innismir.net

Over the past few months, work generously paid for me to take a SANS course online. I opted to take "SEC503: Intrusion Detection In-Depth." This was my first "certification" type course, and overall I was pleased. The course was on-target and wasted no time getting dirty into the nuts and bolts of the topic. It was very well done and despite me knowing a bunch of the basics, more often then not it was new territory for me and I had a ball learning it. There were areas which I wondered how useful they were going to be (Attacks against rsh? Really?) but I'd say 95% of the material was relevant to me in dealing with my day-to-day tasks. On the exam, I kicked ass and took names. So now, I am a GIAC Certified Intrusion Analyst. Bow before me.

I've always wondered about certifications. While there are people who have them that are very clueful, there is a sizable group who are certified who I often wonder if they really know how to use it. Now that I've gone through the process, I still wonder. I now have a sheet of paper that says I can be given a packet dump and tell you if you are doomed or not. While I feel that I am reasonably adept in studying IDS alerts and getting a reasonably good idea as to what is going on, I don't think I should be put in charge of a large IDS system any time soon.

I'm not knocking ceritifcations. They are a good thing and I believe it does show that I do (partially) know what I am talking about when it comes to these things. More then anything, it shows that I know the basics, I can sit down and field questions tossed at me, and I can answer a 150 question exam. Nothing more, nothing less. What worries me that people take these certifications as gospel and are ready to proclaim people experts by the amount of letters after their name rather then they experience on the ground.

There has been a lot of hub-bub regarding Debian's SSL PRNG issues. I've also heard some people saying how this is mostly a non issue or that just upgrading your OpenSSL package will fix it. Let me state, for the record that this issue is bad. Bad Bad. Bad Bad BAD. Just upgrading your packages won't solve it. You need to regenerate any kind of certificates on your machine after upgrading. The big thing is SSH: If you use SSH on your Debian boxes your need to regenerate your encryption keys immediately. Not doing so put you, and any of your users at risk. You're just as safe using telnet.

After googling for a bit there was no clear tutorial on exactly HOW to upgrade your keys in Debian, so I copied and pasted what I did on my Debian box to give a quick tutorial. User input in Bold:

telstar:/home/bbj# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
c7:87:51:db:65:7b:d1:58:65:23:85:e0:a2:70:52:68 root@telstar
telstar:/home/bbj# ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9d:91:02:33:cc:13:8a:7a:67:81:29:e5:50:6d:12:51 root@telstar
telstar:/home/bbj# ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
76:1e:ac:8c:49:dd:33:d5:d5:d5:bf:87:60:6f:c0:76 root@telstar
telstar:/home/bbj#

Voila! If you open up a new SSH session you should get the "ZOMG THE HOST SSH KEY HAS CHANGED!" Warning. If you get it, your keys have changed, and you are all set. Enjoy once again being secure.

EDIT: Of course, not even 20 minutes after I posted this, milw0rm tweeted a new exploit for weak Debian keys. So, fix it. Now.

I first stumbled across this report while I was at SecureWorld in Boston this spring. One of the Keynote speakers, Bret Arsenault, General Manager of Microsoft's National Security Team, went over the 1H07 report and provided some spiffy bound hard copies for the attendees. It is really well done and a nice view of the current threats against the Windows Environment.

Now, Microsoft has released 2H07 for download. Sadly, no hard copies for me, but it's still a very good read. Available are the complete report and a "Key Findings" section suitable for 50000ft views.

• Microsoft Security Intelligence Report (July - December 2007)