<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.1" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>2 Blocks away:</title>
	<link>http://blog.2blocksaway.com</link>
	<description>Where *nix and security meet the general public</description>
	<pubDate>Sun, 15 Jun 2008 11:31:38 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.1</generator>
	<language>en</language>
			<item>
		<title>The end of this blog</title>
		<link>http://blog.2blocksaway.com/2008/06/15/the-end-of-this-blog/</link>
		<comments>http://blog.2blocksaway.com/2008/06/15/the-end-of-this-blog/#comments</comments>
		<pubDate>Sun, 15 Jun 2008 11:31:38 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/]]></category>

		<guid isPermaLink="false">http://blog.2blocksaway.com/2008/06/15/the-end-of-this-blog/</guid>
		<description><![CDATA[
With the publication of my book I decided to re-focus my online presence. To keep the online tutorials available for everyone, a new blog has been started at flosse.2blocksaway.com. All comments on this blog have been disabled.
//flosse
Tags: book,, active, driectory,, disaster, recovery,, flosse.2blocksaway.com]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<p>With the publication of my <a href="http://www.packtpub.com/active-directory-disaster-recovery/book">book</a> I decided to re-focus my online presence. To keep the online tutorials available for everyone, a new blog has been started at <a href="http://flosse.2blocksaway.com">flosse.2blocksaway.com</a>. All comments on this blog have been disabled.</p>
<p>//flosse</p>
<p class="tags">Tags: <a href="http://technorati.com/tag/book%2C" title="See the Technorati tag page for 'book,'." rel="tag">book,</a>, <a href="http://technorati.com/tag/active" title="See the Technorati tag page for 'active'." rel="tag">active</a>, <a href="http://technorati.com/tag/driectory%2C" title="See the Technorati tag page for 'driectory,'." rel="tag">driectory,</a>, <a href="http://technorati.com/tag/disaster" title="See the Technorati tag page for 'disaster'." rel="tag">disaster</a>, <a href="http://technorati.com/tag/recovery%2C" title="See the Technorati tag page for 'recovery,'." rel="tag">recovery,</a>, <a href="http://technorati.com/tag/flosse.2blocksaway.com" title="See the Technorati tag page for 'flosse.2blocksaway.com'." rel="tag">flosse.2blocksaway.com</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2008/06/15/the-end-of-this-blog/feed/</wfw:commentRss>
		</item>
		<item>
		<title>female geeks&#8230; a dying breed</title>
		<link>http://blog.2blocksaway.com/2007/08/07/female-geeks-a-dying-breed/</link>
		<comments>http://blog.2blocksaway.com/2007/08/07/female-geeks-a-dying-breed/#comments</comments>
		<pubDate>Mon, 06 Aug 2007 21:21:38 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>
<category>blog</category><category>blogging</category><category>brain</category><category>caught my eye</category><category>concentrate</category><category>fair friday</category><category>geek</category><category>interesting stuff</category><category>i love</category><category>myspace</category><category>photo</category><category>think the world</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/08/07/female-geeks-a-dying-breed/</guid>
		<description><![CDATA[

I usually don&#8217;t get into these blogging-for-ranking things, but the Fair Review project caught my attention.
I then browsed through the directory and found something that caught my eye: eruAnna&#8217;s blog. Funny, I thought, a female geek? Let&#8217;s see what she has to say, and I browsed over to her blog, which isn&#8217;t actually [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<p>I usually don&#8217;t get into these blogging-for-ranking things, but the <a href="http://www.fair-review.co.uk">Fair Review</a> project caught my attention.</p>
<p>I then browsed through the directory and found something that caught my eye: <a href="http://www.eruanna.net/">eruAnna&#8217;s blog</a>. Funny, I thought, <em>a female geek</em>? Let&#8217;s see what she has to say, and I browsed over to her blog, which isn&#8217;t actually bad and has quite interesting stuff (I love the Photo Friday pic and the themes!). I think the world has enough &#8220;mySpace&#8221; pages and people should concentrate on providing something actually useful besides &#8220;I walked my cat today&#8221;. eruAnna does provide something else, actual food for the brain, which is not something you find on the majority of pages.</p>
<p>All in all I would say a good blog and an interesting read, especially if you are interested in getting new WordPress themes or want to know how to (check the CONTENT tab on her site).</p>
<a href="http://blog.2blocksaway.com/tag/blog/" rel="tag">blog</a>, <a href="http://blog.2blocksaway.com/tag/blogging/" rel="tag">blogging</a>, <a href="http://blog.2blocksaway.com/tag/brain/" rel="tag">brain</a>, <a href="http://blog.2blocksaway.com/tag/caught_my_eye/" rel="tag">caught my eye</a>, <a href="http://blog.2blocksaway.com/tag/concentrate/" rel="tag">concentrate</a>, <a href="http://blog.2blocksaway.com/tag/fair_friday/" rel="tag">fair friday</a>, <a href="http://blog.2blocksaway.com/tag/geek/" rel="tag">geek</a>, <a href="http://blog.2blocksaway.com/tag/interesting_stuff/" rel="tag">interesting stuff</a>, <a href="http://blog.2blocksaway.com/tag/i_love/" rel="tag">i love</a>, <a href="http://blog.2blocksaway.com/tag/myspace/" rel="tag">myspace</a>, <a href="http://blog.2blocksaway.com/tag/photo/" rel="tag">photo</a>, <a href="http://blog.2blocksaway.com/tag/think_the_world/" rel="tag">think the world</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/08/07/female-geeks-a-dying-breed/feed/</wfw:commentRss>
		</item>
		<item>
		<title>SANSFire 2007 in text and pictures</title>
		<link>http://blog.2blocksaway.com/2007/07/30/sansfire-2007-in-text-and-pictures/</link>
		<comments>http://blog.2blocksaway.com/2007/07/30/sansfire-2007-in-text-and-pictures/#comments</comments>
		<pubDate>Mon, 30 Jul 2007 05:53:41 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>black superhero</category><category>class structure</category><category>exibition</category><category>iphone</category><category>lots of signs</category><category>open discussions</category><category>proper answers</category><category>raffle</category><category>registration desk</category><category>security conferences</category><category>security product vendors</category><category>technical questions</category><category>topic conversation</category><category>vendor events</category><category>vendor expo</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/07/30/sansfire-2007-in-text-and-pictures/</guid>
		<description><![CDATA[


SANS Fire 2007 in Washington DC is well under way. I am participating in 2 courses there, and I am a huge fan of SANS security conferences. The problem is that a lot of people do not know what to expect at the bigger conferences, so I wrote a few lines regarding what [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/picture-1.png" alt="sans logo" align="left" />SANS Fire 2007 in Washington DC is well under way. I am participating in 2 courses there, and I am a huge fan of SANS security conferences. The problem is that a lot of people do not know what to expect at the bigger conferences, so I wrote a few lines regarding what goes on there.</p>
<p><strong>First day</strong><br />
The first day you register at the registration desk. This can be done anytime after 7 am. If your class does not start until the day after, go to the desk around 10 am, since by then the rush is gone and you can interact with the staff more easily with any questions you have. There are also lots of signs telling you what other events are going on during the whole conference, such as the Vendor Expo, Lunch and Learns and SANS @ Night events.</p>
<p align="center"> <a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01228.jpg" title="SANS Registration Desk"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01228.thumbnail.jpg" alt="SANS Registration Desk" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01229.jpg" title="SANS Signs"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01229.thumbnail.jpg" alt="SANS Signs" /></a></p>
<p> <strong>Class Structure</strong><br />
All SANS classes are almost the same in terms of structure and schedule. The breaks are regular and you get a lot of snacks, including soft drinks and coffee or tea. SANS instructors are ordinary, working people and know their subjects extremely well. The classes are generally well planned, though fast paced. It is therefore amazing that there are still plenty of open discussions, and if there is not enough time for them, the instructors stay during breaks or after classes and make themselves available for any questions or just good on-topic conversation.</p>
<p align="center"><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01220.jpg" title="SANS Classroom"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01220.thumbnail.jpg" alt="SANS Classroom" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01231.jpg" title="SANS Ted Demopoulos"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01231.thumbnail.jpg" alt="SANS Ted Demopoulos" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01225.jpg" title="SANS food"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01225.thumbnail.jpg" alt="SANS food" /></a></p>
<p><strong>Vendor Exhibition</strong><br />
This is an event where a lot of security product vendors have live demos and people there to answer your questions. The good part about this is that vendors tend to send technical people along with the sales staff. This gives you a unique chance to actually ask really technical questions and get proper answers or even demos related to the questions. At the exhibition there is also normally the SANS raffle, where you can win quite nice prizes. This year these included the famous &#8220;black superhero shirt&#8221;, a couple of Wiis and an iPhone.</p>
<p align="center"><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01232.jpg" title="Vendor"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01232.thumbnail.jpg" alt="Vendor" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01233.jpg" title="Vendor"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01233.thumbnail.jpg" alt="Vendor" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01235.jpg" title="Vendor"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01235.thumbnail.jpg" alt="Vendor" /></a></p>
<p><strong>Lunch and Learns</strong><br />
These sessions are usually vendor events where, on different days or in different rooms, various vendors present their security-related products while you get some food and drinks for free. They are very informative and sometimes prizes can be won. Lunch and Learn sessions are also a good way to ask the vendors questions about their products, and they generally have very knowledgeable people there, not just plain marketing.</p>
<p align="center"><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01224.jpg" title="SANS Classroom 2"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01224.thumbnail.jpg" alt="SANS Classroom 2" /></a></p>
<p><strong>SANS@Night</strong><br />
These are the events that a lot of people who come to the conference enjoy a lot, and many say that they are one of the best parts of the SANS experience. SANS always manages to organize speakers for the evening events from well-known organizations, or they cover subjects about what is currently going on in the security field, presented by real experts. This time they had people from the FBI speaking about cyber threats, and Ed Skoudis and Tom Liston talking about security issues in virtual machines.</p>
<p><strong>Networking</strong><br />
The best part though, outside the classes, is the chance to network with people. The people attending SANS conferences all work in the same field. This makes networking very easy since everyone has some common base. This time I met people from all around the globe, including the United Arab Emirates. During the time you spend there you have the chance to exchange experiences and different approaches, and many discussions last until late at night simply because they are just so interesting and everyone is participating. It is contagious. Every night I have had either long discussions or, lucky me, got to go to dinner with some of the instructors and discuss interesting issues with them too.</p>
<p align="center"><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01226.jpg" title="SANS visitors from far"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01226.thumbnail.jpg" alt="SANS visitors from far" /> </a><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01245.jpg" title="SANS dinner"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/07/dsc01245.thumbnail.jpg" alt="SANS dinner" /></a></p>
<p>If you ever want to go to a conference that is for professionals, from professionals, with professionals, SANS is the way to go. The experience will stay with you and you might just find new friends that you stay in contact with. I know I have and will.</p>
<a href="http://blog.2blocksaway.com/tag/black_superhero/" rel="tag">black superhero</a>, <a href="http://blog.2blocksaway.com/tag/class_structure/" rel="tag">class structure</a>, <a href="http://blog.2blocksaway.com/tag/exibition/" rel="tag">exibition</a>, <a href="http://blog.2blocksaway.com/tag/iphone/" rel="tag">iphone</a>, <a href="http://blog.2blocksaway.com/tag/lots_of_signs/" rel="tag">lots of signs</a>, <a href="http://blog.2blocksaway.com/tag/open_discussions/" rel="tag">open discussions</a>, <a href="http://blog.2blocksaway.com/tag/proper_answers/" rel="tag">proper answers</a>, <a href="http://blog.2blocksaway.com/tag/raffle/" rel="tag">raffle</a>, <a href="http://blog.2blocksaway.com/tag/registration_desk/" rel="tag">registration desk</a>, <a href="http://blog.2blocksaway.com/tag/security_conferences/" rel="tag">security conferences</a>, <a href="http://blog.2blocksaway.com/tag/security_product_vendors/" rel="tag">security product vendors</a>, <a href="http://blog.2blocksaway.com/tag/technical_questions/" rel="tag">technical questions</a>, <a href="http://blog.2blocksaway.com/tag/topic_conversation/" rel="tag">topic conversation</a>, <a href="http://blog.2blocksaway.com/tag/vendor_events/" rel="tag">vendor events</a>, <a href="http://blog.2blocksaway.com/tag/vendor_expo/" rel="tag">vendor expo</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/07/30/sansfire-2007-in-text-and-pictures/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The things they forgot to mention at WWDC 2007 - Leopard&#8217;s revised and new apps</title>
		<link>http://blog.2blocksaway.com/2007/06/26/the-things-they-forgot-to-mention-at-wwdc-2007-leopards-revised-and-new-apps/</link>
		<comments>http://blog.2blocksaway.com/2007/06/26/the-things-they-forgot-to-mention-at-wwdc-2007-leopards-revised-and-new-apps/#comments</comments>
		<pubDate>Mon, 25 Jun 2007 21:18:01 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/var/Mac]]></category>

		<category><![CDATA[/]]></category>
<category>active directory</category><category>directory service</category><category>directory utility</category><category>facelift</category><category>iterm</category><category>leopard</category><category>macbook pro</category><category>new application</category><category>screenshot</category><category>tiger</category><category>time machine</category><category>version number</category><category>wwdc</category><category>x11</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/06/26/the-things-they-forgot-to-mention-at-wwdc-2007-leopards-revised-and-new-apps/</guid>
		<description><![CDATA[

So I installed, like many other people, the WWDC 2007 Leopard preview. I am still amazed by it: it's a beauty and it runs on my latest-generation, but lowest-in-class, MacBook Pro like a dream (2.2 GHz Core 2 Duo).
I am more than impressed by Spaces and by the new Finder. Time Machine [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/varmac/" title="/var/Mac"><img src="/wp-images/icons/varmac.png" style="float:left;" width="40" height="40" alt="/var/Mac" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<p>So I installed, like many other people, the WWDC 2007 Leopard preview. I am still amazed by it: it&#8217;s a beauty and it runs on my latest-generation, but lowest-in-class, MacBook Pro like a dream (2.2 GHz Core 2 Duo).</p>
<p>I am more than impressed by Spaces and by the new Finder. Time Machine I haven&#8217;t really tested, but I started to check things that are not mentioned a lot on other sites: applications that, within a company or even for the individual, will look very appealing and are used quite frequently.</p>
<p><strong>The Terminal</strong><br />
Personally it was the utility I wanted the most but used the least in Tiger, simply because it did not have tabs. I used iTerm in Tiger and it works like a dream. Terminal in Leopard finally has tabs. Apple listened to all the sour *nix faces and added tabs to the terminal. As you can see from the screenshot below, you can even choose quick color schemes for the tabs when you create them.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/terminal-tab.png' title='terminal application with tabs'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/terminal-tab.thumbnail.png' alt='terminal application with tabs' /></a></p>
<p><strong>X11!</strong><br />
The included X11 is now X.org v7.2, which is a nice development. It loads very fast on this machine and lets you get into X forwarding or other X-based work really quickly.</p>
<p><strong>Directory</strong><br />
This is a new application which I am not sure yet how useful it is, but in the large enterprise I think it could come in quite handy. Of course you can bind your Mac to a directory service, like Active Directory. With Directory Access you can then access the data, such as users etc., from a single small application. Very handy if you need a phone number or such, I guess.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-1.png' title='the new directory application'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-1.thumbnail.png' alt='the new directory application' /></a><br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-2.png' title='the new directory application menu'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-2.thumbnail.png' alt='the new directory application menu' /></a></p>
<p><strong>Directory Utility</strong><br />
This is the application you use in order to bind to a directory service. Compared to the old Directory Access, this looks much smoother and nicer, as you can see.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-utils.png' title='directory applications side by side'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/directory-utils.thumbnail.png' alt='directory applications side by side' /></a></p>
<p><strong>Preview</strong><br />
Preview also got a facelift as shown below. Some functionality was added. I personally like the new preview.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/preview.png' title='preview application'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/preview.thumbnail.png' alt='preview application' /></a></p>
<p><strong>Network Utility</strong><br />
Though nothing radical, the version number increased, as you can see in the screenshot below. There are no real differences in the interface, though I have to say that a port scan of one of my machines went far faster with Leopard than with Tiger.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/netutil.png' title='network utility applications'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/netutil.thumbnail.png' alt='network utility applications' /></a></p>
<p><strong>Finder</strong><br />
The application that needed the most development and finally got it. The new Finder with its Cover Flow feature and the new sidebar just rocks. I find myself enjoying the Finder again. It&#8217;s fast, much faster than the old Finder, and it looks nice. It has a very smooth feel to it and is a beauty to work with.<br />
<a href='http://blog.2blocksaway.com/wp-content/uploads/2007/06/finder.png' title='the new finder'><img src='http://blog.2blocksaway.com/wp-content/uploads/2007/06/finder.thumbnail.png' alt='the new finder' /></a></p>
<p><em>Contradictions:</em><br />
I noticed some people mentioned that you can change the transparency of the new menu bar. Personally I have yet to find where. I went through the System Preferences but didn&#8217;t find anything.</p>
<p>I also read that some people really had issues with speed and instability. I have found no such issues. The installation was straightforward and the system is really stable. I have not installed iLife or anything, but I do use Safari on a daily basis as well as the Terminal and other applications. Adium worked just fine, for example.</p>
<p><em>Conclusion</em>:<br />
Vista, you are in trouble. With Leopard&#8217;s launch looming for October, the much-heralded OS from Microsoft will yet again get a kick. Leopard is smooth and impressive, to say the least. On the surface it is just a facelift with some fancy new GUI and applications; however, under the hood it brings things that Vista doesn&#8217;t.<br />
With recent games such as Prey, X3 etc., OS X is not lagging that far behind with great games, and with the announcement at WWDC that there will be more Mac games coming, Leopard might just be THE OS you are looking for.<br />
Granted, Vista can do what Time Machine can do, but can it do it in a way that you and all your family members can understand within a few moments?</p>
<p>I really think Leopard will arrive like a bomb and spread like wildfire. With things like the Core interfaces and development for OS X gaining all the time, my bet is on the new big cat.</p>
<a href="http://blog.2blocksaway.com/tag/active_directory/" rel="tag">active directory</a>, <a href="http://blog.2blocksaway.com/tag/directory_service/" rel="tag">directory service</a>, <a href="http://blog.2blocksaway.com/tag/directory_utility/" rel="tag">directory utility</a>, <a href="http://blog.2blocksaway.com/tag/facelift/" rel="tag">facelift</a>, <a href="http://blog.2blocksaway.com/tag/iterm/" rel="tag">iterm</a>, <a href="http://blog.2blocksaway.com/tag/leopard/" rel="tag">leopard</a>, <a href="http://blog.2blocksaway.com/tag/macbook_pro/" rel="tag">macbook pro</a>, <a href="http://blog.2blocksaway.com/tag/new_application/" rel="tag">new application</a>, <a href="http://blog.2blocksaway.com/tag/screenshot/" rel="tag">screenshot</a>, <a href="http://blog.2blocksaway.com/tag/tiger/" rel="tag">tiger</a>, <a href="http://blog.2blocksaway.com/tag/time_machine/" rel="tag">time machine</a>, <a href="http://blog.2blocksaway.com/tag/version_number/" rel="tag">version number</a>, <a href="http://blog.2blocksaway.com/tag/wwdc/" rel="tag">wwdc</a>, <a href="http://blog.2blocksaway.com/tag/x11/" rel="tag">x11</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/06/26/the-things-they-forgot-to-mention-at-wwdc-2007-leopards-revised-and-new-apps/feed/</wfw:commentRss>
		</item>
		<item>
		<title>How to upgrade Ubuntu Server (6.06.1) to Feisty(7.04) in half an hour(incl vmware server)!</title>
		<link>http://blog.2blocksaway.com/2007/05/16/how-to-upgrade-ubuntu-server-6061-to-feisty704-in-half-an-hourincl-vmware-server/</link>
		<comments>http://blog.2blocksaway.com/2007/05/16/how-to-upgrade-ubuntu-server-6061-to-feisty704-in-half-an-hourincl-vmware-server/#comments</comments>
		<pubDate>Tue, 15 May 2007 21:51:05 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/srv/vmware]]></category>
<category>average speed</category><category>eft</category><category>feisty</category><category>lts</category><category>nano</category><category>search and replace</category><category>source file</category><category>sudo</category><category>ubuntu</category><category>virtual machines</category><category>vmware server</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/05/16/how-to-upgrade-ubuntu-server-6061-to-feisty704-in-half-an-hourincl-vmware-server/</guid>
		<description><![CDATA[

My server, Janus, was running the 64-bit version of Ubuntu Server 6.06 LTS. After my article on VMware on Ubuntu Server, I read that it is actually available for Ubuntu 7.04 in a repository. Great! So, what do we do? We upgrade to Feisty. Well, I have heard a few horror stories of [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<img src="/wp-images/icons/default.png" style="float:left;" width="40" height="40" alt="Default Icon" /><p>My server, Janus, was running the 64-bit version of Ubuntu Server 6.06 LTS. After my article on VMware on Ubuntu Server, I read that it is actually available for Ubuntu 7.04 in a repository. Great! So, what do we do? We upgrade to Feisty. Well, I have heard a few horror stories about jumping over 2 versions with apt-get, even with dist-upgrade. Still, I didn&#8217;t listen, and it all bombed out on me, throwing nice exceptions and Perl errors and installing half way. It was a good way to start the evening, trust me.</p>
<p>So, I re-installed 6.06 and tried the old-fashioned way. The following steps are all you need to do to get a clean upgrade and a fully working VMware Server later on WITHOUT losing your virtual machines or your settings.</p>
<p>There are 3 parts to this procedure: 1. upgrading to Edgy, 2. upgrading to Feisty, and 3. verifying and installing leftover packages.</p>
<p>NOTE: my situation was a 64-bit system, therefore parts of this will not apply to 32-bit systems; those parts are clearly marked.</p>
<p style="font-weight: bold">Part 1: Upgrade to Edgy Eft</p>
<p>Edgy was the next version after Dapper and upgrading isn&#8217;t really a big deal. Personally I use nano to edit files, so the commands here are nano oriented.</p>
<p>First edit the apt source file. To do so type:</p>
<p><code>sudo nano /etc/apt/sources.list</code></p>
<p>and in nano use the following key combinations: hit CTRL + W and then CTRL + R, which goes into search-and-replace mode. Then type dapper to specify the word you are searching for and hit enter. Next type edgy as the word you are replacing dapper with and hit enter again. You will notice all instances of dapper have been replaced with edgy. Hit CTRL + X to exit and Y to accept the changes. Good stuff, now at the command line type:</p>
<p><code>sudo apt-get update</code></p>
<p>and when it is done</p>
<p><code>sudo apt-get dist-upgrade</code></p>
<p>This will take a little bit of time. You will be asked whether you want to upgrade and continue, and told that some packages will be downloaded. On a 24 Mbit link the whole download took just under 3 minutes with an average speed of just 700 KB/s. Once it is done upgrading it will ask you to reboot, and you should do so. Wait a while until the server is booted again and log in again via SSH.</p>
<p>Part 1 complete!</p>
<p style="font-weight: bold">Part 2: Updating to Feisty</p>
<p>You are done with Edgy, but you do not want to configure and re-check it. Since you want to move to Feisty, you need to do the exact same thing with sources.list and replace edgy with feisty, but do NOT run the dist-upgrade afterwards. After you have updated the repositories, install the upgrade manager instead with</p>
<p><code>sudo apt-get install update-manager-core</code></p>
<p>and when it is done run it:</p>
<p><code>sudo do-release-upgrade</code></p>
<p><em>Notice: if you try to do this straight from Dapper, your system will bomb out eventually and you end up with half the packages installed and half not.</em></p>
<p>You need to follow some instructions, and even though it warns you about running this over SSH, it works perfectly!</p>
<p style="font-weight: bold">Part 3: Install the missing parts and VMware Server</p>
<p>Now, after Feisty Fawn is installed, which involves another few minutes of downloading, it will reboot and you should be set with a nice new running system. The problem: in the 64-bit world the updater removed some packages necessary for VMware and other things.</p>
<p>These can be re-added by typing:</p>
<p><code>sudo apt-get install ia32-libs</code> &lt;-- THIS IS FOR 64-BIT ONLY</p>
<p>This will install all the necessary dependencies and the compatibility libs. And now comes the cool part. You can add a repository and install &#8220;commercial&#8221; software through Feisty, namely VMware Server complete with 64-bit support.</p>
<p>Add the following line at the bottom of your sources.list file:</p>
<p><code>deb http://archive.canonical.com/ubuntu feisty-commercial main</code></p>
<p>and save it. Then do the <em>sudo apt-get update</em> and finally install these packages:</p>
<p><code>sudo apt-get install vmware-server vmware-tools-kernel-modules</code></p>
<p>This will install the VMware tools and server console as well as the server software. You will be prompted to enter your serial number and then it all just works. From that point on you can upgrade easily through apt-get upgrade when a new version becomes available in the Feisty repositories.</p>
<a href="http://blog.2blocksaway.com/tag/average_speed/" rel="tag">average speed</a>, <a href="http://blog.2blocksaway.com/tag/eft/" rel="tag">eft</a>, <a href="http://blog.2blocksaway.com/tag/feisty/" rel="tag">feisty</a>, <a href="http://blog.2blocksaway.com/tag/lts/" rel="tag">lts</a>, <a href="http://blog.2blocksaway.com/tag/nano/" rel="tag">nano</a>, <a href="http://blog.2blocksaway.com/tag/search_and_replace/" rel="tag">search and replace</a>, <a href="http://blog.2blocksaway.com/tag/source_file/" rel="tag">source file</a>, <a href="http://blog.2blocksaway.com/tag/sudo/" rel="tag">sudo</a>, <a href="http://blog.2blocksaway.com/tag/ubuntu/" rel="tag">ubuntu</a>, <a href="http://blog.2blocksaway.com/tag/virtual_machines/" rel="tag">virtual machines</a>, <a href="http://blog.2blocksaway.com/tag/vmware_server/" rel="tag">vmware server</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/05/16/how-to-upgrade-ubuntu-server-6061-to-feisty704-in-half-an-hourincl-vmware-server/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Reflections, recent article happenings&#8230;</title>
		<link>http://blog.2blocksaway.com/2007/05/10/reflections-recent-article-happenings/</link>
		<comments>http://blog.2blocksaway.com/2007/05/10/reflections-recent-article-happenings/#comments</comments>
		<pubDate>Wed, 09 May 2007 21:43:15 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>
<category>blog</category><category>nokia n800</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/05/10/reflections-recent-article-happenings/</guid>
		<description><![CDATA[

This is more like a big thank you to everyone who actually has been reading my stuff&#8230;
I published several articles on tweako.com and some of them became VERY popular. My Nokia N800 and N770 article got picked up, through tweako, by Tabletblog and even Wired&#8217;s blog.
I think this is great and again [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<p>This is more like a big thank you to everyone who actually has been reading my stuff&#8230;</p>
<p>I published several articles on <a href="http://tweako.com/search/node/flosse">tweako.com</a> and some of them became VERY popular. My <a href="http://blog.2blocksaway.com/2007/02/02/customizing-the-nokia-n800-and-770-or-how-to-configure-the-device-for-your-purposes/">Nokia N800 and N770</a> article got picked up, through tweako, by <a href="http://tabletblog.com/2007/05/nokia-770-and-nokia-n800-hacking-and.html">Tabletblog</a> and even <a href="http://blog.wired.com/gadgets/2007/05/bend_nokias_n80.html">Wired&#8217;s blog</a>.</p>
<p>I think this is great and again thanks to everyone. As I am currently working on a book, the articles won&#8217;t come in that size for a few weeks, but they will come again.</p>
<p>//Flosse</p>
<a href="http://blog.2blocksaway.com/tag/blog/" rel="tag">blog</a>, <a href="http://blog.2blocksaway.com/tag/nokia_n800/" rel="tag">nokia n800</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/05/10/reflections-recent-article-happenings/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Alternative Authentication with Mac OS X</title>
		<link>http://blog.2blocksaway.com/2007/04/28/alternative-authentication-with-mac-os-x/</link>
		<comments>http://blog.2blocksaway.com/2007/04/28/alternative-authentication-with-mac-os-x/#comments</comments>
		<pubDate>Sat, 28 Apr 2007 08:53:08 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/var/Mac]]></category>

		<category><![CDATA[/]]></category>
<category>apple</category><category>household</category><category>informit</category><category>laptops</category><category>mac os x</category><category>smartcards</category><category>vaporware</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/28/alternative-authentication-with-mac-os-x/</guid>
		<description><![CDATA[


Wow, finally someone that explains solutions, not just vaporware. Informit has a nice writeup about using smart cards et al. with Mac OS X. Now, if Apple would only build SC readers into their laptops. And of course SCs would be available for purchase for us normal folk&#8230; I would move my entire household to SC [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/varmac/" title="/var/Mac"><img src="/wp-images/icons/varmac.png" style="float:left;" width="40" height="40" alt="/var/Mac" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<p>Wow, finally someone that explains solutions, not just vaporware. <a href="http://www.informit.com/articles/article.asp?p=725691&amp;rl=1" title="informit smart card on mac os x" target="_blank">Informit has a nice writeup</a> about using smart cards et al. with Mac OS X. Now, if Apple would only build SC readers into their laptops. And of course SCs would be available for purchase for us normal folk&#8230; I would move my entire household to SC :), then when you are employed by someone your SC is imported and you have one single card to log into home or work.</p>
<p>Of course once you lose it you are more than just screwed&#8230;.</p>
<a href="http://blog.2blocksaway.com/tag/apple/" rel="tag">apple</a>, <a href="http://blog.2blocksaway.com/tag/household/" rel="tag">household</a>, <a href="http://blog.2blocksaway.com/tag/informit/" rel="tag">informit</a>, <a href="http://blog.2blocksaway.com/tag/laptops/" rel="tag">laptops</a>, <a href="http://blog.2blocksaway.com/tag/mac_os_x/" rel="tag">mac os x</a>, <a href="http://blog.2blocksaway.com/tag/smartcards/" rel="tag">smartcards</a>, <a href="http://blog.2blocksaway.com/tag/vaporware/" rel="tag">vaporware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/28/alternative-authentication-with-mac-os-x/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Enterprise log management - a comparison of 3 big logging systems (Snare vs. Splunk vs. LogLogic)</title>
		<link>http://blog.2blocksaway.com/2007/04/26/enterprise-log-management-a-comparison-of-3-big-logging-systems-snare-vs-splunk-vs-loglogic/</link>
		<comments>http://blog.2blocksaway.com/2007/04/26/enterprise-log-management-a-comparison-of-3-big-logging-systems-snare-vs-splunk-vs-loglogic/#comments</comments>
		<pubDate>Thu, 26 Apr 2007 08:33:14 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/var/Unix]]></category>

		<category><![CDATA[/var/Linux]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>business</category><category>comparison</category><category>compliance</category><category>enterprise logging</category><category>itil</category><category>loglogic</category><category>log management</category><category>regulations</category><category>retention</category><category>review</category><category>security</category><category>snare</category><category>sox</category><category>splunk</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/26/enterprise-log-management-a-comparison-of-3-big-logging-systems-snare-vs-splunk-vs-loglogic/</guid>
		<description><![CDATA[




No doubt that if you are working with large and medium sized servers and infrastructures, you have come across the need to collect logs and review or analyze them. With more servers the problem escalates, as you have to log into every system to check the logs. It becomes very nice once you start having [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/varunix/" title="/var/Unix"><img src="/wp-images/icons/varunix.png" style="float:left;" width="40" height="40" alt="/var/Unix" /></a>
<a href="http://blog.2blocksaway.com/category/root/varlinux/" title="/var/Linux"><img src="/wp-images/icons/varlinux.png" style="float:left;" width="32" height="32" alt="/var/Linux" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p>No doubt that if you are working with large and medium sized servers and infrastructures, you have come across the need to collect logs and review or analyze them. With more servers the problem escalates, as you have to log into every system to check the logs. It becomes very nice once you start having different systems that have different logging mechanisms. I touched the subject with my article on configuring Splunk and Snare for logging.<br />
The main issue is that, once you start logging, you can&#8217;t really do much with the logs.</p>
<p>The biggest problem that companies face is that log management is still done via custom hacked scripts created by an admin who may have left already. Customization and correlation are nearly impossible. Data retention usually means backing up the parsed logs and praying you will never need them again. When the day then comes to investigate a breach that might have occurred a few months back, you will hear the admin&#8217;s teeth grind together in pain.</p>
<p>Luckily there are companies that offer solutions for this problem, and I am here to review 3 big ones, all in different price categories and sometimes even classes. This is not a &#8220;best product ever&#8221; review; this is a feature comparison that will give you a view of how different products fit different needs and what they offer.</p>
<p>If you are a large corporation that is already implementing a SOX or PCI compliant log management infrastructure, you will probably just fly over this. But if you are a company that needs to get up to date and wants to implement centralized log management, this is for you. Each product is reviewed by sections: product overview, price, compliance with regulations, documentation, administrative overhead, strengths and weaknesses, and finally my personal impressions.</p>
<p><em>NOTE: This article is heavily focused on log collection for Windows, though it touches other Operating Systems as well. This is because remote logging is supported by all 3 of these systems and *nix systems can log remotely out of the box.</em></p>
<p><a href="http://www.loglogic.com" title="LogLogics website" target="_blank">1. LogLogic - the mother of all log management systems</a><br />
<br />
<strong>Overview</strong><br />
Seeing the features, redundancy and the sheer volume that LogLogic can handle with their infrastructure is staggering. The infrastructure is quite nicely done and they have compliance with every major regulation you can throw at them. The management interface is a bit tricky and not for the faint of heart. It takes a long while to get used to, and you had better learn your regular expressions in order to get the most out of it all.<br />
This has good and bad sides. The good one is that you can find any correlation you want, generate any kind of report and pretty much filter ALL your logs centrally the way you want. The bad side is that it is very hard to use.<br />
<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/logo.gif" alt="loglogic logo" align="right" /> The architecture that LogLogic uses is quite interesting. LogLogic sells their own appliances; you cannot purchase the software. The Windows event collector software is actually free for download, but it logs only to the LogLogic back-end.<br />
In order to collect Windows event logs, for example, you set up an event log collector, a Windows server with Lasso installed, and point it to all the servers with a single configuration file. Then you either have to give the service account you are using for the Lasso service full domain admin rights, or tweak the security policy and the way the service works. Once that is configured, the Lasso server collects the data over standard TCP from the domain controllers or servers you specified and forwards them in a secure manner to the LogLogic back-end. This is nice since you have no software running on the servers, just one collector. The same principle goes for other operating system collectors; you can configure *nix systems to log remotely, which changes things a bit, but the principle is the same.</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/loglogic.gif" title="loglogic windows overview"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/loglogic.gif" alt="loglogic windows overview" /></a></p>
<p><strong>Compliance with regulations</strong><br />
LogLogic has done a very good job in designing their systems so that, with a little bit of configuration, they can be made compliant with pretty much any regulation out there. Since every regulation is different you have to tweak the system for full compliance, but at least LogLogic 4 has support out of the box for SOX, ITIL and a host of others. Support here is the keyword, as you cannot be compliant out of the box. However, LogLogic provides you with a very good starting point.<br />
<br />
<strong>Documentation</strong><br />
That is a bit of a downside. Documentation for LogLogic isn&#8217;t the greatest and, at least when I had an issue, their support wasn&#8217;t too eager. They kept referring me to the administrator&#8217;s document even though the information I wanted was not there. When I finally explained to the technical guy that security policy demands that the agent cannot run as domain administrator, he finally pointed me in the right direction but made it clear that he had no idea how to proceed and that domain admin is the only supported way.</p>
<p><strong>Price</strong><br />
LogLogic is expensive. You mostly get what you pay for, but I am not sure if 6 or 7 figures are justified for most companies. If you are a major corporation it is a totally different story, but otherwise the price tag can be quite a shock.<br />
<br />
<strong>Strengths and weaknesses</strong><br />
As mentioned above, LogLogic&#8217;s approach requires no installation of an agent or major changes to the servers while they are running. You can configure and install the Windows collector on a new server and bring it on-line whenever you feel like it. As long as your security settings are done correctly and the setup complies with your security policy, the machine fetches logs without the servers really knowing about it.<br />
The real downside is the management interface and the price. Of course you get a bunch of nice shiny boxes that are tuned for performance and speed, but as I said, it comes down to need, and for the medium size business LogLogic might be a bit steep. For the small business it is a definite no-go.</p>
<p><a href="http://www.intersectalliance.com/" title="snare server by intersect alliance">2. Snare Server Infrastructure</a><br />
First off, I would like to thank Leigh from Intersect Alliance for giving me access to their demo equipment to do some testing and checking of their server product. Snare Server is a central logging and archiving server, and Snare itself is a whole infrastructure of logging and analysis software. Snare Server is a proprietary appliance that runs Linux under the hood. You are presented with a nice, easy to use interface on the Snare Server and the icons in each menu are quite clear. I could get a lot of information without reading any kind of documentation. There are prebuilt searches and correlations as well as suspicious activity views. From a Windows server perspective, for example, I like that it can show when the event log was cleared or when the audit policy was modified, and by whom.<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare2.thumbnail.gif" alt="snare logo" align="right" /></p>
<p>Though the interface is a bit limited, it can be configured and customized. Out of the box, however, this is worlds ahead of LogLogic.</p>
<p>Snare Server relies on the Snare agents, which need to be installed on all the machines you want to log from. This is an administrative overhead and, according to my information, Snare has played with the thought of going agent-less but decided to stick with the agents. <em>As a side-note: LogLogic&#8217;s Lasso is based on Snare and shares much of the same code.</em></p>
<p>The one thing that blows me away about Snare isn&#8217;t really the fact that Snare Server is a great product (it is), but the fact that they share so much software with the world. You can download the Snare agents for free and integrate them with other log management software. You can download an event generator to stress-test your system, and you can download a (heavily) stripped down version of Snare Server, called Snare Backlog, for free as well.<br />
The real kicker comes, though, when you consider that if you buy a Snare Server, you get the full source code with it. Yes, that is correct. Full source code!! This could be so that they are in line with the GPL, but not many companies hand this over voluntarily.</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-server.gif" title="snare server setup"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-server.gif" alt="snare server setup" /></a></p>
<p><strong>Compliance with regulations</strong><br />
Snare is in line with a lot of regulations, and Snare is used by some quite high-level agencies and government institutions. The regulations include HIPAA, SOX, GLBA, the Patriot Act and even international standards like the Danish DS-484:2005 and the British BS7799 or ISO 17799.</p>
<p><strong>Documentation</strong><br />
This is where Snare REALLY shines. Their documentation is top notch and they have a LOT of it. You can get any documentation regarding their products for free from their website, and it is very good. You can also request a live demo from their website and test the Snare Server.</p>
<p><strong>Price</strong><br />
The price for Snare varies, but they have appliances that cater to any segment and business size and are priced accordingly. This is an out-of-the-box solution and requires little configuration to get you going.</p>
<p><strong>Strengths and weaknesses</strong><br />
The one weakness I have found was the lack of a way to quickly configure custom reports on the server. You will need to actually read the documentation :). The strengths, however, are quite big. There is the fact that a lot of their software is free (as in beer), they are huge supporters of the GPL, Snare Server supports a lot of regulations, and the people there are very nice and helpful. They do not have the overhead that large corporations have. The source code and documentation wealth is amazing.</p>
<p><a href="http://www.splunk.com" title="Splunks Website" target="_blank">3. Splunk</a><br />
<strong>Overview</strong><br />
Splunk is the cheapest of our 3 solutions, yet by no means the black sheep.<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/logo_splunk.png" alt="splunk logo" align="left" /><br />
Splunk is central log collection software. This means no appliance to buy; it can be installed on any Linux or Windows machine. There are 2 versions, Splunk and Splunk Professional. The normal version is actually free for anyone, which might be quite interesting for smaller businesses. The professional license has a few additional tools such as reporting, but if you want to test Splunk there is nothing stopping you, since you get a fully functional product.</p>
<p>Splunk is not like the other log management products. It has a feature, or more like THE feature, that I would love to see in Snare or LogLogic with the same strength: Splunk is a search engine. Think of it as Google for your logs. Now the brilliant part is, it works just as fast and just as well as Google, just on your logs. You can get correlation between events and log entries and configure it to fetch logs from pretty much anything.<br />
Splunk is a server that receives logs from a variety of sources. It supports Snare agents as well as remote logging facilities such as syslog, and correlates correctly between logs from different hosts and systems.</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-events.png" title="splunk events"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-events.thumbnail.png" alt="splunk events" /></a></p>
<p><strong>Compliance and regulations</strong><br />
Splunk also complies, and can be made to comply, with the long list of regulations, just like Snare Server.</p>
<p><strong>Documentation</strong><br />
The Splunk documentation is also in very good order and very easy to read and understand, and this is one of its strengths. Splunk also has a good community-based approach in terms of forums and FAQs to get you up and running. The community support is good and clear and everyone is very helpful.</p>
<p><strong>Price</strong><br />
The price for Splunk is cheap in a sense. Their pricing approach is by volume of log messages per day. It starts at 2500 USD/year if you have a peak volume of 500MB of messages per day. To put this into perspective, 500MB is a LOT of log entries. As a really quick comparison, a normal Apache log from 2blocksaway.com is 10MB and contains information on what over 2000 users read and viewed here in a day. So 500MB of log traffic is quite big. Of course, if you have a huge number of servers and want to monitor every little detail, then the volumes go up and so does the price, but the prices are reasonable, since even when you have 100GB of log volume per day the annual cost is &#8220;only&#8221; 75000 USD. I know a lot of companies that don&#8217;t reach 100GB worth of logs in a year.</p>
<p><strong>Strengths and weaknesses</strong><br />
Splunk&#8217;s one huge strength is its search feature. To put it plainly, it kicks a**. It is fast and exact. Its reporting and management interface is clean and can be used even by a newcomer. To get the most out of the system, the documentation is excellent, and the price is competitive and reasonable. What more can you expect?</p>
<p><strong>Impressions on all 3 systems</strong><br />
After working with all 3 systems, I cannot tell you if there is a clear winner; each has its strengths and weaknesses and they are all very good. Some cater to different needs and offer different options for you, but in the end they do the same thing. Pricing and support are of course issues that a lot of companies look at, and there you have to differentiate. LogLogic is clearly the corporate type of company that has a lot of sales buzzwords and that provides a corporate image and stability. Don&#8217;t get me wrong, their product infrastructure is probably the best out there, but they know it. Snare is the hybrid: they are a stable and successful company and cater to corporations and small businesses alike. They wear their hats for both markets and they do it well. They have a friendly face, but you know you have a stable back-end and can get the support you want. Splunk is sort of the new kid in town and is very modern and hip. They are great, I had good conversations with their staff, and they know what they are doing. They are relaxed and do not have any of the corporate image. So if you like to work with people that know what they do but are very relaxed and friendly, then Intersect Alliance or Splunk is for you. Splunk is very community based, so if you like to interact via the Internet this is the one for you.</p>
<a href="http://blog.2blocksaway.com/tag/business/" rel="tag">business</a>, <a href="http://blog.2blocksaway.com/tag/comparison/" rel="tag">comparison</a>, <a href="http://blog.2blocksaway.com/tag/compliance/" rel="tag">compliance</a>, <a href="http://blog.2blocksaway.com/tag/enterprise_logging/" rel="tag">enterprise logging</a>, <a href="http://blog.2blocksaway.com/tag/itil/" rel="tag">itil</a>, <a href="http://blog.2blocksaway.com/tag/loglogic/" rel="tag">loglogic</a>, <a href="http://blog.2blocksaway.com/tag/log_management/" rel="tag">log management</a>, <a href="http://blog.2blocksaway.com/tag/regulations/" rel="tag">regulations</a>, <a href="http://blog.2blocksaway.com/tag/retention/" rel="tag">retention</a>, <a href="http://blog.2blocksaway.com/tag/review/" rel="tag">review</a>, <a href="http://blog.2blocksaway.com/tag/security/" rel="tag">security</a>, <a href="http://blog.2blocksaway.com/tag/snare/" rel="tag">snare</a>, <a href="http://blog.2blocksaway.com/tag/sox/" rel="tag">sox</a>, <a href="http://blog.2blocksaway.com/tag/splunk/" rel="tag">splunk</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/26/enterprise-log-management-a-comparison-of-3-big-logging-systems-snare-vs-splunk-vs-loglogic/feed/</wfw:commentRss>
		</item>
		<item>
		<title>10 tips on how to write proper tech tutorials and guides - keep the readers happy!</title>
		<link>http://blog.2blocksaway.com/2007/04/19/10-tips-on-how-to-write-proper-tech-tutorials-and-guides-keep-the-readers-happy/</link>
		<comments>http://blog.2blocksaway.com/2007/04/19/10-tips-on-how-to-write-proper-tech-tutorials-and-guides-keep-the-readers-happy/#comments</comments>
		<pubDate>Thu, 19 Apr 2007 08:31:11 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>experts</category><category>explanations</category><category>lay out</category><category>lowest common denominator</category><category>many people think</category><category>photoshop tutorials</category><category>take the time</category><category>target audience</category><category>target group</category><category>tutorial writers</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/19/10-tips-on-how-to-write-proper-tech-tutorials-and-guides-keep-the-readers-happy/</guid>
		<description><![CDATA[


This is a list of &#8220;guidelines&#8221; on how to write a proper tutorial. Comments are more than welcome on this subject, as I think too many people think tutorials are just command steps lined up saying this will work, it worked for me. Too few tutorial writers take the time to lay out their guides [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p>This is a list of &#8220;guidelines&#8221; on how to write a proper tutorial. Comments are more than welcome on this subject, as I think too many people think tutorials are just command steps lined up saying this will work, it worked for me. Too few tutorial writers take the time to lay out their guides properly and select a target audience. You can always write a list of commands, but can you make the reader WANT to read it? Photoshop tutorials, for example, are generally very visual, but SELDOM do I see a tutorial that actually explains the settings that are in the different windows. It&#8217;s always &#8220;in order to make THIS image&#8230;&#8221;, never &#8220;in order to make an image LIKE this one&#8230;&#8221;</p>
<p>I enjoy writing both expert and beginner tutorials, and I hope some future writers start following some of these points, as they really do work for most people.</p>
<ol>
<li>Know who you are targeting. A beginner&#8217;s tutorial needs a lot of explanations, an expert&#8217;s not so much. Classify yours properly and always use the lowest common denominator of your target group.</li>
<li>Write in a way that interacts with the reader: not from your point of view, but from THEIRS.</li>
<li>Use screen-shots when needed, but find the fine line. Use them whenever there is a dramatic change in the visuals caused by the action described, not every time it purely says &#8220;the next screen has one button: OK&#8221;.</li>
<li>Use descriptive language and let the reader know what to expect. Do not lure them into a false sense of security by saying: &#8220;this is very easy and you should be up and programming your own operating system in no time&#8221;.</li>
<li>Once started, follow one writing style throughout the tutorial. If you have multiple authors, make sure they all write in more or less the same style.</li>
<li>Make it fun to read. Monotone and scientific is not bad, but it&#8217;s not for tutorials, it&#8217;s for white papers and publications.</li>
<li>Open questions in your writing style challenge the reader&#8217;s brain, but keep the questions at a small level; don&#8217;t make them think they need a science degree. Things like &#8220;&#8230;as you know, by opening the web protocols to the public we open ourselves to probes and attacks&#8230;&#8221; don&#8217;t reveal what kind of probes or attacks, but make the reader think, because you stated AS YOU KNOW&#8230; the reader&#8217;s brain starts working because THEY SHOULD KNOW <img src='http://blog.2blocksaway.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </li>
<li>Keep the tutorial visually pleasing. This does not mean using funky colors etc., but use images, photos or drawings frequently so that you do not end up with overly long text blobs that strain the eye and make you exert yourself by concentrating.</li>
<li>If you write something platform specific, STAY on the platform but add comments and notes regarding the same thing on other platforms. This gives the reader confidence that you have done this more than just once and know what you are doing.</li>
<li>Learning is supposed to be fun and a tutorial is a way of learning. Keep it fun, keep the reader reading and WANTING to read. If you can put a smile on the reader&#8217;s face with a tutorial and convey the knowledge you wanted, chances are he or she will DEFINITELY remember your tutorial, and word of mouth travels&#8230;</li>
</ol>
<p>Tutorials are guides, and guides are essential to someone&#8217;s learning in a given subject. If you can make things as easy on the reader as possible, you will be highly successful and your reader base will return to you for advice and guidance. If you have more ideas, please let me know&#8230;</p>
<a href="http://blog.2blocksaway.com/tag/experts/" rel="tag">experts</a>, <a href="http://blog.2blocksaway.com/tag/explanations/" rel="tag">explanations</a>, <a href="http://blog.2blocksaway.com/tag/lay_out/" rel="tag">lay out</a>, <a href="http://blog.2blocksaway.com/tag/lowest_common_denominator/" rel="tag">lowest common denominator</a>, <a href="http://blog.2blocksaway.com/tag/many_people_think/" rel="tag">many people think</a>, <a href="http://blog.2blocksaway.com/tag/photoshop_tutorials/" rel="tag">photoshop tutorials</a>, <a href="http://blog.2blocksaway.com/tag/take_the_time/" rel="tag">take the time</a>, <a href="http://blog.2blocksaway.com/tag/target_audience/" rel="tag">target audience</a>, <a href="http://blog.2blocksaway.com/tag/target_group/" rel="tag">target group</a>, <a href="http://blog.2blocksaway.com/tag/tutorial_writers/" rel="tag">tutorial writers</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/19/10-tips-on-how-to-write-proper-tech-tutorials-and-guides-keep-the-readers-happy/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Filesharing anonymous and how they try to catch you&#8230;Tor to the rescue!!</title>
		<link>http://blog.2blocksaway.com/2007/04/16/filesharing-anonymous-and-how-they-try-to-catch-youtor-to-the-rescue/</link>
		<comments>http://blog.2blocksaway.com/2007/04/16/filesharing-anonymous-and-how-they-try-to-catch-youtor-to-the-rescue/#comments</comments>
		<pubDate>Mon, 16 Apr 2007 06:52:10 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/var/Linux]]></category>

		<category><![CDATA[/var/Mac]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>anonymity</category><category>bittorrent</category><category>different host</category><category>easiest thing</category><category>edonkey</category><category>filesharing software</category><category>gnutella</category><category>good luck</category><category>invisibility</category><category>ips</category><category>p2p</category><category>proxy</category><category>tor</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/16/filesharing-anonymous-and-how-they-try-to-catch-youtor-to-the-rescue/</guid>
		<description><![CDATA[




Torrentfreak.com has a nice writeup on how a company called Logistep is &#8220;catching&#8221; online file sharers. This is limited to P2P, Gnutella and eDonkey right now. BitTorrent is a bit of a shady thing still, but I am asking this: how on earth are they proving anything with this method? The easiest thing to [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/varlinux/" title="/var/Linux"><img src="/wp-images/icons/varlinux.png" style="float:left;" width="32" height="32" alt="/var/Linux" /></a>
<a href="http://blog.2blocksaway.com/category/root/varmac/" title="/var/Mac"><img src="/wp-images/icons/varmac.png" style="float:left;" width="40" height="40" alt="/var/Mac" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p><a href="http://torrentfreak.com/">Torrentfreak.com</a> has a <a href="http://torrentfreak.com/this-is-how-we-catch-you-downloading/" title="torrentfreak logistep">nice writeup</a> on how a company called Logistep is &#8220;catching&#8221; online file sharers. Right now this is limited to the Gnutella and eDonkey P2P networks; BitTorrent is still a bit of a grey area. What I am asking is this: how on earth are they proving anything with this method? All they end up with is an IP address they logged. The easiest way to bypass this scheme is to use <a href="http://tor.eff.org/" title="Tor anonymous proxy">Tor</a>. Run your filesharing software over Tor and good luck to them in catching you.<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/top-left.png" alt="Tor logo" align="right" /></p>
<p>I have used Tor to browse the web for some time now and, even though it is sometimes slow because your packets get routed through China or Mongolia, it works perfectly. The site you visit sees only the address of a Tor exit node, and your ISP sees only an encrypted connection to a Tor entry node, so neither side can tell where you are surfing from or to. I experimented and surfed a test site I have for half an hour, clicking on various pages and links.</p>
<p>I had over 60 different IPs in my logs. Almost every request from the browser came from a different host. It is trivial to configure your applications to run through the Tor SOCKS proxy on your machine and get close to invisibility, with two caveats. Tor only carries the TCP connections an application actually hands to that proxy: anything the program sends on its own, such as UDP tracker and DHT traffic from a BitTorrent client, a direct peer connection, or a DNS lookup done locally before the connection is made, leaves from your real address and gives you away. And the exit node sees whatever you send in the clear, so anything sensitive still needs end-to-end encryption such as HTTPS.</p>
<p>As I said, sometimes the speed is an issue, but for anonymity it&#8217;s perfect!</p>
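<p>To make the point about &#8220;running through the Tor proxy on your machine&#8221; concrete, here is an added example (written for this page, not code from the original post or from the Tor Project): a minimal SOCKS5 client that hands the <em>hostname</em> to the proxy instead of resolving it first. That is the detail that decides whether the DNS lookup goes through Tor or straight to your ISP. It assumes Tor is listening on its default SocksPort, 127.0.0.1:9050, without SOCKS authentication; both are assumptions, check your torrc. The request and reply builders are pure byte manipulation and run without Tor; only <code>connect_via_tor</code> needs a running daemon.</p>

```python
# Added example (not from the original post): a minimal SOCKS5 CONNECT client
# that asks the Tor proxy to resolve the hostname itself.  Sending the proxy a
# *name* (SOCKS5 address type 0x03) instead of an IP keeps the DNS lookup
# inside the Tor circuit; an application that resolves the name locally first
# leaks every site it visits to the ISP's resolver.
# Assumptions: Tor listens on its default SocksPort 127.0.0.1:9050 (check
# "SocksPort" in torrc) and requires no SOCKS authentication.
import socket
import struct

TOR_SOCKS_ADDR = ("127.0.0.1", 9050)   # assumed default; see torrc

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAINNAME, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """Client hello: version 5, one offered method, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect_request(host, port):
    """CONNECT request carrying the hostname, so the proxy resolves it."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name)])
    return header + name + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (ok, description, bytes_consumed) for a SOCKS5 CONNECT reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAINNAME:
        if len(data) < 5:
            raise ValueError("short reply")
        addr_len = 1 + data[4]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    total = 4 + addr_len + 2           # header + bound address + bound port
    if len(data) < total:
        raise ValueError("short reply")
    return rep == 0x00, REPLY_TEXT.get(rep, f"unknown reply code {rep:#x}"), total


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_tor(host, port, proxy=TOR_SOCKS_ADDR, timeout=60):
    """Return a TCP socket whose far end is host:port, reached through Tor."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
            raise ConnectionError("proxy rejected SOCKS5 without authentication")
        sock.sendall(build_connect_request(host, port))
        head = _recv_exact(sock, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            rest = _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_IPV6:
            rest = _recv_exact(sock, 16 + 2)
        elif atyp == ATYP_DOMAINNAME:
            length = _recv_exact(sock, 1)
            rest = length + _recv_exact(sock, length[0] + 2)
        else:
            raise ConnectionError(f"unknown address type {atyp:#x} in reply")
        ok, why, _ = parse_connect_reply(head + rest)
        if not ok:
            raise ConnectionError(f"Tor CONNECT to {host}:{port} failed: {why}")
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Needs a running Tor.  Fetches the Tor Project's own check page through it.
    with connect_via_tor("check.torproject.org", 80) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
        print(s.recv(4096).decode("iso-8859-1", "replace").split("\r\n")[0])
```

<p>The same rule applies to every application you put behind Tor: if it speaks SOCKS4, or SOCKS5 with a pre-resolved IPv4 address, the name lookup has already left your machine in the clear before the circuit is even used.</p>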
<p>You can get Tor from here</p>
<ul>
<li><a href="http://tor.eff.org/dist/vidalia-bundles/vidalia-bundle-0.1.1.26-0.0.7.exe" title="Tor for Windows">Windows version of Tor</a> (<a href="http://tor.eff.org/docs/tor-doc-win32.html.en" title="Tor windows instructions">Instructions</a>)</li>
<li><a href="http://tor.eff.org/dist/vidalia-bundles/vidalia-bundle-0.1.1.26-0.0.9-tiger.dmg" title="Mac version of Tor">Mac version of Tor</a> (<a href="http://tor.eff.org/docs/tor-doc-osx.html.en" title="Tor mac instructions">Instructions</a>)</li>
<li><a href="http://tor.eff.org/download-unix.html.en" title="Linux versions of Tor">Linux version of Tor</a> (<a href="http://tor.eff.org/docs/tor-doc-unix.html.en" title="Linux instructions for tor">Instructions</a>)</li>
</ul>
<p>Install and follow the documentation. It takes about 5 minutes to get your system running Tor and to add an extra layer of protection to your surfing habits. Oh, and consider running a Tor relay to share your bandwidth so others can get anonymity too!</p>
<a href="http://blog.2blocksaway.com/tag/anonymity/" rel="tag">anonymity</a>, <a href="http://blog.2blocksaway.com/tag/bittorrent/" rel="tag">bittorrent</a>, <a href="http://blog.2blocksaway.com/tag/different_host/" rel="tag">different host</a>, <a href="http://blog.2blocksaway.com/tag/easiest_thing/" rel="tag">easiest thing</a>, <a href="http://blog.2blocksaway.com/tag/edonkey/" rel="tag">edonkey</a>, <a href="http://blog.2blocksaway.com/tag/filesharing_software/" rel="tag">filesharing software</a>, <a href="http://blog.2blocksaway.com/tag/gnutella/" rel="tag">gnutella</a>, <a href="http://blog.2blocksaway.com/tag/good_luck/" rel="tag">good luck</a>, <a href="http://blog.2blocksaway.com/tag/invisibility/" rel="tag">invisibility</a>, <a href="http://blog.2blocksaway.com/tag/ips/" rel="tag">ips</a>, <a href="http://blog.2blocksaway.com/tag/p2p/" rel="tag">p2p</a>, <a href="http://blog.2blocksaway.com/tag/proxy/" rel="tag">proxy</a>, <a href="http://blog.2blocksaway.com/tag/tor/" rel="tag">tor</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/16/filesharing-anonymous-and-how-they-try-to-catch-youtor-to-the-rescue/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Basic Computer Security Help, Can I have a Tutorial?</title>
		<link>http://blog.2blocksaway.com/2007/04/15/basic-computer-security-help-can-i-have-a-tutorial/</link>
		<comments>http://blog.2blocksaway.com/2007/04/15/basic-computer-security-help-can-i-have-a-tutorial/#comments</comments>
		<pubDate>Sun, 15 Apr 2007 16:49:19 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>automatic updates</category><category>computer security</category><category>firefox</category><category>firewall</category><category>ie 7</category><category>internet explorer 7</category><category>literate</category><category>opera</category><category>popup blocking</category><category>service pack 2</category><category>tabbed browsing</category><category>windows machine</category><category>windows vista</category><category>windows xp service pack</category><category>windows xp service pack 2</category><category>xp service pack</category><category>xp service pack 2</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/15/basic-computer-security-help-can-i-have-a-tutorial/</guid>
		<description><![CDATA[


In recent times the internet and all the computers attached to it have become more and more popular. Security is nowadays a big concern but there is no simple help or tutorial available. As I already explained in a previous post, Computer security is not a one-stop-buy. It is an ongoing topic and you really [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p>In recent times the internet and all the computers attached to it have become more and more popular. Security is nowadays a big concern, but there is no simple help or tutorial available. As I already explained in a previous post, computer security is not a one-stop buy. It is an ongoing topic and you really have to understand what you are doing.<a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/cover1.png" title="computer security"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/cover1.thumbnail.png" alt="computer security" align="left" /></a></p>
<p>The first part, of course, is for home users to secure their computers. One major problem is that not every home user is technologically literate. I made a small checklist of things that home users should do to secure their computers. This is not exactly a full help or tutorial, more like a cheat-sheet that you can verify your settings against. It is intended for the less literate computer users, and you can (actually, please DO, if you want to) redistribute this list, or a link to it, to all your family members that do not know about computer security.</p>
<ol>
<li>Make sure your firewall is up and running. If you have Windows XP Service Pack 2 or Windows Vista you can verify this easily by opening the Control Panel and then the Windows Firewall panel. In Windows Vista it is all in the Security Center.<br />
<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/firewall.png" alt="XP Firewall" /></li>
<li>Make sure you have anti-virus software installed and updated. Many vendors have automatic updates enabled by default in their security products, but some don&#8217;t. Do not ignore the little balloons that pop up every now and then at the bottom of the taskbar.</li>
<li>Keep your Windows machine up to date. The best thing to do is to enable the Automatic Updates feature of Windows XP Service Pack 2 or later. If you have not done it yet, UPGRADE TO SERVICE PACK 2!!!</li>
<li>Do NOT use Internet Explorer. Use Firefox or Opera. Even Internet Explorer 7 is not what marketing wants you to believe. Consider the simple facts: Firefox and Opera had &#8220;innovative features&#8221; such as popup blocking and tabbed browsing for many years before IE 7 came out. Firefox is stable, fast and works. So is Opera.</li>
<li>Do NOT trust what you receive in your email to be true. Phishing is simply a way for fraudsters to get your passwords and your bank or email access. Companies and organizations will never ask you to confirm your details online OUT OF THE BLUE. They will also never ask you to mail them your password.</li>
<li>The same goes for so-called &#8220;update mails&#8221;, where Microsoft or other vendors supposedly mail you updates. Don&#8217;t you wonder where they got your email address from to begin with? Vendors do not send updates by email. Don&#8217;t install those &#8220;updates&#8221;!</li>
<li>Whatever comes in your email that is not from a person you really know (and even then, do not open any attachment or &#8220;update&#8221; unless you asked them for it) is most likely a virus or spam. Spammers send as much mail to as many addresses as they can and wait to see who bites. Trust me, you will not get millions of dollars from the son of a dead Nigerian general, you will not receive millions for winning a lottery in a random internet draw, and you are definitely NOT the only person who gets these mails.</li>
<li>Do not reveal too much information about yourself on sites like myspace.com. If you feel like you need a myspace page, then at least be discreet about what you reveal.</li>
<li>Secure your wireless LAN. If you have a WLAN at home, make sure it is password protected (use WPA or WPA2, not WEP)!! If you do not know how to do it, ask anyone with more computer knowledge. The fact that you ask them to do something GOOD will not anger them, trust me.</li>
<li>Lock your workstation, at work, in a cafe, wherever. When you are not working with it, lock it. If your laptop gets stolen, a locked screen alone will not keep the thief out of the data on the disk, but it still does something: chances are an opportunist thief will just format the machine rather than try to crack it, especially if the disk is encrypted with Vista&#8217;s new BitLocker.</li>
</ol>
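<p>Points 5 to 7 of the checklist boil down to &#8220;check where a mail really comes from and where its links really go&#8221;. The following is an added example written for this page (not code from the original post): it applies exactly those checks to a message, flagging a Reply-To in a different domain than the sender, links whose visible text names one site while the href goes elsewhere, links to a bare IP address, and look-alike domains that merely contain the sender&#8217;s name. The two sample messages, the addresses and the domains in them are constructed for illustration; the &#8220;registrable domain&#8221; helper is a deliberate simplification of the public suffix list.</p>

```python
# Added example, not from the original post: a checker for the e-mail tells
# warned about above.  It flags a Reply-To in a different domain than the
# From address, links whose visible text names one site while the href goes
# elsewhere, links to bare IP addresses, and look-alike domains that merely
# contain the sender's name.  Both messages and all domains are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PHISH = """\
From: "My Bank" <security@mybank.example>
Reply-To: verify@mybank-login-check.example
To: you@home.example
Subject: Urgent: confirm your account details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://198.51.100.23/login">https://www.mybank.example/login</a>
or use <a href="http://mybank.example.attacker-host.example/secure">our secure site</a>.
Questions? See <a href="https://www.mybank.example/help">our help pages</a>.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "My Bank" <newsletter@mybank.example>
To: you@home.example
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://www.mybank.example/news">www.mybank.example/news</a>.</p></body></html>
"""

URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)
IPV4_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname from a URL or a bare 'host/path' string, '' if there is none."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def domain_of_address(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    sender = domain_of_address(msg.get("From", ""))
    reply_to = domain_of_address(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to) != registrable_domain(sender):
        findings.append(f"Reply-To goes to {reply_to}, not to the sender's {sender}")
    html = ""
    for part in msg.walk():                      # collect every HTML part
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    links = _LinkCollector()
    links.feed(html)
    sender_name = sender.split(".")[0]
    for href, text in links.links:
        href_host = host_of(href)
        if not href_host:
            continue
        if IPV4_HOST.fullmatch(href_host):
            findings.append(f"link to a bare IP address: {href}")
        if URLISH.match(text) and host_of(text) != href_host:
            findings.append(f"link text says {host_of(text)} but goes to {href_host}")
        if (sender_name and sender_name in href_host
                and registrable_domain(href_host) != registrable_domain(sender)):
            findings.append(f"look-alike domain {href_host} is not {sender}")
    return findings
```

<p>Run <code>phishing_indicators(SAMPLE_PHISH)</code> and four findings come back; the newsletter produces none. None of these checks is proof on its own (a legitimate mail can link to a partner site), which is exactly why the human rule in the list stays: if you did not ask for it, do not click it.</p>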
<p>That&#8217;s it. Do not wonder why the people who commit all these fraudulent activities are not in jail. There are certain points to consider: they might be in a country with relaxed laws, if any at all; they definitely hide their identity behind free email addresses; and they always use public access points. That means they go to an internet cafe and do their &#8220;work&#8221; from there. They might even hijack an open wireless LAN and do it from there. It is rare that they are caught, and for every one caught there are three more. What is the benefit for them? If they send out 10 million emails a day and only 3 people bite, that is good money for them.</p>
<p>Any other tips you professionals have, please leave them in the comments. It can only help!</p>
<a href="http://blog.2blocksaway.com/tag/automatic_updates/" rel="tag">automatic updates</a>, <a href="http://blog.2blocksaway.com/tag/computer_security/" rel="tag">computer security</a>, <a href="http://blog.2blocksaway.com/tag/firefox/" rel="tag">firefox</a>, <a href="http://blog.2blocksaway.com/tag/firewall/" rel="tag">firewall</a>, <a href="http://blog.2blocksaway.com/tag/ie_7/" rel="tag">ie 7</a>, <a href="http://blog.2blocksaway.com/tag/internet_explorer_7/" rel="tag">internet explorer 7</a>, <a href="http://blog.2blocksaway.com/tag/literate/" rel="tag">literate</a>, <a href="http://blog.2blocksaway.com/tag/opera/" rel="tag">opera</a>, <a href="http://blog.2blocksaway.com/tag/popup_blocking/" rel="tag">popup blocking</a>, <a href="http://blog.2blocksaway.com/tag/service_pack_2/" rel="tag">service pack 2</a>, <a href="http://blog.2blocksaway.com/tag/tabbed_browsing/" rel="tag">tabbed browsing</a>, <a href="http://blog.2blocksaway.com/tag/windows_machine/" rel="tag">windows machine</a>, <a href="http://blog.2blocksaway.com/tag/windows_vista/" rel="tag">windows vista</a>, <a href="http://blog.2blocksaway.com/tag/windows_xp_service_pack/" rel="tag">windows xp service pack</a>, <a href="http://blog.2blocksaway.com/tag/windows_xp_service_pack_2/" rel="tag">windows xp service pack 2</a>, <a href="http://blog.2blocksaway.com/tag/xp_service_pack/" rel="tag">xp service pack</a>, <a href="http://blog.2blocksaway.com/tag/xp_service_pack_2/" rel="tag">xp service pack 2</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/15/basic-computer-security-help-can-i-have-a-tutorial/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Pro and Con for living in Scandinavia as a technology geek!</title>
		<link>http://blog.2blocksaway.com/2007/04/10/pro-and-con-for-living-in-scandinavia-as-a-technology-geek/</link>
		<comments>http://blog.2blocksaway.com/2007/04/10/pro-and-con-for-living-in-scandinavia-as-a-technology-geek/#comments</comments>
		<pubDate>Tue, 10 Apr 2007 09:51:52 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>broadband</category><category>broadband internet</category><category>internet penetration</category><category>mobile phones</category><category>scndinavia</category><category>thepiratebay</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/10/pro-and-con-for-living-in-scandinavia-as-a-technology-geek/</guid>
		<description><![CDATA[


So I live in Scandinavia and I have lived here many years but I think it is time to tell the world why it is a good place to live as a geek AND why it is a bad place. The fact is that every country has good and bad points but how does Scandinavia [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p class="MsoBodyText">So I live in <a href="http://en.wikipedia.org/wiki/Scandinavia" title="scandinavia" target="_blank">Scandinavia</a> and I have lived here many years, but I think it is time to tell the world why it is a good place to live as a geek AND why it is a bad place. Every country has good and bad points, but what does Scandinavia look like from a geek&#8217;s point of view?<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/scandinavia.thumbnail.gif" alt="scandinavia" align="right" /></p>
<p class="MsoBodyText"><strong>Reasons why Scandinavia is a great place to live for a tech geek</strong></p>
<ul>
<li>Technology advancement! <a href="http://news.bbc.co.uk/2/hi/business/6502725.stm" title="scandinavia on top of tech business" target="_blank">Scandinavia is the top of the technology iceberg right now</a>. <a href="http://www.eiaa.net/news/eiaa-articles-details.asp?id=106&amp;lang=1" title="broadband penetration in europe and scandinavia" target="_blank">Broadband is widely spread and means really BROAD band</a>. 24 Mbit ADSL2 is nothing special, really, and 2-8 Mbit ADSL is pretty standard.</li>
<li>Mobile phone data traffic runs at 3G speeds, which means it&#8217;s on par with dual ISDN and low-grade ADSL. For casual browsing: PERFECT. Best of all, the prices are NOT horrendously expensive.</li>
<li>Mobile phones are a necessity. A lot of companies get rid of traditional desk phones since mobiles allow the user to be reached anywhere. They usually give you two numbers though, so you can turn one off after 5 pm.</li>
<li>ISPs do not impose download limits (generally speaking). Personally I know of none. I have been sharing Linux ISO torrents for weeks with no complaints. My average monthly traffic is in the neighbourhood of 100GB.</li>
<li>Most ISPs ALLOW you to run servers! Yes my friends, you can run your own server on basic ADSL and normally no one will say anything. As a matter of fact, if you buy a fixed IP (around 10.12 euros/month) the ISP most likely &#8220;gets it&#8221; that you want to run a server.</li>
<li>Work in technology and you will most likely use the newest. Scandinavia runs on innovation right now, which makes it a perfect place to be.</li>
<li>People are very relaxed and the work ethic is a bit different than in other countries. Geek work involves ungodly hours, but in Scandinavia you definitely get to relax and take time off. Plus 4 to 5 weeks of paid vacation per year is just great!</li>
<li>Social welfare. Need to go to the hospital? No problem: as long as you have social security you will get treatment, and most likely very good treatment. Did I mention cheap? My wife paid less than 100 euros to get her wisdom teeth removed.</li>
<li>Yes, it&#8217;s dark here a long time. Yes, winter is cold and it&#8217;s dark for some time, BUT that allows you to spend more time behind the screen. Your computers keep you warm and it appears to be night most of the time. Perfect computer geek environment.</li>
<li>If you are very interested in computing and you drive yourself, you can make a name very fast, because Scandinavia is so small that successes stand out.</li>
<li>We got the Piratebay, Linux and DVD Jon! And we don&#8217;t have the DMCA; look what happened to DVD Jon. We are still a bit free(er) than most other countries.</li>
</ul>
<p class="MsoBodyText"><strong>Reasons why Scandinavia is a BAD place to live for a tech geek</strong></p>
<ul>
<li>It&#8217;s dark, and when it&#8217;s dark people get less friendly and social. For a geek this might not be a problem, as IRC and IM help, but seeing some long faces outside (yes! OUTSIDE!! There is a world there&#8230;) isn&#8217;t always nice.</li>
<li>Cost of living is higher than in other countries. Yes, it is a little bit, and car tax is pretty high too overall. I think Denmark has the highest VAT and car tax, but they also make the most, so it evens out somehow.</li>
<li>Taxation of your salary is higher than in the US. It is also lower than in some other 1<sup>st</sup> world countries. Germany has huge taxation when you are single and have no dependents. Scandinavia is between those two, but doesn&#8217;t care if you have dependents.</li>
<li>Public health care is overstretched. This doesn&#8217;t mean you will get bad service, just that it might take a while, unless your arm is falling off.</li>
<li>Broadband is fast. Getting a true 8 Mbit to Japan, for example, is a bad thing. Why? Because you get addicted to it!</li>
<li>Laws are forming around the copy protection &#8220;industry&#8221;, but they aren&#8217;t there yet and will still take some time. Pirating is always illegal, and well should be, but the US is overdoing it. The bad part: Scandinavia looks like it&#8217;s eventually following the US example.</li>
<li>Food and consumer goods are more expensive and less diverse. Yes, the dollar/euro conversion is a bitch. Most PC manufacturers like Dell and Apple sell the same product in Europe for more euros than it costs in dollars. This is just unfair, as it should be less.</li>
</ul>
<p class="MsoBodyText">These are my views and that is why I like to live here; yours might be different, but I think it&#8217;s a great place to live and work. The thought of having 7.5 hour work days and your weekends to yourself at your summer cottage (with a connection over 3G to the &#8216;net) is just amazing. The same goes for working remotely, which is an accepted thing: sit in your backyard with a cool drink in the summer, over WLAN through ADSL with VPN to your corporate network, and conduct business&#8230; You have your mobile with you anyway&#8230;</p>
<p class="MsoBodyText">//Flosse</p>
<a href="http://blog.2blocksaway.com/tag/broadband/" rel="tag">broadband</a>, <a href="http://blog.2blocksaway.com/tag/broadband_internet/" rel="tag">broadband internet</a>, <a href="http://blog.2blocksaway.com/tag/internet_penetration/" rel="tag">internet penetration</a>, <a href="http://blog.2blocksaway.com/tag/mobile_phones/" rel="tag">mobile phones</a>, <a href="http://blog.2blocksaway.com/tag/scndinavia/" rel="tag">scndinavia</a>, <a href="http://blog.2blocksaway.com/tag/thepiratebay/" rel="tag">thepiratebay</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/10/pro-and-con-for-living-in-scandinavia-as-a-technology-geek/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Ten popular security myths (among normal users) that are not true!</title>
		<link>http://blog.2blocksaway.com/2007/04/05/ten-popular-security-myths-among-normal-users-that-are-not-true/</link>
		<comments>http://blog.2blocksaway.com/2007/04/05/ten-popular-security-myths-among-normal-users-that-are-not-true/#comments</comments>
		<pubDate>Wed, 04 Apr 2007 21:52:07 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>backdoor</category><category>computer security</category><category>computer server</category><category>dollar signs</category><category>email</category><category>encrypted</category><category>even managers</category><category>fever</category><category>hard job</category><category>hijacked</category><category>home pc</category><category>myths</category><category>my documents</category><category>snail mail</category><category>spam filter</category><category>xbox live</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/05/ten-popular-security-myths-among-normal-users-that-are-not-true/</guid>
		<description><![CDATA[



Over the years I have, like many other Security people out there, heard many many things regarding system and computer security. These are the top 10, starting from 10 to the top spot, myths that a lot of normal users and even managers believe.
10. When I save a file to My Documents, no-one [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/phishing-sml.thumbnail.jpg" alt="phishing" align="right" /></p>
<p>Over the years I have, like many other Security people out there, heard many many things regarding system and computer security. These are the top 10, starting from 10 to the top spot, myths that a lot of normal users and even managers believe.</p>
<p><strong>10. When I save a file to My Documents, no-one can see and access it</strong></p>
<blockquote><p>This might be true if your disk is encrypted. Otherwise the permissions on that folder are enforced only by the running Windows: anyone with admin rights, or with physical access to the laptop, can read ANY data on it without much of a challenge, and incompetent administrators and nosy office users are never in short supply.</p></blockquote>
<p><strong>9.  My data is backed up automatically!</strong></p>
<blockquote><p>I hear this one over and over among users that swear to me that their entire PC is backed up all the time to &#8220;that big computer&#8221; (server). If you try to explain to them that only their home drive is backed up, they get even more confused since they don&#8217;t bring their home PC to work.</p></blockquote>
<p><strong>8. Hey, I will get rich!</strong></p>
<blockquote><p>Wow, so some 491 emails got past the company&#8217;s spam filter and the user just has dollar signs in their eyes. Trying to convince them that they are in fact NOT going to get rich is a hard job. My parents got that fever too after they got their first scam mail. Granted, it&#8217;s my fault for not telling them about the bad side of the &#8216;net. But people are suspicious about deals that float in via snail mail, so why not via email?</p></blockquote>
<p><strong>7. Someone has hijacked my account, find him!</strong></p>
<blockquote><p>Those normal users that do understand something about the internet seem to think that we security professionals have some sort of backdoor into that internet and can find anyone, at any given time, and kill their machines. Especially if their email or Xbox Live account joe@something.com with password joe got &#8220;hacked&#8221;.</p></blockquote>
<p><strong>6. No-one can see my password online</strong></p>
<blockquote><p>&#8220;When I type in my password at site XXXX it&#8217;s all in stars (****), that means that no-one can see my password&#8221; &lt;- I love this one. The stars are only what the browser draws on your screen; the password itself is still sent to the site, and unless the connection is encrypted (https) anyone along the way can read it. Generally, when people believe that about their online &#8220;experience&#8221; it is VERY difficult to explain to them the contrary.</p></blockquote>
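<p>What the stars hide from the person at the keyboard and what they do not hide from the network is easy to show. The following is an added example written for this page (not code from the original post): it takes a login POST as it would appear in a packet capture and pulls the form fields straight out of the bytes, then does the same with a TLS application-data record and gets nothing. Both &#8220;captures&#8221; are constructed for illustration, including the host name and the credentials; the TLS record is a valid header with a zeroed payload standing in for ciphertext.</p>

```python
# Added example (not from the original post): what a login form looks like on
# the wire.  The stars are drawn by the browser; what leaves the machine is the
# form body below, and anyone on the path (open WLAN, the cafe's router, the
# ISP) can read it unless the site uses HTTPS, in which case all they see is
# TLS records.  Both captures are constructed for illustration, not real.
from urllib.parse import parse_qs

# Plain-HTTP login as it would appear in a packet capture (constructed).
CAPTURED_HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: site.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=joe&password=s3cret%21"
)

# The same login over HTTPS: a TLS 1.2 application-data record (content type
# 0x17, version 0x0303, length 0x0020) whose payload is ciphertext; zero bytes
# stand in for it here (constructed).
CAPTURED_TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers; not an HTTP request")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, body[:length]


def credentials_on_the_wire(raw):
    """Form fields readable from a capture; {} when there is nothing to read."""
    if raw[:2] == b"\x17\x03":
        return {}                      # TLS application data: ciphertext only
    try:
        method, _target, headers, body = parse_http_request(raw)
    except ValueError:
        return {}
    mime = headers.get("content-type", "").split(";")[0].strip()
    if method != "POST" or mime != "application/x-www-form-urlencoded":
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    print(credentials_on_the_wire(CAPTURED_HTTP_POST))   # password in the clear
    print(credentials_on_the_wire(CAPTURED_TLS_RECORD))  # {}: nothing to read
```

<p>The first call returns the username and the decoded password; the second returns an empty dictionary because a passive observer has only the record header to look at. The padlock in the browser, not the stars, is what stands between the password and everyone else on the path.</p>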
<p>&lt;&lt;&#8211; The next five are my top 5, I get a smile every time I think about them &#8211;&gt;&gt;</p>
<p><strong>5. Arghh, I have been hacked, this firewall thing said so</strong></p>
<blockquote><p>Actually it didn&#8217;t. It said that someone MAYBE tried to connect to your PC and that the firewall has blocked it. I have to agree though: for consumer products, some personal firewalls have REALLY bad wording in their alerts.</p></blockquote>
<p><strong>4. Our backups are safe, we have tapes</strong></p>
<blockquote><p>Great, and where are they? Neatly stacked on the shelf next to the server, so a fire or even water damage takes the backups along with the server. Some people think it&#8217;s just too much work to put the tapes into a strongbox (vault) or even take them OFF-SITE! Personally, for small companies, I always ask one of the managers to keep one tape set at home and bring it in the next week in exchange for the other; that way you have an almost two-week rollback.</p></blockquote>
<p><strong>3. My laptop is secure, I use a good password</strong></p>
<blockquote><p>Classic, and even some officials in press statements keep saying: &#8220;The data is safe, it is password protected.&#8221; Someone help me out: how long does it take to boot off a Knoppix CD? Or let&#8217;s make it hard, the BIOS has boot-from-CD disabled: how long does it take to take the drive out and put it into another machine? The login password protects the login screen, not the data on the disk; only disk encryption does that.</p></blockquote>
<p><strong>2. I have a fire&#8230; thing, I am safe!</strong></p>
<blockquote><p>Another classic. I went to a client and the CEO straight up told me that they are now completely immune to hacking attempts and data theft: they had purchased a Fortigate firewall. While I think Fortigate firewalls are great, I pointed out that he still had an open WLAN access point, and he just smiled at me, saying without blinking: &#8220;Yeah, but for that they would have to be in the office here, and then we have them nailed!&#8221; You can&#8217;t believe the amount of will power it took to keep a straight face.</p></blockquote>
<p><strong>1. My company / home WLAN is not worth hacking or cracking</strong></p>
<blockquote><p>Amazing how many people cannot &#8220;deal with securing the wireless internet&#8221;, so they just accept the defaults out of the box (this also goes for a lot of small companies that don&#8217;t have a dedicated IT guy). Then their neighbour or someone else uses it and it becomes slow. The next logical step? Call the ISP and ask for more bandwidth. I have seen this quite a few times.</p></blockquote>
<p><strong>Honorary mention: No-one can see my password online </strong></p>
<blockquote><p>&#8220;When I type in my password at site XXXX it&#8217;s all in stars (***), that means that no-one can see my password&#8221; &lt;- I love this one. Generally, when people believe that about their online &#8220;experience&#8221;, it is VERY difficult to explain to them the contrary.</p></blockquote>
<p>These are pretty much the top ten myths that I have, over the years, been told by users. Amazing, really. With things like this, we security professionals wonder why there is so much spam and so many scams?</p>
<a href="http://blog.2blocksaway.com/tag/backdoor/" rel="tag">backdoor</a>, <a href="http://blog.2blocksaway.com/tag/computer_security/" rel="tag">computer security</a>, <a href="http://blog.2blocksaway.com/tag/computer_server/" rel="tag">computer server</a>, <a href="http://blog.2blocksaway.com/tag/dollar_signs/" rel="tag">dollar signs</a>, <a href="http://blog.2blocksaway.com/tag/email/" rel="tag">email</a>, <a href="http://blog.2blocksaway.com/tag/encrypted/" rel="tag">encrypted</a>, <a href="http://blog.2blocksaway.com/tag/even_managers/" rel="tag">even managers</a>, <a href="http://blog.2blocksaway.com/tag/fever/" rel="tag">fever</a>, <a href="http://blog.2blocksaway.com/tag/hard_job/" rel="tag">hard job</a>, <a href="http://blog.2blocksaway.com/tag/hijacked/" rel="tag">hijacked</a>, <a href="http://blog.2blocksaway.com/tag/home_pc/" rel="tag">home pc</a>, <a href="http://blog.2blocksaway.com/tag/myths/" rel="tag">myths</a>, <a href="http://blog.2blocksaway.com/tag/my_documents/" rel="tag">my documents</a>, <a href="http://blog.2blocksaway.com/tag/snail_mail/" rel="tag">snail mail</a>, <a href="http://blog.2blocksaway.com/tag/spam_filter/" rel="tag">spam filter</a>, <a href="http://blog.2blocksaway.com/tag/xbox_live/" rel="tag">xbox live</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/05/ten-popular-security-myths-among-normal-users-that-are-not-true/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Snare and Splunk&#8230;full logging for everyone (Logs, manage them well on Ubuntu)</title>
		<link>http://blog.2blocksaway.com/2007/04/03/snare-and-splunkfull-logging-for-everyone-logs-manage-them-well-on-ubuntu/</link>
		<comments>http://blog.2blocksaway.com/2007/04/03/snare-and-splunkfull-logging-for-everyone-logs-manage-them-well-on-ubuntu/#comments</comments>
		<pubDate>Mon, 02 Apr 2007 21:59:40 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>

		<category><![CDATA[/srv/vmware]]></category>
<category>central log</category><category>linux log</category><category>logging</category><category>snare</category><category>snare windows</category><category>splunk</category><category>splunk server</category><category>ubuntu</category><category>ubuntu server</category><category>unix log</category><category>vmware</category><category>windows 2003</category><category>windows eventlog</category><category>windows events</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/03/snare-and-splunkfull-logging-for-everyone-logs-manage-them-well-on-ubuntu/</guid>
		<description><![CDATA[


The task sounds simple:  Manage all events and logs from all your servers centrally and make them easily accessible.
The problem is a bit more complex: You have different operating systems and different logging facilities in all your (branch) offices.
The way to go: Unless you are a big corporation and can afford the LogLogic product [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<img src="/wp-images/icons/default.png" style="float:left;" width="40" height="40" alt="Default Icon" /><p>The task sounds simple:  <em>Manage all events and logs from all your servers centrally and make them easily accessible.</em></p>
<p>The problem is a bit more complex: <em>You have different operating systems and different logging facilities in all your (branch) offices.</em></p>
<p>The way to go: <em>Unless you are a big corporation and can afford the LogLogic product line, you will have to resort to something more... cost-effective.</em></p>
<p>The solution to your problem: <strong>Enter the world of Snare and Splunk</strong>.</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/logo_splunk.png" title="splunk logo"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/logo_splunk.png" alt="splunk logo" align="right" /></a>No, they are not some cartoon characters. Snare is a free (as in BEER) log agent for many different operating systems (Windows, OS X, Linux, Solaris etc.) and Splunk is a logging server that can take many different log inputs.</p>
<p>Now what does that mean? It&#8217;s simple really: you can install the SNARE agent on almost every major OS out there (check the resources at the end of this how-to) and it will happily collect the logs and events from that machine, based on your criteria, and forward them to a central log collecting server. Of course they want you to buy the SNARE Server, but Splunk can index and handle SNARE data easily and I will show you how.</p>
<p>First off, we are using my trusty old server, Shorty. It is running a few VMware machines, which we will use for logging purposes, and Splunk.<br />
Splunk is a bit hard to describe. It is a central logging facility that collects your logs and lets you search or view them much like you would use Google. So yes, it is kind of like your own private search engine for your logs. You can also view them by host and criticality. But most importantly you can search for specific keywords and it will show you all occurrences. For example, if you want to see where Paul has logged in lately, you can type in <em>paul logon</em> and it will display all the log events that paul caused by logging on.</p>
<p>Now on to the good part: this is all based on Ubuntu, but Splunk is available in many flavors. This will install the free version of Splunk, which is pretty much all we need.<br />
If you want to get the Ubuntu (Debian) Splunk package with a browser, use <a href="http://www.splunk.com/index.php/download_track?file=/2.2/linux/splunk-2.2-15292-linux-2.6-intel.deb&amp;ac=&amp;wg&amp;name=wget" title="splunk download">this link</a>, and if you want to get it straight to a server that has only wget installed you can use this line (all on one line; the single quotes keep the shell from treating the &amp; as a background operator):<br />
<code><br />
wget 'http://www.splunk.com/index.php/download_track?file=/2.2/linux/splunk-2.2-15292-linux-2.6-intel.deb&amp;ac=&amp;wget=true&amp;name=wget'<br />
</code></p>
<p>
Once you have it, it is really simple to install:<br />
<code><br />
sudo dpkg -i splunk-2.2-15292-linux-2.6-intel.deb<br />
</code><br />
Or whatever version you are using. This works on Debian AND Ubuntu (or any *buntu), and once it is installed you are pretty much done. You can start it right away (the installer tells you how) by typing:<br />
<code><br />
/opt/splunk/bin/splunk start<br />
</code><br />
A lot of things will happen, such as sanity checks and database checks, but in the end you should see this:<br />
<code><br />
All index checks passed<br />
Starting splunkd...<br />
Starting splunkweb...Generating certs for splunkweb server</code></p>
<p>Splunk Server started. The web interface is at http://localhost:8000</p>
<p>Wow! You are done. You can now access the Splunk web interface on port 8000 of your server. Now you have a nice logging server with a clean interface, but you have no data coming in yet. A good thing to add right away is the local logs. You WANT to know when someone is messing with your log server. So to add all local logs, just type the following line at the command prompt:<br />
<code><br />
/opt/splunk/bin/splunk add tail /var/log<br />
</code><br />
If you now log into your Splunk server you should see quite a few events already piled up, as it imports all the log messages it can find from all the live logs on your local server. It should look something like this:</p>
<p>From now on it gets pretty easy: you need to download the agent you want to install on the servers (such as SNARE for Windows) and configure it to log remotely :).<br />
Ok, small steps first. Splunk is so flexible that it allows you to get logs from different servers on different ports if you want to. But for brevity&#8217;s sake we will concentrate on UDP traffic.</p>
<p>So first off, log into your Splunk server and click on the little ADMIN button on the top left hand corner:</p>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-admin.png" alt="splunk admin" /></p>
<p>On the resulting screen, click on Data Inputs:</p>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-data-input.png" alt="splunk data input" /></p>
<p>And then on the Network Ports line click on ADD INPUT.</p>
<p>Now click on UDP and enter 3000, for example. Select <strong>YES</strong> in Accept connections from all hosts, leave <strong>SELECT FROM LIST</strong> in Source type and then select <em>windows_snare_syslog</em> as the Source Type. Keep in mind that UDP syslog carries no authentication: any host that can reach port 3000 can inject events that look like they came from your Windows servers, so restrict the port to your agents&#8217; addresses with a host firewall. Click on Add and you will be presented with a screen like this:</p>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-network-ports.png" alt="splunk network ports" /><br />
Very good, you can now close the browser window if you want to.<br />
You need to log into your Windows machine now, in my case a virtual Windows 2003 Server. Download the SNARE agent (URLs at the end) and run the setup once you have it:</p>
<p><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-snarefile.png" alt="snare file" /></p>
<p>You can pretty much accept the defaults, as you need to configure the service anyway through its web interface later. Once you have completed the setup, the configuration web interface will come up.</p>
<p><em>NOTE: These steps are the same for any OS that you install SNARE on </em></p>
<p>The first thing to do is to set a password for the remote configuration; otherwise anyone who can reach the agent&#8217;s web interface can redirect or silence its logging:</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-initial-setup.png" title="snare initial setup"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-initial-setup.thumbnail.png" alt="snare initial setup" /></a></p>
<p>The most important screen however is the Network configuration in the SNARE configuration screen:</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-network-config.png" title="snare network configuration"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/snare-network-config.thumbnail.png" alt="snare network configuration" /></a></p>
<p>The important bits are the <em>Destination SNARE server address</em>, where you put the IP address or DNS name of your Splunk server, and the <em>Destination port</em>, which you set to 3000 as we configured in the Data Input on Splunk. Also select <em>Perform a scan of ALL objectives</em> and <em>Enable Syslog Header</em>. The syslog facility I use is Daemon and the priority Information. Then simply click Change Configuration and close the browser window once it says that the configuration has been changed. <em>NOTICE: you need to restart the SNARE service on the Windows machine now.<br />
</em></p>
<p>If you wait about 5 minutes, you can log into your Splunk interface and, lo and behold, events from the Windows machine are coming in (the 10.0.0.101 IP):</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-events.png" title="splunk events"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-events.thumbnail.png" alt="splunk events" /></a></p>
<p>Now, to test your setup, just type <em>user logon</em> in the search and, as you can see, the results are nicely listed. You can play around or just read the excellent documentation on Splunk&#8217;s website.<br />
<img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/splunk-user-logon.png" alt="splunk user logon" /></p>
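<p>To make visible what Splunk is doing with the <em>windows_snare_syslog</em> input, here is an added example (editor&#8217;s code, not part of the original how-to and not from Snare or Splunk) that parses Snare events as they arrive over UDP syslog and runs the <em>paul logon</em> search by hand. It assumes the tab-separated field order of the Snare for Windows output format as the editor understands it (check it against the Snare guides linked below), uses the Windows 2003 Security log event IDs 528, 540 and 529 for successful, network and failed logons, and works on constructed sample events. Malformed or out-of-range lines are rejected rather than guessed at, and the optional <code>listen()</code> collector drops datagrams from addresses that are not known agents, which is the check the &#8220;accept from all hosts&#8221; setting above leaves out.</p>

```python
"""Added example (not from the original how-to): parse Snare-for-Windows
events delivered over UDP syslog and run the post's "paul logon" search.

Assumptions: the tab-separated field order below is the Snare for Windows
output layout as the editor understands it (verify against the Snare guide
for your agent version); all sample events are constructed."""
import re
import socket
from collections import Counter

# Syslog header Snare prepends when "Enable Syslog Header" is ticked:
# <PRI>Mon DD HH:MM:SS hostname MSWinEventLog<TAB>field<TAB>field...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Assumed Snare for Windows payload layout (15 tab-separated fields).
SNARE_FIELDS = (
    "tag", "criticality", "event_log", "snare_counter", "submit_time",
    "event_id", "source_name", "user_name", "sid_type", "event_log_type",
    "computer_name", "category", "data", "expanded", "checksum",
)

# Windows 2003 Security log event IDs behind the question "who logged on?"
LOGON_EVENT_IDS = {"528": "logon", "540": "network logon", "529": "logon failure"}

def parse_snare_line(line):
    """Return a dict of fields, or None if the line is not a Snare event.
    Missing header, PRI out of range or too few tabs means reject, not
    guess: the collector port is plain UDP and anything can send to it."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23, severity 0-7
        return None
    parts = m.group("msg").split("\t", len(SNARE_FIELDS) - 1)
    if len(parts) < 13 or parts[0] != "MSWinEventLog":
        return None
    parts += [""] * (len(SNARE_FIELDS) - len(parts))
    ev = dict(zip(SNARE_FIELDS, parts))
    ev["syslog_host"] = m.group("host")
    ev["facility"], ev["severity"] = divmod(pri, 8)
    return ev

def parse_all(lines):
    """Parse a batch of received lines, dropping the rejects."""
    return [ev for ev in map(parse_snare_line, lines) if ev]

def short_user(ev):
    """Strip a DOMAIN\\ prefix so 'LAB\\paul' and 'paul' compare equal."""
    return ev["user_name"].split("\\")[-1].lower()

def search(events, user=None):
    """The post's Splunk query 'paul logon' done by hand: logon-related
    events, optionally restricted to one account."""
    return [ev for ev in events
            if ev["event_id"] in LOGON_EVENT_IDS
            and (user is None or short_user(ev) == user.lower())]

def logon_summary(events):
    """Count logon outcomes per account; many 'logon failure' entries for
    one account is the password-guessing pattern this server should show."""
    counts = Counter()
    for ev in events:
        label = LOGON_EVENT_IDS.get(ev["event_id"])
        if label:
            counts[(short_user(ev), label)] += 1
    return counts

def listen(port=3000, allowed_agents=frozenset(), bind="0.0.0.0"):
    """Minimal stand-in for the UDP input the post opens in Splunk. UDP
    syslog has no authentication, so datagrams from addresses outside
    allowed_agents are dropped; put the same rule in a host firewall in
    front of Splunk instead of accepting from all hosts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        if allowed_agents and src not in allowed_agents:
            continue
        ev = parse_snare_line(data.decode("utf-8", "replace"))
        if ev:
            print(src, ev["event_id"], ev["user_name"], ev["computer_name"])

# Constructed sample traffic. PRI 30 = facility 3 (daemon), severity 6
# (informational), the agent settings used in the post.
SAMPLE = [
    "<30>Apr  2 21:59:40 w2k3dc MSWinEventLog\t1\tSecurity\t101\tMon Apr 02 21:59:40 2007\t528\tSecurity\tpaul\tUser\tSuccess Audit\tW2K3DC\tLogon/Logoff\t\tSuccessful Logon: User Name: paul Domain: LAB Logon Type: 2\t42",
    "<30>Apr  2 21:59:41 w2k3dc MSWinEventLog\t1\tSecurity\t102\tMon Apr 02 21:59:41 2007\t529\tSecurity\tLAB\\paul\tUser\tFailure Audit\tW2K3DC\tLogon/Logoff\t\tLogon Failure: Reason: Unknown user name or bad password\t43",
    "<30>Apr  2 21:59:42 w2k3dc MSWinEventLog\t1\tSecurity\t103\tMon Apr 02 21:59:42 2007\t540\tSecurity\tanna\tUser\tSuccess Audit\tW2K3DC\tLogon/Logoff\t\tSuccessful Network Logon: User Name: anna\t44",
    "<30>Apr  2 21:59:43 w2k3dc MSWinEventLog\t1\tSecurity\t104\tMon Apr 02 21:59:43 2007\t592\tSecurity\tpaul\tUser\tSuccess Audit\tW2K3DC\tDetailed Tracking\t\tA new process has been created\t45",
    "random junk from someone poking at UDP/3000",
    "<999>Apr  2 21:59:44 w2k3dc MSWinEventLog\t1\tSecurity\t105\tx\t528\tSecurity\tevil\tUser\tSuccess Audit\tW2K3DC\tLogon/Logoff\t\tbad PRI\t46",
]

if __name__ == "__main__":
    evs = parse_all(SAMPLE)
    for ev in search(evs, user="paul"):
        print(ev["submit_time"], ev["event_id"], LOGON_EVENT_IDS[ev["event_id"]])
    print(dict(logon_summary(evs)))
```

<p>Run it as a script and it lists paul&#8217;s successful and failed logons from the sample and prints the per-account summary; point <code>listen()</code> at port 3000 with the set of agent IPs you trust and it does the same for live Snare traffic. The two rejected sample lines show the case Splunk&#8217;s &#8220;accept from all hosts&#8221; setting does not cover: whatever arrives on the port is indexed, so filtering by source is the job of the firewall, not the parser.</p>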
<p>Resources:</p>
<ul>
<li><a href="http://www.intersectalliance.com/projects/index.html" title="snare agents">Snare agents for the different Operating Systems</a></li>
<li><a href="http://www.intersectalliance.com/resources/index.html" title="snare guides">Snare guides and documentation for agents and white papers </a></li>
<li><a href="http://www.splunk.com/doc/latest" title="splunk documentation">Splunk website (Documentation) </a></li>
<li><a href="http://www.splunk.com/index.php/predownload?d=progeneric" title="splunk downloads">Splunk website (Downloads for the different Operating Systems) </a></li>
</ul>
<p><em>PS: if you do find this helpful, I don&#8217;t mind if you click on any of the nice google ads in order to pay for the hosting. No donation required, and I will never ask for one.</em></p>
<a href="http://blog.2blocksaway.com/tag/central_log/" rel="tag">central log</a>, <a href="http://blog.2blocksaway.com/tag/linux_log/" rel="tag">linux log</a>, <a href="http://blog.2blocksaway.com/tag/logging/" rel="tag">logging</a>, <a href="http://blog.2blocksaway.com/tag/snare/" rel="tag">snare</a>, <a href="http://blog.2blocksaway.com/tag/snare_windows/" rel="tag">snare windows</a>, <a href="http://blog.2blocksaway.com/tag/splunk/" rel="tag">splunk</a>, <a href="http://blog.2blocksaway.com/tag/splunk_server/" rel="tag">splunk server</a>, <a href="http://blog.2blocksaway.com/tag/ubuntu/" rel="tag">ubuntu</a>, <a href="http://blog.2blocksaway.com/tag/ubuntu_server/" rel="tag">ubuntu server</a>, <a href="http://blog.2blocksaway.com/tag/unix_log/" rel="tag">unix log</a>, <a href="http://blog.2blocksaway.com/tag/vmware/" rel="tag">vmware</a>, <a href="http://blog.2blocksaway.com/tag/windows_2003/" rel="tag">windows 2003</a>, <a href="http://blog.2blocksaway.com/tag/windows_eventlog/" rel="tag">windows eventlog</a>, <a href="http://blog.2blocksaway.com/tag/windows_events/" rel="tag">windows events</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/03/snare-and-splunkfull-logging-for-everyone-logs-manage-them-well-on-ubuntu/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Monthly OS Security scorecard: MARCH 2007</title>
		<link>http://blog.2blocksaway.com/2007/04/01/monthly-os-security-scorecard-march-2007/</link>
		<comments>http://blog.2blocksaway.com/2007/04/01/monthly-os-security-scorecard-march-2007/#comments</comments>
		<pubDate>Sun, 01 Apr 2007 12:11:33 +0000</pubDate>
		<dc:creator>flosse</dc:creator>
		
		<category><![CDATA[/dev/null]]></category>

		<category><![CDATA[/]]></category>

		<category><![CDATA[/dev/rant]]></category>
<category>enterprise linux</category><category>linux</category><category>mac osx</category><category>operating system</category><category>redhat</category><category>security scorecard</category><category>unbuntu linux</category><category>vulnerability</category><category>windows vista</category><category>windows xp</category>
		<guid isPermaLink="false">http://blog.2blocksaway.com/2007/04/01/monthly-os-security-scorecard-march-2007/</guid>
		<description><![CDATA[


As promised, here is the roundup for March 2007 following the same principles and Operating Systems as in the original article EXCEPT that we added Windows Vista now.
Overall there hasn&#8217;t been much going on this month, EXCEPT, a couple of days ago, the Windows animated cursor flaw. Granted the vulnerabilities and fixes were a [...]]]></description>
			<content:encoded><![CDATA[<a href="http://blog.2blocksaway.com/category/root/void/" title="/dev/null"><img src="/wp-images/icons/void.png" style="float:left;" width="40" height="40" alt="/dev/null" /></a>
<a href="http://blog.2blocksaway.com/category/root/" title="/"><img src="/wp-images/icons/root.png" style="float:left;" width="40" height="40" alt="/" /></a>
<a href="http://blog.2blocksaway.com/category/root/devrant/" title="/dev/rant"><img src="/wp-images/icons/devrant.png" style="float:left;" width="40" height="40" alt="/dev/rant" /></a>
<p>As promised, here is the roundup for March 2007 following the same principles and Operating Systems as in the <a href="http://blog.2blocksaway.com/2007/03/18/monthly-security-scorecard-the-rebuttal/" title="monthly security scorecard">original article</a> EXCEPT that we added Windows Vista now.</p>
<p>Overall there hasn&#8217;t been much going on this month, EXCEPT, a couple of days ago, the Windows animated cursor flaw. Granted, the vulnerability and fix counts are a bit out of step, since Microsoft has Patch Tuesday (and 0day Wednesday :)). But still, if something shows up as EXTREMELY critical it might be good to put some sort of patch out right away.</p>
<p>Without further delay, the amount of advisories coming for each Operating System:</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/adv-0307.gif" title="Advisories for March 2007"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/adv-0307.thumbnail.gif" alt="Advisories for March 2007" /></a></p>
<p>Looks like Ubuntu, as we saw in the past, takes the lead in the number of advisories. What beats me is that the number differs so much between RedHat and Ubuntu. They bundle much of the same software, so why does RedHat have so many fewer advisories? FreeBSD, however, takes a clear win with NO advisories found! Well done FreeBSD!</p>
<p>Next up the patches that have been released by each vendor:</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/pat-0307.gif" title="Patches for March 2007"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/pat-0307.thumbnail.gif" alt="Patches for March 2007" /></a><br />
Here Ubuntu, RedHat, Mac OS X and OpenBSD all shine, since they have patches available for ALL advisories. The Windows versions, however, have unpatched advisories, and for the less critical vulnerability there is a Partial Fix available. Let&#8217;s see how they will do in April on Patch Tuesday.</p>
<p>Finally the criticality of these Advisories:</p>
<p><a href="http://blog.2blocksaway.com/wp-content/uploads/2007/04/crit-0307.gif" title="Criticality March 2007"><img src="http://blog.2blocksaway.com/wp-content/uploads/2007/04/crit-0307.thumbnail.gif" alt="Criticality March 2007" /></a><br />
Suffice to say, the Windows versions are the only ones that got an EXTREMELY critical advisory. But that does not mean the others are off the hook. All of the <em>*nices</em> had HIGH advisories, with Ubuntu having 4! Thank god patches are already available for them.</p>
<p>A complete overview for this month, per OS, can be found on Secunia directly by clicking on these links:</p>
<ul>
<li><a target="_blank" href="http://secunia.com/product/22/?task=advisories_2007" title="Windows XP ">Windows XP advisories</a> </li>
<li><a target="_blank" href="http://secunia.com/product/4670/?task=advisories_2007" title="Redhat Enterprise Linux 4">RedHat Enterprise 4 advisories</a></li>
<li><a target="_blank" href="http://secunia.com/product/13223/?task=advisories_2007" title="Windows Vista">Windows Vista advisories</a></li>
<li><a target="_blank" href="http://secunia.com/product/12486/?task=advisories_2007" title="OpenBSD 4.0">OpenBSD 4.0 advisories</a></li>
<li><a target="_blank" href="http://secunia.com/product/6778/?task=advisories_2007" title="FreeBSD 6.x">FreeBSD 6.X advisories</a></li>
<li><a href="http://secunia.com/product/96/?task=advisories_2007" title="Mac OS X 10.4">Mac OS X 10.4 advisories</a></li>
<li><a href="http://secunia.com/product/1173/?task=advisories_2007" title="Windows 2003 server">Windows 2003 Server Standard Edition advisories</a></li>
<li><a href="http://secunia.com/product/10611/?task=advisories_2007" title="Ubuntu Linux 6.06">Ubuntu Linux 6.06 advisories</a></li>
</ul>
<p><strong>Conclusion:</strong></p>
<p>The clear winner is FreeBSD, of course, followed by OpenBSD and Mac OS X, which both had 1 advisory. With OpenBSD, however, I believe this to be exceptional and I am looking forward to April. Until then, enjoy!</p>
<a href="http://blog.2blocksaway.com/tag/enterprise_linux/" rel="tag">enterprise linux</a>, <a href="http://blog.2blocksaway.com/tag/linux/" rel="tag">linux</a>, <a href="http://blog.2blocksaway.com/tag/mac_osx/" rel="tag">mac osx</a>, <a href="http://blog.2blocksaway.com/tag/operating_system/" rel="tag">operating system</a>, <a href="http://blog.2blocksaway.com/tag/redhat/" rel="tag">redhat</a>, <a href="http://blog.2blocksaway.com/tag/security_scorecard/" rel="tag">security scorecard</a>, <a href="http://blog.2blocksaway.com/tag/unbuntu_linux/" rel="tag">unbuntu linux</a>, <a href="http://blog.2blocksaway.com/tag/vulnerability/" rel="tag">vulnerability</a>, <a href="http://blog.2blocksaway.com/tag/windows_vista/" rel="tag">windows vista</a>, <a href="http://blog.2blocksaway.com/tag/windows_xp/" rel="tag">windows xp</a>]]></content:encoded>
			<wfw:commentRss>http://blog.2blocksaway.com/2007/04/01/monthly-os-security-scorecard-march-2007/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>

