<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-9213359084597057319</atom:id><lastBuildDate>Sun, 22 Nov 2009 20:43:22 +0000</lastBuildDate><title>Special Ops Security</title><description></description><link>http://blog.specialopssecurity.com/</link><managingEditor>noreply@blogger.com (Steven Andrés)</managingEditor><generator>Blogger</generator><openSearch:totalResults>27</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-4971112958413054564</guid><pubDate>Mon, 14 Jan 2008 22:10:00 +0000</pubDate><atom:updated>2008-01-14T14:15:48.548-08:00</atom:updated><title>Military Channel: Top Sniper Debut</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_ZHJ7VBX4kA0/R4ve7prZq4I/AAAAAAAAADE/-_BEZHyaBqw/s1600-h/sniper-175.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/R4ve7prZq4I/AAAAAAAAADE/-_BEZHyaBqw/s200/sniper-175.jpg" alt="" id="BLOGGER_PHOTO_ID_5155459314837203842" border="0" /&gt;&lt;/a&gt;May be of some entertainment interest to our gov/mil subscribers: A friend of mine, Eric Katzenberg, produced and directed a documentary on an international sniper competition held at &lt;a href="https://www.infantry.army.mil/infantry/"&gt;Fort Benning&lt;/a&gt;. 
The &lt;span class="q"&gt;show, &lt;a href="http://military.discovery.com/tv/sniper/about/about.html"&gt;Top Sniper&lt;/a&gt;, premieres tonight at 7 pm (with an encore at 9pm) on the &lt;a href="http://military.discovery.com/tv-schedules/daily.html"&gt;Military&lt;/a&gt;&lt;/span&gt;&lt;a href="http://military.discovery.com/tv-schedules/daily.html"&gt; Channel&lt;/a&gt;. Sniper teams from all over the world are competing so it should be a really entertaining hour of television. If any blog readers do watch, please let us know what you thought about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-4971112958413054564?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2008/01/military-channel-top-sniper-debut.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ZHJ7VBX4kA0/R4ve7prZq4I/AAAAAAAAADE/-_BEZHyaBqw/s72-c/sniper-175.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-5547367563647615821</guid><pubDate>Wed, 09 Jan 2008 08:01:00 +0000</pubDate><atom:updated>2008-01-08T20:07:47.069-08:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>comcast</category><category domain='http://www.blogger.com/atom/ns#'>FCC</category><title>Use Comcast? 
Collect $200 (thousand)</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_ZHJ7VBX4kA0/R4RIKprZq2I/AAAAAAAAAC0/LfVYuN-EB0w/s1600-h/comcast1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/R4RIKprZq2I/AAAAAAAAAC0/LfVYuN-EB0w/s200/comcast1.jpg" alt="" id="BLOGGER_PHOTO_ID_5153323221442472802" border="0" /&gt;&lt;/a&gt;Do not pass GO, do not collect $200. Collect $195,000 instead! The FCC Chairman &lt;a href="http://apnews.myway.com/article/20080108/D8U1VE481.html"&gt;announced today&lt;/a&gt; that they will investigate claims that Comcast &lt;a href="http://blog.specialopssecurity.com/2007/11/comcast-class-action.html"&gt;actively interferes&lt;/a&gt; with the Internet traffic of their subscribers. A "coalition of consumer groups and legal scholars" -- whatever &lt;span style="font-style: italic;"&gt;that&lt;/span&gt; happens to be -- is recommending a fine of $195,000 for every affected subscriber. Not a bad rate of return for a $50/month cable modem, right?&lt;br /&gt;&lt;br /&gt;Comcast's David L. Cohen (&lt;a href="http://swz.salary.com/execcomp/layouthtmls/excl_execreport_103069.html"&gt;who pulls in just under $2 mill a year before stock options&lt;/a&gt;) contends that it does not block file sharing but rather just "delays" some of the traffic between computers that share files. From the Associated Press article &lt;a href="http://www.msnbc.msn.com/id/21376597"&gt;back in October&lt;/a&gt;, it appeared that unsolicited RST packets were being spoofed from both ends of the conversation. 
Correct me if I'm wrong, but beaming RST packets back and forth doesn't constitute a "delay" of traffic -- it's a reset!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-5547367563647615821?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2008/01/use-comcast-collect-200-thousand.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/R4RIKprZq2I/AAAAAAAAAC0/LfVYuN-EB0w/s72-c/comcast1.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-4688895100580078214</guid><pubDate>Sat, 29 Dec 2007 20:31:00 +0000</pubDate><atom:updated>2007-12-29T09:53:53.416-08:00</atom:updated><title>R.I.P. Netscape Browser</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_ZHJ7VBX4kA0/R3YISprZq0I/AAAAAAAAACk/gd5CngfdhCI/s1600-h/about_logo.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_ZHJ7VBX4kA0/R3YISprZq0I/AAAAAAAAACk/gd5CngfdhCI/s200/about_logo.png" alt="" id="BLOGGER_PHOTO_ID_5149312340463299394" border="0" /&gt;&lt;/a&gt;For most of us, the Netscape web browser was the first* web browser we ever used. It was the grandaddy of them all, making its debut in October 1994 to a pristine Internet free of pop-up ads, banner ads, and drive-by XSS attacks.&lt;br /&gt;&lt;br /&gt;Sadly, the day has come for us to raise our mice in the air and bow our heads in silent appreciation for a friend that has passed away. 
&lt;a href="http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers/"&gt;AOL announced today&lt;/a&gt; that all development for Netscape will cease come February 1st, 2008.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_ZHJ7VBX4kA0/R3YIY5rZq1I/AAAAAAAAACs/NrFhuUkGIDM/s1600-h/th-ncsa-current.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/R3YIY5rZq1I/AAAAAAAAACs/NrFhuUkGIDM/s200/th-ncsa-current.gif" alt="" id="BLOGGER_PHOTO_ID_5149312447837481810" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic;"&gt;* To be fair, NCSA Mosaic was the first browser I ever used, but it wasn't a particularly good experience.&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic;"&gt; Once I got my hands on Netscape, it was the difference between DOS 4.2 command lines and Windows 3.1!&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-4688895100580078214?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/12/rip-netscape-browser.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ZHJ7VBX4kA0/R3YISprZq0I/AAAAAAAAACk/gd5CngfdhCI/s72-c/about_logo.png' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-4545739001563149252</guid><pubDate>Thu, 13 Dec 2007 04:22:00 +0000</pubDate><atom:updated>2008-01-08T20:37:41.859-08:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>wi-fi</category><category 
domain='http://www.blogger.com/atom/ns#'>in-flight</category><category domain='http://www.blogger.com/atom/ns#'>aerospace</category><title>Twitter at 36,000 feet</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_GxO6RWb0WPU/R4RPeuwtMUI/AAAAAAAAAA8/8U1RmYpbsfo/s1600-h/Image1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_GxO6RWb0WPU/R4RPeuwtMUI/AAAAAAAAAA8/8U1RmYpbsfo/s200/Image1.jpg" alt="" id="BLOGGER_PHOTO_ID_5153331262985679170" border="0" /&gt;&lt;/a&gt;Am I the only one that &lt;a href="http://www.techcrunch.com/2007/12/07/how-do-you-build-an-airline-offer-free-wi-fi/"&gt;doesn't want WiFi on my coast-to-coast flight&lt;/a&gt;? Isn't it enough that our co-workers, clients, and family can reach us via Blackberry at any time of the day or night? The sweet sanctuary of the airplane (even with its crying babies) was the only place I could be disconnected and not feel guilty about dropping off the grid.&lt;br /&gt;&lt;br /&gt;Virgin America also provides an electrical outlet and Ethernet ports at every seat, so it definitely sounds like you're seatbelting yourself to your cubicle in the sky. 
Let's just hope Richard Branson springs for something better than a Linksys duct-taped to the drink cart.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-4545739001563149252?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/12/twitter-at-36000-feet.html</link><author>noreply@blogger.com (Jason Ritner)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_GxO6RWb0WPU/R4RPeuwtMUI/AAAAAAAAAA8/8U1RmYpbsfo/s72-c/Image1.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-8237096829002814679</guid><pubDate>Fri, 16 Nov 2007 20:36:00 +0000</pubDate><atom:updated>2007-11-16T12:45:45.005-08:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>net neutrality</category><title>Class Action for Internet Interference</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_GxO6RWb0WPU/Rz3_vsffvgI/AAAAAAAAAA0/20xgOu-i5uo/s1600-h/gavel.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_GxO6RWb0WPU/Rz3_vsffvgI/AAAAAAAAAA0/20xgOu-i5uo/s200/gavel.jpg" alt="" id="BLOGGER_PHOTO_ID_5133540345134431746" border="0" /&gt;&lt;/a&gt;A San Francisco-based Comcast subscriber has &lt;a href="http://apnews.myway.com/article/20071115/D8SU2DI00.html"&gt;filed a lawsuit&lt;/a&gt; and is seeking class-action status against his Internet Service Provider for actively interfering with his ability to access the Internet. 
