A plethora of links on the just-released SSL news

Computer Forensics & Incident Response (demo)

Computer Forensics & Incident Response (explanation)

SANS, link 1

SANS, link 2

Security Fix

ZeroDay, link 1

ZeroDay, link 2

edit to add a new link:
I found this one off Slashdot, good article.

SQL Server scans

A new lesson learned. At least, I'm filing it that way so I can jog my memory for future testing engagements.

We tested at a client the other week that claimed to have one Oracle database, running on top of a Windows 2003 server. It turns out that they had another Oracle database, sitting on a Solaris machine. (The IT department didn't know about the database because they didn't administer the machine....a whole other issue.) That wasn't such a big deal, as we had the scripts to test the database with us. However, while a co-worker was interviewing the DBA, he happened to see a MS SQL Server instance on the DBA's monitor. When we got back to the office, I poured through the vulnerability scans looking for a sql server. I found five. Three instances were found on client XP workstations. And, if I had to guess, those instances probably came bundled with specific software that was installed. A whole other issue for these networks. However, I found two instances residing in the data center on servers located there. Knowing this client, I think they were just forgotten, or not included because the databases were not part of a web application. But, they definitely should have been scanned, and it was noted in our initial documentation.

So, after each testing engagement, I'm searching the vulnerability scans for SQL Servers (of any type, for databases not mentioned to us;) both in the datacenter and on the client LAN. And, I'll probably do this early, so we can scan/test the databases the next day.

Not again

Unbelievable.

And another article.

I really didn't expect to hear of this again.

I had to laugh

A great Dilbert cartoon.

All testing will be much more stringent now

When testing a site, we either are testing with the intent of writing an initial security assessment report; or, final testing to complete a DIACAP package. For one of my first engagements, we were testing for an initial assessment. So, we grab data from a representative sample of like machines. However, just this week, most likely due to external politics that I am not privy to, the decision was to create a final DIACAP package from the data collected. Obviously, the customer is not going to get the best picture of their security posture. And, there are highly important issues that will get reported instead of fixed with an initial security report.

It's been highly frustrating for me, to say the least.

However, the lesson learned is that from now on, I will test every system as if I am testing for a final DIACAP package, even if the outcome is an initial report.

When to perform the interview during an accreditation

Normally, when accrediting a system, there is a team of us security warriors; probably performing a myriad of tasks. The interview of the Sys Admins occurs when any one of us has a spare hour or two to ask the "non-technical" questions and go over documentation and process. However, for the engagement I am currently working, my partner suggested to our client that we perform the interview FIRST in order to get the interview (and pain) out of the way and allow us to test the systems during the rest of the engagement.

One lesson I think I've learned from this move: By performing the interview FIRST, we find some issues/areas where we may want to take a closer look. The customer may have inadvertently said something that gives us reason to look at a particular issue. Or, they may say something that leads to a finding we might never have found. And, if the interview is conducted late in the engagement, there might not be time to further investigate.

I'll know soon enough, as we cast our eye about the network and systems starting tomorrow.

Microsoft IE and the out-of-bound-patch

By now, the news has made it's rounds that Microsoft is releasing an out-of-bound patch for the zero-day exploit regarding IE. What I find interesting is....with so many people/news outlets/blogs/etc suggesting to switch browsers AWAY from IE, it seems MS was forced into pushing a patch out early. If the exploit did not impact IE, would the patch come so quick?

Just musing....

Be extremely detailed when taking notes

Another lesson learned here. I'm going through notes that I took on some of the systems we worked on. And, I'm finding that my notes are not as detailed as I would have liked. For example, I wrote at one point: "starting SRR script on first Solaris machine." However, it would have been better if I documented the full version number of the operating system.

Going forward, I want to try to remember to write down: machine name, IP address, OS, and version number, and specifically what is being done.

Retina and scanning network sizes

I just got back from my latest testing engagement. Overall, it was a good trip. The site was not as prepared for our testing as they thought they were. And, as such, they were not as happy with our results. Suffice to say, they have some work to do. However, it seems that the team hasn't been together that long, so there is much upside, and I'm sure they'll come together.

And again, for the second straight trip, this organization had "problem children" that seemed to flaunt the fact that they were not going to play by the established rules. Of course, it will all come out in the documentation.

The lesson learned from this trip: break up the Retina network scanning of clients into subnets. There are over 500 hosts in my .rdt file. It's my fault, I let the IASO perform the scan (although I was watching over his shoulder.) But, that file is huge. And it's impossible to load into Retina. It takes forever to load and produce reports. Besides the size advantage, scanning by subnet will aid in keeping the files manageable.

I have another trip scheduled in two weeks, so I'll get to put it all into practice.

Zone Alarm Update

I just downloaded and upgraded Zone Alarm. There was a pop-up on the screen that said Zone Alarm had fixed a security hole. It looks like I've been updated to: version 8.0.065.000, TrueVector 8.0.065.000, and Driver version 8.0.065.000. So far the biggest difference I've seen is cosmetic.

SANS Forensics blog and hidden processes

I just discovered a new blog (to me). sansforensics.wordpress.com is a great blog, from SANS, dealing with forensics. And, this post is just to jog my memory as to where to find a post on live-system memory forensics.

Here's their post on finding hidden processes.

MS08-067

In testing today, we found some servers that had some massive vulnerabilities on them. Severe enough that the organization would NOT get accreditation because of the vulnerabilities. One of the main vulnerabilities that we saw popping up were servers that were not patched for MS08-067. And just today I see a report on worms exploiting the patch. A link dump from SANS:

http://www.theregister.co.uk/2008/11/26/conficker_attacks_windows/s
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121660&source=rss_topic17s
http://news.cnet.com/8301-1009_3-10109080-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.securityfocus.com/brief/862
http://www.heise-online.co.uk/security/Windows-worm-infection-accelerates--/news/112077
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958&source=rss_topic17
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspxs

The AutoRun issue

I'm in San Antonio, getting ready for a testing engagement. While the flight in was a little bumpier than I would like, it was great landing in sunny and warm(er) weather. I spent about an hour at the Alamo, and I wish I could have spent more time there. Very interesting; and I admit, I remember reading about it in high school, but I really didn't know the story.

Anyway, I'm listing a couple of links regarding the AutoRuns situation. (Mostly because I'm exhausted and I really need some sleep...I need to re-read these articles.)

ThreatExpert has a post on Agent.btz and the Pentagon

ZeroDay has two posts on the issue:
- a post on affected systems in Afghanistan
- a guest post with a little historical perspective

LA Times article

Upgrade to Hardy....lost Kismet

Well, I've found a casualty since upgrading the laptop to Hardy (8.04.) I can't get Kismet to work. I'm getting a fatal error, and Kismet dies; so I know what I'm doing while the turkey cooks tomorrow. When I figure it out, I'll post up what I find out.

The Next Trip

I'm off to San Antonio next week, first thing Monday morning. I've never been to Texas, so this should be fun. It's a rather large assignment, and there are only two of us on the team. I'm a little surprised about that. I'm not happy about having to do all of the documentation, but after going through the process from the last trip, I've learned a lot. I just went through this prior post to make sure I did not forget anything this time. And, I'm as prepared as I think I can be.

I'm hoping for some good weather, and a good client, so that all runs smoothly.

Thanksgiving Incident Response

This is one of my favorite links that the ISC has published. It's that time of year again, and many of us security warriors will be visiting family and friends over the holiday. Of course, we'll get asked by many of these people to "just take a look at this small problem." You know how it goes.

The post mentions the good tools to that can be burned to a disc or copied to a usb drive such that you can bring it with you. The article was published last year (2007) so it could probably be updated, but it's a great foundation.

Have a great holiday. And hopefully you won't be staring at a monitor of a problematic machine for much of the day.

The DoD's new USB policy

This news was rampant on Friday, but I'm just getting around to posting a thought about it. If you did not hear, the DoD is prohibiting USB drives (connections?) on all DoD machines. Apparently, they are fighting a worm/malware issues that may have been exasperated by the auto-run feature of many usb drives. I agree, it's probably NOT a bad policy to have. When I was working for a company, I wish I could have enacted policy like that. It would have cut down on the headaches.

However, my question is, can't the anti-virus software be configured to scan any USB connection to the computer? Wouldn't that help in the fight? I'm pretty certain that all DoD machines are required to have AV software installed and running. Wouldn't that help mitigate the risk.

FIPS SP800-61

The FIPS document for incident handling.

New Album!!!

Woohoo!

Here's the official press release.

Incident Response Checklists

Lenny, at the SANS Internet Storm Center put together some really good cheat sheets. I'm linking them up here so I don't forget where they are. Also, from his site, he links to other cheat sheets. I printed off two sheets on a heavier card stock when I took the GCIH class, and they are firmly tucked away in the jump bag.

