Facebook Readies IPO Filing
- A LOT of people use Facebook
- A LOT of money

Lion 10.7.3
- Matt Hasn’t upgraded
- Bill and Patrick have had zero problems

Basic FreeNAS Setup
- We use it, it’s nice
- Matt is looking for his own personal setup
- Western Digital TV perhaps?
- Matt might be buying a PS3 or Xbox 360

FBI plans social network map alert mash-up application
- Why?
- There are plenty of existing services, why build something new?

New RIM CEO
- Won’t help
- No vision

Hurricane Labs Boastcast
Modern Search Engines for the Contemporary User
Gaining Access to a Check Point Appliance – Physical Access Trumps All

Hack of the Week
Anonymous hackers leak Scotland Yard-FBI conference call

App of the Week
Lookout Mobile Security Threat Tracker

When on the Internet, how do you find things? Many use a search engine. Currently the most popular search engines that people flock to are Google, Yahoo, Baidu, and Bing. As of January 2011 approximately 98% of all web searches are done on these sites. However, there are quite a lot of other search engines that make up the smaller 2%. Some with many features that aren’t available from the big four. Here are a few that tend to come up often in Internet discussions for being unique with features and results.

blekko
https://blekko.com/

blekko is unique search engine that focuses more on quality of results than on quantity of information. Unlike Google, they specifically do no want to collect all the of the world’s information or make it searchable. They remove low quality and spam sites (who focus more on monetization rather than providing information) from their index. What makes blekko unique from other search engines is that they rely on “human curation,” which relies on it’s users to help tag sites to increase the quality of the results.

blekko provides the ability to filter the results based on their defined relevance or date and blekko shows common tags so you can narrow your search base. blekko also provides the ability to change search preferences, with options such as ads displayed, secure searching (HTTPS), disabling Facebook features, and safe search.

DuckDuckGo
http://ddg.gg

DuckDuckGo is a Perl based search engine that focuses on delivering quality results while respecting users’ privacy. Two privacy issues they focus on are the search bubble and tracking. They even offer a Tor hidden service. DuckDuckGo’s website is also available over SSL.

One of the most unique things DuckDuckGo provides are the !bang syntax searches. With the !bang syntax one can narrow their search to a specific type of results or a specific site. They support hundreds of sites, and they have a complete list of available !bang commands here.

DuckDuckGo provides the ability to adjust search settings including, safe search, region, 0-click result, secure searching (HTTPS), re-directs, and user themes.

ixquick
https://ixquick.com

ixquick is a European based search engine that primarily focuses on privacy. Their privacy policy isn’t as neatly setup as DuckDuckGo, but it is very thorough in explaining their strong stance. In the process of protecting privacy and the security of their users they offer their search over SSL. ixquick’s results are mostly assembled from other popular search engines, of which they don’t specifically list. In the results, one has the ability to hone in on a specific type of result using their unique “Power Search Refinement.”

Many settings and preferences can be set – clustering of results, secure searching (HTTPS), and anatomizing picture and video searches.

whostalkin
http://www.whostalkin.com

whostalkin is a powerful search engine that aggregates results across several different sites and resources. Its primary focus is on searching social networking sites and blogs, ie: FriendFeed, Twitter, identi.ca, wordpress.com, and several others.One can focus their results on a specific division: news, blogs, or social networking, and various other networks.

The main categories that whostalkin makes searchable are: blogs, news, networks, videos, images, forums, and tags. At the time of this writing whostalkin does not provide a way to further customize usage or results besides the category selection.

YaCy
http://www.yacy.net/en/

YaCy is a P2P, decentralized search engine. Unlike most search engines where you visit a website on the Internet, you install YaCy and load up the search page locally. YaCy requires installation because it queries peers in the P2P network. By default YaCy expects you to contribute to the YaCy network. While it is contributing the program crawls various websites on the Internet and stores the results of the crawl locally. When someone else does a search and if their client connects to yours it will query your crawl cache for results.

YaCy’s main philosophy is that they want to keep information free and uncensored. They argue that other search engines are centralized which could potentially lead them to be censored, blocked, removed, or spammed. YaCy is open source, free software and is completely transparent. They provide more in-depth explanation of their philosophy here.

There are several settings that can be adjusted in YaCy, many revolve around the network itself. You can adjust how much caching it does and how much you want to contribute to the network as a whole.

