Copying DVDs has become amazingly easy. I picked up a Samsung DVD burner from NewEgg for $33. They forgot the software, so I had them mail that separately, which is well worth it since it is Nero and includes not only the burning utilities but also the parts to leverage the Lightscribe labels.

I installed DVD Decrypter (pretty much optional) and DVD Shrink (find them on your own, but I suggest doom9.org as a first try). I use DVD Decrytper to rip DVDs to my hard disk, and then I use DVD Shrink to remove a few unnecessary things, like foreign language audio tracks, and also to burn since it can shuttle the project off to either DVD Decrypter (which can burn) or Nero itself. That’s it! I ran a test copy of Fast and the Furious which happens to be a dual layer DVD. The ripping portion took about 15 minutes, I think, and DVD Shrink worked on the contents (about 4.5 GB on disk) for about 30 minutes. I removed two audio tracks. It then went right over and burned in about 5 minutes or so to a non-dual layer DVD.

With Nero, I was able to create a Lightscribe label in about 5 minutes and burn it on in about 15 minutes. I just did a quick Google Image search for Fast and the Furious images, picked the first one (which happened to be huge), plopped it on without resizing or playing with the brightness, and let it loose. The label isn’t breathtaking or drop-dead gorgeous. It really just looks like a badly washed out greyscale image, but the quality (if you look closely) seems pretty nice. I’ll likely use it rather than markers, and I likely will still use actual images as opposed to bland text in text boxes. I’m not really doing anything professional, just makin’ copies!

All told, that was only about an hour of time and only about 10 minutes of actual work. Since I do this on my gaming machine, it gets to dedicate its time to this task when I’m not gaming (and holy crap does the processing of DVD Shrink drop to a trickle when I fire up WoW!). I keep that system pretty slimmed down, so that 1 hour is not a bad deal really.

Blank DVDs with Lightscribe will run me about $1 per disc. Dual layer guys will be about $1.5-2 per disc. At least that was my 2 seconds estimation while standing at Best Buy. That’s still not bad at all as I estimate my typical DVD purchase is $14, give or take. This is why DVD copying pirating is still worthwhile, I guess!

Typically at home I have this stack of papers and junk printed out that I want to flip through and read. Kinda like bookmarking something later, only in the analog world. Lately, I happen to hit a glut of papers talking about covert channels (I’ll link one or two if I still happen to have them around), which are always fun to look at. I then see the focus on ids list has a current discussion on detecting covert channels (really detecting encrypted channels which, as Ron Gula recently contributed, are a separate issue).

Covert channels are fun. They can be an easy way to break something, or use something for a purpose not intended by the creators. The old school version of “hacking” (which I subscribe to) tends to love this definition. They are also difficult and technical in some cases, thus I really believe that unless a firewall or proxy incidentally is blocking the channel, no one really blocks or watches these channels. If I ever get my home network more rounded out and the major projects done, playing with covert channels is something I’d love to tinker with. (And if I would do it, so would lots of other bored kiddies on the Help Desks at their jobs!)

[As an aside, I pick on the poor kiddies on the Help Desk or Tech Support or Customer Service desks a lot. I do so for good reason, though. Typically they can hold some very technically savvy people who have some level of access above normal users. They tend to not be in heavily taxing jobs and sometimes have “leisure” time at work to do some odd things. And let’s not even think about those overnighters with even more time on their hands… Really, it’s not that I distrust them, but I remember my days down there and what I would get my fingers into, and I know it happens.]

For instance, you can stuff information into a few non-used or little-used sections of ICMP packets and shoot them out to your target. But if a company is stopping all ICMP, that incidentally stops that particular covert channel. Someone can siphon away information using DNS, but if you only allow DNS traffic to servers you control…

Stopping (or using to your benefit) covert channels is much more difficult since it requires some pretty specific knowledge of TCP/IP and perhaps packet structure and creation. This probably makes the risk of someone leveraging this attack much smaller, which also may mean it is just not worth spending time combating for many companies.

But lets say you want to detect and/or stop covert channels? I won’t get into specifics since I’ve not done this myself, but here are some approaches I would take.

