
Aug 31, 2005

Brief Rant

<rant>
Every blog should have a good rant, so I figured it was time for me. In my day job, we've got several application vendors who have these GIANT applications that require telnet and don't support SSH. Personally, I think these people should be ashamed of themselves. One of the applications is a big financial system used by our HR department. The vendor flat-out won't support SSH. Let me repeat that: financial system, supports only telnet, won't support SSH. Am I the only one who has run into this? Not only do they not support SSH, they have no plans to support SSH. How a major vendor can have an application like this that doesn't support SSH is beyond me. Once again, we have a case of people who clearly don't understand the ramifications of their security-related decisions. I mean, their software ain't exactly cheap and they have very specific requirements in terms of the hardware and OS and whatnot. Ok, fine...up to this point, their requirements, though not the requirements that I would use for an application, are not without merit. But they think that it is just fine that the financial information from their system is floating around the local network in clear text. Now our network is switched, so that makes it a little better. But still, it only took about 10 seconds using Ettercap to demonstrate to the folks here how terrifying this fundamental lack of security really is. Everyone was suitably shocked, yet nothing changes.
</rant>

There. I feel much better now. Thank you for allowing me to vent. I'd love to hear if anyone else has run into this sort of problem or something similar.

TrueCrypt

I recently discovered a particularly cool crypto tool, TrueCrypt. It creates virtual encrypted volumes for Windows. Years ago, back in the Win98 days, I used to use a tool called ScramDisk. As with things of this nature, though, it became unsupported and didn't work on Win2K or newer. A year or so ago, I found CrossCrypt. Good program, I liked it. But when I found TrueCrypt, I dropped CrossCrypt like a hot rock. With TrueCrypt, you create a container file that can be encrypted in a number of ways (AES, Serpent, Blowfish, Twofish, etc.). Plus, it has the extra cool feature of being able to create encrypted volumes inside encrypted volumes. So once created, the volume is mounted to the drive of your choice and you use it just like any other local drive. When you're done, you unmount it, and it is an encrypted file with your files contained safely therein. At this point, people usually ask me, "So you do stuff so important that you need to keep it encrypted?" or sometimes "Why? Do you have stuff that you don't want other people to see?" In both cases, my answer is the same: that ain't the point. The simple fact is that what I do, the files that I make (usually very uninteresting Perl files or sometimes a config file or two) aren't anyone's business other than my own, so I keep them locked up. When I leave my house, I lock my door. When I leave my car, I lock that door, too. As I see it, storing files (usually work-in-progress stuff) in an encrypted format is just a logical extension of that. Take a look at TrueCrypt. For my encryption needs, it works very well.

Aug 30, 2005

wipfw

Over the last few months, I've been using wipfw as my sole firewall in Windows. It originally started as a test. I was expecting to use wipfw as the only firewall for a week or so, and then go back to using ZoneAlarm Pro. Much to my surprise, I have found no need to go back to ZoneAlarm Pro and have instead found many reasons to stick with wipfw. It is a Windows port of the ipfw firewall. It doesn't have all of the ipfw features yet. For example, you can't do traffic shaping and things along those lines. You can, however, take very tight control of your inbound and outbound network traffic. For example, we all read about the LAND attack back in March. At the time, this was a concern. (I guess Microsoft has patched this? I can't seem to exploit it any longer with hping.) However, with wipfw, I just put in a couple quick firewall rules, and I was well protected. Here was the rule I used:

"$IPFW" add deny log ip from me to me in recv eth0

It worked like a charm. I would take the rule out and would instantly be vulnerable again. Put it back in, and I could go on my merry way. I've also put in rules to have wipfw drop the sorts of traffic that will never normally occur: TCP packets with the FIN and SYN flags set, TCP packets with no flags set, TCP packets with all flags set, etc. Once the developers behind wipfw get the traffic shaping stuff in place (as well as the various other ipfw features not yet ported to wipfw), I see it as being a Windows firewall tool for those of us who like to get our hands dirty. Even in its beta stage, wipfw is a great tool and highly effective at what it does. Check it out.
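As an added illustration (not code from the original post or from the wipfw project), here are the same checks the rules above perform, written as a small Python classifier over constructed IPv4/TCP headers: it flags LAND packets (source address equals destination address) and the impossible TCP flag combinations listed. Header layouts follow RFC 791/793; checksums are left at zero because only header fields are inspected.

```python
import socket
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
IP_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header
TCP_HDR = "!HHIIBBHHH"     # minimal 20-byte TCP header


def classify(packet: bytes) -> list:
    """Return the reasons a packet would be dropped by rules like the post's:
    LAND (src == dst) and TCP flag combinations that never occur in
    legitimate traffic. An empty list means the packet passes."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4        # header length in bytes (options included)
    reasons = []
    if src == dst:
        reasons.append("LAND: source address equals destination address")
    if proto != 6:                    # not TCP, so the flag checks do not apply
        return reasons
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        return reasons + ["truncated TCP header"]
    flags = tcp[13] & ALL_FLAGS
    if flags == 0:
        reasons.append("no TCP flags set")
    elif flags == ALL_FLAGS:
        reasons.append("all TCP flags set")
    elif flags & SYN and flags & FIN:
        reasons.append("SYN and FIN set together")
    return reasons


def build_packet(src: str, dst: str, flags: int, sport=40000, dport=23) -> bytes:
    """Construct a minimal IPv4+TCP header pair as test input (constructed
    sample, not captured traffic; checksums deliberately left at zero)."""
    ip = struct.pack(IP_HDR, 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in [("normal SYN", build_packet("10.0.0.5", "10.0.0.9", SYN)),
                      ("LAND", build_packet("10.0.0.5", "10.0.0.5", SYN)),
                      ("SYN+FIN", build_packet("10.0.0.5", "10.0.0.9", SYN | FIN))]:
        print(name, "->", classify(pkt) or ["pass"])
```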

Welcome!

Welcome to the InfoSec Kwoon. Before we go any further, for those unfamiliar with the term "Kwoon," it is Chinese and essentially means "school" or "place of learning." Think of it as the Chinese equivalent of the Japanese term "Dojo." I'm a life-long practitioner of Chinese martial arts and a die-hard Information Security geek, so the marriage of the two seemed a natural one for me. At any rate, I hope you'll find something useful here. I have a preference for Open Source software, so you'll no doubt find me favoring Open Source over commercial, closed source software whenever possible and appropriate. I do, however, keep an open mind with regard to security products, and I rate things fairly on how well products do what it is that they claim to do.

At any rate, thanks for dropping by. Again, welcome to the InfoSec Kwoon. Kindly don't wear your street shoes onto the practice floor. Should you need me, my office is over there. No, not that one....that's the supply closet. The one on the end. Yeah, that's it. Stop by whenever you like. The door is always open.