recon 2006 presentations

In case you missed this, the REcon 2006 presentation videos are available.

REcon is a Reverse Engineering Conference in Montreal. If you’re in that area and consider yourself part of the “in” crowd (or want to be) with reversing, you might want to check this out. Since I’m not exactly a reverser, I can’t attest to their quality. Perhaps the presentations might not be worth it, but the socializing and drinks with other geeks might be worth it.

I’ve watched the presentation by David “h1kari” Hulton on Breaking Wireless… Faster where he talks about FPGA and speeding up the cracking process (dramatically!). Of course, the chips themselves are dramatically costly, hehe. The demos don’t go over quite as smoothly as they could, but still a solid personality and presentation on wireless attacking by the author of coWPAtty.

possibly the biggest battle in security

It might be the hardest battle you will face as a security professional. It might cause the most grief, frustration, and exasperation. No, it’s not trying to make sure all your Windows servers perform smoothly. It’s not trying to fend off the dozen vendor calls that come in every day. It’s not even an entire weekend wasted because of some unknown glitch caused by someone else that brings down critical systems. And it’s not quite the often futile attempts to deter the insider attacks.

Quite possibly the hardest battle we will face is the battle to change the culture of a business from one that trusts everyone, particularly those “in the family,” to one that practices diligent security. Ever try to tell your Help Desk personnel that they should not ask for user passwords when doing some work over the user’s lunch hour so as not to disrupt their normal work day? Those same desktop people who typically are evaluated based on their customer service to those users? I’ve been in those shoes and I fully empathize. As a support person, you want to be able to bend over backwards if an important user needs you to; not to give a look of regret and explain that “security process” is tying their hands a bit and inconveniencing everyone.

Have you ever seen the look on senior management’s and human resources’ faces when you tell them they need to operate in a way where they don’t necessarily trust their own people? There’s not much more they brush off quite so quickly and easily than claims that their own people may be a threat, even an accidental one.

This battle can be easy in some compan…no. It can be easy in some organizational cultures. The military has ingrained security process very deeply. Larger corps are also a bit more successful in steering culture, especially those that might have real reason to hide things (think Boeing, Lockheed, or Microsoft, e.g.).

But the rest of us…yeah, the rest of us someday have to face those cultural battles where we should not be handing over passwords or being accommodating to persons whose username we may have seen but have never yet met when they ask for something beyond their typical level of access. Is this a new direction for the company that her department is shifting a bit and we have to compensate, or is this an attempt to get access to something she shouldn’t have? If we ask the manager to verify and/or authorize, will they just take the path of least resistance and kneejerk a “yeah sure, I approve” response? What kind of look do you get when you explain that perhaps their manager and then the data owner both need to approve access? Is it acceptance or a flash of genuine annoyance that you know will be spread around to anyone willing to hear?

And these are not things that are easily overcome with training and user education. It is one thing to educate a user about something they didn’t know previously when they are open and receptive to the information. But it is another side of training altogether to tackle culture and paradigm shifts. This typically takes a lot of time and a lot of repeated training towards this aim (or just force it with technology and a big clue banana).

I admit, some places in this country might be easier to adjust attitude than Des Moines, Iowa where I live and work. We’re still a very open community and trust and customer service are pretty natural. Even “trust but verify” is a difficult adjustment. When does the line get crossed between being a helpful steward to a company versus practicing a dangerous habit?

Just like a courteous security guard who tends to recognize faces regularly, all it takes is one person out of 10,000 who walk by in a year to bury the company or disclose information that emboldens a competitor, jeopardizes a nation, and affects the livelihoods of your fellow workers. Just one person that is allowed to pass because he looks familiar (he was fired last week against his will), is dressed like a VIP, and looks like he’ll pin your manager’s ass to the wall if you inconvenience him, can be The One.

While my team has yet to convey a culture shift in the people that matter when it comes to security and customer service, at least we are still trying. We continue to implement technology to not only help cover the company’s ass in case our paranoia becomes reality, but we also try to maintain a foundation that if the direction of mgmt changes, we can quickly adjust and add on security as our openings allow.

(This post was partially inspired by Scott Wright’s recent post about the insider threat.)

silica

Dave Aitel posted this to his mailing list today:

Next week is Shmoocon – and I’ll be there with whatever the latest build of SILICA is in my pocket. Feel free to pull me aside for a quick demo.

Man, Silica is about as expensive as a high-class hooker, and it looks as good too! It’s sexy as all hell, and if I ever came up on a few grand to drop on a toy, I’d seriously think about this one (assuming I could get properly vetted). If any of you are at Shmoocon and see him (or maybe his wife too?) around, totally ask to see Silica in action.

more skype reports

I’m in a bitchy mood today and want to rant on something. This article from ComputerWorld about “How dangerous is Skype” came in at the wrong time.

