Wil Wheaton (I’ve been a closet fan of his for years, after TNG) gave an excellent keynote recently at PAX. OCMod actually has the full audio up. If you’re a gamer of any kind, or once were in your youth, this keynote is worth listening to. Scroll down to the bottom for the full audio (good quality), or just read the article for highlights. Scored this from HARDOCP. You know, the idea of opening an old school arcade would be something I’d readily do given spare cash…
Author: michael
security buzzphrases make newborn puppies cry
It may be cute to complain about business buzzphrases, but we have our own stupid, inane little buzzwords as well. I really hate hearing meaningless maxims like “compliance is a process, not a product.” No shit, but don’t we purchase products to support processes? Maybe security should be idealistic and ephemeral, something we can feel good about in our heads but not actually do anything about…but I guess that’s not me. This maxim can be used to attack any product anywhere in our field…making it rather meaningless. I prefer saying something to the effect of “tools won’t create process, process comes first” or “a tool will not solve our problems in the absence of a process.” That sort of statement isn’t something I can use to attack the idea that NAC can be at least partially justified by compliance efforts. Let’s say I do have the process and NAC is my tool to streamline it? Fratto has a point that NAC has a number of drivers behind it, but he is wrong to denounce an arbitrary one using an inane, meaningless buzzphrase.
Saw this from Rothman’s daily incites.
honeypots in the internal network
Roger A. Grimes wrote recently about using a honeypot in the internal network to catch evildoers (am I alone in feeling a bit naughty after seeing the pic of Roger and honey?). I think this approach is a little heavy-handed, even for a throw-away machine. A full-blown honeypot is an interesting approach to the problem of detecting intrusion. If staff cannot detect intrusions on their real systems or on the network, they’re not going to wield a honeypot correctly. And if they do catch someone probing the honeypot, they are already beyond having a problem.
Now, that’s not to say I discredit this approach. I’m all for multiple barriers, detections, defenses, and using spare time and resources (even throw-away junk) for any little bit that can help. In fact, in a previous job I had a really old workstation that I opened a share on and configured a few port listeners on. This box was a crude honeypot/detection box that could alert me if something was scanning certain ports (namely 1434) or something was depositing malicious files on the open share (we had a couple of these outbreaks when I first joined up). Not really a honeypot, but it was a box meant to simply trigger an alarm in an environment that was cash-strapped from a back room standpoint. Honeypots seem more geared towards human attackers, as opposed to automata, which are more often the culprit.
So, I’m not disagreeing with the approach in total, but I would caution that an internal honeypot firing indicates something bigger is already happening, and there really should (if you can get the budget for it) be other measures in place on the network and real systems to detect intrusions or naughty activity, even if they are just little tripwires or detectors.
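The sort of alarm box described above, as an added example rather than the author’s original setup: it binds ports that nothing legitimate should touch on a junk machine (1434/udp for Slammer-style scans, 445/tcp for worms hunting open shares; both port choices and the Slammer fingerprint are illustrative assumptions) and emits one alert record per contact. The point is not to interact with the attacker at all, just to notice.

```python
"""Tripwire listeners for a throw-away box.  Added example, not the author's
original setup: the ports and the Slammer heuristic are illustrative choices."""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# 1434/udp is the SQL Server resolution service Slammer hit; 445/tcp is the SMB
# port share-dropping worms scan.  On a junk box any contact at all is the alarm.
DEFAULT_PORTS = ((1434, "udp"), (445, "tcp"))

def make_alert(proto, local_port, peer, data):
    """Build one alert record.  Pure function, so it can be unit-tested."""
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "proto": proto, "port": local_port,
        "src_ip": peer[0], "src_port": peer[1],
        "bytes": len(data),
        "head": data[:8].hex(),  # first bytes, for eyeballing a known worm
        # Slammer: a 376-byte UDP datagram whose first byte is 0x04.
        "slammer_like": proto == "udp" and len(data) == 376 and data[:1] == b"\x04",
    }

def _spawn(sock, loop):
    """Run loop(stop) in a daemon thread; return (bound port, stop event, thread)."""
    stop = threading.Event()
    thread = threading.Thread(target=loop, args=(stop,), daemon=True)
    thread.start()
    return sock.getsockname()[1], stop, thread

def start_udp(bind_addr, port, on_alert):
    """Bind now (so port 0 resolves to a real port) and alert on every datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)  # short timeout so the loop notices the stop event
    local_port = sock.getsockname()[1]

    def loop(stop):
        with sock:
            while not stop.is_set():
                try:
                    data, peer = sock.recvfrom(4096)
                except socket.timeout:
                    continue
                on_alert(make_alert("udp", local_port, peer, data))
    return _spawn(sock, loop)

def start_tcp(bind_addr, port, on_alert):
    """Accept, read what the peer sends first (a bare scan sends nothing), alert, drop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(5)
    sock.settimeout(0.2)
    local_port = sock.getsockname()[1]

    def loop(stop):
        with sock:
            while not stop.is_set():
                try:
                    conn, peer = sock.accept()
                except socket.timeout:
                    continue
                with conn:
                    conn.settimeout(1.0)
                    try:
                        data = conn.recv(1024)
                    except socket.timeout:
                        data = b""
                on_alert(make_alert("tcp", local_port, peer, data))
    return _spawn(sock, loop)

def self_test():
    """Fire one Slammer-shaped datagram at a loopback UDP tripwire; return its alert."""
    alerts = []
    port, stop, thread = start_udp("127.0.0.1", 0, alerts.append)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"\x04" + b"\x01" * 375, ("127.0.0.1", port))
    for _ in range(100):  # wait up to ~2 s for the listener thread
        if alerts:
            break
        time.sleep(0.02)
    stop.set()
    thread.join(2)
    return alerts[0] if alerts else None

def run(ports=DEFAULT_PORTS, bind_addr="0.0.0.0"):
    """Foreground mode: one JSON line per alert (pipe to logger(1) or a mail script)."""
    starters = {"udp": start_udp, "tcp": start_tcp}
    for port, proto in ports:
        starters[proto](bind_addr, port, lambda a: print(json.dumps(a), flush=True))
    while True:  # Ctrl-C to stop; the daemon threads die with the process
        time.sleep(1)

if __name__ == "__main__":
    run()
```

Binding 445 needs root; run it as `sudo python3 tripwire.py | logger -t tripwire` and alert on anything the tag shows up in. Because the box has no business receiving these packets, the alert needs no signature: the source address is the finding, and the `slammer_like` flag is only there to save the analyst a look at the payload.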
The article also gives some nice tools, and I’ve already picked up that book mentioned and hope to get started on it in the coming months.
hubs, hubs, everywhere, and not a 10/100 to wire
Looked for a 10/100 (or /1000) Ethernet hub lately? I hadn’t either until today. I found it surprisingly difficult to find a hub. Most searches pull up USB hubs, while the rest tend to recommend switches. Great, but I want a hub (or a network tap, but the cost difference is obvious): a hub repeats every frame out every port, so a sniffer plugged into it sees everything, whereas a switch only sends unicast traffic to the port that owns the destination MAC. One thing to check before buying: many “dual-speed” 10/100 hubs are really two hubs with a small bridge between the 10 and 100 Mbit segments, so a sniffer on a 10 Mbit port will not see the 100 Mbit traffic. If there is a managed switch around, a mirror/SPAN port does the same job for free. The only hub I did find in my quick searches today was a $40 job at CompUSA. Forty bucks?! Maybe I’m cheap about certain things, but a 10/100 hub shouldn’t be $40.
using silc and tor on ubuntu 7.04 feisty
SILC is a secure chat network, much like an IRC network, except that the channel traffic is actually encrypted. However, the server (and anyone reading your hostmask) still sees your real host, which steals away any shot at anonymity. But if you use SILC over Tor, you achieve not only privacy in the channel, but privacy in the connection as well. Nice! As I’ve seen it said, SILC+Tor may be the most secure way to communicate with someone on the net. (Yes, you should also exchange and verify public keys so you know who is on the other end; Tor hides where you are, not who you are talking to.)
First, install Silky. I am doing this work in an updated but newly installed Ubuntu system. Make sure the repositories are unlocked, which should be the first thing done with any Ubuntu install.
sudo apt-get install silky
This will also pull in any dependencies, such as libsilc.
Start Silky either by typing “silky” into the shell or Applications->Internet->Silky. Being the first time run, it will want to generate keys. Automatic is sufficient. Close out, and let’s look into Tor.
sudo apt-get install tor privoxy tsocks
Again, the needed dependencies will be installed. We can then start Tor and call Silky.
torify silky
Click Server, and select a server or supply one you know under Preferences->Edit Preferences. Nothing special needs to be submitted; just use whatever address and port you use normally. Connect, and check out the hostmask: it should show a Tor exit node, not your real host. That’s it! Other programs can be started this way as well, such as “torify firefox”, then go to whatismyip.com and verify the external IP (make sure no un-torified Firefox is already running, since a second invocation just hands the URL to the existing process; there is also a Tor extension for Firefox which works beautifully).
Keep in mind that Tor is not the fastest of connections, and while IRC is pretty resilient, I’ve found SILC to be a bit more picky about slowness. I’ve found Silky can stay up for a few days, but torify (tsocks) eventually dumps out, so it is not something I’d expect to always leave on. Also remember what torify actually is: an LD_PRELOAD wrapper (tsocks) that intercepts the TCP connect() calls an application makes through the C library. Anything that bypasses that, such as a statically linked binary or an application doing its own name resolution, goes straight out un-torified, so the hostmask check above is worth doing every time you connect.
Now, if someone knows how to implement irssi+silc_plugin (or any silc plugin)+tor, I’d love to hear how! That way I could possibly stay connected on a server using screen to attach whenever I want. Granted, I think I’d need two irssi instances since Freenode only wants Tor users to use their special private entrance.
More stuff to Torify can be found on the web.
wikiscanner
Check out WikiScanner if you want to pry a little bit. Use your own company name (and variations!) to see what people at your office have been doing on Wikipedia. Kinda puts some things in our digital world into perspective. The site is pretty busy right now, so you might have to reload the query a few times. When you get good hits, you’ll see a button that says something like “Wikipedia edits, ahoy!” Click it, then click the number links to expand a new frame with the edit itself.
zonealarm local priv escalation
In a similar vein to last week’s Cisco VPN client privilege escalation vulnerability, ZoneAlarm is also susceptible to executable file replacement: a binary that runs with elevated privileges sits where an ordinary user can overwrite it.
Sadly, this isn’t 1998 anymore, and I don’t personally know anyone who still uses ZoneAlarm…
social networking sites and the workplace
Rebecca got me thinking this afternoon with her post on how businesses and even schools may be, or already are, imposing sanctions on their users over social networking sites.
It really sucks thinking about stuff like that, and I encourage reading the post and links she gives. I really feel that while some of that stuff is useful for hiring managers looking for appropriate team members, most of that stuff should belong to the realm of the individual. The exceptions being documented and reported harassment and disclosure of sensitive information. I also don’t mind hiring managers using such sources of information to determine if a potential employee may be a good fit. That’s cool too, in my books, namely using it to learn about someone a bit more.
Take this example. I have a few Suicide Girls t-shirts (I’d link, but it’s not work safe) which I don’t mind wearing (of note, they’re the most comfortable t-shirts I’ve ever owned) out in public. I’m not a member, but I used to be back when I knew people on the site, a bit before they got “big.” So that kinda illustrates a slight individual taste for me, or at least openness (especially to comfy t-shirts!!). While out and about, I might run into people that know me well enough to know where I work. I may meet others to whom I give out business cards which have my company name on them. This is very similar to how people may stumble upon my inappropriate MySpace site (no, I don’t really have one) and connect my company to the person’s habits.
It’s just life, and that’s how we are outside of work in our personal lives. We all have some things we’d rather not air out, on either side of the fence. And I really think trying to police social networking sites (which is really trying to steal individualism away from employees and enforcing Thought Police) is futile and detrimental to our culture as a whole.
If my company president saw me out in the street on a Saturday with my Suicide Girls shirt on, the earring I can’t wear when at work, and doing a wireless site survey on open wireless networks in the area just because I can, I’d hope that he’d be able to smile, say hi, and not let that carry over professionally or try to change who I am. Anything less is superficially shallow, in my books.
installing ssh on ubuntu 7.04 feisty
I don’t think I posted it, so I thought I would jot down installing an SSH server on Ubuntu 7.04 (Feisty).
sudo apt-get install ssh
gksudo gedit /etc/ssh/sshd_config
Change PermitRootLogin to no and change Port to the port number you want. Add a new line at the bottom, “AllowUsers username”, where username is the account you want to allow. You can use “DenyUsers username,” but once AllowUsers is set, every account not listed is denied anyway (sshd evaluates DenyUsers before AllowUsers, so DenyUsers only matters for carving an exception out of a broader allow list).
Next, I want to add a little brute-force protection using pam-abl. These instructions may not be current, but they worked out for me. Add “deb http://ubuntu.tolero.org/ edgy main” to your /etc/apt/sources.list file. Remember to open it as root so you can save it. And yes, I am using edgy instead of feisty in this line. Note that this is a third-party repository whose packages will run as root on your box, so treat it with the same suspicion as any other unofficial source.
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart
Run “sudo pam_abl” to list the current blacklist, and use --help for more features or manual blocking. Failed logins are collected in /var/lib/abl. Also confirm that the package actually hooked pam_abl.so into the PAM stack sshd uses (/etc/pam.d/ssh or /etc/pam.d/common-auth); a module that is installed but never referenced there never sees a single failed login. SSH logs are written to /var/log/auth.log, however it might be useful to increase the logging level. Change “LogLevel INFO” to “LogLevel VERBOSE” in sshd_config to get more out of the logging (VERBOSE also records the fingerprint of any key used to log in), then restart sshd again.
Further hardening can be done. The TCP wrappers files /etc/hosts.allow and /etc/hosts.deny allow or deny connections by client host rather than by user (Ubuntu’s sshd is linked against libwrap, so they apply). hosts.allow is consulted first and a match there wins; then hosts.deny is checked; anything matching neither file is allowed, which is why the deny file needs a catch-all. These lines will allow two IP address ranges to connect but deny all others.
# /etc/hosts.allow
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL
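Two checks for the settings above, as an added example (not from the post; the sample sshd_config and hosts files are constructed, and the Protocol check goes beyond what the post changes): a lint of sshd_config against the hardened state, and an evaluator that applies the hosts.allow-then-hosts.deny order to a client address, so you can see what a given source IP would get before you lock yourself out.

```python
"""Two checks for the sshd hardening above.  Added example, not from the post:
a lint of sshd_config for the settings it changes (plus Protocol, which goes
beyond the post), and an evaluator of /etc/hosts.allow and /etc/hosts.deny
with hosts_access(5) order.  The sample files below are constructed."""
import ipaddress
import re

def parse_sshd_config(text):
    """Return {keyword_lowercased: value}.  Keywords are case-insensitive, the
    first occurrence wins, and parsing stops at a Match block because everything
    after it is conditional."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf

def lint_sshd_config(text):
    """List what still differs from the hardened state described in the post."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no' (unset meant yes on OpenSSH of that era)")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every local account may try to log in")
    if conf.get("loglevel", "INFO").upper() != "VERBOSE":
        findings.append("LogLevel is not VERBOSE: fewer details per failed login")
    if conf.get("port", "22") == "22":
        findings.append("Port is the default 22 (the post moves it)")
    if "1" in conf.get("protocol", "1").split(","):
        findings.append("Protocol not explicitly pinned to 2: SSH-1 may be offered")
    return findings

def _client_matches(pattern, ip):
    """hosts_access(5) client forms handled here: ALL, an exact address, a
    trailing-dot prefix such as 192.168.1., and net/mask in dotted or /nn form.
    Hostname patterns and EXCEPT are not handled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _file_matches(text, daemon, ip):
    """Does any 'daemon_list : client_list' line in this file match?"""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemon in daemons or "ALL" in daemons:
            if any(_client_matches(c, ip) for c in clients):
                return True
    return False

def tcp_wrappers_decision(daemon, ip, hosts_allow, hosts_deny):
    """hosts_access order: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise the connection is allowed.  That final default is
    why hosts.deny needs the 'sshd: ALL' catch-all."""
    if _file_matches(hosts_allow, daemon, ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, ip):
        return "deny"
    return "allow"

# Constructed samples: a stock-looking config and the post's hardened one.
WEAK_SSHD = """Port 22
Protocol 2,1
PermitRootLogin yes
LogLevel INFO
"""
HARD_SSHD = """Port 2222
Protocol 2
PermitRootLogin no
LogLevel VERBOSE
AllowUsers michael
"""
HOSTS_ALLOW = "sshd: 10.10.10.0/255.255.255.0\nsshd: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARD_SSHD)):
        print(name, lint_sshd_config(cfg) or "ok")
    for ip in ("10.10.10.7", "172.16.0.9"):
        print(ip, tcp_wrappers_decision("sshd", ip, HOSTS_ALLOW, HOSTS_DENY))
```

Run it against the real files with `lint_sshd_config(open("/etc/ssh/sshd_config").read())` before restarting sshd, and remember that the wrappers evaluator only covers the address forms shown; hostname patterns depend on reverse DNS, which is one more reason to stick to address ranges in these files.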
Referenced Tolero.org for the pam-abl install. I also note an Ubuntu help file.
passive network mapping from cisco
For future reference, Cisco released a passive network mapping tool called SMART, Safe Network Mapping And Reporting Tool.
skype outage blamed on windows reboots…yeah right
Skype was down late last week for about 3 days or so. And not just every single user, but also downloads of the software on their site. This was supposedly due to a software algorithm update or something like that. Today I read this was due to the massive reboot of Microsoft Windows computers the night previous. TheRegister also has some info up, and is a little more cohesive.
I call bullshit. This is curiously close to PoC code released that supposedly (I say that because I’ve not tested it, nor could anyone else since the servers were down) would freeze a Skype server, then move to the next one, and so on. It was posted to SecurityLabs.ru. If true, that is certainly a critical, fatal flaw.
1. A security issue to Skype would be a very, very big deal. One of the biggest contention points with Skype use is its security. I’d do everything in my power as well to protect that, such as shut off all servers and all users and all downloads in an effort to hide the insecurity issue.
2. The Windows reboot shouldn’t have occurred as late as it seemed like Skype was down. The reboot should occur Tuesday evenings in the dead of night, for automatic users, and at various times. I don’t think Skype was down until Thursday…
3. Why now? Why this month? Why not the last few months?
4. And Skype is going to tell us that a mass reboot of users exposed a vulnerability in the availability of their world class system? You have really got to be kidding me… But as much as that can be egg on their face, I would weigh that less than a security incident. Nonetheless, I can’t imagine the overhead of reconnecting to Skype truly caused such a showstopping event on the service’s login servers. I wonder how many Skypes get turned on every morning anyway?
Ever informative, the Internet Storm Center has an ongoing post which raises similar questions and more. I really like the thought that Skype needs Windows users to log in, so that means all these millions of users all had their machine auto-login? Again, right.
wireshark dos can lead to a more aggressive defense
Someday (not soon!) I’ll likely satisfy a curious project of mine in making a more aggressively defensive network. And vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of how a network can be made slightly more dangerous to interlopers. Anyone sniffing with an outdated Wireshark while I periodically send out these packets won’t get very far, especially anyone who uses live CDs with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.
hackerspaces
Networking is amazingly potent right now in our field. We have an amazingly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.
This has been growing on me, and I am enamored by the concept. Dan Kaminsky has been espousing the idea of “hackerspaces” on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, fraternize, and all in a creative and supportive environment. Basically if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone’s basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a “networking-starved” middle of the country.
Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! 🙂
I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices (either cleanly or cluttered and dark!) at home in a way that best suits our work and helps our creativity. For instance, I tend to have black lights and other glowing things in lieu of lights (along with the glow of monitors, of course) in my workspace.
As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.
fully upgraded to ubuntu 7.04 feisty
Last night I finally moved my last (and main laptop) system up to Ubuntu 7.04 (Feisty). The install was painless. Started up the Update Manager, clicked the button to upgrade to 7.04, waited about 40 minutes where I also had to click Ok/Accept/Forward a couple times, and that was it.
I upgraded for a few reasons. First, some things I wanted to get working on my laptop were (supposedly) easily fixed in Feisty, but still overly complicated on Edgy, including using Silc/Tor with IRSSI and OpenVPN client management. Second, I believe in keeping software as updated as possible (within bleeding edge reasons, of course). You don’t want to ever be left behind with unsupported (or unloved!) software that has reduced functionality. It’s a lot like living in the past.
easy cisco vpn client priv escalation vuln
The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) is writable by an ordinary user, who can replace it with something else and have it executed with Local System privs. Replace it with a quick script that launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That’s a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.
More information is posted on Cisco’s site. I saw this pass by the Full-Disclosure list. Local priv escalations don’t get much easier…