trillian vulnerability asks who is responsible for user apps

I see ISC has posted about a vulnerability just disclosed in Trillian. The vulnerability is a little exotic but does have a scary side to it. First, it involves the use of the Trillian IRC client. Thankfully, I don’t know many non-geeks who use IRC and none that use Trillian as their IRC client (I would hope!). The scary part is that it is trivial to determine if someone’s IRC client is Trillian, and the vulnerability is triggered by merely hovering over a link posted in chat. Yikes! I expect milw0rm or even Metasploit to have an exploit available soon enough.

One big question for this is: Do you know what apps your users are running? Are some of them running Trillian? And if so, who is then responsible for upgrading to more secure versions of their apps? (Then again, maybe they don’t need IRC at work anyway, so just block the ports at the firewall and hope they’re not on laptops at home being rooted?) More fuel if you don’t have a handle on corporate policy for unauthorized software.

suggested games

I’ve been an on-again, off-again PC gamer. My background is heavy into first-person shooters (FPS) from Doom 1 until FEAR. I think I spent half my college years playing Quake and UT. It’s amazing I actually got the grades I did and even graduated…I know too many people who dropped out due to their playing habits.

Here are some games I would highly recommend you play if you do any PC gaming at all. Some of these are classics that no one should be able to say they’ve not experienced.

Doom 1 and 2 – There is still no FPS PC game that has been able to recapture the hectic, hellish feel of the originals. Doom 2 is still so challenging to this day to me that I continually play it every few months to advance a few more levels in my spare time (I strive for 100% secrets and kills when actually possible). I still have the original floppies…

Quake – Quake grabbed the baton from Doom and ran with it, propelling PC sales, bandwidth demands, and PC gaming as we know it today. Nothing ever will capture the feel of anonymously running around levels throwing out rockets and fragging fellow geeks into the late hours of the night. This was Internet gaming in its innocent infancy, and it still makes my cheeks tingle with memories. Must be experienced not just single-player, but LAN-borne with friends. Sound effects and most of the background music mixed by NIN make for an excellent backdrop as well.

Serious Sam I – The first Serious Sam had a lot of gimmicks, but one of the best things about this game is how it harked back to the hectic pace of the original Doom games. No game has come closer to the single-player experience of Doom than this game, as it throws hordes and hordes of enemies at the player and usually not enough ammo to feel comfortable. One of the only games I’ve ever actually heard the sound effects for when trying to sleep (those damned hooves…noo…always behind me…!)

Unreal Tournament – I really don’t think any game before or after has looked or sounded quite as good as this one while also being as purely fun in multi-player mode. The excellent electronica music alone is worth the ride. Sadly, if you do get on FFA games these days on the net, chances are you’ll be playing with people who have played for nearly ten years now. It won’t be pretty, but it can still be very fun! Perfect LAN party fodder as it won’t tax systems these days!

Warcraft II – Basically the father (albeit not the grandfather) of all RTS games today, Warcraft II had a perfect chemistry of fun and challenge. I still play this game through single-player mode every few years. The expansion pack is also a must.

Starcraft – The follow-up to Warcraft II is maybe even more perfect with upgraded graphics, deeper complexity in units and builds, and one of the most compelling story lines I’ve played through in a PC game. I also play this and the expansion pack regularly every few years.

Wing Commander II and III – I loved these games. I’m not a flight sim guy, so these games met my needs just right with complex, but not too complex, controls. I loved the changing experience depending on how you complete missions and the specially named enemies with their own challenges and quirks. WC III particularly perfected the sense of isolation for a space fighter pilot.

those first few years are the hardest

I’m feeling talkative today…makes me wish I had IM or IRC at work! Alas, I get to only post here or comments elsewhere!

