Blog

PayPal shuts down Hackers for Charity [Digg]

Tue, 14 Jul 2009 22:32:15 PDT

I had a subscription system running under WP-MEMBER for about a year before that software flaked out on me. Multiple domains caused problems that were irreconcilable. I had donations for our work in Africa coming in (not through wp-member) and a few hundred subscribers to Informer through wp-member. All said, when I switched to Suma, [...]

Gmail Helps fight against Phishing

Mon, 13 Jul 2009 16:19:58 PDT

New in Gmail Labs, although, it shouldn’t be a lab (roll that puppy out!) Is a new feature that enables the user of the lab feature to be super-duper sure that the email from Paypal that is sitting in their inbox? Yeah, it’s really from Paypal.

Useful for those people using Ebay and using Paypal as the payment house.

The blog post doesn’t go into all the financial institutions (or websites) that they do the super-dooper secure key with, but take a look at their blog post to fully understand anyway:

http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html

Freedom and Understanding

Sun, 12 Jul 2009 09:17:36 PDT

(From an email list, someone wanted to know how to block services like MobileMe on the network. Normally I’d offer the advice on how to do it, but this time the first question I asked was “Do you local users have Admin to their own boxes?” To which the answer was “Yes.” -- I edited it to make more sense as a blog post. This is a post intended to provoke discussion, obviously my suggestions and things won’t work everywhere and in all scenarios and an all networks. Keep an open mind.)

We are in a new world, a mass world full of mobility. Take the iPhone. This is a computer, a computer I carry in my pocket, but none the less a computer. I could feasibly get away with leaving my laptop at home the majority of the time with the amount of things that I can get done on my phone. Laptops sales have increased significantly in the past few years, people are buying less and less desktop computers. Laptop speeds have caught up with desktop speeds, and things are much more convenient now.

Blackberries were that way, but the iPhone really sealed the deal. Of course now we have a plethora of devices coming out claiming to be “iPhone killers”. The Palm Pre, the things from LG, the Blackberry Storm, but there is still nothing that can touch the iPhone. You put an OS this powerful in a box this mobile, and viola, you have a mobile computing platform. And the solution to a lot of life's little problems. Why doesn’t Apple make a netbook? Wake up, they already have.

I absolutely could not get away with not being able to have MobileMe (or Google, whatever you use) sync my contacts, calendars, bookmarks, etc from the desktop up to the cloud and back down to my phone. I could not function if I didn't have realtime push for all of that kind of stuff. How would I know about that meeting that I just got invited to five minutes ago? Cause you know, no one is going to actually pick up a phone and call you about it (sarcasm).

What are the users doing that they need these sync services? Is what they are doing enhancing productivity or making their life easier? Probably. Is it a security risk? Can it be mitigated without destroying it?

I don't see a reason why not. The time has come for us a security professionals to stop nuking that which we don't understand/want to deal with, and start understanding why things are being used, how they are being used, and does it help? Instead of destroying everything, let’s figure out services and techniques that will provide our users the level of, well, not only training, but the level of convenience that is useful to them.

There are all these great companies out there starting great businesses to solve companies and life's problems, and attitudes like "we need to stop them" -- for no good reason -- just don't fly anymore. It just doesn't make sense in this day and age. Heck the Army even allows people to go to Facebook and Twitter now. Yes, they can click on bad things and people will download bad things and put them on their machines, but you know what, they are going to do it anyway, they will find a way around your control. Instead of inhibiting them, enable your users. I am not saying let them do what they want, or unblock everything. I am saying, let’s find solutions to their problems, instead of saying “no” all the time.

Yes there are security risks, but there are security risks in everything, right?

How can we make our users lives easier, more productive, and efficient without sacrificing security?

Make sure IT operates and conforms to the company policies, and you will have a much happier and much more productive workforce.

Google Chrome OS is a threat to whom?

Wed, 08 Jul 2009 18:21:01 PDT

Let me be clear, I like the idea of Google Chrome OS. Fast, “thin client”, cloud based, etc.

