I hate hearing things like Anti-Virus is dead or IDS is dead. If they’re still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 parity), is a noble effort, but as a paper about a “new” method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can’t convince me anti-virus is dead (even as I don’t typically use any at home because I consider myself slightly educated in technical areas).

Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.

So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.

From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I’m not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops leads to…

…From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that’s not true. There’s even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, “No! You idiot!” The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don’t buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.

Ok, end rant, time to go home!

An interesting (and woefully short) question and answer from ComputerWorld, “How many firewalls do I need?”

Answer: “How many can you manage?”

Ok, so that’s very simplified and not necessarily the right answer. The thing is, firewalls should be in place on the network any time the trust or sensitivity level of the data or systems changes. If your sales workstations don’t need to be up very long and have little sensitive data, but your database server has very sensitive data and needs to be up as much as possible, you really could put a firewall in between the two. If some systems need to be accessed from the Internet but others do not, use a firewall to keep them separate (thus creating your typical DMZ. That way, much like real physical firewalls in cars or buildings, if a “fire” breaks out with an attack against your Internet-accessible servers, the next firewall will contain the “fire” from spreading to those systems that had no business being in the same group as those Internet-accessible ones.

Firewalls are awesome. They create natural choke-points to monitor and measure traffic flow. They allow barriers to access so that you don’t have everyone’s traffic scurrying around everywhere. They give natural points where traffic capturing and logging can occur (and I’ve become a big proponent of NSM and logging and traffic analysis).

And put up as many firewalls as you can manage. You can have too many, but the chances of that are far less than not having enough firewalls. Put up as many as you can and remove ones you deem unnecessary or restrictive to network stability later on. But never put up more than you can properly manage. A mismanaged or unmanaged firewall is maybe worse than no firewall at all.

I really believe that firewalls are one of the very few mandatory but not technical necessary pieces of any network (i.e. you CAN run a network without them, but just don’t). I consider them a mandatory piece of any network or host-based “defense in depth” approach and one of the most important and valuable (i.e. the value they add) and basic blocks of a network.

My own personal projects list involves learning more firewalls including getting my own home pix someday, becoming more intimately familiar with iptables and pf (if I get into BSD this year), and other standalones like Smoothwall/IPCop and so on.

One thing I have learned in my short time in IT is email boxes are not really a valid storage area, especially for those of us in the infrastructure side of IT. Since I switched jobs last year, I was able to start out with a fresh email box at the new company. I was able to put into action what I had learned late in my last job about not bothering with keeping a huge email store. One of my favorite managers at my last job had almost a zero-sized mail store because of this approach, and I agree with it. There’s little reason in saving everything, especially from a business standpoint in my role. Emails:

1) Get read and deleted.
2) Get read and acted upon.
3) Get read and saved out of band, for instance on a backed up file server folder structure. (e.g. licensing codes, personally important stuff…)
4) Get read and then printed out and deleted. They then go into my “desk queue” which goes through the same process as I don’t let things linger on my desk either. (Of note, with dual-monitors, I print out less…think about that in your next debate discussion on dual-monitor adoption…)

I do keep a certain amount of monitoring email alerts from my company’s monitoring systems just so I can do quick trend analysis by eyeballing the alerts. Those usually are small and I purge huge chunks of them every so often so that I only have a few months’ worth.

Sometimes emails build up waiting to be read, but I work hard on keeping the level managable and regularly purged if need be. The only real emails I keep around are sometimes informational or pending projects that can be done down the road. It sucks to get behind with keeping the mailbox cleaned up, and 99% of those emails that slowly build up are really not needed to be kept. Besides, I’m cognizant of storage needs in an organization, and much like reducing my waste and power usage at home to do my part to save the environment, so too do I attempt my part in saving storage space.

Does this work for people in all business roles? Nope. Does this work for me at home? Sadly, no. I tend to be the opposite and not delete much of anything other than the complete crap I get. Thankfully, I don’t really get all that much email anyway. I even have a zip of emails from 1996-2002 that I started getting when I started college. If nothing else, they are not many, they make for great memory-goads, and can help me get in touch with old buddies sometimes.

ISC posted good info about the Daylight Savings change, which I won’t regurgitate, but I will repost some links. While I never joined in with the fear of the Y2K switch, I really think this DST change will be more problematic than anticipated (anticipation is so high no one is talking about it!).

Aha! I still run Windows 2000 Pro instances so I have to follow special steps (also KB914387 and KB928388). Why do I run 2000? Good question. First, the specs on some systems, mostly older laptops and 500Mhz machines are not good enough to run XP without lots of cursing. Second, I don’t have things like XP’s Genuine Advantage sqwuacking at me and then disabling my install after 30 days. Screw that.