Without further ado:
Lenny's sheets - and there are links on the left to print them out
SANS Windows cheat sheet
SANS Linux cheat sheet
Checking Windows for Signs of a Compromise
Checking Linux for Signs of a Compromise

As I mentioned before, I have the SANS' sheets printed on card stock. They work perfectly. If there are other sheets that are worth linking to, let me know. I know SANS is putting together more cheat sheets and they have a call out for ideas.

Helix v2 - and the new Bruce tune..."Working On A Dream"

I'm sure it is WAY old news, but I just discovered that there is a new version of Helix out there. First, on Friday, my office-mate asked me about computer forensics. Now, I'm not a forensics guru by any stretch of the imagination. However, I mentioned that I had used Helix in both IR and a CF situations. Later, we were trying to find rpm based live CD distributions. I found a list here. However, I did not see Helix listed. So, I quickly surfed over to Heilix's site and discovered that there is a new version out. Woo-hoo...so I have something to play with. And to answer my question, Helix is based on Ubuntu.

I heard the new studio version of "Working On A Dream" while watching Sunday Night Football. While I like the new tune, I was disappointed that they only played about 15 seconds worth of the song. NBC made it sound like we were getting the whole song prior to half time. And yes, I've heard the acoustic version as performed at he Obama rally.

AVG antivirus reporting a false positive

I recommend AVG Anti-virus to many of my clients due to its ease of use and the fact that it does not cost. As such, I thought it would be prudent to echo the news that was just reported. AVG is announcing that it's latest virus signature database erroneously tagged C:\\Windows\System32\user32.dll as suspect. The file is not suspect, and should not be removed.

Just a heads up.

Apt Get HowTo - a mental note

So that I don't lose it, I'm posting a link for an apt-get HowTo page. I can never remember the commands.

SANS Cyber Security Month - Summary and Links

SANS has been running a program where they have collected tips for the various phases of incident response for the past month. I have seen a lot of great tips submitted on the different days. In order to remember where the wrap-up post is, I am posting this link.

Enjoy.

Oops - better upgrade Ubuntu

Last night I was using my laptop when it dawned on my that I hadn't received any security updates in a while. I think I was running 7.04, but I really can't remember; I know I had a 7.04 cd on the computer desk. Anyway, I decided to upgrade to the next release up (not the newest.) This site gave me all the info I needed. (And, according to the article, it looks like 7.04 reached end of life on October 19th. Which would explain why I had not seen any updates.)

And it went smoothly. It took a little longer than I thought, but otherwise, the upgrade went well. The only issue I found was that Thunderbird would not open after the install; I was getting a path error. I ran "whereis mozilla-thunderbird" and was going to use that path in my applet launcher. However, I mistakenly removed Thunderbird from the panel. I re-added the application, and presto, it worked like a charm. So, note to self, any app that does not work after the install: remove and add the icon to the panel first (before further troubleshooting.)

My plan is to upgrade to 8.04 next so that I'm on the latest stable version. I'll move to 8.10, but I want to wait for the bugs and kinks to be worked out.

Some lessons learned from my last trip

I just got back from my latest testing trip and I've come up with a small list of things that I learned from the trip. For this trip, there were a couple of items I didn't bring, and need to remember for future trips.

Wire-bound notebook - I brought my planner, and figured that would be enough. A) The planner is just too big to carry around. B) I was carrying around more than I needed. C) A notebook will be great as I can date the pages (and number them) for each testing engagement. D) The notebook will be smaller (and lighter) than the planner.

Site Physical Security Checklist - While this is loaded on our test laptops, there was no easy way (in this particular case) to get access to a printer. I need to remember to print this out ahead of time so I can use it on site.

Notebook mouse - wired or wireless, doesn't matter. My wrists were killing me after using that pointer above the B. And the touchpads were horrible. A USB travel mouse will go along way.

Hacking Wired Keyboards

I first saw a blog on this yesterday, and didn't take the time to read it. It wasn't until I saw the video that I was amazed.

The Zero Day blog had the scoop.

And a video here.

Compromising Electromagnetic Emanations of Keyboards
Uploaded by pace303

Richard's write-up of SANS' WhatWorks in Incident Response and Forensic Solutions Summit

Richard Bejtlich wrote up his notes from the Incident Response and Forensic Solutions Summit. They can be read here.

Hopefully, the conference in July near DC takes place so I can attend.

FIOS set top box download

Our dog isn't doing well. He's pretty old, and his age has started to catch up with him. So, when he gets up to walk around at night, I usually wake up. Mostly to make sure that he is ok. Unfortunately, I'm becoming a lighter sleeper than I used to be. Anyway, last night at around 4:00 a.m., I hear the set top box to the TV in our bedroom turn on. Then, I hear the box in the living room turn on. I went out to the living room and saw "DL" on the box, and a line going around in a circle next to it.

My best guess was that Verizon was pushing out either a software or firmware update to the boxes. It only lasted a minute or two, and the boxes turned on and off a couple times at the end. It probably would have been nice to know the activity was planned.

I still love the Fios service, I just think some communication would have been nice.

The next assignment

It looks like my next assignment has been handed out. I'll be part of a team testing a lan for a research hospital. The lan is pretty big so four of us are being sent.
I'm already looking forward to it, though we will be away for a full week the last week in October.

Forensics conference update

Not so much an update by me, I could not attend. Though it was killing me not to be there.

Harlan has a write up on his blog on his thoughts of the conference. He mentions in his post that the next Forensics conference is slated for July 2009. Time to start saving those nickles and banking the vacation time.

And, while I'm at it, I can't remember where I saw it, but SANS set up a site dedicated to forensics. I just quickly went through it, I've bookmarked it so that I can dig deeper when I have a few free minutes of time.

In-House Testing Class

The last two days were spent in an in-house testing class; which I thought was really well done. And, I thought it made more sense after having been out testing once. I think it might be tougher to get a good feel for what's expected if you haven't been out. Some of the modules were less meaningful, but that's probably because the material was familiar due to a project management background. The tools modules were awesome though.
Retina
Gold Disks
Nessus
our home grown tools
AppDetective
WebInspect
the Linux/unix SRR scripts
Kismet

Plus, we went over what makes a good physical security inspection. Probably the toughest part of the class was the module on document review: COOPs, ISSPs, IR Plans, HIPAA, etc. I'm itching to go back out again, and it looks like my wish will be granted at the end of the month.

SRR scripts for IOS

I'm pretty sure my next engagement will entail more than Microsoft products. I know there are scripts for databases and different flavors of *nix for testing the various components of a site. However, are there scripts or specific actions to be taken when testing Cisco routers? I have read through the Network Security checklist so I see the vulnerabilities to test for. I'm just wondering if there are pre-defined scripts for testing IOS.

Base Security

I just got back from my first testing engagement, and I'm still trying to organize my notes from everything that I learned. I went with an accomplished tester, and was able to learn many of the tricks of the field. Fortunately, the site we were at was not that big, nor were there many machines and servers to test. I think we had 10 servers to test, and 10% of the 70+ workstations. So, it wasn't that bad. Site physical security was pretty easy to test, as the grounds were relatively pretty small.

However, getting on the base was pretty interesting. When driving on, contractors were supposed to stay to the right and go through a special checkpoint. We missed that. We ended up in the regular truck checkpoint. We were greeted by an 'older' gentleman who asked to see our IDs. Upon showing them, he asked where we were going. He seemed entirely put out by the fact that we would have to turn around and go through the regular contractor checkpoint. So, he "cleared" us right there, and called ahead to the booth and told them we were clear. We drove up, they gave us our pass, and we drove off.

The next day, we followed the proper procedure.

Label Clarrification

I have two labels that are similar and I wanted to make a distinction.

I'll use the Information Assurance label when referring to the profession or industry.

I'll use the Information Assurance Engineer label when referring to specific tasks, etc.

Uninstalling Nero 7 on Vista and burning ISOs

In order to burn the Gold Disks, we download the .iso files. Great. However, on this version of Vista, I couldn't find a method to burn the .isos to CD. I could burn files (or, I guess music too) to CDs; but not .iso images. So, while at home, I found an old Nero cdrom that had come with a drive I had bough a while ago; and I installed it on Vista. I'm scheduled to go testing next week, so I thought I would burn a couple of copies of the Gold Disks to take with me. Lo and behold, Nero 7 doesn't work properly with Vista. It doesn't recognize the burner in the laptop. Great. However, a little Googling found a great post on a free Vista iso burner.

I downloaded it, and it works like a charm. I whole heartedly reccommend it.

So, I went to uninstall Nero 7. That didn't work. It appears that there's an error in the middle of the uninstall, and it stops the process. A little more Googling found another great post on how to uninstall Nero 7. A couple of things to point out:

• The article mentions downloading Nero 7 Ultimate Edition. When I went to perform this task, and follow the links, there was only a Nero 8.
• Download Nero 8 and install that.
• Keep following the directions and download and run the Nero Removal Tool
• Then, uninstall Nero 8.

Worked like a charm. Yes, there were a couple of reboots. But, I'm glad it's all worked out.

