irony in local admins circumventing group policy

Mark Russinovich is a Microsoft employee; you may have heard of him. In a recent blog post he describes how the AutoPlay feature in Vista stopped working on his laptop after a Group Policy update. Mark, holding the coveted local administrator rights on that laptop (a work-assigned one, as implied by the post), found the setting to re-enable AutoPlay. And to keep Group Policy from reverting the setting back to what his admin wants at the next policy refresh, he opted to block it by adjusting the permissions on the setting so that the policy engine could no longer rewrite it.

Now, Mark likely has a work-related reason to use AutoPlay, and took steps to get his work done (giving a demo of the feature) by circumventing his admins and likely corporate policy. And then posted this for others to see and learn from, both technically and by example.

Mark says,

A local administrator is the master of the computer and is able to do anything they want, including circumventing domain policies…and that’s just one more reason enterprises should strive to have their end users run as standard users.

So, is Microsoft wrong for allowing someone like Mark to run as local admin? Or is Mark wrong for circumventing that trust? For lesser employees, I would be more forgiving, but Mark full well knows what he’s doing. Likewise, if anyone qualifies for local admin rights on a corporate-issued laptop, Mark is the least of your worries. Should Mark work with his GP admin to either do this better or make Mark an exception (admins love exceptions)? Things that make you go hmmm.

I just find this all unintentionally funny…and a horrible grey area for us professionals.

installing portbunny on ubuntu 7.04

PortBunny 1.0 has been released; a tool I mentioned just a few days ago. I run Ubuntu 7.04 on my laptop and wanted to try PortBunny on it.

michael@orion:~/Desktop$ tar xfz PortBunny-1.0.tar.gz
michael@orion:~/Desktop$ cd PortBunny-1.0/
michael@orion:~/Desktop/PortBunny-1.0$ make
make -C /lib/modules/2.6.20-16-386/build M=/home/michael/Desktop/PortBunny-1.0 modules
make: *** /lib/modules/2.6.20-16-386/build: No such file or directory. Stop.
make: *** [all] Error 2

Dang, I thought I had the linux-kernel-headers installed. It is easy to check whether they are: the PortBunny Makefile builds against /lib/modules/2.6.20-16-386/build (the directory named in the error above), so if that directory does not exist, the headers for the running kernel need to be installed. The command ‘uname -r’ prints the release string of the running kernel, which is exactly the suffix of the headers package name. In the command below, the quotes around uname -r are backticks (command substitution), not single quotes.

sudo apt-get install linux-headers-`uname -r`

After that, a “make” and a “make install” succeed and PortBunny happily port scans whatever I point it at. It had no problems scanning the few boxes on my network as long as I didn’t have any active firewalls running, i.e. a firewall that shuns me after a threshold of port connection attempts. Good stuff!
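As an added example (it is not from the PortBunny release or the original post), here is a small shell helper that performs the same check for any kernel release and also covers the two ways the check fails in practice: headers installed for a kernel other than the one currently running, and a build symlink left dangling after a headers package was removed. The modules-root parameter exists only so the functions can be exercised against a scratch directory; the package name it prints follows the linux-headers-<release> naming used above and is an assumption about the distribution's package layout.

```shell
#!/bin/sh
# Added example for the PortBunny build; not part of PortBunny or the post.
# The module build runs "make -C /lib/modules/$(uname -r)/build", so what
# matters is that this directory resolves to a kernel tree with a top-level
# Makefile. Two ways that fails in practice: no headers for the *running*
# kernel (a newer kernel was booted than the headers were installed for),
# or a "build" symlink left dangling after a headers package was removed.

# headers_status REL [MODULES_ROOT]
# Prints "ok" and returns 0 when REL's build tree is usable; otherwise prints
# the apt package that would provide it (assumed linux-headers-REL naming)
# and returns 1. MODULES_ROOT defaults to /lib/modules and is a parameter
# only so the function can be tested against a scratch directory.
headers_status() {
    rel="$1"
    root="${2:-/lib/modules}"
    build="$root/$rel/build"
    # test -d follows symlinks, so a dangling link counts as missing.
    if [ -d "$build" ] && [ -f "$build/Makefile" ]; then
        echo "ok"
        return 0
    fi
    echo "linux-headers-$rel"
    return 1
}

# headers_installed_for [MODULES_ROOT]
# Lists the kernel releases that do have a usable build tree, which shows at
# a glance when headers are present but for a different kernel than uname -r.
headers_installed_for() {
    root="${1:-/lib/modules}"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        rel=$(basename "$d")
        headers_status "$rel" "$root" >/dev/null && echo "$rel"
    done
    return 0
}

# Stand-alone use: report on the running kernel and say what to install.
running=$(uname -r)
if pkg=$(headers_status "$running"); then
    echo "headers for $running present; make should work"
else
    echo "no usable headers for $running"
    echo "installed for: $(headers_installed_for | tr '\n' ' ')"
    echo "run: sudo apt-get install $pkg"
fi
```

If the script reports headers installed for a release other than the running one, the usual cause is a kernel upgrade followed by a reboot into the new kernel without the matching headers package; installing the package it names fixes the build.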

2008 winter scripting games

The Winter Scripting Games 2008 are right around the corner, starting February 15. Last year, these “games” gave me the kick in the pants to try out Microsoft’s PowerShell scripting, and I must say it might be one of the better skills I acquired over the past year; something I can use both at home and at work.

I plan to participate again this year in the PowerShell division(s), but I see they are also including Perl in the games this year. I think I will try to put the most effort into the Perl section since I’m horribly rusty with it.

So check it out, give them a try, and pencil in those dates to save some evenings for devoting some time to the challenges.

new live cds and standalone firewall installs

There continue to be a good number of live cd distros available with a security slant. Here are some links, although some of them I haven’t even booted yet to check out.

Russix is a wireless pen-testing live cd that appears to make the most common wireless penetration tasks surprisingly automated.

Hex 1.0.2 is a platform for network security monitoring.

Deft v3 is a self-explanatory live cd: Digital Evidence and Forensic Toolkit.

Honeywall 1.3 appears to be a data capture installer. This isn’t a live cd, but rather an installer that should be run on an empty or expendable hard disk.

Various other firewall installs are also available as usual. IPCop 1.4.18, pfSense 1.2 RC3, SmoothWall Express 3.0, m0n0wall 1.3b7, Untangle.

accessing linux filesystems in windows

A lot of attention in the Linux world goes to accessing Windows partitions (NTFS) in Linux. From Hackosis, I’ve recently been pointed to Windows tools that can access Linux partitions. This can be useful if you dual boot and have multiple file systems on the same local disk (or if you mount another disk onto a system, although I’m not sure why anyone would want to mount a Linux disk on a Windows system… I guess backups and even Windows-only forensics tools might be some reasons).

Linux Reader allows read-only access to ext2 and ext3 from a Windows system. Ext2 Installable File System will allow read and write access to ext2 from a Windows system.

24c3 and bhusa2007 videos are posted

Videos from the 24th CCC have been posted. I highly recommend Toying with Barcodes by FX. It is nice to think about the various ways technology around us can be extremely vulnerable to tampering, and barcodes are ripe. I’m sure this is old news to many tinkerers (hackers), but FX does an excellent job highlighting many issues.

Black Hat USA 2007 videos are also up.

Tunak Tunak Tun is an infectious music video. Some of the dance moves occur in WoW.

get things done; create something

I do read a few non-security blogs, and sometimes they offer sage advice. A post by Samuel from WakeUpLater.com (if you freelance/work-for-yourself you can wake up later) has a few excellent points (although I will argue his title doesn’t match the text).

The title of the post is Stop Reading Blogs: Go Create Something. I know from all of the blogs and sites I read regularly, I get such a huge influx of cool things and tools to use, that I end up trying out less than if I just had a shorter queue and more time to try them. My gmail box is overflowing with stuff to check out from the past year. Reading blogs is helpful, but I’m the last person to ever say I know Topic FGH just because I read about it online. I think I’ll make a point this year to start culling my list of useful blogs that I read, or at least organize them in a more tiered fashion from Must Read to Only If Bored.

The post also goes into writing, Stephen King, and reading. I really love this, and I do have a special place in my heart for reading and writing. Find a space that is yours and free of distractions. Get something done. Get started and the hard part is then behind you. Do it for yourself, not others. (If you do it well, the part about the others will find its own place.)

This past year has been the first time I’ve had an apartment to myself, and I’m now pursuing outfitting the second bedroom to be my little workspace conducive to all of my geeky endeavors.

theme song for 2008

Mike Rothman picked a theme. Even shrdlu picked a theme. Should I lay early claim to “Aenima” by Tool?
Some say the end is near.
Some say we’ll see armageddon soon.
I certainly hope we will.
I sure could use a vacation from this
Bullshit three ring circus sideshow of freaks.

No, I’m not quite that negative at the moment. Being at work and not having a legit means to browse my music collection, I’ll have to put this topic on hold and listen for a candidate song over the next few days or week…if I even do come up with something interesting.

generation y in the workplace

I’m not big on generalizations, but let’s face it, they happen. I clicked through to a ComputerWorld article on how Generation Y are the biggest users of our libraries. Neat. This prompted the question: “What the hell is a Generation Y person?” I was born in ’77, so I’m on the nebulous border between designations, but from reading a rather interesting article on Wikipedia for Generation Y, I tend to fall more into Y due to my technological inclinations. Labels aside, it is at least interesting to see how the workplace culture is changing with a generation of young people, of which I still consider myself a member.

fax thermo ribbon and port bunnies

I watched fabs’ presentation on Advanced Port Scanning at the 24c3 (that looks like a heckuva venue!), so thought I would poke around and see if Port Bunny had been released yet. Basically this should be a simple TCP port scanner that can scan faster than nmap; the presentation goes into the reasons why. It doesn’t look like the tool is out yet (and I’m patient so will wait for the official release in January), but I did find a post from FX on the Recurity Lablog about retrieving faxes off a spent thermo transfer ribbon from a fax machine. Information hides in interesting places!

links for further reflection

Some topics in the security field are important enough to revisit regularly, even if a solution or consensus is never reached. Such topics can shape entire paradigms for how we approach our daily security decisions, personally and professionally. In fact, these discussions are important to me whether I agree with them or they run fully counter to my own views, and I certainly do love bookmarking excellent essays.

Kurt Wismer has recently posted a couple such topics that I think are especially important to keep in mind. First, Kurt talks about why vulnerabilities are just never going to go away, and what that means to our approaches. Second, he probes the question on what average users need to know about their computer security.

policy compliance walkthroughs

Andy ITGuy posted a picture of a login and password taped to a keyboard. Awesome! So, how does one combat this besides just waving the policy around (since I’m not gonna bet my salary that that will work)?

First, I love the idea of walkarounds. I know it sounds juvenile, but some night do a walkaround inspection of the premises, especially cubicles/workplaces. This can be done in phases of small random samples, as well.

Second, document and fix any mistakes. That login information on the keyboard? Photograph it and remove it and destroy it. That way the next time someone needs to get on there, they have to ask someone or make a cognizant effort to recall the information. That might be all the goading they need!

Third, maybe write up people who break the rules, but that is difficult at times to get managers and HR to get behind and put some teeth into. Instead, dock teams of people (or departments) points for policy breaks and reward the teams who break the fewest rules. Give ’em an extra day off, a pizza lunch, or what have you. And no, a luncheon with the CEO is NOT a reward (yes, I’ve seen that!). Make it something people want just enough to add a little social pressure to comply. And try to keep it on the positive side of conditioning.