favorable conditions at work…and play

“By ‘strategic advance.’ I mean making the most of favorable conditions and tilting the scales in our favor.” – The Art of War, Chapter 1: On Assessments

Definitely useful to make the most of good situations when dealing with security. If you suddenly get a budget or have a chance to make an incident into a growing experience, do it. Likewise, be ready to make the most of bad conditions. Budgets or internal issues should not stop necessary security from being cobbled together.

“The supreme accomplishment is to blur the line between work and play.” – Arnold Toynbee

Thankfully, when I am with a company I like, work and play are very blurred. Ahh, the geek lifestyle! This quote can be very easily twisted and might make some people very upset because they value separating work and play, but all of us are different, and it has been my mantra in 2006 and ongoing into this year to enjoy my work so much that it feels like play, since I play what I end up doing at work anyway for now. I just want to enjoy the way I spend 1/3 of my day (which you can extrapolate to being 1/3 of the rest of my working life). I want to thoroughly enjoy my job, company, and team, and I likely won’t be settled until I find that balance.

linux as main box part 9: the bad

Going on about 5 months using Ubuntu as my primary laptop and things are still relatively good; good enough to stick with it. I do have a companion laptop with Windows XP that I use to stay sharp on XP, try out new stuff, and do the few things that Linux won’t do yet (particularly run my favorite P2P program, SoulSeek).

However, there are some growing concerns, particularly in how robust Linux can be as a desktop machine.

Ubuntu is sluggish. I’ve long noticed this, but only lately is it really grinding on me. Ubuntu with Gnome is not nearly as crisp to respond as my tried and true Windows machines. Nautilus is even slower and clunky and will sometimes hang when transferring 70+ files over an SMB connection on my network. Firefox 1.5.x (the kind Ubuntu 6.06 supports) is crashing or just having problems loading some content. Firefox on Ubuntu is far slower than Firefox on Windows, even on worse hardware, both on load and in serving content.

I’m going to stick with Linux because I really want to learn it, but I will say I don’t think it is yet ready to displace other OSs on the typical desktop. It still can’t do many things out of the box and it just is not as swift as Windows (assuming Windows is relatively free of spyware/adware). Linux has a long history of being appropriate for geeks, but Windows has a long history of meeting the needs of a vast majority of common users…and that’s where the desktop market is.

I am going to see if I can get Kubuntu 6.10 up and running on another box and try it out before I think about replacing my Ubuntu 6.06 install. Perhaps KDE will be more to my liking and I’m totally willing to check it out.

the training devil’s advocate

An article in InformationWeek has sparked some comments through the various security bloggers. I’ve decided to play devil’s advocate for a moment when it comes to user training. Basically, I’m just making a point or two, so don’t lambaste me too hard for being wrong or pessimistic. 🙂

the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don’t really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don’t care enough or maybe even find it cumbersome to change the time.

Similarly in security, not everyone wants to care about the technical ins and outs of security. They don’t want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don’t have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don’t educate themselves about their computer, just like it is easy for them to wonder loudly why we don’t get out more. 🙂 Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can’t make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I’m sure.

the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don’t smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.

This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling…)

Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.

Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some; others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementers of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training should definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee (no offense intended) employees, the effect of their education is still arguable.

some rhetoricals
The mishandling of data is one of the biggest problems, especially when we’re talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?

instant messaging in the workplace

I need to watch the episode that Scott Wright references for this post. Instant Messaging is a technology that is still in flux when it comes to corporate use, and I’m always curious about the views people have of it, and how companies use it.

My last company had very little interest in controlling the IT environment. As such, people used Yahoo, AIM, and MSN as they wished. Sales used it regularly, especially those people outside the offices at home or on the road. It really was very useful, even if I wasn’t so happy about it. Eventually the company moved to get a centralized (kinda compliant) IM system. We set up a Jabber server, privatized registrations, and got most everyone on that product. Sadly, too often critical business issues were communicated via IM rather than accepted and more loggable avenues of communication such as a ticketing system, phone, or in person searching for someone to assist. Eventually our team went “invisible” on the system because of the abuse and poor “handing-off” of issues via unresponded-to IM messages (and people got pissed that we would always kindly ask for a trouble ticket so that the issue would properly get logged for metrics and reporting). Also, there was widespread fear that we were logging conversations, which drove people away from Jabber. (I never did understand what people were talking about that they were scared it might be logged…besides which we never did turn on logging since no one asked us to do so.) Unfortunately, no one ever supported removing the other IM programs, so eventually Jabber fell by the wayside and only our networking team used it extensively, albeit with a lot of invisibility (hell, our team was geographically split anyway). The user-base then “found” Skype and started installing and using it, despite network team objections. Management had little interest in curbing that, despite the compliance holes. This is an example of the users pushing technology and process due to indifferent management.

My current company has banned IM use. Not only are many systems limited in user rights and installed software, but my IPS and possibly the web proxy will actively block known IM traffic. Needless to say, we don’t use IM, but there is talk about evaluating its use, especially as we do a lot of travel business which regularly sees employees in some exotic locations.

What is the proper answer? I don’t think there is a universal answer and it will depend on the company, the business needs, and compliance issues. I do think, however, that IM will eventually continue its push into business. Email is broken as a technology and will very, very slowly be replaced with more IM/SMS technologies. I also think that IM is such an integral tool in our culture and lives that business really cannot just completely preclude it forever. I’d rather properly implement it now rather than later, do it properly, and reap the business benefits. Many people will argue about lost productivity, but I don’t think that will necessarily be the case, especially in a private IM system. Besides, if someone is going to screw around, they will screw around whether it is via IM or not.

pci and data security compliance blog

A recent post by Ed at SecurityCurve.com pointed me over to the PCI and Data Security Compliance blog. Now, I can’t speak intelligently about PCI these days, and a real auditor would run circles around me about compliance. I also don’t have to deal directly with this yet in my job, but someday I will, no doubt. And while I don’t have a ton of learning bandwidth right now to learn compliance, I at least can regularly peruse this blog and get used to the terminology and what is all kinda going on. So by the time I do get thrown into the PCI maelstrom, I can at least orient myself quickly. Kinda like webappsec blogs. I don’t do any web app coding for my job right now, but I certainly want to be familiar with the topic.

home entertainment project, planning stages

I’m just posting quick about a pet project of mine that is still just in the planning stages and likely won’t be done until later this year at the earliest. I’d like to develop and complete a more robust home entertainment system than I currently have.

I watch movies. I listen to music (cd and mp3). But I do not watch TV, and thus also do not record shows. In fact, despite owning a plasma TV, I have not watched a television show or had it even set up with television in about 10 months. I do game, although I own none of the latest generation of consoles. I’m looking to buy into that hobby again soon. I don’t typically download movies or rip them from existing media, but I am looking into doing that. There are many movies I’d love to have on hand, but wouldn’t really ever pay for. Netflix is as far as I would go there, and I wouldn’t mind ripping Netflix movies to digital media, or even copying them with a DVD burner (although I have little experience in that).

FurryGoat pointed me to the Infrant ReadyNAS device which I think is awesome. An alternative might be using FreeNAS, which could be a good project itself. This could act as a media repository, which is something I would certainly need.

I plan to purchase an X-Box 360, at a minimum, so I would stick to that for my DVD/media playing needs. I think I might need to get a Vista box for my Media Center, but I’m not terribly keen on that idea. I don’t really have a powerful enough system right now to run Vista well, although I do have some basic parts for a good base (motherboard and CPU that are good workhorses, but bad for gaming).

Any ideas, feel free to post, but otherwise this is just a planning post for me. I think I would be best served looking into getting into DVD ripping and burning, grab a console machine, and also get a storage NAS set up.

email anonymity notes

I tend to cloak myself in layers of anonymity in my professional online life. Mailing lists are not an exception. In fact, I try my best to participate on mailing lists in a way that does not disclose the company I work for, for various reasons (whether I stick to my other name or move back to LonerVamp, I’m still debating). I see other people do the same, and sometimes they use some wacky (and creative) pseudonyms that hearken back to hacker days of old when handles were used more often than real names. They also typically come from email accounts at Gmail, Hotmail, or Yahoo.

To anyone who uses such accounts, be aware that how you use them may determine just how anonymous you remain. Using the webmail interface for each account is pretty secure when it comes to what the mailing list can see. However, if you do your email on a mail client and then POP3/SMTP up to the service, you may be revealing your home IP address in the mail headers. I am not sure if Gmail reveals this information, but I do know Hotmail reveals this. I encourage people to test such functionality well in advance, rather than blindly trusting their security and anonymity.

Or, if the mailing list supports it, submit your replies via a web form. I know SecurityFocus has web-based submissions to its mailing lists if you so prefer. I actually prefer that method.
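The test suggested above, as an added example that is not part of the original post: send a message to yourself, save the raw source, and check whether the earliest Received hop (or an X-Originating-IP header) records your client's address. The two sample messages, hostnames and addresses below are constructed; the mail providers' real header layouts vary.

```python
"""Check a saved raw message for a submitting client's IP in its headers.

Added example, not from the original post. Sample messages are constructed.
"""
import email
import ipaddress
import re

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Only RFC 1918, loopback and link-local ranges count as internal here;
# the RFC 5737 documentation ranges in the samples stand in for public IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed: sent from a desktop client over authenticated SMTP; the
# provider's first Received line records the submitting client's address.
VIA_CLIENT = """\
Received: from mx.list.example (mx.list.example [203.0.113.20])
\tby lists.example.org with ESMTP; Mon, 15 Jan 2007 10:02:11 -0600
Received: from home-pc (cpe-198-51-100-77.isp.example [198.51.100.77])
\tby smtp.mailprovider.example with ESMTPA; Mon, 15 Jan 2007 10:02:05 -0600
From: handle@mailprovider.example
To: list@lists.example.org
Subject: test

body
"""

# Constructed: composed in the provider's web interface; the first hop is the
# provider's internal web front end, so no client address appears.
VIA_WEBMAIL = """\
Received: from mx.list.example (mx.list.example [203.0.113.20])
\tby lists.example.org with ESMTP; Mon, 15 Jan 2007 10:05:40 -0600
Received: by 10.4.0.9 with HTTP; Mon, 15 Jan 2007 10:05:33 -0600
From: handle@mailprovider.example
To: list@lists.example.org
Subject: test

body
"""


def received_hops(raw):
    """Received headers earliest-first (each relay prepends, so reverse)."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def routable_ips(text):
    """IPv4 addresses in text that are not in the internal ranges above."""
    found = []
    for m in IP_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.append(str(ip))
    return found


def leaked_client_ip(raw):
    """Return the client IP the headers expose, or None if nothing is exposed.

    Checks X-Originating-IP first (some providers add it), then the earliest
    Received hop.  A first hop of the form "by ... with HTTP" is the webmail
    front end itself, not a submitting client.
    """
    msg = email.message_from_string(raw)
    for value in msg.get_all("X-Originating-IP") or []:
        ips = routable_ips(value)
        if ips:
            return ips[0]
    hops = received_hops(raw)
    if not hops:
        return None
    first = hops[0]
    if re.match(r"\s*by\b", first):
        return None
    ips = routable_ips(first)
    return ips[0] if ips else None


if __name__ == "__main__":
    for label, raw in (("client", VIA_CLIENT), ("webmail", VIA_WEBMAIL)):
        print(label, "->", leaked_client_ip(raw))
```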

backtrack install

BackTrack 2 is maybe my favorite livecd, largely due to being security/pen-testing oriented. I have an older laptop which doesn’t do so well with 128MB RAM when running a livecd. So, I’ve permanently installed BackTrack on this laptop (which I’m using for this update right now). Here are my steps (very abbreviated) on doing this. I largely followed this tutorial with minor adjustments.

I had to transplant the HD into another laptop that had enough RAM to properly load the livecd. After that, I booted up into BackTrack and logged in as root. Then:

fdisk /dev/hda (partition the whole disk, not the hda1 partition)
d (since this is an existing drive, have to delete the first partition first)
1
n (now I want to make new partitions)
p (partition)
1
[enter]
+100M (100M boot partition)
n
p
2
[enter]
+512M (512MB swap)
n
p
3
[enter]
[enter] (will use the rest of the disk for this partition)
a
1
t
2
82 (the code for a Linux Swap)
p (one last print to make sure it all looks good, we can still back out to this point)
w (write!)

Then I went graphical with startx and followed the rest of the steps in the doc. After transplanting the drive back into my older laptop here, I was able to boot into BackTrack quite nicely (and fast compared to cd, even on this old hardware!). From here, I needed to get my wireless going. I started up K->Internet->KWifiManager which then got my Orinoco card going. I then opened a terminal:

iwconfig eth0 essid home key 7027…F9F5 (my wireless network and WEP key)
dhcpcd eth0
ifconfig (to verify I have a proper IP)
ping www.google.com

is technology costing too much?

I really should have put this in my 2007 predictions, but I guess it might be a prediction that spans a few more years. But this year is going to mark a tough year for IT managers due to the ongoing cost of IT operations. Often, upper management thinks that a project will be planned, budgeted, completed, and then they all move on. Sadly, most IT projects require ongoing maintenance, monthly costs, and people to maintain them. Too many senior managers don’t get that, and it is those same senior managers who won’t ever “get” security either: you don’t achieve it, clap yourself on the back, and stamp it Project Closed.

IT costs a shitload of money over the years, and management is starting to or will start to feel that slow attrition. Security costs a ton and is only going to get bigger as regulations keep edging forward. Windows Vista is out now, which is going to put pressure on companies that pay licensing fees to upgrade, and on hardware upgrades to prepare for it. Not only that, but companies with licensing contracts with Microsoft will start to wonder why they spend that money in the first place. Is Vista worth the last 5 years of software assurance? What about SQL licensing? If a company had that assurance contract the last 3 years, you have absolutely nothing to show for it. You want a disaster site and other business continuity plans? You’ll be shelling out monthly fees for that. Mobility is needed by the workforce? Good luck not spending money to secure those devices or provide for mobile needs. Also, mobile devices tend to cost more to get the same performance as a desktop machine, and their lifecycle is shorter.

IT is a huge impact on business these days. Not only can I not imagine business without IT (say, 20 years ago), but I can’t imagine how we spend so much money on it today. It is no wonder MSSPs and other outsourced IT services providers are feeling the love as businesses get sick of the constant IT drain and start to let others handle it (for better or worse).

This is why I still prefer to focus on the basics in my career. Focus on doing what needs done on the lowest levels. Use the open source and free tools, know how to do things without the fancy and expensive appliances and servers. If you know the basics and low level foo, you’ll be able to pick up on the luxury appliances and tools you’re allowed to spend money on, just fine when you get them.

some goings-on around here: new sites, changed sites, fewer sites

If you’re not watching the toolswatch feed from Security-Database, you’re missing out on one of the better notification methods for new security tools. I love it!

The folks at nCircle have expanded their blog to more people and this has resulted in lots more posts lately. Good stuff!

It is with much sadness that I am removing a few cherished links from the side. The PacketSniffers were an awesome video cast team from Ohio that posted a series of excellent (albeit more electronics-heavy) video casts back in 2005. Sadly, they have not had any in some time. Seems they have maybe moved on from that endeavor. Also, shortly before LURHQ was purchased, they started this excellent vidcast called “The Hookup.” This was very promising, but never progressed past 4 episodes. I think there is still room in the security sphere for a short show like that, kinda like hak5 and others, only shorter and more focused.

Unfortunately, a work-related demand to cease blogging about technology has caused Securosis to become more personal and less technical. It’s a shame, too, since the blog was excellent. For some reason, the latest post doesn’t look reflected on the front page…so maybe it is still sorta there. Either way, if it is, I’ll re-add it later. Tenable Security’s blog, while really cool and interesting, is mostly useless to anyone that does not use their commercial product. If I used that product, this blog would be a must-read whenever it is updated. Otherwise, I can just learn by reading and possibly gain insight into Nessus, but the useless content (to me) outweighs the good. I’m also removing Jesper Johansson’s blog mostly because, well, I don’t read it. And lastly, while I read the updates and the podcast is ok, I really don’t care to read Alan Shimel’s blog daily anymore. This has been building, but mostly just because I’m not an analyst, I’m in the trenches. And reading what an analyst says really doesn’t do me any good at all. Besides, I can follow along on other blogs and get the same effect, or get pointed to his occasional excellent posts from elsewhere. I’ll still listen to the podcast now and then, though.

ftp audits

IT Audit has an article on 11 steps to an effective FTP audit. I like this article, and it gives some good steps to auditing FTP activity; however, I think it misses a few things. While many people are likely already wondering why FTP should be so large-looking a project for such an old and probably under-utilized technology, it is still important, especially if this is a publicly open route into your network. Here are some steps I would add.

A. Audit user accounts and activity – Find out where user accounts are tracked and how expired accounts are handled. Do they linger for years and years without activity? Are client accounts even for active clients anymore? Once this audit is done, keep that list handy so that FTP admins can refer to it later and build upon it so that accounts are removed as needed and existing accounts are tracked. If an account has no activity in 4 years, raise questions on its continued need. I really like the rest of the author’s monitoring suggestions. Even if there is seemingly no value in knowing who consistently is the largest transferrer of files, it becomes more important when that consistency is broken one month and some other otherwise quiet account suddenly becomes very active. As part of the account audit, be sure to verify that FTP account access is limited only to their slice of the FTP server, and not overlapping other accounts or able to access other shared spaces. Twenty vendor accounts for 20 vendors that all dump into the same folder is a big risk. Try to also identify shared accounts or those accounts used by just one person, and identify the impact of regularly changing the passwords. Keep in mind that even legitimate users might use the FTP location for malicious reasons such as storing movies or games or other copyrighted property.

B. Recommend granular firewall policies for FTP account access – Whenever possible, require clients, vendors, and FTP users to provide their external IP or IP block to be included in access to the FTP server. It is better to only allow 1,000 IPs access to the FTP server through the firewall than to have all IPs allowed through. It has been my experience that most companies are amenable to providing this information when pressed.

C. Evaluate the patching and security state of the FTP server – Determine the FTP server in use and the version, then research any known vulnerabilities in the server. Recommend patching policy, someone to track patch availability ongoing, and perhaps recommend more secure FTP server solutions. Utilizing an old, insecure version of something like WarFTP or IIS5 should not be very acceptable.

D. Recommend including firewall logs of port 21 access in the audit – It could be beneficial for finding rogue or new FTP servers to include checking firewall logs for successful incoming port 21 occurrences outside the scope of known FTP servers.

FTP servers are still a necessary evil in many corporate environments, and far too many admins put them up, add new users per corporate requests, but otherwise don’t consider them with much more interest. As one of likely only a few inroads into your network, FTP servers should be taken as seriously as web and mail servers. The last thing you want to do is find out someone has been using one of your client’s accounts to store gigabytes of child pornography over the last 2 years…and be told about it by the client. And even if more secured file transfer options are utilized, such as SFTP or even SSH, most of these guidelines still apply.
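Two of the added audit steps above in working form (step A's dormant, shared and suddenly-active account checks, and step D's search of firewall logs for accepted inbound port 21 connections to hosts that are not known FTP servers). This is an added example, not from the original post or the IT Audit article; the account inventory, transfer volumes and iptables-style log lines are constructed, and the `[FW-ACCEPT]`/`[FW-DROP]` prefix is an assumed log-prefix convention.

```python
"""FTP audit helpers for account review and rogue-server detection.

Added example, not from the original post. All data below is constructed.
"""
import re
from datetime import date
from statistics import median

AUDIT_DATE = date(2007, 1, 15)

# Constructed account inventory: name -> (last login, people who use it).
ACCOUNTS = {
    "acme_vendor": (date(2002, 11, 3), ["acme"]),
    "ftp_shared": (date(2007, 1, 10), ["alice", "bob", "carol"]),
    "clientx": (date(2006, 12, 28), ["clientx"]),
}

# Constructed monthly upload volume in MB per account, oldest month first.
MONTHLY_MB = {
    "acme_vendor": [0, 0, 0, 0, 0, 0],
    "ftp_shared": [1200, 1150, 1300, 1250, 1100, 1280],
    "clientx": [30, 25, 40, 35, 20, 900],  # quiet account suddenly busy
}

KNOWN_FTP_SERVERS = {"192.0.2.10"}

# Constructed iptables-style LOG lines; the bracketed prefix is an assumed
# convention for recording the rule's verdict, not a fixed iptables field.
FIREWALL_LOG = """\
Jan 15 03:12:44 fw kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21 SYN
Jan 15 03:13:01 fw kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.44 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 15 03:13:09 fw kernel: [FW-DROP] IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.45 PROTO=TCP SPT=40002 DPT=21 SYN
Jan 15 03:14:30 fw kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP SPT=51300 DPT=80 SYN
Jan 15 03:15:02 fw kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.44 PROTO=TCP SPT=40005 DPT=21 ACK
"""

LOG_RE = re.compile(
    r"\[(?P<action>FW-\w+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) (?P<flags>\S+)")


def dormant_accounts(accounts, today, max_years=4):
    """Step A: accounts with no login in more than max_years."""
    return sorted(name for name, (last, _) in accounts.items()
                  if (today - last).days > max_years * 365)


def shared_accounts(accounts):
    """Step A: accounts used by more than one person (password rotation impact)."""
    return sorted(name for name, (_, users) in accounts.items() if len(users) > 1)


def volume_spikes(monthly, factor=5.0):
    """Step A: accounts whose latest month exceeds factor x their prior median."""
    spikes = {}
    for name, series in monthly.items():
        *history, latest = series
        baseline = max(median(history), 1)  # avoid dividing a zero baseline
        if latest > factor * baseline:
            spikes[name] = latest
    return spikes


def rogue_ftp_servers(log_text, known):
    """Step D: destinations of accepted inbound SYNs to TCP/21 not in known.

    Returns {destination: {source, ...}} so each hit can be followed up.
    """
    rogue = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "FW-ACCEPT":
            continue
        if m["dpt"] != "21" or m["flags"] != "SYN":
            continue
        if m["dst"] not in known:
            rogue.setdefault(m["dst"], set()).add(m["src"])
    return rogue


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS, AUDIT_DATE))
    print("shared:", shared_accounts(ACCOUNTS))
    print("spikes:", volume_spikes(MONTHLY_MB))
    print("rogue FTP:", rogue_ftp_servers(FIREWALL_LOG, KNOWN_FTP_SERVERS))
```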

skype is still knocking on the corporate doors

I found a Skype article from CNET posted over at InfoSecPlace and nCircle, and as usual with Skype, I have strong opinions about it. It seems Skype is looking to “partner” with some security companies to provide some additional functionality like “provide add-ons to its software to scan text sent through Skype’s chat feature for malicious links.”

Ugh. Let’s build the frustration just a bit more and quote the article again, “Skype has caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks.”

Ugh, again. First of all, let’s get this popular media misconception out of the way. Skype is not my biggest concern because it can find new ways to make a connection to the Internet. Please. If Skype is not a welcome product in a company, this can be circumvented with policy, software/OS restrictions, and even on the network by blocking the sites that Skype initially contacts for logon. Unless they changed in the last year, you couldn’t necessarily block authenticated users, but you could easily block the logon process and prevent people from using the system. Not only that, but this is not a “new” headache for admins. Malware has been doing this for a long time…

Second, Skype’s problem in the corporate space is not that suspicious links can be sent over the service. Skype’s problem is meeting regulations that require Instant Messaging to be logged and/or loggable. And Skype falls into the grey area between phone usage and digital IMing: digital phone calls. I think there is still debate on whether Skype calls need to be monitored as well. Skype needs to deal with that issue before it should spend any more money trying to enter more than just the SOHO corporate space.

Third, Skype has the annoying habit of making outbound connections…everywhere. Anyone who sometimes (or regularly) looks at outbound connections on firewalls for anything suspicious will know that almost every Skype connection seems suspicious. Skype raises the false positive rate so much that it pretty much kills that sort of monitoring. This doesn’t kill Skype, but it certainly is a factor in saying no to it in a corporate network.

Fourth, Skype needs to look into making a standalone product. They might be able to have a closed IM solution for a corporation that is not open to the public, and still provide decoding capabilities only to that company. Another widespread corporate requirement is the IM network not being publicly accessible. Again, this won’t kill Skype, but is another black mark.

Fifth, Andrew at nCircle mentions, rightly, that it also should be centrally managed and configured. Again, if Skype wants to break into anything beyond SOHO markets, they need to provide management for the staff. This is important enough to be a possible deal-breaker as well.

Skype is awesome at home and for SOHO use. It saves money, is easy to use, provides good security for the mobile crowd (for now, until the encryption is broken or other MITM attacks might arise), and tends to make employees happy; and one of the things I will thump loudly about: happy users means productive users. I hate having to sport an anti-Skype opinion in the corporate space, but the program itself forces me to be able to take either side, passionately, depending on the corporate environment (i.e. HR, senior management, and regulations).

the dark underbelly of carding

Wired.com occasionally has stories of such depth and quality that I am amazed I don’t regularly read the mag (I did back in the day about 6 years ago, but drifted away). This is one of those stories about the dark underbelly of illegal credit card and identity dealing and investigations into them. Definitely a must read. Part 1, Part 2, Part 2.5 and Part 3 (I don’t understand the sequencing, honestly…)

anti-virus is not dead!

I hate hearing things like Anti-Virus is dead or IDS is dead. If they’re still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 parity), is a noble effort, but as a paper about a “new” method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can’t convince me anti-virus is dead (even as I don’t typically use any at home because I consider myself slightly educated in technical areas).

Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.

So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.

From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I’m not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops lead to…

…From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that’s not true. There’s even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, “No! You idiot!” The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don’t buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.

Ok, end rant, time to go home!