&lt;a href="http://blog.specialopssecurity.com/2007/10/net-neutrality-gets-kicked-in-butt-and.html"&gt;We all saw this coming&lt;/a&gt;, but I don't see how this can end well for Comcast.&lt;br /&gt;&lt;br /&gt;Whenever I try to explain net neutrality issues to a non-techie, I always use the analogy of the phone company. If you pay the phone company $50/month to connect you to the internet-work of telephones, you expect that you can call any telephone number and speak about any topic, right? They usually nod their head. Okay, now how about if you wanted to call someone else and talk about illegal activities, such as selling copies of copyrighted work--would the phone company allow that call to take place? Most certainly they would--they are a telephony service provider as much as Comcast is an Internet service provider. The whole purpose of the utility (be it telephone, electric, or Internet) is reliable connection to said service. Once the utility company (service provider) begins filtering what you can and cannot do with the service, it becomes quite a different issue.&lt;br /&gt;&lt;br /&gt;What do you readers think of the phone company analogy? 
Why is it incorrect or is it right on the money?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-8237096829002814679?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/11/comcast-class-action.html</link><author>noreply@blogger.com (Jason Ritner)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_GxO6RWb0WPU/Rz3_vsffvgI/AAAAAAAAAA0/20xgOu-i5uo/s72-c/gavel.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-9216885496659141393</guid><pubDate>Tue, 23 Oct 2007 18:03:00 +0000</pubDate><atom:updated>2007-10-23T13:05:41.457-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>poker security</category><category domain='http://www.blogger.com/atom/ns#'>security management</category><category domain='http://www.blogger.com/atom/ns#'>poker cheats</category><category domain='http://www.blogger.com/atom/ns#'>online poker</category><category domain='http://www.blogger.com/atom/ns#'>absolute poker</category><title>Poker World Surprised By Hack (Security World Slaps Forehead)</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_D-jtTWsQ-xY/Rx5Tl26c8vI/AAAAAAAAAAU/icjwrJ2TSII/s1600-h/01.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_D-jtTWsQ-xY/Rx5Tl26c8vI/AAAAAAAAAAU/icjwrJ2TSII/s320/01.jpg" alt="" id="BLOGGER_PHOTO_ID_5124625335855149810" border="0" /&gt;&lt;/a&gt;Yesterday morning &lt;a href="http://www.absolutepoker.com/"&gt;Absolute Poker&lt;/a&gt;, an online poker room, released a statement that a 'trusted consultant' had compromised the system and was unfairly playing poker on the site.  
Essentially, the '&lt;span style="font-style: italic;"&gt;glitch&lt;/span&gt;' allowed this person--who has been linked to others within the Absolute Poker organization (can you say, conspiracy?)--to view the hole cards of other players (this means he was the only one who could see all the cards in the hand).  The poker community has been blogging and sharing opinions on this issue for weeks, with plenty of uproar.&lt;br /&gt;&lt;br /&gt;The only comment I have to these people is,  "DUH"! C'mon, how can you take online gambling seriously? Obviously there has been quite a bit of attention to the fact that it is still illegal in the U.S., so the companies involved aren't the most upstanding and scrupulous.  They are constantly dodging criminal prosecution and money laundering charges.  So &lt;span style="font-style: italic;"&gt;these&lt;/span&gt; are the people you think are hosting an honest game? &lt;br /&gt;&lt;br /&gt;I am nearly convinced that &lt;a href="http://www.blackberrybrickbreaker.com/index.php/Main_Page"&gt;BrickBreaker&lt;/a&gt; on my Blackberry cheats when I get too far in the game, so I think it's only natural that humans would try and manipulate the system to make more money (obviously I was correct).&lt;br /&gt;&lt;br /&gt;I have plenty of friends that have almost made a living out of playing online; however, when I think of online gambling I am reminded of the scene in &lt;a href="http://www.imdb.com/title/tt0120434/"&gt;Vegas Vacation &lt;/a&gt;where Clark Griswold goes to the Native American Casino and plays pick a number with the dealer.  In my mind this is almost the same thing.  How can one honestly believe that the Blackjack application is completely random?  You cannot.  
At least in a real casino there are safe-guards and visual indications that the house only has a statistical advantage, not a technological one.&lt;br /&gt;&lt;br /&gt;My only advice to the online poker players that are up in arms about this incident is to get a new hobby or drive your butt into a legal card room.  While technology has made it easier to play cards online, it certainly hasn't made it more ethical.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-9216885496659141393?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/10/poker-world-surprised-by-hack-security.html</link><author>noreply@blogger.com (BMK)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_D-jtTWsQ-xY/Rx5Tl26c8vI/AAAAAAAAAAU/icjwrJ2TSII/s72-c/01.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-2738398302229966289</guid><pubDate>Mon, 22 Oct 2007 19:58:00 +0000</pubDate><atom:updated>2007-10-22T14:50:51.799-07:00</atom:updated><title>Net Neutrality Gets Kicked In The Butt (and some other places too)</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_nE0UG3LvFMw/Rx0XQGSmsvI/AAAAAAAAAAM/SDt0aVvEDpE/s1600-h/comcastic.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_nE0UG3LvFMw/Rx0XQGSmsvI/AAAAAAAAAAM/SDt0aVvEDpE/s320/comcastic.jpg" alt="" id="BLOGGER_PHOTO_ID_5124277516351484658" border="0" /&gt;&lt;/a&gt;Just a few weeks ago I &lt;a href="http://blog.specialopssecurity.com/2007/09/net-neutrality.html#comment-3378500670721549199"&gt;posted on this very same blog&lt;/a&gt; that I would gladly pay for premium services from my 
broadband ISP if that meant that there would be no degradation of the basic service level.  Now, I don't have false illusions that I am a big industry mover and shaker, but really, did &lt;a href="http://www.comcast.com"&gt;Comcast&lt;/a&gt; ISP have to go and do the exact opposite?  According to an &lt;a href="http://www.msnbc.msn.com/id/21376597"&gt;Oct 19th story&lt;/a&gt; by the Associated Press, Comcast--the 2nd largest ISP in the nation--is blocking traffic to file-sharing and peer-to-peer networks.&lt;br /&gt;&lt;br /&gt;The article claims that 50-90% of Internet traffic is &lt;a href="http://en.wikipedia.org/wiki/Peer-to-peer"&gt;peer-to-peer applications&lt;/a&gt;. To me that sounds about 50-90% &lt;a href="http://en.wikipedia.org/wiki/Bullshit"&gt;full of crap&lt;/a&gt;.  While I do agree that ISPs have the right to &lt;a href="http://en.wikipedia.org/wiki/Traffic_shaping"&gt;shape their traffic&lt;/a&gt;, I find it hard to believe that access can be denied.  Even worse, Comcast seems to be devious in their methods of blocking access, essentially resetting connections for file uploading.  Shady tactics indeed! &lt;br /&gt;&lt;br /&gt;Of course I'm sure they claim they are winning one for copyrighted material, however I use &lt;a href="http://www.bittorrent.com/"&gt;BitTorrent&lt;/a&gt; to download legal content.  No seriously -- I do.  In fact, I am downloading a live recording of Dave Matthews on my Time Warner connection right now.  While I am probably in the minority of BitTorrent users it still doesn't change the fact that I want my live copies of Dave Matthews, or John Mayer, or OAR (I could go on for ages).  &lt;br /&gt;&lt;br /&gt;In all reality most Comcast subscribers won't be affected by this new policy, nor will they notice a difference (even with that 50-90% utilization freed up), but it sure would be interesting to see how many jump ship to DSL.  
