IT Security, Windows Scripting and other matters

Google Analytics and Compliance

2009-07-01T06:16:00.003-05:00

I am posting a quick question, since most of what I have been finding has been product pitches. Could someone point me to information about Google Analytics and compliance - specifically HIPPA and PCI?
Thanks and be safe out there
James

Who's in FIRST

2009-06-28T16:26:00.003-05:00

In honor of my friend Martin McKeay's trip to Kyoto for the annual FIRST conference, I present a variation on Abbot and Costello's Who's on First (Special thanks to the Baseball Almanac for having the original text on line)

Without further ado -

Who's in First

McKeay: Well Costello, I'm going to Kyoto. You know I've been given a job as official podcaster for FIRST for as long as I want it.

Costello: Look McKeay, if you're the podcaster, you must know all the members.

McKeay: I certainly do.

Costello: Well you know I've never met the guys. So you'll have to tell me their names, and then I'll know who's who.

McKeay: Oh, I'll tell you their names, but you know it seems to me they give these security professionals now-a-days very peculiar names.

Costello: You mean funny names?

McKeay: Strange names, pet names...like beaker...

Costello: His brother Daffy.

McKeay: what...

Costello: And their Dutch cousin.

McKeay: Dutch?

Costello: Kees.

McKeay: Kees Leune? That his real name. Well, let's see, we have on the board, Who's in first chair, What's in second, I Don't Know is in third...

Costello: That's what I want to find out.

McKeay: I say Who's in first, What's in second, I Don't Know's in third.

Costello: Are you the podcaster?

McKeay: Yes.

Costello: You gonna be the blogger too?

McKeay: Yes.

Costello: And you don't know the fellows' names?

McKeay: Well I should.

Costello: Well then who's in first?

McKeay: Yes.

Costello: I mean the fellow's name.

McKeay: Who.

Costello: The guy in first.

McKeay: Who.

Costello: The first board member.

McKeay: Who.

Costello: The guy leading...

McKeay: Who is in first!

Costello: I'm asking YOU who's in first.

McKeay: That's the man's name.

Costello: That's who's name?

McKeay: Yes.

Costello: Well go ahead and tell me.

McKeay: That's it.

Costello: That's who?

McKeay: Yes.

PAUSE

Costello: Look, you gotta FIRST board member?

McKeay: Certainly.

Costello: Who's leading first?

McKeay: That's right.

Costello: When you pay off the first board member every month, who gets the money?

McKeay: Every dollar of it.

Costello: All I'm trying to find out is the fellow's name on first board.

McKeay: Who.

Costello: The guy that gets...

McKeay: That's it.

Costello: Who gets the money...

McKeay: He does, every dollar. Sometimes his wife comes down and collects it.

Costello: Whose wife?

McKeay: Yes.

PAUSE

McKeay: What's wrong with that?

Costello: Look, all I wanna know is when you sign up the first board member, how does he sign his name?

McKeay: Who.

Costello: The guy.

McKeay: Who.

Costello: How does he sign...

McKeay: That's how he signs it.

Costello: Who?

McKeay: Yes.

PAUSE

Costello: All I'm trying to find out is what's the guy's name on first board.

McKeay: No. What is the second on the board.

Costello: I'm not asking you who's second.

McKeay: Who's in first.

Costello: One board member at a time!

McKeay: Well, don't change the board members around.

Costello: I'm not changing nobody!

McKeay: Take it easy, buddy.

Costello: I'm only asking you, who's the guy on first board?

McKeay: That's right.

Costello: Ok.

McKeay: All right.

PAUSE

Costello: What's the guy's name on first boards chair?

McKeay: No. What is in second.

Costello: I'm not asking you who's in second.

McKeay: Who's in first.

Costello: I don't know.

McKeay: He's in third, we're not talking about him.

Costello: Now how did I get on third chair?

McKeay: Why you mentioned his name.

Costello: If I mentioned the third baseman's name, who did I say is sitting third?

McKeay: No. Who's sitting first.

