General: March 2006 Archives
Yesterday, I looked into why some patches hadn't been installed on a system. Using SMS web reports, I could see that the system had an inventory that day. This indicated that the client was reporting in correctly and that my report that it was missing patches was correct. Next, web reports indicated to me that each advertisement to that system was waiting except one that was running. I checked with the head SMS guy here, and found that if that one advertisement is running it will prevent the other items from running.
What I found was the Cisco VMO Client package was set with a command line [..]\viewmail.msi /quiet /norestart. The client in question was running Windows Installer 2.0, which I believe doesn't know about those switches. I asked the guy responsible for that package to change it to /qn REBOOT=ReallySuppress, which should work on both Windows Installer 2 and 3.
You'd expect bad switches to cause the advertisement to exit rather than to continue to run. Hopefully this will cause it to run to completion.
Since I work at a company that provides consulting services to companies that are considered covered entities under HIPAA, I have to take some HIPAA training. I thought it was kind of funny that when I registered for the web course they emailed me my username and password in plaintext.
A user picks an email distribution list at random (of course it's not the correct group of people) and sends the following:
I just came across the letter dated 8/4/1999 sending out AT&T calling cards. That reminded me that mine has been lost for a long time (over two or three years) and I have done without it. Is it possible to get a replacement phone credit card?
Yeah, you're just the kind of responsible person we want to issue a corporate calling card to. Apparently you really really need it since you "got by" without it for several years.
Well, it could have been a lot worse. I had a bad feeling about an e-commerce site and made a purchase anyway. Today, I checked the order confirmation and found that the URL for the order was in the format www.example.com/blahblahblah.asp?OrderId=12345
You guessed it. By changing the order ID number I was able to see pretty much every order they've ever taken. While it didn't have any credit card information, it did have the Name, Home address and mailing address for all the orders.
While you do have to have an account to access this information, you can sign up for an account without buying anything. Somehow I think the home addresses of people who like to buy electronics could be valuable information. Hey, at least they didn't give out my credit card number and email address.
I'm going to hold off on naming names until they've had a chance to respond to my email of complaint.
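The flaw in that order page is an authorization check that is missing rather than broken: the site verifies that you are logged in, but never verifies that the order you asked for is yours. The following is an added example, not code from the post or from the site in question; it models that lookup in plain Python (no web framework, a hypothetical in-memory order table and account names) and shows the vulnerable handler next to the hardened one. The `enumerate_orders` helper walks a range of IDs exactly as the post describes, which is the regression check you would run after the fix to confirm that a logged-in account can no longer see anyone else's orders.

```python
# Added example (not from the original post): a minimal model of the
# OrderId=12345 lookup described above, in its vulnerable and hardened forms.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Order:
    order_id: int
    owner: str      # account that placed the order
    name: str
    address: str


# Constructed sample data standing in for the site's order table.
ORDERS = {
    12345: Order(12345, "alice", "Alice Example", "1 Main St"),
    12346: Order(12346, "bob", "Bob Example", "2 Elm St"),
}


class Forbidden(Exception):
    """Request made without a logged-in account."""


class NotFound(Exception):
    """No order the caller is allowed to see has this ID."""


def order_id_from_url(url):
    """Pull OrderId out of a confirmation URL; reject anything that is not an integer."""
    values = parse_qs(urlsplit(url).query).get("OrderId")
    if not values or not values[0].isdigit():
        raise NotFound(url)
    return int(values[0])


def vulnerable_lookup(session_user, order_id):
    """The behaviour the post describes: any logged-in account can read any order."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def safe_lookup(session_user, order_id):
    """Hardened form: the order must belong to the account making the request."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Treat "exists but is not yours" exactly like "does not exist", so the
    # response does not even confirm which order numbers are valid.
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def enumerate_orders(lookup, session_user, start, stop):
    """Regression check: walk a range of IDs as one account and return the owners
    of every order the lookup hands back. After the fix this should only ever
    contain the calling account."""
    seen = []
    for oid in range(start, stop):
        try:
            seen.append(lookup(session_user, oid).owner)
        except (Forbidden, NotFound):
            pass
    return seen


if __name__ == "__main__":
    oid = order_id_from_url("http://www.example.com/blahblahblah.asp?OrderId=12345")
    print("vulnerable, as bob:", enumerate_orders(vulnerable_lookup, "bob", oid - 5, oid + 5))
    print("hardened, as bob:  ", enumerate_orders(safe_lookup, "bob", oid - 5, oid + 5))
```

Sequential order numbers are not the bug by themselves; a random token would only hide the problem. The real fix is the ownership check in `safe_lookup`, and returning the same "not found" response for other people's orders keeps the page from confirming which IDs exist.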
I got my 2nd forensics assignment turned in this weekend. And I've received the new assignment. We've got two unknown binaries that we need to analyze. Sounds like fun.
The SANS @Risk Consensus Security Vulnerability Alert report for this week begins "Microsoft Office documents suddenly stopped being "safe to open" last week." This is in regards to Microsoft's patch for Excel.
The question I would ask is, don't you have to first be considered "safe to open" before you can stop being safe to open? I haven't considered Office documents safe since macro viruses became prevalent.
I guess companies that rely on blocking "dangerous" file types instead of having a good antivirus service like MessageLabs are going to have to start blocking all Excel documents the way they block Access documents.
I've had several entries in the past where I've commented about the University of Fairfax.
Their website says they are certified by the State Council of Higher Education for Virginia to operate in the Commonwealth of Virginia. I've stated that the problem with that statement is that accreditation is what separates diploma mills from universities. It's the only way an employer really knows if the degree is legitimate. I found that the State Council of Higher Education site is updated and it still lists no accreditation for the University of Fairfax.
How long does it take a new institution to get accredited?
I've sent Eric Cole who is on their faculty list an email to see if he really teaches there. He hasn't yet responded.
I'm thinking of sending the school an email and asking about this.
SANS.edu is much more upfront. I've blogged about their Masters degree program as well. They report that it is not possible to seek accreditation until the first class has graduated.
This weekend I have another project for school due. In it, I must analyze a Linux image created using dd. I'll be looking at the image using Sleuth Kit primarily, as well as mounting the image as a read-only file system. I need to be able to determine what happened and when. From a cursory glance, it looks like I might be having to recover deleted files as well. Oh joy.
Right now I'm having some problems with the mounted image. I'm trying to copy a couple of files off and I'm not able to do it. I need the password and group files to make mactime display the actual user and group names instead of numbers. Hopefully when I do that I can construct some sort of timeline of activity.
The public exploits section at the French Security Incident Response Team website has gone members only.
That website had been a good site for exploit code for the non-grayhat to learn what exploits are easily available. All too often patching can't occur until justified by a credible threat. That site would act as a barometer in a way not matched by even pay services like Symantec DeepSight. I'm going to miss that.
Yet another reason today was a good day. I got my promotion. To be honest, I felt I deserved this a year ago. But hey, it's more money and a better title. When I consider what I started at and what I make now, it's pretty incredible. But sometimes I think about what I'd get if I was willing to risk finding a new job...
My manager came by my office with the Employee Action Notice. She remembered that I have a query in SharePoint that looks for changes to the phone book entries of people in my department with a certain job title. Occasionally I get an alert about a new fax number, but generally any alert is about promotions. Last round of promotions, I was notified before the people receiving the promotion. So she came by before it got in the system.
I got an email from a colleague today asking if I wanted to give a guest lecture over at the place on Route 123 where if I tell you I have to kill you. He teaches a class to JHU Masters students there and he was asking if I'd like to come in and talk about some component of network security.
It sounds pretty dang cool. The idea scares me. I'm not much for public speaking. At least the first time in any new situation will cause me to be a bit nervous. So I think any time I get to practice that is a good thing.
Part 3 of our Secure Operations project started today. And don't tell anyone, but we're hacking. Yes, that's right. The thing that people get all upset about when they hear that universities are teaching. Here's the thing: we're a group of information security professionals working on our Masters. We're doing this all on a private network that we have to VPN into to get to. I don't think we slogged through Z, Formal Methods, C++ and the Foundations of Computer Science just to go wild. This is minor league stuff compared to the hacking skills taught for a lot less money at Black Hat. Having some skills is the difference between being a complete security poser and someone who has their stuff together.
So I've been pretty happy. I don't know how many "kills" other people have. But AFAIK my server hasn't been hit, and I've taken out some people I didn't expect to get.
The ISC reports a vulnerability in Listserv software. NGSSoftware says they will disclose the details of the vulnerability in June. The upgrade is available now.
Here's the problem: are people back on 1.8 affected? What is the vulnerability? If it is in the web site, fine, we don't expose that to the Internet. But if the problem is accessible via SMTP, then there is a problem we need to deal with now.
You see, limited disclosure really doesn't help when a product is as much of a pain to upgrade as LISTSERV.
http://www.grc.com/nat/arp.htm
Several years late. Welcome to the party pal.