.:Computer Defense:.

Warning... this is a bit of a disjointed rant!

I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".

This person is a graduate of a post-secondary computer program. Probably not unlike the program that I graduated and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.

However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?

I then realized that this likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The prevoius sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box acting as a DC and running Exchange 2K directly onto the internet. Not even a linksys router in the way, just straight into the DSL modem.

So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do. A lot of people dislike standards like PCI but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training because how do we have the users trained if their likely trainers don't know what's going on.

If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.

Lately I seem to have over extended myself. I had multiple blogs on the go and on top of my full time day job, I was developing curriculum, teaching and doing some book editing. Given my unnatural TV watching habits, that meant other things had to suffer. One of my many resolutions this year was to fix that. I have plenty of things Iwant to write about at any given time, I just never do...and everything I do leads me to more things I want to write about. So it's time to start writing again. My goal was to publish 365 blog posts this year, but since this is my first one and it's the 7th, that doesn't seem likely. I will, however, do my best to start blogging again on a regular basis.

One thing that kept me ridiculously busy this past year was my server. I had decided that a Linux box at home wasn't sufficient a couple years ago and purchased a hosted server for way too much money each month. In the end the maintenence and upkeep were draining me and I finally decided to abandon it. Primarily because I grew lax on maintaining it and it was hacked. I decided it just wasn't something I needed to have any more and that there were better ways to accomplish my goals. So now I'm in the middle of transition as I restore back-ups I'd pulled off the server and get myself up and running with various new services.

One way that I'm handling my lack of access to that shell is by increasing my usage of SDF. I've been an ARPA member of SDF since 2003, but I decided to upgrade to MetaARPA membership and take advantage of some of the additional services (more on this in the future). On top of this, I signed up for Amazon Web Services. I created myself a Micro-Linux instance that falls within the free tier for now, but I plan on playing with AWS and exploring some of the possibilities with it in the future.

I seem to have most things back up and running that I had previously, however one missing piece is that SSLFail.com is still not back up. I am hoping to get that blog back up and running and open it up to be more user contributable...I'm just not sure how to do that yet. If you have any opinions, please let me know.

*UPDATE*
Just wanted to let everyone know that I managed to throw $40.00 towards HFC, it wasn't much but I had forgotten PayPal fees and exchange rate (which is close to par but still affects $2k). Thanks again everyone!

I just wanted to let everyone know that I've reached my goal to cover my bandwidth costs. I want to thank the individuals who donated, it was definitely appreciated. I also want to thank SecurityCompass for making a donation. Additionally, I need to extend a big thank you to my employer. This is my personal blog and when I started with nCircle I pointed out that I blogged here and wouldn't stop. Even though we have our corporate blog, they were happy to allow me to bounce back and forth between the two rather than push me to blog only on blog.nCircle.com. So even though this blog is all mine, nCircle stepped up and offered me an advertising contract, featuring their logo and link on my website and in exchange they offered up cash to cover the remainder (total less donations) of my hosting fees, and in the end I believe I'm coming out slightly ahead, so I'm hoping to pass some money towards HFC (more on that once my 1and1 bill is actually paid). So once again thank you to everyone. You'll now see nCircle's logo on the page, and in the near future (once my transfer volume is straightened out) DVL will return with a nCircle sponsored download page.

After my last review of Note applications, I was asked to review a few more apps, some by the author and others by friends who wanted to know if programs were worth buying (I guess they prefer I spend my money ).

As last time, I'm using the Pogo Sketch for all on screen activities and I'll use the same chart as last time:

• P -- Pen Function
• E -- Eraser Function
• T -- Text (Keyboard) Function
• U -- Undo Function
• R -- Redo Function
• C -- Colour Support

neuNotes (Free) -- PEURC

The author of neuNotes commented on my last post and suggested I look at the software. I'd have to say that if I wanted notebook style software (similar to PaperDesk and Penultimate) that this is by far the best free option. I've come to like Sundry Notes more and more lately but it's still got a lot of feature bloat, and Adobe Ideas is really more of a whiteboard, neuNotes finds a nice middle ground. I can draw in multiple colours and also select the transparency, which means I can use it as a highlighter. It allows for multiple notebooks with multiple pages and several transmission options (Mail Page as PDF, PNG, or JPG; Tweet Page; Mail All Pages as PDF).

