Wednesday, November 25

Readability

I don't remember exactly where I got this from, but I've been using it a lot lately to look at websites.  Since ad space and other random Flash or movement-based ads on web pages are apparently now the norm, making the content of a page impossible to read without distraction, someone made this.  It's called the Readability Experiment.  You go to this website, configure the setup how you want, and then drag the bookmarklet to your bookmark bar.

Next time you are on a webpage that looks something like this:



Let's see, we have a header (with an ad in it!), two ads below the header, an ad on the right, and a footer bar.  (I just randomly picked CNET, because I know their stuff is laced with ads.)  I mash my set-up bookmarklet... and voilà, I get this:




The actual content.



Please leave comments below.



Great Desktop Wallpaper for those of you that hate clutter.

This is an absolutely phenomenal desktop wallpaper for those of you that hate clutter.  So, if you are one of those kinds of people (re: me) that can't stand icons on your desktop and the like... this one is for you.  Posting the link over to Merlin Mann's blog, where the awesomeness takes place.

http://www.kungfugrippe.com/post/229188592/simple-desktop-download

It simply states "Quit fiddling with your desktop, Nerd" on a black background.  Reminding you to get back to work.



Tuesday, November 24


Applying "Getting Things Done" to IPSs

Getting Things Done, or "GTD" for short, as I've blogged about before, several times, is a method of personal organization with a focus on accomplishing tasks.  It's great for applying to email (Inbox Zero) and it's great for organization of your personal life (read some of the articles I've written before, particularly this one).

Some IDS and IPS courses and teachers will tell you to turn on everything and log everything, because that's the only way you'll find anything.  I don't disagree with that, but there are several problems with this philosophy: design, bandwidth, dropped packets, time, money, and performance, just to name a few.  Plus, who wants to sit there and look at everything?  Most IDS analysts I know are just trying to keep their heads above water.  They want to figure out a better way to deal with the information that is coming in, not increase the amount of information coming in.  Some people have this same problem with email, which is why I am such an advocate of Inbox Zero and GTD for learning to deal with the increased amount of information we are being subjected to.

What if we took this same philosophy to IDS/IPS?  While this can primarily work with a Snort based device, such as Sourcefire, it can work with about anything.

Step One:  Turn everything off.
Yup.  Just as a test, create a new IPS policy and turn everything off, if you can.  (If you can't, just move on to Step Two.)  The focus of this exercise is to turn on only what is relevant to you, so that's what we are going to do: reset expectations.

Step Two:  Use RNA
(If you don't have RNA, you can obviously skip this step, but read it anyway so that you know what you are missing.)  Go to your new policy and use the RNA Recommended Rules configuration to tie the IPS policy to a certain sensor or series of sensors.  RNA Recommended Rules takes the vulnerabilities that RNA has detected in real time (or that it received via the Host API, or from Qualys, Nessus, Nmap...) and uses that information to suggest what to turn on for your network.  Use R3 (RNA Recommended Rules) to get those recommendations and then go over them with the common sense test.  As you know, RNA tells you what you could be vulnerable to.  Your system is "guilty until proven innocent"; hopefully you can take the time to tell your system what your network is not vulnerable to, but let's leave that for another day.  Turn on the rules that are relevant to you and your network.  Don't turn on ICMP Port Unreachable.  You'll see why in Step Five.

Step Three:  Turn on any rules that are relevant.
Want to look for Spyware?  Turn on the spyware rules.  Want to look for Chat clients?  Turn on the chat rules, etc.

Step Four:  Push the policy, and wait.
Give the new policy 24 hours if you are on a slow network, or maybe just let it run over your lunch period.  Let the policy run on your network for an acceptable amount of time, you be the judge with your common sense hat.

Step Five:  Look at your alerts.
Now, go back and look at your alerts.  Time to start cleaning out.  For each event I want you to follow a flow, I want you to decide if it is an actionable alert.  Are you going to physically do something with this event?  Are you going to report it to the Desktop security people?  Are you going to block the port at the firewall?  Update the Antivirus?  What are you going to do with the event?

If you think about the next "actionable" thing you are going to do with the alert, and you decide, well, I am going to do nothing with the event, then shut the rule off.  There is no point in running a rule if you aren't going to react to its logging.  Do you allow AOL Instant Messenger on your network, and your AIM rules are alerting?  What are you going to do about it?  You allow it, right?  So you are going to do nothing?  Okay, then shut the rule off.

What if you don't want to shut off the rule, but only want to shut it off going to a particular machine?  Well, then suppress it based on IP.  What if you don't want to shut off a rule, but it's alerting too much?  Then threshold it.  My point is, do something.

Do that for all the events in the period you set in Step Four.  Do this once a day; after each pass, repush your policy, then do it again the next period.  Do this for several days.  This step, in case you haven't noticed, will need to be done every day.  With every update there will be new things for you to explore and catch.  Begin at the beginning.

Step Six:  What are you going to DO now?
Now, you have a bunch of alerts you intend to do something with.  Now, do you create trouble tickets?  Do you start working with various teams?  You get the point.

Step Seven: Now that your head is above water, you can experiment
After you have done the first six steps satisfactorily to a point where you can handle your IDS and IPS, you can deal with anything that comes in.  You have a process, now you have best practices.  Now, you can turn on rules that you are interested in.  Things that you don't (or might) have to deal with.  Things that you may have had on before but never got a chance to look at.  Rules that alert on obfuscated javascript for instance.  You can go play.

Warning:  Just a word before you start this process. Warn your coworkers and boss that you are about to become much more efficient and start filing more tickets.  Because you will.

Oh, and make backups of your policies before you make changes.  In fact, create new policies based off of your old ones and work off the new ones.
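A small triage helper for Step Five, added here as an example; it is not part of the original post and not Sourcefire or Snort tooling.  It groups Snort fast-format alerts by generator and signature ID, shows how many hits each rule produced and which hosts they involved, and turns the decisions from your review into the Snort suppress and event_filter lines (threshold.conf syntax) that silence a rule for one destination host or limit how often it fires per source.  The alert lines, SIDs (in the local 1000000+ range), addresses and decisions are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" output format. The SIDs sit in the
# local (1000000+) range; messages and addresses are made up for this example.
SAMPLE_ALERTS = """\
11/24-09:01:05.000001  [**] [1:1000001:1] LOCAL chat AIM login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.20:51000 -> 203.0.113.5:5190
11/24-09:02:11.000002  [**] [1:1000001:1] LOCAL chat AIM login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.21:51001 -> 203.0.113.5:5190
11/24-09:03:00.000003  [**] [1:1000002:1] LOCAL icmp port unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.9 -> 10.1.2.7
11/24-09:03:00.000004  [**] [1:1000002:1] LOCAL icmp port unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.9 -> 10.1.2.7
11/24-09:03:01.000005  [**] [1:1000002:1] LOCAL icmp port unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.9 -> 10.1.2.8
11/24-09:05:30.000006  [**] [1:1000003:1] LOCAL smb admin share access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.40:49200 -> 10.1.2.50:445
11/24-09:05:31.000007  [**] [1:1000003:1] LOCAL smb admin share access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.41:49201 -> 10.1.2.50:445
11/24-09:10:42.000008  [**] [1:1000004:2] LOCAL spyware beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.77:49152 -> 198.51.100.9:80
"""

# Constructed review decisions, one per rule, in the spirit of Step Five:
#   off       - allowed on this network and nobody will act on it: disable the rule
#   threshold - actionable but far too chatty: one alert per source per interval
#   suppress  - fine everywhere except one known host: silence it for that destination
#   keep      - actionable: leave it on and open a ticket for each hit
DECISIONS = {
    (1, 1000001): {"action": "off"},
    (1, 1000002): {"action": "threshold", "seconds": 60},
    (1, 1000003): {"action": "suppress", "ip": "10.1.2.50"},  # the backup server
    (1, 1000004): {"action": "keep"},
}

# Pulls gid, sid, message, protocol and the two addresses out of a fast-format line.
# Ports are optional so ICMP alerts (no ports) parse as well.
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+?)(?::\d+)? -> (?P<dst>\S+?)(?::\d+)?$"
)


def summarize(alert_text):
    """Group fast-format alerts by (gid, sid) with hit counts and src/dst tallies."""
    summary = {}
    for line in alert_text.splitlines():
        m = FAST_RE.search(line)
        if not m:
            continue  # blank line or some other output format
        key = (int(m["gid"]), int(m["sid"]))
        entry = summary.setdefault(
            key, {"msg": m["msg"], "count": 0, "src": Counter(), "dst": Counter()})
        entry["count"] += 1
        entry["src"][m["src"]] += 1
        entry["dst"][m["dst"]] += 1
    return summary


def render_tuning(summary, decisions):
    """Turn review decisions into threshold.conf lines, plus comment lines for
    rules that are simply switched off in the policy or kept as they are."""
    out = []
    for (gid, sid), e in sorted(summary.items()):
        d = decisions.get((gid, sid), {"action": "keep"})  # undecided rules stay on
        tag = f'[{gid}:{sid}] "{e["msg"]}" ({e["count"]} alerts)'
        if d["action"] == "off":
            out.append(f"# disable {tag}: not actionable, turn the rule off in the policy")
        elif d["action"] == "threshold":
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds {d['seconds']}")
        elif d["action"] == "suppress":
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {d['ip']}")
        elif d["action"] == "keep":
            out.append(f"# keep {tag}: actionable, open tickets")
        else:
            raise ValueError(f"unknown decision {d['action']!r} for {gid}:{sid}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for (gid, sid), e in sorted(summary.items()):
        busiest_dst = e["dst"].most_common(1)[0]
        print(f"{gid}:{sid} {e['msg']!r}: {e['count']} alerts, busiest dst {busiest_dst}")
    print("\n".join(render_tuning(summary, DECISIONS)))
```

The suppress and event_filter lines go into threshold.conf (or wherever your policy keeps them); the "# disable" lines are a to-do list for the policy editor, since turning a rule off is a policy change rather than a threshold entry.  Running the review daily, as Step Five says, means re-running the summary against the new period and only touching rules whose decision changed.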






Thursday, November 19

Fedora 12 allows installation of software without root privs

I posted this on the ISC this morning, but I wanted to post it here as well.

A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication.  Yes, you just read that correctly.  (I'll give you a second to re-read that sentence so I don't have to retype it.)  Yes, "it's a feature, not a bug".
In all my travels I've only run across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop.  But what kind of security implications does this have?  I obviously don't have to explain why this is (or may be) a bad idea to the readers of the ISC, as we are all security-minded people.
Now, the restrictions.  This change does not affect yum on the command line.  It only affects installing things through the GUI.  (Not that that helps any, as most users will be running the GUI anyway.)  You can also disable it.
Create a file in:
/var/lib/polkit-1/localauthority/20-org.d  (you can name the file anything you want)
and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

(The above came from the release notes for Fedora 12, found here.)
I also found this as a solution:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Currently there is some debate in the bug about whether they should revert this feature, so this may be just temporary.
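To check that a lockdown file like the one above actually covers the users and actions you intend, here is a small evaluator added as an example; it is not from the Fedora release notes or from polkit itself.  It parses the .pkla entries, matches a user against the Identity list and an action ID against the Action globs, and reports the Result the entry imposes.  It assumes the documented pklocalauthority behaviour: only files whose name ends in .pkla are read, entries are processed in order with a later match overriding an earlier one, and unix-user:* matches every local user.  The user names are the placeholders from the snippet; the second policy text is a constructed variant showing that the snippet as written only locks down the two named users.

```python
import configparser
import fnmatch
import os

# The release-notes snippet quoted above, as constructed .pkla content.
# "someone" and "someone_else" are placeholders, not real accounts.
LOCKDOWN_PKLA = """\
[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

# Constructed variant: unix-user:* applies the lockdown to every local user.
EVERYONE_PKLA = """\
[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:*
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

RESULT_KEYS = {"active": "ResultActive", "inactive": "ResultInactive", "any": "ResultAny"}


def parse_pkla(text):
    """Parse .pkla text into a list of entry dicts, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the ResultActive/ResultAny key case
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            "identity": [i for i in sec.get("Identity", "").split(";") if i],
            "action": [a for a in sec.get("Action", "").split(";") if a],
            "ResultAny": sec.get("ResultAny"),
            "ResultInactive": sec.get("ResultInactive"),
            "ResultActive": sec.get("ResultActive"),
        })
    return entries


def identity_matches(identity, user, groups):
    """unix-user:NAME / unix-group:NAME, where NAME may be the wildcard *."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name == "*" or name == user
    if kind == "unix-group":
        return name == "*" or name in groups
    return False


def evaluate(entries, user, groups, action_id, session="active"):
    """Return the Result the .pkla entries impose for this user and action, or
    None if no entry applies (the distribution default for the action then
    stands). Later entries override earlier ones, as pklocalauthority processes
    them in order; a session-specific Result wins over ResultAny."""
    key = RESULT_KEYS[session]
    result = None
    for e in entries:
        if not any(identity_matches(i, user, groups) for i in e["identity"]):
            continue
        if not any(fnmatch.fnmatchcase(action_id, p) for p in e["action"]):
            continue
        value = e[key] if e[key] is not None else e["ResultAny"]
        if value is not None:
            result = value
    return result


def pkla_path(directory, name):
    """pklocalauthority only reads files ending in .pkla, so enforce the suffix."""
    if not name.endswith(".pkla"):
        name += ".pkla"
    return os.path.join(directory, name)


if __name__ == "__main__":
    action = "org.freedesktop.packagekit.package-install"
    for label, text in (("named users only", LOCKDOWN_PKLA), ("unix-user:*", EVERYONE_PKLA)):
        entries = parse_pkla(text)
        for user in ("someone", "alice"):
            print(f"{label}: {user} -> {evaluate(entries, user, [], action)}")
    print(pkla_path("/var/lib/polkit-1/localauthority/20-org.d", "packagekit-lockdown"))
```

The point the evaluator makes visible is that with the snippet as quoted, a user who is not in the Identity list gets None back, meaning the Fedora 12 default (install without a password) still applies to them; the unix-user:* variant returns auth_admin for everyone.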




Monday, November 16

IPS's don't just send RST packets.

Commenting on an email I read earlier today: some people apparently still have the misconception that an IPS simply sends an RST packet, and that shortly afterwards the session taking place between the two parties should die.

Nope.

A real IPS, in my opinion, has full control of the traffic.  Cable one exits the firewall and enters port 1 on the IPS; cable two exits port 2 on the IPS and goes to the switch.

While the traffic is passing through the IPS, the engine (in Sourcefire's case -- Snort) makes the decision if the traffic that entered port 1 should be allowed to go out port 2 and vice versa.

Can Sourcefire's devices send RST packets?  Sure!  But why would you want to give away where your IPS was on the network?  Why not just silently drop the connection into the big bit bucket in the sky and go on about your day?

Oh.  And do this at >10 Gig a second?  Yeah it's awesome.



Tuesday, November 10

Looking for a Label Printer?

Recently I needed a label printer for a project I was involved with, and after looking around a bit decided on buying the Brother QL-570 Label Printer.  Having not used it before, but having used successful Brother products in the past, I decided that this one was it.

This is a great printer.  It prints fast, it cuts automatically at the end of the print.  The label paper is readily available at any office supply store, and the software is dead easy to use.

I plugged it into my Mac (running Snow Leopard) and it was immediately recognized; the drivers were automatically updated and installed.  However, I had no software to design the labels with.  The printer comes with the software on a CD, but I usually just go to the manufacturer's website and download the software from there because, well, often the software on the CD is old.

The computer installed the software (I think it had to reboot), and I was designing and printing labels in no time.  The only "tricky" part (I guess it was tricky) was selecting, on the computer, what type of paper was in the machine so that the label printed correctly... which you set right when you open the program.  So, that two-second option aside, the printer was dead easy to use.  It actually fit right in my backpack (not that I would normally take it with me, but I did have to on this occasion), and it was small enough to throw right in my bag.




Friday, November 6

Shootings at Fort Hood

For those of you that have not heard, yesterday, apparently, a psychiatrist decided to take it upon himself to start offing soldiers, and wound up with 12 dead.

I would like to send my condolences out to the families of the victims of this senselessness.  We have enough people trying to kill our soldiers abroad, why must we have our own do the same here at home?

I don't know how the guy managed to get 12 people, of course, I wasn't there, and I am just armchair quarterbacking, but 12?  I mean, after the first one or two, that guy should have been tackled to the ground and caught a beat down from some fellow soldiers.

I don't know the situation, or how it took place, if that was even possible, but I also give kudos to the officer that ended the madman's spree by not only taking a bullet herself, but putting four bullets in the shooter.  Good job.




Dojocon

Drove down to Dojocon at Capitol College in Maryland today.  Did the old "man the Sourcefire booth" bit, except this time it was for the VRT: instead of a big orange Sourcefire booth full of literature about product, the questions this time were about Snort and VRT rules.  Quite a bit different from normal, but great.

Dojocon did quite well (it's still going on): 150-200 people there, I would guess (I'm not good at estimating crowds), lots of good presentations and lots of good questions at the end of the talks.  Food, drinks and snacks were provided (which is a nice change from other conferences I've been to).

I recommend going if you can next time they have it, great resources of information there, Marcus does a great job.



Wednesday, November 4

Hey Jude

Don't know where this originally came from, I saw it on KungFu Grippe.







Tuesday, November 3

Lots going on, thus lack of posts

So...  lately I haven't been posting a lot, been doing a lot of things for work, plus I just got back from a vacation to Disney World, I got my Mustang back, and am traveling for work.

Just for those of you that read the blog and will be there, I'll be at DojoCon on Friday, November 6th with the VRT.  Stop by and say hello if you'll be there.


