Archived Articles

Alphabet Soup: SANS, GIAC, GCIA, and Cluefulness

Over the past few months, work generously paid for me to take a SANS course online. I opted to take "SEC503: Intrusion Detection In-Depth." This was my first "certification" type course, and overall I was pleased. The course was on-target and wasted no time getting dirty into the nuts and bolts of the topic. It was very well done, and despite me knowing a bunch of the basics, more often than not it was new territory for me and I had a ball learning it. There were areas where I wondered how useful they were going to be (Attacks against rsh? Really?), but I'd say 95% of the material was relevant to me in dealing with my day-to-day tasks. On the exam, I kicked ass and took names. So now, I am a GIAC Certified Intrusion Analyst. Bow before me.

I've always wondered about certifications. While there are people who have them that are very clueful, there is a sizable group of certified people who I often wonder really know how to use it. Now that I've gone through the process, I still wonder. I now have a sheet of paper that says I can be given a packet dump and tell you if you are doomed or not. While I feel that I am reasonably adept at studying IDS alerts and getting a reasonably good idea as to what is going on, I don't think I should be put in charge of a large IDS system any time soon.

I'm not knocking certifications. They are a good thing, and I believe it does show that I do (partially) know what I am talking about when it comes to these things. More than anything, it shows that I know the basics, I can sit down and field questions tossed at me, and I can answer a 150-question exam. Nothing more, nothing less. What worries me is that people take these certifications as gospel and are ready to proclaim people experts by the number of letters after their name rather than their experience on the ground.

OK... Meandering Rant off.


Setting Up a Windows XP as a guest OS in VMware ESX server

One of my duties at my job is to maintain the lab environment that we have to do our super 31337 skunk works projects in. As we all are quite lazy and don't have room for gobs of hardware, we make good use of virtualized machines to do our projects. One of the annoying issues that keeps popping its head up every time we need to do a fresh desktop install is that Windows XP does not like to run within VMware ESX server. It's frustrating, and there is no real tutorial online with a definitive set of answers, just a bunch of forum posts with tidbits of info that, if you arrange them correctly, you can piece together into what to do.

So, without further ado, here is how to make Windows XP install onto a VMware stock VM machine:

  1. Download the VMware SCSI Disk image from the VMware Drivers & Tools download page. Save the image somewhere you can locate it easily.
  2. Follow the normal procedure for creating a VMware machine for Windows XP.
  3. Select the machine in the Virtual Infrastructure client and select "Edit Settings".
  4. On the settings screen, select the SCSI controller, then in the upper right click "Change Type..."
  5. On the "Change SCSI Controller Type" screen, "LSI Logic" should be selected. Change that to "BusLogic". Click OK.
  6. Click OK on the settings screen.
  7. Open the console of the Virtual Machine and Power it On.
  8. During the VMware POST, press Escape to access the Boot Menu.
  9. Click the "Virtual Floppy 0" button and select "Connect to Floppy Image..."
  10. Select the floppy image that you downloaded from VMware in step 1.
  11. Click the "Virtual CDROM" button and connect it to your install media.
  12. On the console select "CD-ROM Drive" and press Enter to boot from the CD-ROM.
  13. Immediately when the Windows installer boots, you will see at the bottom of the screen "Press F6 if you need to install a third party SCSI or RAID driver." Press F6. Windows will continue loading the installer.
  14. Windows will eventually prompt you to load additional devices. Press "S".
  15. There will be only one option: "VMware SCSI controller". Press Enter.
  16. That will take you back to the previous screen. You are done. Press Enter.

Windows will continue loading and now pick up the hard drive that you specified during the Virtual Machine creation process. You're all set.


