Tuesday, June 23, 2009

Backtrack 4 pre on an Aspire 5610

I am getting ready for DefCon and want to carry a laptop larger than my netbook (which I love, but I want more space and memory).
Fortunately I had a spare 120GB HD and was able to acquire a second drive cage from eBay.
Installation steps:
Boot from CD
launch KDE (startx at the prompt)
open a command window and run ubiquity
Follow the prompts
reboot
login as the account you created during install
change to the root user - sudo su
change your root password - passwd
start network management - /etc/init.d/wicd start
start networking - /etc/init.d/networking start
launch KDE (startx)

I am running as root since I want sound, but will likely forgo that while at DefCon for an added layer of security.

Tuesday, May 26, 2009

finally broke down

I finally broke down this afternoon and gave in to the peer pressure...
I was actually fulfilling a joking promise I had made about a year ago, when a friend said that he would not get a Twitter account and I said I would wait until he did. Well, thanks to @cr0nym, I now have a Twitter account:
http://twitter.com/n0b0d4
I was a bit surprised that the name was still open. But now you can say you know @n0b0d4 on Twitter.
Be safe out there.
James

Tuesday, March 31, 2009

FAA security

So the FAA came out with some statements about the security of their networks, which Martin McKeay covered nicely on his blog.
So that brings me to today's Security Song Parody:

Securing All Jet Planes
(to the tune of Leaving On A Jet Plane by John Denver and Kenneth Browder)

All my bags are hacked I'm ready to go
I'm standing here outside your door
I hate to wake on LAN to say good-bye
But the code is breaking, it's early morn
The taxi's waiting, he's spamming my phone
Already I'm so lonesome I could die

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

There's so many times I've let you down
So many times I've hacked around
I tell you now, they don't know a thing
Every place I go I'll blame Lou
Every packet I sniff I sniff for you
When I come back I'll secure token ring

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Now the time has come to leave you
One more time let me kismet here
And close your eyes and I'll hide the way
Dream about the hacks to come
Then I don't have to protect alone
About the times that I won't have to say

So kismet and smile for me
Tell me that you'll snort for me
P0wn me like you'll never let me go
Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go

Cause I'm protecting all jet planes
I don't know what wifi'll be letting through
Oh babe, I hate to go
I'm protecting all jet planes
protecting all jet planes
protecting all jet planes
protecting all jet planes

Have a great day
Be safe out there
James

Monday, March 30, 2009

Six word security challenge

My latest post on the Security Catalyst blog is a challenge to you dear reader to write a 6 word sentence that tells a story about security or relates a security lesson.
So like last week with Andy IT Guy, I have reworked a song to use as a theme song

Security Is Just Six Words Long
(to the tune of Weird Al Yankovic's - This Song Is Just 6 Words Long)

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

Don't think of any more words
So I just wrote six words
So I'll just write any six words
That come to my mind, child

You really need words
Could be just six rhymin words
You gotta write so many words
Hmm mmm
Ta do it, ta do it, ta do it, ta do it, ta do it, ta do it right, child

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

I know that you're probably sore
Cuz I didn't write any more
It's just six to complete it
So that's why I gotta repeat it

Security can be just 6 words long (6 words long)
Security can be just 6 words long (6 words long)

Oh I make a lotta money
They pay me a ton o' money
They're payin me plenty o' money
To write these six words, child

I gotta fill time
3 minutes worth of time
Oh how will I fill so much time?
Hmm mmm
I'll throw in a solo, a solo, a solo, a solo, a solo here

(saxophone and drum solo)

Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long
Security can be just 6 words long

These words got somethin' to say
So I'm typing it up today
I know if I put my mind to it
I know I could find a good rhyme here

Oh ya gotta have a security
Ya need really catchy security
This song has got plenty o' security
But just 6 words, child

And so I'll sing em over
and over and over and over
and over and over and over
Hmm mmm
and over
and over
and over
and over
and over
and over again

6 words long
6 words long
6 words long
6 words long (fading)
6 words long (fading)
6 words long (fading)
6 words long

Hope you enjoyed.
Now, be safe out there.
James

Monday, March 23, 2009

Skeet Security

Andy Willingham wrote a very good post over at his blog which inspired me to rewrite the lyrics to that classic Nick Rivers' song Skeet Surfing

Skeet Security
Skeet Security
If everybody had a 12-gauge
And a motherboard too
You'd see 'em shootin' and hackin'
From here to Malibu
Because it's totally bitchin'
Ridin' the net to blast the pigeons
And it's so neat shootin' skeets
While you're coding out the heavies all day

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

We're loadin' up our motherboards
And loadin' up our traps
Tell the crackers we're shootin'
We're never coming back
I've got a gun rack in my Chevy
For when the SPAM and the flak get heavy
And we'll have fun with our guns
'Til our moderators take our ammo away

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

First site, get the knack
Second site, pull the trap
Third site, how's that?
Skeet Security, it's alright

Sharing sunsets with my favorite girl
When we write the perl, we really write the perl

First site, don't get tired
Second site, aim higher
Third site, pull and fire
Skeet Security, it's alright

First site, get the knack
Second site, pull that trap
Third site, how's that?

I wish they all could be double-barrelled
Wish they all could be double-barrelled guns

Skeet Security can't you see?
Do you wanna come along with me?
Skeet Security can't you see?
Do you wanna come along with me?
Skeet Security it's alright
Little girl we'll have fun tonight
Skeet Security can't you see?
Do you wanna come with me?
Grab your laptop, surf into the breach
Skeet Security it's a lot of fun

Now go read Andy's post and go watch Top Secret again (or for the first time)

Thursday, February 26, 2009

The Cowtown Computer Congress Opens Their Underground Lab

IMMEDIATE RELEASE

The Cowtown Computer Congress Opens Their Underground Lab

February 24th, 2009. Kansas City, MO - The Cowtown Computer Congress (CCCKC) is happy to announce the opening of their Underground Lab to the public with a full week of events beginning on March 2nd. The grand opening will showcase the rich and vibrant community of creative minds in the Kansas City area. CCCKC, the first organization of its kind in the Midwest, will serve the community by providing technology classes, donating unique projects to local organizations, and giving technology assistance to those in need.

The week will kick off on Monday, March 2nd with an open house for individuals and organizations who are interested in learning more about the organization and how they can take advantage of the Underground Lab for meetings, classes and other activities.

The creative talents of CCCKC members will be showcased on Wednesday, March 4th. The member project showcase will be followed by a screening of Make:TV, a public television series which will be shown for the first time in the Kansas City area that night. If you're curious about what CCCKC and the maker culture are all about, this is the night to come be inspired. Projects to be showcased range from alternative methods of energy generation to a labyrinth game which is controlled with the balance board from a Nintendo Wii Fit.

Thursday, March 5th is the regular member meeting where members come together to discuss group projects being developed for donation to local organizations and plan future community service projects like our monthly free computer repair opportunities.

Friday evening will feature a slate of speakers covering topics ranging from improving home security and information management to protecting data from theft while using public wireless internet.

On Saturday the public is invited to take part in a range of free workshops on basic electronics and soldering, e-textiles and Nintendo Wii hacking. All day, members will be available to help members of the public choose, install and configure computers using the free and open source Linux operating system.

About The Cowtown Computer Congress

The Cowtown Computer Congress (CCCKC) is a not-for-profit technology cooperative founded to advance technology of all kinds. They are a member-supported organization providing technology classes, workshops and services to the public free of charge. CCCKC brings together some of the finest minds in the Midwest to collaborate on research and projects for other local groups. Through their affiliate program, CCCKC gives assistance to specialized technology user groups by providing them with a facility to hold meetings and work on projects of their own.

CCCKC's Underground Lab is located 85 feet below the surface of the earth at 31st Street and Southwest Trafficway in Kansas City, Missouri.

http://www.cowtowncomputercongress.org

Further inquiries should be made to:
press@cowtowncomputercongress.org or to
John Benson - President and Co-Founder
816-332-6389

Tuesday, December 9, 2008

Password generation FAIL

I recently changed jobs (I'll post more about that in the near future) and was eagerly awaiting my first paycheck.
First payday came and went, and while there were funds in my bank account, I did not receive a paper paycheck. My new employer uses a pay company that gives them the option to do digital paystubs via the pay company's website.

I got around to setting up my account on the pay company website today and ran into some unusual requirements for my password:
Passwords must meet the following complexity requirements:
Must be between 7 and 12 characters.
Must contain at least 1 upper case character.
Must contain at least 1 lower case character.
Must contain at least 1 numeric character.

Cannot contain any of the following characters: []|{}'()\/.,`>-_&=

There was also a button for generating a password to meet the requirements. Well sort of ...
I pushed the button and it popped up a window that contained a potential password and buttons for accept and cancel.
First FAIL - the password I was given only contained 6 characters.
Well that doesn't meet the complexity requirements - I did attempt to use it and was told that the password was not valid.
Fine, I'll just push the generate password again.
Second FAIL - the password I am given again only contains 6 characters. To be more specific, the same six characters I was given before. All right, it was the same password entirely.

So I turned to my old standby KeePass to generate a new password. I set the requirements to 12 characters, upper case, lower case and numeric and generated a new password, similar to this one: HZy2SIcH1wr3. I then copied the password into the web page twice and pushed the submit button. I then received notice that I cannot use the number 3 in the password - huh? What an odd requirement. I checked back with the requirements section and sure enough it does say that the number 3 is not valid in the password scheme. I wonder what their reasoning is for the numbers 3 and 8 not being valid. I have sent an e-mail to their support; if I get a response I will pass along the answer they provide.

If anyone has any insight as to why, I'd love to hear it. Adam Dodge already supplied one bit of humor:
Possible meeting notes for the discussion of password requirements
Fred: "I don't know Jim, people seem to like using 3 and 8..."
Jim: "Forget 'em"
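
As an added example (this is not code from the pay company's site or from KeePass), here is a checker and a generator for the policy exactly as the post lists it: 7 to 12 characters, at least one upper case, one lower case and one numeric character, and none of the listed forbidden characters. The rejection of the digits 3 and 8 that the post reports is not in the printed list, so it is kept as a separate, assumed set that can be added in; the sample password HZy2SIcH1wr3 is the one from the post. The generator draws from the OS CSPRNG and re-checks its own output, which is the property the site's generate button lacked.

```python
import math
import secrets
import string

# Policy as listed in the post (added example, not the site's own code)
MIN_LEN, MAX_LEN = 7, 12
FORBIDDEN = set(r"[]|{}'()\/.,`>-_&=")
# The post reports the site also rejecting the digits 3 and 8; that rule is not in
# the printed list, so it is kept as a separate, assumed set the caller can add in.
ASSUMED_EXTRA_FORBIDDEN = set("38")


def check_password(pw, forbidden=FORBIDDEN):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} not in {MIN_LEN}..{MAX_LEN}")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case character")
    if not any(c.islower() for c in pw):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    bad = sorted(set(pw) & forbidden)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def generate_password(length=MAX_LEN, forbidden=FORBIDDEN):
    """Generate a policy-compliant password from the OS CSPRNG (secrets, not random)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    upper = [c for c in string.ascii_uppercase if c not in forbidden]
    lower = [c for c in string.ascii_lowercase if c not in forbidden]
    digits = [c for c in string.digits if c not in forbidden]
    alphabet = upper + lower + digits
    # One character from each required class, the rest from the whole alphabet
    chars = [secrets.choice(upper), secrets.choice(lower), secrets.choice(digits)]
    chars += [secrets.choice(alphabet) for _ in range(length - 3)]
    # Fisher-Yates shuffle so the class-guaranteeing characters are not always first
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    pw = "".join(chars)
    # Unlike the site's button, verify the output against the policy before handing it out
    assert not check_password(pw, forbidden), "generator produced a non-compliant password"
    return pw


def entropy_bits(length, forbidden=FORBIDDEN):
    """Upper bound on guessing entropy: log2(alphabet size) per character."""
    alphabet = [c for c in string.ascii_letters + string.digits if c not in forbidden]
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(check_password("HZy2SIcH1wr3"))                                      # []
    print(check_password("HZy2SIcH1wr3", FORBIDDEN | ASSUMED_EXTRA_FORBIDDEN))  # ['forbidden characters: 3']
    print(generate_password(), generate_password())                            # two different passwords
    print(f"{entropy_bits(6):.1f} bits at 6 characters vs {entropy_bits(12):.1f} at 12")
```

The entropy figures show what the site's 6-character cap on its generated password costs: a little under 36 bits at 6 characters against a little over 71 bits at the policy's own maximum of 12.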


Have a good day and be safe out there.

James

Friday, October 31, 2008

All's quiet on the Midwestern front ...

Life has been fairly quiet in the Midwest over the last few weeks, well at least at my house. Especially since I stopped answering the phone after working hours - I live in a swing state, so I am being inundated with calls for this candidate and that candidate and the surrounding support groups. It has made it a bit difficult to study...

Yes, I said study.

I am getting ready to go take the CISSP exam on November 1. I will share some of my experience in the next few days. I was long hesitant to get the certification mostly because I did not see the value and did not think I needed to have it.

Well, I recently decided that I was going to look for another opportunity and quickly discovered that although I could get my foot in the door for an interview, I was having difficulty closing the deal because somewhere along the line the company had chosen to require that the new employee be a CISSP. I also had been part of an interesting discussion at the RSA conference in April about the merits of getting certified. Most everyone agreed that having a CISSP was not necessarily an indicator of the capacity and capabilities of a person, but that it was a simple equation: if the company is asking that you have it, you need to have it, and if you do not, you probably won't make it past the initial resume review. I liken it to having an MCSE in the late 90's or right after Y2K: not necessarily a ticket to the job, but it definitely gets you onto the correct platform to catch the train (or the hand cart, depending upon how many positions the company had).

If anyone is interested in attending the upcoming CSI 2008 conference in DC, November 15-21, the Security Bloggers Network has been offered a discount code to give out to all of our readers - BLOG25. This will get you a 25% discount on conference registration.

Be safer out there,
James

Wednesday, October 22, 2008

MCSF talk

I found out on Monday afternoon that a late-submission talk for the Midwest Consolidated Security Forum was accepted. Tickets are no longer available, but hopefully some of you are in attendance.
Michael Santarcangelo and I will be talking on podcasting and pop culture and how to use them in your security awareness programs. Our talk will be from 2:45 to 3:30.
If you are attending, stop by and say hi

Be safe out there.
James

Cowtown Computer Congress get together

Any of my readers who are in Kansas City are invited to join Michael Santarcangelo and myself at the next Cowtown Computer Congress get-together on Thursday, October 23rd, 2008 around 7PM at the JavaNaut - 1615 W. 39th St., Kansas City, MO.
Michael has been invited to give a brief talk
I apologize for the somewhat late notice, I meant to post this last week when I found out about it.

Be safe out there,
James

Friday, August 29, 2008

Juniper SSL VPN and Firefox on Windows white page workaround

My company does a lot of work with Juniper SSL VPN implementations.

There has been some odd behavior in Firefox on Windows machines when connecting to a Juniper SSL VPN. Immediately after login, users are taken to a blank white page. The URL of the page contains data/home/starter0.cgi?check=yes. The page you should be redirected to contains data/home/starter.cgi?check=yes instead.

Juniper's suggested workaround is to go back to the sign-in screen and log in again, or to remove the 0 from between starter and .cgi. Both are manual solutions; wouldn't it be easier to have an automatic one?

Well here it is.

Download the Firefox add-on Redirector - https://addons.mozilla.org/en-US/firefox/addon/5064

After installation you will need to restart Firefox

Open Redirector by right clicking on the R in the status bar in Firefox

Click Add…

The Example URL is the full URL you get stuck on, e.g. https://this.ismyexample.com/data/home/starter0.cgi?check=yes

The Include Pattern is https://this.ismyexample.com/data/home/starter0.*

Redirect to is https://this.ismyexample.com/data/home/starter.cgi?check=yes

Set the Pattern Type to Wildcard and click Test pattern

You should get a message that indicates that the pattern matches. If not go back and check your typing.

Click Ok

Click Close

Go back and log in again. You should go right past the page you were getting stuck at previously.
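
The same rule expressed in code, as an added example (this is not the Redirector add-on's source): the wildcard include pattern is turned into an anchored regular expression, the stuck URL is matched against it, and the rule refuses to apply unless the pattern names one specific host, so a rule written for your VPN cannot fire on other sites. A second function does Juniper's manual fix programmatically, dropping the 0 while keeping the query string. The hostname this.ismyexample.com and the URLs are the placeholders from the steps above, and the wildcard semantics (a `*` matches any run of characters) are an assumption.

```python
import re
from urllib.parse import urlsplit

# Values from the steps above (this.ismyexample.com is a placeholder hostname)
EXAMPLE_URL = "https://this.ismyexample.com/data/home/starter0.cgi?check=yes"
INCLUDE_PATTERN = "https://this.ismyexample.com/data/home/starter0.*"
REDIRECT_TO = "https://this.ismyexample.com/data/home/starter.cgi?check=yes"


def wildcard_to_regex(pattern):
    """Assumed wildcard semantics: '*' matches any run of characters, all else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches(url, include_pattern):
    """True when url satisfies the include pattern.

    Patterns whose host part is missing or wildcarded are rejected, so a rule
    meant for one VPN cannot be tripped by a page on some other site.
    """
    host = urlsplit(include_pattern).netloc
    if not host or "*" in host:
        raise ValueError("include pattern must name exactly one host")
    return wildcard_to_regex(include_pattern).match(url) is not None


def rewrite_url(url, include_pattern=INCLUDE_PATTERN, redirect_to=REDIRECT_TO):
    """Return the redirect target for a matching url, or None to leave it alone."""
    return redirect_to if matches(url, include_pattern) else None


def strip_starter_zero(url):
    """Juniper's manual fix done programmatically: drop the 0 between 'starter'
    and '.cgi' and keep the query string, so the target need not be hard-coded."""
    return re.sub(r"/starter0\.cgi(?=\?|$)", "/starter.cgi", url, count=1)


if __name__ == "__main__":
    print(rewrite_url(EXAMPLE_URL))                    # the starter.cgi URL
    print(rewrite_url("https://other.example.net/data/home/starter0.cgi?check=yes"))  # None
    print(strip_starter_zero(EXAMPLE_URL))             # the starter.cgi URL
```

If you copy the Include Pattern into Redirector with a wildcard in the host part, the add-on will happily apply it everywhere; keep the host literal, as the steps above do.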

Be safe


James

Wednesday, August 27, 2008

Keep a hand on your iPhone

Adam Dodge pointed me to this article on CSO Online this morning - http://www.csoonline.com/article/446281/IPhones_Can_Be_Unlocked_Without_Password
This afternoon a customer stopped by with an iPhone and was kind enough to let me test the hack out.
I was able to confirm that the simple tap sequence does work, but only if you have your home button set to go to your Favorites. My customer had his set to go to iTunes (go figure - he wanted to listen to the music on his iPhone).
So rather than remove all of your Favorites, set your home button to go to iTunes instead.
Be safe out there
James

Wednesday, July 16, 2008

Pop Culture Security Episode 2

Michael Santarcangelo and I have released the second episode of the Security Catalyst Show: Pop Culture Security.

The show is available here. Show notes are available here.

This time we are taking a different approach, we are covering two topics using several movies.

Michael and I had a great time recording the episode and hope that you enjoy it. We also want you to take what you hear and start applying it.

Be safe out there.

James

Wednesday, July 9, 2008

DNS vulnerability - patch it

I have been watching a lot of the reaction to the DNS vulnerability that was revealed by Dan Kaminsky and multiple vendors yesterday.

There have been a few people who have downplayed the seriousness of the situation, and for those of you still in doubt that this is a serious situation, I will point you to the retraction by Thomas Ptacek over at Matasano Chargen. Mr. Ptacek has always been one to stick to his guns when challenged about his postings, and his retraction shows the seriousness of the situation.

I think Microsoft is underplaying the seriousness of the situation by only rating the patch Important. This will probably change as soon as there is an exploit in the wild. I think that is unfortunate; DNS is core to the way we traverse the Internet - you got to this blog via DNS, I posted it using DNS, and e-mail delivery depends on DNS (MX lookups). DNS is core to the way we work.

There are servers that have been found not to be susceptible to this vulnerability, because they already randomize the source port of their queries. The first was djbdns. Dan Kaminsky did announce that there is another secure DNS server: PowerDNS, made by Bert Hubert. OpenDNS has stated in their blog that their implementation is secure against this vulnerability, which makes me feel better since I use them at home.

If you run a DNS server and you are not sure whether you are vulnerable, check the CERT advisory for your vendor's status. If your vendor is listed as anything other than "not vulnerable", follow the link to your vendor's website.

Be safe out there,
James

Tuesday, July 8, 2008

DNS trouble in the offing

Dan Kaminsky released information today about a rather serious vulnerability in the implementation of DNS on most major platforms.

Microsoft has posted information about it on its site here.

Rich Mogul has an interview with Dan here.

Arthur over at Emergent Chaos has posted here

Why should this concern you? Microsoft is listing it as Important rather than Critical, but I think they are undervaluing the seriousness of this vulnerability.

Quick overview of DNS for you. DNS is like the Yellow Pages of the Internet. Computers work better with numbers and people work better with words. When you want to find CNN.com, your browser contacts a DNS server to find out what IP address the site resides at. This is similar to the physical address associated with a business in the Yellow Pages. Think of the IP address as directions to that particular business. A typical IP address looks like this: 192.168.140.25. The first set of numbers (referred to as an octet) is, loosely, the city in which the business resides. The second set of numbers is the nearest major street to the business, the third set is the street of the business, and the final set is the street address of the business.
What DNS does is allow you to type in the name of the site you want to go to and have all of the "travel information" for your destination given to you.
Now imagine someone sets about printing Yellow Pages with incorrect information that will bring them profit. So rather than going to the real CNN.com (64.236.91.23), your DNS server has been given spoofed information to send you to a malicious website at 172.16.91.23. That is what this vulnerability makes practical: a resolver that accepts any reply carrying the right 16-bit transaction ID can be fed a forged answer by an attacker who guesses that ID, and the patches defend against this by also randomizing the query's UDP source port, so the attacker has far more to guess.

If you manage DNS servers, you should patch them as soon as possible. If you don't, you may want to make sure whoever does manage your DNS has patched their systems.
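
A check you can run yourself, added here as example code (it is not part of this post or the one above it): take the UDP source ports a resolver used for a run of upstream queries, captured on the resolver or observed at an authoritative server for a domain you control, and decide whether they look randomized or whether the resolver still relies on the 16-bit transaction ID alone. The three port samples below are constructed for the example, not captured from a real resolver, and the thresholds (median step under 64, span under 1024) are a rule of thumb, not a standard.

```python
import statistics

# Constructed samples of the UDP source ports a resolver used for 20 successive
# upstream queries (made up for the example, not from a real resolver)
FIXED_PORT = [53] * 20
SEQUENTIAL_PORTS = [32768 + i for i in range(20)]
RANDOM_PORTS = [17233, 60421, 3391, 44910, 58002, 9745, 23311, 51187, 1999, 36842,
                64501, 12345, 29876, 55555, 4040, 41922, 20123, 62799, 8760, 33210]


def port_randomization(ports):
    """Score a sample of source ports and return a dict with a verdict.

    A fixed or sequential allocator lets a forger predict the port, leaving only
    the 16-bit transaction ID to guess; spread-out, unpredictable ports are what
    the post-Kaminsky patches add. Thresholds are a rule of thumb (assumption).
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 samples for a meaningful verdict")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    median_delta = statistics.median(deltas)
    if distinct == 1:
        verdict = "POOR: fixed source port"
    elif median_delta < 64 or span < 1024:
        verdict = "POOR: sequential or narrow-range source ports"
    else:
        verdict = "GOOD: source ports look randomized"
    return {"distinct": distinct, "span": span,
            "median_delta": median_delta, "verdict": verdict}


def expected_forgeries(txid_bits=16, port_bits=0):
    """Average number of forged replies needed to hit the right transaction ID
    (and source port, when it is unpredictable) by guessing: about half the
    combined space. port_bits is an upper bound; real port ranges are a bit
    smaller than 16 bits."""
    return 2 ** (txid_bits + port_bits) // 2


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(name, port_randomization(sample)["verdict"])
    print("TXID only:", expected_forgeries())                 # 32768
    print("TXID + 16-bit port:", expected_forgeries(16, 16))  # 2147483648
```

The forgery count is per successful guess, not per attempt window: the reason the Kaminsky technique is so effective is that the attacker can ask the resolver for a fresh random name each time a guess fails, so a predictable port turns a long shot into a matter of minutes.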

Be safe out there,
James

(Edit) - as of 2:15 PM CDT Microsoft does not appear to have released the patch for this vulnerability.

(Edit 2) appears that the patch is showing up as 2 different Knowledge Base articles: kb951746 and kb951748

Thursday, June 19, 2008

Patching and updating

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics, but there was a bit of a shocking revelation for me: some companies are still not actively patching their computers. There was a computer with no patches for an old operating system.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base-level activity - it needs to be done. You don't have to have a high-end software solution for all of your applications. You can even use the Windows Update website to keep up to date (or patched with the last patches released for the OS).

Be safe out there.
James

Interesting series of events

I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car, ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do?

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of their effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject, and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.
James

Friday, June 13, 2008

What don't your users understand and help explaining it to them

Do you know what your users are confused about?

Do you know which acronyms you use that they are confused about?

Are you not sure how to explain a topic to your user community?

Michael Santarcangelo and I started a new podcast series in May based on the peer to peer session I facilitated at RSA Conference 2008 entitled "Pop Culture Security Awareness; finding security in the movies, TV, and other media." The premise is to use pop culture references to explain more complex topics in a way that connects you to your users and provides them with greater understanding.

Michael and I want to bring this to a larger audience, and here is how you can help us. We would like to know what questions are coming up for you that you would like a clearer way of explaining. Please send your feedback to popculturesecurity@securitycatalyst.com. Better yet, call our feedback number at 206-350-8346.

Friday, May 30, 2008

Kees and Andy have a couple of great points that I want to reiterate

My friend Kees Leune makes a great point about the disappearing edge.

A couple of years back it would have been fine to throw up a firewall to protect your network. Attacks were mostly inbound in nature and could be dealt with in a straightforward manner.

The siege mentality could be used to defend your network: if I put up enough outward-facing defenses (firewall, anti-spam, virus scanners, etc.), I can protect my castle. What we run into today is that the attacks are drawing us out to them; our trade routes and water supplies have to be monitored and checked. The cross-site scripting vulnerabilities that PayPal revealed it had show this very well. We trust PayPal with our money, but they still have vulnerabilities.

In today's networks, traffic needs to be monitored for anomalies. If you are not running an IRC chat, or your employees are not supposed to be accessing IRC, monitor for that traffic. It may be legitimate, but it might not be.

The "bad guys" knew in medieval times that if a direct assault did not work, getting someone to come out and take something from you (i.e. Troy) has a greater chance of success. They no longer have to lob dead animals over the walls at us. They set them outside our walls and let us know that they are providing them as food to us. Today's "bad guys" are adapting as well.
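
As an added example of that kind of monitoring (it is not from Kees's or Andy's posts, and not a real tool), here is detection logic run over a few constructed connection-log lines: it flags connections to the usual IRC ports and, to catch bots that move off the standard ports, also looks for IRC protocol commands in the first bytes of the payload, while skipping hosts on an allowlist of sanctioned IRC users so the legitimate case the paragraph mentions does not drown out the rest. The log format, the addresses and the allowed host 10.0.1.5 are all assumptions for the example.

```python
import re

# IRC ports and the commands a client sends first (message syntax per RFC 1459)
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
IRC_COMMAND = re.compile(r"^(?:NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG)\s", re.IGNORECASE)
# Hosts allowed to use IRC (assumed for the example, e.g. an ops box)
ALLOWED_IRC_HOSTS = {"10.0.1.5"}

# Assumed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> payload='<first bytes>'"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) payload='(?P<payload>[^']*)'$"
)

# Constructed sample lines (not real traffic); addresses are from documentation ranges
SAMPLE_LOG = """\
2008-05-30T10:01:22 10.0.1.15:51234 -> 203.0.113.7:6667 TCP payload='NICK bot1234'
2008-05-30T10:01:25 10.0.1.22:40122 -> 198.51.100.9:443 TCP payload='<tls handshake>'
2008-05-30T10:02:03 10.0.1.31:40880 -> 203.0.113.44:8080 TCP payload='JOIN #cmd :secret'
2008-05-30T10:02:40 10.0.1.5:50000 -> 192.0.2.10:6697 TCP payload='PRIVMSG #ops :deploy done'
2008-05-30T10:03:11 10.0.1.40:3000 -> 192.0.2.55:80 TCP payload='GET / HTTP/1.1'
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def irc_reason(rec):
    """Why this connection looks like IRC, or None if it does not."""
    if rec["src"] in ALLOWED_IRC_HOSTS:
        return None
    if rec["dport"] in IRC_PORTS:
        return f"destination port {rec['dport']} is an IRC port"
    if IRC_COMMAND.match(rec["payload"]):
        return f"IRC command on non-standard port {rec['dport']}"
    return None


def find_irc(log_text):
    """Return (src, dst, dport, reason) for every line that looks like IRC traffic."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = irc_reason(rec)
        if reason:
            findings.append((rec["src"], rec["dst"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in find_irc(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}: {reason}")
```

On the sample, the bot on port 6667 and the client talking IRC to port 8080 are reported; the sanctioned ops box on 6697 and the TLS and HTTP connections are not. The payload check is what earns its keep: a port-only rule misses the second case entirely.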

This leads me to what Andy Willingham talks about in this blog post.

Just because we've always done it that way does not make it the best way to do it now. On a regular basis, go back and reevaluate your policies and procedures. Ask questions that have not been asked before. Ask questions that have been asked before; you may be surprised that you get a different answer. Don't just accept "let me get back to you about that" as an answer.

The "bad guys" are willing to question the way things are done, hence how they find vulnerabilities. Take a page from their book. Look at your network from a different point of view. Rethink your network.

That's enough for me today.
Be safe

James

Thursday, May 15, 2008

Wow, I'm on a podcast

Michael Santarcangelo invited me to take part in the May 2008 Security Roundtable discussing the RSA Conference. I was honored to be asked and got a chance to participate with some of my fellow attendees:

Dr. Anton Chuvakin | http://chuvakin.blogspot.com/

Jennifer Leggio | http://mediaphyter.wordpress.com/

Martin McKeay | http://www.mckeay.net/

Michael Santarcangelo | http://www.securitycatalyst.com/

We had a great time recording and could have probably gone on for quite a bit longer about the experiences we all had. The podcast is about an hour and we hope you enjoy it. Please provide feedback here, I am interested to know what you thought.

I was using a Snowball microphone from Blue Microphones and thought the performance was very good.

I also have to apologize again for not posting in over a month.
I had a fairly lengthy post on my experience at the RSA conference and the surrounding events, and failed to post it. Then I started a new job which has taken up quite a bit of my thought cycles.
Hopefully I will get back to a regular posting cycle now.

Go out and be safer

James