Costello: What's on first?

McKeay: What's in second.

Costello: I don't know.

McKeay: He's in third.

Costello: There I go, back on third again!

PAUSE

Costello: Would you just stay on third chair and don't go off it.

McKeay: All right, what do you want to know?

Costello: Now who's sitting in third chair?

McKeay: Why do you insist on putting Who on third chair?

Costello: What am I putting in third.

McKeay: No. What is in second.

Costello: You don't want who in second?

McKeay: Who is in first.

Costello: I don't know.

McKeay & Costello Together:Third base!

PAUSE

Costello: Look, you gotta other board members?

McKeay: Sure.

Costello: The secretary's name?

McKeay: Why.

Costello: I just thought I'd ask you.

McKeay: Well, I just thought I'd tell ya.

Costello: Then tell me who's the secretary.

McKeay: Who's in first.

Costello: I'm not... stay out of the chair! I want to know what's the guy's name as secretary?

McKeay: No, What is in second.

Costello: I'm not asking you who's in second.

McKeay: Who's in first!

Costello: I don't know.

McKeay & Costello Together: Third base!

PAUSE

Costello: The secretary's name?

McKeay: Why.

Costello: Because!

McKeay: Oh, he's sergent at arms.

PAUSE

Costello: Look, You gotta chairman on this boad?

McKeay: Sure.

Costello: The chairman's name?

McKeay: Tomorrow.

Costello: You don't want to tell me today?

McKeay: I'm telling you now.

Costello: Then go ahead.

McKeay: Tomorrow!

Costello: What time?

McKeay: What time what?

Costello: What time tomorrow are you gonna tell me who's chairman?

McKeay: Now listen. Who is not chairman.

Costello: I'll break your arm, you say who's in first! I want to know what's the chairman's name?

McKeay: What's in second.

Costello: I don't know.

McKeay & Costello Together: Third chair!

PAUSE

Costello: Gotta a archivist?

McKeay: Certainly.

Costello: The archivist's name?

McKeay: Today.

Costello: Today, and tomorrow's chairman.

McKeay: Now you've got it.

Costello: All we got is a couple of days on the board.

PAUSE

Costello: You know I'm a archivist too.

McKeay: So they tell me.

Costello: I get up to the table to do some fancy archiving, Tomorrow's chairman on my board and a heavy topic comes up. Now the heavy topic comes up, me, being a good archivist, I'm gonna look for input at first chair. So I pick up the topic and open it to who?

McKeay: Now that's the first thing you've said right.

Costello: I don't even know what I'm talking about!

PAUSE

McKeay: That's all you have to do.

Costello: Is to open the topic to first chair.

McKeay: Yes!

Costello: Now who's got it?

McKeay: Naturally.

PAUSE

Costello: Look, if I open the topic to first chair, somebody's gotta get it. Now who has it?

McKeay: Naturally.

Costello: Who?

McKeay: Naturally.

Costello: Naturally?

McKeay: Naturally.

Costello: So I pick up the topic and I open it to Naturally.

McKeay: No you don't, you open the topic to Who.

Costello: Naturally.

McKeay: That's different.

Costello: That's what I said.

McKeay: You're not saying it...

Costello: I opetn the topic to Naturally.

McKeay: You throw it to Who.

Costello: Naturally.

McKeay: That's it.

Costello: That's what I said!

McKeay: You ask me.

Costello: I open the topic to who?

McKeay: Naturally.

Costello: Now you ask me.

McKeay: You open the topic to Who?

Costello: Naturally.

McKeay: That's it.

Costello: Same as you! Same as YOU! I open the topic to who. Whoever it is drops the ball and the guy runs to second. Who picks up the ball and looks to What. What looks to I Don't Know. I Don't Know looks back to Tomorrow, Triple play. Another topic comes up and it to Because. Why? I don't know! He's on third and I don't give a darn!

McKeay: What?

Costello: I said I don't give a darn!

McKeay: Oh, that's our treasurer.

Hope you enjoyed
Just as a side note, I am not related Lou Costello.