There are several other great search engines that help make up the other 2% of the market share. This list is to highlight those that have unique features that aren’t found or commonly found together on other search engines. Wikipedia has an article of search engines (past and present) in a timeline format of when they were released.

Recently, one of my co-workers and I were tasked with reconfiguring a Check Point Appliance for use as the main firewall in a lab environment we are building for some internal testing. Because we both are recent hires (and thus, the low men on the totem pole), we were not given passwords to the devices or any other useful information regarding their previous configuration. We were expected to learn how to manage the devices, reload the Check Point software, and configure the equipment entirely from scratch. Unfortunately, the Check Point devices refused to play nicely and cooperate with our mission, instead insisting on throwing fatal exceptions whenever we attempted to reload the software. With our attempts to reload and configure the devices properly crippled, we were forced to seek an alternative solution. Our minds quickly turned from reinstalling the software to hacking into the password-protected devices instead.

A Check Point appliance is a purpose-built server. It contains a CPU, memory, and hard drive, along with multiple network interfaces and a USB port. Optical media is accessible via a USB drive. Unfortunately, the appliance is lacking one critical feature that would make administration much simpler – a video output. This is done by design – normally, once the device is configured, there is no reason or need to view the output of the device itself. All of the administration is handled through the web interface or management server application. This, however, was neither a typical nor a normal situation. A lone serial interface would provide our only method of accessing the device.

On any Linux-based system with an unencrypted hard drive, it is possible to completely overtake a system once you have gained physical access. Often this is easily accomplished with a live CD distribution, such as Backtrack or Ubuntu, and some command line tools. Unfortunately, most live CDs are not designed with a serial console in mind – instead, they rely on a graphical user interface, which would not work on the hardware we had. But just because something is not easily done does not mean it is not possible.

Some creative thinking, judicious Googling, and an Ubuntu 8.04 Server CD provided the answer. This version of Ubuntu supports installation via a serial console (other versions might work as well, but we had one of these CDs laying around in the lab). However, the first steps of the installer still expect a video display to be connected, and do not output via the serial console by default. To work around this condition, we connected a USB cable to the appliance, and used the following sequence of keystrokes to (blindly) advance the installation to the point where we could see the serial console output:

1) Enter (for language selection)
2) F6 (for specifying command line installation parameters)
3) Backspace three times (to clear out the end of the installation parameters string)
4) Typing “console=ttyS0,115200n8 — ” (to specify the serial console location and connection settings)
5) Enter (to start the installation process)

A few moments later, low and behold, we were greeted with the initial screen for a new Ubuntu installation displayed in our minicom session. At this point, it was a simple process of dropping into a root shell, mounting the Check Point partition and chrooting into it, and running the passwd command (/usr/bin/passwd) to reset the passwords for the device’s administrator accounts. Upon reboot, we had successfully regained full access to the device – no reinstallation required.

There are several lessons to take away from this experience. First and foremost, physical security is paramount when seeking to protect any device or server, including your firewalls. Without physical access, we would not have been able to compromise the device in this manner. Second, when attempting to gain access to any device, know the underlying technology and its operation. Since the Check Point operating system is based on Linux, we were able to apply the same techniques to attack this device as one would use when seeking to compromise a Linux system. Finally, when faced with a challenge, don’t rule out novel approaches for solving your problems. Your initial plan of attack may result in failure, but failure does not mean that success is unreachable – and you might even learn something new in the process.

How to Read and Search the Support Life Cycle Documentation
This series of links can help you plan for a Check Point implementation, as well as an upgrade or refresh of a current Check Point infrastructure. Due to a long-standing product history, and having gone through a couple of different licensing models, figuring out hardware can sometimes be difficult with Check Point. Hopefully this information can help ease that process.

Using these links, you will find Check Point’s supported versions, and when applicable, their recommended upgrade path.

Check Point Enterprise Support Life Cycle Policy
http://www.checkpoint.com/services/lifecycle/index.html

Check Point Software Support Timeline
http://www.checkpoint.com/services/lifecycle/support-periods.html

Check Point Appliance Support Timeline
http://www.checkpoint.com/services/lifecycle/appliance-support.html

How to Find Out What Check Point Products are Supported on Your Hardware
http://www.checkpoint.com/services/techsupport/hcl/all.html
Check Point currently supports hardware from a specific set of vendors, apart from their branded appliances. An up to date list of supported platforms can be found here, including models from: Dell, HP, Fujitsu, IBM, Kontron, Lenovo, Sun, Supermicro, and Toshiba. Note that some models are only supported for certain functions or products, so pay attention to this list when deciding what hardware to choose for your Gateways, Management Servers, Connectra or Eventia hosts, etc.

