time-to-penetrate and increasing attacker costs

Read some concepts lately that I wanted to remind myself about, and don’t really want to bother figuring out where I first saw them.

Time-to-penetrate. Locks are rated by how long they take to fall to an expert. How long will your network/security last? To drive-by scripts/kids/worms? To experts?

Increasing attacker’s costs. I read about border security between the US and Mexico and how border authorities want to make it more expensive for drug cartels to get drugs over the border. Not stop it, but make it more difficult/expensive. If you rightly believe in the inevitability of insecurity, then you really want to keep the bar raised as far as possible (this is an argument that can formulate a defense to ‘security through obscurity,’ in moderation).

sinking in that twitter use has exploded

I’ve read but really didn’t digest that Twitter use has exploded this year. It was only maybe half a year ago when the most-followed people on Twitter were all excited about 40,000 followers. Now celebrities are topping 300,000 with ease! That’s crazy.

What’s interesting is how this may change culture a bit. On one hand, all of us norms get to see all the silly crap that celebrities think they want to tweet about (and misspell!). Kinda like what will be known as the Kevin Rose effect: it will make celebrities be much more down-to-earth, almost like you know them.

On the other hand, they lose more privacy indirectly as well, such as checking out the few privileged people your favorite celebs are following, some of whom may be unaccustomed to the attention, etc. Not to mention vulnerable to social attacks.

slicing various types of security roles

Bear with me as I ramble a bit in this post. Something unpolished but didn’t really want to lose. I’ll reserve the ability to completely change my opinion!

Which one of these will realistically get us the farthest in security? Choose only one.

  • administration: managers/execs/policywriters
  • techs in the trenches
  • auditors/testers
  • secure code/architecture i.e. “build it secure”

Yes, the best answer is clearly a combination of all of the above.

But for the sake of argument, let’s say you can only pick one horse to put your money behind. Which one gives you the most realistic chance?

– administration: managers/execs/policywriters – This is your typical layer where policies get written, strategies formulated, and employees managed. To me, this is a necessary layer, but alone they don’t do a whole lot without the support of everyone else, much like a policy with no enforcement. There is also the devil of being too abstracted from the real goings-on to be effective, or to live in the correct reality. Do they say security is working but have really no way to back that up? This isn’t always the case, but it is the devil they must battle. And that’s assuming their employees are even following the decrees made… A good aspect on this might be the guys who manage appliances on a broad level to create statistics or whatnot. But do we really want to lean heavily on Big Boxes?

– techs in the trenches – This is where I’d put my money. The people on the ground and in the trenches. Sure, they may have some weaknesses like enforcing security with no real policy or guidance, or a lack of focus, but to me they’re the ones who will always do the implementations, detections, and investigations. These would be the guys and gals who, if you gave them 8 hours a day to “do security” and left them in a room, they’d implement all sorts of wild things that can be extremely effective. If you get them even slightly working with the rest of business rather than just in their caves, they can be a real force.

– auditors/testers – This is your group of people who both point out all the wrong things you do, but also hopefully point out how you can do things correctly. A powerful group, but I think they ultimately rely on finger-pointing and may not, directly, actually get anything done. Given a high degree of intelligence and knowledge, though, those rare individuals are exceedingly valuable. On the testing side, their research and automation are hideously valuable.

– secure code/architecture i.e. “build it secure” – This is a great approach, but I think the “realistic” part really kills this. I’ve talked about the caveats in this group before (and can’t find the post[s]), so I won’t get into detail. But if technology didn’t change and economics shifted to value security, this could be a powerful group. Sadly, while important, I wouldn’t bet on it as my horse because it just isn’t realistic alone. Technology changes faster than we can learn it enough to secure it properly upon creation; economics pushes function before security; etc.

why the media is a real threat against hacker culture

These are the kinds of articles I don’t like to read. This is about Peerhboy, a terrorist group ‘hacker’ arrested in India.

The implications I don’t like in this article are twofold.

First, this guy got some ‘training’ and this seems to be implied as bad. Does this mean any ‘hacking’ or security training will mark you as evil?

Second, the only wireless ‘hacking’ alluded to in this article is the use of unsecured wireless access points. Yes, a concern, but hardly worthy of eye-catching ‘hacking’ adventures.

throw-away mail box sites

I’ve long used pookmail as a throw-away email box for various things, mostly just to sign up for downloads or worthless one-time-use accounts. I see they’re no longer offering that service.

I know about Mailinator and am using it now, but does anyone know any others? Mostly I just want a couple back-up options.

On a similar note, I should someday get myself a PO Box; one that supports a non-obvious PO Box-like address…

Isn’t that funny? Some companies won’t ship products to a PO Box, so you have to obfuscate it like 1234 Hickory Lane #9870-B. Same thing happens in the digital world with spoofing and forwarding all the time, or services that obfuscate the originator (PayPal? Mailinator?). Why don’t companies just allow shipping to a PO Box? It obviously is a need, even as much as it is abused… Maybe most people don’t go through such hoops, I guess.

a little late on the security buzzword generator

Gnucitizen has a security buzzword generator available which generates often amusing and often nonsensical buzzword-sounding security phrases. It’s a little mean, but I suppose you could test some against anyone and see if they’ll admit to not knowing wtf you’re talking about.

“Yes, we need to be concerned about Indirect Server Reversing.”
“I think our government needs to worry about Extraterrestrial Memory Routing.”
“Our solution does provide protection against JavaScript Stalking.”
“So, what are you doing about Backend Shellcode Sidejacking?”

patch your asa and pix boxes

If you have a Cisco ASA or PIX around, you might want to think about patching it. Cisco has released information on several vulnerabilities. Particularly interesting are a couple of remote DoS attacks and an ACL implicit deny bypass.

The latter is a bit vague and scores low on the Cisco metrics for impact. In some postings I read it as an ACL to get into the device, but in other wordings I get the impression it affects firewall rules for traversing the box. Either way, hopefully you use explicit DENY and don’t rely on the implicit one.

.net rootkit subverts base framework of the app

System security belongs to systems admins. The network to the network dudes. And the developers get to reign over the security of the apps they write. But where does something like the .NET framework fall? Somewhere in the cracks between system admins and developers. Developers don’t write it or manage the code, and systems admins most likely don’t know it very well either. (And I’m not even delving into consumer systems, just servers.)

Enter: .NET rootkits.

A .NET rootkit modifies the core framework DLLs from Microsoft (located in the GAC). A .NET rootkit may only be a symptom of a bigger problem: someone already owns your box hard enough to be able to replace framework files. But it might also be something that rogue developers can sneak into a production system. Even a sysadmin may taint something like an image base that other servers are built from.

It is probably a good idea to add some framework DLLs (or all of them) to any tripwire or digital integrity monitoring you have. If they change, an alert gets thrown. Caveat: I have not implemented such measures myself, so I don’t know if they change too often naturally. I assume they don’t.
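What that tripwire-style check looks like in practice, as an added example that is not from the original post: take a baseline of SHA-256 hashes for every DLL under a directory tree, then re-scan and report anything modified, added or removed. The directory layout here is a constructed stand-in built in a temp directory; on a real server you would point `build_baseline` at the GAC (under %WINDIR%\assembly, and %WINDIR%\Microsoft.NET\assembly for .NET 4) and persist the baseline somewhere the monitored host cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".dll",)) -> dict:
    """Map each matching file (path relative to root) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[str(path.relative_to(root))] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; any non-empty list here is an alert condition."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake GAC, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        gac = root / "GAC_MSIL" / "mscorlib"
        gac.mkdir(parents=True)
        (gac / "mscorlib.dll").write_bytes(b"constructed stand-in for a framework dll\n")
        (root / "System.Web.dll").write_bytes(b"constructed stand-in\n")
        (root / "readme.txt").write_bytes(b"not a dll, so never baselined\n")
        baseline = build_baseline(root)

        # Simulate what the post describes: a framework DLL replaced in place,
        # a new DLL dropped next to the real ones, and one removed outright.
        (gac / "mscorlib.dll").write_bytes(b"tampered contents\n")
        (root / "Evil.dll").write_bytes(b"dropped by an attacker\n")
        (root / "System.Web.dll").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
```

A scheduled run of `build_baseline` plus `compare` against a stored baseline is the whole alert; the open question from the post (how often the framework files legitimately change) is answered by watching how many `modified` entries line up with your patch windows, and re-baselining after each one.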

Traffic egress should also be monitored. One purpose to rootkit an application is to siphon off its data. It can accumulate on the server (disk usage monitoring!), but ultimately it needs to get somewhere else to be useful to an attacker.

This doesn’t stop with .NET frameworks, but really any framework environment, such as Java.

fedora 2008 intrusion caused by stolen ssh key

Details on a 2008 Fedora intrusion. Nope, not necessarily a technical vulnerability but rather a people/key/procedural one, for the most part. And yes, keys without passwords make life breezier, but also riskier.

Also interesting is the timely, and lucky, discovery of the intrusion. It sounds like an intrusion like this could have persisted for a while, until whatever discovery/detection/tripwires they have lying around were triggered. Then again, maybe that failed cron job failed because of the actions of the intruder. That almost sounds reasonable considering the near-immediate detection. Maybe the cron does some sanity check…or it was just coincidence that an admin’s eye was pulled over to the logs at such a convenient time. 🙂

Nonetheless, kudos and beers for giving details not just for our own knowledge, but as a sort of lesson-learned-through-others deal.
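A check worth running after reading this, added here as an example and not part of the original post or of the Fedora write-up: find private keys that have no passphrase. The newer `openssh-key-v1` container records the cipher name in its first fields (`none` means the key material is stored in the clear), legacy PEM keys signal encryption with a `Proc-Type: 4,ENCRYPTED` header, and PKCS#8 keys say it in the BEGIN line. The sample keys below are constructed fragments that carry only the fields the check reads, not real key material.

```python
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(pem_text: str) -> bool:
    """True if the private key is protected by a passphrase, False if stored in the clear."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, off = _read_ssh_string(body, len(magic))
        kdfname, _ = _read_ssh_string(body, off)
        # Unencrypted keys carry ciphername "none" and kdfname "none".
        return ciphername != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is flagged by a Proc-Type header.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    raise ValueError("not a recognised private key")


def unencrypted_keys(keys: dict) -> list:
    """Given {name: pem_text}, return the names whose keys have no passphrase."""
    return sorted(name for name, pem in keys.items() if not key_is_encrypted(pem))


def _constructed_openssh_key(ciphername: bytes, kdfname: bytes) -> str:
    # Constructed: only the leading fields of openssh-key-v1, enough for the check.
    blob = (b"openssh-key-v1\x00" + _ssh_string(ciphername) + _ssh_string(kdfname)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inputs (no real key material).
SAMPLE_KEYS = {
    "id_ed25519_plain": _constructed_openssh_key(b"none", b"none"),
    "id_ed25519_locked": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_locked": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                             "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_plain": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    for name in unencrypted_keys(SAMPLE_KEYS):
        print(f"WARNING: {name} has no passphrase")
```

Pointed at the contents of `~/.ssh` (or at keys found on a build box), `unencrypted_keys` gives the list that deserves either a passphrase or an agent-based workflow; the openssh-key-v1 branch is the general parser for that container, so it covers any cipher/KDF combination, not just the two constructed here.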

hacking challenges and vulnerable sites to poke

RSnake (ha.ckers.org) has posted a nice list of purposely vulnerable sites, apps, and other ways to challenge one’s hacking skill. I have a small list on the right menu “things to do” section. Maybe someday I’ll go through his and transpose them to my menu, but for now a simple single link to his will suffice.

This really just reminds me that there ought to be 36 hours to every day…and I also see some of my links are now defunct. Ick.