Tuesday, November 29, 2005

More typing

I've re-org'd the Asterisk page and have added a bit of work to the "sip.conf" setting descriptions. Think of it as yet another of my (ongoing) unfinished projects.

Hopefully it'll help someone. Let me know if it does?

Sunday, November 27, 2005

Needs a dash of clue

While we're on the clueless security rant, here's one that I heard on the radio tonight. A syndicated personality, known as "Troubleshooter Tom Martino", has a consumer-centered talk show. As I was driving back from the grocery store this evening, Mr. Martino was ranting that iPods are susceptible to viruses via podcasting and stating that "we need anti-virus software for our iPods".

Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:

  • iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
  • Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
  • RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.

In short, there are too many things missing from the environment that would support malicious code. "In ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows.

Excommunicated?

I fear that I may have angered some fellow CISSP's. If I haven't said it before, I like to argue. I'm even willing to take positions that I don't necessarily believe in. However, this isn't one of those cases.

In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions.

I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI.

I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals", makes it that much more of a problem. My argument follows...

Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost".

You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?").

The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:

  • The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hypen between the first two words)
  • The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses it's integrity.
  • "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a law suit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due dilligence.

The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing it's security "value" entirely and becoming a rationalization for a business action that might not improve security at all.

In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall.

Thoughts?

Saturday, November 26, 2005

1st Responder Std.

What comes out of the "First Responder Standard" should be interesting to watch. Various groups have attempted this. The main stumbling block is the lack of a common infrastructure (e.g., radio frequencies, communications protocols, etc.).

Friday, November 25, 2005

VoIP

I highly recommend O'Reilly's book, "Switching to VoIP" by Ted Wallingford. If you're messing around with Asterisk, it's a good book to have. While there's not a whole lot on setting up Asterisk, it is a good reference for theory and troubleshooting.

Thursday, November 24, 2005

Happy B-Day!

Happy Birthday to son Jonathan! Happy Bird-Day to everyone!

I finally get it!

Microsoft's Office 12 product looks like it's going to be a pretty slick product. After a "first look", I like it.

However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors.

The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*]

Just call me "slow" this month.

Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.

Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds.

Wednesday, November 23, 2005

Tuesday, November 22, 2005

Sleuth Kit Informer

It happened almost a week ago but... Brian Carrier has posted a new
issue of "<a href="http://www.sleuthkit.org/informer/sleuthkit-
informer-21.html">The Sleuth Kit Informer", a newsletter he writes in
conjunction with the Sleuth Kit. This issue talks about the new license
for the Sleuth Kit and about changes to the ils tool.

Monday, November 21, 2005

Getting good from evil

I hereby nominate the five authors of Opportunistic
Measurement: Extracting Insight from Spurious Traffic
for
whatever award you'd give for using-evil-for-good ideas. The paper
discusses the shortcomings in current network visibility techniques and
suggests extracting data from the noise generated by infections, spam,
and denial of service attacks.

Sunday, November 20, 2005

Synthetic Diversity

Monoculture is a recognized problem when discussing malicious code.
It's what amplifies the effects of malicious code to the point where it
can have devastating effects.

Here is another
paper from last year's WORM, this one describing a method called
synthetic diversity as a method for combating malicious code.

It's an
interesting read but I disagree with most of it for a number of
reasons:

  • Synthetic diversity within a program can only go so far.
    While the techniques may reduce the number of attack points within a
    program, it won't remove them entirely. Add millions of users to that
    situation and diversity within a program that does the same function,
    time after time, becomes a bit shallow.
  • As always, adding
    complexity isn't a good response to lessen vulnerabilities. The KISS
    principle is better.
  • Diversity can only be provided via a small
    number of methods. It wouldn't take long for the "bad guys" to adapt.
    Even if more methods were developed, it would lead to an already
    familiar type of arms race.

Anyone care to argue for or
against?

Saturday, November 19, 2005

Friday, November 18, 2005

It's over

I hereby declare the novelty of podcasting as officially dead and that the technology is now mainstream. While searching for additional content to listen to during this week's commutes, I noticed that the "ususal suspects" also have their own podcasts. The "usual suspects" include the panorama of pseudo-science, fake grass-roots sock puppet, conspiracy theorist, and hate types.

The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page).

NOC Notes

Here is a collection of
notes that relate to network operations.

Thursday, November 17, 2005

AWK

AWK is one of those "things" that you very quickly (you wouldn't believe
how quickly) forget if you don't use it continuously. It's also a very
powerful tool to have. Here is a tutorial for
it.

Wednesday, November 16, 2005

It ain't getting any better

I've loved Zyxel modems for many years. However, they've lost points
with me for thinking that undocumented

or hidden equates to secure. What's that old line about repeating
history? [*sigh*]

GraphViz

O'Reilly has a quick
tutorial
for GraphViz. This is valuable if you draw a lot of flow
charts or relationship drawings.

Tuesday, November 15, 2005

DNS poisoning

It's a bit dated but SANS has a good piece on
DNS poisoning. It describes some of the issues and lists a few
mitigations.

Monday, November 14, 2005

Watch your head

Too much time on your hands? Why not entertain yourself by watching the headers of the sites that you visit and see what sort of extra kruft is included?

Sunday, November 13, 2005

Dangerous Jokes

Everyone should steer clear of the "<a href="http://www.groklaw.net/article.php?
story=20051112154004597">Nothing joke". The joke has been stretched
so far that when it does fail, Nothing will be funny.

Nothing is
sacred. According to the theory of relativity: Nothing travels faster
than light, Nothing existed before the Big Bang and Nothing can have
negative mass. In the real world, Nothing is perfectly symmetrical and,
for most of the time, Nothing changes.

