I was recently engaged to help remediate some exposures found during the preparation for PCI DSS compliance reporting. They had run an external vulnerability scan with Nessus so that they could find exposures and fix them before the “official” scan was run.

Several vulnerabilities were found that would have caused the organization to fail their external vulnerability scan. Many of the vulnerabilities were due to an open port on the server. Several cross-site scripting vulnerabilities were found. Sample code from one of the installed applications was publicly accessible.

As we were working through these issues, a common theme came up.

How do we fix Issue X so that we pass the scan?

Now think about that a minute… Approaching the vulnerabilities with this attitude is kind of like fixing a flat tire with Fix-A-Flat. It may work, but you should still have the tire looked at by a professional.

Here’s a specific example from the vulnerability scan. Port 8080 was publicly available on the web server. Several vulnerabilities were found on 8080. It was suggested that we just block 8080 at the firewall. Sure that would work to keep the problems from being found in the external vulnerability scan. But is that the right fix? No.

The right fix was to harden the server by shutting down any unneeded services and to block an unneeded ports on the firewall and uninstall the sample code from the server and institute change control on servers and firewalls and ……

My final recommendation? Take steps to think beyond compliance requirements. Checkboxes and automated scans are helpful, but nothing replaces good analysis and testing. Meeting compliance requirements is a good starting point, but don’t omit really knowing the risks your organization faces.

- Dan

In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the Web Application Penetration Testing and Ethical Hacking course. It was a 6 day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors.

My overall impression of the 6 days of this course is very positive. Kevin is an engaging instructor, who uses real-world examples to drive home important points. Like the rest of us, he sometimes veers off on tangents. I found these tangents entertaining!

What’s the most significant thing I learned from taking this course? First off, I came away with an awareness of some of the things that I still do not know. Second, I have a much better understanding of what good practice is when developing a web application. Third, I now know enough to be dangerous with testing, and I need to actually start using what I’ve learned.

Ok, so that was 3 things that I learned!

Here is a brief overview of what the course covered:

• The course starts at the beginning with a review of some basic web application and penetrating testing concepts.
• The next day walks through gathering information about the organization and application (recon and mapping).
• The third day covers discovering vulnerabilities and weaknesses in the application (server-side discovery).
• Day 4 addresses vulnerabilities and weaknesses in the client-side piece of the application.
• Day 5 is where exploitation of the previously discovered vulnerabilities is taught.
• Finally, Day 6 is the culmination of the learning with a Capture The Flag exercise. This was done in an isolated network environment where we had to discover and exploit vulnerabilities in some common web applications. The goal was to find certain specific pieces of information – the “Flags”.

I highly recommend this course for anyone needing a better understanding of web applications and how to find vulnerabilities in them. Much of the class is spent learning how to use automated tools such as proxies, scripting, and injection/cross-site attacks. it is very hands-on.

Beyond just the technical aspects of the course, there are always people who enhance the learning. I found the folks sitting around me to be valuable contributors to my learning. Asking questions and working together to find answers is very beneficial. Thanks Kevin, Tim, Justin, Brian, Patrick, Craig, Richard and others.

Go to the conference. Take the class. You will enjoy it.

- Dan

Taking the GSE

One of the primary reasons that I went to Las Vegas for NS2011 was to take the GIAC GSE hands-on lab exam. A huge motivation for me is that I hold several certifications, all of which need to be re-certified every 4 years. Holding the GSE would mean only having to re-certify one.

As of the time of writing this entry, I do not know whether I passed or not. If not, then I am hoping to be in Orlando in spring of 2012 to do a re-take.

Earning the GSE requires both a written exam and a hands-on lab exam. I passed the written exam in late summer. That qualified me to sit for the lab exam.

———–

There were 11 of us who took the lab exam. It was quite a mix of folks. My brother and I both sat for the exam. Most of us were from the U.S., but there was also representation from Egypt, Australia and New Zealand. I really believe the most enjoyable part was getting to know some of the other test-takers.

