random thoughts on spam and email sig blocks

Skimming my captured spam comments these days really makes me feel like I’m browsing porn, albeit in text form. I have quite the imagination…and if the guys keep slipping Viagra into my lunch, things are gonna get wrong on a new level.

Ok, kidding! Seriously, my comment spam has skyrocketed since Thursday or Wednesday of last week, almost all about various drugs and the rest about porn. It is amazing how often I catch myself reading one when it doesn’t sound quite obviously spamlike. “Hey man, that’s an interesting post…” I’ve bumped up the filters to get most everything, but if I don’t unmoderate a post you make, feel free to stalk me and track me down or otherwise get my attention.

Joel Esler posted some questions about email signature blocks. Neat. Personally, I keep my signature lengths down to 1-3 lines or so. My name, email address, and maybe who I am if you don’t know me (title or web site). I think I got over the whole quote thing back in 1998, so I don’t do that anymore. I think after you get so many email addresses, you stop really caring to configure and tailor each one.

On a similar topic, I really have a peeve against email disclaimers like “please delete this email if you mistakenly got this…” blah blah blah legal crap. No one freakin’ needs this on every piece of email sent out. It’s useless and stupid. Maybe I should walk around with a card that says, “If I hear some secret you say near me or you hear me calling you a complete asshole, it’s ok and please ignore it if you were not the intended recipient…oh, you’re not the intended recipient, ever.” Yeah, that’d fly.

analyzing vulnerability disclosures

I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid’s site for a reason!). But I do have some commentary to offer.

First, Sid uses the phrase, “This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality.” Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that’s what passwords are for, no?

Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames…but if they are employees, chances are they know the username format anyway. Also, long-term outside attackers who already have an undiscovered foothold into the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, “You have bigger problems at this point.” Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attacker who starts trying usernames to grind out more information, or outright access.

That second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I’m simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

To the author’s credit, he lists the criticality as “Less Critical,” although I really don’t know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.

wifidenum reports on wireless driver vulns

WiFiDEnum (and no, I’m not really sure how to say that out loud) has been released by Joshua Wright. This tool reports back wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns are announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company that it might get some lovin’ over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host’s wireless card and drivers (and no, I don’t know if that is even possible to a worthwhile degree).

the movement of security

I see there’s been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security… I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael’s thoughts, which have the side effect of making me want to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process, which might be the agnostics’ way to offer up an inarguable concept? [see? obviously I’m not seeing something straight! hehe]) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).

My initial reaction is that I am not sold on “unified” or “one method to rule them all” approaches. I’m with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obvious by now.

However, there may be some merit in a company focusing their efforts and monies in one method consistently…

I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?

infosec interview questions

LiquidMatrix posted 4 interview questions for Infosec candidates. I like the questions, personally, and I think they get to one thing I really like to pimp about myself but also value in people in infosec: the geek factor. How much of a geek are you? In other words, how much personal passion do you have for the field? I think this is highly important. Anyway, no preaching yet today, so here are my quick answers for this interview.

1. What is the hostname of your computer / essid of your wifi
How fun! For years, I have stuck to the whole vampire/goth chic with my systems. My main server is named Vampire (and always is, no matter what actual hardware is running it) and my essid is kindred. Unfortunately, the more systems I’ve had, the more I’ve had to drift away from that theme. I have systems named Nosferatu, Hunter, Samurai, Orion (my main laptop, named for personal reasons to do with stargazing), Golem (parted gaming machine), and so on…

2. Which infosec event/conference do you think is the *one* you need to attend each year
Blackhat is too expensive for me alone, and I certainly do not want to go to anything commercialized with more CSOs present than geeks. I think if I had to choose one single event, I would head to Shmoocon. Then CanSecWest and DefCon.

3. You’re doing a walk around and notice an iPod plugged into a laptop – what do you do
Yeah, it sucks reading these questions and already seeing the “good” answers, but I agree with the poster, I would first ask, “Well, what’s the policy?” I don’t want to get into pissing matches over vagueness (I wanted to use vagarity here, but the word is already laterally claimed) of policies and enforcement. If I don’t have to impact someone else and rock the boat, I won’t. So I’d ask about the policy. If there is a policy, I would likely unplug the iPod but leave it on the desk (again, depending on the policy and corporate culture standards on enforcement) and email a note to the employee mentioning it. I’d likely then make a small extra effort to follow up later that week to see if the iPod is still present, and if so, escalate as needed, more likely with a cubicle-call in person or a quick note to their manager. Nothing overbearing or demanding, just subtle reminders of policy and why it is in place. I’d also test the waters in using technology to block the hardware ports on systems to force policy adherence. Again, though, this all depends on policy and corporate culture.

4. You’ve been asked by HR to take a copy of an outgoing employees computer – what do you do
I’ve not done one of these in a while, but my first reaction in my previous job where I did this a couple times included questions. How much do you need copied? When do you need this started and done? Does the employee know about this or should this be secret? How important is this? While I don’t need details, should I be concerned about eventual legal proceedings or is this just a CYA moment (this may dictate how stringently I follow chain-of-custody or imaging standards)? Do you need me to look at anything in particular or just make the copy? What do you want done with the copy and/or hardware after? Basically, the theme here is to ask questions and qualify the request as much as possible without making it seem like you’re fishing for the juicy gossipy details of the incident; I’m not like that and never will be, even when I am privy to those details (one of the other things I value along with geekery is integrity).

Snagged straight from the bush from the Guerilla CSO
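As an added example for question 4 (this is not code from the original post or from LiquidMatrix), here is the minimal acquire-and-verify routine that the “how stringently” decision above is really about: hash the source while copying it, re-read the finished image and hash that too, and append a custody record (case, operator, host, time, byte count, both digests) to a log that can be re-checked later. The case id, operator name and the 3 MiB sample “disk” are placeholders; a real acquisition reads a block device through a write-blocker, not a file in a temp directory.

```python
"""Acquire-and-verify with a custody log. Added example; names are placeholders."""
import hashlib
import json
import os
import socket
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads


def sha256_of(path):
    """SHA-256 of a file, read in CHUNK-sized blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, log, case_id, operator):
    """Copy source to image, hashing the source in the same pass, then verify and log."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is hashed
    record = {
        "case": case_id,
        "operator": operator,
        "acquired_on": socket.gethostname(),
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of(image),  # independent re-read of the image
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def reverify(image, log):
    """Later check: does the image still match the digest recorded at acquisition?"""
    with open(log, encoding="utf-8") as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    expected = next(r["sha256_image"] for r in records if r["image"] == image)
    return sha256_of(image) == expected


def demo(tamper=False):
    """Constructed run: a random 3 MiB + 17 byte 'disk' acquired into a temp dir.
    With tamper=True one byte of the image is flipped afterwards so reverify() fails."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "sda.raw")      # placeholder for /dev/sdX via write-blocker
    image = os.path.join(work, "sda.img")
    log = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))   # odd size exercises a partial last chunk
    record = acquire(source, image, log, case_id="HR-placeholder", operator="analyst-placeholder")
    if tamper:
        with open(image, "r+b") as fh:
            fh.seek(100)
            b = fh.read(1)
            fh.seek(100)
            fh.write(bytes([b[0] ^ 0xFF]))
    return record, reverify(image, log)


if __name__ == "__main__":
    rec, still_good = demo()
    print(json.dumps(rec, indent=2), "reverify:", still_good)
```

The source digest is computed from the same bytes that were written, and the image digest from a separate read of the finished file, so a silent write error shows up as `verified: false` rather than being discovered in a meeting months later. For a simple CYA copy the log line is overkill; for anything that might reach legal it is the minimum.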

fbi has some infosec work to do

Seems the FBI has the same challenges the private sector has when it comes to maintaining a secure environment. The GAO released a report to the FBI about security weaknesses in a critical internal network. I found this from FCW. I only skimmed the 30-odd page report, but a lot of their weaknesses are quite familiar.

open windows security apps

I love it. There are a number of free security-related tools floating around these days and they seem to be of the “do more, have more features” variety. On my Windows systems at home I prefer to run ClamWin as my AV and Sygate Pro (a full version pre-Symantec purchase/dump) as my personal firewall. I’ve been using Comodo firewall for a while now on one laptop, but I really have not taken the time to baby it and nurture it and really get to know it, so I might just revert back to a Sygate install.

But I keep getting tickles to try something new. I see OSSEC has Windows agents that do things like HIDS, log analysis, registry and rootkit scanning, integrity scanning, and more on the server component. I also see CoreForce which provides a BSD-like firewall, registry and file permissions, integrity scanning, and malware prevention. Both tools are free, although the latter is Windows-bound and standalone while OSSEC likes to have a server component to shuttle data to.

It is nice to see multiple pieces getting packaged together in, hopefully, light-weight apps that won’t be hogs like NAV or your more commercial type protections. I like integrity checking, access monitoring, log scanning, and firewalling, along with the typical HIDS/behavioral analysis and malware detection/prevention. I’m just hoping these two products don’t overlap too much if I want features from both. And of course, there’s my poor ClamWin to think of.

Anyway, tools for thought. I really wish Sygate hadn’t been raped…after ZoneAlarm got dumbed down back in like 1999, Sygate was my saviour…

staying anonymous – part 4 irc

IRC – IRC is an interesting beast. Even today, this relic of the Internet is still the best place to socialize and talk with others in a realtime forum that includes more than just 1-to-1 conversation (did I qualify that enough??). But it also suffers from easily giving up your connection information as well as other anti-anonymity attacks. Pretty much anyone can just issue a /whois and read back your IP/hostname. Really, nothing is easier or more idly tempting than port scanning some noob on IRC to see who’s home. Note: I have not used SILC yet, so I don’t really mention it here.

1) general IRC recon and host masks
When you first log into a new IRC network, do not do so using a nickname that you plan to use. Log in and poke around. Do a /whois on yourself and see what is revealed. Connect a second time with another name and whois yourself. Find web support and the main support channels and poke around to see if the network supports any built-in methods to mask your host and IP. irc.freenode.net and others may allow you to register your nickname and also request or set up a host mask so that /whois returns only what you want it to return. If that is the case, switch over to your normal nick, register it, and get it masked.

Always use a different nickname when doing tests or when you think your masking is not high enough. While this isn’t done as much as in the past, there are still chat channels that get logged and posted right on websites for posterity.

Keep in mind that even private messages are not necessarily private when you do not own the servers and other people are the admins. You may not be as private as you wish you were.

If you plan any unattended idling, turn off auto-accepting any files or DCC communications and make sure no URLs are automatically opened or captured. Make sure your secondary nickname is not revealing in case you disconnect and reconnect automatically before your old connection has timed out.

2) bouncers and proxies
If you do not have the luxury of masking your host, you can make use of IRC bouncers or proxy connections much like web proxies. Bouncers are pretty much the same thing as a proxy, only harder to find unless you own a box or two somewhere else (or pay for a shell).

You can also use web-based IRC clients such as www.ircatwork.org. However, always test these by connecting with a different nick and /whois yourself to see if something is leaking through anyway. These can be a hassle to set up and maintain, so perhaps just familiarize yourself with IRSSI (text-based IRC) and see if you can get a shell that allows IRSSI so you can bounce off that.

Otherwise, use network and wireless connections that are not your own to communicate over IRC. Personally, I prefer using Freenode and masking my host.

3) links, DCC, other notes
Also, don’t click on any and every link in IRC…at least not without your web proxy firmly in place on a safer web browser and connection link. If I had my eye on you, I might try to get you to click a link on my website hoping you would then leave some crumbs in my server logs.

Never accept DCC Chats or Sends. These negotiate as direct connections. If you accept a DCC Chat, the person on the other end will have the ability to see your originating IP, masks or not. You can proxy DCC connections, but I prefer to just not accept them at all as there is really no reason for it when FTP and HTTP have become more than ubiquitous.
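Two of the checks above (the whois-yourself test in section 1 and the refuse-all-DCC rule here) are easy to script. The following is an added example, not code from the original post: `whois_host()` pulls the host field out of the 311 (RPL_WHOISUSER) reply a /whois on your own nick returns, `host_is_masked()` applies a rough test for whether that field is a cloak or your real IP/reverse-DNS name, and `dcc_offer()` recognises DCC CHAT/SEND offers so a client script or bot can refuse them. Message shapes follow RFC 1459/2812; the sample lines, nicks and addresses are constructed, and the masking heuristic is mine, not any network’s rule.

```python
"""IRC self-checks: what does /whois leak, and which incoming lines are DCC offers.
Added example; sample traffic below is constructed."""
import ipaddress
import re

# CTCP DCC payload: \x01DCC <CHAT|SEND> <chat|filename> <ipv4-as-uint32> <port>[ <size>]\x01
DCC_RE = re.compile(r"^\x01DCC (?P<kind>CHAT|SEND) (?P<arg>\S+) (?P<ip>\d+) (?P<port>\d+)")


def parse_irc_line(line):
    """Split a raw server line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # trailing param may contain spaces
    parts = head.split()
    if not parts:
        return prefix, None, [], None
    return prefix, parts[0], parts[1:], (trailing if sep else None)


def whois_host(line):
    """Host shown for the target nick in a 311 reply, or None for other lines.
    Format: :server 311 <me> <nick> <user> <host> * :<realname>"""
    _, command, params, _ = parse_irc_line(line)
    if command != "311" or len(params) < 4:
        return None
    return params[3]


def host_is_masked(host):
    """Heuristic (assumption, not a protocol rule): a bare IP is exposed; a
    '/'-style cloak is masked; otherwise a first label carrying digits looks
    like ISP reverse DNS (exposed) and anything else is treated as masked."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if "/" in host:
        return True
    return not re.search(r"\d", host.split(".")[0])


def dcc_offer(line):
    """(kind, peer_ip, port) if the line is a DCC CHAT/SEND offer, else None."""
    _, command, _, trailing = parse_irc_line(line)
    if command != "PRIVMSG" or not trailing:
        return None
    m = DCC_RE.match(trailing)
    if not m:
        return None
    peer = str(ipaddress.IPv4Address(int(m.group("ip"))))  # DCC carries IPv4 as decimal uint32
    return m.group("kind"), peer, int(m.group("port"))


# Constructed sample traffic: two whois replies and two private messages.
SAMPLE_LINES = [
    ":irc.example.net 311 testnick testnick ~u c-192-0-2-15.isp.example.net * :test",
    ":irc.example.net 311 kindred kindred ~k unaffiliated/kindred * :k",
    ":mallory!m@203.0.113.9 PRIVMSG kindred :\x01DCC CHAT chat 3325256711 4444\x01",
    ":alice!a@host.example PRIVMSG kindred :hey man, that's an interesting post",
]


def audit(lines):
    """Walk captured lines; report what a whois leaks and which DCC offers to refuse."""
    findings = []
    for line in lines:
        host = whois_host(line)
        if host is not None:
            findings.append(("whois", host, "masked" if host_is_masked(host) else "EXPOSED"))
        offer = dcc_offer(line)
        if offer is not None:
            kind, peer, port = offer
            # Accepting means *you* connect out to peer:port, so they see your real IP
            findings.append(("dcc", kind, f"refuse: connecting to {peer}:{port} reveals your real IP"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(*finding)
```

Run it against lines captured from your own client (most clients can log raw server traffic) after connecting under a throwaway nick, exactly as the first step above describes; if the whois line comes back `EXPOSED`, sort out a mask or a bouncer before switching to your real nick.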

More information can be found at http://www.searchlores.org/irc_kane.htm. If I had found this before writing my post, it sure would have saved me a lot of composing!

eve

Whitedust.net has announced a new visualization tool for network traffic called Eve. Visualization tools are fun and typically look cooler than they are useful (imagine the proud managerial looks when you see this running in the NOC?), but you never know. Someday a really slick-looking visualization tool is going to be outstandingly useful. Maybe Eve will hit that mark? I dunno, but surprisingly the tool looks to run on Windows, judging by the mention of the WinPcap library. If this looks slick enough, I would seriously consider a copy for the price they list, even if it just runs in the background on an old machine on my desk.

madwifi driver update

MadWifi drivers have been updated to 0.9.3.1. This is really one of the only downsides of something like the BackTrack livecd. Anyone using the BT2 version will have “vulnerable” madwifi drivers unless you roll your own distro (I don’t know how) or always patch after boot (annoying). Nonetheless, if you’re heading into any hostile territory (read: less formal security conference), it really is not good form to not be patched. Reading those fixes tells me it should be fairly trivial for someone to bump all vulnerable madwifi driver-using laptops off the network indefinitely.

Some random project for another year is to make a more “bristly” wireless network defense drone. In other words, it would just permanently output things like beacon intervals of 0 just to dog anyone with vulnerable drivers who shouldn’t be snooping around.

stupid apache windows trick

Simple things feel good. They really do! Keep life simple. Flashing across the full-disclosure list this week was a simple way to enumerate whether an Apache web server is running on Windows or not.

If you make a call to a page that does not exist, you get a typical 404 error, like this page that doesn’t exist. (Yeah, in a few months I’ll regret putting up a purposely dead link when I see it in the logs…). But try hitting a link to domain/AUX. You get a far different error on my site because, yes, stone me now, I run Apache on Windows. Try it on someone else’s site that you know is running Apache on nix, and you’ll just get the normal 404 error.

So next time you’re curious about a web site and you’ve confirmed it runs Apache, try the “on Windows?” test so you don’t look stupid trying to use “root” on the listening SSH port or throw in a battery of nix-only vulns to the website.
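The two-request test above as a small script, added here as an example (not code from the original post or from the full-disclosure thread): fetch a random path that should not exist to learn the site’s normal 404, confirm the Server header actually says Apache, then request a reserved Win32 device name (AUX by default) and report whether that response deviates from the baseline. The post does not say which status code the Windows build returns, so the verdict is only “deviates” vs “consistent”; the host name in the usage line is a placeholder.

```python
"""Apache-on-Windows probe via reserved DOS device names. Added example."""
import secrets
import urllib.error
import urllib.request

# Reserved device names the Win32 filesystem layer intercepts, which is why a
# request for one never takes the normal "file not found" path.
DOS_DEVICE_NAMES = ("AUX", "CON", "PRN", "NUL", "COM1", "LPT1")


def fetch(url, timeout=10):
    """Return (status, server_header); 4xx/5xx are observations, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "apache-os-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server", "")


def classify(baseline, probe):
    """Interpret two (status, server) observations.

    baseline: response for a random non-existent path (should be a 404)
    probe:    response for a reserved device-name path
    """
    status, server = baseline
    if "apache" not in server.lower():
        return "not-apache"   # the trick is only meaningful once Apache is confirmed
    if status != 404:
        return "no-baseline"  # site does not 404 cleanly (catch-all page?), so no comparison
    return "deviates" if probe[0] != status else "consistent"


def check(base_url, device="AUX"):
    """Run both requests against base_url; return (verdict, baseline, probe)."""
    base = base_url.rstrip("/")
    baseline = fetch(f"{base}/{secrets.token_hex(8)}-does-not-exist")
    probe = fetch(f"{base}/{device}")
    return classify(baseline, probe), baseline, probe


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"  # placeholder
    verdict, baseline, probe = check(target)
    print(f"baseline {baseline}, /AUX {probe} -> {verdict}")
    if verdict == "deviates":
        print("reserved name handled differently from a missing file: likely Apache on Windows")
```

A “consistent” result only says the device name was treated like any other missing file; a reverse proxy or a rewrite rule that serves one error page for everything hides the difference, which is why the baseline request and the Server-header check are there rather than a single hit on /AUX.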

ipv6 still only lurking

IP addresses are running out! While I’m not about to start crying that the sky is falling, the article linked mentions that we will be out of IPv4 addresses in 2012 or 2013.

Considering most shops spec their network gear lifecycle to 4 or more years, now is the time to start paying attention to the needs of the infrastructure. We can all do our part today to ease the pains of this changeover. Any gear you buy today on your network, particularly the critical and perimeter infrastructure, should either have IPv6 support today or have an aggressive roadmap to get there soon.

Also, for those budding (or bored!) security persons (again!), study up on IPv6 now. Learn how it works and how to implement and troubleshoot it.

data protection rambling: data in use

Managing security from a data-centric point of view is like herding cats. Rambunctious cats. Cats that want to be free. Cats that spontaneously multiply. Like tribbles.

I was thinking today about how interesting something like a centralized office suite (such as Google Apps) is when it comes to making sure people are not distributing your data wantonly. For instance, how often have you seen the sales exec who has access to sensitive information in a file share forward a copy of that document to his reports via email? Reports who shouldn’t be seeing that stuff.

This brings me to thinking about data security a bit more. Often I see people talk about the two obvious pieces: Data At Rest and Data In Motion. These are pretty obvious. Data At Rest deals much with access permissions and encryption. Data In Motion deals with encryption of the channel over which data is transmitted.

But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake. Can they open a doc and recite the numbers to someone over the phone or take photos of it? Yes, tough if not impossible to fully stop, but a concern nonetheless? (Yes, it is arguable whether we should spend time thinking about the unfixable…)

You know, the corporate world was once a terminal environment with centralized computing. We’ve moved on from that, but so far lots of our issues can be solved with tightening back into centralized computing. We don’t like to think that way, but it’s true.

The two caveats in centralized computing? The mobility trend. The fact that users are also consumers and are used to having “the power” on their computer systems at home.

rdp into console session

Want to RDP not into your own session, but into the existing console session? Yeah, me too, and I always seem to forget this Run command for Windows:

mstsc /v:SERVER-OR-IP /console