It will be even more interesting when Comcast stops blocking everyone's access to the Special Ops Security blog, because the views expressed are not acceptable (even though they are legal and not copyrighted).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-2738398302229966289?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/10/net-neutrality-gets-kicked-in-butt-and.html</link><author>noreply@blogger.com (BMK)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_nE0UG3LvFMw/Rx0XQGSmsvI/AAAAAAAAAAM/SDt0aVvEDpE/s72-c/comcastic.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-4132166351895766414</guid><pubDate>Mon, 22 Oct 2007 18:05:00 +0000</pubDate><atom:updated>2007-10-22T17:35:56.331-07:00</atom:updated><title>World Series Servers Overwhelmed</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_ZHJ7VBX4kA0/Rx1B4Hk7udI/AAAAAAAAACc/J6xpsWQAdUg/s1600-h/1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_ZHJ7VBX4kA0/Rx1B4Hk7udI/AAAAAAAAACc/J6xpsWQAdUg/s200/1.jpg" alt="" id="BLOGGER_PHOTO_ID_5124324383379929554" border="0" /&gt;&lt;/a&gt;From the "who &lt;span style="font-style: italic;"&gt;couldn't&lt;/span&gt; see this one coming" department...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://sports.espn.go.com/mlb/playoffs2007/news/story?id=3074302"&gt;Ticket demand crashes Rockies' computers&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.paciolan.com/public_clients.htm"&gt;Paciolan&lt;/a&gt;--acquired by &lt;a 
href="http://www.paciolan.com/community/news/tm/TM_Press_Release.pdf"&gt;Ticketmaster&lt;/a&gt; this summer and located just minutes from Special Ops Security HQ in Irvine, California--provides venue ticketing services to the &lt;a href="http://colorado.rockies.mlb.com/"&gt;Colorado Rockies&lt;/a&gt; professional baseball team. A little more than an hour after online ticket sales started this morning, the crushing load of 8.5 million requests crashed the entire North American ticketing system (affecting all of Paciolan's customers). This, just days after they assured uneasy fans that because MLB.com hosts their website, they would be able to handle the demand. What they failed to mention is that MLB.com only hosts the links to evenue.net (Paciolan).&lt;br /&gt;&lt;br /&gt;For the first time in the Colorado Rockies baseball team history, they make it to the World Series... and the network engineers didn't believe that there would be overwhelming demand??&lt;br /&gt;&lt;br /&gt;Furthermore, the system wasn't properly isolated such that a failure for one customer (the Rockies) would be isolated from other customers. Again we see that you don't always need fancy SQL injection skills to bring a system to its knees... 
sometimes you just need to open up your web browser (with a few million of your friends).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-4132166351895766414?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/10/world-series-servers-overwhelmed.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ZHJ7VBX4kA0/Rx1B4Hk7udI/AAAAAAAAACc/J6xpsWQAdUg/s72-c/1.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-4906971596442572466</guid><pubDate>Thu, 20 Sep 2007 16:38:00 +0000</pubDate><atom:updated>2007-09-20T09:59:26.917-07:00</atom:updated><title>Who Needs Hackers?</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_ZHJ7VBX4kA0/RvKi_JzltsI/AAAAAAAAACU/3mZjfhVJpvc/s1600-h/12threat.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/RvKi_JzltsI/AAAAAAAAACU/3mZjfhVJpvc/s200/12threat.jpg" alt="" id="BLOGGER_PHOTO_ID_5112327732866692802" border="0" /&gt;&lt;/a&gt;Last week's &lt;span style="font-style: italic;"&gt;New York Times&lt;/span&gt; had an interesting article (&lt;a href="http://www.nytimes.com/2007/09/12/technology/techspecial/12threat.html?_r=2&amp;amp;adxnnl=1&amp;amp;adxnnlx=1190305578-oFYSfzEVv2OZRikpHgjZeA&amp;amp;pagewanted=all"&gt;Who Needs Hackers?&lt;/a&gt;) on the differences between a network architecture failure and the more sensationalized "Hollywood" hacker attacks.&lt;br /&gt;&lt;p style="font-style: italic; background-color: rgb(240, 240, 240);"&gt;"We don’t need hackers to break the systems because they’re falling apart 
by themselves," said Peter G. Neumann . . . Steven M. Bellovin, a professor of computer science at Columbia University, said: "Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways."&lt;/p&gt;What sounds more interesting to you: hold a briefing that says "nasty hackers infiltrated the airline's reservation system and wreaked havoc" or the "DMZ was improperly isolated at layer 2 and rapid MAC address flooding from a bargain NIC caused the switches to fail?" In the former, the organization can blame the "evil-doers"; in the latter, the problem is a lack of proper planning.&lt;br /&gt;&lt;br /&gt;You may find it odd that as an information security company that performs penetration testing, we're pointing out an article that says "hey, hackers might not be your #1 issue." Yes, you may find it odd, until you realize that we offer--and have offered, since day one--network infrastructure design and audit services. Ah yes, I can hear the cash register "ding" from across the office.&lt;br /&gt;&lt;br /&gt;Friends (and potential customers), the truth is that without a solid review of your foundation, a penetration test alone will not provide you with the most accurate view of your organization's security posture. 
Let us pore through your massive stack of Visio diagrams and router ACL's and we'll provide effective and thoughtful optimization recommendations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-4906971596442572466?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/09/infrastructure.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/RvKi_JzltsI/AAAAAAAAACU/3mZjfhVJpvc/s72-c/12threat.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-369767932749136696</guid><pubDate>Fri, 07 Sep 2007 15:13:00 +0000</pubDate><atom:updated>2007-09-07T11:32:05.307-07:00</atom:updated><title>CISSP, GSEC, or a little hands on</title><description>&lt;a style="font-family: arial;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.newenglandpatriots.com/"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: right; cursor: pointer;" src="http://bp3.blogger.com/_sO4pYOazaxM/RuGSfO2EwnI/AAAAAAAAAAk/wxpDZHdh8rQ/s200/scoreboard_2.jpg" alt="" id="BLOGGER_PHOTO_ID_5107524517673353842" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;There is nothing like feeling like you are late to the game (4th quarter, up by &lt;/span&gt;&lt;span style="font-family:arial;"&gt;20&lt;/span&gt;&lt;span style="font-family:arial;"&gt; -- &lt;/span&gt;&lt;span style="font-family:arial;"&gt;p&lt;/span&gt;&lt;span style="font-family:arial;"&gt;ut in Shaw), but I had to chime in on the recent &lt;/span&gt;&lt;a style="font-family: arial;" href="http://andyitguy.blogspot.com/2007/09/being-cissp.html"&gt;blog cage fight&lt;/a&gt;&lt;span style="font-family:arial;"&gt; 
between CISSP'ers and GSEC'ers.  Having the painful distinction of passing the CIS&lt;/span&gt;&lt;span style="font-family:arial;"&gt;SP on two occasions (more on that later) and being the fourth person to complete the GSEC (#13, but they started counting at 10), I have a little history on which to build my soap box.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The differences between the two certifications and the impacts they can, and likely will, have on a security professional's career are significant:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: arial;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.giac.org/certifications/security/gsec.php"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_sO4pYOazaxM/RuGQoO2EwlI/AAAAAAAAAAU/hdw_c3aMLvY/s200/gsec.gif" alt="" id="BLOGGER_PHOTO_ID_5107522473268920914" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;When I was doing IT contract work for the Navy in Charleston, I stumbled upon a relatively new organization: SANS.   At the time, I had little functional knowledge of security and their GSEC track seemed like a great introduction to "usable" information security.   The sub-sections included OS Security (Unix/Windows), encryption, and the use of specific tools (l0phtcrack).   The lessons were at times rough around the edges, but I felt like my interests were piqued, which was what I needed to make a career change.  I am embarrassed to reread my paper, but it is a good reminder of where I was in IT.  When my GSEC finally expired, I didn't realize it, nor did I worry about it.   The GSEC to me is more of a point in time achievement.  It was a tool that helped me learn and explore the field.  I approached the GCIH in much the same way.  
&lt;/span&gt;&lt;b style="font-family: arial; color: rgb(255, 0, 0);"&gt;FINAL THOUGHT: If you are interested in information security, getting started in the field, or have a job related need to interface with infosec staff, the GSEC is a well-rounded certification that touches on numerous practical elements of information security.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: arial;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://www.isc2.org/cgi-bin/content.cgi?category=538"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 68px; height: 81px;" src="http://bp2.blogger.com/_sO4pYOazaxM/RuGQ6-2EwmI/AAAAAAAAAAc/y0obYprZO2o/s200/cissp-logo.gif" alt="" id="BLOGGER_PHOTO_ID_5107522795391468130" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;Fast forward 2+ years and I am now pulling shifts for a managed security provider.   I decided that while being hands on was something I enjoyed, my interest in management was equally as strong.   It was at this time that I decided to pursue the CISSP.   I knew that there would be very little that I would learn that would be applicable to my current job, but also knew that most hiring managers valued the certification.   I decided to skip the boot camps and simply use a study guide.  I opted for Shon Harris' &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.amazon.com/gp/product/0072257121/ref=pd_cp_d_0/103-0190046-7609418?pf_rd_m=ATVPDKIKX0DER&amp;pf_rd_s=center-41&amp;amp;pf_rd_r=03MYG2SE4PR5KSTVRX62&amp;pf_rd_t=201&amp;amp;amp;amp;amp;amp;pf_rd_p=252362301&amp;pf_rd_i=B0000WUQRA"&gt;CISSP All-in-One Exam Guide&lt;/a&gt;&lt;span style="font-family:arial;"&gt;.  A month later, I was certified.   I won't go into the specifics of the test, as that is an entirely different discussion.   What surprised me the most, was the difficulty I had (and continue to have) in obtaining the required number of CPE credits.  