I really cannot share much about the lab exam itself. We were required to agree not to share details. The GIAC GSE webpage does give a pretty decent high-level listing of what you need to know and be able to practice.

How did I feel about the exam? It was tough. I choked on some things that should have been very simple. My time management was terrible. The most difficult part was not knowing exactly what we would be expected to demonstrate.

Yep. I’ll do it again if I didn’t pass. It’s worth the work of preparation and the stress of taking the exam.

- Dan

The Travel and Town

I had the opportunity to attend SANS Network Security 2011 in Las Vegas from September 17-25. I attempted the GSE Lab exam the first two days, and then attended SEC542: Web Application Penetration Testing and Ethical Hacking.

The flight to LV was pretty uneventful. As we flew across the western plains, these circles were plentiful across the ground. These are crop circles from aliens, but rather from irrigation pivots. This area has been suffering from drought, but irrigation helps as an equalizer. When we flew across Arizona, we could see the Grand Canyon out the window. Here is a picture of some irrigation circles…

This was the first time that I had actually stayed in Las Vegas. I’ve driven through before, but never felt a need to stay. After being there for several days, there is no strong desire to make this a regular visit.

The conference was being held at Caesar’s Palace, but by the time I called to make a room reservation, there were no rooms available for the first two nights. So, I stayed across the street at Bally’s. Just like most hotels in Las Vegas, a casino is a part of the experience. No, I didn’t lose any money in the slot machines!

The cost of food at the hotel/casino restaurants was more than I really wanted to spend and generally of a style different that want I care for. So, if I was not going to starve, I needed to find someplace else to eat. Using a great variety of apps on my iPhone, I searched and finally found what I was looking for (quite like U2, I suppose) down the street.

The walk down The Strip after dark is an experience. It was packed with people! Some were down-and-out. Others were trying to give the impression of a High-Roller. Most had adequate clothing on. Others looked like they were in a “Who Can Dress The Sluttiest” contest. Some were speaking English. Many were not. Most times the sidewalk was packed shoulder-to-shoulder with people.

I took the time to walk around Caesar’s Palace where NS2011 was being held. It is an opulent place.  Here’s a picture of the sports betting area…

One end of Caesar’s Palace featured the Forum Shops. It is basically an up-scale shopping mall. As you would expect, there is a Roman theme to everything. This fountain was in the middle of an intersection…

…

When it came time to make the journey home, I was ready. There is a bus that shuttles visitors between the hotel/casino and the airport. The pickup time at the hotel was about 2 1/2 hours before my scheduled departure time so it seemed there would be plenty of time to make the flight.

So, you can imagine my surprise when we arrived at the airport and came upon one of the longest lines I have ever seen… I was even more surprised at how fast the line moved!

In the end, the trip back was uneventful. As John Denver said many years ago, “It’s good to be back home again. Sometimes this old house feels like a long lost friend.”

Check back in a couple of days for Part 2.

- Dan Strom

Some days are more interesting than others.

Monday, August 29, 2011

Interestingly, I found nothing of real interest on the Internet today! Let’s see if Tuesday is any better…

Tuesday, August 30, 2011

More research on global warming. I doubt Al Gore supports it. – Sun Causes Climate Change Shock

According to Al Gore, climate change skeptics are racist. That’s an interesting leap of logic. – Perry Vs. Gore

Wednesday, August 31, 2011

Leaders should be willing to communicate, even when it is not required. This looks like a lesson that Cook has learned from Jobs. – Like Steve Jobs, Apple CEO Tim Cook Also Responds to His Email

APOD – Roll Cloud Over Wisconsin – We had one of these pass through Manhattan a year ago. My youngest son took a picture of it. View it here.

Determining the root cause can be difficult. Read this – How to perform a root cause analysis?

