March 2005 Entries

Script Encoder: Toy Masquerading as a Security Tool

I just about lost it today, in a room of 200 people, when a guy from Microsoft, conducting a talk about how to use credentials securely with WSH scripts, suggested Script Encoder as an option. Script Encoder is a Microsoft-developed tool that lets script and web developers obfuscate their code by “encoding” it. The idea is that the developer encodes the sensitive parts of a script so that anyone who gets hold of the script cannot read them. The problem is that the encoding is a fixed transformation with no secret key, so anyone holding the script can reverse it, and tools that decode it readily exist. It's trivial to run an...
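Before you can pull credentials out of encoded scripts, you have to know which scripts depend on Script Encoder at all. The following WSH script is an added example, not code from the original post: it walks a folder tree and reports files that rely on Script Encoder, keying on the .vbe/.jse extensions, the VBScript.Encode/JScript.Encode engine names, and the `#@~^` marker that begins Script Encoder output. The default root folder and the usage file name are assumptions; pass your own path as the first argument.

```vbscript
' Added example (not from the original post): inventory scripts that depend on
' Script Encoder so the secrets inside them can be reviewed and moved elsewhere.
' Usage: cscript //nologo FindEncodedScripts.vbs C:\Scripts
Option Explicit
Const ForReading = 1
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

' Returns a short reason if the file looks Script-Encoded, or "" if it does not.
Function EncodedReason(strPath)
    Dim strExt, strText, objFile
    EncodedReason = ""
    strExt = LCase(fso.GetExtensionName(strPath))

    ' .vbe / .jse are the extensions Script Encoder writes by default.
    If strExt = "vbe" Or strExt = "jse" Then
        EncodedReason = "encoded-script extension ." & strExt
        Exit Function
    End If

    ' Only inspect text-like script and web files; binaries are out of scope.
    Select Case strExt
        Case "vbs", "js", "wsf", "asp", "htm", "html", "hta"
            ' fall through to the content checks below
        Case Else
            Exit Function
    End Select

    Set objFile = fso.OpenTextFile(strPath, ForReading)
    If objFile.AtEndOfStream Then
        strText = ""
    Else
        strText = objFile.ReadAll
    End If
    objFile.Close

    If InStr(strText, "#@~^") > 0 Then
        ' Script Encoder output always starts with this marker.
        EncodedReason = "Script Encoder output marker #@~^ present"
    ElseIf InStr(1, strText, "VBScript.Encode", vbTextCompare) > 0 _
        Or InStr(1, strText, "JScript.Encode", vbTextCompare) > 0 Then
        ' Pages/scripts that select the .Encode engine expect encoded blocks inside.
        EncodedReason = "uses the VBScript.Encode/JScript.Encode engine"
    End If
End Function

' Recursively walks a folder and echoes every file that depends on Script Encoder.
Sub ScanFolder(objFolder)
    Dim objFile, objSub, strReason
    For Each objFile In objFolder.Files
        strReason = EncodedReason(objFile.Path)
        If strReason <> "" Then WScript.Echo objFile.Path & vbTab & strReason
    Next
    For Each objSub In objFolder.SubFolders
        ScanFolder objSub
    Next
End Sub

Dim strRoot
If WScript.Arguments.Count > 0 Then
    strRoot = WScript.Arguments(0)
Else
    strRoot = "C:\Scripts"   ' assumed default; pass the real path as the first argument
End If
ScanFolder fso.GetFolder(strRoot)
```

Every hit is a script whose “protected” content is recoverable by anyone who can read the file, so each one should be checked for embedded passwords and moved to a real credential store (a service account with scoped rights, or a protected file ACL) rather than re-encoded.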

SANS abandons practicals as a certification requirement

I was visiting Richard Bejtlich's site today and noted that SANS has decided to abandon the requirement for a written practical as part of their certification process. While I didn't conduct any SANS classes like Richard did, I am very familiar with the organization. I happen to be one of the 8000-ish security professionals they've certified over the years. Shortly after I decided to focus my computer career on security, I invested upwards of $10,000 of my own funds attending a number of SANS training sessions. I even drove down to San Francisco to attend a week-long session on intrusion detection being led...

Read-Only DCs Returning with Longhorn

One of Active Directory's Achilles' heels is that all domain controllers share ownership of the directory: every DC holds a writable replica. Gone is the pre-Win2k concept of a Primary DC that feeds directory information to read-only Backup DCs. This is a huge security issue because in the current multi-master design there is no way to prevent some random domain controller in a branch office from replicating corrupt or malformed data to the rest of the forest, taking the entire forest down in the process. But you have to have a domain controller in that branch office, and that domain controller has just as many rights...

Day .9 at DEC

While the Directory Experts Conference officially gets under way today, I was in Vancouver yesterday to attend a special pre-conference training session on securing Active Directory. The session was conducted by Sanjay Tandon, who works for Microsoft. He was the PM for the Active Directory Security group until a few months ago, and he's the author of a number of key papers on the subject, including the key whitepaper on delegating authority within AD. Joining Sanjay was Guido Grillenmeier, a leading HP consultant from Germany. If anyone knows Active Directory better than Sanjay, it is apparently Guido. The session started off slowly, and...

The trip to Vancouver

The alarm went off at 4 AM. My brain made some very convincing argument about how I would disturb the cats sleeping on me if I got up now, and that would be cruel. So I noted the alarm, and decided to ponder the situation further before making any hasty decisions. It was nearly 5:00 when my eyes snapped open, my subconscious finally getting through with the message that the alarm went off “a while ago”. Luckily, I was basically ready to go, and 15 minutes later I was on the road. But man, I was tired. I had maybe 3 hours of sleep, and...

Heading to Vancouver

I'll be getting up at o'dark-thirty tomorrow to make the drive up to Canada. The Directory Experts Conference officially starts on Monday, but I decided to sit in on the special one-day Active Directory security training they are conducting on Sunday. It starts at 8:00, so I need to be on the road by 5:00 or so to make it to Vancouver without having to stress about the schedule. The good news is that I am taking this entire week off from work (conferences are only partially work, but don't tell my boss), and I expect I'll have some time for...

"Running As Non-Admin" Blog

Back in January I lamented the fact that some really great blogs seemed to drop off the face of the earth after a few brilliant posts. (Which is ironic, given my own post count for the following month.) Aaron Margosis, the author of one of the featured blogs, the Running As Non-Admin Blog, stopped by recently to let me know that he's back in business and blogging again. This is great news, because the community definitely needs some expert advice on running day-to-day Windows as a regular user (i.e., not as Administrator). Let's hope he keeps it up, because the posts so far are...

Stupid Security Tricks

A while back my bank sent me a letter explaining that my credit card information had been exposed when some anonymous online vendor got haxxored.  So they are issuing me a spanking new card with a new number on it, and cancelling my old card. No problem.  I don't live in California, so I don't get to know who the vendor with the shitty security is.  But whatever. So I get the new card in the mail, and look over the number.  It's identical except the last 4 digits have changed.  Even the expiration date is the same. WTF, mate? Let's ponder this for...

What the hell's going on in California?

If you watch the news lately, you can't help but hear about some of the recent high-profile hacks of major information clearing houses. ChoicePoint, the most publicized victim, announced a few weeks ago that sensitive information on 30,000 Californians was given to hackers who were posing as ChoicePoint customers. What they failed to tell everyone initially was that the number of people whose personal information was exposed is closer to half a million. ChoicePoint is an information aggregator, and about the biggest one there is. They have dossiers on 10 BILLION individuals and businesses, and those dossiers include social security numbers, credit histories,...

Google Hacking Contest

I recently had the privilege to witness an organized Google Hacking Contest, inspired by Johnny Long's new book “Google Hacking for Penetration Testers”. The contest pitted 8 teams of local security folks (including a team from Intel and a team from Qualys) against each other, and gave them 60 minutes to use Google to find as much personal information about people as possible. The results, frankly, were astounding.  I went into it knowing Google was a one-stop identity theft shop, but I still left shaking my head. The highest scoring team found over 2.5 million bits of sensitive information, including social security numbers,...

Disable Shutdown, Permit Restart

In an unmanned datacenter, it's bad to shut down a system, mostly because there isn't always someone around to hit the button and power it back on. While you can remove the Shut Down button from the user's UI via GPO (the “Remove and prevent access to the Shut Down command” user policy), that also prevents them from restarting the system. This was a problem for me recently. I need to enable certain users to reboot particular systems, but prevent them from accidentally shutting them down. What I ultimately opted to do was use the GPO to remove the Shutdown/Restart buttons from the user's interface. Then I gave them a WSH script that will restart the...
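The following is an added example of such a restart-only script, not the script from the original post. It reboots a machine through WMI's Win32_OperatingSystem.Win32Shutdown method using only the reboot and force flags, so the script itself contains no shutdown or power-off path. The optional computer-name argument and the usage file name are assumptions; with no argument it restarts the local machine.

```vbscript
' Added example (not the original post's script): reboot-only restart via WMI.
' Usage: cscript //nologo RestartOnly.vbs [computername]
' The caller still needs the "Shut down the system" user right on the target
' (or "Force shutdown from a remote system" when targeting a remote machine).
Option Explicit

' Win32Shutdown flags: 0 Logoff, 1 Shutdown, 2 Reboot, 4 Force, 8 PowerOff.
' Only 2 and 4 are ever used here; 1 and 8 are the shutdown/power-off paths.
Const FLAG_REBOOT = 2
Const FLAG_FORCE  = 4

' Issues a forced reboot and returns the Win32Shutdown result (0 = success).
Function RestartComputer(strComputer)
    Dim objWMI, colOS, objOS, intResult
    intResult = -1
    ' "(Shutdown)" in the moniker enables SeShutdownPrivilege for this connection.
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\" _
        & strComputer & "\root\cimv2")
    Set colOS = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    For Each objOS In colOS
        intResult = objOS.Win32Shutdown(FLAG_REBOOT Or FLAG_FORCE)
    Next
    RestartComputer = intResult
End Function

Dim strTarget, intRc
If WScript.Arguments.Count > 0 Then
    strTarget = WScript.Arguments(0)
Else
    strTarget = "."   ' local machine
End If

intRc = RestartComputer(strTarget)
If intRc = 0 Then
    WScript.Echo "Restart issued to " & strTarget
Else
    WScript.Echo "Win32Shutdown on " & strTarget & " failed, return code " & intRc
    WScript.Quit intRc
End If
```

Removing the Shut Down command via GPO is a guard against accidents, not a security boundary: a user who holds the shutdown user right can still run shutdown.exe or call Win32Shutdown(1) themselves. What the script buys you is that the one tool you hand out for the job cannot power the box off, which is exactly the accidental case being prevented.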