Thursday, October 29, 2009
If your cyber-jutsu is to become great, you must become aware of Linux. This is not to say that you must use Linux to be a great cyber-jutsu master. There have been and will be cyber-jutsu masters using all types of operating systems. But, using a Linux Operating System will undoubtedly improve your cyber-jutsu.
Some of the newer cyber-jutsu practitioners among you may wonder, "Whatever are Operating Systems?"
I will tell you. The words you read here will be a simplification of the truth, but true enough to start you on your path or keep you from falling off the edge. An Operating System (OS) is an interface to the hardware which makes up the physical portion of a computer system. The physical portion of the system includes, but is not limited to: the housing or case of the system, the fans that help maintain the temperature of the system, the random access memory (RAM) - or 'memory' of the system, the hard drive - or long term storage, the central processing unit (CPU), and every other printed circuit board, chip, microprocessor, graphics card, etc. It is what you would see if you took a sledgehammer to your computer. (Not recommended until the rank of black belt.)
The Operating System (OS) interfaces with the BIOS (Basic Input/Output System), which is itself a piece of hardware that facilitates communications with all the other hardware assembled within your computer housing or case. The BIOS is really the piece of hardware that pulls it all together. In fact, it was the only proprietary component of the original IBM Personal Computer. Compaq reverse-engineered the IBM BIOS, and started the PC Clone Revolution. Some might argue that the BIOS is a hybrid component composed of part hardware (the actual chip) and part software (the programmed Read Only Memory). The Operating System allows other computer programs or 'applications' that you use on a daily basis to function in concert with each other and the system as a whole. To try and give you a dependency mapping, think of it like this: Hardware -> BIOS -> OS -> Applications. Or, to think about it in the reverse order: Applications require an Operating System, which requires a BIOS, which requires hardware to function.
Microsoft Windows is an Operating System. Apple Macintosh is an Operating System. Microsoft Windows 7 would be a particular release (the current release) or version of the Microsoft Windows Operating System, just as Mac OSX Snow Leopard is the current release of Apple's Macintosh Operating System. A striking difference between the Microsoft Windows Operating System and the Apple Mac OSX Operating System is that with each new release, the Microsoft Operating System gets larger, and requires more hardware resources (such as RAM and Hard Drive space) to run effectively; while this most recent Apple OSX release improved performance while actually using less space. But this post isn't about which OS is better between the Microsoft and Apple brand of commercial Operating Systems. This post is about Ubuntu Linux, which just released version 9.10 of their free, open source software.
Before we can effectively talk about Ubuntu, we needed to understand what an OS is in terms that most computer users would understand. Now that you understand what an OS is, you can contemplate how much that OS costs you when you purchase a new computer. Then you can also think about how much you have to spend every few years to upgrade to the latest version. While the recent Apple upgrade from Leopard to Snow Leopard was insanely inexpensive, most Microsoft upgrades are not. Even after paying the piper (Micro$oft), oftentimes the casual computer user comes to find that upgrading the OS isn't a simple process, and worse, they come to find that the hardware they currently own can't operate the new OS with the same level of performance that the previous OS maintained. This leaves many users "behind the times" as new OSs are rolled out to feed the cyber-economy. Eventually, the old OS is no longer supported, and the user has no choice but to operate a system riddled with security holes, or pay to upgrade.
Enter Linux. Linux might better be termed GNU/Linux; but Linus Torvalds, the father of the monolithic Linux Kernel, isn't a fan of that notion. Yet without the GNU Project's developed software, a direct result of the efforts of Richard Stallman and the Free Software Movement, Linux wouldn't be of much value to the average computer user. In fact, Linux came along at just the right moment to take advantage of a large amount of software developed as a part of the GNU Project, which was waiting on the completion and refinement of its own kernel (called Hurd).
GNU, which is a recursive acronym that stands for "GNU's Not Unix", was working on a more complex kernel type called a micro-kernel, which differs fundamentally from a monolithic kernel in its structure and functioning. As fortune would have it, the GNU Project's micro-kernel (Hurd) wasn't ready for prime-time - so the Linux monolithic kernel filled the gap.
There are subtle differences between the Free Software Movement and the Open Source Movement - but for the average person, they both mean powerful, maintained software that doesn't have a cost associated with its acquisition or redistribution. Luckily the two camps are more similar than not, and continue to produce and promote free, open source software with the benefits of a huge community dedicated to peer-review. However, for a long time, using Linux was not for the casual user. The average Linux user was either a computer hacker, soon to become a computer hacker, or at least a person who would learn the meaning of the phrase: "F-disk, Format, Reinstall".
Enter Ubuntu Linux. Ubuntu Linux is a 'flavor' of Linux, or perhaps more clearly stated - a particular distribution of Linux. It happens to be a very easy version of Linux to obtain, install, and use. There are several versions of Ubuntu which have been further customized for groups of people like educators, musicians, and people who like to record their television shows.
There are freely available CD and DVD disk images that one can download and "burn" from what is called an "iso" image or file, which will allow you to boot your computer from the resulting media, run the OS from within RAM, and leave your original OS intact. This method of "live" CDs or DVDs allows one to explore the power and functionality of Ubuntu Linux without committing to replacing one's current OS.
If you have enough free disk space, you can also install a free program such as VMware Server, and then install Ubuntu as a Virtual Machine. For Macintosh users, a commercial product called VMware Fusion works very well for this purpose. This option allows you to run your original OS, and simultaneously run Ubuntu Linux within a window on that system. This is a very powerful way to go, and is recommended for all serious cyber-jutsu practitioners.
For those of you who are inclined to experiment and even program, please go to http://www.ubuntu.com and download the latest version, 9.10. You can burn an installation disk, and run this new Operating System on one of your older systems. Not only are there massive free software resources awaiting you, but some of the best security tools made. For those of you who have no intention of re-purposing your old computer hardware, I suggest you donate the computer hardware.
As we have stated, Ubuntu is Free Software. It is also Open Source, which means that the "Source Code", or the lists of computer instructions that make it function, is available for download, use, and modification. CyberCede.org (the website of which is still under construction) is accepting donations of your old computer hardware. We are taking versions of Linux (Ubuntu when the minimum hardware requirements are met) and installing the Open Source Operating System onto the donated hardware, and making these re-purposed systems available to those in need. For more information about the program, please send an email to metajunkie at my google mail address (gmail dot com) with the subject header of cybercede.org charity division. We are not currently accepting large CRT monitors, but will happily accept functional flat screen monitors of all sizes. All donated systems will have their hard drives thoroughly and securely wiped of any and all data prior to the Ubuntu Linux installation.
So, why do we care that Ubuntu 9.10 has been released? Because, unless you are running OSX, or have some real need to run Windows (such as specific games or financial applications) - you can set yourself free through embracing the Open Source Revolution! OSX users can actually already take advantage of many GNU Project applications. OSX, after all, has a Mach Micro-kernel with a BSD subsystem at its core. For those willing to pay, I recommend the Apple line of computers running OSX. For everyone else - it is time you took a look at this Linux thing. It isn't just for computer geeks anymore.
The Ubuntu distribution really is easy to use, and brings the power of Linux to even the less gifted of cyber-jutsu practitioners. Had I not converted my Mom to being a very satisfied OSX user, she would be using Ubuntu Linux this year. She wouldn't be using Ubuntu Linux because her cyber-jutsu is ready to take her into the depths of the Bourne Again Shell (BASH) - she would be running it because it is ready for her to use without her needing to know what BASH is. Likewise, the default shell on OSX is BASH - and my mother is blissfully unaware of this fact too. ;)
If you would like to learn more about the origins of Linux and GNU, you might want to check out a movie called "Revolution OS" which was released in 2002. It is available as a streaming media title on Netflix.
You might also enjoy reading "The Cathedral and the Bazaar" by Eric Steven Raymond.
Tuesday, October 27, 2009
All students of cyber-jutsu should be on guard against a recent fishing attack received by CyberCede Corporation.
The email looks official at first glance; but we know Facebook would never send out such a message unless the end user (you) had first requested it. The fishers are hoping that we open the attachment they have sent us, which is pretending to be a new password for us.
A closer examination of this email, in fact, shows us that it is bogus. Here we are using Apple's Mail program. Within that application we can view the "long headers" as an option off of the "View" menu, by following the "Message" delta, which opens a sub-menu. Users of other email programs should have some similar way to view more details regarding the transmission and receipt of the message.
We've blacked out some of the address particulars so as not to add to the amount of spam we are already processing, and I've circled the "Reply to" and "Return Path" fields in red. (see below)
We can see that the "Reply to" and "Return Path" fields are not consistent with the facade that this email is from Facebook.
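As an added example (not from the original post), here is a small Python check that does the same comparison the post describes by hand: it parses a message, takes the domain of the From, Reply-To and Return-Path headers, and reports any that disagree with the claimed sender, along with any zip or executable attachment. The message is constructed for illustration; the reply and bounce hostnames are placeholders, not real senders.

```python
# Added example (not from the original post): compare the domains of the
# From, Reply-To and Return-Path headers, as the post does by eye in the
# "long headers" view, and flag risky attachments.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to come from Facebook, but the reply and bounce
# addresses point at placeholder hosts, and a zip file is attached.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
From: "Facebook" <service@facebook.com>
Reply-To: <support-team@reply.example.org>
To: <victim@example.com>
Subject: Facebook Password Reset Confirmation
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your new password is attached.
--XYZ
Content-Type: application/zip; name="new_password.zip"
Content-Disposition: attachment; filename="new_password.zip"

(constructed placeholder for binary content)
--XYZ--
"""

# Constructed sample where all three headers agree and nothing is attached.
CONSISTENT_MESSAGE = """\
Return-Path: <bounce@example.com>
From: "Example Support" <support@example.com>
Reply-To: <support@example.com>
To: <user@example.com>
Subject: Your ticket

Thanks for writing in.
"""

RISKY_SUFFIXES = (".zip", ".exe", ".scr")


def header_domain(msg, header):
    """Lower-cased domain of the first address in `header`, or None if absent."""
    value = msg.get(header)
    if not value:
        return None
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def attachment_names(msg):
    """Filenames of every attachment in a (possibly multipart) message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def check_sender_consistency(raw):
    """Return a list of findings; an empty list means the headers agree."""
    msg = message_from_string(raw)
    findings = []
    from_dom = header_domain(msg, "From")
    for header in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, header)
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom!r} differs from From domain {from_dom!r}")
    for name in attachment_names(msg):
        if name.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"unexpected archive/executable attachment {name!r}")
    return findings


if __name__ == "__main__":
    for finding in check_sender_consistency(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

A mismatch between these headers is not proof of forgery on its own (mailing-list software and ticketing systems legitimately set a different Reply-To), but a password reset that you did not request, with a mismatched bounce address and an archive attached, is exactly the pattern the post is warning about.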
We call this a "fishing attack", because the malicious agents are sending this email to potentially hundreds of thousands or more people in hopes that someone will "bite". Just like fishing, many fish may pass by the bait. All it takes is one big one on the hook to make the day pay off.
Exactly what the payload is has not yet been determined. The payload is the file that they have sent. Since it is in "zip file" format, it could be a buffer overflow attack against a popular "unzip" program. Or the zipped file could be a less creative trojan horse or other malicious executable.
Regardless of what the payload is - we know this is not from Facebook. We all know to just delete the mail without replying to it or opening the attachment.
Thursday, October 22, 2009
Today the Wall Street Journal ran a story about a report that the US-China Economic and Security Review Commission contracted Northrop Grumman Corp. to create. The report, which I have not yet read, was supposed to have been released today.
The report indicates that Chinese espionage operations via cyberspace are on the rise, and that the People's Liberation Army (PLA) has been recruiting members for cyber-warfare militia units.
According to the article, Chinese Cyber-spies steal $40 - $50 billion per year in intellectual property from US organizations.
I have two fundamental questions:
1. Can we trust a company like Northrop Grumman Corp. to create such a report, since they are a part of our Military Industrial Complex, and have launched an advertising campaign describing themselves as "the face of cyber-security"?
2. If the reports are accurate - shouldn't we be building our own cyber-warfare militia units?
I think it is proper to hope for the best, but be prepared for the worst. So...
CyberCede is now accepting applications for participants in its cyber-warfare militia. Please send an e-mail with "cybercede cyber-warfare militia" in the subject line to "metajunkie at gmail.com" to express interest.
Wednesday, October 21, 2009
Metasploit has been acquired by an information security company called Rapid7. Rapid7 is the self-proclaimed leading provider of vulnerability management, compliance and penetration testing solutions.
Well... if they weren't before, acquiring Metasploit will certainly give them a boost.
Let us hope that what is free today stays free tomorrow, and that new features won't be withheld from the open source community, and reserved for "paying customers only". While I'm happy for the founder of Metasploit, HD Moore, who will be hired as the CSO (Chief Security Officer) of Rapid7, I can't help but think we've lost another great free tool. I hope they prove me wrong.
You can read more details about the acquisition here.
I'm glad I told you all to install this last week. There is no telling if there will be any lapse in the ability to download the framework software.
Friday, October 16, 2009
During a recent viewing of the Google Wave developer video (Wave is going to change the way we all communicate and collaborate online), I saw them use an application within a Wave for translation between English and French.
I am happy to say, we don't need to wait for Google Wave to be released to translate between various languages.
You can check out Google Translate at:
This can be important to your cyber-jutsu, especially if you are working with cyber-jutsu practitioners in other countries.
Thursday, October 15, 2009
Metasploit is an amazingly powerful and free security tool that must be on the weapons rack of the penetration tester. For the casual cyber-jutsu practitioner, who is not seeking to engage in hard core hacking, contract penetration testing, or cyber-warfare, Metasploit is not a required tool. However, we'll be looking at this tool in detail. Green belts interested in becoming CyberCede Samurai should understand what Metasploit is, and learn to execute reconnaissance and attacks to deliver payloads from within the framework.
To emphasize the importance of your familiarity with this tool: Green Belts seeking their Black belts, and ultimately the title of CyberCede Samurai, will endeavor to write their own exploit in Ruby for use within the Metasploit Framework (msf) or modify/enhance a previously written Metasploit exploit for use against a particular target. Actual Ruby code should be posted in the applicable hacking code blog, when the time comes.
You should download and install Metasploit if you have not already done so.
Don't forget to breathe!
Wednesday, October 14, 2009
Greetings cyber-jutsu practitioners. I trust you are following my advice on breathing exercises and daily exercise. Your mind and body must be sharp, in order to master the ways of cyber-jutsu. If you have not yet applied the Microsoft and Adobe patches from yesterday, please see the Black Tuesday post and do so immediately.
Because some of the black belt students have brought up this new technology topic, I will touch on it briefly. The question is: What will the Google Wave protocol and service mean to an organization's information security stance?
Students who have not yet learned of the Google Wave should seek further knowledge at: http://wave.google.com/help/wave/about.html#video. This is a long video. It is approximately an hour and a half in duration.
Until the service is released, it will be difficult to evaluate the security of Google Wave. Briefly, I will say that Google plans to make this technology open source. Organizations will be able to create their own Wave servers and "Federate" them with the Google Wave servers and others. This is a very good thing. Black belts in cyber-jutsu will have opportunities to dig down deep and understand the new protocol being developed for this Wave technology.
This Google Wave technology will most likely change the way we communicate on the Internet. Some features that are shown in the lengthy video include 'real time' chatting. By this, I mean character by character transfer of information. This is nothing new for anyone who is old enough to have run or used a true modem-connected BBS (Bulletin Board System). Your sensei ran many such systems back in the 1980s, before there was a World Wide Web. In those days I was not a sensei, but a weenie. In those days my title was "sysop".
But, I digress...
The development video also shows using Google Wave to collaborate on documents instantly with many people making changes at the same time. It will change the way we share pictures, and even the way I maintain this weblog. It allows for the creation of new apps by third parties, such as games. It is, without a doubt, as groundbreaking a technology as Google Maps. In fact, the two brothers who spawned Google Maps are also responsible for the genesis of this new Google Wave to come.
Black Belts should seek the white papers that Google is releasing regarding this new technology. There are also some planned enhancements to the HTML standards - in order to facilitate a pure open source solution.
Why is this important to our cyber-jutsu? Once black belts watch the video, it should be clear to them. For the sake of the white and green belts who have read this post I will say this:
Anything which facilitates better, faster, and more manageable communications will impact our cyber-jutsu. This new technology will be a tool, not unlike a sword, which must be learned. From an Information Security stance, we will need to find ways to better monitor the waves which enter and leave our organizations. Today, we have serious issues in businesses that have chosen to allow unfettered access to the World Wide Web via often unpatched web browsers. More technology means more responsibility.
Currently, you must be invited to participate in these early days of Google Wave trials. If anyone receives an invitation, please let me know. I, like you, am eager to learn more of what this future will hold.
Your humble sensei,
Tuesday, October 13, 2009
Today both Microsoft and Adobe released a large number of patches. If you are running any version of Microsoft Windows, you should run your Windows Update or Microsoft Update program. This will allow you to download and install the latest patches from Microsoft.
Today was Microsoft's October Black Tuesday for 2009. They identified and released approximately 15 Critical patches. When a patch is rated Critical, it means you have to install it 'now'.
If you have been practicing your breathing exercises as previously suggested, you will have an idea of what 'now' means. Now is only experienced in the present moment. Your breath is always in the present moment. Follow your breath. Apply the Microsoft patches 'now'.
Just as serious, Adobe is in the process of releasing patches for 29 identified vulnerabilities. If you have any Adobe products installed (and I know you do, because I do not know a single person who has not used Adobe Acrobat Reader, and most people use the Flash plug-in for their favorite browser), then you need to go to: http://www.adobe.com/support/security/bulletins/apsb09-15.html
This is a very good example of why you need to 'know yourself' as Sun-Tzu said. In this case 'knowing yourself' is knowing what you have installed on your computer. As you see, you must patch. You may also note that using the automatic patching methods provided by Microsoft does not patch everything you have installed. There is additional effort in order to patch all other software, in this case the Adobe software.
When I say "patch all of your software" - do you know which software I mean?
Do you have a list of every single program you have currently installed on your computer? If not - you must have delegated that responsibility to someone else. You should make certain that person is patching 'all' of your software. If you are complying with a regulation such as HIPAA or SOX, making certain extends to having documented validation. If you are just a lone home computer user - the idea that someone else is responsible for patching your system is probably just fantasy.
As an exercise that will enhance your cyber-jutsu, create a spreadsheet or a database to track every piece of software installed on your computer. As we have said before, all things which are 'extra' must be cut away. If you see there is software on your computer that you do not use - uninstall it. Don't be a pack-rat with software. If you don't use it - you won't remember to patch it.
Complete your list of all installed software, and you will be closer to 'knowing yourself', and your cyber-jutsu will have improved. If you are responsible for many computers, I suggest you use a database such as MySQL which was recently acquired by Sun Microsystems, who in turn recently merged with Oracle.
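As an added example that is not part of the original post, the following Python builds the kind of tracking database the post suggests, using SQLite in place of a MySQL server (an assumption made so it runs without any server installed). The hosts, programs, versions and dates are constructed sample rows, not a real inventory. The two queries answer the questions the post raises: what has not been patched lately, and what is no longer used and can be cut away.

```python
# Added example (not from the original post): a software inventory for
# "knowing yourself". SQLite stands in for the MySQL server suggested in the
# post; every row below is constructed sample data.
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE IF NOT EXISTS software (
    host         TEXT NOT NULL,
    name         TEXT NOT NULL,
    version      TEXT NOT NULL,
    vendor       TEXT,
    last_patched TEXT NOT NULL,   -- ISO date of the last update applied
    last_used    TEXT,            -- ISO date the program was last run, if known
    PRIMARY KEY (host, name)
);
"""

# Constructed sample inventory for two hosts (hostnames, versions and dates
# are illustrative placeholders).
SAMPLE_ROWS = [
    ("desk-01", "Windows 7",      "6.1",  "Microsoft",  "2009-10-13", "2009-10-29"),
    ("desk-01", "Adobe Reader",   "9.1",  "Adobe",      "2009-06-01", "2009-10-20"),
    ("desk-01", "Flash Player",   "10.0", "Adobe",      "2009-10-13", "2009-10-29"),
    ("desk-01", "Old Photo Tool", "2.0",  "Example Co", "2007-01-15", "2008-02-01"),
    ("desk-02", "Ubuntu",         "9.10", "Canonical",  "2009-10-29", "2009-10-29"),
]


def build_inventory(rows=SAMPLE_ROWS):
    """Create an in-memory inventory database and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT OR REPLACE INTO software VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def record_patch(conn, host, name, version, patched_on):
    """Update a row after a patch is applied; True if the program was on record."""
    cur = conn.execute(
        "UPDATE software SET version = ?, last_patched = ? WHERE host = ? AND name = ?",
        (version, patched_on, host, name))
    conn.commit()
    return cur.rowcount == 1


def _cutoff(today, days):
    # ISO dates compare correctly as strings, so the query can use '<' directly.
    return (date.fromisoformat(today) - timedelta(days=days)).isoformat()


def stale_software(conn, today, max_age_days=90):
    """Programs not patched within max_age_days of `today` (an ISO date string)."""
    cur = conn.execute(
        "SELECT host, name, version, last_patched FROM software "
        "WHERE last_patched < ? ORDER BY last_patched",
        (_cutoff(today, max_age_days),))
    return cur.fetchall()


def unused_software(conn, today, max_idle_days=180):
    """Programs not run within max_idle_days: candidates to uninstall."""
    cur = conn.execute(
        "SELECT host, name FROM software WHERE last_used IS NULL OR last_used < ?",
        (_cutoff(today, max_idle_days),))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_inventory()
    for host, name, version, patched in stale_software(db, "2009-10-29"):
        print(f"PATCH NEEDED: {host} {name} {version} (last patched {patched})")
    for host, name in unused_software(db, "2009-10-29"):
        print(f"CUT AWAY: {host} {name}")
```

The 90 and 180 day windows are arbitrary defaults; the useful habit is that every patch you apply becomes a `record_patch` call, so the "last patched" column is never a guess.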
All Green and Black Belt students should have already found White Belt students to patch their systems for them, or already have done it themselves. To leave a system unpatched is irresponsible - to not know that your system is unpatched is ignorance.
Daily activities are very important to all systems.
Your body is a system, and it requires things every day in order to stay healthy. Daily physical activities such as stretching, and walking can prolong a healthy life. Proper stretching increases blood flow to parts of the body which may not otherwise receive enough nutrients. Joints are better lubricated, the subtle parts of the anatomy are encouraged to transmit energy, and stress can be melted away through the activity of stretching your entire body. Likewise, a mild activity such as walking will burn "extra" calories away. All things which are "extra" must be cut away. In this case, we burn them away, naturally, within the system that is our body.
Not unlike the human body, computers are systems which need daily activities performed for a healthy long life. Some might argue that some systems are more important than others, but this is not so. Just as every human life is important, so too, the well-being of every computer system is important when considering information security and cyber-jutsu. The unhealthy human body may contract and mutate a strong virus that will then infect many people. So too, an unprotected or unpatched computer system may be attacked, exploited, and infected, ultimately becoming the downfall of neighboring computer systems.
On the subject of patches, it is very important to understand what I mean. All software programs have flaws, because that is the nature of computer programs. The creators of computer programs, humans, are not perfect; so, why would their programs be without flaws?
Even when a programmer creates a program that is perfect by today's standards, tomorrow may yield a new standard or change to a standard. Therefore, sometimes, the programmer must "fix" his code today, which was perceived flawless yesterday. However, most programmers work in teams, which are led by managers, who are hired by directors, who report to small groups of people expecting a profit from their investment. This is neither good, nor bad. It just is. The reality is that there is more money in releasing the next new software program than there is in fixing an already released, but flawed software program. Seek not to place blame, but to understand. When software companies do fix flaws, those fixes are, generally speaking, released to the public as patches.
Understanding all of this is important for you to perfect your cyber-jutsu. You must understand that the flaws we are talking about do not prevent the computer program from performing the function it was designed to perform. If that were the case, all the customers would scream, and the board would be unhappy if many people were screaming. So too, the directors would shift priorities from the new program being developed back to fixing the previous, flawed program. The managers would manage. The programmers would switch their focus and try to fix the issue. However, breaking one's concentration while programming can lead to more mistakes. Also, the user of the program would implement the patch as soon as it was released. I have seen all of this. This is very clear. But these flaws that we speak of for the sake of our cyber-jutsu, these 'bugs', are not of a type that cause a program to clearly malfunction.
You may ask, "If the program performs the function it was designed to do, then how can we call it flawed?" Herein is the heart of the matter. The "flaw" that we refer to regarding security issues with computer programs is often called a "vulnerability". This type of programming flaw does not stop the program from performing as expected; but it does create an opportunity for an attacker to force the program to perform in a way that was not anticipated or desired. An attacker who knows of a vulnerability can provide the program with input designed to exploit this vulnerability. If an attacker succeeds in exploiting a vulnerability, that attacker has forced the computer program to do something it was not designed to do. In the worst cases, the attacker can take complete control of the exploited computer system without the knowledge of its legitimate user. The best way to defeat such an attacker is to remove the vulnerability by applying the patch provided by the software vendor, when one is available.
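To make the distinction concrete, here is an added illustration in Python (not code from the original post): a tiny document viewer in its flawed form and in its patched form. Both return the documents they were designed to return, so a user would never notice the flaw; the flawed one also returns a file outside its folder when handed a crafted name, and the patched one refuses that same input while still serving normal requests. The directory layout is constructed with tempfile so the script runs anywhere.

```python
# Added example (not from the original post): the same function before and
# after a patch. The patch changes nothing about the designed behaviour; it
# only removes the unanticipated behaviour.
import os
import tempfile


def read_document_flawed(doc_root, name):
    """Works as designed for ordinary names, but never checks where the path leads."""
    with open(os.path.join(doc_root, name), "r") as fh:
        return fh.read()


def read_document_patched(doc_root, name):
    """Same function with the vulnerability removed: resolve the path, then confine it."""
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to read outside the document root: {name!r}")
    with open(target, "r") as fh:
        return fh.read()


def build_fixture():
    """Constructed layout: a 'docs' folder, plus one file directly above it."""
    base = tempfile.mkdtemp()
    docs = os.path.join(base, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "welcome.txt"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("not for the viewer")
    return docs


def demo():
    """Run both versions on an ordinary name and on a crafted one; return what happened."""
    docs = build_fixture()
    results = {}
    # Designed use: both versions behave identically.
    results["flawed_normal"] = read_document_flawed(docs, "welcome.txt")
    results["patched_normal"] = read_document_patched(docs, "welcome.txt")
    # Unanticipated input: the flawed version reads the file above its root.
    results["flawed_crafted"] = read_document_flawed(docs, "../outside.txt")
    try:
        read_document_patched(docs, "../outside.txt")
        results["patched_crafted"] = "read"
    except PermissionError:
        results["patched_crafted"] = "refused"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

Notice that a test of the designed behaviour ("does welcome.txt open?") passes for both versions, which is exactly why such flaws ship: the program does what it was asked to do. Only the patched version is safe against the input it was never meant to receive, and only applying the patch gets you that version.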
You may ask, "Why is this important to my cyber-jutsu?" I would answer, "All of your systems must be healthy, if you are to master cyber-jutsu".
If I told you to patch your systems, and you did not understand the systems as I understand the systems, what would you patch? What systems are we talking about? Are not all of the systems working together? Are not the human systems working within the systems that create programs? If your mind is not sharp and focused, will you not err? For all of us, our cyber-jutsu must start with the maintenance of the human system, for it is our foundation.
If you are a programmer, and work within the system that creates programs (i.e. a software company), you can effectuate cyber-jutsu in that system to help reduce vulnerabilities. But, if you are like most cyber-jutsu practitioners, you are a user of the output of such a software vendor. In such a case you cannot always easily impact the way they do business. Therefore, you must understand, and not have false expectations of vulnerability-free software. You must be aware of what you have installed within your computer system. You must be aware of the boundaries of the cyberspace that you control.
Each of us can only impact the systems we are responsible for. Each of us is responsible for the system which is the human body we exist within. So too, each of us is responsible, to varying degrees based upon ownership, for the computer system(s) we interface with. No company intranet can be secure without someone taking responsibility for each and every computer system connected to it. In your home, you own and are responsible for your computer. At work, the IT department may own the responsibility of maintaining your system(s). But, you still own your actions when you interface with that computer.
When I tell you that you must look for patches to your system every day, does it sound extreme? When I say "patch your system", what do you perceive as your "system"? If I told you that your computer system was every single program running on it, and every single computer that you are connected to, and all of the programs those systems are running, would it sound extreme? It might sound extreme to one who owns yet denies their responsibility; but, it would be no less true.
If perpetual maintenance of the systems you are responsible for sounds extreme or unrealistic, you must examine your desire for healthy systems. What is the goal of your cyber-jutsu? Do you want to 'seem' secure, or do you want to be secure? Do you want to say that you are 'managing risk', while you are really staying ignorant to the threats within your cyberspace? If so, you are not alone. I have met many CIOs and IT Directors who play this game within their minds, and spread lies in board rooms about the impossibility of really being secure as a means to shirk their responsibilities. Am I promising a perfect and impenetrable system? Of course I am not. But to avoid doing what is known to be effective for the gain of the money not spent doing it, is irresponsible at best - and in the worst cases, it is criminal. To continue to deploy more and more systems in an effort to make things easier and save money, without also engaging someone who can be responsible for each new system leads to an unbalanced state. When we defend, we must maintain our center, we must maintain balance. When we attack, we seek first to unbalance our opponent. Truly starting in an unbalanced state is poor cyber-jutsu.
All are welcome here in this cyber-jutsu dojo, if they have a desire to learn and apply the art. I have much to teach you. I hope you find here what you seek.
Monday, October 12, 2009
Welcome to the cyber-dojo. I cannot stress enough, the importance of breathing properly.
While I prepare information to help you in cyberspace, please practice this simple form of meditation.
Sit comfortably with your spine straight. Proper posture is important, for it leads to proper balance. Inhale as deeply as you can, allowing your belly to expand. Pause for a moment when you are filled with life-granting air. Then, exhale as deeply as you inhaled, emptying your lungs as far as you comfortably can. Repeat.
Allow your thoughts to come and go, as if they were clouds passing by quickly, high overhead. Focus only on your breath. Everything else is "extra". All things which are "extra" must be cut away. Breathe deeply. Count your breaths from one to ten. When you reach your tenth breath, start counting again at one.
Do this every day, for one minute per each year of your life (e.g. if you are 20 years old, spend 20 minutes per day on this meditation). In this way your cyber-jutsu training will begin. You will develop focus. You will need focus in order to master the art of cyber-jutsu.
Topics will include, but not be limited to:
- Information Security
- Bot Nets
- Strategies for victory in cyberspace
- Tactics for victory in cyberspace
- Offensive and Defensive Techniques for use in cyberspace
- Compliance with regulations such as HIPAA, HITECH, GLBA, and SOX
- Balance, Awareness, Reaction
- Intrusion Detection Systems
- Network Security Monitoring
- The way of the warrior
I hope all of my cyber-students and readers find what they seek here at the Cyber-Jutsu Dojo.