Wednesday, December 31, 2003
Pity this guy?
Put me on the not list as I receive 20-30 legitimate messages per day which makes up less than 10% of the total volume. Thanks to various people for writing Procmail, SpamAssassin, SpamBayes, and various virus scanners.
Scraped from Slashdot.
Tuesday, December 30, 2003
OpenSSL and FIPS 140
Monday, December 29, 2003
Pooning
Oh, and BTW, I have a copy of the book on my shelf.
Sunday, December 28, 2003
VLAN Insecurity
I said it before and I'll say it again here: VLANs are a network traffic management tool, NOT a security tool!!!
Saturday, December 27, 2003
Wardriving
Includes a howto and a listing of required hardware/software.
Friday, December 26, 2003
No Op
Anyways, I've backfilled the last few days and will settle down to work on a serious back-log of posts.
Merry Christmas, y'all!
Thursday, December 25, 2003
The Achilles heel to most networks
I agree with Bowulf, at least in part. You also have to have logging enabled. If you're working in a NOC, that also means router logs (that's syslog servers, not the dinky space for logging in router memory!). For those networks which aren't allowed to enforce a decent firewall policy, you also need to log high-port to high-port traffic which is where most of your shady-stuff (unauthorized/covert channels, P2P, backdoors, etc.) happens.
I disagree with Bowulf in that logging isn't the sole action you need to take. Closely related to logging is taking and maintaining metrics. Good metrics support the cliche "a picture is worth a thousand words". If you're watching your network metrics, you learn to recognize "normal" network activity and "abnormal" network activity.
One example of this is e-mail metrics. You cannot read every message that passes through your mail servers. However, if you graph your metrics properly, you should be able to recognize the spread of a new virus within 5-15 minutes of the initial spread (depending on how often your graphs are updated). While it won't block the new infection (usually nothing will), it does allow you to react quickly enough to minimize the damage and protect the rest of your network.
Maybe a good rule-of-thumb is to maintain metrics on your normal traffic (web, email, etc.) and regularly filter your logs for the abnormal traffic?
Thoughts/ideas/comments/flames?
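As an added example (not part of the original post), here is the e-mail metric from above reduced to a script: it counts accepted messages per five-minute interval from the mail log, keeps a rolling baseline of the previous intervals, and flags the interval where the count jumps well above it, which is exactly the "new virus" signature you'd see on the graph. The log format is a hypothetical sendmail-style syslog line and the sample is constructed inline: an hour of ordinary traffic followed by a burst.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUCKET_MINUTES = 5   # graph resolution: one data point per five minutes

# One accepted message per line, syslog style (hypothetical sendmail-like format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: from=<[^>]*>")


def parse_events(lines, year=2003):
    """Return the timestamp of every accepted message (syslog lines carry no year)."""
    stamps = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return stamps


def bucket_counts(stamps):
    """Messages per BUCKET_MINUTES interval, keyed by the interval's start time."""
    counts = Counter()
    for ts in stamps:
        start = ts.replace(second=0, microsecond=0,
                           minute=(ts.minute // BUCKET_MINUTES) * BUCKET_MINUTES)
        counts[start] += 1
    return counts


def find_spikes(counts, window=6, sigma=3.0, min_delta=10):
    """Flag intervals whose count is far above the preceding `window` intervals.

    Returns (interval_start, count, baseline_mean) tuples. Empty intervals are
    filled in as zero so a quiet half hour cannot hide from the baseline, and
    `min_delta` keeps a jump from 0 to 3 on an idle server from counting.
    """
    if not counts:
        return []
    step = timedelta(minutes=BUCKET_MINUTES)
    t, series = min(counts), []
    while t <= max(counts):
        series.append((t, counts.get(t, 0)))
        t += step
    spikes = []
    for i in range(window, len(series)):
        history = [c for _, c in series[i - window:i]]
        baseline, spread = mean(history), pstdev(history)
        start, count = series[i]
        if count > baseline + sigma * spread and count - baseline >= min_delta:
            spikes.append((start, count, baseline))
    return spikes


# --- constructed sample log: an hour of normal traffic, then a burst -----------
def _log_line(ts, n):
    return (f"{ts:%b %d %H:%M:%S} mx sendmail[{1000 + n}]: hAU{n:04d}: "
            f"from=<user{n}@example.net>, size=1234, nrcpts=1")

_base = datetime(2003, 11, 30, 8, 0, 0)
SAMPLE_LOG = [_log_line(_base + timedelta(seconds=s), n)                  # 4 per 5 min
              for n, s in enumerate(range(0, 3600, 75))]
SAMPLE_LOG += [_log_line(_base + timedelta(hours=1, seconds=s), 100 + n)  # 43 in 5 min
               for n, s in enumerate(range(0, 300, 7))]


def report(lines):
    """Convenience wrapper: log lines in, list of spike tuples out."""
    return find_spikes(bucket_counts(parse_events(lines)))


if __name__ == "__main__":
    for start, count, baseline in report(SAMPLE_LOG):
        print(f"{start:%H:%M}: {count} messages (baseline {baseline:.1f}) -- investigate")
```

Run it from cron against the last hour of the log and it flags the 09:00 interval (43 messages against a baseline of 4). The same per-interval counts are what you'd feed to whatever draws your graphs; the threshold logic is only there so the alert fires without anyone staring at the picture.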
Wednesday, December 24, 2003
Tuesday, December 23, 2003
No op
Apologies to Kevin for the missed links.
Jabber XCP review
Jabber's XML-based communications have been around for quite a while. The protocol is open source and there are quite a few tools to work with it. At one point, I'd even adapted it to send Instant Messages to all NOC personnel if a router interface or a service went down.
InfoSec Pubs
Monday, December 22, 2003
Another Day in the Life of...
Okay, so I'm descended from a long line of soap addicts.
Blosxom
Got any favorites you want to suggest for a *nix-based server?
Sunday, December 21, 2003
Firewall FAQ
Saturday, December 20, 2003
Freenet
Friday, December 19, 2003
DCE RPC Vulnerabilities New Attack Vectors Analysis
Cyberthugs
Okay, I'll admit to scraping it from Slashdot.
Freep has an article about what your high-tech kids put up with in school.
Banking Scam Revealed
Thursday, December 18, 2003
NIST posts security control guidelines for comment
Wednesday, December 17, 2003
Tuesday, December 16, 2003
How not to program in PHP
Hint: ignoring this while programming allows cross-site scripting and SQL injection. Not a good thing.
Outlook mebbe-funny
PostScript Tutorial
Monday, December 15, 2003
Microsoft releases network port info
ADS's (not ad's)
Sunday, December 14, 2003
The Anatomy of Cross Site Scripting
Stubborn Ignorance
RFCs are the agreed-upon standards by which the "community" is defined. Think of it as the charter for your local government. Protocols (languages) are agreed upon. Responsibilities are defined.
One shortcoming is that there is no requirement to comply. This allows organizations and individuals to do horrible, aggressive and/or stupid things via the Internet without reprisal. Examples: long distance Outlook-Exchange connections, MS's perversion of the Kerberos protocol, long distance NetBIOS, long distance Telnet/FTP/POP3/IMAP, just about any proprietary encryption scheme, and 90% of the e-mail domains.
For the Internet-based violations, here's a site called "RFC Ignorant", which tracks the stubbornly ignorant.
The Art of Unix Programming
Saturday, December 13, 2003
More celebrity teaching...
Help Net Security - Attacking the DNS Protocol
Thursday, December 11, 2003
Wading into an Eggdrop soup
Wednesday, December 10, 2003
Tuesday, December 9, 2003
FWTK
For those new to the game, FWTK is the Firewall Toolkit, one of the first application proxies written 20 years ago. Amazingly, it's still usable. Combining it with other technologies (SOCKS, ipfw, iptables, Squid, other proxies/packet filters) allows you to build a workable firewall for just about any *nix flavor, including a Mac version.
If you care to read it, click on the Wiki link above and scroll down to the Security section. Let me know what you think?
Monday, December 8, 2003
Anonymous Blogging
Early Warning!!: If you manage a corporate network, you may want to consider blocking this, both for sending (if it's possible) and for reading. There are some pretty unsavory blogs over there (people abusing the service mostly). The hosts state in their FAQ that if they receive a court order, they will turn you in if you're doing something illegal.
Sunday, December 7, 2003
SCO ordered to show evidence
Best Practices for Wireless Network Security - Computerworld
NSA Cisco Router Security Guidelines
No Op
Saturday, December 6, 2003
Am not! Are to!
It seems that beaumonday thinks I pick on Microsoft too much. Actually, if you read REAL close, I pick on everyone who thinks that any one operating system is the way to go. (Do I need to repost my point-and-click administrator rant again?) I'm a firm believer in the-best-tool-for-the-job and know-the-technology-behind-the-gui.
I provide a lengthy response.
Just so I can alienate everyone and level the playing field, out of the box:
- Microsoft Windows is insecure
- Linux is insecure
- Unix (SunOS, BSD, Irix, AIX, Xenix, etc) is insecure
- Cisco/Foundry/Bay/etc. is insecure
- Novell has problems (actually, they had the highest rating by the gov't prior to adding in IP capabilities)
- and the OS that you may be writing has *SERIOUS* problems.
However, when used in conjunction, they can provide a very secure network for your users.
Friday, December 5, 2003
E tu Brute?
So, did the stock purchase include training on how to sue for money? Probably not but this sort of thing can turn nasty and unproductive.
Thursday, December 4, 2003
Free education
Wednesday, December 3, 2003
Britney Spear's Guide to Semi-conductor Physics
Think this woman is capable of teaching you anything? How about semi-conductor physics? (Yet another attempt by those-with-too-much-time-on-their-hands to use sex to teach the less-willing-to-learn.) But it's funny anyways. The "Booble" search engine is interesting also. (Hint: click on the "Search Britney Space" radio button)
Tuesday, December 2, 2003
The End of RSS
Sunday, November 30, 2003
And the award for Stupid Idea of the Year goes to....
Anti-honeypot Tool
Seems that the spammers are developing tools of their own. First the anti-spammer groups set up honeypots whose objective was to tie up and/or detect spam sources. The spammers have responded with "Send-Safe", a honeypot hunter.
I especially like the wording of the product description:
Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called "honey pots". "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.
"Attempting to frame bulkers" indeed. If you're using resources other than your own to spam the planet, there's a problem. "Attempting to frame bulkers" gives the impression that you have a legitimate right to other people's systems. That phrase should read "Attempting to catch resource thieves". If I catch you using mine, I'm going to do my darnedest to make your life hell.
Funny part about it is that they want $299.00 for the program. Must be no honor amongst thieves?
How to file a complaint
Normally I just filter and delete the spam but I've received a particularly distasteful one (Brazilian kiddie porn) which I'm going to file a complaint about. You can follow along as I whine to customer support about a message entitled "joat, welcome to Ped0Wor1d ayuGYoaf".
First, we need to take a look at the message header. Other than changing my account name (to block account scrapers), the header is as-is from the message.
Return-Path:
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
    for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
    (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
    for
    ; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
Subject: joat, welcome to Ped0Wor1d ayuGYoaf
To: joat
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=2.1 required=3.0
    tests=BIG_FONT,CTYPE_JUST_HTML,HTML_FONT_COLOR_BLUE,
    HTML_FONT_COLOR_MAGENTA,HTML_FONT_COLOR_NAME,IN_REP_TO,
    NO_REAL_NAME,REFERENCES,SPAM_PHRASE_00_01,TO_LOCALPART_EQ_REAL version=2.44
X-Spam-Level: **
X-Spambayes-Classification: ham; 0.07
Notice the two "Received:" lines.
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
    for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
    (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
    for
    ; Sat, 29 Nov 2003 21:32:16 -0500
Unless one or more of them have been badly forged, "Received:" lines are normally in reverse chronological order. When backtracing spam, you work in the same order, verifying each line until you reach the line that doesn't "read" correctly. Since there are only two lines in this instance, it is very easy to trace this one back to its source.
The first "Received:" line is a normal entry, generated by my instance of fetchmail.
Right away, the second line has an error in it that sticks out: it's not from the domain it claims to be from (CompuServe). Rather, Cox's mail server recorded an IP of 12.229.105.222 as making the connection. It's also significant that the "Return-Path:" address is not CompuServe either.
Finally, the lack of any other "Received:" line is also significant. Normally you would have a client-to-server entry followed by a server-to-Cox-server entry to show that the mail was generated by a mail client and uploaded to the sender's mail server before that server "talked" to Cox. (Too confusing?)
What this means is that a program connected directly to Cox's mail server to generate the mail. In other words, a non-MTA program connected to port 25 on Cox's mail server and "typed the message directly onto the server". This is a technique that system administrators use in troubleshooting mail delivery. Anyone know of spammer programs that use mail lists, do MX lookups, and connect directly to the applicable mail servers?
Anyways, we can still trust most of the second line. Except for "from compuserve.com", the line is generated by the Cox mail server. The IP address is significant in that a reverse lookup reveals that it's an ATT IP address:
$ nslookup 12.229.105.222
222.105.229.12.in-addr.arpa name = 12-229-105-222.client.attbi.com.
Note that if you don't have "nslookup" or "whois", SamSpade.org has a nice web-based version.
A WHOIS lookup returns the following:
$ whois 12.229.105.222
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Comcast Corporation COMCAST-12-229-96-0-WASHINGTON (NET-12-229-96-0-1)
12.229.96.0 - 12.229.127.255
This indicates that while AT&T owns the IP address, they "sublet" the chunk which our suspect IP belongs in to Comcast Corporation. Note the "NET-12-229-96-0-1" in parentheses. We can do another WHOIS lookup on this to get:
$ whois NET-12-229-96-0-1
CustName: Comcast Corporation
Address: 1500 Market Street
City: Philadelphia
StateProv: PA
PostalCode: 19102
Country: US
RegDate: 2003-10-10
Updated: 2003-10-10
NetRange: 12.229.96.0 - 12.229.127.255
CIDR: 12.229.96.0/19
NetName: COMCAST-12-229-96-0-WASHINGTON
NetHandle: NET-12-229-96-0-1
Parent: NET-12-0-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-10-10
Updated: 2003-10-10
TechHandle: DK71-ARIN
TechName: Kostick, Deirdre
TechPhone: +1-919-319-8249
TechEmail: help@ip.att.net
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: abuse@att.net
OrgTechHandle: ICC-ARIN
OrgTechName: IP Customer Care
OrgTechPhone: +1-888-613-6330
OrgTechEmail: qhoang@att.com
OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone: +1-888-613-6330
OrgTechEmail: swipid@nipaweb.vip.att.net
This gives us the address to send our complaint to: "abuse@att.net".
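As an added example (not part of the original post), here is the header-reading part of the trace above done mechanically in Python: it walks the "Received:" lines newest to oldest, separates what the connecting host claimed (the HELO name) from what the receiving server actually recorded (the bracketed IP), and flags the three things noted above: the HELO/Return-Path conflict, a hop where the server logged only an IP, and the single-hop "typed straight onto the server" pattern. The message is constructed to mirror the headers quoted above (same IP, HELO name, receiving server and Return-Path); the recipient address and Message-ID are placeholders. The nslookup and whois steps stay on the command line as shown.

```python
import email
import re

# Constructed message modelled on the headers quoted above. The IP, HELO name,
# receiving server and Return-Path are the ones discussed in the post; the
# recipient address and Message-ID are placeholders.
RAW_MESSAGE = """\
Return-Path: <mrg@simplewire.com>
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
\tfor joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
\t(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <placeholder@cox.net>
\tfor <joat@example.invalid>; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
To: joat
Subject: constructed sample
Message-ID: <placeholder@example.invalid>

(body omitted)
"""

# One Received: clause: "from <helo> (<rdns> [<ip>]) by <server> ... with <proto> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s(;]+)"             # name the connecting host announced
    r"(?:\s*\((?P<paren>[^)]*)\))?"           # what the receiving server saw: rDNS and/or [ip]
    r".*?\bby\s+(?P<by>[^\s(;]+)"             # the server that wrote the line
    r"(?:.*?\bwith\s+(?P<proto>[^\s(;]+))?",  # transport (SMTP, ESMTP, POP3, ...)
    re.S)

RETRIEVAL = {"POP3", "IMAP", "IMAP4"}        # fetchmail-style pickup, not a delivery hop


def parse_received(raw):
    """Hops in header order (newest first), each with what the server recorded."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        paren = m["paren"] or ""
        ip = re.search(r"\[([\d.]+)\]", paren)
        rdns = re.match(r"([^\s\[]+)", paren)
        hops.append({
            "helo": m["helo"],
            "rdns": rdns.group(1) if rdns else None,
            "ip": ip.group(1) if ip else None,
            "by": m["by"],
            "proto": (m["proto"] or "").upper(),
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops


def _in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Walk the hops from newest to oldest and note what does not "read" right."""
    msg = email.message_from_string(raw)
    hops = parse_received(raw)
    transport = [h for h in hops if h["proto"] not in RETRIEVAL]
    entry = transport[-1] if transport else None     # oldest hop = where it entered
    findings = []
    if entry:
        rp = (msg.get("Return-Path") or "").strip("<> ")
        rp_domain = rp.rsplit("@", 1)[-1] if "@" in rp else ""
        if rp_domain and not _in_domain(entry["helo"], rp_domain):
            findings.append(f"HELO name {entry['helo']} conflicts with Return-Path domain {rp_domain}")
        if entry["rdns"] and not _in_domain(entry["rdns"], entry["helo"]):
            findings.append(f"reverse DNS {entry['rdns']} conflicts with HELO name {entry['helo']}")
        if entry["ip"] and not entry["rdns"]:
            findings.append(f"{entry['by']} recorded only the IP {entry['ip']}; check it with nslookup and whois")
    if len(transport) == 1:
        findings.append("single transport hop: something connected straight to the receiving mail server")
    return {"hops": hops, "entry": entry, "findings": findings}


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE)
    for hop in result["hops"]:
        print(f"{hop['by']:20} got it from {hop['helo']} ({hop['ip'] or 'no ip'}) via {hop['proto']} on {hop['date']}")
    for finding in result["findings"]:
        print("*", finding)
```

The one design point worth noting: the POP3 pickup line is real but it is not a delivery hop, so it is set aside before counting; otherwise every fetchmail user would see "two hops" and miss the direct-to-server pattern. Only the IP in brackets is trusted, since the receiving server wrote it; everything the connecting host said about itself is treated as a claim to be checked.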
The trick to filing a complaint of this type is to be polite and to present all of the facts (as we've done above). It's also a good idea to provide the original message, with headers, as an attachment to the complaint. You also want to give the ISP an "out" in this case as it may be a hacked box on the far end.
The wording of my complaint (which I've just sent):
To whom it may concern,
Please forward the following to your Abuse and Security departments.
Please find attached an unsolicited (and particularly distasteful) pornographic e-mail advertisement (porn spam) that showed up in my inbox. Various things about the headers are notable:
1) The "Return-Path", the source IP, and the source hostname all conflict. That is: "mrg@simplewire.com", "compuserve.com", and "12.229.105.222" respectively.
2) There are no other "Received:" lines other than the one generated by my Fetchmail utility (which I will vouch for the accuracy of) and the one generated by my ISP's (Cox) mailserver. This is indicative of a program connecting directly to Cox's mail server.
The IP recorded by Cox's mail server belongs to one of your customers. Please determine whether the user at that IP is running a spamming program or if it has been compromised by a trojan or worm which allows spammers to use it in a similar manner.
Respectfully,
One side "thought" generated by all of this. When the new federal anti-spam law goes into effect, there's going to be some trouble. There's a strong possibility that this source IP is infected with something similar to the Jeem trojan, which allows for remote control spamming. Given that law enforcement is in a constant game of technological "catch-up" with hackers/spammers, I hope they learn how to read and interpret message headers before throwing some poor church-going Granny in the slammer for spamming the planet with "l33t pr0n".
IPSec Troubleshooting Guide
Thumb Drive Prices
Went window shopping at a few stores yesterday to price a replacement hard drive and noticed that two of the larger chains are now selling 128M thumb drives for about $58.00 US. Saw a 64M USB v1 one for less than $20.00.
Until recently, it'd seemed that the price was never going to go under $1.00/M.
Saturday, November 29, 2003
Nessus
Some organizations use it instead of ISS as its attack database is generally larger and more up-to-date. The drawback is that it also can do damage in its penetration testing if you're not careful (there are switches to disable the more brutish attacks).
Update: Bowulf has a piece in which he indicates that you can avoid the setup and configuration of Linux and Nessus by using Knoppix STD. The only thing you have to worry about otherwise is gathering the updated NASL signature files.
Hint: you can add them to the distribution prior to burning the iso by mounting it via the loopback device. (If there's enough room.) For Linux, try
mount -r -t iso9660 -o loop cdimage.raw /mnt
AES Encryption
Friday, November 28, 2003
Writing your name in the snow
In the last few years, Netcraft took a beating from the more zealous side of the Open Source house for saying various nice things about Microsoft and IIS. They were even accused of taking money to produce a slanted survey. Here's another similar situation...
NetCraft has stated that Apache runs on the majority of the web sites on the Internet (and has done so since some time mid-Feb 1996). Now there's an org called Port80 Software that says some pretty nasty things about NetCraft. It appears that they're trying the old "running for office campaign" strategy in which the main tactic is to say negative things about the other guy.
Actually, if you read closely, both reports could be true. In other words, it's very likely that IIS has the majority of the Fortune 1000 corporate server realm while Apache has the overall lead. (Hey, at one point I was responsible for 8 individual web servers, only one of them corporate, and none of them IIS.) The problem I have is with the slights thrown in the article, which attempts to give NetCraft (I can't believe I'm defending their tactics) a black eye.
I was suspicious enough of the main article to look at it even closer. If you look at the data, port80 only looked at the top 1000 corporations. In this case, "top 1000" is the "Fortune 1000" corporate listing. That means that out of the 30298060 web sites polled by NetCraft, port80 says only a specific 1000 of them "count" so that they can declare that IIS has a majority. (Aside: It could also mean that a majority of the Fortune 1000 CIO's saw the "no one's been down to the server room in days" commercial and were gullible enough to believe it.)
Thank God for "Lies, Damn Lies and Statistics"?
Nothing like leveraging of off someone else's reputation, huh?
Thursday, November 27, 2003
System Administration and Security
Should I select the same service provider to manage both IT services and security services?
No, absolutely not. System administrators that also understand security are rare and (usually) highly paid. Unless your system administrator has been around the block quite a few times (able to stand up servers using three or more OS's), it's usually a safe bet that they will attempt to do EVERYTHING using the same OS. You end up with a monolithic network (this is the "all your eggs in one basket" train).
What process should I follow when implementing a managed security service?
Semi-agreement with the article. Before you farm out your security services, you should have well-documented policies, procedures, and plans.
How do managed security services affect corporate security risks?
Realize that it is still your organization that is responsible for overall security. You're hiring someone to provide reports on the status of your network. It's still up to you to "push" policy. It'll also be up to you to deal with the politics. If the hired security says that someone is doing something that's against policy, it's up to you to either correct the person or change the policy. Please note that ignoring the situation is bad practice (you're paying for security!) in that it's now a known condition and if you don't correct it immediately, you can't fire anyone for it at a later date. If it involves anything "shady", you could be sued by other organizations if the situation expands and affects them.
What are the pitfalls of managed security services?
Cost mostly, but depending on what you're buying for service, it can be cheaper than having your own full-time in-house talent.
Also, if you've never had ANY security up 'till now, be prepared for some surprises. The first report that shows up on your desk may tell you a few things about your network that you don't want to hear. Examples of this could include: a virus infection, Bob in accounting spends most of his working time surfing porn, your secretary runs peer-to-peer file trading software at her desk, Fred in purchasing is selling corporate assets on eBay, etc. Just try to remember that these are the reasons that you hired out for security in the first place. Don't shoot the messenger.
What problems are best addressed by managed security services?
If you can't afford (or retain) full-time in-house talent, managed services are definitely an option. See the article for a much better explanation.
Doctor, Doctor!!
"So don't do that."
While that may make for shoddy medical practice, it's even worse for security. According to ZDNet, Microsoft has issued a "knowledge paper" to fix the hole in MS Exchange's OWA.
Anyone else see bad practice here?
(Hint: if they call it a "fix", marketing can claim that MS "fixes" things rapidly.) Want to talk fast? An ElGamal bug in GPG was announced today. Guess how long you have to wait for the patch? Answer: It's already out.
Question
Saw yet another capture-to-wav tool today.
Wednesday, November 26, 2003
NSM PowerPoint
Bit Torrent FAQ
Tuesday, November 25, 2003
Don't use Word!
Monday, November 24, 2003
Linux McAfee Update Script
Sunday, November 23, 2003
Mess in the wiki
Public Certificates
Is it worth anything? Like a lot of other things on the Internet, the answer is "it depends". It depends on how well people trust the site and use it. Note: You don't have to use Verisign, you can issue your own certificates. Verisign's strength is that, by way of government sponsorship, the majority of users "trust" it as a CA.
Update: For those that are interested in rolling your own, check out the "OpenSSL Certificate Cookbook".
Blech!
Okay, let's see him try the "a trojan did it" defense! (Warning: Article is about a really sick f**k.) (Sorry but that's the only description for him.)
Net::Dict Interface
Saturday, November 22, 2003
Looking for Incident-Response.org?
http://66.96.178.49/
Friday, November 21, 2003
Soap attacks
The paper also describes defenses against those attacks.
Wednesday, November 19, 2003
IPSec Troubleshooting Guide
Tuesday, November 18, 2003
Corporate Schizophrenia?
- Could it be that they finally get it? Just a little bit?
- They also want to do some buy and kill, especially after Google pulled a fast one.
- Why won't they learn that they shouldn't promise stuff at trade shows? Anyone else remember the super-fantastic backup technology that Microsoft promised at a Comdex? Funny, Veritas and friends are still around. (The super-fantastic Microsoft backup robot isn't.) That and tablets have already been declared dead.
- Bill also used Comdex to announce new anti-spam tools. I really hope that Bill didn't use the word "spam" as Hormel might get a little pissed that the world's (sometimes) richest man is attempting to profit off of the name of one of their products.
- Meanwhile, pundits punditted that this would put other anti-spam products out of business (yeah, just like IIS and Active Directory did?)
- Meanwhile, Steve was in Japan, making promises of better security while spreading FUD about open source products.
- Microsoft has put a "bounty" on the heads of malicious code writers, specifically two evil-doers.
- The "discussion" over those bounties is only a couple insinuations above a name calling contest
- Users are a bit less than pleased with Microsoft's new patches
- and yet two more exploits that use port 135 were made public along with another vulnerability in Microsoft Exchange.
Thanks to: Slashdot, The Evil Empire, HelpNet Security, Computer Cops, Insecure.org Lists, HackInTheBox, eWeek, InfoWorld, ThinkComputer
Side note: Sorry this is showing up on Tuesday. I'd meant to post it on Sunday but it took this long to pull all of the MS-related stuff off of the spike.
CSI loses points
Heh.
Monday, November 17, 2003
Troubles from within...
I heartily agree with him and will throw in my own comments here...
Many upper management types are worried that "we'll be seen as network Nazis". Personally, I don't care about your opinion of me if the network is running properly. If the security model (based on the business model) requires that I flog every dolt who thinks the rules don't apply to them, so be it. Call me all the names you want. I plan on going home at the end of the work day.
Also, and this might sound contrary to the above, you have to have realistic and enforceable rules. Anything else breeds contempt and circumvention of the rules. The end-user also has to understand the reason for each of the rules. This requires user training and user agreements.
Sunday, November 16, 2003
While fishing around I found...
Saturday, November 15, 2003
Quick screen howto
Bridging Firewalls
For the short version, Bridging Firewalls are effectively network bridges which have IPTables-like filtering added in. They are "invisible" because you don't add IP addresses to bridges.
Friday, November 14, 2003
Alternate Data Streams
Covert Communications
What's on your network? (to the tune of "What's in your wallet?")
Thursday, November 13, 2003
Changing MAC Addresses
Under *nix, it's quite easy (and doesn't need to be explained here.).
Yet more wiki stuff
- Added to the Blogger's Toolkit - Content Tools section.
- Added "Refresh or Redirect in PHP"
Some of it you just have to leave at the curb
Is this usable?
Also, he seems to have had better luck with SpamBayes than I have. Could it be that my run-away collection of Procmail recipes is finally catching up with me? It has piqued my interest in graphing my spam though.
Wednesday, November 12, 2003
Rules for a successful security policy
Tuesday, November 11, 2003
Incident Response Tools
- Incident Response Tools For Unix, Part One: System Tools
- Incident Response Tools For Unix, Part Two: File-System Tools
Definitely worth the read. Both articles have an extensive list of tools and links.
This is a test...
This is a test. This blog is conducting a test of the Emergency Blogcast System. This is only a test.
(annoying noise)
This is a test of the Emergency Blogcast System. The bloggers of your area, in voluntary cooperation with just about no authorities, have developed this system to keep you informed in the event of blogger's block. If this had been an actual post, the Annoying Noise you just heard would have been followed by interesting information, witty posts or snarky behavior. This blog serves the Tidewater area. This concludes this test of the Emergency Blogcast System.
(I was out of town for awhile and missed the official test)
Monday, November 10, 2003
MT Upgrade
- "external" pings feature in the main config
- the ability to figure out the trackback URL for posts which include pointers to other trackback-capable blogs
Sunday, November 9, 2003
Push back
"I'm sick and tired of it and won't take any more!!"
What am I ranting about? Comment spam.
Jeremy, Chris, Adam, and duemer have all vented on this topic and have had varying levels of success in fighting back.
Kalsey Consulting has also posted a howto entitled "Cutting Comment Spammers Off at the Knees" and a "Manifesto".
And before you think this is a small group of people, try looking at:
- http://rw.burningbird.net/cgi-bin/mt-tb.cgi?__mode=view&entry_id=182
- http://blog.iloaf.com/archives/000228.html
- http://blog.iloaf.com/archives/000229.html
- http://www.neilturner.me.uk/2003/Nov/08/spamtastic_hypocrisy.html
- http://www.neilturner.me.uk/2003/Nov/08/is_it_a_spam_or_is_it_an_idiot.html
- http://blog.kevindonahue.com/archives/001517.php
- http://www.gerald-steffens.com/blog/archives/00000047.htm
- http://www.blogd.com/archives/000237.html
- and many more (Google for them via "blog comment spam".)
In response to the comment spam here, I'm brushing up on my tracking skills and have added the fine print at the bottom of the main page. (Hey, spam is illegal here in Virginia! Be glad I'm only asking for $100.00!!)
[With apologies to those on the receiving end of the trackbacks; this has a lot of links in it.]
Saturday, November 8, 2003
One question?
- Given that the author already knows how to break into computers, what's to stop him/her from choosing another programmer and planting the "evidence" on that person's computer before calling the cops?
- Where is all this bounty money coming from? (If you can't guess the obvious answer, e-mail "joat@757.org" with a subject line of "obvious answer" (without the quotes)(an infobot will answer).
Friday, November 7, 2003
Common courtesy?
This entire post is a peevish vent so you may want to skip it.
Okay, I'm back. My last job made me a cynic (network security officer for 30,000+ users). This new job isn't improving my impression of the general public any. This job requires that I travel every other month or so, so I get to view the public "up close and personal". Here's what's set me off this time:
In the U.S., airlines load planes from the back to front. One of the attendants will call out over the announcing system "Now boarding rows 15 through 22". This causes 30 or so of us to queue up and slowly drag ourselves and a carry-on piece of luggage onto the plane.
I've done this four times in as many days and, without fail, there's at least one moron from row 6 or so that makes the super-human effort to get onboard before the rest of us (he cuts in line). Short version: the entire complement of passengers is delayed while those that should already be on the plane before him wait while he tries to jam an oversized bag (that should have been checked) into the overhead storage. On one of the four flights, this held up boarding long enough that the plane was bumped from its position in the take-off queue (an additional 10-minute delay).
Would someone explain to me why these people think that they'll get where they're going quicker if they cut in line? Seriously, I think these people should be bumped to the "on standby" category and forced off of the plane.
Thursday, November 6, 2003
More Hitchhikers on the radio
File this one under the "Mebbe I Should Start a 'Cult' Category" category. (That's where the BBC filed it.)
The BBC is going to adapt the remaining Hitchhiker's books to audio.
Yeah, I know: This makes me an old geek. Doesn't anyone else remember staying up late to listen to the Radio Mystery Theater? Extra credit if you did it via a tube or crystal set!
Wednesday, November 5, 2003
I will donate the following service to Bill Gates (if he wants it)
Bill: Give me a list of the domains and their expirations and I'll set up cron jobs so that you can be notified a month or so ahead of time.
Update: Jeremy has a short bit about Vixie cron.
Tuesday, November 4, 2003
Security Testing Guide
Monday, November 3, 2003
Alien II?
Even though this one is from Slashdot, it makes for interesting "entertainment" (loosely defined).
Every community has their own nut cases. The Internet isn't any different.
Remember a while back when everyone got spammed by that guy looking for the dimensional warp generator so's he could get back to his own time? He was quickly "outed" by a group of people who are now on the receiving end of what amounts to an e-mail bombing (mail with forged return addresses is intentionally bounced off of legitimate servers in an attempt to fill the victims' mailboxes and block legitimate mail to them).
I had a Great Uncle who responded to situations in a similar manner. It kept a family feud going for decades.
Sunday, November 2, 2003
More Wiki entries
- Connecting a Linux box to Sprint PCS via a Samsung N400
- Using fetchmail with Procmail and a virus scanner
- isvirus code listing
Saturday, November 1, 2003
NSA picks a commercial encryption product
Please note: they have SDK's for Windows, Linux, Unix and more.
Local Area Security Linux
If anyone uses this, would you post a few comments here?
Nop +4-7
I may be out of touch for a few days as I'm headed for New Orleans first thing Monday morning. I may have connectivity, I may not. The map for my cell phone service is kinda vague as to what service is available, just like it was when I was visiting my parents (had to drive halfway down a mountain but found service)(pretty good connection in that 100 or so feet).
Anyways, I'll keep posting. It's just that you might not see the posts until I get back.
Thursday, October 30, 2003
YADOCD
Yet Another Distribution On CD: Dyne:Bolic.
This one is targeted, more or less, at artists, claiming to contain everything you need to record, edit, encode and stream audio and video data, all without having to set up an extra partition on your hard drive.
This distribution also auto-discovers other Dyne:Bolic systems on the LAN and clusters with them.
Wednesday, October 29, 2003
Universal RPC Exploit
Tuesday, October 28, 2003
New law would require computer security audits, status reports
Monday, October 27, 2003
Vi and XML
Note: this guide is also available on PDF form from the same site.
Sunday, October 26, 2003
More wiki stuff
I've added the following to the wiki:
- Procmail
- Using formail to break incoming message digests into individual messages
- Playing sounds when mail arrives
- Spam
- How to add MySQL logging to MIMEDefang
- Vi
- Like or hate the multicolored syntax highlighting? Turn it on or off!
- Opening many files at the same time
The link for the wiki is in the menu bar above.
Saturday, October 25, 2003
Garg!
One of the things about running intrusion detection on your home system is that you often see stuff that your service provider doesn't want to (or can't) deal with.
My service provider is a very large (read that as national) high-speed cable provider. Currently it's in the middle of a severe ARP storm. It's gotten so bad that connecting to this site from across town is slow.
I logged the packets and had them ready to mail off. Turns out the helpdesk doesn't know what the heck I'm talking about. I ended up entering a clueless-level ticket in which I complained about "the Internet being slow". It was about the best I could do via that poor kid. He started getting confused when I talked about DHCP, ARP requests, and MAC addresses.
Oh well... I'm off to the doctor to see if I can get this key cap removed from my forehead.
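For anyone who wants to hand the helpdesk something more concrete than "the Internet is slow", here is an added example (not from the post) of what to pull out of a capture. It reads tcpdump-style ARP lines (both the older `arp who-has` and the newer `ARP, Request who-has` forms), counts requests per second per sender, and names the hosts whose one-second peak exceeds a threshold. The sample lines and the 50-per-second threshold are constructed assumptions for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# Matches both "arp who-has X tell Y" and "ARP, Request who-has X tell Y, length N".
ARP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+\s+arp,?\s+(?:request\s+)?who-has\s+\S+\s+tell\s+([\d.]+)", re.I)
THRESHOLD_PER_SEC = 50   # assumed: far above anything a single host legitimately needs


def parse_request(line):
    """Return (second-of-day, sender IP) for an ARP request line, else None."""
    m = ARP_RE.match(line)
    if not m:
        return None
    h, mi, s, sender = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), sender


def analyze(lines, threshold=THRESHOLD_PER_SEC):
    """Count ARP requests per (second, sender); report the busiest second and the
    senders whose one-second peak exceeded the threshold."""
    per_sec_sender = Counter()
    for line in lines:
        parsed = parse_request(line)
        if parsed:
            per_sec_sender[parsed] += 1
    per_sec = Counter()
    peak_by_sender = defaultdict(int)
    for (sec, sender), n in per_sec_sender.items():
        per_sec[sec] += n
        peak_by_sender[sender] = max(peak_by_sender[sender], n)
    offenders = sorted(((s, p) for s, p in peak_by_sender.items() if p > threshold),
                       key=lambda x: -x[1])
    peak = max(per_sec.values()) if per_sec else 0
    return {"peak_rate": peak, "offenders": offenders, "requests": sum(per_sec.values())}


def constructed_capture():
    """Constructed lines, not a real capture: one well-behaved host and one host
    spewing 150 who-has requests per second, the pattern behind an "ARP storm"."""
    lines = ["12:00:10.500000 arp who-has 10.0.0.7 tell 10.0.0.3",
             "12:00:11.200000 arp reply 10.0.0.7 is-at 00:11:22:33:44:55"]
    for i in range(300):
        sec, frac = 10 + i // 150, (i % 150) * 6666
        lines.append(f"12:00:{sec:02d}.{frac:06d} ARP, Request who-has 10.0.0.{1 + i % 254} "
                     f"tell 10.0.0.99, length 28")
    return lines


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else constructed_capture()
    report = analyze(source)
    print(f"{report['requests']} ARP requests, peak {report['peak_rate']}/s")
    for sender, rate in report["offenders"]:
        print(f"  {sender} peaked at {rate} requests/s")
```

Feed it live with something like `tcpdump -n -l -i eth0 arp | python3 arpstorm.py`; the offender list, together with the sender MACs from your own capture, is the part an abuse desk can actually act on.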
Protecting you from yourself?
Thursday, October 23, 2003
Wednesday, October 22, 2003
THE Network Security Blog - Geek Troy Jessup: Threats - Email Scams
Tuesday, October 21, 2003
Bruce Schneier Interview
Sunday, October 19, 2003
joatWiki?
Secure the perimeter?
Secure the perimeter?
Secure the perimeter?
Secure the fsck'in perimeter!?
Gee, I think that puts Microsoft's level of security at circa 1990. Does it mean that Microsoft is abandoning trying to secure the code?
After a quick read, I think I can make a few quick predictions:
- Microsoft will make lots of money selling "more capable" firewalls
- Millions of Microsoft users will be complacent about their internal networks because "Hey, we've got a firewall to protect us!"
- resulting in thousands of crunchy-on-the-outside, chewy-on-the-inside networks, thereby lowering the overall level of security on the Internet
One of the biggest shortcomings of using Microsoft workstations is that each and every one of them is also a server, because the same services used to join the local network allow the workstation to share services and data. Let's enumerate what ports 135, 137, 138 and 139 (plus 445, which carries the same SMB traffic without NetBIOS on Windows 2000 and later) are used for:
- 135: the RPC endpoint mapper, which brokers DCOM and MS-RPC connections (this is what allows someone else to remotely run functions/programs on your machine, and what Outlook uses to talk to the Exchange server)
- 137: the NetBIOS name service (name registration and resolution, WINS)
- 138: the NetBIOS datagram service (browse lists, messenger-service popups)
- 139 and 445: the NetBIOS session service and direct-hosted SMB, which carry network logons, file sharing, printing, directory replication, and the named pipes behind the remote event viewer, registry editor, user manager and diagnostics
Note what is not on these ports: DHCP lives on UDP 67/68 and DNS on 53. They are separate protocols and separate exposures.
And that's just to/from a workstation. I'm amazed that it took as long as it did for someone to consider NetBIOS as an infection vector.
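To see for yourself what one of these workstations advertises, send it the adapter-status query on UDP 137 (what `nbtstat -A` sends): it returns the machine's NetBIOS names, their suffixes and its MAC address without any authentication. The Python below is an added example for this page, not code from the post. It builds that query, parses the reply, and includes a hand-constructed reply so it runs offline; the names JOATBOX and WORKGROUP and the MAC in it are made up.

```python
import socket
import struct
import sys

# Common NetBIOS name suffixes (RFC 1001/1002 plus Microsoft's conventions).
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
            0x1B: "domain master browser", 0x1C: "domain controllers",
            0x1D: "master browser", 0x1E: "browser elections"}


def encode_netbios_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P'. The wildcard '*' is NUL-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)


def build_nbstat_query(txid=0x1234):
    """Adapter-status (NBSTAT) query for '*', the packet nbtstat -A sends to UDP 137."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: query, no recursion
    qname = b"\x20" + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)  # type NBSTAT, class IN


def _skip_name(pkt, off):
    """Skip an encoded name (or a compression pointer) and return the next offset."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_nbstat_response(pkt):
    """Return (txid, [(name, suffix, flags), ...], mac) from an NBSTAT reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBSTAT response")
    off = 12
    for _ in range(qd):                      # question section, usually absent
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)               # answer name
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != 0x0021:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    count, off = pkt[off], off + 1
    names = []
    for _ in range(count):                   # 18 bytes per name: 15 name, suffix, 2 flags
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        nflags = struct.unpack_from(">H", pkt, off + 16)[0]
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"), suffix, nflags))
        off += 18
    mac = ":".join(f"{b:02x}" for b in pkt[off:off + 6])   # "unit ID" = adapter MAC
    return txid, names, mac


def describe(names):
    """One line per name: group (flag 0x8000) vs unique, with the suffix's meaning."""
    return [f"{n:<15} <{s:02x}> {'GROUP ' if f & 0x8000 else 'UNIQUE'} {SUFFIXES.get(s, 'unknown')}"
            for n, s, f in names]


def constructed_reply(txid=0x1234):
    """A reply built by hand for offline use (constructed, not captured)."""
    entries = [(b"JOATBOX", 0x00, 0x0400), (b"JOATBOX", 0x20, 0x0400), (b"WORKGROUP", 0x00, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("000c29aabbcc") + bytes(40)       # MAC, then zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata


def query_host(host, timeout=2.0):
    """Send the query to a real host (UDP 137) and parse the reply. Network; not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        _, names, mac = query_host(sys.argv[1])
    else:
        _, names, mac = parse_nbstat_response(constructed_reply())
    print("\n".join(describe(names)), "\nMAC", mac)
```

A `<20>` unique name means the file server service is listening, a `<1c>` group name tells you the machine is a domain controller, and the MAC comes back whether or not you are on the same segment. All of that is what a worm gets for free before it tries anything on 139 or 445.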
Welchia provided a very good example of why security has to be built from the ground up. Various organizations learned the hard way that while their firewalls protected the front door, various backdoors lurked in their networks. That, coupled with a laissez-faire attitude toward timely patching, allowed the damage to stack up like it did.
Hmm... I wonder how Microsoft is going to do/market it. Single-purpose applications? Peer review of all code? [*gasp*] (Yeah, you heard me. I said "open source".) "Embracing and extending" more security protocols? Couple all this with the DRM crack they're pushing and recent attempts to get into the BIOS (the stuff that tells your computer how to boot) business, and it's going to get real interesting.
I can hardly wait.
Friday, October 17, 2003
Shatter Attacks - How to break Windows
Wednesday, October 15, 2003
Might be worth the $15
Nonya-nonya-NON-YAAAAA...
Monday, October 13, 2003
Shift key bypass
Could it be that Microsoft lists it as a feature? (Look at the last shortcut before the first table.)
SunnComm would not only have to sue the Princeton student, they'd also have to sue Microsoft for engineering the workaround for SunnComm's security device.
D'oh!
Odd that SunnComm stated that they didn't want to be the one to stifle research. Some research.
Badgers? We don't need no stinkin' badgers!
Ever wonder where the book burners from the 50's went to? They went online.
Why am I saying this? I'm reading a lot of discussion concerning the "we gotta do something to fix this" movement where people are suggesting that "we" "fix" IRC, SMTP, and HTTP so that the miscreants can't abuse them anymore.
At face value, this might appear to be a good idea. But if you think about it, it's a horrible plan.
First, there's little wrong with the actual protocols. It's the software at the client end of the protocol that's (mostly) the problem, whether it be the horribly insecure mail client or the worm with the built-in IRC bot.
Second, adding features to a product rarely makes it more secure. The more complex a program is, the more likely it is to contain errors and/or exploitable "features" (not necessarily bugs).
Third, it smacks of vigilante justice, which I severely mistrust. (Ask me sometime about my coffee-drinking habit getting my 80-year-old grandmother in trouble with the church.)
Want to make the internet a safer place to work/play? Try a few of the following:
- Use a different mail client at home than you do at work. If possible, don't use Outlook/Outlook Express.
- For that matter, use a different OS (or at least a different version) than what you use at work.
- Use a different virus scanner at home than you do at work. Ideally, your work will use more than one scanner. Make sure to check for new signature updates on a daily basis.
- Use a firewall. If possible, more than one (e.g., use a software-based one on your computers along with the one in the four-port router). Ideally, your employer will use a corporate-grade firewall which hopefully has application proxies for most of the protocols used. In any case, configure your firewall(s) to only allow those protocols that you need to conduct business/pleasure. Turn off everything else.
- Learn how to read your log files. Why go to all the trouble of getting those neat security tools and then treat them like pretty toys?
- Learn how to read message headers. It will help when you're trying to figure out whether Aunt Milly actually sent you that infected message.
- Learn how to politely report incidents, whether they be spam, port scans, or viruses. Most ISPs will respond to effective and polite emails indicating that something is amiss in their networks. Be polite even when you're angry. Even if it hurts.
- Pick a computer news site, an anti-virus vendor's site, and a CERT site (there are lots of them). Visit each of those sites at least once a week and read the "new stuff". For the really adventurous, find an RSS feed aggregator and subscribe to a bunch of security-related feeds. (Personally, I like BlogLines, which is completely online, and if you ask nicely, I'll provide a list of the feeds I use.)
You don't have to do all of the above. Two is okay. It improves life for the rest of us just a little bit. Anyone else have any suggestions to add to the list?
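As an added example (not from the post) of reading headers to find out where a message really came from: Received: lines are stacked newest-first, and only the ones your own mail servers wrote can be trusted, so the trick is to find the lowest header your MX added and take the peer address from it; everything below that was written by the sending side and can say anything it likes. The message, the MX name mx.example.net and the addresses in it are constructed for the example.

```python
import email
import email.utils
import re

# Assumed for this example: the hosts whose Received: headers we added ourselves
# and therefore trust.
OUR_MX = {"mx.example.net"}

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"\(([\w.-]+)\s+\[")


def parse_received(value):
    """Pull HELO name, reverse-DNS name, peer IP and receiving host out of one header."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))
    rdns = RDNS_RE.search(m.group("rest"))
    return {"helo": m.group("helo"), "rdns": rdns.group(1) if rdns else None,
            "ip": ip.group(1) if ip else None, "by": m.group("by").rstrip(";").lower()}


def _in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def trace_origin(raw_message, our_mx=OUR_MX):
    """Walk Received: headers top-down (newest first) to the last one written by
    our own MX; that hop's peer IP is the only origin we can vouch for."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted_idx = [i for i, h in enumerate(hops) if h["by"] in our_mx]
    if not trusted_idx:
        raise ValueError("no Received header from our own MX; headers may be entirely forged")
    last = trusted_idx[-1]
    origin = hops[last]
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        "origin_rdns": origin["rdns"],
        "unverifiable_hops": [h["by"] for h in hops[last + 1:]],
        # A HELO/rDNS outside the From: domain is not proof of forgery (people do send
        # from their ISP), but it is the cue to look harder before blaming Aunt Milly.
        "origin_matches_from": _in_domain(origin["helo"], from_domain)
                               or _in_domain(origin["rdns"], from_domain),
    }


# Constructed sample, not a real message: a worm-sent mail wearing Aunt Milly's From:.
SAMPLE = """\
Received: from sobig-pc (dialup-45.pool.example.com [203.0.113.45])
\tby mx.example.net (Postfix) with SMTP id 4F2A1
\tfor <joat@example.net>; Sat, 11 Oct 2003 09:14:02 -0400
Received: from milly-pc (milly-pc.example.org [192.0.2.7])
\tby mail.example.org with ESMTP id abc123; Sat, 11 Oct 2003 09:13:50 -0400
From: "Aunt Milly" <milly@example.org>
To: joat@example.net
Subject: Re: Thank you!

Please see the attached file.
"""

if __name__ == "__main__":
    for key, value in trace_origin(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

origin_matches_from is a hint, not a verdict: Aunt Milly really might send through her ISP's dial-up pool. It is the cue to check whether she actually sent it before replying in anger, and the origin IP (not her address) is what goes to the abuse desk.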
Sunday, October 12, 2003
Security Forums Dot Com :: View topic - The Anonymity Tutorial
Hint: the only way to stay anonymous on the Internet is to stay off of it, forever (and that doesn't always work either)!
A good idea?
Offline
Friday, October 10, 2003
Mining for Gold in your Web Logs
Thursday, October 9, 2003
Michael Reynolds
Adjacent Overwrite Bugs
Buffer Overflows
Wednesday, October 8, 2003
Reverse Engineering Binaries
This is an exercise that only the very stubborn should attempt, as it's very difficult and (IMO) you'll never come up with the same result twice. An interesting read, though.
Users
I think I've found a graphic to go along with my rants about users (Thank you, Vowe.). Doesn't looking at them just make you all warm and fuzzy inside? (I'm going to ruin that.) The usual rant will probably go "See how happy they are? It's because they don't know any better." Consider yourself warned. (heh)
Blind SQL Injection
FIPS - 199
This is an extremely short document as government standards go, but it has far-reaching effects, as it sets a standard base terminology for categorizing information and the information systems that handle it. The short version of the document: every kind of data, and every system that stores or processes it, gets a rating for how badly a loss of confidentiality, integrity or availability would hurt the organization, its assets or individuals.
The acceptable format is:
SC(information type)={(confidentiality,impact),(integrity,impact),(availability,impact)}
where:
- "information type" is the kind of information (payroll records, public web content, etc.) or the information system being described, and
- "impact" is "low", "moderate" or "high". "N/A" is allowed only for the confidentiality of an information type (public data has nothing to keep secret); it's never allowed for integrity or availability, and never for a system.
A system's category is the high water mark across every information type it handles, and is never below "low".
You'll see this used in incident reports, acquisitions, etc. If you interface with government organizations in any way, start using this now. You'll be ahead of the game when its use becomes mandatory (December).
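The notation is easy to write by hand for one information type; the part people get wrong is rolling several up into a system category. The Python below is an added example for this page (not from the document) that validates the levels, prints the notation used above, and applies the high water mark rule. The inventory of information types is constructed.

```python
# Added example. The level names and the two rules encoded here (N/A only for the
# confidentiality of an information type; a system is categorized at the high water
# mark of its information types and never below LOW) are FIPS 199's own.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def sc(information_type, confidentiality, integrity, availability):
    """Build the security category of one information type, validating the rules."""
    cat = {"name": information_type}
    for obj, lvl in zip(OBJECTIVES, (confidentiality, integrity, availability)):
        lvl = lvl.strip().upper()
        if lvl not in LEVELS:
            raise ValueError(f"{information_type}: {obj} impact must be LOW, MODERATE, HIGH or N/A, not {lvl!r}")
        if lvl == "N/A" and obj != "confidentiality":
            raise ValueError(f"{information_type}: N/A is only allowed for confidentiality")
        cat[obj] = lvl
    return cat


def format_sc(cat):
    """Render as SC(type) = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    pairs = ", ".join(f"({obj}, {cat[obj]})" for obj in OBJECTIVES)
    return f"SC({cat['name']}) = {{{pairs}}}"


def categorize_system(system_name, info_types):
    """High water mark across every information type the system stores or processes."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    by_value = {v: k for k, v in LEVELS.items()}
    cat = {"name": system_name}
    for obj in OBJECTIVES:
        top = max(LEVELS[t[obj]] for t in info_types)
        cat[obj] = by_value[max(top, LEVELS["LOW"])]   # a system is never N/A or below LOW
    return cat


# Constructed example inventory for one public-facing web server.
INVENTORY = [
    sc("public web content", "N/A", "moderate", "moderate"),
    sc("customer contact records", "moderate", "moderate", "low"),
    sc("web server logs", "low", "low", "low"),
]

if __name__ == "__main__":
    for info_type in INVENTORY:
        print(format_sc(info_type))
    print(format_sc(categorize_system("public web server", INVENTORY)))
```

Note that the public content's N/A confidentiality does not drag the system down: the customer records set the confidentiality mark, and the system ends up MODERATE on all three objectives.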
IJK Best Practice Guide for Electronic Evidence
Tuesday, October 7, 2003
The noises in your head
SSH SecureID Authentication
Sunday, October 5, 2003
Occam's Boomerang
Back in the dark ages of history, Occam once posited "Throw that thing out there enough and, eventually, it'll come back and hit you in the head."
Okay, I'm making it up, but it's funny that an industry that makes money calling you doesn't want you to call them. Thank you Dave Barry!!
Side note: The ATA's website appears to be also down at this time, either from the Slashdot Effect or from angry telemarketing victims overloading it.
Geek swag
SCOTTeVEST specializes in garments with extra (lots!) pockets. They've even got a hat with two hidden pockets.
As someone who owns a vest capable of carrying enough tools to manufacture and punch down Cat-5 and polish fiber (including the heat block), I recommend having one (yeah, I know: geek!).
Exploiting Routers
MIT Courses
Saturday, October 4, 2003
Data Recovery and Hiding
DSniff Howto
Note: This is a discussion of the "good" uses of this/these tool(s). Too many are describing how to use these tools for "evil". We're all going to pay for that in the long run (in the form of overpowered laws, censorship, etc.). We'll end up with the equivalent of outlawing all hammers because a certain percentage of the population has bludgeoned a spouse to death with one.
Don't think so? It wasn't that long ago that legislating "responsible disclosure" was unheard of. Nowadays, there have been multiple attempts at it.
Using IPSec to improve security
But what's it used for?
Friday, October 3, 2003
Snort Install Manual
Transparent Proxy Howto
Thursday, October 2, 2003
Linux Security Guide
A good read even if you don't have or even plan to have a Linux system.
Installing plugins in Mozilla/Galeon
Ed Halley has written a collection of Red Hat Configuration HowTo's which includes one which explains how to get Java properly installed under Mozilla and Galeon.
And if you look closely at the options at the top, there's a link to getting Flash installed properly too.
Faster booting
A good read, especially if you're interested in what goes on in your start scripts.
Wednesday, October 1, 2003
The night of a thousand (okay, three) vents
Uh, sorry?
Inbred operating systems
Unfortunately, the human condition is predisposed to creating these environments. People tend to take the path of least resistance. Why trouble to "see the world" when you can marry "the girl next door"? It's easier to run the same operating system on your firewalls as you do on your workstations. It's easier to train your users to run the same word processor, whether it's unfriendly to every other WP or not.
@stake, whose origins were not exactly related to a business plan, "sold out" (IMO <-- for those litigious natures) long ago. Mr. Geer was fired because his opinions conflicted with someone in charge. (Hint: Companies don't have opinions. People do. He was fired because he angered someone with the power to do so.) (I hope he sues, because he was expressing concerns about a security issue while employed by a company which specializes in security.)
And before you put me down as being anti-MS, let me state that I'm not. Rather, list me as a member of the "best tool for the job" crowd. If you're running MS on your desktops, you'd better be running some version of commercial Unix on your firewalls and some other version of *nix on your NOC equipment. The larger your customer base is, the more important this is. Diverse network equipment, while requiring a wider talent base (read that as $$), is more resistant to inbreeding and failure in the long run.
[Oh and, yes, you can put me down as implying that point-and-click administrators have narrow family trees. Eventually it leads to "Hey, what's this button do?" and "Hey, watch this!" (Which leads to family-hour comedy shows. But that's another story.)]
Note: Philip Greenspun has a post on the same topic. I'm especially entertained that "ass ugly" is a logarithmic (Gaussian) scale and that the majority of system cases are a .05 deviation. [I wonder if he ever saw the attempt to sell cube-balanced-on-a-corner systems to self-styled power geeks [okay, posers!] (circa 1998).]
Don't make up your own definitions!
How do you prevent your network from getting the Welchia worm a month after the patch is issued? INSTALL THE PATCH, DAMMIT!
Using the "we're safe, we have a firewall" as a network defense either means you're severely deluded or you have no users on your network. And any previous reference you've made to "defense in depth" or having a secure network compounds your problem, making you look like an *ss.
Forgotten techniques?
Why do I have this near-irresistible urge to go into my point-and-click administrators rant? Or to tie someone to a chair and force them to watch "War Games" in an unending loop?
Monday, September 29, 2003
Sniffers
Turns out Black Sheep Networks has an awesome collection of links, mostly security-related (hint: click on security in the main menu).
Sunday, September 28, 2003
Tweaks
Changes so far:
- Comments displayed on the main page (I think I've got it tweaked to where I want it.)
- Trackbacks listed on the main page (requires more cosmetic tweaking)
- Removal of the IM feature (never got much use)
- Removal of the BlogSnob stuff
- Added a couple buttons on the left
Under consideration:
- Removal of links not directly related to blog.
- Coming up with my own version of BlogRolls (why pay for something when you can write your own?)(I'm getting better with PHP!)
- "fixing" the boxes around each entry (a few complaints about same)
- making my aggregators available (I use 3 from various locations during the week)
- Embedding a couple blogs in columns 1 or 3 for use as sidebars
I can "put back" anything if anyone wants (complain loudly!!).
WRT54G
I'm going to abuse the 24x7 customer support line this afternoon. I'll keep you posted.
Saturday, September 27, 2003
Stealth Management of IPTables
Although it's not "port knocking", it's close and gives a good idea of possible capabilities for both methods. In either case, it can be used for good or evil.
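As an added example of the "good" side of this (not code from the post or the linked article), here is the detection half of a knock sequence: given iptables LOG lines for SYNs to the knock ports, a per-source state machine decides who completed the sequence in order and in time, and who merely poked at it. The KNOCK: log prefix, the 7000/8000/9000 sequence, the ten-second window and the sample lines are all assumptions constructed for the example.

```python
import re
from datetime import datetime

# Assumed for this example: the firewall logs SYNs to the knock ports with the
# prefix "KNOCK:" (iptables -j LOG --log-prefix "KNOCK: "), the sequence is
# 7000, 8000, 9000, and the whole sequence must arrive within KNOCK_WINDOW seconds.
SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10
LOG_YEAR = 2003  # syslog lines carry no year
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: KNOCK: "
                     r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source IP, destination port) for a KNOCK: line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def replay_knocks(lines, sequence=SEQUENCE, window=KNOCK_WINDOW):
    """Replay the log through a per-source state machine. Returns the sources that
    completed the sequence (with the time they did) and every source that tried."""
    state = {}          # src -> (next index into sequence, time of first knock)
    opened, attempted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, src, port = parsed
        attempted.add(src)
        idx, started = state.get(src, (0, ts))
        if idx and (ts - started).total_seconds() > window:
            idx = 0                                   # too slow: start over
        if port == sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == sequence[0] else 0    # wrong port: reset (or restart)
        if idx == 1:
            started = ts
        if idx == len(sequence):
            opened.append((src, ts))
            idx = 0
        state[src] = (idx, started)
    return {"opened": opened, "attempted": attempted}


# Constructed log lines (not captured from a real firewall): one correct sequence,
# one out-of-order attempt, one that is in order but too slow, and an unrelated DROP.
SAMPLE_LOG = """\
Sep 27 10:01:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=7000 SYN
Sep 27 10:01:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=8000 SYN
Sep 27 10:01:04 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=9000 SYN
Sep 27 10:01:05 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=7000 SYN
Sep 27 10:01:06 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=9000 SYN
Sep 27 10:01:07 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 27 10:02:30 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=7000 SYN
Sep 27 10:02:50 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=8000 SYN
Sep 27 10:02:51 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=9000 SYN
""".splitlines()

if __name__ == "__main__":
    result = replay_knocks(SAMPLE_LOG)
    for src, ts in result["opened"]:
        print(f"{src} completed the sequence at {ts:%H:%M:%S}")
    print("sources that knocked at all:", sorted(result["attempted"]))
```

Run the same thing over your own logs with the real sequence and you also get the "evil" view: a replayed knock from a sniffed sequence shows up as a second source opening the door, which is why a static sequence over plain TCP is at best a thin layer in front of a properly authenticated service.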
Denial of Service Attacks
Thursday, September 25, 2003
E-mail Bombing and Spamming
Caution When Reading E-mail
CERT.org has a decent article explaining the hazards of (and precautions for) reading e-mail with attachments.
How ISPs trace the source of Spoofed DoS attacks
Not real in-depth but gives a good idea of how it's done.
Tuesday, September 23, 2003
Non-HTML Popup spam
Monday, September 22, 2003
Serv-U Analysis
The Serv-U FTP server hack seems to be (in my experience) the most widely used hack. It's how all those IRC DCC file servers get set up for the #warez and #movie channels. They're not real hard to clean up after, but they can be an embarrassment to whomever was responsible for network security in the first place (school had this, bad!).
Sunday, September 21, 2003
Linux for the very paranoid
Tinfoil Hat Linux is a single-floppy Linux distribution for the paranoid on the go. It will allow you to boot Linux on just about any machine, grab your encrypted e-mail, read it, send replies, and move on, leaving little or no trace.
Useful if you're that paranoid person, yet another hard-to-trace problem if you're a network admin type.
We're back
Anyways, back to the blog...
Did I miss anything while I was offline?
Idiot's Guide to Network Analysis
Tuesday, September 16, 2003
Monday, September 15, 2003
The Red Scare
Sunday, September 14, 2003
Scan for DCOM II vulnerability
Uh oh
Isabel is due to pass directly overhead sometime late Thursday so if I don't post for awhile (or if the server goes away entirely), you'll know why.
With the exception of one bad storm in the 80's, this area has dodged the bullet, more or less, for over 30 years. Local wisdom has said that we average one bad one every 15 years or so.
Me? I've been here, off and on, since '81. During the storm in '84 (I think), my property consisted of one motorcycle which I had to spend a month cleaning as it spent the storm in a parking lot approx. 100 yards from the beach (I had no chance to move it.)
After the storm, it was exactly where I left it but I spent the next month cleaning salt out of it (and the leather was ruined).
Nowadays I have a house, two vehicles, and a panicky wife. There's a good chance that my job will require me to "ride it out". I still want my wife and teenager(s) (ask me sometime), out of town.
Wish me luck.
Googlephilia
I don't see much chance for improvement though. #1 is my blog. (heh)
Saturday, September 13, 2003
More on the worms
Just a couple worm-related things
In the ongoing battle to detect customers' infected machines, I've come across an interesting bit: any machine infected with the Welchia/Nachi worm is left running an open TFTP server. "Open" in that it will accept any file you hand it.
I still don't know if I'm limited to a folder or if I can put it anywhere I want or pull any file I want. I'm going to have to dig out the old VMWare and try it out, I guess.
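To check a customer's machine for the open TFTP server without guessing, the following Python (an added example, not from the post) builds RFC 1350 read and write requests, parses the first reply, and turns it into a verdict. The write probe really does create a file on the target, so use it only on machines you are responsible for; the file name, the port and the verdict strings are this example's own.

```python
import socket
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
ERROR_CODES = {0: "not defined", 1: "file not found", 2: "access violation",
               3: "disk full", 4: "illegal operation", 5: "unknown transfer ID",
               6: "file already exists", 7: "no such user"}

VERDICT_SERVES = "open: serves files"
VERDICT_WRITABLE = "open: accepts uploads"
VERDICT_REFUSED = "tftp present but refused request"
VERDICT_ODD = "unexpected reply"


def build_request(opcode, filename, mode="octet"):
    """RRQ (1) or WRQ (2): opcode, filename, NUL, mode, NUL (RFC 1350)."""
    if opcode not in (1, 2):
        raise ValueError("opcode must be 1 (RRQ) or 2 (WRQ)")
    return struct.pack(">H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_reply(pkt):
    """Return (kind, number, payload): DATA block, ACK block, ERROR code, or OACK."""
    if len(pkt) < 2:
        raise ValueError("short packet")
    op = struct.unpack(">H", pkt[:2])[0]
    if op in (3, 4, 5):
        if len(pkt) < 4:
            raise ValueError("short packet")
        num = struct.unpack(">H", pkt[2:4])[0]
        if op == 3:
            return "DATA", num, pkt[4:]
        if op == 4:
            return "ACK", num, b""
        return "ERROR", num, pkt[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
    if op == 6:
        return "OACK", 0, pkt[2:]
    raise ValueError(f"unexpected opcode {op}")


def classify(reply, request_opcode):
    """What the first reply to our RRQ/WRQ says about the server."""
    kind, num, payload = reply
    if request_opcode == 1 and kind in ("DATA", "OACK"):
        return VERDICT_SERVES
    if request_opcode == 2 and (kind == "OACK" or (kind == "ACK" and num == 0)):
        return VERDICT_WRITABLE
    if kind == "ERROR":
        return f"{VERDICT_REFUSED} ({ERROR_CODES.get(num, num)}: {payload})"
    return VERDICT_ODD


def probe(host, port=69, filename="joat-probe.txt", write=False, timeout=2.0):
    """Send one RRQ (or, if write=True, a WRQ, which will create a file on the
    target) and classify the first reply. Network; not exercised offline."""
    opcode = 2 if write else 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(opcode, filename), (host, port))
        try:
            data, peer = s.recvfrom(65536)
        except socket.timeout:
            return "no reply (closed, filtered, or not TFTP)"
        reply = parse_reply(data)
        kind, num, _ = reply
        # Be tidy: acknowledge a DATA block, or abort a WRQ so the server stops retrying.
        if kind == "DATA":
            s.sendto(struct.pack(">HH", 4, num), peer)
        elif kind in ("ACK", "OACK") and opcode == 2:
            s.sendto(struct.pack(">HH", 5, 0) + b"probe aborted\x00", peer)
    return classify(reply, opcode)
```

A DATA or OACK reply to the read request means it serves files; an ACK of block 0 to the write request is the "accepts any file you hand it" behaviour noted above. Trying a second write with a different file name answers the folder question without any further tooling, and scanning a customer block for UDP 69 answering RRQs is a cheap way to find infected machines that your IDS missed.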
Friday, September 12, 2003
Learn how to count
This moron over at The Globe and Mail seems to think that Microsoft doesn't have the "most hacked" title. Someone want to clue him in that most "hacks" for MS are so easy that they've been automated and turned into viruses and worms? (A worm which leaves a backdoor for remote access might be called an "automated break-in"?)
Why am I angry? How about THREE WEEKS of dealing with Welchia/Blaster/SoBig and its side effects? (with, quite possibly, more to come)
Faugh on marketing twisters!
Apologies
Those responsible have been sacked and the moose is feeling much better now.