Recently Amazon's EC2 service has experienced a bit of a hiccup (to put it mildly) and as I've been reading through samples of the coverage a few thoughts have been occurring to me. Judging by the articles I've read to date, it would appear that there's something in there for everyone with a thought/stake/opinion on cloud services.
The naysayers now have a new example to point to when they look for a reason to reject moving any operations into the cloud, and those in support of cloud have a new hurdle to overcome. I've got a feeling a whole new series of negative ads will follow from cloud service providers that want to let us all know exactly why this could never happen to them.
The likely reality is that the availability and uptime that can be achieved through a cloud service provider would still far outpace anything the majority of those now pointing at the current incident, as reassurance that keeping all services in house has been the right thing to do, could achieve on their own.
Any service interruption at the provider level is going to reveal its fair share of overly enthusiastic adopters who have pushed the limits of what should reasonably be entrusted fully and completely to the cloud. In response, expect an upcoming series of soapbox articles from the security geek peanut gallery pointing out the series of #fail.
As always, blindly dismissing or trusting any solution without performing your own due diligence seems silly. Learn to make the most of the information that is being released but also try to filter out the noise and the hype and consider the real implications to your specific situation.
Sunday, April 24, 2011
Wednesday, April 20, 2011
Search Remote Machines for Specific File
I know I have heard of utilities that provide remote search functionality but I was unable to remember the exact name of the utility. My Google-fu was insufficiently strong to find a utility that does exactly what I am trying to do, so this is the result:
This is a compilation of a few code snippets that I have cobbled together to meet my immediate requirements. To run the script and get useful results, the requirements are:
1. Must be run as an account that already has WMI (DCOM/RPC) access to the remote machines. The host firewall also has to allow that traffic and ICMP echo, since hosts that do not answer a ping are skipped.
2. Input file consists of a series of hosts, one per line, that will be iterated through. Blank lines are ignored.
3. Every local fixed drive on the target (Win32_LogicalDisk DriveType = 3) is searched; searching other drive types needs a change to that filter. The CIM_DataFile query walks the whole volume over WMI, so expect it to be slow on large drives.
4. Set the variables strInputFile, strFileName and strFileExt to match your input file and the file you are looking for (strFileName is the name without its extension, strFileExt is the extension without the dot).
Happy searching....
' filecheck.vbs
' VBScript program written to check for the file on a list of remote servers
' currently hard coded to exist in text file named servers.txt in same directory
' as this script
'
' This script assumes the currently logged on account has access to the WMI
' service on the remote machines. Each instance of a matching file on the
' remote system results in one line of output: hostname, then the file name
' including its full path.
'
' Every local fixed drive (Win32_LogicalDisk DriveType = 3) is searched;
' change that filter to include other drive types.
'
'
' Based off sample script by:
' ----------------------------------------------------------------------
' Copyright (c) 2007-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - January 2, 2007
' Version 1.1 - November 6, 2010 - No need to set objects to Nothing.
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit
Dim locobjWMIService, remobjWMIService
Dim listFile, fso, hname, colItems, objItem, driveItems, driveLetter
Dim strInputFile
Dim strFileName
Dim strFileExt
strInputFile = "servers.txt"
strFileName = "desktop"   ' file name without its extension
strFileExt = "ini"        ' extension without the leading dot
' Connect to the WMI service on the local computer once; PingMachine uses it.
Set locobjWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & ".\root\cimv2")
Set fso = CreateObject("Scripting.FileSystemObject")
Set listFile = fso.OpenTextFile(strInputFile)
Do While Not listFile.AtEndOfStream
    hname = Trim(listFile.ReadLine())
    ' Skip blank lines in the host list.
    If hname <> "" Then
        ' Ping remote computer to see if online (ICMP echo must be allowed).
        If PingMachine(hname) = True Then
            ' A failure on one host must not abort the whole run.
            On Error Resume Next
            Set remobjWMIService = GetObject("winmgmts:" & _
                "{impersonationLevel=impersonate}!\\" & _
                hname & "\root\cimv2")
            If Err.Number <> 0 Then
                WScript.Echo "Computer " & hname & ", WMI connect failed: " & Err.Description
                Err.Clear
            Else
                ' WMI query to retrieve the local fixed drives (DriveType 3).
                Set driveItems = remobjWMIService.ExecQuery _
                    ("Select * from Win32_LogicalDisk where DriveType = 3")
                For Each driveLetter In driveItems
                    WScript.Echo "Drive Letter " & driveLetter.DeviceID & " is Present"
                    ' WMI query for matching files on this drive. The WQL is
                    ' joined with & so the query is not split across lines.
                    Set colItems = remobjWMIService.ExecQuery _
                        ("Select * from CIM_DataFile where Drive = '" & driveLetter.DeviceID & _
                        "' and FileName = '" & strFileName & "' and Extension = '" & strFileExt & "'")
                    For Each objItem In colItems
                        WScript.Echo hname & "," & objItem.Name
                    Next
                Next
            End If
            On Error GoTo 0
        Else
            WScript.Echo "Computer " & hname & ", NOT available"
        End If
    End If
Loop
listFile.Close

Function PingMachine(ByVal strHost)
    ' Returns True if strHost answers an ICMP echo via Win32_PingStatus.
    ' Variable locobjWMIService has global scope
    ' and must be declared in the main program.
    Dim colPings, objPing
    PingMachine = False
    Set colPings = locobjWMIService.ExecQuery _
        ("SELECT * FROM Win32_PingStatus " _
        & "WHERE Address = '" & strHost & "'")
    For Each objPing In colPings
        If objPing.StatusCode = 0 Then
            ' Computer responded to ping.
            PingMachine = True
            Exit Function
        End If
    Next
End Function
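The same search written in PowerShell, as an added example that is not part of the original post. It assumes the same servers.txt beside the script and the same WMI access as the VBScript; Get-WmiObject talks DCOM exactly like the winmgmts: moniker, so the same firewall and permission requirements apply. The escaping helper is there because the file name and extension are interpolated into a WQL string, and a stray quote in either would otherwise break (or alter) the query.

```powershell
# search-remote-file.ps1 (added example, not from the original post)
# PowerShell equivalent of filecheck.vbs: reads hostnames from servers.txt,
# pings each one, then queries CIM_DataFile on every fixed drive over WMI.
# Assumes the running account already has WMI/DCOM access to the targets.
param(
    [string]$InputFile = ".\servers.txt",
    [string]$FileName  = "desktop",   # name without extension
    [string]$Extension = "ini"        # extension without the dot
)

# WQL string literals use backslash as the escape character, so escape
# backslashes and single quotes before interpolating a value into a filter.
function ConvertTo-WqlLiteral([string]$Value) {
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

$targets = Get-Content -Path $InputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

foreach ($target in $targets) {
    # Same reachability check as the VBScript's Win32_PingStatus call.
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        Write-Output "Computer $target, NOT available"
        continue
    }
    try {
        # DriveType 3 = local fixed disk, the same filter the VBScript uses.
        $drives = Get-WmiObject -ComputerName $target -Class Win32_LogicalDisk `
            -Filter 'DriveType = 3' -ErrorAction Stop
        foreach ($drive in $drives) {
            Write-Output "Drive Letter $($drive.DeviceID) is Present"
            $drv  = ConvertTo-WqlLiteral $drive.DeviceID
            $name = ConvertTo-WqlLiteral $FileName
            $ext  = ConvertTo-WqlLiteral $Extension
            $filter = "Drive = '$drv' AND FileName = '$name' AND Extension = '$ext'"
            # CIM_DataFile walks the whole volume on the target; this is the slow part.
            Get-WmiObject -ComputerName $target -Class CIM_DataFile `
                -Filter $filter -ErrorAction Stop |
                ForEach-Object { Write-Output "$target,$($_.Name)" }
        }
    }
    catch {
        # One unreachable WMI service should not stop the rest of the list.
        Write-Output "Computer $target, WMI error: $($_.Exception.Message)"
    }
}
```

Run it as `.\search-remote-file.ps1 -FileName desktop -Extension ini` from the directory holding servers.txt. If DCOM is blocked between you and the targets but WinRM is open, the two Get-WmiObject calls can be swapped for Get-CimInstance with the same -ComputerName, -ClassName and -Filter arguments; the WQL and the escaping stay the same.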
Friday, April 15, 2011
MS11-020 and Criticality ratings
Another good lesson in watching for patch criticality occurred this week. On Tuesday Microsoft released their load of 17 bulletins covering 64 separate issues and we were all left with the task of attempting to prioritize. At the best of times this isn't an easy task, and while it would be really nice if we could simply state 'patch them all now', the reality is that there is a finite number of staff and resources available to run these patches through QA, so being able to offer some form of prioritization is what realistically ensures that the most important patches are rolled out as soon as practical.
I have become a big fan of the additional guidance that Microsoft provides in terms of the exploitability index and additional technical detail. Likewise the folks at SANS provide a free resource at the Internet Storm Center. All these resources make our job of prioritizing a little easier, but it's important to keep a couple of additional details in mind. While the existence of an exploit in the wild is important, an exploit that requires a user to be tricked into opening a file or visiting a malicious site lessens the potential impact. On the other end of the spectrum, the potential for a vulnerability to be weaponized into the next big Internet worm needs to be kept in mind despite assurances in advisories that normal port filtering will prevent access to services such as SMB.
Strict formulas are good for getting a general sense of priorities, but it's important to conduct a triage that takes into consideration both the existing safeguards that lower these initial ratings and the potential for a vulnerability with no known exploit to be quickly turned into a serious threat to large portions of your infrastructure.
Today, MS11-020 was updated to a Patch Now criticality by SANS based upon notifications from Microsoft. For some who take the publicly available recommendations as gospel this could mean reprioritizing staff to put an extra rush on getting MS11-020 out the door; for others who did a bit of homework and read through the technical details prior to making a determination, little has changed.
I'll be keeping my fingers crossed on MS11-020 and watching out for a couple additional patches from this last batch.
Thursday, April 14, 2011
Walking a mile...
Working with computers on the defensive end of the spectrum does have its moments when you succeed in making the life of the attackers ever so slightly more difficult through the implementation of a new safeguard or by identifying and correcting weaknesses throughout a network. Playing on the defensive end also comes with its fair share of fail when your best efforts aren't good enough.
On the attacking end, probing, discovering and leveraging exposures in systems also provides its fair share of victory and defeat. However, I'm starting to discover that both sides of the industry can become a little stagnant if you don't take it upon yourself to liven it up from time to time.
For some, the spice will flow if they decide to take a deeper dive and blaze a new trail in a specific field of research where they push the boundaries of defensive or offensive tactics. Others decide that IT and playing these silly games are no longer how they want to spend their lives and leave their laptops and stress behind and pursue a different career.
Over the years, I have been fortunate enough to have had the chance to dabble in many different areas within the IT and security fields and have come to enjoy the wealth of new learning experiences that are out there waiting to be had. I can make no claim as to being particularly proficient in any one specific area but each time I get to tackle a new area I always gain an appreciation for those of us who spend our career working to develop a specialty and push those boundaries.
The security industry can be harsh. There's never a shortage of people out there looking for the next thing to criticize whether it's management who "have no clue and never listen to us", a security company who finds themselves under close public scrutiny for getting "pwned" or the developers who "don't have the slightest clue how to prevent"
Think we'd all be a lot better off if we spent a little less time complaining and a little more time walking a mile...
My next mile:
Over the past several years I have done minimal coding during the course of my work. The closest I have come is a rudimentary ability to cobble together a piece of quasi-functional code in whichever scripting language is closest at hand, the intention being to automate tasks that would otherwise become very monotonous.
Until the next shiny object distracts me, I've decided to start the process of learning how to develop applications for a mobile platform. My goal isn't to attack any of these apps but to gain an appreciation for the development community whose successes actually provide business value and whose failures keep giving all the negative dipshits in our community something to complain about.
Back Again
So after a few months experimenting with running my own blog software on a WordPress installation, I have decided that the work and time required to track and maintain security updates is not something I am willing to commit to. I have retired my WordPress install before it gets taken over by spammers/attackers and will resume posting on this site instead.
Postings will likely continue to be sporadic and serve mainly as a repository for me to keep track of certain projects that temporarily catch my attention.