Posted August 2nd, 2007 by rybolov
Yesterday I got a hasty call from Jon D about my server. He had checked out my blog from work and within an hour got a call from a Symantec SOC that he was looking at a web page that was part of a botnet.
So he called me.
Back 4 years ago I had set up an IRC network for a friend, including my server as one of the nodes. Over time the network died, as they do, and when I moved the server a couple of times over the course of several years, the ircd didn’t come back up. The ircd.conf didn’t match up with the network interfaces on the box, so ircd would croak every time it tried to start up.
Well, I guess the last server move did something that the ircd did like because it came back up and stayed up. Bah, that’s resiliency in action for you, kids.
When I got the call from Jon I knew exactly what it was. It took about 2 minutes to ssh in, verify that there were 8 dirtballs squatting on my server, kill the ircd, and kill the line in crontab that restarts the server if/when it dies. Problem solved, now back to playing zombie hack-n-slash games.
In an OS sense, there wasn’t a compromise or anything, just the greasies using the application like it was intended to be used, only with a different intent.
Posted in Hack the Planet, Technical, The Guerilla CISO | 2 Comments »
Posted August 1st, 2007 by rybolov
I’m not Lord Nikon, but I play him at lunchtime. A guy can always pretend, can’t he?
You see, here in “occupied” Northern Virginia, we all work for either the Government, contractors, IT companies, or any combination thereof. Everywhere you go, you have a badge. Most badges have at least two things: the company name and the employee’s name. Looking at my “25 pieces of flair”, I see that you can even get my middle initial and where I work.
If all this sounds exactly like seed material for your password seed files, well then it just might be. Not really what I would call earth-shattering ‘leet skillz, but it might be enough to get a foothold if you’re targeting one company in particular–find the nearest lunch spot and look for the right logo, check the web for @targetcompany.com email addresses, note the smtp headers to see what kind of a user naming convention they use, and mung your collected names list into the right format.
Then get hacking! That’s an exercise left to the reader, just follow the golden rule and “never hack from home.”
Anyway, my little lunchtime distraction is to notice how many organizations I can see standing in line, talking on the phone, or enjoying their lowfat Atkins-friendly salad. I guess you could say it’s the CISO’s version of buzzword bingo.
But then again, I’ve always been a little bit touched, so this shouldn’t be a big surprise. =)
Posted in Hack the Planet, The Guerilla CISO | 3 Comments »
Posted August 1st, 2007 by rybolov
Check it out at www.zombieportraits.com:
“Why wait until the end of days to see your mug as a mound of undead rot? With the aid of a photograph, master illustrator Rob Sacchetto will hand illustrate a custom portrait depicting YOU as a brain chasing ghoul.”
Posted in Zombies | 1 Comment »
Posted August 1st, 2007 by rybolov
No, I’m not talking about the guy at your local automotive garage co-op that signs out wrenches. What I mean is something similar to what a project manager would recognize as scope creep.
Imagine the scenario: You’re a managed service provider and have a variety of tools to do the following things:
- Monitor servers
- Monitor network devices
- Archive/review logs
- Automatically generate trouble tickets
- Manage NIDS
- Manage HIDS
And then along comes a client request out of the blue that surprises you. Say, for instance, they want to generate an automatic feed for an asset management system. It’s a great idea, but you don’t have a tool that can do it, so you end up buying something new.
Normally this is a problem for the typical IT shop. For a Managed Service Provider, it’s what will kill you. Either you support a tool for all clients, or it becomes a one-off for that particular client, and that’s bad because then you end up with every client having their own peculiarities.
So the big question is, how do you handle tool creep? Well, about the same way you handle engineers messing around with :
- Train your people on what you have built already and manage attrition.
- The Technical Review Board, if you have one, can/should do tool evaluations and selections.
- Look at plugins for the existing toolset that you have–can you get the same effect with an additional license/module or by teaching a new group of people how to use what you already have?
- Make the new tool ODC–Other Direct Charge. I.e., carry the cost through to the customer, including design and implementation.
Posted in Technical, The Guerilla CISO | 2 Comments »