Archive for May, 2005

May 31 2005

Well, Duh!

Published by under Hacking

SC Magazine: Don’t hire hackers, warns professor

Being a CISSP, I place a certain amount of value in the ethics of security practitioners and have agreed to follow a well defined Code of Ethics. In the same manner, someone who is portraying themselves as a hacker is also saying they subscribe to a certain ethical framework. Do you really want to hire someone who consciously identifies themselves with that morality?

That being said, under the right circumstances, I might give a ‘reformed hacker’ a chance at a job in security. Everyone has made mistakes in their past (yes, even me :-)), and someone who is making a real effort at bettering themselves deserves a second chance. I’d be much more careful about giving that person much system control, but I’d be willing to give them a second chance, under the right circumstances.

I realize that the word ‘hacker’ has a tremendous amount of connotations in popular culture today, many of which are counter to the original meaning. But the meanings currently in use by the general populace probably have more bearing than the original meaning. And that meaning includes the will to perform malicious acts on computers.


5 responses so far

May 26 2005

Bejtlich on Net Optics Think Tank

Published by under General

TaoSecurity

Richard Bejtlich writes up last week’s Think Tank put on by Net Optics. He does a much better job writing this up than I did. He also goes into more detail than I felt appropriate, but given that he has a pretty close relationship with Net Optics, he probably knows what they’re okay with.

I talked with Richard some at the Think Tank, and we both agree that having SNMP control over your taps is a dubious idea at best. I hope they take his idea to heart and give us some way to manually disable SNMP. I don’t want this to be part of the software configuration. I want a DIP switch that you have to have physical access to enable. I like the idea of SNMP traps from the switch, but write access is a no-go for me.


Comments Off

May 24 2005

And I thought I was paranoid

Published by under Firewall

TheKCRAChannel.com – News – South Natomas Home Covered With Sheet Metal

Wow, just wow. Someone needs to take their happy pills.


Comments Off

May 20 2005

Default Passwords

Published by under Simple Security

CHANGE YOUR DEFAULT PASSWORDS!

I can’t say it enough. You should never leave a default password on any device attached to your network. Changing the default password should be part of the setup of any network device. If the vendors were at all security conscious, this would be a part of the configuration wizards they are so thoughtfully including with their network devices.

Several years ago I detected an attack against my network, and tracking it back, I saw it was originating from a server in Taiwan. A quick scan of the server revealed that it was an HP box running their remote server configuration software. A 3 second Google search found the default password, which was still in use. I did something I wouldn’t do today, which was to change the password and shut down the machine, after sending the new password to the web site administrator. Given that the site only had about 5 words in English on it, I’m not sure he was going to be able to read my email, but it did stop the attacks from the compromised machine. That being said, here are a few links to lists of default passwords. You can find these links and many more by searching for ‘default password’ into Google.
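As an added example (not from the post, and not any vendor's own tool), here is a small Python audit that checks a constructed device inventory against a constructed table of vendor default credentials, so that a default credential, an empty password, a default SNMP community string, or SNMP write access is caught before the device goes on the network. The SNMP checks go a little beyond this post and cover the write-access concern raised in the Net Optics tap post above; the vendor table, device names and credentials are all made-up sample data.

```python
from collections import namedtuple

# Constructed sample table: vendor -> list of (default username, default password).
# In practice this would be filled from the public default-password lists.
DEFAULT_CREDENTIALS = {
    "hp": [("admin", "admin"), ("Administrator", "")],
    "cisco": [("cisco", "cisco"), ("admin", "password")],
    "netgear": [("admin", "password")],
}

# Community strings that ship on most SNMP-capable gear; write access is the real risk.
DEFAULT_COMMUNITIES = {"public", "private"}

# One row of the inventory: what is configured on the device right now.
Device = namedtuple("Device", "name vendor username password snmp_community snmp_write")

# Constructed sample inventory (hypothetical devices, not real hosts).
INVENTORY = [
    Device("core-tap", "unknown", "admin", "s3cret-long-pass", "public", True),
    Device("hp-mgmt", "hp", "admin", "admin", None, False),
    Device("edge-rtr", "cisco", "netops", "Gh7!kq2p", "monitoring-ro", False),
]


def audit_device(dev):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    vendor_defaults = DEFAULT_CREDENTIALS.get(dev.vendor.lower(), [])
    if (dev.username, dev.password) in vendor_defaults:
        findings.append("vendor default credential still in use")
    if not dev.password:
        findings.append("empty password")
    if dev.snmp_community in DEFAULT_COMMUNITIES:
        findings.append("default SNMP community '%s'" % dev.snmp_community)
    if dev.snmp_write:
        findings.append("SNMP write access enabled")
    return findings


def audit_inventory(devices):
    """Map device name -> findings, listing only devices that fail at least one check."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name + ": " + "; ".join(findings))
```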


One response so far

May 20 2005

I always suspected Microsoft used Monkeys to write their code

Published by under Microsoft

SecurityFocus HOME News: Microsoft looks to “monkeys” to find Web

All joking aside, this is a great idea. Create a large number of virtual machines with default XP installations and then set them to browsing the web and see what pops up. I’m a little curious if the virtual machines might not have slightly different memory handling, which might invalidate some of their findings. I also wonder how many ‘Oh sh!t’ moments they’ve had when they find an exploit for vulnerabilities Microsoft didn’t even know about yet.


Comments Off

May 18 2005

Netoptics Think Tank

Published by under IDS

I just got back from the Net Optics Think Tank, and it was well worth the 200 mile (round trip) drive. The folks from Net Optics spent most of the morning telling us about some things they are going to potentially be adding to their product line, and asking for input and feedback on their ideas. The afternoon session was given by Richard Bejtlich, author of ‘The Tao of Network Security Monitoring’. Mr. Bejtlich was the main reason I went in the first place, but all things considered, I think the morning session was more productive.

The Net Optics folks are serious about getting feedback from their customers. They took notes, took videos, and pictures, and then made sure to sit with us during the lunch break to get even more feedback. I sat with their Chairman of the Board, Eldad Matityahu, during lunch, and he was intent on listening to what everyone at the table had to say. And we had a lot to say. Net Optics has several interesting ideas coming down the pipeline. I figure it’s up to them to disclose the new products, but one idea I liked was adding a second tap port to several of their existing products. This would allow you to have your IDS solution permanently wired into the tap, and then attach a protocol analyzer or sniffer when the need arises, without removing the IDS.

Richard Bejtlich is a good speaker and a pretty nice guy to boot. He’s got a few new books in the pipeline, one on forensics with several other authors, and another book on ‘Extrusion Detection’ or monitoring traffic as it leaves the network in order to find compromised boxes. I have no idea when either one will be coming out, but hopefully before the end of the year. He is also starting to offer week long classes on network security monitoring, which I’d love to attend, but between airfare and the class price, it’s just a little out of my price range. If you don’t already have ‘The Tao of Network Security Monitoring’, pick it up. It’s well worth the price.

By the way, they were filming most of the presentation, and asked some of us to answer some questions while on film. I hope for your sake and mine that the pictures of me never see the light of day!


Comments Off

May 17 2005

Googling ACID

Published by under IDS

Have you ever done a Google search on ‘Analysis Console for Intrusion Databases’? I did and was surprised at the results. There are more than a few people out there who have their ACID servers open to the Internet. I can’t help but wonder what portion of these people knew exactly what they were doing and how many had no idea that they were opening themselves up to the entire Internet.


Comments Off

May 17 2005

The Insider Threat

Published by under Phishing, scams, etc.

insidercross051105.pdf (application/pdf Object)

As an Intrusion Detection System administrator, I’ve long thought that the threat offered by a trusted insider is much greater than any threat from a hacker. After all, it’s easy to write a signature to catch malicious traffic as it crosses the network. On the other hand, it’s impossible to write a program that identifies the difference between valid usage of system privileges and the abuse of the same privileges. How is the computer going to know the difference between Johny Clerk printing out a copy of someone’s file for official business and printing the same information to take home with him?

The good news is that insider threats seem to be a lot less prevalent than those from outsiders. A hacker scanning for vulnerable systems has nothing to lose if his target picks up on his attacks. On the other hand, the insider has limited targets to choose from and is directly linked to the target. The insider also has more to lose if caught.


Comments Off

May 16 2005

Job Hunters Beware

Published by under Phishing, scams, etc.

APP.COM – Web Extra: Online job hunters snared by fraud

I’ve never used CareerBuilder.com, but this article makes me wonder which of the job sites will be next to fall victim to this sort of scam. I receive job postings from nearly half-a-dozen different sites on a daily basis, and while I respond to very few of them, it still makes me wonder what might have already happened to the information I’ve sent out. I’d heard of identity theft from job postings, but this is the first time I’ve ever heard of the scammers actually paying off someone to reship merchandise purchased with a stolen credit card.


Comments Off

May 16 2005

CISA Practice Quiz

Published by under General

The CISSP and SSCP Open Study Guides Web site – Downloads

Several of my coworkers have been discussing getting the Certified Information Systems Auditor certification this year. While I see the value of the certificate, I just don’t have the time and energy required to study for another cert, especially one that doesn’t relate directly to the work I do on a daily basis. In any case, if you’re interested in taking the exam on June 11th, here’s a link to a battery of sample questions.


2 responses so far