How to Look Up Your NIC and Other Hardware Related Information
This tends to be more of an issue when ensuring the NICs in your chosen server are listed in the compatibility list, or for instance when you need to add more NICs to a host. On a typical *nix installation, you can run the command ifconfig to see a list of details on your host’s interfaces. The section you will want to note is: HWaddr f0:de:f1:xx:xx:xx

From the MAC address, we can see that this is an ethernet interface on a Lenovo machine, manufactured by Wistron InfoComm Co. According to the Hardware Compatibility List the NIC in my Lenovo laptop is not officially supported for Check Point installations.

A handy resource to find out exactly who made your Dell or HP or Sun server’s NIC is here (http://hwaddress.com/) Input the first three segments of your MAC address, and it will query the known manufacturers and provide the info.

If you’re not familiar with MAC addresses, they’re the “hardware address”, “burned-in address”, “layer 2 address”, etc. Basically, it’s a unique ID that is only on your one specific piece of hardware.

Using the example MAC address aa:aa:aa:bb:bb:bb, we see that: Each MAC address has two sections; the first is comprised of the first three segments and are used to identify the manufacturer of the hardware. So we could see that aa:aa:aa indicates this NIC was made by “NIC Builders 1234, INC”. The last three segments simply are a combination that the manufacturer has not yet used with the particular manufacturer ID. Obviously, manufacturers can have multiple MAC prefixes (Cisco is listed at 159) so this gives them a wide range of MAC address space.

There may also come a time when you need to find a hardware serial number while remotely connected to a machine. The more important item here is to know that Check Point ties licensing to primary NIC MAC address, so if you can run ifconfig, you have what you need. But if you also happen to ever need your system’s serial number, you can try this:

dmidecode | grep Serial

This will show your system’s main serial number usually as the first entry, and depending on how your hardware vendor has laid out their information, may also show you the serial for the baseboard for other
components.

Using both the software support timelines and the hardware compatibility list, you can achieve a couple of key goals: you can get as much life as possible out of existing hardware, and you can plan future installations or upgrades to get the best possible combination of features and long term viability.

Raise your hand, how many of you have Googled yourselves recently? I knew it – you haven’t! I believe you should do it right now. Why, you ask? Because that’s what other people are doing to learn more about you. Shouldn’t you be the one who controls what anyone sees and discovers about you when searching online?

Looking for a job, hiring a new employee, meeting new people, and finding classmates for a reunion are simply a few of the reasons people may be googling your name.

What will they find? Type in your name and many things will come up: Your Facebook account, your Twitter account, and any other social networking accounts, all of your pictures and personal profiles full of your personal information that Internet Search Engines have collected about you. If you are job searching, employers will Google your name to discover what you are up to online. Not just professionally on sites like LinkedIn, but personally as well. You need to carefully monitor what you say online because even though you are tweeting with just your friends, everyone can read it and make professional decisions simply based on what you have posted.

To discover exactly what information I could find out there, I Googled a good friend from high school. I found his address, phone number, family members, where he went to school, the value of his house, a variety of activities that he participates in currently, petitions he has signed, and donations he has made. All public information! But he’s also a quiet guy who doesn’t participate in online social networking sites, so I didn’t find the pictures I expected. That was surprising, as I know I would have found more information about him easily if he did have a social networking account.

Google a college student you know. Are they keeping their online profile professional or are they simply posting anything and everything they are doing? While it may be fun to tweet with your friends, it is public information. When these friends graduate and go out searching for a permanent job, will anything they have posted stop them from getting it? Or will it stop them from wooing customers if they choose to start a business? They should definitely check it out before it comes back to haunt them.

What would I have found if I had Googled you? Check it out now and find ways to delete any unwanted information that you discover. Taking a proactive stance in your online profile will help you now and for years to come.

