Occasionally I find myself in the position of needing to mail small, easily damageable items across the country. For economical purposes I find the best thing to do is purchase a tin of Altoids and mail the empty tin.

The other day I was at the store and the Altoids were like $3 each! Highway robbery! Instead I purchased a box of Tic-Tacs, as it would work in this particular instance. The downside is that I don't really care for Altoids or Tic-Tacs... I mean they are alright, but a single box will last me a few months.

After the Tic-Tacs were rung up, I immediately opened them, said "This is for me." and ate one. "These are for my dead homies!" and poured the rest out on the floor. After a moment of silence the cashier gave me my total due, which I paid, and then I left. The store was quite surreal during my departure.

[QUOTE=navyjax2]Couldn't have said it better myself.[/QUOTE]

How obtuse and purblind can you be? First paragraph above TFM--the manual [url]www.microsoft.com[/url]

[QUOTE=navyjax2]
I will agree that much, if not all, of what you said, catch, was stuff us as admins were not taught in our bachelor's or MCSA courses and would have to do graduate/specialized IT security training to learn (i.e. DBAC, RBAC, etc.), however - that does not make it foolproof as far as practicality to simply rely on OS security to avoid viruses or attacks, and I was speaking entirely of Windows, not any other OS you or your teams may have come across, created, or implemented, as Microsoft has 90% of the market today and what is really what people would want to worry about. Chances are, if you're speaking of any other OS, they have their own proprietary security or permissions or controls that probably DOES in some way allow you to do what you are trying to divulge, but are withholding. But I challenge you to do this with a typical corporate networked, multi-user Microsoft 2000 or XP Pro system.[/QUOTE]

This just keeps getting better as I read on! So now you're telling me the NSA is wrong? I'd suggest you submit a white paper on your findings to them ASAP.
In my work place, people don't argue with me. I deal almost exclusively with external clients who respect my opinions and appreciate the money I save them. Here, most just like to treat me like I'm ...

[QUOTE=Catweazle]Oh dear! Your argument seems to be [i]Because no security application is perfect, it naturally follows that no such application is worthy of implementation and use! [/i]Seems a rather irrational argument to me![/QUOTE]

[QUOTE=Kid]
Misinformed? How about the fact I have seen things firsthand? Can you say that you are an administrator of a network that has seen such things as non-application oriented scripts that will run regardless of the permissions you lock down on your computer? How about UNIX scripts that are not bound by Windows permissions? I've seen it happen on both my home network and the one I work on at work where things are not bound by simple Windows NT permissions. Where do you get off at? What experience do you have? Are you actually a legitimate Systems Administrator, or are you just a hobbyist?
You can't lock down your Temporary Internet Files folder to have only read permissions to it or you'd never get internet pages (they are downloaded off the internet for you to view them, after all, requiring "write" permission somewhere). And little good restricting a user's account would do if they are already a standard user. And how can you restrict an admin account without reverting it to a standard user account? Far as I know, unless you know something I don't, at least with XP, it's only either/or, nothing in-between. I know there are those that would say never log in as an admin unless you're going to install stuff. Yes, ...

Nah...... Seti at home (Berkeley) for life! [url]http://setiathome.free.fr/[/url]

[QUOTE=navyjax2]There is no amount of application security, NT or otherwise, that will prevent you from receiving viruses on a Windows machine.[/QUOTE]

Wrong, hence, lower assurance systems.

[QUOTE=navyjax2]
They come as an attachment some people actually inadvertently run, or even as a TEMPORARY INTERNET FILE off of a site you may visit, without you even knowing, and do not need for you to run them for them to do what they are going to do.[/QUOTE]

Wrong; your failure to read is made abundantly clear. Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus from being able to propagate.

[QUOTE=navyjax2]
Some just report back to the person's server information about you, like what sites you've visited from your history logs, and don't affect applications or application security at all.[/QUOTE]

It's indisputably luculent; you haven't a clue what you're talking about.

[QUOTE=navyjax2]Some disrupt network communication - which can affect ANY computer, not just Windows PCs.
[/QUOTE]

I'll give you that one, even though you've left out thousands, if not millions of high assurance systems with their own super-networks. ;)

[QUOTE=navyjax2]
To say that NT application security will protect you is definitely a giving in to a false hope[/QUOTE]

This is the only (somewhat) sensible thing you've said here. Not that you meant to. :)

[QUOTE=navyjax2]especially without a firewall that lets that nasty traffic right in. [/QUOTE]

I don't and won't give bad advice regardless of how uneducated a user is. So please stop spreading ...

Are you in charge of "security"?...........contact your admin or manager. Are you trying to do work that you're not going to get paid for? Everyone wants to be the star of their system. ;)
In low assurance environments, AV is a good thing... but once you lock the systems down to provide exactly the rights your users require, you're ok.

Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.

Many of the client applications can only be launched as reduced privilege processes, permissions are tightly controlled, again with the point of only allowing users access to the applications they need as defined by their role and to the internal data as defined by that same role definition.

This is the real problem: most security teams have no clue what their users need, or how to effectively support business needs... consequently, to avoid calls to tech support, they give their users way too much rope. This would be a low assurance environment, and prime for AV controls.

[code]netstat -ano 1[/code]
Ctrl-Alt-Delete, then post a screenshot showing your PIDs (knock out the IPs).

[QUOTE=kc0arf]Hi,

All I am going to say is this: the only secure computer out there is the one that is encased in cement with no power or network connections.

I would rather secure a Linux box than a Windoze box.

Christian[/QUOTE]
Secure from what, everything but attacks?

System security is not measured by the configuration, it is measured by capabilities and assurances. These are highly quantitative and not all abstract like lockdown-securing-admin skill.

Or use software that doesn't suck!

[url]http://www.bodacion.com/[/url]

This web appliance is likely the most secure single level server on the market. It is immune from all remote server level attacks, including crackers, viruses, and worms.

The system runs Java web applications, utilizes domain based access controls or "compartments", effectively has a read only operating system with no command interface.

Its encryption technology is interesting, but my knowledge on such things is limited to the bare minimum to not bomb that CBK on the CISSP.

The site makes a lot of bold claims, but the majority of them are completely true, a few of the claims have a smidge of spin. For example the server cannot effectively protect objects from subjects in the same compartment even if the subject does not have explicit rights over the object. (multi-user web hosting for a simple example)

The true benefit of this system is the fact that it has essentially no administration requirements. Essentially no security configuration, no patching, no unusual access controls, no complicated rules files... I would guess that anyone who was familiar enough with computers to use MS Office could effectively run a secure and stable HYDRA server.

Anyhow I figured this would be of interest to some of you perhaps.

[QUOTE=kalel21] a proxy server to protect myself because I have no idea about security[/QUOTE] Your friend has no idea about "security" either.

Let me give you a rundown here about the biggest misconception about proxy servers. There is but one simple truth about proxies: they are not anonymous. If you care to test this truth, go ahead and do something stupid using an "anonymous" proxy. The term is as ridiculous as the idea if you truly understand what a proxy is used for.

You may be able to duck and hide from those who don't understand how networking operates, but in the end, you will be pwn3d by those who do and by those who you will meet behind bars.

[QUOTE=server_crash]I was stupid and didn't add any security to my wireless network when I set it up. I guess I thought it would be quicker. Anyways, is there a way to just add it after you have everything set up? Or do I have to reinstall everything?[/QUOTE]
Firewalls..............................

If you are on a home network/system with no services, no firewall is required or even recommended.

Firewalls have two uses:

  1. Filtering ports, either by packet type or data content.
  2. Segregating network traffic.

There is no need for #1 if you are not running any services, and if your network topology doesn't call for #2, running a firewall is not only unneeded, but to do so would be a poor choice. By adding a firewall in this environment you actually decrease the security of your system by increasing its complexity (reduced assurances, and just another application that needs to be trusted and kept current) and surface area. For example, a number of personal firewalls had/have issues of being broken by particularly aggressive nmap scans.

It is important to only add counter measures in response to threats that justify them, in this instance, I don't see that being the case here.

Are you going to take the word of a guy whose network was breached by a 13 y/o? Seriously, "stealthing" under many situations can actually give back more information than just having the port closed, especially on a server system. This "stealthing" is just another [b]farce[/b] from the Steve Gibson camp. If you have a system that is listening on port 80 and stealthing everything else, the attacker obviously knows that a system exists there, and using timing attacks a sophisticated attacker can even determine the type of firewall you are running, as stealthing adds more latency than having the port just not be open. This latency may be calculated by using a carefully constructed request to any open services. Once this is accomplished, the attacker can make a good guess about the firewall based on this data.
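The timing difference the post describes, as an added example (this is not code from the original post or from any tool it mentions): a small TCP state probe that separates a "closed" port (the host answers with a RST, usually within a millisecond) from a "filtered"/"stealthed" one (the probe is silently dropped and only a timeout is observed). The verdict wording, the local listener and the helper names are this example's own; it uses only the Python standard library and runs against loopback so it can be tried offline.

```python
"""Added example: classify a TCP port by response and latency.

A drop rule does not make a port invisible; it replaces a fast RST with a
slow timeout, and the gap between the two is measurable by anyone who can
also reach one open port on the same host.
"""
import socket
import time


def probe(host, port, timeout=1.0):
    """Return (state, latency_seconds) for a single TCP connect probe."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))           # SYN/ACK came back: open
        return "open", time.monotonic() - start
    except ConnectionRefusedError:           # RST came back: closed, not hidden
        return "closed", time.monotonic() - start
    except (socket.timeout, TimeoutError):   # nothing came back: dropped/filtered
        return "filtered", time.monotonic() - start
    finally:
        sock.close()


def firewall_verdict(host, known_open_port, probe_port, timeout=1.0):
    """Compare a known-open port with another port on the same host.

    A host that answers RST on the probe port has no drop rule there. A host
    that only times out is dropping ("stealthing") the probe, and the timeout
    itself tells the attacker that a filter sits in the path.
    """
    open_state, open_latency = probe(host, known_open_port, timeout)
    if open_state != "open":
        return "no open reference port; cannot compare"
    state, latency = probe(host, probe_port, timeout)
    if state == "filtered":
        return "drop rule (stealthed): probe took %.3fs vs %.4fs for the open port" % (
            latency, open_latency)
    if state == "closed":
        return "rejects (RST): probe took %.4fs vs %.4fs for the open port" % (
            latency, open_latency)
    return "open"


def start_listener():
    """Local listener on an ephemeral loopback port for a stand-alone run."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a loopback port that is almost certainly closed right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    print(probe("127.0.0.1", open_port))              # ('open', ...)
    print(probe("127.0.0.1", free_port()))            # ('closed', ...)
    print(firewall_verdict("127.0.0.1", open_port, free_port()))
    srv.close()
```

Loopback cannot show the "filtered" branch, since nothing on the local stack drops packets; point `firewall_verdict` at a host that is known to reach you on one port and a port you believe is "stealthed" to see the timeout-sized latency the post is talking about.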

[QUOTE=Catweazle]So try pulling your head out from where it's stuck and have a realistic attempt at doing just that, eh? regardless of your claims elsewhere, you posted a suggestion which implies that people should discontinue using AV software. If that was not your intent, then you should look carefully at the way you express yourself.

If education is the goal, ego gets in the way of it ;)[/QUOTE]

That's essentially what I said, because it's true. If you read your sub-cat-thread you'll find real world security standards. Read the link in the other thread. Start there; if you have any more questions, my PM box is always open.

PS: The rudeness is uncalled for.

[QUOTE=Catweazle]Your post was split off because it is a side issue which is a discussion topic and which does not directly provide assistance in response to the topic starter's question.

'Over my head' or not, you're pushing a personal barrow, dude, and I've given you a separate topic to push it in. Please continue your comments there, as further discussion of this topic hijack attempt will be deleted!

Edit: by the way, think yourself fortunate. I recently closed another topic because it was the tired old LINUX>WINOWS dross, and I allowed yours because it was a fresh approach ;)[/QUOTE]

I'm not here to argue, just to educate.

[QUOTE=Catweazle]Hi,

I've split this post off into its own topic, as it was not directly related to the topic in which it was posted.[/QUOTE]
Sure it was, he just doesn't know that application level security doesn't exist. But I've pointed him in the right direction now. Plus, he learned how to label firewalls for a sane comparison so he could get more accurate help.

[QUOTE=Catweazle]
Your contention is based upon flawed reasoning. That's understandable, because a lot of people follow the same flawed reasoning. They contend that Linux is 'safe' because malicious software can only effect the particular user's files and not the system root. That reasoning is unsound, as was explained quite a long time ago at linuxquestions.org.[/QUOTE]
I truly find it funny that you brought a tiff from another site to this one (I've never seen that before)!
I'm new here, and you don't really know me, so you have no idea how funny this is. You're new to security, aren't you? I am arguably the biggest advocate of NT security you'll ever meet. I freely and frequently state that NT security is superior to UN*X security. People like to take one of two arguments back:

  1. Counting exploits.
  2. Claiming exotic configurations and major architectural modifications in UN*X/Linux should just be considered the norm.

Due to this fact, [b]I've stopped arguing the point for a while now[/b]... still funny that you'd think I meant UN*X to be more secure. My point was in fact that AV solutions ...

This post was over Catweazle's head, so he didn't think it had anything to do with your post. Which couldn't be further from the truth. He's not a security expert and I don't expect him to be, so it was an honest mistake.

Basically, [b]APPLICATION LEVEL SECURITY IS MEANINGLESS[/b] on NT.

Would you run an AV on Linux or FreeBSD or Solaris, etc.? Of course not, so why run one for NT, which has at least the security capabilities of those other systems? The only systems that benefit from AVs are those with poor architecture that allows random processes unmitigated access, like the Windows (SUE) line, Single User Edition. Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus from being able to propagate. This has the advantage of being immune to new viruses and trojans while requiring no upgrades. Besides, if you have your system set up in a manner that makes virus propagation not possible, why waste the time scanning?

Secondly, I would hope you are all aware that ALL firewalls are software; some just run on very limited operating systems rather than general purpose operating systems, and on specialized hardware rather than general hardware. Firewalls should be divided by type or generation, since this actually allows for a sane comparison. Lastly, before we get some replies, are you to take the word of the masses here? Something about the "least common denominator" should ring true.

[QUOTE=helloimtim]Many of you know I have said time and time again that this whole firefox is more secure is pure hype. I have said time and time again. Use which browser you wish. Just make sure your set up right. I have seen time and time again people tell me how wrong I was which I respect completley. Thats cool. Now its my turn to make my point. Here ya go. [url]http://www.extremetech.com/article2/0,1558,1754502,00.asp[/url][/QUOTE]
I was given negative points from the ill-educated for explaining simple security basics in the past here. So I pretty much keep my knowledge to myself. The link below.
[URL=http://www.daniweb.com/techtalkforums/post61990.html#post61990][b]True security views[/b][/URL]

No security advisory section?

[b]MD5 - Not as secure as thought.[/b]

There is an interesting paper on altering files without changing the MD5 hash. Even more interesting, a tool that can be used for POC. I'm glad to see that others in the security field feel the same way that I do about MD5.

snip
The full details may be acquired at the following link:

[url]http://www.doxpara.com/md5_someday.pdf[/url]

A tool, Stripwire, has been assembled to demonstrate some of the attacks described in the paper.
It may be acquired at the following address:

[url]http://www.doxpara.com/stripwire-1.1.tar.gz[/url]

Incidentally, the expectations management is by no means accidental --
the paper's titled "MD5 To Be Considered Harmful Someday" for a reason.
Some people have said there's no applied implications to Joux and Wang's
research. They're wrong; arbitrary payloads can be successfully
integrated into a hash collision. But the attacks are not wildly
practical, and in most cases exposure remains thankfully limited, for
now. But the risks are real enough that responsible engineers should
take note: This is not merely an academic threat, systems designed with
MD5 now need to take far more care than they would if they were
employing an unbroken hashing algorithm, and the problems are only going
to get worse.

Some highlights from the paper:

  • The attack itself is pretty limited -- essentially, we can create
    "doppelganger" blocks (my term) anywhere inside a file that may be
    swapped out, one for another, without altering the final MD5 hash. This
    lets us create any number ...
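The "doppelganger block" property described in the paper excerpt above, as an added example (not code from the original post, from the paper, or from the Stripwire tool). BLOCK_A and BLOCK_B are the published Wang et al. MD5 colliding pair, two 128-byte messages transcribed here from the widely reproduced hex and assumed correct; the suffix, the `payload_branch` dispatcher and the helper names are this example's own constructions. It shows that the two blocks can be swapped inside a file without changing the file's MD5, and that any common tail preserves the collision, because MD5 is an iterated hash and both blocks leave the internal chaining state identical. SHA-256 is computed beside it as a hash on which the same two files do not collide.

```python
"""Added example: MD5 doppelganger blocks with an arbitrary common suffix."""
import hashlib

# Published Wang et al. colliding pair (assumed transcribed correctly).
# The two blocks differ in only six bytes.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a, b):
    """Byte positions where the two blocks differ."""
    return [i for i in range(len(a)) if a[i] != b[i]]


def build_pair(common_suffix):
    """Two files: a doppelganger block first, then an identical tail.

    Because MD5 processes 64-byte blocks sequentially and BLOCK_A/BLOCK_B
    leave the same chaining state, md5(A + S) == md5(B + S) for any S.
    The tail is where the paper's "arbitrary payload" goes.
    """
    return BLOCK_A + common_suffix, BLOCK_B + common_suffix


def payload_branch(file_bytes):
    """Hypothetical dispatcher standing in for the tail's logic: look at a
    byte that differs between the two blocks and behave differently.
    The real Stripwire payload is not reproduced here."""
    return "benign" if file_bytes[19] == BLOCK_A[19] else "hostile"


def demo(common_suffix=b"# constructed suffix, identical in both files\n"):
    """Build the pair and report what a verifier using each hash would see."""
    good, bad = build_pair(common_suffix)
    return {
        "same_md5": md5_hex(good) == md5_hex(bad),
        "same_sha256": sha256_hex(good) == sha256_hex(bad),
        "branches": (payload_branch(good), payload_branch(bad)),
        "diff_offsets": differing_offsets(BLOCK_A, BLOCK_B),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical reading for anyone signing or pinning files by MD5: two inputs that your MD5 check cannot tell apart can carry different behaviour, and the attacker gets to choose everything after the colliding blocks. Checking with SHA-256 (or an HMAC under a key the attacker does not hold) removes this particular trick.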

SuSE PRO, comes with a manual right? (No TFM though)
Most UNIX commands will work [url]http://www.ucgbook.com/unix%20commands%20list.html[/url]

[QUOTE=darkdevil]Hey im thinking of starting my own webserver and i need to know if either
Linux Red Hat
or
Linux Red Hat Fedora 2
will support my Nvidia GeForce FX 5200 128mb if any one could tell me pretty soon if they do.
:!: And can any one tell me if Linux Red Hat Fedora 2 comes with Webmin and usermin?
Thanx

Darkdevil[/QUOTE]
RH has dropped all support and good luck with the VC support because I know for a fact that fx 5900 ultra is NC.

[QUOTE=LearningIT]Anyone out there?[/QUOTE]
Yeah, try for the CISSP & MCSE
My current position puts me about as deep into security as one can go, from my role as system architect on the AITS project to my current work on offensive cyber warfare policies.

I have been an assistant moderator on the ACM's OS SIG for quite a while now. I have been on independent auditing teams for the NT B feasibility papers, the Standard Mail Guard and its parent system LOCK. I have consulted on the KSOS ASIC port project and am currently working on an R12k PSOS under IRIX project. And for my day job I'm on the Sr. design team for AITOS (the first OS since LOCK to formally target the NCSC A1 criteria)

If you get to where I am you will look back and thank me. ;)

Lots and LOTS of people seem to be constantly comparing the current situation with space travel, with the early 20th century aviation.

In fact, the comparison is not appropriate at all.

The early pioneers who created aeroplanes from bits of sticks and cloth, putting unreliable petrol engines on, often killed themselves. But we remember the successful ones.

The basic problem I see, is space travel is NOT aviation.

The amount of foresight to be able to predict aviation is fairly minimal. DaVinci did it in the 15th century, and probably loads of people did before him (just he wrote it down in rather more detail than them). Everyone since the beginning of human history, has watched birds flying. Everyone since the invention of paper has made paper planes. Each step was essentially just a small one.

Space travel just ISN'T that simple. They don't call it "rocket science" for nothing. It's complicated, and no amount of constant comparisons with the early aviation industry will make it simpler. Birds do fly very gracefully, but they don't usually go into orbit.

For decades, the governments of the two most industrially productive countries in the world have been pouring massive amounts of cash into space travel - mostly to figure out how to destroy each other more effectively. They have achieved much - and I don't believe that any real progress would have been made without them.

Sure, commercial companies do launch satellites with varying degrees of government assistance, but their R&D has ...

[QUOTE=VDPD2005]i know the A+ isnt anything to brag about, but here i am. I didnt have to pay for the class, i just sign up for it. The cost of the certification test is only like $50, and if i pass they give back $30.[/QUOTE]
CISM
CISA
CISSP

Well, the cost of my CISSP was worth it. If you're going to study for the CISSP, most of the study books are useless.
The CISSP Prep Guide is garbage. My old roommate had it, and although it is an excellent resource book, it is a poor tool for preparing for the exam.

CISSP is geared toward consulting and not technical knowledge. Know how your encryption formats are used, not how they work. Don't worry about specific laws or the HIPAA stuff the book goes on and on about... only a few such questions are on the test, and they tend to be logical and require no specific knowledge; same for other specific standards or guidelines.

Just know how technologies, policies, and standards are intended to be used and you will pass with flying colors.

catch

[QUOTE=crunchie]One should not have to do that though :). One can lock it down until it's almost unuseable. Give me Opera straight out of the box anytime :). Safe as houses.[/QUOTE]

Ok, let's try this again.

I don't know why you're hung up on the settings being default? The settings should be such that they fit most appropriately within the system. Locking a system down (hardening) has more easily calculated consequences than disabling security features, this is why high security systems ship in a completely unhardened state and provide a TFM for the system owners/custodians to harden as appropriate. The fact is IE has the functionality to be locked down, default or not is unimportant.

Take note,

Web browsers face two types of attacks:

  1. Arbitrary code execution
  2. spoofing and other contained exploits
#1 is defeated by running the browser via a less privileged user, such as a guest account. #2 is defeated by proper configuration, and again simple security math tells us that it is better for a system to be issued in as unhardened a state as possible, so that once its final configuration has been determined, hardening can ensure more complete coverage using the fewest resources.

Now #1 is completely defeated; #2 is an area that is still likely to affect the browser, any browser in fact, but to a greatly reduced extent if the browser is locked down.

All this being said there is no advantage to IE over anything else with regard ...

[QUOTE=subtronic]Just looking at all the difficulties people are having with MS Windows :) Now seems like a good time to switch to Linux :) :) :) -- I don't have [u]any[/u] of these problems. But, I also don't play video games or use Photoshop either ;)[/QUOTE]Don't confuse lazy admins and a completely unhardened default configuration for "insecure." Remember the DOD-STD-5200.28 C2 and ISO 15408 CAPP/EAL4 evaluations? The Windows NT line is as secure as commercial software should be (and scores higher than Linux on both evaluations). They (Microsoft) have chosen a different marketing approach utilizing an insecure default configuration, which, as any student of IS security would tell you, is superior, as it is more efficient to calculate the consequences of locking things than it is when unlocking things.

Need I remind you, no linux system has been formally validated at this time to handle data above unclassified. As I am sure you are aware there are standards that organizations must follow when dealing with data above the unclassified level. (By the way, NT does qualify)

[QUOTE=Glenshiro] I prefer IE. [/QUOTE]
IE is the most secure web browsing solution (not client) available for Windows.

By running IE as a less privileged user and locking it down (with regard to scripts and the like) IE will be safe to browse with.

The reason why it is more secure than other locked down browsers run as a less privileged user is that, since you can't remove IE, you've upped the system's complexity by adding the second browser. This gives the entire system less assurance; in practical terms it means that many exploits will be able to target the application they wish, and this means that your new browser and IE are both valid targets. (This however does not include browsing exploits, but since comparing those merely comes down to a conversation about bug counts, as most browsers offer the same types of security mechanisms, there really is no point.)

catch

[QUOTE=bh99mh]Hello there,
I need some mega help on another problem. I went over to have a look at my brother-in-law's 'sick' computer. It is Windows Me [/QUOTE]Windows ME is the type of development that offers the lowest level of assurance and falls under the lowest maturity level of the software development capability maturity model at best. I'm sorry to notify you but Windows ME offers no security at all.

[QUOTE=Young Teck 06]I sware to freakin god McAfee sucks totally. They have all of the updates, except for the latest virus update I need. I was supposed to get free Virus updates until next May, now look. They no longer support my version, well I'd be dam**d. Really, who agrees with me that this sucks. Basically, it tells me I have to pay $70 for a whole new copy of Internet Security Suite 2005. I could just cry, literally :sad:[/QUOTE]
If you are on a home network/system with no services, no firewall is required or even recommended.

Firewalls have two uses:

  1. Filtering ports, either by packet type or data content.
  2. Segregating network traffic.

I believe you have no need for #1 if you are not running any services, and if your network topology doesn't call for #2, running a firewall is not only unneeded, but to do so would be a poor choice. By adding a firewall in this environment you actually decrease the security of your system by increasing its complexity (reduced assurances, and just another application that needs to be trusted and kept current) and surface area. For example, a number of personal firewalls had/have issues of being broken by my particularly aggressive nmap scans.

It is important to only add counter measures in response to threats that justify them.

hmmmm, RPC, maybe you could send a screen shot of your WTM & netstat -ano >"C:\Documents and Settings\svines1972\Desktop\netstat_results.txt"