stephen r. moore

Email RFC 2142

2009-01-09T13:14:00.010-05:00

I am always amazed at the wealth of talent on the SANS alumni email list. Yesterday, someone asked "what email address do you use for security? If someone discovers a vulnerability, issue, or breach how do you expect them to easily get a hold of you?"

Great question. Having some experience in this, I generally dredge their website or use Google. What I didn't know is RFC 2142 answers this very question.

Credit to Igor Mozolevsky for this information.

Part 4 of RFC2142[1] states:

4. NETWORK OPERATIONS MAILBOX NAMES

Operations addresses are intended to provide recourse for customers,
providers and others who are experiencing difficulties with the
organization's Internet service.

MAILBOX AREA USAGE
----------- ---------------- ---------------------------
ABUSE Customer Relations Inappropriate public behavior
NOC Network Operations Network infrastructure
SECURITY Network Security Security bulletins or queries

December (IN)SECURE Magazine

2008-12-01T09:34:00.005-05:00

Check out the December edition of (IN)SECURE magazine here.

shmoocon 2009

2008-11-15T16:00:00.002-05:00

Yup. Going again!
Glad I am staying at the Wardman Park Marriott .... so the walk will be short.

Any other Indy people going?

ISP McColo Shut Down After Connection Found To Spammers

2008-11-15T15:46:00.004-05:00

I can tell you the drop in our spam was around 35% - 40% after McColo was taken offline. Other reports are as high as 75%.

Article here.

Hats off to Hurricane Electric for booting em.

Linked Armor

2007-11-04T11:18:00.000-05:00

Allen and I are starting a business. This is our logo.

shmoocon

2007-11-04T10:49:00.000-05:00

Thanks to Brian (fellow IndySec-r), I will be going to shmoocon. As you may know, tickets can be difficult to acquire. Let me know if you plan on attending.

The date for the event is Feb 15 -17th.

Thanks again Brian.

-S

SANS SEC 540

2007-11-04T00:20:00.000-04:00

Ok. Things have been crazy; let me share.

I just finished co-authoring SANS SEC 540 VoIP Security with Raul Siles and Dr. Eric Cole. Eric will be teaching the inaugural course at the SANS Cyber Defense Initiative 2007 in December.

The course is very lab intensive, so be ready (you won't be getting out of class early). I hope you enjoy it.

SANS Chicago 2007

2007-11-01T12:27:00.000-04:00

Headed to Chicago for SANS SEC 503 intrusion detection in-depth. I love Chicago and 503 was next on my list, so it worked out well.

Many things going on of late. Blog is suffering. I just finished a major project (will write more about it later), so things on the blog front should improve a little.

This has become somewhat of a pilgrimage of sorts, as I took the 401 class in Chicago this same time last year.

IDS here I come.

(IN)SECURE - September 2007

2007-09-26T12:38:00.000-04:00

The September edition of (IN)SECURE magazine is out.

I love it.

whitedust.net - sorry to see you go

2007-08-15T15:57:00.000-04:00

whitedust.net is no more. I am not sure what went down, but it was serious enough to kill the site.

14 August 2007 - 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. It's staff have abandoned the scene and the industry
for real world projects - for good, you won't be seeing us again. You "Won".

Good luck out there. You'll need it.

-The Staff

Information Security Decisions - Chicago

2007-08-13T22:36:00.000-04:00

Over November 5th and 6th I will be attending Information Security Decisions 2007 in Chicago.

View the Information Security Decisions site here. They note "No sales pitches disguised as content!" Let's hope.

Information Security Decisions has posted a "Top 10 reasons to attend" list. You can read it here.

Here are my top reasons to go:

Ask Bruce Schneier about Alice and Bob.
Meet other security nerds (hopefully some chisec people).
Win the CTS.
Learn something new.
Enjoy a nice nerd vacation and some Chicago-land food.
Stay in the $33 a night hostel (visited for SANS Chicago in 06).

Please note, you must be approved for admission (you must work in security and sometimes buy things). Also, and this is very important, this is a free event, but if you register and do not show up --- it is $195.

Taken from the registration email:

NOTE: Once your application has been approved we will call you to confirm your attendance. Information Security Decisions is free to all attendees....
All Information Security Decisions delegates are required to reserve their conference seat by providing a valid credit card, which will not be charged.

However, if you do not call ahead to cancel or simply do not show up on November 5th, you will be charged $195 to cover the costs we incur for your attendance (meals, proceedings, etc.). This policy allows you to display your commitment to ....

I will be staying at the Hostel located just down the street. It is quite nice and would remind you of a dorm room (in fact part of the building is just that). The price is $33 a night.

View photos of the hostel here.
HI (Hostels International) Chicago site here.
View a map from the Hostel to the event Hotel here.

I have three open seats in my car. I will cover gas, but would appreciate help with the parking costs. I will be going up Sunday night and plan on leaving Tuesday evening after dinner.

Contact me if you are seriously interested.

-Steve

Video overview of SANS/GIAC by Stephen Northcutt

2007-07-30T01:08:00.000-04:00

A great overview for anyone thinking about taking SANS training and/or taking a GIAC certification.

