HiR Information Report

OpenBSD 5.1 Released: OAMP Updated

noreply@blogger.com (Ax0n) — Tue, 08 May 2012 04:02:00 +0000

OpenBSD 5.1 was released last week, so the update is a bit overdue. HiR's Secure OpenBSD + AMP guide has been updated. OpenBSD 4.x is officially unsupported now, so we've dropped the 4.x parts from the guide and refined the rest. Since we've started covering the setup of an AMP stack on OpenBSD, the process has gotten considerably easier. OpenBSD is a completely viable and stable environment for running almost any PHP/MySQL web app, with a little extra consideration given to the chroot environment and Suhosin hardening patches while you're setting up your applications or programming new ones.

Links: Root, Patch and Tether a Droid 2 Global

noreply@blogger.com (Ax0n) — Sun, 04 Mar 2012 04:53:00 +0000

My wife and I have identical phones. She actually got hers before I got mine. Occasionally, I have to tether for troubleshooting, and I set hers up tonight to do the same.

I encountered a number of stumbling blocks the first time around. Fortunately, other people did all the hard work. Here are links I found helpful.

Download the latest SuperOneClick package. You'll have to root your phone. There's no easier way than this: SuperOneClick - Shortfuse

Get the Android WiFi Tether APK from Google Code.

At this point, if you try to tether, you'll run into a similar issue as I've described in previous tethering posts: the authentication string will cause tethered traffic to bounce up against Verizon's wrath warning page.

You'll need to download RadioComm, and the best way to find that is Google. You'll probably find fresh links to recent versions on XDA Devs or MotorolaFans. Caveat Emptor and all that. Shady download links galore, so be on your guard with good backups and malware protection. Here are the instructions to patch your phone's baseband configuration for tethery goodness.

After that, all should work well.

Alinco DJ-C1 Hack: Internal Speaker

noreply@blogger.com (Ax0n) — Wed, 08 Feb 2012 02:38:00 +0000

The Alinco DJ-C1 was made in the 1990s and was a groundbreaking ham radio micro-transceiver about the thickness of an iPhone 4 and with a smaller footprint nearly identical to that of a credit card. It was designed to work on the 2m FM Voice band at 300mW. It featured an integrated microphone, but had no internal speaker from the factory; One had to rely on an earphone or an external speaker/microphone unit such as the one shown above.

Over time, these micro radios evolved. The DJ-C4 came out at the same time as the C1, and was made for 440 MHz (70cm FM Voice). The DJ-C5 was a bit thicker and was the first to have an integrated speaker and work on both of the above bands. The latest one, the DJ-C7, lacks resemblance to these tiny relics of the late 90s aside from being smallish.

You can still find these micro-handheld transcievers at hamfests, swap meets and online auctions. I got mine from a friend that's happened upon two C1s and a C4 in the past year. I was immediately somewhat frustrated by the lack of a built-in speaker. I opened it up and found plenty of room in the back for a piezoelectric element, similar to what you find as the alarm speaker in digital wrist watches.

I couldn't find anything to salvage a piezo speaker out of, so I coughed up a couple of bucks at Radio Shack for one. I used a tiny screwdriver to pry the back cover off and to pry the element out of the case.

Disassembly of the DJ-C1 initially looks pretty straight-forward. There are three small philips screws on the back which give you access to the battery and the back of the circuit board. You'll have to open the back up and you'll want to disconnect the battery before proceeding. Unfortunately, most of the stuff we need access to is on the other side of the circuit board. You can't get the board out from the back, so leave the screws through the circuitboard attached. To remove the front plate, carefully peel the sticker and membrane buttons off, then remove the three screws found underneath.

There aren't many places to pass wires from the back of the radio where the speaker will be to the front of the radio where they can attach to the solder pads for the audio jack, so I ran them between the legs of the transmit LED. With the front and back removed, you can slide the circuit board out of the rectangular plastic frame enough to get access to the solder pads with almost any kind of soldering iron. You can see the red and black wires here:

I taped the piezo element to the back case toward the bottom. The copper shield in the middle of the circuit board seen below will sit flush against the back case, so keep the speaker and wires clear of it. The piezo speaker is actually louder when it's taped to the back case than it is when it's hooked up to the audio jack by itself.

Gently re-assemble everything, making sure everything fits neatly inside. Re-position the speaker and wires as needed. I ended up placing a bit of tape inside to keep the speaker wires from getting in the way. Re-connect the battery, screw the front plate back on, re-attach the membrane buttons to the front, and test it before you button the thing back up.

The resulting speaker works, but isn't terribly loud. It's loud enough to get your attention from the office desk, and if you hold it up next to your ear, you can make out what's being said. This is all I expected from this hack. You'll want to hold on to that earphone or external speaker, though.

Here's some crappy cell phone video of it in action.

February 2012 KC2600 Meeting

noreply@blogger.com (Ax0n) — Fri, 03 Feb 2012 21:19:00 +0000

It's that time again! Bring your questions, projects, interesting topics of discussion, war stories and conspiracy theories. As a reminder, the official 2600 meeting start time is 5:00 PM local time, but the Greater Kansas City folks tend to start trickling in at 5:30 or so.

If people are interested, I'll go over some of the common complaints of this lock and how so many people manage to lock themselves out of it forever. I might live stream it on uStream. I might actually lock myself out of this lock forever, too, but hopefully not.

(Crossposted from KC2600)

Lock Fail 2.0

noreply@blogger.com (Ax0n) — Sat, 14 Jan 2012 20:08:00 +0000

I wonder what the combination is.

Previously.

PHP Programming: Clean URLs

noreply@blogger.com (Ax0n) — Sun, 08 Jan 2012 15:28:00 +0000

I've spent the past two weekends re-writing old, horrible, ugly code that I wrote as a kid. I still have a lot of work ahead of me, and there's still no guarantee that the code I'm writing now will be great, but it'll be better than the stuff I wrote before. I'm not a web developer by any means, but it won't keep me from having some nerdy fun on the weekend. I've learned some tricks, and figured I'd share them here in a few short entries. Today, it's so-called "Clean" URLs.