First, make sure a solid egress configuration on border firewalls are present. If this isn’t done, really, any other steps are simply academic and not going to add any security or sense of security. If you’re not stopping arbitrary ports from connecting to other arbitrary ports on the Internet… Likewise, there is no reason to tackle ICMP covert channel detection if ICMP is blocked anyway.

Second, you need to be monitoring for anomalous traffic. A sudden spike in ICMP or other weird traffic that is not normal could indicate a covert channel in use. Again, the chances are slim, but any network monitoring strategy should already be tracking anomalous traffic loads anyway. You might also want to detect for regular traffic patterns such as an HTTP request that occurs exactly every 3 seconds for hours, or something to that effect. You might see more false positives with things like Weatherbug or Firefox doing regular checks or IM keepalives, but if your company is tackling covert channels, likely they have stringent software and IP rules in place already to limit such noise.

Third, make sure packets are inspected for erroneous settings and flags. Kinda like no TCP packet has any business having both SYN and RST (I think) flags set, there is just some information that, if present, should be investigated.

Fourth, proxy all web traffic in a way that the proxy rebuilds the packets. This should take care of really funky HTTP covert channels and also allow you more logging on what is likely the busiest and least securable port on your network.

Lastly, I really don’t know what to do about steganography or hiding data inside other application layer data. I guess we have to hope that packet inspection firewalls eventually detect the normal tools and their signature/patterns, but I really wouldn’t book my paycheck on that. Image-based stego is still a technical skill, but the tools have gotten far easier to implement and there are tons of locations on the webs to drop images for offsite pick-up.

Speaking of covert channels, I can’t find the actual story, but I swear the Security Monkey had a post one time (I think a reader-submitted story) about someone hiding porn images inside a normal movie file, where a porn image would be one frame somewhere that could be extracted. Screen grab of sensitive docs instead?

Skimming my captured spam comments these days really makes me feel like I’m browsing porn, albeit in text form. I have quite the imagination…and if the guys keep slipping Viagra into my lunch, things are gonna get wrong on a new level.

Ok, kidding! Seriously, my comment spam has skyrocketed since Thursday or Wednesday of last week, almost all about various drugs and the rest about porn. It is amazing how often I catch myself reading one when it doesn’t sound quite obviously spamlike. “Hey man, that’s an interesting post…” I’ve bumped up the filters to get most everything, but if I don’t unmoderate a post you make, feel free to stalk me and track me down or otherwise get my attention.

Joel Esler posted some questions about email signature blocks. Neat. Personally, I keep my signature lengths down to 1-3 lines or so. My name, email address, and maybe who I am if you don’t know me (title or web site). I think I got over the whole quote thing back in 1998, so I don’t do that anymore. I think after you get so many email addresses, you stop really caring to configure and tailor each one.

On a similar topic, I really have a peeve against email disclaimers like “please delete this email if you mistakenly got this…” blah blah blah legal crap. No one freakin’ needs this on every piece of email sent out. It’s useless and stupid. Maybe I should walk around with a card that says, “If I hear some secret you say near me or you hear me calling you a complete asshole, it’s ok and please ignore it if you were not the intended recipient…oh, you’re not the intended recipient, ever.” Yeah, that’d fly.

I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid’s site for a reason!). But I do have some commentary to offer.

First, Sid uses the phrase, “This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality.” Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that’s what passwords are for, no?

Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames…but if they are employees, chances are they know the username format anyway. Also long-term outside attackers who already have an undiscovered foothold into the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, “You have bigger problems at this point.” Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attackers who starts trying usernames to grind out more information, or outright access.

My second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I’m simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

To the author’s credit, he lists criticality being “Less Critical,” although I really don’t know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.

WiFiDEnum (and no, I’m not really sure how to say that out loud) has been released by Joshua Wright. This tool reports back wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns become announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company and might get some lovin over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host’s wireless card and drivers (and no, I don’t know if that is even possible to a worthwhile degree).

