more linux basics – the sleep timer

I dig somafm, particularly the Groove Salad station. Sometimes I get into a nice chilled state of mind at night and would love to fall asleep to some cool grooves, but don’t want XMMS (my mp3 player) to run all night long. Well, I can do this easily in a terminal shell by first finding the pid of XMMS and then using the sleep command. Elegance in simplicity.

michael@orion:~$ ps ax | grep xmms
29540 ?        SLl    0:20 /usr/bin/xmms /tmp/groovesalad.pls
30511 pts/0    R+     0:00 grep xmms
michael@orion:~$ sleep 1200; kill 29540

remoting into headless ubuntu box

Yeah, I know, back to basics with Ubuntu. This took me longer than it ever should have, so I’m just posting my travails here. I wanted to make my Ubuntu server essentially headless where I don’t have a keyboard, mouse, or monitor hooked up to it. Obviously this means remote desktop capabilities.

Sadly, the obvious and most often-used tools to accomplish this either require me to remote logon with my Ubuntu laptop (yuck!) or require a session to already be logged on the server locally (yuck!). Well, I want to be able to remote in, even at the logon window after a reboot! Here are my steps.

sudo apt-get install x11vnc vnc-common
sudo x11vnc -storepasswd password /etc/x11vnc.pass
sudo gedit /etc/X11/gdm/Init/Default
add this at the bottom just above exit 0:
/usr/bin/x11vnc -rfbauth /etc/x11vnc.pass -o /tmp/x11vnc.log -forever -bg -rfbport 5900
sudo gedit /etc/X11/gdm/gdm.conf
change #KillInitClients=true to KillInitClients=false
reboot

I’ll probably end up changing this all up once I decide to wrap this inside SSH, but since this will always be local (unless I VPN in remotely), I’m not as concerned about this setup. I might just tunnel it through SSH just to make sure I can do so with this setup.

striving towards management by fact

Richard’s post about monitoring and “management by fact” got me thinking about security for the real world admin. What is the best sort of server to monitor? That’s easy, the server that requires the least changes. If you stand up a server and don’t need to do anything beyond patches and application-level updates (for a DNS server, adding DNS records…), monitoring that box becomes amazingly easy and informative.

You can quickly tell when something is wrong. Besides, one of the early steps in troubleshooting (and it is part of Cisco’s troubleshooting methodology) is to ask, “What changed?” This is something really near and dear to my heart, since I used to be pretty heavy into sciences back in college: observable changes causing observable results. If something weird happens, figure out what the one-off is that caused it.

There are really two problems in business that fight a never-ending battle against the unchanging server.

First, the technical ability of the admin is crucial. Take a new DNS admin tasked with standing up a DNS server. It might not take long to get the DNS server up and running, but to get it tuned for performance and security may take weeks, months, even years of small changes, mistakes, and troubleshooting. For an expert, experienced DNS admin, this “time to stable” is far shorter and much more ensured. This is partly why we need more experts (training) in the back rooms of IT, the luxury of making mistakes to become experts, and time to do proper research so we can be empowered to do more initiatives outside of our comfort zones (otherwise we just say, “no”).

Second, business sometimes likes to cut corners, especially with money and especially with IT infrastructure. If a server isn’t choking, it must have room to put more on it, right? This defeats trying to efficiently “manage by fact” in the IT back rooms. If you have an SBS box that does basically everything that can be crammed into it, the constant flux of use and changes can make creating a baseline and monitoring for oddities frustrating.

I love the idea of managing by fact, and I think for the most part of security, that should be the goal to someday reach.

keystroke biometrics

Keystroke mechanics keep being talked about as a form of biometric identification. I’m still skeptical because of how variable this can be…

I live in Iowa which means we have some pretty cold winters. I certainly do type differently if I have cold fingers.

I also type vastly differently depending on my level of inebriation (of course, this can cause regular typos in passwords anyway…)

I type differently depending on my position and mood and keyboard and life. I type far differently now than I did 5 years ago, for instance. Sometimes I am in thought and might type differently, especially on some sort of password screen.

Do I think people type in different enough ways to be able to tell who it is with an acceptable level of accuracy? Personally, I doubt it…

naming workstations

I just read Naming Workstations on a Windows Network and had to smile a bit. Something as simple as your workstation naming scheme can be a very complex process that is different for every single network from 10 users to 10,000. It just goes to show how varied our field is and how many different ways and opinions there can be.

My current job names workstations by OS and username. I dislike this scheme. At my old job early on I inherited and used a similar method where I named the workstations after the usernames. We had a smaller company of only about 60 users, and by the time we grew up to 150, we had had a security audit which pointed out that machines named in such a way leaked too much information (Low priority, I believe). Wanted to target the CFO? Find his name, enumerate the network, and you likely also have a username that has rights on that machine.

I switched us over to naming machines “wkst###” and maintained both an Excel spreadsheet mapping workstation name to the user assigned that computer (we checked out equipment to all employees) and also inventory management software which let me regularly map MAC, IP, usernames, and workstation names together. This way if “WKST125” was doing something naughty, I could very quickly isolate it, take control, and/or check on the user. Having administrative access on switches and remote control capabilities takes away a lot of the need for user-named or even departmental-named workstations when you have an inventory of MACs and domain admin rights! I never did reuse names either, and I had a strict personal policy that no machine was re-issued without first wiping and re-imaging it (sadly, some colleagues did not adhere to such policy later on), thus a perfect opportunity to rename it. I might leave orphaned entries and artifacts this way, but I would rather have orphaned data than data that might actively be lying to me if it wasn’t kept up to date.

we have to make mistakes

Security and IT are tough these days. While we keep getting an influx of people with their MCSE and A+ certs that can do fun things with desktop support, it is all those other more specific areas of IT that still are not getting the love they should be getting. Maybe it is because they’re a layer or two out of the eyes of most normal users (and managers). Too often, us techs can do a lot of good things, but sometimes don’t get a chance to try things out when we’re already swamped with an overload of work, not enough money, and too many fires to put out.

Mark Curphey has been posting his experiences with his new start-up lately. While a lot of the content is not terribly pertinent to me at this point, I do enjoy reading him. Tech-to-tech, this paragraph really caught my eye:

Did I really transfer the domain to my account or was this someone snarfing my domain and my religious spam rules means I missed a very important mail? Alex was sat at his desk dreaming in code but saw I was panicking. We look at it and pulled up the whois records. Holy bull-shitake batman, some bastardo has snarfed my domain and the records show dummy, dummy, dummy as the new owner. We googled and others had been conned by the same trick. How could this happen? How could Gandi let someone transfer a domain without positive acknowledgement. Oh cricky, I really screwed up by being strict on spam.

Considering the theme of this post, I think it might be obvious what caught my attention. You can make an entire job out of being a spam admin or even a DNS/SSL/domain admin, even at smaller companies. But chances are, those tasks are only a very small (a disturbingly tiny) part of our jobs. How can you get to be a spam surgeon? Do you have time to pick through what gets caught in the filters? Do you have time to even tune up the filters at all while maintaining high functionality for possibly critical emails? Just how are you tracking all your DNS and SSL purchases and expirations?

That’s tough, and I think unless you can acquire these skills somewhere or have a job that lets you have a lot of bandwidth to research and tinker with such things, outsourcing to a company that can focus on just that one thing is still a big IT need. That or understanding what techs need to ultimately be successful. Can you really maintain a spam filter effectively, or would it be more efficient to outsource to a company that specializes in spam filtering?

That is one area I think still needs work in the “business and IT must work better together” agenda. We don’t know everything in IT and we really do have to make mistakes. I’ve learned that you learn the most about technology during the troubleshooting stage as opposed to when everything is going right. Business is not terribly forgiving about such things, even if they are small but visible incidents in the whole scheme of things. Business wants to make a request, have it implemented perfectly, and then run unattended for 25 years without any further investment. IT knows better and that any new technology not only must be learned, monitored, and administered, but at some point does need to be evaluated for security, efficiency, and proper improvement.

openwrt

Played briefly with OpenWRT this weekend. I have an extra Linksys WRT54G (v2.2) WAP and I loaded up the appropriate OpenWRT firmware. OpenWRT unexpectedly imported all my previous settings from the Linksys default firmware, so I didn’t really have to do much besides plug in cables.

It should be noted that while Linksys products are administered by the web interface, OpenWRT’s web interface is really only useful to see some status information, set very general settings, and view the list of installed and available packages. Everything else should be done via an SSH connection. Set the login password in the web interface while there. This not only sets the web interface password, but also turns off telnet and enables ssh. Remember that you are essentially SSHing into a Linux box, so you SSH as root (ssh root@192.168.20.1). Hopefully through the week I’ll look into playing with this box a bit more.

dungeons and dragons and networks

This editorial on Dungeons & Dragons & Networks talks about how the boundaries present in both network troubleshooting and the D&D play format promote creativity, while tasks with fewer boundaries are more difficult.

If people performed preventative maintenance and worked to improve their network, they’d have fewer problems to address in the first place. But because individual problems provide intellectual boundaries and present obstacles to overcome, it is simply a much, much easier task than trying to look at the vast possibilities inherent in the network and try to come up with a vision rather than a solution.

I think there is a lot of truth in that, especially since us IT types tend to be problem-solvers a little more than we are visionaries. I think management (and IT staff ourselves!) can benefit from recognizing initiatives that might be more successful when more properly bounded. I am guessing that many managers and project managers likely know this principle already, but it can definitely help us techs when we’re not being led very much in between fires. (Article found through WhiteDust)

aircrack vulnerability allows a more bristly defense

I see there is a vulnerability in aircrack-ng 0.7. While interesting in itself, this strikes an interesting chord.

First, this means that widespread, fairly static distributions such as BackTrack 2 have a lot of users of their Linux livecd that will continue to run vulnerable versions of aircrack-ng. That’s a bit of concern, or should be, for anyone who uses that distro. Granted, the chances of someone attacking their box with this vuln is downright slim, but unless you roll your own BackTrack, do a full local install to update aircrack-ng, or patch aircrack-ng on the fly, you’re kinda stuck with this issue.

Second, I really believe someday I will have enough time on my hands to have a more bristly defense posture on my networks. In this case, I could have not only an IDS on my wireless network, but I could actually regularly send out packets crafted for just this vulnerability. Anyone leveraging aircrack-ng 0.7 (or BackTrack2) against my wireless network might be in for a brief surprise and could give me additional information or warning about maldoers. Rather than just a fence around the grounds, it can be highly electrified as well.

With a lot of vulns like this, it might not make sense to send out traffic for it because you never know if people will still be using it, and the chance gets slimmer as time goes on. But BackTrack 2 is pretty static for a lot of users who never change anything and may be using this distro until a major update comes out.

powershell auditing permissions

Auditing permissions on a Windows server is basically hellish unless you have a very strict policy on subfolder explicit permissions and group usage. You can use tools like CACLS.exe and XCACLS.exe, but for messy folder shares, the output can be utterly unmanageable. Enter a powershell script I wrote. This script takes a path as an argument and will dump out all explicit (non-inherited) permissions from the path and all subfolders inside it. Never make the mistake of re-pushing inheritance down on subfolders and wiping out all those restrictions again!

$error.Clear()
# Note: this silences access-denied errors, so folders the auditor cannot
# read are skipped without any notice in the output.
$ErrorActionPreference = "SilentlyContinue"

function GetExplicits ($folders)
{
    foreach ($i in $folders)
    {
        $spacing = $false
        $acllist = Get-Acl $i.FullName
        foreach ($x in $acllist.Access)
        {
            # Only explicit ACEs; inherited ones just repeat what the parent says
            If ($x.IsInherited -eq $false)
            {
                Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.FullName)"
                $spacing = $true
            }
        }
        # Blank line after each folder that had explicit entries
        If ($spacing) { Write-Host "" }
    }
}

If (-not $args[0]) { "usage: ./auditperms.ps1 `"<path>`""; break }
$strpath = $args[0]
If (-not (Test-Path $strpath)) { "bad path, try again, cowboy!"; break }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -Path $strpath
GetExplicits $folderslist

Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -Path $strpath -Recurse | Where-Object { $_.PSIsContainer -eq $true }
GetExplicits $folderslist

The output looks like this:

----------------------------------
ROOT FOLDER EXPLICITS
Everyone has Modify, Synchronize on \\fileserver\users\scanner
CREATOR OWNER has Modify, Synchronize on \\fileserver\users\scanner
BUILTIN\Administrators has Modify, Synchronize on \\fileserver\users\scanner
MYDOMAIN\Domain Users has Modify, Synchronize on \\fileserver\users\scanner
----------------------------------
SUBFOLDER EXPLICITS
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\FarmBanc
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp\April Visit
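Note that “Everyone has Modify” on the root folder is exactly the kind of entry worth a second look. The following is an added example in PowerShell, not the post’s script: it walks the same explicit ACEs, flags broad principals that hold write-class rights, writes everything to CSV, and reports folders the auditor could not read instead of silently skipping them. The CSV default path and the list of “broad” principals are assumptions, and Get-ChildItem -Directory needs PowerShell 3.0 or later.

```powershell
# Added example, not the post's script: explicit-ACE report with broad-grant
# flags and unreadable-folder reporting. CSV path is an assumed default.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$Csv = '.\explicit-acl-report.csv'
)

# Principals that rarely deserve an explicit write grant on a file share (assumed list).
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', '*\Domain Users')

# Any of these rights lets the holder change, delete or re-permission data.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
               $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-ExplicitAce {
    param([System.IO.DirectoryInfo]$Folder)
    try {
        $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        # A folder the auditor cannot read is itself a finding, so record it.
        return [pscustomobject]@{
            Path = $Folder.FullName; Identity = '<unreadable>'
            Rights = $_.Exception.Message; Type = 'Error'; Broad = $false; Write = $false
        }
    }
    foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
        $id = $ace.IdentityReference.Value
        $isBroad = $false
        foreach ($p in $broadPrincipals) { if ($id -like $p) { $isBroad = $true } }
        [pscustomobject]@{
            Path     = $Folder.FullName
            Identity = $id
            Rights   = $ace.FileSystemRights.ToString()
            Type     = $ace.AccessControlType.ToString()
            Broad    = $isBroad
            # Compare raw bits: generic rights may not map to enum names
            Write    = (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0)
        }
    }
}

$root = Get-Item -LiteralPath $Path -ErrorAction Stop
if (-not $root.PSIsContainer) { throw "$Path is not a folder" }

# Keep recursion errors instead of discarding them, then audit root plus every subfolder.
$subs = Get-ChildItem -LiteralPath $Path -Recurse -Directory `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors
$folders = @($root)
if ($subs) { $folders += @($subs) }
$report = foreach ($f in $folders) { Get-ExplicitAce -Folder $f }

$report | Export-Csv -LiteralPath $Csv -NoTypeInformation
Write-Host "Broad principals with explicit write-class Allow entries:"
$report | Where-Object { $_.Broad -and $_.Write -and $_.Type -eq 'Allow' } |
    Format-Table Path, Identity, Rights -AutoSize
foreach ($e in $walkErrors) { Write-Warning "Could not enumerate: $($e.TargetObject)" }
```

Run it as an account that can read every folder’s ACL (not necessarily its contents); entries marked Error or listed in the warnings are the places the audit is blind.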

is there a reaction to security warnings

I saw this quote today in some news that hit my rhetorical question button:

The Ministry of National Defense located in Taipei has warned their personnel against cyber attack. Awareness at the user level is more important than ever after a recent discovery of an intelligence leak at the National Defense University.

What would you do differently in your job if you received a warning from your boss or from upper management or the security team to be wary of cyberattacks? What will your own employees do differently? Will they even know what that means or what to even begin to do?

I can imagine my mom getting that notice where she works and basically having zero change in behavior because it really means nothing to her (she works in a hospital). Should she stop more strangers in the hallways and challenge for ID? Should she refrain from email communication? If the computer crashes unexpectedly, should she more quickly call up IT to report it and investigate?

Does your security training equip employees to be able to process and respond to such a warning? Maybe the company shouldn’t even give these warnings and instead only raise the warning level of technical/security staff? Did you send out a warning to employees the other week to be on the lookout for any ANI/cursor files sent via email or posted on websites? Does that really change anyone’s behavior or do they just talk to their immediate peers about how stupid that email was for 5 minutes?

wispy on linux

So, a while back I got a Wi-Spy, which works great on Windows XP. I saw that there are some wispy tools for Linux, so I thought I would try them out on my Ubuntu laptop. I downloaded the files and extracted to /home/michael/wispy.

michael@orion:/$ cd /home/michael/wispy
michael@orion:~/wispy$ sudo apt-get install libusb-dev libncurses5-dev libgtk2.0-dev
michael@orion:~/wispy$ ./configure
michael@orion:~/wispy$ make
michael@orion:~/wispy$ sudo ./wispy_gtk

This worked out just fine (and yes, libgtk2.0-dev installed a ton of stuff), but the colors look horrid. The whole spectromap takes on this lemony-green color even when nothing much is happening. Very ugly, but then again, this is just a quick set of tools whipped together and really is no replacement for using Chanalyzer on Windows. Still, this is nice in case I ever do want to see what’s going on and only have my Ubuntu with me.

random notes on 2600, hacking exposed, orinoco atheros

The latest 2600 is out. If you don’t typically buy it or have the money, just sit down at the bookstore and flip through it and read what you want.

I also see one of the books I’ve really wanted in the last year has been released. Hacking Exposed: Wireless is currently available and in an odd green color. Anyone aware why this one is green? I didn’t pick it up long enough to find out why, but I’ll be buying the book regardless.

On the wireless front, I got my latest Orinoco wireless PCMCIA card on Friday and am very pleased with its performance. It is the Atheros chipset (8470-WD) which means it plays very nicely with BackTrack 2 and monitor mode. In fact, it plugs in and works just fine unless I’ve been juggling cards on that laptop and the last config still has a different card (my BackTrack is fully installed locally, so my settings are saved).

shmoocon – simple nomad and clarke

More Shmoocon 2007 presentations.

Hacker Potpourri – Simple Nomad.mp4 – Simple Nomad (old skewl) talks about some greylisting of spam mail, OS fingerprinting using PPTP, finding firewalling devices (using FIN flags, UDP port 0 packets, hop counting) and DVR hacking, but the real meat of this talk is about profiling IDS/IPS systems, which starts at 32:45. You can use reverse-lookups to profile some IDS/IPS systems, the timing of reports, and whether admins are doing manual checks. You can fiddle with the DNS replies to profile the investigator some more. Abuse the signature sets to further narrow what IDS is in use or how they block things (vulnerability vs exploit). You can really do a lot of information gathering by knowing signatures for various IDS products and doing tests to see if your attacks are either blocked, allowed, or logged and then either manually or automatically investigated. Very cool.

Extend Your Code Into the Real World – Ryan Clarke.mp4 – I really dig Clarke’s enthusiasm and energy. I’d love to hang out with this guy and tinker with electronics and hardware on the weekends. His talk is a beginner blitz into hardware hacking. I consider this talk mandatory for any security or tech guys as Clarke really shows off where some things are going. Very exciting!

When it comes to computers and “hacking” and electronics, I can’t do everything despite my desires and best efforts, but for the things I’m not diving into at the time, I love talks like this because they can give me a nice taste of what I’m missing and keep me at a level that I could dive in if my life ever finds me in a place where I can do it (or have friends who do it that I can learn from).