James

Backtrack 4 pre on an Aspire 5610

2009-06-23T23:25:00.002-05:00

I am getting ready for DefCon and want to carry a laptop larger than my netbook (which I love but want more space and memory)
Fortunately I had a spare 120GB HD and was able to acquire a second drive cage from ebay
Installation steps
Boot from CD
launch KDE (startx at the prompt)
open a command window and run ubiquity
Follow the prompts
reboot
login as the account you created during install
change to the root user - sudo su
change your root password - passwd
start network management - /etc/init.d/wicd start
start networking - /etc/init.d/networking start
launch KDE (startx)

I am running as root since I want sound, but will likely forgo that while at Defcon for an added layer of security

finally broke down

2009-05-26T21:45:00.002-05:00

I finally broke down this afternoon in and gave into the peer pressure...
I was actually fulfilling a joking promise I had made about a year ago when a friend said that he would not get a twitter account and I said I would wait until he did. Well, thanks to @cr0nym, I now have a twitter account
http://twitter.com/n0b0d4
I was a bit suprised that the name was still open. But now you can say you know @n0b0d4 on Twitter.
Be safe out there.
James

FAA security

2009-03-31T06:15:00.003-05:00

So the FAA came out with some statements about the security of their networks, that Martin McKeay covered nicely on his blog
So that brings me today's Security Song Parody

Securing All Jet Planes
(to the tune of Leaving On A Jet Plane by John Denver and Kenneth Browder)

All my bags are hacked I'm ready to go
I'm standing here outside your door
I hate to wake on LAN to say good-bye
But the code is breaking, its early morn
The taxis waiting, hes spamming my phone
Already I'm so lonesome I could die

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

There's so many times I've let you down
So many times Ive hacked around
I tell you now, they don't know a thing
Every place I go I'll blame Lou
Every packet I sniff I sniff for you
When I come back I'll secure token ring

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Now the time has come to leave you
One more time let me kismet here
And close your eyes and I'll hide the way
Dream about the hacks to come
Then I don't have to protect alone
About the times that I won't have to say

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go
I'm protecting all jet planes
protecting all jet planes
protecting all jet planes
protecting all jet planes

Have a great day
Be safe out there
James

Six word security challenge

2009-03-30T06:08:00.004-05:00

My latest pos t on the Security Catalyst blog is a challenge to you dear reader to write a 6 word sentence that tells a story about security or relates a security lesson.
So like last week with Andy IT Guy, I have reworked a song to use as a theme song

Security Is Just Six Words Long
(to the tune of Weird Al Yankovic's - This Song Is Just 6 Words Long)

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

Dont think of any more words
So I just wrote six words
So I'll just write any six words
That come to my mind, child

You really need words
Could be just six rhymin words
You gotta write so many words
Hmm mmm
Ta do it, ta do it, ta do it, ta do it, ta do it, ta do it right, child

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

I know that your probably sore
Cuz I didnt write any more
It's just six to complete it
So thats why I gotta repeat it

Security can be just 6 words long (6 words long)
Security can be just 6 words long (6 words long)

Oh I make a lotta money
They pay me a ton o' money
They're payin me plenty o' money
To write these six words, child

I gotta fill time
3 minutes worth of time
Oh how will I fill so much time?
Hmm mmm
I'll throw in a solo, a solo, a solo, a solo, a solo here

(saxaphone and drum solo)

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

These words got somethin' to say
So Im typing it up today
I know if I put my mind to it
I know I could find a good rhym here

Oh ya gotta have a security
Ya need really catchy security
This song has got plenty o' security
But just 6 words, child

And so I'll sing em over
and over and over and over
and over and over and over
Hmm mmm
and over
and over
and over
and over
and over
and over again

6 words long
6 words long
6 words long
6 words long (fading)
6 words long (fading)
6 words long (fading)
6 words long

