I’ve not hidden my support for the forum (or BBS) format of information exchange; in fact, I think it is one of the best formats when actively used. While I may not participate, I figured I would help post around about a new forum that is trying things out: McGrew Security BBS. We’ll see where this goes and if I find the time to participate, as it is that first year that is the most important (and hardest) for any forum to endure; kinda like trying to siphon water. You have to work at it until it becomes more or less a self-sustaining conduit of incoming content and people.
Month: May 2007
open proxy honeypot
An idea for a rainy day (or bored student!): a web proxy “honeypot.” (Snargled from Grossman.) Rather than using theirs, rolling your own wouldn’t be all that hard to stand up, but it might be a bit harder trying to attract malicious users. Perhaps by dropping the open proxy address onto some anon proxy lists, astalavista, and other places you might eventually get some hits…
Running one’s own open web proxy might drive home the fact that while a web proxy may give you anonymity from the destination’s point of view, it does absolutely nothing for the privacy of your data or your anonymity from the point of view of the proxy device itself.
Oh, and how fuckin’ sweet is it that you can package your wares into a VM and distribute it that way? Copy over the VM, start it up, and bam, all that configuration and setup is pretty much done, just give it an IP!
akismet vulnerability announced
There isn’t much detail posted yet, but it appears the akismet plugin for WordPress 2.1.3 (and probably others) has some vulnerability in it. Right now, the only real mitigation is to turn off the plugin until details/updates are released so you can see whether you are vulnerable (I don’t use WordPress).
Heck, I already get enough spam, and I have been watching as it slowly spreads from a couple core posts to other older posts. Oddly, this weekend about 30 spam comments got through (even as my own comments get moderated!). It’s really just a losing proposition in the end, unless someone really babysits their blog or enforces registration (blech!). At least I babysit for now. I should try to go through my junk list (1399 spam comments saved) and see if there is any sort of IP correlation or what. I kinda doubt it, but maybe I can at least filter some more keywords beyond the obvious…
metasploit tutorials
Just for reference, a question about where to go for tutorials on Metasploit was recently posted to the pen-test mailing list on SecurityFocus. Here are some of the responses. At some point I need to explore this silc channel…
Metasploit (wiki) Book
Offensive Security 101
Metasploit Toolkit (Syngress)
milw0rm videos
IronGeek video
Tyler’s videos
truth and wisdom with age
I speak truth, not so much as I would, but as much as I dare; and I dare a little the more, as I grow older. -Michel de Montaigne.
If you’ve ever visited my personal site, you probably picked up that I collect and love meaningful quotes (the more zen the better!). This one came up today and reminds me of Bruce’s little speech in recent weeks.
powershell: working with file permissions
For my Powershell moment today, I have been working with setting file permissions. I had a problem trying to get permissions changes made to one folder to propagate down to all child items. I didn’t really want to wipe out anything below, and I wasn’t using any SDDL creation/twiddling approaches this time. Just a simple AddAccessRule that needed to be pushed down to all subfolders and files and still be marked as inherited.
I finally found a solution by pulling the ACL from each child item, doing a SetAccessRuleProtection($false,$true) and then setting the ACL back onto the child item. This basically seems to force the ACL to be refreshed, which then pulls down stuff that should be inherited.
foreach ($i in get-childitem $strTarget -recurse -force) {
    # pull the current ACL from the child item (-force includes hidden/system items)
    $objNewACL = get-acl $i.FullName
    # $false = allow inheritance from the parent, $true = keep the existing inherited entries
    $objNewACL.SetAccessRuleProtection($false,$true)
    # write it back, which forces the inherited rules to be re-evaluated
    set-acl $i.FullName -aclobject $objNewACL
}
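Putting the whole procedure together, as an added example that is not from the original post: the AddAccessRule step on the parent (with inheritance flags set so the rule is meant to flow down), the inheritance refresh on every child, and a final check for children the rule did not reach. The target path and the group name are assumptions; substitute your own.

```powershell
# Added example: grant a group Modify on a folder tree and make it propagate.
$strTarget = 'D:\Shares\Projects'        # assumed target folder
$identity  = 'DOMAIN\ProjectEditors'     # assumed group; use a real principal

# Build the rule: Modify rights, inherited by subfolders (ContainerInherit)
# and by files (ObjectInherit), applied to this folder and everything below.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity,
    'Modify',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')

# Step 1: add the rule to the top-level folder only.
$objACL = Get-Acl $strTarget
$objACL.AddAccessRule($rule)
Set-Acl -Path $strTarget -AclObject $objACL

# Step 2: walk every child (hidden/system items included via -Force),
# re-enable inheritance without discarding existing entries, and write it back.
# Writing the ACL back is what makes the child pick up the parent's new rule.
foreach ($i in Get-ChildItem $strTarget -Recurse -Force) {
    $objNewACL = Get-Acl $i.FullName
    $objNewACL.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $i.FullName -AclObject $objNewACL
}

# Step 3: verify. List any child that still has no *inherited* entry for the
# group; an empty result means the rule reached everything under $strTarget.
Get-ChildItem $strTarget -Recurse -Force |
    Where-Object {
        $acl = Get-Acl $_.FullName
        -not ($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and $_.IsInherited })
    } |
    Select-Object FullName
```

Run it from a session that has WRITE_DAC on the tree (normally an elevated admin prompt), since Set-Acl fails silently-looking on items you cannot modify.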
staying anonymous – part 3 email
email (mailing lists) – Email is an important validator of people versus bots. It is also an excellent means to communicate with others and peruse email mailing lists which have some of the most traffic and information sharing of any method presented. However, you certainly do not want to use your own mail address from work, home, school, or even your own home server if you want to preserve your anonymity. Sign up for Google’s Gmail and create an anonymous account.
Do not set up POP3/SMTP on your normal mail client and instead stick solely to the web interface using a non-IE browser that is diligently patched. Using your own client may tempt you to reply, and not every email service is necessarily anonymous when you send your email directly from a client application.
Don’t send your “real” email accounts mail from this anonymous one; don’t send yourself test emails; don’t forward away from this email. Instead, copy-n-paste or test your anonymity using another anonymous mail source that allows you to view full headers. Hotmail, Yahoo, and Hushmail are other choices, although the last either requires money or will lock your account if you don’t log in for 3 weeks. If someone gets into your super secret email account, you don’t want your Sent items to give you away (and vice versa if you lose control of your personal account).
For some mailing lists, such as SecurityFocus, you can post replies via a web form (depending on the moderation of the list, you might have to at least provide a valid “on-the-list-already” email address). But at least this way you can check your mailing list anywhere, and always post under one address, or through a web proxy to hide your originating IP.
I also highly recommend finding a favorite throw-away email box. Pookmail is my preferred disposable (yes, I’m dropping Google search terms!) email service. You send an email with a reply address or somethingunique@pookmail.com, wait for a reply and pick it up at the website. Granted, this has zero expectation of privacy, but at least you can use this as a throw-away address. I use this when signing up for software trials and downloads and junk that require a valid email.
web app sec testing sites
Saw this on the SecurityFocus pen-testers mailing list and thought I would capture them here for future reference. These are some sites/tools to help evaluate web app security scanner tools.
SPI Dynamics zero.webappsecurity.com
Cenzic crackme.cenzic.com
Foundstone SASS tools
OWASP WebGoat
OWASP SiteGenerator
Watchfire demo site
Acunetix php test site
Typically, lots of the online “hack me” or “hacker challenge” sites like some in my right menu list tend to touch on web-borne “hacks” for their challenges as opposed to anything else. May get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.
bruce on not needing a security industry
I’ve seen plenty about what Bruce Schneier said recently along with the feedback. Rather than address the content directly, I just want to say that eventually, many experts become nearly an establishment in themselves. Eventually they can say big, extreme things, and rather than be pissed away like some angry kid, they instead influence. Or at least make a valid point in their extreme. They kinda become those half-senile curmudgeons that are important enough that people listen to everything they say. He can say big things and doesn’t mind if everyone else uses his words as a boilerplate.
Now, that’s not a criticism. I don’t think that is bad at all. But I think that when a lot of people my age get to be Bruce’s age with a similar long background in this field, we might also see new things or futility in old things and say stuff that might be seen by others as a bit far-fetched. But I think his extreme approach is just a direct relationship to his notoriety and influence.
For some reason, I really wanted to work a quote in here as my mind drifted from establishment to institution. Anyway, I’ll force the quote in anyway, “No, I want you to set a fire so goddamn big the gods will notice us again, that’s what I’m saying. I want all you boys to look me straight in the eye one more time and say, ‘Are we having fun or what?'”
web 2.0 animation
I saw this a few months ago and can’t remember where I saw it. But I looked it up again and, to save me the trouble of losing it in the future, I’m posting this web 2.0 clip: The Machine is Us/ing Us.
on not being you
So, we have an intarweb that lets us post all sorts of zany things all over the place, from a ratty MySpace page to a litany of comments on news clippings and blogs and forums.
I know Dan Morrill talks now and then about making sure an employer Googles prospective employees. But what if someone has been posting using your name in various places? For instance, I make little to no effort to mask my online moniker, LonerVamp. But what if someone started using that name maliciously and posting hate and other garbage around that eventually gets indexed?
vmware box is alive
Phew! Swapped out my Radeon 9500 card for an equally pricey (haha!) Diamond Radeon X550 and my vmware box has signs of life. In fact, the signs were so good that I finished mounting the parts, finished up the cabling, and powered on long enough to make sure Ubuntu 6.04 loaded from CD and saw everything. Good deal!
the sysadmin ultimately exists to support the business
In response to the 7 things sysadmins forget, Rebecca Herold commented and I wanted to pull it out for a separate post.
Forgetting that their sys admin job ultimately exists to support the business
No kidding! I think there are three mindsets when it comes to sysadmins (and really, IT/business in general).
1. Sysadmins who understand this concept and make decisions themselves on how their job relates to the business.
I consider these sysadmins to be empowered admins who understand their job. They can prioritize their time and make decisions frequently on their own that really do benefit the company and their own role. The sysadmin with this mindset tends to perform risk assessment and decision-making in her head and can sometimes be seen as making rash (but hopefully accurate) decisions.
2. Sysadmins who don’t care about this question and instead defer this layer of involvement in the business to their boss.
Sysadmins at this stage seem to need lots of things escalated to their manager, even when small ticket requests have slightly larger implications. They do their job well, give a nice point to their manager on their views, but ultimately let someone else make a decision for them. Some sysadmins may get forced into this position based on the company and managers they interact with. When bureaucracy does not exist, this may be a result of lack of respect and trust given to the sysadmin such that he is not allowed to make his own decisions. Other times, this is just the style the business prefers.
3. Sysadmins who forget this all the time and really think the business exists to serve their job, or better yet, they only see their job as being ultimately important.
These sysadmins are typified by saying “secure this, secure that,” even if it impacts the business negatively. They make decisions based on their job only. Sometimes this is good, especially in a large corporation where you only really have a small slice to make decisions around anyway, but typically this is a negative mindset where the admin is likely never feeling fulfilled and really never fully gets his way…ever.
I think it would be beneficial to see which sysadmin one is, and what sysadmin the company nurtures. Even something as simple as me being a #2 sysadmin but in a #1 company can lead to unhappiness and underperformance. For instance, I like making decisions quickly on my own about what security and IT initiatives to do and how to do them, but if I am in a company where my boss and other managers hate that, I likely won’t be very effective and we might all end up turning into sourpusses over time.
corporate cyber espionage is still in its infancy
A good friend of mine and I were talking this weekend and the topic came up of corporate (and beyond) cyber espionage only just starting to be a force. I really believe that as more and more people have insecurity skills and our society continues to become more digitally dependent on information as our lifeblood in business, corporate espionage (which really has always been around) will only become more and more prevalent.
I wonder how many corporations (truly!) think it would be moral/immoral to:
1) Do some cyber “recon” at tradeshows on your competitors. Or maybe just DoS them during their demos? (active and passive attacks)
2) Hire some group to perform a DoS against a competitor’s website/service during a particularly important moment.
3) Perform recon to continually footprint and find systems and sensitive information. Do you know how often a company can give away new projects just by their public DNS entries?
4) Perform dumpster diving regularly?
5) Feel ok with profiling and possibly probing employees’ home networks (particularly wireless)? Think c-levels and remote sales, for starters.
6) Send malicious emails to targeted persons in a rival company hoping to root the system? Do you know how quickly someone running as local admin can have a malicious program installed which can then sniff and/or grab email account passwords for very important people and then send them back to someone who can log into webmail whenever they want?
7) Try to guess some webmail passwords of important people?
8) Pay for someone who has information about a rival because this person just sits at major airports and attempts wireless attacks against travelers, looking for juicy connections and info to sell?
I really think this is only going to get worse and much more commonplace. Besides, much of this stuff is still way too easy to perform, and in a way that is still way too anonymous. And I think anyone who has been online any amount of time knows that laws are more “easily” broken when you’re not standing in front of a police officer. Physical presence is a barrier that most often protects our physical safety, but that deterrent is completely absent online.
tjx breach instigated through insecure wireless
It sounds like someone traced the TJX breach back to a store in Minnesota that employed WEP as their only(?) protection for their wireless system. While this is a simplistic announcement, it certainly is not the whole story.
This illustrates how just one weak part of a huge network (or business) like TJX can bring the whole thing down. You can roll out secured (?) wireless to 1,000 stores, but it just takes one store whose manager doesn’t quite understand the technology (should they really, though?) or one overlooked site by the techs doing the setup and you suddenly become a part of security and business history.
I also wonder where the layered protections were. Did this Minnesota store get automatically bridged into the corporate network that had access to all this sensitive data whizzing by? Did no one have any logs or tripwires up on anything to monitor access? How well did the attackers cloak themselves to look like innocuous or expected systems? Was anyone watching the wireless access logs, or anomalies in data collection/transfer that most probably occurred?
I see that the article mentions software patching was lax. I see that employee logins were sniffed (NTLM or clear text to proprietary system?). Sadly, for as much as we need details to improve security both at TJX and with PCI auditors (and the rest of us!), this is so costly that I doubt we hear more details for years until the courts release it. Did they ever rotate wireless passphrases? What was the real need for wireless in the first place?
So let’s say I’m in Minnesota and see a Marshall’s using WEP on their wireless network. I crack WEP and do some testing and practice some patience to make sure no one’s watching the access and that I don’t trip any IDS. Eventually I get comfortable enough to log onto the network and perform some stealth scans to see what I can see. I bet I can see a lot, including some unpatched machines which I can get a foothold into (in a best case scenario for me, I might just be right on the full corporate network through some dedicated VPN setup). This pretty much shows me that admins at TJX aren’t quite as diligent as they should be, which can put me and my cohorts at ease. From there, I can sniff on systems I own and pilfer what I can. Lack of software patching standards probably mean shared passwords everywhere too.
Blah blah blah…there are plenty of places where TJX should have detected and/or slowed down these attackers. Death by a 1000 cuts is becoming a pet phrase of mine…