Regenerating your Debian SSH Keys

There has been a lot of hubbub regarding Debian's SSL PRNG issues. I've also heard some people saying how this is mostly a non-issue or that just upgrading your OpenSSL package will fix it. Let me state, for the record, that this issue is bad. Bad Bad. Bad Bad BAD. Just upgrading your packages won't solve it. You need to regenerate any kind of certificates on your machine after upgrading. The big thing is SSH: if you use SSH on your Debian boxes you need to regenerate your encryption keys immediately. Not doing so puts you, and any of your users, at risk. You're just as safe using telnet.

After googling for a bit there was no clear tutorial on exactly HOW to upgrade your keys in Debian, so I copied and pasted what I did on my Debian box to give a quick tutorial. User input is whatever follows the telstar prompt:

telstar:/home/bbj# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
c7:87:51:db:65:7b:d1:58:65:23:85:e0:a2:70:52:68 root@telstar
telstar:/home/bbj# ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9d:91:02:33:cc:13:8a:7a:67:81:29:e5:50:6d:12:51 root@telstar
telstar:/home/bbj# ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
76:1e:ac:8c:49:dd:33:d5:d5:d5:bf:87:60:6f:c0:76 root@telstar
telstar:/home/bbj#

Voila! If you open up a new SSH session you should get the "ZOMG THE HOST SSH KEY HAS CHANGED!" warning. If you get it, your keys have changed, and you are all set. Enjoy once again being secure.

EDIT: Of course, not even 20 minutes after I posted this, milw0rm tweeted a new exploit for weak Debian keys. So, fix it. Now.


Microsoft Security Intelligence Report 2H07 released

I first stumbled across this report while I was at SecureWorld in Boston this spring. One of the keynote speakers, Bret Arsenault, General Manager of Microsoft's National Security Team, went over the 1H07 report and provided some spiffy bound hard copies for the attendees. It is really well done and a nice view of the current threats against the Windows environment.

Now, Microsoft has released 2H07 for download. Sadly, no hard copies for me, but it's still a very good read. Available are the complete report and a "Key Findings" section suitable for 50,000 ft views.


Adding Geolocation Support to Prelude IDS's Prewikka

I am a big fan of Prelude IDS to correlate reports from my honeypot/nepenthes/snort setup at my house. One of the things that was quite repetitive was finding the locations of IPs. So, I sat down and coded up a patch that grafted GeoIP onto Prelude's Prewikka web interface. After a bit of effort figuring out Python and the template engine, I ended up with this:

Of course, my patch doesn't blur out the names like the screenshot, but it does add the spiffy little flags to show you what countries are attacking you.

You will need:

The GeoIP libraries are available from the link above. Installing them is pretty straightforward. Once that is done, untar the Prewikka tarball and apply the patch for Prewikka in the source directory. Then install as normal.

Unzip the flags archive somewhere on your system. Move the contents of the "png" directory to your web root under the folder "/images/flags". You may need to make an adjustment to your Apache installation if Prewikka is running in the root web directory, like I had to. I made an alias in my Apache configuration pointing /images/ back over to /var/www/images:

Alias /images/ /var/www/images/

With any luck, it should work. As always, your mileage may vary.

Share and enjoy!


Women, knowledge, technical fields and the Hacker Ethic

Stacy Thayer, one of the Security Twits that I follow, posted a blog entry regarding an encounter she had with some neanderthal at RSA 2008. Quite frankly, it made me shake my head. The idea of judging someone's knowledge based on their body parts is far too common in some technical circles, and what drives me nuts is that it often happens to people who tout the "hacker ethic".

As a brief aside, the Hacker Ethic was a term coined by Steven Levy in his excellent book Hackers: Heroes of the Computer Revolution (If you haven't read this book and are involved in IT, click the link and order it. Now. Go ahead, we'll wait. Back? Cool.). One of the key points that I always feel is one of the great equalizers in computers is the fact that people are often accepted by their knowledge, rather than their position or the alphabet soup after their name. (However, they are not mutually exclusive.)

HACKERS SHOULD BE JUDGED BY THEIR HACKING, NOT BOGUS CRITERIA SUCH AS DEGREES, AGE, RACE, OR POSITION.

