ms08-067 – that out-of-band update

Still don’t know terribly much about Microsoft’s out-of-band patch list. From what little I read yesterday, it really felt like it was something I should worry about from my internal systems as opposed to something trying to break in from outside my borders.

SANS almost always posts good info earliest.
Microsoft’s SVRB looks at MS08-067 (netapi32.dll).
CA update on Win32/Gimmiv.a which uses MS08-067 exploit
Tech details from ThreatExpert blog
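Added example, not from the post or any of the links above: if the worry is internal machines (a worm such as Gimmiv.a spreading from a patient zero) rather than something knocking from outside, the cheapest early warning is an internal host suddenly opening SMB to lots of other internal hosts. MS08-067 is a Server service bug reached over SMB, so the ports are TCP 445 and 139; that is general knowledge about the bulletin, not something the post states. The firewall log format, the RFC 1918 definition of "internal", the threshold of 10 targets and the sample log lines are all constructed for this illustration.

```python
import ipaddress
from collections import defaultdict

# MS08-067 is reached over SMB: TCP 445, or 139 for NetBIOS-session SMB.
SMB_PORTS = {445, 139}
# Assumption: "internal" means RFC 1918 space; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_fw_line(line: str) -> dict:
    """Parse the assumed, simplified firewall format: 'ts src dst proto dport action'."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "action": action}


def smb_fanout(lines, min_targets: int = 10, allowlist=frozenset()) -> dict:
    """Internal hosts that opened SMB to at least min_targets distinct internal hosts.

    Returns {src: sorted list of targets}. Denied attempts count too: a worm
    that is being blocked is still a worm. allowlist exempts hosts that are
    supposed to fan out (vulnerability scanners, management servers).
    """
    targets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_fw_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if rec["src"] in allowlist:
            continue
        if not (is_internal(rec["src"]) and is_internal(rec["dst"])):
            continue  # border traffic is a different question
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample log: 10.1.2.17 sweeps 12 neighbours on 445 in 12 minutes,
# two workstations talk to the file server 10.1.0.5 normally, one external
# probe is dropped at the border, and one non-SMB connection is noise.
SAMPLE_LOG = ["# ts src dst proto dport action"]
SAMPLE_LOG += [f"2008-10-24T14:{i:02d}:00 10.1.2.17 10.1.2.{100 + i} tcp 445 allow"
               for i in range(12)]
SAMPLE_LOG += [
    "2008-10-24T14:05:10 10.1.2.30 10.1.0.5 tcp 445 allow",
    "2008-10-24T14:06:10 10.1.2.30 10.1.0.5 tcp 445 allow",
    "2008-10-24T14:07:10 10.1.2.31 10.1.0.5 tcp 445 allow",
    "2008-10-24T14:08:00 203.0.113.9 10.1.2.5 tcp 445 deny",
    "2008-10-24T14:09:00 10.1.2.17 10.1.0.80 tcp 80 allow",
]

if __name__ == "__main__":
    for src, dsts in smb_fanout(SAMPLE_LOG).items():
        print(f"{src} opened SMB to {len(dsts)} distinct internal hosts: {dsts[:3]} ...")
```

Run it over a real export and the only tuning needed is `min_targets` and the allowlist; a file server that receives from many clients never trips it, because the count is per source.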

ominous out-of-band microsoft patch

Microsoft has an ominous out-of-band patch today for pretty much all Windows systems. I haven’t been able to find enough details to even give my boss and colleagues a recommendation on how to deal with this, but from the authoritative(-sounding) snippets I’ve come across, it sounds like the real-deal Big Deal. Sadly, this afternoon is our yearly corporate meeting so I won’t get back to this until this evening. If anyone wants to drop a link to their own blog where you reveal more details, I’d totally be appreciative of the help.

passgen for local admins on windows workstations

For future reference, this is where to find Passgen. Passgen helps to ensure the local admin password on your systems is unique. Thanks to Neil for posting about the tool’s new home.

Personally, I do like having some sort of easily-remembered but not terribly predictable scheme for the local admin account. But I’ve not had to manage desktops in years, so maybe I’m already antiquated. If someone pops 5 local admins and figures out the pattern…well…there are obviously bigger problems.
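Added example, not Passgen’s own code or algorithm: the “figures out the pattern” problem goes away if the per-host password is derived with a keyed function instead of a human-memorable scheme. Below, each host’s password is HMAC-SHA256 over the hostname under one master secret, so an attacker who dumps the local admin hash on five workstations still cannot predict the sixth, while the help desk can regenerate any password from the master secret and the hostname. The symbol alphabet, the 20-character default and the complexity rule (all four classes, stricter than Windows’ default three-of-five) are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a small symbol set that does not upset consoles and scripts.
SYMBOLS = "!@#$%^&*-_=+"


def meets_complexity(password: str) -> bool:
    """Upper, lower, digit and symbol all present (stricter than the Windows default)."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def derive_local_admin_password(master_secret: bytes, hostname: str, length: int = 20) -> str:
    """Derive a per-host local administrator password from one master secret.

    password = base64(HMAC-SHA256(master_secret, hostname || counter))[:length-1] + symbol

    HMAC is a keyed PRF, so knowing several hosts' passwords reveals nothing
    about the master secret or about any other host's password. The counter is
    bumped only if the first candidate happens to miss a character class.
    """
    if not 12 <= length <= 40:
        raise ValueError("length must be between 12 and 40")
    label = hostname.strip().lower()  # hostnames are not case-sensitive; normalize
    if not label:
        raise ValueError("hostname must not be empty")
    for counter in range(256):
        msg = f"{label}\x00{counter}".encode("utf-8")
        tag = hmac.new(master_secret, msg, hashlib.sha256).digest()
        # Keep only [A-Za-z0-9] from the base64 text, then append one symbol
        # chosen by the tag so every password has a non-alphanumeric character.
        alnum = base64.b64encode(tag).decode("ascii").translate(str.maketrans("", "", "+/="))
        candidate = alnum[: length - 1] + SYMBOLS[tag[-1] % len(SYMBOLS)]
        if len(candidate) == length and meets_complexity(candidate):
            return candidate
    raise RuntimeError("could not derive a compliant password")  # practically unreachable


if __name__ == "__main__":
    # Constructed sample input. The master secret lives in a vault, never on the workstations.
    master = b"example-master-secret-keep-this-in-a-vault"
    for host in ("ws-001", "ws-002", "fin-laptop-17"):
        print(f"{host}: {derive_local_admin_password(master, host)}")
```

The one operational caveat: rotating the master secret rotates every host’s password at once, so treat the master like a domain credential, and keep a second one ready for the rollover window.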

gartner’s top 10 complex techs for 2009

I just came across the Gartner release of the top 10 strategic technologies for 2009. Oooh, how important-sounding! I wonder if they’ve made them general enough to basically cover everything you can think of? 😉

1. Virtualization
2. Cloud Computing
3. Servers beyond blades
4. Web oriented architectures
5. Enterprise mashups
6. Specialized systems
7. Social software and social networking
8. Unified communications
9. Business intelligence
10. Green IT

What scares me is how complicated these items can be. And especially how interdependent they can be on each other and on other parts. It used to be you needed a website, and your web admin had a series of basic tools to troubleshoot and support those technologies. Now, we either are placing that power in an external entity (Cloud, WOA, Mashups, Social software, even BI) that we pray will stay up and not change things, or we have to work through crazy interfaces that do the work for us, or so we hope (Virtualization, WOA, Specialized systems, UC).

It is a little scary to me to put so much dependence on complex systems, because we all know complex systems fail in complex ways, and without the knowledge or maybe even the opportunity to troubleshoot on a low level, we may suffer a negative renaissance for IT staff as we depend on others for the expert assistance. Or, at the very least, we see a gap widening between those geeks who Get It, and everyone else. I don’t think that is good for business stability.

To put it another way, the barrier to entry into a technical position can increase dramatically with almost every one of those bullet points above. And seriously, how many students come out of college (not including the nice technical institutions or hands-on post-high school orgs with better-than-basic coursework) being able to truly tackle most of those items?

This was their important-sounding but useless list last year (for 2008). Some of these just make me roll my eyes.

1. Green IT
2. Unified Communications
3. Business Process Management
4. Metadata Management
5. Virtualization 2.0
6. Mashups & Composite Applications
7. Web Platform & WOA
8. Computing Fabrics
9. Real World Web (say what?)
10. Social Software

security tends towards detection

Being in IT operations (networking, systems…) can sometimes drive me more cynical in my attitude towards security. This week has been one of those weeks. I sometimes get the feeling that IT (business) problem solutions can be insecure, but it would take an exorbitant amount of effort and time/money to fix some obvious problems. Ever have one of those problems that even 5 people meeting for 3 hours can’t find a solution for? And sometimes things just get let go for the moment.

Kinda makes me wonder how many security folks are not necessarily doing direct security, but rather entirely doing workarounds and mitigations for poor solutions. Poor solutions are the result of cutting corners (time, money, quality) or incompetence (a harsh way of saying the people implementing it just didn’t know how to do it properly).

More arguments towards detection…

the not-small implications of the palin email debacle

I consider the Palin Yahoo email account “hacking” incident a bit of a godsend. Yes, what happened was wrong, but it certainly brought to light some uncomfortable truths about digital security, policies, and even human nature. Warning: unpolished rambling ahead!

1) First, we get to question (all over again!) the actual security benefit of those super secret security questions. They’re not a security measure so much as a human forgetfulness safety net, although that may be arguable.

2) Palin was doing government business over public, personal communications lines. The drama continues to unfold, and this article on the Washington Post does an excellent job of illustrating the downward spiral that occurs when an important employee uses a personal, public service. (Turns out she has yet another non-compliant email address, too!)

The judge issued the orders at the request of Andree McLeod, an Anchorage activist whose pursuit of Palin’s e-mails revealed that the governor did considerable state business from a Yahoo e-mail address — an arrangement that avoided the safeguards and accountability of the state’s secure e-mail system.

This is only a portion of what happens when an employee decides to circumvent policies and use un-approved public/personal communication avenues. These policies are in place as much for entities to CYA as they are for security, and a lot of this legal wrangling over the implications of Palin’s practices has to do with her breaking known, accepted policies.

This will eventually go away and be forgotten, but it is a case-in-point about following policy and watching where the lines of personal and corporate interests lie.

3) I huddle in hacker circles, so I have to include conspiracy theory ramblings. 🙂 One has to look at the reasons why Palin and some of her associates would choose to do business over Yahoo and even that second, little-known, personal email account. In fact, why would anyone in a corporation or government have a drive to remain out-of-channel? Is it because they are evil and doing immoral things?

Most likely not. I’m realistic about human beings. We make mistakes, we have flaws, and we do have a tendency to cling to some sort of privacy; not just our own personal privacy but also some measure of privacy in dealings with others. We’re just really bad at it right now, because the Internet (and digital communications in general) have exposed all those water-cooler whisperings or gym-locker jokes or wine-club business conversations or conference-room meetings to logged, tagged, indexed, and archived records. We’re still not used to that…hell, we’re still not legally sure where this all falls out! Yesterday’s off-the-cuff comments are today’s e-Discovery evidence.

In the end, we do have a human need and a tendency to keep some things off the record. We have to, really. But I don’t know if there is any really defensible way to say that without opening up terrible holes.

4) I would almost wager that every single employee at some point breaks policies about using work assets for personal uses, or vice versa. So, the question becomes: Is that bad? The trouble is the answer that starts with, “That depends…”

my week in recap- power outage

I looked around our team meeting today and realized I’m now #2 on the seniority list in our team of 5. Sweet! Well, ok, there are 4 since we just hired a new one this week. And I’ll still be the youngest and overall least-experienced guy on the team. Doh!

This week has been as busy as the other recent weeks, although the pressure has been a bit higher. Tuesday evening at 6:30pm several square miles around our office building dropped power until 11:40pm. This gave us a great trial-by-fire exercise of moving to our would-have-been-completed-in-a-few-weeks DR location 22 miles away. Yeah, when did the “disaster” strike? In what I would call the worst time to have one: when your DR implementation is only half done!*

The end result? Things got moved. Power came back. Things got moved back. And like any good incident (hello security incidents!), this re-lit a fire under the powers-that-be to properly re-prioritize my (our) time back onto the DR project and away from other (perceived) fires. Yay!**

* Some would take the cliche of saying the worst time is when you don’t have a DR plan. But I contend that at least when you don’t have one you have no one making wrong assumptions of your capabilities since you have none!

** I really hate the state of being only concerned about something when it is in front of your face burning your nose off. Like DR priorities only when a disaster strikes. Security initiatives only after a breach. Caring about Topic X only when coming off the high of Conference on Topic X. I appreciate (deeply) people who think about DR when disaster seems moons away, or security when there hasn’t been a known breach of consequence in years, or the need for Topic X when it is not the hot new thing found in a security magazine’s marketing drivel.

am i becoming dyslexic or are browsers trying to piss me off

I fill in lots of comments on other blogs and mailing lists. I swear, even in my own posts, that I’m typing things just fine but when I read them later, I see legit words replaced with other legit words. In places that I swear I typed correctly. I know my typing can suck, but in recent months I’ve begun to question my own otherwise non-dyslexic state!

I have a funny feeling that browsers are now “correcting” my typing and/or grammar and doing a piss-poor job of it. 🙁 About half the time when I type I backspace and correct typos, but other times I’ll type right through it and correct it after the end of a thought.

slowing down and leaving open tcp connections

One positive from a high-profile vulnerability that has been announced but not yet disclosed is that it stimulates a scurry of activity and information-sharing about what it might possibly be. The result is a quick hashing out of quite a few little nuances and even issues in the subject. Robert Graham has posted excellent information about leaving TCP/IP connections open by either slowing them down or keeping them in a non-closed state from the point of view of the kernel. I might not know what Robert and Jack found yet, but at least I can read all sorts of excellent material on the subject.

couple unpatched iphone flaws released

A couple of iPhone flaws released by a frustrated Aviv Raff illustrate that Apple has a ways to go to become a respectable security citizen (in their defense, so do most people and companies).

One flaw released takes advantage of the iPhone not displaying the middle sections of long URL links. This could lead to a rise in Rickrolling. The second flaw leverages the iPhone’s behavior of automatically downloading images in mail. Both of these issues are old, obvious use-cases.

Hey, when business wants to move forward, security/insecurity just isn’t a stopping power.
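Added example, not from the post or from Aviv Raff’s advisories: the URL flaw is easiest to see by putting the elided display next to what a URL parser says the link actually points at. The exact elision rule the iPhone used is not given in the post, so `elide_middle` is an assumed “keep head and tail, drop the middle” rendering, and every URL below is constructed. The check a practitioner wants is the last function: does the visible text imply a host that differs from the real one?

```python
from urllib.parse import urlsplit


def elide_middle(url: str, width: int) -> str:
    """Render a long URL the way a narrow display might (assumed rule):
    keep the start and the end, replace the middle with '...'."""
    if len(url) <= width:
        return url
    keep = width - 3
    head = (keep + 1) // 2
    tail = keep - head
    return url[:head] + "..." + (url[-tail:] if tail else "")


def real_host(url: str) -> str:
    """Host the link actually goes to under RFC 3986 parsing (userinfo before '@' is not the host)."""
    return urlsplit(url).hostname or ""


def implied_host(shown: str) -> str:
    """Host a reader infers from the visible head of an elided link."""
    return urlsplit(shown.split("...", 1)[0]).hostname or ""


def display_misleads(url: str, width: int) -> bool:
    """True when the visible part suggests a different host than the real one."""
    implied = implied_host(elide_middle(url, width))
    return bool(implied) and implied != real_host(url)


# Constructed sample links: a long look-alike subdomain, the classic userinfo
# trick, and an honest long URL whose host fits entirely in the visible head.
LOOKALIKE = ("http://www.examplebank.com.account-verify.attacker.example"
             "/secure/login.php?session=0123456789abcdef0123456789abcdef")
USERINFO = ("http://www.examplebank.com@attacker.example"
            "/account/verify?token=0123456789abcdef0123456789")
HONEST = "http://attacker.example/" + "a" * 80

if __name__ == "__main__":
    for url in (LOOKALIKE, USERINFO, HONEST):
        print(f"shown:  {elide_middle(url, 48)}")
        print(f"real:   {real_host(url)}  misleading={display_misleads(url, 48)}\n")
```

The fix on the display side is the same in every mail client: never elide inside the authority component, and show the host in full even if the path has to be cut.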

china monitoring skype users?

Discussions on Skype security and its readiness for business use come up fairly regularly each year on the mailing lists and blogspace. More fuel may be added to the fire if an Arstechnica article is accurate in describing China monitoring Skype user text chats, either through their own breaking/stealing of the encryption keys or through collusion with Skype (ebay) itself.

I’ve posted about Skype security in the past here, here, and here. I’ve also ruminated on last year’s Skype “outage” which I still believe to be a result of a security flaw in their servers.

What it comes down to is whether Skype (ebay) wants to be in the corporate space or not. If they do, they absolutely need to provide visibility into the communications, unless they just want to be in the SMB and smaller world. If they want their foot in both consumerland and the corporate space, they’re doing a poor job of being transparent with their technology.

Me? I personally believe government and any large business Skype wants to get in bed with will be provided means to essentially wiretap users at will as needed. Call me paranoid. 🙂

Disclosure: I have nothing otherwise against Skype for home/consumer use whatsoever! I think it’s awesome! I just don’t think that means it needs a place in my corporate network (just like Macs for average users!).

fyodor on the recent tcp/ip dos attack scare

I mentioned just yesterday the new rumors of a “big deal” TCP/IP implementation weakness that could result in a low-cost DoS. Fyodor has posted a write-up on this situation, including what he guesses is the “big deal” the authors are talking about.

Like Robert and Jack, I was stunned at how effective these techniques are at quickly taking down services. The basic attack starved web servers from servicing legitimate requests, and slightly more complex variants would sometimes take down the remote OS entirely.

I gutted this section since I actually misunderstood a couple of things, including Fyodor’s attack description. If this sounds like a pretty typical DoS, you wouldn’t be mistaken. This is just about opening and completing TCP connections and then either keeping those sockets open until they time out, or requesting more interesting things like large files over and over. Basically, simple resource exhaustion.

Interestingly, the researchers supposedly found this problem by scanning a huge range of internet addresses. It could follow that they scanned sequential blocks that were being served by the same network device or server, thus simply starving it of resources.

Fyodor admits he doesn’t know for sure that this is the new attack that has broken across the media waves, but it certainly does make sense. Then again, perhaps the researchers have discovered some new variant or way to do this more elegantly, or to better ensure actually taking down the target fully.
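Added example, not from Fyodor’s or Robert Graham’s write-ups, and it serves both this post and the earlier one on slowed-down and left-open TCP connections: whatever the researchers’ exact trick, the symptom on the victim is the same, a worker pool full of established connections that nobody is closing, often with responses the peer is not reading. The snippet below reads `ss -tan`-style rows (a constructed sample is embedded; the column layout is the simplified assumption, and the worker limit of 64 stands in for whatever your server’s connection cap is) and reports how close the service is to starvation and who is holding it there.

```python
from collections import Counter

# Constructed sample in the shape of `ss -tan` output: a web server on
# 10.0.0.5:80, one peer (198.51.100.7) holding 30 connections open and not
# draining our responses (Send-Q stays non-zero), plus ordinary traffic.
SAMPLE_SS = ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
             "LISTEN 0 128 10.0.0.5:80 0.0.0.0:*"]
SAMPLE_SS += [f"ESTAB 0 65160 10.0.0.5:80 198.51.100.7:{40000 + i}" for i in range(30)]
SAMPLE_SS += ["ESTAB 0 0 10.0.0.5:80 203.0.113.21:51034",
              "ESTAB 0 0 10.0.0.5:80 203.0.113.22:51035",
              "ESTAB 0 0 10.0.0.5:443 203.0.113.23:51036",    # other service, ignored
              "TIME-WAIT 0 0 10.0.0.5:80 203.0.113.24:51037",  # not holding a worker
              "ESTAB 0 0 10.0.0.5:22 203.0.113.9:50001"]       # ssh, ignored


def parse_ss_line(line: str):
    """Parse one `ss -tan` row into a dict; None for the header or malformed rows."""
    parts = line.split()
    if len(parts) < 5 or not parts[1].isdigit():
        return None
    state, recvq, sendq, local, peer = parts[:5]
    _, _, lport = local.rpartition(":")
    phost, _, _ = peer.rpartition(":")
    return {"state": state, "recvq": int(recvq), "sendq": int(sendq),
            "local_port": int(lport), "peer": phost}


def connection_pressure(lines, service_port: int, worker_limit: int,
                        per_peer_limit: int = 20) -> dict:
    """Summarize who is holding connections to service_port.

    Returns the number of ESTAB connections, how many workers remain before
    new clients queue (worker_limit is your server's connection cap, assumed
    here), peers over per_peer_limit, and per peer how many of its connections
    have a non-zero Send-Q, i.e. the peer is deliberately reading slowly.
    """
    per_peer = Counter()
    stalled = Counter()
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None or rec["state"] != "ESTAB" or rec["local_port"] != service_port:
            continue
        per_peer[rec["peer"]] += 1
        if rec["sendq"] > 0:
            stalled[rec["peer"]] += 1
    established = sum(per_peer.values())
    return {
        "established": established,
        "free_workers": max(worker_limit - established, 0),
        "hogs": {p: n for p, n in per_peer.items() if n > per_peer_limit},
        "stalled": dict(stalled),
    }


if __name__ == "__main__":
    report = connection_pressure(SAMPLE_SS, service_port=80, worker_limit=64)
    print(f"{report['established']} established, {report['free_workers']} workers free")
    for peer, n in report["hogs"].items():
        print(f"  {peer}: {n} connections, {report['stalled'].get(peer, 0)} with unread data")
```

Feed it `ss -tan` (or `netstat -tan` reformatted) from cron and alert on `free_workers` dropping toward zero; the `stalled` counter is what separates a slow-reader attack from an honest traffic spike, since real clients drain their Send-Q.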