I've Got Brain Ache

I'm very busy on the work front at the moment, both in my day job and with the internet business.

In my day job I'm involved in a major, very complex, government PKI project. PKI stands for Public Key Infrastructure and is basically a set of systems that can be used for issuing and signing digital certificates that can be used for encryption, authentication and other security type things. The thing about PKI is it's all about trust. If you're going to use a digital certificate to encrypt your communications, or use it for authentication (such as to gain access to a website, or even to a building by putting the certificate on a building access card) both you, and the owner of the systems, need to have confidence that the certificate hasn't been compromised in any way.

What this means is that every aspect of how the certificate is created, issued, renewed, revoked, used, and stored has to be managed in a way that covers all the potential security risks.

My job is to create a framework of rules around the entire PKI, covering everything from the physical security of the buildings and servers which will host the PKI, the security procedures for the operation of the PKI, the HR procedures to ensure the people operating the PKI can be trusted, to the technical security controls of the particular systems.

The framework has to be specific enough so it covers all the risks, but generic enough so that the PKI can be future-proof and used for multiple different purposes.

I've also got to write the audit procedures so that they can get an outside auditor to come in and carry out annual audits of every Certificate Authority that wants to operate under the PKI (of which there may be many covering multiple government agencies) in accordance with the procedures I've written.

To say it's making my head hurt is an understatement. There are particular international standards that I need to make sure it complies with, as well as fitting in with government standards around authentication and identity management.

My little brain is struggling to cope!

As for our internet business, IPChitChat is doing pretty well. We've had some good feedback on the new site, and most importantly, revenue was up for last month considerably from Sept 2007. We're still some way from making a full-time living out of it but it's growing, slowly but surely.

We've also launched EzeeQuit, which is more of an experiment than anything else. Probably won't be a long term venture but it demonstrated we can now react to new opportunities and get an e-commerce site up relatively quickly.

We've also changed the name of our company. We originally registered the company as Autonomy Business Solutions Ltd when we had the idea of creating an IT Managed Service for medium to small businesses. Our business model has changed considerably since then and we're now concentrating on building internet-based brands.

We're really interested in the whole new phenomenon of cloud computing, the whole idea of applications moving away from the desktop to being purely web-based. With that in mind we've now changed our business name to NetCloud Ltd, which we believe better reflects the ethos of the business. We couldn't get netcloud.co.uk so our domain name for NetCloud Ltd is www.netcloudgroup.co.uk. This is ok as NetCloud will effectively be a group of companies under the netcloud banner. There's not much on that website yet but it will grow as our underlying businesses grow.

So our existing websites are keeping us busy, there's day-to-day management of the site, marketing and development of more features, as well as troubleshooting the odd issue that comes up here and there. I'm currently putting together the next newsletter for IPChitChat which you can sign up for on our site.

And of course there's the development of our next sites. The social networking site I've mentioned previously has been completed (to some degree) by the developers we hired in India, and I'm now working on developing features and content. Not sure when we'll get this one off the ground as it's a major project but it's certainly an exciting prospect.

We also have a couple more ideas for e-commerce sites that we're investigating.

All in all life is busy on all fronts.

Home for a Short Weekend

I'm currently sat in the departure lounge at Canberra airport with a 3 hour wait for my flight. Luckily I'm sat at a table that's near a bar, and also has a power socket I can use, so the combination of my laptop and Crown Lager should see me through. It feels weird travelling home on a Saturday though. There won't be much of a weekend left when I get home.

I'm glad I stuck around for today's exercise as it was really enjoyable. The hacking exercise was a lot harder than I expected. The goal was to capture 4 flags. These were basically text files called flag1.txt, flag2.txt etc. that were stored on each of the 4 servers on the target network. Each of the flags had a 'phrase that pays' and the end goal was to get the full phrase that pays and be the first person to whisper it into the ear of the instructor. Two of the servers were Windows servers and two were Linux. I was fairly confident I'd be able to handle the Windows servers (I did used to be a Microsoft Engineer after all) but it was the Linux server that worried me. My Linux skills are quite rudimentary and there were some really experienced techies in the class who I knew I had no chance of beating. Suffice to say I didn't win the competition. Nor did I manage to get all the flags in the allotted time. I did manage to get 3 out of the 4 though.

The Windows servers turned out to be fairly easy to exploit. The first one that I managed to connect to had the old null sessions vulnerability so I was able to connect to it using an anonymous account. Once I had a NetBIOS session I was able to enumerate the accounts and grab a copy of the SAM password list. I then used a password cracker to crack an account that had admin privileges and then simply mapped a drive to it. Easy peasy.

The other servers weren't that easy. One of the servers had some firewall or routing restrictions so it was only accessible from one of the other servers. So I had to compromise one server and then use that as a launching pad to compromise the other server. To make things trickier still, it turned out that one of the flag text files was hidden. There's a thing called NTFS Alternate Data Streams on Windows where it's possible to hide a file in the data stream of another file or directory. So when you browse the file directory it's completely hidden. You can't even use file comparisons to detect the hidden file as it doesn't affect the file size or checksum of the file that it's attached to. After a few hints I did manage to find it using a tool that discovers these hidden data streams, and also found a few other hacking tools hidden within the same directory that I could use to compromise one of the other servers.
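To show what the Alternate Data Streams trick described above actually looks like, here is an added PowerShell example (it is not part of the original post and is not the tool used on the course). It attaches a hidden stream to an ordinary text file, confirms that the visible file's length and SHA-256 hash are unchanged, then enumerates the streams the way a discovery tool does. It assumes an NTFS volume and Windows PowerShell 4.0 or later (for Get-FileHash and the -Stream parameters); the file names and the flag text are made up for the demo.

```powershell
# Added example, not from the original post: hiding data in an NTFS Alternate Data Stream
# and then finding it. Assumes NTFS and Windows PowerShell 4.0+ (Get-FileHash, -Stream).
$dir     = Join-Path $env:TEMP 'ads-demo'          # demo directory (assumption)
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$carrier = Join-Path $dir 'readme.txt'             # the innocent-looking file that carries the stream
Set-Content -Path $carrier -Value 'Nothing to see here.'

# Record size and hash of the normal (unnamed) data stream before anything is hidden.
$lengthBefore = (Get-Item $carrier).Length
$hashBefore   = (Get-FileHash -Path $carrier -Algorithm SHA256).Hash

# Attach a second stream called flag.txt. dir / Get-ChildItem will never list it.
Set-Content -Path $carrier -Stream 'flag.txt' -Value 'phrase that pays: (made-up flag text)'

# The visible file is untouched: same length, same hash. This is why a plain file
# comparison or checksum sweep cannot detect the hidden data.
$lengthAfter = (Get-Item $carrier).Length
$hashAfter   = (Get-FileHash -Path $carrier -Algorithm SHA256).Hash
"Length before/after : $lengthBefore / $lengthAfter"
"SHA256 unchanged    : $($hashBefore -eq $hashAfter)"

# Enumerate every stream on the file. ':$DATA' is the ordinary content; anything else is an ADS.
Get-Item -Path $carrier -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream back out.
Get-Content -Path $carrier -Stream 'flag.txt'

# What the discovery tool does: sweep a directory tree and report only files (and directories,
# which can also carry streams) that have a stream other than the default one.
Get-ChildItem -Path $dir -Recurse |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Remove the hidden stream again.
Remove-Item -Path $carrier -Stream 'flag.txt'
```

The enumeration relies on the Win32 stream-enumeration API that PowerShell exposes through `-Stream *`; on older systems the same job is done by `dir /R` (Vista and later) or a third-party stream lister. Note that copying the carrier file to a FAT or network volume that does not support streams silently drops the hidden data, which is one way to lose evidence during an investigation.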

One of the other servers had a buffer overflow vulnerability so I used Metasploit to exploit that server and get a command shell.

That's about as far as I got. 3 out of 4 isn't bad but I didn't get the full phrase. After the instructor explained how to do it I realised I could have been at it for days. One of the exploits was ridiculously hard. It involved carrying out a cross-site scripting attack (XSS), but it wasn't as simple as launching the attack from my PC against the server. No, it involved compromising one server, generating traffic from that server to another server, and then sniffing the traffic off the network to grab the session cookies and then using the session cookies as part of the attack. That would have taken me days to figure out!

Anyway, the day was very geeky but thoroughly enjoyable and challenging. The 6-day course has been great but no one can really come out of a 6-day course and become a professional hacker or penetration tester. We've covered dozens of hacking tools in the 6 days so of course there's a limit to the depth that you can go into for each tool given the allotted time. Now I have the fundamentals I'll need to dig into the tools and techniques in detail and keep practicing to hone my skills. Luckily these days with VMware I can easily do that by simulating a whole network on my laptop. All week I was running Windows XP and Red Hat Linux in virtual machines as guest operating systems whilst still using my Mac OS X Leopard operating system as the host, and didn't have any problems - basically running 3 different PCs on my one Mac.

One of the things that I'll take away from this course is that it doesn't take the latest and greatest malware (viruses, etc) to compromise a system. Some of the best hackers simply use the in-built administration tools already resident on the systems. That way there's little danger of triggering off the anti-virus software or intrusion prevention software. For instance, the WMIC (Windows Management Instrumentation Command-Line) tool resident in all modern versions of Windows is a fantastic legitimate windows scripting tool that can be manipulated to do all sorts of nasty stuff.
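As an added illustration of the point above (this is my example, not something from the course or the original post), the following PowerShell shows the most common WMIC abuse, starting a process through WMI, alongside the check a defender can run to spot it. It assumes a Windows host where wmic.exe is still present (it is deprecated in recent Windows 10 and 11 builds; the CIM cmdlets do the same job) and PowerShell 5.1 or later; notepad.exe stands in for whatever an attacker would really launch.

```powershell
# Added example, not from the original post: WMIC / WMI used as a "living off the land" tool,
# and the artefact it leaves behind. Assumes Windows, wmic.exe present, PowerShell 5.1+.
# notepad.exe is only a harmless stand-in payload.

# 1. The legitimate admin feature that gets abused: WMI will start any process you name.
#    Add /node:<host> /user:<domain\user> and the same one-liner runs on a remote machine,
#    which is why it is attractive for lateral movement without dropping any malware.
wmic process call create "notepad.exe"

# The PowerShell-native equivalent calls the same Win32_Process.Create method through CIM.
$result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
"Create returned $($result.ReturnValue) (0 = success), new PID $($result.ProcessId)"

# 2. The artefact: a process started through WMI has WmiPrvSE.exe (the WMI provider host) as
#    its parent, not explorer.exe or cmd.exe. Enumerate every live process with such a parent.
$procs    = Get-CimInstance -ClassName Win32_Process
$wmiHosts = $procs | Where-Object { $_.Name -eq 'WmiPrvSE.exe' } | ForEach-Object { $_.ProcessId }
$spawned  = $procs | Where-Object { $wmiHosts -contains $_.ParentProcessId }
$spawned | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate | Format-Table -AutoSize

# 3. Clean up: the two notepad instances we just created are in $spawned; stop them.
$spawned | Where-Object { $_.Name -eq 'notepad.exe' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -ErrorAction SilentlyContinue }
```

Step 2 is only a point-in-time snapshot of live processes; for a durable record the same parent/child relationship shows up in Sysmon process-creation events (Event ID 1, ParentImage field), where a rule for children of WmiPrvSE.exe that are shells, script hosts or network tools is a standard detection. The command itself never touches disk, so as the course pointed out, signature-based anti-virus has nothing to match on.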

Anyway, hopefully I'll be able to put some of these new skills into practice on some real clients some time soon.

Hacking in Canberra

This week I've made my first visit to our nation's capital - Canberra - for a 6-day course in Hacker Techniques, Exploits and Incident Handling.

Canberra is a strange little city. It seems to me to be a cross between Washington and Milton Keynes, in that it's clearly a Government town; the Federal government being the largest employer in this capital city which has a population of only 300,000. Yet like Milton Keynes, Canberra has an artificial feel to it. You can see the planning and design - it's not a city that has grown organically like most others. It's even got some of the same 60s carbuncles as Milton Keynes!

I've come to Canberra completely ill-prepared for the freezing temperatures. It's about 13 degrees C in the day but it drops down to zero at night. I knew what the temperatures would be before I arrived and I thought I'd be ok, after all I am from the UK! However, I didn't realise how much I've acclimatised to the Queensland weather over the past year. 13 degrees C feels to me like -5 did in the UK! All I've brought is a thin jacket and some jeans and t-shirts. I didn't even pack a jumper.

Because it's so cold, tonight has been the first evening that I've dared to venture out. I had a gander around the city centre (which isn't much bigger than Doncaster town centre) and then went to the flicks to watch Hancock. I had planned to see the Indiana Jones film but the timing didn't work out very well, so then it was a toss-up between Hancock and Sex and the City. No contest - I couldn't bear the thought of sitting through 2 hours of self-obsessed women talking about shoes and Prada handbags.

I was pleasantly surprised with Hancock. I thought it was just going to be just another dumb superhero movie but it was actually really good. Of course the action scenes and special effects were good, that's a given, but this added in a really funny script, as well as some character development and a few twists and turns to boot. Definitely one I'd recommend for 90 minutes of pure escapism. I plan on seeing Indiana Jones tomorrow night, if I can be brave enough to go out into the cold again. I'm not expecting anything great from Indiana Jones and the blah blah whatever-it-is as most of the reviews I've read have been pretty damning. I'll try and keep an open mind.

Being holed up in the National Convention Centre each day means I haven't had a chance to take in any of the sights of Canberra. All the things I'd like to see are only open during the day. I'll probably come back here sometime in the future with Rach & Lauren. In particular I'd love to take a tour of Parliament House and the National Museum of Australia.

As for the course, I've really enjoyed it. Over the past few months I've been quite disillusioned with my career and frankly have been getting bored to death of doing security compliance work. This course has re-awakened the geek inside me and allowed me to get back to my technical roots. Learning the technicalities of how to break into systems is much more fun than just learning how to defend them!

As much as the content of the course has been really good and up-to-date, the best bit about the course so far has been having access to the knowledge and experience of our tutor - Bryce Galbraith. Bryce is very much an expert in this industry and is a contributing author to the bestselling book 'Hacking Exposed: Network Security Secrets & Solutions'. He has worked with a ton of Fortune 500 companies and has also worked on Foundstone's world renowned Attack and Penetration team.

Of course I had a decent knowledge of hacking before I came on this course (you're not much of a security consultant if you don't know how the bad guys exploit the vulnerabilities you're telling companies to fix), but this course has significantly enhanced my knowledge and brought it up to date with the latest exploits and attack vectors. I'm looking forward to Saturday when we get to put all we've learnt into practice with a live 'capture the flag' exercise - where we all compete to hack into a system.

I tell you, there's some scary stuff happening out there and there's a good reason to be paranoid about your computer security. A lot of the myths around security have been dispelled this week. Do you think I can't get around your personal firewall? Think again! Do you think I can't sniff your traffic on a switched network? Think again! You think your wireless network is secure because you've enabled WPA2 instead of WEP? Think again!

It's a shame this damn code of ethics prevents me from using my knowledge for evil. I could be rich in no time!