The General Public's Security Posture

I'm feeling like I made the right decision to take the full-time job and place my own company on the back burner. While I've marketed the heck out of the company, I haven't had a steady stream of clients coming in. I've tried print marketing, joining the Better Business Bureau, online marketing, brochures; all geared towards the target potential client. I've even gone so far as to teach a workshop on securing home pcs using free software (and general security safeguards.) So far, two of the classes have been canceled. And I suspect the third, scheduled for Saturday, will be as well.

I get clients, and most of them are word of mouth. The feeling I get is that people just don't care. People (and smaller businesses) don't want to worry about something that they don't think will happen to them. Or, they are above having an issue.

Sometimes, an acquaintance will say "I just got a new computer, how can I best protect myself?" And, after talking it over with them, discussing the vulnerabilities and threats, I might recommend X, Y, and Z. Or, try this, and this. I'll get a quick thanks. Then, three months later, I'll get a frantic call, "Ohmygosh, nothingworks, themachine'snotright, youhavetocomequickandhelpmeout!!!!!!" Of course, I go, and I ask "what happened with X, Y, and Z?" And the answer is invarirably, "I didn't have time," or "I didn't think it was that important."

And I think that's the beginning of the problem. People just don't care. So, I'm glad I've taken this full-time gig. The clients that pay us HAVE to meet a security baseline. They may not like our answers, but all they are doing is shooting the messanger.

Possible web security question solution

I've been suggesting this to my friends for a while. And, until a better solution comes along, I think it is a good start. I'm sure you can be pretty creative.

SANS What Works: Incident Response & Forensic Solutions

Here's a conference I would love to go to. SANS, as part of their Summit Series, What Works: Incident Response and Forensic Solutions. Unfortunately, I won't be able to attend due to work, but there's a veritable who's who in the field that's going to be there. And, I believe Richard Bejtlich from TaoSecurity is giving one of the keynotes.

Rob Lee, Drew Fahey, Bryan Sartin, Harlan Carvey, Cory Altheide, Wendi Rafferty & Ken Bradley, Ovie Carroll, Aaron Walters, Eoghan Casey, and Mike Poor & Tom Liston are secheduled to speak.

This is absolutely an event I would love to attend, and I really wish there was a DVD I could purchase of the weekend's talks.

Netstumbler doesn't work on Vista? No problem.

As I believe I've mentioned before, the laptop I'm using for work runs Vista; the Enterprise edition to be precise. I downloaded Netstumbler the other day, and found out that it doesn't work on Vista. (Of course, someone could have gotten it to work, but I haven't found any posts or pages on it.) In looking around, I found a good replacement. Vistsumbler. And, just in using it today, I've gotten great results.

Vista has a native command line version of Netstumbler. Sort of. I found out about in a SANS webcast. Ed Skoudis was talking about the activities at DefCon. At the end of the broadcast, he talked about some interesting projects he'd been working on, and he mentioned using Vista to natively war-drive. (Ed taught the SANS 504 class that I took. Highly, highly recommended.) A quick Google search turned up the following command:

netsh wlan show networks mode=bssid

I put that in a shortcut file and it worked great. I believe Viststumbler sits on top of that command and provides a graphical interface. Viststumbler also has GPS capabilities, but I haven't explored it. Running Viststumbler at home showed me a bunch more networks than I initially thought were around.

So, if you're looking for a good wireless discovery tool like Netstumbler for Vista, I recommend Vistumbler.

Sara Palin's email exploited

Catchy title, I know. It is all over the blogosphere, at least in the security circles. And those links I listed were just to the stories I read. I know there's more.

I'm not going to comment on the event as others have done a great job.

My thoughts are this: What has been Yahoo's response been to the relative ease with the ability for someone else to reset the password? I'm a Yahoo client, so to speak. One of my main email addresses is with Yahoo. I haven't received any PR from Yahoo, like they are going to change their reset strategy or something of the like. I'm really starting to think of using something else for my personal mail, and just let the junk, website registrations and confirmation emails go to Yahoo.

Security+....Not just yet

Well, I took the exam this morning. And I didn't pass. I'm still a little bent, as I've gone back and looked up some answers I'm pretty sure I got wrong. I didn't miss by much; and I learned a lot. First, I learned that I shouldn't rush this; I did not need to pass by a certain date. I was hoping to get a jump though, especially before I get real busy with work and travel. (And, I'm going to have to travel in two weeks, and I have some training next week. So, it won't be until the beginning of October that I try again.) Secondly, I'm getting a more up-to-date book. The book I used was excellent at filling in some of the gaps with information I was missing. However, there were questions on subjects more current than were in my book. I'm pretty sure that I got a lot of those questions right, but there were some I was not familiar with at all.

I really debated putting this post up. But, failure motivates me. And, I'll learn from it and move on.

On to the first assignment...

That didn't take long. It looks like I have my first testing trip coming up at the end of the month. In the meantime, I need to be brought up to speed on the actual processes for off-site testing. Who the contacts are. How to book flights/cars/hotels, etc. Procedures for on-site. Etc.

Yeah, I'm excited (and I'll be more-so after I pass Security+.) But, in the same vein, I'm a little nervous. It's the first assignment. And, I'll be by myself.

Almost out of the doldrums

I see the light at the end of the tunnel, I just hope it's not an oncoming train. I have my interim security clearance, and I finally got my CAC the other day. So now I can DO stuff. I've discovered that it is the end of the fiscal year, so a whole bunch of projects have started to come in, and, it's only a matter of time before I get out in the field and actually do anything.

At some point I need to start working with the tools that I'll be using in the field. I've used a bunch of the tools independently, but I need to learn the process for fieldwork. Over the last month, I've gotten a little acclimated to the documentation that needs to be produced; but not to the point where I can independently produce it.

For my level (Tech II,) I'm supposed to have Security+ certification (at a minimum.) Not only that, but my sponsor has a bunch of "Military Security"/information assurance classes I'm supposed to pass. Since I haven't had real "work" to do, I've spent the last two weeks working on my military classes. One of those classes is a Security+ review class. Because I've been so close to it for the past week or so, I decided to schedule an attempt at the Security+ exam for this week. So that's what I'm living, eating, sleeping, and breathing. I'll be glad when it's over.

You may have noticed, I dropped the pseudonym. I think at one time I had designs of reporting on the outrageous security consulting engagements I worked. A pseudonym would allow me to post anonymous details without compromising integrity and personal information. However, since I'm not doing that full time, I figure I'd drop the pseudonym.

Update on the IA laptop

I need to update a previous post with a couple of points:

1. The laptop has been fixed with regards to the MS updates. Apparently, the computer received the user GPOs, and not the computer GPOs. A call to tech support fixed that.

2. I asked about the Gold Disks and Vista. It seems that testing military computers that run Vista will be a manual process for the near future. As it is, I haven't come across any Vista systems yet.

Back with the Moto Q

Wow, it's been a while since I've published anything. I will try to keep the voids to a minimum.

I've been settling into the new 9-5 position; mostly waiting to get the various clearances. And what a job that is. I was granted Interim Security clearance, had an interview the other day, and found out that I should hear on the full clearance by the end of this month. I haven't been on any assignments yet, I've kept busy with busy-work, and taking the online classes that the Army mandates. Because of those classes, I may take the Security+ earlier than I anticipated.

I've blogged before about using the Moto Q. For a while, I had gotten away from it as I prefer a phone in the clam shell form factor. However, I went back to using the Q as it is much easier to text. I'm finding I still like it, but I'm running into a battery issue. It seems I'm getting less battery time than a couple of months ago.

And I just saw today on Wired's Gadget Lab blog a post on a new Blackberry. I'm not a Blackberry user, but I could become one with the new model.

Starting to study for Security+

As per DOS 8750, it looks like I'll need to get certified. I'm considered Technical II, so I need to get either Security +, SANS GSEC, SCNP, or SSCP. I last took the SANS GSEC in 2001, but in 2005 I did not recertify. Of course, in hindsight, I wish I had.

So, it's time to start studying for another exam. I had started studying for this exam a long time ago, but I put it aside when I prepared for the GCIH. It looks like it is back to the drawing board.

And, if I end up becoming a Technical III, I'll have to sit for the CISSP.

A little housekeeping

For those of you keeping score at home....

I updated my links section with the blogs I follow in Google Reader. Most of those blogs I read on a daily basis, an believe me; I've learned a TON from reading them. I encourage any reader to follow those blogs, as some they represent some of the brightest names in our field.

I'll try to keep the list current, as I discover more blogs.

Windows Vista - and Gold Disks

Two things.

Work got me a new laptop. It came in with XP Pro installed. As I was joining to the domain, the backup security officer mentioned that the IT steering committee decreed that all newly provisioned laptops are to have Vista (Enterprise) and Office 2007. So, it was back to the drawing board as I re-installed an OS and Office.