Video found here.

... taken from the latest (IN)SECURE magazine.

(IN)SECURE - July 2007

2007-07-29T23:14:00.000-04:00

Check out the July edition of (IN)SECURE magazine.

Better than the 2600 quarterly (imo) and the price is right.

Password Reset Process

2007-06-06T15:30:00.000-04:00

While doing some reading on terminal23.net I found a link to another cool security site, mcgrewsecurity.

On the McGrew site, there was a link to a pdf on web security. The most interesting slide was titled "A cool experiment" and dealt with password storage for things like webmail and other online accounts.

Point being, password recovery is extremely important and should be tested prior to using any system.

From page 19 of the McGrew pdf:

Anytime you sign up for a new site, take the time to try out their password recovery system
Make note of the things it asks you
If they wind up emailing you your original password – Oh snap! They're not hashing them at all!
Otherwise, take a look at how their reset process works

Important takeaways involving recovery:

A password emailed back to you in its original form has not been hashed, as listed above.
A non-hashed email means it could be stored and sent in clear text (depending on supporting system architecture).
Systems which do not reveal the original password are best. You should not be able to directly recover the original password
Users should have to provide password "challenge" information. Just think of what your banking institution makes to fill out. They get it.... however....
With the above in mind, what happens when we start overusing the same questions?
What is your mother's maiden name?!?

Counter point

Overused passwords and weak recovery processes will lead to endless access to personal information.

Expanding upon the above information:

Think about the systems you use and the password recovery process. Is it too easy to get the password? What information do they store about you and what type of verification checks are in place to protect your information?
Think personal, self-developed, and or applications used by your employer.
Building on the previous points, think about password management in the enterprise. How does your employer manage this process? Automated? Manual?
Another fun "lab" is to test your web mail authentication process. Fire up a sniffer and see what you can find. I know yahoo mail hashes the password in memory within a java applet prior to post. The login ID is sent in the clear.
Think about other systems such as your VoIP softphones! How are those passwords stored and transmitted?

Get past the forgetfulness and eliminate the need for a password reset process.

Use a password keeper. I have been testing Password Safe for almost a year with good results. You can find the latest build here. The tool was originally a creation of Mr. Bruce Schneier.
Think about recovery, transmission, and storage of your passwords.

Cheers,
Steve

More on Virtual Machine Security

2007-05-13T22:25:00.000-04:00

A colleague of mine shared this article about vm security. Pretty good read. Tavis Ormandy is the author, with support from Google.

Read the pdf here.

I have listed the recommendations, in full, below.

The following are some simple recommendations for safely deploying virtualization in production environments:

Treat Virtual Machines like services that can be compromised; use chroot, systrace, acls, least privileged users, etc.
Disable emulated hardware you don’t need, and external services you don’t use (DHCP daemons, etc.) to reduce the attack surface exposed to hostile users.
Xen is worth watching in future; separating domains should limit the impact of a compromise.
Maintain the integrity of guest operating systems, protect the kernel using standard procedures of disabling modules, /dev/mem, /dev/port, etc.
Take advantage of the securelevels features available on BSD systems.
Keep guest software up-to-date with published vulnerabilities.
If an attacker cannot elevate their privileges within the guest, the likelihood of compromising the VMM is significantly reduced.
Keep Virtual Machine software updated to ensure all known vulnerabilities have been corrected.
Avoid guests that do not operate in protected mode, and make use of any security features offered, avoid running untrusted code with root-equivalent privileges within the guest.

(IN)SECURE - May 2007

2007-05-07T08:52:00.000-04:00

Check out the May edition of (IN)SECURE magazine.

SANS Vegas, Baby!

2007-04-29T22:02:00.000-04:00

I am 99% sure I am going to SANS Network Security 2007 in fabulous Las Vegas. This year, the event runs from September 22 through the 30th. Read more about the event here.

No gambling or strip clubs --- just nerds, SANS and $26 Vegas buffets. I love nerd vacations.

Please send me an email if you plan on attending.

-Steve

News from Steveland

2007-04-29T21:50:00.000-04:00

Lots of new and exciting things occurring in Steveland.

1. Even though I finished my degree months ago, I will finally receive my piece of paper for my MS in Information Assurance.
2. I have my OSCP exam coming up soon. Time to own or be owned.
3. I just began a new chapter in my information assurance career --- writing technical security course ware. I am thrilled to be a part of this opportunity. Unfortunately, I can not share the details at the point in time. Our time line for course completion is roughly six months.

-Steve

A great piece on VM Security

2007-04-27T14:24:00.001-04:00

Should you care, take a look at this PDF on virtual machine detecting and security by Tom Liston and Ed Skoudis. This presentation has been around for awhile, however, it is worth the read.

One area of interest is the VMware's communication channel, which is used for:

shared clip board
file sharing
time sync

... the interesting thing, per this document, VMware uses a hard-coded value to authenticate to the command channel. It is always the same value.