The perfect storm of time with the family, time in the office, and a severely limited training budget resulted in an insurmountable deficit of credits.   I realize that there are many ways in which to earn CPEs, but none of them seemed to fit my life's mold.  After three years, I ultimately found it easier to retake the exam.  I wouldn't wish that upon anyone, so I committed myself to keeping up with the required CPEs this time around.  Well, I am happy to say that after the first year of my new three year cycle, I have &lt;/span&gt;&lt;b style="font-family: arial; color: rgb(255, 0, 0);"&gt;zero&lt;/b&gt;&lt;span style="font-family:arial;"&gt; credits.  Something has to change and I doubt it will be our company's training budget or the amount of free time I have.   Any suggestions? &lt;/span&gt;&lt;b style="font-family: arial; color: rgb(255, 0, 0);"&gt;FINAL THOUGHT: The CISSP is virtually a must-have for information security managers and above.  The certification won't help you implement technical controls to improve your environment's security, but it will likely extend the boundaries of your security thinking.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;So what does an infosec professional do to actually learn ways to improve the security of their infrastructure?  I recommend vendor specific training, LOTS of reading (books, blogs, documentation), and late nights in the office or home lab.  
&lt;/span&gt;&lt;b style="font-weight: bold; color: rgb(255, 0, 0); font-family: arial;"&gt;A couple thousand dollars spent on hardware, software, and/or books can do what no certification will -- give you the skills to excel in your field.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(51, 51, 255);font-family:arial;" &gt;Side Note:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I have talked with many colleagues who are insulted when asked if they have, or would obtain, the CISSP.  The feeling is that it is not a worthwhile reflection of their technical abilities.  My question to anyone who feels this way is: does any one element of your resume reflect all of your abilities?  Your college degree(s)?  Your clearance? The answer is obviously, no. So why not enhance your marketability?&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-369767932749136696?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/09/cissp-gsec-or-little-hands-on.html</link><author>noreply@blogger.com (SHA-1)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_sO4pYOazaxM/RuGSfO2EwnI/AAAAAAAAAAk/wxpDZHdh8rQ/s72-c/scoreboard_2.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-187936341155703546</guid><pubDate>Fri, 07 Sep 2007 05:06:00 +0000</pubDate><atom:updated>2007-09-07T22:01:07.404-07:00</atom:updated><title>Net Neutrality Stuck In Reverse Gear</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlmYftkbI/AAAAAAAAACM/vV2Eoane2Bk/s1600-h/nn_270x179.jpg"&gt;&lt;img style="margin: 0pt 10px 
10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlmYftkbI/AAAAAAAAACM/vV2Eoane2Bk/s200/nn_270x179.jpg" alt="" id="BLOGGER_PHOTO_ID_5107334425011392946" border="0" /&gt;&lt;/a&gt;Today the U.S. Dept of Justice released a &lt;a href="http://www.usdoj.gov/opa/pr/2007/September/07_at_682.html"&gt;statement&lt;/a&gt; that states ISPs should be allowed to charge a fee for "priority" web traffic (see &lt;a href="http://apnews.myway.com/article/20070906/D8RG2J9O0.html"&gt;Associated Press&lt;/a&gt; story).&lt;br /&gt;&lt;br /&gt;So as not to spin off tangentially into an argument about why DoJ issued a statement that has more to do with telco lobbying than about justice, I'd like to just limit comments and discussions to the pro/con of Net Neutrality. To me, a die-hard network infrastructure junkie, I can see grains of truth in both sides of the argument.&lt;br /&gt;&lt;br /&gt;My heart tells me to support Neutrality--the Internet is based on the egalitarian concept of everyone (no matter how wealthy) having equal access to information. My brain tells me that certainly we should be prioritizing some traffic (VoIP) and slowing down other traffic (SPAM). This brings me to another part of my anatomy: my gut. 
Unfortunately, my gut is telling me that although my brain has a good point, the way this will be corrupted by evil telcos is that a new batch of fat-bandwidth DoubleClick.net video adverts ("business" premiere customer) will be prioritized and my email to grandma will be delayed (since I'm only a lowly "residential" customer).&lt;br /&gt;&lt;br /&gt;Anyone else having these conversations with parts of their body?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-187936341155703546?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/09/net-neutrality.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlmYftkbI/AAAAAAAAACM/vV2Eoane2Bk/s72-c/nn_270x179.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-3902827677875106455</guid><pubDate>Wed, 05 Sep 2007 22:15:00 +0000</pubDate><atom:updated>2007-09-06T22:44:48.461-07:00</atom:updated><title>5 Million Reasons to Stop Using Email</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlSYftkaI/AAAAAAAAACE/n5j9KQ_6HII/s1600-h/email2.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlSYftkaI/AAAAAAAAACE/n5j9KQ_6HII/s200/email2.jpg" alt="" id="BLOGGER_PHOTO_ID_5107334081414009250" border="0" /&gt;&lt;/a&gt;Today the &lt;a href="http://www.gwu.edu/%7Ensarchiv/"&gt;National Security Archives&lt;/a&gt; at &lt;a href="http://www.gwu.edu/"&gt;George Washington University&lt;/a&gt; (not to be confused with my friends at the &lt;a 
href="http://www.nsa.gov/"&gt;NSA&lt;/a&gt;) announced that they have filed a &lt;a href="http://www.gwu.edu/%7Ensarchiv/news/20070905/complaint.pdf"&gt;lawsuit&lt;/a&gt; in U.S. District Court requiring the Executive Office of the President to recover and restore some &lt;b&gt;five million&lt;/b&gt; mysteriously missing e-mails from March 2003 to October 2005.&lt;br /&gt;&lt;br /&gt;Again, hoping to steer this blog and its readers' comments away from political commentary, I'd like to take this moment to ask what would YOU do if you were the I.T. administrator asked to recover these missing messages? Certainly there is a vacuum of information: as outsiders we don't know if the messages were caught on backup tapes and then later deleted or if they were never archived in the first place. But let's not let the lack of facts ruin a perfectly good round of "what if"!&lt;br /&gt;&lt;br /&gt;Removing it from the public sector, imagine you worked at MortgageCorp and that several thousand e-mail messages were deleted from the server under your control. Now that the sub-prime lending market is in a tailspin, consumers start to fling class action lawsuits at MortgageCorp. How do you deal with the recovery of messages that, if recovered, would certainly do considerable harm to your employer and that--precisely because of this--the person who performed the deletion was probably quite crafty in covering their tracks. Would you immediately call in forensics experts? or duck the issue and tell the boss "they vanished--I can't get them back. 
Now it's general counsel's problem."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-3902827677875106455?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/09/white-house-email.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ZHJ7VBX4kA0/RuDlSYftkaI/AAAAAAAAACE/n5j9KQ_6HII/s72-c/email2.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-8008240144647946594</guid><pubDate>Tue, 07 Aug 2007 06:09:00 +0000</pubDate><atom:updated>2007-09-06T22:42:23.340-07:00</atom:updated><title>Virtual Switches May Expose Old L2/L3 Attacks</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_ZHJ7VBX4kA0/RuDkr4ftkZI/AAAAAAAAAB8/oB1LGMepzJg/s1600-h/fogie3_fig5.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_ZHJ7VBX4kA0/RuDkr4ftkZI/AAAAAAAAAB8/oB1LGMepzJg/s200/fogie3_fig5.jpg" alt="" id="BLOGGER_PHOTO_ID_5107333419989045650" border="0" /&gt;&lt;/a&gt;Last week, I was lucky enough to assist &lt;a href="http://www.blogger.com/profile/13512184196416665417"&gt;Richard Bejtlich&lt;/a&gt; with his Black Hat 2007 training course, &lt;a href="http://taosecurity.blogspot.com/2007/08/black-hat-usa-2007-round-up-part-1.html"&gt;"TCP/IP Weapons School"&lt;/a&gt; (sold out both sessions!). 