Hope you enjoyed.
Now, be safe out there.
James

Skeet Security

2009-03-23T21:19:00.003-05:00

Andy Willingham wrote a very good post over at his blog which inspired me to rewrite the lyrics to that classic Nick Rivers' song Skeet Surfing

Skeet Security
Skeet Security
If everybody had a 12-gauge
And a motherboard too
You'd see 'em shootin' and hackin'
From here to Malibu
Because it's totally bitchin'
Ridin' the net to blast the pigeons
And it's so neat shootin' skeets
While you're coding out the heavies all day

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

We're loadin' up our motherboards
And loadin' up our traps
Tell the crackers we're shootin'
We're never coming back
I've got a gun rack in my Chevy
For when the SPAM and the flak get heavy
And we'll have fun with our guns
'Till our moderators takes our ammo away

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

First site, get the knack
Second site, pull the trap
Third site, how's that?
Skeet Security, it's alright

Sharing sunsets with my favorite girl
When we write the perl, we really write the perl

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

First site, get the knack
Second site, pull that trap
Third site, how's that?

I wish they all could be double-barrelled
Wish they all could be double-barrelled guns

Skeet Security can't you see?
Do you wanna come along with me?
Skeet Security can't you see?
Do you wanna come along with me?
Skeet Security it's alright
Little girl we'll have fun tonight
Skeet Security can't you see?
Do you wanna come with me?
Grab your laptop, surf into the breach
Skeet Security it's a lot of fun

Now go read Andy's post and go watch Top Secret again (or for the first time)

The Cowtown Computer Congress Opens Their Underground Lab

2009-02-26T06:19:00.001-06:00

IMMEDIATE RELEASE

The Cowtown Computer Congress Opens Their Underground Lab

February 24th, 2009. Kansas City, MO - The Cowtown Computer Congress (CCCKC) is happy to announce the opening of their Underground Lab to the public with a full week of events Beginning on March 2nd, the grand opening showcase the rich and vibrant community of creative minds in the Kansas City area. CCCKC, the first organization of its kind in the midwest, will serve the community by providing technology classes, donating unique projects to local organizations and technology assistance to those in need.

The week will kick off on Monday, March 2nd with an open house for individuals and organizations who are interested in learning more about the organization and how they can take advantage the Underground Lab for meetings, classes and other activities.

The creative talents of CCCKC members will be showcased on Wednesday March, 4th. The member project showcase will be followed by a screening of Make:TV, a public television series which will be shown for the first time in the Kansas City area that night. If you're curious about what CCCKC and the maker culture are all about, this is the night to come be inspired. Projects to be showcased range from alternative methods of energy generation to a labyrinth game which is controlled with the balance board from a Nintendo Wii Fit.

Thursday, March 5th is the regular member meeting where members come together to discuss group projects being developed for donation to local organizations and plan future community service projects like our monthly free computer repair opportunities.

Friday evening will feature a slate of speakers covering topics ranging from improving home security and information management to protecting data from theft while using public wireless internet.

On Saturday the public is invited to take part in a range of free workshops on basic electronics and soldering, e-textiles and Nintendo Wii hacking. All day members will be available to assist members of the public choose, install and configure computers using the free and open source Linux operating system.

About The Cowtown Computer Congress

The Cowtown Computer Congress (CCCKC) is a not for profit technology cooperative founded to advance technology of all kinds. They are a member supported organization providing technology classes, workshops and services to the public free of charge. CCCKC brings together some of the finest minds in midwest to collaborate on research and projects for other local groups. Through their affiliate program, CCCKC gives assistance to specialized technology user groups by providing them with a facility to hold meetings and work on projects of their own.

CCCKC's Underground Lab is located 85 feet below the surface of the earth at 31st Street and Southwest Trafficway in Kansas City, Missouri.

http://www.cowtowncomputercongress.org

Further inquires should be made to:
press@cowtowncomputercongress.org or to
John Benson - President and Co-Founder
816-332-6389

Password generation FAIL

2008-12-09T22:53:00.002-06:00

I recently changed jobs (I'll post more about that in the near future) and was eagerly awaiting my first paycheck.
First pay day came and went and while there were funds in my bank account, I did not receive a paper paycheck. My new employers use a pay company that gives them the option to do digital paystubs via the pay company websites.

