openssl basics

I like the idea of posting regularly the things that I’ve learned. I’ve long put off getting SSL on this site, but I think I need to get with it to secure what few logins I have (which I only use at work and home anyway…). Curiously, this week I’ve been working with SSL at work, so I learned a few things running OpenSSL. Here are the basics. (technically I relearned this since I’ve done this all years back, but had to look it all up again anyway…)

To split an exported private key/certificate from IIS (.pfx format) into a more readable format:

openssl pkcs12 -nodes -in exportedfile.pfx -out outfile.pem

If you provided a password (like a good IIS admin!) to the exported private key, you will be prompted for it. To view the private key and certificate parts, just open the resulting pem file in a text editor. Both parts are enclosed in appropriate tags.

To just view the private key and certificate from the pfx file:

openssl pkcs12 -info -nodes -in exportedfile.pfx

To make a Certificate Signing Request (CSR):

openssl req -new -newkey rsa:2048 -keyout yournewkey.pem -nodes \
-out yournewcsr.pem

Save the key because this is the private key. Provide the yournewcsr.pem contents to the preferred CA such as Verisign, Thawte, or even your local CA if you have your own PKI. Once you get the certificate back and you’re using Apache, you want to follow Apache instructions (I’ll post this another time) to place the private key file and this cert file where Apache can use them. If you’re using IIS, you probably want to convert it back into the normal pkcs12/pfx format. A certificate that comes back DER-encoded is first converted to PEM so it can be bundled with the private key:

openssl x509 -in certnew.cer -inform DER -out yournewcert.pem \
-outform PEM

You can then import it into IIS for use with web sites. In my case at work, we just left the pieces separated for use in our new Load-Balancer/SSL Terminator. Our IPS, however, would prefer the compounded format used by IIS along with the passphrase.

What if you just want a self-signed cert? This means it is free to you, although your browser may give fairly benign complaints about the cert not being signed by someone you trust. This is ok for most sites, including mine and other internal stuff:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout myselfsignedkey.pem \
-nodes -out myselfsignedcert.pem

Might want to increase the 365 days to many, many years. Ten years is pretty decent and a bit easy to calculate (3650).

All of these commands used -nodes which does not mean “nodes,” it means “No DES.” This leaves the private key unencrypted. For anyone who has studied CISSP material (or even Security+) you really don’t want to leave your private keys unencrypted. You want them encrypted:

openssl rsa -des3 -in yourprivatekey.pem \
-out yourprivatekeyencrypted.pem

This will prompt for a passphrase and output the private key in an encrypted form. If you want to decrypt this key later:

openssl rsa -in yourprivatekeyencrypted.pem -out yourprivatekey.pem

I think that about does it for now. OpenSSL has tons of little options and modes, so if you find yourself getting an itch to learn more about SSL, check it out. Oh, and it comes in Linux and third-party Windows flavors for convenience. I actually really like the Windows version as it gives some nice, powerful tools for quick use to otherwise clunky Windows GUIs and servers.
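The steps above as one non-interactive round trip, added here as an example (not the author's own commands): it bundles a key and certificate into a .pfx with openssl pkcs12 -export, splits the bundle again, checks that key and certificate belong together, and encrypts the key. File names, the subject and the passphrases are constructed for the demo, and -aes256 stands in for the post's -des3.

```shell
#!/bin/sh
# Added example. All names and passphrases below are constructed for the demo.
# Note: -nodes is spelled -noenc in OpenSSL 3.x; the old spelling still works.
# Passphrases are given as pass:... only so the demo runs unattended; for real
# keys let openssl prompt, or use env:VAR / file:PATH, so they stay out of ps.

# Throwaway unencrypted key plus self-signed certificate, written into dir $1.
make_pair() {
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
        -subj "/CN=demo.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Bundle certificate and key into the passphrase-protected .pfx that IIS imports.
pem_to_pfx() {       # $1 = directory, $2 = export passphrase
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/bundle.pfx" -passout "pass:$2"
}

# Split the bundle back into one PEM file holding key and certificate.
pfx_to_pem() {       # $1 = directory, $2 = passphrase set at export time
    openssl pkcs12 -nodes -in "$1/bundle.pfx" -passin "pass:$2" \
        -out "$1/split.pem" 2>/dev/null
}

# Succeeds only if the unencrypted private key in $1 belongs to the
# certificate in $2: both must yield the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Encrypt a private key at rest (AES-256 instead of the post's 3DES).
encrypt_key() {      # $1 = input key, $2 = output file, $3 = passphrase
    openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$3" 2>/dev/null
}

# True if the PEM file carries an encrypted key (PKCS#8 or traditional header).
is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# True if the passphrase in $2 unlocks the key in $1.
can_decrypt() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    (
        umask 077    # key material should not be world-readable
        make_pair "$d" &&
        pem_to_pfx "$d" "pfx-pass" &&
        pfx_to_pem "$d" "pfx-pass" &&
        key_matches_cert "$d/split.pem" "$d/cert.pem" &&
        encrypt_key "$d/key.pem" "$d/key.enc.pem" "key-pass" &&
        is_encrypted "$d/key.enc.pem" &&
        ! is_encrypted "$d/key.pem" &&
        can_decrypt "$d/key.enc.pem" "key-pass"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "round trip OK"
```

The key_matches_cert check is worth running before importing anything into IIS or a load balancer, since a mismatched pair only fails at handshake time.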

consistency, consistency

Roger A. Grimes recently posted up an article that made a lot of simple sense. He talked about the effect of consistency, even amongst just the basic security principles, and how that can increase security. I really couldn’t agree more. Consistency is highly important. Of course, metrics are important, but also make sure to pick the right ones and be consistent with them as well.

How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.

beep pause beep beep…damn you!

I had forgotten the joy of building one’s own computer, since last I put one together about 3 years ago. I got all the parts for my system last night, but the bugger won’t give me any display. It started out with two long POST beeps, which the AMI BIOS specs say should be a memory or parity error. Great. After a lot of reseating (which eventually became rather redundant especially after I got out my dice and started trying some saving rolls…) I started getting 1 long, 2 short beeps which should indicate a video display issue. Hrm, that’s not making any sense…

In the end, I’ll likely purchase a few more parts to swap around and see if something needs to be RMAd. I’m guessing either the motherboard has a problem or maybe one RAM module is DOA or the video card isn’t compatible. The one thing I don’t miss from building personal systems is the voodoo (not the card, for those old school enough…) you need to make sure all parts are compatible. A complete part list can be found on my wiki under “vmware box”.

attachment and rules

If you impose punishments on the troops before they have become attached, they will not be submissive. If they are not submissive they will be difficult to employ. If you do not impose punishments after the troops have become attached, they cannot be used. -The Art of War, Chapter 9: Maneuvering Armies

personal updates on web environments, ssl, ips, and new box

Looks like my flurry of posts early this week were just pre-empting my lack of posts through hump day. Things at work have heated up a bit, especially with me learning some new things. In particular today, I am working with Wise MSI packages for our web server deployments in addition to new SSL management now that we have a hardware load-balancer which is performing SSL termination for us. I’m utilizing tools in OpenSSL to not only convert existing IIS exported keys into readable formats but also to generate new keys via scripting.

We’re also working on a new development environment: 1 of 13. Yes, 13. Don’t ask, I think it’s the wrong way to go and half of them won’t get used or updated enough. It’ll turn into our nightmare before someone gets wise and trims that back down to something simpler like “dev-staging-prod” plus a few others. Thankfully, all of the servers will be virtual.

Also into this week I’ve been re-tuning our IPS. Our IPS management server took a final dump on Friday and wasn’t about to come back on. Thankfully we do backups of the full MySQL database so I recreated the server as a virtual box, reinstalled the product manager, got it talking to the appliance IPS itself, and then restored everything from backups. Talk about slick! I only had to do minor tweaks and retuning on things not covered in the backup. Not bad, and it is nice to be able to properly validate our backup/restore procedures. Backups always bother me in the back of my head until we can actually do them once and verify things work as needed. In addition, since this box was put together before I came on board, it was also nice to see we had documentation on the build and settings (thank you Accuvant!).

Lastly, parts for my new vmware box are arriving. The case arrived yesterday and the rest should be in today when I get home. These will be married to a few extra core parts I already had on hand to be turned into a dedicated Ubuntu VMWare Server box that will run a variety of “always on” machines. (In contrast to my gaming rig which only doubles as a VMWare box now and then for throw-away VMs or testing.) This should keep me busy until the weekend as I make sure I don’t have to RMA anything. I’ll post pics and notes later on about this box.

wsus 3 released

WSUS 3.0 has been released. I’m bouncing this link over where I found it, The Sean Blog, since he made a nice list of the pertinent downloads. If you don’t know WSUS or don’t use it and don’t do anything special for Windows patch management, you should really look into WSUS. It does one set of tasks and does it very well.

staying anonymous – part 2 the web

Web browsing (blogs, forums, web-based IRC) – When you browse the web, you leave a trail in your wake: your IP address and sometimes other bits of data that curious persons want to gather. If nothing else, you leave behind your IP in web server log files which any curious or enterprising admin likely picks through. Why do you want to stay anonymous? That was addressed in part 1 of this series.

There are five major realms when it comes to anonymity on the web:
1) general anonymity protections
2) browsing trackbacks such as what is captured in web server log files
3) browser hijacking, remote information leakage, and artifacts like cookies
4) communication channel eavesdropping
5) additional items on newsgroups and RSS

1) general anonymity protections
In general, if you want to stay anonymous online, don’t connect to sites or other servers from your home IP address. Hop on a wireless hotspot or “borrow” a neighbor’s wireless connection (again, I didn’t suggest that…right?). This way any tracebacks will maybe point to the state or area you live in or even your local podunk ISP, but likely won’t be tracked back directly to you without some legal overtures. If you’re doing nothing criminal, the chances are slim that anyone will ever notice. (Although that does not necessarily make it legal or digitally ethical.)

If you insist on doing personal things such as banking or updating your own personal blog that is not so anonymous, those are things you should save your home IP and connection for. Keep in mind that I do not encourage checking your ebay auctions or transferring paypal monies through web proxies or while connected to non-trusted networks. You never know who is eavesdropping on you or collecting information on what you thought was an innocent open web proxy.

2) trackbacks via what is captured in web server log files
Browsing trackbacks include leaving behind information on log files that may contain your IP address, computer name, browser version, and so on.

The biggest means to stay anonymous with general web browsing is to use one or more anonymous web proxies. A web proxy will relay your connection from it to the site you are attempting to browse, such that the target site does not know who you are and instead records information from the web proxy server. Let’s say you want to buy some condoms, but your dad works the counter at the closest drug store that sells them. Instead, you ask someone else to go inside and buy them for you. This person is acting on your behalf, i.e. your proxy. Web proxies work the same way by fetching web pages on your behalf and then delivering them to you. Honestly, once you start using proxies, they are very easy to use and you should probably use them most the time if you are concerned about your anonymity (with the exception of your bill-paying and banking…).

These can be a bit of a pain to work with. Some web proxies are located in odd places of the world and thus their latency is sometimes prohibitive. Others actually translate text for you (eternally helpful, especially if you don’t speak Lithuanian…), and others are simply not meant to be open and can disappear without notice. Some are commercial and some are not and some don’t even know they are open and used.

One long-standing list of web proxies has been samair.ru. Be aware that not all proxies are made equal and you will want to test out just how anonymous you appear. Do not settle for leaking any information, so typically, you want “highly anonymous” or something to that effect. Setting yourself up on a proxy is as easy as picking one out and going into the connection options of your browser. Supply the necessary IP and port as a proxy and surf away. You can check what your IP appears to be at www.whatismyip.com and you can check your actual proxy leakage at samair.ru. I highly suggest Googling up a few proxy checker tools just for second and third opinions. Also, try baselining the information you leak by using these checkers when you’re not using a proxy. Identify what you want hidden, and get it hidden. (Disclaimer: I don’t encourage you to use web proxies that you are not authorized to use; do as you wish.)
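What a proxy checker looks at, as an added example (not from the original post): given the request headers a destination server received and the address recorded in the no-proxy baseline, it reports whether that address leaked. The header list and the tier names other than “highly anonymous” are assumptions based on common proxy-list usage; the sample requests are constructed.

```shell
#!/bin/sh
# Added example. Reads HTTP request headers on stdin, as the destination server
# received them. $1 is the client's real address, known from the baseline run.
#   transparent       the real address appears somewhere in the headers
#   anonymous         proxy headers are present, but the address is not
#   highly anonymous  nothing in the headers gives the proxy or client away
classify_proxy_leak() {
    awk -v real="$1" '
    {
        sub(/\r$/, "")                        # tolerate CRLF line endings
        colon = index($0, ":")
        if (colon == 0) next                  # request line or blank line
        name  = tolower(substr($0, 1, colon - 1))
        value = substr($0, colon + 1)
        # Compare whole address tokens, so 203.0.113.7 does not match
        # inside 203.0.113.77.
        n = split(value, tok, /[^0-9A-Fa-f.:]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", tok[i])  # drop :port
            if (tok[i] == real) leaked = 1
        }
        if (name ~ /^(via|forwarded|x-forwarded-for|x-real-ip|client-ip|proxy-connection)$/)
            proxied = 1
    }
    END {
        if (leaked)       print "transparent"
        else if (proxied) print "anonymous"
        else              print "highly anonymous"
    }'
}

# Constructed sample: the proxy forwards the client address verbatim.
demo_transparent() {
    classify_proxy_leak 203.0.113.7 <<'EOF'
GET / HTTP/1.1
Host: www.example.test
Via: 1.1 proxy.example.test
X-Forwarded-For: 203.0.113.7
EOF
}

# Constructed sample: the proxy announces itself but hides the client.
demo_anonymous() {
    classify_proxy_leak 203.0.113.7 <<'EOF'
GET / HTTP/1.1
Host: www.example.test
Via: 1.1 proxy.example.test
X-Forwarded-For: 198.51.100.9
EOF
}

# Constructed sample: nothing proxy-related reaches the server.
demo_highly_anonymous() {
    classify_proxy_leak 203.0.113.7 <<'EOF'
GET / HTTP/1.1
Host: www.example.test
User-Agent: Mozilla/5.0
EOF
}

printf '%s\n' "$(demo_transparent)" "$(demo_anonymous)" "$(demo_highly_anonymous)"
```

Headers are only one channel: the user agent, cookies and scripts discussed in this post can identify a client even when this check reports “highly anonymous”.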

I also have seen a site called www.e-proxy.info (thank you Chris!) which can deliver web pages to you through a browser-based proxy. This is really pretty slick and actually works in my office, bypassing SurfControl while also not looking too obtrusive by hiding up at the top of my browser window. Sweet!

As an advanced technique, if you want to set up a series of proxy servers to route your traffic through, this is typically called chaining, in case you want some Google terms to search for.

Are these foolproof? Like almost everything in life, no they are not. But for many instances, a relatively simple step like using a web proxy gives quite a lot of gain. One potential problem comes up if you use some arcane or exotic user agent or web browser. If you leave behind an anonymous IP but a user agent like “BriansTestBrowserBar 0.4,” you may as well ditch the proxy.

3) browser hijacking, remote information leakage, and artifacts like cookies
While you can remain relatively anonymous on the web using just a proxy to relay your connections, there are still means to leak information. You might run into hostile scripts that will try to hijack your system or perhaps harvest cookies from your browser, just to name a few.

To thwart such attacks, it is best to not pretend you are safer or anonymous using Windows or Internet Explorer, especially in combination. Use a non-Windows OS and Opera, Firefox, or even a graphical browser.

Keep your cache and stored cookies as clean as possible. Try not to store cookies and definitely do not store passwords in your browser. Just write them down or store them more securely out of band of your browser. In fact, it makes a lot of sense to do your anonymous web browsing from a virtual machine that you can revert to a known clean state every day.

Be sure you also do not leak information by reusing usernames and passwords. If you use the username TheAvengerr69 on 4 forums and you use the same password on each one, simple Google searches can draw the lines between them and start revealing a profile of who you are and what you do. This is especially useful to someone looking to manipulate you. Also assume that every site you sign up for has curious admins who now have your account information. Do not blindly reuse login names and/or passwords.

Here is an illustration. Think about how many forums you might have signed up for and posted one, maybe two questions, and then never revisited again. What if those forums, like the many thousands out there, do not get updated with new forum software versions? This might mean that one of those forums may get owned and leak out its database of users (sure, they just want the emails to spam, right?). Now your account information is in someone’s hands just because you visited there once. Now let’s say your username was DopplegangerJoe69 and your email was a hotmail address and your password “sitonyourface.” In fact, that’s the same password and username you use in a few places. Oh my, and that’s the password you use for that hotmail account. Sucks to be you, Joe. I hope you don’t store a lot of “password reminders” and “thanks for signing up here’s your password” emails on that hotmail account!

4) communication channel eavesdropping
Generally, there is not much you can do to protect the communication channel from eavesdroppers, if, for instance, you are browsing the web from a public hotspot. If the site itself does not have SSL enabled, you are typically out of luck. However, some proxies can be set up to relay secured communications. Better yet, find yourself a box or shell account or buddy who doesn’t know better and set yourself up an SSH tunnel which can act as your first hop. While your entire communication may not be hidden, at least you are hidden from where you physically sit to some arbitrary place on the net. The easiest way to do this might be to set up an SSH server and tunnel through your home connection. From there, relay through a web proxy to anonymize yourself. You can also utilize Tor onion routing, which I plan to go over in a separate post.

Of note, I do consider this step to be beyond most everyone but the paranoid, but it does make sense to technically-friendly people who browse from untrusted networks often. Personally, I love hotspots at coffeeshops so I tend to tunnel through SSH whenever I do anything beyond browsing the news.

5) additional items on newsgroups and RSS
Two minor tidbits on newsgroups and RSS feeds. Try to not use stand-alone clients on your box for RSS or newsgroups browsing. They typically aren’t as universal when it comes to proxy support, so they tend to directly connect to the target and leave behind your IP address, if nothing else. Whenever possible, sign up for Google Reader or Google Groups and leverage the extra hop that Google provides in hiding origin. Let Google’s servers act as your proxy. Be aware that there is still theoretical talk about malware abusing RSS feed parsing. I don’t consider this a reality yet, but the theory is sound. Newsgroups also may have messages that contain malware or malicious links. Be cautious.

Bonus: For the truly paranoid, watch what terms you search for in search engines. Last year there were some high profile disclosures of search terms that, while “sanitized” still revealed sensitive or private information. If I searched for “Michael Dickey” in Google from my “anonymous” web proxy that I’ve used for years, I’ve just tied that web proxy IP to that search term. Do enough of those personally identifiable searches and you can leave behind a small trail. Now, the chances of all the planets aligning to reveal your searches and shatter your web of anonymity are slim, but there are some people that are this paranoid. If you want to help prevent this, just search for personal stuff on your own home connection, just like you should be doing your banking and other sensitive stuff from your trusted home connection. Likewise, don’t search for HideousPurplePeopleEater69, your super-secret online pseudonym, from your home network and tie that name to your home IP.

Do I go to these lengths myself? I definitely do not get draconian about my search terms, but I do encourage using different networks or web proxies for browsing the darker bits of the web. If I felt the need, I likely would also utilize a throw-away VM to do some browsing as well. I think myself and most tech-savvy persons can get by with following, to some degree, steps 1, 2, 3, and 5. Setting up your own remote secure access and being mindful of your searches are really for either the more technically-inclined or the ultra-paranoid.

If you would like more information about staying anonymous on the web, I suggest searching Google for “staying anonymous on the web,” “onion routing,” “SSH tunnel,” and other keywords found scattered above.

that’s no moon. it’s a space station.

Alex Hutton just posted a comment to my last post referencing a Star Wars (the best movie ever) quote. You know, I have this list of things to see and/or experience on a daily basis that make life happier. Ya know, kinda like petting a tiny kitten or watching a young puppy waddle around, they just make the soul happy. Here’s my going list with this one new addition at the bottom (yes, some of these might be a little disturbing, I apologize, but they make me laugh):

– violent pelvic thrusts into the air (think: “don’t fuck with the jesus” from the big lebowski)
– dry heaves (from someone else, and not to be confused with actual puking; think an overweight linebacker who has run way too many sprints…)
– uncontrollable writhing on the ground (although NOT induced by a medical condition, that’s just mean)
– any quote from Star Wars (or Monty Python can substitute)

(cute images from cuteoverload.com)

pet peeve: the escalating rumor mill based on tech-speak

Chief Security Monkey has a story post today about being careful what you say as an IT expert:

I went back to my friend, told her that there was nothing unusual on the IDS and mentioned the targeted Word attack that had been reported [by another company] and its similarities. Unfortunately, the helpdesk tech overheard our conversation and subsequently reported back to his boss that I said we were infected and that was the cause.

Oh man, I really hate that! And some people wonder why we become a little guarded and seriously careful about what we say! I’ve had occasion where I’ve responded to spyware or virus and mentioned something about attackers or hackers and the gossip centers on just one word that you can easily guess: “We’ve been hacked!” I’ve had sales people email each other for hours escalating the issue just amongst themselves before someone had to step in and tell them to shut up because it wasn’t true.

Of course, this happens in IT as a whole too. I hate having to say, “Well, in our environment we really can’t implement technology X very well at all…” only to have their Geek Squad son say, “Sure they should be able to do that!” which causes me months and months of grief and point-counterpoint.

Again, I say, it’s no wonder we can quickly become guarded and quiet unless absolutely sure about something.

So, to spin this back around into something positive, how does one combat this? I think it is just all about people skills and communication skills. Make sure people know you as the expert and that mistakes or misstatements can still happen, but you’ll gladly offer correction as needed. Don’t be afraid to be wrong and don’t be so arrogant that everyone wants to hold your mistakes over your head for years to come. Learn who the drama queens are in the company, and be extra careful what you discuss with them.

trillian vulnerability asks who is responsible for user apps

I see ISC has posted about a vulnerability just disclosed in Trillian. The vulnerability is a little exotic but does have a scary side to it. First, it involves the use of the Trillian IRC client. Thankfully, I don’t know many non-geeks who use IRC and none that use Trillian as their IRC client (I would hope!). The scary part is it is trivial to determine if someone’s IRC client is Trillian and the vulnerability is triggered by merely hovering over a link posted in chat. Yikes! I expect milw0rm or even Metasploit to have an exploit available soon enough.

One big question for this is: Do you know what apps your users are running? Are some of them running Trillian? And if so, who is then responsible for upgrading to more secure versions of their apps? (Then again, maybe they don’t need IRC at work anyway, so just block the ports at the firewall and hope they’re not on laptops at home being rooted?) More fuel if you don’t have a handle on corporate policy for unauthorized software.

suggested games

I’ve been an on-again, off-again PC gamer. My background is heavy into first-person shooters (FPS) from Doom 1 until FEAR. I think I spent half my college years playing Quake and UT. It’s amazing I actually got the grades I did and even graduated…I know too many people who dropped out due to their playing habits.

Here are some games I would highly recommend you play if you do any PC gaming at all. Some of these are classics that no one should be able to say they’ve not experienced.

Doom 1 and 2 – There is still no FPS PC game that has been able to recapture the hectic, hellish feel of the originals. Doom 2 is still so challenging to this day to me, that I continually play it every few months to advance a few more levels in my spare time (I strive for 100% secrets and kills when actually possible). I still have the original floppies…

Quake – Quake grabbed the baton from Doom and ran with it, propelling PC sales, bandwidth demands, and PC gaming as we know it today. Nothing ever will capture the feel of anonymously running around levels throwing out rockets and fragging fellow geeks into the late hours of the night. This was Internet gaming in its innocent infancy, and it still makes my cheeks tingle with memories. Must be experienced not just single-player, but LAN-borne with friends. Sound effects and most of the background music mixed by NIN make for an excellent backdrop as well.

Serious Sam I – The first Serious Sam had a lot of gimmicks, but one of the best things about this game is how it harkened back to the hectic pace from the original Doom games. No game has come closer to the single-player experience of Doom as this game as it throws hordes and hordes of enemies at the player and usually not enough ammo to feel comfortable. One of the only games I’ve ever actually heard the sound effects for when trying to sleep (those damned hooves…noo…always behind me…!)

Unreal Tournament – I really don’t think any game before or after has looked or sounded quite as good as this one while also being as purely fun in multi-player mode. The excellent electronica music alone is worth the ride. Sadly, if you do get on FFA games these days on the net, chances are you’ll be playing with people who have played for nearly ten years now. It won’t be pretty, but it can still be very fun! Perfect LAN party fodder as it won’t tax systems these days!

Warcraft II – Basically the father (albeit not the grandfather) of all RTS games today, Warcraft II had a perfect chemistry of fun and challenge. I still play this game through single-player mode every few years. The expansion pack is also a must.

Starcraft – The follow-up to Warcraft II is maybe even more perfect with upgraded graphics, deeper complexity in units and builds, and one of the most compelling story lines I’ve played through in a PC game. I also play this and the expansion pack regularly every few years.

Wing Commander II and III – I loved these games. I’m not a flight sim guy, so these games met my needs just right with complex, but not too complex of controls. I loved the changing experience depending on how you complete missions and the special named enemies with their own challenges and quirks. WC III particularly perfected the sense of isolation for a space fighter pilot.

those first few years are the hardest

I’m feeling talkative today…makes me wish I had IM or IRC at work! Alas, I get to only post here or comments elsewhere!

I really cannot explain just how valuable a little IT experience is. Six years ago out of college I had to beg to get interviews for IT positions, and even then, a very small percentage would ever get back to me. This made sense and I knew it, for a college grad with no practical experience. In the last few months alone I’ve had calls come in with zero solicitation, which is astounding to me. It is a lot different from the “I’ll take any job, anything!” mentality of 6 years ago to the “I can be picky now and say no if I foresee minor problems” of today. Those first few years are definitely the hardest. Hrm…I’m maybe a little too positive today…better bring it back down!

twenty interview questions

This is a list of 20 web developer interview questions picked up from SEOmoz via Dan Morrill. I really like interview questions because they can give you good practice. When I am looking for a job (which I currently am) I actually do rehearse to myself (and typically write down) answers to typical questions such as my weakness, my strength, team vs work alone, why the current job is not right, what I want in a job, a manager, life, and so on. In fact, I plan to carve out a spot in my wiki to someday house these questions and my answers for future reference. And one thing I do stress in any interview is to be honest and positive. Admit a weakness, don’t cop out or cover it up. Use it as an opportunity to show the employer you know yourself and that you have a plan to address that weakness. Anyway, this looks like a long post, but here’s some answers for these questions (some are pertinent only to web developers, though!).

1. What industry sites and blogs do you read regularly?
I tend to cop out here and say that I read a lot of things, mainly blogs and online news sites, which are all in my RSS reader and listed on my website on the right. But I do try to stay concrete and mention some of my A-list links such as TaoSecurity, Jeremiah Grossman, Ha.ckers.org, Security Monkey, Internet Storm Center, Errata, F-Secure, Full Disclosure, and so on largely depending on what type of job I am working on. I do like to make sure I know a nice mix of my favorite sites to read so that I can pull them out quickly without floundering. I remember years ago someone asking me what my favorite hacking site was and kinda floundering and sputtering out PacketStorm just because the guy was a suit who thought he knew hacking. When given a chance, though, I always want to say that I read up on sites every other day if not daily for the important ones.

2. Do you prefer to work alone or on a team?
I love this question and hate it. I love it because my honest answer is both fairly equally. I hate it because that is the prototypical bullshit answer. So I feel obligated to expound! I love working alone because sometimes you can just put your head down and really concentrate on working either through a problem or something that is otherwise tedious. It is true that sometimes in IT too many hands in the kitchen make too big a mess, or will try to do things in different ways such that nothing ends up getting done with any semblance of quality. I also love working on a team because there are times when I don’t know everything and need help, times when I physically cannot get all the work done by a deadline without extra hands, and times when just talking a problem through to someone else will jog my thoughts and give me fresh ideas. I truly do enjoy both and am quite comfortable working in either environment as long as the company and manager and colleagues are supportive and get shit done. I have experience working both ways.

3. How comfortable are you with writing HTML entirely by hand?
Very. I’ve never used a WYSIWYG editor and don’t even need color-coded parsing to help out. Give me notepad and I’m fine.

7. Describe/demonstrate your level of competence in a *nix shell environment
I would put my level of competence in a *nix shell environment as beginner to intermediate, although people less than me might put me higher. I tend to place myself lower than I should be, only because there is so much power in *nix shells and so much to learn. I feel just slightly more comfortable inside a CLI as opposed to a GUI.

8. What skills and technologies are you the most interested in improving upon or learning?
For a learning junkie like me, this includes everything! I am most interested in learning whatever is needed or is tickling my muse at the moment, within reasonable bounds so that I don’t try to do too much and end up with minimal knowledge in lots of things. I do strive for expert level knowledge in the things I can tackle on a day to day basis and intermediate to high knowledge in things I do on my own or less often outside the day to day job. Specifically, I want to continue to improve my Linux exposure, wireless foo, and security assessments. I want to get hands-on into Snort and log correlation over a network.

11. Show me your code!
View source my code yourself! But keep in mind I’m not a pro web developer, nor do I update my code all that often. My old site is rife with old junk that makes me cringe. This site is slightly cleaner since it is years newer.

12. What are a few sites you admire and why? (from a webdev perspective)
Digg and Google are excellent and clean. I like sites that are clean, offer up their functions, and are not hard on the eyes and soul (ads all over, weird links, blah blah). Give me aesthetically pleasing any day, not MySpace-like. A clear, simple layout.

14. I just pulled up the website you built and the browser is displaying a blank page. Walk me through the steps you’d take to troubleshoot the problem.
Blame the network guys! Hehe, kidding. I would first replicate the problem on my end so that I can see what is going on. Then try to do a view source to make sure I’m hitting the right location and what the browser is being presented. If the problem is network-related, drop into a CLI and start investigating DNS and IP connectivity. If the problem appears to be code-related, check the code from the View Source and make adjustments. Possibly get on the server and try to pull the page up local to the server, check the logs, fashion test pages to troubleshoot IIS/Apache functionality…

16. Do you find any particular languages or technologies intimidating?
I really like this question and have sadly never heard this in an interview! I am currently most intimidated in general in just doing something new for the first time that I’m unproven with. For instance, being challenged to do something that might not be possible can be really intriguing yet frustrating. I’m aware of this intimidation and work to keep it cornered as much as possible. In specific, I am most intimidated lately by ordering the proper equipment that is compatible and not over-budget for the needs. I think that’s largely inexperience coupled with spending someone else’s money.

ten top open source security tools

An article out of IT Management on Earthweb (hell, I can barely find out what this site is called…it management? earthweb? datamation? I think that’s an ad in the traditional site header slot, but am not sure…ugh!) outlines 10 top open source security tools. While I can usually nitpick something in most lists from unknown sites, I was pleasantly surprised by the well-rounded list presented. Then again, some of these can be fairly easy when you have lists like Insecure.org’s top tools list.

I also am saddened but have to say (almost as a reminder to myself) that I need to someday actually read the Open Source Security Tools: A Practical Guide to Security Applications. Books don’t get younger on their own!

csum: independence day

CSUM rates: Independence Day (1996)

Situation: Towards the end of the film, Will Smith’s character makes a last ditch attack against an invading alien army by injecting a computer virus into the alien mothership’s systems. The virus is successful and the invasion is defeated.

Inaccuracy: 5
Ok, while I will say that one could argue the universality of the binary system, I don’t think it is even possible that a wholly distinct civilization will have advanced independent of the human race and end up with compatible machine code. Hell, Windows and Macs don’t even have viruses that are compatible on either system (a few exceptions exist with third-party apps) let alone entirely different civilizations. I think the biggest joke at the time of this movie was the question, “Are the aliens running Windows or something?!”

Criticality: 5
Maybe the budget disintegrated by the end of the film and they needed a one-shot deal to blow up the aliens; all of them. I don’t know, but this is a pretty darned critical contrivance because it is the vehicle for Will Smith to save the world; the climax of the film. It’s a shame it had to be so ignorant.

Ease of correction: 4
The year is 1995/1996, and I think it was obvious the producers wanted to capitalize on the emergence of computers and the Internet, and with it viruses. Unfortunately, there is no salvage to getting an earth computer virus to disrupt alien technology, so there is really no saving this idea. The writers needed another entirely different solution to save this; even Will Smith flying into the center of the ship and destroying the Mother Brain would have been more believable.

CSUM ICE Score: 100 (F) I will never forgive Independence Day for this amazingly ridiculous use of a virus in a film.