In most dynamic web scripting languages such as PHP, dynamic pages can be accessed by passing parameters through a query string. As an example: http://foo.somesite.com/article.php?p=42

You've undoubtedly seen dynamic websites that don't pass query strings, but instead generate nice, friendly URLs that look more like this: http://foo.somesite.com/article/Hello_World

Clean URLs are easier to link to, they're better for search engine optimization, and with proper implementation provide a few security features as well. The project I'm working on is a custom CMS that was my very first Apache/PHP/MySQL project. It ended up getting kind of popular among a niche crowd, so I left it online in all its ugly glory. I have an article list script that can filter articles by category, and another script to display the articles. I'll just call them list.php and article.php here for the sake of discussion.

Removing .php from the URL

The first part of the problem is the fact that I'd rather not have ".php" show up in the URL, so that "article" and "list" would appear to be sub-directories of my site.

After playing around with a bunch of promising hacks that tended to work fine, including mod_rewrite, I decided that the most elegant way to tackle this was to rely on Apache's "FilesMatch" directive. I created symbolic links from list.php and article.php to strip the .php extension. You could just as easily rename them, though. Then I added the FilesMatch directive to .htaccess for "article" and "list" as shown below. Make sure "AllowOverride All" is set in your Apache configuration, too.

At this point, pulling up http://foo.somesite.com/list will try to run "list" as a PHP script. In my case, it shows a list of articles.

Parsing URI parameters with PHP

The next part is mostly easy. As far as I know, any PHP script will let you add a bunch of parameters to it with slashes like this: http://foo.somesite.com/index.php/testing/1/2/3/4/5. It may not render well, but it doesn't keep it from executing. Above, we got list to show a list of articles, so now it's time to set up filtering. As you can see below, the last element of the URL (split by /) is considered to be the category. The following URL would show a category of "Widgets": http://foo.somesite.com/list/Widgets

To avoid the problem of getting a category of "list" or "list.php" (remember, I chose to symlink my .php files), I included logic to check to see if the category matches the script name. If so, it assumes that it should instead display the Table Of Contents. You'll also see I am setting the title based on what happens here. As the category types are stored in the database and displayed with spaces, I am using str_replace to replace underscores in the URI with spaces. This means that I have to ensure spaces are turned into underscores elsewhere in the code and in all links to my site. That's beyond the scope of this article, though. What matters is that a URL of http://foo.somesite.com/list/Arts_and_Crafts would pull up a category of "Arts and Crafts".

$category=(end(explode('/', urldecode($_SERVER['REQUEST_URI'])))); if(($category) && ($category != 'list.php' && $type != 'list')) { $rawcat=str_replace('_', ' ', $category); $list=getlist($rawcat); $title=$rawcat." Articles"; } else { $toc=TRUE; $list=getlist(); $title="Table of Contents"; }

From here, the rest of my PHP code can query the database for articles. getlist() is a function that I wrote. If its parameter is null, it gets all of them, otherwise it (safely!) queries the database for a category.

I used similar code in the article php script, which queries the database for the title of an article, so I get nice-looking URLs for individual articles as well, such as:

http://foo.somesite.com/article/How_to_narfle_the_Garthok

Why Ham?

noreply@blogger.com (Ax0n) — Tue, 03 Jan 2012 16:26:00 +0000

Amateur radio is called "ham radio" by many. Ham isn't an acronym, but the origin of the sobriquet is a topic of debate. The most plausible explanation I heard is that professional telegraph operators considered amateur radio operators to be inferior, ham-fisted tinkerers. In this case, "ham" is actually a derogatory remark. Despite the fact, it's been adopted by the community now and is synonymous with "amateur radio." Amateur doesn't mean neophyte, however. It is the antonym of "professional radio," in that amateur stations are not commercial, and hams cannot recieve compensation for operating their equipment.

(The ham shack at MST's Amateur Radio Club, W0EEE)

Several co-workers and friends flaunted their amateur radio gear and goaded me into joining their ranks last year. Many hackers carry a ham license, or are getting interested in the hobby. Still, some people occasionally ask me "what's the point? We have smartphones and the Internet now." It's true. The telephone as we know it has indeed enjoyed evolution at a breakneck pace. My co-worker's Nexus LTE sucked 20 megabits per second out of thin air the day he got it. I don't even get that kind of pipe to my home. Still, to me, there's always been something about amateur radio that can't quite be compared with the Internet or mobile phones. I'll explain just a few of those things, from my own novice perspective.

In 1987, I saw an amateur radio demonstration that was given to my scout troop in the middle of Nebraska. With a brick-like walkie-talkie weighing more than a pound and about the size of two Wiimotes side by side (not counting the big rubber antenna on top of it), the presenter was able to communicate with others several counties away, and even place telephone calls. He said that with a bigger antenna and more powerful radio at home, he could talk to people all over the world, all without relying on telephones or even the power grid, because much his radio equipment could be powered by car batteries.

This blew my 8-year-old mind. It was nothing like my little walkie talkies at home. I wanted to be a ham, and even put in some work toward it, but I simply wasn't ready. The urge hit me in waves on occasion. In high school, I experimented with CB. In college, I took some interest in those FRS walkie-talkies that are now ubiquitous in every department store. A few classmates were amateur radio operators, and I got the itch again, but never really got the motivation to get licensed. It would go on like this for many years. For me, it took a friend in California selling me some of his used radios for cheap. At that point, I had the equipment in my hot little hands, but I didn't have a license to use them for anything other than listening. That lit a fire under me.

Aside from their size (owing to advances in surface-mount electronics and battery performance), the most basic hand-held ham radios haven't changed a whole lot in the last 20 years. For reference, my smallest radio is about the size of a closed Motorola StarTAC, but packs nearly as powerful a transmitter as the giant brick radio that had me awestruck more than 20 years ago. Most hand-helds work on the FM Voice part of the VHF band (~144 MHz) or the UHF band (~440 MHz), or both. Some operate on other bands as well. Transmit power from 300mW to 5W is common. Although these smaller radios are most often used to contact a high-power repeater, they can also be used directly between licensed amateurs over shorter distances with some rules and restrictions noted. They have more power and better antennae than FRS radios, and can be connected to an externally-mounted antenna if desired. They're great for highway convoys and outdoor activities. Many hand-held transceivers are capable of tuning in a very wide range of frequencies, so they can be used somewhat like analog non-trunking scanners and frequency counters for finding and listening to public safety, railroad, airport or rent-a-cop chatter. More on that in a separate article.