I must say, Vista (Enterprise) has run without any hiccups despite what I had previously read and experienced. I have a Vista machine down at my own office to run the accounting software for my own company. That machine is a Home Basic machine, and I think it runs like crap. But, my Vista Enterprise laptop has been running fine. The only issue I see so far is that the group policy for automatic updates does not seem to be working. I've run gpupdate to force the policy, but I still have the option to change the automatic update settings. And, I don't think that is correct.

Secondly, does anyone know if there are DISA Gold Disks that address Vista? Vista's been out for a while so I'm surprised not to see those disks. When I read the checklist for Vista, the checklist ONLY talks about reviewing a system manually. Is there a specific reason for that? Just wondering as I start to get into the new job.

Yahoo mail spam vs. Gmail mail spam

I've had a yahoo mail account for years, and it is what I use for my primary personal mail address. At one point, Yahoo was going through some growing pains, and I opened a Gmail account. I think I sent mail to four or five people before I realized it was a pain to have to check two email addresses just to read personal mail. So, I abandoned it. However, I check it from time to time, maybe once a week. The last time I checked it, I found 400+ spam messages. 400+. I barely used the account, and barely received much mail. I just don't understand why the account gets so much spam; especially since I never publicized the email address.

Either way, the spam looks like it might contain lots interesting messages to investigate. I'll have to send them to one of the work addresses for further analysis.

But, if anyone can shed some light as to why that account gets so much spam, I would love to hear it.

First Day

First days. Uggh. What a long day.

First up was the weekly status meeting. 40 people in the room, and the only person I knew was the Security Officer. Then I got a tour of the place and learned 40 new names. Slowly, but surely, I'll get all the names down.

Next up was the new-hire conference call. That's when I was ready to slit my wrists. The new hire package that was sent to my house gave me instructions on what to do. Yet, the HR person felt it was her duty to read the entire package back to us word-for-word. I really can't complain, though.

I received my loaner laptop at lunch time. And after that it was time to start working on the security clearance form.

And that was the rest of the first day.

At least tomorrow I'll have a computer to work with. As I understand it, there's not too much I can do until I get my clearance.

Springsteen induced zombiness

I would love to post something today, but I'm a walking (typing) zombie. Fortunately, I did not have a client scheduled for today. I had the good fortune to attend the Springsteen show last night at Giant's stadium. Phenomenal show, as always.

However, a tanker truck flipped over and spilled propane shutting down exit 16W on the turnpike and creating a traffic nightmare. I applaud the Springsteen camp for starting an extra hour later, especially as I didn't miss a note of the concert. (I got to my seat just at Summertime Blues was starting.)

However, the Meadowlands complex has serious parking issues; it took us over an hour just to get out of the parking deck. That's not good. Especially after paying $20 to park.

Catch the tour at a remaining venue if you can get the opportunity. It's worth it.

Information Security Attitude - Jekyll & Hyde

Normally, I'm a laid back, easy going, trusting, fun-loving guy. At least, I like to think I am. However, when it comes to computer/information security I'm sort of a Jekyll and Hyde. I turn into someone who is cynical, paranoid, and sometimes delusional. I almost never plug into an untrusted network for fear that my information is being sniffed. And I don't trust anyone or their networks. While I like the internet and like reading all kinds of blogs/stories/sports scores/etc, there's probably zero chance that I'm going to read those stories in an airport or coffee shop. I just don't know who else is watching/listening.

Andy has a great post on what he's overheard on his commute to work. And it got me thinking about the little pieces of information you can pick up, without trying. Cell phones are probably the greatest enabler.

Sure, I could not trust my home or office internet connection, or EVERY other server that my information traverses, but you have to start trusting somewhere.

How many BIG vulnerabilities will there be?

So far in 2008, there has been the Debian vulnerability with SSL Keys and the just recently publicized DNS flaw. There are two major conferences coming up (Black Hat and DefCon.) What's the next major flaw to be released/found? Or, how many flaws/vulnerabilities will pop up before 2008 is through?

In today's news, I see that HD Moore's site became a victim of the attack. I wonder where the responsibility lay? Is it AT&T and their server or an internal issue?

Also, I see that Oracle has released mitigation to a zero-day exploit that addresses a buffer overflow. For a company to release mitigation outside of their regular schedule means the vulnerability is pretty serious.

We're half way through the year. How many more "big ones" are coming? How swamped, as information security warriors, will we be?

New position in Information Assurance

It's been a while since I posted. And there has been at least one major security announcement (the DNS patch.) I've been pretty busy, but I found the time to patch the systems I administer to that they are not susceptible to the DNS vulnerability. I can't do anything about the upstream providers though.

Part of the reason I've been busy is that I've just accepted a position in information assurance. This kind of popped up out of nowhere. I saw the posting for the job on a Friday, I sent my resume, and was called on Monday. I interviewed later in the week, and was made an offer the next day.

Yeah, I'm a little nervous. My specialty has been in incident response and vulnerabilities. Now, I'm going to have switch focus a bit and learn about certifying systems to meet a specific standard. Sure, I'll be putting a lot of my knowledge to use, just not from the same point of view. The benefits are great. And, I'll most likely be getting a security clearance for the position, which to me, is a big intangible benefit.

I'm going to try to keep my company. There certainly isn't any conflict of interest as there is ZERO chance that any of the clients would overlap.

I don't start until the middle of August, so I'm off to really start learning about the governmental information assurance field.

Firefox 3 installed

I waited to read about Firefox 3 before installing it; and I never read of any problems. So, today I installed the new version. Firefox appears to run much faster than the 2.x versions I ran in the past. Accordingly, the task manager does not show Firefox using as much memory either.

So far, so good.

203-797-3222 What's up Scholastic?

203-797-3222 calls our phone a couple of times a day. From the research I've done, I gather this is Scholastic Inc. Now, I realize that companies that you have done business with are exempt from the Do Not Call list. And I know we had to call them once regarding one of our kid's book orders.

However, this number calls us at least twice a day. They never leave a message. And, if you pick up before the third ring, there is no answer and the line goes dead. It never seems to ring more than twice.

I've come to the conclusion that I'll just file a complaint with Do Not Call, and note the circumstances.

Who manages a system that way anyway? You would think that they want to talk to someone.

Zone Alarm fix for internet connectivity

This should have gone up yesterday. I took a look at the announcement on Zone Alarm's page. I followed the link for the Zone Alarm Basic firewall, and noticed that the version for download was 7.0.483.0, which was greater than what was installed on my machine. If you have performed one of the other suggestions (lower the slider to medium, or uninstalled the MS patch) you can follow these steps to put everything back to normal.
Download the new version from Zone Alarm's site.
Once downloaded, install.
Click on Upgrade.
Let it finish. Reboot.

When the machine is rebooted and everything is back to running fine, connect to the internet to make sure there are no lingering issues. Then, either move the sensitivity slider back to high, or wait for Automatic Updates to tell you to install the patch (if it's not done in the background.)

Loss of internet access using XP Pro and Zone Alarm

I woke up this morning and groggily turned on the computer. When I couldn't access the internet I started to really wake up and wonder what was going on. I checked all of the settings in Zone Alarm, and nothing really stood out at me. I hadn't changed anything, so I was puzzled what was amiss.

Then I remembered, I had downloaded and installed two updates from Microsofts auto-update last night. And I remember reading about a potential conflict with Zone Alarm products on computers running XP. Thankfully, I had a linux machine available so that I could surf to the solution.

Here is Zone Alarm's notice on the issue.

The only thing that (really) bothers me about the problem this morning is that I'm a registered customer of Zone Alarm. I really like and heavily endorse their products. When I am at a client's site, and they have no firewall protection, I immediately recommend Zone Alarm because of the things it does. After making the changes and thinking about the situation, I'm surprised that Zone Alarm didn't send a quick email to registered customers who checked off that they want to receive these kinds of notifications. I know I receive these notes.

Anyway, I was able to recover quickly. There are a couple of solutions:
1. Download and run the latests version of the firewall you're using.
2. Move the internet zone slider to Medium.
3. Uninstall the hotfix from Microsoft.

I performed option three, but I'm going upgrade the firewall, then re-install the hotfix.

Incident Response & Forensics & Intrusion Detection

I've been way under the weather the last couple of days. The only good thing is I've had the opportunity to finish reading "Network Intrusion Detection", third edition, by Stephen Northcutt and Judy Novak. I'll post a review soon, probably when the meds are done. The book was great, and it has prompted me to start working with NIDS in order to understand them better; while gaining some insight as to what is traversing the network.

However, as I was resting, I got to thinking. I really enjoy the incident response work. However, when read various security books (or take classes) I notice that there is much crossover between the incident response, intrusion detection and forensics disciplines. I think you can definitely make a career in just one of the disciplines. But, in my opinion, a good incident handler is made better if there is a packet capture available (and can be read and understood by the handler.) Also, forensic analysis may need to be performed once an incident has been declared. Similarly, an intrusion analyst is aided if they are familiar with attack signatures and patterns. Finally, forensic analysts may have to capture the data, which draws on the IR discipline.

