While I’m not all caught up reading blogs, I hadn’t seen this yet so thought I’d share. This report from Tech Crunch of a Google Docs issue where some docs were shared out beyond the intention of the authors can be filed under, “Illustration of why you lose security control when using other people’s services.” While this issue may not have been leveraged by anyone, it is just one in the inevitable series of issues such services will create, especially as they want to break into the enterprise markets.

In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.

It is not my choice to confuse cloud computing with Web 2.0 in the linked post…
One thing I’d love to see: Your exec team hosts and shares highly confidential docs on Google that detail an upcoming, confidential takeover. Google decides to start serving your exec team ads on Google AdSense or search results pages plastering up the name of your competitor you’re intending to purchase. Or takeover mediators…

Mubix recently posted a how-to on OzymanDNS; basically how to create an SSH tunnel over DNS.

And he has now posted thoughts on whether tutorials like this are unethical (or the situation he is in himself as a Hak5 host and mentioning how this can circumvent hotspot captive portals). I highly suggest reading both posts as he makes great points (and I love me simple tutorials).

My position is probably fairly easy. I’m fully in favor of such tutorials, but I do appreciate, and add to any advice I give, any information on whether something is potentially illegal or something you can get fired over if you do it at work. Sure, I hate those “only for educational purposes” blurbs in almost every 2600 article as much as anyone (know your audience!), but they are useful when someone truly doesn’t think about those consequences.

Sure, some teens watching Hak5 might turn into tomorrow’s black hats, but they may also turn into tomorrow’s security geeks because of the information they received in pushing systems to and beyond their limits, or challenging controls that are not fully secure, or simply trying out something new that sparks new ideas.

I appreciate that Mubix thought it over, and I do as well whenever I give advice. However, if we don’t toe the line on ethics of that nature, we’ll continue down the road of not sharing enough information, which I believe harms our collective knowledge and security.

Thanks to Douglas Haider for posting that MetaGeek is offering a “turn-in/upgrade” deal for Wi-Spy users. If you send in your ol Wi-Spy, you’ll get a discount on a newer one. That’s not bad, especially since I got mine back when they were still $99 I think.

However, I don’t use it nearly as much as other things I could buy at that price point (yay opportunity costs!).

Upgrading to the Wi-Spy 2.4x is $200, and might be worth it. Paying $400 to get a DBx which really just adds 5Ghz monitoring, might be a bit of a stretch, especially since I have yet to encounter a wireless LAN operating in that range. A full product comparison is available.

So, a total of about $300 for a device like this is right about the borderline for me. It is nice and really awesome to have when you have a use for it, but otherwise tends to sit around doing nothing special. If the device itself were just a bit cheaper, I would consider this a no-brainer. Even still, I’m really considering the 2.4x upgrade…

This is pretty slick from the Attack Research site. You can use Meterpreter plus a memory dumping tool to remotely dump memory and pull passwd hashes from it. I see Bejtlich also posted about this. Part 1 and Part 2

Defcon videos have been posted. Finally, I’ll get to see Fyodor’s talk on nmap!

I do Get It that IT needs to align with business. But that doesn’t mean I think everything is then rosy in the house and all the puppies are happy. It’s an easy thing to say, but a hard thing to adhere to (or easy, if you like statistics and can twist anything into a business value-add!).

My boss’ boss recently related a story about a VP who was tasked with turning around a company that had the right technology but the wrong business strategy. This included constantly evaluating whether the technology (and projects) is serving the strategy of the business.

That’s great, but to me that reinforces the idea that you only do enough in IT to accomplish the job, and that’s it. You let the rest languish and most likely don’t do any housekeepping. Housekeepping includes things that make security work: logging, alerts, detections, testing to make sure things you put up 6 months ago still work, audit settings, patches and updates (that don’t add any new features you care about), etc.

Yes, that is a way to go. For example you don’t need absolutely spotless event logs on your Windows servers. But that also is a way to foster a completely reactionary culture in regards to existing technology. I think that approach works more for new technologies and projects.

