<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Kees Leune</title>
    <link rel="alternate" type="text/html" href="http://www.leune.org/blog/kees/" />
    
    <id>tag:www.leune.org,2007-08-17:/blog/kees/4</id>
    <updated>2009-10-27T12:57:04Z</updated>
    <subtitle>Information Security Strategist</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.32-en</generator>

<link rel="self" href="http://feeds.feedburner.com/kees" type="application/atom+xml" /><feedburner:emailServiceId>kees</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
    <title>Starting IsleSec</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/5FUsy_eY1aE/starting-islesec.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.650</id>

    <published>2009-10-27T12:51:59Z</published>
    <updated>2009-10-27T12:57:04Z</updated>

    <summary type="html">Over on his blog, Matt Johansen announces the startup of IsleSec. Rather than paraphrasing, here is his post verbatim: "For those of you who are familiar with CitySec meetups, I've been pondering starting up IsleSec here on Long Island. I...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Events" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="islesec" label="islesec" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="liinfosec" label="li-infosec" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Over on &lt;a href="http://www.mattjaysecurity.com/"&gt;his blog&lt;/a&gt;, Matt Johansen &lt;a href="http://www.mattjaysecurity.com/2009/10/introducting-islesec/"&gt;announces&lt;/a&gt; the startup of IsleSec. Rather than paraphrasing, here is his post verbatim:&lt;/p&gt;

&lt;p&gt;"For those of you who are familiar with CitySec meetups, I've been pondering starting up IsleSec here on Long Island. I know there is NYSec in the city but it is a hike for us islanders.&lt;/p&gt;

&lt;p&gt;For those of you unfamiliar with CitySec meetups, they are informal meetups of local security professionals at whatever bar will tolerate us. It is a great way to meet others in the community and grow your professional network. To quote Chris Hoff while talking about BeanSec up in Boston: "Unlike other meetings, you will not be expected to pay dues, "join up", present a zero-day exploit, or defend your dissertation to attend." Show up, get some wings, drink some beer and add to your business card collection.&lt;/p&gt;

&lt;p&gt;I wanted to write a quick post to see if there is any interest around to meet up to make sure I'm not sitting at a bar drinking alone. Feel free to post comments here or hop on the Google Group to express interest.&lt;/p&gt;

&lt;p&gt;Judging by people's location who are interested we can adjust the bar location as necessary. I vote we start at Croxley's Ale House in Farmingdale. Following the model of other CitySec meetings we will start by meeting the third Wednesday of every month which works out perfectly because Croxley's has a 10 cent wing special on Wednesdays.&lt;/p&gt;

&lt;p&gt;So what this all comes down to is that the first IsleSec meetup will be at 6:00 PM on November 18th at Croxley's Ale House 190 Main St Farmingdale, NY 11735 (516) 293-7700. (Get Directions).&lt;/p&gt;

&lt;p&gt;If you plan on coming please leave a comment or send out a message in the Google Group so that I know I should show up. (I'll probably show up anyway just in case but it would be nice to know ahead of time.)"&lt;/p&gt;&lt;p&gt;&lt;br /&gt;If you are a Long Island information security professional, please consider &lt;a href="http://groups.google.com/group/li-infosec/subscribe?note=1"&gt;joining&lt;/a&gt; the &lt;a href="http://groups.google.com/group/li-infosec"&gt;li-infosec &lt;/a&gt;mailing list.&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/10/starting-islesec.html</feedburner:origLink></entry>

<entry>
    <title>Ed Skoudis's COINS event in NYC: The Bad Guys are Winning: So Now What?</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/g77jUxic020/ed-skoudiss-coins-event-in-nyc.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.649</id>

    <published>2009-10-24T23:55:49Z</published>
    <updated>2009-10-25T00:22:23Z</updated>