I got around to setting up my account on the pay company website today and ran into some unusual requirements for my password:
Passwords must meet the following complexity requirements:
Must be between 7 and 12 characters.
Must contain at least 1 upper case character.
Must contain at least 1 lower case character.
Must contain at least 1 numeric character.
Cannot contain any of the following characters: []|{}'()\/.,`>-_&=

There was also a button for generating a password to meet the requirements. Well sort of ...
I pushed the button and it popped up a window that contained a potential password and buttons for accept and cancel.
First FAIL - the password I was given only contained 6 characters
Well that doesn't meet the complexity requirements - I did attempt to use it and was told that the password was not valid.
Fine, I'll just push the generate password again.
Second FAIL - the password I am given only contains 6 characters. To be more specific, the same six characters I was given before. All right it was the same password entirely.

So I turned to my old standby KeePass to generate a new password. Set the requirements to 12 characters, upper case, lower case, and numeric and generated a new password, similar to this one: HZy2SIcH1wr3 . I then copied the password into the web page twice and pushed the submit button. I then received notice that I cannot use the number 3 in the password - huh? What an odd requirement. I checked back with the requirements section and sure enough it does say that the number 3 is not valid in the password scheme. I wonder what their reasoning is for the numbers 3 and 8 not being valid. I have sent an e-mail to their support, if I get a response I will pass a long the answer they provide.

If anyone has any insight as to why, I'd love to hear it. Adam Dodge already supplied one bit of humor:
Possible meeting notes for the discussion of password requirements
Fred: "I don't know Jim, people seem to like using 3 and 8..."
Jim: "Forget 'em"

Have a good day and be safe out there.

James

All's quiet on the Midwestern front ...

2008-10-31T07:05:00.002-05:00

Life has been fairly quiet in the Midwest over the last few weeks, well at least at my house. Especially since I stopped answering the phone after working hours - I live in a swing state so I am being inundated with calls for this candidate and that candidate and the surrounding support groups. It has made it a bit difficult to study...

Yes, I said study.

I am getting ready to go take the CISSP exam on November 1. I will share some of my experience in the next few days. I was long hesitant to get the certification mostly because I did not see the value and did not think I needed to have it.

Well, I recently decided that I was going to look for another opportunity and quickly discovered that although I could get my foot in the door for an interview, I was having difficulty closing the deal because somewhere along the line the company had chosen to require that the new employee be a CISSP. I also had been part of an interesting discussion at the RSA conference in April discussing the merits of getting certified. Most everyone agreed that having a CISSP was not necessarily an indicator of the capacity and capabilities of a person, but that it was a simple equation: if the company is asking that you have it, you need to have it, and if you do not, you probably won't make if past the initial resume review. I liken it back to having an MCSE in the late 90's or right after Y2K, not necessarily a ticket to the job, but it definitely gets you on to the correct platform to catch the train (or the hand cart, depending upon how many positions the company had).

If anyone is interested in attending the upcoming CSI 2008 conference in DC November 15-21, the Security Bloggers Network has been offered a discount code to give out to all of our readers - BLOG25. This will get you a 25% discount for conference regsitration.

Be safer out there,
James

MCSF talk

2008-10-22T11:36:00.003-05:00

I found out on Monday afternoon that a late submission talk for the Midwest Consolidated Security Forum was accepted. Tickets are no longer available, but hopefully some of you are in attendance.
Michael Santarcangelo and I will be talking on podcasting and pop culture and how to use them in your security awareness programs. Our talk will be at 2:45 to 3:30
If you are attending, stop by and say hi

Be safe out there.
James

Cowtown Computer Congress get together

2008-10-22T11:31:00.003-05:00

Any of my readers who are in Kansas City are invited to join Michael Santarcangelo and myself at the next Cowtown Computer Congress get together on Thursday October 23rd, 2008 around 7PM at the JavaNaut - 1615 W. 39th St.Kansas City, MO.
Michael has been invited to give a brief talk
I apologize for the somewhat late notice, I meant to post this last week when I found out about it.

