keeping current or finding new niches

Every now and then I like posting about new and coming technologies or things that budding (or bored!) security persons can look into to get a leg up on other professionals. While I may not have bandwidth myself, I can at least identify them for my own reference or anyone else as well.

Vista. While lots of people are resisting Vista as not an entirely necessary upgrade, this is, quite frankly, the future of Windows computing. It might not be even next year, but at some point all of us will be forced to update to Vista, either due to dropped support for XP or simply because all our home users’ new computers come with it installed…then remote access needs updating, QA needs test machines, web sites need to work…and so on until you have to adopt it. So get Vista today, be aware of the licensing and versions, figure out the nuances of wireless and wired and security concepts in Vista, and tinker with supporting it on a wide scale (scripts, GPO, firewall, etc). May as well start now and get moved, otherwise you’ll be like me where I still run Win2000 laptops (ok ok, so I like the non-hassle of Genuine Advantage license checks that don’t exist for Win2000 and the smaller resource footprint on my old laptops…). Nonetheless, it may be years away, but rest assured someday Vista will be the standard.

Macs. Macs have long been on the fringe of corporate networks, likely only used by graphics or designers. They are exceptions in corporate policy and management and typically corporate IT have no Mac experts and leave management to third party contractors or the users themselves. As Macs continue to make headway into home users (and especially security people like us) it makes sense that we become Mac-aware enough to support those users and add that to our corporate IT merit badges. Like I said, few IT geeks really can support the Macs, so one-up the rest and learn them. As a bonus, try to figure out how to make sure your monitoring and systems management can become Mac-friendly so they’re not always the exceptions to the rules.

Get on top of Longhorn now. While slated for the ever-skeptical release date of early 2008 now, like Vista, it will eventually be the de facto standard, for better or worse. Likewise, get ready for Powershell, Windows’ upcoming enhanced shell experience (which will also be the primary means to manage Exchange 2007).

This is one of the challenges of being an IT geek. You can’t just learn Windows 98 inside and out and hope to stick with it forever. You gotta be ready to move with the world and learn new things rather than sit back and cling to the past. Ask any mainframer from the 80s and 90s who doesn’t get to work on mainframes anymore…

securityhacks show off security hacks

I don’t typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is “market bandwidth” for sites that show off tools or “how-to” sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections (I think if you’re going to this much trouble, you may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and “recovering” Firefox stored passwords. There’s also mention of pwdumpx (not to be confused with pwdump or even fgdump…

on the total failure of information security

Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn’t smack of an extremist and very dramatic “I’m not here to listen to rebuttals” tone, then I don’t know what would.

I held my comments, and instead wanted to hear Noam’s follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, “Racism is bad, yeah, let’s all get violently upset that racism is bad!” and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.

Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, “How can we fix this?” he offers, “Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your comments and feedback.” Honestly, this sounded half like he was going to use other people’s suggestions to formulate his own; shady.

Sadly, the follow-up I had hoped for was not to be.

Instead, Noam’s follow-up consisted of some “Yay, people agree with me!” at the start, and then dogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2 factor authentication for gmail and hotmail…). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don’t all have those, but maybe not quite so useless and attention-pleading).

I am overall disappointed with this approach. I don’t argue that the general feeling of Noam’s article is wrong. I think we do have problems and issues, although I’m not sure we have a total failure. I had much more to say about the article, but I don’t feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:

1) You can’t use stats to measure something that is as a whole growing; you have to wait for a plateau to get meaningful stats, or perhaps ratios.

2) Noam’s expectations may not be reasonable as he implies that people should feel safe doing “normal and common” stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving arbitrarily forward.

3) I wonder what state we’d be in if we didn’t have what security we do have now?

4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.

turn firefox into spyware

Turn Firefox into spyware! I saw Xavier Ashe post about FFsniFF which is an extension for Firefox. It will not display itself in the extensions list, wait for HTML forms to be submitted, and email the contents of that submitted form to some email address. On one hand this makes me say, “What the crap…?” On the other, I could pilfer info from a lot of people who otherwise trust Firefox as their browser. While I might need admin rights to install keyloggers, I wonder if I could install this extension as a normal user? I guess this might not be a huge deal as there are browser password managers galore anyway, and they have to get those passwords somehow, but FFsniFF still seems very shady…

conquer the ubuntu vnc black scrollbars

If you do much work using Ubuntu and multiple computers, you may have noticed when using vncviewer to remotely connect to a system with a higher screen resolution, you’ll get these annoying black scrollbars. These bars seem to only scroll in one direction and then never scroll again, right?

Well, wrong. Turns out these bars do work, you just have to right-click to move the bars the other direction. Middle mouse button will work them in either direction. That’s just weird and I’d rather not deal with it.

There is another solution. On your client system, go to your repositories or otherwise apt-get xvnc4viewer. This will fix those dang scrollbars. As a bonus, this seems to replace any vncviewer apps you have on the Ubuntu client. If you type vncviewer, you get xvnc4viewer. If you click Applications->Internet->Terminal Server Client and attempt a VNC connection there, you also get xvnc4viewer. Nice!

cisco ftp server vulnerability

An article about a Cisco FTP vulnerability caught my eye today. The article gave little detail, so I checked with Secunia and sure enough saw an advisory. That’s an interesting vulnerability (impacting, but not enabled by default…so not the holy grail of network hacking), and I would hope good admins have taken some measures to already mitigate or avoid this issue.

First, don’t use the FTP server. I’d rather use an external TFTP server as opposed to one on the router itself. Second, even if the config is disclosed, limit the damage by making sure your enable and enable secret passwords are different, as are the SNMP strings and other access passwords that may be disclosed in the config. Also make sure they’re all different across other routers (minus the SNMP string of course). Third, update your IOS, of course, and hope that Cisco puts in a (long overdue) SCP/SFTP solution sooner than later.

Of additional note, I’m still itching to get my hands on the Hacking Exposed: Cisco Networks book. It taunts me weekly from the bookstore shelf, but I just don’t want to get too confused as I am hitting the running strides of my study for CCNA (which I will take in late May or early June).

vmware server on ubuntu 6.10

Tonight I finally got around to installing vmware server on my new vmware box. I used a couple sites as my guides. Ever since starting Linux, I’ve learned to keep “journals” about what I’ve installed and the voodoo needed to get some things working for future reference. I’m getting better about putting my notes down into a more polished form early, but I still might get one or two things wrong here. I’ll try to update as needed, but I suspect eventually these notes will just get ported over to the wiki.

I needed to install a few dependencies first since this is a fresh Ubuntu 6.10 install.

sudo apt-get install xinetd
sudo apt-get install linux-headers-`uname -r` build-essential

This folder will be used to hold the VMs (it lives under /var, so it needs root):

sudo mkdir /var/vm

Download both files (server and management user interface) into a temp folder and get a registration key while on the site. This is free and doesn’t require any valid information, not even email. The key will appear after submitting the form (the sales teams must love that!).

tar xvfz VMware-server-*.tar.gz
cd vmware-server-distrib
sudo ./vmware-install.pl

I answer /var/vm as the location for virtual machines. I also answer “no” for NAT or host-only networking (leaving me with bridged mode) as I really just want my VMs to be grabbing an IP off my network and have full access out to the Internet (at least on this machine).

Next is the MUI.

tar xvfz VMware-mui-*.tar.gz
cd vmware-mui-distrib
sudo ./vmware-install.pl

All defaults for the MUI. This should fail to start the httpd server at the end and needs a patch.

cd /tmp
wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
cd /
sudo patch -b -p0 < /tmp/httpd.vmware.diff
sudo /etc/init.d/httpd.vmware start

This is the location once it has started: https://localhost:8333.

To create a VM, you will need to use the console (not the MUI) by heading over to Applications->System Tools->VMWare Server Console in the kicker.

mcgrew security bbs

I’ve not hidden my support for the forum (or BBS) format of information exchange; in fact, I think it is one of the best formats when actively used. While I may not participate, I figured I would help post around about a new forum that is trying things out: McGrew Security BBS. We’ll see where this goes and if I find the time to participate, as it is that first year that is the most important (and hardest) for any forum to endure; kinda like trying to siphon water. You have to work at it until it becomes more or less a self-sustaining conduit of incoming content and people.

truth and wisdom with age

I speak truth, not so much as I would, but as much as I dare; and I dare a little the more, as I grow older. -Michel de Montaigne.

If you’ve ever visited my personal site, you probably picked up that I collect and love meaningful quotes (the more zen the better!). This one came up today and reminds me of Bruce’s little speech in recent weeks.

powershell: working with file permissions

For my Powershell moment today, I have been working with setting file permissions. I had a problem trying to get permissions changes made to one folder to propagate down to all child items. I didn’t really want to wipe out anything below, and I wasn’t using any SDDL creation/twiddling approaches this time. Just a simple AddAccessRule that needed to be pushed down to all subfolders and files and still be marked as inherited.

I finally found a solution by pulling the ACL from each child item, doing a SetAccessRuleProtection($false,$true) and then setting the ACL back onto the child item. This basically seems to force the ACL to be refreshed, which then pulls down stuff that should be inherited.

# $strTarget holds the path of the folder whose ACL was already changed.
# Walk every child item (including hidden ones) and re-apply inheritance.
foreach ($i in get-childitem $strTarget -recurse -force)
{
    $objNewACL = get-acl $i.FullName
    # (isProtected=$false, preserveInheritance=$true): keep the item inheriting
    # from its parent; writing the ACL back forces the inherited rules to refresh.
    $objNewACL.SetAccessRuleProtection($false,$true)
    set-acl $i.FullName -aclobject $objNewACL
}
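As an added, end-to-end example (not the original post’s code), here is the whole flow: add an inheritable rule on the parent with the ContainerInherit/ObjectInherit flags, push it down with the SetAccessRuleProtection trick, then verify on a child file that the rule shows up with IsInherited set. The $Target path and the $Identity account are assumptions; adjust them for your environment.

```powershell
# Assumed values: a scratch folder and the current user as the grantee.
$Target   = 'C:\Temp\aclTest'
$Identity = "$env:USERDOMAIN\$env:USERNAME"

function Add-InheritableRule {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # Rule applies to this folder, its subfolders (ContainerInherit)
    # and its files (ObjectInherit).
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Identity, $Rights, $inherit, $prop, 'Allow'
    $acl = Get-Acl $Path
    $acl.AddAccessRule($rule)
    Set-Acl $Path -AclObject $acl
}

function Update-ChildInheritance {
    param([string]$Path)
    # Same trick as the post: isProtected=$false keeps each child inheriting,
    # and writing the ACL back makes it pick up the parent's new rule.
    foreach ($item in Get-ChildItem $Path -Recurse -Force) {
        $acl = Get-Acl $item.FullName
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl $item.FullName -AclObject $acl
    }
}

function Test-InheritedRule {
    param([string]$Path, [string]$Identity)
    # True if the grantee has at least one ACE on $Path that is marked inherited.
    $acl = Get-Acl $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.IsInherited })
}

# Build a small tree, apply the rule at the top, propagate, then check a leaf.
New-Item -ItemType Directory -Path "$Target\sub" -Force | Out-Null
New-Item -ItemType File -Path "$Target\sub\file.txt" -Force | Out-Null
Add-InheritableRule -Path $Target -Identity $Identity -Rights 'Modify'
Update-ChildInheritance -Path $Target
Test-InheritedRule -Path "$Target\sub\file.txt" -Identity $Identity
```

Running Test-InheritedRule on the leaf before Update-ChildInheritance is a quick way to see whether your system actually needed the refresh at all.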

staying anonymous – part 3 email

email (mailing lists) – Email is an important validator of people versus bots. It is also an excellent means to communicate with others and peruse email mailing lists which have some of the most traffic and information sharing of any method presented. However, you certainly do not want to use your own mail address from work, home, school, or even your own home server if you want to preserve your anonymity. Sign up for Google’s Gmail and create an anonymous account.

Do not set up POP3/SMTP on your normal mail client and instead stick solely to the web interface using a non-IE browser that is diligently patched. Using your own client may tempt you to reply, and not every email service is necessarily anonymous when you send your email directly from a client application.

Don’t send your “real” email accounts mail from this anonymous one; don’t send yourself test emails; don’t forward away from this email. Instead, copy-n-paste or test your anonymity using another anonymous mail source that allows you to view full headers. Hotmail, Yahoo, and Hushmail are other choices, although the latter either requires money or it will lock your account if you don’t log in for 3 weeks. If someone gets into your super secret email account, you don’t want your Sent items to give you away (and vice versa if you lose control of your personal account).

For some mailing lists, such as SecurityFocus, you can post replies via a web form (depending on the moderation of the list, you might have to at least provide a valid “on-the-list-already” email address). But at least this way you can check your mailing list anywhere, and always post under one address, or through a web proxy to hide your originating IP.

I also highly recommend finding a favorite throw-away email box. Pookmail is my preferred disposable (yes, I’m dropping Google search terms!) email service. You send an email with a reply address or somethingunique@pookmail.com, wait for a reply and pick it up at the website. Granted, this has zero expectation of privacy, but at least you can use this as a throw-away address. I use this when signing up for software trials and downloads and junk that require a valid email.

web app sec testing sites

Saw this on the SecurityFocus pen-testers mailing list and thought I would capture them here for future reference. These are some sites/tools to help evaluate web app security scanner tools.

SPI Dynamics zero.webappsecurity.com
Cenzic crackme.cenzic.com
Foundstone SASS tools
OWASP WebGoat
OWASP SiteGenerator
Watchfire demo site
Acunetix php test site

Typically, lots of the online “hack me” or “hacker challenge” sites like some in my right menu list tend to touch on web-borne “hacks” for their challenges as opposed to anything else. May get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.

bruce on not needing a security industry

I’ve seen plenty about what Bruce Schneier said recently along with the feedback. Rather than address the content directly, I just want to say that eventually, many experts become nearly an establishment in themselves. Eventually they can say big, extreme things, and rather than be pissed away like some angry kid, they instead influence. Or at least make a valid point in their extreme. They kinda become those half-senile curmudgeons that are important enough that people listen to everything they say. He can say big things and doesn’t mind if everyone else uses his words as a boilerplate.

Now, that’s not a criticism. I don’t think that is bad at all. But I think that when a lot of people my age get to be Bruce’s age with a similar long background in this field, we might also see new things or futility in old things and say stuff that might be seen by others as a bit far-fetched. But I think his extreme approach is just a direct relationship to his notoriety and influence.

For some reason, I really wanted to work a quote in here as my mind drifted from establishment to institution. Anyway, I’ll force the quote in anyway, “No, I want you to set a fire so goddamn big the gods will notice us again, that’s what I’m saying. I want all you boys to look me straight in the eye one more time and say, ‘Are we having fun or what?'”