Archive for February, 2007

Easy to Remember, Difficult to Guess Passwords.

Alan Shimel, in his latest blog post, links to a new blog written by a co-worker of his. Alan advertises the blog as 'a little more technical than most, but if you are into the nuts and bolts of security and networking and general IT wizardry, The Village Elder may be just the ticket!'... my comparison would be a little less flattering, in that I'd say many of the posts remind me of the Guides to (mostly) Harmless Hacking. That being said, I'm not trying to discredit the blog... however things such as "getting a website via telnet" and "sending mail via telnet" are a little 1995. The latest post, 'To sudo or not to sudo', also has me wondering. It seems to me that telling people how to essentially make sudo useless is something a security person shouldn't be doing... at this point you might as well just 'sudo su'.

That being said, it's a relatively new blog that may show some merit... It has interested me enough to make it into my blogline. There is also some saving grace in the 'realistic approach to creating passwords' post. The concept is interesting... sort of the reverse of creating a password from a phrase... You create a phrase from the complex password and use a substitution schema to handle numbers. There are some issues I have with it... The password used in the example is: i6y.iylB and the phrase used is: I got you didn't I you little sucker!. The problem here is that you have to have your schema down perfectly... For example, based on the sentence and the provided schema, I could easily lock my account out.

Possible Passwords:

  • igydiyls
  • igydiylB
  • igy.iyls
  • igy.iylB
  • i6ydiyls
  • i6ydiylB
  • i6y.iyls
  • i6y.iylB

My preference for complex passwords has always been URLs. I try not to use my own websites because that may be too easy to guess. That being said, URLs make great passwords. Let's say you have two email accounts... one is gmail and one is yahoo. You could swap the URLs as passwords... So you visit gmail and enter your username (user@gmail.com) and your password (http://mail.yahoo.com). Now you visit yahoo and you enter your username (user@yahoo.com) and your password (http://www.gmail.com). Now if you're like me, you may capitalize certain websites (just because you're used to them capitalized)... so I type http://www.ComputerDefense.org... or I could take it a step further... http://www.ComputerDefense.org/index.php. That's a 40 character password using upper and lower case and special characters. I could add numbers by, say, appending the length of the string to the end of it. Even a short website is useful... CNN for example... 3 letters to remember suddenly becomes http://www.cnn.com, 18 characters, and again special characters are used... Perhaps you read the US CNN page, so you use http://www.cnn.com/US/ as your password. As long as you don't use the website you're visiting as the password, you've got a rather complex password. You can have hyphens in domain names, so why not a website that uses a hyphen... How about a website using SSL over a plain text website (https instead of http). If you watch people surf the net, most people can type a website rather quickly... especially one they are familiar with... When people are typing out a phrase for their password they can sometimes be slowed down, making them more vulnerable to shoulder surfing... when they're typing quickly... people are less likely to notice their password. So this is my recommendation for a difficult password that's easy to remember.

John's post is probably a great method if you're given a password that is complex and cannot be changed, but as I pointed out, be sure to have your schema down or you could lock yourself out. However, if you have the ability to choose your password, or change it after the fact... I highly recommend the website as a password method.
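As an added example (not code from the original post, and not John's published schema), the following Python enumerates every password an ambiguous phrase-to-password schema can yield and compares that count with an account lockout threshold; the per-word alternatives are a constructed reconstruction from the eight candidates listed above, and the URL helpers apply the same post's length-suffix idea.

```python
import itertools

# Constructed phrase and schema built from the post's own list of eight
# candidate passwords. The alternatives per word are an assumption about the
# original scheme, not the author's published substitution rules.
EXAMPLE_PHRASE = "I got you didn't I you little sucker!"
EXAMPLE_SCHEMA = {
    "I": ["i"],
    "got": ["g", "6"],        # first letter, or a digit substitution
    "you": ["y"],
    "didn't": ["d", "."],     # first letter, or punctuation for the apostrophe
    "little": ["l"],
    "sucker!": ["s", "B"],    # first letter, or a capital for the exclamation
}


def candidate_passwords(phrase, schema):
    """Return every password the schema could yield from the phrase.

    Each word contributes a list of alternatives; the result is their
    Cartesian product, so k ambiguous words give 2**k candidates (8 here).
    """
    per_word = [schema[word] for word in phrase.split()]
    return ["".join(choice) for choice in itertools.product(*per_word)]


def lockout_risk(candidates, lockout_threshold):
    """True when working through every candidate could trip a lockout.

    Typical policies allow 3 to 5 failed attempts, so a scheme with eight
    plausible readings can lock the account before the right one is reached.
    """
    return len(candidates) > lockout_threshold


def char_classes(password):
    """Return the character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def url_password(url, append_length=False):
    """Turn a URL into a password, optionally appending its length as digits.

    The URL supplies mixed case and special characters; note that the fixed
    'http://www.' prefix is predictable, so the real strength comes from the
    host and path, and the URL of the site being logged into should never be used.
    """
    return f"{url}{len(url)}" if append_length else url


if __name__ == "__main__":
    cands = candidate_passwords(EXAMPLE_PHRASE, EXAMPLE_SCHEMA)
    print(len(cands), "candidates; lockout risk at 5 tries:", lockout_risk(cands, 5))
    pw = url_password("http://www.ComputerDefense.org/index.php", append_length=True)
    print(pw, len(pw), sorted(char_classes(pw)))
```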

Categories: IT, Security

Vista RTM Software Compatibility List

Just a short post here... The guys over at ieXwiki are maintaining a Vista RTM Software Compatibility List. It contains three categories... Works, Small Problems (work arounds usually fix these ones) and Heavy Problems (incompatible). The list is fairly in depth with plenty listed. So if you're wondering about any of your software, feel free to check this out.

Categories: IT

A Quick Redirect…

This is just a quick pointer to a post I wrote over on the nCircle blog... given that I write on two blogs and I have a few regular readers on this one, I like to direct the traffic whenever I do this...

The post is entitled, The Security Disconnect, and it's about a disconnect that seems to exist in the security world.

Categories: IT, Security

Non IT Daily Link List

These are just some cool sites... I found them via another blog but unfortunately, between finding them yesterday and going to post this today, the blog link has escaped me. I apologize to the author of that blog and will link them if they want to contact me with the link.

Anyways... just a few links to share...

Pipl - A People Search Engine... The information that it finds is interesting... you could do the same using google but it provides a bit more and it's free. It also directed me to A9 Lite (which lists the individual with each company they can be found with on the net). From the Pipl "What makes us different" page:

So how come the best search engines fail so miserably when it comes to people search? The answer lies in a little known but very important part of the web called "the deep web".

Also known as "invisible web", the term "deep web" refers to a vast repository of underlying content, such as documents in online databases that general-purpose web crawlers cannot reach. The deep web content is estimated at 500 times that of the surface web, yet has remained mostly untapped due to the limitations of traditional search engines.

Since most personal profiles, public records and other people-related information is stored in databases and not on static web pages, most of the higher-quality information about people is simply "invisible" to a regular search engine.

Even when a personal profile is available to search engines, some information might not appear on the page itself and will therefore be "invisible"; for example, the real name of a person will rarely appear on MySpace or Flickr profiles, and although this information is publicly available using a search form on the site itself it is still invisible to search engines.

While I may not agree with all of that... It does make for some interesting searches.

Up next we have Craigs Number.  The idea is that it gives you a free anonymous phone number to post with online auctions and ads. I could see this having malicious uses as well, but it's still an interesting site... Currently you can get a number related to the following cities:

  • Atlanta
  • Boston
  • Chicago
  • Cincinnati
  • Dallas
  • Detroit
  • Houston
  • Indianapolis
  • Las Vegas
  • Los Angeles
  • Miami
  • New Jersey
  • New Orleans
  • New York
  • Phoenix
  • Pittsburgh
  • Portland
  • Salt Lake City
  • San Diego
  • San Francisco
  • Seattle
  • St. Louis
  • Washington DC

The numbers can last for varying times from 1 hour to 1 month and will redirect to your phone when called. It would be nice to see this startup for other countries.

Up next is the Fake Name Generator... While this may seem like an odd thing to be useful, I can think of plenty of times when I've developed web apps that had user data stored and having test data created for me which was accurate would have been much better than me randomly populating the fields. The generated data looks like this:

Carol J. Haynes
4517 Goosetown Drive
Marion, NC 28752

Email Address: Carol.J.Haynes@mytrashmail.com

Phone: 828-655-1932
Mother's maiden name: Fitzgerald
Birthday: January 12, 1942

Visa: 4532 9847 9280 7632
Expires: 6/2008

SSN: 245-30-5007

You can choose gender, name set and country. I know you're all thinking how is this useful... You generate the data and now have to enter it from the format they give you, but this isn't so... They also offer a bulk generation service that will let you generate and receive data in MySQL, CSV, tab delimited and Excel formats... This is all done free of charge. For a fee you can also have custom data generated.

The last site we're going to look at is SlideShare.  SlideShare allows you to upload both PowerPoint and OpenOffice formatted slide shows and share links or embed them in web pages. This could be a great way for professors to make their slides available on a larger base (assuming they don't want them private)... It's also a great way to share slides on your web site or blog. You can also visit the site to search slides that have been posted there.

Enjoy!

Categories: Daily Link List

Daily Link List

Sometimes I provide just links in these, other times I use them to house numerous "mini-blog posts"... The last one was links, this one is "mini-blog" posts.

The first thing I want to bring up is some of the "tutorials" that have been written on the Official Google Blog.  The first was Controlling How Search Engines Access and Index Your Website. It was posted back in January and covered robots.txt; it's a great intro for anyone who's never used robots.txt before. It also provides some external links to some excellent resources. The more recent of these, The Robot Exclusion Protocol, covered using META tags to issue directions to Googlebot. It covers the NOFOLLOW, NOINDEX, NOSNIPPET and NOARCHIVE META tags. Both of these are fairly short, a single page, and definitely worth taking a couple of minutes to read.

Next up we have an interesting post on Jeff Pettorino's VeriSign Blog. While it's a common sense issue, we quite often forget how many people fail to use common sense. The article speaks to home alarm systems and why they don't work with VoIP. I always thought it made sense as to why you needed a land, or POTS, line but I guess that's because of a technical background and those without the technical background think of a phone as just being a phone. My sister for example signed up with Rogers for Internet, Cable and Phone... She signed up for home phone service and it wasn't until she and I were talking one night and I pointed out that the, so called, "Home Phone Service" was actually VoIP... so I guess to most people a phone is just a phone. For you people, Jeff's post is an excellent read.

Up next we've got an interesting bill being proposed in Massachusetts that would make retailers responsible for monetary losses due to data loss... This is a great bill and hopefully it becomes a law and then, if all goes well, hopefully other places will put similar laws in place. Right now if a business loses your credit card information, the credit card company is responsible for any loss you incur. Under the proposed law the business would be responsible. I think this would drive a lot of companies to beef up the security that they have in place and start to take data loss seriously.

An article published on Dark Reading a couple of weeks ago covered a study done by the University of Maryland which determined that the average computer on the internet is attacked every 39 seconds. A second article was published yesterday with more information from the study pointing to the top ten passwords that are attempted during these attacks.

Lastly, we've got a post from Mitchell Ashley on a third type of hat that should accompany white hat and black hat... I would argue that this is actually the fourth type of hat, as the third type was grey hat.  While I agree that this described "yellow hat" does indeed exist, I wonder if we should introduce yet another hat... perhaps we should have the "green hat"... The hat of jealousy and envy... The "green hat" isn't unlike the yellow hat, except that instead of finding flaws in their competitors software and publishing them irresponsibly to make themselves look good, they verbally attack them with no real basis for the attack. Without naming names, I can think of individuals at a few different companies who regularly resort to this and I think we should label them green hats.

Categories: Daily Link List

How much privacy do we have left and who’s allowed to violate that privacy?

There was an article on The Register today regarding the former judge who's been sentenced to 27 months in prison for possession of child pornography. This, in itself, may not be overly newsworthy... Another scumbag went down and the story would be over normally but this story is different. This conviction spawned from the determination of one computer "hacker" to work to stop child porn and child abuse. It's also a story that raises plenty of moral and ethical concerns.

The evidence in this case surfaced via a trojan that was posted to news groups by the hacker, whose handle is Omni-Potent, and downloaded by some 3000 perverts and pedophiles. He then monitored the actions of these individuals and at varying points turned information over to the authorities.

Now a comment was made on my Windows XP Black Edition post and the author of that comment was fairly certain it was against the law in Canada to place malware on a person's machine. If this is true then Omni-Potent has a) violated the law and should be arrested and b) anything he turned over to the authorities is most likely invalid. That's not to say I think that the perverts and pedophiles should be getting away with what they are doing, and I've seen it mentioned, in regards to this issue, that the ends justify the means. The problem is, where do you draw the line?

I told this story to my fiance and asked her what she thought of the issue. She said that it was fine because of what the former judge was doing... so I asked her if she'd want people watching everything she did online and her comment was, "No, but I'm not doing anything wrong." My response was along the lines of, "They won't know that until they've already watched" and all she could say was, "Oh, I wouldn't want that."

Sure it's great that another scumbag is locked up but where do we draw the line on the violation of privacy? I don't think you can say they crossed the line so it's ok because you don't know they've crossed the line until you've violated their privacy and I, personally, don't want my privacy being violated just so someone can "check and see if I'm breaking the law". Another argument could be made that the judge had downloaded the trojan which was placed on a newsgroup known for pedophilia. This is true but how many home computers have malware on them already that's accessing illegal information such as this... Do those people deserve to be monitored because of something on their computer that they are unaware of?

There's also the fact that this was done internationally and that if a civilian can get away with this, what can your own government get away with? Who draws the line on who can and cannot monitor your daily computer usage... on who can violate your privacy and when it's ok to have your privacy violated? To me this raises a great deal of concern on the issue of personal privacy and what other individuals are allowed to monitor without fear of punishment.

Categories: IT

OWASP Testing Guide Released

I know I'm a little slow and by now most of you are probably aware of this... I got the email three days ago and put it to the side (I was out of town for two of them)... Anyways I'm writing about it now.

OWASP has released a new guide which is best described in the release email:

The OWASP Testing Guide includes a "best practice" penetration testing
framework which users can implement in their own organizations and a
"low level" penetration testing guide that describes techniques for
testing most common web application and web service security issues.

It can be downloaded in both PDF and DOC and it can also be viewed from the OWASP website...

OWASP is currently looking for assistance with this "272 pages high quality document, with 46 controls divided into 8 categories".

Some of the help they are looking for:

*** Continuously Improve the Guide.
The Guide is a "live" document: we always need your feedback! Please
join our testing mailing list and share your ideas with us. The next
step is to begin working on the new version: one issue that will be
improved is the client side testing.
http://lists.owasp.org/mailman/listinfo/owasp-testing

*** Promote the Testing Guide
We would like to have some more media coverage on the guide, so
please, if you know somebody in there put them in touch. If you have
the chance, you can write an article about the Testing Guide and the
new OWASP Projects. Also you can pick up the OWASP Testing Guide
presentations and talk about it in local conferences and Chapter
meetings.
http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_Presentation.zip

*** Translate the Guide into your Local Language
If you'd like to translate the Testing Guide in your local language,
please contact us.

*** Add 'Quotes' to the Guide.
If you've used the guide and can share your experience, we'd love to
hear from you. You can add your quote to the OWASP wiki here:
http://www.owasp.org/index.php/Testing_Guide_Quotes

I will provide additional thoughts and feedback when I've had time to fully read and digest the document.

Categories: IT, Security

Daily Link List

Just a few quickies today:

Sid @ SecuriTeam has an interesting post on how he found out that his router was open to the world to FTP into.  It's worth a read... and it also introduced me to nmap online... Something I'd previously been unaware of.

Brian Krebs has a nice write-up on the flaw in Google Desktop which prompted a quick patch.

I'm a little behind on this one, but apparently Stefan Esser has been making mention of March being the Month of PHP Bugs. Haven't we seen enough of these already?

The beta of Nessus 3.2 has been made available for Linux, FreeBSD and Solaris.

That's all... short and sweet.

Categories: Daily Link List

PEBKAC

I keep seeing these stories of Vista upgrade woes and Vista install woes and Vista "doesn't make my coffee in the morning" woes and I can't help but be reminded of 'PEBKAC'. One of these stories that most recently caught my attention was on vnunet written by Clive Longbottom. Now Mr. Longbottom installed Vista on his Thinkpad X60 (A rather nice laptop with a core duo) and he tells us that he has 1GB of RAM. Now for comparison I have Vista installed on my Thinkpad T43p, a decent laptop with a Pentium M processor and 1GB of RAM... so in the end, lower specs than the X60.

So why talk about this? First because vnunet referred to Mr. Longbottom as an industry expert and, being in the IT industry, I find that rather insulting. The other reason is his claim that Vista was utilizing 80% of his available memory... Now as I pointed out we have similar systems (although he has more processing power) and my system is currently sitting at 49% Memory usage. This is with the Lenovo Tools (such as ActiveProtection), Media Center's tray application, Windows Defender, Automatic Updates, VMWare Server and Subsystem for Unix Applications all installed and running. Since I haven't actually tweaked services for improved performance, a quick look at the Resource Monitor shows me plenty of places where I could lower that memory usage. Perhaps Mr. Longbottom shouldn't be loading on so many additional applications.

Now let's look at the actual article... At one point Clive comments on his WPA settings not being remembered during the upgrade and that he had to enter them himself. I'd have to say that if that's your complaint when you finish an upgrade... your upgrade went swimmingly well.

His next complaint about the upgrade is with the Lenovo software and some of the actions that it took (offering non-Vista compliant software and his XP software not working with Vista). The first one is Lenovo's problem (and yes they have several problems but that's the joy of dealing with a not-so-great company like them). The second part is what I find interesting. For years people have complained about how much of the Windows code was legacy, and a lot of the security flaws that have existed in newer Windows operating systems have been present due to that legacy code. Microsoft has finally decided to do something about it, ending some of the backwards compatibility (but not all of it), and now people complain about that. All because vendors couldn't be bothered to release Vista compatible applications (and they had plenty of time to do it).

In the end, Mr. Longbottom's article provides nothing relevant to any ongoing discussions regarding Vista... he points out that PEBKAC is true and that he indeed was the issue. The one good suggestion that he makes is that a full install should be done instead of the upgrade, but he then ruins that by stating that only "techies" should perform upgrades since they'll have hours to spend on it. I find this a) derogatory to the technologically inclined and b) to be a load of crap. Technical people have always recommended full installs over upgrades, which are known to have problems... XP Home to XP Pro was a famous example... People bought machines with XP Home on them and then upgraded them to XP Pro and PPPoE would no longer function correctly... SuSE has a long history of upgrades failing to work correctly, with incorrect library versions and broken dependencies left behind after the upgrade is "complete".

So the ultimate recommendation: Install the software from scratch... upgrade only if you "really, really" have to. Also do some background research, don't rely on the Vista Upgrade Advisor... while I found it to be completely accurate given the software I use, others, such as Mr. Longbottom, have apparently had issues. This is to be expected... you can't expect the advisor to be aware of every application in existence and its ability to work with Vista... So do your own research. Think of it like buying a car or a house... you're making an investment into something that you will rely and depend on... Checking to see if Diskeeper will run on Vista is no different than checking to see if the house you want to buy has gas, oil or electric heat. Do your research and if you don't, you only have yourself to blame.

Categories: IT

An Old VMWare Trick Revisited

A couple of years ago I posted a tip on a forum I frequent on how to disable debug mode with VMWare Betas.  It's recently come to my attention that not everyone who uses VMWare is aware of this ability, so I thought I'd share the tip once again.

VMWare Betas ship with debugging information turned on, the idea being that you can report any problems back to VMWare. The problem is that debugging information turned on means a decrease in performance.

To disable debugging under Linux:

# Go to the VMWare installation directory
cd /usr/lib/vmware
# Keep the original debug binaries so you can restore them later
mv bin-debug bin-debug.bak
# Replace the debug directory with copies of the non-debug binaries
mkdir bin-debug
cd bin
cp vmware-vmx* ../bin-debug

To disable debugging under Windows:

Browse to your installation directory.
Rename bin-debug to bin-debug.bak
Create a copy of bin
Rename the copy of bin to bin-debug

You'll now have the option to disable debugging in your VM Options.

Categories: Tools