Monday, May 31, 2010

Capture files via SMB with Wireshark!

Taddong Security blog: new plug-in for Wireshark

I'm going to have to try this on my home network.  Wireshark is one of the great tools that you can never spend too much time in.  There's tons of options and capabilities, now just to figure out how and when to use them all.  I have heard from reputable sources (former coworkers that I'd be happy to have a beer with), that the book on the left is the one to get if you really want to understand how to use Wireshark.  I may be visiting Amazon soon... :-)

Chris
LABrat.com

Friday, May 28, 2010

Menard's EZ-Sell EZ-purchase kits (EZ-Build, EZ-Frame), not EZ put together

This is another rare personal post.  We spent a lot of time talking about the inadequacies of this kit, so I thought I'd put down some thoughts for others to glean from.  InfoSec/tech stuff will continue in the next post.  Promise.

A few weekends ago I went to my parents and helped on a project to replace a rotting out shed and put together something that looks like the picture on the left, sans the window.

Here's the link to the kit itself, sold through home improvement store Menards:
Midwest Manufacturing - E-Z Frame Yard Barn - 12'

Our experience with this was not great.  The instructions were, by their own words, suggestions of what kind of a shed could be built with the materials and sketches they provided.  The key things that need to be remembered with this build, in my opinion, is:
  • You'll need to do some guess work on what their directions mean
  • You'll need to reinforce their joints for the peak and floor "joists"
  • You'll need to reinforce the floor even if you've reinforced the joists
  • Use screws where you can and not the nails that came with the "kit"
  • Materials are not cut for you
  • You may have lots of spare parts/wood left over
  • How to build a foundation is up to you and the instructions are going to be hard to plan from
There were more issues, but I forget them all.  Let it be said that you're probably better off building one from scratch.

Chris
LABrat.com

    5 million hours of work devoured by Google Pac-Man

    Five million hours of work devoured by Google Pac-Man

    I knew this was going to happen, so its nice to see some good estimates.

    I'm still glad they did it. :-)

    Chris
    LABrat.com

    Facebook's New Privacy Guide Explained

    Facebook's New Privacy Guide Explained

    Now that Facebook has heard lots and lots and lots of feedback from users about their over-engineered security controls, they've gone and changed them.  Hopefully for the better.  The new, simpler controls are due out soon, so this article talks about what to expect and what you may consider changing when they do become available.

    Edit: And if you still want to nuke your account and leave Facebook all together, here's a nice article about that too. :-) Fed up with Facebook? Delete your profile, and here's how

    Chris
    LABrat.com

    Thursday, May 27, 2010

    Revisiting Ranum's "The Six Dumbest Ideas in Computer Security"



    A friend of mine reminded me about this article recently.  The funny thing about this is that he wrote this 4 1/2 years ago, and some of these things are still true. 


