Public Soliloquy

What is a curmudgeon?

2011-05-27T05:57:00.000-07:00

"A Curmudgeonly Reply to an Anti-Curmudgeon Rant"

"At some point, a curmudgeon may be born; but only if the person still genuinely cares in some fashion." -jericho (attrition.org)

I was going to say something nice about this quote via twitter but after reading it 10 or 15 times started to realize the wider implications couldn’t be summarized within 140 characters. So, here goes...

I was struck by the vulnerability in that statement. It says that one becomes bitter (a curmudgeon) toward something for as long as they still care about it. The state of being a curmudgeon is really one of a cynic boldly and resiliently expressing hope in the only way that they can. A curmudgeon is twisted, harsh, and can be damaging to those around them but their unforgiving methods could also be exactly what’s necessary to impact change.

Those words have far reaching implications much beyond the security industry. It has reminded me of many things about human nature and complacency. Thanks for this.

Metasploit Class Videos posted

2010-05-13T06:59:00.000-07:00

Thanks again Adrian "Irongeek" Crenshaw for arranging this. It was great!

Email from Irongeek:
----------------
In case you missed something, wish to review, or could not make it, here are the videos from the Metasploit class we held last Saturday:

http://www.irongeek.com/i.php?page=videos/metasploit-class

After cutting out the stops, it's about 4hrs long.

Thanks to David "ReL1K" Kennedy, Martin "PureHate" Bos, Elliott "Nullthreat" Cutright, Pwrcycle for teaching.
--------------------

Indiana Cyber Security Conference

2010-05-12T18:14:00.000-07:00

Today I attended the Indiana Cyber Security Conference in Indianapolis. Upon seeing the agenda several weeks ago I was impressed that the participating local organizations were able to garner such an impressive list of speakers: Eugene Spafford, Howard Schmidt, and Dan McWhorter to name a few.

While much of the day was spent beating the same old dead horses - APT, China, overall doom-n-gloom, there were several points that caught my attention that I would like to relate here.

Howard Schmidt mentioned .gov’s desire to increase transparency for the private sector. It was refreshing to come away thinking that gov is finally starting to realize that setting on information doesn’t help those of us manning the front lines. It will be interesting to see how this unfolds.

Mr. Schmidt also mentioned the need for “trusted internet connections” and to collapse disparate endnotes into a smaller number of more manageable connections. I’m a little unclear if this extends to both gov and ISPs. The overall idea reinforced by this is one that I too share: the more complex a system, the more difficult it is to secure.

Mr. Schmidt also talked about something called “CyberScope.” I quick search turned up: “Ultimately CyberScope will result in a “cybersecurity dashboard,” not unlike the IT Dashboard (it.usaspending.gov) that currently tracks federal spending on IT projects.”
Read more here: http://csis.org/blog/fisma-cyberscope-and-federal-it-security

Dan McWhorter of Mandiant discussed his experiences in incident response. He said that attackers have a hierarchical structure much like we see in normal business with higher valued targets being assigned to teams with more competence. I had always assumed attacker organizational sophistication was increasing, but having no direct exposure to large scale incident response I had no idea as to what level it had grown. He reviewed a case study covering an attack where data was being exfiltrated that I found immensely interesting.

He also said that company’s need to redefine the “win.” I find this of particular interest being employed by a medium sized business that has never seen a large scale breach. Because of that lack of exposure when it eventually occurs management can react unpredictably because their definition of a win differs from reality.

Overall, it was an informative day. Thanks to all the organizers and sponsors.

2010-05-12T08:36:00.001-07:00

Today I am attending the Indiana Cyber Security Conference being held downtown at Indiana government center south. I'll recap the material tonight.

Louisville Metro Metasploit #sploit502

2010-05-08T16:41:00.000-07:00

Thanks to all who contributed to today's Metasploit class in Louisville.

