irc.freenode.net

Just FYI, I am currently bouncing around IRC on irc.freenode.net as LonerVamp. I may not be hanging out much of anywhere lately until I figure out how to manage my presence there, but I am around and looking for some home channels to hang out in. I am also looking to run an IRC bouncer/proxy on my server which can keep my presence online and I can then just attach using whatever system I happen to be on at the time. I’m not sure how happy that will be, but I’ll be trying it. It has certainly been a long time since I was an IRC addict (about 6 years since I was a perpetual presence), but it is comforting to be back.

I tried JBouncer which is a java-based IRC bouncer, but I don’t like the user info it appends to my user when someone does a whois on me. I found the place in the code that sets those variables, but I have been unable to re-compile the java (I’ve never coded nor compiled java before). I hope to try out Night-Light before the weekend.

an alternative admin mmc launcher

This was an interesting enough tool to spend an hour working on. SearchWinComputing has a quick run-through on some code (batch file) that will launch various Windows domain and exchange MMC consoles as another user. Basically you run the file, type 2, supply your domain admin password, and then the AD Users and Computers MMC should launch in domain admin context. Not bad. Although this is one click, one keystroke, and one window longer than my current method (right-click a shortcut), I certainly would need 8 such shortcuts to do what this batch file does in one. I like simplicity, so 1 > 8 in this case.

However, there are some errata in the instructions. I also had to scrounge choice.exe from a site called dynawell (Google for choice.exe), and I snagged sleep.exe from the Windows Server 2003 Resource Kit, although sleep is really not all that necessary if you just take that part of the code out. Hell, it’s been a long time since I delved into batch files, so maybe choice can be replaced with CASE for all I know.

Remove all the comments which are scattered in the code, typified by mixed case text. Change the paths to include the backslash such as c:\. Change the options to read :ONE instead of Option One:. Change the runas user to your domain admin or necessary admin to manage these tools. Correct the typo on option 3 “SItes.”
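As an added example (my own, not the SearchWinComputing batch file), here is the same idea done in PowerShell, which removes the choice.exe/sleep.exe scrounging entirely: a menu, one credential prompt per session, and each console launched under that account with Start-Process -Credential. The .msc file names are the standard ones that ship with the Windows admin tools; the account name is an assumption to replace with your own, and the Exchange consoles are left out because their .msc names vary by Exchange version. (On Vista and later, choice.exe is built in anyway.)

```powershell
# Added example: PowerShell stand-in for the batch-file MMC launcher.
# Assumptions: the admin account below, and that the standard AD/GPMC
# admin tools are installed so the .msc files exist in System32.

$AdminAccount = 'CORP\jdoe-admin'   # assumption: your domain/admin account

$Consoles = [ordered]@{
    '1' = @{ Name = 'AD Users and Computers';  File = 'dsa.msc'      }
    '2' = @{ Name = 'AD Sites and Services';   File = 'dssite.msc'   }
    '3' = @{ Name = 'AD Domains and Trusts';   File = 'domain.msc'   }
    '4' = @{ Name = 'DNS';                     File = 'dnsmgmt.msc'  }
    '5' = @{ Name = 'Group Policy Management'; File = 'gpmc.msc'     }
    '6' = @{ Name = 'Event Viewer';            File = 'eventvwr.msc' }
}

function Start-ConsoleAs {
    param(
        [Parameter(Mandatory)][string]$MscFile,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    $mmc      = Join-Path $system32 'mmc.exe'
    $console  = Join-Path $system32 $MscFile
    if (-not (Test-Path $console)) {
        Write-Warning "$MscFile is not installed on this machine"
        return
    }
    # -WorkingDirectory matters: Start-Process -Credential fails with
    # "The directory name is invalid" when the other account cannot read the
    # current directory (typically your own profile folder).
    Start-Process -FilePath $mmc -ArgumentList "`"$console`"" -Credential $Credential `
        -WorkingDirectory $system32
}

# One prompt per session instead of one per console, unlike runas
$cred = Get-Credential -UserName $AdminAccount -Message 'Credentials for launching MMC consoles'
if (-not $cred) { return }

do {
    Write-Host "`nLaunch as $($cred.UserName):"
    foreach ($key in $Consoles.Keys) { Write-Host "  $key) $($Consoles[$key].Name)" }
    Write-Host '  Q) Quit'
    $choice = (Read-Host 'Choice').Trim().ToUpper()
    if ($Consoles.Contains($choice)) {
        Start-ConsoleAs -MscFile $Consoles[$choice].File -Credential $cred
    } elseif ($choice -ne 'Q') {
        Write-Warning "Unknown option '$choice'"
    }
} until ($choice -eq 'Q')
```

Save it as something like Start-AdminConsole.ps1 and run it from a normal-user shell. Two caveats: Start-Process -Credential has no equivalent of runas /netonly, so for an untrusted domain you still want runas itself, and the credential object lives in that PowerShell session until you close it, which is the trade-off for only typing the password once.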

Now, I am not one to use fancy or even simple tools that are not always available. I’ve worked on enough systems and in enough ways to know that it sucks to become really accustomed to doing something one way (such as with shortcuts), and then be like a fish out of water when in a situation where I don’t have my nifty customized tools. Similar to how I rarely customize or “prettify” Windows anymore. I don’t need to spend 4 more hours after a reinstall making it pretty. So little tools like this are typically only minorly used by me. I like being able to sit down at nearly any Windows machine and knowing what I have available and what I would need to do to get what I want (resource kits, third party tools like procmon, etc). Either way, I think this little script can be useful for now.

on subtlety and the three t’s

These are not meant to be related, I just wanted to save them.

“Great wisdom is not obvious, great merit is not advertised. When you see the subtle, it is easy to win — what has it to do with bravery or cleverness?” – The Art of War, Chapter 4: Formation

and

“IT must balance three T’s: time, talent and technology. Today, the tendency is to throw technology at a problem and in so doing, reduce the need for talent (expertise) and reduce time. I recall my colleague Chris Blask saying, ‘Computers are fast and people are smart.’ Invest first in talent. Give them time to plan and choose technology that will allow them to be smart, *fast*, and you’ll have spent your own time wisely.” From a blog entry by Dave Piscitello.

security, encryption, passwords, obfuscation, oh my!

Whitedust pointed me to Emergent Chaos with an announcement that obscurity will save us and we can just hide our files someplace unexpected and be safe! Well, ok, mordaxus was nearly as sarcastic as I was in that last line.

I just have two points in mentioning this. First, I wouldn’t argue against someone who says that encryption itself is simply a form of obscurity. It is obscured because a key/passphrase is not known. But know that bit of information, and encryption is done. Of course, this means every password system is also a form of obscurity…but I still wouldn’t argue with that person to any great length.

Second, there are plenty of places to hide files in Windows machines already. Alternate Data Streams in NTFS have never gotten the attention they deserve, especially since few tools poke around in there, and those that do are sloooow. I would bet that few people even know about ADS and fewer will ever bother to do a scan for those files. Of course, I’m not saying this is protection for passwords and financial information. I would more use ADS for hiding porn stashes…
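For anyone who hasn’t poked at ADS, here is an added example (mine, not from the post or from Emergent Chaos) that creates a stream, shows why the file looks untouched to dir and Explorer, then hunts a directory tree for files carrying streams other than the normal one. It uses the -Stream parameters that PowerShell 3.0 added to the file cmdlets; the paths and stream name are assumptions.

```powershell
# Added example: create, find and remove an NTFS alternate data stream.
# Assumptions: a scratch directory under %TEMP% and the stream name 'hidden'.

$Base = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Base -Force | Out-Null
$File = Join-Path $Base 'report.txt'

Set-Content -Path $File -Value 'Quarterly report, nothing to see here.'

# Write a second, named stream on the same file. Explorer, dir and the file's
# Length only ever reflect the unnamed :$DATA stream.
Set-Content -Path $File -Stream 'hidden' -Value 'contents of the alternate stream'

Get-Item -Path $File | Select-Object Name, Length        # Length = main stream only

# Enumerate every stream on the file; ':$DATA' is the ordinary content
Get-Item -Path $File -Stream * | Select-Object FileName, Stream, Length

# Scan a tree for anything beyond :$DATA. Zone.Identifier is ignored because
# Windows itself attaches it to downloaded files, so it is noise in a hunt.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $Ignore -notcontains $_.Stream }
}

Find-AlternateStreams -Path $Base | Select-Object FileName, Stream, Length

# Read the hidden stream back, then delete only that stream (the file stays)
Get-Content -Path $File -Stream 'hidden'
Remove-Item -Path $File -Stream 'hidden'
Get-Item -Path $File -Stream * | Select-Object Stream      # back to just :$DATA
```

The same enumeration is available from cmd as dir /r on Vista and later, and Sysinternals’ streams.exe does the recursive hunt on older boxes. Worth remembering in both directions: streams survive a copy between NTFS volumes but are silently dropped when a file is copied to FAT, attached to an email, or zipped, which is why they are a hiding place and not a backup.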

a failing of blogging

One of the failings of blogging, especially its use for education, is how unsupportive it is to dialogue. Yes, there are comments, but once I leave a comment somewhere, it is a crap shoot whether I ever get back there to see any further dialogue or rebuttals or agreement. Fire and forget, most of the time. Sometimes I’ll post a question and check back later, but mostly I don’t and mostly I just plain forget. I also don’t look at posts later on to see if what the author said was BS and spoken-to in the comments. I have to take posts largely at face value. How often have I posted on a Bruce Schneier topic that tends to have plenty of feedback, only to never look back at that particular comment thread again?

Forums promote repeated dialogue until a topic has run its course and slowly melts back down the priority list, replaced with newer topics. A regular reader/contributor can, in this way, watch discussions she may be interested in until they naturally conclude. Mailing lists are similar. IRC is somewhat the same way, as interaction and discussion occur right away. While those that idle don’t typically re-read old logs, at least discussions at the moment have some give and take.

Running one’s own blog is a bit of an exception, as here I tend to be able to see each and every comment posted, and thus have my full run of any dialogue. But how can one really capture this for readers? Email notifications on comment replies help, but only when one has already commented on a post. Anything not commented on gets no continuation. In that case, it behooves me to comment on every post on those blogs. Setting up an RSS feed for comments is another nice thing. Ha.ckers.org does this, but I have to admit there is no real kind way to present them. New comments on old posts get thrown into the middle of new comments on new posts, which really muddies the waters of trying to follow any sort of continuity. But for anyone who diligently reads the feeds, this can be an effective, if jarringly annoying, way to keep up. The author can re-post the articles based on comments and responses, but this just perpetuates the cycle until no comments are left (or all the readers have left!).

So what is one to do? Well, slowly I’ve been moving back into IRC and I want to get back into forums as well. Blogs have their high points, but unless one is a real fan of a particular blog and sticks around a lot, RSS feeds are just best suited to scatter-shot news posts and catching the latest releases in podcasts or tools than for real educational dialogue.

I think this is also why I maintain my blogs more like personal journals (and I prefer the term journal to blog), where the only real reader I’m looking to keep informed is me. Letting out my own ideas, thoughts, and otherwise documenting my own life and knowledge. *shrug*

macworld hack

Macworld passes were hackable. This just amuses me to no end. While Apple does not directly put on Macworld (IDG World Expo does), it is interesting how security by proxy can work. I would hope IDG World Expo’s developers are few in number, underpaid, and overworked to put out something like this. This reflects badly on Apple as well.

Which brings up the question of just how many and how bad can insecure practices be before they take in collateral damage? Can a mistake on IDG’s part be prevented by Apple? Should companies VA or pen-test each other? Should Apple have known better? Is there really any recourse for this as we move into the future security-be-damned?

It amazes me that such simple things are still occurring today, like javascript “secrets.” I’m not what you would call a web programmer, although I could likely be one given a bit more effort and a job in that field, and yet even I feel I should be better at coding and design concepts than that. Seriously, though, it makes me yearn to get back into web coding again.

If I find more details on the hack, I’ll update this post.

irc.freenode.net

“A military body goes through myriad transformations, in which everything is blended. Nothing is not orthodox, nothing is not unorthodox.” -The Art of War, Chapter 2: On Waging Battle

It has been years since I’ve been on IRC regularly. I think I first got on IRC back in 1995ish when I moved from AOL over to a real ISP and thus needed to find a new place to chat. While I didn’t really chat about anything technical, I stayed a near-regular on IRC until after college when around 2002 I kinda drifted away. I mostly stuck to gaming chats and once my gaming took a lull so too did my IRC days.

However, more and more I see security/technical groups with a presence on IRC, particularly freenode.net. As such, I started my next mini-project last night to get my ass back on IRC regularly. My one requirement for doing so, though, is that I want to be able to hide my host name (IP) or otherwise mask/reroute it. I don’t really have any external servers available to proxy or bounce off of, but I think freenode itself will let me cloak my host name, which might be enough. Of note, I read up on bouncers and might put one up on my server just to see what that is all about.

Fun times, and it’ll be nice to get back on IRC for some shoulder-rubbing. I also need to get my ass on a forum somewhere as well, but that is predicated on getting at least one of my systems up on a proxy somewhere (something I should do anyway). Yes, I like my privacy and I dislike making a target of myself…and no, I don’t antagonize people or anything. I just prefer obfuscation for as long as it holds out.

If I get on freenode, I’ll be authed as LonerVamp, of course.

email as it pertains to data security

I liked this article on the NYTimes site about email uses and abuses. How do you stop people from forwarding work email to a place they shouldn’t, such as web-based mail services?

Well, the answer is that you can’t, and you really don’t need to bother trying to do so. Where I work we block port 25 outbound except from certain servers which have strict relaying settings. We also utilize SurfControl which cuts into web-based email services such as Gmail, Yahoo, Hotmail, Hushmail, etc. The problem is that I can still just find a service so obscure that the filters don’t catch it…such as my own mail server. Or I can just tunnel over something else and get there. But you still really can’t stop me from e-mailing a Gmail account any more than any other account unless a company has really no business communicating with the world outside its own walls.

So what do you do? In something like this, it helps to realize and accept that prevention is impossible. In that case, how do you mitigate, minimize, log, audit, and CYA without being a barrier to the company’s purpose?

1) Evaluate why your users would want to send email to their home-based email accounts, particularly webmail. Most users are not malicious and are only trying to get work done in the easiest way they know how. Maybe they want to work from home. In that case, provide web-based access or, better yet, a full-featured way to connect to their work account from home without all the additional hoops of a VPN and such. People using Exchange have little excuse to not be using OWA and a nicely-featured web front end. Ask why the users are doing these things, and then provide them such easy and logical solutions so they don’t try to circumvent the process.

2) Obviously, log outgoing mail. If someone does keep trying to email out sensitive information, logs are necessary to track it. There should be one or two levels of logging. First, log all mail headers incoming and outgoing so that you can track activity. Second, such as in the article’s hospital example, filter and log data in mail that is leaving the network, for instance medical records and other personal information. Obviously the second level of logging is more intensive, and shouldn’t be bothered with unless the company has particular need.

3) Retain the ability to monitor employee email usage down to even reading their email. While this ability shouldn’t be exercised all that often (how many employees are happy about others reading their email, honestly? and how many unhappy employees are the productive employees?), the policy should keep this option open in the event of suspicion about a truly malicious user. Authorization should be limited to HR, a direct manager or two, or approved technical staff, with no party acting alone. This is easier in some organizations and more difficult in others that have different work/life balance expectations in employees. The more an organization is sympathetic to the converging role of technology at work in personal life (kinda like personal phone calls to the doctor), the less hands-on the policy should be. Some companies will actually need to have staff regularly reading actual emails for regulatory compliance, and that’s fine, too, when needed.

4) Block outgoing 25 and incoming 110 (and other common ports, like Gmail’s ports) to only authorized servers. This won’t stop people from web-based email or completely non-standard setups (I can tunnel it on any port I want, really), but at least a huge swath of people will be prevented from storing and sending email from their workstation mail client. Besides saving storage space and resources, no one needs to accidentally send out an email to a client from their PajamaMonkey69 email account at Yahoo. Also keep tight control on mail relay settings for those approved mail servers. Attempts should be logged and investigated, especially when originating internally.

5) Software policy should drastically limit user email clients to one (maybe two) approved email client applications. Make things as standard as possible. Manage that app properly.

6) Education. Education is not a panacea, but at least educate and teach employees how to use the tools given to them, and why circumventing them can put the company, themselves, and their clients at risk needlessly. This also should help draw out difficulties they may have with the tools and maybe expose why they circumvent policies in the first place.
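To make the logging in item 2 concrete, here is an added example (mine, not from the NYTimes article or from the post) of the two levels it describes: a header-level log line for every outbound message, plus a content check that only runs when a message is actually leaving the company, flagging webmail recipients, the classic self-forward to an outside account, and patterns like the hospital example’s medical records. The internal domain, the webmail list, the record-number format and the three sample messages are all constructed for the example; a real deployment would feed it from the mail gateway and would need its own patterns.

```powershell
# Added example: outbound mail logging with a second-level content check.
# Assumptions: the internal domain, webmail list, MRN format and sample
# messages below are all made up for the demonstration.

$InternalDomain = 'corp.example'
$WebmailDomains = @('gmail.com', 'yahoo.com', 'hotmail.com', 'hushmail.com')

# Patterns for data that should not leave. Word boundaries keep the SSN
# pattern from firing on longer digit runs such as phone numbers.
$SensitivePatterns = [ordered]@{
    'SSN'           = '\b\d{3}-\d{2}-\d{4}\b'
    'MedicalRecord' = '\bMRN[:#\s]*\d{6,10}\b'     # assumed in-house MRN format
}

function Get-MailDomain([string]$Address) {
    (($Address -split '@')[-1]).Trim().ToLower()
}

function Test-OutboundMessage {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [string]$Subject = '',
        [string]$Body = ''
    )
    $findings  = @()
    $external  = @($To | Where-Object { (Get-MailDomain $_) -ne $InternalDomain })
    $localPart = (($From -split '@')[0]).ToLower()

    foreach ($rcpt in $external) {
        $domain = Get-MailDomain $rcpt
        if ($WebmailDomains -contains $domain) { $findings += "webmail recipient: $rcpt" }
        # Same username at an outside provider: the "mail it to myself" case
        if ($rcpt.ToLower().StartsWith("$localPart@")) { $findings += "self-forward to outside account: $rcpt" }
    }

    # Second level of logging: content inspection, but only for mail that leaves
    if ($external.Count -gt 0) {
        $text = "$Subject`n$Body"
        foreach ($name in $SensitivePatterns.Keys) {
            $hits = [regex]::Matches($text, $SensitivePatterns[$name])
            if ($hits.Count -gt 0) { $findings += "$name pattern ($($hits.Count) match(es))" }
        }
    }

    [pscustomobject]@{
        From     = $From
        To       = ($To -join ';')
        External = ($external.Count -gt 0)
        Flagged  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Constructed sample messages: internal chatter, a self-forward with patient
# data, and legitimate external business mail.
$Samples = @(
    @{ From = 'jdoe@corp.example'; To = @('alice@corp.example');     Subject = 'lunch';   Body = 'Noon?' },
    @{ From = 'jdoe@corp.example'; To = @('jdoe@gmail.com');         Subject = 'tonight'; Body = 'Patient MRN: 00412233, SSN 123-45-6789, needs follow-up' },
    @{ From = 'jdoe@corp.example'; To = @('vendor@partner.example'); Subject = 'invoice'; Body = 'PO 44512 attached' }
)

foreach ($m in $Samples) {
    $r = Test-OutboundMessage @m
    # First level of logging: one header line per message, findings appended when flagged
    '{0:o} from={1} to={2} external={3} flagged={4} {5}' -f (Get-Date), $r.From, $r.To, $r.External, $r.Flagged, ($r.Findings -join '; ')
}
```

Only the second sample comes back flagged (webmail recipient, self-forward, and both patterns); the first never reaches the content check because it stays internal, and the third is logged but clean. The split matters for the point in the post: the header log is cheap and always on, while the pattern matching is the intensive part you only turn on where the business has a reason to.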

we don’t need no stinkin’ passwords

I didn’t get but three paragraphs into Bruce Schneier’s latest wired.com article about secure passwords, and I came across, “Your encryption program’s key-escrow system is almost certainly more vulnerable than your password, as is any “secret question” you’ve set up in case you forget your password.”

How often do botnet herders need to break into a system by gaining access to the password? And once they get in, how often do they actually ever care about the password? Not often, I suspect. Why care about the password if the user runs your program as their already-auth’ed credential? Why worry about laptop encryption when the user is already logged on? How often have I seen someone walk away from their laptop at Panera or Starbucks and not lock it? Point taken, though, that passwords, while targeted and popular, are maybe not the weakest link any more, just like network-borne attacks are quiet compared to fashionable web app attacks lately.

snort cpu spike vuln

I’ll put up a better link later when I find one, but a recent presentation and paper (I printed them out yesterday but have not read them yet) on a Snort algorithmic vulnerability has been talked about and patched. The vuln would cause Snort to spike the cpu to 100% and eventually crash. Why is this useful? This is a lot like someone cutting off the alarm systems before robbing a bank. You can even do this externally if a company has Snort running outside the firewall (not uncommon in order to determine differences across the perimeter defenses) and that same server is running the inside Snort instance. Since this is an easy but technical exploit, I suspect this to be packaged eventually into attack toolkits rather quietly. I would suspect old Snort instances may stay in production for years in some cases.

the people who have left google

From Whitedust, I was pointed to this interesting article about employees who have left Google. I am inspired by hearing that a number of these people were far older than I am now when they started at Google. Sometimes one gets bogged down with that thought that only happenin’ things occur to the brightest students fresh out of college doing amazing things. That’s the flashy story you always hear. That if you don’t jump up high enough out the doors onto the rungs of the career ladder, you’ll burn out before getting up higher where you want to be. Really, that’s not true, and that’s something to continue to look forward to through my entire career and life, to be honest.

generals in the field

I’m still settling into what I want this blog to be, so please bear with me. I’m also ramping up my studying for the CCNA which I need to make sure I take sooner than later and get it done with, plus all my other smaller projects at home. This weekend we are scheduled to get lots of freezing rain and about 3-7 inches of snow Sunday. Unlike other parts of the country, though, we’re used to it and life moves on just fine and the Internets don’t disappear with the power when some flakes drop!

Turns out Andy ITGuy also has the same Art of War desk calendar that I have and posted some feedback on this entry yesterday:

“Generals in the field must already be acquainted with all the sciences of warfare before they can command their own soldiers and assess battle formations.” Chapter 3: Planning the Attack

It took me an extra day to revisit this topic, but I think this is a difficult place in security management and IT management. It is difficult to know so much about the sciences of our warfare. It seems difficult enough to even brush against all the various topics that need to be dealt with. I’ve worked for managers that couldn’t do my job for the life of them, and they never commanded the trust or respect of the teams they managed. I’ve also worked for managers who could do my job, and they were much more effective in all aspects. But there is still so much to be informed about these days.

watching ssl traffic while sipping a beer

I’ve worked with SSL extensively, as has any sysadmin that knows what a web server and SSL certs are. But what about the real dirty guts of SSL? Sometimes, topics like this are difficult to grasp, but I found something that made enough sense to me that I re-wrote the process of an SSL session negotiation on a piece of scratch paper just to visualize it. Palisade has a question and answer about SSL which is written in very plain English for an intermediate to understand, and it actually makes complete sense to me! Other quiz questions are also available, although some are a little less interesting to me. Reading about HTTP cache smuggling is interesting (and makes sense, since you can hijack HTTP connections anyway, which can be fun on wireless with airpwn). .NET best practices are not quite as interesting to me right now.

wi-spy

Ever since Joat made mention of purchasing one, I’ve been eyeing the Wi-Spy and have it marked up on my “to buy” list for the future. Today, though, I see Joat received an email informing him that the price was going to go up in February. In fact, it is doubling. This little tool is far too cool to let pass away at a higher price. As far as I know, anything comparable is many hundreds of dollars more expensive, so I might move this up my list and get it in the next week or so. It can be bought off ThinkGeek as well as the manufacturer’s site.