Security Ripcord

Yes, I was not at RSA 2008 this year. Although I could have probably received a press pass like last year I would have had to shell out every dime for travel and storage….err, lodging myself. Not an option. So, I stayed put and watched from the virtual side lines. This means I may have missed the event of the year by not attending the Security Blogger Meetup (come on…how many parties have a live feed outside of PDC?). Such is the life of a person who works for a small, cost/benefit conscious, contracting company. I know there are plenty of us out there so that is enough sniveling.

Of course it is always good to be missed and Michael Farnum took a little time out to let me know that I was missed this year.

Don,

A couple of people at RSA asked me why you weren’t blogging and asked me to
get on your case. I know you are busy, but your fans miss you.

Michael R. Farnum

Yes, posts have been a little sparce recently. I did address that a little bit by explaining that my new job had a higher risk when it comes to talking about issues, situations, and most of all things that could be considered vulnerabilities. Risks like the potential to end up breaking rocks (or would that be considered a control instead of a risk, a very, very effective control). I have been trying to do a little better in the past few weeks but it does not seem like to many people have been interested in the directions, and there have been many, that I have taken. One of my major objectives when I started blogging is to never become a slave to security fashion. I feel that there are people out there covering specific topics very well. PDC has pentesting and current and emerging vulnerabilities covered. Martin and Rich have current events wrapped up. Chris and Rich have deep, stimulating, and sometimes dry…err, I mean deep….oh damn, I already used that….security product evaluations taken care of. And there are plenty of bloggers who have specific topics that they expertly handle and keep up-to-date. Don’t forget, of course, the host of Security Blogger Soup….Mike. Damn, this is turning into a link party.

I guess my draw back is that I am one of those people who try and take a little something from everything. Breath instead of depth as they say. Or, as I prefer, Jack-Of-All-Trades. This probably goes back to my USMC days when the thought process was, “Be ready for anything at any time.” But for some reason I always feel like I am trying to play catch-up to many of the people I have just listed and a few more industry experts (review the list of SANS instructors for most of them). I came into the computer industry ten years after most of them had already been expert programmers or system/network administrators. So I find myself trying to keep up with fifteen to twenty years of experience on six years of my own (not including college where I started learning what computer components were…..this is a hard drive and you store folders and files on it in the form of Ones and Zeros).

Of course, I will periodically delve into deep discussions with some of these experts. The last time I did that I realized that I am still a little out of my league. Chris definitely showed me the error in my train of though and more importantly, the way that I evaluate and analyze products. In all actuality, however, my ultimate goal of starting a conversation and learning about the topic was achieved, I just feel that I did not represent (214 babe! ….inside joke). Maybe it has made me a little gun shy, but only because I want to be sure I am better prepared next time. I would much rather stick my neck out on such posts and have the learning experience, then continue to merely continuing to provide new analogies on topics that the industry has already broken several sticks on. I had to stop myself committing that sin today, as a matter of fact. But I do not want to embarrass myself in public, because on the Internet my wife cannot do the, *in that woman whisper voice* “Could you excuse us please? He’s had a tough day. Don, what were you thinking? I’ll tell you what….”

So, thank you all for thinking of me. Hopefully you drank more than one beer and shot for me (if not please start now). Thank you Michael for taking the time out to show me some lovin’. It is always appreciated and the beach is still down here in case you and the family were thinking about it. I hope everybody keeps checking the Security Ripcord feed for new content and will periodically point a link or post a comment from time to time as it does help.

Go forth and do good things,

Don C. Weber

Security Ripcord

Well, the results are in for the Blog Disclosure poll. I let this one run a while to get more responses and partly because I was out of the loop for a while.

The original question was:

Should you tell your employer about your blog?

The winning answer, receiving 15 of the 30 votes cast:

You should tell them during your interview or before you start blogging.

So I guess you definitely want to tell your employer that you are a blogger. This makes very good sense. You don’t want them finding out after the fact as there may be strict policies about blogging. Also, as blogging is becoming a marketing initiative in some companies, it might even work in your favor during an interview or for your reviews.