David "ReL1K" Kennedy http://www.secmaniac.com/
Martin "PureHate" Bos http://tools.question-defense.com
Elliott "Nullthreat" Cutright http://twitter.com/Nullthreat
pwrcycle http://twitter.com/pwrcycle
Adrian "Irongeek" Crenshaw http://irongeek.com

I had a great time and learned a lot. I'll have plenty of new material to digest and read up on over the coming weeks.

OSSEC autoshun script

2010-05-01T17:17:00.000-07:00

Greetings!

I recently found a decent IP blacklist. Having spent quite a lot of time working with OSSEC recently, I thought it only fitting to use OSSEC to automagically block attackers based on the blacklist. I've had the "autoshun" rules in place for a couple of months with great success.

The script below creates ~900 rules in a file called shunlist.xml. All you have to do is add that xml file to your list of rules and a cron job to run this script and you should be set.

The validation that occurs after the wget is to make sure the file is simple ascii. If it's a binary or some other nasty the script will end. Feel free to play with the two commented out lists. In my experience those lists occasionally block legit traffic thus were removed. I'm working with Daniel Cid (OSSEC creator) to make active response work with this script. I’ll update here once I get it working.

rm /var/ossec/logs/blacklists/cleaned.lst
touch /var/ossec/logs/blacklists/cleaned.lst

wget http://www.autoshun.com/files/shunlist.csv -O /var/ossec/logs/blacklists/shunlist.lst
file=$(file -ib /var/ossec/logs/blacklists/shunlist.lst)
if [ "$file" == "text/plain; charset=us-ascii" ]; then
cat /var/ossec/logs/blacklists/shunlist.lst | awk 'FNR>1' | cut -d ',' -f1 >> /var/ossec/logs/blacklists/cleaned.lst
else exit
fi

#wget http://sucuri.net/blacklist/MS-iplist.txt -O /var/ossec/logs/blacklists/shunlist2.lst
#file2=$(file -ib /var/ossec/logs/blacklists/shunlist2.lst)
#if [ "$file2" == "text/plain; charset=us-ascii" ]; then
#cat /var/ossec/logs/blacklists/shunlist2.lst >> /var/ossec/logs/blacklists/cleaned.lst
#else exit
#fi

#wget https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist --no-check-certificate -O /var/ossec/logs/blacklists/shunlist3.lst
#file3=$(file -ib /var/ossec/logs/blacklists/shunlist3.lst)
#if [ "$file3" == "text/plain; charset=us-ascii" ]; then
#cat /var/ossec/logs/blacklists/shunlist3.lst | awk 'FNR>6' >> /var/ossec/logs/blacklists/cleaned.lst
#else exit
#fi

sort -u /var/ossec/logs/blacklists/cleaned.lst > /var/ossec/logs/blacklists/sorted.lst
/var/ossec/scripts/script.sh > /var/ossec/rules/shunlist.xml
/etc/init.d/ossec restart

Mod Security - OWA sanitation

2010-04-24T19:37:00.000-07:00

The post variable "destination" within OWA is vulnerable to XSS. To prevent attackers from altering this value, use the following mod security rule.

SecRule REQUEST_METHOD !POST "log,deny"
SecRule ARGS:destination "!(?:http|https)://(?:outlook..com/exchange/" "log,deny,t:urlDecode,t:lowercase"
SecRule ARGS:flags "[0-9]{1,2}"
SecRule ARGS:username "[0-9a-zA-Z].{256,}"
SecRule ARGS:password ".{256,}"
SecRule ARGS:SubmitCreds "!Log.On"
SecRule ARGS:trusted "!(0|4)"

mod security - block php requests

2010-03-07T19:44:00.000-08:00

Tired of scanners requesting php from your non-php site? Block them with this simple mod security entry:

SecRule REQUEST_URI "php$" "phase:2,deny,status:404"

Critical Firefox Vuln Part 2

2009-07-17T10:21:00.000-07:00

I needed to undo the previous post and only deploy firefox to those that already have it.

