Hot Topics:


Separate Network for iSCSI Traffic

From: Stephen Haywood 
Since I'm actually participating in the Chugalug discussion today, I
thought I'd throw this out there. I'm doing a pentest right now and the
client has an iSCSI server with no auth on the internal user network. My
test box is also on the internal user network. I was able to mount the
iSCSI LUN on my Linux box.

After accessing the LUN I realized it was holding VMware VMs for their ESXi
server. I was able to download the Domain Controller VM to my box mount the
vmdk files and pull out the ntds.dit and SYSTEM files. From there I was
able to extract the Domain hashes.

Moral of the story: iSCSI should be on a PHYSICALLY separate network for
security and performance reasons. If you have no choice but to have your
iSCSI on the same network, then use authentication.

Stephen Haywood
Owner, ASG Consulting

ICS Security Summit 2016

From: Know Juan 
Any of you guys(/gals?) planning on going to this?

Linode Password Reset

From: Dave Brockman 
Hash: SHA1

I know a couple of you on list have Linodes, I haven't received my email
notification as of yet, but this came across my screen...


Version: GnuPG v2


Upstart Help

From: asg 
I=E2=80=99m working through this tutorial, =
ations-with-uwsgi-and-nginx-on-ubuntu-14-04,  and I=E2=80=99m stuck on =
the Create an Upstart Script section. I=E2=80=99ve written the script =
but when I try to sudo start zkm, I get a generic Job Failed to Start =
message. I=E2=80=99ve looked in /var/log/upstart but there is not a log =
file for my service. I=E2=80=99ve added console output to the .conf file =
but it still only displays the generic message. I=E2=80=99ve also =
checked the .conf file syntax with init-checkconf and the syntax is ok. =
Are there any other log files to check or any other methods to find out =
what is causing the service to fail to start?

Here is the .conf file I=E2=80=99m working with.

description "uWSGI server instance configured to serve zkm."
console output

start on runlevel [2345]
stop on runlevel [!2345]

setuid www-data
setgid www-data

env PATH=3D/var/www/zkm
chdir /var/www/zkm
exec uwsgi --ini zkm.ini


Stephen Haywood
Owner: ASG Consulting

Mozilla foundation thinking kicking thunderbird to the curb.

From: Rod-Lists 

I like this post on slash about. Some think Mozilla trying to kill XUL in favor of HTML5 tech.
Others seem to think that Microsoft and Google funding them that those two mail providers may have something to do with it.
Mozilla, I have actually donated to you in the past, but I have to admit my faith and continued donations are really starting to waiver lately.

Don't get me wrong; its not because of the Australis and UI changes that many people complain about. I actually enjoy those changes, the cross-platform consistency it brought. That's not the issue.

The issue to me is that I feel like you're slowly abandoning your principles:

Incorporation of 3rd party proprietary services such as Pocket and Hello (the calling through Telefonica) seem to give up on principles of open source and control of data
Including ads in my new tab window is annoying, and possibly a privacy/security risk depending on where those ads are sourced from (they're not hosted on mozilla servers I'd guess; so do you trust the servers you're pulling from?).
Support of the DRM plugins/codecs for video. I know the argument was that you didn't really want to do it but were forced to, but how about principles? What can we do as a movement to try to push for open codecs again? I haven't received email updates on what you're doing to support that.
Now, giving up on Thunderbird, which is not just well known and liked, but I think its key selling point is ENCRYPTED PRIVATE email. By necessity, you can't do crypto (encrypted and signed emails) unless its in a mail client. If you want to send a webclient your private key, you're missing the point.
If you need money, tell us how it is. Lay out your plan for the next 3 years (a very specific vision!), estimate a figure of money, and maybe we can crowdsource it to happen. I think people are less likely to donate if they can't get clarity into what the money is used for (I know I'm that way).

I think that plan/vision needs to say more specifics like: we're campaigning against all kinds of ads, especially ones that track you and hurt your privacy; we're abandoning 3rd party proprietary things built in to our browser; we're re-focusing on our needs on your security and privacy. We're going to have the most secure browser on the planet, implementing the following list of protocols and standards, we're researching some new protocols and standards and working with the community on them. We're going 64 bit on Windows to take full advantage of performance and security extensions in modern OSes. We're going to make crypto more easy and transparent, both TLS in the browser, but especially we're going to refocus our efforts on Thunderbird and making your email safe with built in idiot-proof PGP encryption and signing. We're also going to work with web vendors to start implementing their own encryption, meaning when you get a notice from your bank, we expect it to be signed by your bank's encryption key and it all happens automagically to keep you safe.

If I don't start seeing more concrete things like this working for the betterment of the internet and my security and privacy on the internet, then my donation dollars will start looking for other projects. I want to know you're working for me, and not using me only to generate money.

Headless VM Server

From: asg 
I=E2=80=99m building a new VM server and want to try to use Ubuntu and =
KVM. Can anyone recommend a good web-based KVM manager?


