Sunday, October 3, 2010

missing sound on virtualbox

So I have a Ubuntu 10.04 host that has a Windows 7 Enterprise guest that has no sound because the Multimedia Audio Controller driver isn't auto-detected by Windows. The solution is to update the driver with the Realtek driver as told by the following blog.

Woo hoo, sound! Now to plug something into the speaker/headphone jack. :-)


Tuesday, September 28, 2010

Virtual box error NS_ERROR_FAILURE (0x80004005)

Yesterday morning I got the following error message on my Ubuntu 10.4 host, trying to start up my Windows 7 Enterprise (64-bit)Virtual Box guest.

Virtual box error NS_ERROR_FAILURE (0x80004005)

The short answer is to run

sudo '/etc/init.d/vboxdrv setup'

The results are the following, after which the VMs fire up just fine.

cgrant@desktop:~$ sudo /etc/init.d/vboxdrv setup
[sudo] password for cgrant:
* Stopping VirtualBox kernel module * done.
* Removing old VirtualBox netadp kernel module * done.
* Removing old VirtualBox netflt kernel module * done.
* Removing old VirtualBox kernel module * done.
* Recompiling VirtualBox kernel module * done.
* Starting VirtualBox kernel module * done.

Tuesday, August 10, 2010

InfoSec monitoring in the hands of non-InfoSec people

Here's what happens when you give a non-InfoSec person the tools without giving them the training and the duty that comes along with being a professional.

Girl quits her job using a whiteboard, pictures and email

Don't get me wrong, its funny, and we see this type of web usage in companies more often than not, but her conduct was still not professional. She may not be as trusted in her new job.

Saturday, August 7, 2010

Google Android apps ‘collecting personal data’

This article isn't that surprising. I'm actually surprised that its not more of an issue, meaning that we've not seen web browser history being sent back and even keyloggers being put into Android apps. With the proliferation of smartphones and people's shift to performing more and more financial transactions through their phones, this is the next ripe target for malware writers. It would seem that they've largely stuck to writing malware (viruses, keyloggers, etc) for the Windows population, but writing apps for Android apparently is quick and easy. AND there's little scrutiny to getting an application into the Google Marketplace.

Maybe Apple's model of tight control over their store is good, it just has to be tuned to look for security issues. It would be great to have a set of tools/apps that they could run an app through as a security assessment and evaluation to whether or not this application needs to gather phone numbers, voice mail numbers, etc. Control, document and push back if there's no logical reason why this information needs to be gathered. Doing this would protect the users and be doing a service to the #1 smartphone OS being sold at this time.

Sunday, August 1, 2010

The new Facebook issue is the same old Facebook issue, yet again

The Facebook Data Torrent Debacle

Security dude, Ron Bowes, did a couple of notable things. He programmatically gathered, or harvested, names and profile links of 171 million Facebook users. This was publicly available information so he did not have to break into anything to do this. He simply wrote a script to plow through all of the data he could find through Facebook's public profile directory. He then took it and provided a way for people to download the large amount of data that he gathered.

The media (I guess me too at this point) latched on to this and started talking about it. While this is interesting data, the fact of the matter is that it shouldn't be that surprising. If you've made your data public, then that means that people will be able to see it. The fact that only about a third of the total number of Facebook users are in the directory should tell you that many people have changed their settings to prevent this. If you don't want people to see your information, change your permissions so they don't. Or, as always, don't use social networking sites all together if you don't want to be discovered online.

My last thoughts on this are more from a core information security operations perspective. It would seem that Facebook doesn't have anything in place to detect large scale probing, scanning or harvesting data from their sites. There doesn't seem to be any sort of traffic analysis or monitoring of their internet property to detect when someone is working to gather all of the information they can from their site. Facebook seems to have faith in the code that their publishing to the Internet is solid and secure, and that only the information they are intentionally sharing is the only information they're actually sharing. Because of this, I guess they wouldn't necessarily need to have this level of visibility or awareness, but when is the last time any developer or company was 100% sure of their Internet-facing applications and what vulnerabilities they have? Could they have prevented this? Should they have prevented this?


Wednesday, July 28, 2010

Combining Google "mere mortal" accounts with Google Apps accounts

Looky, I'm posting under my own LABrat account on Blogger!

This has been possible as a result of new efforts from Google. It hasn't been set up globally, but you will soon be able to use more of Google's apps through your own Google Apps hosted domain. If you've never been exposed to how Google Apps work, they had offered a stripped down set of their services aimed at enterprises, or what they thought enterprises would want. For instance, Google Reader, and Google Voice wouldn't allow you to log in, even though you knew that your accounts were "Google accounts", their systems differentiated between a normal, public Google account and a Google Apps account. Google is now finally getting around to offering other services for their Google Apps customers.

From an Information Security perspective, there's some things to consider. You are now tying more and more services to one login/userid. This means you're putting all your authentication and authorization for all those services into one basket. Do you trust Google? Do you trust that the security of your userid/password is good? Reminder, they were recently the target of an attack by the Chinese government where source code was stolen for their authentication system, or so the news media outlets report. That being said, and maybe I'll regret saying this, but I'm not too concerned, given these types of events tend to create change within a company. Why does it take something really bad to make people pay attention? I'm not sure, but its human nature and happens, over and over again (*needs citations :-) but I'm sure you also recognize this).

