2009 microsoft scripting games are underway

Figures I would miss it this year, once they changed from winter to summer dates. The 2009 Microsoft Scripting Games are currently underway. It’s too late to truly sign up, but their challenges are as good as any excuse to start learning a scripting language. Such learning endeavors are usually killed by lack of ideas on what to use as a goal for early scripts. Events like this provide the answer!

There are only two scripting languages in use this year, PowerShell and VBScript. No Perl like last year.

splitting out my livecd links as a new menu item

I’ve added a section of links on the page (right menu for those who only see me through RSS) for security-related LiveCDs. I know, I’m missing some old ones like PHLACK, Whax, and even Knoppix-STD, but I’d like to link only actively supported and recent editions. So far I’m only listing backtrack (duh), NST, nubuntu, owasp, pentoo, and samurai.

I may adjust this section and include virtual images as well, since there are some pen-test target and tool images out there, like the recently announced Securix Network Security Monitoring virtual image (the sheriff badge logo has got to go, lol!). Really, these days there is not too much difference between a livecd and a virtual image in your pocket, assuming you control the target system.

repost- things to know to work in infosec

Matthew Hackling over at Infamous Agenda has posted a list of things to know for working in infosec. I really like this list, kinda like previous lists* I’ve pointed to or referenced. I can see a few items on here I certainly could work on!

I’m totally yoinking this list because his site doesn’t look built around getting hits (no ads, good man!), and I’d love to keep this list even if the site someday dies. To every entry he says to configure or install an app, I would also suggest living with it for more than a few days or weeks. Consider that extra credit!

1. TCP/IP basics like OSI model, routing, protocols, ports, NAT
2. Construct a checkpoint firewall rule base
3. Construct a PIX firewall rule set
4. Configure a cisco router to CIS benchmark
5. Configure VLANs and port mirroring on a cisco switch
6. Deploy Microsoft security templates to a group policy object
7. Configure a WSUS server and run MBSA to check it is working
8. Use Solaris Security Toolkit
9. Administer a linux box, enable/disable services, use package managers etc.
10. Install oracle and mysql
11. Be able to construct an SQL query or two
12. Configure a web server or two (say apache and IIS)
13. Configure an application server or three (say tomcat, websphere application server, maybe BEA weblogic)
14. Be able to use a web proxy (burp, webscarab) and a fuzzer
15. Know how the following security controls of authentication, session management, input validation and authorisation are implemented securely for a number of application development frameworks
16. Configure an IDS or three (Snort, IBM solution set)
17. Know the ten domains in ISO27002 and their content
18. Be able to identify control gaps from ISO27002 in your operations
19. Be able to build a security plan to address control gaps (planned end state, costs and benefits, dates, actions and responsibilities)

* sadly, while I can visualize the page I have in mind, I have no idea where my link to it is.

or maybe 36-hour days…

I either need two more of me, or a permanent 3- or 4-day weekend to catch up on all the little notes I send myself about tools or things to check out.

It’s not the reading of RSS feeds and news that gets me bogged down. It’s all the crazy awesome stuff out there that takes some hands-on time to really know.

(Ok, so I have a backlog of books to read too…)

piracy, internet, media, and best blog post this year

By now everyone has seen the quote from Michael Lynton, CEO of Sony Pictures Entertainment: “I’m a guy who doesn’t see anything good having come from the Internet, period.” What I didn’t know was this guy was a former CEO of AOL. A media company CEO making a statement like this pretty much tells me that this guy isn’t necessarily anti-internet, he just has absolutely no strategy for properly using it. None. He hasn’t just lost the battle; he didn’t even know one was happening until it was too late.

This was the general topic of one of the best blog posts I’ve read this year. The post is by Jason Frisvold over at the Technological Musings blog and hits every point square.

I’m pretty passionate and open about many of my opinions on media and piracy (although maybe a tiny bit less open since earning my CISSP). And this article pretty much echoes, eloquently, my position on these matters.

logmein vulns give attackers info and control

Kinda like malware fears on a Mac, most people use what they want to use and turn an ignorant eye to any issues that may be present. Me? I’m paranoid. I’m wary about things like LogMeIn, and this post from SecureThoughts.com illustrates why this is a healthy disposition.

As one of the commenters states, LogMeIn is used by more than just home users, but also by technical support teams and maybe even by users in your office to get home or vice versa! Remote management in a controlled manner is one thing; remote management using a browser and the web just because it’s easy is entirely another.

if you gotta beat on something, cloud is a punching bag

Good bye Web 2.0. Welcome back Mainframe 2.0, I mean, Cloud Computing!

The move to virtualize (read: centralize) has been brewing for years now. That includes the desktops (say thanks to mismatched Microsoft licensing and software upgrade durations, and to users who want to violate/bastardize/lose/bloat their systems). Terminal Server is sexy again! Centralized, to decentralized, to centralized, to decentralized…get used to the ride!

So, why is “cloud” so confusing? I’ll take a stab that doesn’t include the reason that everyone is using “cloud” to describe anything and everything (my toilet is Cloud-driven because it has a soft seat and flushes away my products to a central hub…)

Web-driven
The “cloud” is web-driven because firewalls tend to let only 80/443 through with impunity. Make firewall requests of network admins? Security evals from the security teams? Move faster! Skirt any and all barriers, security- or business-related! It sure is easier to just pump everything through what’s open, right? In my opinion, that’s one of the only reasons. Much like a river carves a course of least resistance.

Outsourcing 2.0:
IT is painful internally. And costly. And often not line-of-business/revenue-generating. Homegrown apps just aren’t all that agile, and it takes a ton of experience and knowledge to create them properly. Internal IT is not all that glamorous anymore, but “cloud” certainly seems like it for now. Just wait until we collectively realize it is less agile/customized! Oh, and any advantages you thought you had in your technology are now a moot point; get over it. That or just realize you got marketing-fed into re-consuming the same old web you were using yesterday. Yeah, sure, those are new donuts because I say so (they taste stale because they’re healthy!).

Confuser (or catalyst) for all this:
The over-bloated web browsers, of course! They’re out of control and getting such a big head that they want to be OSes in themselves! Or at least try to pave the way for market share as they futilely attempt to flank the OS giants. You use the web and you like the web, so cloud / browser-OS must be good!

Leverage the power of Amazon’s computing cloud power all over port 80/443! Your competitor already does it, so we’ll give you a start-up discount and you can just use the exact same translations and maps and apps that we already built for them!

more insight into merrick bank v savvis

In regards to my previous post on what should be called Merrick Bank v Savvis, here is another blog post from Dave Navetta that goes into glorious detail about this case and why we should be watching it. An excellent article.

Please note that a potential analogue for security assessors is lawsuits by investors against accountants. Both engage in attestation services that are known to some degree to be relied upon by third parties. There are numerous cases going both ways (some finding liability/some not) with respect to accountant liability to investors who relied on inaccurate financial statements.

cardsystems files suit against their auditor

The subtitle for this post should be, Compliance is not secure! Compliance is not secure! Compliance is not secure! And because no one wants to spend money, we’re all going to suffer for it.

Wired has an article posted on a lawsuit CardSystems has filed against its auditor, Savvis.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

and

More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

The number of ways this is all so fucked up makes my head spin and makes me want to vomit out all the reasons in a babble of words and rants. So much so that it is hard to begin to even plan to be concise!

This lawsuit may result in finally punching the elephant in the room: Compliance is a one-time deal and it fails without continuous internal rigor (i.e. staff/money).

So many experts understand this concept, but so many middle-men and legalists choose to ignore it, probably because their management squeezes on the budgets from top-down. Secure vs profits.

The use of the analogy between digital security and physical law enforcement is over-used, but can still be used in parts. For instance, if you are robbed, can you sue the police department? Is the aim of law enforcement (i.e. security) such that it prevents all crime, or that it simply responds to, detects, and maybe contains the crime?

To take another tack, one can draw parallels between digital security and accounting practices. Why do accounting departments go through audits and make changes? Often you’ll hear, “because we have to.” Someday, if we can’t do this shit ourselves, we’ll “have to” go through transparent digital security audits just like financial audits. And we won’t be able to say no.

And it will be neither pretty nor all that much more effective than what we have now for digital security.

Conflict of Interest
There’s another elephant in this room. Yeah, really, there is. And that is the elephant of conflict of interest. (Maybe the biggest elephant is simply greed and cost-avoidance!).

It could be easy to point a finger at auditors and say they have a conflict of interest in certifying their clients, even if their security sucks. But the real blame may lie with the client who, when handed a failed audit, may immediately go elsewhere. In this way, they’re not buying a real audit so much as they’re demonstrating that they just want to buy a rubber stamp of compliance. This subtle attitude in turn punishes the quality auditors and rewards the crappy ones!

Another possible end result: internal solutions
Prepare while I ramble just a little bit.

Card industry smacks Payment processors.
Payment processor takes shortcuts whenever possible.
Payment processor pays for an audit pass.
Payment processor gets hacked.
Payment processor sues auditor (i.e. passes the blame).
Auditors protect themselves by demanding unfettered 24/7 access otherwise no guarantees.
Payment processor may as well staff internally (so they can pass the blame).
No 24/7 operation can prevent internal employees acting in unexpected ways.
This leads to a vicious circle of management (secure it!) vs employees/staff (not possible!).
Eventually we pass the blame to employees.

And all this because no one can guarantee security.
And too much of our legal and business foundation cannot handle lack of blame/guarantee.

The Silver Lining: Natural Selection
One common complaint these days, especially amongst the truly skilled pen testers and auditors, is the number of crappy firms and people doing audits. If we get no other benefit from CardSystems vs Savvis, at least it should scare off the firms that know their products and services are incompetent.

And finally some subtext: smaller is better?
So, can one say that we should be able to trust smaller audit firms more? If you hire a small team of auditors, will they have less conflict of interest and possibly higher standards than a large firm trying to churn through clients for profit? This might just be a personal slant…

two steps forward, two steps back

Microsoft’s .NET silently installs a Firefox add-on which increases functionality (read: reduces your security).

I’ve seen this same story, more or less, in a few places now. I’m disappointed with Microsoft, but I can’t necessarily throw a ton of blame at them. This is a result of the popular clamoring for features, features, features, ease of use, features, convenience, features, and economics. In general, we simply can’t trust the popular software anymore unless you are an absolute expert in running things smartly (and only the biggest paranoid security geeks do that).

Tech progress hinders security. And it doesn’t help that more people are clamoring for security.

In the short term, this will result in ridiculous needs and demands from the security side and it will not just hamper convenience and business, but it’s going to start killing off business initiatives because the demands are too high.

(Yes, this is the general basis for my past two weeks’ worth of funk…it’ll pass soon!)

vmware server 2 on ubuntu 9.04 is painless now

Installing VMWare on Ubuntu is surprisingly easy these days. It has been a couple major releases since I did so, but this weekend I rebuilt my VM host box.

I installed Ubuntu 9.04 server and chose the Virtual Host option. I really don’t have a good reason why other than that’s what the box would be. Once done, this leaves the box at a command line prompt.

After a little reading, I found out that VMWare Server 2 now installs with a web-based admin interface and not the normal GUI-required interface. Whoa, big improvement! I don’t need Gnome anymore!

The rest of the installation went smoothly with the only difficulty coming from downloading the VMWare Server 2 tarball through Lynx (hint: sign up for a throw-away account on a different box, then just sign in on Lynx). But after that, no more magic tricks to get VMWare to work on Ubuntu. I accepted all defaults other than VM storage location. I had a passwd set for root, so I could use root for now as the login.

remote exploit in soulseek p2p client published

I’ve long wondered when we’d see more P2P client attacks; I mean really, thousands of clients always-on and accepting traffic through the network?

Seems my P2P network of choice, SoulSeek, has an exposed vulnerability in the client app since at least July 2008. Pretty nifty! The software accepts and processes queries for your shared files. Seems this query length isn’t handled properly.

Just think, I could continue to be using rootable software for years if not for some measure of full disclosure. Pah.

I like SoulSeek and have used it for about 6 years now as my primary music exposure tool, although I am open to new places since my searches are not always as successful as they used to be. What’s more, there has not been a whole lot of movement from SoulSeek developers or the community in quite some time, although the forums still have a trickle of activity. It is not surprising that the exploit author was getting no response. I’ve had the feeling in the past year that this has become a bit of a headless beast.

Of note, the exploit author mentions using a Python-based SoulSeek client. This probably means there is plenty of documentation on what SoulSeek does and how to interact with it.

cnet interview of undercover fbi agent mularski

Snagged a link from I-Hacked.com which goes to an interview with an FBI agent who was undercover for 2 years to infiltrate a major cybercriminal group/forum. Amazing read!

(By the way, using a name referenced to Teenage Mutant Ninja Turtles is automatically awesome.)

I find it interesting to hear that cyber criminals often do not match the perception we have of thugs and hooligans and otherwise very scary people who commit crimes. A lot of these guys are, as he said, just misguided people who are otherwise very nice and normal. This should speak loads about how we define and view the moral right/wrong lines these days. Being a physical criminal (not including white collar corporate crime) seems to have certain physical traits or maybe even psychological (arrogance) ones. You can often “feel” that someone is a criminal just by how they dress, carry themselves, interact with others. Being a criminal in cyberspace may be just as easy, morally, as playing an avatar in Second Life or a character in World of Warcraft. (Granted, this will probably change as organized crime brings the physical bluntness into the cyber ranks, as alluded to in the interview.)

One question that didn’t get asked that I would have asked: “Do you work alone undercover or do you have a team of technical experts helping out as well giving you advice and walking you through things like securing the servers?” Really, it would seem easy to turn around and ask your cadre of geeks various questions, since they can’t see into his office. You’d just have to be careful that only one person ever did the “talking.”

powershell: perpetual scripting restarting itself

I’ve been working for a while on a way to keep a perpetually running script on a server running, even though it does have a slow memory leak (not surprising since I don’t think scripts are meant to run forever). My previous attempts are ok, but leave some small issues on the table.

It might be easy to suggest just setting a Scheduled Task up. Well, yeah, that is easy, but it is my policy to not run Task Scheduler on servers unless absolutely necessary, and never on externally accessible servers.

As another alternative, I have decided to have the script that is infinitely running check its own memory use, respawn a new copy if the memory use is too high, and then kill itself. This is actually pretty easy once I started looking into it.

# spawn new process: a fresh powershell.exe host that runs this same script
$spawner = New-Object System.Diagnostics.ProcessStartInfo
$spawner.FileName = "powershell.exe"
$spawner.WindowStyle = "Normal"
# two commands for the new host: cd to the script's directory, then run the script;
# the backtick keeps the semicolon literal inside the double-quoted string
$spawner.Arguments = "-noexit -noprofile -command cd d:\path `; ./script.ps1"
[System.Diagnostics.Process]::Start($spawner)

# kill myself: $pid is the automatic variable holding this host's own process ID
Stop-Process $pid

The only fun trick here is $pid, which is an automatic variable that holds the ProcessID of the host Powershell.exe process. Also notice the two commands in the arguments section. I first change my directory (cd) over to a path. If I don’t do this, it starts in a default path. Then I start up my script like normal.

Checking memory is pretty simple as well.

# find this host's own process record; -eq matches the ID exactly (-match is a regex
# test on the ID's string form and would also hit longer IDs containing these digits)
$Process = Get-WmiObject Win32_Process | Where-Object { $_.ProcessID -eq $pid }
# working set in megabytes
$Memory = $Process.WorkingSetSize / 1MB
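Putting the two pieces together, here is an added example (not the post's own code) of one script that polls its own working set and respawns itself when it grows past a limit. The 200 MB threshold, the 60-second poll interval and the Do-Work placeholder are assumptions; the respawn uses -File with the script's absolute path instead of the post's cd-then-run command line.

```powershell
# Added example, not the post's own code: the post's two snippets combined into one
# script that polls its own working set and respawns itself when it grows too large.
# The threshold, poll interval and the Do-Work placeholder are assumptions.
param(
    [int]$MaxWorkingSetMB = 200,   # assumed limit before a respawn
    [int]$PollSeconds     = 60     # assumed pause between checks
)

# Absolute path of this script, so the new host runs exactly this file instead of
# whatever ./script.ps1 happens to resolve to in its working directory.
$ScriptPath = $MyInvocation.MyCommand.Path

function Get-OwnWorkingSetMB {
    # $pid is the automatic variable holding this powershell.exe's process ID.
    # Get-Process -Id is an exact match, unlike -match on the ID's string form,
    # and WorkingSet64 is the same figure WMI exposes as WorkingSetSize.
    $self = Get-Process -Id $pid
    return [math]::Round($self.WorkingSet64 / 1MB, 1)
}

function Restart-Self {
    $spawner = New-Object System.Diagnostics.ProcessStartInfo
    $spawner.FileName         = "powershell.exe"
    $spawner.WindowStyle      = "Normal"
    $spawner.WorkingDirectory = Split-Path -Parent $ScriptPath
    # -File with a quoted absolute path replaces the post's "cd ...; ./script.ps1";
    # no -noexit, so a child that finishes does not leave an idle console behind.
    $spawner.Arguments = "-noprofile -File `"$ScriptPath`" -MaxWorkingSetMB $MaxWorkingSetMB -PollSeconds $PollSeconds"
    $child = [System.Diagnostics.Process]::Start($spawner)

    # Only stop this host once the replacement is actually running; otherwise keep
    # going and try again on the next poll rather than leaving nothing running.
    Start-Sleep -Seconds 2
    if ($child -and -not $child.HasExited) {
        Write-Host ("{0:s} respawned as PID {1}; PID {2} exiting" -f (Get-Date), $child.Id, $pid)
        Stop-Process -Id $pid
    } else {
        Write-Warning "respawn failed; continuing in PID $pid"
    }
}

function Do-Work {
    # Placeholder for the real perpetual job (assumption).
    Start-Sleep -Seconds $PollSeconds
}

while ($true) {
    Do-Work
    $mb = Get-OwnWorkingSetMB
    if ($mb -gt $MaxWorkingSetMB) {
        Write-Host ("working set {0} MB exceeds {1} MB limit" -f $mb, $MaxWorkingSetMB)
        Restart-Self
    }
}
```

Note that the old and new hosts overlap for the two-second check, so if the job must never run twice at once, guard Do-Work with a named mutex or lock file. Keeping the script in a directory only administrators can write to matters here, since whatever sits at $ScriptPath is what the respawned host will run.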