    1. "Default Permit" - I think this is changing.  We saw this with Win2008 having reduced features turned on by default. 
    2. "Enumerating Badness" - I think organizations as a whole would rather target "badness" than defining "goodness", but its a never ending challenge of trying to find all "bad".  While its challenging, you have a much better chance at enumerating your own "goodness".  The problem with this is that companies have to want to have positive control over their environment, which is entirely dependent on senior leadership in a company, and their support of senior IT leadership.  "The first lesson in management is that its always your fault."
    3. "Penetrate and Patch" - While I think security reviews of code are more common now than in the past, they're not as common as necessary.  We need better education at the collegiate level and then continuing education to hammer good programming practices into the heads of developers.  They need this because it has to be second nature to develop secure code.  Just like in IT Operations, frequently best practice and security principles go out the window when there's an urgent deadline or political pressure to get something implemented.  These guys and gals that write code need to do it securely, in their sleep, if we're going to get ahead of the "penetrate and patch" methodology.
    4. "Hacking is cool!" - I think this has changed some.  I read an article just recently about how articles and media that sensationalize suicide frequently leads to copycat and higher incidents of suicides.  This changes, though, when the right people say the right things at the right times about the incidents.  The point is that while the popular attitude is that hacking is cool (I'm one of them, admittedly.), the consequences need to be stressed more.  I think we've seen this more too.  We haven't had a good "hacker" movie in a while.  Coincidence?
    5. "Educating Users" - This is a constant problem because education itself is challenging.  Can you think of a time when it was easy to take an entire organization and get everyone thinking the same way?  If it was procedural, sure, "follow the tail in front of you" like a pack mule on the trail.  "Step1, complete this step and move to Step 2."  The primary challenge with educating users is that because of #2 above, we expect them to make decisions, on the fly, and then not give them good options to choose from.  Educating users should be based on what the company wants them to DO, not what it wants them to feel.  Make it actionable, make it relevant, make it about the company and what the company wants them to do.  As InfoSec people, we are frequently crossing the line between company threats and overall, personal information management threats.  We need to keep company education to company education and leave the personal InfoSec advice to the media and water cooler conversations.  Its not that hard, we just need to commit to clear messages and expectations of the users.  That, of course, relies on whether management has figured out #2, above, though.
    6. "Action is Better than Inaction" -  Ranum is right on with this one.  Early adoption of technology is a gamble.  Some companies are more risk averse than others.  Sometimes when you gamble, you win and sometimes you lose.  IT Operations runs more smoothly when things are predictable.  Which is going to lead to predictability and therefore more secure?  You guessed it, "pause and think".  The problem is if your company is run by sales, sales people and market timing, "pause and think" isn't going to go over well, unless you have strong senior IT leadership, and management above them that's going to let them run the IT show.  I've seen "pause and think" work much better than gambling on IT.  This is still a big issue in corporate America as a whole I think.
    What do you think?

    Chris Grant
    LABrat.com

    Wednesday, May 26, 2010

    Man infects himself with computer virus - Security- msnbc.com

    Man infects himself with computer virus
    Update: Engadget article

    Of course, the news makes this more sensational than it is, but the fact that implanted/embedded chips in people could be used to transport data and therefore malware is very real.  Additionally, software being used to manage biological functions within people also need to be scrutinized by the vendors.  And, of course, the best way to do this is to make sure that there's a review by industry experts, not by using some proprietary method of protecting the system/chips/data.

    Kinda funny that I'm commenting on this, now that I think about it, given my domain name, LABrat.com. :-)

    Chris
    LABrat.com

    Tuesday, May 25, 2010

    Hotmail Gmail Security Features

    ZDNet article: Hotmail's New Security Features vs Gmails Old Security Features

    I'm assuming that Hotmail is trying to add features that Gmail has, in order to keep its userbase.  Funny thing is that I didn't realize that Gmail had some of these features:

    • SMS password recovery options
    • Security Alerts in real-time if your account has been compromised
    I do like Hotmail's addition of a single-use passwords sent to you via SMS.  That's pretty clever.  SMS is pretty secure for the average user, so this seems like a great solution to add to the other SMS options.  More and more banks are turning to SMS as well.

    I like the author's suggestions though that someone should offer single-use, disposable accounts, ala mailinator.com, paralelling credit card companies.  I think Discover did that first.  And when will they catch up with PKI capabilities/offerings?  Google could make it a Labs feature and keep it in Beta forever, and that would be fine...

    Chris
    LABrat.com

    Happy Geek Pride Day!

    One of the poster boys of geekdom, Sheldon Cooper from The Big Bang Theory.

    I'll be celebrating by watching a few missed episodes of BBT and Chuck. :-)

    Chris
    LABrat.com

    Vulnerability Scanning Do's And Don'ts - DarkReading

    Vulnerability Scanning Do's And Don'ts - DarkReading

    This is a pretty good article about the "gotchas" around vulnerability scanning.  Its not as simple as firing up a scanner and have it comb your company's entire class A subnet.