The ready acceptance of twelve-year-old Peter Deutsch in the TX-0 community (though not by non-hacker graduate students) was a good example. Likewise, people who trotted in with seemingly impressive credentials were not taken seriously until they proved themselves at the console of a computer. This meritocratic trait was not necessarily rooted in the inherent goodness of hacker hearts--it was mainly that hackers cared less about someone's superficial characteristics than they did about his potential to advance the general state of hacking, to create new programs to admire, to talk about that new feature in the system.

This is a very common theme in technical circles. Unless, of course, you seem to be of the female persuasion, at which point it seems to be thrown out the window. I really experienced this in college. The handful of women in our classes were leered at, harassed, and generally made uncomfortable by some of our more "vocal" geeks who probably thought that it was some part of the mating ritual. To be 100% honest, I was dismissive of some of them until I came to the conclusion they could hold their own. Since then, I've had the pleasure to meet and work with some talented women, some of whom can kick my ass technically.

The computer industry is very male dominated. Conferences have booth babes and the likes of Vanna Vinyl, which I'm sure doesn't encourage women to get involved in the field. However, shouldn't people who subscribe to the hacker ethic start applying it equally to both sexes?

Also, since we're on the topic:

Talented women in computers whose weblogs I read, and so should you:


N1WBV now QRV on 20 Meters

After upgrading to General in December, I could finally join the so-called "real hams" (whatever) on HF. However, since I live in a condo, the antenna situation somewhat limited me. After thinking most of the winter, and silently sneaking a ground plane outside to see if any of my neighbors would complain (they haven't so far, but we'll see what happens when more people venture outside during the spring), I decided to go all in and find an antenna that I could set up outside my office.

I knew that a permanent setup was out of the question. I also knew that I was rather space limited. I also had a slight issue in that I didn't know anything about antenna design. Thankfully I knew I was more or less out of luck until spring time, as I didn't want to go around stringing up an antenna trudging through a foot of snow. So, I just read up and asked stupid questions in #hamradio and #amsat about what I should be doing. Thankfully, everyone in both channels was extremely helpful.

As April rolled around, I finally decided it was time. I had a few requirements:

  1. It had to be cheap
  2. It had to be easy to set up and break down
  3. It had to be simple
  4. It had to not require a tuner

Number 1 and Number 4 basically limited my options severely. I would have likely gotten hit if I approached my wife to buy another thing for my "static box" that cost more than a few dollars. So, after doing my research, the only option was to build a resonant dipole.

Last Saturday, my way-more-mechanically-inclined friend Steve, KB1MEH, came down and we set out to build an antenna. Steve had some 18AWG wire at his house, so all we needed at Home Depot and Radio Shack was some PVC for the insulator and T connector, along with soldering supplies (Have I mentioned I never soldered before? I haven't.), and some PL-259 connectors. My only other investment was a cheap SWR meter for HF, courtesy of eBay.

The afternoon was spent cutting wire (the 18AWG wire was in a three conductor wire, so it had to be cut open and removed), soldering (Hey! This is easy!), drilling holes, and listening to the Scituate repeater.

Finally, around 4PM, the antenna was finished. We strung it up outside and plugged it into the SWR meter. Flipping on my TS-120S (which hasn't transmitted once since I got the thing back in 1996), I saw an S4 noise floor. I wasn't sure if that was good or bad. Tuning around, I heard two or three signals way down in the noise, but nothing really intelligible. I now braced myself and hoped my radio didn't explode. I IDed myself, calibrated the SWR meter, and checked the SWR. Hmmm... 1:1.4... Not great, but well within tolerance. We'll fix it later. Tuning up and down the band there was nothing really on. I had heard the regulars on Scituate mention that the band was dead, but they were also talking about a Beirut station that they were all trying to work. I nervously tuned to an open frequency and called a few CQs... No response. Uh oh...

