Security Ripcord

I am about to harden a Linux box and I need to re-read the documentation to Bastille. As I started typing the URL I remembered that the original URL I am use to following has been obtained by a Domain Squatter. I had originally heard about this incident while listening to PDC. I was then actually affected by it when I discovered that a link in the CIS VMware ESX Server Benchmark pointing one of Jay’s articles was broken because of the new bogus site put up by the Domain Squatter.

If you would like more information about this check out the letter Jay Beale wrote to the users of Bastille. It does seem that he will be able to get the site back through his lawyers. I am not sure if Bastille is trademarked and therefore might not fall under the Anticybersquatting Consumer Protection Act but I assume that he should, at least, have some copyright precedence to fall back on. He also points out that although the new site currently points to the actual Bastille download site he is worried about the potential for this site to distribute hacked versions of the software. To protect against this possibility he will be using his PGP key to create a signature for legitimate releases that users can use to verify the versions they obtain.

This whole thing really ticks me off. I agree that purchasing an original domain name (not a product name that has been trademarked), and selling it to somebody when they find the need for it, is perfectly legitimate. But I do not like the idea of people waiting around for a site’s domain registrations to expire, snatch them up before the original owner or organization can update the account, and then attempt to sell it back to the original owner for a large fee. One simple act by an outside individual could cost a company a lot of money either in the repurchase of the domain name or the re-branding of an entire product or line. Although for big business this might not be a problem, I can see a real impact to open source projects and small businesses.

I wish Jay the best of luck with this whole incident.

Go forth and do good things,
Cutaway

Bastille-Linux, Bastille-Unix, Linux, CISecurity, Security Ripcord, Jay Beale, domain squatter

While looking at the latest on Slashdot I noticed a reference to Microsoft's recent step into the social network sites.  "Hmmm," I thought to myself, "I wonder if they have learned the lessons about social networking/engineering security from MySpace.com."  Apparently, the answer is no.

I started looking at the Microsoft site "Aggreg8 " from the prospective of a father whose son wants to sign up for the service.  Okay, before we register with the site let's see what secureity guidance they have to offer.  What protections are they going to offer my children.  So, I browsed to the Aggreg8 site and I looked through the links they provided:

Help | Code of Conduct | Terms of Use | Privacy Statement

After reading through each of these the only things that I found useful that remotely resembled Privacy and Security help were on the help page.  The following was copied from that page:

Privacy & Security

• How do I change my Password?
• How do I change my Username?
• How do I change my email address?
• What Profile settings are required?
• What if I don’t want my name displayed in the member lists?

"Interesting," I thought to myself, "seems a little lite on the privacy and protections issues."  Well, what does MySpace.com have to offer.  So, I browsed to their site and I found their link titled: Safety Tips

'Nuff Said.  Pull your head out of your ass, Microsoft, and help us protect our families.   Start paying attention to the issues and threats that are out there before you start offering up services with inadequate protections.  But, then again, would we expect anything less from you?  I don't care if you have a "Safety Tips" page that is available for registered members.  I want to know how you are going to be protecting me and my children before hand.

Go forth and do good things,

Cutaway 

Microsoft, MySpace, Aggreg8, safety, Security Ripcord

Yesterday, November 10, 2006, was the United State Marine Corps' 231st birthday.  What better way to celebrate than to award a Marine the Congressional Medal of Honor.  Corporal Jason L. Dunham died in action protecting his fellow Marines from a deadly explosive.  He did this in a most unimaginable way for many civilians but in a way that has become almost customary to military men throughout United States history.  He jumped on a grenade and covered it with his helmet.  As stated in an article titled "First Long War Marine to Recieve Medal of Honor" on the United State Marine Corps website: 

My deepest sympathies go out to his family and I would also like to express to them the pride that I feel knowing that during my enlistment I walked among men just like him on a daily basis.  It is definitely a far cry from some of the individuals I am forced to interact with now that I have returned to the civilian sector.  A good example of this is shown in the most recent publication of the VFW magazine.  With articles titled “AWOL: Why Less Than 1% of the Population Serves in the Armed Forces” and “Phony Iraq and Afghanistan Vets: ‘I am a Liar’” you can imagine the way I feel. 

Don’t get me wrong.  I have met plenty of people who are outstanding and hard working American citizens.  But I have also been exposed to the rest in a very disheartening way.

So, for these people I will leave them with the following list of Marines that also comes from the same issue of VFW magazine.  This is a list of Marines who have awarded with, or are in nominations for, some of the highest military awards that can only be achieved under fire during enemy action.  Remember these volunteer men and women as you live, breath, walk, talk, work, bath, and do anything else related to the freedom they have helped protect and preserve.  I will leave it up to you to research how they have achieved these honors. 