The feel of the software isn't quite as refined as some of the other apps, the icons and colours made it feel a little juvenile but that's a pretty minor sticking point.  I've spent so much money on note taking apps, that I'm not sure this one will make the cut in the end on my iPad, but if you haven't spent money on an app yet, this is probably a good starting point.

The transparency, multiple pages and email options were all high wins for me, while the lack of paper types (lined paper can be useful) and look of the software were the primary cons. As an added benefit, you can replace a page out of a notebook with an imported image and mark up the image, and you can name each page individually.

Note Taker HD ($4.99) -- PEURC

The biggest sticking point on this software has to be the price. It, along with Notes Plus, take the cake as the most expensive pieces of notebook software. From a features standpoint, they'd almost seem worth it (they have some of the nicer features) but there are some basics that are definitely lacking in both cases. Additionally the Note Taker HD UI takes some getting used to. While the colour and icons of neuNotes were bothersome for me, in this case it's the buttons themselves, they don't fit the typical iPad buttons that I've become accustomed to and the UI layout is a little wonky.

Where Note Taker HD is nice is in the edit modes. You can mark up an entire page, or you can switch edit modes and write in a small zoom box so that you can take notes like you would on paper (and the functionality works quite well). Another point that many people may like is that Note Taker HD is like a single notebook. You add pages, title pages and work with pages, just as if you had a real notebook that you carried around to scribble in. While this may not be quite as organized as multiple notebooks, the tagging and favourites features help to make up for that.

While I really like the zoomed writing features, I'd want the UI to feel a little more 'iPad-like' to make this a part of my daily use.  Given that this app only supports lined paper, I'd say that it's really meant to be treated like a notebook that you carry around and scribble down random thoughts in, and in that case, for people that do that... this might just be the perfect app.

Notes Plus ($4.99) -- PETURC

While I'll likely keep a few of the other apps (Penultimate and Adobe ideas) this may soon become my primary note taking tool.  You have multiple notebooks with multiple pages; multiple pen, text and paper options, group select and move (try the erase tool out and drag instead of deleting).  The software also contains zoom and write functionality like Note Taker HD. The UI also has a very professional look and feel that improves the overall user experience.

If I was to nitpick, it'd be that the only email option is PDF. I'd like to be able to email a specific page as an image (PNG or JPG preferably). I'd also like a real eraser, so that I could "tidy" my notes. The only option write now is to use the group select and delete the highlighted chunk of writing.

The ability to intermingle typing and hand writing is also a nice feature. While the cost is a little high, in this case it may almost be justifiable. I wouldn't recommend this software if you aren't serious about taking notes (then the cost isn't justified) but if you are, this is the option for you.

Ghostwriter Notes ($1.99) -- PEUC

This is pretty standard note taking software. You have the ability to select from a few pen colours/types and a couple of types of paper. The zoom functionality is the only way to enter input with this software, which means no drawing diagrams (unless you can do that while zoomed into a couple of lines). This software may actually be the closest representation to pen and paper and the pen strokes are quite nice (no blocky text with this app).

You're limited in what you can do with this software, but along side Adobe Ideas or Penultimate you may end up with a nice pair of apps.  There's a catch though... wait a version or two. Current the software has some lag issues (not sure why) but you end up with pen strokes that aren't acknowledged with leaves you with half written characters, or the zoom window lags and you don't see what you've written until you're down a line or two. Either way it could be very annoying to use in a real-world situation and risk encountering this problem

iBrainstorm (Free) -- PE

This is the last piece of software I'll look at, I've almost got more note taking software on my iPad that I do games (almost, but not quite ). This software is clearly a competitor to Adobe Ideas and perhaps the two belong in their own category but I'll lump them in here. The easiest way to sum this app up is to say that when I'm done the review, Adobe Ideas will be staying on the iPad.

iBrainstorm has a single screen, no clear page and no new page. If you want to start over you sit with the tiny eraser and wipe it all out. It also have buttons that seemly do nothing, and occasionally the screen greys out for no reason. Those issues aside, it actually has a few cool features.

