wi-spy and chanalyzer updated

MetaGeek has recently updated the Wi-Spy software to Chanalyzer 2.1.6. They have also updated their other software for the Mac. Oh, and I see Wi-Spy now has a 2.4 product which has an external antenna and has ballooned in price to $400. Ouch! Still, the original is available and the software works with both.

I’m not sure the external antenna is worth the price, and at $400 they’re really moving out of consumer-land geekery and into the small office wireless support market. Unless you consult on wireless analysis and site surveys, I don’t think any home user will lay down that much money for this tool.

calling a powershell script from a powershell script

Doing things in PowerShell is often simple, but finding them out for the first time is sometimes not. This little tidbit took a good half hour of my day. I wanted to call another script from my first script. I didn’t mind if I needed to wait for execution to finish before moving on, and I had no requirements to pass variables or any information between scripts. This did the job for me:

& "d:\scripts\installwebserver.ps1"

If it can’t be done in PowerShell (yet!), there is the option of calling psexec or powershell.exe or cmd.exe directly using Invoke-Expression. MoW talks about calling a process and leveraging the WaitForExit method, which could be useful as well.
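As an added example (not from the original post), the two forms above side by side: the call operator, which runs the child script in the current session and leaves its exit code in $LASTEXITCODE, and a separate powershell.exe process waited on with Start-Process, which needs no Invoke-Expression (useful, since Invoke-Expression evaluates whatever string it is handed as code). The script path is the post's own; it is assumed to finish with an exit code.

```powershell
# Added example, not from the original post. Assumes the child script at
# the post's path ends with 'exit N' (0 for success).
$child = 'D:\scripts\installwebserver.ps1'

# 1) Call operator: runs the script in this session and blocks until it
#    returns. Variables the child sets at script scope do not leak back;
#    its 'exit N' value is available afterwards in $LASTEXITCODE.
& $child
if ($LASTEXITCODE -ne 0) {
    Write-Warning "child script failed with exit code $LASTEXITCODE"
}

# 2) Separate powershell.exe process: isolates the child completely and
#    waits on it with -Wait/-PassThru instead of calling WaitForExit by
#    hand. A path containing spaces would need to be wrapped in quotes
#    inside the -File argument.
$proc = Start-Process -FilePath 'powershell.exe' `
            -ArgumentList @('-NoProfile', '-File', $child) `
            -Wait -PassThru
"child process exited with code $($proc.ExitCode)"
```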

technitium mac changer updated

The free Windows MAC-changer tool, Technitium MAC Address Changer has had a new release. Yeah, so what, it’s easy to change a registry key, but we all know that once you know the how and why, you want to do things easy and quick, hence tools like this that automate the mundane. This tool should be up there just under the ranks of Cain and NMap as necessary free tools for Windows.

reality check from the fark attack

It is not breaking news that fark.com was the victim/target of a hacking attack. But take a moment to think about this attack. Someone sent spam and spoofed emails to Fark employees. The spoofed emails appeared to be from colleagues. The links contained went to websites hosting trojans and other malware, some of which seems to have stolen and sent out pilfered passwords.

Think about how your organization would be protected from an attack like this.

Users don’t check email headers, at all. They wouldn’t know these messages are spoofed unless there is something obviously wrong or they yell over the cube wall to ask. Should the users even see these emails?

If one user accidentally clicks the link, will their browser be susceptible? Their OS? Their administrative/user level on the system?

Would they know something happened and say something? What if they don’t, can you run a history search to see who in your company visited those bad sites?

Will the OS scream bloody hell if a trojan is found? If a trojan is detected by AV but no analysts are around to check the logs, does it do damage?

There are a lot of breakdowns here, and I would not be the least bit surprised if the same breakdowns exist in 95% of companies. And guess what…I bet Fark isn’t a Fortune 500 and not a huge employer, and they were still the victim of a targeted attack. And no, I don’t think user education is a guarantee of protection.

As a side note, I think user education is valuable, but I also think it has some dangers. It shouldn’t be used to reassign blame, for instance to some user who clicked on a link when they should have known better from their training. That’s not productive punishment or assignment of accountability or blame. Likewise, can you detect when they break down? If not, why bother training? If so, then likely you have the technological means to compensate for less user training. I’m not anti-user training, but I am against viewing it as more than an augment to a company’s security posture and culture.

the religious ugly of browser choices

In the workplace, I tend to avoid the common conversations: money, religion, politics, and even sex. These things tend to be wedges between people. People get way too fanatical about some of them, or it becomes a divisive topic. I’m careful with whom I open up to about those things, and where and when.

Today I clicked to visit a blog site I have in my RSS reader. I clicked through from work and up popped a flat out denial screen because I was using IE as my browser. Now, we make people use IE, and some of us do get to use Firefox when we test or need something new; however, I don’t make myself a standing exception, and I use IE almost all of the time like every other user. And no, this wasn’t just a warning page that let me into the site, but rather a complete, 100% denial of entry.

Seriously, take your browser and OS religion and put it elsewhere. I don’t subscribe to political or religious blogs. And while I sometimes read that particular offending blog, I decided it is not worth giving the author another feed hit, so I unsubscribed.

I don’t mind people saying Firefox is better, or reminding me that I’m on IE through a splash page. In fact, given the option, I’d use Firefox over IE anyway, which I do at home (and with a blank user-agent). But discriminating against users with full denial based on browser choice is ridiculous.

the ghosts of digital crime

The Register posted an article about Max Butler being busted again by authorities. Two things about this article.

1) As if we don’t need more awareness of wireless insecurity…oh wait, obviously we do. Max would go to hotels and intercept wireless communications. Hello there, ripe opportunities!

2) In the bootnote, I see, “Some kids think they can’t get into trouble for hacking computer systems…” Now, let’s look at crime in general, let alone digital crime. I’d be willing to say that people are not so much caught breaking into something as they are caught bragging about it or trying to sell any goods they stole from said breaking or hacking. If I intercept and break into your wireless network from a hotel room, unless I’m stupid and visited my gmail account on your network, you likely aren’t going to have anything on me. If I steal your wallet, I’m a ghost. Until I show up at the grocery store and attempt to use that credit card or cash that paycheck you received….

However, I would say an exception would be when you discover a break-in while it is in progress. A guard seeing someone climb a fence could stop a theft and arrest the intruder. The same might be said about a digital break-in, possibly. But still, a break-in where I actually get away means I’m a ghost.

I want to brainstorm a moment. The steps of a theft?

a) Someone decides to commit a crime. Often, crime occurs in a moment of opportunity or desperation. I don’t plan to steal someone’s wallet, but when I see it just lying there, or that accountant’s computer sitting unlocked… Or I can’t pay my bills and absolutely need money or go homeless… Otherwise, committing a crime typically means overcoming some internal moral compass and disregarding external moral judgements. Many people don’t run red lights because that’s Just Bad or because other people are watching. Same with many crimes. They don’t occur because they are Just Bad. Which is why the first time is the hardest, and repeat offenses are so important to watch. Other than maintaining cultural morals, you can’t do much about this. The digital age has largely removed the “people are watching” barrier (the external moral judgements), especially on the Internet. Just ask any child predator.

b) Someone is breaking in. You have a great chance to catch someone here, or thwart their attempts. Guards, alarms, diligence, logging, monitoring, razor wire, locks.

c) Someone has broken in and left. This is the ghost stage. Unless they left behind some solid evidence, they’re a ghost. Take inventory and try to determine motive or start cleaning up.

d) Profiting from the crime. This is the next chance to really catch someone when they attempt to sell the goods or do something with their ill-gotten gains. Whether it is bragging or selling credit cards, this is the next tripwire where you can catch someone. Of course, if the goods are not trackable, such as common cash, then you’re still out of luck. If I steal your wallet, grab the cash, then burn the rest, you’re still out of luck when I buy some 40s with the cash.

picking more locks

I’ve previously mentioned that I’m getting into lockpicking, and I continue to practice in small pieces of spare time. Last week I picked my first non-practice lock, a 5-pin dead bolt in my apartment. Just tonight I sat down to try it again and picked it three times in 6 minutes. I’m a little scared, but happy with my progress!

I’ve been able to start to actually feel the various “gives” when a pin is set, as well as the sounds. Sometimes there is a small give in the torque when a pin clears. Sometimes a small click. Sometimes it is the lack of tactile response from the pin when it is set and the spring no longer pushes down on the pick. All of these signs are becoming more and more familiar. I’m even surprised more and more at how easy raking a lock open can be. Raking involves moving a jagged rake pick in and out of the keyway such that several pins quickly set, as opposed to picking the pins one by one. Apply torque, slide in a rake pick, and before I’ve even completed two “rakes” the lock is open. I’ve done that a few times, much to my surprise. If you know what bumping is, raking is smack in the middle of the spectrum between bumping and pin-by-pin picking.

Sunday evening I watched War in the theater and for the first third of the movie and through the previews had a lock and pick in my hands just opening it over and over, while not trying to create a pattern of it. I don’t want to unlock my locks just because I follow the same pattern each time, but rather to open them through actual semi-conscious effort.

So far it has been working, and is quite a nice little idle activity. I might move up to my cut out spool pin lock this week. You can see a picture of a spool pin towards the bottom of this really interesting page on lockpicking. This page looks like something nice to read. I especially enjoyed skimming down to the part about unset/unbinding pins and the various states, plus how they feel so as to identify the state.

survival of the fittest…or the most economical

Ahh, summer’s beginning to give up her fight [1], portending my favorite season, Autumn! I’ve also been busy at work and at play, which has limited my posting energy. Not only that, but holy crap have some of my feeds been posting a ton the past couple weeks! It is tiring trying to keep up with them, or even to scroll through the articles I don’t care to read.

Today’s news comes from Marcin, who reviews the question: should you go with a series of best-of-breed solutions or an all-in-one security package? You’ll almost certainly have cost and support benefits from an all-in-one solution, but it may still have small gaps, and it certainly tends to be weaker in some areas, if not weaker than the whole of a series of best-of-breed products put together.

What I would choose is as much best-of-breed as I can afford in time and money, based on my company size. As a techie, I’d much prefer best of breed over all-in-one behemoths. I tend to find best-of-breed products to be more trustworthy and much more surgical in their approaches. In a way, that illustrates a comparison. Would you prefer a specialized surgeon to perform operation X, or a more commoditized but affordable provider? What about for a routine operation? Do you want a common product or something specialized? Agility?

Compliance promotes this idea as does the maturing of the security industry, but should we really settle for “Good Enough” security? Perhaps that is pragmatic, but I’d still like to think anything I secure is better than the typical Good Enough…

[1] If you know this song, props to you, you have some taste!

the practice of system and network administration

Upon recommendation in the Security Catalyst Forums, I picked up a copy of The Practice of System and Network Administration by Thomas Limoncelli, et al.

So far I am impressed by the book. This is an ideal book to give any manager or beginner/intermediate SA/NA. It stays technical, but so far all of the advice is very general and common sense for any IT shop. Do automation, do this, don’t do this, this is why this is a bad idea, these are universal steps to get yourself out of the hole…

There are moments of mangled sentences and some of the topics seem a bit dated (Windows NT…) but this is so far a book I think I’d like to see on the shelf of any manager (or SA team library) I might have for the foreseeable future. It may not tell you how to automate deployments of Windows XP workstations, for example, but it will give you the reasons why this is a good idea and approaches to take to get shit done.

It is also nice to see some things I’ve learned on my own to be echoed in this book, validating my own common sense and reinforcing confidence. Despite being a big book (over 1000 pages), it can be read in chunks and is an easy read nonetheless.

powershell nuance with appendchild to an empty parent

I have adopted the use of xml files as configuration files for any PowerShell scripts I’ve been writing for work lately. Today I just found an odd bit of behavior when working with building a new xml file (if the script runs and sees no existing xml config file, it creates one). Normally, adding child objects in xml is fairly straightforward. Assume this is the existing xml.

<installcontrol>
   <serverlist>
      <server>
         <servername>ALDARAAN</servername>
         <servername>TATOOINE</servername>
      </server>
   </serverlist>
</installcontrol>

We can use this script to add a new child server, DANTOOINE.

[xml]$xmlFile = Get-Content $xpath                              # cast to [xml]; Get-Content alone yields strings
$objNewServer = $xmlFile.CreateElement("server")
$objNewServerName = $xmlFile.CreateElement("servername")
$objNewServerName.Set_InnerText("DANTOOINE")                     # same as setting .InnerText
$objNewServer.AppendChild($objNewServerName)
$xmlFile.installcontrol.serverlist.appendchild($objNewServer)    # dotted property access to serverlist
$xmlFile.Save("$xpath")

This is great, but what if there are no child objects already present, such as in this xml file.

<installcontrol>
   <serverlist>
      <server>
      </server>
   </serverlist>
</installcontrol>

PowerShell complains that it can’t append a child to a string: with no element children to adapt, the dotted property hands back a string rather than an XmlElement. The script needs to change slightly to accommodate this. The following snippet works both for empty parents and for populated parents. The difference is in the line that appends to serverlist, where the indexer replaces the dotted property.

[xml]$xmlFile = Get-Content $xpath                              # cast to [xml]; Get-Content alone yields strings
$objNewServer = $xmlFile.CreateElement("server")
$objNewServerName = $xmlFile.CreateElement("servername")
$objNewServerName.Set_InnerText("DANTOOINE")                     # same as setting .InnerText
$objNewServer.AppendChild($objNewServerName)
$xmlFile.installcontrol["serverlist"].appendchild($objNewServer) # indexer always returns the XmlElement
$xmlFile.Save("$xpath")
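The whole create-or-load cycle the post describes, as an added example that is not the post's own script: the function builds the skeleton config when the file is missing, so the very first append hits an empty serverlist, and uses the indexer form so that case and the populated case go through the same line. The function name, the config path and the temp-file run at the end are assumptions.

```powershell
# Added example, not from the original post. Hypothetical function name and
# config path; layout follows the <installcontrol>/<serverlist> shown above.
function Add-ServerToConfig {
    param([string]$configPath, [string]$serverName)

    if (Test-Path $configPath) {
        # Cast to [xml]; Get-Content alone would return plain strings.
        [xml]$doc = Get-Content -Path $configPath
    } else {
        # No config yet: start from a skeleton with an EMPTY <serverlist>.
        [xml]$doc = '<installcontrol><serverlist></serverlist></installcontrol>'
    }

    $newServer = $doc.CreateElement('server')
    $newName   = $doc.CreateElement('servername')
    $newName.InnerText = $serverName          # equivalent to Set_InnerText(...)
    [void]$newServer.AppendChild($newName)

    # The indexer (like SelectSingleNode) always yields the XmlElement, even
    # when <serverlist> has no children; $doc.installcontrol.serverlist would
    # come back as an empty string in that case and AppendChild would fail.
    $serverList = $doc.installcontrol['serverlist']
    [void]$serverList.AppendChild($newServer)

    # Use an absolute path: XmlDocument.Save resolves relative paths against
    # the process working directory, not the PowerShell location.
    $doc.Save($configPath)
    return $doc
}

# Constructed run against a temp file so it can be tried as-is.
$tmp = Join-Path $env:TEMP 'installcontrol-example.xml'
Remove-Item $tmp -ErrorAction SilentlyContinue
$doc = Add-ServerToConfig -configPath $tmp -serverName 'DANTOOINE'   # empty parent
$doc = Add-ServerToConfig -configPath $tmp -serverName 'ALDARAAN'    # populated parent
$doc.installcontrol.serverlist.server | ForEach-Object { $_.servername }
```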

powershell: removing items from an array

I’ve been working again with PowerShell, doing some new things. There are still a few nuances to a newbie like me. For instance, while it is easy to create arrays, it is a bit more arcane to remove items from an array. Thankfully, I found a site that gave me the answers I need.

To remove the first item in an array, reassign items 1 through the end of the array back into the array (or a new array). Remember that arrays are indexed with the first item as 0, not 1, so this drops item 0; the index past the end is simply ignored in a slice.

$array = $array[1..$array.Length]
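Generalizing the slice trick above to any position, as an added example that is not from the original post: PowerShell arrays are fixed-size, so removal always means building a new array, and the ends need explicit handling because a range such as 1..0 counts down rather than being empty. The function name is an assumption.

```powershell
# Added example, not from the original post. Hypothetical function name.
function Remove-ArrayItem {
    param([object[]]$array, [int]$index)

    if ($index -lt 0 -or $index -ge $array.Length) {
        throw "index $index out of range for array of length $($array.Length)"
    }

    if ($array.Length -eq 1) {
        # Only element: the naive $array[1..($array.Length-1)] would be
        # $array[1..0], a DESCENDING range that returns the element instead.
        $result = @()
    } elseif ($index -eq 0) {
        $result = $array[1..($array.Length - 1)]          # drop the head
    } elseif ($index -eq $array.Length - 1) {
        $result = $array[0..($array.Length - 2)]          # drop the tail
    } else {
        $result = $array[0..($index - 1)] + $array[($index + 1)..($array.Length - 1)]
    }
    # The leading comma keeps an empty or one-element result an array on the
    # way out; otherwise the pipeline would unwrap it to $null or a scalar.
    return ,$result
}

$servers = 'ALDARAAN', 'TATOOINE', 'DANTOOINE'
$servers = Remove-ArrayItem -array $servers -index 0    # drops ALDARAAN
$servers = Remove-ArrayItem -array $servers -index 1    # drops DANTOOINE

# Removing by value rather than by position is simpler with a filter:
$servers = @($servers | Where-Object { $_ -ne 'TATOOINE' })
```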

i’m only happy when it rains

Michael Santarcangelo poses an interesting question and analogy to the IT security world: do you dance in the rain? Now, you probably won’t catch me dancing in the rain unless I’m at an outdoor concert, but I’m definitely not a scurrier, even if I’m wearing a light shirt headed to an important meeting in the pouring rain. Screw the umbrella; enjoy nature’s weather, even if it can be temporarily painful in the winter; you won’t die. (Ok, so if you’re out in the wilderness camping or hiking, you should be careful, but in an urban setting, you’re not going to die.)

But Michael’s right, do what makes you happy and gives you passion. It might be a little weird, but happiness begets productivity, and ultimately, we’re all more than just our jobs. Keep the optimism. The enthusiasm, while looked at askance by some others, will be respected and rewarded eventually.

Considering our jobs in IT and security, we sometimes don’t get our adrenaline pumping until there is an incident. Perhaps that means we might only be happy when it rains? 🙂

practicing illustrated

Speaking of lockpicking and practice, I actually have been practicing my lockpicking recently. I’ll bring a practice lock and a few picks with me to a coffeeshop or movie theater and pick away at it for small chunks of time or before the movie starts. Sometimes I will do so while watching a movie or television at home. Today I was actually able to pick 2 of my 5-pin locks pretty quickly, multiple times. And these were locks I wasn’t terribly familiar with yet. That’s a pretty big step for me!

Practicing lockpicking has allowed me to go from being a blind raker who gets lucky, to being able to better feel the matching of the pins and which ones are not yet locked. It has also given me my own ability (technique) to determine pin-counts before applying any torque and make guesses when a pin is locked too high or which one is just barely keeping the cylinder from turning.

Of note, I have a simple 21-piece lockpick set that I ordered for about $45, plus a series of practice locks that I found on ebay. I think the locks are about a total of $100, and I have 9 of them. Three of them are cut-away locks so I can actually see the pins. Two of the locks are 3 pins, the rest 5-pins, and I even have a 5-pin spool lock. I highly recommend grabbing a couple cut-away practice locks if you are just starting out, as that really helps.

practice, practice, practice

Practice, practice, practice. This recently came up in a SecurityCatalyst forums thread from Cutaway. You practice until reactions to incidents are automatic. Not only that, but you practice to become better acclimated to something, whether that be a skill or simple knowledge. If you check your internet usage levels or network utilization every day, you get a really strong feel for what to expect. This means one can isolate anomalies much quicker. If you do some lockpicking for an hour every day, eventually you will acquire a feel for doing it quicker, which can expand into being able to tackle tougher locks…

Practice, practice, practice… Professionals need to never forget the basics and the fundamentals of what we do (I know too many who hate the drudgery of such tasks…). Think of it like keeping a finger or monitor on your heartbeat for spot-evaluations or for emergency hospital stays….

$182 per record is garbage and needs tossed

The newly revived Mogull (and he’s not a zombie!) states that the $187 per lost record number is garbage. He’s right, but let’s throw two more logs in.

1. Try to tell anyone who has had their identity stolen or funds maliciously charged to their credit cards that their record is worth only $187. Even those people who have just seen a few pennies charged and flagged by the credit card company could “suffer” more in the thought of what can now happen. I’ve seen firsthand a few rather scared acquaintances after seeing such a test charge…

2. Let’s say you’re a medium-sized company but you have only a few very large clients. Suppose you have a breach, and just 2 people, who happen to be your main client executives, decide that breach was damaging and drop your business. That could have devastating effects. Granted, this isn’t a “retail” store, but let’s just forget quoting too many statistics and numbers lest we lose sight of the real issues.