Repeaters are usually mounted on radio towers, tall buildings or up in mountains. They recieve on one frequency (an input frequency), then transmit what's received in real-time on the output frequency, allowing one-to-many conversations over a relatively large region within a 20-50 mile radius. Radios designed to be used with repeaters are able to automatically switch to a repeater's input frequency when transmitting. Repeaters are often linked together via high-power point-to-point radio links, telephone lines or digitally over the Internet. Some repeaters are actually built into satellites in space, covering extremely wide areas, but those can be a challenge to use as they traverse the sky. Many repeaters have redundant power, via battery and generator backup. And yes, a lot of this stuff is very similar to what existed 30 or more years ago, save for the Internet-connected repeaters.

Hams are often called upon to help where efficient communications are desired. You're likely to find amateur radio operators volunteering behind the scenes helping marathon or charity bicycle ride officials locate event participants in need of assistance, providing the National Weather Service with critical storm data from the ground, or establishing point-to-point radio links with nearby hospitals and participating in relief efforts in communities whose infrastructure has been crippled by floods, tornadoes, hurricanes or earthquakes. All of this is made possible because hams know how to communicate efficiently in groups, and their equipment isn't completely disabled by disruptions of complex infrastructure (although, as noted, infrastructure such as the power grid and telecom is often used when available.)

Many people think of morse code when they think of ham radio. Morse code is still in use, but you no longer need to know it to get licensed by the FCC. Morse code is essentially a human-comprehensible binary mode of communication. There are several other digital modes available, allowing you to blend technologies, and some common modes rely on AX.25 packet data. You can run a packet radio BBS over the air if you like, or transmit your GPS coordinates while hiking through the woods or helping disaster relief efforts. Some of these digital modes are extremely efficient, use very little bandwidth, and can be easily received from long distances, even if they aren't transmitted with much power. Conversely, hams can also enjoy many parts of the amateur bands, including parts of the 2.4 GHz spectrum (with some overlap on WiFi channels) with up to 1500 watts.

Although some hams might seem like retro-grouches with their morse code conversations, technology doesn't stand still with amateur radio! There's a very hearty "do it yourself" spirit here. Many participants might very well be considered radio hackers. They build their own transmitters, recievers and repeaters, and most of them are -- by nature -- gifted problem solvers.

Check out this video from ARRL for some more info.

What's it take to get licensed? There are three classes of amateur radio licenses in the US. In order from lowest to highest, they are Technician, General and Extra class. The exams are multiple-choice quizzes, each coming from a pool of several hundred possible questions. The Technician and General exams have 35 questions each, while the Extra exam is 50 more challenging questions covering material that's ostensibly arcane. The test to get each license requires progressively more depth of knowledge in safety (RF exposure, antenna towers, grounding), electronics, FCC rules, transciever and antenna designs and other information that proves the licensee understands the craft well enough to safely operate their own station. Each higher license class grants access to transmit on more frequencies, usually in the lower frequency bands that are more useful for reliable long-distance communication.

Since the question pools and study materials for licensing are publicly available, I studied the Technician material on my own for a few weeks before acing the technician exam. Most major metro areas have groups that give frequent classes, and all metro areas have volunteer examiners who will administer the test to those who have studied on their own.

I may upgrade to the General class license this year, but I'm honestly a lot more interested in the merge of digital technology with amateur radio. The Technician class license allows me to operate digital and "sideband" voice on the 10 meter band, but there's a lot of digital stuff in the higher frequencies that Technicians are allowed to use.

If you are interested in learning more about amateur radio but can't seem to find anything in your area, post away in the comments and I'll see if I can help you out.

Intro to javascript malware analysis

noreply@blogger.com (Ax0n) — Sat, 17 Dec 2011 00:54:00 +0000

I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur. Others were variants of shipping confirmation scams, pharmacy junk, etc. I wish I could say that I have no idea how people fall for these, but the fact is that some people will literally click on anything that shows up in their inbox, open any attachment and follow any link, no matter how blatantly fake we professionals think these scams are.

What lay at the tail end of all the script="http://some-site/whatever.js" includes and document.location redirects? A webpage that'd been owned, filled with a huge pile of nonsensical jibberish that could barely pass as javascript, which happened to be part of the Blackhole Exploit Kit.

I've done my share of picking apart obfuscated javascript before, but it had been a while. I gave a presentation of this same thing at KC2600 a few weeks ago. Then, this week, a colleague of mine who missed the meeting ran into the same thing in the wild. I passed on what I'd learned, and decided it might be time to write it up with a little more detail than I did a few weeks back. He made this quick video that covers how he was able to de-obfuscate this particular sample:

By now, I've seen several different obfuscation schemes for BlackHole, but once it's decoded, it all looks about the same.

The introductory basics are simple. Minimize the potential of infection by using a non-privileged account (and perhaps an OS other than Windows) and/or minimize the impact of a successful infection by running a virtual machine that you can blow away or revert to a snapshot of a known clean state. For the malware I'm using in this example, either (or both) of the above criteria will be ample to keep things from getting out of control. Other malware may be more insidious or may target non-Windows platforms. I have a few friends that have unwittingly infected their own workstations while trying to analyze things. Play safe.

Once you have a safe lab environment, your goal is to examine a suspicious link and dissect it.

In my case, I was able to find a few links to malware in my personal mail's spam folder. For the demo at KC2600, I used Malware Domain List to find some Blackhole samples.

In the wild, there may be any number of redirects ahead of the malware. You may see a shortened URL (through goo.gl, tinyurl, etc) which goes to a sparse HTML page with several calls to javascripts hosted on various sites, and those javascripts may simply be a document.location pointing to the malware. I usually stick with curl or wget to pull down suspicious links, and then I keep looking at the content and following the redirects until I strike gold.

The javascript itself is ugly once you get to it. Sometimes, the byte array is only a few (really long) lines. Other times, like this sample, each byte of the obfuscated data is on a new line, like this:

You'll see a few interesting things. There's an "e=eval;" line near the bottom, and then "e(c);" after that. It doesn't take a coding genius to realize that this is a way to call eval(c) without triggering some IDS signatures that look for "eval(". Many samples I saw weren't quite this obvious. In fact, the script in the video has the eval alias in a different part of the script and varies in several other ways if you look closely.