You can check out the full results on the Security Ripcord Polls page where you will find the results of this and other Security Ripcord Polls.

Go forth and do good things,
Don C. Weber

poll, blogging, Security Ripcord, Don C. Weber

I have obviously taken a bit of a break. There are multiple reasons for this: holiday activity at home, increased side project activity, and a new job.

Yes, I have left my position at an educational organization and accepted the position of Information Assurance Director for a DoD contract here in Corpus Christi. I am leading a new, 15 person team, responsible for providing guidance, assessment, documentation, and monitoring on security matters. (Yes, I have simplified it a bit.) Everything has really taken off to a great start. I am getting along very well with my team and the other managers and our bosses are very enthusiastic about moving forward and getting things accomplished. This is a great opportunity for me. Albeit, it moves me further away from the technical side of security, I guess project management is just the next logical step in my career’s evolution.

Some of you may have also noticed that I have come out from behind the pseudonym of Cutaway and included my real name, Don C. Weber, to several of the pages on this website. Cutaway started out more as a marketing gimmick as anything. It quickly turned into a necessity when I accepted my last job. This helped me distance my job from the consulting I was doing. It also proved to be useful for other reasons as time went by. But now it is time to brush it all aside. Cutaway is retired, long live Don C. Weber.

What does this mean for the Security Ripcord? Nothing really. It is very possible that the focus will turn to more management style issues. But, as I try to keep up my understanding of technologies, I’ll still post the findings or confusions here.

Thank you to all who helped me (no need for names, you all know who you are) through the past year and a half of challenges. Your advice proved valuable and kept me focused as well as calm. I would also like to thank my coworkers at my last job. The challenges and progress we made has definitely helped me grow and become a better security professional. I can only hope that some of the initiatives I helped start benefit and increased the security of the overall organization.

I am very excited about what the future has in store for me and my family. I am definitely not gone and you can expect more security related content soon.

Go forth and do good things,
Don C. Weber

Cutaway, security, Security Ripcord, Don C. Weber

I have created my first WordPress plugin titled “Login Warning Banner” to address a simple security concern. From the plugin readme file:

Login Warning Banners are important aspects for system security. WordPress blogs present a unique challenge as they are designed to provide remote access to multiple users through a publicly accessible authentication mechanism. By using a pre-authentication Login Warning Banner the blog administrators can
be certain that individuals attempting to access the blog have been informed about permissible activities and potential monitoring pertaining to accessing the resource. For more information please refer to the following resources.

Resources:
- [CIAC INFORMATION BULLETIN - J-043h: Creating Login Banners] (http://www.ciac.org/ciac/bulletins/j-043.shtml)
- [Whitepaper WP-007: Login Warning Banners] (http://www.unixworks.net/papers/wp-007.pdf) by Bob Radvanovsky

You can download the Login Warning Banner plugin from the WordPress Plugin site. You can also monitor the plugin’s home page for updates and other information here at Security Ripcord.

If you have any comments or recommendations please post them in the comments section here.

Go forth and do good things,
Cutaway

WordPress, plugin, Security Ripcord, Login Warning Banner

To increase the security within my organization I decided to have PGP come down and give our administrators and IT manager a demonstration on all of the services that PGP provides. Since reading about it I have been very impressed with the way that PGP has integrated all of the aspects of encryption into a centrally managed solution. Many people, however, are not fully aware of the extent of PGP’s product line. Even after an online webcast the administrators within my organization just didn’t understand how the PGP solution could integrate with our services and centrally manage their Email, File Sharing, Full Disk Encryption, and Split-Managed Key Escrow capabilities for Windows and Macintosh notebooks, workstations, and servers as well as some PDAs.

PGP sent down Bob Adams and Nathan Daniels from their Dallas office. Bob is their Texas sales representative and Nathan was their technical expert. After briefly chatting with both I discovered that Nathan has worked for Network Associates, F-Secure, McAfee, and has been with PGP for about three years. Definitely an impressive background. Although I don’t remember the full extent of Bob’s background, I do know that he worked for IBM in their Internet Security Solutions department and he knows several people on their X-Force team.

