FreeNetworkSecurity.info

Office Depot: Free 5lbs of shredding

2010-05-21T11:50:00.000-07:00

There's a Good Reason to Get An iPad - Save 30 Seconds In Airport Security Gates

2010-04-07T17:13:00.000-07:00

AppleInsider | Apple's iPad can stay in bag for airport security screenings

Thief Breaks Into Edmond Fire Truck - Oklahoma City News Story - KOCO Oklahoma City

2010-04-07T16:08:00.000-07:00

Edmond Gated Communities: Change your codes! And don't forget to update the Fire Department.

Thief Breaks Into Edmond Fire Truck - Oklahoma City News Story - KOCO Oklahoma City: "Someone broke into the garage and stole various equipment from the truck, including hand-held radios and possibly a map book with codes to gated communities.

Wheeler said that as a precaution, firefighters are calling those communities asking them to change their codes."

Last of the One Word Domain Names

2010-04-02T10:36:00.001-07:00

A compilation of the last English one word domain names available: http://www.lastwordsleft.com/

Download the Free Nmap Security Scanner for Linux/MAC/UNIX or Windows

2010-03-29T20:30:00.000-07:00

Download the Free Nmap Security Scanner for Linux/MAC/UNIX or Windows Snag the latest release of the 5.30 BETA!

Leave No Trace: How to Completely Erase Your Hard Drives, SSDs and Thumb Drives - Data wiping - Gizmodo

2010-03-10T10:35:00.000-08:00

Well written, comprehensive guide to disk wiping. Nicely done. Leave No Trace: How to Completely Erase Your Hard Drives, SSDs and Thumb Drives - Data wiping - Gizmodo

End of support for Windows XP with Service Pack (SP2) and Windows Vista without service packs - Windows Help & How-to

2010-03-01T13:17:00.000-08:00

Microsoft users! Upgrade! Microsoft is ending support for Windows Vista (without Service Packs) on April 13, 2010. Support for Windows XP with Service Pack 2 will end on July 13, 2010. End of support for Windows XP with Service Pack (SP2) and Windows Vista without service packs - Windows Help & How-to

Olympic skier Begg-Smith known as 'spam king' | Tech News on ZDNet

2010-02-21T17:31:00.000-08:00

Olympic skier Begg-Smith known as 'spam king' | Tech News on ZDNet

Skier and SPAM king. I guess we all need hobbies.

Web site offers emergency information for deaf, blind � Homepage � The Palestine Herald, Palestine, Texas

2010-02-11T16:55:00.001-08:00

Web site offers emergency information for deaf, blind � Homepage � The Palestine Herald, Palestine, Texas: "Topics include: general emergency preparedness, first aid, chemical emergencies, terrorism, flooding, hurricanes, tornadoes, earthquakes, winter storms, insect/animal hazards, infectious diseases, food safety, heat related safety, nuclear events, explosions, radiological events and more.

“The information is downloadable for people who need larger printed material, so they can read it or have for reference,” said Walker, who also pointed out that it could be printed to a Braille printer."

Con artists scam consumers with hearing impaired phone system - ABC 4.com - Salt Lake City, Utah News

2010-02-11T16:55:00.000-08:00

Con artists scam consumers with hearing impaired phone system - ABC 4.com - Salt Lake City, Utah News: "Scam artists are attempting to use the Utah's 711 hearing impaired relay system to rip off local businesses. And right now it appears those who work with the system are having a hard time stopping the unethical and illegal practice."

Google Squared: Let someone else do your brainstorming

2010-02-02T08:46:00.000-08:00

Google Squared offers a way to both query and submit lists of similar items. Plug in a few terms you can think of and it will try to build a table of similar items. This can be very helpful with brainstorming: from a simple shopping list to trying to include every facet of linux security in a report. I tried linux and security and had to submit a few applications that are involved with those two terms. When I did I got a fairly long list of similar applications to consider within the context of those two terms. This could be an ideal format for idea mapping as well. The end of writer's block?

Personal Disaster Plan: Tips to Keep Your Family Safe - Associated Content - associatedcontent.com

2010-01-25T15:51:00.000-08:00

Personal Disaster Plan: Tips to Keep Your Family Safe - Associated Content - associatedcontent.com

Good ideas for the soon to hit winter storm in Oklahoma.

Haiti - How Is Your City Disaster Recovery Plan?

2010-01-15T19:29:00.000-08:00

In a typical disaster recover (DR) plan a person would now be in charge and have complete authority over whatever resources he could muster. Those containers in the shipping yard would be broken open and any resources (like vehicles, medicines or food) be distributed. Any ships on their way to Haiti should be given priority, the military escorts would be all the paperwork needed to let them pass any given checkpoint. Buildings should be setup and clearly marked for separating wounded. Which all makes me wonder how my city's disaster plan is going???

Maximum PC Magazine Archives Are Free

2010-01-02T08:37:00.000-08:00

You can download older issues up to 11/09 of Maximum PC Magazine for free as PDF. Here's how:

Here is the link for 11/09:
http://dl.maximumpc.com/Archives/MPC1109-web.pdf for 11/09.

You can get previous issues by simply changing the URL of the download. Change 11 to whatever month and 09 to whatever year.

Weekend Vacation Day Project: Free Home Inventory Program

2009-12-20T10:54:00.000-08:00

Weekend Project:

Allstate has a nice Home Inventory Program for Free that will track room by room what you own. It can save some pictures as well. Also, it has a donation room for things you want to give away.

Pryor Daily Times - Jumping on the broadband wagon

2009-12-02T20:39:00.000-08:00

Pryor Daily Times - Jumping on the broadband wagon

Editorial Note: Does this mean that Google is revitalizing its 2007 plan for a DataCenter in Pryor?

Google Planning Oklahoma Data Center � Data Center Knowledge

Fedora 12 one page release notes - FedoraProject

2009-11-18T06:08:00.000-08:00

Fedora 12 one page release notes - FedoraProject

Fedora is the free arm of the RedHat product line. It is designed for testing the latest and greatest technologies before incorporating them into its premium products.

Moserware: A Stick Figure Guide to the Advanced Encryption Standard (AES)

2009-10-31T19:19:00.000-07:00

Moserware: A Stick Figure Guide to the Advanced Encryption Standard (AES) Only funny to those who know... still... funny.

License software giveaway - free backup, partition freeware & data recovery

2009-10-17T06:40:00.000-07:00

Free Paragon Partition Manager 32 or 64 bit until October 18th.

License software giveaway - free backup, partition freeware & data recovery

White Hat World WebEx Addresses Data Leakage

2009-10-16T10:14:00.000-07:00

While not being a huge fan of Rich Mogull and I have long since stopped listening to his podcast for various reasons, however, it is good to get different views on data leakage. Also, Rich is great about muddling through the media garbage.

White Hat World WebEx Enterprise Site

Program:
Thought Leadership Roundtable Webcast
Panelist(s) Info:
http://www.whitehatworld.com/staff.html
Duration: 1 hour
Description:
Data leakage is one of the most pressing security issues faced by nearly every organization. From stolen credit card numbers, to lost health care records, to leaks of intellectual property and trade secrets, data leaks dominate the security headlines on nearly a daily basis. And although there are a variety of approaches and tools available to limit leaks, the marketplace is confusing with conflicting messages, overlapping product feature sets, and no shortage of hype and fear-based marketing.

In this Thought Leadership Roundtable our panel of experts will cut through the hyperbole and present practical strategies for reducing data leaks. From securing content repositories, databases and discovering stored sensitive data, to preventing network leaks and tracking user activity, we will cover the range of tools and processes available to reduce losses.

SC World Congress 24/7

2009-10-15T17:33:00.000-07:00

SC World Congress 24/7

Why Is My Fedora RedHat System Out of Date?

2009-10-15T09:00:00.001-07:00

Having noticed that the usual "yum update" that I perform on my system did little more than call home I finally did some research and found that I am sorely out of date.

The Yum Upgrade FAQ spells out the steps necessary to get your system back on the cutting edge and performing regular updates again. Within an hour or so I am now back up to speed with the latest and greatest Fedora packages.

See The Fedora Yum Upgrade FAQ for more information and the exact steps.

Following these steps from a Fedora 9 system I had to do it twice to get to 11.

The buzz about Apple’s new batteries - Apple 2.0

2009-06-16T06:19:00.000-07:00

A decent explanation of Apple's new batteries and how they achieve long-life.

