Reasons, Yesterday stares, today... honesty.
Today, one of our developers emailed me, out of the blue, from his personal email account. The email was gibberish, but it did have a link. I instantly knew he had gotten some type of email-based virus, which he had. Now here's the best part: he said a lot of people in his contact list that he hadn't had any contact with for a few years reached out to him to let him know, and he re-established contact with them. Look at that... viruses that have social impacts. MAYHEM.
This weekend I was playing with Gentoo again (www.gentoo.org) for some purpose-built servers. I have a fond love for this little distribution. There are some people who are considered 'purists' in the sense that they feel everything should be compiled from scratch from the get-go. There are others who don't wish to 're-invent the wheel' and feel that someone's already done the legwork, so why shouldn't they take advantage of it? I would say this: for most people, distributions that are already compiled are perfect. For my particular application of purpose-built, high-horsepower servers, I felt Gentoo may offer some additional advantages, such as compilation with additional CFLAGS. But I'd love feedback from everyone on their take on all this. #hardcore
The former reasons:
#1. Asian eyes in the morning
#2. The way you run your fingers through my hair
#3. The flowers in your hair...
Today's reason: the way you giggle with me. I really enjoy laughing with you...
Last week, I read an article on the sentencing of Jeremy Jethro for selling Albert Gonzalez, the 'TJX hacker', an IE zero-day exploit. I have a fond love for reading media articles on this subject because I find so much fault in them. I am not a journalist, reporter, or writer; should I be one to judge someone else's work? In this article Jeremy Jethro pleaded guilty and was sentenced to a few years' probation and fined over the conspiracy charge. His lawyer admits that the zero-day was a dud and didn't even really work. This is the part of the article I find the most interesting. What this does is set a precedent that the mere sale of a potential exploit, not even a working one, can lead to a full arrest and conviction.
My questions revolve around how, as an industry, we can solve the issue of not only responsible disclosure but better software security without the penalty of laws. I was very disappointed with a few previous laws such as the DMCA (Digital Millennium Copyright Act), which freaked out most reverse engineers. These guys, who potentially are looking for bugs in software and not the theft of intellectual property, were totally stunned by the potential effect of this law. I was as upset about that law as I am about this particular court case. I understand that this person did something less than satisfactory in selling a potential exploit to a person who could use it for the wrong reasons. What I do not wish to happen is an open ticket for abuse of the precedent this case brings.
Prosecutors need to start making examples out of everyone they can actually catch. People like Albert Gonzalez are going to be made examples of; he will be serving the maximum amount of time. But if there are no others to be caught right away, and if the problem becomes worse, will the prosecutors start going after researchers selling bugs in a less than responsible way? Will they go after people releasing bugs to sites like the Exploit DB? Responsible disclosure can be so difficult that most researchers would probably forgo releasing the information altogether at times, or opt for partial disclosure. I am not sure what this will imply, but I will say we need a better way of releasing the information.
I just find it funny that this guy was arrested for selling a dud zero-day. That's even more sad.
I always found myself a believer in the magic. I want to believe that it is magic. The further I take my career, the more I realize it is really not magic. Arthur C. Clarke has his three laws of prediction. Law #3 states: any sufficiently advanced technology is indistinguishable from magic. I liked that idea of it being magic a lot. As an engineer in my previous life, I used to have a saying: most people use the MRP (Magic Routing Protocol) as a standard routing protocol. The magic routing protocol concept is simple. You walk into a customer's site, ask them about their network and how it works, and they tell you they don't know. They just hooked it up and it works. It's magic! I, however, didn't like magic for that reason. I liked magic for the reason that I wasn't the computer science developer guy. I was the guy that understood how to interconnect large networks, and how to secure the networks themselves, more than someone who had studied the inner workings of operating system designs for their career.
Today, I was looking over the new SIFT 2.0 workstation from SANS. The SIFT workstation has a nice listing of all of the software it includes, and some of it piqued my interest. In the RAM analysis section, there are a few tools called pdymail, pdgmail, and pdfbook. These Python scripts are used to parse RAM and extract Yahoo! Mail emails (pdymail), Gmail emails (pdgmail), and Facebook chats (pdfbook). I was interested in knowing some of the magic, not all of it, but just some of the magic behind them. Happily, I opened the link to the SANS Forensics blog about pdfbook (http://blogs.sans.org/computer-forensics/2009/11/20/facebook-memory-forensics/) and I noticed the first thing you do is run strings against a memory dump.
Strings. Just plain old, pull-the-strings-out-of-a-file strings. I'll admit I was a bit heartbroken at that thought. I had considered it a bit of magic to do this. Maybe you pulled apart pieces of memory, did some fascinating carving of data, looked for footers and headers, anything. Nope. It's just plain old strings. The process is explained more thoroughly in the blog posts. This article here wasn't meant to be super technical in nature. It is more an expression of my realization.
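To show what the "strings, then pattern-match" approach from the SANS post actually amounts to, here is a small added example (my own illustration, not code from the SANS blog or from the pdymail/pdgmail/pdfbook scripts): it pulls printable runs out of a constructed memory-dump blob the way strings(1) does, then scans those runs for email addresses and chat records. The chat record layout and the sample bytes are assumptions made up for the example, not the real Facebook format.

```python
import re
from typing import Dict, List

# Constructed sample "memory dump": junk bytes with a few artifacts a web-mail or chat
# client might leave in RAM. The chat record format is assumed for this example.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\xfe"
    b"From: alice@example.com\x00\x00\x90\x90"
    b"To: bob@example.org\r\n\xff\xee"
    b'{"from":"alice","to":"bob","text":"lunch at noon?"}\x00'
    b"\x02ab\x03"                      # too short: dropped, as strings(1) would
    b"GET /mail/ HTTP/1.1\x00"
)

MIN_LEN = 4  # strings(1) default minimum run length
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CHAT_RE = re.compile(
    r'\{"from":"(?P<from>[^"]*)","to":"(?P<to>[^"]*)","text":"(?P<text>[^"]*)"\}'
)


def extract_strings(dump: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Step 1, what `strings` does: every run of printable ASCII >= min_len bytes."""
    run_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run_re.finditer(dump)]


def find_emails(strs: List[str]) -> List[str]:
    """Step 2a: email addresses, in order of first appearance, deduplicated."""
    seen: List[str] = []
    for s in strs:
        for addr in EMAIL_RE.findall(s):
            if addr not in seen:
                seen.append(addr)
    return seen


def find_chats(strs: List[str]) -> List[Dict[str, str]]:
    """Step 2b: chat records matching the assumed JSON-like layout."""
    return [m.groupdict() for s in strs for m in CHAT_RE.finditer(s)]


def carve(dump: bytes) -> Dict[str, list]:
    """Run both steps over a dump; on a real image, read the file in as bytes."""
    strs = extract_strings(dump)
    return {"emails": find_emails(strs), "chats": find_chats(strs)}


if __name__ == "__main__":
    print(carve(SAMPLE_DUMP))
```

The whole trick is the two regexes; the only forensic care needed is that a printable run can start or stop mid-record, so anything split across a page boundary is simply missed.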
With that, a little bit more of the magic has gone away. I guess I have always been a magician and not so much the audience. Now, back away from my Boom-stick!
The silence on the blog these last few days is due to the fact I am working on some code. I will be updating everyone soon :D
I remember vaguely having been rather naive and somewhat untrained early on in my career. I had a notion that everything could be purchased, and that the intellectual property came more from integration than from the actual product. Integration is a delicate thing: how do you insert a new gizmo into your architecture without major disruption? It is almost like trying to insert a new section of building into an already constructed tower without anyone noticing. Although it is a unique challenge, due to the fact that every environment is that much different from the others, it is not the same thing as product design. My notions of integration, however, were not unique; I recall now that many 'vendors' were calling themselves integrators, hawking their services daily.
One after the other, they would all pitch product X married to product Y to build a better security construct, a better mousetrap. It was all part of the act, wasn't it? My job at the time was engineering and architecture. Suggest it, design it, select it, fit it in, make it bigger, and build it better. Many of my peers felt the same way as I did in their own naivety. They even said, 'Well, you don't have a firewall from company X? Let's see how well that serves you!' As if to say one product would serve as the silver bullet vs. another. Every year that went by it was a new 'flavor of the month'. One year it was stateful inspection firewalls, then it was IDS, then IPS, then UTM, and so on and so on.

Last week, I was having a conversation with someone in the office asking us to finish the design of the security for a large portion of our network. The conversation started off with the statement, 'I generally don't buy products because often they will not work for what we are doing and we typically have to build it ourselves'. While most people will not fall into that category, we actually do. Without hesitation I said, you are right, we are going to have to cook something custom. I stopped over the weekend to think about this. It took me almost 10 years to come to the realization that not everything can be purchased. Sometimes, the best investment must come from within you and be expressed in your growth.
I can remember a few years ago I felt that I had reached a tipping point in my career. I could go one of two ways: a continual plateaued growth, or what I felt was the next sharpest level. I decided to pick up some type of programming to be able to build the better mousetrap. I have come to realize a few things in my journey. The biggest thing I'd like to mention to everyone is: invest in yourself and your employees. The way to invest is to work on the foundational knowledge you need to be an outstanding professional. I would tend to ask myself the following questions:
I have been an information security professional for the last decade. I do great things with computers and networks.