a guide to linux services

This post talks about various Linux services in Fedora and Ubuntu (Debian) systems, along with a recommendation on turning them off or not. I really like knowing more about some of the mysterious services running. Normally with Linux, I wouldn’t do the whole “Windows thing” about disabling services because they start on their own, but with Ubuntu I think there is plenty of extra stuff that can be turned off with no ill effect. This might help guide me a bit.

upgrading from vista to xp

Not sure where I found this, but this blog reviews the upgrade from Windows Vista to Windows XP (yes, that’s worded properly). Nice read! I’m still eyeballing parts for my 2008 gaming machine that I plan to build early next year, and I’ve really not been sold on getting a Vista license with it. I may as well stick to XP since I know everything will work just fine with it, and I don’t have any need for the graphics or security enhancements since this machine only does one thing: play games. The only real reason I would want to use Vista is to be familiar with the OS and support it if users have questions. But maybe I’ll not sweat that until my company decides to migrate to it…

For the system itself about the only thing I’ve not decided upon is the case and cooling, and the little bells and whistles that come with them.

scanning those other wireless technologies beyond 802.11abg

Josh Wright earlier this year posted a couple wireless security papers which are quite valuable. First he talks about wireless framing; basically a blitz through how wireless 802.11 works. There is also a paper about 5 wireless threats we may not know about. In the list, Wright mentions 802.11n (Greenfield mode) and Bluetooth rogue APs. I think scanning for rogue APs using kismet is becoming fairly common in concerned organizations (or by concerned geeks anyway). But how does one begin to scan to find these other wireless technologies?

BTScanner can be used, plus there are other papers on pentest.co.uk.

Bluescanner should also work, although I’m not sure if this is the same tool that was absorbed into Aruba Labs.

I’m sure there’s more, I’m just not coming up with them at the moment.

AirMagnet’s Laptop Analyzer will detect 802.11n signals. I’m not sure what else is available out there for this new tech.

I’m sure pretty soon there will be scanners for detecting vulnerable wireless keyboard/mice devices (pdf) as well…

pandora radio from the music genome project

Pandora is a free (hopefully it stays free!) streaming music service that sends out music based on your preferences, kinda like a Netflix queue that adjusts as you rate music. You start out by picking some artist or band whose style you want to listen to, and the system provides the rest.

You can listen to a few songs before being nagged about registering. You can then register for free and supply whatever information you want; there was no email validation or anything.

It worked great at home on Ubuntu + Firefox. I was in an electric mood so I chose Underworld as my initial seed and got a nice 3 hours’ worth of decent music with one exception of some Nickelback-sounding pop rock song that came in. No idea how it got in my list, but you can click a “thumbs down” for any song. It’ll log your preference and skip right to the next one.

I really dig SomaFM.com’s Groove Salad, but Pandora will definitely vie with them for my web radio pleasures as long as they stay free and have as varied a mix as they seem to have at first blush. If they do, this truly is the future of “radio” and music exposure. Much like the past decade and more where I’ve expanded my tastes and horizons through mp3 sharing (and thus spent money on those I liked!), this is serving me up that same benefit without the hassle of finding, downloading, and sorting it all myself.

insecure backup tapes lead to measures that don’t secure backup tapes

An article on ComputerWorld illustrates why I don’t care for media rags and prefer news straight from security professionals (blogs, email, etc).

State officials announced late last week that they have agreed to purchase about 60,000 licenses of McAfee Inc.’s SafeBoot encryption software.

Ohio officials moved to launch a hefty security policy makeover after a backup tape containing Social Security and other personal information of residents was taken from the car of a government intern in June.

What’s wrong with this picture? Well, even the article lists the features of SafeBoot, and they don’t include encrypting backup tapes. So this is a misleading article that any knowledgeable IT staffer in Ohio has to be a bit annoyed about. That’s also a hell of a lot of licenses. I wonder how long and how painful that roll-out process is going to be…

It also goes to show that while Ohio may have some policy, process, and people problems when it comes to digital security (and have maybe addressed them!), the measures that seem easiest to do and report on are technological controls like the purchase of yet more software to patch the problems. Reminds me of conversations about internal security. “Upper management would rather not think about internal employees being malicious; they want to trust and empower them, not treat them as potential criminals.” Hence, technology is a far easier pill to swallow for such paradigms…

full disclosure has definitely become more domesticated

Jeremiah Grossman has written about how Full Disclosure is dead. Good article, and some interesting comments on his blog.

Is FD dead? Well, not really, but even as attackers have criminalized to realize profit, so too have “researchers” grown up and realized they can get jobs doing this fun hacking stuff. With jobs comes some professional integrity, maybe not just with proper disclosure, but with not getting into legal trouble and becoming the next rogue IT admin plastered around the presses. Heck, some of these guys get jobs for their silent disclosures, or money for reporting them and shutting up (a sort of legalized form of extortion or ridiculously cheap labor, take your pick).

We can also see this in far fewer people hiding behind aliases, and likewise in the shrinking number of hobbyist security persons.

Is FD dead? I don’t think so, but the pool of people who *can* provide FD has greatly diminished. Should FD die? No, because in many cases I prefer FD to staying hidden in the darkness of naivety. We certainly need it, and if FD does ever appear to die, I’ll be willing to bet yet another cyclical counter-counter…counter-culture will emerge fighting against The System and not playing as complacently as the rest of us aging geeks are doing.

helping home users be more secure: just a dream?

I started out the week pointing towards people doing some thinking. I figure I’ll end the week the same way.

Bruce Schneier posted an article about home user security knowledge I really like, since I’ve been saying the same thing, roughly.

At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don’t see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they’re available to help me recover if something untoward does happen to my system. Home users have none of this support. They’re on their own.

Absolutely true. When I purchase a car, do I have a manual on how to tune and maintain it or troubleshoot it when things go wrong? Do I even get to see the standard specs for safety and security? Hell, do I get a lesson in changing my oil? Nope. And we expect people to “get” the much more ephemeral workings of a computer when not everyone has nearly the logical mind that most techies have? Yikes!

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn’t any other way.

I agree, although that doesn’t mean we should dump user awareness totally. But really, corporations (and us geeks!) need to buck up and help their own employees at least a little. Training at work about security and computer usage will carry over into their home life. If nothing else, perhaps they can bounce home computer questions off the cyber talent present in the organization. I know us techs hate troubleshooting home PCs, but giving free advice is not nearly as painful.

What digs at this approach, however, is while advice is free, most people just want someone else to do it and do the thinking, the dirty work. Not everyone is into computers as much as us geeks, and they simply don’t want to be. Just like I don’t change my own oil, and really don’t want to be troubled with it, despite how necessary it is to protect my investment. Anything beyond “don’t install random things,” and “don’t click links in email,” is still too much to trust most end users to understand.

Sadly, we have a huge computer security industry now, and they simply will not let someone like Microsoft put out a solid, more secure OS. Which puts us in a real bind… In the end, insecurity may just be a permanent reality, just like crime in general is a permanent reality, or home insecurity is a permanent reality (when assuming cost is realistic).

fake web filter pages

April Fool’s Day idea for sites bigger than mine: Replace the site front page with a fake Websense/SurfControl blocked message and get everyone to ask their admins what’s up. “I swear, we’re not blocking it! I don’t know what’s going on!”

training the technologists

As this year has gone by, one thing has become pretty solidified in my mind: training for security and IT/developers is necessary. I’d rather have training for them than for users in general. Not all security measures can be adopted in every organization, so not just technical training, but training to be aware of the risks and how they affect the business needs. For instance I can see some organizations thriving while users run as local admins. Why? Because the risks are known and dealt with in other, often-times more creative ways. And yes, this may incorporate user awareness training. I’m not against user awareness, I just put it lower on the priority list.

If you can’t build things securely, or secure them accurately and quickly, then business needs will almost always win over security. From tasks to projects to software.

One might think training should be for manager levels as well. But I would counter that managers can learn a hell of a lot from their employees, with good, trusting communication.

has security gently guided technology development?

Does information really just want to be free? Or systems that is?

In the beginning we had ports on systems running their own services. Port 80 had HTTP. We blocked ports we wanted to stop.

Then services started tunneling themselves through port 80. We started inspecting traffic over port 80 and denying anything that obviously wasn’t a proper request for the protocol expected there, usually HTTP. We even added software installation denials.

Applications started going to the web, because then they look like the normal HTTP traffic we didn’t want to block, and used an application on the desktop they knew we couldn’t fully deny. We need more application-aware blocking (deeper inspection, HIPS, and even DLP types of technology).
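The “inspect what crosses port 80 and deny what obviously isn’t HTTP” step above, as an added example that is not part of the original post: a small Python classifier that looks at the first bytes of a TCP/80 stream and decides whether they form a well-formed HTTP/1.x request (known method, version, and a Host header for HTTP/1.1) or look like something else tunnelled over the port, such as an SSH banner or a TLS record. The sample payloads and the allow/deny policy are constructed for illustration; real inspection engines do considerably more than this.

```python
"""Added example (not code from the original post): a minimal port-80
protocol check in the spirit of early 'inspect port 80' controls.
All payloads and the allow/deny policy below are constructed."""
import re

# Simplified HTTP/1.0 and HTTP/1.1 request line (RFC 7230):
#   METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}


def classify_port80(payload: bytes) -> str:
    """Label the opening bytes of a stream seen on TCP/80.

    Returns one of: 'http', 'http-connect', 'ssh', 'tls', 'unknown'.
    """
    # SSH announces itself in cleartext with a version banner.
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    m = REQUEST_LINE.match(payload)
    if not m:
        return "unknown"
    method = m.group(1)
    # CONNECT is itself a request to open a tunnel, so label it separately.
    if method == b"CONNECT":
        return "http-connect"
    if method not in KNOWN_METHODS:
        return "unknown"
    # The header block must terminate with an empty line.
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return "unknown"
    headers = head.split(b"\r\n")[1:]
    is_http11 = m.group(0).endswith(b"HTTP/1.1\r\n")
    has_host = any(h.lower().startswith(b"host:") for h in headers)
    if is_http11 and not has_host:
        return "unknown"  # HTTP/1.1 requires Host; likely not a real client
    return "http"


def decide(payload: bytes) -> str:
    """Constructed policy: only plain HTTP requests pass on port 80."""
    return "allow" if classify_port80(payload) == "http" else "deny"


# Constructed sample streams, as a first-packet capture might show them.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "old_client": b"GET / HTTP/1.0\r\n\r\n",
    "proxy_tunnel": b"CONNECT mail.example.com:993 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_4.3\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "binary": b"\x00\x01\x02\x03custom-protocol",
}


def summarize(samples=SAMPLES) -> dict:
    """Map each sample name to (label, decision) for a quick review."""
    return {name: (classify_port80(p), decide(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (label, verdict) in summarize().items():
        print(f"{name:14s} {label:13s} {verdict}")
```

The check deliberately treats a missing Host header on HTTP/1.1 as suspicious, because real browsers always send one; that is the kind of “obviously improper request” the post refers to, and it is also exactly the sort of heuristic that tunnelling tools later learned to satisfy, which is why the post moves on to application-aware inspection.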

Soon, I suppose Google will offer up the OS on the web, and we’ll connect to a portal that will offer us everything we need, a veritable AOL “walled garden” on the web. What then? Vista is portending the death of the OS as we know it…right? A return to dummy terminals, only this time enabled on the Internet through the browser?

Is security to blame for part of this?
(Let’s say we do get back to client-server types of architecture, does that mean we’re done with endpoint security because the endpoints will become expendable plastic? Will the Web OS go the way of AOL? Sure, it may eventually offer a ton, but do users really want the freedom to do what they want, even if those choices and risks are bad? Do you want to decorate your house one way, and just adhere to slim building and fire codes or rather have a cookie-cutter home with small cosmetic differences? Ahh…)

document your code

Over on Chris Shiflett’s blog is a guest post from Elizabeth Naramore, php/web developer, in which she talks about commenting and documenting code, using a dishwasher as a common analogy. The post is well-written and can apply not just to code documentation, but security process documentation as well. Many of my colleagues hate doing documentation and as such we have painfully little of it, but I’ll always do my best with it because I think it is especially valuable. I think some people think it is so simple, they never get around to it, and as such, this “simple” thing never gets done.