NoShut.com - Technology

Three+ Things I learned at SANS 2010 - Info Recon - Sunday Edition

Tue, 16 Mar 2010 06:54:48 +0100

On Sunday I attended SEC550, Information Reconnaissance: Competitive Intelligence & Online Privacy. It is a one day class taught by Bryce Galbraith. He was clear that it�s early in it�s development, but it�s already packed full of great information and tools - much more than I will cover here. If you took the time to do a deep-dive on info recon it could easily be a multi-day class.

Here are a few items I took away from the class:
1. The explosion of social networks and personal/corporate information being moved online in the last ten years has taken the hunt for information about people and companies to a completely different place. It�s no longer about finding out where a website is hosted, what OS it runs, where someone lives or what a company is using for their accounting software - You can now gather large amounts of real information about people or organizations, dig deep through legal, public sources and correlate information people share freely with deep web and other resources to infer a complete picture.

2. Take copious notes when doing information recon. A tidbit of data you didn�t think was worth much could correlate with other data later to finish the puzzle.

3. The Deep Web is now a ocean of information. There are great gateway sites you can use to find different resources, including (the class had MANY sites and tools, here are a few highlighted): Black Book Online, Pipl, Searchsystems.net, EInvestigator

4. Google is still the premier search tool to find out tidbits of information about people, companies, etc. but there are many other search tools, which may locate other info. A reference for Google Hacking: Google Guide, A list of Search Engines over on Wikipedia: List of Search Engines

5. It�s important to keep your ethics/legal brain engaged when doing recon; you can slip into a zone of gray easily, and perhaps threaten the validity of your findings or risk breaking the law.

6. Ex or Current Employee Resumes on the Internet can provide a wealth of freely available information on corporations.

7. If you are interested in all those data breaches you don�t hear about, there is a maintained database on the web with the highlights: DatalossDB.

8. Social engineering is still in heavy use and cannot be discounted, either by it�s use as a tool, or it�s threat to your organization.

This course is packed with info, there is so much that it would be a big challenge to cover all the topics, if you are really interested it�s definitely a course worth attending.

Link to my 3+ Things Learned List series for the Legal class taught by Ben Wright.
Main Blog

Three+ Things I learned at SANS 2010 - Friday Edition (a bit late :^))

Sun, 14 Mar 2010 20:15:36 +0100

1. Case law may act as a example, but should not be used as a guarantee of result - each case is judged separately and often by different courts with different focus and understanding of the material, and although prior case law is a influence, it�s not a guarantee of result.

2. By looking at cases between similar nations (e.g. english speaking, 1st world nations with similar government structures) you might be able to derive information about how another nation�s courts might interpret a new situation.

3. Information gathered from questionable sources might be admitted in court - such as information gathered through activities that may themselves be illegal, such information gathered by a vigilante.

4. Scienter and Self-Help are important concepts in our legal system - acting with scienter is to act knowing that you are committing a wrongdoing. Wikipedia has a bit on this topic. Self-Help is acting on your own behalf without engaging law enforcement, Wikipedia also has a blurb on this concept.

5. Computer forensics work often requires licenses so it is important to understand the requirements in your state if you are to perform forensics work as a professional.

6. Being aware of international and state law boundaries/compliance is important when gathering evidence and attempting to pursue a situation, especially on the Internet since it crosses so many legal jurisdictions and there might be multiple overlapping law enforcement agencies.

Monday Edition
Main Blog

Things I learned at SANS 2010 - Thursday Edition

Fri, 12 Mar 2010 12:43:46 +0100

1. Every reaction to a situation can influence others to think of your organization as �good� or �bad�. Being open, transparent and taking responsibility quickly comes off much better than shutting down, seeming closed and acting slowly. Your organization needs to assure that at the end of the day people have a positive view of you, even if it means fessing up to major mistakes or wrongdoing.

2. Don�t tamper with a pre-existing records, especially logs and the like - rather than edit a pre-existing record, create a new one referencing the old one and the corrections you have. By doing it that way if the records are ever questioned it will not appear that they were tampered with.

3. Many civil actions and investigations (read: no jail time) can become criminal easily (read: jail time) if there is any evidence of fraud, tampering or misrepresentation.

4. Modern Auditors have a responsibility not only to validate things are correct and in order, but to also look for suspicious activity and ask questions which will help them locate fraud.

Plus over the last few days I�ve added a couple of new books to my to-read list: The Naked Corporation and Geekonomics.

One other thing I should mention is our class is taught by Ben Wright, who is a awesome instructor. It�s rare that you get a instructor who is as energetic and communicating as well on day four as he is on day one.

Friday Edition
Main Blog

Three Things I learned at SANS 2010 - Wednesday Edition

Thu, 11 Mar 2010 18:46:45 +0100

1. Breaching a contract in America is a economic situation, not a ethical or criminal one. The goal is to make the vendor or customer whole. It can have fall-out, and damage company reputation, but it is not a �go directly to jail� situation.