This is nothing earth shattering, and is probably a common testament. However, after reading the book, and in the field, the revelation sort of hit me.

Who's using my lab?

Fortunately, I don't have anything of value in my lab.

I've mentioned before that the building my office is in is up for sale. My landlord calls me at least a day in advance when he needs to show the office. However, I've gone into my office a couple of times and found my monitor and dsl router powered on.

Understand this. I'm pretty anal about my office. Even when I go down to check mail/pay bills/check messages, I check the lab to make sure everything is off. Even if I didn't turn anything on.

I have no idea who would be turning it on, and supposedly, only the landlord has a key to the office.

Today, when I got down there, everything was ok. But, I adjusted the router's setting to turn off wireless as I don't use it. And, I hardened Vista by ensuring that logging was working properly. It doesn't appear that the Vista machine has been accessed, but now I want to know.

I guess the next step is to get a little camera.

Maybe this is (yet) another sign to get out of the office.

Credit Card scam telephone call

After getting a bunch of calls from The CI Institute, or whatever they go by, I stopped picking up the phone when the number did not display. Usually, these calls are identified by "Unknown Caller." However, for some reason, I picked one up today. Here was the conversation (one-sided, a recording....)

voice: Hello. This is your credit card company calling to let you know you can reduce your interest rate. Press 1 to speak with an operator....
me:

Maybe if I had more guts (or nothing better to do) I would have hit 1, and tried to deduce who it was. I mean, really. If they couldn't tell me my company's name or my account number, then you'd know, right? And if they did, then I would have had a problem. Anyway, I didn't want to go through with it. But, I wonder how many people do?

Wired quote on storage sizes

I thought this quote from Wired magazine interesting:

The Petabyte Age is different because more is different. Kilobytes were stored on floppy disks. Megabyites were stored on hard disks. Terabytes were stored in disk arrays. Petabytes are stored in the cloud.

I wonder what the next size up will be.

Verizon Data Breach report

I finally got a chance to read this report, and I'll say, it's excellent. You can find a copy of it here.

I'll highlight a couple of points.

90% of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.

I see this all the time. I can't believe how many times I've responded to an incident and I ask "do you apply the updates from Microsoft's update service?" Usually I get looked at like I have two heads. I've been one place that applied patches less than quarterly.

Investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of the attack.

This sounds like a no-brainer, but some places I've responded to have ZERO security.

Some other points the report brought to light:

• Know where your data is. Many times the critical data is stored on the sql server. However, reports may be contained elsewhere, and there's no thought to securing that data.
• Attacks that originate from outside the company make up most of the attacks. However, the greatest damage comes from insider attacks.

As far as the origin of the attacks, the report found:

• Asia: application exploits for data compromise
• Middle East: mostly defacements
• Eastern Europe/Russia: compromises of POS systems

Internal attacks were created by:

• Sys Admins: 50% of the time
• Employees (non-sysadmins): 41% of the time
• Everyone else: 9% of the time.

This is a great point that everyone in charge of security should be aware of and remember:

Given enough time, resources and inclination, criminals can breach virtually any single organization they choose.

Of course, they go for the low hanging fruit, or where they can get the most reward.

Here's a stat on timing:

• From the point of entry to compromise - it runs from a few hours to days.
• From compromise to discovery - the average is MONTHS!!! No one is watching the fort.
• From discovery to mitigation - WEEKS!!! What? I mean some things take some time, but I would think there would be pressure to get that timeframe down.

Finally, there was a section titled Unknown Unknowns. It said that:

9 out of 10 breaches include:

• A SYSTEM unknown to the organization (or business group.)
• A system storing DATA that the organization did not know existed on that system.
• A system that had unknown network CONNECTIONS or accesibility.
• A system that had unknown accounts or PRIVLEDGES.

A great read. It's on

Wireless ATM update

I took the kids for bagels the other day. Since school is out, there are lots more kids out and about; and apparently many of them hit up the bagel store during lunchtime. (Ed. the bagels at this place are really really good.)

So, since I had to wait in line (and that line stretched out the door,) I figured I would casually check out the ATM. There's a sign on it that states that it is owned by the store. On top, is a mini-antennae, with a cord going into the kiosk. While casually looking around, I could not find an access point in plain site. What I can't answer is if the store has an access point in the back somewhere, or the signal goes "off premises."

This needs checking out. And I would NEVER ever use this ATM.

Wireless ATM?

[caveat: I don't know much on the mechanics of ATMs. I've seen the inside of one while it was being repaired, but that's about it. The machine in question was a stand alone unit in a bagel shop, not in a bank.]

The other day, I took my son to a local bagel shop for lunch. As we went in, there was a woman standing by the door, not in line to get anything, and holding her bank card and her wallet. I didn't think much of, I just looked to make sure my son wasn't cutting her in line. We place our order, wait five minutes, then leave.

On the way out, I notice that one of the managers is talking to her, and the only thing I hear as we walk by is "honestly, I can't tell you much, the machine connects wirelessly."

WHAT THE?!?

I must have mis-heard him. That can't be, can it? Like I said, I don't really know the mechanics of how they work. I have a (real) high level understanding. But, I would have thought the machine would have connected via a hard wire of some kind. I never would have guessed wireless. So.....Where's it connecting to? How many other machines connect to the same location? And really, what's the security like on that connection?

One of these days we're going to have to go down there, get bagels, and eat in the car. And I may just have to bring the laptop.

I'm still surprised by what I heard. I hope someone can set me straight and either fill me in on what I (probably) missed; or explain how the machines really work.

Passed the exam!

I forgot to write last week, but I passed the exam for SANS GCIH.

Woohoo!

I took both practice test that were alloted to me. And I'll say, if you pay attention in class, and generally know the material, you will do fine. Also, I thought the actual exam I took was harder than both of the practice tests I took; I don't know if that is done intentionally.

The center where I took the exam was fine; I was the only person taking a test at the time. I'd say it took a little over an hour and a half to complete. The proctors were surprised I passed. I had to look at them a little quizzically, as that is not the reaction you want to hear when you are finished. But, they added that they have had people sit for the same exam and run out of time.

Anyway, I whole-heartedly endorse the exam and the certification.

Now what?

Saturday, I went down to my office to take advantage of some free time to pay bills, do some accounting, etc. I noticed outside that it was getting ready to rain; so I decided to get home before the rain started. On my way back to the car, I see a guy headed for the front lawn of the office building carrying what looked like a real estate sign.

Hmm.

I go do an errand, and instead of heading right home, I circle back around my office building. Sure enough, there is a For Sale sign on the front yard of the building. Great. Then it starts pouring.

After I get home, I fired off an email to my landlord; asking what's up. He replied that he "just got an investment opportunity" and needed to sell the building.

Fast forward to today, and I get a phone call from the landlord asking me if it would be ok if he showed my office; a prospective buyer had just flown in today. Yes, he normally gives twenty four hours notice. It doesn't matter to me, so I said yes.

I can't imagine this is good. A best-case scenario has my rent doubling, probably. A worst-case scenario has me looking for new office space (though I could be doing that even in the best-case scenario.) This is not the stress I need.

I plan for all kinds of issues, and try to have some kind of fallback for some of the risks. This was one risk that I had on the "low" side of the list. It wasn't the issue I thought I would be mitigating right away.

Opt-Out phone spam?

Here's a new one...
We got a call for my wife. It was an advertisement; the last day for her to sign up for a conference. She gets mail from them all the time, so it was a company/association I was at least familiar with. They were advertising that today was the "very last day to register for their conference and take advantage of the EARLY BIRD SPECIAL." I don't think my wife knew of this conference; certainly, if she did, she wasn't planning on attending. But, at the end of the message, the recorded caller said I could opt-out of future phone calls. WHAT?!?
When did this start?

First practice test down

I took my first practice test this morning, and passed. The exam seemed pretty straight forward and the questions are what I would have expected; there were not any surprises. The class did an excellent job of preparing me for the exam. Now, on to schedule the real thing.

In other news....a friend of mine suggested I look into governmental contracting. So, I'm looking into what's available and what's looked for.

Honeypot tips?

Exam update: I'm looking to take my first practice exam in the next couple of days.

In the meantime, I'm looking into building a honeypot. Do you have any tips? Any good lessons learned to pass on?

866-201-4573 and 315-207-4761: What's the point?

These two numbers have been calling my home land line incessantly. Literally, the callerid has four or five calls from these numbers each day. Also, the callerid shows up as "Unknown Caller." Typically, I don't pick up when it says "Unknown Caller" or any of the derivatives. However, after a couple of days of this nonsense, I figured it was about time I found out who it was and what they wanted. I've answered a couple of times now, and each time the caller asks for "John." (There's no John here.) When I've inquired about a last name, I get a different last name, or something un-intelligent.

I google searched the numbers and got a hit for each number. The results are a message board with similar complaints. When I last checked the message board, there was no real answer to the problem. Were they just verifying that my number was a legitimate number? A residential number? I'm never asked anything else, no name, no address, nothing.