To turn this cryptic payload into something that resembles actual javascript, there's a post on SANS ISC from several years ago covering a few methods. I went with the so-called Tom Liston Method, essentially trying to wrangle the decoded stuff that was destined for the eval function into a document.write within a textarea box instead. Note: I ran into one sample of BlackHole that has a /textarea tag near the beginning, which would keep someone from using this trick to easily view the code with this trick, but I don't think it will eval the stuff behind it since it's been changed to a document.write.

In the above example (and in the video), the content that is destined for eval is stored in variable "c", so you simply replace "e(c);" with:

document.write("<textarea cols="150" rows="100">" + c + "</textarea>");

But obviously, you need to use some brain power here to figure out what trickery they're using to call eval, and what the variable is that needs to be wrapped up in the above document.write command. You may also wish to mess with the rows and columns on the textarea. I know on my netbook, that textarea size is far too unweildy. On my desktop, it's almost perfect.

Make sure the file is renamed as a .html, then load it up in your safe lab environment's browser, just in case something goes wrong.

Voila. If you scroll through recent versions of BlackHole Exploit Kit, you'll see that it tries to load an embedded java applet and a PDF, both of which are designed to exploit recent vulnerabilities in JRE and Adobe Reader. Since I don't have Windows running in a VM environment (and I'm not keen on actually infecting any of my Windows boxes) I'm not entirely sure what gets loaded from there. I'm guessing the carberp trojan, given most of what I've read lately. If that's the case, a successful infection would likely block access to anti-malware sites, try to sabotage existing security software, and start gathering sensitive data such as card numbers and online banking credentials.

UPS Battery Hackery: Not highly recommended

noreply@blogger.com (Ax0n) — Mon, 05 Dec 2011 03:48:00 +0000

Step 1: Disassemble UPS (not shown). That includes unplugging it and removing the battery, and taking the outer shell off. This was a dumpster rescue that was missing the battery entirely. Be careful. Lots of capacitors and transformers inside. See the disclaimer in the title. Not highly recommended.

Step 2: Drill a hole in the case, near where the battery wiring harness enters the battery chamber. I used a 1/2" drill bit for this.

Step 3: Make a grommet. I used some silicone air hose for my aquarium, cut a length of it, then split it. I used a few separate pieces.

Step 4: Re-assemble, Hook up a much bigger battery than what's supposed to be inside.

I accept no blame for any of the many things that could possibly go wrong with this.

Shell Script: Parse Juniper firewall logs

noreply@blogger.com (Ax0n) — Fri, 18 Nov 2011 17:47:00 +0000

Juniper firewalls (at least the ScreenOS-based one I have in the lab) have an interesting format for their syslog entries. It's a whole line full of variable=parameter type stuff. Usually, these are in a pretty predictable order, but you can't rely on the nth parameter to be the same in every log entry just due to the fact that different types of traffic have different parameters. You don't see a source or destination port on ICMP traffic, for example. This script reads a log file (I'm using Syslog-NG in the lab), splits the entry up into one parameter per line, grabs only parameters matching the list you provide on the command line, then stitches it back together into one line. I saw no benefit in trying to make the output order match the order provided on the command-line, since some columns are prone to be blank in certain situations anyway. This is quick and dirty, but it does the job for what I need, and I thought I'd share.

axon@moo:~$ ./juniper-parse.sh

Parse columns from Juniper firewall logs
Syntax:
./juniper-parse.sh logfile column [column ...]

Common columns:
action, device_id, dst, dst_port, duration, ip,
policy_id, port, proto, rcvd, reason, sent, service,
session_id, src, src_port, start_time, zone

Here, you can see some of my lab machines trying to fetch updates from an Ubuntu mirror, getting denied because I only allow requests through my proxy server:

axon@moo:~$ sudo ./juniper-parse.sh /var/log/firewall.log action policy_id proto src dst dst_port

2011-11-13T08:35:09-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.75 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:09-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.112 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:10-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.171 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:13-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.171 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:15-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.77 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:18-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.75 dst=91.189.92.169 dst_port=80
2011-11-13T08:35:18-06:00 policy_id=12 proto=6 action=Deny src=192.168.42.77 dst=91.189.92.169 dst_port=80
...

Script below:

#!/bin/sh
#juniper-parse.sh
if [ $# -lt "2" ]
then
echo "
Parse columns from Juniper firewall logs
Syntax:
$0 logfile column [column ...]

Common columns:
action, device_id, dst, dst_port, duration, ip,
policy_id, port, proto, rcvd, reason, sent, service,
session_id, src, src_port, start_time, zone

"
exit 1
fi

filename=$1; shift
until [ $# = "0" ]
do
pattern="$pattern -e ^$1="
shift
done
while read line
do
timestamp=`echo $line | cut -f1 -d" "`
echo "$timestamp `echo $line | tr ' ' '\n' | grep $pattern | tr '\n' ' '`"
done < $filename

OpenBSD 5.0: Apache, PHP and MySQL

noreply@blogger.com (Ax0n) — Sat, 12 Nov 2011 07:52:00 +0000

The basic steps for taking a bare-bones install of OpenBSD and adding an AMP stack for web applications hadn't changed much in the past 2 years. Although 5.0 is not seen as a "major update", but simply a continuation of the normal development cycle, the OpenBSD team did a few things that make the installation a bit different this go around. I'll cover some of the recent changes to OpenBSD and its packages in this post, then you can dive right into the updated OpenBSD Chroot Apache, PHP, MySQL setup guide.

Initialization scripts: Starting with OpenBSD 4.9, the RC scripts became modular. This is similar to how NetBSD and FreeBSD have worked for many years. Individual daemons have startup scripts in /etc/rc.d, but rc.conf, rc.local and rc.conf.local still work the same, so it wouldn't surprise me if many OpenBSD users didn't even notice the change. It seems like OpenBSD 5.0 packages for most of the popular services (samba, cups, postgres, etc) are actually creating these startup scripts now. If a third-party application from packages installs a startup script in /etc/rc.d, you can add it to the pkg_scripts variable in /etc/rc.conf.local like so, and it'll magically start.

pkg_scripts="mysqld cups samba"

See the OpenBSD man page for rc.d for more details.

