Tuesday, December 9, 2008

Password generation FAIL

I recently changed jobs (I'll post more about that in the near future) and was eagerly awaiting my first paycheck.
First pay day came and went and while there were funds in my bank account, I did not receive a paper paycheck. My new employers use a pay company that gives them the option to do digital paystubs via the pay company websites.

I got around to setting up my account on the pay company website today and ran into some unusual requirements for my password:
Passwords must meet the following complexity requirements:
Must be between 7 and 12 characters.
Must contain at least 1 upper case character.
Must contain at least 1 lower case character.
Must contain at least 1 numeric character.

Cannot contain any of the following characters: []|{}'()\/.,`>-_&=

There was also a button for generating a password to meet the requirements. Well sort of ...
I pushed the button and it popped up a window that contained a potential password and buttons for accept and cancel.
First FAIL - the password I was given only contained 6 characters
Well that doesn't meet the complexity requirements - I did attempt to use it and was told that the password was not valid.
Fine, I'll just push the generate password again.
Second FAIL - the password I am given again only contains 6 characters. To be more specific, the same six characters I was given before. All right, it was the same password entirely.

So I turned to my old standby KeePass to generate a new password. I set the requirements to 12 characters, upper case, lower case, and numeric and generated a new password similar to this one: HZy2SIcH1wr3. I then copied the password into the web page twice and pushed the submit button. I then received notice that I cannot use the number 3 in the password - huh? What an odd requirement. I checked back with the requirements section and sure enough it does say that the number 3 is not valid in the password scheme. I wonder what their reasoning is for the numbers 3 and 8 not being valid. I have sent an e-mail to their support; if I get a response I will pass along the answer they provide.
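As an added example (not the pay company's code and not KeePass), here is the published policy implemented as a checker, plus a generator that draws from the OS CSPRNG and validates its own output before handing it over. EXTRA_REJECTED is an assumption about how the site's undocumented refusal of the digits 3 and 8 might be encoded; the 6-character value in the demo is constructed.

```python
"""Checker and generator for the pay-site password policy quoted above.

Added example: not the pay company's code and not KeePass. The rules are the
ones transcribed in the post; EXTRA_REJECTED is an assumption about how the
site's undocumented refusal of the digits 3 and 8 might be encoded.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 7, 12
# The published "cannot contain" list: []|{}'()\/.,`>-_&=
FORBIDDEN = set("[]|{}'()\\/.,`>-_&=")
# Digits the site refused in practice (assumed encoding of the post's observation)
EXTRA_REJECTED = "38"


def check_policy(pw: str, extra_rejected: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} not in {MIN_LEN}..{MAX_LEN}")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case character")
    if not any(c.islower() for c in pw):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    bad = sorted(set(pw) & (FORBIDDEN | set(extra_rejected)))
    if bad:
        problems.append("contains rejected characters: " + "".join(bad))
    return problems


def generate(length: int = MAX_LEN, extra_rejected: str = "") -> str:
    """Generate a password from the OS CSPRNG that passes check_policy().

    Every call draws fresh random characters, so repeated calls agree only by
    chance, unlike the site's button, which returned the same 6-character
    string twice. The draw is checked against the policy before it is
    returned, which is the step the site's generator evidently skipped.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    rejected = FORBIDDEN | set(extra_rejected)
    alphabet = [c for c in string.ascii_letters + string.digits if c not in rejected]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(pw, extra_rejected):  # reject draws missing a character class
            return pw


if __name__ == "__main__":
    # "aB3xyz" is a constructed stand-in for the 6-character value the site generated.
    print(check_policy("aB3xyz"))                        # ['length 6 not in 7..12']
    print(check_policy("HZy2SIcH1wr3"))                  # []: passes the published rules
    print(check_policy("HZy2SIcH1wr3", EXTRA_REJECTED))  # ['contains rejected characters: 3']
    print(generate(12, EXTRA_REJECTED))
```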

If anyone has any insight as to why, I'd love to hear it. Adam Dodge already supplied one bit of humor:
Possible meeting notes for the discussion of password requirements
Fred: "I don't know Jim, people seem to like using 3 and 8..."
Jim: "Forget 'em"


Have a good day and be safe out there.

James

Friday, October 31, 2008

All's quiet on the Midwestern front ...

Life has been fairly quiet in the Midwest over the last few weeks, well at least at my house. Especially since I stopped answering the phone after working hours - I live in a swing state so I am being inundated with calls for this candidate and that candidate and the surrounding support groups. It has made it a bit difficult to study...

Yes, I said study.

I am getting ready to go take the CISSP exam on November 1. I will share some of my experience in the next few days. I was long hesitant to get the certification mostly because I did not see the value and did not think I needed to have it.

Well, I recently decided that I was going to look for another opportunity and quickly discovered that although I could get my foot in the door for an interview, I was having difficulty closing the deal because somewhere along the line the company had chosen to require that the new employee be a CISSP. I also had been part of an interesting discussion at the RSA conference in April discussing the merits of getting certified. Most everyone agreed that having a CISSP was not necessarily an indicator of the capacity and capabilities of a person, but that it was a simple equation: if the company is asking that you have it, you need to have it, and if you do not, you probably won't make it past the initial resume review. I liken it back to having an MCSE in the late 90's or right after Y2K, not necessarily a ticket to the job, but it definitely gets you on to the correct platform to catch the train (or the hand cart, depending upon how many positions the company had).

If anyone is interested in attending the upcoming CSI 2008 conference in DC November 15-21, the Security Bloggers Network has been offered a discount code to give out to all of our readers - BLOG25. This will get you a 25% discount for conference registration.

Be safer out there,
James

Wednesday, October 22, 2008

MCSF talk

I found out on Monday afternoon that a late submission talk for the Midwest Consolidated Security Forum was accepted. Tickets are no longer available, but hopefully some of you are in attendance.
Michael Santarcangelo and I will be talking on podcasting and pop culture and how to use them in your security awareness programs. Our talk will be from 2:45 to 3:30.
If you are attending, stop by and say hi.

Be safe out there.
James

Cowtown Computer Congress get together

Any of my readers who are in Kansas City are invited to join Michael Santarcangelo and myself at the next Cowtown Computer Congress get together on Thursday October 23rd, 2008 around 7PM at the JavaNaut - 1615 W. 39th St., Kansas City, MO.
Michael has been invited to give a brief talk.
I apologize for the somewhat late notice; I meant to post this last week when I found out about it.

Be safe out there,
James

Friday, August 29, 2008

Juniper SSL VPN and Firefox on Windows whitepage work around

My company does a lot of work with Juniper SSL VPN implementations.

There has been some odd behavior in Firefox on Windows machines when connecting to Juniper SSL VPN. Immediately after login users are taken to a blank white page. The URL of the page contains data/home/starter0.cgi?check=yes. The page you should be redirected to includes data/home/starter.cgi?check=yes.

Juniper’s suggested work around is to go back to the sign in screen and login again, or to remove the 0 from between starter and .cgi. Both are manual solutions; wouldn’t it be easier to have an automatic one?

Well here it is.

Download the Firefox add on Redirector - https://addons.mozilla.org/en-US/firefox/addon/5064

After installation you will need to restart Firefox.

Open Redirector by right clicking on the R in the status bar in Firefox.

Click Add…

The Example URL is the full URL you get stuck on, e.g. https://this.ismyexample.com/data/home/starter0.cgi?check=yes

The Include Pattern is https://this.ismyexample.com/data/home/starter0.*

Redirect to is https://this.ismyexample.com/data/home/starter.cgi?check=yes

Set the Pattern Type to Wildcard and click Test pattern.

You should get a message that indicates that the pattern matches. If not go back and check your typing.

Click Ok

Click Close

Go back and log in again. You should go right past the page you were getting stuck at previously.
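The Redirector rule above, modelled in Python as an added example (not part of the post and not the add-on's own code): it translates the wildcard Include Pattern into an anchored regex, applies it to candidate URLs, and checks that the Redirect To target is not itself matched, so the rule cannot send the browser round in a loop. this.ismyexample.com is the placeholder host from the post.

```python
"""Model of the Redirector rule configured in the steps above.

Added example: not part of the post and not the Redirector add-on's own code.
It mimics a '*'-only wildcard matcher, applies the rule to candidate URLs and
verifies that the Redirect To target is not itself matched by the Include
Pattern. this.ismyexample.com is the placeholder host from the post.
"""
import re
from typing import Optional

INCLUDE_PATTERN = "https://this.ismyexample.com/data/home/starter0.*"
REDIRECT_TO = "https://this.ismyexample.com/data/home/starter.cgi?check=yes"


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a wildcard pattern in which only '*' is special into an anchored regex.

    Every other character ('?', '.', '/') is escaped and matched literally, so
    the '?' that starts the URL query string is not treated as a wildcard, and
    the anchors stop the pattern matching a URL that merely contains the text.
    """
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def apply_rule(url: str, include: str = INCLUDE_PATTERN,
               target: str = REDIRECT_TO) -> Optional[str]:
    """Return the redirect target when url matches the include pattern, otherwise None."""
    return target if wildcard_to_regex(include).match(url) else None


def rule_is_loop_free(include: str = INCLUDE_PATTERN, target: str = REDIRECT_TO) -> bool:
    """A rule loops if its own target matches its include pattern; check that it does not."""
    return apply_rule(target, include, target) is None


if __name__ == "__main__":
    stuck = "https://this.ismyexample.com/data/home/starter0.cgi?check=yes"
    print(apply_rule(stuck))        # the starter.cgi URL
    print(apply_rule(REDIRECT_TO))  # None: the target is left alone
    print(rule_is_loop_free())      # True
```

A pattern such as starter* would match the target as well and loop; rule_is_loop_free() catches that before the rule is saved.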

Be safe


James

Wednesday, August 27, 2008

Keep a hand on your iPhone

Adam Dodge pointed me to this article on CSO Online this morning - http://www.csoonline.com/article/446281/IPhones_Can_Be_Unlocked_Without_Password
This afternoon a customer stopped by with an iPhone and was kind enough to let me test the hack out.
I was able to confirm that the simple tap sequence does work. But only if you have your home button set to go to your Favorites. My customer had his set to go to iTunes (go figure - he wanted to listen to the music on his iPhone).
So rather than remove all of your Favorites, set your home button to go to iTunes instead.
Be safe out there
James

Wednesday, July 16, 2008

Pop Culture Security Episode 2

Michael Santarcangelo and I have released the second episode of the Security Catalyst Show: Pop Culture Security.

The show is available here. Show notes are available here.

This time we are taking a different approach, we are covering two topics using several movies.

Michael and I had a great time recording the episode and hope that you enjoy it. We also want you to take what you hear and start applying it.

Be safe out there.

James

Wednesday, July 9, 2008

DNS vulnerability - patch it

I have been watching a lot of the reaction to the DNS vulnerability that was revealed by Dan Kaminsky and multiple vendors yesterday.

There have been a few people who have downplayed the seriousness of the situation, and for those of you still in doubt that this is a serious situation, I will point you to the retraction by Thomas Ptacek over at Matasano Chargen. Mr. Ptacek has always been one to stick to his guns when challenged about his postings, which shows the seriousness of the situation.

I think Microsoft is underplaying the seriousness of the situation by only rating the patch important. This will probably change as soon as there is an exploit in the wild. I think that is unfortunate, DNS is core to the way we traverse the Internet - you got to this blog via DNS, I posted it using DNS and all e-mail is delivered via DNS. DNS is core to the way we work.

There are servers that have been found to not be susceptible to this vulnerability. The first was DJBDNS. Dan Kaminsky did announce that there is another secure DNS server: PowerDNS made by Bert Hubert. OpenDNS has stated in their blog that their implementation is secure against this vulnerability, which makes me feel better since I use them at home.

If you run a DNS server and you are not sure whether you are vulnerable, check the CERT advisory for your vendor's status. If your vendor is listed as anything other than not vulnerable, follow the link to your vendor's website.

Be safe out there,
James

Tuesday, July 8, 2008

DNS trouble in the offing

Dan Kaminsky released information today about a rather serious vulnerability in the implementation of DNS on most major platforms.

Microsoft has posted information about it on its site here.

Rich Mogull has an interview with Dan here.

Arthur over at Emergent Chaos has posted here.

Why should this concern you? Microsoft is listing it as important rather than serious, but I think they are undervaluing the seriousness of this vulnerability.

Quick overview of DNS for you. DNS is like the yellow pages of the Internet. Computers work better with numbers and people work better with words. When you want to find CNN.com your browser contacts a DNS server to find out what IP address the site resides at. This is similar to the physical address associated with a business in the yellow pages. Think of the IP address as directions to that particular business. A typical IP address looks like this: 192.168.140.25. The first set of numbers (referred to as an octet) is essentially the city in which the business resides. The second set of numbers is the nearest major street to the business. The third set of numbers is the street of the business and the final set of numbers is the street address of the business.
What DNS does is allow you to type in the name of the site you want to go to and have all of the "travel information" for your destination be given to you.
Now imagine someone sets about printing yellow pages with incorrect information that will bring them profit. So rather than going to the real CNN.com (64.236.91.23) your DNS server has been given spoofed information to send you to a malicious website at 172.16.91.23.

If you manage DNS servers, you should patch them as soon as possible. If you don't, you may want to make sure whoever does manage your DNS has patched their systems.

Be safe out there,
James

(Edit) - as of 2:15 PM CDT Microsoft does not appear to have released the patch for this vulnerability.

(Edit 2) It appears that the patch is showing up as 2 different Knowledge Base articles: kb951746 and kb951748

Thursday, June 19, 2008

Patching and updating

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics but there was a bit of a shocking revelation for me. Some companies are still not actively patching their computers. There was a computer with no patches for an old operating system.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base level activity - it needs to be done. You don't have to have a high end software solution for all of your applications. You can even use the Windows Update website to keep you up to date (or patched with the last patches for the OS)

Be safe out there.
James

Interesting series of events

I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do?

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of their effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.
James

Friday, June 13, 2008

What don't your users understand and help explaining it to them

Do you know what your users are confused about?

Do you know which acronyms you use that they are confused about?

Are you not sure how to explain a topic to your user community?

Michael Santarcangelo and I started a new podcast series in May based on the peer to peer session I facilitated at RSA Conference 2008 entitled "Pop Culture Security Awareness; finding security in the movies, TV, and other media." The premise is to use pop culture references to explain more complex topics in a way that connects you to your users and provides them with greater understanding.

Michael and I want to bring this to a larger audience and here is how you can help us. We would like to know what questions are coming up for you that you would like a clearer way of explaining. Please send your feedback to popculturesecurity@securitycatalyst.com. Better yet call our feedback number at
206-350-8346.

Friday, May 30, 2008

Kees and Andy have a couple of great points that I want to reiterate

My friend Kees Leune makes a great point about the disappearing edge.

A couple of years back it would have been fine to throw up a firewall to protect your network. Attacks were mostly inbound in nature and could be dealt with in a straight forward manner.

The siege mentality could be used to defend your network. If I put up enough outward facing defenses (firewall, anti spam, virus scanners, etc..), I can protect my castle. What we run into today is that the attacks are drawing us out to them, our trade routes and water supplies have to be monitored and checked. The cross site scripting vulnerabilities that PayPal revealed that it had shows this very well. We trust PayPal with our money, but they still have vulnerabilities.

In today's networks, traffic needs to be monitored for anomalies. If you are not running an IRC chat or your employees are not supposed to be accessing IRC, monitor for that traffic. It may be legitimate, but it might not be as well.

The "bad guys" knew in medieval times that if a direct assault did not work, getting someone to come out and take something from you (i.e. Troy) gives you a greater chance of success. They no longer have to lob dead animals over the walls at us. They set them outside our walls and let us know that they are providing them as food to us. Today's "bad guys" are adapting as well.

This leads me to what Andy Willingham talks about in this blog post.

Just because we've always done it that way does not make it the best way to do it now. On a regular basis go back and reevaluate your policies and procedures. Ask questions that have not been asked before. Ask questions that have been asked before; you may be surprised that you get a different answer. Don't just accept "let me get back to you about that" as an answer.

The "bad guys" are willing to question the way things are done, hence how they find vulnerabilities. Take a page from their book. Look at your network from a different point of view. Rethink your network.

That's enough for me today.
Be safe

James

Thursday, May 15, 2008

Wow, I'm on a podcast

Michael Santarcangelo invited me to take part in the May 2008 Security Roundtable discussing the RSA Conference. I was honored to be asked and got a chance to participate with some of my fellow attendees:

Dr. Anton Chuvakin | http://chuvakin.blogspot.com/

Jennifer Leggio | http://mediaphyter.wordpress.com/

Martin McKeay | http://www.mckeay.net/

Michael Santarcangelo | http://www.securitycatalyst.com/

We had a great time recording and could have probably gone on for quite a bit longer about the experiences we all had. The podcast is about an hour and we hope you enjoy it. Please provide feedback here, I am interested to know what you thought.

I was using a SnoBall microphone from BlueMic and thought the performance was very good.

I also have to apologize again for not posting in over a month.
I had a fairly lengthy post on my experience at the RSA conference and the surrounding events, and failed to post it. Then I started a new job which has taken up quite a bit of my thought cycles.
Hopefully I will get back to a regular posting cycle now.

Go out and be safer

James

Monday, March 31, 2008

Open letter to SC Magazine

Thanks for your (repeated) kind offers to purchase tickets for the SC Magazine Awards banquet in San Francisco next week. I will not be able to attend because the RSA Speakers Dinner is scheduled for the same time. Please discontinue sending me notices to purchase tickets.
Respectfully,
James


side note - This is not intended to be belligerent or knock SC Magazine in any way, I am just weary of receiving the e-mails. I also promised someone that I would post this if I got another SC Magazine Awards banquet request. You can figure out the rest.

Friday, March 28, 2008

OT - power of Free

One of my favorite authors and podiobook performers, Scott Sigler, is fortunate enough to have one of his works being released in print on Tuesday April 1. Leading up to that he is releasing a free PDF of the book through his publisher's website, available here. The novels are very well written and are enjoyable reading. I will warn you, Scott is a sick and demented individual and his novels are much the same way, so if you are easily disturbed or do not enjoy horror this is not the author for you.
The novel is also available in an audiobook format here.

Thursday, March 27, 2008

Let's see where the carriers go with this

PC World has an article about a company called TapRoot that has developed a product that will allow users with 3G mobile devices to create a mobile hot spot using their phone. The main emphasis of the article is that it will be really easy to set up the WiFi connection on the phone to connect to the laptop.

I have one real problem with the assertion that it will be easy to set up as compared to other methods of using your phone to connect.

I have a Windows Mobile device and I use it to connect to the Internet on a fairly regular basis. The hardest part about setting it up was finding the ActiveSync install CD for my laptop. All I need to do to get to the Internet is connect the phone with a USB cable, allow it to finish syncing, launch Internet Sharing on my phone and push connect. Within seconds I am on the Internet and working. I'm really not sure how that qualifies as difficult. I can still place calls and use the Internet. I've done similar things with my BlackBerry and I have even used my Windows Mobile device with Linux.

There is a PDF about their product here. It is a centrally managed solution either at the carrier or the Enterprise level. From what I have read TapRoot is only going to sell to the carriers, who will then resell the service to their clients. This might be a product to watch.

On the other hand I'll probably stick to using my USB cable, I always keep one around.

I did change the original title as it was based on my initial reaction to the article and that changed after doing some further reading about the product.

Be safe

James

Wednesday, March 26, 2008

Sometimes when life gives you lemons...

The past couple of days have been interesting for me.

On Monday afternoon I got a meeting request from the scheduling coordinator at my employer to meet with my supervisor as soon as I got back to the office. I was in the process of troubleshooting a new VPN system at a customer at the time and did not think much of it. As the afternoon progressed it became apparent that the troubleshooting was going to take longer than I had originally thought due to some legacy configurations on the client's network (but that will be another story for another time). So I asked to schedule an appointment on Tuesday to meet with my supervisor.

On Tuesday I continued to work on the client's network and was able to navigate through the legacy configurations to interconnect the new remote sites to the rest of the network, and then moved on to a series of questions that another client had about setting up DNS records and resizing the C: drives on some of their core servers.

Over the past month or so I had noticed that many of my fellow security engineers had been sitting around the office with me, and when I commented on this to my supervisor he was concerned but said there should be quite a bit of work upcoming ("in the pipe" was the term he used). I was hopeful that this would be the case and that most of us would be out working on a regular basis again.

Unfortunately the work has not materialized as they had planned/predicted and cost cutting methods need to be taken. I was one of the cost cutting methods.

It worked out very similarly to what happened to Andy last year (read about it here).

I walked into the meeting with some suspicion of what was going on, as my inquiries as to what the meeting was about were met with silence. After a brief chat about the clients I had worked on earlier in the day, my supervisor told me that he had to make a difficult decision and that, due to my salary as it compared to a couple of the other engineers who also had not been billable, I was going to be laid off.

This is not necessarily a bad time for this to have happened. I am going to be facilitating a Peer2Peer session at the RSA Conference in San Francisco. So if you are going to be in attendance and would like to set up a meeting with me, please e-mail me using my contact information under my details.

I was also wise enough to have discussed the possibility with my wife that morning, so we were prepared for this possibly happening.

I am thankful for her support and the support I have received from the other Trusted Catalysts and other members of the Security Catalyst Community.

I'll post my resume on line within the next couple of days. Thoughts, prayers and suggestions would be appreciated, comment below.

Monday, March 24, 2008

Dirty Water

JJ has a post on her blog about the unknown status of the water glasses at hotels.
I drink a lot of water and have a water softener - reverse osmosis system at my home. I tend to notice a lot of the interesting flavors and aromas in water because of that. JJ makes a good point about figuring out where those flavors and smells are coming from, and this also applies to security. Once you recognize that you have a problem, you need to figure out what the source of the issue is. How did the infected file make it into your network - e-mail (the water itself), a portable device or some other means (the glass or pitcher)? If you know what is causing the issue, you have a better chance of avoiding other problems in the long run.
If your network keeps getting infected but your e-mail is not the source, it is time to start looking at other sources. An infected laptop or thumb drive could be indicative of problems at an employee's home; if you don't work to fix that issue you will end up with the infection returning again.
Be Safe
James

Apple borrowing a trick from Microsoft.

Martin and Andy had interesting experiences with the Apple Updater last week.
I used to run Safari in a VM on my workstation to test out applications at a previous employer. I have not used it very frequently over the past year or so. I was prompted to update it several times over the course of the last year when I was running the VM. I was prompted over the weekend to install it on my main system, which did not (and does not) have Safari installed.
I am a bit disappointed that an application vendor would try to install something on my system without it having been installed before. I wonder how many people installed the software without reading what they were going to install.
This is nothing new. Microsoft has attempted similar things in the past through Windows Update - making XP Service Pack 2 a required update - the Genuine Advantage software - there are other examples.
We can also look to the web: ActiveX controls, JavaScript and Flash can all be automatically installed if the settings in your browser are incorrect (fortunately most of these do not work if you have kept the default settings).
Is this what we can expect in the future from software vendors? I would hope not. I might have had a different reaction to this if Apple had announced that they were planning this.
I have not seen a response or announcement from Apple as yet, and would be interested in knowing what they have to say.
I was originally going to say that I was never going to use Safari again, but I have an iMac in my basement that I use from time to time, so that would not have been an accurate statement on my part. Will I install it on Windows? Probably not. Will I buy another Apple product? We'll see.
John Lilly, the CEO of Mozilla, has a different take. I can't really blame him, but I am more on the annoyed side than angry. But I don't have a horse in that race. (Sorry for the bad pun - I have to get those out of the way from time to time).

Be Safe
James

Thursday, March 20, 2008

Social Networking

I have noticed a large number of my fellow security bloggers and Security Catalyst members participate in a few different social networking sites. I have been reluctant to get involved with most of them because of what I see as their aims. This is not a critique of others who have joined, I just wanted to share my thinking.
I am a member of LinkedIn and the Security Catalyst Community because of their focus on career and security.
I have avoided joining FaceBook and MySpace because I am 35 and married and can't really justify joining to myself. And probably not to my wife either. So if you come across someone claiming to be me on either of those sites and you don't see a post here that says that I have joined, don't believe that they are me. I did have a friend get pranked by some coworkers of his that made it appear as though he was involved in activities outside of his marriage; his wife recently was shown the page and did not take to the joke. I think he is still sleeping on the couch and none of his coworkers are welcome at their home at the moment.
I am not on twitter because I think that it would take up a lot more of my time than I can really justify.
I don't want to put myself too far out there. I am a fairly private person with people I do not know, and I don't know more than 1% of the Internet.
How will I manage to not share more than I need to?
  1. I will not share anything that I am not comfortable telling my mother or my daughter.
  2. I will not join sites that do not have some direct connection to my business life.
  3. I will not lie or misrepresent myself to others.
  4. I will take what others say about me with a grain of salt and will ignore things said by people I do not know.
  5. I will always reread before I post.
  6. I will apologize if I have said something inaccurate or incorrect. I will not apologize for disagreeing.
Those are some basic guidelines for myself; if I come up with others that I am willing to share I will post them. Take them or leave them, but please think before you post.

Be safe

James

Tuesday, March 11, 2008

Odd experience subscribing to a magazine

This is not necessarily a direct security related post, but it is based in the mindset that I have when I am shopping and a lesson that I learned the easy way.
I recently subscribed online to a magazine I had been reading for a while. I am not going to name the magazine because the issue was with perception and not with anything that they were doing. The magazine subscription is $49 per year in US dollars, the publisher and subscription company are based in Europe and use local currency for the exchange rate.
Nowhere in the process of setting up my subscription did I notice anything that indicated that the transaction would be in anything other than US dollars. Though my first clue should have been that the name of the processing company included the name of the country in which the publisher is based. I may have completely missed a notice related to this, but I have gone back through the process and do not see anything related to this.
What brought the exchange rate to my attention was when I was entering receipts later in the day, I took the print out from the purchase and was shocked to see that the amount was not $49 US but 114 (Local Currency to Publisher). I made a couple of calls to the New York location for the magazine and they explained that it was local currency and not US dollars.
I was a bit concerned that I had been ripped off, but after verifying that the exchange rate was correct I let the matter drop.
Then I started thinking about it. This was a legitimate purchase, how easy would it have been for them to bump up the amount they were taking from the account.
So I started reviewing what I had done to ensure that my transaction was not going to go bad.
  1. Know who you are dealing with - don't buy things from a retailer you know nothing about - do research - Google is your friend.
  2. Do not use your actual credit card number - just about every bank has an online feature to allow you to generate a temporary card for use on line. Use this service.
  3. Read your receipts - this is the one thing I know that I need to do a better job of, pay attention to what the final total you agreed to pay ended up being.
  4. Follow up with your bank - if you have made a purchase at a site that makes you uncomfortable, check your statements, or better yet log on to your credit card's website regularly and look for charges you do not recognize.
  5. Trust your instincts - if you don't think you should be buying it there, don't. If it costs a dollar more to get it from a major retailer, but saves you time and money by not endangering your finances, then the dollar is worth it.
Hopefully some of that will help someone.

Be safe, shop smart

James

Monday, March 10, 2008

Club Penguin

Martin McKeay has a good post about Club Penguin at his site.
I have been reluctant to sign up my daughter for similar clubs and admittedly have not done research to see which are the most secure. I heard of Club Penguin a few months back when they were purchased by Disney and now I think I will take a closer look before deciding.
Thanks Martin for reminding me to look into things like this.
Be safe
James

Monday, March 3, 2008

Strange DNS issue

I had a customer who recently changed ISPs at their main office, and suddenly they were unable to connect to their hosted web site. The rest of the world was able to connect to the web site, but their internal users were being redirected to the internal pages on their domain controllers - specifically the default web page of an IIS installation.

To test the process out I connected to their web site - http://www.domain-name.com and I was presented with the beautiful web site that had been crafted for them.

Then I connected into their network, logged on to a server in their environment and tried the same process of connecting to the web site. This time I was indeed presented with the IIS default page.

The customer thought that they were having problems connecting to the Internet, but I was able to disprove this by being connected remotely to their networks and by being able to connect to other sites on the Internet.

The problem was limited to the customer's web site and no other sites.
So the first step was to determine where the customer's network was directing traffic.
ping www.domain-name.com from my physical location answered back with the actual address 5.16.85.3

Internally at the customer, ping www.domain-name.com answered back with the address of one of the domain controllers (127.1.0.21, 127.1.0.19 or 127.1.0.18).

The next tool to use was nslookup.

Here is the output I received at my physical location.
C:\>nslookup
> www.domain-name.com
Server: other.otherdomain.com
Address: 10.1.1.200

Non-authoritative answer:
domain: domainname.com
Address: 5.16.85.3
Aliases: www.domain-name.com

This looks fairly normal other than the last line, but I will get back to that in a minute.
Then the same process at the client site:

C:\>nslookup
> www.domain-name.com
Server: domaindc1.domainname.com
Address: 127.1.0.19

Non-authoritative answer:
domain: domainname.com
Addresses: 127.1.0.21, 127.1.0.19, 127.1.0.18
Aliases: www.domain-name.com

Again the alias shows up. So I paid a visit to my friends at Central Ops.

DNS records
name                     class  type   data                                                                                                                                          time to live
www.domain-name.com      IN     CNAME  domainname.com                                                                                                                                86400s (1.00:00:00)
domainname.com           IN     NS     dns030.b.register.com                                                                                                                         86400s (1.00:00:00)
domainname.com           IN     NS     dns010.d.register.com                                                                                                                         86400s (1.00:00:00)
domainname.com           IN     A      5.16.85.3                                                                                                                                     86400s (1.00:00:00)
domainname.com           IN     NS     dns036.c.register.com                                                                                                                         86400s (1.00:00:00)
domainname.com           IN     SOA    server dns109.a.register.com, email root.register.com, serial 200007331, refresh 10800, retry 3600, expire 604800, minimum ttl 86400         86400s (1.00:00:00)
domainname.com           IN     NS     dns109.a.register.com                                                                                                                         86400s (1.00:00:00)
domain-name.com          IN     A      5.16.85.3                                                                                                                                     86400s (1.00:00:00)
domain-name.com          IN     MX     preference 10, exchange mail.domain-name.com                                                                                                  86400s (1.00:00:00)
domain-name.com          IN     SOA    server domain-name.com, email hostmaster.primary.net, serial 1203777421, refresh 10800, retry 3600, expire 604800, minimum ttl 86400        86400s (1.00:00:00)
domain-name.com          IN     NS     dns2.primary.net                                                                                                                              86400s (1.00:00:00)
domain-name.com          IN     NS     dns1.primary.net                                                                                                                              86400s (1.00:00:00)
3.85.16.5.in-addr.arpa   IN     PTR    static-5.16.85.3.primarynetwork.com                                                                                                           86400s (1.00:00:00)


The key here is the CNAME: it tells us that www.domain-name.com is an alias for domainname.com, so resolving it means resolving domainname.com. This works fine out on the Internet but not at the client's office, because their internal domain is .... domainname.com.

Here is how this process works on the Internet.
An Internet user requests a connection to http://www.domain-name.com and his/her DNS server asks the root DNS servers. The root server refers the request to the servers that handle .com domains, which in turn refer it to the server that handles domain-name.com. That server answers that www.domain-name.com is an alias (CNAME) for domainname.com, and the process starts again to resolve domainname.com. This works because the local DNS server has to go out and ask for this information, since it did not know it before (i.e. its local cache does not contain it).

The same process occurs at the client site until the alias domainname.com is returned. The local server has a zone for the domain domainname.com and considers itself the authoritative responder for it (which it legitimately is for the internal network), so it answers from its own zone with the domain controllers' addresses instead of asking the Internet.

The fix.
To fix this in the client's office network I added a small zone for www.domain-name.com to the DNS servers and pointed its parent/root record to the address of the hosted web server. Because that zone is the most specific match for the name, the internal servers now answer it directly and never see the CNAME to domainname.com.
Client PCs were then able to connect to the hosted web site.
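
To make the resolution path above concrete, here is a small Python model I am adding as an example (it is not code from the original post, and nothing the customer's DNS servers ran). It holds the public records from the Central Ops output and the customer's internal domainname.com zone, resolves www.domain-name.com from the Internet and from the office, then applies the fix described above. The zone layout and the resolver logic (longest-matching local zone first, then the Internet; no delegation walk and no caching) are simplifications I assumed for the illustration; the addresses are the ones shown in the post.

```python
"""Toy split-horizon resolver: why a CNAME to the internal AD domain name breaks.

Added example; not code from the post. Zone data is a hand-built model of the
records shown above (public addresses and the obfuscated DC addresses from the post).
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str]        # (rrtype, rdata)
Zone = Dict[str, List[Record]]  # owner name -> records at that name
ZoneSet = Dict[str, Zone]       # zone apex -> zone contents

# Public DNS, as the Central Ops output showed it.
PUBLIC: ZoneSet = {
    "domain-name.com.": {
        "domain-name.com.": [("A", "5.16.85.3")],
        "www.domain-name.com.": [("CNAME", "domainname.com.")],
    },
    "domainname.com.": {
        "domainname.com.": [("A", "5.16.85.3")],
    },
}

# The customer's DNS servers before the fix: authoritative only for the internal
# AD domain domainname.com, which resolves to the domain controllers.
INTERNAL_BEFORE: ZoneSet = {
    "domainname.com.": {
        "domainname.com.": [("A", "127.1.0.21"), ("A", "127.1.0.19"), ("A", "127.1.0.18")],
    },
}


def find_zone(name: str, zones: ZoneSet):
    """Longest-suffix match: the most specific zone that contains `name`, or None."""
    best = None
    for apex in zones:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def lookup(name: str, rrtype: str, local: ZoneSet, public: ZoneSet) -> List[Record]:
    """A server answers from its own zone if one covers the name; otherwise it
    recurses to the Internet (modelled here as a second zone set)."""
    for zones in (local, public):
        apex = find_zone(name, zones)
        if apex is not None:
            return [r for r in zones[apex].get(name, []) if r[0] in (rrtype, "CNAME")]
    return []


def resolve(name: str, local: ZoneSet, public: ZoneSet, max_hops: int = 8):
    """Resolve A records, following CNAME aliases the way a resolver does.
    Returns (names visited, addresses). Each alias target is looked up afresh,
    which is exactly where the internal zone captures it."""
    chain = [name]
    for _ in range(max_hops):
        rrset = lookup(name, "A", local, public)
        targets = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if not targets:
            return chain, [rdata for rrtype, rdata in rrset if rrtype == "A"]
        name = targets[0]
        chain.append(name)
    raise RuntimeError("CNAME chain too long")


def apply_fix(local: ZoneSet, web_ip: str = "5.16.85.3") -> ZoneSet:
    """The post's fix: a small zone for just www.domain-name.com whose apex A
    record points at the hosted web server, so the CNAME is never consulted."""
    fixed = dict(local)
    fixed["www.domain-name.com."] = {"www.domain-name.com.": [("A", web_ip)]}
    return fixed


if __name__ == "__main__":
    www = "www.domain-name.com."
    print("Internet:      ", resolve(www, {}, PUBLIC))
    print("Office, before:", resolve(www, INTERNAL_BEFORE, PUBLIC))
    print("Office, after: ", resolve(www, apply_fix(INTERNAL_BEFORE), PUBLIC))
```

Running it prints the three cases: from the Internet the chain www.domain-name.com -> domainname.com ends at 5.16.85.3; from the office before the fix the same chain ends at the domain controller addresses, which is what ping and nslookup were showing; after the fix the name is answered from the new zone in one step.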

Customer was happy and I had an interesting story.

Be safe.

James

RSA peer to peer facilitator

I am proud to announce (and a bit ashamed for waiting so long to do so) that my submission to facilitate a peer to peer discussion was accepted and I will be facilitating my session on Thursday April 10th at 3:50 PM. If you are going to attend RSA please take a look at my session and sign up.
There is a possibility that it could be given a second time, but only if enough people sign up for the session.

Title: Pop Culture Security Awareness: Finding Security in Media, News and Books

Overview - The discussion will focus on making security awareness training more relevant by relating it to pop culture references not specifically grounded in the computer industry. The session will encourage participants to pick out and discuss the merits of these examples and use them to improve communications with non-technical and limited-technical audiences.

So if this sounds interesting to you and you are attending, please sign up. I know there are still seats available. The session is running against a couple of keynote sessions, and I know that the other session at that time is already full.

I do plan on keeping this light and fun, but it does have the potential for creating some serious impact for your organization.

I am going to allow feedback on this entry, so let me know what you think.

Be safe.

James

Wow, I really missed an entire month

I spent the last couple of months at a client site for a company that asked me to not blog about my experiences while I was there and I guess I just sort of kept going with that for a little bit longer.
I am going to post more regularly starting this week, so look forward to:
creating a fail-over solution using a wireless bridge and a T1 connection between two sites using Cisco 3500 series switches.
troubleshooting a DNS problem that is only affecting one client while the rest of the world is able to connect to their hosted web site
pop culture and security

Friday, January 25, 2008

Access Control follow up

This story seems to be everywhere now, including some video on CNN - http://www.cnn.com/video/#/video/crime/2008/01/24/pkg.disgruntled.employee.wtlv

It does appear that the accused used her own account to access and delete the files. I suspect that there will be some serious consideration of separation of duties and access at that office over the next few days. Take that to heart, learn the lesson and review your own networks (if you are the one responsible; if not, ask the person responsible for your network security whether they are aware of the story).

The spokesperson for the Sheriff's department said it so well "the lesson to be learned here is that you can't depend on having one set of record or files and having your employees having accessibility to it. You've got to have some type of back up."

Security is not just about preventing. Security is also about being able to recover should something bad happen.


Be safe
James

Thursday, January 24, 2008

Access Control

I have been reading a lot about access control lately. I am a firm believer in least access. Only give access to those people who need it and deny access to everyone else.
This story in the Register is a prime example of someone having more access than they should have...
http://www.theregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/

The gist is this:
An administrative assistant (AA) who thought she was about to be replaced went to the office between 11 PM and 3 AM Sunday and deleted a large number of files from the architects' office she worked for. The firm was able to recover the files with the help of an outside company.
The story does not say how the files were deleted or whose account was used.

Assumptions I am making:
The company server was either in a common area (store room) or in a locked area that the AA had access to.
The server was logged in as administrator and not locked.
The AA's user account had access to the files
There were no time restrictions for login to the network.

Suggestions:
Server should be secured in areas that few people have access to.
Do not leave your server logged on as an administrator and unlocked; this is an invitation to having all of your files erased - oh wait.
Why does your AA have access to all of the files? Limit access to the really important files in your company. I know it is easier for everyone to have access to everything than to have to figure out who should have access to what, but that also makes it easier for your really important files to disappear.
If your office staff is not on site or not connecting on the weekends, turn off their access.

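As an added example from the detection side (my code, not anything from the story or the Register article), here is a Python script that runs the two checks the suggestions above imply over file-server audit events: activity outside a business-hours policy, and a burst of deletions by one account. The audit line format, the hours policy and every event in the sample log are assumptions I constructed for the illustration; the Sunday-night bulk delete in the sample mirrors the scenario in the story.

```python
"""Off-hours and bulk-delete detection over file-server audit events.

Added example, not from the post. Assumes a simple "timestamp|user|action|path"
audit line format and a weekday-only business-hours policy; both are assumptions,
and all events below are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy: weekday index (0=Monday ... 6=Sunday) -> (first_hour, end_hour_exclusive),
# None = no access at all (the office is closed on weekends).
ALLOWED_HOURS = {0: (7, 19), 1: (7, 19), 2: (7, 19), 3: (7, 19), 4: (7, 19), 5: None, 6: None}


def within_hours(ts: datetime, policy=ALLOWED_HOURS) -> bool:
    """True if the timestamp falls inside the allowed window for that weekday."""
    window = policy.get(ts.weekday())
    return window is not None and window[0] <= ts.hour < window[1]


def build_sample_log() -> List[str]:
    """Constructed audit lines: normal weekday activity plus the scenario in the story,
    one account deleting many files late on a Sunday night (20 Jan 2008 was a Sunday)."""
    lines = [
        "2008-01-18 09:12:03|jsmith|READ|" + r"\\fs1\projects\tower.dwg",
        "2008-01-18 14:40:11|jsmith|WRITE|" + r"\\fs1\projects\tower.dwg",
        "2008-01-18 16:02:55|jsmith|DELETE|" + r"\\fs1\projects\old_draft.dwg",
        "2008-01-18 17:15:20|aassist|READ|" + r"\\fs1\admin\invoices.xls",
    ]
    for i in range(25):
        lines.append(f"2008-01-20 23:{i:02d}:00|aassist|DELETE|" + r"\\fs1\projects\job" + f"{i:03d}.dwg")
    return lines


def parse_events(lines: List[str]) -> List[Dict]:
    """Split audit lines into dicts with a real datetime for the timestamp."""
    events = []
    for line in lines:
        ts, user, action, path = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "action": action, "path": path})
    return events


def off_hours_events(events: List[Dict]) -> List[Dict]:
    """Any activity outside the allowed window. With logon-hour restrictions in
    place these events should not exist at all, so each one is worth a look."""
    return [e for e in events if not within_hours(e["ts"])]


def bulk_deletes(events: List[Dict], threshold: int = 20,
                 window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Users whose DELETE count inside any sliding window reaches the threshold.
    Returns user -> largest count seen in one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "DELETE":
            by_user[e["user"]].append(e["ts"])
    findings = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[user] = max(findings.get(user, 0), count)
    return findings


def report(lines: List[str]) -> Dict:
    """Summary a reviewer would want: who was active off-hours and who mass-deleted."""
    events = parse_events(lines)
    off = off_hours_events(events)
    return {
        "off_hours_users": sorted({e["user"] for e in off}),
        "off_hours_count": len(off),
        "bulk_deletes": bulk_deletes(events),
    }


if __name__ == "__main__":
    print(report(build_sample_log()))
```

On the constructed sample the weekday activity (including one ordinary delete) is silent, while the Sunday-night account shows up on both checks. The point of the hours policy is that if logon hours are actually enforced, the first check should never fire; when it does, either the restriction is missing or someone is using an account that should have been locked out.
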
I relate this to having a safe in your house with a nice combination lock. To make the best use of it you aren't going to leave the safe sitting out in the middle of your floor with the door wide open. You also would not give your cleaning company the combination to the safe.

Look around where you are now: what could you do to improve the security of your company or home?

Be safe

James

(additional) a little communication could have avoided all of this - on both sides.
The Register does close the story with "(The AA's) job was never under threat, though it probably is now."

Tuesday, January 15, 2008

Avoid this at all costs...

http://kracomp.blogspot.com/
Ok, that's sarcasm. This is my friend Tim Krabec's blog.

He asked me to ask people not to read it.

So I have.

Avoid it like the plague

Dang sarcasm, keeps popping up.

Tim has worked with small business and home offices for several years and has some great insights. Check it out.

Be safe
James.

p.s. I am coining the term anti-viral marketing to go along with this, as I am trying to encourage you to go by telling you to stay away.

Monday, January 14, 2008

USB Wifi with VMWare and BackTrack

I also posted this to my original blog but wanted to post it here as well.

I read about this in a paper in the SANS Reading Room about a month ago and finally got around to trying it over the weekend. The paper is available here - http://tinyurl.com/24o95n

In six steps you can use a wireless USB adapter within a VMware virtual machine.

Supplies used:

Windows XP SP2 laptop

VMware Workstation 6 - http://www.vmware.com/download/ws/

Belkin Wireless G USB Network Adapter http://catalog.belkin.com/IWCatProductPage.process?Product_Id=179211

BackTrack 2.0 Final ISO - http://www.remote-exploit.org/backtrack_download.html

IronGeek's bootable CD vmx file - http://www.irongeek.com/downloads/live-cd-iso.vmx



Assumptions:

Windows is completely patched.

VMware Workstation has been installed on the laptop

Belkin Wireless drivers are not already installed on the laptop and the adapter is not connected to the laptop (yet).

Tasks

Step one - download the BackTrack 2.0 ISO to a directory on your hard drive (I used C:\Virtual)

Step two - download IronGeek's bootable CD VMX file to the same directory as the ISO. Now open the file in a text editor. Set the Memory to be at least 256MB by changing this section of the file:

Original
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"

Updated
# Memory
#####
# memsize = "128"
memsize = "256"
# memsize = "512"
# memsize = "768"

Configure the boot objects to use the boot CD:

Original
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

Updated
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "bt2final.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

The file should be in the same directory as the BackTrack ISO. Additionally you can update the displayName and annotation lines in the file to show better descriptors.
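
If you do this more than once, the two VMX edits in steps one and two are easy to script. The Python below is an added example of mine (not from the post or from IronGeek's file); it assumes the key = "value" line format shown above, with # marking a commented-out line, and uses a copy of just the two sections the post edits as its sample input. The ISO name bt2final.iso and the 256MB value are the ones from the post.

```python
"""Apply the memsize and ISO edits from steps one and two to a live-CD .vmx file.

Added example, not part of the post or IronGeek's file. It assumes the
`key = "value"` line format shown above, with '#' marking a commented-out line.
SAMPLE_VMX reproduces only the two sections the post edits.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

VMX_LINE = re.compile(r'^(?P<comment>\s*#\s*)?(?P<key>[\w:.]+)\s*=\s*"(?P<value>[^"]*)"\s*$')

# Constructed copy of the "Original" sections above.
SAMPLE_VMX = """\
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"

#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Active (uncommented) settings; a later duplicate key overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and not m.group("comment"):
            values[m.group("key")] = m.group("value")
    return values


def set_memsize(text: str, megabytes: int) -> str:
    """Make the memsize line with the wanted value the only active one; if no such
    line exists, append one. Other memsize lines are left in place, commented out."""
    out, activated = [], False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group("key") == "memsize":
            if m.group("value") == str(megabytes) and not activated:
                out.append(f'memsize = "{megabytes}"')
                activated = True
            else:
                out.append(f'# memsize = "{m.group("value")}"')
        else:
            out.append(line)
    if not activated:
        out.append(f'memsize = "{megabytes}"')
    return "\n".join(out) + "\n"


def set_iso(text: str, iso_name: str) -> str:
    """Point the ide1:0 CD-ROM image at the BackTrack ISO."""
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and not m.group("comment") and m.group("key") == "ide1:0.fileName":
            out.append(f'ide1:0.fileName = "{iso_name}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def prepare_vmx(text: str, iso_name: str, megabytes: int = 256) -> Tuple[str, List[str]]:
    """Apply both edits and return (new text, list of problems found afterwards)."""
    new_text = set_iso(set_memsize(text, megabytes), iso_name)
    values = parse_vmx(new_text)
    problems = []
    if int(values.get("memsize", "0")) < 256:
        problems.append("memsize is below the 256MB the post recommends")
    if values.get("ide1:0.fileName") != iso_name:
        problems.append("ide1:0.fileName was not updated")
    if values.get("ide1:0.deviceType") != "cdrom-image" or values.get("ide1:0.present") != "TRUE":
        problems.append("ide1:0 is not an attached cdrom-image device")
    return new_text, problems


def patch_file(vmx_path: str, iso_name: str = "bt2final.iso", megabytes: int = 256) -> List[str]:
    """Edit a .vmx on disk; the ISO must sit beside it, as the post says."""
    path = Path(vmx_path)
    problems = []
    if not (path.parent / iso_name).is_file():
        problems.append(f"{iso_name} is not in {path.parent}")
    new_text, more = prepare_vmx(path.read_text(), iso_name, megabytes)
    path.write_text(new_text)
    return problems + more
```

Call patch_file(r"C:\Virtual\live-cd-iso.vmx") after steps one and two have put both files in the same directory; an empty list back means the file now matches the "Updated" blocks above, and any string in the list names what still needs fixing by hand.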

Step three - launch VMware Workstation, open the bootable CD VMX file and start the virtual machine.

Step four - You will likely receive an error about the video settings not being supported; I used option 0. Before pressing 0, I inserted the Belkin USB card, which causes Windows to recognize the card as a VMware USB device instead of the Belkin wireless device.

Step five - logon to BackTrack.

Step six - launch Wlassistant and verify that the Belkin USB card is finding other devices around you.

Final result

The BackTrack CD is now capable of using the Belkin wireless card to scan for other resources from inside the virtual machine, without the drivers ever being installed on the XP or Vista host.

This should also work with VMPlayer (in fact IronGeek has a video tutorial on cracking WEP keys using a similar setup - http://tinyurl.com/25zz98) and just about any Windows XP or Vista workstation (PC or laptop). It may or may not work for Intel-based Macs or Linux workstations. It may also work with other wireless USB adapters.

Your feedback would be appreciated.

Be Safe
James