Along with Windows scripting, I do want to sooner get back into programming. Right now, I just kinda need a reason to put programming into practice. I can hack around with Perl and other languages just fine, and have had experience in others like VB and C. But someday when I get really down into learning one of them again, I’ll likely go the route of Python. Nicely enough, cdman just today posted about a couple freebie Python books to help out. Dive Into Python and Learning With Python.

Will I get into this this year? Honestly, I’d like to, but I’m not sure if I will have the time until late this year. I do have other plans, and I really hate overbooking my goals in a year. Thankfully, Perl has been around a long time and I suspect Python will also be as useful for that long or longer.

This isn’t on my horizon yet, but someday I will do a BIND DNS server at home, if not sooner at work. Yanked from ISC, NIST has a standards doc (pdf) and there is also a secured BIND configuration and information available as well.

I need to continue my post below before some evangelists in the security world judge me blindly. 🙂

I love Windows. Really, I do. Well, ok…I did love Windows. I loved Windows until they started doing that Genuine Advantage Crap. Suddenly half my test machines could no longer be reinstalled and wouldn’t get some updates. Microsoft is the biggest single reason I moved to Linux last year. Go figure.

Now, one of the reasons I use and have used Windows so much would be twofold: 1) It comes with new computers and has come with all computers I’ve bought (i.e. no perceived cost since I couldn’t easily avoid it). 2) I could pirate it and use it on my old and spare machines without necessarily paying for it. I would never condone this in a workplace, however, just for home personal use.

Lots of expensive software is out on the market with limited trials and big price tags that talk about things in terms of installation instances or numbers of managed devices. I hate that. I hate having the limitations (subconsious and real) of really cool software. And if I can’t use it at home and become intimately familiar and happy with it, why would I ever request my company spend money on it? Something would have to be drop-dead and immediately awesome to get that sort of request pushed through.

I wish more cool software was free to home users so that us geeks can become familiar with them and get them legitimately into the workplace.

Likewise, I have no clue how companies that sell an appliance to do certain things can really expect to get good market penetration without a lot of hard in-your-face sales work, and being able to get IT shops with time to spare to check out the appliance features. I’d much rather be able to get an appliance, even a stripped-down barebones POS running the software at home so that I can get really happy with it. A one-month trial is just lame for most of us already busy geeks, especially when such devices keep wanting to do everything and it takes 3 years just to realize how crappy it was underneath the surface.

Give me free junk to play with that works well, and I’ll speak highly of it to people I know, or my own company.

Ok, enough ranting on this topic. I had to get it out sometime!

At the risk of painting a hat on my head, I have to make a small rant about paying for software.

I have had two fairly “small” tasks at my job in the last 8 months (no, not the only tasks, these are just two I’m pulling out). The first was to audit and “fix” file server permissions on a Windows file server utilizing AD accounts. The second was to be able to enumerate which Exchange mailboxes a user has rights to. Our company allows two levels of managers above an employee to have full access to the employee’s mailbox. To anyone who has done either task, what sounds simple is really not all that simple at all.

For the first one, sure you can dump a huge ACL list. But can you answer the question, “What does Joe Blow have access to?” Unless you have a strict policy on user rights management using AD groups, this is much harder to answer. I really enjoy using ScriptLogic’s Enterprise Security Reporter. While I don’t use this tool nearly to its full value, I do really enjoy the ability to audit a file server and dump reports on permission levels. Would I pay for this tool? I don’t know, but until I can, I just creatively use regmon and registry editing to avoid the trial expirations.

For my Exchange rights issue, I found Vyapin’s Active Report Kit for Exchange Server. This tool will let me pull out information from AD/Exchange and lets me answer my quesion, even with the export/print-limited trial. My main question was similar to the file server one: “Whose mailboxes does John Foo have access to?” (On a side note, the supposedly limited exporting seemed to send the tool into an endless loop and built up a 2.0GB excel file before I finally decided enough.)

In the end, I really hate paying for tools to do things I really should learn how to do myself, manually, someday. Windows scripting has long been on my list of things to learn, but quite often is nearer the bottom of the list than the top. Someday I will get this down, and then I can answer my own questions and needs rather than looking for expensive software to do them for me. There really are not enough hours in my day…

Sometimes a blog post comment can be just as good as the blog post that inspired it. A comment on a post by Richard Bejtlich is an excellent real-world example of changes that occur in an environment and what can happen if everything is managed separately. I’ve seen something similar to this before, where a pix static NAT rule was put into place (on accident I hope; we never did answer this question because the tech who made the mistake had left a few months before the discovery) that basically left the balls of 2 servers out on the Internet for the wind to tickle. Eventually they fell victim to worm activity, but thankfully the damage was limited to just those two old dev servers. NSM did not lead me to the answer (we didn’t practice that), rather a lucky port scan from the outside conducted from a gut feeling revealed the issue.

