Thoughts of an Angel
 
Due to some needed correction, I have redone the test and made sure that they both came from the same servers (thanks, Billy!).
[Picture: Google Chrome]
[Picture: IE9]

Eh...they have their trade-offs, it looks like. 

My guess would be that given that we were on a Microsoft network in Atlanta, that something was configured specifically for the browser, IE9.  Still, "kudos" to Microsoft for making their browser a great deal better over time. 

I still maintain that Bing makes for an awful verb. 
Professional Tip of the Day: Now go Bing yourself.
 
 
I am in Texas again.   Here are the results:
[Picture: Google Chrome]
[Picture: IE9]

'Nuff said.

As for location, I am currently in Arlington, the sweaty and slow armpit of internet connectivity.  I only have to sit on a different side of a couch before my phone begins roaming.  And well, the router was $15 at a garage sale...and it's AT&T service (can someone say *blegh!*?).

I also noticed that IE9 had to draw from a different server, which I find interesting. 

Anyhow, g'day!
 
 
Now that I've had a chance to recover from travel, show off new swag, and catch up on the latest Doomsday news that unfortunately needlessly spams our Internet, I shall give a bit of a commentary on my past week in Atlanta, GA.  It has to be brief as the time where I go to the In-N-Out Burger that just opened in Frisco is fast-arriving (heck yeah!). 

I really liked the TechEd Conference.  It was a lot of fun.  A few of my initial impressions were a bit wrong. For instance, due to the three buildings it spanned throughout, it was often more of a track meet than a conference - but it was a very educational track meet.  I did not go to as many seminars as I had originally wanted to, but feel that I gained more from talking with some of the attendees and fellow staff members anyway.  I went to see the Keynote speaker who spoke for nearly two hours about the Cloud, and a couple of the security-related ones such as the Wireshark course, WiFi, and "Defense Against the Dark Arts" courses.  I found most of these informative, but I feel that I should have gauged the courses better to gain more, but that's for next year.  I learned a lot not only about the security of my technical network, but of my personal network.  By that, I mean to say, how to network with people.  I made new friends, found out about different types of businesses (I never would have actually thought that a third party business would make another's application run more efficiently.  Isn't this what the programmers themselves were supposed to do?).  I also learned a lot about techniques in my own job search.  I learned that I was smarter than I thought I was.  Out of it, I got a plan for at least the next five years of my life, which is not something many other college graduates can say they have.  This is priceless!  

I certainly will not leave this blog alone any time soon (though am considering a host change).    There will, however, be a few weeks where updates will be scarce as I finish my last class for my Bachelor's Degree (*happy dance and hallelujah chorus ensues*).  In the next couple of days, I hope to have some pictures up.

Meanwhile, cheers! 
Angel Fox

P.S: Just in case Pastor Crackpot is right and the Rapture really does happen tonight: So long, and thanks for all the fish!
 
 
This session discussed the basics of capturing and analyzing network packets using Wireshark.  

First they briefly discussed potential legal issues.  For instance, one should be aware of the local and national laws concerning computer technology and cyber security.  One must have permission to capture and review traffic for purposes of troubleshooting, optimization, security, and application analysis.  I do believe that has to be permission in writing too...

One must know their chain of custody and create SHA1, RIPEMD160, or MD5 hashes of any trace files one plans on using as evidence, using capinfos, the command-line utility that ships with Wireshark.

I also learned that most bot-infected hosts and their Command and Control (C&C) servers can be detected by capturing and analyzing DNS responses.

One of the key points to note: to know whether or not your server is being attacked, you first have to know how your servers normally behave.  

Another point discussed was the responses of host-based firewalls.  Many of them simply send back an ICMP response when they detect an invalid host attempting to access them.  However, a host-based firewall should NEVER actually send anything back; it should just drop the connection if it is suspicious.  In other words, do not violate the #1 rule of the internet - do not feed the trolls.

Also, ARP does not get past routers for a lack of an IP header - no identification, no access.

Some Active Discovery Processes were discussed here:
  • ARP Scan - local only; can find << hidden >> hosts
  • Ping scan - ICMP type 8/0
  • ACK Scan - TCP ACK - check firewall rules
  • FIN Scan - FIN - illogical TCP frame
  • Xmas Scan - FIN PUSH URG
  • Null Scan - No flags set
  • Maimon Scan - FIN/ACK
  • Idle Scan - Uses zombie; watches IP ID value
  • TCP Port Scan - stealth or full
  • UDP Port Scan - listening for ICMP responses
  • OS Fingerprinting Scan - TCP, UDP, ICMP Probes


Remember, the difference between reconnaissance and a breach is what they are used for.
Here are some of the signatures of suspicious traffic:
  • Unusual ports in use
  • Unusual protocols in use
  • High TCP "data" rate/Undissected traffic
  • Unusual conversation pairs
  • Unusual endpoints
  • High number of application failures/error responses
  • Higher-than-normal traffic rates
  • Higher-than-normal conversations per user
  • Traffic to/from illegal MAC or IP address

I also learned that a dark MAC address or dark IP address is a bogus address, and that a packet sent to it is treated like a broadcast.  Consequently, the router simply keeps flooding the network in search of a machine that matches the MAC and/or IP address, but of course, never finds it.

I also learned how to create Coloring Rules.  Essentially, you tell it to find certain packets that meet a certain condition.  If it does, then you will notice it highlighted as the color you assign to that. One suggestion is to assign your largest threats the color(s) that is/are most aggravating and/or certain to catch your attention.

And finally, I leave you with two pieces of advice:  
1) Try to stay away from using "!=" in your display filter.  Instead, negate the equality test: "!(<condition> == <compared condition>)".  For instance, instead of:

    if(x!=y),

use

    if(!(x==y)).

2) When you look at your trace files, the payload will show up as a run of characters.  Just know that the letter combination "MZ" should be treated as an executable file, because it is (it is the signature at the start of a DOS/Windows executable header).  Be very careful with this, however.
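Why the first piece of advice matters, as an added example that is not from the original post: Wireshark evaluates a comparison on a field that occurs more than once in a packet (ip.addr covers both ip.src and ip.dst) as "true if ANY occurrence matches", so "ip.addr != X" still matches most of the traffic involving X. The packets below are constructed, and the evaluator mimics the classic Wireshark semantics of that era (Wireshark 4.0 later changed "!=" to mean "all not equal").

```python
# Added example (not from the original post): classic Wireshark display-filter
# semantics for a multi-valued field, showing why `ip.addr != X` is a trap and
# `!(ip.addr == X)` is what you usually mean.  Packets are constructed samples.

# Constructed sample capture: one dict per packet, only the fields we need.
PACKETS = [
    {"ip.src": "10.0.0.5",    "ip.dst": "192.168.1.1"},
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.5"},
    {"ip.src": "10.0.0.7",    "ip.dst": "8.8.8.8"},
    {"ip.src": "10.0.0.5",    "ip.dst": "10.0.0.5"},  # both ends equal
]


def field_values(pkt, name):
    """Return every occurrence of a display-filter field in a packet.
    ip.addr is a convenience field that expands to ip.src and ip.dst."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    return [pkt[name]]


def match_any(pkt, name, op, value):
    """`field op value` as classic Wireshark evaluates it:
    true if ANY occurrence of the field satisfies the comparison."""
    vals = field_values(pkt, name)
    if op == "==":
        return any(v == value for v in vals)
    if op == "!=":
        return any(v != value for v in vals)  # the trap: one differing end is enough
    raise ValueError("unsupported operator: " + op)


def filter_not_equal(packets, host):
    """`ip.addr != host`: keeps every packet where at least one end is not host."""
    return [p for p in packets if match_any(p, "ip.addr", "!=", host)]


def filter_negated_equal(packets, host):
    """`!(ip.addr == host)`: keeps only packets where host appears at neither end."""
    return [p for p in packets if not match_any(p, "ip.addr", "==", host)]


if __name__ == "__main__":
    host = "10.0.0.5"
    print("ip.addr != host  ->", len(filter_not_equal(PACKETS, host)), "packets")
    print("!(ip.addr == host) ->", len(filter_negated_equal(PACKETS, host)), "packets")
```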

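For the second piece of advice, an added example (not from the original post) that goes a step beyond the text: rather than flagging every "MZ" in a payload, it also checks the 4-byte offset at byte 0x3C of the DOS header (e_lfanew) and requires it to point at the "PE\0\0" signature, which filters out the letters "MZ" simply appearing in text. The payload bytes are constructed, not taken from a real capture.

```python
# Added example (not from the original post): find Windows executables inside
# captured payload bytes.  "MZ" is only a hint; a PE file also stores, at offset
# 0x3C of its DOS header, the little-endian offset of the "PE\0\0" signature.
import struct


def find_pe_headers(data: bytes):
    """Return every offset in `data` where an MZ header leads to a valid PE signature."""
    hits = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0:
            break
        start = i + 1
        if i + 0x40 > len(data):          # not even a full DOS header left
            continue
        e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
        pe = i + e_lfanew
        # e_lfanew must lie past the DOS header and the signature must be in range
        if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
            hits.append(i)
    return hits


def constructed_payload() -> bytes:
    """Constructed sample: an HTTP-looking prefix, a decoy 'MZ' inside plain text,
    then a minimal DOS header whose e_lfanew points at a PE signature."""
    text = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    decoy = b"MZ is a nickname, not a header. "
    stub = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header, zero-filled
    struct.pack_into("<I", stub, 0x3C, 0x40)     # e_lfanew -> right after the header
    stub += b"PE\0\0" + b"\0" * 20               # PE signature + dummy COFF header
    return text + decoy + bytes(stub)


if __name__ == "__main__":
    payload = constructed_payload()
    print("executable header offsets:", find_pe_headers(payload))
```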
More to come later today!
 
 
With 10,000 attendees from 84 countries and 800 Microsoft participants, Microsoft TechEd 2011 is hosting 551 unique sessions and 250 hands-on labs (among other things).  As of a bit after 3:00pm, here is my summary of the day:

We (the bloggers and Imagine Cup team) walked in right before the sounds of The Glitch Mob played masterfully as our pre-show entertainment.  Our Imagine Cup team stood up to the sound of applause shortly after talking about their successful project which involved portable medical imaging/ultrasounds in order to give much less expensive access to diagnostic health care for people who are unable to afford it.

Robert Wahbe, CVP Server and Tools was our keynote speaker who talked about many applications of both Public and Private Cloud that included extending existing applications, dealing with large data sets and data warehousing, reaching larger capability of high performance computing, better opportunities for promotion of events and content distribution, and better using the Cloud for marketing campaigns and gaming web sites.

Several demos were put on that I found quite interesting.  
Joey Snow demonstrated a few Cloud services such as requesting Private Cloud capacity, deploying from the System Center via a New VMM Service Deployment, and Public Cloud deployment.
Amir demonstrated one of the ways that the Cloud can be used as a Business Intelligence System by using PowerPivot to create full spreadsheet, database, and graphic functionality.  For those nay-sayers who believe the Cloud is not capable of good speed - think again.  In the time that it takes to blink your eyes, he performed a query on a database consisting of 2 billion records, retrieving a bit more than a million of said records matching his query.
Augusto Valdez demonstrated Cloud-Based Productivity via Windows Phone 7 and its ability to sync with its PC-based software via the Cloud.  He showed us how to sync with Outlook as well as Lync via Lync Mobile.  Finally, he showed us the e-mail security capabilities that one can use on Windows Phone 7.
Edwin Yuen presented what was perhaps my favorite demo - the Worldwide Telescope using the X-Box Kinect.  He was able to show us a literal real-time view of events and objects such as the greatest solar eclipse that will ever happen in our lifetimes in 2014 as well as the entirety of the known universe.
Cameron Skinner discussed managing the life cycle of applications using the example of utilizing the Cloud for communication between the Operations side of IT (Infrastructure) and Developers to meet the needs of the customer, understand the requirements, and agree on the priorities of the application.
There was one more demonstration of making an application to address how a call center assigns tickets to technicians.

After wandering about the Convention Center for a while (this is a HUGE place with SO much to do!  You really should be here!), I went to a session on "Wiretapping."  It is a basic how-to session on using Wireshark to capture and analyze traffic.  This is discussed in the next entry if you're interested...