
Saturday, 30 Jul 2005

I don't really want to get into a huge discussion about the full disclosure issue that raises its ugly head every time a particularly juicy exploit hits the headlines, so I'll simply offer my general opinion:

Full disclosure is a good thing, so long as the vendor has been given enough time to reproduce the vulnerability and patch their code.

The amount of time causes as many arguments as the issue itself. For an excellent discussion on Full Disclosure read this article, written by the outspoken and eminent Mr. Bruce Schneier.

In short:

Michael Lynn wrote a presentation while working for ISS that demonstrated significant flaws in the Cisco IOS. Cisco threatened legal action (and carried out the threat) and Blackhat pulled the presentation and 2000 CDs containing the content. ISS bowed under pressure from Cisco and told Mr. Lynn to keep quiet. Lynn promptly quit his job and presented anyway - to rapturous applause.

Cisco (demonstrating true corporate idiocy) first denied that there was a vulnerability and then stated "Cisco believes that the information Lynn presented at the Blackhat conference today contained proprietary information and was illegally obtained."

So, who came out looking the worst?
Cisco acted badly, but they did what every big corporate would do, they called in the lawyers. It is obvious that their attempts to censor the security folks were always going to fail, but Cisco doesn't sell to the security folks, it sells to managers on the golf course, so they won't suffer permanent harm from this. Cisco's statement.

Michael Lynn acted correctly and with integrity, anyone who really considers the implications of what he did will agree. He needs another job, but that will be with the security folks and they mostly agree with him.

IMHO the real villains of this are ISS and Blackhat. They should have stood up to Cisco and backed their guy. They should have come to an arrangement with Cisco if necessary to allow them to release a patch in time and they should have done everything possible to keep Mr Lynn on side. They do sell to the security folks and they have had their reputation permanently damaged by their rotten handling of the whole mess. The ISS press release. The Blackhat statement apparently doesn't exist, and all references to the presentation have been removed from blackhat.com. However, they did leave the barest taster on the blackpage.

Here is a copy of the presentation pulled by Blackhat 2005 at the behest of ISS and Cisco. Enjoy it, wisely.

Tuesday, 5 Jul 2005

Now that the domain has settled it is time to start tidying it up. I performed an extensive domain cleanup operation before the upgrade, but this is limited to what NT4 domains can support. Now that we have an OU structure we must move the users into their geo-political OUs and start imposing the naming standards.

I wrote a small bit of code that runs as a second logon script to help with the filing. This code collects a small amount of information about each user and computer that will tell me where the user or computer is physically located across the 22 sites in the estate. I wrote another bit of VBScript that parses the output of the second login script and helps perform the actual "filing" of users into the correct OUs. After a few days I had collected enough information to run the "filer" and move most of the accounts (2800 that day).

When NT4 Domains are in-place upgraded very little information is available about user accounts to populate the rest of the available AD attributes. Further, the Name attribute (Name in the GUI, actually CN in the database) is the old NT4 account name (SAMAccountName), the actual logon account name (UserPrincipalName) is left blank and the UPNSuffix (computed from UserPrincipalName) is also empty. Worse, the old netware password sync data comes across too, and lurks incomprehensibly in the UserParameters attribute. More code was clearly needed...

I wrote another VBScript utility that copied SAMAccountName to UserPrincipalName and concatenated the UPNSuffix for the domain. The utility then set DisplayName to the values from GivenName and SN (Surname to us) and renamed the whole object to GivenName SN to comply fully with our new naming standards. I cleared the UserParameters attribute for a template user and then reset the dial-in permissions (that's where they are stored while the domain is in mixed mode). Finally, the utility cleared the UserParameters attribute for all users (there goes that pesky netware data) and copied the correct binary values from the template user to those that were supposed to have dial-in access.
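As an added example, not the utility from the post, here is one way the per-user steps described above could be written in VBScript against ADSI. The user DN and UPN suffix are assumed placeholders, and the copy of dial-in data from the template user is left out; the script also refuses to rename onto a CN that another object in the OU already uses.

```vbscript
' Added example (not the blog author's utility): tidy one in-place-upgraded
' NT4 account. Assumes the DN and UPN suffix below are replaced for the domain.
Option Explicit

Const ADS_PROPERTY_CLEAR = 1

Dim strUserDN, strUpnSuffix, objUser, objOU, objExisting
Dim strSam, strGiven, strSn, strNewCn

strUserDN    = "LDAP://CN=jbloggs,OU=Users,OU=Cardiff,DC=example,DC=local" ' assumption
strUpnSuffix = "@example.local"                                              ' assumption

' Read an attribute, returning "" when it is not set (Get raises an error then).
Function GetAttr(obj, name)
    On Error Resume Next
    GetAttr = ""
    GetAttr = obj.Get(name)
    On Error GoTo 0
End Function

Set objUser = GetObject(strUserDN)
strSam   = GetAttr(objUser, "sAMAccountName")
strGiven = GetAttr(objUser, "givenName")
strSn    = GetAttr(objUser, "sn")

' 1. Logon name: NT4 account name plus the domain suffix, only when still blank.
If strSam <> "" And GetAttr(objUser, "userPrincipalName") = "" Then
    objUser.Put "userPrincipalName", strSam & strUpnSuffix
End If

' 2. Display name from GivenName and SN, only when both are present.
If strGiven <> "" And strSn <> "" Then
    objUser.Put "displayName", strGiven & " " & strSn
End If

' 3. Drop the netware sync data. userParameters also carries Terminal Services
'    profile settings, so only clear it where those are not in use.
objUser.PutEx ADS_PROPERTY_CLEAR, "userParameters", 0
objUser.SetInfo

' 4. Rename the object to "GivenName SN" via the parent container; a comma in
'    a name must be escaped in the RDN. Skip the rename on a name clash.
If strGiven <> "" And strSn <> "" Then
    strNewCn = "CN=" & Replace(strGiven & " " & strSn, ",", "\,")
    Set objOU = GetObject(objUser.Parent)
    On Error Resume Next
    Set objExisting = objOU.GetObject("user", strNewCn)
    If Err.Number = 0 Then
        WScript.Echo "Name already used in this OU, not renaming: " & strNewCn
    Else
        Err.Clear
        objOU.MoveHere objUser.ADsPath, strNewCn
        If Err.Number <> 0 Then WScript.Echo "Rename failed: " & Err.Description
    End If
    On Error GoTo 0
End If
```

Run it against a single test account first; the rename changes the object's DN, so anything that stored the old DN (group scripts, the filer output) must be re-read afterwards.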

At the end of this, all the user accounts looked like they had been created in the AD to start with and were far easier to find and work with. The netware password sync data had been causing an fpnwclient.dll not found error on the administrative workstations, and that was also now gone. Success.

The next phase is to populate more of the object attributes in the AD and integrate other directories, all the time moving ever forwards to that mythical single list. The first target is the HR database, where I will integrate job title and manager details; after that I will integrate the telephone list and the helpdesk support tool.

Imagine a world where your desktop phone is wherever you are. At the office, in a meeting, at a client's site, at home; customers and your boss can always get hold of you. Now, imagine a world where the call centre consists of 500 people, all working out of their houses.

Notwithstanding the stress, productivity and health and safety issues of the above, both worlds are here now, and have been for some time.

Voice over IP (VoIP) is the technology that provides these minor miracles, and businesses are moving towards it in droves. With a reported return on investment of under 2 years (Gartner) it is also one of the few technologies that provide relatively fast payback.

Typical VoIP infrastructures also provide Power Over Ethernet (POE), so the immediate benefit to be had is during an office relocation. Suddenly, we need far fewer ethernet ports and power points per desk (at a cost of around £50 per port). Cisco has published figures indicating that during in-house development of VoIP it saved over £300 per employee - although for these numbers we expect a certain number of permanent desks were replaced by hotdesks!

Other immediate savings include the removal of intersite call charges and rental fees on the PBX, but the big improvement comes in productivity. Sage Research reported in 2005 that full convergence of audio, video and data services results in 45% increased performance.

For most of us, the decision to move to VoIP now is largely a no brainer. Allow for that office move, planned upgrade of the network hardware, the cost of calls to the new site in Outer Mongolia and the PBX lease coming up for renewal and only the foolhardy would stick with the old systems.

Kelly and I went to see U2 at the Cardiff Millennium Stadium the other night. U2 were supported by StarSailor and the Killers, both of which I have seen live before, but U2 live are a first for both of us, so we were pretty excited.

StarSailor opened and played the usual tracks they do live. It is a shame that even though they have been around for a while now, they still haven't really matured as a live band and it was a little like watching McFly at one of their early gigs, severely lacking in confidence or charisma. The venue didn't help as CMS has lousy acoustics and the roof had been left shut, so the sound imaging was all over the place.

The Killers put on their usual crowd-pleasers and we were, well, pleased. The apparently diminutive lead singer struts about on stage with too much mascara on and really belts out the tracks, turning out a near identical gig to the set performed at Glastonbury the previous week. The Killers have excellent stage presence, and even allowing for the fact that the whole stage had been set up for someone else, it was still a good gig and worth seeing.

U2 came on a little late and pulled material from possibly every album released, but it wasn't until about a third of the way in that we had the real surprise, when the whole of the silver 'hoarding' forming the rear of the stage suddenly became a huge pixelated screen, about 100 foot square. Each pixel was made up of what looked like (from where I was) a 6x8in LCD with a horizontal/vertical gap of around 4in to the next column/row of screens. I can't imagine how complex the electronics are on a unit that size, and the logistics involved in moving it and the rest of the stage around from gig to gig are staggering.

The set itself was typical U2, lots of tracks we remember from the 80s and 90s and some new stuff to keep us buying the albums, with a large chunk of politics mixed in for good measure. Normally I dislike politics at a gig, the only exception being Glastonbury, and I will not tolerate it from the likes of Madonna (no one who encourages us to join a cult should be allowed on stage anywhere). U2 introduce their politics with feeling and with logic, and while there is a little cringing to be had to ensure the message gets across to the most cynical, it is all perfectly acceptable as U2 is still without doubt one of the world's greatest ever rock bands.