Be safe out there,
James

Juniper SSL VPN and Firefox on Windows whitepage work around

2008-08-29T13:49:00.003-05:00

My company does a lot work with Juniper SSL implemenations.

There has been some odd behavior in Firefox on Windows machines when connecting to Juniper SSL VPN. Immediately after login users are taken to a blank white page. The URL of the page contains data/home/starter0.cgi?check=yes . The page you should be redirected to includes data/home/starter.cgi?check=yes.

Juniper’s suggested work around is to go back to the sign in screen and login again or to remove the 0 from between starter and .cgi. Both are manual solutions, wouldn’t it be easier to have an automatic solution.

Well here it is.

Download the Firefox add on Redirector - https://addons.mozilla.org/en-US/firefox/addon/5064

After installation you will need to restart Firefox

Open Redirector by right clicking on the R in the status bar in Firefox

Click Add…

The Example url is the full url you get stuck on i.e. https://this.ismyexample.com/data/home/starter0.cgi?check=yes

The Include Pattern is https://this.ismyexample.com/data/home/starter0.*

Redirect to is https://this.ismyexample.com/data/home/starter.cgi?check=yes

Set the Pattern Type to Wildcard and click Test pattern

You should get a message that indicates that the pattern matches. If not go back and check your typing.

Click Ok

Click Close

Go back and log in again. You should go right past the page you were getting stuck at previously.

Be safe

James

Keep a hand on your iPhone

2008-08-27T14:16:00.002-05:00

Adam Dodge pointed me to this article on CSO Online this morning - http://www.csoonline.com/article/446281/IPhones_Can_Be_Unlocked_Without_Password
This afternoon a customer stopped by with an iPhone and was kind enough to let me test the hack out.
I was able to confirm that the simple tap sequence does work. But only if you have your home button set to go to your Favorites. My customer had his set to go to iTunes (go figure - he wanted to listen to the music on his iPhone).
So rather than remove all of your Favorites, set your home button to go to iTunes instead.
Be safe out there
James

Pop Culture Security Episode 2

2008-07-16T22:01:00.003-05:00

Michael Santarcangelo and I have released the second episode of the Security Catalyst Show: Pop Culture Security.

The show is available here. Show notes are available here.

This time we are taking a different approach, we are covering two topics using several movies.

Michael and I had a great time recording the episode and hope that you enjoy it. We also want you to take what you hear and start applying it.

Be safe out there.

James

DNS vulnerability - patch it

2008-07-09T20:06:00.003-05:00

I have been watching a lot of the reaction to the DNS vulnerability that was revealed by Dan Kaminsky and multiple vendors yesterday.

There has been a few people who have downplayed the seriousness of the situation and for those of you still in doubt that this is a serious situation, I will point you to the retraction by Thomas Ptacek over at Matasano Chargen. Mr. Ptacek has always been one to stick to his guns when challenged about his postings and it shows the seriousness of the situation.

I think Microsoft is underplaying the seriousness of the situation by only rating the patch important. This will probably change as soon as there is an exploit in the wild. I think that is unfortunate, DNS is core to the way we traverse the Internet - you got to this blog via DNS, I posted it using DNS and all e-mail is delivered via DNS. DNS is core to the way we work.

There are servers that have been found to not be suceptible to this vulnerability. The first was DJBDNS. Dan Kaminsky did announce that there is another secure DNS server: PowerDNS made by Bret Huber. OpenDNS has stated in their blog that their implementation is secure against this vulnerabilty, which makes me feel better since I use them at home.

If you run a DNS server and you are not sure that you are vulnerable, check the CERT advisory for your vendors status. If your vendor is listed as anything other than not vulnerable, follow the link to your vendors website.