But I’ve read a lot today about Google Chrome OS is going to be dropping a “bomb” on Microsoft, and they should be scared.

The only way that Microsoft should be scared is if Google Chrome gets on ALL the netbooks, which is a huge market, and totally ousts Windows from the platform... which they won’t.

Microsoft has had their OS in development for 20+ years? OSX, which is Unix based, has had the underlying pinnings of their OS around for what? 30 years+? OSX, who was NextStep before, has at least been around since... 1989? So it’s 20 years old?

It’s not that I don’t hope that Google Chrome OS does well, I like the concept of the thin based OS, as I said, but I just get frustrated at the “media” who use headlines like “bomb on Microsoft”.

Come on, really? I know why they do it, I know its for headlines and sensationalism, but let’s put a dose of reality into these headlines please?

12:34:56 07/08/09 [Digg]

Wed, 08 Jul 2009 16:26:08 PDT

One geek hovered over a watch with his camera for this one moment...

RFI: DDoS Against Government and Civilian Web Sites [Digg]

Wed, 08 Jul 2009 07:52:47 PDT

SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system. Featuring daily handler diaries with summarizing and analyzing new threats to networks and internet security events.

Internet Storm Center Podcast

Thu, 02 Jul 2009 09:11:15 PDT

Hey everyone, sorry it has taken so long to get around to recording another podcast episode! The audio should be a bit better on this podcast, and we are going to try and get these out more often now. Enjoy!

All the podcasts
Podcast through iTunes

A Famous Person Has Died... (COMIC) [Digg]

Thu, 25 Jun 2009 19:14:56 PDT

Typical Mainstream media reaction...watch the news tonight, and you'll see it for yourself. Justsayin'...

Michael Jackson Dies [Digg]

Thu, 25 Jun 2009 14:42:46 PDT

RIP

Internet Storm Center Podcasts from SANSFIRE 2009

Thu, 25 Jun 2009 07:01:41 PDT

Recently at SANSFIRE 2009 there were several talks presented by our Internet Storm Center Handler staff at the “SANS @Night” portion of the conference. SANS was able to record the audio from all these presentations, which we have, and are going to be putting out as podcast episodes over the next few days. I just put the first one up a few minutes ago.

I would suggest the way to get these podcast is through iTunes (if you have iTunes) if not, then you can use whatever method works best for you and follow this link:
http://isc.sans.org/podcast.xml
In order to subscribe through iTunes click here:
Podcast through iTunes
Our first presentation is by one of our wonderful Handlers by the name of Deb Hale. Deb lives out in Iowa and during the floods of last year had some pretty interesting IT challenges thrown in her direction. This is a presentation entitled:
"Iowa Floods and Tornadoes: Losses and IT lessons learned - Disaster Recovery and Restoration after the Storms"
Audio and Slides are here: https://www.sans.org/webcasts/show.php?webcastid=92513

Help the Internet Storm Center be better [Digg]

Tue, 23 Jun 2009 07:07:36 PDT

Looking for suggestions on how to improve the ISC.

State of the Internet 2009

Wed, 17 Jun 2009 20:23:45 PDT

BLUF -- State of the Internet panel from SANSFIRE 2009

Last night I had the privilege of sitting on a panel with the Internet Storm Center Handlers on our annual “State of the Internet” panel that is conducted every year at SANSFIRE.

This year, not only did we stream it live out onto the internet, but we also had it recorded. We are going to try and get the audio and put it out as a podcast as well, but for now, here’s the audio.

http://su.pr/9Wx3MP

iPhone 3.0 and Caldav

Wed, 17 Jun 2009 16:56:54 PDT

Bottom Line up Front -- Caldav and the iPhone 3.0 OS are awesome. Here’s how to make it work for you.

Finally Caldav actually works with Google. Let me back up.

