Thursday, December 10, 2009

Internet Explorer and Adobe Flash player update

It is time to make sure your patches have been run again. You will want to make sure that all of your Microsoft Windows patches have been applied. You will also want to check on any Adobe software installed on your system, most notably Flash Player, which just had an important security fix released this past Tuesday.

The bug fixed in Internet Explorer was also a critical security issue, and should be addressed right away. This issue affects just about all versions of Internet Explorer. You can find more details about the issue on the Microsoft Security Bulletin page.

Humbly yours,


Sensei Metajunkie

Google Launches A Public DNS Service

Google recently launched a public DNS service which is an experiment in improving both the speed of DNS queries (which are required for all of your web browsing) and the security of the caching and DNS transactions (which is a major problem on the Internet today).

You can get introductory information about their Public DNS here.

When you are ready to set your DNS server configuration to point to the Google Public DNS Servers, you will want to check out this page on Using Google Public DNS.

For those of us who are particularly interested in the security aspects of these Google DNS servers, we will want to read the information posted about the Security Benefits.

You all will no doubt want to read about the Privacy Issues, and how Google is addressing them. In short, they are promising to keep personally identifiable information for no more than 48 hours.

May all your holiday DNS queries be fast and secure!

Sensei Metajunkie

Wednesday, November 25, 2009

Survey Says 2/3 of Websites Have a Serious Security Flaw

According to a recent SecurityFocus report, "nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site."

The number of known vulnerabilities increases with time. Every day we learn of new flaws in software. For the average business owner today, in this troubled economy, the flawed cyber-jutsu tactic is the old "head in the sand" trick. Unfortunately, unless you are sticking the attacker's head in the sand, this generally doesn't help.

Organizations without dedicated internal security teams must partner with Information Security Service Providers such as CyberCede Corporation. A company like CyberCede can assist a CIO or business owner in improving their situational awareness. Without knowing what is going on, you can't make informed decisions. Your chosen Information Security provider should employ individuals with well known and useful certifications such as the CISSP.

An Information Security professional should help you to know yourself and know the enemy. Many of the website vulnerabilities come from improper configuration. These issues can usually be remedied quickly. For organizations with large amounts of custom code, including web applications, and dynamic sites based upon database back-ends, the work can take longer, but it is even more important to accomplish.

How often should a vulnerability assessment be performed? Only you can decide; but, your Information Security Professional should help you assess the risks to your organization so you can make an informed decision.

Don't forget to breathe!

Sensei Metajunkie

Zero-Day exploit for Internet Explorer

Here is a security advisory issued by Microsoft: http://www.microsoft.com/technet/security/advisory/977981.mspx

If you are running MS Internet Explorer, you should keep an eye out for when they actually patch this zero-day vulnerability. In the meantime, practice safe cyber-jutsu.

This was originally posted to the Bugtraq mailing list last Friday. At the time, the exploit code was said to be "unreliable". It is getting more reliable, and the threat is growing.

The attack will probably come in the form of malicious websites being set up with the exploit code, as well as hacked websites being made use of as unknowing agents of the malicious hackers. This style of attack is sometimes referred to as a "drive-by". If you visit the site with the vulnerable Internet Explorer browser, you will be compromised.

So, the safe cyber-jutsu move here would be to use an alternative browser, at least for the time being. Both Firefox and Safari are available for the Windows platform. Knowing how to use more than one browser shouldn't stress your cyber-jutsu too much.

If you love Internet Explorer, it will still be there after Microsoft finds, implements, and rolls out a fix. It is said that the latest version of IE is not impacted by this. So, you could update to IE 8 as well. I still recommend having more than one brand of web-browser.

If you had two cars, and one of them had a recall for the brakes - you would drive the other car until the flawed one was fixed. This is really no different. Except the alternative browsers aren't going to cost you a dime.

Sensei Metajunkie

Tuesday, November 24, 2009

Shaolin Temple Hacks beg age-old question


I try to read the taosecurity blog, by Richard Bejtlich, when I can. For all of you fans of The Hitchhiker's Guide to the Galaxy, we could say he is a hoopy frood who really knows where his towel is.

In a recent post, Richard pointed out some information about recent hacker attacks against the Shaolin Temple in China. The temple was hacked "three times in a row", according to abbot Shi Yongxin.

This of course begs the age-old question. Which is better: Chinese martial arts, or Japanese martial arts?

So here is the answer:

It depends upon the practitioner.

That may sound like a cop-out answer, but I assure you it isn't. One must know their limitations and their strengths if one is to excel at anything in life. A short and stout person with short arms and legs, in most cases, should not be surprised if they have a hard time mastering a martial art that requires high jumping kicks through the air. Even if they learn it all, when it comes to a real combat scenario they will find that they are on the losing end against similarly trained enemies with long legs and arms. One should seek to maximize their strengths and minimize their short-comings. In the end, it is more about the practitioner than the art they choose to devote themselves to. Given any genuine system of martial arts, it is all the same at the top. They are all paths that could be called "the art of winning".

How can we apply this to our cyber-jutsu?

You must start by knowing yourself, or in the case of cyber-jutsu, knowing your information infrastructure. We have talked about this in other posts - it is the basis of all good cyber-jutsu and must be accomplished before you seek to "know the enemy".

If you are running a web server farm, and have decided that your cyber-fu or cyber-jutsu will center around your packet-filter firewall, you are making a mistake. Certainly you will want to limit the traffic through the border router or firewall; but, your attacker will certainly look for weaknesses in your web implementation.

In such a case, we might be better served by taking a more "zen-like" approach to control. The Zen Master says that you cannot control another's actions. So, you should not try to control them. Instead, just watch them. In this way, you are in control in a wider sense of the word. In your cyber-infrastructure, this translates to out-of-band IDS systems that are tuned by those who "know" your applications. It might also translate to having a robust and fast restoration process. Surely the tao of true event correlation that leads to specific knowledge rather than piles of useless data could become a part of such a cyber-jutsu strategy. How else can we better know ourselves? Perhaps adding a visualization strategy to effectively and quickly communicate threats would go far in improving our cyber-jutsu.

As in hand-to-hand combat with one or more attackers, the key to success is being aware and "in the moment", and "riding the martial wind". Yes, you need techniques. But you can learn techniques anywhere. In the Bujinkan, Sensei Masaaki Hatsumi stresses learning the "feeling" of an attack. It should be no different for cyber-jutsu.

If you are struggling to decide which new "wiz-bang" security software or security appliance to purchase, I advise you to put your purchase request down. Hire another cyber-jutsu practitioner. Hire another Systems Administrator. Hire another Information Security Professional. Invest in the talent you already have in-house. Set up attack labs that mirror your environment, and learn the "feeling" of the attack. Most of you are not even reviewing your log files with any regularity.

The path to expert cyber-jutsu is different for each of us at times. But, in common, we have a long journey toward our goal.
"Step by step, we walk the thousand mile road."
- Miyamoto Musashi
The Book of Five Rings


You can check out Richard's post at: taosecurity

You can read the original news article at: PCWorld


-- Sensei Metajunkie

Tuesday, November 17, 2009

Password Security: White Belt Education

Identification, Authentication, and Authorization are important words to consider when contemplating cyber-jutsu.

While one of the least secure methods of authentication available today, passwords are nearly ubiquitous on information systems as a means to verify the identity of an authorized user.

Words have meaning. You will find your cyber-jutsu training most illuminating if you keep a dictionary and thesaurus handy. I have physical versions of these books, as well as computerized and on-line versions. To get you started, you can investigate Merriam-Webster online. Here is a good tip: you can easily remember "m-w" for Merriam-Webster. You can reach their site by typing in m-w.com for the address. I find this faster than navigating through bookmarks.

The human brain is better than a bookmark list, but, using both is best.

What is your identity? Who are you? For the skilled cyber-jutsu practitioner, hiding one's identity may be important. For the white-belt, being able to understand "identity" is most important.

Leaving behind the philosophical question of who you are, let us consider who you are to a computer system. To a computer system, you are, in most cases, a "user". The computer system maintains a unique "user name" for each person wanting access. Some computer systems allow a special user named "guest" to log in, but we are considering only your unique identity here.

Since computer systems have become wide-spread in our lives, a new problem of identity has arisen. Many of us have too many identities to easily remember. There have been and will continue to be interesting proposals for the solution to this problem. Some current technologies include: Single Sign On (SSO), and OpenID.

Regardless of the technologies we use to help ease the problem of recalling multiple identities (i.e. user names) and authentication mechanisms (i.e. passwords), if the system uses a password to validate your identity, you need to choose and recall a lengthy and complex password.

This can be difficult if you want it to be. I, however, choose to make it a fun and/or meaningful process. The choice to suffer or rejoice is yours alone. I will share with you one method to create a password that I find rewarding.

Before I go into my technique, let us discuss what we mean by a secure password. A secure password is one that is changed before an attacker can "crack" it (i.e. reveal, or guess it). Because of the progress of technology, that time grows shorter every year. Therefore, we could say that the time of the user generated password grows short. Some replacements for the password, or enhancements to the password include bio-metrics (i.e. a human number) and tokens (i.e. something you have, like a physical key or card). If you hear someone say two-factor authentication, they are referring to two mechanisms working in concert to verify your identity. We can think about a password as "something you know". We can think about bio-metrics as "something you are". Lastly, we consider a token "something you have". By mixing and matching these "factors", we can create secure authentication.

An example of a bio-metric authentication device would be a finger-print scanner/reader. Other bio-metric authentication devices in use today include iris scanners as well as the more intrusive retinal scanners. Future bio-metric authentication devices may include genetic material "finger-printing". Such devices could work off of dead skin cells, hair, mouth-swabs or blood. A device that could quickly determine the identity of a person based upon a unique number generated by their unique DNA would be the ultimate authentication mechanism. It could also be thought of as "the number of the beast" from Revelations. For better or worse, we will most likely see such a device in our time.

A good example of a token, or "something you have" would be the device you can get from PayPal to enable two-factor authentication to their site. Remember that two-factor authentication uses two of the above factors we described. In this case, PayPal uses something you know, a password, and something you have, their token. The PayPal token can be kept on your key-ring and provides a new six digit number every minute. When I log into my PayPal account, I first enter my username, or identity. I then enter a password as the first factor that they will consider towards verification of my identity. After successfully entering my password, I am then prompted to press a small button on my token. When I press the button I am given a six digit number to enter into the website. Because they know the serial number of the token they sent me, they know what that number is going to be. They validate that the number I enter is correct, and then authorize me to use their website and conduct my online financial affairs.

Now let us consider the password generation technique. Sit quietly for a moment. Sit with your back straight. Relax your muscles, but maintain proper posture. Take a deep breath. Let your belly expand as you breathe in, rather than your chest. Take another deep belly breath. As you exhale, feel the pressures of the day leaving your body like morning mist melting off a mountain lake. Take another deep breath and feel the essential joy filling your body. As your belly fills with your breath, feel the life energy filling every molecule of your body. It is a renewing energy. Each deep breath pulls in new energy and each deep exhale releases those things you do not need in your life. Breathe deep again. Allow your mind to drift toward a happy time in your youth. Capture that moment with words. Bring those words back with you as you continue to breathe. Breathe deep and reflect on the phrase you have brought back with you. Breathe deep and feel the healing, cleansing breath become a part of you. Come back to the present time, and create your password.

I did this exercise, just now, with you (I hope). This is what I brought back this time. Because I'm sharing it with you, I can't use it as a password. I'll find more though, don't worry.

The phrase I brought back was:
"We battled for hours with water-pistols. We painted the walls like two children."
I can use some of this or all of this. I can use whole words if the system I'm creating the password for doesn't limit the length, or I can use just the first letter of each word. If you are a brain, perhaps you can quickly recall the last letter of each word, or the second letter of each word. Let us start by using the first letter of each word.

  • wbfhwwpwptwltc

This is certainly unique, but let us consider for a moment our attacker. Without going into the details of how passwords are cracked (we can do that another time), let me say that we want to make the password more "complex". By complex I mean that we want to create a password that isn't all lower-case letters. In fact, we would like it to use upper-case and lower-case letters, and also numbers and/or special characters. We also want the length to vary, but never be less than eight characters. Having all passwords exactly eight characters long gives the attacker something standardized that he can use against us.

Here are some alternatives that I feel would make a good password:

  • Wb4hwW-P.
  • wB4hw/w-p.
  • Wbfhw/w-p!
  • wPtwl2c.
  • Wb4hw/w-p. Wptwl2children.

Some password security analysts will say that you should never have any word that can be found in any dictionary as any part of the password. If you follow that advice, then the last password given above would not be a valid choice. But let us look at what is good in these passwords. I am using upper and lower case letters in all of them. In the second example, I have chosen not to use an upper case letter to start the password, because I don't want to be predictable. In this second case, I chose to emphasize the "Battle" that took place. In this example I also chose to use the "/" special character that is often seen in text regarding the word "with". In the third example, I chose to replace the period with an exclamation point. In most of the examples I chose to replace the word "for" with the number "4". Some people will sometimes replace the letter "A" with the number "4", or the letter "B" with the number "8", and the letter "O" with the number "0" (zero). The only rule here - is that you need to remember what it is you are going to do. Don't over-complicate this process. Keep it fun. If it gets boring, then maybe you can add something more to it.
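The phrase-to-password method and the rules above, as an added example that is not code from the original post: it takes the first letter of each word (splitting on hyphens as the post does for "water-pistols"), applies whole-word substitutions such as "for" to "4", keeps the phrase's punctuation, mixes case without always capitalizing the first character, and then checks the result against the post's rules. The check also undoes common number-for-letter swaps before comparing against a wordlist, which is what flags the "p41nt3d" case from the postscript. The substitution table, the every-third-letter capitalization and the tiny wordlist are constructed for the example; a real cracking wordlist has millions of entries.

```python
import re
import string

# Constructed inputs: the post's own phrase and a tiny stand-in for a cracking wordlist.
PHRASE = "We battled for hours with water-pistols. We painted the walls like two children."
WORDLIST = {"painted", "battled", "children", "password", "water", "pistols"}

# Whole-word substitutions in the spirit of the post ("for" -> "4", "two" -> "2").
# An assumption of this example: the post's variants are hand-made, this is one
# mechanical rendering of them.
WORD_SUBS = {"for": "4", "two": "2", "with": "/"}

# Common digit/symbol-for-letter swaps (4->a, 3->e, 1->i, 0->o, 5->s, $->s, @->a, 8->b),
# used to UNDO them when checking whether a password is an obfuscated dictionary word.
LEET_TO_LETTER = str.maketrans("43105$@8", "aeiossab")


def tokens(phrase: str) -> list:
    """Words (split on whitespace and hyphens) and individual punctuation marks, in order."""
    return re.findall(r"[A-Za-z]+|[^A-Za-z\s]", phrase)


def first_letters(phrase: str) -> str:
    """The plain acronym the post starts from: first letter of each word, lower case."""
    return "".join(t[0].lower() for t in tokens(phrase) if t.isalpha())


def acronym_password(phrase: str, subs: dict = WORD_SUBS,
                     keep_punct: bool = True, capitalize_every: int = 3) -> str:
    """Derive a password: substituted symbol where one is defined, otherwise the
    first letter, punctuation kept, and every third letter (starting from the
    second) upper-cased so the first character is not predictably capitalized."""
    out = []
    letter_index = 0
    for t in tokens(phrase):
        if t.isalpha():
            word = t.lower()
            if word in subs:
                out.append(subs[word])
            else:
                ch = word[0]
                if capitalize_every and letter_index % capitalize_every == 1:
                    ch = ch.upper()
                out.append(ch)
            letter_index += 1
        elif keep_punct:
            out.append(t)
    return "".join(out)


def is_obfuscated_dictionary_word(pw: str, wordlist: set = WORDLIST) -> bool:
    """True when the whole password, after undoing the common swaps and case,
    is a single dictionary word. Whole-word only: "Wptwl2children." passes,
    "p41nt3d" does not."""
    return pw.lower().translate(LEET_TO_LETTER) in wordlist


def check_password(pw: str, wordlist: set = WORDLIST) -> dict:
    """The post's rules, one flag each, so a caller can see which rule failed."""
    return {
        "min_length_8": len(pw) >= 8,
        "mixed_case": any(c.isupper() for c in pw) and any(c.islower() for c in pw),
        "digit_or_symbol": any(c.isdigit() or c in string.punctuation for c in pw),
        "not_dictionary_word": not is_obfuscated_dictionary_word(pw, wordlist),
    }


def is_acceptable(pw: str, wordlist: set = WORDLIST) -> bool:
    return all(check_password(pw, wordlist).values())


if __name__ == "__main__":
    print("plain acronym:", first_letters(PHRASE), check_password(first_letters(PHRASE)))
    candidate = acronym_password(PHRASE)
    print("derived password:", candidate, check_password(candidate))
    for bad in ("painted", "Painted", "p41nt3d"):
        print(bad, "->", check_password(bad))
```

Keep the derivation rule you pick constant across your passwords; as the post says, the only real rule is that you must remember what you decided to do.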

Try a simple phrase, and stick to the basics I've outlined, and your passwords will be much more secure until you change them. I recommend changing all of your passwords at least once per month. Choose a time of the month that will be the same every month. Then sit down, relax, and breathe! :)

Sensei Metajunkie

PS -
here are a few examples that are BAD CHOICES and should NOT be used:

  • painted (this is a dictionary word)
  • Painted (this is still a dictionary word)
  • p41nt3d (even though this one doesn't look like it on the surface, there are dictionaries for cracking passwords that replace the common numbers for letters - don't use this type of obfuscation for a dictionary word-based password)

Friday, November 6, 2009

What is the CISSP security certification about?

Several of you have asked me about my CISSP status. There have been questions such as:

  • What is it?
  • Is it useful?
  • Was it hard to obtain?
  • Once you get it, are you done?

To start, CISSP stands for "Certified Information Systems Security Professional". It is a certification granted by the (ISC)2 (ISC squared) international organization. You can find out more about (ISC)2 at their website.

As for the question of usefulness... I think it is a very useful certification. (ISC)2 defined (and continues to update) a Common Body of Knowledge (CBK) which professionals like yours truly can use to communicate effectively on matters of Information Security.

It was not easy to obtain my CISSP, but I'm not certain I would say it was hard either. The exam was allocated five hours for completion. Many of the questions required "the best" answer of several correct answers, given a particular situation. I took four hours to complete my exam. Any one thing that I sit down to do, which takes four hours, immediately loses the ability to be called "easy". I went to an exam preparation intensive course, and purchased three books to assist in taking the exam.

The ten domains of the CBK that I was tested on included:

  • Access Control Systems and Methodology
  • Application and Systems Development Security
  • Business Continuity Planning and Disaster Recovery Planning
  • Cryptography
  • Law, Investigation, and Ethics
  • Operations Security
  • Physical Security
  • Security Architecture and Models
  • Security Management Practices
  • Telecommunications and Networking Security

The above really are Information Security in a nutshell. However - that is a very large nut.

Regarding the question of being done after the test, the answer is "no". Becoming a CISSP is really the entrance into a community or society of Information Security Professionals. Each CISSP must adhere to an Ethics Policy as well as submit information concerning their ongoing education and experience within the CBK domains.

I think if anyone would say that obtaining the CISSP certification status is "hard", it would be due to the sheer broad expanse of the topics that must be studied to be prepared for whatever the exam may choose to throw at you. There is a lot of information to be assimilated. If anyone has any particular questions about the CISSP, I'd be happy to help out where I can.

Monday, November 2, 2009

What is best in life? ... "Crush your enemies..."

"Crush your enemies. See them driven before you. Hear the lamentation of [their] women." - Conan

Ah - Conan... those were simpler times, no?

So often the question of the newbie to cyber-jutsu reaches my ears. "Sensei, how can we crush them? What is the best way to destroy them? What is the best tool to pwn with?"

For those of you who are willing to hear what I have to say, listen. Before seeking to destroy the enemy, seek to understand yourself.

What does this mean? Do you have your accurate inventory? If you have been following this blog, you may have created an inventory of every system and every application that is within your Information Infrastructure. If you did this last week, or the week before - is it still accurate? Have you devised a way to keep it up to date, up to the minute?

Which systems contain your private information? Which known vulnerabilities currently threaten those systems?

What was the last attack that failed? What was the last attack that succeeded? How do you know it failed? What damage was done by the success? How are you tracking these incidents?

It is not difficult to set up an open source intrusion detection system (IDS) such as SNORT, and have it report into an open source database such as MySQL. It is even quite easy to have a front end such as BASE (successor to ACID) to monitor the events. Slightly more advanced would be to set up Sguil. All of this should be done. However, the trick of it is to "tune" the IDS signatures you are using. The signatures must be updated regularly also. This takes time.

It takes time to secure your information infrastructure. It takes paying the price of perpetual vigilance. It takes time to read log files, to follow security mailing lists, to identify, track, patch, and report on known vulnerabilities. It takes time to manage a firewall and an IDS system. It takes time to educate users on how to create a significantly complex password, and remember it. It takes even more time to explain to them why they should do this.

All of this must be done before you seek to crush your enemies. Know yourself first. The better you know yourself - the faster you will learn to know your enemy.

Changing Passwords - Yes, you must

This morning I read a disturbing post by a security professional, who suggested that we don't need to change our passwords for 25 years.

His or her suggestion was based upon a belief that an attacker will not take any significant amount of time to crack your password. This simply isn't the case.

The whole notion of cryptography is based around trying to keep a secret. The practice of cryptography understands, however, that the secret can only be kept for so long. This is why we "change keys". While a password isn't directly cryptography, it does try to keep a secret. Also, sometimes an attacker will be trying to break cryptography in order to get at your password.

A good example is the Windows login password. Your password is never actually sent across the wire. In its place is a "hash" of your password. The hash is composed using a cryptographic function. Because Windows doesn't ever "change the keys", it is possible for an attacker to use tools to generate what are called "rainbow tables". A rainbow table is a pre-generated table of every possible hash that could result, given a certain set of parameters.

The parameters in question are the character set and length. For example, I could create a rainbow table set which would pre-generate the hashes for every password you could create that was up to 8 characters, and included upper and lower case letters, numbers, and special characters such as a dollar sign, period, or asterisk. It takes a long time to generate a rainbow table, but once it is completed, matching the pre-generated hash with the Windows password hash that was sent across the wire can take micro-seconds to mere minutes.

The longer and more complex the password you are trying to crack (perhaps "match" would be a better word here), the longer it will take you to create your rainbow tables. Also, the larger the set of pre-generated hashes, the longer it will take the computer to search through them all to match your password.

Certainly, the longer and more complex a password is, the longer any brute-force method of cracking that password will take.
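The trade-off described in the last three paragraphs, as an added example that is not from the original post: a toy precomputed table over a tiny keyspace, the lookup that turns a captured unsalted digest back into its password in constant time, and the keyspace arithmetic that shows how the up-front cost grows with character set and length. SHA-256 stands in for the hash function (this is not the Windows hashing scheme), the three-character lower-case keyspace is constructed so the table builds in well under a second, and the salted variant is the defender's countermeasure the post's "change the keys" remark points at: a per-user random salt means a table built in advance matches nothing.

```python
import hashlib
import itertools
import os
import string

# Constructed demo keyspace: lower-case letters, up to 3 characters (18,278 candidates).
DEMO_CHARSET = string.ascii_lowercase
DEMO_MAX_LENGTH = 3


def keyspace_size(charset_size: int, max_length: int) -> int:
    """Number of candidate passwords of length 1..max_length over a charset of
    `charset_size` symbols. Every one must be hashed once to build a complete
    table, so each extra character multiplies the up-front work."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted password hash: the same password always gives
    the same digest, for every user, on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Defender's countermeasure: a random per-user salt folded into the hash.
    A table built without knowing the salt matches none of these digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(charset: str, max_length: int) -> dict:
    """Toy precomputation: digest -> password for the whole keyspace. A real
    rainbow table stores hash chains instead of every pair to save space, but
    the bargain is the same: pay the hashing cost once, then answer each
    lookup almost instantly."""
    table = {}
    for n in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            table[unsalted_hash(candidate)] = candidate
    return table


def lookup(table: dict, digest: str):
    """Recovering the password from a captured digest is a dictionary lookup,
    not a computation. Returns None when the digest is not in the table."""
    return table.get(digest)


if __name__ == "__main__":
    table = build_precomputed_table(DEMO_CHARSET, DEMO_MAX_LENGTH)
    print("table entries:", len(table))
    print("unsalted 'cat' recovered as:", lookup(table, unsalted_hash("cat")))
    salt = os.urandom(16)
    print("salted 'cat' recovered as:", lookup(table, salted_hash("cat", salt)))

    # How the up-front work grows with the parameters the post names.
    for charset_size, label in ((26, "lower-case only"),
                                (62, "upper, lower, digits"),
                                (95, "all printable ASCII")):
        print(f"{label:>22}, up to 8 chars: {keyspace_size(charset_size, 8):,} candidates")
```

The same arithmetic is why the post's advice works from the user's side: adding characters and character classes multiplies the table an attacker must build, and changing the password before that table is finished makes the effort worthless.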

Since we can now see that the amount of time you give an attacker to crack a password, before you change that password, can be critical to security - let us all change our passwords today.

If you have any questions, please let me know. This is the place to do it - go on ... post a comment. :)

Sensei Metajunkie

Thursday, October 29, 2009

Ubuntu 9.10 Released: Why do I care?

If your cyber-jutsu is to become great, you must become aware of Linux. This is not to say that you must use Linux to be a great cyber-jutsu master. There have been and will be cyber-jutsu masters using all types of operating systems. But, using a Linux Operating System will undoubtedly improve your cyber-jutsu.

Some of the newer cyber-jutsu practitioners among you may wonder, "Whatever are Operating Systems?".

I will tell you. The words you read here will be a reflection of the truth, but true enough to start you on your path or keep you from falling off the edge. An Operating System (OS) is an interface to the hardware which makes up the physical portion of a computer system. The physical portion of the system includes, but is not limited to: the housing or case of the system, the fans that help maintain the temperature of the system, the random access memory (RAM) - or 'memory' of the system, the hard drive - or long term storage, the central processing unit (CPU), and every other printed circuit board, chip, microprocessor, graphics card, etc. It is what you would see if you took a sledge hammer to your computer. (Not recommended until the rank of black-belt)

The Operating System (OS) interfaces with the BIOS (Basic Input/Output System), which is itself a piece of hardware that facilitates communications with all the other hardware assembled within your computer housing or case. The BIOS is really the piece of hardware that pulls it all together. In fact, it was the only proprietary component of the original IBM Personal Computer. Compaq reverse-engineered the IBM BIOS, and started the PC Clone Revolution. Some might argue that the BIOS is a hybrid component composed of part hardware (the actual chip) and part software (the programmed Read Only Memory). The Operating System allows other computer programs or 'applications' that you use on a daily basis to function in concert with each other and the system as a whole. To try and give you a dependency mapping, think of it like this: Hardware -> BIOS -> OS -> Applications. Or, to think about it in the reverse order: Applications require an Operating System, which requires a BIOS, which requires hardware to function.

Microsoft Windows is an Operating System. Apple Macintosh is an Operating System. Microsoft Windows 7 would be a particular release (the current release) or version of the Microsoft Windows Operating System, just as Mac OSX Snow Leopard is the current release of Apple's Macintosh Operating System. A striking difference between the Microsoft Windows Operating System and the Apple Mac OSX Operating System, is that with each new release, the Microsoft Operating System gets larger, and requires more hardware resources (such as RAM and Hard Drive space) to run effectively; while, this most recent Apple OSX release improved performance while actually using less space. But this post isn't about which OS is better between the Microsoft and Apple brand of commercial Operating Systems. This post is about Ubuntu Linux, which just released version 9.10 of their free, open source software.

Before we can effectively talk about Ubuntu, we needed to understand what an OS was in terms that most computer users would understand. Now that you understand what an OS is, you can contemplate how much that OS costs you, when you purchase a new computer. Then you can also think about how much you have to spend every few years to upgrade to the latest version. While the recent Apple upgrade from Leopard to Snow Leopard was insanely inexpensive, most Microsoft upgrades are not. Even after paying the piper (Micro$oft), often times the casual computer user comes to find that upgrading the OS isn't a simple process, and worse, they come to find that the hardware they currently own can't operate the new OS with the same level of performance that the previous OS maintained. This leaves many users "behind the times" as new OSs are rolled out to feed the cyber-economy. Eventually, the old OS is no longer supported, and the user has no choice but to operate a system riddled with security holes, or pay to upgrade.

Enter Linux. Linux might better be termed GNU/Linux; but, Linus Torvalds, the father of the monolithic Linux Kernel, isn't a fan of that notion. Yet without the GNU Project's developed software that was a direct result of the efforts of Richard Stallman and the Free Software Movement, Linux wouldn't be of much value to the average computer user. In fact, Linux came along at just the right moment to take advantage of a large amount of software developed as a part of the GNU Project which was waiting on the completion and refinement of their own kernel (called Hurd).

GNU, which is a recursive acronym that stands for "GNU's Not Unix", was working on a more complex kernel type called a micro-kernel, which differs fundamentally from a monolithic kernel in its structure and functioning. As fortune would have it, the GNU Project's micro-kernel (Hurd) wasn't ready for prime-time - so the Linux monolithic kernel filled the gap.

There are subtle differences between the Free Software Movement, and the Open Source Movement - but for the average person, they both mean powerful, maintained software, that doesn't have a cost associated with its acquisition or redistribution. Luckily the two camps are more similar than not, and continue to produce and promote free, open source software with the benefits of a huge community dedicated to peer-review. However, for a long time, using Linux was not for the casual user. The average Linux user was either a computer hacker, soon to become a computer hacker, or at least a person who would learn the meaning of the phrase: "F-disk, Format, Reinstall".

Enter Ubuntu Linux. Ubuntu Linux is a 'flavor' of linux, or perhaps more clearly stated - a particular distribution of Linux. It happens to be a very easy version of Linux to obtain, install, and use. There are several versions of Ubuntu which have been further customized for groups of people like educators, musicians, and people who like to record their television shows.

There are freely available CD and DVD disk images that one can download and "burn" from what is called an "iso" image or file, which will allow you to boot your computer from the resulting media, run the OS from within RAM, and leave your original OS intact. This method of "live" CDs or DVDs allows one to explore the power and functionality of Ubuntu Linux without committing to replacing their current OS.

If you have enough free disk space, you can also install a free program such as VMware Server, and then install Ubuntu as a virtual machine. For Macintosh users, a commercial product called VMware Fusion works very well for this purpose. This option allows you to run your original OS and simultaneously run Ubuntu Linux within a window on that system. This is a very powerful way to go, and is recommended for all serious cyber-jutsu practitioners.

For those of you who are inclined to experiment and even program, please go to http://www.ubuntu.com and download the latest version, 9.10. You can burn an installation disk and run this new operating system on one of your older systems. Not only are there massive free software resources awaiting you, but some of the best security tools made. For those of you who have no intention of re-purposing your old computer hardware, I suggest you donate the computer hardware.

As we have stated, Ubuntu is Free Software. It is also Open Source, which means that the "source code", the lists of computer instructions that make it function, is available for download, use, and modification. CyberCede.org (the website of which is still under construction) is accepting donations of your old computer hardware. We are taking versions of Linux (Ubuntu when the minimum hardware requirements are met), installing the open source operating system onto the donated hardware, and making these re-purposed systems available to those in need. For more information about the program, please send an email to metajunkie at my google mail address (gmail dot com) with the subject header of cybercede.org charity division. We are not currently accepting large CRT monitors; but we will happily accept functional flat screen monitors of all sizes. All donated systems will have their hard drives thoroughly and securely wiped of any and all data prior to the Ubuntu Linux installation.

So, why do we care that Ubuntu 9.10 has been released? Because, unless you are running OSX, or have some real need to run Windows (such as specific games or financial applications), you can set yourself free by embracing the Open Source Revolution! OSX users can actually already take advantage of many GNU Project applications. OSX, after all, has a Mach micro-kernel with a BSD subsystem at its core. For those willing to pay, I recommend the Apple line of computers running OSX. For everyone else, it is time you took a look at this Linux thing. It isn't just for computer geeks anymore.

The Ubuntu distribution really is easy to use, and brings the power of Linux to even the less gifted of cyber-jutsu practitioners. Had I not converted my Mom to being a very satisfied OSX user, she would be using Ubuntu Linux this year. She wouldn't be using Ubuntu Linux because her cyber-jutsu is ready to take her into the depths of the Bourne Again Shell (BASH); she would be running it because it is ready for her to use without her needing to know what BASH is. Likewise, the default shell on OSX is BASH, and my mother is blissfully unaware of this fact too. ;)

Sensei Metajunkie


PS
If you would like to learn more about the origins of Linux and GNU, you might want to check out a movie called "Revolution OS" which was released in 2002. It is available as a streaming media title on Netflix.

You might also enjoy reading "The Cathedral and the Bazaar" by Eric Steven Raymond.



Tuesday, October 27, 2009

Security Warning: Facebook Fishing Attempt



All students of cyber-jutsu should be on guard against a recent fishing attack received by CyberCede Corporation.

The email looks official at first glance; but we know Facebook would never send out such a message unless it was first requested by the end user (you). The fishers are hoping that we open the attachment they have sent us, which is pretending to be a new password for us.

A closer examination of this email in fact shows us that it is bogus. Here we are using Apple's Mail program. Within that application we can view the "long headers" as an option off of the "View" menu, by following the "Message" delta which opens a sub-menu. Users of other email programs should have some similar way to view more details regarding the transmission and receipt of the message.

We've blacked out some of the address particulars so as not to add to the amount of spam we are already processing, and I've circled the "Reply to" and "Return Path" fields in red (see below).



We can see that the "Reply to" and "Return Path" fields are not consistent with the facade that this email is from Facebook.

We call this a "fishing attack", because the malicious agents are sending this email to potentially hundreds of thousands or more people in hopes that someone will "bite". Just like fishing, many fish may pass by the bait. All it takes is one big one on the hook to make the day pay off.

Exactly what the payload is has not yet been determined. The payload is the file that they have sent. Since it is in "zip file" format, it could be a buffer overflow attack against a popular "unzip" program. Or the zipped file could be a less creative trojan horse or other malicious executable.
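The two checks described above, comparing the "Reply to" and "Return Path" headers against the From domain and noting a risky attachment type, can be automated with Python's standard email library. This is an added example, not code from the original post; the messages it examines are constructed in the script (the real phishing mail from the post is not reproduced), and the list of risky extensions is an assumption you should tune to your own environment.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of attachment types worth flagging; adjust to taste.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")


def build_sample(from_addr, reply_to=None, return_path=None, attach_name=None):
    """Build a constructed test message (not the real mail from the post)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your new password"
    if reply_to:
        msg["Reply-To"] = reply_to
    if return_path:
        # Normally added by the receiving mail server; set here for the sample.
        msg["Return-Path"] = return_path
    msg.set_content("Please open the attachment to get your new password.")
    if attach_name:
        msg.add_attachment(b"PK\x03\x04 constructed bytes, not a real archive",
                           maintype="application", subtype="zip",
                           filename=attach_name)
    return msg.as_string()


def sender_domain(msg, header):
    """Return the lower-cased domain of an address header, or None if absent."""
    value = msg.get(header)
    if value is None:
        return None
    _, addr = parseaddr(str(value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_org(domain, reference):
    """True when domain is reference itself or a subdomain of it."""
    return domain == reference or domain.endswith("." + reference)


def inconsistent_headers(raw):
    """List the routing headers whose domain does not match the From domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = sender_domain(msg, "From")
    if from_domain is None:
        return ["From: no parseable sender address"]
    findings = []
    for header in ("Reply-To", "Return-Path", "Sender"):
        domain = sender_domain(msg, header)
        if domain is not None and not same_org(domain, from_domain):
            findings.append(f"{header}: {domain} does not match From: {from_domain}")
    return findings


def risky_attachments(raw):
    """Return the filenames of attachments with an extension in RISKY_EXTENSIONS."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


if __name__ == "__main__":
    phish = build_sample("Facebook <noreply@facebook.com>",
                         reply_to="support@mailer.invalid",
                         return_path="<bounce@mailer.invalid>",
                         attach_name="new_password.zip")
    for finding in inconsistent_headers(phish):
        print("header mismatch ->", finding)
    for name in risky_attachments(phish):
        print("risky attachment ->", name)
```

A mismatch between From and Reply-To or Return-Path is not proof of fraud on its own (mailing-list software and outsourced bulk senders produce it legitimately), which is why the script reports findings for a human to weigh rather than deciding for them.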

Regardless of what the payload is, we know this is not from Facebook. We all know to just delete the mail without replying to it or opening the attachment.

Stay safe,

Sensei Metajunkie

Thursday, October 22, 2009

Reports of Chinese Cyberspying against U.S. Corporations

Today the Wall Street Journal ran a story about a report that the US-China Economic and Security Review Commission contracted Northrop Grumman Corp. to create. The report, which I have not yet read, was supposed to have been released today.

The report indicates that Chinese espionage operations via cyberspace are on the rise, and that the People's Liberation Army (PLA) has been recruiting members for cyber-warfare militia units.

According to the article, Chinese Cyber-spies steal $40 - $50 billion per year in intellectual property from US organizations.

I have two fundamental questions:

1. Can we trust a company like Northrop Grumman Corp. to create such a report, since they are a part of our Military Industrial Complex, and have launched an advertising campaign describing themselves as "the face of cyber-security"?

2. If the reports are accurate - shouldn't we be building our own cyber-warfare militia units?


I think it is proper to hope for the best, but be prepared for the worst. So...

CyberCede is now accepting applications for participants in its cyber-warfare militia. Please send an e-mail with "cybercede cyber-warfare militia" in the subject line to "metajunkie at gmail.com" to express interest.

Sensei Metajunkie

Google AdSense Account Disabled

Some of you may have noticed that the cyber-jutsu dojo walls seem a little bare. The Google Advertisements are missing.

Google has disabled our AdSense account.

In an email, they have asserted that our "AdSense account has posed a significant risk to [their] AdWords advertisers".

This would appear to happen frequently enough that they have a FAQ established to provide more information.

From the FAQ:

"Because we have a need to protect our proprietary detection system, we're unable to provide our publishers with any information about their account activity, including any web pages, users, or third-party services that may have been involved.

As you may know, Google treats invalid click activity very seriously, analyzing all clicks and impressions to determine whether they fit a pattern of use that may artificially drive up an advertiser's costs or a publisher's earnings. If we determine that an AdSense account may pose a risk to our AdWords advertisers, we may disable that account to protect our advertisers' interests.

Lastly, please note that as outlined in our Terms and Conditions, Google will use its sole discretion when determining instances of invalid click activity."

So, we really have no idea why our account was disabled. If any of our readers have been randomly or blindly clicking on advertisements, you have not helped us. In fact, you may have shut down what might have been a great source of passive income for our blogs.

We have petitioned Google to reinstate our account. If that happens, I encourage you all to only click on advertisements which are of interest to you. Don't be afraid to click on advertisements, that is why they are there; but please refrain from clicking just because you know it is generating revenue for us.

I don't usually cross-post between these blogs - but I will put this message on all of the blogs.

Thank you for your understanding and cooperation.

Sensei Metajunkie


Wednesday, October 21, 2009

Metasploit acquired by Rapid7

Metasploit has been acquired by an information security company called Rapid7. Rapid7 is the self-proclaimed leading provider of vulnerability management, compliance and penetration testing solutions.

Well... if they weren't before, acquiring Metasploit will certainly give them a boost.

Let us hope that what is free today stays free tomorrow, and that new features won't be withheld from the open source community, and reserved for "paying customers only". While I'm happy for the founder of Metasploit, HD Moore, who will be hired as the CSO (Chief Security Officer) of Rapid7, I can't help but think we've lost another great free tool. I hope they prove me wrong.

You can read more details about the acquisition here.

I'm glad I told you all to install this last week. There is no telling if there will be any lapse in the ability to download the framework software.

Friday, October 16, 2009

Utility: Google Translate for International Communications

During a recent viewing of the Google Wave developer video (Wave is going to change the way we all communicate and collaborate online), I saw them use an application with a Wave for translation between English and French.

I am happy to say we don't need to wait for Google Wave to be released to translate between various languages.

You can check out Google Translate at:

http://translate.google.com

This can be important to your cyber-jutsu, especially if you are working with cyber-jutsu practitioners in other countries.

Thursday, October 15, 2009

Green Belt Exercise: Install Metasploit


Metasploit is an amazingly powerful and free security tool that must be on the weapons rack of the penetration tester. For the casual cyber-jutsu practitioner, who is not seeking to engage in hard core hacking, contract penetration testing, or cyber-warfare, Metasploit is not a required tool. However, we'll be looking at this tool in detail. Green belts interested in becoming CyberCede Samurai should understand what Metasploit is, and learn to execute reconnaissance and attacks to deliver payloads from within the framework.

To emphasize the importance of your familiarity with this tool: Green Belts seeking their Black Belts, and ultimately the title of CyberCede Samurai, will endeavor to write their own exploit in Ruby for use within the Metasploit Framework (msf) or modify/enhance a previously written Metasploit exploit for use against a particular target. Actual Ruby code should be posted in the applicable hacking code blog, when the time comes.

You should download and install Metasploit if you have not already done so.

Don't forget to breathe!

Wednesday, October 14, 2009

Black Belt Topic: New Technology - Google Wave

Greetings cyber-jutsu practitioners. I trust you are following my advice on breathing exercises and daily exercise. Your mind and body must be sharp, in order to master the ways of cyber-jutsu. If you have not yet applied the Microsoft and Adobe patches from yesterday, please see the Black Tuesday post and do so immediately.

Because some of the black belt students have brought up this new technology topic, I will touch on it briefly. The question is: What will the Google Wave protocol and service mean to an organization's information security stance?

Students who have not yet learned of the Google Wave should seek further knowledge at: http://wave.google.com/help/wave/about.html#video. This is a long video. It is approximately an hour and a half in duration.

Until the service is released, it will be difficult to evaluate the security of Google Wave. Briefly, I will say that Google plans to make this technology open source. Organizations will be able to create their own Wave servers and "Federate" them with the Google Wave servers and others. This is a very good thing. Black belts in cyber-jutsu will have opportunities to dig down deep and understand the new protocol being developed for this Wave technology.

This Google Wave technology will most likely change the way we communicate on the Internet. Some features that are shown in the lengthy video include 'real time' chatting. By this I mean character by character transfer of information. This is nothing new for anyone who is old enough to have run or used a true modem-connected BBS (Bulletin Board System). Your sensei ran many such systems back in the 1980's, before there was a World Wide Web. In those days I was not a sensei, but a weenie. In those days my title was "sysop".

But, I digress...

The development video also shows using Google Wave to collaborate on documents instantly, with many people making changes at the same time. It will change the way we share pictures, and even the way I maintain this weblog. It allows for the creation of new apps by third parties, such as games. It is, without a doubt, as groundbreaking a technology as Google Maps. In fact the two brothers who spawned Google Maps are also responsible for the genesis of this new Google Wave to come.

Black Belts should seek the white papers that Google is releasing regarding this new technology. There are also some planned enhancements to the HTML standards, in order to facilitate a pure open source solution.

Why is this important to our cyber-jutsu? Once black belts watch the video, it should be clear to them. For the sake of the white and green belts who have read this post I will say this:

Anything which facilitates better, faster, and more manageable communications will impact our cyber-jutsu. This new technology will be a tool, not unlike a sword, which must be learned. From an information security stance, we will need to find ways to better monitor the waves which enter and leave our organizations. Today, we have serious issues in businesses that have chosen to allow unfettered access to the World Wide Web via often unpatched web browsers. More technology means more responsibility.

Currently, you must be invited to participate in these early days of Google Wave trials. If anyone receives an invitation, please let me know. I, like you, am eager to learn more of what this future will hold.

Your humble sensei,

Metajunkie

Tuesday, October 13, 2009

White Belt Exercise: Patching for Microsoft's Black Tuesday

Today both Microsoft and Adobe released a large number of patches. If you are running any version of Microsoft Windows, you should run your Windows Update or Microsoft Update program. This will allow you to download and install the latest patches from Microsoft.

Today was Microsoft's October Black Tuesday for 2009. They identified and released approximately 15 Critical patches. When a patch is rated Critical, it means you have to install it 'now'.

If you have been practicing your breathing exercises as previously suggested, you will have an idea of what 'now' means. Now is only experienced in the present moment. Your breath is always in the present moment. Follow your breath. Apply the Microsoft patches 'now'.

Just as serious, Adobe is in the process of releasing patches for 29 identified vulnerabilities. If you have any Adobe products installed (and I know you do, because I do not know a single person who has not used Adobe Acrobat Reader, and most people use the Flash plug-ins for their favorite browser), then you need to go to: http://www.adobe.com/support/security/bulletins/apsb09-15.html

This is a very good example of why you need to 'know yourself', as Sun-Tzu said. In this case 'knowing yourself' is knowing what you have installed on your computer. As you see, you must patch. You may also note that using the automatic patching methods provided by Microsoft does not patch everything you have installed. Additional effort is required to patch all other software, in this case the Adobe software.

When I say "patch all of your software" - do you know which software I mean?

Do you have a list of every single program you have currently installed on your computer? If not, you must have delegated that responsibility to someone else. You should make certain that person is patching 'all' of your software. If you are complying with a regulation such as HIPAA or SOX, making certain extends to having documented validation. If you are just a lone home computer user, the idea that someone else is responsible for patching your system is probably just fantasy.

As an exercise that will enhance your cyber-jutsu, create a spreadsheet or a database to track every piece of software installed on your computer. As we have said before, all things which are 'extra' must be cut away. If you see there is software on your computer that you do not use, uninstall it. Don't be a pack-rat with software. If you don't use it, you won't remember to patch it.

Complete your list of all installed software, and you will be closer to 'knowing yourself', and your cyber-jutsu will have improved. If you are responsible for many computers, I suggest you use a database such as MySQL which was recently acquired by Sun Microsystems, who in turn recently merged with Oracle.
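As an added illustration of the inventory exercise above (this is not the author's own tool), here is a small software inventory kept in SQLite rather than MySQL, since SQLite ships with Python and needs no server; the same tables and query work in MySQL. The hosts, products, versions, dates and the bulletin identifier are all constructed sample data, not real advisories. The version comparison is a deliberately simple numeric split, which is an assumption that holds for dotted vendor versions but not for every scheme you will meet.

```python
import sqlite3
from datetime import date

# Constructed sample data; nothing here refers to real hosts or advisories.
SCHEMA = """
CREATE TABLE host (
    name  TEXT PRIMARY KEY,
    owner TEXT NOT NULL          -- the person responsible for patching it
);
CREATE TABLE installed (
    host      TEXT NOT NULL REFERENCES host(name),
    product   TEXT NOT NULL,
    version   TEXT NOT NULL,
    last_used TEXT NOT NULL,     -- ISO date, used for the 'cut away the extra' check
    PRIMARY KEY (host, product)
);
CREATE TABLE advisory (
    product       TEXT NOT NULL,
    fixed_version TEXT NOT NULL, -- first version that contains the fix
    bulletin      TEXT NOT NULL  -- vendor bulletin id (placeholder values below)
);
"""

SAMPLE_ROWS = {
    "host": [("alpha", "alice"), ("bravo", "bob")],
    "installed": [
        ("alpha", "Flash Player", "10.0.22.87", "2009-10-12"),
        ("alpha", "Acrobat Reader", "9.1.3", "2009-10-01"),
        ("alpha", "Old Solitaire", "1.0", "2008-01-15"),
        ("bravo", "Flash Player", "10.0.32.18", "2009-10-13"),
        ("bravo", "Acrobat Reader", "9.2", "2009-10-13"),
    ],
    "advisory": [
        ("Flash Player", "10.0.32.18", "BULLETIN-PLACEHOLDER-1"),
        ("Acrobat Reader", "9.2", "BULLETIN-PLACEHOLDER-2"),
    ],
}


def parse_version(text):
    """Turn '10.0.32.18' into (10, 0, 32, 18); non-numeric pieces count as 0."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(installed, fixed):
    """True when the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 9.2 compares equal to 9.2.0
    b += (0,) * (width - len(b))
    return a < b


def open_inventory():
    """Create the in-memory inventory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO host VALUES (?, ?)", SAMPLE_ROWS["host"])
    conn.executemany("INSERT INTO installed VALUES (?, ?, ?, ?)", SAMPLE_ROWS["installed"])
    conn.executemany("INSERT INTO advisory VALUES (?, ?, ?)", SAMPLE_ROWS["advisory"])
    return conn


def outdated(conn):
    """(host, owner, product, installed, fixed, bulletin) for every unpatched install."""
    rows = conn.execute("""
        SELECT i.host, h.owner, i.product, i.version, a.fixed_version, a.bulletin
        FROM installed i
        JOIN host h ON h.name = i.host
        JOIN advisory a ON a.product = i.product
        ORDER BY i.host, i.product""").fetchall()
    return [r for r in rows if version_below(r[3], r[4])]


def unused(conn, today, max_idle_days=180):
    """(host, product) pairs not used for max_idle_days; candidates for removal."""
    rows = conn.execute("SELECT host, product, last_used FROM installed").fetchall()
    return [(h, p) for h, p, used in rows
            if (today - date.fromisoformat(used)).days > max_idle_days]


if __name__ == "__main__":
    db = open_inventory()
    for host, owner, product, have, need, bulletin in outdated(db):
        print(f"{host} ({owner}): {product} {have} < {need}, see {bulletin}")
    for host, product in unused(db, date(2009, 10, 13)):
        print(f"{host}: {product} unused, consider uninstalling")
```

The join between installed and advisory is what turns a bare list into a patch status: once the inventory exists, a new bulletin is one INSERT and a re-run of the query, instead of a walk around the office.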

All Green and Black Belt students should have already found White Belt students to patch their systems for them, or already have done it themselves. To leave a system unpatched is irresponsible; to not know that your system is unpatched is ignorance.

A Healthy Body - A Healthy System

Daily activities are very important to all systems.

Your body is a system, and it requires things every day in order to stay healthy. Daily physical activities such as stretching and walking can prolong a healthy life. Proper stretching increases blood flow to parts of the body which may not otherwise receive enough nutrients. Joints are better lubricated, the subtle parts of the anatomy are encouraged to transmit energy, and stress can be melted away through the activity of stretching your entire body. Likewise, a mild activity such as walking will burn "extra" calories away. All things which are "extra" must be cut away. In this case, we burn them away, naturally, within the system that is our body.

Not unlike the human body, computers are systems which need daily activities performed for a healthy long life. Some might argue that some systems are more important than others, but this is not so. Just as every human life is important, so too, the well-being of every computer system is important when considering information security and cyber-jutsu. The unhealthy human body may contract and mutate a strong virus that will then infect many people. So too, an unprotected or unpatched computer system may be attacked, exploited, and infected, ultimately becoming the downfall of neighboring computer systems.

On the subject of patches, it is very important to understand what I mean. All software programs have flaws, because that is the nature of computer programs. The creators of computer programs, humans, are not perfect; so, why would their programs be without flaws?

Even when a programmer creates a program that is perfect by today's standards, tomorrow may yield a new standard or a change to a standard. Therefore, sometimes, the programmer must "fix" his code today, which was perceived flawless yesterday. However, most programmers work in teams, which are led by managers, who are hired by directors, who report to small groups of people expecting a profit from their investment. This is neither good nor bad. It just is. The reality is that there is more money in releasing the next new software program than there is in fixing an already released, but flawed, software program. Seek not to place blame, but to understand. When software companies do fix flaws, those fixes are, generally speaking, released to the public as patches.

Understanding all of this is important for you to perfect your cyber-jutsu. You must understand that the flaws we are talking about do not prevent the computer program from performing the function it was designed to do. If that were the case, all the customers would scream, and the board would be unhappy if many people were screaming. So too, the directors would shift priorities from the new program being developed back to fixing the previous, flawed program. The managers would manage. The programmers would switch their focus and try to fix the issue. However, breaking one's concentration while programming can lead to more mistakes. Also, the user of the program would implement the patch as soon as it was released. I have seen all of this. This is very clear. But these flaws that we speak of for the sake of our cyber-jutsu, these 'bugs', are not of a type that cause a program to clearly malfunction.

You may ask, "If the program performs the function it was designed to do, then how can we call it flawed?" Herein is the heart of the matter. The "flaw" that we refer to regarding security issues with computer programs is often called a "vulnerability". This type of programming flaw does not stop the program from performing as expected; but it does create an opportunity for an attacker to force the program to perform in a way that was not anticipated or desired. An attacker who knows of a vulnerability can provide the program with input designed to exploit this vulnerability. If an attacker succeeds in exploiting a vulnerability, that attacker has forced the computer program to do something it was not designed to do. In the worst cases, the attacker can take complete control of the exploited computer system without the knowledge of its legitimate user. The best way to defeat such an attacker is to remove the vulnerability by applying the patch provided by the software vendor, when one is available.

You may ask, "Why is this important to my cyber-jutsu?" I would answer, "All of your systems must be healthy, if you are to master cyber-jutsu".

If I told you to patch your systems, and you did not understand the systems as I understand the systems, what would you patch? What systems are we talking about? Are not all of the systems working together? Are not the human systems working within the systems that create programs? If your mind is not sharp and focused, will you not err? For all of us, our cyber-jutsu must start with the maintenance of the human system, for it is our foundation.

If you are a programmer, and work within the system that creates programs (i.e. a software company), you can effect cyber-jutsu in that system to help reduce vulnerabilities. But if you are like most cyber-jutsu practitioners, you are a user of the output of such a software vendor. In such a case you cannot always easily impact the way they do business. Therefore, you must understand, and not have false expectations of vulnerability-free software. You must be aware of what you have installed within your computer system. You must be aware of the boundaries of the cyberspace that you control.

Each of us can only impact the systems we are responsible for. Each of us is responsible for the system which is the human body we exist within. So too, each of us is responsible, to varying degrees based upon ownership, for the computer system(s) we interface with. No company intranet can be secure without someone taking responsibility for each and every computer system connected to it. In your home, you own and are responsible for your computer. At work, the IT department may own the responsibility of maintaining your system(s). But you still own your actions when you interface with that computer.

When I tell you that you must look for patches to your system every day, does it sound extreme? When I say "patch your system", what do you perceive as your "system"? If I told you that your computer system was every single program running on it, and every single computer that you are connected to, and all of the programs those systems are running, would it sound extreme? It might sound extreme to one who owns yet denies their responsibility; but, it would be no less true.

If perpetual maintenance of the systems you are responsible for sounds extreme or unrealistic, you must examine your desire for healthy systems. What is the goal of your cyber-jutsu? Do you want to 'seem' secure, or do you want to be secure? Do you want to say that you are 'managing risk' while you are really staying ignorant of the threats within your cyberspace? If so, you are not alone. I have met many CIOs and IT Directors who play this game within their minds, and spread lies in board rooms about the impossibility of really being secure as a means to shirk their responsibilities. Am I promising a perfect and impenetrable system? Of course I am not. But to avoid doing what is known to be effective, for the gain of the money not spent doing it, is irresponsible at best; in the worst cases, it is criminal. To continue to deploy more and more systems in an effort to make things easier and save money, without also engaging someone who can be responsible for each new system, leads to an unbalanced state. When we defend, we must maintain our center; we must maintain balance. When we attack, we seek first to unbalance our opponent. Truly, starting in an unbalanced state is poor cyber-jutsu.

All are welcome here in this cyber-jutsu dojo, if they have a desire to learn and apply the art. I have much to teach you. I hope you find here what you seek.

Humbly,

Sensei Metajunkie

Monday, October 12, 2009

Welcome to the cyber-dojo

Welcome to the cyber-dojo. I cannot stress enough the importance of breathing properly.

While I prepare information to help you in cyberspace, please practice this simple form of meditation.

Sit comfortably with your spine straight. Proper posture is important, for it leads to proper balance. Inhale as deeply as you can, allowing your belly to expand. Pause for a moment when you are filled with life-granting air. Then, exhale as deeply as you inhaled, emptying your lungs as far as you comfortably can. Repeat.

Allow your thoughts to come and go, as if they were clouds passing by quickly, high overhead. Focus only on your breath. Everything else is "extra". All things which are "extra" must be cut away. Breathe deeply. Count your breaths from one to ten. When you reach your tenth breath, start counting again at one.

Do this every day, for one minute per each year of your life (e.g. if you are 20 years old, spend 20 minutes per day on this meditation). In this way your cyber-jutsu training will begin. You will develop focus. You will need focus in order to master the art of cyber-jutsu.

Topics will include, but not be limited to:

  • Cybersecurity
  • Information Security
  • Cyber-Warfare
  • Bot Nets
  • Malware
  • Strategies for victory in cyberspace
  • Tactics for victory in cyberspace
  • Offensive and Defensive Techniques for use in cyberspace
  • Compliance with regulations such as HIPAA, HITECH, GLBA, and SOX
  • Balance, Awareness, Reaction
  • Intrusion Detection Systems
  • Network Security Monitoring
  • The way of the warrior

I hope all of my cyber-students and readers find what they seek here at the Cyber-Jutsu Dojo.

Humbly Yours,

Sensei Metajunkie