Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn’t know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.

Secunia Personal Software Inspector – Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don’t know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That’s money right there!

GMER anti-rootkit – This tool looks really cool, and if it doesn’t require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows…

File Shredder – I like the idea of File Shredder, but I’m not sure I really need it. It’s not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it’s nice to have one in the pocket if the need arises.

Other tools are iffy to me. I’m not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefix has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that’s a special purpose and I don’t need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can’t think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.

For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that’s not enough, but I’ve got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).

I have a Wi-Spy, which is an excellent (and cheap!) specturm analyzer tool. I saw a mention for it on NetGirl’s blog over at ArubaNetworks on her list of cool tools. But I didn’t know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.

I’d thought that was what EaKiu was, since I’d seen mention of Mac and Linux software back on MetaGeek’s old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.

A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5, install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case, top 5 is really “the 5 things to do.”

Instead, I’d replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son’s little league digital pictures or those important sales emails.

I dig BookPool.com; I’ve used them for many of my book purchases over the years, only occassionally delving into Borders/Barnes & Noble/Amazon when I have gift certs or for impulse buys. Today I pre-ordered Virtual Honeypots. This looks to be an awesome how-to sort of book about honeypots; something I’ve been eagerly waiting to delve into. It should be out any day, really. This was prompted by a welcome spam email from BookPool about a sale on Addison-Wesley and Prentice Hall books.

I’m also eagerly awaiting the Metasploit Toolkit book, despite being published by Syngress (in my opinion, the spottiest tech book publisher with quality all over the place….and I just don’t like holding their books like I do Addison-Wesley books). There’s a lot of new stuff in Metasploit 3, and I’m holding out really getting into it (like I used Metasploit 2x) until this book comes out. I may combine this with looking into Ruby or Python a bit more. Of all the tool-books out there, only BackTrack comes to mind as needing an updated book (BackTrack 3 perhaps?).

I also see Wi-Foo II has been pushed back (or maybe it was really tentative at late 2007 months ago) into 2008. I’m looking forward to this book as well. The first book was awesome, but got mired down in the technical problems of getting wireless working properly in Linux, which is a requirement for the subject. These days, wireless support is much easier and better, which hopefully means less mud devoted to the intricacies and details. Other books cover it well lately anyway, like Hacking Exposed: Wireless and Syngress’ Wardriving and Wireless Penetration Testing. Although not without their own minor faults, are both excellent wireless security books.

In late 2006, DarkReading published the 10 most overlooked aspects of security, which I think will end up holding true for a very long time.

I decided to screw around some more and actually recorded the creation of my OpenVPN server. I did this mostly to do something I’ve never done before: make a video of something and cut it.

I used VNC on a Windows box to connect to my Ubuntu 7.04 server. I then recorded that window using CamTasia Studio 3.1, which I also used to add music, edit, and produce. The music is Baja by Sasha. The codec (CinePak codec by Radius) is the only codec available by default in CamTasia that worked on both my Windows box using VLC and Windows Media Player, and also on my Ubuntu laptop using Mplayer. If it doesn’t work for you, I suggest those players, or tough luck. Maybe I’ll choose something better and smaller next time, but for now, this was just a learning experience for me.

The video is over 190MB and runs 12:35. I don’t have a real hoster, so I’ll leave this video up for a few weeks (or hours if it brings me to a crawl!). If it is not available and you want it, email me and we’ll figure something out.

Suggestions are very welcome, but be aware I know this was a very amateur deal. 🙂

I recently stood up an OpenVPN server at home. I’ve done SSH forwarding to protect my hotspot browsing habits in the past, but I thought I would try something new. I installed this on an Ubuntu 7.04 system that was running as a VMWare guest OS. I opted to go with a routed VPN solution. The alternative is a tunneled connection which makes it seem like my VPN client system is right on my home network. My routed solution will rely on the Ubuntu server and my home Linksys router to route traffic from my VPN network (10.8.1.0/24) to my home network (192.168.10.0/24). I also make sure that I force my traffic through my VPN, rather than let it seep out in the clear at the hotspot (the push commands in the server.conf file later on). From bare start to finish, this entire setup can be done in under 15 minutes.

I am not going to detail what each command does except in passing, because there is excellent documentation already available for OpenVPN. What I rarely see, however, is a quick walkthrough on how to set it all up on Ubuntu.

