truth and wisdom with age

I speak truth, not so much as I would, but as much as I dare; and I dare a little the more, as I grow older. -Michel de Montaigne.

If you’ve ever visited my personal site, you probably picked up that I collect and love meaningful quotes (the more zen the better!). This one came up today and reminds me of Bruce’s little speech in recent weeks.

powershell: working with file permissions

For my Powershell moment today, I have been working with setting file permissions. I had a problem trying to get permissions changes made to one folder to propagate down to all child items. I didn’t really want to wipe out anything below, and I wasn’t using any SDDL creation/twiddling approaches this time. Just a simple AddAccessRule that needed to be pushed down to all subfolders and files and still be marked as inherited.

I finally found a solution by pulling the ACL from each child item, doing a SetAccessRuleProtection($false,$true) and then setting the ACL back onto the child item. This basically seems to force the ACL to be refreshed, which then pulls down stuff that should be inherited.

$strTarget = 'D:\Shares\Projects'   # placeholder: the folder whose ACL you just changed
# Walk every child item and re-apply inheritance so the parent's new rule comes down.
foreach ($i in Get-ChildItem $strTarget -Recurse -Force)
{
    $objNewACL = Get-Acl $i.FullName
    # $false: allow inheritance from the parent again; $true: keep the child's own explicit rules
    $objNewACL.SetAccessRuleProtection($false, $true)
    Set-Acl $i.FullName -AclObject $objNewACL
}
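The whole sequence end to end, as an added example that is not the original post's script: build a FileSystemAccessRule with the inheritance flags set so child folders and files are meant to pick it up, add it to the parent, run the refresh loop from the post, and then verify that every child actually carries an inherited entry. The folder path and the group name are assumptions; change them before running.

```powershell
# Added example (not the original post's code).  $Target and $Identity are assumed values.
$Target   = 'D:\Shares\Projects'          # assumed: folder receiving the new permission
$Identity = 'CONTOSO\ProjectEditors'      # assumed: group to grant Modify to

# ContainerInherit + ObjectInherit = subfolders and files inherit this ACE;
# PropagationFlags None = the rule applies to the parent itself as well.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 1. Add the rule to the parent folder only.
$acl = Get-Acl -Path $Target
$acl.AddAccessRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 2. Refresh each child: re-enable inheritance ($false) while keeping its explicit rules ($true).
Get-ChildItem -Path $Target -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -Path $_.FullName
    $childAcl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $_.FullName -AclObject $childAcl
}

# 3. Verify: warn about any child that still has no inherited ACE for the group.
$missing = 0
Get-ChildItem -Path $Target -Recurse -Force | ForEach-Object {
    $inherited = (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.IsInherited }
    if (-not $inherited) {
        $missing++
        Write-Warning "No inherited ACE for $Identity on $($_.FullName)"
    }
}
Write-Host "Children checked; $missing without an inherited entry for $Identity."
```

Step 3 is the part worth keeping around: a child that was previously marked as protected (inheritance disabled) is the usual reason a rule never shows up below the parent, and the warning tells you exactly which paths still need attention rather than trusting that the loop did its job.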

staying anonymous – part 3 email

email (mailing lists) – Email is an important validator of people versus bots. It is also an excellent means to communicate with others and peruse email mailing lists which have some of the most traffic and information sharing of any method presented. However, you certainly do not want to use your own mail address from work, home, school, or even your own home server if you want to preserve your anonymity. Sign up for Google’s Gmail and create an anonymous account.

Do not set up POP3/SMTP on your normal mail client and instead stick solely to the web interface using a non-IE browser that is diligently patched. Using your own client may tempt you to reply, and not every email service is necessarily anonymous when you send your email directly from a client application.

Don’t send your “real” email accounts mail from this anonymous one; don’t send yourself test emails; don’t forward away from this email. Instead, copy-n-paste or test your anonymity using another anonymous mail source that allows you to view full headers. Hotmail, Yahoo, and Hushmail are other choices, although the latter either requires money or it will lock your account if you don’t log in for 3 weeks. If someone gets into your super secret email account, you don’t want your Sent items to give you away (and vice versa if you lose control of your personal account).

For some mailing lists, such as SecurityFocus, you can post replies via a web form (depending on the moderation of the list, you might have to at least provide a valid “on-the-list-already” email address). But at least this way you can check your mailing list anywhere, and always post under one address, or through a web proxy to hide your originating IP.

I also highly recommend finding a favorite throw-away email box. Pookmail is my preferred disposable (yes, I’m dropping Google search terms!) email service. You send an email with a reply address or somethingunique@pookmail.com, wait for a reply and pick it up at the website. Granted, this has zero expectation of privacy, but at least you can use this as a throw-away address. I use this when signing up for software trials and downloads and junk that require a valid email.

web app sec testing sites

Saw this on the SecurityFocus pen-testers mailing list and thought I would capture them here for future reference. These are some sites/tools to help evaluate web app security scanner tools.

SPI Dynamics zero.webappsecurity.com
Cenzic crackme.cenzic.com
Foundstone SASS tools
OWASP WebGoat
OWASP SiteGenerator
Watchfire demo site
Acunetix php test site

Typically, lots of the online “hack me” or “hacker challenge” sites like some in my right menu list tend to touch on web-borne “hacks” for their challenges as opposed to anything else. May get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.

bruce on not needing a security industry

I’ve seen plenty about what Bruce Schneier said recently along with the feedback. Rather than address the content directly, I just want to say that eventually, many experts become nearly an establishment in themselves. Eventually they can say big, extreme things, and rather than be pissed away like some angry kid, they instead influence. Or at least make a valid point in their extreme. They kinda become those half-senile curmudgeons that are important enough that people listen to everything they say. He can say big things and doesn’t mind if everyone else uses his words as a boilerplate.

Now, that’s not a criticism. I don’t think that is bad at all. But I think that when a lot of people my age get to be Bruce’s age with a similar long background in this field, we might also see new things or futility in old things and say stuff that might be seen by others as a bit far-fetched. But I think his extreme approach is just a direct relationship to his notoriety and influence.

For some reason, I really wanted to work a quote in here as my mind drifted from establishment to institution. Anyway, I’ll force the quote in anyway, “No, I want you to set a fire so goddamn big the gods will notice us again, that’s what I’m saying. I want all you boys to look me straight in the eye one more time and say, ‘Are we having fun or what?'”

on not being you

So, we have an intarweb that lets us post all sorts of zany things all over the place, from a ratty MySpace page to a litany of comments on news clippings and blogs and forums.

I know Dan Morrill talks now and then about making sure an employer Googles prospective employees. But what if someone has been posting using your name in various places? For instance, I make little to no effort to mask my online moniker, LonerVamp. But what if someone started using that name maliciously and posting hate and other garbage around that eventually gets indexed?

vmware box is alive

Phew! Swapped out my Radeon 9500 card for an equally pricey (haha!) Diamond Radeon X550 and my vmware box has signs of life. In fact, the signs were so good that I finished mounting the parts, finished up the cabling, and powered on long enough to make sure Ubuntu 6.04 loaded from CD and saw everything. Good deal!

the sysadmin ultimately exists to support the business

In response to the 7 things sysadmins forget, Rebecca Herold commented and I wanted to pull it out for a separate post.

Forgetting that their sys admin job ultimately exists to support the business

No kidding! I think there are three mindsets when it comes to sysadmins (and really, IT/business in general).

1. Sysadmins who understand this concept and make decisions themselves on how their job relates to the business.

I consider these sysadmins to be empowered admins who understand their job. They can prioritize their time and make decisions frequently on their own that really do benefit the company and their own role. The sysadmin with this mindset tends to perform risk assessment and decision-making in her head and can sometimes be seen as making rash (but hopefully accurate) decisions.

2. Sysadmins who don’t care about this question and instead defer this layer of involvement in the business to their boss.

Sysadmins at this stage seem to need lots of things escalated to their manager, even when small ticket requests have slightly larger implications. They do their job well, give a nice point to their manager on their views, but ultimately let someone else make a decision for them. Some sysadmins may get forced into this position based on the company and managers they interact with. When bureaucracy does not exist, this may be a result of lack of respect and trust given to the sysadmin such that he is not allowed to make his own decisions. Other times, this is just the style the business prefers.

3. Sysadmins who forget this all the time and really think the business exists to serve their job, or better yet, they only see their job as being ultimately important.

These sysadmins are typified by saying secure this secure that, even if it impacts business negatively. They make decisions based on their job only. Sometimes this is good, especially in a large corporation where you only really have a small slice to make decisions around anyway, but typically this is a negative mindset where the admin is likely never feeling fulfilled and really never fully gets his way…ever.

I think it would be beneficial to see which sysadmin one is, and what sysadmin the company nurtures. Even something as simple as me being a #2 sysadmin but in a #1 company can lead to unhappiness and underperformance. For instance, I like making decisions quickly on my own about what security and IT initiatives to do and how to do them, but if I am in a company where my boss and other managers hate that, I likely won’t be very effective and we might all end up turning in sourpusses over time.

corporate cyber espionage is still in its infancy

A good friend of mine and I were talking this weekend and the topic came up of corporate (and beyond) cyber espionage only just starting to be a force. I really believe that as more and more people have insecurity skills and our society continues to become more digitally dependent on information as our lifeblood in business, corporate espionage (which really has always been around) will only become more and more prevalent.

I wonder how many corporations (truly!) think it would be moral/immoral to:

1) Do some cyber “recon” at tradeshows on your competitors. Or maybe just DoS them during their demos? (active and passive attacks)

2) Hire some group to perform a DoS against a competitor’s website/service during a particularly important moment.

3) Perform recon to continually footprint and find systems and sensitive information. Do you know how often a company can give away new projects just by their public DNS entries?

4) Perform dumpster diving regularly?

5) Feel ok with profiling and possibly probing employees’ home networks (particularly wireless)? Think c-levels and remote sales, for starters.

6) Send malicious emails to targeted persons in a rival company hoping to root the system? Do you know how quickly someone running as local admin can have a malicious program installed which can then sniff and or grab email account passwords for very important people and then send it back to someone who can log into webmail whenever they want?

7) Try to guess some webmail passwords of important people?

8) Pay for someone who has information about a rival because this person just sits at major airports and attempts wireless attacks against travelers, looking for juicy connections and info to sell?

I really think this is only going to get worse and much more commonplace. Besides, much of this stuff is still way too easy to perform, and in a way that is still way too anonymous. And I think anyone who has been online any amount of time knows that laws are more “easily” broken when you’re not standing in front of a police officer. Physical presence is a barrier that most often protects our physical safety, but that deterrent is completely absent online.

tjx breach instigated through insecure wireless

It sounds like someone traced the TJX breach back to a store in Minnesota that employed WEP as their only(?) protection for their wireless system. While this is a simplistic announcement, it certainly is not the whole story.

This illustrates how just one weak part of a huge network (or business) like TJX can bring the whole thing down. You can roll out secured (?) wireless to 1,000 stores, but it just takes one store whose manager doesn’t quite understand the technology (should they really, though?) or one overlooked site by the techs doing the setup and you suddenly become a part of security and business history.

I also wonder where the layered protections were. Did this Minnesota store get automatically bridged into the corporate network that had access to all this sensitive data whizzing by? Did no one have any logs or tripwires up on anything to monitor access? How well did the attackers cloak themselves to look like innocuous or expected systems? Was anyone watching the wireless access logs, or anomalies in data collection/transfer that most probably occurred?

I see that the article mentions software patching was lax. I see that employee logins were sniffed (NTLM or clear text to proprietary system?). Sadly, for as much as we need details to improve security both at TJX and with PCI auditors (and the rest of us!), this is so costly that I doubt we hear more details for years until the courts release it. Did they ever rotate wireless passphrases? What was the real need for wireless in the first place?

So let’s say I’m in Minnesota and see a Marshall’s using WEP on their wireless network. I crack WEP and do some testing and practice some patience to make sure no one’s watching the access and that I don’t trip any IDS. Eventually I get comfortable enough to log onto the network and perform some stealth scans to see what I can see. I bet I can see a lot, including some unpatched machines which I can get a foothold into (in a best case scenario for me, I might just be right on the full corporate network through some dedicated VPN setup). This pretty much shows me that admins at TJX aren’t quite as diligent as they should be, which can put me and my cohorts at ease. From there, I can sniff on systems I own and pilfer what I can. Lack of software patching standards probably mean shared passwords everywhere too.

Blah blah blah…there’s plenty of places where TJX should have detected and or slowed down these attackers. Death by a 1000 cuts is becoming a pet phrase of mine…

evading and detecting wireless ids systems

David Maynor recently caught some attention by being critical of how AirTight protects a wireless network from rogue APs (and clients). I’ll let the link speak for itself on that, as well as the AirTight CTO’s take in the comments section of a post on Andrew Hay’s site (and Mike Rothman’s for that matter).

What I found even more intriguing was the link to a 2005 paper from Joshua Wright discussing the flaws and details in wireless IDS/IPS methods of containing rogue wireless clients. Joshua Wright has an amazing ability in his papers to write very clearly and plainly, making the information easy to follow, and while the paper comes in only at 17 pages, I thought I would paraphrase his key points a bit in this post.

  • Wireless IDS detect and then try to disassociate/deauthenticate (deauth from here on) rogue clients.
  • Some try to send deauth frames to the clients; some also send them to the appropriate access point.
  • Some just vomit out deauth frames, others are more timed to respond efficiently.
  • The deauth mechanism is not set in stone, meaning implementation of frames can be done many ways. This combined with the various features means an attacker can detect and fingerprint a wireless IDS to better attack/evade it.
  • Detection/fingerprinting can be done via sequence number anomalies in the frames. Some vendors have set sequence numbers. Sometimes sequence numbers can be noticed as different between the wireless IDS frames and the real AP frames.
  • Detection/fingerprinting can be done via disconnect notice bit anomalies.
  • Detection/fingerprinting can be done by watching access point traffic in relation to deauth frames. If an AP really did issue a deauth, it wouldn’t overlap that with assoc or other frames. If an IDS did the deauth, the AP’s frames may overlap, giving away the IDS.
  • Detection can be done by comparing the signal strength bits of deauth and normal frames. Deauths of a different signal strength can give away the IDS presence.
  • An attacker can sometimes slip data into a network by slipping in between deauths that are spaced too far apart. Some vendors allow this to be variable or simply leave more time in between deauths so as not to further saturate the wireless media.
  • An attacker can modify his wireless drivers to ignore deauth frames such that if an IDS only sends deauths to the client and not the AP, the connection is never torn down because the client takes no action.

Check the paper for more details, including patching madwifi drivers to ignore deauths.

seven things sysadmins forget to do

Lists by IT guys cum journalists can be pretty interesting things. Either they’re obvious junk or sometimes just plain wrong. I eagerly checked out this link Marcin sent me about 7 things sysadmins forget to do thinking it would be pretty stupid. I was pleasantly surprised with a few of the items. Here are some of my comments.

1. Forgetting to Delete a Former User’s Account – This is one of those obvious ones, but I will defend poor sysadmins like myself and say that we don’t just willy-nilly disable user accounts, even if we hear gossip that someone left. Too often, account disabling is not a breakdown of sysadmins, but a breakdown in the process of notifying sysadmins that someone has left. I really hate hearing someone “left 3 weeks ago” through the grapevine. (Or conversely, that “I have someone starting tomorrow morning…”) Maybe in huge environments things like identity management should be looked at to solve this issue, but in smaller or medium environments, I really think HR and IT just need to make sure there is a process for account notification that is followed. In the end, all the sysadmin lists and processes are naught if no one says so-and-so is gone.

2. Forgetting to Regularly Search for Rootkits – Ok, this is just kind of a weird one. I don’t think I’ve ever “forgotten” to search for a rootkit so much as I just don’t look for them, or if a system is so obviously overrun it gets reformatted rather than spend more time on it.

I think the author has good points about how to mitigate rootkits and detect them, but seriously, how many admins put forth that much effort? Rootkits are the Harry Potters of the corporate IT household. They want to be kept under the stairs or up in their room and ignored and not dealt with…and for good reason. It is almost like having mice in your building. You can put out some traps, but really, no one is going to bother much with tearing up the walls trying to find their homes.

I sound kinda defeatist here, but the effort to find and protect against rootkits is a big investment, really. I just think this isn’t so much forgotten as it is just chosen not to be done.

3. Forgetting to Use a Trouble Ticket Tracking System – Here’s a personal bit about me: I’m a stickler about documentation and the sharing of information. There is too often a HUGE amount of organizational knowledge that leaves when an IT worker leaves a position. That shouldn’t be the case, they should keep things documented for someone else to reference.

A trouble ticket system is part of that. If I know I’ve worked on something before, I want to be able to search the tickets and see what remediation occurred previously. I think some of this comes from my science background where experiments have to be documented such that someone else can recreate your findings. That’s a big part of what a ticket system is to me.

Not only that, but it can be used to audit changes and requests. If Sally requested file server permission changes and was authorized to do so, but made a stupid request that caused data loss, that can be traced back to her ticket and the information in it. I also feel that, as a heavily-worked IT guy (and later on in my career, likely a manager of some sort), the ticket system is a natural means to track work loads and inefficiencies and reduce forgetfulness. Unless a ticket system has no means for internal notes (things not sent back to the requester) I really hate, hate, HATE to see tickets answered with, “Done,” and absolutely no details on what was done…

There is one caveat to this, however, and would be Needy Users who have Stupid Questions but they insist on asking in person or calling in about them when their deadline is 1 hour away. Often, it might not be sysadmins who forget to use the ticket system, but users who bypass the ticket system to saddle IT with work requests. Sysadmins are then left to hopefully remember to put in the ticket themselves.

4. Forgetting to Set Up Technical Documentation and Creating a Knowledge Base – Based on my notes above, it’s pretty obvious this is a sticking point with me as well. I deeply believe in the need for clear, effective documentation and maybe even a knowledge base. This should occur in IT shops of 1 person or 1,000 people. Even if I don’t plan on leaving a job, there are always systems and processes that occur every 6 months or longer, and I hate to get to those points and not remember what to do. Referencing documentation helps speed up memory, get the tasks done efficiently, and improves consistency by not forgetting steps or retracing old mistakes. This can even be part of a DR/BCP or backup strategy, where network diagrams, IP distributions, config files, and other settings are documented somewhere for use in continuing the business in the case of large or small issues.

5. Forgetting the Risks of Flash Memory Drives – This also falls into “I didn’t forget it, we just don’t do this” category. By now, I really think everyone knows the issues with USB drives. They can introduce things not wanted and are a vehicle for data egress. You’ll notice the author gives not even a single sentence on how to address this or what approach could be taken. There’s likely a reason for that. Many people either don’t know how to manage USB devices (do you know how to stop USB drives but allow USB mice/keyboards?) or can’t get senior management to back the blocking of ports. Ever try to block USB/Firewire ports and have all the ipod users mutiny? Ever try to justify buying a certain USB brand for “official” use and tell people their personal ones won’t work? This isn’t so much forgotten as it is just not a battle to be fought or teams lack the knowledge to truly tackle it. There are far easier fires for most sysadmins to fight right now. The coming years should hopefully make tools to do these things easier for us admins, but they won’t be getting cheaper or easier on the workforce at large, unfortunately.

Of note, for anyone who wants to limit USB drives, did you also limit floppy drives back in the day? Do you limit CD drives now? What is your basis for managing those differently? Honestly, USB drives can be argued to simply be part of our culture now, just like cell phones and the compact disc. Just be aware of that when trying to limit them and how that might affect employee happiness aka productivity, especially if your business is not subject to stringent regulations about tracking data egress.
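One answer to the “stop USB drives but allow USB mice/keyboards” question, as an added example and not something from the post or the article it discusses: USB mass storage goes through the USBSTOR driver, while keyboards and mice go through the HID class driver, so disabling the USBSTOR service (Start = 4) blocks thumb drives without touching input devices. The -Disable switch is this script’s own invention; run it from an elevated prompt.

```powershell
# Added example (not from the original post).  -Disable is this script's own switch.
param([switch]$Disable)

$UsbStorKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$StartDisabled = 4   # SERVICE_DISABLED: the USB mass storage driver never loads
$StartOnDemand = 3   # SERVICE_DEMAND_START: the default, thumb drives mount normally

function Get-UsbStorageState {
    # Read the service start type and translate it for the report
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq $StartDisabled) { 'Blocked' } else { "Allowed (Start=$start)" }
}

Write-Host "USB mass storage is currently: $(Get-UsbStorageState)"

if ($Disable) {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $StartDisabled -Type DWord
    Write-Host "USB mass storage is now: $(Get-UsbStorageState)"
    # The running driver is not unloaded; a drive that is already plugged in keeps
    # working until it is removed, after which it will no longer mount.
    Write-Host 'Already-mounted drives stay up until unplugged; new ones will not mount.'
}
```

Reverting is a matter of setting Start back to 3, which is also the weakness of this approach: anyone running as local admin (as the post notes many users still do) can flip it back. On a domain, pushing the same restriction through Group Policy (the Removable Storage Access policies on Vista and later) re-applies it on every refresh and leaves an audit trail of who changed what.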

6. Forgetting to Manage Partial Root Access – I don’t really have anything to say here.

7. Forgetting Courtesy – This is a mixed bag with me. I agree, courtesy needs to be extended in a company, not just from IT, but from everyone. Each company is really just one big team trying to work together to do Great Things, but too often that courtesy breaks down somewhere, and that little ghost of rudeness gets passed around like a flatulence cloud that hovers and moves unexpectedly.

Yes, some IT guys are just rude and give evil looks when asked to assist with something. But I’ve often seen and felt that some of that rudeness is not something IT guys inherently do, but have been trained to do by poor management or abusive users. How many IT guys have tried to do the right thing by helping people, only to get sucked into tasks that aren’t their responsibility just because they happened to make eye contact at the wrong time or try to help someone else?

At my last job, we had an HR director who needed regular help with her computer. I gladly stepped up and enthusiastically helped her early on. But she was one of those people who cannot be satisfactorily helped unless you do her job for her. Sadly, I couldn’t do that, and some of the things she wanted were simply not even possible. She became the “oh god, don’t help her, don’t get involved because you can’t win! Even if you win, she’ll eventually get you to do things that you just can’t do and then you’re in the shitter!” IT support nightmares. In fact, I think every IT guy at that company who has tried has either left that company or is still in the shitter with her (and being in HR, you know what that means…). (Hell, I even got in trouble once because she asked me to rewire an electrical outlet and I said that needed to be done by a qualified outside contractor that the CFO would set up…)

Too often I really think IT guys are conditioned to be evil eye guys and this is as much a reflection on the corporate culture and their managers as it may be their inherent personality. Some people are assholes, but a lot of us are not.

(By the way, a lot of us IT guys have a ton of things to think about as we walk the halls to get from one place to another; we’re often thinking about some problem or improvement, so if you stop us in the middle of the hall with some Stupid User Question and get a queer look, that just might be us trying to switch into help mode or tie off our internal thoughts to properly come back to them later. Or we know that Needy User has just circumvented the aforementioned ticket system by asking us in person, and will give us his own Evil Look when we plead that he make a ticket request since we’re currently in the middle of something for More Important Needy User…it’s a no win situation for us sometimes.)

flogviewer

I’ve posted about baretail previously as a tail program for Windows, but now I see there is a similar tool with some more functionality to it. fLogViewer picks up and runs with the “Windows way” by taking a simple tool and putting more and more features onto it (note: Yes, I am fairly sarcastic there, but the features are appreciated nonetheless!). I kinda like this tool, although the necessity of an install and the way it uses some older system files than what I have on my XP system anyway are detractors to replacing baretail with fLogViewer.