The wifi hog project. Not sure what to make of this, but gotta read it someday.

Sometimes these things are very useful, and sometimes admins should block access to them. The Your-Freedom site offers such a service to bypass content filters, firewalls, and proxies.

This looks like a fun and well-written read, an illustrated guide to cryptographic hashes.

NetworkWorld posted a rather good series of articles on the six worst security mistakes.
1. Not having a security architecture– I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.
2. Not investing in training– This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.
3. Neglecting identity management– Since I’ve not worked in environments over with over 500 employees, I’ve not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, “you need identity management, here’s kinda what it is” but never discuss what products work, what don’t, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I’d like to examine identity management systems, but so far I’ve not seen a need for it in current environments. If I could make my own home-brew setup with little costs (maybe a USB fob and open source software), I would love to add that to my projects list.
4. Ignoring the insider threat– Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add in that not just empoyee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.
5. Not protecting web appliances– This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure or no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development, in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell… 🙁
6. Buying products with the most bells and whistles– This is an interesting item, and I think is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propoganda, and lack of having a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.

This is social engineering at its best, and most scariest. Just think if this guy had more important things to say, or was pawning himself off as speaking on behalf of someone or something more important. Wow.

An article posted on SecurityFocus quoted:

Building on a Wall Street Journal analysis of the 20 million search queries leaked by America Online that found “free” to be the most popular search term, SiteAdvisor warned that the results produced by such searches frequently lead to malicious Web sites.
“Often, so-called ‘free’ items are anything but free,” the company, recently bought by security firm McAfee, stated in its advisory. “Free screensaver and games sites are notorious for bundling spyware and adware with downloads… Free e-card sites often share users’ e-mail addresses with third parties and can lead to a never-ending influx of spam… Ringtone sites frequently lure consumers with misleading offers of free tones that ultimately lead to automatic enrollment in paid subscriptions.”

I admit, back in the day free stuff used to be cool to download. These days, however, they are packed with spyware and other not-so-nice things. Always have to wonder, “why is this free, what are they hoping to get?” More often than not, to get something installed on your computer or get your “clicks” on their sites.
I honestly have more trust in downloading cracked commercial apps through my regular channels as opposed to free sites. However, when looking for legit free things, I put a lot of faith in SourceForge-hosted apps and anything from a website that looks like a real developer just offering out to the world some little tool he/she created to do something cool. Anything else like free screensavers and the like are just not really worth the time and effort and risk.

I am really toying with the idea of plunging fully into Linux…while also just testing with my toes again. Hrmm…
I’ve run Linux in the past, from Red Hat version 7 up to SuSE 9.x and various Livecd incarnations. But I’ve never been able to stick with an install for long enough to really immerse myself into it. Red Hat 7 was interrupted due to a need to do some resume/website work back after college when I was unemployed. SuSE was interrupted by my need for gaming…mulitiple times.
But the gap between Linux and Windows, especially the apps in Windows that I rely on a day-to-day or weekly basis, is greatly diminished now, if not gone altogether. The only real gaps would be ease of use of all the years of acquiring apps and programs to do certain tasks, the support for gaming, and the support for wireless.
The years of acquiring apps may be interrupted soon by Windows itself…who knows what Vista will be changing when it finally releases, but it will be a whole new world to learn anyway (although not entirely). The support for gaming has been getting better, but only slowly. Thankfully, having a gaming-only machine is not a bad idea, especially since any Linux that I run will not need beefy specs or expensive machines. And support for wireless has been getting better in leaps and bounds, to the point that some of my Livecds recognize my wireless laptop right from the install, and get online with absolutely no work on my part.
But, I do still game, and I do still have a lot of things on my XP laptop that I just can’t part with quite yet, especially since it’s the only machine that seems to accept any of my old Windows XP keys and licenses (damn Genuine Advantage, in the end, it will end up driving me away from Windows…).
So, one thing I really want to do is make sure I have Linux on a laptop, which does greatly limit my choices on my systems. I think I might give another shot to dual-booting or even just running VMWare Workstation on my laptop and carving out some space for a Linux install. I know my system is that all that robust (512MB RAM), but I think if I go ahead and wipe it off and reinstall Windows XP, it should be cleaned up enough to allow me to run a VM Linux (Ubuntu or SuSE again).
This post started out with me wondering to myself where I should put Linux and work it into my daily life, up to listing my systems and the pros and cons…but I think I already just talked myself through my plan.
This will leave me my gaming system, a possibility for less intensive games on my laptop, and leave me other lesser-speed Windows 2000 laptops for other uses. My other desktop-class systems can then still be whatever, as they are just used in my lab.
First order of business though: clean off the XP laptop, back everything up that I need or want, take inventory of what I need to replace, and start to organize up my tools and tempfolder (a dropbox for all sorts of incoming things that I’ve not played with, tried out, or used enough to file them away to keep or delete).

Just thought this an awesome little idea for a contest. Defcon is definitely one of the most unusual and interesting security “conventions” around, as hackers and gov’t security folks play contests that basically hone and demonstrate and teach security and anti-security skills. Quite amazing. In this contest..well..click to the article.

So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple’s built-in wireless card or third-party wireless drivers for a possible third-party wireless card.
And look at where Maynor and Cache are now. In the middle of this summer’s biggest IT feud which is spreading a feeling amonst the “blogosphere” that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.
All of this uncertainty has resulted in mudslinging, amatuer journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else’s posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don’t think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don’t think so), or for the details to finally be released (after a fix, of course).
Until such time, we’re all still left with uncertainty. But what I am certain about is our approach to “responsible disclosure” is going to be coming to a head, and I don’t think corporations will be happy with the imminent conclusion.
Security practioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.
Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.
Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a “proper” amount of time. This year we have Maynor and Cache with wireless driver attacks.
In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.

There are a number of news publications and sites and posts that say things like, “organizations now need encrypted backups,” or “spam is out of control,” or “building a comprehensive disaster recovery plan.”
I get a little happy when I see something like that, I and read into the article only to realize it is just one of those “obvious need” articles. These articles are great for new topics, but far too often they are already old news topics and offer me nothing on how to actually perform lots of these functions. Too often, I get the feeling these are written by people who can complain about the problem, but really have no idea how to fix it, nor have had any experience in what the challenges may be in encrypted all backups or trying to implement and company’s first diaster recovery initiative.