The first cool feature is the ability to insert a Sticky Note. The tool itself is all freehand, but you can add a Sticky Note, and type a note to go along with your drawing. The other cool aspect, which I couldn't test, is the ability to connect multiple devices to bring along group think functionality. I'll hopefully get a few people running this in the future and test it out and if it's amazing, I'll write more about it.

**Update on this on another blog post -- fees have been paid in full, should anyone chose to donate at this point, I'll use it to pay future fees**

Every now and then I encounter websites that have donate buttons, especially if they provide a service. I've always wondered about this but figured "Hey, if people want to give money why not". I've decided today to become one of these "Cyber Pan Handlers"

For quite a while I've been hosting DamnVulnerableLinux without any problems. About 6 months ago, my transfer limit was exceeded due to DVL and I had to pay a bit extra. I decided that I would stop hosting DVL and it went to being only available via torrent. A couple of months later my hosting provider, 1and1, sent out an email stating that all hosting accounts had been upgraded to unlimited transfer, so I re-enabled my hosting of DVL. This month DVL appeared on Slashdot and what followed was a bill for a couple of thousand dollars. 1and1 is claiming that my account is a grandfathered account that no longer exists, and is therefore not eligible for the unlimited transfer. Yet they had still sent me the email and when I had checked at that time my account stated unlimited. I'm guessing that they made a mistake in their system when they initially implemented it and then silently fixed it. Either way, they are unwilling to honor the email they sent me and the DVL direct download has been removed. Should I come out of this, I will upgrade my account (which will increase my current monthly costs) and resume hosting DVL for download.

In the mean time, I'm going to ask for donations to help cover this large bill. During this push, there were over 30K downloads of DVL. I'm hoping that some of those downloaders (or anyone else) will realize the value they gained from the direct download and donate a few bucks to help cover costs. I just don't have the cash to cover it right now, and not only will the DVL direct download go away, a number of other things will as well:

• ComputerDefense.org blog, hosted web pages, mailing lists, and email addresses
• SSLFail.com blog, hosted web pages and email addresses
• Hosted DNS
• Shell Accounts
• SecurityBloggers.net domain name and associated email forwards / url redirects
• Hosted Domains

If you are someone affected by any of these services, maybe you want to donate too

As I said, once I manage to get this worked out, the DVL direct download will resume. Those who donate, I'm also willing to consider any requests you have for a shell account, dns hosting, email or whatever else. If any companies want to donate... Well, I'll add a banner with your logo to the top of CDO.org and SSLFail.com. Let's say for companies, every $20 buys you a month of banner

Anyways... that's it... figured I'd give this a try.... now for the lovely download button.

Thanks For Reading!
Tyler.

One of the biggest reasons to get an iPad, in my opinion anyways, is that a tablet seems like the perfect note taking platform. So I was rather surprised when I first turned it on and encountered Notes, the built in software. If Apple's goal was notepad, then sure... mission accomplished but I expected more from a company that does graphics and media so well. This lead to the search for the perfect note taking tool and I've played with a few at this point, so I figured they were worth comparing. All on screen writing was done using the Pogo Sketch, an absolutely amazing stylus that I recommend for anyone using one of these tools.

There are a number of common features, so as I walk through these tools, next to their names I'm going to list a series of letters, the letters stand for:

• P -- Pen Function
• E -- Eraser Function
• T -- Text (Keyboard) Function
• U -- Undo Function
• R -- Redo Function
• C -- Colour Support

In playing with my iPad, I determined that editing code in vi via SSH just wasn't going to be possible (the on screen keyboard just doesn't work well for vi keyboard commands). That meant I had to look at AppStore alternatives. I came across two that advertised what I wanted to do; for i ($9.99) and Monkey Wrench ($6.99). Given that I'm used to Komodo IDE, which has a price tag of $245 I wasn't expecting much.