    <summary type="html">The Learning Tree generously hosted a SANS COINS event in New York City last week. The COINS program (community of interest in network security) allows organizations to invite a SANS instructor to deliver a presentation or teach a class on...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Events" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="sans" label="sans" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p style="margin-bottom: 0in;"&gt;&lt;a href="http://www.learningtree.com/"&gt;The Learning Tree&lt;/a&gt; generously hosted a
&lt;a href="http://www.sans.org/"&gt;SANS&lt;/a&gt; &lt;a href="http://www.sans.org/coins"&gt;COINS&lt;/a&gt; event in New York City last week. The COINS program
(community of interest in network security) allows organizations to
invite a SANS instructor to deliver a presentation or teach a class
on a specific topic. The COINS events typically bring together
individuals with a passion for the security field.&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;Of all the professional events that I
attended, this one had by far the most fantastic view of the Statue
of Liberty with the Verrazzano bridge in the background and the New
Jersey coastline. The 30&lt;sup&gt;th&lt;/sup&gt; floor of One New York Plaza,
New York, NY might just do that :)&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;The event itself was attended by about
twenty participants, which gave it a nice level of direct
interaction. Ed Skoudis, SANS Faculty and one of the founders of
&lt;a href="http://www.inguardians.com/"&gt;InGuardians&lt;/a&gt;, presented a thought-provoking talk titled &lt;em&gt;The Bad Guys are Winning: So Now What?&lt;/em&gt; about the changing
information security landscape. 
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;Many organizations expect security
professionals to be generalists who are able to perform internal
pentests, audit systems, ensure compliance, perform incident response
and forensics, develop security policy and awareness programs and
much more. 
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;One of the key points that Skoudis drove
home is that not all information security practitioners have
to be generalists. For the sake of the presentation, Ed distinguished
three main groups: Penetration Testers, Enterprise Security
Professionals and Military. Each of these three groups should have
different focal areas. For example, a pentester needs to have
detailed knowledge and skills of how to identify and exploit
vulnerabilities and of how to assess (and communicate) the business
risk of those vulnerabilities. An enterprise security specialist must
also know about exploiting vulnerabilities, but does not need to
possess the same in-depth exploitation skills that pentesters have.
Instead, they must be much more familiar with preventing and
identifying attacks and responding to them.&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;In addition to the generalist vs.
specialist discussion, Skoudis covered some more topics. 
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;For me, it was interesting to finally
meet the primary author of the material that I teach as a SANS
mentor. 
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;"&gt;Ed Skoudis will be &lt;a href="http://www.sans.org/newyork09_cs2/description.php?tid=243"&gt;back in New York
City&lt;/a&gt; from November 2 - November 7, when he will be teaching his
course &lt;a href="http://www.sans.org/security-training/description.php?tid=243"&gt;Hacker Techniques, Exploits and Incident Handling&lt;/a&gt; bootcamp
style.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/10/ed-skoudiss-coins-event-in-nyc.html</feedburner:origLink></entry>

<entry>
    <title>SOURCE Boston CFP</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/jUhyFFhP57U/source-boston-cfp.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.648</id>

    <published>2009-10-19T13:04:11Z</published>
    <updated>2009-10-19T14:46:57Z</updated>

    <summary type="html">The SOURCE Boston CFP is now open. As you may know, SOURCE Boston is one of the premier information security conferences in existence today. The small scale of the conference, combined with the high-quality talks, make it an event that...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Events" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="sourceboston" label="source boston" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;The SOURCE Boston CFP is now &lt;a href="http://www.sourceconference.com/index.php/boston2010/call-for-papers"&gt;open&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;As you may know, &lt;a href="http://www.sourceconference.com/index.php/boston2010/"&gt;SOURCE Boston&lt;/a&gt; is one of the premier information security conferences in existence today. The small scale of the conference, combined with the high-quality talks, make it an event that allows participants to meet many highly regarded professionals and attend great talks.&lt;/p&gt;
&lt;p&gt;I was fortunate enough to attend last year's event, when&amp;nbsp;a proposal of Adam Dodge and myself to do a &lt;a href="http://sourceboston2009.blip.tv/file/2341536/"&gt;talk&lt;/a&gt; titled &lt;em&gt;Information Security in Higher Education, Baby Steps&lt;/em&gt; was accepted.&lt;/p&gt;
&lt;p&gt;This year, I would like to go again and I am planning to submit another talk. I haven't made up my mind yet, but I'd love some suggestions. Is there something that is on your mind and of which you would like to hear more? I'm open for a presentation, a panel, or something else!&lt;/p&gt;


    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/10/source-boston-cfp.html</feedburner:origLink></entry>

<entry>
    <title>Incident Response and the Incident Command System</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/tFWkUJLT_HA/incident-response-and-the-inci.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.647</id>

    <published>2009-09-29T16:54:48Z</published>
    <updated>2009-09-29T17:20:20Z</updated>