You’ve read my posts talking about how to sync your calendar between MobileMe and Google Calendar using BusySync. But what if you could cut BusySync out of the middle? Even though it’s pretty quick (at max a minute), what if you could properly function with Google’s calendar via CalDav?

First things first, I have two requirements for my calendar:
I can have my calendar pushed to me at all times.
I can have access to my wife’s calendar on my phone

My wife’s calendar is on Google Calendar. That being said, here we go...

I have to have my calendar pushed to me at all times because it’s quite frequent that I am invited to a conference call, or a meeting, you know, after it started, and I need the dial in or meeting details RIGHT NOW. I don’t have time to find a computer, log in, check the calendar (or wait for it to sync). So my solution was, I need push calendar. Fine, BusySync and MobileMe was a near perfect solution for that. I say near perfect because when I received an invite on my iPhone I couldn’t accept it, deny it, maybe it..etc.. I could do that on my iCal, but not on my phone. The only option that allows you to do this is Exchange integration with the iPhone. Well I don’t have an Exchange server. Wait, didn’t Google drop that on us awhile back? Yes, yes they did.

http://www.google.com/mobile/apple/sync.html

So I went into my Calendar settings on my iPhone 3.0 software, disabled calendar syncing with my MobileMe account, and added a new account, Exchange this time, following the directions laid out here:

http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252

Okay, Done. Instantly my calendar started pushing down to my iPhone. I can send events from here, I can invite people, I can be invited.. etc.. instant awesome.

Okay, but what about subscribing to my wife’s calendar?

Well, she uses Google Calendar, so now with iPhone 3.0, you can subscribe to a calendar via .ics file or, via caldav. So I subscribed to her calendar via caldav. Only you can only have one Exchange account. Not worry, Apple fixed that too:

http://www.apple.com/iphone/how-to/#calendar.subscribing-to-calendars

I went in and subscribed to my wife’s Google calendar via Caldav, and now, I have both calendars fully synced to my iPhone at all times. Good stuff.

Well, I wasn’t done. Google a long time ago enabled access and the ability to integrate iCal with CalDav. I wrote before on this blog that it wasn’t ready.

But it seems Google may have fixed some issues.

http://www.google.com/support/calendar/bin/answer.py?hl=en&answer=99358#ical

Enabled me to set up Google Calendar, to which I needed to test it. So I set up an invite for several of my coworkers for a meeting, and lo and behold, when I added the invites, it presented me with a question “Check availability”. Since my coworkers and I all use Google Calendar, I was able to view the availability of my co-workers right in iCal, make an appointment when they were all free, and guess what? When I clicked Send? It didn’t send an iCal .ics invite from my Mail.app, GOOGLE sent a Google calendar invite from the server. From the SERVER. Of course, when people responded “yes” iCal updated, my phone updated, Google Calendar updated, all instantly.

The only (and I do mean ONLY) hiccup I noticed in this whole thing is, when I am typing names for invitations in the meetings, the names don’t automatically fill in from my address book. Neither locally, or on Google Contacts. Leaving me to type the entire email address out. However, I noticed an interesting side effect. I CAN type a group name (Local address book Group Name). That will populate everyone.

So, I still have my Contacts being pushed down to me via MobileMe, because I don’t like how Google Contacts auto adds people you correspond with into your address book, well, I don’t mind that, but it pushes these “new” people down to my phone and my address book on my computer, leaving me to then have to clean them all up. And that’s just annoying.

Hope you enjoy. I’ll try and post back in a couple days to let you know how everything is working with my new set up and with iPhone 3.0 in general.

Overall though, so far, iPhone 3.0 seems speedier, and can’t wait for MMS.

Quicktime Vulnerability found by our VRT

Sat, 06 Jun 2009 14:18:10 PDT

I just wanted to throw up a quick blog post congratulating Lurene Grenier of the Sourcefire’s Vulnerability Research Team. Last week an update for Apple’s Quicktime (and iTunes) came out, and in it, lo and behold was an update for CVE-2009-0956, a vulnerability in Quicktime’s handling of movie files. So, I just wanted to congratulate her on the nice 0-day find. Good job.