The whole Google/Google Apps account authentication merger is still in beta, but transitioning data/accounts seems to work okay, although each service has its own way of doing things. Like Blogger, for instance, I just had to set up my account and then give it admin rights. Google Voice requires you to do a transfer from one account to another, which according to their instruction page, isn't actually supported for Google Apps accounts. So, they'll need to clean up some things.

Anyway, I'm glad to see that this is happening. Makes my Google life a lot easier.


Friday, July 23, 2010

Making all your mailto: links work for Google Apps hosted email

So, one of my users on my personal Google Apps domain (my Dad) asked the same question that I had written off as a normal inconvenience of using web-based email.  Not having an actual, physical application my desktop to associate with the mailto: links on webpages means that every time I click on a link an unconfigured Outlook fires up.  Annoying.  And then my Dad asked me about it, so I had to get to the bottom of this.

After a little searching I found that there is Gmail Notifier and other like applications, but they seem to only work with Gmail accounts, not Google Apps hosted email accounts.  Then I found this article, which I'm summarizing and reprinting, just in case the Google Support Forum goes away, and to make this easier to find in search engines.

Edit the following text and make it into a reg file before applying it by replacing with your Google Apps hosted email domain.

Windows Registry Editor Version 5.00

@="URL:Mail Protocol"
"URL Protocol"=""



@="rundll32.exe url.dll,FileProtocolHandler"






"URL Protocol"=""



@="rundll32.exe url.dll,FileProtocolHandler"

Save the above text as a .reg file. Then double click on it to import it into your registry.

Lastly, go into your Internet Options in Internet Explorer and change your default MAILTO application to the new Gmail application.

All done!


Monday, July 19, 2010

Fresh security feature in the new Android 2.2

Fresh security feature in the new Android 2.2
I meant to blog about this a while back.  It looks like Android phones are prepping to become enterprise-capable, given the addition of centralized controls over security features.  Does anyone know if these have been incorporated into any commercial software?  I would hope that Exchange would soon be able to control Android phones as well as iPhones and Windows Mobile, as they do now.


New logo and CafePress store, now open! :-)

I've put together a CafePress store of the new logo you've seen on the site put onto various gear, so if you're a fan, you can buy stuff through the store with my logo on it.  I know there's tons of other things they make, but my logo, as is, only really looks good on things that are white.

Anyway, check it out. Gear at CafePress

Tuesday, July 13, 2010

How to tell the difference between Geeks and Nerds

I hear today is "embrace your geekness day".  I'm not sure if that's true or not, but regardless this is a pretty good WikiHow article about the definition of Geeks and Nerds.  I think the Internet as a whole is coming to some more solid definitions of what a geek is and also what a nerd is.  Geeks rule!

My license plate on my vehicle has GEEK on it. :-)


Somewhere 'security by obscurity' actually helps: power grids

As it turns out, the old 'security by obscurity' approach does actually work in some place, like electric power grids.  This Wired article talks about what it would really take to manipulate electricity in the United States.  While its not insurmountable to achieve domination and control over the power distribution system, it takes a whole lot of knowledge that your'e not going to gain through casual reading at home.  This was a good read.


Wednesday, July 7, 2010

How to be a better spy: Cyber security lessons from the recent russian spy arrests

How to be a better spy: Cyber security lessons from the recent russian spy arrests: "On Monday, a number of Russian nationals got arrested for espionage against the US [1]. With all the talk and attention paid to cyber spies, spear phishing, APT and new high tech satellites and drones, it is almost refreshing to see that good old fashioned human spies are still used and apparently"

This was interesting and pretty good.  Now that the information is public, however, the spies are going to learn to cover their tracks better.  Thats the risk of information sharing.


Wednesday, June 23, 2010

OpenDNS creates FamilyShield service

OpenDNS: Introducing FamilyShield Parental Controls

Previously to this, you had to sign up for an OpenDNS account, which could be a bit confusing and challenging for a regular home user.  To quote OpenDNS' Facebook comment: Its a "pre-configured, no-account-required way to use OpenDNS, with adult site blocking, phishing and malware protection on by default." 

OpenDNS is a great service.  It hasn't gotten more press, because there's only so much you can do with DNS, meaning you can do content filtering on individual URLs.  Unfortunately, that's going to be an issue no matter what, though, because other content filtering solutions won't filter out individual YouTube videos, individual MySpace profiles or other social networking / content sites.  OpenDNS is fast, effective and efficient.

I've put it on my kids' machines and its easy to get a whole house set up by simply configuring your router to point to the OpenDNS servers. 

FamilyShield’s IPs are:

In the words of Tony the Tiger, "Its great!".


Friday, June 18, 2010

Follow up: the script that harvested iPad owners' email addresses

Praetorian Prefect | 114,000 iPad Owners: The Script that Harvested Their E-mail Addresses

If you're even curious about how someone could write something to take advantage of a web site, like AT&T's and their recent iPad owner email address debacle, Praetorian Prefect got a hold of and subsequently published the code that was used to harvest 114,000 email addresses of iPad owners.

