The “next year” predictions has begun. McAfee issued their list of top threats for 2007. While they are driving their own market, they also take the easy road and state the obvious. It reminds me of the Top 20 Attack Targets from FBI/SANS which covered just about every broad base in the digital world that you can. Great, talk about useless.
For my part, rather than just rehash the same old, I thought I would just issue out some thoughts I had for the coming year and beyond, by going out on just a little bit more of a limb than saying, “spam will rise.”
convergence of culture on security policy – In the coming year and years we will see more of our digital culture permeating every aspect of our lives, and workplace policies will need to adjust or become obsolete or even barriers to getting good talent. Web filtering, Email filtering, IM controls, device restrictions, and the like will all be challenged as the Internet generation continues to fill more and more roles in the workplace and the digital lifestyle fills up and moves beyond just personal time. Companies need to embrace these changes and technologies now, instead of waiting until the pot boils over. It might be tough to properly handle IM, but it should be started now anyway. And dare I mention continued DRM and copyright troubles? Naa, that’s obvious.
pockets of wireless driver exploits – The wireless world did not see huge gains this year in tech, but it did collectively hold its breath for news on wireless driver vulnerabilities. Granted, we had to wait longer than expected, but they are obviously present. And who updates drivers anyway? (Only three groups in Windows: gamers, people reinstalling their system [albeit usually from a disc], and us geeks…a vast minority of users…) Because of this, and the continued trend for municipalities to roll out widespread wireless access, I expect some pockets of wireless exploits to be had, whether it be a muni, airport, or university or corporate campus. Considering how deep the vulnerabilities get and how often people do not update their drivers, I expect something like this to be wormable, especially from an airport or location where the infected laptops migrate offsite. Issues like this might not be found out for days, when it is too late.
Managed security and IT takes a strong hold – More and more companies will realize that IT and security is expensive. It is difficult to manage, and even more frustrating for the professionals who know what to do but don’t have the time to perform the needed tasks, or for the professionals who don’t know what to do but have to take time to become experts. Ask any pro who has had to juggle their daily tasks while also researching the viability of blades and/or virtual systems. Suddenly you have to be an expert. Why do all this when this can be outsourced or at least managed by a third party. And as this continues, the industry will grow as well, by experiencing scales of economy and being able to best utilize expert knowledge and quality talent properly. Why should one awesome security pro manage only one client, when they might be able to effectively manage 5 with some extra hands to help? This is a classic fully mutual economic growth where companies will fuel this and providers will get better.
More disclosure debate – The disclosure debate will get hotter, especially just today with announcements of the Week of Oracle Bugs being cancelled due to some external pressures and Vista coming out. This debate will get ugly before it gets better, especially if something else comes out that really exposes government, critical infrastructures, or large swaths of people. And if people start exposing exploits, will someone finally sue for having spoken out about it? Should we pretend they don’t exist until someone uses them and gets caught or detected? Hopefully this stays out of the mainstream media otherwise we’re all in trouble.
laptop theft and data disclosure not going away – Ever since we’ve had laptops, we’ve had lost laptops and data on those laptops. The media keeps acting like this is some new amazing trend we’ve never seen before, but it is as old as the concept of possessions. This will not be going away because we continue to make laws to disclose losses, we get better at detecting and tracking these things, and the number of mobile devices and expectations of mobile work is still growing at a huge rate. I just hope the media stops reporting every single one, thus numbing everyone about it.
the rise of the browser – The web browser is already an over-powered computer application. It has become almost bigger than the OS itself, and will keep going until all you need is an OS and a web browser to access all you need. This is dangerous and illustrates how technology is pushed and pulled without regard to security. Web 2.0 has assured this.
the decline of the OS – The OS is slowly going to fall out of vogue. People hate upgrading and the insecurities, people don’t want to pay money to have their known and accepted OS replaced with yet another interface that must be learned. And with the rise of the browser, there is a very real chance that security just gives up on the end system and moves security into the network. Next year will be a dangerous time for the OS and browser, and Vista right now holds the reins.
Mac will have malware – The Mac will finally get hit with some definitive malware, which can finally shut up all the Mac fan boys (my next laptop will be a Mac) who keep dodging around and protecting their precious “no malware on Mac” claims. This will occur next year, and we can all finally move on with life and get some great things done without this marketing zealotry always muddying the waters of the blogs and media.