A few quick diagnostics yielded no amazing results. Disheartened, Steve and I took the antenna down and he left for the day. I hoped that the band was just bad today and that I had not screwed up the antenna somehow.

The next day I had a free afternoon, so I set up the antenna again. I was pleased to see only an S3 noise floor that day, so there may be a small bit of hope. I nervously tuned up and down the band and stumbled across a Georgia station, K4HYB, coming in S9+. Working some kind of contest, I waited for him to exchange his information and heard him say:

"This is K4HYB, QRZ?"
I nervously keyed the mic... "November One Whiskey Bravo Victor"
"November One Question Mark, K4HYB"
Holy @#$^!!! Me? Did it work? "November One Whiskey Bravo Victor"
"November One... Again?"
"November One Whiskey Bravo Victor... November One Whiskey Bravo Victor"
"November One Whiskey Bravo Victor. You are 5 by 9 in Spartanville Georgia. Your location?"

I gave my location and we parted ways. I was elated that the antenna worked. I quickly tuned around looking for someone, anyone to talk to. After some looking, I was rewarded with EA1JJ calling CQ North America. I worked him on my first try and was rewarded with another 5 by 9. After some waiting and trying, I also worked Ken, G0IBS in England and had a brief QSO. Unfortunately, he faded away into the ether, so I had to break it off.

So, the antenna is a success. I still need to trim it to see if I can get better SWR, but I can fold it up into a 1' round circle for storage, and can have it up and functioning in about 5 minutes of work. It also cost me peanuts. So, if you want to work on 20m some day, drop me an e-mail!


#amsat net on AO-51

With the 2nd repeater on AO-51 active (a repeater that is vastly underutilized, I might add), a bunch of us in #amsat tried to all get on the 2nd repeater during one of the middle US passes.

We had moderate success, with KB2HSH, N3CRT, and KI4BKE getting on. Plus, we had Drew, KO4MA come on. Plus, with us using the 2nd repeater, we could actually talk! Amazing!

  • Mar 24th, 20:15EDT AO-51 pass (MP3, 10:28, 4.2MB)


Courteous AO-51 Operation

I've typed up a fairly simple "do's and don'ts" guide to working AO-51. The guide focuses more on etiquette and operational guidelines rather than technical ideas, because there are already some excellent guides out there for the new user to read up on. That, and my technical setup leaves much to be desired.

This was more or less conceived one night in #amsat while discussing the operational issues on AO-51. The satellite is a very good, very easy satellite to get into; however, the more people jam on, the harder it is for people to use it. So, myself, John (KB2HSH), Charles (N3CRT), and Mark (KF6KYI) all tossed around ideas on what is more or less a good "code of conduct" for AO-51 operation.

  • The Courteous Ham's Guide to AO-51 PDF (35K)
  • The Courteous Ham's Guide to AO-51 DOC (38K)

Share and Enjoy!


SOURCE Boston here I come

As previously mentioned, I'll be going to SOURCE Boston tomorrow. I'll be attempting to cover the conference on my somewhat shiny and new Twitter feed. Perhaps I may even, *gulp*, "live blog" (Ugh. I feel dirty for saying that).

Truth be told, I'm not 100% sure what to expect. Most of my previous "security" conferences have been either DEFCON or HOPE, which I assume will be slightly more "low brow" than SOURCE. For example, I'm not expecting SOURCE to have a room full of hammocks you can crash on. But, from what I can gather, and from what the schedule says, it will be a pretty good time. It looks like it's going to be a good mix of business types and security geeks, and it's approaching the idea with the right attitude (Pub crawl anyone?). Another plus: any conference where I don't expect the conference attendees to smell like week-old BO == Win. (Hooray!)

I'll be staying mostly on the Security Technology track, possibly heading over to the Application Security track if something over there catches my interest. I'll be attending the pre-conference gathering tonight, along with the reception tomorrow night and the pub crawl on Thursday. If any of the four of you who read this want to meet up, IM, text, tweet, comment, or poke me at the conference.
