.: terminal23 archive
Nothing much to say from the NOC today. My regular desk out on the floor is being taken away and I'm moving all my stuff into the NOC, which is just fine by me. Otherwise much of the day was spent organizing current things and working on documentation. Documentation amongst us admins is pitifully spotty and incomplete. This is a new area that we are working on fixing up. The first item of business: making a document on documentation.
by LonerVamp 08.09.04 at 6:35 PM in /terminal23 -
For the past few months there has been a very minor and seemingly random issue where antivirus was not able to be pushed out from a server to an XP workstation. Other small issues continued to develop as more and more XP workstations were rolled out to new employees. Some of DameWare's tools were not responding properly, and other network tools like psservice would simply return a "network path not found" even though I could ping the heck out of the device.
Today, I was attempting to "patch" systems with a registry key that would block XP SP2 from being rolled out. However, some, but not all, of the recent XP machines that I have rolled out were giving me the dreaded "network path not found" message. Finally, I took the time to tackle this odd little issue.
I checked the Event Log on a whim, and noticed a number of entries for a failure to start a DCOM server with the message "Access is denied" and an eventid of 10000. I narrowed this down to an issue with the WMI controls not having access to start up. At about the same time I realized that the normally Automatic service, RemoteRegistry, was not starting on the offending machines, but was started just fine on machines that had no issues. Putting three and three together, the DCOM event log errors were logged every time this service attempted to start, and an access denied pointed back to a security setting I implement on new machines: limiting the NTFS permissions for the C: drive.
After some googling now that I knew what to look for, I found that I needed to restore the "MACHINE\Local Service" account to Modify/Read/List Contents/Write access to the C:\%SYSTEM% folder. This change did not have to be implemented through the subdirs, but rather just on that particular directory.
Once this permission was restored, things worked great. I used DameWare to browse and set NTFS permissions on offending systems. Psservice then let me remotely start up the RemoteRegistry service, and another command line let me run the BlockXPSP2.cmd file to "patch" the system up.
Definitely pissed me off for a while that I had to be troubleshooting this issue, but so very rewarding to finally clear it up, and in the process clear up some other smaller issues from the past. Needless to say, the "install" docs for setting up new computers have been updated...
by LonerVamp 08.13.04 at 9:03 PM in /terminal23 - comments(0)
Today a user reported that her local Antivirus software popped up a message about a Bagle.X worm being present. She swiftly reported it to someone nearby who got me involved, and also took a screenshot of the warning: "File Deleted." I liked the Deleted part, but having an actual worm is not a good sign.
AV reported drvdll.OPENEXE as the offending file, and promptly deleted it, which removed any chance I had of determining the date of creation of the file.
After talking to the employee, she turns her computer off every night and had not clicked on or opened any attachments with just one exception: she had just gone to www.aol.com and downloaded a new user download of AIM software (and along with it, the Weatherbug and WildTangent installs that piggyback along). Right after installation, the AV warning came up.
I did more checking on the system, and found one more piece of evidence of an infection: In the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run was a key to start up the offending executable file upon next reboot.
Being a Bagle worm, I attempted normal programs like netstat to see if the worm was running and terminating such processes (like it does and should) and to see if the telltale backdoor had been dropped on a high port. Nothing came back positive. I also examined the running processes using Process Explorer from Sysinternals for the telltale Skynet mutex...again, no sign of it.
I determined that this worm infection was brand new, and did not execute itself. However, it was poised to execute on the next computer reboot if AV and an alert employee had not intervened.
The insertion vector? I can only guess that it piggybacked on with an AIM installation (waiting and scanning the news for this incident if it did happen) or the new exploit in AIM dealing with Away msg URL buffer overflows was somehow encountered (although I consider this latter case to be highly unlikely).
Bottom line in all of this: I am getting faster and more thorough with diagnosing desktop incidents like this...and I am becoming more confident and versed in my chosen toolkit to assist in such issues.
by LonerVamp 08.13.04 at 9:12 PM in /terminal23 - comments(0)
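The two checks from the worm post above (a Run-key entry for the file AV reported, then a look for an unexpected listening port), as an added example that is not part of the original journal. It parses constructed `reg query` and `netstat -an` output; the value name, directory, addresses and port baseline are assumptions, and only the file name drvdll.OPENEXE comes from the post.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample: `reg query` output for the per-user Run key named in the post.
# The value name and directory on the last line are invented for illustration;
# only the file name is taken from the post.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    drvdll    REG_SZ    C:\WINDOWS\system32\drvdll.OPENEXE
"""

# Constructed sample: `netstat -an` output with only baseline listeners present.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.23:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.23:1040         10.0.0.5:445           ESTABLISHED
"""

EXPECTED_LISTENERS = {135, 139, 445}  # assumption: this host's known-good baseline

REG_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
LISTEN = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING")
UNQUOTED_EXE = re.compile(r"^(.+?\.\w+)(?=\s|$)")


def executable_of(command):
    """Return the program path from a Run-key command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = UNQUOTED_EXE.match(command)
    return m.group(1) if m else command


def run_key_hits(reg_output, reported_file):
    """Run-key values whose program shares its base name with the file AV reported."""
    wanted = reported_file.split(".", 1)[0].lower()
    hits = []
    for line in reg_output.splitlines():
        m = REG_VALUE.match(line)
        if not m:
            continue  # key header or blank line
        exe = executable_of(m.group("data"))
        if basename(exe).split(".", 1)[0].lower() == wanted:
            hits.append((m.group("name"), exe))
    return hits


def unexpected_listeners(netstat_output, baseline=EXPECTED_LISTENERS):
    """Listening TCP ports above 1023 that are not in the baseline."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN.match(line)
        if m:
            ports.add(int(m.group("port")))
    return sorted(p for p in ports if p > 1023 and p not in baseline)


def assess(reg_output, netstat_output, reported_file):
    """Combine both checks the way the post does.

    HKCU Run values execute at the user's next logon, so a hit with no
    unexpected listener is reported as staged rather than running. A quiet
    netstat alone does not prove the file never ran.
    """
    hits = run_key_hits(reg_output, reported_file)
    ports = unexpected_listeners(netstat_output)
    if hits and ports:
        state = "persistence-and-listener"
    elif hits:
        state = "staged-for-next-logon"
    elif ports:
        state = "listener-only"
    else:
        state = "no-indicators"
    return {"state": state, "run_key": hits, "listeners": ports}


if __name__ == "__main__":
    print(assess(SAMPLE_RUN_KEY, SAMPLE_NETSTAT, "drvdll.OPENEXE"))
```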
Next week we have a security audit for 5 days on our local network; basically inside the company from the perspective of an insider or someone who has gained some sort of access to the inside (either on the network or physical access).
Will we pass? I truly think so, since we're not morons about what is secure or not. I think companies that fail things like this are the ones who have a nonexistent or weak IT department. We, however, have enough of an IT department to more than provide the necessary baseline of defense and diligence.
Will it be pretty? I don't think so. I know there are many issues that I could come up with with our local systems, but sometimes there is just no justification in devoting the time and the limiting of user "freedom" in order to make things much more secure. I think too many people have no idea about such technical things and what security means in terms of limiting usability in the process.
Some issues I could point out immediately:
- sniffing passwords would be trivial over our wire; FTP, HTTP, and POP3 are all over the place. Email is also obviously readable. Considering we are a web app technology provider, a few months of password harvesting in such a manner would gather a huge foothold into many things.
- employees have local administrator rights on their computers, which means they can install anything they want, including worms, keyloggers, and malicious tools. They also have unfettered access to local SAM files.
- wireless is in heavy, but non-critical use, which means less money is devoted to it than critical things like actual network access on the wired network, making the potential for wireless DDOS fairly high (recently released vulnerabilities inherent in 802.11b (and g I think) illustrate that once an AP drops under 20mbps, someone up to 2 km away can send traffic to the AP that basically closes it to all traffic indefinitely). I don't like such unnecessary and widespread wireless activity.
- widespread laptop use means our effective network spreads to user home networks, which tend to be far less protected. Vulnerabilities in home networks suddenly pose a threat to our protected network when someone is infected with a worm at home and brings it into the work network.
I could go on, but I think the bottom line to any issue we have stems from two causes:
- lack of manpower to implement improvements and research. Our team spends most of its time dealing with actual open issues, and many things rarely get looked at until they rise to emergency level (or someone higher up gets whiff of the issue and applies pressure that basically makes it critical). This also means we all do only what we know, and any learning is done "while under fire" or on our own time.
- lack of knowledge and awareness (training) in the areas of personal computing and security.
Back to the security audit, I'm quite happily excited to be going through it. Not only do I get to see what people in such jobs do, but I finally get some third-party validation and insight into my network and my systems. Perhaps their feedback reports will help fuel reasons to pursue avenues of improvement in various areas. Who knows, maybe they will be more impressed than I expect, and we'll all get a round of congrats...but honestly, I like constructive criticism on things that are wrong more than I do validation that everything is fine. I want something to be wrong, so to "keep it real" and improving.
by LonerVamp 08.13.04 at 9:53 PM in /terminal23 -
Been looking for links to put on this site, links of active and useful sites that I can peruse and browse when I have the time; sites that will benefit me personally or professionally in my chosen areas of interest.
However, it is far too often that I come across blog-like sites that have one post in the past 4 months, or a recent post about how the author has to suspend the site for this reason or that.
Now, I know people love to self-publish and feel important, but I think some people have latched onto this whole "blog" culture far too heavily and for the wrong reasons. I think people think they have some weird insights into life or an industry...insights that other people don't have and thus want to read about from them.
Anyway, here's an example post that I'm going to use to dissipate this diatribe before I get carried away:
I feel exactly like decafbad wondering why he would be recycling all the news the rest of the world is talking about. Well, at least he has 889 subscribers using Bloglines (and I guess a lot more in reality) as of today, which is much.. really much more than I have :) This means there's probably more than a thousand people who care about what he says. That could be some stimulant maybe? Well, as for me, I'm actually very surprised that you're even reading this, as chances are very very little that you would. Anyways, the point of this post: there is just so much happening outside which I just want to know about. And then, having read all stuff, I'm just tired, having no idea what's interesting enough to blog about. Is there really anything that you user want me to talk about. Then please please let me know, because me is out of ideas and on the brink of quitting
Anyway, I'm happy to say that I "blog" (God knows I hate that word and term and "culture..." I keep journals damnit!) for myself, and for myself alone. Some other people might read this (although I'm trying to keep it private), but really...this is for me. I have this site to compose my thoughts, continue writing to keep in practice, assimilate the many sites and bits of information that zing past my eyes and ears on any given day that I might find useful at some point in the future. I work in a field that encompasses such knowledge and breadth of technology that it is already overwhelming (and that's not getting into how rapidly and fully it changes every day). Anything I can do to filter it for my own use will be something I will be grateful for in the future.
Hehe, this is why I "journal" and this is my manifesto.
by LonerVamp 08.15.04 at 7:01 PM in /terminal23 - comments(0)
Our onsite office security audit/pen-test has begun in earnest late this afternoon by doing some quick full scans and hitting our servers and network infrastructure.
The two testers loaded up some initial tools. The Mac user loaded Rendezvous Browser and immediately spotted some interesting things. First, he was able to locate our printers with little effort. Second, he was able to spot our two Mac computers. Third, he spotted 4 iTunes users (2 Macs, and 2 iPods). Fourth, he spotted two iTunes installs that had open guest listening. Fifth, one of the Macs had Appleshare turned on. And lastly, shared on that Appleshare was a licensed piece of software which I am unsure is licensed or not. Whew...all in minutes with one unobtrusive free tool.
Pen-testing kicked off later. The Mac user ran down an nmap scan while the PC user loaded up and struck up the ISS Internet Scanner program. They also talked about using John the Ripper, Cerberus, and kismet (wireless) for further testing.
A number of things were spotted, and I'll just go through a laundry list for my own benefit...please remember, this is just day 1/2.
- we allow open email access, i.e. people can download hotmail mail. Also, SSL mail is not enforced.
- Two of our switches have old firmware which is easily overrun.
- Our switches have HTTP turned on, which is not cool.
- Domain password policies do not seem to be working globally. Some passwords are beyond easy.
- People running as local admin appeared to be of some concern, since that allows circumvention of acceptable use policies.
At any rate, I'm not terribly surprised by the results, and this sort of thing excites the heck out of me, especially to see tools and users like this running away and basically verifying what I've always known about how to use these tools effectively, but have just never had the confirmation that I'm down with the knowledge. I am, however, concerned with what they find, since every bit they find will mean additional talking about why it is bad, and additional time spent to mop it up or attempt to wrest.
by LonerVamp 08.16.04 at 8:51 PM in /terminal23 - comments(0)
I have spent far more time than I should have on getting a series of 3 logos randomly displayed up above. I used a blosxom plugin, but the plugin conveniently makes three lame mistakes: 1) Includes a typo in the part that needs included in this page, 2) Has poor documentation on what things do, for instance how to set path names, 3) has more features than I want, which just added to the headache of trying to get it to work. I've never truly written anything in Perl, but I know enough programming to be able to gut a program without breaking it, so I took all the lame features out, simplified the code to suit my exact need, and am now done. Blah! But at least I now have colors and pictures and stuff up top!
by LonerVamp 08.21.04 at 8:47 PM in /terminal23 - comments(0)
For the second time in twice as many weeks, a developer has reported the same error. When opening a table to view in Enterprise Manager, the error "the provider was not found for this property" displayed. Reinstalls of SQL 2000 client tools and MSDE did not work, but it turns out just a newer MDAC was needed. The sad part is that I solved the issue the first time two weeks ago, but was unable to do the same this time. Burnt out...
by LonerVamp 08.24.04 at 8:46 PM in /terminal23 - comments(0)
I've not heard much about VLANs until the last few days when our security pen testers mentioned possibly implementing some VLAN segmentation to control our traffic and manage groups of users. Since then I've been attempting to research them with mixed luck. My best lead is a technical article from Intel.
I have decided that VLANs don't really truly segregate people into separate groups, but rather separate (layer 3, I think it is) broadcast traffic that simply does not need to be read by every workstation. It is much like 5 years ago with the big push away from "chatty" hubs into actual switches that were much more private with their information. Broadcast traffic adds a decent amount of traffic to most networks of decent sizes, especially when you factor in some variables like wireless traffic or VOIP traffic.
Anyway, I'm still researching this, and I think the best way to truly segregate users (I have developers in mind, who tend to want the most freedom with their computers coupled with the least security) would be to create VLANs, create their own subnets, and then plop a firewall between their VLAN and the rest of the network space. But...that's just my initial understanding. I'll post more links to information as I find them.
by LonerVamp 08.24.04 at 9:48 PM in /terminal23 - comments(0)
This page has a presentation-level type of introduction to subnetting. This might be very useful to review.
by LonerVamp 09.24.04 at 12:51 PM in /terminal23 - comments(0)
After a lengthy break from blogging (3 months), which included a 2 week work trip to DC, a move from one apartment to another one, plus a number of smaller things like Christmas and New Year's, I am back and everything is up and running like it should be.
Over the past 3 months I have stopped being what I would call frenetic about my research and delving into security. I had been doing lots of reading and scouring of information, and less actual doing. Now that I have amassed a nice book collection on security related things, I am finally actually getting around to reading them for benefit. This includes much more actual "doing" as opposed to bouncing back and forth like a super bouncy ball between new tools and sites and books and articles...
I am also eliminating some of the prohibitive things on this site, such as the "sanitization" for links on the right menu. I've removed them all except for the blogs/personal sites. I still don't want this site frequently visited, mostly because of the comments section, but I really am discouraged from clicking links due to the sanitization. I figure most larger sites don't much look at referral logs, but I expect bloggers and personal sites do so much more often...hence the decision for the change.
Anyway, hopefully I can actually get down to enhancing myself and using this site much more actively and efficiently again.
by LonerVamp 02.28.05 at 3:52 PM in /terminal23 -
Every now and then I go on a stream-of-linkage romp through blogs and security sites. Check out a site, head to the links, start spidering out and repeat. Well, today I brushed through the Nomad Mobile Research Center where I found a lot of 404 links to various people who were big in the security industry years ago. I then came across Rain Forest Puppy's site and memorandum. I've just finished reading The Cuckoo's Egg by Cliff Stoll. The book details some of the early hacking attempts in a very new network of computers and systems and open sharing of information back in the mid-to-late 1980s, a time when I was just discovering Atari and Nintendo and Arcade gaming. In looking at the landscape of the time, of computing, networking, and security itself, things have much changed...I mean, DRASTICALLY changed since then. And I can see how people take values from back then and futilely fight the good fight for years and years, even when the time of those networks and openness are gone. The openness and phreaking got replaced with coding and open source and free tools and grassroots hacking...and today, we have commercialization of security. I read RFP's memo on his site and realized that this is one of the things I look for in my web romps through security links and blogs and personal sites (sites made back before "blog" was even a thought); the people who have been here already and where they are now, sometimes the dusty relics of long-forgotten websites or stories of how people have moved on, grown up, lost faith, or become part of the commercialization. The Internet and computing are still changing so much, and security even more. In 5 years from now, I could be like them or perhaps just part of the commercialization.
Either way, I feel that this sort of web-trotting into the lives of other security persons from the present and past gets back to where the real security happens (or happened), where the real culture of hacking and security lies...not in the Symantecs and Microsofts of the world, but rather in the continued traditions of Black Hat and Defcon and the smaller underground groups of hackers (although slightly less underground than 5-10 years ago). To anyone that feels like RFP, I just have to say that that kinda just happens, especially when you have a youth-fueled culture in the midst of a brand new, rapidly changing frontier like the Internet and networking. Things change so rapidly, people grow up and out of their hacking 24/7 mindsets, get married, move on in life, and into more conservative affairs. This happens, but it does not take away from the grassroots, "pure" hacking and security that has come before and still happens now.
I will say it is interesting running over sites of people whose names I know as part of the hacker scene, but their sites are outdated. Sometimes you see a resume or a post about where they've gone or what they were doing when their site got dusty. Then I realize just how weird the net is. Some sites disappear in moments, others, stick around on servers for years, decades. Just sitting there, waiting, listening, maybe logins have long been since forgotten and the servers just whirr away diligently maintaining their uptime. I've seen this in the early gaming scenes in Quake where clan pages are still sitting in cyberspace, waiting for really nothing. Links, images break over time, and they look like those old rusting cars you can find in overgrown pastures...
Some site designs I liked (for future reference): jexe and guninski. I would love a throwback design even if that throws back to a time before I was into computers, but there is something nearly romantic and appealing to the idea of a nighttime black world with the only light the soft greenish glow of a computer terminal illuminating the outline of a determined hacker...
by LonerVamp 07.30.06 at 11:02 PM in /terminal23 - comments(0)
So, I've been asking myself some questions and kind of dealing with how to present myself on the net while at the same time categorizing my own information overload by spilling things out into this log. I've decided that I don't know why I maintain my cute redirection code in place to thwart trackbacks and referral readers. On a bigger note, I'm not really sure why I keep this site secret, other than just because I don't have a desire to really share this with people.
However, I think I have decided to remove the clunky code that at least veils the referrals. I may not entirely open this site up to the world, but I guess I won't bother trying to actively obfuscate it.
by LonerVamp 08.23.06 at 8:33 PM in /terminal23 - comments(0)
Now that I should have some more time on my hands, I am looking at possibly upgrading my site a bit. I seem to alternate between back-end updates and front-end design updates, and I'm overdue for both. However, I still like the site design, so I think it is time to jump into a back-end upgrade.
I am looking at blog systems that I can install. Currently I run on Apache with PHP4 (it might be 3!) with Movable Type 1.4 using flat files instead of a database backend on a very stable Windows 2000 Pro box. Movable Type fit my bill exactly, back in the day, but then quickly went commercial and I'm not really willing to pay for something like this. I also have Perl installed, and am willing to update all of these components (I would prefer to keep Windows 2000 though, simply because it is stable, I can get it free, and I'm intimately familiar with it).
My requirements/wishlist, for my own edification:
- easy posting from anywhere (u/p login)
- optional comments...bonus: toggle comments per entry as opposed to per site
- MSDE/SQL 2000 (preferably MSDE) backend with little administration needed
- php-based, but something that requires very little tinkering and coding other than templates/layouts
- the ability to make everything very minimized/minimalistic, from archives, comments, to posts, and the whole blog itself
One thing that is a bit flexible for this version of Movable Type was not just having multiple blogs, but to be able to use them creatively. For instance, my movie list on the right is actually another blog embedded into this page.
I also have a private page where I host all my geekier things. This is almost like a knowledgebase for myself. I am currently running Blosxom which I really love for its simplicity, but I think I am ready to move to a wiki or knowledgebase system.
- easy posting and updating of posts/topics
- good support for wiki-style knowledgebase stuff
- comments system or possible collaboration
- MSDE / SQL 2000 (preferably MSDE) back-end
This upgrade may not happen for a long time simply due to other things going on, and I plan on evaluating some solutions over time, so that I can get the most out of a wiki or blog system. I also now have spare systems to test things on, which will be ideal.
by LonerVamp 08.25.06 at 9:41 AM in /terminal23 - comments(0)
Well, my main site is going to be updated in the coming months with a real blog. In recent updates here, I've noticed that a blog format, even as open as blosxom is, is just not the ideal format for me to use here. My updating style and the way I use this little site is much more akin to a wiki. In fact, it is a wiki, only not yet. So I think this can give me some experience (again) with installing a wiki and a blog. I've never fully put up a wiki myself, so this will be a good task to do.
Of course, I am not about to pay for something I could likely make on my own with enough time and energy. For blogs, Movable Type is now free for personal use again. My current site new is kept in MT, so I have no real reason to change. For the wiki front, nothing has a more rounded listing and look at CMS products as OpenSourceCMS. Wow!
by LonerVamp 09.12.06 at 7:02 PM in /terminal23 -
I am hoping that I finally am hitting critical mass with all my links at left. With some luck and free time, I can start pruning the list of all the useless links/blogs that don't offer me much of anything, and instead focus on what I truly want to read. I've been getting behind on more than a few of these sites, and it doesn't help that the web filter at work is more stringent than I am very comfortable with. Lame. Nonetheless, I need to start blocking off some time, maybe Sunday mornings at the bookstore or some other place I find that is conducive to reading sites, and make a habit of it.
Some ramblings for myself... Do I need 56 news sites and 234238 blog sites? Most likely not. I bet most anything of interest in the news will be covered in at least a couple of the blogs I visit. Do I need 9 antivirus sites? Actually, I do prefer a range of them. Whenever I do some research or incident response on a particular bit of malware, I prefer to look at reports from multiple sources to get the most information possible. You can't have too much info when dealing with malware infections. Do I need all the podcast/vidcast sites? Nope. Despite my best intentions to watch and listen to them all, I just simply do not. I like visual stuff, but so far have yet to even begin to catch up on the audio-only stuff. I just have no habit for it, or automatic way to download them all and get them someplace for me to listen to. Perhaps when I get a car adapter for my ipod, I'll develop this habit... Yeah, I definitely need all of this in wiki format. :)
And yup, now that my little veil has been lifted, or kimono shifted open a bit, I've seen some trackbacks from a few other sites that I visit from here, now. I guess I can't complain, and don't mind the company at all. :) It certainly makes coding just a smidgeon easier, and visiting links as well, since it doesn't take three clicks per, now. Simplify, simplify!
by LonerVamp 09.12.06 at 8:23 PM in /terminal23 - comments(0)
Just removing some links. First, Ubertechnica appears to no longer exist. I have long read Xatrix, but ever since they had some legal woes they've slowly eased up on updates. Looks like no one is maintaining the site anymore.
Since I have moved on from using SuSE extensively, I no longer need the SuSE Security page. The antiforensics section of Metasploit is looking a bit old, so there is no need to keep it on its own link. I can get there through other means if need be.
I've always hoped Erin would finish work on her site, amoebazone, especially the log part, but I guess development has stalled for other pursuits. I do still like the layout and design though, which is one of the real reasons I am making notes when removing sites. This site was here as a reminder of the design as much as wanting to see the completed work. Another largely personal site that predates real blog/journal apps is Thor's site, Hammer of God. Dunno really why I kept it or even included it, but it no longer will be.
Insidethebeltway seems to have disappeared. I really just don't read any of the blogs from the RStack white hats. The Lost Olive offered me nothing either, other than an awesome 404 page.
by LonerVamp 09.24.06 at 4:20 PM in /terminal23 - comments(0)
I have been working at my current job now into my 5th month. A lot of my time has been spent getting used to the environment and culture of working here, along with a majority of the time spent supporting and working with our .NET/ASP application development team. This basically means I've been more involved in Windows systems administration than I'd like to be doing, especially for someone who is not pursuing .NET programming. Windows sysadmin is not that difficult in the long run (you can make it as difficult as you want, by adding scripting, etc), but it is not all that fun or glamorous. I'd pretty much rather be doing anything but, however, I will admit there is plenty of demand in the role in business.
Anyway, starting this week I get to begin working on and taking control of our McAfee Intrushield IPS device. This device sits inline with our external firewall and our internal DMZ firewall and logs intrusion attempts. Right now it is passive and set to IDS-mode only, as no one has had time to really sit down and configure it properly while minimizing the risk of preventing legitimate traffic. That will end up being my role here, forthcoming.
I'm not the biggest of fans of IPS devices. I believe that a company like ours which is small and has a good amount of money to spend on IT is better served by installing only an IDS system and staffing to monitor it properly, as opposed to an IPS that will automatically block traffic based on various turned-on rules.
However, this is still majorly exciting and almost as good as managing the firewall. This device straddles the two areas I would like to grow in: networking and security/insecurity. So, that was some good news in the past few weeks in regards to my job, and I'm really looking forward to talking to our Accuvant guest this week and getting my fingers deeper into this device.
I will be very disappointed in the device if I am not able to see the actual packets and payload for various detections and alerts. Installing and playing with an IDS (Snort) at home has been on my extended list of things to do, but I have some bigger fish to fry lately. So to be able to do this at work is actually the first ray of sunshine that I have had at this new job.
UPDATE: I did some research on case studies for Intrushield and found one (pdf warning) that doesn't name the company, but it does name the CSO. Turns out it's the CSO from McAfee itself. While I can say, "d'oh" to see a company use itself as a case study, I have to say I like the idea that a product is in use internally. In my short career, I've already felt the irony of a company that doesn't use its own products or follow its own paradigms that it tries to sell.
by LonerVamp 09.25.06 at 2:56 PM in /terminal23 - comments(0)
I just read an article on HD Moore, one of the most influential and brightest "non-corporate" white hat security researchers, in which he answered a quick question on his favorite hangout, "A dark room full of electronics."
Not only is that cool, but it got me thinking about what my own favorite room or hangout would be. I've been doing some casual thinking lately on owning property sooner than later, and how I would plan to do some stuff with it. Right now, I'm in "money-saving" mode, so my spare apartment bedroom is acting mostly as a place to put things I don't have a place for, instead of being developed into something much cooler.
So, what would I deem as a perfect room to hang out in? Honestly, I have three major ideas on that question.
1) The dark room full of electronics. Some people feel at ease and most happy when surrounded by other people or doing social things. For people like myself, I feel similarly when surrounded by electronics and maybe a person or two of like mind. A dark room illuminated by the soft glow and unjudging winking of LED lights and monitor displays. Maybe an indirect light source or two with a narrow cone of light to important places that need lit. It would need to be cooler than warmer. I would also prefer a house as opposed to an apartment, so that I could set up a decent (but not high-end) speaker system so I can play such music from quiet classical/ambient to pound out some industrial or metal depending on my moods. A clutch of test machines, a couple separated networks (one a main network and the other a sniffed, testing one), a workbench for system surgery and parts. The monitors would preferably be displaying specific things as opposed to operating screensavers. One should play movies that I can half watch in the background, another display an active packet watch on my main system (just to watch now and then and learn more) or even my test network if I am running something, another with network monitoring, and another with a security dashboard up or even cycling through a few. That would be an awesome hangout.
2) Now, even the most hardcore of us needs to unplug every now and then. For a more unplugged experience in my abode, I would love to have an entertainment room that has a nice tv and sound system, is ideal for watching movies or sports events (about all I watch, I don't take to television anymore), and is filled with plants and a pleasing atmosphere. Something calm and idyllic, a place to relax and lounge and sprawl out in, to read a book, magazine, listen to some music, or watch a movie, or even pull a laptop into to just chill out, but not dominated by obvious electronics all over.
3) Lastly, completing the unplugging, my third preference would be the great outdoors, away from most everyone else and anything technological. Give me a breezy, amazing woodlands or mountaintop or tropical island beach, and I could find some real peace there. Give me a cabin up in the woods that I can escape to and some space to roam. Internet connection...debatable. :)
by LonerVamp 10.05.06 at 10:01 AM in /terminal23 - comments(0)
Just a note and a small rant to myself. I've been using the McAfee IntruShield IPS here at work for a few days now (been poking at it for a few weeks, really), and I must say I really dislike being so disconnected from the actual packets and wire. I really like the information on exploits and alerts that McAfee includes, and also the reporting and dashboard (they recently updated it!).
However, any time I see something new or noteworthy run across the wire, my first instinct is to look at the packets and the flow before and after the actual alert triggering event. Sadly, these capabilities are far lacking. And what really is disappointing is any false positives even when the device itself is tuned up tighter. I don't really care if the IPS sees a UDP Port Scan all day when it is just a printer trying to reach out for some SNMP love because it lost contact with something.
Such is the price we pay these days for products trying to be the "silver bullet" of security or trying to be "all-in-one" and end up just disconnecting us from the real data and activity. Give me Snort and Wireshark and a portable tap (or the ability to put windump/tcpdump anywhere I want) anyway...
What I feel like is one of those Plato's cave analogies, where I'm no longer really looking at the actual subjects, and instead I am seeing only the dim shadows of the events...
by LonerVamp 10.10.06 at 2:18 PM in /terminal23 - comments(0)
I've tried a number of stand-alone and web-driven RSS readers in the past few months, but none really gave me what I wanted or presented it in a way that was compelling and simple and, well, just right.
Much to my surprise, I tried out Google Reader and was immediately hit by, "this is exactly what I wanted." I added a few of the feeds I most regularly check, and I've been amazingly happy with this layout and simple feature set. I hope SurfControl doesn't add this to the list of things denied outright (yes, web filters are evil, more on that in another future post).
by LonerVamp 10.11.06 at 1:02 PM in /terminal23 - comments(0)
I just wanted to say I can't believe how exciting my chosen field of work is. I love it beyond words and every time I read something new (even a negative article deriding Metasploit which prompted this exclamatory post), I get just a little bit giddy. I love security/insecurity!
by LonerVamp 11.03.06 at 10:58 AM in /terminal23 - comments(0)
One thing I try to be cognizant of as my career starts to move forward is what skills are going to be in demand in the future. I don't want to be awesome in Windows XP, only to find myself someday outdated like so many Windows 98 admins. Not that I support Windows XP on a desktop level right now, but that is just an illustration.
A manager just emailed out an Excel document that has maps of our building and numbers pointing to all our conference rooms (about a dozen) because people tend to ask, "Where is such-and-such room?"
It occurred to me how appropriate this issue could be solved by a web developer who knows his stuff. Carve out a small section of an intranet, tackle the issue, code up a solution, present it, and voila, a one-stop web-enabled location so that people don't have to save a tomorrow-outdated spreadsheet "hack" of a solution that might be located at some mysterious location on a file server that I may or may not have access to.
Web application coding skills are amazingly useful and awesome these days. And the work is rather exciting when you can focus down on it and really pursue it as a team that can teach each other. Gone are the days when any stay-at-home kid could pick up a few clients and create cheesy web pages using straight HTML. Now, real web design skills are in demand and needed, coupled with code that more and more resembles actual programming languages in operation, suitable to those who can think in that way (not just make pretty pictures in Paint and arrange them in tables with possibly some database backend code in php...). .Net, Java, Ruby, Python, Ajax.
In fact, before I was in IT I wanted to become a web developer. That was my idea when I switched my majors into MIS 2.5 years into college and graduated with thoughts of making web pages for a living. Thankfully, I've had opportunities elsewhere to expand myself, but I still appreciate web development.
Someday, a ways down the road, I can still see myself satisfying my coding bug and doing some more web coding and application coding. I would love to be able to just throw out a quick solution to problems using an internal web site. Given experience and practice, that kind of stuff is amazingly easy and simple to do (ongoing support is always the hard thing). And with web and application security the hot topic for the year in security, this makes sense from that viewpoint as well.
However, for now, I want to remain grounded and focused where I want. Right now I am directing my career towards networking and security, moving towards certifications and learning networking since it is still something I'm working on, plus learning Linux and more deep security topics and pursuits. I've also decided I want to make sure I know wireless security as a specialty, as I believe the future is in wireless and mobility. Web coding as a major focus has simply been pushed aside a bit for now...but someday I'd love to dive back in and learn the new stuff.
I must say, if an opportunity opened up right now in an exciting and competitively-paying (for junior level) company to start learning and participating in Ruby or Ajax development, I would seriously think about it.
by LonerVamp 11.09.06 at 1:54 PM in /terminal23 - comments(0)
Wow, it looks like I've gone an entire month without making a post here. That was certainly a quick month, and I do have a backlog of things and links and tools to look at and post about.
My reasons for the lack of posts are two-fold, really. First, I have been holding back on a lot of stuff since I really want to convert this space into more of a wiki-format. A wiki is much more appropriate for what I am using this site as. I had some issues last month in getting Apache 2 and PHP5 to get along, so I have to check and see if that was resolved.
Second, I've moved a lot of my more discussion-style technical posts to my main blog instead of here. I am not sure if that is how I will do it in the future, as all my own non-technical stuff is being diluted by the technical jargon that many of my family and friends know nothing about. Maybe I'll load it all back here once I get the wiki up, and still have a sort of techie blog/news listing on the front page.
In the meantime, I hope to post some more things here anyway, regardless of the wiki progress.
by LonerVamp 11.15.06 at 9:52 AM in /terminal23 - comments(0)
I think I have my new "geek" blog ready to roll finally! The last step was to decide on a name for the site, and I settled on Terminal23 for my own reasons (nothing interesting, really). Now I can start porting over my Blosxom blog entries as needed, and get caught up on posting news and such. I really liked Blosxom for its simplicity and elegance. I would have stuck with it further, but I think I just wanted something new and I needed to update my blog application anyway on my personal site.
I do still need to get the wiki up and running, but that will take a bit more time and love. For now, this project has already exceeded my goals of being done by the end of this year.
by LonerVamp 12.11.06 at 8:50 AM in /terminal23 - comments(0)
Hopefully I can finish my one or two weekend projects I need to work on this weekend. Tonight will be spent playing Warcraft and Saturday night drinking, playing video games, and talking about hacking. That leaves Saturday afternoon and Sunday to work on getting a new mail server set up on my server along with a Spam Assassin install. I also need to point my new domain to this site and fix the inevitable pointer issues in my code.
I'm not really looking forward to Spam Assassin. While I've never done it before and really want to learn it, all indicators point to it needing a bit of work and babysitting to be worthwhile. Oh well, may as well start this weekend and slowly work on it, kinda like securing Apache and mod_security.
I'll try my best to provide a report on here about my experiences with hMailServer and SpamAssassin on my Windows box.
by LonerVamp 12.15.06 at 1:52 PM in /terminal23 -
As Adnan recently realized, I too am finding that I have too many links and news and blogs to read, which steals away my time. I am almost feeling like an analyst, talking and reading, but never actually doing anything. So I'm pruning some more links and RSS feeds. As usual, I'm posting the "death" list here, just so I can reference it again at some other later time.
I was going through this list and removing people and looking at sites, and it makes me kinda sad to remove some links and blogs, especially those to people who might still be around, but don't post every day (or even week) or might make posts that I'm just not interested in. I got into using computers and stuff by being social online in AOL chat rooms, then later in IRC and forums. This culling of links saddens me because I know all of the authors and I share common interests and I love seeing how they present themselves online; in this sort of second world avatar image. Oh well, life goes on, and I hope it finds them all happy. Of course, with this huge list of outgoing links, someday soon I have a list of incoming links as well.
WBGLinks.net was originally a huge list of white, black, and grey hat links to many other topics and sites. It since has disappeared. Wintermute has also had little to say lately. Dan Kaminsky has excellent tools, presentations, and very creative ideas, but his blog is not the place to read them. He is easily Googled anyway. The guys at Checkmate only update once a month, and if they offer up something useful enough to read, I'm sure I'll get linked to it from elsewhere. I always hoped TheSecure.net guys would come back and keep posting, but not only did they go on hiatus for a year, but their site is now gone.
Adminspotting had a fairly short, but informative life and is no longer updated. I've long hoped the author would post his new idea mentioned in the blog, but he has not. Maybe someday. Adminfoo's provider seems to have had some data recovery/corruption issues which has left this site down a while now. Backups. Reading the linked host's status page is pretty much a story all IT admins dread: corrupted data and customers getting upset. Oddly, HERT (hacker emergency response team) seems to be down or gone.
Nitesh isn't around. The Microsoft Security Response Center blog is really not that useful, and when it is, other people link to it for me. Besides, with something as important as that blog could be, they will always be regulated from inside. OpenPacket.org is an awesome idea, but I suspect everyone who thinks so is just too busy doing other things as well. I'll link it up if it ever truly opens. Arved has been removed. The Geekpit has been removed. I'm not even sure what Infosec Daily is anymore, but I think it aggregates other sources I already track and doesn't look very pretty anyway. Insecure.org is not a news site and belongs under tools/resources. Of course, it's already there! SecurityWonk has disappeared. Also removing SecuritySauce. Nepenthes is a tool, and didn't belong here anyway. Kaosx has been removed. Jon Ellch's site was never really meant as a news/blog site anyway.
by LonerVamp 12.16.06 at 2:09 PM in /terminal23 - comments(1)
I didn't get to play with SpamAssassin yet, but I did get a lot of other little things accomplished this weekend in regards to my site. I installed hMailServer and ClamWin so that I could move my mail server over to the new box. In fact, I went a step beyond my plans and am using OpenSSL and stunnel to allow SMTP and POP over SSL so that I can check things remote from a wireless hotspot. I also moved my Ventrilo server over and did some housekeeping on my websites; busywork that I've been putting off for many months but that only needed to be done once to be done for good.
With all of that aside, I'm looking forward to SpamAssassin sometime this week or next weekend, and to work on my wiki site as well.
Every time I work on my sites, I get that familiar bug to learn up a new web language and get really good at it. I love reading people like Jeremiah Grossman and RSnake, guys whose web skillz I really respect and appreciate. But I do know that takes significant dedication and time, and I know that I can't specialize in everything right now. Maybe someday I'll have an opportunity to go down that road, either for my job or in my free time once I get other things under my belt. Anyone can learn web coding, but to do it well and know the little "expert" level tricks is definitely where I would want to be, and that takes significant time. Besides, right now, web technology is simply not securable anymore. Unless you want a fairly static site with little integration and scalability, security is just not possible these days.
by LonerVamp 12.17.06 at 8:29 PM in /terminal23 - comments(0)
A lack of updates should be followed by a slew of posts after the first of the year. Right now I am porting all my old Blosxom posts over to this site, flagging them to put in my "being built" wiki, or just removing them as I figure out how to best leverage my sites. I will say that I really enjoyed the simplicity of Blosxom, especially to use as a blogging/site tool without wanting a true database backend. It was very slick, simple, lightweight, and kinda fun to work with. Unfortunately, it is not quite as robust as a true CMS/blogger. Honestly, I think the worst part about it is just being locked into something a little different and non-mainstream. Over time, who knows if there will be new features or support, and I'd hate to find myself 4 years and 2,000 posts into the future with a huge migration project to something more mainstream.
Overall, though, Blosxom is awesome, and I hope someday I can possibly find a use for it.
by LonerVamp 12.20.06 at 9:18 AM in /terminal23 - comments(0)
I typically make resolutions on my birthday as that is more meaningful than a new calendar year. But one late resolution I want to make came to me as I was migrating more of my posts over to this site, including a long list of tools that I've just never gotten around to looking at. For the past year or more I've been sponging up information like there's no tomorrow, but I've been putting things into practice far, far less often than I should. And now that I have some spare systems sitting around, I need to put them to good use. So, I need to start doing and playing and tinkering with things and less just reading about it all. I've got the academic side of things down pat, and I realize that. Now I just need to do, make mistakes, screw up, fix it, move on, and overall learn stuff hands-on.
Of course, this has already begun now that I have upgraded my server and I have the infrastructure in place to keep my own notes on the things I try and experience. So I'm well on my way on this front, as long as life sees me still having enough free time to do things! :)
by LonerVamp 12.24.06 at 12:45 AM in /terminal23 - comments(1)
Yes, blogs are social networks, as are IM, IRC, and mailing lists. Michael over at MCWResearch tagged me. This means I'm supposed to reveal 5 things about me that few people know, and tag 5 other people to do the same thing. Well, I'm a party-pooper and typically delete chain mails so I won't tag other people, but, I am a good sport so I'll play along with the 5 revelations. Besides, it's still technically "The Holidays" and I have a nice three-day weekend again. I will, however, post 5 links at the bottom that trace back the path this tagging has taken to get to me.
1. I regularly play World of Warcraft. I have a 60 warlock and 60 priest on Crushridge Alliance and a growing 30-something rogue on Terenas Horde. The warlock is my main and amassed 7/8 tier 2 and 1/9 tier 3 before I retired from high-end raiding about 5 months ago.
2. I used to get paid not only to play computer games, but to run online leagues and tournaments. I ran or helped run events for Quake 1, QuakeWorld, Unreal Tournament, some SegaNet stuff before they died, and even a live CPL event. I've also made money competing in events in Unreal Tournament ($2500 about 5 years ago in college). Sadly, little of this history is linkable anymore.
3. While you can see a picture of my car online, what you can't see is my license plate (1NF0S3C or 1NFOS3C) or the black "hack the planet" sticker next to it.
4. I lost my virginity at ag...err, wait. I mean to say that I started authoring my own web site back in 1996 hosted at my alma mater Iowa State U. My college roommate and good friend taught me the ropes (i.e. he showed me how to View Source in IE and upload files to the server).
5. I don't yet have the budget for a cat, but I do currently have some fish: 6 tetras and 3 corydoras. I plan to double the number of both after I clean up the tank a bit more and get rid of my snail problem. And I love to have bettas on my desk at work.
So, with that out of the way, I won't pass the chain-letter on, but I will stick to the spirit by providing 5 links that led to me. MCWResearch got tagged by Michael Farnum. He got it from Ian Lamont who was sniped by Richi Jennings. And Richi was tagged by Ann Elisabeth Nordbo to start off this little 5-hit combo.
by LonerVamp 12.29.06 at 2:02 PM in /terminal23 - comments(3)
I have to continue poking away at and cleaning up links on this site and in my rss reader that are not really worth my time.
I really hate to do this, but I have to stick with my gut. I like Bruce Schneier and his work. I think the world right now needs him; absolutely needs him. He is a necessary pundit. Ptacek put it well in predicting for 2007, "Schneier will not publish a single technical result this year, but I will read his blog anyways."
I like his comments and his writing, and, as I said, the world needs him. But he basically keeps linking and saying the same things over and over. Yes, I know security is warped when it comes to the public and TSA. Yes, I know your commenters also have good responses and ideas. But I don't need to read that every day or even every week. I really do get too much Schneier. I'm sure when he publishes very interesting things, I'll hear about them from other places. (I also prefer his writing as opposed to short little posts that are just links elsewhere.)
I'm also currently evaluating the need for x number of IT/security analyst blogs. Quite honestly, analysts are quite a unique subsection of security bloggers:
- They tend to talk a lot and likely do very little. It is easy to make lists of best practices and give sage advice, but actually getting their practical advice into the reality of a business is a wholly different story.
- They tend to be right. All the time. If they speak it, you should believe it.
- They don't typically reply on other people's blogs. Instead, they reply on their own blogs to drive traffic back and forth between them.
- They are definitely a clique, where they all know each other, they all act like they're friends, and they typically don't listen to many people outside of that clique.
- Far too often they speak the obvious, make predictions that mean nothing right now, or repeat what others say (often within the clique).
- Have I mentioned that they rarely actually *do* things?
Yeah, I'm being pretty harsh and maybe a little bitter, but for me it all gets back to how I want to spend my time with blogs and research. Do I want to see the "Analyst Clique" repeat itself and argue with itself and pat itself constantly on the back in 5 places each day? Not really. I'm sure if I eliminated x-2 of the "Analyst Clique" blogs from my list, I'd still get all the important info linked back from those 2 I leave up, plus their commentary. Hopefully I can go through and remove some links this weekend. The hard part will be choosing one or two, because, despite my bitterness above, they all seem to write well, think well, and have some thought-provoking words here and there.
by LonerVamp 01.05.07 at 9:00 AM in /terminal23 - comments(0)
The condition of a military force is that its essential factor is speed, taking advantage of others' failure to catch up, going by routes they do not expect, attacking where they are not on guard. -The Art of War, Chapter 11: The Nine Kinds of Terrain
Sorry Dan, but I already played that game once. :) However, I will just add two more things. First, I used to have eyesight bad enough that it was measured in feet. My parents gave me lasik surgery as a Christmas gift a few years ago, and now I don't need glasses. Second, I spent my first 2.5 years in college in the Environmental Science program taking chemistry, biology, calculus, genetics, physics classes.
This week will be my first week "on call" at my latest job. I've avoided the task for about 8 months now, but this week the pressure is on! One of the unfortunate aspects of this job is the apparent attitude of the rest of the team that I should have been born with all the knowledge needed to do this job. I find little as frustrating as being thrust into an important role where you either attempt to do things yourself at the risk of possibly affecting critical systems or wait for some decent training. While I don't mind self-starting, I do mind when there are innumerable ways to build a server (anywhere from just setting it up and patching it to full NIST guidelines), but somehow I need to know the way they do it in-house from a cryptic checklist that makes sense only to people who have been through it multiple times. This has been my biggest frustration at this job, and one of four distinct reasons I won't be staying entirely much longer. This morning I am figuring out how to put myself on call and get the necessary alerts on my phone.
I added a bunch of links to this page. While I still want to lower the number of total links, at least now my Google Reader list matches up with the links on this page. Not every site has support for an RSS reader, but at least now when I find something not updated in Google Reader or not really worth my time, I can remove it cleanly in both places and help manage my information uptake.
by LonerVamp 01.08.07 at 9:05 AM in /terminal23 - comments(0)
I am looking to get my Security+ certification this month. Is this cert below me? Yes, no doubt. Is it nonetheless good for my resume? Yes, again no doubt. And at a one-time cost of about $200, CompTIA certs are a real no-brainer and if I ever get beyond them on the resume, I can just leave them out.
For the past couple weeks over lunch I've been slowly paging through the latest edition of Exam Cram's Security+ Practice Questions. I'd buy the book, but I don't think I need to. I just do a few dozen questions every day. I'm glad I did it this way too, because some of the questions are poorly worded and even more poorly laid-out. As an example, in the section Retention Policy, the answer to the single question in the section is, yup, Retention Policy. Great, I learned a lot there! There are frequent blatant mistakes as well, despite this being at least the 2nd edition of the book. The one I was using was a 2006 release.
In the end, though, I did learn enough. I learned that I need to definitely review the Cryptography domain of the material. I probably could have said I was weak in that section before paging through this book, but at least now I know I know the other sections pretty well. Hopefully by the end of this month, I will have at least taken the Security+ exam once (yeah, I know, I'll likely pass but I don't typically get my hopes up on tests, despite a very good track record with them from school/college).
The hidden benefit to this cert is it is, in my mind, a direct precursor to the CISSP which I also qualify for and should be getting sooner than later. Likewise, my weakest area in the 10 domains would be Cryptography.
by LonerVamp 01.08.07 at 2:07 PM in /terminal23 - comments(2)
I recently used a Christmas gift card to get a device that I've wanted even when they were twice the price I got it for: the Harman Kardon Drive+Play at $99 in Best Buy. This little guy allows me to plug in my ipod in the car and listen to it on my stereo system. Since my Infinity factory system does not support playing of mp3s off a data disc nor does it have any audio input options (either on the faceplate or even in the back), I can't use the Drive+Play's audio input, but I can quite happily use the FM tuner to get usually decent quality music. It is quite a lot better than no ipod or having to burn limited-length music cds. So now I have two dashboard gadgets, my RoadyXT XMRadio unit being the other.
What does this have to do with my blog? Well, while scrolling through my playlists on my ill-organized ipod (thanks to Linux and my collection growing well beyond the 20GB limits of my ipod) I saw a Podcast playlist but no Podcasts. While my work commute during the day is only about 10 minutes max, I still see the benefit to rekindling my habit of listening to more podcasts since I do like driving. So I'm going to see if I can get back on the wagon on a few choice podcasts and listen up more often.
As always, I'm also cleaning up some more external links from the menu and putting them here into a post so that I can reference them later if I ever need to. Someday I need to evaluate whether I want all those "resources" to remain here or be moved to the wiki.
Don Parker writes for WindowSecurity.com. While this sounds promising, the articles and writing seem more geared to a nearly complete newbie, with almost no in-depth analysis or contribution beyond the surface. OntheFirewall doesn't really get updated much. I'm not sure who Sid Stamm is, so I likewise don't know why I should keep him. And also removing Mr. Belva at bloginfosec, even though I look forward to seeing how virtual trust moves forward. It's just beyond me right now since I am neither an analyst nor any sort of manager.
by LonerVamp 01.10.07 at 1:33 PM in /terminal23 - comments(0)
One of the failings of blogging, especially its use for education, is how unsupportive it is to dialogue. Yes, there are comments, but once I leave a comment somewhere, it is a crap shoot whether I ever get back there to see any further dialogue or rebuts or agreement. Fire and forget, most of the time. Sometimes I'll post a question and check back later, but mostly I don't and mostly I just plain forget. I also don't look at posts later on to see if what the author said was BS and spoken-to in the comments. I have to take posts largely at face value. How often have I posted on a Bruce Schneier topic that tends to have plenty of feedback, only to never look back at that particular comment thread again?
Forums promote repeated dialogue until a topic has run its course and slowly melts back down the priority list, replaced with newer topics. A regular reader/contributor can, in this way, watch discussions she may be interested in until they naturally conclude. Mailing lists are similar. IRC is somewhat the same way, as interaction and discussion occur right away. While those that idle don't typically re-read old logs, at least discussions at the moment have some give and take.
Running one's own blog is a bit of an exception, as here I tend to be able to see each and every comment posted, and thus have my full run of any dialogue. But how can one really capture this for readers? Email notifications on comment replies help, but only when one has already commented on a post. Anything not commented on gets no continuation. In that case, it behooves me to comment on every post on those blogs. Setting up an RSS feed for comments is another nice thing. Ha.ckers.org does this, but I have to admit there is no real kind way to present them. New comments on old posts get thrown into the middle of new comments on new posts, which really muddies the waters of trying to follow any sort of continuity. But for anyone who diligently reads the feeds, this can be an effective, if jarringly annoying, way to keep up. The author can re-post the articles based on comments and responses, but this just perpetuates the cycle until no comments are left (or all the readers have left!).
So what is one to do? Well, slowly I've been moving back into IRC and I want to get back into forums as well. Blogs have their high points, but unless one is a real fan of a particular blog and sticks around a lot, RSS feeds are just best suited to scatter-shot news posts and catching the latest releases in podcasts or tools than for real educational dialogue.
I think this is also why I maintain my blogs more like personal journals (and I prefer the term journal to blog), where the only real reader I'm looking to keep informed is me. Letting out my own ideas, thoughts, and otherwise documenting my own life and knowledge. *shrug*
by LonerVamp 01.15.07 at 2:24 PM in /terminal23 - comments(6)
So it has been a while since my last post on Linux as my main box; I've really basically just been using Linux every day. After getting past some of the usability issues with DVDs, movies, mp3s, and other media, I've definitely settled into a nice rhythm with Ubuntu.
My biggest issue lately has been my external firewire drive which is NTFS. Since I run Ubuntu on my laptop, and laptops shouldn't be tethered to anything except a mouse and power, I decided it was in my best interest to stop wrestling every 4 days with Ubuntu vs NTFS (which typically I did get to work...until unplugging and replugging the drive back in and trying to remount- Nautilus is very picky and whiny), and just plug the drive into something on my network that is on all the time and likes NTFS much more (Windows). I now quite easily just smbmount over the network when I want. The added benefit is my other systems can get on it now as well.
Other than that, I've become very happy with my Ubuntu installation, which is kinda illustrated by the fact that I've not booted into Windows on this laptop since the last update a few months ago. I do cheat, however, since I have other boxes including a slightly less-powerful laptop running XP, but I definitely give Ubuntu my daily tasks. The XP box is just there for misc things and other Windows programs. Heck, I've even taken much more to cygwin on all my Windows boxes.
Will I stick with Linux? Yeah, I will. The reasons remain the same, though:
1) Tired of paying for an OS license at home.
2) I want much more practice with foundational Linux tools.
3) I really like being familiar with a Linux box day-to-day in addition to just knowing how to use the apps. I feel much more flexible this way. (And it adds to my skillsets.)
Will I fully ditch Windows? Never. I have older machines that love my Windows 2000 installs. My other good laptop and gaming rig both have Windows XP. And as long as my job involves any semblance of Windows, I'll do my best to keep up with it. And Windows will always remain my backup boot option.
My goals moving forward this year in regards to Linux:
1) Become intimately familiar with BackTrack. Also adopt a couple other Livecd distros for flexibility's sake. Likely Auditor, Helix, Trinity, or something related... Livecds are just too cool when it comes to laptop use.
2) Become more practised with a wider range of tools for Linux. The only difficulty here will be delving outside Debian/Ubuntu-ready packages and tracking down my own dependencies with things not in Synaptic. I might just use an older laptop as a test bed so I don't screw up my main box too badly. :) I might even look into FreeBSD.
3) Start getting familiar with running a Linux server and replacing Windows as my main server. I might look to something beyond Ubuntu for that, and might just run it from the command-line as well. This is definitely more of a "maybe by the end of the year" sort of goal.
by LonerVamp 01.22.07 at 1:18 PM in /terminal23 - comments(1)
Reading some stuff on spam and email today got me all inspired to keep a mail project in mind as the year progresses. I'd like to stand up a Linux mail server on my home network someday. It's not like I dislike my Windows mail server application, but it's done. It's there, and implemented. And, of course, there is still spam getting through. Unless I go with Exchange (overkill, although valuable experience) and some commercial apps to help support it, my best bet is to go with Linux, a mail server (likely sendmail), and spamassassin. The problem is those latter two are very daunting and quite bearlike in their configurations. I would need some good time to pore over the settings and how to get things working. Thankfully, I do understand SMTP and have done what would amount to first level support on a sendmail server before (bigger issues I would escalate to someone more experienced). Maybe someday I will move towards that route. I could always just leave my current Windows mail server up as backup.
by LonerVamp 01.23.07 at 2:07 PM in /terminal23 - comments(3)