My move to Linux as my main computer system is about 80% done, I think. That figure does not include things that don’t run in Linux, like Ventrilo, some games, and Soulseek (p2p network). But the rest is coming along nicely.
I can now rip new cds using Grip. I have installed XChat for some IRC socializing (I had no idea there was a Windows version of XChat…yeesh). I found that GAIM will support GoogleTalk (Jabber) although it won’t do voice chat. And I’ve shored up some problems with Totem and Mplayer not being able to play some media files like WMV files.
Basically just ironing out lots of little issues and problems this weekend. My external (NTFS) drive still is a bit picky. Sometimes I can write/delete files, but sometimes some files just won’t delete. I’m tempted to just run a backup of the data, format the drive in FAT32, and be done with it. I know I’m not really utilizing the powers of NTFS on it anyway, even in Windows. A thought to toss around…in the meantime, I’m becoming more familiar with mount/umount.

Sometimes even I get some spam mail that makes me blink and think for a moment. I received an email about an order I didn’t make on Newegg.com, a site that I frequent fairly regularly. The email came to my email account registered on the site, and had no links, only an attached .pdf.exe file. I even logged into Newegg.com just to make sure there were no purchases. I then checked the headers on the email that purportedly came from info@newegg.com and it instead came through an email server at bunsen.com, which forwards over to the official web site of The Muppets. In checking records, yup, the originating server appears to be part of the go.com network, which is part of Disney. But in checking my mail server logs, I see this email actually came from a system on a cable connection in Turkey.
While we talk a lot about security and how things can be circumvented and broken, rarely do we get down deep enough to talk about how trust is being affected.
I cannot trust the content of email.
I cannot trust the values in the email fields.
I cannot always trust the headers shown to me when I dig deeper.
I cannot trust the sender.
I possibly cannot trust Newegg.com with my info.
I might have distrusted The Muppets and Go.com and Disney.
I might not trust dns and whois information.
I might distrust foreign servers.
In the end, sometimes you can only wrap yourself in the comfort of the trust implicit in the protocols underneath the Internet, the logs of the devices and services offered…which is typically beyond the reach of your average user…

Just read here some more unnecessary security terms. “Evil twins” is already better described as a rogue AP. And “wireless phishing” is just lame.
Please, unless the method is brand new, don’t invent more terms for things that already have terms, for all our sakes.

Locutus has an awesome post about what he feels makes a good IT professional, and I totally agree with him. Here is a quick summary in his presented order:
1) A passion for the work
2) Ability to solve problems and research solutions
3) Ability to solve problems and research solutions with time and organizational pressure
I like his first point the most, as it is what I call the “geek” trait. I’m a computer geek meaning work is also my hobby is also my enjoyment. My tinkering with technology does not stop at 5pm nor start at 8am. It bleeds into every part of my day and life for the most part.
This is the whole reason why I fight to have jobs where I can treat both “lives” as similar as possible. When at home, I don’t wear a tie when ironing out a problem, so wearing one at work takes me out of my normal, and productive, state of comfort. (Not that I truly HATE it or something, it’s just a little thing.) Likewise, I might have days where my productivity would be huge at home compared to at work, or at least huge when I’m happy. And if this is my hobby and what makes me happy, it follows to help me be happy at work so that I can be productive there as well.
Ok, end rant. 🙂 I’m sure I’ll complain about this until I actually have a job that doesn’t require a tie 80%+ of the time…and even then wear one regularly.

Andy has an awesome post about the realities of small business IT. IT infrastructure is expensive, let alone trying to implement IT in a secure and scalable and proper way. Also let alone trying to afford staff or consultants to support that IT and security. This puts pressure on individuals, small companies, and even mid-sized business to spend that sort of money or accept risks. This puts more emphasis on lightweight and open source tools. Which puts more emphasis on IT staff with those kinds of skills. Which puts more weight on paying their salaries.
As Andy says, even implementing the most basic things like backups can be difficult and painful.
Ahh, the continuing conundrums of IT security.

