The Power of Convergence

A graduate student pointed me to a great article today on Physical and Information Security convergence… very interesting….

The Power of Convergence

R

www.micklerandassociates.com

Defending Against L0phtCrack

Hack the ScriptKiddie: Defending Windows2000 Against L0phtCrack
http://www.sans.org/rr/whitepapers/win2k/213.php

This week I kind of got into a kick: what if an admin could hack the hacker? What kind of specific tools can we use to detect and defeat maybe eighty-percent of the problem – that being the execution of _known_ scripts and tools like L0phtCrack? So I did a little digging and found this great article that explains how Group Policies could be used on a Win2000 Server to defend against L0phtCrack. I couldn’t find anything more recent but I like the specificness of this kind of instruction.

R

Load Up on Power Tools!

Load up on Tools and PowerToys!

Hack your PocketPC Registry with Tweaks2k2!

http://www.tweaks2k2.com/portal/staticpages/index.php?page=20050224182009983

What TweakUI did for the Windows platform, Tweaks2k2 has done for the PocketPC. This product is available in both shareware and paid license.

Naturally, XP’s PowerToys are an often-needed yet infrequently publicized set of tools available from Microsoft:

http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Finally, a nice third party tool that I’ve needed all the time and use quite frequently is ClickYes:
http://www.snapfiles.com/get/clickyes.html

ClickYes is free. It allows you to automate mail scripting through Outlook and avoids the “Something is trying to send mail through Outlook” annoying dialog, bla bla; it suppresses the dialog and speeds mass email distribution right up without complaint. No reg-hack – just an executable TSR that sits on the system tray. Nice tool!

R

The Six Dumbest Ideas in Computer Security

This is great – a student passed this one to me.
http://www.ranum.com/security/computer_security/editorials/dumb/

From the author:

Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

An excellent read (grin).

R

Google Hacking Windows!

HACK OF THE WEEK:

Google Hacking!

An interesting series on how to use Google to hack into public-facing Windows servers. From the author:

“You can profile servers, find files containing sensitive information and detect “hidden” login pages, server log files and a whole lot more. In this tip, I will describe some neat Google tools and basic queries to help you ferret out the sensitive information that, although you may not realize it, is accessible to the public.”

http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1089383,00.html

Google = Search Engine? Or Google = Hacker Tool?

R

US-CERT: Mobile Viruses Worsening

Vendors Claim Mobile Viruses Worsening: Both F-Secure and Trend Micro, mobile anti-virus product vendors, claim that attacks on mobile devices are becoming more serious. Viruses that have been reported attack Symbian-based devices. During July, three new viruses and five new variants of existing viruses appeared.

Source: http://www.securitypipeline.com/news/170102188.
R

The Evolving Brain

A student passed me this one:

http://seattletimes.nwsource.com/html/nationworld/2002482196_brain09.html

R

Proctoring a CISSP Exam

I thought I’d share this – some may find this interesting – today (Saturday Sept 10, 2005), I proctored a CISSP exam in Portland, OR.

Proctoring involves monitoring exam candidates both before and during the exam. Although I cannot go too heavily into details – proctors must sign a non-disclosure – it is very much like being a chauffeur, making sure candidates’ needs are being taken care of during the process. The proctors report to the supervisor who administers the test. Proctoring for an exam earns 8 CPE points for the CISSP. CPE’s are ISC2’s answer to continuing education credits for certification renewal.

It was an interesting experience in terms of procedure as it is very scripted yet also an intriguing insight into behavior – how candidates manage the stress. Some are visibly nervous and agitated, anxious – I just escorted a shaking candidate to the restroom today – whereas others seem to take it in stride; one person’s strut got progressively spunky when I escorted them out for breaks.

This is my first experience proctoring. The administrator suggested that it’s not uncommon to have a candidate finish in an hour or so – they get six – and one or two will actually leave without completing, giving up; harsh given the financial investment to sit for the exam. The early bird here did it today in under two hours, and one fellow stayed through the whole exam. Some seem to have a method to the process where others tackle it head on. One fellow had a deer in headlights look and kept shaking his hands. Another fellow wanted a calculator for the ALE calcs – we had to disappoint him – all he could bring to the table is water. And this one guy kept putting cold water bottles on his neck, tucked in his collar, so it looked as if there were rocket launchers mounted on his shoulder. Finally, there was one woman who sat for her exam – it was a predominately male group.

My own experience suggested that most stay for 3 to 4 hours, and some for the duration. Myself, I found the mythology surrounding the exam mightier than the dragon. The early AM drive to Seattle was tough – no sleep the day earlier, wife drove, thankfully, because I was able to clear my head. I was reviewing my notes after arriving at the testing facility – a Marriott. I had read a light book on the exam (Meyer’s CISSP Passport), the Official ISC2’s Guide, and some accumulated notes from the ‘net. Combined with my background notes I prepared, I had a binder of principles and points that I studied relentlessly for two weeks beforehand. Generally speaking, the ‘net materials were over-hyped and too broad, nearly out of scope, and made me sufficiently paranoid. The Official guide was too extensive to memorize, but accurate and thorough. The Passport book helped to focus and prioritize the official content and offer perspective. The three opinion approach worked well enough to provide clarity and contrast.