Another interesting item is a deeper look at the guest's .vmx file. Just as one would add or remove items on a new server, the same holds true for a guest VM. In this case you would augment the settings within the .vmx file to limit the ability to fingerprint a VM (page 23).

Read the PDF here.

Secunia Software Inspector

2007-04-06T17:54:00.000-04:00

I wanted to share a tool, created by Secunia, called Software Inspector. In short, it will scan your workstation or server and provide a patch level / vulnerability report.

Per their site:

The Secunia Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes. Note: If you have anti-virus software or similar enabled, an inspection may increase significantly in duration.

This is a great tool for:

1. a quick verification of an imaged (or re-imaged) workstation or server.
2. establishing a quick baseline (or does your baseline need to be updated?)
3. a simple first step to hardening a development, security, or customer workstation / laptop.

Access the tool here. Tested on Windows only.

Remember to check the "Enable thorough ..." check box, as shown below.

RFP template from Foundstone

2007-04-06T17:34:00.000-04:00

I was out playing on the Foundstone site for free security tools and found something quite nice. They were kind enough to provide a link to a RFP template. This might not seem all that exciting, however, it is much better than creating the damn thing from scratch. It might save you some time in the future.

Offensive Security and the OSCP

2007-02-28T18:23:00.000-05:00

Take 10 minutes and check out the offensive security site. In case you do not know, these are are same people that brought you Auditor, Whoppix, Whax, and now Backtrack[2].

If you haven't used Backtrack, check it out. If you want to do more with it, consider their training, labs, and certification.

For a syllabus outline and more information, click here.
You can download a demo training session here. Warning: this starts a video with sound.

I really like the idea of this training because:

1. The tool is free.
2. People actually use this tool for real security work.
3. There are video examples that you can watch as many times as you like.
4. There are labs and exercises which support the lectures.
5. There is an applied certification (OSCP).
6. For the certification "exam" you must apply what you have learned to attack a real environment (in a somewhat controlled environment --- you vpn in).
7. The cost? $400 USD. In a day where a good IT security book is $50, this is a steal.
8. Their support so far has been excellent.

In short, I am down for this training. I have one other guy that is going to jump in on this as well. If we get 5 total (so 3 more), we get 10% off. Let me know if you are interested.

Cheers.

MSIA - Master of Science in Information Assurance

2007-02-28T18:03:00.000-05:00

I have been MIA for a month now. I even missed indysec 5. Shameful, I know. I do however have some good news --- my MSIA (Master of Science in Information Assurance) is complete --- all 36 hours.

That is right, I just received notification of my grade [A]. I can not say enough good things about Capitol College. If you are looking for a distance ed offering in IA, Capitol is a great school to consider.

I have discussed this before, but the key selling point has to be the live lectures via the web. The NSA seems to like them as well.

If you have any questions about the program, or anything else, just ask.

Stephen R. Moore, MS

(IN)SECURE - February 2007

2007-02-14T13:37:00.000-05:00

Check out the February edition of (IN)SECURE magazine.

I still haven't had time to dig in, but this edition may have some promise. The spyware, infosec career, and vista article are of interest.

Also, was it just me, or did the RSA conference get even more press this year than last?

UPDATE:
I must say I feel terrible. As I said last night, I had not had a chance to completely read the entire publication. It turns out I skipped over and left out a friend and colleague, Mr. Didier Stevens. Take a look at his article on ROT13 and its use in Windows XP, then go visit his personal blog here.

By the way, I love ROT13, which I talked about earlier in a light hearted post "Republican Aide Tries to Hire Hackers" here.

Additionally, I saw that Didier was "Dugg" on Digg for his work on "Reverse Engineering Mentoring" found here.

Cheers.

Passed the GIAC GSEC

2007-01-15T17:41:00.000-05:00

I passed both of my exams for the GIAC GSEC! I am now GSEC number 7131. Passing both exams qualifies a candidate for the GSEC Silver certification.

After passing the exams, there is an option to "Go Gold" where you complete a written practical on a selected security topic. Over the next several weeks, I will select a topic and proceed with the Gold Certification.

Despite the cost of the training, the entire experience was very well worth it. The content of the training material was top notch, the instruction was great, and the trip to Chicago was an event in itself.

Around three months ago, I accepted a new position with my currently employer on our network security team. Going for the cert (I had not passed the exams at that point in time) and knowing I paid out of pocket, showed the interviewers I was truly interested and committed to the field of information security. In this instance, certification mattered.

For those that can attend, I highly recommend the training.

See my scores here.
Search for others with the GSEC here.

ophcrack LiveCD - a nerd story

2007-01-14T14:19:00.000-05:00

Password cracking is nothing new. Ophcrack and Ophcrack LiveCD have been all over Digg, Lifehacker, and the rest of the net.

I read a couple of posts on Digg about the tool, but never had reason to test the tool. Working in NetSec, there are always new and exciting things that appear on our radar. In short, we had some vendor supplied (and supported) servers and they either lost or misplaced the local admin password.

I made a quick visit to the ophcrack page for the ISO and also downloaded the Windows Server Resource Kit tools for cdburn.exe to burn the iso.