-----------------------------------------------------------------------------
update.bat

@ECHO OFF

if exist "C:\Program Files\Mozilla Firefox\firefox.exe" GOTO installed
if errorlevel 1 GOTO END

:installed
type "C:\Program Files\Mozilla Firefox\install.log"|findstr 3.5.1
if errorlevel 1 GOTO update

GOTO END

:update
cls
"Firefox Setup 3.5.1.exe" -ms
for /f %%a in ('dir /B "%APPDATA%\Mozilla\firefox\Profiles\*.default"') do rm "%APPDATA%\Mozilla\firefox\Profiles\%%a\user.js"
:END

Critical JavaScript vulnerability in Firefox 3.5

2009-07-14T13:46:00.000-07:00

I just finished writing a batch file and user.js file to mitigate yesterday's Firefox vuln. I didn't see where one had been previously written.

-------------------------------------------------------------------

firefox.bat

for /f %%a in ('dir /B "%APPDATA%\Mozilla\firefox\Profiles\*.default"') do xcopy /y user.js "%APPDATA%\Mozilla\firefox\Profiles\"%%a

-------------------------------------------------------------------

You will need to put the user.js file somewhere accessible and change the path for the xcopy accordingly. The batch file also assumes that your users don't already have a user.js file. If they do it'll be overwritten.

MUAHAHAH! *ahem*

OHH! Why the FOR loop? Well, because Ed Skoudis is my hero and because I dunno how many uniquely named folders exist within my users profile directories.

-------------------------------------------------------------------
user.js

//Firefox 3.5’s Just-in-time (JIT) JavaScript Vulnerability - 7.14.09
user_pref("javascript.options.jit.content", false);

-------------------------------------------------------------------

I've not tested this too much yet so don't blame me if your clients can't access lolcats anymore after applying the change. Also once Mozilla fixes this issue you'll need to switch it back.

ShmooCon 2007

2007-03-29T04:18:00.000-07:00

Landon over at Digital Bond wrote a great post about ShmooCon this year and since I still haven't had time to write my own, I'll just hijack his.

Thanks Landon! See ya at the next IndySec meeting! ;)

Spam

2007-03-28T06:27:00.001-07:00

"He said, "congress hasn't passed anything making spam illegal." I said, "Congress hasn't passed anything requiring the rest of the planet accept your traffic either."

Louisiana: SS numbers accessed

2007-03-28T06:17:00.000-07:00

'These files were previously secure,' Aguillard said..."

..."previously" apparently meaning "before our web server was booted up". Obviously the site did not require a password before allowing a web session to 'violate' or 'infiltrate' the records containing the SSNs of the school employees. Which directives to use in HTML to turn away
web crawlers has been well known to qualified webmasters for years, so that's no excuse either...not that the web crawler should have been able to access employee data without authenticating in the first place.

Just another example of careless "stewardship" of people's private information? It goes beyond carelessness when you deliberately put private information on the Web and then don't protect it.

This sort of blunder becomes more unforgiveable every day, but we have no law under which these willful privacy violations can be prosecuted - until someone's already been harmed. I'm too discouraged to even rant on about this stuff anymore. Our country does not take privacy
seriously and apparently has no will to do so in the future either.

-------------------------------------------------------------

http://www.iberianet.com/articles/2007/03/27/news/news/news15.txt

Rosters containing information, including Social Security numbers, of about 380 St. Mary Parish public school employees were accessed March 19 by a Yahoo! Web page search engine crawler.

St. Mary Parish schools Superintendent Donald Aguillard said the crawler violated the school district Web page by accessing a database that
stored 2002 through 2004 staff development rosters.

"These files were previously secure," Aguillard said. "Yahoo!'s new aggressive Web crawler infiltrated the public server and our technology department responded immediately to the breach in security by addressing the following: Contacting Yahoo! and demanding that our information be stricken from cached files, notified all workshop participants of the possibility that their personal information was revealed, while also contacting the Web page archiving services and demanding the removal of our cached pages."

Photos

2007-03-27T15:57:00.000-07:00

I have my photos hosted. check them out here

That server is password protected. If you're here then I've probably told you the pass at some time of another. If you don't remember drop me a message and I'll resend.