Lurene can also be found on Twitter.

Working with Gmail Filters

Wed, 03 Jun 2009 18:46:00 PDT

Bottom line up front: Ways of using Gmail filters that you may not have thought of.

When my company went from using an IMAP server (which I used to filter using procmail rules) to using Google’s Gmail Cloud architecture for our email, I was excited. I’d been using my Google Gmail account for years, and up until that point, had always done so through IMAP.

After I moved my incredible amount of email up to Google’s servers, I found out that IMAP (Mail.app, Thunderbird, Mutt, etc) wasn’t cutting it very well and I would need to do something different.

Over the past couple of months I’ve been playing with just about every Mac-based email client there is (even Postbox, which seems to be everyone’s biggest “thing” right now), and I keep coming back to the same thing.

Google’s Web browsing Gmail experience. Of course, with the keyboard shortcuts.

I started off just dumping every email into my Inbox and labeling things manually (well, except for listservers). Occasionally using the “Filter Messages like this” button in Gmail.

Well, after using that method for awhile, I got to the point where my Gmail filters were gigantic. I had pages of filters. Sometimes 10-20 for the same label. So I decided I had to do something. I started playing with my filters in much the same way that I used to configure my Procmail rules.

Now, let me start off by saying that Gmail’s filters are not as powerful as Procmail rules and only support some simple regular expressions. For instance, I can’t write a rule in Procmail to handle complex email addresses like “handlers-1234567@address.here.com” Where the 7-digit number is a random ticket number. In procmail I used to be able to do things like “handlers\-\d{7}@address.here.com”, so I tried some experimenting to see what I could come up with, that works.

Well I found out that Parenthetical “Or” statements work fine. For example I have a rule that filters email some of the Snort lists I belong to that looks like this:

(list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net"|"chisug.lists.snort.org"|"snort-devel.lists.sourceforge.net"|"snort-inline-users.lists.sourceforge.net"))

So, the filter string is to look at the “list” headers of the email and sort on “snort-users.lists.sourceforge.net” OR “snort-sigs.lists.sourceforge.net”. You get the point. Putting parenthesis around the group and saying “|” (pipe, or) in between each one. Allowed to me to take five list sorting lines and reduce it to one.

What I found out is, you can do this with anything, not just “list”, you can do it on From, To. etc. So I went crazy with consolidation. Heck I have one filter that filters, what I call, “bulk” email. Marketing stuff from companies, websites that I’ve signed up with, advertisements, twitter notices, facebook notices, etc. Skips the inbox, and labels it as “bulk”. Do I want to read it? I might need to look through some of it, but I don’t need it in my inbox. (By the way, this filter has about 75 “or” statements in it, it’s 10 lines long)

As I mentioned before, you can do this with a lot of things. I have a filter that deletes email from certain people. Email comes in with that “From” address? Do not pass Go, do not collect 200 dollars. Go straight to the Delete.

I can’t stop these people from sending me email, but I can certainly delete it automatically.

You can even do complex nested parenthetical groups. For example, my ISC handler email addresses can start with “handler” or “handlers”@domain.sans.org you can even write to isc@domain.sans.org (not the real email address, I’m doing to that eliminate spam, to contact us, go to our website at http://isc.sans.org)

So I have a rule that says:

to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))

What I have found is, by doing these groupings, it makes my filters and labels easier to sort and use.

All the email I possibly can, I filter using these methods, tag it with a label and “Skip Inbox”.

Found out I read email much less often now, and when I do it’s sorted much more accurately and efficiently.

Give it a shot.

Sourcefire on Twitter

Sun, 31 May 2009 14:29:02 PDT

Bottom line up front: A list of Sourcefire employees on Twitter.

Since Twitter is the latest bandwagon for the tech industry (as well as everyone else, including CNN) to jump on, not saying we have a bunch of bandwagon followers (I’m certainly one), but at Sourcefire, we have several people who have joined Twitter and post often. (And even more who don’t post very much at all.) So I thought I’d compile a quick list.