The buzz about Apple’s new batteries - Apple 2.0: "But the first MacBook Air only promised 5 hours of computer power. Apple claims the new MacBooks will deliver 7 or 8 hours on a single charge and last up to 5 years — longer than the expected life of the average laptop."

Staples.com gives away Intuit Quickbooks? After Rebate Naturally

2009-05-31T09:03:00.000-07:00

Buy Quickbooks for $90 and get a $90 VISA card Staples.com

Windows 7 Release Candidate Customer Preview Program

2009-05-05T12:12:00.000-07:00

Windows 7 Release Candidate Customer Preview Program

Download a copy of Windows 7 and try it out. The link uses a browser downloading agent which copies down an ISO.

Security and Risk Management Strategies Blog: Excuse me, can I see your information security practice license?

2009-04-13T16:53:00.000-07:00

Security and Risk Management Strategies Blog: Excuse me, can I see your information security practice license?

This is not a new concept in my world. I am also seeking to break into the field of Sign Language interpreting here in Oklahoma. The community of interpreters and Deaf here has recently been waging a war of theology regarding proposed legislation to create a licensure in the interpreting profession.

My Doodle/Sketch Interpretation of Kuhn's Paradigm Shift

2009-04-11T20:42:00.000-07:00

From Kuhn's: The Structure of Scientific Revolutions I have sketched an interpretation of his paradigm shift theory.

I know it is completely off topic, but it is in agreement with my doodling fascination.

YouTube Grows Up and Goes To College

2009-04-01T10:12:00.000-07:00

As an educational institution you can register with youtube's EDU content and start putting your educational content, such as interviews or lectures, online.

Try it out as a user here.

Register here.

If I apply, am I in good company? Directory of Universities is here.

A review on The Chronicle is here.

Reviewing an Old Article of Mine on Associated Content

2009-03-19T07:49:00.000-07:00

Dorm Room Security, Staying Safe While at College
A few tips to keep prying eyes out of your business and keeping your valuables secure.
http://www.associatedcontent.comarticle/261698/dorm_room_security_staying_safe_while.html

SC Magazine Subscription Earns CISSP CPEs

2009-03-04T10:33:00.001-08:00

Visit SC Magazine and click subscribe. Have your CISSP # to earn CPE credits.

Failing Grade or Honors Graduate? How Educational Institutions Use File Integrity Monitoring to Achieve PCI Compliance

2009-03-04T10:21:00.000-08:00

March 11, 2009 11:00 AM Pacific

The number of educational institutions that have suffered a system breach continues to increase. Schools conduct millions of transactions every year, from online tuition pay to cafeteria and bookstore purchases, making them vulnerable to the same electronic break-ins as any major retailer. That's why it is important, and now mandatory, for colleges and universities to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).

To Register

Video Cast: Security Strategies During a Recession

2009-02-28T15:31:00.000-08:00

Security 7: Security Strategies During a Recession
sponsored by Lumension
ABSTRACT: The reduction of security budgets in today's tough economic climate means that IT managers must plan wisely and work to prioritize projects more effectively and efficiently.

Watch this expert videocast and learn more about:

How to work effectively with business and risk managers to create processes that reduce risks and costs

The pitfalls in downsizing security too quickly to reduce costs

Tips for leveraging your current security strategies to reduce the burden on your IT budget

SecuritySearch Article

Site Maintenance

2009-02-25T08:40:00.000-08:00

Sorry this blog went down for a short time. We have moved to a new domain: http://www.freenetworksecurity.info/, but the hosting is still the same. We use Afraid.org for DNS hosting now, but forward to Google's Blogger.

Adobe [Reader] 0-day Exploit Proven

2009-02-19T18:30:00.000-08:00

Shadowserver posted regarding the 0-day exploit and their results including antivirus responses and how to remove the risk from your systems.

Basically:

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

List of Security Conferences

2009-02-10T16:00:00.000-08:00

Education may be your most effective security measure.

ISC^2's Blog just listed a database that tries to include all security conferences.

Contest Entry for Doodle

2009-02-03T16:32:00.000-08:00

I put one of my doodles into a contest, alas, I did not win. The odds were good: 41 submissions and 3 won.

ARIN Wants to Fellowship

2009-02-03T13:58:00.000-08:00

ARIN, the American Registry for Internet Numbers, who has the responsibility for allocating IP addresses to the U.S., announces a Fellowship Program with the goal "to broaden educational outreach and bring new ideas into the public policy discussions."

Membership will be limited and you must apply. A few people from each sector will be chosen and enjoy the trip on them. A list of benefits:

* Free meeting registration
* Round-trip economy class airfare to the meeting, booked directly by ARIN
* Hotel accommodations at the venue hotel, booked directly by ARIN
* A small stipend to cover meals and incidental travel expenses.

How About A Little Salt In Your Irony?

2009-02-02T17:32:00.000-08:00

Today I received a letter destined for the previous owner of my house. It is not my fault he never forwarded his mail. The letter is from BNY Mellon, apparently his investment company, stating that his information may have been compromised because of the loss of a tape. Understandably, "At the time of the incidents, we said there were no indications that the data had been accessed or misused in any way — and that remains the case." They state that they were notified by their tape backup vendor February 2008 - a year ago? The letter is dated August 27, 2008, but I received it today February 2, 2009. The previous owner of my house now has 90 days to request free consumer credit watch service. sigh

Good reason to always encrypt your backups and store the key in a separate location or locations.

Coalescence of Two Ideas

2009-01-29T16:01:00.000-08:00

I have long since lost count of how many good ideas people have to put into operation that I could have had.

One idea I am certain I thought of first was twitter and now even The President does it. sigh I have boycotted them at the moment for stealing my dream, but that may not last. You have to respect a good idea and someone putting it into operation.

Another idea I am certain was ripped from my synapses by an idea-sucking satellite is Field Notes. I have often wanted a graph paper journal of just the perfect size, yet sturdy. While it does not currently do my Getting Things Done work, it does a great job of keeping my food journal - a habit encouraged by Weight Watchers. Yes, men can do WW, too.

The two ideas have now coalesced. Double Grrr.

Google Notebook Cut

2009-01-20T13:50:00.000-08:00

Sadly, Google Notebook, a google tool I only just began using is now being cut.

I am joining those who mourn its passing. Perhaps this is a casualty of the economy?

Search Term Trending

2008-11-12T10:09:00.000-08:00

Search mega-giant Google has established a Flu tracking site that shows the trends of people across the U.S. performing searches on Flu-related terms.

I look forward to the end of this flu season to determine if the data was an accurate reflection of the virus and its spread.

I begin to ponder, for what else could we use this technology?

Aw shucks, the election already passed. That might have been a good test.

Ebay already tracks significant human events like American Idol or sporting events via their operations center using the website activity. If only they knew enough about their own data to use it for something. Scot Wingo's posting is understandably critical of their pricing structure which doesn't seem to benefit. It would be only an academic step to see if consumer purchasing trends might be predictable.

As the recession continues, it would seem Search Term Trending would be an important technology for retailers as they invest in what consumers are up to.

CodeWeavers Gives Out Free Software

2008-10-28T07:43:00.000-07:00

Today only CodeWeavers is giving away their software. Products include CrossOver Mac Pro, CrossOver Games Mac, CrossOver Linux Pro and CrossOver Games Linux. Grab a copy while you can and register for your key.

RIAA Wins Undefended Case

2008-08-28T18:36:00.000-07:00

ARSTechnica's recent article on a p2p case may cause some to reconsider their use of file-sharing networks, but it is more of a case of never defend yourself in court. Although the user went to extremes in destroying the evidence - this is apparently what sprung the trap.

Sign Language at Panera Bread, Inc

2008-08-22T14:35:00.000-07:00

Hanging out at Panera Bread, Inc. enjoying their free wifi I was approached by a person begging for food. This was the second time in 2 weeks that this same person. He handed me a card explaining he was deaf. Thankfully, I know Sign Language.

The first time I asked if he knew Sign Language (not all deaf do).

He answered, "yes."

I asked where he lived.

He spelled, "Motel." He asks for food, but I could not help him.

The second time was today and he again handed me the card and asked for food. Perhaps I am not memorable? Either way I asked him more questions.

"I remember you from last time. Do you know any other deaf?"

"Yes, I am deaf."

Again I asked if he knew any other deaf, but in a different way.

He, unfortunately, just shrugged as if he didn't understand me.

Is he really deaf?