While I'm not a developer, I have a lot of respect for those that are.  Reading through this, even if you're not a developer, you can see how it works.


Thursday, June 17, 2010

How you can tune IIS to help with SQL injection issues

Given all the press around SQL injection and IIS sites recently, I thought I'd cover the topic.

The first thing to do is grill your vendor about the security of their product.  Ask them if they have processes in their development team to check for opportunities for SQL injection.  Ask them if they've had their application systematically tested using one of the many source code scanners.  Ask them if they've had a third party validate their application, or if they've had a penetration test done.  These same things could be used for an internal development team to ensure code and applications that end up being published to the Internet, or internally(!), are protected from attacks of this nature.

While there isn't much press for SQL injection on internal web applications, think about how damaging those could be?  Is there a web-based database internally that, if compromised or published on the Internet, would lead to damage to your reputation or, even, compromise your clients accounts?  Its worth checking to see if your internal apps have SQL injection issues too.

This link I ran across might be helpful for people running IIS.  Even if you have apps that you have no control over, you may be able to prevent SQL Injection through tuning IIS.  How IIS can help with SQL Injection

As a side note, I've also used software-based application firewalls, like eEye SecureIIS, to help protect applications running on IIS.

What have you done that's worked to prevent issues with your IIS-hosted applications?


Tuesday, June 15, 2010

The end of the Mac is near? iOS devices king

This recent Newsweek article "R.I.P., Macintosh" has me thinking about whether Apple is going to continue to release new laptop and desktop hardware as well as their (now) "classic" operating system, OS X.  The author, Daniel Lyons, makes a great point by saying that Apple has entirely ignored any of their traditional hardware platforms in favor of updates to the iPhone, release of the iPad and shifting consumer focus to their mobile operating system by renaming it then calling a press conference to discuss it. 

I hope for the best and fear the worst, but suspect that there could be an exit strategy here for Apple.  Shifting their focus to their proprietary devices (sound familiar) and away from the hardware and software that have become largely commodity gives Apple the ability to keep tight control over everything that goes onto their systems.  No longer do they need to be associated with Open Source, no longer do they need to be associated with standard Intel processors and motherboards.  They can double their efforts into making proprietary hardware with proprietary operating systems.

I'm not excited about it.


Thursday, June 10, 2010

iPad owners' iTunes email accounts exposed iPad owners' iTunes email accounts exposed

1) Find AT&T web site that shows iPad user info
2) Guess the "secret" numbers for iPad SIM cards
3) Write script to do this over and over, really fast
4) Profit!

The lesson learned isn't necessarily the obvious ones of writing secure code, or authenticating people to a web site.  The lesson here is DON'T ASSOCIATE YOUR PERSONAL STUFF WITH YOUR WORK EMAIL!  Sheesh.  Why do people do this?  Keep work email for work and keep personal email for personal things, including your freakin' iPad.  Email address are cheap and easy. 

Managing two email addresses isn't hard either.  Really, its not.  Don't try to convince me that it is.  Use the tools you have available to you and creat filters, create rules, unsubscribe from and resubscribe to things and get it done.  This kind of thing will continue until people separate work and personal technology use out.  It puts you at risk and it puts your company at risk, just like this. 


Wednesday, June 9, 2010

New IIS / ASP.NET hack...114,000 sites!

securi: Mass Infection of IIS ASP sites -

According to securi via Google searches, there's 114,000 sites that have been hacked in the last day, all pointing to malware hosted at  "it looks like a SQL injection attack against a third party ad management script."  If you can't get into the site itself, hack the third party app that's putting code on these sites too.  Clever but not unexpected. Be very critical of the third-party apps you use on your site, including advertisers.


Monday, June 7, 2010

Test drive: LastPass for IE / Firefox / Windows Mobile / Android A closer look at LastPass

I've been using LastPass for a bit now and have been pretty pleased with both the security model and the capabilities of the tools they provide.  I have to agree, though, that its not for the technically challenged because there's little help to understand the user interface or the whole package.   LastPass can be confused by a site, for example, asking you to save things under similar names of other sites you've already saved, but lets talk about the software and then we'll get into the issues.

First thing to understand is that LastPass is designed as a major enhancement to the functionality of what web browsers already have built into them, password saving functionality for web sites you visit as well as storing other information you'd use on the web in a secure manner.  There are several nice things about how LastPass does it, however.
  • available on tons of mobile devices, web browsers and operating systems including IE, Firefox, Chrome and mobile devices (mobile devices are part of Premium services, $12/yr at this time)
  • your web site / password database is synced across all platforms
  • all passwords are encrypted on the local system, so no passwords are stored at, just the encrypted bits
  • stores shopping "profiles", as I'll call them, including your shipping and credit card information, if you choose to keep it there
All that being said, however, LastPass is not a direct replacement for something like eWallet, KeePass or Password Safe, which are all designed to manage lots of tidbits of information.  I have used all three of those products before LastPass and found eWallet most to my liking because it would allow me to easily store and categorize things like SSNs, VINs from my vehicles, frequent flier numbers, gym locker combinations, etc, into one application and storage place.  LastPass is geared almost exclusively to web sites and only has one option to store "Secure Notes" for absolutely anything else.

