.: April 2009 Archives
I like stories of things that work and don't work in security. The SANS Internet Storm Center reported this story of a router hack.
Three concepts stand out pretty loudly here, and are echoed in the lessons-learned part of the story.
1. Monitor for changes! Having a script pull configs and compare them for changes, then raise an alarm, is really small effort for huge gains. This can also work as an internal change management control.
2. Logs are vital.
3. We make mistakes as humans, and we need to assume they will be made and those mistakes will be found by an attacker eventually. Always review devices, configs, settings, logs, scripts, etc. Reviewing this stuff is boring and often reveals nothing, but that one time it does reveal something like an unremoved test account or access, it will save bundles. If that attacker had more time and had simply done more, he may have already captured some data or dug deeper into your network, past the config-protected routers. At least the RANCID script cut this off, but there was still a window of time where the attacker was in control and could have done more.
by michael 04.01.09 at 8:58 AM in /general -
CSO has another article up with a story of a not-quite-data-breach. I apologize for no attribution since I don't recall where I got linked to this from.
While this does drive home code reviews and data access control concepts, it also, to me, drives home another aspect.
I fully agree we need to build things securely and correctly the first time and we need code reviews and less willy-nilly development. And while that is all a great goal to keep in mind, I will always concede that it is neither perfectly, humanly, or economically possible to rely on that paradigm. Kinda like saying our endpoints really do need to be secure, but really, will they ever be satisfactorily secure with non-geek users at the helm?
This is why I will always put so much weight back onto the network as a place to detect and monitor everything else. The company in question should have easily been able to notice outgoing data to their vendor from their webservers (1 terabyte in 6 months!).
Now, they may not have been able to know what was going on since it was wrapped in SSL, but I doubt it would take much effort to get between that and decrypt it anyway, depending on how well it was coded to look for valid certs (chances are, not at all). Or at least start digging into the web servers deeper to see what is going on.
But the fact remains that proper network monitoring can detect bad things like this extruding from an enterprise.
(Likewise, proper network controls like firewalls should also be able to notice or log blocked outgoing 80/443 traffic from the webservers. While some apps do end up needing a hole open to a third-party, it should be a pinhole, not a total allowance. But again, we're ultimately talking network still.)
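As an added illustration of the egress-monitoring point (my own example, not code from the post or from the company it discusses), the following Python aggregates a handful of constructed flow records by web server and external destination and flags any pair whose outbound volume crosses a threshold. The addresses (RFC 5737 documentation ranges), the server inventory, the internal subnet and the threshold are all assumptions; on a real network the records would come from NetFlow, firewall or proxy logs.

```python
"""Flag unusually large outbound transfers from web servers.

Added example, not from the original post. Aggregates constructed flow
records by (source web server, external destination) and reports any
pair whose total outbound bytes exceed a threshold.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_out).
# Three nightly ~1 GB pushes to one external host over 443, one small
# normal request, and one large internal DB transfer that must be ignored.
SAMPLE_FLOWS = [
    ("2009-01-05T02:14:00", "192.0.2.10", "203.0.113.5", 443, 900_000_000),
    ("2009-01-06T02:15:00", "192.0.2.10", "203.0.113.5", 443, 1_100_000_000),
    ("2009-01-06T10:01:00", "192.0.2.10", "198.51.100.7", 80, 250_000),
    ("2009-01-06T10:05:00", "192.0.2.11", "192.0.2.50", 1433, 5_000_000_000),
    ("2009-01-07T02:16:00", "192.0.2.10", "203.0.113.5", 443, 1_000_000_000),
]

INTERNAL_NETS = [ip_network("192.0.2.0/24")]  # assumed server subnet
WEB_SERVERS = {"192.0.2.10", "192.0.2.11"}    # assumed web server inventory


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def aggregate_egress(flows, web_servers=WEB_SERVERS):
    """Sum bytes per (src, dst) for flows from web servers to external hosts."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if src in web_servers and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)


def flag_large_egress(flows, threshold_bytes=1_000_000_000, web_servers=WEB_SERVERS):
    """Return [(src, dst, total_bytes)] for pairs above threshold, largest first."""
    totals = aggregate_egress(flows, web_servers)
    hits = [(s, d, b) for (s, d), b in totals.items() if b > threshold_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in flag_large_egress(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {total / 1e9:.2f} GB outbound")
```

The threshold is deliberately per destination rather than per server: a busy web server legitimately sends gigabytes to thousands of clients, but a single external host receiving a terabyte over six months from one server is exactly the pattern the article describes, and it is only visible once the bytes are summed per peer.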
by michael 04.01.09 at 1:05 PM in /general -
I don't use Digg.com. But I have watched the podcast Diggnation since about the 6th episode (currently 196 episodes). I didn't watch TechTV at all (never once!). But I grew into being a fan of Kevin Rose's from his too-short series The Broken (which dealt pretty much with hacking and I think was the entire inspiration behind things like, oh, Hak5!). I find his story and progress in business to be utterly fascinating. The dotcom bubble burst nearly a decade ago, but people like Kevin (it's poignant that I reference him by first name as if I know him) are the embodiment of this extended surge of tech and web culture and business.
I only just read an Inc magazine article from last November about Kevin, along with a series of 10 questions for him. I find what he does and has done remarkable. Maybe partly because I'm on the fringe of his audience (I don't click ads, I don't read Slashdot, and only infrequently used to read Fark...), or maybe because of his age (born 1977), or maybe because he's just a fellow geek pursuing his passions.
Or really, it might just be because he was the right guy at the right time and place and did the right things. He got into the geek culture with TechTV and did what I think most geeks find fascinating: talked about hacking stuff. This got him a following, and then he leveraged that following along with his technical ability (which we have to admit was not beyond any of us), passion for social media (not beyond any of us), and his ability to interact with people online in a positive way to attract users (not beyond any of us who've been around the nets for 10 years). Anyone who has tried to build a forum or community or site knows that it either takes a solid core following or a lot of extremely involved (and present!) work, let alone the relevant content.
And beyond that, he still maintains an image of the guy you can see at a bar, poke on the shoulder, offer a beer to, and he'll happily accept and be immediately down with any geeky, friendly banter that may occur. As opposed to someone in a tie whom you can't approach without an appointment and would look at you like one of the little people for even thinking he might want to drink a beer. Old media meet new media.
Oh man, was that a man-crush post? At any rate, I wanted to post the article link and just kinda gush for a moment about someone I respect, not because he has tens of thousands of followers, but simply because he's ultra successful as a geek and appears to stay extremely grounded.
by michael 04.01.09 at 4:14 PM in /general - comments(2)
If you work in IT and are not focused solely on the desktop side (systems, network, security, admin, management...) then you really have to be aware of what PCI DSS is and where it may or may not be going. Anton has posted a link to this week's Congressional hearing on PCI along with various links and reactions to it. I suggest at least skimming it to get an idea of what happened, even if it does feel like watching C-SPAN during summer vacation.
Here's a really brief itinerary of what happened in case you want to skip around (heh, and what I sent my boss).
Gov't: Chairwoman Clarke reads a prepared statement
Gov't: Chairman Thompson reads a prepared statement
-recess for about 30-40 minutes-
Gov't: Rita Glavin from DoJ reads statement and answers some questions
Witnesses/Panel statements in order:
PCI Council: Bob Russo
VISA: Joseph Majka
Merchant: Michael Jones (CIO Michael's Stores)
Merchant: Dave Hogan (CIO National Retail Federation)
Followed by questions for the group. (starts with about 22 minutes left)
If nothing else, at least skip out to the final 20 minutes of questions.
by michael 04.02.09 at 5:01 PM in /general -
My company is in an industry that has had to deal with a bit of negative press in the last 8 months or so (the industry, not my company). One thing I learned today in a corporate meeting is that you can decrease media coverage by complicating a topic. That certainly makes sense, and I bet is a strategy they teach in PR school early on (living with a couple PR girls in college didn't rub off I guess!).
But the principle goes beyond just PR and general media coverage. The point is complex topics make for bad news bites, bad readability, bad audience understanding, and bad digestibility.
Kinda sounds like the fight we have to put up for budgets, management presentations, visualization of effectiveness (scorecards!) and...damnit...compliance. Hell, it even relates to security awareness!
by michael 04.03.09 at 3:30 PM in /general -
When I tested for my CISSP a few weeks ago, I was struck by how little information there is about the logistics of the exam itself. The admission information pretty much says, "Dress: Business Casual" and that's about it! Many CISSP books go into some detail in the intro sections, but you never know if they're up-to-date or not. So I wanted to post some info based on my recent experience.
The environment. Get there early and be prepared to put your coat, bags, food along a side or back wall. Turn your cell phones off or turn off all alarms/rings/vibrations! Bring a simple wristwatch if you have one, but there should always be a clock visible. The only things allowed at the desk were pencils, something to drink, your admission papers (which were collected after filling in the first part of the answer sheet), and for women their purse. We had pencils provided for us along with a pencil sharpener, but I would always recommend bringing at least a few of your own just in case. The test is a bubble-sheet test so you need a #2 pencil. You can write all you want on the question booklet.
The admissions doc says the dress is business casual, but at my location there were t-shirts, shorts, etc. I can't imagine proctors would turn anyone away for their dress and indeed none were. So dress comfortably.
The exam. I can't speak about specific topics/questions/answers, but I can talk about general stuff. Unlike almost every practice exam out there, there are no multiple-answer questions. There are very few (I don't recall any!) negative questions (e.g. 'which of the following is NOT...'). There are some scenarios that have more than 1 question regarding it. There are plenty of "best answer" questions.
Feel free to get up and walk around, or get a proctor's attention if you want to go to the bathroom. Only one person was allowed out at any time, and you have to sign out and back in. You can get up and move to the back and have a bite to eat if you need to, or just stretch your legs. I took my test in downtown Minneapolis and we had a nice 8th floor corner office view of the NE part of downtown, so the ability to look up and out for a bit was really nice!
The test is 250 questions, which means you should plan at least 3 hours. This is a lot of sitting, so if you need to, get up to get your blood flowing. If you don't work fast, I think you get a total of 6 hours. Think: 9am to 3pm.
Studying. My really quick suggestion for what to study with: the official CISSP book plus an additional supplement. The official book because, well, it absolutely has all the material! And a second book for something that is far better to read (I used the Stewart, Tittel, Chapple book). I don't suggest practice tests as they often focus on stupid minutiae or awkward question structures. And whenever possible, try to relate or bring home topics to something at your job now, or past jobs. Relevancy makes dry topics far more memorable.
Also, if you want to take the CISSP, there is little reason to not take the CompTIA Security+ cert beforehand. The technical concepts overlap greatly and it is quite a bit cheaper and easier as a sort of warm-up.
by michael 04.04.09 at 3:36 PM in /general - comments(3)
I just wanted to quote an article quick that talks about the US Interior Dept's lack of security despite warnings in the past. This part spoke to network monitoring and being able to see what is leaving a network:
"According to the Department's own analysis, nearly 70% of the network traffic leaving the Department through a single one of its Internet gateways during the month of January 2008 was bound for known hostile countries and the Department lacked the capability to even determine what the traffic was," the report reads.
by michael 04.06.09 at 9:22 AM in /general -
Oh, I mentioned I took the CISSP exam in an earlier post. I neglected to say I passed!
So, what's next? I'm not really sure, but I'm looking forward to something new. I know last year I started the OSCP course right at the same time a coworker left the organization which swamped me for about 8 months. Needless to say, I didn't get time at all to dive into it. However, I don't feel at all bad about any wasted money as it goes to the same people who deserve it for maintaining/creating BackTrack. I have absolutely no problem helping them out. But I'd like to tackle it again with some actual devoted time!
Longer-term, I may want to stick with the idea of alternating between hands-on, technical studies with courses that are more about book-study or less technical.
by michael 04.07.09 at 8:17 AM in /general - comments(4)
RSnake (ha.ckers.org) has posted a nice list of purposely vulnerable sites, apps, and other ways to challenge one's hacking skill. I have a small list on the right menu "things to do" section. Maybe someday I'll go through his and transpose them to my menu, but for now a simple single link to his will suffice.
This really just reminds me that there ought to be 36 hours to every day...and I also see some of my links are now defunct. Ick.
by michael 04.07.09 at 2:17 PM in /general -
Details on a 2008 Fedora intrusion. Nope, not necessarily a technical vulnerability but rather a people/key/procedural one, for the most part. And yes, keys without passwords make life breezier, but also riskier.
Also interesting is the timely, and lucky, discovery of the intrusion. It sounds like something like this could have persisted for a while, until whatever discovery/detection/tripwires they have lying around were triggered. Then again, maybe that failed cron job failed because of the actions of the intruder. That almost sounds reasonable considering the near-immediate detection. Maybe the cron does some sanity check...or it was just coincidence that an admin's eye was pulled over to the logs at such a convenient time. :)
Nonetheless, kudos and beers for giving details not just for our own knowledge, but as a sort of lesson-learned-through-others deal.
by michael 04.07.09 at 11:02 PM in /general -
System security belongs to systems admins. The network to the network dudes. And the developers get to reign over the security of the apps they write. But where does something like the .NET framework fall? Sort of in the cracks between system admins and developers. Developers don't write it or manage the code, and systems admins most likely don't know it very well either. (And I'm not even delving into consumer systems, just servers.)
Enter: .NET rootkits.
A .NET rootkit modifies the core framework DLLs from Microsoft (located in the GAC). A .NET rootkit may only be a symptom of a bigger problem: someone already owns your box hard enough to be able to replace framework files. But it might also be something that rogue developers can sneak into a production system. Even a sysadmin may taint something like an image base that other servers are built from.
It is probably a good idea to add some framework DLLs (or all of them) to any tripwire or digital integrity monitoring you have. If they change, an alert gets thrown. Caveat: I have not implemented such measures myself, so I don't know if they change too often naturally. I assume they don't.
Traffic egress should also be monitored. One purpose to rootkit an application is to siphon off its data. It can accumulate on the server (disk usage monitoring!), but ultimately it needs to get somewhere else to be useful to an attacker.
This doesn't stop with .NET frameworks, but really any framework environment, such as Java.
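Both the router post above (pull configs, diff them, alarm on a change) and this one (put the framework DLLs under integrity monitoring) come down to the same control: keep a baseline and compare against it. As an added example in Python, not code from either post or from RANCID or Tripwire, the snippet below records a SHA-256 for every file in a baseline, reports any hash change, and for text files such as a router config also produces a unified diff so the alert says what changed rather than just that something did. The file names and contents are constructed; a real run would read the GAC directory or the config repository from disk.

```python
"""Baseline-and-compare integrity check for configs and framework DLLs.

Added example, not from the original posts. Files are passed in as a
{path: bytes} mapping so the example runs offline; swapping the mapping
for a directory walk is the only change needed for real use.
"""
import difflib
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files):
    """files: {path: bytes}. Returns {path: {"sha256": hex, "text": str or None}}.

    Text is kept for UTF-8 decodable files so a later diff can show the
    change; binaries (DLLs) are hash-only.
    """
    baseline = {}
    for path, data in files.items():
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        baseline[path] = {"sha256": sha256_hex(data), "text": text}
    return baseline


def compare(baseline, current):
    """Return findings as (path, kind, detail), kind in {missing, new, changed}."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing", ""))
            continue
        if path not in baseline:
            findings.append((path, "new", ""))
            continue
        old, data = baseline[path], current[path]
        if sha256_hex(data) == old["sha256"]:
            continue  # unchanged
        if old["text"] is not None:
            diff = "".join(difflib.unified_diff(
                old["text"].splitlines(True),
                data.decode("utf-8", "replace").splitlines(True),
                fromfile=f"{path} (baseline)", tofile=f"{path} (current)"))
            findings.append((path, "changed", diff))
        else:
            findings.append((path, "changed", f"hash now {sha256_hex(data)}"))
    return findings


# Constructed samples: a router config and a stand-in for a framework DLL.
BASELINE_FILES = {
    "rtr1.cfg": b"hostname rtr1\nline vty 0 4\n transport input ssh\n",
    "System.Web.dll": b"MZ\x90\x00" + bytes(range(32)),
}
# Current state: a new privileged account appeared in the config, the DLL
# bytes were altered, and an unexpected second config showed up.
CURRENT_FILES = {
    "rtr1.cfg": b"hostname rtr1\nusername tmpadmin privilege 15 secret PLACEHOLDER\n"
                b"line vty 0 4\n transport input ssh\n",
    "System.Web.dll": b"MZ\x90\x00" + bytes(range(32))[::-1],
    "rtr2.cfg": b"hostname rtr2\n",
}


if __name__ == "__main__":
    for path, kind, detail in compare(take_baseline(BASELINE_FILES), CURRENT_FILES):
        print(f"ALERT {path}: {kind}\n{detail}")
```

Store the baseline somewhere the monitored host cannot write to; an attacker who can replace a framework DLL can also rewrite a baseline that sits beside it, which is the same reason the post's RANCID box should not be one of the routers it watches.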
by michael 04.08.09 at 10:40 AM in /general - comments(1)
If you have a Cisco ASA or Pix around, you might want to think about patching it. Cisco has released information on several vulnerabilities. Particularly interesting are a couple remote DoS attacks and an ACL implicit deny bypass.
The latter is a bit vague and scores low on the Cisco metrics for impact. In some postings I read it as an ACL to get into the device, but in other wordings I get the impression it affects firewall rules for traversing the box. Either way, hopefully you use explicit DENY and don't rely on the implicit one.
by michael 04.08.09 at 4:11 PM in /general -
Gnucitizen has a security buzzword generator available which generates often amusing and often nonsensical buzzword-sounding security phrases. It's a little mean, but I suppose you could test some against anyone and see if they'll admit to not knowing wtf you're talking about.
"Yes, we need to be concerned about Indirect Server Reversing."
"I think our government needs to worry about Extraterrestrial Memory Routing."
"Our solution does provide protection against JavaScript Stalking."
"So, what are you doing about Backend Shellcode Sidejacking?"
by michael 04.09.09 at 9:26 AM in /general - comments(2)
Interested in command line codes? Check out the Command Line Kung Fu blog. I especially dig this ping beep post that will beep for any lost packets.
If you want to hear from the authors and why they made this, check out the first part of Pauldotcom episode 146.
by michael 04.09.09 at 10:29 AM in /general -
When looking for new blogs to follow (or design ideas), I tend to just stumble around the links on other people's blogs. If you're looking for new blogs to follow, the RSA Social Security Awards nomination list (pdf) is an excellent source.
In fact, I had no idea there were that many podcasts out there now!
by michael 04.10.09 at 8:48 AM in /general -
I posted yesterday to patch your ASA boxes. Milw0rm has a reason why.
As the Packetninjas blog says, this is remotely exploitable, requires no authentication, and can even be spoofed.
by michael 04.10.09 at 10:55 AM in /general -
I've long used pookmail as a throw-away email box for various things, mostly just to sign up for downloads or worthless one-time-use accounts. I see they're no longer offering that service.
I know about Mailinator and am using it now, but does anyone know any others? Mostly I just want a couple back-up options.
On a similar note, I should someday get myself a PO Box; one that supports a non-obvious PO Box-like address...
Isn't that funny? Some companies won't ship products to a PO Box, so you have to obfuscate it like 1234 Hickory Lane #9870-B. Same thing happens in the digital world with spoofing and forwarding all the time, or services that obfuscate the originator (PayPal? Mailinator?). Why don't companies just allow shipping to a PO Box? It obviously is a need, even as much as it is abused... Maybe most people don't go through such hoops, I guess.
by michael 04.10.09 at 2:17 PM in /general - comments(3)
Mr. Graham posts about setting up Firefox with Hamster. If you've forgotten what these tools do, they sidejack, i.e. hijack, sniffed http sessions, i.e. cookies.
by michael 04.10.09 at 2:36 PM in /general -
Curious about the Cybersecurity Act of 2009 (US)? You probably should be. There's a soon-to-be-growing series of posts about it by Mr. Smith. There are a few parts that seem a bit out there and I'll be happy when they start getting clarified.
by michael 04.14.09 at 9:14 AM in /general -
These are the kinds of articles I don't like to read. This is about Peerhboy, a terrorist group 'hacker' arrested in India.
The implications I don't like in this article are twofold.
First, this guy got some 'training' and this seems to be implied as bad. Does this mean any 'hacking' or security training will mark you as evil?
Second, the only wireless 'hacking' alluded to in this article is the use of unsecured wireless access points. Yes, a concern, but hardly worthy of eye-catching 'hacking' adventures.
by michael 04.15.09 at 11:31 AM in /general -
Bear with me as I ramble a bit in this post. Something unpolished that I didn't really want to lose. I'll reserve the ability to completely change my opinion!
Which one of these will realistically get us the farthest in security? Choose only one.
- administration: managers/execs/policywriters
- techs in the trenches
- auditors/testers
- secure code/architecture i.e. "build it secure"
Yes, the best answer is clearly a combination of all of the above.
But for the sake of argument, let's say you can only pick one horse to put your money behind. Which one gives you the most realistic chance?
- administration: managers/execs/policywriters - This is your typical layer where policies get written, strategies formulated, and employees managed. To me, this is a necessary layer, but alone they don't do a whole lot without the support of everyone else, much like a policy with no enforcement. There is also the devil of being too abstracted from the real goings-on to be effective, or to live in the correct reality. Do they say security is working but have really no way to back that up? This isn't always the case, but it is the devil they must battle. And that's assuming their employees are even following the decrees made... A good aspect on this might be the guys who manage appliances on a broad level to create statistics or whatnot. But do we really want to lean heavily on Big Boxes?
- techs in the trenches - This is where I'd put my money. The people on the ground and in the trenches. Sure, they may have some weaknesses like enforcing security with no real policy or guidance, or a lack of focus, but to me they're the ones who will always do the implementations, detections, and investigations. These would be the guys and gals who, if you gave them 8 hours a day to "do security" and left them in a room, they'd implement all sorts of wild things that can be extremely effective. If you get them even slightly working with the rest of business rather than just in their caves, they can be a real force.
- auditors/testers - This is your group of people who both point out all the wrong things you do, but also hopefully point out how you can do things correctly. A powerful group, but I think they ultimately rely on finger-pointing and may not, directly, actually get anything done. Given a high degree of intelligence and knowledge, though, and those rare individuals are exceedingly valuable. On the testing side, their research and automation are hideously valuable.
- secure code/architecture i.e. "build it secure" - This is a great approach, but I think the "realistic" part really kills this. I've talked about the caveats in this group before (and can't find the post[s]), so I won't get into detail. But if technology didn't change and economics shifted to value security, this could be a powerful group. Sadly, while important, I wouldn't bet on it as my horse because it just isn't realistic alone. Technology changes faster than we can learn it enough to secure it properly upon creation; economics pushes function before security; etc.
by michael 04.15.09 at 2:16 PM in /general - comments(2)
I've read but really didn't digest that Twitter use has exploded this year. It was only maybe half a year ago when the most-followed people on Twitter were all excited about 40,000 followers. Now celebrities are topping 300,000 with ease! That's crazy.
What's interesting is how this may change culture a bit. On one hand, all of us norms get to see all the silly crap that celebrities think they want to tweet about (and misspell!). Kinda like what will be known as the Kevin Rose effect: it will make celebrities be much more down-to-earth, almost like you know them.
On the other hand, they lose more privacy indirectly as well, such as checking out the few privileged people your favorite celebs are following, some of whom may be unaccustomed to the attention, etc. Not to mention vulnerable to social attacks.
by michael 04.16.09 at 6:24 PM in /general -
Read some concepts lately that I wanted to remind myself about, and don't really want to bother figuring out where I first saw them.
Time-to-penetrate. Locks are rated by how long they take to fall to an expert. How long will your network/security last? To drive-by scripts/kids/worms? To experts?
Increasing attacker's costs. I read about border security between the US and Mexico and how border authorities want to make it more expensive for drug cartels to get drugs over the border. Not stop it, but make it more difficult/expensive. If you rightly believe in the inevitability of insecurity, then you really want to keep the bar raised as far as possible (this is an argument that can formulate a defense to 'security through obscurity,' in moderation).
by michael 04.17.09 at 2:08 PM in /general - comments(1)
You have 100 zombies beating against your door. There is a chance one of them will beat his fists in the right spot to either smash a hinge or bump the handle in a way that the door springs open.
Your buddy across the street has only 5 zombies beating on his door, but is in the same predicament: they have a chance to smash a hinge or bump the handle.
Which door would you rather be behind?
If you choose the one with 5 zombies, then I'd say that is a less risky situation entirely because there are fewer zombies beating on the door.
If you move your SSH server from default port 22 to some obscure port like 38724, I can predict you will have fewer zombies beating on the door of your SSH server. You've lowered your risk. You've increased your security (depending on your definition of security).
(Obviously, I'm yet again annoyed at the insistence by some that there is no value in security through obscurity. Those people are confusing "security only through obscurity" as being the same as "no security value in obscurity." I think most people say they like "security through obscurity" as an additive value to an overall posture. Not as the only measure.)
by michael 04.21.09 at 9:57 AM in /general - comments(1)
For every annoying idiot or asshole on the net tubes, there are still swaths of users on various sites who have a great sense of humor and demonstrate this on forums and news comments.
My best laugh so far today was seeing that email used to be very scary. While the picture and caption itself are fun enough to pass on, it is the comments that made my day. Things like:
so since he doesn't have a computer that email flails around the office like an angry ghost that is trapped between worlds?
by michael 04.21.09 at 10:38 AM in /general -
Human nature is silly, isn't it? Too many companies do next to nothing about security until they're burned by it. And I read today that a Congresswoman who used to be a staunch supporter of warrantless wiretapping has changed her tune after being the subject of a wiretapping herself. Go fucking figure. Way to demonstrate that you've not really thought through the subject over the last several years. Of course, she'll blame those who did it by insinuating they should be held to higher standards and this was an obvious mistake... (which only strengthens my disdain...)
I'm really restraining myself here as this topic of personal responsibility, empathy, and forward-thinking is something I feel especially strongly about.
by michael 04.22.09 at 8:45 AM in /general - comments(1)
I had not heard of OAuth before reading a post today on LiquidMatrix about an OAuth vulnerability, found right after a pretty large round of exposure from Twitter adoption.
A big vuln and the pulling back of support is a big deal, but I'd just like to point to OAuth's own explanation of the security bug.
This article discussing the details of the bug is excellent (especially given a very confusing bug). It gives detail, it remains honest and open, it demonstrates understanding of the issue. I wish all vendors, closed and open, would be more like this. Yes, fine, it makes the sales and marketing teams feel squeamish, but this sort of open cultural attitude is going to make a difference. Maybe not today, maybe not even in ten years, but someday it will be necessary as the world grows up into technology and efficient information-sharing.
So, regardless of what I think about OAuth or the vuln, props for a great disclosure discussion.
Update 1:37pm: So I saw this Google Group posting, and I have to shake my head and think, "Really? Did you just try to say this? Fail." The statement, "Please do not speculate or publicly discuss the actual details of this or other threats." Hopefully someone smacks his hand and tells him not to try that tack again.
by michael 04.23.09 at 8:46 AM in /general -
Getting a list of servers can be a pretty valuable first task for working with large numbers of computers. Yesterday I had a reason to get a list of them all, and thankfully all of my servers are in the same OU tree in AD (/Machines/Servers). I also see SynJunkie did a similar thing this week, but I prefer not to use third-party cmdlets. :)
# Bind to the OU that holds all of the server objects (LDAP path is for my domain)
$blagh = [ADSI]"LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $blagh
# Only computer objects; SearchScope defaults to Subtree, so child OUs are included
$objSearcher.Filter = "(objectCategory=computer)"
# Attributes to return. Add() returns an index, so cast to [void] to keep it out of the output
$PropList = "name","cn","lastlogon"
foreach ($i in $PropList){[void]$objSearcher.PropertiesToLoad.Add($i)}
$Results = $objSearcher.FindAll()
Write-Host "found $($Results.Count) servers"
$Results
What this does is look for all computer objects under Machines/Servers in my domain my.domain.com. For all computers that it finds, it pulls out the name, cn, and lastlogon properties.
To find a list of all the properties that can be pulled out, after the above script do this:
$Results[0].Properties
Based on the properties I pulled, it should be obvious I was looking for signs of dead computer accounts. This can easily be changed to look for user accounts, properties in them, and other OUs.
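As an added example (not from the post), here is what the lastlogon values the script pulls back actually look like and how to turn them into a stale-account list. I have written it in Python rather than PowerShell so it runs anywhere without a domain; the records are constructed to mimic the shape of $Results[n].Properties, and the 90-day cutoff and the fixed "now" are assumptions.

```python
"""Turn raw lastlogon values into a stale-computer-account report.

Added example, not part of the original post. Active Directory stores
lastlogon as a Windows FILETIME: a 64-bit count of 100-nanosecond
intervals since 1601-01-01 UTC, with 0 meaning "never logged on".
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Convert a FILETIME integer to an aware UTC datetime; 0 (never) -> None."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Fixed "now" (the post's date) so the example is reproducible; an assumption.
NOW = datetime(2009, 4, 24, 11, 25, tzinfo=timezone.utc)

# Constructed records in the shape of $Results[n].Properties (each value is a list).
SAMPLE_RESULTS = [
    {"name": ["WEB01"], "cn": ["WEB01"],
     "lastlogon": [datetime_to_filetime(NOW - timedelta(days=2))]},
    {"name": ["OLDAPP"], "cn": ["OLDAPP"],
     "lastlogon": [datetime_to_filetime(NOW - timedelta(days=120))]},
    {"name": ["NEVERUSED"], "cn": ["NEVERUSED"], "lastlogon": [0]},
]


def stale_accounts(results, now=NOW, max_age_days=90):
    """Return [(name, last_logon_or_None)] for accounts idle longer than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for props in results:
        name = props["name"][0]
        last = filetime_to_datetime(props["lastlogon"][0])
        if last is None or last < cutoff:
            stale.append((name, last))
    return stale


if __name__ == "__main__":
    for name, last in stale_accounts(SAMPLE_RESULTS):
        print(f"{name}: last logon {last.isoformat() if last else 'never'}")
```

One caveat a practitioner will hit: lastlogon is not replicated between domain controllers, so each DC only knows about the logons it handled itself, and querying one DC will make machines that always authenticate elsewhere look dead. The replicated attribute is lastLogonTimestamp (updated lazily, by default only when it is more than 14 days stale), which is the one to put in $PropList if a single query is meant to cover the whole domain.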
by michael 04.24.09 at 11:25 AM in /terminal23 -
It wasn't too long ago that I was musing about EthicalHacker.net's latest challenge dealing with some wireless hijinks.
A similar topic just came up on the SecurityFocus IDS mailing list in regards to PCI 11.1 about wireless IDS. It was mentioned that an option would be to use something like RogueScanner on the wired side to detect wireless devices. I don't know why I hadn't thought of that right away, but yes, you can poll your wired network, gather MAC addresses, and compare them against what they should be. If you see any that are obvious wireless products, you go over and yank it out.
Now, that's great, but keep in mind it is not a foolproof detection. MACs can be changed even on some home consumer wireless routers, firewalls may prevent the polling up front (although a switch MAC table may give more away), extra unmanaged hops can get in the way, and a laptop acting as a router with a second wireless interface may only show up as a regular laptop. But you do get the obvious low-hanging fruit covered.
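An added example (mine, not from the post, the mailing-list thread or RogueScanner) of the wired-side check in Python: parse a MAC table dump, normalise the addresses, and flag both OUIs on a vendor watch list and addresses missing from the asset inventory. The table, the watched OUI and the inventory are constructed placeholders; a real deployment would load the IEEE OUI registry and the CMDB instead.

```python
"""Spot likely consumer wireless gear from a wired-side MAC inventory.

Added example, not from the original post. Handles both Cisco-style
dotted MACs (0011.2233.4455) and colon/dash-separated ones so the same
parser works on switch tables and ARP caches.
"""
import re

# Constructed output resembling a switch MAC table (VLAN, MAC, type, port).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    00:aa:bb:01:02:03 DYNAMIC     Gi0/7
  20    0011.2266.7788    DYNAMIC     Gi0/9
"""

# Placeholder OUI (first three octets) standing in for a consumer AP vendor.
WATCHED_OUIS = {"00:aa:bb": "PlaceholderWifiCo"}

# Assumed asset inventory of authorised wired MACs.
AUTHORISED = {"00:11:22:33:44:55"}

MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.I)


def normalise_mac(raw: str) -> str:
    """Strip separators and return lower-case aa:bb:cc:dd:ee:ff form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return [(vlan, mac, port)] for rows containing a MAC; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        fields = line.split()
        rows.append((fields[0], normalise_mac(m.group(1)), fields[-1]))
    return rows


def find_suspects(rows, watched=WATCHED_OUIS, authorised=AUTHORISED):
    """Return [(mac, port, reason)] for watched-vendor or unknown addresses."""
    findings = []
    for _vlan, mac, port in rows:
        oui = mac[:8]
        if oui in watched:
            findings.append((mac, port, f"OUI belongs to {watched[oui]}"))
        elif mac not in authorised:
            findings.append((mac, port, "not in inventory"))
    return findings


if __name__ == "__main__":
    for mac, port, reason in find_suspects(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"CHECK {port}: {mac} ({reason})")
```

The port is carried through deliberately: the OUI match tells you what kind of box it probably is, but the switch port is what tells you which closet to walk to and yank it from.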
I have wondered if it could be possible to push traffic from the wired network out through the wireless side. A silent AP can stay relatively hidden, but if you can force it to throw something out now and then, it can be picked up.
by michael 04.27.09 at 11:21 AM in /general -
If you haven't patched your Linux systems lately (for instance Ubuntu 8.04/8.10), you might want to do so. HD Moore threw this out on Twitter.
There are seminal vuln-exploit instances that get used as easy attacks in testing, especially your personal labs. Years ago it was LSASS attacks. In recent months, MS06-087 is an easy route. For some Linux flavors, this should be one of the first scripts grabbed to pwn a box and move on.
Update after reading more: You need to be running SCTP on the target box. Yeah, I haven't heard of SCTP either.
by michael 04.28.09 at 11:32 AM in /general -