fundamental honeypotting paper

Recently read the paper Fundamental Honeypotting by Justin Mitchell. Scored this link from Andrew Hay.

As is typical of most SANS GIAC papers, the writing and layout is a bit rough at times, but I really dig the amount of information Justin presents about beginning honeypotting. I won’t litter this post with links, since the paper is filled with great links. He talks about Nepenthes and Bubblegum open proxy as the main honeypot tools. He also discusses the use of iptables and tc (traffic control), Snort, Swatch. Hell, he also has some useful tidbits about detecting whether a system is running as a guest VM or not.

I became just a little more convinced about the value of a honeypot, but not enough to ratchet that up my list of projects to do at home. It’s there, just not very high since it is more a curiosity to me since I don’t really do active malware research.

10 kinda truths we hate to admit

Mogull posted his 10 Truths We Hate To Admit over on DarkReading. Read it to get his explanations. I’ll react below. In fact, I’ll play a little bit of a devil’s advocate here.

1. Signature based desktop antivirus is an addiction, not effective security.
We really have to define “effective security” to discuss this topic. If we’re looking for perfect security solutions that don’t leave gaps, then yes, I agree. If we’re speaking about layered defenses that try to throw a wide net to catch the 80% attacks, then we have a discussion here.

2. The bad guys beat us because they’re agnostic and we’re religious.
Ahh the nature of the beast. This statement alone is arguable, but I like Mogull’s explanation in his piece.

3. Antitrust concerns force Microsoft to weaken security.
I’ve been saying this for years now; Microsoft will not be allowed to create a secure operating system. Antitrust statements aside, there is now a security industry that simply won’t allow it. That’s unfortunate, and it will take Microsoft building a new OS (beyond Vista) that has everything built in. Then again, perhaps this is tolerable since we can’t have something as big as an OS be truly secure without either skilled admins managing it or products to augment the weaknesses. Either one is an industry…

4. Vendors are like politicians – they lie to us because we ask them to.
This is a function of the rapid movement of technology. IT managers have a HUGE job to do in keeping up with the latest innovations and tools and companies and offerings and their own needs. We need yet more information sharing, more services, less products. Outsourcing security functions can help with this a lot.

5. We’re terrible at talking to, or understanding, those that fund us.
While I do buy this on one level, I also don’t buy this on other levels. I think many people think we need to align better to get more dollars, but lack of full funding is part of life in an economic system; it’s not because we’re speaking in tongues. I often feel this is a scapegoat for other problems… But there are also plenty of times where we just can’t make our cases and don’t align our own goals to those of the company. I just don’t like trumpeting this, I guess, because it is so situational and subjective.

6. Security researchers need to grow up.
I disagree, and I find it healthy to have such a wide range of opinions and discussions and approaches. Besides, it is not how loudly researchers cry that gets them credibility, but the topics themselves. Just like the MySpace worm a year ago, even unknowns can poop out something cute and make a major impact by accident. I like our community, and wouldn’t change it at all.

7. Security companies make more money when there are more incidents.
I’m sure we could learn lessons from the pharmaceutical industry on this topic. They don’t make money unless people get sick, no? Then again, this is basic supply and demand, and not necessarily something we should combat or worry about.

8. Network security is the result of a mistake, not an industry worth perpetuating.
Good luck ultimately securing devices, apps, and people. Sadly, this just won’t happen as long as we have humans as a part of this mix. (And unless Skynet takes over, that’s a given forever!) I will say that we should strive for and keep saying we need endpoint and code security improvements, and I don’t mind keeping that perfect goal in mind, but I won’t delude myself into thinking that’s achievable or means I can denounce the network measures.

9. Disclosure is dead.
Disclosure isn’t dead, but your hidden, real point is correct: the debate about disclosure is dead. Companies do as companies do, which is economically driven. So do researchers, and there will not be a middle ground, at least not as long as both sides remain economically competitive.

10. Momentum will destroy us, until it doesn’t.
Amen to this.

11. We can’t fail.
We can’t win either. But there are those who feel the pains on a microscopic level when we do fail. C-levels and other techs can lose their jobs and credibility when they are perceived as failing. That happens, and it is unfortunate because we often work under the assumption an incident will occur. But in the end, like an invader in the body sparking a defense mechanism, society and our companies will support the concept (if not the people present!) of improving security in the face of disaster.

virus in product illustrates basic cybersec breakdown

I’ve seen a few recent reports about products being shipped that have some digital component to them, along with a stowaway: a virus.

No word from Best Buy yet on exactly which virus shipped with the frames, but the company claims it is an “older virus which is easily identified and removed by current anti-virus software.”

There are two possibilities here. First, with some of these devices supposedly made in China, there may be some grand conspiracy to incite doubt in products or attack Americans…using an old, easily identifiable virus. While conspiracy theories are fun, I really don’t think most of them are anything more than fanciful imaginations.

Second, someone is failing at the very basics of digital security.

When developers made and saved this code, where were the virus scanning tools that would catch such an old virus? Clearly they were disabled, badly out of date, misconfigured, or non-existent. And I doubt this tool was made in someone’s home office and just uploaded straight into production (although that is feasible). But still, where were the checks? How long, really, would it take to make one last malware scan and visual inspection for weird files (especially executable ones!)?

Yes, there is a lot of discussion ongoing and through recent years about the failings of signature-based tools and anti-virus apps. But even with their holes, they are still cheap and a basic building block for a security regimen, even if one’s paradigm on security is absolute security with zero holes (yes, lots of people take this stance, even when they don’t realize it!). Ok, so you save money by not protecting your endpoints and contractor systems and so on, but at least scan the internal file servers and actual products you ship!

obfuscate your posts by encoding them differently

Mailing lists, especially popular ones, tend to archive posts on various locations, which of course get indexed in search engines. Ever say things on there you’d rather not care to be searched? For instance, I think we all have had weird hits on our pages by some rather nasty stuff just because we used weird word combinations over the course of 12 paragraphs. Creepy. Well, when you’re talking on mailing lists of technical people, feel free to talk technically. FD has recently been throwing out some encoded playful messages, but the exercise is not all that bad. Anyone worth reading such things should know how to decode base64, for instance…


rambling on security: physical vs ephemeral

Ever see one of those armored cars at the store or local mall that is picking up money? Ever check out those guards? Yeah, the ones that look like they’re 65, can run all of 100 feet before tripping over themselves and being winded. Same with those contracted overnight building security guards who likely can’t speak English beyond “private property.” The guy who picks up our backup tapes every day at work looks like he’s got great grandkids.

So why don’t we get more punk kids knocking over these security guards? I would expect that such brazen attacks would be successful, and there is no more liquid a product as actual monies. I surmise that many such thefts and crimes are easy to commit and even get away with.

Social stigmas of right and wrong are, in my opinion, what stops such actions. It’s also why once you do one theft or murder, you go on to more as you’ve stepped over the line of what is wrong, either for your own moral compass or that of the culture at large.

On the Internet? We lack those sorts of social pressures of right and wrong. Like an old experiment I regularly mention, we act differently when we don’t have personal stake in the situation. Put 50 people into a room and they tend to act normally; with some flirting and conversation. Put 50 people into a completely dark room, and actions take a turn for the naughty. Put 50 people on the Internet and we’re likely to have a far, far lower moral consciousness. This carries through not just sexually, but also in how badly we can treat others, and cybercrime.

So, we have this history of only doing just enough security to get by, and to make people feel better, like those armored car guards. And now we have the social stigma-stripping Internet, paired with a media that will report on every single failure no matter how impossible they are to 100% prevent. That equals a lot of turmoil right now…and we get to swirl around deep in the middle of that maelstrom. Surf’s up!
Likewise, I’m also not surprised at how bad our own coworkers and everyone else is in valuing their cyber security. Tremendous (and even asshole-like) risks are taken daily on the road by multitudes of drivers who clearly know the consequences of those taken risks. And we expect them to visualize and adhere to policies protecting ephemeral risks? Pah.

time stamping log files in powershell

I thought when I previously mentioned PowerShell’s get-date, that I covered how to make dated log files. After seeing this article from TechTarget, I checked and saw I missed it. Here’s how I do it.

new-item -type file -name "$(get-date -uformat '%Y%m%d%H%M%S')-log.log"

This results in a file named 20080125163647-log.log. Specifying a -path will create the file somewhere else. The switches in the -uformat can be further examined with "get-help get-date -full".
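The same naming trick wrapped in a reusable function, as an added example that is not from the original post: it creates the dated file under a chosen directory and appends timestamped lines to it. The function names New-DatedLogFile and Write-DatedLog are this example's own.

```powershell
# Added example (not the original post's code). Creates a log file named
# <timestamp>-log.log and appends timestamped entries to it.
function New-DatedLogFile {
    param(
        [string]$Path   = '.',          # directory for the log; assumed to exist
        [string]$Suffix = '-log.log'
    )
    $stamp = Get-Date -UFormat '%Y%m%d%H%M%S'   # e.g. 20080125163647
    $file  = Join-Path -Path $Path -ChildPath "$stamp$Suffix"
    # No -Force: if two runs land in the same second, fail loudly instead of
    # silently truncating the earlier run's log.
    New-Item -ItemType File -Path $file -ErrorAction Stop | Out-Null
    return $file
}

function Write-DatedLog {
    param(
        [Parameter(Mandatory)][string]$LogFile,
        [Parameter(Mandatory)][string]$Message
    )
    # ISO-8601 prefix with offset so entries sort and grep cleanly
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'), $Message
    Add-Content -Path $LogFile -Value $line
}

# Usage: one dated log per run, entries appended as the script progresses
$log = New-DatedLogFile -Path $env:TEMP
Write-DatedLog -LogFile $log -Message 'script started'
Write-DatedLog -LogFile $log -Message 'script finished'
Get-Content -Path $log
```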

malware unpacking tutorial videos

I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.

Practical COM code reconstruction with IDA PRO
More advanced unpacking – Part I

universal id thoughts

OpenID is getting more attention this week with Yahoo announcing their use of it. It is getting a little late for predictions, but I’ll throw out a long term prediction that any true SSO of this magnitude will not come out of the US, but rather Europe.

The US does not have a history of cooperation, but rather capitalistic competition. Rather than one “universal” ID, we’ll have 5 of them all competing. If Yahoo adopts OpenID, then Microsoft will use their own and Google will use anothe…oh wait, they already do! We have no hope of having any type of “universal” ID coming out of private industry in the US.

If some universal ID system does appear in the US, it’ll be government-backed, controversial, and take 20+ years to develop. The US is better off adding passwords to the SSN or biometrics or RFID ID/passport cards…

zombie article? well, it won’t die!

Sadly, the article “10 Things Your IT Department Won’t Tell You,” by a wildly brilliant (ugh) Wall Street Journal writer, written last summer, has resurfaced on MSN as one of the most popular news articles of the week in the Tech section. Wonderful. Prominent enough that I heard about this from someone else (my manager).

My initial reaction still holds up, although I will admit one thing. As IT, we need to make sure we listen to the needs of our business users, not just from the perspective of the company dollar, but also the perspective of the employee’s happiness (at least in as much as our company/HR lets us be sensitive to that). Sure, it might be a solution to ban IM and webmail and filter sites, but does that mean the company is fighting a war against culture and social lives? The extreme of that is the RIAA clinging to an old business model. I’m not saying we should capitulate to the users, but we should always make sure we find the right balance for our users and our business.

sysadmin job over in new york

If I lived in NYC, I’d totally jump on applying for this Systems Administrator job over at FogCreek. Even if the job wasn’t for me, I really would like to say I have experienced a company like FogCreek and see, firsthand, what all the quiet hype is about over there. Joel’s blog is one of the very few non-security sites I regularly read.

By the way, in that above job, you’d work with Michael. And it looks like he has a brand new security blog, Michael on Security. Good times! I really like to see a sysadmin who is aware and interested in security. This can help ensure, especially for small business where he likely does everything, that what they do will be done with at least some security in mind!

securely investigate your security alerts

SANS posted about the possibility that attackers could subvert the administrative process, for example being able to inject website URLs into logs which an admin will then investigate and potentially have his box pwned.

I find such avenues of recon and exploitation to be quite viable, especially for non-professional admins (the blog author who blindly follows every referrer link for the ego boost). I also like this idea for profiling administrative practices. Are there admins following up on alerts or log entries?

For myself, I try to be careful with what I view from work when investigating alerts. The last thing I want is to see a scan from an IP, open it in a browser, and be inundated with porn popups. I’d definitely recommend investigating from a Linux VM. At my previous job, our wireless network was physically separated from the main network, and got to the Internet through a generic DSL connection. This is an excellent, non-traceable connection to poke around from. Any tracing would lead back to my DSL provider, and pretty much stop dead there. Paranoid? Sure. But I’d rather keep such things in mind than be a security professional living in ignorance…
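One defender-side habit for the log-injection point above, as an added example that is not from the SANS post or this blog: pull URLs out of log lines and defang them before they reach an analyst, so nothing in the report is clickable by accident. The log lines are constructed for the example, and the function names are this example's own.

```powershell
# Added example (not from the original post). Extracts URLs from log lines
# and rewrites them in the common "defanged" form (hxxp, [.]) so a reviewer
# cannot click through to an attacker-controlled page by accident.
$sampleLog = @(   # constructed sample lines, not a real log
    '2008-01-25 16:36:47 10.0.0.5 GET /index.html 200 "http://example.com/ref"',
    '2008-01-25 16:36:48 10.0.0.7 GET /login 404 "-"',
    '2008-01-25 16:36:49 10.0.0.9 GET /?q=x 200 "https://bad.example/p?x=1"'
)

function ConvertTo-DefangedUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Break the scheme so browsers and mail clients will not linkify it,
    # then bracket every dot (host and path alike) for good measure.
    $u = $Url -replace '^http://', 'hxxp://' -replace '^https://', 'hxxps://'
    return ($u -replace '\.', '[.]')
}

function Get-DefangedUrlsFromLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Match http(s) URLs up to whitespace, quotes or angle brackets
    $pattern = 'https?://[^\s"''<>]+'
    $i = 0
    foreach ($line in $Lines) {
        $i++
        foreach ($m in [regex]::Matches($line, $pattern)) {
            [pscustomobject]@{
                LineNumber = $i
                Defanged   = ConvertTo-DefangedUrl -Url $m.Value
            }
        }
    }
}

# Usage: report only the defanged form; keep the raw log out of the write-up
Get-DefangedUrlsFromLog -Lines $sampleLog | Format-Table -AutoSize
```

Investigate the defanged value from the isolated VM the post describes, never by pasting the raw URL into a work browser.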

pcapdiff compares two packet captures for anomalies

pcapdiff is a python tool that will compare two packet captures (one from the src system and one from the dst system) and highlight suspicious, mangled or possibly injected packets. It requires pcapy and, of course, python. Saw this over on Nate Lawson’s blog in discussing how to detect TCP RSTs, which is apparently being used by Comcast to combat BitTorrent file sharing.

new chanalyzer 3.0 software for wi-spy

Picked up from joat that MetaGeek (makers of the Wi-Spy wireless spectrum analyzer USB device) may be gearing up to release Chanalyzer 3.0 soon. Also, they have a Netstumbler replacement for Windows called Inssider.

As much as my Wi-Spy is a cool little toy, the price is still somewhat high. I got mine back when it was only $99, but now that same device is $199 and the higher quality one with an external antenna is $399. Not sure I can recommend this to anyone but people serious about their wireless spectrum needs. I would suggest it to anyone with a wireless network in their business, however. Cheap price for this sort of tool.