“IBM ISS X-Force team? Hey, do you know David Maynor and Robert Graham?” Bob knew Robert and spoke very highly of him as well as the rest of the X-Force team. (I just noticed that the X-Force team has a blog.)

Then later, was we started talking about which companies in Texas handled the sales of their product I asked if they worked with Accuvant. Nathan responded that they have been working with them recently. “Hey, do you know Michael Farnum?” Indeed Nathan has meet Michael and, of course, spoke highly of him as well.

Now, I’m not going to tell you that any of this name dropping gained my organization any bargaining collateral. But I can say that talking to these guys about people that they had met, worked with, and liked did help in the fact that we had a little more in common than before. This made everybody a little more comfortable and the meeting went very well. I guess it is just one of the extra benefits of blogging.

Go forth and do good things,
Cutaway

PGP, blogging, encryption, Accuvant, IBM, ISS, F-Secure, X-Force, Security Ripcord, Michael Farnum, David Maynor, Robert Graham

In honor of Rich Mogull’s return to the security blogsphere I have created a new poll.

I thought about limiting it to security blogs but, what the hell, I guess there are some other blog out there.

Welcom back, Rich.

Go forth and do good things,
Cutaway

securosis, blogging, poll, Security Ripcord, Rich Mogull

I have been reading a lot of articles saying that I have pointed the finger at LMH and PHC. I even received a comment to that effect.

#
jf
Comment @ 07/19/07 at 5:26 am |e

eyeroll, common everyone knows that the informant is icer/maynor which basically removes all credibility because (a) he’s a pathological liar and (b) he’s got beef with LMH. This stupid irc convo doesn’t prove anything other than you’re gullible.

So I responded

@jf

Actually the “informant” is not Maynor. Although I know him I have never talked to him via IRC. You can check out the comment my source made to Martin McKeay’s blog.

Also, I haven’t said anything in my post that proves LMH or PHC are involved. Actually, I try to follow up on the information the “informant” gave me but didn’t gather any more information than most people who knows these individuals are already aware of as old news. Now, if I had known about the Unmask program I would have performed some the actions HD Moore took as described in the article on Techzi.

The main thing this did was get this subject in the news so that the infosec sellout received more publicity then it was worth. What all of these players need to realize is that it is okay to be anonymous, it is okay to be a jerk, but the two shouldn’t be mixed.

Something I thought of afterwards. If you are trying to remain anonymous, and you could be fired for writing in a blog, you should not brag about developing a worm for any operating system. It is going to get you attention that you probably do not want as people will start looking at you a lot more closely. Infosecsellout found this out the hardway.

Go forth and do good things,
Cutaway

Unmask, infosecsellout, LMH, PHC, Techzi, Security Ripcord, HD Moore, David Maynor, Martin McKeay

Today I was minding my own business in a chatroom that I monitor when somebody posted something about infosecsellout. Normally I ignore anything pertaining to infosecsellout due to an unprofessional and childish comment posted about Alan Shimel. But this time I had to pay attention. This time somebody pointed a finger at who is behind the content posted on the infosecsellout blog site. The finger was pointed at LMH and the Phrack High Council (PHC) (yes, the link is broken but you can check out what it looked like here).

I have no way to confirm any of these statements, but here is the text of the conversation. And, yes, it has been edited to protect identities.

