university of iowa data breach

I have not been made aware of being a victim (or potential victim) in any of the large-scale data breaches so far (I don’t shop at Marshalls/TJX and I only use one credit card for the most part anyway…I still like cash the most!), but I know someday I will. A little closer to home, I see this morning that “more than a thousand” people have been notified about a data breach at the University of Iowa. Why this breach only exposed “more than a thousand” people, I’m not sure. All the other tired, obligatory PR notes are given, such as “No evidence that personal information is being misused…”. I have no evidence that I might be involved in a car accident today, but that won’t stop it from possibly happening.

While this is closer to home, I will note I graduated from Iowa State University, not U of I.

openvpn server on ubuntu 7

This weekend I finally (after way too long) got my OpenVPN setup to work as desired. I had plenty of workarounds ready, but I was pretty determined to get this working the way I wanted. I think my problem was twofold. First, I needed to turn on IPv4 forwarding on the Ubuntu OpenVPN server. I will be testing this today to see if that really was needed. Second, the Linksys WRT54G router was set up wrong. Not sure what I was thinking, but I corrected the problem this weekend and everything was happy. So I blew away the server VM and rebuilt it without all my little troubleshooting settings and commands to better isolate only exactly what I need to rebuild the system. I’ll provide more details on my install hopefully later this week. After a few more builds, I expect to save a post-install snapshot finally.

has the tuberculosis guy even apologized yet?

Unless you’re like Marcin and aren’t aware of your surroundings for weeks at a time (hehe!), you likely know about that guy who has a strain of tuberculosis and decided to fly halfway around the world and then purposely circumvent security to come back to the US. If someone has seen that this winner of a guy has ever posted or spoken an actual apology yet, please let me know. I’ve yet to see one, and seeing one would assuage my anger…

To bring this back a bit, do you know who the cowboys in your organization are who know security but choose to circumvent it and take big gambles with people’s welfares? Do they ever apologize? Do they ever reform?

why raid does not work in the home

George Ou has recently taken up the torch of demystifying RAID for average users so they can reap the benefits. Unfortunately for George, I agree with his detractors who say RAID isn’t going to fly in the home. Honestly, RAID makes even geek heads spin sometimes, including my own, and managing one’s RAID setup is really up there with changing your own oil: not everyone does it or wants to do it. In fact, most average people really couldn’t give a fuck about RAID; they just want to back up their data.

I think George should stick to the easy things when it comes to consumer-level storage. Educate people about regular backups using one of two methods: drag-n-drop or NT Backup (or both!). And for media, educate people to use one of four options: external hard disk, USB key (or two), CD burning, or DVD burning. Drag-n-dropping data is natural, and people just have to think about what they would want backed up, drag it over (or burn it), and set it aside in a safe place. If people don’t understand or know what they all need, use NT Backup and, in the event of a disaster (on consumer levels, i.e. a hard disk gone bad), have that on hand for techies to restore.

That really should be the extent of trying to educate the masses. Granted, it is not pretty or scalable, but it gets the job done and goes only as far as most consumers really care to go. (Honestly, I’m not sure who George’s audience is: technically proficient people who already know this stuff, or technically unproficient people who shouldn’t be bothered with RAID…either way, he’s seeming a bit lost on this effort.)

malware staging points in windows registry

F-Secure (and Andy, whose blog I checked first!) posted about the most common registry locations that malware tries to start from on Windows. Not only is this list highly useful to check in response to an incident, but like any good baseline, this is a list of locations that all admins should be familiar with even before an incident. It doesn’t help to have an incident, check one of these locations, and not know what those other 25 entries do. That is wasted time trying to isolate which one is out of place. Check these locations out now and see what is really going on with your system. I even filed this into my always-being-built wiki.
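The “know the baseline before the incident” point above is easiest to act on with a saved snapshot and a diff. The following is an added example (not code from the original post, and not F-Secure’s list): it parses the text that `reg export` writes for a handful of well-known autorun keys (only a small subset of the real list), compares a baseline export against a current one, and reports entries that were added, removed or changed. Both registry exports below are constructed sample data, including the suspicious `svch0st.exe` entries.

```python
"""Baseline-and-diff of Windows autorun registry locations.

Added example: the .reg-style snapshots are constructed, and AUTORUN_KEYS is
a small subset of well-known autostart locations, not a complete list.
"""
import re
from typing import Dict, List

# Well-known autostart locations (real keys, but deliberately only a subset).
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Path]
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string value"

Snapshot = Dict[str, Dict[str, str]]


def parse_reg_export(text: str) -> Snapshot:
    """Parse the subset of .reg syntax written by `reg export`: [key] headers
    and "name"="string" values. Only keys listed in AUTORUN_KEYS are kept;
    the default value (@=...) and non-string types are ignored."""
    snapshot: Snapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            path = key_match.group(1)
            current = path if path in AUTORUN_KEYS else None
            if current is not None:
                snapshot.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg files escape backslashes as \\ ; unescape before comparing.
            name, value = value_match.group(1), value_match.group(2)
            snapshot[current][name] = value.replace("\\\\", "\\")
    return snapshot


def diff_autoruns(baseline: Snapshot, current: Snapshot) -> Dict[str, List[tuple]]:
    """Compare two snapshots key by key. 'added'/'removed' hold
    (key, name, command); 'changed' holds (key, name, old_cmd, new_cmd)."""
    report: Dict[str, List[tuple]] = {"added": [], "removed": [], "changed": []}
    for key in AUTORUN_KEYS:
        base, now = baseline.get(key, {}), current.get(key, {})
        for name, cmd in now.items():
            if name not in base:
                report["added"].append((key, name, cmd))
            elif base[name] != cmd:
                report["changed"].append((key, name, base[name], cmd))
        for name, cmd in base.items():
            if name not in now:
                report["removed"].append((key, name, cmd))
    return report


# Constructed sample exports (not real systems). Paths are placeholders.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\EXAMPLE-AV\\avtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\EXAMPLE-AV\\avtray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="C:\\Users\\Public\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Public\\svch0st.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""


if __name__ == "__main__":
    result = diff_autoruns(parse_reg_export(BASELINE_REG), parse_reg_export(CURRENT_REG))
    for kind, entries in result.items():
        for entry in entries:
            print(kind.upper(), *entry)
```

In practice the baseline is an export taken when the machine is known-good (or from a clean build), and the diff is run against a fresh export during the incident, so the reviewer only has to explain the handful of lines that differ rather than all 25 entries at once.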

ranting about data-centric security and the media

Random link from Full-Disclosure: mlabs.secniche.org

I hate to post more rants than useful content on here, but this week has been too busy for much more than ranting. I saw an article about the dangers of unauthorized teleworkers, that is, those workers who bring work home with them and possibly work on their home computers.

The report found that 63 percent of respondents who worked from home unauthorized — more than half of the non-teleworkers surveyed — used their home computers in doing that work. “People were saving documents on their home computers that were unprotected,” said Josh Wolfe of Utimaco, a data security company that underwrote the study.

“We’re not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that,” Wolfe said.

I like security, and I like to think I have a (healthy) paranoid/security-conscious mind, but I really believe we can go too far very easily. While government employees maybe shouldn’t take work home with them (and yes, I pointed out that second blurb to show that maybe all those workers had non-sensitive materials and were working on presentations or some junk), I hate when articles like this make their way to other circles and present things without proper context (I expect to see this study referenced in non-government articles soon…). Take a small start-up company. Yes, those people likely take work home with them, it happens, it is natural, and at some point every single one of us does it.

Yes, we have to be conscious of our data leaving the confines of our happy networks, but we can’t obstruct our users trying to make the business successful. That’s one of the (few) issues I have with data-centric security. Trying to secure the data eventually impacts the success of the business and the happiness of the people.

One other note I had from the article is about how data-centric security really only works when you can classify your data and separate the sensitive or confidential stuff out. Data-centrism is great for that classification and for being conscious of the security of your really sensitive data, but it breaks down and is ineffective and inefficient for the rest of the data. It can also be theoretically effective when you just declare “all information is sensitive so let’s encrypt everything!” But that gets into a realm that is just not really going to be possible yet, at least at the level of near-perfection that statement alludes to while allowing employees to do their work and be an asset.

Maybe this is just the media being way too sensational about digital security still. We don’t see dramatic reports about how people’s homes are insecure because, while we have a deadbolt in front and back, our windows can be smashed, oh my. Security isn’t perfect and never will be, and I’ll continue to bristle when media or persons have an underlying tone that anything less than perfection is inadequate. Maybe our industry does get it, but damn if the media still stirs us up and gets our blood going still.

Maybe I should further limit my chosen media outlets away from journalists…hehe! Hell, I’ve been tracking the front page daily headlines on cnn.com and it reads more like a tabloid or YouTube front page than anything anymore…

download the music and get the hack

A quick excerpt from a CIO article. Without details, it is tough to separate fantasy (or simply blind speculation) from reality, but I think this story may just ring true. The article is focused on how difficult forensics is becoming as criminals employ more anti-forensics tactics. Personally, I don’t think it has gotten any worse to track down criminals over the wires; there is just more money involved these days. (On-disk forensics notwithstanding.) (Update: I see more discussion here from keydet89!)

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn’t caught the perpetrator and he knew he never would. What’s worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.

As a side rant, I really hate how a not-large article turns into 10 page “turns” on news sites these days. I mean, come on, everyone can see through this little “click more to serve more ads” scheme. It actually conditions me to look for the Print icon to view the printable version that, amazingly, has no ads and displays on one page.

russian roulette 2.0

RSnake and also Andy linked to File-Swap with wonderment in their eyes. More like confounded amazement really. But come on, this site is awesome! It is the modern equivalent to russian roulette! Take a spin! Really, how secure in your systems do ya feel, punk?

Now, I have this thing about user-supplied content and Web 2.0. I’ve been around long enough to see the days where Rotten and EbaumsWorld sprang up to house all kinds of disgusting junk before dot-coms even thought of busting. Sadly, this file swap is just as ripe for disgusting content as it is for malware content. Maybe more so, since the former is far easier to achieve than the latter. Then again, use Metasploit to generate some malicious images…? Either way, some ideas may be cool to generate some “wtf” traffic hits, but a site like this simply cannot have longevity and remain relatively clean.

no, really, i want my credit details sent over email

This past week I began the motions of signing up for a new gym, for a change of pace as summer feels like it has started. So I signed up on the gym’s (franchise) website and all that jazz. About a day later I get an email from a residential email address saying that my info is being forwarded somewhere and to expect a call back. This email was then sent to another residential address down in Texas. And of course, my credit and personal details are in the email, nicely formatted with HTML tags.

Really, there are still many businesses and people who have no idea how insecure digital methods can be. But even if they do, many of them have no idea what to do about it without spending money to get someone to do it for them, or devote time out of their own life to do it.

If I am happy about nothing else, at least I was able to see that my info was passed over email. This way I won’t be chasing my tail should that card end up with fraudulent charges in the near future…I’ll have an obvious place to begin.

it makes nancy drew look archaic…not that i read nancy drew…

A while back, Rybolov (Guerilla CISO himself!) posted a link to Heidi, Geek Girl Detective. I finally got time to finish through the story over a latte this weekend and was quite entertained! Must be something about Seattle to have geeky comics (PennyArcade being a notable one)…or maybe the town is more creative than most…maybe it’s the rain. And for the record, I read the Hardy Boys and Encyclopedia Brown as a kid, not Nancy Drew.

no business interest in catching threats

I only skimmed this article (mostly because of where it came from), but I really caught this line:

No one has a business interest in catching identity thieves or malware writers. There’s no money in it, so no one’s bothered.

I would also add, while some of us would help and/or deal with threats, we just can’t or don’t have that authority. Bejtlich is one of the notables who talks about dealing with the threats instead of vulnerabilities. He makes a ton of sense and I agree with him, in theory, I just don’t think most of us have any opportunity to deal with the threats beyond identifying them with guesses.

liaise or die 2!

Cutaway (possibly the only other guy on the Catalyst forums who gets away with using his screen name!) had a really cool post that I wanted to save here. The part that caught my eye:

I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing help us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment.

I am seeing there are numerous roles forming in IT and security. First, you have your IT geeks who actually do stuff (researchers or implementers). You have your business managers who keep an open mind about business and security (CSO/CIO). You have your trainers who deal with people. And you have your liaisons between those groups. I think those liaisons are the newest group and the subject of recent focus on “being more business knowledgeable” topics.

C-levels don’t like this news, but let’s all face it. Security is never going to be perfect. The best illustration is to look at the security of those C-levels’ homes. Are they foolproof? No. Do they make mistakes like leaving windows or doors open even if they’re not home? Yes. Just like everyone else. And if they do have an alarm system, does that preclude their relatives or the security installers from being able to circumvent it should they be determined to do so? Or thieves from just barging in regardless of the alarm klaxons? Security is not something you can achieve and forget about. It is ongoing, and it is risk management.

Business hates hearing that because too often they take the very human approach and think, “Gosh, why bother spending money on this junk?”

That’s where I think the liaisons come in. Just like Cutaway says, they buffer most of that negativity, but I believe they also try their best, along with the trainers, to make sure everyone knows security is not like a light switch; either on or off.

dvd ripping and burning made simple

Copying DVDs has become amazingly easy. I picked up a Samsung DVD burner from NewEgg for $33. They forgot the software, so I had them mail that separately, which is well worth it since it is Nero and includes not only the burning utilities but also the parts to leverage the Lightscribe labels.

I installed DVD Decrypter (pretty much optional) and DVD Shrink (find them on your own, but I suggest doom9.org as a first try). I use DVD Decrypter to rip DVDs to my hard disk, and then I use DVD Shrink to remove a few unnecessary things, like foreign language audio tracks, and also to burn, since it can shuttle the project off to either DVD Decrypter (which can burn) or Nero itself. That’s it! I ran a test copy of Fast and the Furious, which happens to be a dual layer DVD. The ripping portion took about 15 minutes, I think, and DVD Shrink worked on the contents (about 4.5 GB on disk) for about 30 minutes. I removed two audio tracks. It then went right over and burned in about 5 minutes or so to a non-dual layer DVD.

With Nero, I was able to create a Lightscribe label in about 5 minutes and burn it on in about 15 minutes. I just did a quick Google Image search for Fast and the Furious images, picked the first one (which happened to be huge), plopped it on without resizing or playing with the brightness, and let it loose. The label isn’t breathtaking or drop-dead gorgeous. It really just looks like a badly washed out greyscale image, but the quality (if you look closely) seems pretty nice. I’ll likely use it rather than markers, and I likely will still use actual images as opposed to bland text in text boxes. I’m not really doing anything professional, just makin’ copies!

All told, that was only about an hour of time and only about 10 minutes of actual work. Since I do this on my gaming machine, it gets to dedicate its time to this task when I’m not gaming (and holy crap does the processing of DVD Shrink drop to a trickle when I fire up WoW!). I keep that system pretty slimmed down, so that 1 hour is not a bad deal really.

Blank DVDs with Lightscribe will run me about $1 per disc. Dual layer guys will be about $1.5-2 per disc. At least that was my 2 seconds estimation while standing at Best Buy. That’s still not bad at all as I estimate my typical DVD purchase is $14, give or take. This is why DVD copying/pirating is still worthwhile, I guess!

no one expects the covert channels

Typically at home I have this stack of papers and junk printed out that I want to flip through and read. Kinda like bookmarking something for later, only in the analog world. Lately, I happen to have hit a glut of papers talking about covert channels (I’ll link one or two if I still happen to have them around), which are always fun to look at. I then see the focus-ids list has a current discussion on detecting covert channels (really detecting encrypted channels which, as Ron Gula recently contributed, are a separate issue).

Covert channels are fun. They can be an easy way to break something, or use something for a purpose not intended by the creators. The old school version of “hacking” (which I subscribe to) tends to love this definition. They are also difficult and technical in some cases, thus I really believe that unless a firewall or proxy incidentally is blocking the channel, no one really blocks or watches these channels. If I ever get my home network more rounded out and the major projects done, playing with covert channels is something I’d love to tinker with. (And if I would do it, so would lots of other bored kiddies on the Help Desks at their jobs!)

[As an aside, I pick on the poor kiddies on the Help Desk or Tech Support or Customer Service desks a lot. I do so for good reason, though. Typically they can hold some very technically savvy people who have some level of access above normal users. They tend to not be in heavily taxing jobs and sometimes have “leisure” time at work to do some odd things. And let’s not even think about those overnighters with even more time on their hands… Really, it’s not that I distrust them, but I remember my days down there and what I would get my fingers into, and I know it happens.]

For instance, you can stuff information into a few non-used or little-used sections of ICMP packets and shoot them out to your target. But if a company is stopping all ICMP, that incidentally stops that particular covert channel. Someone can siphon away information using DNS, but if you only allow DNS traffic to servers you control…

Stopping (or using to your benefit) covert channels is much more difficult since it requires some pretty specific knowledge of TCP/IP and perhaps packet structure and creation. This probably makes the risk of someone leveraging this attack much smaller, which also may mean it is just not worth spending time combating for many companies.

But let’s say you want to detect and/or stop covert channels? I won’t get into specifics since I’ve not done this myself, but here are some approaches I would take.

First, make sure a solid egress configuration on border firewalls is present. If this isn’t done, really, any other steps are simply academic and not going to add any security or sense of security. If you’re not stopping arbitrary ports from connecting to other arbitrary ports on the Internet… Likewise, there is no reason to tackle ICMP covert channel detection if ICMP is blocked anyway.

Second, you need to be monitoring for anomalous traffic. A sudden spike in ICMP or other weird traffic that is not normal could indicate a covert channel in use. Again, the chances are slim, but any network monitoring strategy should already be tracking anomalous traffic loads anyway. You might also want to detect regular traffic patterns such as an HTTP request that occurs exactly every 3 seconds for hours, or something to that effect. You might see more false positives with things like Weatherbug or Firefox doing regular checks or IM keepalives, but if your company is tackling covert channels, likely they have stringent software and IP rules in place already to limit such noise.

Third, make sure packets are inspected for erroneous settings and flags. Kinda like no TCP packet has any business having both SYN and RST (I think) flags set, there is just some information that, if present, should be investigated.

Fourth, proxy all web traffic in a way that the proxy rebuilds the packets. This should take care of really funky HTTP covert channels and also allow you more logging on what is likely the busiest and least securable port on your network.

Lastly, I really don’t know what to do about steganography or hiding data inside other application layer data. I guess we have to hope that packet inspection firewalls eventually detect the normal tools and their signature/patterns, but I really wouldn’t book my paycheck on that. Image-based stego is still a technical skill, but the tools have gotten far easier to implement and there are tons of locations on the webs to drop images for offsite pick-up.
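To make the second and third approaches concrete (and the ICMP spike mentioned in the ICMP/DNS paragraph above), here is an added example that is not code from the original post. It runs three detection heuristics over constructed flow records: a per-source ICMP volume check against an assumed baseline, a beacon detector that flags a (source, destination, protocol, port) tuple whose inter-arrival times are nearly constant (the “exactly every 3 seconds for hours” case), and a TCP flag sanity check for combinations such as SYN+RST that no legitimate segment carries. The record layout, the threshold values and every address in the sample data are assumptions made for this example; the egress-filtering step is a firewall policy, not something this script checks.

```python
"""Covert-channel detection heuristics over constructed flow records.

Added example, not from the original post. Record format:
(timestamp_seconds, src, dst, proto, dport, tcp_flags, bytes), where
tcp_flags is a set of flag names for TCP records and None otherwise.
Thresholds and addresses are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed sample traffic (documentation-range addresses) ---------
SAMPLE_FLOWS = []
# A host fetching the same URL exactly every 3 seconds: 10 events over 30 s.
SAMPLE_FLOWS += [(float(t), "10.0.0.5", "203.0.113.7", "tcp", 80, {"SYN"}, 60)
                 for t in range(0, 30, 3)]
# Ordinary browsing at irregular times from another host.
SAMPLE_FLOWS += [(t, "10.0.0.8", "198.51.100.9", "tcp", 443, {"SYN"}, 120)
                 for t in (0.0, 1.2, 7.5, 9.1, 30.3, 31.0, 44.8, 45.2, 58.9)]
# 40 large ICMP packets from the first host versus 2 small ones from the other.
SAMPLE_FLOWS += [(float(t), "10.0.0.5", "203.0.113.7", "icmp", None, None, 1400)
                 for t in range(40)]
SAMPLE_FLOWS += [(5.0, "10.0.0.8", "198.51.100.9", "icmp", None, None, 64),
                 (17.0, "10.0.0.8", "198.51.100.9", "icmp", None, None, 64)]
# One segment with SYN and RST set together.
SAMPLE_FLOWS.append((12.0, "10.0.0.5", "203.0.113.7", "tcp", 443, {"SYN", "RST"}, 40))


def find_icmp_spikes(flows, baseline_per_host=3, factor=5):
    """Return (src, count) for hosts whose ICMP count in this window exceeds
    factor times the assumed per-host baseline."""
    counts = Counter(src for _ts, src, _dst, proto, *_ in flows if proto == "icmp")
    return [(src, n) for src, n in counts.items() if n > baseline_per_host * factor]


def find_beacons(flows, min_events=8, max_cv=0.1):
    """Return ((src, dst, proto, dport), mean_gap) for tuples seen at least
    min_events times whose inter-arrival coefficient of variation is small,
    i.e. the traffic repeats on a near-constant timer."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, dport, *_ in flows:
        by_key[(src, dst, proto, dport)].append(ts)
    beacons = []
    for key, times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 2)))
    return beacons


def find_invalid_flags(flows):
    """Return (ts, src, dst, dport, flags) for TCP records carrying flag
    combinations that never occur in a legitimate connection: SYN+RST,
    SYN+FIN, or no flags at all."""
    hits = []
    for ts, src, dst, proto, dport, flags, _size in flows:
        if proto != "tcp":
            continue
        fl = frozenset(flags)
        if {"SYN", "RST"} <= fl or {"SYN", "FIN"} <= fl or not fl:
            hits.append((ts, src, dst, dport, sorted(fl)))
    return hits


def run_all(flows):
    """Run every heuristic and collect the findings in one report."""
    return {
        "icmp_spikes": find_icmp_spikes(flows),
        "beacons": find_beacons(flows),
        "invalid_flags": find_invalid_flags(flows),
    }


if __name__ == "__main__":
    for kind, findings in run_all(SAMPLE_FLOWS).items():
        print(kind)
        for finding in findings:
            print("   ", finding)
```

The beacon detector will also flag the steady ICMP stream, since a constant-rate tunnel is periodic too; in real traffic the `max_cv` and `min_events` knobs are what separate a keepalive you have whitelisted from something worth a look, and the whitelisting the post mentions (known updaters, IM keepalives) belongs in front of this logic, not inside it.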

Speaking of covert channels, I can’t find the actual story, but I swear the Security Monkey had a post one time (I think a reader-submitted story) about someone hiding porn images inside a normal movie file, where a porn image would be one frame somewhere that could be extracted. Screen grab of sensitive docs instead?