I enjoy reading what breaks or didn’t work in environments. Too often such stories are so cloaked in corporate secrecy that we don’t get the opportunity to learn. How often are firewalls managed in a way that if a system is taken down and another put in its place, the firewall mappings will be reviewed and updated as well? How much chaos in a network can an IT team handle before problems like this arise? How much should policy mandate what happens and what does not happen? Or invoked policies or, better yet, inventory of systems and configs.

A post by Adam Dodge about a couple of University of Arizona departmental web servers being defaced reminded me of a sort of 5-year-ish prediction I have in my head now and then. These webservers were running Twiki and a vulnerability in that program led to the defacement and were apparently known about by the admins.

In my last job we were an ASP (application service provider, i.e. we hosted a web-delivered service) and about 150 employees. About 1/3 of the company was comprised of IT and development staff. The number of applications we, the infrastructure (network, security, sysadmin, etc) team, supported was not terribly high, maybe about 2-3 dozen different types of systems we needed to stay abreast of or at least keep secure. That’s still a lot of work to be on top of patching and securing and managing those applications properly. And it really sucked to have surprise applications (one was a wiki hosted on a developer laptop that suddenly became a burden to his system performance [gee, ya think?] and a critical piece of their own processes [ugh, thanks]) pop up in the environment.

My prediction is corporate applications will do one of three things:

1) Security will move to the network and we won’t necessarily give a crap about what goes on a system. Thin-client computing is being talked about again… If people want to run an application for their department that is buggy and 7 years old and barely supported anymore, go ahead in your own little secured network area.

2) Security and IT management will win out and corporate applications will consolidate and diminish. Rather than trying out everything under the sun and small pockets of people relying on a disparate number of applications, corporations will get rid of a lot of them and just use the really important ones. Providers that can provide a full solution will benefit. For instance, Salesforce.com provides sales with almost everything they need except corporate email and phones. That’s awesome and leaves sales really not wanting for much else other than mobile devices and access to information when they need it, anywhere.

3) We’re just plain screwed and the security function of managing all those disparate applications will be a regular task for IT/security.

This flies in the face of what I really think is coming: outsourced security. You can audit, evaluate, test, assess, monitor, and manage alerts from an outsourced entity, but how can an outside entity ever truly understand all those little apps that pop up in every corporate environment? How much clout would such an outsourced team have when saying an HR tool is outdated and should be removed as a liability and administrative drain on resources? How intimate can they REALLY get? (Answer: only as intimate as the tools let them…and they don’t get that intimate…)

I guess I can mix this all around and say a prediction will be the grinding of these two gears that don’t quite fit with each other: outsourcing security and day-to-day IT tasks vs. the disparate and complex and everchanging digital landscape of the corporate campus.

“If you hide your form, conceal your tracks, and always remain strictly prepared, then you can be invulnerable yourself.” The Art of War, Chapter 4: Formation

There’s a lot of analysts and journalists who write and talk a lot, but it’s just all blah blah blah blah, with little substance or anything that matters. And they tend to talk in circles and argue a lot about much of nothing. Brian Krebs is not such a writer. He’s one of those rare journalist gems in the security world who gets it, and has respect. He tells it like it is, and I gotta admit, I’ve enjoyed his writing, accuracy, and tenacity in sticking to his guns despite the unwashed ignorant commenting masses on his more popular topics. He wades into the whole substitute teacher porn exposure case quite deeply, and rightly, ready to get the facts out as this whole incident is one out of proportion debacle. Sic balls, chopper!

Another analyst that I have grown to like, mostly because of his style of posting bullet points and getting all his stuff in one post as much as his incites (sic), is Mike Rothman. I may not always agree and I may find his stuff not relevant to my roles, but he has gems. He had one today where he said, “Everyone needs a plan, but those that spend all day planning, spend very little time doing. So plan quick, do stuff, adapt and repeat.” We can sit and talk about how to get the perfect security plan and plan, plan, plan so that we’re not the next headline in the paper. But we could end up doing that for ten years…and get nowhere. Just do it. Get an idea or something to do and do it. It might be only part of the solution, it might even be wrong, but just do it. Evaluate it. Fix it. Adapt. Improve. But bottomline do something! A company that really wants to support its IT and security personnel will be willing to allow some levity in getting things done and making mistakes here and there. If the company is not, they either won’t ever have security, have scared admins who end up doing nothing but the barest bottom line, or they have a team of perfect Jesus Admins working for them.

