The Winter Scripting Games 2008 are right around the corner, starting February 15. Last year, these “games” gave me the kick in the pants to try out Microsoft’s PowerShell scripting, and I must say it might be one of the better skills I acquired through last year; something I could use both at home and at work.

I plan to participate again this year in the PowerShell division(s), but I see they are also including Perl in the games this year. I think I will try to put the most effort into the Perl section since I’m horribly rusty with it.

So check it out, give them a try, and pencil in those dates to save some evenings for devoting some time to the challenges.

There continue to be a good number of live cd distros available with a security slant. Here are some links, although some I’ve not even booted into yet to check out.

Russix is a wireless pen-testing live cd that appears to make the most common wireless penetration tasks surprisingly automated.

Hex 1.0.2 is a platform for network security monitoring.

Deft v3 is a self-explanatory live cd: Digital Evidence and Forensic Toolkit.

Honeywall 1.3 appears to be a data capture installer. This isn’t a live cd, but rather an installer that should be run on an empty or expendable hard disk.

Various other firewall installs are also available as usual. IPCop 1.4.18, pfSense 1.2 RC3, SmoothWall Express 3.0, m0n0wall 1.3b7, Untangle.

A lot of attention in the Linux world goes to accessing Windows partitions (NTFS) in Linux. From Hackosis, I’ve recently been pointed to Windows tools that can access Linux partitions. This can be useful if you dual boot and have multiple file systems on the same local disk (or if you mount another disk onto a system, although I’m not sure why anyone would want to mount a Linux disk on a Windows system… I guess backups and even Windows-only forensics tools might be some reasons).

Linux Reader allows read-only access to ext2 and ext3 from a Windows system. Ext2 Installable File System will allow read and write access to ext2 from a Windows system.

Videos from the 24th CCC have been posted. I highly recommend Toying with Barcodes by FX. It is nice to think about the various ways technology around us can be extremely vulnerable to tampering, and barcodes are ripe. I’m sure this is old news to many tinkerers (hackers), but FX does an excellent job highlighting many issues.

Black Hat USA 2007 videos are also up.

Tunak Tunak Tun is an infectious music video. Some of the dance moves occur in WoW.

I do read a few non-security blogs, and sometimes they offer sage advice. A post by Samuel from WakeUpLater.com (if you freelance/work-for-yourself you can wake up later) has a few excellent points (although I will argue his title doesn’t match the text).

The title of the post is Stop Reading Blogs: Go Create Something. I know from all of the blogs and sites I read regularly, I get such a huge influx of cool things and tools to use, that I end up trying out less than if I just had a shorter queue and more time to try them. My gmail box is overflowing with stuff to check out from the past year. Reading blogs is helpful, but I’m the last person to ever say I know Topic FGH just because I read about it online. I think I’ll make a point this year to start culling my list of useful blogs that I read, or at least organize them in a more tiered fashion from Must Read to Only If Bored.

The post also goes into writing, Stephen King, and reading. I really love this, and I do have a special place in my heart for reading and writing. Find a space that is yours and free of distractions. Get something done. Get started and the hard part is then behind you. Do it for yourself, not others. (If you do it well, the part about the others will find its own place.)

This past year has been the first time I’ve had an apartment to myself, and I’m now pursuing outfitting the second bedroom to be my little workspace conducive to all of my geeky endeavors.

Mike Rothman picked a theme. Even shrdlu picked a theme. Should I lay early claim to “Aenima” by Tool?
Some say the end is near.
Some say we’ll see armageddon soon.
I certainly hope we will.
I sure could use a vacation from this
Bullshit three ring circus sideshow of freaks.

No, I’m not quite that negative at the moment. Being at work and not having a legit means to browse my music collection, I’ll have to put this topic on hold and listen for a candidate song over the next few days or week…if I even do come up with something interesting.

I’m not big on generalizations, but let’s face it, they happen. I clicked through to a ComputerWorld article on how Generation Y are the biggest users of our libraries. Neat. This prompted the question: “What the hell is a Generation Y person?” I was born in ’77, so I’m on the nebulous border between designations, but from reading a rather interesting article on Wikipedia for Generation Y, I tend to fall more into Y due to my technological inclininations. Labels aside, it is at least interesting to see how the workplace culture is changing with a generation of young people, whom I still consider myself to be a member of.

