Thursday, August 31

SSL Explorer

While researching open source anti-virus solutions, I ran across SSL-Explorer from 3SP. SSL-Explorer Community Edition is a free (as in beer) desktop-over-HTTPS tool. The tool allows for remote management of desktops, servers and intranet resources.

I just finished watching their online Flash demonstrations and I am quite impressed. From their site:
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.
While the tool looks great, their self definition is not completely correct. SSL VPN - that's a problem. According to the text Protecting Your Windows Network, in order to be considered a VPN a tool must:
"authenticate the end user and assign the remote node and IP address routable on the local network" p. 202.
A few more notables:
1. you do not get two-factor authentication with the community edition.
2. you can register for a full featured VMware appliance running in enterprise mode here.

Visit the SSL-Explorer page here.
And on SourceForge here.

Wednesday, August 30

Helix & Live View


I just finished a class on Incident Response and Computer Forensics, so this is very exciting to me.

In short, you can take Helix and create an image using dd. Depending on the incident, you may need to create a duplicate of the system in question. Live View is one way an investigator can use a .dd file for some further analysis, without altering the copy!

As part of my final project, I used Helix Live Acquisition software to create a copy of a logical drive. I remember thinking how cool it would be to take that copy and somehow run it in VMware.

Fast-forward a month, and now we have Live View. According to the Live View site:
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
So is this forensically sound?
Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
Sounds pretty nice.
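The acquire-then-verify workflow behind the "forensically sound" question, as an added shell example that is not part of the original post and not code from Helix or Live View: it images a constructed 1 MiB file (standing in for a drive) with dd, records the image's SHA-256 at acquisition time, and re-checks it later, which is the check an examiner would run after working from the image to confirm nothing was written back to it. The evidence file, paths and function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Helix or Live View code): dd acquisition with hash
# verification. The "disk" is a constructed 1 MiB file, not a real device.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Portable SHA-256: sha256sum on Linux, shasum on BSD/macOS.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build the constructed evidence "drive" (stand-in for something like /dev/sda1).
make_evidence() {
    dd if=/dev/urandom of="$WORK/evidence.disk" bs=1024 count=1024 2>/dev/null
    echo "$WORK/evidence.disk"
}

# Acquire: dd the source to a raw .dd image, hash source and image, refuse
# the image if they differ, log the hash, and make the image read-only so
# later analysis (a VM snapshot, a working copy) cannot silently alter it.
# conv=noerror,sync keeps reading past bad blocks and zero-pads short reads;
# the constructed source is an exact multiple of bs, so the hashes match.
acquire() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hashfile "$src"); img_hash=$(hashfile "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "acquire: hash mismatch" >&2; return 1; }
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    chmod 0444 "$img"
    echo "$img_hash"
}

# Verify: re-hash the image and compare with the hash logged at acquisition.
# Prints "intact" (exit 0) or "MODIFIED" (exit 1).
verify() {
    img="$1"
    expected=$(cut -d' ' -f1 "$img.sha256")
    if [ "$(hashfile "$img")" = "$expected" ]; then
        echo intact
    else
        echo MODIFIED; return 1
    fi
}
```

Run verify again after any session that used the image; a VM that really writes its changes to a separate redo file will leave it reporting "intact".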

Live View has been talked about here and here.

Get Live View here.
Get Helix here.

Thursday, August 24

Article Review: Why home firewall software is a leaky dike

A while back, MG.com posted an interesting article on home software firewalls. This article was also featured on Slashdot.org. To me there were a couple of points I wanted to blog about, as some items just didn't add up. The point of the article was to warn readers that software based firewalls are not safe, even making the point that if you use a router with "firewall functionality", then no software firewall is needed.

The article continues:
The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system's warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.
Huh? So the software firewall is too much, but the undefined hardware router / firewall management is suitable for most "lay" (a term used later in the article) users. And what about the idea of defense in depth?
Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP.
So what kind of firewall functionality are we talking about here? Any example? How should we configure this firewall / router? We already identified that our reader is a lay person, so hardware is the way to go? While having a router is a plus, all it is going to do is block ports. Even packet filtering and stateful-inspection firewalls are not going to provide any more protection, and that is IF they have been configured properly.

Software firewalls are mentioned as "extraneous" as long as the user abides by the basic rules of web surfing. A couple of points here: first, no "rules" list was provided, and second, what about other hacking related activities, such as scanning and enumeration with nmap? A software firewall wouldn't help with that? I know firsthand it will. A quick look at nmap versus the Windows firewall will tell you that. While on the quick topic of the Windows firewall (or any other for that matter), it will not block outbound traffic unless told to do so. This includes most of the magic "firewall routers" discussed in the article. The thought being, "if it originates from within, it must be ok", comes to mind (which is obviously not the case). This entire theme is skillfully discussed in the book, Extrusion Detection, by Richard Bejtlich (pronounced Bate-lik*).

Here we get into usability versus security. Many of the software vendors will not ship software that is not usable, even in the face of security. An exception to this thought: just today, a colleague told me about a new laptop that shipped with the McAfee security suite. Security was enabled and set to "paranoid" by default. The only problem was the machine could not reach the default gateway and the NIC would not come online. How many people would have disabled the entire suite to get online?

The author does get points for discussing the dangers of using administrator account(s) for anything other than installing software (or using fport!), scanning attachments, and proper patch management. Furthermore, end user awareness and surfing habits are covered, which is nice to see.

Pats on the back are over. The author says JavaScript should be disabled, but fails to mention ActiveX ... hmm. Backups? Covered, but mentions nothing about offsite storage.
Backups are the safe way to go, Wolf recommends. "All important data should be regularly burned to CD or stored on a USB stick," Wolf says.
My problem with this article was the incomplete answers and misleading information. I meant not to criticize, but to discuss a noteworthy article.

Should you choose, you may read the full article here.

*update: The author of Extrusion Detection, Richard Bejtlich, was kind enough to correct my error. His last name is pronounced "Bate-lik", not "bay-lic" as previously noted. Even podcasts could not save me! Thank you Mr. Bejtlich.

Wednesday, August 23

CCNA

I have decided to go for my CCNA to help round out my routing and networking skills. Why a cert? I view certs as a way to organize my studies, enjoy learning, and set a level of achievement. Simple.

So far, my primary study method has been this book by Sybex; however, I will be purchasing some 2501 routers for the hands on exercises.

As it stands I am on my first reading pass. After completing my SANS training and testing, I will concentrate my studies on the CCNA. So far, I have enjoyed my new learning opportunity. I know it will be worth the effort.

New Laptop

For academic, training, and business purposes, I finally broke down and bought a laptop. My current employer provides a very nice Dell Latitude D800; however, there are limits and strict rules as to how this hardware can be used (no SNORT allowed!). Another motivating factor was my scheduled SANS training in Chicago. For those of you who aren't aware, SANS requires a laptop for most of the "boot camp" style training.

I ended up choosing the Dell e1505 primarily based on features and value. The e1405 is slightly smaller and around $100 more, while the e1705 is interesting, but it's just too big for my needs. From my perspective, the only important additions were the additional memory (2 GB) for running virtual machines and the WSXGA+ display for better resolution (1680x1050) and additional real estate.

Desktop space comes at a premium while doing lab work.

My next step is to research the newer EVDO services.

Thursday, August 17

NSA Wiretaps Unconstitutional

I have not had a chance to read all 44 pages of the .pdf, but I found this article, on CNN.com, quite interesting.

A U.S. District Judge has struck down the National Security Agency's warrantless wiretapping (and electronic surveillance) program, which was said to be a violation of privacy. Furthermore, she states:
The president of the United States ... has undisputedly violated the Fourth in failing to procure judicial orders.

Tuesday, August 15

Capitol College

I am a student at Capitol College, Graduate School of Network Security and Information Assurance.

Currently I am completing my final paper for IAE-675 Computer Forensics and Incident Handling.

I researched live acquisition of forensic data on compromised hosts, using Helix from e-fense. On August 9, I presented my findings to my peers.

Capitol offers online, live graduate classes in Information Assurance. Download a PDF fact sheet here.

Monday, August 14

ISSA


I am a student member of the Information Systems Security Association. The ISSA is looking for volunteers to help with various activities. As they are a worthwhile organization, I offered to volunteer my time.

My query went to Mr. Tierney to learn more about their certification programs committee. I have a natural interest in teaching, education and the value of certifications. I will send an update when I receive a reply.

What is the Certification Programs Committee? From their web site:

Certification Programs Committee: To evaluate and report to the membership on industry certification programs, and to offer suggestions for their improvement.

SANS GSEC

I will be going to SANS Chicago GSEC training. This is something I have wanted to do for quite some time, but couldn't spare the money.

From this event I hope to meet some new security professionals, add to my skills and bolster my security marketability.

Learn more about the class here. After the six days of training, I will sit for the exam and begin working on my research paper.

The training runs from Monday September 18, 2006 to Saturday September 23, 2006.

Per the GIAC site:
GIAC Security Essentials Certification graduates have been taught the knowledge, skills and abilities required to incorporate good information security practice in any organization. The GSEC tests the essential knowledge and skills required of any individual with security responsibilities within an organization.