Sunday, September 30, 2007

ZoneMinder update

Dave and I managed to get a version of ZoneMinder up and running by grabbing a copy of the Blue Cherry Live CD from the web site and trying a number of different cameras. We discovered that one of the obstacles that we were facing involved the hardware (an older Dell box) that we were using as a platform. We ran into everything from not enough memory to realizing that the USB ports were only version 1.x. Dave had a very nice USB2 camera going, with the Live CD, on his laptop. We ended up installing the Live CD (it's Ubuntu-based) to cure some of the memory issues.

Wednesday, September 26, 2007


Bad security quote of the day goes to Dale Peterson: "... and there are no zero-days in these security products."

Uh, yeah... While I concur that wireless is being used inappropriately in some areas (see my comment on his page), that statement didn't help Dale's argument much. (heh)

Getting the customer to speak

Tate Hansen, over on Clearnet Security, has a post about getting the customer to provide input as part of a penetration test. It surprised me for two reasons: 1) I didn't know that it wasn't done and 2) it's so obvious an issue.

I'm not saying that I don't believe that the condition exists. People (and therefore organizations) tend to take the path of least resistance, so if the penetration testers don't ask, the customer is not going to offer up the information.

My surprise is that the question just doesn't come up. It may be because I'm the type to take a packet sniffer to a CTF contest. (Yeah, one of those that thinks that CTF is a spectator sport.) (I have Don M. at ODU and S-14 (hiya Pete!) to thank for that "bad habit".) To me, the "What did you see?" question is just so obvious that it's a "must ask".

I can also see how organizations fall into the practice of not participating in their own penetration testing. It may have something to do with that other form of security testing called the vulnerability scan. It's usually performed more often and requires no input from the customer, except during the remediation phase, and that is usually an internal process (e.g., the CIO may have some "'splaining to do" to the CIO).

The Hansen/Ranum/McGraw reference to the "badness-o-meter" is a good one. If your pen-testers have anything other than "we don't know" at the top end of the scale, the data they're providing about your level of security may be suspect. Pen-testing is an inverted business-model. The best you can hope for is: "We don't know. We failed." A few things to keep in mind:

  • This doesn't mean that someone else doesn't already know
  • It also doesn't mean that they won't know tomorrow or the day after
  • To quote a semi-cliche: "Security is a process, not an end state." (Dr. M. E. Kabay, 1998)
  • By extension, a pen-test is a snapshot of that process, not of an end state

Sunday, September 23, 2007

Security by fashion statement

Squidly1 pointed out a Dark Reading article (about the under-estimation of the "insider threat" threat) in IRC and (surprise!) it irked me.

My initial thought was "somebody is selling something". Upon reading the article (follow it to the daily blog to see the link), I discovered that I wasn't wrong. The reason for the article's existence was to make you overly paranoid about your users and get you to buy something to counteract the threat. If that purchase just happened to be the product mentioned in the article, so much the better!

My second thought was that this was another in a long line of "security by fashion statement" (bowel) movements. Think about it. We have a number of firms where "analysts" (those that aren't practitioners but are somehow (mysteriously) more knowledgeable) declare that one security method is "auld schoole" and there are much better, more modern, methods of performing such and such a function.

It's quite annoying. In the past five years, we've been told:

  • IDSs are dead, IPSs are better (thank you Gartner)
  • Anomaly detection is better than IDS/IPS
  • the firewall is dead
  • the perimeter is dead
  • SSL are the best VPNs
  • stateful inspection is better than application proxies
  • deep packet inspection is better than application proxies
  • application proxies are better than stateful inspection, packet filters, and deep packet inspection (What? You missed the resurrection of proxies by Gartner?)

And now you need to be so paranoid that your users' every keystroke needs to be monitored and analyzed for intent (yeah, that works well), to the degree that you must come up with "termination plans"? Oh and, by the way, we just happen to have this nice product that'll automate this process and make your life much easier.

A much better approach would be to have a realistic security policy and to use the tools you already have, especially the one behind your eyeballs. Most "insider threat" incidents are considered corporate embarrassments not because the incident occurred but rather because they weren't detected until after the fact. The majority of insider abuse is readily apparent, either in the virtual world (in log files) or out in the real world (people tend to talk about what so-and-so is getting away with).