    <summary type="html">Like many other professions that have a security dimension, information security professionals are (or at least, should be) trained to deal with crises. Excellent training is available from many sources, one of which is the SANS Institute's Security 504: Hacker...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Business Continuity" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        Like many other professions that have a security dimension, information security professionals are (or at least, should be) trained to deal with crises. Excellent training is available from many sources, one of which is the SANS Institute's &lt;a href="http://www.sans.org/security-training/hacker-techniques-exploits-and-incident-handling-243-tid"&gt;Security 504&lt;/a&gt;: Hacker Techniques, Exploits and Incident Handling. Since I am a &lt;a href="http://www.leune.com/pages/sans-mentoring.html"&gt;mentor&lt;/a&gt; for 504, I feel that I am fairly comfortable with the material. One of the topics that I have found lacking in most training of which I am aware is that, while several (very useful) approaches to incident handling are discussed, not all that much attention is paid to how to actually organize an incident response structure.&lt;br /&gt;&lt;br /&gt;In order to provide some more guidance to my students, I have done some research and I ended up on the FEMA site. While the Federal Emergency Management Agency is often scorned or ridiculed, they do have some interesting materials available for free. &lt;br /&gt;&lt;br /&gt;Some background information first. FEMA's mission is to support citizens and first responders to ensure that we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. This definition has "government" written all over it, but there are some useful components for my purposes. &lt;br /&gt;&lt;br /&gt;Specifically, the part where they mention "prepare for and respond to" (incidents) has relevance.&lt;br /&gt;&lt;br /&gt;FEMA's &lt;a href="http://training.fema.gov/"&gt;Emergency Management Institute&lt;/a&gt; provides many types of study in the field of emergency management, but the one that I am most interested in is the independent self-study option. 
Under the &lt;a href="http://training.fema.gov/IS/"&gt;Independent Study Program&lt;/a&gt;, some very interesting resources are made available for free; more specifically, some modules are offered that address the Incident Command System (ICS).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://training.fema.gov/EMIWeb/IS/IS100A.asp"&gt;IS-100.a&lt;/a&gt; &lt;i&gt;Introduction to Incident Command System&lt;/i&gt; is a module that introduces the concept of an incident command system. "The Incident Command System, or ICS, is a standardized, on-scene,
all-hazard incident management concept. ICS allows its users to adopt
an integrated organizational structure to match the complexities and
demands of single or multiple incidents without being hindered by
jurisdictional boundaries." It does not take much imagination to see how this concept can be applied to information security incidents, or to wider incidents that include information security aspects.&lt;br /&gt;&lt;br /&gt;The ICS approach is based on a few common concepts. The ones that are most relevant to us are the use of common terminology and clear text, adoption of a modular organization, management by objective, reliance on an incident action plan, and maintaining a manageable span of control.&lt;br /&gt;&lt;br /&gt;The training material discusses roles and responsibilities of the incident commander, delegation of authority, unified command, command staff, general staff, and much more. These are all concepts that are very useful when dealing with security incidents or business continuity events.&lt;br /&gt;&lt;br /&gt;I highly recommend taking a look at the online FEMA training offerings. They are free, include a self-assessment and if you pass the online exam, they will even give you a pretty certificate in a PDF file. No pretty letters after your name though.&lt;br /&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/incident-response-and-the-inci.html</feedburner:origLink></entry>

<entry>
    <title>The Unspoken Truth About Managing Geeks</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/0ClG0RvTcZQ/the-unspoken-truth-about-manag.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.646</id>

    <published>2009-09-18T17:49:49Z</published>
    <updated>2009-09-18T18:11:37Z</updated>

    <summary type="html">My boss pointed me at an article in CIO magazine today. The article's title, The Unspoken Truth About Managing Geeks, was interesting enough&amp;nbsp;to catch my attention. After reading it, I decided to put a reference up here in the hope...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Strategy" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;My boss pointed me at an article in &lt;a href="http://www.cio.com/"&gt;CIO magazine&lt;/a&gt; today. The article's title, &lt;a href="http://www.cio.com/article/print/501697"&gt;The Unspoken Truth About Managing Geeks&lt;/a&gt;, was interesting enough to catch my attention. After reading it, I decided to put a reference up here in the hope that, even if it just came to one person's attention, the message conveyed in this work would spread wider.&lt;/p&gt;&lt;p&gt;See, for those of us who work in IT, there is nothing more frustrating than things (that we feel are important) not getting done at all, or getting done in a backwards way. Much has been written about that already, and I am sure that everyone has their own war stories. The article's author, Jeff Ello, added another dimension to this.&lt;/p&gt;&lt;p&gt;&lt;i&gt;"While everyone would like to work for a nice person who is always right, IT pros will prefer a jerk who is always right over a nice person who is always wrong. Wrong creates unnecessary work, impossible situations and major failures. Wrong is evil, and it must be defeated. Capacity for technical reasoning trumps all other professional factors, period"&lt;/i&gt;&lt;/p&gt;&lt;p&gt;The article introduces a few stereotypes that can be useful for IT managers: ego, victim mentality, insubordination, credit whoring, and antisocial behavior.&lt;/p&gt;&lt;p&gt;Another quote:&lt;/p&gt;&lt;p&gt;"&lt;i&gt;What executives often fail to recognize is that every decision made that impacts IT is a technical decision. 
Not just some of the decisions, and not just the details of the decision, but every decision, bar none.&lt;/i&gt;"&lt;/p&gt;&lt;p&gt;As a result of this observation, IT people spend a lot of time, money, and resources to fix problems that should have been done right the first time, but occurred because IT was not sufficiently involved in the decision making process.&lt;/p&gt;&lt;p&gt;The article hit home on many different points. Go forth and read it!&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/the-unspoken-truth-about-manag.html</feedburner:origLink></entry>

<entry>
    <title>Backups for home users or small businesses</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/y-N-yeWhv5U/backups-for-home-users.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.645</id>

    <published>2009-09-17T13:00:00Z</published>
    <updated>2009-09-17T13:19:28Z</updated>

