Michael Santarcangelo poses an interesting question and analogy to the IT security world: do you dance in the rain? Now, you probably won’t catch me dancing in the rain unless I’m at an ourdoor concert, but I’m definitely not a scurrier, even if I’m wearing a light shirt headed to an important meeting in the pouring rain. Screw the umbrella; enjoy nature’s weather, even if it can be temporarily painful in the winter; you won’t die. (Ok, so if you’re out in the wilderness camping or hiking, you should be careful, but in an urban setting, you’re not going to die.)

But Michael’s right, do what makes you happy and gives you passion. It might be a little weird, but happiness begets productivity, and ultimately, we’re all more than just our jobs. Keep the optimism. The enthusiasm, while looked at askance by some others, will be respected and rewarded eventually.

Considering our jobs in IT and security, we sometimes don’t get our adrenaline pumping until there is an incident. Perhaps that means we might only be happy when it rains? 🙂

Speaking of lockpicking and practice, I actually have been practicing my lockpicking recently. I’ll bring a practice lock and a few picks with me to a coffeeshop or movie theater and pick away at it for small chunks of time or before the movie starts. Sometimes I will do so while watching a movie or television at home. Today I was actually able to pick 2 of my 5-pin locks pretty quickly, multiple times. And these were locks I wasn’t terribly familiar with yet. That’s a pretty big step for me!

Practicing lockpicking has allowed me to go from being a blind raker who gets lucky, to being able to better feel the matching of the pins and which ones are not yet locked. It has also given me my own ability (technique) to determine pin-counts before applying any torque and make guesses when a pin is locked too high or which one is just barely keeping the cylinder from turning.

Of note, I have a simple 21-piece lockpick set that I ordered for about $45, plus a series of practice locks that I found on ebay. I think the locks are about a total of $100, and I have 9 of them. Three of them are cut-away locks so I can actually see the pins. Two of the locks are 3 pins, the rest 5-pins, and I even have a 5-pin spool lock. I highly recommend grabbing a couple cut-away practice locks if you are just starting out, as that really helps.

Practice, practice, practice. This recently came up in a SecurityCatalyst forums thread from Cutaway. You practice until reactions to incidents is automatic. Not only that, but you practice to become better acclimated to something, whether that be a skill or simple knowledge. If you check your internet usage levels or network utilization every day, you get a really strong feel for what to expect. This means one can isolate anomalies much quicker. If you do some lockpicking for an hour every day, eventually you will acquire a feel for doing it quicker, which can expand into being able to tackle tougher locks…

Practice, practice, practice… Professonals need to never forget the basics and the fundamentals of what we do (I know too many who hate the drudgery of such tasks…). Think of it like keeping a finger or monitor on your heartbeat for spot-evaluations or for emergency hospital stays….

The newly revived Mogull (and he’s not a zombie!) states that the $187 per lost record number is garbage. He’s right, but let’s throw two more logs in.

1. Try to tell anyone who has had their identity stolen or funds maliciously charged to their credit cards that their record is worth only $187. Even those people who have just seen a few pennies charged and flagged by the credit card company could “suffer” more in the thought of what can now happen. I’ve seen firsthand a few rather scared acquaintences after seeing such a test charge…

2. Let’s say you’re a medium-sized company but you have only a few very large clients. If you have a breach and let’s even just say 2 people, who happen to be your main client executives, decide that breach was damaging and drop your business. This could have devastating effects. Granted, this isn’t a “retail” store, but let’s just forget quoting too many statistics and numbers lest we lose sight of the real issues.

Wil Wheaton (I’ve been a closet fan of his for years, after TNG) gave an excellent keynote recently at PAX. OCMod actually has the full audio up. If you’re a gamer of any kind, or once was in your youth, this keynote is worth listening to. Scroll down to the bottom for the full audio (good quality), or just read the article for highlights. Scored this from HARDOCP. You know, the idea of opening an old school arcade would be something I’d readily do given spare cash…

It may be cute to complain about business buzzphrases, but we have our own stupid, inane little buzzwords as well. I really hate hearing meaningless maxims like “compliance is a process, not a product.” No shit, but don’t we purchase products to support processes? Maybe security should idealistic and ephemeral, something we can feel good about in our heads but not actually do anything about…but I guess that’s not me. This maxim can be used to attack any product anywhere in our field…making it rather meaningless. I prefer saying something to the effect that, “tools won’t create process, process comes first” or “a tool will not solve our problems in the absence of a process.” That sort of statement isn’t something I can use to attack the idea that NAC can be at least partially justified by compliance efforts. Let’s say I do have the process and NAC is my tool to streamline it? Fratto has a point that NAC has a number of drivers behind it, but he is wrong to denounce an arbitrary one using an inane, meaningless buzzphrase.

