Taking all legal considerations out of the equation, what if your neighbor didn't have your best interset at heart?  It is not unheard of that black hats will put up unencrypted or poorly encrypted AP as a fishing net.  Even though you think you are benefitting from free bandwidth, the black hat is actually getting his money's worth taking over your machine. 

If you tread lightly, and respect other people's property you have the best chance of not being compromised.  The laws have changed (alot) and transgressions which were ignored a few years ago are now a major issue.

See Dean's post: google, learn and if you can afford it, seek training in a controlled lab environment. If you post enough here, you may get a free ride for the wi-fi course from Offensive Security!

ChrisG,

Thanks for the incredibly fast turn around and the insider track!  Wish I could be a part of this momentous point in eh history.

Spiceworks 1.7 is another push forward in the short lived, but growing history of the Spiceworks saga.  Spiceworks is a group that takes both its product and user base very seriously. The latest build is not feature rich, but it does add new functionality that most admins will appreciate. The leader of the webinar I attended (and head of the group responsible for user feedback), Tony Frey was clear that the focus of this release was usability, not features which will take front stage in the 2.0 release which is expected late December, early January.

Tony’s concern was that users could easily navigate Spiceworks (even novice users) without resorting to a manual which is a goal that Spiceworks has incorporated since day one.  In this quest for high speed, low drag however, they have found that users miss some key features (browsing by category) and the goal was to rectify that.

Spiceworks 1.7 has added a ‘start here’ feature.  Start here is visible from the main screen within Spiceworks and is designed to educate users on the most basic of features as well as latest functionality developments. Rather than giving the user a .pdf with an FAQ, the start here feature has actual videos that will show the user all the functionality that makes up the Spiceworks application.  In as little as seven minutes, a person that has never touched this program will be able to navigate and leverage Spiceworks for all his/her daily needs.

Another benefit of the latest version is the facelift that was given to the community section.  It was a place were users could post questions they had about Spiceworks, now it is a one stop community driven helpdesk.  Spiceworks users are now welcome to ask any IT question, and one of more than 130,000 members will give them the help they need.  In incorporating everything outside of it product, Spiceworks is poised to remain a key player in the Information Technology market for a long time. While the focus was usability there are some new features which could save admins a lot of headaches.

Perhaps one of the most aggravating issues an admin has to deal with is software compliance.  Many organizations will use illegally obtained software because, “it was there”.  That is no longer acceptable and organizations run the risk of facing large fines as a result.  The latest version of Spiceworks will pick up Serial numbers for Microsoft OSes and Office suites.  You can now scan your network, and if a machine is running an OS with the wrong serial number you can change it on the fly!  The other great feature is the enhanced treatment of unknowns. 

Unknowns are issues that Spiceworks finds, but cannot categorize.  The example that was shown in the webinar was a wrong ssh password.  You can now, enter the correct password, and Spiceworks will automatically scan other unknowns to see if the fix applied (in this case the correct password) will as resolve other unknowns.

I first wrote an article on Spiceworks several months ago http://www.ethicalhacker.net/content/view/104/24/ As I stated before, I am not affiliated with them in anyway, but I really like their product and find its use to be indispensable.  If you haven’t tried it yet, I highly recommend taking it for a spin; most likely you will wonder why you didn’t start using Spiceworks sooner.

Very detailed, well thought out.

 I have to admit, I didn't know that the gentleman that created, "Crime and Punishment" first name was Fyodor Looking forward to part 2!  Thanks again

Any movement on your proposal?  Glad to hear about the dvd...

Andrew,

I don't know if it will help, but feel free to use anything in my article http://www.ethicalhacker.net/content/view/154/24/ I think the point you should emphasize is that SourceFire has cornered the market, and for the sake of open source OSSEC should do everything it can to get known.

If you took a survey, I bet a lot of people have never heard of OSSEC, but they have probably heard of snort. OSSEC is the future, most people just aren't aware of it.

Also as a suggestion, it would be great if you could include a dvd with a vid of installations and advanced techniques, some people learn best by watching then emulating...fwiw

Thanks slimjim 100,

I have used FF since it first came out, and don't know where I would be without it.  As an aside I have been reading a little about 3.0 and there is some grumbling from hardcore beta testers saying that the mozilla folks have bloated the browser with .ext's rather than allowing each user to pick and choose which addons fits his/her individual needs.  Hopefully (if that is the case) they will run a leaner light version, that is just FF *fingers crossed*

jimbob,

Thank you for pointing out that noscript does not defend against xss, I re-read my post and it seemed a little confusing.  I was trying to say that xss is so dangerous that we should do whatever (even if inconvenient) it takes to keep things at bay, when we can (like java and javascript). 

I understand that I am potentially starting a browser war, but so be it.  Firefox, is a better (safer?) browser, and one of the main reasons that I say that is noscript http://noscript.net .  Noscript is a Firefox extension, that allows the  user to decide which sites can and cannot run javascript and java.  It is amazing how many websites want to load code on a page you are looking at, without you even realizing it. 

I personally feel that the threat of cross-site scripting is a major issue and we need to do our due diligence as infosec representatives and take the extra steps to thwart malware.  I empathize that it can be annoying to have to temporarily allow a site to run javascript, but if you blindly trust a site and they become compromised you may or may not now be infected.  I'll put up with the hassle, noscript is enabled and shields are up!