[3:37pm] [informant] okay- i have permission to officially leak it. we think
sellout is LMH and the PHC kids. spread the word
[3:37pm] [cutaway] HA
[3:37pm] [informant] and we think some of them engage in illegal hacks
[3:37pm] [cutaway] HA
[3:38pm] [cutaway] seriously on that last one?
[3:38pm] [informant] yep, btu no evidence
[3:38pm] [cutaway] That would be an interesting blog post
[3:38pm] [informant] yes it would
[3:38pm] [cutaway] Ou would love to drop that
[3:38pm] [informant] if you look up the phrack high club stuff, they state
clearly their goal is to trash the infosec industry
[3:39pm] [informant] what better way to do that than pretend to be insiders,
and make up a bunch of BS and disinformation
[3:39pm] [informant] a disinformation campaign against the infosec industry
[3:39pm] [informant] almost ingenious
[3:39pm] [informant] feel free to leak to ou if you want
[3:40pm] [innocent.bystander] I don’t think I want to be the one to post that.
that is sort of like saying - that group of kids is robbing houses - from
your front porch
[3:40pm] [cutaway] I just might wait on that one
[3:40pm] [cutaway] I was just thinking that
[3:40pm] [innocent.bystander] sort of invites them to come on in
[3:40pm] [informant] yeah, no proof on the illegal stuff
[3:40pm] [cutaway] but what points you in that direction?
[3:40pm] [informant] but we’re pretty sure they do it
[3:41pm] [cutaway] stuff they say or reference in the infosellout blog?
[3:41pm] [informant] when you hear enough rumors from enough sources, and
track that to behavior, eventually a rough picture emerges
[3:41pm] [informant] look at the language on the blog and the pHC stuff
[3:42pm] [cutaway] I am trying to think how to present it when I don’t
read sellout and I don’t have references to specifics
[3:42pm] [cutaway] not that I am asking you for any
[3:42pm] [cutaway] just thinking outloud
[3:43pm] [cutaway] Hmm, I’m going to have to play with that tonight
[3:43pm] [innocent.bystander] gotta go offline for some testing, back in a few
[3:43pm] [cutaway] If I don’t come up with something I’ll ping Ou
[3:43pm] innocent.bystander left the chat room.
[3:43pm] [cutaway] Unknown source of course
[3:43pm] [informant] of course
[3:44pm] [informant] you could just say you got an anonymous email, and that
they’re goal has been to sow chaos

Interesting, yes. Proving illegal activity….well….I doubt I even want to start digging around for that information. But I thought I would check into the claim of PHC trying to discredit the information security industry. First I started with the latest edition of Phrack where I found this:

Q: And about PHC?
A: Well, thats an interesting question. To be honest, PHC did not just do
those bad things we were used to learn from the web or irc, we like some
of them and even know very well a few others. Also, the two attempted
issues 62 and 63 of PHC had an incontestable renew in the spirit and
there were even some useful information on honeypots and protecting
exploits.

However, we have a problem with unjustified arrogance. If it’s true
the security world has a problem with white/black hats, we think that
the good way to resolve the problem is not to fight everyone,
especially such a poor demonstrative way. It’s not our conception of
hacking. Take the first 20 issues of Phrack and try to find unjustified
arrogant word/sentence/paragraph: you won’t find any. The essence of
hacking is different : it’s learning. Hacking to learn.

You can be a blackhat and working in the IT industry, it’s
not incompatible. We have nothing against PHC and we think the
Underground needs a group like PHC. But the Underground needs a magazine
like Phrack as well. The main battle of PHC is fighting whitehats but
it’s not Phrack’s battle. It’s never been the purpose of Phrack.
If we have to fight against something, it’s against the society and
not targeting whitehats personally (that doesn’t mean that we support
whitehat…). Phrack is about fighting the society by releasing
information about technologies that we are not supposed to learn. And
these technologies are not only Unix-related and/or software
vulnerabilities.

We agree with them when they say that recent issues of Phrack helped
probably too much the security industry and that there was a lack of
spirit. We’re doing our best to change it. But we still need technical
articles. If they want to change something in the Underground, they are
welcome to contribute to Phrack. Like everyone in the Underground
community.