    <summary type="html">I have always been slightly paranoid about making backups of my home systems. While I use a network-based service for off-site backups, running a backup (and restoring one) is constrained by the amount of network bandwidth that you have available...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Business Continuity" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;I have always been slightly paranoid about making backups of my home systems. While I use a network-based service for off-site backups, running a backup (and restoring one) is constrained by the amount of network bandwidth that you have available and might take a considerable amount of time to complete successfully.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;After I ran out of local disk storage on my regular Linux PC (which had two disks in RAID-1 configuration), I started shopping around for a small network attached storage solution that would be able to scale with my needs. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;I really only had a few requirements:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Must support disks in RAID-1 configuration&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Must be able to provide a CIFS volume&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Must be able to support multiple users with their own privileges&lt;/li&gt;&lt;li&gt;Must get good reviews on places like cnet, amazon, etc.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Must have a relatively small footprint (I do not like clutter in my work areas)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Must have low heat production and a low noise level&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Should be able to support rsync&lt;/li&gt;&lt;li&gt;Could be nice to have ssh shell access&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Could be nice to have ftp support&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;After doing some research, I decided to purchase a &lt;a href="http://www.amazon.com/gp/product/B00275G0LO?ie=UTF8&amp;amp;tag=leuneorg-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B00275G0LO"&gt;Synology NAS Disk Station&lt;/a&gt;
 which I loaded with two &lt;a href="http://www.amazon.com/gp/product/B001IEZX3G?ie=UTF8&amp;amp;tag=leuneorg-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B001IEZX3G"&gt;Western Digital 1 TB Caviar Green Hard Drives&lt;/a&gt;. I opted for the "green" drives because they only run at 5400 rpm, which makes them a little slower (not a problem for me), but they produce less heat and are less noisy. The solution is not the cheapest one out there, but I liked what I saw when I read the reviews and for backup solutions you usually get what you pay for. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;When the shipment came in (well ahead of time; thanks Amazon!), I installed the two drives into the NAS without trouble. Once the device was hooked up to mains power and my network switch, I was set to go. On pressing the power button, the device came to life and started its boot sequence. Booting isn't all that fast, but that is not something that bothers me. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Installation using the provided disk was straightforward, and it became clear that this little powerhouse has Linux under the hood. Note that as far as I can tell, installation using the provided CD-ROM is necessary; part of the initial install seems to be flashing new firmware onto the device. Since several devices will connect to the NAS, I configured the device with a static IP address, but it also supports DHCP.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Anyone who is familiar with Linux logical volume management and software RAID will be immediately at home. 
The machine is very feature rich, but comes out of the box with just about all network services turned off: the way it should be.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The footprint on the network is nice: no unnecessary services are running, just what you would hope for. The device offers a wide range of connectivity options: rsync, ssh, smb, ftp, telnet, etc. It can function as a BitTorrent client, a web server, a MySQL server, and it even has some basic blog authoring support. I don't need most of these things, but my inner geek cannot help but grin and utter several "cool!"s. I haven't seen an option yet to have it send syslog data to another device.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The web-based GUI is nicely finished, but may be a little confusing for people without a strong background in managing a Linux-based storage device. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;While the disks were initializing in RAID-1 (which takes a while for 1TB drives), activating the rsync server and the SMB share was as easy as checking two boxes, creating a user and assigning the appropriate privileges.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Other features include NTP, setting "power on" and "power off" times, integration with a UPS if you have one (mine is coming; our power grid is notoriously noisy and fairly unreliable), S.M.A.R.T. reporting, email notifications with a configurable SMTP server (including SSL and authentication support) and much more.&lt;/p&gt;&lt;p&gt;All in all, the device seems very nice for the price and it is worth taking a look at!&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/backups-for-home-users.html</feedburner:origLink></entry>

<entry>
    <title>Two more excellent GIAC Gold Papers</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/I8uN92LsfOI/two-more-excellent-giac-gold-p.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.644</id>

    <published>2009-09-15T15:27:00Z</published>
    <updated>2009-09-15T15:27:29Z</updated>

    <summary type="html">Since I have taken the role of a GIAC Gold adviser, I have seen many good papers pass by. Every now and then, some jump out as being clearly above average. This week has been a particularly good week and...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Business Continuity" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Since I have taken the role of a GIAC Gold adviser, I have seen many good papers pass by. Every now and then, some jump out as being clearly above average. This week has been a particularly good week and two new additions have joined the reading room.&lt;/p&gt;&lt;p&gt;&lt;i&gt;Security Incident Handling in High Availability Environments&lt;/i&gt; by &lt;i&gt;Algis Kibirkstis&lt;/i&gt; adopts the point of view of a telecommunications provider. Having done some data modeling work in large telephone exchanges myself, I have always been intrigued by the high level of requirements that this industry puts on itself. Kibirkstis provides an excellent overview of the concept of High Availability (carrier-grade reliability) and goes on to describe how the incident handling process takes place in these environments. The paper ends with a set of 8 concrete recommendations. The paper is available &lt;a href="http://www.sans.org/reading_room/whitepapers/incident/rss/security_incident_handling_in_high_availability_environments_33188"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;i&gt;Investigative Tree Models&lt;/i&gt; by &lt;i&gt;Rodney Caudle&lt;/i&gt; ties in to my other fascination: how to use symbolic models to improve real-world situations. No, I am not talking about glossy fashion magazine models, but things like decision trees, graphs, etc. Caudle describes how to use attack trees to aid incident investigations. He takes the reader through the formal definitions of these models and clearly explains them by providing well-documented examples. The second part of the paper describes a full case study on how to use a tree model to obtain proof in an investigation into email abuse. The paper wraps up with a brief conclusion and a look forward at some possible future trends. 
The paper is available &lt;a href="http://www.sans.org/reading_room/whitepapers/incident/rss/investigative_tree_models_33183"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;More information about GIAC Gold certification can be found on the &lt;a href="http://www.giac.org/gold"&gt;GIAC website&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/two-more-excellent-giac-gold-p.html</feedburner:origLink></entry>

