<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>terminal23</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/" />
   <link rel="self" type="application/atom+xml" href="http://www.terminal23.net/atom.xml" />
   <id>tag:,2010:/3</id>
   <updated>2010-07-29T15:15:22Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.34</generator>

<entry>
   <title>skills for work and skills for getting work</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/07/skills_for_work_and_skills_for.html" />
   <id>tag:www.terminal23.net,2010://3.2279</id>
   
   <published>2010-07-29T15:00:42Z</published>
   <updated>2010-07-29T15:15:22Z</updated>
   
   <summary>Chuvakin has a great post over at his blog where he talks about what skills you should be focusing on, such as skills that help land you jobs or skills that help you do jobs. I think I agree with...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Chuvakin has a great post over at his blog where he talks about what skills you should be focusing on, such as <a href="http://chuvakin.blogspot.com/2010/07/skills-for-work-vs-skills-for-getting.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+AntonChuvakinPersonalBlog+%28Anton+Chuvakin+Personal+Blog%29&utm_content=Google+Reader" target="_new">skills that help land you jobs or skills that help you do jobs</a>. I think I agree with all the points made.<br><br>

Getting past an HR filter to land a job is a sort of small-time thing. You can apply for 20 jobs and you just need to get through and hired once. After that, you have, usually, several years to either prove your worth or get booted out for not being able to do the work. The bottom line is you need to be able to do the work.<br><br>

I also believe that the deeper and more versed one becomes with the "skills that help you do your job" the easier it is to demonstrate those skills to someone else. For instance, it might seem hard to demonstrate a web app weakness to a manager...unless you've done it so much you can pretty much spot them on sight (insert some allusion to MagicEye pictures that often take a lot of work to see the first time, but once you get it, you can get it faster and faster).<br><br>

You know you're good with a router or firewall or load balancer when someone throws you a strange question and you figure out some interesting way to do it that wouldn't have been obvious without a few years of experience. That skill might not get you a new job, but it will certainly cement your place in a current job!]]>
      
   </content>
</entry>
<entry>
   <title>possible issues with windows handling lnk files</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/07/possible_issues_with_windows_h.html" />
   <id>tag:www.terminal23.net,2010://3.2265</id>
   
   <published>2010-07-16T16:49:11Z</published>
   <updated>2010-07-16T17:03:12Z</updated>
   
   <summary>Just read (and had to re-read several times) a quick vulnerability announcement over on US-CERT for how Windows handles LNK files. From the sounds of this, all you need to do is view the location of the malicious LNK file...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Just read (and had to re-read several times) a quick vulnerability announcement over on <a href="http://www.kb.cert.org/vuls/id/940193" target="_new">US-CERT for how Windows handles LNK files</a>. From the sounds of this, all you need to do is view the location of the malicious LNK file to have it execute code. It's still not entirely clear if this means viewing the containing folder in Windows Explorer, clicking the LNK file (duh), or something else.<br><br>

This might be interesting, as it is not uncommon for users to mistakenly attempt sending .LNK files via email, rather than attaching the actual target file of their silly shortcut. And LNK files litter corporate network shares...<br><br>

If just viewing the file sitting in a folder is enough to trigger this, it's kinda reminiscent of older issues with Windows Explorer displaying certain files like DLL files on network shares. Just the act of looking in the direction of the file was enough to cause issues!]]>
      
   </content>
</entry>
<entry>
   <title>network diagrams: an underappreciated art</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/07/network_diagrams_an_underappre.html" />
   <id>tag:www.terminal23.net,2010://3.2264</id>
   
   <published>2010-07-12T17:12:40Z</published>
   <updated>2010-07-12T17:20:09Z</updated>
   
   <summary>Why your network diagrams suck (and they do, which is sad because it&apos;s a fundamental IT need): 1. You don&apos;t have any. 2. You pooped them out last week. 3. You tried to put everything on one drawing (VLANs, servers,...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Why your network diagrams suck (and they do, which is sad because it's a fundamental IT need):<br><br>