2. Force Majeure clauses are not a 100% protection. If you have a primary system and it fails with no backup you may still be liable if the system that failed was critical, and it was well within your control to have a backup. In the same situation, if you have a backup system, and both the primary and backup system fail, that may fall under Force Majeure since you made reasonable effort to make sure the system didn�t go offline. In other words when something falls under Force Majeure you can�t just throw up your hands and wait for it to fix itself.

3. The definition of Best Effort between the Legal and IT Realm are two different things - in Legal definition it is more than just �reasonable effort�, whereas in IT it is often �the minimum effort necessary�.

Thursday Edition
Main Blog

Three+ Things I learned at SANS 2010 Today - Tuesday Edition

Wed, 10 Mar 2010 11:10:54 +0100

1. Everything said when you are functioning in a legal context must be accurate. Period. Exaggerations or any false statements, even made thinking they are correct at the time can bite you later. Research and understand what you are talking about before commenting.

2. The Legal team needs to have a solid relationship and good communication practices with the IT group. Courts are relying more and more on the lawyer being able to speak intelligently about the organization�s capabilities to do things like recover documentation and what specific information would be needed to find the right data.

3. Your policies (exampled via data retention policies) must be modeled with all applicable laws and industry rules in mind - not just a single one, or a group of laws/rules/guidelines your specific industry is required to follow. By strictly complying to or fixating on one set of rules you could be breaking others or ignoring common sense. Remember the big picture.

4. Identification and Signatures are two different things and should not be confused. Signatures are �a symbol adopted with intent�, meaning that even items you might not think of as a signature (such as a email from your account to another person - or your name typed at the bottom of a message) might be considered legally binding depending on circumstance and intent.

5. When talking about Terms and Conditions - make sure everyone knows yours, and repeat them as often as you must in order to keep them known.

Wednesday Edition
Main Blog

Three+ Things I learned at SANS 2010 Today

Tue, 09 Mar 2010 11:24:29 +0100

Three+ things I learned at SANS 2010 (Legal Track) today:
1. Appropriately vague or tentative language is not a bad thing in security policies. What is the risk of writing a �must� into a policy, not delivering on the promise, then having to testify about your lack of enforcement in court or answer to it in a public forum?

2. Any effort to provide due care is better than no effort at all (e.g. having a security policy vs. not having one due to lack of enforcement concerns). Negligence when common sense states that there was a easy solution is bad - especially to a judge or jury.

3. Disclaimers, Terms of Service, and things like login banners should be used whenever possible. Words are cheap, and can save your ass. The key concept is to seek consent so that you can handle privacy concerns.

4. Handling a legal issue in the wrong way can turn into a PR nightmare. Decisions to take legal action should be ran through a PR filter to make sure it won�t stink when your opponents take their argument to the Internet.

Great class so far, loving the material and providing new perspectives.

Tuesday Edition
Main Blog

Free iTunes Apps

Fri, 27 Nov 2009 11:37:42 +0100

Being the Thanksgiving/Black Friday I took a look for the currently discounted to free iTunes apps (apps that are discounted to zero, but didn't appear to be apps that just bounce up from paid to free all the time).

Here is the list I created tonight:

Current Free Apps:
Sip-N-Store
doubledrop
Lucha Libre Matchup
iSoroban
Creepytown
Perdiemcalc
TweetL
Squeezer
Super Shock Football
Burning Man 2008
Indian Snacks (veg)
Arcade Hockey
Flit
FAce It!
Vocaform
Wash Tub Bass
Galleryify!
Formalogy
Recipes with Conversions
Bug Eat Grass
UpNext 3D Cities
Ink
Christmas Fun Bells
Easy Sale Price Pro
Scare my Puppy - Dog Whistle
Dweebs
Flashlights
iCrossFingers
Blutalk - Bluetooth chat app
Snow Queen - comic book
Post - Twitter app
Pocket Paradise -- soundscape creator
Urinals: The Game
Hot Dog Down a Hallway
FlickTunes
AAA Watch
Baby Animals - A encyclopedia game
Pudge
Color Converter
iChing 2go
An Android's Odyssey
Tides of War
Rocket Bird
Coffee Order
Bubble Trouble
GoParking
DronEze
DodgeDot
Mood Mouse -- Remote control computer App
CA Sales Control
Escape I
Bugs Bubble
Besieged

GCI iPhone Data / MMS Settings

Thu, 12 Nov 2009 01:34:46 +0100

Here are the settings I have found to work on the iPhone 3GS on the GCI (www.gci.com) Alaska cellular network. Note that my phone is running 3.1.2 installed using a Pwnagetool firmware bundle and 5.11 baseband w/ the Blacksn0w patch to carrier unlock it.

Note that after setting the settings for MMS, you should reboot the phone, then test.

Settings > General > Cellular Data Network > MMS
APN: mms.gci
MMSC: http://mmsc.gci.csky.us:6672/
MMS Proxy: 209.4.229.92:9201

Cellular Data Settings (Same tab in preferences):
APN: web.gci

All other fields should be left blank. At this time 3G data should be disabled.

If you need tethering or other profiles they can be downloaded at:
http://help.benm.at/help.php

iPhone 2.0 Update

Mon, 08 Sep 2008 12:24:22 +0100

Since it�s been awhile I figured I should update on my iPhone happiness status since last time I posted we were still in forced-hack land.