<entry>
    <title>Apache foundation publishes post-incident report</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/QzLROEc8JMk/apache-foundation-publishes-po.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.643</id>

    <published>2009-09-04T14:32:53Z</published>
    <updated>2009-09-04T14:41:40Z</updated>

    <summary type="html">The Apache foundation experienced some downtime on August 28 when unauthorized access to their servers was detected. A few days ago, the Apache infrastructure team posted a very well-written post-incident report in which more details with respect to the attack...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;The Apache foundation experienced some &lt;a href="https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report"&gt;downtime&lt;/a&gt; on August 28 when unauthorized access to their servers was detected. A few days ago, the Apache infrastructure team posted a very well-written &lt;a href="https://blogs.apache.org/infra/entry/apache_org_downtime_report"&gt;post-incident report&lt;/a&gt; in which more details with respect to the attack are published, and an overview of the lessons that were learned from it is shared.&lt;/p&gt;&lt;p&gt;The report is very well written and worth reading. Some key findings:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;"&lt;i&gt;The
use of SSH keys facilitated this attack.&lt;/i&gt;" Yes, SSH is more secure than telnet (or rlogin), but it must still be hardened.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;i&gt;The ability to run CGI scripts in any virtual host, when most of our
websites do not need this functionality, made us unnecessarily
vulnerable to an attack of this nature.&lt;/i&gt;" Very few people are not also guilty of this one. Trim down a system's configuration to provide only the minimal amount of functionality it needs to do the job.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;i&gt;We will re-implement measures such as IP banning after several failed logins, on all machines.&lt;/i&gt;" Brute force attacks are still one of the most successful attack vectors. Automatic account lockout and restricting the network space from which incoming connections are allowed in the first place seriously reduce the attack surface.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;i&gt;Because they obtained root on the CentOS machine, we are not entirely
sure, almost all logs on the machine were destroyed. The machine ran
many stock web applications and may of had less than secure password
practices -- but once they got root whatever evidence of the initial
hack was destroyed.&lt;/i&gt;" Keep critical logs on a dedicated, hardened server to facilitate post-incident analysis.&lt;/li&gt;&lt;/ul&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/apache-foundation-publishes-po.html</feedburner:origLink></entry>

<entry>
    <title>Dutch Forensics Institute opens encrypted vault of imagery</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/voKzLVTAND0/dutch-forensics-institute-open.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.642</id>

    <published>2009-09-03T12:50:12Z</published>
    <updated>2009-09-03T13:00:06Z</updated>

    <summary type="html">The Netherlands Forensics Institute (NFI) was able to "crack the encryption" of an extremely large collection of child pornography, which provided additional evidence against a suspect. While the fact that another step towards the protection of young children has been...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Crypto" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Law Enforcement" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;The Netherlands Forensics Institute (&lt;a href="http://english.forensischinstituut.nl/"&gt;NFI&lt;/a&gt;) was able to "crack the encryption" of an extremely large collection of child pornography, which provided additional evidence against a suspect. While the fact that another step towards the protection of young children has been taken is good news, it is also interesting to see that law enforcement was able to somehow break the encryption of this massive collection of data (an estimated 7.5 million images/movies). &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The mainstream press releases do not disclose many details on the crack, as is common with cases that have not yet been brought before a judge. No details are available about the encryption algorithm used, or the key (or keys) used to protect the information. At this time, we do not know if the encryption was broken through cryptanalysis, or by brute-forcing the key. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The news is still fairly remarkable, since initial estimates by the NFI were that it would take at least multiple years to get this far. Of course, if the key was brute-forced, the matter of statistics still exists. Sometimes you just get lucky and "guess" the key early on.&lt;/p&gt;&lt;p&gt;Either way, I'm interested in learning more about this case, and finding out how the encryption was broken.&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/09/dutch-forensics-institute-open.html</feedburner:origLink></entry>

<entry>
    <title>Long Island Information Security</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/eD-xILrkXIU/long-island-information-securi-1.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.641</id>

    <published>2009-08-28T18:56:21Z</published>
    <updated>2009-08-28T19:16:33Z</updated>