MySQL and chroot: I'm not sure why it didn't dawn on me before, but one really simple way around hard-linking MySQL's socket file into the chroot environment is to simply have your web applications connect to MySQL's TCP port on 127.0.0.1 (not localhost, because that means "use the socket file" in MySQL-ese) I think I'll be doing it this way in the future.

PHP: PHP 5.3 added a lot of features, such that PHP 5.2.x and PHP 5.3 might as well be different major version numbers when complex web applications are considered. OpenBSD 5.0 adds packages for PHP 5.3 for the first time, but PHP 5.2 is still available in the repository. For this reason, the PHP core and module packages are no longer prefixed by php5-, they're just php, php-mysql, etc. Since PHP 5.2 is still supported, the version numbers are used to distinguish them, like this:

$ sudo pkg_add php-mysql
Ambiguous: php-mysql could be php-mysql-5.2.17p3 php-mysql-5.3.6

Further, some configuration file locations have been changed. If you pay attention to the text after installing packages, this shouldn't make much difference. Hint: you can always re-read the post-install notes afterward by using pkg_info -M.

All in all, the recent changes to OpenBSD are welcome. Some of the things I outlined here are areas where OpenBSD had some catching up to do. They've managed to do a lot of proactive stuff in the realm of hardware support and (of course) security and encryption. This is still one of my favorite platforms to tinker with.

BSidesKC Videos

noreply@blogger.com (Ax0n) — Thu, 27 Oct 2011 04:19:00 +0000

I actually didn't get to present anything this year. Not for any particular reason. All the talks were awesome and they tied together pretty well. It took me a while to get UStream working on my phone, via 3G. Also, not all the videos worked or uploaded properly, so my apologies in advance for not getting all the talks, and for the crappy video quality, especially on the slides. Slides should be online soon, though.

Here are my archived UStream videos, though. There are only 4 from BSidesKC, and then some older stuff from Maker Faire.

As for my talk on remote pentest appliances: It's probably best I didn't get a spot this year. Turns out that those 1 million writes (or whatever) that USB flash drives are good for go by pretty fast when you're running a full operating system (with databases, etc) direct from the drive for a few months straight. My demo platform died a week ago. I had backups, but I have some re-thinking to do. I'd probably best stick with external 2.5" drive enclosures for this project. I'll be documenting it properly.

Bulk date conversion with GNU Date

noreply@blogger.com (Ax0n) — Wed, 12 Oct 2011 14:10:00 +0000

GNU's version of the date command (which ships with almost all Linux flavors) can accept an arbitrary date and/or timestamp as input to display. Combined with the output formatting feature found in all posix flavors of the date command, you can use it to convert almost any format of date or time to a standard format.

axon ~$ date --date "yesterday"
Tue Oct 11 07:47:33 CDT 2011

axon ~$ date --date "Saturday, August 19, 1989"
Sat Aug 19 00:00:00 CDT 1989

axon ~$ date --date "21-APR-2001" +%Y-%m-%d
2001-04-21

So if you have a bunch of dates or timestamps, one per line, that you wish to convert:

axon ~$ cat file
1/21/2011
2/5/2011
2/10/2011
2/20/2011
3/7/2011
3/22/2011
4/16/2011
4/21/2011
4/26/2011
5/21/2011
1/24/2011
2/1/2011
3/6/2011
3/9/2011
May 25, 2011
6/23/2011
7/23/2011
8/10/2011
9-SEP-2011
Sat Sep 10 00:00:00 CDT 2011

... say to ISO 8601 Year-month-date format , you can knock it out easily like this:

axon ~$ cat file | while read line; do date --date "$line" +%Y-%m-%d; done
2011-01-21
2011-02-05
2011-02-10
2011-02-20
2011-03-07
2011-03-22
2011-04-16
2011-04-21
2011-04-26
2011-05-21
2011-01-24
2011-02-01
2011-03-06
2011-03-09
2011-05-25
2011-06-23
2011-07-23
2011-08-10
2011-09-09
2011-09-10

wpa_supplicant on the command line

noreply@blogger.com (Ax0n) — Wed, 21 Sep 2011 20:06:00 +0000

Here's the quickest and dirtiest guide you'll see to getting connected to a WPA/WPA2 PSK wireless network from the command line on Linux. Obviously, replace the SSID, passphrase and interface (in my case, wlan0) with the appropriate settings for your configuration. I've never really had to bother with hopping on a WPA network on Linux without the GUI Network Manager before. I was surprised at how easy it was. Tested on BT5 and Ubuntu Server:

$ wpa_passprase mynetwork secretpassphrase > wpa_supplicant.tmp.conf
$ sudo wpa_supplicant -iwlan0 -c wpa_supplicant.tmp.conf&
$ sudo dhclient wlan0

A few notes:
* wpa_passphrase will prompt you for a password if you don't use it on the command line. You may want to clear your history out or rely on this prompting feature to keep network credentials from being stored insecurely. You should also remove the plaintext version of the password from the resulting configuration file.

* If the SSID is "hidden" (which is actually less secure!), you need to add another line to the configuration file: "scan_ssid=1"

Installing OpenVAS on BackTrack 5

noreply@blogger.com (Ax0n) — Tue, 30 Aug 2011 23:35:00 +0000

In preparation for a talk I'll be giving at BSidesKC in October, I've been playing with BackTrack 5 and OpenVAS. OpenVAS was a little bit of a pain to get compiled on Ubuntu, but now that the OpenSUSE guys have built .DEB packages of a fairly recent version of OpenVAS (4.x), it's pretty easy to install on most modern Debian-derived systems. In fact, this works on Ubuntu Server as well, and I have tested it on 10.04 LTS. You just have to do it as root, like you'd do on BackTrack, because I was too lazy to write these instructions with "sudo" in front of each line (and using "| sudo tee -a" instead of the append-redirect for adding a quick line to the sources.list file).

This will be a rough post just to get my install notes down. The instructions on OpenVAS' website do not currently work as designed (however, I'm basing this post on them) and at the time of writing, the OpenSUSE build packages are broken in a number of ways that are easily fixed. For example, the openvas-scanner package provides a startup script in /etc/init.d, but the greenbone-security-assistant, openvas-manager and openvas-administrator packages do not. Some of the binaries are built to read files from /var/lib/openvas while others go for /usr/local/var/lib/openvas. Whatever. We'll deal with it. Also, a lot of these command lines are insanely long and probably will get cut off or line-wrapped by HiR's template. Copy. Paste. View Source. I trust our readers to be smart enough to figure that out.

