.: June 2007 Archives


.: liaise or die 2!
Cutaway (possibly the only other guy on the Catalyst forums who gets away with using his screenname!) had a really cool post that I wanted to save here. The part that caught my eye:
I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing help us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment.
I am seeing there are numerous roles forming in IT and security. First, you have your IT geeks who actually do stuff (researchers or implementers). You have your business managers who keep an open mind about business and security (CSO/CIO). You have your trainers who deal with people. And you have your liaisons between those groups. I think those liaisons are the newest group and the subject of recent focus on "being more business knowledgeable" topics.

C-levels don't like this news, but let's all face it. Security is never going to be perfect. The best illustration is to look at the security of those C-levels' homes. Are they foolproof? No. Do they make mistakes like leave windows or doors open even if they're not home? Yes. Just like everyone else. And if they do have an alarm system, does that preclude their relatives or the security installers from being able to circumvent it should they be determined to do so? Or thieves to just barge in regardless of the alarm claxons? Security is not something you can achieve and forget about. It is ongoing and risk management.

Business hates hearing that because too often they take the very human approach and think, "Gosh, why bother spending money on this junk?"

That's where I think the liaisons come in. Just like Cutaway says, they buffer most of that negativity, but I believe they also try their best, along with the trainers, to make sure everyone knows security is not like a light switch; either on or off.
.: defcon ctf qualifying rounds this weekend
Alice over at the Vulnerable Minds blog reminds that the DefCon CTF quals are going on this weekend. Here are sample solutions for last year's pre-quals. I may just check to see if that Mud is open to all...
.: no business interest in catching threats
I only skimmed this article (mostly because of where it came from), but I really caught this line:
No one has a business interest in catching identity thieves or malware writers. There's no money in it, so no-one's bothered.
I would also add, while some of us would help and/or deal with threats, we just can't or don't have that authority. Bejtlich is one of the notables who talks about dealing with the threats instead of vulnerabilities. He makes a ton of sense and I agree with him, in theory, I just don't think most of us have any opportunity to deal with the threats beyond identifying them with guesses.
.: it makes nancy drew look archaic...not that i read nancy drew...
A while back, Rybolov (Guerilla CISO himself!) posted a link to Heidi, Geek Girl Detective. I finally got time to finish through the story over a latte this weekend and was quite entertained! Must be something about Seattle to have geeky comics (PennyArcade being a notable one)...or maybe the town is more creative than most...maybe it's the rain. And for the record, I read the Hardy Boys and Encyclopedia Brown as a kid, not Nancy Drew.
.: no, really, i want my credit details sent over email
This past week I began the motions of signing up for a new gym, for a change of pace as summer feels like it has started. So I signed up on the gym's (franchise) website and all that jazz. About a day later I get an email from a residential email address saying that my info is being forwarded somewhere and to expect a call back. This email was then sent to another residential address down in Texas. And of course, my credit and personal details are in the email, nicely formatted with HTML tags.

Really, there are still many businesses and people who have no idea how insecure digital methods can be. But even if they do, many of them have no idea what to do about it without spending money to get someone to do it for them, or devote time out of their own life to do it.

If I am happy about nothing else, at least I was able to see that my info was passed over email. This way I won't be chasing my tail should that card end up with fraudulent charges in the near future...I'll have an obvious place to begin.
.: quotes, quotes!
"Nothing great was ever achieved without enthusiasm." -Ralph Waldo Emerson

Yeah, I love quotes, and some of my favorite authors (the naturists, or maybe transcendentalists) are the most quotable. I'd not actually read this one before, but coming across it today reminds me about what I want out of work and career, and what lots of people want. An inspiration and a barometer.
.: russian roulette 2.0
RSnake and also Andy linked to File-Swap with wonderment in their eyes. More like confounded amazement really. But come on, this site is awesome! It is the modern equivalent to russian roulette! Take a spin! Really, how secure in your systems do ya feel, punk?

Now, I have this thing about user-supplied content and Web 2.0. I've been around long enough to see the days where Rotten and EbaumsWorld have spawned up to house all kinds of disgusting junk before dot-coms even thought of busting. Sadly, this file swap is just as ripe for disgusting content as it is malware content. Maybe more so since the former is far easier to achieve than the latter. Then again, use Metasploit to generate some malicious images...? Either way, some ideas may be cool to generate some "wtf," traffic hits, but a site like this simply cannot have longevity and remain relatively clean.
.: download the music and get the hack
A quick excerpt from a CIO article. Without details, it is tough to separate fantasy (or simply blind speculation) from reality, but I think this story may just ring true. The article is focused on how difficult forensics is becoming as criminals employ more antiforensics tactics. Personally, I don't think it has gotten any worse to track down criminals over the wires, there is just more money involved these days. (On-disk forensics notwithstanding.) (Update: I see more discussion here from keydet89!)
A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn’t caught the perpetrator and he knew he never would. What’s worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.
As a side rant, I really hate how a not-large article turns into 10 page "turns" on news sites these days. I mean, come on, everyone can see through this little "click more to serve more ads" scheme. It actually conditions me to look for the Print icon to view the printable version that, amazingly, has no ads and displays on one page.
.: ranting about data-centric security and the media
Random link from Full-Disclosure: mlabs.secniche.org

I hate to post more rants than useful content on here, but this week has been too busy for much more than ranting. I saw an article about the dangers of unauthorized teleworkers, that is, those workers who bring work home with them and possibly work on their home computers.
The report found that 63 percent of respondents who worked from home unauthorized -- more than half of the non-teleworkers surveyed -- used their home computers in doing that work. "People were saving documents on their home computers that were unprotected," said Josh Wolfe of Utimaco, a data security company that underwrote the study.

...

"We're not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that," Wolfe said.
I like security, and I like to think I have a (healthy) paranoid/security-conscious mind, but I really believe we can go too far very easily. While government employees maybe shouldn't take work home with them (and yes, I pointed out that second blurb to show that maybe all those workers had non-sensitive materials and were working on presentations or some junk), I hate when articles like this make their way to other circles and present things without proper context (I expect to see this study referenced in non-government articles soon...). Take a small start-up company. Yes, those people likely take work home with them, it happens, it is natural, and at some point every single one of us does it.

Yes, we have to be conscious of our data leaving the confines of our happy networks, but we can't obstruct our users trying to make the business successful. That's one of the (few) issues I have with data-centric security. Trying to secure the data eventually impacts the success of the business and the happiness of the people.

One other note I had from the article is about how data-centric security really only works when you can classify your data and separate the sensitive or confidential stuff out. Data-centrism is great for that classification and for being conscious of the security of your really sensitive data, but it breaks down and is ineffective and inefficient for the rest of the data. It can also be theoretically effective when you just declare "all information is sensitive so let's encrypt everything!" But that gets into a realm that is just not really going to be possible yet, at least at the level of near-perfection that statement alludes to while allowing employees to do their work and be an asset.

Maybe this is just the media being way too sensational about digital security still. We don't see dramatic reports about how people's homes are insecure because, while we have a deadbolt in front and back, our windows can be smashed, oh my. Security isn't perfect and never will be, and I'll continue to bristle when media or persons have an underlying tone that anything less than perfection is inadequate. Maybe our industry does get it, but damn if the media still stirs us up and gets our blood going still.

Maybe I should further limit my chosen media outlets away from journalists...hehe! Hell, I've been tracking the front page daily headlines on cnn.com and it reads more like a tabloid or YouTube front page than anything anymore...
.: malware staging points in windows registry
F-Secure (and Andy, whose blog I checked first!) posted about the most common registry locations that malware tries to start from on Windows. Not only is this list highly useful to check in response to an incident, but like any good baseline, this is a list of locations that all admins should be familiar with even before an incident. It doesn't help to have an incident, check one of these locations, and not know what those other 25 entries do. That is wasted time trying to isolate which one is out of place. Check these locations out now and see what is really going on with your system. I even filed this into my always-being-built wiki.
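Here is one way to turn "check these locations out now" into the baseline the post recommends. This is an added example, not F-Secure's list or the post's wiki entry: it snapshots a handful of the well-known Run/RunOnce/Winlogon autorun keys (extend $autorunKeys with the rest of the list you track), saves the snapshot, and later reports entries that are new, changed or gone, so the 25 entries you did not expect are already accounted for before an incident.

```powershell
# Added example (not from the original post). A subset of the usual
# autorun locations; add the other keys from the list you keep.
$autorunKeys = @(
   "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
   "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
   "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
   "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
   "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
)

# Read every value under each key into a flat hashtable: "key\valuename" -> data
function Get-AutorunSnapshot
{
   $snapshot = @{}
   foreach ($key in $autorunKeys)
   {
      if (-not (Test-Path $key)) { continue }
      $item = Get-ItemProperty $key
      foreach ($prop in $item.PSObject.Properties)
      {
         # the registry provider adds PSPath, PSParentPath, ... ; skip those
         if ($prop.Name -like "PS*") { continue }
         $snapshot["$key\$($prop.Name)"] = [string]$prop.Value
      }
   }
   return $snapshot
}

# Report differences between a saved baseline and the current state
function Compare-AutorunSnapshot ($Baseline, $Current)
{
   foreach ($k in $Current.Keys)
   {
      if (-not $Baseline.ContainsKey($k)) { "NEW     $k = $($Current[$k])" }
      elseif ($Baseline[$k] -ne $Current[$k]) { "CHANGED $k : '$($Baseline[$k])' -> '$($Current[$k])'" }
   }
   foreach ($k in $Baseline.Keys)
   {
      if (-not $Current.ContainsKey($k)) { "REMOVED $k" }
   }
}

# Usage. First run, while the box is known-good (file name is just a placeholder):
#    Get-AutorunSnapshot | Export-Clixml C:\baseline\autoruns.xml
# Later, or during an incident:
#    Compare-AutorunSnapshot (Import-Clixml C:\baseline\autoruns.xml) (Get-AutorunSnapshot)
```

The comparison is deliberately dumb: anything that differs is printed, and deciding whether a new entry is a legitimate patch or something out of place is still the admin's job. That is the point of doing the baseline beforehand, so the only things left to evaluate are the differences.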
.: why raid does not work in the home
George Ou has recently taken up the torch of demystifying RAID for average users so they can reap the benefits. Unfortunately for George, I agree with his detractors that say RAID isn't going to fly in the home. Honestly, RAID makes even geek heads spin sometimes, including my own, and managing one's RAID setup is really up there with changing your own oil: not everyone does it or wants to do it. In fact, most average people really couldn't give a fuck about RAID; they just want to backup their data.

I think George should stick to the easy things when it comes to consumer-level storage. Educate people about regular backups using one of two methods: drag-n-drop or NT Backup (or both!). And for media, educate people to use one of four options: external hard disk, USB key (or two), cd burning, or dvd burning. Drag-n-dropping data is natural, and people just have to think about what they would want backed up, drag it over (or burn it), and set it aside in a safe place. If people don't understand or know what they all need, use NT Backup and in the event of a disaster (on consumer levels, i.e. a hard disk gone bad) have that on hand for techies to restore.

That really should be the extent of trying to educate the masses. Granted, it is not pretty or scalable, but it gets the job done and goes only as far as most consumers really care to go. (Honestly, I'm not sure who George's audience is, technically proficient people who already know this stuff or technically non-proficient people who shouldn't be bothered with RAID...either way, he's seeming a bit lost on this effort.)
.: has the tuberculosis guy even apologized yet?
Unless you're like Marcin and aren't aware of your surroundings for weeks at a time (hehe!), you likely know about that guy who has a strain of Tuberculosis and decided to fly halfway around the world and then purposely circumvent security to come back to the US. If someone has seen that this winner of a guy has ever posted or spoken an actual apology yet, please let me know. I've yet to see one, and seeing one would assuage my anger...

To bring this back a bit, do you know who the cowboys in your organization are who know security but choose to circumvent it and take big gambles with people's welfares? Do they ever apologize? Do they ever reform?
.: openvpn server on ubuntu 7
This weekend I finally (after way too long) got my OpenVPN setup to work as desired. I had plenty of workarounds ready, but I was pretty determined to get this working the way I wanted. I think my problem was twofold. First, I needed to turn on IPv4 forwarding on the Ubuntu OpenVPN server. I will be testing this today to see if that really was needed. Second, the Linksys WRT54G router was set up wrong. Not sure what I was thinking, but I corrected the problem this weekend and everything was happy. So I blew away the server VM and rebuilt it without all my little troubleshooting settings and commands to better isolate only exactly what I need to rebuild the system. I'll provide more details on my install hopefully later this week. After a few more builds, I expect to save a post-install snapshot finally.
.: university of iowa data breach
I have not been made aware of being a victim (or potential victim) in any of the large-scale data breaches so far (I don't shop at Marshalls/TJX and I only use one credit card for the most part anyway...I still like cash the most!), but I know someday I will. A little closer to home, I see this morning that "more than a thousand" people have been notified about a data breach at the University of Iowa. Why this breach only exposed "more than a thousand" people, I'm not sure. All the other tired prerequisite PR notes are given such as "No evidence that personal information is being misused...". I have no evidence that I might be involved in a car accident today, but that won't stop it from possibly happening.

While this is closer to home, I will note I graduated from Iowa State University, not U of I.
.: powershell random password generator
This morning I decided to replace part of a script I own at work with a random password generation function. This was easier than I thought it would be. This function takes a number that should be greater than 4, and returns back a random password of that length. The character sets are pretty obvious inside the function and can be adjusted as needed. The password generated assures the first 4 positions will always be a number, capital letter, lower case letter, and symbol, respectively, to meet some complexity requirements. The rest of the positions are a random character chosen from a random character set.
function RandomPassword ([int]$intPasswordLength)
{
   if ($intPasswordLength -lt 4) {return "password cannot be <4 chars"}

   # character sets; adjust as needed
   $strNumbers = "1234567890"
   $strCapitalLetters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
   $strLowerLetters = "abcdefghijklmnopqrstuvwxyz"
   $strSymbols = "!%^&*()+=/?{}[]~,.<>:"
   $rand = new-object random
   $RandomPassword = ""

   for ($a=1; $a -le $intPasswordLength; $a++)
   {
      # positions 1-4 take sets 1-4 in order; after that the set is picked at random
      if ($a -gt 4)
      {
         $b = $rand.next(0,4) + $a
         $b = $b % 4 + 1
      } else { $b = $a }
      switch ($b)
      {
         "1" {$b = "$strNumbers"}
         "2" {$b = "$strCapitalLetters"}
         "3" {$b = "$strLowerLetters"}
         "4" {$b = "$strSymbols"}
      }
      # one random character from the chosen set
      $charset = $($b)
      $number = $rand.next(0,$charset.Length)
      $RandomPassword += $charset[$number]
   }
   return $RandomPassword
}
RandomPassword 36
No doubt there are other functions and solutions to this, but I kinda just wanted my own.
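One thing worth knowing about the function above: new-object random is System.Random, a general-purpose generator seeded from the clock, so two scripts started in the same millisecond get the same sequence, and anyone who knows roughly when a password was made can narrow the candidates considerably. For throwaway dev-environment accounts that may be fine; for anything that has to stay unguessable, pull the bytes from the OS cryptographic generator instead. The following is an added example, not the post's code: it keeps the same contract (length, four fixed-position character classes, random set for the rest) but uses RandomNumberGenerator and rejection sampling so the modulo step does not bias toward the first characters of each set. The function name and the exception text are my own choices.

```powershell
# Added example, not from the original post: same behaviour as RandomPassword,
# but every random choice comes from the OS CSPRNG instead of System.Random.
function New-SecurePassword ([int]$Length)
{
   if ($Length -lt 4) { throw "password length must be at least 4" }

   # same four sets as the post; first four positions take them in this order
   $sets = @(
      "1234567890",
      "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
      "abcdefghijklmnopqrstuvwxyz",
      "!%^&*()+=/?{}[]~,.<>:"
   )
   $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

   # Uniform integer in [0, $max). Values above $limit are thrown away and
   # redrawn, so "$n % $max" is evenly distributed instead of favouring
   # low indexes the way a plain modulo over 2^32 would.
   function Get-SecureIndex ([int]$max)
   {
      $buf = New-Object byte[] 4
      $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $max)
      do {
         $rng.GetBytes($buf)
         $n = [System.BitConverter]::ToUInt32($buf, 0)
      } while ($n -ge $limit)
      return [int]($n % $max)
   }

   $password = ""
   for ($i = 0; $i -lt $Length; $i++)
   {
      if ($i -lt 4) { $set = $sets[$i] }                          # fixed class
      else          { $set = $sets[(Get-SecureIndex $sets.Count)] } # random class
      $password += $set[(Get-SecureIndex $set.Length)]
   }
   return $password
}

New-SecurePassword 36
```

The nested helper sees $rng through PowerShell's parent-scope lookup, so one generator serves the whole password. Everything else about the output (length, the number/upper/lower/symbol ordering of the first four characters) is unchanged from the original, which makes it a drop-in replacement in the script the post mentions.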
.: more art of war quotes related to security
Couple quotes I like. Andy already mentioned one, but I thought I would mention it again along with the previous days' quote on our Art of War calendar.
"When your strategy is deep and far-reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is little, so you lose before you do battle." The Art of War, Chapter 1 On Assessments
And...
"When the army is old, the soldiers are lazy, and the discipline and command are not unified, this is an opponent that has already lost." The Art of War, Chapter 4 Formation
.: powershell scripting for active directory
I've been doing more scripting lately, and thought I should document (for myself) some of the stuff I've been using. Rather than spit them out here, I put them on the wiki. Here are some snippets of what I use. We use these scripts when building new development environments and servers. Nothing ground-breaking, but still useful as inspiration if anyone else is working around PowerShell.

Create Windows services
Building LDAP container and object strings
Process and create OUs
Create an Active Directory Group
Create an Active Directory User
Open and search XML files
.: ssh server stats and reduced risk
I've had an SSH server up for some time on the default port 22 tcp on a Windows box. The other day I finally moved it over to a virtual Ubuntu box where it will stay indefinitely. While SSH was running on Windows, I logged all failed attempts. I didn't expect Amsterdam to outpace Asia! Also, I suspect these were all automated attempts since root was tried the most. Using Cygwin on Windows, I don't have a "root" account. In fact, "Administrator" was never even attempted once (what the hell?). Go figure.

This brings me back to a recent thread on the Security-Basics list hosted at SecurityFocus where a lot of people got pretty heated up about whether changing the default SSH port or using port knocking is an effective security measure. There were impassioned responses on both sides of the equation, and in a way, they were all somewhat correct. But I think it is more accurate to say changing the SSH default port is not a security enhancement, technically, but does reduce the risk of that service. Risk is decreased, and in a more high-level way of defining "security," the security of the box was increased. This does not mean SSH became more secure or the box magically became more secure... Really, it just came down to semantics (mostly).

The stats above help illustrate that risk my SSH server faces. If the SSH port had been moved, I would honestly be surprised if I had a dozen failed login attempts. That illustrates reduced risk. I'd also be able to identify my threats a little better. Someone with 5 failed attempts on my obfuscated SSH port may indicate a targeted attacker as opposed to an automated worm scanning for SSH. If someone was able to port knock my SSH open to make failed attempts, that might perhaps indicate my port knock sequence was sniffed somewhere or an insider is attempting something fishy.
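The "who is that?" reasoning in the last paragraph can be scripted over the failed-login log. The following is an added example, not the post's own stats script: it takes OpenSSH "Failed password" lines, groups them by source address and account name, and labels a source as probably automated (many tries, or a spray of generic account names such as root/admin/test) versus low-volume, which is the case worth a closer look on a non-default port. The log lines are constructed for the example, and the log path in the usage comment is a placeholder.

```powershell
# Added example, not from the original post. Sample lines in OpenSSH syslog
# format, constructed for this example (not real captures).
$sampleLog = @(
   "Jun 10 02:14:07 vpnbox sshd[4120]: Failed password for root from 192.0.2.10 port 50122 ssh2",
   "Jun 10 02:14:09 vpnbox sshd[4122]: Failed password for root from 192.0.2.10 port 50131 ssh2",
   "Jun 10 02:14:12 vpnbox sshd[4124]: Failed password for invalid user admin from 192.0.2.10 port 50140 ssh2",
   "Jun 10 02:14:15 vpnbox sshd[4126]: Failed password for invalid user test from 192.0.2.10 port 50152 ssh2",
   "Jun 10 02:14:18 vpnbox sshd[4128]: Failed password for invalid user oracle from 192.0.2.10 port 50160 ssh2",
   "Jun 10 09:31:40 vpnbox sshd[5007]: Failed password for mike from 198.51.100.7 port 41002 ssh2",
   "Jun 10 09:31:58 vpnbox sshd[5009]: Failed password for mike from 198.51.100.7 port 41010 ssh2",
   "Jun 10 09:32:01 vpnbox sshd[5011]: Accepted password for mike from 198.51.100.7 port 41015 ssh2"
)

function Get-SshFailureSummary ([string[]]$Lines, [int]$AutomatedThreshold = 5)
{
   # one regex covers "Failed password for USER" and "... for invalid user USER"
   $pattern = 'Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
   $byIp = @{}   # ip -> (user -> failure count)
   foreach ($line in $Lines)
   {
      if ($line -match $pattern)
      {
         if (-not $byIp.ContainsKey($matches['ip'])) { $byIp[$matches['ip']] = @{} }
         $users = $byIp[$matches['ip']]
         $users[$matches['user']] = 1 + $users[$matches['user']]
      }
   }
   foreach ($ip in $byIp.Keys)
   {
      $users = $byIp[$ip]
      $total = 0
      foreach ($n in $users.Values) { $total += $n }
      # many tries, or a spray of account names, reads as a scanner;
      # a few tries against one real account name deserves a closer look
      if ($total -ge $AutomatedThreshold -or $users.Count -ge 3) { $label = "probably automated" }
      else { $label = "low volume - possibly targeted, find out who it is" }
      "{0,-16} failures={1,-3} distinct users={2,-3} {3}" -f $ip, $total, $users.Count, $label
   }
}

Get-SshFailureSummary $sampleLog
# With a real log (path is a placeholder):
#    Get-SshFailureSummary (Get-Content C:\cygwin\var\log\sshd.log)
```

On the sample data the first address shows five failures across four names including root and comes out as automated; the second shows two failures against one real account followed by a success, which is exactly the kind of entry the post says you would want to notice once the noise from port 22 scanning is gone.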
.: redux on 4 deadly security sins
I'll always say I like lists. C-levels like lists, average people like lists, techies need to like lists. :) Over at ZDNetAsia, Scott Montgomery, global vice president for product management at Secure Computing, gave his take on 4 damaging security habits in the corporate world. Here are my responses/takes. Overall, I like this succinct list, and with minor quibbles, it's a good list.

1. Fixed Passwords - Fixed passwords, in my mind, are adequate. They aren't the best practice and best thing to use, but they are still by far the most economical for most corporations and people. We know passwords, we're used to them, and they tend to be just fine when properly complex and rotated. If one-time passwords were so useful, why are they so difficult to roll out or scale up to our needs? They are because you need a lot of levers and gears aligned in a corporate environment to be able to effectively implement such solutions. No single-sign-on possibility in your shop? Then one-time password tokens are not yet for you.

2. Neglecting inbound threats from e-mail, the Web and instant messaging - Montgomery gets this one correct, and not much I can add to it other than nitpicking about the term "threat" used for an attack vector.

3. Forgetting that data traffic is two-way - I think this is another good point, although I think we can all admit trying to get our arms around egress is like trying to hold down a very large bear or herd cats. I think that is a major reason so many of us are behind here: we have other easier things to tackle. But certainly, we should keep this in mind. But always think about this: how do you stop me from uploading data to a web server that I own? How do you stop me from uploading data through an encrypted channel on port 80 outbound? These are difficult to stop in many shops, without spending some good money on solutions. Hence...they do get left behind.

4. Not encrypting data - I don't like bashing lack of encryption by using email as an example. Sadly, SMTP is broken and obsolete, but like the SSN, it is so widely used and relied upon... He also dives very deeply into the FUD by saying unencrypted mail is public like a paper. No, it's not, but he still brings up a good point. Encryption should be used whenever possible on the wire, and on the disk. We'll only slowly move in this direction due to compatibility issues.
.: 10 reasons why the Black Hats have us outgunned
Another interesting list, this one on 10 reasons why the Black Hats have us outgunned. I won't hit every point, but here are a few things I want to add.

Becoming a Black Hat is a career option even for those who are not super geeks. Very true, and we can see this in the news reports of the people who get caught. They tend to be on the fringe of being a geek, really, especially the stupid spammers. They don't strike me as particularly skilled at anything beyond their one opportunity and a few tools (hence maybe why they get caught!).

Not all businessmen are entirely averse to the odd hack (on a competitor). I truly wonder exactly how many executives and "high-powered" business persons have a true level of morality. I doubt many do. I expect many have fudged numbers, told white lies, and done some less-than-ethical leveraging and information gathering. When you have money and power at your disposal and you need to protect both, I think a lot of people slide down a rather immoral slope very quickly. If I were a multi-billion-dollar company in a major city with interests to protect, would it be much skin off my teeth to hire someone to sit at the airports all day and "probe" the wireless travelers? Or maybe at my competitor's airport? I still expect this "career option" to grow, whether I agree with it or not.
.: the comforting boundaries of scripting
As I've been doing a heck of a lot of PowerShell scripting the past few weeks at work, I've come to re-appreciate the comfort of being able to work in a very bounded environment. Network/Systems/Security work is pretty damned unbounded, but when you work on a programming or scripting language, you don't have to necessarily sweat the scope or mechanics because they're created for you, for the most part. You deal with the basics, loops, variables, moving data around, manipulating data, reading and writing to objects, and so on. It's like putting together a jigsaw puzzle; there's something comforting in the ability to focus. Plus the immediate response/results of scripting are really nice.

I stayed away from scripting, and more appropriately, programming when I was in college and just out of college because I didn't want to find myself being a kickass XYZ programmer and only a kickass XYZ programmer while languages A, B, and C flew by. Maybe in another life or a future career opportunity will open up a more dedicated scripting/web dev job opp. I think I could live with that, honestly. I think it would have to be a smaller company, though, rather than just being the builder of Function A in Large, Slow, Non-Creative Company.

Maybe that's why every couple years I perform some deep rework on my web pages, or have an affinity towards scripting. Once you know the mechanics and syntax and keywords of a language, it is all downhill from there (at least for me, since the logic comes easy to me). Braindump Ruby on Rails into my head, and I could probably have a lot of fun with that language, as much as Neo with Kung-Fu.

Anyway, my PowerShell snippet today involves deleting services. Creating services is pretty easy in PS, but deleting them was left behind for WMI to pick up. And no reboot is required. (Unless you have a service open at the time you attempt to delete it, in which case Windows will hang on that and hold the service for deletion until you reboot...so make sure you're not working in the service anywhere before you try to trash it.)
# -match is a regex, so "ServiceName" also matches "ServiceName2" and the like;
# make sure $service holds exactly the one service you mean before deleting it
$service = gwmi win32_service | ? {$_.name -match "ServiceName"}
$service.delete()
Since this is short, I tend to do this manually, and I try to always make sure $service returns the proper service by calling it once just before the delete. And you do this to remote computers by adding "-computer 'computername'" before the pipe (and with double quotes instead of my grammatically correct singles).
.: the swear jar
The Swear Jar (work safe) (heard this in the office and also from FurryGoat). Seriously, if you can't have this bit of fun in your office at some point, I wouldn't want to work there. People don't do great things by being in an oppressive or unfun environment. Hell, people just aren't optimally productive in such environments. (Ok, minus the lobby area announcement, hehe.)
.: working with the registry in powershell
There's a bunch of different ways to play with the registry in PowerShell. My latest script snippet that I wanted to preserve on here deals with a couple ways to add registry keys and values. For as cool as this is, however, I don't believe PowerShell is able to make such changes to remote registries without using other methods. When in doubt, I guess I could just Invoke-Expression psexec.exe someregfile.reg and have it done there, but hopefully PowerShell gets remote registry scripting ability eventually, as this would be the next way to script mass registry changes to people beyond Group Policy.
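Since the snippet itself stayed on the wiki, here is an added example of the two usual ways to add keys and values from PowerShell; it is my code, not the post's. The first uses the registry provider (the same New-Item/New-ItemProperty/Set-ItemProperty cmdlets you use on the file system), the second uses the .NET Microsoft.Win32.Registry classes directly. The key path HKCU:\Software\ExampleScript and the value names are throwaway choices for the demo; HKCU was picked so it runs without elevation and touches nothing that matters.

```powershell
# Added example, not from the original post. Demo key under HKCU (assumption:
# a harmless throwaway location for the example).
$keyPath = "HKCU:\Software\ExampleScript"

# Way 1: the registry provider. Keys behave like folders, values like properties.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name "LastRun" -PropertyType String `
   -Value (Get-Date).ToString("s") -Force | Out-Null
New-ItemProperty -Path $keyPath -Name "RunCount" -PropertyType DWord -Value 0 -Force | Out-Null
# -Force on New-ItemProperty overwrites; Set-ItemProperty is the usual way to update
$current = (Get-ItemProperty -Path $keyPath).RunCount
Set-ItemProperty -Path $keyPath -Name "RunCount" -Value ($current + 1)

# Way 2: the .NET registry classes. Same result, and the same API the
# provider is built on; useful when you need a value kind the cmdlets
# do not expose conveniently.
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$key = $hkcu.CreateSubKey("Software\ExampleScript")   # opens if it exists
$key.SetValue("Owner", $env:USERNAME, [Microsoft.Win32.RegistryValueKind]::String)
$key.Close()

# Read everything back through the provider
Get-ItemProperty -Path $keyPath | Select-Object LastRun, RunCount, Owner

# Cleanup for the demo
Remove-Item -Path $keyPath -Recurse
```

One note on the remote question: the .NET class does have [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(hive, "hostname"), which works against a machine whose Remote Registry service is running and where you have rights, so the second style is the one to reach for if you want to script a mass change without psexec.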
.: google in iowa and hells grow colder
Anyone know anyone at Google or in the Omaha area with any ties to Google's expansion to Council Bluffs? That's not really a place I care to live (I'm originally from Sioux City about 90 miles up the river although I live in Des Moines now), but a stint at Google? That'd potentially be pretty sweet. And really, the Omaha/Council Bluffs pair is not a bad place at all.
.: computerworld list of top 100 companies to work for
Dan Morrill pointed over to ComputerWorld's annual best places to work survey. I clicked the list of 100 companies expecting to see ComputerWorld advertisers, the same old big guns like Google and Microsoft and Yahoo!, and other large companies that can have lots of day-to-day IT grunts write in praises on the surveys (seriously, there are tons of little surveys on Best Company for ____ that are simply getting 80 of your own employees to write in and overwhelm the voting...), but, I was pleasantly surprised to continuously say, "who? who are they? huh?" to many entries. This intrigues me a lot, and makes me kinda wonder what some of these smaller, unexpected entrants do with their IT operations and workforce to be such good places to work. Almost anyone should be able to take the top 20 in this list and get good material from them for case studies... And by "smaller" I mean smaller than the biggest companies that I expected.

I really think there are many, many smaller and start-up type companies that are amazing places to work for, especially if they have predictable income (which sometimes is tough because so many want to be Yahoo rather than a long-term small company that maintains a solid existence without trying to eat the whole cake...). Hrm, yes, I still have a bug to find something better...
.: piedmont's audit questions and requests
If you didn't think auditing and security were going to be a growing field, add this to the reasons you should stop being naive. ComputerWorld posted a series of questions and requests reportedly made by HHS to Piedmont Hospital as part of a (surprise?) HIPAA audit. Keep in mind that it seems Piedmont only had 10 days to submit the answers. That basically means having it all done and ready, not trying to slap it together during a couple 120 hour weeks. (And even if they did that, any even minor interview with IT techs will reveal the wide-eyes and confusion about the superficiality of anything slapped together.)

Likewise, if these questions don't make you gulp at least a dozen times, you might be living in a dream world. Lots of people talk about security enabling business and ROI and things like that, but there is still going to be a growing field of people just taking care of the back rooms, because these things simply cannot be tacked onto "enabling" projects or expensed properly by a project or business initiative.

I am also very confident that these questions en masse cannot and never will be answered or tracked by any one product no matter how unified it is. Technology changes too quickly and there is too much of it. By the time products dig in and solve something like Windows 2000, then Windows XP is released. And then Vista. And then wireless. And then new attack vectors arise like wireless driver attacks, plus "arguable" attacks like DRM-justified rootkits. And then businesses that simply have to retool their infrastructure every 4-5 years, plus all the homegrown glue that holds everything together. And the changing landscape of almost every business. And the fact that while each company only has a handful of problems when it comes to IT, there are unlimited solutions free and commercial... Oh man, headache...!

A product can never do all this, nor can a CSO/CISO alone. There will continue to be backroom people, unless we want to just do security on a superficial surface level or make our networks much more homogenous such that Company A's setup is almost exactly the same as Company B's setup. No product can do that, although you can argue that service providers may have a chance...but no service provider will be able to scale up to provide for every company even in their own city, let alone make a dent on larger companies or on a wider scale.

I know I'm slightly keeping Rothman in mind when I say the back room is not going away, but I firmly believe all of this just goes back to being as pragmatic as possible when managing security. I still need to get my hands on his book... :)

Update: I know that these questions may be no different than people are being treated to with SOX and HIPAA, but still, how many have really been able to take either of those 100% seriously and adhere to them? Like PCI, it's all about the teeth...maybe cyberinsurance will add the teeth, I dunno. But I would amateurishly estimate that 98% of all businesses would have major infractions from any audit performed, PCI, SOX, or HIPAA.
.: don't worry about the iphone yet
There is talk about the iPhone's implications to security. I think it is important that anyone discussing this make it clear where their perspective lies: from the eyes of an autonomous home consumer or the eyes of corporate IT. From the eyes of a home user, my condolences, but I really expect this device to be no different than any other, and likely exploitable. For the business perspective, this is no different from any other phone or USB key fob on the market.

  1. Limit/disable USB/Bluetooth ports on your laptops and desktops.
  2. Only officially support the use of approved devices, of which there should be few, and they should be manageable from something like a BES server.
  3. Make sure you know what MACs are on your network, and if an iPhone is able to get onto your Ethernet network, be sure you have alarms and possibly port security on your network.
  4. (Optionally) Disallow, by policy, the use of home phone devices to transmit corporate email to and from. You might not be able to effectively audit this, but you better let people know they shouldn't be doing it in the event you find out they are.

If you don't already do the above corporate security measures, you have no business worrying about the iPhone. If you already do the above measures, you have no business worrying about the iPhone beyond deciding how long to wait before allowing it as an approved device for syncing and official use (or when to put the final "PERMA-DENIED" stamp down).
.: hungry, hungry printer
Workplace geek humor time! One of those sounds that just always makes me grin in eerie pleasure when sitting in my cubicle is the sound of print job white noise unceremoniously turning into a printer quietly eating the paper. Not just printing, but jamming up and eating the paper; the pleasant crinkling that indicates things are not well...sure to give me a grin!

Bonus points if someone walks over in the next 15 minutes and starts swearing softly and sounding like they're banging every lid tray and movable plastic piece on the printer...that sadistic side of geek humor, that!
.: paradise by the dashboard lights
Mr. Buddha, Mark Curphey, mentioned dashboards recently, which got me all giddy at the link he provided to a site about information dashboards. I love me some dashboards. I love them enough that I have a section of my menu on the right devoted to security dashboards. Dashboards are used to distill relevant information down to a, hopefully, more visual representation of your reality. Not only that, but have you ever had someone in the management chain above you go gaa-gaa over the pretty pictures and lights and trends on your desk, even when they have no friggen clue what it all means? People seem to react positively to seeing things like this on a network or security admin's desk. At a previous job, I didn't get too many people walking by wondering what I had up my sleeve for that day, but whenever I turned on a dashboard, I had plenty of people from various job roles wander over and ask what all the lights and colors were for and how "cool" it was. In my mind, it has become part of selling oneself as a technical and security expert.

Now, I want dashboards at home, someday. I don't know if I will ever become proficient enough to roll my own, but I have plenty of spare systems and monitors around to utilize their extra cycles to display neat metrics and dashboards. Due to my current refusal to "settle," I don't have big furniture in my apartment like a desk or two, so the whole dashboard setup needs to wait a bit more.

But I thought it worthwhile to write down, for myself, a bit of a wishlist on dashboards I'd like to see on my desk over time. Note that this is at home, although many of these things should be able to scale up to enterprise use. Suggestions for tools are welcome.

  • visual traffic monitoring - like etherape or eve or plenty other tools that give a pretty view of what and where traffic is on the network.
  • less visual traffic monitoring - like a tcpdump scrolling by on a monitor; only tailored down to watch only things really important (and not my workstation streaming web radio...)
  • traffic summary - a summary of traffic levels to web, mail, VPN, SSH servers and so on; even as pared down as simple daily log file sizing.
  • system monitoring - on a basic level, what is up and what is currently down. On a deeper level, system health such as CPU, RAM, and disk usage, running processes, and so on.
  • service monitoring - on an even deeper level, any time traffic to something comes in it can log, throw a visual cue, or send a quick message, for instance a login attempt on SSH or VPN.
  • arp watching - roll your own basic NAC rogue detection on a network by monitoring arp requests in a DHCP network, using arpwatch or arpalert (I think those are the names).
  • security monitoring - tripwire-like integrity detection on important systems, account creation events
  • IDS - things like Snort alerts, although these aren't as useful on a dashboard, per se.
  • threat/vulnerability/external - It is nice to monitor one's own realms, but none of us are islands. We need to know about changing threats, new vulnerabilities, or maybe some trend or new attack vector affecting the security health of the Internet as a whole. There are plenty of these sorts of dashboards available, since they lend themselves well to the web.
  • wireless - kismet just to keep an eye open for new clients and the wireless network in the area
  • wireless spectrum analyzer - run the pretty Wi-Spy tool in a corner to monitor the health of the wireless frequency range.
Ok, so all of this is pretty personal to me, because I am a firm believer in keeping one's fingers not just in the trenches of the back room, but making sure they are constantly feeling for a pulse, temperature, clamminess, etc. So much about security and IT in general has a fundamental base of monitoring for changes and abnormalities. It's the part of me that is a control/information freak which lends itself well to the field. And yes, I like having a few non-screensaver'd monitors around me showing me what is going on at all times.
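The "arp watching" item above, and the "know what MACs are on your network" point from the iPhone post, both come down to the same check. Here is a small roll-your-own version as an added example; it is not code from this post, from arpwatch or from arpalert. It assumes you feed it the output of `ip neigh show` (or any text in that shape), and the inventory and the two snapshots inside it are constructed sample data. It flags MACs that are not in your inventory and IPs whose MAC changed since the last snapshot, which is the "flip-flop" condition arpwatch also reports, and the one to alarm on when it happens to your gateway address.

```python
"""Roll-your-own ARP inventory check.

Added example (not code from the original post or from arpwatch/arpalert).
It parses `ip neigh show`-style output, compares each MAC against a known-host
inventory, and flags (a) MACs never seen before and (b) IPs whose MAC differs
from the previous snapshot, the "flip-flop" that arpwatch also reports.
The inventory and both snapshots below are constructed sample data.
"""
import re
from typing import Dict, List, Optional

# One resolved neighbour entry. Lines without an lladdr (state FAILED,
# INCOMPLETE) do not match and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<state>\S+)\s*$"
)

# Constructed inventory: MAC -> name of the device we expect to own it.
KNOWN_HOSTS: Dict[str, str] = {
    "00:11:22:33:44:01": "gateway",
    "00:11:22:33:44:14": "nas",
    "00:11:22:33:44:2a": "workstation",
}

# Constructed snapshot 1: one unknown MAC (192.168.1.77), one unresolved entry.
SNAPSHOT_1 = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 STALE
192.168.1.77 dev eth0 lladdr 00:1A:2B:3C:4D:5E REACHABLE
192.168.1.50 dev eth0  FAILED
"""

# Constructed snapshot 2: the gateway IP now answers from the unknown MAC.
SNAPSHOT_2 = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.77 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every resolved line; MACs normalised to lower case."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def check_neighbors(
    current: Dict[str, str],
    known: Dict[str, str],
    previous: Optional[Dict[str, str]] = None,
) -> Dict[str, List[str]]:
    """Compare a snapshot against the inventory and against the last snapshot.

    new_mac:   IP/MAC pairs whose MAC is not in the inventory.
    flip_flop: IPs that answered from a different MAC than last time.
    """
    previous = previous or {}
    report: Dict[str, List[str]] = {"new_mac": [], "flip_flop": []}
    for ip, mac in sorted(current.items()):
        if mac not in known:
            report["new_mac"].append(f"{ip} {mac}")
        old = previous.get(ip)
        if old is not None and old != mac:
            report["flip_flop"].append(f"{ip} {old} -> {mac}")
    return report


if __name__ == "__main__":
    first = parse_neigh(SNAPSHOT_1)
    print("snapshot 1:", check_neighbors(first, KNOWN_HOSTS))
    second = parse_neigh(SNAPSHOT_2)
    print("snapshot 2:", check_neighbors(second, KNOWN_HOSTS, previous=first))
```

Run it from cron with the previous snapshot pickled or written to a file, and route the two lists to whatever your dashboard or pager reads; the unresolved `FAILED` entry in snapshot 1 is deliberately there so you can see that only resolved entries are compared.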
.: http ddos mitigation by tarpitting
By way of the SecuriTeam blog, I see Joe Stewart has posted a quick technical article about thwarting an HTTP DDoS attack using iptables tarpitting. I also like the cite to a report by Jordan Wiens [pdf] about tarpitting DDoS worms (I've not read it yet). I especially like the graph showing the effects of no action, connection dropping, and tarpitting. As a question to myself, I wonder if the attacked system needs to keep track of those sessions as well, and if that might bleed the server a bit over time? Obviously, this is still better than having the server fall over in the first 5 minutes, while tarpitting likely can allow the server to hold out far longer, even if it still bleeds.

One thing that Joe leaves unspoken is tarpitting is not to be used for all HTTP requests. Some of those requests are legitimate users and you certainly don't want to tarpit them. Tarpitting should be triggered after a connection is determined to be part of the DDoS, so there is some front-end work to be done. I expect Wiens covers this in the longer paper.
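The "front-end work" of deciding which connections belong to the flood is the part worth sketching. The following is an added example, not code from Joe Stewart's article or the Wiens paper: it reads combined-format web server log lines (constructed sample lines are embedded), computes each source's peak request count inside a sliding window, and returns only the sources that exceed a threshold and are not on an allowlist, so the legitimate visitor and your own monitoring host never get tarpitted. The rule strings it emits assume the `TARPIT` target from xtables-addons is installed and that port 80 is the attacked service; the threshold and window are assumptions to tune against your own traffic.

```python
"""Pick HTTP flood sources out of an access log before tarpitting.

Added example, not from the original post or the articles it links.
The log lines, threshold and window are constructed/assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.9 hammers one URL, 192.0.2.44 is a normal reader,
# 198.51.100.7 is our own monitoring host polling /status in a burst.
SAMPLE_LOG = """\
10.0.0.9 - - [23/Jun/2007:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jun/2007:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jun/2007:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [23/Jun/2007:10:15:03 +0000] "GET /blog/ HTTP/1.1" 200 8800
10.0.0.9 - - [23/Jun/2007:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jun/2007:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [23/Jun/2007:10:15:05 +0000] "GET /status HTTP/1.1" 200 42
198.51.100.7 - - [23/Jun/2007:10:15:05 +0000] "GET /status HTTP/1.1" 200 42
198.51.100.7 - - [23/Jun/2007:10:15:06 +0000] "GET /status HTTP/1.1" 200 42
198.51.100.7 - - [23/Jun/2007:10:15:06 +0000] "GET /status HTTP/1.1" 200 42
198.51.100.7 - - [23/Jun/2007:10:15:07 +0000] "GET /status HTTP/1.1" 200 42
10.0.0.9 - - [23/Jun/2007:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [23/Jun/2007:10:15:31 +0000] "GET /blog/style.css HTTP/1.1" 200 1200
this line is garbage and is skipped
"""
SAMPLE_LOG_LINES = SAMPLE_LOG.splitlines()


def parse_access_log(lines: Iterable[str]) -> Dict[str, List[datetime]]:
    """Group request timestamps by source IP; malformed lines are ignored."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return events


def peak_rate(times: List[datetime], window: timedelta) -> int:
    """Largest number of requests that fall inside any window of the given length."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:  # drop requests that fell out of the window
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flood_sources(
    lines: Iterable[str],
    threshold: int = 5,
    window_seconds: int = 10,
    allowlist: Iterable[str] = (),
) -> Dict[str, int]:
    """Return {ip: peak_requests} for sources at or above threshold, minus the allowlist."""
    allow = set(allowlist)
    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, int] = {}
    for ip, times in parse_access_log(lines).items():
        if ip in allow:
            continue
        peak = peak_rate(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def tarpit_rules(ips: Iterable[str], port: int = 80) -> List[str]:
    """Render iptables rules (assumes xtables-addons TARPIT); inserted at the top so they win."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j TARPIT" for ip in sorted(ips)]


if __name__ == "__main__":
    sources = find_flood_sources(SAMPLE_LOG_LINES, allowlist={"198.51.100.7"})
    print("flood sources:", sources)
    for rule in tarpit_rules(sources):
        print(rule)
```

Feed it the tail of the live log rather than the whole file, keep the allowlist populated with your monitoring and upstream proxy addresses, and expire the rules after a while, since a NAT gateway that was flooding you five minutes ago may be carrying real readers now.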
.: quote for the day
A smooth sea never made a skillful mariner. -English proverb
.: google apps serves terminal23 email now
Item #1: As much as I think SMTP is broken, spam filters make it even more so. I run my own home mail server for one of my domains, which means sometimes my mail gets dropped because I am using a DHCP/residential service. In other words, my ISP address space is blacklisted by some services. Lame. So then I try Hushmail or Gmail, which is also sometimes blocked. A pretty big WTF situation...

Item #2: You have a Yahoo and Gmail email account. Service is excellent and you nearly live by these email accounts. What one thing would make it better? Being able to replace @gmail.com with your domain, of course.

Conclusion: Enter Google Apps. I just got signed up for a beta service through Google Apps using the domain name terminal23.net. I went through all I needed to go through and about 25 minutes later, I have a couple working email addresses on this domain, and I can add new ones within seconds. Rock on! The interface is exactly like Gmail, although I could change the top logo if I wanted to, and I can stay logged into it and Gmail at the same time. Slick!

Feel free to check it out. It took maybe 2 weeks to get approved and an invite emailed out, but it is well worth the wait. This will make an excellent backup to my normal domain and home mail server.
.: hacking world of warcraft
Via elamb, The Register has an article on hacking World of Warcraft, and also mentions an upcoming book I didn't know about, Exploiting Online Games: Cheating Massively Distributed Systems, by Gary McGraw and Greg Hoglund.

Exploiting games like this, as I'm sure the authors posit, is something that might not interest a lot of people, but should still be watched. Things like WoW (12 million users! This has become a social network in itself, really!) and Second Life bleed over into the real world, both in relationships with fellow people and business realms. But beyond that, the distributed worlds of gaming on such a large level will, just like the hardware gaming pushes, eventually find more mainstream uses. Being able to know these risks (like offloading some of the work to the client machines), at least just being aware of them, should prove useful someday.

I'll get this book regardless, since I play WoW [0] and I've seen things in past games that exemplify the issues with cheating [1]. It helps a lot to know what is possible out there, and can put the whole gaming world/experience into more of a perspective. The book also looks like it will explore the issues that the game software presents to the users, for instance how far the game software can go in monitoring the user. Thankfully I run gaming on a separate box which does nothing but burn discs and run games, but I'm a rarity in that setup.

[0] I have a 60 Warlock (main) and 60 Priest on Crushridge Alliance, and a 55 Shaman on Kul'Tiras Alliance. Obviously I've focused on the Shammy since BC.
[1] Aimbots in Quake 1 (yes, some people earned money using them); farm bots in Diablo II/Battlenet.