At least I got to practice. :)

TSA's Lost Laptop and Security Professionals

2008-08-06T15:31:00.000-07:00

ISC-squared blog commented today on the recent TSA loss of a laptop, only recently disclosed. While this security professional 'Clear'ly dodged a bullet, this security professional is probably steaming mad.

You cannot assume your information is protected simply because it is in the hands of a government agency who's purpose is your security.

Symantec Blows Its Fortune 500/1000 Trumpet

2008-08-03T12:29:00.000-07:00

A Market Watch article describes Symantec as "provide[r of] ... industry-leading information security solutions, services and support to 99% of 2007 Fortune 500 and Fortune 1000 Corporations."

The article is more focused on the Democratic National Party's choice of security software and barely made it to the dark edges of my news radar, but this statement caught my eye. In today's competitive market companies must take time to carefully toot their horns as they grab for market share, but this statement tweaked my inner sense of political correctness. It wasn't until I read it a couple of more times that I understood.

It reads as if 99% of the companies listed on the 2007 Fortune 500 and 1000 exclusively reach for Symantec products when they have information security needs. Which is a wild aspiration to say the least.

Having been an information security analyst for the better part of a decade and in information technology for over 15 years I would beg to differ. While we do use Symantec products for a narrow band of limited uses we've found them to be bloatware expanding at a rate proportional to the number of viruses and trojans released into the wild. However, there is hope on the horizon for the Ivy-league Software junior cadet. I've heard from at least one reputable source that Symantec is rewriting their cash cow Antivirus to be more optimized and work so vastly different that it will be barely noticeable.

The honest opinion of this humble security analyst is this: I reach for many tools in my profession to get the job done, the least of which has Symantec on the label - but it is present in the toolbox. Whether it stays in the toolbox... time will tell...

Daily Lit: Giving Away the Classics

2008-08-02T15:30:00.000-07:00

DailyLit has come up with a clever way to distribute literature. Daily emails with bite-size chunks of books. The classics are free, but contemporary authors will cost you. Copyright infringement!? Most works are Public Domain, Creative Commons or copyright is maintained.

Couple this website and HearWho and you have a poor man's Audiobook.

Virtual Money: The Uses

2008-07-29T18:11:00.000-07:00

I recently discovered Virtual Money, Inc - a way to store money without a bank. They issue ATM cards that are not attached to a bank. Security is as good as any other ATM card - a PIN is issued. However, most VISA debit or ATM cards can also be used as a credit card, without a PIN. Payment would be accepted at any PoS that accepts ATM Cards for payments.

A nifty idea I thought.

Firefox addons: Google Sync Tanked - Introducing Weave

2008-07-04T09:15:00.000-07:00

I am a big fan of the old Google Browser Sync add-on for firefox, but when I upgraded to Firefox 3.0 I was surprised to find that add-on did not carry forward. Now it is suggested that I move to Mozilla's Weave. I will post again once I check it out.

Cyberspeak Podcast

2008-06-16T09:36:00.000-07:00

Cyberspeak has interesting content lately. Download the last 3 or so and learn about some interesting links and how to get started in cyber forensics. Mac Lockpick's new version for Any computer is discussed as well as USB drive forensics to capture live data. An excellent podcast I've recently added to my short list.

NetSec Podcast: Why I Stopped Listening

2008-02-15T13:43:00.000-08:00

Listening to podcasts have proven useful to me as a replacement for reading the latest magazines or keeping up with the news. Who has time to read? Listening is easier while I work out or drive.

However, my podcast list is trimmed tight. If something has an overall content percentage of good information of 70% or less - it gets cut.

Recently I have cut NetSecPodcast for many different reasons. First it does not contain 70% or more of good information. Mostly Martin spends his time opening a good topic, then agreeing with whatever Rich, his co-host, says. Martin has promised PCI perspectives that are not fully explored. Don't get me wrong: These guys are professionals with lots of good information contained somewhere in their brain, but the podcast does not seem to receive much of it. By way of example, their pet projects are even interesting, but all they do is mention them rather than explain anything step by step. What ever happened to the awesome antenna idea?

Rich has begun to annoy me as well. What sticks in my head is the first time he was on (or close to it) he talked about a lady who works at his local convenient internet cafe. Apparently she asked questions and offered to have him come over and help with her computer problems. Rich laughs it off because there is no way she could afford him in the first place. I'm certain Rich is very expensive due to his experience in the field. He is probably worth it. But I always help when I can. Even my old landlady still calls me. In fact I've done business with her several times since. You never know when those opportunities can pay off. This is a good principle in building your 'social' network that Rich doesn't seem to consider valuable. Manager Tools has great podcasts that show the benefits of being 'generous' with your knowledge, for example, "Building a Network".

While Rich did answer one of my personal questions I sometimes feel I am talking to myself while listening to him. I listen to podcasts for enrichment, not necessarily to confirm what I already know. When I am dealing with a subject I am not familiar with, I often use expressions like 'probably, maybe, most likely, most reasonable' especially when giving advise. I like to make it clear this is not my area and will use these 'uncertain' expressions. However, when discussing a project I should be familiar with I had better be using expressions more similar to 'because of X attack, Y server was compromised and here are the logs which prove that.' I am paid to know these things and would not use the 'uncertain' expressions.

It occurred to me the other day while listening to a podcast (that is still on my list so far) from SC Magazine that Rich, who was being interviewed about a news item, used these 'uncertain' expressions liberally. I am no expert on the topic that was dicussed and would probably have used many 'uncertain' expressions. I am uncertain whether Rich was paid for this interview, but he was brought on to be the expert. If that were the case, wouldn't he 'know?' I was unimpressed to say the least. When I give my analysis it is understood to be a best guess based on my experience or proof that I can show. Perhaps he was not prepared? These guys talk about stepping on and off planes like they go the gym. Understandably you cannot know everything and often there is little time for research. However, I would expect more fact checking on an SC Magazine gig. I am also at peace with asking for his opinion, but he stayed objective - not leaning in any particular direction as to what it could be. "All available data (which was not much) suggest... _blank_" would have been a better way to express the lack of details.

I am certain I will sign up again at some future time when perhaps I have caught up on other podcasts, but for now, they have fallen below the listening line.

Ice Storm Creates New Habitat

2008-01-24T18:55:00.000-08:00

Here in Oklahoma a recent ICE Storm wreaked havoc on many trees in the area causing downed power lines and disrupting public services.

The downed tree limbs have been piled both in residential areas and businesses alike. The city cannot cope with the problem fast enough and these branches are lying around. Stray and domestic animals have taken up shelter as well as may birds and who knows what else.

Are we destroying a new habitat by cleaning up?

MACBOOK Air - Innovation or Sacrifice?

2008-01-22T07:43:00.000-08:00

While the sleek design tempts me and the user interface advances, including an iPhone/iTouch style touch pad mouse and keyboard backlight during low-light conditions, are alluring I will probably put off purchasing a MACBOOK AIR one off for a while. Apple has sacrificed higher-powered options for thinness.

Supposedly designed for the often mobile, it lacks a DVD/CD-ROM drive. The solid-state drive is also a curiosity, but is a hefty add-on at $999 and only gets you 64gb. My 74gb Macbook is perpetually almost full. The external DVD-ROM drive is an additional option at $99. This should be included. Even an ethernet adapter is additional at $29.

The non-existant DVD-ROM may kill this product. Apple take much care in showing how easy it is to share a DVD/CD-ROM drive from another computer, even a PC, however, I can imagine so many instances where another computer is just not available.

By the time I've added just a few options that I would personally consider necessary: the external DVD-ROM, the ethernet adapter, and modem I am already at $2000.

QAST

2008-01-11T15:30:00.000-08:00

I have been learning American Sign Language (ASL) for 5 years. Many friends have encouraged me to invest in learning interpreting the language as well. It has been quite an interesting endeavor. I have become so much more sympathetic to my interpreter friends.

A few weeks ago I passed the written portion - which was not trivial. Today I took the performance portion of the QAST (Quality Assurance Screening Test) (other link) and it was mentally exhausting.

The realms of personal information security, privacy, separation of duties and least privilege are engrained throughout the process. I will know my score probably mid-February.

CISSP CREDENTIAL UPDATE - Recertification Clarification

2008-01-03T10:04:00.000-08:00

As part of their annual newsletter, ISC2 has put out a CREDENTIAL UPDATE clarification.

