Digital Choke Daynotes

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.



Sunday, July 11, 2004

Today was 'now apply what you learned' day in the information security class sponsored by the SANS Institute. Good class; any SANS class is intense, well-taught, and worth the expense.

Our job today was to hack into several machines, getting access to four files, each with a hint to the final prize that must be accessed. The machines were a mix of Windows 2000 and Linux servers, typical of what you might find in a corporate environment. The servers were at various patch levels, most with security holes to allow us to apply what we learned in the previous five days.

Each student used their own laptop, but could work together in a small 2-3 person group if they wished. We were all hooked up via simple hubs to a switch, and the servers were connected to the switch. The only limitations to our efforts were to not hack each other, and not destroy (or fix) any vulnerabilities we found.

So, the class attacked. Some were faster than others, but most were able to use commonly available tools and exploits to get access to the systems, and "capture the flag".

Lessons learned. Patches and updates are important. Good password security policies are important. Good system administrator practices are important. User education is important. Good firewalls and system logging (read the logs!) are important.

If you don't do these things, your system can be an easy target. And, although this class was built for corporate security, most of the same lessons can be applied to home systems.

So, the class was excellent. Ed Skoudis, our instructor (and author of an excellent book "Malware: Fighting Malicious Code") was excellent. This guy knows his way around computer security, penetration testing, and white and black hat techniques. (He also wrote a book about hacking called "Counterhack".) The link is to his site where you will find information about his books, and some interesting hacking scenarios. Even if you aren't deep into information security, you might find his site interesting.

Tonight, a bit of relaxation and winding down. Tomorrow, the four hour drive back home. And then considering how to apply and expand on knowledge gained.

Tuesday, July 13, 2004

It's "Patch Tuesday". Here's what I sent as an alert to Dr. Jerry Pournelle:

It's the second Tuesday of the month, so time for the monthly Microsoft patches. This set includes several patches that mostly have to do with closing the ability to remotely execute a program.

They can be classified in two ways, depending on one's outlook:

"Wow! Look at all the patches that Microsoft released. They sure have a lot of security holes. I better use something else!"

"Wow! Lots of patches from Microsoft this month. They seem to be making progress in identifying and fixing security holes."

I use (as we do at work) Microsoft products. The patches fix holes. Install the patches on all workstations. Test them on the servers. I feel that you need to be a bit more careful with servers to make sure that patches don't break things. But I don't think it is wise to delay testing patches on servers. Witness the problems that those 'major sites' (and we still don't know who they were) had that didn't fully install the April patches, and were then the source of the 'download.ject' worm.

As for all the user workstations here at work, they will get the patches immediately after a quick test on a couple of test systems. And at home, I'll install them right away. (In fact, the home systems are set up for "automatic-do-it-now-don't-ask" installation of patches.)

For more information about the updates, one place to look is the Internet Storm Center's "Handler's Diary" for today. Good information there; it's one of the places that I check daily. The information is sometimes technical, but always useful.

So, the recommendation here is to get the patches. Of course, you're set up to automatically download and install the updates, right? So, you'll be all set by tomorrow morning. (I've got automatic update set to check daily, even though the updates are normally once a month.)

Then there is the pending XP Service Pack 2 (XP/SP2) set for release next month (August):

As for XP-SP2 update, Microsoft has announced it will be ready next month. The size will range from 60-95MB. Steve Ballmer says it will be installed on all new computers sold 'this fall'.

I'd like to see the update CDs sitting on the counter at all big computer shops. The stores could promote it "Come in and get your free XP-SP2 CDs, and we'll give you 10% off any single item". That could increase traffic and sales, more than offsetting the cost of in-house duplication. I'd also like to see the CD image available on public web sites. People could burn a CD at work (with their high-speed connection) then take it home and install. And it should be available to anyone, even those that have 'neglected' to pay for their copy of Windows.

In any case, as soon as it's publicly available, I'll be downloading and installing at home.

I'd recommend that you do the same when the time comes. If you are a network guy at work, then you ought to be looking at the Release Candidate to see its effect on your test network. It is inevitable that users, especially the travelling user and home worker connecting to your network, will install the updates. I don't think that there will be major problems with the update; I think that Microsoft has done enough testing to ensure that any problems will be minimal.

... more later ...

Entire Site Contents Copyright (c) 2000-2004    Two Bridges Group,   All Rights Reserved