• Corporal Jason L. Dunham – Congressional Medal of Honor
• Sgt. 1^st Class Justin D. Lehew – Navy Cross
• 1^st Lt. Brian R. Chontosh – Navy Cross
• Lance Cpl. Joseph B. Perez – Navy Cross
• Sgt. Scott C. Montoya – Navy Cross
• Cpl. Marco Martinez – Navy Cross
• Sgt. Willie Copeland, III – Navy Cross
• Capt. Brent Morel – Navy Cross – Awarded posthumously
• Staff Sgt. Anthony Viggiani – Navy Cross
• Sgt. Robert J. Mitchell, Jr. – Navy Cross
• Sgt. Maj. Bradley A. Kasal – Navy Cross
• Sgt. Jarrett A. Kraft – Navy Cross
• Sgt. Jeremiah Workman – Navy Cross
• Lance Cpl. Todd J. Corbin – Navy Cross
• Pfc. Christopher Adlesperger – Nominated for the Congressional Medal of Honor
• Sgt. Rafael Peralta – Nominated for the Congressional Medal of Honor

To all my brothers and sisters still serving, giving their sweat, blood, and time with their family in defense of their country: I love and salute all of you. Carry on. 

And to all of the Marines: Happy Birthday.

Go forth and do good things,

Cutaway

Security Ripcord, United States Marine Corps, Congressional Medal of Honor, Cpl. Jason L. Dunham

I have known about Randal Schwartz' s situation since I started getting into security in College.  By 2002 he was already well into his life as a convicted felon.  I have since been able to read the information available on a website detailing his crime and hear him speak during several interviews.  What has struck me is that Randal is a man who knows what he did was wrong, has accepted what happened (doesn't like but accepts), and has moved on with his life.  Since this incident he has delivered many presentations on the subject and thereby educated many new and old security professionals on the importance of obtaining permission, in writing, before any action.  And I would venture to say that his work with Perl has done more for security across the technological landscape then most of us combined will ever achieve.

That said, I had kind of put Randal's situation in the back of my mind.  That is until his recent attempt at receiving a pardon from the State of Oregon.  Right off the bat I was all for this, but then I decided that I needed to be fair.  So I did a little research which you can see below.  As to the sentence, what Randal was given seems about par for the course.  He does have three felonies which has affected him in many more ways, but so it will be with most of these individuals.  What really struck me as curios is the fact that all Randal did was run the Crack program on a password file.  Yes, bad, but look at the monetary costs and personal damage (including intent) caused by these other individuals.  These people's malicious actions win the race hands down.  But Randal's sentence is "par for the course."  

I cannot make up your mind for you, but mine is made up.  Randal has served his sentence and should be pardoned.  If any of these people below spend the following 13 years of their life doing the types of actions that benefit the community as a whole as Randal has, then they should be considered as well.  Please help Randal in whatever way you are able.  Here is the information from the Network Security Blog .

If you can help Randal, either by offering up financial support (it's not cheap to apply for clemency) or by writing a letter of support, please drop me a line and I'll get you his contact information.  Actually, for the financial support, you can skip me entirely and make a paypal dontation to merlyn@stonehenge.com.

Go forth and do good things,

Cutaway 

The Department of Justice has a great site for information about computer crimes.  Be sure to check out the DOJ's Computer Crime & Intellectual Property Section . 

Randal Schwartz – 5 years of probation, 480 hours of community service, 90 days of deferred (cancellable) jail time, and $68k of restitution (source: http://www.lightlink.com/spacenka/fors/)

Lowe's credit card hacker – nine years (source: http://www.msnbc.msn.com/id/6719246/, http://wired.com/news/technology/0,71358-0.html)

Hilton PDA hacker -  11 months in juvenile facility and $10,000 in restitution(source: http://news.com.com/Hilton+hacker+sentenced+to+juvenile+hall/2100-7349_3-5865391.html, http://www.tabloidcolumn.com/paris-hilton-hacked.html,http://news.bbc.co.uk/1/hi/technology/5294412.stm)

cracker of the 1S computer software products -  2 year suspended sentence after 6 months of hearings (source: http://www.crime-research.org/news/25.04.2005/1175/)

Botnet Hacker – 3 years (source: http://seattletimes.nwsource.com/html/localnews/2003226994_botnet26m.html, http://seattlepi.nwsource.com/local/282674_botnet26.html)

DirectTV Hacker – 7 years and $24 million in restitution (source: http://www.securityfocus.com/news/10103)