Saw this from Rothman’s daily incites.

Roger A. Grimes wrote recently about using a honeypot in the internal network to catch maldoers (am I alone in feeling a bit naughty after seeing the pic of Roger and honey?). I think this approach is a little heavy-handed, even for a throw-away machine. A full-blown honeypot is a bit of an interesting approach to the problem of detecting intrusion. If staff cannot detect intrusions on their real systems or on the network, they’re not going to wield a honeypot correctly. And if they do catch someone probing the honeypot, they are already beyond having a problem.

Now, that’s not to say I discredit this approach. I’m all for multiple barriers, detections, defenses, and using spare time and resources (even throw-away junk) for any little bit that can help. In fact, in a previous job I had a really old workstation that I opened a share on and configured a few port listeners on. This box was a crude honeypot/detection box that could alert me if something was scanning certain ports (namely 1434) or something was depositing malicious files on the open share (we had a couple of these outbreaks when I first joined up). Not really a honeypot, but it was a box meant to simply trigger an alarm in an environment that was cash-strapped from a back room standpoint. Honeypots seem more geared towards human attackers, as opposed to automata which is more often the culprit.

So, I’m not disagreeing with the approach in total, but I would caution that honeypots internal will indicate something bigger is happening, and there really should (if you can get the budget for it) be other measures in place on the network and real systems to detect intrusions or naughty activity, even if they are just little tripwires or detectors.

The article also gives some nice tools, and I’ve already picked up that book mentioned and hope to get started on it in the coming months.

Looked for a 10/100 (0r /1000) ethernet hub lately? I hadn’t either until today. I found it surprisingly difficult to find a hub. Most searches pull up USB hubs, while the rest tend to recommend switches. Great, but I want a hub (or a network tap, but the cost difference is obvious). The only hub I did find in my quick searches today was a $40 job at CompUSA. Forty bucks?! Maybe I’m cheap about certain things, but a 10/100 hub shouldn’t be $40.

Silc is a secure chat network, much like an IRC network, only the communication channels are actually encrypted. However, you can still leak out your normal host, which steals away any shot at anonymity. But if you use Silc with Tor, you achieve not only privacy in the channel, but privacy in the connection as well. Nice! As I’ve seen it said, silc+tor may be the most secure way to communicate with someone on the net. (Yes, I guess you can add an exchange of keys to verify identities…)

First, install Silky. I am doing this work in an updated but newly installed Ubuntu system. Make sure the repositories are unlocked, which should be the first thing done with any Ubuntu install.

sudo apt-get install silky

This will actually also flag and get any dependencies like libsilc.

Start Silky either by typing “silky” into the shell or Applications->Internet->Silky. Being the first time run, it will want to generate keys. Automatic is sufficient. Close out, and let’s look into Tor.

sudo apt-get install tor privoxy tsocks

Again, the needed dependencies will be installed. We can then start Tor and call Silky.

torify silky

Click Server, and select a server or supply one you know under Preferences->Edit Preferences. Nothing special needs to be submitted, just use whatever address and port used normally. Connect, and check out the hostmask. That’s it! Other programs can start this way as well, such as “torify firefox” and then go to whatismyip.com and verify the external IP (there is a Tor extension which works beautifully, though).

Keep in mind that Tor is not the fastest of connections, and while IRC is pretty resilient, I’ve found SILC to be a bit more picky about some slowness. I’ve found Silky can stay up for a few days, but Torify (tsocks) eventually dumps out, so it is not something I’d expect to always leave on.

Now, if someone knows how to implement irssi+silc_plugin (or any silc plugin)+tor, I’d love to hear how! That way I could possibly stay connected on a server using screen to attach whenever I want. Granted, I think I’d need two irssi’s since Freenode only wants Tor users to use their special private entrance.

More stuff to Torify can be found on the web.

Check out WikiScanner if you want to pry a little bit. Use your own company name (and variations!) to see what people at your office have been doing on Wikipedia. Kinda puts some things in our digital world into perspective. He’s pretty busy right now, so you might have to reload the query a few times. When you get good hits, you’ll see a button that says something like “Wikipedia edits, ahoy!” Click it, then click the number links to expand a new frame with the edit itself.

In a similar vein to last week’s Cisco VPN client privilege escalation vulnerability, ZoneAlarm is also susceptible to executable file replacement.

Sadly, this isn’t 1998 anymore, and I don’t personally know anyone who still uses ZoneAlarm…

Rebecca got me thinking this afternoon about her post on how business and even schools may or are forming sanctions against their users of social networking sites.