While in class going through layer 2 and layer 3 attacks from long ago (and here I define "long" as pre-2003) I couldn't help thinking how vulnerabilities have a sneaky way of going dormant and then creeping back up after everyone has forgotten about them.&lt;br /&gt;&lt;br /&gt;Today, &lt;a href="http://rationalsecurity.typepad.com/about.html"&gt;Hoff&lt;/a&gt; (whom I only met recently, in Richard's class) writes about &lt;a href="http://rationalsecurity.typepad.com/blog/2007/08/vmware-to-open-.html"&gt;VMware's Virtual Switches&lt;/a&gt; and the possibility of these "old" layer 2 and layer 3 attacks finding a new home betwixt virtual machines on the same physical host. Now that we've all gone to the trouble of using static MAC security settings on our shiny Cisco Catalyst switches, we have to worry about the not-so-shiny and very virtualized Vswitches??&lt;br /&gt;&lt;br /&gt;A five-year-old "macof" attack could suddenly be relevant again. I can't wait until we come full circle and start using 8" diskettes and punch cards; I've got a box of them in the garage.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-8008240144647946594?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/08/vswitch.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ZHJ7VBX4kA0/RuDkr4ftkZI/AAAAAAAAAB8/oB1LGMepzJg/s72-c/fogie3_fig5.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-239823710305333556</guid><pubDate>Mon, 02 Jul 2007 19:54:00 +0000</pubDate><atom:updated>2007-07-02T13:41:57.631-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>ITIL</category><category 
domain='http://www.blogger.com/atom/ns#'>certification</category><title>UK OGC's ITIL</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_ZHJ7VBX4kA0/RolZkDa-BRI/AAAAAAAAABc/PnAmAlM6vUo/s1600-h/ITIL_Foundation_Certificate_pin.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/RolZkDa-BRI/AAAAAAAAABc/PnAmAlM6vUo/s200/ITIL_Foundation_Certificate_pin.jpg" alt="" id="BLOGGER_PHOTO_ID_5082692130392900882" border="0"&gt;&lt;/a&gt;&lt;br /&gt;Gotta love government (even the foreign ones) and their acronyms. The United Kingdom's &lt;a href="http://www.ogc.gov.uk/"&gt;Office of Government Commerce&lt;/a&gt; has developed a framework of best practices to deliver IT services called the &lt;a href="http://www.itil.co.uk/"&gt;Information Technology Infrastructure Library (ITIL)&lt;/a&gt;. On a recent engagement with a government client, we were asked if we were an ITIL-compliant practitioner. After admitting we were not, the client shared with us the wisdom of a formalized IT service delivery model that ITIL comprises in a series of eight books:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Service Delivery&lt;/li&gt;&lt;li&gt;Service Support&lt;/li&gt;&lt;li&gt;Infrastructure Management&lt;/li&gt;&lt;li&gt;Security Management&lt;/li&gt;&lt;li&gt;Business Perspective&lt;/li&gt;&lt;li&gt;Application Management&lt;/li&gt;&lt;li&gt;Software Asset Management&lt;/li&gt;&lt;li&gt;Planning to implement Service Management&lt;/li&gt;&lt;/ul&gt;This particular client's entire IT operations (from helpdesk to senior network engineers) had taken the certification as well as changed their business operations to fit into the framework. 
Now, I know that there are many readers in the "certifications are for the birds" camp, but stick with me: there are many IT shops that we walk into that lack even the most basic formalized procedures on &lt;font style="font-weight: bold;"&gt;how&lt;/font&gt; to do what it is they are asked to do. Formalized doesn't have to mean thick binders and triplicate carbon forms; just writing things down in a 1-2-3 list format would make a staggering difference in providing an organization with some insulation from employee turnover.&lt;br /&gt;How many of your own IT organizations are sent into a tailspin for a few weeks when a key IT employee leaves, taking pertinent procedural information with him/her?&lt;br /&gt;&lt;br /&gt;The client didn't require us to be certified but one of our D.C. office principals rose to the challenge and had a favorable experience with both the exam and (more importantly) learning the framework. I don't know if ITIL is something that will catch on in the private sector, but if you (or your customers) don't have a formalized service delivery system in place, you may want to suggest that at the next staff/consultant meeting.&lt;br /&gt;&lt;br /&gt;Oh, and one last thing: congrats, &lt;a href="http://sopsec.com/company/team/orlando/"&gt;Mark Orlando&lt;/a&gt;, for adding yet another set of letters behind your name for folks to ridicule you!  
&lt;font style="font-style: italic; color: rgb(153, 153, 153);"&gt;(possible blog topic: why do online forum dwellers end up berating those that achieve certifications?)&lt;/font&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-239823710305333556?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/07/uk-ogcs-itil.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/RolZkDa-BRI/AAAAAAAAABc/PnAmAlM6vUo/s72-c/ITIL_Foundation_Certificate_pin.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-2023187884512272157</guid><pubDate>Wed, 13 Jun 2007 17:28:00 +0000</pubDate><atom:updated>2007-06-13T15:06:26.847-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>security management</category><title>The Lazy Way Out of Network Abuse</title><description>While catching up on my reading last night, I came across &lt;a href="http://members.authorsguild.net/dkushner/work1.htm"&gt;this&lt;/a&gt; story in Wired Magazine about a stalker case involving an employee of Sandia National Labs. It was a flashy case, since the subject of the stalking happens to be the lead singer of the band Linkin Park. However, I found the most intriguing aspect of the story was that the suspect did most of the "stalking" from her desk at Sandia. This is someone who held a fairly high-level security clearance, working at one of the most secured (publicly-known) facilities in the US Government. &lt;br /&gt;&lt;br /&gt;Oh, where to start. 
Forgetting all of the security principles (or lack thereof) that could be expounded upon here, this is what got to me: a statement from the National Nuclear Security Administration in response to this story read that "...the security of Sandia's network was never compromised." In my view, that statement could only be made by someone with near perfect situational awareness, a lack of which this incident demonstrated perfectly. This isn't a case of someone simply abusing the e-mail or phone system to send out a few private messages; this person, known to have access to highly confidential materials, was signing up for online Verizon and Apple accounts from work and sending numerous e-mails a day to and from non-official addresses, and the response is "The only completely effective way to prevent abuse of Internet access is to deny it entirely, and that is not a viable option for a research and development laboratory." &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_oaFNVAT1i_k/RnBNtCa83bI/AAAAAAAAAA0/T1JXMS-9AxI/s1600-h/securitymeasures+stairs.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_oaFNVAT1i_k/RnBNtCa83bI/AAAAAAAAAA0/T1JXMS-9AxI/s200/securitymeasures+stairs.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5075642216185912754" /&gt;&lt;/a&gt;To me, proving statements like this wrong is one of the best parts of being a security professional. Given a business or operational requirement, it's our job to implement security controls that can enable secure operations at the lowest possible cost to productivity or mission accomplishment. Shutting off network access to control or monitor your users? 
Come on, that's so ten years ago.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-2023187884512272157?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/06/easy-way-out-of-network-abuse.html</link><author>noreply@blogger.com (Mark Orlando)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_oaFNVAT1i_k/RnBNtCa83bI/AAAAAAAAAA0/T1JXMS-9AxI/s72-c/securitymeasures+stairs.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-1931960698951952505</guid><pubDate>Mon, 11 Jun 2007 01:53:00 +0000</pubDate><atom:updated>2007-06-10T19:13:41.449-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>open source</category><category domain='http://www.blogger.com/atom/ns#'>tools</category><category domain='http://www.blogger.com/atom/ns#'>intrusion detection</category><title>Full-time Packet Captures with the Time Machine</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_oaFNVAT1i_k/RmytHCa83YI/AAAAAAAAAAc/qPSy2fKf3EI/s1600-h/delorean.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_oaFNVAT1i_k/RmytHCa83YI/AAAAAAAAAAc/qPSy2fKf3EI/s200/delorean.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5074621216560307586" /&gt;&lt;/a&gt;&lt;br /&gt;Researchers at Lawrence Berkeley National Laboratory, the Munich University of Technology, and the Berlin University of Technology have been working on a project that should be of great interest to IDS and security analysts everywhere. 
The project’s goal is to address one of the biggest shortcomings in intrusion detection and network-based incident response: how do we gather and analyze all data pertaining to an incident once an intrusion has occurred, knowing that most monitoring solutions only generate alerts and, if we’re lucky, minimal packet data? There are a few vendors that have tried to address this problem (Niksun and McAfee come to mind immediately) by throwing expensive hardware and lots of disk space into solutions designed to maintain full packet captures. Most IDS vendors include some sort of packet capture functionality in their products, but even those usually only provide such data when and if an alert is triggered.       &lt;br /&gt;    &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;This new project has been dubbed The Time Machine. It is designed to provide a full-time packet capture capability in Gbps environments using commodity hardware. That may be a tall order, but definitely worth a closer look knowing it comes from the same people that brought us Bro IDS, not to mention security monitoring research since the earliest days of IDS technology. The basic premise is that the Time Machine uses a packet cutoff limit to buffer up to &lt;i&gt;N&lt;/i&gt; bytes of traffic for each connection, given what statistical analysis of network traffic has shown to be the most meaningful data for each traffic type, and then indexes all captured packets for fast retrieval. &lt;br /&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;The capability to keep full packet captures for all connections in the event of an intrusion or event of interest, using an open source utility and commodity hardware, is a welcome proposition and one we plan to research further. 
