Managing security from a data-centric point of view is like herding cats. Rambunctious cats. Cats that want to be free. Cats that spontaneously multiply. Like tribbles.

I was thinking today about how interesting something like a centralized Office suite (such as Google Apps) when it comes to making sure people are not distributing your data wantonly. For instance, how often have you seen the sales exec who has access to sensitive information in a file share forward on a copy of that document to his reports via email. Reports who shouldn’t be seeing that stuff?

This brings me to thinking about data security a bit more. Often I see people talk about the two obvious pieces: Data At Rest and Data In Motion. These are pretty obvious. Data At Rest deals much with access permissions and encryption. Data In Motion deals with encryption of the channel over which data is transmitted.

But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake. Can they open a doc and recite the numbers to someone over the phone or take photos of it? Yes, tough if not impossible to fully stop, but a concern nonetheless? (Yes, it is arguable whether we should spend time thinking about the unfixable…)

You know, the corporate world was once a terminal environment with centralized computing. We’ve moved on from that, but so far lots of our issues can be solved with tightening back into centralized computing. We don’t like to think that way, but it’s true.

The two caveats in centralized computing? The mobility trend. The fact that users are also consumers and are used to having “the power” on their computer systems at home.

Want to RDP not into your own session, but into the existing console session? Yeah, me too, and I always seem to forget this Run command for Windows:

mstsc /v:SERVER-OR-IP /console

From Windows Incident Response I was reminded about fe3d, a 3d visualization tool for nmap scans. While possibly not very practical, it does make for feel-good eye candy in a dark room or when someone is watching you that you want to impress (managers!). The timeline on this project only goes back a few months, but I swear I saw this tool a couple years ago.

Every now and then I like posting about new and coming technologies or things that budding (or bored!) security persons can look into to get a leg up on other professionals. While I may not have bandwidth myself, I can at least identify them for my own reference or anyone else as well.

Vista. While lots of people are resisting Vista as not an entirely necessary upgrade, this is, quite frankly, the future of Windows computing. It might not be even next year, but at some point all of us will be forced to update to Vista, either to dropped support for XP or simply because all our home users’ new computers come with it installed…then remote access needs updated, QA needs test machines, web sites need to work…and so on until you have to adopt it. So get Vista today, be aware of the licensing and versions, figure out the nuances of wireless and wired and security concepts in Vista, and tinker with supporting it on a wide scale (scripts, GPO, firewall, etc). May as well start now and get moved otherwise you’ll be like me where I still run Win2000 laptops (ok ok, so I like the non-hassle of Genuine Advantage license checks that don’t exist for Win2000 and the smaller resources footprint on my old laptops…). Nonethless, it may be years away, but rest assured someday Vista will be the standard.

Macs. Macs have long been on the fringe of corporate networks, likely only used by graphics or designers. They are exceptions in corporate policy and management and typically corporate IT have no Mac experts and leave management to third party contractors or the users themselves. As Macs continue to make headway into home users (and especially security people like us) it makes sense that we become Mac-aware enough to support those users and add that to our corporate IT merit badges. Like I said, few IT geeks really can support the Macs, so one-up the rest and learn them. As a bonus, try to figure out how to make sure your monitoring and systems management can become Mac-friendly so they’re not always the exceptions to the rules.

Get on top of Longhorn now. While slated for the ever-skeptical release date of early 2008 now, like Vista, it will eventually be the de facto standard, for better or worse. Likewise, get ready for Powershell, Windows upcoming enhanced shell experience (which will also be the primary means to manage Exchange 2007).

This is one of the challenges of being an IT geek. You can’t just learn Windows 98 inside and out and hope to stick with it forever. You gotta be ready to move with the world and learn new things rather than sit back and cling to the past. Ask any mainframer from the 80s and 90s who doesn’t get to work on mainframes anymore…

I don’t typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is “market bandwidth” for sites that show off tools or “how-to” sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections ( I think if you’re going to this much trouble, may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and “recovering” Firefox stored passwords. There’s also mention of pwdumpx (not to be confused with pwdump or even fgdump…

Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn’t smack of an extremist and very dramatic “I’m not here to listen to rebuttals” tone, then I don’t know what would.

I held my comments, and instead wanted to hear Noam’s follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, “Racism is bad, yeah, let’s all get violently upset that racism is bad!” and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.

Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, “How can we fix this?” he offers, “Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your commends and feedback.” Honestly, this sounded half like he was going to use other people’s suggestions to formulate his own; Shady.

Sadly, the follow-up I had hoped for was not to be.

Instead, Noam’s follow-up consisted of some “Yay, people agree with me!” at the start, and then dogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2 factor authentication for gmail and hotmail…). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don’t all have those, but maybe not quite so useless and attention-pleading).

I am overall disappointed with this approach. I don’t argue that the general feeling of Noam’s article is wrong. I think we do have problems and issues, although I’m not sure we have a total failure. I had much more to say about the article, but I don’t feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:

1) You can’t use stats to measure something that is as a whole growing; you have to wait for a platuea to get meaninful stats, or perhaps ratios.