Sometimes I really get something in a bunch over the latest and greatest article that makes IT and IT security sound so easy on paper. I especially dislike reading about things like that from a journalist who may or may not even know how to implement and support the given steps and commentary. While I can’t usually comment on their background and experience, sometimes it is pretty obvious when someone is writing about “good to haves” and “theoretical approaches” and “base-case scenarios.” In reality, most companies will never match those steps.
Today’s victim is an article on the 8 steps to a secure network found on zdnet.com.au.
1. Verify the current connections – Verifying the connections on the firewall is a good exercise, so that you know your common endpoints. Sadly, this works only in small networks that have tight control on installed software and desktops. In a large network, this will change too much to be of too much use. In networks that do not have tight controls, you can have a few instances of Skype that will constantly be running suspicious connections to various places in China, Taiwan, Iceland, Denmark, and so on. Investigating these is just an exercise in wishing for tighter desktop controls. It might be better to look for some common destination ports like 22, 21, or some others that would be suspicious.
2. Look at network traffic statistics – This is a good step, and any network admin should be pulling these stats or at least checking the latest numbers every morning. Sadly, this is usually the realm of a specialized network device or a Linux box doing some traffic analysis, two things beyond the reach of many admins. However, if the aptitude on the team is such to get good numbers, this is an excellent step.
3. Look at your antivirus logs – Centralized logs for host-based antivirus is either something a smaller network would love to have or unnecessary traffic storms on larger networks. Network-based antivirus may be better suited here, or something on a chokepoint like the email servers. Checking for updated signatures should be mandatory, but checking for captured viruses is less interesting. Not only that, but the logs won’t tell you the more important information: what wasn’t caught by the signatures.
4. Read the security logs on your domain servers – Reading Windows event logs, particular security logs, is about as bad a task as I can think of in IT and security. Hopefully anyone who has an interest in Windows security logs will be aggregating these somewhere and alerting when things like logon failures occur. If password policies are configured to properly lock out after 5 attempts and require admin intervention to unlock, this becomes moreorless a waste of time.
5. Check for new security patches – As much as I might take exception to most of these steps, I do like this one. Keep an inventory of important systems and software and do regular rounds of checks on security updates. This doesn’t need to happen every day, however. And hopefully you are controlling and know what is on your network…if not, good luck in getting everything adequately patched.
6. Meet and brief managers – Most of the time, the above 5 steps aren’t going to be terribly interesting. Step 1 might be interesting only because of the sheer number of “suspicious” connections that may or may not be around. Eventually this task will numb managers and the meets will turn informal and then non-existent. I think it would be more efficient to do this once a week.
7. Check more logs – Ok, I think this author is envisioning someone doing this job and only this job. All they do is check logs and security patches, kind of like a junior NOC operator or something. IDS/IPS logs should be checked, yes, but typically they are less useful than someone checking Snort or running some robust Linux tools for analysis.
8. Turn knowledge into action – This is a good step, but should be part of every piece mentioned above anyway. Take your information and work to either get better information, massage down the unnecessary information, implement changes like security patches, and research new tools to do all of these steps better.
conclusion – Over all, this sounds like a really cakewalk sort of job, and likely all that someone who followed these steps would be doing every day. Unfortunately, the reality is different and most admins seem to need to wear various hats or attend to other projects. These steps above are typically the first things to go when time is short. That’s not ideal, but that’s reality for most of us.