Next I found this post to Full Disclosure:

—– Original Message —–
From: Phrack High Council
To: full-disclosure_at_lists.grok.org.uk
Sent: Thursday, November 24, 2005 1:29 PM
Subject: [Full-disclosure] Return of the Phrack High Council

Dear FD Reader,

It’s been a very long time since we last spoke, but just like the Pheonix (not the city, you dumbfuck!) i was reborn from my own ash. We, the PHC, been for too long in the underground (gathering informations, snooping whitehat tty’s, backdooring various boxes, etc.) to be able to keep up with the amount of bullshit that goes to this list on a daily basis. But NOW, the Phrack High Council is once more into the lights! We’ve been in the underground gathering informations about *YOU* and your fellow ‘ethical hackers’.

You should expect to find your mail spool and porn collection on our web page soon enough. Don’t assume you are safe because you are NOT! No, we don’t like you and no, we won’t stop. But, for now, we proudly present the inside of the Star Hackademy (www.thehackademy.net) and an early _final_ PDF version of their lame zine (thanks core, you are a real pal). We couldn’t get our hands on the hardcover; it’s scheduled to be released sometime in december. Sorry!

PHC is not a hacking group, it’s a state of mind. PHC is not a group of people, it’s a movement of people. We do not exist!

Please enjoy visiting http://phrack.efnet.ru as the next home of your mailspool *g* and remember ….

…. “keep pr0j3kt m4yh3m alive!”

The “keep pr0j3kt m4yh3m alive!” quote lead me to a mirror of the Phrack RU site index page:

Phrack High Council - 2005
“Keep pr0j3kt m4yh3m alive!”

Official Note

It’s been a long time, indeed. Two years of underground, now PHC is back into the scene. I bet
many of you have no fuckin clue *WHY* suddenly, the anti-infosec movement slowed down. Some of you
thought it might’ve been the fedz. Some others said PHC members got security jobs. There were also
some voices stating we have no exploits left. HAHAHAHA! Get real, son! We sit our asses on more
goodies than ISS and iDefense, altogether.

PHC is *NOT* a hacking group, it’s a state of mind! Stop asking about us,
we know all about YOU!

PHC was never *GONE*, we just reached a new state of mind, a new underground level. You, our
faithful follower, our friend, our brother, know where we’ve been. We’ve been scooping the infosec,
getting inside informations, KNOWING OUR ENEMY (thx Spitzc0q), puttin their lifes into misery! But,
in the mean time, we also had our eyes on the scene: some of you kept pr0j3kt m4yh3m alive. The rest
acted like sheeps left w/o sheppard: bowed yer heads to them wolves! This is your last chance: you
either change or become a target. Everyone can be a target: security professionals, CISSP (hi
Johnson aka [t]hief, still playing the ‘hacker’?), security companies, bugtraq wannabeez, all kinds
of wannabeez, them bitches, non-believers, haters, etc.

Gray is not a choice anymore. It’s US or THEM. It’s not a game. The IT Security industry is
affecting our day-to-day life. More and more east-europeans, chinese, indians, pakistani, etc.
think they will find milk and honey working at a security company; you fuckin twats! They’re just
exploiting you. You’re serving a cause that’s not yours, making your boss rich! If you don’t see
our point, then fuck you, you made it to our target list.

Everybody should remember gayh1tler’s last wish: keep pr0j3kt m4yh3m alive! Each and every of
you should follow his words of wisdom. You have no right to do otherwise! And if you do, we see you,
we know who you are and your ass is blast.

It’s the WHITEHAT HOLOCAUST! WHITEHATS, STEP INTO MY OVEN!!!!

- Phrack High Council, 2005 AD

Finally I figured I should check the infosecsellout site to see if I could locate any blantant FUD. The only thing that really stood out was the recent claim of a worm for OS X. Although this may or may not be an attempt to generate bogus information I did not see anything else that could not be described as just another person’s opinion.

Apparently, this information has also gotten around a bit already. It seems that infosecsellout has posted an email from LMH and/or the crew at info-pull that claims they are not affiliated with infosecsellout despite David Maynor’s opinion.