I see there’s been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security… I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael’s thoughts which have the side effect of wanting to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process which might be the agnostics’ way to offer up an inarguable concept? [see? obviously I’m not seeing something straight! hehe] ) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).

My initial reaction is that I am not sold on “unified” or “one method to rule them all” approaches. I’m with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obviously apparent by now.

However, there may be some merit in a company focusing their efforts and monies in one method consistently…

I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?

LiquidMatrix posted 4 interview questions for Infosec candidates. I like the questions, personally, and I think they get to one thing I really like to pimp about myself but also value in people in infosec: the geek factor. How much of a geek are you? In other words, how much personal passion do you have for the field? I think this is highly important. Anyway, no preaching yet today, so here are my quick answers for this interview.

1. What is the hostname of your computer / essid of your wifi
How fun! For years, I have stuck to the whole vampire/goth chic with my systems. My main server is named Vampire (and always is, no matter what actual hardware is running it) and my essip is kindred. Unfortunately, the more systems I’ve had, the more I’ve had to dive away from that theme. I have systems named Nosferatu, Hunter, Samurai, Orion (my main laptop, named for personal reasons to do with stargazing), Golem (parted gaming machine), and so on…

2. Which infosec event/conference do you think is the *one* you need to attend each year
Blackhat is too expensive for me alone, and I certainly do not want to do to anything commercialized with more CSOs present than geeks. I think if I had to choose one single event, I would head to Shmoocon. Then CanSecWest and DefCon.

3. You’re doing a walk around and notice an iPod plugged into a laptop – what do you do
Yeah, it sucks reading these questions and already seeing the “good” answers, but I agree with the poster, I would first ask, “Well, what’s the policy?” I don’t want to get into pissing matches over vagueness (I wanted to use vagarity here, but the word is already laterally claimed) of policies and enforcement. If I don’t have to impact someone else and rock the boat, I won’t. So I’d ask about the policy. If there is a policy, I would likely unplug the ipod but leave it on the desk (again, depending on the policy and corporate culture standards on enforcement) and email a note to the employee mentioning it. I’d likely then make a small extra effort to follow-up later that week to see if the ipod is still present, and if so, escalate as needed, more likely with a cubicle-call in person or a quick note to their manager. Nothing overbearing or demanding, just subtle reminders of policy and why it is in place. I’d also test the waters in using technology to block the hardware ports on systems to force policy adherence. Again, though, this all depends on policy and corporate culture.

4. You’ve been asked by HR to take a copy of an outgoing employees computer – what do you do
I’ve not done one of these in a while, but my first reaction in my previous job where I did this a couple times included questions. How much do you need copied? When do you need this started and done? Does the employee know about this or should this be secret? How important is this, while I don’t need details, should I be concerned about eventual legal proceedings or is this just a CYA moment (this may dictate how stringent I follow chain-of-custody or imaging standards)? Do you need me to look at anything in particular or just make the copy? What do you want done with the copy and/or hardware after? Basically, the theme here is to ask questions and quality the request as much as possible without making it seem like you’re fishing for the juicy gossipy details of the incident; I’m not like that and never will be, even when I am privvy to those details (one of the other things I value along with geekery is integrity).

Snagged straight from the bush from the Guerilla CSO

Seems the FBI has the same challenges the private sector has when it comes to maintaining a secure environment. The GAO released a report to the FBI about security weaknesses in a critical internal network. I found this from FCW. I only skimmed the 30-odd page report, but a lot all of their weaknesses are quite familiar.

I love it. There are a number of free security-related tools floating around these days and they seem to be of the “do more, have more features” variety. On my Windows systems at home I prefer to run ClamWin as my AV and Sygate Pro (a full version pre-Symantec purchase/dump) as my personal firewall. I’ve been using Comodo firewall for a while now on one laptop, but I really have no taken the time to baby it and nurture it and really get to know it, so I might just revert back to a Sygate install.

But I keep getting tickles to try something new. I see OSSEC has Windows agents that do things like HIDS, log analysis, registry and rootkit scanning, integrity scanning, and more on the server component. I also see CoreForce which provides a BSD-like firewall, registry and file permissions, integrity scanning, and malware prevention. Both tools are free, although the latter is Windows-bound and standalone while OSSEC likes to have a server component to shuttle data to.