Laptop encryption is a big deal these days. But one must always keep in mind that the best way to keep sensitive information safe is to not have it on insecure devices and to physically destroy media when no longer used. Encryption, if you want to get really technical, is just obfuscation. It cannot realistically be broken today…but the key word there is “today.” If that drive is important enough, an attacker can keep hold of it for years and continuously work against it. Encryption is a huge step up from bare data, but it is still not a complete substitute for sound information storage and usage practices. Either way, full-disk encryption will soon become standard on every hard drive, and users can turn it off if they want on the hardware. Kinda like providing a lock and key on a computer case. If you want to take the trouble to supply the key each time you want in, go for it, otherwise just don’t lock it.

I’m sure everyone is going to be posting and abuzz about how MySpace got GoDaddy to drop Seclists.org. But what really makes me frustrated and angry is how often people make assumptions and how ignorant so many people can be (and apparently illiterate). Reading the comments here and here is just an exercise in working up a large frustration level with people who think Fyodor was the one who phished those accounts and then posted them on the site for everyone to grab. And so on. That frustration is what prompted this post, not the news item itself.

Big kudos to Fyodor for digging quickly to the heart of the matter in saying MySpace should have taken action to protect its users whose accounts were compromised, not trying to patch up an unpatchable leak.

Personally, despite my knowledge that security sucks still and botnets and phishing are out of control, I am not convinved that ISPs and registrars should be the police of the Internet. There is still a lot of vigilantism out there with non-official sources tracking down and raising cain about phishing sites and botnets and spambots and illegal or copyrighted material, which can end up with a lot of collateral damage as legitimate persons and innocent victims are infringed upon, especially with amatuer cowboys on their missions. I will say, however, that some of that is necessary and legitimate. F-Secure notifying an ISP or registrar about a known phishing site that is doing nothing but phishing is one thing, but non-experts doing it? I’m not sold on that idea.

Shame on MySpace for even pursuing this without at least a little bit of thought or investigation. They could have contact Fyodor themselves, they could have checked into the mailing list, they could have asked around or browsed the archives themselves to see what the whole story was. They could have (and should have!) notified their own users about the accounts and forced a password change. Wiping out a site when the accounts are already leaked and public domain does absolutely nothing to the integrity and security of MySpace and its users.

Shame on GoDaddy for their impatient reactions and also their own lack of follow-thru and investigation. GoDaddy should have experience and relations with known experts and groups who report phishing sites and other TOS violations. I doubt MySpace would or should be amongst those groups. Due process. As a customer of GoDaddy, I would expect due process and not a knee-jerk reaction based on which way the winds are blowing.

Can’t believe I originally missed an article on wardriving! And not a bad one either, considering the ComputerWorld source. The first page is interesting with the setting up of a rather cheap van office. I kinda like that idea, especially considering my car has zero room as it is. I was also enthused about someday getting together some cheap mobile rig (if I got more into wardriving/wireless assessments that is) after watching an episode where the packetsniffers mounted a laptop in their truck. While a front-seat-mounted laptop is borderline illegal (something about a tv or computer screen being visible to the driver), the idea of a mobile wardriving pad is pretty cool. Shag… At any rate, I like a good article with some good technical tips and hardware suggestions. Unlike many ____World articles, it really sounds like this author is definitely speaking from experience. I might have to hunt this guy down when I make it out to Seattle soon.

“Someone unfamiliar with the mountains and forests, gorges and defiles, the shape of marshes and wetlands cannot advance the army. One who does not employ local guides cannot gain advantages of terrain. -The Art of War, Chapter 7: Armed Contest

Amen to that.

I read Shark Tales off and on, and saw this one today. While amusing, it also comes with a pang of sadness at how often no one ever know what IT does to keep the ball rolling. IT (all of it, including security) is too often seen as a utility. No one cares until it isn’t working. I mean, when was the last time you called up your electricity/internet provider and thanked them for providing the utility that day?

This is the best laugh I’ve had in weeks: CNNs 101 dumbest moments in business in 2006. The Chevy Tahoe viral act gaffe sets the stage, especially once I went to www.youtube.com and looked up some of those Chevy Tahoe ads. It just gets better as well! I didn’t realize so many funny and awesome things happened in 2006! And yes, there are IT and security-related incidents listed.