It just means that someone has to value security and housekeepping. And I’ll always go back to the idea that so few people value personal security in their lack of security measures for their own home, let alone for the business they own, until they suffer for it. It’s like finding your God only when you’re deeply fearing your own mortality (or feeling excessively guilty about something and need an explanation).

Mubix posted an excellent question via Twitter today. Twitter promptly decided to poop out on me…but even so, I thought it a question worthy of blogging about.

mubixPolling the audience (serious answers please). If you could get your boss to understand one security concept fully, what would it be?

Take a few moments to think about that one. Grab a stess ball, sit back and sip some coffee, whatever it is you do when absorbing something, but just take a moment to think.

Lots of things come to mind. Trust no one! Audit and change management! Patch! Hire, retain, and train competent staff to do the heavy thinking! You can never have too much information (just bad consumption of it). Support the business securely.

I finally posted back the following:

@mubix Hard question, and worthy of a blog post. I’d say “You *will* have a security incident. Plan for it and plan to find it.”

I was hoping for something more profound like, “Wax on, wax off,” that would encapsulate a whole zen-like frame of mind where all security pieces fall into place. Alas, this was my contribution. At least I feel it states one of our fundamental laws of security, and sets the tone to properly detect, monitor, check, audit, and response to incidents.

I’ve casually used IE7 on a test work machine and on my gaming machine, i.e. not very much and certainly not enough to play around with the interface. Last evening at work we rolled it out to all desktop users. Holy sweet mother is that top bar a cluster of a mess! I normally wouldn’t mind it if I could fix it, but IE7’s customization is pretty much half-assed.

Optional menu bar? What are they smoking?
Can’t move the menu bar to the top where it belongs without a registry edit?
Can’t remove the Search box without a registry edit?
Can’t drag pieces up into the top bar?
The Home button is now broken away from the Back/Forward/Reload/Stop buttons?
Can’t edit or move the top bar?
Star (Favorites) buttons I can’t remove?

Again, I wouldn’t mind it if I were allowed to reset them all and move and disable what I want, but I don’t see a way to make this look decent at all! 🙁 I tend to be as mimimalist as possible with my browser, while still being functional. Small top bars, only 2 rows, and nothing that I don’t otherwise use regularly. I’m a computer user and thus I am fine using hotkeys or Menu bar dropdowns for occasional stuff. For tabbed browsing and a bar of Links that I only use on a work system, I’ll suffice with 3 rows of junk on the top. IE7 has me stuck with 4 at the moment.

And while I’m not against registry edits, it is obvious Microsoft did not intend for these options, and I dislike adjusting a corporate browser away from the standard settings.

We now know how to test for SSLv2. How do you fix it?

IIS6: Well, go ask Microsoft. It is a registry edit and not a GUI option.

Apache http.conf: “SSLProtocol +All -SSLv2” or even “SSLProtocol -All +SSLv3” Further cipher tinkering can be done with the SSLCipherSuite directive.

For everything else, you need to consult documentation. In my case, I have Citrix Netscaler load-balancers in front of my web servers. In the port 443/SSL vservers->SSL tab->SSL Parameters, I would uncheck “SSLv2” and uncheck “Enable SSLv2 URL.” That second one is just the redirect for browsers wanting to make SSLv2 connections when SSLv2 is not wanted. Of course, this can also be done via SSH.

A common question on security surveys and often an item auditors love to point out because it’s “easy” is the question of SSLv2/3 support. SSLv2 is insecure and shouldn’t be used. Various sources can describe (pdf) the issues better than I, but I will say I don’t know if anyone has made SSLv2 attacks very practical, even if browsers dropped to SSLv2 anymore.

So how do you check what SSL version your web site supports?

1. SSLDigger available as a free Foundstone tool
SSLDigger is a GUI tool that accepts a site (or IP) and digs on the supported SSL ciphers. A nice tool, but it actually gives no distinction between what is SSLv2 and what is SSLv3. However, it does rate ciphers on how weak they are, which can be a nice guide if you’re digging down that deeply and enabling or disabling various individual ciphers.