I really cannot explain just how valuable a little IT experience is. Six years ago out of college I had to beg to get interviews for IT positions, and even then, a very small percentage would ever get back to me. This made sense and I knew it, for a college grad with no practical experience. In the last few months alone I’ve had calls come in with zero solicitation, which is astounding to me. It is a lot different from the “I’ll take any job, anything!” mentality of 6 years ago to the “I can be picky now and say no if I foresee minor problems” of today. Those first few years are definitely the hardest. Hrm…I’m maybe a little too positive today…better bring it back down!

twenty interview questions

This is a list of 20 web developer interview questions picked up from SEOmoz via Dan Morrill. I really like interview questions because they can give you good practice. When I am looking for a job (which I currently am) I actually do rehearse to myself (and typically write down) answers to typical questions such as my weakness, my strength, team vs work alone, why the current job is not right, what I want in a job, a manager, life, and so on. In fact, I plan to carve out a spot in my wiki to someday house these questions and my answers for future reference. And one thing I do stress in any interview is to be honest and positive. Admit a weakness, don’t cop out or cover it up. Use it as an opportunity to show the employer you know yourself and that you have a plan to address that weakness. Anyway, this looks like a long post, but here’s some answers for these questions (some are pertinent only to web developers, though!).

1. What industry sites and blogs do you read regularly?
I tend to cop out here and say that I read a lot of things, mainly blogs and online news sites, which are all in my RSS reader and listed on my website on the right. But I do try to stay concrete and mention some of my A-list links such as TaoSecurity, Jeremiah Grossman, Ha.ckers.org, Security Monkey, Internet Storm Center, Errata, F-Secure, Full Disclosure, and so on largely depending on what type of job I am working on. I do like to make sure I know a nice mix of my favorite sites to read so that I can pull them out quickly without floundering. I remember years ago someone asking me what my favorite hacking site was and kinda floundering and sputtering out PacketStorm just because the guy was a suit who thought he knew hacking. When given a chance, though, I always want to say that I read up on sites every other day if not daily for the important ones.

2. Do you prefer to work alone or on a team?
I love this question and hate it. I love it because my honest answer is both fairly equally. I hate it because that is the prototypical bullshit answer. So I feel obligated to expound! I love working alone because sometimes you can just put your head down and really concentrate on working either through a problem or something that is otherwise tedious. It is true that sometimes in IT too many hands in the kitchen make too big a mess, or will try to do things in different ways such that nothing ends up getting done with any semblance of quality. I also love working on a team because there are times when I don’t know everything and need help, times when I physically cannot get all the work done by a deadline without extra hands, and times when just talking a problem through to someone else will jog my thoughts and give me fresh ideas. I truly do enjoy both and am quite comfortable working in either environment as long as the company and manager and colleagues are supportive and get shit done. I have experience working both ways.

3. How comfortable are you with writing HTML entirely by hand?
Very. I’ve never used a WYSIWYG editor and don’t even need color-coded parsing to help out. Give me notepad and I’m fine.

7. Describe/demonstrate your level of competence in a *nix shell environment
I would put my level of competence in a *nix shell environment as beginner to intermediate, although people with less experience than me might put me higher. I tend to place myself lower than I should be, only because there is so much power in *nix shells and so much to learn. I feel just slightly more comfortable inside a CLI as opposed to a GUI.

8. What skills and technologies are you the most interested in improving upon or learning?
For a learning junkie like me, this includes everything! I am most interested in learning whatever is needed or is tickling my muse at the moment, within reasonable bounds so that I don’t try to do too much and end up with minimal knowledge in lots of things. I do strive for expert level knowledge in the things I can tackle on a day to day basis and intermediate to high knowledge in things I do on my own or less often outside the day to day job. Specifically, I want to continue to improve my Linux exposure, wireless foo, and security assessments. I want to get hands-on into Snort and log correlation over a network.

11. Show me your code!
View source my code yourself! But keep in mind I’m not a pro web developer, nor do I update my code all that often. My old site is rife with old junk that makes me cringe. This site is slightly cleaner since it is years newer.

12. What are a few sites you admire and why? (from a webdev perspective)
Digg and Google are excellent and clean. I like sites that are clean, offer up their functions, and are not hard on the eyes and soul (ads all over, weird links, blah blah). Give me aesthetically pleasing any day, not MySpace-like. A clear, simple layout.

