May 31, 2015

'Ol Rummy

Whether you love him or hate him, Former Secretary of Defense Donald Rumsfeld has been an interesting character in the Defense Industrial Complex.  He is oft quoted from a speech he gave in 2002 in regards to the Iraq war. 

The fact that I was able to build this into a briefing at work, make a point and not get laughed at was pretty amusing.

It goes a little something like this:

"Reports that say there's -- that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."

On the surface it seems like a Clintonesque diatribe on what "is" is, but if you deconstruct it, you see that the jumble of words actually has meaning and application to Information Security and Operations Security in general.

July 05, 2014

RAND Cybersecurity Workforce Study

I read this RAND study last weekend and had a chance to share it with several people in the workplace last week.  In my experience this has been one of the most on-target papers on hiring, training, and retaining talent in the "cyber security" space for government work. 

Anyways, here is the link:


While overall I think this is a great piece of writing, there are some problems.  First of all, if you ask three people what "cyber security" entails, you'll get three different answers.  Another fairly minor issue is that the researchers assume that USG employees who do jobs within the "cyber security" realm in the civilian space are 2210's.  In the real world we all know that, depending on the flavor of work, these jobs can fall under different GSA categories such as 0132, 0391, 0801, 0850, 0854, 0855, 0856, 1540, 1541, 1550, or even be a secondary role for a 1801 or 1811.

April 02, 2014

Incoming SMTP on a budget AKA Keep on rollin'

Sometimes you need to run a service on your home computer(s), but due to previous patterns of abuse by other customers, your broadband provider blocks certain inbound services.  I totally understand that need.  Normally you have the option to use a non-privileged and non-standard port, and as long as you don't serve up too much traffic the ISP won't try to convert you to a business account.  

The broadband provider that I have at home blocks a bunch of different ports, including port 25, which is what I needed to run an SMTP server at home.  For a normal user this would be silly, but I still need to receive mail on an old sub-domain that is assigned to me, even though I do not control the primary domain or the MX servers for it. 

I had access to a friend's business class service that had a spare static IP, which allowed me to do a few experiments.  There are several pieces of software for Windows that will do port translation, but none that are free, and if I was willing to spend the money in the first place, I would have sprung for business class service at home with static IP addresses and unblocked ports. 

It is more fun to tinker and try to come up with solutions, even if you expend more time and effort.

I cobbled together a few Linux solutions that worked to some extent.  

The first was an experiment using Netcat.  Basically, using Netcat you can create (as root) two different Netcat processes connected via a pipe.  One Netcat listens on the default interface on port 25.  The other Netcat creates a connection to the server at home on a different port.  The nice thing about this solution is that it is pretty simple and also works for HTTP and a few other protocols.  Netcat will resolve a DNS name for the outbound side, so if you were to use a dynamic DNS service you could have a flexible solution.  The terrible thing is that you have to run it as root, and after a period of time (at the end of the incoming connection, or a timeout on the outgoing one) Netcat dies and you have to respawn the process.  The other awful thing is that it uses an incredible amount of CPU time.  

I came up with another solution that was a bit better since it ran in user space.  I set a Linux machine behind a junk-pile firewall and did a simple NAT to take the public IP address and port 25 and map it to the Linux machine sitting in an RFC 1918 address range on a non-privileged port.  This allowed me to use ssh tunnels to accept traffic on that Linux machine and send it to the mail server directly over the ssh link.  The performance on this was somewhat spotty, but it performed OK.  The advantage is that you can connect to a Dynamic DNS host for the ssh tunnel and automate the logins if you use session keys.

That was still a bit clunky, so I Googled a bit on iptables.  Most examples I found on the web used port forwarding to do what I wanted, but by using a NAT table to map it from public to private IP space.  What I was looking to do was basically to take traffic on an untrusted interface and shoot it back out that same untrusted interface on a different TCP port so it could hit my home server.  I had used the open source version of Smoothwall at home in the past and knew that it used iptables, so I downloaded an ISO and spun up a system on the public IP address that was available to me.  Bingo.  The port forwarding rules allow you to take inbound traffic on your red interface and forward it back out that same interface.  Most other firewalls of that grade (i.e. free or open source) limit your port forwarding to an address behind your trusted interface or on an RFC 1918 address that you are NATting to.  The beauty of this solution is that it is completely transparent and is only limited by the bandwidth constraints of the network that feeds your public IP address.  The downside is that it only works properly with a fixed IP address.  You could write a script to do an nslookup of the A record attached to your dynamic DNS name and then feed that into a script that programs your iptables configuration.  In the end it would take a bit more work to make things work smoothly.  
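One way to handle the dynamic DNS wrinkle just mentioned, as an added example (not code from the original post or from Smoothwall): a small POSIX shell helper that resolves the dynamic DNS name, validates the answer, and reprograms the red-interface hairpin forward only when the address actually changed.  DDNS_NAME, WAN_IF, HOME_PORT and STATE_FILE are placeholder assumptions, and getent stands in for the nslookup the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post: keep a "red interface hairpin"
# port forward pointed at a dynamic DNS name.  Run from root's crontab every
# few minutes; the box needs net.ipv4.ip_forward=1 for the FORWARD rule to matter.
# Placeholder assumptions: DDNS_NAME, WAN_IF, HOME_PORT, STATE_FILE.

DDNS_NAME="${DDNS_NAME:-home.example.net}"            # your dynamic DNS name
WAN_IF="${WAN_IF:-eth0}"                              # the untrusted (red) interface
PUBLIC_PORT="${PUBLIC_PORT:-25}"                      # port the MX record points the world at
HOME_PORT="${HOME_PORT:-2525}"                        # unblocked port the home MTA listens on
STATE_FILE="${STATE_FILE:-/var/run/smtp-forward.ip}"  # last IP we programmed into iptables

# Resolve the A record; prints the first IPv4 address or nothing at all.
resolve_a() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with four octets in 0-255.  An empty lookup or a
# garbled answer must never be spliced into an iptables command line.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the three rules for one forward (ACTION is A to add, D to delete them).
# DNAT on the red interface sends port 25 traffic to the home box on HOME_PORT;
# MASQUERADE rewrites the source so the home server's replies come back through
# this box instead of going straight to the sender, which would break the TCP session.
# Printed rather than executed so they can be reviewed or piped into sh.
build_rules() {
  ip="$1"; action="$2"
  printf 'iptables -t nat -%s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$action" "$WAN_IF" "$PUBLIC_PORT" "$ip" "$HOME_PORT"
  printf 'iptables -%s FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
    "$action" "$WAN_IF" "$WAN_IF" "$ip" "$HOME_PORT"
  printf 'iptables -t nat -%s POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
    "$action" "$WAN_IF" "$ip" "$HOME_PORT"
}

# Decide what to do: prints keep | install | replace.  Returns 1 and prints
# nothing when the new address is unusable, so a failed lookup leaves the
# existing rules alone instead of tearing the forward down.
plan_action() {
  old="$1"; new="$2"
  valid_ipv4 "$new" || return 1
  if [ -z "$old" ]; then echo install
  elif [ "$old" = "$new" ]; then echo keep
  else echo replace
  fi
}

sync_forward() {
  old=""
  [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
  new=$(resolve_a "$DDNS_NAME")
  if ! action=$(plan_action "$old" "$new"); then
    echo "lookup of $DDNS_NAME returned '$new'; rules left unchanged" >&2
    return 1
  fi
  case "$action" in
    keep) return 0 ;;
    replace) build_rules "$old" D | sh ;;   # tear down the stale forward first
  esac
  build_rules "$new" A | sh && printf '%s\n' "$new" > "$STATE_FILE"
}

# Only touch iptables when explicitly asked:  sh smtp-forward.sh --apply
if [ "${1:-}" = "--apply" ]; then
  sync_forward
fi
```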

While that was a fun experiment, the best free solution I found was to use a mail redirection service from a company called Rollernet.  They accept mail for you on their SMTP server, run it against a list of domains that you own, run it through a spam filter, check it against a valid recipient list, and finally send it off to a server and port combination that you own.  Right now they give you 10Mb of free mail transfer a day, and give you the option to defer mail that is beyond that cap until the next day.  You can't beat the price, as long as you are able to give up a little bit of control.  In my case that was an acceptable risk in order to keep a mail domain that has long gone dormant but still gets valid emails from time to time.



November 28, 2013

Splunk Revisited

A few years ago I was evaluating a cool log analysis package called Splunk for a project at work.  I had a few instances running on a development machine at work and on a server at home.  I found that I was able to drill down to very specific events to debug what was happening so I could correlate problems among various devices and software packages.  When I upgraded my home server a year ago I didn't spend the time to reinstall Splunk, as I was busy with moving into a new house and having children, so it went to the back burner. 

Recently I was having a conversation on system monitoring architecture and Splunk came up.  I decided to take a look and see what a few years of maturity have done.  First of all, the basic software is now free for individual use.  While there is a reduction in enterprise features and there is no password/account authentication, the core functionality is all there.  There is a 500Mb limit on the amount of data you can process, but if you have half a gig of syslog/logfiles/etc. to parse a day, then you shouldn't be so cheap and should just buy a full license.  If you were paranoid, it would be very easy to bind the management port to localhost only, so that you would have to use an SSH tunnel into the box to be able to view any of the data.  I know that is pretty hokey, but it does work, with the caveat that anyone with account access to the box gets to see your data.  Beyond that you could always run Splunk within a virtual machine. 

Beyond the cool factor of being able to drill down into your data, it runs well on pretty anaemic hardware.  The server I installed this software on is cobbled together from remnants of several dead computers that are at least six years old, yet the response time from the database with around half a million events is surprisingly fast.  

February 23, 2012

SOHO Solution

For several years I was able to use a Netscreen-10 that I bought off Craigslist for the fairly simple network infrastructure at my house.  I needed to be able to deal with a few static IP addresses and a few custom rules for VPN traffic.  Up until about four months ago the pre-Juniper Netscreen-10 unit chugged along like a star.  I actually computed the MTBF for it, and it went three years beyond what it was designed for.  By the end it was crashing twice a day when my wife's VPN traffic was really heavy, so it had to be replaced.

So, my issue was what to replace it with.  Should I go with Cisco, Linksys/Cisco, Netgear or some other flavor of the week at Fry's?  What I ended up with is not what I expected.  I ended up loading Smoothwall on a mini-ITX based PC using an IDE to CF converter.  So I ended up with something that didn't cost me a penny (I already had the hardware lying around) and outperformed my previous installation. 

Smoothwall fit the bill and was free.  I'm sure that IPCop or m0n0wall would work just as well on the exact same hardware.  Smoothwall is pretty cool in that it provides a Snort engine for intrusion detection, which is really helpful in fending off cyber attacks.




December 30, 2011

QR Code Malware

You might have seen QR Codes affixed to advertisements in magazines or in public spaces.

They look a little something like this:

(Image: Spectrox URL QR code)

For the last several years they have been used to quickly transfer URLs, phone numbers and other types of information to people that use smartphones or PDA devices with cameras.  It turns out now that with the success of this format, people have figured out ways to subvert the system to send people to malware sites and other unsavory locations.  Dark Reading has a great article on how the system works and what is being done to use it for evil purposes.



November 13, 2011

Windows phone home

When you connect your Windows 7 or Windows Vista computer to a wireless hot spot or plug in your Ethernet cable, have you ever wondered how Windows knows whether or not you have a good Internet connection?  It is a pretty easy thing to take for granted, unless you start looking at your firewall logs.  The Network Connectivity Status Indicator (NCSI) service that Microsoft uses makes an HTTP connection to and transfers a text file called ncsi.txt.  An in-depth breakdown of the packets using Wireshark is available at the SuperUser Blog.  The blog also contains instructions on how to edit the registry to stop your system from phoning home.





October 24, 2011

Off the grid

Sometimes you need to get off the grid and have a bit of privacy.  With the proliferation of phones that don't have removable batteries, it becomes fairly difficult.  Many other technologies such as RFID are embedded in identification documents and credit cards.  It is easy to wrap up these items in aluminum foil or in RF blocking Mylar bags, but you risk being unfashionable or being branded a paranoid lunatic.  To control when and where your wireless devices can talk, a company called MIAmobi has created a fairly ordinary looking pouch that has a silver foil lining that blocks RF.  The company's website does not state specifics on the RF attenuation or the frequency range that it blocks.  A similar, less expensive, less fashionable bag can be had from Ramsey (yeah, the guys who make the FM transmitter kits), which is designed for cell phone forensic testing.




August 03, 2011

Reality is scary

The only true reality is that the only secure computer is one that isn't networked, sits in an alarmed room with no doors, and isn't turned on.  Given enough time and money ANY intrusion is possible.  Dmitri Alperovitch's post on McAfee Blog Central really hits the nail on the head:

"After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm."



January 23, 2011

What keeps me up nights

There are a lot of great tools for scanning your enterprise network infrastructure or for performing penetration testing, but some are getting fairly scary.  The PWNIE EXPRESS, which is an appliance based on the SheevaPlug, allows you to drop a unit on someone's private network to perform any number of functions, from legitimate penetration testing to real world hacking.  Physically this unit looks like a larger USB phone charger and can be plugged directly into the target's Ethernet network.  If the network is using simple MAC based network authentication, this unit can spoof the MAC.  If you use higher level port authentication, it wouldn't be very difficult to build a simple passive Ethernet receive tap with some scrap CAT5 and a few keystone jacks. 

All of that could have been built into a PC based implementation, but the scary thing is that there are versions of this with a cellular data back end as well as the ability to capture traffic and save it to a SD card.  So someone could plug in a unit like this behind a network printer, capture all the web traffic to and from a specific host.  If they didn't care about coming back to retrieve it later, something like this could be easily installed above a false ceiling or below a raised floor and controlled via a cellular connection.    



What is the big picture here?  If you have important data that you do not want stolen, be interested in who has access to your physical location and when people have access (not just people with tech jobs, but janitors, temps and other visitors).  You should also start thinking about using encryption internally as well as externally.  Do you ever audit your physical space and know what each piece of equipment does?  


January 12, 2011

Mark your calendars

The Internet Society has declared that June 8, 2011 will be "World IPv6 Day".


(Image courtesy of Brajeshwar Oinam on Flickr)

From their site:

"On 8 June, 2011, Google, Facebook, Yahoo!, Akamai and Limelight Networks will be amongst some of the major organisations that will offer their content over IPv6 for a 24-hour "test drive". The goal of the Test Drive Day is to motivate organizations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure a successful transition as IPv4 addresses run out."

I know, this is so incredibly exciting.  I guess it takes this kind of event to get people to set up IPv6 connectivity and put AAAA records on their DNS server.  I'm not sure that they will be able to outshine the press coverage of World Oceans Day, the Chemistry and Druggists Awards, or the famous Sugarcreek 5 Mile Trail Run.



December 16, 2010

Wide Open: On Purpose

There are many specialty Linux distros out there that are targeted at a specific audience.  In the spirit of Damn Small Linux (DSL), comes Damn Vulnerable Linux.  This is a Linux distro that has every conceivable exploit enabled.  It serves many purposes including testing a new IDS box as well as something to wager on (i.e. how long it would take to get a rootkit installed if it is put un-firewalled directly on the Internet).


(Photo Courtesy of Darwin Bell on Flickr)

While this is done on purpose, it evokes this quote from the movie Spaceballs:

"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

This is actually pretty old news, but I meant to post it a while back.  Just because it is old doesn't make it any less cool. ;) 


September 27, 2010

Evading anti-virus using the GPU

This article is very interesting.

From the paper's abstract:

"Malware writers constantly seek new methods to obfuscate their code so as to evade detection by virus scanners. Two code-armoring techniques that pose significant challenges to existing malicious-code detection and analysis systems are unpacking and run-time polymorphism. In this paper, we demonstrate how malware can increase its robustness against detection by taking advantage of the ubiquitous Graphics Processing Unit. We have designed and implemented unpacking and run-time polymorphism for a GPU, and tested them using existing graphics hardware. We also discuss how upcoming GPU features can be utilized to build even more robust, evasive, and functional malware."



May 27, 2010

Google Search with SSL

Google recently updated their servers to allow you to connect to the main Google search page over SSL.  While this gives you the ability to do initial web searches without being viewed by your employer or network provider between your computer and Google's server, it does not proxy the connection to the search results.      





April 29, 2010

BitTorrent Privacy Threats

While many organizations use the BitTorrent protocol as an efficient way of distributing large volumes of data (i.e. Linux DVD ISO files), others use it to distribute copyrighted or protected content.  With the large volume of users and traffic (from 27% to 55% of total internet traffic depending on geographic location), some users feel a sort of anonymity in all those numbers.  Researchers at the French National Institute for Research in Computer Science and Control (INRIA) collected 100 days' worth of BitTorrent traffic from one client machine and analyzed it.  Even when users were on anonymizing networks such as Tor, the researchers were able to retrieve as many as 70% of the original host computer IP addresses.  Mind you, this is not data collection at the center of the network, but data collection and processing from a leaf node of the network.  It is definitely worth a read if you are interested in internet privacy issues.

(Image: BT Swarm)

(Photo Courtesy of Travelin' Librarian on Flickr)


February 23, 2010

Rootkit security threats on Smartphones

Now that almost everyone has a Blackberry, Android, or iPhone, they are a tasty market for hackers trying to gain backdoor access to these smartphones.  The use of rootkits is increasing in this segment.  Rutgers Today has a great YouTube segment describing this threat.




November 06, 2009

Is your data protected?

When it comes to securing your data against losses, many people have a knee-jerk reaction to think about hackers or insider threats.  This is somewhat natural these days due to legislation like HIPAA, which mandates various controls for confidentiality and integrity.  What many people don't think about these days is a full scale breach of availability (as well as total data loss).

This video shows what can happen in minutes.  While not every organization needs a full scale disaster management plan, this is the prime example of why you have current off-site backups.  Usually the fire isn't what destroys your server farm, it is the water damage after...



August 12, 2009

Cleaning up after the GeekSquad

The best part of being the resident IT person in a family is that at every family event and trip you get to evaluate and fix people's problems.  While you can slice through the sarcasm in that sentence with a knife, I really don't mind all that much, as I don't want my family's identities to be stolen, and to be fair they do and have done some amazing things for me (take care of our son, took care of me for my first 18 years, and well... gave birth to me).  Apparently they didn't embiggen my ability to not write run-on sentences.

My in-laws recently moved from the third world ghetto of marginal 21.6kbps dial-up to the first world suburbs of fast cable modem broadband with one of those triple play packages.  Their local provider is Comcast, who I dislike greatly from past encounters, but I was willing to have an open mind due to their high speed connectivity.

When I plopped down in front of the computer, the first thing I noticed was that it was incredibly slow.  Without going into the back story, Comcast contracted out with the GeekSquad to install their service.  The GeekSquad proceeded to connect an unpatched Windows XP Home system directly to an Internet connection that was not firewalled and on a public IP address.  While this is fairly negligent, this is where BestBuy/GeekSquad really missed out.  They could have easily sold them a broadband firewall and another gig of RAM.  But instead it falls on me to go install a hardware firewall and pull a bunch of rootkits off their machine.  What a missed marketing and sales opportunity.

July 27, 2009

Happy Birthday Unix

It is hard to believe that Unix is 40 years old!  How time flies.  Pretty soon it will be buying a red sports car and picking up operating systems half his age.  What a cad!


(Photo Courtesy of prettydaisies on Flickr)


July 13, 2009

Flighty data

According to an article in NetworkWorld, over 12,000 laptops go missing in airports around the United States every week, with 1200 just at LAX.  The thought of outright theft or some other sort of loss is quite unnerving. 

(Image Courtesy of dklimpke on Flickr)

If you travel often there are several things you can do to mitigate the security risks.  If you don't care about your privacy and would just pick up another laptop at Costco or Fry's if you lost it, you can skip this article.  The first item is the backup.  Everyone talks about it, but most of the time people don't do it at all.  There are several online backup services that allow you to back up securely (at least for personal data) over the Internet using an automated client.  At a minimum, make a dump of your data files to a thumb drive or DVD every month or so.  If you can't afford to be without your data, you can't afford not to back up.

The next issue is privacy.  Who owns the data on your laptop?  Do you have proprietary data that people would want to buy?  Do you have embarrassing photos from your buddy's bachelor party saved on your laptop?  Do you have personal information that could lead to your identity being stolen?  If so, you should consider full disk encryption.  While it does take some processor overhead, it is worth the extra processor cycles for your data's protection.  Microsoft has its new BitLocker technology in Windows 7 and Server 2008 R2, PGP has full disk encryption for the Mac and Windows, Check Point has full disk encryption for Mac, Windows and Linux in its Pointsec software, and there are also free open-source alternatives such as TrueCrypt.  These products render the data on your laptop useless to anyone who wishes to get the content off the machine.  You may lose the monetary value of the laptop, but usually that is much easier to bear than losing millions of customer records or your unfiled patent application.


April 17, 2009

I tweet a spy!

With more and more people using Twitter as a fun Web 2.0 communication tool, it is becoming a mainstream way of talking.  For some people it is becoming an addiction and supersedes e-mail and instant messenger as a way to communicate in groups.  Hey, if the President used it and the NASA Mars Rover is using it, it must be great, right?

Enter TwitterSpy, a cool mashup application that takes the raw public Twitter feed and allows you to filter it for content or context.  Michele Marcucci created this incredibly addicting application as a practical application of her knowledge.   


Be careful what you tweet, as there are more people than just your close friends watching!  Remember, the walls of social networking are very thin, and can be redefined by the service provider at their whim. 

April 15, 2009

Free resources for secure web browsing (in insecure locations)

If you travel often, this scenario pops up often:

You get free access to the internet at a hotel or coffee shop, but worry about people sniffing the connection.  

Even when you use SSL, it is a pain that people can do a traffic analysis on your surfing, attempt a session hijack based on your credentials, or even worse, act as a man-in-the-middle and log every bit of your surfing.  Many corporate entities require the use of a VPN to tunnel all internet traffic through the headquarters network connection, so they can filter traffic the way they want to and do their best to protect your system from malware and probing.

If you are trying to be secure on a budget, one solution that I've worked with requires three packages.

In this scenario, you install Privoxy, which works as a personal web proxy, on a *nix or Windows machine that resides at your home or office.  That same machine will also need to be running an ssh server.  Depending on your network architecture, you'll either need a firewall rule to allow port 22 (ssh) through to that machine, or if you have a NAT in place, you'll need a PAT or pinhole to that system through the firewall.  (If you choose to use a port other than 22, you will receive far fewer port scans and hacking attempts on your system.)

When configuring Privoxy, you'll want to select the loopback address and some high port such as 8000 or 8888 to connect to Privoxy through.  In the version I have, the default is port 8118.  The reason that you would use the loopback address is that Privoxy will then only accept traffic from inside the machine.  If you have the SSH server on another machine, you'll want to use the address of one of the Ethernet adapters instead.  On many Linux installations, you'll be editing /etc/privoxy/config:

#        a snippet from /etc/privoxy/config
#        listen-address


At this point you should have the firewall configured, a ssh server running, and Privoxy up and running.

The next step is to connect to your ssh/privoxy machine over the internet.  In this example we'll use putty under win32, but you could be on OS X or Linux and use ssh at the command line to do tunneling.


Once you have that ssh connection up and running, you'll need to connect your web browser to the proxy server.  On your side you'll be using your own IP loopback adapter at  Normally you would NOT want to check the box that states Local Ports accept connections from other hosts, unless you are trying to provide proxy services to a large number of machines through one ssh connection.

You can manually setup a proxy server in Firefox or IE, but I prefer to use Foxyproxy, which allows you to change settings on the fly, or also do proxying based on specific traffic rules.  So if you want to visit without going through the proxy, but only go to through the proxy, you can do that.  If you have limited upstream bandwidth on your privoxy host, this may be a good solution.

Configuration of Foxyproxy is fairly simple.  Once the add-on is installed, you'll want to create a new proxy entry.  That entry will point towards port 8888 (or whatever port you have chosen).  Once it is saved, you can turn the proxying on and off by using the right mouse button on the menu on the lower right hand side of Firefox.  You can create some fairly complex patterns for web surfing, but that is beyond the scope of this posting.  





So, what do we get from this?  If someone is sniffing your home connection, you are out of luck.  But if you configure the connection as I have described, every web site you surf to will be tunneled through your ssh connection, then proxied by the Privoxy machine.  If you have other applications that run outside of your browser, you may have to reconfigure them to point to the localhost proxy on your machine so that they will be secure as well.  Someone sniffing your connection will just see ssh traffic from your machine to that host and nothing else.  Even if someone is running a rogue WiFi AP so they can perform a man-in-the-middle attack, all they will get is a bunch of garbage from your ssh connection.
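The same setup from an OS X or Linux command line, as an added example (not code from the original post, nor from Privoxy or PuTTY): tunnel_cmd builds the ssh port forward with the local end bound to loopback, which is the command-line equivalent of leaving the PuTTY "accept connections from other hosts" box unchecked, and check_privoxy_listen reads a Privoxy config and flags any listen-address that is not loopback, since a non-loopback bind would turn the home box into an open proxy.  PROXY_HOST, PROXY_USER, SSH_PORT and LOCAL_PORT are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: command-line version of the PuTTY
# tunnel, plus a sanity check on the Privoxy listen-address.
# Placeholder assumptions: PROXY_HOST, PROXY_USER, SSH_PORT, LOCAL_PORT.

PROXY_HOST="${PROXY_HOST:-proxy.example.net}"   # the box at home/office running sshd + Privoxy
PROXY_USER="${PROXY_USER:-me}"
SSH_PORT="${SSH_PORT:-22}"                      # use your non-22 port if you moved sshd
LOCAL_PORT="${LOCAL_PORT:-8888}"                # what FoxyProxy / the browser points at
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"            # Privoxy's default listen port

# Build the ssh command.  Binding the local end to 127.0.0.1 means only programs
# on this laptop can reach the tunnel (the PuTTY "Local ports accept connections
# from other hosts" box left unchecked).  -N opens no remote shell; the session
# exists only to carry the forwarded port.
tunnel_cmd() {
  printf 'ssh -N -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
    "$SSH_PORT" "$LOCAL_PORT" "$PRIVOXY_PORT" "$PROXY_USER" "$PROXY_HOST"
}

# Read a Privoxy config on stdin and report every listen-address that is not
# loopback.  Privoxy bound to 0.0.0.0 or to an Ethernet address answers anyone
# who can route to it, i.e. an open proxy, which is exactly what hiding it
# behind ssh is meant to avoid.  Returns 0 if every bind is loopback, 1 otherwise.
check_privoxy_listen() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      listen-address*) ;;          # the directive we care about
      *) continue ;;               # comments, blank lines, everything else
    esac
    set -f; set -- $line; set +f   # split into directive and address, no globbing
    case "${2:-}" in
      127.*|localhost:*|\[::1\]:*) ;;                              # loopback forms
      *) echo "non-loopback listen-address: ${2:-<missing>}"; bad=1 ;;
    esac
  done
  return $bad
}

# Run as:  sh tunnel.sh --connect   (then point FoxyProxy at 127.0.0.1:8888)
# Check the server side with:  check_privoxy_listen < /etc/privoxy/config
if [ "${1:-}" = "--connect" ]; then
  exec $(tunnel_cmd)
fi
```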

April 14, 2009

Absolute Data Destruction

Some people like to work in absolutes.  They don't want to have a high statistical likelihood that data is unrecoverable, they want that data gone with 100% certainty.  Beyond smelting, most of the methods for the destruction of hard drives and other storage media include secure overwriting or degaussing.  To fill the gap, Data Devices created the Model 0301 Hard Drive, Laptop, and Cellular Phone Shredder.  The behemoth eats electronic devices and digests them into small bits of robot poop.  You have to see the video to get the real feel for this thing.

February 28, 2009

Who watches the watchmen (or your baby monitor)

Recently I had a discussion about video baby monitors with a neighbor.  I mentioned that we had bought a unit that digitally encrypted the video and audio stream, so that creepy people would not be able to watch our baby sleep.  They seemed to think that it wasn't such a big deal and that you would need a lot of equipment to spy on your neighbors.  To rebut this I have two items that are freely available in the United States for a minimal cost.  Both of these items can be outfitted with higher gain antennas to allow for long-range monitoring and reception of video signals.


  • The discontinued ICOM R3 scanner with Video (About $400 USD on eBay)
  • The AOR-STV Unit.  At approximately $900 USD, this thing can view any NTSC or PAL nannycam, baby monitor, backup camera, or analog wireless camera in production. 


(Image: AOR STV unit)

January 22, 2009

Windows 7 - Better than Beta

Over the past week I've been spending some time using and abusing Windows 7.  I'm in a period of readjustment right now, as I was using Ubuntu 8.10 as my main Internet surfing operating system for the last two months.  As many of you know, the Windows 7 public beta program allows free downloads for evaluation.  I've been working with the 64-bit and 32-bit versions on several different boxes.  While the O/S has been really great on newer (less than 18-month-old) hardware, running Windows 7 32-bit on the minimum configuration (1GHz processor and 512Mb RAM) is like self-administering a colonic using kerosene. 

(Image: Windows 7 info)

I'm not trying to convert anyone here, but I'm mildly impressed with how stable it is on current hardware.  The driver base for older peripherals is going to be somewhat limited, but I'm sure that with time Windows 7 will have just as broad a driver base as XP does.  In my limited, totally non-scientific evaluation I would recommend Windows 7.  I need to spend some more time with the security subsystem, as well as testing application performance of things that I use on a daily basis.  Bottom line is that if your application runs on Vista, it will most likely run just fine on Windows 7.  If it does not run well, install Virtual PC 2007 or VirtualBox and run a virtual instance of Windows XP inside Windows 7 for your legacy application. 




And in addition... somewhat interesting... the first Windows review, ever.

October 20, 2008

QWERTY security

Absolute security is a myth.  Most laymen would think that just because a computer device is wired it has a higher level of security.  In most cases this would be true, but in the shadowy world of corporate espionage the stakes have gone one higher.  The Security and Cryptography Laboratory (LASEC) of the École Polytechnique Fédérale de Lausanne recently released a paper called COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED KEYBOARDS.  While this is not big news in the TEMPEST world, it is an eye-opener for most businesses.  The range of keyboard technologies affected, as well as the distance from which keystrokes can be read, is really quite impressive.


(Photo Credit: Andrew* on Flickr)

In a nutshell: Your hard wired stuff is not safe, but it never really was.  Try to mitigate your risks as much as possible and stay informed.



October 09, 2008

Online photo safety / Identity Theft

I was searching through Flickr today and was looking at some ultrasound images of babies that are right about as far along as ours.  Some really nice shots (32,515 of them actually).  And then I gasped.  Did they?  Yes, they did.  


Parents, don't post ultrasounds on public forums with the Social Security Number of the mother attached.  I know this sounds pretty basic, but some people may gloss over it without thinking.  The hospital can protect your information under HIPAA, but once you put it out there, there is nothing they can do to help you.  Even if it is just your name, a random billing code and the medical facility name, why even risk identity theft?  There is no excuse on Flickr, as you can use Picnik (a great online photo editor) to edit it out or just crop it.  


September 03, 2008

All that glitters isn't Chrome

The big buzz for the last few days has been the newly released Chrome browser from Google.  In a nutshell it is pretty slick.  On Windows XP it renders pages as fast as Firefox 3.0 and performs 2 to 3x faster than Safari.  All the normal websites I go to render just fine and work like a charm.  The only issue I ran into was with Flash video playback not working as well as it should (chunky like a monkey).


On teh interwebs, they are saying that there might be security issues in regards to the version of WebKit that Google used to build Chrome.  Specifically, a bad guy could run JAR files on your system without asking for your permission.  It doesn't pay to be an early adopter, I guess.  You can bet that Chrome would be the future browser of choice if you are a Google suite user.



August 27, 2008

ASCII Art as the new SPAM

Just when you thought that your SPAM filter was up to spec, there is a new form of unsolicited e-mails on the horizon.  Using ASCII art based SPAM, it is possible to make graphical images, like the one below and embed them in an e-mail message.  You can block inline images in the email or HTML attachments, but this poses a bigger problem. 


August 19, 2008

Gmail insecurities

For those of you who use Gmail or have Google accounts that allow you to access Google Analytics or Adsense, you might want to take note.  In a few days an exploit will be released that will allow people to access your account by using trivial and easily sniffed information.  (Article Here)  The fix is pretty easy... turn SSL on. 

Step 1. Go to to access your Gmail settings.

Step 2. Select the Radio Button to enable SSL.


Step 3. Profit?!?!



July 17, 2008

Open Source software for tracking stolen laptops

The Adeona project at the University of Washington provides an interesting software package.  The Adeona client allows a user to track the whereabouts of their laptop in a secure manner, but without spending money on a monthly service.  While you get what you pay for, one of the cool features is the ability to use Apple's iSight camera to take a snapshot of the thief. 




July 15, 2008

Countdown to owned

The Internet Storm Center at SANS recently did a study of the survival time of an un-patched, un-firewalled, and un-NATted Windows machine on the Internet.  It is no surprise that the time it takes to get completely owned is around 4 minutes.  Sort of amusing in a really sad way. 


July 12, 2008


I was just reading an article in Government Technology about the so-called Generation 2.0 phenomenon of Millennials. (Article Here)  The article pretty much breaks down into two sections, the first being about the security risks that are brought up by the computer savvy youth, and the second being the different work styles and habits of this generation. 

The first item begs the question: If your information is so confidential, why do you not have a stricter risk mitigation process in place already?  You can blame the 20-something guy that likes to frequent Facebook and MySpace for malware or data loss, or you can address these issues with policy and technology.  Educating the users as to what sites are appropriate for work, and helping them understand your security policies and computer use policies, can go a long way.  The issue is this: How many environments are running with close to zero security controls because they are "behind the firewall"?  Internal threats are more likely to cause data theft or loss than visiting a web popup, but unless you have the proper anti-virus/anti-spyware and access controls set on your network, you are skating on very thin ice.  Technology such as virtualization can allow users to be connected to several different networks from the same terminal, but without the data mingling between networks.  When the internet virtual machine gets infected with some trojan, just reload it and be on your way.  If you are concerned about employees using too much bandwidth for YouTube and other pipe cloggers, set bandwidth limitations at the firewall.

People are going to violate IT policy.  People will destroy your data out of spite.  People will steal your data for small sums of money.  Your job in the CXO position is to be flexible enough to understand how to leverage policy to fix some issues and technology to solve others.  In this day and age, people are afraid to fire people for blatant violations of company policy.  When an employee's behavior threatens day-to-day organizational operations, it has to be taken seriously.  I don't mean an environment of fear, but an environment where the employees know that their web usage can be monitored, so hey, try to do some work most of the time.  Whether it is Millennials or the parents of Millennials that have gotten some great IT training at home, put into place policy and infrastructure that is blind to age, gender, race and all that good stuff.

As for the Millennial working style: so they hop around from job to job...  I thought that was how Gen-X was characterized.  So they multitask...  if that is an efficient way of doing work, who are you to judge?  As the old saying goes, the proof is in the pudding; if this generation is willing to implement a new version of the American work ethic and be successful in their endeavors, huzzah!  If not, never fear, a whole generation of workers in China, Russia, India, and dozens of other countries with highly educated workforces will come and fill the gaps.  While I would hate to see a generation of unemployed folks that just don't like working, sooner or later they will realize that nobody REALLY likes working, then they'll figure out that you need money to do things, and then to get money you have to work.  And so the cycle of selling out to "The Man" continues.   

Don't be scared by the iPod, iPhones, skinny jeans or social networking.  The thing you should be worried about is the core business and the bottom line.  The working environment constantly evolves socially and technologically, sometimes with both happening at the same time.  



July 09, 2008

DNS Cache poisoning and a tool to check for it...

Recently a DNS cache poisoning vulnerability has put many Internet Domain Name System servers at risk.  The risk spans multiple operating systems and multiple DNS implementations.  DoxPara Research has put together a web based tool (on their main site), which allows you to check your upstream DNS server for the vulnerability.  I'm sure that patches will be coming soon from many vendors, but at least until then you can monitor your network traffic for suspicious behavior.  Below is an example from a machine at home:


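The DoxPara check, and what the post suggests monitoring for, comes down to whether your resolver randomizes the source port and transaction ID of its upstream queries; this added example (not from the post or from DoxPara) reads those two values off tcpdump-style lines from the resolver's own outbound port 53 traffic and grades them. The capture lines, resolver address and root server address are constructed sample data.

```python
"""Grade a recursive resolver's source port randomization from its own traffic.

The 2008 cache poisoning flaw is far easier to exploit against a resolver that
sends upstream queries from a fixed or sequential source port, because the
attacker then only has to guess the 16-bit transaction ID. Added example, not
the post's or DoxPara's code; every capture line below is constructed.
"""
import re

# tcpdump -n prints an outbound query roughly as:
#   07:46:15.000000 IP 192.168.1.1.53210 > 198.41.0.4.53: 41265 A? host.example.com. (30)
# Only the source port and the transaction ID matter here.
QUERY_RE = re.compile(r"IP [\d.]+\.(?P<sport>\d+) > [\d.]+\.53: (?P<txid>\d+)\+? ")


def parse_capture(lines):
    """Return (source_port, txid) for each outbound DNS query line."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def assess(lines):
    """Summarize port/ID diversity and return a coarse verdict."""
    pairs = parse_capture(lines)
    ports = [p for p, _ in pairs]
    n = len(ports)
    distinct_ports = len(set(ports))
    distinct_ids = len({t for _, t in pairs})
    # Longest run where each source port is the previous one plus 1: the
    # signature of a resolver that hands out ports sequentially.
    longest_run = run = 1 if n else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest_run = max(longest_run, run)
    if n == 0:
        verdict = "NO DATA: no outbound queries found"
    elif distinct_ports == 1:
        verdict = "POOR: fixed source port"
    elif longest_run >= 5:
        verdict = "POOR: sequential source ports"
    elif distinct_ports >= 0.9 * n and distinct_ids >= 0.9 * n:
        verdict = "GOOD: source ports and IDs look randomized"
    else:
        verdict = "WEAK: low source port or ID diversity"
    return {"queries": n, "distinct_ports": distinct_ports,
            "distinct_ids": distinct_ids, "longest_sequential_run": longest_run,
            "verdict": verdict}


def make_capture(ports, txids):
    """Build constructed tcpdump-style lines; this is not a real capture."""
    return [f"07:46:{i % 60:02d}.000000 IP 192.168.1.1.{p} > 198.41.0.4.53: "
            f"{t} A? host{i}.example.com. (30)"
            for i, (p, t) in enumerate(zip(ports, txids))]


# Three constructed samples: fixed port, sequential ports, randomized ports.
TXIDS = [41265, 2213, 60012, 9981, 30457, 17734, 51009, 3860, 46122, 25590]
FIXED_PORT = make_capture([32768] * 10, TXIDS)
SEQUENTIAL = make_capture(list(range(1025, 1035)), TXIDS)
RANDOMIZED = make_capture(
    [53210, 7781, 61940, 20015, 44932, 10277, 58801, 3346, 37519, 27064], TXIDS)

if __name__ == "__main__":
    for name, cap in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                      ("randomized", RANDOMIZED)):
        print(name, assess(cap)["verdict"])
```

On a real box, feed it the output of `tcpdump -n udp dst port 53` taken on the resolver while it answers a few dozen uncached lookups.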



June 12, 2008

A Study in Network Intrusion

Recently Verizon did an analysis of 500 network intrusions to see if they could determine if there were any major trends.   I found these items from the overview the most interesting:

  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

  • The study’s findings show a marked increase in the number and type of international incidents. For example, attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East. Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems.


April 21, 2008


Over the past few years I've been meaning to evaluate Splunk's main product, a log aggregation and analysis tool by the same name.  Oftentimes as a sysadmin, you have makeshift tools due to budget limitations or other types of hardships.  Many places I've worked have had enterprise level network monitoring capabilities, but unfortunately were monitoring the wrong things.  The items of the most importance on a day-to-day and hour-to-hour basis were done in shell scripts or manually at the command line.  What Splunk does is give you the configurability of the command line, but packages it up in a nifty web based GUI that allows you to drill down to specific problems (and see the log entries associated) or just skim along at the 40,000-foot level through graphs and charts.

I recently built a new Ubuntu server box at home (from completely anemic old hardware) and decided that I'd try out Splunk.  Even with the most minimal of hardware Splunk was up and running in no time at all.  From downloading the Debian install package to fully functional was about 25 minutes.  My system load churned for about an hour at around 2.0 while all the /var/log and other directories were indexed and pulled into the Splunk database.  It is pretty amazing, as the base version of Splunk can access anything that is local to the system, so if that machine is your syslog server, you can correlate error events over a large network in no time at all.

In the picture below you can see the log entries for a brute force attack against my ssh server (from host, which is probably just a hacked intermediary host).  Using Splunk allows me to drill down to see specific attacks by type or host, by very quickly changing the query statements.


Below you can see the ebb and flow of 'page not found' 404 errors on my webserver.  I recently started hosting a domain that had been down for about a year.  That domain hosted a bunch of jpg files, which were linked to by some idiot myspace page designer.   Once I track down the individual files that are linked to, I make a symbolic link to this file


In the extended entry, I've copied the output from the install.  Just make sure to limit access to port 8000, or whatever other port you'll be using, as there is no access control in the demo version.


In a nutshell, Splunk is like a Swiss Army knife that you never knew you needed, but now you crave.  While it works great as a near real time system monitoring tool, you can also import files from anywhere and process them for historical data.  It would make a great tool for network forensics timeline reconstruction as well as a fine day to day IT operations tool.  I'm sure that there are millions of other things that can be done with this, but just being able to grok so much data at one time is like having some sort of sysadmin super power.



April 14, 2008

Another great Anti-Malware resource

SRI International has made their Malware Threat Center available to the general public.  This site contains constantly updated information about the status of attacking hosts and bot-net clusters.  They provide information on the best signatures for IDS systems as well as pre-built router commands to block infected hosts from contacting your systems.  This site is definitely worth a look.



April 08, 2008

Label your media!

If you work with sensitive data and your facility allows removable media such as thumb drives, you might want to look into these units.  At Ease has a selection of appropriately colored USB thumb drives that are labelled properly for the data that is contained within.  It makes a user think twice before leaving a secure space with sensitive info.  While this doesn't afford you any specialized data encryption, it does lead to a higher awareness for the user.

Secure Thumbdrive 


April 03, 2008

Purloined WiFi

Open WiFi connections abound in any major metropolitan area these days.  Recently there have been several articles in regards to local laws regulating the "stealing" of WiFi from unsuspecting neighbors.  While local municipalities can make laws in regards to this, here are the problems that I have with these statutes.  First of all, the locality does not have the authority to make regulations in regards to the transmission of wireless signals; that is left to the Federal Communications Commission (look it up, it has been that way since the Communications Act of 1934).  Wi-Fi falls under Title 47 CFR Part 15, which designates it as an unlicensed service.  Since the wireless link itself has no "real estate" or exclusive license for the spectrum, you would need to prove that:

  1. There was due diligence to lock down the access point with WEP/WPA or some sort of encryption or access control.
  2. There was a theft of services (i.e. bandwidth caps were exceeded, customer charged for overage)
  3. Or there was a denial of service (i.e. user could not access the bandwidth that was paid for)
  4. Or there was malicious and/or nefarious network activity going on (i.e. surfing kiddie porn from the SUV or running a spam server on your internet connection)

A municipality that tried to prosecute someone in their car surfing WiFi would have an easier time accusing the suspect of some sort of physical trespassing or loitering.  Beyond this, unless the accused was stupid enough to say "hey, I'm stealing that signal", the municipality has no probable cause to search the computer or to detain them.  Who is to say that your proximity to a WiFi source isn't coincidence and you are just surfing the web through a 3G cellular connection?

Here is an analogy:

If you ran an extension cord to your front lawn and connected a landline phone, and then a passerby used that phone to make a call to a local number or toll free long distance, are they committing a crime?  You have made your connection accessible and they have not incurred any costs associated to your account.  Who then is to blame?






March 24, 2008

When you can't melt it or crush it.


How often do these scenarios come up?

  • You want to donate a home PC that is a few years old to a charity, but you've processed your income taxes and other personal sensitive information on it.
  • You have to return a computer furnished for a project by a consulting customer at the end of a contract.  You had to run/develop proprietary software on that machine that is not included in the end deliverables. 
  • You have a new computer that you want to sell after reloading the OS, but you want to make sure that any personal information processed on that machine cannot be accessed later.  

One simple choice for the x86 crowd is Darik's Boot and Nuke, aka DBAN.  This bootable Linux CD is distributed as an ISO file.  So all you need to do is burn it to a CD, boot it up, and trash all your data.  While the wiping algorithms are very effective, if you need 100% risk avoidance, the best option is still pulling the drives out and smelting them into slag.

DBAN is totally free, but if you have a business need that requires U.S. DoD 5220.22-M, Sarbanes-Oxley, HIPAA, or FISMA compliance, you might want to try the supported version called EBAN, or Enterprise Boot and Nuke.

My old light weight favorite, Autoclave, was discontinued by the University of Washington in 2002, but still works really well on older machines (i.e. pre-Y2K) you may have that can only boot from a floppy disk drive.

March 07, 2008

False Alarm

This morning I was minding my own business when I received an e-mail from my firewall stating that:

From: firewall@teh.internet.tubes
Subject: NetScreen Mail Alert

Alarm Logs Reported From: homefirewall
Event Alarms:
   1. 2008-03-06 07:46:15 system-alert-00008:  IP Spoof, From 86.117xx.xx/1031 to 205.181.yy.yy/2746, protocol UDP (i/f trust) occurred 2 times

I'm thinking to myself, "oh crap, I've got malware", or even worse, "oh crap, I've got a misconfigured intruder".  I'm quite used to folks on the internet trying to portscan my network, but traffic originating on my home network is a whole different game.

I calm down for a second and search for the netblock owner of the IP address range.  I calm down even more, as it turns out to be my wife's laptop VPN trying to connect and pass traffic back to the corporate office in Switzerland at the same time.  I am quite calm now, and sip my delicious Nespresso.  All is good in the world once again.
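
The triage above (is this spoofed source address a VPN client I know about, or a host I need to look at?) is easy to script once you keep a list of the VPN address pools that legitimately appear behind the trust interface. This is an added example, not code from the post; the pool names, subnets and sample alert lines are constructed placeholders using documentation address ranges.

```python
"""Triage NetScreen "IP Spoof" mail alerts against known VPN address pools.

A NetScreen raises system-alert-00008 when a packet arrives on an interface
with a source address that does not belong behind it. On the trust side that
is either a compromised or misconfigured host or, as in the post above, a VPN
client whose virtual adapter carries a remote corporate address. Added example,
not part of the original post; pool names, subnets and alert lines are
constructed placeholders (RFC 5737 and RFC 1918 ranges).
"""
import ipaddress
import re

# Ranges that legitimately show up as sources behind the trust interface
# because a VPN client's virtual adapter uses them (constructed values).
KNOWN_VPN_POOLS = {
    "corp-ch-vpn": ipaddress.ip_network("198.51.100.0/24"),
}

# Field layout follows the alert line quoted in the post.
ALERT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system-alert-00008:\s+"
    r"IP Spoof, From (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"protocol (?P<proto>\w+) \(i/f (?P<iface>\w+)\) occurred (?P<count>\d+) times"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None for any other log line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("sport", "dport", "count"):
        alert[key] = int(alert[key])
    return alert


def classify(alert):
    """Label a parsed alert by where its spoofed source address falls."""
    src = ipaddress.ip_address(alert["src"])
    if alert["iface"] != "trust":
        # Internet-side packets claiming an inside address: routine noise
        # that the firewall has already dropped.
        return "external-spoof-attempt"
    for name, pool in KNOWN_VPN_POOLS.items():
        if src in pool:
            return "known-vpn:" + name
    # Anything else leaving the LAN with a foreign source address deserves
    # a look at the originating host.
    return "investigate"


def triage(lines):
    """Map each IP Spoof alert line to (src, dst, label); skip other lines."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            out.append((alert["src"], alert["dst"], classify(alert)))
    return out


# Constructed sample alert lines in the NetScreen mail alert format.
SAMPLE_ALERTS = [
    "2008-03-06 07:46:15 system-alert-00008:  IP Spoof, From 198.51.100.23/1031 "
    "to 203.0.113.45/2746, protocol UDP (i/f trust) occurred 2 times",
    "2008-03-06 08:02:41 system-alert-00008:  IP Spoof, From 10.9.8.7/4444 "
    "to 203.0.113.45/53, protocol UDP (i/f trust) occurred 1 times",
    "2008-03-06 08:10:03 system-alert-00008:  IP Spoof, From 192.168.1.50/1025 "
    "to 192.168.1.1/80, protocol TCP (i/f untrust) occurred 5 times",
    "2008-03-06 08:11:00 system-alert-00016:  Port Scan From 203.0.113.9/3221",
]

if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE_ALERTS):
        print(f"{src:>16} -> {dst:<16} {label}")
```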

March 05, 2008

This Summer's Forecast: Brownouts

As Winter turns to Spring, and Spring into Summer, data center managers in California have one thing on their minds: rolling blackouts.  Whether it is unseasonably hot this year in California or just regular, make sure your UPS batteries are fresh, your diesel tanks are full and your web browser open to the California ISO: System Status page.  It is your taxpayer dollars at work, use it!



Link Here. 

February 27, 2008

A Safer DNS


Recently we have been hearing more about phishing and redirection attacks on internet connected client machines using hacked DNS or DHCP servers.  Perhaps you have reason to distrust the security of your network provider's DNS, or you are just fed up with advertisements popping up when you mistype a URL.  One service that allows you to receive DNS service separate from your network provider is called OpenDNS.

They have instructions for using their service on Windows, Mac, Unix/Linux boxes and DSL routers, as well as for pointing corporate internal DNS servers at their service. 

I have found that this service works on most ISPs, but sometimes if you are at a hotel or Wi-Fi hotspot that requires logging into a captive portal for payment, authentication, or to validate the terms of service, you may need to use their DNS first before switching the settings. 

While you would have to put your trust in the providers at OpenDNS to keep their DNS servers hacker free, I would rather use their service than rely on some random DNS server that is handed out over a free WiFi connection.  This is not to be construed as an endorsement, but I have been happy with their free service.  There are a ton of other services out there, or you could even build your own recursive DNS server that resolves from the root servers, but this solution is pretty mindless and mitigates a lot of security concerns.

IP addresses to use OpenDNS:

  • - Primary
  • - Secondary 

February 04, 2008

You go, Tae Bo, Meebo!

Wow, what a terrible title, eh?  My 8th grade journalism teacher would frown upon such terrible usage of alliteration.  Anyways... those who have the pleasure of working with me directly know that I love Meebo's service.  Being able to aggregate all of your various IM accounts into one web interface is pretty awesome.  Many organizations have explicit policies regarding usage of P2P and instant messenger applications.  While it is a matter of semantics, it allows you to do your personal or work related IM activity on a computer that you wouldn't want to install an IM client on.  The Meebo Repeater software package can allow you to do IM'ing from places where meebo and other services are blocked at the firewall or internal proxy server.  Doing IM from random web cafe locations can be a bit safer using Meebo instead of using the IM software loaded on the systems on site.  I had used Trillian, GAIM and Pidgin extensively in the past, so I didn't know what to expect.  The fact that meebo uses a heavily modified GAIM as part of their infrastructure lends credibility to how awesome their service is.  

Meebo Screenshot from their photo stream

(image courtesy of the Meebo Flickr Photo Stream) 

I don't use their add-on toys, Meebo rooms or chatlog features, but I can see that many people would find them interesting and/or useful.  If I am at a location in which I want to get on the Internet, but don't have my laptop with me, my method of choice is to boot up a system with Knoppix or Damn Small Linux, then use Firefox to get to Meebo.  DSL will actually fit on a thumb drive as well, so you can carry a clean operating environment on your keychain.


February 01, 2008

Probing for fun and profit

While those that are sysadmins might already know the wonders of nmap, not everyone has had the pleasure of using this tool.  You know, it's the tool that totally l33t haxorz use to track midget spies and to hack into the matrix.  A computer security consulting firm called Sectegrity has provided a nice service by giving a web interface to nmap and several other probing tools.  They have things configured to only probe the host that you are accessing their website from, so you cannot light up someone else's IDS or cause widespread panic. 


Of course other tools like Gibson Research's Shields UP service can do similar things, but it doesn't give you the command line output, so you can't feel like you are hanging out with Sandra Bullock in The Net.