    <summary type="html">Long Island is the largest island in the contiguous United States with an estimated population of around 8 million people and a GDP of $115 billion (2007). For what it is worth, Wikipedia mentions that, if it would be a...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Long Island is the largest island in the contiguous United States with an estimated population of around 8 million people and a GDP of $115 billion (2007). For what it is worth, Wikipedia mentions that, if it were a state, Long Island would be the 12th largest state in the USA. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Government (local, state, and federal), finance, health care, and education are all major industries in the region. Traditionally, these industries are well represented in the infosec world. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;With numbers like that, it would be reasonable to expect a thriving information security community on Long Island. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Unfortunately, I have not been able to find one.&lt;/p&gt;&lt;p&gt;This can partially be explained by the close proximity of New York City, but even there I am fairly disappointed. It is hard to believe that we do not have well-established active chapters of organizations such as NAISG, ISACA, ISSA, OWASP (although one was recently founded) out here on the island.&lt;/p&gt;&lt;p&gt;To fill that gap, I tried to start a group myself a while ago. Unfortunately, I have not received much response to that. I hope to revive that effort once more, and I have established the &lt;a href="http://groups.google.com/group/li-infosec/about"&gt;Long Island Information Security Group&lt;/a&gt;. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;If you are on (or near) Long Island and if you are interested in information security, computer security or network security, please &lt;a href="http://groups.google.com/group/li-infosec/subscribe"&gt;join&lt;/a&gt; this mailing list. &lt;br /&gt;&lt;br /&gt;By doing so, I am hopeful that we can create a vibrant local community.&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/long-island-information-securi-1.html</feedburner:origLink></entry>

<entry>
    <title>Security Information Event Monitoring</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/ASCT7tM2YU4/security-information-event-mon.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.640</id>

    <published>2009-08-24T12:42:21Z</published>
    <updated>2009-08-24T12:59:01Z</updated>

    <summary type="html">Rocky over at Decurity blog has done a good writeup titled 'Back to School - SIEM 101'. SIEM (security information event monitoring) is often heralded as an essential network monitoring technology, and from a conceptual point of view it is...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Monitoring" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="siem" label="siem" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;&lt;a href="http://twitter.com/rockyd"&gt;Rocky&lt;/a&gt; over at &lt;a href="http://blog.decurity.com/"&gt;Decurity blog&lt;/a&gt; has done a good writeup titled &lt;a href="http://blog.decurity.com/index.php/site/BacktoSchool_SIEM_101/"&gt;'Back to School - SIEM 101'&lt;/a&gt;. SIEM (security information event monitoring) is often heralded as an essential network monitoring technology, and from a conceptual point of view it is almost impossible to argue with that position. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The basic function of a SIEM is to collect logs from as many endpoints as possible, analyze them and alert an operator of suspicious activity. The analysis can take on many different forms, but usually boils down to a form of normalization and allows for event correlation. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;In my perfect world, event normalization would eliminate most of the syntactic differences between different applications and operating systems.&lt;/p&gt;&lt;p&gt;&lt;tt&gt;Aug 24 08:45:57 hostname sshd[29358]: Failed password for user from 127.0.0.1 port 13273 ssh2&lt;br /&gt;&lt;/tt&gt;&lt;/p&gt;&lt;p&gt;and Windows event 529 (Logon Failure - Unknown user name or bad password) are pretty much the same. Sure, they can be parameterized differently, but if I see repeated bad logon attempts for the same user across platforms, I would like to know about it. The normalization process should take care of this.&lt;/p&gt;&lt;p&gt;With event correlation, the SIEM is transformed from a collector/normalizer into an expert system, which allows detailed specification of rules like: if I see 3 or more failed logon attempts for the same user within 10 minutes, followed by a successful logon, I need to be notified. 
&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Again, from a fairly conceptual level, SIEMs are much like a hybrid network-based IDS/host-based IDS, but with added functionality.&amp;nbsp;&lt;/p&gt;&lt;p&gt;To learn more about basic SIEM technology, go check out Rocky's &lt;a href="http://blog.decurity.com/index.php/site/BacktoSchool_SIEM_101/"&gt;post&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;
        
    
    </content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/security-information-event-mon.html</feedburner:origLink></entry>

<entry>
    <title>Planning for a new wave of H1N1</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/tU0be1mY6LI/planning-for-a-new-wave-of-h1n.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.638</id>

    <published>2009-08-20T11:30:00Z</published>
    <updated>2009-08-19T13:48:17Z</updated>

    <summary type="html">I do not watch much TV, but as far as I can tell, the media have been relatively quiet about the Swine Flu recently. Many experts agree that there is a good chance that we will see a second wave...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Business Continuity" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="h1n1" label="h1n1" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="swineflu" label="swine flu" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;I do not watch much TV, but as far as I can tell, the media have been relatively quiet about the Swine Flu recently. Many experts agree that there is a good chance that we will see a second wave of infections, which might be larger than the previous one. Especially for businesses that are facing rough times and that are already running on a skeleton crew, business continuity can be seriously jeopardized if a significant number of employees is going to be out sick for an extended period of time. &lt;/p&gt;

