backtrack install

Backtrack 2 is maybe my favorite livecd, largely due to being security/pen-testing oriented. I have an older laptop which doesn’t do so well with 128MB RAM when running a livecd. So, I’ve permanently installed BackTrack on this laptop (which I’m using for this update right now). Here are my steps (very abbreviated) for doing this. I largely followed this tutorial with minor adjustments.

I had to transplant the HD into another laptop that had enough RAM to properly load the livecd. After that, I booted up into BackTrack and logged in as root. Then:

fdisk /dev/hda (the whole disk, not a partition like /dev/hda1; the partition numbers below are on this disk)
d (since this is an existing drive, have to delete the first partition first)
1
n (now I want to make new partitions)
p (partition)
1
[enter]
+100M (100M boot partition)
n
p
2
[enter]
+512M (512MB swap)
n
p
3
[enter]
[enter] (will use the rest of the disk for this partition)
a
1
t
2
82 (the code for a Linux Swap)
p (one last print to make sure it all looks good, we can still back out to this point)
w (write!)

Then I went graphical with startx and followed the rest of the steps in the doc. After transplanting the drive back into my older laptop here, I was able to boot into BackTrack quite nicely (and fast compared to the CD, even on this old hardware!). From here, I needed to get my wireless going. I started up K->Internet->KWifiManager, which then got my Orinoco card going. I then opened a terminal:

iwconfig eth0 essid home key 7027…F9F5 (my wireless network and WEP key)
dhcpcd eth0
ifconfig (to verify I have a proper IP)
ping www.google.com
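A scripted version of the partitioning step above, added here as an example; it is not part of the original post or the tutorial it follows. It refuses to run against a partition node such as /dev/hda1 (the partitioner wants the whole disk, /dev/hda) and drives sfdisk from a declarative layout instead of interactive keystrokes, so a preview with --no-act can be checked before anything is written. Assumptions not taken from the post: a util-linux sfdisk that accepts the "start,size,type,bootable" script format with M suffixes (BackTrack 2’s older sfdisk needs -uM instead), ext3 for /boot and /, and partition nodes named ${disk}1, ${disk}2, ${disk}3 (hd/sd style names).

```shell
#!/bin/sh
# Added example, not from the original post: the partition layout above driven by
# sfdisk from a script, with a guard against pointing the partitioner at a
# partition node (/dev/hda1) instead of the whole disk (/dev/hda).
# Assumptions (not from the post): modern util-linux sfdisk script syntax with M
# suffixes (BackTrack 2's older sfdisk needs -uM), ext3 for /boot and /, and
# partition nodes named ${disk}1, ${disk}2, ${disk}3 (hd/sd/vd style names).

BOOT_SIZE=${BOOT_SIZE:-100M}   # sizes from the post
SWAP_SIZE=${SWAP_SIZE:-512M}
DRY_RUN=${DRY_RUN:-1}          # 1 = show what sfdisk would do, 0 = really write

# True only for whole-disk device names; partition names end in a number.
is_whole_disk() {
    case "$1" in
        /dev/[hs]d[a-z]|/dev/vd[a-z]|/dev/xvd[a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# sfdisk script for: 1 boot (bootable, type 83), 2 swap (82), 3 root (83, rest of disk)
layout() {
    printf 'label: dos\n'
    printf ',%s,83,*\n' "$BOOT_SIZE"
    printf ',%s,82\n' "$SWAP_SIZE"
    printf ',,83\n'
}

partition_disk() {
    disk=$1
    if ! is_whole_disk "$disk"; then
        echo "refusing to partition '$disk': give the whole disk (e.g. /dev/hda), not a partition" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        layout | sfdisk --no-act "$disk"      # parses and reports, writes nothing
        return
    fi
    layout | sfdisk "$disk" || return 1
    mkfs.ext3 "${disk}1" && mkswap "${disk}2" && mkfs.ext3 "${disk}3"
}

# Usage: sh bt-disk.sh /dev/hda  (preview), then DRY_RUN=0 sh bt-disk.sh /dev/hda
if [ -n "${1:-}" ]; then
    partition_disk "$1"
else
    echo "no disk given; the layout that would be written is:"
    layout
fi
```

The guard is the whole point: fdisk and sfdisk will happily treat /dev/hda1 as if it were a disk and write a nested partition table into it, which is a confusing failure to debug on an old laptop with no other machine to boot from.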

is technology costing too much?

I really should have put this in my 2007 predictions, but I guess it might be a prediction that spans a few more years. But this year is going to mark a tough year for IT managers due to the ongoing cost of IT operations. Often, upper management thinks that a project will be planned, budgeted, completed, and then they all move on. Sadly, most IT projects require ongoing maintenance, monthly costs, and people to maintain them. Too many senior managers don’t get that, and it is those same senior managers who won’t ever “get” security either: you don’t achieve it, clap yourself on the back, and stamp it Project Closed.

IT costs a shitload of money over the years, and management is starting to or will start to feel that slow attrition. Security costs a ton and is only going to get bigger as regulations keep edging forward. Windows Vista is out now, which is going to put pressure on companies that pay licensing fees to upgrade, and to upgrade hardware to prepare for it. Not only that, but companies with licensing contracts with Microsoft will start to wonder why they spend that money in the first place. Is Vista worth the last 5 years of Software Assurance? What about SQL licensing? If a company had that assurance contract for the last 3 years, you have absolutely nothing to show for it. You want a disaster site and other business continuity plans? You’ll be shelling out monthly fees for that. Mobility is needed by the workforce? Good luck not spending money to secure those devices or provide for mobile needs. Also, mobile devices tend to cost more to get the same performance as a desktop machine, and their lifecycle is shorter.

IT is a huge impact on business these days. Not only can I not imagine business without IT (say, 20 years ago), but I can’t imagine how we spend so much money on it today. It is no wonder MSSPs and other outsourced IT services providers are feeling the love as businesses get sick of the constant IT drain and start to let others handle it (for better or worse).

This is why I still prefer to focus on the basics in my career. Focus on doing what needs to be done at the lowest levels. Use the open source and free tools; know how to do things without the fancy and expensive appliances and servers. If you know the basics and low-level foo, you’ll be able to pick up the luxury appliances and tools you’re allowed to spend money on just fine when you get them.

some goings-on around here: new sites, changed sites, fewer sites

If you’re not watching the toolswatch feed from Security-Database, you’re missing out on one of the better notification methods for new security tools. I love it!

The folks at nCircle have expanded their blog to more people and this has resulted in lots more posts lately. Good stuff!

It is with much sadness that I am removing a few cherished links from the side. The PacketSniffers were an awesome video cast team from Ohio that posted a series of excellent (albeit more electronics-heavy) video casts back in 2005. Sadly, they have not had any in some time. Seems they have maybe moved on from that endeavor. Also, shortly before LURHQ was purchased, they started this excellent vidcast called “The Hookup.” This was very promising, but never progressed past 4 episodes. I think there is still room in the security sphere for a short show like that, kinda like hak5 and others, only shorter and more focused.

Unfortunately, a work-related demand to cease blogging about technology has caused Securosis to become more personal and less technical. It’s a shame, too, since the blog was excellent. For some reason, the latest post doesn’t look reflected on the front page…so maybe it is still sorta there. Either way, if it is, I’ll re-add it later. Tenable Security’s blog, while really cool and interesting, is mostly useless to anyone that does not use their commercial product. If I used that product, this blog would be a must-read whenever it is updated. Otherwise, I can just learn by reading and possibly gain insight into Nessus, but the useless content (to me) outweighs the good. I’m also removing Jesper Johansson mostly because, well, I don’t read it. And lastly, while I read the updates and the podcast is ok, I really don’t care to read Alan Shimel’s blog daily anymore. This has been building, but mostly just because I’m not an analyst, I’m in the trenches. And reading what an analyst says really doesn’t do me any good at all. Besides, I can follow along on other blogs and get the same effect, or get pointed to his occasional excellent posts from elsewhere. I’ll still listen to the podcast now and then, though.

ftp audits

IT Audit has an article on 11 steps to an effective FTP audit. I like this article; it gives some good steps for auditing FTP activity, but I think it misses a few things. While many people are probably wondering why FTP should be so large a project for such an old and likely under-utilized technology, it is still important, especially if it is a publicly open route into your network. Here are some steps I would add.

A. Audit user accounts and activity – Find out where user accounts are tracked and how expired accounts are handled. Do they linger for years and years without activity? Are client accounts even for active clients anymore? Once this audit is done, keep that list handy so that FTP admins can refer to it later and build upon it so that accounts are removed as needed and existing accounts are tracked. If an account has no activity in 4 years, raise questions on its continued need. I really like the rest of the author’s monitoring suggestions. Even if there is seemingly no value in knowing who consistently is the largest transferrer of files, it becomes more important when that consistency is broken one month and some other otherwise quiet account suddenly becomes very active. As part of the account audit, be sure to verify that FTP account access is limited only to their slice of the FTP server, and not overlapping other accounts or able to access other shared spaces. Twenty vendor accounts for 20 vendors that all dump into the same folder is a big risk. Try to also identify shared accounts or those accounts used by just one person, and identify the impact of regularly changing the passwords. Keep in mind that even legitimate users might use the FTP location for malicious reasons such as storing movies or games or other copyrighted property.

B. Recommend granular firewall policies for FTP account access – Whenever possible, require clients, vendors, and FTP users to provide their external IP or IP block to be included in access to the FTP server. It is better to only allow 1,000 IPs access to the FTP server through the firewall than to have all IPs allowed through. It has been my experience that most companies are amenable to providing this information when pressed.

C. Evaluate the patching and security state of the FTP server – Determine the FTP server in use and the version, then research any known vulnerabilities in the server. Recommend patching policy, someone to track patch availability ongoing, and perhaps recommend more secure FTP server solutions. Utilizing an old, insecure version of something like WarFTP or IIS5 should not be very acceptable.

D. Recommend including firewall logs of port 21 access in the audit – It could be beneficial for finding rogue or new FTP servers to include checking firewall logs for successful incoming port 21 occurrences outside the scope of known FTP servers.

FTP servers are still a necessary evil in many corporate environments, and far too many admins put them up, add new users per corporate requests, but otherwise don’t consider them with much more interest. As one of likely only a few inroads into your network, FTP servers should be taken as seriously as web and mail servers. The last thing you want to do is find out someone has been using one of your client’s accounts to store gigabytes of child pornography over the last 2 years…and be told about it by the client. And even if more secured file transfer options are utilized, such as SFTP or even SSH, most of these guidelines still apply.
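The account checks from step A and the firewall-log check from step D, run over constructed sample logs, as an added example that is not from the IT Audit article or this post. The xferlog lines (wu-ftpd, proftpd and vsftpd can all write that format) and the iptables LOG lines are made up, as are the account names, paths, addresses and the KNOWN_FTP list. It reports each account’s last activity, accounts idle for a given number of months, any month in which an account moved more than a chosen multiple of its earlier monthly peak (the otherwise-quiet account that suddenly becomes very active), folders written to by more than one account, and hosts that accepted a port-21 connection but are not on the known-FTP list.

```shell
#!/bin/sh
# Added example, not from the IT Audit article or the original post: the account
# and log checks from A and D above, run over constructed sample logs.
# The xferlog lines and iptables LOG lines below are made up, as are the
# account names, paths and addresses.

# xferlog: day mon mday time year xfer-secs host bytes file type special dir mode user ...
XFERLOG='Mon Jan  8 09:12:01 2007 12 203.0.113.10 52428800 /ftp/vendora/q4.zip b _ i r vendora ftp 0 * c
Tue Feb  6 14:30:44 2007 10 203.0.113.10 41943040 /ftp/vendora/jan.zip b _ i r vendora ftp 0 * c
Wed Mar  7 11:05:19 2007 11 203.0.113.10 44040192 /ftp/vendora/feb.zip b _ i r vendora ftp 0 * c
Thu Jan 11 08:00:02 2007 1 198.51.100.5 1048576 /ftp/vendorb/report.pdf b _ i r vendorb ftp 0 * c
Fri Feb  9 08:00:05 2007 1 198.51.100.5 1048576 /ftp/vendorb/report.pdf b _ i r vendorb ftp 0 * c
Sat Mar 10 23:41:57 2007 900 192.0.2.77 734003200 /ftp/vendorb/.s/disc1.iso b _ i r vendorb ftp 0 * c
Sun Mar 11 00:12:40 2007 910 192.0.2.77 734003200 /ftp/vendorb/.s/disc2.iso b _ i r vendorb ftp 0 * c
Mon Mar 12 10:00:00 2007 2 203.0.113.30 3145728 /ftp/shared/c.zip b _ i r vendorc ftp 0 * c
Mon Mar 12 10:05:00 2007 2 203.0.113.40 2097152 /ftp/shared/d.zip b _ i r vendord ftp 0 * c
Mon Feb 17 10:10:10 2003 3 203.0.113.44 2097152 /ftp/oldclient/final.doc b _ o r oldclient ftp 0 * c'

# iptables LOG output for inbound SYNs; the FW-ACCEPT / FW-DROP prefix comes from the LOG rule.
FWLOG='Mar 12 09:01:10 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=10.0.5.20 PROTO=TCP SPT=40122 DPT=21 SYN
Mar 12 09:03:55 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.5.20 PROTO=TCP SPT=40999 DPT=443 SYN
Mar 12 09:07:31 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.0.7.15 PROTO=TCP SPT=51234 DPT=21 SYN
Mar 12 09:08:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.78 DST=10.0.7.16 PROTO=TCP SPT=51240 DPT=21 SYN'

KNOWN_FTP='10.0.5.20'   # the FTP servers you know about (assumption)

# Shared awk prologue: month name -> number.
MONTHS='BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " "); for (i in n) m[n[i]] = i }'

# "account YYYY-MM" of the most recent transfer per account.
last_activity() {
    printf '%s\n' "$XFERLOG" | awk "$MONTHS"'
    { idx = $5 * 12 + m[$2]; if (!($14 in last) || idx > last[$14]) last[$14] = idx }
    END { for (u in last) printf "%s %04d-%02d\n", u, int((last[u] - 1) / 12), (last[u] - 1) % 12 + 1 }' | sort
}

# Accounts whose last transfer is at least $2 months before $1 (YYYYMM).
stale_accounts() {
    last_activity | awk -v asof="$1" -v months="$2" '
    { split($2, d, "-"); if (d[1] * 12 + d[2] <= int(asof / 100) * 12 + asof % 100 - months) print $1 }'
}

# "account YYYY-MM bytes", sorted so each account's months come out in order.
monthly_volume() {
    printf '%s\n' "$XFERLOG" | awk "$MONTHS"'
    { k = sprintf("%s %04d-%02d", $14, $5, m[$2]); bytes[k] += $8 }
    END { for (k in bytes) printf "%s %.0f\n", k, bytes[k] }' | sort
}

# A month in which an account moved more than $1 times its earlier monthly peak.
volume_spikes() {
    monthly_volume | awk -v factor="$1" '
    { if (($1 in peak) && $3 > factor * peak[$1]) print
      if (!($1 in peak) || $3 > peak[$1]) peak[$1] = $3 }'
}

# Directories written to by more than one account: shared drop folders.
shared_folders() {
    printf '%s\n' "$XFERLOG" | awk '
    { dir = $9; sub(/\/[^\/]*$/, "", dir)
      if (!((dir, $14) in seen)) { seen[dir, $14] = 1; writers[dir]++ } }
    END { for (d in writers) if (writers[d] > 1) print d }' | sort
}

# Hosts that accepted an inbound port-21 connection but are not known FTP servers.
rogue_ftp_servers() {
    printf '%s\n' "$FWLOG" | awk -v known="$KNOWN_FTP" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /FW-ACCEPT/ {
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) { if ($i ~ /^DST=/) dst = substr($i, 5); if ($i ~ /^DPT=/) dpt = substr($i, 5) }
        if (dpt == "21" && !(dst in ok)) hit[dst] = 1
    }
    END { for (d in hit) print d }' | sort
}

echo "== last activity per account";           last_activity
echo "== idle 48+ months as of 2007-04";       stale_accounts 200704 48
echo "== months over 10x the earlier peak";    volume_spikes 10
echo "== folders with more than one writer";   shared_folders
echo "== port 21 accepted to unknown hosts";   rogue_ftp_servers
```

On the sample, oldclient comes back as idle since 2003, vendorb’s March uploads into a hidden .s directory are flagged as a spike over its earlier 1MB-a-month baseline, /ftp/shared shows up as a folder two accounts write to, and 10.0.7.15 shows up as a host that accepted port 21 without being on the known list. Point the variables at the real xferlog and firewall log and the same functions apply.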

skype is still knocking on the corporate doors

I found a Skype article from CNET posted over at InfoSecPlace and nCircle, and as usual with Skype, I have strong opinions about it. It seems Skype is looking to “partner” with some security companies to provide some additional functionality like “provide add-ons to its software to scan text sent through Skype’s chat feature for malicious links.”

Ugh. Let’s build the frustration just a bit more and quote the article again, “Skype has caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks.”

Ugh, again. First of all, let’s get this popular media misconception out of the way. Skype is not my biggest concern because it can find new ways to make a connection to the Internet. Please. If Skype is not a welcome product in a company, this can be circumvented with policy, software/OS restrictions, and even on the network by blocking the sites that Skype initially contacts for logon. Unless they changed in the last year, you couldn’t necessarily block authenticated users, but you could easily block the logon process and prevent people from using the system. Not only that, but this is not a “new” headache for admins. Malware has been doing this for a long time…

Second, Skype’s problem in the corporate space is not that suspicious links can be sent over the service. Skype’s problem is meeting regulations that require Instant Messaging to be logged and/or loggable. And Skype falls into the grey area between phone usage and digital IMing: digital phone calls. I think there is still debate on whether Skype calls need to be monitored as well. Skype needs to deal with that issue before it should spend any more money trying to enter more than just the SOHO corporate space.

Third, Skype has the annoying habit of making outbound connections…everywhere. Anyone who sometimes (or regularly) looks at outbound connections on firewalls for anything suspicious will know that almost every Skype connection seems suspicious. Skype raises the false positive rate so much that it pretty much kills that sort of monitoring. This doesn’t kill Skype, but it certainly is a factor in saying no to it in a corporate network.

Fourth, Skype needs to look into making a standalone product. They might be able to have a closed IM solution for a corporation that is not open to the public, and still provide decoding capabilities only to that company. Another widespread corporate requirement is the IM network not being publicly accessible. Again, this won’t kill Skype, but is another black mark.

Fifth, Andrew at nCircle mentions, rightly, that it also should be centrally managed and configured. Again, if Skype wants to break into anything beyond SOHO markets, they need to provide management for the staff. This is important enough to be a possible deal-breaker as well.

Skype is awesome at home and for SOHO use. It saves money, is easy to use, provides good security for the mobile crowd (for now, until the encryption is broken or other MITM attacks might arise), and tends to make employees happy; and one of the things I will thump loudly about: happy users means productive users. I hate having to sport an anti-Skype opinion in the corporate space, but the program itself forces me to be able to take either side, passionately, depending on the corporate environment (i.e. HR, senior management, and regulations).

the dark underbelly of carding

Wired.com occasionally has stories of such depth and quality that I am amazed I don’t regularly read the mag (I did back in the day about 6 years ago, but drifted away). This is one of those stories about the dark underbelly of illegal credit card and identity dealing and investigations into them. Definitely a must read. Part 1 Part 2 Part 2.5 and Part 3 (I don’t understand the sequencing, honestly…)

anti-virus is not dead!

I hate hearing things like Anti-Virus is dead or IDS is dead. If they’re still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 Parity) is a noble effort, but as a paper about a “new” method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can’t convince me anti-virus is dead (even as I don’t typically use any at home because I consider myself slightly educated in technical areas).

Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.

So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.

From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I’m not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops leads to…

…From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that’s not true. There’s even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, “No! You idiot!” The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don’t buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.

Ok, end rant, time to go home!

how many firewalls do I need?

An interesting (and woefully short) question and answer from ComputerWorld, “How many firewalls do I need?”

Answer: “How many can you manage?”

Ok, so that’s very simplified and not necessarily the right answer. The thing is, firewalls should be in place on the network any time the trust or sensitivity level of the data or systems changes. If your sales workstations don’t need to be up very long and have little sensitive data, but your database server has very sensitive data and needs to be up as much as possible, you really could put a firewall in between the two. If some systems need to be accessed from the Internet but others do not, use a firewall to keep them separate (thus creating your typical DMZ). That way, much like real physical firewalls in cars or buildings, if a “fire” breaks out with an attack against your Internet-accessible servers, the next firewall will keep it from spreading to those systems that had no business being in the same group as the Internet-accessible ones.

Firewalls are awesome. They create natural choke-points to monitor and measure traffic flow. They allow barriers to access so that you don’t have everyone’s traffic scurrying around everywhere. They give natural points where traffic capturing and logging can occur (and I’ve become a big proponent of NSM and logging and traffic analysis).

And put up as many firewalls as you can manage. You can have too many, but the chances of that are far less than not having enough firewalls. Put up as many as you can and remove ones you deem unnecessary or restrictive to network stability later on. But never put up more than you can properly manage. A mismanaged or unmanaged firewall is maybe worse than no firewall at all.

I really believe that firewalls are one of the very few mandatory but not technically necessary pieces of any network (i.e. you CAN run a network without them, but just don’t). I consider them a mandatory piece of any network or host-based “defense in depth” approach and one of the most important and valuable (i.e. the value they add) basic building blocks of a network.

My own personal projects list involves learning more firewalls, including getting my own home PIX someday, becoming more intimately familiar with iptables and pf (if I get into BSD this year), and other standalones like Smoothwall/IPCop and so on.
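An added example, not from the ComputerWorld piece or this post, of the “firewall wherever trust changes” layout written as an iptables policy: Internet, DMZ and internal LAN on three interfaces, default deny on FORWARD, the web server allowed to reach only the database port, administrators allowed into the DMZ over SSH only, and a LOG rule at the choke point so what falls through is recorded. Interface names, subnets and the web and database addresses are made-up assumptions. By default it prints the commands instead of running them; set IPT=iptables and run it as root to apply.

```shell
#!/bin/sh
# Added example, not from the ComputerWorld piece or the original post: a
# three-legged iptables policy that puts a firewall wherever the trust level
# changes (Internet / DMZ / internal LAN). Interfaces, subnets and hosts are
# made-up assumptions. By default the commands are printed, not applied;
# run with IPT=iptables as root to load them.

IPT=${IPT:-"echo iptables"}
INET_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
DMZ_NET=192.0.2.0/24; LAN_NET=10.0.0.0/16; ADMIN_NET=10.0.9.0/24
WEB=192.0.2.10      # public web server in the DMZ
DB=10.0.5.20        # database server on the internal LAN

dmz_policy() {
    # Default deny; the firewall host itself only answers admins over SSH.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT

    # Replies to anything allowed below come back through this one rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets arriving from the Internet must not claim an inside address.
    $IPT -A FORWARD -i $INET_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $INET_IF -s $DMZ_NET -j DROP

    # Internet -> DMZ: only the published service, only to the published host.
    $IPT -A FORWARD -i $INET_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # DMZ -> LAN: the web server may open the database port and nothing else,
    # so a "fire" on the web server stops at this boundary.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -s $WEB -d $DB -p tcp --dport 3306 -m state --state NEW -j ACCEPT

    # LAN -> DMZ: administrators over SSH; ordinary workstations have no path in.
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -s $ADMIN_NET -d $DMZ_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN -> Internet: allowed. This is the choke point where you log or mirror traffic.
    $IPT -A FORWARD -i $LAN_IF -o $INET_IF -s $LAN_NET -m state --state NEW -j ACCEPT

    # Anything that falls through is logged (rate-limited), then dropped by policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP "
}

dmz_policy
```

The thing to check after loading a policy like this is the negative space: there is no rule that lets the DMZ network at large reach the LAN, and the only DMZ-to-LAN rule is pinned to one source host and one destination port. A rule set that cannot be read that way is the “mismanaged firewall” case above.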

email boxes

One thing I have learned in my short time in IT is that email boxes are not really a valid storage area, especially for those of us on the infrastructure side of IT. Since I switched jobs last year, I was able to start out with a fresh email box at the new company. I was able to put into action what I had learned late in my last job about not bothering with keeping a huge email store. One of my favorite managers at my last job had almost a zero-sized mail store because of this approach, and I agree with it. There’s little reason in saving everything, especially from a business standpoint in my role. Emails:

1) Get read and deleted.
2) Get read and acted upon.
3) Get read and saved out of band, for instance on a backed up file server folder structure. (e.g. licensing codes, personally important stuff…)
4) Get read and then printed out and deleted. They then go into my “desk queue” which goes through the same process as I don’t let things linger on my desk either. (Of note, with dual-monitors, I print out less…think about that in your next debate discussion on dual-monitor adoption…)

I do keep a certain amount of monitoring email alerts from my company’s monitoring systems just so I can do quick trend analysis by eyeballing the alerts. Those usually are small and I purge huge chunks of them every so often so that I only have a few months’ worth.

Sometimes emails build up waiting to be read, but I work hard on keeping the level manageable and regularly purged if need be. The only real emails I keep around are sometimes informational or pending projects that can be done down the road. It sucks to get behind with keeping the mailbox cleaned up, and 99% of those emails that slowly build up really don’t need to be kept. Besides, I’m cognizant of storage needs in an organization, and much like reducing my waste and power usage at home to do my part to save the environment, so too do I attempt my part in saving storage space.

Does this work for people in all business roles? Nope. Does this work for me at home? Sadly, no. I tend to be the opposite and not delete much of anything other than the complete crap I get. Thankfully, I don’t really get all that much email anyway. I even have a zip of emails from 1996-2002 that I started getting when I started college. If nothing else, they are not many, they make for great memory-goads, and can help me get in touch with old buddies sometimes.

daylight savings change

ISC posted good info about the Daylight Savings change, which I won’t regurgitate, but I will repost some links. While I never joined in with the fear of the Y2K switch, I really think this DST change will be more problematic than anticipated (anticipation is so high no one is talking about it!).

Aha! I still run Windows 2000 Pro instances so I have to follow special steps (also KB914387 and KB928388). Why do I run 2000? Good question. First, the specs on some systems, mostly older laptops and 500Mhz machines, are not good enough to run XP without lots of cursing. Second, I don’t have things like XP’s Genuine Advantage squawking at me and then disabling my install after 30 days. Screw that.

chuck norris uses a live python as a…wait…maybe not

Along with Windows scripting, I do want to get back into programming sooner. Right now, I just kinda need a reason to put programming into practice. I can hack around with Perl and other languages just fine, and have had experience in others like VB and C. But someday when I get really down into learning one of them again, I’ll likely go the route of Python. Nicely enough, cdman just today posted about a couple of freebie Python books to help out: Dive Into Python and Learning With Python.

Will I get into this this year? Honestly, I’d like to, but I’m not sure if I will have the time until late this year. I do have other plans, and I really hate overbooking my goals in a year. Thankfully, Perl has been around a long time and I suspect Python will also be as useful for that long or longer.

more on paying for software

I need to continue my post below before some evangelists in the security world judge me blindly. 🙂

I love Windows. Really, I do. Well, ok…I did love Windows. I loved Windows until they started doing that Genuine Advantage Crap. Suddenly half my test machines could no longer be reinstalled and wouldn’t get some updates. Microsoft is the biggest single reason I moved to Linux last year. Go figure.

Now, one of the reasons I use and have used Windows so much would be twofold: 1) It comes with new computers and has come with all computers I’ve bought (i.e. no perceived cost since I couldn’t easily avoid it). 2) I could pirate it and use it on my old and spare machines without necessarily paying for it. I would never condone this in a workplace, however, just for home personal use.

Lots of expensive software is out on the market with limited trials and big price tags that talk about things in terms of installation instances or numbers of managed devices. I hate that. I hate having the limitations (subconscious and real) of really cool software. And if I can’t use it at home and become intimately familiar and happy with it, why would I ever request my company spend money on it? Something would have to be drop-dead and immediately awesome to get that sort of request pushed through.

I wish more cool software was free to home users so that us geeks can become familiar with them and get them legitimately into the workplace.

Likewise, I have no clue how companies that sell an appliance to do certain things can really expect to get good market penetration without a lot of hard in-your-face sales work, and being able to get IT shops with time to spare to check out the appliance features. I’d much rather be able to get an appliance, even a stripped-down barebones POS running the software at home so that I can get really happy with it. A one-month trial is just lame for most of us already busy geeks, especially when such devices keep wanting to do everything and it takes 3 years just to realize how crappy it was underneath the surface.

Give me free junk to play with that works well, and I’ll speak highly of it to people I know, or my own company.

Ok, enough ranting on this topic. I had to get it out sometime!

paying for software

At the risk of painting a hat on my head, I have to make a small rant about paying for software.

I have had two fairly “small” tasks at my job in the last 8 months (no, not the only tasks, these are just two I’m pulling out). The first was to audit and “fix” file server permissions on a Windows file server utilizing AD accounts. The second was to be able to enumerate which Exchange mailboxes a user has rights to. Our company allows two levels of managers above an employee to have full access to the employee’s mailbox. To anyone who has done either task, what sounds simple is really not all that simple at all.

For the first one, sure you can dump a huge ACL list. But can you answer the question, “What does Joe Blow have access to?” Unless you have a strict policy on user rights management using AD groups, this is much harder to answer. I really enjoy using ScriptLogic’s Enterprise Security Reporter. While I don’t use this tool nearly to its full value, I do really enjoy the ability to audit a file server and dump reports on permission levels. Would I pay for this tool? I don’t know, but until I can, I just creatively use regmon and registry editing to avoid the trial expirations.

For my Exchange rights issue, I found Vyapin’s Active Report Kit for Exchange Server. This tool will let me pull out information from AD/Exchange and lets me answer my question, even with the export/print-limited trial. My main question was similar to the file server one: “Whose mailboxes does John Foo have access to?” (On a side note, the supposedly limited exporting seemed to send the tool into an endless loop and built up a 2.0GB Excel file before I finally decided enough.)

In the end, I really hate paying for tools to do things I really should learn how to do myself, manually, someday. Windows scripting has long been on my list of things to learn, but quite often is nearer the bottom of the list than the top. Someday I will get this down, and then I can answer my own questions and needs rather than looking for expensive software to do them for me. There really are not enough hours in my day…