Before starting, I recommend making sure you're up to date:


apt-get update && apt-get upgrade

Add the OpenVAS branch of the OpenSUSE Build Service to your apt sources, get the apt key and update your repository cache:


echo "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/Debian_5.0/ ./" >> /etc/apt/sources.list

apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys BED1E87979EAFD54

apt-get update

Next, install all the fun packages and dependencies needed in one run of things. Consider adding "gsd" to this package list if you think you'll want to use the Greenbone Security Desktop GUI interface. I plan on doing no such thing.


apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot

Make some directories and some symlinks to compensate for the clustercoitus of path discrepancies in the OBS packages.


mkdir -p /var/lib/openvas/private /var/lib/openvas/CA

mkdir -p /usr/local/var/lib/openvas /usr/local/var/lib/openvas/users

ln -s /var/lib/openvas/users /usr/local/var/lib/openvas/users

ln -s /var/lib/openvas/CA /usr/local/var/lib/openvas/CA

ln -s /var/lib/openvas/private /usr/local/var/lib/openvas/private

Make the openvas server cert, fetch the latest NVT plugins, and make the client cert used by openvas-manager:


openvas-mkcert -q

openvas-nvt-sync

openvas-mkcert-client -n om -i

Start the OpenVAS Services manually, rebuilding the OpenVAS Manager database once your get openvassd started (it'll take a good couple of minutes to load all the plugins), and all that jazz. Hey, Greenbone Security Assistant (the Web UI) works over https when you install it this way! It would only do HTTP when I installed it from source.


openvassd

openvasmd --rebuild

openvasmd

openvasad

gsad

Add an admin-level account for yourself. I suggest a different username for the -u argument. -r specifies the role, and you want to leave that value set to "Admin" if you want to be able to do much with OpenVAS.


openvasad -c add_user -n axon -r Admin

At this point, you should be good to go. Hit https: on your machine and have a blast.

Look for another article related to BackTrack 5 and OpenVAS right after BSidesKC. I've got something fun up my sleeve. If you're anywhere in the region, you should probably just show up. It'll be a good time.

Store extra MicroSD cards in the original case

noreply@blogger.com (Ax0n) — Mon, 29 Aug 2011 13:53:00 +0000

This is quick and silly, but useful to me. Maybe it'll help others.

A lot of my gadgets use MicroSD and SD cards. I've found you can get MicroSD's pretty cheap, so now I just buy those and carry an SD adapter around for the times I need to put a MicroSD into my digital camera or laptop. I bought my SD Card Adapter in a set (with two 8GB microSDs included), so it had space for the adapter with one MicroSD already inserted, and another space for one MicroSD card. The case is conveniently-sized, but I wanted it to be able to hold more MicroSD's.

I started by placing one MicroSD on the inside edge of the open case, resting on the plastic tabs that are designed to hold the original MicroSD in place. I faced the new one pointing the opposite direction (broad end to the right) from how the original MicroSD is supposed to sit (broad end to the left). Then, as shown below, I made two slices in the plastic with a box cutter to trim the tabs to the right length to allow more MicroSD cards to fit in the case.

Not shown: I removed the SD card and used the box cutter to cut the tabs loose from the bottom of the case.

Now, two SD cards can fit stacked on top of one another in the space next to the original MicroSD. With one SD card in the adapter, another in the original spot and two stacked next to it, I can now carry a total of four MicroSD's and the adapter in this small and convenient case.

Side note: I saw 64GB MicroSD's for the first time over the weekend. That's about 2,500 times the capacity of the hard drive I helped dad install into our first real desktop PC, and it's half the physical size of a postage stamp. The future: we're living in it.

xkcd on password strength

noreply@blogger.com (Ax0n) — Wed, 10 Aug 2011 14:48:00 +0000

So much win.

Awesome HNN Schwag!

noreply@blogger.com (Ax0n) — Fri, 05 Aug 2011 12:35:00 +0000

HNN came into existence around the same time we did. They went dormant around the time time we did. They came back a while after we did. Back when HiR was just getting started, HNN would diligently and without fail link to our new e-Zine releases. They've always been better at maintaining a consistent news schedule than we have, though.

We were surprised and thrilled to get this little care package in the mail this week:

Thanks!

Banned by Google+

noreply@blogger.com (Ax0n) — Thu, 28 Jul 2011 15:19:00 +0000

That didn't take as long as I thought it might. A rundown of what happens: Your google profile goes wonky as shown in the photo. GMail, Docs, Picasa, Voice and Talk all work fine, although anywhere you would expect to see your profile photo, it will be missing. You can view other people's content in Buzz, Reader ans Plus, but you cannot share, post, comment or otherwise produce any content on those services, nor, apparently, can you follow new contacts either.

Most people that I collaborate with elsewhere know me as ax0n. My real name, address, phone number etc are no secret, but most people don't even know who I am by my given name.

By for now, Google+.

Lock Fail

noreply@blogger.com (Ax0n) — Mon, 25 Jul 2011 01:01:00 +0000

Simplex-style pushbutton locks are ubiquitous in the medical industry. They're used on medicine carts, cabinets, lockers and doors. This is a cabinet that is designed to hold a thin-client workstation and/or patient record portfolios, and restrict access to ethernet ports.

Yep. You can open this one by sliding the exposed latch with your finger.

Also: if you happen to shoulder-surf the code for one of these, you can almost guarantee every other cabinet in the same hospital uses the same code.

Sysadmin Sunday: parse strings with spaces using shell script

noreply@blogger.com (Ax0n) — Mon, 18 Jul 2011 00:29:00 +0000

I run into this once in a while: I'm trying to perform some operation on a bunch of files or a big line of text, and a space in the filename or text file janks everything up. Take for example all these recordings from a podcast that got batch-named with spaces in them.

Chimera:Recordings axon$ ls

(110) - .mp3 (12) - .mp3 (18) - .mp3 (39) - .mp3 (79) - .mp3

(111) - .mp3 (15) - .mp3 (3) - .mp3 (70) - .mp3

I really don't want spaces in the names. No problem, just use ls -1 (the number one) to list the files on their own line, and use sed or something for renaming them and changing every space to a null character, right?