The admin password was cracked in about 10 minutes. The entire list of 10 accounts (including IUSR and IWAM) were cracked in maybe 25 minutes -- I wasn't keeping an exact count.

Two things:

The tool just worked. It boots up and goes. No real work involved.
This is a great way to audit local password strength. We learned the vendor-selected passwords were pretty weak.

I had a small assignment in one of my classes at Capitol College using John the Ripper. It worked well, but it was not the most expedient process.

Rainbow tables obviously speed things up. Thanks ophcrack.

This tool is obviously not hard to use. Might it change the way you manage (or think about managing) your workstations? Privilege escalation anyone? Do you know who might be on your outsourced overnight cleaning staff?

Good thing people don't store files locally on their workstations ... I mean, uh.
Here comes full drive encryption.

Firm: Seven steps for a more secure network

2007-01-13T14:03:00.000-05:00

Combine New Years resolutions and this SC magazine article and what do you get? Questionable advice.

The article starts out great.

IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007.

Sounds good. Yes to vigilance and yes to method. Just buying things is bad. Nice work.

Now for the fun.

1. Change every password before the year's end. By taking this first step, you will enhance the security of every online commerce site visited, every computer, and every other password-protected device or website in use. Avoid easily discovered passwords, such as names or numeric series. Change your passwords at least quarterly in 2007.

Sound advice, except he didn't mention anything about pass phrases.

2. Download patches and updates. Even some off-the-shelf computer security programs offer downloadable updates or "patches" capable of detecting the newest viruses and closing "backdoors" that hackers have discovered. Operating systems should be patched and upgraded at year-end, and regularly as well.

Nice work. Patch your systems. Someone send this guy a check.

3. Hire a hacker. The holiday lull is the perfect time to conduct a "penetration test" to pinpoint weaknesses in a network's security. These tests emulate a hacker's invasion of a network; but rather than attacking databases and network tools, these scans identify specific vulnerabilities and propose solutions.

Hire a hacker? Not even going to touch the hacker versus cracker definition. A pen test over the holidays is not a bad idea, however it would depend on what type of test you are running. Blackbox, Whitebox, or something in between? At times you want ops around to assist and they can't do that while eating honey ham seven states away.

4. Conduct regular e-security check-ups. Automated, monthly remote risk assessments can be conducted for less cost than a single onsite review. These tests assure that confidential data is as secure as possible from external attack. In a hacker prone era rife with data theft, high levels of spam, and increasingly innovative computer fraud, waiting a full year between assessments is no longer a viable option.

What the hell is this guy talking about here? Isn't that our goal to protect data --- each day? And what exactly does he mean by "Automated, monthly remote risk assessments"? "Make sure things are good" would have been just as powerful. Sigh. I assume he is talking about using a service such as Qualys to scan and report on your external facing. These results can then be compared against preexisting baselines or standards to evaluate compliance and document change.

While I agree with looking at your risks from the outside in, what about from the other direction? What is being sent outbound? How about monitoring / measuring that?!? Aren't these guys an email security company?

5. Communicate your data security policy. All personnel should be briefed on the importance of protecting confidential customer data. Disseminate a policy on how and when, if ever, this data should be included in unsecured email correspondence with customers and others. Implementation of an encrypted email system would be a major security step forward.

Yes. Finally something I can agree with. I would also like to add that one should begin looking at mail filtering outbound. It helps to know how your customer service reps, execs, and IT professionals are sending their electronic communications (primarily for the unencrypted mail).

6. Keep your network virus-free. A thorough evaluation of your network is essential to protect entry points (such as email attachments, shared files, infected websites, downloads), and to minimize infection. Simply installing anti-virus (AV)software is not enough. The AV system still needs to be monitored to make sure the most recent definition files are updated on all devices and you are alerted when a device is not "up-to-date." Look to providers which offer a full suite of AV services that can keep current with fresh outbreaks.

10-4 good buddy. Also think of reporting. Metrics mean money! Remember that. When you need head count, funding, or a promotion --- you must have metrics. Also remember that one vendor for all the environment isn't always the answer. What is best for clients is not necessarily what is best for servers. Moreover, AV vendors differ greatly from platform to platform.

7. Consider "giving up" on do-it-yourself security. The New Year is a good time to consider outsourcing network security to a company dedicated to keeping up with the latest demands of computer network security.

Depending on the size and nature of the company, I agree. Small shops should think about getting some help. If noting else, a plan for security with periodic checkups. Larger shops need IT Security professionals (even if just a few) to check up on the outsourced work.

How to Obscure Any URL

2006-12-28T17:26:00.000-05:00

Well, maybe not. I found this article off of Digg and stored to view at a later time. Initially, I was very excited as you will encounter url obfuscation when working with malware and phishing.

Unfortunately, the specific techniques no longer work on Firefox 2.X or IE 6. The concept is something worth investing some time into.

I need to research if any, more recent, documents are available.

The new migration from D.C.

2006-12-27T17:50:00.000-05:00

The Washington Post has a story about a new migration taking place on the east coast. It seems some of our federal agencies see it fit to move just a bit west, out of D.C. -- just enough to be outside of a blast zone (a 50 mile radius). Sounds like data center move time!