Testing LastPass on 2 mobile devices, Windows Mobile 6.5 and Android 2.1, the mobile UI needs some help too, although all my information was there, so I guess I can't complain too much.  The automatic web-fill options are not available on mobile platforms because they don't have the browser hooks for add-ons that are available on full-fledged PC platforms.

In the end, I have mostly migrated my eWallet information to LastPass.  I had several, several things that didn't import correctly, but upon emailing technical support, they had a developer contact me directly and we worked over several email dialogs to resolve issues with the import  of the eWallet export file.  eWallet is a lot more polished, but doesn't offer a toolbar to generate and capture passwords/logins.  I hope LastPass improves through interest/development.  There's a lot of promise here.


Sunday, June 6, 2010

Guess what? New patch for Flash, Acrobat and Reader

This just in yet another vulnerability and therefore another update for Flash ...AND... Acrobat and Acrobat Reader.  Another day, another issue with one of the pieces of software that gets installed on systems within the first wave of software installs (Office, Firefox, Flash, Acrobat, etc .)  Maybe its time to look for alternatives to Acrobat Reader for PDF files.


Friday, June 4, 2010

Default Database Passwords Still In Use - DarkReading

Default Database Passwords Still In Use - DarkReading

In my experience, developers and database administrators are the first to not be exited about good information security practices, so this article does not surprise me at all.  I've been thinking of figuring out how to write a nessus module and make sure the Oracle default passwords are all included.  I should double check the ones that are already in it, but I know there's room for improvement, for sure.


Employees Put Personal Security, Interests Above Company's, Survey Says - data leak prevention/Security - DarkReading

Employees Put Personal Security, Interests Above Company's 

Surprise, surprise.  The lesson here is that if IT doesn't answer the needs of its customers, namely the employees, the employees will turn on them and start to create their own "creative" solutions.  The only way to make an enterprise truly secure is to make sure that people are also involved in protecting the data.  The only way to do this is to meet their needs, or at least listen to them, as well as making sure yours are also satisfied.


Thursday, June 3, 2010

New Mac malware - OSX/Onionspy

SANS: New Mac malware - OSX/Onionspy

Yes, as Macs become more popular, malware is going to be written for them.  Two more things that make this even more interesting is in the comments of this SANS Diary article.  #1) it would seem to detect and remove it you have to buy the anti-virus software of the company that discovered the malware.  #2) the last comment seems to indicate that the makers of the malware have read the SANS Diary article and are stating that more malware for Macs is going to be released soon.  Not trying to spread rumors, fear or panic, but maybe its about time to start investing in anti-virus for your Mac.


Facebook “joke” leads to firing.

SANS: Facebook “joke” leads to firing:
About: Firing Dispatcher for Facebook drug joke

This is a sign of the times.  When social networks and off-of-work comments lead to trouble at work.  There is some sage advice from Marcus Ranum (writer of firewalls and legendary IDS products) who said recently "If you don't want to make something public don't blog, facebook, tweet, or otherwise publicly announce it! Three people can keep a secret if two of them are dead and nobody has published it
on the Internet for all their 'friends' to see."


SPAM pretending to be from Habitat for Humanity

SPAM pretending to be from Habitat for Humanity

Now this is just sad, but unfortunately, crooks will try anything to launder the money, including impersonating a reputable, good charity.  They're not trying to ask for your donations, they're trying to get you to receive money and then send it back the crooks.

This is inline, however, with what the crooks are focusing on these days.  Finding ways to move the money they've gathered through renting out botnets or the like, and getting it to them without their real names being used.  In the middle is unsuspecting "money mules" that receive money from one source and are willing to send it out to someone else.  The "mules" can believe they have, technically, not done anything wrong, but are then accessories to a crime.


Wednesday, June 2, 2010

Technology News: Community: Should Hacking Be Encouraged?

Technology News: Community: Should Hacking Be Encouraged?

What makes geniuses smart?  What makes a child successful at learning new things?  I'd argue that they're good at recognizing and learning new patterns.  Think about it a little.  Humans are, by nature, pattern matching machines.  Something happens, we learn from it, it happens again, we react the same or differently based on whether the result was desirable or not.  This is true in life and in learning.  I've found the most clever people in the world seem to be adept at learning new systems and then using all that built up knowledge about how things work to extend existing "patterns" into new patterns, new ideas, new products, new systems.  Hacking is simply a way to understand a pattern of something and see if some of the other "patterns" of breaking things apply, hopefully, leading to a new product or system that doesn't fail in those conditions.

Even if we're talking about "hacking" in the "clever manipulation of something to do something other than its original intended purpose", we should encourage the process of thinking outside the box and coming up with something new, interesting and creative, albiet in a legal way. :-)


Hacking The Security Infrastructure - DarkReading

Hacking The Security Infrastructure - DarkReading

It is interesting to note that now we've moved from hacking OSes, to hacking applications, to hacking security consoles.  This goes to show that you can find security holes in just about anything.  You can't assume that anything is secure, by default, or within a single protection mechanism.  The key is "defense in depth" and separation of key user and management systems.  There's no way to protect yourself 100%, but you should make it challenging to get to those management systems that are monitoring and/or maintaining the security infrastructure of the organization.


