Varkk posted: It will help with the script kiddies who set up a scan of an IP range looking for vulnerable SSH boxes. They won't spend much time scanning every single port on every IP; instead they go for a few highly likely ones on each IP. Considering people who have SSH listening on the default port on the open internet are also more likely to have an outdated SSH or a weak password etc. Sure, if someone does a full port scan of your IP they will find SSH listening on port 34561 or whatever, but by the time they hit that port hopefully your firewall has already detected the port scan attempt and started dropping their packets.

This. Changing the ports is only a (small) part of an effective security posture.

-- Jan 30, 2013 22:41
Our auditors (thankfully) never recommended obscuring ports in that manner as a security measure.

-- Jan 30, 2013 22:46
Changing the ports only gets rid of those looking for SSH services to pop. If someone is directly attacking you, it is unlikely that changing the port will succeed at obscuring anything.

-- Jan 30, 2013 22:57
Varkk posted: It will help with the script kiddies who set up a scan of an IP range looking for vulnerable SSH boxes. They won't spend much time scanning every single port on every IP; instead they go for a few highly likely ones on each IP. Considering people who have SSH listening on the default port on the open internet are also more likely to have an outdated SSH or a weak password etc. Sure, if someone does a full port scan of your IP they will find SSH listening on port 34561 or whatever, but by the time they hit that port hopefully your firewall has already detected the port scan attempt and started dropping their packets.

You can do simultaneous TCP pings that can scan almost all ports at once. It doesn't actually take that long to scan an IP and 65000 ports. The only thing like this that even approaches security is to have something like port knocking enabled. But that is also a user burden to do. In general changing the default SSH port (or anything else) reeks of security by obscurity.

-- Jan 31, 2013 04:41
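
The claim in the post above, that scanning every port on one host does not take long, is easy to check for yourself. The following is an added example, not code posted in this thread: an asyncio TCP connect() scanner with a fixed pool of workers. It uses only the Python standard library; the host and port range are whatever you pass in, and the demo under `__main__` binds a listener on a random port of 127.0.0.1 and then scans all 65535 ports to find it.

```python
import asyncio
import socket
from typing import Iterable, List, Tuple


async def _probe(host: str, port: int, timeout: float) -> bool:
    """True if a full TCP handshake to host:port completes within `timeout` seconds."""
    try:
        _reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), timeout=timeout
        )
    except (OSError, asyncio.TimeoutError):
        # RST (closed), unreachable, or no answer before the timeout (filtered):
        # a connect() scan reports all of these as "not open".
        return False
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return True


async def _scan(host: str, ports: List[int], timeout: float, concurrency: int) -> List[int]:
    """Fixed pool of `concurrency` workers pulling ports from a queue, so memory use
    does not grow with the size of the port range (65535 tasks at once would)."""
    queue: "asyncio.Queue[int]" = asyncio.Queue()
    for p in ports:
        queue.put_nowait(p)
    open_ports: List[int] = []

    async def worker() -> None:
        while True:
            try:
                port = queue.get_nowait()
            except asyncio.QueueEmpty:
                return
            if await _probe(host, port, timeout):
                open_ports.append(port)

    await asyncio.gather(*(worker() for _ in range(concurrency)))
    return open_ports


def scan(host: str, ports: Iterable[int] = range(1, 65536),
         timeout: float = 0.5, concurrency: int = 200) -> List[int]:
    """Connect()-scan `ports` on `host` and return the open ones in ascending order.
    Raise the process file-descriptor limit (ulimit -n) before using a large concurrency."""
    return sorted(asyncio.run(_scan(host, list(ports), timeout, concurrency)))


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a listening TCP socket on an ephemeral port; the demo uses it as a scan target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import time

    srv, target_port = open_listener()
    started = time.monotonic()
    found = scan("127.0.0.1")  # the whole 1-65535 range
    elapsed = time.monotonic() - started
    print(f"open on 127.0.0.1: {found}  ({elapsed:.1f}s for 65535 ports)")
    assert target_port in found
    srv.close()
```

On localhost a closed port answers with a RST immediately, so the full range finishes in seconds; across the internet every filtered port costs a whole timeout, which is why the scanner runs many probes at once. This is the noisy connect() scan, not a half-open SYN scan: each probe completes a handshake and lands in the target's logs, which is exactly the pattern a rate-based firewall rule can count and block.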
Powercrazy posted: You can do simultaneous TCP pings that can scan almost all ports at once. It doesn't actually take that long to scan an IP and 65000 ports.

-- Jan 31, 2013 13:48
Manos posted: Port knocking is a pretty terrible idea as well: http://bsdly.blogspot.com/2012/04/w...t-knocking.html

I agree. But it does decrease your attack profile. If you take 10 equal systems, 3 of them apparently have no ports open, 6 of them have port 22 open and one of them has port 23 open, which ones are going to be getting attacked? Probably not the 3 with apparently zero services. But yes, I totally agree with that article on the 'dangers' of port-knocking and the firewall daemon etc.

-- Jan 31, 2013 20:38
It's a fun little exercise to do. Throw up a VM with port 22 open on it, and then later on change SSH to listen on another high-numbered port. You'll be amazed at the difference in the amount of traffic you'll see in the logs.

-- Jan 31, 2013 22:39
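
Both the "hopefully your firewall has already detected the port scan attempt" argument earlier in the thread and the log-volume experiment in the post above leave open what that detection actually looks like. As an added example, not code from the thread, here is a small detector over netfilter LOG lines (the iptables -j LOG layout: SRC=, DST=, PROTO=, DPT=) that raises one alert per source the first time it touches at least `min_ports` distinct destination ports within `window_s` seconds. The log lines are constructed for the example, and the syslog year is an assumption because the timestamp carries none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Fields of a netfilter LOG line. Only the fields used here are captured; the trailing
# optional group leaves dpt=None for protocols without ports (ICMP).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s.*?kernel:.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"(?:.*?\sDPT=(?P<dpt>\d+))?"
)

Record = Tuple[datetime, str, str, str, int]


def parse_line(line: str, year: int = 2013) -> Optional[Record]:
    """(timestamp, src, dst, proto, dport) for a netfilter line carrying a DPT field,
    None otherwise. Syslog timestamps have no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m or m.group("dpt") is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def detect_scans(lines: Iterable[str], window_s: int = 60,
                 min_ports: int = 10) -> List[Tuple[str, datetime, int]]:
    """Sliding window per source: alert (src, trigger time, distinct port count) the first
    time a source has hit >= min_ports distinct destination ports within window_s seconds."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, datetime, int]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, _proto, dport = rec
        window = recent[src]
        window.append((ts, dport))
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()  # drop hits older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= min_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(distinct)))
    return alerts


def _log_line(ts: str, src: str, proto: str = "TCP", dport: Optional[int] = None) -> str:
    """Constructed netfilter LOG line in the usual iptables -j LOG layout (sample data)."""
    tail = (f"PROTO={proto} SPT=54321 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0"
            if dport is not None else f"PROTO={proto} TYPE=8 CODE=0 ID=0 SEQ=1")
    return (f"{ts} gw kernel: [ 8812.301] FW-DROP: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=203.0.113.10 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF {tail}")


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 34561]


def sample_log() -> List[str]:
    """Constructed input: one host probing 12 ports in 6 seconds (a scan), one host hitting
    port 22 fifteen times (brute force, not a scan) and one ICMP line with no port."""
    lines = []
    for i, port in enumerate(SCAN_PORTS):
        lines.append(_log_line(f"Jan 31 04:41:{i // 2:02d}", "198.51.100.23", dport=port))
    for i in range(15):
        lines.append(_log_line(f"Jan 31 04:41:{i:02d}", "192.0.2.77", dport=22))
    lines.append(_log_line("Jan 31 04:41:03", "198.51.100.77", proto="ICMP"))
    lines.sort(key=lambda l: l[:15])  # chronological, as a real log file would be
    return lines


if __name__ == "__main__":
    for src, ts, n in detect_scans(sample_log()):
        print(f"{ts:%b %d %H:%M:%S} port scan from {src}: {n} distinct ports in window")
```

The host hammering port 22 does not trip this rule, which is intended: a brute force against one service is a different signal (failed logins in the SSH auth log) with a different response. The same sliding-window shape is what the iptables recent module or a fail2ban filter implements inline; this version is for going back over the logs after the fact, for instance to compare the port-22 and port-34561 days of the experiment above.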
Don't know if this is a better place for my question than the IT Cert thread, but I'm looking at doing CISSP. Any suggestions for good resources? I learn best by doing and hearing, rather than reading, but I'm not illiterate or anything. Guess I'm looking for a good video resource as well as reading material. Not sure what sort of labs are available but I guess I'll be working on figuring all this out ASAP. I have a fair amount of security background, probably not enough to not start out as an Associate, but whatever.

-- Feb 6, 2013 00:21
Martytoof posted: Don't know if this is a better place for my question than the IT Cert thread, but I'm looking at doing CISSP. Any suggestions for good resources? I learn best by doing and hearing, rather than reading, but I'm not illiterate or anything. Guess I'm looking for a good video resource as well as reading material. Not sure what sort of labs are available but I guess I'll be working on figuring all this out ASAP.

CISSP is a joke. There is nothing hands-on about it. The Harris book is terrible, so just skip to the bullet points at the end of each chapter. When taking the test, view each question as a manager or business type and not an engineer. You'll do just fine.

-- Feb 6, 2013 03:51
I'm working with my very first Snort deployment and I have a couple of questions. Can I ask here? Any of y'all experienced with Snort?

-- Feb 7, 2013 01:19
I've set it up a few times, and this would be the place for it. Ask away.

-- Feb 7, 2013 01:42
I'm knee deep in an Online Banking conversion, with an experimental product.

-- Feb 7, 2013 02:38
Well, I'm looking for a way to automatically give the WAN IPs that we are monitoring (internet-facing servers for web, mail, VPN, various other stuff) friendly names in my alerts, or at least ultimately in the executive summary reports that have been requested. We have a /24 block and are using about half of the addresses. The post-processing system I'm using (Snorby) can do reverse lookups, but that doesn't really help me, because I want the names of the servers that are mapped to the WAN IPs via NAT through our firewall. I of course have that NAT list, but I'm not sure how to get Snort/Snorby to use that information.

-- Feb 7, 2013 04:31
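
One way to do what the post above asks for, as an added example and not a feature of Snort or Snorby: parse Snort's fast-format alert lines, look up whichever side of the flow is one of the NAT'd WAN addresses in a table maintained from the firewall's NAT list, and count alerts per friendly name for the summary report. The NAT table, host names and alert lines below are constructed for the example (documentation address ranges, placeholder names).

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed NAT table: public (WAN) address -> internal host name.
# Assumes one static 1:1 NAT per host, which is what the firewall NAT list gives you.
NAT_NAMES: Dict[str, str] = {
    "203.0.113.10": "web01",
    "203.0.113.11": "mail01",
    "203.0.113.12": "vpn01",
}

# Snort "fast" alert format:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# Classification is optional and ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Fields of one fast-format alert line, or None if the line does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    for key in ("sport", "dport"):
        if alert[key] is not None:
            alert[key] = int(alert[key])
    return alert


def enrich(alert: dict, names: Dict[str, str] = NAT_NAMES) -> dict:
    """Attach friendly names. 'asset' is whichever end is one of our WAN addresses;
    inbound alerts name the destination, outbound ones the source."""
    alert["src_name"] = names.get(alert["src"])
    alert["dst_name"] = names.get(alert["dst"])
    if alert["dst_name"]:
        alert["asset"], alert["direction"] = alert["dst_name"], "inbound"
    elif alert["src_name"]:
        alert["asset"], alert["direction"] = alert["src_name"], "outbound"
    else:
        # Address in the block but not in the NAT list: keep it visible rather than drop it.
        alert["asset"], alert["direction"] = f"unmapped:{alert['dst']}", "inbound"
    return alert


def summarize(lines: Iterable[str], names: Dict[str, str] = NAT_NAMES) -> Counter:
    """Executive-summary counts keyed by (friendly name, rule message)."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is not None:
            enrich(alert, names)
            counts[(alert["asset"], alert["msg"])] += 1
    return counts


# Constructed sample alerts in Snort fast format.
SAMPLE_ALERTS = [
    "02/07-03:12:45.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:54321 -> 203.0.113.10:22",
    "02/07-03:12:46.001122  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:54322 -> 203.0.113.11:22",
    "02/07-03:15:02.555555  [**] [1:469:4] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.77 -> 203.0.113.12",
    "02/07-03:20:10.000001  [**] [1:2000000:1] Constructed outbound policy alert [**] "
    "[Priority: 3] {TCP} 203.0.113.11:25 -> 192.0.2.5:25",
    "02/07-03:21:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:54323 -> 203.0.113.99:22",
]


if __name__ == "__main__":
    for (asset, msg), n in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{asset:24} {n:4}  {msg}")
```

Unmapped addresses are reported rather than silently dropped, because an alert against a WAN address that is not in the NAT list is itself worth a question (a stale NAT rule, or a host nobody told you about). The same `enrich` step can be applied to Snorby's exported data if its alert table is read directly instead of the text log.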
Maybe this is the right place, not really sure. Anyone have any experience getting Google and whoever to stop thinking that you're a bot? They and Yelp apparently think my VPS is one for some reason, and I use it as a browser proxy. I don't see anything to indicate that it's sending malicious traffic (low net load, nothing odd running, and it was wiped clean pretty recently). The only other information I can find is a projecthoneypot.org record that shows 6 spam messages a year before I got it, with a disclaimer saying that it's probably now clean. The whois record is anonymized, which may be specific, but the block pages reference the IP and not the domain.

-- Feb 12, 2013 15:53
Anyone have a good list of blogs or sources of white papers they would be willing to share? I've been meaning to start trying to read up on more up-to-date info, and after reading this thread it dawned on me that some of you probably already have a list of "daily reads". It's starting to look like incident response investigations are going to become a much bigger part of my job in the future.

-- Feb 12, 2013 18:56
http://ccie-in-3-months.blogspot.com/ This is mostly networking oriented, but the RSS feed on the right links to a lot of security posts as well as VMware etc. Also http://www.insinuator.net/ for a more "infosec"-centric blog. Remember "security" isn't a discrete thing; it penetrates the entire OSI stack, so if you want to be "good" at security you should be somewhat familiar with everything computer related.

-- Feb 12, 2013 19:39
Martytoof posted: Don't know if this is a better place for my question than the IT Cert thread, but I'm looking at doing CISSP. Any suggestions for good resources? I learn best by doing and hearing, rather than reading, but I'm not illiterate or anything. Guess I'm looking for a good video resource as well as reading material. Not sure what sort of labs are available but I guess I'll be working on figuring all this out ASAP.

http://attrition.org/security/confe...ISSP-public.pdf

-- Feb 12, 2013 21:31
Fair enough. I can't argue with a lot of that, but I'm still probably going to look at getting the letters behind my name. If it's easy to cram for then I guess I really haven't lost much. I'm definitely not looking to claim that getting a CISSP will make me some super valuable security dude.

-- Feb 12, 2013 21:51
Martytoof posted: Fair enough. I can't argue with a lot of that, but I'm still probably going to look at getting the letters behind my name. If it's easy to cram for then I guess I really haven't lost much. I'm definitely not looking to claim that getting a CISSP will make me some super valuable security dude.

Don't get me wrong, I wasn't telling you not to get it. Just giving you the dissenting view so that you may temper your decisions.

-- Feb 12, 2013 22:07
Oh no, I definitely appreciate different viewpoints, and thank you for contributing. I know a lot of people in the local security field, so CISSP will help me get in the door with their employers/contacts; otherwise I probably wouldn't be bothering with it. It's entirely strategic on my part at this point. Definitely not the most noble of reasons to certify, but hey, a man's gotta eat. I'm also doing VCP in my spare time because that's actually what lights my fire and interests me most at the moment.

-- Feb 12, 2013 22:11
Stan S. Stanman posted: Anyone have a good list of blogs or sources of white papers they would be willing to share? I've been meaning to start trying to read up on more up-to-date info, and after reading this thread it dawned on me that some of you probably already have a list of "daily reads". It's starting to look like incident response investigations are going to become a much bigger part of my job in the future.

If you are going into incident response then you definitely want to check out Mandiant's webinars and blogs.

-- Feb 13, 2013 00:53
How did those of you that are working in information security get your jobs? I'm about to finish college with a B.S. in infosec, and as I'm looking for a position to start with, I'm just not finding entry-level infosec jobs, and/or anything that doesn't require 5+ years of industry experience, or experience with hardware and software I've never had the opportunity to use. I'll graduate as one of the most experienced students to complete the major, as I've won some competitions (including making it to the NCCDC), I teach the members of the IT Security club some things I've learned, and I had a great infosec internship, so I feel that I'd fit right in if I could find something. Most of the people that work where I want to end up started in some other field, and moved into security within the company. Is this the more common way to end up there?

-- Feb 18, 2013 16:26
Drunk Badger posted: How did those of you that are working in information security get your jobs? I'm about to finish college with a B.S. in infosec, and as I'm looking for a position to start with, I'm just not finding entry-level infosec jobs, and/or anything that doesn't require 5+ years of industry experience, or experience with hardware and software I've never had the opportunity to use. I'll graduate as one of the most experienced students to complete the major, as I've won some competitions (including making it to the NCCDC), I teach the members of the IT Security club some things I've learned, and I had a great infosec internship, so I feel that I'd fit right in if I could find something.

With a specialized degree like that, ignore the five-year requirements. I was hired as a contractor to help with annual SOX monitoring and testing and they liked me enough to keep me in security.

-- Feb 18, 2013 16:33
CISSP is great to have if you'll be doing work for the Department of Defense. Other than that, it's not really useful at all.

-- Feb 18, 2013 16:42
Drunk Badger posted: How did those of you that are working in information security get your jobs? I'm about to finish college with a B.S. in infosec, and as I'm looking for a position to start with, I'm just not finding entry-level infosec jobs, and/or anything that doesn't require 5+ years of industry experience, or experience with hardware and software I've never had the opportunity to use. I'll graduate as one of the most experienced students to complete the major, as I've won some competitions (including making it to the NCCDC), I teach the members of the IT Security club some things I've learned, and I had a great infosec internship, so I feel that I'd fit right in if I could find something.

I'd disregard lack of experience in your case and invite you straight for an interview, and I don't think I am alone here.

-- Feb 18, 2013 19:30
ming-the-mazdaless posted: I'd disregard lack of experience in your case and invite you straight for an interview, and I don't think I am alone here.

Good, hopefully someone in the giant pile of people I've shotgunned my resumes to agrees with you.

-- Feb 18, 2013 20:05
Drunk Badger posted: Most of the people that work where I want to end up started in some other field, and moved into security within the company. Is this the more common way to end up there?

I started as a teller at a medium-sized community bank and was lucky enough to work at the headquarters and be good with computers. Voila, I will be Info Sec Officer for the company before the end of the year.

-- Feb 18, 2013 23:33
CloFan posted: I started as a teller at a medium-sized community bank and was lucky enough to work at the headquarters and be good with computers. Voila, I will be Info Sec Officer for the company before the end of the year.

How long ago did you start?

-- Feb 19, 2013 00:23
Started as a teller in late 2010 and had a few promotions, moved to info sec last August.

-- Feb 19, 2013 01:51
Stan S. Stanman posted: Anyone have a good list of blogs or sources of white papers they would be willing to share? I've been meaning to start trying to read up on more up-to-date info, and after reading this thread it dawned on me that some of you probably already have a list of "daily reads". It's starting to look like incident response investigations are going to become a much bigger part of my job in the future.

I have a bunch of daily reads, but the best ones are the Mandiant blogs and Krebs on Security.

-- Feb 19, 2013 21:08
I have a general question that someone here might be able to answer; if it's out of place I apologize. This is just theoretical, for my own edification. For the attack where you freeze DIMMs with a can of compressed air, yank them out and dump the data, how exactly is the data stitched back together? Is the rank/bank/etc. information used to reconstruct portions of the system address map, or is the data viewed and stitched together without relying on that information? Basically, what assumptions about the DIMM addressing are used? It seems like the tricks DIMM vendors use to hide bad cells and system channel hashing would interfere with reconstruction if you rely on the address mapping, but I don't see how you'd go from unaddressed blobs to usable data without it. Am I making any sense or is my mental model of how this attack is done broken?

-- Feb 19, 2013 21:31
AIUI, you just plug the frozen chip into a device which powers it up and starts refreshing the cells. Then you can dump the contents of memory as the OS sees it, by physical address. You don't crack the chip open and read voltages out of capacitors or anything.

-- Feb 19, 2013 21:46
Drunk Badger posted: How did those of you that are working in information security get your jobs? I'm about to finish college with a B.S. in infosec, and as I'm looking for a position to start with, I'm just not finding entry-level infosec jobs, and/or anything that doesn't require 5+ years of industry experience, or experience with hardware and software I've never had the opportunity to use. I'll graduate as one of the most experienced students to complete the major, as I've won some competitions (including making it to the NCCDC), I teach the members of the IT Security club some things I've learned, and I had a great infosec internship, so I feel that I'd fit right in if I could find something.

I had my job description expanded to include it several weeks ago, and let me just say that I've learned I do not like network forensics. Network engineering and security have quite a bit of overlap, though, so it's not like I'm being shoved into an entirely different position. We have a full-time security guy who does daily and weekly audits of all of the logs, IDSs, and IPSs, while my other coworker and I worry more about implementing firewall and IPS rules and conducting incident response. Pretty much every security guy I've met has started out in networking and moved over to a more security-centered role, mainly due to the knowledge and experience requirements necessary to do anything other than bitch about using thumb drives. Networking is only a piece of it, though: you'll be expected to know about protocols at every level of the OSI model, how webservers work, the fundamentals of databases and how SQL queries work, and a general understanding of programming (especially as it relates to the platforms your applications run on), among other things.

e: This is all assuming you don't want to be one of those guys who yells at people for using thumb drives and not making their new passwords different enough from their old ones. Because gently caress those guys.

-- Feb 19, 2013 21:49
Jabor posted: AIUI, you just plug the frozen chip into a device which powers it up and starts refreshing the cells. Then you can dump the contents of memory as the OS sees it, by physical address.

You're handwaving over the part I'm interested in. "Physical address" from a core's point of view doesn't necessarily translate into a particular rank/bank/col on the DIMM. The memory controller is free to do all kinds of wacky poo poo to hide the system from the vulgarities of actually shuffling electrons. The DIMMs themselves have their own tricks to hide bad cells. All of which would confound an attempt to correlate a particular DIMM location with a system physical address. I can see how you could build up a map of likely translations (I can spot a PTE in a memory dump, no reason a machine couldn't) and try to work out the hashing, but it seems like far more work than these tricks have behind them, and it seems like "aligning random blobs" would be easier.

-- Feb 19, 2013 21:58
JawnV6 posted: I have a general question that someone here might be able to answer; if it's out of place I apologize. This is just theoretical, for my own edification.

RAM does not necessarily flush out its contents after power-down, but it "degrades" as soon as no more electricity is fed to it. In the case of a cold boot attack, you are unlikely to power the machine down without using normal OS means, so you end up with a more or less static snapshot of what is in memory at that time. The reason why you're freezing the memory is to slow down the degradation of whatever is left in memory, but you can still have success if you do it without cooling the chips down; it's just less likely. When you swap the module into another system (or the same one too) after having done so and then power it on, it still has the chance of having a good sizeable chunk of data that is accessible. It is at this point that you can use a minimalist operating system to read the data and dump it into a file that you can then later look at. The memory is stitched together as a typical memory dump, albeit with likely errors. It is quite a lot of work to remove the modules and then swap them into another machine, and it does require a lot more intrusion than it might be worth. If I were to go about performing a memory dump, I'd instead consider looking at something that uses DMA like FireWire. I would look at this tool if my answer didn't help: http://www.mcgrewsecurity.com/tools/msramdmp/

-- Feb 19, 2013 23:23
When you're dumping the memory, you're literally just reading off the bus the same as when it's talking to the CPU normally. Any tricks the DIMMs are doing don't matter, because they're still doing them. I guess the processor MMU could gently caress around with physical addresses to do something, but I don't know why it would; that's literally why virtual memory exists. Are you aware of any existing processors where the MMU screws with addresses before the virtual memory remapping?

-- Feb 20, 2013 02:31
psydude posted: I had my job description expanded to include it several weeks ago, and let me just say that I've learned I do not like network forensics. Network engineering and security have quite a bit of overlap, though, so it's not like I'm being shoved into an entirely different position. We have a full-time security guy who does daily and weekly audits of all of the logs, IDSs, and IPSs, while my other coworker and I worry more about implementing firewall and IPS rules and conducting incident response.

I started as desktop support, moved to sysadmin, and then networking back in 2006. I've been doing networking until last summer, when I finally started handling infosec. It's pretty startling to see how useful being a network person is for the transition to infosec if you've actually been learning things on the way. I agree with your last statement too. gently caress those self-important admin puke security types. With a chainsaw.

-- Feb 20, 2013 04:42
To expand on my background, before I got a job at the bank I worked as an IT tech at a college for three years. Little bit of everything there, but mostly networking. I can easily see how my background there has helped the transition.

-- Feb 20, 2013 05:06
If you really want to lock down thumb drives but ensure that users don't abuse them, it's fairly simple to ensure that poo poo stays put. Some ideas include:

- Disabling AutoRun across the board. A large number of infections can be prevented just by doing this.
- Ensuring that users are not local administrators when using thumb drives (this one makes me grind my teeth all too often for a number of other reasons too).
- Creating an audit log of whatever files have been copied to and from these drives.
- Using third-party tools to limit what can and cannot be retrieved from or stored on a drive.

It's somewhat asinine to go and outright ban thumb drives. I once worked in one place that did, and it was cumbersome when you did want to use one, as they wanted to inspect the drive before it was inserted. Of course, the software used to restrict them couldn't detect things like iPhones and other mobile devices, so people were using them to transfer files around.

I got into infosec after having worked in desktop support and then as a systems administrator for a number of years. I landed a job at an unnamed vendor and haven't looked back since. On the note of certifications, I had a CISSP ask me today why he couldn't detect a hardware keyboard logger using software.

-- Feb 20, 2013 08:39
What are some industry publications y'all read? It'd be nice to stay on top of the flavor of the month for different types of attacks.

-- Feb 20, 2013 14:05