be prepared – don’t be the last one to the battlefield

Whoever occupies the battleground first and awaits the enemy will be at ease; whoever occupies the battleground afterward and must race to the conflict will be fatigued. Thus one who excels at warfare compels men and is not compelled by other men. -The Art of War, Chapter 6: Emptiness and Fullness

I expect Andy to post this up as well, since I think it can definitely be one of those rallying (or frustration) cries we have in security…and we both have the same calendar sitting on our desks!

I wasn’t sure about including that last line. The first two lines resonate throughout IT security, from testing and planning your disaster recovery plans, to being ready to detect and mitigate incidents, to simply making sure logs are scanned for the first sign of an enemy. The last line still makes sense: we sometimes do need to dig our heels into the ground and make sure our management knows the score and the risks (properly), so that they are compelled by us to be prepared; otherwise they compel us into letting go of preparedness.

Kurt’s comment put that last line into a better light for me, and it totally makes sense. No wonder it felt a little “off” earlier! Thanks!

learn how to reinstall your system

I have a list of things that home users can do to be more secure. One thing I might try to fit in there is a suggestion that home users figure out how to reinstall their operating system.

This is not about teaching someone the nuances of a reinstall, although they should know to have their data backed up, their account and software licensing information stored separately, and a list of everything they had installed or will need kept on hand. Rather, I believe one problem people have with working on their computer is a simple lack of exposure to the reinstall process (or to someone or someplace that can do it for them). A reinstall is not something people typically do, since their computers come from Dell or Gateway, who happily do the work before shipping. But the Internet becomes a safer place once people get used to the reinstall process, or at least know where to turn for help if they decide to do a full reinstall.

I might consider this a half-step, since it might be one of the scariest things the average person will do with their computer. Trust me, people are more scared of a reinstall than they typically are of installing all sorts of random programs on their system. Sometimes they are genuinely worried about losing years’ worth of settings and small tweaks, down to the positions of their desktop icons. However, regularly performing an install, or just knowing that it is not all that bad an ordeal, will help them be smarter about their computer use. If nothing else, befriend a local support guy or your local Geek Squad, or become familiar with what your provider’s tech support can do for you.

I liken this to having a backup solution in place. But how do you know the backup solution is working, how much it is backing up, or how to work a restore in an emergency if you’ve never done a restore from it? An emergency is not the best time to do a restore for the first time.

winter scripting games: redux

So my time with the winter scripting games is pretty much over. I just have to ask why I scored 0 on one event (I think the email submission may have line-wrapped something weirdly) and give my thanks and positive feedback to the organizers.

Overall, I exceeded my goals. I wanted to give a best effort towards half the Advanced division and get most of the Beginner division correct. I ended up 95/100 in the Beginner division and 90/100 in the Advanced (assuming my one score gets corrected). And I am proud to say that the two I missed were definitely tricky for someone who first installed PowerShell only days before the start of the competition.

I have documented my scripting games answers and some links in my wiki (must…use…wiki…more). Thankfully, it just so happens that we’re looking to script more at work. Only one guy had previously had any scripting experience, so it makes great sense to include me as a second resource and backup. I plan to continue learning more about PowerShell and try to use it as much as possible. I just purchased Payette’s book PowerShell in Action and plan to continue to learn stuff on irc.freenode.net’s #powershell channel.

a tale of two security viewpoints

This was recently posted to a mailing list I am on in response to someone inquiring about how to proceed with security in an environment that is not really open to security. I thought this was an amazingly well-written summary of what too many other IT and security people go through. I’m sure I’ll see plenty more of this in my career also, and it helps to recognize it early before spending futile years taking it personally when things don’t work out (I take my work personally). Reprinted with permission:

I was hired for Network Security by individuals it now seems really did not understand the concept. When I initially arrived, the attitude was that I would “secure” whatever project or action was taken. It took a while to get them to understand that I needed to be a proactive, included member of things from inception.

  • Not only do I report to a Network Ops manager, this person – who on one hand admits they have no security background – sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or obstructing progress.
  • I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that the perception is that I alone should somehow be able to do everything, and I should be able to do everything by myself. The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan EVERY cpu by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU scan tickets.) And in the end, management was thoroughly displeased with how the whole incident was handled (took too long, users were upset, etc). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. … An unwinnable situation.
  • The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to accommodate. Even if the wishes are counter-productive, redundant or will adversely affect the network.
  • IT does not seem to “talk” to the user community. It is almost like the goal is allow the users to do whatever they want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.

    I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a reasonable timeframe to keep up with the ever growing needs of the environment. Things fall through the cracks, mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security conscious in the way they approach networking, still security overall takes a back seat. No one wants to tell the big bosses “no”, that some of what they want is not feasible at the moment, or that some things will be delayed because we are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology without shoring up the holes that currently exist. — Definitely, no one wants to say that mistakes were made in the past, and now we have to correct them in order to get better and move on.

    Francois [ed: the original poster], I feel for you. I, too, know that not all environments have to be like what you and I have (are) going through. The choice for me is to leave. I hope that you will be able to make your management understand that security is not one person’s job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network security is not a destination – it is a journey.

I hope the poster finds a much better position to apply their obvious talents.

    counter hack reloaded

    I just finished (finally!) Counter Hack Reloaded by Ed Skoudis. I really love Skoudis’ tone, informal at times, in the way he writes. It works well for a book that is meant to be read start to finish (as opposed to a hit-and-miss tools/attack-defense or reference book).

    The book presented a number of new things to me, but the most memorable parts dealt with some of the more advanced techniques, such as the various covert channel attacks that I had really not heard much about. Of particular interest when I hit that part last autumn: Skoudis does maybe the best job I’ve read of describing the details of buffer overflows. I’ve read numerous other descriptions in the past and kinda knew what was going on, but for some reason Skoudis’ description lit the little light bulb over my head. Granted, I don’t see myself becoming a memory-corruption expert any time soon, but at least I really understand the details now.

    Overall, this is a must-read for any IT professional with any interest in security, and it should be mandatory for all security people. It is one of the best books in my geek collection. Some of it might be elementary, such as DNS digging and nmap scanning, but there are plenty of more advanced techniques that you just don’t find in other similar books.

    more on tools, automation, and whether they are making us dumber

    This post builds off my previous post on whether tools are making us dumber (a post referencing a recent Kathy Sierra post). Marcin sent me a link to someone else who noticed that article.

    Luke Kanies provides a few quotes in what at first seems like a nimble article but really is kinda confusing, like cutbacks while running in sand. Either way, I thought about these a lot:

    Unfortunately, I’ve seen too many sysadmins fall in love with the tedium of knowing all the little bits of all the systems they manage and not worry so much about understanding the higher-level nature of their jobs.

    I like this quote and I kind of agree. However, a case can be made that an exception to this “heightening view” approach (which, incidentally, is natural as one proceeds through business and technical experience) is the realm of security. Yes, we need to look at the high level and worry less about every little thing, but it is those dozens of little things that a skilled, or even just an opportunistic, attacker can exploit. It is also those little bits that give away subtle attacks or problems. We’ve seen time and again that the more automated we become in security, the more susceptible we can become to chinks in our armor that we’re not seeing because we’re viewing from too high up.

    To those sysadmins who are afraid of automating themselves out of a job, you should ask yourself where your value is: Is it the tedious parts, or is it the understanding behind the job?

    I picked this out because I just wanted to remind myself and anyone else that the purpose of IT and technology in business is, after all, to automate. If we’re not always trying to enable business, create business, or automate business, we’re not really doing our jobs. Sometimes that is hard, but a high-level view of IT is automation.

    In the end, I like the article because I truly think a case can be made both for keeping one’s head in the trenches of IT and for climbing up into the scaffolding to get a new perspective. There are a lot of different and equally correct opinions and viewpoints in IT, and while some see that as weakness and a lack of moving forward as a unit, I see it as a healthy (hopefully respectful) heterogeneity. (Yes, I sometimes make up words, but if you know what heterogeneous means, you get it.) 🙂

    what are security measures?

    Ok, I was confused by the original SecurityCatalyst post saying that VPNs are not security devices, but I saw this again from cdman over at Hype-Free, along with the statement that NAT is also not a security measure.

    Perhaps I am missing something, but is that correct? I may not consider NAT’s first purpose to be security, but it certainly does help. Would I rather have (or feel more secure with) a NAT device, or a direct one-to-one mapping to a publicly routable IP? Would I rather have people make remote connections over the bare Internet, or over a VPN? The answers seem fairly obvious to me, and so do the reasons for them.

    I understand that a VPN does not give absolute security: it protects the traffic in transit and says nothing about the endpoints on either side. I also understand that NAT only goes so far; its real purpose was to stretch the “limited” address space of IPv4, and whatever protection it adds comes from dropping unsolicited inbound packets that match no existing translation, not from any deliberate policy.

    The frustration is that these really do offer some security, whether by design or by coincidence. We try very hard to tell people and organizations to do secure things, and then we say a VPN is not a security device? Talk about confusing everyone, including the techs.

    winter scripting games: events 9 and 10

    This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

    So, these are the final scripting games events! I’m actually enthused because I finished all four of these over 24 hours early and am very happy with the results.

    Beginner event 9 wanted two lists read and only certain entries from each displayed. I ended up using the same code for each list. I assumed the first entry was always a value I wanted, and that any entry following a blank line was another one I wanted.

    # Collect the first line of a list plus every line that follows a blank line.
    function Get-ListNames ($path) {
        $firstline = 1
        $takenext = 0
        $names = @()
        foreach ($i in Get-Content $path) {
            if ($firstline -eq 1) { $names += $i; $firstline = 0 }
            if ($takenext) { $names += $i; $takenext = 0 }
            if (-not $i) { $takenext = 1 }   # a blank line means the next line is a name
        }
        $names
    }

    Write-Host "---------------"
    Write-Host "List.txt names:"
    Get-ListNames List.txt
    Write-Host "---------------"
    Write-Host "List2.txt names:"
    Get-ListNames List2.txt
    Write-Host "---------------"

    Beginner event 10 only wanted to have a bunch of terms unscrambled. This was rather easy and not even worth posting the scores here.

    Advanced event 9 was an awesome little challenge. There were really two parts to this for me. First, figure out how to build a string and then force it to be evaluated as an expression. Eventually someone on IRC clued me in to Invoke-Expression, which was exactly what I was looking for. (One caveat: Invoke-Expression runs whatever the string contains. That is harmless here because every piece of the string is a constant in the script, but it should never be handed a string that came from a user, a file, or the network.) Second, figure out how to iterate through all 4 signs in all 4 places in the challenge equation. Basically, 4 nested loops. Here’s the surprisingly short code:

    # Try every combination of the four operators in the four slots of
    # 12 ? 8 ? 4 ? 2 ? 9 until the expression evaluates to 23.
    # Invoke-Expression evaluates the string with normal PowerShell precedence
    # (* and / before + and -). Every character in the string is a constant
    # from this script; never build the string from outside input.
    $signs = "+", "-", "*", "/"

    foreach ($a in $signs) {
    foreach ($b in $signs) {
    foreach ($c in $signs) {
    foreach ($d in $signs) {
        $equation = "12" + $a + "8" + $b + "4" + $c + "2" + $d + "9"
        $guess = Invoke-Expression $equation
        if ($guess -eq 23) { Write-Host "The answer is $equation"; exit }
    }
    }
    }
    }
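The caveat above in working form, as an added example that is not part of the original post: the same Invoke-Expression call, but behind an allowlist so that only digits, whitespace, parentheses and the four operators can reach it. The function name and the two sample inputs are assumptions made for the illustration.

```powershell
# Added example (not the post's code). Invoke-Expression runs whatever string it
# is handed, so once the expression comes from outside the script (a user, a
# file, a web form) it is a command-injection sink. Allowlist the characters
# before evaluating anything.
function Invoke-Arithmetic {
    param([string]$Expression)
    # digits, whitespace, parentheses and + - * / only; anything else is refused
    if ($Expression -notmatch '^[\d\s()+\-*/]+$') {
        throw "Rejected expression: '$Expression'"
    }
    Invoke-Expression $Expression
}

Invoke-Arithmetic '12+8*4-2/9'                 # evaluated with normal precedence
try {
    Invoke-Arithmetic '12+8; Get-Date'         # a second statement smuggled in
} catch {
    Write-Host $_.Exception.Message            # refused before anything runs
}
```

The regex is the whole defence: a semicolon, a backtick, a `$` or a letter never reaches Invoke-Expression, so there is nothing for the evaluator to misinterpret. Where the input is genuinely untrusted, a small hand-written evaluator is the safer long-term choice, but the gate is the minimum.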

    Advanced event 10 introduced something new for me: colors! Holy crap, I can change the display colors! Now THIS can get fun! I also had to learn how to create a random number generator and pull items out of an array without duplicating any. (System.Random is fine for a game; anything that has to be unpredictable, like a token or a key, needs System.Security.Cryptography.RandomNumberGenerator instead.) I think there were a number of ways to do this, but this method was the one I chose to tackle. Thankfully, it all worked out!

    # Build the sequence of 20 colors: shuffle 1..20 by drawing random indices
    # from a shrinking pool, then map 1-5 BLUE, 6-10 GREEN, 11-15 RED, 16-20 YELLOW.
    # System.Random is fine for a game; it is not a source of unpredictable values.
    $rng = New-Object System.Random
    [System.Collections.ArrayList]$pool = 1..20
    $r = @()
    while ($pool.Count -gt 0) {
        $idx = $rng.Next(0, $pool.Count)
        $r += $pool[$idx]
        $pool.RemoveAt($idx)
    }

    for ($i = 0; $i -lt $r.Count; $i++) {
        if     ($r[$i] -le 5)  { $r[$i] = "BLUE" }
        elseif ($r[$i] -le 10) { $r[$i] = "GREEN" }
        elseif ($r[$i] -le 15) { $r[$i] = "RED" }
        elseif ($r[$i] -le 20) { $r[$i] = "YELLOW" }
        else   { Write-Host "Error: round $i value $($r[$i])" }
    }

    $score = 0
    $total = 0

    for ($i = 0; $i -lt $r.Count; $i++) {
        $guess = Read-Host "Guess the next color (R, B, G, or Y)"
        switch ($guess) {
            "R" { $guess = "RED" }
            "B" { $guess = "BLUE" }
            "Y" { $guess = "YELLOW" }
            "G" { $guess = "GREEN" }
        }

        # Reveal the color in its own color (-ForegroundColor accepts the name)
        Write-Host $r[$i] -ForegroundColor $r[$i]

        if ($guess -eq $r[$i]) { Write-Host "yay!"; $score++ }
        else { Write-Host "boo!" }

        $total++
        Write-Host "You have gotten $score out of $total correct."
    }

    if ($score -ge 6) { Write-Host "YAY! You win teh prize! You have ESP!" -BackgroundColor Magenta -ForegroundColor DarkBlue }
    else { Write-Host "boo! you lose! your guesses suck!" }

    Scores to Advanced and Beginner divisions are posted.

    securiteam: home router remote access

    I see SecuriTeam has gotten a facelift recently, nice! (One of the downsides to running an RSS reader is you lose the visual connection with the site…) The post that drew me there was a post from Sid detailing his discovery that his home router was essentially backdoored.

    The takeaways from this article: change the admin password on the router; be at least a little bit knowledgeable about the router; scan your home connection remotely every now and then, even if that means nmapping yourself from a local hotspot. ISPs really should not do something like this. While at first it seems like a good idea, all it takes is one curious person to get that password, and suddenly the digital worlds of every other user on that ISP are open. I know not everyone has the aptitude to do such tests, but there is little excuse for those of us who do.
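An added example, not part of the SecuriTeam post or this one, of the self-scan suggested above, written in PowerShell for anyone without nmap to hand: it attempts a TCP connect to the usual router management ports with a short timeout and reports which ones answer. Run it from outside the home network (a phone hotspot, a friend’s connection) against your own public address; a management port reachable from the WAN side is the thing to look for. The address in the usage line is from the RFC 5737 documentation range and is a placeholder, the port list is an assumption about what consumer routers commonly expose, and the function name is made up for the illustration.

```powershell
# Added example (not from the post). TCP connect check of router management
# ports from the outside. Port list and timeout are assumptions; nmap -p on the
# same address gives the same answer with far more detail.
function Test-RouterPorts {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [int[]]$Ports = @(22, 23, 80, 443, 8080, 8443),
        [int]$TimeoutMs = 1500
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $handle = $client.BeginConnect($Target, $port, $null, $null)
            # an open port completes the handshake quickly; filtered ports just time out
            if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($handle)     # throws on "connection refused"
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Port = $port; Open = $open }
    }
}

# 203.0.113.10 is a documentation-range placeholder; substitute your own public IP
Test-RouterPorts -Target '203.0.113.10' | Format-Table -AutoSize
```

Anything reported Open here should either be something you deliberately exposed or a reason to call the ISP; the same check run from inside the LAN tells you nothing about what the outside world can reach.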

    are tools making us dumber?

    There are a few blogs that I read regularly that are not strictly tech/infosec type blogs. Creating Passionate Users is a bit of a cheat since Kathy Sierra has a technical background and does talk about some technical things. My reason for mentioning this is her post about whether tools are making us dumber.

    We call people dumbed down by tools “script kiddies.” They are the people who utilize other people’s tools without knowing what is really going on underneath the hood. Tracert is composed of pings? Teardrops just make computers blue screen, right?

    You can push this up to the enterprise as well. I use an IPS/IDS “alert-based” system from a major vendor of security products. Sadly, the appliance removes any ability to trace sessions, capture and read packets, or interpret the attacks yourself. If the appliance is doing something weird, someone without that additional knowledge is really pretty lost, and the appliance loses a lot of its value.
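Taking the tracert question literally, as an added example that is not from Kathy Sierra’s post or this one: on Windows, tracert really is built from pings. It sends ICMP echo requests with the TTL set to 1, then 2, then 3, and the router at which the TTL hits zero answers with ICMP Time Exceeded, which is how each hop’s address is learned (Unix traceroute does the same trick with UDP probes by default). The script below does that by hand with the .NET Ping class; the function name and the target host are assumptions, and it needs a network to run against.

```powershell
# Added example (not from the post): what tracert does under the hood.
# One ICMP echo per hop with an increasing TTL; a TtlExpired reply carries the
# address of the router that dropped the packet, Success means the destination.
function Trace-Hops {
    param([string]$Target, [int]$MaxHops = 30, [int]$TimeoutMs = 2000)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $payload = [System.Text.Encoding]::ASCII.GetBytes("a" * 32)   # tracert also sends 32 bytes
    try {
        for ($ttl = 1; $ttl -le $MaxHops; $ttl++) {
            $opts  = New-Object System.Net.NetworkInformation.PingOptions($ttl, $true)
            $reply = $ping.Send($Target, $TimeoutMs, $payload, $opts)
            $addr  = if ($reply.Address -and $reply.Address.ToString() -ne '0.0.0.0') { $reply.Address.ToString() } else { '*' }
            New-Object PSObject -Property @{
                Hop     = $ttl
                Address = $addr
                Status  = $reply.Status          # TtlExpired, Success, TimedOut, ...
                RttMs   = $reply.RoundtripTime   # Windows reports 0 for TtlExpired replies
            }
            if ($reply.Status -eq 'Success') { break }   # reached the destination
        }
    } finally {
        $ping.Dispose()
    }
}

Trace-Hops -Target 'example.com' | Format-Table Hop, Address, Status, RttMs -AutoSize
```

Once you have seen it written out, a firewall that drops ICMP Time Exceeded (the rows that come back as `*`) or a host that answers echo but not from its real address stops being a mystery and becomes a thing you can reason about, which is the whole argument of the post.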

    winter scripting games: events 7 and 8

    This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

    I’ve found my creativity stimulated quite a lot by these games. Also, since I’ve started doing these games, I think this group of 4 events were the easiest so far. The first few might have been easy, but they required more effort since those were my first looks at PowerShell at all. By the way, MoW is also posting his responses and I must say, his code is far more elegant and experienced than mine. It’s awesome!

    Beginner Event 7 involves taking a bit of code that throws an error and managing that error: first, prevent the ugly error from displaying to the user, and then handle the error later. This is a good Beginner topic and one of those things that often gets overlooked but is very necessary for good scripting and coding: error handling.

    $Error.Clear()
    # Suppress error output for the whole script; the errors are still recorded in $Error
    $ErrorActionPreference = "SilentlyContinue"

    # The block below is the event's code as supplied: 11 + "seven" cannot be
    # converted to a number, so that statement fails and $x keeps its last value.
    ######## START UNCHANGED CODE #########

    $a = 5
    $b = 6
    $c = "seven"
    $d = 8

    $x = $a + $b
    $x = $x + $c
    $x = $x + $d

    $x

    ######## END UNCHANGED CODE #########

    if ($Error.Count -gt 0)
    { Write-Host "An error has occurred." }

    # This would display the errors, but it is not required
    # for ($i = 0; $i -lt $Error.Count; $i++)
    # { $Error[$i] }
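For comparison, an added example that is not the event’s code or the post’s: the same four values added up with the handling scoped to the single statement that can fail. A script-wide SilentlyContinue hides every error, including the ones you did not expect; try/catch (PowerShell 2.0 and later; 1.0 only had trap) keeps the failure visible, records it, and lets everything else fail loudly. The function name is an assumption.

```powershell
# Added example (not the post's code). Handle the one statement that can fail
# instead of silencing the whole script; unrelated errors still surface.
function Add-Numbers {
    param([object[]]$Values)
    $sum = 0
    $failures = @()
    foreach ($v in $Values) {
        try {
            $sum += [int]$v       # [int]"seven" throws a terminating error, caught below
        } catch {
            $failures += "Skipped '$v': $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Sum = $sum; Failures = $failures }
}

$result = Add-Numbers 5, 6, "seven", 8
$result.Sum         # the values that converted
$result.Failures    # the conversion that did not, with its message
```

The design point is the same one that matters for anything security-relevant: a swallowed error is a script that quietly did something other than what you asked. Catch what you can handle, say so, and let the rest stop the script.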

    Beginner Event 8 is a “simple” game of jacks. This is another excellent Beginner event in that it focuses on something rather basic but necessary: nested loops. This is simply about thinking through the logic of the problem, and then setting up counters and loops to achieve the answer.

    # Round $i: bounce the ball, pick up $i jacks per bounce, until the 10 jacks are gone.
    $jacksingame = 10
    $jackspickedup = 0
    $bouncestotal = 0
    $i = 1

    do {
        $jacks = 10
        $bounces = 0

        do { $bounces++; $bouncestotal++; $jacks -= $i } until ($jacks -le 0)

        $jackspickedup += 10
        $i++
    } until ($i -gt $jacksingame)

    Write-Host "Total jacks: $jackspickedup"
    Write-Host "Total pick-ups: $bouncestotal"

    Advanced Event 7 wants a text file read and encrypted, and then optionally decrypted, using arguments when starting the script. Since I am still smarting from the rather nasty Beginner challenge to convert text to hex and back to text again, I decided to yoink that code, drop the hex part, and use the decimal values, then increment each value by one before converting back into ASCII. Instant, if weak, encryption! (Strictly, it is obfuscation rather than encryption, since there is no key and anyone who sees the output can reverse it. I also thought about a simple substitution cipher or a ROT13 switch, but decided this was easier.)

    # Shift every character code up by one ("e") or back down by one ("d").
    # There is no key, so this is obfuscation, not encryption.
    if ($args[0] -eq "e") {

        # $input is an automatic variable in PowerShell, so the text gets its own name
        $text = [string]::Join([environment]::NewLine, (Get-Content -Path Alice2.txt))
        $e = ""
        for ($i = 0; $i -lt $text.Length; $i++) {
            $e += [char] ([int] $text[$i] + 1)
        }

        $encodedfile = New-Item -Type file "Encoded.txt" -Force
        Set-Content Encoded.txt $e

    } elseif ($args[0] -eq "d") {

        if (Test-Path Encoded.txt) {

            $text2 = [string]::Join([environment]::NewLine, (Get-Content -Path Encoded.txt))
            $y = ""
            for ($i = 0; $i -lt $text2.Length; $i++) {
                $y += [char] ([int] $text2[$i] - 1)
            }

            $y

        } else { Write-Host "Encoded.txt not found. You probably need to use argument 'e' first to encode a file." }

    } else { Write-Host "Please provide an argument 'e' (to encode) or 'd' (to decode)" }
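What the “weak encryption” above would look like done properly, as an added example that is not the post’s code: AES-256 in CBC mode for confidentiality with a fresh random IV per file, and HMAC-SHA256 over the IV and ciphertext (encrypt-then-MAC) so that a modified file is refused before any decryption is attempted. CBC without a MAC is malleable, and the padding error it produces on tampered input is itself an oracle, which is why the tag is checked first and in constant time. It uses only the .NET classes that ship with PowerShell 2.0 and later. The function names, the container layout (IV, ciphertext, tag) and the Encoded.bin file name are assumptions; Alice2.txt is the input file the post uses. The 64-byte key comes from the OS CSPRNG and, in real use, would be stored somewhere other than next to the file.

```powershell
# Added example (not the post's code): AES-256-CBC + HMAC-SHA256 file protection.
# Container layout (an assumption): 16-byte IV | ciphertext | 32-byte HMAC tag.

function New-FileKey {
    # 32 bytes for AES-256 and 32 bytes for the HMAC, from the OS CSPRNG
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $key = New-Object byte[] 64
    $rng.GetBytes($key)
    $key
}

function Protect-File {
    param([string]$InPath, [string]$OutPath, [byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes.Key     = [byte[]]$Key[0..31]
    $aes.GenerateIV()                                  # never reuse an IV under the same key
    $plain  = [System.IO.File]::ReadAllBytes($InPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body   = [byte[]]($aes.IV + $cipher)
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [byte[]]$Key[32..63]                   # separate key for the MAC
    $tag    = $hmac.ComputeHash($body)                 # tag covers IV and ciphertext
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($body + $tag))
    $aes.Clear()
}

function Unprotect-File {
    param([string]$InPath, [byte[]]$Key)
    $blob = [System.IO.File]::ReadAllBytes($InPath)
    if ($blob.Length -lt 64) { throw "Not a valid container: too short" }
    $body = [byte[]]$blob[0..($blob.Length - 33)]
    $tag  = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [byte[]]$Key[32..63]
    $expected = $hmac.ComputeHash($body)
    # constant-time comparison: timing must not reveal how many tag bytes matched
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed; refusing to decrypt" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes.Key     = [byte[]]$Key[0..31]
    $aes.IV      = [byte[]]$body[0..15]
    $cipher = [byte[]]$body[16..($body.Length - 1)]
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Clear()
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# usage, mirroring the post's "e" and "d" arguments
$key = New-FileKey
Protect-File -InPath Alice2.txt -OutPath Encoded.bin -Key $key
Unprotect-File -InPath Encoded.bin -Key $key
```

Flip one byte of Encoded.bin and Unprotect-File stops at the integrity check rather than at a padding error; lose the key and the file is gone, which is the property the post’s +1 shift lacks.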

    Advanced Event 8 provided small pieces of code with the question: “Is this a valid piece of code?” Not too hard and kinda fun! I won’t post my answers here, since there’s nothing really novel in the answers.

    oh to be on the same page

    “One whose upper and lower ranks have the same desires will be victorious.” The Art of War, Chapter 3: Planning the Attack

    It is frustrating (both for techs and for management) when they cannot agree on their goals for security. Unless they can agree, they won’t succeed.

    sobering security

    I saw this fly past on the Security Focus security-basics mailing list from an anonymous poster. I simply wanted to capture the moment here and let it sink in.

    I work for one of the biggest universities in the US and they barely care about security, so I think you may be in for an uphill battle. I’ve been trying for years without any luck, the same story comes back from management over and over, “we never had any security problems so why should we invest money to prevent them” and that’s a direct quote from more than one person in management.

    on remarkable customer service

    It seems that whenever Joel posts a significant new article on his site, I end up linking to it from here, almost like a little RSS mirror service. I think it’s because this guy just “gets it.” I’ve yet to see bad advice from him, and everything he says is majorly refreshing and awesome. I could gladly work in a company like that, even adjusting my career path for a company like the one he runs.

    Anyway, I’m gushing, which is not something I usually do. Joel talks this time about remarkable Customer Service.