Coincidentally, when looking for an image to use for this post, I ran across a different discussion of hacking the physical infrastructure in Linux Journal that's an easy, thought provoking, 1 page read.

Tuesday, June 1, 2010

protecting data, by not having any

CNET: A world without records...

This article raises an interesting point that should be considered when considering a data retention plan.  Why keep the data in the first place?  I can understand regulatory efforts, certainly.  Keep what you need to keep, but if you don't fall under these requirements, don't keep what you don't need to keep.

I worked with a company a while back that had a policy of deleting off emails that were older than 90 PST excuses.  Seems an elegantly simple solution and one that isn't asked often enough.

Maybe we're just "collectors" by nature, and we need to learn to be able to "uncollect", for our own good.


A SANS tutorial on computer forensics, Part 1

SANS Computer Forensics Blog: Part 1 Organized Chaos and Panic

I was fortunate enough to be able to take the SANS SEC508 class a couple years ago and thoroughly amazed at what I learned, not only from a technical level, but from the stories that Rob Lee could tell us from his experience.  Now, through the SANS Computer Forensics blog, you can get an overview of how to do some of the same things that we did in class in lab exercises.  When I took the class Helix was still free, but I suspect the Pro version has more capabilities too.

During class, Rob Lee and others had talked about the books at the left. I have purchased them and am working on reading through them.  So far, both are excellent resources.


Capture files via SMB with Wireshark!

Taddong Security blog: new plug-in for Wireshark

I'm going to have to try this on my home network.  Wireshark is one of the great tools that you can never spend too much time in.  There's tons of options and capabilities, now just to figure out how and when to use them all.  I have heard from reputable sources (former coworkers that I'd be happy to have a beer with), that the book on the left is the one to get if you really want to understand how to use Wireshark.  I may be visiting Amazon soon... :-)


Friday, May 28, 2010

Menard's EZ-Sell EZ-purchase kits (EZ-Build, EZ-Frame), not EZ put together

This is another rare personal post.  We spent a lot of time talking about the inadequacies of this kit, so I thought I'd put down some thoughts for others to glean from.  InfoSec/tech stuff will continue in the next post.  Promise.

A few weekends ago I went to my parents and helped on a project to replace a rotting out shed and put together something that looks like the picture on the left, sans the window.

Here's the link to the kit itself, sold through home improvement store Menards:
Midwest Manufacturing - E-Z Frame Yard Barn - 12'

Our experience with this was not great.  The instructions were, by their own words, suggestions of what kind of a shed could be built with the materials and sketches they provided.  The key things that need to be remembered with this build, in my opinion, is:
  • You'll need to do some guess work on what their directions mean
  • You'll need to reinforce their joints for the peak and floor "joists"
  • You'll need to reinforce the floor even if you've reinforced the joists
  • Use screws where you can and not the nails that came with the "kit"
  • Materials are not cut for you
  • You may have lots of spare parts/wood left over
  • How to build a foundation is up to you and the instructions are going to be hard to plan from
There were more issues, but I forget them all.  Let it be said that you're probably better off building one from scratch.


    5 million hours of work devoured by Google Pac-Man

    Five million hours of work devoured by Google Pac-Man

    I knew this was going to happen, so its nice to see some good estimates.

    I'm still glad they did it. :-)


    Facebook's New Privacy Guide Explained

    Facebook's New Privacy Guide Explained

    Now that Facebook has heard lots and lots and lots of feedback from users about their over-engineered security controls, they've gone and changed them.  Hopefully for the better.  The new, simpler controls are due out soon, so this article talks about what to expect and what you may consider changing when they do become available.

    Edit: And if you still want to nuke your account and leave Facebook all together, here's a nice article about that too. :-) Fed up with Facebook? Delete your profile, and here's how


    Thursday, May 27, 2010

    Revisiting Ranum's "The Six Dumbest Ideas in Computer Security"

    A friend of mine reminded me about this article recently.  The funny thing about this is that he wrote this 4 1/2 years ago, and some of these things are still true. 