Attempting to totally automate the process, in either the virtual or real worlds, is just a way of abstracting yourself further away from the problem. Network monitoring and management of people have at least one thing in common: they "automate" poorly in that an automated process can only handle "known" issues. Unique issues can always crash automated processes. (It's why we have web-based time sheets but still have entire HR departments.)

You want to properly deal with the "insider threat"? It's easy. Show "trust" in your users. It's okay to "verify" with a certain degree of monitoring, but it has to be at a level that your users are comfortable with.

Also, use the tools that you already have. Automated log file reduction is fine, but you still need human review of the remaining entries.

The firewall, the IDS, and security boundaries are still valuable. So are enforceable policies, deep packet inspection, stateful firewalls, and anomaly analysis. They each have their place in your toolset.

Companies such as Gartner like to bank on the fact that you've forgotten that none of these technologies are mutually exclusive. While "layered defenses" may be an offensive term to some, the existence of multiple protections which co-support an overall security policy is still a good idea. Just don't take the human factor out of it.

I've got news for you: If you run a totalitarian environment (AKA micro-managed, micro-monitored), every single one of your users will be evil and you'll end up wondering why your organization has such a high turn-over rate.

Save your cash. Also, keep in mind that the less flexible a system is (the degree of tolerance it has), the more brittle it is and the more spectacular the failure will be when it does go. This goes for machine systems as well as for people.

Thursday, September 20, 2007

FC7, an NVidia 6340 LE, and a SyncMaster 940BW

For the better part of this year, I've stuck with the commercial version of Mandriva 2007 because it was one of the few distros that automatically recognizes my video card and monitor. For those that know me, this is an extremely long time for me to stick with one distro.

Not any more. I've needed to install Fedora for a few toolsets that I've wanted to play with and finally had the time (I took a day off) to install Fedora and figure out how to get the video configured properly (usually it'd come up with bars on the side and no mouse cursor).

Fixing both of those problems was pretty straightforward. The mouse involved turning off the hardware-driven cursor. The video involved trashing the Fedora drivers and grabbing the binary off of NVidia's site and letting it compile new modules.

I've stuck my notes in the wiki.

Sunday, September 16, 2007


Thanks to Mubix, I've added,,, and Maltego (formerly Evolution) to the network forensics wiki page. The last three are intriguing in that they provide a number of other functions. I'm especially interested in Maltego as it supposedly does some basic relationship linking and has both a GUI and a web interface.

Saturday, September 15, 2007

Shmoocon CFP is open

Step 1: Announce date of con (done)
Step 2: Announce CFP (in progress)
Step 3: Devise ticket sales scheme that (hopefully) won't anger the natives (TBD)

Wednesday, September 12, 2007

Memory limitations

Note to self: Zoneminder cannot display video on top of the Beryl/Emerald window manager. There's not enough video memory to support both.

Monday, September 10, 2007


I forgot to copy .config before compiling! Aaauuugh!

Shmoocon CFP

For those not watching for it, the Shmoocon Call For Papers is now open.

Need to choose

I'm also having to decide (shortly) on a topic for this semester's term paper. As I blogged previously, Rob has encouraged me to work on one of the IPv6 vulnerabilities. I've tried to counter with an analysis of FastFlux. Both look interesting.

The IPv6 work would be more directly related to the "Attacks" class. Rob suggested it knowing that I'm one of the few students with IPv6 at home.

I'm interested in the FastFlux problem but I'm wary of where it might lead (remember, the problem is based on problems within the domain registration infrastructure). Then, too, it may also run into one of any number of dead ends as there is a massive bureaucracy between ICANN and the hosting providers (with the registrars in the middle). Without the ability to subpoena a number of people, investigation is limited to what you can extract via the local terminal window. Corruption at the hosting provider or registrar makes it that much more difficult.

I'm a bit discouraged but not yet put off by that. Initial investigation of two FastFlux domains shows a massive number of systems attached to the Storm Worm (amazing since, for most of those boxes, someone had to click on "Click here" to get infected).

In any case, I've got to choose soon. Rob's deadline is coming up fast.