Link the the complete article here.

Blast zone or not, I welcome the move. I am pretty shocked this hasn't started sooner ... unless this is just an article to hype the local real estate markets. Hmm.

Anyone want to invest in some local data carriers in the Winchester, VA area?

Online Nmap Scanner

2006-12-26T23:28:00.000-05:00

Matousec also provides an online Nmap scanner. Fun stuff.

Play with it here.
Get the old school edition here.

Personal Firewall Analysis (Windows)

2006-12-26T22:52:00.000-05:00

Matousec has posted a very interesting leak-test report on Windows firewall software. Most all the big names made the party, but few faired very well.

In short, Comodo and Jetico own, while Windows Firewall is horrible.
Read the complete report here.

Note: they later go and slam Comodo here -- however, they slam everyone.

Bootable security distro on your USB stick

2006-12-26T21:38:00.000-05:00

Ever use BackTrack? Here is a very nice article on how you can boot the OS from your USB stick. They even have a bit about using it with Windows and the ever-handy VMware Server.
Get the article here.
Find other fun tutorials here.

... sort of like making BackTrack something you would find on portableapps.com

Republican Aide Tries to Hire Hackers

2006-12-23T11:50:00.000-05:00

Yesterday, /. posted news about a Republican Aide that wanted hire hackers to change his grades. Let me lead off by saying I do not care about political affiliation or even the fact this is a government employee. So what? Not my blog.

I will assume this guy had a bad G.P.A and was looking to get into a good grad program at Foo U. I do think it is interesting he went to Texas Christian University, whose mission is evidently not shared by at least one of their former students.

Our Mission
To educate individuals to think and act as ethical leaders and responsible citizens in the global community.

Anyway, enough of that stuff. Let's get on with the humor!

Take a moment and read the entire email thread from the fine people at Attrition.org. Trust me, it is worth it. Here is also the link to the Network World news article.

I loved the humor factor - rot 26 is some pretty serious stuff! I remember a rot 13 question in the text "Puzzles for Hackers", and who asks for photos of pigeons or squirrels? Classic. Who doesn't love a squirrel? Thanks to this email thread a new form of squirrel authentication has been born! Thank you squirrels!

A bit more on my above reference to rot 13 / 26.
Check out rot13.org here.
They also have a calculator of sorts here.
With rot 13 the letter "a" would equal "n", "b" is "o", and so on. If you think about it, rot 26 would start you right back at the beginning. "a" to "n" and back to "a" -- thus the humor.

In short, rot 13 is a prepackaged Caesar-cypher with a known jump of 13 places.

I seriously wish they would have asked for a photo of a horned frog.

Gartner Highlights Key Predictions for IT Organizations in 2007 and Beyond

2006-12-18T18:35:00.000-05:00

While reading the IT-Observer, I found a link to the 2007 Gartner Key Predictions for 2007. I was very thankful for the lead on the article, however I wanted the other predictions.

Egovernment.com wasn't afraid to fill me in ... link to article.

And the eye opener

By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. The threat environment is changing -- financially motivated, targeted attacks are increasing, and automated malware-generation kits allow simple creation of thousands of variants quickly -- but our security processes and technologies haven't kept up.

I break it down on the following points

Financially Motivated Malware? An example would be nice. If we locked down our web browsing and quit running our browsers with administrative privilege, this wouldn't be as big of an issue. No, myspace is not work appropriate -- even if you work in skip tracing.
75% will be infected -- what about the other 25%? Are they "clean" from habit or luck?
Financially Motivated -- this is important. If we have monetary value associated with a risk, then follow the money. Gone are the days of nerds just playing, where attacks were loud and obvious (think Nimda, Code Red). Now we have state sponsored hacking and even mafia supported attacks -- not to mention your own employees.

Some thoughts

Lock down internet access - proxy, white list -- whatever, just clean it up.
Monitor your email. You would cry if you saw what was being sent outbound each day.
Use psexec to limit browser rights or use another OS all together. Link here -- Thanks Allen.
Start thinking from the inside out. Do you have low paid, high turnover employees, with access to valuable information? -- stuff like that.

Legal Aspects of Computer Security and Information Privacy

2006-12-17T12:38:00.000-05:00

Last week I registered for my last class at Capitol College. My thirty fourth, fifth, and sixth credits will come from IAE-671, Legal Aspects of Computer Security and Information Privacy.

Two of the texts are: No Place to Hide and Darknet : Hollywood's War Against the Digital Generation (possible yawnsville). The good news is most of our reading is provided via links to PDFs and other online information, hopefully it won't be too dated.

Our professor, David Ward, is an attorney for the Federal Communications Commission and worked on the Communications Assistance for Law Enforcement Act (CALEA).

I have high hopes for this course. It begins the first Wednesday of the new year.

IndySec 3

2006-12-14T23:31:00.000-05:00

IndySec 3 is December 20th.

Ain't no party like a laptop party.

