.: general archive


.: large list of papers at gomor.org
A large list of papers at gomor.org. A huge array of papers from wireless to programming languages to writing buffer overflows to hardware...
.: openWRT for Linksys WRT54G wireless AP
OpenWRT is a Linux firmware for the Linksys WRT54G wireless Router/AP. Not sure I have available hardware that I want to try putting this on, but maybe someday I will have a spare AP to see how this works out. Still, a really cool idea.
.: using Google for easy Web hacking
I've known this for some time, but finally have a good post to link. Tom's Hardware has a review of a Black Hat talk about the dangers and uses of Google in hacking.

I firmly believe that famed Adrian Lamo, the "drifter" hacker who performed his hacks using only a web browser and open cybercafe computers, utilized search engines in smart ways to find vulnerable sites.

You can easily do a search for the title of a web admin interface page and come up with potentially unprotected hits. For instance, I once found an open Linksys WRT54G web interface by typing in some combination of text that is found on the admin web interface. Limit a search for "admin" to a particular domain or company, and you might just find pages that some admin thought were hidden because no pages linked to them and they weren't known, i.e. they thought obscurity was enough security.

Just think, using Google to look up default and running VNC installs open to the public...just connect and 0wn.
.: wireless pen testing papers at secfocus
I've not had a chance to fully appreciate and check through this series of papers about pen testing wireless networks, but I didn't want to lose the link. Reminder to view the printable version to print.

Part 1
Part 2
Part 3
.: series on wireless lan tools
Just placing some links here for some wireless lan tools articles.

part 1
part 2
part 3
part 4
.: tgs tutorials galore
TGS has a nice list of tutorials that I should check out at some point.
.: microsoft port list
I did not know this, but it turns out Microsoft keeps a list of all the ports that various MS services use. This list is available for download as an Excel spreadsheet from the Microsoft site.
.: windows startup locations list
The list is kinda long, so I'll just link to it at Packet Storm.
.: turn off ssdp and upnp
Universal Plug-n-Play has been a nightmare of a vulnerable and useless service running by default on Windows XP systems. Patches have come and gone, but still, this service, coupled with SSDP, is simply useless and volunteers far too much information to prying eyes, readily revealing the OS of a target machine to a hostile probe. Turning off the SSDP Discovery Service in Windows XP also stops the UPnP Device Host service, which depends on it, and this should be part of a base install configuration set. NIST standards include disabling SSDP as part of their XP procedures.
.: the art of war
A translation for The Art of War online. Another book that I should get, but I just don't know which version to pick up... I may just read this one, formulate my own conclusions and gain my own insight from it before picking up a book that expounds on the principles for me.
.: insider threat papers from the .gov
Two papers popped up as mentioned on another site I visit. First, a paper discussing a number of insider security incidents over the past 8 years involving about 26 insiders at financial institutions. Second, a 4-year-old paper from the DoD outlining means of mitigating insider threats.

Snippets shamelessly snagged from the other site in regards to the first paper:

"- Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

- The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

- Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

- Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

- Most of the incidents (83%) were executed physically from within the insider's organization and took place during normal business hours."
.: weplab wireless wep testing
Weplab is a tool that tests the strength of WEP encryption on a wireless network by breaking the encryption. I've not played with it, but it can be useful down the road.
.: tcp/ip illustrated vol. 1
The online book TCP/IP Illustrated Vol 1 is available online. Note that this is an older book dating from 1994, and is also not for the faint of heart as it skips past the high-level view of TCP/IP and actually digs right down into the nuts and bolts that make it work, in conjunction with real-world illustrative examples (hence the book name!). I should read this volume at some point, but maybe not quite yet until I get some more sniffing experience under my belt.
.: rules of thumb for security and defense
Joat posted this, so I'm going to copy it over:

Just keep in mind the general rules of thumb for security:
  • It's not "if" someone is going to break in, it's "when"...
  • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
  • there's no such thing as a secure online system...
  • and adding technology rarely adds security.
The general rules of thumb for countering attacks:
  • Log as much as practical
  • review your logs automatically AND manually
  • employ a consistent backup schedule
  • use your metrics, be able to recognize what's normal and what isn't
  • the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
.: intro to security and much more
This site is basically a paper tackling an Introduction to Security, but it has so many links that it is a very nice little page to keep around and explore the links off of, even if they're known sites and topics. A very nice intro-compilation.
.: quick networking rundown
This article is a very quick-shot laundry list of many network terms and items. The whole presentation makes my head spin because the author goes through each one in bambambambam rhythm, but still a nice little bit to read through in pieces.
.: 180solutions spyware/malware
Stole a bunch of links from another site describing some new spyware that adds some network traffic and unwanted ads on users' desktops and networks. 180Solutions might just hit someone I know at work someday soon.

180Solutions Analysis
Full disclosure at Seclists
Securiteam analysis of 180Solutions trojan
180Solutions : nCase
.: forensic case study article
The Role of Computer Forensics in Stopping Executive Fraud is a very interesting case study article illustrating various forensic concepts and techniques based around what the author says is a very real case study involving corporate fraud.

I found especially interesting some of the actual Linux command lines they used to both wipe and image data.

# dd if=/dev/urandom of=/dev/hda
This overwrites the whole drive with random data; it can and should be repeated a number of times to sanitize a drive. dd is a standard Linux (and Unix) utility.

# dd if=/dev/hda of=/mnt/image.dd
This writes a bit-for-bit image of the drive to a file on another, mounted volume. The image must never be written onto the drive being examined.

# md5sum /dev/hda
Calculates a checksum of the drive. md5sum is a standard Linux utility.

# md5sum /mnt/image.dd
Calculates a checksum of the image; if it matches the checksum of the drive, the image is an exact copy.
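
The same image-then-verify workflow as a script, added here as an example; it is not the article's code or anything from this blog. /dev/hda and /mnt/image.dd are placeholders from the article's layout, and SHA-256 stands in for the md5sum the article used, since MD5 collisions are practical today.

```shell
#!/bin/sh
# Added example, not code from the article or the blog: image a drive with dd,
# hash both the source and the image, and only trust the image when they match.
# /dev/hda and /mnt/image.dd below are placeholders from the article's layout.

# hash_of FILE: print the SHA-256 digest of a file or block device.
# Returns 1 if the file could not be read (e.g. bad sectors, missing path).
hash_of() {
    out=$(sha256sum -- "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# verify_image SOURCE IMAGE: return 0 if both hash the same, 1 if they differ,
# 2 if either could not be read at all.
verify_image() {
    src_hash=$(hash_of "$1") || return 2
    img_hash=$(hash_of "$2") || return 2
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match  $src_hash  $2"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# image_and_verify SOURCE IMAGE: copy SOURCE to IMAGE with dd, then verify it.
# bs=512 is the sector size, so conv=noerror,sync (keep going past a read
# error and zero-fill that sector) never pads the tail of a healthy device.
# If dd did have to zero-fill sectors, hashing the source afterwards fails or
# differs, so the problem is reported rather than silently accepted.
# Caveat: on a regular file whose size is not a multiple of 512 the last block
# is zero-padded and the hashes will differ; use a real device or a 512-aligned file.
image_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 2
    verify_image "$1" "$2"
}

# Usage on the article's layout (the image goes on a separate mounted volume,
# never back onto the evidence drive):
#   image_and_verify /dev/hda /mnt/image.dd && hash_of /mnt/image.dd > /mnt/image.dd.sha256
```

The verification step is the whole point: if the digests differ, the image proves nothing, so the function returns nonzero and prints both hashes instead of carrying on. Record the matching digest alongside the image so anyone can re-check it later.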
.: ten steps to getting into security
Scott,

I read the "Scott's 10 Steps for Becoming a CCIE" article (Sept. 14, 2004), but what about getting into security? I want to get into security, but I don't know where to start. Do you have a list of 10 ways to accomplish the five more marketable security certifications in IT?

-- Alex

Alex,

Getting into security is a rewarding experience, but like other IT fields, it requires a lot of work!

First, I'm not sure which you consider the "five more marketable" of the various security certifications out there. I suppose that would all depend on which specific area of security you want to do work in. Here are a couple certifications to consider:

- CISSP/SSCP -- From ISC2, http://www.isc2.org
- SCNA/SCNP -- From Security Certified Program, http://www.securitycertified.net
- CISA/CISM -- From ISACA, http://www.isaca.org
- GIAC/GSEC Series -- From SANS, http://www.sans.org
- Security+ -- From CompTIA, http://www.comptia.org
- CCSA/CCSA -- From CheckPoint, http://www.checkpoint.com
- CCSP/CCIE Security -- From Cisco Systems, http://www.cisco.com/go/certification
- JNCIA-FWV/JNCIS-FWV -- From Juniper Networks (formerly NetScreen's NCSA/NCSP certifications), http://www.juniper.net/training/certification/netscreen

There are others, but the certs above are the primary ones that I can think of. The marketability of any of them certainly depends on your location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet security, it really isn't a matter of "if" you will be attacked but rather a matter of "when." As a security professional, you need to be thinking in this way, but you also need to balance it with a healthy dose of business sense. Being completely paranoid does make for good security, but it also leads to some decisions that make no sense, business-wise, or do not offer sufficient economic incentive. Therefore, consulting in security is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security certifications are similar to steps in previous guides I've provided in my regular column. Here's how to become a security consultant in 10 simple steps:

1. Give up your social life -- really. If you had one before, you will soon not have one, unless all of your friends like to talk about really esoteric topics and argue on the best way to protect against Internet attacks. But if you have friends like these, ask yourself serious questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of security books and magazines out there, but if you're relying on these for your sole sources of security information, then you're already behind the times. Don't get me wrong -- not that magazines are bad, but you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your market and the businesses in your market. Get a sense of how they think and why. The better you can relate network security to any particular business and demonstrate your business sense (rather than technical paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy. Don't idolize them, but try to think like they do. Attacks that can be anticipated are easier to defend against. You need to know the latest attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband connection from a popular provider. Do not place a firewall at the outer edge of your network. Try to defend against various attacks with your computer alone. Don't keep anything critical on this machine, as it may frequently need to be trashed and recreated. Despite the agony, you will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to get and where to get it is a different story. Check out eBay and used equipment resellers. Depending on which of the certifications you go after, equipment may or may not be necessary, but at some point, you'll need hands-on experience playing with actual equipment to see how things work. No matter how meticulous you are and know your books inside-out, implementing any security product for the first time in real life when a client is watching you, or in response to a security breach, is a really bad idea.

6. Realize that any of the certifications listed above are merely starting points. Each of them is different in focus and detail. Some are technical and some are managerial. Some are vendor-specific and others are broad in scope. Each of them may highlight different areas of your experience or specialties, so one is not necessarily better than the other.

I know people with only the Security+ certification, which keeps them plenty busy at work. On the other hand, I know others with a CISSP as well as some of the more technical certifications who are doing a less-than-stellar job, in my opinion. It largely comes down to your market and how well you can convey your understanding of security to your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help here. Whatever method you use (and believe me, being meticulous in security design and concepts does not have to translate into how you live or organize your personal life), the more structured your approach to security is, the better. The best security design is one of "no more, no less," which gives users the abilities they need to do their jobs without granting them too much access. The more separated things are in your network, the easier it will be to quarantine any bad elements that may invade your system. But don't forget that the best security arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much varied equipment as you can. Performing firewall designs and integration exercises requires a completely different mindset from deploying VPN integrations. Both of these are completely different thinking processes from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or software facing your broadband connection. Watch all the entertaining things people will try to do to you, and to think you aren't even a "popular" target! But research the attacks that come in and be familiar with them. Just when you think you know enough, go back and look again! Things change! Conceptually, there aren't a lot of truly new attacks out there, but every once in a while, something will strike you as being original or creative, at which point, you should take notes. But be careful that you don't emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your progress: your good points and your bad points. Keep separate notes organized on different technologies. Add to them as you learn something new. There are many evolving technologies, and many different areas of theory and technical configuration. The more repetition in writing, analyzing, rewriting, compiling and configuring you do, the better the information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on your own for a while and are cruising through things, try to attend a class. There are many offered throughout the world with some better than others. Make sure to take the time to evaluate the class and its instructor. There is a huge variance in the quality of instructors out there, and the knowledge learned or not learned is often due to factors like this.

The more technical the certification you pursue, the more important taking a class is. There are different classes for the myriad of different certifications out there. A training course, however, should not be the first time you are subjected to a particular set of technologies or concepts. The first time you learn something, you won't know enough to ask questions or assimilate the information yet. After you've been working with a concept for a while, you'll have developed a basic grasp to be able to handle more advanced information. Of course, the quality of instructor you learn under will determine the quality of additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like with many things, the more you know, the more you realize you don't know. Security is a never-ending learning experience. As long as you realize that no matter how bright you are, there is always someone out there who is smarter than you, you'll do just fine.

Enjoy the educational journey and try not to lose yourself too much in the fray. Decide what aspect of security you want to accomplish first, and then narrow your choices from there!

-- Scott

Scott Morris, quadruple CCIE and Uber-Geek can often be seen traveling around the world consulting and delivering CCIE training. For more information on him check out http://www.uber-geek.net or for CCIE training check out http://www.ipexpert.com.
.: tech books for free - networking and security and more
TechBooksForFree has a small list of free e-books online.
.: sql injections
A beginner's article on explaining and performing some SQL Injections on web apps.
.: cissp quiz and video tutorials
This site has a large program containing a small CISSP quiz set and some really cool entry/intermediate-level video tutorials on using some popular and not-as-popular scanning and penetration tools. The videos are free, and some of the tools are linked off the site. The videos use the "tscc" TechSmith Camtasia codec, so that might need to be downloaded.
.: cissp training webcasts
Shon Harris is featured in a full series of CISSP training webcasts on SearchSecurity.com. These are free; although you have to supply information to start the webcast, there is no requirement that the information be legit. Seems to work better in IE than Firefox. Webcasts are about 60 minutes each.
.: wep cracking
A SecurityFocus article on cracking WEP and other inherent issues with wireless. Includes a lot of nice tools and the links to those tools at the bottom.
.: Maturing of the Internet: Of Spam and Spyware
Now the 50-year-old Seemayer is once again on the cutting edge: Sick of spam clogging his in-box and spyware and viruses crashing his system, Seemayer yanked out his high-speed connection.

"I'm not going to pay for something that I can't use," he said.

A small but growing number of frustrated computer owners are coming to the same conclusion. They're giving up or cutting back their use of the Internet, especially at home, where no corporate tech support team will ride to their rescue.

Article is here

About 4 years ago the IT community hit a glut of new IT folk, many of whom didn't know what they were doing, as exponentially proliferating computers and broadband made a "computer expert" out of thousands and thousands of casual computer users every month. Now, the point of this article rings a very true note as I know people personally who are online less and their taste for things Internet related has soured, all due to Spam and Spyware. As people have hit the net in droves, so too have the vultures and the advertisers followed. Unfortunately, Microsoft's products (namely IE) were not engineered for such scales of economy...the holes were too big, and it only took time and a large enough marketplace for those holes to become so big and pervasively exploited that it is starting to backlash and drive people out of the niche.

I guess on the one hand it is good to see this trend, because it just means people like me are that much more practical today. Where once was a geek that could help out now and then, people like me will soon become as necessary as white blood cells protecting a biological body. Fallout like this also scrapes off the chaff of the IT sector, leaving a heartier and overall better-skilled workforce to forge ahead into this maturing medium.

This backlash can only be temporary. The Internet is far too powerful a tool and even an integral component of life, especially for younger people. This won't last, but is just part of the growing phases... The Internet as a means of communicating, expression, information gathering and sharing, expanding marketplaces... There are times when people take a step back from consumerism and all the gadgets and toys of life, and some of them get back to being simpler, being happy in simplifying. But sometimes, some tools are just too life-changing, world-altering, that they can't just be dropped in the name of simplification...much like the steam engine, cars, airplanes, telephones.

...
There is a group at Best Buy called the Geek Squad who are available to help consumers with their computer questions and problems. However, I think there is still a very strong market for someone much more specialized: security persons. I think people can work their way into putting together printers and home networks by utilizing corporate support through vendors. However, there are few ways to "learn" how to deal with spam, spyware, adware, viruses, and malicious users/worms bouncing digital flak at their always-on broadband connections. There are few ways for people to pull themselves up out of the clutches of all this garbage and still be productive and efficient with their time and investments online. Getting a printer online is one thing, but confidently securing a home network and family is another.

.: analysis of an intrusion
This article details the tools used and the conclusions drawn from an intrusion into a system the author administers. Just nice to see tools and analysis in action.
.: Sed quis custodiet ipsos custodes?

Sed quis custodiet ipsos custodes? (But who will guard the guards themselves?)

.: Prolexic, zombienets, resources
Read an amazing article about defeating DDoS attacks. The main subject of the story went on to found Prolexic, a DDoS protection company which hosts a nice page of information about zombies and DDoS found here.
.: an old posting of various tools for search benefits

Ignore this post. I made the mistake of taking some old Blosxom postings and losing their publish date. So here is the data posted at an arbitrary date of Jan 1, 2006.

apprecon

AppRecon is a little Java tool that sends out discovery broadcast packets and then listens for any returns, which indicate those apps are present. Of note, currently returns back SQL Server, Symantec pcAnywhere, and Symantec Corporate Antivirus apps. Really pretty cool.

application protocol sniffing tools (msn, icq, aim...)

NextSecurity has a bunch of small tools (some freeware, most trial) to sniff various passwords and conversations on IM programs and other specialized stuff.

binary to text exe scanner

This really small and simple tool will take any .exe (installation or executable file I think), and convert the binary into words that make some sense. Again, not sure what this might do for me, but might be useful in forensics when analyzing what an unknown executable file is trying to do, or maybe better identify it. Still..might be useful to play with.


dns: bind leading the bind

This is an excellent online resource for links to BIND, which is the #1 tool on the Internet for DNS services.


chaos and clustering?

CHAOS is a tool to simplify creating a processing cluster. And a nice tutorial for using this cluster to work on password cracking. The tool sounds bootable and quite automatic, which could be pretty cool and a nice option instead of rainbow tables or just plain brute forcing or guessing passwords.


crowbar - web site brute forcer

Crowbar sounds like a web site brute forcer that should be worth a shot. This was supposedly either presented or at least mentioned at Defcon this year.


cygwin

I can't believe I don't have a link to it yet, but here is my entry for Cygwin, a more powerful shell alternative to the cmd prompt in Windows.


darwinports

Darwinports is an opensource project mostly for Mac OS X that, well, I'm not sure what it does without seeing it in action, but I had a strong recommendation for it that I didn't want to lose.


default password list link

This site has an updated list of default passwords for a variety of devices.


dsniff

Dsniff is a collection of network auditing tools: "dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI."


eagleeyeos: lock and log removable storage devices

EagleEyeOS will lock and log removable storage devices. The logging sounds like the really cool part to me...


eeye resources and tools

eEye Digital Security has a number of useful tools and scanners on their site, for free use. They include a lot of tools to scan smaller networks for specific worm or exploit vulnerabilities. Most notably, though, is nmapNT, an NT port for the *nix nmap tool.


etherpeek

Need to check out Etherpeek at some point too. Saw it mentioned on a mailing list as a recommended means to monitoring network traffic of some sort. I suspect it is similar to etherape and ethereal.


health check tool for exchange implementations

This tool for checking the health of an Exchange setup might be useful in the not-so-distant future.


firewalking: testing firewalls

There are a number of tools to test a firewall from the outside, mapping which ports its rule set lets through; the technique is called "firewalking."


isic


hping / hping2


Update: And here is a tutorial on hping2.


fuzzing tools

If I ever want to get into fuzzing, that site is one of the places I'd start.


getting started with snort

This might be getting dated, but may help me someday when I get off my oinker and start looking into implementing snort full-time on my networks.


harpy - http constructor

Web site has an online HTTP constructor called HArPy. With it you can construct and send your own HTTP strings. Kinda fun to play with this and understand how web servers reply and how they log and/or block requests.


honeytrap and nepenthes

Honeytrap is a cool tool that will open a port (or ports) on your system and capture whatever tries to connect to it. It does some low-level emulation of services, but mainly it is there to capture attacks against unknown vulnerabilities.


This is in contrast to nepenthes which will trigger on and capture only known vulnerabilities and exploits.


Now, neither of these tools runs natively on Windows, although one can attempt to compile them. But there is an older post I made here for Windows port listeners which really is much the same thing, especially if I can find one that emulates known ports as opposed to just opening a port and listening for anything.


host integrity checkers

There are really not that many truly gifted host integrity checkers out there. I remember at my last job we actually had no real digital integrity processes and got minorly dinged on that whole section on a security assessment review. I looked into the topic a bit back then and realized there's just really not that much out there. Sure you can make cases for rootkit sniffers and even anti-virus and filemon, but if you want to remain honest with yourself, these don't really count.


Here is a round-up of a bunch of integrity scanners (written and conducted by the author of one of the scanners). It might be a bit biased and dated (~2002) but still gives good info.


Samhain and Osiris are two very popular host integrity checkers (after, of course, Tripwire). They are so note-worthy that Syngress has a book out just for them: Host Integrity Monitoring Using Osiris and Samhain. AIDE is another tool I've heard good things about, but have not tried. Osiris can run on Windows as can Samhain when coupled with Cygwin.


update: an AIDE article - File Alteration Monitor (FAM) for nix - diff commands for Windows scripting
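
As an added example, and not code from Tripwire, AIDE, Samhain, Osiris or any of the linked articles, here is the core of what a host integrity checker actually does, in plain shell: record a baseline of file hashes once, then later report what was added, modified or removed. The real tools also record owner, mode, mtime and inode, sign the database and run as a daemon; this only shows the mechanism. The directory and database paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from Tripwire, AIDE, Samhain, Osiris or the linked
# articles: the core of a host integrity checker. A baseline of SHA-256 hashes
# is recorded once and later scans are diffed against it. Keep the baseline
# database somewhere the monitored host cannot write (read-only media, another
# host); otherwise an intruder simply regenerates it after changing files.

# fim_scan DIR: print "hash  relative/path" for every regular file under DIR,
# sorted so two scans of the same tree are directly comparable.
fim_scan() {
    ( cd "$1" || exit 1
      find . -type f | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum -- "$f"; done )
}

# fim_baseline DIR DBFILE: record the current state of DIR into DBFILE.
fim_baseline() {
    fim_scan "$1" > "$2"
}

# fim_check DIR DBFILE: compare DIR against DBFILE. Prints one line per change
# (ADDED, MODIFIED, REMOVED), returns 1 if anything changed and 0 if clean.
fim_check() {
    cur=$(mktemp) || return 2
    fim_scan "$1" > "$cur"
    # awk reads the baseline first, then the current scan. FILENAME (rather than
    # the usual NR==FNR trick) tells them apart, so an empty baseline cannot be
    # mistaken for the second file.
    report=$(awk '
        { h = $1; sub(/^[^ ]+ +/, "") }          # $0 is now the path
        FILENAME == ARGV[1] { base[$0] = h; next }
                            { cur[$0]  = h }
        END {
            for (p in base) if (!(p in cur))   print "REMOVED  " p
            for (p in cur)  if (!(p in base))  print "ADDED    " p
                            else if (cur[p] != base[p]) print "MODIFIED " p
        }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "OK: $1 matches $2"
    return 0
}

# Usage: fim_baseline /etc /mnt/ro/etc.db   (once, on a known-good system)
#        fim_check    /etc /mnt/ro/etc.db   (from cron; nonzero exit = investigate)
```

Two things this makes obvious about why the real tools are worth the effort: an unsigned baseline on the same disk is only as trustworthy as the host, and hashing content alone misses a permission or ownership change that leaves the bytes untouched.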

incident response tools

Just like a security or hacking event, incident response is something that *will* happen someday. This is just a pointer for me to a quick rundown of some kickass IR tools that I should become familiar with at some point.


inctrl5

Inctrl5 is an older tool developed by persons at or for PC Magazine to review software. A lot of people like me are curious about binaries they receive and how to see if they can be trusted (or to reverse engineer protections, limitations, etc) by using tools like Filemon and Regmon to see what changes the program is making. This can be time-consuming and error-prone as these tools capture a lot of stuff. Inctrl5 gets around most of the issues by taking snapshots of the registry and file system before and after an executable is run. This gives you a delta of your system and the ability to see what really changed and where. Pretty darn cool for a magazine tool!


installwatch and installrite

I'm not sure if I'll ever get a chance to drive these tools around, but InstallWatch will watch and report everything that a particular file does when installing. InstallRite is InstallWatch plus the ability to clone applications to distribute them, as an alternative to disk imaging. Not sure what that all entails, but might be useful.


networking monitoring with intellimonitor

Intellimonitor is an agentless network monitoring solution. This is a commercial app, but might just be worth the trial and purchase in a corporate environment.


leak prevention test tool

I have not tested it yet, but this open source Leak Prevention Test tool supposedly tests for information leaks on a system. Not even sure how it does that, but wanted to record this link down.


tips to securing linux-based ssh

I've done a lot on here about Windows SSH, but not a whole lot with a purely Linux SSH build. Here are some tips to securing SSH on Linux.
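
An added example of my own, not the linked article's tips: a check of a few sshd_config settings that reads the file the way sshd does. The first value of a keyword wins (so a hardening line appended at the end does nothing), comments are dropped, and anything under a Match block is conditional and therefore not treated as the global value. Which settings are checked, the defaults assumed for unset ones, and the sample configs in the test are my choices.

```shell
#!/bin/sh
# Added example, not from the linked article: audit a few sshd_config settings
# using sshd's own parsing rules. The checks and defaults are my choice.

# sshd_setting FILE KEYWORD: print the effective global value of KEYWORD, or
# nothing if it is unset. Keywords are case-insensitive, '#' starts a comment,
# the FIRST occurrence wins, and everything below a Match block applies only
# to that match, so parsing stops there. "Keyword=value" syntax is not handled.
sshd_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # blank or comment-only line
        tolower($1) == "match" { exit }         # conditional section starts
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: print one FAIL line per weak setting and return the number
# of findings (0 means the file passed). Unset values are judged by the
# defaults sshd shipped with at the time: PermitRootLogin yes and
# PasswordAuthentication yes.
sshd_audit() {
    cfg="$1"; n=0

    v=$(sshd_setting "$cfg" Protocol)
    case "$v" in
        *1*) echo "FAIL Protocol=$v: SSH-1 is enabled, set 'Protocol 2'"; n=$((n + 1)) ;;
    esac

    v=$(sshd_setting "$cfg" PermitRootLogin)
    case "${v:-yes}" in
        yes) echo "FAIL PermitRootLogin=${v:-<unset, default yes>}: set 'PermitRootLogin no'"; n=$((n + 1)) ;;
    esac

    v=$(sshd_setting "$cfg" PasswordAuthentication)
    case "${v:-yes}" in
        yes) echo "FAIL PasswordAuthentication=${v:-<unset, default yes>}: use keys, set 'PasswordAuthentication no'"; n=$((n + 1)) ;;
    esac

    v=$(sshd_setting "$cfg" PermitEmptyPasswords)
    [ "$v" = yes ] && { echo "FAIL PermitEmptyPasswords=yes: set 'PermitEmptyPasswords no'"; n=$((n + 1)); }

    [ "$n" -eq 0 ] && echo "PASS $cfg"
    return "$n"
}

# Usage: sshd_audit /etc/ssh/sshd_config; echo "findings: $?"
```

The unset case is the one people miss: a config that never mentions PermitRootLogin is not neutral, it inherits the default, which in this era was yes, so the audit has to know the default rather than just grep for the keyword.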


lsof

lsof (list open files) is a wonderful little tool for *nix systems.


mosquito framework

Mosquito looks like another exploit framework.


nbaudit - netbios (share) enumeration

The nbaudit tool is a security tool that scans computers using NetBIOS, i.e. those sharing files on the network, and attempts to enumerate the properties of those shares. It is usually associated with enumerating open shares on an NT network. The tool itself is a *nix/*BSD tool.


nessj - nessus client

Nessj looks like an awesome little Nessus client. This could be highly useful for cronies and managers who only want to run Windows and still utilize Nessus reports. I've known far too many of these types of people...


netbios auditing tool

Have not tested it, but the NetBIOS Auditing tool sounds interesting.


offline nt password and registry editor boot disk

The Offline NT Password and Registry Editor is an awesome little tool for recovering NT passwords by booting to a floppy or cd to begin editing passwords and registries, all without needing to boot into full-blown Windows.


From a security standpoint, this makes me nervous as all heck. I need to make a point to enable BIOS Setup password protection and to disable boot-from-cd and boot-from-floppy on all my systems someday. I will just play with this idea for now, just in case there is some reason to keep those settings. I don't want to make such a work-intensive reactionary decision without fully contemplating the consequences of it. I will note though, that I can make all the passwords the same because, honestly, how often do you see the BIOS Setup password exploited, cracked, or in the clear? You don't... :-)


omnipeek personal network analyzer

I had no idea WildPackets' OmniPeek Personal was a free tool until I saw it mentioned on a mailing list. Current version is 4.0 and it looks like a fully featured network analyzer suite. No registration or email is required to download the free version. Hopefully I can try this out and find it to not have any realistic limitations compared to their full-priced professional version.


openvpn

We use OpenVPN at work, so I thought this article on OpenVPN might be helpful and somewhat useful, since I am not the brightest on setting up something like OpenVPN.


paros 3.2.13

Paros 3.2.13 has been released. This is a really good scanner which works on Windows or nix.


pasco2

Pasco2 is an enhanced version of the first tool which analyzes IE history and cache files, a particularly nice tool for any forensics work.


windows permissions identifier

Like the description says, the Windows Permissions Identifier is a nice tool to audit permissions quickly on a server, especially for a penetration test or security audit. However, this is free and as such is not a fully robust management and reporting tool like you might get from ScriptLogic or Quest or BitVise, I believe.


pfprintd

pfprintd is another passive probing tool. This tool sniffs the wire and determines OS based on the packets gathered. It is limited and only analyzes some packets and determines some OS's.


port look-up page

This page allows you to look up port numbers and return back services on those ports. Arguably more useful than a flatfile list.


proactive security auditor aka l0phtcrack

Proactive Security Auditor is a password auditor for Windows, basically an option for those who cannot find a cracked L0phtcrack 5 (widely available, such as at Insecure.org). It attempts to crack passwords, and if a password is cracked too quickly, it is deemed insecure. An interesting baselining tool, perhaps.


promqryui.exe

A promiscuous mode querying tool to find Windows computers with their NICs in promiscuous mode. I don't think I or anyone would have guessed this tool actually comes from Microsoft! And amazingly, I had yet to try it out or test it! PromqryUI.exe sounds pretty fun.


putty - step-by-step

This is a quick little step-by-step tutorial on using PuTTY, an SSH client with port forwarding.


pwdump6 and fgdump updated

A few tools have been updated: pwdump6 (love that page!) and fgdump.


keyloggers - sc-keylog and homekeylogger

HomeKeyLogger is a nice keylogger for an always-on, one-user computer as you can hide it quite nicely and it always runs. FamilyKeyLogger is a commercial product useful for a computer that needs to be booted or has multiple users. The price is amazingly low too, so it is mostly worth it.


However, to step up to the bigs, there is SoftCentral's SC-KeyLog 2.4 app. This tool can obfuscate almost every part of a keylogger other than actually creating it as a service. It can also be packaged into an executable file to be deployed remotely and then email back the log file at specified times. The log file is encrypted and you can't do much about it without the password. A very nice and well-featured tool that can be a part of a penetration toolbox...all one needs is to copy it over and execute with privileges, much like netcat.


Now, if I could only find a free, safe keylogger that installs as a customizably-named service...


reverse dns lookup site

This site will perform a reverse DNS lookup for you, i.e. resolving an IP into a domain name. This might not be very useful, since even Windows includes nslookup, which performs both forward and reverse DNS lookups, but it might be useful someday in a locked-down environment or if an OS does not have an easily-found nslookup tool.


rootkit detection tools

Two tools for detecting rootkits, one free another not as free:


Rootkit Revealer from Sysinternals


Blacklight from F-Secure


Helios (in-action videos too)


rootkit hunter project

This is a quick blurb for rootkit hunter which basically runs a number of digital integrity checks to verify that a system has not been the victim of a rootkit infection. Pretty nice tool in theory, although I have yet to try it out.


rt on windows

RT is an excellent open source (free) tool for any IT shop to track resources and requests. Even better for those not comfortable relying on a Linux solution: it can be installed on Windows.


sam spade on the web

Basically a pointer to Sam Spade.org, a site that hosts hardcore DNS online querying tools.


browser isolation: sandboxie

Application, browser, and even OS virtualization and isolation are becoming the big trends this year. In this vein, SandboxIE is an app that will sit between the OS and Internet Explorer and isolate software from messing with the OS. While this is an interesting concept, I have no clue if this will still work in IE7 and I'll stick with Firefox anyway.


sentinix

Sentinix is a Linux distro that packages all sorts of security-related tools into one package, making for an easy install. I think this may just rock. I need to try it out at work on a spare machine that I want to do basically this same thing with anyway.


windows server service buffer overrun scanner

In the past week, Microsoft released a bunch of new patches, one of which patches a critical vulnerability (buffer overrun) in the Server service.


Not a day later, an exploit was unleashed and the vulnerability itself is wormable. eEye released a scanner to scan small ranges of IPs for vulnerable servers. Nice scanner, and I hope Metasploit incorporates this exploit very soon.


snort 2.2.0 released

Snort 2.2.0 has been released.


Also, here is a Sguil installation guide. Sguil is a GUI interface for Snort to provide alerts and other functionality.


spamassassin

SpamAssassin actually can work on a win32 platform and with any email clients that I use, which means I don't have much excuse for not trying this out at some point on my home network.

speeding up a nessus scan

Nessus can take a while to scan a range of hosts, especially if that range involves a lot of down or unused IPs. This link goes into some detail on how to perform an nmap scan to populate what Nessus will scan, and since nmap does this scan much faster, the overall scan from Nessus takes far less time.
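The step described above, feeding a fast nmap ping sweep into the slower vulnerability scanner, is mostly a matter of parsing nmap's grepable output and keeping only the hosts that answered. The following is an added example, not code from the linked article or from either tool; the sweep output it parses is constructed (TEST-NET addresses, no real scan), and the `nmap -sP -n -oG -` invocation in the comment is the form that produces this format.

```python
"""Turn an nmap ping sweep into a Nessus target list.

Added example, not from the linked article: parses nmap's grepable (-oG)
output and keeps only hosts reported 'Up', so the vulnerability scanner is
pointed at live addresses instead of a whole range of dead ones.
"""
import ipaddress
import re
from typing import List

# Constructed sample of `nmap -sP -n -oG - 192.0.2.0/29` output (TEST-NET-1
# addresses, not a real scan). Comment lines start with '#'; each host line
# reads "Host: <ip> (<name>)<tab>Status: Up|Down".
SAMPLE_GREPABLE = """\
# Nmap 4.20 scan initiated ... as: nmap -sP -n -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Down
Host: 192.0.2.3 ()\tStatus: Up
Host: 192.0.2.4 ()\tStatus: Down
Host: 192.0.2.5 ()\tStatus: Up
# Nmap done at ... -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")


def live_hosts(grepable: str) -> List[str]:
    """Return the addresses reported 'Up', validated and deduplicated,
    in the order nmap listed them."""
    seen = set()
    hosts: List[str] = []
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m or m.group(2) != "Up":
            continue
        ip = m.group(1)
        ipaddress.ip_address(ip)  # raises ValueError on a mangled field
        if ip not in seen:
            seen.add(ip)
            hosts.append(ip)
    return hosts


def nessus_target_list(grepable: str) -> str:
    """Comma-separated form that Nessus accepts as a target specification."""
    return ",".join(live_hosts(grepable))


if __name__ == "__main__":
    # In practice: nmap -sP -n -oG - 192.0.2.0/29 | python this_script.py
    print(nessus_target_list(SAMPLE_GREPABLE))
```

One caveat worth keeping in mind: a ping sweep only finds hosts that answer the probes nmap sends, so anything that silently drops ICMP and the default TCP probes will be left out of the Nessus run entirely. For a network where that matters, feed the whole range to a slower but complete scan rather than trusting the sweep.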


ssh server on windows 2003

Appears to be a paper on installing an SSH server on Windows 2003. There are other tools that don't require Cygwin, but I think this will be a good exercise to go through. I've long wanted my own SSH server here at home for...various reasons.


protected storage passview tool

Protected Storage PassView allows one to see a number of passwords in Windows: Outlook passwords, AutoComplete passwords in IE, Password protected sites in IE, and MSN Explorer passwords. Pretty nice for one of those "other" password revealing tools.


tcpreplay

Tcpreplay is one of those tools I've heard referenced a hell of a lot of times, but still have yet to really utilize it. I need to someday, hence this pointer.


This TCP Tunnel tool forces traffic from an application to a specified proxy server. Looks like just someone's little self-made tool, but worth checking out at some point.


the hacker's choice - hydra, amap tools, more

The Hacker's Choice, aka THC, is a top source for original security tools such as Hydra and Amap and many more. Nice site to browse and try a few things out from. They also have plenty of nice papers too.


firewall probing with ttlscan

This little tool called ttlscan sends a series of TCP SYN packets to ports on a particular server and then returns a report of those packets. By reading the TTL field of the replies, one can tell if the device is forwarding the packet to another server (the TTL will be one less because the reply crossed one extra hop). There is also limited OS fingerprinting available with it.
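The reasoning behind the TTL trick is simple arithmetic once you know the conventional starting values: hosts set the IP TTL to 64, 128 or 255 depending on OS, so hops travelled is the initial value minus what arrives, and a port whose reply crossed one more hop than the host's other ports was answered by a different box behind the firewall. Below is an added example that carries that reasoning out in code; it is not ttlscan's own code, it assumes the scanner has already recorded the TTL of each reply per port, and the per-port sample is constructed.

```python
"""Read the TTLs of SYN-scan replies to spot ports answered by a different box.

Added example, not ttlscan's own code. Assumes a scan has recorded the IP TTL
of each reply (SYN/ACK or RST) per port. Hosts start the TTL at 64, 128 or
255 depending on OS, so hops travelled = initial TTL - observed TTL. A port
whose hop count differs from the host's other ports was answered by something
else behind the firewall, because that reply crossed a different number of
routers. The sample replies below are constructed.
"""
from collections import Counter
from typing import Dict, List

INITIAL_TTLS = (64, 128, 255)

# Rough OS families by conventional initial TTL; a hint, not a fingerprint.
OS_HINT = {64: "Unix-like", 128: "Windows", 255: "network device / Solaris"}


def initial_ttl(observed: int) -> int:
    """Smallest conventional initial TTL at or above the observed value."""
    if not 1 <= observed <= 255:
        raise ValueError(f"impossible TTL {observed}")
    for start in INITIAL_TTLS:
        if observed <= start:
            return start
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def hop_distance(observed: int) -> int:
    """Routers crossed between the replying host and the scanner."""
    return initial_ttl(observed) - observed


def os_hint(observed: int) -> str:
    """Guess the OS family from the inferred initial TTL."""
    return OS_HINT[initial_ttl(observed)]


def forwarded_ports(ttls_by_port: Dict[int, int]) -> List[int]:
    """Ports whose reply crossed a different number of hops than the majority
    of this host's ports did: candidates for firewall port forwarding."""
    distances = {port: hop_distance(ttl) for port, ttl in ttls_by_port.items()}
    baseline, _ = Counter(distances.values()).most_common(1)[0]
    return sorted(port for port, dist in distances.items() if dist != baseline)


# Constructed sample: replies for one scanned address. Ports 22/25/443 came
# back with TTL 58 (64 - 6 hops); port 80 came back with TTL 121 (128 - 7
# hops): one hop further away and a different OS family, i.e. forwarded.
SAMPLE_REPLIES = {22: 58, 25: 58, 443: 58, 80: 121}

if __name__ == "__main__":
    for port in forwarded_ports(SAMPLE_REPLIES):
        ttl = SAMPLE_REPLIES[port]
        print(f"port {port}: {hop_distance(ttl)} hops, {os_hint(ttl)}")
```

Two caveats a practitioner should keep in mind. The "one less" rule only holds when the forwarding device decrements the TTL, as a router or NAT box does; a transparent bridge does not, and a proxy that terminates the TCP connection itself starts a fresh TTL of its own. And a host configured with a non-default initial TTL breaks the 64/128/255 assumption, so compare ports within one scan of one host rather than trusting the absolute hop count.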


txdns digger for windows

Windows gets a tool here, in infant form, for DNS digging. DNS digging is always good to automate, and this looks like it does a nice job of it.


vmware appliance contest winners

VMware recently held a competition to create awesome virtual appliances. Some of the entries look like solid, useful things, especially the winner which looks like a network packet capture analyzer appliance which I'd love to run. Familiarizing myself with VMware player and the ability to slap in an appliance like this could be highly useful.


wapiti

Wapiti is an OS-independent web app vulnerability assessor and fuzzer tool written in python. Whew! I swear, the names of these tools have gone from the vulgar and dark voodoo magic arts (BackOrifice, AOHell...) into the just plain odd. Anyway, looks like a tool worth checking out for doing some web app fuzzing. Definitely does not replace Nikto or something, but can definitely take web app scanning to a new, deep level.


wget for windows

How can one complain about a wget for windows app?


wholockme?

WhoLockMe is a Windows tool to determine what process is locking a file.


winalysis

Winalysis is a tool that just might make life much simpler for the desktop support team, at least in tracking things on our network....and maybe on a few of the more accessible servers in our network. According to the marketing, Winalysis can gather event log files from multiple machines and archive them centrally, can generate alerts based on events, and analyze changes and security vulnerabilities. One thing I am looking for is a way to verify the integrity of system files, basically to ensure the files have not been tampered with, but also a tool that can gather event logs for 100 or so machines, basically put them all together, and flag or send alerts on just a few specific issues such as new user creations, multiple logon failures, admin account logons, etc.


And the tool is amazingly cheap too! And a fully functional trial version! And no client installs! I might just have to try this out and see how it might fit into our whole network management scheme.
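The three alert conditions named above (new user creations, multiple logon failures, admin account logons) are easy to state as rules over centrally collected security events. The following is an added example of that triage logic, not Winalysis code; the event records are constructed stand-ins for logs gathered from several machines, and the admin-account list, the failure threshold and the time window are assumptions chosen for the demo. Event IDs 624, 529 and 528 are the Windows 2000/XP/2003 security-log IDs for account creation, failed logon and successful logon, and 4720, 4625 and 4624 are the Vista-and-later equivalents.

```python
"""Triage security events pulled from many machines and raise a few alerts.

Added example, not Winalysis; the records below are constructed stand-ins
for event-log entries gathered centrally. Event IDs 624/529/528 are the
Windows 2000/XP/2003 security-log IDs for account creation, failed logon and
successful logon; 4720/4625/4624 are the Vista-and-later equivalents. The
admin-account list, the failure threshold and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

ACCOUNT_CREATED = {624, 4720}
LOGON_FAILED = {529, 4625}
LOGON_OK = {528, 4624}
ADMIN_ACCOUNTS = {"administrator", "helpdesk-admin"}   # assumed for the demo
FAIL_THRESHOLD = 5                                      # assumed
FAIL_WINDOW = timedelta(minutes=10)                     # assumed


def triage(events: List[Dict]) -> List[str]:
    """Return alert strings for: any account creation, any successful logon by
    an admin account, and FAIL_THRESHOLD failed logons for one user on one
    host inside FAIL_WINDOW (fired once when the threshold is reached)."""
    alerts: List[str] = []
    recent_failures = defaultdict(list)   # (host, user) -> timestamps in window
    for ev in sorted(events, key=lambda e: e["time"]):
        host, user, ts = ev["host"], ev["user"].lower(), ev["time"]
        if ev["id"] in ACCOUNT_CREATED:
            alerts.append(f"{host}: account {ev['target']} created by {user}")
        elif ev["id"] in LOGON_OK and user in ADMIN_ACCOUNTS:
            alerts.append(f"{host}: admin logon by {user}")
        elif ev["id"] in LOGON_FAILED:
            window = recent_failures[(host, user)]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # age out old failures
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:     # exactly once per burst
                alerts.append(f"{host}: {FAIL_THRESHOLD} failed logons for "
                              f"{user} within {FAIL_WINDOW.seconds // 60} min")
    return alerts


def sample_events() -> List[Dict]:
    """Constructed records from four machines (not real log data)."""
    t0 = datetime(2006, 8, 15, 9, 0)

    def ev(minute: int, host: str, user: str, eid: int, target: str = "") -> Dict:
        return {"time": t0 + timedelta(minutes=minute), "host": host,
                "user": user, "id": eid, "target": target}

    burst = [ev(m, "WS01", "jsmith", 529) for m in range(6)]   # 6 failures in 6 min
    other = [ev(0, "SRV01", "helpdesk-admin", 624, "svc_backup"),
             ev(2, "WS02", "Administrator", 528),
             ev(3, "WS03", "jdoe", 528)]                        # ordinary logon
    slow = [ev(m, "WS04", "bjones", 529) for m in (0, 1, 2, 30, 31)]  # never 5 in 10 min
    return burst + other + slow


if __name__ == "__main__":
    for line in triage(sample_events()):
        print(line)
```

The window logic is the part worth copying: it keeps only the failures inside the last ten minutes per host and user, so a slow trickle of typos over a morning never fires, while a real burst fires exactly once rather than on every additional failure after the threshold.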


windows bootable cd

Linux CDs are nothing new to me, and they're great little tools. I found a few links to a site describing how to create a Windows bootable cd. This would be amazingly useful, and basically totally one-ups the Windows 98 boot cd that I keep in my possession. Of interest, the person who hosts this page is also the one I have bookmarked for anytime I need to create a network-enabled boot disk for Windows when I do imaging.


winpooch

Winpooch is one of those tools for Windows that you never really expect to see. Tools like this tend to be *nix only. Winpooch feels a lot like a mix between a heuristic antivirus app and Tripwire and a host-based firewall. It monitors and can take action based on what programs do against the OS, file system, and network. If a program wants to access the Internet, Winpooch watches it and can block it. If the program wants to write a registry file or drop a file on your computer somewhere, Winpooch can log or block it as well. For those people curious about things like this, or just plain paranoid, this seems like a nice, lightweight tool for monitoring one's system. Best of all, it is open source and fully free (although I truly expect this to be bought up in the future). Has extended integration into ClamWin antivirus too, which I use!

.: wireless probe detection and mac spoofing detection
PolarCove has a number of nice papers on their site, but of particular interest is a paper on wireless LAN discovery tools and wireless MAC spoofing detection. Both papers include exact Ethereal/Wireshark filters to use.
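The papers linked above give display filters; the detection idea behind the MAC-spoofing one can also be run over a capture in code. Every 802.11 data and management frame carries a 12-bit sequence number that the sending station increments by one per frame, so a second radio claiming the same MAC, which keeps its own counter, shows up as large jumps in the sequence seen "from" that address, while a genuine station only wraps at 4095 or skips a little when frames are lost. The following is an added example of that check, not code from the PolarCove papers; the frames are constructed, and the gap tolerance is an assumption.

```python
"""Flag 802.11 MAC spoofing from sequence-number discontinuities.

Added example, not from the PolarCove papers. Each 802.11 frame carries a
12-bit sequence number the sender increments by one per frame. A second radio
using the same source MAC keeps its own counter, so frames "from" that address
show big jumps (forward or backward); a real station only wraps 4095 -> 0 or
skips a few numbers when frames were lost. Frames below are constructed.
"""
from typing import Dict, List, Tuple

SEQ_MODULO = 4096   # 12-bit sequence number
MAX_GAP = 10        # assumed tolerance for lost frames; tune per environment


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance modulo 4096, so the legitimate wrap 4095 -> 0 is 1
    and a backward jump shows up as a large number."""
    return (cur - prev) % SEQ_MODULO


def spoof_suspects(frames: List[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Map each source MAC to the capture indices where its sequence number
    jumped by more than MAX_GAP. frames: (source MAC, sequence number) in
    capture order. Retransmissions repeat a number (gap 0) and are legitimate."""
    last_seq: Dict[str, int] = {}
    suspects: Dict[str, List[int]] = {}
    for idx, (src, seq) in enumerate(frames):
        if src in last_seq and seq_gap(last_seq[src], seq) > MAX_GAP:
            suspects.setdefault(src, []).append(idx)
        last_seq[src] = seq
    return suspects


# Constructed capture: station A (00:11:...) counts 100..104 while station B
# (aa:bb:...) wraps 4094 -> 0 -> 1. At indices 6-7 a second radio sends as A
# with its own counter (2000, 2001); at index 8 the real A resumes at 103.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 100),
    ("aa:bb:cc:dd:ee:ff", 4094),
    ("00:11:22:33:44:55", 101),
    ("aa:bb:cc:dd:ee:ff", 4095),
    ("00:11:22:33:44:55", 102),
    ("aa:bb:cc:dd:ee:ff", 0),      # wrap: gap 1, not flagged
    ("00:11:22:33:44:55", 2000),   # flagged: jump of 1898
    ("00:11:22:33:44:55", 2001),   # gap 1 from the impostor's own frame
    ("00:11:22:33:44:55", 103),    # flagged: real station resumes, gap 2198
    ("aa:bb:cc:dd:ee:ff", 1),
    ("00:11:22:33:44:55", 104),
]

if __name__ == "__main__":
    for mac, where in spoof_suspects(SAMPLE_FRAMES).items():
        print(f"{mac}: sequence jumps at frames {where}")
```

Two alerts for the same address in a short span, as in the sample, is the signature to look for: one radio alone cannot produce a counter that leaps forward and then back. A single jump can also be a station that rebooted, so the check is most useful as a trigger for a closer look at signal strength and timing rather than as proof on its own.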
.: myths about security and passwords
This post is an interesting viewpoint on myths about security and passwords. Most "out-there" is the opinion that changing passwords regularly is now dead and does not enhance security at all.
.: how to bypass bios passwords
I've long kind of had an idea that makers would put backdoor passwords into BIOS implementations, but never really looked into it. Then I happened upon this posting one day which lists a lot of backdoor passwords for various BIOS platforms and versions. Pay particular attention to the mention that some BIOS lock themselves after a few incorrect attempts, so be cautious. I've not tested any of these, but it would be very fun to play with.
.: managing the prefetcher
Not many people realize there is a component to Windows XP called the Prefetcher. Even fewer desktop/system support people realize the significance of it. This prefetcher for Windows keeps a cache of a lot of programs downloaded by Windows, and acts independently of IE. So if you clear your cache in IE, your downloaded files might still be found in the prefetcher. Most people are tipped off to this location only after a piece of malware has been downloaded (automatically or by accident) and a copy was saved in the prefetch area of Windows, generating an AV alert pointing to this location. This short link is a start to managing the prefetcher cache.
.: create own services in windows
Creating services in Windows is one of those frustratingly annoying things that many people would love to do, but is typically difficult to find information on how to do it. In fact, you can't really do it unless you're a programmer or you have some extra tools from Microsoft. I guess this prevents every John Doe Idiot from completely screwing up their computers with crappy service lists. I am happy to have found this quick post on how to create your own services.
.: rrdtool to monitor wireless link
This is an awesome article on how to use RRDTool to monitor a wireless network.
.: external attacks - overview
This is a monster article on external attacks, largely from the point of view of Linux since this was in a Linux magazine. Many books cover this entire spectrum in hundreds of pages, but this article condenses it down nicely, albeit it is really packed with info.
.: malware analysis: attacking the attackers
Malware is an amazing little hobby to have, and these two paper cover malware analysis brilliantly.

part one
part two
.: roguescanner
RogueScanner is a rogue wireless access point detection tool. Pretty cool...and it's free! Also peek at the other free tools available here, Packtyzer (Ethereal front-end, as if there needs to be another one...) and BlueScanner which scans for BlueTooth devices. To be honest, both of the scanner tools are pretty nice for being free tools!
.: cracking wep on windows
Wow, just wow! This is one of the hottest and best links I've seen in a long time. I HAVE to try this out. I've worked on cracking WEP before on my neighbors, but I always had to resort to using a livecd Linux install (since I don't have a permanent Linux box around). Cracking WEP with Windows XP is a huge, detailed, complete article which I am tempted to actually copy/print just to make sure I always have it.

This was found whilst checking out a site I'd not seen before: wardriving.com.
.: netbios null sessions
NetBIOS Null Sessions are elementary and a first stop for anyone performing system recon. They should always be turned off, and this link is a nice reminder of the issues, the dangers, and the fixes.
.: insertion, evasion, and denial of service
The paper, Insertion, Evasion, and Denial of Service: Eluding Intrusion Detection, is the definitive guide to beating IDS and has been the foundation of IDS attacks ever since. I must read this sometime, for historical reasons and more.
.: dns cache snooping
Having just watched Dan Kaminsky's Black Ops of TCP/IP 2005 presentation that he gave at the 22nd Chaos Communications Congress, I have a couple links on dns snooping, which he (in typical Kaminsky fashion) utilized in creative fashions. First, a paper on dns cache snooping. And second, a site on how dns snooping actually works.
.: logparser site and book
I should get the Log Parser book sometime, as it goes over things on this site about the Microsoft logparser tool. This should be useful to use to perform adhoc and maybe some scripted queries against single or groups of logs.
.: defeating a dos attack
Sans has a bit on defeating a DOS attack. They also have a webcast I'd like to check out on the same topic.
.: checkmate forensics blog and links
There is a fairly new blog out called Checkmate that deals with forensics and other things security. Here are some choice pieces to check out so I can catch up:

rainbow tables
timestomp
xp's built-in spyware
userassist
apache and squid logs
.: sql injection examples
A thorough examination of sql injection attacks using examples.
.: anatomy of an attack
A SANS Tool Talk Webcast: Anatomy of an Attack.
.: cracking cached windows domain credentials
Cleaning out some old bookmarks I came across this pretty cool find: a forum tutorial on recovering and then cracking cached domain credentials on a Windows machine. Not only is this tutorial practical to follow and use, but it gives ammunition to anyone who challenges setting Windows cached credentials to 0. Sadly, this butts right up against laptop users who, when they log in at home, need the cached credential to use the system.

For possible future pen-test work that I'd love to do someday, this might be useful to test policy. If I can get my hands on a system or even get a local admin to come over and troubleshoot my system by logging in as himself, I can use that cached credential and crack it. This is exactly why I made sure to let users log in right after I had been logged into their machines to clear the 1 cached credential that I allowed my systems to retain.
.: case of a wireless hack
This is a LinuxExposed article on wireless hacking.
.: open source hotspots
PublicIP.net has open source (read: free!) tools for hotspot operators. Granted, the tools are not *quite* as feature-laden as expensive commercial tools, but I must say this looks pretty darn amazingly useful anyway, especially for small coffeeshops or local hotspots as opposed to the national franchises or hotels or something.
.: airpwn - http injection on 802.11b networks
Airpwn is a quick C tool that can inject http content (and other content) into wireless 802.11b networks. Tested at Defcon12; supposedly the only reliable part of the tool is to replace all http images with an image/redirect of your choosing. Might be interesting to play with on a nix box.

Update: article on using airpwn.
.: illustrated guide to crypto hashes
Illustrated Guide to Cryptographic Hashes
.: hacking the friendly skies
NRMC has posted a presentation delivered at ShmooCon this year on Hacking the Friendly Skies. The presentation starts out like most any discussion on wireless security, but then takes a turn for the sinister by delving into FakeAP attacks. What really makes this presentation excellent are the later reports of just how many systems were found. When you combine Windows XP's affinity for associating to anything that says hello and user affinity for not patching their systems and running a firewall you get some pretty satisfying results. And if you look closely, some of the vulnerable systems were some pretty trusted/important-sounding people. Yikes!
.: information overload

Information Overload. Kind of hard to admit that I am nearing that point, since I completely love learning things and absorbing knowledge. But the IT, techie, world has been doing that to me lately...really kicking my ass. I want to learn so much, catch up on things over the years that I missed because I wasn't a packet geek or into coding as a child (yeah, right!). I have an entire different part of this site dedicated to postings and news and links and tidbits of knowledge that I have happened across in the past few years (I keep these separate because, well, it's just for me). I have a huge list of bookmarks in my web browser that are "pending" things to check out, usually tools, large sites, or long papers that I didn't have time to fully deal with back when I was made aware of them. I have dozens upon dozens of books that are half-started or not yet read...as if just owning them means I can somehow claim the knowledge locked away.

I don't have enough hours in my day, enough days in my life, to learn all this stuff like I want to learn it. That's frustrating beyond belief.

Couple this with my recent soul-searching about my career. I love my career to date and where it is going, but I've had some thoughts that maybe specializing a bit more would be beneficial.

Now that I was working on "that other" part of my site that will remain mysteriously locked away, I have realized that my categorizing of information is almost manic at this point. It is still a mess and I'm not happy with having all this knowledge in front of me and just not having the time to get to it. Maybe I should specialize that too?

It kinda makes sense, but while I am happier to do this with my young career, I'll likely not adopt that quite too soon with my thirst for knowledge...but I certainly need to slow down and instead of blitzing this realm, to sit back, clear off the desk, and focus on a few things at a time and truly enjoy and experience them.

.: attacking a cisco router with snmp/gre
This paper is very advanced using a lot of different skills, but it does demonstrate how to abuse SNMP on a Cisco router to get its configuration file, and then have some fun with Generic Routing Encapsulation (GRE).
.: tips to harden a linux system
There are scripts and various automatic ways of hardening a Linux system, but nothing is more informative and instructive than doing many of the tweaks and settings manually. I liked this post because it really delved into a few of the particulars and exactly what is going on.
.: pictures from cdc2005
Link to pictures of the CDC 2005 event at Iowa State University. The CDC is the CyberDefense Competition held at ISU where teams of students attempt to defend their networks against a team of attackers (usually area professionals) over the course of an entire weekend. The event is reminiscent of Defcon's Capture the Flag, but with a much more instructive mentality. I wish we had this much stuff in this field at ISU back when I was a student! A version of this is also being held annually where high school teams are the defenders and college students are the attackers.
.: cissp study guides
This link I have not tried recently, but I believe these are still free study guides for the CISSP and should still be pretty informative. I read one or two about a year or more ago, and filed away the link for a time when I could more fully pursue the CISSP. I believe these are from Shon Harris and hosted by this site as a sponsor.

Of note, Shon Harris also has CISSP training that you can pay for and attend.
.: chief espionage officer
Want to become a Chief Espionage Officer?
.: using iptables to monitor bandwidth
You can also use iptables to monitor bandwidth.
.: get hired as a pen tester
One of my favorite blogs, Security Monkey (or A Day in the Life of an Information Security Investigator), made a post about how to increase your chances of getting into the lucrative and fun field of penetration testing. The comments are nearly as good as the post itself and I definitely wanted to keep this around.
.: cnn on laptop security
Wow, I never thought I would see an article on CNN.com that had some technical merit! CNN questions laptop security and why exactly is sensitive data finding its way to mobile devices in the first place? Excellent question!
.: the invisible things blog - blue pill / red pill
Blue Pill and Red Pill are part of some new research into hardware abstraction and virtualization where a system can be fully controlled by an attacker if he/she can get an abstraction layer between the OS and the hardware...well, then it's game over. Thankfully, this is not easy and does require physical access. Nonetheless, cutting-edge creativity is quite interesting.
.: email header discussion
Email headers are a simple thing, but when you're in a bind and needing to read one or more, they can sometimes be such an annoyance. This paper is a full-blown discussion on email headers and what they mean. Quite a nice read, to be honest.
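The part of a header that matters most when you are in that bind is the chain of Received: lines: each relay prepends its own, so the top one is the last hop and the bottom one is the first, and you read them bottom-up to trace where a message entered the mail system. The following is an added example of that walk using Python's standard email module, not code from the linked paper; the message is constructed with RFC 5737 documentation addresses, and the hostnames in it are made up.

```python
"""Walk a message's Received: headers to reconstruct its delivery path.

Added example, not from the linked paper. Each relay prepends a Received:
line, so the top one is the final hop and the bottom one the first; reading
them bottom-up gives transit order. The message below is constructed with
RFC 5737 documentation addresses and made-up hostnames.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.com with ESMTP id ABC123;
\tTue, 15 Aug 2006 09:02:11 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id XYZ789;
\tTue, 15 Aug 2006 09:01:58 -0500
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.net with SMTP id Q1W2E3;
\tTue, 15 Aug 2006 09:01:40 -0500
From: someone@example.net
To: you@example.com
Subject: header demo

body text
"""

# "from <claimed name> (<reverse name> [<ip>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Hops in transit order (origin first): the name the sender claimed, the
    IP the receiving server saw, which server received it, and when."""
    msg = message_from_string(raw)
    hops: List[Dict[str, Optional[str]]] = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())          # unfold continuation lines
        m = HOP.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "from_name": m.group(1) if m else None,
            "from_ip": m.group(2) if m else None,
            "by": m.group(3) if m else None,
            "time": stamp,
        })
    return hops


def origin_ip(raw: str) -> Optional[str]:
    """Address that handed the message to the first relay in the chain."""
    hops = received_hops(raw)
    return hops[0]["from_ip"] if hops else None


def timestamps_consistent(raw: str) -> bool:
    """True when each hop's timestamp is no earlier than the previous one;
    a chain that runs backwards in time is a common sign of forged lines."""
    times = [parsedate_to_datetime(h["time"]) for h in received_hops(raw) if h["time"]]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f"{hop['from_name']} [{hop['from_ip']}] -> {hop['by']} at {hop['time']}")
    print("origin:", origin_ip(RAW_MESSAGE), "| times ordered:", timestamps_consistent(RAW_MESSAGE))
```

The trust boundary is the thing to remember while reading the output: only the Received: lines added by servers you control are reliable, because a sender can put arbitrary lines of their own at the bottom of the chain. The timestamp check catches sloppy forgeries, not careful ones.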
.: setting up cisco pix and other networking papers
What pulled my attention here is a couple papers on Setting Up Cisco Pix Firewalls, but in browsing the rest of the site, all of these papers look very interesting.
.: 10 books from information security and 10 from richard bejtlich
Here is a list of Top 10 books as suggested by Information Security magazine.

Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition by William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
This perimeter security text is perfect for serious security professionals. The authors have mastered the art of applying the theoretical to actual working applications; the result is pragmatic advice from some of the finest minds in the field.

Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, George Kurtz
The original edition ushered in a new era of computer security publishing, offering unabashed, technically detailed and fully documented instructions on how to subvert the security of a multitude of systems. Although some scoff at the series, perhaps they just hate to see some of their secrets published.

Applied Cryptography by Bruce Schneier
Any book that the National Security Agency prefers to remain unpublished is bound to make great reading. Anyone doing serious work with cryptography needs a copy. With a comprehensive and excellent explanation of encryption of all kinds, this book is second to none.

Practical Cryptography by Bruce Schneier, Niels Ferguson
Schneier's sequel to Applied Cryptography will help you apply your newfound cryptographic skills successfully and securely. Think of them as volumes one and two of the same book.

Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz
The authors deliver an excellent introduction to a wide variety of computer and network security issues within UNIX.

Security Engineering by Ross Anderson
This book details security design and implementation strategies employed in real-world systems. Although many publishers employ strategies attempting to inflate the page count (and price) of a book, this 600-page masterpiece could only result from the dedication of an extremely knowledgeable veteran of the field.

The Tao of Network Security Monitoring by Richard Bejtlich
"Tao" means "The Way," and that's what this book is: the way to evolve IDS operations. The network security monitoring philosophy is both obvious and completely revolutionary.

The Art of Computer Virus Research and Defense by Peter Szor
Szor's mastery of virus/antivirus technology is unparalleled, and this comprehensive tome is the definitive work on the subject. Although parts are inaccessible to all but experienced assembly language programmers, antivirus is such a critical technology that every professional should read this book, if only to understand the problem.

A Guide to Forensic Testimony by Fred Chris Smith, Rebecca Gurley Bace
As security pros, we stand a higher-than-average chance of being called into court to testify about the results of our investigations. The authors do a good job of explaining the challenges associated with information security cases and how to give the best testimony possible.

Spam Kings by Brian McWilliams This behind-the-scenes account of real-life spammers and spam fighters is a must-read for anyone trying to squelch junk e-mail. There's a freak show in here, but also a lot of good intelligence on the inner workings of the spam kings.


And Richard Bejtlich's Top 10.
.: wireless certifications
I was going to post a nice list of wireless certifications and courses, but this site sums them up better than my list would do. Definitely took in all the ones I had unearthed and more.
.: top 10 infosec skills
Dan Morrill posted a list of his top 10 information security skills to have. I really like this list, and it certainly gives me something to use as a benchmark other than just what appears on my resume or certs I might hold. Considering Dan manages teams like this, he has the best opinion out there, really.
.: cisco pix firewall chapters
Getting started with the Cisco Pix firewall

Pix failover demystified
.: upside-down-ternet
This little trick is not necessarily wireless-only, but awesome nonetheless. Using a proxy and some other tools, one can mess with http traffic to unwanted wireless guests such as turning all images upside-down, instead of just outright denying them access. Pretty cool and fun! Reminds me a lot of airpwn, only this would be a wired version using squid.
.: wireless net security presentation
A nice presentation on wireless security. Pretty nice detail on what is going on.
.: blue security and prolexic knocked off by upstream attack
I have a ton of respect for Prolexic and what they offer to our world. But the spammers and botnets have waged a mini-war against Blue Security and anyone who seems to assist them. But instead of directly attacking Prolexic, a botnet was leveraged against upstream DNS servers for UltraDNS. Wow, just wow. This is the sort of cyberwarfare that is coming or already here where masses of zombied computers are wielded. So far much of this has been individual hackers or groups with personal beefs, but much like phishing and virus attacks, I expect things like this to take a much more organized and sinister turn in the next 4 years.
.: security awareness posters
Sometimes you just need to inject some "security awareness" points into your training program. "Protect Your Workplace" posters from the federal government are an inexpensive and easy way to start.

And search this page for the security calendar.
.: wireless injection: wireless networks suck
This presentation on wireless injection was given in June 2005 at RECON. PowerPoints without the presentation tend to be pretty barren in terms of being able to get the gist of what the speaker is trying to say, but it might be ok to check out someday.
.: the noc water cooler topics
It is interesting to see the trend of what is hot in security and networking and sysadminness. The turn of the millennium brought in virtualization, and a few years ago Metasploit broke onto the scene in a big way. Wireless and mobility have been amazingly hot in the last 6 years as well. And now that web apps are being developed by everyone, web app testing and security is catching up. In all of this, I thought it would be nice to keep track, for my own purposes, of the hot topics at periodic times of the year just to see where things are moving and shaking.

1. web application / layer 7 security / fuzzing - driven by a huge focus in the past 8 months on MS Office vulnerabilities and browser exploits.

2. mobility - driven by laptops being used and lost in the field, prompting a huge number of disclosures of lost information that questionably should not have been outside the corporate/gov't environments anyway.

3. disclosure and identity theft - Just about everyone has been joining the disclosure bandwagon whether they like it or not, from the VA, Deloitte and Touche, and many universities (poor edu's will always have a tough open vs secure battle). This will only get worse and hopefully soon the media stops waving each one that happens.

4. botnets and ddos - Blue Security wanted to beat spammers by spamming them. Instead, Blue Security got DDoSed so hard, they are now out of business and have thrown in the towel. Botnets have been widely reported in the past couple years, but they still seem to grow and remain huge and potent.

5. wireless - wireless is just waiting to blow up, with hotspots getting more common and big companies with secret plans on widespread wireless for the masses. Since wireless is still hugely exploitable and fun to mess with, this is just waiting for a huge backlash and a huge outbreak in personal systems being exploited over wireless. Home users haven't been this vulnerable to being rooted since NAT was hardly used on broadband connections. This is an area that is also just waiting to explode with use and companies and widespread access.

Mentions and tools: Metasploit is still hot and HD Moore is one of the biggest names in security right now; virtualization is still hot; Office and IE are getting hammered with exploits which is keeping Microsoft very busy; LiveCDs are all over the place now, joining the awesome Knoppix (BackTrack owns).
.: using ubuntu to crack wep
Tutorial on how to crack WEP using Ubuntu.
.: metasploit malware search
You can search for malware using Google, right down to infected sites inadvertently sharing out malware code (executables). Damn cool stuff, and damn cool site. Search for "Bagle" for a good example.
.: sans packet challenge
I need to check this out sometime. The packet challenge at SANS is not a regular thing, I think, but could still make for an interesting exercise for me. Bejtlich posted a couple links to answers here and here.
.: infosec training modules / presentations
Not sure on the quality of this content, but this site has some modules up about their training in infosec assurance and assessments. I'll take this down if this proves to be useless fluff.
.: ftester - test your linux firewall
So, when I get around to testing my linux firewall, I can use ftester along with this "how to" guide.
.: reverse engineering khallenge
The folks at F-Secure put up this series of exercises in reverse engineering and called it a khallenge. Sounds like a fun way to get into reverse engineering a bit, someday. If I get stumped, might be able to find some hints around this blog.
.: office metadata and forensics
A post over at SecurityFocus went over Microsoft Office forensics and some things to do to enhance security, most notably privacy. Because Office is so universally used, I've found that many people, techie and non-techie both, want to put their heads in the sand about issues with Office. They just don't want to hear about the issues, even as malicious persons have begun poking at the apps and more and more data is disclosed on the web and search engines.

I've long wanted a concise and listed set of items to check on and change when dealing with metadata in MS Office Word documents. Now I have it!

Update: Here is another link dealing with pesky lingering Office data that shouldn't be there.
.: ntfs alternate data streams
Quite an ingenious, simple little method to hide files on an NTFS disk: alternate data streams. This article on Security Focus makes it look a little more difficult than it is, due to the author going through the effort of describing breaking into a machine to set an ADS on a few hidden files. LNS and LADS are two tools to scan a disk for ADS...although they are certainly not swift in their scans.

Update: An ADS tutorial from STC
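As an added example (my own code, not from the post and not the LNS or LADS tools it mentions), here is a small scanner that does the same job: it walks a directory tree, enumerates every named stream through the Win32 FindFirstStreamW/FindNextStreamW API via ctypes, and filters out the streams Windows itself creates so that only unexpected ones are shown. The benign-stream list is an assumption to extend for your own environment; on a non-Windows host the scanner simply reports nothing, since ADS only exist on NTFS.

```python
"""Scan a directory tree for NTFS alternate data streams (ADS).

Added example, not code from the original post nor from the LNS/LADS tools it
mentions. On Windows it enumerates streams through the Win32
FindFirstStreamW/FindNextStreamW API via ctypes; on other platforms it reports
nothing, because ADS exist only on NTFS.
"""
import ctypes
import os
import sys

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0          # StreamInfoLevel for FindFirstStreamW
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Named streams that Windows itself creates; treat them as noise, not hidden files.
# This set is an assumption for triage; extend it for your environment.
KNOWN_BENIGN_STREAMS = {
    ":Zone.Identifier:$DATA",          # mark-of-the-web on downloaded files
}


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout documented for FindFirstStreamW (StreamSize is a LARGE_INTEGER)."""
    _fields_ = [
        ("StreamSize", ctypes.c_int64),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def is_alternate_stream(stream_name: str) -> bool:
    """Every named stream is 'alternate'; the unnamed default stream is '::$DATA'."""
    return stream_name != "::$DATA"


def list_streams(path: str) -> list:
    """Return [(stream_name, size)] for one file or directory (empty off Windows)."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD,
                                  ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        return []  # no streams at all (plain directories), or access denied
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: enumeration finished
    finally:
        k32.FindClose(handle)
    return streams


def scan_tree(root: str) -> list:
    """Walk `root` and collect every alternate stream as (path, stream, size)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:  # directories can carry streams too
            full = os.path.join(dirpath, name)
            for stream, size in list_streams(full):
                if is_alternate_stream(stream):
                    hits.append((full, stream, size))
    return hits


def triage(hits: list) -> list:
    """Drop well-known benign streams so only the unexpected ones remain."""
    return [h for h in hits if h[1] not in KNOWN_BENIGN_STREAMS]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, stream, size in triage(scan_tree(root)):
        print(f"{path}{stream}\t{size} bytes")
```

Run it as `python ads_scan.py D:\` and every hit prints as `path:stream:$DATA`, which is exactly the name you can pass to `more <` or `Get-Content -Stream` to look at the contents. The triage step matters in practice: Zone.Identifier streams are everywhere on a machine that downloads files, so a scanner that does not filter them buries the one stream you care about.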
.: using alternate non-printing characters in passwords
If one must absolutely use passwords with Windows (not sure why anymore) and not pass phrases, and the password needs to be highly secure, you don't get much better than using non-printable characters. Both of these posts go into detail on using non-printable characters to thwart most password cracking tools.

Microsoft, of course, even weighs in on their password suggestions.
.: rundown of switch features for security
Every now and then the SANS Handler Diary offers up some nice information. They just threw out this list of switch features that many people never know to use, and I thought it was a nice rundown to use at a later date, especially if my two switches include all of this stuff.
.: more on cracking wep, etc
This link has a number of good pages and pieces of information on cracking WEP and other wireless fun.
.: secure usb drives
Just a quick listing of some secure USB drives that use hardware encryption and are recommended:

mtrust mdrive 500
kingston data traveler elite - privacy edition
verbatim store'n go corporate - secure
.: mocbot analysis
This is an analysis of Mocbot from LURHQ. Especially interesting is the follow-up on the Spammer that this new variant downloads, as well as the graphic showing which antivirus companies properly detected the malware. I wonder if the only ones detecting are the heuristic scanners and not the signature-based scanners...?
.: sandnet for malware
Not sure what to make of this yet, but sounds like an awesome little tool. Lurhq pimps this as a "sandnet" where you can run malware and it will even get its own little "internet" to play with if it chooses to connect out. Sweet action!
.: breaking wep
This paper purports not only to help with cracking WEP, but to be the final nail in actually outright breaking WEP. I've not read this yet, but plan to, as this sounds like a very swift, albeit technical, way to break WEP.
.: unwanted remote control sites and apps
It really sucks when users think they're being cute by utilizing remote control services to connect from home to work or work to home PCs. These just are not cool, especially when used without permission. I always forget the sites, though, so this will start my list of sites to blacklist on firewalls/web filters whenever I set any up. These are not wanted in the corporate sphere.

GoToMyPC
LogMeIn (and secure.logmein.com)
Hamachi - p2p?

Hamachi is a particularly scary thing, but like Skype, it should require a common mediation server to get the two endpoints together, and therein lies a single point of denial on firewalls. Either way, novel idea, and something I'd like to check out on my own. If even the mediation is peer-to-peer, we should be marking the app as a highly bad app, kinda like an irc client...

Foxy Proxy has some excellent tutorials as well as the proxy stuff.
.: windows countermeasures and threats
This link goes to a Microsoft doc about Windows XP Countermeasures and Threats. Of particular interest, Chapter 7 makes an excellent reference on the services that Windows XP has, and whether they are necessary or not. Disable them if they are not necessary.
.: defcon 14 and black hat 2006 papers
I've already gotten them, but this will just be a placeholder position for links to this year's DefCon 14 and Black Hat 2006 papers.
.: guerilla interviewing
This was a nice read about job interviews. I believe Google also did this sort of interview tactic, especially the "impossible question" part. The biggest takeaway from this for me is the Smart and Gets Things Done. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.
.: 10 immutable laws of security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea
.: security pet peeve #1

May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that "security through obscurity is worthless." I've read this a lot and heard it in person a lot too, but it is often misused. What is really meant is "security through obscurity alone is worthless." Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption are just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:

1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.

2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.

Alone, though, security through obscurity is more of a false sense of security than anything. Even though the above two benefits are still there, no one should ever sit back and breathe easy by having security only through obscurity.

(Points for me to think about: Does this mean brute-forceable passwords and encryption are, in the end, worthless? Where easy passwords and DES were years ago "unbreakable," they are now accepted as flawed...as processors continue to speed up, will today's standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords, or at least encryption, the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)

.: prove it

I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: "Can you prove your IT environment is safe?"

I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.

.: security pet peeve #2

"Well, you know, it's a toolbox, I don't care. You put the tools in and do the job, that's all." - Sam, Ronin, when asked what kind of gun he favors.

This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.

When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.

And let's face it. All of these are going to be part of a security or IT person's life at some point and we'll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog...).

On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.

I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough...

.: security catching up to hot technology

DefCon and Black Hat have become the premiere security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.

In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers have heightened, and browsers are more and more under the guns and fuzzers.

And now, it's happened. Javascript has been demonstrated to be able to not just screw with a local system, but also penetrate the local network that system is on.

Wow.

Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.

.: a checklist of windows tools

It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won't leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.

First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, a la Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigma for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend's hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and thusly conversed with the hijacker directly about it before getting my friend's AIM account back. Since then, I've never trusted IE at all. That was the breaking point. The only way to notice or stop that web-based attack against IE was to be running a personal firewall, at the time Zone-Alarm. Otherwise IE was rootable with no user intervention or notification.

In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job and Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything, Visio, Word, etc). I always move over a bunch of Sysinternals tools as well (pstools, process explorer, tcpview, regmon, and filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of WinAmp (classic mode please). WinDump, WinPcap 3.1, and Wireshark also get installed.

If this is a wireless laptop, I always throw in Netstumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason, I am very aware of what I myself do at hotspots because I'm not a special hacker or something, I'm a regular guy and if regular guys play with gleaned myspace and email accounts...).

After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the 'settling in' process of a new system. Of my few cracked products, someday once I am out of the 'cash-strapped college boy' phase and into a solid, fair-paying job that keeps me happy, all of those may be replaced with legit copies.

.: trying to hold sand

I've been pretty conscious lately of where my personal information goes. I've been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year's heightened problems with identity theft and disclosure of personal information from places like the VA, every time I fill out a web form, my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.

Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.

I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand...just think, all it takes is the least secure online store to be broken into and the data siphoned away...such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?

In the end, I just become more sympathetic to removing the "convenience" of sites "remembering" my account information so I don't have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, the Internet, to the vendor, I would feel a lot better than to have account and login and payment information stored by said vendor... How often do I let a restaurant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?

.: vultures and disclosure

David Maynor and Johnny Cache presented at Black Hat last week about an exploit against wifi drivers in an undisclosed but likely large number of wireless cards and operating systems. This has caused a minor furor amongst, well, pretty much everyone everywhere.

Some argue that the duo are sellouts because they did not fully disclose who was affected at a "full disclosure" conference. Some argue they were protecting companies. Some take cheap shots at the video-taped demonstration for various reasons (which was done to prevent users from capturing the attack over the air and using it).

Last year Michael Lynn challenged Cisco and even his former employer ISS when he gave his presentation on a big Cisco vulnerability, after Cisco refused to fix it or even acknowledge it for quite some time.

Lynn's example brought up the age-old argument I see far too often in information security: disclosure. What is proper disclosure? Should it be full disclosure? This year it is back. Should Maynor and Cache have revealed the affected chipsets and vendors so that users could stop using them until a fix was in place?

I don't think there are any right answers, but the vultures that love to peck and squabble and argue for no real reason are back at it.

Bottom line, if these two found this problem, there are likely other people who have found it and kept it secret or sold it in private. This exploit was probably found via fuzzing of some type, since that is turning up lots of fun stuff lately. And I can only imagine the fun you could have as a spook or criminal with this sort of exploit in your hands and no one knowing about it...

.: rambling: blogs, news, everywhere

I have a more private site that I keep as my own private little portal to security news, virus information, resources, tools, links, papers, and on and on. Every now and then I add a few sites to my links and remove a few defunct sites.

But every now and then while browsing news, I read on some site that "so and so" has more information, or "from the site of such and such." And I end up following 5 links deep to 5 different sites all reporting on the same news tidbit. Then I realize what has happened and I say to myself, "wow, there's a ton of blogs and news sites for tech news and opinions" (as I type one out here myself!). I wonder how cut-throat some of these link-relationships get? I've seen blog wars where someone feels they didn't get credited or where people of differing views post in their blogs their reactions and then wield their viewers and commenters like some botnet to swoop on the other and comment-spam them, escalating the all-out blogosphere war. Ugh.

The effect of the web as a way to express oneself, to self-publish, to create, to share, and share with, is sobering. Even the most stubborn hermit still has that need to share his or her thoughts with at least one other receptive person, and the web is such an easy outlet to the masses. There are times when I feel like heading out to the mountains, just me, nature, spirituality...and an Internet connection. :)

I used to run online gaming league/tournament/community sites, and I know the amount of effort and dedication it takes to keep something popular on the web. It was tough 5 years ago when I finally "retired" from that, and I can't imagine how much tougher it is now, especially when you're not just offering up something unique and fun like digg.com. Then try to find all the digg copiers or slashdot wannabes or every other blog out there that tries to act very self-important and get fans and followers. People like me who add that blog to their short (but growing) list of weekly visits. I can't imagine how tough it might be to always put up meaningful content, opinions, and original substance on a technical blog or tech site...especially for me, someone who does not yet have something unique or original to share (someday, I think so).

But then I look back and see why I post here or even on my personal site. It is much the same way I might keep a journal (girls call it a diary, journal is more manly) next to my nightstand or in my backpack. It is a way to document my thoughts, and also comment on and document news stories. When 9/11 occurred and every blog in existence posted comments, it was not all because they wanted to be part of the news megasphere or get readers or even self-publish. That was an important event in their lives, more than worthy of being in the journal...only today's journals are more able to be public and commented on. I definitely need to lighten up on my backlash against the blog effect on the web.

At any rate, there are blogs and tech news sites all over. There are weekends where I grab something warm to drink, and spend the morning or evening following the blog links. It is much like roaming down an unknown state park path, taking in the sights. Click a link, check that person out, look at his or her link list, pick another that looks interesting, and just roam randomly. Sometimes I pick people from Iowa, sometimes security/hackers (I love wandering into the sites of people whose names I might recognize from the scene, but who have grown up or moved on and their site remains as it was 5 years prior...), sometimes just random people with cool site designs or ways of writing. Sometimes I am looking for new people to add to my bookmarks, sometimes just checking out site designs for inspiration, sometimes just bored.

I wish I could keep up with such a huge community, but there are not many jobs that pay for that kind of a hobby, and in all honesty, I wore out my "online life-living" back in high school and college with IRC, IM, forums, gaming, and other things not worth mentioning, and it really never got me all that far anyway. As it is, I am one of those people who just looks for useful and meaningful blogs and sites to bookmark on my private page, to visit again over the months and perhaps even pipe in and comment to the author, perhaps making a friend or colleague in the process. It is always a sad event when one of my links gets removed, either from lack of updates or lack of updates that are useful to me as either I or they have moved on to other topics or phases of life.

For those that know what it means, I'm feeling just a bit QQ today. :)

.: innocence, playfulness, maliciousness

At first there was innocence, ignorance of the needs of security in networks during the days of the open networks, where network downtime and intrusions were borne more by discovery and accidents. Then there came playfulness, where security was beginning and attackers made more curious, playful attacks, toying with users or just crashing systems to see the effect.

Then came adulthood, maturity. Now, attackers are not necessarily interested in downtime or playing around. They have an agenda and they have profitable goals. Suddenly, we have maliciousness...

.: data, data everywhere...

The old adage can ring true for online habits: "Don't do anything you wouldn't want your grandmother learning about." Long hailed as a place to conduct oneself with a wide measure of anonymity (read how bold kids can be in chat rooms or online games when they don't have to face people in person), we're all starting to feel the creeping implications of data retention policies, particularly illustrated recently by AOL's search data release.

It is a bit sobering. I have been online in some form or other since the early-mid 90's when I was barely into high school. Granted, Google was not around, but AOL sure was. And I used it, and searched using a number of search engines available at the time. How could someone like me know that 10 years later, data retention and search engine query analysis could reveal some dirty little secrets?

Not that I have much to hide, but it is still offending to have that sort of privacy illusion (?) yanked away. Have I searched for porn online? Yeah, I'll admit it. Have I searched for some not-so-legal things such as hacking or bomb-making just to see if I could find it? Probably. Have I done an ego-search looking for my own name? You bet. And have I done all of those, in some combination or other, from the same IP? Considering I've had only a handful of IPs in my online life (not counting AOL dial-up in high school), the chances are really darned good.

Scary. Just think of the dirt that may be dug from such databases on politicians 20 years from now. Our president in 40 years may have an old MySpace site still lingering there, waiting to explode with traffic from mudslingers.

Step back and take that one place further. What about spyware/adware apps which remain dormant and diligently report user surfing habits to central servers, maybe for years, while users just silently huff and deal with their slowly ailing computer speeds. Or ISP traffic records that might be kept some day. Just think of all the places visited from just the one location. This now includes work-related websites, sites for stores in the area (ever look for the most local Mitsubishi dealership or the working hours for the local Papa Murphy's Pizza?), and even the things you'd not want your grandma to know you were viewing online. Even people like me who maintain a more or less anonymous presence in security/hacking venues would be outed.

Then again, some may argue this can be good for the morality of the Internet. I remember a long time ago a study was done where people were put into a room to socialize. Later other people were also put in the same situation, only this time the lights were turned off. You can imagine the remaining senses were used, but they were used to a degree that almost all of the people in the room wouldn't have used them in broad daylight. Use your imagination. :) Maybe with the veil of anonymity removed, people will behave better? Naa...I just think they'll try all the more passionately for anonymous services, onion routing, VPNs, and privacy standards.

.: obvious but new

A career in information technology is a career in lifelong learning.

A career in security is a career in lifelong learning.

Sometimes the obvious things are just not consciously obvious, and once they become obvious, things just "click." That was a click there for me this morning, for some really odd reason. And I'm just glad I love learning both academically and on my own.

.: security pet peeve #3: ethics and the color of your hat

Today I happened to get called a "black hat" on a blog comment simply because of some off-the-cuff comment I made that, admittedly, is not necessarily a straight-laced, stick-in-the-mud, ne'er-do-wrong practice. However, me being called "black hat" is about as laughable, as, well, anything else I've experienced this week so far...

But it illustrates to me one of my other big pet peeves in security: hat color.

Fashionistas aside, some people are pretty obviously Black Hat. The rest of us are pretty much stuck in a quagmire of uncertainty and greyness that really has no definition. What seems like grey hat to some may be very black hat to others; what may be white hat to some may be grey hat to others, and so on.

All of this is just so much drawing lines in the sand, only to have someone else wipe it away and draw their own line in the sand, and another person wiping it away and drawing their own line in the sand. It is all about ethics and morals and how you conduct yourself. And if anyone has taken any academic coursework or even any casual discussion on the subject of ethics, one will quickly realize there are no hard and fast lines. It is all very relative and all very undefined to such a degree that arguing about it is a complete waste of time.

As it is, I have no problem with most "black hats" or "white hats" or anyone in between. Each can live their own life and that is fine with me. But what really incites my pet peeve is when people get so consumed with rage and prejudice and blind ignorance about the whole issue of ethics that it manifests into nearly fanatical knee-jerk reactions to any hint that there might be an ethics or hat color discussion arising... That is just shallow.

White hats have to live up to a certain level of ethics and morals, right? Well, how do they feel about speeding when driving? If it is a 30mph zone and they drive 32mph, do they feel guilty? Does that guilt adjust their behavior back down to an apologetic 30mph? Do they regularly bump 10mph over the limit, whether in residential or on the freeway in the throes of a 10 hour road trip?

This is the dilemma. This is the grey area.

.: slicing and dicing information loads

There are way too many news sites and blogs out there that I want to read. I'm at a phase in my career where I'm just sponging up everything I can. I have a growing list of sites that I use for resources and news and new stuff.

The problem is trying to manage it all. As I have gotten older, I have realized the grim reality of managing one's time. In my youth and even in college, I had a lot of free time to just while away doing nothing much. Now, I find I have to sacrifice a lot of that "nothing much." Thankfully, I shed the whole "tv watching" thing back in college, and unless it is a movie, my TV gets zero use.

Likewise, unless I'm relaxing for a good many hours on a weekend with my computer, a hot drink, and some calm music, I don't get a chance to check all the blogs I want to check or network with the people I want to network with or try all the new things people have posted about or created. Ugh!

I've tried keeping my own private blog with a list of all the interesting links and then posting about the tidbits I wanted to keep available or braindump about. The posting part has been working amazingly well and I love it. But the links part, which ends up being just a web page of bookmarks, in essence, is something that I have a bit of a problem with.

Reading the news requires clicking on each one. Being that I want this page to remain private, reading at a hotspot or at work can reveal its presence, and I have to take extra coding measures to obfuscate the redirect trackback. This is just a little bit annoying. And if I ever did want to share its existence with someone else, that would mean also sharing my home web site, since they share the same IP (and box). Moving it to hosting is a bit of a chore as well, since I use a smaller, lesser-known perl publishing tool for the site content. Ideally, I would have a second IP just for this site...maybe in the future.

But reading the news there is still less than ideal.

I've tried out standalone RSS readers, and I settled on using RSSReader for a while. Unfortunately, I find that I'm not always on my home laptop in such a fashion as to pull up the app and read the news. Sometimes I'm at work, sometimes I'm in a live cd doing something else, and sometimes I just want one big long page with all the news right there so I can just scroll on down effortlessly. The one good thing I like about RSSReader? If I have populated it beforehand, I don't have to have an Internet connection to read the content later. That's really a big plus as sometimes I want to go some places that don't have open wireless and sometimes I just don't want to fuss with locking myself down a bit more at a hotspot.

I just started a Bloglines site yesterday and have begun populating it with news and blogs and vulnerability advisory sites. While I like the idea of a one-stop website I can go to for news, this still does tie me down to an Internet connection. I also have not been happy with the presentation of the feeds either. I like to have full content (unless fully overridden by the feed itself), I like to have posts parsed chronologically (not by site only), and I like to have them all displayed for at least a week back for blogs and less for others. With Bloglines, I've found I have to click a few times to get the Week view, and they never arrange in full chrono order. Hrmm...but I do like it for one-stop news while at work and at a hotspot. I can also maintain some anonymity there.

Maybe I should recheck RSSReader for some more view options. Other than at work, it really is a good option, as I really love the freedom to unplug somewhere like a park, and just browse news there.

The big downsides to RSS feeds? Easily, I dislike the oddball blogs or sites that have no RSS or non-compliant RSS. Some, I understand, are a functionality choice that was consciously made by the author, and that is fine. It is just hard on someone like me to remember that that site is an oddball. A new downside that is growing in popularity is the trust that apps and sites and people put into parsing RSS feeds that can possibly allow malicious code in feeds.

Someday, I also need to find a good way (on Windows and preferably without iTunes) to automatically download podcasts and load them to a folder that I can sync with my iPod. Yeah, I know, I might still be behind the times, but iTunes originally was not something I trusted on my box, so I always stuck with winamp to manage my iPod. For now though, I'm content with my site of links to pod/vidcasts and downloading them manually.

Forums I truly love. I like the usually informal and discussion-like format of a forum. Maybe it just reminds me of IRC days, but forums have a special place in my heart. Sadly, a well-populated one with useful information is definitely not easy to find. My list of forums is woefully small, and half of even them are filtered at work.

My last major source of information has been mailing lists. I started out getting on a number of busy mailing lists a few years ago with a gmail account, but found the web mail interface and my own lack of time very disappointing and as such I stopped reading them. I have only recently renewed my reading by pulling that gmail data down to Thunderbird and abusing filters to sort out the mailing lists. This has worked pretty well for me, but I still have yet to really work mailing list reading into my daily or weekly routine. I need to read them for a while, cull the useless ones, and settle down there. Having mailing lists post directly to a forum or blog (with thread REs being placed into comments) would be awesome, even if just for my own private viewing.

Anyway, these are just some ways I'm attempting to usher myself through this sponge phase of my career, and I can already feel it coming to a climax and settling down for me, which is very good.

.: security pet peeve #4: the obvious need

There are a number of news publications and sites and posts that say things like, "organizations now need encrypted backups," or "spam is out of control," or "building a comprehensive disaster recovery plan."

I get a little happy when I see something like that, and I read into the article only to realize it is just one of those "obvious need" articles. These articles are great for new topics, but far too often they are already old news topics and offer me nothing on how to actually perform lots of these functions. Too often, I get the feeling these are written by people who can complain about the problem, but really have no idea how to fix it, nor have had any experience in what the challenges may be in encrypting all backups or trying to implement a company's first disaster recovery initiative.

.: maynor&cache vs apple: the winner...full disclosure

So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple's built-in wireless card or third-party wireless drivers for a possible third-party wireless card.

And look at where Maynor and Cache are now. In the middle of this summer's biggest IT feud which is spreading a feeling amongst the "blogosphere" that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.

All of this uncertainty has resulted in mudslinging, amateur journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else's posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don't think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don't think so), or for the details to finally be released (after a fix, of course).

Until such time, we're all still left with uncertainty. But what I am certain about is our approach to "responsible disclosure" is going to be coming to a head, and I don't think corporations will be happy with the imminent conclusion.

Security practitioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.

Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.

Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a "proper" amount of time. This year we have Maynor and Cache with wireless driver attacks.

In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix is released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.

.: defcon12 running man contest
Just thought this an awesome little idea for a contest. Defcon is definitely one of the most unusual and interesting security "conventions" around, as hackers and gov't security folks play contests that basically hone and demonstrate and teach security and anti-security skills. Quite amazing. In this contest..well..click to the article.
.: linux

I am really toying with the idea of plunging fully into Linux...while also just testing with my toes again. Hrmm...

I've run Linux in the past, from Red Hat version 7 up to SuSE 9.x and various Livecd incarnations. But I've never been able to stick with an install for long enough to really immerse myself into it. Red Hat 7 was interrupted due to a need to do some resume/website work back after college when I was unemployed. SuSE was interrupted by my need for gaming...multiple times.

But the gap between Linux and Windows, especially the apps in Windows that I rely on a day-to-day or weekly basis, is greatly diminished now, if not gone altogether. The only real gaps would be ease of use of all the years of acquiring apps and programs to do certain tasks, the support for gaming, and the support for wireless.

The years of acquiring apps may be interrupted soon by Windows itself...who knows what Vista will be changing when it finally releases, but it will be a whole new world to learn anyway (although not entirely). The support for gaming has been getting better, but only slowly. Thankfully, having a gaming-only machine is not a bad idea, especially since any Linux that I run will not need beefy specs or expensive machines. And support for wireless has been getting better in leaps and bounds, to the point that some of my Livecds recognize my wireless laptop right from the install, and get online with absolutely no work on my part.

But, I do still game, and I do still have a lot of things on my XP laptop that I just can't part with quite yet, especially since it's the only machine that seems to accept any of my old Windows XP keys and licenses (damn Genuine Advantage, in the end, it will end up driving me away from Windows...).

So, one thing I really want to do is make sure I have Linux on a laptop, which does greatly limit my choices on my systems. I think I might give another shot to dual-booting or even just running VMWare Workstation on my laptop and carving out some space for a Linux install. I know my system isn't all that robust (512MB RAM), but I think if I go ahead and wipe it off and reinstall Windows XP, it should be cleaned up enough to allow me to run a VM Linux (Ubuntu or SuSE again).

This post started out with me wondering to myself where I should put Linux and work it into my daily life, up to listing my systems and the pros and cons...but I think I already just talked myself through my plan.

This will leave me my gaming system, a possibility for less intensive games on my laptop, and leave me other lesser-speed Windows 2000 laptops for other uses. My other desktop-class systems can then still be whatever, as they are just used in my lab.

First order of business though: clean off the XP laptop, back everything up that I need or want, take inventory of what I need to replace, and start to organize up my tools and tempfolder (a dropbox for all sorts of incoming things that I've not played with, tried out, or used enough to file them away to keep or delete).

.: free is not always free even in cyberspace

An article posted on SecurityFocus quoted:

Building on a Wall Street Journal analysis of the 20 million search queries leaked by America Online that found "free" to be the most popular search term, SiteAdvisor warned that the results produced by such searches frequently lead to malicious Web sites.

"Often, so-called 'free' items are anything but free," the company, recently bought by security firm McAfee, stated in its advisory. "Free screensaver and games sites are notorious for bundling spyware and adware with downloads... Free e-card sites often share users' e-mail addresses with third parties and can lead to a never-ending influx of spam... Ringtone sites frequently lure consumers with misleading offers of free tones that ultimately lead to automatic enrollment in paid subscriptions."

I admit, back in the day free stuff used to be cool to download. These days, however, they are packed with spyware and other not-so-nice things. Always have to wonder, "why is this free, what are they hoping to get?" More often than not, to get something installed on your computer or get your "clicks" on their sites.

I honestly have more trust in downloading cracked commercial apps through my regular channels as opposed to free sites. However, when looking for legit free things, I put a lot of faith in SourceForge-hosted apps and anything from a website that looks like a real developer just offering out to the world some little tool he/she created to do something cool. Anything else like free screensavers and the like are just not really worth the time and effort and risk.

.: social engineering

This is social engineering at its best, and its scariest. Just think if this guy had more important things to say, or was passing himself off as speaking on behalf of someone or something more important. Wow.

.: six worst security mistakes

NetworkWorld posted a rather good series of articles on the six worst security mistakes.

1. Not having a security architecture- I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.

2. Not investing in training- This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.

3. Neglecting identity management- Since I've not worked in environments with over 500 employees, I've not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, "you need identity management, here's kinda what it is" but never discuss what products work, what don't, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I'd like to examine identity management systems, but so far I've not seen a need for it in current environments. If I could make my own home-brew setup with little costs (maybe a USB fob and open source software), I would love to add that to my projects list.

4. Ignoring the insider threat- Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add in that not just employee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.

5. Not protecting web appliances- This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure are no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development, in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell... :(

6. Buying products with the most bells and whistles- This is an interesting item, and I think is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propaganda, and lack of having a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.

.: illustrated guide to cryptographic hashes
This looks like a fun and well-written read, an illustrated guide to cryptographic hashes.
.: bypassing web filters, firewalls, proxies
Sometimes these things are very useful, and sometimes admins should block access to them. The Your-Freedom site offers such a service to bypass content filters, firewalls, and proxies.
.: wifi hog
The wifi hog project. Not sure what to make of this, but gotta read it someday.
.: insider threat study
This study on insider threats in IT is a bit dated, but let's be honest. People don't get outdated. This study is amazingly detailed and very important even today, 10+ years later.

Here is some more interesting spy information and insider threat character analysis.

And here is a guide to insider threat risk assessment.
.: security and hacking videos
I finally tracked down this link to a HUGE collection of videos (mp4 format) available through BitTorrent of presentations at the 22nd Chaos Communication Congress (22C3) in Europe. Will need a Torrent client like Azureus. I have already started downloading this and am not even 1/4th through the list and it is already taking up 12GB of space. Will also need QuickTime or an alternative to QuickTime (recommended).

Updated link: videos. Be creative with the URL and you can find past years. When in doubt, hit the root site.
.: stream of discovery?

Stream of consciousness amazes me. In addition, the stream by which we discover new experiences is fun too. Take for instance this quick journey.

I like hacking and computers and security. Recently, I found a bunch of movies from the 22nd Chaos Communication Congress lectures from late last year. One lecture was "The Realtime Podcast." The lecturer basically ran an actual podcast on stage, but the podcast consisted of him lecturing on how to do podcasting, the tools, styles, marketing, etc. His background music was really cool. Thankfully he acknowledged it as DJ L'embrouille. The music is just this really chilled out electronic/ambient mixes. Amazingly, he releases these to the public and they can be downloaded. So now I have been listening to about 10GB of his mixes and loving every minute of it. This is awesome stuff to just have playing in the background while doing some computer work.

Now, if this guy had not released this stuff freely, would I have ever heard of him? Doubt it. Would I pay to see him in person? Yup...and that would be money in his pocket due to free Internet distribution. Wake up RIAA.

.: simplicity sells

I've read this in a few places recently, in particular regards to security software and appliances, but this video of one of the TED talks by David Pogue ties that in with my own feelings of the backlash on computers and electronics and how things are just too damned complicated. Too many buttons, too many clicks, too many features I will never use. For some people they stomach it, for others, they abandon the tech. I know too many people who are abandoning computers and the Internet because of all the complications.

Well, simplicity sells, and the above-linked talk was very well-done. Take out features, don't cram them in. The company 37signals does this as well, and has been remarkably successful, as have other post-dotcom small software companies, and even large companies like Apple with the ipod. This world needs simplicity and to get back to basics as opposed to bolting on features. Google, while maybe not as simplistic anymore overall, still has the best, most-trusted, and simple web search. Do that one thing and do it well.

I look forward to security software and appliances taking note of this trend and offering just the one or two things instead of trying to package every security measure into one device or app. I think this is short-sighted and just a way to increase their market and market share. Instead of doing things well, overwhelm others by just out-featuring them to get into as many markets at once as possible.

Linux and Unix have done this well for years, decades. Simple programs with few bells and whistles that do their designed task and no more. To do more, you combine them with other equally streamlined tools. cat firewall.log | grep denied. That's the true beauty in *nix, the command line power and simplicity. Granted, this is a geek's take on it... :) At least in the *nix world, the techs like me can still milk our creative sides in using these tools together in complex and beautiful ways as opposed to being handed a huge soundboard with 209208 dials and switches to do god-knows-what and produce 45x more reports than I'll ever use.
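As an added example (not code from the original post), here is the "small tools combined" idea carried a step past cat | grep, and pointed at the insider-threat item from the six-mistakes post above: summarizing denied firewall connections per source, and pulling failed authentications and new local accounts out of an auth log. The log lines are constructed for the example and their formats are assumptions; real firewall and sshd/useradd formats differ, so the field numbers and sed patterns would need adjusting.

```shell
#!/bin/sh
# Added example, not from the original post. Composes grep/awk/sed/sort/uniq
# over constructed log lines; the formats below are assumptions.

# Constructed firewall log: "<date> <time> <action> <src> -> <dst>:<port>"
firewall_log() {
  cat <<'EOF'
2006-09-01 10:01:02 denied 10.0.0.5 -> 192.168.1.10:22
2006-09-01 10:01:03 allowed 10.0.0.7 -> 192.168.1.10:80
2006-09-01 10:01:05 denied 10.0.0.5 -> 192.168.1.10:23
2006-09-01 10:01:09 denied 10.0.0.9 -> 192.168.1.11:445
2006-09-01 10:01:11 denied 10.0.0.5 -> 192.168.1.10:3389
EOF
}

# Constructed syslog-style auth lines (sshd and useradd style messages).
auth_log() {
  cat <<'EOF'
Sep  1 10:02:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 40001 ssh2
Sep  1 10:02:04 host sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Sep  1 10:02:09 host sshd[1236]: Accepted password for alice from 10.0.0.7 port 40003 ssh2
Sep  1 10:03:15 host useradd[1300]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Sep  1 10:03:20 host sshd[1237]: Failed password for root from 10.0.0.9 port 40004 ssh2
EOF
}

# Denied connections per source address, busiest first.
# Reads the log on stdin; prints "<count> <src>" per line.
denied_by_source() {
  grep ' denied ' | awk '{print $4}' | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Sources with at least N failed password attempts (default 2).
# Reads the log on stdin; prints "<count> <src>" per line.
failed_auth_sources() {
  n=${1:-2}
  grep 'Failed password' | sed 's/.* from \([0-9.]*\) port.*/\1/' \
    | sort | uniq -c | awk -v n="$n" '$1 >= n {print $1, $2}'
}

# Local account creations, one username per line.
new_accounts() {
  grep 'useradd' | sed 's/.*name=\([^,]*\),.*/\1/'
}
```

Usage is the same shape as the one-liner in the post: firewall_log | denied_by_source, or on a real box, grep over /var/log/auth.log piped into failed_auth_sources 5. The thresholds and patterns are the only things that change; the composition stays the same.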

.: cracking wep on a mac
I have posts on how to crack wep on most any other flavor, now to add Mac too!
.: pix capture
If I can get my hands on a pix for educational purposes, I can play around with the capture command.
.: linux as my main box - part 1

I have used Linux here and there in the past 5 years, but in the past 2 years, my experience has been drastically limited to livecds (which, in their own right, are really awesome anyway!). I've long wanted to get away from Windows since I know 95% of what I'll ever know about Windows XP and previous anyway, and I really want to use a Mac or Linux box as my main OS at home for various reasons.

I've never made the jump and kept putting it off due to this reason or that, most notably two major reasons: I wanted to play WoW, which is difficult for anyone on Linux, and I wanted easy wireless access that wasn't a bitch to configure, support, or install. Wireless support has gotten better in the past few years, and my laptop really is not nearly as fun to play WoW on as my resurrected gaming rig. So...all the big barrier reasons are gone!

This weekend I went out and bought a new laptop drive, 100GB. My plan was to dual boot Windows and Ubuntu Linux and also have some room to run a VM in Ubuntu and Vm another Windows install or two plus others. The reason to dual-boot is so that I can get true wireless on both OS, since any VM is going to think it is on a wired connection. More on this later...

So I swapped my drive and put in Ubuntu 6.06 desktop. I did an install, it performed a format on my drive and was done. I literally blinked a few times and figured something screwed up or the instructions were incomplete. I rebooted Ubuntu from the livecd, saw that I had missed nothing, and on a whim decided to reboot without a cd. Sure enough, Ubuntu started up just fine and had been installed on the HD just like that. Wham! That's the shortest install of an OS I've ever had!

The sad thing, though, is the Ubuntu partition support. It is basically an all-or-none approach and I didn't get much help or options in doing manual partitioning. Unfortunately, the automatic part made me use all 100GB of the disk for ext3. Hrmm..well, I guess I can live with that for now and just swap hard drives when I want to go Windows. I may have to add in a mini-project to see if I can get an external enclosure and boot from it, but that's another project.

So, Ubuntu was working. In fact, both my wired and wireless network cards were recognized immediately. I hooked into my wired network, got an IP address, connected to my wireless AP to get my WEP key (yes I use WEP because I practice breaking my own network with various tools...long story), and configured up my wireless. Big props to Ubuntu, as it took on the first try and I had wireless on Linux with zero blood and sweat. Wow!

Now, I'm swapping back and forth between my hard drives and Windows and Linux as I move all my tasks and things I do on Windows over to Linux one by one. Hopefully in the next week or two, I will be running Ubuntu 95% of the time my laptop is powered on. The only snag may be if I figure out how to most properly carve up my disk so that I can still dual-boot Ubuntu and Windows XP. This might mean installing XP first and using it to format the disk, then seeing if Ubuntu will limit itself to whatever space is still open. I'd like to just do about 35GB for Ubuntu (ext3), 15Gb for Windows XP (NTFS), and the rest for either shared space (FAT) or VMs.

Next steps: Opening up Synaptic to allow me to install packages from the universe and multiverse, finding the root password (yeah, go figure, I couldn't find it and it never asked me for one on the install?) so I can su up, and getting some common apps installed that I use on a daily basis, such as Thunderbird, gaim (or a Linux equivalent to gaim), and mp3 player. Now that I think about it, my ipod support may be all borked up now. I use winamp+ml-ipod to manage my ipod and music as opposed to iTunes, but thankfully that is a minor gripe. I'll live. :)

.: atm crime spree? more about default passwords

A recent theft from an ATM in broad daylight, using a key sequence which unlocked the machine and allowed the criminal to reprogram it so that it dispensed larger bills than it believed it was dispensing, has had plenty of follow-up.

While this issue may bring the idea to the minds of young people in some small groups of the nation, I doubt this will turn into some sort of crime spree. However, it does illustrate exactly the failings of computer networks decades ago, and something that continues today in many electronics areas outside computer networks: default passwords. When a technician or operator installs electronic equipment like ATMs, it is very unclear whether they properly change default passwords or close any backdoors. Telephone boxes, ATMs, lighted road construction signs, and many more devices are frequently left with default passwords. The only protection is usually threefold, 1) A lock on the internal workings of the device, 2) obscurity by not publicizing the passwords and backdoors and manuals widely, 3) common human conscience to not do something criminal in public.

The hacking/phreaking community has known about these things for decades. ATM boxes are a very popular target and many of these issues have been long known. A lock can be picked, broken, or just plain left unsecured. Obscurity is not a protection when used alone, and hiding passwords and manuals, and basically not teaching unqualified people how to use devices, is not protection. Frequently, this is defeated by operators leaving the manual nearby or scrawling notes with passwords inside the box. Obviously, the conscience of the person is widely variable and some people will not be deterred by it.

It is only a matter of time before more things like this are discovered out and about in less technical areas of the world. These lie in the gray forgotten area when electronics started getting smarter and thus needed passwords for operations and the widespread security paranoia of computer systems with widely publicized attacks via a very efficient Internet medium. Also, many of these systems sit in an area between white collar workers and IT staff; a lost area that is as much ignored as actually forgotten.

.: putting it to bed and dying?

To put this topic to bed in my mind, here is Apple's notice about wireless security updates. This hopefully will also put other people to bed who criticized and had panic attacks and panic fanboy defense when Maynor and Cache presented about wireless driver exploits and did so on a Mac. I love Macs as much as the next person, but please, don't cannibalize our own people. We need to encourage research, not hang it out to be stoned when it discovers something important against our favorite hardware/software or isn't fully disclosed like our mischievous hearts want. This whole situation elicited passionate, emotional responses from many people (we should have seen that coming, with the Mac vs Windows vs Linux debates), including people who should be more disassociated due to our profession. That includes journalists and bloggers who completely misrepresented and had no comprehension of even a visual, video presentation and what the implications were. Unethical journalism (brought in large part due to the clashing and greying between proper journalism and amateur bloggers) really did not help.

[ Update: Two more links just for me. First, Matasano's commentary on the new patch, and a link from a commenter about third party accreditation when you can't trust the researchers, the press, or the company. Excellent idea!! ]

At any rate, hopefully this is back to bed, and props to Maynor and Cache for putting their necks in the noose, whether for fame or public utility (I don't much care), at least this improves our awareness about wireless issues and improves the software and drivers that power it. Ignorance is not a security blanket.

Totally unrelated: Is Amazon.com dying? Their pages the past two days load like molasses, if at all. I wonder if they are weathering some attack or what?

.: linux as main box - part 2: the score

I've used Linux in the past, Red Hat, SuSE, Slackware, Knoppix, and various other livecds, but have never been able to make it a regular box that I use 95% of the time. Hopefully this will change.

But first, I want to just out and say it: Linux is not ready for prime time. Not even Ubuntu. Unfortunately, Windows is far easier to wield and get things done on. It might be less secure, but this is the classic usability vs security relationship. Thankfully, Ubuntu is not just for the uber-geek elite anymore, and can be adopted by hardcore geeks and even casual geeks, but it is not ready for the average consumer or user, and has a long way to go.

What better way to compare the two than by keeping score. Now, keep in mind Ubuntu is going to win in the end, as Linux will for me. I plan to stick with it and hammer away at it until I'm firmly on the "other side." It might be painful, but this is just part of learning and becoming a better geek (read: IT professional).

The install, as stated before, was amazingly fast compared to any other OS I've run. I literally thought I was still running the livecd portion of Ubuntu when I first rebooted (Ubuntu +1). However, the partition options leave a lot to be desired. While Windows is simple with partitions, Linux has always been arcane with them and knowing how many you need and how to carve them up is, in my opinion, the single biggest detractor for new users to try out Linux. Right from the start, it is complicated and difficult and unknown. Many people put it down right there without really giving it a true try. Ubuntu is an all or "know it yourself" install. Either it takes the whole disc or pre-made partition, or you have to know what you're doing. Sadly, I don't, and many people won't either (Windows +1).

So, last night I went about making sure I could do the typical things I want to do. I first updated Ubuntu, which, like Windows, prompted me with a nag screen saying there were updates. Nice! The updates were relatively quick for having 170+ updates, and of course required no reboot (Ubuntu +1).

Synaptic is really cool, and I'm happy with it. One bad point though, is that you're stuck with Ubuntu's packages and you need a little bit more knowledge to open up the universe and multiverse to more downloads. But, I always have liked having a central repository for many programs, all of which are free (Ubuntu +2, Windows +1 [how many people really catch the universe/multiverse updates without work?]). My biggest complaint about Synaptic, though, is how easy it is to do something and say, "omg, wtf did I just do?" I did this by selecting some packages and not paying close attention to the required packages or things that needed removal. After walking away to pop in a movie, I came back and hit "Apply," only to see Ubuntu quickly remove some things. I have no idea what they were, but I hope they were not important. I have learned, however, that I really should do one thing at a time, and scribble down what is added and removed, at least until I'm comfortable with this process.

sudo gedit /etc/apt/sources.list

add in:

deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper universe
deb http://us.archive.ubuntu.com/ubuntu/ dapper multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ dapper multiverse

save, then:

sudo apt-get update

And this is the second biggest issue people have with Linux, and I have it too: the installs. Windows has a huge boost here with automatic installers that take care of everything. You don't need to unzip things usually (and if you do, it's easy). You don't need to compile from source code. You don't need to hunt for packages that work with your OS flavor (Windows flavors don't run concurrently; there's really only one active one at any time now, not counting Server). You don't need to wonder what the executable is or how to run it; it appears automatically in your Start->Programs list. Ubuntu is not so helpful all the time. I installed about 10 different packages, from kismet and airsnort to lxdoom and tcpdump. Over half of them were installed and then promptly hidden from me. They were not in the Application list, nor did I find them in the filesystem. Granted, most of the ones I eventually found seem to be command-line apps, but this is a huge hole for most casual users. "I installed lxdoom to play it, now it doesn't appear, what gives?" (Windows +1) Not only that, but at least Synaptic takes care of linked packages, or things you need before something you want. Trying to track these down and align the planets just to install one program can be a huge headache in Linux. (Windows +1)

So, an OS that is going to be a "Windows killer" better do some basic things without fuss. Ubuntu's wireless works, Firefox is installed by default, Thunderbird is installed by default, but is not the default mail program and does require being added into the Application list (Windows Start->Programs list). I installed GAIM without problem and promptly got on my IMs without issue at all. (Ubuntu +1 Windows +1)

I then popped in a DVD. Totem, the default media player, threw an arcane error. Ok, I didn't want Totem anyway. So I installed mplayer. It also threw an error, even more arcane than the first. I then installed Ogle and Xine, both of which also could not read my DVDs. Wow. I did some research and it turns out encrypted DVDs are just enough of a closed format that Ubuntu decided not to include the ability to play them out of the box, or even after installing new players. In fact, I couldn't find the libraries I needed in Synaptic. D'oh. I found libdvdread3 just fine, but libdvdcss2 had to be downloaded from some guy's FTP in Sweden. (Windows +1)

use synaptic to get libdvdread3

install libdvdcss2:

sudo /usr/share/doc/libdvdread3/examples/install-css.sh

Whoa, wait a minute here...what version did I just download? What command did I have to run to make it work? I have to download some weird library that may or may not be 2 years old from some guy's FTP site in Sweden? I did more searches and found more German and other foreign sites, none of which looked commercial. This is exactly the kind of thing that we, as security people, work to keep Windows users from doing: downloading from sites that make us stop and get paranoid. (Windows +1)

After putting in the new library, though, all the players could play my DVDs without problem (I think I like the Xine interface best, but it doesn't fill my whole screen, sadly...which may be a graphics driver issue, but with the player...). However, this sort of hassle and *need* to Google up and understand uber-geek Linuxspeak to get it to work is going to keep Ubuntu from being used by my parents and friends. (Windows +1)

So that is where I stand right now. I can do most of the things I want to do on a daily basis (email, web, IM, and accessing my external drives for media like music, and dvd playing [with effort]), but where Ubuntu makes up ground on Windows in the install and ease of deployment, it loses ground in the places Linux has always lost ground: packages, not doing the necessary things out of the box, and needing to put on the geek cap just to work around things. Does Windows necessarily do this better? Perhaps not, but at least 99% of the computer-using world is used to it.

The score appears to be about how I expect, with Windows leading at this point, because this is all the hard, preventative stuff from Linux and Ubuntu so far. Windows 8 Ubuntu 5.

.: the career it writers

I diss on the blogosphere a lot for being bad reporters of news, but great reporters of experience and opinion (which in a way is news as well). I guess the difference is journalists have a level of ethics to maintain whereas bloggers can basically do whatever the heck they want.

Anyway, one question that has been in my head lately concerns the career writers. There are bloggers and journalists in IT that I sometimes see or read, and I frequently look at their bios or background, just to see where they are coming from. Often, I see they have 15-20 years of writing about IT and journalism and papers and 15+ books written or contributed to.

I don't get this sometimes. Are they career writers? Do they actually do any IT stuff, either in an enterprise or at least at the consumer level? Or do they just play at home, talk to others more knowledgeable, and just write about it? Those people kinda bug me...

.: security outside the box: car keypads

This is just a little bit old, but there are still plenty of cars that sport the numbered keypads to unlock the driver's side door. There are really only 5 keys here, and thinking outside the box, one can quickly test that this is just a password entry with no start or end marker. The lock just sits and listens and waits for the proper combination no matter what preceded it or followed it. That means every press extends the previous guess instead of starting a new one, so a single sequence in which each of the 5^5 = 3125 possible five-digit codes appears once as a window of five consecutive presses tries them all: 3125 presses, plus 4 more to cover the windows that wrap around, 3129 in total. Turns out, it only takes 3129 keypresses max to get the door to open. The article states this takes about 20 minutes. Just imagine reciting the cheat sheet into a recorder like an iPod and then just listening to the sequence as you key it in.
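To make the 3129 figure concrete, here is an added example (mine, not from the post or the article it links) that builds the sequence an attacker would key in. It assumes a 5-key pad, 5-digit codes, and a lock that only compares the last five presses, and uses the standard Lyndon-word construction of a de Bruijn sequence; the key labels 0-4 are stand-ins for whatever the real buttons are.

```python
"""Brute forcing a sliding-window keypad with a de Bruijn sequence.

Added example, not code from the original post or the article it cites.
Assumptions: a 5-key pad, 5-digit codes, and a lock that only compares the
last five presses with no start/end marker. Keys are numbered 0..4 here.
"""


def de_bruijn(k: int, n: int) -> list:
    """Cyclic de Bruijn sequence B(k, n) over the alphabet 0..k-1.

    Standard Lyndon-word (FKM) construction: every length-n string over the
    alphabet appears exactly once as a cyclic window, so len(result) == k**n.
    """
    a = [0] * (k * n)
    sequence = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return sequence


def keypad_attack_sequence(keys: int = 5, code_len: int = 5) -> list:
    """Linear press sequence containing every code as a window.

    The cyclic sequence is unrolled by re-appending its first code_len-1
    symbols so the wrap-around windows get typed too: k**n + (n-1) presses.
    """
    seq = de_bruijn(keys, code_len)
    return seq + seq[:code_len - 1]


def windows(seq: list, n: int) -> set:
    """Every length-n window a sliding keypad buffer would see."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def presses_until_open(seq: list, code: tuple) -> int:
    """Simulate the lock: presses until `code` is exactly the last n keys.

    Returns -1 if the code never appears (it always does for a valid
    attack sequence).
    """
    n = len(code)
    for i in range(n, len(seq) + 1):
        if tuple(seq[i - n:i]) == code:
            return i
    return -1


if __name__ == "__main__":
    seq = keypad_attack_sequence()
    print("presses needed:", len(seq))                          # 3129
    print("codes covered:", len(windows(seq, 5)), "of", 5 ** 5)
    print("presses for 44444:", presses_until_open(seq, (4, 4, 4, 4, 4)))
```

The same construction works for any pad that ignores everything but the last n presses; a lock that required a start key or reset after a wrong code would force a fresh n presses per guess, and the attacker would be back to k^n * n presses.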

The more I think about it, the more it makes sense that this whole idea didn't last very long and not all that many cars used it or still use it.

.: payphone warriors

Now this is a really fun-sounding idea for a metro game: players attempt to control as many payphones in an area as possible by calling from the phone to a central scorekeeper. The link gives plenty of information. This isn't necessarily something to be done in say, my state of Iowa, but would be amazingly fun in a very payphone-heavy metro area. What would be most interesting, though, is seeing how it is set up and run. Checking out the Asterisk setup behind the scenes, as well as how the payphone signatures are determined. I wonder if a game like this can be devised for DefCon? I wonder if payphone signatures can be spoofed such that a player can just adjust the variable and keep calling back from one phone?

Now what about expanding this to, say, the entire city of New York in a never-ending game where you can call up at any time? What about doing this for wireless hotspots or networks? Granted, you can spoof your IP and stuff, but what about needing to maintain a solid session with a central server from a wireless network, and submit data about that network? And note that I'm not saying open, public wireless networks... This whole idea is similar to a capture the flag competition, only mixing physical movement along with traversing the digital landscape. All the more reason to move to a more urban location. ;-)

.: passing the torch again

I started reading this article about Windows XP just to fill time, but by the time I got to the second page, I was noticing some subtle and poignant things being said.

The initial simplicity [of Windows XP] almost never survives contact with software installers. Most of them ignore Microsoft's programming guidelines by dumping shortcuts and icons across the Start Menu, the desktop and the "tray," that parking lot of tiny icons at the bottom-right corner. Good luck finding anything on the screen after you've let the likes of AOL Instant Messenger or RealPlayer have their way with XP.

With all that extra software, Microsoft needs to persuade other companies to play by its rules, but it's had trouble getting even its own programmers to do that. The mere presence of Windows Vista can't change this failure to communicate.

From device drivers to installed software, it all basically does whatever it wants to do, due to Microsoft's approach to system architecture. I am fully convinced that Windows is a product of consumer usability, and not of any intelligent security design or means to be solid and stable and loved for decades. Now, whether that is good or bad is another story, as Microsoft has grown rich and huge for those choices.

The operating system has done little to ensure that programs move in and move out in an orderly manner; they can throw supporting files and data all over the hard drive, then leave the junk behind when software is uninstalled. As a result, something that should have been fixed in Win 95 -- the way Windows slowly chokes on the leftovers of old programs -- remains a problem.

This is all too true, but again, what alternative is there? And with moving forward in Vista, how exactly will that fix everything? So many programs are bound to act funky or outright break with the new OS. People who have paid for these programs will clamor for support with upgrades (which, thankfully for the vendors, consumers have gotten used to purchasing). But, in the end, turning around this huge ship that is the Windows-based community is not going to be easy, or maybe even possible, with the Windows OS architecture.

Imagine having Windows running so many important things for years, or even 20 years from now. The world is also becoming more PC-literate, but you can bet that 99% of all the next generation users are growing up with Windows, as opposed to other OS flavors, although I will grant that next-gens will be better able to adapt to other OS options if they so choose. This means that there is a very real threat to *nix servers and tools that they will slowly be bred out of existence (of note, putting *nix into the hands of developing countries can then be both a saving grace or also further stratification...).

Hopefully Windows gets some things right with Vista, but somehow I really doubt it. XP was a major step for Microsoft and it has lasted 5 years during the stabilization of the PC in our daily lives, young and old. I think it will look prettier, be larger, be more complex, will have more layers and layers of cool graphics and security apps, but it all just covers the same buggy and outdated architecture underneath.

At least it still means job security. :)

.: security checker tools for web apps
Holy crap, this paper on security checker tools for web apps is huge!
.: bypassing nac
This paper discusses bypassing NAC systems. The presentation is also available.
.: weekly it stream of consciousness ramble: relics and creep
HostGator was apparently not alone. At least two other companies had reportedly also been hit with the attack, an exploit for a previously unknown--or "zero-day"--vulnerability in a popular Web-site management application known as cPanel. (SecurityFocus)

One thing that scares me about many companies is their propensity to have what becomes a highly heterogeneous environment with lots of little things purchased and installed or freely downloaded and implemented in their environments, sometimes circumventing IT involvement. And one little thing like a third-party web-based app can cause an entire server or network to become owned and jeopardize a company's existence.

I had more of a purpose for this post, but I ended up turning myself in circles. Homogenous environments vs heterogeneous environments, simplicity vs defense in depth, all-in-one devices vs separation of duties...

In the end, companies simply have to keep control of what they install and run in their networks, especially Internet-facing exposures, and maintain a process (with proper staff devoted to it) to keep up to date with patches and alerts for those exposures. While OS patches and "big" apps like Apache and OWA are typically tracked, far too many little things that slowly seep into the network landscape get overlooked. That ticket management system that was put in 2 years ago, or that survey "engine" on the corporate web site, or how about that PHP bulletin board that hasn't had an update in 12 months. What about that port that was demanded to be opened 3 years ago to allow a temporary FTP server that was never cleaned up? Does marketing really need that nifty new tool on the web site, or WebDAV turned on because that's the only way their contracted, at-home employee knows how to update websites?

While I like to call some of those things "network relics," I think I will also start applying a term, "network creep," to all the various little things that slowly make their way onto or into the systems and network that IT manages. This creep slowly expands the exposure for a company, and unless there is strong change management, follow-up, and staff hours to devote, these creeps turn into relics.

Policy and processes (retirement of systems and apps...). Inventory and documentation. Standards. Logging and monitoring. Staff. Change management.

I'll stop now before I get to rambling too much more.

.: 5 security steps for small businesses

Tate over at ClearNet Security made a post about a friendly debate over the top 5 things a start-up company (read: small company) can do to start out the right way in regards to a safer computing environment. I thought this would be a good exercise in determining what my own top 5 recommendations to a similar fictional company would be. Granted, doing a top 5 instead of a top 6 or however many top picks it takes to do security right is a little limiting for no real reason, but this limit does help focus a bit more. This can also act as a general checklist for consultants or any outsourcing of solutions a start-up does, especially ones without in-house IT staff. I also try to recommend free solutions as a starting point, especially for small companies without IT budgets.

1. Backups. This is the #1 thing to do to keep a business alive and running. My underlying assumption is that incidents will occur. If you don't have data backups, you will not survive many larger incidents. A requirement would be offsite backups, even if it is just at the CEO's home and maybe the CFO's home. Everything else for security should be dropped until this is done. Backups can be as simple as some batch files like Robocopy dumping data onto FireWire or USB drives every night, with manual swapping of drives every day or week. Desktop systems can be set to perform regular system backups to central storage if need be. Test backups regularly, and test restore procedures regularly, to ensure that they are working and to keep someone knowledgeable about the process. Make sure workers copy important data to central servers every night or Friday, or to a location that is backed up. Having even an elaborate file server and backup scheme is defeated internally if users keep their data on their systems and those systems are not backed up themselves.

2. Network firewall on the Internet link. Put up a network firewall on the Internet link and be draconian in the rules: default deny, with only the handful of explicit exceptions the business actually needs, even if it means nearly zero access from the outside. Small start-ups might be able to contract out to a local Linux expert or friend of the company to throw in a largely free Linux solution. Something like SmoothWall/IPCop may be better, as a slightly tech-savvy worker may be able to understand and work the web-based configs better than Linux iptables and such. But, if possible, invest in a Cisco PIX, Juniper NetScreen or Microsoft ISA Server solution and contract someone to set it up for you.

3. Desktop Antivirus. Evaluate some robust and light-weight products for antivirus protection. For the most protection, I would not pick Norton or McAfee (much of the malware that is truly dangerous looks for and disables them anyway), but rather look into Kaspersky or F-Secure instead. For freeness, AVG and ClamWin are decent enough. A good case can be made for network-based antivirus on the gateway in a smaller company, but most new desktop/laptop systems come with host-based AV these days, so you may already be half done without the extra burden. Obviously, the apps should be set to regularly scan the systems, automatically clean/delete, provide realtime scanning and stopping of virus execution, and be set to update at least daily, every 8 hours if possible.

4. Patch Management. Turn on your Windows Automatic Updates to force installation upon a subsequent reboot. Try to do this with Office if at all possible. Updates should be done as soon as possible, preferably once a week on a Thursday or Wednesday. Workers should regularly do manual updates, even if it just verifies that automatic updates are working just fine.

5. Man, the dreaded last spot. Do I use physical security here, as losing the time and equipment for a small company can cost dearly? I guess when it comes down to such a short list, I have to look at what will best help the company survive and prosper to a point where the luxuries of security can be afforded. I would side with physical security here. Make sure doors are locked properly and possibly invest in an alarm system. If the company is in a business park, get to know the security stance of the business park owners and possibly work with them to provide for alarms or anything else they may do for you. If possible, lock down all systems at the desktop and secure any server equipment behind another locked door, or at least out of sight behind some other door. The cost of these protections is far less than the loss incurred in their absence.

I will cheat and put in a 5.5, since it is not only dealing with security, but insurance purposes as well. Inventory all systems and keep that up to date. This can just be some spreadsheet available with dates of purchase, serials, hardware details, software licenses, etc. Starting this early helps. Inventory can be morphed into talking about baselining an environment. Know what you have and what is normal in your environment. What systems are expected, what software is expected, what sort of traffic levels you expect, what log entries are normal. This baseline effort can then lead to quickly recognizing when something is abnormal and needs investigating.

A really close next consideration is to acquire desktop/security help either with some low-cost outsourcing or just hire a guy internally to manage systems, clean spyware, try out new software, help test new products, etc. This can help provide a company with someone to turn to for slightly more authority than your average user, and help a budding IT professional get his chops cut on some real experience. There are plenty of IT professionals out there who would be glad to consult either on the side of their daytime gig (be open to only getting support outside business hours) or add you as part of their already established clientele.

Lastly, if the small company insists on a wireless network, then I have to include wireless security as part of the list. The wireless network must not remain open and needs to be protected using WPA (WPA2 where the hardware supports it) with a long passphrase; WEP is not a substitute, since it can be cracked in minutes with freely available tools. Yes, this might be a hassle with visiting guests and potential clients, but the consequences of some high school kid driving by and mucking in your network can be dire.
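As an added example (mine, not from the post or from ClearNet Security) of the inventory-and-baseline idea in 5.5, and of catching the "network creep" from the earlier ramble, this script compares an approved list of listening services against a fresh snapshot and flags anything reachable off-box that nobody signed off on. Both the baseline and the netstat-style snapshot are constructed data; the host names, ports and owner notes are invented for illustration.

```python
"""Flagging network creep: compare listening services to an approved baseline.

Added example, not code from the original post or from ClearNet Security.
BASELINE and SNAPSHOT are constructed data; the snapshot imitates
`netstat -tuln` output with a "# host:" marker before each host's block.
Host names, ports and owner notes are invented for illustration.
"""
import re
from dataclasses import dataclass

# Approved services, keyed by (host, proto, port); the value is who owns it.
BASELINE = {
    ("web01", "tcp", 22): "ssh, admin from office only",
    ("web01", "tcp", 80): "apache, marketing site",
    ("web01", "tcp", 443): "apache, marketing site",
    ("mail01", "tcp", 25): "postfix",
    ("mail01", "tcp", 443): "OWA",
}

SNAPSHOT = """\
# host: web01
tcp   0   0 0.0.0.0:80      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:443     0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:22      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:21      0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:3306  0.0.0.0:*   LISTEN
# host: mail01
tcp   0   0 0.0.0.0:25      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:443     0.0.0.0:*   LISTEN
udp   0   0 0.0.0.0:161     0.0.0.0:*
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?$")


@dataclass(frozen=True)
class Listener:
    host: str
    proto: str
    addr: str
    port: int

    @property
    def key(self) -> tuple:
        return (self.host, self.proto, self.port)

    @property
    def exposed(self) -> bool:
        """Bound to something other than loopback, so reachable off-box."""
        return self.addr not in ("127.0.0.1", "::1")


def parse_snapshot(text: str) -> list:
    """Turn the netstat-style dump into Listener records."""
    host = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# host:"):
            host = line.split(":", 1)[1].strip()
            continue
        m = LINE_RE.match(line)
        if m and host is not None:
            proto, addr, port = m.groups()
            found.append(Listener(host, proto, addr, int(port)))
    return found


def find_creep(listeners: list, baseline: dict) -> dict:
    """Split listeners into unapproved (not in baseline), the exposed subset
    of those, and baseline entries that have silently gone away."""
    present = {lst.key for lst in listeners}
    unapproved = [lst for lst in listeners if lst.key not in baseline]
    return {
        "unapproved": unapproved,
        "exposed": [lst for lst in unapproved if lst.exposed],
        "missing": [key for key in baseline if key not in present],
    }


def report(result: dict) -> list:
    """Human-readable lines, loudest first."""
    lines = []
    for lst in result["exposed"]:
        lines.append(f"CREEP {lst.host} {lst.proto}/{lst.port} on {lst.addr}: not in baseline")
    for lst in result["unapproved"]:
        if not lst.exposed:
            lines.append(f"note  {lst.host} {lst.proto}/{lst.port} loopback only: not in baseline")
    for host, proto, port in result["missing"]:
        lines.append(f"GONE  {host} {proto}/{port}: in baseline but no longer listening")
    return lines


if __name__ == "__main__":
    for line in report(find_creep(parse_snapshot(SNAPSHOT), BASELINE)):
        print(line)
```

Run nightly against real snapshots, the two "CREEP" lines (an FTP server and SNMP that were never approved) are exactly the relics this post is about, and the "GONE" check catches the opposite drift, an approved service that quietly stopped. The baseline itself belongs under change management, so that adding an entry is the ticket.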

.: being ornery about the corporate ethics compass and security training

A Canadian article discussed the results of an IT security survey. A couple blurbs caught my attention.

According to the 2006 Global State of Information Security survey, 53 per cent of Canadian companies surveyed said their reputation was driving their information security spending. The global average was 41 per cent.

"Poor information security that loses data such as customer profiles can seriously affect a company's brand," says Greg Murray of PricewaterhouseCoopers. "The cost of handling the public relations issues associated with losing customer identities can be devastating."

Now, while companies are economic entities, and realistically, this may be the real deal honest truth when execs look at IT security and the effects, I can't help but think of how unethical this attitude seems to be. So, in the absence of a government forcing disclosure of losses, these companies would not divulge the information. In addition, if customers do not care or the company would not be affected financially, they wouldn't disclose it. That attitude is also degrading to security/IT staff for those companies. "I only do good just because it helps me avoid getting into trouble." It's a classic example of negative reinforcement. I would prefer that we didn't need that reinforcement and that the actions were done ethically due to the company just being that way. But that may be way too idealistic of me to expect... (Then again, avoiding negligence issues can also be the same way, so maybe I'm being nitpicky on something I really should not be...quite likely in fact, so I will strike this whole paragraph, but leave it for future reference by me.)

Mr. Murray was surprised to find that 61 per cent of Canadian respondents surveyed have limited or no security training for the end-users of technology – their employees.

Training is a fun debate and can go both ways. Fundamental training should be necessary for employees. I've known way too many people who truly didn't know something like surfing web pages willy-nilly was bad, and they were genuinely receptive to the information. Some of whom may even have changed their behaviors due to the new knowledge. But much like teenage pregnancy and drug use and various crimes, you can only inform the "general public" so much. Security will not become suddenly solid when all users are given excessive amounts of training in the workplace. I mean, if that were possible, perhaps we could have had a much different president these past 6 years if we had just informed the US public more? ;-)

.: the little things, the fundamentals
For want of a nail, the shoe was lost; For want of the shoe, the horse was lost; For want of the horse, the rider was lost; For want of the rider, the battle was lost; For want of the battle, the kingdom was lost; And all for the want of a horseshoe nail.

For one missed log entry or one shortcut taken...

.: it ain't broken if we don't see it

Brian Krebs, WashingtonPost.com, writes:

...far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.

Logging and monitoring are hugely important, especially for catching break-ins and data theft. Data destruction is easy to see, but data theft is just copying data silently.

IT and business are becoming more and more enamored with feeling secure, or rather the attitude of, "We'll look at the logs when something bad happens or we suspect something bad has happened," which really means, "If we don't look at the logs, nothing's wrong, so let's just go about our business." Or a company will throw in an IDS/IPS device or log parser, but not devote the on-going man-hours or staff to properly understand the device and be able to accurately monitor/parse, while also being given ample time to investigate and acknowledge the various alerts.
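An added example (mine, not from the post or from Krebs) of what actually looking at the logs can mean for silent copying: it parses Apache combined-format access log lines, totals bytes per client, and flags a client that pulls far more than everyone else, only at night, from a single export script. The log lines are constructed, and the threshold factor and off-hours cutoff are assumptions to tune against your own traffic.

```python
"""Spotting silent bulk copying in web access logs.

Added example, not code from the original post or the Krebs article it quotes.
LOG is a constructed Apache combined-format sample; the threshold factor and
the "night" cutoff are assumptions to tune against your own traffic.
"""
import re
from collections import defaultdict
from statistics import median

LOG = """\
10.0.0.5 - - [12/Sep/2006:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2006:10:01:05 -0500] "GET /about.html HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Sep/2006:10:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Sep/2006:10:02:40 -0500] "GET /products.html HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2006:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Sep/2006:03:14:01 -0500] "GET /customers/export.php?page=1 HTTP/1.1" 200 2048000 "-" "curl/7.15"
192.0.2.44 - - [12/Sep/2006:03:14:03 -0500] "GET /customers/export.php?page=2 HTTP/1.1" 200 2048000 "-" "curl/7.15"
192.0.2.44 - - [12/Sep/2006:03:14:05 -0500] "GET /customers/export.php?page=3 HTTP/1.1" 200 2048000 "-" "curl/7.15"
192.0.2.44 - - [12/Sep/2006:03:14:07 -0500] "GET /customers/export.php?page=4 HTTP/1.1" 200 2048000 "-" "curl/7.15"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(log_text: str) -> list:
    """Parse combined-format lines; a '-' byte count means nothing was sent."""
    rows = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["bytes"] = 0 if row["bytes"] == "-" else int(row["bytes"])
        row["hour"] = int(row["ts"].split(":")[1])   # hour field of the timestamp
        rows.append(row)
    return rows


def per_client(rows: list, night_before: int = 6) -> dict:
    """Aggregate bytes, hit count, off-hours hits and distinct scripts per IP."""
    totals = defaultdict(lambda: {"bytes": 0, "hits": 0, "night": 0, "paths": set()})
    for row in rows:
        t = totals[row["ip"]]
        t["bytes"] += row["bytes"]
        t["hits"] += 1
        if row["hour"] < night_before:
            t["night"] += 1
        t["paths"].add(row["path"].split("?")[0])
    return dict(totals)


def flag_bulk_copy(totals: dict, factor: int = 10, min_hits: int = 4) -> list:
    """Return (ip, [reasons]) for clients whose pattern looks like an export,
    not browsing: volume far above the median client, every request off-hours,
    or many hits paging through a single script."""
    med = median(t["bytes"] for t in totals.values())
    alerts = []
    for ip, t in sorted(totals.items()):
        reasons = []
        if t["bytes"] > factor * med:
            reasons.append(f"{t['bytes']} bytes, over {factor}x the median client ({med:.0f})")
        if t["hits"] > 1 and t["night"] == t["hits"]:
            reasons.append("every request outside business hours")
        if t["hits"] >= min_hits and len(t["paths"]) == 1:
            script = next(iter(t["paths"]))
            reasons.append(f"{t['hits']} hits on one script ({script}), paging through an export?")
        if reasons:
            alerts.append((ip, reasons))
    return alerts


if __name__ == "__main__":
    for ip, reasons in flag_bulk_copy(per_client(parse(LOG))):
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

Nothing here is clever; the point is that the evidence of a copy is already in the log the server writes by default, and it only becomes an incident if someone (or a scheduled job) reads it and a person is given time to follow up on the alert.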

Data theft will not necessarily get better soon. Large-scale regulations like PCI and others are really pushing the standards higher, but they are still ambiguous at times, and can make companies look better on paper than they really are in practice. Legislation on disclosure of breaches has only really resulted in negative reinforcement for business, but a feeding frenzy for media, as companies and agencies now have to divulge incidents that have always been happening anyway. This makes it seem like it is on the rise, when in fact we're just finally getting the problem out in the open. I don't see this dying off for at least another 6 years. Once all the big businesses are shored up, we'll see tons of smaller businesses like those mentioned in the article posted above.

I foresee, for a number of years yet, businesses stepping as lightly as possible on this issue. Doing just enough to avoid negligence and satisfy regulations, but not enough to really have to admit to any problems or divulge them. "Yes, we log and monitor, but we don't see anything, so everything is a-ok! I'm sorry you had your data stolen, but we do what we can, so better luck next time."

While this may feel good today, this is not a scalable or sustainable approach.

From my vantage point in IT, I can also say that logging and monitoring and even security are not high on the lists of execs to spend money on, managers to raise issues about, or staffers to spend time on. Our #1 priority is making sure the network and systems are up for the company. This can be 100% time utilization. Our #2 priority tends to be projects that either enhance the functionality (not security necessarily) of the current network and systems or projects that are directly related to revenue-generating people or processes or clients.

Security is not yet up there, let alone logging and monitoring and responding to those logs in an ethical fashion. This is true also of software and web application developers. Functionality and deadlines and bottom-lines first, then maybe performance. Security added later (and too often just never added).

.: 10 security steps for home users

Companies and home users are definitely different entities with different approaches to computer security. Not only are some of the items different, but the solutions as well. What is important to a business may not be important at all to a home user, and the reverse is true as well. Home users value system performance, ease of use, stability, security of their personal data, and security with their identities. Home users can both be the hardest to break into and the easiest to break into, from a security standpoint.

Not every home user is technically inclined or even wants to learn to use new programs and such for being secure. For this reason, many of the best pieces of advice for home users are behavioral. Rather than "learn Linux and implement a highly guarded firewall," most users will read that and not even try. That's just too much effort to ask of most people.

You can also go crazy trying to keep up with the latest security news, updates, vulnerabilities, and patches. But why bother? Unless you're a geek or an IT professional, there is no reason to spend personal time being paranoid. Instead, home users can benefit from education and careful habits when working or playing on their computers.

For home users, I assume the user is just operating one or a couple of systems for the primary purpose of surfing the web, gaming, entertainment, and personal uses. No servers, web servers, mail servers, etc., are assumed. Once you get real servers with open services, the game changes quite a bit, and most home users do not do those things anyway.

1. Backups. Always back up important data to a second hard drive or system. If possible, do it twice and keep one set offsite somewhere. Windows has built-in mechanisms for automatic backups, but if you don't mind doing it, at least just drag-n-drop all the important stuff over. Imagine if your hard drive dies in the next hour and no data is recoverable. What is your pain? What will you miss? What cannot be recreated? Back that up. USB or Firewire drives are cheap and easy to get. Buy a spacious one and use it for backing up data regularly. If you can back your data up to a drive stored offsite or in a fireproof safe, that is even better.

2. Firewall or NAT the Internet link. Actually, it is much easier and more common for home users to simply operate behind a NAT device such as a typical cable router or wireless router from Best Buy. That is typically enough, but if the opportunity is there, run behind a Linux firewall, either iptables or SmoothWall/IPCop or something. This one step is enough to stop curious Internet-side parties from reaching your systems directly; it does nothing about what you download or click on, which is what the rest of this list is for. If you're not sure if you are protected by a NAT device, ask someone you know to check, or call your ISP and ask their support if they know. Be ready to let them know what your cable modem or DSL router model is. If you are not behind a NAT device, ask about how you can implement one. Most ISPs have recommendations and instructions on this.

3. Turn on Windows Automatic Updates. Every now and then perform a manual Windows Update, but otherwise just turn on Automatic Updates to automatically download and install on at least a weekly basis at a time when the computer will be on (like 8pm or something). Not only will this apply necessary patches, but can enhance or fix features like wireless options.

4. Practice safe computing. Do some common sense things to stay safer online. First, don't install every new and neat free program that tells you to install something or that you need something. Chances are, there is a reason it is free and enticing. Treat it like you would any advertising on television or radio and just be wary. Second, do not open any email attachments that are not sent from known people and expected. Just delete those emails. Likewise, do not click on any links in emails unless they are from known people and the email is expected. When in doubt, just delete the message, or type the address into your web browser as opposed to copying it or clicking it. Third, do not frequent questionable sites, especially when using IE. If you are visiting a site you wouldn't want your parents or kids to know you were visiting, chances are you shouldn't be there. Avoid that darker and more dangerous side of the web. Fourth, always close pop-up windows. Never click inside them or respond to ads on sites. Just never do it. Fifth, if possible, use only one credit card for online purchases, keep the credit limit as low as you can while allowing you to do what you need, and always go over the monthly statements.

5. Protect your passwords. Write down all your passwords and put them someplace safe, but easy to get to while at your computer. I know, many security people will look aghast at this suggestion, but when it comes to home users, there is little real reason to trouble people with anything more complicated. Get an envelope and write down your passwords on paper inside it, and keep it tucked safely into a drawer or even inside a book. I suggest making two copies of this and storing one somewhere offsite, especially if you do lots of banking and other monetary things online. You don't want to lose your accounts because you lost your passwords in a fire or something. I do suggest not sharing passwords amongst spouses, roommates, or even your kids. Don't let them find or use those logins. Also, do not use the same password for everything. I find it best to have 3-7 different passwords. For anything you don't care about, use your first password. For more sensitive things, use other passwords. You can use multiple, but just think if one password is swiped by a hacker and is linked to your email account which has the same password. You can't usually protect yourself from lost accounts on various websites or even forums. They may be run by unethical people, or they may be victims themselves of a break-in that divulges your personal information. More technically inclined users can look into using a program like Password Safe to store their passwords securely on their computer. Be sure to make a backup of the storage file.

6. Don't use Outlook or IE. Yes, IE and Outlook are easy to use and everyone uses them, making getting informal support painless. But just like ease of use is high for users, ease of use for malware is even higher. IE has had holes for years, unpatched, deep holes, and will continue to have them because it is so deeply married into Windows itself. Ask any IT pro to uninstall IE for you, and you will get the wide-eyed response that they can't. To make an analogy, IE is so deeply rooted into Windows, you cannot separate it out. That's dangerous, and Outlook is no better. Instead, use something less mainstream and exploitable. I recommend Firefox as default web browser and Thunderbird as an email client. Both are free, easy to use once someone opens their mind up and accepts a little bit of change, and suffice for 98% of everything users do with email and web surfing. This software switch will nearly eliminate the risk from email worms (although will not stop spam or malware attachments designed for the user to execute as opposed to running from a preview pane or through Outlook's tools) and drastically lower adware and spyware infections from web surfing.

7. Run antivirus software. Many new computers for most users come with antivirus software. Be sure it is set to update automatically, and pay for the protection if required. For somewhat technically inclined home users that practice safe common sense computing, this software may not be entirely necessary, but I suggest it for decent protection, detection of most malware, and peace of mind. I suggest F-Secure or Kaspersky as opposed to Norton or McAfee, but chances are the latter two came with the new PC. If so, stick with what is pre-installed. And yes, make sure it downloads new updates or signatures on a daily basis.

8. For wireless at home: secure your wireless. If you run wireless at home, be sure it is secured by at least WEP encryption. If available, use WPA encryption. This will prevent a huge majority of neighbors from hopping onto your wireless connection. Not only can they use your Internet link for their own traffic (legal or illegal), but they can also probe at your network and computers and sniff your traffic if they get on. And yes, trust me, young adults and kids are curious creatures and will try these things if they have that sort of knowledge. Turning on encryption will prevent any but the most determined attackers.

9. For laptop users: be paranoid when at hotspots. Lots of people get fancy with recommending Tor or even SSH proxying for secure access at wireless hotspots. But let's face it, only the technically inclined bother with such things. For all other users, just assume the wireless hotspot is not a safe network. Do not stay on wireless hotspot networks for too long. Do not log into email through Outlook or Thunderbird when at a hotspot. Do not log into a website that is not SSL-enabled. If you use IM, assume your conversations are being read by someone sitting near you, and, in some cases, assume they now have your login account and password. If you do not go to hotspots very often, or you had to chat in IM or check email, once you get home immediately change your passwords for those systems. Hotspots are fun places for geeks like me who are curious about other people, and for people who would love to do you harm or mischief. Be safe when not at home. Now, what counts as a wireless hotspot? Any wireless network that is not your home network.

10. Get help. As mentioned for small businesses, home users will benefit the most by befriending technically inclined friends and family, or even paying for the service of a home consultant or contractor to help you out. Always be nice to your experts, though, as we do tend to get tired of high maintenance users, especially if we're not being compensated for our time. I strongly suggest just asking your technical friends questions as opposed to asking them to actually do things for you. You can get a really good return, though, for paying someone a little bit of money to spend an evening or some hours tuning your system and giving you some education on what the best things to do are. All the steps above are either behavioral (education), one-time deals where you set it up and that is it, or a few that require some additional changes or on-going action. Spend some money, hire up someone on the side that knows their stuff. If nothing else, befriend them and make a night of it with pizza, beer, and maybe hang out for a movie or something while they do their wizardry.

PS: I added a "1/2" extra step in a later post on getting to know how to reinstall your operating system.

.: security posters
These security and networking posters might be worth the money someday. Kinda spendy, though...
.: apple/maynor and full disclosure

The weirdness of this whole debacle between Maynor/Cache and Apple involving possible Apple wireless driver exploits continues. There are some fishy things going on here, and Apple is being very shifty in their dealings.

I previously likened the weight and importance of this situation to what Michael Lynn went through with ISS and Cisco last year, and the similarities continue to grow. David Maynor has been forced to pull out of his revelatory Toorcon presentation which was probably going to finally pull the veil back on this situation.

Now, SecureWorks and Apple are working through a third party, CERT, on security issues. Sadly, there is the possibility that Apple may stiff-arm CERT as well, which kinda digs at a suggestion I read and agreed with that perhaps security issues need to be verified by a third party so that full disclosure and corporate protections can coexist.

Unfortunately, the integrity of a third party is then in question, as are the rules of engagement for that third party. As Brian Krebs mentions, what if CERT decides to just never authorize the release of information? We're back to having no real solution for the full disclosure debate.

If this keeps up, full disclosure will just plain happen, and corporations affected will simply be alienated from the research communities. Also, complete non-disclosure will happen by those who can't afford to fully disclose and possibly be attacked legally, which threatens the health of our systems and networks when corporations just stifle any problems with their products. In that case, one may as well sell the exploit to someone else.

Not only that, but just look at the comments on Brian Krebs' post to see exactly how inflamed and impassioned even the security industry can be, on both sides of the issue.

.: the grey area of data disclosure announcements

A little closer to home, it seems the University of Iowa has had to notify 14,500 persons that their data might have been disclosed. I like that the announcement qualified that the likelihood of disclosure was low. In other words, an attack was detected, the extent of the breach was unknown, and this data was accessible on the system.

This makes me shake my head and wonder when this disclosure storm will end. Disclosing possible data thefts and leaks is just not a scalable or long term solution. It is not even a short term solution. Very quickly we will all become numb to this activity, not care, and even if we understand what to do by reading the letters and FAQs, we still won't do much more or change our behavior as users and consumers.

But there are other reasons why this is a poor decision. For instance, there is this huge grey area on defining what is a disclosure. What if a system was broken into, but all indications point to the system being used to house pirated movies, but it *may* have had data disclosed? Do you have to disclose it if there is a reasonable expectation? What about a networked system that is not fully patched and is noticed to be out of date? Theoretically, it could have been attacked. What if the hosting company would not have detected such an attack? Is it reasonable to assume that system was never accessed fraudulently? And just where do 0day attacks fall into this picture? What if there may be the potential for disclosure in the future, which is not all that unlikely given a Windows architecture and the mishmash inner organization of most IT infrastructure from the perspective of the malicious insider? Should we disclose when information is just simply being stored in a non-optimal way?

And that is not even to begin to get into the grey areas within organizations on disclosure and reasonable expectations. Who is held accountable for hardening systems, detecting problems, escalating them to those that need to know, and then disclosing them? How much grey area or liberty will be taken with interpreting the regulations and expectations?

No matter the answers, the current practice of forcing disclosure of possible data thefts and possible identity theft is not a very good procedure and may do more harm in the long run than good. But at least it drives home to C-levels the need to pay attention to this stuff, and not just treat IT like some arcane entity working behind a large screen. The handling of information and data access is only going to become more and more important over the next 10 years (and anyone having tried to track access to data and permissions in anything but small corporations will be able to relate exactly how difficult this may be).

And yes, at least this is the start and it is something, as opposed to diving straight into analysis paralysis and doing nothing.

.: training

Having started a new job this past spring, I've had some firsthand experience in starting out in a new IT (networking/sysadmin) role. And I have since become pretty sensitive about what I think is one of the most important things with new IT hires.

Recently, more talk has surfaced about IT hiring the right people and then training them for their job, as opposed to hiring only people trained for the job and hoping they have the ethics and soft skills needed to do a quality and loyal job.

One of the biggest challenges, and in my mind, mistakes, in managing my new employment has been lack of real training when starting the job.

Let's face it, even in the midst of regulations and standards flying around about how IT should secure and run their operations, there are no two shops that do something even as simple as track and allocate IP addresses the same, let alone all the other little stuff and multitude of settings in servers and devices (one of the reasons I really do not enjoy Windows Sysadmin work as much as networking). This means that any new people are either going to sit back and wait to be shown what to do, or will attempt to dive right in and possibly screw something big up either right away or maybe not even detectable for months or years. While I do believe in just getting things done, I've seen what happens to people (especially in my last job) when they make a simple mistake or move forward too quickly and how that will paint them in the eyes of the people who matter and write the checks, even if those same people were the ones who put the pressure on getting things done quickly.

So I feel that job training early on is paramount, especially for any Windows Sysadmin type of support work that is not very finite or narrow.

Training will also acclimate new employees with existing employees to gain some team camaraderie, which will more quickly open the avenues of discussion, collaboration, and comfort in asking for help when needed.

I think the best form of training is not necessarily documentation, although that is highly important, but actually just doing some shadowing of coworkers for not just a half day or even a day, but for a few weeks, to get used to the tasks, load, culture, and attitudes of the job role and team. In this way, also, the new employee may confide their own comforts, interests, and desires to their colleagues more than to a manager, and thus their niche in the team may more quickly develop. This might bog down the existing employee who is being shadowed and sharing some of his workload with the new person, but in the long run, this is far better and I think will lead to a happier worker.

I feel that very, very few IT sysadmins and networking people can step into a job and do an effective job without lots of experience or in a contractual role that is narrow by definition.

Unfortunately, with my current job I had about a week and a half of corporate training with HR, phone systems, and other general stuff like benefits and customer service. This is all good and fine, but I had maybe a half day with the most senior analyst that I work with, and got shown the physical data center and where some things are. That was about it, for the most part...which has left me, 6 months later, still feeling disengaged and not entirely happy or comfortable with the job and network I work in. It is definitely an uphill battle that I am having to slowly tackle as the tasks slowly mount.

.: on users and it pros: working together

There have been a lot of articles and posts lately about users and the user experience and how IT interacts with users.

My "first" read on this came a few months ago in Network World, What users hate about IT pros, to which I rough-drafted a response essay I never did post on here on exactly the opposite topic, What IT pros hate about users. In the past few weeks, even more posts:

the snide IT attitude | counterproductive approaches to IT | dan morrill #1 | locutus | dan morrill #2

So who is right and who is not? Honestly, they are all right, to an extent.

There are problems with IT staff and "normal" users meeting together to work effectively and create proper solutions for a business. But the subject is far more complicated than so many writers are trying to make it out to be. In order to really look at a solution that works for a given business, the IT roles need to be better defined, the corporate culture needs to be evaluated, and then the exceptions need to be acknowledged.

IT should be sliced into smaller chunks as there are vastly different roles in an organization. What is important to an employee, and how that employee relates to such things as users, differs even in our own field. Internal application developers will be different from those that develop applications sold to external users. IT shops that host services for external clients differ from those that just host internal infrastructure. A networker is different from a help desk jockey is different from a CIO. In fact, in each of those areas there are even still different roles that the workers and managers each fit. A help desk jockey is different from a help desk manager.

Does a backend networker need to be attentive and aligned with business needs as much as his or her manager? Or perhaps the user-facing help desk jockey? What about an application developer creating a standard application that will be used by 100,000 customers versus the internal application developer creating a system to be used by 10 people all located inside the company?

Once those chunks are defined, one can then look at a target corporate culture and managerial paradigm. Only then can real statements about IT, users, and the relationship of them be effectively made. Are the users technical in nature or not? Does the corporate culture encourage worker to worker interaction across boundaries, or does all of that occur only through manager levels? Can a beer be involved? Is it important to a business to have a customized service or a standardized product?

Lastly, look for the exceptions. It is true, sometimes customers make unrealistic demands that are a detriment to IT or even the business. When a customer gets on a metro rail system, do they expect to be allowed to guide the train and stop it exactly where they want to get off? No, and to demand such when getting on the train is unrealistic. Likewise, users getting on the IT train need to plan and make requests properly as well, or at least be open to the possibility that their (and every other user's) request may not be met. While the metro rail customer may be able to appeal to the train boards to add a new stop that happens to be closer to their home, what if every user made that request no matter what part of the city they were in and were not satisfied until the train stops within a block of their house? In that case, many someones will be disappointed in their request.

There is something to be said about being a good IT provider, but also about being a good IT customer.

But what if there are to be general, blanket comments and attitudes made? Is there some credo that all IT people can live by to do their work effectively and prosperously in the business world?

Perhaps. In the end, it is not about making a better widget, improving uptime, or meeting every customer demand both internal and external. It all gets back to the things that matter in life, the soft skills of working well with people and users and IT pros. Be respectful, professional, and honest. Work together to make great things happen in a company.

To bring this back to information security, Dan Morrill says something I think is important and cannot be said enough. If we end up being roadblocks to users, users will adapt and do things some other way which may introduce security and audit issues, widen the gulf between them and IT, and cost the business money.

The real bugbear is trying to figure out how to best work with the users in a given role with a given corporate culture and with the exceptions that will occur.

.: the geek / business relationship

Go figure. Just this morning I read an internal IT newsletter about this same subject. All of this information is second-hand, but I may just check out this book soon. The book "The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive," by Pfleging and Minda Zetlin, claims that the "geek-suit" divide is inevitable. Here are some bullet points as to why:

• The tech worker, “the geek”, is a problem solver; the business person, “the suit”, is a people influencer. The geek likes to fix things, the suit relies more on people skills. Geeks and suits also interact with technology differently; the former are more interested in process while the latter are more consumed with use.

• To geeks, a piece of technology is a thing of beauty in its own right, a wonderfully fascinating puzzle. To suits, it's a tool that is only worthwhile if it helps them accomplish their objectives.

• The moment geeks are likeliest to lose interest in a project is when it's running perfectly ('Hooray! Now I can stop working on it!'). That's the moment suits are likeliest to start taking interest in the same project ('Hooray! Now I can start working with it!').

• Technology and business people differ in terms of career aspirations and lifelong goals, and relate differently to their workplaces. Tech people typically do not identify themselves by where they work but by what they do. It's more important to them that they are in the ‘community’ of, say, .Net programmers or database administrators rather than at the company where they work. Business people are much more about climbing their company's ladder.

The authors do go on to give points about how IT and business can help bridge that nearly inevitable gap, including cross-functional teams, intermingling, job exchanges, and business people doing what IT people now are doing: learning about how the other side works.

Since I spend most of my lunch periods nursing a latte at a nearby Barnes & Noble and recouping the cost by reading magazines and books, I may skim this to see if it is worthwhile to fully read and have on my shelf.

.: linux as main box - part 3: reinstall

I've reformatted my new laptop harddrive, installed Windows, and carved up the partitions to give Windows roughly 20GB, Ubuntu 30 GB, and the other 50GB for eventual virtual machines.

I did this because originally Ubuntu just decided to take the whole disk, and I've had experience with Windows just not playing nice with Grub if it isn't loaded first. So now my system is in a more or less complete state to move forward again.

This also means I've spent a bit more time in Windows again, getting the new install configured up and things back to normal with email and such. Thankfully, since I build systems so much at work and home I've learned not to get fancy. Back in the day I worked with such things as WindowBlinds to make my Windows all fancy and neat and pretty and slick. But I quickly realized I don't want to spend a week redoing all that fancy crap every time I format.

Anyway, now that Windows is situated and my old drive is mounted in a USB enclosure fitted for laptop drives, I am now back into Ubuntu and moving forward with getting things installed and using it for more every day use. Next step this week sometime: get my email ported over from Thunderbird to...Thunderbird! Piece of cake!

.: you know, microsoft really is doing it right

This article got me thinking about how Microsoft is packaging some things into Vista that will put some current software makers into a real bind, such as free antivirus protection and free pdf creation/reading programs, and no doubt more.

Immediately I bristle at the notion that Microsoft can make these things better than those who specialize in it. I immediately think about all the monopoly issues that may arise, especially if Microsoft toes the line too far (particularly in Europe) and prevents competing products from being installed.

But the more I think about it, the more I truly think they have a good approach. The average consumer couldn't give two rat asses about needing third-party antivirus, firewalls, email spam blockers, a secure web browser with pop-up blocker and decent enough features for your average middle-aged worker or teenage myspace rat (now displacing mall rats). When I buy a car, I might add on little package deals like ABS and Airbags, but I certainly don't have to shop at Sears and pick from multitudes of vendors and pray I pick something compatible that does that job I want.

Consumers just want things to work with as much security as can be put in without getting too anal about it. This is the niche the Mac has enjoyed for quite some time: elegant simplicity and usability. Microsoft needs security in their OS, and they really cannot get away with just letting third-party software makers do the hard work they should be doing. Not only is it a bad long-term approach, but it also stymies the average consumer who doesn't want to constantly tinker with firewall settings and spyware scans and keeping up to date with 6 different programs and pay for those upgrades every other year...they just want it to work.

We just want it to work, not overpower our lives with complexity (like the VCR clock), and not be a completely leaky hole. Security holes will always exist, especially in the market leader, but let's get serious about what the future is. So far, that future still has Microsoft on the forefront, even if I think Vista is going to be ugly, complex, large, buggy, and still clinging to that old underlying architecture and assumptions that made Windows 98 and XP bad. But hey, they're moving in the right direction and once that big ship gets turned the right way and starts plowing along, they'll do some more great things.

In the meantime, I'll stick to older Windows OS and Linux and pine for a Macbook in the near future.

.: you know, global blacklisting is bad

Spamhaus' recent continuing issues help convince me that spam blacklisting on a global or huge scale is just not worth it. Right now there are lots of firms doing a million little workarounds and hacks to offer up services for safe email, secure email, spam-free email, etc. All of these are built on an insecure protocol and are almost all really bad approaches that will work for a few years and for a decent scale, but are not the approach that will last.

Spamhaus was forced to take a company off their blacklist and pay millions of dollars in compensation to a mass-mailing company that won a suit against them (so I read). I've seen the cost, firsthand, to a company that gets wrongfully blacklisted (or rightfully blacklisted), and it is just not pretty.

Instead of the workarounds and hacks, someone needs to make a better protocol or force more use of the secure versions of those protocols. Let's face it, eventually all traffic is going to be encrypted or obfuscated in some fashion, even if it takes 50 years.

Better yet, adopt something new, like instant messaging over P2P or something similar. Email is surprisingly hanging on despite IM and texting and cell phone use. Will it really still be around in 15 years? I'm skeptical...

.: is security possible?

This topic has been buzzing around in my head a while now, and is finally ready to trickle out. But first, I need to set the stage. (This is going to sound more preachy than I intend, and has also become the unfortunate victim of me being interrupted a couple times at work and unable to put all of this down coherently...sigh. )

- You are never 100% secure, nor is there any silver bullet device, application, or methodology to security in this information age.

- Technology keeps moving at a fast pace, faster than it takes for any security team to dig solid trenches and fox holes and fortify the hills.

- And it keeps getting more complex, sometimes piling more complexity on top of insecure technologies. Complexity yields less security.

- Just today I read a couple doom-and-gloom articles by Richard Grimes, one recent and one from a few months ago. He has a point that security is largely lip service until AFTER "the big one."

- Also some talk about more appropriate consulting and pen-testing from Dan Morrill and Wendy.

- Let's face it, with so many different technologies, business needs, solutions (in-house and out-house), people, and problems, no two corporate networks are alike. Not even close.

Based on all of this, I am convinced of a number of things. First, we should all continue to share as much information as possible, and keep working at those communication lines. One thing that I don't think there is enough of, is on-site tours and demonstrations. Case studies are one thing, but get me and some buddies in the industry into each other's NOCs and systems and let's see first hand what is working or not working. I would love to see how a company like Boeing manages and works their campus wireless systems. Yes, it might be a security concern to let me know, but like Schneier would say about crypto algorithms, if disclosure hurts it, it's not secure anyway. Many corps have some excellent processes and setups, but they can never get talked about in meaningful ways that can help the rest of us. This is one reason I would love to become a pen-tester, assessor, or consultant...so I can see these solutions and build upon other people's hard work and loving efforts.

Second, we need to look to securing our own islands first, before we're going to be able to help with the whole world's picture. What works for one island may not necessarily work for another island. We need to be aware of that, such that not only is there no one device or application that can give 100% security, but there is also no such device or application that is appropriate for all environments (something the sales people don't understand). If we can't handle the microcosm of our own networks, we have no hope to make sense of the macrocosm of the Internet and the world's networks. Your island may be the only place you'll be able to experience a wave of security nirvana...at least for a few moments. Besides, if internally we are unable to quickly show who has access to our client XYZ's data that we are a custodian of, how can we begin to counsel other islands on how they should handle information?

Third, we need to fight the battle of complexity. Technology will move on and keep getting complex, but many attacks and defenses and competencies of security and security professionals remain grounded in simple basics. We need to keep those basics at the forefront of our minds, not make the security process so complex that we all stand up so high on rickety scaffolding as our foundation to climb to the clouds. Yes, it can be complex and full of frills and thrills, but never compromise the basics for those complexities.

Yes, security seems like a losing battle, but that is what makes this field exciting, ever-changing, a challenge, and a solid career. :)

.: analogy thursday: web surfing

I am going to deem today analogy Thursday, as I was looking for some ideas on analogies for how dangerous the Internet is, namely the web. It is just an odd situation that the Internet is inherently bad and malicious and that users need to take care when surfing. Yeah, like many people really truly take care...

What if television surfing were as dangerous as web surfing? This means that as you flip channels into some of those more obscure higher-digit stations, one may just hijack your television box and switch channels around, or just force them to switch much slower or only view their station until you reset the box and start from scratch. Oops!

What if shopping in a mall were as bad as surfing for places to shop online? Outside of some shops we'd have people jumping up in front of you with signs and coupons and good deals in hand, sometimes getting right in your face and flashing their goofy colorful smiles, causing young children to begin crying. In addition, random stores may put things in your pockets that you won't realize melted in the hot sun until you get home and put your hand in there. Oops! They might even put an RFID tag on you while you're not paying attention, and then follow you around through the rest of the mall. And city. And into your home, happily writing down everything you do on the off chance that they will learn how to market better to you. Who knows when you get into those stores!

And those free samples of chicken at the grocery store? Yeah, nothing is free. In fact, those samples contain powerful lingering doses of laxatives that will force you to stay on the pot for an hour each day for a month. But hey, the grocery store offers toilet paper and other remedies for a fee to help deal with that!

What if browsing a library for books to read were like browsing web sites? Every now and then, a book would take it upon itself to grab your arm and not let go, despite the alarms you cause when you walk out of the building and the nasty looks you get. In fact, some books may look like children's books, but inside are pop-up porn cut-outs. Oh, those long-lost joys of pop-up books! Yay!

Now, the one place where an analogy is a lot more appropriate for the web would be roaming around in nature. You never know if you might turn a bend and run into a bear, a rattlesnake, or even swim up on a stingray. You might just get chomped, bit, or speared if you're not constantly careful and aware of the dangers. And the more dangerous a particular area seems, the more likely it is dangerous. Thankfully nature typically provides warnings such as a snake's rattle or colorful markings on dangerous creatures. Likewise, web sites give off warnings too, if you know how to look for them. And would you stick your hand in a strange hole in the ground or sleazy looking pond without first doing some risk analysis on the odds of a badger or water-borne parasite being present? And let's not even think about ninjas and how they might stealth up on the trail when you least expect it.

The web isn't what it used to be. While it has become prettier (not including MySpace pages which is the new GeoCities) and more useful and informative, it has certainly become a lot more dangerous, insidious, and complex.

.: productivity gain from 30-inch monitor?

A researcher has proposed that it is worthwhile to get a 30-inch Apple monitor ($1999) because it improves worker productivity.

I really think some researchers are just not that thorough. Yes, you can likely get more work done with more desktop real estate, but how does this compare to a dual monitor setup with, say, two 17-inch or 19-inch monitors, which would cost far less than $1999? I think unless you need contiguous screen space (such as with AutoCAD, Photoshop, or maybe movie editing), the dual or even triple monitor approach is much more worthwhile than one huge single screen.

Do we even need dual monitors? Not necessarily. I currently work on just my laptop screen, although I certainly would make full use of dual monitors like at my last job or at home. As a networking and security geek, I could actually make use of 10 monitors if I had them, displaying things like dashboards, traffic sniffing, alerts, remote control sessions, etc. But for your normal workers, one monitor, maybe two, is sufficient for their job. Eventually, I get into the realm of wanting separate systems as opposed to more desktops or monitors.

I will say, if you want to impress pretty much anyone at work, grab a spare system or two, set it up next to you, and have it running pretty graphs, traces, and dashboards nearby. People seem to think that amazing, even if it is just gibberish. :)

.: user education does not work

From a CNET article,

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

His first sentence is correct. It is true, user education will not solve our problems. If education solved our problems, we would have a different president right now.

Indeed, as I always say, security is a secondary goal, even for developers and network administrators, let alone your average regular user. Functionality is always first, i.e. getting things done. "Getting it done securely," while a way for managers to package in security as just as important to getting it done, is still just a qualifier to "getting it done."

The second sentence is correct as well: we need to embed security in the process as much as possible. The systems need to be more protected from dumb users or just simple mistakes in judgement. The network needs to be more protected. This is the real key where prevention systems come into play. Detection works wonders, but the assumption that users will make mistakes means you need prevention, mitigation and incident response, and audit trails (detection and logging).

And then his last few sentences are the real problem. We have to do these security things without impacting the user's primary goal of getting things done.

Now, I really believe education will not solve our problems, but it will go a LONG way toward helping. Just because education doesn't solve all our problems is not a valid argument to say we should throw our hands in the air and not do any education. I like the mention in the article about giving users some education while actually attending to a problem. This is highly effective and focused education that can have an impact. Education makes an impact and some people do want to learn and be better about it, but it is true, it won't solve ALL our problems. But the speaker is correct, we shouldn't hold up education as the root solution to our problems.

It is highly important to make sure security does not unduly interfere with employees getting their jobs done. However, this goes both ways. Employees need to be receptive to changes in their job. A security-induced change may not even impact users if they were to just adopt the new way of doing their job. Sometimes this battle between security and usability is just human nature being stubborn and unwilling to change, even if those changes result in less work for the user.

I've slowly become a minor proponent of having fewer rules and less impact on users. I detest rules and limitations on my computer use at work, which impacts my happiness and thus my productivity. Now, I may be a bit more progressive in my use of the Internet than many people that I work with, but slowly, attitudes will change as more and more people enter the business world who have grown up with a computer in their rooms and whose social lives have long incorporated the use of a computer through web pages, blogs, IM use, email, music, and so on.

We still need education, but we also need to make sure we do our professional diligence on the back-end systems and networks before dictating what users can and cannot do. And I truly believe we need fewer rules, overall, in our businesses. We just need smarter rules and enhanced incident response. Rules stifle innovation and happiness, and we need both in our businesses.

.: application whitelisting

Read this article on DarkReading.com about whitelisting of applications. I like this point:

But whitelisting has a down side. These endpoint tools come with plenty of administrative overhead as well as security risks. "The institutional overhead in maintaining them is extreme," says Thomas Ptacek, a researcher with Matasano Security. "Some poor group of souls in IT is charged with deciding which applications every sales person or project manager can run, and has to backstop all the ensuing arguments."

What are the pros and cons of application whitelisting, and where do I stand?

PROS
First, when machines are imaged or supported by IT, they should have a list of applications that need to be loaded for new hires or replacement machines.

They should also have a list of applications to expect, that IT may or may not have to provide at least a little bit of support for (yes, we'll help you with Outlook; no, we won't help you with Alefox or IE toolbars). Related to support, security persons responsible for keeping up to date on patches need a list of applications they should be checking. IT should not be expected to be knowledgeable on patches for every toolbar app that may be used in the corporate environment.

Additionally, disaster recovery may require knowledge of what is necessary for groups such as sales people to do their jobs.

Much like firewall rules, default deny with a whitelist of allowances is much easier to maintain than a blacklist. You can blacklist categories of applications (P2P, IM, etc.), but the lines between those categories continue to blur, and a blacklist only ever catches what someone has already thought to name.
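To make the default-deny point concrete, here is an added example (my own illustration, not code from the DarkReading article or from any whitelisting product). It puts a name-based category blacklist beside a hash-based allowlist and runs four constructed "binaries" through both: the supported mail client, a tampered copy of it with the same filename, a P2P client under its real name, and the same P2P client renamed. The byte strings standing in for executables and the filename patterns are made up for the demonstration; the `approve()` step is the "poor souls in IT" work Ptacek describes, expressed as a function.

```python
"""Default-deny application allowlist vs. a name-based category blacklist.

Added example, not from the original post. The "binaries" below are
constructed byte strings, not real executables; in practice you would hash
the file on disk.
"""
import fnmatch
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents.
APPROVED_OUTLOOK = b"MZ\x90\x00 outlook build 11.0"
TROJAN_OUTLOOK = b"MZ\x90\x00 outlook build 11.0 + dropper"   # same name, altered bytes
P2P_CLIENT = b"MZ\x90\x00 utorrent 1.6"

# Allowlist: exact hash of every binary IT has imaged and agreed to support.
ALLOWLIST = {
    sha256(APPROVED_OUTLOOK): "Microsoft Outlook (supported)",
}

# Blacklist: category rules keyed on filename patterns only (constructed).
BLACKLIST_PATTERNS = {
    "P2P": ["utorrent*.exe", "limewire*.exe", "bittorrent*.exe"],
    "IM": ["aim*.exe", "msnmsgr.exe"],
}


def blacklist_decision(filename):
    """Deny only if the name matches a known-bad pattern; allow everything else."""
    for category, patterns in BLACKLIST_PATTERNS.items():
        if any(fnmatch.fnmatch(filename.lower(), p) for p in patterns):
            return ("deny", "blacklisted category %s" % category)
    return ("allow", "no blacklist match (default allow)")


def allowlist_decision(filename, contents):
    """Allow only if the file's hash is on the approved list; deny everything else."""
    digest = sha256(contents)
    if digest in ALLOWLIST:
        return ("allow", ALLOWLIST[digest])
    return ("deny", "%s not on allowlist (default deny)" % filename)


def approve(contents, label):
    """The maintenance step: IT vets a binary and records its hash. Returns the hash."""
    digest = sha256(contents)
    ALLOWLIST[digest] = label
    return digest


def compare(filename, contents):
    """Run both policies over one file and return the two verdicts."""
    return {
        "blacklist": blacklist_decision(filename)[0],
        "allowlist": allowlist_decision(filename, contents)[0],
    }


if __name__ == "__main__":
    cases = [
        ("outlook.exe", APPROVED_OUTLOOK),   # supported app, untouched
        ("outlook.exe", TROJAN_OUTLOOK),     # same name, tampered contents
        ("utorrent.exe", P2P_CLIENT),        # P2P client under its real name
        ("updater.exe", P2P_CLIENT),         # same P2P client, renamed
    ]
    for name, data in cases:
        print("%-14s %s" % (name, compare(name, data)))
```

The renamed P2P client and the trojanized Outlook both sail through the blacklist and both fall to the allowlist, which is the whole argument for default deny. The cost shows up in `approve()`: every legitimately new or updated binary has to pass through someone's hands before users can run it, which is exactly the overhead the article complains about.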

CONS
Take this scenario. Sales requests a new application on their machine. Those "poor souls" in IT then have to research it and either add it to the whitelist or explain why it should not be allowed. With strong policies and management support of policies, this might be ok, but I believe most companies will put those "poor souls" in the unfortunate position of either saying "yes" to requests or being in a hard place when trying to say, "no." The end result is wasted resources, unnecessary negative feelings towards IT by the sales group, and overall less authority. What if the sales group has already been using the application for 4 months? Those "poor souls" really are poor souls.

(Honestly, those "poor souls" need to be backed heavily by a manager-level person, otherwise anyone smart enough to do proper evaluations and even backstop the ensuing arguments is not going to be in this sort of a position for very long.)

And what if each department is asked to create such a whitelist of programs that are needed? I've seen managers throw back every single program they can think of, whether it is really necessary or not. "All of them." Many managers and business users do not care to be bothered by such things, but will detest IT making the decisions for them.

As long as users run Windows, run as Administrator, and all sorts of things want to get installed or used (some even as benign as a proprietary web player like Flash or similar), trying to maintain a whitelist of programs that are necessary is difficult.

Whitelisting will stifle innovation and the ability to try out new applications and tools.

So, where do I stand in all of this?

I think some whitelisting is necessary, but it cannot end up being heavy-handed unless the company has some serious security requirements, small niches for their computer use, or is a majorly large network where application management is nearly impossible. IT certainly needs to maintain a list for proper imaging and support of workstations.

This goes back to what I said in my previous post: fewer rules.

Fewer rules. Smarter rules. Better mitigation, response, tracking. Better perception of organizational IT. Let people, within reason, do as they wish on their workstations in order to have a productive, happy life with the company.

.: google desktop search forensics
This paper about the use of Google Desktop in forensics is concise and informative. The most interesting aspect of this is just how much Google Desktop indexes and makes copies of. Email, local files, network files, and even web surfing histories are stored independent of those applications or the OS. This means that even a laptop that shouldn't have sensitive data on it may still contain copies of open network share files that the user has access to, confidential emails, or even files from other users on the same system. In addition, web surfing history and some artifacts are also retained, even if the user attempts to clear those things in the browser options or with a third-party privacy tool.

The only limitation so far is the inability to just read the files. You have to copy the files to a separate machine, make them read-only, and then open those files in that machine's Google Desktop Search tool. But still, this can act as a powerful tool to find some artifacts. It can also act as a surprising vector for data leakage in an organization.
.: crimeware and phishes

I think one barometer of how IT and security are moving more in tune with the business world instead of being some back room geek department, is how often I read buzzwords and newly created words.

I just read the Websense H1 2006 Security Trends Report and was amazed at all the new words I found.

We have malware, adware, and spyware. I guess I should have seen crimeware coming. I guess Websense means crimeware is software used to commit a crime? I think I will stick to malware as my term of choice. I have also seen eCrime.

I also gleefully read how a host with multiple phishing sites is termed to be host to numerous phishes. Phishes...does that mean the host can be called a phish tank, or perhaps a pond? And would abandoned sites be phishheads? The report also referenced spear phishing, which is a more targeted phishing attack. Honestly, I think almost all phishing attacks are a bit targeted. While that term I have heard before, it still amused me since I started looking for these creative terms.

Screen scraping applies to those malware components that take screenshots of the user's screen, a means to thwart CAPTCHAs and virtual keypads, kind of like a keylogger for the whole screen itself. Screen scraping just does not sound fun, and reminds me of a window washer or perhaps a visit to the dentist.

Now, while I might poke fun at the report for the terms used, the information presented is excellent and a very good read on the trends that Websense has been experiencing so far this year.

.: blackhat and hitb papers and presentations
All of the HITB2006 papers are online now.

A quick pointer to an archive of Black Hat media presentations. Save the interesting ones, since they do cycle them regularly.

Black Hat 2006 papers and media are available. Scroll down for the video portions. Also, the archives are a good place to be for even more media.

Defcon 14 presentations

Black hat 2006 presentations
.: 10 tips for using vpns
I know this is ComputerWorld, one of the ad-driven free mags that tend to review products and state the obvious, but this quick article on 10 tips to secure VPNs is a pretty good and quick read with some specific technical details as well as common sense items that are sometimes hard to get management levels to listen to (such as only opening the VPN to those who truly need it). I like that some of the points are actually alternatives, such as secured mail or SSL/passworded web sites when, really, the need is smaller than the justification for a full VPN solution. Unfortunately, other items, like jailing VPN users off from the rest of the network, are a bit more advanced and complicated.

Of note, this response was given on Infosec News and deserves to be read in conjunction with the original article as the author makes some excellent points.
.: screencast and vnc2swf
Screencapture in Linux can be tricky. Here are two resources to check out.

Wikipedia entry
vnc2swf
.: dd-wrt
DD-WRT is a replacement firmware for some WAPs, including the models I have extras of. Adding to my personal project list.
.: security podcasts

About 6 months ago I started delving into the world of podcasting and began to quickly try and figure out which computer security-related podcasts were worth the trouble to download and check out.

I never did find a groove with my checks and samples. I don't have iPod support in my car, and really don't find myself just listening to them in the background while I do other things. If my car were more equipped, I may have checked into things more. I also didn't have the habit of listening to them otherwise, or the time to download them and catch up or keep track of all of their release times. I don't use iTunes for my own personal reasons (I would if I had a Mac), and none of the other downloaders were really all that excellent. Doppler was the best, but there was always that one odd podcast that Doppler couldn't track and auto-download, which eroded the whole experience. As such, I just this weekend deleted all the old ones I had downloaded and have shelved the pursuit.

But now I see Chris Brunner did some of the hard work for me of culling out the less useful podcasts, and created a list of them on his own site. I need to update my own geek site links with a few of these new ones that I didn't have, and try to resurrect this habit. I'd love to keep up with security through this medium as well as print news.

.: the questions we ask

A recent SANS Handler Diary entry reminded me of the importance of keeping at hand a list of The Questions that we should ask as IT and security professionals. I need to keep updating this list, as they will all likely be questions I will want to keep at hand throughout my entire career.

- If hard drive X were to die right now, could you confidently rebuild it using backups or other documented knowledge? This applies to any system from the most critical server to the least important spare system to any employee workstations.

- If incident X were to happen right now, what is your response procedure? Apply this to the most benign alert up to a major hacking incident that is right now being executed, successfully. Would you have an available audit trail?

- How do you know your network or systems are secure?

- How do you know that there are no rogue wireless access points giving access to your network (or that your users might be hopping onto nearby)?

- Are network diagrams, documentations, and inventory up to date? Include process documentation.

- If one of your users (CFO to call center ops) is specifically targeted by a 0day emailed exploit, how will they react? Is user education appropriate and is IT held in enough regard to have incidents reported?

- If a complete network audit were to be done now, what might you be surprised to see still in service, accessible, or configured? Yes, even networks need to be flushed, cleaned out, and retooled regularly.

I hope to add more.

.: botnets: the next cyberwarfare frontline

eWeek poses the question on whether the botnets have already won. Botnets are not new, but they have been hot news for the past year or so. Unfortunately, while technology likes to move quickly, and vulnerabilities appear and disappear even more quickly, botnets are a fact of life on the wire that is not going to go away any time soon. In fact, I firmly believe we've only just begun to see the power, effects, and changing landscape of the wire that botnets are catalyzing. The article mentioned is an excellent look at the situation.

Defending against botnets is difficult, if not outright impossible right now. Traffic jamming at ISPs or even local networks is useless when the bots tunnel through common ports. Traffic inspection is useless when the bot traffic becomes encrypted or the attacks themselves are real traffic. Shutting down C&C servers is futile now that botnets can work with existing dynamic features on the Internet, can become smaller autonomous units, or just plain efficiently change servers in an instant. Centralized tracking, detection, and disinfection of bots is not cost-effective for anyone because many home users who are infected have no idea they are infected nor have any idea how to fix it without a lot of hand-holding. Besides, it is a common fact that securing every system on the Internet is just not going to happen. Coordinating efforts across nations and continents is not supportable at this time, and even if an effort got underway, laws are still far behind technology. Botnet code can be reverse engineered and attacked directly, but, much like signature-based detection, that is thwarted by as little as a single bit change, let alone polymorphic code. And attempting all of these things is still tough to do in as lucrative and profitable a way as the attackers. The article even mentioned that some significant work is done by volunteers.

To strike up a poor analogy, imagine that cars are able to be controlled remotely (not all that far away considering we can monitor the status of cars now and unlock them from a central system or install navigation systems), and I have a way to control half the cars in your neighborhood. What would happen if I have them all play demolition derby with your house? Imagine that some of them are unmanned, but some are manned with trapped drivers. You can build walls, attack each one with rockets, put mines up all over, build a basement they can't get into, build fake houses so they may or may not get your real one...

So, what about beating botnets? Where are some of the weak points to attack? Well, first of all a botnet might be able to be wielded against a botnet, although to what aim, that is a bit unknown, as are the ethical implications. However, it is only a matter of time before a government decides to have its own botnet for cyberdefense and attack reasons. Whereas so many simulations talk about targeted attacks and actual hacker penetrations shutting down systems, something as simple as a coordinated, specific DDoS attack by a botnet can stranglehold critical services. Ask any company that has gone out of business due to a sustained DDoS on their systems.

Botnets, in the end, are still controlled by one or a small number of skilled people. Those people need to be ferreted out and shut down or neutralized or brought to justice. While law enforcement is still largely powerless against foreign-based attackers, I can foresee a time when more secretive agencies or corporate-sponsored groups clash on the cyber battlefield as both attempt to protect their interests. Still, take out the people doing the intelligent coding...

Corporate IT security can move outward to protect employees even at home or on home networks. The real skill in cleaning infections and increasing security at work or at home still lies with IT professionals getting their hands dirty and educating users, even just a little bit. While corporate entities can do a decent job internally, so often we shy away from opening the doors to home support (and mostly rightly so...). It definitely would take a commitment from top management, but does make sense even from an HR perspective.

Better Operating Systems and security products for the home would be a step in the right direction, but will never be more than a variably-sized speedbump for botnets and attackers. Still, some protection is better than none, and a secure or less popular OS is better than putting oneself in the midst of the low-hanging fruit masses.

No matter how this plays out, the botnet war is worth watching. This is still only the beginning and is a major issue that few people want to talk about because of how debilitating it can be and how nearly impossible it can be to defend against or prevent. But this is a topic that will be shaping our security and maybe even our networking as a whole for the next ten years. Mark my words. :)

.: we have deflected a hacker attack!

I am amused and irritated by regular news reports lately that come in one of two flavors.

First, the articles about how information disclosure occurred at an organization and that X amount of people were notified, a hotline set up, and a web site created with answers to common questions that the possible victims may have. While all of this is good and detailed, rarely is there any discussion on two things I most want to know: How did the attack occur, and what assurances are there that the information on the system was all that was exposed? My guess is that these are cloudy questions with even cloudier answers...which troubles me.

Second, articles that state an organization thwarted or repelled a hacker attack. Ok, how do you know there was a hacker attack? Who was it? What did you do to thwart it? Was there even an incident at all? I guess if I wanted to drum up my IT team, I could spread word that when Snort gave an alert about a sendmail.pl exploit attempt against my server (captured in IIS logs) that doesn't even affect anything on my server nor would ever potentially affect it because we don't run sendmail, I can go ahead and raise the flags and drop confetti because my team...hell...*I* saved the day and thwarted a hack attempt!

As a technical individual, I am quickly requiring details, or it didn't happen. Screenshots or it didn't happen!
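The sendmail-probe-against-IIS scenario above is the everyday version of this problem: an IDS fires on a signature for software the target does not run. An added example, not from the original post: the script below parses constructed Snort-style "fast" alert lines, looks the destination up in a (constructed) asset inventory, and marks each alert as "not applicable" when the signature's target platform is absent from that host, "investigate" otherwise. The inventory contents, the signature-to-service table, the SIDs and all the addresses are made up for the demonstration; the point is that the alert alone is not an incident until it is matched against what the target actually runs.

```python
"""Triage IDS alerts against an asset inventory.

Added example, not from the original post. The alert lines follow Snort's
fast-alert layout but are constructed, as are the inventory and the table
mapping signature keywords to the services they target.
"""
import re

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed inventory: what each monitored host actually runs.
INVENTORY = {
    "192.168.1.10": {"os": "Windows Server 2003", "services": {"iis", "asp.net"}},
    "192.168.1.20": {"os": "Linux", "services": {"apache", "perl-cgi", "sendmail"}},
}

# Constructed mapping: if the alert message contains the keyword, the attack
# only matters when the target runs at least one of the listed services.
REQUIRES = [
    ("sendmail", {"sendmail", "perl-cgi"}),
    ("WEB-CGI", {"perl-cgi"}),
    ("WEB-IIS", {"iis"}),
    ("MS-SQL", {"mssql"}),
]

# Constructed sample alerts in Snort fast-alert layout.
SAMPLE_ALERTS = [
    "08/15-14:22:01.123456  [**] [1:100001:1] WEB-CGI sendmail.pl access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:4455 -> 192.168.1.10:80",
    "08/15-14:22:03.223456  [**] [1:100002:1] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:4456 -> 192.168.1.10:80",
    "08/15-14:22:05.323456  [**] [1:100001:1] WEB-CGI sendmail.pl access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:4457 -> 192.168.1.20:80",
    "08/15-14:22:09.423456  [**] [1:100003:1] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.9.8.7:1234 -> 192.168.1.99:161",
    "this line is not an alert and is skipped",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(alert):
    """Decide whether an alert deserves a look, given what the target runs."""
    host = INVENTORY.get(alert["dst"])
    if host is None:
        return ("investigate", "target not in inventory: unknown asset")
    needed = set()
    for keyword, services in REQUIRES:
        if keyword.lower() in alert["msg"].lower():
            needed |= services
    if not needed:
        return ("investigate", "no platform knowledge for this signature")
    present = needed & host["services"]
    if present:
        return ("investigate", "target runs %s" % sorted(present))
    return ("not applicable",
            "target runs %s without %s" % (host["os"], sorted(needed)))


def triage_log(lines):
    """Parse and triage every alert line; non-alert lines are dropped."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        verdict, why = triage(alert)
        results.append((alert["sid"], alert["dst"], verdict, why))
    return results


if __name__ == "__main__":
    for sid, dst, verdict, why in triage_log(SAMPLE_ALERTS):
        print("%-12s %-14s %-15s %s" % (sid, dst, verdict, why))
```

Only the first alert, the sendmail probe against the IIS box, comes back "not applicable"; the same probe against the Linux host, the IIS-specific probe, and anything aimed at a host nobody inventoried all still get a human. The conservative defaults (unknown asset or unknown signature both mean "investigate") are deliberate: the inventory is what lets you say "nothing happened" with a straight face, so gaps in it should cost you work rather than silence.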

.: passwords are not great, but they are not broken either

I love articles like this short bit about password security from eWeek because there are simple parts to them that I like and other parts that I really disagree with.

What I agree with: Yes, I truly think biometrics will continue to increase in widespread use, even down to individual systems. But unlike passwords, the simple use of these things can produce false positives or false negatives and will not reduce any dependency on help desks. In fact, help desks might be even more encumbered, as fixing biometric logon issues is a bit more complex and dangerous than just resetting someone's password.

Yes, I think single sign-on technologies should be focused on as much as possible, even though they tend to be a luxury for many IT departments as opposed to what just happens. But single sign-on technologies should not be confused with actual authentication technologies. They are separate entities.

And yes, users tend to write down their passwords just like people put spare keys under their car, under the doormat or nearby garden rock or on the back door frame.

What I don't agree with: Passwords written down on paper are better than easy-to-remember passwords that are not written down, especially passwords that are too simple. While a complex password might be written down on paper next to a desk, an attacker still must have local access (either personally or through an insider) to the physical facility to read the paper. A simple password on a networked system can be guessed or cracked. So I find it dubious to dismiss passwords simply because they can be written down. For technical people who are comfortable with passwords and password safety, they are just fine.

No IT help desk should complain about user password reset requests. That is why that business function is there, and any alternative is going to be more of a headache than verifying the user and resetting the password. This should not be an argument for alternative forms of authentication.

In the end, there is no 100% perfect authentication system, which is why I dislike articles like these which try to dismiss one because it is not 100% perfect, and market others (whether a new idea or just the same old rote from 2 years ago, like this article). Yes, passwords have issues and there are risks associated with any level of their use, but they are easy and are going to continue to be used for many, many years to come for a variety of things (although perhaps the highest security for information and perhaps corporate use may shift as higher order tech lowers in cost).

.: blog comments lost in the wind

I just have to say I think more blogs should email commenters on responses to their comments. Too often I make a comment that I'd love more dialogue about, only to never remember to hit that blog again until more news has buried what I commented about. I don't like fire-and-forget blog comments...but I frequently forget to check back. I imagine I am not alone.

Then again, perhaps that would get spammy with lots of commentors...and that might be open for abuse as well.

Dang, well, the idea SOUNDED good... Hmph.

.: process and documentation, the art of

The more I work in small-medium companies that act as ASPs (application service providers, i.e. we host servers that our clients use), the more I realize there comes a point where process outweighs getting things done.

Instead of fielding requests as they come in and just getting the work done, change management starts to tickle the back of the throat and more and more, documentation and process need to be invoked. When a request comes in, a process is begun to deal with that request and tie it into any other processes.

For example, an SSL renewal is not just an SSL renewal anymore. Not only does the new certificate need to be installed on the web server, but the new certificate and its private key need to be loaded into our IDS/IPS so it can keep decrypting and inspecting the traffic; miss that step and the sensor goes blind on that site without any alert. While one person doing all of this can keep track of it, eventually, as growth continues, multiple people doing these things means steps may possibly get lost. Ack! ...And this is one of the simple ones.
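One way to turn that renewal step into a check instead of a memory, as an added example that is not part of the original post: compare the SHA-256 fingerprints of the certificates the web server is configured to serve against the certificates loaded into the IDS/IPS decryption store, and report anything served but not loaded (the sensor will go blind) or loaded but no longer served (safe to retire). The PEM blocks below are constructed placeholders (base64 of short byte strings), not real certificates, and the assumed inputs are the two PEM files; the parsing and fingerprinting are exactly what you would run on real ones.

```python
"""Check that every certificate a web server serves is loaded into the
IDS/IPS decryption store, so a renewal does not silently blind inspection.

Added example, not from the original post. The PEM blocks are constructed
(base64 of placeholder bytes), not real certificates; the fingerprint is
SHA-256 over the decoded DER bytes, as it would be for real ones.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def _fake_pem(label, payload):
    """Build a constructed PEM block for the demonstration."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed stand-ins for the files involved in a renewal.
NEW_CERT = _fake_pem("CERTIFICATE", b"constructed leaf cert, renewed 2006")
OLD_CERT = _fake_pem("CERTIFICATE", b"constructed leaf cert, expiring 2006")
CA_CERT = _fake_pem("CERTIFICATE", b"constructed intermediate CA cert")
KEY = _fake_pem("RSA PRIVATE KEY", b"constructed key material")


def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of every CERTIFICATE block, in file order.

    Other blocks (private keys, CSRs) are skipped; CRLF line endings and
    base64 line wrapping are tolerated.
    """
    fingerprints = []
    for m in PEM_BLOCK.finditer(pem_text.replace("\r\n", "\n")):
        if m.group("label") != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(m.group("body").split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def renewal_gap(webserver_pem, ips_store_pem):
    """Report what the sensor is missing and what it still carries needlessly."""
    served = set(cert_fingerprints(webserver_pem))
    loaded = set(cert_fingerprints(ips_store_pem))
    return {
        "missing_from_ips": sorted(served - loaded),   # sensor cannot decrypt these
        "stale_in_ips": sorted(loaded - served),       # no longer served, can be removed
        "in_sync": served <= loaded,
    }


if __name__ == "__main__":
    # Web server has the renewed leaf, the chain and its key; the IPS still
    # holds last year's leaf and the chain.
    gap = renewal_gap(NEW_CERT + CA_CERT + KEY, OLD_CERT + CA_CERT)
    for k, v in gap.items():
        print(k, v)
```

Run this from the same change ticket that renews the certificate and the check fails until someone actually does the IPS import. In a real deployment the web server side would be pulled from the live listener rather than a file, but the comparison is the same.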

What makes all of this even more fun is the propensity for people to want to avoid documentation and process and change management. It slows things down and sometimes brings out some weaknesses in how people document and write and attend to detail. In fact, out of about 25 IT people I have worked with extensively, only about 4 have not heavily resisted these tasks (this includes.

This is kind of a reason I include a line on my resume below my college degree that states I also have a background in "environmental sciences." There is nothing like lab work in genetics, biology, physics, or chemistry to ground oneself in documenting observations and drawing valid conclusions which can be recreated and clearly conveyed to others. Having had an interesting 2.5 years of that work, it does make a difference when troubleshooting networks and documenting process.

.: 10 dangerous things users do online

Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:

- Clicking on email attachments from unknown senders
- Installing unauthorized applications
- Turning off or disabling automated security tools
- Opening HTML or plain-text messages from unknown senders
- Surfing gambling, porn, or other legally-risky Websites
- Giving out passwords, tokens, or smart cards
- Random surfing of unknown, untrusted Websites
- Attaching to an unknown, untrustworthy WiFi network
- Filling out Web scripts, forms, or registration pages
- Participating in chat rooms or social networking sites

Some things I would add: participating in P2P or IM services at work; not evaluating whether the audience of an email they send out should be reading the information in it; purchasing and installing random devices on their computers (iPods, wireless APs, mobile handhelds...); and the list can go on...

.: windows vista security

Thought for the weekend.

Microsoft wants to fortify its own operating system, Windows Vista. But will it be forced to keep the OS insecure because there is a big market for companies that secure Windows? Imagine the extreme. What if Vista were a highly secure OS? Would these companies curse Microsoft for putting out a good, solid product?

Talk about a bad situation...

.: google placed as the new centralized pc

Just wanted to again mention that Google Reader is amazingly awesome. It has certainly solved my problems with managing news sites, reading news daily, blogs, and rss feeds.

Google is doing something right with their "web 2.0" apps or pseudo-web 2.0 apps depending on whom you ask. I really appreciate the ability to look at my news sites from any system from any net connection. I think as the world becomes more mobile and people begin to have multiple computers (and devices) both personal and even counting their system at work, the freedom and demand to be able to access things remotely is going to increase dramatically. And it is not enough to push VPN technology and remote control solutions (all those RemoteToMyPCAnywhere sites can go to hell, really). In the end, the most-used apps are going to slowly creep towards being web-delivered just like webmail is. I can access Gmail from anywhere and get the same experience as if I were on my personal machine. I can do the same exact things from my Linux and Windows boxes, just by using a web browser.

Google has a good head-start here by identifying the most-used apps on computers, and attempting to replace them with web-driven alternatives. Email, IM, voip, Office, news (RSS), entertainment, and so on.

It is no longer about being able to roam from computer to computer in a corporate environment and have my own profile and settings and apps available. It is about roaming anywhere in the world and still having everything I need.

.: how to improperly support separating ethics and computer security

Ira Winkler from ComputerWorld has a rather controversial article up about the separation of ethics from computer security. This is IT journalism at its most typical: they can write about it, but they don't know it. He does have some points, but otherwise he also has dubious claims.

There are a few things Ira conveniently leaves out or is not even aware of in regards to this subject.

1. The methods to detect, investigate, and enforce ethical behavior on computer systems utilize many of the same functions that computer security uses. This means there is a natural integration of the two. Computer security requires virus scanning and data/file inspection of some sort. Unethical copyright distribution will utilize similar tools and the same staff.

2. There is a tendency to generalize. If someone is visiting bad web sites that are unethical to visit inside the corporate network, there could be security implications. Too often, those same sites house malware and other bad things. This is just a tendency, but that is what computer security is about. It is not just 100% black and white. The twin goals of ethics and security help to fully dictate that those sites are offlimits and against policy. In short, why make two policies when they support each other?

3. If there are too many points to make when educating users on computer security and ethics, that is not an argument to separate the two entirely. It just means the education needs to be structured better to accommodate making only one or two points. Perhaps ethics can be split off during the education process, but this is simply not a valid supporting argument. It would be difficult to teach users about email security, password complexity, phishing attacks, and proper data usage in the copy room at one time as well. So does that mean those should not be computer security either?

4. What does Enron have to do with this discussion other than being an excuse to bring up a popular culture/media example?

5. What does physical security have to do with this argument? Yes, security staffers may be disdained for being those who mete out punishments, but it makes no sense in an argument to separate ethics and computer security. The argument would be to minimize our negative impact on users. Well, by that token, should we separate out incident response, since that tends to be negative? What about when a virus is detected on a machine and we have to go inform the user and slap their wrist for downloading it in their email and saving it? This argument makes no sense.

6. Ira would have been better served by not bringing up phishing attack examples and how those are mechanical in nature while ethical decisions are not as straightforward. Tell that to the people doing studies on how difficult it can be to detect phishing websites. In fact, I would conjecture that most unethical behavior in a workplace is *easier* to determine than some of the "mechanical" computer security issues, especially for non-technical people.

The best part of the article is how Ira even attacks his own argument and makes no real effort to address it. The ending feels very bipolar, as if he had an argument, didn't win, and then just moved on.

Now, all that said, there is merit to saying ethics should be separated in part from computer security itself. IT staffers may detect and report on unethical behavior, but ethics is still ultimately up to legal, HR, and corporate executives to determine. But that is not enough to say that ethics and computer security should be fully separate. There is too much at stake for business and security staff to try to fully separate these spheres in anything but a very large company that can have separate ethics staff. Even then, those teams will work closely together anyway.

.: on physical security and computer security

In my previous post, one bullet point was brought up about physical security and computer security and Ira Winkler brought up that physical security is often welcomed while computer security staffers are often not liked. Why is this?

The biggest single reason is simply rooted in culture. At home and outside work, people use computers in their daily lives to do many, many things: looking at maps for driving directions, popular news, entertainment, distractions, looking up information on a topic, meeting new people, reconnecting with old friends, and on and on. Computers are used at home in a variety of ways, many of which are not necessarily safe, ethical, or healthy.

Physical security is present to make sure people don't go where they should not be going, etc. This is not necessarily bad for people as they are not being limited in a way that takes something they would have already had. They didn't have that access anyway, so there is no loss. But when security imposes computer limits (or the technology imposes those limits), no matter the benefit to the company, those actions involve taking away what users would normally be able to do.

Another lesser reason is the presence of physical security and the smiles they can give. Unfortunately, computer security staffers can't smile through the computer as user data flows by their gates. Thus it can be easier to get mad at the unseen people in the security cubes. Likewise, as part of the general masses, people feel a bit safer and unconsciously accept the security of physical security guards and locks much easier than they do technical security measures and limitations. (This is the only stable reason for most of the TSA regulations; they shallowly make people feel safer without being really all that effective once you start thinking about it.)

.: intrusion detection and prevention expectations

There have been a load of posts and discussion on high-profile blogs and mailing lists about the value of IDS/IPS. Richard Bejtlich, Thomas Ptacek, Alan Shimel, Amrit, and others such as the Daily Dave have all chimed in along with their respective gaggle of comments. Lots of people get pretty vehement and passionate about this subject.

An IDS and an IPS are two wholly different things. Any discussion needs to start by laying the groundwork on which one is being talked about. The next step is to describe how the participants define an IDS/IPS. Lastly, review their respective expectations of those IDS/IPS devices.

I really like Alan Shimel's descriptions of the "trough of disillusionment" and "peak of inflated expectations." I really think there are some skewed expectations of what an IDS and IPS are supposed to do. Of the two devices, I really believe IPS is the one that has had such high expectations that it will not be delivering satisfactorily, ever. IDS, on the other hand, has been mistaken to be IPS very often.

To me, an IDS is lumped with other functions such as logging, syslog analysis, intrusion response, snmp monitoring, and other network/performance monitoring. All of these functions tend to detect or record, providing information or alerts during and after the fact. They are passive technologies that do not take specific action beyond ringing bells and blowing whistles.

IPSs are in the same category as firewalls, antivirus apps, spyware cleaners, web filtering proxies, and spam gateways. They take IDS one step further by actually performing some action based on the alerts, from changing firewall rules to dropping traffic to throwing out TCP resets. As such, they fall into the problem of stopping things that should be allowed, or allowing things it didn't know were problems.

IDS/IPS functions are not on my list of the top things to have in a corporate or home user environment. An IDS can detect and alert to events happening that may or may not be malicious or problems. This is certainly a valuable function, but not so valuable as to trump very many other things. IDS technologies tend to be the pet projects of geeky admins that have some time on their hands. The rest of us tend to have other fires that need putting out over babysitting an IDS/IPS device.

Personally, I like IDS for the knowledge and monitoring it can provide about the network. And that is what the real expectation of an IDS should be: information that better informs those who perform subsequent actions, but only in proportion to how well the device, network, and tuning are understood. IPS devices I can do without unless the environment is so huge that it needs automated responses, but even then the environment is likely so huge that only a handful of IPS-enabled (active) rules will be enabled.

There is a challenge floating around about whether there are any instances where a company was "saved" (benefited) from having an IDS/IPS device in use. I have not had one personally, but I can certainly think of situations where someone might be throwing internal exploits at LAN systems in an attempt to break into a system, or maybe a worm trying to propagate over the network. An IDS can alert on an otherwise possibly overlooked situation and flag it for investigation. However, as much as an IDS can be helpful, every other layer of technology steals a little bit of its thunder. Network or even host-based firewalls and antivirus will lower the value of the IDS because a lot of malicious stuff is stopped before it traverses the network.

Think of it this way. An IDS/IPS is like a home security alarm system. The IDS will log attempts to break in, possibly track where the thief moves throughout the house, maybe even determine the method of break-in, and will alert the owner that a break-in is occurring and has occurred. An IPS does all of this, but also rings a loud alarm through the house, turns on all the lights and a spotlight, seals away the family valuables, locks all the entry points, and lets loose dogs to chase the intruder away, actively preventing the success of the attack. In light of this analogy, both systems will have had a very valuable effect at some point (that is not to say the IDS/IPS doesn't tend to warn when even an insect alights on the window pane, or that they don't detect Hispanic intruders...).
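To make the detect-versus-prevent distinction and the tuning point concrete, here is an added example (mine, not from the original post or any IDS product): a toy sensor applying one "source contacts many distinct internal hosts in a short window" rule, the kind of thing that flags a propagating worm, to constructed flow records. In detect mode it only alerts; in prevent mode it also drops flows from the flagged source, which is where an untuned rule starts blocking a legitimate monitoring host. All addresses, the threshold, and the allow-list are constructed assumptions.

```python
# Added example: one threshold rule run in IDS (alert-only) and IPS (drop) mode.
from collections import defaultdict

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 445),
    (1, "10.0.0.5", "10.0.0.21", 445),
    (2, "10.0.0.5", "10.0.0.22", 445),
    (3, "10.0.0.5", "10.0.0.23", 445),
    (4, "10.0.0.5", "10.0.0.24", 445),   # 5 hosts in 5 s: worm-like spread
    (0, "10.0.0.9", "10.0.0.20", 443),   # monitoring server polling hosts
    (1, "10.0.0.9", "10.0.0.21", 443),   # (legitimate, looks identical)
    (2, "10.0.0.9", "10.0.0.22", 443),
    (3, "10.0.0.9", "10.0.0.23", 443),
    (4, "10.0.0.9", "10.0.0.24", 443),
    (10, "10.0.0.7", "10.0.0.30", 80),   # ordinary user traffic
]


def analyze(flows, threshold=5, window=10, mode="detect", allowlist=()):
    """Return (alerts, dropped, forwarded).

    A source is flagged the first time it has contacted >= `threshold`
    distinct destinations within the last `window` seconds, unless it is on
    the allow-list (the tuning knob). mode="detect" forwards every flow and
    only records alerts (IDS); mode="prevent" also drops flows from a
    flagged source from that point on (IPS).
    """
    seen = defaultdict(list)            # src -> [(ts, dst), ...]
    flagged, alerts, dropped, forwarded = set(), [], [], []
    for ts, src, dst, port in sorted(flows):
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= window}
        if len(recent) >= threshold and src not in flagged and src not in allowlist:
            flagged.add(src)
            alerts.append((ts, src, f"{len(recent)} distinct hosts in {window}s"))
        if mode == "prevent" and src in flagged:
            dropped.append((ts, src, dst, port))
        else:
            forwarded.append((ts, src, dst, port))
    return alerts, dropped, forwarded


if __name__ == "__main__":
    for mode, allow in (("detect", ()), ("prevent", ()), ("prevent", ("10.0.0.9",))):
        alerts, dropped, fwd = analyze(SAMPLE_FLOWS, mode=mode, allowlist=allow)
        print(mode, "allowlist=", allow, "alerts:", [a[1] for a in alerts],
              "dropped:", len(dropped), "forwarded:", len(fwd))
```

In detect mode both the worm-like host and the monitoring server produce alerts for a human to sort out; in prevent mode the same rule drops the monitoring server's traffic until it is allow-listed, which is the "stopping things that should be allowed" problem in miniature.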

Update: More posts are popping up on this topic. The Digital Voice has chimed in as well, with a nice post and viewpoint. TechBuddha has some thoughts as well, about finding your own truths and relax a little bit when it comes to arguments like this. Sawaba at SecuriTeam chimes in.

.: network as a toy closet

The weather in the midwest has just recently taken a dip into the cold ranges wit