Chimera:Recordings axon$ for file in `ls -1`

> do mv "$file" `echo $file | sed s/" "//g`

> done

mv: rename (110) to (110): No such file or directory

mv: rename - to -: No such file or directory

mv: rename .mp3 to .mp3: No such file or directory

mv: rename (111) to (111): No such file or directory

mv: rename - to -: No such file or directory

mv: rename .mp3 to .mp3: No such file or directory

[truncated]

That did not go as planned...

There are a few interesting ways to solve this one. The actual reason for this problem is your shell's internal field separator. When iterating over some input (here, the results of "ls -1"), the shell interprets any kind of whitespace as a field separator, including spaces, tabs and newline characters.

Although there are some other clever ways to get around this limitation when dealing with filenames specifically, my favorite solution to this problem works on any whole line of input regardless its source, whether reading a text file and operating on it one line at a time or taking filenames as input from another command such as ls or find. You simply have to use something that can accept spaces and requires a newline character in order to set a variable. Of course, I'm talking about a rather unsavory (but totally viable) use of the read command, which most unixy shell-script writers are familiar with when they require user input. Check it:

Chimera:Recordings axon$ ls -1 | while read file

> do mv "$file" `echo $file | sed s/" "//g`

> done

Chimera:Recordings axon$ ls -1

(110)-.mp3

(111)-.mp3

(12)-.mp3

(15)-.mp3

(18)-.mp3

(3)-.mp3

(39)-.mp3

(70)-.mp3

(79)-.mp3

You can also remap the $IFS variable to contain a newline, but be sure to unset it afterwards (if using BASH, this will set it back to default), or your shell will act differently than you likely expect when you're done. Messing with the internal field separator can be useful for other things (such as parsing /etc/passwd or handling CSV files) but honestly I'd probably be more inclined to use awk for those. If we remap IFS to a newline, our original script that errored out above works just fine.

Chimera:Recordings axon$ IFS=`echo -en "\n\b"`

Chimera:Recordings axon$ for file in `ls -1`

> do mv "$file" `echo $file | sed s/" "//g`

> done

Chimera:Recordings axon$ ls -1

(110)-.mp3

(111)-.mp3

(12)-.mp3

(15)-.mp3

(18)-.mp3

(3)-.mp3

(39)-.mp3

(70)-.mp3

(79)-.mp3

Chimera:Recordings axon$ unset IFS

OAMP Update: Secure OpenBSD, Apache, MySQL and PHP

noreply@blogger.com (Ax0n) — Mon, 23 May 2011 20:21:00 +0000

I got tired of essentially re-writing the same article over and over again, yet it seems with each release of OpenBSD and each OAMP install I do, things get just a little more refined. So I present to you a living document on its own page here at HiR Information Report. It's been written so that it is not specific to a distinct architecture or version of OpenBSD, so long as the proper packages exist on the OpenBSD mirror sites. This has been updated and tested on OpenBSD 4.8 and the recently-released OpenBSD 4.9, i386 architecture only.

Secure OpenBSD, Chroot Apache, MySQL and Suhosin Hardened PHP Installation Guide

Why I'm coming home to OpenBSD

noreply@blogger.com (Ax0n) — Thu, 19 May 2011 22:11:00 +0000

Although those who know me will tell you I love OpenBSD, I'm generally an operating system agnostic. I enjoy tinkering with OSes, and always have. There have been a few I tried and couldn't enjoy for the life of me (Mac OS versions prior to OS X, PalmOS, HP-UX and plan9 among them) but since 1997, OpenBSD has always felt like home to me, and I've long been a little bit of a fan.

Not long ago, my primary computer was a 13" MacBook that was bought for me by one of my consulting customers in late 2006, and prior to that, I was using OpenBSD on a crappy old Dell desktop and OS X on a G3 PowerBook. OS X is just unixy enough to geek out on. I could get most BSD-type stuff to compile. My MacBook also ran Windows 7 pretty well. I got switched on to it when my wife upgraded to 7 from Vista. It also ran OpenBSD, Backtrack and Ubuntu in VirtualBox like a champ.

When the MacBook started showing its age about 6 months ago, I went to a Toshiba NB305 netbook. It came with Windows 7 Starter edition, which really isn't much of an operating system at all. It's basically a kernel meant to launch Internet Explorer. Not amused. I didn't feel like paying to "unlock" Windows Home Premium.

Figuring that the hardware and all of the funky function keys would probably work best under Ubuntu, I went that route. Webcam aside (I never use it anyway) the hardware worked pretty well. I had to wait around for patches to get the screen brightness keys to work. Power management was always funky right after getting unplugged. Otherwise, Ubuntu worked pretty well for me. I set it up to dual-boot alongside Windows 7 Starter, just so I could use my radio programming software.

3 months ago, Ubuntu managed to corrupt the partition table on the hard drive. Recovery involved spending 4 hours restoring Windows 7 starter edition from the factory media and re-installing Ubuntu. A few days ago, the same thing happened. A co-worker has had similar trouble lately, as well.

There are a bunch of distros out there -- probably too many. Netbook-specific distributions are hot stuff. Frogman's on a Crunchbang kick. More than one person tried to tell me to go to Gentoo, Debian, Arch or some other flavor of Linux. I've used them before. Every few years, Linux has to piss me off, I suppose.

Faced with the prospect of a half-day wasted getting my netbook back to the way I thought I liked it, I decided to see what OpenBSD offered, since I haven't run it on the desktop outside of a VM in several years. The install is always quick, so if anything, it wouldn't be too much of a waste of my time.

As expected, Xorg didn't need any configuring to determine and use my display to its maximum potential. X has come a long way since the late 1990s. I was worried about things like power management (suspend, resume), hardware drivers, support for WPA2 and of course the function keys for display brightness, volume and the like, since they gave me a bit of trouble on Ubuntu.

You know what, though? Everything worked right out of the box. I had to enable apmd in /etc/rc.conf to get suspend to work, but that was it. I also found a pretty neat trick to get most flash videos to play in Firefox, with only open source tools and not actually using anything from Adobe. Youtube, vimeo, blip and even Badgers all work great. Let's face it, life would suck if you couldn't watch Lolcats, Badgers and Mythbusters.