Computer Network Security Predictions for 2008

2007-12-27T10:53:00.000-08:00

Everyone seems to be making predictions for what is in store in the security field for the next year. Much is not based on any real data. I just hate to be left out, here are mine, without any data.

Good:

Training: Security awareness will be provided on a more widespread basis as the corporate environment is increasingly considering security a priority.

Funding: Should go up slightly and may see a change in the models. Corporate could perhaps benefit from government or vice versa. You get the idea. Either way, we get what we need - maybe not what we want.

State-level: Security awareness at the state level has increased in recent times. I suspect multiple entities attached to state sponsored networks will work collaborate at some point. Perhaps a state-wide intrusion protection system could be implemented? All the attacks seen at a major university: causing widespread blocking influences the state's protection system to also block the same sources, which in turn protects the library systems computers which hadn't even been targeted. We toyed with this idea years ago and have since dropped the ball. I would sure be excited about working on such a system. The benefits are obvious, local, immediate and benefit all interested parties.

Anti-virus software: AV software needs to adapt. The scan'em, tag'em and bag'em approach is slowing the industry down and corporations are slowly realizing it. What direction will it go?

Vista rebirth: I am uncertain whether this goes in the bad or good pile, but I will be positive and opt for good. Vista needs to follow OS/2 - (who?). I loved OS/2 and was sad to see it go. I cannot say that for Vista, but it does need to go. Every time I meet a new person and they find out I am a computer security professional they do not get much further than 'computer' and ask me how to remove Vista and go back to XP. Is there a way? Mostly I tell them to return the computer and have it removed - I like the approach that costs the retailers more money rather than the customer. I gave Vista a huge college try and I just hate it. Often I find myself on a friend's computer trying to solve some problem and I get the college-dorm room feel: nothing is where I left it. Where did my roommate put the network settings? Did you wear my control panel last?

Bad:

Hacking for money has been around for a while - this is the year it will get national, if not global, attention.

Hacking groups, which already resemble mafia-style organizations, will evolve and eat the host the feeds them. In other words, mafia supported hacking groups will become hacking groups that support the mafia. They will graduate to a major source of funding for the mafia in the very least.

Voting associated hacking attacks will more than double and could cause a major state or region-wide incident.

Gall Bladder Issues

2007-12-20T13:12:00.000-08:00

My gall bladder issues seem to be over. I've had the little critter removed. The serious pain occasionally was a big motivator. Some things I learned about the experience is having the operation at a surgical center, instead of a hospital, saved a lot of money. The staff was exemplary. It seems my last gall bladder attack the weekend before the operation caused it to be inflamed and complicated the surgery slightly.

Vista Service Pack 1 Whitepaper

2007-12-18T07:53:00.000-08:00

White paper for Vista Service Pack 1 - I have heard there are over 300 fixes.

I would wonder if it includes a reversion back to XP since that is the most requested change I have been hearing.

Who Will Shovel The Snow?

2007-12-07T11:38:00.000-08:00

Recently, KSTP.com - a Minnesota news station - reported there are many calls coming into the city asking for snow removal. The reason there is so much snow to be shoveled: Foreclosures. The city charges to remove snow, but who gets the bill? Deservedly so, the bank that foreclosed on their customers.

I wonder if the bank would somehow try to line item that on the victim of the bad loan.

News Commentary on "Hacker finds 492,000 unprotected Oracle, SQL database servers"

2007-11-19T11:17:00.000-08:00

Hacker finds 492,000 unprotected Oracle, SQL database servers by ZDNet's Ryan Naraine -- A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.

Not having verified any kind of similar results and not being able to look at his results I cannot dispute what he found. However, I'm finding it difficult to believe that he picked 1.1 million IP addresses 'at random' and then of these, almost 32% were active open MS SQL servers. Some of this other statistics I'm also finding hard to swallow.

Not having verified the results, I can only give my option: FUD (Fear Uncertainty and Doubt), possibly with the goal of selling his products.

XBOX Is Now 5 Years Old, Hackers Celebrate In Their Special Way

2007-11-14T15:51:00.000-08:00

Today, the 5 year anniversary of the Xbox, the University was attacked with UDP floods to the ports used by XBox Live - port 3074.

Thanks to our forensic specialist for showing a text dump of the packets, which revealed:

····X-R own you
*****!··········
················
················
················
················
············X-R
own you *****!··
················
················
················
················
················
····X-R own you
*****!··········
················

Replace ***** with the derogatory term normally reserved for female canines.

Walmart And Google Bring Linux To The Masses

2007-11-04T05:10:00.000-08:00

I would have never imagined I would be tying in a title like that. Google and Walmart have indeed put together an Operating System called gOS and are selling it on a computer for less than $200. Personally I am looking forward to those who have never owned a computer before to begin this journey on a Linux-based distribution, however, I fear the backlash when they attempt to put in a their favorite Windows program and it will not install.

I can only wonder what security is included: iptables as a firewall? SECLinux? Automatic updating?

In the near future I may download a copy and write up a review.

Network Security Podcast Available

2007-11-02T06:51:00.000-07:00

New podcast from Martin's site which you can download here.

Topics I found interesting:

Glenn Flieshman from TIDBITS and WI-FI Networking News is interviewed about Apple's new O/S Leopard. Leopard isn't as secure out of the box as its predecessor, Tiger.

As a new MAC user I am personally interested in this topic.

Don't use back to my MAC due to uncertain (if any) expiration of the kerberos ticket.

Be wary of the firewall's Allow-All default and recheck your settings after an upgrade.

Expect some fixes coming out in the immediate future.

ISC-Squared Changes Their CPE Requirements

2007-11-02T06:40:00.001-07:00

Security certification organization ISC-squared has adjusted their CPE requirements. Any who do not comply will suffer the "Suspension" rules.

From a recent email to members:

CISSP - CISSPs must earn and submit a total of 120 CPEs by the end of their three-year certification cycle. With the new changes, a minimum of 20 CPEs must be earned and posted and the US$85 AMF paid during each year of the three-year certification cycle before the anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted
toward the annual minimum CPEs required for the CISSP.

SSCP - SSCPs must earn and submit a total of 60 CPEs by the end of their three-year certification cycle. Under the new requirements, a minimum of 10 CPEs must be posted and the US$65 AMF paid during each year of the three-year certification cycle before the anniversary date.

CAP - CAPs must earn and submit a total of 60 CPEs by the end of the three-year certification cycle. Under the new rules, a minimum of 10 CPEs must be posted and US$65 paid during each year of the three-year certification cycle before the anniversary date.

Review: JkDefrag v3.26

2007-10-27T11:32:00.000-07:00

It is such a joy when I find great tools out in the public domain. Recently I discovered JkDefrag v3.26 - a tool for defragging your harddisks. It comes with a commandline version as well as screen saver and gui versions. This great program is free for the download and doesn't even contain an install program - which is great for booting from a thumb drive and running it. The screen saver version can start up a different screen saver when it completes, for those who don't want to give up a beloved other screen saver.

TSA Contactor Employee's Laptop Stolen

2007-10-26T16:31:00.000-07:00

The personal data including social security numbers of 3,930 people are now compromised due to a Transportation Security Administration Contactor Employee's laptop being stolen.

The contractor has supplied each employee with 1 year of identify theft protection. Is this enough? Laughably, no.

Certainly the 3,930 people should be protected, but what other implications exist?

Do these thieves know the value of this information? Could the routes, dates and location of all hazardous cargo in the US be useful to others? Certainly and in more ways than just terrorism.

SC Magazine article.

SC Magazine Podcast Oct 23rd, 2007

2007-10-23T17:27:00.000-07:00

The SC Magazine Podcast for this week is available. I'm trying to imbed this into this post for the convenience of the readers. If this doesn't work I'll try to repost another way.

This week's topic is appropriate since I've personally noted the increase in spam and a new tactic - using voices ala sound file.

You can always subscribe to this podcast through itunes.

You can download this particular podcast here.

Network Security Podcast Available

2007-10-19T11:16:00.000-07:00

The latest Network Security Podcast is available.

Much on Apple's new Leopard OS - a topic near and dear to my heart since I am a new Apple convert. I recently acquired (via my employer) a MacBook and have been acclimating to the experience.

Rich presents a great overview of some of the new security features. Personally I'm looking forward to the integration of contacts with mapping (google or yahoo). He also comments on recent iPhone exploits.

Not listed on the show notes is Martin introducing us to the Payment Card Industry standard standard as an SLA.