Zappos
- Database breach
- Customers advised to change passwords
- Class action lawsuit
- Bill mentions Batman

World IPv6 Launch
- “Speaking of problems…”
- Bill doesn’t think it will work

13 Security Steps
- Build knowledge
- Share knowledge
- Maintain
- Improve

White House Labels SOPA Censorship
- Political ranting

Apple Education Event
- The future is now
- Text books on iPad

Hack of the Week
Zappos.com security breach

App of the Week
Chromebook

During my early morning Twitter-lurking I ran across this gem, which basically says that a good chunk of folks surveyed just give up their personal information to their “favorite” merchants. Now usually I always doubt the veracity of such surveys but for the sake of this post let’s assume this is true. If folks are more than willing to hand over their information to merchants I think on some level they have to trust the merchants, or should at least. The bigger question is, what have merchants done to earn that trust? The short answer is, not much.

I am actually one of those knuckle headed “consumers” who doesn’t mind sharing my email, address, phone number, etc with merchants whom I buy from regularly, in fact, I might sell my soul to Johnston & Murphy. The point is, in the back of my head, I’m imparting some sort of trust to these guys with my data. What shoes did I buy? Where did I buy them? How much did I spend? Am I more likely to buy in the Spring or Winter? These are trivial details to any one person but take on a mass scale they can help a marketer figure out where to bump up advertising and where to scale back. They can tell them how to build a display or what shoes to discontinue. The data is very valuable to a marketer and also to fraudsters and scammers. This is the rub as they say. You give your information and trust to these vendors and what do they do with it?

For the most part I’m certain the data lives in some database, usually in the “cloud” but sometimes it lives on the vendor’s own network. There are quite a few so-called data mining tools out there that will allow them to carve out the data in the ways I’ve described and probably in ways I cannot begin to imagine. Then there are also folks out there who will chop up your data and sell it to other vendors to market to you. For instance, a grocery store might roll up all of your fruit purchases along with their other shoppers from your zip code and send it to a fruit vendor to do other “cooperative” types of marketing. Often it is that benign and then sometimes they’ll just sell it outright to make some more revenue off the data they’ve collected. Usually this is reserved for more nefarious merchants and sometimes it is done out of ignorance of their own policies. But make no mistake – it DOES happen. Want to test it? Sign up for an email address you’ll never use anywhere else, register it with one, just one online vendor or some local chain. Watch how much your spam increases for that address you never use. This is a violation of that implied trust.

I was thinking quite a bit about this after reading that article and wondering if maybe I’m just being ultra paranoid. Am I overreacting by removing myself from all these programs? From an identity theft perspective I’m probably not being paranoid enough but I should definitely not trust these places with my credit card numbers. I like one-click buying as much as the next person but typing in my credit card number is a small inconvenience to trade so that my number isn’t stored in every online store I’ve ever been to. This was all before 6:00 am so quite a bit to think about before the sun came up. I was just contemplating all the “legitimate” things marketers do with your data then this showed up on twitter: http://www.zappos.com/passwordchange (okay not this EXACT one but this news).

Nearly 24 million accounts hacked? Lots of media hype, etc. Bottom line – a whole lot of personal information just got leaked. Zappos claims no credit card information was stolen but enough data was probably leaked that the thieves will make some money from identities, etc. The larger points are that you should not only be careful about who you share information with but what you allow them to store. I don’t personally use Zappos (even though I’m a shoe freak) but I probably would’ve let them have my email, etc to send me deals. I would’ve imparted that trust to them. It depends on how they handle this situation as to if they’ll get that sort of implied trust from me (their parent company Amazon certainly has that trust from me)…but this isn’t about me, it’s about you. When you get a letter like this, how do you respond to the vendor? Do you just change your password, keep on shopping and move on? Or do you hold their feet to the fire and ask more questions? I’d love to hear how you handle it (blog@hurricanelabs.com)

Sprint Galaxy Nexus
– Cool, I guess?
– Verizon raging

iPhone Turns 5
– Still, none of us care
– McMaster makes mean comments about Steve Jobs
– Seth Green Star Wars
– McMaster is culturally clueless

Microsoft GPS Patents
– Sounds good, but crime can happen anywhere
– Someone has already made a Google Maps crime map

Google vs Twitter Social Search
– Google showing Google+ results and not Twitter
– But Twitter didn’t renew their contract so it’s not Google’s fault?
– Everyone is in an uproar and I don’t know why
– Bill misses the old days of Google, “only search”
– McMaster is a Google fanboy
– Also, McMaster and Patrick start a bold battle in the show notes behind the scenes

