Help me out, give me ideas for new How-tos.

by kriggins on November 18, 2008

in General

My first public how-to is this one.  It walks you through setting up a bootable Backtrack 3 thumbdrive with Nessus, Firefox 3, persistent changes and the latest Nmap.

I enjoyed writing it and hope it adds value.  Here is my request of you.  What other how-tos would you like to see me work on? This, of course, assumes I did a good job on my first one :)

Now having asked for your help, let me mention the following:

  1. Topics should be information security related in some manner.
  2. Does not have to be tool or technology related.
  3. I only possess Windows, Linux and BSD based boxen. No Mac yet, so can't write one for Macs unless you want to provide me with said Mac :)

I must admit this will probably benefit me more than you. One of the best ways to learn something is to try and teach it to someone else.  I consider writing a how-to a method of teaching.

Drop a note in the comments or send me an email at kriggins _at_ infosecramblings _dot_ com with your idea.

Kevin

{ 0 comments }

Security Blogger’s Network Feed Issues

by kriggins on November 14, 2008

in General

As indicated by Alan here, the evil overlord Google has apparently decided to no longer support network feeds as part of the Feedburner service.

Alan is working on something that will give the feed a new home. Just in case that takes longer than planned, here is an sbn-members OPML file that Jack Daniel provided and that I have grabbed a copy of so that it will be in at least two places.

You will probably need to right-click and save-as.

Kevin

{ 0 comments }

Tomorrow is Veteran’s Day

by kriggins on November 10, 2008

in General

There are several times every year when I think about the armed services of the United States. Days like Independence Day, the anniversary of D-Day, the anniversary of the attack on Pearl Harbor and others. Many times, I have wanted to let the people who serve our country in this manner know how much I appreciate that service.

On occasion I have had the opportunity to walk up to a serving member of our armed services, shake their hand and say thank you for your service. Nearly every time, the reaction is one of surprise followed by gratitude. It deeply saddens me that the first reaction is surprise.

The men and women who serve in the Armed Services of the United States of America deserve our gratitude and our respect. It is through their sacrifice that we continue to experience the freedom and security we have.

Tomorrow is Veteran's Day. I urge you to find one person who is serving or has served in the armed services and thank them. I will be. Let's make tomorrow a special day for these people to whom we owe so much.

To all those who serve and have served to guarantee the freedom and security of the United States of America, I thank you from the bottom of my heart. Your sacrifice is greatly appreciated.

Kevin

{ 0 comments }

Welcome to Infosec Ramblings’ new home…

by kriggins on November 9, 2008

in General

Hi there!  Just a quick welcome to Infosec Ramblings' new home.  Things will likely be very fluid around here for a while, so pardon the dust as I get things just the way I want them :)

Kevin

{ 0 comments }

This article talks about the conviction of Pryavrat Patel for actions he took after his long-term contract employment with Pratt-Read was terminated.

Now, what Mr. Patel did was definitely wrong, but frankly, Pratt-Read should probably put some thought into how they dealt with the situation too.  It took them two weeks to recover from the actions of Mr. Patel and, per the article, they were actually using paper and pencil at one point to keep the business running.

So, how do you bake a fail-cake?

Ingredients:

  1. Long-term system administrator.
  2. No apparent backups.
  3. No apparent disaster recovery plan.

Directions:

Have system admin work on systems for 8 years.  Terminate said administrator. Leave remote access available to administrator and also leave access rights in place. Wait one month and break out pad and pencil to manage business when the systems can't be used after administrator visits via remote access.

This isn't the first story of a fired employee/contractor retaining access after being fired and causing mischief, nor will it be the last. However, it does drive home a few things we really ought to be doing in order to protect our business. Not only from situations like this, but in general.

The short list of failures I see in this story are:

  1. No process to terminate remote access and revoke access rights.
  2. Apparently, no backups.
  3. Apparently, no disaster recovery plan, or a very poor one if it existed.

So kids, make sure you change those passwords and disable the accounts of your departing personnel. Make double sure you change the administrative user passwords on all systems that said individual accessed, have a business continuity and disaster recovery plan, and back up your systems.  Finally, test those plans and backups.  If they don't work, you are still in the same spot as if you didn't have them in the first place.
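Disabling the account is the obvious step; the access that outlives a termination usually hides elsewhere: a key the administrator dropped into root's authorized_keys, a sudoers.d file nobody remembers, a cron job still running as them. The script below is an added example (mine, not from the post or the article it discusses) that sweeps those places for a named departed user. Every file in SAMPLE_FILES is constructed sample data, and the username jdoe is made up; in real use you would read /etc/shadow, /etc/group, every authorized_keys file, /etc/sudoers plus /etc/sudoers.d, the cron spool and /etc/crontab from the host instead.

```python
"""Audit a host for access a departed user may still hold.

Added example, not from the original post. The file contents in
SAMPLE_FILES are constructed; read the real files from the host instead.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    location: str   # file the lingering access was found in
    detail: str     # what was found


def _parse_authorized_key(line: str) -> Tuple[str, str]:
    """Split an authorized_keys line into ('type base64', 'comment'), skipping leading options."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            return f"{field} {fields[i + 1]}", " ".join(fields[i + 2:])
    return "", ""


def audit_departed_user(user: str, files: Dict[str, str],
                        known_keys: Iterable[str] = ()) -> List[Finding]:
    """Return every place in `files` (path -> contents) where `user` still has access.

    known_keys: the departed user's public keys ('type base64'), so a key they
    planted under someone else's account is caught even without a telltale comment.
    """
    known = {k.strip() for k in known_keys if k.strip()}
    findings: List[Finding] = []

    # 1. Login still usable: shadow hash not prefixed with '!' or '*' (locked / no password).
    for line in files.get("/etc/shadow", "").splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user and not fields[1].startswith(("!", "*")):
            findings.append(Finding("/etc/shadow", f"account '{user}' still has a usable password hash"))

    # 2. SSH: the user's own keys, or keys tagged with their name, under *any* account.
    for path, content in files.items():
        if not path.endswith("authorized_keys"):
            continue
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            material, comment = _parse_authorized_key(line)
            if material and (material in known or user in comment):
                findings.append(Finding(path, f"authorized key still accepted ({comment or material[:20]})"))

    # 3. sudo: a rule naming the user, or a %group rule for a group they are still in.
    groups = set()
    for line in files.get("/etc/group", "").splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and user in fields[3].split(","):
            groups.add(fields[0])
    for path, content in files.items():
        if "sudoers" not in path:
            continue
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            who = line.split()[0]
            if who == user or (who.startswith("%") and who[1:] in groups):
                findings.append(Finding(path, f"sudo rule still applies: {line}"))

    # 4. cron: a per-user crontab, or /etc/crontab entries that run as the user.
    spool = f"/var/spool/cron/crontabs/{user}"
    if any(l.strip() and not l.lstrip().startswith("#") for l in files.get(spool, "").splitlines()):
        findings.append(Finding(spool, "per-user crontab still scheduled"))
    for line in files.get("/etc/crontab", "").splitlines():
        fields = line.split()
        if len(fields) >= 7 and not fields[0].startswith("#") and fields[5] == user:
            findings.append(Finding("/etc/crontab", f"system cron entry runs as {user}: {' '.join(fields[6:])}"))

    return findings


# Constructed sample host state: 'jdoe' is the (made-up) departed administrator.
SAMPLE_FILES = {
    "/etc/shadow": "root:$6$r00t$hash:17800:0:99999:7:::\n"
                   "jdoe:$6$jd0e$hash:17800:0:99999:7:::\n"
                   "alice:$6$al1ce$hash:17800:0:99999:7:::\n",
    "/etc/group": "sudo:x:27:alice,jdoe\nwheel:x:10:\n",
    "/root/.ssh/authorized_keys":
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleRootKey root@backup\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleJdoeKey jdoe@laptop\n",
    "/home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey alice@desk\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%sudo ALL=(ALL) ALL\n",
    "/etc/sudoers.d/admins": "jdoe ALL=(ALL) NOPASSWD: ALL\n",
    "/var/spool/cron/crontabs/jdoe": "# m h dom mon dow command\n0 3 * * * /opt/scripts/nightly.sh\n",
    "/etc/crontab": "0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
                    "30 2 * * * jdoe /home/jdoe/cleanup.sh\n",
}
JDOE_KEYS = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleJdoeKey"]

if __name__ == "__main__":
    for f in audit_departed_user("jdoe", SAMPLE_FILES, JDOE_KEYS):
        print(f"{f.location}: {f.detail}")
```

On the sample data the sweep reports six findings for jdoe: the still-live shadow entry, the key under root's account, the direct sudoers.d rule plus the %sudo rule inherited through group membership, and two cron entries. Run it before and after the offboarding steps; the "after" run returning nothing is the test the post asks for.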

Kevin

{ 1 comment }

Hello everyone.  RSA Europe 2008 is just around the corner!  Some of us have been talking about setting up a Security Blogger/Security Catalyst/SecurityTwits meetup and have settled on a date, time and location.  We will be getting together on Tuesday the 28th at 8:00 PM.  The Novotel London Excel bar is the location.  The hotel is part of the Excel conference center, so it should be easy to track down, but just in case, here's a map:

If you would like to join us or have a suggestion for a better location, please let me or Security4All know.  I can be contacted either by comments to this post or kriggins _at_ infosecramblings.com and Security4All can be contacted here.

Hope to see you there.

Update: I realized this morning that I was remiss in specifying who was paying for any food or drink you might have during this get together. Everybody will be responsible for their own tab for this event.

Update #2: Today's the day! As indicated above, we will be in the Upper Deck Bar in the Novotel hotel.  We are going to do our best to carve out a corner to the right of the bar near the river.  Please see the About page to see a picture of me which may help you in picking out our group :)

Kevin

{ 10 comments }

It’s quicker, but don’t forget to fix it…

by kriggins on September 30, 2008

in General

Good morning/afternoon/evening everybody.

Hope your day was/is/will be great! :)

Lori MacVittie over at DevCentral, who you should all read, wrote Which security strategy takes more time: configuration or coding? recently. It's a good article with some very valid points, but it made me think of something else we need to be aware of when we make "time trade-off" choices.

I agree that WAFs, ACLs, black holing traffic, etc. are all good and effective methods of mitigating risk and protecting against known threats and, in some cases, unknown threats. But they invite a familiar pattern: how often have you whipped up a solution to a problem and slapped it into place?  You know it is not an appropriate long term solution, but you say to yourself, "I'll come back and do that better when I have time."

Fast forward 3 years and your quick fix is still in production causing all sorts of grief because it was never intended to be a long term solution, and/or nobody knows what this thing is doing and they remove it, again causing all kinds of grief.

Maybe I'm stating the obvious, but we need to make sure we have effective policies and procedures in place to ensure that we are addressing things in an appropriate manner, independent of the "this is quicker" mentality. Again, I am not saying that quicker shouldn't be used.  It has its place and often is the best short term choice.  I just want to remind everybody that we need to keep that long term horizon in sight also.

Agree, disagree, think I'm looney?  Leave me a note in the comments with your thoughts.

Kevin

Image courtesy of jakeliefer

{ 0 comments }

I just finished reading Cory Doctorow's Little Brother. You can buy a copy here or read it for free here. Don't let its classification as young adult deter you.  I really enjoyed it. If you are interested in privacy and government and how "it's for your own good" can escalate out of control, I highly recommend giving it a gander.

In the book, there is a terrorist attack on San Francisco which results in draconian security measures being put in place. Our protagonist is Marcus, a 17-year-old, who gets picked up by those enforcing the new security measures and is sorely mistreated.  Through the book, we follow Marcus as he fights for his rights and the rights of his friends as citizens using every means at his disposal, most of them being technical in nature.  He is able to circumvent many of the controls put in place because he is a savvy, technically astute individual who has the security mindset we talk about frequently and is in many cases smarter than those who designed the systems he fights against.

So what does all this have to do with a secure system design that is impossible to break? Well, first of all, it is impossible to design a secure system that is impossible to break :) Further, as Bruce Schneier says in the afterword:

"Anyone can design a security system so strong he himself can't break it."

We see this same type of phenomenon in other areas. For me, it's proofreading.  I have the hardest time proofreading my own writing because I know what it is supposed to say. My own brain gets in my way and I read text as I intended it to be as opposed to how I actually wrote it.

If we can't design perfect systems and we are not able to sufficiently test our systems ourselves, how can we improve those designs to make them more robust and harder to break?

There are a lot of things we can do like build on the successes of others, use "best practices", etc.  However, I can think of a couple things that can significantly improve our efforts:

  1. Peer review - We should have our peers look at our designs.  They will see things that we are blind to.
  2. Testing by a third party - Yes, I am promoting third party testing of our systems, preferably by more than one person. Again, the more eyes involved in reviewing a system, the better chance that weaknesses will be found. I am not proposing that every system get a third party review. It would be prohibitively expensive.  However, important ones probably should.

This also started me thinking about our risk assessment processes and procedures.  If we develop our risk assessment processes internally, aren't we, in the context of the assertions above, creating a system that is destined to have built-in shortcomings?  Should we have our risk assessment processes "tested"?

I'm interested in your thoughts on both topics, so drop me a note in the comments.

Kevin


{ 1 comment }

Taxonomy of coding errors…

by kriggins on July 16, 2008

in Educational, General, Tips

A quick note about something that @cji tweeted about.

Fortify has a taxonomy of coding errors that affect security. The really cool thing is the examples in many different languages.

It's right here, go check it out.

{ 0 comments }

Firefox, SQLite and DOM, oh my…

by kriggins on June 25, 2008

in General

I want to preface the following with a couple of caveats:

  1. I am probably late to the party and everybody already knows all about this, and
  2. There probably isn't any issue here.  It just got me thinking.

I was reading the Firefox's Super Cookies post on the CERIAS Blog and it made me go hmmm. You should go read Pascal's post first because it is an interesting bit o' info, but here are the bits that are germane to my thoughts.

First:

DOM storage allows web sites to store all kinds of information in a persistent manner on your computer, much like cookies but with a greater capacity and efficiency.

Then:

To find out what information web sites store on your computer using DOM storage (if any)

and:

You should find a file named “webappsstore.sqlite”. To view the contents in human readable form, install sqlite3

So, this makes me think there is an SQL interface somewhere in Firefox.  In light of all the SQL injection issues recently, I just have to wonder what kind of fun might exist here.
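To make the "what do sites store" part concrete, and to show where the injection worry actually bites, here is an added example of mine (not from the post or the CERIAS article) that opens a DOM-storage database with Python's sqlite3 module and reports per-domain what is stored. It assumes the Firefox 3 era layout implied above, a single table webappsstore(domain, key, value, secure, owner); that schema is my assumption, and newer profiles use a different table name and columns, so adjust the SQL if your copy differs. The rows in SAMPLE_ROWS are constructed. To inspect a real profile, connect to a copy of webappsstore.sqlite and call summarize() on it. The two keys_for_domain functions show the difference between splicing a site name into the SQL, which a crafted domain string can turn into "give me everything", and passing it as a bound parameter.

```python
"""Inspect what sites keep in Firefox's DOM storage database, safely.

Added example, not from the post. Schema below is assumed (Firefox 3 era);
SAMPLE_ROWS are constructed.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = ("CREATE TABLE IF NOT EXISTS webappsstore "
          "(domain TEXT, key TEXT, value TEXT, secure INTEGER, owner TEXT)")

# Constructed sample contents: what a few sites might have stored.
SAMPLE_ROWS = [
    ("example.com",     "visitor_id",   "a1b2c3",  0, "example.com"),
    ("example.com",     "theme",        "dark",    0, "example.com"),
    ("bank.example",    "session_hint", "s3ss10n", 1, "bank.example"),
    ("tracker.example", "uid",          "7781",    0, "tracker.example"),
]


def build_sample_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the assumed schema and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO webappsstore VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def summarize(conn: sqlite3.Connection) -> Dict[str, List[Tuple[str, int, bool]]]:
    """Per domain: (key, value length, secure-only flag). Values themselves are not echoed."""
    out: Dict[str, List[Tuple[str, int, bool]]] = {}
    rows = conn.execute("SELECT domain, key, value, secure FROM webappsstore ORDER BY domain, key")
    for domain, key, value, secure in rows:
        out.setdefault(domain, []).append((key, len(value), bool(secure)))
    return out


def keys_for_domain_unsafe(conn: sqlite3.Connection, domain: str) -> List[str]:
    """Splices the domain into the SQL: a quote in the domain string rewrites the query."""
    sql = f"SELECT key FROM webappsstore WHERE domain = '{domain}' ORDER BY key"
    return [row[0] for row in conn.execute(sql)]


def keys_for_domain_safe(conn: sqlite3.Connection, domain: str) -> List[str]:
    """Bound parameter: the domain is data, never SQL, whatever it contains."""
    rows = conn.execute("SELECT key FROM webappsstore WHERE domain = ? ORDER BY key", (domain,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for domain, items in summarize(db).items():
        print(domain, items)
    hostile = "x' OR '1'='1"
    print("unsafe:", keys_for_domain_unsafe(db, hostile))  # every site's keys come back
    print("safe:  ", keys_for_domain_safe(db, hostile))    # nothing matches
```

The hostile string here is supplied to the reporting tool, not by a web page; the browser itself writes to this file through bound parameters, which is why I would expect "probably no issue" for the browser and a real one only in whatever ad hoc tooling people write around the file.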

Kevin

Photo by annarchy1

{ 0 comments }