Tuesday, May 09, 2006

Honeypots are not entrapment...usually.

I was listening to one of my favorite podcasts, PaulDotCom Security Weekly (episode 26), where they were talking about an e-mail from a reader who described a slick little honeypot that was created to catch students who were trying to break into systems. There were two machines running from bootable CDs and a shell script that logged into an Administrator account from one to the other every hour and a half. The machine being logged into checked at a particular interval to see who was logged in and gathered all relevant data if someone was. Well, they busted a kid shortly after setting it up and he was expelled.

So, entrapment or not? Hell no! Why not?

Well, first, the sysadmin who implemented this solution is not law enforcement--this is an important detail in the definition of entrapment.

Second, the sysadmin did not trick the student into doing anything he wouldn't normally have done.

You say, "The student wouldn't normally have logged into that system." Bull crap! How did the student end up with the password? He sniffed it. Why was he sniffing the network? To break into a system. If it wasn't this system, it might have been a more important system that might have taken longer because that password sniffed on the wire would have been encrypted.

This is a beautiful example of how to use a honeypot. It provided low-hanging fruit that prevented an attacker from getting into a critical system.

I say, "Bravo. Well done. And, you're wrong, Twitchy!" ;-)
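The periodic "who is logged in" check described above could look like the following sketch, which is an added example and not the script from the e-mail or the podcast. It covers only the session check, not the data gathering, and it assumes who(1)-style output, a decoy account named "administrator", and constructed documentation addresses for the hosts.

```shell
#!/bin/sh
# Added example: flag decoy-account sessions that do not come from the
# machine running the scheduled login script.
# Assumptions (not from the original post): who(1)-style input, the account
# name "administrator", and the RFC 5737 documentation addresses below.

DECOY_USER="administrator"
EXPECTED_SRC="192.0.2.10"   # host that performs the scripted login

# Reads `who` output on stdin; prints "user tty source login-time" for each
# decoy-account session whose source is not the expected client.
flag_sessions() {
    awk -v user="$DECOY_USER" -v ok="$EXPECTED_SRC" '
        $1 == user {
            src = "local"
            # who(1) shows a remote host in parentheses as the last field
            if ($NF ~ /^\(.*\)$/) src = substr($NF, 2, length($NF) - 2)
            if (src != ok) print $1, $2, src, $3 " " $4
        }'
}

# Constructed sample of who(1) output (not real data)
sample_who() {
    cat <<'EOF'
administrator pts/0        2006-05-09 09:00 (192.0.2.10)
administrator pts/1        2006-05-09 09:42 (192.0.2.77)
jdoe          pts/2        2006-05-09 09:50 (192.0.2.31)
administrator tty1         2006-05-09 10:05
EOF
}

# On a live decoy host this would be: who | flag_sessions
sample_who | flag_sessions
```

Because nothing legitimate other than the scripted client ever uses the decoy account, every line this prints is worth investigating, which is what keeps the false-positive rate of a honeypot like this so low.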

Monday, May 01, 2006

To Forensicize or Not To Forensicize!

If you don't listen to the PaulDotCom Security Weekly Podcast, then you may not be familiar with the term "forensicize" as defined by Twitchy. I recommend you start listening and begin developing your kung-fu!

I have had the pleasure of participating in more cases requiring forensic analysis. This isn't common in most university environments. Why not? Well, I think it is primarily because most known compromises deal with student/staff/faculty desktops and laptops. Some underpaid university employee is tasked to figure out what is wrong so they run antivirus, antispyware, anti-whatever and finally realize the machine is too screwed up to do anything with so they reinstall Windows. OR, some wise administrator has decided that too much time has been wasted with figuring out why the systems are hosed up, so at the first sign of trouble, the OS is wiped and reinstalled via Ghost/RIS/etc.

So, what about the compromises that deal with servers or systems that could have sensitive information on them? Again, another unfortunate truth rears its ugly head--lack of knowledge of proper incident response and forensic procedures. I would guess that 90% of system administrators and support staff run McAfee or Symantec when they are told that a system may be compromised. Not only is that useless, but it could be damaging because the filesystem timeline is now destroyed. Now, ask each one of those administrators how to create a forensically sound copy of the hard drive or how to write-block a drive and all but 4-5% could answer it correctly (I am probably being generous with those numbers).

This really isn't where I was planning on going with this posting but my frustrations slowly crept to the surface as I was writing. You can expect more and more on the topic of forensics as I get closer to my talk for the GatorLUG this month and start writing detailed forensics procedures for our university.

No more worms in my Apple...

What a cheesy title!?! About a month ago, my laptop developed a horizontal line across the LCD display. I can't even begin to tell you how disappointed I was when I opened up my PowerBook to find the line. Thankfully, a quick call to Apple Support, and they had a shipping box delivered to my office the following day. Unfortunately, my PowerBook has become my primary desktop and mobile machine for everything--meeting notes, e-mail, documents, etc. Our OPS programmer recently left, so I was able to confiscate his old desktop, install Ubuntu and get a working machine for the interim while my laptop was away being repaired.

What about my sensitive data? During the phone call with Apple Support, the guy asked for my administrative password--I said, "No." He then asked if I would create a user with administrative rights with a certain user name and password--I said, "Sure." Before shipping it off, I backed up all my data to an external FireWire drive, deleted my user account and home folder, then ran "dd if=/dev/urandom of=./random.dd bs=1024k count=7000000" in order to "wipe" my data on the remaining part of the hard drive.

Today, I received my laptop back with a beautiful new LCD. I logged in, recreated my account, copied the contents from the backup, "chown"ed it back to jsawyer:jsawyer and then deleted the temp account. Everything works fantastic, and I am happily productive once again.

Google Mac OS X Widgets

I am always looking for a better, more efficient way to enable me to blog more often. Last week, I came across Google Mac Dashboard Widgets. There are three: Blogger, GMail and Search History. Check them out!

Note: This post was done via the Widget. It is definitely a quick and easy way to blog via Blogger, but it doesn't allow any advanced editing. Hopefully, they will add advanced editing in upcoming versions.