Stephen Haywood
Owner: ASG Consulting

EPB Gigabit

From: asg 
Yesterday, I upgraded my EPB account to 1Gbps instead of 100Mbps. EPB =
made the changes on their end and said they wouldn=E2=80=99t take effect =
until midnight. This morning I=E2=80=99m still running at 100Mbps. The =
tech person at EPB says the equipment is provisioned properly but that =
it is auto negotiating a 100M link with my router. I have a Ubiquiti =
EdgeRouter Lite so I know it is capable of 1Gbps. I plugged my laptop =
directly into the EPB jack in my house and the laptop negotiated a 100M =
connection as well. When I plug my laptop into my gigabit switch, it =
negotiates a 1Gbps connection. Any other things I should try before =
calling EPB back?

Stephen Haywood
Owner: ASG Consulting

Ubiquiti Networks and their gear

From: "Alex Smith (K4RNT)" 
Hello guys,

I'm doing some consulting for a friend who is moving into a trailer on
their parents property, and I would like to suggest a wi-fi bridge using
Ubiquiti products.

Any suggestions on what I should look at from their product line for a
point-to-point bridge? No special security is required, I'm just looking at
the hardware and CPE.

So far I'm looking at the Rocket M, the NanoBeam M and the LiteBeam M5.

I haven't asked the distance from the house the trailer will be, but I'm
assuming it's less than 500 meters, too long for an Ethernet trunk and a
fiber link will probably be out of the question, since that would involve
digging a conduit.

Thanks in advance for the advice.

" 'With the first link, the chain is forged. The first speech censured, the
first thought forbidden, the first freedom denied, chains us all
irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and
warning... The first time any man's freedom is trodden on, we=E2=80=99re al=
damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG
episode "The Drumhead"
- Alex Smith
- Kent, Washington (metropolitan Seattle area)

Chattanooga ISSA After Hours Event

From: Christopher Rimondi 

Our Chattanooga ISSA chapter will be having an after hours event on Tuesday
October 20th. For all those interested in attending here is link:



Chris Rimondi | |

Let's Encrypt

From: Michael Scholten 
Anyone see look at this yet? A free and open CA.

Just heard about them on Steve Gibson's Security Now podcast...

Nexus Device

From: asg 

  I am taking an Android exploit development class next week and I am =
trying to get my hands on a  cheap Nexus device. Anyone got one they are =
willing to let go for cheap or willing to let me borrow and abuse for a =
week or two?

Stephen Haywood
Owner: ASG Consulting

iPhone 5s For Sale

From: asg 

  I have a 16GB, Space Gray, iPhone 5s with a cracked screen for sale. =
If any of you are interested, let me know.

Stephen Haywood
Owner: ASG Consulting

I'm a Broken Recording (and I need a switch)

From: David White 
I'm always on the lookout for some cheap, used switches.

Dumb is fine.

We're putting in some IP-based security cameras an NAS that will primarily
be used as an NVR at my church here in East Lake.

1GBps would be preferable, but we can make do with 10/100.

Does anyone have anything they'd be willing to donate or let go for cheap?

I'm also on the lookout for these types of switches that I can keep on hand
for my own business needs....


David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Organizations Worldwide

In GOP Debate Cybersecurity the new National Security

From: Rod-Lists 
I'm only moderately monitoring politics at the moment. I'm by my standards, strangely politically disengaged at the moment.
But I saw this short blurb on Cybersecurity @ the GOP debates.

Debian MySQL Preseed question

From: asg 
I=E2=80=99m working with a script that installs MySQL on Debian with =
preseeded responses to the questions. One of the preseeded responses is:

mysql-server-5.5 mysql-server-5.5/really

OT: Graphics Design Jobs

From: asg 
I=E2=80=99ve got a friend who is going to school for graphics design =
work. He=E2=80=99s still got a couple of years of school left and is =
looking for full-time work while he finishes school. He=E2=80=99s =
willing to do anything but I=E2=80=99d like to help him find something =
design related. Internet searches are proving fruitless. Any of you =
folks know of companies in town that may be looking for someone trying =
to break into the graphics design business?

Stephen Haywood
Owner: ASG Consulting

Too Quiet

From: asg 
Haven=E2=80=99t seen much come across the list the last couple of days. =
I guess everyone is up to no good?

Stephen Haywood
Owner: ASG Consulting

Evidence links China to Github attack

From: Rod-Lists 

Four separate security researchers have said that international web traffic to sites that use analytics tools provided by search firm Baidu was being hijacked in China.
According to analysis published by Erik Hjelmvik of the firm Netresec, when browsers requested script from the Chinese firm's servers, as they normally would, malicious code was inserted into the reply.
"The upshot is that people from around the world... had their traffic redirected to swamp GitHub," Prof Alan Woodward of the University of Surrey told the BBC after verifying the research.

NTP's Fate Hinges On 'Father Time'

From: Rod-Lists 
In April, one of the open source code movement's first and biggest success stories, the Network Time Protocol, will reach a decision point. At 30 years old, will NTP continue as the preeminent time synchronization system for Macs, Windows, and Linux computers and most servers on networks?

Or will this protocol go into a decline marked by drastically slowed development, fewer bug fixes, and greater security risks for the computers that use it? The question hinges to a surprising degree on the personal finances of a 59-year-old technologist in Talent, Ore., named Harlan Stenn.

Anyone else get hit by the recent Panda update?

From: Rod-Lists 
A local business which got rid of most of its Macs just got bit by the recent Panda Security update.
Started to quarantine some important .dll's on windows machines.
Apparently it flagged itself as well.