    1. "Default Permit" - I think this is changing.  We saw this with Win2008 having reduced features turned on by default. 
    2. "Enumerating Badness" - I think organizations as a whole would rather target "badness" than defining "goodness", but its a never ending challenge of trying to find all "bad".  While its challenging, you have a much better chance at enumerating your own "goodness".  The problem with this is that companies have to want to have positive control over their environment, which is entirely dependent on senior leadership in a company, and their support of senior IT leadership.  "The first lesson in management is that its always your fault."
    3. "Penetrate and Patch" - While I think security reviews of code are more common now than in the past, they're not as common as necessary.  We need better education at the collegiate level and then continuing education to hammer good programming practices into the heads of developers.  They need this because it has to be second nature to develop secure code.  Just like in IT Operations, frequently best practice and security principles go out the window when there's an urgent deadline or political pressure to get something implemented.  These guys and gals that write code need to do it securely, in their sleep, if we're going to get ahead of the "penetrate and patch" methodology.
    4. "Hacking is cool!" - I think this has changed some.  I read an article just recently about how articles and media that sensationalize suicide frequently leads to copycat and higher incidents of suicides.  This changes, though, when the right people say the right things at the right times about the incidents.  The point is that while the popular attitude is that hacking is cool (I'm one of them, admittedly.), the consequences need to be stressed more.  I think we've seen this more too.  We haven't had a good "hacker" movie in a while.  Coincidence?
    5. "Educating Users" - This is a constant problem because education itself is challenging.  Can you think of a time when it was easy to take an entire organization and get everyone thinking the same way?  If it was procedural, sure, "follow the tail in front of you" like a pack mule on the trail.  "Step1, complete this step and move to Step 2."  The primary challenge with educating users is that because of #2 above, we expect them to make decisions, on the fly, and then not give them good options to choose from.  Educating users should be based on what the company wants them to DO, not what it wants them to feel.  Make it actionable, make it relevant, make it about the company and what the company wants them to do.  As InfoSec people, we are frequently crossing the line between company threats and overall, personal information management threats.  We need to keep company education to company education and leave the personal InfoSec advice to the media and water cooler conversations.  Its not that hard, we just need to commit to clear messages and expectations of the users.  That, of course, relies on whether management has figured out #2, above, though.
    6. "Action is Better than Inaction" -  Ranum is right on with this one.  Early adoption of technology is a gamble.  Some companies are more risk averse than others.  Sometimes when you gamble, you win and sometimes you lose.  IT Operations runs more smoothly when things are predictable.  Which is going to lead to predictability and therefore more secure?  You guessed it, "pause and think".  The problem is if your company is run by sales, sales people and market timing, "pause and think" isn't going to go over well, unless you have strong senior IT leadership, and management above them that's going to let them run the IT show.  I've seen "pause and think" work much better than gambling on IT.  This is still a big issue in corporate America as a whole I think.
    What do you think?

    Chris Grant

    Wednesday, May 26, 2010

    Man infects himself with computer virus - Security-

    Man infects himself with computer virus
    Update: Engadget article

    Of course, the news makes this more sensational than it is, but the fact that implanted/embedded chips in people could be used to transport data and therefore malware is very real.  Additionally, software being used to manage biological functions within people also need to be scrutinized by the vendors.  And, of course, the best way to do this is to make sure that there's a review by industry experts, not by using some proprietary method of protecting the system/chips/data.

    Kinda funny that I'm commenting on this, now that I think about it, given my domain name, :-)


    Tuesday, May 25, 2010

    Hotmail Gmail Security Features

    ZDNet article: Hotmail's New Security Features vs Gmails Old Security Features

    I'm assuming that Hotmail is trying to add features that Gmail has, in order to keep its userbase.  Funny thing is that I didn't realize that Gmail had some of these features:

    • SMS password recovery options
    • Security Alerts in real-time if your account has been compromised
    I do like Hotmail's addition of a single-use passwords sent to you via SMS.  That's pretty clever.  SMS is pretty secure for the average user, so this seems like a great solution to add to the other SMS options.  More and more banks are turning to SMS as well.

    I like the author's suggestions though that someone should offer single-use, disposable accounts, ala, paralelling credit card companies.  I think Discover did that first.  And when will they catch up with PKI capabilities/offerings?  Google could make it a Labs feature and keep it in Beta forever, and that would be fine...


    Happy Geek Pride Day!

    One of the poster boys of geekdom, Sheldon Cooper from The Big Bang Theory.

    I'll be celebrating by watching a few missed episodes of BBT and Chuck. :-)


    Vulnerability Scanning Do's And Don'ts - DarkReading

    Vulnerability Scanning Do's And Don'ts - DarkReading

    This is a pretty good article about the "gotchas" around vulnerability scanning.  Its not as simple as firing up a scanner and have it comb your company's entire class A subnet.

    Here are the things I look out for when performing vulnerability scans on the organziation:
    • legacy hardware/software, such as mainframes, miniframes - I've tipped over some mainframe programs with nessus, back in the day
    • small software/hardware vendors - I've tipped over a database High Availability solution before with nessus
    • sizing of network connections and the size of your scan - don't saturate your network links
    • choose a maintenenace window or an off-production time to run scans
    • make sure you notify people that you're scanning
      • don't assume that your scan won't be noticed
      • don't assume that your scan won't cause an issue
      • people like to be notified should they notice something odd
    • make sure that people are available, should you knock something over, and/or test the system once your scan is done to ensure that the services come back or are still functioning appropriately


    Saturday, May 22, 2010

    Even with Steam, Mac isn't a gaming platform like Windows is

    Arstechnica: Mac lags Windows in gaming performance, excels at stability

    So the Mac isn't for a hardcore gamer, but it appears that if you want to play games for long periods of time, a Mac might be the better way to do it, at least when you're using Steam.  What I find interesting about this is that they're committed to getting games running faster on the Mac, which is a real niche market.  Secondly, that they're probably going to reach that goal faster than improvements that are necessary on Windows, due to the proliferation of inumerable hardware vendors and configurations.  I hope for the best!  It would be great to have Apple as a reasonable gaming platform.  Not that I'm a gamer, but it removes one more argument from the Mac vs Windows debate.

