Thursday, December 28

How to Obscure Any URL

Well, maybe not. I found this article on Digg and saved it to read later. Initially I was very excited, as you will encounter URL obfuscation when working with malware and phishing.

Unfortunately, the specific techniques no longer work on Firefox 2.x or IE 6. The concept is still worth investing some time in.

I need to research whether any more recent documents are available.
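The tricks of that era that I still run into in phishing mail are the "decoy@realhost" form (the browser ignores everything before the "@") and hosts written as a bare 32-bit number or as hex/octal octets. Below is an added example of my own, not code from the article above, that pulls a suspect URL apart and shows what the browser would actually connect to. The sample URLs are constructed for the example and the hostnames in them are not real sites.

```python
from urllib.parse import urlsplit


def _parse_octet_token(tok: str) -> int:
    """Parse one dot-separated token the way classic inet_aton does:
    0x.. is hex, a leading 0 is octal, anything else is decimal."""
    low = tok.lower()
    if low.startswith("0x"):
        return int(low[2:] or "0", 16)
    if len(low) > 1 and low[0] == "0":
        return int(low, 8)
    return int(low)


def numeric_host_to_ip(host: str):
    """Return dotted-quad text if `host` is an IPv4 address in disguise
    (one 32-bit number, hex/octal octets, or fewer than four parts);
    return None for an ordinary hostname."""
    tokens = host.split(".")
    if not 1 <= len(tokens) <= 4:
        return None
    try:
        values = [_parse_octet_token(t) for t in tokens]
    except ValueError:
        return None                      # contains a non-numeric label
    head, last = values[:-1], values[-1]
    if any(not 0 <= v <= 255 for v in head):
        return None
    remaining = 4 - len(head)            # the last token fills the leftover bytes
    if not 0 <= last < 256 ** remaining:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def unmask(url: str) -> dict:
    """Split a suspect URL into the part meant to be read by the victim
    and the part the browser actually resolves and connects to."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "decoy": parts.username,         # text before '@'; never sent as a hostname
        "host": host,                    # what the browser resolves
        "ip": numeric_host_to_ip(host),  # decoded numeric form, if any
        "path": parts.path,
    }


# Constructed for this example; not real phishing URLs.
SAMPLES = [
    "http://www.mybank.example@3232235777/login",
    "http://0xC0.0xA8.0x1.0x1/login",
    "http://0300.0250.01.01/login",
    "http://www.mybank.example@evil.example/login",
    "http://mail.google.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = unmask(u)
        print(f"{u}\n   decoy={r['decoy']!r} host={r['host']!r} ip={r['ip']}")
```

The first three samples all land on 192.168.1.1. As noted above, current browsers either refuse the "@" form or strip it out, but log files and mail bodies still carry it, so a decoder like this belongs in the phishing triage toolbox.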

Wednesday, December 27

The new migration from D.C.

The Washington Post has a story about a new migration taking place on the east coast. It seems some of our federal agencies see fit to move just a bit west, out of D.C. -- just far enough to be outside a blast zone (a 50-mile radius). Sounds like data center move time!

Link to the complete article here.

Blast zone or not, I welcome the move. I am pretty shocked this hasn't started sooner ... unless this is just an article to hype the local real estate market. Hmm.

Anyone want to invest in some local data carriers in the Winchester, VA area?

Tuesday, December 26

Online Nmap Scanner

Matousec also provides an online Nmap scanner. Fun stuff.

Play with it here.
Get the old school edition here.

Personal Firewall Analysis (Windows)

Matousec has posted a very interesting leak-test report on Windows firewall software. Most of the big names made the party, but few fared very well.

In short, Comodo and Jetico own, while Windows Firewall is horrible. Keep in mind what a leak test measures: whether the firewall stops a process already running on the box from phoning home. The Windows XP firewall filters inbound traffic only, so it fails every leak test by design.
Read the complete report here.

Note: they later slam Comodo here as well -- then again, they slam everyone.

Bootable security distro on your USB stick

Ever use BackTrack? Here is a very nice article on how you can boot the OS from your USB stick. They even have a bit about using it with Windows and the ever-handy VMware Server.
Get the article here.
Find other fun tutorials here.

... sort of like making BackTrack something you would find on portableapps.com

Saturday, December 23

Republican Aide Tries to Hire Hackers

Yesterday, /. posted news about a Republican aide who wanted to hire hackers to change his grades. Let me lead off by saying I do not care about political affiliation or even the fact that this is a government employee. So what? Not my blog.

I will assume this guy had a bad GPA and was looking to get into a good grad program at Foo U. I do think it is interesting that he went to Texas Christian University, whose mission is evidently not shared by at least one of its former students.
Our Mission
To educate individuals to think and act as ethical leaders and responsible citizens in the global community.
Anyway, enough of that stuff. Let's get on with the humor!

Take a moment and read the entire email thread from the fine people at Attrition.org. Trust me, it is worth it. Here is also the link to the Network World news article.

I loved the humor factor - rot 26 is some pretty serious stuff! I remember a rot 13 question in the text "Puzzles for Hackers", and who asks for photos of pigeons or squirrels? Classic. Who doesn't love a squirrel? Thanks to this email thread a new form of squirrel authentication has been born! Thank you, squirrels!

A bit more on my above reference to rot 13 / 26.
Check out rot13.org here.
They also have a calculator of sorts here.
With rot 13 the letter "a" becomes "n", "b" becomes "o", and so on. Apply it a second time (or shift by 26 in one go) and you are right back where you started: "a" to "n" and back to "a" -- thus the humor.

In short, rot 13 is a prepackaged Caesar cipher with a fixed shift of 13 places. Because the alphabet has 26 letters, the same function both encodes and decodes, and the shift is public knowledge, so it hides text from a casual glance and nothing more.
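To make the rot 13 / rot 26 point concrete, here is an added example (my own code, not from the email thread or from rot13.org): a general Caesar shift, rot 13 built on it, rot 26 shown to be the identity, a cross-check against Python's own rot_13 codec, and the complete "attack" on any Caesar cipher, which is just trying all 26 shifts.

```python
import codecs

ALPHABET_SIZE = 26


def rot(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by `shift` positions (mod 26).
    Case is preserved; digits, punctuation and spaces pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            base = ord("a")
        elif "A" <= ch <= "Z":
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr(base + (ord(ch) - base + shift) % ALPHABET_SIZE))
    return "".join(out)


def rot13(text: str) -> str:
    """rot 13: a Caesar cipher with the shift fixed at 13. It is its own inverse."""
    return rot(text, 13)


def rot26(text: str) -> str:
    """rot 26: one full trip around the alphabet, i.e. the identity function."""
    return rot(text, 26)


def matches_stdlib(text: str) -> bool:
    """Cross-check rot13() against the rot_13 codec shipped with Python."""
    return rot13(text) == codecs.encode(text, "rot_13")


def caesar_candidates(ciphertext: str) -> dict:
    """The whole 'cryptanalysis' of a Caesar cipher: undo every possible shift.
    Returns {shift_used_to_encrypt: candidate_plaintext}. With only 26 keys,
    a human picks the readable one by eye, so this is encoding, not secrecy."""
    return {k: rot(ciphertext, -k) for k in range(ALPHABET_SIZE)}


if __name__ == "__main__":
    msg = "Send photos of squirrels"
    print("rot13 :", rot13(msg))
    print("twice :", rot13(rot13(msg)))
    print("rot26 :", rot26(msg))
    for k, guess in caesar_candidates(rot(msg, 7)).items():
        print(f"shift {k:2d}: {guess}")
```

Running the brute-force loop over any Caesar-shifted text prints the real message among 26 lines; that is the entire reason rot 13 is used for spoiler hiding and not for anything that needs protecting.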

I seriously wish they would have asked for a photo of a horned frog.

Monday, December 18

Gartner Highlights Key Predictions for IT Organizations in 2007 and Beyond

While reading the IT-Observer, I found a link to Gartner's key predictions for 2007. I was very thankful for the lead on the article; however, I wanted the other predictions.

Egovernment.com wasn't afraid to fill me in ... link to article.

And the eye opener:
By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. The threat environment is changing -- financially motivated, targeted attacks are increasing, and automated malware-generation kits allow simple creation of thousands of variants quickly -- but our security processes and technologies haven't kept up.
I break it down into the following points:
  1. Financially motivated malware? An example would be nice. If we locked down our web browsing and quit running our browsers with administrative privilege, this wouldn't be as big an issue. No, MySpace is not work appropriate -- even if you work in skip tracing.
  2. 75% will be infected -- what about the other 25%? Are they "clean" from habit or luck?
  3. Financially motivated -- this is important. If there is monetary value associated with a risk, then follow the money. Gone are the days of nerds just playing, where attacks were loud and obvious (think Nimda, Code Red). Now we have state-sponsored hacking and even mafia-supported attacks -- not to mention your own employees.
Some thoughts:
  1. Lock down internet access - proxy, white list -- whatever, just clean it up.
  2. Monitor your email. You would cry if you saw what was being sent outbound each day.
  3. Use psexec to limit browser rights (psexec -l starts a program with limited user rights, dropping the Administrators group from its token), or use another OS altogether. Link here -- thanks, Allen.
  4. Start thinking from the inside out. Do you have low paid, high turnover employees, with access to valuable information? -- stuff like that.

Sunday, December 17

Legal Aspects of Computer Security and Information Privacy

Last week I registered for my last class at Capitol College. My thirty-fourth, thirty-fifth, and thirty-sixth credits will come from IAE-671, Legal Aspects of Computer Security and Information Privacy.

Two of the texts are: No Place to Hide and Darknet: Hollywood's War Against the Digital Generation (possible yawnsville). The good news is most of our reading is provided via links to PDFs and other online information, so hopefully it won't be too dated.

Our professor, David Ward, is an attorney for the Federal Communications Commission and worked on the Communications Assistance for Law Enforcement Act (CALEA).

I have high hopes for this course. It begins the first Wednesday of the new year.

Thursday, December 14

IndySec 3

IndySec 3 is December 20th.

Ain't no party like a laptop party.

Thursday, November 30

(IN)SECURE

Check out the new December edition of (IN)SECURE magazine.

Friday, November 17

From www.security-forums.com

I thought I would post a reply I made to www.security-forums.com. A poster wanted to know how he, a programmer, could go about getting into security.

Link to my post at www.security-forums.com
Registration required, I know. Dumb.

Hello,

Use your background as a web programmer to boost your chance to get into infosec. Start looking into application security, something like OWASP. I would also recommend you shore up any weakness in networking or systems administration.

Pass. Pass on the hype. As far as certs, pass on the CISSP - that is a management cert. You are not ready for it anyway. The CISSP is a management-centered cert for people with 4 years of direct, full-time security experience. I recognize this cert blows the doors off the HR department. I am not addressing this amazingly confusing fact in this post.

Read. Read blogs, read books, just read. Make best efforts to learn while reading.

Here are some of my favorites

*Protect Your Windows Network

*The TAO of Network Security Monitoring

*Inside Network Perimeter Security

*Malware: Fighting Malicious Code

*Counter Hack Reloaded

Volunteer. Find a church, a school, a not-for-profit, or a networked dumpster that might let you help. Maybe they need some help rolling out a new AV solution, maybe they do not have one, and maybe their only server sits under a sprinkler head – who knows. Who cares?!? You do! Help them, make something better, and build your experience.

Build a lab. Learn VMware. Understand the value of a good lab. Get access to some networking equipment. Do not forget to download your favorite ISO files from the newest *.nix distro. Download / Burn / Install or if using VMware, download the distro, mount it under “use ISO Image” and boot away. Simple.

Team Up. Find someone who will have nerd-night with you. Nerd night is your officially allocated learning time, with someone who has similar interests. Build that VM server, test running IE as an unprivileged account using psexec and visit a bunch of bad sites and scan for malware ... This is something I will be testing soon, for no real reason.

Get your degree. If you do not have your BS, go get it. View the "centers of academic excellence" of the NSA. Google on it. I am working on my masters in information assurance / network security at Capitol College.

Meet people. Want to learn more and meet others in the industry? Search for local 2600 or ISSA groups. If nothing is available or if those groups do not meet your needs, start your own group. I started IndySec -> Indysec.blogspot.com

Do not quit. I put a lot of time, money, and effort to get my position in Infosec. I failed several times to land a position in Infosec. I could have quit and not swallowed my pride to try again, but then I would not have a rewarding career.

Who am I? I am a simple person that works hard.
I understand I have a lot to learn. I am also somewhat of a newbie to Infosec.

Know your goals, do your best, when unsure – ask someone who knows, and never quit.

Saturday, November 11

Google Chat

I use gmail and enjoy their in-browser chat client. In case you don't already know, that communication is in clear text ... sniff sniff.


A quick solution is to add an "s" to your url string (nothing new here).
httpS://mail.google.com/

When I have more time I will take a look at the cookie that's set by gmail chat and the related communication / reference. During a quick test last night, Wireshark complained about some of the captured traffic not being compliant ... more to come.

Friday, November 10

NIST

NIST has a new draft on intrusion detection titled "Guide to Intrusion Detection and Prevention Systems" (SP 800-94).

Here is a link to the PDF.

I have *not* had a chance to read the entire paper, however I did find Appendix C very interesting.

Snip:
The lists below provide examples of tools and resources that may be helpful.
Print Resources
  1. Bace, Rebecca, Intrusion Detection, Macmillan Technical Publishing, 2000.
  2. Bejtlich, Richard, Extrusion Detection, Addison-Wesley, 2005.
  3. Bejtlich, Richard, The Tao of Network Security Monitoring: Beyond Intrusion Detection, Addison-Wesley, 2004.
  4. Crothers, Tim, Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network, 2002.
  5. Endorf, Carl et al, Intrusion Detection and Prevention, McGraw-Hill Osborne Media, 2003.
  6. Kruegel, Chris et al, Intrusion Detection and Correlation: Challenges and Solutions, Springer, 2004.
  7. Nazario, Jose, Defense and Detection Strategies Against Internet Worms, Artech House Publishers, 2003.
  8. Northcutt, Stephen and Novak, Judy, Network Intrusion Detection: An Analyst’s Handbook, Third Edition, New Riders, 2003.
  9. Rash, Michael et al, Intrusion Prevention and Active Response: Deployment Network and Host IPS, Syngress, 2005.
It is interesting to see who did and did not make the list. I would have added a few others; however, I am not NIST. Additionally, I found this publication to be more of a management overview than a technical document. You are better off reading numbers 2 and 3 from the above list, IMO.

IndySec 2

IndySec 2 is next Thursday, November 16th @ 6:30PM

IndySec 2 Blog Link

Wednesday, October 18

Apologies and Job Change Information

Whew.

Well, after several application attempts, general nerding around, and study, I have my first full-time position in information security. I will be working on the host and network protection team for a large financial firm in the Midwest.

Sorry for the lack of posts of late (looking in the mirror). It has been a mix of SANS study, job interviews, and some other "life" events.

Cheers!

Thursday, September 14

SANS Chicago

SANS Chicago is only a couple of days away - I cannot wait!

I just spoke with Scott Weil, Program Director, to verify some event details. It seems the evening labs have been canceled because Micro closes at 6:00 PM each night, and they also load us down with books.

I am headed from Indianapolis to Chicago by train and have reserved a bunk at the local hostel about a mile away from the training facility. As this event is being completely financed by Steve Moore Inc., being frugal was of high importance (anyone who has purchased SANS training will know what I am talking about).

FYI, the train is ~$40 US round trip and the hostel is $28 a night, compared to $140 a night for a hotel, plus parking.

I will do my best to report to the blog each night and share what was learned in my GSEC training.

Saturday, September 9

Indianapolis ISWT

Last Thursday I attended the Indianapolis Information Security & Wireless Technology Conference. It was a standard event with vendors and such, with one added bonus: Kevin Mitnick.

Kevin spoke for around an hour about standard social engineering and then had some "live" interactive events. He shared how he stole the MicroTAC source code from Motorola and how he himself had been socially engineered prior to the release of his latest book, The Art of Intrusion. During these events, he would call up audience members to participate in different activities.

The most interesting portion of his speech was about a phishing / IVR dupe. We all know about phishing and what it entails; however, now there are hackers who recreate IVR systems and then phish for marks to call in. This attack recreates an IVR (interactive voice response) system for purposes of data collection, such as banking logins and passwords. Kevin had used a service called IPKall to bind a POTS number to an IP. The IP was bound to *nix-based IVR software. The interesting thing is Kevin also took the steps to copy the real IVR responses (and tree logic) from a real bank. With the system recreated, one could then "spear phish" customers in the area of bank X. All password entries would give an error message noting an incorrect password, so the mark keeps typing and the attacker keeps collecting. Kevin displayed this in real time as his IVR scooped up his own self-generated traffic.

Amazing.

Also, his business cards are metal and break up into a lock pick set.

For those who may complain, I understand he is a criminal; however, it behooves us all to understand how these guys think. They truly have no limits to their thinking and as a result are very creative. At times, in the professional world, we allow ourselves to become too systematic in our thinking.

IndySec Formed

IndySec has been formed. This is a work in progress - more information to come!

IndySec Blog Link

Thursday, August 31

SSL Explorer

While researching open source anti-virus solutions, I ran across ssl explorer from 3sp. SSL explorer - Community Edition is a free (as in beer) desktop-over-HTTPS tool. The tool allows for remote management of desktops, servers and intranet resources.

I just finished watching their online Flash demonstrations and I am quite impressed. From their site:
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.
While the tool looks great, their self-definition is not completely correct. SSL VPN -- that is a problem. According to the text Protect Your Windows Network, to be considered a VPN a tool must:
"authenticate the end user and assign the remote node an IP address routable on the local network" p. 202.
By that definition SSL-Explorer is a browser-based application gateway (a reverse proxy in front of internal web and file resources), not a VPN: the client never receives an address on the internal network, which is exactly what makes it easier to deploy and also what limits what it can reach.
A few more notables:
1. you do not get two-factor authentication with the community edition.
2. you can register for a full featured VMware appliance running in enterprise mode here.

Visit the ssl explorer page here.
And on SourceForge here.

Wednesday, August 30

Helix & Live View


I just finished a class on Incident Response and Computer Forensics, so this is very exciting to me.

In short, you can take Helix and create an image using dd. Depending on the incident, you may need to create a duplicate of the system in question. Live View is one way an investigator can boot a .dd file for further analysis without altering the image.

As part of my final project, I used Helix Live Acquisition software to create a copy of a logical drive. I remember thinking how cool it would be to take that copy and somehow run it in VMware.

Fast-forward a month, and now we have Live View. According to the Live View site:
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
So is this forensically sound?
Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
Sounds pretty nice. Verify it anyway: hash the image before and after a Live View session and compare, and keep the separate change file with your notes, because that is where the guest's writes went.
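As an added example (my own script, not code from the Helix or Live View projects), here is the bracket I would put around any tool that opens a raw dd image: hash the image, read the MBR partition table and each volume's boot sector strictly read-only, and hash it again to prove nothing moved. The 64-sector image it builds is constructed for the example; with a real capture you would call examine_file on the .dd file. Note that my own Helix capture was of a logical drive, which begins at the volume boot sector rather than an MBR; oem_id_at with offset 0 covers that case.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
TYPE_NAMES = {0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


@dataclass(frozen=True)
class Partition:
    index: int        # slot 0..3 in the MBR table
    bootable: bool    # status byte == 0x80
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(image: bytes) -> list:
    """Read the four 16-byte partition entries at offset 446 of sector 0."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    found = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0:                       # unused slot
            continue
        found.append(Partition(i, status == 0x80, ptype, lba, count))
    return found


def oem_id_at(image: bytes, byte_offset: int) -> str:
    """Filesystem/OEM name at bytes 3..10 of a volume boot sector
    ("NTFS    ", "MSDOS5.0", ...). For a logical-volume image, as a live
    acquisition of one drive letter produces, use byte_offset 0."""
    boot = image[byte_offset:byte_offset + SECTOR]
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xAA":
        return ""
    return boot[3:11].decode("ascii", "replace").strip(" \x00")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def examine(image: bytes) -> dict:
    """Hash, parse read-only, hash again; 'unchanged' must come back True."""
    before = sha256_hex(image)
    report = []
    for p in parse_mbr(image):
        if (p.lba_start + p.sectors) * SECTOR > len(image):
            raise ValueError(f"partition {p.index} runs past the end of the image")
        report.append((p.index, p.bootable, TYPE_NAMES.get(p.type_id, hex(p.type_id)),
                       p.lba_start, p.sectors, oem_id_at(image, p.lba_start * SECTOR)))
    after = sha256_hex(image)
    return {"sha256": before, "unchanged": before == after, "partitions": report}


def examine_file(path: str) -> dict:
    """Same check against an on-disk .dd file, opened read-only.
    Reading whole is fine for lab images; stream the hash for multi-GB ones."""
    with open(path, "rb") as f:
        return examine(f.read())


def build_sample_image() -> bytes:
    """Constructed 64-sector image (not a real capture): one bootable
    type-0x07 partition at LBA 8 spanning 56 sectors, with an NTFS-style
    boot sector at its start."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 8, 56)
    img[510:512] = b"\x55\xAA"
    boot = 8 * SECTOR
    img[boot:boot + 3] = b"\xEB\x52\x90"          # jump instruction, as NTFS uses
    img[boot + 3:boot + 11] = b"NTFS    "
    img[boot + 510:boot + 512] = b"\x55\xAA"
    return bytes(img)


if __name__ == "__main__":
    import sys
    result = examine_file(sys.argv[1]) if len(sys.argv) > 1 else examine(build_sample_image())
    print("sha256:", result["sha256"], "unchanged:", result["unchanged"])
    for row in result["partitions"]:
        print("  slot %d boot=%s type=%s lba=%d sectors=%d fs=%r" % row)
```

Run it with no arguments to see the constructed image parsed, or pass the path to a dd image. Record the sha256 line in your notes before the Live View session and run it again afterward; the two digests of the original image file must match, and any difference means the tool (or you) wrote to the evidence.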

Live View has been talked about here and here.

Get Live View here.
Get Helix here.

Thursday, August 24

Article Review: Why home firewall software is a leaky dike

A while back, MG.com posted an interesting article on home software firewalls. This article was also featured on Slashdot.org. To me there were a couple of points I wanted to blog about, as some items just didn't add up. The point of the article was to warn readers that software-based firewalls are not safe, even referencing the point that if you use a router with "firewall functionality", then no software firewall is needed.

The article continues:
The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system's warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.
Huh? So the software firewall is too much, but the undefined hardware router / firewall management is suitable for most "lay" (a term used later in the article) users. And what about the idea of defense in depth?
Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP
So what kind of firewall functionality are we talking about here? Any example? How should we configure this firewall / router? We already identified that our reader is a lay person, so hardware is the way to go? While having a router is a plus, all it is going to do is block inbound ports. Even packet-filtering and stateful-inspection firewalls are not going to provide much beyond that, and only IF they have been configured properly.

Software firewalls are mentioned as "extraneous" as long as the user abides by the basic rules of web surfing. A couple of points here: first, no "rules" list was provided; second, what about other hacking-related activities, such as scanning and enumeration with nmap? A software firewall wouldn't help with that? I know first hand it will. A quick look at nmap versus Windows Firewall will tell you that. While on the quick topic of the Windows firewall, the XP version does not filter outbound traffic at all, and most others will not unless told to do so. This includes most of the magic "firewall routers" discussed in the article. The thought "if it originates from within, it must be OK" comes to mind (which is obviously not the case). This entire theme is skillfully discussed in the book Extrusion Detection, by Richard Bejtlich (pronounced Bate-lik*).

Here we get into usability versus security. Many software vendors will not ship software that is not usable, even in the face of security. An exception to this thought: just today, a colleague told me about a new laptop that shipped with the McAfee security suite. Security was enabled and set to "paranoid" by default. The only problem was the machine could not reach the default gateway and the NIC would not come online. How many people would have disabled the entire suite to get online?

The author does get points for discussing the dangers of using administrator account(s) for anything other than installing software (or using fport!), scanning attachments, and proper patch management. Furthermore, end user awareness and surfing habits are covered, which is a nice to see.

Pats on the back are over. The author says JavaScript should be disabled, but fails to mention ActiveX ... hmm. Backups? Covered, but mentions nothing about offsite storage.
Backups are the safe way to go, Wolf recommends. "All important data should be regularly burned to CD or stored on a USB stick," Wolf says.
My problem with this article was the incomplete answers and misleading information. I meant not to criticize, but to discuss a noteworthy article.

Should you choose, you may read the full article here.

*update: The author of Extrusion Detection, Richard Bejtlich, was kind enough to correct my error. His last name is pronounced "Bate-lik", not "bay-lic" as previously noted. Even podcasts could not save me! Thank you Mr. Bejtlich.

Wednesday, August 23

CCNA

I have decided to go for my CCNA to help round out my routing and networking skills. Why a cert? I view certs as a way to organize my studies, enjoy learning, and set a level of achievement. Simple.

So far, my primary study method has been this book by Sybex; however, I will be purchasing some 2501 routers for the hands on exercises.

As it stands I am on my first reading pass. After completing my SANS training and testing, I will concentrate my studies on the CCNA. So far, I have enjoyed my new learning opportunity. I know it will be worth the effort.

New Laptop

For academic, training, and business purposes, I finally broke down and bought a laptop. My current employer provides a very nice Dell Latitude D800; however, there are limits and strict rules as to how this hardware can be used (no Snort allowed!). Another motivating factor was my scheduled SANS training in Chicago. For those of you who aren't aware, SANS requires a laptop for most of the "boot camp" style training.

I ended up choosing the Dell e1505 primarily based on features and value. The e1405 is slightly smaller and around $100 more, while the e1705 is interesting, but it's just too big for my needs. From my perspective, the only important additions were the additional memory (2 GB) for running virtual machines and the WSXGA+ display for better resolution (1680x1050) and additional real-estate.

Desktop space comes at a premium while doing lab work.

My next step is to research the newer EVDO services.

Thursday, August 17

NSA Wiretaps Unconstitutional

I have not had a chance to read all 44 pages of the .pdf, but I found this article, on CNN.com, quite interesting.

A U.S. District Judge has struck down the National Security Agency's warrantless wiretapping (and electronic surveillance) program, which was said to be a violation of privacy. Furthermore, she states:
The president of the United States ... has undisputedly violated the Fourth in failing to procure judicial orders.

Tuesday, August 15

Capitol College

I am a student at Capitol College, Graduate School of Network Security and Information Assurance.

Currently I am completing my final paper for IAE-675 Computer Forensics and Incident Handling.

I researched live acquisition of forensic data on compromised hosts, using Helix from e-fense. On August 9, I presented my findings to my peers.

Capitol offers online, live graduate classes in Information Assurance. Download a PDF fact sheet here.

Monday, August 14

ISSA


I am a student member of the Information Systems Security Association. The ISSA is looking for volunteers to help with various activities. As they are a worthwhile organization, I offered to volunteer my time.

My query went to Mr. Tierney to learn more about their certification programs committee. I have a natural interest in teaching, education and the value of certifications. I will send an update when I receive a reply.

What is the Certification Programs Committee? From their web site:

Certification Programs Committee: To evaluate and report to the membership on industry certification programs, and to offer suggestions for their improvement.

SANS GSEC

I will be going to SANS Chicago GSEC training. This is something I have wanted to do for quite some time, but couldn't spare the money.

From this event I hope to meet some new security professionals, add to my skills and bolster my security marketability.

Learn more about the class here. After the six days of training, I will sit for the exam and begin working on my research paper.

The training runs from Monday September 18, 2006 to Saturday September 23, 2006.

Per the GIAC site:
GIAC Security Essentials Certification graduates have been taught the knowledge, skills and abilities required to incorporate good information security practice in any organization. The GSEC tests the essential knowledge and skills required of any individual with security responsibilities within an organization.