Reading some stuff on spam and email today got me all inspired to keep a mail project in mind as the year progresses. I’d like to stand up a Linux mail server on my home network someday. It’s not like I dislike my Windows mail server application, but it’s done. It’s there, and implemented. And, of course, there is still spam getting through. Unless I go with Exchange (overkill, although valuable experience) and some commercial apps to help support it, my best bet is to go with Linux, a mail server (likely sendmail), and SpamAssassin. The problem is those latter two are very daunting and quite bearlike in their configurations. I would need some good time to pore over the settings and how to get things working. Thankfully, I do understand SMTP and have done what would amount to first-level support on a sendmail server before (bigger issues I would escalate to someone more experienced). Maybe someday I will move towards that route. I could always just leave my current Windows mail server up as backup.
So it has been a while since my last post on Linux as my main box; I’ve really basically just been using Linux every day. After getting past some of the usability issues with DVDs, movies, MP3s, and other media, I’ve definitely settled into a nice rhythm with Ubuntu.
My biggest issue lately has been my external FireWire drive, which is NTFS. Since I run Ubuntu on my laptop, and laptops shouldn’t be tethered to anything except a mouse and power, I decided it was in my best interest to stop wrestling every 4 days with Ubuntu vs. NTFS (which I typically did get to work…until unplugging and replugging the drive and trying to remount; Nautilus is very picky and whiny), and just plug the drive into something on my network that is on all the time and likes NTFS much more (Windows). I now quite easily just smbmount it over the network when I want. The added benefit is my other systems can get on it now as well.
Other than that, I’ve become very happy with my Ubuntu installation, which is kinda illustrated by the fact that I’ve not booted into Windows on this laptop since the last update a few months ago. I do cheat, however, since I have other boxes including a slightly less-powerful laptop running XP, but I definitely give Ubuntu my daily tasks. The XP box is just there for misc things and other Windows programs. Heck, I’ve even taken much more to cygwin on all my Windows boxes.
Will I stick with Linux? Yeah, I will. The reasons remain the same, though:
1) Tired of paying for an OS license at home.
2) I want much more practice with foundational Linux tools.
3) I really like being familiar with a Linux box day-to-day in addition to just knowing how to use the apps. I feel much more flexible this way. (And it adds to my skillsets.)
Will I fully ditch Windows? Never. I have older machines that love my Windows 2000 installs. My other good laptop and gaming rig both have Windows XP. And as long as my job involves any semblance of Windows, I’ll do my best to keep up with it. And Windows will always remain my backup boot option.
My goals moving forward this year in regards to Linux:
1) Become intimately familiar with BackTrack. Also adopt a couple other LiveCD distros for flexibility’s sake. Likely Auditor, Helix, Trinity, or something related… LiveCDs are just too cool when it comes to laptop use.
2) Become more practised with a wider range of tools for Linux. The only difficulty here will be delving outside Debian/Ubuntu-ready packages and tracking down my own dependencies with things not in Synaptic. I might just use an older laptop as a test bed so I don’t screw up my main box too badly. 🙂 I might even look into FreeBSD.
3) Start getting familiar with running a Linux server and replacing Windows as my main server. I might look to something beyond Ubuntu for that, and might just run it from the command-line as well. This is definitely more of a “maybe by the end of the year” sort of goal.
Tail is an excellent tool for watching a log file. Tail in cygwin on Windows is ok, but the display really does kinda suck. Baretail is a similar program for Windows that can tail a log file quite nicely. The program doesn’t even use an installer and is just a bare standalone executable and works quite nicely to watch logs on Windows. Excellent little tool.
I honestly think email disclaimers are stupid. This is an entertaining list of some bad and worse email disclaimers. Honestly, we all know better than this anyway, and props to any company that just dispenses with this nonsense. I already know that Boeing (a large company that must be security-conscious) does not enforce email disclaimers. If they don’t, no one really needs to. Such wasted space and so unnecessary.
Here is a list of 20 things most people don’t know about Windows XP. Honestly, I didn’t know a lot of these either! A lot of them won’t mean as much to me right now since I don’t do much desktop support, but XP is gonna be around for a lot longer. (Do some soul-searching on whether your company really has a reason to move to Vista? Seriously, do you? Other than MS dropping support someday, I doubt it.)
Fred Avolio posted this excellent list of security admin errors last year. It has been languishing in my bookmarks and I thought I’d post it here for posterity. Some of these are excellent issues, although some are not necessarily the security admin’s fault.
Andy posted what is maybe the biggest question (and toughest) we should consistently ask ourselves in this field: What is the biggest problem facing security professionals today? Andy answered user awareness.
I’m not so sure I could so quickly answer just one thing as our biggest problem. If I were to tell a VP where to best spend his money, I think I would answer either technology to protect the users and data, or spend money on educating management, not all users. Managers need to lead, and unless managers are aware of the problems, users aren’t really going to give much more of a shit. Companies are economic entities, and users are entities that answer to their managers. Pressure can be applied by educating stakeholders such that they hold management accountable for security. But we all know that devolves into checklists, grades, certifications, and basically the representation (right or made up) of security…which may or may not be the real state of security.
An example of technology mitigating the user problem is in laptop encryption. Users can continue to be stupid and lose laptops because they leave them in plain sight in their cars and put data they shouldn’t on them, but if they are encrypted (technology), that user mistake is dramatically mitigated. Of course, this may perpetuate the cycle of relying on technology and ignoring user education…but that’s at least where I’d perhaps put my money first. Teach people to ignore spam and phishing and detect it and report it, or implement spam filtering good enough to minimize their exposure to those decisions, along with HIPS/detection to stop those fewer instances where they do slip through? Relying on users would keep me up at night, personally.
Complexity of our environments and technology advancements are also a huge problem right now. Environments keep growing outward and more varied. They’re also just plain growing. Trying to create an infrastructure today that can be properly and securely grown for the next 10, 5, or even 3 years is highly difficult. Our work environments creep and grow, and we don’t typically have the luxury to start over and build the house correctly to today’s threats.
For all that rambling above, I don’t mean to diss on users as being stupid and a lost cause. I do realize there are benefits to user education and I by no means would prevent user education or speak up against it. User education is truly part of a blended approach to security, and users are just another required layer to be protected and educated, just like in the spam example above. I’m somewhat playing devil’s advocate, but I honestly don’t know if I would say user education is our biggest challenge. I think it is just far more complicated than that.
Update: After some more thought this evening and some time playing LEGO Star Wars (awesome!), I think one of the biggest problems we face is making sure our peers (and ourselves) give management the best bang for the buck they can get, and give accurate and honest and truthful assessments and advice. Management needs our help to understand the reality of their state of security and how to properly tackle it. They also need us to keep hounding them so they don’t become complacent or think the task is done. So yes, in a way, education is necessary, just not necessarily user-centric as much as tackling the user base from the top. This might include heavy training for IT folks as well; those of us who are laying the blocks and doing the securing and growing and actual work. Even if management is on board, they can only spin their wheels if their people are not getting it.
RSnake posted about social engineering. For as much work as I do with networking and computers, I still maintain that the highest success rate attacks on a target are physical and social engineering attacks. The only thing stopping most people from doing more of those things are social mores and the stigma of getting caught and not being able to maintain the anonymity like we have on the Internet.
One neat thing about running one’s own email server is that I get to see all the spam that comes in. After a number of years up, my most-used email addresses are getting about 100 spam messages a day on busy days. Spam used to (as in 2 months ago) come in with names in the subject line. Typically I’m just, yeah right, unless it says Michael or the name of someone I might expect email from. Then I realize just how easy it is for less knowledgeable users to open spam. Typically I see mostly pharmaceutical picture ads, stock scams, and bootleg software.
The spam moved into Chinese characters (wtf?) and in the past week or two I’ve seen a lot of spam sporting current news headlines in the subject line. Not bad, impressive!
My mail server’s spam filters don’t catch everything, although it tends to catch about 50% and label them as SPAM for my mail filters. I really don’t expect much when I’m using non-SpamAssassin tools that don’t cost anything.
Michael Santarcangelo has soft-launched the Security Catalyst Community forum site. This is something we do need, and I’m enthusiastic to see where this community goes. While I think this might be an excellent initiative, there are some concerns I’ll just post here because they’re really not important enough to bring up to Michael S or those forums.
First, growing a community is not easy unless you happen to have something that draws people in on its own. That’s rare, really. I’ve done community-building work back in gaming where I ran gaming leagues and competitions and basically worked hard to keep the community participating and just plain caring. It is not easy work and is not something you can just say, “I’ll build it and they will come.” Many forums and sites have sprouted with that mantra and within 6 months the only posts you see are spam posts and what might otherwise be seen as the dust and tumbleweeds of the Internet. It takes constant work by dedicated persons, constant content, and lots of posting and giving people a reason to show up. What makes this even harder? My communities were gamers with lots of leisure time. This community may be made up of a lot of very busy professional people. Hopefully this community will recruit some good people to lead the discussions and provide a reason for everyone else to slowly filter in and continue to contribute.
Second, I’m undecided about the somewhat informal policy of registering with one’s real name, or at least putting one’s full name in the signature. I’m not sure of the goal of this other than to look more professional. I don’t think we need a stuffy community, but rather one that is willing to talk openly. As information security professionals, I think we, of anyone, should be empathetic to decisions to control or at least mitigate information leakage. Yes, I know McNealy will say my privacy is already gone, deal with it, and I agree with him. But that doesn’t mean I have to let go of every device by which I maintain at least a little control. One of those is forums and comments on other sites. The only places I really like to tie my name, online handle, and/or contact information together are my own pages, or when someone is deliberately tracking me down. I will lose this battle someday, but until the world starts getting better equipped to deal with it, I’ll still put up a fight. 🙂 We can’t let today’s inability to deal with information and identity and the internet get in the way of our professional and (oftentimes needed!) informal communication. The people who want their names posted typically are the people who are branded by their names. They have an interest in making sure their name is out there (typically analysts and experts). Also, if my name is associated with the company I work for, I can’t typically talk about certain things without people putting 2 and 2 together and knowing my company has an issue with security concept X. That sort of secrecy is one of my biggest issues, and it makes it hard for any of us to properly learn from others’ mistakes. That’s really one of the biggest reasons I enjoy things like Infragard (NDAs) and other local informal groups of buds. There are many very smart people out there with very valuable ideas who may not want to be associated with their given name when online.
Kinda like McNealy saying my privacy war is already lost, so too is the war on anonymity online. Not only can you not always completely stay anonymous online, but (oddly enough), you can stay pretty damned anonymous online. I don’t think a forum community is going to be truly able to maintain the informal policy of non-anonymity. I could pick some random name and bounce through proxies to join in with a free email address and change my grammar/writing style. We shouldn’t need to do that here. Likewise, it should be enough that the moderators have the ability to check IP and logs and deal with any miscreants in due fashion.
Besides, come on, there’s plenty of Michaels running around here! Hell, at my last job we had 3 Michaels on the same team of 4 people (the odd one out had Michael as his middle name). Other than deliberate impersonators, I’ve yet to see another LonerVamp. 🙂
Nonetheless, I look forward to participating as LonerVamp in this new community and seeing where this goes. There’s a lot of vury smurt people whom I regularly read already signed up!
I know Microsoft and other sites will take pains to force people to use IE, but I didn’t think I’d find a site that would tell me their site was incompatible with IE and I should use Firefox (even though it lets me click forward and get in anyway, which makes me wonder what’s so incompatible). AWStats, a web stats app typically for Apache and Linux, tells me such. Talk about annoying both ways.
One thing I have learned in networking, security, and really IT in general is that you take any opportunity given to pick up some decent hardware. While I sometimes pick up really crappy hardware, there are always times when you get something decent for very little. And nothing is more frustrating than being inspired to do some tinkering only to find no spare boxes that I want to risk messing around on.
So tonight I picked up a motherboard and CPU for $40. The motherboard is an ECS K8T890-A which has dual DDR400 RAM and a Socket 939 which is for AMD 64-bit processors. This ECS may not necessarily be a gaming rig foundation, however it should suit my purposes just fine, as I have a gaming rig already (although the specs are getting really dated). This mobo has an older BIOS which does not really allow overclocking (quite ok, I don’t overclock). The AGP slot is also not really a true AGP slot and instead is a modded PCI bus connection. This means pretty much only older video cards are supported (3.3V), and I’d never get the full power of an AGP card anyway. Good info here for my own future reference. The board does support SATA and RAID.
The processor is an AMD 64 3500+. This translates into a 2.2 GHz CPU. The CPU is already mounted with heatsink attached, and I’ve not had a chance to boot it up yet. I don’t think I have a proper PSU to support this board right now, but will be collecting some parts over this winter and spring.
This mobo/CPU may make a great foundation for another always-on server that runs Linux as a vmware host and contains a few VM images of my choosing. The board still has great specs for a non-gaming machine. I just need to load it up with RAM and disk space. Unfortunately, the max RAM will be 2GB, which should only run me roughly $200-$250. And I should be able to pull 350GB+ with two disks for under $200. Another $100 for a 500W PSU. And then look into whether I can use this all in a current old chassis or buy up a new one with fans for roughly another $100 and a non-exciting graphics card (or just use on-board) for $60.
Overall, that’s still not really all that bad. About $800 for a good solid box that I can utilize in multiple ways. I could even go a bit cheaper in my parts and do Kingston memory instead of Corsair and still be just fine.
“The comprehensiveness of adaptive movement is limitless.” -The Art of War, Chapter 5: Strategic Advance
This reminds me of recent comments from Bejtlich about IDS/IPS devices that are alert-based but have little additional knowledge for the analyst. That is not very adaptive, and as such, ends up affording little value below the surface. Being able to be adaptive in IT and especially security is an amazing ability, as opposed to having very complex, rigid, or incomplete implementations that don’t afford much in terms of quick reaction, seamless changes, and the ability to get the data you need. It also makes me think of on-demand sniffing needs. Can a security analyst quickly span ports into a pre-configured system set to sniff traffic, or will the analyst have to jump through hours of hoops to get this set up for an emergency?
This was too awesome to pass up putting here. By way of Mike Rothman comes a post of 16 dirty little sayings overheard in IT. I’ll add my own commentary to them. What makes this an awesome list? I have heard most of them spoken, multiple times.
1. “It’s only a temporary server. It’s not for production use.” This is the bane of sysadmins. This request should always be met with, “what is your hard end date, then?” Too often this uttering is just a way for someone to get something done without properly justifying or defending it and I really hate it. Too often “temporary” turns into “permanent” or even “production” without warning or planning. The only thing worse is when they use their own workstation or some other box without ANY warning. “What do you mean you used your test QA machine to host a new critical ticket system?!” Without admins being complete hard-asses, this would happen constantly.
2. “We’ve tested the backups. They read back just fine. Never restored for real though.” I hate this one too, because if there is one thing I think is most important in IT, it is backups. What is worse, though, is *not* hearing this spoken but having it as the unspoken truth. Too many admins never test restores until a restore request. Always test, always verify. I learned this back in science labs in high school.
3. “Patching? yeah. That’s on our list. We’ve been looking at SUS for a while now, just haven’t got round to it.” Another classic task procrastinated in our field. Funny how the fundamentals fall into that basket so often…
4. “Of course staff know about the security policy. They have to sign a form at induction. I did when I started 5 years ago.” …along with the other 55 pages of new employee information that grazed us like a gnat and that we brushed away to figure out where the nearest bathroom is and how to log into our system.
5. “We have documented procedures. Everybody just ignores them. Except me, of course.” I say this a lot, both at my previous job and my current one, but I admit I sometimes go by memory as well, especially for things I know inside and out and I know the steps have not changed. Again, though, for such a detail-oriented career, IT people too often ignore documented procedures.
6. “Our apps developers do their own thing really. I think they have procedures for promoting code, but I’ve never seen them.” This is common too, especially if newer admins were not involved in creating the infrastructure that the developers use to promote code. This isn’t necessarily such a bad thing as long as the admins can support it (per their job) and there is some audit trail available so they can answer who screwed up production when it happens. Security should at least know how they do this, though, so that this risk is minimized.
7. “Users have been told a hundred times not to share passwords.” Yeah, the only cure for this is a clue bat. The best mitigation besides that is simply constantly changing passwords and stringing someone up when something really bad happens with a hijacked account due to sharing. Or perhaps legal/HR when told, “Well, they share the account, so you can’t fire one as we can’t PROVE she did it, it could have been either of them.”
8. “Security Policy. Hang on. We do have one somewhere… Dave! Have you seen that policy file anywhere?” Haha, yup! My last company did this every time an audit was at the doorstep. And despite me writing some up, they rarely got signed off up the chain of command and even less were enforced. In fact, they never were…
9. “We’re developers. The sys admins make our job so difficult. We have deadlines you know!” This one sucks, but as much as it pains me to see it, there is that very difficult task of making sure developers and admins are reminded that we’re all on the same team trying to get to the same clouds in the sky. But both sides do also need to admit that they don’t know the full picture. Too many developers have no idea about networking or systems, and many admins have no idea about proper coding and the efforts involved. Security is one thing, but preventing the business folks from getting jobs done is another thing. At the end of the day, if security is holding the business back, the business could lose revenues enough that security is shown the door.
10. “The auditors needed Internet access. WiFi was the answer.” Wow, almost word-for-word I’ve heard this a few times. Also “guests” and “clients” could be put in there. My last job put up an open wireless to do this. Thankfully I’ve not experienced firsthand someone putting up wireless without asking (the last job asked), but I have heard those stories from people in companies far more critical and important than mine. Yikes! Are CFOs really that stupid? Yes. And he also thinks he’s too important for parking spaces and so parks in the fire lane.
11. “Compliance? That’s an HR thing, right?” The age-old “who enforces the company policies?” question. HR or security/IT?
12. “A security breach? Don’t think we’ve ever had one. In any case, we’d just call Dave.” In my last job, that would have been me, hehe. This statement just makes me cringe on a number of levels…
13. “The Managing Director wanted it.” I think I’ve heard this more than any other utterance here. Someone in authority pulled their weight and said, “just do it,” regardless of how moronic and terrible the task was. I think this right here is where 80% of our stress comes from.
14. “We had a penetration test last year. We passed with flying colours.” Wow, I love this one! Who the hell actually passes pen tests with flying colors? If so, you had a vulnerability assessment, not a pen test. And the assessors sucked. No one truly passes a pen test. Every environment has issues, and if they are not technological ones, they are logical and procedural ones. Given a week on site, I really believe no pen tester should walk away stumped and with nothing to do (assuming full physical access). I’ve seen stumped external attacks against a really solid firewall before, but full assessments should realistically never come back like this.
15. “Yeah, so it’s SQL injection. But our developers tell us there’s nothing of value in the database anyway.” I’ve heard similar things as well, where developers either don’t think about the data or feign ignorance.
16. “Marketing are the worst offenders. We don’t support FTP so they rented a cheap web server and uploaded data to that instead.” Ahh, human ingenuity. Where there is a will, someone will figure out how to do it, even if it is hokey and terrible and insecure and costly and …so on. This is why security needs to be an enabler, and management needs to be behind security so circumvention doesn’t just happen.
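Item 2 above draws the line between a backup that “reads back just fine” and one that actually restores. As an added example (not from the original post), this POSIX shell script builds a constructed sample tree, takes a full backup and one that quietly skips a file, and shows that both list cleanly with tar while only a real restore plus checksum comparison catches the gap. It assumes GNU tar and sha256sum are available; every path and file content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: an archive that "reads back just
# fine" is not the same as one that restores. Build a constructed sample tree,
# take a full backup and one that quietly skips a file, and verify each two
# ways: by listing the archive, and by a real restore plus checksum compare.
# Assumes GNU tar and sha256sum; all paths and file contents are constructed.

# Create a small constructed source tree under $1.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/home/alice"
    printf 'hostname=mail01\n' > "$1/etc/config"
    printf 'constructed key material\n' > "$1/home/alice/.keyfile"
    printf 'hello\n' > "$1/home/alice/notes.txt"
}

# Archive directory $1 into $2. An optional third argument is a tar --exclude
# pattern, standing in for a backup job that silently skips part of the tree.
backup_tree() {
    if [ -n "${3:-}" ]; then
        tar -C "$1" --exclude="$3" -czf "$2" .
    else
        tar -C "$1" -czf "$2" .
    fi
}

# The weak check: the archive lists without error, so it "reads back fine".
# This says nothing about whether every file is actually in it.
readback_ok() {
    tar -tzf "$1" > /dev/null 2>&1
}

# The real check: restore into a scratch directory, then verify every file of
# the source tree against the restored copy by SHA-256. Returns 0 only if each
# file came back byte-for-byte identical; a missing file fails the check.
restore_verified() {
    src=$1
    archive=$2
    scratch=$(mktemp -d)
    mkdir "$scratch/restore"
    if ! tar -C "$scratch/restore" -xzf "$archive"; then
        rm -rf "$scratch"
        return 1
    fi
    ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$scratch/expected.sha256"
    if ( cd "$scratch/restore" && sha256sum -c --quiet "$scratch/expected.sha256" ) > /dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Demo: both archives "read back", but only the full one survives a restore.
demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/src"
    backup_tree "$work/src" "$work/full.tgz"
    backup_tree "$work/src" "$work/partial.tgz" '.keyfile'
    for name in full partial; do
        if readback_ok "$work/$name.tgz"; then r="reads back"; else r="unreadable"; fi
        if restore_verified "$work/src" "$work/$name.tgz"; then v="restore verified"; else v="RESTORE MISMATCH"; fi
        echo "$name.tgz: $r, $v"
    done
    rm -rf "$work"
}

demo
```

The partial archive passes the listing check and fails the restore check, which is exactly the gap the saying papers over.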
Has anyone seen or used or heard about AirPcap? At $198, it is just a little bit above my “eh, spend the extra money and see how it is” range. I saw a blurb about this in the latest Hakin9 magazine.