I took the time needed to get Thunderbird all set up with my email on my Linux install. This was very easy since I use Thunderbird on Windows and was already quite familiar with the app. Good times!
I still need to get my hands on a legit or properly cracked (and still working) version of Windows XP Pro so that I can finish my VM install. I really want this so that I can run a few random little things that I need to run in Windows (like Ventrilo).
Next on my list is to iron out mounting my external hard drive with write access. The drive is saved in NTFS, a Windows standard. While there are tools and ways for Linux to write to NTFS properly, there is still (after numerous years) disclaimers saying that the whole drive may still get hosed up. So I need to dig out another drive and perform a full backup of this external drive. I need to do this anyway as it has been a while since I backed it up. Either way, this shouldn’t be a huge deal. Copy data over, install the NTFS tools on Ubuntu, mount the drive, test out write/delete/move functions. Done!
I also started playing with the new tools that Linux opens up to me. I installed kismet and played with it a bit, far deeper than I’ve ever played with it before on livecds like BackTrack. I even got to figure out how to edit shortcuts, the Gnome desktop layout, and application menus. More good times!

Just a couple ideas for office pranks on the managers.
1) Order up some jars or vases (the more magical or Alladin-like the better, add in cork tops too!) and fill them with colored sand. Either solid colors or even do that cool layering for a more rainbow-like effect. Keep the jars of sand on your desk and label them: “Malware cleaning,” “speed booster,” “erorr fixing.” Then when your manager comes by asking about an error or problem on a server, wordlessly choose the appropriate jar of sand and disappear into the server room…
2) Get a bit of white sand or salt and make a line of it on a server room desk (I don’t recommend in your cube in case someone reports you!) like it is a line of cocaine. When the manager finds it or walks in while you’re slaving away on some important downtime, let your manager know that they’re driving you so hard you have to do cocaine just to keep things running.

This presentation discusses new techniques associated with malware detecting the use of a virtual machine. Researchers typically examine malware on virtual machines. If malware can detect use of a virtual machine and then prohibit execution, reverse engineering the malware becomes a little bit more difficult. Could this mean running a thin client connected to a desktop virtual machine might be more secure? Perhaps, but I think it will be more likely to result in some really bad malware should any of the virtual drivers or virtualization software have any vulnerabilities discovered. It is a bit disappointing still that the virtual machines can be detected (beyond just the drivers saying “vmware display driver,” for instance. Then again, it might be asking a little too much to expect VMs to be indistinguishable from physical systems.

Running malware in a virtual machine is common for researchers looking to examine the effects and even reverse engineer the malware. This presentation goes into some of the new techniques associated with malware detecting the use of a virtual machine in order to stop execution and prevent reversing. Of note, if we can have malware execution stopped by virtual machines, could end users be a bit safer by using desktop systems as virtual machines (with a thin client front end)? Or perhaps will malware be able to specifically sniff out and target virtual machines if some vulnerability were found in the, say, virtualized drivers?

This malware analysis is amazingly interesting to read. While not too deep, technically, this is the kind of analysis that is not really beyond any typical sysadmin or desktop support person.

A few points on why this is significant.

1) The malware is downloaded via social engineering someone to download a free codec in order to play some video. This is not atypical behavior, in fact, I see this every now and then on legitimate (non-porn) movies and happily go searching for codes or just let it auto-check and install. A typical user will be fooled by this attempt, as could any user searching for the codec randomly (if you need a divx codec, you hit divx.com, you don’t randomly search for and install the myriad odd “divx” codecs from mysterious sites).

2) The malware took over the DNS queries of the system and even actively took over browsing targets in IE. It is possible this malware could return commands via DNS responses? It is definitely possible, as the analysis authors mentions (I really like when authors illustrate just how bad things could get with a piece of malware), that false DNS requests can be given. You want Windows Update? No, you want our site to download false Updates with more malware! I’d really like to see some packet captures of the results, if they are abnormal in any way.

3) Just goes to show that if malware can get you to execute a file on your system, that system is no longer your system.