    Google has an SSL version of their homepage!

    Hey, hey, Google now is offering up so you can do your searches wrapped in SSL rather than the normal, non-SSL way.  This will protect you if you're not running through an proxy server with an SSL cert you trust and not if you're the victim of SSL MITM attacks or well, you get the picture.  Its good.  Just check your SSL cert to make sure you're talking to Google directly and that your root CA certs on your box haven't been modified. :-)


    Friday, May 21, 2010

    Google's homepage has a playable version of Pac-Man!!!!!!

    I kid you not!  Just go to today and click on the logo on the top.

    That is aweosme!!!


    Wednesday, May 19, 2010 | Facebook Privacy Scanner | Facebook Privacy Scanner

    Given the changes in Facebook privacy settings recently, you really should take the time to go check how your information is being shared.  You can do this through slogging through the Facebook privacy settings, or if you know you want to lock things down, go and let this free, open source Facebook Privacy Scanner take a look for you and then fix things if you want to.

    Well worth the look.

    Monday, May 17, 2010

    Symantec triggers on World of Warcraft update

    Another AV false positive affects gamers this time instead of companies. This time its from Symantec and it flags update files created by World of Warcraft. Doubt we'll hear much about this in the mainstream press, but we'll see commentary in the InfoSec circles.

    Symantec triggers on World of Warcraft update: "We have had a couple of reports over the last 24 hour of users experiencing issues with Symantec anti-virus products triggering on which is a component of World of Warcraft. "


    New HTML Version Comes With Security Risks Of Its Own - DarkReading

    New HTML Version Comes With Security Risks Of Its Own - DarkReading

    I commented about HTML5 being touted as the answer to the next generation of web apps (think Web 3.0), but while it may solve Adobe Flash problems, it may create other challenges, such as client-side data issues that could be accessed through SQL injection, apparently.  Good article.


    Sunday, May 16, 2010

    For Security Pros, Building Vendor Relationships Is A Lesson In Diplomacy - security business/Security - DarkReading

    For Security Pros, Building Vendor Relationships Is A Lesson In Diplomacy - security business/Security - DarkReading

    John Sawyer writes about the common challenge of discussing an organization's security posture and tools with security vendors. I'd add to this and say that your organization should have a standardized approach to dealing with any and all software vendors. Sales people and vendors want to know what you're running so they can launch a full on attack at what's wrong with your current environment. Do this, first decide what problem you're trying to solve, then secondly, talk to vendors. This way you will know what you're trying to do and you'll be able to critically evaluate whether that vendor's solution is going to answer your need. Because of this, you won't need to listen to what will likely be irrelevant sales jargon dealing with other vendors and be able to focus and concentrate on your own issues, rather than the marketing hype.


    Wednesday, May 12, 2010

    Fail: Volvo Collision Detection System (video)

    Sometimes technology doesn't work and doesn't work at really embarrassing times. Volvo demonstrated their Collision Detection System for the press, although it didn't work quite as described when it came to show time.

    This is a good lesson in technology.  Its really cool and sophisticated, but in order to make it consistent, there needs to be a lot of testing, and more importantly, you should have a backup plan and not rely on one technology entirely.  Backup plan: person watching the road and using the brakes!


    Personal: My sister is in New York Times Magazine!

    This is a departure from my norm, because I'm proud of my sister.  So sue me.  Tune in later for more InfoSec stuff if you can't stand it.  :-)

    My sister, Stephanie Grant is in a New York Times Magazine article about paying off debts and net worth.  Its a good read.  
    And here's her blog: Superpositron

    Edit: and she's on the front page of the site! :-)


    Tuesday, May 11, 2010

    Sound familiar to you and your enterprise? IE6 hard to kill

    IE6 is what's holding us all back, honestly.  Security fails on PCs because of IE6 and so does full adoption of Web2.0.  With HTML5 as the new standard that creates new opportunities for full, rich web apps (yes, I' m sure security isues too), can we please stop using IE6?

    Application vendors, please, please, please, update to IE8 or Firefox 3.6?


    Month of PHP Security has started

    Long one of the most favored OSS projects, PHP has provided new web content and capabilities for a long time.  One could even argue that PHP made Web 2.0 possible.  Well, all of that speed and urgency for providing features has left the code buggy.  Imagine that...

    Here's the start of the Month of PHP Security [issues]:


    MSFT releases two Critical patches today

    Yes, two patches, both critical and both remote code execution capable.  One for Windows 2000 all the way up to Windows 2008 R2 and the other for Office XP-2007.

    A patching we will go, a patching we will go, high ho the dairy-o....oh, sorry.