14. I just pulled up the website you built and the browser is displaying a blank page. Walk me through the steps you’d take to troubleshoot the problem.
Blame the network guys! Hehe, kidding. I would first replicate the problem on my end so that I can see what is going on. Then try to do a view source to make sure I’m hitting the right location and see what the browser is being presented. If the problem is network-related, drop into a CLI and start investigating DNS and IP connectivity. If the problem appears to be code-related, check the code from the View Source and make adjustments. Possibly get on the server and try to pull the page up local to the server, check the logs, fashion test pages to troubleshoot IIS/Apache functionality…

16. Do you find any particular languages or technologies intimidating?
I really like this question and have sadly never heard this in an interview! I am currently most intimidated in general in just doing something new for the first time that I’m unproven with. For instance, being challenged to do something that might not be possible can be really intriguing yet frustrating. I’m aware of this intimidation and work to keep it cornered as much as possible. In specific, I am most intimidated lately by ordering the proper equipment that is compatible and not over-budget for the needs. I think that’s largely inexperience coupled with spending someone else’s money.

ten top open source security tools

An article out of IT Management on Earthweb (hell, I can barely find out what this site is called…IT Management? Earthweb? Datamation? I think that’s an ad in the traditional site header slot, but am not sure…ugh!) outlines 10 top open source security tools. While I can usually nitpick something in most lists from unknown sites, I was pleasantly surprised by the well-rounded list presented. Then again, some of these can be fairly easy when you have lists like Insecure.org’s top tools list.

I also am saddened but have to say (almost as a reminder to myself) that I need to someday actually read the Open Source Security Tools: A Practical Guide to Security Applications. Books don’t get younger on their own!

csum: independence day

CSUM rates: Independence Day (1996)

Situation: Towards the end of the film, Will Smith’s character makes a last ditch attack against an invading alien army by injecting a computer virus into the alien mothership’s systems. The virus is successful and the invasion is defeated.

Inaccuracy: 5
Ok, while I will say that one could argue the universality of the binary system, I don’t think it is even possible that a wholly distinct civilization will have advanced independent of the human race and end up with compatible machine code. Hell, Windows and Macs don’t even have viruses that are compatible on either system (a few exceptions exist with third-party apps) let alone entirely different civilizations. I think the biggest joke at the time of this movie was the question, “Are the aliens running Windows or something?!”

Criticality: 5
Maybe the budget disintegrated by the end of the film and they needed a one-shot deal to blow up the aliens; all of them. I don’t know, but this is a pretty darned critical contrivance because it is the vehicle for Will Smith to save the world; the climax of the film. It’s a shame it had to be so ignorant.

Ease of correction: 4
The year is 1995/1996, and I think it was obvious the producers wanted to capitalize on the emergence of computers and the Internet, and with it viruses. Unfortunately, there is no salvage to getting an earth computer virus to disrupt alien technology, so there is really no saving this idea. The writers needed another entirely different solution to save this; even Will Smith flying into the center of the ship and destroying the Mother Brain would have been more believable.

CSUM ICE Score: 100 (F) I will never forgive Independence Day for this amazingly ridiculous use of a virus in a film.

computer and security use in movies

As computer and security hobbyists and professionals, I’m sure we all go to movies and take special note when something in our field comes up, from door locks to computer terminals displaying code to fuzzy images being blown up to reveal faces. Some of these make us cringe in wild distaste which pulls us out of the suspension of disbelief in the film experience while others make us smile and slightly nod in agreement, making a mental note to share with our other geek buddies.

I have made a new category for this site called, simply, movies. In this category I want to make mention of movies that utilize a particular bit of computer use or security use and point out what is inaccurate about it. In fact, I’m going to call it Computer and Security Use in Movies (CSUM).

Just to get a few ground rules out of the way, I will largely exclude sci-fi movies that assume advancements in technology make certain things possible or different from how we know computer security today. I also only want items that seem important to some degree to the plot of the film, and not just some extraneous bells-n-whistles item from the background. For instance, nothing from Star Trek will count.

I will score each incident based on some criteria, modeled after a security assessment:

Inaccuracy: 1-5 (5 being ridiculously inaccurate and 1 being only minorly inaccurate)
Inaccuracy is used to scale exactly how ridiculous a particular use of computers and security is portrayed. Something that is not ridiculous at all, and, in fact, might be entirely accurate may be able to score a rare 0 in this category, which zeroes out the product and is the best possible result. Within the normal 1-5 range, a 1 is the ultimate score.

Criticality to plot: 1-5 (5 being critical to the plot or film experience and 1 being trivial)
If an inaccuracy is highly critical to a plot, it becomes less forgiving by the audience. Likewise, inaccuracies in smaller, less important parts of the film can be overlooked. This is a scale on how important the situation is for the movie as a whole.