Bank Hacer from Russia – 3 years and $700,000 in restitution (source: http://www.cybercrime.gov/gorshkovSent.htm)

The Helpful Hacker – 6 months at home with his parents [opps, who is this punishing? Both the kid and the parents!  Good!]  (source: http://www.technewsworld.com/story/35195.html)

The Deceptive Duo Hackers – 2 years probation and $71,181 in restitution (source: http://www.internetnews.com/bus-news/article.php/3489436)

Kevin Mitnick – 46 months and $4,125 in restitution (source: http://www.usdoj.gov/criminal/cybercrime/mitnick.htm) 

Darkside Hackers – 21 months and $92,480 in restitution (source: http://www.usdoj.gov/criminal/cybercrime/miffle2.htm)

Randal Schwartz, Security Ripcord, Network Security Blog

Although this is not so security related I thought I would bring it up.  I have a serious problem with people who live in this country and then create this kind of stuff.  Blackfive once again pointed out an article that is, to me, extremely distasteful.  Now, I am not one to write letters to the editor but I couldn’t help myself in this case.

I am not sure if this will get published in its complete state because "The Arizona Republic" limits editorial comments to 200 words (Now how can you get into a good grove in under 200 words?) so I have included it here. 

I was recently made aware of your editorial comic with a blood stained Eagle, Globe and Anchor. You have, for some reason unapparent to me, placed the comments "United States Massacre Cover-up" on the ribbon the normal proudly displays the words "United States Marine Corps." It also appears to me that there is blood dripping from the claws of where the eagle is attached to the globe. I assume that you are referring to the blood spilled by Marines in combat. Well, I have a few things to say about this piece of, and I use the term loosely, art.

First, I thought that we live, and you publish, in a country where the accused are innocent until proven guilty. I understand that there is still an ongoing investigation into this matter. My understanding is that the United States Marine Corps (USMC) leadership has taken this matter very seriously and they are vigorously investigating it. So much so that some veterans are concerned that they are not backing their own men to the extent they deserve. We are one of the few nations in the world who will hold our Soldiers, Sailors, Airmen, and Marines to task for these types of improprieties. But we should do so in a dignified manner.

Second, you obviously have a problem with the USMC as a whole. This just does not make sense. Marking the USMC for the actions of a few persons would be like assuming that everybody in your newspaper is as leftest, inconsiderate, unpatriotic, dispassionate, and downright idiotic because of this editorial comic. I hope that some of your employees will take exception to this but, it appears to me, that your editors cannot.

Third, the USMC will endure this situation and your comic. It will endure this war and the next and the next. Because we believe in ourselves, our brothers and sisters, our service, and our country. Because of that freedom will ring for Americans as well as those we are able to assist. The ring will be resounding and clear compared to the dull and embarrassing thud of your editorial comic and your newspaper. And because of this your newspaper will, unfortunately, survive as well.You should be ashamed of yourselves and you owe all Marines an apology. Remember, the blood that is dripping down that globe is mixed with the blood of thousands of men and women who have served their country proudly and are disgusted by this editorial comic.

Semper Fidelis,

Don C. Weber

Former Sergeant

1st Force Reconnaissance Company

United States Marine Corps

 Please feel free to comment to this newspaper or to its sponsors as they are listed on Blackfive’s blog

Go forth and do good things,

Cutaway 

Hello all.  I understand that not blogging is a very bad practice for a blogger.  Unfortunately it has not been my intention but it was for a good cause.  I have recently accepted a new position as I.T. Security Manager for a university in Corpus Christi, Texas.  I am currently in the process of moving, selling my home, and spinning up on what is going on at my new job.  This has left me with very little personal time to devote to writing but I hope to get back into it in the near future.  I have a few good ideas in the works but they are going to take a little research and some time to complete.  Please check back soon.  

One interesting thing about my new job is finding out when people are Googling me.  I have noticed several hits to this site originating from the university's domain.  Hopefully, all find the past posts interesting and useful.  What they were hoping to find I am not sure, but as I have an open door policy they should just swing by my office.  

On another note, my sister Beverly is doing better but she is still traveling down that long road to recovery.  We have recently moved her to a new hospital in San Diego where she should get more personal care than she did in Bakersfield.  Unfortunately her cancer and its treatment has left her very weak and unable to work.  She is still accepting donations at BeverlySue.org .  If you can help please do, she has several bills that cannot be disposed of (rent, car, medical) but there is no way she can hold a job in her condition.  Please donate if you can or drop her an E-mail of encouragement.  Her E-mail address is located on her site.  Thank you to all who have helped up to this point.