The Time Machine is still in early stages of development but can be downloaded from: &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.net.t-labs.tu-berlin.de/research/tm/#download"&gt;http://www.net.t-labs.tu-berlin.de/research/tm/#download&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;We’re already working on taking it for a spin, so look for future write-ups on this cool new toy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-1931960698951952505?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/06/full-time-packet-captures-with-time.html</link><author>noreply@blogger.com (Mark Orlando)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_oaFNVAT1i_k/RmytHCa83YI/AAAAAAAAAAc/qPSy2fKf3EI/s72-c/delorean.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-2589515713958066928</guid><pubDate>Tue, 22 May 2007 18:42:00 +0000</pubDate><atom:updated>2007-05-22T12:18:33.101-07:00</atom:updated><title>MISSION: Block sites with OpenDNS</title><description>&lt;p style="background-color: rgb(245, 237, 227);"&gt;&lt;span style="font-style: italic;"&gt;MISSION&lt;/span&gt;: Block troublesome websites with &lt;span style="font-weight: bold;"&gt;minimal &lt;/span&gt;effort&lt;br /&gt;&lt;span style="font-style: italic;"&gt;EXECUTION TIME&lt;/span&gt;: 90 seconds&lt;br /&gt;&lt;span style="font-style: italic;"&gt;TOOLS&lt;/span&gt;: Requires use of OpenDNS.com name servers&lt;/p&gt;&lt;br /&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_GxO6RWb0WPU/RlM-2R8Ny4I/AAAAAAAAAAc/zK8L9qIIThc/s200/rrgate.jpg" alt="" id="BLOGGER_PHOTO_ID_5067463107971763074" border="0" width="200" /&gt;This is Jason, the new guy 
at Special Ops Security, and I'll be posting blog items that are more of your "basic training" type than the other guys. In light of the recent &lt;a href="http://blog.specialopssecurity.com/2007/05/need-to-lower-morale-block-myspace.html"&gt;DoD blocking prominent websites&lt;/a&gt;, I wanted to post a very quick and easy way to block sites on your corporate network. Now, this is definitely not a 100% solution; for that, you need to blacklist the URL in your firewall, router, &lt;a href="http://www.websense.com/"&gt;WebSense&lt;/a&gt; device, or other content filtering technology.&lt;br /&gt;&lt;br /&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp0.blogger.com/_GxO6RWb0WPU/RlNAWh8Ny5I/AAAAAAAAAAk/qy17BC6Nu4g/s200/80_20_rule.gif" alt="" id="BLOGGER_PHOTO_ID_5067464761534172050" border="0" width="100" /&gt;Even then, your users can use a proxy server to get around the blocking. Think of this as an 80% solution that takes seconds versus opening up your firewall and needing more skilled engineers to change rulesets.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.opendns.com/"&gt;OpenDNS&lt;/a&gt; provides these really fast DNS resolvers that have &lt;a href="http://www.opendns.com/start/features/#faster"&gt;really large caches&lt;/a&gt;. These guys are great and you should definitely use them for your corporate network's DNS resolver instead of your ISP's. I &lt;span style="font-style: italic;"&gt;guarantee &lt;/span&gt;they are faster. More on that in another posting.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.opendns.com/share/"&gt;&lt;img src="http://images.opendns.com/buttons/use_opendns_155x52.gif" style="border: 0pt none ;" align="left" height="52" width="155" /&gt;&lt;/a&gt;If you're a current OpenDNS user, the graphic above should confirm that by saying "Sweet!" 
If the graphic above says "Get Started" then your network does not use OpenDNS yet and that is a pre-requisite for this great feature to work.&lt;br /&gt;&lt;br /&gt;Once you've signed up with OpenDNS (it's free and takes just a couple of minutes), you can login to your account and add sites to the "blocked" list. If you block &lt;a href="http://craigslist.org/"&gt;craigslist.org&lt;/a&gt; then you’ll also be blocking &lt;a href="http://la.craigslist.org/"&gt;la.craigslist.org&lt;/a&gt; (Craigslist Los Angeles) and &lt;a href="http://sfbay.craigslist.org/"&gt;sfbay.craigslist.org&lt;/a&gt; (Craigslist San Francisco), etc.  If, instead, you just blocked &lt;a href="http://newyork.craigslist.org/"&gt;newyork.craigslist.org&lt;/a&gt; then the rest of the Craigslist properties would load just fine.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_GxO6RWb0WPU/RlM8_h8Ny3I/AAAAAAAAAAU/1lIKnh4Ukvg/s1600-h/myspace_blocked.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_GxO6RWb0WPU/RlM8_h8Ny3I/AAAAAAAAAAU/1lIKnh4Ukvg/s320/myspace_blocked.gif" alt="" id="BLOGGER_PHOTO_ID_5067461067862297458" border="0" /&gt;&lt;/a&gt;When you try to visit a domain that is blocked you’ll see a page that looks like the one to the left. The nice part about this is that it lets the user know the site is blocked and gives them the feedback that they shouldn't be accessing it. You can even replace the OpenDNS logo with your company's own. This feedback page is much better than a browser error ("web server not responding") that would result from firewall or router blocking.&lt;br /&gt;&lt;br /&gt;This feature can be used to steer employees away from social networking sites at work or to preemptively block malicious malware sites. 
Hopefully I haven't alienated all of the really technical subscribers to our blog--just want to have content for the experts as well as the beginners.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-2589515713958066928?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/05/mission-block-sites-with-opendns.html</link><author>noreply@blogger.com (Jason Ritner)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_GxO6RWb0WPU/RlM-2R8Ny4I/AAAAAAAAAAc/zK8L9qIIThc/s72-c/rrgate.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-6554470182629879171</guid><pubDate>Tue, 15 May 2007 21:30:00 +0000</pubDate><atom:updated>2007-05-22T12:29:22.919-07:00</atom:updated><title>Need to lower morale? Block MySpace!</title><description>Just yesterday, &lt;a href="http://www.usfk.mil/usfk/bell-sends/5_11_07_27%20-%2007%20Restricted%20Access%20to%20Internet%20Entertainment%20Sites%20Across%20DoD%20Networks.pdf"&gt;U.S. 
Army General Bell announced&lt;/a&gt; that eleven popular websites were being blocked across the entire DoD NIPRNET by May 14th:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Social Networking Sites&lt;/li&gt;&lt;br /&gt;&lt;img height="150" style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/RlND5ESAn7I/AAAAAAAAABU/34ba4hps66o/s320/Image1.gif" alt="" id="BLOGGER_PHOTO_ID_5067468653402824626" border="0" /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.myspace.com/"&gt;myspace.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.hi5.com/"&gt;hi5.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.blackplanet.com/"&gt;blackplanet.com&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;li&gt;Video/Photo Sharing&lt;/li&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.photobucket.com/"&gt;photobucket.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.youtube.com/"&gt;youtube.com&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ifilm.com/"&gt;ifilm.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.stupidvideos.com/"&gt;stupidvideos.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.filecabi.com/"&gt;filecabi.com&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;li&gt;Streaming Music&lt;/li&gt;&lt;br /&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp3.blogger.com/_ZHJ7VBX4kA0/RlNC_kSAn6I/AAAAAAAAABM/sscsXxR9L3Y/s320/Image1.gif" alt="" id="BLOGGER_PHOTO_ID_5067467665560346530" border="0" /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://1.fm/"&gt;1.fm&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.pandora.com/"&gt;pandora.com&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.live365.com/"&gt;live365.com&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mtv.com/"&gt;mtv.com&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;No sooner did the announcement come out than there was &lt;a 
href="http://apnews.myway.com/article/20070514/D8P41TM00.html"&gt;reaction in the press&lt;/a&gt; that this was an attempt to squelch unfavorable portrayals of the current war from the soldier's point of view. In light of the fact that the U.S. Army has itself produced promotional videos and posted them on YouTube to encourage recruitment, this seems rather odd.&lt;br /&gt;&lt;br /&gt;Now, our intention is not to turn this into a political ideology blog--there are plenty available if that is what you desire. Instead, we want to tackle the assertion from General Bell that these sites are taking away valuable bandwidth from military networks for recreational use. We see this argument used a lot in large corporations that install website blocking systems. We believe this is wholeheartedly a knee-jerk reaction and extremely poorly executed.&lt;br /&gt;&lt;br /&gt;If the intentions are genuine and are merely intended to conserve bandwidth, the correct way to address this from an IT perspective is to &lt;a href="http://compnetworking.about.com/od/networkdesign/g/bldef_qos.htm"&gt;QoS&lt;/a&gt; the network and place these "recreational websites" in a priority class such that they do not take up more than... 25% or 10% of the available pipe.&lt;br /&gt;&lt;br /&gt;By blocking the sites, morale suffers. As the Associated Press article points out, many soldiers use these social network services and photo sharing sites to keep in touch with their families and friends stateside. Cutting off that important link is a poorly executed plan to reduce bandwidth consumption.&lt;br /&gt;&lt;br /&gt;Deliberately blocking the sites is a bit like using a chain saw to perform a root canal. The result is achieved, but with high levels of discomfort to the patient (or the soldier, or the corporate network employee). 