1. You don't have any.<br><br>

2. You pooped them out last week.<br><br>

3. You tried to put everything on one drawing (VLANs, servers, network gear, port-specific connections, IP addresses, serials, virtualization...).<br><br>

4. You didn't include enough info to answer questions the diagrams are meant to answer.<br><br>

5. You have too many diagrams and they conflict. (Also see next.)<br><br>

6. You don't update them as you make changes (if you update them at all).<br><br>

7. You auto-generate them from some network scan tool or inventory tool, and they just look like ass no matter what you do (or don't say enough to be meaningful).<br><br>

8. They all look and feel completely different because 4 different people maintain their own diagrams for what they control.<br><br>

9. You don't make diagrams from the viewpoint of the intended audience. What works for you won't work for your contractors, auditors, developers, security/compliance, customers.]]>
      
   </content>
</entry>
<entry>
   <title>passive credibility is easy with social networking</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/07/passive_credibility_is_easy_wi.html" />
   <id>tag:www.terminal23.net,2010://3.2263</id>
   
   <published>2010-07-07T22:25:51Z</published>
   <updated>2010-07-07T22:50:16Z</updated>
   
   <summary>Just perused on DarkReading an article about a social networking experiment centered around fake profile &quot;Robin Sage.&quot; I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend with a...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Just perused on DarkReading an <a href="http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225702468" target="_new">article about a social networking experiment centered around fake profile "Robin Sage."</a> I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend with a fake profile is a Big Deal.<br><br>

(Disclaimer: I didn't know about Robin Sage nor have any interaction with this experiment. I'm feeling left out!)<br><br>

There *are* some interesting aspects, and I hope the forthcoming BlackHat USA talk will expound on some of these issues, and leave alone the silly "omg I friended a bot" aspect. This is a lot like saying someone is dumb because they looked down when you pointed and said their shoe is untied.<br><br>

<b>1. People put stupid (and valuable) stuff online.</b> Sure, Facebook and other places may seem like they're private, but really they're not when you don't properly vet friend requests. Once you have more than 50, you simply can't keep them all properly identified and you'll likely start getting into the 2+ degrees of separation; i.e. the friends of your friends, and so on. So putting even your day-to-day boring diary bits out there can be revealing when you're, say, in the military. Hell, you can even get closer to home and post that you're out of town for a weekend, which can lead to a break-in by someone close to you. Or be stalked by someone obsessed with you. Sure, most of the time nothing will happen and certainly few people are truly targets of interested parties trying to piece together information from 1,000s of sources like a nation-state espionage net, but there is still risk in throwing such activities to the digital winds.<br><br>

<b>2. Passive credibility.</b> I think this is far more interesting! If you want to gain some instant "credibility" in social networks, you don't start pestering people when you have 0 followers/friends/connections. You start going after the ones who auto-follow you back. Then target the ones who seem to have so many that there's no way they can closely monitor them all. By then, you'll have plenty of "names" that others will recognize, which can lend some immediate "credibility" for people who superficially check you out. And you can just slowly work from there. This is really all old hat, but effective.<br><br>

Take Ligatt's twitter account, for instance. At least early on, almost all of his followers were celebrities or other accounts that only follow-back out of politeness. He might have 500 followers, but 490 of them were never reading a thing he wrote. Likewise look at some of the #LIGATT infiltrators trying to redeem the company's services through twitter posts. They scream "fake" because of the sub-2 followers/followees.<br><br>

How does a spy not look like a spy? By having a presence in the community and with friends/neighbors such that they appear to be an average citizen. Not some loner curmudgeon who looks over his shoulder constantly and only does yard work at night or only gets visitors who look like they're Russian army castoffs.<br><br>