I decided to play with for i first and was impressed with a number of things. One of which was the addition of an extra row to the keyboard with most of the commonly used programming characters. This meant I wouldn't have to switch to numeric and then to symbols. It also included a tab key which was useful, since I work primarily with Python.  I wrote out a few lines of code and was happy with the speed. I couldn't type as quickly as I can on a keyboard, but I was quicker than some people I've seen attempt to write Python. Syntax highlighting, a built in web server (for file sharing), and some settings were all nice to have, along with the exceptional language support.

After I wrote out my quick demo script, I switched over to Monkey Wrench to do a comparison. The first thing I noticed was that it didn't look quite as nice. I'm not sure what it was, but it looked outdated.  What I did like about Monkey Wrench was the line numbering, however it was mostly a viewer and it felt like code editing was added as an after thought. I also didn't like that Monkey Wrench was written primarily for use with FTP and then local files were thrown in afterward. There was no need to select a language as I had in for i, I simply typed... syntax formatting need not apply right now (but it is listed as a planned future improvement). The keyboard, while it added extra characters, didn't had enough of them and coding was almost a pain (keys like = / ( and ) were missing ).

for i Pros

• Syntax Highlighting for numerous languages
• Attractive Interface
• Enhanced Keyboard
• Wifi File Sharing

for i Cons

• Lack of Line Numbering
• No SFTP support
• Copy/Paste support was extremely poor and inaccurate

Monkey Wrench Pros

• Line Numbering

Monkey Wrench Cons

• UI felt more like a viewer than an editor
• Lacking certain enhanced keyboard functionality
• No Syntax Highlighting
• Had to enter typing mode
• Wedged in a viewer and an editor instead of sharing the space for a single window.

In the end, I'll use for i for now but I'll keep both up-to-date and see what happens with them in the future. Either way, it's nice to see this type of app available... now if only Python was in the AppStore.

I experienced a ‘brief’ period of downtime ( ~24 hours) the other day on a server that I have hosted with 1and1. When I contacted them to find out about the outage, I was informed that my IP has been blackholed due to a DoS attack. I was surprised to discover that they hadn’t contacted me when they’d taken this action and, if I didn’t access my server daily, I wonder how long they would have continued to blackhole the IP. I asked for proof that my server was under attack and they sent me a snippet of the log:

12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)

That IP, for those of you running to look it up, resolves to ni-out-f94.1e100.net. It turns out that 1e100.net is a Google domain. So, if I believe my hosting provider, I was DoSed by Google. I emailed 1and1 to point out that it was a Google domain and simply DNS traffic, and shortly after that my server was back up… at least in theory. In the end I had to reboot my server before it would respond… but at least I got it up at running.

Nothing exciting... just my latest pain.

This would normally go on SSLFail.com but due to a server outage, I decided to just post it here...

Tim Callan, SSL Evangelist for Verisign, has posted a brief comment that Twitter now enjoys the added cost... um... protection... of EV SSL. I decided to check this out, so I visited https://www.twitter.com and was greeted by my biggest internet pet peeve, a website where only the www or non-www version works properly.

I decided to remedy this and use https://twitter.com, however I still couldn't get any green demonstrating EV SSL

Of course, this was probably just a Firefox problem... I'll use the new kid in town, Chrome...

Hrm... now I'm confused, perhaps Firefox and Chrome both have some sort of problem, because I should be getting the glorious green that is EV SSL somewhere in my address bar. I figured I'd try Internet Explorer first though because I don't want to be accused of prematurely pointing out why Tim's comment is wrong and why EV SSL is useless.

Again, mixed content errors... this time complete with the famous IE pop-up.