Be safe out there,
James

DNS trouble in the offing

2008-07-08T13:34:00.004-05:00

Dan Kaminsky released information today about a rather serious vulnerability in the implementation of DNS on most major platforms.

Microsoft has posted information about it on its site here.

Rich Mogul has an interview with Dan here.

Arthur over at Emergent Chaos has posted here

Why should this concern you? Microsoft is listing it as important rather than serious, but I think they are undervaluing the seriousness of this vulnerability.

Quick overview of DNS for you. DNS is like the yellow pages of the Internet. Computers work better with numbers and people work better with words. When you want to find CNN.com your browser contacts a DNS server to find out what IP address the site resides. This is similar to the physical address associated with a business in the yellow pages. Think of the IP address as directions to that particular business. A typical IP addres looks like this 192.168.140.25 The first set of numbers (refered to as an octet) is essentially the city in which the business resides. The second set of numbers is the neartest major street to the business. The third set of numbers is the street of the business and the final set of numbers is the street address of the business.
What DNS does is allow you to type in the name of the site you want to go to and have all of the "travel information" for your destination be given to you.
Now imagine someone sets about printing yellow pages with incorrect information that will bring them profit. So rather than going to the real CNN.com (64.236.91.23) your DNS server has been given spoofed information to send you to a malicious website at 172.16.91.23.

If you manage DNS servers, you should patch them as soon as possible. If you don't, you may want to make sure whoever does manage your DNS has patched their systems.

Be safe out there,
James

(Edit) - as of 2:15 PM CDT Microsoft does not appear to have released the patch for this vulnerability.

(Edit 2) appears that the patch is showing up as 2 different Knowledge Base articles: kb951746 and kb951748

Patching and updating

2008-06-19T19:53:00.002-05:00

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics but there was a bit of a shocking revelation for me. Some companies are still not actively patching there computers. There was a computer with no patches for an old Operating System.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base level activity - it needs to be done. You don't have to have a high end software solution for all of your applications. You can even use the Windows Update website to keep you up to date (or patched with the last patches for the OS)

Be safe out there.
James

Interesting series of events

2008-06-19T19:15:00.002-05:00

I was driving back from a client sit on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do.

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of its effect on the company. Larry Pesce spoke on this on Episode 111 or PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.
James

What don't your users understand and help explaining it to them

2008-06-13T09:12:00.003-05:00

Do you know what your users are confused about?

Do you know which acronyms you use that they are confused about?

Are you not sure how to explain a topic to your user community?

Michael Santarcangelo and I started a new podcast series in May based on the peer to peer session I facilitated at RSA Conference 2008 entitled "Pop Culture Security Awareness; finding security in the movies, TV, and other media." The premise is to use pop culture references to explain more complex topics in a way that connects you to your users and provides them with greater understanding.

Michael and I want to bring this to a larger audience and here is how you can help us. We would like to know what questions are coming up for you that you would like a clearer way of explaining. Please send your feedback to popculturesecurity@securitycatalyst.com. Better yet call our feedback number at 206-350-8346.

Kees and Andy have a couple of great points that I want to reitterate

2008-05-30T13:07:00.001-05:00

My friend Kees Leune makes a great point about the disappearing edge.

A couple of years back it would have been fine to throw up a firewall to protect your network. Attacks were mostly inbound in nature and could be dealt with in a straight forward manner.

The siege mentality could be used to defend your network. If I put up enough outward facing defenses (firewall, anti spam, virus scanners, etc..), I can protect my castle. What we run into today is that the attacks are drawing us out to them, our trade routes and water supplies have to be monitored and checked. The cross site scripting vulnerabilities that PayPal revealed that it had shows this very well. We trust PayPal with our money, but they still have vulnerabilities.

In todays network traffic needs to be monitored for anomalies. If you are not running an IRC chat or you employees are not supposed to be accessing IRC, monitor for that traffic. It may be legitimate, but it might not be as well.