Not so much these days, but certainly in the earlier decades of the Internet we all had this ability to take on a fake persona and build up a "brand" around it. Back then it was called having an online nick/handle/screenname. Today, we have so many average people using their real names online that seem so very surprised, shocked, that such subterfuge happens! To those of us that have done these things in the past, this is certainly not new or surprising or even that hard.<br><br>

<b>3. Assets.</b> Sure, most people don't have anything to worry about. But plenty of people should be aware of how potentially valuable they may be to foreign agents (foreign being different/opposed to you, whether it be national or corporate). There have been decades of work done on turning assets in the meatspace of espionage, and much of that work is far easier in the online realms. ]]>
      
   </content>
</entry>
<entry>
   <title>securityacts it security e-zine issue 3</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/07/securityacts_it_security_ezine.html" />
   <id>tag:www.terminal23.net,2010://3.2262</id>
   
   <published>2010-07-02T16:25:04Z</published>
   <updated>2010-07-02T16:36:17Z</updated>
   
   <summary>If you&apos;re looking for a new security-related e-zine to read, check out SecurityActs. They just released their third issue (pdf). If you go to their site and want to check the previous two issues, you can fill in fake subscription...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[If you're looking for a new security-related e-zine to read, check out <a href="http://www.securityacts.com/" target="_new">SecurityActs</a>. They just released their <a href="http://www.securityacts.com/securityacts03.pdf" target="_new">third issue (pdf)</a>. If you go to their site and want to check the previous two issues, you can fill in fake subscription info (once you find where to go), or just click <a href="http://www.securityacts.com/securityacts01.pdf" target="_new">first</a>, <a href="http://www.securityacts.com/securityacts02.pdf" target="_new">second</a>.<br><br>

via <a href="http://www.infosecramblings.com/2010/06/22/interesting-information-security-bits-for-06222010/" target="_new">InfosecRamblings</a>.]]>
      
   </content>
</entry>
<entry>
   <title>automated generic aspnet/mssql injection droppers</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/automated_generic_aspnetmssql.html" />
   <id>tag:www.terminal23.net,2010://3.2256</id>
   
   <published>2010-06-21T14:30:18Z</published>
   <updated>2010-06-21T17:18:15Z</updated>
   
   <summary>Earlier this month a wave of IIS/asp.net web sites were popped via SQL injection and started serving out malicious files. Most of the attention was given to the 0day Adobe Flash exploit being used, among other methods. But I&apos;m interested...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Earlier this month a wave of IIS/asp.net web sites were popped via SQL injection and started serving out malicious files. Most of the attention was given to the 0day Adobe Flash exploit being used, among other methods. But I'm interested more in the initial attack (being that my developers code in asp.net). The initial attack was an automated attack to find vulnerable SQL injection targets, poke around enough in the MS-SQL backend to find locations to inject, and then inject page data.<br><br>


The links below give good info to the first half of this wave of attacks: attacking the server/app.<br><br>

<a href="http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html" target="_new">armorize</a><br>
<a href="http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html" target="_new">sucuri</a><br>
<a href="http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html" target="_new">nsmjunkie</a>]]>
      
   </content>
</entry>
<entry>
   <title>metasploitable virtual victim machine</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/metasploitable_virtual_victim.html" />
   <id>tag:www.terminal23.net,2010://3.2255</id>
   
   <published>2010-06-21T14:22:01Z</published>
   <updated>2010-06-21T14:27:49Z</updated>
   
   <summary>The folks at Metasploit have announced the release of Metasploitable, a virtual machine that is pre-built with holes, missing patches, and vulnerable applications which can be used as test targets for Metasploit attacks. Many Metasploit users run their own virtual...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[The folks at Metasploit have announced the release of <a href="http://blog.metasploit.com/2010/05/introducing-metasploitable.html" target="_new">Metasploitable</a>, a virtual machine that is pre-built with holes, missing patches, and vulnerable applications which can be used as test targets for Metasploit attacks. <br><br>

Many Metasploit users run their own virtual labs with various older versions of Windows for easy testing and practice. This is usually time-consuming to set up and maintain, especially when you also include Linux distros.<br><br>