Consumer Electronics Show (CES)
– Samsung home appliances
– LG Google TV remote
– Badass Solid State Drives
– Pre-built Makerbot Replicators
– Maneto NFC MicroSD cards
– Razer Blade gaming laptop
– More 3D TVs

Game Corner

– Kinect for Windows
– Patrick goes on about Assassin’s Creed while McMaster has the most condescending, smug look on his face

Hack of the Week

– Norton Antivirus source code stolen

Apps of the Week

ESET Smart Security
– Antivirus
– Windows, Mac, Linux support

ViewSonic dual-sim phone

A little while ago some (allegedly) Indian based hackers (ref: http://hlurl.com/8qv, http://hlurl.com/8qw) announced that they got their hands on some of Symantec’s source code (SEP 11 and AV 10.2 respectively). Don’t worry though, according to Symantec it’s all cool because they weren’t breached (it was a third party/one-armed man) and only “older code” was exposed. This is an example of a vendor’s glaring ignorance about its client base and a sort of arrogance about their own product. Let’s examine some of their arguments.

The Third Party Issue
We hear this one a lot. “This is our vendor” or “We can’t fix this, it’s some third party’s problem.” This is purely an attitude problem and I wish this one would just go away. You have to take control of your supply chain and your vendors. Surely a company of Symantec’s size has some sway over their suppliers and vendors? You would think so at least. I have customers who have larger upstream clients that demand they receive regular audits and tests to assure some level of security standard is being followed. It isn’t perfect but it’s better than nothing. The bottom line is: When it’s your stuff you don’t get to blame a third party, it really is your problem and you need to own up to it. Complete disclosure of the breach is the only way to maintain your integrity at this point.

Older Code? Not Our Problem!
The problem with this argument is that (and I’m PURELY guessing here) a lot of their customers, even enterprise users, haven’t upgraded lately. I know, I know, security evolves fast, etc. But a lot of larger, more conservative places have a “stay one version behind” policy for all their critical or possibly production-killing software. This any sort of software, not just security products. If their defense for this is, “well it was just older stuff and everyone should be upgraded anyway,” and it appears it is, then they are not living in reality. Upgrades, even with security software we like to think is critical, are neither automatic nor pervasive. In light of this release though, I would encourage clients to upgrade if this is software you are reliant upon.

Seeya Later Source Code
This is always where the rubber meets the road. I am a firm believer that security systems should be able to hold up to open scrutiny but often I’m alone in that. If this code leak really makes Symantec’s software useless for securing systems I would contend they’re doing it wrong. That being said here’s a little homework, go Google “antivirus evasion techniques” and see what you find. The “bad guys” don’t actually need the source code to evade much of it so I doubt this leak really increases that risk much. I know this seems snarky and pessimistic but that’s the point I’m at with AV vendors. I just don’t think most of it is quality code and liken much of it to snake oil. Obviously that’s my opinion but I’m sticking to it.

Okay smarty-pants, what do I do now?
Obviously if you’re relying on this software for even an illusion of protection you should upgrade as soon as possible. At this point though I think you should start examining the levels of protection you have in place for malware/virus/phishing threats. Do you have an internal honeypot that can help to detect an early outbreak? No? You should. Are you making effective use of DNS blackholes and other blacklisting methods? No? You should be. Do you have a testable, useful user security awareness program in place? No? Why not? As the Google search hopefully convinced you, A/V by itself is no longer enough, you need layers to help protect you when something fails. I hope this is the lesson that is taken away from this event and not “gee, Symantec should take better care of their code.”

Happy Holidays
– Patrick got Jurassic Park
– Matt got a TV and Kindle Fire

Full Disk Encryption
– All your devices
– We use it already
– You should be doing this already

Cleaning App Permissions
– http://mypermissions.org/
– Protect yourself from rogue webapps

Anatomy of an ATM Skimmer Scam
– Cool, but not something you see everyday
– Watch out for suspicious ATMs

HTC Unlockable Bootloaders
– Good on HTC’s part to allow this
– Hooray for customization

AT&T gives up buying T-Mobile USA
– T-Mobile gets crazy amount of money/spectrum
– Hopefully they put it to good use

Verizon Outages
– At least 3 data outages in December
– Bill doesn’t like Verizon

Game Corner

– Assassin’s Creed
– Arkham City

Hack of the Week

– Israeli Credit Cards
– Stratfor