bill’s blog


Browsing Posts in School

SMTP (or Simple Mail Transfer Protocol) is the protocol that handles the sending of email. Servers listen on port 25 for mail from other servers; clients handing in new mail normally use the separate submission port, 587. For the most part this is a server-to-server protocol, though because the commands are plain text it is possible to telnet to the port and type a message in by hand. Several roles cooperate (the mail submission agent, the mail transfer agent, the MX lookup in DNS that finds the destination’s servers, and the mail delivery agent) to make sure the mail gets to the right place (domain and account).
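To make the “telnet into the service” remark concrete, here is an added example (not code from the original post) of the dialogue a mail server holds with a client. It models the server side as a small state machine: the client types commands, the server answers with numeric reply codes, and the order of commands is enforced (HELO, then MAIL FROM, then RCPT TO, then DATA). The LOCAL_DOMAIN value and the hostnames in the constructed session are assumptions for the demo. The relay check it includes (refusing RCPT TO for other domains) is what keeps a server like this from becoming an open relay that anyone on the Internet can use to send spam.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical domain this server delivers for (assumption for the demo).
   RCPT TO addresses outside it are refused so the server is not an open relay. */
#define LOCAL_DOMAIN "example.com"

enum smtp_state { ST_CONNECTED, ST_GREETED, ST_MAIL, ST_RCPT, ST_DATA, ST_CLOSED };

struct smtp_session { enum smtp_state state; int rcpt_count; };

void smtp_init(struct smtp_session *s) { s->state = ST_CONNECTED; s->rcpt_count = 0; }

/* Case-insensitive check that `line` starts with the (uppercase) `verb`. */
static int has_verb(const char *line, const char *verb) {
    for (; *verb; line++, verb++)
        if (toupper((unsigned char)*line) != (unsigned char)*verb) return 0;
    return 1;
}

/* True if the address argument ends in @LOCAL_DOMAIN (case-insensitive). */
static int is_local_recipient(const char *arg) {
    const char *at = strrchr(arg, '@');
    if (!at) return 0;
    const char *dom = at + 1, *local = LOCAL_DOMAIN;
    for (; *local; dom++, local++)
        if (tolower((unsigned char)*dom) != (unsigned char)*local) return 0;
    return *dom == '>' || *dom == '\0';   /* nothing may follow the domain */
}

/* Feeds one client line to the server state machine. Returns the three-digit
   reply code (0 when the line is message body and draws no reply) and writes
   the full reply text into `reply`. */
int smtp_handle(struct smtp_session *s, const char *line, char *reply, size_t cap) {
    int code; const char *text;

    if (s->state == ST_DATA) {                       /* inside the message body */
        if (strcmp(line, ".") != 0) return 0;        /* body line: no reply */
        s->state = ST_GREETED; code = 250; text = "OK: message queued";
    } else if (has_verb(line, "HELO ") || has_verb(line, "EHLO ")) {
        s->state = ST_GREETED; s->rcpt_count = 0; code = 250; text = "mail.example.com Hello";
    } else if (has_verb(line, "MAIL FROM:")) {
        if (s->state == ST_CONNECTED) { code = 503; text = "Bad sequence: send HELO first"; }
        else { s->state = ST_MAIL; s->rcpt_count = 0; code = 250; text = "OK"; }
    } else if (has_verb(line, "RCPT TO:")) {
        if (s->state != ST_MAIL && s->state != ST_RCPT) { code = 503; text = "Bad sequence: need MAIL FROM"; }
        else if (!is_local_recipient(line + 8)) { code = 550; text = "Relaying denied"; }
        else { s->state = ST_RCPT; s->rcpt_count++; code = 250; text = "OK"; }
    } else if (has_verb(line, "DATA")) {
        if (s->state != ST_RCPT) { code = 503; text = "Bad sequence: need RCPT TO"; }
        else { s->state = ST_DATA; code = 354; text = "End data with <CR><LF>.<CR><LF>"; }
    } else if (has_verb(line, "QUIT")) {
        s->state = ST_CLOSED; code = 221; text = "Bye";
    } else {
        code = 500; text = "Command not recognized";
    }
    snprintf(reply, cap, "%d %s", code, text);
    return code;
}

int main(void) {
    /* Constructed client session, the kind one could type over telnet to port 25. */
    static const char *client[] = {
        "EHLO laptop.example.net", "MAIL FROM:<alice@example.net>",
        "RCPT TO:<bob@example.com>", "RCPT TO:<mallory@evil.test>",
        "DATA", "Subject: hi", "", "Hello Bob.", ".", "QUIT" };
    struct smtp_session s; char reply[96];
    smtp_init(&s);
    puts("S: 220 mail.example.com ESMTP ready");
    for (size_t i = 0; i < sizeof client / sizeof client[0]; i++) {
        printf("C: %s\n", client[i]);
        if (smtp_handle(&s, client[i], reply, sizeof reply)) printf("S: %s\n", reply);
    }
    printf("(accepted %d recipient(s))\n", s.rcpt_count);
    return 0;
}
```

The 503 replies are the part worth noticing: a real server rejects commands out of order, which is also why a hand-typed session has to follow the sequence exactly. The 550 on the second RCPT TO is the relay check; without it the server would queue mail for any destination on behalf of anyone who connected.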

IMAP (or Internet Message Access Protocol) is one of two protocols that handle the delivery of email to clients. It usually runs on port 143, but this can be changed to obscure the service by running it on a different port. The downside is that every client application then has to be configured by hand with the new port, and moving the port is obscurity rather than security: a port scan finds the service again in seconds. IMAP can also be wrapped in SSL/TLS to protect the session; secure IMAP runs on port 993 by default. The benefit of using IMAP is that it centralizes email. The mail actually resides on the server, and the end user can access it from multiple machines.

POP (or Post Office Protocol) is the other protocol that handles the delivery of mail to clients. Once again it usually runs on its well-known port, 110, but that can be changed. It too can be wrapped in SSL/TLS, and when configured that way it usually runs on port 995. The benefit of using POP is mostly on the server side. POP downloads messages to the local machine and then (by default) deletes them from the mail server, keeping storage demands to a minimum.

A buffer overflow vulnerability is one in which a program copies input into a fixed-size buffer without checking that the input actually fits. In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory (Wikipedia.org, 2010). This can lead to any number of problems… simple application instability, a complete crash, or in the worst case control of the program: by overwriting the saved return address on the stack, an attacker redirects execution to code of their choosing instead of merely crashing it. In practice, an attacker crafts an input string that overflows the buffer and ends up executing something like cmd.exe or /bin/sh.

So how does one go about performing such deeds of electronic mischief?

1. Start by reconnoitering the target. We do this with a port scanner such as Nmap or a vulnerability scanner such as Nessus. We look for a machine running a piece of software whose particular version has a known, unpatched vulnerability.

2. Next we put together a payload. This is an input string long enough to exceed the input buffer, carrying the code (or the address of the code) to run once the overflow happens. There is a bit of work that goes into this, and for the script kiddies out there… many websites and videos step through putting together such an attack. A really simple buffer overflow is demonstrated in this video on YouTube.

http://www.youtube.com/watch?v=ZZ0LVAFIDrA

Once the buffer overflow is successfully performed you should be returned a shell prompt. That shell has the same privileges as the application that was compromised, no more: overflowing a service running under an unprivileged account gets you that account, while overflowing one running as root or SYSTEM gets you the box. Modern mitigations (non-executable stacks, stack canaries, address space layout randomization) exist precisely to make this step crash instead of succeed, which is why exploits against current systems take considerably more work than the video suggests.
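As an added example (not code from the post or from the linked video), the C below puts the vulnerable pattern next to its hardened form and shows, deterministically, what an over-long input does to the variable that sits right after the buffer. The frame layout, the 16-byte buffer and the flag standing in for the saved return address are assumptions of the model; real compilers lay frames out differently and a real exploit aims the overwrite at the return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* VULNERABLE, as the post describes: nothing checks that the input fits in
   name[]. A username of 16 or more bytes runs off the end of the buffer into
   whatever the compiler placed next in the frame, eventually the saved
   return address. Deliberately left broken; never call it with untrusted input. */
int greet_unsafe(const char *username) {
    char name[NAME_LEN];
    strcpy(name, username);                 /* BUG: unbounded copy */
    printf("Hello, %s\n", name);
    return 0;
}

/* HARDENED: the bound comes from the destination's size, not from the input.
   Returns 0 and fills `out` on success, -1 if the input (plus its NUL) does
   not fit; nothing is written on failure. */
int greet_safe(const char *username, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && username[n] != '\0') n++;   /* bounded length scan */
    if (n >= out_len) return -1;                      /* needs n+1 bytes */
    memcpy(out, username, n + 1);
    return 0;
}

/* A deterministic model of what the unbounded copy does to the frame.
   The "frame" is one char array laid out as compilers commonly do it:
   name[16] immediately followed by a 4-byte variable (an is_admin flag,
   standing in here for the saved return address). Copying strlen(input)+1
   bytes without regard to NAME_LEN overwrites the flag with the attacker's
   bytes. Returns the flag's value after the copy. */
uint32_t flag_after_unbounded_copy(const char *input) {
    unsigned char frame[NAME_LEN + sizeof(uint32_t)] = {0};
    uint32_t flag;
    size_t len = strlen(input) + 1;
    if (len > sizeof frame) len = sizeof frame;       /* keeps the model itself in bounds */
    memcpy(frame, input, len);                        /* the vulnerable copy */
    memcpy(&flag, frame + NAME_LEN, sizeof flag);     /* read back what now sits past name[] */
    return flag;
}

int main(void) {
    char out[NAME_LEN];
    /* Constructed inputs: one that fits, one that spills onto the flag. */
    const char *benign  = "alice";
    const char *payload = "AAAAAAAAAAAAAAAABBBB";    /* 16 bytes of filler, then 4 bytes landing on the flag */

    printf("flag after copying \"%s\": 0x%08x\n", benign, flag_after_unbounded_copy(benign));
    printf("flag after copying \"%s\": 0x%08x\n", payload, flag_after_unbounded_copy(payload));
    printf("greet_safe(benign)  -> %d (%s)\n", greet_safe(benign, out, sizeof out), out);
    printf("greet_safe(payload) -> %d (rejected, buffer untouched)\n", greet_safe(payload, out, sizeof out));
    return 0;
}
```

The payload is the whole lesson in miniature: the first 16 bytes fill the buffer, and the 4 bytes after them become the new value of whatever lives next door (0x42424242 here). Swap the flag for a return address and the “BBBB” becomes the address the function returns to.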

Resources:

Various, (2010), Buffer overflow, Retrieved on August 22nd, 2010 from http://en.wikipedia.org/wiki/Buffer_overflow

MTBF


I work in IT and one of my job functions is to warehouse the image files of a corporate creative department. Translated… that means I buy a lot of storage. One of the things storage admins look at is the failure rate of the disk drives that make up their SAN environments. The higher the failure rate of a particular drive, the better your chances of a catastrophic loss… or in other words you’re restoring from tape if you lose a lot of drives at one time!

MTBF (or mean time between failures) is a standard measurement, in hours, used to express how long a disk drive is expected to run before it fails. The other measurement we use is AFR (or annualized failure rate), which is expressed as a percentage and derived from the MTBF and the number of hours per year the device is powered on and running. A couple of things to note… MTBF is not a device’s useful life. And AFR is not meant to be applied to a single drive; rather it is the expected failure rate across a population of drives from a particular production run.

So what does this all mean?

Well, most vendors spec consumer-grade disk drives at about 300,000 hours MTBF. That being said, the key word in MTBF is M (or mean). A mean is not a promise about any one drive, and it is not the point at which half the drives have died either: under the constant-failure-rate model that MTBF/AFR arithmetic assumes, roughly 63% of a population has failed by the time the MTBF is reached, and half of it is gone at about 69% of the MTBF. The figure is best read as a statement about the failure rate of the whole population, which is exactly what the AFR calculation does with it.

Translated again… and I got help on this one ;-)

If you had 600,000 drives with 300,000 hour MTBFs, you’d expect to see one drive failure per hour. In a year you’d expect to see 8,760 (the number of hours in a year) drive failures or a 1.46% Annual Failure Rate (AFR) (Harris, 2007).
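To make the arithmetic checkable, here is an added example (not from the post or the cited article) that computes AFR and fleet failure counts from an MTBF and then walks a population through time under the constant-failure-rate assumption those figures rest on. Applying the relationships to the post’s numbers gives an AFR of 8,760/300,000 = 2.92% and, for a 600,000-drive fleet at that MTBF, two expected failures per hour (the fleet accumulates 600,000 drive-hours every hour). The drive count and MTBF are the post’s; the constant hazard is the model’s simplification, and Google’s measurements, discussed next, are one reason not to trust it too far.

```c
#include <stdio.h>

#define HOURS_PER_YEAR 8760.0

/* AFR implied by a quoted MTBF for drives powered on around the clock:
   the fraction of a large population expected to fail per year. */
double afr_from_mtbf(double mtbf_hours) { return HOURS_PER_YEAR / mtbf_hours; }

/* Expected failures per hour across a fleet: each hour the fleet racks up
   `drives` drive-hours, with one failure expected per `mtbf_hours` of them. */
double fleet_failures_per_hour(double drives, double mtbf_hours) { return drives / mtbf_hours; }

double fleet_failures_per_year(double drives, double mtbf_hours) {
    return fleet_failures_per_hour(drives, mtbf_hours) * HOURS_PER_YEAR;
}

/* Walks a population hour by hour under the constant-failure-rate assumption
   that MTBF/AFR arithmetic rests on: each hour, 1/MTBF of the survivors fail.
   Returns the fraction still running after t_hours. (The closed form is
   e^(-t/MTBF); the loop avoids libm and keeps the model visible.) */
double fraction_surviving(double t_hours, double mtbf_hours) {
    double alive = 1.0, hazard = 1.0 / mtbf_hours;
    for (long h = 0; h < (long)t_hours; h++) alive *= 1.0 - hazard;
    return alive;
}

/* Hour by which half the population has failed: the median life, which under
   this model is about 69% of the mean (ln 2 * MTBF), not equal to it. */
long median_life_hours(double mtbf_hours) {
    double alive = 1.0, hazard = 1.0 / mtbf_hours;
    long h = 0;
    while (alive >= 0.5) { alive *= 1.0 - hazard; h++; }
    return h;
}

int main(void) {
    double mtbf = 300000.0, drives = 600000.0;   /* the figures quoted in the post */
    printf("MTBF %.0f h -> AFR %.2f%%\n", mtbf, 100.0 * afr_from_mtbf(mtbf));
    printf("%.0f drives -> %.1f failures/hour, %.0f/year\n", drives,
           fleet_failures_per_hour(drives, mtbf), fleet_failures_per_year(drives, mtbf));
    printf("share still running at t = MTBF: %.1f%% (not 50%%)\n",
           100.0 * fraction_surviving(mtbf, mtbf));
    printf("half the population gone after %ld h (%.2f of MTBF)\n",
           median_life_hours(mtbf), median_life_hours(mtbf) / mtbf);
    return 0;
}
```

The two loops are the point: once you see that the population thins by a constant fraction each hour, the fact that the mean and the median differ stops being surprising, and the AFR (what a storage admin actually budgets replacements against) falls straight out of the MTBF.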

Realizing that this is what a manufacturer quotes as the expected life, one has to ask how it holds up in reality. Well, Google did a bit of research on this and found that the failure rates it observed were considerably higher than the manufacturers’ figures. Why? In part because there is no common definition of failure: what a manufacturer counts as a failure and what the real world experiences as one are not the same thing.

In reality many factors determine whether a drive should remain in production. Call it an IT admin’s intuition… call it that odd clicking sound… call it taking forever to save a file… Often we (IT professionals) will replace a drive before it is completely unusable (the point where we can no longer retrieve data from the device). Did the drive fail? Technically no… practically yes! If we can’t rely on the drive to reliably save and retrieve data, then it has failed for our purposes… guess some manufacturers don’t see it the same way!

Resources:

Harris, R., (2007, February 19), Google’s Disk Failure Experience, Retrieved on June 3rd, 2010 from http://storagemojo.com/2007/02/19/googles-disk-failure-experience/

Wow, what a week! It was a stroll down math’s hit parade… number line theory… adding fractions… primes… substituting variables… and the rules for the order of mathematical operations. The fact is we use math every day, but rarely do we think about the fact that we are using math! So let’s see how we take our math skills for granted!

The other day I was in NYC. I had $7.50 in my pocket for lunch! It was the end of the week and my wife had snagged my wallet, so going to the ATM was out of the question! For anyone who’s never been to New York, filling your belly on $7.50 is not an easy task!

I was in the mood for pizza. I ran into the nearest pizza place and saw that a slice of pizza cost $3.50 and a Coke would run me an additional $1.50. Now I know this is going to be a stretch, but bear with me… Let’s put some number line theory to work! Let’s look at 0 on the number line as the dividing mark between contentment and starvation! If I drop into the negative side of the number line I go hungry. If I stay on the positive side, I walk away with a full belly!

Let’s begin…

Starting at +7.50 on the number line… let’s do some math. Two slices of pizza, because one slice wasn’t going to cut it, could be represented by the following equation:

(2 * -3.50)

Let’s apply that to our number line.

(2 * -3.50) = -7.00; -7.00 + 7.50 (our starting point) = 0.50

So we’re still positive…  still good! BUT then I need to add the coke in.

0.50 + (-1.50) = -1.00

As you can see I’ve fallen into the negative side of the number line at -1.00. Bill goes hungry.

I know one can say do without the Coke… but I just can’t eat a slice without an icy cold soda!

Let’s look at the menu again!

Ohhh… that calzone looks good at $6.50 for a plain one (I’d have to sacrifice palate for hunger)!

Back to the number line…

(1 * -6.50) = -6.50; -6.50 + 7.50 = 1.00

Now we’re talking… still on the positive side. BUT I still need to add in that icy cold Coke (it doesn’t matter what I eat… I just need something to wash the food down with)!

1.00 + (-1.50) = -0.50

Poof… I just got blown out of the water by 0.50. I’m running out of options! Let’s see what else is on the menu!

Ahhh… garlic knots at $2.25. So maybe I can do a bag of knots, a slice of pizza and that icy cold Coke!

-3.50 + (-2.25) + (-1.50) = -7.25; -7.25 + 7.50 = +0.25

Now we’re talking! Still on the positive side of zero… SO I guess I’ve got my lunch! Contentment!

Is my example simple? Yes, BUT this is the kind of math we perform automatically every day without really putting any effort into it!

Stay tuned for primes and encryption next week!



Everywhere we look in life, rules guide us to the correct way of doing things, whether it’s the rules of the road or something as basic as math! It’s funny; those of us with kids often have to think back many years when they come home with new math problems, AND the older they get the more you have to think. This year I’ve had to look at the rules of operations all over again… both in this class and with my kids. Without these rules the correct answer will be ever elusive! One person may do addition first… another follows from left to right… still another does multiplication. Rules are put in place so that everyone can understand and interpret equations without ambiguity! Math has its rules! One easy way to remember the order in which to evaluate an expression is…

BEDMAS (Brackets, Exponents, Divide, Multiply, Add, Subtract). Two details the acronym hides: division and multiplication share one level of precedence and are worked left to right, and the same goes for addition and subtraction.

So what does all this mean? Given the equation

4+7-(8*5) = X

The first thing we do is deal with what’s inside the brackets: (8*5), or 40.

Then, with no exponents, multiplication or division left outside the brackets, we work the addition and subtraction from left to right: 4 + 7 is 11.

Finally, 11 – 40, or -29.

SO 4+7-(8*5) = -29

Here in the United States we use a base-10 system for many things… certainly we count using a base-10 numbering system. Our currency is base 10. I can remember the big push in the late ’70s to move to the metric system, which by the way is a base-10 system. Yet we may not realize that there are many different numbering systems ingrained in our society. We use an English system to express units of measure (length), which in many ways is based on a Roman system of measurement! An example is the mile… originally based on the Roman mile (5,000 feet), in 1592 it was extended to 5,280 feet to make it an even number (8) of furlongs (wikipedia.org, 2010). By the way… the distance between the rails on a standard-gauge railway line, high-speed lines included, is 143.5 centimeters. A popular story, disputed by historians, says that was the distance between the wheels of a Roman chariot, the width needed to fit two horses side by side in front of it.

In IT we are used to seeing different numbering systems. Base 2 (binary) and base 16 (hexadecimal) come up all the time.

The binary number system contains just two values, 1 and 0. George Boole is considered by many the father of modern computing. It was his work with logic that ultimately boiled logic, and the math behind it, down to simple yes-or-no (1 or 0) decisions. This makes computing extremely fast. If one thinks in terms of electrical switches, you have either an on or an off position. Computer microchips are designed so that, depending on the state of a signal (1 or 0), a logic pattern is computed and software executes. We in IT often hide behind this logic. It is so ingrained in our beings that it is often hard for us to factor in the randomness that plays such a large part in life. Why? Because we are surrounded by 1’s and 0’s. Yes, we all know that computers use on and off as the basic premise of computer code… but CD, DVD and Blu-ray discs are perfect illustrations of the binary system too. Their data is encoded as microscopic pits pressed (or, for recordable discs, burned by a laser) into a reflective layer beneath the protective plastic. Strictly, a pit is not a 0 and the untouched surface (the land) a 1: it is the transition from pit to land, or back, that the player reads as a 1, and the stretches in between as 0’s, but the principle is the same. On playback the drive turns this stream of bits back into the music or movies we’ve come to enjoy!

We also come across hex numbers quite often! The hexadecimal number system complements the binary system. Each hexadecimal digit represents four binary digits (bits) (also called a “nibble”), and the primary use of hexadecimal notation is as a human-friendly representation of binary-coded values in computing and digital electronics (Wikipedia, 2010). We see hex when looking at MAC addresses. We use hexadecimal for RGB colors in Photoshop, HTML and CSS documents. We will be using hexadecimal numbers when writing out IPv6 addresses! And if you’ve ever used a packet capture tool such as Wireshark, you’ve seen packet bytes displayed in hexadecimal as well: 192.168.1.1 shows up as c0 a8 01 01. Note that this is only a display convention. The address is four bytes on the wire whether we write it in decimal or hex, so nothing is saved in transmission, only in reading.
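As an added example (not from the post), the C below does the conversion the Wireshark remark describes: it parses a dotted-decimal IPv4 address into its four wire bytes, prints them in hex, and splits each byte into the two nibbles a hex pair stands for. The same routine formats a MAC address. The sample address and MAC bytes are constructed for the demo; the point it makes in code is that hex changes how we read the bytes, not how many of them there are.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parses dotted-decimal IPv4 text into the four bytes that actually travel on
   the wire. Returns 0 on success, -1 on malformed input. */
int ipv4_parse(const char *text, uint8_t out[4]) {
    const char *p = text;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (*p < '0' || *p > '9') return -1;          /* each field must start with a digit */
        unsigned long v = strtoul(p, &end, 10);
        if (v > 255) return -1;                        /* one byte per field */
        out[i] = (uint8_t)v;
        p = end;
        if (i < 3) {
            if (*p != '.') return -1;
            p++;
        }
    }
    return *p == '\0' ? 0 : -1;                        /* no trailing junk */
}

/* Writes `len` bytes as lowercase hex, one digit per nibble, so 2*len
   characters plus the terminator. */
void bytes_to_hex(const uint8_t *bytes, size_t len, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[bytes[i] >> 4];        /* high nibble */
        out[2 * i + 1] = digits[bytes[i] & 0x0f];      /* low nibble */
    }
    out[2 * len] = '\0';
}

/* Writes one byte as eight binary digits, most significant bit first. */
void byte_to_binary(uint8_t b, char out[9]) {
    for (int i = 7; i >= 0; i--) out[7 - i] = ((b >> i) & 1) ? '1' : '0';
    out[8] = '\0';
}

/* Dotted-quad text to the 8-character hex form seen in packet dumps. */
int ipv4_to_hex(const char *text, char out[9]) {
    uint8_t b[4];
    if (ipv4_parse(text, b) != 0) return -1;
    bytes_to_hex(b, 4, out);
    return 0;
}

int main(void) {
    char hex[13], bin[9];
    uint8_t ip[4];
    /* Constructed sample values. */
    const char *addr = "192.168.1.1";
    const uint8_t mac[6] = {0x00, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e};

    if (ipv4_parse(addr, ip) == 0) {
        bytes_to_hex(ip, 4, hex);
        printf("%s -> %s (%zu bytes on the wire either way)\n", addr, hex, sizeof ip);
        for (int i = 0; i < 4; i++) {
            byte_to_binary(ip[i], bin);
            printf("  %3u = %c%c = %.4s %.4s\n", ip[i], hex[2 * i], hex[2 * i + 1], bin, bin + 4);
        }
    }
    bytes_to_hex(mac, 6, hex);
    printf("MAC bytes -> %s\n", hex);
    return 0;
}
```

The binary column in the output is the “nibble” idea made visible: 192 is 1100 0000, and each four-bit group maps to exactly one hex digit (c and 0), which is why hex is the natural shorthand for byte dumps.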

Different number systems can be thought of as ways of grouping the same quantity so that it is convenient to write and to work with: binary matches the on/off states of the hardware, and hex packs four of those states into a single digit for human eyes.

Resources:

Various, (2010, April, 10) English Units, Retrieved on April 28th, 2010 from http://en.wikipedia.org/wiki/English_units

Various, (2010, April 28th), Hexadecimal, Retrieved on April 28th, 2010 from http://en.wikipedia.org/wiki/Hexadecimal

Computers and science fiction are joined at the hip! And no individual ties the two together better than Star Trek’s Mr. Spock! Spock could be seen in most episodes working at his computer workstation, fine-tuning the results of a search, calculating odds or presenting a definitive course of action. But it wasn’t Spock’s love of computers that made him so special… it was his impeccable logic! So sound was his logic that Kirk would say, “You’d make a splendid computer, Mr. Spock” (Roddenberry, 1967).

We as human beings often think with emotion rather than logic, and emotion clouds logical thought. In IT the ability to think logically about a problem is a must… ones and zeros. It helps with the reasoning process… “I understand that your computer seems slow, but can you be more precise?” If we can eliminate subjectivity, we can often get at the root of the problem much more expeditiously. But logic isn’t only used to troubleshoot software bugs. It comes in handy for project management as well.

We are constantly moving solutions into and out of the organizations we work for. Returning machines on lease seems pretty benign. We buy machines… they get delivered… we image them… we deploy them to the end user’s desktop. One needs to worry about interrupting the user. We don’t want to incur additional costs because we can’t turn around the number of machines ordered. It takes a lot of planning. The more you touch a piece of hardware the more time it takes to deploy… and the better your chances of messing up! Understanding how to stage the machines, and being flexible enough to change, needs to be part of your logic.

Technology data migrations are another place where logic plays a hand. The more complex a migration is, the more logic needs to be applied for a successful outcome. One needs to determine the order in which changes happen. Formatting a hard drive before you move the data off would be a really bad thing. Does the user’s home directory reside on the server, or is it cached locally on their laptop? When was the last time the data was synced? These are just some of the questions you need to answer in order to plan adequately. It is logic that you use to formulate the best way to make things happen.

Common sense… plays a part here too. The most common meaning of the phrase is good sense and sound judgment in practical matters (Wikipedia, 2010). It is this judgment that, when strung together, makes our logic sound as well! For some, logic does not come naturally. Just like our reasoning skills, logic needs to be learned. The study of logic enables us to communicate effectively, make more convincing arguments, and develop patterns of reasoning for decision making (Angel, 2007). The more you exercise your logical thinking the better you become at it.

Resources:

Angel, A., Abbott, C., & Runde, D., (2007), A Survey of Mathematics with Applications, Pearson/Addison Wesley

Roddenberry, G., (1967, February 9), Star Trek [The Return of the Archons], New York: National Broadcasting Company.

Various, (2010, April 20th), Common sense retrieved on April 21, 2010 from http://en.wikipedia.org/wiki/Common_sense

Getting up in front of any gathering of people makes many people uncomfortable. In fact, it is often rated as one of the top 10 common phobias. This social phobia affects about 15 million American adults, according to the National Institute of Mental Health (livescience.com, 2010). Practice makes perfect. The more you get up in front of people the more comfortable you become with it. That holds true with anything in life: the more you do something the better you get at doing it.

Preparation for your testimony starts well before you get into the courtroom. It starts the minute you’re actually assigned to the case, whether hired by an attorney or assigned by the jurisdiction you work for. You have to work at getting into a routine, or better yet a systematic, documented approach to collecting evidence, if for no other reason than to eliminate mistakes. As with anything, have a game plan but allow enough flexibility to keep from looking at evidence the same old way. Sun Tzu, the legendary Chinese general and strategist, once wrote, “According as circumstances are favorable, one should modify one’s plan” (Giles, 2009). What Sun Tzu is expressing is that one must be open to change if change does not hurt the ultimate outcome. Attorneys will get to know you, if you’re good. Don’t rely on the same course of action every time; adapt your approach to the evidence in front of you. The caveat is that what you vary is the approach, not the rigor: every step still has to be documented and repeatable, because a method you cannot reproduce on the stand is the easiest thing for opposing counsel to attack.

In studying for my master’s, I am looking to update my skill set… keeping current and, furthermore, looking at a completely new set of skills. This is extremely important for the expert witness. Why? Because opposing lawyers need to discredit you and the evidence you bring to the table. If you’re shown to be 10 years behind the times in your learning, lawyers can use that to introduce doubt in the jury’s mind.

“Perhaps there are better ways to examine that hard drive Mr. Heese?”

The Federal Rules of Civil Procedure, Rule 26, require that you provide a written report on the evidence you are testifying about. As part of that report you must list all publications you have authored in the previous 10 years. Realize that since you are being offered as an “expert” witness, it is assumed that you keep current and are thoroughly knowledgeable in your field of expertise. What better way to keep things honest than to write about the things you know and let your peers refute or agree with what you have to say? Publishing provides for this!

One thing we’re never really prepared for, and most celebrities aren’t either, is media attention! Sometimes you’ll get a case that is of particular interest to the public, such as the Pete Townshend case. In 2003 Pete Townshend, the guitarist for the rock band The Who, was arrested for downloading child pornography from the Internet. Townshend was placed on the sex offender registry for five years after he admitted using his credit card to view the images (Lisi, 2010). A case made for a computer forensics specialist! But there is a price to pay. The media is going to want to know if it’s true. You will be bombarded, and what you say and do could taint your testimony! The media will try to judge the case in the press. They will distort the truth and your words will be taken out of context.

You should know how the trial process works. Who speaks first? When is it your turn? You should know how to dress. What is appropriate attire? Are jeans and sneakers cool? Should you bring your lab coat? What is the proper etiquette in court? Speak to the jury; they are the ones you have to convince. Make eye contact! The fastest way to lose credibility is to look down at the floor when providing an answer. Know what you are going to say, but don’t spend a lot of time rehearsing. Try to keep things simple without minimizing the importance of the testimony you are providing. Realize that you are the expert: you need to explain things to the jury on a level they can understand. Computers and the technology they bring to the table are complex, and many jurors will not be able to grasp the concepts they need to make a knowledgeable decision on guilt or innocence without your help!

Resources:

Conners, S. & Giles, L., (2009, June 15th), The Art of War – Classic Kindle Edition, Chapter 1, Section 17

Lisi, C., (2010, January 28), Pete Townshend targeted as a ’sex offender’ before Super Bowl, Retrieved on March 9th, 2010 from http://www.nypost.com/p/news/national/pete_townshend_targeted_as_sex_offender_3BJDh6zHpMRuPy9pSFfnUL

Unknown, (2010), What Really Scares People: Top 10 Phobias, Retrieved on March 9th, 2010 from http://www.livescience.com/culture/091023-top10-fear-1.html

Many things go into the exchange of information. How is it communicated? How is it received, and most importantly how is it interpreted? Things such as the person’s tone or body language, or in the case of the written word, which words were chosen and how they were used. Is the wording formal or informal? All of these factors are part of the communication process. It is evident from reading the article that different people may interpret the same information in many ways. Clearly and precisely stating your point is extremely important, especially when human lives are at stake.

Let’s take a look at what we have learned.

In the case of the Columbia accident, the information was passed around over a long period of time. NASA knew that foam from the external fuel tank broke free during launches and could damage the shuttle, and it failed to take timely measures to correct the problem.

In the case of the Challenger disaster, the engineers at Morton Thiokol had expressed to NASA their concern that the cold could cause the O-rings to fail. That information was communicated over a very short period of time (less than 24 hours). The engineers didn’t have hard data to prove their case, and NASA was under pressure to launch.

Now, let’s take a look at another NASA mishap, the Apollo 1 fire. On January 27, 1967, the Apollo 1 astronauts were performing a test and training exercise. During the course of the event a fire broke out in the spacecraft killing all three astronauts. A number of factors were to blame, the 100% oxygen environment, the flammable materials in the cockpit (Velcro) and an inward opening hatch. North American Aviation (the spacecraft’s builder) had argued with NASA officials that these factors could have catastrophic consequences.

It is interesting to note that on the only occasions we have lost astronauts in their spacecraft, NASA has been at odds with the spacecraft’s manufacturer. No one wants to be blamed for the death of another human being… so the blame game begins!

During the hearings on the shuttle tragedy, it came to light that two different people had two different opinions on what had been said. The article did not go into who these individuals were or whether they worked for NASA or the spacecraft’s manufacturer. It’s important to know which side of the fence these individuals sat on; without that information an objective third party could draw the wrong conclusions. Clear and precise wording is just as important as what is being said.

Changing corporate culture? Hmmm, now there’s an idea.

It truly is amazing how one of the most basic of protocols is the foundation of the Internet. DNS is a service and protocol that is essential to traffic out on the Internet AND in many cases MORE important on internal networks. Humans, by nature, aren’t really adept at remembering long strings of numbers. Hell, most of us can’t remember a name five minutes after you tell it to us! And while IPv4 addresses are broken into four octets separated by dots (dot-decimal notation), they are still longer than most phone numbers. Servers (or hosts) are not usually referred to by their IP address but by their hostname (www) followed by the domain name (yahoo.com). Enter DNS (or the Domain Name System). It takes a name (such as weblog.randomdog.net) and converts it to the IP address associated with it (such as 69.0.94.158). It also does the reverse (converting IPs to names). DNS is a hierarchical naming system: the root servers refer a resolver to the servers for the few top-level domains (.com, .net, .org, .gov, etc.), those refer it to the authoritative name servers for each domain, and those in turn refer it to the servers for their sub-domains.

Today DNS has expanded beyond its humble roots! The SOA record for a domain names the administrator’s mailbox, and MX records name the mail servers for that domain (whose addresses DNS then supplies). DNS has also been extended to advertise where services can be found on a network, in the form of SRV records. These SRV records inform systems where on the network certain resources (LDAP, Kerberos, Active Directory, mail) are located. Many other services rely on a properly functioning DNS. In fact, Microsoft’s Active Directory and Apple’s Open Directory will break without it.

SO what if DNS breaks?

Well, that’s a problem. DNS was not designed with security in mind. It actually grew out of a shared file: before DNS, people passed HOSTS files around, and the thought of anyone tampering with the associations between host and address was not a concern. People just wanted to reach the host they were looking for. Times have changed and there’s money at stake. DNS cache poisoning is a very real problem. If I were able to redirect your web browser to a ‘fake’ banking site, I could collect your credentials and make unauthorized withdrawals against your account. In March of 2008, Dan Kaminsky met with the various software vendors that provide DNS solutions to discuss a vulnerability he had discovered. The consequences were of such concern that all vendors present agreed to release patches on the same day, which they did that July. In very simple terms, the weakness was that a resolver trusted any reply whose transaction ID matched one of its outstanding queries, and the ID is only 16 bits, so there are just 65,536 possible values. An attacker does not need to sit in the middle of the path at all: a recursive resolver that accepts outside queries can be made to ask a question, and the attacker then floods it with forged replies, each guessing an ID. Kaminsky’s contribution was to show that asking for a stream of random, non-existent names under the target domain gives the attacker a fresh race for every name, and that a winning forged reply could carry a poisoned record for the domain’s name servers, hijacking the whole domain rather than one name (Vamosi, 2008). The coordinated patch randomized the UDP source port of each query, so an attacker now has to guess the port as well as the ID.
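The guessing game Kaminsky exploited, as an added example (not the post’s or Vamosi’s code). It models the check a resolver applies before accepting a reply, first the pre-2008 way (transaction ID only) and then with the source-port randomization the coordinated patch introduced, and it computes how likely a burst of forged replies is to win one race and, using Kaminsky’s trick of asking for fresh random names to get a new race each time, how likely it is to win at least once over many races. The query, reply and port values are constructed. Treating the randomized source port as a full 16 bits of extra entropy is an approximation; real resolvers draw from a smaller port range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a recursive resolver remembers about a query it has in flight. */
struct dns_query {
    uint16_t id;          /* 16-bit transaction ID from the DNS header */
    uint16_t src_port;    /* UDP source port the query left on */
    char qname[64];       /* question name, e.g. "www.example.com." */
};

/* The parts of a (possibly forged) reply the resolver looks at. */
struct dns_reply {
    uint16_t id;
    uint16_t dst_port;    /* port the packet is addressed to */
    char qname[64];
    uint32_t answer_a;    /* the A record the sender wants cached */
};

/* Pre-2008 behaviour: ID and question name must match. With a fixed source
   port an off-path attacker has only the 16-bit ID to guess. */
int accept_reply_id_only(const struct dns_query *q, const struct dns_reply *r) {
    return r->id == q->id && strcmp(r->qname, q->qname) == 0;
}

/* Post-patch behaviour: the reply must also land on the randomised source
   port, so ID and port together give roughly 2^32 possibilities to guess. */
int accept_reply_hardened(const struct dns_query *q, const struct dns_reply *r) {
    return accept_reply_id_only(q, r) && r->dst_port == q->src_port;
}

/* Chance that `forged` distinct guesses hit a secret drawn uniformly from
   `space` values. */
double hit_probability(double forged, double space) {
    return forged >= space ? 1.0 : forged / space;
}

/* Kaminsky's twist: querying random non-existent names under the victim
   domain gives a fresh race per name, so over `attempts` races the chance of
   at least one win is 1 - (1 - p)^attempts. */
double cumulative_probability(double forged, double space, int attempts) {
    double miss = 1.0 - hit_probability(forged, space), all_miss = 1.0;
    for (int i = 0; i < attempts; i++) all_miss *= miss;
    return 1.0 - all_miss;
}

int main(void) {
    /* Constructed query and forged replies. The attacker assumes the old fixed
       port 53; the resolver actually sent from a random port. */
    struct dns_query q = { 0x1234, 53211, "www.example.com." };
    struct dns_reply forged_right_id = { 0x1234, 53, "www.example.com.", 0x0A000001 };
    struct dns_reply forged_wrong_id = { 0x1235, 53, "www.example.com.", 0x0A000001 };
    const double ID_SPACE = 65536.0, ID_AND_PORT_SPACE = 65536.0 * 65536.0;
    const double burst = 100.0; const int races = 1000;

    printf("right ID, wrong port: id-only check %s, hardened check %s\n",
           accept_reply_id_only(&q, &forged_right_id) ? "ACCEPTS" : "rejects",
           accept_reply_hardened(&q, &forged_right_id) ? "ACCEPTS" : "rejects");
    printf("wrong ID: id-only check %s\n",
           accept_reply_id_only(&q, &forged_wrong_id) ? "ACCEPTS" : "rejects");
    printf("%.0f forged replies per race, %d races:\n", burst, races);
    printf("  ID only (2^16):    P(at least one win) = %.4f\n",
           cumulative_probability(burst, ID_SPACE, races));
    printf("  ID + port (~2^32): P(at least one win) = %.8f\n",
           cumulative_probability(burst, ID_AND_PORT_SPACE, races));
    return 0;
}
```

With a hundred forged replies per race and a thousand races (seconds of work for an attacker on a fast link), the ID-only resolver is poisoned with about 78% probability, while the port-randomized one is at a few parts in a hundred thousand. That gap is the entire effect of the 2008 patch, and also why it was called a stopgap: it raises the cost, whereas DNSSEC (next) makes a forged answer detectable no matter how many guesses the attacker gets.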

Enter DNSSEC!

DNSSEC (short for DNS Security Extensions) adds a layer of security to DNS: zone data is digitally signed, so a validating resolver can tell a genuine answer from a forged one. Its aim is to defeat the threats against the Domain Name System that rely on forging answers. These include the following:

1. DNS cache poisoning
2. DNS spoofing attacks (forged responses from an attacker who is not in the path)
3. DNS man-in-the-middle tampering with the answers passing through

Two things it does not do: it does not stop DNS amplification attacks (signed responses are larger, which makes DNS a better amplifier, not a worse one), and it does not encrypt anything, so a man in the middle can still see what you are looking up even if he can no longer change the answer.

The US government has already deployed DNSSEC in the .gov and .mil top-level zones. Unfortunately, as of this writing DNSSEC has not been deployed in the root zone or for the .com, .net and .org top-level domains.

Resources:

Vamosi, R., (2008, July 9), Massive, coordinated DNS patch released, Retrieved on May 27th, 2009 from http://www.zdnet.com.au/news/security/soa/Massive-coordinated-DNS-patch-released/0,130061744,339290456,00.htm