August 2007 Archives
What better time to release a blog-inspiring IT security article in the Wall Street Journal than when half the crowd is in Vegas for the week? Yes, the WSJ posted 10 Things Your IT Department Won't Tell You, which really should be reworded, 10 Ways to Circumvent Your IT Department's Restrictions. Here are some notes of mine on the article as a whole.
A. The author needs to stress further that employees should look at their corporate policies and talk to their IT staff. Sometimes it just takes user interest to get management to look at legit technological solutions to the below problems, not workers sneaking around. I wonder if the WSJ wouldn't mind if its editors sent all their email to a third party service or stored their files online? It would just be nice if the author had constantly (or at least at the beginning) reminded readers that while this is all in good fun, they can be crossing policy lines.
B. The author implies, or rather nearly flat-out states, that these items are part of a rather strict and unfriendly IT security stance. This is really not so. Some things like blocking certain websites are done almost as much for saving bandwidth costs as anything, or to prevent such things as porn viewing which can create a hostile work environment. Other things like email size requirements can be an external limitation by the Internet infrastructure at large (i.e. your target's mail servers). Likewise, storage is cheap, but try telling that to senior management when the Exchange servers start complaining and buckling and backups take too long. Alleviating that means spending money. And often management figures that money is better saved and file sizes remain reasonable. IT security is not the only force here, but rather simple economics in the IT world. Really, often it comes down to treating everyone equally and costs.
C. Contrary to what every non-IT person seems to think, IT pros do not know everything or every piece of software. Limitations are often made so that we have a finite job description. Supporting every piece of software that even 50 users can install is frustrating and a drain on company money.
D. I don't like the feeling that the author's Risks sections are skewed to the POV of the user, and not the business as a whole and how dangerous some of these practices may be. Some are properly framed while others are not.
E. That all said, I think this is an important article. It illustrates the common pains our users (and we as well!!) have when it comes to the convergence of work, culture, technology, and social lives. Each of these pain points should be fixed by IT, or at least the policy behind them transparent to the constituents. Each of these should also be examined to see if, instead of benefiting the company and our employees as people, we're holding them back and trying in vain to stem the tides of culture and progress.
1. HOW TO SEND GIANT FILES - How many companies really do need to send giant files and don't have any sort of FTP/SFTP infrastructure? No, your baby pictures in bitmap format and 10 times as big as modern monitor resolutions do not count as a business case. I am saddened to see the author tell users to look for the IE lock symbol as reassurance of validity, and that a Verisign logo further ensures the identity of the site. No, that's not enough, sorry. Oh, and if an Adobe exec runs it, it is less likely to have security holes. Say what? Anyway, IT does need a plan for transferring large files anyway, so get one. Everyone, and I mean everyone, hits the attachment max at some point. Hell, even Gmail has a max; live with it.
2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD - This one really peeves me, because I've too often seen a) malware enter because someone wanted certain software, b) computers become unusable due to crappy software or incompatibilities with business software, and c) frustrated users who then frustrate IT because they MUST have some backwater POS software installed or they will quit, or something equally outlandish. The bane of all IT is having to support everyone's crap. Yes, I'm jaded on this point, but there is usually a process of requesting and approving software for use in the business. Good IT will log all executed software, and query on why they were run. And be aware of your company size. Small companies can likely get more software approved, but large or medium companies just cannot scale IT to support every little thing.
3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS - First, web-based email is not innocuous. Second, if your company blocks these sites actively, your proxy calls will likely be logged as well. If you need a site opened up or something, ask your manager, HR, or IT. If it is Final Four season and you can't stream the first round games, well, sorry, but we can't bring the internet access to a crawl just to see a 15 seed get crushed by a 2 seed in a game that will be played regardless if you are watching or not. And no, you can't connect to GoToMyPC.
4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP - I really like the author saying, "...don't use your work computer to do anything you wouldn't want your boss to know about." That's it in a nutshell right there; that should be everyone's personal policy.
5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME - Ugh. Don't ask your IT admin to help you set up Google Desktop. Bad. Ask how you can get set up with a VPN connection from home that is secure and allows you access to your computer or a file store. The author stupidly says three things that he/she should have put together. "...top-secret financial information..." and "...search company keeps a copy of your documents on its own server..." and "...myriad state laws regulate how a company has to react when it loses private information..." If you play the "duh" game, you see that you might have to provide some answers why you are allowing top secret, possibly regulated, information to be stored on third-party servers. Good job.
6. HOW TO STORE WORK FILES ONLINE - Like web-based email services, thinking too much about this problem creates ulcers. Yes, I'd like to encourage my users to store their files on third party services, because then they can store megs and gigs of company data out there, then quit (or god forbid get fired), and leave the company with absolutely no means to recover, inventory, or secure that data. Brilliant. These services should be stopped via web filters and software install restrictions, let alone via policy. Oh, and kudos to the author to recommend USB and other portable devices in item #2, then calling them cumbersome in this one.
7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL - These "nifty tricks" can spell doom for compliance, if that is your company's game. Tracking this stuff is such a grey area it's sick. Honestly, I don't like my stuff logged for perusal by my manager or HR; I really am part of the generation whose social lives tend to revolve around electronic means. But I do prefer to have things logged just in case, from both my personal POV and from the company POV. We need to make sure our processes and actions are transparent so that employees don't think we're reading their IM/email logs to get juicy gossip details. Chances are not good for that happening, sadly.
8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY - Another ulcer about data free-flowing out the company door, but at least the author implores readers to talk to IT.
9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY - I don't see a huge problem with this, until you a) run that attachment...oops, that was a virus and screw things up, b) can't get it to work and ask IT in which case we'll tell you no and watch you closer, or c) email that really important client from...oops, your personal email hotjerkyboy69foru from hotmail. Explain that to your boss...
The last one is just a light-hearted gimme; a lame contrivance of journalistic levity.
In the end, all of this comes down to a few protections by IT that can make a lot of these issues be blocked properly:
i. software restrictions based on policy and technology, including executable logging
ii. web filtering, or at least logging if not outright blocking
iii. data privacy/sensitivity training and strict adherence to least privilege access rights, better yet, full logging of all data downloaded/viewed, but good luck with that
iv. work with your users to overcome these challenges and find a happy middle ground
by LonerVamp 08.02.07 at 1:07 AM in /general - comments(1)
One last thought has been tickling my mind when it came to that WSJ article I linked to the other day. It was about control and telling people not to cross the lines or do things they're not supposed to do. Think about that for a moment. How far would we get if everyone stayed between the lines? While there are some ethical near-absolutes like murder, most everything else is such small beans that pushing the boundaries now and then can be a good thing. Like working out, you can't build muscle without first making thousands of micro-tears to induce stronger rebuilding. Growing pains, which are going to be abundant in our culture and technology for some time. Even if we don't act on them, it is good to think about them and question our policilial (yes, I make up words) stances.
Besides, even if our users know all this junk, we protect against it, right? Full disclosure?
by LonerVamp 08.03.07 at 9:34 AM in /general - comments(1)
I recently stood up an OpenVPN server at home. I've done SSH forwarding to protect my hotspot browsing habits in the past, but I thought I would try something new. I installed this on an Ubuntu 7.04 system that was running as a VMWare guest OS. I opted to go with a routed VPN solution. The alternative is a tunneled connection which makes it seem like my VPN client system is right on my home network. My routed solution will rely on the Ubuntu server and my home Linksys router to route traffic from my VPN network (10.8.1.0/24) to my home network (192.168.10.0/24). I also make sure that I force my traffic through my VPN, rather than let it seep out in the clear at the hotspot (the push commands in the server.conf file later on). From bare start to finish, this entire setup can be done in under 15 minutes.
I am not going to detail what each command does except in passing, because there is excellent documentation already available for OpenVPN. What I rarely see, however, is a quick walkthrough on how to set it all up on Ubuntu.
I start out by installing the packages that I need. OpenSSL may not be needed, but I included it anyway.
sudo -s
apt-get install openvpn openssl bridge-utils dnsmasq
mkdir /etc/openvpn/keys
mkdir /etc/openvpn/configs
nano /etc/openvpn/server.conf
Server.conf is the server configuration file. The contents describe that I will run my server on the IP 192.168.10.108 and port 1194 udp. My VPN "network" will be in the 10.8.1.0 255.255.255.0 network. OpenVPN will grab 10.8.1.1 as the server, and my client will be given a similar address. Once my client is connected to my OpenVPN server, I should be able to ping 10.8.1.1 and verify I can talk to my server.
port 1194
local 192.168.10.108
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.1.1"
ifconfig-pool-persist client-addresses.txt
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn
verb 3
mute 20
The client-addresses.txt file is just a convenient way for me to track who gets what IP.
nano /etc/openvpn/client-addresses.txt
client1,10.8.1.6
Next I take care of the keys I need, along with some other setup. When creating the keys, I don't assign a password, and I do select yes to sign and commit changes.
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
nano ./vars
#change values at the bottom and save
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
cd keys
cp ca.key ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys
cp client1.crt client1.key ca.crt /etc/openvpn/configs
cd /etc/openvpn/configs
nano client1.conf
The file client1.conf is the client config file that needs to be given to the connecting client box. LVVPN is the name of my network adapter on the client. After installing the OpenVPN client on the Windows client, create a new TAP and give it this name.
client
dev-node LVVPN
proto udp
dev tun
remote www.terminal23.net 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
I need to get the client files to the client. I do this by copying them to the client's home directory, then connecting via SSH to get them. Since I'm running all of this as root, I need to adjust the client1.key file so the client can grab it via SSH, otherwise I'll get a permission error. I then start the service.
cd /etc/openvpn
openvpn --genkey --secret ta.key
cd /etc/openvpn/configs
cp client1.crt client1.key client1.conf ca.crt /home/michael
chmod 604 /home/michael/client1.key
#copy files via SSH to client into openvpn/configs folder
cd ..
openvpn /etc/openvpn/server.conf &
I'm never satisfied with just doing something, I usually need to verify it. I do this by making sure the service is running and that it is listening on the expected port.
netstat -a | grep 1194
ps -ax | grep vpn
Finally, I need two more commands to enable IP forwarding for my particular setup.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
Since my home Linksys router is limited to a GUI, it is a bit hard to detail what I did to set up my route. I just added a new route in the Advanced Routing section. Destination LAN IP is 10.8.1.0, subnet mask 255.255.255.0, and default gateway 192.168.10.108. This was set up to let me talk to my internal systems. I also had to port forward my VPN port to this system. This means that after I'm connected, I can ping 10.8.1.1 to verify I am on my VPNs network. I can then ping 192.168.10.1 (or a valid, responsive host on my home network) and I should get a response if forwarding is working.
From here, start up the client's VPN however you like. Many people start it up by right-clicking the client1.ovpn file (rename client1.conf to client1.ovpn) and choosing to start it as an openvpn connection. I like the tool OpenVPN GUI for Windows. This is merely a personal preference since I like the sys tray interface.
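Before starting the server the first time, it is worth checking the things that silently go wrong in the setup above: a mistyped path in a ca/cert/key/dh line (the daemon exits at start), a private key left readable by other users (the chmod used to hand the client key over), and the two forwarding commands not being in place. The following is an added example of such a preflight script, mine rather than the OpenVPN project's or the original post's. It assumes a Linux host (/proc, iptables, GNU userland) and that OpenVPN resolves the key paths relative to the directory the config lives in, as it does when started with "openvpn /etc/openvpn/server.conf". The server.conf it builds is a constructed scratch copy with a deliberately mistyped cert path and a too-open key, so the checks have something to find.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for a routed
# OpenVPN server like the one set up above. Assumes a Linux host and that
# ca/cert/key/dh paths are relative to the directory holding the config.

# Every file named by ca/cert/key/dh must exist, or the daemon exits at start.
# Prints each missing file; returns 0 if all present, 1 otherwise.
check_cert_paths() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0
    while read -r directive path _; do
        case "$directive" in
            ca|cert|key|dh)
                if [ ! -f "$dir/$path" ]; then
                    echo "missing: $directive -> $dir/$path"
                    rc=1
                fi
                ;;
        esac
    done < "$conf"
    return "$rc"
}

# Private keys should be readable by their owner only. Uses ls(1) rather than
# stat(1) so the check reads the same on GNU and BSD userlands.
# Returns 0 if every key file is owner-only, 1 otherwise.
check_key_perms() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0
    while read -r directive path _; do
        [ "$directive" = key ] || continue
        f="$dir/$path"
        [ -f "$f" ] || continue
        group_other=$(ls -ld "$f" | cut -c5-10)   # e.g. "r--r--" for mode 644
        if [ "$group_other" != "------" ]; then
            echo "key readable by group/other ($group_other): $f"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Runtime half of the routed setup: ip_forward on, and a MASQUERADE rule for
# the VPN subnet in nat/POSTROUTING. Only reports; returns 0 without checking
# when not root or not on a Linux box, since the checks cannot be made there.
check_forwarding() {
    subnet="$1"
    [ "$(id -u)" = 0 ] || return 0
    [ -r /proc/sys/net/ipv4/ip_forward ] || return 0
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || echo "ip_forward is 0; run: echo 1 > /proc/sys/net/ipv4/ip_forward"
    command -v iptables >/dev/null 2>&1 || return 0
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- "-s $subnet .*MASQUERADE" \
        || echo "no MASQUERADE rule for $subnet in nat/POSTROUTING"
    return 0
}

# --- constructed demo input (a scratch directory, not a real deployment) ---
demo=$(mktemp -d)
mkdir -p "$demo/keys"
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun0
ca keys/ca.crt
cert kets/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
EOF
touch "$demo/keys/ca.crt" "$demo/keys/server.crt" "$demo/keys/dh1024.pem" "$demo/keys/server.key"
chmod 644 "$demo/keys/server.key"   # deliberately too open, to trip the check

check_cert_paths "$demo/server.conf" || echo "-> fix the cert path before starting openvpn"
check_key_perms "$demo/server.conf"  || echo "-> chmod 600 the key; to hand a key to a user, chown it rather than loosening the mode"
check_forwarding 10.8.1.0/24
rm -rf "$demo"
```

Run it against the real file as root (`check_cert_paths /etc/openvpn/server.conf`, and the same for client1.conf from /etc/openvpn/configs) and it reports the two kinds of mistake this walkthrough is most likely to hit; the forwarding check is only meaningful after the echo and iptables commands above have been run.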
by LonerVamp 08.07.07 at 12:54 AM in /general - comments(1)
I decided to screw around some more and actually recorded the creation of my OpenVPN server. I did this mostly to do something I've never done before: make a video of something and cut it.
I used VNC on a Windows box to connect to my Ubuntu 7.04 server. I then recorded that window using CamTasia Studio 3.1, which I also used to add music, edit, and produce. The music is Baja by Sasha. The codec (CinePak codec by Radius) is the only codec available by default in CamTasia that worked on both my Windows box using VLC and Windows Media Player, and also on my Ubuntu laptop using Mplayer. If it doesn't work for you, I suggest those players, or tough luck. Maybe I'll choose something better and smaller next time, but for now, this was just a learning experience for me.
The video is over 190MB and runs 12:35. I don't have a real hoster, so I'll leave this video up for a few weeks (or hours if it brings me to a crawl!). If it is not available and you want it, email me and we'll figure something out.
Suggestions are very welcome, but be aware I know this was a very amateur deal. :)
by LonerVamp 08.07.07 at 1:58 AM in /general -
In late 2006, DarkReading published the 10 most overlooked aspects of security, which I think will end up holding true for a very long time.
by LonerVamp 08.07.07 at 7:37 PM in /general -
The past weeks' worth of business days I took some vacation time, not just from work, but also from reading security blogs for the most part. I also was able to look at my own time spent here (in between rediscovering WoW pvp), and decided to shift things up a bit (or so the plan goes).
I'm really...I want to say sick or tired, but those words are too strong. I guess I'm just really bored reading security industry or business commentary (with some exceptions for those people who do excel at writing) with almost zero technical content or anything beyond feel-good vagueness (or maybe vagary), otherwise known as best practices. A lot of this is common sense and while I understand other people have things to say (I do too!), I sometimes just find myself skimming fluffy posts that really leave me with absolutely nothing new.
Sometimes it is cathartic to vent (or as most people call it, "post commentary"), and I'll likely still do so now and then, but I really see little need for it most of the time, at least on my site. I can vent just fine in person, on IRC, on IM, or in comments. And maybe Skype someday if I get back on it.
This is just me telling myself to stay technical and actionable, for now. :) I used to post a lot more information about tools and things to do, and have gotten away from that in the past year. I can see a correlation between this shift and my personal and work lives, so I think I know the problems and the measures on how to fix them.
Of course, this itself is a rant, but it is one I have the compulsion to post for my own benefit.
by LonerVamp 08.09.07 at 10:13 AM in /terminal23 -
I dig BookPool.com; I've used them for many of my book purchases over the years, only occasionally delving into Borders/Barnes & Noble/Amazon when I have gift certs or for impulse buys. Today I pre-ordered Virtual Honeypots. This looks to be an awesome how-to sort of book about honeypots; something I've been eagerly waiting to delve into. It should be out any day, really. This was prompted by a welcome spam email from BookPool about a sale on Addison-Wesley and Prentice Hall books.
I'm also eagerly awaiting the Metasploit Toolkit book, despite being published by Syngress (in my opinion, the spottiest tech book publisher with quality all over the place....and I just don't like holding their books like I do Addison-Wesley books). There's a lot of new stuff in Metasploit 3, and I'm holding out really getting into it (like I used Metasploit 2x) until this book comes out. I may combine this with looking into Ruby or Python a bit more. Of all the tool-books out there, only BackTrack comes to mind as needing an updated book (BackTrack 3 perhaps?).
I also see Wi-Foo II has been pushed back (or maybe it was really tentative at late 2007 months ago) into 2008. I'm looking forward to this book as well. The first book was awesome, but got mired down in the technical problems of getting wireless working properly in Linux, which is a requirement for the subject. These days, wireless support is much easier and better, which hopefully means less mud devoted to the intricacies and details. Other books cover it well lately anyway, like Hacking Exposed: Wireless and Syngress' Wardriving and Wireless Penetration Testing. Although not without their own minor faults, both are excellent wireless security books.
by LonerVamp 08.09.07 at 12:56 PM in /general -
A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5, install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case, top 5 is really " the 5 things to do."
Instead, I'd replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son's little league digital pictures or those important sales emails.
by LonerVamp 08.09.07 at 3:05 PM in /general -
I have a Wi-Spy, which is an excellent (and cheap!) spectrum analyzer tool. I saw a mention for it on NetGirl's blog over at ArubaNetworks on her list of cool tools. But I didn't know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.
I'd thought that was what EaKiu was, since I'd seen mention of Mac and Linux software back on MetaGeek's old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.
by LonerVamp 08.10.07 at 9:49 AM in /general - comments(4)
Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn't know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.
Secunia Personal Software Inspector - Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don't know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That's money right there!
GMER anti-rootkit - This tool looks really cool, and if it doesn't require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows...
File Shredder - I like the idea of File Shredder, but I'm not sure I really need it. It's not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it's nice to have one in the pocket if the need arises.
Other tools are iffy to me. I'm not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefox has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that's a special purpose and I don't need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can't think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.
For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that's not enough, but I've got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).
by LonerVamp 08.10.07 at 1:31 PM in /general - comments(4)
One paper on netcat uses is fine, but two sites in two days exceeds my Recollection Buffer and defaults back to needing a post.
Dean De Beer offered up a paper on Netcat for the Masses which gives some good initial information on playing with netcat.
And I found Luke posted even more uses for netcat.
by LonerVamp 08.10.07 at 2:22 PM in /tools - comments(1)
Kevin van Zonneveld has posted some notes on using crontab. I don't use crontab enough, which means I always have to look up the time settings. However, that is easily done via Google. What I really liked about Kevin's notes dealt with handling the errors and pointing them to a file rather than the user's mailbox. I can see reasons for doing it either way.
by LonerVamp 08.13.07 at 9:40 AM in /general - comments(5)
I don't usually pimp sites, but every now and then I see a blog that looks very cool to follow. RaDaJo seems to be an excellent site to add to my feed. Of note, I got linked to their ARP cache poisoning misconceptions post. As a bonus, check the comments for two more links, one to an awesome GIAC paper that is basically everything you'll ever need to know about ARP poisoning, and the Oxid.it link as well. Maybe all that is left is more details on how to detect ARP cache poisoning, but Raul Siles may have covered that in his paper. I see he has a remediation section, but I've not gotten there yet. Arpwatch/Arpalert...anomalous trends in ARP traffic...
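Since the detection side is left open above, here is the heart of what Arpwatch does, as an added example (mine, not code from the RaDaJo post or the linked paper): remember the first MAC seen answering for each IP, and alert when a later reply binds that IP to a different MAC. It is written as a filter over ARP reply lines in the shape "tcpdump -n arp" prints, relying only on the "Reply <ip> is-at <mac>" fields; the sample capture it runs on is constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: arpwatch-style IP-to-MAC flip
# detection over "tcpdump -n arp" style lines. Only the "Reply <ip> is-at <mac>"
# fields are used, so extra fields before or after them do not matter.
#
# Prints one ALERT line per flip; returns 1 if any flip was seen, else 0.
detect_arp_flips() {
    awk '
    {
        for (i = 1; i <= NF; i++)
            if ($i == "Reply" && $(i + 2) == "is-at") {
                ip = $(i + 1); mac = $(i + 3); sub(/,$/, "", mac)
                if (ip in seen && seen[ip] != mac) {
                    printf "ALERT %s: %s was %s, now claimed by %s\n", $1, ip, seen[ip], mac
                    flips++
                }
                seen[ip] = mac
            }
    }
    END { if (flips > 0) exit 1; exit 0 }'
}

# Constructed sample capture (not real traffic): the gateway 192.168.10.1 is
# answered first by one MAC and then by another, which is what a poisoned
# cache looks like on the wire; the other host stays stable.
SAMPLE='12:00:01.000000 ARP, Reply 192.168.10.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Reply 192.168.10.20 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:03.000000 ARP, Reply 192.168.10.1 is-at de:ad:be:ef:00:01, length 28
12:00:04.000000 ARP, Reply 192.168.10.20 is-at 00:aa:bb:cc:dd:ee, length 28'

if ! printf '%s\n' "$SAMPLE" | detect_arp_flips; then
    echo "an ARP binding changed; DHCP reassignments and replaced hardware also do this, so treat it as a lead, not proof"
fi
```

On a live segment, `tcpdump -l -n arp | detect_arp_flips` gives the same output continuously; the known-good pairs for gateways and servers are the ones worth pinning down first, since those are the addresses an attacker has a reason to claim.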
by LonerVamp 08.13.07 at 4:26 PM in /general -
Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.
First, Peter listed a bunch of tools and hardware he takes for on-site work:
1. Test laptop
2. Spare laptop
3. 4-way mains extension lead with regular plug and plug for computer room racks
4. Selection of Ethernet cables and couplers
5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
6. Mini hub
7. Cisco console cable
8. Cross-over cable
9. External USB hard drive containing rainbow tables
10. USB key for backups
11. DOS bootable USB key
12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
13. DVD containing copy of all my source files
14. Windows 2000 CD (for rebuilds!)
15. Swiss Army cyber tool
16. Spare laptop hard drive
17. Kensington lock (to comply with client policy if laptop left on site overnight)
18. Vodafone 3G card for Internet access if there's no wireless
19. Laptop mouse x2
20. Mini USB hub
21. Modem cable and adapters (just in case!)
22. Magic markers
23. Blank CDs
24. Wheelie bag to carry it all in!
Second, he listed the directories found on the above-mentioned DVD of tools:
Absinthe
AccessChk
AccessEnum
Achilles
Active-at
adminpak
Amap
APak
AppDetective
ARPsniffer
ATA HD password
Athena
ATK
Beat LM
Buffer Overflow Utility
Cachedump
cain and abel
Cerberus
C-Force
Checkpoint-Rules
Chntpw
Cisco IOS HTTP Vuln
Citrix clients
Cobra
CommView
CookieViewer
Copernic
Core Impact
CRACKERS
aefsdr
AOPB
AOPR
APDFPRP
Brutus
CacheDump
CMOSpwd
IPR (Lotus Notes)
John the Ripper
L0phtcrack
LCP
LMCrack
Lotus Notes Key
LSASecretsDump
MBSA
NTPWD
Ophcrack
Passwd - recovery FULL
POPcrack
PWLTOOL
SAMInside
AZPR
Crowbar
Crypto4
CUPASS
Data Thief
Dell laptop cmos erase
DHCP Find
Dictionaries
Dumpsec
EFSdump
Essential NetTools
Ethereal Windows Version
Exploits
FGdump
Flash Decompiler
GetAcct
GetUserInfo
GTwhois
Hydra
Hyena
IDserve
IKE-scan
iShadow
KarenWare
Katapulta
LAN Surveyor
LANguard
LDAP Miner
LG
Locksmith
Maestro
Member of
Metasploit
MingSweeper
MSRDP client
MySQL query browser
NBTdump
NBTscan
Nessus
Netalert
NetBiosSpy
Netcat
NetScanTools Pro
Network Protocols Handbook
NetworkView
niktoogle
Nmap
NT Recover
NTFS Reader
NTFSDOS
NTFSRead
Oat
ObiWaN
oracle-sql-injection
Paros
PasswordsPro
Protected Storage PassView
Protos
PsLogList
Putty
PwdChangerPro
pwdump
Rainbow crack
RegBrws
Rempass
RPC scan
RPC Tools
SAMdump
SamInside
SamSpade
ScoopLM
SecuRemote client
ShareEnum
SID
Siphon
SiteDigger
SiVuS
SmartWhois
SMB Audit Tool
SMBcrack
SNMPing
SNScan
SNSI
SOAPbox
SoapMonitor
SolarWinds
Somar
SPIKEproXy
SSL Proxy
Streams
Subnet Calculator
Superscan
SWB
Sysinternals
SysRQ2
Tamper
Tools4Ever
Trojans
twwwscan
UBCD
Ultimate Boot CD
Unicorn Scan
URL discombobulator
USB boot
USBAuditor
Visual Web Spider
VNC
VOIP TESTING
WAR DIAL
WebDAVExplorer
WebInspect
WebScarab
WebSleuth
WinSID
WIRELESS
Wireshark
WPI
Zlash
by LonerVamp 08.14.07 at 9:44 AM in /general -
I'm not sure what to think about GoToSSH.com either. While this is something I've been kinda wondering when it would find a web interface (and likely has others, I just don't know them), I'm not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn't look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore... (Yes, it always has been moot since it could use any port, but still...) Might be a site worth bookmarking or blacklisting depending on your view.
Network security continues as holding sand...
Snagged from Alex.
by LonerVamp 08.14.07 at 11:13 AM in /general - comments(1)
For any other WoW players out there, thought I'd throw down an update for no other reason than I want to. My focus has shifted to simply leveling up and a bit towards pvp; something that doesn't require me to be a slave to other people 6 hours a night 6 days a week. This is fully just a distraction for me, now.
My Draenei Shaman is now level 61 on Kul'Tiras. He's been Enhancement spec while leveling with a friend who plays a Hunter. I'll respec him to Resto in a few levels, I think, and likely look into going pvp with him. I don't anticipate ownage in pvp over any pure classes, but he should do ok once I get him some gear bought through pvp. A fun class, nonetheless.
My "main" is finally getting some love again and putting on some levels and pvp honor. My 64 affliction gnome warlock on Crushridge is having tons of fun in pvp, especially since his previous raiding gear is better than any but the top level 70 pvp gear so I can save up all my points. Likewise, at 64, I don't shy away from level 70s. Being a warlock has always owned; it fits my playstyle, and I really can't enjoy a class more. At level 61, I scored my first legit, 1on1 non-BG level 70 kill...another warlock no less! And about half the time, I am top 1 or 2 in overall damage in AB or WSG. Two more talent points and I'll fully enjoy an instant cast aoe fear.
Lastly, I am also playing my level 60 priest on Crushridge as well. I happily spent his refunded (from last christmas!) talent points and made him a shadow priest (he was a backup dorf healer in raiding back in the day) to see what it is like. So far it has been fun, especially since I solo him in the Outlands. I doubt I'll ever devote too much time to him, but he's at least an option and fun.
by LonerVamp 08.14.07 at 1:29 PM in /terminal23 -
The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) allows a user to replace the file with something else and have it executed with Local System privs. Replace this with a quick script that launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That's a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.
More information is posted on Cisco's site. I saw this pass by the Full-Disclosure list. Local priv escalations don't get much easier...
by LonerVamp 08.15.07 at 12:51 PM in /general - comments(1)
Last night I finally moved my last (and main laptop) system up to Ubuntu 7.04 (Feisty). The install was painless. Started up the Update Manager, clicked the button to upgrade to 7.04, waited about 40 minutes where I also had to click Ok/Accept/Forward a couple times, and that was it.
I upgraded for a few reasons. First, some things I wanted to get working on my laptop were (supposedly) easily fixed in Feisty but still overly complicated on Edgy, including using SILC/Tor with irssi and OpenVPN client management. Second, I believe in keeping software as updated as possible (within reason, of course, short of the bleeding edge). You don't ever want to be left behind with unsupported (or unloved!) software that has reduced functionality. It's a lot like living in the past.
by LonerVamp 08.16.07 at 8:12 AM in /terminal23 - comments(1)
Networking is amazingly potent right now in our field. We have a rapidly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.
This has been growing on me, and I am enamored with the concept. Dan Kaminsky has been espousing the idea of "hackerspaces" on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, and fraternize, all in a creative and supportive environment. Basically, if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone's basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a "networking-starved" middle of the country.
Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! :)
I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices at home (either cleanly or cluttered and dark!) in a way that best suits our work and helps our creativity. I tend to have black lights and other glowing things in lieu of lights (along with the glow of monitors, of course) in my workspace.
As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.
by LonerVamp 08.16.07 at 8:49 AM in /general - comments(1)
Someday (not soon!) I'll likely satisfy a curious project of mine in making a more aggressively defensive network. Vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of making a network slightly more dangerous to interlopers. Put up an outdated Wireshark sniffer while I randomly send out these packets and you won't get too much, especially anyone who uses live CDs with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.
by LonerVamp 08.16.07 at 1:54 PM in /general - comments(2)
Skype was down late last week for about 3 days or so. And not just for every single user, but also downloads of the software on their site. This was supposedly due to a software algorithm update or something like that. Today I read this was due to the massive reboot of Microsoft Windows computers the previous night. The Register also has some info up, and is a little more cohesive.
I call bullshit. This is curiously close to PoC code released that supposedly (I say that because I've not tested it, nor could anyone else since the servers were down) would freeze a Skype server, then move to the next one, and so on. It was posted to SecurityLabs.ru. If true, that is certainly a critical, fatal flaw.
1. A security issue to Skype would be a very, very big deal. One of the biggest contention points with Skype use is its security. I'd do everything in my power as well to protect that, such as shut off all servers and all users and all downloads in an effort to hide the insecurity issue.
2. The Windows reboot shouldn't have occurred as late as it seemed like Skype was down. The reboot should occur Tuesday evenings in the dead of night, for automatic users, and at various times. I don't think Skype was down until Thursday...
3. Why now? Why this month? Why not the last few months?
4. And Skype is going to tell us that a mass reboot of users exposed a vulnerability in the availability of their world class system? You have really got to be kidding me... But as much as that can be egg on their face, I would weigh that less than a security incident. Nonetheless, I can't imagine the overhead of reconnecting to Skype truly caused such a showstopping event on the service's login servers. I wonder how many Skypes get turned on every morning anyway?
Ever informative, the Internet Storm Center has an ongoing post which raises similar questions and more. I really like the thought that Skype needs Windows users to log in, so that means all these millions of users all had their machine auto-login? Again, right.
by LonerVamp 08.20.07 at 12:43 PM in /general -
by LonerVamp 08.20.07 at 1:54 PM in /general -
I don't think I posted it, so I thought I would jot down installing an SSH server on Ubuntu 7.04 (Feisty).
sudo apt-get install ssh
gksudo gedit /etc/ssh/sshd_config
Change PermitRootLogin to no and change Port to the desired port number. Add a new line at the bottom, "AllowUsers username", where username is the user you want to allow. You can use "DenyUsers username", but once AllowUsers is set, all others are denied anyway.
Next, I want to add a little brute-force protection using pam-abl. These instructions may not be current, but they worked out for me. Add "deb http://ubuntu.tolero.org/ edgy main" to your /etc/apt/sources.list file. Remember to open it as root so you can save it. And yes, I am using edgy instead of feisty in this line.
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart
Run "sudo pam_abl" to list the current blacklist, and use --help for more features or manual blocking. Failed logins are collected in /var/lib/abl. SSH logs are written to /var/log/auth.log, but it might be useful to increase the logging level and location. Change "LogLevel INFO" to "LogLevel VERBOSE" to get more out of the logging.
Further hardening can be done. The files /etc/hosts.allow and /etc/hosts.deny will allow or deny the listed client hosts, respectively. These lines will allow two IP address ranges to connect but deny all others.
# /etc/hosts.allow
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
Referenced Tolero.org for the pam-abl install. I also note an Ubuntu help file.
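The procedure above, scripted as an added example (this is not code from the original post or from the pam-abl project): it applies the sshd_config edits to a copy of the file rather than the live /etc/ssh/sshd_config, writes the two tcp_wrappers files, and counts failed logins per source address from auth.log lines, which is the view pam-abl acts on. The port 2222, the user name "lonervamp", the sample config and the log lines are all constructed for the demo; the pam-abl package install itself is not reproduced because it needs the third-party repository.

```shell
#!/bin/sh
# Added example, not from the original post: applies the sshd_config changes
# described above to a copy of the file, writes the tcp_wrappers rules, and
# summarises failed logins from auth.log lines. File paths, the port 2222 and
# the user name "lonervamp" are assumptions chosen for the demo.

# harden_sshd_config FILE PORT USER
#   Removes any existing (active or commented) Port, PermitRootLogin, LogLevel
#   and AllowUsers lines, then appends the hardened values at the bottom.
harden_sshd_config() {
    cfg="$1"; port="$2"; user="$3"
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|LogLevel|AllowUsers)[[:space:]]' \
        "$cfg" > "$cfg.tmp" || :
    {
        cat "$cfg.tmp"
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin no\n'
        printf 'LogLevel VERBOSE\n'       # richer /var/log/auth.log entries
        printf 'AllowUsers %s\n' "$user"  # everyone not listed is denied
    } > "$cfg"
    rm -f "$cfg.tmp"
}

# sshd_directive FILE NAME: value of the last active NAME line (empty if unset)
sshd_directive() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# tcpwrappers_rules ALLOWFILE DENYFILE NETWORK...
#   sshd accepts the listed networks (address/netmask form) and nothing else.
tcpwrappers_rules() {
    allow="$1"; deny="$2"; shift 2
    : > "$allow"
    for net in "$@"; do
        printf 'sshd: %s\n' "$net" >> "$allow"
    done
    printf 'sshd: ALL\n' > "$deny"
}

# failed_ssh_logins LOGFILE: "count source-ip" per offending address, busiest first
failed_ssh_logins() {
    grep 'sshd\[' "$1" \
      | grep -E 'Failed password|Invalid user' \
      | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
      | awk '{ print $2 }' | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Constructed sample inputs (not a real config and not real log lines)
sample_sshd_config() {
cat <<'EOF'
# constructed sample resembling a stock Ubuntu sshd_config
Port 22
Protocol 2
ListenAddress 0.0.0.0
#PermitRootLogin yes
LogLevel INFO
X11Forwarding yes
UsePAM yes
EOF
}

sample_auth_log() {
cat <<'EOF'
Aug 20 22:51:01 laptop sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 20 22:51:03 laptop sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 20 22:51:09 laptop sshd[4131]: Invalid user oracle from 203.0.113.7
Aug 20 22:52:40 laptop sshd[4140]: Accepted publickey for lonervamp from 192.168.1.5 port 40122 ssh2
Aug 20 22:53:11 laptop sshd[4150]: Failed password for lonervamp from 198.51.100.23 port 33014 ssh2
EOF
}

demo() {
    d=$(mktemp -d)
    sample_sshd_config > "$d/sshd_config"
    harden_sshd_config "$d/sshd_config" 2222 lonervamp
    echo "== hardened sshd_config =="
    cat "$d/sshd_config"
    tcpwrappers_rules "$d/hosts.allow" "$d/hosts.deny" \
        10.10.10.0/255.255.255.0 192.168.1.0/255.255.255.0
    echo "== hosts.allow =="
    cat "$d/hosts.allow"
    sample_auth_log > "$d/auth.log"
    echo "== failed logins by source =="
    failed_ssh_logins "$d/auth.log"
    rm -rf "$d"
}
demo
```

On a real host you would point harden_sshd_config at a copy of /etc/ssh/sshd_config, diff it against the original, and only then install it and restart sshd; the AllowUsers line locks out every other account, so get the user name right before you lose your own session.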
by LonerVamp 08.20.07 at 11:06 PM in /general -
Rebecca got me thinking this afternoon with her post on how businesses and even schools may be forming, or already are forming, sanctions against their users of social networking sites.
It really sucks thinking about stuff like that, and I encourage reading the post and links she gives. I really feel that while some of that stuff is useful for hiring managers looking for appropriate team members, most of that stuff should belong to the realm of the individual. The exceptions being documented and reported harassment and disclosure of sensitive information. I also don't mind hiring managers using such sources of information to determine if a potential employee may be a good fit. That's cool too, in my books, namely using it to learn about someone a bit more.
Take this example. I have a few Suicide Girls t-shirts (I'd link, but it's not work safe) which I don't mind wearing out in public (of note, they're the most comfortable t-shirts I've ever owned). I'm not a member, but I used to be back when I knew people on the site, a bit before they got "big." So that kinda illustrates a slight individual taste for me, or at least openness (especially to comfy t-shirts!!). While out and about, I might run into people that know me well enough to know where I work. I may meet others to whom I give out business cards that have my company name on them. This is very similar to how people may stumble upon my inappropriate MySpace site (no, I don't really have one) and connect my company to the person's habits.
It's just life, and that's how we are outside of work in our personal lives. We all have some things we'd rather not air out, on either side of the fence. And I really think trying to police social networking sites (which is really trying to steal individualism away from employees and enforcing Thought Police) is futile and detrimental to our culture as a whole.
If my company president saw me out in the street on a Saturday with my Suicide Girls shirt on, the earring I can't wear when at work, and doing a wireless site survey on open wireless networks in the area just because I can, I'd hope that he'd be able to smile, say hi, and not let that carry over professionally or try to change who I am. Anything less is superficially shallow, in my books.
by LonerVamp 08.21.07 at 12:22 PM in /general - comments(1)
In a similar vein to last week's Cisco VPN client privilege escalation vulnerability, ZoneAlarm is also susceptible to executable file replacement.
Sadly, this isn't 1998 anymore, and I don't personally know anyone who still uses ZoneAlarm...
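The Cisco VPN client item and this ZoneAlarm item describe the same defect class: a program that runs with high privilege sits somewhere an ordinary user can overwrite it, so whatever replaces it inherits the privilege. The check a defender wants is the inverse of that: find every privileged executable whose file, or any directory on the path to it, is writable by accounts other than its owner. The script below is an added example and not code from the original post or from either vendor; it is a Linux-side audit rather than anything for Windows, and the directory layout and file names (vpnd, agentd, helper under a temporary root) are constructed for the demo. On a real system you would pass "/" as the stop directory and feed it the command paths from your init scripts or service units.

```shell
#!/bin/sh
# Added example, not from the original post or from either vendor: audit the
# executables that run with elevated privilege for the defect class above, a
# binary (or one of its parent directories) that accounts other than the owner
# can write to. A constructed directory tree stands in for a real filesystem;
# on a live host you would feed it the command paths from your init scripts or
# service units instead, with "/" as STOPDIR.

# audit_exec_paths STOPDIR
#   Reads one executable path per line on stdin. For each path, checks the
#   file and then every parent directory up to (but not including) STOPDIR;
#   a group- or world-writable entry is reported unless it is a sticky
#   directory (there, users cannot replace files they do not own).
audit_exec_paths() {
    stop="$1"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        check="$p"
        while [ "$check" != "$stop" ]; do
            hit=$(find "$check" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print 2>/dev/null)
            if [ -n "$hit" ]; then
                printf '%s: writable by non-owner at %s\n' "$p" "$check"
                break
            fi
            parent=$(dirname "$check")
            [ "$parent" = "$check" ] && break   # reached the filesystem root
            check="$parent"
        done
    done
    return 0
}

# make_sample_tree ROOT: constructed layout with one safe and two unsafe cases
make_sample_tree() {
    root="$1"
    mkdir -p "$root/opt/vpn" "$root/opt/shared" "$root/usr/local/bin"
    for f in opt/vpn/vpnd opt/shared/agentd usr/local/bin/helper; do
        printf '#!/bin/sh\nexit 0\n' > "$root/$f"
    done
    chmod 755 "$root/opt" "$root/opt/vpn" "$root/usr" "$root/usr/local" "$root/usr/local/bin"
    chmod 755 "$root/opt/vpn/vpnd" "$root/opt/shared/agentd"  # the binaries themselves are fine
    chmod 777 "$root/opt/shared"            # parent directory anyone can write to: binary is replaceable
    chmod 666 "$root/usr/local/bin/helper"  # the binary itself is world-writable
}

# sample_exec_paths ROOT: the "privileged" commands to audit in the sample tree
sample_exec_paths() {
    printf '%s/opt/vpn/vpnd\n%s/opt/shared/agentd\n%s/usr/local/bin/helper\n' "$1" "$1" "$1"
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    sample_exec_paths "$d" | audit_exec_paths "$d"
    rm -rf "$d"
}
demo
```

The walk up the directory chain is the important part: a 755 binary in a 777 directory is just as replaceable as a 666 binary, because the attacker renames the original and drops a new file in its place, which is exactly the scenario both advisories describe.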
by LonerVamp 08.21.07 at 4:22 PM in /general - comments(1)
Check out WikiScanner if you want to pry a little bit. Use your own company name (and variations!) to see what people at your office have been doing on Wikipedia. Kinda puts some things in our digital world into perspective. The site is pretty busy right now, so you might have to reload the query a few times. When you get good hits, you'll see a button that says something like "Wikipedia edits, ahoy!" Click it, then click the number links to expand a new frame with the edit itself.
by LonerVamp 08.21.07 at 4:57 PM in /general -
SILC is a secure chat network, much like an IRC network, only the communication channels are actually encrypted. However, you can still leak your normal host, which steals away any shot at anonymity. But if you use SILC with Tor, you achieve not only privacy in the channel, but privacy in the connection as well. Nice! As I've seen it said, SILC+Tor may be the most secure way to communicate with someone on the net. (Yes, I guess you can add an exchange of keys to verify identities...)
First, install Silky. I am doing this work in an updated but newly installed Ubuntu system. Make sure the repositories are unlocked, which should be the first thing done with any Ubuntu install.
sudo apt-get install silky
This will actually also flag and get any dependencies like libsilc.
Start Silky either by typing "silky" into the shell or via Applications->Internet->Silky. On first run, it will want to generate keys. Automatic is sufficient. Close out, and let's look into Tor.
sudo apt-get install tor privoxy tsocks
Again, the needed dependencies will be installed. We can then start Tor and call Silky.
torify silky
Click Server, and select a server or supply one you know under Preferences->Edit Preferences. Nothing special needs to be submitted; just use whatever address and port you use normally. Connect, and check out the hostmask. That's it! Other programs can be started this way as well, such as "torify firefox", then go to whatismyip.com and verify the external IP (there is a Tor extension for Firefox which works beautifully, though).
Keep in mind that Tor is not the fastest of connections, and while IRC is pretty resilient, I've found SILC to be a bit more picky about some slowness. I've found Silky can stay up for a few days, but Torify (tsocks) eventually dumps out, so it is not something I'd expect to always leave on.
Now, if someone knows how to implement irssi + silc plugin (or any SILC plugin) + Tor, I'd love to hear how! That way I could possibly stay connected on a server using screen to attach whenever I want. Granted, I think I'd need two irssi instances, since Freenode only wants Tor users to use their special private entrance.
More stuff to Torify can be found on the web.
by LonerVamp 08.21.07 at 10:13 PM in /general -
Looked for a 10/100 (or /1000) Ethernet hub lately? I hadn't either until today. I found it surprisingly difficult to find a hub. Most searches pull up USB hubs, while the rest tend to recommend switches. Great, but I want a hub (or a network tap, but the cost difference is obvious). The only hub I did find in my quick searches today was a $40 job at CompUSA. Forty bucks?! Maybe I'm cheap about certain things, but a 10/100 hub shouldn't be $40.
by LonerVamp 08.26.07 at 11:08 PM in /general - comments(3)
Roger A. Grimes wrote recently about using a honeypot in the internal network to catch maldoers (am I alone in feeling a bit naughty after seeing the pic of Roger and honey?). I think this approach is a little heavy-handed, even for a throw-away machine. A full-blown honeypot is a bit of an interesting approach to the problem of detecting intrusion. If staff cannot detect intrusions on their real systems or on the network, they're not going to wield a honeypot correctly. And if they do catch someone probing the honeypot, they are already beyond having a problem.
Now, that's not to say I discredit this approach. I'm all for multiple barriers, detections, defenses, and using spare time and resources (even throw-away junk) for any little bit that can help. In fact, in a previous job I had a really old workstation that I opened a share on and configured a few port listeners on. This box was a crude honeypot/detection box that could alert me if something was scanning certain ports (namely 1434) or something was depositing malicious files on the open share (we had a couple of these outbreaks when I first joined up). Not really a honeypot, but it was a box meant to simply trigger an alarm in an environment that was cash-strapped from a back room standpoint. Honeypots seem more geared towards human attackers, as opposed to automata, which are more often the culprit.
So, I'm not disagreeing with the approach in total, but I would caution that internal honeypots will indicate something bigger is happening, and there really should (if you can get the budget for it) be other measures in place on the network and real systems to detect intrusions or naughty activity, even if they are just little tripwires or detectors.
The article also gives some nice tools, and I've already picked up that book mentioned and hope to get started on it in the coming months.
by LonerVamp 08.27.07 at 12:44 PM in /general - comments(1)
It may be cute to complain about business buzzphrases, but we have our own stupid, inane little buzzwords as well. I really hate hearing meaningless maxims like "compliance is a process, not a product." No shit, but don't we purchase products to support processes? Maybe security should be idealistic and ephemeral, something we can feel good about in our heads but not actually do anything about...but I guess that's not me. This maxim can be used to attack any product anywhere in our field...making it rather meaningless. I prefer saying something to the effect of "tools won't create process; process comes first" or "a tool will not solve our problems in the absence of a process." That sort of statement isn't something I can use to attack the idea that NAC can be at least partially justified by compliance efforts. Let's say I do have the process and NAC is my tool to streamline it? Fratto has a point that NAC has a number of drivers behind it, but he is wrong to denounce an arbitrary one using an inane, meaningless buzzphrase.
Saw this from Rothman's daily incites.
by LonerVamp 08.27.07 at 1:03 PM in /general - comments(1)
Wil Wheaton (I've been a closet fan of his for years, after TNG) gave an excellent keynote recently at PAX. OCMod actually has the full audio up. If you're a gamer of any kind, or once were in your youth, this keynote is worth listening to. Scroll down to the bottom for the full audio (good quality), or just read the article for highlights. Scored this from HARDOCP. You know, the idea of opening an old school arcade would be something I'd readily do given spare cash...
by michael 08.28.07 at 10:22 AM in /general -
The newly revived Mogull (and he's not a zombie!) states that the $187 per lost record number is garbage. He's right, but let's throw two more logs in.
1. Try to tell anyone who has had their identity stolen or funds maliciously charged to their credit cards that their record is worth only $187. Even those people who have just seen a few pennies charged and flagged by the credit card company could "suffer" more in the thought of what can now happen. I've seen firsthand a few rather scared acquaintances after seeing such a test charge...
2. Let's say you're a medium-sized company but you have only a few very large clients. You have a breach, and let's even just say 2 people, who happen to be your main client executives, decide that breach was damaging and drop your business. This could have devastating effects. Granted, this isn't a "retail" store, but let's just forget quoting too many statistics and numbers lest we lose sight of the real issues.
by michael 08.28.07 at 3:49 PM in /general -
Practice, practice, practice. This recently came up in a SecurityCatalyst forums thread from Cutaway. You practice until reaction to incidents is automatic. Not only that, but you practice to become better acclimated to something, whether that be a skill or simple knowledge. If you check your Internet usage levels or network utilization every day, you get a really strong feel for what to expect. This means one can isolate anomalies much quicker. If you do some lockpicking for an hour every day, eventually you will acquire a feel for doing it quicker, which can expand into being able to tackle tougher locks...
Practice, practice, practice... Professionals need to never forget the basics and the fundamentals of what we do (I know too many who hate the drudgery of such tasks...). Think of it like keeping a finger or monitor on your heartbeat for spot-evaluations or for emergency hospital stays....
by michael 08.31.07 at 1:19 PM in /general -
Speaking of lockpicking and practice, I actually have been practicing my lockpicking recently. I'll bring a practice lock and a few picks with me to a coffeeshop or movie theater and pick away at it for small chunks of time or before the movie starts. Sometimes I will do so while watching a movie or television at home. Today I was actually able to pick 2 of my 5-pin locks pretty quickly, multiple times. And these were locks I wasn't terribly familiar with yet. That's a pretty big step for me!
Practicing lockpicking has allowed me to go from being a blind raker who gets lucky, to being able to better feel the matching of the pins and which ones are not yet locked. It has also given me my own ability (technique) to determine pin-counts before applying any torque and make guesses when a pin is locked too high or which one is just barely keeping the cylinder from turning.
Of note, I have a simple 21-piece lockpick set that I ordered for about $45, plus a series of practice locks that I found on eBay. I think the locks cost about $100 in total, and I have 9 of them. Three of them are cut-away locks so I can actually see the pins. Two of the locks are 3-pin, the rest 5-pin, and I even have a 5-pin spool lock. I highly recommend grabbing a couple of cut-away practice locks if you are just starting out, as that really helps.
by michael 08.31.07 at 1:37 PM in /general - comments(2)
Michael Santarcangelo poses an interesting question and analogy to the IT security world: do you dance in the rain? Now, you probably won't catch me dancing in the rain unless I'm at an outdoor concert, but I'm definitely not a scurrier, even if I'm wearing a light shirt headed to an important meeting in the pouring rain. Screw the umbrella; enjoy nature's weather, even if it can be temporarily painful in the winter; you won't die. (Ok, so if you're out in the wilderness camping or hiking, you should be careful, but in an urban setting, you're not going to die.)
But Michael's right, do what makes you happy and gives you passion. It might be a little weird, but happiness begets productivity, and ultimately, we're all more than just our jobs. Keep the optimism. The enthusiasm, while looked at askance by some others, will be respected and rewarded eventually.
Considering our jobs in IT and security, we sometimes don't get our adrenaline pumping until there is an incident. Perhaps that means we might only be happy when it rains? :)
by michael 08.31.07 at 2:39 PM in /general - comments(2)