Take care and stay tuned,

Cutaway 

Security Ripcord, BeverlySue.org, Cutaway Security, Corpus Christi, Texas, Security Manager

As you can see I have not blogged in a while. There are several reasons for this but the main reason is that my sister, Beverly, has been diagnosed with Acute Myeloid Leukemia (AML). She is 25 and lives and goes to school in Bakersfield, California where as I live and work in Dallas, Texas. To say that this has been a trial would be correct. Having a crash course in any new topic is hard, but when it is this important the pressure really kicks in.

For now everything is going well. Leukemia, as it turns out, is a waiting game. First you have to wait for lab results of the bone biopsy, then you have to take your chemotherapy while you are waiting your diagnosis, then you have to wait for the results of another bone biopsy. You also have to wait for paper work. Paperwork from the state, paperwork from the federal government, from you school, from you work, from the hospital, from …

Fortunately there are many resources on the Internet that are very helpful and clear enough so that a non-medical person can understand. Some of these links include:

• The Leukemia and Lymphoma Society – these people can help with just about anything. They are a great place for people to voluneer as well. They offer finacial assistance.
• American Cancer Society – I didn’t think these people could help, at first, because there is the LLS. Don’t make this mistake. They also offer finacial assistance.
• A.P. John – What is Acute Myeloid Leukemia – this is an excellent description of the cancer and its aspects.
• Pathology Outlines – Some gritty details if you are a labtech.

As I stated above, we are playing the waiting game. We are currently trying to find a way to get her out to Texas without a break in her treatment and without losing her benefits. I have set up a site for her so that people can find out who she is and how she is doing. It is BeverlySue.Org and although it is a bit rough right now I am planning on making some updates soon. I have set her up with a PayPal account so that people, who are able, can help her out. Donations will go towards paying her bills while she cannot support herself and eventually help with her move to Texas expenses.

If you find it in your heart please visit the site and help her out. Please refer your friends and family as well. Check back often and drop her an E-mail of encouragement when you can (the address will be posted on the site soon).

Thanks to all who read this to the bottom. I know that it is not very technical and I will try to return to more security related posts in the near future. On a quick side note I wanted to thank Martin McKeay of Network Security Blog for posting my first comment. I really enjoy his input to the community and I highly recommend his podcast.

Thanks to all,
Cutaway

I have to agree with Richard Bejtlich and the recent article in The Jem Report by Jem Matzan that we need to support OpenSSH better. I know that I use it and my employer (through a third party OS mentioned in Jem Matzan’s article) uses it. Of course up until this point we were both the same in the fact that we both have not supported the project. As of tonight that will change.

Richard and Jem, thank you for shaming us into reality. I hope your efforts work. And thank you OpenSSH for keeping the world safe (dramatic? Maybe, but then again, maybe not!)
Please donate to OpenSSH as soon as you can find the time. Especially if you are using it right now!

Cutaway

Okay, I am getting a little sick and tired of the constant chatter about “this operating system is better than that operating system.” It is like the white noise in the background of any room where there is more than one technically savvy person. People just need to get over the fact that there is more than one tool out there and that a job can usually be done by any one of those tools. Sure, many times one of those tools does a better job than the rest, but guess what, that is true of everything else in life.

“Where is this coming from?” you ask. Well, this past week I had an interview for an Security Manager position and one of the system administrators asked the question, “So, how are you going to treat my linux server if you are hired to this position?” I told him that I didn’t have a problem with one operating system over another. I explained that any job can be done by any operating system and that a good security administrator will have to be ready to evaluate any system to determine how it is affecting the security of the environment. A pretty good answer in my mind but it seems that the statement “any job can be done by any operating system” raised a few hairs and ruffled a few tail feathers.

Look, in my heart of hearts I am a Linux man. However, I working in a Solaris and IRIX mixed environment that is moving to a Solaris and SUSE mix and periodically a Windows system will rear its ugly head. Do I mind? No. I am happy to secure or provided suggestions when securing any operating system. Has this hurt me a little in the fact that I am not completely conversant in any one operating system. Maybe, but I am ready for all encounters and I will overcome either with the knowledge in my head or a little bit of SANS Reading Room and/or Google.
Please get over it,

Cutaway

Up – down – up -down. First the site is up and then it is back down again. Although this has been the recent behavior for this site I am hoping that the problem is fixed.

It seems that the hard drive the web server was spinning decided it had had enough and it was not going to serve up any more bits. So, with a little hard work all of the original posts have been entered into the new and improved Wordpress blogging software. Unfortunately I did not have time for to update the links. Maybe I’ll have time later. Then again maybe not!

Please stay with us and don’t let the most recent activity drive you away….Hello….Hello out there??? Shit, oh well.

Take care,

Cutaway