    Here are the things I look out for when performing vulnerability scans on the organziation:
    • legacy hardware/software, such as mainframes, miniframes - I've tipped over some mainframe programs with nessus, back in the day
    • small software/hardware vendors - I've tipped over a database High Availability solution before with nessus
    • sizing of network connections and the size of your scan - don't saturate your network links
    • choose a maintenenace window or an off-production time to run scans
    • make sure you notify people that you're scanning
      • don't assume that your scan won't be noticed
      • don't assume that your scan won't cause an issue
      • people like to be notified should they notice something odd
    • make sure that people are available, should you knock something over, and/or test the system once your scan is done to ensure that the services come back or are still functioning appropriately

    Chris
    LABrat.com

    Saturday, May 22, 2010

    Even with Steam, Mac isn't a gaming platform like Windows is

    Arstechnica: Mac lags Windows in gaming performance, excels at stability

    So the Mac isn't for a hardcore gamer, but it appears that if you want to play games for long periods of time, a Mac might be the better way to do it, at least when you're using Steam.  What I find interesting about this is that they're committed to getting games running faster on the Mac, which is a real niche market.  Secondly, that they're probably going to reach that goal faster than improvements that are necessary on Windows, due to the proliferation of inumerable hardware vendors and configurations.  I hope for the best!  It would be great to have Apple as a reasonable gaming platform.  Not that I'm a gamer, but it removes one more argument from the Mac vs Windows debate.

    Friday, May 21, 2010

    Google has an SSL version of their homepage!

    Hey, hey, Google now is offering up https://google.com/ so you can do your searches wrapped in SSL rather than the normal, non-SSL way.  This will protect you if you're not running through an proxy server with an SSL cert you trust and not if you're the victim of SSL MITM attacks or well, you get the picture.  Its good.  Just check your SSL cert to make sure you're talking to Google directly and that your root CA certs on your box haven't been modified. :-)

    Chris
    LABrat.com

    Google's homepage has a playable version of Pac-Man!!!!!!

    I kid you not!  Just go to Google.com today and click on the logo on the top.  http://google.com/

    That is aweosme!!!

    Chris
    LABrat.com

    Wednesday, May 19, 2010

    ReclaimPrivacy.org | Facebook Privacy Scanner

    ReclaimPrivacy.org | Facebook Privacy Scanner

    Given the changes in Facebook privacy settings recently, you really should take the time to go check how your information is being shared.  You can do this through slogging through the Facebook privacy settings, or if you know you want to lock things down, go and let this free, open source Facebook Privacy Scanner take a look for you and then fix things if you want to.

    Well worth the look.
    Chris
    LABrat.com

    Monday, May 17, 2010

    Symantec triggers on World of Warcraft update

    Another AV false positive affects gamers this time instead of companies. This time its from Symantec and it flags update files created by World of Warcraft. Doubt we'll hear much about this in the mainstream press, but we'll see commentary in the InfoSec circles.

    Symantec triggers on World of Warcraft update: "We have had a couple of reports over the last 24 hour of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new which is a component of World of Warcraft. "

    Chris
    LABrat.com

    New HTML Version Comes With Security Risks Of Its Own - DarkReading

    New HTML Version Comes With Security Risks Of Its Own - DarkReading

    I commented about HTML5 being touted as the answer to the next generation of web apps (think Web 3.0), but while it may solve Adobe Flash problems, it may create other challenges, such as client-side data issues that could be accessed through SQL injection, apparently.  Good article.

    Chris
    LABrat.com

    Sunday, May 16, 2010

    For Security Pros, Building Vendor Relationships Is A Lesson In Diplomacy - security business/Security - DarkReading

    For Security Pros, Building Vendor Relationships Is A Lesson In Diplomacy - security business/Security - DarkReading

    John Sawyer writes about the common challenge of discussing an organization's security posture and tools with security vendors. I'd add to this and say that your organization should have a standardized approach to dealing with any and all software vendors. Sales people and vendors want to know what you're running so they can launch a full on attack at what's wrong with your current environment. Do this, first decide what problem you're trying to solve, then secondly, talk to vendors. This way you will know what you're trying to do and you'll be able to critically evaluate whether that vendor's solution is going to answer your need. Because of this, you won't need to listen to what will likely be irrelevant sales jargon dealing with other vendors and be able to focus and concentrate on your own issues, rather than the marketing hype.

    Chris
    LABrat.com

    Wednesday, May 12, 2010

    Fail: Volvo Collision Detection System (video)

    Sometimes technology doesn't work and doesn't work at really embarrassing times. Volvo demonstrated their Collision Detection System for the press, although it didn't work quite as described when it came to show time.


