Escaped...From a Twisted Mind
The random musings of a twisted mind...
Monday, September 30, 2013
My Review of "Practical Anonymity" by Peter Loshin
Despite only giving it a 3-star review, let me start with this: it is not a bad book.
It did confuse me in several ways. Firstly, despite the title, this is not a book on remaining anonymous on the Internet. This is predominantly a book on setting up and using Tor to permit you to be anonymous on the Internet. The last chapter briefly covers anonymous email, but the vast majority of the book covers Tor.
Secondly, I was confused about what the target audience is. If it is aimed at the lay person who is worried about anonymity, then it is too deep and will scare off all but the most persistent. If it is aimed at the technical user who wants to understand the detailed inner workings of Tor, then it probably falls short. It does provide a fairly comprehensive discussion of the basics of Tor applicable to the novice user, but that is a small portion of the book. The majority of the book is a more detailed overview of the various features of Tor and how to set them up, which is suited to a more technical audience.
Thirdly, this book suffers from inconsistent editing, periodically repeating concepts a couple of paragraphs or pages apart, often with almost identical phrasing.
That said, the book is easy to read and reasonably well organized. The coverage of Tor is very complete and far easier to read than the Tor documentation.
If you are moderately technical and are looking for a book on the capabilities of Tor, then this is a good book to start with. If you are a computer user looking for a way to stay anonymous on the Internet, then the first few chapters are good, but probably not worth buying the whole book for. You would probably be better off with the introductory Tor documentation.
My overall rating...3 stars
Tuesday, July 19, 2011
B-Sides SK anyone?
We haven't had a good security conference in the SK in a while...so let's make one! Anybody interested in helping (organizing, speaking, sponsoring, etc.) with a Security B-Sides event in Regina please contact me. I would like to try and roll one up for spring.
For those of you not familiar with the Security B-Sides concept here is their website with an explanation.
Friday, March 04, 2011
Zoneinfo-Arthur David Olson is retiring
But while that in itself is interesting what is even more interesting is that the tz database is not just a boring database of rules for timezones, it is a historical compendium of timezone rules and the history behind them dating back hundreds of years. Given that it is just a plain-text file, anyone can read this history. Some of it is very intriguing. A brief description of some of the nuggets in the database can be found at Jon Udell's Blog or you can download a copy to peruse at nih.gov.
Friday, September 24, 2010
Seth Godin on the Fear Tax
Saturday, September 18, 2010
Tuesday, December 29, 2009
How safe are your browser passwords?
Firefox
Internet Explorer
Summary
Saturday, July 11, 2009
Interesting Post on Data Breaches
"I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data thefts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), then account credentials, company-proprietary data, and a few other categories in a distant fourth and fifth by incidence...When stolen, payment card data tends to lead to fraud. That’s the whole point of stealing it. The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify the likely source of a suspected payment card breach for almost 10 years."
The point is that compromises of payment card information are rarely detected by the company whose card information was breached. Rather, the breach is detected by the payment card industry and traced back to the company by means of the resulting fraud and the tools the payment card industry has built to analyze it.
No similar capability exists to trace the source of lost personally identifiable information, account credentials, intellectual property and other data.
Would you even know if your company was breached?
Sunday, May 17, 2009
Seth Godin on Tribes
Definitely worth a listen.
Wednesday, February 04, 2009
Mandiant Memoryze Review and other free Mandiant Tools
In follow-up to my ISC diary of January 2nd, Russ McRee of holisticinfosec.org has published his review of Mandiant's Memoryze tool. Russ was so impressed with Memoryze that he awarded it the 2008 Toolsmith Tool of the Year!
For those of you who didn't read the first diary...Memoryze is a free tool from Mandiant to assist with Windows memory analysis. It is one small piece of Mandiant's Mandiant Intelligent Response (MIR) product, released for public consumption.
Russ's review can be found at http://holisticinfosec.org/toolsmith/docs/february2009.pdf
Another outstanding free tool released by Mandiant in the last few weeks is Hilighter. Hilighter is a tool that assists in the viewing and analysis of log files and other text files. I have only played with it a little bit, but so far I am very impressed.
Mandiant has other free incident response tools available on their website as well:
Red Curtain - helps find and analyze unknown malware
Web Historian - assists with review of websites found in browser history files
First Response - incident response management software
If these first few releases are any indication it appears that the Mandiant folks are committed to providing top quality free tools to the incident response community.
Enjoy!
Friday, January 09, 2009
The Academy...Home!
Because of very persistent marketing, most people in the security industry have heard of The Academy. Peter Giannoulous has done an amazing job of promoting his security video website in an almost viral way, using all sorts of Web 2.0 from LinkedIn to Twitter and everything in between.
Now Peter has gone one step further, launching The Academy Home. This site has the same general idea...videos on how to configure security...but the audience is much different. The Academy Home is aimed at the average computer user. Finally a good quality security website aimed at your parents and grandparents who are not savvy computer professionals and sorely in need of good quality, knowledge appropriate guidance.
So please help make this endeavour successful! Let all of your non-tech-savvy friends and relatives know about The Academy Home. Maybe you will even get a couple of nights off from tech-support. (-8
SANS Log Management Survey
SANS is surveying individuals on log management practices in their organizations. The more people who take the survey, the more useful the results, so please give up 10 minutes of your time to complete it. Even if you have not yet started a log management project...please take the survey...your information is at least as important as that of those who have, if not more.
Thanks in advance!
Tuesday, December 30, 2008
25C3: MD5 Collisions and SSL Certs
At the Chaos Computer Congress currently on in Berlin, a group of researchers have described an attack that utilizes MD5 collisions to create an intermediate Certificate Authority which would permit them to act as a Man-in-the-Middle in SSL transactions. While a lot of effort went into creating a huge hype for this announcement, the short answer is that the Internet is not dead yet.
That said, this is a potentially serious attack. It permits somebody who is capable of generating an MD5 collision to effectively impersonate any SSL enabled website.
There is very little the end user or any website administrator can do. The solutions to this attack lie with the certificate providers...who must stop issuing MD5 signed certs. Verisign has announced that they are no longer issuing MD5 signed certs, others will follow quickly.
If you are the administrator of an SSL-enabled web server or application, you should take a look at your cert and see whether it is signed with MD5 or SHA-1. If it is MD5, it would not be a bad idea to replace it with a new one signed with SHA-1. This will not prevent this particular attack (even if you have a SHA-1 signed cert, someone could still impersonate your site using an MD5 signed cert), but it will go a long way toward putting a nail in the coffin of MD5 signed certs once and for all.
How do you tell? Connect to each of your SSL-enabled sites and double click on the padlock in the bottom right corner. Click "View Certificate", click the Details tab, scroll all the way down to the bottom and click on "Certificate Signature Algorithm". It should say "PKCS #1 SHA-1 With RSA Encryption" or something similar. If it says MD5, then I recommend calling your cert issuer and requesting a new one signed with SHA-1.
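The browser check above is fine for one site; as an added example (not code from the original post), here is a small pure-Python DER walker that reads the outer signatureAlgorithm of a certificate so the same check can be scripted over a directory of DER or PEM files. The function names and the two constructed stand-in certificates are mine, not anything from the post.

```python
# Added example, not from the original post: read the outer signatureAlgorithm of an
# X.509 certificate with a small DER walker, so MD5-signed certs can be found by script.
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
import base64
import sys

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> names
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted form of DER OID content bytes (first byte packs the first two arcs; fine for 1.x)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (dotted OID, name) from the certificate's outer AlgorithmIdentifier."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def is_md5_signed(cert_der):
    return signature_algorithm(cert_der)[0] == MD5_RSA_OID


def load_cert(path):
    """Read a DER or PEM certificate file into DER bytes."""
    data = open(path, "rb").read()
    if data.startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def fake_cert(oid_hex):
    """Constructed, unsigned stand-in with the real outer layout: a one-integer
    tbsCertificate, the given AlgorithmIdentifier with NULL params, an empty BIT STRING."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


MD5_CERT = fake_cert("2a864886f70d010104")    # md5WithRSAEncryption (constructed sample)
SHA1_CERT = fake_cert("2a864886f70d010105")   # sha1WithRSAEncryption (constructed sample)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        oid, name = signature_algorithm(load_cert(path))
        print(f"{path}: {name} ({oid}){'  <-- MD5, replace' if oid == MD5_RSA_OID else ''}")
```

Run it as `python check_sig.py *.pem *.der` to list each file's signature algorithm; only the outer AlgorithmIdentifier is parsed, which is the one that says what the issuing CA used.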
Saturday, September 20, 2008
New (to me) nmap features!
I spent a little time today catching up on some emails I filed away for future reading. One of the emails that caught my attention was a write up on Fyodor's announcement at Defcon of new features in the new version of Nmap (was 4.75, 4.76 is out now) and the subsequent email from Fyodor on the nmap-hackers list. A few of these features caught my attention.
The first one is --top-ports. Essentially, Fyodor and company spent the summer scanning the Internet and, from that research, ranked all the TCP and UDP ports by how frequently each was found open.
According to their research
nmap --top-ports 10
will give you about 50% of the open ports and
nmap --top-ports 1000
will give you approximately 94% of the open ports.
The biggest difference is from a reconnaissance point of view. With the older nmap versions, if you just let nmap loose with the default set of ports
nmap -sS -sU
nmap would scan over a thousand TCP and UDP ports. It wasn't quick against one IP, and it was interminably slow against a large IP range. For this reason most pentesters have a small range of 20-50 ports they use for discovery scans. With --top-ports this is largely superfluous, although there may be reasons you might want to add extra ports based on the environment being scanned.
Another option that came out of this research is the Fast Scan option (-F).
nmap -F
is perfect for discovery scans. It scans the top 100 ports of each protocol, increasing the speed from the default behaviour by an order of magnitude.
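As an added example (not code from nmap or from Fyodor's announcement), here is a small Python model of what --top-ports does: it ranks ports by the open-frequency column of the nmap-services file, reports what share of the observed open ports the top N cover (the figure behind the 50% and 94% numbers above), and renders the resulting list as a -p argument for an older nmap. The sample lines and their frequencies are constructed for the demonstration, not taken from the real file.

```python
# Added example, not from nmap or Fyodor's announcement: the ranking behind --top-ports,
# worked from the nmap-services file, whose third column is the measured open-frequency.
# Real line format (tab-separated):  <service>  <port>/<proto>  <open-frequency>  # comment
from collections import namedtuple

Service = namedtuple("Service", "name port proto freq")

# Constructed sample in nmap-services layout; the frequencies are invented round
# numbers for the demonstration, not the values from the real file.
SAMPLE_NMAP_SERVICES = """\
# Fields: Service name, portnum/protocol, open-frequency, optional comments
http        80/tcp      0.40    # World Wide Web HTTP
telnet      23/tcp      0.20
https       443/tcp     0.15
ftp         21/tcp      0.10
ssh         22/tcp      0.10
smtp        25/tcp      0.04
unknown     49152/tcp   0.01
snmp        161/udp     0.50
netbios-ns  137/udp     0.30
domain      53/udp      0.20
"""


def parse_nmap_services(text):
    """Parse nmap-services lines into Service records, skipping comments and blank lines."""
    services = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        name, portproto, freq = line.split()[:3]      # any whitespace, tabs or spaces
        port, proto = portproto.split("/")
        services.append(Service(name, int(port), proto, float(freq)))
    return services


def top_ports(services, proto, n):
    """The n most-often-open ports of one protocol, highest frequency first (what --top-ports n scans)."""
    ranked = sorted((s for s in services if s.proto == proto),
                    key=lambda s: s.freq, reverse=True)
    return [s.port for s in ranked[:n]]


def coverage(services, proto, n):
    """Fraction of all open-port observations for proto that the top n ports account for."""
    freqs = sorted((s.freq for s in services if s.proto == proto), reverse=True)
    total = sum(freqs)
    return sum(freqs[:n]) / total if total else 0.0


def ports_to_spec(ports):
    """Render a port list as an nmap -p argument, collapsing consecutive runs (21,22,23 -> 21-23)."""
    runs, start, prev = [], None, None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            runs.append((start, prev))
            start = prev = p
    if start is not None:
        runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


if __name__ == "__main__":
    svc = parse_nmap_services(SAMPLE_NMAP_SERVICES)
    for n in (3, 5):
        print(f"top {n} tcp: -p {ports_to_spec(top_ports(svc, 'tcp', n))} "
              f"covers {coverage(svc, 'tcp', n):.0%} of observed open tcp ports")
```

Point `parse_nmap_services` at the contents of the real nmap-services file shipped with nmap and the same functions reproduce the top-N list and coverage figures for any N.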
Taking a slightly different direction...I have always been an nmap command line bigot. This is partly because I have used nmap from the days when all that was available was the command line. Another reason is that I have never found an nmap GUI that I liked. Some of the new features in Zenmap have me re-evaluating that.
The two that got my attention are scan aggregation and mapping.
In short, scan aggregation is a feature that combines all scans performed from the same Zenmap window. This permits incremental scans, and analysis of the combined scan. Here is a screen shot of a couple of scans aggregated in Zenmap:
The mapping feature I still find a little lightweight, but it is an outstanding start. Here is the map from the same scan.
Some more detailed sample maps and a feature description are available at http://nmap.org/book/zenmap-topology.html.
There are other features that I haven't had time to look at yet, such as improved OS detection, rate limiting, and many, many, more.
Now if I can just get past my fear that nmap on Windows is somehow less accurate than nmap on *nix.
Friday, August 29, 2008
Cool: New Nmap features
Seriously...thanks to the Google Summer of Code and the hard work of Fyodor, there are a bunch of new and way cool features coming in nmap.
Sunday, May 04, 2008
Declaration of Independence
While not directly security related, Pamela Slim has assembled a flash movie that closely resembles my philosophy on life, and is one of the most inspirational pieces I have seen in a long time. While she is trying to push the viewers towards entrepreneurial endeavours, the attitude and lifestyle she is proposing is very applicable to my life and should be applicable to most security practitioners' lives. This is not an industry that is made for people who are willing to accept the status quo, but rather for those who creatively look for solutions and push the envelope of technology and conventional thinking.
Hope you enjoy it!
Rick
Wednesday, January 09, 2008
Stephen Northcutt weighs in on security predictions (sort of)!
I would like to take a chance to comment on some of these:
"Apple Will Gain Significant New Market Share"
While I expect that Apple will gain market share (I know I am hoping to go back to one), I can't see it being huge over the long term. The problem is that the people who are going to Apple are tech-savvy people looking for something better, and I expect will also have a Windows computer around. The problem is the "unwashed masses" don't have the ability to realize that there should be something better than Windows, nor are they prepared to look past the mountains of software available for Windows to make an informed decision to go to a computer system which is easier to use and easier to live with.
Information Centric Security Phase One
I have been trying to convince people to make this shift for years. Unfortunately, for whatever reason, decision makers aren't prepared to look past the security FUD spewed by the security vendors and do a proper risk analysis. I think if you start looking at your information and classifying it you will be drawn to the conclusion that the hard crunchy shell with the soft interior is no longer applicable. The concept of perimeter security was great for its time, but it comes from a day when very little information was available online and the perimeter protected a few machines. This is a different world: most companies are 100% connected, and all of their crown jewels live on or are accessible from their corporate LANs. The volume of information available via a breach is astronomical compared to when perimeter security was conceived, and the sensitivity of the data stored on your corporate network is scary. It does not make sense to tar all data with the same brush any longer. Most information generated by the average corporation is mundane...however some of it is critical and the loss of that data can be fatal or at least severely harmful. Doesn't it make a lot of sense to start focusing security on the data and making sure the critical assets are better protected than your mundane information?
"even more paperwork will be devised by the clueless trying to help"
It sure seems the longer I am in security the more this is true. Nowadays it seems we spend more effort checking to see if we are compliant with whatever legislation or standard is sexy this week and less actually getting compliant, or better yet, getting secure! Standards are a wonderful thing to measure against, but the fact is they are a minimum set of controls which are great as a starting point. The fact is they don't represent reality, and they certainly don't represent your environment. We would all be better off if we spent less time doing compliance, and put more effort into doing what makes sense for us!
Thursday, January 03, 2008
GIAC, 20,000 strong
Friday, August 03, 2007
Jim Leroy died doing what he loved!
The other pilot involved in that performance, and the sole survivor of that fateful performance, was an equally amazing pilot named Jim Leroy. Mr. Leroy died himself at an airshow in Dayton, Ohio this Saturday past.
There is not much to be said about the loss of another amazing pilot that has not already been said. He was one of a kind and will be sadly missed.
I did however want to point to the amazing job the Dayton Daily News has done covering this event. There is everything there from retrospectives, to pictures, to video of the crash itself. A very fitting tribute.
The content is all linked from one page here.
Jim Leroy 1961-2007, may he rest in peace.
Wednesday, April 11, 2007
Reminder: Inaugural event Friday
As an aside, I noticed that this event got some press in the Canadian Information Security Newsletter put out by Robert Beggs at Digital Defence. Thanks Robert!
See you all Friday!
Wednesday, February 28, 2007
Forming a security group in Regina, SK, Canada
I am announcing here a Regina chapter of whitehats.ca. For now we are starting simply with a blog. At some point in the future hopefully it will have its own mailing list and website. But for now let's start with baby steps.
Hopefully the first meeting will be in April, in a local pub, with some good brews and good conversation.
Rick
Sunday, February 18, 2007
So you wanna get into IT Security!
- Represent yourself authentically.
- Stop using Microsoft Windows as your primary desktop.
- Attend meetings of local security group.
- Read books and subscribe to free magazines.
- Create a home lab.
- Familiarize yourself with open source security tools.
- Practice security wherever you are, and leverage that experience.
Publish
In the Internet age self-publishing is easy. Put up your own web server at home and register a URL or domain with dyndns.org, or if that is too much work pages like infosecwriters.com will publish quality papers no questions asked.
I know... You all hate writing...so why would you do this?
Firstly, it gets your name out there. The ability to be Googled is not yet essential in this industry, but it sure doesn't hurt.
Secondly, it proves that you can write something coherent and readable and gives potential employers a source besides resume and interviews to measure your ability.
Third, it shows that you are serious! Everyone knows that most people intensely dislike writing. It will show that you have the ability to complete difficult tasks. The fact that you put the effort in will weigh in your favor.
Believe it or not this is not rocket science. I am not suggesting a 50 page treatise on detecting the PDF exploit using Snort. I am talking 5-10 pages on stuff you know. Write as you read... and learn. Consolidate learning from different sources into new views on a subject. Remember there are lots of people at the same level of knowledge as you and lots even lower who will be happy to read what you write to expand their knowledge.
Volunteer
Security organizations and conferences are always looking for people to help out. Volunteer for anything local to you. This is a great chance to meet people in the local security industry, and possibly even get the chance to learn some things.
Another place you can volunteer is community and open source projects. If you have coding skills volunteer for any of the open source security initiatives over at sourceforge or similar places. If you can't code, there are always community projects that are looking for a minimal amount of expertise and lots of enthusiasm to organize documentation, coordinate work etc. Or in a similar vein there are a number of consensus projects like the SANS Top 20 that are looking for opinions.
You are limited only by your imagination and your enthusiasm.
Rick
Friday, February 09, 2007
Witty comments
Today I was catching up on some long neglected blog reading and got a chuckle compliments of the lovely people at F-Secure. They ran a contest for witty sayings for laptop stickers. The results are in and some are worth a chuckle...
I lost my password, can you tell me yours? — Azham R. of Malaysia
This is not the wireless access point you're looking for. — Matt L. of Australia
I just click OK to make the box go away. — Justin R. of UK
My botnet can beat up your botnet. — David B. of USA
Password is on a Post-it note on the display. — Ken T. of Germany
Have a good one!
Rick
Thursday, November 23, 2006
More Security Absurdity
"Security Professionals are in the best position to create change and that is why we are responsible for this situation."
"I think the security community needs to redefine their definition of success. And I think they need to understand the unique position they are in to improve security and to accept that responsibility."
"In order for Best Practices to be relevant, they need to be attainable, practical, implementable and manageable. Today's security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing....Security is a process to be evaluated on a constant basis. There is nothing that will put you into a "state of security" - no best practice, no security guideline, no security checklist."
"My idea of security is that a user should be free to conduct, "normal and common" activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities - i.e., parks in the daytime on a busy street and locks it with a good security system - then that is normal and common behavior and a crime should not be expected."
The solution won't be easy, but it begins with participation and collaboration between all of the groups involved in security and ends with an Internet that looks much different than today. Each player has a part to play...Software vendors, security vendors, lawmakers, executives and most of all the security practitioners. Ultimately the key to any solution involves the active participation of the security community.
Rick
Wednesday, November 01, 2006
Extreme password security or Microsoft screw-up? You be the judge!
"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."
Definitely extreme, but secure... (-8
Rick
Thursday, October 26, 2006
Looking for a Job in Security?
On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.
Rick
Monday, October 23, 2006
Top 10 Security Myths decomposed.
- Security through obscurity is a bad idea.
- Strong passwords are strong.
- Altruistic bugfinding is beneficial.
- You can't quantify risk.
- You can't get ROI from security.
- Security is about process, not product.
- SSNs are secret.
- Program x is more secure than program y.
- Stand up to your boss and "just say no."
- Security is failing.
Rick
Friday, October 20, 2006
PHPSecInfo - What a great idea!
From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."
Good on ya!
Rick
Thursday, October 19, 2006
NIST Guide to Integrating Forensic Techniques into Incident Response
Rick
Finally a map I can read! (-8
Rick
Sunday, October 15, 2006
Hilariously Funny?
Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!
http://www.amazon.com/Million-Random-Digits-Normal...
I understand that in 1955 when this book was originally published that generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.
Rick
Thursday, October 12, 2006
Payment Card Industry Standards Changes
Reminder: End of XP SP1 support
I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.
Rick
NIST Guide to Log Management is final
Rick
Friday, October 06, 2006
More Security Stupidity
Rick