Thoughts of an Angel
 
Now that I've had a chance to recover from travel, show off new swag, and catch up on the latest Doomsday news that unfortunately needlessly spams our Internet, I shall give a bit of a commentary on my past week in Atlanta, GA.  It has to be brief as the time where I go to the In-N-Out Burger that just opened in Frisco is fast-arriving (heck yeah!). 

I really liked the TechEd Conference.  It was a lot of fun.  A few of my initial impressions were a bit wrong. For instance, due to the three buildings it spanned throughout, it was often more of a track meet than a conference - but it was a very educational track meet.  I did not go to as many seminars as I had originally wanted to, but feel that I gained more from talking with some of the attendees and fellow staff members anyway.  I went to see the Keynote speaker who spoke for nearly two hours about the Cloud, and a couple of the security-related ones such as the Wireshark course, WiFi, and "Defense Against the Dark Arts" courses.  I found most of these informative, but I feel that I should have gauged the courses better to gain more, but that's for next year.  I learned a lot not only about the security of my technical network, but of my personal network.  By that, I mean to say, how to network with people.  I made new friends, found out about different types of businesses (I never would have actually thought that a third party business would make another's application run more efficiently.  Isn't this what the programmers themselves were supposed to do?).  I also learned a lot about techniques in my own job search.  I learned that I was smarter than I thought I was.  Out of it, I got a plan for at least the next five years of my life, which is not something many other college graduates can say they have.  This is priceless!  

I certainly will not leave this blog alone any time soon (though I am considering a host change).  There will, however, be a few weeks where updates will be scarce as I finish my last class for my Bachelor's Degree (*happy dance and hallelujah chorus ensues*).  In the next couple of days, I hope to have some pictures up.

Meanwhile, cheers! 
Angel Fox

P.S: Just in case Pastor Crackpot is right and the Rapture really does happen
tonight: So long, and thanks for all the fish!
 
 

Normally, I avoid "technical women's" events like the plague.  Most of them discuss either how to be a man or how to find other women and seclude themselves from the evil, gross, stinky, sex-ridden, and sometimes creepy men in their workplace (or so the impression seems to be).  So far, however, most of my experiences with working with men in IT and Sound Engineering (my first love) have been positive.  Then again, I'm a bit of a tomboy at heart.  I make friends easier with guys than most women - no drama, no super loud high-pitch squealing and/or screaming in excitement, they get right to the point when they speak (perfect for my attention span...or lack thereof), and being logically wired, most of what they say makes sense.  Men are just mentally wired differently from women.  And frankly, I feel that most women take on a sort of "victimized" mentality in the technical workplace by just automatically assuming that life is out to get them because they were born a woman.  Albeit, it is not easy sometimes.  It's even a little overwhelming at times when your thought process is not lined up with the rest of your team (i.e. left-brainers vs. right-brainers, process-oriented vs. detail-oriented).  It's really not that bad though.

Needless to say, this women's luncheon was quite good (as was the food, though I'm pretty sure my table was served last).  I enjoyed the panelists who were speaking.  They gave good advice to those of us who had questions about working in the industry, from how to deal with male family members who are not supportive to how to get the men at work to take us seriously.  There was one question that I had that never got answered however, one of etiquette: I've never had so much trouble working with men as I have dealing with their significant others.  For instance, when I started working at the Help Desk, my manager's wife (who is also IT, but different department) gave me the evil eye for the first several weeks.  It seems that after I became engaged, she's a great deal more friendly to me now.  I've come across this before in the workplace.  I can't help it - I'm just naturally friendly.  It seems that the best antidote is communication.  While there are still some women who are just naturally jealous, it usually at least helps to try to talk to the girl more than the guy while in the presence of both of them.  I know I'm not alone though.  When I told all the ladies at my table about this, they all were like, "Hey, that's my problem too!  I thought I was the only one who dealt with that!"  I'm glad to know I'm not the only one with that problem.

If you're a guy, how do you suggest you deal with this?  If you're a girl, how do you deal with this? I'm interested in contrasting opinions. 

'Til next time.
Angela


 
 
This session discussed the basics of capturing and analyzing network packets using Wireshark.  

First they briefly discussed potential legal issues.  For instance, one should be aware of the local and national laws concerning computer technology and cyber security.  One must have permission to capture and review traffic for purposes of troubleshooting, optimization, security, and application analysis.  I do believe that has to be permission in writing too...

One must know their chain of custody and create SHA1, RIPEMD160, or MD5 hashes of any trace files one plans to use as evidence, using capinfos (Wireshark's command-line trace-file tool).

I also learned that most bot-infected hosts and their Command and Control (C and C) servers can be detected by capturing and analyzing DNS responses.

One key point: to know whether or not your server is being attacked, you first have to know how your servers normally behave.

Another point discussed was the responses of host-based firewalls.  Many of them simply come back with an ICMP response when they detect an invalid host attempting to access them.  However, a host-based firewall should NEVER actually send anything back; it should just drop the connection if it is suspicious.  In other words, do not violate the #1 rule of the internet: do not feed the trolls.

Also, ARP does not get past routers, for lack of an IP header: no identification, no access.

Some Active Discovery Processes were discussed here:
  • ARP Scan - local only; can find "hidden" hosts
  • Ping scan - ICMP type 8/0
  • ACK Scan - TCP ACK - checks firewall rules
  • FIN Scan - FIN only - an illogical TCP frame
  • Xmas Scan - FIN PUSH URG
  • Null Scan - no flags set
  • Maimon Scan - FIN/ACK
  • Idle Scan - uses a zombie host; watches the IP ID value
  • TCP Port Scan - stealth or full
  • UDP Port Scan - listens for ICMP responses
  • OS Fingerprinting Scan - TCP, UDP, ICMP probes


Remember, the difference between reconnaissance and a breach is what the results are used for.
Here are some traffic signatures to watch for:
  • Unusual ports in use
  • Unusual protocols in use
  • High TCP "data" rate / undissected traffic
  • Unusual conversation pairs
  • Unusual endpoints
  • High number of application failures / error responses
  • Higher-than-normal traffic rates
  • Higher-than-normal conversations per user
  • Traffic to/from an illegal MAC or IP address
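The scan list and the signature list above both come down to looking at TCP flag combinations and at how many distinct ports one source touches, which is exactly what a capture tool does for you. As an added example (not code from the post or from Wireshark), here is a small stdlib-only Python script that builds a constructed pcap file, parses it back, and labels the flag combinations named in the notes (null, Xmas, FIN, Maimon, ACK). The addresses, ports and the pcap layout are assumptions made for the sample; the libpcap file format and the TCP flag bit values are standard.

```python
import struct
from collections import Counter, defaultdict

# TCP flag bits (RFC 793 order, low to high).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag combinations named in the session notes. A SYN-only packet is
# left out on purpose: every normal connection starts with one, so on its own
# it tells you nothing (see "ports_probed" below for that case).
SCAN_SIGNATURES = {
    0: "null scan",
    FIN | PSH | URG: "xmas scan",
    FIN: "fin scan",
    FIN | ACK: "maimon scan",
    ACK: "ack scan",
}


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with zeroed MACs and checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xA1B2C3D4, linktype 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


def iter_frames(pcap):
    """Yield each captured frame from a classic pcap file (either byte order)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    order = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "IIII", pcap, offset)[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]   # byte 13 of the TCP header holds the flags


def analyze(pcap):
    """Count scan-style flag combinations and distinct (host, port) pairs per source."""
    scan_flags = Counter()
    ports = defaultdict(set)
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        ports[src].add((dst, dport))
        name = SCAN_SIGNATURES.get(flags)
        if name:
            scan_flags[(src, name)] += 1
    return {"scan_flags": dict(scan_flags),
            "ports_probed": {s: len(p) for s, p in ports.items()}}


# Constructed sample: 10.0.0.99 walks five ports on 10.0.0.5 with the flag
# combinations from the notes; 10.0.0.7 does an ordinary handshake to port 80.
SCANNER, VICTIM, CLIENT = "10.0.0.99", "10.0.0.5", "10.0.0.7"
SAMPLE_PCAP = build_pcap([
    build_frame(SCANNER, VICTIM, 40001, 22, 0),
    build_frame(SCANNER, VICTIM, 40002, 23, FIN | PSH | URG),
    build_frame(SCANNER, VICTIM, 40003, 25, FIN),
    build_frame(SCANNER, VICTIM, 40004, 80, FIN | ACK),
    build_frame(SCANNER, VICTIM, 40005, 443, ACK),
    build_frame(CLIENT, VICTIM, 51000, 80, SYN),
    build_frame(VICTIM, CLIENT, 80, 51000, SYN | ACK),
    build_frame(CLIENT, VICTIM, 51000, 80, ACK),        # handshake ACK, not a scan
    build_frame(CLIENT, VICTIM, 51000, 80, PSH | ACK),
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PCAP).items():
        print(key, value)
```

Note that the legitimate client's third handshake packet is a bare ACK and so gets the "ack scan" label too; a pure ACK is normal inside an established session. That is the "know your baseline" point from the session: the flag combination alone is not the alert, the combination plus one source touching many ports (the `ports_probed` figure, 5 for the scanner versus 1 for the client) is.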

I also learned that a dark MAC address or dark IP address is a bogus address packet treated as a broadcast.  Consequently, the router simply keeps flooding the network in search of a machine that matches the MAC and/or IP address, but of course, never finds it.

I also learned how to create Coloring Rules.  Essentially, you tell it to find certain packets that meet a certain condition.  If it does, then you will notice it highlighted as the color you assign to that. One suggestion is to assign your largest threats the color(s) that is/are most aggravating and/or certain to catch your attention.

And finally, I leave you with two pieces of advice:
1) Try to stay away from using "!=" in your filter.  Instead, opt for "!(<condition> == <compared condition>)".  For instance, instead of:
if(x!=y),

use

if(!(x==y)).

2) When you look at the bytes of your trace files, they will come up as runs of characters.  Just know that the letter combination "MZ" at the start of a payload should be treated as an executable file, because it is.  Be very careful with this, however.
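The reason behind advice 1) is that some display-filter fields occur more than once in a packet: ip.addr stands for both the source and the destination address, and in the Wireshark releases of that time a comparison on such a field was true if it held for any occurrence, so "ip.addr != A" kept nearly every packet while "!(ip.addr == A)" removed all traffic to or from A. As an added example (not from the post or from Wireshark itself), here is a small Python evaluator for that subset of filter syntax run over three constructed packet records; the packet data and the field names it understands are assumptions, and it implements the classic "any occurrence" rule (Wireshark 3.6 and later changed the meaning of "!=" to "all occurrences differ", so check the version you are on).

```python
import re

# Constructed packet records holding only the fields the filters refer to.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9"},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5"},
    {"no": 3, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.8"},
]


def field_values(packet, field):
    """ip.addr stands for both addresses, so it has two values in every packet."""
    if field == "ip.addr":
        return [packet["ip.src"], packet["ip.dst"]]
    return [packet[field]]


def compile_filter(expr):
    """Turn `field == value`, `field != value` or `!(field == value)` into a predicate.

    A comparison on a multi-valued field follows the classic Wireshark rule:
    it is true if it holds for ANY occurrence of the field in the packet.
    """
    expr = expr.strip()
    negate = False
    if expr.startswith("!(") and expr.endswith(")"):
        negate, expr = True, expr[2:-1].strip()
    match = re.fullmatch(r"([\w.]+)\s*(==|!=)\s*(\S+)", expr)
    if match is None:
        raise ValueError(f"unsupported filter: {expr!r}")
    field, op, value = match.groups()

    def predicate(packet):
        values = field_values(packet, field)
        if op == "==":
            hit = any(v == value for v in values)
        else:  # "!=" means "some occurrence differs", which is rarely what you want
            hit = any(v != value for v in values)
        return not hit if negate else hit

    return predicate


def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers the filter keeps."""
    keep = compile_filter(expr)
    return [p["no"] for p in packets if keep(p)]


if __name__ == "__main__":
    for expr in ("ip.addr == 10.0.0.5", "ip.addr != 10.0.0.5",
                 "!(ip.addr == 10.0.0.5)", "ip.src != 10.0.0.5"):
        print(f"{expr:24} -> {apply_filter(expr)}")
```

On the sample records, "ip.addr != 10.0.0.5" keeps packets 1, 2 and 3 (each has at least one address that is not 10.0.0.5), while "!(ip.addr == 10.0.0.5)" keeps only packet 3. On a single-valued field such as ip.src the two forms agree, which is why the problem is easy to miss until you filter on ip.addr, tcp.port or another field that appears twice per packet.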

More to come later today!
 
 
With 10,000 attendees from 84 countries and 800 Microsoft participants, Microsoft TechEd 2011 is hosting 551 unique sessions and 250 hands-on labs (among other things).  As of a bit after 3:00pm, here is my summary of the day:

We (the bloggers and Imagine Cup team) walked in right before the sounds of The Glitch Mob played masterfully as our pre-show entertainment.  Our Imagine Cup team stood up to the sound of applause shortly after talking about their successful project which involved portable medical imaging/ultrasounds in order to give much less expensive access to diagnostic health care for people who are unable to afford it.

Robert Wahbe, CVP Server and Tools was our keynote speaker who talked about many applications of both Public and Private Cloud that included extending existing applications, dealing with large data sets and data warehousing, reaching larger capability of high performance computing, better opportunities for promotion of events and content distribution, and better using the Cloud for marketing campaigns and gaming web sites.

Several demos were put on that I found quite interesting.  
Joey Snow demonstrated a few Cloud services such as requesting Private Cloud capacity, deploying from the System Center via a New VMM Service Deployment, and Public Cloud deployment.
Amir demonstrated one of the ways that the Cloud can be used as a Business Intelligence System by using PowerPivot to create full spreadsheet, database, and graphic functionality.  For those nay-sayers who believe the Cloud is not capable of good speed - think again.  In the time that it takes to blink your eyes, he performed a query on a database consisting of 2 billion records, retrieving a bit more than a million of said records matching his query.
Augusto Valdez demonstrated Cloud-Based Productivity via Windows Phone 7 and its ability to sync with its PC-based software via the Cloud.  He showed us how to sync with Outlook as well as Lync via Lync Mobile.  Finally, he showed us the e-mail security capabilities that one can use on Windows Phone 7.
Edwin Yuen presented what was perhaps my favorite demo - the Worldwide Telescope using the Xbox Kinect.  He was able to show us a literal real-time view of events and objects such as the greatest solar eclipse that will ever happen in our lifetimes in 2014 as well as the entirety of the known universe.
Cameron Skinner discussed managing the life cycle of applications using the example of utilizing the Cloud for communication between the Operations side of IT (Infrastructure) and Developers to meet the needs of the customer, understand the requirements, and agree on the priorities of the application.
There was one more demonstration of making an application to address how a call center assigns tickets to technicians.

After wandering about the Convention Center for a while (this is a HUGE place with SO much to do!  You really should be here!), I went to a session on "Wiretapping."  It is a basic how-to session on using Wireshark to capture and analyze traffic.  This is discussed in the next entry if you're interested...