&lt;p&gt;Organizations can do a few things to reduce the chance that they are confronted with significant employee absence. The Centers for Disease Control (&lt;a href="http://www.cdc.gov/"&gt;CDC&lt;/a&gt;) recommend the &lt;a href="http://www.cdc.gov/H1N1flu/qa.htm#d"&gt;following&lt;/a&gt;:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Wash your hands often and thoroughly.&lt;/li&gt;&lt;li&gt;Cover your nose and mouth with a tissue when you cough or sneeze. Throw the tissue in the trash after you use it.&lt;/li&gt;&lt;li&gt;Avoid touching your eyes, nose or mouth. Germs spread this way.&lt;/li&gt;&lt;li&gt;Try to avoid close contact with sick people.&lt;/li&gt;&lt;li&gt;If you are sick with flu-like illness, stay home for at least 24 hours after your fever is gone
except to get medical care or for other necessities. Keep away from
others as much as possible to keep from making others sick.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Talk to your employer to see if she or he is willing to put up alcohol-based soap dispensers by the entrances to your work area, and use them every time you enter your workplace. If they do, make sure they are refilled when empty and fixed if they are broken.&lt;/p&gt;&lt;p&gt;Alternatively, obtain a bottle of alcohol-based hand sanitizer and wash your hands every time you return to your desk. This is a very low-cost solution, but one that is extremely effective. These measures will not provide 100% protection, but they will reduce your chance of getting sick.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Businesses should start to verify that employees who are able to work from home have the ability to do so. Verify that everyone has their authentication credentials lined up, and if you use a secondary form of authentication, double check that your licenses are sufficient and not about to expire. Remind employees of the organization's policy for telecommuting and have workers test their remote access. If revenue streams allow, a great way to test this is by granting employees a 'telecommute day'. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;While a lot of these precautions might turn out to be unnecessary, when it comes to human safety, it is better to be over-prepared.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/Zbnn49TCEO46EcsHk-zVYNONgSM/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Zbnn49TCEO46EcsHk-zVYNONgSM/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/Zbnn49TCEO46EcsHk-zVYNONgSM/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/Zbnn49TCEO46EcsHk-zVYNONgSM/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=tU0be1mY6LI:84a9IysXcOw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=tU0be1mY6LI:84a9IysXcOw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=tU0be1mY6LI:84a9IysXcOw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=tU0be1mY6LI:84a9IysXcOw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/tU0be1mY6LI" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/planning-for-a-new-wave-of-h1n.html</feedburner:origLink></entry>

<entry>
    <title>MS09-039 actively exploited in Higher Education</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/RlbeliimfHY/ms09-039-actively-exploited-in.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.639</id>

    <published>2009-08-19T13:41:34Z</published>
    <updated>2009-08-19T13:47:44Z</updated>

    <summary type="html">Doug Pearson of REN-ISAC just sent an announcement to the public EDUCAUSE security listserv that MS09-039 is actively being exploited in the higher education arena. The message confirms earlier speculation by the Internet Storm Center that exploits for the WINS...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Academia" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerabilities" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ms09039" label="ms09-039" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="renisac" label="ren-isac" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Doug Pearson of &lt;a href="http://www.ren-isac.net/"&gt;REN-ISAC&lt;/a&gt; just sent an &lt;a href="http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0908&amp;amp;L=SECURITY&amp;amp;T=0&amp;amp;F=&amp;amp;S=&amp;amp;P=49325"&gt;announcement&lt;/a&gt; to the public &lt;a href="http://www.educause.edu/"&gt;EDUCAUSE&lt;/a&gt; security &lt;a href="http://listserv.educause.edu/cgi-bin/wa.exe?A0=SECURITY&amp;amp;T=0"&gt;listserv&lt;/a&gt; that &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx"&gt;MS09-039&lt;/a&gt; is actively being exploited in the higher education arena. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The message confirms earlier &lt;a href="http://isc.sans.org/diary.html?storyid=6976"&gt;speculation&lt;/a&gt; by the &lt;a href="http://isc.sans.org/"&gt;Internet Storm Center&lt;/a&gt; that exploits for the &lt;a href="http://technet.microsoft.com/en-us/library/cc784180%28WS.10%29.aspx"&gt;WINS&lt;/a&gt; vulnerability are live on the Internet and spreading.&lt;/p&gt;&lt;p&gt;One interesting item in the REN-ISAC bulletin is the explicit warning not to rely on perimeter firewalls alone for protection, as successful WINS server compromises have been seen originating from inside the organization.&lt;/p&gt;&lt;p&gt;Once again: it is time to patch, block, or disable unused services.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/muaM57KEKkfUFXBYDup8yiisq10/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/muaM57KEKkfUFXBYDup8yiisq10/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/muaM57KEKkfUFXBYDup8yiisq10/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/muaM57KEKkfUFXBYDup8yiisq10/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=RlbeliimfHY:UW37oa-mWg0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=RlbeliimfHY:UW37oa-mWg0:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=RlbeliimfHY:UW37oa-mWg0:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=RlbeliimfHY:UW37oa-mWg0:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/RlbeliimfHY" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/ms09-039-actively-exploited-in.html</feedburner:origLink></entry>