(IN)SECURE

2006-11-30T19:43:00.000-05:00

Check out the new December edition of (IN)SECURE magazine.

From www.security-forums.com

2006-11-17T18:18:00.000-05:00

I thought I would post a reply I made to www.security-forums.com. A poster wanted to know how he, a programmer, could go about getting into security.

Link to my post at www.security-forums.com
Registration required, I know. Dumb.

Hello,

Use your background as a web programmer to boost your chance to get into infosec. Start looking into application security, something like owasp. I would also recommend you also shore up any weakness in networking or systems administration.

Pass. Pass on the hype. As far as certs, pass on the CISSP - that is a management cert. You are not ready for it anyway. The CISSP is a management-centered cert for people with 4 years direct, full time security experience. I recognize this cert blows the doors off the HR dept door. I am not addressing this amazingly confusing fact in this post.

Read. Read blogs, read books, just read. Make best efforts to learn while reading.

Here are some of my favorites

*Protect Your Windows Network

*The TAO of Network Security Monitoring

*Inside Network Perimeter Security

*Malware: Fighting Malicious Code

*Counter Hack Reloaded

Volunteer. Find a church, school, a not for profit, or a networked dumpster that might let you help. Maybe they need some help rolling out a new AV solution, maybe they do not have one, and maybe their only server sits under a sprinkler head – who knows. Who cares?!? You do! Help them, make something better, and build your experience.

Build a lab. Learn VMware. Understand the value of a good lab. Get access to some networking equipment. Do not forget to download your favorite ISO files from the newest *.nix distro. Download / Burn / Install or if using VMware, download the distro, mount it under “use ISO Image” and boot away. Simple.

Team Up. Find someone who will have nerd-night with you. Nerd night is your officially allocated learning time, with someone who has similar interests. Build that VM server, test running IE as an unprivileged account using psexec and visit a bunch a bad sites and scan for malware …. This is something I will be testing soon, for no real reason.

Get your degree. If you do not have your BS, go get it. View the "centers of academic excellence" of the NSA. Google on it. I am working on my masters in information assurance / network security at Capitol College.

Meet people. Want to learn more and meet others in the industry? Search for local 2600 or ISSA groups. If nothing is available or if those groups do not meet your needs, start your own group. I started IndySec -> Indysec.blogspot.com

Do not quit. I put a lot of time, money, and effort to get my position in Infosec. I failed several times to land a position in Infosec. I could have quit and not swallowed my pride to try again, but then I would not have a rewarding career.

Who am I? I am a simple person that works hard.
I understand I have a lot to learn. I am also somewhat of a newbie to Infosec.

Know your goals, do your best, when unsure – ask someone who knows, and never quit.

Google Chat

2006-11-11T17:07:00.000-05:00

I use gmail and enjoy their in-browser chat client. In case you don't already know, that communication is in clear text ... sniff sniff.

A quick solution is to add an "s" to your url string (nothing new here).
httpS://mail.google.com/

When I have more time I will take a look at the cookie that's set by gmail chat and the related communication / reference. During a quick test last night, Wireshark complained about some of the captured traffic not being compliant ... more to come.

NIST

2006-11-10T15:54:00.000-05:00

NIST has a new draft on Intrusion Detection titled: "Guide to Intrusion Detection and Prevention Systems".

Here is a link to the PDF.

I have *not* had a chance to read the entire paper, however I did find Appendix C very interesting.

Snip:

The lists below provide examples of tools and resources that may be helpful.
Print Resources
Bace, Rebecca, Intrusion Detection, Macmillan Technical Publishing, 2000.
Bejtlich, Richard, Extrusion Detection, Addison-Wesley, 2005.
Bejtlich, Richard, The Tao of Network Security Monitoring: Beyond Intrusion Detection, Addison-Wesley, 2004.
Crothers, Tim, Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network, 2002.
Endorf, Carl et al, Intrusion Detection and Prevention, McGraw-Hill Osborne Media, 2003.
Kruegel, Chris et al, Intrusion Detection and Correlation: Challenges and Solutions, Springer, 2004.
Nazario, Jose, Defense and Detection Strategies Against Internet Worms, Artech House Publishers, 2003.
Northcutt, Stephen and Novak, Judy, Network Intrusion Detection: An Analyst’s Handbook, Third Edition, New Riders, 2003.
Rash, Michael et al, Intrusion Prevention and Active Response: Deployment Network and Host IPS, Syngress, 2005.

It is interesting to see who did and did not make the list. I would have added a few others, however I am not NIST. Additionally, I found this publication to be more of a management overview as opposed to a technical document. Better off reading number 2 and 3 from the above list IMO.

IndySec 2

2006-11-10T10:29:00.000-05:00

IndySec 2 is next Thursday, November 16th @ 6:30PM

IndySec 2 Blog Link

Apologies and Job Change Information

2006-10-18T10:22:00.000-04:00

Whew.

Well after several application attempts, general nerding around, and study I have my first full time position in Information Security. I will be working on the host and network protection team for a large financial firm in the Midwest.

Sorry for the lack of posts of late (looking in the mirror). It has been a mix of SANS study, job interviews, and some other "life" events.