I start out by installing the packages that I need. OpenSSL may not be needed, but I included it anyway.

sudo -s
apt-get install openvpn openssl bridge-utils dnsmasq
mkdir /etc/openvpn/keys
mkdir /etc/openvpn/configs
nano /etc/openvpn/server.conf

Server.conf is the server configuration file. The contents describe that I will run my server on the IP 192.168.10.108 and port 1194 udp. My VPN “network” will be in the 10.8.1.0 255.255.255.0 network. OpenVPN will grab 10.8.1.1 as the server, and my client will be given a similar address. Once my client is connected to my OpenVPN server, I should be able to ping 10.8.1.1 and verify I can talk to my server.

port 1194
local 192.168.10.108
proto udp
dev tun0
ca keys/ca.crt
cert kets/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
push “route 192.168.10.0 255.255.255.0”
push “redirect-gateway def1”
push “dhcp-option DNS 10.8.1.1”
ifconfig-pool-persist client-adresses.txt
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn
verb 3
mute 20

The client-addresses.txt file is just a convenient way for me to track who gets what IP.

nano /etc/openvpn/client-addresses.txt

client1,10.8.1.6

Next I take care of the keys I need, along with some other setup. When creating the keys, I don’t assign a password, and I do select yes to sign and commit changes.

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
nano ./vars
#change values at the bottom and save
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
cd keys
cp ca.key ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys
cp client1.crt client1.key ca.crt /etc/openvpn/configs
cd /etc/openvpn/configs
nano client1.conf

The file client1.conf is the client config file that needs to be given to the connecting client box. LVVPN is the name of my network adapter on the client. After installing the OpenVPN client on the Windows client, create a new TAP and give it this name.

client
dev-node LVVPN
proto udp
dev tun
remote www.terminal23.net 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3
mute 20

I need to get the client files to the client. I do this by copying them to the client’s home directory, then connecting via SSH to get them. Since I’m running all of this as root, I need to adjust the client1.key file so the client can grab it via SSH, otherwise I’ll get a permission error. I then start the service.

cd /etc/openvpn
openvpn –genkey –secret ta.key
cd /etc/openvpn/configs
cp client1.crt client1.key client1.conf ca.crt /home/michael
chmod 604 /home/michael/client1.key
#copy files via SSH to client into openvpn/configs folder
cd..
openvpn /etc/openvpn/server.conf &

I’m never satisfied with just doing something, I usually need to verify it. I do this by making sure the service is running and that it is listening on the expected port.

netstat -a | grep 1194
ps -ax | grep vpn

Finally, I need two more commands to enable IP forwarding for my particular setup.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

Since my home Linksys router is limited to a GUI, it is a bit hard to detail what I did to set up my route. I just added a new route in the Advanced Routing section. Destination LAN IP is 10.8.1.0, subnet mask 255.255.255.0, and default gateway 192.168.10.108. This was set up to let me talk to my internal systems. I also had to port forward my VPN port to this system. This means that after I’m connected, I can ping 10.8.1.1 to verify I am on my VPNs network. I can then ping 192.168.10.1 (or a valid, responsive host on my home network) and I should get a response if forwarding is working.

From here, start up the client’s VPN however you like. Many people start it up by right-clicking the client1.ovpn file (rename client1.conf to client1.ovpn) and choosing to start it as an openvpn connection. I like the tool OpenVPN GUI for Windows. This is merely a personal preference since I like the sys tray interface.

One last thought has been tickling my mind when it came to that WSJ article I linked to the other day. It was about control and telling people not to cross the lines or do things they’re not supposed to do. Think about that for a moment. How far would we get if everyone stayed between the lines? While there are some ethical near-absolutes like murder, most everything else is such small beans that pushing the boundaries now and then can be a good thing. Like working out, you can’t build muscle without first making thousands of micro-tears to induce stronger rebuilding. Growing pains, which are going to be abundant in our culture and technology for some time. Even if we don’t act on them, it is good to think about them and question our policilial (yes, I make up words) stances.

Besides, even if our users know all this junk, we protect against it, right? Full disclosure?

What better time to release a blog-inspiring IT security article in the Wall Street Journal than when half the crowd is in Vegas for the week? Yes, the WSJ posted 10 Things Your IT Department Won’t Tell You, which really should be reworded, 10 Ways to Circumvent Your IT Department’s Restrictions. Here are some notes of mine on the article as a whole.

A. The author needs to stress further that employees should look at their corporate policies and talk to their IT staff. Sometimes it just takes user interest to get management to look at legit technological solutions to the below problems, not workers sneaking around. I wonder if the WSJ wouldn’t mind if its editors sent all their email to a third party service or stored their files online? It would just be nice if the author had constantly (or at least at the beginning) reminded readers that while this is all in good fun, they can be crossing policy lines.