After my searches, and with what I (don't) know; I've just started filing a complaint with the Do Not Call list. I figure, if I add the number each time I get a call, something will get done.

If I had the time, and I thought I could pull it off as well, I'd try this.

Running Cheops-ng in Ubuntu

One piece of software I never ran in the class was Cheops-ng. I decided to give it a whirl today, so that I could get familiar with mapping a network. Well, I couldn't get it to run. I was able to install it through apt-get. But, on running it, I was only able to map hosts when I was physically plugged into the network with a network cable. I was unable to scan using the wireless card.

Further, when I mapped the network, I received the following types of errors when I checked the operating system:

File gui-handlers.c, Line 552 (do_os_scan): Unable to send OS-scan event

It took me a while to figure out that mapping was only working using a cable. I'll have to see if there is a setting I can toggle to use the wireless card.

AVG Antivirus - upgrade to version 8

I knew it was coming, I just didn't know when. However, this morning was greeted to a pop-up from AVG that I would not be getting updates to the 7.5 version of the software after May 31st. And, I would need to update to version 8.

I just spent a few minutes updating. I encountered no (perceivable) issues as of yet. The only thing I noticed during the upgrade was a note...should version 8 not work properly, you would need to uninstall 8, and re-install version 7.5. So, far, it looks good. In doing a google search, I noticed little icons next to sites. When I mouse over them, the icons tell me if the site is "safe". And, by safe, I believe it means that there is no malicious code on the site. This will bear further investigation.

Hello World (part 2)

I thought this humorous.....
A collection of Hello World programs, in many languages.

Enjoy.

Kraken, the friendly bot?

Slashdot had another post today, dealing with the Kraken Bot. (I'm linking the articles here so I can read them in depth a little later.) It seems the Kraken botnet was infiltrated, and the authors of the papers realized they would be able to re-seed the commands to patch (cleanse?) the impacted bots. Slashdot rightly ponders the risks/benefits of a "friendly worm." The articles are:

Owning Kraken Zombies

and

Kraken Botnet Infiltration

Interesting...

I saw this on Slashdot this morning. It seems Microsoft has collaborated to create a device to allow law enforcement to bypass windows security; including the decryption of passwords. Yes, I know there are other tools that will basically accomplish the same thing. None of these other options, as far as I know, were created (even in part) by the operating system manufacturer.

...Studying...

I'm really starting to study for the exam portion of the SANS SEC 504 course. Posts might not be as prolific (if they were) as before. I'll try to weigh in on some issues when I can.

Foreign Used Gear

Slashdot had an interesting post this morning. In it, they discussed used gear coming into the country from foreign nations; and the security implications of that used gear. One article talked specifically mentioned the security of getting gear that may have been "reprogrammed" to do other task than what the product was initially intended; and some of those tasks could be nefarious.

A second article displayed the slides (and included a link to the original PowerPoint presentation) that showed fears that the FBI believes foreign hackers may have planted back doors into governmental networks using used gear.

This is something I've always wondered about, but on a more personal level. When I wanted to experiment with linux on a laptop, I searched eBay for a laptop that was not to pricey (and met my specs) such that I would not have a problem if my experimentation failed. Or had bad results. However, I knew that once I got linux up and running, I would be using the laptop quite a bit. I found plenty of laptops. And being a paranoid security professional, I assumed that hard drives were not wiped. Most of these laptops (if not all) came preloaded with Windows XP. And, while some of the descriptions said that the computer had been "reformatted, with the operating system reinstalled," what's to say that small malicious software wasn't also loaded. Maybe that software phoned home with interesting information from the new owner. Yes, I was installing linux, so I wasn't too worried. (Note: I purchased a new hard drive and swapped out the one that came with the laptop.) But the general public probably doesn't follow that tactic.

I suppose the same thing could be said for phones bought second hand. How about DVRs with malicious software pre-installed. Unfortunately, the drawback is that a fiscally responsible person or corporation gets pushed into the arena of only buying new gear. And sometimes that doesn't make sense/cents.

Slashdot security articles

Slashdot has a slew of articles on security for today. I can't get to them all now, so I'm linking to them, and hope to comment later.

Cybersecurity and Piracy on the High Seas

Windows Update Can Hurt Security

Storm Dismantled at USENIX LEET Workshop

The weather has been absolutely gorgeous here, and it's difficult to get the reading done.

Culture vs. What's Right

Slashdot had an interesting post yesterday that I did not get a chance to comment on. I have seen similar situations, though not directly ethicically related. A company I used to work for refuses to take security serious because of the amount of extra work it would induce. I left over half a year ago, and I guarantee the workstations have not been patched since I left. As for the servers, I don't think they were ever patched in my three-plus years of working there. I explained, and I preached. But the culture was not to take it seriously. In patching the machines, the company would be filling a big hole. But there are applications that would need testing, and minor issues would need to be fixed; and the time is not considered well spent by doing these activities. I know the big fear in patching the servers is that the enterprise applications will fail to work after patching.

I've seen clients that don't want to implement any kind of security, but more out of ignorance than anything else. Typically, I've been to these clients in order to fix a problem; a problem that might not have occurred if basic security practices were employed.

Fortunately, I haven't had to deal with outright ethics dilemmas. I can only imagine the headaches there.

Chamber of Commerce

I joined my local chamber of commerce the other day. It should be interesting, as marketing is not my forte. Yet, if I'm going to run a successful business, I'm going to have to effectively market it. I have a breakfast "networking" meeting coming up where I suppose I'm supposed to "press the flesh" and hand out business cards and brochures.

So, I'm in the middle of creating a brochure that conveys the importance of security and what companies should be doing. I don't want to scare and shock potential clients, however, I know a lot businesses (some that I deal with) don't take their computer security seriously at all.

We'll see.

mini-book review: Incident Response & Computer Forensics (2nd Ed.) by Mandia, Prosise and Pepe

Before I took the SANS 504 course I had picked up the book Incident Response & Computer Forensic (2nd Ed.) by Kevin Mandia, Chris Prosise and Matt Pepe. I was well into the book before the class started, and I'm glad class began while reading the book. The book almost makes a perfect companion for the class. The book helped me re-enforce many of the concepts taught in the class.

I'll start out by saying the book is excellent, well written, easy to read; and chock full of sites to pick up the tools used in the examples written about in the book. I learned many new tactics that I have already put into practice and I believe have made me a better security warrior. Rest assured, the authors are well versed in the field and they rely on their vast experience to convey their points. Many chapters contain real-world anecdotes to cases the authors worked on/witnessed and lend credence to the points being discussed.

The book is divided up into four logical sections: an introduction to incident response, collecting data, analyzing data, and an appendix (one chapter of which contains common sample forms.) The introductory chapters explain the basics of IR, what to expect, creating a team, and establishing the processes. Specific chapters deal with preparing for incidents and what to do after an incident has been declared. I really liked the chapters on data acquisition as it applies the most to what I do. Chapters deal with Windows, unix/linux, network data collection, and an important chapter on evidence and evidence handling. (The latter chapter is important for everyone, but the authors stress why this would be important in a corporate setting.) I especially liked the tools discussed and the scripts that are presented with the methodology for using them. The next section presented how to analyze the data that has been collected. While there is heavy presentation on forensics duplication (and rightly so,) there are chapters on Windows analysis, unix/linux analysis, and network analysis. From the network analysis chapter, the points on network data capture and reconstruction helped me the most.

My only complaint about the book is no fault of the author's. The book is copyright 2003. And, while the processes and methodologies could be considered timeless, unfortunately; the links to some of the software is not. In the five years, some companies have gone out of business, some have been absorbed by other (larger) companies. And some tools are no longer available. A great benefit of the book is that much of the software is free (and open source.) However, there are instances where the software linked to now costs.

All in all, I highly recommend the book to anyone looking to get into the field, or, anyone charged with setting up (or running) an incident handling team in their company. The methodologies and processes should be employed in any company where an incident response team works so that incidents can come to their proper conclusion. Many tools are presented in the chapters along with insights on how to get the most out of those tools.

SANS: ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

(This is probably for my own edification, so I don't lose the article, and can easily remember where it can be found.)

SANS has a great, simplistic article on securing a home access point that everyone with a wireless access point should read. And follow.

Whitepapers on IFRAME attacks

One thing I'm learning in this industry/profession is that there is never-ending research. I'm always learning and reading to learn more. The pile of books next to my bed is constantly getting bigger, faster than I can read them. (And it gets in the way of the pleasure reading sometimes. I guess that's what vacations are for. Vacations?) Fortunately, I like to read, and like to broaden my horizons.

Over the past couple of weeks, I've been reading the various reports (Symantic's is here, in pdf, Panda's is here, in pdf) that have been released on the state of the industry and what to expect for the rest of the year or the short-term. Frequently, I have read of IFRAME attacks. I used to be a web application developer, so the term IFRAME was familiar. I had never really used one, so I figured I would learn what they are. A quick Google search turned up a treasure trove of papers; two I'll highlight here.

