January 2008 Archives
I watched fabs' presentation
on Advanced Port Scanning at the 24c3
(that looks like a heckuva venue!
), so thought I would poke around and see if Port Bunny had been released yet. Basically this should be a simple TCP port scanner that can scan faster than nmap; the presentation goes into the reasons why. It doesn't look like the tool is out yet (and I'm patient so will wait for the official release in January), but I did find a post from FX on the Recurity Lablog about retrieving faxes off a spent thermal-transfer ribbon
from a fax machine. Information hides in interesting places!
by michael 01.01.08 at 10:37 AM in /general
I'm not big on generalizations, but let's face it, they happen. I clicked through to a ComputerWorld article on how Generation Y are the biggest users of our libraries
. Neat. This prompted the question: "What the hell is a Generation Y person?" I was born in '77, so I'm on the nebulous border between designations, but from reading a rather interesting article on Wikipedia for Generation Y
, I tend to fall more into Y due to my technological inclinations. Labels aside, it is at least interesting to see how the workplace culture is changing with a generation of young people, of which I still consider myself a member.
by michael 01.02.08 at 1:26 PM in /general
picked a theme. Even shrdlu
picked a theme. Should I lay early claim to "Aenima
" by Tool?
Some say the end is near.
Some say we'll see armageddon soon.
I certainly hope we will.
I sure could use a vacation from this
Bullshit three ring circus sideshow of freaks.
No, I'm not quite that negative at the moment. Being at work and not having a legit means to browse my music collection, I'll have to put this topic on hold and listen for a candidate song over the next few days or week...if I even do come up with something interesting.
by michael 01.02.08 at 3:30 PM in /general
I do read a few non-security blogs, and sometimes they offer sage advice. A post by Samuel from WakeUpLater.com
(if you freelance/work-for-yourself you can wake up later) has a few excellent points (although I will argue his title doesn't match the text).
The title of the post is Stop Reading Blogs: Go Create Something
. I know from all of the blogs and sites I read regularly, I get such a huge influx of cool things and tools to use, that I end up trying out less than if I just had a shorter queue and more time to try them. My gmail box is overflowing with stuff to check out from the past year. Reading blogs is helpful, but I'm the last person to ever say I know Topic FGH just because I read about it online. I think I'll make a point this year to start culling my list of useful blogs that I read, or at least organize them in a more tiered fashion from Must Read to Only If Bored.
The post also goes into writing, Stephen King, and reading. I really love this, and I do have a special place in my heart for reading and writing. Find a space that is yours and free of distractions. Get something done. Get started and the hard part is then behind you. Do it for yourself, not others. (If you do it well, the part about the others will find its own place.)
This past year has been the first time I've had an apartment to myself, and I'm now pursuing outfitting the second bedroom to be my little workspace conducive to all of my geeky endeavors.
by michael 01.03.08 at 8:42 AM in /general
Videos from the 24th CCC
have been posted. I highly recommend Toying with Barcodes by FX. It is nice to think about the various ways technology around us can be extremely vulnerable to tampering, and barcodes are ripe. I'm sure this is old news to many tinkerers (hackers), but FX does an excellent job highlighting many issues.
Black Hat USA 2007 videos
are also up.
Tunak Tunak Tun
is an infectious music video. Some of the dance moves occur in WoW.
by michael 01.03.08 at 9:01 PM in /general
A lot of attention in the Linux world goes to accessing Windows partitions (NTFS) in Linux. From Hackosis
, I've recently been pointed to Windows tools
that can access Linux partitions. This can be useful if you dual boot and have multiple file systems on the same local disk (or if you mount another disk onto a system,
although I'm not sure why anyone would want to mount a Linux disk on a Windows system...
I guess backups and even Windows-only forensics tools might be some reasons).
allows read-only access to ext2 and ext3 from a Windows system. Ext2 Installable File System
will allow read and write access to ext2 from a Windows system.
by michael 01.04.08 at 9:32 AM in /general
There continue to be a good number of live cd distros available with a security slant. Here are some links, although some I've not even booted into yet to check out.
is a wireless pen-testing live cd that appears to make the most common wireless penetration tasks surprisingly automated.
is a platform for network security monitoring.
is a self-explanatory live cd: Digital Evidence and Forensic Toolkit.
appears to be a data capture installer. This isn't a live cd, but rather an installer that should be run on an empty or expendable hard disk.
Various other firewall installs are also available as usual. IPCop 1.4.18
, pfSense 1.2 RC3
, SmoothWall Express 3.0
, m0n0wall 1.3b7
by michael 01.04.08 at 9:47 AM in /general
The Winter Scripting Games 2008
are right around the corner, starting February 15. Last year, these "games" gave me the kick in the pants
to try out Microsoft's PowerShell scripting, and I must say it might be one of the better skills I acquired through last year; something I could use both at home and at work.
I plan to participate again this year in the PowerShell division(s), but I see they are also including Perl in the games this year. I think I will try to put the most effort into the Perl section since I'm horribly rusty with it.
So check it out, give them a try, and pencil in those dates to save some evenings for devoting some time to the challenges.
by michael 01.04.08 at 11:26 AM in /general
PortBunny 1.0 has been released; a tool I mentioned
just a few days ago. I run Ubuntu 7.04 on my laptop and wanted to try PortBunny on it.
michael@orion:~/Desktop$ tar xfz PortBunny-1.0.tar.gz
michael@orion:~/Desktop$ cd PortBunny-1.0/
michael@orion:~/Desktop/PortBunny-1.0$ make
make -C /lib/modules/2.6.20-16-386/build M=/home/michael/Desktop/PortBunny-1.0 modules
make: *** /lib/modules/2.6.20-16-386/build: No such file or directory. Stop.
make: *** [all] Error 2
Dang, I thought I had the kernel headers installed. A quick check is whether /lib/modules/2.6.20-16-386/build exists (on Ubuntu it is a symlink into the matching linux-headers package); if it doesn't, the headers for the running kernel need to be installed. 'uname -r' prints the running kernel version, and the backticks in the command below substitute its output into the package name:
sudo apt-get install linux-headers-`uname -r`
After that, a "make" and a "make install" succeed and PortBunny happily port scans whatever I point it at. It had no problems scanning the few boxes on my network as long as I didn't have any active firewalls running, i.e. a firewall that shuns me after a threshold of port connection attempts. Good stuff!
by michael 01.06.08 at 1:18 AM in /general
Just to pull something from a mailing list and file it away for future reference, here are two tools that can help create "dictionary" files for...you know what. Note that these aren't necessarily dictionary files of valid words, but rather every combination of a character set up to some length x, which gets huge quickly.
2004 Hacking Brute Force Dictionary Creator
in zip format
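As an added example (not one of the two generators linked above), here is the same idea in Python: enumerate every string over a character set up to a maximum length, and size the set first so you know what you are about to write to disk. Function names, the cap on entries, and the sample character sets are all my own choices.

```python
# Added example, not one of the tools linked above: build the kind of
# "dictionary" those generators emit (every string over a character set up to a
# maximum length) and size it before committing disk space to it.
from itertools import product
from typing import Iterator, TextIO


def candidate_count(charset: str, max_len: int, min_len: int = 1) -> int:
    """Number of strings of length min_len..max_len over charset: sum of k**n."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    k = len(charset)
    return sum(k ** n for n in range(min_len, max_len + 1))


def candidates(charset: str, max_len: int, min_len: int = 1) -> Iterator[str]:
    """Yield every string of length min_len..max_len, shortest first, in the
    order of the charset as given (order the charset by expected frequency and
    the likelier guesses come out first)."""
    if len(set(charset)) != len(charset):
        raise ValueError("charset contains duplicate characters")
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    for n in range(min_len, max_len + 1):
        for combo in product(charset, repeat=n):
            yield "".join(combo)


def write_dictionary(out: TextIO, charset: str, max_len: int,
                     min_len: int = 1, max_entries: int = 10_000_000) -> int:
    """Write candidates one per line. Refuses up front if the set is larger than
    max_entries, because k**n grows faster than people expect. Returns the
    number of lines written."""
    total = candidate_count(charset, max_len, min_len)
    if total > max_entries:
        raise ValueError(f"{total} candidates exceeds cap of {max_entries}")
    written = 0
    for word in candidates(charset, max_len, min_len):
        out.write(word + "\n")
        written += 1
    return written


if __name__ == "__main__":
    import string
    import sys
    digits_and_lower = string.digits + string.ascii_lowercase   # 36 symbols
    print(candidate_count(digits_and_lower, 6))                 # 2238976116
    write_dictionary(sys.stdout, "abc", 2)
```

The count function is the useful part: six lowercase-alphanumeric characters is already over two billion lines, which is why these generators are normally pointed at a short length or a small, targeted character set.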
by michael 01.07.08 at 2:10 PM in /general
Mark Russinovich is a Microsoft employee; you may have heard of him. On a recent blog post
he describes how his Autoplay feature in Vista stopped working due to a Group Policy update. Mark, being a coveted local administrator on his laptop (a work-assigned one, as implied by the post) found the setting to re-enable AutoPlay. And to prevent Group Policy from reverting the setting back to what his admin wants, he opted to block it by adjusting permissions.
Now, Mark likely has a work-related reason to use AutoPlay, and took steps to get his work done (giving a demo of the feature) by circumventing his admins and likely corporate policy. And then posted this for others to see and learn from, both technically and by example.
A local administrator is the master of the computer and is able to do anything they want, including circumventing domain policies...and that's just one more reason enterprises should strive to have their end users run as standard users.
So, is Microsoft wrong for allowing someone like Mark to run as local admin? Or is Mark wrong for circumventing that trust? For lesser employees, I would be more forgiving, but Mark full well knows what he's doing. Likewise, if anyone qualifies for local admin rights on a corporate-issued laptop, Mark is the least of your worries. Should Mark work with his GP admin to either do this better or make Mark an exception (admins love exceptions)? Things that make you go hmmm.
I just find this all unintentionally funny...and a horrible grey area for us professionals.
by michael 01.07.08 at 2:25 PM in /general
Need a reason to play with Python? Try playing the 30+ levels of The Python Challenge
. Solve the problem, move up to the next level.
by michael 01.08.08 at 9:07 AM in /general
Saw some news today about "94,000 sites hacked
" and sending users to a malware-ridden site. That's a hell of a lot, and prompted some investigation on our team. Sadly, we've found very few useful bits of information
about what happened (I suspect some common piece of software on all these sites was pwned...analytics? ads? site mgmt?). We have, however, decided to block two URLs, *.ucmal dot com and *.uc8010 dot com as they are distributing malware. The Google search linked in that first article shows an impressive array of pages and sites...
by michael 01.08.08 at 10:07 AM in /general
I mentioned yesterday
a report about tens of thousands of websites being infected by some malware. SANS has an update
which also points to the ModSecurity blog
. Turns out this was some automated process that sought out SQL Injection-vulnerable sites, injected the script, and moved on. Impressive!
This kinda drives home some concepts.
1) Think of an attack today that seems unlikely or something that an attacker would do manually. Plan on that attack being automated someday. Yes, web app secs will say some things aren't like that, like business process errors, but for the most part attacks can be automated, just like vuln scans can be automated. This can be done by a small number of scanners running, or even a rented botnet that can infect huge swaths of systems quickly. The next worm? We don't need to worry about the next worm when botnets can act as one at will. Just give them a vulnerability, or now even a class of vulnerability that can be scanned for, and bam, overnight firestorm. And for every site attacked in the last few weeks, that can turn into hundreds of infected visitors to that site.
2) If you check that Google search for infected sites, you've just got an inventory of sites vulnerable to SQL Injection. Do a diff on them over the next few days, and you'll filter out the sites with good response to incidents. Want to steal some info or do more targeted and nefarious things? There's your target list...
? Sure we can erect barriers in WAFs (ugh) to help block these things, but it all comes back down to secure coding, regular scans/audits, change control tripwires, and monitoring. What's worse than being hit by this attack? Being hit and never knowing it.
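Two of the points above are easy to turn into checks. As an added example (mine, not from the SANS or ModSecurity write-ups): scan your own rendered pages for script tags served from the two domains named above, which is what the injected payload leaves behind wherever the poisoned database field is displayed, and diff two days' lists of still-infected sites to separate the ones that responded from the ones that haven't noticed. The domain list comes from the post; the HTML, the site names and the function names are constructed.

```python
# Added example, not from the SANS or ModSecurity write-ups.
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"ucmal.com", "uc8010.com"}   # from the post (*.ucmal.com, *.uc8010.com)


def host_of(src: str) -> str:
    """Hostname of a script src, tolerating scheme-less and protocol-relative
    forms such as //www.uc8010.com/0.js."""
    if "//" not in src:
        src = "//" + src
    return (urlsplit(src).hostname or "").lower()


def is_blocked(host: str, blocked: Set[str] = BLOCKED_DOMAINS) -> bool:
    """Exact match or any subdomain of a blocked domain."""
    return any(host == d or host.endswith("." + d) for d in blocked)


class _ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html: str, blocked: Set[str] = BLOCKED_DOMAINS) -> List[str]:
    """Return src values of <script> tags served from a blocked domain. The
    injected tag sits inside stored data (a product name, a comment), so it
    turns up wherever that data is rendered; the parser sees it regardless."""
    p = _ScriptCollector()
    p.feed(html)
    return [s for s in p.srcs if is_blocked(host_of(s), blocked)]


def diff_infected(earlier: Set[str], later: Set[str]) -> Dict[str, Set[str]]:
    """Compare two snapshots of the 'still serving the script' list."""
    return {
        "cleaned": earlier - later,      # responded to the incident
        "persisting": earlier & later,   # still injected days later
        "new": later - earlier,          # newly hit (or newly crawled)
    }


if __name__ == "__main__":
    # Constructed page: a stored product description carrying the injected tag.
    page = ('<html><body><h1>Widgets</h1><p>Blue widget</p>'
            '<script src="http://www.uc8010.com/0.js"></script>'
            '<script src="/js/site.js"></script></body></html>')
    print(find_injected_scripts(page))
    print(diff_infected({"a.example", "b.example"}, {"b.example", "c.example"}))
```

The "persisting" set after a few days is the target list the second point above warns about; the "cleaned" set is the one you would want your own sites in.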
by michael 01.09.08 at 9:33 AM in /general
A reminder-to-self about a phrase I should start using more: intolerant of the inevitable. A security breach is inevitable and there is no silver bullet to save us. Yet we're so very intolerant of such an inevitability. It's a double standard we need to keep addressing. This is not necessarily a digital security problem, but rather a cultural one. (I had examples, but I'll keep it at this for now, for sanity.)
(If you know the place I posted about this in the comments, then you might be a stalker!)
by michael 01.09.08 at 3:26 PM in /general
Bejtlich posted an excellent email from a reader of his asking how to find competent security personnel
. What a wonderfully worded email, and rather than post a huge comment on Richard's site, I thought I would pollute my own blog with it instead! I'll try to keep it bulleted (something I've been striving to do this year). I also printed out the questions; I try to always honestly answer such things as practice.
1. Unlike some commenters, I really like the questions posed. Sure, they can be vague, but part of a hiring question should be to get the analyst to analyze
. What is the interviewer *really* going after, and can you help them along by accepting and adapting to the question? While you're fiddling over details of the scenario, the incident is still happening.
2. Look for analysts in the right places
. If I knew this job and it was in my area, I'd apply or pass it on to others. Are you finding me? I would be willing to bet that the post on Bejtlich's blog produced several job candidates; I'd bet a better return than current efforts have yielded! Get to places where we hang out....SecurityFocus
has a job board, SecurityCatalyst Forums
, and so on. Get your own security blog and join the Security Blogger's Network
to get good exposure and post the job. Or have one of them post it up. Check with your local InfraGard
(a great place to network!) or even other local professional tech groups like CIPTUG
to see if they know people interested or maybe one of them wants to cross-over.
3. I can say the term "senior" can be daunting.
Newer security-inclined persons may avoid such a job title, at least at first. On the other hand, the term "junior" might imply entry level or fresh out of college and you might deter some people away. I like more neutral titles, personally.
4. Make sure you're properly valuing this role.
A lot of people will say a manager needs to pony up and pay competitive salaries, but that is often out of the manager's hands. Perhaps the company itself needs to properly value the position/need and advertise properly. This might mean dropping the "senior" off and grooming some more green persons.
5. I think Richard is correct, there are still few people who can properly answer those questions, let alone actually do what the answers call for
. However, I think there is still a good number of people willing to be groomed up into such a position or groom themselves up if given the chance.
6. "Am I setting the bar too high?" Maybe. I think accuracy in answers can be fixed, but personality in handling the questions is much more difficult
. If they don't know the difference in responses between a web attack and a client side buffer overflow, they can quickly learn via process documentation or after the first one or two incidents of each. Are they capable of detail, learning, and improvement? Then again, that's maybe the difference between the "senior" and the "not-senior" guys out there.
by michael 01.10.08 at 1:48 PM in /general
I was reading Marcin's post today
which included a mention about the boy who created a remote to change tram rail junctions
, leading to a derailment. I also recently bought my first Rubik's Cube ever, and then looked up the theory on solving it (no, I don't have the time or mathematical interest/patience to truly learn it, but I wanted to know the approach and algorithms involved...no, I would never have figured it out myself, I think). I also read about remotes turning off televisions at CES
, disrupting presentations.
What do these mean? I think there are still a lot of things that are very hackable. While the cyberverse keeps progressing at breakneck speed, much of the analog world is still using old technology that greatly relies on hidden knowledge. In the past, much like the Rubik's Cube, I really wouldn't have had easy access to solve the puzzle. These days, information sharing and problem-solving are amazingly accessible to so many people.
by michael 01.11.08 at 1:40 PM in /general
From Fortify Software comes this trailer called The New Face of Cybercrime
. The part that really spoke the loudest, in my mind, was near the end when Ranum came in to essentially say that no software is so trivial that it can be made without security in mind. Who knows when that software will be picked up and used in a way that people's lives depend upon it. It looks like this full video might be a staple of any corporate bookshelf for awareness training.
My only beef on this? It appears sponsored by Fortify Software
, and they definitely have a stake in saying the security of tomorrow is not in the network but rather in the software and the software development lifecycle. This could turn out to simply be a big budget advertisement...
by michael 01.12.08 at 3:58 PM in /general
I've long been able to identify an rss feed in my news that dealt only with PCI and be able to quickly skim it or remove it from my feeds. "PCI doesn't really affect me, although I should stay aware of it." Ok, I know that's not true, I do need to know it, and this year that becomes more obvious. Our company has a soft goal of becoming PCI compliant. And, yes, it is driven by a large client who requires it.
In that light, I'll still have to keep up to speed on PCI nuances and Q&A posts. Walt Conway over on the PCI DSS News and Information blog
recently posted his top 10 myths about PCI DSS (part 1, part 2, part 3).
"And if we were compliant at that moment, we are still only one system change away from being non-compliant."
And on the myth that "PCI is inflexible with unreasonable technical, security, and business requirements,"
I hear this one a lot, and I do not agree. Nothing in PCI is not already a best practice (so much for being unreasonable), and there is the option of a compensating control for any requirement (so much for inflexibility).
I feel that PCI is tough when a) the business doesn't know what the business is doing (processing cards) or b) thinking about and doing security is way behind.
by michael 01.14.08 at 12:53 PM in /general
I've quietly been compiling a list of "laws" for my paradigm on security. I like lists of "laws;" they help put one into a proper mindset where questions are answered before they're asked, leaving time for more important things. I used to have such a list of laws when it came to dating girls back when I was in college. They were great, but I'm still unmarried so maybe they worked too well...oops!
One of my little laws (they do frolic in a quiet pasture like my little ponies) sobs a lot these days:
Security is not an enabler except in three cases. First, when the organization is in the business of security (software, hardware, services...). Second, when security is required for the business path to exist. Third, when economic forces suggest that security is the cost-effective answer (e.g. cost of security is less than the cost of fines or lawsuits for breaches).
I often hear about how security should be an enabler and not an inhibitor. I don't buy that. In regards to the second case above, this only happens when a regulation, expectation, or law exists that places an economic leverage on the organization to meet a level of security, which can then allow business to occur. This is a natural extension of the inverse relationship between usability and security. This says to me all other security efforts are not enablers, so move on to more important matters and proper frames of mind.
by michael 01.14.08 at 1:09 PM in /general
This article may make you angry, or it may make you agree with it. I'm a bit of both, but I don't particularly like the presentation. How'd I see this? My CIO passed this out today to people in her department. Michael H. Hugos (MHH) talks about IT complexity in The Recovering Complexaholic
, from the Opinion section of ComputerWorld (Nov. 5, 2007). Let's check it out a bit.
There’s a standing joke that business people never have to ask IT how long something will take and what it will cost because they already know the answers: It always takes a year and costs $1 million — and that’s just for the simple stuff.
When I first read this, I actually went the opposite direction. "Business people never have to ask IT how long something will take and what it will cost because they've already made up their minds that it will be immediate and cost nothing." Oops, he went the other way with that joke!
MHH then goes into how "consumer IT" is better than corporate IT, which I think he is confusing with the overall SaaS movement. I'm not sure I would consider that "consumer IT." Does "consumer IT" know anything about managing 50+ systems, software packages, policies, accounts, or pieces of data? Not usually. Just because you can access it from your browser at home on your own computer does not mean the solution is "consumer IT."
He also opines about how IT makes things so complex that nothing gets done, and when it does, it costs a lot of money. I think business as a whole is as guilty of this as IT. Business often cannot make decisions and leaves such things to IT to sort out. IT then has to cover all the bases and make processes so robust that they become complex monsters, just to CYA in case something doesn't meet some unspoken requirement. Business can condition IT to overanalyze and overcomplicate solutions just as much as an IT person can get caught up in it themselves. This is basic psychology 101 conditioning.
I truly think complex IT can be just as successful as cowboy IT (come on, that's what MHH kinda sounds like he wants...get things done, think about it later), but it all depends on the personality of management and aligning IT to that personality. If the org is a large slow-moving organization that expects this project only to be done once, you might need to make it complex and large. If the company is small, fast-moving, and likely to revamp the whole architecture in 3 years when it makes a big break and growth spurt, then keep it simple.
I really buy into the idea that we just need to Get Shit Done. I also buy into the desire (not need, mind you!) to keep things from becoming complex. IT people really do hate complexity as much as anyone. It makes problems difficult to diagnose, compounds itself over time (try to build a complementary system to an already complex system...it becomes complex itself), and typically promotes instability and insecurity. Besides, we want to accomplish things as well, not just let something stupid drag on for 12 months.
Yes, IT can perpetuate the problem, but I think the problem is not something you can lay on IT alone, but rather everyone involved. I think this is called 'alignment,' but I could be stepping outside my pay grade there.
MHH asks a few rhetoricals: "What is our objection to this stuff? That it’s not scalable in the enterprise? That it’s not robust? Or that it doesn’t feed our addiction to complexity?" These questions depend on what management wants, and trust me, if IT has been bitten by mgmt in the past, they WILL know how to approach these answers. When I propose "consumer IT" as a solution to problem A, will management later get frustrated that it can't be tailored to what our processes are (instead we have to use the product the same as everyone else)? That's a valid concern, especially when IT knows Mgmt can't stay within the lines of the solution...
by michael 01.14.08 at 3:32 PM in /general
I had a lot of work going on in the latter half of last year, and am only now recovering enough to tinker with things at home again, hence my lack of interesting technical posts and such. I've gotten myself back on the wagon by beginning the migration of my webserver from WAMP to LAMP, and this blog itself from MT 3.34 to MT4 (which I hope will fix my comment rss feed). So far testing has been positive, and I'm sure I'll post some sort of step-by-step on what I did to migrate in case anyone wants to copy meh.
One thing I've wanted to do this year on this site is make less rant/discussion posts and more technically useful posts. I've gotten away from it lately, and it definitely makes me feel a bit guilty.
by michael 01.14.08 at 4:19 PM in /general
Jeff Hayes just wrote a nice post about hiring and retaining "Millennials
," those workers aged 18-30 (whew, that includes me just barely!). I like what he says, and I really think you can make some relatively small expenses to really keep employees happy and productive. I know Joel Spolsky
advocates doing the little things to create a good working atmosphere. Dotcom excess is typified by $900 Aeron chairs
, but is $900 really all that bad compared to the productivity that can be gained from a developer paid $70,000 a year? Perspective...
I would also add that people my age and younger really do use the Internet as an integral part of our social lives. This means those of us geeks who work in technology have very blurred lines when it comes to work and home life. I'm on a computer at work, I'm on one at home. So please don't stress at me if I do some personal things during the day, since I'll likely do some work stuff at home when inspired. It's not just a 9-to-5 geek thing; it's a lifestyle that encompasses everything that is me and what I do.
by michael 01.14.08 at 4:38 PM in /general
The online book, Certified Wireless Analysis Professional study guide
is up, offered from CWNP. This looks pretty darn detailed.
by michael 01.15.08 at 9:04 AM in /general
In my last job our developers worked primarily in ColdFusion, most recently MX 7. I picked up some research on the SecurityFocus pen-test mailing list about some ColdFusion MX insecurity tidbits [pdf] that I wanted to save. I really like that one can brute force the admin password from a secondary page (no username, no logon logging) and then upload and execute files.
by michael 01.16.08 at 11:25 AM in /general
Picked up from joat
(makers of the Wi-Spy wireless spectrum analyzer USB device) may be gearing up to release Chanalyzer 3.0 soon
. Also, they have a Netstumbler replacement for Windows called inSSIDer.
As much as my Wi-Spy is a cool little toy
, the price is still somewhat high. I got mine back when it was only $99, but now that same device is $199 and the higher quality one with an external antenna is $399. Not sure I can recommend this to anyone but people serious about their wireless spectrum needs. I would suggest it to anyone with a wireless network in their business, however. Cheap price for this sort of tool.
by michael 01.18.08 at 8:50 AM in /general
This piece is an excellent telling of the drama surrounding MediaDefender
last year (they had a half year of email stolen and posted online, which the P2P community trumpeted around like a war trophy). Yoinked this from elamb.org
by michael 01.18.08 at 11:22 AM in /general
is a python tool that will compare two packet captures (one from the src system and one from the dst system) and highlight suspicious, mangled or possibly injected packets. It requires pcapy
and, of course, python
. Saw this over on Nate Lawson's blog
in discussing how to detect TCP RSTs, which is apparently being used by Comcast to combat BitTorrent file sharing.
by michael 01.18.08 at 3:09 PM in /general
SANS posted about the possibility that attackers could subvert the administrative process
, for example being able to inject website URLs into logs which an admin will then investigate and potentially have his box pwned.
I find such avenues of recon and exploitation to be quite viable, especially for non-professional admins (the blog author who blindly follows every referrer link for the ego boost). I also like this idea for profiling administrative practices. Are there admins following up on alerts or log entries?
For myself, I try to be careful with what I view from work when investigating alerts. The last thing I want is to see a scan from an IP, open it in a browser, and be inundated with porn popups. I'd definitely recommend investigating from a Linux VM. At my previous job, our wireless network was physically separated from the main network, and got to the Internet through a generic DSL connection. This is an excellent, untraceable connection to poke around from. Any tracing would lead back to my DSL provider, and pretty much stop dead there. Paranoid? Sure. But I'd rather keep such things in mind than be a security professional living in ignorance...
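The first line of defense is not opening those URLs at all. As an added example (mine, not from the SANS diary): pull the referrers and request URLs out of a web server log, defang them so they cannot be clicked by accident, flag referrers from hosts you do not recognize, and flag entries that carry control characters, which is what it looks like when someone is writing into your log to hit whoever reads it. The log lines, host names and allowlist are constructed; the function names are my own.

```python
# Added example, not from the SANS diary: triage referrers and request URLs
# from an Apache/nginx "combined" log without loading any of them in a browser.
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Anything that can steer a terminal or a log viewer (ESC, NUL, backspace...).
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def parse_combined(line: str) -> Dict[str, str]:
    m = COMBINED.match(line)
    if not m:
        raise ValueError("not a combined-format line: " + line[:60])
    return m.groupdict()


def defang(url: str) -> str:
    """Make a URL unclickable for display: http(s) -> hxxp(s), '.' -> '[.]'."""
    url = re.sub(r"(?i)\bhttps?://", lambda m: m.group(0).lower().replace("tt", "xx"), url)
    return url.replace(".", "[.]")


def triage(lines: List[str], trusted_hosts: Set[str]) -> List[Dict[str, str]]:
    """One finding per log line that merits a look, with a reason and a defanged
    URL. Referrers from unknown hosts are the bait described above; the request
    path itself can carry a URL too (open-redirect probing, for one)."""
    findings = []
    for line in lines:
        if CONTROL_CHARS.search(line):
            findings.append({"reason": "control characters in entry",
                             "url": "", "line": repr(line)})
            continue
        e = parse_combined(line)
        ref = e["referer"]
        if ref and ref != "-":
            host = (urlsplit(ref).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append({"reason": "referrer from untrusted host",
                                 "url": defang(ref), "line": line})
        parts = e["request"].split(" ")
        path = parts[1] if len(parts) > 1 else e["request"]
        if "://" in path:
            findings.append({"reason": "URL embedded in request path",
                             "url": defang(path), "line": line})
    return findings


# Constructed sample log. The last line carries an ANSI clear-screen escape,
# the classic trick against an admin who tails the log in a terminal.
LOG = [
    '203.0.113.7 - - [22/Jan/2008:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2008:10:01:03 -0600] "GET /blog/ HTTP/1.1" 200 2048 '
    '"http://win-a-prize.example.net/?u=you" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2008:10:01:04 -0600] '
    '"GET /redir?to=http://win-a-prize.example.net/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2008:10:01:05 -0600] "GET /\x1b[2J HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(LOG, {"www.example.com"}):
        print(f["reason"], "|", f["url"] or f["line"])
```

If a referrer still needs a look after this, the post's advice stands: fetch it from a throwaway VM on a connection that doesn't trace back to the company, never from the box you read logs on.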
by michael 01.22.08 at 11:13 AM in /general
If I lived in NYC, I'd totally jump on applying for this Systems Administrator job
over at FogCreek. Even if the job wasn't for me, I really would like to say I have experienced a company like FogCreek and see, firsthand, what all the quiet hype is about over there. Joel's blog
is one of the very few non-security sites I regularly read.
By the way, in that above job, you'd work with Michael
. And it looks like he has a brand new security blog, Michael on Security
. Good times! I really like to see a sysadmin who is aware and interested in security. This can help ensure, especially for small business where he likely does everything, that what they do will be done with at least some security in mind!
by michael 01.22.08 at 1:05 PM in /general
Sadly, the article "10 Things Your IT Department Won't Tell You
," by a wildly brilliant (ugh) Wall Street Journal writer, written last summer
, has resurfaced on MSN as one of the most popular news articles of the week in the Tech section. Wonderful. Prominent enough that I heard about this from someone else (my manager).
My initial reaction still holds up
, although I will admit one thing. As IT, we need to make sure we listen to the needs of our business users, not just from the perspective of the company dollar, but also the perspective of the employee's happiness (at least in as much as our company/HR lets us be sensitive to that). Sure, it might be a solution to ban IM and webmail and filter sites, but does that mean the company is fighting a war against culture and social lives? The extreme of that is the RIAA clinging to an old business model. I'm not saying we should capitulate to the users, but we should always make sure we find the right balance for our users and our business.
by michael 01.23.08 at 9:43 AM in /general
OpenID is getting more attention this week with Yahoo announcing their use of it. It is getting a little late for predictions, but I'll throw out a long term prediction that any true SSO of this magnitude will not come out of the US, but rather Europe.
The US does not have a history of cooperation, but rather capitalistic competition. Rather than one "universal" ID, we'll have 5 of them all competing. If Yahoo adopts OpenID, then Microsoft will use their own and Google will use another...oh wait, they already do! We have no hope of having any type of "universal" ID coming out of private industry in the US.
If some universal ID system does appear in the US, it'll be government-backed, controversial, and take 20+ years to develop. The US is better off adding passwords to the SSN or biometrics or RFID ID/passport cards...
by michael 01.23.08 at 11:49 AM in /general
I'm not a big software de-engineering guy or reverser and I don't see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin
over at Offensive Security
Practical COM code reconstruction with IDA PRO
More advanced unpacking - Part I
by michael 01.24.08 at 1:45 PM in /general
I thought when I previously mentioned PowerShell's get-date
, that I covered how to make dated log files. After seeing this article from TechTarget
, I checked and saw I missed it. Here's how I do it.
new-item -type file -name "$(get-date -uformat '%Y%m%d%H%M%S')-log.log"
This results in a file named: 20080125163647-log.log. Specifying a -path will create the file somewhere else. The switches in the -uformat can be further examined with "get-help get-date -full."
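As an added example (not from the original post), here is the same -uformat stamp wrapped in a small function that takes an optional -Path directory and appends timestamped entries, so one file is created per run and the entries sort the same way the file names do; the function and parameter names are mine.

```powershell
# Added example, not from the original post. Creates a dated log file with the
# same get-date -uformat stamp the post uses, in an optional target directory,
# and appends timestamped lines to it. Function and parameter names are assumed.
function New-DatedLog {
    param(
        # Directory for the log; defaults to the current location, like -name alone.
        [string]$Path = (Get-Location).Path,
        [string]$Suffix = '-log.log'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $stamp   = Get-Date -UFormat '%Y%m%d%H%M%S'   # e.g. 20080125163647
    $logFile = Join-Path -Path $Path -ChildPath "$stamp$Suffix"
    New-Item -ItemType File -Path $logFile | Out-Null
    return $logFile
}

function Write-LogLine {
    param(
        [Parameter(Mandatory=$true)] [string]$LogFile,
        [Parameter(Mandatory=$true)] [string]$Message
    )
    # Same sortable stamp on each entry, so file name and lines line up.
    $line = '{0} {1}' -f (Get-Date -UFormat '%Y%m%d%H%M%S'), $Message
    Add-Content -LiteralPath $LogFile -Value $line
}

# Usage: one file per run, named by start time, each entry timestamped.
$log = New-DatedLog -Path (Join-Path $env:TEMP 'logs')
Write-LogLine -LogFile $log -Message 'scan started'
Write-LogLine -LogFile $log -Message 'scan finished'
Get-Content -LiteralPath $log
```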
by michael 01.25.08 at 4:39 PM in /general
Ever see one of those armored cars at the store or local mall that is picking up money? Ever check out those guards? Yeah, the ones that look like they're 65, can run all of 100 feet before tripping over themselves and being winded. Same with those contracted overnight building security guards who likely can't speak English beyond "private property." The guy who picks up our backup tapes every day at work looks like he's got great grandkids.
So why don't we get more punk kids knocking over these security guards? I would expect that such brazen attacks would be successful, and there is no more liquid a product than actual money. I surmise that many such thefts and crimes are easy to commit and even get away with.
Social stigmas of right and wrong are, in my opinion, what stops such actions. It's also why once you do one theft or murder, you go on to more as you've stepped over the line of what is wrong, either for your own moral compass or that of the culture at large.
On the Internet? We lack those sorts of social pressures of right and wrong. Like an old experiment I regularly mention, we act differently when we don't have a personal stake in the situation. Put 50 people into a room and they tend to act normally, with some flirting and conversation. Put 50 people into a completely dark room, and actions take a turn for the naughty. Put 50 people on the Internet and we're likely to have a far, far lower moral consciousness. This carries through not just sexually, but also in how badly we can treat others, and in cybercrime.
So, we have this history of only doing just enough security to get by, and to make people feel better, like those armored car guards. And now we have the social stigma-stripping Internet, paired with a media that will report on every single failure no matter how impossible they are to 100% prevent. That equals a lot of turmoil right now...and we get to swirl around deep in the middle of that maelstrom. Surf's up!
Likewise, I'm also not surprised at how bad our own coworkers and everyone else are at valuing their cyber security. Tremendous (and even asshole-like) risks are taken daily on the road by multitudes of drivers who clearly know the consequences of those risks. And we expect them to visualize and adhere to policies protecting against ephemeral risks? Pah.
by michael 01.28.08 at 12:37 PM in /general
Mailing lists, especially popular ones, tend to be archived in various locations, which of course get indexed in search engines. Ever say things on there you'd rather not have turn up in a search? For instance, I think we all have had weird hits on our pages from some rather nasty searches just because we used odd word combinations over the course of 12 paragraphs. Creepy. Well, when you're talking on mailing lists of technical people, feel free to talk technically. FD has recently been throwing out some encoded playful messages, but the exercise is not all that bad. Anyone worth reading such things should know how to decode base64, for instance...
by michael 01.28.08 at 1:12 PM in /general
I've seen a few recent reports about products being shipped that have some digital component to them, along with a stowaway: a virus.
No word from Best Buy yet on exactly which virus shipped with the frames, but the company claims it is an "older virus which is easily identified and removed by current anti-virus software."
There are two possibilities here. First, with some of these devices supposedly made in China, there may be some grand conspiracy to incite doubt in products or attack Americans...using an old, easily identifiable virus. While conspiracy theories are fun, I really don't think most of them are anything more than fanciful imaginations.
Second, someone is failing at the very basics of digital security.
When developers made and saved this code, where were the virus scanning tools that would catch such an old virus? Clearly they were disabled, badly out of date, misconfigured, or non-existent. And I doubt this tool was made in someone's home office and just uploaded straight into production (although that is feasible). But still, where were the checks? How long, really, would it take to make one last malware scan and visual inspection for weird files (especially executable ones!)?
Yes, there is a lot of discussion ongoing and through recent years about the failings of signature-based tools and anti-virus apps. But even with their holes, they are still cheap and a basic building block for a security regimen, even if one's paradigm on security is absolute security with zero holes (yes, lots of people take this stance, even when they don't realize it!). Ok, so you save money by not protecting your endpoints and contractor systems and so on, but at least scan the internal file servers and actual products you ship!
by michael 01.29.08 at 8:13 AM in /general
Mogull posted his 10 Truths We Hate To Admit over on DarkReading. Read it to get his explanations. I'll react below. In fact, I'll play a little bit of a devil's advocate here.
1. Signature based desktop antivirus is an addiction, not effective security.
We really have to define "effective security" to discuss this topic. If we're looking for perfect security solutions that don't leave gaps, then yes, I agree. If we're speaking about layered defenses that try to throw a wide net to catch the 80% attacks, then we have a discussion here.
2. The bad guys beat us because they're agnostic and we're religious.
Ahh the nature of the beast. This statement alone is arguable, but I like Mogull's explanation in his piece.
3. Antitrust concerns force Microsoft to weaken security.
I've been saying this for years now; Microsoft will not be allowed to create a secure operating system. Antitrust statements aside, there is now a security industry that simply won't allow it. That's unfortunate, and it will take Microsoft building a new OS (beyond Vista) that has everything built in. Then again, perhaps this is tolerable since we can't have something as big as an OS be truly secure without either skilled admins managing it or products to augment the weaknesses. Either one is an industry...
4. Vendors are like politicians – they lie to us because we ask them to.
This is a function of the rapid movement of technology. IT managers have a HUGE job to do in keeping up with the latest innovations and tools and companies and offerings and their own needs. We need yet more information sharing, more services, less products. Outsourcing security functions can help with this a lot.
5. We're terrible at talking to, or understanding, those that fund us.
While I do buy this on one level, I also don't buy this on other levels. I think many people think we need to align better to get more dollars, but lack of full funding is part of life in an economic system; it's not because we're speaking in tongues. I often feel this is a scapegoat for other problems... But there are also plenty of times where we just can't make our cases and don't align our own goals to those of the company. I just don't like trumpeting this, I guess, because it is so situational and subjective.
6. Security researchers need to grow up.
I disagree, and I find it healthy to have such a wide range of opinions and discussions and approaches. Besides, it is not how loudly researchers cry that gets them credibility, but the topics themselves. Just like the MySpace worm a year ago, even unknowns can poop out something cute and make a major impact by accident. I like our community, and wouldn't change it at all.
7. Security companies make more money when there are more incidents.
I'm sure we could learn lessons from the pharmaceutical industry on this topic. They don't make money unless people get sick, no? Then again, this is basic supply and demand, and not necessarily something we should combat or worry about.
8. Network security is the result of a mistake, not an industry worth perpetuating.
Good luck ultimately securing devices, apps, and people. Sadly, this just won't happen as long as we have humans as a part of this mix. (And unless Skynet takes over, that's a given forever!) I will say that we should strive for and keep saying we need endpoint and code security improvements, and I don't mind keeping that perfect goal in mind, but I won't delude myself into thinking that's achievable or means I can denounce the network measures.
9. Disclosure is dead.
Disclosure isn't dead, but your hidden, real point is correct: the debate about disclosure is dead. Companies do as companies do, which is economically driven. So do researchers, and there will not be a middle ground, at least not as long as both sides remain economically competitive.
10. Momentum will destroy us, until it doesn't.
Amen to this.
11. We can't fail.
We can't win either. But there are those who feel the pains on a microscopic level when we do fail. C-levels and other techs can lose their jobs and credibility when they are perceived as failing. That happens, and it is unfortunate because we often work under the assumption an incident will occur. But in the end, like an invader in the body sparking a defense mechanism, society and our companies will support the concept (if not the people present!) of improving security in the face of disaster.
by michael 01.31.08 at 12:55 PM in /general
Recently read the paper Fundamental Honeypotting by Justin Mitchell. Scored this link from Andrew Hay.
As is typical of most SANS GIAC papers, the writing and layout is a bit rough at times, but I really dig the amount of information Justin presents about beginning honeypotting. I won't litter this post with links, since the paper is filled with great links. He talks about Nepenthes and Bubblegum open proxy as the main honeypot tools. He also discusses the use of iptables and tc (traffic control), Snort, and Swatch. Hell, he also has some useful tidbits about detecting whether a system is running as a guest VM or not.
I became just a little more convinced about the value of a honeypot, but not enough to ratchet it up my list of projects to do at home. It's there, just not very high; it's more of a curiosity to me since I don't really do active malware research.
by michael 01.31.08 at 3:54 PM in /general