These people are all humans, not bots, and they have their own opinions, their opinions may or may not represent Sourcefire as a whole, but they are entitled to their opinions just like you all are. I’d recommend if you need to contact someone from Sourcefire, Twitter is not how you do it. Either through Support (if you are a customer) or via email. I have no idea when anybody checks their Twitter account, if, at all.

I thought I’d throw this together because recently our Marketing department did an email blast out to a bunch of people, recommending they follow several of us on Twitter. However, there were only three people listed. I thought it was cool for Marketing to hand me an extra 60 or so followers, but I thought I would help out everyone else that would like some followers on Twitter too.

Follow at your own risk, there are the people’s own accounts, not work related accounts.

http://twitter.com/mroesch -- Marty Roesch, Creator of Snort and Sourcefire Chief Technical Officer.
http://twitter.com/VRT_Sourcefire -- The Sourcefire Vulnerability Research Team.
http://twitter.com/btpollard -- Sourcefire’s Vice President of IT, also a musician in his spare time, also runs 140-seconds.com
http://twitter.com/kmx2600 -- Matt Wachinski Senior Director of the Vulnerability Research Team
http://twitter.com/pusscat -- Lurene Grenier, Team Lead in the VRT, also author of God-knows-what in Metasploit.
http://twitter.com/awilliams -- Andrew Williams, Team Lead in Product Development
http://twitter.com/leonward -- Leon Ward, Security Engineer over in the UK.
http://twitter.com/vrybdpkt -- Jason Brvenik, Senior Director of Security Engineering
http://twitter.com/ericlhoward -- Eric Howard, Security Engineer in the USA.
http://twitter.com/enhancedx -- JJ Cummings, also the Author of PulledPork, Professional Services (like me)
http://twitter.com/cjacob -- Director of Security Engineering, Eastern Division
http://twitter.com/jnaylor01 -- IT Support Engineer, got me a new MacBook Pro to replace my powerbook. So awesome.
http://twitter.com/tryke -- Ryan Jordan, one of our Software Engineers on Snort
http://twitter.com/dbruzek -- Dina Bruzek, Senior Director of Product Development
http://twitter.com/kpyke -- Matt Olney, one of our Sourcefire VRT Members and great photographer.
http://twitter.com/jamesjtucker -- James Tucker, one of our Security Engineers in Sweden.
http://twitter.com/tedbedwell -- Ted Bedwell, Manager in Product Development
http://twitter.com/kschar -- Ken Schar, Security Engineer in Arizona
http://twitter.com/torontomiller -- Marti Toronto Miller -- One of the (many) awesome people in HR.
http://twitter.com/jjtucker -- Jenn Tucker (I think) -- One of our Engineering Administrators.
http://twitter.com/pieterclaassen -- Pieter Claassen, one of our Security Engineer in like, Norway, or something.
http://twitter.com/evilcazz -- Brian Caswell -- One of our VRT Engineers, as well as one of the Shmoo.
http://twitter.com/allenmale -- International Sales person, Allen Male. Man of Mystery.
http://twitter.com/CelticRaven -- Jason Keller -- One of our Professional Services guys.
http://twitter.com/chriskelley -- Manager of Recruiting -- Chris Kelley. If you want to work for us, this is the guy to suck up to.
http://twitter.com/linuxgeek247 -- I am pretty sure this is Christopher McBee. He’s in IT, he also plays Xbox with the group, therefore, cool.
http://twitter.com/mguiterman -- Mike Guiterman, Marketing guy in charge of Snort.
http://twitter.com/alanptak -- Alan Ptak, Another Professional Services guy.
http://twitter.com/mbrannig -- Matt Brannigan, Principle Engineer in Product Development
http://twitter.com/joelesler -- Me.

Well, that’s pretty much all I can find right now on my list. I know there are more, and to those people I missed, I apologize. I’ll add you if you want.