It is nice to see multiple pieces getting packaged together in, hopefully, light-weight apps that won’t be hogs like NAV or your more commercial type protections. I like integrity checking, access monitoring, log scanning, and firewalling, along with the typical HIDS/behavioral analysis and malware detection/prevention. I’m just hoping these two products don’t overlap too much if I want features from both. And of course, there’s my poor ClamWin to think of.

Anyway, tools for thought. I really wish Sygate hadn’t been raped…after ZoneAlarm got dumbed down back in like 1999, Sygate was my saviour…

IRC – IRC is an interesting beast. Even today, this relic of the Internet is still the best place to socialize and talk with others in a realtime forum that includes more than just 1-to-1 conversation (did I qualify that enough??). But it also suffers from easily giving up your connection information as well as other anti-anonymous attacks. Pretty much anyone can just issue a /whois and they can read back your IP/hostname. Really, nothing is easier or more idly tempting as port scanning some noob on IRC to see who’s home. Note: I have not used silc yet, so I don’t really mention it here.

1) general IRC recon and host masks
When you first log into a new IRC network, do not do so using a nickname that you plan to use. Log in and poke around. Do a /whois on yourself and see what is revealed. Connect a second time with another name and whois yourself. Find web support and the main support channels and poke around to see if the network supports any built-in methods to mask your host and IP. Irc.freenode.net and others may allow you to register your nickname and also request or set up a host mask so that /whois returns only what you want it to return. If that is the case, switch over to your normal nick, register it, and get it masked.

Always use a different nickname when doing tests or when you think your masking is not high enough. While this isn’t done as much as in the past, there are still chat channels that get logged and posted right on websites for posterity.

Keep in mind that even private messages are not necessarily private when you do not own the servers and other people are the admins. You may not be as private as you wish you were.

If you plan any unattended idling, turn off auto-accepting any files or DCC communications and make sure no URLs are automatically opened or captured. Make sure your secondary nickname is not revealing in case you disconnect and reconnect automatically before your old connection has timed out.

2) bouncers and proxies
If you do not have the luxury of masking your host, you can make use of IRC bouncers or proxy connections much like web proxies. Bouncers are pretty much the same thing as a proxy, only harder to find unless you own a box or two somewhere else (or pay for a shell).

You can also use web-based IRC clients such as www.ircatwork.org. However, always test these by connecting with a different nick and /whois yourself to see if something is leaking through anyway. These can be a hassle to set up and maintain, so perhaps just familiarize yourself with IRSSI (text-based IRC) and see if you can get a shell that allows IRSSI so you can bounce off that.

Otherwise, use network and wireless connections that are not your own to communicate over IRC. Personally, I prefer using Freenode and masking my host.

3) links, DCC, other notes
Also, don’t click on any and every link in IRC…at least not without your web proxy firmly in place on a safer web browser and connection link. If I had my eye on you, I might try to get you to click a link on my website hoping you would then leave some crumbs in my server logs.

Never accept DCC Chats or Sends. These negotiate as direct connections. If you accept a DCC Chat, the person on the other end will have the ability to see your originating IP, masks or not. You can proxy DCC connections, but I prefer to just not accept them at all as there is really no reason for it when FTP and HTTP have become more than ubiquitous.

More information can be found at http://www.searchlores.org/irc_kane.htm. If I had found this before writing my post, it sure would have saved me a lot of composing!

From Whitedust.net, they have announced a new visualization tool for network traffic called Eve. Visualization tools are fun and typically look cooler than they are useful (imagine the proud managerial looks when you see this running in the NOC?), but you never know. Someday a really slick-looking visualization tool is going to be outstandingly useful. Maybe Eve will hit that mark? I dunno, but surprisingly the tool looks to run on Windows by mention of the winpcap library. If this looks slick enough, I would seriously consider a copy for the price they list, even if it just runs in the background on an old machine on my desk.