How to get a standing ovation

In HP Enterprise Security Products conferences, there are many presentations made by System Engineers, Customers, Product Development types.  Sridhar Karnam gave some excellent advice on how to get a standing ovation for your presentation.  I’ve saved his posting here:

In many surveys conducted, people have chosen to jump off a building rather than face the crowd for public speaking. As I am typing this sitting in my cube and not facing people, trust me with these tips: you WILL get a standing ovation at HP Protect or HP Discover events, whether you are delivering breakout sessions or technical talks such as turbo talks.

My top 10 tips that will help you get the standing ovation:

  1. Number of slides: Divide the number of minutes by 2 and that is the number of slides you need to prepare. For instance, a 45 min breakout session would need a maximum of 22 slides and a 25-minute turbo talk would need a maximum of 12 slides
  2. Structure your story/ not content: Do not worry about adding too much content on the slides. You deliver the content. Use PPT only as a pointer, not as a newspaper. Think of your presentation as driving a car and PPT as a GPS device. Use it to navigate, but you will drive the car to your destination
  3. Images/ graphics: Text is meant to be heard, and visuals are meant to be seen. People usually read faster than you speak if it is on the slides. So, use PPT to put up bullets and images, but keep the text in the notes section so that you can still refer to notes when you need to
  4. Entertain and storytelling: Even if you are presenting the advanced deep dive technical topic, make sure to entertain your audience with examples, use cases, results, and benefits. Always have a story. People can read story later, but they are in your room to listen to your side of the story
  5. Know your audience: Understand your audience. Start with a poll or few questions so that they know you and you know them. Ask them questions (quiz) in your presentation to make sure they are engaged and they interact with you
  6. Start with your Story: Who are you? People want to connect with you as a person before they want to hear your content. Spend a minute or two giving them your story and connect with audience personally. Tell a funny story (not a sad one). Also do not overdo it. Limit your story to 2-3 minutes max.
  7. Show & Tell: It is better to show than tell. Giving a demo in the middle of a presentation may be a lot of work. However, you can always embed 2-3 min videos in your PPT. At least create a screenshot storyboard if you don’t have video demos. A change of pace from slides to images to videos keeps your audience engaged
  8. HP brand: Stick to branding requirement. You are a brand ambassador for HP. What you say or show becomes what HP thinks or shows. Use proper logos, messages, images, color, templates, and be a brand promoter
  9. No Architecture/ marchitecture diagrams: Avoid rectangles, arrow marks and abbreviations of words to showcase marchitecture. There will always be 10-20% of the people who have no idea of what those abbreviations are.
  10. Practice: Practice until you get it right. Record, look in the mirror, screen-capture with voice recording, do whatever it takes to put your best foot forward.

Good luck and go get the standing ovation…

Malware Investigation Tools and Notes

Investigating possible malware involves both detection and identification phases. Here are some notes regarding the tools I commonly use for these two phases. Note this is intended to be a living document, so it may change as I learn of new resources or as older resources become stale or no longer very useful.

WARNING: Links shown below may lead to sites with active malware. Do not navigate to any site or link unless you know what you are doing.

Detection

Tools like HP TippingPoint IPS do a good job of detecting attacks by filtering on the vulnerability being exploited rather than on one particular exploit’s signature (so variants of an exploit are still caught), and they also use vulnerability research and lighthouse sensors across the world to confirm infected systems (by IP) and sites (by domain).

Research

Both Google and Scumware have good domain and URL status reporting data.  URL shortening services are notorious for masking domains that have become infected, although there may be a large percentage of legitimate sites to which they refer. An example is the WordPress site wp.me:

http://www.google.com/safebrowsing/diagnostic?site=wp.me

http://www.scumware.org/report/wp.me

 Broad industry trends and general knowledge of attacks, outbreaks and other relevant news can be found on various blog sites:

hp.com/go/hpsrblog


Memories of Daniel Lawrence’s 3301 Westland Drive

Most real estate agents will tell you “buyer beware” .. certainly true when purchasing property and used cars. Even the Romans knew this: “caveat emptor”. So when we arrived new to town looking for a place to rent, it’s too bad the rental market was quite hot, so there was really not much to choose from. After looking at over 50 places with our amazing realtor, we finally decided to sign a lease for 3301A Westland Dr. Now some opinions were it was the best of the worst, but we were actually quite happy to rent it at the time .. seemed like a nice enough place and we were under an immovable deadline.

Probably due to the unfortunate drainage issues at the front door area, but during the first couple of months there were quite a few spiders and other small bugs we found, I just thought that was relatively normal .. until the cockroaches started showing up. The first one was a bit of a surprise since the very attentive landlord indicated he had a pesticide treatment applied in January –  shouldn’t be due for another touch up for another six months … right? Well, at least it was dead when we found it. So when the other cockroaches started showing up alive, we started getting a bit concerned. To the landlord’s credit, he got right on the cockroach problem and was caulking any cracks or holes the buggers could be climbing in through. Easy enough since the landlord lives right next door.  Not the best if you’re a college student, but as mature adults, no problem.  No matter, we actually got quite proficient at dealing with the next four or five we found.

Hopefully the extremely loud furnace has been updated and its housing ripped out and upgraded .. even if only to get rid of the mold found under the furnace that obviously wasn’t picked up in the home inspection.  When we looked at the unit, of course the furnace/AC wasn’t running so it sounded nice and quiet .. it wasn’t until much later, lying in bed in the master bedroom, that we realized just how noisy the HVAC was.

On to the next adventure .. with the bottom seal of the master shower completely decaying, with a strong mold odor that led us to believe there may be water damage behind the wall, good lord, more mold?  Being good tenants, we agreed to remove the caulking for the landlord .. in hindsight we should have left that for him, since it appeared the mold was deeper than the surface.  Again, yuck.

We certainly found the PitStop behind the house to be very convenient to have our annual vehicle inspections done, and really didn’t think much of a car repair shop located right behind us, since they would be quiet at night when we’re home, right? Oh, yes, that’s assuming they didn’t start work at 5:30-6:00am .. including air power tools. The worst was the schedule on which the industrial trash bins are emptied .. you can set your watch to it on Tuesday and Friday at 2:45am, but I have to admit there were a few nights I was tired enough I slept through the weekly cycle.

With the landlord living right next door, it was very convenient to discuss the state of his property, which we quite enjoyed. There are advantages to having a very involved landlord .. he certainly stayed on top of what he could.

Although there was a beautiful vine growing at the front of the house, they are often quite invasive, this one being no exception .. into the gutter drains, even the eaves under the roof. Having the good fortune to have some good landscapers, they started the huge task of cleaning out the vine. So imagine the surprise when the landscapers came across a garden snake as they were finally digging out the vine. Not a poisonous little guy, so no harm, no foul!

Well, the day eventually came when we had to move out, so the caveat emptor part: beware when you move out to take pictures of the walls, hallways, etc., as the landlord did charge us for repairing nail holes in the walls … according to the Texas landlord/tenant act, damages cannot be charged for “normal wear and tear”.  Even though he did not have paint for us to use to patch and paint over larger mounting holes that had been put in the walls for mounting mirrors and such, we selected paint chips to get a good match, got the landlord’s approval of the color, bought the paint, and then he charged us for having some areas repainted.  May be an area of mutual disagreement, but just be careful, since he sets the bar pretty high.

Moving to a new place closer to downtown was nice, but we sure miss the walking distance to Red’s Porch, Kerbey Lane and Torchies.. nuf said.  We won’t complain, since we’re within walking distance to Maria’s Taco Express and Black Sheep Lodge – and with no landlord .. so it worked out even though we had to buy out our lease.

Seagate Disk Replacement and RAID1 mdadm Commands

So I’ve had to replace a Seagate disk yet again and spent a frustrating amount of time on their website looking for a link to their warranty replacement page >> http://www.seagate.com/support/warranty-and-replacements/

At least this time, I’m using Linux software RAID for a RAID1 mirroring configuration. When I determined there was a disk failure, /proc/mdstat showed the /dev/sdb members marked (F) and both mirrors running on one of two devices ([2/1] [U_]):

# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1](F)
5139084 blocks [2/1] [U_]
md1 : active raid1 sda2[0] sdb2[1](F)
9841585344 blocks [2/1] [U_]
unused devices: <none>

I used the following mdadm commands to remove the bad drive:

– Fail and remove the partitions of the bad disk (/dev/sdb1, /dev/sdb2) from their arrays; a member has to be marked faulty before mdadm will hot-remove it
# mdadm --manage /dev/md0 --fail /dev/sdb1
mdadm: set /dev/sdb1 faulty in /dev/md0
# mdadm --manage /dev/md0 --remove /dev/sdb1
mdadm: hot removed /dev/sdb1
# mdadm --manage /dev/md1 --fail /dev/sdb2
mdadm: set /dev/sdb2 faulty in /dev/md1
# mdadm --manage /dev/md1 --remove /dev/sdb2
mdadm: hot removed /dev/sdb2

– Shut down and replace the bad disk (assuming you have been able to replace it with the exact same disk, or a larger one)
– Confirm which device name the new disk came up as before touching it (lsblk, or ls -l /dev/disk/by-id/ to match the serial number on the label): the next command overwrites the partition table of whatever is on its right-hand side
– Copy the partition table from the surviving disk (this sfdisk form is for MBR tables; for GPT use sgdisk -R=/dev/sdb /dev/sda followed by sgdisk -G /dev/sdb so the copy gets fresh GUIDs)
# sfdisk -d /dev/sda | sfdisk /dev/sdb

– Re-attach the partitions from /dev/sdb to the RAID1 mirrors (if the replacement disk has been in an md array before, run mdadm --zero-superblock on /dev/sdb1 and /dev/sdb2 first so stale metadata is not picked up):
# mdadm --manage /dev/md0 --add /dev/sdb1
# mdadm --manage /dev/md1 --add /dev/sdb2

You should now see the md devices syncing up:
# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[2]
5139084 blocks [2/1] [U_]
[======>.......] recovery = 49.3% ...

Once the sync completes (the GRUB stage files under /boot have to exist on the new disk before setup (hd1) can find them), install the GRUB legacy boot code on both drives again, so the box still boots if the other disk is the next one to die:
# grub
grub> root (hd0,0)
grub> setup (hd0)
grub> root (hd1,0)
grub> setup (hd1)
On a GRUB 2 system the equivalent is grub-install /dev/sda followed by grub-install /dev/sdb.
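As an added example (not part of the original post), a small shell script that reads the /proc/mdstat layout shown above and reports which arrays are degraded and which members are flagged (F), so the partitions to --fail/--remove are taken from the kernel’s view instead of being read off by eye. The mdstat text embedded in it is constructed for the example; the array and device names are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: report degraded md arrays and the
# members flagged (F) from /proc/mdstat-style text.  The sample below is
# constructed to match the two-disk RAID1 layout discussed above.

sample_mdstat() {
cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1](F)
      5139084 blocks [2/1] [U_]
md1 : active raid1 sda2[0] sdb2[1](F)
      9841585344 blocks [2/1] [U_]
md2 : active raid1 sda3[0] sdb3[1]
      1048512 blocks [2/2] [UU]
unused devices: <none>
EOF
}

# Usage: degraded_arrays /proc/mdstat   (or any file in the same format)
# Prints one line per degraded array: "mdN degraded: <failed members>".
# An array can be degraded with no (F) member left (already hot-removed);
# say so instead of printing an empty list.
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ {
            md = $1; failed = ""
            for (i = 5; i <= NF; i++)             # member list starts at field 5
                if ($i ~ /\(F\)$/) {
                    sub(/\[.*/, "", $i)           # "sdb1[1](F)" -> "sdb1"
                    failed = failed " " $i
                }
        }
        /blocks \[[0-9]+\/[0-9]+\]/ {            # "[2/1]" = 2 configured, 1 active
            match($0, /\[[0-9]+\/[0-9]+\]/)
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            if (n[2] < n[1])
                print md " degraded:" (failed == "" ? " (failed member already removed)" : failed)
        }' "$1"
}

# Stand-alone run against the constructed sample:
tmp=$(mktemp) && sample_mdstat > "$tmp" && degraded_arrays "$tmp"; rm -f "$tmp"
```

Run it against the real file with degraded_arrays /proc/mdstat; it is also cheap enough to drop into cron and mail its output, which is the check that would have caught this failure before a second disk went.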

Great reference pages:
http://serverfault.com/questions/483141/mdadm-raid-1-grub-only-on-sda
https://blogs.it.ox.ac.uk/jamest/2011/07/26/software-raid1-plus-grub-drive-replacement/

Reputation and Success Formulas

Your reputation is built from not only what you do but also how you do it and the level of knowledge others have about what you’ve done.

Reputation = Accomplishments x Communication x Attitude

Your probability of success on any endeavor can be calculated by ranking the following elements 1-10 (1 = low, 10 = high) ..

Motivation  1-10

Belief  1-10

Effort  1-10

% probability of success = ( (M + B) x E ) / 200

In other words if Motivation = 10, Belief = 10 and Effort = 10, probability of success = 100%

Drive for Meaning

Sometimes staying motivated in any particular role for a long time can be tough. In the information security world, the upsides include proactive customers that take protecting their company values, mission and intellectual property (shareholder value) seriously. The downside includes prospects that are completely clueless about the risks they face. Some very wise investors whose advice I follow say that when evaluating a company to invest in, there are four M’s that potential shareholders should pay attention to: Meaning, Management, Moat, and Margin. The company has to do something that resonates with you, they need to have skilled management that has shareholder value in mind (they aren’t traitors that spend shareholder-owned money for their own luxury or enrichment), they need to have some inherent competitive differentiator, and finally they need to have a current valuation that gives prospective shareholders a return on their investment.

Equally, to stay motivated in a role, individuals need a sense of accomplishment. Paul G gave a great synopsis of this by condensing it down to four key attributes that any role has to have to provide an individual with the motivation to do great things: Compensation, Purpose, Autonomy, and Mastery. It’s been proven that money is not an effective motivator by itself .. an example being the difference between a cash payout and some meaningful memory.  If an individual receives $5,000 in bonus money, although it’s appreciated and goes to some purpose, three months later it’s difficult to recall exactly what that money was spent on.  Where that same individual receives an item of equivalent value (perhaps a mountain bike or a trip to a vacation spot), three months later the reward is still very tangible. Purpose, autonomy and mastery are all needed to give an individual the tools and space to make a tangible difference, where it may be difficult, if not impossible, for them to make a lasting difference without all three attributes.

The parallel between these two sets of concepts is clear: a company needs individuals that are motivated to be the best at what they do and compete for the win better than their competitors.  Individuals need a company that will not only provide these motivational tools, but has the capability to do so.  A company that is not managed well, doesn’t have a competitive offering, or is under-capitalized won’t be able to attract and retain the best individuals that it needs to win and thrive.

With any major change, such as starting another degree, changing jobs or moving cities, things can be overwhelming. It takes every ounce of strength and stick-to-it-iveness to navigate these changes and focus on the end goal.  Finding ways to motivate yourself can be challenging when faced with the overwhelming task of taking on that degree or life change. Just like strength training in any fitness program, one fantastic outcome of these challenging circumstances is the realization that we can do it .. and that new strength is our new norm.

Al’s Bucket List

Everyone has a bucket list. Some are written down, some are just in the person’s head. Sometimes it’s just a list of really interesting stuff you’ve done. This is kind of both for me. To get the creative juices flowing, I have both stuff I’ve done and stuff I want to do on here .. in no particular order. Maybe I should put some pictures in here some day too.

Live in a different city
Become a minister to officiate a wedding
Get a Masters degree
Take up mountain biking .. learn to ride technically challenging terrain

Learn how to pick a lock
Hike Mount Kilimanjaro
Learn how to swim laps
Re-learn how to shoot a pistol and how to handle a gun
Dive off Belize, Bonaire, Curaçao, Great Barrier Reef, Mediterranean
Learn how to roll sushi
Become proficient in Spanish .. spoken and reading
Run a half marathon
Go bare boat sailing

How to reset the enable password on a Cisco ASA 5505

The following procedure worked for me to reset the enable password.

Connect to serial port – typically 9600,8,N,1.  On my MacBook Pro, I use a Keyspan USB-Serial adapter, so my command line is:

screen /dev/tty.USA19Hfd13P1.1 9600,8

You can eventually use <ctrl-A><ctrl-\> to kill the screen session.

Power on the device.
When it prompts to interrupt boot sequence, do so (press ESC).

It should prompt

rommon #0>

Type in:
rommon #0> confreg

Should show something like:

Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash

Do you wish to change this configuration? y/n [n]:

Press n (don’t change)

Setting the configuration register to 0x41 makes the ASA boot the default image from flash but ignore the startup configuration, so it comes up with an empty default config and no passwords:

rommon #2> confreg 0x41
rommon #2> reboot

You can now log in with an empty password (press <return> at the login and enable prompts). The saved configuration is still in flash but has not been loaded; pull it back into the running config before changing anything, otherwise the wr below replaces it with the empty default config:

copy startup-config running-config
config t
enable password new-password-here
config-register 0x1
wr

Ensure you either use the config-register command or interrupt the boot sequence again and set the register back to 0x1; otherwise the boot loader will keep ignoring your startup configuration on every boot. Keep in mind that anyone with console access can do this, which is why the console port belongs in a locked rack; if that is not acceptable, "no service password-recovery" in the configuration makes the ASA erase the configuration rather than boot around the password when the register is changed from rommon.


Unix, Linux and Mac OS X Notes

Here’s some notable command syntax I use. You can also select the Notes category and you’ll get more specific topics such as Linux LVM and Mac OS X commands.

rsyslog options

Forward syslog events to an external host via UDP:
– edit /etc/rsyslog.conf .. add a stanza like the example at the end of the file .. a single @ = UDP forward, @@ = TCP forward. UDP is fire-and-forget and cleartext: the sender never learns that a datagram was dropped, so the queue/retry directives below cannot compensate. Use @@ for anything you rely on, and wrap it in TLS or the ssh tunnel described further down if it crosses a network you don’t trust.

$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @10.0.0.45:514

– restart the rsyslog daemon
systemctl restart rsyslog.service
or
service rsyslog restart

Mac OS X syslog to remote syslog server

Forward syslog events on Mac OS X 10.11 to external syslog server via UDP or TCP:
– edit /etc/syslog.conf .. add a line at the end of the file .. a single @ = UDP forward, @@ = TCP forward

*.* @10.0.0.45:514
# remote host is: name or ip:port, e.g. 10.0.0.45:514, port optional

– restart the OS X syslog daemon
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Write ISO image to USB on Mac

– plug the USB stick into the Mac
– look up the disk number and confirm it really is the USB stick (size, “External”) and not an internal disk .. dd to the wrong device destroys it
diskutil list
diskutil info /dev/disk2
– unmount the USB
sudo diskutil unmountDisk /dev/disk2
– copy the ISO image to the USB stick (the raw device /dev/rdisk2 with a 1 MB block size is much faster than /dev/disk2 with the default 512-byte blocks)
sudo dd if=CentOS.iso of=/dev/rdisk2 bs=1m

NIC MAC change

Changing the MAC address of a NIC
– RedHat stores this under /etc/sysconfig in:
networking/devices/ifcfg-eth?
networking/profiles/default/ifcfg-eth?
hwconf
You need to edit the hwaddr in /etc/sysconfig/hwconf and HWADDR in the other locations (some are symlinks to the same file). hwconf is maintained by kudzu, so it only exists on older releases. Note that HWADDR is what the network scripts use to tie ifcfg-eth? to the physical card; to actually bring the interface up with a different address, set MACADDR=xx:xx:xx:xx:xx:xx in ifcfg-eth? (or, for a one-off, ip link set dev eth0 address xx:xx:xx:xx:xx:xx with the interface down).

ssh tunneling of syslog traffic

– Example SSH configuration for tunneling a syslog TCP stream from a remote server back to a local node:

The remote node runs a TCP client (rsyslog) that we want to write to a port on its own loopback (15514/tcp). ssh on the remote node listens on that port and forwards it, through a tunnel initiated from the local node, to a syslog daemon on the local node listening on 1514/tcp:

Remote node rsyslog.conf:
*.* @@localhost:15514

Event flow is through ssh on the remote node, listening on 15514/tcp and forwarding to the local node via the reverse tunnel launched on the local node:
$ ssh -R 15514:localhost:1514 remotehostusername@remote.hostname.domain

Because no bind address is given to -R (and the remote sshd has GatewayPorts off by default), the 15514/tcp listener is on the remote loopback only, so only processes on the remote host can send into the tunnel. To complete the picture, we probably want some sort of process on the local node to detect when the ssh connection has been lost and (1) re-establish the ssh connection, (2) restart rsyslog on the remote host to re-establish the connection from the remote rsyslog daemon to the ssh listener on port 15514/tcp.
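As an added example (not part of the original notes), a supervisor script for exactly that: it (re)starts the reverse tunnel, restarts rsyslog on the remote node after every reconnect so its @@localhost:15514 client reattaches to the new listener, and waits for the link to drop before trying again. The host name, user name and port numbers are the ones in the note above; the sudo rule allowing the remote user to restart rsyslog, and the SSH_CMD/RETRY_LIMIT hooks that exist only so the loop can be exercised without a network, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: keep the reverse tunnel for the
# remote rsyslog -> local syslog path alive and kick remote rsyslog after each
# reconnect.  REMOTE, the remote sudo rule, and the SSH_CMD / RETRY_LIMIT
# overrides are assumptions made for this example.

REMOTE="${REMOTE:-remotehostusername@remote.hostname.domain}"
REMOTE_PORT="${REMOTE_PORT:-15514}"   # what the remote rsyslog.conf points at (@@localhost:15514)
LOCAL_PORT="${LOCAL_PORT:-1514}"      # local syslog daemon listening on 1514/tcp
RETRY_DELAY="${RETRY_DELAY:-10}"      # seconds between attempts
RETRY_LIMIT="${RETRY_LIMIT:-0}"       # 0 = retry forever
SSH_CMD="${SSH_CMD:-ssh}"

# ssh arguments for the tunnel.  ExitOnForwardFailure makes ssh exit (so we
# retry) if the remote port is still held by a stale listener, instead of running
# happily without the forward; ServerAlive* turns a half-open link into an exit
# within ~90 s.  -R with no bind address listens on the remote loopback only.
tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${REMOTE_PORT}:localhost:${LOCAL_PORT} ${REMOTE}"
}

# Kick the remote rsyslog so its TCP client reconnects into the new listener.
restart_remote_rsyslog() {
    $SSH_CMD "$REMOTE" 'sudo systemctl restart rsyslog.service 2>/dev/null || sudo service rsyslog restart'
}

# Supervise the tunnel; prints the number of attempts made when it stops.
keep_tunnel() {
    attempts=0
    while :; do
        attempts=$((attempts + 1))
        $SSH_CMD $(tunnel_args) &                 # word splitting of tunnel_args is intended
        tunnel_pid=$!
        sleep 1                                   # let ssh bind the remote port
        if kill -0 "$tunnel_pid" 2>/dev/null; then
            restart_remote_rsyslog || true
        fi
        wait "$tunnel_pid" || true                # returns when the link drops
        if [ "$RETRY_LIMIT" -gt 0 ] && [ "$attempts" -ge "$RETRY_LIMIT" ]; then
            break
        fi
        sleep "$RETRY_DELAY"
    done
    echo "$attempts"
}

# Usage: sh tunnel.sh run   (foreground; put it under a process supervisor or screen)
if [ "${1-}" = "run" ]; then keep_tunnel; fi
```

autossh does the reconnect half of this out of the box; the remote rsyslog restart is the part it cannot do for you, which is why the loop above owns both steps. Give the tunnel its own key restricted on the remote side (command="/bin/false",restrict,port-forwarding options in authorized_keys) so a compromise of the local node does not hand out a shell on the remote one.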

YUM Software Repository

– Manually add DVD location/repository by:

Using a Red Hat Enterprise Linux Installation DVD as a Software Repository

To use a Red Hat Enterprise Linux installation DVD as a software repository, start from either a physical disc or an ISO image file of it.

1. Create a mount point for the repository:
mkdir -p /path/to/repo

Where /path/to/repo is a location for the repository, for example, /mnt/repo. Mount the DVD on the mount point that you just created. If you are using a physical disc, you need to know the device name of your DVD drive. You can find the names of any CD or DVD drives on your system with the command cat /proc/sys/dev/cdrom/info. The first CD or DVD drive on the system is typically named sr0. When you know the device name, mount the DVD:
mount -r -t iso9660 /dev/device_name /path/to/repo
For example: mount -r -t iso9660 /dev/sr0 /mnt/repo

If you are using an ISO image file of a disc, mount the image file like this:
mount -r -t iso9660 -o loop /path/to/image/file.iso /path/to/repo
For example: mount -r -t iso9660 -o loop /home/root/Downloads/RHEL6-Server-i386-DVD.iso /mnt/repo

Note that you can only mount an image file if the storage device that holds the image file is itself mounted. For example, if the image file is stored on a hard drive that is not mounted automatically when the system boots, you must mount the hard drive before you mount an image file stored on that hard drive. Consider a hard drive named /dev/sdb that is not automatically mounted at boot time and which has an image file stored in a directory named Downloads on its first partition:

mkdir /mnt/temp
mount /dev/sdb1 /mnt/temp
mkdir /mnt/repo
mount -r -t iso9660 -o loop /mnt/temp/Downloads/RHEL6-Server-i386-DVD.iso /mnt/repo

2. Create a new repo file in the /etc/yum.repos.d/ directory:
The name of the file is not important, as long as it ends in .repo. For example, dvd.repo is an obvious choice. Choose a name for the repo file and open it as a new file with the vi text editor. For example:

vi /etc/yum.repos.d/dvd.repo

[dvd]
baseurl=file:///mnt/repo/Server
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

The name of the repository is specified in square brackets — in this example, [dvd]. The name is not important, but you should choose something that is meaningful and recognizable. The line that specifies the baseurl should contain the path to the mount point that you created previously, suffixed with /Server for a Red Hat Enterprise Linux server installation DVD, or with /Client for a Red Hat Enterprise Linux client installation DVD. NOTE: After installing or upgrading software from the DVD, delete the repo file that you created to get updates from the online sources.

IP Networking

– Manually add an IPv4 alias to an interface:
ip addr add 192.168.0.30/24 dev eth4
– Remove it again, giving the same prefix length it was added with (older iproute2 matched on the address alone when deleting, so a bare address or /32 used to work; current versions require the prefix to match):
ip addr del 192.168.0.30/24 dev eth4
– Manually add a route for a specific host (net-tools form; the iproute2 equivalent is ip route add 45.56.119.201/32 via 10.20.1.5):
route add -host 45.56.119.201 gw 10.20.1.5

pcap files

– Split large pcap file by using command line tool that comes with Wireshark editcap:
editcap -c 10000 infile.pcap outfile.pcap

tcpdump options

Display only packets with the SYN flag set (for host 10.10.1.1 and NOT port 80). Byte 13 of the TCP header holds the flags and 0x02 is SYN, so this matches both the initial SYN and the SYN/ACK reply; to keep only inbound connection attempts, mask with (tcp-syn|tcp-ack) and compare the result to tcp-syn:
tcpdump 'host 10.10.1.1  &&  tcp[13]&0x02 = 2  &&  !port 80'

Mac OS X (10.7)

sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=1                  # turn on the ipfw packet filter (deprecated from 10.7, gone in later releases where pf replaces it)
sudo /sbin/ipfw -q /etc/firewall.conf                             # load the ipfw rule set from a file, quietly
sudo ifconfig en0 lladdr 00:1e:c2:0f:86:10                        # change the MAC address of en0 (does not survive a reboot)
sudo ifconfig en1 alias 192.168.0.10 netmask 255.255.255.0        # add a second IPv4 address to en1
sudo ifconfig en1 -alias 192.168.0.10                             # remove it again
sudo route add -net 10.2.1.0/24 10.3.1.1                          # static route to a network via a gateway

rpm commands:

List files in an rpm file
rpm -qlp package-name.rpm

List files associated with an already installed package
rpm --query --filesbypkg package-name
How do I find out what rpm provides a file?
yum whatprovides '*bin/grep'
Returns the package that supplies the file (for a file already on the system, rpm -qf /bin/grep answers straight from the local database), but the repoquery tool (in the yum-utils package) is faster and provides more output, as well as doing other queries such as listing package contents, dependencies and reverse dependencies.

sed commands:

Remove specific patterns (delete blank lines):
sed '/^$/d'
Join a log line that got split into two lines, the second line beginning with a space:
sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D' syslog3.txt > syslog3a.txt
– N appends the next line to the pattern space; the substitution matches the newline followed by the leading space of the continuation and removes the newline, and the t/:a loop keeps appending while further continuation lines follow. The shorter form sed 'N;s/\n / /' only works when the split line happens to be the second of each pair N reads, so it silently misses continuations that land at the start of a pair.

awk commands:

Print out the key=value pairs (KVP) that contain SRC=, using a space as the record separator so each pair is its own record:
awk /SRC=/ RS=" "
Print out the source IP for all iptables entries that contain the keyword recent:
egrep recent /var/log/iptables.log | awk /SRC=/ RS=" " | sort -u
Average the length= values in column five (sum divided by NR, the record count awk keeps automatically):
./packet_parser analyzer_data.pcap | awk '{print $5}' | sed -e 's/length=//g' | awk 'BEGIN {sum=0} { sum+=$1 } END { print sum/NR }'
Find the number of tabs per line – used to do a sanity check on tab delimited input files
awk -F$'\t' '{print NF-1;}' file | sort -u
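As an added example (not from the original notes), the SRC= extraction above generalised a step: instead of grepping for one key by position, parse every K=V token on an iptables log line into a map, then summarise distinct sources per destination port for the lines carrying a given keyword (the rule’s --log-prefix). The log lines and the IPT-recent / IPT-drop prefixes are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: parse iptables log lines by their
# K=V names and count distinct sources per destination port.  The log lines and
# the "IPT-recent"/"IPT-drop" prefixes below are constructed for the example.

sample_iptables_log() {
cat <<'EOF'
Oct  7 09:09:31 fw1 kernel: IPT-recent: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 09:09:32 fw1 kernel: IPT-recent: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 09:10:05 fw1 kernel: IPT-recent: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  7 09:11:44 fw1 kernel: IPT-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  7 09:12:00 fw1 kernel: IPT-recent: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Usage: src_by_port KEYWORD [file...]   (reads stdin when no file is given)
# Output, one line per port: "<DPT> <count> distinct source(s): <SRC> ..."
src_by_port() {
    kw=$1; shift
    awk -v kw="$kw" '
        $0 !~ kw { next }                          # keep only lines with the keyword
        {
            split("", kv)                          # clear the K=V map for this line
            for (i = 1; i <= NF; i++)
                if (split($i, p, "=") == 2)        # "SRC=203.0.113.7" -> kv["SRC"]
                    kv[p[1]] = p[2]
            if ("SRC" in kv && "DPT" in kv)
                print kv["DPT"], kv["SRC"]
        }' "$@" |
    sort -u |                                      # one line per (port, source) pair
    awk '{ n[$1]++; srcs[$1] = srcs[$1] " " $2 }
         END { for (d in n) print d, n[d], "distinct source(s):" srcs[d] }' |
    sort -n
}

# Stand-alone run over the constructed sample:
tmp=$(mktemp) && sample_iptables_log > "$tmp" && src_by_port recent "$tmp"; rm -f "$tmp"
```

Keying on the names rather than on field positions is what keeps this working when a line carries extra tokens (MAC=, DF, the TCP flag words) or when the kernel changes the order; the same loop gives you DST, PROTO or SPT for free by changing the print.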

sort by some mid-line column

I wanted to sort by the sub-facility message name internal to the dovecot messages, and found the default behavior of sorting by whitespace-delimited columns works.

sort -k6 refers to the sixth column with the default whitespace delimiter; note that the key runs from column six to the end of the line, so ties on column six are broken by the rest of the line (use -k6,6 to sort on that column alone).
sort -tx -k1.20,1.25 is an alternative, where ‘x’ is a delimiter character that does not appear anywhere in the line, and character position 20 is the start of the sort key and character position 25 is the end of the sort key.

This sorts by the sixth column (auth: / imap(...)):
$ sort -k6 dovecot.txt
Oct 7 09:09:31 server1 dovecot: auth: mysql: Connected to 10.30.132.15 (db1)
Oct 7 09:33:36 server1 dovecot: auth: sql(someuser@example.com,10.30.132.15): unknown user
Oct 7 09:34:03 server1 dovecot: auth: sql(user1@example.com,10.30.132.15): Password mismatch
Oct 7 09:15:27 server1 dovecot: imap(user1@example.com): Disconnected for inactivity bytes=946/215256
Oct 7 09:21:11 server1 dovecot: imap(user2@example2.com): Disconnected: Logged out bytes=120/12718

dos2unix equivalent with tr

tr -d '\15\32' < windows-file.csv > unix-file.csv
– octal 15 is the carriage return of a CRLF line ending, octal 32 is the Ctrl-Z end-of-file marker some Windows tools append

Fedora 16 biosdevname

– Fedora 16 includes a package called “biosdevname” that sets up strange network port names (p3p1 versus eth0) .. since I don’t particularly care whether my ethernet adapter(s) is (are) in a particular PCI slot, remove this nonsense by (passing biosdevname=0 on the kernel command line has the same effect without removing the package):

yum erase biosdevname

– to take total control of network interfaces back over (edit /etc/sysconfig/network-scripts/ifcfg-eth?)

– remove NetworkManager

yum erase NetworkManager
chkconfig network on