shmoocon 2007

Some of the Shmoocon 2007 presentations have been posted. There are quite a few, and maybe not all of them will be interesting, so I thought I would provide my feedback here (and keep adding to it) on the talks I checked out, plus a quick impression of what I thought about each.

I really wish I had attended Shmoocon, but I’m not really at a place right now where I could. I really wish I had heard about it back in its first year, 2005, as I was in DC at the time on business. Sadly, I didn’t learn about Shmoocon until after I had gotten back (and I was housed in a hotel very close to it as well!). At any rate, I’ll still devour the presentations online and get something out of them. Overall, I really dig the vibe from Shmoocon. It is serious about security but in a fun, friendly, personal kind of way that I think best resembles early Defcon or perhaps CCC. Smart, awesome, but not hoity-toity and “commercialized” or too anonymous.

Opening Remarks.mp4 – If you want to learn a little bit more about Shmoocon and what it’s all about, this is a useful half-hour talk from Bruce Potter of the Shmoo Group.

Hacking the Airwaves with FPGAs – h1kari.mp4 – A 20-minute presentation about cracking WEP and WPA (and FileVault and Bluetooth PINs) using FPGA hardware to speed things up. While that is interesting, the hardware itself is pretty spendy. If you’ve not seen his talk before or don’t know anything about FPGAs, watching a longer presentation may be more helpful, but his demos are quick and do work in this one. Tools: jc-wepcrack for WEP, coWPAtty for WPA-PSK, vfcrack for FileVault, btcrack for Bluetooth PINs.

No-Tech Hacking – Johnny Long – Johnny is a very cool presence and typically includes a lot of really awesome audience participation where he presents pictures and asks for feedback. This is no different and he presents a lot of pictures and asks, “What does a hacker see?” This is about observation skills, information gathering, opening your mind. I can just also say, “the driver has candy.”

an interesting issue in powershell

I am scripting some file syncing and having a frustrating time. The biggest issue is trying to work around a few files that are flagged as “read-only.” In the examples, assume sourcefile.txt is “read-only.”

PS> copy-item sourcefile.txt c:\sourcefile.txt -force
If this is the first time copying, this works just fine because the destination file is new (it is created as a copy of the source, read-only flag included).
PS> copy-item sourcefile.txt c:\sourcefile.txt -force
This now gives an error because c:\sourcefile.txt is read-only.
PS> move-item sourcefile.txt c:\sourcefile.txt -force
This always works.

While this isn’t so bad, I don’t want to move folders over without first going through them to make sure the new folder isn’t leaving out something from the old folders, if that makes sense.

So far, my solution is way more complex than I think it should be. I read through all folders and determine whether each folder is new or already exists at the destination. If it is new, I move-item it over. I then move all the non-container items (files) that are left. Then I remove all the leftover source containers. Please excuse the variable names and lack of tabs showing up.

$shortpathdest   = "\\SERVER\FILES\Installed"
$shortpathsource = "\\SERVER\FILES\ToInstall"

# Pass 1: folders. A folder that does not yet exist at the destination is moved whole.
$items = Get-ChildItem $shortpathsource -Recurse | Where-Object { $_.PSIsContainer -eq $true }
if ($items)
{
    foreach ($i in $items)
    {
        # Swap the source root for the destination root to get the target path.
        $fullsourcepath = $i.FullName.Replace($shortpathsource, "")
        $fullpathdest   = $shortpathdest + $fullsourcepath
        if (-not (Test-Path $fullpathdest)) { Move-Item $i.FullName $fullpathdest -Force }
    }
}

# Pass 2: the files left behind belong to folders that already existed at the destination.
# Move-Item replaces a read-only destination file where Copy-Item -Force gave an error.
$items2 = Get-ChildItem $shortpathsource -Recurse | Where-Object { $_.PSIsContainer -eq $false }
if ($items2)
{
    foreach ($i in $items2)
    {
        $fullsourcepath = $i.FullName.Replace($shortpathsource, "")
        $fullpathdest   = $shortpathdest + $fullsourcepath
        Move-Item $i.FullName $fullpathdest -Force
    }
}

# Pass 3: clear out the now-empty source folders.
Remove-Item "$shortpathsource\*" -Recurse -Force
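The same job done the other way round, as an added example that is not the script from the post: copy everything, clear the ReadOnly attribute on an existing destination file right before overwriting it (the flag that made Copy-Item -Force error above), and only delete a source file once a same-sized copy is confirmed at the destination. The share paths are placeholders, and the relative path is computed with Substring rather than String.Replace because Replace is case-sensitive and will silently leave the path untouched if the root’s case differs from what Get-ChildItem reports.

```powershell
# Added example, not the script from the post. Mirrors $Source into $Destination,
# clearing the ReadOnly attribute on an existing destination file before the copy,
# and deletes a source file only after its copy has been verified at the destination.
function Sync-TreeForce {
    param(
        [string]$Source,        # e.g. \\SERVER\FILES\ToInstall (placeholder share)
        [string]$Destination,   # e.g. \\SERVER\FILES\Installed (placeholder share)
        [switch]$RemoveSource   # also clean out the source tree once verified
    )
    $srcRoot = (Get-Item $Source).FullName.TrimEnd('\')

    # Pass 1: recreate folders and copy every file.
    Get-ChildItem $srcRoot -Recurse | ForEach-Object {
        # Relative path via Substring, not String.Replace (which is case-sensitive).
        $rel  = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
        $dest = Join-Path $Destination $rel
        if ($_.PSIsContainer) {
            if (-not (Test-Path $dest)) { New-Item $dest -ItemType Directory | Out-Null }
            return   # on to the next item
        }
        if (Test-Path $dest) {
            $existing = Get-Item $dest
            # Clear the flag that made Copy-Item -Force fail on the second run.
            if ($existing.IsReadOnly) { $existing.IsReadOnly = $false }
        }
        Copy-Item $_.FullName $dest -Force
    }

    if (-not $RemoveSource) { return }

    # Pass 2: remove a source file only if the destination copy exists with the
    # same length; anything unverified stays behind and is reported.
    Get-ChildItem $srcRoot -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $rel  = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
        $dest = Join-Path $Destination $rel
        if ((Test-Path $dest) -and ((Get-Item $dest).Length -eq $_.Length)) {
            Remove-Item $_.FullName -Force   # -Force also removes read-only source files
        } else {
            Write-Warning "Not verified at destination, keeping: $($_.FullName)"
        }
    }

    # Pass 3: delete the emptied source folders, deepest first.
    Get-ChildItem $srcRoot -Recurse | Where-Object { $_.PSIsContainer } |
        Sort-Object FullName -Descending | ForEach-Object {
            if (-not (Get-ChildItem $_.FullName -Force)) { Remove-Item $_.FullName -Force }
        }
}

Sync-TreeForce -Source "\\SERVER\FILES\ToInstall" -Destination "\\SERVER\FILES\Installed" -RemoveSource
```

Run it without -RemoveSource first to see what lands at the destination; the length check in pass 2 is a cheap sanity test, not a content comparison, so for anything important compare hashes before trusting the delete.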

some basics of windows performance tweaking

For any practicing sysadmin, sometimes you just have to tweak servers to milk a little bit more performance. Sometimes the good ol’ basics are still the best things to do. I liked these steps (mostly) from SearchWinComputing. I’ll just give my own notes on the steps.

1. Use a dedicated drive for the pagefile. This makes sense.

2. Keep your hard disks defragmented. I don’t do this much, but when trying to milk a bit more performance out of a server, defragging is still a low-hanging fruit to try out.

3. Use the NTFS file system. I wouldn’t think to do otherwise, not from a performance standpoint necessarily, but definitely for security: FAT volumes have no ACLs, so file permissions, auditing and EFS all need NTFS.

4. Avoid running 16-bit applications. Ok.

5. Look for memory leaks. Basically you need to monitor memory usage continuously to catch this. Sometimes apps (like ASP under IIS) will automatically recycle themselves and clean up, thus hiding the indications of a memory leak. Once a process with a leak is identified, research it on Google or with your own teams if it is homegrown.

6. Remove seldom-used utilities. I would also suggest making sure server software is inventoried and reviewed regularly. That way when some piece is no longer needed, it can be identified and removed. But yes, it sucks to see unused things running on a server.

7. Disable unused services. A tried-and-true best practice for…just about everything.

8. Log off. Makes sense to me!

9. Compress the hard disk. The author makes a decent case for this, but compression trades CPU time for disk I/O, so I would only do it in conjunction with baselining performance and testing after each change; otherwise it could be detrimental.

10. Adjust the server response, i.e. set processor scheduling (System Properties > Advanced > Performance Settings) to favor background services over foreground programs.
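For step 5, here is the kind of monitoring I mean, as an added example rather than anything from the SearchWinComputing article: snapshot every process’s private bytes several times and report only the ones that grew on every single sample. The sample count and interval are arbitrary defaults. Keep the recycling caveat in mind: a worker process that recycles between samples shows a drop and will not be flagged, so for those watch the recycle events instead.

```powershell
# Added example, not from the article: take several snapshots of each process's
# private bytes and report the processes that grew on every sample.
function Find-GrowingProcesses {
    param(
        [int]$Samples = 5,           # number of snapshots to take
        [int]$IntervalSeconds = 60   # seconds to wait between snapshots
    )
    $history = @{}   # key "<pid>:<name>" -> array of PrivateMemorySize64 readings
    for ($n = 0; $n -lt $Samples; $n++) {
        foreach ($p in Get-Process) {
            # Key on PID and name together so a reused PID is not mistaken
            # for the same process.
            $key = "$($p.Id):$($p.ProcessName)"
            if (-not $history.ContainsKey($key)) { $history[$key] = @() }
            $history[$key] += $p.PrivateMemorySize64
        }
        if ($n -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    foreach ($key in $history.Keys) {
        $readings = $history[$key]
        # Ignore processes that were not alive for the whole run.
        if ($readings.Count -lt $Samples) { continue }
        $grewEveryTime = $true
        for ($k = 1; $k -lt $readings.Count; $k++) {
            if ($readings[$k] -le $readings[$k - 1]) { $grewEveryTime = $false; break }
        }
        if ($grewEveryTime) {
            $o = New-Object PSObject
            Add-Member -InputObject $o NoteProperty Process  $key
            Add-Member -InputObject $o NoteProperty StartKB  ([int]($readings[0] / 1KB))
            Add-Member -InputObject $o NoteProperty EndKB    ([int]($readings[-1] / 1KB))
            Add-Member -InputObject $o NoteProperty GrowthKB ([int](($readings[-1] - $readings[0]) / 1KB))
            $o
        }
    }
}

# Five samples a minute apart; lengthen the interval to catch a slow leak.
Find-GrowingProcesses -Samples 5 -IntervalSeconds 60 |
    Sort-Object GrowthKB -Descending | Format-Table -AutoSize
```

Monotonic growth over five minutes is a hint, not proof; a process legitimately filling a cache looks the same, so follow up on anything flagged with a longer run or with Performance Monitor counters on that process.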

kicking wep while it is down

WEP is already known to be broken and weak, but I see Aircrack-ptw is a new tool out that purports to break WEP (most implementations anyway) much more quickly; the paper behind it reports recovering a 104-bit key from roughly 40,000 captured packets with 50% probability and from about 85,000 with 95%. I have not yet tried it, because BackTrack 2 decided to be a bugger about my Hermes Orinoco card and I have yet to replace it or find a solution (Whoppix and BT1 are fine with it, go figure), but once I get that squared away I plan to check this tool out. There is a paper linked on the site, and while some of it gets into some deeper mathematical (mathematical sure sounds more haughty than “math,” eh?) theory, some sections are still concise and informative (1, 5, 8, and 9).

Update: I see ISC has also been made aware of this, although they link just to the paper.

a gaming rig on a budget of $1500

If you’re a sec geek, you’re also likely a gaming geek on some level. And if you do any amount of PC gaming, you’ll likely be building your own systems unless you have extra money to throw at pre-built systems from vendors. And while I’m not in the market to fully upgrade my gaming rig right now, it really helps to casually read up and stay at least somewhat current with what is going on in the PC gaming hardware market. This article by Corsair is not just a guide to buying bargain gaming parts that still scream performance; the guys actually go through (with lots of awesome screenshots) overclocking, BIOS settings, benchmarking tools and examples, and even suggestions on different parts. (Personally, I’d swap that frickin’ huge heatsink for a watercooling model.)

In true HardOCP fashion, you can also head to the comments of their news byte on the article and check out some reactions.

On third thought, it wouldn’t hurt to maybe pick up a few parts now and file this guide away…

windows mobile tools

I almost bought a Linux-based PDA earlier this year (Zaurus 5500 or 6000) and I still might, but after reading what is now available for Windows Mobile from both Justin Clark and Andre Gironda, I might have to add a newer Windows Mobile device for myself this year. I hadn’t realized tools had come this far! There are more notes here and likely elsewhere if I were to look.

appliedsec shmoocon challenges

If you have time to check this out or you don’t and still want to learn something (shame on you!) then pick up Applied Sec’s Shmoocon challenge notes and the solutions. I don’t think they’ll be up for a terribly long time, especially the server, so don’t delay. Upon first glance, these challenges look to be a little more varied and interesting than most of the web-based “hacker challenge” sites out there.

operating system vulnerability comparison

OmniNerd posted a rather lengthy article comparing various default installations of most modern operating systems (released in 2006, I think) using nmap and nessus to determine the vulnerability of said distributions to remote attacks. While simplistic in assessment and lengthy in discourse, the biggest takeaway I got from this article in my brief skim aligns with what I believe anyway. Operating systems have weaknesses, strengths, and problems, but ultimately it is a knowledgeable and diligent admin that makes a system secure (or more secure, if you will), and normal users can turn an OS into swiss cheese very easily.

use powershell as a real powered up shell

PowerShell is pretty cool so far, even if the remote capability requires some heavy scripting/.NET experience for now. I just found out today that I can actually write functions, put them into my profile file (%My Documents%\WindowsPowerShell\Microsoft.PowerShell_Profile.ps1), and have them load on start-up. This means my little function to start and stop remote services can be a simple one-line job and always preloaded, kind of like my own little command shell. Type $profile to make sure you have the right location. Mine is in an odd place since I start PowerShell with my network admin privs as opposed to my normal workstation account.

Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

RemoteServices loaded

PS C:\Documents and Settings\mdickey> remoteservices
usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]
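One way to build a profile function with exactly that usage line, as an added example and not the function from the post: it goes through WMI’s Win32_Service class, which reaches a remote machine without any PowerShell remoting, and prints the “loaded” line at the end so the profile announces itself as above. The server and service names on the last lines are placeholders.

```powershell
# Added example, not the post's own function: RemoteServices for the profile,
# matching the usage line above and implemented over WMI (Win32_Service).
function RemoteServices {
    param(
        [string]$Server,
        [string]$Action,
        [string]$Service
    )
    $usage = "usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]"
    if (-not $Server -or -not $Action) { return $usage }
    if ($Action -ne 'List' -and -not $Service) { return $usage }

    # The service name is interpolated into a WQL filter; escape single quotes
    # so a stray quote cannot break (or alter) the query.
    $svc = "$Service".Replace("'", "\'")
    $query = { param($filter) Get-WmiObject Win32_Service -ComputerName $Server -Filter $filter }

    switch ($Action) {   # switch is case-insensitive by default
        'List'    { & $query "State='Running'" | Select-Object Name, DisplayName, State }
        'Check'   { & $query "Name='$svc'"     | Select-Object Name, State, StartMode }
        'GetName' {
            # Look up the short service name from part of the display name.
            & $query "DisplayName LIKE '%$svc%'" | Select-Object Name, DisplayName
        }
        'Stop'    {
            $s = & $query "Name='$svc'"
            if (-not $s) { return "No service named $Service on $Server" }
            # ReturnValue 0 means the service control manager accepted the request.
            "StopService on $Server\$Service returned $($s.StopService().ReturnValue)"
        }
        'Start'   {
            $s = & $query "Name='$svc'"
            if (-not $s) { return "No service named $Service on $Server" }
            "StartService on $Server\$Service returned $($s.StartService().ReturnValue)"
        }
        default   { $usage }
    }
}
"RemoteServices loaded"

# Typed at the prompt once the profile has loaded, for example:
# RemoteServices fileserver01 Check Spooler
# RemoteServices fileserver01 GetName "Print"
```

Stop and Start only return once the SCM has accepted the request, not once the service has finished changing state, so follow either with a Check if the next step depends on it.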

warm under the collar

From an article:

About 11 buildings have lost air conditioning because of the failure, Stone said. The problem threatens to overheat computer servers, and officials are warning that the state’s main web page will be out of service periodically throughout the day.

It is hard to realize how important cooling is in a data center or even a small switch room until the AC cooling said room goes out. It can heat up pretty fast if you’re not decisive and that can really cripple business.

How do you plan for such an event?

– Make sure you have redundant cooling solutions; while you might not need multiple heavy industrial coolers, at least have something available to either vent warm air or introduce cool air. While normal fans are absolutely no replacement for AC cooling, moving air is better than stagnant warm air.

– Keep AC repair service numbers or contracts readily available for quick remediation.

– In your inventory of servers and systems and services, make sure you know which ones are critical and which ones are expendable over short periods of time. Just like trying to milk juice out of your UPS in a power outage, you want to milk the temperature in your server room as long as possible. Shut down all unnecessary servers and devices to minimize heat generation. Be ready to determine when critical temps are reached that will almost certainly damage equipment and/or data and be prepared to invoke a business continuity plan or…be ready to have the company take the day off…

oh such lovely silica you have

Dave Aitel posted to DD a link to a review of SILICA. SILICA is awesome and one of those gadgets I really want to get my hands on. But at a price of $3600, it is definitely a major purchase for someone like me; just low enough to be doable, but higher than even a good laptop or gaming rig, with far fewer uses. Nonetheless, if this device stays current and highly supported by Immunity for many ongoing years, I really am going to plan on picking this up in the next year or just after (my car gets paid off next summer, which means some freed-up monies…).

10 immutable laws of security administration

Snagged this from Sean’s blog. I swear I have seen this before or maybe even posted about it, but couldn’t find it. Either way, it’s a nice set of “laws” and in the same vein as the 10 immutable laws of security.

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea

no sooner do I finish my windows server…

No sooner do I finish up on my Windows server…now I’m using an older 400MHz box to start standing up an Ubuntu server to start using stuff there. While I like stability for the things I use daily, I really want to learn more, so rather than let my stuff languish on Windows for a few years, I’m moving on already.

The first thing I want to move over are the things I use cygwin/Windows for, namely my SSH server. My SSH server gets quite a few hits, strangely Amsterdam is outpacing Asia in SSH auth attempts. If you let that page load, you can see all the attempted login names. Since I am running SSH on cygwin, I don’t even use “root” or “admin.” I’m surprised that “Administrator” is not used more, since that is what cygwin pulls in (it mirrors the Windows accounts). If someone can do that small battery of attempts, it is trivial to add “administrator” to that initial slam.
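The tally of attempted login names I’m looking at can be pulled straight from the sshd log. As an added example (not something from the post), here is a quick PowerShell pass over OpenSSH-style “Failed password” lines that counts attempts by user name and by source, and flags any attempt that used a name the host actually has. The log lines are constructed sample data (192.0.2.x, 198.51.100.x and 203.0.113.x are documentation addresses); replace them with Get-Content of the real log.

```powershell
# Added example, not from the post: tally user names and source addresses from
# sshd "Failed password" lines. Sample lines below are constructed.
function Get-SshFailedLogins {
    param([string[]]$Lines)
    # sshd writes "invalid user" only when the account does not exist on the host,
    # so its absence means the attacker guessed a real account name.
    $pattern = 'Failed password for (invalid user )?(\S+) from (\S+) port \d+'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $o = New-Object PSObject
            Add-Member -InputObject $o NoteProperty User        $matches[2]
            Add-Member -InputObject $o NoteProperty Source      $matches[3]
            Add-Member -InputObject $o NoteProperty RealAccount (-not $matches[1])
            $o
        }
    }
}

# Constructed sample log (OpenSSH syslog format); "localuser" stands in for a
# Windows account that cygwin's sshd would actually accept.
$sample = @(
    "Apr  2 03:14:07 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2",
    "Apr  2 03:14:09 host sshd[2213]: Failed password for invalid user test from 192.0.2.10 port 51031 ssh2",
    "Apr  2 03:14:12 host sshd[2215]: Failed password for invalid user root from 192.0.2.10 port 51040 ssh2",
    "Apr  2 03:20:41 host sshd[2290]: Failed password for invalid user oracle from 198.51.100.7 port 40112 ssh2",
    "Apr  2 03:20:44 host sshd[2292]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2",
    "Apr  2 03:20:49 host sshd[2294]: Failed password for localuser from 198.51.100.7 port 40131 ssh2",
    "Apr  2 03:21:02 host sshd[2298]: Accepted publickey for localuser from 203.0.113.5 port 60111 ssh2"
)

$attempts = Get-SshFailedLogins $sample

"Attempts by user name:"
$attempts | Group-Object User   | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
"Attempts by source address:"
$attempts | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The worrying ones: guesses that hit an account the box really has, or the
# Windows name cygwin would map, whichever way the attacker spells it.
"Guesses against real or Windows-default accounts:"
$attempts | Where-Object { $_.RealAccount -or $_.User -eq 'administrator' } |
    Format-Table User, Source, RealAccount -AutoSize
```

Group-Object on the Source column is also the quick way to see which addresses are worth a firewall rule; a name list that is identical from two sources is the same tool run twice.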

Anyway, yes, my next project is to start standing up and getting more familiar with running certain apps on Linux. SSH is not going to be an issue, and I’d like to leverage Linux to analyze my Apache log files and other neat things on my network. On a more advanced note, I want to throw sendmail or another nix mail server up as well. I like my current mail server, but the image spam is just not terribly fun and spam solutions on Windows are not as impressive to me as nix solutions. Besides, I want to be exposed to more. I spent years in my comfort zone and it’s paying off to try out new things. This box also now has a 200GB HD and has always had 2 NICs, which plays right into my hands to get Snort on a nix box and familiarize myself with some more monitoring tools.

That’s how my spring is shaping up, and what has been stealing my time lately.

cybersecurity defense requires a good offense?

We’ve yet to see this come to a head, but I bet it will be soon. An article I read today contained a few tidbits about cyber warfare:

History teaches us that a purely defensive posture poses significant risks, Cartwright told the committee. He [Marine Gen. James Cartwright, commander of the Strategic Command] added that if we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.

Cartwright said U.S. adversaries in cyberspace include other countries, terrorists and criminals who operate behind what he described as technical, legal and international screens, and he said that if we are to take the fight to our adversaries, we will need Congress’ help finding solutions to penetrate these screens…

[Lt. Gen. Robert Elder Jr., commander of the 8th Air Force and JFCC-Global Strike and Integration] did not detail plans for going on the offensive. But when asked about it, he said, “We will probably do some of that, by the way.”

We might be going on the offensive? Are we actually at war in a way that we can go on the offensive as if we were on the sea, air, or land? I really wonder if that will be seen as a hostile action or not, or if this is all still just contested territory. I don’t have much thought on this right now, but as the years move forward, this cyber conflict could have ramifications for the openness and neutrality of our Internet.