Friday, May 09, 2008
I'm sick of googling for this the few times per year I need it, so putting it here for future reference:
To identify stale computer accounts in your Active Directory, you can look at the last time they changed their passwords. Windows 2000 and later machines will change their computer account passwords every 30 days by default. Machine accounts that have gone more than 30 days without changing their account passwords are probably no longer in use (or they have a problem preventing them from communicating with the domain controller(s)).
The easiest way to enumerate machine account password age is a free tool called NetPWAge by the folks over at SystemTools.com. Once downloaded, the syntax is simple:
NetPWAge /machines /domain:YOURDOMAINHERE /tabs > MachineAccts.txt
You can paste or import the results into Excel and do some fancy sorting to find out which machines need to get the boot.
Edited to add: I should mention that domain controllers themselves do not follow the 30-day rule, so don't go deleting them based on this scan. You know not to go deleting your domain controllers though, right?
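The same triage done against the raw attribute, as an added example for this post (it is not the NetPWAge tool and does not talk to a directory): pwdLastSet on a computer object is a Windows FILETIME, and domain controllers are recognised by the SERVER_TRUST_ACCOUNT bit in userAccountControl, so the DC caveat above can be applied automatically instead of by eye in Excel. The records below are constructed to look like what an LDAP search for objectClass=computer returns; the account names are made up.

```python
"""Triage stale AD computer accounts by machine password age.

Added example for this post; it is not NetPWAge and does not query a
directory. The records below are constructed to look like the attributes an
LDAP search for objectClass=computer returns (sAMAccountName, pwdLastSet,
userAccountControl), so it runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is stored as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits from the AD schema.
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000  # set on domain controller accounts

MACHINE_PASSWORD_MAX_AGE_DAYS = 30  # default machine account password age


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME value to an aware UTC datetime; 0 means 'never set'."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def find_stale_computers(records, now, max_age_days=MACHINE_PASSWORD_MAX_AGE_DAYS):
    """Return computer accounts whose password is older than max_age_days.

    Domain controllers are skipped because their machine accounts do not
    follow the 30-day rotation, which is the caveat in the post above.
    """
    threshold = timedelta(days=max_age_days)
    stale = []
    for rec in records:
        uac = rec.get("userAccountControl", 0)
        if uac & UAC_SERVER_TRUST_ACCOUNT:
            continue
        last_set = filetime_to_datetime(rec.get("pwdLastSet", 0))
        if last_set is None or now - last_set > threshold:
            stale.append({
                "name": rec["sAMAccountName"],
                "pwdLastSet": last_set,
                "age_days": None if last_set is None else (now - last_set).days,
                "disabled": bool(uac & UAC_ACCOUNTDISABLE),
            })
    return stale


# Constructed sample data: "now" is the date of the post, names are invented.
NOW = datetime(2008, 5, 9, tzinfo=timezone.utc)


def _days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_RECORDS = [
    {"sAMAccountName": "WS-ACCT01$",  "pwdLastSet": _days_ago(10),  "userAccountControl": 0x1000},
    {"sAMAccountName": "WS-SALES07$", "pwdLastSet": _days_ago(31),  "userAccountControl": 0x1000},
    {"sAMAccountName": "WS-OLDLAB$",  "pwdLastSet": _days_ago(95),  "userAccountControl": 0x1000},
    {"sAMAccountName": "WS-RETIRED$", "pwdLastSet": 0,              "userAccountControl": 0x1002},
    # Domain controller with an old password: must stay off the stale list.
    {"sAMAccountName": "DC01$",       "pwdLastSet": _days_ago(120), "userAccountControl": 0x82000},
]


def stale_names(records=SAMPLE_RECORDS, now=NOW, max_age_days=MACHINE_PASSWORD_MAX_AGE_DAYS):
    """Sorted names of the stale accounts, handy for a report or a test."""
    return sorted(r["name"] for r in find_stale_computers(records, now, max_age_days))


if __name__ == "__main__":
    for r in find_stale_computers(SAMPLE_RECORDS, NOW):
        when = "never" if r["pwdLastSet"] is None else str(r["pwdLastSet"].date())
        print(f'{r["name"]:<14} last set: {when:<11} disabled: {r["disabled"]}')
```

A pwdLastSet of 0 is reported as stale too, since an account that never set a password has never joined. Bumping max_age_days to 60 or 90 before deleting anything cuts down on false positives from laptops that were simply off the network for a while.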
Wednesday, May 07, 2008
Today I saw a picture so utterly horrifying that I cannot even bring myself to include it within this post. You'll have to click on it, and by doing so you hereby release me from any claims pertaining to damaged psyche, mental anguish, or anything else that tends to result from the vile desecration of things you allow into the ring 0 of your soul.
You've been warned: click.
More details here: http://www.prweb.com/releases/2008/04/prweb819754.htm
Sunday, May 04, 2008
I spent the week in Las Vegas, attending the CSI/SX and InterOp conferences.
If you don't leave Vegas broke, hungover, and tired.... well, you're doing it wrong.
Wednesday, April 16, 2008
2 of the ships responsible for damaging the undersea cables in the Middle East last February were caught with their proverbial pants down on satellite photos.
One was Iraqi, and the other was “Korean”.
Wait a second. Aren't there 2 Koreas? One that is relatively peaceful and the other that wants to blow our brains out with a nuke at their earliest possible convenience? I think it's relevant to distinguish between the two, don't you?
Story here: http://www.nationalterroralert.com/updates/2008/04/12/remember-the-undersea-cables-that-were-being-cut/
I have never actually used a modern Mac. My exposure to them is limited to the IIe era, and I understand they've come a long way since then.
What I don't understand is why the majority of Mac laptop users I've observed have used the platform merely for running Windows XP in Parallel.
Case in point: Returning from RSA, I was sitting behind a Mac user that was using her vaunted MacBook Air to type a simple Word doc. In Windows XP.
Seriously? Folks, there is even a Mac version of Word. Does XP really present such a compellingly superior user experience that you cannot be troubled to run the Mac version of Word on Apple's own operating system?
I was left to conclude that the user had a MacBook Air just for the “cred”. For whatever reason, they felt compelled to do their actual work using XP.
I'll never get Mac users.
Tuesday, April 15, 2008
I've never told this story, not even to my family.
9/11 is why I'm in the security business. Corny as it sounds, when 9/11 happened, I decided that the way I could contribute to making the world a better place was to apply my IT knowledge to securing the world's Windows networks. I had flown out of Logan airport in Boston the day prior to the attacks. I was galvanized. I quit my job, put myself through a number of SANS courses, and focused my 15+ year old IT career towards security.
I even traded my BMW in for a Jeep, in a semi-ridiculous gesture of patriotism (Jeep was subsequently acquired by Germany's Daimler Corporation, ironically).
To say that 9/11 was a defining moment for me would be an understatement.
Now the weird part:
Since 9/11, I've had a little “twitch”. A day rarely goes by when I don't look at a clock when it hits 9:11. Either in the morning or at night, my subconscious rarely misses the opportunity to note the passing of 9:11 by drawing my attention to a nearby clock at that hour. It's fucking creepy.
So tonight, as I fed “I Am Legend” into the DVD player, I glanced down at the clock and was surprised to see it read 9:12. Holy Christ, I made it through an entire day without marking 9:11. A rare thing.
A couple hours later, I logged into a computer in Seattle to service some waiting firewall tickets. Look down at the clock on the computer in Seattle, and guess what it reads.
Nine fucking eleven.
Sigh.
Never forget.
Now if you'll excuse me, I've got some firewall changes to make.
Friday, April 11, 2008
RSA is 50% learning and 50% networking. At roughly 17,000 attendees, it is far and away the largest gathering of information security practitioners and vendors. You make professional connections here that you cannot otherwise make.
The Peer-to-Peer sessions are networking gold. You have 20 people all struggling with some particular aspect of the business, and you generally leave with the personal contact information from at least half of them. The world's information gets more secure as a result of these short sessions, and the relationships we build after the event is over. Unfortunately, due to the small number of people permitted into them, they fill up quickly.
The Virtualization Security peer-to-peer session is a great example. I talked to one guy who told me about a network problem causing all his VM hosts to shut themselves down. I chuckled and said “Yeah, we made that mistake too.” I then told him about another hitch we had implementing VMotion that caused a similar problem, and by the fact that his eyes went wide when I described it to him, I'm guessing he's probably vulnerable to that too. Those are the little things that don't get discussed in the technical sessions.
Another great contact I made during the show was Gene Kim, author of one of my favorite books of all time, The Visible Ops Handbook. I saw him sitting at the book store, doing signings, purely by chance. I introduced myself, and told him we'd bought 30 copies of his book for our staff, and that I had won a corporate award for implementing a change management program based on his work, and he just gushed and said I made his entire week. He shouted over to one of his partners “Hey, they gave this guy an award due to Visible Ops!” I bought copy #31 from him on the spot so he could sign it (he wrote that my kung fu was awesome), along with his latest release Visible Ops Security, which I have not yet read. Gene's nervous about his new book, since he's not a security practitioner and is anxious about how the community will react. So he asked me to give him an honest review of it after I've had time to read it. Then he gave me his card, and wrote his cell phone number on it. Dude, I have Gene Kim's CELL PHONE NUMBER. How cool is that. Where the hell else would that have happened, but at RSA?
Here are some interesting links that I noted during RSA. These are mostly for my own benefit, but I won't tell anyone if you click on them. I'm not the boss of you.
Going through my notes from the week, and just wanted to throw out some interesting things I learned during the course of the week, in addition to the items in my previous posts:
- It is currently estimated that 40% of computers attached to the Internet are members of one or more botnets
- The US government recently reduced its time-to-patch from 57 days to 72 hours, and is striving for 24 hours
- Oracle is asking US universities to mandate secure coding courses in the curriculum of computer science majors
- Despite some of the high visibility projects at the federal level, information security spending is at an all-time low federally. The main culprit is last year's expiration of the Cybersecurity R&D Act.
- In the month of January, 88% of Barack Obama's campaign donations came from online sources. Security of candidate web sites, and the potential for spoofing them, is not getting enough attention.
- There were 23 critical vulnerabilities patched by Red Hat in 2007, versus 17 on Windows Vista.
- 2 out of every 3 hackers exploiting virtualized environments are explicitly targeting the command and control infrastructure, not the VM hosts themselves.
Show's over. Algore just left the stage after preaching to the crowd about global warming, and how “you IT people” can use his Intarwebs to help the fight. He was heckled a number of times during the course of his speech, but security people pounced on the hecklers fairly quickly and hustled them out of the forum. I don't remember Colin Powell getting heckled last year, but I might be repressing it.
The irony of Algore coming to a security conference and spreading his apocalyptic FUD was not lost on many of us. Hey, spreading fear uncertainty and doubt is our shtick, pal, and we've been doing it for DECADES.
OK, enough of that. I can feel my blood pressure rising, and I've recently noticed a direct correlation with my blood pressure and the number of times I use the f-bomb in my blog posts, and I'm trying to keep this one PG-rated, for christ's sake. OK, NC-17.
I gave up fairly quickly on the daily posts. There were only 15-20 minutes between sessions, which generally left you just enough time to walk from one session to the other. As luck would have it, I managed to plan things out just right so I had to walk from one end of Moscone to the other between each session. I don't know how that happened.
The small breaks that I did have were consumed by my actual day job, which I did not have the luxury of abandoning completely for the week. Thankfully the RSA folks provided a really nice room for people to do work in between sessions, and it had about 80 powered and wired workspaces where we could sit and jack in our laptops and get some work done. They were also piping in video of current sessions, or ones recorded earlier in the day. Really thoughtful.
Day 1, while a real slog with keynotes starting at 8am and sessions going as late as 6:30pm, was probably the most informative. I attended a few duds, but there were a couple gems too.
Here's a few notes from the week:
- Threats to 2008 Presidential Elections - I was disappointed in this one. The presenter covered some work he had done with typo domains with respect to presidential candidates. While there is some exposure here with regards to people errantly giving money to the wrong candidates, I don't think that's an effective election subversion technique.
- How to Win the Botnet Battle - Probably my favorite session of the entire show, mostly due to Ira Winkler calling his fellow panelists morons repeatedly throughout. I agree with Ira in many aspects of his opinions about how we're conducting the War on Botnets, but I have some fundamental disagreements with him as well. I'll be blogging about this one in the future.
- National Cyber Security Readiness - This was a pretty interesting discussion about the state of cyber security at the federal level. On the panel was Rhode Island's own James Langevin, who is truly doing God's work at the legislative level to get cybercrime bills introduced. Rhode Island owes this guy a statue or something. We gave him a Public Policy award for his efforts on the hill. For those who aren't aware, the federal government is undergoing a massive effort to reduce the number and types of connections it has to/from the Internet. Currently numbering in the thousands, the goal is 50 or less. They are also recruiting security people like mad, trying to enable an infosecurity capability into each agency within the federal government.
- Michael Chertoff spoke on Tuesday as well, and if you followed the news you saw that he announced a new initiative at the federal level to feed attack intelligence to the private sector, since the federal networks tend to see attacks before anyone else does. We'll see how that pans out, I wish him well. His recent pick for Cybersecurity Czar is making a lot more sense now.
- Security Information Visualization - Oy, was I pissed that I dragged myself out of bed early to catch this 8am dud. Highly technical content, first thing in the morning, 90% of attendees nursing head-cracking hangovers from the first night of vendor afterparties. These guys were dead on arrival in conditions such as those, but I admire their moxie. The session was more about visualizing how data is protected using various encryption or DRM mechanisms. I was expecting a talk about metrics.
- Linux vs Windows Security - This was a fairly lively debate between a guy at MS and a researcher from a Florida university. They had done some studies revolving around vulnerability severity and numbers. The MS guy made a pretty compelling case, demonstrating that by criticality, time of exposure, and time to patch, Microsoft had a very good year last year compared to Red Hat, the Linux of choice for the debate. However, they ultimately called it a draw due to the ambiguity of the current vulnerability rating systems.
- Securing Virtualization peer-to-peer session - Great session, too short by half. Peer to peer sessions are limited in size (20-ish people), and everyone sits in a circle singing kumbayah. Or something. No, the singing came after, now I remember. Seriously though, there was a circle of attendees, and we had a very frank and open discussion about the challenges we're all facing with virtualization in our datacenters. Reps from VM and Citrix were both in attendance, as well as a couple researchers, but the rest of the table was filled with practitioners like myself, struggling with the new security paradigm that comes with virtualization. What I learned: My company is farther along than most, everyone is facing the same set of issues, and there is not much of a consensus about how to handle security in this new environment.
- Virtualization and Security - A Technical Forecast - Dud. Basically this was 2 guys, one from VMWare and one from Citrix, espousing what they are doing to secure their respective virtualization products, and that we shouldn't worry about all the FUD being put out by researchers right now. The Citrix guy actually came out and said it was impossible for data to leak from one VM image to another, which reminded me of Oracle's “Unbreakable” gaffe from years past. They also didn't get some of the questions, like when one attendee commented on the fact that hackers are using VMs to cover their tracks and subvert forensic investigations on their attack platforms, and the panelists went on to talk about how you can snapshot images as frequently as 30 times per second if you needed to. Why would an attacker snapshot his own VM image, if the entire point is to dump the evidence by reverting the image, or simply throwing it out, after the deed is done? There was also very little in the way of forward-looking information.
You will note that my session selection tended towards security issues surrounding virtualization. There is great work being done in that space (finally), and there were no fewer than a dozen sessions devoted to virtualization issues. The increased pressure to reduce power and cooling consumption in datacenters is driving adoption of virtualization technologies, at a rate that most people are not yet ready for. This is one area where the security community is behind the curve in a big way.
More later.
Tuesday, April 08, 2008
I'm at RSA all week, and I figured I best blog about it, seeing as how I maneuvered my way into the Security Blogger Meetup tomorrow night based on the premise that I do, at least occasionally, blog about information security issues.
I'm taking a break from the morning keynotes, choosing to observe the Microsoft keynote from afar, via closed circuit TV, while I get some thoughts down on virtual paper.
The first 2 talks were by EMC (parent company of RSA), and then Symantec.
The show opened with the obligatory cheesy dance number, which this year was a bastardized version of the song “Brick House”, with an information security slant to the lyrics.
After that nonsense was over, EMC's CEO came onstage (no, he wasn't one of the dancers) and talked about the transition security practitioners need to make to go from villain to hero within their respective organizations. To go from the people that say No all the time, to being a business enabler. It was an interesting talk, but we've been talking about that for years, and haven't figured out how to achieve that goal.
Next up were a couple folks from Symantec, who talked a bit about this morning's release of the 13th installment of their Internet Security Threat Report.
Things learned during this morning's sessions:
- 80% of the companies surveyed during a recent EMC/RSA study admitted that they had shied away from potential business innovations or strategic acquisitions due to concerns over information security.
- 65% of new software delivered to the average consumer is malicious. For the first time, 2007 saw development of malicious software outpace normal consumer software.
- 50 million IDs were exposed in 2007 due to various breaches, which is 3 per second, and a 300% increase over 2006
- Stolen identities are the 3rd most common item being advertised on the information black market (yes, there's an “information” black market)
- Stolen credit card numbers sell for an average of 40 cents on the black market
- Stolen World of Warcraft accounts sell for 100 times more than stolen credit cards
I've only just downloaded Symantec's report, and will post later about that once I've had a chance to review the report in its full 105-page glory.
Homeland Security's Michael Chertoff, who blew us off last year to testify in front of Congress, was a last-minute addition to today's keynote schedule. He speaks at 11:30, and I'll post again after I have had a chance to hear what he has to say.
Sunday, March 30, 2008
I'm not going to say anything here that hasn't been said by hundreds of people long before this, but it will make me feel just a little better to say it. In my own, expletive-prone fashion. Those of you with delicate sensibilities may want to turn away from the screen for a couple minutes.
I've been using Foxit Reader for quite some time now, years in fact. It's small, light, unobtrusive, and just fucking works. In other words, everything Adobe Acrobat is not.
Somewhere between version 5.0 of Adobe Acrobat (15 megs) and the current version 8.x (holy Jesus 167 fucking megs of the worst case of feature bloat I have ever seen in my entire 22 fucking years in this business), the team at Adobe just went off the friggin rails. Not only does the product work only marginally well, but it has been the cause of many browser crashes (some of my best blog rants were lost forever thanks to random Acrobat-induced browser crashes), drags system performance to its knees, and installs a bunch of needless bullshit on your computer. I recently had a rash of browser crashes that I couldn't nail down, so I randomly removed Acrobat. Crashes went away, like Jesus himself came down and touched my computer.
167 megs? Really? It takes 167 megs of code to display a pdf, does it? Foxit does it in under 3 megs.
I know what you're thinking: Just switch to Foxit and never look back.
Yeah, I tried that. Except one little thing. ADP, bless their hearts, issues W2 and pay statements in pdf format. And somewhere in the gap between Foxit's 3 megs of code and Adobe's 167 megs of kitten-killing bloat, lies the code that allows my W2 to be retrieved and opened through ADP's web site. With Foxit, I get a pretty little X where my W2 should be.
So, I am forced to reinstall that hellspawn of a program, Acrobat, so I can do my fucking TAXES. Talk about salt on the wound.
So I go, kicking and screaming, to Adobe's site, and download Acrobat (no, thanks, I don't want any of your free fucking tagalong offers), and install it so I can download my W2 so I can figure out how much money I owe Uncle Sam this year.
And what does it do, the very first second it finishes installing on my computer, before I could even get off a mouse-click? CRASHES MY FUCKING BROWSER THAT GOD-DAMNED FUCKING PIECE OF SHIT.
Whew. Done. I don't know about you, but I feel better.
Wednesday, March 26, 2008
You heard me. HD-DVD.
I know what you're thinking: “Dude, the format war is over. And HD-DVD lost.”
Yeah. I know.
Thing is, I bought a new-hotness 1080p plasma for my OKC house a couple months back, and was driving it with an old-and-busted 720p DVD player that I bought about 6 years ago.
I'm not convinced Blu-Ray is worth the premium they are charging (prices went up recently, in fact), but I wanted 1080p performance. The Toshiba HD-DVD's 1080p upconverting has always been well regarded, and when the local electronics outlets started their fire sales on HD-DVD gear, it seemed like a good time to upgrade. Walmart and Circuit City are selling the A3 box (1080i) for 75 bucks, and the 1080p-capable A30 is only $130 smackers at Circuit City. Given that most new 1080p upconverting DVD players are pushing 100 bones without the ability to play HD-DVD movies, it's a great deal. Plus you get 2 free HD-DVD movies in the box, and a coupon for a bunch more.
Now I can watch all my regular DVDs in 1080p while I wait for the fire sale to start on the HD-DVD movies...
“All animals are equal” was the first version of the farm's “rules” in the movie Animal Farm. It was soon revised with “some animals are more equal than others” when the ruling class (pigs) found it inconvenient to adhere to all the rules they were imposing upon the rest of the farm.
This attitude runs rampant in politics, especially when it comes to gun control. Here are some examples:
- Diane Feinstein - Staunch advocate of a wholesale ban on guns, once sought to ban guns entirely from San Francisco. “Banning guns addresses a fundamental need for all Americans to feel safe.” Yet, when she felt threatened, she got a concealed weapons license, purchased a .38 revolver and carried it around with her. “I know the urge to arm yourself because that’s what I did. I was trained in firearms. I’d walk to the hospital when my husband was sick. I carried a concealed weapon. I made the determination that if somebody was going to try to take me out, I was going to take them with me.” While she takes steps necessary to preserve her own life, she actively seeks to forbid the rest of America from doing so. She's more equal than us, apparently.
- Ted Kennedy - Good old Ted. We have so much fun with this guy, it should be against the law. “Ted Kennedy's car has killed more people than my gun” is one of my all-time favorite bumper stickers. Proposed legislation that would have made it illegal to buy, manufacture or import handguns. Bodyguard busted for carrying an unregistered handgun, 2 machine guns, and 140ish rounds of ammunition into the US Capitol building. I guess if you can afford to pay for bodyguards with automatic weapons, you don't need to worry about your right to protect yourself with a concealed weapon. More equal than us.
- Carol Mosely-Braun - Active anti-gun supporter. Owns a .22 caliber handgun. More equal than us.
- Stephen Solarz - Introduced federal legislation to ban handguns. Bodyguards arrested with handguns, brass knuckles and a blackjack, at the US Capitol Building. More equal than us.
Apparently only the ruling class elite get to avail themselves of their inherent right to defend themselves. They are more equal than us, after all.
Sunday, March 23, 2008
I have updated the Conferences list on the right-hand nav frame to just list the 2 conferences on my schedule for this year, both happening in April, as luck would have it.
Speaking of RSA:

I've received an invitation to attend the 2nd annual Security Bloggers Meetup during the RSA show. There may have been a little whining on my part immediately preceding the invite, I can't be responsible for remembering the exact sequence of events. The important thing, I think you'll all agree, is that I'll be there.