If we’re in web 2.0 right now with Gmail, Ajax, Ruby, YouTube, Flickr, and so on, what was before that?
web 0.1 – The first web sites; not much to speak of, and I doubt any still exist.
web 0.5 – Around 1995-1998ish with the annoying proliferation of flaming torches, animated rainbow lines, embedded midi, and terrible design. GeoCities is a household name (albeit in geek households).
web 1.0 – Everyone can be a web designer, and designs actually started to mature and not look quite so “GeoCities.” Embedded midi is out. Animated gif attacks are out. Stylesheets and databases are in.
web 2.0 – Not everyone can be a web designer. Programmers and extra-mile languages are taking over to offer full application-style sites. Objects are in, playing with code is out. The tools are sophisticated enough that web newbies don’t need to code, they can click buttons, sliders, toggles, and otherwise drag-n-drop content.
So, where does MySpace fit in? The answer is, it doesn’t. MySpace resembles web 0.5 with annoying embedded musics, terrible designs, and atrocious layouts. It really is a modern GeoCities (now, there are many people with very nice-looking sites, but random browsing on MySpace is an exercise in ugly).
But so many people and bands and groups are posting there and using them to host their official sites. This means that MySpace either needs a makeover to become Web 2.0 compliant, or someone will take that space over and offer exactly what MySpace offers, only easier, prettier, slicker, sexier, and modern. Considering the “ugly” stigma that MySpace has, getting people onto a new service that is better shouldn’t be much harder than Google toppling Yahoo back when Yahoo went out of style and Google was “it.”

I was putting up a list of things to “predict” for next year, for my own amusement. It looks like one is coming true sooner than intended as the Month of Kernel Bugs has released a second wireless driver flaw along with Metasploit exploit.
There are three reasons this is huge right now: 1) lack of patching channels, 2) lack of hardened drivers, 3) and growing emphasis on mobility and wireless.
While Windows and other OS and software apps have various levels of seasoned updating and notifications, the driver community has no such luxury. In fact, neither do the corps who use hardware drivers like Dell, Gateway, HP, and so on. Customers are really on their own to know there is an issue, know how to find the right driver (still easier said than done on most of those sites), and install it properly (still sometimes a very arcane and archaic process).
This is a huge mess that isn’t waiting to happen anymore; it’s happening now. I now predict that 95% of all affected systems will not be patched until they are either rebuilt or retired to a garbage heap.
Second, drivers have long been relatively untouched in the media, and as such all their vulnerabilities and code issues have remained in the underground, if anywhere. But combine wireless proliferation, fuzzing, and virtualization, and it was just a matter of time before hardware drivers got the evil eye. Sadly, driverland is not ready for such attention, and I expect a lot of vulnerabilities to be exposed in the next few years in various hardware devices. The code is soft and not hardened over years of exploits and poking.
This is also important because of the growing prevalence of widespread wireless capabilities and laptops roaming around all over. And how default settings leave wireless network cards turned on. All it takes is a running laptop with an active wireless network card to be exploited. It doesn’t even need to be associated with a network, and it can be rooted. It can then, possibly, spread.
I also predict there will be some wormable exploits popping up, but thankfully should only be problems in larger hotspots like airports or college campuses or muni-wifi implementations. However, this could still slowly spread from laptop to laptop in an apartment complex or metro area.

We have a lot of denial about security in our society right now.
Many people will admit, sometimes after a few thoughts, that breaking into someone’s house is typically not that hard. Watch “It Takes a Thief” on Discovery and you’ll see that the same fundamental issues occur most of the time. But as much as people will grudgingly admit how easy it could be, that is typically just un-thinking lip service. Very few people, inside, admit they can be victimized. Very few people take the time to implement fundamental security measures that greatly impact the risks of a break-in. Something as simple as a security alarm and proper locks on doors. But yet, very few people do these things…and then shed tears and feel violated when they do suffer a break-in. Do we just like to pretend it won’t happen to us? Or do we just not want to spend the money or the effort? Typically, all it takes to break into someone’s house is a little bit of effort and some balls enough to overcome the internal sense of right and wrong.
Identity theft is still very easy to accomplish. But most people, while they will grudgingly admit that it is easy, still make little to no effort to protect themselves.
Security is often something that is talked about, but never truly taken seriously enough to change behaviors until after a security event. I would bet it is unanimous amongst people who have suffered a break-in that they wish they would have had more measures in place, and I bet most have them now.
At any rate, it is interesting that security can be something that sounds good when people talk about it, but they still too often end up doing nothing, and by that lack of action, end up denying that they can be victimized.