Sunday, November 4

Linked Armor

Allen and I are starting a business. This is our logo.

shmoocon

Thanks to Brian (fellow IndySec-r), I will be going to shmoocon. As you may know, tickets can be difficult to acquire. Let me know if you plan on attending.

The date for the event is Feb 15-17th.

Thanks again Brian.

-S

SANS SEC 540

Ok. Things have been crazy; let me share.

I just finished co-authoring SANS SEC 540 VoIP Security with Raul Siles and Dr. Eric Cole. Eric will be teaching the inaugural course at the SANS Cyber Defense Initiative 2007 in December.

The course is very lab intensive, so be ready (you won't be getting out of class early). I hope you enjoy it.

Thursday, November 1

SANS Chicago 2007

Headed to Chicago for SANS SEC 503 intrusion detection in-depth. I love Chicago and 503 was next on my list, so it worked out well.

Many things going on of late. Blog is suffering. I just finished a major project (will write more about it later), so things on the blog front should improve a little.

This has become somewhat of a pilgrimage of sorts, as I took the 401 class in Chicago this same time last year.

IDS here I come.

Wednesday, September 26

(IN)SECURE - September 2007

The September edition of (IN)SECURE magazine is out.

I love it.

Wednesday, August 15

whitedust.net - sorry to see you go

whitedust.net is no more. I am not sure what went down, but it was serious enough to kill the site.

14 August 2007 - 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. Its staff have abandoned the scene and the industry
for real world projects - for good, you won't be seeing us again. You "Won".

Good luck out there. You'll need it.

-The Staff

Monday, August 13

Information Security Decisions - Chicago





Over November 5th and 6th I will be attending Information Security Decisions 2007 in Chicago.

View the Information Security Decisions site here. They note "No sales pitches disguised as content!" Let's hope.

Information Security Decisions has posted a "Top 10 reasons to attend" list. You can read it here.

Here are my top reasons to go:
  1. Ask Bruce Schneier about Alice and Bob.
  2. Meet other security nerds (hopefully some chisec people).
  3. Win the CTS.
  4. Learn something new.
  5. Enjoy a nice nerd vacation and some Chicago-land food.
  6. Stay in the $33 a night hostel (visited for SANS Chicago in 06).
Please note, you must be approved for admission (you must work in security and sometimes buy things). Also, and this is very important, this is a free event, but if you register and do not show up --- it is $195.

Taken from the registration email:
NOTE: Once your application has been approved we will call you to confirm your attendance. Information Security Decisions is free to all attendees....
All Information Security Decisions delegates are required to reserve their conference seat by providing a valid credit card, which will not be charged.

However, if you do not call ahead to cancel or simply do not show up on November 5th, you will be charged $195 to cover the costs we incur for your attendance (meals, proceedings, etc.). This policy allows you to display your commitment to ....





I will be staying at the Hostel located just down the street. It is quite nice and would remind you of a dorm room (in fact part of the building is just that). The price is $33 a night.
  • View photos of the hostel here.
  • HI (Hostels International) Chicago site here.
  • View a map from the Hostel to the event Hotel here.
I have three open seats in my car. I will cover gas, but would appreciate help with the parking costs. I will be going up Sunday night and plan on leaving Tuesday evening after dinner.

Contact me if you are seriously interested.

-Steve

Monday, July 30

Video overview of SANS/GIAC by Stephen Northcutt

A great overview for anyone thinking about taking SANS training and/or taking a GIAC certification.

Video found here.

... taken from the latest (IN)SECURE magazine.

Sunday, July 29

(IN)SECURE - July 2007

Check out the July edition of (IN)SECURE magazine.

Better than the 2600 quarterly (imo) and the price is right.

Wednesday, June 6

Password Reset Process

While doing some reading on terminal23.net I found a link to another cool security site, mcgrewsecurity.

On the McGrew site, there was a link to a pdf on web security. The most interesting slide was titled "A cool experiment" and dealt with password storage for things like webmail and other online accounts.

Point being, password recovery is extremely important and should be tested prior to using any system.

From page 19 of the McGrew pdf:
  • Anytime you sign up for a new site, take the time to try out their password recovery system
  • Make note of the things it asks you
  • If they wind up emailing you your original password – Oh snap! They're not hashing them at all!
  • Otherwise, take a look at how their reset process works

Important takeaways involving recovery:

  • A password emailed back to you in its original form has not been hashed, as listed above.
  • A password that is not hashed could be stored and sent in clear text (depending on supporting system architecture).
  • Systems which do not reveal the original password are best. You should not be able to directly recover the original password.
  • Users should have to provide password "challenge" information. Just think of what your banking institution makes you fill out. They get it.... however....
  • With the above in mind, what happens when we start overusing the same questions?
  • What is your mother's maiden name?!?

Counter point

  • Overused passwords and weak recovery processes will lead to endless access to personal information.

Expanding upon the above information:

  • Think about the systems you use and the password recovery process. Is it too easy to get the password? What information do they store about you and what type of verification checks are in place to protect your information?
  • Think personal, self-developed, and/or applications used by your employer.
  • Building on the previous points, think about password management in the enterprise. How does your employer manage this process? Automated? Manual?
  • Another fun "lab" is to test your web mail authentication process. Fire up a sniffer and see what you can find. I know yahoo mail hashes the password in memory within a java applet prior to post. The login ID is sent in the clear.
  • Think about other systems such as your VoIP softphones! How are those passwords stored and transmitted?

Get past the forgetfulness and eliminate the need for a password reset process.

  • Use a password keeper. I have been testing Password Safe for almost a year with good results. You can find the latest build here. The tool was originally a creation of Mr. Bruce Schneier.
  • Think about recovery, transmission, and storage of your passwords.
Cheers,
Steve
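
The takeaways above, as an added example that is not part of the original post or the McGrew slides: a store that keeps only a salted scrypt hash cannot e-mail the original password back, so recovery has to be a reset driven by a one-time, expiring token. The function names, the in-memory dictionaries, the scrypt parameters, and the 15-minute token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}    # username -> (salt, scrypt hash); the password itself is never kept
RESETS = {}   # sha256(token) -> (username, expiry); only the token's hash is kept
TOKEN_TTL = 15 * 60  # seconds; assumed policy, not taken from the post


def derive(password, salt):
    # scrypt is salted and deliberately slow; n/r/p are illustrative values
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def set_password(user, password):
    salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
    USERS[user] = (salt, derive(password, salt))


def check_password(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, derive(password, salt))


def start_reset(user, now=None):
    """Return a one-time token to e-mail to the user, never the old password."""
    if user not in USERS:
        return None  # the caller should show the same message either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL)
    return token


def finish_reset(token, new_password, now=None):
    """Consume the token (single use) and set a new password if it is still valid."""
    now = time.time() if now is None else now
    entry = RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    user, expiry = entry
    if now > expiry:
        return False
    set_password(user, new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse")        # constructed sample account
    token = start_reset("alice")
    print("reset ok:", finish_reset(token, "battery staple"))
    print("old password still works:", check_password("alice", "correct horse"))
```
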

Sunday, May 13

More on Virtual Machine Security

A colleague of mine shared this article about vm security. Pretty good read. Tavis Ormandy is the author, with support from Google.

Read the pdf here.

I have listed the recommendations, in full, below.

The following are some simple recommendations for safely deploying virtualization in production environments:
  • Treat Virtual Machines like services that can be compromised; use chroot, systrace, acls, least privileged users, etc.
  • Disable emulated hardware you don’t need, and external services you don’t use (DHCP daemons, etc.) to reduce the attack surface exposed to hostile users.
  • Xen is worth watching in future; separating domains should limit the impact of a compromise.
  • Maintain the integrity of guest operating systems, protect the kernel using standard procedures of disabling modules, /dev/mem, /dev/port, etc.
  • Take advantage of the securelevels features available on BSD systems.
  • Keep guest software up-to-date with published vulnerabilities.
  • If an attacker cannot elevate their privileges within the guest, the likelihood of compromising the VMM is significantly reduced.
  • Keep Virtual Machine software updated to ensure all known vulnerabilities have been corrected.
  • Avoid guests that do not operate in protected mode, and make use of any security features offered, avoid running untrusted code with root-equivalent privileges within the guest.

Monday, May 7

(IN)SECURE - May 2007

Check out the May edition of (IN)SECURE magazine.

Sunday, April 29

SANS Vegas, Baby!

I am 99% sure I am going to SANS Network Security 2007 in fabulous Las Vegas. This year, the event runs from September 22 through the 30th. Read more about the event here.

No gambling or strip clubs --- just nerds, SANS and $26 Vegas buffets. I love nerd vacations.

Please send me an email if you plan on attending.

-Steve

News from Steveland

Lots of new and exciting things occurring in Steveland.


1. Even though I finished my degree months ago, I will finally receive my piece of paper for my MS in Information Assurance.
2. I have my OSCP exam coming up soon. Time to own or be owned.
3. I just began a new chapter in my information assurance career --- writing technical security courseware. I am thrilled to be a part of this opportunity. Unfortunately, I cannot share the details at this point in time. Our timeline for course completion is roughly six months.

-Steve

Friday, April 27

A great piece on VM Security

Should you care, take a look at this PDF on virtual machine detection and security by Tom Liston and Ed Skoudis. This presentation has been around for a while; however, it is worth the read.

One area of interest is VMware's communication channel, which is used for:
  • shared clip board
  • file sharing
  • time sync
The interesting thing, per this document, is that VMware uses a hard-coded value to authenticate to the command channel. It is always the same value.

Another interesting item is a deeper look at the guest's .vmx file. Just as one would add or remove items on a new server, the same holds true for a guest VM. In this case you would augment the settings within the .vmx file to limit the ability to fingerprint a VM (page 23).

Read the PDF here.

Friday, April 6

Secunia Software Inspector

I wanted to share a tool, created by Secunia, called Software Inspector. In short, it will scan your workstation or server and provide a patch level / vulnerability report.

Per their site:
The Secunia Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes. Note: If you have anti-virus software or similar enabled, an inspection may increase significantly in duration.

This is a great tool for:

1. a quick verification of an imaged (or re-imaged) workstation or server.
2. establishing a quick baseline (or does your baseline need to be updated?)
3. a simple first step to hardening a development, security, or customer workstation / laptop.

Access the tool here. Tested on Windows only.

Remember to check the "Enable thorough ..." check box, as shown below.

RFP template from Foundstone

I was out playing on the Foundstone site for free security tools and found something quite nice. They were kind enough to provide a link to an RFP template. This might not seem all that exciting; however, it is much better than creating the damn thing from scratch. It might save you some time in the future.

Wednesday, February 28

Offensive Security and the OSCP

Take 10 minutes and check out the offensive security site. In case you do not know, these are the same people that brought you Auditor, Whoppix, Whax, and now Backtrack[2].

If you haven't used Backtrack, check it out. If you want to do more with it, consider their training, labs, and certification.

For a syllabus outline and more information, click here.
You can download a demo training session here. Warning: this starts a video with sound.

I really like the idea of this training because:

1. The tool is free.
2. People actually use this tool for real security work.
3. There are video examples that you can watch as many times as you like.
4. There are labs and exercises which support the lectures.
5. There is an applied certification (OSCP).
6. For the certification "exam" you must apply what you have learned to attack a real environment (in a somewhat controlled environment --- you vpn in).
7. The cost? $400 USD. In a day where a good IT security book is $50, this is a steal.
8. Their support so far has been excellent.

In short, I am down for this training. I have one other guy that is going to jump in on this as well. If we get 5 total (so 3 more), we get 10% off. Let me know if you are interested.

Cheers.

MSIA - Master of Science in Information Assurance

I have been MIA for a month now. I even missed indysec 5. Shameful, I know. I do however have some good news --- my MSIA (Master of Science in Information Assurance) is complete --- all 36 hours.

That is right, I just received notification of my grade [A]. I can not say enough good things about Capitol College. If you are looking for a distance ed offering in IA, Capitol is a great school to consider.

I have discussed this before, but the key selling point has to be the live lectures via the web. The NSA seems to like them as well.

If you have any questions about the program, or anything else, just ask.

Stephen R. Moore, MS

Wednesday, February 14

(IN)SECURE - February 2007

Check out the February edition of (IN)SECURE magazine.

I still haven't had time to dig in, but this edition may have some promise. The spyware, infosec career, and Vista articles are of interest.

Also, was it just me, or did the RSA conference get even more press this year than last?

UPDATE:
I must say I feel terrible. As I said last night, I had not had a chance to completely read the entire publication. It turns out I skipped over and left out a friend and colleague, Mr. Didier Stevens. Take a look at his article on ROT13 and its use in Windows XP, then go visit his personal blog here.

By the way, I love ROT13, which I talked about earlier in a lighthearted post "Republican Aide Tries to Hire Hackers" here.

Additionally, I saw that Didier was "Dugg" on Digg for his work on "Reverse Engineering Mentoring" found here.

Cheers.

Monday, January 15

Passed the GIAC GSEC

I passed both of my exams for the GIAC GSEC! I am now GSEC number 7131. Passing both exams qualifies a candidate for the GSEC Silver certification.

After passing the exams, there is an option to "Go Gold" where you complete a written practical on a selected security topic. Over the next several weeks, I will select a topic and proceed with the Gold Certification.

Despite the cost of the training, the entire experience was very well worth it. The content of the training material was top notch, the instruction was great, and the trip to Chicago was an event in itself.

Around three months ago, I accepted a new position with my current employer on our network security team. Going for the cert (I had not passed the exams at that point in time) and knowing I paid out of pocket showed the interviewers I was truly interested and committed to the field of information security. In this instance, certification mattered.

For those that can attend, I highly recommend the training.

See my scores here.
Search for others with the GSEC here.

Sunday, January 14

ophcrack LiveCD - a nerd story

Password cracking is nothing new. Ophcrack and Ophcrack LiveCD have been all over Digg, Lifehacker, and the rest of the net.

I read a couple of posts on Digg about the tool, but never had reason to test the tool. Working in NetSec, there are always new and exciting things that appear on our radar. In short, we had some vendor supplied (and supported) servers and they either lost or misplaced the local admin password.

I made a quick visit to the ophcrack page for the ISO and also downloaded the Windows Server Resource Kit tools for cdburn.exe to burn the iso.

The admin password was cracked in about 10 minutes. The entire list of 10 accounts (including IUSR and IWAM) was cracked in maybe 25 minutes -- I wasn't keeping an exact count.

Two things:
  1. The tool just worked. It boots up and goes. No real work involved.
  2. This is a great way to audit local password strength. We learned the vendor-selected passwords were pretty weak.
I had a small assignment in one of my classes at Capitol College using John the Ripper. It worked well, but it was not the most expedient process.

Rainbow tables obviously speed things up. Thanks ophcrack.

This tool is obviously not hard to use. Might it change the way you manage (or think about managing) your workstations? Privilege escalation anyone? Do you know who might be on your outsourced overnight cleaning staff?

Good thing people don't store files locally on their workstations ... I mean, uh.
Here comes full drive encryption.

Saturday, January 13

Firm: Seven steps for a more secure network

Combine New Year's resolutions and this SC magazine article and what do you get? Questionable advice.

The article starts out great.
IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007.
Sounds good. Yes to vigilance and yes to method. Just buying things is bad. Nice work.

Now for the fun.
1. Change every password before the year's end. By taking this first step, you will enhance the security of every online commerce site visited, every computer, and every other password-protected device or website in use. Avoid easily discovered passwords, such as names or numeric series. Change your passwords at least quarterly in 2007.
Sound advice, except he didn't mention anything about pass phrases.
2. Download patches and updates. Even some off-the-shelf computer security programs offer downloadable updates or "patches" capable of detecting the newest viruses and closing "backdoors" that hackers have discovered. Operating systems should be patched and upgraded at year-end, and regularly as well.
Nice work. Patch your systems. Someone send this guy a check.
3. Hire a hacker. The holiday lull is the perfect time to conduct a "penetration test" to pinpoint weaknesses in a network's security. These tests emulate a hacker's invasion of a network; but rather than attacking databases and network tools, these scans identify specific vulnerabilities and propose solutions.
Hire a hacker? Not even going to touch the hacker versus cracker definition. A pen test over the holidays is not a bad idea, however it would depend on what type of test you are running. Blackbox, Whitebox, or something in between? At times you want ops around to assist and they can't do that while eating honey ham seven states away.
4. Conduct regular e-security check-ups. Automated, monthly remote risk assessments can be conducted for less cost than a single onsite review. These tests assure that confidential data is as secure as possible from external attack. In a hacker prone era rife with data theft, high levels of spam, and increasingly innovative computer fraud, waiting a full year between assessments is no longer a viable option.
What the hell is this guy talking about here? Isn't that our goal to protect data --- each day? And what exactly does he mean by "Automated, monthly remote risk assessments"? "Make sure things are good" would have been just as powerful. Sigh. I assume he is talking about using a service such as Qualys to scan and report on your external facing. These results can then be compared against preexisting baselines or standards to evaluate compliance and document change.

While I agree with looking at your risks from the outside in, what about from the other direction? What is being sent outbound? How about monitoring / measuring that?!? Aren't these guys an email security company?
5. Communicate your data security policy. All personnel should be briefed on the importance of protecting confidential customer data. Disseminate a policy on how and when, if ever, this data should be included in unsecured email correspondence with customers and others. Implementation of an encrypted email system would be a major security step forward.
Yes. Finally something I can agree with. I would also like to add that one should begin looking at mail filtering outbound. It helps to know how your customer service reps, execs, and IT professionals are sending their electronic communications (primarily for the unencrypted mail).
6. Keep your network virus-free. A thorough evaluation of your network is essential to protect entry points (such as email attachments, shared files, infected websites, downloads), and to minimize infection. Simply installing anti-virus (AV) software is not enough. The AV system still needs to be monitored to make sure the most recent definition files are updated on all devices and you are alerted when a device is not "up-to-date." Look to providers which offer a full suite of AV services that can keep current with fresh outbreaks.
10-4 good buddy. Also think of reporting. Metrics mean money! Remember that. When you need head count, funding, or a promotion --- you must have metrics. Also remember that one vendor for all the environment isn't always the answer. What is best for clients is not necessarily what is best for servers. Moreover, AV vendors differ greatly from platform to platform.
7. Consider "giving up" on do-it-yourself security. The New Year is a good time to consider outsourcing network security to a company dedicated to keeping up with the latest demands of computer network security.
Depending on the size and nature of the company, I agree. Small shops should think about getting some help. If nothing else, a plan for security with periodic checkups. Larger shops need IT Security professionals (even if just a few) to check up on the outsourced work.