TechWiseTV

This has nothing to do with our IPv6 show (Episode 23 - Viewers Choice) but it is a very entertaining tune for networking geeks:

Well...it's over. Voice Con 2008 Orlando. This was my first voice show I have been to. Truthfully, I have never been much of a voice Dude. My interest have been in Networking and Security. I have to admit that the folks at Voice Con really did a nice job running and setting up this show. Robb and I did a ton of interviews and the Cisco booth was really rocking. Not sucking up to kissing the company butt, Cisco really went all out. Contact Center was hot all over the show floor. Which was good for me, because I am not really captivated by Contact Center. I learned a lot and this field is really going to be hot especially, with enabling it SIP and Presence. I was impressed and that takes a lot, because Voice is not the interesting to me. Voice security is really taking a front and center. I tried to hack into a few voice systems (after the show floor closed) with permission from the vendors of course and I was impressed with the advancements in just a year.

Robb and I stayed at the Gaylord Hotel that I though was average. The food was mediocre and very expensive. Robb's room was next to a block group of Jr. High Cheerleaders that cheered all night and kept him awake. I might have been also, but I can sleep thru a hurricane and bunch of kids banging o pots-n-pans. Although we all (Robb, I, our Producer; Rick, Executive Producer; Brad and Production Coordinator; Terry went out and ate a good meal and smoked some seriously good cigars at the biggest cigar store I have ever seen in my life.

We also talked with the legendary Colin "Fluffy" Jennings the premier SIP geek at Cisco. Man that Dude is really tuned into the future of SIP and the future really something else. Robb and I had a great time. We both thank all of the folks that talked to us at Voice Con about TechWiseTV and recommendations moving forward. We are a customer facing show and we ALWAYS want to be about the customer.  Next up is RSA on the Spring/Summer show circuit in San Fran. I hope y'all stop by and say Hey to us.

Jimmy Ray

Our podcast on Security in a Web 2.0 World has been posted. I missed the blog entry on this due to VoiceCon last week and a few days with the family at the Kingdom of the Mouse. (can’t pass up a Disney opportunity while in Orlando...).

There are a number of security concerns with many of the technologies in use today and a combination of awareness and due diligence can go a long way in protecting both yourself and others. Jimmy Ray and I probably talk a little longer than we should on a podcast but I think the combination of both easy to understand privacy and human tendency issues plus underlying complexities in the code make this a valuable discussion for many.

Robb

Some folks just don’t get it. Ever try to explain what you do to someone that does not use a computer? It is as hard my trying to eat my mother in laws cooking making the “mmmmmmmmmmmm” sound. Now imagine trying to sell a ghost to someone. That is what it is like trying to sell security to folks that just do not “get” security.

Proving a network is ripe for attack is hard to do and even harder to catch if you are doing it in small increments. This is what we have to do most of the time if we are billable per hour. Many attacks come from Europe/Asia so when we are working, they are sleeping. Overseas hackers use this to their advantage. What I have had some success with is installing a Snort server with the C&C signature set from bleeding threats.com 

Then install this in monitor mode and come back to collect the data in a weeks time and sit down with the customer and analyze it. This hits about 3 out of 10 times. Sometime a week just isn’t long enough. A month is good, but that gets pricey. This takes a lot of effort on your part, so I would only do this if the deal size in large. If it is a small deal and not really worth the time and effort, I would get the customer (non-technical management) to review some data at some United States Government orgs like:

- "http://www.us-cert.gov/cas/tips/ST06-001.html"http://www.us-cert.gov/cas/tips/ST06-001.html

-http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm"http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

Geek sites are good for geeks to show them solid data. My fav is:

www.shadowserver.com

I avoid vendor sites for proof points. Mainly because that is like a car dealer asking; “What can I do to put you in this car today?” But in the end, some folks just do not get it. I can think of 10 customers of mine that did not get security and thought it could not happen to them. They would argue and resist security at all turns. All ten were hacked, some of them very badly and without exception, that entire IT staff and management was fired, the company fined plus the bad press and loss of customer confidence did them in within 18 months after the attack. It is sad to see this could have been so easily prevented. I would adjust my expectations if you believe you can catch a hacker in the act. It is certainly possible but very rare. Many of the hackers I have caught have been from post analysis of my honeypots. I have config'ed my devices to email when a certain hacker groups are active on my gear, but many times, I am sleeping or watching Futurama, so it is more of a passive method...

Jimmy Ray

New podcast posted on the value of honeypots...check it out.

Nuttin' Honey

Remember that commercial where some goober is sitting down eating cereal and his wife ask him what he is stuffing his gourd with and repeats over and over "Nuttin' Honey" while she keeps getting more angry, then she goes and grabs a crowbar and...or wait maybe the is the GTA version...

Anyway, I think we all know the best knowledge is field knowledge. Field knowledge trumps book only knowledge by a factor of 100:1. When it comes to security, reading it from a book is a good start or really more of a primer on security but certainly not the best way. Consider that it takes over a year to get a book published, the material you are reading is long forgotten by hackers and they have moved on to something new. I think that is why podcasting is so popular. It is fresh, up to date and certainly takes up less space on your book shelf.

Robb and I just finished a podcast on honeypots. I would say we "demystified" honeypots, but Robb has a trademark on that word and his wife can beat up mine, so... If you are not familiar with honeypots, they are basically traps to monitor (not catch) hackers. Honeypots present a target for a hacker to hack that is very low risk to us. Now we can sit back and monitor. Honeypots give us a real world jump start into what is happening in OUR region with regards to hackers. Different areas/businesses tend to attract different types of attacks. A honeypot really levels the playing field and allows us to learn from hackers actually practicing the craft in real time. Hey it is like going fishing with Bill Dance or riding along with
NASCAR driver Jimmy Johnson.