On the day, the time was intense but good test taking skills ruled the day. Moving back and forth through the test gave a lay of the land and allowed some measure of confidence, spending an hour to review the material to scope out the range of questions, hitting the stuff I knew right away. I also jotted notes and difficulty rankings in the margin of the test booklets – this is permissible. I also found myself working through the math of passing the exam – x-percent needed to pass, x-questions dead right, x maybe’s, and x totally unsure. It wasn’t until my dead rights passed 80-percent that I could breathe easier and allowed me to manage my time more proactively.

Today it was difficult to say how the candidates are doing as the day progressed – as a proctor, I sat in the back and walked the room, escorting those for breaks and securing their exams when they stepped away from their table. All were focused. My fellow proctor was the chief security officer of the State of Oregon. We both take turns answering issues, handing out question comment forms, picking up tests, and naturally we’re not allowed to talk to candidates about anything material, of course, so time passes slowly and in silence.

At lunch, I walked down the block to a sandwich shop and hopped on an unsecured WAP. The sandwich was tiny and overpriced, yet, my email was deliciously free. When I had returned, the administrator had given the half time warning and about 1/3rd the candidates were gone by that time.

Like I was saying, the proctor earns 8 CPE’s for handling the exam. After proctoring for three times, the proctor can then become an administrator. The administrator is sent a serialized tote with all of the materials to conduct the exam from ISC2. After an inventory and correction process with ISC2, the administrator will arrive at the pre-booked venue and deliver the exam. Then the administrator collects the materials, performs a form inventory and checklist, then, seals the tote and FedEx’s it back to ISC2. Looked like a very organized supply chain.

I learned that as an administrator of an exam, you’ve an option of receiving the 8 CPE’s for the work you perform or a $100 honorarium – just seems easier to receive the CPE’s. I’m probably going to pursue this as delivering an exam seems an extension of my own career in education.

Anyway, it was an interesting time from the perspective of the test proctor instead of the candidate and it earned me a little CPE along the way. And everyone needs their CPE’s.

R

Password Cache on WindowsXP Home

Had an interesting problem this week that I wanted to bring up.

I created a standard printer share on a WindowsXP Professional box that was joined to a local domain. Another computer on the local subnet, running WindowsXP Home and not a member of the first box’s domain – as Home cannot join domain security contexts – connected to the share using a UNC. I was challenged and I used a local user account on the Pro box to establish the connection, opting to “save password” to the user’s local cache to preserve connectivity to the share. All worked fine; I could print a test page.

Until, that is, a reboot on the Home PC. The printer’s *.pif read “Access Denied” – trying to access properties, the message: “The print spool service is not running” was displayed.

I struggled with this for a while because the target XP machine’s spooler was fine. I then learned it was because of a password cache issue with a HOME machine connecting to a PRO machine that was a part of a domain. By creating a login batch file for the startup folder, I reproduced a net use command:

net use \\computer\printershare /USER:[local_account] [password] /PERSISTENT:yes

This re-cached the login credential of a local user account on the PRO machine and allowed for printing. Why this limitation exists, -shrug-, no idea, but that’s how I worked around it.

R

Hacking Wireless… Keyboards?

From one of my graduate students this week:

I just got finished reading some articles on wireless keyboards and mice. What do you think the probability of them being hacked is? A lot of things in security make me uneasy but I was not really sure on what’s up with the keyboards and mice.

Here is some information I read below: Wireless keyboards are insecure and hackers can sniff-out every password you type on them. The problem arises because each transmitter/receiver pair does not appear to be hard-coded to match each other. An attacker is able to sniff the connect-sequence of a victim’s device from far and to lock-in to the code of the victim’s devices or to take control of a victim’s device.
http://www.theregister.co.uk/2001/06/30/type_me_your_password/
This article mentioned that “a machine began to receive “ghost” keystrokes from a neighbor’s PC over a distance of more than 485 feet away and through two walls”

http://www.extremetech.com/article2/0,1697,704084,00.asp
http://www.theregister.co.uk/2003/01/21/qwertyoops/
Man in the middle attack for Logitech products – Make it possible for a remote user to gain unauthorized access to resources.

It is possible for a user with equipment capable of monitoring the frequencies used to communicate between the base receiver and devices to watch the session. Additionally, a user with similar equipment that has been altered may be able to gain control of the session. This problem makes it possible for a remote user to gain console access to an unauthorized system, either by watching keystrokes, or by session hijacking.
http://new.remote-exploit.org/index.php/Wlan_defaults
http://www.securityfocus.com/bid/2738
What you need for “wartyping” – http://www.wartyping.com/?page=equipment