Wednesday, December 19, 2007

Slashdot comment

From a Slashdot comment:
Thousands of businesses outsource their IT security every day. Lots of it goes overseas, too. And the best part of it is that it's free. The bad part is they don't know they are outsourcing it at all.

Friday, November 16, 2007

Yes, this is me.

Yes, I'll admit it, this is me sometimes. I'm working on it. :)

Thursday, October 25, 2007

Theo de Raadt on x86 Virtualization

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 3:14 am 2007

> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection. Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.

Friday, August 31, 2007

Managing your identity online

Have a look at this.
http://www.google.com/search?q=tyler+krpata

If your name is unique and you spend time online, you probably have thought about how to manage your online persona. It's important to realize that anyone who knows your name, email address, etc. will, with enough effort, find any content that you've made available online. This includes photos, message board posts, blogs, and more. Once you've recognized that, it's up to you to decide how much or how little to say, and where to say it.

I generally put my full, real name on content that I intend to be "public". That is, content that I wouldn't mind a co-worker or my mom taking a look at. I look at this as sort of an online resume. This is also content that I censor, both consciously and subconsciously. You won't find me posting much about what's going on in my life here. You can easily find out where I work and how to contact me, but not likely what I did last weekend. Generally, I try to avoid posting anything publicly online that I wouldn't want everyone to see. I find myself feeling cramped by this self-imposed censorship, but I think it's unavoidable.

Unfortunately, there's more to it than controlling your Google results. A motivated person can iteratively mine data to find your online accounts and aliases where you may not include your full name or email address. It's important in these cases to make sure that any content that you don't want made public requires a login and your approval, or simply again to self-censor.

Myspace is a prime example. Anyone who knows your full name can search for your Myspace profile, even if the profile itself does not contain any identifying information. My Myspace account was recently set to "private" so that you have to be on my friends list to view it. This is an important privacy measure, and one to be aware of.

This is my brother's comment on the issue.
I don't really put effort into keeping things segregated though. I use the same handle for message boards and LiveJournal and all that, and mostly what you get with my real name is my writing. Somebody could probably put it all together, but that wouldn't mean too much.

Let's see, shall we? I'd like to run through some simple steps where we can mine some data. (I'm not going to post his personal information here, though certainly someone with enough motivation could deduce it from my information.)

  • First, I Google his full name, and get close to 1000 hits.
  • From the second page, I pull his Amazon profile.
  • I now have his birthdate and online "nickname".
  • Luckily, this persona is unique enough that I get about 1500 hits, and some potentially objectionable content posted in forums and messageboards. (Mostly coarse humor.)
  • I'm also able to pull a LiveJournal based on this search.
  • Not only that, but someone who was looking could potentially deduce that when they see and "Tyler" in the same place, it's probably me. (And they'd be right.)
So what do I know now? I know what he likes, I know who his friends are, I know how his sense of humor works, I know his political opinions. And I suppose the question is: DOES this mean anything? How much do we want our acquaintances, co-workers, relatives, or total strangers to find out about what we really think? About how we act and speak when we're online? If I make a rude comment or post a dirty joke online, it's no longer just between me and that person; it's between me, that person, and anyone else who cares to look. How much can we be "ourselves" on the Internet when we always have to consider a potential 3rd-party observer?

Wednesday, August 8, 2007

A cool little trick

  • Go to a web site with a few images on the page. For example, go to images.google.com and search for anything. (“tie fighter” would be a cool one.)
  • Copy the following code, paste it into your browser’s address bar, and press enter (or hit “go”, however you want to do it.) .
javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);

Friday, August 3, 2007

Snail Mail Scam

I won $52,000!!

Well, not really.

Check out the letter and check (to cover "clearance fees"). Sadly, I'm sure MANY people out there are falling for this.

Tuesday, July 24, 2007

in ur datacenter, breakin ur web 2.0

So apparently, according to this site, either a power outage or a drunken employee (or both) knocked several popular web sites offline this evening, including LiveJournal, Craigslist, TypePad, and Technorati.

I searched Google News for the name of the datacenter, 365 Main. All I found was COMEDY GOLD.

Which makes me believe that I can no longer use Google for breaking news. I ended up finding this information on Digg, which is a big win for "Web 2.0".

(Despite the fact that Digg seems to be the only "Web 2.0" site up and running right now, that is.)

Thursday, July 19, 2007

Wikivice referers

I was checking out the HTTP referers to Wikivice, and I noticed a handful that came in from this blog.

I didn't even know a handful of people READ this blog.

I love you, whoever you are!

Oddly enough, there were even people coming in from my Twitter post (http://twitter.com/tkrpata), and I *know* nobody reads that!

(Sidenote: I hate writing "HTTP referer," because I'm never sure if I should spell it correctly, or spell it the way it shows up in the HTTP header.)

Monday, July 16, 2007

Wikivice

Today I launched a new web site called Wikivice (the free advice column that anyone can edit). The idea is that the community will collaborate to write the best answer to a given question, much like on Wikipedia the community collaborates to write the best entry on a given subject.

I'm hoping to get some traffic by word-of-mouth, and go from there. I think this has the potential to be great, but I need to build a solid user community in order for the site to be a success.

http://www.wikivice.com

Friday, July 6, 2007

My OMGWTF Calculator

A while back, I submitted an entry to the Worse than Failure Olympiad of Misguided Geeks contest. I didn't win, but I thought my entry was somewhat clever.

The contest was to implement a 4-function calculator in the most "WTF" way possible. My entry took advantage of the fact that the floating-point representation of the correct result for each test case was also an invalid memory address. I performed the calculations in the expected way, but instead of returning the result, I attempted to write to that memory location.
sprintf( (char *) *(int *) &r, "paula = brillant");
There was some amount of type punning that needed to happen in order to maintain the float representation of the result, as you can see.

I set up a signal handler for SIGSEGV (segmentation fault), and used sigsetjmp/siglongjmp to return the invalid address (which is the correct result) to a known-good location in the program. I set up a similar handler for SIGFPE (floating point exception) to correctly report an error when attempting to divide by zero. The meat of it occurs in this conditional:
if(sigsetjmp(err_env, 1)) {
    SetDisplayText("Err");
} else if(int result = sigsetjmp(ans_env, 1)) {
    siginfo_t *sigInfo = (siginfo_t *)result;
    sprintf(newText, "%g", *(float *)&sigInfo->si_addr);
    SetDisplayText(newText);
} else {
    DoOperation(g_Operator, op1, op2);
}
As you can see, the result is contained in the si_addr field of the appropriate siginfo_t struct.

Some of the winners obviously put a lot of thought and time into their entries, and I was very impressed at the creativity they showed. I'm also proud of my little idea, and I had a lot of fun writing it!

Tuesday, July 3, 2007

Extending IDS into the virtual environment

I'm going to just credit my colleague Nick for this idea, and maybe someday he can point to this blog post to prove that he thought of it first.

We've been exploring our options for IDS visibility into a virtual switch in order to monitor traffic between VMs; that is, traffic that never shows up on the physical NIC. I've discovered, though I need to confirm, that if you allow a virtual NIC on a VM to enter promiscuous mode on VMware ESX Server, the virtual switch port effectively becomes a SPAN port. Based on this, I've been trying to think of an efficient way to shuttle that sniffed traffic off of the VM and get it where I need it to go.

Nick suggested that perhaps Sourcefire (and IDS vendors in general) should just offer a virtual version of their IPS appliance that you can bring up on your VMware server. This is so head-slappingly obvious that I can't believe it's not currently an option.

Friday, June 29, 2007

Malicious payload based on user-agent string

Websense Security Labs has a blog post about a malicious site serving up payloads based on the HTTP user-agent string. This is something I've seen in the wild many times, and I kind of thought it was old news. The easiest way to get around this kind of simple protection is to set the user-agent string sent by wget. You'll want to use the "--user-agent" option, and there is an extensive list of user-agent strings at http://www.user-agents.org.

Pro-tip: a generally malware-ok user-agent string is
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Update: You can also do this.
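A single wget fetch with a spoofed user-agent only shows you one of the variants a cloaking site serves. The check worth running is to fetch the same URL under several user-agent strings and compare what comes back. The Python below is an added example, not code from this post or from Websense: it probes a constructed stand-in server on loopback that branches on "MSIE" in the User-Agent header, hashes each response, and reports whether the variants differ. The MSIE string is the one given above; the wget-style and Firefox strings are assumed comparison values, and the page content is made up for the demo.

```python
import hashlib
import http.server
import threading
import urllib.request

# Constructed stand-in content for this example; not taken from any real site.
IE_VARIANT = b"<html><!-- served only to MSIE --><script src='evil.js'></script></html>"
OTHER_VARIANT = b"<html><!-- served to everyone else -->Nothing to see here.</html>"

USER_AGENTS = {
    # the string the post recommends
    "ie55": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    # assumed: a wget-style default UA and a Firefox 2 UA, to compare against
    "wget": "Wget/1.10.2",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) "
               "Gecko/20070515 Firefox/2.0.0.4",
}


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Toy server that branches on User-Agent, like the site the post describes."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = IE_VARIANT if "MSIE" in ua else OTHER_VARIANT
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(url, user_agent):
    """GET url with an explicit User-Agent (the equivalent of wget --user-agent)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def fetch_variants(url, user_agents):
    """Fetch url once per UA label; return {label: (sha256 hex digest, length)}."""
    out = {}
    for label, ua in user_agents.items():
        body = fetch(url, ua)
        out[label] = (hashlib.sha256(body).hexdigest(), len(body))
    return out


def is_cloaked(variants):
    """True if at least two user agents were handed different content."""
    return len({digest for digest, _ in variants.values()}) > 1


def run_demo():
    """Start the toy server on a loopback port, probe it with each UA, tear it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    try:
        return fetch_variants(url, USER_AGENTS)
    finally:
        server.shutdown()
        server.server_close()
        t.join()
```

Against a real site you call fetch_variants() with the suspect URL instead of the loopback one; if is_cloaked() says the hashes differ, save each variant separately rather than trusting whichever one your default user-agent happened to receive.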

Wednesday, June 27, 2007

Virtualization Threats Ahead

This is exactly a point I've been trying (and failing) to express clearly of late. From How 9 Hot Technologies Can Blow Up In Your Face on InformationWeek.
If organizations keep expanding server virtualization without taking into account what makes virtual machines different from physical ones, they'll open new doors for intruders into the data center. We can't identify the precise nature of the threats, because they haven't yet materialized. But anyone who takes comfort in that fact hasn't been paying attention to information security the past couple of years.

Thursday, June 21, 2007

Still not a zealot...

But about half of Slashdot Is Not Getting It At An Olympic Level.

In summary,

Some guy:
open source = you can see the source

Bruce Perens:
Sigh. I imagine you use some of this Open Source software sometimes. Please try to get your head around the fact that it would not be possible for such software to exist and for folks like you to benefit from it, unless it was developed. And it would not be developed without a developer community, and that community would not be able to do their work unless they had the right to modify and redistribute the software. Thus, Open Source must be more than just visible source code - it has to include the right to distribute and modify, and it also needs the right for you to use it. So, that's 4 things - source, use privilege, distribution privilege, modification privilege and there's a bit more. Years ago, I wrote down what was necessary for software to be Open Source, and OSI uses that Open Source Definition to classify licenses. It is not an arbitrary thing.

Wednesday, June 20, 2007

Spamming with Google Docs

I frequently use Google Docs and Spreadsheets to manage and share various documents. I was surprised to log in today and see a document I didn't recognize in my list. When I logged into my email, it turned out that it was a legitimate document shared amongst a group of acquaintances, but it got me thinking. Couldn't a spammer just as easily have done the same thing, and bypassed my spam filters besides?

I downloaded a "pump and dump" spam image and created a document that looked like this. Then, I added as "viewers" another of my Gmail addresses, a non-Gmail address, and a friend's Gmail and non-Gmail addresses.

In every case, the notification email came right through as "I've shared a document with you called ..." with a link. The social engineering aspects here are:
  • the email comes from Google
  • the link goes to Google
  • the text of the email is familiar and non-threatening, especially to users of Google Docs
It is ultimately NOT difficult to convince a user to click on this link (I probably would), and it's not likely to be filtered as spam.

The additional benefit, of course, is that you can dump documents right into a Google Docs user's main document view without any filtering at all, just by "sharing" the document. Imagine logging in one day to find your list of documents shoved down to make room for a list of docs with titles like "Buy cheap Viagra online!!"

I'm not sure if Google is already watching for accounts with a high level of document creation/sharing activity, but if not, they probably should be. Additionally, they may want to consider options to allow users to keep newly-shared/unconfirmed documents out of the default view, or to limit whose shared documents they accept at all.

Friday, June 15, 2007

Patching vs. protection

I recently received a secondhand account of a system administrator's argument against patching Office. Though not a direct quote, the sentiment was essentially this: "Shouldn't our antivirus protect us from having to patch?"

I have a little security angel on my shoulder who cringes when he hears things like this; but I've also got a devil, who asks "well...isn't it true?"

The answer, of course, is an emphatic NO. Antivirus software is able to protect against specific known threats and suspicious behavior, but the important thing it DOESN'T do is close your security holes. Antivirus addresses attacks -- patching addresses vulnerabilities. In a perfect world, we do both; certainly attempting to substitute one for the other is a terrible mistake.

Tuesday, June 12, 2007

A Quote from Dave Aitel

Two quotes in a day? This one was too good not to repeat. Dave Aitel had the courage to say it:
...people derisively say "script kiddie" and 100% of the time they mean "someone who's way better at security than I'll ever be".

Too true. There are very few people in the world who can look down on the so-called "script kiddie," and a LOT more than that who THINK they can.

Threat Analysis: Auditors, Obv

This actually came from a spam email. I assume it originated elsewhere, but I'd never heard it before:
"Hackers may find you; auditors WILL find you."

Thursday, June 7, 2007

Career Goals

This is an email I wrote in a conversation with a friend working in IT security who is considering whether to major in computer science or something more "business and IT" oriented. He asked my advice, so I asked what his career goals were. He replied that he didn't have any, and this was my response.

I didn't edit before posting, so forgive any errors in spelling, grammar, or punctuation.

Goals are critical…they don’t have to be extremely specific, but if you’re doing something like declaring a major, your goals should be at least specific enough to allow you to do so.

So, my long-term career goals are pretty simple, being basically along the lines of “work in IT in a hands-on technical role” which could include programming, systems administration, etc. Point being that it’s not incredibly specific (notice it doesn’t even specify IT security), but it’s enough to let me know that a comp sci degree is in line with my goals.

Keep in mind that career goals don’t need to necessarily be about a specific type of work. Mine are, but only because I’m passionate about IT. Some people may not care what type of work they do, but want to make as much money as possible, for example. Others might want to help people, and would be equally satisfied as a doctor or as a guidance counselor.

Ultimately what I’m getting at is that you should determine what you want your career to accomplish in the larger context of your life, not necessarily what field you want to be in.

That being said, if you’re into pursuing security further, and you’re finding that you prefer the technical aspects of it to the regulatory/administrative aspects (hate to meet the person who preferred the latter), I would definitely major in computer science. Security can be as technical as you can make it, being by necessity and by definition at the cutting edge of technology. The better equipped you are to deal with technology, the more opportunity you have in security. That being said, a computer science degree lays the groundwork, but it’s really important to put in additional work doing certs/training, and definitely to do your own projects/research. A potential employer for, say, a pen-testing job will most likely be more impressed by someone who says “I don’t have a degree, but I discovered 3 remote roots last year and developed and released Tool X and Tool Y.”

Friday, May 25, 2007

RSA ACE/Server, Progress DB ODBC connection

I'm in the process of trying to enable an ODBC connection to the Progress database embedded in RSA's ACE/Server.

According to the version file on the server, I am running:
PROGRESS PATCH Version 8.3D10 as of September 24, 2001

I ordered the database client and the ODBC driver from Progress, installed, and attempted to set up an ODBC data source.

I initially received an error "Specified driver could not be loaded due to system error 126" when trying to test the connection. I found a tip on a messageboard which instructed me to copy prosql32.dll into c:\windows\system32, which resolved the error.

I received a couple of error messages which were resolved by setting appropriate environment variables:
DLC = C:\DLC
IDLC = %DLC%
PROCFG = %DLC%\PROGRESS.CFG
PROMSGS = %DLC%\PROMSGS
PATH = %PATH%;%DLC%\BIN

I then started receiving:
[MERANT][ODBC PROGRESS driver][PROGRESS]A PROGRESS database server cannot handle a non-Progress database connection. (2664)

I followed the instructions in Progress Knowledge Base article 17204. I am running the oibroker on localhost (it is not available on the server), and have the OID/OIB options hostname set appropriately. The Database Options tab points to the remote host. I am able to connect, but I am not able to authenticate. Error:
[MERANT][ODBC PROGRESS driver][PROGRESS]** Disconnected by the server, code 36. (706)[MERANT][ODBC PROGRESS driver][PROGRESS]** Server rejected login. (700)

The sdserv.lg file on the ACE server says:
14:31:07 SRV 4: Login by my_username rejected: secure client required.

Oddly, it is passing the username that I am logged into the PC with, not the username I entered in the login field.

I think this could potentially work if I had _prooibk (the OI broker binary) available on the server, but it's not there.

I'm out of ideas for now. Waiting for a response back from support. Hopefully they will have some ideas.

EDIT: Support confirmed that the server is requiring an SSL connection, and the SQL-89 ODBC driver does not support SSL. On to plan B...

Tuesday, May 22, 2007

Reversing Drawball

I've spent some time lately trying to reverse-engineer the protocol for drawball.com. Granted, the client is in Flash, so in theory I could just decompile it and reverse it that way, but what fun is that?

Here's what I've found so far:

(All communication is in the form of null-terminated strings. The server listens on port 8007.)

Handshake

Upon connecting, the client sends what seems to be an arbitrary 7-byte alpha (mixed upper and lower) string. One string can be reused a few times before a new one is required. I assume it's based on time somehow. For the time being, I've just been using Wireshark to retrieve the key generated and sent by the client. I need to spend more time on this one. I really need to figure out how this is generated, because it's a huge pain to open up the actual client and get a new key every time.
EDIT: Duh, got it. "View Source," idiot: <param name="FlashVars" value="l=myvalue">

The server responds with a 14-character string consisting of all uppercase letters.

The client responds with a 7-character string of printable ASCII characters. If the incorrect string is sent, the server disconnects. I figured out that the string is generated by taking each character of the first string sent by the client and subtracting the numeric value (A=0 through Z=25) of every other character of the server response, starting with the first: the 1st, 3rd, 5th, ... response characters are paired with the 1st, 2nd, 3rd, ... seed characters. That's not a very clear explanation...will post the Perl function that performs this operation once I clean it up a bit.

EDIT: Here it is.

sub decode {
    my @seed = split //, shift;
    my @chal = split //, shift;
    my $response;

    while(@seed) {
        # get the numeric (0-25) value of the next character of @chal
        my $num = ord(shift @chal) - 65;
        # throw away the next character of @chal
        shift @chal;
        # subtract $num from the next character of @seed, add to response
        $response .= chr(ord(shift @seed) - $num);
    }
    return $response;
}


Ink

The client asks the server how much ink it has left by sending a lowercase "i". The server responds with the letter "i", and what appears to be a 4-byte integer. The first byte is always 01; I think it's just there to avoid having any nulls in the response, since communications are in the form of null-terminated strings.

Drawing

To draw, the client sends a packet containing the following data:
  • ASCII "a" (0x61)
  • 0x1 (seems to be constant, not sure what it's for)
  • 0x1 (same)
  • a 1-byte sequence number, must start with 1 and increment with each transmission
  • 0x2 (constant, not sure)
  • color - 4-byte integer, don't know how it's being represented. black is 0x01010101, white is 0x09191908
  • a sequence of (x,y) coordinates where each coordinate is 3 bytes. the minimum number of coordinate pairs is 2, and the minimum line length is 2 pixels. this will draw a line between each coordinate.
I've successfully managed to automate drawing onto the ball, but I'm not going to be able to do anything really useful until I can figure out how the initial seed is generated.
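To show the handshake and ink query as an actual exchange, here is an added example (my own code, not the Flash client's and not the Perl above) in Python: a small client that speaks the NUL-terminated framing, sends the seed, checks the 14-uppercase-letter challenge, computes the response with the same arithmetic as decode(), and then asks for ink. Rather than talking to drawball.com it runs against a scripted stand-in server over a socketpair, so it works offline; the seed, challenge and ink bytes are constructed, and the stand-in hangs up on a wrong response the way the real server does. Two things are assumptions because the post doesn't pin them down: the three bytes behind the 0x01 pad are read as a big-endian integer, and any NUL inside a message is treated as an error because it would terminate the string early.

```python
import socket
import threading


class ProtocolError(Exception):
    """Raised when the peer deviates from the exchange described in the post."""


# Constructed values for this example; none were captured from a real session.
EXAMPLE_SEED = "abcdefg"              # 7 mixed-case letters, like the FlashVars "l=" value
EXAMPLE_CHALLENGE = "AACCEEGGIIKKMM"  # 14 uppercase letters, like the server's reply
EXAMPLE_INK = b"\x01\x02\x03"         # the 3 bytes behind the server's 0x01 pad byte


def solve_challenge(seed, challenge):
    """Same arithmetic as the Perl decode(): seed[i] minus the 0-25 value of challenge[2*i]."""
    if len(challenge) < 2 * len(seed):
        raise ValueError("challenge too short for seed")
    return "".join(chr(ord(s) - (ord(challenge[2 * i]) - ord("A")))
                   for i, s in enumerate(seed))


def send_cstring(sock, payload):
    """Frame one message the way the protocol does: raw bytes plus a NUL terminator."""
    if b"\x00" in payload:  # ASSUMPTION: an embedded NUL would truncate the message
        raise ValueError("a NUL inside the payload would truncate the message")
    sock.sendall(payload + b"\x00")


def read_cstring(sock):
    """Read up to (not including) the next NUL. Returns None if the peer hung up."""
    buf = bytearray()
    while True:
        chunk = sock.recv(1)
        if not chunk:
            return None
        if chunk == b"\x00":
            return bytes(buf)
        buf += chunk


def handshake(sock, seed, solver=solve_challenge):
    """Seed -> 14-letter challenge -> 7-character response. Returns the response sent."""
    send_cstring(sock, seed.encode("ascii"))
    challenge = read_cstring(sock)
    if challenge is None:
        raise ProtocolError("server closed the connection after the seed")
    text = challenge.decode("ascii", errors="replace")
    if len(text) != 14 or not (text.isalpha() and text.isupper()):
        raise ProtocolError("unexpected challenge %r" % challenge)
    response = solver(seed, text)
    send_cstring(sock, response.encode("ascii"))
    return response


def query_ink(sock):
    """Send "i"; parse "i" + 0x01 + 3 bytes. A bad handshake shows up here as a hang-up."""
    try:
        send_cstring(sock, b"i")
        reply = read_cstring(sock)
    except OSError:  # EPIPE/ECONNRESET if the server already closed on us
        reply = None
    if reply is None:
        raise ProtocolError("server disconnected (bad handshake response?)")
    if len(reply) != 5 or reply[0:1] != b"i" or reply[1] != 0x01:
        raise ProtocolError("unexpected ink reply %r" % reply)
    # ASSUMPTION: big-endian; the post only establishes that the first byte is 0x01.
    return int.from_bytes(reply[2:], "big")


def fake_server(sock, seed, challenge, ink):
    """Scripted stand-in for drawball.com: checks the response and hangs up on a mismatch."""
    try:
        if read_cstring(sock) != seed.encode("ascii"):
            return
        send_cstring(sock, challenge.encode("ascii"))
        if read_cstring(sock) != solve_challenge(seed, challenge).encode("ascii"):
            return  # wrong response: disconnect, as the real server does
        if read_cstring(sock) == b"i":
            send_cstring(sock, b"i\x01" + ink)
    except OSError:
        pass
    finally:
        sock.close()


def run_session(solver=solve_challenge):
    """One client session over a socketpair; returns response/ink or the error hit."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server,
                         args=(server, EXAMPLE_SEED, EXAMPLE_CHALLENGE, EXAMPLE_INK))
    t.start()
    result = {}
    try:
        result["response"] = handshake(client, EXAMPLE_SEED, solver)
        result["ink"] = query_ink(client)
    except ProtocolError as exc:
        result["error"] = str(exc)
    finally:
        client.close()
        t.join()
    return result
```

run_session() returns the response and the ink count for the constructed values; run_session(solver=lambda s, c: "X" * len(s)) sends a wrong response and comes back with an error instead of an ink count, which is the disconnect behaviour described above seen from the client side. To use it against the real server you would replace the socketpair with a TCP connection to port 8007 and the constructed seed with the FlashVars value.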

Update: I may have been banned...I can load and navigate the site normally, and I seem to have a normal amount of ink, but any attempt to draw results in an immediate disconnection.

Monday, April 23, 2007

Win32 Perl + Subversion line break hell

News to me: when Perl writes to a file handle on Win32, it replaces LF with CRLF unless you explicitly call binmode on the file handle. In addition to that, Subversion's "native" setting for eol-style does the same.

To switch SVN over to LF only:
svn propset svn:eol-style LF <filename>

Tuesday, April 17, 2007

Free as in speech

I swear I am not a GNU zealot. I use plenty of non-free software, and I have no qualms about it. I do, however, understand and mostly agree with the philosophy behind free software. Practically speaking, I am willing to trade some of my freedom for convenience. I'm not sure whether that makes me a hypocrite, or whether I am just exercising a different, related freedom.

Edit: In case the link disappears at some point, here are my comments.

In response to:
Do you buy the idea that being "open" makes software more secure, or automatically makes it "better" or somehow morally superior to closed source software?"

I wrote:
The idea of being "open" or "free" (as in speech) is a license issue. It does not make the software anything. It can be good, bad, or indifferent. Whether software is secure or not is not related to whether it's free or not. However, there are inherent characteristics of open/free software that give the user the FREEDOM to be more secure than with closed source, whether or not he or she chooses to exercise that freedom. Non-free software robs you of that freedom. It forces you to make the choice to accept the vendor's security mistakes or not use the software at all. (To quickly address the obvious rebuttal, the freedom to make that choice is not a freedom any more than, say, the freedom to eat rotten meat or starve.)

As far as being morally superior, YES, free software is morally superior to closed software. Richard Stallman has developed and documented this argument well enough that it's not worth repeating here, but I highly recommend you read through and understand the information at http://www.gnu.org/philosophy/.

And in response to the following:
My feeling is that people should use whatever is best for them (however you define "best"). About morality...I think that if two parties willingly agree to licensing terms (whether proprietary, GPL, or anything else) then there is no moral issue. Maybe someone external to that situation would see it as immoral, but that's like some redneck getting offended by a gay couple because it goes against his belief system. Of course the hole in this argument is that proprietary software usually doesn't present a license until installation and most retailers won't accept opened software for return. Regardless, there are always going to be people who get offended by other people due to various belief systems. I could not care less if somebody else uses/writes proprietary, GPL, or other software; my only concern is what I use/write. Issuing a blanket statement like "proprietary software is immoral" is no better than saying that "homosexuality is immoral". For certain belief systems it may be true, but it may not be true for the only belief system that matters: mine. Murder is virtually the only thing seen as immoral by all civilizations. Everything else is up for debate.

I wrote:
Comparing the morality judgement against proprietary software to bigotry against homosexuals is a weak straw man argument. You clearly are not familiar with the reasoning behind the belief that proprietary software is evil/immoral, certainly not enough to decide whether you are for or against such an argument in a rational and objective manner. If you believe that people are entitled to freedom, then proprietary software is inherently immoral. You have the right to believe that people are NOT entitled to freedom, but I would argue THAT would be much more analogous to saying something like "homosexuality is immoral."

Thursday, April 5, 2007

QOTD

"I gave up Perl for Ruby."
"That's like giving up herpes for rabies."
- Anonymous message board exchange

Undocumented builds and backwards incompatibility

So I spent a lot of yesterday trying to, without any documentation at all, build a Windows executable out of a Python program whose GUI is based on an older version of Qt/PyQt. Unfortunately PyQt 4 is apparently NOT backwards-compatible with PyQt 3, such that the existing scripts would not work with PyQt 4 as they were written. It was an absolute nightmare getting the older versions compiled, installed, and working, and it made me want to document some general thoughts.

My primary function has never been as a developer, but I've still always written code as part of my job responsibilities. People like me (and like the person who wrote the Python program, I imagine) don't generally have the same experience in formal software development processes as "Computer Programmers (TM)". This tends to cause problems.

The interesting thing is that the problems seem to come more from dependencies, building, and things of that nature than from the code itself. I think most of the actual code I write, and a lot of the code of this sort that I've read, is more or less self-documenting. I'm talking mostly about utility programs, generally less than 1000 lines and often less than 250 lines.

Notes to self, and other interested parties:
  • Document your build process if it's anything more complicated than "cc file.c". (I will be forever in your debt if you leave me a Makefile.)
  • Use some sort of central code repository. Digging through backups of old PC's to recover code is no fun for anyone.
  • Related: don't just leave your code, if at all possible...leave the libraries, utilities, and other related items somewhere where I can find them. At worst, leave me links to go get them.
  • Create a README file! If you have to solve any problems or come across anything quirky, NOTE THEM IN THE README!
  • A function called "GetUsername" does not need a comment that reads "Gets the username."

Misc:
  • Thomas Ptacek is writing a great series of arguments against DNSSEC over at the Matasano Chargen blog. That's one of my favorite blogs, by the way, and I highly suggest that anyone in information security make it a daily read.
  • I don't have anything to add about the ANI vulnerability (MS07-017), other than to wonder when we're going to stop seeing this kind of thing. Weren't we doing this with WMF at this time last year?
  • I have thoughts on Fortify's interesting JavaScript hijacking "Web 2.0" advisory, but I think I'll write a separate post 2.0 on that subject 2.0.
  • The Blogger "Compose" interface is terrible. What should I be using instead? Should I just use a text editor and then paste it in?

Tuesday, March 27, 2007

SecureWorld Boston

I attended SecureWorld Boston this month. I'm a little late in posting about it, but here are my thoughts.

  • The conference in general was not particularly high-tech. I know it's not intended to be a Black-Hat-style cutting-edge techie event, but I still would like to see a presentation or two where I can learn something I don't already know from a technical standpoint.
  • The very first thing I did there was to drag an old co-worker over to see a demo of CORE Impact. I believe that is hands-down the coolest product going in the security space. It's hard for organizations that don't specialize in pen-testing to justify the price tag, but it sure is nifty. (I am 100% green with envy at the developers who get to write exploits for CORE Impact as a full-time job.)
  • I spent some time chatting with the Feds. I don't think they realize how in awe most of us IT folks are of their position. Their cybercrime people have a tough and thankless job, that's for sure.
  • In making the rounds of the vendor booths, I came across two products that I wasn't familiar with that impressed me.
    • BeyondTrust Privilege Manager allows you to granularly assign administrative rights to users. So, where previously you would need to give a user full admin rights to his PC to install or run certain applications, you can now set that account to run as a normal user with elevated privileges only for specific applications. You can manage rights from a central console, and you can assign privileges either by workstation or by username (a huge benefit in an environment where users log onto and share multiple workstations). I'm not sure how much of this you can do with Windows out of the box, not being much of a Windows guy myself, but it seems like something that any organization could benefit from.
    • LogLogic is a log management/SEM product, and the thing that really struck me about it was the interface. I've used Network Intelligence Envision, as well as Splunk, and I find them both difficult to get useful information out of because the interfaces are a pain to work with. LogLogic looks simple, attractive, and to the point. Every question I could come up with was met with "yes, we do that"; it seems like a full-featured, if pricey, solution.
  • I accidentally found myself in a panel on IP-based video surveillance. (I got the room number I was looking for wrong.) When I realized I was in the wrong room, I decided I would stay and possibly learn something about an area that I know little to nothing about. The major thing I took out of the panel was that there seems to be little to no thought given to the data security side of putting a bunch of new endpoints on the network (cameras, DVRs, etc.). It may just have been that there wasn't enough time to get into that...I found that the panels in general were too short to get any kind of depth on their subjects.
  • I also attended a panel on compliance, specifically about whether IT should own it or not. Again, there wasn't enough time allotted to get into any kind of depth on the subject, but I think the answer, as expected, was that nobody really knows. Certainly we don't WANT it, but where else is it going to go? More to the point, I think there are too many aspects to compliance to call it an "it." There are technological and procedural controls that need to be designed, implemented, tested, and validated, and I really believe it involves defining the steps involved in all of those in detail to find the best places to put them.
  • There were a couple of sessions that discussed things like business risk and asset value, basically "how do we justify the money that goes into security?" As IT people, we are still not used to tackling the question of value from a risk perspective. (At least, I'm not, and I don't think I'm alone.) A good, solid, simple methodology that allowed us to get in the ballpark without wasting hundreds of hours in meetings across the organization would go a long way.
  • And I got a new laptop backpack, thanks to Michael Ford's encyclopedic knowledge of geek movie trivia!

Friday, February 23, 2007

Funnypot

A while ago, I started a project that tried to extract some humor from the concept of a honeypot. The idea was simple: I put up an SSH server with an easy root password, and created a shell for the root account that would (in theory) induce hapless hackers to type funny things. You can read some of the results at The Funnypot.

The problem was that, for the most part, the attackers either didn't understand what was going on or assumed that there was some magic command they could type that would cause the system to start behaving normally. I'm not sure why you'd keep trying UNIX commands once that shell started responding with lines like "Are you sure you know what you're doing?" I suppose in some cases it was just a script, rather than a human being on the other end of the connection.

Eventually I brought the server down and never bothered putting it back up. I still feel like there's some mileage I can get out of the concept, if I can just be a little funnier. Maybe I need to allow, or at least appear to allow, certain commands to work in order to encourage the intruders. Perhaps some detailed and useful (and by that I mean "silly and ridiculous") help messages would be good, too. I wonder what I could get people to enter in if I put up a help message that said something like "enter your email address and email password at the command prompt to enable the bash shell."
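A skeleton of the kind of login shell described above, as an added example rather than the original Funnypot's code: it logs every line the visitor types to a JSON-lines file and fakes a handful of commands (`whoami`, `ls`, ...) so the intruder keeps going, answering everything else with canned replies. The log path, the fake outputs and the reply strings are assumptions; setting up the SSH server and the root account that uses this as its shell is outside the snippet.

```python
#!/usr/bin/env python3
"""Minimal 'funnypot' shell: record what the intruder types, answer with
canned replies, and pretend to honour a few commands to keep them typing."""
import datetime
import json
import os
import sys

# Assumed log location; the honeypot host should be the only writer.
LOG_PATH = os.environ.get("FUNNYPOT_LOG", "/var/log/funnypot.jsonl")

# Commands we pretend to execute (constructed sample outputs).
FAKE_OUTPUT = {
    "whoami": "root",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "pwd": "/root",
    "ls": "bin  secrets.txt  totally_not_a_honeypot",
}

# Everything else cycles through these (constructed) replies.
REPLIES = [
    "Are you sure you know what you're doing?",
    "That command was deprecated yesterday. Try something sillier.",
    "Please hold while the shell consults the oracle.",
]

def make_record(line, peer, ts=None):
    """Build the log entry for one input line (pure, so it is testable)."""
    ts = ts or datetime.datetime.now(datetime.timezone.utc).isoformat()
    return {"ts": ts, "peer": peer, "input": line.rstrip("\n")}

def log_line(line, peer, path=LOG_PATH):
    with open(path, "a") as fh:
        fh.write(json.dumps(make_record(line, peer)) + "\n")

def respond(line, counter):
    """Text to show for one line; None means the visitor asked to leave."""
    cmd = line.strip().split()
    if not cmd:
        return ""
    if cmd[0] in ("exit", "logout"):
        return None
    return FAKE_OUTPUT.get(cmd[0], REPLIES[counter % len(REPLIES)])

def main():
    peer = os.environ.get("SSH_CLIENT", "unknown").split()[0]  # set by sshd
    for counter, line in enumerate(iter(lambda: (print("root@funnypot:~# ", end="", flush=True), sys.stdin.readline())[1], "")):
        log_line(line, peer)
        reply = respond(line, counter)
        if reply is None:
            break
        print(reply)

if __name__ == "__main__":
    main()
```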

Thursday, February 22, 2007

Into the Blogosphere

For some time now I've been thinking I should start a blog, so here it is. I have a real problem with remembering to write down or otherwise record my ideas and opinions, so hopefully I can learn to stick with this. I imagine I'll mostly be writing about technology, specifically in the realm of IT security, but I won't necessarily limit myself to that. So there's the introductory post; I hope to make my first post with Actual Content(tm) soon.