How Important is an IP Address?

There's an interesting post on VitalSecurity.org by paperghost. He's talking about a feature in Gmail that lets you see the IP addresses of all sessions logged into your Gmail account and even sign out all other sessions. He raises two interesting thoughts in the article: that there's now a privacy concern if an attacker is in your account, and that password-protecting this information may be a valid countermeasure. The second thought is dismissed in the same sentence on the basis that the attacker already has the password; however, if you're the victim of sidejacking (a stolen session cookie rather than a stolen password), perhaps this is the perfect defense.

I want to discuss the other point... that it's time to be paranoid, throw up the proxies and worry that your IP is being stored. I wonder if your IP address is even an important piece of information these days? I'd prefer if not everyone knew my IP, but at the same time, does it matter?

We mask packet captures because quite often those contain private IPs that could reveal information on infrastructure and available resources. After all, a host named dc.example.com or exchange.example.com probably tells you its exact function. Should we worry as much about public-facing IPs?

Let's picture the attacker and the victim. The victim is likely to log in from one of four places... Work, Home, Mobile, Free Wifi. Let's take a look at each of these.

Work - The attacker has access to your email and quite possibly targeted you. This means they're likely to know where you work. A simple search on a site like ARIN Whois will tell me all the public facing IPs... Sure this may speed things up... but I'm an attacker, I've got more than enough time.

Home - How often is your home IP targeted by an individual these days? Sure it may be scanned by bots and sure you may be targeted by malware, but an individual attacker? Unless they really want something specific from you, your home IP doesn't matter to them. Even if they do want it, having it shouldn't help them: a simple home router for $39.95 from Best Buy is going to keep those open ports from facing the internet.

Mobile - Since this is probably a NAT'ed IP Address what are they going to get... your cell provider?

Free Wifi - The attacker may now know where you are located if you are out and about, but Twitter, Facebook and everything else under the sun already tells them that information.

So is an IP Address important private information these days? Maybe if you're breaking the law... but otherwise I don't think it matters.

I fully support the idea of adding password validation to the details section (perhaps even a different password than your login) but I definitely wouldn't want the feature going away... I love it.

The bigger issue will probably come when you can assign names to sessions (and have it link that IP to the session for future ease of use). If your spouse happens to log in and sees another session open and it doesn't have 'Office' next to it like your previous ones, especially after you said you were going to be working late... well, then you might have problems.
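As an added example (not code from the post or from Gmail), here is a small audit of the kind of session list that feature exposes: it labels each session's IP against networks you recognise, the way the post imagines attaching 'Office' to a session, and flags any session id seen from two different IPs, which is what a sidejacked cookie looks like from the account owner's side. The record layout and the Office/Home networks are assumptions, and the session records are constructed.

```python
"""Session-activity audit in the spirit of Gmail's account-activity panel.

Added example, not from the original post or from Gmail. The record layout
below is an assumption, not Gmail's real format.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one record per active session (session id, source IP, UTC time).
SESSION_RECORDS = [
    "sid=a1b2 ip=203.0.113.25 at=2009-07-07T09:02:11Z",
    "sid=a1b2 ip=198.51.100.7 at=2009-07-07T09:03:40Z",   # same cookie, different network
    "sid=c3d4 ip=198.51.100.7 at=2009-07-07T07:15:02Z",
    "sid=e5f6 ip=192.0.2.44 at=2009-07-07T08:50:19Z",     # matches no known network
]

# Assumed: networks the account owner recognises, mapped to the names the post
# imagines attaching to sessions ('Office', 'Home').
KNOWN_NETWORKS = {
    "Office": ipaddress.ip_network("203.0.113.0/24"),
    "Home": ipaddress.ip_network("198.51.100.7/32"),
}


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; raises ValueError on malformed input."""
    fields = dict(part.split("=", 1) for part in line.split())
    for required in ("sid", "ip", "at"):
        if required not in fields:
            raise ValueError("missing %s in %r" % (required, line))
    fields["ip"] = ipaddress.ip_address(fields["ip"])  # rejects garbage IPs
    return fields


def label_ip(ip):
    """Name the known network an IP belongs to, or 'Unknown' if none matches."""
    for name, net in KNOWN_NETWORKS.items():
        if ip in net:
            return name
    return "Unknown"


def audit_sessions(lines):
    """Return (labels, shared): a label per (session id, IP) pair, and the
    session ids that were seen from more than one IP."""
    labels = {}
    ips_by_sid = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        labels[(rec["sid"], str(rec["ip"]))] = label_ip(rec["ip"])
        ips_by_sid[rec["sid"]].add(str(rec["ip"]))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return labels, shared


def sessions_to_sign_out(lines):
    """Sessions the owner would want to end: any from an unknown network, plus
    any session id reused from two different IPs (the pattern a stolen cookie
    produces when the attacker and the owner are both using it)."""
    labels, shared = audit_sessions(lines)
    unknown = {sid for (sid, ip), name in labels.items() if name == "Unknown"}
    return sorted(unknown | set(shared))


if __name__ == "__main__":
    labels, shared = audit_sessions(SESSION_RECORDS)
    for (sid, ip), name in sorted(labels.items()):
        print("%s  %-15s %s" % (sid, ip, name))
    print("sign out:", sessions_to_sign_out(SESSION_RECORDS))
```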


Welcome to the Blogging Scene: Forage Security Inc.

I wanted to write a quick little post to let everyone know about a new blog that they should keep an eye on. The Forage Security Inc. blog contains posts from a former colleague... someone I consider to be a good friend and one of the brightest guys I know. I expect that you'll see a lot of really cool things on the blog and highly recommend adding it to your favourite feed reader ASAP.


Who Will Use Microsoft Security Essentials?

Randy Abrams (who's a great guy to share a beer with if you ever have the chance) of ESET briefly mentioned the impact that Microsoft Security Essentials (MSE) will have on the AV market in a blog post a couple of weeks ago.

A commenter mentioned that MSE meant that his father would now install AV. Randy's response was to question whether he would, given that there are already free AV offerings available.

This got me thinking about when I stopped using AV on my home systems. I was a huge AVG 6 fan; I recommended it over everything and was fairly certain it was the best AV available to the end user. Minimal footprint, good results and not intrusive. The day that AV died for me was the day AVG 7 came out. I wasn't a fan that support for my product was discontinued and that it wouldn't auto-update. I had to download the new version and install it, and I also had to register for a serial. That wasn't free anymore; I had to provide my email address to a spam database. I did indeed download and install AVG 7. It had a larger footprint and I noticed an increase in spam (this could be coincidence, but I don't believe in coincidences). I uninstalled it less than two weeks after installing it and decided to go without AV.

It was at this point that the real problem occurred to me. I had set up the computers of many of my family members and on every one I'd installed AVG and set it to auto-update. They were now without AV protection. I wasn't in the same city as many of them, so I had to walk them through the upgrade on the phone (a very painful process for anyone who's ever tried it).

Why does this story matter? If there's one thing that Microsoft is good at... it's pushing updates. I, for one, will install MSE on the systems of all my family members that ask for assistance and recommend it to anyone that asks for a good, free AV solution. I may even recommend it to those willing to pay (I've always found most of the other offers in commercial AntiMalware suites to be unnecessary) if I have a good experience using it. I know that as long as the software exists they will have updates and ease of use (Microsoft is good at both in my opinion).

So in the end I actually think that MSE will steal a large chunk of the AV market; however, they'll steal it from the other free vendors (AVG, Avast, etc.)... the commercial vendors won't have to worry for a long, long time.

Terminology Woes

Tonight I started thinking that one of the biggest problems affecting IT today is the lack of a clearly defined terminology (both terms and acronyms). Sure, certain things have been standardized (CPE comes to mind as a great example), but generally terms are not common across the board. Let's consider a few examples.

VM - Do I mean Vulnerability Management or Virtual Machine? Depending on the industry it could mean either or both.
FP - Do I mean Fingerprint or False Positive? Again, the industry dictates the meaning or both meanings.

There was a period of time when people referred to Cross Site Scripting as CSS... occasionally I still see it in places. How about RE? I'm sitting here looking at the spine of 'Reverse Engineering Code with IDA Pro'. The spine says 'RE Code with IDA Pro', but RE commonly refers to regular expressions as well. The list goes on and on, and I think it is a problem that hurts us across the industry. Now, miscommunication may not occur because there's generally context around the term, but it can happen. I think the bigger issue is misrepresentation outside of the industry. This could be outside of IT, or could be between disciplines within IT.

Take, for example, this blog post on the SecuriTeam blog. The title is 'Mysql authentication bypass'. I was rather excited when I saw the title in my feed reader; I thought that someone had found a way to bypass authentication and access the MySQL database directly. It turns out this wasn't the case. Instead it was talking about a method of SQL Injection that will bypass many filters/IDS and works only against MySQL, and it was also a discussion that was 6 months old. A comment pointed out that this wasn't a MySQL Authentication Bypass and I tend to agree; the author disagreed in the comments.

As I see it, an Authentication Bypass is when you are bypassing the authentication process of a piece of software or a website. Prefixing it with MySQL leads me to believe we are bypassing the authentication process in mysqld. SQL Injection is so much more than simply bypassing authentication, and at the same time bypassing a filter/IDS is so much less than SQL Injection. The author of the blog post was fairly insistent that he'd titled the blog post properly, yet I think this is a prime example of terminology failing us.

Is there a way for us to work around this issue, or will it always exist?


Gmail Labs' Reply-to-All

I don't know about everyone else, but I tend to hit 'Reply to All' much more frequently than just Reply. So when the Gmail Labs feature to make 'Reply to All' the default became available, I was rather excited. It isn't much (a simple click on a drop down), but it made life more convenient and I rather enjoyed it. The other day I replied to an email intended for 4 people and realized that I'd sent it only to the person who sent the last email in the thread. Confused, I went back into the thread and replied again; only this time did I realize that Reply was the default and not 'Reply to All'.

I searched Labs and discovered that the feature was gone; after some Googling I came across this link. It contains a very minimal comment stating that it was removed because it was causing issues for people who had enabled it, followed by a series of responses requesting the feature be brought back. Obviously it was working for a number of people, myself included.

Now, I can accept that in my lifetime the beta tag on my Gmail may never disappear, and I can accept that adding a Labs feature may break my "Gmail experience". What I don't get is how a feature from Labs could be pulled because it's causing some people a bad user experience. Perhaps those people just shouldn't use it. Let those of us that want to take the risk run the alpha release (after all, if Gmail is beta, Labs can only really be considered alpha). I assumed risk when I enabled the feature, I've accepted that... those people who are having issues also assumed risk... let them suffer on their own.

Anyways, this post had two purposes... the first was to inform anyone who hadn't yet noticed that their "Reply to All" feature was gone, and the second was to rant about an alpha feature being pulled.


What is InfoSec?

When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes:

  • Software Engineer
  • Software Developer
  • Security Engineer
  • Support Specialist
  • Research Engineer
  • Network Admin
  • System Admin

The list goes on and on. Historically, I've divided those within IT into one of four groups:

  • Developer
  • Information Security (IS) Professional
  • Information Technology (IT) Professional
  • Web Developer

These days Web Developer could probably be folded into Developer since there's so much beyond simple HTML used to build web sites. That leaves us with Developer, IS Pro, and IT Pro. I tend to think that is a fairly reasonable distinction at a high level, with one caveat: IS isn't really on the same level as the other two. Most people that you talk to have experience in either IT or Development when they move into IS. IS is a skillset that's built onto one of those two. Let's look at this another way...

Imagine this is an RPG and you're a Level 1 IT Worker. You can choose the abilities you upgrade, and they include "Programming", "Router Config", "OSI Model", etc. The level-ups for these may include "C++", "Java", "Routing Protocols", "Routed Protocols". This means you could follow the path of IT Pro, Developer or "Jack of all Trades". It isn't until you reach one of these levels that you unlock the next round of abilities (the IS skills), which may include "Packet Analysis" (requires Routing and Routed Protocols) and "Binary Analysis" (requires "Programming" + 1 Level Up). Only at that point do you move to "IS Pro".

You're probably saying to yourself, "WTF is he talking about?" After all, I'm reading this and thinking that. What I'm talking about is this blog post, 'what do you need to know to work in infosec'. To put it plainly, the list is wrong. Well, the list isn't wrong, the list is correct, but the title is wrong. With the exception of one or two items, this list reads more like a "what do you need to know to be a sysadmin" or "what do you need to know to work at a helpdesk".

Now as I said, IT is a stepping stone to IS, so yes, at one point or another you probably learned many of these if you now work in IS, but these aren't the things you need to know to work in IS, these are the things you need to know to work in IT.

So let's take a look at the 'What you need to know...' list and figure out where the line items fit. If we take the ones you really need to know to work in IS we've got maybe 5-7 items (1, 11, 14, 15, 17, 18 and 19) - I'll let you decide if it's some or all. Let's think about some of the others. Numbers 2-5 are all networking related; I know people in IS who've never touched them. Now, as a network admin or member of the network group (which would fall under IT) these would be important skills. With numbers 6-9, we're looking at a sysadmin or help desk employee (again, positions I'd consider to be IT related). Now 10, 12, 13, and 16. These could be argued a few ways, but I'm going to call them help desk or support type things and bundle that up into the IT category.

So what's my point? To state that I disagree with a definition of infosec that "needs" all those abilities. Then again, people may even disagree with the 5-7 I felt could be kept. In the end that list is a great list if you want to go get the title of Network Admin or Sys Admin, or even in some cases Security Admin. But even then, working in an enterprise security group where you may deal with all those tasks (it seems doubtful that you'd rely on the security team to install software, though) is one very small aspect of infosec.


MySQLdb in Cygwin

I use Windows XP on all of my 4 primary machines (work, work, laptop & home). The only reason I like Windows XP is because it holds PuTTY windows so nicely and allows me to Alt-Tab between them. No Linux distro or Window Manager has ever really had the Alt-Tab experience that Windows XP provides.


The main problem with XP is that to do anything remotely useful with it you need a decent terminal/shell. I love rxvt/bash, and the best rxvt you can find for Windows is via Cygwin. Out of the box Cygwin is an ugly brute - bash in cmd.exe != a real term.


Install rxvt via Cygwin, then add the Consolas fonts (from Windows Vista) and edit your .Xdefaults to get a much nicer term.


Download a sadistic editor. Drop in a beautiful colour-scheme (brookstream). You now have a sweet shell and editor.


Install Python via Cygwin and away you go.

Perfection?

I was attempting to connect to a remote MySQL DB when my sweet setup failed me.

Nothing in Cygwin's repository could help -- there is basically no support in Cygwin for MySQL (odd). There is tons of support for Python and Postgres, so this MySQL FAIL surprised me.

After an entire morning of Googling, it turns out the people at Cygwin Ports have solved this problem. For the sake of your sanity, follow these simple steps to get Cygwin + Python + MySQL working.

  1. Follow the steps above to create a sweet Cygwin development environment.
  2. Follow the overly convoluted steps to enable Cygwin Ports in your setup.exe.
  3. Install the package "python-mysql", including the crucial dependency "libmysqlclient-devel".
  4. Test your setup.


Rejoice?

This process has saved you the experience of Python eggs, installing gcc, and compiling anything from source, and best of all it just works.

Enjoy!

- Graver

One last note - if you have ever found a slick PNG that you wanted as an ICO (for Windows XP) check out this online converter site!


Vendor Snakeoil

One of the coolest booth prizes at RSA had to be from an appliance builder that was having a draw for a free prototype appliance ($2000 value). Thinking this would be an awesome win, I quickly filled out the form and placed it in the fish bowl. That was the last I heard of this until yesterday. I came into the office and had a voicemail from last week. It went something like this (close approximation):

Hi Tyler, it's Ed ******** calling from MBX Systems. I just wanted to let you know that we drew your name for the RSA drawing and it would be great if you could give us a call back to go over the details.

Now at this point I'm rather excited... I've got plans for this win. I'm thinking a ComputerDefense.org appliance installed in a rack somewhere instead of a hosted page for this blog. I call back and end up having to leave a voicemail. After a brief game of phone tag, I finally get Ed on the phone. He does some standard sales guy talk and then asks how he can meet my needs, and since I just want the free system that I won, I ask how it works. At this point I'm informed that someone else won the free prototype... I've won a free eval! W00T! Stop the presses... a FREE eval! Needless to say, the phone call quickly ended.

This was, to date, the sneakiest trick I've seen to get someone on the phone. At this point I may not be directly involved in appliance purchasing but I'm a big fan of the vendor space and who knows where I'll be in 1, 5 or even 10 years. I do, however, know who I won't be doing business with.

You know, if I'd won and their systems were half as good as their marketing material claims, I probably would have written up a blog post praising them... at the very least they would have gotten a positive mention just because I'd won it. Since I didn't win, they could have not contacted me or gone with a standard sales call, and I wouldn't have had anything bad to say about them; at least I'd know the name should I ever be in the position to purchase appliances in the future. Instead they took this sleazy approach and now I'm always going to know who I'm not doing business with.


Post-Post RSA

Note: this was going to be a series of posts following RSA, but some personal issues delayed this and now I'm posting a single post on the subject.

This was my first year at RSA, and via the wonder of blogging, I had a press pass. I also, unfortunately, had an exhibitor badge. That isn't to say I didn't want to be at the booth (I actually love being at the booth -- although, while many people walked by and loved our shirts, I wasn't a huge fan... just a huge pumpkin :) ), it just meant I had less time to use the press pass. I also didn't have a lot of time to post while at RSA, so now I'm doing my blog posts... based on a few notes and lots of foggy memories.

I have an interesting flight story to share, but I feel as though it might be better sent to The Consumerist; I'm not entirely sure yet.

Anyways, day one I met with a few interesting people. First I met with some people from Commtouch to discuss their technology and what they do. It sounded rather interesting and I look forward to testing it out at some point in the future. Following that, I met with Michael Sutton from Zscaler, whom I'd met once previously. I really enjoyed this discussion and think we'll see some really cool things out of Zscaler in the future.

I spent the morning at the nCircle booth and expected to see masses of people everywhere after hearing about the number of people last year. I later heard it discussed that there were fewer people, so that might explain it. Working the booth is something I really enjoy. Being an engineer leaves you with few chances to interact with customers, something I love doing. The booth over the three days that I was there led to some very interesting discussions with intriguing contacts.

Tuesday afternoon was spent walking the booths. A few vendors said they'd send me samples of their hardware to play with and review; however, I've had no contact from them yet. This is disappointing because I was really looking forward to seeing some of the hardware in action.

Wednesday was the day that I was really looking forward to: the Securosis breakfast, the WASC meetup and the Security Bloggers Meetup. All three of these were amazing and they gave me a chance to finally meet up with the people that I talk to and hadn't been able to connect with at past conferences. I also had the opportunity to do a video interview with Martin McKeay, which I'm eager to see... I just hope it was shot in wide screen so that Martin can fit in the frame next to me :) .

Thursday brought more of the same, with booth duty and visits to other booths. It also brought dinner at Basil Thai, which was incredible. Ever since I was in San Francisco last year, I'd looked forward to returning to eat at Chevy's (which I just learned is a chain), which I managed to do twice, but Basil Thai was even better. I'm already excited about my next trip to San Francisco just to go back.

Friday was my final day in San Francisco (I was flying back on the red-eye). Friday also held the highlight of the week -- the Mythbusters. It was incredible and my only complaint was that the moderator was too chatty.

Anyways, this is shorter than I wanted it to be, but I had to mention that I did enjoy RSA and I'm eager to attend again next year.


RSA – At the Booth with Jenko Hwong of Mirapoint

Q. What is your role at $vendor?
A. Director Product Management

Q. What got you into IT/IS?
A. started programming in 5th grade on a Commodore Pet, got an Atari 800, self-taught assembly...many yrs later studied CS and went into a startup in early client-server out of college.

Q. What do you do outside of IT/IS?
A. 6yr+4-yr old twins...Reminisce about free time. Think about education reform and getting rid of incompetent politicians.

Q. What are you most looking forward to / what did you most enjoy about RSA this year?
A. Low expectations. Most enjoyed meeting up with past colleagues.

Q. Was this your first time at RSA? Will you return?
A. 3rd or 4th. Will return.

Q. What will you be doing at your booth?
A. usual booth duty, fishing for real customers amidst the noise of vendors/partners/exhibitors.

Q. Is there any swag available at your booth?
A. yeah, come take a look. cheap stuff if you're a vendor/partner/exhibitor. Good stuff if you have budget.

Q. If people wanted to chat with you when could they stop by the booth?
A. anytime

Q. Prediction for the future of IT/IS during 2009 and into 2010?
A. Budget cuts, heavy emphasis on quick, real ROI. Small companies go away.

Q. Any comments?