I watched fabs’ presentation on Advanced Port Scanning at the 24c3 (that looks like a heckuva venue!), so thought I would poke around and see if Port Bunny had been released yet. Basically this should be a simple TCP port scanner that can scan faster than nmap; the presentation goes into the reasons why. It doesn’t look like the tool is out yet (and I’m patient so will wait for the official release in January), but I did find a post from FX on the Recurity Lablog about retrieving faxes off a spent thermo transfer ribbon from a fax machine. Information hides in interesting places!

I like this list of threats and risks and whatnot from the CISSPForum [pdf]. It is a small 8-page document (1 page intro, 2 pages references and closing) which is a nice blitz on the topic. I really dig that each section is a printed page, so can be easily posted and/or digested over time. Totally recommend reading it through once.

Some topics in the security field are important enough to always be visited, even if a solution or consensus is not met. Such topics can lead to formulating entire paradigms on how we approach our daily security decisions personally and professionally. In fact, these discussions are important to me whether I agree with them or they run fully counter to my own views and I certainly do love bookmarking excellent essays.

Kurt Wismer has recently posted a couple such topics that I think are especially important to keep in mind. First, Kurt talks about why vulnerabilities are just never going to go away, and what that means to our approaches. Second, he probes the question on what average users need to know about their computer security.

Andy ITGuy posted a picture of a login and password taped to a keyboard. Awesome! So, how does one combat this besides just waving the policy around (since I’m not gonna bet my salary that that will work)?

First, I love the idea of walkarounds. I know it sounds juvenile, but some night do a walkaround inspection of the premises, especially cubicles/workplaces. THis can be done in phases of small random samples, as well.

Second, document and fix any mistakes. That login information on the keyboard? Photograph it and remove it and destroy it. That way the next time someone needs to get on there, they have to ask someone or make a cognizant effort to recall the information. That might be all the goading they need!

Third, maybe write up people who break the rules, but that is difficult at times to get managers and HR to get behind and put some teeth into. Instead, dock teams of people (or departments) points for policy breaks and reward the teams who break the least rules. Give em an extra day off, a pizza lunch, or whathaveyou. And no, a luncheon with the CEO is NOT a reward (yes, I’ve seen that!). Make it something people want just enough to add a little social pressure to comply. And try to keep it on the positive side of conditioning.

WatchGuard has produced a user awareness training video dealing with good password habits. A good quality video, although I don’t think we need to bug users’ eyes out with 14+ character passwords. With proper regular rotation (60 days), they don’t necessarily need to be insane lengths unless the accounts are especially sensitive.

In case you’ve been too busy to keep up with the popular news, a video has been created where several wireless keyboards were recorded and their keystrokes decrypted. Nice video, and of course I’d love to get my hands on the gear/software.

You use Google as your search engine, and you do searches for all sorts of stuff from your home connection with a predictable IP address. The resultant data kept by Google will likely eventually be sanitized with a unique identifier that won’t be tied to you. But as we’ve seen in the past, we can analyze all the searches I’ve done with that unique identifier and create a very real profile of me. Most likely you’ll find my habits, purchasing trends, most likely where I live thereabouts, and so on.

With RFID still being talked about, can you still have a problem with encrypted RFID tags or passports and such? Sure. While I might walk around with my RFID-enabled passport, various stores I shop at won’t be able to decrypt my passport information, but what if they could detect and copy it? They can track me without really knowing me. Get a wide enough subset of data by someone/something that can get long-range detection, and you can easily see where I work (I spend 8 daytime hours there), where I live (I spent 14 evening hours there), where I can to lunch, and my favored shops…

I wonder when cell phone tracking will become a marketing data set? It’s on me all the time and it is on. You can see every place I go by tracking it…again, even if you don’t know me.

Without knowing me, you can still know me…and given the ease of reading RFID devices and/or cloning of them… Hrmm…I bet in ten years I could get a Harry Potter-esque clock that lets me know when my kids are within proximity of my house and pop their portrait out when they’re home.

Want to look someone up? Well, this blog post doles out some links to some fun people searching sites. As much as I’d like to say it found me out, there are quite a lot of people who share my name, and the only information I found on me was dated at least 4 years ago. Almost tempted to add this as a “people search” menu item on the right…but not really sure I’d use it unless I was a hiring manager or something….