, but things should be fine, albeit busy.
.: securityhacks show off security hacks
I don't typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is "market bandwidth" for sites that show off tools or "how-to" sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate for long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections (I think if you're going to this much trouble, you may as well learn SSH transfers or implement a full VPN), SQL injection scanners, and "recovering" Firefox stored passwords. There's also mention of pwdumpx (not to be confused with pwdump or even fgdump...).
.: keeping current or finding new niches
Every now and then I like posting about new and coming technologies or things that budding (or bored!) security persons can look into to get a leg up on other professionals. While I may not have bandwidth myself, I can at least identify them for my own reference or anyone else as well.

Vista. While lots of people are resisting Vista as not an entirely necessary upgrade, this is, quite frankly, the future of Windows computing. It might not be even next year, but at some point all of us will be forced to update to Vista, either due to dropped support for XP or simply because all our home users' new computers come with it installed...then remote access needs updating, QA needs test machines, web sites need to work...and so on until you have to adopt it. So get Vista today, be aware of the licensing and versions, figure out the nuances of wireless and wired and security concepts in Vista, and tinker with supporting it on a wide scale (scripts, GPO, firewall, etc). May as well start now and get moving, otherwise you'll be like me, still running Win2000 laptops (ok ok, so I like the non-hassle of Genuine Advantage license checks that don't exist for Win2000 and the smaller resource footprint on my old laptops...). Nonetheless, it may be years away, but rest assured someday Vista will be the standard.

Macs. Macs have long been on the fringe of corporate networks, likely only used by graphics people or designers. They are exceptions in corporate policy and management, and typically corporate IT has no Mac experts and leaves management to third party contractors or the users themselves. As Macs continue to make headway with home users (and especially security people like us) it makes sense that we become Mac-aware enough to support those users and add that to our corporate IT merit badges. Like I said, few IT geeks really can support the Macs, so one-up the rest and learn them. As a bonus, try to figure out how to make sure your monitoring and systems management can become Mac-friendly so they're not always the exceptions to the rules.

Get on top of Longhorn now. While slated for the ever-skeptical release date of early 2008 now, like Vista, it will eventually be the de facto standard, for better or worse. Likewise, get ready for PowerShell, Windows' upcoming enhanced shell experience (which will also be the primary means to manage Exchange 2007).

This is one of the challenges of being an IT geek. You can't just learn Windows 98 inside and out and hope to stick with it forever. You gotta be ready to move with the world and learn new things rather than sit back and cling to the past. Ask any mainframer from the 80s and 90s who doesn't get to work on mainframes anymore...
.: fe3d nmap scan visualization
From Windows Incident Response I was reminded about fe3d, a 3d visualization tool for nmap scans. While possibly not very practical, it does make for feel-good eye candy in a dark room or when someone is watching you that you want to impress (managers!). The timeline on this project only goes back a few months, but I swear I saw this tool a couple years ago.
.: rdp into console session
Want to RDP not into your own session, but into the existing console session? Yeah, me too, and I always seem to forget this Run command for Windows:
mstsc /v:SERVER-OR-IP /console
.: data protection rambling: data in use
Managing security from a data-centric point of view is like herding cats. Rambunctious cats. Cats that want to be free. Cats that spontaneously multiply. Like tribbles.

I was thinking today about how interesting something like a centralized Office suite (such as Google Apps) would be when it comes to making sure people are not distributing your data wantonly. For instance, how often have you seen the sales exec who has access to sensitive information in a file share forward a copy of that document to his reports via email? Reports who shouldn't be seeing that stuff?

This brings me to thinking about data security a bit more. Often I see people talk about the two obvious pieces: Data At Rest and Data In Motion. These are pretty obvious. Data At Rest deals much with access permissions and encryption. Data In Motion deals with encryption of the channel over which data is transmitted.

But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake. Can they open a doc and recite the numbers to someone over the phone or take photos of it? Yes, tough if not impossible to fully stop, but a concern nonetheless? (Yes, it is arguable whether we should spend time thinking about the unfixable...)

You know, the corporate world was once a terminal environment with centralized computing. We've moved on from that, but so far lots of our issues can be solved with tightening back into centralized computing. We don't like to think that way, but it's true.

The two caveats in centralized computing? The mobility trend. The fact that users are also consumers and are used to having "the power" on their computer systems at home.
.: ipv6 still only lurking
IP addresses are running out! While I'm not about to start crying that the sky is falling, the article linked mentions that we will be out of IPv4 addresses in 2012 or 2013.

Considering most shops spec their network gear lifecycle at 4 or more years, now is the time to start paying attention to the needs of the infrastructure. We can all do our part today to ease the pains of this changeover. Any gear you buy today for your network, particularly the critical and perimeter infrastructure, should either have IPv6 support today or have an aggressive roadmap to get there soon.

Also, for those budding (or bored!) security persons (again!), study up on IPv6 now. Learn how it works and how to implement and troubleshoot it.
.: diggnation news
If you don't watch Diggnation and you even remotely like my blog, watch it. Here's some gems from this past week.

Top 15 quotes from Han Solo that you can use in daily life - omg I love it!
You know you're in college when... - Too true...ahh memories!
10 reasons it doesn't pay to be the computer guy - More memories...eek!
.: stupid apache windows trick
Simple things feel good. They really do! Keep life simple. Flashing across the full-disclosure list this week was a simple way to enumerate whether an Apache web server is running on Windows or not.

If you make a call to a page that does not exist, you get a typical 404 error, like this page that doesn't exist. (Yeah, in a few months I'll regret putting up a purposely dead link when I see it in the logs...). But try hitting a link to domain/AUX. You get a far different error on my site because, yes, stone me now, I run Apache on Windows. Try it on someone else's site that you know is running Apache on nix, and you'll just get the normal 404 error.

So next time you're curious about a web site and you've confirmed it runs Apache, try the "on Windows?" test so you don't look stupid trying to use "root" on the listening SSH port or throw in a battery of nix-only vulns to the website.
.: madwifi driver update
MadWifi drivers have been updated to 0.9.3.1. This is really one of the only downsides of something like the BackTrack livecd. Anyone using the BT2 version will have "vulnerable" madwifi drivers unless you roll your own distro (I don't know how) or always patch after boot (annoying). Nonetheless, if you're heading into any hostile territory (read: less formal security conference), it really is not good form to not be patched. Reading those fixes tells me it should be fairly trivial for someone to bump all laptops using vulnerable madwifi drivers off the network indefinitely.

Some random project for another year is to make a more "bristly" wireless network defense drone. In other words, it would just permanently output things like beacon intervals of 0 just to dog anyone with vulnerable drivers who shouldn't be snooping around.
.: eve
From Whitedust.net, they have announced a new visualization tool for network traffic called Eve. Visualization tools are fun and typically look cooler than they are useful (imagine the proud managerial looks when you see this running in the NOC?), but you never know. Someday a really slick-looking visualization tool is going to be outstandingly useful. Maybe Eve will hit that mark? I dunno, but surprisingly the tool looks to run on Windows by mention of the winpcap library. If this looks slick enough, I would seriously consider a copy for the price they list, even if it just runs in the background on an old machine on my desk.
.: staying anonymous - part 4 irc
IRC - IRC is an interesting beast. Even today, this relic of the Internet is still the best place to socialize and talk with others in a realtime forum that includes more than just 1-to-1 conversation (did I qualify that enough??). But it also suffers from easily giving up your connection information as well as other anti-anonymous attacks. Pretty much anyone can just issue a /whois and they can read back your IP/hostname. Really, nothing is easier or more idly tempting as port scanning some noob on IRC to see who's home. Note: I have not used silc yet, so I don't really mention it here.

1) general IRC recon and host masks
When you first log into a new IRC network, do not do so using a nickname that you plan to use. Log in and poke around. Do a /whois on yourself and see what is revealed. Connect a second time with another name and whois yourself. Find web support and the main support channels and poke around to see if the network supports any built-in methods to mask your host and IP. Irc.freenode.net and others may allow you to register your nickname and also request or set up a host mask so that /whois returns only what you want it to return. If that is the case, switch over to your normal nick, register it, and get it masked.

Always use a different nickname when doing tests or when you think your masking is not high enough. While this isn't done as much as in the past, there are still chat channels that get logged and posted right on websites for posterity.

Keep in mind that even private messages are not necessarily private when you do not own the servers and other people are the admins. You may not be as private as you wish you were.

If you plan any unattended idling, turn off auto-accepting any files or DCC communications and make sure no URLs are automatically opened or captured. Make sure your secondary nickname is not revealing in case you disconnect and reconnect automatically before your old connection has timed out.


2) bouncers and proxies
If you do not have the luxury of masking your host, you can make use of IRC bouncers or proxy connections much like web proxies. Bouncers are pretty much the same thing as a proxy, only harder to find unless you own a box or two somewhere else (or pay for a shell).

You can also use web-based IRC clients such as www.ircatwork.org. However, always test these by connecting with a different nick and /whois yourself to see if something is leaking through anyway. These can be a hassle to set up and maintain, so perhaps just familiarize yourself with IRSSI (text-based IRC) and see if you can get a shell that allows IRSSI so you can bounce off that.

Otherwise, use network and wireless connections that are not your own to communicate over IRC. Personally, I prefer using Freenode and masking my host.


3) links, DCC, other notes
Also, don't click on any and every link in IRC...at least not without your web proxy firmly in place on a safer web browser and connection link. If I had my eye on you, I might try to get you to click a link on my website hoping you would then leave some crumbs in my server logs.

Never accept DCC Chats or Sends. These negotiate as direct connections. If you accept a DCC Chat, the person on the other end will have the ability to see your originating IP, masks or not. You can proxy DCC connections, but I prefer to just not accept them at all as there is really no reason for it when FTP and HTTP have become more than ubiquitous.

More information can be found at http://www.searchlores.org/irc_kane.htm. If I had found this before writing my post, it sure would have saved me a lot of composing!
.: open windows security apps
I love it. There are a number of free security-related tools floating around these days and they seem to be of the "do more, have more features" variety. On my Windows systems at home I prefer to run ClamWin as my AV and Sygate Pro (a full version from before the Symantec purchase/dump) as my personal firewall. I've been using Comodo firewall for a while now on one laptop, but I really have not taken the time to baby it and nurture it and really get to know it, so I might just revert back to a Sygate install.

But I keep getting tickles to try something new. I see OSSEC has Windows agents that do things like HIDS, log analysis, registry and rootkit scanning, integrity scanning, and more on the server component. I also see CoreForce which provides a BSD-like firewall, registry and file permissions, integrity scanning, and malware prevention. Both tools are free, although the latter is Windows-bound and standalone while OSSEC likes to have a server component to shuttle data to.

It is nice to see multiple pieces getting packaged together in, hopefully, light-weight apps that won't be hogs like NAV or your more commercial type protections. I like integrity checking, access monitoring, log scanning, and firewalling, along with the typical HIDS/behavioral analysis and malware detection/prevention. I'm just hoping these two products don't overlap too much if I want features from both. And of course, there's my poor ClamWin to think of.

Anyway, tools for thought. I really wish Sygate hadn't been raped...after ZoneAlarm got dumbed down back in like 1999, Sygate was my saviour...
.: random geekery from the past week
Sometimes you really just have to be able to laugh and enjoy yourself in this field. Often we can get frustrated (especially as we get more experienced!) when we do new things and they don't work on the first or second try. Or maybe something you just don't do all that often. Part of being jaded by users and management, I think...? Failure (i.e. troubleshooting!) becomes less tolerated.

Two things have been giving me grief all week, but thankfully I really enjoy my personal time when working on stuff. Put on some music or pop in a movie on a laptop nearby, grab a beer or tea and have some fun. (Just to inject more personality in here, I watched The Crow, one of my favorite movies ever.)

The first thing I've been working on is getting OpenVPN working on an Ubuntu Feisty VM. None of the pre-fab tutorials online seem to be complete. I think every one leaves out some important steps or makes detrimental assumptions. Either way, the progress has been slow, but I'm getting there. I'm familiar with the client end, so that shouldn't be a problem. It is just really getting the routing and bridging and junk figured out; getting the server stood up and performing.

The second happened last night. For my VM box I had bought a new DVD burner. Instead of letting this go to waste in the VM box, I swapped it with a DVD-ROM from my gaming rig a few weeks back. I had forgotten about this until yesterday, so on the way home I bought some DVD+R Lightscribe and DVD+R DL disks and vowed to get things working. I spent about 2 hours trying to get it recognized by Windows. Windows Device Manager showed an Asus CRW device. WTF? No, it's Samsung! Firmware failed! Why the crap is this coming up as Asus?!?

It wasn't until this morning as my alarm went off that I thought, "wait, I already have a drive in this computer and...oh god...it's an Asus CD-RW drive. Ugh, I'm an idiot!" Yup, the drive, while powered, is probably just misjumpered or loose on the IDE cable or something else such that Windows or the BIOS were not really seeing it. I kept trying to get my Asus drive to turn into a Samsung burner. Poor bugger...kinda like treating a daughter like a son?
.: fbi has some infosec work to do
Seems the FBI has the same challenges the private sector has when it comes to maintaining a secure environment. The GAO released a report to the FBI about security weaknesses in a critical internal network. I found this from FCW. I only skimmed the 30-odd page report, but a lot of their weaknesses are quite familiar.
.: infosec interview questions
LiquidMatrix posted 4 interview questions for Infosec candidates. I like the questions, personally, and I think they get to one thing I really like to pimp about myself but also value in people in infosec: the geek factor. How much of a geek are you? In other words, how much personal passion do you have for the field? I think this is highly important. Anyway, no preaching yet today, so here are my quick answers for this interview.

1. What is the hostname of your computer / essid of your wifi
How fun! For years, I have stuck to the whole vampire/goth chic with my systems. My main server is named Vampire (and always is, no matter what actual hardware is running it) and my essid is kindred. Unfortunately, the more systems I've had, the more I've had to drift away from that theme. I have systems named Nosferatu, Hunter, Samurai, Orion (my main laptop, named for personal reasons to do with stargazing), Golem (parted gaming machine), and so on...

2. Which infosec event/conference do you think is the *one* you need to attend each year
Blackhat is too expensive for me alone, and I certainly do not want to go to anything commercialized with more CSOs present than geeks. I think if I had to choose one single event, I would head to Shmoocon. Then CanSecWest and DefCon.

3. You’re doing a walk around and notice an iPod plugged into a laptop - what do you do
Yeah, it sucks reading these questions and already seeing the "good" answers, but I agree with the poster, I would first ask, "Well, what's the policy?" I don't want to get into pissing matches over vagueness (I wanted to use vagarity here, but the word is already laterally claimed) of policies and enforcement. If I don't have to impact someone else and rock the boat, I won't. So I'd ask about the policy. If there is a policy, I would likely unplug the ipod but leave it on the desk (again, depending on the policy and corporate culture standards on enforcement) and email a note to the employee mentioning it. I'd likely then make a small extra effort to follow-up later that week to see if the ipod is still present, and if so, escalate as needed, more likely with a cubicle-call in person or a quick note to their manager. Nothing overbearing or demanding, just subtle reminders of policy and why it is in place. I'd also test the waters in using technology to block the hardware ports on systems to force policy adherence. Again, though, this all depends on policy and corporate culture.

4. You've been asked by HR to take a copy of an outgoing employee's computer - what do you do
I've not done one of these in a while, but my first reaction in my previous job where I did this a couple of times included questions. How much do you need copied? When do you need this started and done? Does the employee know about this or should this be secret? How important is this? While I don't need details, should I be concerned about eventual legal proceedings or is this just a CYA moment (this may dictate how stringently I follow chain-of-custody or imaging standards)? Do you need me to look at anything in particular or just make the copy? What do you want done with the copy and/or hardware after? Basically, the theme here is to ask questions and qualify the request as much as possible without making it seem like you're fishing for the juicy gossipy details of the incident; I'm not like that and never will be, even when I am privy to those details (one of the other things I value along with geekery is integrity).

Snagged straight from the bush from the Guerilla CSO
.: the movement of security
I see there's been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security... I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael's thoughts which have the side effect of wanting to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process which might be the agnostics' way to offer up an inarguable concept? [see? obviously I'm not seeing something straight! hehe] ) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).

My initial reaction is that I am not sold on "unified" or "one method to rule them all" approaches. I'm with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obviously apparent by now.

However, there may be some merit in a company focusing their efforts and monies in one method consistently...

I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?
.: wifidenum reports on wireless driver vulns
WiFiDEnum (and no, I'm not really sure how to say that out loud) has been released by Joshua Wright. This tool reports back wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns become announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company and might get some lovin over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host's wireless card and drivers (and no, I don't know if that is even possible to a worthwhile degree).
.: analyzing vulnerability disclosures
I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid's site for a reason!). But I do have some commentary to offer.

First, Sid uses the phrase, "This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality." Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that's what passwords are for, no?

Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames...but if they are employees, chances are they know the username format anyway. Also long-term outside attackers who already have an undiscovered foothold in the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, "You have bigger problems at this point." Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attacker who starts trying usernames to grind out more information, or outright access.

My second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I'm simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

To the author's credit, he lists criticality being "Less Critical," although I really don't know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.
.: edge-security tools
While I may not get to try everything out, despite my intentions, I still like to post things here in case I want to reference them later on. This site isn't a blog, but it does have some interesting tools and papers. I got pointed here to check out wfuzz, a web fuzzer/bruteforcer. But I really want to try out the Geoedge script which will do a geographical lookup on IPs (yeah, even automating a few clicks is worth it if you do it a lot!). There is also an Intro to Reversing on a Mac that is only one page but at least illustrates a few simple things for Mac users. And Metagoofil will pull out metadata from docs. Now that is pretty neat. Whatever happened to talking about info leakage via doc metadata?
.: random thoughts on spam and email sig blocks
Skimming my captured spam comments these days really makes me feel like I'm browsing porn, albeit in text form. I have quite the imagination...and if the guys keep slipping Viagra into my lunch, things are gonna get wrong on a new level.

Ok, kidding! Seriously, my comment spam has skyrocketed since Thursday or Wednesday of last week, almost all about various drugs and the rest about porn. It is amazing how often I catch myself reading one when it doesn't sound quite obviously spamlike. "Hey man, that's an interesting post..." I've bumped up the filters to get most everything, but if I don't unmoderate a post you make, feel free to stalk me and track me down or otherwise get my attention.

Joel Esler posted some questions about email signature blocks. Neat. Personally, I keep my signature lengths down to 1-3 lines or so. My name, email address, and maybe who I am if you don't know me (title or web site). I think I got over the whole quote thing back in 1998, so I don't do that anymore. I think after you get so many email addresses, you stop really caring to configure and tailor each one.

On a similar topic, I really have a peeve against email disclaimers like "please delete this email if you mistakenly got this..." blah blah blah legal crap. No one freakin' needs this on every piece of email sent out. It's useless and stupid. Maybe I should walk around with a card that says, "If I hear some secret you say near me or you hear me calling you a complete asshole, it's ok and please ignore it if you were not the intended recipient...oh, you're not the intended recipient, ever." Yeah, that'd fly.
.: no one expects the covert channels

Typically at home I have this stack of papers and junk printed out that I want to flip through and read. Kinda like bookmarking something for later, only in the analog world. Lately, I happened to hit a glut of papers talking about covert channels (I'll link one or two if I still happen to have them around), which are always fun to look at. I then see the focus-ids list has a current discussion on detecting covert channels (really detecting encrypted channels which, as Ron Gula recently contributed, are a separate issue).

Covert channels are fun. They can be an easy way to break something, or use something for a purpose not intended by the creators. The old school version of "hacking" (which I subscribe to) tends to love this definition. They are also difficult and technical in some cases, thus I really believe that unless a firewall or proxy incidentally is blocking the channel, no one really blocks or watches these channels. If I ever get my home network more rounded out and the major projects done, playing with covert channels is something I'd love to tinker with. (And if I would do it, so would lots of other bored kiddies on the Help Desks at their jobs!)

[As an aside, I pick on the poor kiddies on the Help Desk or Tech Support or Customer Service desks a lot. I do so for good reason, though. Typically they can hold some very technically savvy people who have some level of access above normal users. They tend to not be in heavily taxing jobs and sometimes have "leisure" time at work to do some odd things. And let's not even think about those overnighters with even more time on their hands... Really, it's not that I distrust them, but I remember my days down there and what I would get my fingers into, and I know it happens.]

For instance, you can stuff information into a few non-used or little-used sections of ICMP packets and shoot them out to your target. But if a company is stopping all ICMP, that incidentally stops that particular covert channel. Someone can siphon away information using DNS, but if you only allow DNS traffic to servers you control...

Stopping (or using to your benefit) covert channels is much more difficult since it requires some pretty specific knowledge of TCP/IP and perhaps packet structure and creation. This probably makes the risk of someone leveraging this attack much smaller, which also may mean it is just not worth spending time combating for many companies.

But let's say you want to detect and/or stop covert channels? I won't get into specifics since I've not done this myself, but here are some approaches I would take.

First, make sure a solid egress configuration is present on border firewalls. If this isn't done, really, any other steps are simply academic and not going to add any security or sense of security. If you're not stopping arbitrary ports from connecting to other arbitrary ports on the Internet... Likewise, there is no reason to tackle ICMP covert channel detection if ICMP is blocked anyway.

Second, you need to be monitoring for anomalous traffic. A sudden spike in ICMP or other weird traffic that is not normal could indicate a covert channel in use. Again, the chances are slim, but any network monitoring strategy should already be tracking anomalous traffic loads anyway. You might also want to detect regular traffic patterns such as an HTTP request that occurs exactly every 3 seconds for hours, or something to that effect. You might see more false positives with things like Weatherbug or Firefox doing regular checks or IM keepalives, but if your company is tackling covert channels, likely they have stringent software and IP rules in place already to limit such noise.

Third, make sure packets are inspected for erroneous settings and flags. Kinda like no TCP packet has any business having both SYN and RST (I think) flags set, there is just some information that, if present, should be investigated.

Fourth, proxy all web traffic in a way that the proxy rebuilds the packets. This should take care of really funky HTTP covert channels and also allow you more logging on what is likely the busiest and least securable port on your network.

Lastly, I really don't know what to do about steganography or hiding data inside other application layer data. I guess we have to hope that packet inspection firewalls eventually detect the normal tools and their signature/patterns, but I really wouldn't book my paycheck on that. Image-based stego is still a technical skill, but the tools have gotten far easier to implement and there are tons of locations on the webs to drop images for offsite pick-up.
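The "HTTP request exactly every 3 seconds for hours" check from the second approach above, worked as an added example that is not from the original post: it reads a constructed, simplified proxy log (epoch, client, host, URL), measures how regular each client-to-host request interval is, and lets you allowlist the known keepalive hosts (IM clients, update checks) that would otherwise trip it. Host names and addresses are made up for the sample.

```python
"""Beacon (regular-interval) detector for a simplified web proxy log.

Added example, not from the original post. Each log line is assumed to
look like "<epoch-seconds> <client-ip> <dest-host> <url>"; this format
and all sample traffic below are constructed for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_line(line):
    """Return (timestamp, client, host) from one constructed log line."""
    ts, client, host, _url = line.split(maxsplit=3)
    return float(ts), client, host


def find_beacons(lines, min_requests=10, max_cv=0.1, allowlist=frozenset()):
    """Flag (client, host) pairs whose request gaps are nearly constant.

    max_cv is the largest allowed coefficient of variation (std dev / mean)
    of the inter-request gaps; 0 means perfectly periodic. Pairs with fewer
    than min_requests requests are ignored so a handful of page loads that
    happen to line up are not reported. Hosts in allowlist (known keepalive
    or update-check destinations) are skipped to cut the false positives
    the post mentions. Returns {(client, host): (count, mean_gap, cv)}.
    """
    times = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, host = parse_line(line)
        if host in allowlist:
            continue
        times[(client, host)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (len(ts_list), round(avg, 2), round(cv, 3))
    return hits


def build_sample_log():
    """Constructed log: one 3-second beacon, one normal browser, one keepalive."""
    base = 1180000000  # arbitrary epoch in May 2007
    lines = []
    # Suspect: a request every 3 s for two minutes, with 50 ms of jitter.
    for i in range(40):
        lines.append(f"{base + 3 * i + (i % 2) * 0.05} 10.0.0.5 drop.example /img.gif")
    # Normal browsing: irregular gaps between page loads.
    t = base
    for gap in [7, 2, 31, 4, 90, 1, 12, 45, 3, 8, 60, 5]:
        t += gap
        lines.append(f"{t} 10.0.0.7 news.example /story")
    # Legitimate keepalive: perfectly periodic, but a known destination.
    for i in range(30):
        lines.append(f"{base + 30 * i} 10.0.0.9 im.example /keepalive")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("without allowlist:", find_beacons(log))
    print("with allowlist:   ", find_beacons(log, allowlist=frozenset({"im.example"})))
```

Tune min_requests and max_cv to the log volume you actually see; a real proxy log will need its own parse_line, but the interval logic is unchanged.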

Speaking of covert channels, I can't find the actual story, but I swear the Security Monkey had a post one time (I think a reader-submitted story) about someone hiding porn images inside a normal movie file, where a porn image would be one frame somewhere that could be extracted. Screen grab of sensitive docs instead?

.: owasp top 10 for 2007
The OWASP Top 10 has been updated. The PDF version is way at the bottom. Top lists of anything are tough because you have to draw lines and qualifications somewhere. I like that the authors mention some items they left out such as input validations and buffer overflows, but I'm a little concerned that those should still have been included. I guess I am not yet satisfied with why they left them out.

Then again, I have yet to give this a deeper read and maybe am just distilling the information a little slowly yet. Overall, love the OWASP stuff and this top 10 is excellent. Got linked to this from Jeremiah.
.: dvd ripping and burning made simple
Copying DVDs has become amazingly easy. I picked up a Samsung DVD burner from NewEgg for $33. They forgot the software, so I had them mail that separately, which is well worth it since it is Nero and includes not only the burning utilities but also the parts to leverage the Lightscribe labels.

I installed DVD Decrypter (pretty much optional) and DVD Shrink (find them on your own, but I suggest doom9.org as a first try). I use DVD Decrypter to rip DVDs to my hard disk, and then I use DVD Shrink to remove a few unnecessary things, like foreign language audio tracks, and also to burn since it can shuttle the project off to either DVD Decrypter (which can burn) or Nero itself. That's it! I ran a test copy of Fast and the Furious which happens to be a dual layer DVD. The ripping portion took about 15 minutes, I think, and DVD Shrink worked on the contents (about 4.5 GB on disk) for about 30 minutes. I removed two audio tracks. It then went right over and burned in about 5 minutes or so to a non-dual layer DVD.

With Nero, I was able to create a Lightscribe label in about 5 minutes and burn it on in about 15 minutes. I just did a quick Google Image search for Fast and the Furious images, picked the first one (which happened to be huge), plopped it on without resizing or playing with the brightness, and let it loose. The label isn't breathtaking or drop-dead gorgeous. It really just looks like a badly washed out greyscale image, but the quality (if you look closely) seems pretty nice. I'll likely use it rather than markers, and I likely will still use actual images as opposed to bland text in text boxes. I'm not really doing anything professional, just makin' copies!

All told, that was only about an hour of time and only about 10 minutes of actual work. Since I do this on my gaming machine, it gets to dedicate its time to this task when I'm not gaming (and holy crap does the processing of DVD Shrink drop to a trickle when I fire up WoW!). I keep that system pretty slimmed down, so that 1 hour is not a bad deal really.

Blank DVDs with Lightscribe will run me about $1 per disc. Dual layer guys will be about $1.5-2 per disc. At least that was my 2-second estimate while standing at Best Buy. That's still not bad at all, as I estimate my typical DVD purchase is $14, give or take. This is why DVD copying (pirating) is still worthwhile, I guess!

.: what if i moved to web app sec?
Pardon me for a moment while I think out loud. If I got into a web application security job of some sort, how long would it take me to get to a personally acceptable level of competence (for me: a decent enough expert in the field)? Given a day job that lets me focus on that topic and my propensity for self-study, I think it would take me a year to become satisfactorily proficient. This can differ, however, based on how deeply I will need to know various programming languages when it comes to code reviews. My self-study would likely be designed around working with and familiarizing myself with various languages by doing some personal projects here and there... Food for my brain.

I think this way because I am open to "awesome" job opportunities lately, and if something in this space opens up, I don't want to spend a week trying to play introspective catch-up and miss the opp.