Thursday, September 1, 2011

This looks like Keynesian economics to me – Non Sequitur for 9/1/11

The best quote from this article, “The way children are grouped, which now occurs by their “date of manufacture,” no longer makes sense.” – Schools need help in raising today’s children, says education advocate

Pretty cool pictures of lightning here

Small businesses have a problem. They often have no money to implement appropriate security controls. They should read this tweet from Russell Eubanks

Friday, September 2, 2011

I’ve always wondered about the Magic Eraser. Now I know… – How do magic erasers get rid of stains?

’tis the beginning of the new school year. My mind is on things like…

Doing more with less
Maximizing results while maintaining effort
Reasonable protection

So, here are the links of the week.

Monday, August 22, 2011

Since my youngest is starting college today, this is of interest – Back to School: 15 Essential iOS Apps for Students

Tuesday, August 23, 2011

I really hope this is true. Maybe it would help Verizon lower their prices! – Sprint To Sell the iPhone 5 [REPORT]

Trying to achieve privacy and security in an open wireless network. Looks like some promising research – Baking Security Into Open WiFi Networks

Wednesday, August 24, 2011

If you don’t have the time to do your own research (and very few of us do), there are many sources to help guide us in network security. Just one source is the NSA. Take a look at this guide that was referenced recently in a SANS NewsBites newsletter. – Best Practices for Keeping Your Home Network Secure

With winter coming, I’m hoping that someone I know will get one of these – Knit Vulcan Hat

This is not good for the reputation of being secure by default – Mac OS X Lion fails to check passwords when authenticating via LDAP

Have you read The Edge of Disaster by Stephen Flynn? Yesterday’s earthquake reminds me of examples from Flynn – Aging East Coast Infrastructure a Concern After Quake

Thursday, August 25, 2011

As they say in Star Trek Land, all good things… – Steve Jobs, Apple CEO, steps down

Universities seem to be a ripe environment for personal information to be lost. It’s interesting that an individual in the article blames Google for changing the way they find servers and documents. I think the real question should ask why are the universities not doing a better job of protecting the personal information of the students and staff, and why are they not aging information out of their systems. – Yale Social Security Numbers Exposed In Latest Case Of ‘Google Hacking’

If you use Facebook, you need to read this Guide to Facebook Security.

I would be glad to take your contributions toward the purchase of the Nelson Bible Reference Bundle from Logos.

Friday, August 26, 2011

Khan Academy looks to provide a series of academic videos. It is heavy on math and science. Take a look and see if it could help your student. – Khan Academy

Along the educational lines, I came across this article talking about Skype’s initiatives to connect teachers. Examples are given. If you are an educator, you should evaluate this to see if there might be application for you. – Skype Launches a Dedicated Network for Teachers

You’ve got to read this – Keynesian Economics vs. Regular Economics. If you get blocked by the WSJ paywall, then google “Keynesian Economics vs. Regular Economics” and find the cached copy from Google. Either way, it really helps understand what is driving the Obama administration.

Last week’s list was short due to being out of town.

Here’s this week’s list o’ links I found interesting…

Monday, August 15, 2011

I remember way too many of these things – 30 years of PCs (slideshow)

pentestmonkey.net had a post pointing me to A Sysadmin’s Unixersal Translator. It’s useful…

It will be interesting to see how this affects other manufacturers of Android devices – Supercharging Android: Google to Acquire Motorola Mobility

And if you cannot get enough of K-State sports, we’ve now got this – K-State Announces Ground-Breaking Launch of K-StateHD.TV

Note the subtle jab at Microsoft – Chinese Authorities Find 22 More Fake Apple Stores

Tuesday, August 16, 2011

I like this – inside information on Windows 8 as it is being developed. – Welcome to Building Windows 8

Wednesday, August 17, 2011

This interesting. It makes me wonder how this can be applied to companies… – How Musicians Are Engaging Fans With Location Tech

Yeah. I get tired of replacing batteries in my keyboard. May have to get one of these – Logitech Wireless Solar Keyboard K750 for Mac®

No real surprises in this report, but just a reminder of what still needs to be done – 2011 State of the CSO

Thursday, August 18, 2011

Could this be why Google bought Motorola? (from @martynasn on twitter)
- Larry, you’ve asked to buy Motorola. It’s done.
- Which model?
- Model?!