When you're sick: Nothing
tastes good, Nothing is interesting and Nothing really matters. Then
again, Nothing is better than sleep to help you get better.

A lot of
parents end up sending their kids to college to learn Nothing. Many of
those students think that Nothing is harder to learn than Calculus. If
those students learn Nothing, their parents tell them that they're good
for Nothing.

That's about it for the puns. (I'm hiding Nothing.)
Please contribute Nothing to further the joke.

SCO: you started this!

Priorities!

Hmm... I may be in trouble here: It's roughly six weeks until Christmas
and roughly nine weeks until ShmooCon. I have more shopping done for
the latter than for the former.

(If you're married, ignore the rest
of this. You already know the futility of the thought(s).
) How can
it be my fault though? She still hasn't filled out her wish list!

Cables and stuff

Some of it is vendor-centered but this site has a lot of
good hardware info.

Saturday, November 12, 2005

Blogroll

I've disabled the blogroll provided by Blogrolling.com as issues with
their server(s) were preventing this page from loading. If things don't
clear up soon, I'll probably move to a static list.

Skype

OpenRCE has a pointer to a quick
binary analysis of Skype. Short but very interesting.

Friday, November 11, 2005

FUD

Let's see if I can re-explain it (without shouting) for those that still
think that I'm anti-MS: it's the marketing aspect that I like to poke
fun at, not the tech.

Example: the ongoing OpenDocument bickering.
The marketing department would like you to think that Massachusetts is
going to require Linux and OpenOffice. I doubt anyone who reads this
blog is confused but just in case, THEY'RE NOT THE SAME!!
(sorry)

OpenDocument is a document format, not a program. MS Office
could save files in OpenDocument format with no more difficulty than
saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in.

So what's the controversy? Why the
smoke and mirrors from Redmund? How about the "free
flow of data in and out
"? With the OpenDocument format, MS no
longer owns any part of your documents, rather than the current
proprietary format where they own the font, the metadata format, and the file storage format.

MS's risk in adopting the OpenDocument format?
Loss of user "lock in" (many companies initially adopt MS Office because
it's considered the "industry standard"), loss of font "lock in" (many
fonts are proprietary to MS Office), loss of feature "lock in" (a common
format is just that: common, and people will come to prefer
interoperability over proprietary features)(will anyone miss fighting
Words auto-formatter?).

I've had to explain this issue multiple times
this week. Hopefully those in the State Government can recognize the
difference. Unfortunately, it's entirely possible that one or more of
those people can be hired to influence the rest.

Update: Here's yet another view and reason for "the stink".

Thursday, November 10, 2005

Wednesday, November 9, 2005

Google searches

Not a whole lot of time to post this week.

Was playing with the logs
offline. Odd thing: out of the 800 or so Google referrals in the last
month, over half of them were queries about dsniff.

Okay, what are
y'all up to?

Tuesday, November 8, 2005

Have you voted today?

If not, stop reading this and get out there. I don't know about the
other 49 states but Virginia has lived through a very nasty election
campaign for Governor. Nothing but negative ads during prime time. I
swear, if the independent had bought one commercial last night and did one
"clean" commercial, he'd probably be Governor Elect tomorrow.

Monday, November 7, 2005

Exchange Msg IDs

I'm looking for a technical reference that explains just how the message
ID for an e-mail passing through an Exchange box is created. Is it
entirely random or is at least part of it "readable" in a manner similar
to those generated by Sendmail?

Sunday, November 6, 2005

Einstein quotes

Jim's Pond has a set of
Einstein quotes that I'm enamoured of:
  • Any intelligent fool
    can make things bigger and more complex... It takes a touch of genius -
    and a lot of courage to move in the opposite
    direction.
  • Anyone who has never made a mistake has never
    tried anything new.
  • Problems cannot be solved by the same
    level of thinking that created them.

Saturday, November 5, 2005

Cox

This is getting really, really old. All along, I've had to put up with stupid-big levels of arp storms. For the last 2 months, I've had to live with periodic outages (6-7 times per day). I'm not the only one. Three other Cox users at the local user group meeting are also noticing it. And it must be wider spread than I thought as Leo Laporte is having to answer questions about it.

Hey Cox! WTF?

Friday, November 4, 2005

Tracking MS systems

Because Arthur asked, I'm adding my scripts for tracking Windows systems
to the wiki. The scripts are short and sweet, describing them is a bit
involved. Keep tabs on my work here.

Thursday, November 3, 2005

VoIP Threat Taxonomy

Cool. The VoIP Threat Taxonomy document is on the streets.

I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue"

(heh)

Wednesday, November 2, 2005

Jeez!

[*sigh*] How many times must we see this happen? Sony should be ashamed of themselves. Sorry, it's probably already blogged to death, but I couldn't resist. Is there any sort of EULA embedded in the packaging or can we sue Sony for doing what two people were sent to jail for last month?

Tuesday, November 1, 2005

More cookies

InfoSec Writers has part
two on their article about cookies. (Part 1 was blogged last Saturday.)

Find Rogue Shares

Iron Geek has an article about finding rogue shares within your network. The idea is aimed more at the corporate network rather than the home network. IG used Windows-based tools but you can gain similar capabilities with *nix-based tools. With a bit of Perl, you can tie MySQL to nbtscan, nmblookup, and smbclient to get (and maintain) a pretty good picture of your network. With a bit more Perl coding, you can watch for unauthorized systems being plugged into your network and, depending on the OS employed, you can even grab MAC addresses remotely (yes, from outside of the local network segment).

I still have some of the scripts laying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above, most of 'em aren't pretty.