    This is a good lesson in technology.  Its really cool and sophisticated, but in order to make it consistent, there needs to be a lot of testing, and more importantly, you should have a backup plan and not rely on one technology entirely.  Backup plan: person watching the road and using the brakes!

    Chris
    LABrat.com

    Personal: My sister is in New York Times Magazine!

    This is a departure from my norm, because I'm proud of my sister.  So sue me.  Tune in later for more InfoSec stuff if you can't stand it.  :-)

    My sister, Stephanie Grant is in a New York Times Magazine article about paying off debts and net worth.  Its a good read.  
    And here's her blog: Superpositron

    Edit: and she's on the front page of the NYTimes.com site! :-)

    Chris
    LABrat.com

    Tuesday, May 11, 2010

    Sound familiar to you and your enterprise? IE6 hard to kill


    IE6 is what's holding us all back, honestly.  Security fails on PCs because of IE6 and so does full adoption of Web2.0.  With HTML5 as the new standard that creates new opportunities for full, rich web apps (yes, I' m sure security isues too), can we please stop using IE6?

    Application vendors, please, please, please, update to IE8 or Firefox 3.6?

    http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=224701008

    Chris
    LABrat.com

    Month of PHP Security has started

    Long one of the most favored OSS projects, PHP has provided new web content and capabilities for a long time.  One could even argue that PHP made Web 2.0 possible.  Well, all of that speed and urgency for providing features has left the code buggy.  Imagine that...


    Here's the start of the Month of PHP Security [issues]:
    Bugtraq: http://seclists.org/bugtraq/2010/May/61


    Chris
    LABrat.com

    MSFT releases two Critical patches today

    http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx


    Yes, two patches, both critical and both remote code execution capable.  One for Windows 2000 all the way up to Windows 2008 R2 and the other for Office XP-2007.


    A patching we will go, a patching we will go, high ho the dairy-o....oh, sorry.


    Chris
    LABrat.com

    Monday, May 10, 2010

    Regulating the Internet


     It seems that there might finally be a solution to the problem of regulating the Internet.  In recent years, large providers have pushed their limits on whether or not they can govern how users utilize their service.  People like Comcast have determined whether or not they would allow Bittorrent traffic, and to what extent, meaning how much bandwidth is a user allowed to use.  As an ISP, it wasn't regulated like a phone company or a cable provider, which seemed accurate not but not "right".  Soon, the FCC will have the ability to regulate ISPs and then enforce new rules, including preventing them from summarily dismissing certain classes of traffic, presumably.  All in all, this is probably a good thing for net neutrality efforts.

    FCC outlines new 'third way' internet regulatory plan, will split access from content

    Chris
    LABrat.com

    Thursday, May 6, 2010

    Flash drive with fake Facebook login...

    I find myself thinking "does anyone fall for this stuff?"  Well, obviously the answer to that is "YES!!"  Uh, yeah, don't just use something because someone tells you.  People, wake up, this stuff isn't real!!! :-)

    Sunbelt Blog: Facebook Remote Login + Flash drive = stolen credentials



    Chris LABrat.com

    Securing WHS and your network


    Home Server Land: Securing Your WHS and Network

    This is 16(!) part series published by HomeServerLand.com, a site that I just recently discovered and its pretty extensive.  I'm a little confused on whether its developed and maintained by HP or not.

    Most of the content is in the form of PDF documents of risks to running your own IT and how it fits into using your WHS box.  I imagine you could use this to evaluate if you have any of the issues and some suggested ideas of how to remedy them.  What this does not do a good job at, however, is really getting into a discussion of how this all fits together so that someone could make these types of decisions in the future.

    Certainly this is something that the small business owner or uninitiated home IT person could use to review their overall security posture and make some changes.  Fortunately, WHS alone is pretty secure.  Its just when you start asking it to do a bunch of other things with add-ons and treating it like a standard Windows Server that you start running into security and stability issues, in my opinion.

    YMMV :-)

    Chris
    LABrat.com

    Hackers and Hollywood

    This is a great site that ties all of those information security cult-like "hacker" movies together and starts to look at them as a whole, looking for trends and what a "Hollywood hacker" is compared to what they actually are. 