We’re all concerned about social media usage in schools. “Here are some guidelines for educators using social media effectively while maintaining professional boundaries.” – 3 Tips for Teachers Using Social Media in the Classroom

It’s not unusual for OS patches to cause problems. That is why many companies have policy that OS or program updates should be tested thoroughly before installing on production systems. – When Good Patches go Bad – a DNS tale that didn’t start out that way

You’ve seen it in the store and been curious about this… – How the Dyson Bladeless Fan Works

90% of the email I receive violates these 7 Tips for Writing E-mails That Won’t Get Deleted

Here’s this week’s list o’ links that I found interesting…

Monday, August 8, 2011

This has some very serious implications – Black Hat hacker details lethal wireless attack on insulin pumps

This is on my to-do list of things to watch – Off Topic: Creating Metasploit Exploit Modules Step By Step (Tutorial!)

Every system and/or network administrator should become familiar with these tools – 15 Incredibly Useful (and Free) Microsoft Tools for IT Pros

Not long ago I wrote about choosing an Android or iOS tablet. Here is an article discussing low-cost options – What $300 or less buys in a tablet

Tuesday, August 9, 2011

I’ve found the Windows Secrets newsletter useful for several years. You probably will, too. They have a free edition and a paid edition.

Wow. This is sobering and awe-inspiring. You’ve got to take the time to work your way through each installment as it is published. – World War II in Photos

From Dave Hoelzer… You Might Be Compliant… But Are You Secure??. This isn’t a new post, but it is still relevant. I’ve been thinking about this very thing as I work through the PCI DSS.

Here are some things I’ve found interesting this past week…

Monday, August 1, 2011

10 things I learnt from Daily Shooting – http://shoottokyo.com/daily-shooting/

I thought I had a great idea, then I found that someone else is already aggregating government contract opportunities. This is but one place I found – State & Local Government and Contract Opportunities – http://www.govcb.com/

Some people do find them valuable. – Do Facebook Ads Bring Customers? – http://www.inc.com/howard-greenstein/do-facebook-ads-bring-customers.html

I bought an external drive that was listed at USB 3.0 and compatible with USB 2.0. The first thing I noticed was a difference in the cable. So I headed to Wikipedia – http://en.wikipedia.org/wiki/USB_3.0

Tuesday, August 2, 2011

Years ago, I had a friend who was always providing strange facts. Seems like that friend has been replaced by the Internet. – What lives Inside Your Navel? – http://news.discovery.com/human/belly-button-organisms-110801.html

From the Freakonomics folks… – What Does Your Web Browser Say About Your I.Q.? (Hint: I.E. Users Won’t Like the Answer) – http://www.freakonomics.com/2011/08/02/what-does-your-web-browser-say-about-your-i-q-hint-i-e-users-wont-like-the-answer/

This is pretty interesting – Getting Bin Laden – http://www.newyorker.com/reporting/2011/08/08/110808fa_fact_schmidle

I enjoy reading what David Pogue writes. – The Perils of Copy Protection – http://www.scientificamerican.com/article.cfm?id=the-perils-of-copy-protection

Wednesday, August 3, 2011

What if he had succeeded? – Swedish man caught trying to split atoms at home

Thursday, August 4, 2011

Some days I just feel old. Dilbert doesn’t help. – http://dilbert.com/strips/comic/2011-08-03/

I don’t agree with some of this, but it is worthy of thought – White-hats are on the side of law, but not order

I’ve been using BackTrack 4 and a separate install for Nessus. Nessus is installed in BackTrack 5. Here’s how to begin using it. – Enabling Nessus on BackTrack 5 – The Official Guide

This is almost enough to make me subscribe to GigaOM Pro just so I can read more information – A sneak peek into Google’s servers and energy efficiency

Friday, August 5, 2011

Some folks I know can relate to this – Are You a Programmer?