You know, I am starting to wish I had ignored the original message about infosecsellout. Although I cannot say that there is any specific misinformation associated with the blog. The completely unprofessional attitude and behavior of its author(s) just reminds me of why I started, and should have continued, ignoring this blog, all conversations associated with it, and any claims about who the author(s) may or may not be. I’m also glad I did not bother George Ou with this. Infosecsellout does not need any more publicity than it already gets. I have also come to realize, it is just not that interesting. Although I would like to blame infosecsellout for wasting my time again, I can really only blame myself.

Go forth and do good things,
Cutaway

Phrack, PHC, LMH, Security Ripcord, Infosec Sellout, David Maynor, Alan Shimel, George Ou

Some of you may have noticed that the site was down for a couple of days. This was because of an apparent flaw with Wordpress. While I was attending the ACUTA conference in San Diego I decided to catch up on the news. I am glad that I did because I noticed that Darknet had an entry about a newly discovered security vulnerability with all versions of Wordpress below 2.0.4 . Unfortunately his actual site was down and I was not able to read the full article. So I made a quick judgment call and decided to take the site down until I understood more about what was actually happening.

Now that the Darknet site is back up, and I am able to get online, I see that the problem lies in allowing anybody to register for an account. I am not actually sure of the exact problem except that it would lead to escalated privileges for the user. As stated in his article the temporary fix for the problem is to not check the "Anyone can register" box in the "Options" management tab. I have verified that I had already disabled this setting and now that site is back up. I will, however, update to the new version of Wordpress which is version 2.0.4 once I get a chance (i.e. after I back everything up ). You should do this as well.

Go forth and do good things.
Cutaway

security, Darknet, Wordpress, Cutaway Security, Security Ripcord

First of all I would like to say that I am very impressed with the responses that I have received from the established podcasters out there.  I've had responses from Martin McKeay , Dan Kuykendall , Michael Santarcangelo , and (another new guy on the podcasting block) Alan Shimel.  I contacted them for a few promos so that I can start practicing leadins and I figured that they will get back to me in a few days.  Well, I was about to log off when the emails from the West Coast started coming in.  They started offering advice and suddenly DDOSed my host's server.  Luckily Martin had a solution, LibSyn and a few hours later I was up and running.  Little did I know that he was going to plug me and Alan the next day.  So, what was suppose to be a leisurely introduction into podcasting has built up a bit of steam.  No stopping now.

Luckily, as I stated, I was given a few words of advice that I was told I could pass onto all of you.  

Advice from Martin McKeay:

Some input:

-> Get your podcast to a hosted environment.  Don't try to host them
yourself.  Libsyn accounts start as low as $5 month.  Your current
bandwidth is too low to host the podcast, a problem which is very
clear when I tried to stream it.
->  Show notes!  It makes it a lot easier when you go to record.
-> If you're going to be doing this a while get a decent mic.  I've
heard a lot of good things about the Blue Snowball mic, which is
around $140.  Or you can get a M-audio MobilePre USB preamp and a
decent mic.  I've got a Audio Technica AT2020.  Check out Dan's
podcast setup at Mighty Seek
-> Something I just found out:  Don't export to mp3 from Audacity.
It's a great program but the LAME encoder introduces sound artifacts
into your audio.  Export to a WAV file and then open the file with
iTunes and use that to export to MP3.  I use Audacity to record, but
when I'm doing my encoding, I'm now using Adobe Audition.  As of
today, that is. I've also used Propaganda, which has a demo, is cheap,
but is fairly limited.  It's encoding is also better than Audacity's.

Relax and have fun.

 I have to say that without Dan's Podpress I would have been completely dead in the water.  Even after I DDOSed myself and updated to LibSyn it let me quickly and easily point to the file located on my LibSyn account.

 So, if you are going to try this, I am here to tell you, there is a lot of support in this community.  I'm sure they will be watching me closely.  Hopefully I can contribute.  

Time to start working.   Thanks to all who have listened already. 

Go forth and do good things,

Cutaway 

Podpress, podcast, StillSecure, LibSyn, The Security Catalyst, Network Security Blog, Mighty Seek