Metasploitable is an Ubuntu build, so it gives many testers a different target to attack than the traditional Windows box missing a few keystone patches.<br><br>

I wouldn't be surprised to see this expanded further and used as the basis of a lab for training purposes...]]>
      
   </content>
</entry>
<entry>
   <title>insecure 26 is available</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/insecure_26_is_available.html" />
   <id>tag:www.terminal23.net,2010://3.2254</id>
   
   <published>2010-06-18T22:10:25Z</published>
   <updated>2010-06-18T22:13:39Z</updated>
   
   <summary>Insecure 26 is available, and as usual, has plenty of interesting articles such as a lengthy one on analyzing Flash content for vulnerabilities....</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[<a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-26.pdf" target="_new">Insecure 26</a> is available, and as usual, has plenty of interesting articles such as a lengthy one on analyzing Flash content for vulnerabilities.



]]>
      
   </content>
</entry>
<entry>
   <title>asp.net application recycling notes</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/aspnet_application_recycling_n.html" />
   <id>tag:www.terminal23.net,2010://3.2251</id>
   
   <published>2010-06-14T19:59:29Z</published>
   <updated>2010-06-14T20:01:19Z</updated>
   
   <summary>I cannot count how many times I get blank stares when I talk to asp.net developers about application domains and recycling (troubling, indeed). This is just a really quick link for myself on some neat information about app recycling....</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[I cannot count how many times I get blank stares when I talk to asp.net developers about application domains and recycling (troubling, indeed). This is just a really quick link for myself on <a href="http://blogs.msdn.com/b/tess/archive/2006/08/02/asp-net-case-study-lost-session-variables-and-appdomain-recycles.aspx" target="_new">some neat information about app recycling</a>.]]>
      
   </content>
</entry>
<entry>
   <title>hakin9 available free this month</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/hakin9_available_free_this_mon.html" />
   <id>tag:www.terminal23.net,2010://3.2250</id>
   
   <published>2010-06-14T19:28:05Z</published>
   <updated>2010-06-14T19:58:57Z</updated>
   
   <summary>Via Bejtlich, I see this month&apos;s copy of Hakin9 is available for free online in pdf format. Heck, you don&apos;t even have to submit any sort of fake registration!...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Via <a href="http://taosecurity.blogspot.com/2010/06/june-2010-hakin9-magazine-published.html" target="_new">Bejtlich</a>, I see this month's copy of Hakin9 is available for <a href="http://hakin9.org/magazine/1112-is-ddos-still-a-threat" target="_new">free online in pdf format</a>. Heck, you don't even have to submit any sort of fake registration!]]>
      
   </content>
</entry>
<entry>
   <title>ncircle on detecting tls legacy renegotiation</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/ncircle_on_detecting_tls_legac.html" />
   <id>tag:www.terminal23.net,2010://3.2249</id>
   
   <published>2010-06-14T19:11:53Z</published>
   <updated>2010-06-14T19:27:49Z</updated>
   
   <summary>Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about Detecting TLS Legacy Session Renegotiation. I think Chris does a good job describing the issue in text form. Check the bottom of the article for...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about <a href="http://blog.ncircle.com/blogs/vert/archives/2010/06/detecting_tls_legacy_session_r.html" target="_new">Detecting TLS Legacy Session Renegotiation</a>. I think Chris does a good job describing the issue in text form. Check the bottom of the article for even more technical details.<br><br>

I expect this to come up a bit more. "Easy" findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report. Kinda like the entries that force us to drop SSLv2 and weaker ciphers because they're, well, weak. Even though the attack itself is exotic and the probability is pretty damn low I'll ever see this in action in my lifetime.<br><br>

