Friday, March 17, 2006

RSS Readers Dueling It Out on My PowerBook

I started researching free RSS readers several months ago after finding it to be too time consuming visiting such a large list of bookmarks in Firefox. Sure, Firefox has Live Bookmarks, but have you used them? I personally think they suck a bit. So, the RSS reader search began. I found quite a few commercial apps but I really didn't want to pay anything for something that is essentially an XML parser/aggregator.

After trying about a half dozen, I stuck with Pulp Fiction Lite for about 4-6 months--hard to say just how long without looking at timestamps on the files. It is a good, slightly crippled version of their commercial product. Unfortunately, even though it was the best of those I tested, I wasn't in love with it.

Recently, I came across Vienna which is a free, Open Source RSS reader for Mac OS X. With the exception of Microsoft Office, I prefer running Open Source software. Vienna has been quite functional and more user friendly than Pulp Fiction Lite. It does seem to be a little more picky about the RSS feed being fully compliant with RSS standards, as a couple of my feeds have been reported as bad. Going back to the source of the feed, I was able to try one of the other versions (RSS .9, 1.0, 2.0, ATOM, etc) and got past the problem. To help solve the problems with the feeds, it has an option to Validate Feed, which sends the feed to the Feed Validator website.

Vienna has quite a few features that I haven't even delved into yet but I expect to get around to them. They include Groups, Smart Folders and Custom Styles. A very cool app, indeed. If you like freeware, Open Source apps and need a solid RSS reader, check out Vienna.
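Since a reader is, as the post says, essentially an XML parser/aggregator, the "bad feed" complaints come down to how strictly that parser behaves. The script below is an added example (not Vienna's code, nor anything from the post) showing what a strict-but-safe feed sniffer looks like: it tells RSS 2.0, RSS 1.0 (RDF) and Atom apart, pulls entry titles, rejects feeds that are not well-formed XML, and refuses any feed carrying a DOCTYPE, since inline entity definitions are the classic entity-expansion trick and a feed has no legitimate need for one. All sample feeds are constructed for illustration.

```python
"""Strict feed sniffer: classify a feed, list its entry titles, and refuse
anything malformed or carrying a DOCTYPE.  Added example; the sample feeds
below are constructed and do not come from any real site."""
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
RSS1_NS = "{http://purl.org/rss/1.0/}"   # RSS 1.0 puts channel/item in this namespace


def parse_feed(data: bytes) -> dict:
    """Return {"format": ..., "titles": [...]} or raise ValueError with the reason."""
    # Internal DTD subsets can define entities that expand explosively
    # (the "billion laughs" problem); no feed format needs a DOCTYPE, so refuse it.
    if b"<!DOCTYPE" in data:
        raise ValueError("feed contains a DOCTYPE declaration; refusing to parse")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"feed is not well-formed XML: {exc}") from exc

    tag = root.tag
    if tag == "rss":                       # RSS 0.9x / 2.0: <rss version="..."> with plain <item>
        version = root.get("version", "unknown")
        titles = [i.findtext("title", "") for i in root.iter("item")]
        return {"format": f"RSS {version}", "titles": titles}
    if tag.endswith("}RDF"):               # RSS 1.0: <rdf:RDF> with namespaced <item>
        titles = [i.findtext(RSS1_NS + "title", "") for i in root.iter(RSS1_NS + "item")]
        return {"format": "RSS 1.0", "titles": titles}
    if tag == ATOM_NS + "feed":            # Atom: <feed xmlns="...Atom"> with <entry>
        titles = [e.findtext(ATOM_NS + "title", "") for e in root.iter(ATOM_NS + "entry")]
        return {"format": "Atom", "titles": titles}
    raise ValueError(f"unrecognised feed root element: {tag}")


def check_feed(data: bytes) -> str:
    """One-line verdict of the kind a reader could show next to a subscription."""
    try:
        info = parse_feed(data)
    except ValueError as exc:
        return f"BAD: {exc}"
    return f"OK: {info['format']}, {len(info['titles'])} entries"


# Constructed sample feeds (not real sites).
RSS2_SAMPLE = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item><title>First post</title></item><item><title>Second post</title></item>
</channel></rss>"""

RSS1_SAMPLE = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
<channel rdf:about="http://example.invalid/"><title>Example</title></channel>
<item rdf:about="http://example.invalid/1"><title>RDF item</title></item>
</rdf:RDF>"""

ATOM_SAMPLE = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Example</title>
<entry><title>Atom entry</title></entry></feed>"""

BROKEN_SAMPLE = b"""<?xml version="1.0"?><rss version="2.0"><channel><item><title>Unclosed"""

DOCTYPE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY a "aaaa">]>'
                  b'<rss version="2.0"><channel><item><title>&a;</title></item></channel></rss>')

if __name__ == "__main__":
    for name, feed in [("rss2", RSS2_SAMPLE), ("rss1", RSS1_SAMPLE), ("atom", ATOM_SAMPLE),
                       ("broken", BROKEN_SAMPLE), ("doctype", DOCTYPE_SAMPLE)]:
        print(f"{name:8s} {check_feed(feed)}")
```

The point of the DOCTYPE check is that "being picky" is not only about spec compliance: a feed the reader fetches is untrusted input, and the parser should reject constructs it does not need before handing the document to the XML library at all.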

Thursday, March 16, 2006

Centralized Logging for Windows Using Syslog

I posted the following information on a couple of different blogs several months ago. Since it has a link that I reference regularly, I decided to add it here to keep handy next time I mention it.

Syslog Server: If you choose not to implement a syslog server on a *nix platform, I highly recommend Kiwi Syslog Daemon. There is a free version that should fit most shops' needs and a commercial version for more advanced setups.

Event Log to Syslog: The Snare Agent is hands-down the best event log to syslog tool out there. It is FREE and supports all Event Logs including Security, Application, System, DNS and AD.

Microsoft Solutions: Microsoft Operations Management (MOM) includes the ability to collect all the logs from servers it monitors but is quite expensive if that's all you want to do. The vaporware Microsoft Audit Collection System (MACS) is supposed to have an agent on each server that forwards all the logs back to a central MACS server and stores everything in SQL. Keep holding your breath for that one.

Microsoft Security Monitoring and Attack Detection Planning Guide is a superb guide for learning what and what not to monitor in a Windows environment. The most useful part of the guide is Appendix A - Exclude Unnecessary Events to help trim down to the events that deserve a monkey's precious attention.
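Once Snare (or any forwarder) is shipping event logs to the syslog server, the trimming the guide's Appendix A talks about has to happen somewhere. The script below is an added example, not code from Snare, Kiwi or the Microsoft guide, showing the shape of that triage step on the syslog side: parse the BSD syslog header, pull the log name and event ID out of the message body, drop the routine events on an exclusion list, and flag events that should always be looked at. The tab-delimited body layout, the two event-ID lists and the sample lines are all assumptions constructed for this example; the real exclusion list should come from Appendix A, and the body layout from the forwarder's own documentation.

```python
"""Triage Windows event-log records after they arrive at a syslog server.
Added example, not taken from Snare, Kiwi or the Microsoft guide: the
tab-delimited body layout, the event-ID lists and the sample lines are
all constructed for illustration."""
import re
from dataclasses import dataclass

# Classic BSD syslog header: <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Assumed exclusion list standing in for the guide's Appendix A: routine,
# high-volume Security events that carry no signal on their own.
EXCLUDE_EVENT_IDS = {538, 562, 576}
# Assumed "always escalate" list: events that indicate tampering with auditing.
ALERT_EVENT_IDS = {517, 612}


@dataclass
class WinEvent:
    host: str
    timestamp: str
    severity: int      # low 3 bits of the syslog PRI value
    log: str           # Security, Application, System, ...
    event_id: int
    user: str
    description: str


def parse_line(line: str) -> WinEvent:
    """Parse one forwarded line; assumed body layout is LOG<TAB>ID<TAB>USER<TAB>TEXT."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    fields = m.group("msg").split("\t")
    if len(fields) < 4:
        raise ValueError(f"unexpected body layout: {m.group('msg')!r}")
    try:
        event_id = int(fields[1])
    except ValueError as exc:
        raise ValueError(f"non-numeric event id in {line!r}") from exc
    return WinEvent(
        host=m.group("host"),
        timestamp=m.group("ts"),
        severity=int(m.group("pri")) & 0x7,
        log=fields[0],
        event_id=event_id,
        user=fields[2],
        description="\t".join(fields[3:]),   # description may itself contain tabs
    )


def triage(lines) -> dict:
    """Drop noise, keep the rest, and flag events that must always be reviewed."""
    kept, alerts, dropped, unparsable = [], [], 0, 0
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            unparsable += 1          # count, never silently lose, malformed records
            continue
        if ev.log == "Security" and ev.event_id in EXCLUDE_EVENT_IDS:
            dropped += 1
            continue
        kept.append(ev)
        if ev.event_id in ALERT_EVENT_IDS:
            alerts.append(ev)
    return {"kept": kept, "alerts": alerts, "dropped": dropped, "unparsable": unparsable}


# Constructed sample input (not real logs).
SAMPLE_LINES = [
    "<13>Mar 16 10:01:02 DC01 Security\t528\tDOMAIN\\alice\tSuccessful Logon",
    "<13>Mar 16 10:01:03 DC01 Security\t538\tDOMAIN\\alice\tUser Logoff",
    "<13>Mar 16 10:02:10 DC01 Security\t529\tDOMAIN\\bob\tLogon Failure: bad password",
    "<13>Mar 16 10:03:00 DC01 Security\t576\tDOMAIN\\alice\tSpecial privileges assigned",
    "<13>Mar 16 10:05:44 DC01 Security\t517\tDOMAIN\\mallory\tThe audit log was cleared",
    "<13>Mar 16 10:06:00 FS01 Application\t1000\tN/A\tApplication error",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for ev in result["alerts"]:
        print(f"ALERT {ev.host} {ev.timestamp} id={ev.event_id} user={ev.user}: {ev.description}")
    print(f"kept={len(result['kept'])} dropped={result['dropped']} unparsable={result['unparsable']}")
```

Two design choices worth keeping whatever list you end up with: the exclusion only applies to the log the list was written for (dropping Security 538 should not also drop an Application event that happens to share the number), and unparsable lines are counted rather than discarded, because a forwarder that suddenly changes its format looks exactly like a forwarder that has stopped sending.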

Die Virtual PC, rise VMware on a Mac (via SSH)

Several weeks ago, I installed X11 on my PowerBook so I could run Ethereal. About a week after that, I tried tunneling the VMware Console over SSH into X. The console flashed a couple of times on the screen and promptly died. I tried several more times with no luck. A Google search did not turn up anything at the time. Frustration set in...

Today, while in a Windows Vista TAP meeting (don't ask), Jordan asked if I had tried tunneling the console over SSH. I replied yes, and shortly thereafter he sent me the following link to "How To Run vmware-console Remotely With Apple's X11" at the Tao of Mac site. I SSHed into my VMware server, added the xkeymap entry into my preferences file in the .vmware folder, ran vmware-console and BOOM!, there was VMware Console running in all its glory on my PowerBook. YES! I am a happy guy now.

DIE VIRTUAL PC! May you rot in peace. Long live VMware!

Wednesday, March 15, 2006

FrSIRT sells out!

Any security person (or even script kiddie) knows the name K-otic. K-otic has been the source of top notch Proof of Concept (PoC) code and exploits for quite some time. Last year, I think, is when they transitioned to a business mindset of becoming FrSIRT, the French Security Incident Response Team, and started selling vulnerability announcement services. They continued putting out exploit code that typically made its way into Metasploit very quickly.

It all ends today...unless you are a customer of their VNS--Vulnerability Notification Service--you don't get squat anymore. Their website doesn't even list the pricing for their product, however, I may end up getting curious enough to give them a call or shoot them an e-mail. Either way, I am really disappointed. It was a great and well-used resource by many security professionals.

Were they like Tenable and didn't feel they were getting enough back from what they put out? Who knows. They just have a crappy little page up where the Exploits page once existed that says:

Exploits and PoCs are available to FrSIRT VNS™ subscribers only.
Public exploits section have been definitively closed.

Oh well, thanks for the good times. If anyone has a mirror of all of their code, let me know ASAP!

UPDATE 9:08pm EST: My RSS reader just notified me there was a new article at FrSIRT, so I clicked on it to simply find that someone who knows the English language better has finally updated the text to read "Public exploits sections has been definitively closed." Damn. And here I thought they saw the error of their ways and changed their mind. I guess not. Someone on the FunSec mailing list posted that them closing the section wasn't a big deal as they just took the code from milw0rm. SMACK!!

Wednesday, March 08, 2006

SANS 2006 - CISSP - Final Thoughts

After being in class for approximately 72 hrs in 6 days, I am a little burned out. The class was excellent. It really gave me an appreciation for security management. The CISSP certification is certainly designed for managers although industry and HR personnel don't seem to realize this. The more interesting parts were dealing with policy and cryptography. I really didn't know too much about cryptography before taking the class, but after a full day of it, I can say I have a good grasp on the subject. As for policy, I used to seriously dislike anything related to policy, especially meetings that dealt with the semantics of policy. Looking at it from a managerial standpoint, it is crucial to the inner workings, efficiency and effectiveness of an IT organization. I look forward to actively participating in policy committees in the future.

I was able to attend several technical sessions during lunch and after class in the evenings. The majority of them were top-notch. I really enjoyed Joe Stewart's presentation on his tool TRUMAN for creating sandnets to accomplish behavioral malware analysis. Great presentation and I look forward to implementing this in the lab for our own testing. I also made contacts with numerous vendors regarding current work projects.

Overall, it was a fantastic, but exhausting experience. If Dr. Eric Cole had not been the instructor, I'm not sure I could have made it through. He is one of the best instructors I have had. Now, I need to continue studying and pass the CISSP exam in April.

Wednesday, March 01, 2006

SANS 2006 - CISSP 10 Domains class

What a week!?! I have been in class since Sat at 9am. Each day has covered 1-2 Domains from the CISSP. Class was 9am-7pm Sat, 8am-7pm Sun-Wed and 8am-5pm Thurs. Only one day left.

There has been a lot going on in addition to the normal class. There was a Vendor Expo where vendors from all corners of the IT security market came out of the woodwork. It was cool seeing some of the ones whose products I have reviewed for NWC or SE. There was even one who I will be reviewing in the next month.

Each night has had at least one Keynote which was sometimes good, sometimes just OK. Essentially, it boils down to me being in Learning Mode for about a full 13 hrs a day.

One surprising thing is how many people are here that I know. It is pretty interesting. There is the SANS faculty and staff that I know, but I am referring to a couple of attendees from other conferences I have met before, someone from FDLE and several people from the FL Dept of Health. Very cool. It has been nice catching up.

It has also been great having "expert" sources to ask questions. I still have a couple of stumpers for some of the big name people. I hope they have good answers as I haven't found info anywhere else. I will keep you posted.

More to follow...