It's way too soon to tell if OpenBSD will be any more reliable than Ubuntu in the long run, but I feel much more at home for the time being.

Moar useful OpenBSD resources I ran across this week:

OpenBSDsupport: OpenBSD Desktop For Windows Users

Using WPA on OpenBSD

That reminds me, I'm behind schedule on my OAMP guide for OpenBSD 4.9, but I'm pretty sure the existing instructions haven't changed, save for version numbers.

Using Severe Weather WX Alert on Yaesu Handhelds

noreply@blogger.com (Ax0n) — Mon, 25 Apr 2011 14:19:00 +0000

I have a Yaesu VX-7R and VX-2, both of which are great handheld radios. Deep in the menu system, each one has a "WX Alert" option. It's item 20 in the VX-7R's menu, and the VX-2's menu items are in alphabetical order, so look for "WX ALT" there. After enabling this option, my radios still failed to alert me when the National Weather Service issued alerts via their NOAA Weather Radio system. What gives? The manuals that came with my radios are very vague about how to use this feature, and Googling around, it seems like a lot of people have the same problem.

The trick is that you have to be scanning!

On the VX-7R, you have to be scanning the weather band for this to work. If you scan the weather band with WX Alert enabled, it will silently pause on any NOAA Weather Radio stations it finds, listening for the alert tone without breaking squelch. If it finds one, it will stop, open the squelch and play the weather alert. I recommend using the SUB band for this. Here's how you do it.

* Press [F] then [0] to enter the menu, and scroll to item 20. Enable WX Alert by pressing the [MAIN] or [SUB] buttons, then momentarily press PTT to exit the menu.
* If you have only the MAIN tuner up, press and hold the [MAIN] or [SUB] button to see the dual tuners. Momentarily press [SUB] to select the SUB tuner.
* Press [F] then [3] to move the SUB tuner to the WX band.
* Press [F] then [1] to start scanning the WX band for weather alerts.
* Press [MAIN] to start controlling the MAIN tuner, and use the radio as normal.

On the VX-2:
* Press and hold the H/L button to enter the menu, scroll to "WX ALT"
* Press H/L momentarily, then use the VFO knob to enable it.
* Press PTT Momentarily to save the setting.
* Press [F] followed by the [WIRES] button in the bottom left corner to enter special memory mode
* If needed, press [BAND] repeatedly until the weather band shows up.
* Press and hold the [BAND] key to scan the weather band.

The VX-2 will silently pause on any NOAA Weather Radio stations it finds, listening for the alert tone without breaking squelch. If it finds one, it will stop, open the squelch and play the weather alert. I also found that if this option is enabled on the VX-2 and you're scanning other memory frequencies, the radio will occasionally jump over to the weather band and listen for the alert tone. You should probably have the WX band tuned to the frequency of the nearest weather radio transmitter, because I don't think it scans the whole weather band, only the station that was last used in the WX Special memory mode.

Of course, not all Yaesu radios have these features, and these steps may not work exactly the same for all Yaesu radios that support WX Alert.

The Real Insider Threat

noreply@blogger.com (Ax0n) — Tue, 19 Apr 2011 03:15:00 +0000

Today, I saw this interesting piece on insider threats posted to CERT, and was somewhat baffled. I stewed on it a bit, but a Google Reader comment by Carnal0wnage spun up my rant engine. Here, people are actually being urged to spy on their peers then name them and shame then, as if it's totally normal to put bear traps in the server room and roll your own ECHELON, lynching in the commons anyone who dares to raise the ire of the great and awesome security team. They titled their session "What's working to stop these attacks?" It's us versus them.

When I was still a student, years before my real career in information security would take hold, it was commonplace to hear that some unfathomable percent of attacks are from malicious insiders. Maybe it was true in the 1990s. After years of leaving corporate workstations and academic lab computers hanging out on the Internet with public IP addresses and no firewalls, administrators were finally getting a clue, NATting workstations and putting up chintzy first-generation port-blocking firewalls. Students and curious employees were suddenly the ones with unrestricted access to internal systems protected -- if you wish to call it that -- by these prototypical security systems. Maybe this logic made sense back then.

Be that as it may, I've seen more data loss from people bypassing draconian security policy than I've seen data loss from the rare disgruntled trade-secret packrat with one hand in the cookie jar and one foot out the door. That's not to say these things don't happen. They do! But they're not the typical modern insider threat.

At my last job, I would occasionally have the option to work remotely for server maintenance, or instead drive 15 miles to the office at 11:00 PM on a Saturday night, and stay there until 4:00 AM Sunday morning. Working from home meant this:

Firing up some proprietary piece of VPN software that only ran on Windows.
Using a 2-factor authentication token to get into the VPN.
Using RDP to access a "secure" sandbox server, which was pretty much the only thing the VPN would let you access remotely. This required the use of the 2-factor token again, but you had to wait to make sure you didn't use the same one-time key twice in a row.
Using RDP from that server to get to my desktop, which also ran Windows.
SSHing from my workstation to a central administration server that was dual-homed and could actually access the servers I needed to work on.
Performing the work on the servers.

Let's say, I usually drove to the office. How much do you want to bet that people in high-level positions were taking sensitive information home with them on external drives instead of trying to navigate that rat-maze of security on a daily basis? What about the CFO that always uses an aircard for his laptop -- even at the office -- mixing business with casual recreational web surfing just because he can't get to the things he "needs" ever since that [expletive] proxy started getting in his way.

That's how data gets lost, and there's your real insider threat.

While security sometimes impacts usability, it doesn't always have to. It's certainly not a linear scale. I could provide dozens of examples where making something harder to use causes people to make poor security decisions, but they're mostly cliché. Security is hard, and the human element of it is the most nuanced and unpredictable part.

Don't force security rhetoric down peoples' throats and try to pass it off as "awareness training." Work with people. Figure out what they want, and work to deliver solutions that provide an adequate level of risk protection while impacting usability as little as possible. Automate or document the hard parts for them. Explain things to them in terms that they can understand. I'd bet your job description called for excellent written and verbal communication skills. Put them to good use!

While threat management and network monitoring are always part of a complete information security breakfast, trusting and empowering your co-workers while providing them with education that meets them where they are will probably go a lot further toward minimizing the insider threat than playing Big Brother ever will.