The TLS renegotiation thing is a bit more interesting, but you gotta admit it is still a bit exotic and still does require weakness in the app itself (unless the attacker can drop down to a weaker cipher or non-encrypted channels). Sounds like something that should be added to The Middler (if it doesn't do it already). Real attacks would likely need to be tailored to each web app, but I bet there is a universal request that can be made that will throw back an error or something to prove the existence. Should *I* worry about this? No. Should someone working at a place with far higher security interests? Yes. Especially when it can be fixed easily.]]>
      
   </content>
</entry>
<entry>
   <title>the big wheel of disclosure debate keeps on turning</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/the_big_wheel_of_disclosure_de.html" />
   <id>tag:www.terminal23.net,2010://3.2248</id>
   
   <published>2010-06-11T17:45:25Z</published>
   <updated>2010-06-11T17:53:47Z</updated>
   
   <summary>Ahh yesterday&apos;s 0day has predictably re-opened the &quot;going-nowhere&quot; debate on disclosure. I&apos;m pro-full disclosure. I&apos;m not anti-responsible disclosure, though, when appropriate. The bottom-line for me: I&apos;d rather know about the issues and have them exposed so I can deal with...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[Ahh yesterday's 0day has predictably re-opened the "going-nowhere" debate on disclosure. I'm pro-full disclosure. I'm not anti-responsible disclosure, though, when appropriate.<br><br>

The bottom-line for me: I'd rather know about the issues and have them exposed so I can deal with them, than to have them stifled or hidden or the exposure delayed. Disclosure improves our security (responsible or full).<br><br>

(While I am happy to respect responsible disclosure folks their opinions, there isn't really an argument that would change my mind, just like I expect no argument of mine would change their ideas or those of the "no disclosure" camps. It just is as it is. I'm happy with the current state of vulnerability disclosure. Kinda like abortion rights, I think this is one of those areas where staying on the fence is the right choice, versus standing on one side or the other without any real clear, inarguable reasons [short of any bias, like the 'duh' of a vendor preferring anything *but* full disclosure...].) ]]>
      
   </content>
</entry>
<entry>
   <title>windows help center 0day details released</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/windows_help_center_0day_detai.html" />
   <id>tag:www.terminal23.net,2010://3.2247</id>
   
   <published>2010-06-10T20:05:48Z</published>
   <updated>2010-06-10T20:10:22Z</updated>
   
   <summary>If you haven&apos;t yet, I&apos;d suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows&apos; Help Center, code can be executed by anything (I presume) that can...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[If you haven't yet, I'd suggest reading up on the details of <a href="http://seclists.org/fulldisclosure/2010/Jun/205" target="_new">this announcement</a> this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows' Help Center, code can be executed by anything (I presume) that can invoke Help Center.<br><br>

Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down-deal. Honestly, I'd hope effective security folks wouldn't worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessens the impact of sudden discoveries like this. Yeah...in an ideal world, right? :)]]>
      
   </content>
</entry>
<entry>
   <title>and the next wikileaks source will be...?</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/and_the_next_wikileaks_source.html" />
   <id>tag:www.terminal23.net,2010://3.2238</id>
   
   <published>2010-06-09T20:20:24Z</published>
   <updated>2010-06-09T21:00:25Z</updated>
   
   <summary>Liquidmatrix pointed me over to the Wired article on the growing drama between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts... Part I: Dumb Criminals, Smart Criminals Manning came to the attention of the...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[<a href="http://www.liquidmatrix.org/blog/2010/06/07/leaks-and-pitchforks/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Liquidmatrix+%28Liquidmatrix%29&utm_content=Google+Reader" target="new">Liquidmatrix</a> pointed me over to the <a href="http://www.wired.com/threatlevel/2010/06/leak/" target="_new">Wired article on the growing drama</a> between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts...<br><br>

<b>Part I: Dumb Criminals, Smart Criminals</b><br><br>

<blockquote>Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.</blockquote>

I'll start out by not even commenting on the morality of what has transpired in the above article. I'll start elsewhere.<br><br>

There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing 'white collar' types of premeditated (or even random opportunistic) crimes...those are difficult to pursue! They're typified by not being dumb enough to necessarily get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.<br><br>

Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and more likely end up talking about what they've done by making dumb decisions or having dumb associations and misplaced trust.<br><br>

Manning did a dumb thing: <b>he talked to someone.</b> Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.<br><br>

A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.<br><br>

Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?<br><br><br>

<b>Part II: Challenges in Organizational Security</b><br><br>

<blockquote>“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.</blockquote>

I knew before reading the article that I wasn't going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations. <br><br>

The sobering thought on this is...Manning had no real beef with what he was doing. He wasn't getting paid, he didn't seem to have some external motivation. He performed what I consider a crime of opportunity. Thankfully, that's "all" it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.<br><br>

But this is why espionage (both national and corporate) scare me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access into your secret network and information, and leverage that relationship to siphon out information. Or worse, actually perform active sabotage or other planting of access for others. This is why "cyberwar" doesn't scare me as much as rogue insiders, depending on the organization in question.<br><br>

What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.<br><br>

And don't make the mistake of thinking Manning is an outlier. He's just another face in the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.<br><br>

I haven't even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn't* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nonetheless!)<br><br><br>


<b>Part III: Information Just Wants To Be Free</b><br><br>

<blockquote>“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”</blockquote>


Part of the underlying 'hacker ethic' deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form presents the least resistance. <br><br>

Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.<br><br>

Perhaps...<br><br>

But at least think about that when thinking about what should be held secret by a company and what effort may be needed to resist that "tendency toward freedom" with which information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the "Do no evil" mantra, then there shouldn't be many terribly damaging pieces of information (other than patents and trade secrets and the like) in your possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?]]>
      
   </content>
</entry>
<entry>
   <title>adding some new links to follow</title>
   <link rel="alternate" type="text/html" href="http://www.terminal23.net/2010/06/adding_some_new_links_to_follo.html" />
   <id>tag:www.terminal23.net,2010://3.2237</id>
   
   <published>2010-06-09T18:52:56Z</published>
   <updated>2010-06-09T19:09:49Z</updated>
   
   <summary>One thing I don&apos;t do enough is make a mention when I add new (or missed!) sites and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone...</summary>
   <author>
      <name>michael</name>
      
   </author>
         <category term="general" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://www.terminal23.net/">
      <![CDATA[One thing I don't do enough is make a mention when I add new (or missed!) sites and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone else, despite it being a great place to spend a Saturday morning filling up your own RSS feeds with my links.<br><br>

So here are a few new additions to my links and feed reader:<br><br>

<a href="http://www.attackvector.org" target="_new">www.attackvector.org</a><br>
<a href="http://securitythoughts.wordpress.com" target="_new">securitythoughts.wordpress.com</a> (not to be confused with <a href="http://securethoughts.com" target="_new">securethoughts.com</a>)<br>
<a href="http://beechplane.wordpress.com" target="_new">beechplane.wordpress.com</a><br><br>

What are my requirements? Well, for my own personal feeds list, the blog has to add something to me or my knowledge. Honestly, I'm horrible with my feeds right now as I have 1000s of items unread (a few high-traffic feeds boost that up, btw, like the once-amusing "my life is average" feed), so adding more has become a small question-raising thing these days. Kinda like buying a new book. Will I really read it? Will it be worth reading? Will it then be worth keeping around after I have finished? (sectioning off one's time is one of the two big components to what I call actually growing up!)<br><br>

For links on the left side, I tend to add anything that pertains to info security, including personal blogs of people who are in security but don't always talk security. I don't remove much unless it may be a blog that hasn't been updated for 5 years or a site that is simply dead and gone. Other, lower links are things I find interesting or may find interesting to reference in the future.<br><br>

I also don't make a huge list of all the actual "news" sites out there. I try to get the important ones and the basic ones that end up giving me all the news I really need. Adding tons more just ends up with lots of sites all saying and linking to the same things.]]>
      
   </content>
</entry>

</feed>
