Archive for the ‘IT’ Category

How Hard is it to Get Your SSL Cert Right?

January 3rd, 2009 1 comment

Guess what, this isn't a post about the recent Rogue CA presentation... just something I came across that frustrated me.

I recently went to check out adsense to see if it's ever actually made me any money. Being Canadian and using google.ca hourly (since google.com forces me to google.ca I might as well type it myself), I typed in www.google.ca/adsense. I was kicked over to https://www.google.ca/adsense and had the following appear in Firefox

I know it's obvious what the problem is, but let's look at my other screenshots since I took the time to take them.

Now why can't a company like Google get their SSL certs right? How's the general public ever supposed to trust SSL if major web-based companies are too lazy to get proper SSL certs? I'm actually rather disappointed by this. I've trained some of my family to not venture into sites with improper SSL certs (or at least investigate them first), and this would confuse them and set all the effort that I've made back several steps.

We always talk about educating the user, and I believe that SSL is something we can properly educate the end user about, however that requires an effort on the part of the website / vendor in question. This time Google has failed.

Categories: IT, Security

Playing with Python – nmap XML port frequency

December 16th, 2008 1 comment

Two Python libraries have caught my attention lately, the first is lxml and the second is matplotlib. Ideally I wanted to write something short, just to get a feel for the basics of them. The goal was figuring out what I could do quickly so that I could play around with arguments and output, yet still have an actual result. I also wanted a nicely formatted useful XML file to parse. I ended up going with nmap's XML output. I also decided that I would plot the frequency of ports in the file.

Is this useful... perhaps? I could see a sys admin wanting a count of specific open ports on the network or a pen tester wanting to know the most common ports on a target network.

The python script is extremely basic and is called via nmap_port_frequency.py <XML Input> <png Output>. The result is an image similar to this:

The above image is the output from scanning three hosts.
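A script along these lines, written here as an added example and not the post's own nmap_port_frequency.py. It parses with the standard library's xml.etree.ElementTree so it runs without lxml (lxml.etree offers the same parse/iter/find calls); the sample XML, the function names and the choice to count each port once per host are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET   # lxml.etree exposes the same calls used here
from collections import Counter

# Constructed sample in nmap's -oX layout (three hosts, not real scan data).
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/></port>
  <port protocol="udp" portid="53"><state state="open|filtered"/></port></ports></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
</nmaprun>"""

def port_frequency(root, states=("open",)):
    """Count hosts per (protocol, port) whose reported state is in `states`."""
    freq = Counter()
    for host in root.iter("host"):
        seen = set()                      # count each port once per host
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") in states:
                seen.add((port.get("protocol"), int(port.get("portid"))))
        freq.update(seen)
    return freq

def plot_frequency(freq, png_path):
    """Bar chart of the counts; matplotlib is imported only when plotting."""
    import matplotlib
    matplotlib.use("Agg")                 # render to a file, no display needed
    import matplotlib.pyplot as plt
    items = sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
    labels = [f"{port}/{proto}" for (proto, port), _ in items]
    plt.bar(labels, [count for _, count in items])
    plt.xlabel("port")
    plt.ylabel("hosts with port open")
    plt.savefig(png_path)

if __name__ == "__main__":
    # Same calling convention as the post: <XML input> <PNG output>
    if len(sys.argv) == 3:
        plot_frequency(port_frequency(ET.parse(sys.argv[1]).getroot()), sys.argv[2])
    else:
        print(port_frequency(ET.fromstring(SAMPLE_XML)).most_common())
```

Closed ports are skipped by default; pass states=("open", "open|filtered") to include UDP ports nmap could not confirm.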

Categories: IT, Python, Security, Tools

The Power of hexdump

December 15th, 2008 No comments

One of my favourite new commands has become hexdump. From time to time I go through my nepenthes hexdump folder to take a look at what I've recently seen.

These hexdumps on their own are fairly useless:

treguly@ns:/home/nepenthes/hexdumps$ cat ffa6fd1e9b143a4bd5ac705a570e3b21.bin
D CKFDENECFDEFFCFGAAAAAAAAAAAAAAAA EGFCEPEOFECACACACACACACACACACAAA
ÿSMBrSÈÿþbPC NETWORK PROGRAM 1.0LANMAN1.0Windows for Workgroups 3.1aLM1.2X002LANMAN2.1NT LM 0.12

However, when you make use of hexdump it becomes much more readable.

treguly@ns:/home/nepenthes/hexdumps$ hexdump -C ffa6fd1e9b143a4bd5ac705a570e3b21.bin
00000000  81 00 00 44 20 43 4b 46  44 45 4e 45 43 46 44 45  |...D CKFDENECFDE|
00000010  46 46 43 46 47 41 41 41  41 41 41 41 41 41 41 41  |FFCFGAAAAAAAAAAA|
00000020  41 41 41 41 41 00 20 45  47 46 43 45 50 45 4f 46  |AAAAA. EGFCEPEOF|
00000030  45 43 41 43 41 43 41 43  41 43 41 43 41 43 41 43  |ECACACACACACACAC|
00000040  41 43 41 43 41 41 41 00  00 00 00 85 ff 53 4d 42  |ACACAAA......SMB|
00000050  72 00 00 00 00 18 53 c8  00 00 00 00 00 00 00 00  |r.....S.........|
00000060  00 00 00 00 00 00 ff fe  00 00 00 00 00 62 00 02  |.............b..|
00000070  50 43 20 4e 45 54 57 4f  52 4b 20 50 52 4f 47 52  |PC NETWORK PROGR|
00000080  41 4d 20 31 2e 30 00 02  4c 41 4e 4d 41 4e 31 2e  |AM 1.0..LANMAN1.|
00000090  30 00 02 57 69 6e 64 6f  77 73 20 66 6f 72 20 57  |0..Windows for W|
000000a0  6f 72 6b 67 72 6f 75 70  73 20 33 2e 31 61 00 02  |orkgroups 3.1a..|
000000b0  4c 4d 31 2e 32 58 30 30  32 00 02 4c 41 4e 4d 41  |LM1.2X002..LANMA|
000000c0  4e 32 2e 31 00 02 4e 54  20 4c 4d 20 30 2e 31 32  |N2.1..NT LM 0.12|
000000d0  00                                                |.|
000000d1

Of course, you could always pipe any output you have into hexdump. I have to say that I only really like it with the -C option, otherwise I haven't found a use for it yet.
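Going one step past hexdump, the dump above is a NetBIOS session request followed by an SMB negotiate request, and the following added example (not part of the original post) decodes it. The bytes are re-typed from the hexdump -C output; decode_nb_name and parse_capture are names chosen for this example.

```python
import struct

# Bytes re-typed from the hexdump -C output above (209 bytes, 0x00 to 0xd0).
CAPTURE = (
    b"\x81\x00\x00\x44"                            # session request, length 68
    b" CKFDENECFDEFFCFGAAAAAAAAAAAAAAAA\x00"       # called name (0x20 = 32 chars)
    b" EGFCEPEOFECACACACACACACACACACAAA\x00"       # calling name
    b"\x00\x00\x00\x85"                            # session message, length 133
    b"\xffSMB\x72\x00\x00\x00\x00\x18\x53\xc8"     # SMB header: command 0x72, flags
    + b"\x00" * 14 + b"\xff\xfe\x00\x00\x00\x00"   # signature/TID, then PID/UID/MID
    + b"\x00\x62\x00"                              # word count 0, byte count 98
    + b"\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00"
    b"\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00"
    b"\x02LANMAN2.1\x00\x02NT LM 0.12\x00"
)

def decode_nb_name(encoded):
    """Undo NetBIOS first-level encoding: two letters 'A'..'P' per byte."""
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs)

def parse_capture(data):
    """Walk NetBIOS session packets; return both names and the SMB dialects."""
    out = {"called": None, "calling": None, "dialects": []}
    pos = 0
    while pos + 4 <= len(data):
        # type, flags, 16-bit length (the 17th length bit in flags is ignored)
        ptype, _flags, length = struct.unpack_from(">BBH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        if len(body) < length:                  # truncated capture: stop cleanly
            break
        pos += 4 + length
        if ptype == 0x81 and length >= 68:      # session request: two names
            out["called"] = decode_nb_name(body[1:33])
            out["calling"] = decode_nb_name(body[35:67])
        elif ptype == 0x00 and len(body) >= 35 and body[:5] == b"\xffSMB\x72":
            start = 33 + 2 * body[32]           # skip 32-byte header + parameter words
            (count,) = struct.unpack_from("<H", body, start)
            blob = body[start + 2 : start + 2 + count]
            out["dialects"] = [d[1:].decode("ascii")
                               for d in blob.split(b"\x00") if d[:1] == b"\x02"]
    return out

if __name__ == "__main__":
    print(parse_capture(CAPTURE))
```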

Categories: IT, Tools

IP Resolution with nmap

December 7th, 2008 No comments

A question came to the nmap-dev mailing list regarding resolving IP Addresses in bulk. Doug replied with a command to do just that.  I decided that it was handy to keep around but I wanted to clean it up a little, so I turned it into this:

nmap -sL $1 2>/dev/null |
perl -ne 'print unless /^Host [\d.]+ /' |
grep 'not scanned' |
cut -d ' ' -f 2,3 |
sed -e 's/\(.*\) (\(.*\))/\2 resolves to \1/'

Which leads to output similar to this:

198.133.219.10 resolves to fed.cisco.com
198.133.219.11 resolves to asp-web-sj-1.cisco.com
198.133.219.12 resolves to asp-web-sj-2.cisco.com
198.133.219.13 resolves to fedtst.cisco.com
198.133.219.14 resolves to www.netimpactstudy.com
198.133.219.15 resolves to deployx-sj.cisco.com
198.133.219.16 resolves to contact-sj1.cisco.com
198.133.219.17 resolves to scc-sj-1.cisco.com
198.133.219.18 resolves to scc-sj-2.cisco.com
198.133.219.19 resolves to scc-sj-3.cisco.com
198.133.219.20 resolves to jmckerna-test.cisco.com
198.133.219.21 resolves to events.cisco.com
198.133.219.22 resolves to bam-prod-1.cisco.com
198.133.219.23 resolves to redirect.cisco.com
198.133.219.25 resolves to www.cisco.com
198.133.219.26 resolves to partners.cisco.com

Categories: IT, Tools

Why Netbooks ARE Good Enough

December 1st, 2008 5 comments

Michael Arrington has an interesting post over at TechCrunch. It's a post that has drawn some controversy, controversy that I wanted to add to. Michael identifies three reasons why Netbooks aren't good enough and to put it plainly... he's wrong. I purchased my netbook (ASUS EEE PC 900) for traveling. I absolutely hate lugging around a full size laptop (and on occasion, two full size laptops). It does everything I want it to and then some.

Michael had three complaints. They were:

  1. Screen Size
  2. Keyboard
  3. Processing Power

So let's take a look at each of these (btw, I'm typing this entire post on my netbook).

Screen Size

I think this is the most interesting as Michael uses a screenshot from a Mac to demonstrate what you see on a Netbook... he's simply cropped the photo.

Here's his post (with the title showing) and he's correct, you don't see a lot.

However, I can easily scroll down with my mouse. (Michael mentions that you need to use the trackpad or keyboard to scroll and that means taking your eyes off the screen... I don't know, but I can scroll with either and my eyes never leave the screen... in addition, I always travel with a physical mouse.) So here's the article if you scroll to the start of the text; more than enough is displayed at once.

Keyboard

Up next was the keyboard, which Michael describes as 80-85% of the size of a regular keyboard. This is probably true, however the comment that no adult can type on it is bullshit. I'm not a small guy, and I definitely don't have small hands, yet I can type just fine. As proof... here's an online typing test screenshot... again done on my netbook.

Processing Power

These netbooks definitely aren't loaded with processing power... but I'm not going to be running multiple virtual machines, 20 firefox tabs and a video game... I use it for email, word processing, surfing the net and occasionally a flash game. While it does slow down on certain flash games... so does my desktop. Netbooks are designed for Web 2.0... they don't need a lot of processing power because other than your browser not much will generally be happening locally.

Conclusion

In the end, netbooks are good enough... and they do exactly what they are designed to do. People may want to attach unintended labels to them and designate that they be used for tasks they weren't designed for... but that isn't the netbook's fault. I highly recommend a netbook to everyone that I talk to.

Scan-Me.org

November 28th, 2008 No comments

I shared a while back that I had decided to pick up two dedicated servers... rather than worrying about buying hardware and paying colo fees, I went with just paying fees... high fees, but fees nonetheless. I picked up one Windows machine and one Linux machine and I've been playing with them quite a bit.

One of the things I got to do was remember everything I learned in school and configure various services in a working "production" state. It's one thing to set up a piece of software to test against... it's another to configure it and lock it down to a state you're comfortable with having online.

One of the things I decided to do was to pick up an extra IP and set up nepenthes listening. I decided to register the domain scan-me.org to attach to it. The domain may seem too obvious but I figure automated tools looking at IP addresses or links to domains (required link for any bots to pick up).

I've had it listening for about a month with nepenthes 0.2.0. I attempted to upgrade to the latest svn version so that I could include the listener for MS08-067 but my first attempt went rather poorly and I ended up with nothing listening. I'm back to 0.2.0 for now, however I do plan to attempt another upgrade in the near future.

I'm hoping mentioning the domain here will increase the number of scans and quantity of traffic that it sees (anyone who wants to, feel free to repost the address), as I've seen limited samples coming in so far. However, those samples do make for some fun nights (I suppose I have an odd definition of fun).

Anyways... I just wanted to share that I had nepenthes running and get a blog post out with the domain mentioned. In the upcoming weeks I hope to post some write-ups related to the samples I'm seeing.

Go Software! KiTTY and Komodo Edit

November 8th, 2008 No comments

Odd Title... but it's 3:30am.

The first thing I wanted to mention was KiTTY (via /dev/random). It's a fork of PuTTY, which is nice given PuTTY is on a rather slow development cycle, and new features are almost non-existent. Some of the features include folders within the saved sessions box (although not implemented as "friendly" as they could be), transparency (this didn't work for me), login scripts (also didn't work for me) and integrated scp support. The features list is actually quite a bit longer than that; feel free to read it on the KiTTY website. As mentioned, a number of the features didn't work for me. I'm going to give it a try on a second computer before I rule it out, but I wanted to mention it now. A second bad experience would most likely lead to me never using it or mentioning it here, and it may work wonderfully for others.

The second thing I wanted to mention is that Komodo Edit 5.0 (the free version of Komodo IDE) is now available. Some of the biggest things are limited to Komodo IDE unfortunately, such as Source Code Checkout capabilities and the ability to "beautify" your code. It does provide some UI clean-up and an update to Firefox 3.0 in the Edit version though.

One of the problems that I had was that my favourite plugin, Sourcetree ended up attached to the left pane instead of the right pane, which is very unnatural to me. It took me a couple of hours, but I dove into plugins for the first time, opening the jar file and pulling out the javascript. After I tracked down the name of the two panes online (not easily documented), I was able to modify the code and re-archive it. If anyone wants a step by step, or just my modified file, let me know.

Categories: IT, Tools

NoScript Force SSL

October 20th, 2008 2 comments

I've always commented that I'm not a big fan of NoScript... I find browsing "modern" websites to be almost impossible with the plugin installed. For this reason, I don't know how popular it is with "the masses". That being said, I use it because a hindrance is better than a gaping security hole.

However, I've now found what I feel to be the best feature in NoScript: the ability to force HTTPS. Sites like LinkedIn have always had issues with providing adequate HTTPS support. There are other sites that are HTTPS only, yet don't redirect HTTP to HTTPS. I've always found these issues to be frustrating. NoScript has solved these problems.

I've inserted a number of common websites I visit into the force HTTPS dialog and now, even if they have flaky HTTPS support that pushes you to HTTP on every request, I'm always using HTTPS. If I manually type in an address for a site that's configured only for HTTPS, NoScript forces the connection over to HTTPS and I no longer curse and go to the address bar to add the 's'.

This is an amazing feature and has greatly increased the value of NoScript in my eyes. Given that this isn't the core focus of the plugin, it's probably the single greatest addition that could have occurred.

Update

Marcin just pointed out that LinkedIn public profiles don't exist over HTTPS (treguly (http) works, treguly (https) doesn't)

To resolve this, simply add www.linkedin.com/in/ to the "never force https connections" portion of NoScript.

Categories: IT, Security, Tools

Why I Changed Feed Aggregators

October 13th, 2008 7 comments

For the longest time I've been using Bloglines to read RSS feeds. I've used standalone readers in the past (NewsFox and Viigo) but I've found that there's no way to sync them (I read feeds on 3-4 computers, as well as my phone) and that was a real problem for me. Bloglines is very clean and fast. It's easy to use and works well when I'm on my phone. However more and more I've been noticing it "down for maintenance", and I've noticed others use Google Reader so I decided to give it a go.

I exported my feeds from Bloglines and imported them into Google Reader. I noticed right away that the layout was familiar (since it was similar to GMail), however I would prefer if I could have subscriptions at the top of the left pane, with Home, Trends, etc. below them. As I browsed, I noticed that there were a few other annoyances. One of the things I enjoy about Bloglines is that if I don't want to read a certain feed, I can simply click on it as I work my way through new feeds. With Google Reader, if you don't visit the article, it isn't actually marked as read. While technically more accurate, it's not what I'm accustomed to, and unfortunately there isn't a setting to change this. The other annoying issue was related to Google Reader on my Blackberry... instead of being able to browse based on subscription, the items from the feeds are grouped together and displayed chronologically. This is horrid design compared to Bloglines' mobile solution, however I'm finding I can live with the pain in order to have the standard Google Reader UI.

The thing that finally won me over to Google Reader is shortcut keys. I love keyboard shortcuts. The less often I have to use the mouse, the better and Google Reader is great for that. g + u and then you can type the name of the feed you want to read. Even better though is for when I'm browsing my feeds. I can use Shift+n (down) or Shift+p (up) to scroll through my subscription list, Shift+o will open that subscription and then n (down) or p (up) will let me scroll through items in that feed, using enter to open/close the items. It is extraordinarily handy and I highly recommend it to anyone that hasn't tried it yet.

SecTor Goodies

October 7th, 2008 No comments

So I spent today in training @ SecTor. I attended HD Moore's Metasploit training and rather enjoyed myself... I picked up a couple of things that I'd been previously unaware of. Since I was already onsite, I took advantage of the open registration booth and picked up my SecTor goodies.

Instead of the cooler bag (last year's very cool SecTor registration goodie), there's a rather nice tote with the SecTor logo on it. Inside the bag was the usual advertising literature, a nice Leed's notebook with a metal (I think) cover, with the SecTor logo, and a pen and BlackBerry screen cleaner.

The badges are quite nice... given that the program includes a picture of the DefCon badge, I imagine they were trying to go with something along those lines. Rather than the hard plastic, "corners will cut you when you attempt to touch it" badge of last year, the badge this year is rather cool. There's a USB cable enclosed on the back of the badge and when you connect it, you find that it's a 1GB storage device. Definitely a step up.

I took pictures to attach, but I'm getting an error, so I won't be uploading them tonight... I'll try again tomorrow.

Now given that it's 2AM and I'm meeting people for breakfast in 5.5 hours, I should probably grab some sleep... but on that note... The program this year doesn't mention a breakfast, so some of us are meeting at Cora's on Spadina (not far from the MTCC) at 7:30 if anyone happens to read this between now and then and wants to join us.

Categories: IT, Reviews, Security