

Archive for the ‘IT’ Category

Who Will Use Microsoft Security Essentials?

Randy Abrams (who's a great guy to share a beer with if you ever have the chance) of ESET briefly mentioned the impact that Microsoft Security Essentials (MSE) will have on the AV market in a blog post a couple of weeks ago.

A commenter mentioned that MSE meant that his father would now install AV. Randy's response was to question whether he would, given that there are already free AV offerings available.

This got me thinking about when I stopped using AV on my home systems. I was a huge AVG 6 fan, I recommended it over everything and was fairly certain it was the best AV available to the end user. Minimal footprint, good results and not intrusive. The day that AV died for me was the day AVG 7 came out. I wasn't a fan that support for my product was discontinued and that it wouldn't autoupdate. I had to download the new version and install it, I also had to register for a serial. That wasn't free anymore, I had to provide my email address to a spam database. I did indeed download and install AVG 7, it had a larger footprint and I noticed an increase of spam (this could be coincidence but I don't believe in coincidences). I uninstalled it less than two weeks after installing it and decided to go without AV.

It was at this point that the real problem occurred to me. I had set up the computers of many of my family members and on every one I'd installed AVG and set it to auto-update. They were now without AV protection. I wasn't in the same city as many of them, so I had to walk them through the upgrade on the phone (a very painful process for anyone who's ever tried it).

Why does this story matter? If there's one thing that Microsoft is good at... it's pushing updates. I, for one, will install MSE on the systems of all my family members that ask for assistance and recommend it to anyone that asks for a good, free AV solution. I may even recommend it to those willing to pay (I've always found most of the other offers in commercial AntiMalware suites to be unnecessary) if I have a good experience using it. I know that as long as the software exists they will have updates and ease of use (Microsoft is good at both in my opinion).

So in the end I actually think that MSE will steal a large chunk of the AV market, however they'll steal it from the other free vendors (AVG, Avast, etc)... the commercial vendors won't have to worry for a long, long time.

Terminology Woes

Tonight I started thinking that one of the biggest problems affecting IT today is the lack of a clearly defined terminology (both terms and acronyms). Sure certain things have had standardization (CPE comes to mind as a great example) but generally terms are not common across the board. Let's consider a few examples.

VM - Do I mean Vulnerability Management or Virtual Machine? Depending on the industry it could mean either or both.
FP - Do I mean Fingerprint or False Positive? Again, the industry dictates the meaning or both meanings.

There was a period of time where people referred to Cross Site Scripting as CSS... occasionally I still see it places. How about RE? I'm sitting here looking at the spine of 'Reverse Engineering Code with IDA Pro'. The spine says 'RE Code with IDA Pro' but RE commonly refers to regular expressions as well. The list goes on and on, and I think it is a problem that hurts us across the industry. Now miscommunication may not occur because there's generally context around the term but it can happen. I think the bigger issue is misrepresentation outside of the industry. This could be outside of IT, or could be within disciplines of IT.

Take, for example, this blog post on the SecuriTeam blog. The title is 'Mysql authentication bypass'. I was rather excited when I saw the title in my feed reader, I thought that someone had found a way to bypass authentication and access the MySQL database directly. It turns out this wasn't the case. Instead it was talking about a method of SQL Injection that will bypass many filters/IDS and works only against MySQL, it was also a discussion that was 6 months old. A comment pointed out that this wasn't a MySQL Authentication Bypass and I tend to agree, the author disagreed in the comments.

As I see it, an Authentication Bypass is when you are bypassing the authentication process into software or a website. Prefixing it with MySQL leads me to believe we are bypassing the authentication process in mysqld. SQL Injection is so much more than simply bypassing authentication, and at the same time bypassing a filter/IDS is so much less than SQL Injection. The author of the blog post was fairly insistent that he'd titled the blog post properly, yet I think this is a prime example of terminology failing us.

Is there a way for us to work around this issue, or will it always exist?

Categories: IT

Gmail Lab’s Reply-to-All

I don't know about everyone else, but I tend to hit 'Reply to All' much more frequently than just Reply. So when the Gmail Labs feature to make 'Reply to All' the default became available, I was rather excited. It isn't much (a simple click on a drop down) but it made life more convenient and I rather enjoyed it. The other day I replied to an email intended for 4 people and realized that I'd sent it only to the person who sent the last email in the thread. Confused, I went back into the thread and replied again; only this time did I realize that Reply was the default and not 'Reply to All'.

I searched Labs and discovered that the feature was gone, after some googling I came across this link. It contains a very minimal comment stating that it was removed because it was causing issues for people who had enabled it, followed by a series of responses requesting the feature be brought back. Obviously it was working for a number of people, myself included.

Now, I can accept that in my lifetime the beta tag on my Gmail may never disappear and I can accept that adding a Labs feature may break my "Gmail experience". What I don't get is how a feature from Labs could be pulled because it's causing some people a bad user experience? Perhaps those people just shouldn't use it. Let those of us that want to risk the alpha release do so (after all, if Gmail is beta, Labs can only really be considered alpha). I assumed risk when I enabled the feature, I've accepted that... those people who are having issues also assumed risk... let them suffer on their own.

Anyways, this post had two purposes... the first was to inform anyone who hadn't yet noticed that their "Reply to All" feature was gone and second to rant about an alpha feature being pulled.

Categories: IT

What is InfoSec?

When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes:

  • Software Engineer
  • Software Developer
  • Security Engineer
  • Support Specialist
  • Research Engineer
  • Network Admin
  • System Admin

The list goes on and on. Historically, I've divided those within IT into one of four groups:

  • Developer
  • Information Security (IS) Professional
  • Information Technology (IT) Professional
  • Web Developer

These days Web Developer could probably be folded into Developer since there's so much beyond simple HTML used to build web sites. That leaves us with Developer, IS Pro, and IT Pro. I tend to think that that is a fairly reasonable distinction, at a high level with one caveat. IS isn't really on the same level as the other two. Most people that you talk to have experience in either IT or Development when they move into IS. IS is a skillset that's built onto one of those two. Let's look at this another way...

Imagine this is an RPG and you're a Level 1 IT Worker. You can choose the abilities you upgrade and they include "Programming", "Router Config", "OSI Model", etc. The level ups for these may include "C++", "Java", "Routing Protocols", "Routed Protocols". This means you could follow the path of IT Pro, Developer or "Jack of all Trades". It isn't until you reach one of these levels that you unlock the next round of abilities (the IS skills) which may include "Packet Analysis" (requires Routing and Routed Protocols) and "Binary Analysis" (requires "Programming" + 1 Level Up). Only at that point do you move to "IS Pro".

You're probably saying to yourself, "WTF is he talking about?" After all, I'm reading this and thinking that. What I'm talking about is this blog post, 'what do you need to know to work in infosec'. To put it plainly, the list is wrong. Well, the list isn't wrong, the list is correct, but the title is wrong. With the exception of one or two items, this list reads more like a "what do you need to know to be a sysadmin" or "what do you need to know to work at a helpdesk".

Now as I said, IT is a stepping stone to IS, so yes, at one point or another you probably learned many of these if you now work in IS, but these aren't the things you need to know to work in IS, these are the things you need to know to work in IT.

So let's take a look at the 'What you need to know...' list and figure out where the line items fit. If we take the ones you really need to know to work in IS we've got maybe 5-7 items (1, 11, 14, 15, 17, 18 and 19) - I'll let you decide if it's some or all. Let's think about some of the others. Numbers 2-5 are all networking related; I know people in IS who've never touched them... now as a network admin or member of the network group (which would fall under IT) these would be important skills. With numbers 6-9, we're looking at a sys admin or help desk employee (again, positions I'd consider to be IT related). Now 10, 12, 13, and 16. These could be argued a few ways but I'm going to call them help desk or support type things and bundle that up into the IT category.

So what's my point? To state that I disagree with a definition of infosec that "needs" all those abilities. Then again, people may even disagree with the 5-7 I felt could be kept. In the end that list is a great list if you want to go get the title of Network Admin or Sys Admin, or even in some cases Security Admin, but even at that, working in an enterprise security group where you may deal with all those tasks (it seems doubtful that you'd rely on the security team to install software though) is one very small aspect of infosec.

Categories: IT, Security

Vendor Snakeoil

One of the coolest booth prizes at RSA had to be from an appliance builder that was having a draw for a free prototype appliance ($2000 value). Thinking this would be an awesome win, I quickly filled out the form and placed it in the fish bowl. That was the last I heard of this until yesterday. I came into the office and had a voicemail from last week. It went something like this (close approximation):

Hi Tyler, it's Ed ******** calling from MBX Systems. I just wanted to let you know that we drew your name for the RSA drawing and it would be great if you could give us a call back to go over the details.

Now at this point I'm rather excited... I've got plans for this win. I'm thinking ComputerDefense.org appliance installed in a rack somewhere instead of a hosted page for this blog. I call back and end up having to leave a voicemail. After a brief game of phone tag, I finally get Ed on the phone. He does some standard sales guy talk and then asks how he can meet my needs, and since I just want my free system that I won, I ask how it works. At this point I'm informed that someone else won the free prototype... I've won a free eval! W00T! Stop the presses... a FREE eval! Needless to say the phone call quickly ended.

This was, to date, the sneakiest trick I've seen to get someone on the phone. At this point I may not be directly involved in appliance purchasing but I'm a big fan of the vendor space and who knows where I'll be in 1, 5 or even 10 years. I do, however, know who I won't be doing business with.

You know, if I'd won and their systems were half as good as their marketing material claims, I probably would have written up a blog post praising them... at the very least they would have gotten positive mention just because I'd won it. Since I didn't win, they could have not contacted me or gone with a standard sales call and I wouldn't have had anything bad to say about them; at least I'd know the name should I ever be in the position to purchase appliances in the future. Instead they took this sleazy approach and now I'm going to always know who I'm not doing business with.

Categories: IT

Apache AddType Issue

A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension, it enables all files containing that string.

Example: AddType application/x-httpd-php .php

In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP. I found this to be rather interesting and started testing with a few servers I have handy.

It appears as though this isn't the case 100% of the time.

I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34, however it wasn't true on the two Apache 2.2 systems.

I contacted the handlers at ISC to follow-up with them, however I haven't heard anything confirming one way or another. Has anyone else tested this on their servers?
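For anyone who would rather not depend on which Apache build they happen to be running, the configuration below is an added illustration (not from the original post or the ISC diary) that puts the AddType form from the post beside the stricter FilesMatch form. It assumes a stock Apache with mod_mime loaded and PHP installed as an Apache module that registers the application/x-httpd-php handler, the same name the post uses; the access-control lines use Apache 2.2 syntax, matching the versions tested above.

```apache
# Added example: the AddType form from the post beside a stricter alternative.
# Assumes mod_mime is loaded and PHP is installed as an Apache module that
# registers the application/x-httpd-php handler (the name used in the post).

# Form discussed in the post. mod_mime evaluates every dot-separated component
# of a filename as an extension, so whether phpinfo.php.bak is handed to PHP
# depends on how the build treats the trailing ".bak" (the post reports it did
# on Apache 1.3.34 and did not on two 2.2 servers).
AddType application/x-httpd-php .php

# Stricter form: only filenames whose LAST extension is .php are handed to the
# PHP handler. phpinfo.php.bak, index.php.txt or a phpinfo.php~ editor backup
# are then treated like any other static file, regardless of mod_mime's
# multiple-extension rules. Use one form or the other, not both.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Belt and braces: refuse to serve backup or editor copies of anything at all,
# so a forgotten .bak of a script is neither executed nor shown as source.
# (Apache 2.2 syntax; 2.4 would use "Require all denied".)
<FilesMatch "(\.(bak|old|orig|swp)|~)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

The SetHandler-inside-FilesMatch form is also what the PHP installation documentation recommends, for exactly the multiple-extension reason the post describes. After changing either block, a harmless check on your own server is to drop a file such as test.php.bak in the document root, request it, and confirm the response is a 403 (with the deny block) or the raw file rather than executed output.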

Categories: IT, Security

Successful Exploit Renders Microsoft Patch Ineffective [Link Posted]

One of the patches released yesterday has a serious flaw, in that an already compromised host will not have the patch properly applied. I provided a full write-up on this yesterday on the nCircle blog and felt that the importance of the issue warranted posting a link here to increase awareness.

Categories: IT

DamnVulnerableLinux 1.5

[Update: Due to bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.]

DVL 1.5 is out, and I have mirrored it again.

There is also a call out for people to create training materials, so if you can, swing by the DVL forums and volunteer to make a video or two. However, I'm unsure of where to find the forums (there's no link on the main page and I'm not a user). Please share a link if you know how to get to them.

Blackberry IM Stalking

So I mentioned some of this to someone the other day and they were surprised by it (and a Blackberry user) so I thought I'd do up a quick post about it... some people may not realize how much information can be determined about you. Note, these are based on my observations.

Blackberry IM Status:

  • Active -- User can be sent messages and will receive them immediately
  • Contact is Unreachable (Icon: (- (not quite sure on this one but that's what it looks like) )
    • Out of cell range
    • Phone is no longer active
    • On a phone call
  • Pending -- They haven't authorized you yet. (Icon: Green +)
  • Unavailable -- Set by the user (Icon: Red X)

Blackberry IM  Icon:

  • Clock -- Waiting to Send
  • Bulls Eye Circles -- Sending
  • Checkmark -- Sent successfully
  • D -- Delivered
  • R -- Read

Now... you'd think that this limits what you know, but it really doesn't. Generally you'll know if one of your Blackberry IM contacts has had their phone deactivated and depending on where you live, you may also know when they are in or out of cell range (the exception may be if they turn their phone off).

Something that was recently pointed out to me is that GSM will continue to deliver messages while you're on the phone, while CDMA (which is what both the Blackberries in my house are) won't.

This means that you can further determine:

  • Unreachable + Checkmark == Phone Off or CDMA on a Call
  • Unreachable + D == GSM on a Call

I know, to most people this probably doesn't seem like much, but I figured it was worth sharing... if one person learns something new... mission accomplished.

Categories: IT

TwCuP

Those of you that follow me on twitter may have noticed that yesterday I was posting quite a bit more frequently and most of them contained the word 'test'. I was playing around with twyt and decided to build a curses-based Twitter GUI. I've never done any curses programming before, so this was my way of learning the functionality. I implemented command-line support in a style I found more to my liking (even though twyt already has this) and then started building the curses GUI. If I go very far with this, I may eventually rewrite the API to fit in with the rest of my code, but for now I'll use twyt on the backend.

The code is very basic, but already it can do a few things:

  • Display latest friends list updates.
  • Display recent replies.
  • Display recent sent and received DMs.
  • Update your status.
  • Send a DM.

Unfortunately the next update is most likely a week away, but when I get around to it, I plan on splitting the screen into multiple windows with your current status always displayed, along with a regularly updated friends list. Right now everything is jammed into a single window.

I do need to figure out how to get Twitter to display my client name (apparently I need to contact them for that) but so far, so good. Anyone wishing to take a look at my (very alpha) code, can check it out here.

For those of you wondering about the name... TwCuP kinda reminds me of 'hiccup', so I found it slightly amusing at ~4am when I was trying to come up with a name.

Eventually this will (hopefully) be a client that can be left idling in a screen session... that's my goal anyways.

Categories: IT, Python