Wednesday, February 17, 2010

Who's selling APT today?

Oh the shame. I used APT in my blog. I USED A BUZZ WORD! How can I look myself in the mirror?

Who cares?

The fact is that one half of the info sec community is sick of hearing about APT and the other half is doing everything they can to sell themselves with "Advanced Persistent Threat". We have all these companies and pontificating "read my book" "super-star" security bloggers pushing their products, their services, their thoughts, their speeches, their dead trees, etc., etc., etc., until I am tired of hearing their BS as well. I mean honestly, do I need to be told to read your F'ing book every time something happens? It was written five years ago. Get new material.

What matters most is that APT is real; it may not directly impact everyone in information security, but it does impact everyone indirectly at least.

It doesn't matter if Google was full of crap with half their statements about what they will do to China next. It doesn't matter that APT uses off-the-shelf products as much as home brew, and that every idiotic, inexperienced moron with an anti-virus setup will claim that the "enemy is at the gates", or inside for that matter.

No, what matters is that it has people's attention and they start treating things like they should. Even if it's only for a little while, it's more than what you had before. The worst it can do is make your job harder. Let's face it, if your job is harder are you not still employed? I can go down to the next ISSA meeting and find someone who will trade positions with you if you feel like bitching about your job. Up to you.

There is no magic IDS system that will find APT. Even though it's claimed that you can scan a whole month's worth of traffic in just a few minutes, I highly doubt you will need to worry then. Most times they are not after the local software developer with 4 people on staff. The attackers will steal your stuff from a bigger source anyway.

There is no single firewall that will keep them out. You have to have holes to let stuff in and out. The attackers know how to find your holes and they know how to exploit them. If you think a firewall will save you, then you need to go back to 1998.

Your AV system will not always find them and clean them out. What if they are using the same tools you are? What if they popped a box that was outside the network, dumped your passwords and then crashed the hard drive? Would you even see the logs or the malware that was left there? From then on they have access to your network without using malware at all.

Scanning your logs alone will do nothing but hurt your eyes. Can you identify every single login in your network? If you can, then you probably are not a target. Can you tell every single time whether it's a user logging in and not a script? Can you identify every system the user has permission to log into? Do you have a single server that the user is assigned to? So if that user has to check out a file from another server, do they ask a local administrator to do it? We all know those local admins will NEVER elevate someone's permissions to save time.
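To make those questions concrete, here is an added example (my own, not code from the original post) that runs over a constructed logon log: it lists logins to hosts an account is not assigned to, and flags accounts whose logon times are machine-regular, which is a script or scheduled task rather than a person. The log format, the host names and the assignment table are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample, one successful logon per line: "<ISO timestamp> <user> <host>".
# This is not a real log format; adapt parse() to whatever your source emits.
SAMPLE_LOG = """\
2010-02-16T08:00:00 alice FILESRV01
2010-02-16T08:05:00 alice FILESRV01
2010-02-16T09:12:00 alice DEVBOX07
2010-02-16T00:00:00 svc_backup FILESRV01
2010-02-16T06:00:00 svc_backup FILESRV01
2010-02-16T12:00:00 svc_backup FILESRV01
2010-02-16T18:00:00 svc_backup FILESRV01
2010-02-16T10:30:00 bob DEVBOX07
2010-02-16T10:31:00 bob DC01
"""

# Assumed assignment list: the hosts each account is supposed to log into.
ASSIGNED = {
    "alice": {"FILESRV01"},
    "bob": {"DEVBOX07"},
    "svc_backup": {"FILESRV01"},
}

def parse(log_text):
    """Turn the log text into a time-sorted list of (timestamp, user, host)."""
    events = []
    for line in log_text.splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return sorted(events)

def unassigned_logins(events, assigned):
    """Logins to hosts outside the account's assigned set: the 'which servers can this user reach?' question."""
    return [(ts.isoformat(), u, h) for ts, u, h in events if h not in assigned.get(u, set())]

def scripted_accounts(events, min_events=4, max_jitter=60.0):
    """Accounts whose logon gaps are nearly constant (std dev <= max_jitter seconds): a script, not a human.
    Returns {user: mean interval in seconds}."""
    per_user = defaultdict(list)
    for ts, u, _ in events:
        per_user[u].append(ts)
    result = {}
    for u, times in per_user.items():
        if len(times) < min_events:
            continue  # too few logons to call the pattern periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            result[u] = sum(gaps) / len(gaps)
    return result
```

On the sample data this reports alice on DEVBOX07 and bob on DC01 as off-assignment logins, and svc_backup as a periodic (every six hours) account; a human with the same count of logons but irregular gaps is not flagged.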

Then there is training. How many of your users know not to open every PDF they come across? Or how about those links that get sent in? That awesome Flash video demonstrating the effectiveness of the military's new weapons? Who's responsible for checking it? Do you want that job, or should we just send the link to the "super star" security guy? He will solve all your problems.

It takes an effort on all these things and more. It's going to take an investment of time, money, people and effort. It's not going to come out of reading one guy's blog, book or sales material. It's going to take new, innovative ideas. The bad guys are thinking up new ideas all the time. They can stockpile 0-days. If Joe Snuffy finds a 0-day, do the higher-ups shrug him off as an inexperienced moron? I'm sure some of you have blown off or intimidated some lower person in the food chain regarding an idea. Maybe they told you and you dismissed it, or maybe they were too scared to tell you. Either way you may have lost out. YOU may be a "super star", but you don't know everything, and he may not have read your book. Listen and learn.

No environment is the same as another, but if you are not looking at what you have and wondering how to make it more secure: just shut off your firewall, shut off your computers, and ship the hard drives to China/Russia/Korea/wherever.

You don't have the money for gear, is your excuse? You have systems already. Virtualize. Do what you have to.

You don't have money for software? BS! There is plenty of free stuff, and if not, there are plenty of scripting languages to learn that can help you.

You don't have the experience? How the hell did you get that job to begin with? Pick up some books, ask some friends, join some social network sites. Don't put your company info out there, but absorb everything you can.

Wednesday, November 25, 2009

Acer Aspire One D250 Windows recovery

I thought I would be smart and throw Ubuntu on my netbook as soon as I got it. While not being a big fan of Ubuntu, my preferred option of Arch Linux had some issues with the D250 that I didn't want to resolve right away. So I loaded up a spare USB stick with Ubuntu and created a dual-boot system.

Fortunately I was smart enough to leave the recovery partition alone.

I tried out Ubuntu 9.04 and found that I really just didn't care for the feel of it on the netbook. I have it loaded on a laptop and it works fine, but on the netbook it never "felt" right. So now comes the tricky part. How do I remove it without a CD drive? How do I get the system back online? First off, don't boot into the recovery partition. That will screw up GRUB and you will have to reinstall it to get it to work. (I did, and I'll include those instructions later.)

Boot into your Windows load and download Partition Wizard from http://www.partitionwizard.com/ . There are others out there that are similar, but this one is FREE as in beer and does the job quite well.

Use Partition Wizard to change the partition type of the recovery partition to NTFS. Mount the drive and then run the MBR recovery program. Many times it will have MBR in the filename, but mine did not. This will remove GRUB and put the Acer MBR back on the system. Just remember to change the partition type back to the Compaq type afterwards, so that you don't accidentally overwrite your recovery partition.

I've since purchased Windows 7 and installed that. I don't know if it's everything that Micro$oft claims it to be, but I do like it better than Vista. Vista just plain sucked. It has a lot of the look and feel of Vista, but it works.

Wednesday, September 9, 2009

Volatility

So the group I am working with is more fledgling than we would like to be. Granted, I work with some really brilliant folks. They honestly make me feel stupid with the amount of knowledge they have, but one thing we are lacking is a good memory analysis technique. We spend countless hours poring through the process dumps off of a box and then I'm not sure that it does any good. Let's face it, after multiple hours of looking at useless lines of code/commands/garbage you may miss the important stuff. Fortunately we always have an idea of what we are looking for. When will our luck run out?

So I have been looking at Volatility. I'm impressed and I'm disappointed.

The first disappointment that I have is with the connections command. I've dealt with numerous pieces of malware that beacon, establish a connection as needed and then drop off, only connecting again if the beacon returns a specific reply. Such malware doesn't keep a connection established, nor does it listen on a port. I've found no way for Volatility to give me information on any connection attempts or IPs that the malware is trying to talk to on an irregular basis.

The second disappointment is that I haven't found a way to find any commands issued to a program. Many times memory will retain the list of commands, and at times the passwords to specific encryption that were typed from a terminal and executed on the software. It would be very helpful if there were a way for Volatility to gather this information, and to show which commands were executed on which pieces of malware. Now this becomes an issue with privacy. Not sure how to get around that.

Now what impresses me is the amount of information that you can recover from memory by issuing a few commands. Many of the items that you would usually need SysInternals for you can now get from memory. Many times if there is a rootkit or a hidden piece of malware, then you won't get any return from the SysInternals tools.

Example: there are ways to configure a secondary route, possibly for VPN subversion or just a forced route to a malicious site. SysInternals does not always show this. Using Volatility you have a possibility of pulling this information back. Does it always? No. This is why it's not always best to just rely on this tool to do the work for you.

It definitely has potential and I'll continue to watch, but I can't rely on it just yet.

Wednesday, September 2, 2009

Certifications in IT and Security specifically

Over the past 10 years, or maybe a little less, I have held a handful of different certifications. I only place CISSP on my business cards and email block simply for the fact that it's considered the "Number One" security certification and lends a little credibility with those people who are not familiar. Let's face it, how many times have you had to talk to someone and they act like you are the most incompetent person because you tell them they need to fix something? Having a little credibility helps... a little.

That being said I was listening to a podcast this morning on my drive to work and the speaker made a joke out of "at least he's not a CISSP". Interesting. Is it he's not a CISSP because he doesn't want to be? Or is it he's not a CISSP because he hasn't taken the test?

I know there are plenty of people who hold their certifications like some badge that suddenly gives them access to all the knowledge that could possibly be possessed. I am truly ashamed to be grouped with those people.

By the same token, there are tons of people who are jealous of those who are certified, or scared to take the test, and make every effort to mock the people who were successful enough to pass it. After I passed my CISSP I told some people who were genuinely interested in my results. One of them decided to announce it to the office. Interestingly enough, out of the blue someone walked up to me and stated "just because you have the CISSP doesn't mean you know anything". At no point have I declared "I am supreme commander of all security knowledge", but I was a challenge to this person and was basically told where my place was.

When I was a more junior network engineer I completed my CCNA and CCDA and started on my CCNP. I was only about 3 years into working with Cisco, but I considered myself decent for what I had accomplished. After passing my first CCNP exam a project manager approached me and told me "congrats, now we just need to get you some skill to go with the certifications". At the time I was the only one on the team who could spell Cisco, but I had rubbed this guy the wrong way, and it was later proven in a court case (that I wasn't involved in) that this man had some 'racial' issues. However, it definitely put a chip in my confidence. I passed one more and never advanced any further.

The reason I go for certifications is plain and simple: my own personal challenge. If I have to study, say, EnCase (my current project), then why shouldn't I attempt the EnCE? It's not to rub it in someone's face. I'm currently the most versed person on EnCase in my office. So what does it accomplish? Nothing but my own personal satisfaction. I can put it on my resume. It may give someone who asks my advice a little confidence in my answer, but it doesn't prove I have the right to hold my nose in the air and piss in someone's grapenuts. I can do that without a cert. It just means I know enough to pass the test and can retain the information I have read/heard/learned.

With all that being said, a certification means as much as anything else. I know people with EE degrees, Masters and a couple of borderline PhDs that are complete and utter morons. I know people who haven't finished 9th grade who are sharper than most Doctors.

So if you know of someone that is studying for a certification, do one of two things: help them/support them, or shut the hell up. If it isn't worth anything, let the market decide. If it's on DoD 8570.1 it will only help them find a job. If they pass and get a big head on their shoulders, give them a difficult task. If they complete it well, again, shut the hell up or prove you're better. If they fail, explain why they failed, show them how much they have to learn and help them learn it.

So to summarize: if you are not helping someone advance their knowledge, but only complaining about someone else's achievements, you're the problem. Not the certification. If you don't want to take the test, fine. I don't judge on what alphabet soup you have behind your name. But if you only look better when someone else falls on their face, perhaps you're the reason IT is beginning to look more like the office politics that everyone goes into IT to avoid.