It really sucks thinking about stuff like that, and I encourage reading the post and links she gives. I really feel that while some of that stuff is useful for hiring managers looking for appropriate team members, most of that stuff should belong to the realm of the individual. The exceptions being documented and reported harassment and disclosure of sensitive information. I also don’t mind hiring managers using such sources of information to determine if a potential employee may be a good fit. That’s cool too, in my books, namely using it to learn about someone a bit more.

Take this example. I have a few Suicide Girls t-shirts (I’d link, but it’s not work safe) which I don’t mind wearing (of note, they’re the most comfortable t-shirts I’ve ever owned) out in public. I’m not a member, but I used to be back when I knew people on the site, a bit before they got “big.” So that kinda illustrates a slight individual taste for me, or at least openness (especially to comfy t-shirts!!). While out and about, I might run into people that know me well enough to know where I work. I may meet others to whom I give out business cards with have my company name on it. This is very similar to how people may stumble upon my inappropriate MySpace site (no, I don’t really have one) and connect my company to the person’s habits.

It’s just life, and that’s how we are outside of work in our personal lives. We all have some things we’d rather not air out, on either side of the fence. And I really think trying to police social networking sites (which is really trying to steal individualism away from employees and enforcing Thought Police) is futile and detrimental to our culture as a whole.

If my company president saw me out in the street on a Saturday with my Suicide Girls shirt on, the earring I can’t wear when at work, and doing a wireless site survey on open wireless networks in the area just because I can, I’d hope that he’d be able to smile, say hi, and not let that carry over professionally or try to change who I am. Anything less, is superficially shallow, in my books.

I don’t think I posted it, so I thought I would jot down installing an SSH server on Ubuntu 7.04 (Feisty).

sudo apt-get install ssh
gksudo gedit /etc/ssh/sshd_config

Change the PermitRootLogon to no and change port to desired port number. Add a new line at the bottom, “AllowUsers username” where username is your username you want to allow. You can use “DenyUsers username,” but once the AllowUsers is set, all others are denied anyway.

Next, I want to add a little brute-force protection using pam-abl. These instructions may not be current, but they worked out for me. Add “deb http://ubuntu.tolero.org/ edgy main” to your/etc/apt/sources.lists file. Remember to open it as root so you can save it. And yes, I am using edgy instead of feisty in this line.

sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart

Run “sudo pam_abl” to list the current blacklist, and use –help for more features or manual blocking. Failed logins are collected in /var/lib/abl. SSH logs are written to /var/log/auth.log, however it might be useful to increase the logging level and location. Change “LogLevel INFO” to “LogLevel VERBOSE” to get more out of the logging.

Further hardening can be done. The files /etc/hosts.allow and /etc/hosts.deny will allow or deny the listed users respectively. These lines will allow two IP address ranges to connect but deny all others.

# /etc/hosts.allow
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL

Referenced Tolero.org for the pam-abl install. I also note an Ubuntu help file.

For future reference, Cisco released a passive network mapping tool called SMART, Safe Network Mapping And Reporting Tool.

Skype was down late last week for about 3 days or so. And not just every single user, but also downloads of the software on their site. This was supposedly due to a software algorithm update or something like that. Today I read this was due to the massive reboot of Microsoft Windows computers the night previous. TheRegister also has some info up, and is a little more cohesive.

I call bullshit. This is curiously close to poc code released that supposedly (I say that because I’ve not tested it, nor could anyone else since the servers were down) would freeze a Skype server, then move to the next one, and so on. It was posted to SecurityLabs.ru. If true, that is certainly a critical, fatal, flaw.

1. A security issue to Skype would be a very, very big deal. One of the biggest contention points with Skype use is its security. I’d do everything in my power as well to protect that, such as shut off all servers and all users and all downloads in an effort to hide the insecurity issue.

2. The Windows reboot shouldn’t have occured as late as it seemed like Skype was down. The reboot should occur Tuesday evenings in the dead of night, for automatic users, and at various times. I don’t think Skype was down until Thursday…

3. Why now? Why this month? Why not the last few months?

4. And Skype is going to tell us that a mass reboot of users exposed a vulnerability in the availability of their world class system? You have really got to be kidding me… But as much as that can be egg on their face, I would weigh that less than a security incident. Nonetheless, I can’t imagine the overhead of reconnecting to Skype truly caused such a showstopping event on the service’s login servers. I wonder how many Skypes get turned on every morning anyway?

Ever informative, the Internet Storm Center has an ongoing post which raises similar questions and more. I really like the thought that Skype needs Windows users to log in, so that means all these millions of users all had their machine auto-login? Again, right.