First, let me just say that I am mixed in my feelings about IM and Skype in a corporate environment. I think this is a trend that, in the long run, will be a losing battle for corporate IT and security. IM is just part of our culture and life, and embracing technology for the betterment of people and the company does have weight. That’s not to say I want Skype in corp nets, but I can sit on either side of the fence comfortably. Encrypted network traffic is also part of our future, and we need to start dealing with it now instead of whining about it.

Here is my take on some of the “Skype FUD” or myths that Michael Gough tackles in his article.

Myth No. 1: Skype uses a lot of bandwidth on my network. Great, I’m glad that Michael Gough tells me that a voice call takes 30kbit/sec on my network. That’d be great if I allowed only one call at a time. Scale that out with your users and get back to me.

Myth No. 2: Any computer can be a Supernode. This is one of those beefs with Skype that has been around a long time, and I hated it because it’s not an issue in almost every corporate network. Michael is correct: you can’t be a supernode if you’re behind a NAT. But that does mean, as Michael mentioned earlier, that your communications will be weirdly routed through someone else. Annoying, but really a non-issue in any NAT situation. (This may become a huge problem in IPv6, or it may become a big problem for Skype itself if fewer and fewer supernodes are available as people hide behind NAT or slow connections.) So, I agree with Michael: this is a myth.

Myth No. 3: Skype is susceptible to IM worms and viruses. Myth? What the crap? Is this the Apple defense about “well other IM apps have had lots and Skype none so that means security?” Yes, in part it is although he oddly mixes actual client vulnerabilities with malware sent via other IMs via file transfer. That inflates his “other IMs” numbers and keeps Skype’s really low. *sigh*

He also mentions that file transfer can be turned off (which it can be on other IM apps too) and files can be scanned by anti-virus (other IM apps as well). So, I’m not sure what he’s trying to say here, but I can illustrate that Skype is no different from other IM apps that have been hit with his 1,000+ issues.

I also challenge that “the main vulnerability of IM applications is their file transfer feature.” I conjecture that links to malicious sites sent via IM are more dangerous. This “myth” from Michael is completely wrong, and Skype is absolutely no different from any other IM program.

Myth No. 4: Skype is hard to stop on my network. This really is a half-myth but I slightly dislike how Michael Gough tackles it. From the start, Skype was not hard to defeat: just block it from being able to authenticate and logon the user. Easy. I’m surprised he never mentions this; maybe this has changed. I also dislike that he attempts to defend the network by controlling the OS inventory and OS outbound connections. I don’t think this is the best approach, and Skype should be able to be blocked on the network by the network alone. I will admit, however, that stopping a P2P app on a network presents problems, so in a way, Michael’s approach is still solid advice. The real issue, though, is Skype should not have to be that hard to block on the layers it uses.

Myth No. 5: Skype is encrypted, so I can’t archive IM messages. This is a two-headed dragon and I’m surprised Michael Gough attempted to tackle this in either direction as a myth. Instead, he fumbles the ball:

This one’s not really a myth. Skype sessions are encrypted, so yes, you can’t capture or archive Skype communications. The same is true of many IM applications, though, so it’s not less secure than other IM programs that can use encryption.

Bah! Yes, Skype is encrypted so you can’t archive it off the wire, but I’m not sure what settings and apps he uses to say that other IM programs are the same. I can sit down and monitor and grab IMs off the wire on every other popular IM program with default settings. Skype has this feature enabled by default whereas other IMs do not. In fact, I can turn off this setting on every IM program, but with Skype I absolutely cannot. Also, for an article that itself says it is geared to corporate networks as well as individuals, he ignores any issues with HIPAA or compliance that requires logging/archiving/monitoring of data egress via IM. For home users, this is an awesome feature to protect privacy. But this is maybe the biggest hurdle Skype has been facing when it comes to corporate use.

Just to add one more item. Until Skype settings can be controlled centrally, that is another hole in the argument for Skype in the corporate network. Let me centrally control and force settings, file transfer allowances, and yes, adjust encryption such that I can monitor data egress (note that I don’t necessarily want it cleartext). There are other considerations, but that’s all I’ll throw out for now. 🙂

don’t be that guy who doesn’t have to follow policy

If leaders can be humane and just, sharing both the gains and the troubles of the people, then the troops will be loyal and naturally identify with the interests of the leadership. -The Art of War, Chapter 1: On Assessment.

