Archive for the Hacking Category

SCADA Honeypot

Posted in Hacking, Security on 31 August, 2009 by continuous

I really like the idea of a SCADA honeypot. John Strand live-demoes one: it runs several services that mimic life inside a SCADA environment, both to lure an attacker and to demonstrate what such a network looks like from the inside.

You can download the SCADA Honeypot from here.

From the scadahoneynet site:

[The] goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

  • Build a HoneyNet for attackers, to gather data on attacker trends and tools
  • Provide scriptable industrial protocol simulators to test a real live protocol implementation
  • Research countermeasures, such as device hardening, stack obfuscation, reducing application information, and the effectiveness of network access controls.

Windows 7 installation

Posted in Hacking, Presentations, Windows, evaluation on 10 August, 2009 by continuous

I’m an avid user of anything UNIX-related: Linux, FreeBSD, OpenSolaris. I even tinkered with SCO Unix and Microsoft Xenix (but that was a rather long time ago). But, for some unknown reason, I find myself longing to install a Windows version.

I used WinXP for a good two months, got fed up that I didn’t get any productivity out of it, and installed a Linux distro on my laptop again. Same for the home server, which was running Windows Server 2003 at one point.

It was that time of year again, so I started installing Windows 7 on the trusty laptop. And all of a sudden it had to go into production within two days of installing. I went into an absolute frenzy to get everything I might need on the road in there: UMTS connectivity (works), ssh client (two, both work), Office (2007, works, duh) (as a side note, I love OneNote). And finally, to top it all off, a virus scanner/personal firewall thing.

Oi.

It didn’t work. Whichever beta or final release, from whichever vendor, it would not work. The resulting install gave me a headache, as the error messages were quite strange: “Unknown error #0x80040201 occurred”. But tonight (after two days of tinkering, throwing things out of windows, and almost throwing in the towel and installing Ubuntu again; I had to become productive again, and secure as well) a light bulb went on over my head:

Get rid of EFS.

The Encrypting File System (EFS) is a good, sound, well-implemented way to have your own files encrypted so that no one else can read them, unless you give them permission. Not even SYSTEM can read them.

I’ll repeat that again.

Not even SYSTEM can read them.

If you decompress an EFS-encrypted file, or run an installer that unpacks itself, inside an encrypted folder, the resulting files are encrypted as well: new files inherit the folder’s encryption attribute. In an awful lot of cases this is exactly the behaviour you want. Decompressing a file should not silently give everyone access to its contents, now should it? The installation itself runs fine (setup.exe does not complain), because setup runs under your account, which holds the EFS key. But the files it leaves behind are drivers and service binaries that Windows later loads as SYSTEM, and SYSTEM does not have your key, so it cannot read them. SYSTEM needs to be able to read the files, because they’re drivers, for crying out loud.

If you remove the encryption from the downloaded installer (and from the folder it extracts into), everything installs fine, like before, but now SYSTEM can read the files. Yay.

Therefore one piece of advice: do not use EFS on your preferred download location; then you can install the resulting stuff to your heart’s delight. If you want your downloads encrypted at rest anyway, decrypt the installer and let it extract into an unencrypted folder before running it.
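The check and the fix described above, as an added PowerShell example (not part of the original post): it lists everything under a download folder that carries the EFS Encrypted attribute and, when run with -Decrypt, strips the encryption with the built-in cipher tool so that an installer run from there leaves files SYSTEM can read. The default path and the parameter names are assumptions; point $Path at wherever your browser actually saves downloads.

```powershell
<#
Added example, not from the original post.
Lists EFS-encrypted files and folders under a download location and, with
-Decrypt, removes the encryption so that an installer run from there writes
files SYSTEM can read. The $Path default and parameter names are assumptions.
#>
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed download location
    [switch]$Decrypt
)

$encryptedFlag = [System.IO.FileAttributes]::Encrypted

# The folder itself matters most: anything created inside an encrypted folder
# (an installer's extracted drivers, for instance) inherits the attribute.
$items = @(Get-Item -Path $Path -Force) +
         @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue)

$encrypted = $items | Where-Object { ($_.Attributes -band $encryptedFlag) -ne 0 }

if (-not $encrypted) {
    Write-Output "Nothing under $Path is EFS-encrypted; installers run from here should be fine."
    return
}

Write-Output "EFS-encrypted items under ${Path}:"
foreach ($item in $encrypted) {
    $kind = if ($item.PSIsContainer) { 'folder' } else { 'file' }
    Write-Output ("  {0,-6} {1}" -f $kind, $item.FullName)
}

if ($Decrypt) {
    # cipher.exe ships with Windows: /D decrypts, /S:<dir> recurses from that
    # folder, /A applies the operation to files as well as folders. Only the
    # user holding the EFS key (or a configured recovery agent) can do this,
    # which is exactly why SYSTEM could not read the extracted drivers.
    & cipher.exe /D /S:"$Path" /A

    # Re-read the attributes; the cached objects above are stale after cipher ran.
    $left = $encrypted | Where-Object {
        ((Get-Item -LiteralPath $_.FullName -Force).Attributes -band $encryptedFlag) -ne 0
    }
    if ($left) {
        Write-Output "Still encrypted (encrypted by another user, or cipher failed):"
        foreach ($item in $left) { Write-Output ("  " + $item.FullName) }
    } else {
        Write-Output "Decrypted. Re-run the installer from $Path; its output will no longer inherit EFS."
    }
} else {
    Write-Output "Re-run with -Decrypt to remove the encryption, or move the installer to an unencrypted folder first."
}
```

Run it as the user who downloaded (and therefore encrypted) the files; no elevation is needed, but another account, SYSTEM included, will see the attribute and still be unable to decrypt. Decrypting the folder, not just the installer, is the important part: with the attribute gone from the folder, the files setup.exe extracts there are written in the clear and a driver or service started later as SYSTEM can load them.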

So, I feel quite good about this, now that it finally works. I’m running Trend Micro now; we’ll see whether I buy after the trial, or whether I’ll be running Ubuntu again.

Getting things not quite done

Posted in Hacking, Observations on 27 July, 2009 by continuous

Cleaning the mess on my desk has made me more aware, again, of how much stuff one can accumulate in such a short time. Getting things done is quite difficult when you have the stuff on your desk. On the other hand, if you don’t have a proper inbox, that’s what you opted for. Hmm. Increasingly I find that the method I’m currently using is not really working out for me. One of the problems is too many inboxes, a fatal accident waiting to happen to the followers of the True Way. So far that accident is waiting to happen because I have a rather diverse work environment. There’s the computer at work, the laptop, the home computer, meetings, babysitting in the park, on the train, or visiting friends and relatives. Well, not that diverse, but diverse enough to end up with more than one inbox. One on the work computer, one on the home computer and one in a paper notebook I keep around. I like the paper notebook, because I have readable handwriting, you can scribble, it has nice in-the-bright-sunlight-in-the-park properties, and friends and relatives don’t really mind when you scribble something in your paper notebook thingy. Start using a laptop on such an occasion and people seriously upgrade your geek status. It would appear I’m not alone in this.

But paper notebooks have one main drawback: you keep repeating yourself. Entering stuff from email into the paper notebook doesn’t feel like you’re accomplishing something. When you have two pages of to-dos and notes it looks quite neat. Start doing things and crossing them off (feel-good moment) and it starts to look rather messy. So, after a while, you rewrite your list to get a good overview. But hey, I’m not in this world to rewrite my to-do list for the umpteenth time.

I thought about getting a nice iPhone 3GS, but that appeals to my geekness more than to my I-want-to-get-stuff-done-ness. Other than that, I have a hard time believing that it has the nice properties a paper notebook has.

Maybe the future will bring something like a Kindle which you can write onto and then organize it. Maybe I should get a scanner, that would at least save the rewriting. That’s two maybes that may rank a bit too high on the ‘wishful thinking scale’.

For the time being I see no other option than to muddle forward in this way.

Summer Cleaning

Posted in Hacking, Observations, Security on 27 July, 2009 by continuous

Today I finally got around to cleaning my desk at home. It had become cluttered with all sorts of stuff. You probably know the kind: old bills, new bills, a used password list (only one of them was still sort of correct), leaflets received during a trade show, etc. I was wondering how much information about me, good and bad, could be derived from the assorted clutter.

It’s quite scary, and a reminder to myself that I should be more careful about leaving stuff on my desk. I know all the risks of dumpster divers and of people walking in and slicing and dicing your personal life (been there, done that), but it takes some mental effort to be aware of your own clutter.

So, back to cleaning the desk and keeping it clean.

Installing FreeBSD 7.2

Posted in Hacking on 26 May, 2009 by continuous

As a Friday night expedition, I decided to install FreeBSD on one of the old PCs near my desk: an AMD Athlon 2400+, 1 GB of memory, a CD-R drive and two 50 GB PATA disks. Should work, shouldn’t it?

For some reason the install disc from the full CD set did not boot. At all. Reason unknown, but the situation persisted. OpenBSD ran like a charm, but OpenBSD wasn’t the intended goal, for reasons I will not go into at this point. Using the OpenBSD bootloader to boot from the CD wasn’t an option either, as even OpenBSD found something wrong with the install disc. I was getting tired of the sh*t, so I tried one last thing: use the boot-only disc to do a network install. Guess what: no problem. At all. So that took care of that. FreeBSD was running on the old box, and I could log in.

I wanted X to work, because I might actually decide to use BSD for some development I’m doing right now. But setting up X is rather awkward. For some reason FreeBSD didn’t accept that I have a normal keyboard and a simple mouse. X insists that the machine has a sysmouse. Hmm. Because of this insistence I had neither a mouse nor a keyboard in X. But Ctrl-Alt-Del seemed to work ok, go figure.

Finally, I found an answer: add the following to /etc/rc.conf:
hald_enable="YES"
dbus_enable="YES"

What happens is that the X.Org server’s default configuration autodetects input devices (keyboard and mouse) through HAL and D-Bus instead of reading them from xorg.conf, but FreeBSD’s default rc.conf does not start either daemon. So X comes up with no input devices at all. Enabling hald and dbus, and starting them (or rebooting), gives X its devices back.

That took a while and cost me some gray hairs, but it now works. Next step: getting NFSv4 to work properly. It sort of worked, but idmapd did not arrive at the proper ids. Looking further on the net, it turned out that NFSv4 on this release was kinda, well, pushing up the daisies. It was no more than an abandoned carcass. Sigh. No lovely Kerberos + NFSv4, but plain old insecure NFSv3, where the server simply trusts whatever uid the client claims to have.

Package management is a bit harsh compared to other package managers out there. At least pkg_add has an -r option to fetch packages remotely, and it actually resolves dependencies. But there is no real equivalent of ”apt-cache search foo“ (the closest thing is make search name=foo in /usr/ports, which searches the ports index rather than the binary package repository), which is a bit of a nuisance, since I like to search the package repository before building things myself (I’m lazy, and totally fed up with dependency problems).

But now everything works, and the system is very fast. Faster than it used to be running other stuff; at least, that’s how it feels to me.

hotdogsladies: remark

Posted in Hacking on 25 May, 2009 by continuous

Seen on twitter.

Multitasking is like driving or cunnilingus; most people assume they’re great at it until they start asking around…

As always, Merlin Mann has something to say that is obnoxious but to the point. Yes, people are very bad at multitasking. I thought I did okay, but recently I find that hard to believe of myself. It’s not too bad to switch between tasks that, combined, take less than your whole attention span. However, if you have a task where you need your whole brain, not just the left or right part, it starts to fall apart.

What can you do in this case?

  • Well, I try to get away, if possible. That works like a charm when I do not need my computer. When I do, well, I’m (literally) stuck.
  • Posting a note on the door telling everybody they can come in during ‘visiting hours’ does not work. At all. Unless you get very impolite, which is rather against my nature, I suppose. You can tell people to come back another time, but if you break that rule once for somebody, everybody feels they can break it too. So, visiting hours: yes, if you can keep the discipline of telling everybody to, basically, come back during visiting hours or send email.

But people walking in, even if you tell them to come back later, take your focus away from the task at hand, and you need time to get back in. That’s when I get sidetracked: “Ok, I’ve been interrupted anyway, I’ll check the email before I get back into the groove.” At that point I’ve lost the flow, and it takes me even longer to get back in.

Serious flaw in CA certs.

Posted in Hacking, Security on 31 December, 2008 by continuous

Oh boy. People are still dumb enough to use MD5 for anything important? Well, it’s all over the net, of course, so this is the reference to the original research. Wow.

SCADA attackvector

Posted in Hacking on 9 September, 2008 by continuous

Attacks on SCADA got easier: just use Metasploit.

Dumpcap tutorial

Posted in Hacking, Security on 14 July, 2008 by continuous

A small slideshow that touches on the basic things you can do with dumpcap: OSTU – Unattended Packet Capturing with dumpcap.

Hacking wifi

Posted in Hacking on 30 April, 2008 by continuous

It became a lot easier for script kiddies to exploit a known vulnerability in the Intel Centrino 2200BG wifi adapter driver: an exploit for it was added to the Metasploit framework.