When the performance of these recreational sites becomes less than stellar, employees (or soldiers) will naturally make their own decision to either have more patience for the site to load, learn how to use an anonymous proxy server, or simply find another form of recreation. The important part is that the decision will be left up to the soldier or the employee, therefore empowering the workforce.&lt;br /&gt;&lt;br /&gt;Some of our blog subscribers have .mil email addresses -- we'd love to hear your thoughts on this issue. If you are unable or uncomfortable posting to the blog from that address (and do not have a personal email account), please &lt;a href="http://sopsec.com/contact"&gt;contact us&lt;/a&gt; and we will post your response anonymously.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-6554470182629879171?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/05/need-to-lower-morale-block-myspace.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/RlND5ESAn7I/AAAAAAAAABU/34ba4hps66o/s72-c/Image1.gif' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-3159830780021123572</guid><pubDate>Sun, 06 May 2007 17:24:00 +0000</pubDate><atom:updated>2007-05-07T09:51:37.433-07:00</atom:updated><title>MISSION: Gather Intel</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_D-jtTWsQ-xY/Rj9Y81zC9MI/AAAAAAAAAAM/tSZYj8JA6DM/s1600-h/sincgars.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" 
src="http://bp2.blogger.com/_D-jtTWsQ-xY/Rj9Y81zC9MI/AAAAAAAAAAM/tSZYj8JA6DM/s320/sincgars.jpg" alt="" id="BLOGGER_PHOTO_ID_5061862308444304578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;MISSION: Gather global security intelligence&lt;br /&gt;EXECUTION TIME: 15 minutes&lt;br /&gt;TOOLS: RSS feed aggregator of choice or customizable home page&lt;br /&gt;&lt;br /&gt;Situational awareness is a key element of deploying and maintaining effective security measures. Part of that recurring effort should be intelligence gathering. Putting together a comprehensive list of security-related RSS feeds can be a great alternative to hitting numerous sites each day or trying to sift through busy “dashboard” pages. There are many great security related sites out there that support RSS; the key is not to add as many as you can, but rather to identify dependable sources of information that focus on issues pertinent to your mission. Here are some of our favorites:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Special Ops&lt;/span&gt;, of course! 
(Security how-to’s and news items)&lt;br /&gt;URL: &lt;a href="http://feeds.feedburner.com/SpecialOpsSecurity"&gt;http://feeds.feedburner.com/SpecialOpsSecurity&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;SecuriTeam &lt;/span&gt;(Various security advisories and vulnerabilities)&lt;br /&gt;URL: &lt;a href="http://www.securiteam.com/securiteam.rss"&gt;http://www.securiteam.com/securiteam.rss&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;TaoSecurity &lt;/span&gt;(Network Security Monitoring-centric postings by Richard Bejtlich)&lt;br /&gt;URL: &lt;a href="http://taosecurity.blogspot.com/feeds/posts/default"&gt;http://taosecurity.blogspot.com/feeds/posts/default&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;SANS Internet Storm Center&lt;/span&gt; (ISC Handlers diary, security items of note)&lt;br /&gt;URL: &lt;a href="http://isc.sans.org/rssfeed.xml"&gt;http://isc.sans.org/rssfeed.xml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;GeeKool &lt;/span&gt;(Another NSM-centric blog with an emphasis on technical information and how-to’s)&lt;br /&gt;URL: &lt;a href="http://geek00l.blogspot.com/feeds/posts/default"&gt;http://geek00l.blogspot.com/feeds/posts/default&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Zone-H&lt;/span&gt; (Emerging threats, defacements, items of note - Global)&lt;br /&gt;URL: &lt;a href="http://www.zone-h.org/index2.php?option=com_rss&amp;no_html=1"&gt;http://www.zone-h.org/index2.php?option=com_rss&amp;amp;no_html=1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security Fix&lt;/span&gt; (Security news)&lt;br /&gt;URL: &lt;a href="http://blog.washingtonpost.com/securityfix/index.xml"&gt;http://blog.washingtonpost.com/securityfix/index.xml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Of course, there are many, many more, including several vendor blogs that actually have some pretty good info. 
Please add a comment with your favorites!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-3159830780021123572?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/05/mission-gather-intel.html</link><author>noreply@blogger.com (Mark Orlando)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_D-jtTWsQ-xY/Rj9Y81zC9MI/AAAAAAAAAAM/tSZYj8JA6DM/s72-c/sincgars.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-3593786367980219022</guid><pubDate>Tue, 17 Apr 2007 00:54:00 +0000</pubDate><atom:updated>2007-04-16T18:27:30.987-07:00</atom:updated><title>Do U know about U3?</title><description>&lt;a href="http://bp0.blogger.com/_ZHJ7VBX4kA0/RiQh6eMlUbI/AAAAAAAAAA8/mpL-xeV7Di4/s1600-h/p256041b.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5054201970238509490" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/RiQh6eMlUbI/AAAAAAAAAA8/mpL-xeV7Di4/s200/p256041b.jpg" border="0" /&gt;&lt;/a&gt; &lt;a href="http://www.u3.com/"&gt;U3&lt;/a&gt; is an open-standard allowing for application portability. Sounds great doesn't it? Don't just take your data from computer to computer. Now take the whole application itself. No need to sit through a long install process on a shared PC. No more tweaking application settings in multiple places. What could possibly go wrong?&lt;br /&gt;&lt;br /&gt;Enter our old friend, the Windows auto-run feature. By manipulating USB sticks using the U3 technology, some intelligent folks were able to bypass previous roadblocks to &lt;a href="http://www.hak5.org/forums/viewtopic.php?p=31505"&gt;USB attacks based on auto-run&lt;/a&gt;. The solution? 
Turn it off.&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://support.microsoft.com/kb/q155217"&gt;Enable or Disable Automatically Running CD-ROMs&lt;/a&gt; &lt;a href="http://support.microsoft.com/kb/q155217" target="_blank"&gt;&lt;/a&gt;&lt;br /&gt;- &lt;a href="http://www.winguides.com/registry/display.php/1142/"&gt;Select the Drive Types to Start Automatically&lt;/a&gt;&lt;a href="http://www.winguides.com/registry/display.php/1142/" target="_blank"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It is always safer to disable auto-run for as many devices as possible. For all devices, do the following in Windows 2000/XP/2003:&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;HKEY_LOCAL_MACHINE\Software&lt;wbr&gt;\Microsoft\Windows\CurrentVersi&lt;wbr&gt;on\Policies\Explorer\{DWORD&lt;wbr&gt;}NoDriveTypeAutoRun = 255 (decimal)&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Configuring this registry key will not prevent all U3 attacks. Some basic social engineering could easily result in a user executing malicious code on a USB stick planted in a variety of locations. If you are waiting for the registry key to prevent this, I wouldn't hold your breath. 
Educating your users is the best defense.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;small&gt;[&lt;a href="http://www.urbanoutfitters.com/shopping/product/detailmain.jsp?itemID=24254&amp;itemType=PRODUCT&amp;amp;iProductID=24254"&gt;USB Stewie&lt;/a&gt; from Urban Outfitters.com]&lt;/small&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-3593786367980219022?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/04/do-u-know-about-u3.html</link><author>noreply@blogger.com (SHA-1)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ZHJ7VBX4kA0/RiQh6eMlUbI/AAAAAAAAAA8/mpL-xeV7Di4/s72-c/p256041b.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-953206520892634294</guid><pubDate>Tue, 10 Apr 2007 00:33:00 +0000</pubDate><atom:updated>2007-04-10T21:35:57.076-07:00</atom:updated><title>Death of a Newsletter</title><description>&lt;a href="http://bp0.blogger.com/_ZHJ7VBX4kA0/RhxjpeMlUaI/AAAAAAAAAA0/HKWfdTDCwds/s1600-h/wea_tombstone_hat_lg.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5052022446134481314" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 109px; CURSOR: hand; HEIGHT: 152px" height="169" alt="" src="http://bp0.blogger.com/_ZHJ7VBX4kA0/RhxjpeMlUaI/AAAAAAAAAA0/HKWfdTDCwds/s200/wea_tombstone_hat_lg.jpg" width="119" border="0" /&gt;&lt;/a&gt;With the recent news that our email distribution service is going belly-up, we've decided that our little blogging experiment here will become the full-time replacement for our monthly newsletter. 
More and more companies are transitioning to what many are calling &lt;strong&gt;&lt;a href="http://en.wikipedia.org/wiki/Corporate_blog"&gt;Corporate Blogging&lt;/a&gt;&lt;/strong&gt;, with rich content provided by many including &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;CEOs&lt;/span&gt;. Everyone seems to be getting into the act, even the slow-to-change Fortune 500 (see &lt;a href="http://www.socialtext.net/bizblogs/"&gt;www.socialtext.net/bizblogs/&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;For our part, we've signed up with &lt;a href="http://www.feedburner.com/"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;FeedBurner&lt;/span&gt;&lt;/a&gt; to distribute our blog via email. If you were already one of the lucky thousands&lt;span style="color:#ff0000;"&gt;*&lt;/span&gt; to be on our original newsletter mailing list, we will be manually importing your subscription into &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;FeedBurner&lt;/span&gt;. This means that you will receive an email from &lt;b&gt;confirmations@emailenfuego.net&lt;/b&gt; asking you to confirm your intent to subscribe to our blog (part of the whole double-opt-in good citizenship that we practice here at Special Ops).&lt;br /&gt;&lt;br /&gt;If you &lt;strong&gt;do not&lt;/strong&gt; want to continue receiving updated company information, security advice, and free assessment tool information, simply delete the email and your invitation will expire. 