There are a few different types of honeypots and methods to consider when building a "honeynet" Robb and I go over this and discuss some of our tips and tricks in creating a honeynet. Nothing beats learning the tricks of the trade by the folks that trade in it. Robb and I both strongly recommend setting up a honeypot to increase your skill set. But heed the cautious we bring up in the podcast.

Hey, Robb and I will be in Orlando at Voice Con next week. Stop by the booth and say hey ya. Robb has an open AMEX card so we will make him buy the beer!

Jimmy Ray

I always thought well Jimmy Ray has the brains on the team but it least I have the looks...(in my mind anyway)...but it was JR that got his darn picture in Network World.  The writer Mathew used quotes from both of us a few weeks back which was way cool.

Check out the article: Should You Hire A Convicted Hacker?  Cisco and many other majors won't employee any ex-cons; nevertheless, security experts from the dark side are finding their expertise is in quiet demand.  InformationWeek (March 11, 2008)

I love Astronomy. As a young barefoot punk kid running thru the hills of Tennessee, I stopped many times to stare in wonder at the night sky. I lived way back in the woods so the sky was full of stars unhindered by light pollution of a big city. When I was in the United States Navy, I used to walk out on the deck at night and stare up at the sky and it was amazing. (plus I worn night vision glasses and used to scare the crap out of crew members...blog for later...) Navy ships run under a condition called; "Darken Ship" at night, so they actively try to make the ship as dark as possible. This means hundreds of miles out to sea with the only light being the stars...well...lets just say it is an experience that will leave you speechless.
So I jumped into the study of Astronomy bigtime. I love the absolutely huge numbers. I love it so much I have actually applied for a Grad program in Physics. The distances are measure by units of light, the cold is measured in Kelvins, it is just a study of massive numbers I am hooked. However, I am a networking Dude and like any networker, I look for trends. I started to notice a trend in astronomy that when something can not be explained, astronomers say an asteroid hit it.  These deviants of the galaxy seemed to cause many problems. For example:
    - Tilt of Uranus is 60 degrees. Asteroid must  hit it
    - Rings of Saturn are there because many asteroids hit they just happened to be close to Saturn
    - Dinosaurs died because of an asteroid
    - TechWiseTV guest farted on camera because they were thinking about asteroids...OK that was me
The mantra of some astronomers seems to be, if you can not explain it. Then a asteroid hit it. I think in the end, this is the problem I have with network analysis. It is junk science that has not been researched that well other then to grab a quick headline that is designed to be scanned and not read. For example in June 2003, Gartner stated:
Information Security Hype Cycle, IDSs have failed to provide value relative to its costs and will be obsolete by 2005. The Gartner Information Security Hype Cycle shows that IDS technology does not add an additional layer of security as promised by vendors. In many cases IDS implementation has proven to be costly and an ineffective investment.
Interesting...
Then just last month Robert Jamison the Undersec to National Protections Programs stated:
"Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system."
Junk science. Now all the folks that listened to this, are having to go back redo/relearn and retool their networks. Unless an asteroid hits the data center...

Jimmy Ray

We had a lot of fun working with Alok Agrawal on Network Admission Control Design. We taped this back in February, you can read our blog notes as well as the show notes on the wiki. You can register to see it live today at 10 PST or come back for the archive which should be posted by tomorrow.

Great Podcast on 'Becoming a Hacker' released today. Check it out!  This is based on one of the top questions that Jimmy Ray gets whenever he demonstrates his hacking prowess.  What does it mean to be a hacker and what does it take?  This is interesting stuff based on the Feb 4 Blog Entry ‘I wanna be a hacker in 5 steps or less’ Check it out and let us know what you think. 

Now Jimmy Ray is one of the most ethical hackers I know. He likes to dig in and see how things work.  He likes to see how things fail and he is very good about learning from others. 

He also knows how to find wireless access when he needs it.  Note that he is on his porch in Wisconsin...he is usually in the code cave (see picture above) with no windows...must be a warm day, but notice the pale skin...dead giveaway...

All our podcasts can be found here.

I love this picture. It is a picture of
Earth taken by Voyager 1 in June 1990, before Voyager disappeared into the vastness of space only to resurface in the 24th century to attack Earth looking for the creator. This picture taken from approx 4 billion miles away.  Consider that all of history, all the advancements and failures have been accomplished right here.

Sometimes, it is the little things that really matter. This is no more true then in the area of wireless. Many of us know the more common wireless attacks today, but it is the little things we overlook that get us.

I have been playing around with using RTS/CTS to attack wireless networks. This attack is a little different because RTS/CTS frames are control frames and not management or data frames like most of us are used to attacking.

RTS is a request to send frame that is sent by the client to the AP to let the AP know that the client has a large transfer to send and it does want the other clients to cut it off during transmission. That would be cool to have around the supper table with in-laws! When I start telling a gripping tale of my latest fishing exploit that I know everyone is just dying to hear, I do not need drunk cousin Frank to interrupt my transmission with another song he learned on the air guitar.

RTS <AP: Frank>

...One time I was using a Rapala bait and...

CTS is sent by the AP to tell the clients to shut up a second so a client can transmit.

CTS <The rest of you goobers>

Now you can most likely see the DOS attack here. Send an AP a RTS frame and allow it to send CTS frames for you to act as an auto destruct. Kings to Queen level 1...

Keep a look out for this one on your network. Here in the Code Cave, I have been playing with this and I am amazed at how easy this attack is. It is easy to see when it is happening and there are some countermeasures which we will have to demo in the next show.

Jimmy Ray