The "bad guys" knew in medeaval times that if a direct assault did not work, if you can get someone to come out and take something from you (i.e. Troy) you have a greater success. They no longer have to lob dead animals over the walls at us. They set them outside our walls and let us know that they are providing them as food to us. Today's "bad guys" are adapting as well

This leads me to what Andy Willingham talks about in this blog post.

Just because we've always done it that way does not make it the best way to do it now. On a regular basis go back and reevaluate your policies and procedures. Ask questions that have not been asked before. Ask questions that have been asked before, you may be suprised that you get a different answer. Don't just accept "let me get back to you about that" as an answer.

The "bad guys" are willing to question the way things are done, hence how they find vulnerabilities. Take a page from their book. Look at your network from a different point of view. Rethink your network.

That's enough for me today.
Be safe

James

Wow, I'm on a podcast

2008-05-15T05:55:00.003-05:00

Michael Santarcangelo invited me to take part in the May 2008 Security Roundtable discussing the RSA Conference. I was honored to be asked and got a chance to participate with some of my fellow attendees:

Dr. Anton Chauvakin | http://chuvakin.blogspot.com/

Jennifer Leggio | http://mediaphyter.wordpress.com/

Martin McKeay | http://www.mckeay.net/

Michael Santarcangelo | http://www.securitycatalyst.com/

We had a great time recording and could have probably gone on for quite a bit longer about the experiences we all had. The podcast is about an hour and we hope you enjoy it. Please provide feedback here, I am interested to know what you thought.

I was using a SnoBall microphone from BlueMic and thought the performance was very good.

I also have to apologize again for not posting in over a month.
I had a fairly lengthy post on my experience at the RSA conference and the surrounding events, and failed to post it. Then I started a new job which has taken up quite a bit of my thought cycles.
Hopefully I will get back to a regular posting cycle now.

Go out and be safer

James

Open letter to SC Magazine

2008-03-31T14:30:00.000-05:00

Thanks for your (repeated) kind offers to purchase tickets for the SC Magazine Awards banquet in San Francisco next week. I will not be able to attend because the RSA Speakers Dinner is scheduled for the same time. Please discontinue sending me notices to purchase tickets.
Respectfully,
James

side note - This is not intended to be belligerent or knock SC Magazine in any way, I am just weary of receiving the e-mails. I also promised someone that I would post this if I got another SC Magazine Awards banquet request. You can figure out the rest.

OT - power of Free

2008-03-28T07:04:00.000-05:00

One of my favorite authors and podiobook performers Scott Sigler is fortunate enough to have one of his works being released in print on Tuesday April 1. Leading up to that he is releasing a free PDF of the book through his publishers website, available here. The novels are very well written and are enjoyable reading. I will warn you, Scott is a sick and demented individual and his novels are much the same way, so if you are easily disturbed or do not enjoy horror this is not the author for you.
The novel is also available in an audiobook format here

Let's see where the carriers go with this

2008-03-27T10:36:00.003-05:00

PC World has an article about a company called TapRoot that has developed a product that will allow users with 3G mobile devices to create a mobile hot spot using their phone. The main emphasis of the article is that it will be really easy to set up the WiFi connection on the phone to connect to the laptop.

I have one real problems with the assertion it will be easy to set up as compared to other methods of using your phone to connect.

I have a Windows Mobile device and I use it to connect to the Internet on a fairly regular basis. The hardest part about setting it up was finding the ActiveSync install CD for my laptop. All I need to do get to the Internet is connect the phone with a USB cable, allow it to finish syncing, launch Internet Sharing on my phone and push connect. Within seconds I am on the Internet and working. I really not sure how that qualifies as difficult. I can still place calls and use the Internet. I've done similar things with my BlackBerry and I have even used my Windows Mobile device with Linux .

There is a PDF about their product here. It is a centrally managed solution either at the carrier or the Enterprise level. From what I have read TapRoot is only going to sell to the carriers who will the resell the service to their clients. This might be a product to watch.

On the other hand I'll probably stick to using my USB cable, I always keep one around.

I did change the original title as it was based on my initial reaction to the article and that changed after doing some further reading about the product.

Be safe

James