P.S.

Make certain you enable javascript temporarily when posting on eh.net or you will have to may have to re-type your post

I just read an article that is about malware that is brilliant and unbelievably frightening simultaneously.  Basically, if an infected machine is told to go to a hostile site and it has (the machine) already visited the site, the ip address is used to filter the infected machine to a "benign" page. 

It goes without saying how much more difficult this can make it to identify what exactly is happening on the target machine.  The full article is here: http://www.vnunet.com/vnunet/news/2191298/hackers-turn-genre-evasive

If you don't mind the minor headache of having to temporarily allow scripts to run, I highly recommend noscript.net

Don, (and the EH community)

You are absolutely correct, I am always open to feedback and any ideas that can help shape my column.  I really enjoy doing my articles, and am very thankful to you and the EH community for your continued support.  Please feel free to let me know of any ideas or issues you would like to see addressed, in future columns.  As Don has already stated, I am an admin and I may have missed crucial topics which would benefit all of us.

oleDB,

I didn't use the actual name of the exploit, (just in case the attacker reads our site) but as far as I could tell, it was some type of trojan, possibly a key logger.  My best guess is that the attacker was attempting to use the machine as a jumping off point, but never quite figured out what to do; once he/she had access. The scanner(s) didn't detect anything which forced me to use google and figure out what exactly was taking place.

It is good to know that Stinger is worthless, I always use it as secondary scanner, maybe its time I move to something else like housecall, http://housecall.trendmicro.com/ I guess since it's freeware,  we can't really expect top notch performance; and like you said they should catch a piece of malware that has been around 3-4 mos.  Lets face it, most patches are issued and not applied for months on end, then attackers take advantage of the pre-existing flaw.

I have started to get into sandboxing, and like the idea of running a process in an area that keeps a process from causing havoc on a machine.  I will need to look into these two products, ( NormanSandbox and Anubis) since I am only familiar with Sandboxie, http://www.sandboxie.com/ which honestly I am less than thrilled with.

I know blowing away the machine is the safest way, but it is also time consuming and a huge pain.  I (and everyone else) am hoping for an anti-rookit that updates like anti-virus and stays one step ahead of malware programmers.

Thank you for giving me more apps to look into, and helping me to refine my approach to an incident.  It is vital to stay on the cutting edge of the best tools which help to combat attackers tactics.

I fail to see how this is enforceable.  I can guarantee that each one of us have at least 10% of all our users downloading illegal music and video.  I don't know about anyone else but I don't have time to deal with the scourge of the RIAA.  I am dealing with real issues and as long as they focus their attention on d/l files and not hacking my network/installing malware, I am a happy camper.

I am not a deputized member of the law and as such cannot be expected to police my users actions, there simply is not enough time in the day (or night).

Plik it certainly is a concern, but honestly there is NOTHING we can do.  Tools have become more sophisticated (read GUI-based) and skills that it took to hone are as easy as checking some boxes, see nmapfe.  I would like to see a return to the command line, but it won't happen.

The folks at metasploit deserve the praise, they have created a masterpiece, but it does lead to a watering down of the talent pool.  This is inevitable however, in everything we do.  The more technology evolves the easier it is to do something than it was ten years ago, and so it goes in the infosec community.

I noticed that and to be honest was a little suprised taht they waited a full day.  When the vuln. was first announced the level was left at green but the next morning it was yellow.  Does anyone know if the the threat level is up to the discretion of the incident handler of the day, or if a governing body at SANS  makes that decision.

Thanks to everyone for the kind words.

slimjim100,

It is disturbing how little business thinks about contigency planning till it is too late.  It is our job (whether we like it or not) to sell the concept.  It has been 5+ years since those horrific events on September 11th and many companies still do not get it.

ChrisG, to answer your question, our fires suppression stops and starts with handheld charged fire extinguishers.  As is more par for the course (than most will admit), our server room was at one time office space.  There are no sprinklers of any kind throughout the space, and the door to the "server room" is left unlocked b/c the space is large enough to accomodate old but possibly still usuable (in management's eyes) it equipment printers, switches, etc.

I agree though that if you do have water suppression in your server room that you absolutely need a contigency plan for replacing the hardware.  Even if you have a dry system (water is not charged in the line) once it goes off, it seems as if the cure can be much more harmful than the disease.

cutaway,

Thank you for that sobering example, I will definately carry that with me the next time someone thinks they are mitigating a considerable risk through the purchase of insurance.

Great thread...

It is important to have difficult questions discussed and dissected, it helps both the question answeree and the answerer.  However, there is no reason why the questions cannot be altered enough to where it would be considered a unique item.

The idea behind posting questions should be to learn more and strengthen an area that your are deficient in.  With this thought in mind altering the question would only be an issue if it was the specific question you wanted the answer to and not a similar question, which still holds the spirit of the original question.

Thangvt that is such a great idea, maybe the eh.net community could generate questions and (once we reached a descent amount) Don could create a database that would ask these questions in a randomly generated format. This is obviously just in the brainstorming phase, but something definitely worth talking more about.