2) Noam’s expectations may not be reasonable as he implies that people should feel safe doing “normal and common” stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving arbitrarily forward.

3) I wonder what state we’d be in if we didn’t have what security we do have now?

4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.

Turn Firefox into spyware! I saw Xavier Ashe post about FFsniFF which is an extension for Firefox. It will not display itself in the extensions list, wait for HTML forms to be submitted, and email the contents of that submitted form to some email address. On one hand this makes me say, “What the crap…?” On the other, I could pilfer info from a lot of people who otherwise trust Firefox as their browser. While I might need admin rights to install keyloggers, I wonder if I could install this extension as a normal user? I guess this might not be a huge deal as there are browser password managers galore anyway, and they have to get those passwords somehow, but FFsniFF still seems very shady…

If you do much work using Ubuntu and multiple computers, you may have noticed when using vncviewer to remotely connect to a system with a higher screen resolution, you’ll get these annoying black scrollbars. These bars seem to only scroll in one direction and then never scroll again, right?

Well, wrong. Turns out these bars do work, you just have to right-click to move the bars the other direction. Middle mouse button will work them in either direction. That’s just weird and I’d rather not deal with it.

There is another solution. On your client system, go to your repositories or otherwise apt-get xvnc4viewer. This will fix those dang scrollbars. As a bonus, this seems to replace any vncviewer apps you have on the Ubuntu client. If you type vncviewer, you get xvnc4viewer. If you click Applications->Internet->Terminal Server Client and attempt a VNC connection here, you also get xvnc4server. Nice!

An article about a Cisco FTP vulnerability caught my eye today. The article gave little detail, so I checked with Secunia and sure enough saw an advisory. That’s an interesting vulnerability (impacting, but not enabled by default…so not the holy grail of network hacking), and I would hope good admins have taken some measures to already mitigate or avoid this issue.

First, don’t use the FTP server. I’d rather use an external TFTP server as opposed to one on the router itself. Second, even if the config is disclosed, limit the damage by making sure your enable and enable secret passwords are different, as are the SNMP strings and other access passwords that may be disclosed in the config. Also make sure they’re all different across other routers (minus the SNMP string of course). Third, update your IOS, of course, and hope that Cisco puts in a (long overdue) SCP/SFTP solution sooner than later.

Of additional note, I’m still itching to get my hands on the Hacking Exposed: Cisco Networks book. It taunts me weekly from the bookstore shelf, but I just don’t want to get too confused as I am hitting the running strides of my study for CCNA (which I will take in late May or early June).

Tonight I finally got around to installing vmware server on my new vmware box. I used a couple sites as my guides. Ever since starting Linux, I’ve learned to keep “journals” about what I’ve installed and the voodoo needed to get some things working for future reference. I’m getting better about putting my notes down into a more polished form early, but I still might get one or two things wrong here. I’ll try to update as needed, but I suspect eventually these notes will just get ported over to the wiki.

I needed to install a few dependencies first since this is a fresh Ubuntu 6.10 install.

sudo apt-get install xinetd
sudo apt-get install linux-headers-`uname -r` build-essential

this folder will be used to hold the vms:

mkdir /var/vm

Download both files (server and management user interface) into a temp folder get a registration key while on the site. This is free and doesn’t require any valid information, not even email. The key will appear after submitting the form (the sales teams must love that!).

tar xvfz VMware-server-*.tar.gz
cd vmware-server-distrib
sudo ./vmware-install.pl

I answer /var/vm as the location for virtual machines. I also answer “no” for NAT or host-only networking (leaving me with bridged mode) as I really just want my VMs to be grabbing an IP off my network and have full access out to the Internet (at least on this machine).

Next is the MUI.

tar xvfz VMware-mui-*.tar.gz
cd vmware-mui-distrib
sudon ./vmware-install.pl

All defaults for the MUI. This should fail to start the httpd server at the end and needs a patch.

cd /tmp
wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
cd /
sudo patch -b -p0 < /tmp/httpd.vmware.diff
sudo /etc/init.d/httpd.vmware start

This is the location once it has started: https://localhost:8333.

To create VM, you will need to use the console (not the MUI) by heading over to Applications->System Tools->VMWare Server Console in the kicker.

I’ve not hid my support for the forum (or BBS) format of information exchange; in fact, I think it is one of the best formats when actively used. While I may not participate, I figured I would help post around about a new forum that is trying things out: McGrew Security BBS. We’ll see where this goes and if I find the time to participate, as it is that first year that is the most important (and hardest) for any forum to endure; kinda like trying to siphon water. You have to work at it until it becomes moreorless a self-sustaining conduit of incoming content and people.

Just for reference, a question about where to go for tutorials on Metasploit was recently posted to the pen-test mailing list on SecurityFocus. Here are some of the responses. At some point I need to explore this silc channel…

Metasploit (wiki)Book
Offensive Security 101
Metasploit Toolkit (Syngress)
milw0rm videos
IronGeek video
Tyler’s videos