There are many ways to look at this quote. In regards to IT security, this immediately made me think about one of the biggest frustrations that senior management can give us: being above the policies. It is highly frustrating when people in leadership positions try to be above the security measures put in place due to their station or ego.

Likewise, as IT professionals we sometimes do have certain liberties and access above and beyond some policies, especially in testing or lab environments or on assessment systems, but by and large we also need to try our darnedest to not be exceptions.

there be ferrets running amok on the wireless nets

The news of this tool is making the rounds, so I thought I’d post quick. Errata Security has partially released a tool called Ferret which purports to show what all is being leaked through your wireless connection every time you use it.

How do you run it? Download the file and pull out the pre-compiled ferret.exe. Run it from a command line without options and it will tell you your network interfaces. Pick your interface and run ‘ferret.exe -i#’ to use that interface. Incidentally, you can use a wired or wireless connection if you’d like. (You might need winpcap, but I don’t know since I always have it installed anyway.)

The bottom line is this current tool is not as revolutionary as some news and mailing lists are stating. It is really just a sniffer that is only looking for specific data including broadcasts and some application data; things that anyone running any sniffer would be looking for (such as cleartext IMs, passwords, usernames, sites you visit…). Since this is meant for wireless networks, this stuff is typically “broadcast” anyway, due to the medium.

The real beauty will be in the next part of Ferret that they release, the visual/correlating tool.

Check it out, but if you’re used to looking at packet captures, don’t expect to be wowed right now.

some tuesday thoughts – network versus application security

There is a question that seems to be boiling around, both now and in the past year or so. Where is security headed? Is security moving to the network/switches? Is security moving to the application and away from the OS? Is it moving to protect data at rest and in transit? End-point security? Or just to meet compliance?

These are pretty big questions because it can shape the direction of a company for the next 5 years. I wish I had more answers beyond, “If you take any one approach, you may leave yourself weak in the others. If the whole industry does this, we’ll just have a wavering trend where for 10 years the network solidifies and gives way to applications and then 10 years where applications get hardened and network progress breaks down.” You can even push that out to technology vs training.

Just some interesting, largely rhetorical questions I keep in mind lately and would love to see discussed at length in the community.

de-obfuscating javascript

I really appreciate “how-to” sorts of posts as they can give people like myself actual insight in how to do things as opposed to the multitude of posts that teach me how to talk like I know how to do things (without actually doing things). Ack!

So this post at SANS is a welcome piece of information about de-obfuscating Javascript. It includes links to other techniques, analyzes how some current techniques are being defeated, and also includes a nice tool at the bottom.

If I were actually more into web application security, I’d totally be eating this up. But that’s not really a place I can focus much time right now. Maybe some other year. Until then, I love the hands-on posts. By the way, if you are interested in webappsec and have a chance to move into that sphere, it’s quite the lucrative market right now.


minor blog update and spam prevention added

I stayed on the down-low all weekend and didn’t do much to feed the geek; instead sticking to things around and outside my apartment. However, I did upgrade Movable Type from 3.33 to 3.34. I didn’t think this would be a huge improvement, but anything to do with the cgi part of the site loads very significantly faster now. Yay!

I also loaded Akismet (which has nothing to do with wireless tech), based on suggestions, and have started playing with the configuration of it and MT’s built-in spam filtering. I can definitely see the improvement as I have to delete fewer and fewer comments every day. And I am pretty adamant about leaving my blog’s comments open to anyone.

Eventually I need to make sure my outbound firewall (host-based on the server) is allowed outbound connections so I get proper blacklists and updates, but I decided to wait. My background in sciences in college always tugs at me in the computer world: set the stage and then change things only one at a time to see the effect on the system.

rinbot-delbot-sdbot drama

CNN was kind enough to post an amazingly oddly placed article about the latest RINBOT/DELBOT/SDBOT variant.

This is awesome because now what is otherwise a non-event is becoming something mgmt and normal users are asking me (us) about. Yay! So here’s some information to help point you in the right direction in case you get questioned.

As far as I know, only Symantec has this malware variant on their radar. Everyone else seems to be considering this one a minor blip on the radar.

In short, this malware strain is simply an infector for your run-of-the-mill botnet and is not a new threat. Variants of this bot have been around over a year, and this is the 9th (I believe) variant. The vulnerabilities this malware attacks have had available patches for months or longer.