Day 1

2007-03-26T19:17:00.000-07:00

The labs began with us gathering our equipment and getting assigned to our future teams. I was first assigned to the Firewall/Intrusion Detection System team that was responsible for setting up and configuring a Cisco ASA firewall device. We updated the software on the device to the latest version and commenced configuration. We soon realized there really wasn't a need for 6 team members as it only took one guy to configure the firewall and we had two vendors present that were configuring their IDS solutions. I offered my hand to the other teams and was soon picked up by the DNS/DHCP team.

The DNS/DHCP team was tasked with building those services on Linux servers using Bind 9. My specific role was to secure those servers from any access other than the specific services offered. We had two physical server devices and while one guy configured one server, I worked to secure the other and vise versa. All systems used one flavor of Linux or another, there were no Windows servers.

After both machines were configured I (along with several vendors) performed penetration testing and port scanning to verify that the systems were locked down as much as possible.

Then, after those servers were deemed secure I was tasked with doing the same on the registration server. This was the main server that housed the registration data to which attendees would be verified. I performed the same securing process on this system that I had on the pervious ones.

At around 9 pm that night after configuration and scanning was complete we called it a day.

0-Day

2007-03-21T04:24:00.000-07:00

So, today it begins...

I plan to update this blog with information as the con progresses as much for my own archival purposes as others.

ShmooCon Labs

2007-03-20T20:38:00.000-07:00

I'm in...

How to kill even more brain cells before a hacker con

So what happens when you take competing security vendors, con attendees, cutting edge security researchers, put them all in a room and ask them build an enterprise class network? No this is not the beginning of bad joke, it is Shmoocon Labs; a new addition to Shmoocon aiming to provide a very unique educational experience to all involved.

How It Works

Every year at Shmoocon we put a ton of work into the design and setup of our conference network. This year our NOC team is opening up this project as a pre conference event. As a participant you will get hands on time implementing cutting edge security tools in a real world environment. As a vendor you will get a chance to implement your gear in an untrusted, potentially hostile environment of 1000+ hackers.

This is not your normal vendor dog and pony show. We are building a network that needs to be up and running in time for the conference so be prepared to jump in the fire. During Shmoocon various aspects of the network will be made available for attendees to hack on and all vendors should expect their products to get looked over with a fine tooth comb or a 20 pound hammer.

Shmoocon labs will run for the day and half prior to the start of Shmoocon. Shmoocon starts in earnest on the afternoon of March 23rd. The labs will start at the crack of dawn on the 22nd and have 32 hours to get the network up and running.

The Network

We are open to implementing almost anything network and security related, some things we plan on implementing are:

802.11 network access
High availability firewalls
VoIP implementation and security
Intrusion detection and intrusion prevention
Wireless intrusion detection
Network access control
Network and host monitoring
Centralized logging
Traffic analyzers
Vulnerability assessment

Keep in mind this network will be in production so as a vendor if you cannot get your products playing nicely on the network we wont hold any punches about keeping it off network.

Registration

Registration is open to conference attendees but we are limiting attendance to 30 people. Also, note that there will be a $50 charge to help us There are no hard and steadfast prerequisites, however we expect this event to be best suited towards people with background as Network Engineers, System Adminisrators and Security Engineers. We are looking for individuals who either are experts in one of the areas outlined above or people that are interested in learning more through hands on design, configuration, and deploying of these technologies.

This is not a "first come, first served" event... rather we are trying to find the right mix of individuals to make the network usable and help as many people learn from this process as possible. There is an application process for attending. If you are interested in attending, please send the following information to shmooconlabs@shmoocon.org:

Summary of work/academic experience
Why you are interested in attending the labs
If you feel you are able to serve as a lead in one of the technology areas
If you are able to show up a day early to help stage the lab

In order to cover our costs of running the lab, there will be a $50 fee for each attendee. This basically will pay for space, food, and incidentals (zipties, cables, etc).

On Feb 15th, we will finalize the attendee list for the labs. If you have any question please email shmooconlabs@shmoocon.org.

First post

2006-10-31T09:14:00.000-08:00