late night thoughts on security metrics

I have recently begun reading Andrew Jaquith’s recent book called Security Metrics on, predictably, security metrics. Andrew runs the securitymetrics.org site and mailing list. So far I have been very intrigued by his approach from my standpoint of a technical guy who likely will one day be in IT/security management. Security metrics are an inevitability, so I might as well start thinking about it in my roles.

Early on I was pleased to see Andrew tackle the problem of data sharing. It’s one of those things I firmly believe is holding us back, and illustrates our problems (and stigmas) with sharing useful information with each other. If you know where I work, I certainly can’t be very open about a damaging incident at work, especially if people at work may read my writings. And so on.

I was also pleased to see him quickly tackle the problems with ALE (Annualized Loss Expectancy) and expose it for the guesswork that it really is. Many people I’ve talked to have hinted at their disdain for something like trying to predict ALE, although few go far enough to outright challenge the general (read: CISSP) acceptance of it as gospel. Likewise, he put good solid wording to my own intuitions about scorecards, grades, and health colors, namely that they’re ambiguous and don’t mean anything. They’re really meant to start discussions, not quickly show value.

I was surprised Andrew didn’t use “pen-test” or “vuln assessment” terms when introducing his discussion on diagnostic measurements and hypotheses/subhypotheses. The method of answering diagnostic questions to prove or disprove a subhypothesis seems to be a vuln assessment to me.

One part that rubbed me slightly wrong was in the Perimeter Security and Threats section, under Attacks (pg 51-52). Andrew says, “You’ll note that [this]…leaves out such common statistics as the most commonly attacked ports and the most ‘dangerous’ external URLs. I have omitted them deliberately, because they don’t pass the ‘So what?’ test.” I’m a bit in Bejtlich’s camp when it comes to measuring and knowing your threats. Some of these measures such as top 10 ports, top 10 attacking addresses, and top 10 URLs help an organization know their threats (attackers) better. Granted, I also buy that Andrew is looking into organizational effectiveness and efficiency, and that view can still survive without looking to the external threats. Metrics paint a good picture of the past, but some measures like top 10 ports may indicate something happening right this moment that may be of some concern. Still, a minor point and not worth arguing about at all, as I accept both his and my stances as just a matter of opinion.

big patch week

It’s been a busy week for vulnerabilities. Microsoft’s normal round with server and client patches. Winpcap had a disclosure and update. Sun’s Java. I just saw a Flash player disclosure on the FD mailing list. Even McAfee’s ePO and Cisco’s CallManager rang some up. It’s one of those days that reminds me of a few things.

1) If you don’t have the ability to update all your workstations quickly, make sure that base image gets updated with the newest packages and installs so you stop rolling out outdated systems. Befriend your image guy/girl and make sure they have time and are appreciated. Volunteer to be a tester for any pilot deploys.

2) Evaluate whether you need centralized Windows install/patch management like Altiris. Don’t overlook the need for another body to be the Altiris expert, or to carve out significant time for someone to learn and manage it. It’s not an install and forget app!

3) If you don’t do either of these, well, at least be aware of what your vulnerabilities are and make plans to mitigate or attack these issues in the future.

4) And most importantly, to all the stay-at-home “IT admins” whose experience includes 5 years of their 1 office SOHO room and 7 years of IT journalism: “Go patch your shit. Come back to me after you’re done, and start imagining doing that for 3,000 systems in 25 departments before cluttering my reader with the latest no-brainer ‘best practices’ that sound good on a dreamy sunny Saturday morning but have little basis in reality.” (Yeah, I have a pet peeve right there, hehe…)

large number of pdf and dat file mail spam

Seems this morning has ushered in a slew of spam and possibly malicious pdf and dat emails coming in. I take it this is pretty new this morning since neither Postini nor McAfee are blocking any of it yet, and I’m hoping they are just spam and not something more sinister. We’re watching our inbound mail and have actually blocked all mail with attachments until we learn more. Days like this make me wish I didn’t have tons of projects and things to do and had more time for incident response. 🙂

10 reasons not to provide free tech support

I was forwarded a list of 10 reasons not to provide free tech support by a coworker this morning. Not sure where she got it, but a quick Google search yielded the blog article I linked to, even if that wasn’t the original.

I’ve encountered most of these in my personal life at some point or other (even before I was interested in IT stuff!). I’ve even encountered some of these items on the job. People who ask personal tech questions outside of work are people just like those I work with. There are many times people at work ask business-related and non-business-related tech questions which get into these same pitfalls. I am particularly careful when managers and HR overtly ask or hint that they would like me to work on their troubled home systems. That’s usually a lot to lose and very little to gain, and the odds are on the lose side.

Manage expectations of those making the requests. Always be honest and open about your capabilities and how bad a problem is for the requestor. Some things are just not fixable or the odds are really against it. We’re not gods, and sometimes we really can’t fix everything or recover everything.

Nonetheless, I still help out when I can, as I do like to learn and help others, even if it is largely pro-bono.

blending web and network attacks with arp spoofing

I like case studies. They’re the real deal in comparison to the theoreticals of many articles. Neil Carpenter recently posted about web-borne malware that eventually led to LAN ARP poisoning and injection of iframes into web requests. This sort of stuff illustrates the new things we need to start thinking about when it comes to web security. A web attack against one user stupidly browsing stupid sites can result in your whole LAN being victimized; that’s the next step up from onesy-twosy hijackings from web pages. What is really cool is that Neil followed that post up with another one discussing how to detect ARP attacks like this.

I had to take exception to his statement that “I’d also suspect that most IDS systems would catch this.” That’s correct, but I don’t know of any IDS systems that would catch those and not throw hundreds of other false positives at the same time. It’s common to initially tune an IDS to not detect ARP.

So what else can you do to provide always-on detection of spoofed ARP? You could set up a script to sniff and parse out ARP traffic relating to your gateways. These should be finite and quite manageable. Then whitelist the IP/MAC combinations for your gateways. If you get different responses, flag and alert. This way you ignore all the other ARPs, since they will likely be false positives anyway, and only alert on what you really care about: the gateway. I bet arpwatch or some other nix ARP tools could be leveraged to assist in this.
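The gateway-whitelist check described above, written out as an added example (my code, not Neil’s or arpwatch’s): it decodes raw Ethernet/ARP frames, ignores everything that does not claim a whitelisted gateway IP, and alerts only when a gateway IP shows up with the wrong MAC. The gateway address, the MACs and the three sample frames are constructed for the example.

```python
import struct
from typing import Optional

# Constructed whitelist (assumption): each gateway IP and the one MAC it must always carry.
GATEWAYS = {"192.168.1.1": "00:11:22:33:44:55"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame; return ARP fields, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,                          # 1 = request, 2 = reply
            "sha": mac_str(frame[22:28]),      # sender hardware (MAC) address
            "spa": ip_str(frame[28:32]),       # sender protocol (IP) address
            "tha": mac_str(frame[32:38]),
            "tpa": ip_str(frame[38:42])}


def check_gateway_arp(frame: bytes, gateways: dict = GATEWAYS) -> Optional[str]:
    """Alert only when a frame claims a gateway IP with a MAC other than the whitelisted one.
    Every other ARP frame is ignored on purpose; that is where the false positives live."""
    arp = parse_arp(frame)
    if arp is None or arp["spa"] not in gateways:
        return None
    expected = gateways[arp["spa"]].lower()
    if arp["sha"] == expected:
        return None
    kind = "reply" if arp["op"] == 2 else "request"
    return f"ARP {kind}: {arp['spa']} claimed by {arp['sha']}, expected {expected}"


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a raw ARP frame; used here only to construct sample input."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(tha) + mac(sha) + b"\x08\x06"                      # Ethernet header
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


# Constructed sample traffic: a legitimate gateway reply, a spoofed one, and an unrelated request.
LEGIT = build_arp(2, "00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.20")
SPOOF = build_arp(2, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.20")
OTHER = build_arp(1, "aa:bb:cc:dd:ee:02", "192.168.1.30", "00:00:00:00:00:00", "192.168.1.40")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("spoof", SPOOF), ("other", OTHER)):
        print(name, check_gateway_arp(frame))
```

In practice the frames would come from a raw socket or a pcap feed on the sniffing box; only the frame source changes, the check stays the same.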

It is also time to have every company look into some sort of proxy solution for web traffic. Even if it is not robust and does not do active filtering or stripping of malicious files, it should at least log what is being visited and when. Multiple attempts to site xyz/123.htm accompanying every other hit is a good after-the-fact indicator.

These sorts of blended attacks are nothing new, but it is somewhat new to have such attacks originate from the web browser, attack the network, and end with other web browsers. That’s cool and scary at the same time.

google and postini and a huge complex master plan

I’ve seen a few postings lately musing about the Google/Postini marriage. It must be nice to have such rich and fertile material to pore and yell and talk over; like giving a hyper dog a large chewy bone to keep them occupied for hours upon hours at end while you try to get things done… Anyway, this is in response more towards Hoff/beaker than others he references.

I don’t think Google’s plans are quite this grandiose (providing security, becoming an ASP-cum-ISP and providing some buzzword called “clean pipes…”), and I don’t think they are going into security in itself, per se.

Postini’s offerings and customers fit exactly into what Google wants to do with Gmail and now Google Apps. This means they house even more content; content very personally and professionally relevant to its users and customers. They leverage content for advertising, and so on, which is a nice side-effect to providing SaaS for small-medium companies (or maybe the vice-versa is true!).

Also, with Postini, they can control the upstream gateways for many other companies. So even if you don’t let Google house your data over time, they can still scan it and gather content/information about you and your company to better leverage advertising and relevance.

Besides, what is “secure” in housing one’s important data at a third party? I don’t much care if it is wrapped in SSL or POPS. Yes, security is part of it, but it is just a bullet point to get companies to take them more seriously as an alternative to Exchange/Lotus Notes/ISP mail service.

I think, like people look at crimes, it is easy to take Google’s plans way more complicated than they truly are. The simple answers are almost always the right ones, not the huge complex conspiracies that can be thought up. 🙂

PS: Providing “clean pipes” sounds awfully nice and altruistic to the rest of us, but come on. Google went public. In going public, Google went from being altruistic and “not evil” to being ultimately self-serving towards itself and its stakeholders. It will only do “clean pipes” if it can be “evil” behind the scenes and profit from it…but I don’t see that truly happening unless they offer up widespread wireless access and then leech all that rich personal data from all of us…evil, really. But I don’t see that happening, really either.

are you really blocking im?

Do you block IM at your company either via policy, via technical controls like firewall or web filters, or all of the above?

Are you sure you’re blocking IM?

Let me remind you we’re in what is gaggingly called the Web 2.0 years. Are you still certain about your answer?

I’ve mentioned Meebo.com in the past as a web-based way to connect to all your favorite IM services. Yikes, that’s scary enough to block in the firewall and filters, right? Well, now you can plop little plugins into blog services like Blogspot that will allow you to chat away with a friend. This is only a small skip (the hop, step, and jump have already been done!) away from being able to use outbound and inbound IM from any arbitrary website that you control.

If you’ve not revisited the business cases for IM lately, you might want to do so and start realizing that IM is going to be as prevalent as cell phones (and phones in general) in our lives moving forward. There is little sense to fight that, but every sense to get your organization used to having a centralized IM system or centralized standards.

PS: Yes, I saw this traffic because my IPS flagged it for me, thankfully.

google to acquire postini

I have heard today that Google is planning to acquire Postini. Hopefully they don’t change Postini too much, since I’ve been a happy camper with them in my current job. Normally I don’t report news, but just wanted to make a quick post. Of course, I’ve been very happy with email service from Google as well as Postini, so it seems like a pretty strong match.

patch your windows boxes offline

A few years ago Microsoft started offering free shipped CDs containing security updates. Sadly, they didn’t do this very long, but the ability to update systems locally was a blessing for my previous job where we didn’t image our systems quite as much as I wanted to. Now I see Heise Security has an article detailing some scripts to build offline ISOs of patches. If you’re like me and oftentimes prefer the path of least resistance, Microsoft offers downloads of DVD ISOs as well. Woulda thunk!

security video round-up

Videos are kinda cool. There are a bunch of them at Security-Freak demonstrating various tools and research. Scroll to the bottom to get past some of the topical videos and see common security tools demonstrated.

Serapis and SecureVision released this web defacement video. This demonstrates how easy it can be to deface a website, especially after you become familiar with a particular method of attack. If you know an attack on the current phpBB version, for instance, the hard part is learning how to pull it off the first time. After that, downing 100 vulnerable instances is cake. I like this video, even though the music is maddeningly annoying. (Oh, and for anyone thinking about producing videos, I really don’t like having to scroll up and down to see the whole screen…)

You can’t go wrong with a good ol’ BackTrack2 WEP cracking video. There’s a number of them out there, and for some reason I just like seeing them.

This video doesn’t load every time for me (Ubuntu+Firefox), but when it does, it gives a demonstration of finding and working out an exploit.

And the MPack demonstration video. The size is small, but still illustrates how web attack toolkits have gained traction.

And, of course, I have other videos listed in the aptly named “videos” section on the left menu.

freeundelete and restoration of deleted files

Let’s stick some more with Windows tools. A few years ago it became hip to wow friends and family with tools that would undelete or recover files long since gone from hard disks. This led to the eventual realization that old computers given away and drives lost or stolen could yield a lot of data if not properly wiped. If you ask me, if there is any doubt about whether a drive’s contents are sensitive or not, just destroy the drive when it is decommissioned. (Besides, the powerful magnets inside the drives when disassembled make for fun toys for most anyone, if you want to score some points.)

Anyway, FreeUndelete is a tool to recover files. Also, the oldie tool Restoration is still available for the same purpose.

Oh, and PhotoRec is a tool to recover files from flash drives (and I bet other things!). This was described very well in an article on InformIT.

You can use Eraser as a tool to better wipe files from a Windows system. Use it in conjunction with the recovery tools above to see the differences. For full disk wipes, I prefer the bootable DBAN disc.

Of course there are more tools! Here’s a quick list I pulled from a mailing list:
OverWrite
SecureDelete
another Secure Delete
WipeDisk
AutoClave
Wipe (Linux)
and of course, shred for Linux, which should need no link.

sysinternals tools in one download

If you don’t live on the Internet like I do, you might not know Sysinternals was “bought” by Microsoft (I’m not sure if it was actually bought or if Mark Russinovich just brought it along when he was hired by Microsoft). Now, you might know that, but did you know all those tools are offered in a single download now? Of particular note is ProcessMonitor which is a souped up version of Filemon/Regmon/ProcessExplorer. And if you don’t know what Sysinternals is, well, I can’t help you.

windows mac changers, wifi tools, and firewalls

There are a ton of different tools and ways to change your MAC address, let alone simply doing it manually. Here are a few I’ve accumulated notes about over the past 6 months.
Macshift is a standalone C++ tool run via the command line. Does what it should do!

Technitium is probably the Mercedes of mac changers, sporting tons of information in the GUI and also being scriptable.

Smac is also an old favorite I see mentioned a lot, but the eval version is slightly limited. For such a small tool, I just don’t believe in shelling out money for it.

Speaking of Windows tools, Wirelesskeyview is a quick .exe (no installation required) that will pull out wireless network keys and display them for you. I’m sure these are just stored in a registry entry somewhere and, if encrypted at all, are probably something rot13-like, but still this tool makes life easy.

Heck, I’ll stick with Windows for this whole post. The Windows firewall is still daunting to manage or maintain for most people, even those of us who are comfortable with firewalls! This kb article from Microsoft is surprisingly detailed. I especially like the last section on enabling and checking the logging of dropped packets. Combine this with a tail program and it might turn a spare WinXP box into a network tripwire-like device.
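As an added example of the tripwire idea (my code, not Microsoft’s or from the KB article), here is a small parser for the Windows Firewall dropped-packet log, using the column layout the log’s own “#Fields:” header declares. It keeps only inbound DROP records, summarizes them per source, and flags sources that touched several distinct ports; the log lines are constructed for the example, and the functions take any iterable of lines so a tail-style follower can feed them.

```python
from collections import defaultdict

# Column layout of the Windows Firewall pfirewall.log, as given by its own "#Fields:" header line.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_line(line: str):
    """Return one log record as a dict, or None for header, blank, or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def summarize_drops(lines):
    """Collect inbound DROP records per source: {src-ip: sorted [(protocol, dst-port), ...]}.
    Outbound and non-DROP records are skipped; on a box that should receive nothing,
    every inbound drop is the tripwire signal."""
    seen = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            seen[rec["src-ip"]].add((rec["protocol"], rec["dst-port"]))
    return {src: sorted(ports) for src, ports in seen.items()}


def flag_probes(summary, min_ports=3):
    """Sources that touched at least min_ports distinct ports look like a sweep, not a stray packet."""
    return sorted(src for src, ports in summary.items() if len(ports) >= min_ports)


# Constructed sample log (not a real capture), in the file's native format.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-07-10 09:12:01 DROP TCP 10.0.0.77 10.0.0.5 33120 135 48 S 1234567 0 65535 - - - RECEIVE
2007-07-10 09:12:01 DROP TCP 10.0.0.77 10.0.0.5 33121 139 48 S 1234568 0 65535 - - - RECEIVE
2007-07-10 09:12:02 DROP TCP 10.0.0.77 10.0.0.5 33122 445 48 S 1234569 0 65535 - - - RECEIVE
2007-07-10 09:12:05 DROP UDP 10.0.0.12 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2007-07-10 09:12:09 OPEN TCP 10.0.0.5 10.0.0.1 1044 80 0 - 0 0 0 - - - -
""".splitlines()

if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for src, ports in summary.items():
        print(src, ports)
    print("probing sources:", flag_probes(summary))
```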

Yesterday I posted a few OS fingerprinting tools. I missed one I had in my box called Satori. This looks like a quick effort that may not be regularly updated, but is a passive OS fingerprinter for a few OS types. I’ve not had a chance to try this out yet as my Windows machines at home are limited, but it might be fun to try, even if it doesn’t make any toolboxes. A related paper on the site is also interesting.