    Damian Gordon's Hacker Movies

    At the very least, its a way to get a shopping list for information security-related movies and movie clips! :-)

    Chris
    LABrat.com

    Wednesday, May 5, 2010

    You may have noticed...I moved to Blogger.

    Hey all,

    As you may have noticed, I moved from e107 to Blogger for LABrat.com.  I did this for a few reasons. 
    1. I vowed to update LABrat.com with more blogging content.  I need to write more.  I enjoy writing and enjoy information security, so the end result is that I needed to get on my web site more and make it more useful, hopefully.
    2. There are no blogging add-ons for web browsers for e107.  Because they are a 2nd/3rd tier product, add-ons to make blogging easy aren't easy to find, if there are any. I spent some time looking but kept running into Blogger and WordPress add-ons.  This makes accomplishing goal #1 of writing more on the blog significantly more challenging.  Blogger provides simple things like a javascript bookmark to use, an IE 8 "Accelerator" and a Word add-in to make it easy to write a blog post about a link.  Third parties have also provided nice hooks and add-ons to allow blogging easily, such as ScribeFire.
    3. e107 is a 2nd or 3rd tier CMS/blogging platform.  Yes it has many more capabilities than a standard blog, that's true.  Its not great at any of them, its just good at most of them.  I used the forums for a while.  I used the custom pages/menus/etc for a while.  In the end, I found that I really just wanted a blog and didn't have a need to provide a forum.  Again, more of a CMS platform than a blogging platform, like I was trying to make it into.
    4. e107 has only had security and base maintenance updates in quite a while.  New development seems to be stalled.  If you're into php and MySQL this could be the system for you, but its not for someone who's ready to move into blogging only. 
    5. I no longer have to pay for running a Linux host with a MySQL database.  This is a minor issue since it was something like $50/yr, but certainly it can be listed as an advantage to save money.  We'll see if I actually get rid of my hosting provider or if I keep it around in order to have a real web server that I can use to host files in a pinch.
    6. Blogger seemed to be more streamlined and less complicated than WordPress.  I had considered WP on my hosting provider but I ran into another stumbling block with using WordPress.  1&1's hosted MySQL was too old to install the most recent (and therefore most secure) version of WP.  I can't install an old version of software, knowing there are security issues with it.  It goes against my nature. (I found out later that my podcast and almost lifelong buddy, Nem, would have hosted a WordPress site for me on his hosting provider.  Who knows maybe Blogger won't work out.  I have a backup plan. :-) )
    7. My sister (http://superpositron.blogspot.com/), soon to be featured in a New York Times Magazine article(!), and my good friend (http://moener.blogspot.com/) are both using Blogger.  Not a huge factor, but helped me think about it.
    8. Blogger is run and managed by Google, which I'm already using on a daily basis for my Google Apps hosted email for my family.  This also means that there's a built-in community of users that already have gmail or google accounts that can comment on content without creating yet another login for another web site.  Something I know I enjoy very much (not as bad now that I'm using LastPass.com for many sites).

    So, that's it.  Thanks for reading.  Explore, contribute, have fun.

    Chris

    DNSSEC and you...do not panic

    DNSSEC...not a bang but a whimper?

    This SANS Diary entry points out that there will be changes in the root DNS servers soon that will spell the beginning of the end for the threat of DNS cache poisoning, by way of signed responses. There is a lot of FUD around the change in DNS to utilize EDNS, but the reality is that if systems don't support EDNS they will fall back to regular DNS.

    Monday, May 3, 2010

    Be like Bond, electric lock pick rocks your locks!


    You too can act like a super spy like Chuck, for example, with this super duper auto-lock picking tool.  Just like on TV! :-)  I didn't realize these things actually existed.

    Saturday, May 1, 2010

    Apple and MSFT really like HTML5 and not Flash

    Both Apple, Steve Jobs specifically, and now Microsoft, not Steve Ballmer specifically it was Dan Hachamovich general manager of IE, have said that Flash isn't cutting it on the mobile phone or regular PCs, for that matter.  HTML5 with the H.264 codec is the future.  Its going to be built into IE9 natively, actually.

    Its about time there's some standards here.  Flash, Silverlight, Shockwave, QuickTime, etc.  Hopefully in the future we'll get a reprieve from loading all of this other software that could have security issues into our boxes.