Decent production quality. Seems Rich is on the good end this time and poor Martin is stuck in a tunnel?

Gall Bladder Issues

2007-10-19T10:59:00.000-07:00

Looks like I will be getting my gall bladder removed Monday morning, October 22. Once I have completed the article about the experience I will submit it to my AC page.

SC Magazine Podcast Available: The year in Phishing

2007-10-19T10:53:00.000-07:00

The latest SC Magazine Podcast is available. David Ulevitch, OpenDNS & PhishTank CEO, criticizes Internet Service Providers for allowing their customers to become victims of botnets and thereby allowing them to send out phishing emails. PhishTank provides data for locating and squashing phishing data.

Production quality is low, as is typical for SC Magazine podcasts. Popping and static are free! I feel like I'm at Sonic ordering a burger. I wish I could! :)

Tulsa, Oklahoma Event

2007-10-16T14:44:00.000-07:00

Ziff Davis Media and APC Cordially Invite You to a Live Data Center Tour and Showcase Dinner

Tuesday, October 23, 2007
Tulsa, OK

EVENT DETAILS:
Check in:
5:00 PM
Tour and Discussion:
5:00 PM - 6:30 PM
Showcase Dinner:
6:30 PM

LOCATION DETAILS:
Cimarex
15 East 5th Street, Ste. 1100
Tulsa, OK 74103

To register please call 1.888.215.4542 or email events@ziffdavis.com and reference event # 7206.

Register here.

Network Security Podcast Available

2007-10-10T12:05:00.000-07:00

Network Security Podcast is available.

Topics this week:
Show Notes:

* Microsoft AutoRuns
* PGP Flaw not really a flaw at all
o Securosis: Slashdot bias and much ado about nothing PGP encryption issue
o Slashdot: Undocumented bypass in PGP whole disk encryption
o Securology: PGP whole disk encryption - barely acknowledged intentional bypass
* Retailers vs. PCI
o Securosis: Retailers btch slap PCI Security Standards Council
o Techtarget: National Retail Federation takes aim at PCI DSS Council
o SC Magazine: Retail Lobby offers alternative to PCI standards
o Network Security Blog: Merchants mad about credit card retention
* iPhone Jailbreak (missed the link on this one)
o Suit against Apple for bricking iPhones
* Six tick to Midnight: One plausible journey from here to a total surveillance society
o Tech Liberation Front
o Onstar to stop supports
* RSA Speaking on Security interviews Shon Harris and I get a mention too.
* CIO.com: Hacker Economics 1: Malware as a service
* Tonight's Music: The Moon is Full by Albert Colins, Johny Copeland and Robert Cray

Network Security Podcast Available:

2007-10-10T12:00:00.000-07:00

Network Security Podcast is available. Sorry for the late post on this. It has been a busy week for me.

Show Notes:

* Microsoft's Stealth Update
o Brian Kreb's Security Fix
o Rich: Lessons on Software Updates: Microsoft and Apple Both Muck it Up

* Interview with a convicted hacker: Robert Moor tells how he broke into routers and stole VoIP service.

* FUD and SCADA or Oh FUD
o DevCentral: Sometimes, even the experts are wrong. (M: I think he means me.)
o Rich: Yes, Hackers can take down the power grid. Maybe.
o Schneier: Staged attack causes generator to self-destruct

* Gap losses 800,000 records

* PCI is a TLA
o PCI Security Standards Council
o PCI DSS Compliance Demystified
o PCI Standards Group on Yahoo
o TrustWave
* Tonight's Music: On a podcast by Cruisebox

SC Magazine Podcast Available: What Are Your Plans for Cyber Security Awareness Month?

2007-10-09T16:20:00.000-07:00

Washkuch interviews Tim Bennett, president of Cyber Security Industry Alliance about the Cyber Security Awareness Month coming up.

Is organized crime really taking over hacking?

Download the podcast.

Tulsa Tech Fest

2007-10-05T08:02:00.000-07:00

Although I have already committed to another appointment on those days, Tulsa Tech Fest would have been on my todo list. I hope someone is able to check it out and report back.

During the conference, you can enjoy:

• 16 simultaneous tracks with lectures by local, regional, and national experts
• Free lunch on Friday and Saturday and snacks throughout both days
• Tulsa Techfest Raffles including a laptop and desktop computer, free tech training for CISSP and MCSE certifications, and much more
• You can also earn CPE credits for (ISC)2’s CISSP, CLEET Law Enforcement (pending), CISA (pending)

Speaker Spotlight: Peiter Zatko, better known as Mudge, the hacker who testified to the Senate that he could "take the Internet down in 30 minutes", has been a pioneer of the commercial information security and warfare sector since the 1980s. The leader of the hacker think-tank "L0pht", he founded @stake and Intrusic and currently works as a Division Scientist for BBN Technologies (the company that designed and built the Internet).

Book: Making Things Talk

2007-10-03T10:24:00.000-07:00

Recently added to my book wishlist, Making Things Talk: Practical Methods for Connecting Physical Objects has many security implications. If do-it-yourself projects could communicate then they may also be remotely alterable or modified to perform other tasks both positive and negative. Either way, it is an intriguing concept for those who fancy them tinkerers or inventors.

The publisher's site and a recent review by Daniel Terdiman on his geek culture blog.

SC Magazine Podcast Available: IT-ISAC officials speak out on cybercrime trends

2007-10-01T12:33:00.000-07:00

The latest episode of the SC Magazine Podcast is Available Here for download.

This week Frank Washkuch interviews executives with IT-ISAC, Information Technology - Information Sharing and Analysis Center, a membership-oriented, community-based organization with a mission to share information about electronic threats. IT-ISAC executive director, Scott Algeier, and IT-ISAC treasurer, Rob Clyde, answer Frank's questions.

Sample of questions asked: How does IT-ISAC work with the US Government? What are the most pressing security trends?

Production quality is still low. Frank really needs a new mic or to lower the gain on his current mic.

Label Your Servers Properly

2007-10-01T11:55:00.000-07:00

A recent networking outage was caused by improperly labeling a server. Hardware managers or operations center personnel often do not know or think to see if a server is down before unplugging it. Even a planned outage of a back server can cause a severe outage if the primary/backups are mislabeled. Take the time to properly label and regularly inspect printed labels on the front of servers or operations center equipment as a measure to reduce downtime.

Many inexpensive products will do the trick, this is one I own.

User of Ebay Forums Posted Credit Card Information

2007-09-26T10:08:00.000-07:00

Someone posted massive amounts of credit card information belonging to ebay users. The extent of the damage is still being assessed and ebay has removed the forums from public view. Someone posted a YouTube video that shows someone looking at the posts before it was taken offline.

Ubuntu for Windows Users

2007-09-26T09:37:00.001-07:00

Found a Great Article with a goal of getting people who are hooked on Microsoft Office Products moved into production on Ubuntu - the easy to install and run linux. Great job Eric!

Recycle / Repurpose Old Hardware

2007-09-26T09:29:00.001-07:00

A great way to save money on hardware is to recycle/repurpose it for other uses. Lifehacker put together a nice collection, top 10 in fact, of ways to accomplish this.

Personally I repurposed an old box as a personal webserver and am quite happy with it.

Network Security Podcast Available: Episode 78

2007-09-25T20:51:00.000-07:00

Network Security Podcast Episode 78 is available. This podcast includes the following topics:

# Rich's blog entry on TD Ameritrade
# Hacking Sermo.com, the social network for doctors parts 1 & 2
# Brian Krebs: Is Cyber crime really the FBI's #3 priority?
# PCI Extends its reach to application security
# Tonight's music: Dragons by The Switch

This podcast also includes: a personal lesson in why to neuter cats, Martin gets a job - Yeah Martin! - and not too far from my location. I've driven there to ski as well as attend events and training.

Halo 3's impact on the security world - mainly a notable pause in the world's hacking activity due to Halo 3's release.

Home network ideas.

Rich and Martin were also kind enough to respond to my query about blogging using your real name. Thanks Guys!

TD Ameritrade criticism.

A segway into privacy and the security round table discussion.

Cybercrime is 3rd on top 10 priority list and not getting a matching budget.

Welcome to the c level (formerly talking to the suits) speaking in terms of making security priorities business priorities. I'm starting to like this segment a lot.

Production quality was excellent as always.

Security Round Table Podcast Available

2007-09-25T18:11:00.000-07:00

The next Security Round Table Podcast addresses privacy. Tune in by downloading the mp3 or iTunes.

