Monday, March 31, 2008

Open letter to SC Magazine

Thanks for your (repeated) kind offers to purchase tickets for the SC Magazine Awards banquet in San Francisco next week. I will not be able to attend because the RSA Speakers Dinner is scheduled for the same time. Please discontinue sending me notices to purchase tickets.
Respectfully,
James


side note - This is not intended to be belligerent or knock SC Magazine in any way, I am just weary of receiving the e-mails. I also promised someone that I would post this if I got another SC Magazine Awards banquet request. You can figure out the rest.

Friday, March 28, 2008

OT - power of Free

One of my favorite authors and podiobook performers, Scott Sigler, is fortunate enough to have one of his works being released in print on Tuesday, April 1. Leading up to that he is releasing a free PDF of the book through his publisher's website, available here. The novels are very well written and are enjoyable reading. I will warn you, Scott is a sick and demented individual and his novels are much the same way, so if you are easily disturbed or do not enjoy horror this is not the author for you.
The novel is also available in an audiobook format here.

Thursday, March 27, 2008

Let's see where the carriers go with this

PC World has an article about a company called TapRoot that has developed a product that will allow users with 3G mobile devices to create a mobile hot spot using their phone. The main emphasis of the article is that it will be really easy to set up the WiFi connection on the phone to connect to the laptop.

I have one real problem with the assertion that it will be easy to set up as compared to other methods of using your phone to connect.

I have a Windows Mobile device and I use it to connect to the Internet on a fairly regular basis. The hardest part about setting it up was finding the ActiveSync install CD for my laptop. All I need to do to get to the Internet is connect the phone with a USB cable, allow it to finish syncing, launch Internet Sharing on my phone and push connect. Within seconds I am on the Internet and working. I'm really not sure how that qualifies as difficult. I can still place calls and use the Internet. I've done similar things with my BlackBerry and I have even used my Windows Mobile device with Linux.

There is a PDF about their product here. It is a centrally managed solution, either at the carrier or the Enterprise level. From what I have read, TapRoot is only going to sell to the carriers, who will then resell the service to their clients. This might be a product to watch.

On the other hand I'll probably stick to using my USB cable, I always keep one around.

I did change the original title as it was based on my initial reaction to the article and that changed after doing some further reading about the product.

Be safe

James

Wednesday, March 26, 2008

Sometimes when life gives you lemons...

The past couple of days have been interesting for me.

On Monday afternoon I got a meeting request from the scheduling coordinator at my employer to meet with my supervisor as soon as I got back to the office. I was in the process of troubleshooting a new VPN system at a customer at the time and did not think much of it. As the afternoon progressed it became apparent that the troubleshooting was going to take longer than I had originally thought due to some legacy configurations on the client's network (but that will be another story for another time). So I asked to schedule an appointment on Tuesday to meet with my supervisor.

On Tuesday I continued to work on the client's network and was able to navigate through the legacy configurations to interconnect the new remote sites to the rest of the network, and then moved on to a series of questions that another client had about setting up DNS records and resizing the C: drives on some of their core servers.

Over the past month or so I had noticed that many of my fellow security engineers had been sitting around the office with me, and when I commented on this to my supervisor he was concerned but said there should be quite a bit of work upcoming ("in the pipe" was the term he used). I was hopeful that this would be the case and that most of us would be out working on a regular basis again.

Unfortunately the work has not materialized as they had planned/predicted and cost cutting methods need to be taken. I was one of the cost cutting methods.

It worked out very similarly to what happened to Andy last year (read about it here).

I walked into the meeting with some suspicion of what was going on, as my inquiries as to what the meeting was about were met with silence. After a brief chat about the clients I had worked on earlier in the day, my supervisor told me that he had to make a difficult decision and, due to my salary as it compared to a couple of the other engineers who also had not been billable, I was going to be laid off.

This is not necessarily a bad time for this to have happened. I am going to be facilitating a Peer2Peer session at the RSA Conference in San Francisco. So if you are going to be in attendance and would like to set up a meeting with me, please e-mail me using my contact information under my details.

I was also wise enough to have discussed the possibility with my wife that morning, so we were prepared for this possibly happening.

I am thankful for her support and the support I have received from the other Trusted Catalysts and other members of the Security Catalyst Community.

I'll post my resume on line within the next couple of days. Thoughts, prayers and suggestions would be appreciated, comment below.

Monday, March 24, 2008

Dirty Water

JJ has a post on her blog about the unknown status of the water glasses at hotels.
I drink a lot of water and have a water softener / reverse osmosis system at my home. I tend to notice a lot of the interesting flavors and aromas in water because of that. JJ makes a good point about figuring out where those flavors and smells are coming from, and this also applies to security. Once you recognize that you have a problem, you need to figure out what the source of the issue is. How did the infected file make it into your network? E-mail (the water itself), a portable device or some other means (the glass or pitcher)? If you know what is causing the issue, you have a better chance of avoiding other problems in the long run.
If your network keeps getting infected but your e-mail is not the source, it is time to start looking at other sources. An infected laptop or thumb drive could be indicative of problems at an employee's home; if you don't work to fix that issue you will end up with the infection returning again.
Be Safe
James

Apple borrowing a trick from Microsoft.

Martin and Andy had interesting experiences with the Apple Updater last week.
I used to run Safari in a VM on my workstation to test out applications at a previous employer. I have not used it very frequently over the past year or so. I was prompted to update it several times over the course of the last year when I was running the VM. I was prompted over the weekend to install it on my main system, which did not (and does not) have Safari installed.
I am a bit disappointed that an application vendor would try to install something on my system without it having been installed before. I wonder how many people installed the software without reading what they were going to install.
This is nothing new. Microsoft has attempted similar things in the past through Windows Update - making XP Service Pack 2 a required update - the Genuine Advantage software - there are other examples.
We can also look to the web: ActiveX controls, JavaScript and Flash can all be automatically installed if the settings in your browser are incorrect (fortunately most of these do not work if you have kept the default settings).
Is this what we can expect in the future from software vendors? I would hope not. I might have had a different reaction to this if Apple had announced that they were planning this.
I have not seen a response or announcement from Apple as yet, and would be interested in knowing what they have to say.
I was originally going to say that I was never going to use Safari again, but I have an iMac in my basement that I use from time to time, so that would not have been an accurate statement on my part. Will I install it on Windows? Probably not. Will I buy another Apple product? We'll see.
John Lilly, the CEO of Mozilla, has a different take. I can't really blame him, but I am more on the annoyed side than angry. But I don't have a horse in that race. (Sorry for the bad pun - I have to get those out of the way from time to time).

Be Safe
James

Thursday, March 20, 2008

Social Networking

I have noticed a large number of my fellow security bloggers and Security Catalyst members participate in a few different social networking sites.  I have been reluctant to get involved with most of them because of what I see as their aims.  This is not a critique of others who have joined, I just wanted to share my thinking.
I am a member of LinkedIn and the Security Catalyst Community because of their focus on career and security.
I have avoided joining FaceBook and MySpace because I am 35 and married and can't really justify joining to myself.  And probably not to my wife either.  So if you come across someone claiming to be me on either of those sites and you don't see a post here that says that I have joined, don't believe that they are me.  I did have a friend get pranked by some coworkers of his that made it appear as though he was involved in activities outside of his marriage; his wife recently was shown the page and did not take to the joke.  I think he is still sleeping on the couch and none of his coworkers are welcome at their home at the moment.
I am not on twitter because I think that it would take up a lot more of my time than I can really justify.
I don't want to put myself too far out there.  I am a fairly private person with people I do not know and I don't know more than 1% of the Internet. 
How will I manage to not share more than I need to:
  1. I will not share anything that I am not comfortable telling my mother or my daughter
  2. I will not join sites that do not have some direct connection to my business life
  3. I will not lie or misrepresent myself to others
  4. I will take what others say about me with a grain of salt and will ignore things said by people I do not know.
  5. I will always reread before I post.
  6. I will apologize if I have said something inaccurate or incorrect.  I will not apologize for disagreeing.
Those are some basic guidelines for myself; if I come up with others that I am willing to share I will post them.  Take them or leave them, but please think before you post.

Be safe

James

Tuesday, March 11, 2008

Odd experience subscribing to a magazine

This is not necessarily a directly security-related post, but it is based in the mindset that I have when I am shopping and a lesson that I learned the easy way.
I recently subscribed online to a magazine I had been reading for a while. I am not going to name the magazine because the issue was with perception and not with anything that they were doing. The magazine subscription is $49 per year in US dollars; the publisher and subscription company are based in Europe and use local currency for the exchange rate.
Nowhere in the process of setting up my subscription did I notice anything that indicated that the transaction would be in anything other than US dollars. Though my first clue should have been that the name of the processing company included the name of the country in which the publisher is based. I may have completely missed a notice related to this, but I have gone back through the process and do not see anything related to this.
What brought the exchange rate to my attention was when I was entering receipts later in the day: I took the printout from the purchase and was shocked to see that the amount was not $49 US but 114 (local currency to the publisher). I made a couple of calls to the New York location for the magazine and they explained that it was local currency and not US dollars.
I was a bit concerned that I had been ripped off, but after verifying that the exchange rate was correct, I let the matter drop.
Then I started thinking about it. This was a legitimate purchase; how easy would it have been for them to bump up the amount they were taking from the account?
So I started reviewing what I had done to ensure that my transaction was not going to go bad.
  1. Know who you are dealing with - don't buy things from a retailer you know nothing about - do research - Google is your friend.
  2. Do not use your actual credit card number - just about every bank has an online feature to allow you to generate a temporary card number for use online. Use this service.
  3. Read your receipts - this is the one thing I know that I need to do a better job of; pay attention to what the final total you agreed to pay ended up being.
  4. Follow up with your bank - if you have made a purchase at a site that makes you uncomfortable, check your statements, or better yet log on to your credit card's website regularly and look for charges you do not recognize.
  5. Trust your instincts - if you don't think you should be buying it there, don't. If it costs a dollar more to get it from a major retailer, but saves you time and money by not endangering your finances, then the dollar is worth it.
Hopefully some of that will help someone.

Be safe, shop smart

James

Monday, March 10, 2008

Club Penguin

Martin McKeay has a good post about Club Penguin at his site.
I have been reluctant to sign up my daughter for similar clubs and admittedly have not done research to see which are the most secure. I heard of Club Penguin a few months back when they were purchased by Disney and now I think I will take a closer look before deciding.
Thanks Martin for reminding me to look into things like this.
Be safe
James

Monday, March 3, 2008

Strange DNS issue

I had a customer recently change ISPs at their main office, and suddenly they were unable to connect to their hosted web site. The rest of the world was able to connect to the website, but their internal users were getting redirected to the internal pages on their domain controllers - specifically the default web page on an IIS implementation.

To test the process out I connected to their web site - http://www.domain-name.com and I was presented with the beautiful web site that had been crafted for them.

Then I connected into their network, logged on to a server in their environment and tried the same process of connecting to the web site. This time I was indeed presented with the IIS default page.

The customer thought that they were having problems connecting to the Internet, but I was able to disprove this by being connected remotely to their networks and by being able to connect to other sites on the Internet.

The problem was limited to the customer's web site and no other sites.
So the first step was to determine where the customer's network was directing traffic.
ping www.domain-name.com from my physical location answered back with the actual address 5.16.85.3

Internally at the customer, ping www.domain-name.com answered back with the IP address of one of the domain controllers: 127.1.0.21, 127.1.0.19, 127.1.0.18.

The next tool to use was nslookup.

Here is the output I received at my physical location.
C:\nslookup
> www.domain-name.com
Server: other.otherdomain.com
Address: 10.1.1.200

Non-authoritative answer:
domain: domainname.com
Address: 5.16.85.3
Aliases: www.domain-name.com

This looks fairly normal other than the last line, but I will get back to that in a minute.
So I did the same at the client site.

c:\nslookup
> www.domain-name.com
Server: domaindc1.domainname.com
Address: 127.1.0.19

Non-authoritative answer:
domain: domainname.com
Addresses: 127.1.0.21, 127.1.0.19, 127.1.0.18
Aliases: www.domain-name.com

Again the alias shows up. So I paid a visit to my friends at Central Ops.

DNS records
name class type data time to live
www.domain-name.com IN CNAME domainname.com 86400s (1.00:00:00)
domainname.com IN NS dns030.b.register.com 86400s (1.00:00:00)
domainname.com IN NS dns010.d.register.com 86400s (1.00:00:00)
domainname.com IN A 5.16.85.3 86400s (1.00:00:00)
domainname.com IN NS dns036.c.register.com 86400s (1.00:00:00)
domainname.com IN SOA
server: dns109.a.register.com
email: root.register.com
serial: 200007331
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
86400s (1.00:00:00)
domainname.com IN NS dns109.a.register.com 86400s (1.00:00:00)
domain-name.com IN A 5.16.85.3 86400s (1.00:00:00)
domain-name.com IN MX
preference: 10
exchange: mail.domain-name.com
86400s (1.00:00:00)
domain-name.com IN SOA
server: domain-name.com
email: hostmaster.primary.net
serial: 1203777421
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
86400s (1.00:00:00)
domain-name.com IN NS dns2.primary.net 86400s (1.00:00:00)
domain-name.com IN NS dns1.primary.net 86400s (1.00:00:00)
3.85.16.5.in-addr.arpa IN PTR static-5.16.85.3.primarynetwork.com 86400s (1.00:00:00)


The key here is the CNAME: what this is telling us is that www.domain-name.com is an alias for domainname.com, so the resolver has to look up domainname.com to get an address. This works fine out on the Internet but not at the client's office, because their internal domain is .... domainname.com.

Here is how this process works on the Internet.
An Internet user requests a connection to http://www.domain-name.com and his/her DNS server asks the root DNS servers. The root DNS server refers the request to the servers that handle the .com domain, which in turn refer it to the server that handles domain-name.com. The server that handles domain-name.com then provides the alias for www.domain-name.com, namely domainname.com, and the process starts again with a request for domainname.com. This works because the local DNS server has to go out and request this information, as it did not know it before (i.e. its local cache does not contain the information).

The same process occurs at the client site until the alias of domainname.com is returned. The local server has a zone for the domain domainname.com and considers itself an authoritative responder for that domain (which it legitimately is for the internal network), so instead of asking the Internet for domainname.com it answers with its own records: the domain controllers' addresses.

The fix.
To fix this in the client's office network I added a small zone for www.domain-name.com to the internal DNS servers and pointed its parent/root record (the record with the same name as the zone) to the IP address of the hosted web server.
Client PCs were then able to connect to the hosted web site.
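To make the mechanism concrete, here is a small resolver model, written for this post and not something the author or the customer ran. It uses the names and addresses exactly as they appear in the nslookup and Central Ops output above; the resolver logic itself is a deliberate simplification (no network, no caching, no TTLs) that implements only the rule that matters here: a server that holds an authoritative zone for a name answers from that zone instead of going to the Internet, and the most specific zone wins.

```python
"""Model of the CNAME-shadowing problem described in the post.

Two resolvers see the same public zone data.  The office resolver additionally
holds an authoritative zone for 'domainname.com' (the customer's Active
Directory domain), which shadows the public domainname.com once the public
CNAME for www.domain-name.com is followed.
"""

# Public DNS data, reduced from the Central Ops output in the post.
PUBLIC_RECORDS = {
    "www.domain-name.com": ("CNAME", "domainname.com"),
    "domainname.com": ("A", ["5.16.85.3"]),
    "domain-name.com": ("A", ["5.16.85.3"]),
}

# Internal zone the customer's domain controllers are authoritative for.
# The addresses are the ones the post reports for the domain controllers.
INTERNAL_ZONE = {
    "domainname.com": ("A", ["127.1.0.21", "127.1.0.19", "127.1.0.18"]),
}

# The fix from the post: a separate zone whose apex record is the web server.
FIX_ZONE = {
    "www.domain-name.com": ("A", ["5.16.85.3"]),
}


class Resolver:
    """A toy recursive resolver that prefers its own authoritative zones."""

    def __init__(self, authoritative_zones=None):
        # zone apex -> {owner name: (record type, data)}
        self.zones = dict(authoritative_zones or {})

    def _find_zone(self, name):
        # Longest-suffix match: 'www.domain-name.com' is checked before
        # 'domain-name.com' and 'com', so a more specific zone wins.
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name, max_hops=8):
        """Return (trail, addresses); trail lists each (name, type) consulted."""
        trail = []
        for _ in range(max_hops):
            zone = self._find_zone(name)
            if zone is not None:
                # Authoritative for this name: never ask the Internet.
                record = self.zones[zone].get(name)
            else:
                record = PUBLIC_RECORDS.get(name)
            if record is None:
                return trail, []  # NXDOMAIN in the real world
            rtype, data = record
            trail.append((name, rtype))
            if rtype == "CNAME":
                name = data  # restart the lookup with the canonical name
                continue
            return trail, list(data)
        raise RuntimeError("CNAME chain too long")


def resolve_from_internet():
    """An outside resolver with no local zones: follows the CNAME to 5.16.85.3."""
    return Resolver().resolve("www.domain-name.com")[1]


def resolve_from_office():
    """The customer's DC: follows the CNAME, then answers from its own zone."""
    return Resolver({"domainname.com": INTERNAL_ZONE}).resolve("www.domain-name.com")[1]


def resolve_from_office_after_fix():
    """The DC with the extra www.domain-name.com zone: the CNAME is never reached."""
    zones = {"domainname.com": INTERNAL_ZONE, "www.domain-name.com": FIX_ZONE}
    return Resolver(zones).resolve("www.domain-name.com")[1]


if __name__ == "__main__":
    for label, fn in [("Internet", resolve_from_internet),
                      ("Office", resolve_from_office),
                      ("Office after fix", resolve_from_office_after_fix)]:
        print(f"{label:>17}: {fn()}")
```

The office resolver never sees the public A record for domainname.com because it stops recursing as soon as a name falls inside a zone it owns; that is the same reason a split-horizon setup has to carry every public name that lives under an internally-hosted domain. The fix works because the new zone is a longer suffix match than domainname.com, so the lookup is answered before the CNAME is ever followed.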

Customer was happy and I had an interesting story.

Be safe.

James

RSA peer to peer facilitator

I am proud to announce (and a bit ashamed for waiting so long to do so) that my submission to facilitate a peer to peer discussion was accepted and I will be facilitating my session on Thursday April 10th at 3:50 PM. If you are going to attend RSA please take a look at my session and sign up.
There is a possibility that it could be given a second time, but only if enough people sign up for the session.

Title: Pop Culture Security Awareness: Finding Security in Media, News and Books

Overview - The discussion will focus on making security awareness training more relevant by relating it to pop culture references not specifically grounded in the computer industry. The session will encourage participants to pick out and discuss the merits of these examples and use the examples to improve communications with non technical and limited technical audiences.

So if this sounds interesting to you and you are attending, please sign up. I know there are still seats available. The session is running against a couple of keynote sessions, and I know that the other session at that time is already full.

I do plan on keeping this light and fun, but it does have the potential for creating some serious impact for your organization.

I am going to allow feedback on this entry, so let me know what you think.

Be safe.

James

Wow, I really missed an entire month

I spent the last couple of months at a client site for a company that asked me to not blog about my experiences while I was there and I guess I just sort of kept going with that for a little bit longer.
I am going to post more regularly starting this week, so look forward to:
creating a fail-over solution using a wireless bridge and a T1 connection between two sites using Cisco 3500 series switches.
troubleshooting a DNS problem that is only affecting one client while the rest of the world is able to connect to their hosted web site
pop culture and security