This is pretty cool – Steelers coach sells Mercedes to team cafeteria worker for $20

We, too, have seen an increase in the cost of detection and recovery following an incident – The cost of cyber attacks is up 56%, study reveals

Many people claim creativity. How many of these characteristics do you possess? – 9 Attitudes of Highly Creative People

Things I found interesting this past week…

Monday, July 25, 2011

Now, if only Washington could resolve the debt ceiling and budget cuts issues… – Agreement in place; players will vote once document is done – http://www.nfl.com/news/story/09000d5d820f4c7f/article/with-agreement-in-place-players-will-vote-once-document-is-completed

This is one reason why I choose to use a Mac – McDonalds Wi-Fi Guide

Once again, those British newspapers tell us what we already know. I would have almost expected this in The Onion – Monday mornings so depressing you won’t crack a smile until 11.16am – http://www.telegraph.co.uk/news/newstopics/howaboutthat/8658968/Monday-mornings-so-depressing-you-wont-crack-a-smile-until-11.16am.html

Here’s another list of mistakes we make in information security – The 5 biggest IT security mistakes – http://www.networkworld.com/news/2011/072511-security-mistakes.html

Tuesday, July 26, 2011

By correlating information from disparate sources, you can infer much. This article shows that it is not just Google, Twitter and FaceBook that have private information about us, but the credit card companies do also. Seems like the privacy horse left the barn sometime in the 1980s… – Amex knows what you do not – http://www.stephencolman.com.au/blog/2011/07/14/amex-knows-what-you-do-not/

We’re hurting, but someone else is hurting worse. That always makes it better, right? – Apple COO Says iPads Are Hurting Mac SalesBut, he adds, they’re hurting Windows even more – http://technology.inc.com/2011/07/26/apple-coo-says-ipads-are-hurting-mac-sales/

Wednesday, July 27, 2011

Years ago, an old friend give me advice similar to #10 – 10 Public Speaking Tips For Introverts – http://www.psychologytoday.com/blog/quiet-the-power-introverts/201107/10-public-speaking-tips-introverts

Another interesting perspective for my job-seeking friends – A Simple Strategy for Acing a Job Interview – http://blogs.cio.com/careers/16404/simple-strategy-acing-job-interview

Thursday, July 28, 2011

And now for some good news from Arlan at Farm Futures – Unemployment claims drop

This would seem – Restaurant Breach Leads to Fraud – http://www.bankinfosecurity.com/articles.php?art_id=3899

Google+ is forcing Facebook to advance in many ways. This is new – Facebook for Business – https://www.facebook.com/business

I enjoy the photography tips and ideas from Kent Weakley. This one is especially important for the non-professional photographer who primarily uses the lens that came with the camera body – 5 Ways to Max Out Your Kit Lens – http://kentweakley.com/blog/5-ways-max-out-kit-lens/

BibleReader on iOS is one of the most used applications I have on my iPad2. I learned some things from these videos – BibleReader 5 Video Tutorials & Reviews – http://olivetree.com/learningcenter/br5/

Friday, July 28, 2011

Brian Krebs has some good advice here – Is Your Voicemail Wide Open? – http://krebsonsecurity.com/2011/07/is-your-voicemail-wide-open/

It feels good to reminisce a little about the Good Old Days – MS-DOS Turns 30: PCMag’s Original Interview With Bill Gates – http://www.pcmag.com/article2/0,2817,2389282,00.asp

No surprise here – Most organizations do not follow security best practices, survey finds – http://www.infosecurity-us.com/view/19737/most-organizations-do-not-follow-security-best-practices-survey-finds/