One of the biggest challenges right now comes in keeping secure while we’re constantly connecting to systems of unknown trustworthiness. Even when I connect to this site, on a server that I built and administer myself, which I pay for entirely from my own pocket, there’s still that little doubt in my mind.
Most other sites give me much stronger reasons to doubt them, not least because I have zero clue how good or bad they may be. There are companies I trust more to maintain secure networks, and some I trust less. My experience as a pen tester has informed this a bit further, such that about a year ago I changed how I handle my browsing.
Continue reading “Safer browsing without too much annoyance”
In the IT world, and especially in security, we write a lot of reports. We often get the technical information right but the presentation can be a little dry, which can limit the impact. The following began as suggestions for writing penetration test reports (roughly along the lines of the SANS SEC560 template), but they can apply to other reports as well.
Continue reading “Tips for writing effective reports”
I get a lot of people asking me how they can get involved in security. Some of them are IT pros who have been in their careers for many years while others are new, like a help desk novice. But they all want to get involved because security is the exciting place to be. It’s the hot place that isn’t going away, unlike the rest of IT that, it seems, management seeks to automate out of existence.
Well, they’re right. Or some of them are, at least. It’s currently the sector least likely to be automated out of existence, but that’s largely because it’s currently too complex to do. I remember when a lot of IT was like that. We did much of our work by hand, as scripting was a luxury, especially on Windows. Security will come to that point, too, but it will probably be a little while. There are simply too many legacy systems around for it to be otherwise.
Anyway, here are some tips for getting involved in security. These are based on my own experiences coming up from informal desktop support through servers and then into security.
- Start thinking like security people. Security people by and large think…differently. The hacker ethos is there, and it’s not just about breaking into systems. It’s about changing things to get the desired outcome. This applies to offense, defense, and things that have nothing to do with either.
Here’s the hard part: If you don’t know how to do this, by all means, ask. We’re usually happy to explain how we approach our work. Have lunch with security people you know. Read papers, books, and weblogs. Watch videos from past conferences. Even better, attend conferences like DerbyCon and your local BSides, places that are welcoming to people who are new to the field.
Once there, ask to join a conversation. There’s a good chance you’ll be able to join, even if just to listen. Don’t pretend you’re better at something than you are, because you’ll be found out in about nine seconds and shunned. And they will remember you if they see you again, like across the table in an interview. Security is a much smaller field than people think.
- Integrate security into your daily work. If you work on the help desk, start asking yourself how the callers’ actions could cause security problems, taking notes about your thoughts and running them by your security staff (another reason to have lunch with them). If you’re further along, learn how to harden the systems you maintain. Don’t change anything without permission, of course, but read about others’ experiences, and realize that one size does not fit all. Just because a respected guide recommends clearing the page file at shutdown doesn’t mean it’s a good idea for your environment. The more you do this, the more you start thinking like security, the better you’ll get on with them, and the better chance you have at joining them one day.
- Integrate security into your daily life. This isn’t just hardening your home systems. Learn to spot security issues as you go through life. I have some friends who think it’s sad and/or paranoid, but when I walk into a building, the first thing I do is start looking for ways to subvert the security in case of an emergency. This develops mental reflexes that are necessary in any security role, as the ability to spot something amiss and react to it is critical regardless which side you’re on.
- Set up a lab and tinker. Scrape together a system at home and install a free hypervisor like VMware ESXi, KVM, or Xen. Or get a copy of VMware Workstation (or Player if you can’t afford it) or VirtualBox and install it on your workstation. Download ISOs of older software like CentOS 5.0 and start looking up exploits against them. Keep those guests on an isolated, host-only virtual network: an unpatched CentOS 5.0 image is exactly the kind of thing you don’t want reachable from the rest of your home network. Once you find exploits, look for ways to mitigate them without patching, because patching is not always a solution for a number of reasons.
- Learn multiple operating systems. You’re going to be interacting with a lot of different gear from different times. If you’re most comfortable on Windows, start learning Linux. When you do, it’s best to dive in, spending at least a week using it as your sole operating system to force yourself to learn how it works. Then find other environments that you don’t know and learn how they work. You’re not necessarily going for mastery, but some familiarity with how they work goes a long way.
- Learn a scripting language. Even if you’re not a developer, you need to learn something about automation. You have two primary choices based on default installations: Python for Linux and PowerShell for Windows. A third option, primarily for Linux, is Ruby, which is in some ways easier and more compact (and Metasploit is written in it). Regardless, you need not be an expert (though it helps), but you should be able to read a script and describe its flow. Find an idea and start writing it yourself. You’ll likely do it badly, but if it’s yours, you’ll have more passion and drive to finish it, and that will help you learn.
- Keep your eyes open. Security opportunities won’t always be as obvious as position postings. Have lunch with security people. Volunteer to work on security projects (even if security people aren’t involved). Volunteer your time with non-profits: the smaller ones, especially, can use some help. Go to conferences (the point bears repeating). There’s value in who knows you as they might pass word of a new opportunity along.
- Don’t whine. Very few people got into security purely by luck. Many of those who did failed to get anywhere. Getting into security usually takes work. Getting ahead in security takes more work. What will irritate security people is when someone whines incessantly that they can’t do something but clearly haven’t put forth any real effort. Show you’ve put forth the effort and you stand a chance of getting in and/or getting ahead.
That’s what I usually tell people, though this is (amazingly) a much shorter version of the discussions I usually have. I’m happy to talk with anyone who wants to get into security. We still need all the help we can get.
I’ve been puzzling over why Wireshark seems to lock up when launching on Windows 8.1 and dumpcap.exe sits in the background even after Wireshark is forced to close. Some experiments from the command line showed that any time dumpcap.exe tries to use some aspect of its capture behavior (including just listing interfaces), it locks up. Various tools suggested that it was waiting for some external event to allow it to close.
I finally learned from an Ask Wireshark post that it was due to the WinPcap driver (NPF) not being configured to start on demand. The solution is simple:
- Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start to 3 (0x00000003, SERVICE_DEMAND_START).
- Enjoy packet capturing goodness.
I believe this is an issue with WinPcap and not Wireshark. There’s an alternate solution of running Wireshark in Windows 7 compatibility mode, but I try not to run things in compatibility mode unless there’s really no other way to do it.
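Here is the same fix as a script, added as an example rather than taken from the original post: it reads the current NPF start type, sets it to demand start only if needed, loads the driver without a reboot, and then checks that dumpcap can list interfaces (the step that locked up). Run it from an elevated PowerShell prompt. The Wireshark install path is an assumption; adjust it to match your system.

```powershell
# Added example (not from the original post): inspect and fix the WinPcap NPF
# driver start type, then verify that dumpcap no longer hangs when listing
# interfaces. Requires an elevated prompt.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'
if (-not (Test-Path $key)) {
    throw "NPF service key not found; is WinPcap installed?"
}

# Meaning of the Start DWORD (SERVICE_* start types)
$startTypes = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }
$current = [int](Get-ItemProperty -Path $key -Name Start).Start
"NPF Start is $current ($($startTypes[$current]))"

if ($current -ne 3) {
    # 3 = SERVICE_DEMAND_START: the driver is loaded when a capture tool opens it
    Set-ItemProperty -Path $key -Name Start -Value 3 -Type DWord
    "NPF Start changed to 3 (SERVICE_DEMAND_START)"
}

# Load the driver now rather than waiting for a reboot, then confirm its state.
# 'sc.exe start' reports an error if NPF is already running; that is harmless.
sc.exe start npf
sc.exe query npf

# The original symptom was dumpcap hanging on any capture operation, including
# listing interfaces, so this is the real test. Path is an assumption.
& "$env:ProgramFiles\Wireshark\dumpcap.exe" -D
```

If `sc.exe query npf` shows the driver RUNNING and `dumpcap -D` prints the interface list promptly, the fix took. If the query shows STOPPED and the start failed, look at the driver itself (a Start value of 4, DISABLED, or a broken WinPcap install) before reaching for the Windows 7 compatibility-mode workaround.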
For anyone that happens to be struggling with getting Fedora 19 installed on the Asus 1015E, at least with BIOS revision 303, it appears that there’s something in the installer kernel (3.9) that doesn’t agree with the system. Fedora 20 (kernel version 3.11) does work, though since it’s currently in pre-Alpha state, you’re installing it at your own risk.
Other than that, it’s a great little $200 notebook.
I ran into a problem a few weeks ago with my Linux system. After performing a kernel update and rebooting, I couldn’t remember the disk encryption password. I tried for an hour or more, running through all of the passwords I could think of, including with new combinations and possible miskeys, but nothing worked. Finally, I shut it off in frustration.
Last night, I figured I’d take another crack at it. After nearly 30 minutes, I finally stumbled across the right password, and it was something that I’d tried before several times both last night and during the previous failure but apparently managed to miskey it a few dozen times. Success!
Until I tried to log in.
Password for my account? Wasn’t happening. Couldn’t remember what it was. Worse, I couldn’t remember the root password, either. OK, I figure. I’ll just reboot into single-user mode and reset the password.
It wasn’t quite that simple.
Continue reading “Recovering root password on Fedora 19”
Here are some links I found a while back to free ebooks from Microsoft on a ton of topics including Windows (desktop and server), SQL Server, SCCM, SharePoint, and application development. The selection covers the range from beginners to advanced.
Large collection of Free Microsoft eBooks for you, including: SharePoint, Visual Studio, Windows Phone, Windows 8, Office 365, Office 2010, SQL Server 2012, Azure, and more.
Another large collection of Free Microsoft eBooks and Resource Kits for you, including: SharePoint 2013, Office 2013, Office 365, Duet 2.0, Azure, Cloud, Windows Phone, Lync, Dynamics CRM, and more.
Huge collection of Free Microsoft eBooks for you, including: Office, Office 365, SharePoint, SQL Server, System Center, Visual Studio, Web Development, Windows, Windows Azure, and Windows Server
A few weeks ago, when building my new computer, I decided to go with Windows 8, primarily for the under-the-hood improvements. I won’t get into the overall experience, but I did run into a few issues getting security software installed, especially gpg4win, which I chose to enable PGP e-mail encryption.
The OpenPGP specification (RFC 4880) standardizes the message format of PGP, which Phil Zimmermann released back in 1991, and it is pretty much the standard for encrypting messages sent via the Internet. However, implementing encryption is hard, and using the implementations isn’t always easy, either. While most Linux distros ship with GnuPG and tools built on it, Windows ends up with two primary options: the commercial PGP suite and gpg4win. We’ll have a look at them and how to install the latter after the break.
Continue reading “Setting up gpg4win on Windows 8”
What if I told you that my shortest important passwords are in the neighborhood of 20-25 characters? Would you think to yourself, “You’re insane!” Some of you would, because some have said it out loud to me when they see me typing in my passwords. My secret for many of them is to use a passphrase. This is easy for me to remember, and its length gives it enough entropy that brute-forcing it is impractical for a computer, or even a lot of computers.
Continue reading “Password Complexity: Easier for you, harder for bad guys with passphrases”
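To put numbers on the passphrase claim above, here is an added example (not code from the original post) that compares the search space of a random 8-character password with that of a 5-word passphrase and generates a passphrase with a cryptographic RNG. The 7776-word figure is the size of the standard Diceware list; the guess rate and the tiny word list are assumptions constructed for the demonstration.

```powershell
# Added example, not from the original post. Entropy in bits for a secret built
# from Length symbols chosen uniformly from AlphabetSize choices.
function Get-EntropyBits {
    param([int]$AlphabetSize, [int]$Length)
    return $Length * [math]::Log($AlphabetSize, 2)
}

# Worst-case time to enumerate the whole keyspace at a given guess rate.
function Get-YearsToExhaust {
    param([double]$Bits, [double]$GuessesPerSecond)
    return [math]::Pow(2, $Bits) / $GuessesPerSecond / (365.25 * 24 * 3600)
}

# Pick words with a cryptographic RNG. Get-Random is fine for shuffling a
# playlist, not for secrets. Rejection sampling keeps the modulo step unbiased.
function New-Passphrase {
    param([string[]]$WordList, [int]$Words = 5)
    $k = $WordList.Count
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $k)   # largest multiple of $k below 2^32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $picked = @()
    for ($i = 0; $i -lt $Words; $i++) {
        do {
            $rng.GetBytes($bytes)
            $n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $picked += $WordList[$n % $k]
    }
    $rng.Dispose()
    return ($picked -join ' ')
}

$rate = 1e10   # assumed guesses/second for an offline attack on a fast, unsalted hash
$pw = Get-EntropyBits -AlphabetSize 95 -Length 8       # 8 chars from all printable ASCII
$pp = Get-EntropyBits -AlphabetSize 7776 -Length 5     # 5 words from a Diceware-size list
"8-char password  : {0:N1} bits, {1:N3} years to exhaust" -f $pw, (Get-YearsToExhaust -Bits $pw -GuessesPerSecond $rate)
"5-word passphrase: {0:N1} bits, {1:N1} years to exhaust" -f $pp, (Get-YearsToExhaust -Bits $pp -GuessesPerSecond $rate)

# Constructed sample list for illustration only; use a full Diceware list in practice.
$sample = 'correct', 'horse', 'battery', 'staple', 'lantern', 'meadow', 'copper', 'signal'
New-Passphrase -WordList $sample -Words 5
```

The entropy figures only hold when the words are chosen at random from the list. A passphrase lifted from a favourite quote or song lyric is far weaker than its length suggests, because an attacker can feed the same books and lyrics into a cracker as a wordlist. Five random Diceware words, at about 64.6 bits, sit comfortably above eight random printable characters at about 52.6 bits, and are much easier to type from memory.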
Over the last year, we’ve seen news stories of sites getting hacked and passwords getting stolen and we’ll doubtless see more in the future. These range from the relatively irritating to the level of possible identity theft. In every case, especially when the passwords have been published, we see the usual advice from the experts: use complex passwords, don’t share your passwords, don’t use the same password on multiple sites… It’s basically the same list trotted out all the time, but I see few explanations of why people should do these things. It’s not bad advice at one level, but doing something out of blind obedience has actually made security worse on occasion, and passwords are part of that mess.
Continue reading “Password Complexity: Hows and Whys Explained”