If you &lt;strong&gt;do&lt;/strong&gt; wish to remain the envy of your info sec comrades and stay on top of Special Ops happenings, please click on the link provided in the email right away.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;*&lt;/span&gt;&lt;em&gt;&lt;span style="font-size:78%;"&gt;Okay, so perhaps "thousands" is an overstatement, but at 973 subscribers I couldn't help myself!&lt;/span&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-953206520892634294?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/04/death-of-newsletter.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ZHJ7VBX4kA0/RhxjpeMlUaI/AAAAAAAAAA0/HKWfdTDCwds/s72-c/wea_tombstone_hat_lg.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-8429616946560073777</guid><pubDate>Tue, 03 Apr 2007 15:00:00 +0000</pubDate><atom:updated>2007-04-10T21:11:24.822-07:00</atom:updated><title>ListBuilder Stops Building</title><description>&lt;a href="http://bp1.blogger.com/_ZHJ7VBX4kA0/RhxXsuMlUYI/AAAAAAAAAAk/AMrmdX4okT0/s1600-h/BCentralLogo.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5052009307829522818" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/RhxXsuMlUYI/AAAAAAAAAAk/AMrmdX4okT0/s200/BCentralLogo.gif" border="0" /&gt;&lt;/a&gt; There are many companies out there that provide email distribution services for small businesses like ours. Shortly after we subscribed to ListBuilder.com, they were acquired by Microsoft and quickly renamed "bCentral" (presumably the little "b" is for Small Business). 
We use this service to send out our monthly email newsletters to keep our customers and supporters in the loop on Special Ops happenings.&lt;br /&gt;&lt;br /&gt;After last month's newsletter, one of our smart readers from across the pond--Callum Millard--pointed out that simply tossing an apostrophe into the "unsubscribe" link included in the emails generated a pretty nasty ASP.NET error. Tsk tsk tsk--how many times do we have to play the apostrophe game to prove to web developers that they must sanitize web input??&lt;br /&gt;&lt;br /&gt;We escalated the embarrassing web application vulnerability to our contacts at bCentral. We expected some resolution, but never this:&lt;br /&gt;&lt;blockquote&gt;&lt;strong&gt;Microsoft retiring List Builder Service&lt;/strong&gt;&lt;br&gt;&lt;br /&gt;Effective 12:00 noon PDT on June 1st 2007 Microsoft will retire its List Builder service. ... To continue serving your subscribers with newsletters and other customer communications, we invite you to learn how you can sign up for e-mail marketing services with &lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://go.microsoft.com/?linkid=6553153" target="_blank"&gt;Constant Contact&lt;/a&gt;.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;While we would have liked to see them correct the problem, apparently shutting down the entire subdivision was their response!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-8429616946560073777?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/04/listbuilder-stops-building.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/RhxXsuMlUYI/AAAAAAAAAAk/AMrmdX4okT0/s72-c/BCentralLogo.gif' height='72' width='72'/><thr:total
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-2073729067701563871</guid><pubDate>Sun, 01 Apr 2007 16:00:00 +0000</pubDate><atom:updated>2007-04-10T21:21:39.207-07:00</atom:updated><title>Optimus Prime, Holding on Line 3</title><description>&lt;a href="http://bp3.blogger.com/_ZHJ7VBX4kA0/RhxhIOMlUZI/AAAAAAAAAAs/h0ykkd3x_04/s1600-h/optimus-prime-helmet.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5052019675880575378" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp3.blogger.com/_ZHJ7VBX4kA0/RhxhIOMlUZI/AAAAAAAAAAs/h0ykkd3x_04/s200/optimus-prime-helmet.jpg" border="0" /&gt;&lt;/a&gt; To assist with our Accounts Receivable, our receptionist has volunteered to don the &lt;a href="http://www.ubergizmo.com/15/archives/2007/03/optimus_prime_speaketh.html"&gt;Optimus Prime Voice Changer&lt;/a&gt; helmet scheduled to be released later this summer along with the new &lt;a href="http://www.transformersmovie.com/"&gt;Transformers&lt;/a&gt; movie. While we don't know if this will help with our billing, we are certain that she will prevail over the Decepticons.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:78%;"&gt;p.s. 
Happy April Fool's Day!&lt;/span&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-2073729067701563871?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/04/optimus-prime-holding-on-line-3.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ZHJ7VBX4kA0/RhxhIOMlUZI/AAAAAAAAAAs/h0ykkd3x_04/s72-c/optimus-prime-helmet.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-5724693635002997823</guid><pubDate>Tue, 27 Mar 2007 15:30:00 +0000</pubDate><atom:updated>2007-04-10T21:09:18.104-07:00</atom:updated><title>ShmooCon After Action Report</title><description>&lt;p style="MARGIN-BOTTOM: 0in"&gt;Greetings from Special Ops East, fresh from the District and another ShmooCon. If you want to read a good recap, check out Richard Bejtlich's posting(s) on the &lt;a href="http://taosecurity.blogspot.com/"&gt;TaoSecurity blog&lt;/a&gt; or just go to the &lt;a href="http://www.shmoocon.org/"&gt;ShmooCon site&lt;/a&gt;. &lt;/p&gt;&lt;p style="MARGIN-BOTTOM: 0in"&gt;Our take is that, unfortunately, a great deal of the material presented this weekend sounded eerily familiar, and it isn't necessarily because we were at Black Hat and RSA. We like Shmoo, but the real advantage for us is meeting and interacting with other people in the industry. We recently had a client ask us what sorts of things we do to stay current in the field of security and attending events like ShmooCon is high on that list. You want to check out what other people are working on, what you need to be worried about, or what you haven't even considered! 
That's what gets you through the coming year, not the exploit or tool du jour. &lt;/p&gt;&lt;p style="MARGIN-BOTTOM: 0in"&gt;The best conference stories always start out, “So I had drinks/lunch/dinner/a soda with so-and-so and we discussed (insert utility/research/project/methodology here).” We'd like to see more of the big shows incorporate social and collaborative elements to facilitate more of this kind of interaction between attendees. Shmoo definitely seems to have the right idea with the ShmooCon labs and “Hack or Halo” events. There are also plenty of regional discussion groups like &lt;a href="http://novasec.blogspot.com/"&gt;Nova Sec&lt;/a&gt; (here in the DC area) whose sole purpose is this kind of collaboration. &lt;/p&gt;&lt;p style="MARGIN-BOTTOM: 0in"&gt;If we have one piece of advice for you coming out of ShmooCon, this is it: find one of these groups in your area and start going to meetings! And at the next con, find Steve and introduce yourself; the drinks are on him.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-5724693635002997823?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/03/shmoocon.html</link><author>noreply@blogger.com (Mark)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-9213359084597057319.post-5628902864838119897</guid><pubDate>Thu, 15 Mar 2007 00:10:00 +0000</pubDate><atom:updated>2007-04-05T17:11:52.594-07:00</atom:updated><title>Remote Wrangler</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_ZHJ7VBX4kA0/RhWQN3ofYeI/AAAAAAAAAAc/gPW1xl4DmfA/s1600-h/remotewrangler.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor:
pointer;" src="http://bp1.blogger.com/_ZHJ7VBX4kA0/RhWQN3ofYeI/AAAAAAAAAAc/gPW1xl4DmfA/s200/remotewrangler.jpg" alt="" id="BLOGGER_PHOTO_ID_5050101125112357346" border="0" /&gt;&lt;/a&gt;Don't you just hate having your Plasma TV remote, the DVD remote, the entertainment     system remote, the DirecTV remote, and your Mac Mini remote all strewn about on the      coffee table? What's worse is when the remotes (on their own power) march from the     table to hide in between the cushions of the sofa. Wouldn't it be great to have the     remotes easily accessible and centimeters away from you at all times while you     enjoy the latest round of American Idol? Well thankfully someone (some very lonely     and insane person) has invented the &lt;a href="http://www.americaninventorspot.com/lost_remotes"&gt;Multimedia     Remote Control Wrangler&lt;/a&gt;. Finally -- a way to combine your love for wrestling     (or athletic supporters) with Velcro and remote controls. I love the 21st century.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9213359084597057319-5628902864838119897?l=blog.specialopssecurity.com' alt='' /&gt;&lt;/div&gt;</description><link>http://blog.specialopssecurity.com/2007/03/remote-wrangler.html</link><author>noreply@blogger.com (Steven Andrés)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ZHJ7VBX4kA0/RhWQN3ofYeI/AAAAAAAAAAc/gPW1xl4DmfA/s72-c/remotewrangler.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item></channel></rss>