I believe the two papers belong together, so I'll list them first. These papers are:
All Your IFRAMEs Point to Us
The Ghost In The Browser

I started by reading All Your IFRAMEs Point to us first, but the first citation was to The Ghost In The Browser; so I stopped and read that first. I'm glad I did.

The Ghost In The Browser was a little more technical. While it contained some of the same analysis covered more in depth in the other paper, it laid out definitions and explained how the IFRAME attack in detail. Snippets of code were included to show what you could look for in the source of the attacks. Also included were various attack vectors. This was exactly what I was looking for.

The second paper, All Your IFRAMEs Point To Us, to me, seemed a higher level. While the attack was briefly laid out, the paper discussed the prevalence of the IFRAME attacks and how they are so pervasive across the internet. If I didn't know better, after reading the article, I might never surf the web. It's not just the "grayer" areas of the internet where these attacks live. Ads are just as prevalent. Be advised, there are a couple of sections with some good-sized math included.

Further, for both articles, if I didn't know any better, I would never surf the web again. It really seems pretty grim. If you are not proactive and protective of your system.

From both articles, it is IMPERATIVE that you keep your systems patched; as the IFRAME attacks test for multiple vulnerabilities. Second, you must have some sort of anti-virus on your machine. But, to those of us in the security field, what I've typed is preaching to the choir.

Finally, one last point I would like to make. The references section in the paper All Your IFRAMES Point To Us is phenomenal. Listed are many articles, both in PDF and as web pages, covering all kinds of information. I plan on reading the papers on botnets next.

Interviewing for the school district's new admin

I was asked to help interview candidates for our local school system's new administrator. I couldn't make Monday's interview; another member of the Tech Advisory Board attended Monday's interviews.

The interviews were conducted by the Supervisor of Curriculum and Technology, and were attended by one of the principals, and the person in charge of the computer classrooms in each school. There was a clear agenda for each candidate and the interviews went smoothly. I was impressed with the precision and efficiency with which the group worked. I only saw a handful of candidates today. Yes, there were the people not really qualified (and I'm surprised they were even given an interview;) and there were very qualified and talented individuals.

What surprised me (pleasantly) was a question by one of the principals. She asked the first candidate "How do you feel, and what do you know about Open Source?" I almost fell out of my chair. Mostly because it is a great question, and I was surprised it came from the principal. (The first candidate couldn't answer the question, the second had heard of it but didn't use it, and the third, well......wasn't even in the right ballpark.)

I'm glad to see the school looking in the Open Source direction. I know that there are state contracts and regulations, but I know that the school district has monetary constraints. Dropping OpenOffice.org onto desktops is a lot cheaper than spending for X number of dollars on MS Office. Getting kids exposed to an alternative environment, I believe, will help the kids when situations are not ideal or what they expect.

The next step is to recommend two names to the Board of Ed, and they take it from there. I may have to go to the next round of interviews, just so that there is someone with technology experience there as the interviewers will be the Superintendent, the other principal, and Board of Ed members.

PandaLabs 1st Quarter 2008 report and MBR Trojans

Panda Labs has issued their first quarter quarterly report. You can see it here. Under the first quarter trend, it is noted that trojans are making up the biggest percentage of distribution channels for malware. Also noted were new methods for distributing malware through exploits.

To me, one of the biggest announcements in the document is that we are seeing a return of MBR exploits; though not with a virus but a rootkit. If I have it right, a rootkit hidden in the MBR will be active every time the system starts up. This would be tough to detect.

From the article (p. 19):

Stealth techniques aimed at carrying out almost-invisible silent infections are evolving.

Other topics discussed in the article are: a recap of Storm Worm over the last year, Multi-AV scanners, Web 2.0 attacks, and the latest attacks on mobile phones.

The article is definitely a great read. I have already sent it to a couple of sys admins that I know don't take security that serious.

Hydan on Ubuntu, part II

Well, I got Hydan running, sort of. I needed to install the following package: libcurl3-openssl-dev.
I thought it might be openssl, as that is what the error indicated. However, it looks like Ubuntu comes with openssl installed. The dev library needs to be added. Following installation, Hydan compiles.

So, I've tried working on a file that I know has text hidden in it, and I receive the following error(?):

./hydan-decode [filename]
Password: [entered]
hdn_crypto_decrypt: Error allocating memory for duplicating decryption. Requested -77012715 bytes.

What I'm unsure of is this: Is there another problem with Hydan, or is there an issue with running on Ubuntu.

Hydan steganography software on Ubuntu 7.04

First off, I finished the SANS 504 class, and it was one of the best security classes I have taken. And, it didn't hurt that Ed Skoudis taught the class. If you ever have a chance to take this class, I wholeheartedly recommend it. I haven't started studying for the exam, I plan on it; however the class alone was worth the money. I took it in the @Home format, which meant I got to learn from the confines of my home. Don't worry about that format. The software that facilitates the class is excellent. You hear the professor fine, see the slides that are presented, and, can interact via an online chat feature. Plus, the class is recorded, so on the off chance that you should miss one (I didn't) you could grab the audio at a later date.

7.04 laptop, and the The class recommends an XP laptop with VMWare on it so that you could run Red Hat linux for the linux portions of the class. I did 90% of the class on my UbuntuXP exercises I completed on a separate XP computer. (That went for the capture the flag game at the end, as well.) Almost all of the linux tools discussed in class were able to be fetched from the Ubuntu repositories, either from the package manager or using "sudo apt-get install...."

I was unsuccessful with one tool in particular: the Hydan steganography tool. This tool I have only found in a .tar.gz format. I downloaded the latest version, extracted it, and followed the directions in the readme. Basically, it was just cd to the hydan directory, and "sudo make." (Actually, it was just "make," but with Ubuntu I needed the sudo command.) However, I received the following errors:

cd libdisasm/src/arch/i386/libdisasm && make libdisasm
make[1]: Entering directory `/test/hydan/libdisasm/src/arch/i386/libdisasm'
gcc -I. -O3 -ggdb -c -o libdis.o libdis.c
gcc -I. -O3 -ggdb -c -o i386_invariant.o i386_invariant.c
i386_invariant.c: In function ‘disasm_invariant_modrm’:
i386_invariant.c:45: warning: incompatible implicit declaration of built-in function ‘memset’
i386_invariant.c:52: warning: incompatible implicit declaration of built-in function ‘memset’
i386_invariant.c:55: warning: incompatible implicit declaration of built-in function ‘memset’
i386_invariant.c: In function ‘disasm_invariant_decode’:
i386_invariant.c:155: warning: incompatible implicit declaration of built-in function ‘memset’
i386_invariant.c:165: warning: incompatible implicit declaration of built-in function ‘memcpy’
i386_invariant.c: In function ‘disasm_invariant’:
i386_invariant.c:233: warning: incompatible implicit declaration of built-in function ‘memcpy’
gcc -I. -O3 -ggdb -c -o vm.o vm.c
vm.c: In function ‘vm_add_regtbl_entry’:
vm.c:17: warning: incompatible implicit declaration of built-in function ‘strncpy’
gcc -I. -O3 -ggdb -c -o bastard.o bastard.c
bastard.c: In function ‘addrexp_get’:
bastard.c:22: warning: incompatible implicit declaration of built-in function ‘memcpy’
bastard.c: In function ‘addrexp_new’:
bastard.c:40: warning: incompatible implicit declaration of built-in function ‘calloc’
gcc -I. -O3 -ggdb -c -o i386.o i386.c
# make .a
ar rc libdisasm.a libdis.o i386_invariant.o vm.o bastard.o i386.o
ranlib libdisasm.a
make[1]: Leaving directory `/test/hydan/libdisasm/src/arch/i386/libdisasm'
gcc -Wall -Ilibdisasm/src/arch/i386/libdisasm -g -DVARBITS -c -o hdn_common.o hdn_common.c
In file included from hdn_common.h:12,
from hdn_common.c:9:
hydan.h:24:25: error: openssl/evp.h: No such file or directory
hdn_common.c: In function ‘hdn_disassemble_all’:
hdn_common.c:32: warning: pointer targets in assignment differ in signedness
hdn_common.c:37: warning: pointer targets in passing argument 1 of ‘x86_disasm’ differ in signedness
make: *** [hdn_common.o] Error 1

I'm not the best at interpreting the make errors. Anyone out there have any ideas? What I'm not sure is if the error is because of Ubuntu, or if there is something else wrong.

I think I'd make a lousy hacker

We're at the practical portion of the class. Last night, and tomorrow night, we're playing capture the flag. It's really pretty cool, and I've never done it before. But, I've come to the realization that I'm not that great at it. I have captured one flag so far, and I've seen a second. I admit, it was pretty cool to break into that first server and capture the flag. For a while, I had shell access to a second server; but the password I used last night doesn't seem to work today. I don't know if the password was change by someone else or what.