Since 2.0 lots has changed, here are the bullets I can think of off the top of my head:

Exchange - Exchange and the iPhone live happily together at last. It works well, in the spots where things might not work well together they left out the feature, which was wise. The basics are all there and they are executed excellently.

Appstore - The Appstore isn�t perfect, as a matter of fact it�s quite frustrating when trying to find applications of a specific type/category (other than overly general), under a certain price, etc.. They don�t give you the flexibility that a tool such as a application service should have in finding what you want. Now that I�ve pointed out the negatives, it�s a huge step in the right direction for the industry. Microsoft, Google, Palm, Symbianites, etc. and just about everyone else need to learn from their model� then improve it.

Application Availability - App selection (above and beyond the built-in apps) and stability have greatly improved. The appstore has taken ownership of almost everything that would be considered a non-OS modification hack and Cydia/Installer still retain all the good OS hacks including themes/system sound mods/etc..

Current state of the hack - The iPhone Dev Team has done a great job of providing the tools necessary to build your own custom firmware and load it onto your phone. Lots of tweaking ability built-in.

Alan's List of Best iPhone Apps

Tue, 01 Jul 2008 00:52:11 +0100

After reflashing my iphone a few times recently I've settled on a list of applications that I've deemed useful. I created this list for a coworker a week or so ago but thought it might be useful for someone out in the Internetland.

Tools:
Boss tool � INSTALL THIS FIRST � use it to move your applications, etc. to your main memory and off the systems partition.
Intelliscreen - The tool that allowed me to start using the iPhone again, it adds significant customization to your lock screen, including news, weather, SMS, email, Calendar, etc. and will also periodically remind you of events - such as if you receive a new SMS you can set it to vibrate the phone every five minutes. It is shareware, but well worth it IMO.
Books � E-book reader.
Convert � Unit Converter
Lockbox � password manager
Sendpics � email uncompressed pictures
TimeCapsule � backup utility
Sendsong � Sends songs over email, or moves them to ringtones (must be in a specific format)
Services �turn services on and off
SwirlyMMS � MMS software, I have yet to get it working with Dobson, apparently for AT&T you have to call and ask them to enable MMS on your iPhone account.
VNSea � VNC client
HP-15c / 12c / 16c � calculator emulator.
Yes/No � Makes a decision for you.
Syncstep � Syncronizes the speed of music to your walking pace. I haven't been able to test it yet but it looks promising.
SMBPrefs � Summerboard, Theme customizer for the iPhone
weDict � Stardict reader for the iPhone � I�ve added over 80MB of dictionaries/fact books/encyclopedias to my phone. Tons of info.. even knows what a OC48 and a Tapir is :^)
Respring � resets the springboard (your main interface)
Shutdown � shuts down the phone.
Twinkle - Just added this yesterday, it's a Twitter client that also support pictures. MobileTwitter is also available, but doesn't seem quite as refined.
NemusSync - Syncs your iPhone Calendar OTA with a Google Calendar. By using this in conjunction with Plaxo I have a updated work and home Calendar on my iPhone. It should still be considered Beta but I haven't found any major quirks yet.

Games I have installed - * indicates games that seem to be well suited for the iPhone and work correctly.
*Mahjong - Shanghai, good, but could use a bit of refinement.
Openttd � Transport Tycoon for Tycoon game fans
*Tris � Tetris Clone
Caissa � Chess Program
iCrossword
Domino
*Mines
Dictionary � Scrabble Dictionary
Parking Lot
*HTTouch � Texas Hold'em Poker
Icave - Clone of the original Palm game.
*Five Dice � Yahtzee Clone (Tanya's favorite iphone game)
*Chess � Based on Gnu chess
*Othello
*Puzzlemaniac � lots of little puzzles
*Lexitron � Text Twirl/Twist Clone - quickly becoming Tanya's favorite game
*Gemlogic � Bejeweled/Diamond Mine Clone
*Tap Tap Revolution � Tap to your music.
*iSolitaire - Good iPhone Klondike.
*Poddle � still in beta, but amusing.
Frotz � Z-Game emulator (Zork)
*Sudoku - Good Sudoku Game
*iPhysics � Physics engine that people have used to create games, very nice. Lots of plug-ins available from other sources
iDope � Dope Wars
*iGo � Go for the iPhone
Yeti3d � Doom-style game. Mainly a toy right now.

A side note:
If you owned a iPhone and attempted to hack it many months ago to no avail, or had fear of bricking it - those concerns seem to be largely dead today. Even though the standard disclaimer regarding dead phones comes with any re-flashing of a device the tools today have become pretty damn good as I mentioned in a previous entry. Plus, the software available on hacked iPhones has advanced enough so that I abandoned my previous work phone and am now back to using the iPhone full-time. I you hadn't read my rants about the iPhone before, I have carried it for many months now but had to carry a secondary phone that acted as my calendar since the iPhone wouldn't remind me of appointments, which is one of the things I count on my phone to do.