Ease of correction: 1-5 (5 being extremely difficult or impossible to correct without the plot or film experience falling apart, 1 being extremely easy to fix without impacting the film)
If an inaccuracy is easy to correct, it really shouldn’t have been a mistake in the first place, and might just be the fault of the technical advisor or writer, or maybe even an artistic decision because the real deal is boring to portray. Something that is extremely difficult to correct means that inaccuracy is so deep, there really is no way to save or spin it without running into major problems. This is essentially the scale of how badly wrong a movie gets this situation.

The total is the product of all three numbers multiplied together to give a score from 1 to 125. Hopefully no movie scores 125, as that would be a ridiculously inaccurate, critical situation in the film that has zero hope of being fixed without the film falling apart. Feedback and suggestions on better scoring are welcome!

ubuntu vs vista

Network Computing has a nice comparison between Vista and Ubuntu. I’ve yet to even see Vista, really, but I can say I was disappointed that they didn’t include DVD playback with the multimedia testing. Due to the proprietary encryption on commercial DVDs, free and legit Linux distros tend to not be able to play them out of the box. I was happy to see mention of Ubuntu’s occasional (and very frustrating) hardware issues (namely wireless or sound issues from what I’ve heard) which can send people back to Windows quickly.

I think Ubuntu is a nice alternative for light users who don’t install their own things and only need major things like email, web browsing, maybe some IM, music, picture viewing, and office productivity. Basically you don’t need much more beyond what is installed by default. If you need more, you might be in for some learning curve issues.

ubuntu and snort

Snort is another item I want to start working with regularly as well. I know I won’t become a Snort guru quickly, and just like any type of packet-watching role, it just comes with time and experience. This Ubuntu + Snort + PostgreSQL tutorial may be helpful, even though I already have my Ubuntu “server” box upgraded to Feisty Fawn and might swap out PostgreSQL for MySQL instead. Sadly, just last night I noticed my Ubuntu box (which has a decently new 200GB HD that has already developed a loud whine when it spins) may not be faring so well anymore after power outages. I had one this weekend and the console might be stuck on a BIOS or GRUB warning since it is silent on my network. I have to check it out tonight. Hmm…it might be old enough that it still requires something plugged into the keyboard port in order to boot properly… Got this link from Andrew Hay.

snare and splunk logging

I like tutorials on sites. Even if I don’t get around to trying out new things, it is nice to have the knowledge fly by my sight and to tuck the link away into my pocket (or a site post) for a rainy day when I decide I want to try it out. This link talks about using Snare and Splunk as a central multi-system log-gathering solution (a cheap alternative to LogLogic). I do need logging someday and definitely have plenty of options, including this combo.

live-fire experience from cyber defense competitions

Texas A&M has won the 2007 Collegiate Cyber Defense Competition. I really feel that live defense and attacking competitions help everyone involved, including spectators. Even if it is just amongst friends or at a con or even something as organized as collegiate level activity, this kind of live-fire stuff needs to grow and will continue to grow in popularity and exposure. If you get a chance to go to one of these events either as a participant or to hang out, I encourage you to go. Don’t do like I did last year and skip out on a local CyberDefense competition for no real good reasons.

the education-technology see-saw

Andy ITGuy is a proponent of training, which is awesome and wholly commendable. I totally understand that, but I’m feeling picky today. Maybe today is Picky Wednesday, I dunno. But I noticed Andy posted this (he’s going to love that I’m pulling out an anecdote and unfairly focusing on it, hehe) and I want to make a point too.

My favorite quote from the post is this,

“My dear friend, education is the key..not more locks and bolts.”

The same holds true for Information Security. If our users don’t know how to spot and handle phishers then we might as well just put up an open WI-FI to our network and post it in the paper.

I’m not sure I would say that user education is key and that without it we may as well put up open wifi. I think user education is very important, but it won’t solve IT security any more than education has solved drug use, teen pregnancy, or STDs. I won’t be able to dispense with logging utilities or AV or LUA or spam scrubbing just because I have a good training regimen.