2. THCSSLCheck
THCSSLCheck is a Windows command-line tool. THCSSLCheck takes things a step further and groups ciphers based on their SSL version, which is a nice indicator. Very clean!

3. OpenSSL
Yup, OpenSSL (Windows and Linux) can also check SSL strength, and might be the easiest test to understand. It also gives some content that it receives from the website. This is helpful if you have a proxy, filter, or load-balancer in the way that redirects SSLv2 connection attempts. The above two tools simply determine whether a cipher negotiation was successful, but they do not report any context. In my case, I have load-balancers in front of my web servers that answer to SSLv2 connections with a landing page saying we don’t support SSLv2. So, yes the scan showed a positive, but it’s not a real positive. OpenSSL will catch this if you wait a bit and hit enter a few times.

openssl s_client -connect www.mysite.com:443 -ssl2

I recently got into X-Box Live (XBL) multiplayer matches in Left 4 Dead and this weekend Call of Duty: World at War.* I’ve been so far having a good time, but there is something missing in XBL multiplayer that I loved in my previous years of PC gaming.

I used to play Quake 1, Unreal Tournament I, and even the first Call of Duty, all on the PC. When you played multiplayer on those games, you would somehow get a list of servers hosting games and choose one based on various criteria, most likely latency, game settings, player population, and even reputation of the server. When you found a game that played well and was fun, you usually wrote it down or saved it as a favorite. This resulted in a list of frequented servers you played on.

Over time, I became a regular on my preferred servers, and I got to see other regular who were around on that server too. In fact, eventually you get to chatting with them and form a sort of gaming friendship (or rivalry). This was excellent as you could play with and meet several other players over time. This occurred in all three of those games I played majorly, and always resulted in clan invites, friendships made, and carry-over into IRC, forums, and IM. Sometimes you could play weeks before finally actually talking with another regular and chatting it up, having fun, etc. Every now and then you would even learn of other servers your friends liked, and thus expand your exposure.

In XBA, you typically dive into the multiplayer games and get thrown into a random game with a slot open, which is likely just an ad-hoc host in a farm of host servers. There are no server names, no preferences, no continuity to the multiplayer gaming experience; no home “turf.” If you want to make friends, you have to do so in the small window of time that you’re both in that particular game instance. And even then, you may not be playing on the same team on the next 3 maps!

Last night in Call of Duty there were over 200,000 people playing, and maybe 35,000 in my game type (Team Deathmatch since I’m new). The chances of me seeing any repeat action from players I’d seen before are exceedingly slim. Even in Left 4 Dead, I’ve only had a repeat player once (notably we both remembered each other).

The way you play repeat games is to friend people you play with, immediately. This results in a watered-down friends list full of people you barely know, friending everyone you possibly could stand to play with again. And vice-versa (considering I still suck, I doubt this is a 2-way street yet!). Even then, you still usually have to join the games as an XBL party or risk playing against them or not at all because their game is full. This can make bad choices in friending people be awkward moments where you’d rather avoid them…

I wonder how clan matches work in this setting? Maybe I’m still missing things in my limited exposure…

Still, there is something to be said about the continuity of the gaming experience and community that forms from discrete servers. It would be nice if XBL had named servers, and if capacity was larger than the named ones, then maybe ad-hoc hosts can spring up for peak times to get all those people looking for a random game. Or just have such a huge pool of “server” names that they never run out.

“Aldaraan #10” is the place to be Friday nights!

* It is already annoying enough to hear 8 year old boys talking with impunity in game, let alone a game that now and then says, “Good fucking job, marines!” I find that many of my jokes and game jabber may not be suitable…

Fun times continue with PCI DSS. Anyone with an idea of security saw all of this coming (and this can be applied to any security checklist…):

1. PCI “compliant” firms suffer breach.
2. Companies/people question PCI.
3. PCI blames firms for not being perfect every moment of every day.*
4. PCI DSS is only guidelines, checklists, that don’t actually DO the securing in and of itself

We’ve all just been waiting for more inevitable data points on the grid of this argument.

