as the spam turns

One neat thing about running one’s own email server is that I get to see all the spam that comes in. After a number of years up, my most-used email addresses are getting about 100 spam messages a day on busy days. Spam used to (as in 2 months ago) come in with names in the subject line. Typically I’m just, yeah right, unless it says Michael or the name of someone I might expect email from. Then I realize just how easy it is for less knowledgeable users to open spam. Typically I see mostly pharmaceutical picture ads, stock scams, and bootleg software.

The spam moved into Chinese characters (wtf?) and in the past week or two I’ve seen a lot of spam sporting current news headlines in the subject line. Not bad, impressive!

My mail server’s spam filters don’t catch everything, although it tends to catch about 50% and label them as SPAM for my mail filters. I really don’t expect much when I’m using non-SpamAssassin tools that don’t cost anything.

security catalyst forum

Michael Santarcangelo has soft-launched the Security Catalyst Community forum site. This is something we do need, and I’m enthusiastic to see where this community goes. While I think this might be an excellent initiative, there are some concerns I’ll just post here because they’re really not important enough to bring up to Michael S or those forums.

First, growing a community is not easy unless you happen to have something that draws people in on its own. That’s rare, really. I’ve done community-building work back in gaming where I ran gaming leagues and competitions and basically worked hard to keep the community participating and just plain caring. It is not easy work and is not something you can just say, “I’ll build it and they will come.” Many forums and sites have sprouted with that mantra and within 6 months the only posts you see are spam posts and what might otherwise be seen as the dust and tumbleweeds of the Internet. It takes constant work by dedicated persons, constant content, and lots of posting and giving people a reason to show up. What makes this even harder? My communities were gamers with lots of leisure time. This community may be made up of a lot of very busy professional people. Hopefully this community will recruit some good people to lead the discussions and provide a reason for everyone else to slowly filter in and continue to contribute.

Second, I’m undecided about the somewhat informal policy of registering with one’s real name, or at least putting a full name in the signature. I’m not sure of the goal of this other than to look more professional. I don’t think we need a stuffy community, but rather one that is willing to talk openly. As information security professionals, I think we, of anyone, should be empathetic to our decisions to control or at least mitigate information leakage. Yes, I know McNealy will say my privacy is already gone, deal with it, and I agree with him. But that doesn’t mean I have to let go of every device by which I maintain at least a little control. One of those is forums and comments on other sites. The only place I really like to tie my name, online handle, and/or contact information together is either through my own pages or someone deliberately tracking me down. I will lose this battle someday, but until the world starts getting better equipped to deal with it, I’ll still put up a fight. 🙂 We can’t let today’s inability to deal with information and identity and the internet get in the way of our professional and (oftentimes needed!) informal communication. The people who want their names posted typically are the people who are branded by their names. They have an interest in making sure their name is out there (typically analysts and experts). Also, if my name is associated with the company I work for, I can’t typically talk about certain things without people putting 2 and 2 together and knowing my company has an issue with security concept X. That sort of secrecy is one of my biggest issues and it makes it hard for any of us to properly learn from others’ mistakes. That’s really one of the biggest reasons I enjoy things like Infragard (NDAs) and other local informal groups of buds. There are many very smart people out there with very valuable ideas that may not want to be associated with their given name when online.

Kinda like McNealy saying my privacy war is already lost, so too is the war on anonymity online. Not only can you not always completely stay anonymous online, but (oddly enough), you can stay pretty damned anonymous online. I don’t think a forum community is going to be truly able to maintain the informal policy of non-anonymity. I could pick some random name and bounce through proxies to join in with a free email address and change my grammar/writing style. We shouldn’t need to do that here. Likewise, it should be enough that the moderators have the ability to check IP and logs and deal with any miscreants in due fashion.

Besides, come on, there’s plenty of Michaels running around here! Hell, at my last job we had 3 Michaels on the same team of 4 people (the odd one out had Michael as his middle name). Other than deliberate impersonators, I’ve yet to see another LonerVamp. 🙂

Nonetheless, I look forward to participating as LonerVamp in this new community and seeing where this goes. There’s a lot of vury smurt people whom I regularly read already signed up!

i run an incompatible browser

I know Microsoft and other sites will take pains to force people to use IE, but I didn’t think I’d find a site that would tell me their site was incompatible with IE and I should use Firefox (even though it lets me click forward and get in anyway, which makes me wonder what’s so incompatible). AWStats, a web stats app typically for Apache and Linux, tells me such. Talk about annoying both ways.

hardware hoarding

One thing I have learned in networking, security, and really IT in general is that you take any opportunity given to pick up some decent hardware. While I sometimes pick up really crappy hardware, there are always times when you get something decent for very little. And nothing is more frustrating than being inspired to do some tinkering only to find no spare boxes that I want to risk messing around on.

So tonight I picked up a motherboard and CPU for $40. The motherboard is an ECS K8T890-A which has dual DDR400 RAM and a Socket 939 which is for AMD 64-bit processors. This ECS may not necessarily be a gaming rig foundation, however it should suit my purposes just fine, as I have a gaming rig already (although the specs are getting really dated). This mobo has an older BIOS which does not really allow overclocking (quite ok, I don’t overclock). The AGP slot is also not really a true AGP slot and instead is a modded PCI bus connection. This means pretty much only older video cards are supported (3.3V), and I’d never get the full power of an AGP card anyway. Good info here for my own future reference. The board does support SATA and RAID.

The processor is an AMD 64 3500+. This translates into a 2.2GHz CPU. The CPU is already mounted with heatsink attached, and I’ve not had a chance to boot it up yet. I don’t think I have a proper PSU to support this board right now, but will be collecting some parts over this winter and spring.

This mobo/CPU may make a great foundation for another always-on server that runs Linux as a vmware host and contains a few VM images of my choosing. The board still has great specs for a non-gaming machine. I just need to load it up with RAM and disk space. Unfortunately, the max RAM will be 2GB, which should only run me roughly $200-$250. And I should be able to pull 350GB+ with two disks for under $200. Another $100 for a 500W PSU. And then look into whether I can use this all in a current old chassis or buy up a new one with fans for roughly another $100 and a non-exciting graphics card (or just use on-board) for $60.

Overall, that’s still not really all that bad. About $800 for a good solid box that I can utilize in multiple ways. I could even go a bit cheaper in my parts and do Kingston memory instead of Corsair and still be just fine.

adaptive movement

“The comprehensiveness of adaptive movement is limitless.” -The Art of War, Chapter 5: Strategic Advance

This reminds me of recent comments from Bejtlich about IDS/IPS devices that are alert-based but have little additional knowledge for the analyst. That is not very adaptive, and as such, ends up affording little value below the surface. Being able to be adaptive in IT and especially security is an amazing ability, as opposed to have very complex, rigid, or incomplete implementations that don’t afford much in terms of quick reaction, seamless changes, and ability to get the data you need. It also makes me think of on-demand sniffing needs. Can a security analyst quickly span ports into a pre-configured system set to sniff traffic, or will the analyst have to jump through hours of hoops to get this set up for an emergency?

we’ve all heard these spoken aloud before…

This was too awesome to pass up putting here. By way of Mike Rothman comes a post of 16 dirty little sayings overheard in IT. I’ll add my own commentary to them. What makes this an awesome list? I have heard most of them spoken, multiple times.

1. “It’s only a temporary server. It’s not for production use” This is the bane of sysadmins. This request should always be met with, “what is your hard end date, then?” Too often this uttering is just a way for someone to get something done without properly justifying or defending it and I really hate it. Too often “temporary” turns into “permanent” or even “production” without warning or planning. The only thing worse is when they use their own workstation or some other box without ANY warning. “What do you mean you used your test QA machine to host a new critical ticket system?!” Without admins being complete hard-asses, this would happen constantly.

2. “We’ve tested the backups. They read back just fine. Never restored for real though.” I hate this one too, because if there is one thing I think is most important in IT, it is backups. What is worse, though, is *not* hearing this spoken but having it as the unspoken truth. Too many admins never test restores until a restore request. Always test, always verify. I learned this back in science labs in high school.

3. “Patching? yeah. That’s on our list. We’ve been looking at SUS for a while now, just haven’t got round to it.” Another classic task procrastinated in our field. Funny how the fundamentals fall into that basket so often…

4. “Of course staff know about the security policy. They have to sign a form at induction. I did when I started 5 years ago.” …along with the other 55 pages of new employee information that grazed us like a gnat and we brushed it away to figure out where the nearest bathroom is and how to log into our system.

5. “We have documented procedures. Everybody just ignores them. Except me, of course.” I say this a lot, both at my previous job and my current one, but I admit I sometimes go by memory as well, especially for things I know inside and out and I know the steps have not changed. Again, though, for such a detail-oriented career, IT people too often ignore documented procedures.

6. “Our apps developers do their own thing really. I think they have procedures for promoting code, but I’ve never seen them.” This is common too, especially if newer admins were not involved in creating the infrastructure that the developers use to promote code. This isn’t necessarily such a bad thing as long as the admins can support it (per their job) and there is some audit trail available so they can answer who screwed up production when it happens. Security should at least know how they do this, though, so that this risk is minimized.

7. “Users have been told a hundred times not to share passwords.” Yeah, the only cure for this is a clue bat. The best mitigation besides that is simply constantly changing passwords and stringing someone up when something really bad happens with a hijacked account due to sharing. Or perhaps legal/HR when told, “Well, they share the account, so you can’t fire one as we can’t PROVE she did it, it could have been either of them.”

8. “Security Policy. Hang on. We do have one somewhere… Dave! Have you seen that policy file anywhere?” Haha, yup! My last company did this every time an audit was at the doorstep. And despite me writing some up, they rarely got signed off up the chain of command and even less were enforced. In fact, they never were…

9. “We’re developers. The sys admins make our job so difficult. We have deadlines you know!” This one sucks, but as much as it pains me to see it, there is that very difficult task of making sure developers and admins are reminded that we’re all on the same team trying to get to the same clouds in the sky. But both sides do also need to admit that they don’t know the full picture. Too many developers have no idea about networking or systems, and many admins have no idea about proper coding and the efforts involved. Security is one thing, but preventing the business folks from getting jobs done is another thing. At the end of the day, if security is holding the business back, the business could lose revenues enough that security is shown the door.

10. “The auditors needed Internet access. WiFi was the answer.” Wow, almost word-for-word I’ve heard this a few times. Also “guests” and “clients” could be put in there. My last job put up an open wireless to do this. Thankfully I’ve not experienced firsthand someone putting up wireless without asking (the last job asked), but I have heard those stories from people in companies far more critical and important than mine. Yikes! Are CFOs really that stupid? Yes. And he also thinks he’s too important for parking spaces and so parks in the fire lane.

11. “Compliance? That’s an HR thing, right?” The age-old “who enforces the company policies?” question. HR or security/IT?

12. “A security breach? Don’t think we’ve ever had one. In any case, we’d just call Dave.” In my last job, that would have been me, hehe. This statement just makes me cringe on a number of levels…

13. “The Managing Director wanted it.” I think I’ve heard this more than any other utterance here. Someone in authority pulled their weight and said, “just do it,” regardless of how moronic and terrible the task was. I think this right here is where 80% of our stress comes from.

14. “We had a penetration test last year. We passed with flying colours.” Wow, I love this one! Who the hell actually passes pen tests with flying colors? If so, you had a vulnerability assessment, not a pen test. And the assessors sucked. No one truly passes a pen test. Every environment has issues, and if they are not technological ones, they are logical and procedural ones. Given a week on site, I really believe no pen tester should walk away stumped and with nothing to do (assuming full physical access). I’ve seen stumped external attacks against a really solid firewall before, but full assessments should realistically never come back like this.

15. “Yeah, so it’s SQL injection. But our developers tell us there’s nothing of value in the database anyway.” I’ve heard similar things as well, where developers either don’t think about the data or feign ignorance.

16. “Marketing are the worst offenders. We don’t support FTP so they rented a cheap web server and uploaded data to that instead.” Ahh, human ingenuity. Where there is a will, someone will figure out how to do it, even if it is hokey and terrible and insecure and costly and …so on. This is why security needs to be an enabler, and management needs to be behind security so circumvention doesn’t just happen.

airpcap

Has anyone seen or used or heard about AirPcap? At $198, it is just a little bit above my “eh, spend the extra money and see how it is” range. I saw a blurb about this in the latest Hakin9 magazine.

irc.freenode.net

Just FYI, I am currently bouncing around IRC on irc.freenode.net as LonerVamp. I may not be hanging out much of anywhere lately until I figure out how to manage my presence there, but I am around and looking for some home channels to hang out in. I am also looking to run an IRC bouncer/proxy on my server which can keep my presence online and I can then just attach using whatever system I happen to be on at the time. I’m not sure how happy that will be, but I’ll be trying it. It has certainly been a long time since I was an IRC addict (about 6 years since I was a perpetual presence), but it is comforting to be back.

I tried JBouncer, which is a Java-based IRC bouncer, but I don’t like the user info it appends to my user when someone does a whois on me. I found the place in the code that sets those variables, but I have been unable to recompile the Java (I’ve never coded nor compiled Java before). I hope to try out Night-Light before the weekend.

an alternative admin mmc launcher

This was an interesting enough tool to spend an hour working on. SearchWinComputing has a quick run-through on some code (batch file) that will launch various Windows domain and exchange MMC consoles as another user. Basically you run the file, type 2, supply your domain admin password, and then the AD Users and Computers MMC should launch in domain admin context. Not bad. Although this is one click, one keystroke, and one window longer than my current method (right-click a shortcut), I certainly would need 8 such shortcuts to do what this batch file does in one. I like simplicity, so 1 > 8 in this case.

However, there are some errata in the instructions. I also had to scrounge choice.exe from a site called dynawell (Google for choice.exe), and I snagged sleep.exe from the Windows Server 2003 Resource Kit, although sleep is really not all that necessary if you just take that part of the code out. Hell, it’s been a long time since I delved into batch files, so maybe choice can be replaced with CASE for all I know.

Remove all the comments which are scattered in the code, typified by mixed case text. Change the paths to include the backslash such as c:\. Change the options to read :ONE instead of Option One:. Change the runas user to your domain admin or necessary admin to manage these tools. Correct the typo on option 3 “SItes.”
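The same idea in PowerShell, as an added example and not the SearchWinComputing batch file: one menu, one credential prompt per session, and each console launched under a separate admin account so the everyday login stays unprivileged. The console list and the CONTOSO\adm-jdoe account are placeholders; it assumes PowerShell 3.0+ with the RSAT consoles installed.

```powershell
# Added example: menu-driven launcher for admin MMC consoles under another account.
# Assumes PowerShell 3.0+ and that the listed .msc snap-ins are installed (RSAT).

# Console name -> MMC snap-in file. Adjust to the consoles you actually use.
$Consoles = [ordered]@{
    'Active Directory Users and Computers' = 'dsa.msc'
    'Active Directory Sites and Services'  = 'dssite.msc'
    'Active Directory Domains and Trusts'  = 'domain.msc'
    'DNS'                                  = 'dnsmgmt.msc'
    'Group Policy Management'              = 'gpmc.msc'
    'Event Viewer'                         = 'eventvwr.msc'
}

# Placeholder admin account; change to the account that should run the consoles.
$AdminUser = 'CONTOSO\adm-jdoe'

function Show-ConsoleMenu {
    param([System.Collections.Specialized.OrderedDictionary]$Menu)
    $i = 1
    foreach ($name in $Menu.Keys) {
        Write-Host ("{0,2}. {1}  ({2})" -f $i, $name, $Menu[$name])
        $i++
    }
    Write-Host ' 0. Quit'
}

function Start-AdminConsole {
    param(
        [Parameter(Mandatory)][string]$Snapin,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    # runas equivalent: mmc.exe runs as $Credential, not as the logged-on user.
    # The working directory must be readable by that account, so pin it to
    # System32 instead of whatever directory the shell happens to be in.
    Start-Process -FilePath "$env:windir\System32\mmc.exe" `
        -ArgumentList $Snapin `
        -Credential $Credential `
        -WorkingDirectory "$env:windir\System32"
}

# Ask for the admin password once. It lives in the PSCredential as a
# SecureString for this session only; nothing is written to disk or a script.
$cred = Get-Credential -UserName $AdminUser -Message "Password for $AdminUser"
if (-not $cred) { return }

$names = @($Consoles.Keys)
while ($true) {
    Show-ConsoleMenu -Menu $Consoles
    $choice = Read-Host 'Launch which console?'
    if ($choice -eq '0') { break }
    if ($choice -notmatch '^\d+$' -or [int]$choice -lt 1 -or [int]$choice -gt $names.Count) {
        Write-Warning "Enter a number between 0 and $($names.Count)."
        continue
    }
    Start-AdminConsole -Snapin $Consoles[$names[[int]$choice - 1]] -Credential $cred
}
```

If the admin account is a local administrator under UAC, Start-Process -Credential gives it the filtered (non-elevated) token, which is enough for domain consoles but not for snap-ins that need local elevation.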

Now, I am not one to use fancy or even simple tools that are not usually always available. I’ve worked on enough systems and in enough ways to know that it sucks to become really accustomed to doing something one way (such as with shortcuts), and then be like a fish out of water when in a situation where I don’t have my nifty customized tools. Similar to how I rarely customize or “prettify” Windows anymore. I don’t need to spend 4 more hours after a reinstall making it pretty. So little tools like this are typically only minorly used by me. I like being able to sit down at nearly any Windows machine and knowing what I have available and what I would need to do to get what I want (resource kits, third party tools like procmon, etc). Either way, I think this little script can be useful for now.

on subtlety and the three t’s

These are not meant to be related, I just wanted to save them.

“Great wisdom is not obvious, great merit is not advertised. When you see the subtle, it is easy to win — what has it to do with bravery or cleverness?” – The Art of War, Chapter 4: Formation

and

“IT must balance three T’s: time, talent and technology. Today, the tendency is to throw technology at a problem and in so doing, reduce the need for talent (expertise) and reduce time. I recall my colleague Chris Blask saying, ‘Computers are fast and people are smart.’ Invest first in talent. Give them time to plan and choose technology that will allow them to be smart, *fast*, and you’ll have spent your own time wisely.” From a blog entry by Dave Piscitello.

security, encryption, passwords, obfuscation, oh my!

Whitedust pointed me to Emergent Chaos with an announcement that obscurity will save us and we can just hide our files someplace unexpected and be safe! Well, ok, mordaxus was nearly as sarcastic as I was in that last line.

I just have two points in mentioning this. First, I wouldn’t argue against someone who says that encryption itself is simply a form of obscurity. It is obscured because a key/passphrase is not known. But know that bit of information, and encryption is done. Of course, this means every password system is also a form of obscurity…but I still wouldn’t argue with that person to any great length.

Second, there are plenty of places to hide files on Windows machines already. Alternate Data Streams in NTFS have never gotten the attention they deserve, especially since few tools poke around in there, and those that do are sloooow. I would bet that few people even know about ADS and fewer will ever bother to do a scan for those files. Of course, I’m not saying this is protection for passwords and financial information. I would more use ADS for hiding porn stashes…
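As an added example, not the post’s own code, here is the kind of scan the paragraph says few people bother with: a PowerShell function that walks a directory tree and reports every alternate data stream other than the default one. It assumes PowerShell 3.0+ (the -Stream parameter) on an NTFS volume, and the Find-AlternateDataStream name is mine.

```powershell
# Added example: enumerate NTFS alternate data streams so hidden ones are visible.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the "mark of the web" browsers attach to downloads.
        # It is legitimate and everywhere, so it is noise unless asked for.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream on the file, including the default ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

# Usage: list anything riding along behind files in a profile directory.
Find-AlternateDataStream -Path "$env:USERPROFILE" | Format-Table -AutoSize
```

Directories can carry streams as well; drop the -File switch to include them. On Vista and later, cmd’s `dir /R` shows the same per-directory information without PowerShell.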

a failing of blogging

One of the failings of blogging, especially its use for education, is how unsupportive it is to dialogue. Yes, there are comments, but once I leave a comment somewhere, it is a crap shoot whether I ever get back there to see any further dialogue or rebuts or agreement. Fire and forget, most of the time. Sometimes I’ll post a question and check back later, but mostly I don’t and mostly I just plain forget. I also don’t look at posts later on to see if what the author said was BS and spoken-to in the comments. I have to take posts largely at face value. How often have I posted on a Bruce Schneier topic that tends to have plenty of feedback, only to never look back at that particular comment thread again?

Forums promote repeated dialogue until a topic has run its course and slowly melts back down the priority list, replaced with newer topics. A regular reader/contributor can, in this way, watch discussions she may be interested in until they naturally conclude. Mailing lists are similar. IRC is somewhat the same way, as interaction and discussion occur right away. While those that idle don’t typically re-read old logs, at least discussions at the moment have some give and take.

Running one’s own blog is a bit of an exception, as here I tend to be able to see each and every comment posted, and thus have my full run of any dialogue. But how can one really capture this for readers? Email notifications on comment replies help, but only when one has already commented on a post. Anything not commented on gets no continuation. In that case, it behooves me to comment on every post on those blogs. Setting up an RSS feed for comments is another nice thing. Ha.ckers.org does this, but I have to admit there is no real kind way to present them. New comments on old posts get thrown into the middle of new comments on new posts, which really muddies the waters of trying to follow any sort of continuity. But for anyone who diligently reads the feeds, this can be an effective, if jarringly annoying, way to keep up. The author can re-post the articles based on comments and responses, but this just perpetuates the cycle until no comments are left (or all the readers have left!).

So what is one to do? Well, slowly I’ve been moving back into IRC and I want to get back into forums as well. Blogs have their high points, but unless one is a real fan of a particular blog and sticks around a lot, RSS feeds are just best suited to scatter-shot news posts and catching the latest releases in podcasts or tools than for real educational dialogue.

I think this is also why I maintain my blogs more like personal journals (and I prefer the term journal to blog), where the only real reader I’m looking to keep informed is me. Letting out my own ideas, thoughts, and otherwise documenting my own life and knowledge. *shrug*

macworld hack

Macworld passes were hackable. This just amuses me to no end. While Apple does not directly put on Macworld (IDG World Expo does), it is interesting how security by proxy can work. I would hope IDG World Expo’s developers are few in number, underpaid, and overworked to put out something like this. This reflects badly on Apple as well.

Which brings up the question of just how many and how bad can insecure practices be before they take in collateral damage? Can a mistake on IDG’s part be prevented by Apple? Should companies VA or pen-test each other? Should Apple have known better? Is there really any recourse for this as we move into the future security-be-damned?

It amazes me that such simple things are still occurring today, like javascript “secrets.” I’m not what you would call a web programmer, although I could likely be one given a bit more effort and a job in that field, and yet even I feel I should be better at coding and design concepts than that. Seriously, though, it makes me yearn to get back into web coding again.

If I find more details on the hack, I’ll update this post.

irc.freenode.net

“A military body goes through myriad transformations, in which everything is blended. Nothing is not orthodox, nothing is not unorthodox.” -The Art of War, Chapter 2: On Waging Battle

It has been years since I’ve been on IRC regularly. I think I first got on IRC back in 1995ish when I moved from AOL over to a real ISP and thus needed to find a new place to chat. While I didn’t really chat about anything technical, I stayed a near-regular on IRC until after college when, around 2002, I kinda drifted away. I mostly stuck to gaming chats and once my gaming took a lull so too did my IRC days.

However, more and more I see security/technical groups with a presence on IRC, particularly freenode.net. As such, I started my next mini-project last night to get my ass back on IRC regularly. My one requirement for doing so, though, is that I want to be able to hide my host name (IP) or otherwise mask/reroute it. I don’t really have any external servers available to proxy or bounce off of, but I think freenode itself will let me cloak my host name, which might be enough. Of note, I read up on bouncers and might put one up on my server just to see what that is all about.

Fun times, and it’ll be nice to get back on IRC for some shoulder-rubbing. I also need to get my ass on a forum somewhere as well, but that is predicated on getting at least one of my systems up on a proxy somewhere (something I should do anyway). Yes, I like my privacy and I dislike making a target of myself…and no, I don’t antagonize people or anything. I just prefer obfuscation for as long as it holds out.

If I get on freenode, I’ll be authed as LonerVamp, of course.