One thing that has been great to see, is everyone elses tools littered around the place. I've enjoyed going from directory to directory and seeing, and analyzing, the tools I've found. Many people have not even bothered to hide their tools.

The game ends tomorrow. I'll keep plugging along, but I don't have high hopes. At some point in tomorrow's class, answers will be revealed to us. I'll try them out over the weekend to see what else I can learn.

Keyloggers (continued)

Irongeek has another video up regarding keyloggers.

Webkinz, NeoPets, Club Penguin, etc. internal security

I sat down to type out a quick post questioning the security of these sites, as my youngest has been enjoying Club Penguin of late. In going through the security blogs I read, I came across the following posts:
Martin has a great post
and
Brian's post from the Washington Post.

Martin's post was along the lines of what I was going to post. But, I was going to go a step further. There are laws regarding data breaches and customer notification if there are data breaches. How do those laws impact these sites? What happens if those sites suffer a data breach. Do we get notified? It seems that every stuffed animal maker has a online site related to the animal. My kids are huge into the Webkinz. My youngest likes Club Penguin, but my oldest has moved on to UB Funkeys. They've been on Ty's Beenie Baby site if I can remember correctly. And I know my oldest has been on NeoPets; but I think that will stop for a bit.

Local school district considers security

The Board of Education for my town has a committee that was formed almost two years ago called the Tech Advisory Committee. It consists of members of the school board, the technology staff, and a few volunteer community members; most of whom have kids in the district and have some tech experience. I think there are three of us in that category now. We are steered by the Supervisor of Curriculum, Instruction, and Technology. Generally, the meetings have a few topics that the school district is interested in, and our group serves as a sounding board for those ideas. We weigh in on what we have seen in our respective companies, and we give opinions and brainstorm. A couple of projects I've seen accomplished:

• The backup process was overhauled and outsourced (to some degree) freeing up time, space, and actually saving some money.

• The school system dropped a costly T1 line and switched to Fios, saving lots of money, and not seeing any apparent degradation of service.

• We've made recommendations on architecture and technologies.

Through it all, the district has been cognizant of security and considered it in all phases of its projects. Sure, the threat vectors have been different than your typical business; but there are threats none the less. It has impressed me that the decision makers are considering security up front, and not as an afterthought; or after a major/minor incident. Can they do better? Everyone could do better, but they are light years ahead of what I see day to day.

I enjoy being part of this group, and I'm glad to see the group be effective in its mission.

WMIC update

I have since found two great articles on WMIC. They can be found:
here
and
here.

The first article is probably the best piece of documentation I have found on WMIC.

Leap Day, Leap Year and WMIC

It's not often that I get to post on Leap Day, so I thought I would take advantage of the occurrence.

Class has been talking a lot about Windows command-line tools. One such tool that has been getting a lot of time is WMIC. I've printed the help, but there doesn't seem to be a lot there. Also, I'm in the process of going through the knowledge base:
here
here
here
and here

If anyone knows of other good sources to read up on WMIC, I'd love to know of them.

The Linkin Park Stalker

First off, if you haven't signed up for the various newsletters from SANS, you should. They're great. Not only is there a list for recent vulnerabilities that have been released, but they have newsletters for relevant security news.

In today's NewsBites (Vol 10, No. 16), there is an article on the internet stalker that had been harassing the lead singer of Linkin Park, and his wife. I'm going to quote the article here:

--Internet Stalker Gets Prison Time
(February 21, 2008)
Devon Townsend has been sentenced to two years in prison for using
computers at her workplace to access private information about Linkin
Park lead singer Chester Bennington.  Townsend was employed at Sandia
National Laboratories; from computers there, she managed to access
Bennington's email account, phone numbers, phone bill records, and
family photographs.  She used some of the information she found to
threaten Bennington's wife.

There were two articles that the note linked to:
Link 1
Link 2

However, I remember a truly great article from Wired Magazine detailing the story. A little searching and I was able to find it. Click here to read the article.

F-Secure Blacklight Rootkit Elimination

I've just recently downloaded and been running F-Secure's Blacklight Rootkit Elimination tool. And, I have to say, I like it. I've been using it on the home network, but the real test when it accompanies me out in the field. For quite a while, I had been using Trend Micro's Rootkit Buster, but when I built a new machine, I decided to try F-Secure. Of course, I haven't found anything, so I'll be putting it through its paces in the field. As I see more action, I'll report in on the results.

Getting Nessus running on Ubuntu (Feisty) on a Thinkpad T40

Notes for myself, hopefully, they'll help someone else.

I noticed that Nessus was available from the Ubuntu repositories.
I added it through Add/Remove, but realized that it did not include the server package.
Type: "sudo apt-get install nessusd" to grab and install the server.
Next, run: nessus-mkcert to create a certificate.
Next, run: nessus-adduser in order to create a user to run the scans from.

I ran Nessus, both the server and the client. However, the scan was limited because I did not have many of the plug-ins. To get the plug-ins, I went to http://www.nessus.org and register for free. (Free gets the newest plug-ins after they have been out for a week.) You will receive the key to unlock the program in the email that was used to register. To activate it, type:

sudo nessus-fetch --register

(In the future, to update the plug-ins: sudo nessus-update-plugins)

That done, it's time to run Nessus.
To start the server and put it in the background, type:
sudo nessusd -D

Wait for the command prompt to come back (plug-ins will be loaded.)

Then, you are able to run the client program from Applications -> Internet -> Nessus

That should do it.

Kismet on a Thinkpad T40

It took me a bit, but I finally got Kismet installed and running on my Thinkpad T40. I believe the on-board wireless chip is a Cisco, and as such was not easily detected. There were a couple of things I needed to fix.

Mainly, I had to edit the read-only kismet.conf file.
In the file, there were two settings that needed to be changed. The first was the user Kismet would drop into if needed. I run Ubuntu, and to get Kismet to work properly, I start it with sudo. Secondly, you need to add a source record. This was the hardest part for me. A quick check at the ThinkWiki showed me that the wireless card could have been one of three manufacturers. A little trial and error got me to the Cisco card (and even that had some tricky conventions.) In my case, I set the source = "cisco_wifix,eth1:wifi0,Cisco" That middle parameter was the tricky part. For the Cisco card, you have to list both configurations. You can get a listing of the different chipsets and parameters at Kismet's documentation page.

To get Kismet running, I just typed 'sudo kismet' and away I went.

Network Taps

In the class last night, we briefly discussed network taps. The name that came up was Net Optics. However, reading this page on Wikipedia, I see other manufacturers. A couple of people in the class mentioned Net Optics as being very good, although they mentioned they were pricey. Wikipedia's page lists some other vendors: Comcraft, Datacom Systems, Network Critical, and VSS Monitoring. None of those names were mentioned so I'm wondering if anyone has any experience with them. Any thoughts would be appreciated.

[edit: I just saw this in my drafts folder...I don't know why it was never published.]

Network Taps

In the class last night, we briefly discussed network taps. The name that came up was Net Optics. However, reading this page on Wikipedia, I see other manufacturers. A couple of people in the class mentioned Net Optics as being very good, although they mentioned they were pricey. Wikipedia's page lists some other vendors: Comcraft, Datacom Systems, Network Critical, and VSS Monitoring. None of those names were mentioned so I'm wondering if anyone has any experience with them. Any thoughts would be appreciated.

5th Cable Cut

I'm not sure even what to write, or believe any more.

In other (un)related news.. .the GCIH class is AWESOME.

GIAC certification coursework materials arrived

Woohoo!
The course books and cd of software arrived the other day. I just quickly thumbed through them, and they really look great. The class looks like it will be a lot of fun.

It Looks Like the Middle East Cable Cuts were accidental

SANS NewsBytes reports that the cut to the Middle East data cable was accidental. They site three articles, which I've listed below:
The New York Times
BBC
and news.smh.com.au

I'm excited to read they were accidentally cut.

Middle East cable - Part II

CNN.com has a story on the cable being cut. In it, it is postulated that it was possible that a boat anchor had cut the cable. You can read the story here.

Middle East Cable cuts

A read a while ago of the potential cable cut in the Mid-East here from SANS. Normally, I wouldn't dwell too much on it. However, as it happens, I have a very old friend working in Djibouti that I have just re-connected with. So, I was a little surprised when I read of the cable cut. My first thought was "how, exactly, does a cable get cut?" Ok, I can believe an earthquake would do the trick. But, outside of that, what would cut a cable? A person? A fish? A boat/sub? Something else?

Now, I read on the SANS Internet Storm Center that apparently more cables to the Middle East have been cut. You can read the new article here. Now, I am suspicious. One cable? Ok. But the backup cables as well? I have to wonder. The post talks about backups going down. Sometimes our backup systems are rarely used until they get called into service. And that's not when you want to find out there's a problem with them.

As it is, I hope connectivity isn't down for a long time. I enjoy hearing from my friend.