The argument revolves around how PCI markets their DSS and how people accept it. If PCI markets it as a rubber stamp approval of ultimate security, they fail. If people expect PCI to be perfect, they fail. PCI can fix this by simply adding the byline: “…this is where you start with security, but this is not alone a guarantee of security.”

Of course, we all know how that will be taken: “If it’s not perfect, it’s useless!” Which is an immature (or common business) argument in a realm where perfection is not possible. Sadly, and this is where the media sucks (and rightly milks it for the hits/attention) and the General Public only has immature thoughts about security. But still, PCI fails for allowing the perception that its DSS will save you, even if that was their intention in the first place.

PCI is no better than any checklist or list of best practices.

* PCI can weasel out of any blame any given day. Just blame the QSA and/or the firm. This is another “law” of security, not just cyber but every sort of security from war efforts to the war on drugs: You can always naysay because there is no ultimate “win” and no ultimate definitions. Another “law” illustrates this, “You *will* suffer a security incident.”

I recently got back on sat radio with Sirius/XM. Now I see they’re floundering? I can’t say I’m totally surprised. While the idea of “commercial-less” music and radio is brilliant and necessary, as well as the beauty of being able to listen to what I want as opposed to what happens to be in my midwestern farm-state area, that has to balance with the fact that it costs money vs free FM/AM radio, and household budgets are tightening.

I don’t think sat radio has a real market anymore; it was a transitional piece kinda like Blu-ray today. What I think will be the future is all of the web-based podcast and radio stations (like my favorite somafm). All it takes is the ability for my car to get on an internet connection and pump out a stream into my receiver. That’s it! Sat radio is still a closed system, even if they do have 3000 channels. Give me an open system like the Internet to choose my station… With Sirius/XM, I’m paying for 297 channels I typically don’t listen to, and the 3 I do listen to are sometimes playing things that suck and make me go back to my ipod or cowon or a disc. The most expensive channels (Howard Stern, Martha Stewart) I’ve never and never will listen to.

And it doesn’t even have to be a subscription fee system! Just charge for the cables/receiver to handle streams, and then pay for what many of us already have: sat data connections through something like our phones. If our fav stations want donations or fees, then so be it.

I get some “ok” stations on sat radio, but I’ll get exactly what I want at all times when given the freedom of selection from the entire Internet. Seriously, Pandora streamed to my car? Hawt.

Can Sirius/XM save themselves? Sure, but only if the music/radio industry as a whole doesn’t stop them. Sirius/XM already has all the logistics to beam me somafm or Pandora. They just need to license it. And that’s where I think the industry will politically block them. I don’t think the general music industry dare reverse their years-long fights against online broadcasters…bastards.

Last night I finished reading Little Brother by Cory Doctorow. The book is centered around security, privacy, and hacking as a survival trait. The technical bits and pieces are excellent, and the entire premise is easily plausible. It is an easy read, engaging, and technically awesome. The book is firmly geared towards teenagers. While there are some underage drinking, drug references, and minor sexual content, this is nothing compared to what goes on in the lives and minds of maturing teens today. Even so, I would recommend it to any teen with a passing interest in technology (even if you just use MySpace for fun), as well as any adult who has such interest in protecting privacy, freedom, and digital security.

On a side note, it makes me smile with enthusiasm at what it must be like to be a teenager or younger, growing up firmly in the midst of all this social networking and technology surrounding every facet of our days. I get a bit giddy at what someone with unlimited time and imagination can do with electronics and our digital world; it’s awesome!

In my previous post I reacted to Rich Mogull delving into the idea of a government agency being allowed to clean or isolate compromised systems. I wanted to pull out one idea and just bring it up without hopefully beating it to death; a “something to think about” moment.

Compare and contrast the feelings of a government having the ability to control, clean, or isolate your computer system with the ability for a corporate security officer to control, clean, or isolate your computer system at work. I won’t wax on about it, but just sit back and think about it beyond just who owns the assets, but also the value of some measure of privacy both at home or at work. It’s a good exercise! We get very passionate about privacy at home, so should we bother with thinking about it a litle bit for workers at work?