Alas, all is not lost... EV SSL and the glorious green bar is available on Twitter. You simply need to provide your credentials on the page with the "broken SSL" and then, after login, you'll be presented with the wonderful green bar.

Now maybe it's just me... but it seems that this is sending the wrong message to most users.

It's been a while since I posted here (I'll add another post with links to my recent postings) but maybe this one will irritate enough people to make up for it

--

Last weekend involved more playing with my iPad and given that it’s my first Apple product since the original iPod mini, there are many things that I’d never played with. I decided that an interesting first step would be figure out why it’s so popular to jailbreak iDevices. It only took me about 30 seconds on Google to come across Spirit and the process was incredibly painless. I downloaded the app, connected my iPad and clicked Jailbreak. In a matter of minutes I had a jailbroken iPad with Cydia installed (GUI apt-get like program similar to Synaptic on Ubuntu).

Given that I spend a lot of time with Python and I’m a big fan of Metasploit and Nmap, I decided that I’d start with those apps. It was pretty impressive, to just click and install (although I did have to modify msfconsole to get it to run on its own). If I was a pentester, I’d see some serious benefits to a jailbroken iPad. However, I’m not so I continued to dig around. I had to install openssh-server and SSH into my host (there’s no terminal software for the iPad like there is for the iPhone) but that was easy enough. Now it’s time to investigate.

My biggest complaints about the iPad are:

1. Inability to play DRM wma files.
2. Inability to multitask.
3. No decent text editor.
4. No way to have portable python.

#4 was solved immediately but wouldn’t be useful without a Bluetooth keyboard and that limits the portable aspect. #1 is wishful thinking; it’s just never going to happen. That leaves #2 and #3, so we’ll explore those in more detail.

The inability to multitask is a big one for me. I’d like to have a browser and a game and email and IM open… but Mr. Jobs doesn’t want me to have that freedom. Multitasking is supposed to be one of the big things that jailbreaking gives you… I’m afraid we’ve been mislead. ProSwitcher was the first app I tried, and as soon I installed it I experienced my first stability issue… Switchboard crashed when I tried to open an app. So next I tried Multifl0w and was disappointed when the repository failed and I couldn’t try it. That left Backgrounder; which, based on what I’d read online, was my best chance. It allowed me to background applications (a partial win) however my chat still logged me off when the Window was in the background, so ultimately it was another fail. I suppose that I could have gone with full console applications, install screen and run a different console app in each window but that feels like it’s defeating the purpose of having an iPad (besides, I’ll SSH into a shell account for that functionality).

A decent text editor is something else I was excited for. I’ve recently stumbled across a source code editor in the AppStore that might solve my problems but I couldn’t bring myself to spend $10 on it just yet. In the meantime the first thought I had was ‘finally… vi’. Vi IMproved was available and I quickly installed it. It was useful but, similar to python, wasn’t overly useful without a real keyboard (the lack of ‘:’ on the main keyboard made it especially painful to use).

So all my dream iPad situations faded away but I figured I should still check to see what else was in Cydia. I have to say, I was impressed… Impressed by the sheer amount of crap that existed. I couldn’t find any useful functionality. There was software that would make the annoying mosquito sound (that’s only heard by people under 30) and software that allowed you to “shake body parts” and even software that simulated Bluetooth functionality. It didn’t give you Bluetooth functionality… It just looked like it was doing something. No software to add DUN support so that I could tether with my Blackberry. No cool office suites or useful tools, just a whole lot of useless, mindless programs.

Needless to say, my jailbroken iPad lasted less than 2 hours, at that point I did a full restore of the original OS and I’m happy that I did it. In those two hours I had the iPad crash once and Springboard about a half dozen times. I found no useful software and couldn’t accomplish any of the tasks I wanted to.

Should Python ever make it into the AppStore, even with a price tag, I’ll happily pay for it but I’m going to stick with my iPad in its default configuration. Should I ever get into pentesting, I’d probably change my mind, but it just doesn’t seem useful for anyone else to even consider.