Cheers!

SANS Chicago

2006-09-14T16:44:00.000-04:00

SANS Chicago is only a couple of days away - I cannot wait!

I just spoke with Scott Weil, Program Director, to verify some event details. It seems the evening labs have been canceled due to Micro Closing at 6:00 PM each night and they also load us down with books.

I am headed from Indianapolis to Chicago by train and have reserved a bunk at the local Hostel about a mile away from the training facility. As this event is being completely financed by Steve Moore Inc., being frugal was of high importance (anyone who has purchased SANS training will know what I am talking about).

FYI, the train is ~ $40 US round trip and the Hostel is $28 a night. Compared to $140 a night for a hotel, plus parking.

I will do my best to report to the blog each night and share what was learned in my GSEC training.

Indianapolis ISWT

2006-09-09T12:25:00.000-04:00

Last Thursday I attended the Indianapolis Information Security & Wireless Technology Conference. It was a standard event with vendors and such, with one added bonus: Kevin Mitnick.

Kevin spoke for around an hour about standard social engineering and then had some "live" interactive events. He shared information on how he stole the Microtek source code from Motorola and how he himself had been socially engineered prior to the release of his latest book The Art of Intrusion. During these events, he would call up audience members to participate in different activities.

The most interesting portion of his speech was about a phishing / IVR dupe. We all know about phishing and what it entails, however, now there are hackers who are recreating IVR systems and then phishing for marks to call in. This new attack recreates an IVR (intelligent voice response) system for purposes of data collection, such as banking logins and passwords. Kevin had used a service called IPKall to bind a POTS number to an IP. The IP was bound to a *nix based IVR software. The interesting thing is Kevin also took the steps to copy the real IVR responses (and tree logic) from a real bank. With the system recreated, one could then "spear phish" customers in the area of bank X. All password entries would give an error message, noting an incorrect password. Kevin displayed this real time as his IVR scooped up his own self-generated traffic.

Amazing.

Also, his business cards are metal and break up into a lock pick set.

For those that may complain, I understand he is a criminal, however, it behooves us all to understand how these guys think. They truly have no limits to their thinking and as a result are very creative. At times, in the professional world, we allow ourselves to become too systematic in our thinking.

IndySec Formed

2006-09-09T11:37:00.000-04:00

IndySec has been formed. This is a work in progress - more information to come!

IndySec Blog Link

SSL Explorer

2006-08-31T13:54:00.000-04:00

While researching open source anti-virus solutions, I ran across ssl explorer from 3sp. SSL explorer - Community Edition is a free (as in beer) desktop-over-HTTPS tool. The tool allows for remote management of desktops, servers and intranet resources.

I just finished watching their online Flash demonstrations and I am quite impressed. From their site:

SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.

While the tool looks great, their self definition is not completely correct. SSL VPN - that's a problem. According to the text Protecting Your Windows Network, in order to be considered a VPN a tool must:

"authenticate the end user and assign the remote node and IP address routable on the local network" p. 202.

A few more notables:
1. you do not get two factor authentication with the community edition.
2. you can register for a full featured VMware appliance running in enterprise mode here.

Visit the ssl explorer page here.
And on SourceForge here.

Helix & Live View

2006-08-30T15:17:00.002-04:00

I just finished a class on Incident Response and Computer Forensics, so this is very exciting to me.

In short, you can take Helix and create an image using dd. Depending on the incident, you may need to create a duplicate of the system in question. Live View is one way an investigator can use a .dd file for some further analysis, without altering the copy!

As part of my final project, I used Helix Live Acquisition software to create a copy of a logical drive. I remember thinking how cool it would be to take that copy and somehow run it in VMware.

Fast-forward a month, now we Live View. According to the Live View site:

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.

So is this forensically sound?

Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.

Sounds pretty nice.

Live View has been talked about here and here.

Get Live View here.
Get Helix here.

Article Review: Why home firewall software is a leaky dike

2006-08-24T16:14:00.000-04:00

Awhile back, MG.com posted an interesting article on home software firewalls . This article was also featured on Slashdot.org. To me there were a couple of points I wanted to blog about as some items just didn't add up. The point of the article was to warn readers that software based firewalls are not safe, even referencing the point that if using a router with "firewall functionality", then no software firewall is needed.

The article continues:

The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system's warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.

Huh? So the software firewall is too much, but the undefined hardware router / firewall management is suitable for most "lay" (a term used later in the article) users. And what about the idea of defense in depth?

Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one build in to Windows XP

So what kind of firewall functionality are we talking about here? Any example? How should we configure this firewall / router? We already identified that our reader is a lay person, so hardware is the way to go? While having a router is a plus, all it is going to do is block ports. Even packet filtering and stateful-inspection firewalls are not going to provide any more protection, and that is IF they have been configured properly.

