.: July 2007 Archives


.: dns pinning: the grey area between web and network security
Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.

First, this is a great article for people who are already familiar with DNS pinning, since the author throws out "anti DNS pinning" and "DNS pinning" quite a lot, and it gets confusing which one he is actually talking about in each example. DNS pinning is browser behavior: once a hostname has been resolved, the browser keeps using that IP address, ignoring the DNS record's TTL, until the browser (or all windows of that browser) is closed. Any admin supporting DNS or web servers has experienced this behavior. "That should work...did you hit refresh? Oh wait, close all your browsers first and retry. Yup, that did it!" Anti DNS pinning is the trick for getting around that: the attacker changes the DNS entry for his hostname to point somewhere else, often at an internal address, and then forces the browser to re-resolve the name (for instance by making the original IP stop answering), so script loaded from the attacker's page can now talk to that internal address while the browser still treats it as the attacker's own origin. Christian explains how to pull this off by leveraging browser behavior and changes to DNS entries.

Second, while several web security researchers would like to say this is a Big Deal, I still consider this an exotic attack, for now. Christian mentions this can be used to attack internal servers, but that requires significant knowledge, and I don't think most corporations will have to care. Still, there is always the potential for something like this to become a common attack method in the future.

The takeaways from this are to know what DNS pinning means, what anti DNS pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.
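One practical check on the receiving end, added here as an example and not taken from Christian's article or from this post: because the victim's browser still believes it is talking to the attacker's hostname, that hostname arrives in the HTTP Host header, so an internal web application that only accepts its own names in Host rejects a rebound request. The Python below does that; the hostnames in the allow list and the listening port are assumptions for illustration.

```python
# Added example, not code from the article or this post.  Server-side check
# that defeats anti-DNS-pinning (DNS rebinding): the victim's browser thinks it
# is talking to attacker.example.com, so that is what it puts in the Host
# header even after the name has been re-pointed at an internal address.  An
# internal service that only answers to its own names rejects such requests.
# The hostnames and the listening port below are assumptions for illustration.
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"intranet.example.internal", "localhost", "127.0.0.1", "::1"}


def split_host(header):
    """Split a Host header into (hostname, port); port is None if absent.
    Handles bracketed IPv6 literals such as [::1]:8080.  Returns (None, None)
    for malformed values."""
    value = header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            return None, None
        port = rest[1:]
    elif value.count(":") == 1:
        host, port = value.split(":")
    else:                      # no port, or an unbracketed IPv6 literal
        return (value.rstrip(".") or None), None
    if not port.isdigit():
        return None, None
    return host.rstrip("."), int(port)


def host_is_allowed(header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this service under one of its own
    hostnames or addresses."""
    if not header:
        return False
    host, _port = split_host(header)
    return host is not None and host in allowed


class RebindingAwareHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host", "")):
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"Unexpected Host header\n")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"internal resource\n")


if __name__ == "__main__":
    # Assumed port.  Compare a request sent with Host: attacker.example.com
    # against one sent with Host: intranet.example.internal.
    HTTPServer(("127.0.0.1", 8080), RebindingAwareHandler).serve_forever()
```

The check only helps when it lives in the internal application itself; a service that ignores Host altogether will happily answer the rebound request, which is why such hosts are the interesting targets for this attack.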
.: exercise your brain with hypothetical incident response scenarios
A few days ago I mentioned DDoS mitigation. The referenced article [pdf] concerns UFIRT's actions in the face of a rather unique incident: a DDoS attack planned to occur in 1 week's time. Incident response plans are important to a company's security posture, but not every imaginable incident needs to have an itemized response plan. And while issues like a DDoS likely should not be painstakingly planned out, they should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an ad hoc incident like a DDoS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? :) It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon...
.: reading some more books
I've been ramping up my studying lately, which has taken some time away from blogging (both reading them and writing some). I've also made headway into my huge list of "pending" items that both sit on my bathroom counter and in my email box.

But I have found time to plug away at some more books. I've (finally!) started reading The Tao of Network Security Monitoring by Richard Bejtlich. I've put this book off way too long (I wanted more background in TCP/IP and Linux before tackling the book, or so I tell myself) and am finally getting into it. I really dig the tone and how Bejtlich presents the topics. Thankfully, the very academic first chapters were followed up by excellent later chapters that I found much more interesting (maybe because I already knew his positions and definitions from following his blog).

Last night I also started reading Security Metrics by Andrew Jaquith. I really dig this guy's writing, and I was amazed by the opening tones of the book. First an opening by one of the most recognizable writing styles in security, Dan Geer, which is also visionary and almost prophetic. Just reading anything he writes feels weighty; old and dusty like an important magical tome hidden in some wizard's tower. Then into Jaquith's wonderful presentations. I think this book will go fast.

Yes, I read multiple books at once. Sometimes I read novels which just require me and a chair. Other times technical books that pretty much require a computer nearby to follow along. I typically have two or three going at any given time, depending on my mood and the resources nearby. It is usually too much to be reading 2 hands-on books at a time, so I try to keep it mixed up with different flavors of books.
.: pe hunter grabs windows executables off the wire
Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won't necessarily stop or prevent an attack, but can act as a watchdog for something evul going on, or help figure out what an attacker may have done on your network. The real usefulness of this tool won't be realized until it is used, though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.
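To see what a tool like PE Hunter has to do, here is an added example (not PE Hunter's code and not from this post) that carves Windows executables out of a captured byte stream: it looks for the MZ stub, follows e_lfanew to the PE signature, sanity-checks the COFF header and sizes the file from the section table, so a bare "MZ" in ordinary traffic is not mistaken for a binary. The sample stream and the minimal PE inside it are constructed.

```python
# Added example, not PE Hunter's code and not from the original post: carve
# Windows PE images out of a captured byte stream.  A bare "MZ" appears all
# over ordinary traffic, so a hit is only accepted when e_lfanew points at a
# "PE\0\0" signature and the COFF/section headers make sense; the file is then
# sized from the section table so the whole image can be written out.
import struct

KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}   # i386, x64, ARM, ARM64


def pe_image_length(data, mz_off):
    """Return the on-disk length of the PE image starting at mz_off, or None
    if the bytes there are not a plausible PE file."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    # The PE header sits just past the DOS stub; anything far away is noise.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(data):
        return None
    if data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsects, _ts, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, pe + 4)
    if machine not in KNOWN_MACHINES or not 0 < nsects <= 96:
        return None
    sect = pe + 24 + opt_size
    end = sect + 40 * nsects            # at least the headers
    if end > len(data):
        return None
    for i in range(nsects):
        _name, _vsize, _va, raw_size, raw_ptr = \
            struct.unpack_from("<8sIIII", data, sect + 40 * i)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe_files(data):
    """Scan a byte stream and return [(offset, image_bytes), ...]."""
    found, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos == -1:
            break
        length = pe_image_length(data, pos)
        if length is None:
            pos += 1
            continue
        found.append((pos, data[pos:pos + length]))
        pos += length                   # skip past the carved image
    return found


def build_sample_pe():
    """Constructed minimal PE image (headers plus one .text section of 0x200
    bytes); it is not runnable and exists only as test input."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)         # PE32 magic, rest zero
    sect = struct.pack("<8sIIII", b".text", 0x10, 0x1000, 0x200, 0x200) + bytes(16)
    header = bytes(dos) + b"PE\x00\x00" + coff + opt + sect
    header += bytes(0x200 - len(header))                     # pad to first raw section
    return header + b"\xCC" * 0x200


SAMPLE_PE = build_sample_pe()
# Constructed capture: an HTTP response carrying the PE, followed by an "MZ"
# that is just text and must not be carved.
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 + SAMPLE_PE + b"MZ is also how a certain file format starts" + bytes(80))

if __name__ == "__main__":
    for off, image in carve_pe_files(SAMPLE_STREAM):
        print("PE at offset %d, %d bytes" % (off, len(image)))
```

Feed it reassembled TCP payloads rather than single packets; a header split across two packets will not match, which is the same reason PE Hunter sits behind Snort's stream reassembly.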

Of note, no, I'm not all that great with Snort. It's on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.
.: untangle open sourced
About half a year ago I posted about Untangle (and it has remained on my long-term projects list, sadly). I see they got some more press in ComputerWorld as they have turned their product open source. Sounds cool, and I still want to check it out on my home network someday (yeah, one of those projects that keeps getting pushed down...).
.: hacking the verizon motorola razr v3c
People often ask me how I like my Razr phone. I tell them it'd be a really nice phone...if I wasn't on Verizon. Yes, Verizon is well known for crippling their Razrs to the point where I really do only use it for phone calls and the occasional text message. In the past I have done minor adjustments like getting my own ringtones on the phone (text yourself a .wav file renamed to .mp3 and it will let it through, and play it as a .wav file properly), but I've never delved too deeply into messing with it, it being my first personally-owned cell phone. John Ward over at The Digital Voice has posted an awesome article about hacking the Razr, and he suffered from the same crippling issues from Verizon that I do. Since my contract is quite mature now and I'm more comfortable with pushing the line on my phone, I think I will make a note to try this stuff out. He's truly right that if I can unlock all this stuff in the article, the phone will take on a whole new level of use in my life. Funny how Verizon doesn't get that...
.: smb4k, sinfp, xampp, ssl hell, cmd prompt call
I've been going over some of the pending things in my todo lists. Here's a few things.

I don't know of anything that can browse shares in Gnome on Ubuntu (Nautilus can using smb://server/share, but that requires knowing your target). So I installed smb4k, which is available through Synaptic. Seems I needed a bunch of other stuff, including kdelibs. While smb4k is a KDE tool, it seems to run just fine in Gnome. It can be loaded from Applications->Accessories. The initial load will throw a non-terminating KWallet error, but KWallet then happily disables itself and the program continues. One bonus is the ability to manage and see existing mounts.

If you see a system but aren't sure what OS it might be (if Windows, then you can try those fun admin shares!), you can check it out using an OS fingerprint tool. Yes, nmap and p0f are your typical choices, but SinFP might be a third option. I decided to try this on Windows and followed the instructions given. Everything seemed fine, but when I tried to fingerprint anything on my network, I typically was told I cannot fingerprint a closed or filtered port, even though I know it was open and allowed. Most of the time perl.exe would then spin and I'd have to kill it. Not sure what was going on, but might revisit it at some later date on Linux, perhaps. Regardless of the results of this tool, being able to know some of the differences that operating systems display in various packets and other behavior is some pretty fundamental and "not difficult" stuff. Being written in perl, it might be nice to read through this tool's signatures and techniques.

XAMPP looks like a nice way to get a full complement of tools and applications for a web server set up quickly on either Linux or Windows (or others!). I've not tried this out as I wanted to do stuff manually with my latest build, but I might consider XAMPP in the future.

Here is a snippet of a Dan Kaminsky presentation on SSL Hell at Toorcon. He talks about the bad things he has found about SSL through his huge scans of the Internet. I really dig that he admits security people can be wrong when trying to require SSL on every page. SSL can be intensive on servers and the hardware doesn't scale well with it. One thing I didn't like is a minor quibble. He points out that a lot of sites don't appear to use SSL (https) on their logins, but I'd have liked it if he had just said, "I sniffed this transaction to verify it wasn't secured underneath what I can see in my browser." He's probably correct in saying they were insecure, however.

I can't remember where I found this originally, but I wanted to document it on my site for future reference. This reg script should add the ability to right-click any Windows folder and launch a cmd prompt at that location. Update: Looks like I maybe found it here.
REGEDIT4

; Right-click entry on folders: opens a command prompt in that folder.
[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@="Command &Prompt Here"

; cd /d changes the drive as well as the directory, so the entry also works
; for folders that are not on the current drive.
[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""

; Same entry on drive icons in My Computer.
[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@="DOS &Prompt Here"

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""
.: windows mac changers, wifi tools, and firewalls
There are a ton of different tools and ways to change your MAC address, let alone simply doing it manually. Here are a few I've accumulated notes about over the past 6 months. Macshift is a standalone C++ tool run via the command line. Does what it should do!

Technitium is probably the Mercedes of MAC changers, sporting tons of information in the GUI and also being scriptable.

Smac is also an old favorite I see mentioned a lot, but the eval version is slightly limited. For such a small tool, I just don't believe in shelling out money for it.

Speaking of Windows tools, Wirelesskeyview is a quick .exe (no installation required) that will pull out wireless network keys and display them for you. I'm sure these are just stored in a registry entry somewhere and, if encrypted at all, are like just rot13, but still this tool makes life easy.

Heck, I'll stick with Windows for this whole post. The Windows firewall is still daunting to manage or maintain for most people, even those of us who are comfortable with firewalls! This KB article from Microsoft is surprisingly detailed. I especially like the last section on enabling and checking the logging of dropped packets. Combine this with a tail program and it might turn a spare WinXP box into a network tripwire-like device.
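As an added example of the tripwire idea (not from the KB article or this post), here is a small Python parser for the firewall's pfirewall.log that reports any source address whose dropped inbound packets touched several different ports. The log lines are constructed sample data in the W3C layout the XP SP2 firewall writes; the threshold of three ports is an arbitrary choice.

```python
# Added example, not from the KB article or this post: read the Windows
# Firewall log (pfirewall.log, W3C format) and raise an alert when one source
# address probes several ports on the box, the "tripwire" use described above.
# The log text below is constructed sample data; the field list matches the
# "#Fields:" header the XP SP2 firewall writes.
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-07-12 10:15:01 DROP TCP 192.168.1.50 192.168.1.10 3345 135 48 S 1791234 0 65535 - - - RECEIVE
2007-07-12 10:15:01 DROP TCP 192.168.1.50 192.168.1.10 3346 139 48 S 1791235 0 65535 - - - RECEIVE
2007-07-12 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 3347 445 48 S 1791236 0 65535 - - - RECEIVE
2007-07-12 10:15:02 DROP TCP 192.168.1.50 192.168.1.10 3348 3389 48 S 1791237 0 65535 - - - RECEIVE
2007-07-12 10:15:07 DROP UDP 192.168.1.77 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2007-07-12 10:15:09 DROP ICMP 10.0.0.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2007-07-12 10:15:11 OPEN TCP 192.168.1.10 192.168.1.1 1055 80 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header,
    so a changed column order in a later firewall version still parses."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue        # truncated or malformed line; skip rather than misalign
        yield dict(zip(fields, values))


def find_port_scanners(records, threshold=3):
    """Return {src-ip: sorted distinct dst ports} for sources whose dropped
    inbound TCP/UDP packets hit at least `threshold` different ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        if r["protocol"] not in ("TCP", "UDP") or r["dst-port"] == "-":
            continue
        ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}


def alerts_for(text, threshold=3):
    """One human-readable alert line per flagged source address."""
    scanners = find_port_scanners(parse_firewall_log(text), threshold)
    return ["%s probed %d ports: %s" % (ip, len(p), ",".join(str(x) for x in p))
            for ip, p in sorted(scanners.items())]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

Pointed at the live file (by default %windir%\pfirewall.log on XP) from a loop that re-reads the tail, this is the whole tripwire; OPEN and SEND entries are ignored so the box's own traffic never trips it.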

Yesterday I posted a few OS fingerprinting tools. I missed one I had in my box called Satori. This looks like a quick effort that may not be regularly updated, but is a passive OS fingerprinter for a few OS types. I've not had a chance to try this out yet as my Windows machines at home are limited, but it might be fun to try, even if it doesn't make any toolboxes. A related paper on the site is also interesting.
.: sysinternals tools in one download
If you don't live on the Internet like I do, you might not know Sysinternals was "bought" by Microsoft (I'm not sure if it was actually bought or if Mark Russinovich just brought it along when he was hired by Microsoft). Now, you might know that, but did you know all those tools are offered in a single download now? Of particular note is Process Monitor, which is a souped-up replacement for Filemon and Regmon and sits alongside Process Explorer. And if you don't know what Sysinternals is, well, I can't help you.
.: freeundelete and restoration of deleted files
Let's stick some more with Windows tools. A few years ago it became hip to wow friends and family with tools that would undelete or recover files long since gone from hard disks. This led to the eventual realization that old computers given away and drives lost or stolen could yield a lot of data if not properly wiped. If you ask me, if there is any doubt about whether a drive's contents are sensitive or not, just destroy the drive when it is decommissioned. (Besides, the powerful magnets inside the drives when disassembled make for fun toys for most anyone, if you want to score some points.)

Anyway, FreeUndelete is a tool to recover files. Also, the oldie tool Restoration is still available for the same purpose.

Oh, and PhotoRec is a tool to recover files from flash drives (and I bet other things!). This was described very well in an article on InformIT.

You can use Eraser as a tool to better wipe files from a Windows system. Use it in conjunction with the recovery tools above to see the differences. For full disk wipes, I prefer the bootable DBAN disc.

Of course there are more tools! Here's a quick list I pulled from a mailing list:
OverWrite
SecureDelete
another Secure Delete
WipeDisk
AutoClave
Wipe (Linux)
and of course, shred for Linux, which should need no link.
.: security video round-up
Videos are kinda cool. There are a bunch of them at Security-Freak demonstrating various tools and research. Scroll to the bottom to get past some of the topical videos and see common security tools demonstrated.

Serapis and SecureVision released this web defacement video. This demonstrates how easy it can be to deface a website, especially after you become familiar with a particular method of attack. If you know an attack on the current phpBB version, for instance, the hard part is learning how to pull it off the first time. After that, downing 100 vulnerable instances is cake. I like this video, even though the music is maddeningly annoying. (Oh, and for anyone thinking about producing videos, I really don't like having to scroll up and down to see the whole screen...)

You can't go wrong with a good ol' BackTrack2 WEP cracking video. There's a number of them out there, and for some reason I just like seeing them.

This video doesn't load every time for me (Ubuntu+Firefox), but when it does, it gives a demonstration of finding and working out an exploit.

And the MPack demonstration video. The size is small, but still illustrates how web attack toolkits have gained traction.

And, of course, I have other videos listed in the aptly named "videos" section on the left menu.
.: using telnet to send email
Note to self: use telnet for email more often than I do now, if nothing else then to just stay familiar with the syntax in a pinch.
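The syntax in question, as an added example (not part of the original note): the commands you type after connecting with telnet to port 25, produced by a small Python routine and walked through against a scripted server so both sides of the exchange are visible, including dot-stuffing of body lines that begin with a period and the client's reaction to a 5xx reply. Hostnames, addresses and server replies are constructed.

```python
# Added example, not part of the original note: the SMTP dialogue you type by
# hand after "telnet mailhost 25", produced by a small client routine and
# walked through against a scripted server so both sides are visible.  The
# hostnames, addresses and server replies are constructed sample data.

def smtp_commands(helo_name, mail_from, rcpt_to, subject, body):
    """Client lines in order.  Body lines starting with '.' are dot-stuffed
    (RFC 5321 section 4.5.2) so they cannot end the DATA section early."""
    headers = ["From: %s" % mail_from, "To: %s" % rcpt_to,
               "Subject: %s" % subject, ""]
    stuffed = [("." + line if line.startswith(".") else line)
               for line in body.splitlines()]
    return (["EHLO %s" % helo_name,
             "MAIL FROM:<%s>" % mail_from,
             "RCPT TO:<%s>" % rcpt_to,
             "DATA"]
            + headers + stuffed
            + [".", "QUIT"])


def make_responder(reject_rcpt=False):
    """Scripted server.  Real servers may answer EHLO with several 250- lines;
    the single-line form is enough to show the codes the client must check."""
    replies = {"EHLO": "250 mail.example.test Hello",
               "MAIL": "250 2.1.0 sender ok",
               "RCPT": "250 2.1.5 recipient ok",
               "DATA": "354 end data with <CR><LF>.<CR><LF>",
               ".":    "250 2.0.0 queued as 0123456",
               "QUIT": "221 2.0.0 bye"}

    def responder(cmd):
        if cmd is None:                       # connection opened: banner
            return "220 mail.example.test ESMTP ready"
        verb = cmd.split(":")[0].split(" ")[0].upper()
        if verb == "RCPT" and reject_rcpt:
            return "550 5.1.1 no such user"
        return replies.get(verb, "500 5.5.1 command unrecognized")
    return responder


def run_session(commands, responder):
    """Drive the exchange.  Returns (transcript, delivered).  Lines after DATA
    get no reply until the lone '.'; a 4xx/5xx reply aborts with QUIT."""
    transcript = ["S: " + responder(None)]
    in_data = False
    for cmd in commands:
        transcript.append("C: " + cmd)
        if in_data and cmd != ".":
            continue
        reply = responder(cmd)
        transcript.append("S: " + reply)
        if reply[:1] in ("4", "5"):
            transcript.append("C: QUIT")
            transcript.append("S: " + responder("QUIT"))
            return transcript, False
        if cmd == "DATA":
            in_data = True
        elif cmd == ".":
            in_data = False
    return transcript, True


if __name__ == "__main__":
    cmds = smtp_commands("client.example.test", "alice@example.test",
                         "bob@example.test", "telnet test",
                         "hello\n.this line starts with a dot\nbye")
    for line in run_session(cmds, make_responder())[0]:
        print(line)
```

The "C:" lines are exactly what to type into the telnet session; the "S:" lines are what to expect back, and the reply code's first digit (2 or 3 good, 4 or 5 bad) is the only thing worth reading before typing the next command.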
.: patch your windows boxes offline
A few years ago Microsoft started offering free shipped CDs containing security updates. Sadly, they didn't do this very long, but the ability to update systems locally was a blessing for my previous job, where we didn't image our systems quite as much as I wanted to. Now I see Heise Security has an article detailing some scripts to build offline ISOs of patches. If you're like me and oftentimes prefer the path of least resistance, Microsoft offers downloads of DVD ISOs as well. Who'da thunk!
.: google to acquire postini
I have heard today that Google is planning to acquire Postini. Hopefully they don't change Postini too much, since I've been a happy camper with them in my current job. Normally I don't report news, but just wanted to make a quick post. Of course, I've been very happy with email service from Google as well as Postini, so it seems like a pretty strong match.
.: are you really blocking im?
Do you block IM at your company either via policy, via technical controls like firewall or web filters, or all of the above?

Are you sure you're blocking IM?

Let me remind you we're in what is gaggingly called the Web 2.0 years. Are you still certain about your answer?

I've mentioned Meebo.com in the past as a web-based way to connect to all your favorite IM services. Yikes, that's scary enough to block in the firewall and filters, right? Well, now you can plop little plugins into blog services like Blogspot that will allow you to chat away with a friend. This is only a small skip (the hop, step, and jump have already been done!) away from being able to use outbound and inbound IM from any arbitrary website that you control.

If you've not revisited the business cases for IM lately, you might want to do so and start realizing that IM is going to be as prevalent as cell phones (and phones in general) in our lives moving forward. There is little sense in fighting that, but every sense in getting your organization used to having a centralized IM system or centralized standards.

PS: Yes, I saw this traffic because my IPS flagged it for me, thankfully.
.: google and postini and a huge complex master plan
I've seen a few postings lately musing about the Google/Postini marriage. It must be nice to have such rich and fertile material to pore and yell and talk over; like giving a hyper dog a large chewy bone to keep them occupied for hours upon hours at end while you try to get things done... Anyway, this is in response more towards Hoff/beaker than others he references.

I don't think Google's plans are quite this grandiose (providing security, becoming an ASP-cum-ISP and providing some buzzword called "clean pipes..."), and I don't think they are going into security in itself, per se.

Postini's offerings and customers fit exactly into what Google wants to do with Gmail and now Google Apps. This means they house even more content; content very personally and professionally relevant to its users and customers. They leverage content for advertising, and so on, which is a nice side-effect to providing SaaS for small-medium companies (or maybe the vice-versa is true!).

Also, with Postini, they can control the upstream gateways for many other companies. So even if you don't let Google house your data over time, they can still scan it and gather content/information about you and your company to better leverage advertising and relevance.

Besides, what is "secure" in housing one's important data at a third party? I don't much care if it is wrapped in SSL or POPS. Yes, security is part of it, but it is just a bullet point to get companies to take them more seriously as an alternative to Exchange/Lotus Notes/ISP mail service.

I think, like people look at crimes, it is easy to take Google's plans way more complicated than they truly are. The simple answers are almost always the right ones, not the huge complex conspiracies that can be thought up. :)

PS: Providing "clean pipes" sounds awfully nice and altruistic to the rest of us, but come on. Google went public. In going public, Google went from being altruistic and "not evil" to being ultimately self-serving towards itself and its stakeholders. It will only do "clean pipes" if it can be "evil" behind the scenes and profit from it...but I don't see that truly happening unless they offer up widespread wireless access and then leech all that rich personal data from all of us...evil, really. But I don't see that happening, really either.
.: nasa hacker interview
I'm not sure how real this interview is, but I really have zero reason to not buy it as real. Either way, an interesting insight into why "hackers/crackers" do what they do.
.: blending web and network attacks with arp spoofing
I like case studies. They're the real deal in comparison to the theoreticals of many articles. Neil Carpenter recently posted about web-borne malware that eventually led to LAN ARP poisoning and injection of iframes into web requests. This sort of stuff illustrates the new things we need to start thinking about when it comes to web security. A web attack against one user browsing stupid sites stupidly can result in your whole LAN being victimized; the next step up from onesy-twosy hijackings from web pages. What is really cool is Neil followed that post up with another one discussing how to detect ARP attacks like this.

I had to take exception to his statement that "I'd also suspect that most IDS systems would catch this." That's correct, but I don't know of any IDS systems that would catch those and not throw hundreds of other false positives at the same time. It's common to initially tune an IDS to not detect ARP.

So what else can you do to provide always-on detection of spoofed ARP? You could set up a script to sniff and parse out ARP traffic relating to your gateways. These should be finite and quite manageable. Then whitelist the known IP-to-MAC combinations for your gateways. If you see a different MAC claiming a gateway address, flag and alert. This way you ignore all the other ARPs, since they would likely be false positives anyway, and only alert on what you really care about: the gateway. I bet arpwatch or some other *nix ARP tools could be leveraged to assist in this.
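The gateway allow-list approach, as an added example written for this page rather than anything from Neil's posts: a Python parser for raw Ethernet/ARP frames that ignores everything except packets claiming a gateway's IP and reports any that carry a MAC other than the recorded one. The gateway mapping, the MAC and IP addresses and the frames are constructed sample data.

```python
# Added example, not from Neil Carpenter's posts or this one: the gateway
# allow-list idea as a parser for raw Ethernet/ARP frames.  Only packets whose
# ARP sender IP is a gateway are examined; any that carry a MAC other than the
# recorded one are reported.  The gateway mapping and the frames below are
# constructed sample input (all MACs and IPs are made up).
import struct

GATEWAYS = {"192.168.1.1": "00:11:22:33:44:55"}   # assumed known-good mapping


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return a dict for an Ethernet II frame carrying IPv4-over-Ethernet ARP,
    or None for anything else."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
    return {"eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def check_gateway_arp(frames, gateways=GATEWAYS):
    """Alert strings for ARP packets (requests as well as replies, since both
    update neighbour caches) that claim a gateway IP with the wrong MAC."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] not in gateways:
            continue                    # not about a gateway: ignore the noise
        expected = gateways[arp["sender_ip"]]
        if arp["sender_mac"] != expected:
            alerts.append("%s claimed by %s (expected %s), arp op %d from %s"
                          % (arp["sender_ip"], arp["sender_mac"], expected,
                             arp["op"], arp["eth_src"]))
    return alerts


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II + ARP frame; used only to build sample input."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth_dst = b"\xff" * 6 if op == 1 else tmac
    return (struct.pack("!6s6sH", eth_dst, smac, 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", smac, sip, tmac, tip))


SAMPLE_FRAMES = [
    # legitimate reply from the real gateway
    build_arp(2, "00:11:22:33:44:55", "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.20"),
    # poisoned reply: someone else claims the gateway's IP
    build_arp(2, "00:de:ad:be:ef:01", "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.20"),
    # ordinary request for the gateway from a workstation: not interesting
    build_arp(1, "00:aa:bb:cc:dd:02", "192.168.1.21", "00:00:00:00:00:00", "192.168.1.1"),
    # an IPv4 frame, not ARP at all
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + bytes(40),
]

if __name__ == "__main__":
    for alert in check_gateway_arp(SAMPLE_FRAMES):
        print(alert)
```

Feed it frames read from a raw socket or a pcap and it stays quiet for everything except a second MAC claiming a gateway, which is the one ARP event worth paging someone over.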

It is also time to have every company look into some sort of proxy solution for web traffic. Even if it is not robust and does not do active filtering or stripping of malicious files, it should at least log what is being visited and when. Multiple attempts to site xyz/123.htm accompanying every other hit is a good indicator after the fact.

These sorts of blended attacks are nothing new, but it is somewhat new to have such attacks originate from the web browser, attack the network, and end with other web browsers. That's cool and scary at the same time.
.: 10 reasons not to provide free tech support
I was forwarded a list of 10 reasons not to provide free tech support by a coworker this morning. Not sure where she got it, but a quick Google search yielded the blog article I linked to, even if that wasn't the original.

I've encountered most of these in my personal life at some point or other (even before I was interested in IT stuff!). I've even encountered some of these items on the job. People who ask personal tech questions outside of work are people just like those I work with. There are many times people at work ask business-related and non-business-related tech questions which get into these same pitfalls. I am particularly careful when managers and HR overtly ask or hint that they would like me to work on their troubled home systems. That's usually a lot to lose and very little to gain, and the odds are on the lose side.

Manage expectations of those making the requests. Always be honest and open about your capabilities and how bad a problem is for the requestor. Some things are just not fixable or the odds are really against it. We're not gods, and sometimes we really can't fix everything or recover everything.

Nonetheless, I still help out when I can, as I do like to learn and help others, even if it is largely pro-bono.
.: large number of pdf and dat file mail spam
Seems this morning has ushered in a slew of spam and possibly malicious pdf and dat emails coming in. I take it this is pretty new this morning since neither Postini nor McAfee have any blockings yet, and I'm hoping they are just spam and not something more sinister. We're watching our inbound mail and have actually blocked all mail with attachments until we learn more. Days like this make me wish I didn't have tons of projects and things to do and had more time for incident response. :)
.: big patch week
It's been a busy week for vulnerabilities. Microsoft's normal round with server and client patches. Winpcap had a disclosure and update. Sun's Java. I just saw a Flash player disclosure on the FD mailing list. Even McAfee's ePO and Cisco's CallManager rang some up. It's one of those days that reminds me of a few things.

1) Make sure that if you don't have the abilities to update all your workstations quickly, get that base image updated with the newest packages and installs so you stop rolling out outdated systems. Befriend your image guy/girl and make sure they have time and are appreciated. Volunteer to be a tester for any pilot deploys.

2) Evaluate whether you need centralized Windows install/patch management like Altiris. Don't overlook the need for another body to be the Altiris expert, or to carve out significant time for someone to learn and manage it. It's not an install and forget app!

3) If you don't do either of these, well, at least be aware of what your vulnerabilities are and make plans to mitigate or attack these issues in the future.

4) And most importantly, to all the stay-at-home "IT admins" whose experience includes 5 years of their 1 office SOHO room and 7 years of IT journalism: "Go patch your shit. Come back to me after you're done, and start imagining doing that for 3,000 systems in 25 departments before cluttering my reader with the latest no-brainer 'best practices' that sound good on a dreamy sunny Saturday morning but have little basis in reality." (Yeah, I have a pet peeve right there, hehe...)
.: late night thoughts on security metrics
I have recently begun reading Andrew Jaquith's recent book called Security Metrics on, predictably, security metrics. Andrew runs the securitymetrics.org site and mailing list. So far I have been very intrigued by his approach from my standpoint of a technical guy who likely will one day be in IT/security management. Security metrics are an inevitability, so I might as well start thinking about it in my roles.

Early on I was pleased to see Andrew tackle the problem of data sharing. It's one of those things I firmly believe is holding us back, and illustrates our problems (and stigmas) with sharing useful information with each other. If you know where I work, I certainly can't be very open about a damaging incident at work, especially if people at work may read my writings. And so on.

I was also pleased to see him quickly tackle the problems with ALE (Annualized Loss Expectancy) and expose it for the guesswork that it really is. Many people I've talked to have insinuated their disdain at something like trying to predict ALE, although few go far enough to outright challenge the general (read: CISSP) acceptance of it as gospel. Likewise, he put good solid wording to my own intuitions about scorecards, grades, and health colors, namely that they're ambiguous and don't mean anything. They're really meant to start discussions, not quickly show value.

I was surprised Andrew didn't use "pen-test" or "vuln assessment" terms when introducing his discussion on diagnostic measurements and hypotheses/subhypotheses. The method of answering diagnostic questions to prove or disprove a subhypothesis seems to be a vuln assessment to me.

One part that rubbed me slightly wrong was in the Perimeter Security and Threats section, under Attacks (pg 51-52). Andrew says, "You'll note that [this]...leaves out such common statistics as the most commonly attacked ports and the most 'dangerous' external URLs. I have omitted them deliberately, because they don't pass the 'So what?' test." I'm a bit in Bejtlich's camp when it comes to measuring and knowing your threats. Some of these measures such as top 10 ports, top 10 attacking addresses, and top 10 URLs help an organization know their threats (attackers) better. Granted, I also buy that Andrew is looking into organizational effectiveness and efficiency, and that view can still survive without looking to the external threats. Metrics paint a good picture of the past, but some measures like top 10 ports may indicate something happening right this moment that may be of some concern. Still, a minor point and not worth arguing about at all, as I accept both him and my stances as just a matter of opinion.
.: the good and bad types of icmp
ICMP can be blocked or allowed, or one can instead allow the good stuff and block the unnecessary stuff. This paper should give the quick details on which is which. Gleaned from Shane Castle on the Security Catalyst forums.
.: attempt one on the ccna has completed
I've been quiet this week and weekend for really one reason: took a stab at the CCNA test yesterday. I didn't pass, but I didn't expect to pass either. I was finding myself spinning my wheels more and more with my studying, especially since I'm not getting very much of a chance at work to get hands-on with the equipment we have. So I used the test period to get myself re-oriented on where I stand. I scored a 783 and needed 849 to pass. I was pretty happy as I felt I would do worse than that, even when taking the test. The bottom line, though, is that I get a chance to mix things up and refocus on what I stumbled on, what I didn't expect, and what wasn't tested that I did expect. Things look good, and I plan to retake the test in a couple weeks or so. Kinda like running a long race, passing the starting line and getting a look at the time to see whether I'm on pace or not and what I need to do to stay on pace to win out.

What I expected that didn't happen: More detailed WAN questions on implementation commands and the minutae of such settings. Instead, I got two questions about what DLCIs do and how they relate to the local and remote routers, and one question about which WAN technology to choose given a situation. Heck, I even only got one OSPF question and one EIGRP question... Not much there with my luck of the draw.

What I didn't expect: To not only be tested heavily on switch commands, but to actually stumble and not know those answers as quickly or accurately as I should. Definitely focusing on switches for a while, since I even have some at home! Ugh to having missed those! Switches, VTP, VLANs, STP.
.: recovering damaged files
Computer help questions come in many flavors, and while many requests get dodged, there are times when influential or attractive (wink wink) people ask favors that you don't want to dodge and would rather have a quick and impressive answer. One such situation involves the inevitable accidental file deletion or damaged disk recovery. Two such tools were recently posted to SearchWinComputing, Unstoppable Copier (gui) and Bad Block Copy (cli). There are other tools, but I've mentioned them elsewhere on here before (and recently too!). I'm sure there are other forensics tools that do this sort of stuff very nicely, but are likely cost-prohibitive for home users.
.: yet another google tool used as a proxy
There's an endless number of proxies out on the Internet to use for anonymous or filter-bypassing activities. Like using Google Translate, you can use this unofficial-looking Google wireless tool that displays a web page how a mobile user would see it, without needing the mobile device in hand. Kinda cute, and interesting. Saw this from Planet-WebSecurity who linked to The Hacker Webzine, and so on...

I should start considering a category called survival skills for the cyber age. This would be part of it...
.: apache server-status pages
More fun web server tricks from Full-Disclosure today. Falling under the headings of "information disclosure" and "service fingerprinting" is an enabled server-status page in Apache. Go to your website and add "/server-status/" to the end to get the information, kinda like on apache's site: http://www.apache.org/server-status
.: drunk employee has a good old time
A drunk employee knocks out the power for 365 Main. That's awesome. I'll just take this time to say if you ever see my work desk, that's iced tea in that cup, not beer! I can also happily say that I am not an easily irritable or angry or berzerk-prone kind of guy at all, whether sober or drunk. If you're a not-so-happy drunk, just keep that in mind if you're on call or working the next day... In the immortal words of Socrates (and later expounded by Thoreau), "Know thyself."

Thanks for the clarification, dre. Damn, I thought this felt too funny to be true. :)
.: a p2p witch hunt
This article about the government's opinion on P2P networks (they claim it is the cause of sensitive gov't data being disclosed and is thus evil) is exactly what I thought when I first heard this story today. The use of P2P networks and applications is not the issue here. The issue is data protection and system control. Don't let your organization-owned systems have P2P software on them (there are plenty of ways to tackle this both on the systems and the network!). And keep track of your data so people don't bring it home and put it on little Stacy's computer running 3 default all-shared P2P apps 24/7. Pound in that this activity is against policy. Stop slapping wrists and start meting out real punishments to the employees for such violations.
.: diving down into dns discussions
I've recently read two interesting papers dealing with DNS-related attacks. First, Andrew Hay pointed over to a paper from the HoneyNet Project titled Know Your Enemy: Fast-Flux Service Networks. The HoneyNet Project is uniquely poised to do some things that most of us cannot autonomously do: monitor and trend threats. This position has allowed them to see Fast-Flux attacks first-hand, where DNS entries are changed dynamically to hide the source of malware downloads and controls. I'd be willing to bet this concept has been in use for quite some time, only many researchers fire off one or two lookups, report the resulting domains, and that's it. They likely never see the changes, and thus never realize they were not really doing much good.
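The point about one or two lookups missing the rotation is easy to show with code. The following is an added example, not code from the HoneyNet paper or from this post: it compares the answer sets for one hostname collected over several lookups and reports how many distinct addresses and networks showed up and how often the answer changed. The lookups and addresses are constructed sample data (RFC 5737 documentation ranges), the thresholds are assumptions for illustration, and the /16-prefix count is a crude stand-in for the ASN diversity a real check would use.

```python
"""Flag fast-flux behaviour from repeated lookups of one hostname.

Added example, not code from the HoneyNet paper or from this post. One
lookup cannot show rotation, so this compares answers collected over time.
All lookups below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    t: int               # seconds since the first lookup (constructed)
    ttl: int             # TTL carried by the A records in this answer
    a_records: List[str]


def network_prefixes(ips):
    """Crude stand-in for ASN diversity: distinct /16 prefixes (assumption;
    a real check would map each address to its origin AS)."""
    return {".".join(ip.split(".")[:2]) for ip in ips}


def flux_report(lookups: List[Lookup], ttl_max: int = 300,
                min_unique: int = 5, min_changes: int = 2) -> Dict[str, object]:
    """Summarise how the answer set for one name behaved across lookups.

    Thresholds are assumptions for illustration: a short TTL, several distinct
    addresses, and the answer set changing more than once together suggest
    flux. Legitimate CDNs also rotate addresses, so "suspect" is a triage
    signal for a human to confirm, not a verdict.
    """
    seen: set = set()
    changes = 0
    prev = None
    for lk in sorted(lookups, key=lambda l: l.t):
        cur = frozenset(lk.a_records)
        seen |= cur
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    low_ttl = all(lk.ttl <= ttl_max for lk in lookups)
    return {
        "lookups": len(lookups),
        "unique_ips": len(seen),
        "networks": len(network_prefixes(seen)),
        "answer_changes": changes,
        "low_ttl": low_ttl,
        "suspect": low_ttl and len(seen) >= min_unique and changes >= min_changes,
    }


# Constructed samples: a name that rotates its addresses every few minutes,
# and an ordinary two-address round-robin host.
FLUX_NAME = [
    Lookup(0,   180, ["198.51.100.10", "203.0.113.22", "192.0.2.77"]),
    Lookup(200, 180, ["198.51.100.10", "203.0.113.22", "192.0.2.77"]),
    Lookup(400, 180, ["203.0.113.91", "198.51.100.35", "192.0.2.140"]),
    Lookup(800, 180, ["192.0.2.201", "198.51.100.8", "203.0.113.7"]),
]
STABLE_NAME = [
    Lookup(0,   60, ["192.0.2.5", "192.0.2.6"]),
    Lookup(300, 60, ["192.0.2.6", "192.0.2.5"]),   # same set, different order
    Lookup(600, 60, ["192.0.2.5", "192.0.2.6"]),
]

if __name__ == "__main__":
    for label, sample in (("rotating", FLUX_NAME), ("stable", STABLE_NAME),
                          ("rotating, one lookup only", FLUX_NAME[:1])):
        print(label, flux_report(sample))
```

The third case in the usage section is the blind spot from the paragraph above: the same rotating name looked up once reports three addresses and nothing suspicious, because there is nothing to compare against.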

I also see that Trusteer has a paper hosted describing cache poisoning against BIND 9 by leveraging predictable transaction IDs to update DNS caching servers surreptitiously. While this seems a bit exotic, I wouldn't consider it too exotic. In fact, getting an outbound connection by an internal user shouldn't be a huge problem, and that could be a big payoff if you can poison some major DNS entries. I think the biggest problem is just making sure you're attacking a BIND 9 DNS caching server. I'll dive into this paper more than my casual glance tonight. Considering our malware prevalence today, I think this can be easily leveraged by existing maldoers, but may require a bit more targeting than blanket blind malware. I'm interested if the paper goes into countermeasures or how to combat this.
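Whether your own caching resolver is exposed to this class of attack comes down to how guessable its transaction IDs are, and that is something you can measure from a packet capture of its outbound queries. Here is an added example, not code from the Trusteer paper or from this post, that scores a list of observed IDs for the obvious weak patterns: a fixed increment (a counter, even one that wraps at 16 bits), small monotonic steps, reused values, or IDs confined to a small span. The ID samples are constructed, and the thresholds are assumptions chosen for illustration rather than values from the paper.

```python
"""Audit a sample of DNS transaction IDs for predictability.

Added example, not code from the Trusteer paper or from this post. Feed it
the IDs your resolver put on its outbound queries (the samples below are
constructed) to tell a counter-style generator from a random one.
"""
import math
from typing import Dict, List


def txid_audit(ids: List[int]) -> Dict[str, object]:
    """Return simple predictability indicators for a list of 16-bit IDs.

    The thresholds (span below 12 bits, monotonic steps under 64) are
    assumptions chosen for illustration, not values from the paper.
    """
    if len(ids) < 3:
        raise ValueError("need at least three IDs to judge a pattern")
    # Differences taken modulo 2^16 so a counter that wraps still shows up.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    span_bits = math.log2(max(ids) - min(ids) + 1)
    fixed_increment = len(set(deltas)) == 1
    small_steps = all(0 < d < 64 for d in deltas)
    reused = len(set(ids)) < len(ids)
    predictable = fixed_increment or small_steps or reused or span_bits < 12
    return {
        "count": len(ids),
        "fixed_increment": fixed_increment,
        "small_steps": small_steps,
        "reused": reused,
        "span_bits": round(span_bits, 2),
        "predictable": predictable,
    }


# Constructed samples, not captured traffic.
SEQUENTIAL = list(range(1000, 1020))              # plain counter
WRAPPING = [65530, 65535, 4, 9, 14, 19]           # counter stepping by 5 past 2^16
RANDOM_LOOKING = [0x4f3a, 0x1b07, 0xe2c9, 0x77d1, 0x0a5e, 0xc310, 0x9b84,
                  0x2ff6, 0xd4a2, 0x6063, 0xfa19, 0x1c8d, 0x8e47, 0x35b0,
                  0xb97e, 0x52ec]

if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL), ("wrapping", WRAPPING),
                          ("random-looking", RANDOM_LOOKING)):
        print(label, txid_audit(sample))
```

The wrapping sample is why the differences are taken modulo 2^16: its raw values span the whole 16-bit range, so a span check alone would pass it, but every step is 5. A sample that passes all four checks still only proves the generator is not trivially bad; a small capture cannot establish that the IDs are actually random.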

Lastly, this paper hosted by InfosecWriters is an excellent primer on DNS and DNS security. I recently read a DNS paper that was really well written, and I think this was it. I'm not sure where I got the link from, however.
.: interview with richard bejtlich
A quick note that Marcin has posted an interview with Richard Bejtlich over on his blog, ts/sci-security. Richard hosts what is definitely one of my favorite blogs, writes excellent books, and basically is one of those zen masters of his field of expertise, namely network monitoring and everything that goes into that discipline. Of all the people I would love to learn from and work side-by-side with for a few years to sponge up information, he's near the top of the list, truly. I'd even fetch his coffee, give him massages, and frolic...er...someone stop this downward spiral..!
.: embrace the passion
Reading the Bejtlich interview sparked a thought. I read this in response to what makes a good network security analyst:
First, you need to want to beat the bad guys. If you are entering the security field because you heard a commercial on the radio advertising higher pay, you will not get far.
For some reason, this made me think of a mention that Marcin made recently along with pdp about the movie Hackers and/or that old "hacking" culture that seems missing lately.

I need to give pdp proper kudos for coming out (hehe, read *that* link out of context why don't ya?) about the movie's influence on his life personally. There are few things more chic in digital security than bashing CISSP-holders, but bashing the movie Hackers is one of them. I love the movie for what it is, even if the details are dramatized heavily.

At any rate, pdp and Marcin are both (independently and cooperatively at the same time, I think) looking to revive a little bit of that curious innocence and culture that the hacking scene has seen slowly disappear. This sounds fun and cool, and while the industry, technology, and hackers-turned-professionals have largely matured, we can still have a hell of a lot of fun in our little geek circles and keep things immature and fun as a way to keep our lives from becoming overgrown with the burden of the daily IT/security overwork. Embrace your inner deviate, if not in action, at least in thought.

I think the bottom line is to just have enthusiastic, lifelong passion about this field. Live it, embrace it...but that last might be my hedonist side talking.
.: blackdust.whitedust
I didn't even know this was around. Blackdust.whitedust.net is a Google search proxy to anonymize your searches. Of course, if you search for personally identifiable stuff, like your name, that's not necessarily very anonymous anyway, and no proxy will save you. And if I search for "HIV treatments" just before you search for your name, a search anonymized might actually hurt you should the information get out into ignorant hands. Basically you can take it or leave it, but I like the non-standard colors as something new. Saw this over at ComradeSmack.
.: boeing and sox auditing
This article on Boeing and SOX is a pretty amazing example of how regulations affect the bottom line and the IT department. It also seems to illustrate how NOT to deal with audits: they should be treated as a good thing, not just something you do to avoid a fine or bad news for the stakeholders. Once you start treating regulation and security like a bad step-father, you get auditors yelling at each other, overturning rulings by others, and otherwise get so much in-fighting that you paralyze yourself.

Of course, it is easy for me as an armchair quarterback to say these things, and I'm sure the problems are way deeper than I could imagine. So here are some choice quotes I pulled out that apply to this generalization as well as overall IT/security intermingling.
The level of rigor -- for example, documenting every single approval for a coding change -- was foreign to the get-things-done culture of Boeing's computer professionals.
This is foreign to many shops. In fact, in my two major jobs, both have struggled to some degree with change management both in coding and also the infrastructure side. This is weak everywhere in the "just get it done" mentality that all business is permeated with.
Senior managers said that compliance was always a top priority. But junior managers said they didn't have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.
That age-old gap between levels of management living in different worlds, or just plain not listening or providing proper resources to get things done. No one is working together, and it really sounds like making money and getting things done is top priority, not security or the audit. If security was the top priority, these friction points wouldn't exist.

Either way, for all of us in IT and security, this is our reality and our balancing act. If you can't adapt and deal with not having enough resources for perfect security, you need a better line of work.
.: on security metrics the book
I just recently finished reading the excellent book, Security Metrics, Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. Andrew has written a book, not that I would like to write someday, but a book about a topic that hasn't been written about before, and he certainly has something (many things!) to say about it.

In fact, I have to make mention of a phrase that totally made me happy to see, since I rarely get such literary enjoyment from technical texts. On page 118, we have this gem: "perfidious outsourcers pilfering proprietary secrets."

This book is definitely worthwhile for anyone who ever has to present security metrics as a part of their job. I would also recommend it for any security operations people who want to understand why some metrics should be gathered and how to better give your analysts and managers what they want. Likewise, any security operations people are likely the future analysts and managers anyway, so this makes for a very good early orientation to the important questions and how to appropriately answer them, let alone self-evaluate their own systems according to more appropriate metrics.
.: ssh brute force protection via iptables
I have protection on my SSH ports, but I wouldn't mind more. Honestly, it can't really hurt. This article by Kevin van Zonneveld on adding brute force protection to iptables (and your Ubuntu install) to help secure your SSH is a welcome addition. Far too often I read tidbits like this that stop at the first step: adding the iptables rules, and leave out all this other good stuff that Kevin goes into, like rummaging in cron to clean up rules, persisting the rules, and so on. I plan on adding this to my server in the next few. Thanks Kevin!
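To see what a rate-limit rule of this kind actually does before putting it on a server, it helps to replay the logic over some attempts. The following is an added example, not Kevin van Zonneveld's script or code from this post: `render_rules` emits the common two-rule recipe built on the iptables `recent` module (record every NEW connection to the port, then drop a source once it exceeds N new connections within S seconds), and `RecentTracker` applies that same sliding window in Python to constructed connection attempts so you can see which attempt is the first to be dropped and when the block expires on its own. The 4-in-60-seconds threshold and the source addresses are assumptions, not values from the post.

```python
"""Replay the iptables `recent` sliding-window limit over SSH attempts.

Added example, not Kevin van Zonneveld's script or code from this post.
The emulation is simplified: xt_recent also refreshes the entry when the
DROP rule matches, which does not change the decisions shown here.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

IP_PKT_LIST_TOT = 20   # xt_recent's default per-address history size


def render_rules(port: int = 22, seconds: int = 60, hitcount: int = 4,
                 name: str = "SSH") -> List[str]:
    """The shell commands; order matters, --set must come before --update."""
    base = f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -m recent"
    return [
        f"{base} --set --name {name}",
        f"{base} --update --seconds {seconds} --hitcount {hitcount} "
        f"--name {name} -j DROP",
    ]


class RecentTracker:
    """Per-source timestamps of NEW connections, bounded like xt_recent."""

    def __init__(self, seconds: int = 60, hitcount: int = 4):
        self.seconds = seconds
        self.hitcount = hitcount
        self.history: Dict[str, Deque[int]] = defaultdict(
            lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def new_connection(self, src: str, t: int) -> str:
        """Return ACCEPT or DROP for a NEW connection from src at time t."""
        hist = self.history[src]
        hist.append(t)                                    # the --set rule
        recent_hits = sum(1 for ts in hist if t - ts <= self.seconds)
        # the --update rule: match (and drop) once the window holds N hits
        return "DROP" if recent_hits >= self.hitcount else "ACCEPT"


def replay(attempts: List[Tuple[int, str]], seconds: int = 60,
           hitcount: int = 4) -> List[Tuple[int, str, str]]:
    """Decide each (time, source) attempt in time order."""
    tracker = RecentTracker(seconds, hitcount)
    return [(t, src, tracker.new_connection(src, t))
            for t, src in sorted(attempts)]


# Constructed attempts: one source hammering the port, one normal user
# (RFC 5737 documentation addresses).
ATTEMPTS = [
    (0, "203.0.113.9"), (10, "203.0.113.9"), (20, "203.0.113.9"),
    (30, "203.0.113.9"), (40, "203.0.113.9"),
    (0, "198.51.100.4"), (100, "198.51.100.4"), (200, "198.51.100.4"),
    (130, "203.0.113.9"),   # quiet for 90 s, then tries again
]

if __name__ == "__main__":
    print("\n".join(render_rules()))
    for t, src, verdict in replay(ATTEMPTS):
        print(f"t={t:4d} {src:15} {verdict}")
```

Two things the replay makes visible: the fourth attempt inside the window is the first one dropped, not the fifth, because the `--set` rule has already recorded the current packet when `--update` counts hits; and the block is not permanent, since a source that stays quiet for longer than the window is accepted again. Whoever relies on the rules for a persistent block still needs the rule persistence and cleanup steps the article covers, because `recent` state lives only in the running kernel.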

As a side note, it's been over a year since I've been tinkering with iptables, so this will get me back on track as I've become rusty...
.: the beginning of a windows pentest encounter
Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

I will add to make sure and grab the cached logins on the workstations attacked as well. By default, systems often cache the last 10 accounts, which almost always includes at least one admin-type account from desktop support or the person who made the image in the first place.

If you crack the local admin password, don't just use it on other systems, but try to change obvious things in the password. If they're not the same across the department or even the company, often desktop support has some sort of predictable password scheme based on the computer name or user name or department. Heck, even I had a predictable one back when I did support, but you really had to work to guess it and I left plenty of red herrings lying around (like having the second half of the hash crack into a known word or just lower-case letters to throw off how complex the first half was...)