    Monday, May 10, 2010

    Regulating the Internet

     It seems that there might finally be a solution to the problem of regulating the Internet.  In recent years, large providers have pushed their limits on whether or not they can govern how users utilize their service.  People like Comcast have determined whether or not they would allow Bittorrent traffic, and to what extent, meaning how much bandwidth is a user allowed to use.  As an ISP, it wasn't regulated like a phone company or a cable provider, which seemed accurate not but not "right".  Soon, the FCC will have the ability to regulate ISPs and then enforce new rules, including preventing them from summarily dismissing certain classes of traffic, presumably.  All in all, this is probably a good thing for net neutrality efforts.

    FCC outlines new 'third way' internet regulatory plan, will split access from content


    Thursday, May 6, 2010

    Flash drive with fake Facebook login...

    I find myself thinking "does anyone fall for this stuff?"  Well, obviously the answer to that is "YES!!"  Uh, yeah, don't just use something because someone tells you.  People, wake up, this stuff isn't real!!! :-)

    Sunbelt Blog: Facebook Remote Login + Flash drive = stolen credentials


    Securing WHS and your network

    Home Server Land: Securing Your WHS and Network

    This is 16(!) part series published by, a site that I just recently discovered and its pretty extensive.  I'm a little confused on whether its developed and maintained by HP or not.

    Most of the content is in the form of PDF documents of risks to running your own IT and how it fits into using your WHS box.  I imagine you could use this to evaluate if you have any of the issues and some suggested ideas of how to remedy them.  What this does not do a good job at, however, is really getting into a discussion of how this all fits together so that someone could make these types of decisions in the future.

    Certainly this is something that the small business owner or uninitiated home IT person could use to review their overall security posture and make some changes.  Fortunately, WHS alone is pretty secure.  Its just when you start asking it to do a bunch of other things with add-ons and treating it like a standard Windows Server that you start running into security and stability issues, in my opinion.

    YMMV :-)


    Hackers and Hollywood

    This is a great site that ties all of those information security cult-like "hacker" movies together and starts to look at them as a whole, looking for trends and what a "Hollywood hacker" is compared to what they actually are. 

    Damian Gordon's Hacker Movies

    At the very least, its a way to get a shopping list for information security-related movies and movie clips! :-)


    Wednesday, May 5, 2010

    You may have noticed...I moved to Blogger.

    Hey all,

    As you may have noticed, I moved from e107 to Blogger for  I did this for a few reasons. 
    1. I vowed to update with more blogging content.  I need to write more.  I enjoy writing and enjoy information security, so the end result is that I needed to get on my web site more and make it more useful, hopefully.
    2. There are no blogging add-ons for web browsers for e107.  Because they are a 2nd/3rd tier product, add-ons to make blogging easy aren't easy to find, if there are any. I spent some time looking but kept running into Blogger and WordPress add-ons.  This makes accomplishing goal #1 of writing more on the blog significantly more challenging.  Blogger provides simple things like a javascript bookmark to use, an IE 8 "Accelerator" and a Word add-in to make it easy to write a blog post about a link.  Third parties have also provided nice hooks and add-ons to allow blogging easily, such as ScribeFire.
    3. e107 is a 2nd or 3rd tier CMS/blogging platform.  Yes it has many more capabilities than a standard blog, that's true.  Its not great at any of them, its just good at most of them.  I used the forums for a while.  I used the custom pages/menus/etc for a while.  In the end, I found that I really just wanted a blog and didn't have a need to provide a forum.  Again, more of a CMS platform than a blogging platform, like I was trying to make it into.
    4. e107 has only had security and base maintenance updates in quite a while.  New development seems to be stalled.  If you're into php and MySQL this could be the system for you, but its not for someone who's ready to move into blogging only. 
    5. I no longer have to pay for running a Linux host with a MySQL database.  This is a minor issue since it was something like $50/yr, but certainly it can be listed as an advantage to save money.  We'll see if I actually get rid of my hosting provider or if I keep it around in order to have a real web server that I can use to host files in a pinch.
    6. Blogger seemed to be more streamlined and less complicated than WordPress.  I had considered WP on my hosting provider but I ran into another stumbling block with using WordPress.  1&1's hosted MySQL was too old to install the most recent (and therefore most secure) version of WP.  I can't install an old version of software, knowing there are security issues with it.  It goes against my nature. (I found out later that my podcast and almost lifelong buddy, Nem, would have hosted a WordPress site for me on his hosting provider.  Who knows maybe Blogger won't work out.  I have a backup plan. :-) )
    7. My sister (, soon to be featured in a New York Times Magazine article(!), and my good friend ( are both using Blogger.  Not a huge factor, but helped me think about it.
    8. Blogger is run and managed by Google, which I'm already using on a daily basis for my Google Apps hosted email for my family.  This also means that there's a built-in community of users that already have gmail or google accounts that can comment on content without creating yet another login for another web site.  Something I know I enjoy very much (not as bad now that I'm using for many sites).

    So, that's it.  Thanks for reading.  Explore, contribute, have fun.


    DNSSEC and not panic

    DNSSEC...not a bang but a whimper?

    This SANS Diary entry points out that there will be changes in the root DNS servers soon that will spell the beginning of the end for the threat of DNS cache poisoning, by way of signed responses. There is a lot of FUD around the change in DNS to utilize EDNS, but the reality is that if systems don't support EDNS they will fall back to regular DNS.