I'm offline for a bit, while working on getting one or more Zoneminder boxes up and running. Getting a system up and running, with the MythTV plugin, is an exercise in taking two steps backward for every three forward (i.e., the distance from point A to point B is the same but you travel 5x the distance to get there).

So far the install has included:

  • installing the system from scratch
  • turning off/removing unneeded services/software
  • setting up access to the PLF repositories
  • adding needed RPMs
  • configuring the new services
  • building the kernel from source (no install, just need the syms for compiling other stuff)

All this before even compiling pvrusb2, MythTV and Zoneminder. Luckily, most of the above could be done by sitting down at the console every 20 minutes or so. It is a bit tedious though. Makes me think that I should have tried one of the Zoneminder LiveCD's first. (I didn't because there's a number of things I want to do that probably aren't in the LiveCD.)

Thursday, September 6, 2007

Where's stupid?

If I asked you to point out the IP addresses of one hundred stupid people, could you do it? (Doug, you're not allowed to answer.)

How about a thousand?

Ten thousand?

Seven hundred fifty thousand?

It's actually very easy to do. Remember Gnutella? Google does. Sheesh! And you thought the RIAA had to do something sneaky to get its target IP addresses.

Hint: If you must view those links, I recommend clicking on the "Cached" link as most of those entries are offline at the moment.

Wednesday, September 5, 2007

Request for help

If any reader is an expert with Alsa, I could use a hand. I'm having a nightmare of a time getting Alsa to work with multiple input/output options. The current set up involves a built-in sound card, a Logitech USB headset, and IDJC (which requires jackd). That means at least three outputs and three inputs (not counting any other software-based sources/loads). I can get IDJC to work with either the sound card or the headset, but not both.

Any help (or pointers to documents other than the ALSA wiki) would be greatly appreciated.

Sunday, September 2, 2007

New(er) Asterisk Book

Dave, of The Asterisk Blog, has pointed out that Asterisk: The Future of Telephony, 2nd Edition has hit the streets. I highly recommend the book, in either edition.

Shmoocon '08

Heads up folks! Shmoocon '08, Wardman Park Marriott, 15-17 Feb. This year does not bode well for conference facility sharing (remember, 2008 is an election year and they stated at the last conference that all but three weekends were booked for 2008).

Saturday, September 1, 2007

Porn Glossary?

Yikes! More developments in why I get weird browser referral entries: seems that SpraakService (a Norwegian version of Babelfish) has my glossary listed as "The Free Encyclopedia: Glossary of Porn" (hit ctrl-F and search for "joat"). The intent of the glossary is to support the wiki and to provide non-dangerous links to definitions for use at my job (I no longer work there though).

I learned about all this via the installation of Google analytics. It adds a number of behind-the-scenes accounting features that have confirmed a number of suspicions about visitors to the site and has pointed out a few other new data bits (such as SpraakService).

Looks like the wiki may have picked something up in the translation... (heh)

The end of a long week

Wow. I survived yet another really long week. The week started with me sitting in the emergency room, last Saturday night. It was my son's semi-annual pilgrimage to get treated for asthma/pneumonia. The SANS class started Sunday morning and I've been in sleep deficit ever since (I managed to annoy the instructor by standing in the back of the room a lot and making a large number of trips out of the room to recycle the massive amounts of coffee that I was drinking).

In any case, the CTF was today. I captured two of the team flags. We didn't take first (or even second) but we had a very good time as we were doing it (translation: the rules didn't prohibit adding content to the web pages). To whomever it was that left the ptrace-kmod exploit lying around in one of the user accounts, thank you. I was able to repair the bug in the source code and use it.

In any case, my son is fine (if you don't count him being a 200 pound asinine eating machine when he's on steroids) and I have roughly three months to recert GSEC and six months to do my GCIH.

I also picked up quite a few topics for research during the SANS class (tracking FastFlux, tracking browser header alteration by spamware, etc.). I'll need them as I decided to crash Rob's Attacks class since we couldn't get enough participants for the Continuing Case Studies in Forensics. Maybe next year?

Thanks to the others in the fourth row/left side of Ed Skoudis's class this year. I enjoyed the class/exercise.