SC Magazine Podcast Available: TD Ameritrade Commentary

2007-09-25T17:52:00.000-07:00

SC Magazine online editor Frank Washkuch interviews Rich Sutton, directory 8e6 Labs about the TD Ameritrade data breach and what we should do about it.

I enjoyed the reasoning and conjecture on just how such a breach was accomplished. Their conclusion: an insider. After listening to the podcast, I'd have to agree.

It was suggested in this podcast that one could present this as a case in presentations or proposals for security budgets - an interesting short segway given my question just recently posted to Rich Mogull on Martin McKeay's Network Security Podcast.

The production quality of this podcast is par for SC Magazine's usual - weezy microphone at 100 yards?

Getting Things Done (GTD) System Inventor Speaks Publicly in a Short video

2007-09-24T08:13:00.000-07:00

David Allen, inventor of the Getting Things Done (GTD) - a system of managing time and tasks (stuff) that I use personally, gives us a <5 minute preview of what it is all about.

Check the video out, then do your research. Many have taken his system and altered it to suit their needs - which is encouraged.

Full Video

Podcast Available from Network Security

2007-09-19T13:25:00.000-07:00

Martin McKeay's new Podcast for this week is available.

Both Martin and Rich Mogull, now a permanent fixture in the tag team, get a little wordy (and they know it), but they do make a good team and I enjoy the balance. It might be slightly better for a good co-host to have divergent opinions. These two are in too much agreement. :)

Naturally they did an awesome job responding to my query regarding proving ROI with calculated risk. Excellent points! Thanks guys!

Good review of the news:

The Ameritrade Disclosure, 6 million customers hit with spam, and their opinions as to its disclosure - was it preemptive?

Introducing Security Mike's Guide to Internet Security - a man with the heart of a teacher. Well in line with the mission of this blog, to provide the means for inexpensive security practices.

Rich's FileVault problems - I am nearly a MAC convert - co-workers have long said I should make the plunge. This story is not good news for me. :( But, this may not stop my attempt to go MAC some day.

The Tor madness seems to me the risk you accept when running something that allows others to take advantage of you. You won't find me running a tor server, nor using it. Although Rich's idea of using it to do security research intrigued me for a time. I doubt I ever will. What would someone uncover about me? The fact that I do security research? duh.

Divorce + Technology = bad? Naturally, divorce + anything = bad! I have to go with Dave Ramsey's, friend I forget his name, who says that divorce turns marriage into a 'business transaction,' but I would add the word hostile to 'business transaction.'

I hope the Denver trip works out well for Martin, that isn't but a short drive from here - one I have made a few times. I enjoy Denver every time I go whether it is skiing or a business meeting. I would consider working (skiing) there myself. :)

Production quality on this podcast was the best yet - even far off Rich sounded great.

SC Magazine Podcast Available: Businesses face a new threat from employee Skype use

2007-09-18T15:50:00.000-07:00

SC Magazine's latest Podcast is available for download. This week is an interview with Irwin Lazar, principal analyst and program director for collaboration and convergence at Nemertes Research. They speak about the recent Skype worm and whether this is a real threat to the Enterprise because of skype use on the campus. Do malware-writers seek to exploit companies whose employees use the Instant Messaging (IM) or Voice over IP (VoIP) application? Naturally they will try anything, but is this an indication of things to come?

Includes an honest opinion of Skype and its future both in the enterprise and home use.

Network Security Podcast Available For This Week

2007-09-12T09:31:00.000-07:00

Martin McKeay, now with permanent(?) co-host Rich Mogull, have completed this week's volume of the Network Security Podcast.

This week's line up includes: fighting viruses with your USB Drive - keeping a tool in your pocket for those emergency uses of public (assumed infected) computers, customizing google to force gmail to use SSL at all time, the Indian government forcing public computers to install keyloggers (feel free to cringe on that one), a nice intro to Data Loss (Leak) Prevention tools and techniques and a new segment on interfacing with the business people (suits) regarding Return on Investment (ROI). While I don't agree 100% on everything I enjoy hearing what others in the industry have to say on these matters.

A great episode with some nice commentary.

I'll hold my opinion on the new tag team for a few more episodes - let's see how well it works.

ROI for network security is more tangible than Rich and Martin suggest. We need look no further than the billions paid for data leaks in the news. Crunching this down to dollars is more granular than a SWAG by converting it to risk. Suits 'usually' understand risk. I actually enjoy the deer in the headlights look you get when you mention the compromises and data leaks in the media.

The production quality of this episode is par for Martin's earlier podcasts. Although Rich is obviously via phone of some sort (skype?) the production quality is excellent as always.

Podcast Available: Bank of India Website Hacked

2007-09-10T12:35:00.000-07:00

SC Magazine's Podcast Available

Bank of India's Website was hacked. What does this mean for the rest of the world?

Sunbelt Software CEO Alex Eckelberry talks about how it may have been accomplished and what we can learn from this. Russian Business Network (RBN) - a hacking gang - seem to be the culprits.

Editor's Note: This podcast's production quality is highly improved from previous SC Magazine podcasts. I also don't care for his negative viewpoint of educational institutions (poorly coded, open source and unpatched systems) as if financial institutions would never have such problems. Such a discussion is beyond the scope of this presentation unless they can prove this hack resulted from such a location.

Twitter - What Are The Security Implications?

2007-09-07T18:45:00.001-07:00

Twitter.com is a site born out of the social networking phenomenon that allows you to waste even more time updating everyone else about your favorite subject: you. How? It allows you to easily update everyone who 'follows' you to know what you are doing. You send an text message to a special number to let everyone know what you are doing and the 'followers' will get that update. Naturally it has the same purpose as all other social networking sites: to keep in touch with others.

Stalking is the first security problem that comes to my mind. "Who 'follows' my 16 year old?" - any sane father's first question.

Other nefarious purposes come to mind: drug dealers broadcasting out their locations for their clients. You can easily expand this to other avenues of criminal activity: pornography, scamming, even scalping tickets.

AOL Changes Their Free Anti-Virus Software

2007-09-07T18:31:00.000-07:00

If you have an AOL email address and need anti-virus, anti-spyware or firewall software, download the free suite from AOL. I'd appreciate a review from someone who used their older version so they can say what has changed in the new suite.

Network Security Podcast Available:

2007-09-06T15:10:00.001-07:00

New Podcast Available from Martin McKeay details include point of sales (POS) vulnerabilities and the CISSP exam - does it work? Comparing CISSP and GSEC certifications. And more from Winn Shwartau and InfowarCon 2007.

SC Magazine Podcast Available: How an all-volunteer security organization helps to keep the bad guys in check

2007-09-06T15:05:00.000-07:00

New Podcast Available: Frank Washkuch, online editor and reporter, sits down with Andre DiMino, co-founder and director of the Shadowserver Foundation. Andre talks about fresh intelligence his all-volunteer group has gathered on botnets and other recent attack trends.

See the Shadow Server Foundation for more information on this foundation and their volunteer work.

Moving From Windows to Linux - Things to Consider

2007-09-05T05:28:00.000-07:00

Considering moving from Windows to Linux for a destktop/laptop operating environment? A computerworld article makes some suggestions.

Do Websites Need a Publicist?

2007-09-01T20:07:00.000-07:00

When Princess Diana stepped out of any building she was overwhelmed with Paparazzi - hot-headed opportunists searching for any scrap of data to publish with the goal of making a buck (or less). From the celebrities’ point of view, some media coverage is welcome and planned, but others are not. Hired According to Wikipedia.org Publicists are given the responsibility to provide the bridge between media and celebrities.
It occurs to me that this is much like setting up a public website. If you setup a website (or any computer) on any public network, such as Internet, you have only minutes to wait until your system is inundated with unwanted traffic – often drones belonging to script kiddies. Some traffic is welcome such as that from search engines or similar indexing services while the unwanted drones poke away at every nook and cranny of every file on your site for any scrap of useful information and/or exploitable vulnerability.
Do our websites, servers or any computer we setup require publicists? Could we see this as a new service emerging on the hosting market?
Along with that domain name, will hosting services (agents) provide publicity (search engine submission) for your website (celebrity) while fending off the annoyance of paparazzi (spam)?
Given the pattern of the times is to copy and proliferate to the maximum the market will bear, some see even publicists as a plague.

Monitoring Your Network Core: Part I: Arp Cache Data For Forensics?