<entry>
    <title>Modems</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/CcgG-TAGYt0/modems.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.637</id>

    <published>2009-08-18T18:40:23Z</published>
    <updated>2009-08-18T19:07:09Z</updated>

    <summary type="html">It had been in the back of my mind for a long time to war-dial my own organization, just to see if there are any unauthorized modems attached to computers on our network. The modem attack vector has been long...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Attacks and Exploits" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Pentesting" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;It had been in the back of my mind for a long time to war-dial my own organization, just to see if there are any unauthorized modems attached to computers on our network. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The modem attack vector has been long ignored, but if present, it offers a great vector into a network. More commonly than not, locally attached modems are not subject to firewalls, intrusion detection systems, or any other security controls. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Since I only looked at phone numbers to which we knew a modem was attached, my little exercise was not a true wardialing effort, nor did it provide full coverage. Yet, it yielded pretty useful results. I had (note: past tense!) just over 20 telephone DIDs that were marked as modem lines. When dialed, not one of those lines actually picked up (yay!). Most lines either went to voicemail (shouldn't happen on a modem line), were off the hook, or were disconnected altogether.&lt;/p&gt;&lt;p&gt;All in all, this effort allowed us to reclaim a bunch of unused DIDs, and it confirmed that on our registered modem lines nobody had configured their modem to auto-answer. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The next step will be to identify rogue modem lines. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Fortunately, I do not expect to find that many (if any at all). Our field support technicians have been looking out for the presence of modems for a year or two now, and as machines are swapped out on their regular schedule, legacy modems are removed. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Let's see what we come up with in the next few months, but this is one attack vector that should be mostly closed.&lt;br /&gt; &lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/CQB0vmyRf5oWrg9d7FaRNjnHpR4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/CQB0vmyRf5oWrg9d7FaRNjnHpR4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/CQB0vmyRf5oWrg9d7FaRNjnHpR4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/CQB0vmyRf5oWrg9d7FaRNjnHpR4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=CcgG-TAGYt0:VRsfKgh8Vto:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=CcgG-TAGYt0:VRsfKgh8Vto:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=CcgG-TAGYt0:VRsfKgh8Vto:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=CcgG-TAGYt0:VRsfKgh8Vto:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/CcgG-TAGYt0" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/modems.html</feedburner:origLink></entry>

<entry>
    <title>Defcon 17 takes over the Riviera</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/z1LM4CcezJ0/defcon-17-takes-over-the-rivie.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.636</id>

    <published>2009-08-01T19:21:47Z</published>
    <updated>2009-08-01T19:30:03Z</updated>

    <summary type="html">DefCon 17 has been off to a good start. The organization's expectation of an attendance around 6,000 people (2,000 less than last year) was torpedoed when an estimated 10,000 people showed up. DefCon does not pre-register, which makes estimating such...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Events" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="blackhat" label="BlackHat" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="blackhat2009" label="BlackHat2009" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        DefCon 17 has been off to a good start. The organization's expectation of an attendance around 6,000 people (2,000 fewer than last year) was torpedoed when an estimated 10,000 people showed up. DefCon does not pre-register, which makes estimating such numbers extremely hard.&lt;br /&gt;&lt;br /&gt;For those who have never been to a DefCon before, the experience is daunting. Despite good efforts of the organizers to get them delivered to Las Vegas well in time, many of the badges arrived late again. The consequence was that many attendees had to line up twice: once to register and once to swap out the temporary badge for a permanent one. Even at that, the attendance is so much larger that many people have been unable to obtain an electronic badge. The DefCon security Goons do an excellent job at herding the lines through the Riviera's conference center, allowing the masses to flow as much as possible.&lt;br /&gt;&lt;br /&gt;The talks at DefCon are interesting, although not nearly as interesting as the people whom you are able to meet. Just about anyone who matters makes an appearance at DefCon and BlackHat. &lt;br /&gt;&lt;br /&gt;Presentation topics range from highly technical talks to ones in which the presenter speculates on how to perform a denial-of-service attack on an air traffic control tower. &lt;br /&gt;&lt;br /&gt;Like BlackHat, DefCon is a very interesting event and well worth the trip out here.&lt;br /&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/TSLtsjyAs6Bsg7sF5kaGnSAiRgQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/TSLtsjyAs6Bsg7sF5kaGnSAiRgQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/TSLtsjyAs6Bsg7sF5kaGnSAiRgQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/TSLtsjyAs6Bsg7sF5kaGnSAiRgQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=z1LM4CcezJ0:UGtXIqKTe2s:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=z1LM4CcezJ0:UGtXIqKTe2s:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=z1LM4CcezJ0:UGtXIqKTe2s:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=z1LM4CcezJ0:UGtXIqKTe2s:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/z1LM4CcezJ0" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/08/defcon-17-takes-over-the-rivie.html</feedburner:origLink></entry>

</feed>