B. The author implies, or rather nearly flat-out states, that these items are part of a rather strict and unfriendly IT security stance. This is really not so. Some things like blocking certain websites are done almost as much for saving bandwidth costs as anything, or to prevent such things as porn viewing which can create a hostile work environment. Other things like email size requirements can be an external limitation by the Internet infrastructure at large (i.e. your target’s mail servers). Likewise, storage is cheap, but try telling that to senior management when the Exchange servers start complaining and buckling and backups take too long. Alleviating that means spending money. And often management figures that money is better saved and file sizes remain reasonable. IT security is not the only force here, but rather simple economics in the IT world. Really, often it comes down to treating everyone equally and costs.

C. Contrary to what every non-IT person seems to think, IT pros do not know everything or every piece of software. Limitations are often made so that we have a finite job description. Supporting every piece of software that even 50 users can install is frustrating and a drain on company money.

D. I don’t like the feeling that the author’s Risks sections are skewed to the POV of the user, and not the business as a whole and how dangerous some of these practices may be. Some are properly framed while others are not.

E. That all said, I think this is an important article. It illustrates the common pains our users (and we as well!!) have when it comes to the convergence of work, culture, technology, and social lives. Each of these pain points should be fixed by IT, or at least the policy behind them transparent to the constituents. Each of these should also be examined to see if, instead of benefiting the company and our employees as people, we’re holding them back and trying in vain to stem the tides of culture and progress.

1. HOW TO SEND GIANT FILES – How many companies really do need to send giant files and don’t have any sort of FTP/SFTP infrastructure? No, your baby pictures in bitmap format and 10 times as big as modern monitor resolutions do not count as a business case. I am saddened to see the author tell users to look for the IE lock symbol as reassurance of validity, and that a Verisign logo further ensures the identity of the site. No, that’s not enough, sorry. Oh, and if an Adobe exec runs it, it is less likely to have security holes. Say what? Anyway, IT does need a plan for transferring large files anyway, so get one. Everyone, and I mean everyone, hits the attachment max at some point. Hell, even Gmail has a max; live with it.

2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON’T LET YOU DOWNLOAD – This one really peeves me, because I’ve too often seen a) malware enter because someone wanted certain software, b) computers become unusable due to crappy software or incompatibilities with business software, and c) frustrated users who then frustrate IT because they MUST have some backwater POS software installed or they will quit, or something equally outlandish. The bane of all IT is having to support everyone’s crap. Yes, I’m jaded on this point, but there is usually a process of requesting and approving software for use in the business. Good IT will log all executed software, and query on why they were run. And be aware of your company size. Small companies can likely get more software approved, but large or medium companies just cannot scale IT to support every little thing.

3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS – First, web-based email is not innocuous. Second, if your company blocks these sites actively, your proxy calls will likely be logged as well. If you need a site opened up or something, ask your manager, HR, or IT. If it is Final Four season and you can’t stream the first round games, well, sorry, but we can’t bring the internet access to a crawl just to see a 15 seed get crushed by a 2 seed in a game that will be played regardless if you are watching or not. And no, you can’t connect to GoToMyPC.

4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP – I really like the author saying, “…don’t use your work computer to do anything you wouldn’t want your boss to know about.” That’s it in a nutshell right there; that should be everyone’s personal policy.

5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME – Ugh. Don’t ask your IT admin to help you set up Google Desktop. Bad. Ask how you can get set up with a VPN connection from home that is secure and allows you access to your computer or a file store. The author stupidly says three things that he/she should have put together. “…top-secret financial information…” and “…search company keeps a copy of your documents on its own server…” and “…myriad state laws regulate how a company has to react when it loses private information…” If you play the “duh” game, you see that you might have to provide some answers why you are allowing top secret, possibly regulated, information to be stored on third-party servers. Good job.

6. HOW TO STORE WORK FILES ONLINE – Like web-based email services, thinking too much about this problem creates ulcers. Yes, I’d like to encourage my users to store their files on third party services, because then they can store megs and gigs of company data out there, then quit (or god forbid get fired), and leave the company with absolutely no means to recover, inventory, or secure that data. Brilliant. These services should be stopped via web filters and software install restrictions, let alone via policy. Oh, and kudos to the author to recommend USB and other portable devices in item #2, then calling them cumbersome in this one.

7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL – These “nifty tricks” can spell doom for compliance, if that is your company’s game. Tracking this stuff is such a grey area it’s sick. Honestly, I don’t like my stuff logged for perusal by my manager or HR; I really am part of the generation whose social lives tend to revolve around electronic means. But I do prefer to have things logged just in case, from both my personal POV and from the company POV. We need to make sure our processes and actions are transparent so that employees don’t think we’re reading their IM/email logs to get juicy gossip details. Chances are not good for that happening, sadly.