2007-08-30T17:52:00.000-07:00

Monitoring Your Core Network with an Arp Cache Database

I work on the campus of a major U.S. university. Our ‘open door’ network demands that we allow unknown entities on our campus - leaving our security posture weak at best. One way we combat this is to be able to produce forensic data about who is on our network and over what period of time. The method we use yields a mountain of valuable data, not only for the forensic purposes originally designed, but also usage and growth data. I am pleased to present this first in a multi-part serious of articles on how we accomplish this as well as the benefits.

The first goal in any network is to know who is on your network. No doubt your network is probably diverse with many departments often purchasing their own equipment. Even if you have policies against such things you may often suffer because someone at sometime in the past purchased a non-standard piece of equipment. This unfortunately always results in a non-heterogeneous network design. The first step then would be to control your CORE. This would be the primary switches or routers that all networks in all departments receive their network services. This CORE set of network nodes will be the primary concentration point of this paper and will henceforth, be know as the core. Likely, your core is at least homogenous. If that is the case, it will work.

Begin by determining the brand and type and how this relates to its SNMP query to obtain the ARP cache. For the sake of brevity, I cannot list all vendors and their SNMP OIDs. I’ll focus on one single vendor and type and show you how the logic is developed. From there you should be able to make any modifications desired.

Linux has a great package available which includes the necessary utilities you’ll need.

For Redhat users this would be the package titled: net-snmp-utils. For the purpose of this article I would also assume you have a network connection with all appropriate access to these core switches, root access to the Linux host, a mysql server up and running with a database schema provided later. Mysql server 4.1 or higher is suggested because of the specific command needed to provide database updating. INSERT … ON DUPLICATE KEY UPDATE is the specific command needed.

This will create the necessary table. I’ll assume you are using the database named arpcache for the rest of this paper.


CREATE TABLE `arp` (
`id` bigint(20) NOT NULL auto_increment,
`sourceip` varchar(12) default NULL,
`ipaddress` varchar(12) default NULL,
`macaddress` varchar(12) default NULL,
`arp` varchar(24) default NULL,
`firstseen` datetime default NULL,
`lastseen` datetime default NULL,
PRIMARY KEY  (`id`),
UNIQUE KEY `arp` (`arp`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Create a directory from which we can work and move to that directory.


mkdir -p /var/data/arpcache
cd /var/data/arpcache

Create a file with the IP addresses of all the core switches that we will poll. If you have multiple vendors that will not respond to the same SNMP commands, create multiple files. Name them appropriately.


cat > core.dat
10.0.0.1
10.0.0.2
10.0.0.3

Anytime you change your core design you will need to edit this file. Comment out any changes by starting the line with ‘#’ to denote a comment line. These lines will be skipped.

Create a temporary directory underneath your arpcache directory.


mkdir –p /var/data/arpcache/tmp

Create a bash command file to do all the work, which I will annotate with each line.


vi arpdownload.sh

And enter the following lines:


#!/bin/bash
#
# arpdownload.sh written by lmj http://freenetworksecurity.blogspot.com
#
#
# SETUP SOME VARIABLES
#
TMP="/var/data/arpcache/tmp"
CORE="/var/data/core.dat"
LOCKFILE="/var/lock/arpdownload.lock"
OUTPUT=$TMP/mysql.in
#
# Keeps the cron’d process from running over itself.
#
if [ -f $LOCKFILE ]; then
echo "Lockfile exists "$LOCKFILE
else
#
touch $LOCKFILE
#
# remove any stale data
#
[ -f $OUTPUT ] && rm –f $OUTPUT
#
# primary loop
#
for core in `cat $CORE | grep –v "^#"`
do
# ping the switch first to save time
ping –w 2 –q –c 1 $core > /dev/null 2>&1
if [ $? –eq 0 ]; then
# we will need this variable later.
export core0=`echo $core | awk -F'.' '{printf "%03d%03d%03d%03d\n",$1,$2,$3,$4}'`
# ping was successful, poll for data
#
snmpwalk $i -v 2c -c community_string at.atTable.atEntry.atPhysAddress | grep "Hex-STRING" > $TMP/$core.1

Note: substitute "community_string" with your real one.

The goal of this command it to produce some output we can massage to get exactly what we want. I piped it through a command to only pull out the lines I care about. My output looks like this at this point:


RFC1213-MIB::atPhysAddress.1.1.127.0.0.11 = Hex-STRING: 00 00 11 00 00 00
RFC1213-MIB::atPhysAddress.1.1.127.0.0.22 = Hex-STRING: 00 00 22 00 00 00
RFC1213-MIB::atPhysAddress.3.1.192.168.1.9 = Hex-STRING: 00 0B DB 87 84 E8
RFC1213-MIB::atPhysAddress.3.1.192.168.1.10 = Hex-STRING: 00 0D 92 B8 9C EA
RFC1213-MIB::atPhysAddress.3.1.192.168.1.20 = Hex-STRING: 00 B2 1F 6F 26 18

Your mileage may vary and you may need to add more grep pipes to isolate out only the lines you need to process. Still this output is not perfect, so we continue…


awk '{print $1"."$4"."$5"."$6"."$7"."$8"."$9}' $TMP/$core.1 > $TMP/$core.2

Now our output is slightly modified, but we aren’t even close to done…


RFC1213-MIB::atPhysAddress.1.1.127.0.0.11.00.00.11.00.00.00
RFC1213-MIB::atPhysAddress.1.1.127.0.0.22.00.00.22.00.00.00
RFC1213-MIB::atPhysAddress.3.1.192.168.1.9.00.0B.DB.87.84.E8
RFC1213-MIB::atPhysAddress.3.1.192.168.1.10.00.0D.92.B8.9C.EA
RFC1213-MIB::atPhysAddress.3.1.192.168.1.20.00.B2.1F.6F.26.18


tr "[A-F]" "[a-f]" < $TMP/$core.2 > $TMP/$core.3

Output is modified, but still not done…


Rfc1213-MIb::atPhysaddress.1.1.127.0.0.11.00.00.11.00.00.00
Rfc1213-MIb::atPhysaddress.1.1.127.0.0.22.00.00.22.00.00.00
Rfc1213-MIb::atPhysaddress.3.1.192.168.1.9.00.0b.db.87.84.e8
Rfc1213-MIb::atPhysaddress.3.1.192.168.1.10.00.0d.92.b8.9c.ea
Rfc1213-MIb::atPhysaddress.3.1.192.168.1.20.00.b2.1f.6f.26.18


tr "." " " < $TMP/$core.3 > $TMP/$core.4

Better, but still not done.


Rfc1213-MIb::atPhysaddress 1 1 127 0 0 11 00 00 11 00 00 00
Rfc1213-MIb::atPhysaddress 1 1 127 0 0 22 00 00 22 00 00 00
Rfc1213-MIb::atPhysaddress 3 1 192 168 1 9 00 0b db 87 84 e8
Rfc1213-MIb::atPhysaddress 3 1 192 168 1 10 00 0d 92 b8 9c ea
Rfc1213-MIb::atPhysaddress 3 1 192 168 1 20 00 b2 1f 6f 26 18

… and now all our variable we want are primed for the picking… We might also create our SQL input.


awk '{printf "INSERT DELAYED INTO arp SET id=NULL,sourceip=\"%s\",ipaddress=\"%03d%03d%03d%03d\",macaddress=\"%s%s%s%s%s%s\",arp=\"%03d%03d%03d%03d%s%s%s%s%s%s\",firstseen=NOW(),lastseen=NOW() ON DUPLICATE KEY UPDATE lastseen=NOW();\n", ENVIRON["core0"], $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $4, $5, $6, $7, $8,
$9, $10, $11, $12, $13}' $TMP/$core.4 >$TMP/$core.5

This will produce output like the following:


INSERT DELAYED INTO arp SET id=NULL,sourceip="010000000001",ipaddress="127000000011",macaddress="000011000000",arp="127000000011000011000000",firstseen=NOW(),lastseen=NOW() ON DUPLICATE KEY UPDATE lastseen=NOW();

Perfect for our purposes. Let’s copy this file to the output file.


cat $TMP/$core.5 >> $OUTPUT

# import the data into mysql
mysql arpcache < $OUTPUT else  echo “Could not reach “$core done # end of arpdownload.sh

Running this in a cron job every 5 to 10 minutes will give you a running snapshot of who is on your network. Type "crontab -e" as root and enter an entry like the following:


# download the arp cache from the routers every 5 minutes
0-59/5 * * * * /var/data/arpcache/arpdownload.sh

What kind of data will this yield? One could be curious about a particular IP address. Who, over time, has used this IP address (the original forensic purpose)?


mysql arpcache -e "SELECT macaddress,firstseen,lastseen FROM arp WHERE ipaddress='192168161052'"


+--------------+---------------------+---------------------+
| macaddress   | firstseen           | lastseen            | +--------------+---------------------+---------------------+
| 000dxxx596de | 2006-12-15 13:25:32 | 2006-12-15 17:30:38 |
| 000dxxxda7c4 | 2006-08-25 11:26:18 | 2006-12-09 21:40:27 |
| 0014xxxfd5f7 | 2007-01-22 12:45:36 | 2007-04-30 18:15:44 |
| 0003xxx41dfc | 2007-05-11 16:10:37 | 2007-05-11 20:05:33 | +--------------+---------------------+---------------------+

Want to know where a particular host has been?


mysql arpcache -e "SELECT ipaddress,firstseen,lastseen FROM arp WHERE macaddress='000dxxx596de'"


+--------------+---------------------+---------------------+
| ipaddress    | firstseen           | lastseen
+--------------+---------------------+---------------------+
| 192168161052 | 2006-12-15 13:25:32 | 2006-12-15 17:30:38 |
| 010xxx019155 | 2006-12-10 18:30:12 | 2006-12-11 01:25:09 |
| 010xxx016107 | 2006-11-28 16:30:14 | 2006-11-28 22:45:10 |
| 010xxx027222 | 2006-09-29 13:20:10 | 2006-09-29 19:05:09 |
| 010xxx029224 | 2007-01-23 10:25:08 | 2007-01-23 15:45:10 |
| 010xxx031227 | 2007-01-25 10:25:10 | 2007-01-25 15:45:11 |
| 010xxx027184 | 2007-02-08 10:35:10 | 2007-02-08 14:30:12 |
| 010xxx023146 | 2007-04-24 10:45:09 | 2007-04-24 14:45:11 |
| 010xxx018169 | 2007-05-08 08:00:11 | 2007-05-08 16:15:11 |
| 010xxx030178 | 2007-06-04 10:25:10 | 2007-06-08 14:25:10 | +--------------+---------------------+---------------------+

How many were potentially on at a given point, remove the COUNT() if you want to know who they were.


mysql arpcache -e "SELECT count(macaddress) FROM arp WHERE lastseen > '2007-04-15' AND firstseen < '2007-04-15'"


+-------------------+
| count(macaddress) |
+-------------------+
|             23849 |
+-------------------+

Because of the nature of the specific INSERT statement explained above this database should be self optimizing. It will only insert records when a particular IP ADDRESS and MAC ADDRESS relationship change. On to an advanced topic… How can we use this data to protect us against attacks that specifically use ARP poisoning to capture traffic? Specifically the NetSniff Trojan? (READ MORE)

With some slight modification of our original script we can include a simple check to see if any single mac addresses are hording multiple ip addresses. Inside the loop above insert the following line, after the "tr "." " " < $TMP/$core.3 > $TMP/$core.4" line:


awk '{printf "%03d%03d%03d%03d %s%s%s%s%s%s\n",$4,$5,$6,$7,$8,$9,$10,$11,$12,$13}' $TMP/$core.4 > $TMP/$core.check

This stores relevant data into a separate file called $core.check which we will deal with at the end of the file.

Now add this at the end of the file:


cat $TMP/*.check > $TMP/check.all
/var/data/arpcache/check.sh $TMP/check.all > $TMP/email.txt
if [ -s $TMP/email.txt ]; then
rm -f $TMP/email-ad.tmp
echo "SUBJECT: ARP Download Report” >> $TMP/email-ad.tmp
echo "Content-type: text/plain" >> $TMP/email-ad.tmp
echo >> $TMP/email-ad.tmp
echo "" >> $TMP/email-ad.tmp
echo "ARP Cache retrieval report:" >> $TMP/email-ad.tmp
echo "" >> $TMP/email-ad.tmp
echo "" >> $TMP/email-ad.tmp
cat $TMP/email.txt >> $TMP/email-ad.tmp
/usr/sbin/sendmail -r security@example.edu security@example.edu < $TMP/email-ad.tmp fi

Notice we are calling an external script /var/data/arpcache/check.sh, which is here:


#!/bin/bash
# Check for duplicate MACS
#
TMP=/var/data/arpcache/tmp
#
# MAC addresses that we know about that take up multiple MAC addresses
# such as firewalls, vpn concentrators, modempools, etc, one per line
# these mac addresses would be in this format:
# 0000xxx7ac04
# 0000xxx7ac07
# 0000xxx7ac0a
# 0000xxx7acff
WHITELIST=/var/data/arpcache/check.whitelist
#
CHECKFILE=$1
#
# threshold of how many macs an IP can legally have before we alert
#
LIMIT=20
let LIMIT=$LIMIT-1

if [ -f $CHECKFILE ]; then
sort -k 2 -k 1 < $CHECKFILE > $CHECKFILE.1
awk '{print $2}' $CHECKFILE.1 | sort -u > $CHECKFILE.2
grep -v -f $WHITELIST $CHECKFILE.2 > $CHECKFILE.3
mv -f $CHECKFILE.3 $CHECKFILE.4
for mac in `cat $CHECKFILE.4`;
do
SL=`expr length $mac`
if [ $SL -eq 12 ]; then
grep -w $mac $CHECKFILE.1 > $CHECKFILE.check.1
CNT=`wc -l $CHECKFILE.check.1 | awk '{print $1}'`
if [ $CNT -gt $LIMIT ]; then
echo "MAC Address "$mac" appears "$CNT" times:"
cat $CHECKFILE.check.1 | awk '{printf " %d.%d.%d.%d\t%s:%s:%s:%s:%s:%s\n",substr($1,1,3),substr($1,4,3),substr($1,7,3),substr($1,10,3),substr($2,1,2),substr($2,3,2),substr($2,5,2),substr($2,7,2),substr($2,9,2),substr($2,11,2)}' | awk '{printf " %-16s %16s\n",$1,$2}'
fi
fi
done
else
echo "No file to check"
fi

A great use for this data: How about a search for any stolen data that might appear in our arpcache? I'll leave that for next time.

How Do Security Procedures Illustratively Fit Into Your Secured Environment?

2007-08-23T20:48:00.001-07:00

When asked recently to illustrate how Security Procedures are integral to the overall Security Environment I meditated on this topic briefly and I envisioned an illustrative comparison: an armored car. The illustration came to me, no surprise, while driving behind one.

How is your security environment like an armored car? Imagine you’ve taken every conceivable risk to your money and mitigated that risk with an appropriate counter-measure: for an armed bandit, you have an armed security guard trained to deal with such a person; for a nail in the road, extra thick tires; for a direct assault, armor plating; the list goes on.

Security procedures protect you from indirect assault. Could someone manufacture a key to the armored vehicle? Rotate keys and locks. Could a disreputable individual become a guard? Background checks will mitigate that possibility. Could an organization plan a direct heist against the entire vehicle itself? Drive random routes to pickup and drop-off destinations at varying times.

Security procedures are no doubt an integral part of the Security Environment and a potential risk if not properly reviewed and audited along with all other security processes.

Network Security Podcast for 2007-08-21

2007-08-22T08:35:00.000-07:00

The new Network Security Podcast is available from Martin McKeay is available with some interesting insights into how the same security principles are rehashed again and again in an interview with Winn Schwartau the brains behind Pearl Harbor Dot Com as well as many other books. Are security professionals doing all they can to secure their working environments and if so, what is the problem?

Download the PodCast Here: NetSec Podcast or from Martin's site .

Product Recall Site

2007-08-21T08:06:00.000-07:00

Excellent resource for searching for product recalls, including network and computer hardware. Do a specific firm search for companies, such as Cisco or Juniper.

SC Magazine Podcast Available: The TJX breach and what we can learn from it.

2007-08-21T07:03:00.000-07:00

Download SC Magazine Podcasts

Aug. 20, 2007: The legacy of the TJX breach

Online Editor Frank Washkuch talks with Mary Monahan, partner at Javelin Strategy and Research, about TJX and other major data breaches.

Podcast

Includes some details of how the breach was accomplished and how the compromised data was sold and used.