RINBOT – Symantec/Trend name
DELBOT – Sophos name
SDBOT – McAfee name

This new variant spreads in three major fashions:
– Windows Server Service vulnerability (patched in August 2006)
– Symantec AV Client vulnerability (patched late last year)
– IPC$ shares with common or no security
– some variants also use email attachments

This is not a really new threat. You don’t have much to worry about if you do not use Symantec applications and you have patched your servers. Obviously, you also want inbound ports stopped on your perimeter. I won’t spam more links. The ones above should be sufficient.

security does not have to be an imbalanced seesaw

I had planned out a couple posts. One was going to explain in no unclear terms that user training is broken and won’t help. The follow-up was going to be the opposite in how technology will not ever protect us without end-user training.

I decided to put that on hold and maybe not even post it, but I did want to blab about something else I see in the IT and security communities. I see a lot of very polar opinions on how things should be. You have user training versus technological controls. ROI vs insurance. Business skills vs technical skills. Full-disclosure vs alternatives in either direction. Black hat vs white hat. Perimeter is dead vs perimeter is important.

The bottom line? All of these approaches are correct and all should be practiced to some extent. Just like all those diet fads, stick solely to one for a long period of time and you’ll have new problems. But if you take the basic concepts from many, you can end up with a very effective approach.

There is a place for each extreme, but they are all necessary and need to be balanced. There are also people who, for instance, can be mired completely in the technical realms and leave the businesspeak to their bosses and not only be successful personally, but help drive their company to success. The balance doesn’t have to be in each individual, but a department can achieve balance with imbalanced parts. Then again, even imbalance will work depending on the corporate culture, needs, and outside influences.

be prepared – don’t be the last one to the battlefield

Whoever occupies the battleground first and awaits the enemy will be at ease; whoever occupies the battleground afterward and must race to the conflict will be fatigued. Thus one who excels at warfare compels men and is not compelled by other men. -The Art of War, Chapter 6: Emptiness and Fullness

I expect Andy to post this up as well, since I think it can definitely be one of those rallying (or frustration) cries we have in security…and we both have the same calendar sitting on our desks!

I wasn’t sure about including that last line. The first two lines resonate throughout IT security from testing/planning your disaster recovery plans to being ready to detect and mitigate incidents to simply making sure logs are scanned for the first sign of an enemy. The last line still makes sense as we sometimes do need to dig our heels into the ground and make sure our management knows the score and the risks (properly) so they can be compelled by us to be prepared…otherwise they are compelling us into letting go of the preparedness.

Kurt’s comment put that last line into a better light for me and totally makes sense. No wonder it felt a little “off” earlier! Thanks!

learn how to reinstall your system

I have this list of things that home users can do to be more secure. One thing I might try to fit in there is to suggest that home users figure out how to install their Operating System.

Now, this may not be about trying to teach someone the nuances of a reinstallation, especially that they should have their data backed up, accounts and software licensing information stored separately, and a list of everything they had installed or need kept available for a reinstall. However, I do believe that one problem people have with working on their computer is a simple lack of exposure to the reinstall process (or someone/someplace that can do it for them). A reinstall is not typically something people do since their computers come from Dell or Gateway which happily does the work pre-ship. But the Internet can become a safer place once people get used to the process of a reinstall or where to turn for help if they decide to do a full reinstall.

I might consider this a half-step since it might be one of the scariest things the average person will do with their computer. Trust me, people are more scared about a reinstall than they typically are about installing all sorts of random programs on their system. Sometimes they are completely worried about losing their years’ worth of settings and small tweaks and the position of their desktop icons. However, regularly performing an install or just knowing that it is not all that bad an ordeal will help in being smarter about their computer use. If nothing else, befriend a local support guy, your local Geek Squad, or become familiar with the ability of your provided Tech Support.

I liken this to having a backup solution in place. But how do you know the backup solution is working or how much it is backing up or how to work a restore in the event of an emergency if you’ve never done a restore from it? An emergency is not the best time to do a restore for the first time.

winter scripting games: redux

So my time with the winter scripting games is pretty much over. I just have to ask why I scored 0 on one event (I think the email submission may have line-wrapped something weird) and give my thanks and positive feedback to the organizers.

Overall, I exceeded my goals. I wanted to give a best effort towards half the Advanced division and get most of the Beginner division correct. I ended up 95/100 in the Beginner division and 90/100 in the Advanced (assuming my one score gets corrected). And I am proud to say that the two I missed were definitely tricky for someone who first installed PowerShell only days before the start of competition.

I have documented my scripting games answers and some links in my wiki (must…use…wiki…more). Thankfully, it just so happens that we’re looking to script more at work. Only one guy had previously had any experience scripting, so this makes great sense to include me as a second resource and backup. I plan to continue learning more about PowerShell and try to use it as much as possible. I just purchased Payette’s book PowerShell in Action and plan to continue to learn stuff on irc.freenode.net’s #powershell channel.