So yes, that’s my point for the day. Security by technology and security by education need to be balanced just as much as security is balanced against usability. In the end, however, I’ll take slightly more technology than education only because that is the one that can be auditable and has hard-drawn lines that I can trust (that and I likely have more budget right now than Andy might have…and that does matter).

new headers take two

I guess I forgot which pages I had imported into MT as templates. In redeploying my entire site last night, MT replaced my random image code! Oops, anyway, they are up again although I won’t be able to edit any sizes or remove any until after work. 🙂

new header images posted

If you come to my site every now and then you may have noticed my head images changed slightly, randomly. Well, I added some more images (stolen shamelessly from other places on the net, you’ll recognize some I’m sure) to the rotation. Where before I had 3, I now have 43. I’ve not had time to QA anything and I already see a couple I want to remove or need to resize, but all in all, get out of your RSS shell and click through to check it out if you want. The change of scenery is really just helpful to someone like me who has to view the page daily, hehe.

staying anonymous – part 1 intro

So you want to interact with the less “white hat” types of security professionals but you don’t want to hang your balls out there and allow people to track back to you? Looking to not put your name which might be attached to your company into the limelight if you just happen to get noticed and on the wrong side of some punk kid who decides to have some fun at the possible expense of your career? Or you are just a rightfully paranoid security guy looking to rub shoulders and learn new things without the possible collateral damage of having to defend your own network at home? Well, here are some tips on staying anonymous online.

For this series of posts, I will try not to get fancy and technically challenging. I know you can leverage even better means of anonymity online by routing through SSH connections and shells, scrubbing packets and information, “borrowing” other computers in disparate parts of the world and using them to bounce your connections, or fancy P2P nets and encryption. Some of that is just not as practical for quick approaches. Of note, not all of the stuff mentioned here is technically legal, although the illegality may still be pretty grey. Open mail relays, web proxies, and nearby wireless networks may not necessarily be freely open, so just be aware of that.

Keep in mind that this guide is not meant to protect you if you want to do illegal and bad things. This guide is meant for non-criminals to add an extra layer or two of protection between yourself and other nosy persons. If you already live in the darker corners of the Internet, this guide will not give you any additional information. I also am not entirely encouraging people to push the lines of legality with some of these ideas and steps. Common sense is your friend.

This series is not meant to protect your identity from credit card thieves or allow you to live out your life in places the IRS cannot find you. This is not about hiding your search queries in Google because you think they and the DHS are tracking you. This is simply about being anonymous on the Internet in regards to how other people find or interact with you and you with them.

I’ll start off with some ground rules.

First, don’t be stupid and immature and pick fights. What some newbies do in communities is pick fights and/or act stupid in an effort to quickly get noticed. This is not the way to go. If you have something useful and novel to offer the community, go for it. But most people new to these communities are better served by sitting back and offering tidbits and discussion as they have an opportunity to do so. Be positive, supportive, friendly, and outgoing when it appears to be welcomed. Learn the tone, the names, and what goes on. That’s really the biggest bit of advice for interacting in a community outside the white hats and office cubicles: don’t be a dumbass. And if someone pounces on you trying to be a pest, just let it slide. This isn’t prison where you need to offer a beatdown to the first person who challenges you or forever be branded easy pickings.

Second, pick a nickname (screen name, handle, nick…). If you want to maintain a distance between yourself and the community (which is sometimes prudent considering the curious nature of many crackers), you definitely need to not be known by your real name. Pick a nickname and stick to it. Better yet, pick a fully fake name. I go by Michael Dickey pretty much everywhere in life. But what if I picked Wally Harrison as my name online? I could hide in the noise of Google searches for other people. If you pick something really unique, you’ll be a bit more easily searchable and one slip-up could ruin all of this work. Of course, don’t pick a name that someone else is already using. Using StankDawg might not be kosher with StankDawg.

Third, be aware that staying anonymous is a heck of a lot of work. It is not easy. The more you want to be involved and known, the more you will leak information and screw up. True, full anonymity is not easy at all; in fact, I couldn’t do it, myself. And if you want to make a go of it, be prepared for hard work, lots of time spent troubleshooting your own tactics, and prepare for your failures and slip-ups. True anonymity might not mean making absolutely zero mistakes, but it should be your goal to never show up in any logs with data that might be tied to you. Be aware of your information.

As a general rule, communicate and browse from home as little as is convenient for you. If you have nearby hotspots and open wireless, use them. If a neighbor has wireless, “borrow” their connection if you are feeling too paranoid (I didn’t encourage that…right?).

Lastly, as part of this series of posts (a first for me), I encourage feedback, both in the form of suggestions, corrections, or even challenges saying my advice is crap. And even if you aren’t looking to be anonymous, at least be aware of the ways some of your own users might be trying to stay anonymous.