IT Security and other matters


Update - Posted at 9:48 AM on 3/10/2008 by GenesysWave
I am going to be moving the blog over to http://genesyswave.blogspot.com over the next couple of months.
I will continue to post notifications here when I update the other site.
The new RSS feed will be http://genesyswave.blogspot.com/feeds/posts/default

I have recently added entries for Club Penguin, a strange DNS issue and my status as an RSA Peer2Peer facilitator.

Access Control follow up - Posted at 2:49 PM on 1/25/2008 by GenesysWave
This story seems to be everywhere now, including some video on CNN - http://www.cnn.com/video/#/video/crime/2008/01/24/pkg.disgruntled.employee.wtlv

It does appear that the accused used her own account to access and delete the files.  I suspect that there will be some serious consideration of separation of duties and access at that office over the next few days.  Take that to heart, learn the lesson and review your own networks (if you are the one responsible - if not, ask the person who is responsible for your network security if they are aware of the story).

The spokesperson for the Sheriff's department said it so well: "the lesson to be learned here is that you can't depend on having one set of records or files and having your employees having accessibility to it.  You've got to have some type of backup."

Security is not just about preventing.  Security is also about being able to recover should something bad happen.


Access Control - Posted at 2:14 PM on 1/24/2008 by GenesysWave
I have been reading a lot about access control lately.  I am a firm believer in least access.  Only give access to those people who need it and deny access to everyone else.
This story in the Register is a prime example of someone having more access than they should have...
http://www.theregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/

the gist is this ...
An administrative assistant (AA) who thought she was about to be replaced went to the office between 11 PM and 3 AM Sunday and deleted a large number of files from the architects' office she worked for.  The firm was able to recover the files with the help of an outside company.
The story does not say how the files were deleted or whose account was used.

Assumptions I am making:
The company server was either in a common area (store room) or in a locked area that the AA had access to.
The server was logged in as administrator and not locked.
The AA's user account had access to the files
There were no time restrictions for login to the network.

Suggestions:
Server should be secured in areas that few people have access to.
Do not leave your server logged on and unlocked as an administrator; this is an invitation to having all of your files erased - oh wait.
Why does your AA have access to all of the files?  Limit access to the really important files in your company.  I know it is easier for everyone to have access to everything than to have to figure out who should have access to what, but that also makes it easier for your really important files to disappear.
If your office staff is not on site or not connecting on the weekends, turn off their access.
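The last suggestion is easiest to act on if you can also see when it is being violated. The script below is an added example (not from the original post) that checks logon records against a per-account permitted-hours policy and flags anything outside it, such as a weekend or late-night logon by an office account. The log lines, the "timestamp user host" layout and the policy table are all constructed for the example, not taken from any product.

```python
"""
Flag logons that happen outside an account's permitted hours.

Added illustration, not from the original post. The log lines below are
constructed; the field layout "timestamp user host" is an assumption, not
the format of any particular product.
"""
from datetime import datetime, time

# Policy (constructed): office staff may log on Monday-Friday, 07:00-19:00.
# Accounts not listed in POLICY fall back to DEFAULT_HOURS.
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday=0 .. Friday=4
DEFAULT_HOURS = (WEEKDAYS, time(7, 0), time(19, 0))
POLICY = {
    # A backup service account legitimately runs at night, any day.
    "backup-svc": ({0, 1, 2, 3, 4, 5, 6}, time(0, 0), time(23, 59)),
}

# Constructed sample lines: ISO timestamp, account, host.
# 2008-01-20 was a Sunday; 2008-01-21 a Monday.
SAMPLE_LOG = """\
2008-01-20T09:12:03 aa.smith FILESRV01
2008-01-20T23:07:41 aa.smith FILESRV01
2008-01-21T02:48:19 aa.smith FILESRV01
2008-01-21T01:00:02 backup-svc FILESRV01
2008-01-22T08:30:55 j.doe FILESRV01
"""


def parse_line(line):
    """Split one log line into (datetime, user, host)."""
    stamp, user, host = line.split()
    return datetime.fromisoformat(stamp), user, host


def allowed(user, when):
    """Return True if the logon time is inside the account's permitted window."""
    days, start, end = POLICY.get(user, DEFAULT_HOURS)
    return when.weekday() in days and start <= when.time() <= end


def off_hours_logons(log_text):
    """Return (user, host, timestamp) for every logon outside policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, host = parse_line(line)
        if not allowed(user, when):
            findings.append((user, host, when.isoformat()))
    return findings


if __name__ == "__main__":
    for user, host, stamp in off_hours_logons(SAMPLE_LOG):
        print(f"OFF-HOURS {user}@{host} at {stamp}")
```

Run as written, the three Sunday and early-Monday logons by the office account are reported and the service account's night-time run is not. Detection is the second line of defence; the first is to enforce the window, which on a Windows domain the built-in `net user <account> /times:M-F,07:00-19:00` option does for an individual account.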

I relate this to having a safe in your house with a nice combination lock.  To make best use of it you aren't going to leave the safe sitting out in the middle of your floor with the door sitting wide open.  You also would not give your cleaning company the combination to the safe.

Look around where you are now: what could you do to improve the security of your company or home?

Be safe

James

(additional) a little communication could have avoided all of this - on both sides.
The Register does close the story with "(The AA's) job was never under threat, though it probably is now."

Avoid this at all costs... - Posted at 4:44 PM on 1/15/2008 by GenesysWave
http://kracomp.blogspot.com/


Ok, that's sarcasm.  This is my friend Tim Krabec's blog.

He asked me to ask people not to read it.

So I have.

Avoid it like the plague

Dang sarcasm, keeps popping up.

Tim has worked with small business and home offices for several years and has some great insights.  Check it out.

Be safe
James.

p.s. I am coining the term anti-viral marketing to go along with this, as I am trying to encourage you to go by telling you to stay away
(OT) Does this laptop make ... - Posted at 4:41 PM on 1/15/2008 by GenesysWave
your laptop think its butt is big?

http://www.apple.com/macbookair/

Wow, I have an old Toshiba laptop that I use for writing that is about the same size.

Maybe I need one.


USB Wifi with VMWare and BackTrack - Posted at 12:24 PM on 1/14/2008 by GenesysWave
I read about this in a paper on the SANS Reading Room about a month ago and finally got around to trying it over the weekend.  The paper is available here - http://tinyurl.com/24o95n

In six steps you can use a wireless USB adapter within a VMware virtual machine.

Supplies used:

Windows XP SP2 laptop

VMware Workstation 6 - http://www.vmware.com/download/ws/

Belkin Wireless G USB Network Adapter http://catalog.belkin.com/IWCatProductPage.process?Product_Id=179211

BackTrack 2.0 Final ISO - http://www.remote-exploit.org/backtrack_download.html

IronGeek's bootable CD vmx file - http://www.irongeek.com/downloads/live-cd-iso.vmx



Assumptions:

Windows is completely patched.

VMware Workstation has been installed on the laptop

Belkin Wireless drivers are not already installed on the laptop and the adapter is not connected to the laptop (yet).

Tasks

Step one - download the BackTrack 2.0 ISO to a directory on your hard drive (I used C:\Virtual)

Step two - download IronGeek's bootable CD VMX file to the same directory as the ISO.  Now open the file in a text editor.  Set the memory to at least 256 MB by changing this section of the file:

Original
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"

Updated
# Memory
#####
# memsize = "128"
memsize = "256"
# memsize = "512"
# memsize = "768"

Configure the boot objects to use the boot CD:

Original
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

Updated
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "bt2final.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

The file should be in the same directory as the BackTrack ISO.  Additionally, you can update the display name and annotation lines in the file to give better descriptors.

Step three - launch VMware Workstation, open the bootable CD VMX file and start the virtual machine.  

Step four - You will likely receive an error about the video settings not being supported - I used option 0.  Before pressing 0, I inserted the Belkin USB card, this causes Windows to recognize the card as a VMware USB device instead of the Belkin wireless device.

Step five - logon to BackTrack.

Step six - launch Wlassistant and verify that the Belkin USB card is finding other devices around you.

Final result

The BackTrack CD is now capable of using the Belkin wireless card to scan for other resources from inside the virtual machine.
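The step-two edits are easy to get wrong by hand (two active memsize lines, or an ISO name that does not match the file on disk). The script below is an added example, not IronGeek's vmx file or anything from the original post, that applies the same edits programmatically: it activates the chosen memsize line, comments out the alternatives, points ide1:0.fileName at the ISO and updates displayName. It assumes the 'key = "value"' line format shown above; the sample vmx text and file names are constructed placeholders.

```python
"""
Apply the post's step-two VMX edits programmatically.

Added example; not IronGeek's vmx file or the original post's text. Assumes
the .vmx uses 'key = "value"' lines, with alternative memsize lines present
but commented out with '#'. The sample text and names are placeholders.
"""
import re

# Constructed stand-in for the relevant part of a bootable-CD vmx file.
SAMPLE_VMX = '''\
displayName = "Bootable CD"
annotation = "Boots whatever ISO is named in ide1:0.fileName"
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"
'''

# Matches an active or commented-out 'key = "value"' line and captures the parts.
LINE_RE = re.compile(r'^(?P<hash>#\s*)?(?P<key>[\w.:]+)\s*=\s*"(?P<value>[^"]*)"\s*$')


def select_memsize(text, wanted):
    """Activate the memsize line whose value is `wanted` and comment out the others.
    Raises ValueError if no such line exists, so a typo cannot leave the VM
    without any memsize setting."""
    out, found = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") == "memsize":
            if m.group("value") == wanted:
                out.append(f'memsize = "{wanted}"')
                found = True
            else:
                out.append(f'# memsize = "{m.group("value")}"')
        else:
            out.append(line)
    if not found:
        raise ValueError(f"no memsize line with value {wanted!r}")
    return "\n".join(out) + "\n"


def set_value(text, key, value):
    """Replace the value on the first active (uncommented) line for `key`."""
    out, done = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not done and m and not m.group("hash") and m.group("key") == key:
            out.append(f'{key} = "{value}"')
            done = True
        else:
            out.append(line)
    if not done:
        raise ValueError(f"no active line for key {key!r}")
    return "\n".join(out) + "\n"


def active_values(text):
    """Return {key: value} for every uncommented setting, for verification."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group("hash"):
            result[m.group("key")] = m.group("value")
    return result


def prepare_vmx(text, iso_name, mem_mb="256", name="BackTrack 2 Final"):
    """Carry out the step-two edits in one go and return the new file text."""
    text = select_memsize(text, mem_mb)
    text = set_value(text, "ide1:0.fileName", iso_name)
    text = set_value(text, "displayName", name)
    return text


if __name__ == "__main__":
    print(prepare_vmx(SAMPLE_VMX, "bt2final.iso"))
```

To use it on a real file, read the .vmx into a string, pass it to prepare_vmx with the ISO file name you downloaded, and write the result back; active_values on the result is a quick check that exactly one memsize is live and the ISO name is what you expect before you start the VM.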

This also should work with VMPlayer (in fact IronGeek has a video tutorial on cracking WEP keys using a similar setup - http://tinyurl.com/25zz98) and just about any Windows XP or Vista workstation (PC or laptop). It may or may not work for Intel based Macs or Linux workstations.  This may also work with other wireless USB adapters.  

Your feedback would be appreciated.  As always, a post to the Security Catalyst forums is the best way to send it.

Be Safe
James

Where? - Posted at 6:18 PM on 1/8/2008 by GenesysWave
Taking a cue from Andy: I wanted to make sure to post something this week so you know I am still out here.
I have been working at a client site for the past few months that has taken up a lot of my time and is in an industry that I am not comfortable writing about at the moment.
I do have some topics burning in the back of my mind that I hope to be sharing over the next few weeks.

Be safe.

James

Way to go Don - Posted at 2:50 PM on 12/14/2007 by GenesysWave
As I was reading my regular RSS feeds today, I came across a link to a paper that was posted to the SANS reading room entitled "Windows Remote Desktop Heroes and Villains" by Greg Farnham and advised by my friend and fellow Trusted Catalyst Don Weber.  Available here.

Don had mentioned previously that he was presenting a SANS course, but I can't recall him saying anything about advising on papers as well.

It makes me feel very good to know that there are qualified, dedicated individuals like Don who are giving back to the security industry by supporting the people around them.  It also makes me proud to call Don a friend.

Way to go Don.

If you are interested in security and want to interact with like minded folk, I encourage you to join us at the Security Catalyst forums.  Registration is free and easy.

Be safe.

James

Johnny Long interview at CSOonline - Posted at 7:01 AM on 11/29/2007 by GenesysWave
Johnny Long was interviewed over at CSOOnline by Katherine Walsh.  Available here
Mr Long has a new book coming out - No Tech Hacking.  CSOOnline has a preview chapter available here.
Mr Long is always interesting to read and is a genuinely nice guy from the interactions I observed at DefCon this year.  ( I failed to introduce myself at the time, but was hanging out with Larry and Cutaway in the Capture the Flag room)
Check it out
Be Safe

James

PayPal Vulnerability Disclosure statement. - Posted at 9:58 AM on 11/26/2007 by GenesysWave
Had some interesting reading over the weekend thanks to my friend Don and Jeremiah Grossman.
I anticipate that there will be some clarification forthcoming from PayPal regarding certain parts of their Vulnerability Disclosure Policy.
Specifically the "reasonable time" statement.  I am going to play devil's advocate on this a bit.  What is reasonable to me may not be reasonable to someone else.
Is PayPal going to set up this time frame with the researcher when the disclosure is made?  Will it be a flexible time frame based on how PayPal is able to respond to something?
What happens if someone else independently discovers and discloses the same vulnerability? What "proof" will the researcher need to provide to PayPal that they were not the one who disclosed the information?
These have probably been discussed internally at PayPal already, and the intent of the statement was to provide a declaration that PayPal is willing to work with researchers, not to be the final word on disclosure.
If you have any thoughts on this, please join the discussion on the Security Catalyst forums at http://www.securitycatalyst.org

Be safe
James

Where the heck have I been. - Posted at 9:53 AM on 11/26/2007 by GenesysWave in Blog Related
I have been a bit busy over the last month with an extended assignment at a customer site and a couple of projects at home.  I am going to aim for at least a post a week going forward, maybe a couple if I get inspired.

Be safe.
James

Security team work - Posted at 10:17 AM on 10/9/2007 by GenesysWave
My friends Paul and Larry have posted the first part of their stream from the ICE Games at the recent SANS event.
I found it to be a fascinating listening experience.
It showed the importance of working as a team when involved in a security incident.
Red team (hackers) was collaborating out of the gate and was very successful in the first round because of this.
Blue team (defenders) started out individually securing their systems and were not passing information back and forth well.  In the second round they were better organized, had leadership and worked as a team, and were able to establish a better defensive stance.
This likely holds true for a lot of organizations.  As a wise friend is fond of saying, "individually we are really doing great things with security, but as an organization we fail."
A focused, united effort will have greater success than multiple individual efforts.  Our "enemies" coordinate their attacks; we need to coordinate our defense.
So how can you build a better team?
Rule 1.  Shut up and listen - you don't always have to be right or be loudest.
Rule 2.  Be involved as a team when things are going well.
Rule 3.  Shut up and listen - you don't always have to be right or be loudest.
Rule 4.  If you are not the leader, don't try to lead.  Offer suggestions if you see a better way and be ready to cite your reasons.
Rule 5.  Shut up and listen - you don't always have to be right or be loudest.
Rule 6.  There is no rule 6 (thanks Monty Python).
Rule 7.  Shut up and listen - you don't always have to be right or be loudest (starting to see a pattern) - your observation of the situation will be stronger if you are not constantly talking.
Rule 8.  Document what steps you have taken.  The more you know about how you stopped something, the better prepared you will be when that fix gets broken (notice I said when and not if - if you are under sustained attack by a knowledgeable and determined foe, they will figure out ways to breach your defenses).

These rules are by no means hard and fast and are more for guidance.

( I really need a good close out like Cutaway)
James

CyberSpeak from DefCon released - Posted at 9:40 AM on 9/17/2007 by GenesysWave
I participated in an interview with Ovie and Brett of CyberSpeak at DefCon which has been finally released.
I got to talk with my friends Joe Knape, Jonathan Squire, Cutaway and a couple of others who stood in the background about the Security Catalyst Community.
I want to thank Ovie and Brett for interviewing us; we got the chance to talk about the community, our own blogs, the Lost @ Con Mystery Challenge, and to Ovie and Brett.  They even offered some assistance with the Mystery Challenge.
Thanks, gentlemen.
Take a listen.
Join the Community
Edited at 9:40 AM 09/17/2007
Failed to acknowledge Matt Yoder for introducing himself

Wow, I cannot believe that they did this. - Posted at 9:38 AM on 9/12/2007 by GenesysWave
Mark this under astounding misuse of technology.
WESH in Orlando posted a story about the unfortunate deaths of 2 people and the slaughter of the animals on their farm.
Why, you ask, am I posting on this?
The story included a link from Google Maps that included the address of the house as well as the option to get directions to the house.
The 2 people were not identified by name in the story but are likely to be easily identified by using any of the phone number look-up services that are out there.
This is an irresponsible use of technology and it sickens me.  If you are not going to identify the people involved, don't provide information that can easily be used to identify them.
I will not post a link to the story; I will post a link to the site's feedback page instead.

Here is what I wrote to their Web and News staff
I cannot believe you included the google map of the location of the murder of 2 people you did not identify. (url of story removed)  By including the map, the address was easily identifiable and the names could easily be gleaned from any telephone number website.  This is completely irresponsible.  The map should have been a screen capture without any pertinent information.  I am very disappointed by the lack of professionalism and ethics involved in the reporting of this story.
James Costello

I encourage anyone else who is offended by this to post a response to their news teams.
http://www.wesh.com/station/290180/detail.html

If I get any response I will post it here.

Spot the Undercover Reporter - Posted at 12:39 PM on 8/7/2007 by GenesysWave
There has been a lot of coverage of the incident already.

My take on it is that the goons (Defcon security) did a good job of letting key people know to watch out for her.  They had someone waiting at the airport for her to arrive.  They knew when she got there.  Acr0nym and a few other members of the Security Catalyst Community were shown her picture on Thursday night, as were probably quite a few others (I only know the few people who told me about her before the incident).  I overheard the conversations the goons were having immediately before the incident so I knew something was up, but was involved in the LosT @ Con Mystery Challenge at the time so I missed all of the initial hubbub.

It's unfortunate that she was trying to "show the people in Kansas" what evil/wrongdoing was going on at Defcon.  I have lived in the Kansas City Metro area for the last 17 years and can say that most people here are not too concerned about Defcon.  From my experience at the event, everyone I met was there for legitimate reasons and wanted to gain greater insight into Information Security.  I am sure there were a few individuals with malicious intent, but I did not meet any and could not point any of them out.

Any comments can be posted over at the Security Catalyst Community


Prior post - Posted at 12:01 PM on 8/7/2007 by GenesysWave
Sorry that the last post was so long, just had a bunch of thoughts to dump out

Back from DefCon - Posted at 11:59 AM on 8/7/2007 by GenesysWave
I had an awesome time at DefCon, even though I missed a couple of presentations that I wanted to see.  I am reviewing the presentations I missed now.

I went for 3 main reasons
  • Gain knowledge
  • Compete in the LosT @ Con Mystery Challenge
  • Meet up with other members of the Trusted Catalyst and Security Catalyst Community.
Knowledge gains:

I learned how to pick a basic lock, which got me thinking about physical security and how a simple lock makes people feel safe but may not offer much protection against a skilled individual.  This makes a great transition to IT Security in that many companies are looking for a golden device that is going to solve the problems that they have been experiencing.  Most people would not put just a single lock on their house; they will put on multiple locks and set up lighting to increase the visibility around the house.  So why are they looking for a single device to solve their problems?  Layered security is an ongoing process; it should never stop.  If installing a lock was good enough to keep a thief out, it would never need to actually be locked.  It is an ongoing process to verify that the lock is in good working order and engaged when needed.  If you notice problems with your locks, you have a professional work on them or replace them.  The same should be true for your network security.

Staying with the physical to network security correlations, I saw a presentation by Matt Richard about going beyond penetration testing.  It goes to the idea that you need to be aware of what can go out of your network and could be utilized to compromise your network.  We all plan, or should plan, the escape routes out of our homes in case there are fires, but we should also remember that points of egress can also be used as points of ingress.  (Often referred to as the Moshe Dayan problem: "The Syrians will learn that the road from Damascus to Tel Aviv - is also the road from Tel Aviv to Damascus...")  Matt has developed an application called eescanner (I am unable to currently find my link to the app and will update when I find it) that can do outbound scanning to determine what is allowed out of a network.  I think it is a brilliant idea.  This presentation has given me an idea for a presentation, but I will wait to talk about that later.

The LosT @ Con Mystery Challenge:

The concept is that a team of 5 is given a box which they must access and then solve any problems related to the box.  Last year the solution to the problem was made in 2.5 hours.  This year was a bit more complex and the teams struggled (including the Security Catalyst team).  First we were given a sheet of text with some clues on it, a note pad with another clue and the letters of the alphabet except for the letter e on cut-outs that included pictures of books.  9 hours after starting, the first teams broke the code (with clues from LosT): it was a one-time pad cipher of the text on the sheet using the first paragraph of the 21st chapter of a book called Gadsby by Ernest Vincent Wright.  This then gave us a clue to a picture and phrase we would have to present to LosT.  We were then given a large metal box with a circuit board with an LCD display attached to the outside and three locks.  We were told that we needed to get inside without killing the sequence that was running on the circuit or tipping the box over.  We were then told we needed to start on the bottom of the box with the Brinks R70 lock.  We took off with our box and started trying to get inside.  After about an hour of trying to open the R70 we decided that it was time to forget what LosT had said about going in the bottom and go in through the top.  After using bell splices to add a second battery and bypass some wires that were preventing the locks on top from being easily removed, we accessed the box and found components to make a circuit board that would translate light impulses to sound.  We built that and were ready to go find out if we had the solution.  Unfortunately LosT had packed up for the night and we had to wait until the next morning.  We told ourselves that the bottom of the box was a red herring because we could see that there was no space for any parts and we thought all we needed was the piece we had just built.
However, when we arrived the next morning 2 other teams had much more complicated devices and we went back and tried to get into the bottom.  Eventually a member of one of the other teams told us that he thought the instructions in the locked section were useless and that all we needed was the piece we built.  By the time this had happened 2 other teams had already solved the puzzle, so we were left to try for 3rd place.  We were then able to use our device to pick up a broadcast from an LED that LosT had placed in a black skull with a pirate patch (shown on the document for building the circuit), which gave us a sequence of hex that needed to be translated into a phone number that was to be dialed on a special phone that LosT had sitting at the table.  After one more puzzle we were able to secure 3rd place.  If we had trusted our initial instincts we could have won, but we made a poor decision and ended up in third.
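The cipher stage of the challenge, as an added example in code (not the contest's materials, and not the real Gadsby passage): each letter of the message is shifted by the matching letter of a key text taken from a book, and decryption shifts back. Strictly speaking that is a running-key cipher rather than a true one-time pad, because the key is a published text rather than random; the missing-e hint is precisely the kind of leak that lets a solver identify the key source, which is the lesson for anyone tempted to reuse a book passage as a key. The key text below is a constructed lipogram (it contains no letter e) standing in for the paragraph the contest used.

```python
"""
Running-key (book) cipher of the kind used in the Mystery Challenge.

Added example; not the contest's materials or the real Gadsby text. The
key text is a constructed lipogram (no letter 'e'). Letters are shifted
mod 26 by the corresponding key letter; non-letters pass through unchanged
and consume no key.
"""
import string

ALPHABET = string.ascii_uppercase

# Constructed key text with no 'e', like Gadsby; not the book's words.
KEY_TEXT = (
    "A young man with a bold plan took his old wagon to town and bought "
    "a sack of grain, a lamp and a long brass horn that glows at night."
)


def _letters(text):
    """Keep only letters, upper-cased, so key and message line up."""
    return [c.upper() for c in text if c.isalpha()]


def _shift(text, key_letters, sign):
    """Shift each letter of `text` by its key letter (sign=+1 encrypt, -1 decrypt)."""
    if len(_letters(text)) > len(key_letters):
        raise ValueError("key text shorter than message")
    out, k = [], 0
    for c in text:
        if c.isalpha():
            offset = ALPHABET.index(key_letters[k])
            idx = (ALPHABET.index(c.upper()) + sign * offset) % 26
            out.append(ALPHABET[idx])
            k += 1
        else:
            out.append(c)
    return "".join(out)


def encrypt(plaintext, key_text=KEY_TEXT):
    """Encrypt with the running key; output is upper case, punctuation kept."""
    return _shift(plaintext, _letters(key_text), +1)


def decrypt(ciphertext, key_text=KEY_TEXT):
    """Invert encrypt() given the same key text."""
    return _shift(ciphertext, _letters(key_text), -1)


def key_is_lipogram(key_text, missing="e"):
    """The contest's alphabet cut-outs lacked 'e'; test a candidate key for that."""
    return missing.lower() not in key_text.lower()


if __name__ == "__main__":
    msg = "BRING THE SKULL AND THE PHRASE TO LOST"
    ct = encrypt(msg)
    print(ct)
    print(decrypt(ct))
```

Because the key is a fixed text, two messages enciphered with the same passage leak their difference, and a solver who guesses the source (here, a book with no letter e) recovers everything; a genuine one-time pad avoids both problems only by using a random key that is never reused.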

So what I learned was ciphering, lock picking, electronic fabrication, social engineering and to do a better job of trusting my own instincts.

Team Security Catalyst will be back next year and we will win.

One really cool thing is that the winning team gave their black badge (lifetime entry to Defcon) to LosT for running such an awesome contest.  I think that was a really classy move on their part and a great tribute to LosT.

Meet up with other members of the Trusted Catalyst and Security Catalyst Community.

I had the opportunity to meet face to face with members of the Trusted Catalyst and Security Catalyst communities.  I have been talking with Larry Pesce, Mike Henry, Jonathan Squire, Cutaway, Martin McKeay, David Mortman, Adam Dodge, Acr0nym, Perry Carpenter, Marcin Wielgoszewski and others within the community for the last several months and have developed good friendships with them.  This was my first opportunity to meet any of them.  It made the weekend all the more fun and increased the opportunities to learn.  Plus several of us got the chance to be on CyberSpeak with Ovie and Brett.  I got to meet Andy Lockhart (should have brought my copy of his book for him to sign) and the group from 303 (hey bluknight and Databeast).  I was able to participate in conversations with Johnny Long and Joe Grand (he has something big coming up but I can't say what yet - those who know were asked to keep it quiet, so I will honor that).

I did get Larry to sign the print-outs of the covers of his two books, and while we were hanging out in the vendor area I kept telling people who were looking at the book that I could arrange to get it signed for them.

I know that I missed meeting Amrit Williams and Mike Murray (though I did make one of Mike's presentations) and will have to catch up with them the next time we are in the same city.  If there are other members of the Security Catalyst Community I missed, drop me a message through the forums and I will remember to call and say Hi if I am ever in town.


Please leave any feedback you have at the Security Catalyst Forums.

Viva Las Vegas - Posted at 7:50 AM on 8/3/2007 by GenesysWave
I flew into Las Vegas yesterday for Defcon.  This is my first time attending and the schedule looks very solid.

I am going to try to attend a Q and A with Bruce Schneier, a panel discussion on Disclosure led by David Mortman and presentations by Bruce Potter, H.D Moore, Mike Murray and Johnny Long

I will follow up after the presentations with my thoughts.

Hope Andy doesn't get jealous

How to give me feedback - Posted at 1:48 PM on 7/20/2007 by GenesysWave
I would like to encourage anyone who would like to provide feedback on my posts to join the Security Catalyst Community and post responses there.
Thanks
James