8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON’T SPRING FOR A BLACKBERRY – Another ulcer about data free-flowing out the company door, but at least the author implores readers to talk to IT.

9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY – I don’t see a huge problem with this, until you a) run that attachment…oops, that was a virus and screw things u, b) can’t get it to work and ask IT in which case we’ll tell you no and watch you closer, or c) email that really important client from…oops, your personal email hotjerkyboy69foru from hotmail. Explain that to your boss…

The last one is just a light-hearted gimme; a lame contrivance of journalistic levity.

In the end, all of this comes down to a few protections by IT that can make a lot of these issues be blocked properly:
i. software restrictions based on policy and technology, including executable logging
ii. web filtering, or at least logging if not outright blocking
iii. data privacy/sensitivity training and strict adherence to least privilege access rights, better yet, full logging of all data downloaded/viewed, but good luck with that
iv. work with your users to overcome these challenges and find a happy middle ground

Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

I will add to make sure and grab the cached logins on the workstations attacked as well. Often, systems cache the default last 10 accounts, which almost always includes at least one admin-type account from desktop support or the person who made the image in the first place.

If you crack the local admin password, don’t just use it on other systems, but try to change obvious things in the password. If they’re not the same across the department or even the company, often desktop support has some sort of predictable password scheme based on the computer name or user name or department. Heck, even I had a predictable one back when I did support, but you really had to work to guess it and I left plenty of red herrings laying around (like having the second half of the hash crack into a known word or just lower-case letters to throw off how complex the first half was…)

I have protection on my SSH ports, but I wouldn’t mind more. Honestly, it can’t really hurt. This article by Kevin van Zonneveld on adding brute force protection to iptables (and your Ubuntu install) to help secure your SSH is a welcome addition. Far too often I read tidbits like this that stop at the first step: adding the iptables rules, and leave out all this other good stuff that Kevin goes into, like rummaging in cron to clean up rules, persisting the rules, and so on. I plan on adding this to my server in the next few. Thanks Kevin!

As a side note, it’s been over a year since I’ve been tinkering with iptables, so this will get me back on track as I’ve become rusty…

I just recently finished reading the excellent book, Security Metrics, Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. Andrew has written a book, not that I would like to write someday, but a book about a topic that hasn’t been written about before, and he certainly has something (many things!) to say about it.

In fact, I have to make mention of a phrase that toally made me happy to see, since I rarely get such literary enjoyment from technical texts. On page 118, we have this gem: “perfidious outsourcers pilfering proprietary secrets.”

This book is definitely worthwhile for anyone who ever has to present security metrics as a part of their job. I would also recommend it for any security operations people who want to understand why some metrics should be gathered and how to better give your analysts and managers what they want. Likewise, any security operations people are likely the future analysts and managers anyway, so this makes for a very good early orientation to the important questions and how to appropriately answer them, let alone self-evaluate their own systems according to more appropriate metrics.

This Posted in general

Reading the Bejtlich interview sparked a thought. I read this in response to what makes a good network security analyst:

First, you need to want to beat the bad guys. If you are entering the security field because you heard a commercial on the radio advertising higher pay, you will not get far.

For some reason, this made me think of mention that Marcin made recently along with pdp about the movie Hackers and/or that old “hacking” culture that seems missing lately.

I need to give pdp proper kudos for coming out (hehe, read *that* link out of context why don’t ya?) about the movie’s influence on his life personally. There are few things more chic in digital security than bashing CISSP-holders, but bashing the movie Hackers is one of them. I love the movie for what it is, even if the details are dramatized heavily.

At any rate, pdp and Marcin are both (independently and cooperatively at the same time, I think) looking to revive a little bit of that curious innocence and culture that the hacking scene has seen slowly disappear. This sounds fun and cool, and while the industry, technology, and hackers-turned-professionals have largely matured, we can still have a hell of a lot of fun in our little geek circles and keep things immature and fun as a way to keep our lives from becoming overgrown with the burden of the daily IT/security overwork. Embrace your inner deviate, if not in action, at least in thought.

I think the bottom line is to just have enthusiastic, lifelong passion about this field. Live it, embrace it…but that last might be my hedonist side talking.

A quick note that Marcin has posted an interview with Richard Bejtlich over on his blog, ts/sci-security. Richard hosts what is definitely one of my favorite blogs, writes excellent books, and basically is one of those zen masters of his field of expertise, namely network monitoring and everything that goes into that discipline. Of all the people I would love to learn from and work side-by-side with for a few years to sponge up information, he’s near the top of the list, truly. I’d even fetch his coffee, give him massages, and frollic…er…someone stop this downward spiral..!