Thursday, May 30, 2013

SS4200-E Serial Connection for NAS4Free

The SS4200-E has a header for a 9-pin serial (DE9) connector.  There is even a knockout on the back for the connector.  This page describes the pinout in great detail.  The key point, and I can't stress this enough, is that the motherboard header is an Intel/DK style instead of the more common AT/Everex style.  I pulled out an old connector, and I spent a day trying to figure out if that, the null modem cable, or the USB-to-serial adapter on my desktop was bad.

I finally got it to work after resoldering the DE9 connections.  My SS4200 has a BIOS setting for the serial connection.  It was set to:
  • Serial Port Mode: 115200 8,n,1
  • Flow Control: None
  • Terminal Type: ANSI
  • VT-UTF8 Combo Key Support: Enabled
Eventually, I was able to get this to work using PuTTY and the settings here.  However, I turned flow control off both in PuTTY and in the Device Manager for the serial port.

This is great for getting into the BIOS.  My next step was to install NAS4Free from the USB image to the 2GB SanDisk Ultra CompactFlash card mounted in the PATA port.  I could see text in the terminal, but it eventually froze.

I then used another computer to install NAS4Free from USB to CompactFlash.  I put the CompactFlash card back into the SS4200-E, but it would freeze.  I remembered reading somewhere that it defaulted to 9600 baud, so I closed PuTTY and reopened it at the 9600 baud setting.  Sure enough, I could see NAS4Free booting.  Eventually, it gave the error "The device that contains the config file (config.xml) could not be found."  More googling led to this, which explains that the most likely culprit is that the BIOS isn't dealing with the CF card very well.  Which is odd, because it managed to boot pretty far.  Maybe that isn't the problem...

I'm going to try reinstalling from USB to CF directly on the SS4200-E again.  Now that I know the baud settings might change, I can default the SS4200-E to 9600 baud and work with that.


Wednesday, May 29, 2013

SS4200-E Hardware

I have two Intel SS4200-E servers.  I found a good description of the hardware in this presentation from Intel.
  • IA-Based Low End Storage Appliance
  • Four SATA ports (3.0Gbps)
  • Four Drive Bays
  • Conroe-L processor [Celeron 420] 1.6 GHz
  • Chipset: 945GZ with ICH7-R
  • 512 MB DDR2 SDRAM
  • Four USB 2.0 Ports
  • 2 x E-SATA Port
  • 1 x Gb Ethernet [Intel 82573V]
I'm interested in the chipset, because I want to upgrade to a dual-core CPU to run NAS4Free.  I will also upgrade the RAM from 512MB to 2GB.  The chipset supports 4GB in two banks, but there is only one RAM slot on the motherboard.

The 945GZ chipset supports:
  • Memory Types DDR2-400 / DDR2-533
  • Celeron 420 (1.6GHz), 430 (1.8GHz), 440 (2.0GHz)
  • Core 2 Duo E4400 (2.0GHz), E4500 (2.2GHz), E4600 (2.4GHz), E4700 (2.6GHz)
  • Pentium E2200 (2.2GHz), E2220 (2.4GHz)
Interestingly, the higher numbers came out first and have more cache.  A good comparison is here.
The E4600 is a Core 2 Duo with 1MB cache, 800MHz FSB, and came out in Q4 of 2007.  The E2200 is a Pentium with 1MB cache, 800MHz FSB, and came out in Q1 2008.  The E1600 is a Celeron with 512K cache, 800MHz FSB, and came out in Q2 2009.  They are all 2.4GHz CPUs, and all should be compatible with the 945GZ chipset.

On this comparison, the E2200 is 96% of the E4600, and the E1600 is 88% of the E4600.  They are all 65W processors vs. the 35W Celeron 420 that it comes with.  Many people have upgraded to E2200 and have had the same CPU temps.

DDR2-400 is PC3200, and DDR2-533 is PC4200.  Higher speeds should work fine as well.

Off to craigslist and ebay to search for parts!


Friday, May 24, 2013

SANS Webinar: Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career

I'm watching webinars for continuing education and CPE credit.  This webinar is "Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career."  Who doesn't want to build their career?

Overview

Discusses ways to develop information security skills, goes behind the scenes of Capture the Flag games and other challenges, offers tips on what makes a good security challenge, and points out places with security challenges.

Notes

Use gamification to measure skill, identify talent, train, and provide motivation.  When confronting a problem, assume that it can be solved.

Types of challenges
  • Offense - attack targets, pen test
  • Defense - stop attackers
  • Offense and Defense - exciting, but more work to implement.  Need to enforce minimal attack surfaces, e.g. with a scorebot.
  • Analysis - packets, files, malware
  • Other - bot-net control, cloud resources, etc.
Flat vs. depth
  • flat - all challenges accessible from anywhere
  • depth - need to solve earlier challenges to get to the later ones
When creating challenges, don't put in red herrings.  There will already be patterns and diversions in the challenges; don't make it more difficult.  Don't make puzzles for puzzles' sake, i.e. needle-in-a-haystack problems.  They won't lead to real-world skills.  Have multiple methods to solve problems.

Free Challenges

Damn Vulnerable Web App
http://www.dvwa.co.uk

Iron Geek’s Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Metasploitable
https://community.rapid7.com/community/metasploit/blog/2010/05/19/introducing-metasploitable

Damn Vulnerable Linux: Currently being rebuilt, but you can find older versions
http://www.damnvulnerablelinux.org/


Huge archive of challenges from 2009 to 2012 here:
http://capture.thefl.ag

Multi-leveled exploit development environment
http://exploit-exercises.com

www.counterhack.net

Conclusion

Interesting webinar.  Need to check out some of the challenges!

SANS Webinar: APT: It is Time to Act

This is the 2nd SANS webinar that I've watched.  The title is "APT: It is Time to Act."  It looked interesting because I've seen APT a few times and wasn't sure what it meant.  APT is Advanced Persistent Threat.  These notes are for my reference and for audit purposes as I log this for CPEs for CISSP.

Overview

APT is like cancer vs. the common cold threat of a few years ago.  Should think in terms of you are already infected, now go find it.  Despite best efforts, we will still get infected.

Advanced = advanced adversary.  Another interpretation of APT = average phishing technique.  Adversaries are going to use the easiest method that they can to break in, i.e. phishing.  Usually buried in an attachment so you get compromised without even knowing.  That is the persistent part.

Too much focus on prevention and not enough on detection.

Solutions

Most dangerous applications are web browsers and email clients.  So sandbox/VM those applications.

3 Primary vectors
  1. Executable content in email
  2. Macros in an office document
  3. Executable code in embedded HTML in the email
So disable executable content, macros, and executable HTML in email.

Prevention vs. Detection

Prevention will eventually fail, so need to also have detection.  This will allow you to detect a breach after it gets through prevention and then stop it. Organizations have to focus more on detection.  Most security is preventative (85%) vs. detective (15%), and most of it is on inbound vs. outbound.  Need to examine outbound traffic to spot unusual activity.

Encrypted outbound traffic can sneak past detection.  Need to load crypto modules to decrypt, but if adversary controls keys, then that won't work.  Solution - create crypto free zones.  That is from understanding adversary and their strength, then turning it into a weakness.

5 Steps to Secure Future

  1. Identify Critical Data - can't protect what you don't know.  Determine your most important assets, biggest threats, and biggest vulnerabilities.  Get a unified focus from everyone.  Risk Based Thinking improves results.  Questions to ask:
    1. What is the risk?
    2. Is it the highest priority?
    3. Is it the most cost effective way to reduce risk?
  2. Align the defense with the offense.  Most attacks follow these five steps.  Most effort is spent defending steps 3 and 4.  If you do enough reconnaissance and scanning, then exploitation is fairly easy.
    1. Reconnaissance
    2. Scanning
    3. Exploitation
    4. Create backdoors
    5. Cover tracks
  3. Know your organization.  If offense knows more than defense, then they will win.  You need to have:
    1. Accurate network diagram - can't protect what you don't know about
    2. Network visibility map
    3. CM and change control
  4. Defense in depth.  There is no unstoppable adversary.
    1. Inbound protection
    2. Outbound detection
    3. Log correlation - look at IP address destination countries
    4. Anomaly detection
  5. Common Metrics.  Use the critical controls
    1. Offense informing the defense
    2. Automation and continuous monitoring of security
    3. Metrics to drive measurement and compliance
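The "crypto free zones" idea and the "look at IP address destination countries" correlation step above are both outbound-detection checks.  The script below, an added example and not from the webinar, runs both over a constructed sample of outbound firewall log lines: the prefix-to-country table stands in for a GeoIP database, and the baseline countries, the crypto-free segment and the encrypted-port list are assumptions.

```python
import ipaddress

# Constructed sample of outbound firewall log lines; not real traffic.
SAMPLE_LOG = """\
2013-05-24T10:01:02 src=10.1.1.20 dst=203.0.113.7 dport=443 bytes=1200
2013-05-24T10:01:09 src=10.1.1.20 dst=198.51.100.9 dport=80 bytes=340
2013-05-24T10:02:30 src=10.1.2.5 dst=192.0.2.44 dport=443 bytes=98000
2013-05-24T10:03:01 src=10.1.1.21 dst=198.51.100.10 dport=443 bytes=560
2013-05-24T10:04:12 src=10.1.2.6 dst=203.0.113.99 dport=8443 bytes=70000
"""

# Constructed stand-in for a GeoIP lookup: prefix -> country code.
GEO_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "DE",
    "192.0.2.0/24": "XX",  # constructed "never seen before" country
}
# Countries this organization normally talks to (assumed baseline).
BASELINE_COUNTRIES = {"US", "DE"}
# Segment designated a crypto free zone: hosts here should not originate TLS.
CRYPTO_FREE_ZONE = ipaddress.ip_network("10.1.2.0/24")
ENCRYPTED_PORTS = {443, 8443, 993, 995}

def country_of(ip):
    """Longest-match-free lookup: the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def parse_line(line):
    # Skip the timestamp, then split the key=value fields.
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), int(fields["bytes"])

def find_outbound_anomalies(log_text):
    """Return (src, dst, reason) tuples for outbound flows worth a look."""
    findings = []
    for line in log_text.splitlines():
        src, dst, dport, _ = parse_line(line)
        cc = country_of(dst)
        if cc not in BASELINE_COUNTRIES:
            findings.append((src, dst, f"destination country {cc} not in baseline"))
        if ipaddress.ip_address(src) in CRYPTO_FREE_ZONE and dport in ENCRYPTED_PORTS:
            findings.append((src, dst, f"encrypted port {dport} from crypto free zone"))
    return findings

if __name__ == "__main__":
    for finding in find_outbound_anomalies(SAMPLE_LOG):
        print(*finding)
```

The sample yields three findings: one flow to an unexpected country and two encrypted flows originating inside the crypto free zone.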

Conclusion

Need to focus on outbound detection - no prevention is perfect.  Use automation, current security devices, and a common focus.  Understand your assets and the adversary.



SANS Webinar: Windows Ports and Services Tools

I was watching a webcast called "Auditing Windows Controls: What You May Not Know Windows Can Tell You" at sans.org.  It was about Windows software and network controls and auditing them.  There are a few useful commands that I wanted to document.  This also serves as an audit record for CISSP CPEs.

Commands

One great benefit of command line tools is that the output can be captured to text logs for auditing.  They often can be scripted as well, which automates the audit process.
  • netstat - lists current TCP and UDP connections
    • -ano flags list all connections and listening ports, in numerical form, with the process ID
  • wmic - Windows Management Instrumentation Command-line
    • Once in the cli, you can execute various commands
      • 'process X list' - lists the process with process ID X (from netstat -ano)
      • 'product list' - lists installed software with version
  • netsh - network shell
    • quick scripting interface to network interfaces
    • gives quick information on firewall configuration
    • can save information to a text file for auditing
  • scwcmd - Security Configuration Wizard (SCW) command-line tool
    • gives text output for auditing
    • read reports with "scwcmd /view c:/temp/report.xml"
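Since netstat output is captured to a text log for auditing, the log can be checked against a list of authorized services offline.  The parser below is an added example, not something from the webinar: it reads a constructed capture of "netstat -ano" (including the UDP rows, which have no State column, and IPv6 "[::]:port" addresses), resolves PIDs through a constructed PID-to-image map as "wmic process" would give you, and lists every bound socket that is not in an assumed authorized baseline.

```python
from collections import namedtuple

# Constructed capture of "netstat -ano" as redirected to a text log.
NETSTAT_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    [::]:135               [::]:0                 LISTENING       812
  TCP    192.168.1.10:49712     198.51.100.5:443       ESTABLISHED     2340
  UDP    0.0.0.0:123            *:*                                    1032
  UDP    0.0.0.0:1900           *:*                                    3012
"""

# Constructed PID -> image name map, as captured from
# "wmic process get ProcessId,Name" on the same host.
PROCESS_NAMES = {812: "svchost.exe", 4: "System", 1104: "svchost.exe",
                 2340: "iexplore.exe", 1032: "svchost.exe", 3012: "svchost.exe"}

# Authorized listening services for this host (assumed audit baseline).
AUTHORIZED = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

Listener = namedtuple("Listener", "proto port pid image")

def parse_listeners(netstat_text):
    """Return bound sockets (TCP LISTENING plus every UDP row) from netstat -ano text."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or column header
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
            if state != "LISTENING":
                continue  # established/closing sockets are not services
        else:
            pid = int(parts[3])  # UDP rows have no State column
        port = int(local.rsplit(":", 1)[1])  # works for "[::]:135" as well
        listeners.append(Listener(proto, port, pid, PROCESS_NAMES.get(pid, "?")))
    return listeners

def unauthorized_listeners(netstat_text, authorized=AUTHORIZED):
    """Listeners whose (proto, port) is not on the authorized list."""
    return [l for l in parse_listeners(netstat_text) if (l.proto, l.port) not in authorized]

if __name__ == "__main__":
    for l in unauthorized_listeners(NETSTAT_LOG):
        print(f"{l.proto} {l.port} pid={l.pid} ({l.image}) not in authorized baseline")
```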

Software restriction

Starting in Windows XP, there are software restriction policies (SRP).  They can be used to deny all executables unless there is an approved MD5 hash.  Windows 7 and later moved to AppLocker instead of SRP.  It uses SHA-256 hashes instead of MD5 for fewer collisions.  AppLocker has an audit mode.

Conclusion

This was a good webinar with a good overview of various tools.  I did not know about some of them, so it was very useful.

When auditing, get a list of authorized services and software.  Check to see if IPv6 is enabled and officially supported.  Find out how patching is managed.

Reporting CPEs

  1. Go to isc2.org
  2. Log in
  3. Click "Submit CPEs" 
  4. On the CPE Report page, click "Add CPEs"
  5. Fill out the questionnaire
    • Apply CPE to Credential/Concentration: CISSP
    • Domain for CPE Credit: Usually "Multiple Domains (Group A)" unless webinar is specific to one domain
    • Activity Start Date: the date that the webinar was watched
    • CPE Type: Self Study, Computer-Based Training [CBT] or Web Cast
    • Course Name: Name of Webinar.  I put (SANS) at the end so I know where I watched it
    • Number of hours: length of webinar