Software firewalls are mentioned as "extraneous" as long as the user abides by the basic rules of web surfing. A couple of points here; first, no "rules" list was provided and second; what about other hacking related activities, such as scanning and enumeration with nmap? A software firewall wouldn't help with that? I know first hand it will. A quick look at nmap versus Windows firewall will tell you that. While on the quick topic of the Windows firewall (or any other for that matter), it will not block outbound traffic unless told to do so. This includes most of the magic "firewall routers" discussed in the article. The thought being, "if it originates from within, it must be ok", comes to mind (which is obviously not the case). This entire theme is skillfully discussed in the book, Extrusion Detection, by Richard Bejtlich (pronounced Bate-lik*).

Here we get into usability versus security. Many of the software vendors will not ship software that is not useable, even in the face of security. An exception to this thought - just today, a colleague told me about a new laptop that shipped with MacAfee security suite. Security was enabled and set to "paranoid" by default. The only problem was the machine could not reach the default gateway and the NIC would not come online. How many people would have disabled the entire suite to get online?

The author does get points for discussing the dangers of using administrator account(s) for anything other than installing software (or using fport!), scanning attachments, and proper patch management. Furthermore, end user awareness and surfing habits are covered, which is a nice to see.

Pats on the back are over. The author says JavaScript should be disabled, but fails to mention ActiveX ... hmm. Backups? Covered, but mentions nothing about offsite storage.

Backups are the safe way to go, Wolf recommends. "All important data should be regularly burned to CD or stored on a USB stick," Wolf says.

My problem with this article was the incomplete answers and misleading information. I meant not to criticize, but to discuss a noteworthy article.

Should you choose, you may read the full article here.

*update: The author of Extrusion Detection, Richard Bejtlich, was kind enough to correct my error. His last name is pronounced "Bate-lik", not "bay-lic" as previously noted. Even podcasts could not save me! Thank you Mr. Bejtlich.

CCNA

2006-08-23T09:43:00.001-04:00

I have decided to go for my CCNA to help round out my routing and networking skills. Why a cert? I view certs as a way to organize my studies, enjoy learning, and set a level of achievement. Simple.

So far, my primary study method has been this book by Sybex; however, I will be purchasing some 2501 routers for the hands on exercises.

As it stands I am on my first reading pass. After complete my SANS training and testing, I will concentrate my studies on the CCNA. So far, I have enjoyed my new learning opportunity. I know it will be worth the effort.

New Laptop

2006-08-23T09:08:00.000-04:00

For academic, training, and business purposes, I finally broke down and bought a laptop. My current employer provides a very nice Dell Latitude D800; however, there are limits and strict rules as to how this hardware can be used (no SNORT allowed!). Another motivating factor was my scheduled SANS training in Chicago. For those of you who aren't aware, SANS requires a laptop for most of the "boot camp" style training.

I ended up choosing the Dell e1505 primarily based on features and value. The e1405 is slightly smaller and around $100 more, while the e1705 is interesting, but it's just too big for my needs. From my perspective, the only important additions were the additional memory (2 GB) for running virtual machines and the WSXGA+ display for better resolution (1680x1050) and additional real-estate.

Desktop space comes at a premium while doing lab work.

My next step is to research the newer EVDO services.

NSA Wiretaps Unconstitutional

2006-08-17T13:34:00.000-04:00

I have not had a chance to read all 44 pages of the .pdf, but I found this article, on CNN.com, quite interesting.

A U.S. District Judge has struck down the National Security Agency’s warrentless wiretapping (and electronic surveillance) program, which was said to be a violation of privacy. Furthermore, she states:

The president of the United States ... has undisputedly violated the Fourth in failing to procure judicial orders.

Capitol College

2006-08-15T11:11:00.000-04:00

I am a student at Capitol College, Graduate School of Network Security and Information Assurance.

Currently I am completing my final paper for IAE-675 Computer Forensics and Incident Handling.

I researched live acquisition of forensic data on compromised hosts, using Helix from e-fense. On August 9, I presented my findings to my peers.

Capitol offers online, live graduate classes in Information Assurance. Download a PDF fact sheet here.

ISSA

2006-08-14T23:35:00.000-04:00

I am a student member of the Information Systems Security Association. The ISSA is looking for volunteers to help with various activities. As they are a worthwhile organization, I offered to volunteer my time.

My query went to Mr. Tierney to learn more about their certification programs committee. I have a natural interest in teaching, education and the value of certifications. I will send an update when I receive a reply.

What is the Certification Programs Committee? From their web site:

Certification Programs Committee: To evaluate and report to the membership on industry certification programs, and to offer suggestions for their improvement.

SANS GSEC

2006-08-14T23:06:00.000-04:00

I will be going to SANS Chicago GSEC training. This is something I have wanted to do for quite some time, but couldn't spare the money.

From this event I hope to meet some new security professionals, add to my skills and bolster my security marketability.

Learn more about the class here. After the 6 days training, I will sit for the exam and begin working on my research paper.

The training runs from Monday September 18, 2006 to Saturday September 23, 2006.

Per the GIAC site:

GIAC Security Essentials Certification graduates have been taught the knowledge, skills and abilities required to incorporate good information security practice in any organization. The GSEC tests the essential knowledge and skills required of any individual with security responsibilities within an organization.