Wednesday, December 31, 2003

Wiki entries

Added a few entries to the Security portion of the Wiki.

Pity this guy?

Does anyone feel sorry that Alan now has to spend money to build an actual opt-out server?

Put me on the not list as I receive 20-30 legitimate messages per day which makes up less than 10% of the total volume. Thanks to various people for writing Procmail, SpamAssassin, SpamBayes, and various virus scanners.

Scraped from Slashdot.

Tuesday, December 30, 2003

OpenSSL and FIPS 140

This is a cool development as OpenSSL is behind most *nix-based Apache servers (using HTTPS, that is), SSH, and a variety of VPN's. Nice to see that someone is seeing that open source code is getting tested and certified.

Thanks to SilverStr for the pointer!

Monday, December 29, 2003

Pooning

I don't think the term "'pooning" will ever catch on (too much 60's era sexual connotation?), but I do like Jim Moore's description of piggy-backing on someone else's fame (or verbosity). It's very similar to what the blog spammers are doing: getting higher search engine ratings by "pooning" onto other websites "in the stream".

Oh, and BTW, I have a copy of the book on my shelf.

Sunday, December 28, 2003

VLAN Insecurity

Odd how these things pop up around the time I get to talk about them at work. Bowulf has a pointer to a discussion about VLAN Insecurity.

I said it before and I'll say it again here: VLAN's are a network traffic management tool, NOT a security tool!!!

Saturday, December 27, 2003

Wardriving

From Jeremy's linkblog: WarDriving.com.

Includes a howto and a listing of required hardware/software.

Friday, December 26, 2003

No Op

I've been offline for a few days, rebuilding my home system. One of my Christmas presents was a new hard drive, which I seriously needed. The previous 6 year-old drive would no longer boot into windows. Luckily it would still boot into *nix's so I didn't lose that much data. (I did suffer from a prolonged "Generals" withdrawal, though.)

Anyways, I've backfilled the last few days and will settle down to work on a serious back-log of posts.

Merry Christmas, y'all!

Thursday, December 25, 2003

The Achilles heel to most networks

Bowulf recently blogged "Weak auditing and monitoring - the Achilles heel to most networks" which was about a VUNet article which discussed the common practice of ignoring your logs unless you're trying to backtrack an incident.

I agree with Bowulf, at least in part. You also have to have logging enabled. If you're working in a NOC, that also means router logs (that's syslog servers, not the dinky space for logging in router memory!). For those networks which aren't allowed to enforce a decent firewall policy, you also need to log high-port to high-port traffic which is where most of your shady-stuff (unauthorized/covert channels, P2P, backdoors, etc.) happens.

I disagree with Bowulf in that logging isn't the sole action you need to take. Closely related to logging is taking and maintaining metrics. Good metrics support the cliche "a picture is worth a thousand words". If you're watching your network metrics, you learn to recognize "normal" network activity and "abnormal" network activity.

One example of this is e-mail metrics. You cannot read every message that passes through your mail servers. However, if you graph your metrics properly, you should be able to recognize the spread of a new virus within 5-15 minutes of the initial spread (depending on how often your graphs are updated). While it won't block the new infection (usually nothing will), it does allow you to react quickly enough to minimize the damage and protect the rest of your network.

Maybe a good rule-of-thumb is to maintain metrics on your normal traffic (web, email, etc.) and regularly filter your logs for the abnormal traffic?

Thoughts/ideas/comments/flames?
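To make the metrics idea concrete, here is an added example (my own code, not anything from the original post or from the tools it names) that does the e-mail part in a few dozen lines: count inbound messages per five-minute interval, use the preceding intervals as the "normal" baseline, flag an interval that jumps well above it, and list the attachment names that dominate the flagged interval. The log line format is a constructed, hypothetical one, and the sample log is generated inline; on a real mail server you would replace `parse_line` with a parser for your MTA's log format and feed the counts to whatever draws your graphs.

```python
"""Mail-volume metrics: per-interval counts, trailing baseline, spike alert.

Added example, not from the original post. Log format is constructed:
    <ISO timestamp> <direction> from=<addr> to=<addr> attach=<name|->
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

INTERVAL_MINUTES = 5


def parse_line(line):
    """Split one constructed log line into (timestamp, direction, fields)."""
    ts, direction, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), direction, fields


def bucket(ts, minutes=INTERVAL_MINUTES):
    """Floor a timestamp to the start of its interval (the graph's x-axis step)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def count_per_interval(lines):
    """Messages per interval, plus attachment-name counts per interval."""
    counts = Counter()
    attachments = defaultdict(Counter)
    for line in lines:
        ts, _direction, fields = parse_line(line)
        slot = bucket(ts)
        counts[slot] += 1
        if fields.get("attach", "-") != "-":
            attachments[slot][fields["attach"]] += 1
    return counts, attachments


def find_anomalies(counts, baseline_windows=6, k=3.0):
    """Flag intervals whose count exceeds mean + k*stddev of the preceding
    `baseline_windows` intervals. A trailing baseline lets "normal" drift with
    the day; the stddev floor of 1 keeps a perfectly flat baseline from
    alerting on a change of a single message."""
    slots = sorted(counts)
    alerts = []
    for i in range(baseline_windows, len(slots)):
        history = [counts[s] for s in slots[i - baseline_windows:i]]
        threshold = mean(history) + k * max(pstdev(history), 1.0)
        if counts[slots[i]] > threshold:
            alerts.append((slots[i], counts[slots[i]], round(threshold, 1)))
    return alerts


def analyse(lines, top_n=3):
    """Anomalous intervals with the attachment names that dominate them."""
    counts, attachments = count_per_interval(lines)
    return [
        {"interval": slot.isoformat(), "count": n, "threshold": thr,
         "attachments": attachments[slot].most_common(top_n)}
        for slot, n, thr in find_anomalies(counts)
    ]


def build_sample_log():
    """Constructed sample: about four inbound messages per five minutes from
    08:00 to 08:55, then forty messages in the 09:00 slot all carrying the
    same attachment name (a hypothetical mass-mailer)."""
    lines = []
    start = datetime(2003, 11, 30, 8, 0, 0)
    for i in range(12):
        for j in range(4):
            t = start + timedelta(minutes=5 * i, seconds=60 * j + 7)
            lines.append(f"{t.isoformat()} in from=user{j}@example.org "
                         f"to=joat@example.net attach=-")
    burst = start + timedelta(minutes=60)
    for j in range(40):
        t = burst + timedelta(seconds=7 * j)
        lines.append(f"{t.isoformat()} in from=host{j}@example.com "
                     f"to=joat@example.net attach=invoice.pif")
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

The trailing baseline is the design choice worth noting: a fixed threshold would either page you every Monday morning or miss a slow-starting outbreak, whereas "compared with the last half hour" is roughly what your eye does on a graph. The attachment-name breakdown is what turns "volume spiked" into "volume spiked and it's all `invoice.pif`", which is the fact you need to write a gateway filter rule while the vendor signature is still hours away.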

Wednesday, December 24, 2003

IE bug used in scam

A little while ago, I blogged about the IE bug. Its use has now been noted in a Visa scam.

Tuesday, December 23, 2003

No op

Just noticed that that's two posts with trackback URL's to the Lost Olive that have failed to register. Looks like I'm gonna have the hood up on this thing over the long weekend.

Apologies to Kevin for the missed links.

Jabber XCP review

Kevin, over at The Lost Olive, has a pointer to a SysAdmin review of Jabber XCP.

Jabber's XML-based communications have been around for quite awhile. The protocol is open source and there are quite a few tools to work with it. At one point, I'd even adapted it to send Instant Messages to all NOC personnel if a router interface or a service went down.

InfoSec Pubs

Okay, I'm not shy about reciprocal blogging: Kevin added a list of InfoSec pubs to go with the recently blogged Firewall FAQ.

Monday, December 22, 2003

Another Day in the Life of...

Ooh... The security monkey is back! He's posted The Case of the Heartless Husband - Part 1.

Okay, so I'm descended from a long line of soap addicts.

Blosxom

I've been spending the last few days playing around with Blosxom. I've been experimenting with various blogs and wikis and seem to like Blosxom the most. Notice that I didn't mention MT? The reason is that it's for a business and the licensing fee is a bit high for the moment. My personal preferences for the ones I've tried (at least 10 so far) is Blosxom, followed closely by Drupal.

Got any favorites you want to suggest for a *nix-based server?

Sunday, December 21, 2003

More Online Learning

More online learning sites.

Firewall FAQ

Robert Graham has been involved with network security for years. One of the nice things about his site is that he is very prolific about posting items on his website. For example: the Firewall Forensics FAQ.

Saturday, December 20, 2003

Freenet

Kevin posted about the Freenet Project. Like all other tools, it's a good tool for end-users, a nightmare for you if you're responsible for a business network.

Friday, December 19, 2003

DCE RPC Vulnerabilities New Attack Vectors Analysis

HNS has a paper entitled "DCE RPC Vulnerabilities New Attack Vectors Analysis" which describes how the RPC vulnerabilities might be combined to form an even worse worm.

Cyberthugs

Okay, I'll admit to scraping it from Slashdot.

Freep has an article about what your high-tech kids put up with in school.

Banking Scam Revealed

These people went the extra mile in backtracking spam-based fraud and discovered a criminal enterprise.

Thursday, December 18, 2003

NIST posts security control guidelines for comment

There's still about six weeks left to make comment to the proposed standards for "Minimum Security Controls for Federal Information Systems" (re: the Federal Information Systems Management Act [FISMA]). Get to it by clicking through "NIST posts security control guidelines for comment".

Data Forensics

Linux Security has a decent article on "data forensics".

Uh Oh II

Oh... My... Gawd!

http://www.microsoft.com

If you get the joke, get your d*mn browser fixed!

Tuesday, December 16, 2003

How not to program in PHP

Linux Security has an article entitled "How Not to Program in PHP" which discusses the need for filtering user input.

Hint: ignoring this while programming allows cross-site scripting and SQL injection. Not a good thing.

Outlook mebbe-funny

Evidently this requires a bit of work to be funny. Sent it to three of my coworkers and had to point the "jab" out. Seems that most people focus on the body of the message and ignore all else.

PostScript Tutorial

Found this Postscript tutorial while perusing Life in Postscript to which I'd followed a link from TaoSecurity.

Monday, December 15, 2003

Microsoft releases network port info

SilverStr almost always has pointers to good stuff. This one is no different: Microsoft has released a list of ports used by its various software.

Help Net Security - Attacking the DNS Protocol

HNS has a pointer to a paper which explains various attacks on the DNS protocol.

ADS's (not ad's)

CarvDawg has a paper out on alternate data streams in NTFS entitled "The Dark Side of NTFS" which gives the basic theory behind (and how to create/detect) ADS's.

Sunday, December 14, 2003

The Anatomy of Cross Site Scripting

SilverStr has a pointer to a paper entitled "The Anatomy of Cross Site Scripting" which explains the basic theory.

Stubborn Ignorance

Yep! Another rant. This one is about the Internet... errr... a portion of the Internet. Specifically, those who built their corner of the virtual world while ignoring RFC's.

RFC's are the agreed upon standards by which the "community" is defined. Think of it as the charter for your local government. Protocols (languages) are agreed upon. Responsibilities are defined.

One shortcoming is that there is no requirement to comply. This allows organizations and individuals to do horrible, aggressive and/or stupid things via the Internet without reprisal. Examples: long distance Outlook-Exchange connections, MS's perversion of the Kerberos protocol, long distance NetBIOS, long distance Telnet/FTP/POP3/IMAP, just about any proprietary encryption scheme, and 90% of the e-mail domains.

For the Internet-based violations, here's a site called "RFC Ignorant", which tracks the stubbornly ignorant.

The Art of Unix Programming

Eric Raymond has made available an online version of "The Art of Unix Programming".

Saturday, December 13, 2003

More celebrity teaching...

Last week I blogged about Britney Spear's Guide to Semi-Conductor Physics. There's more celebrities teaching Cisco-related stuff over at RouterGod.

Help Net Security - Attacking the DNS Protocol

HelpNet Security has an article about "Attacking the DNS Protocol". It has a few cosmetic errors but, all-in-all, gives a good description about the DNS service and attacks against it.

Thursday, December 11, 2003

Wednesday, December 10, 2003

Tuesday, December 9, 2003

FWTK

For better or worse, I've declared the FWTK paper done. Barring small changes to correct errors, consider it in its final form.

For those new to the game, FWTK is the Firewall Toolkit, one of the first application proxies written 20 years ago. Amazingly, it's still usable. Combining it with other technologies (SOCKS, ipfw, iptables, Squid, other proxies/packet filters) allows you to build a workable firewall for just about any *nix flavor, including a Mac version.

If you care to read it, click on the Wiki link above and scroll down to the Security section. Let me know what you think?

Monday, December 8, 2003

Anonymous Blogging

It was bound to happen. We've got anonymous e-mail forwarding and anonymous Usenet posting. Now we have anonymous blogging, this instance using GPG and the MixMaster anonymous e-mailer network.

Early Warning!!: If you manage a corporate network, you may want to consider blocking this, both for sending (if it's possible) and for reading. There's some pretty unsavory blogs over there (people abusing the service mostly). The hosts state in their FAQ that if they receive a court order, they will turn you in if you're doing something illegal.

Saturday, December 6, 2003

Am not! Are to!

I've lost a "fanboy" from being too abusive?

It seems that beaumonday thinks I pick on Microsoft too much. Actually, if you read REAL close, I pick on everyone who thinks that any one operating system is the way to go. (Do I need to repost my point-and-click administrator rant again?) I'm a firm believer in the-best-tool-for-the-job and know-the-technology-behind-the-gui.

I provide a lengthy response.

Just so I can alienate everyone and level the playing field, out of the box:
  • Microsoft Windows is insecure
  • Linux is insecure
  • Unix (SunOS, BSD, Irix, AIX, Xenix, etc) is insecure
  • Cisco/Foundry/Bay/etc. is insecure
  • Novell has problems (actually, they had the highest rating by the gov't prior to adding in IP capabilities)
  • and the OS that you may be writing has *SERIOUS* problems.


However, when used in conjunction, they can provide a very secure network for your users.

Lotsa Links

There's tons of forensic evidence links at e-Evidence.com.

Friday, December 5, 2003

Spidering hacks

Raelity Bytes has a link to some pretty cool spidering hacks.

E tu Brute?

Expect intellectual property law suits from Microsoft soon.

So, did the stock purchase include training on how to sue for money? Probably not but this sort of thing can turn nasty and unproductive.

Thursday, December 4, 2003

Free education

Not sure where I found this originally but there's a lot of good stuff to dig out of it: "Free Computer & IT Training and Tutorials". On their main page, you can sign up for their newsletter so that you can be notified when new stuff is discovered.

Wednesday, December 3, 2003

Britney Spear's Guide to Semi-conductor Physics

Think this woman is capable of teaching you anything?
How about semi-conductor physics? (Yet another attempt by those-with-too-much-time-on-their-hands to use sex to teach the less-willing-to-learn.)
But it's funny anyways. The "Booble" search engine is interesting also. (Hint: click on the "Search Britney Space" radio button)

Tuesday, December 2, 2003

Sunday, November 30, 2003

And the award for Stupid Idea of the Year goes to....

Okay, call me a cynic for continuously whining about these things but I seriously believe that this is an extremely bad idea. Seems that John Str

Anti-honeypot Tool

Read about this on the Honeypots Mailing List...

Seems that the spammers are developing tools of their own. First the anti-spammer groups set up honeypots whose objective was to tie up and/or detect spam sources. The spammers have responded with "Send-Safe", a honeypot hunter.

I especially like the wording of the product description:

Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called "honey pots". "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.

"Attempting to frame bulkers" indeed. If you're using resources other than your own to spam the planet, there's a problem. "Attempting to frame bulkers" gives the impression that you have a legitimate right to other people's systems. That phrase should read "Attempt to catch resource thieves". If I catch you using mine, I'm going to do my darndest to make your life hell.

Funny part about it is that they want $299.00 for the program. Must be no honor amongst thieves?

How to file a complaint

Normally I just filter and delete the spam but I've received a particularly distasteful one (Brazilian kiddie porn) which I'm going to file a complaint about. You can follow along as I whine to customer support about a message entitled "joat, welcome to Ped0Wor1d ayuGYoaf".

First, we need to take a look at the message header. Other than changing my account name (to block account scrapers), the header is as-is from the message.


Return-Path: 
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
    for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
  (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
for
; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
Subject: joat, welcome to Ped0Wor1d ayuGYoaf
To: joat
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=2.1 required=3.0
tests=BIG_FONT,CTYPE_JUST_HTML,HTML_FONT_COLOR_BLUE,
HTML_FONT_COLOR_MAGENTA,HTML_FONT_COLOR_NAME,IN_REP_TO,
NO_REAL_NAME,REFERENCES,SPAM_PHRASE_00_01, TO_LOCALPART_EQ_REAL version=2.44
X-Spam-Level: **
X-Spambayes-Classification: ham; 0.07

Notice the two "Received:" lines.


Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
    for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
  (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
for
; Sat, 29 Nov 2003 21:32:16 -0500

Unless one or more of them have been badly forged, "Received:" lines are normally in reverse chronological order. When backtracing spam, you work in the same order, verifying each line until you reach the line that doesn't "read" correctly. Since there are only two lines in this instance, it is very easy to trace this one back to its source.

The first "Received:" line is a normal entry, generated by my instance of fetchmail.

Right away, the second line has an error in it that sticks out: it's not from the domain it claims to be from (CompuServe). Rather, Cox's mail server recorded an IP of 12.229.105.222 as making the connection. It's also significant that the "Return-Path:" address is not CompuServe either.

Finally, the lack of any other "Received:" line is also significant. Normally you would have a client-to-server entry followed by a server-to-Cox-server entry to show that the mail was generated by a mail client and uploaded to the sender's mail server before that server "talked" to Cox. (Too confusing?)

What this means is that a program connected directly to Cox's mail server to generate the mail. In other words, a non-MTA program connected to port 25 on Cox's mail server and "typed the message directly onto the server". This is a technique that system administrators use in troubleshooting mail delivery. Anyone know of spammer programs that use mail lists, do MX lookups, and connect directly to the applicable mail servers?

Anyways, we can still trust most of the second line. Except for "from compuserve.com", the line is generated by the Cox mail server. The IP address is significant in that a reverse lookup reveals that it's an ATT IP address:

$ nslookup 12.229.105.222
222.105.229.12.in-addr.arpa name = 12-229-105-222.client.attbi.com.

Note that if you don't have "nslookup" or "whois", SamSpade.org has a nice web-based version.

A WHOIS lookup returns the following:

$ whois 12.229.105.222
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Comcast Corporation COMCAST-12-229-96-0-WASHINGTON (NET-12-229-96-0-1)
12.229.96.0 - 12.229.127.255


This indicates that while AT&T owns the IP address, they "sublet" the chunk which our suspect IP belongs to to Comcast Corporation. Note the "NET-12-229-96-0-1" in parentheses. We can do another WHOIS lookup on this to get:

$ whois NET-12-229-96-0-1

CustName: Comcast Corporation
Address: 1500 Market Street
City: Philadelphia
StateProv: PA
PostalCode: 19102
Country: US
RegDate: 2003-10-10
Updated: 2003-10-10

NetRange: 12.229.96.0 - 12.229.127.255
CIDR: 12.229.96.0/19
NetName: COMCAST-12-229-96-0-WASHINGTON
NetHandle: NET-12-229-96-0-1
Parent: NET-12-0-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-10-10
Updated: 2003-10-10

TechHandle: DK71-ARIN
TechName: Kostick, Deirdre
TechPhone: +1-919-319-8249
TechEmail: help@ip.att.net

OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: abuse@att.net

OrgTechHandle: ICC-ARIN
OrgTechName: IP Customer Care
OrgTechPhone: +1-888-613-6330
OrgTechEmail: qhoang@att.com

OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone: +1-888-613-6330
OrgTechEmail: swipid@nipaweb.vip.att.net


This gives us the address to send our complaint to: "abuse@att.net".
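The walk above (read the "Received:" lines top-down, stop at the last one written by a server you trust, compare what the sender announced with what that server recorded, check the Return-Path against it, note whether any upstream hop exists, then chase the WHOIS allocation to an abuse contact) is mechanical enough to script. What follows is an added example of my own, not code from the post or from any tool it mentions. The header is constructed from the excerpt above, with the message id and recipient that the excerpt truncates replaced by placeholders; the reverse-DNS and WHOIS answers are passed in as dicts (the entries for 12.229.105.222 copy the lookups shown above, the parent block's contact is a placeholder) so that it runs offline. On a live system you would fill those dicts from real PTR and WHOIS queries.

```python
"""Walk a Received: chain top-down and note what does not add up.

Added example, not the post's own code. Header and lookup tables are
constructed (see comments); no network access is made.
"""
import ipaddress
import re
from email import message_from_string

# Constructed header modelled on the post's excerpt; ID-PLACEHOLDER and the
# "for <...>" recipient stand in for the parts the excerpt truncates.
SAMPLE_HEADER = """\
Return-Path: <mrg@simplewire.com>
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
    for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
  (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id ID-PLACEHOLDER
  for <joat@localhost>; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
Subject: constructed sample
To: joat

"""

# Servers whose Received: lines we trust: our own box and our ISP's mail servers.
TRUSTED_BY = ("localhost", "cox.net")
# Pre-resolved lookups. The /19 contact and the PTR copy the post's output;
# the /8 contact is a placeholder for the parent allocation.
RDNS = {"12.229.105.222": "12-229-105-222.client.attbi.com"}
WHOIS_ABUSE = {"12.0.0.0/8": "parent-abuse@example.invalid",
               "12.229.96.0/19": "abuse@att.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                  # name the sender announced
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"      # IP the receiver recorded
    r"\s+by\s+(?P<by>\S+)"                                    # server that wrote the line
    r".*?;\s*(?P<date>.+)$",
    re.DOTALL,
)


def parse_received(header_text):
    """Return the hops most-recent first, exactly as they appear in the header."""
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(raw.split()))   # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def domain_of(name):
    """Last two labels of a host or address; fine here, real code would use
    the public suffix list."""
    name = name.strip("<>").split("@")[-1].strip(".").lower()
    return ".".join(name.split(".")[-2:])


def written_by_trusted(by, trusted):
    return any(by == t or by.endswith("." + t) for t in trusted)


def abuse_contact(ip, table):
    """Most specific allocation containing ip, like chasing the NET-...-1 handle."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, contact in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def analyse_chain(header_text, trusted_by=TRUSTED_BY, rdns=RDNS, whois=WHOIS_ABUSE):
    hops = parse_received(header_text)
    msg = message_from_string(header_text)
    # Walk down while the line was written by a server we trust; the last such
    # line is the handoff from the outside world and the only IP we can rely on.
    handoff_idx = None
    for i, hop in enumerate(hops):
        if not written_by_trusted(hop["by"], trusted_by):
            break
        handoff_idx = i
    if handoff_idx is None:
        return {"findings": ["no Received: line written by a trusted server"]}
    hop = hops[handoff_idx]
    ip, helo = hop["ip"], hop["helo"]
    findings = []
    ptr = rdns.get(ip) if ip else None
    if ip and ptr is None:
        findings.append(f"{ip} has no PTR record")
    elif ip and domain_of(ptr) != domain_of(helo):
        findings.append(f"announced {helo} but {ip} reverses to {ptr}")
    return_path = msg.get("Return-Path", "")
    if return_path and domain_of(return_path) != domain_of(helo):
        findings.append(f"Return-Path {return_path} does not match announced host {helo}")
    direct = handoff_idx == len(hops) - 1      # nothing upstream of the handoff
    if direct:
        findings.append(f"no upstream Received: line: {ip or helo} spoke SMTP directly to {hop['by']}")
    return {"handoff_ip": ip, "announced": helo, "ptr": ptr, "direct_to_mx": direct,
            "findings": findings, "abuse_contact": abuse_contact(ip, whois) if ip else None}


if __name__ == "__main__":
    for line in analyse_chain(SAMPLE_HEADER)["findings"]:
        print("-", line)
```

The one rule the script never breaks is the one the post states: only the lines written by servers you control or whose logs you trust count as evidence, so the walk stops at the first "by" host outside that list and everything below it is treated as hearsay. The three findings it produces for the sample header are the three points in the complaint text that follows.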

The trick to filing a complaint of this type is to be polite and to present all of the facts (as we've done above). It's also a good idea to provide the original message, with headers, as an attachment to the complaint. You also want to give the ISP an "out" in this case as it may be a hacked box on the far end.

The wording of my complaint (which I've just sent):

To whom it may concern,

Please forward the following to your Abuse and Security departments.

Please find attached an unsolicited (and particularly distasteful) pornographic e-mail advertisement (porn spam) that showed up in my in box. Various things about the headers are notable:

1) The "Return-Path", the source IP, and the source hostname all conflict. That is: "mrg@simplewire.com", "compuserve.com", and "12.229.105.222" respectively.
2) There are no other "Received:" lines other than the one generated by my Fetchmail utility (which I will vouch for the accuracy of) and the one generated by my ISP's (Cox) mailserver. This is indicative of a program connecting directly to Cox's mail server.

The IP recorded by Cox's mail server belongs to one of your customers. Please determine whether the user at that IP is running a spamming program or if it has been compromised by a trojan or worm which allows spammers to use it in a similar manner.

Respectfully,


One side "thought" generated by all of this. When the new federal anti-spam law goes into effect, there's going to be some trouble. There's a strong possibility that this source IP is infected with something similar to the Jeem trojan, which allows for remote control spamming. Given that law enforcement is in a constant game of technological "catch-up" with hackers/spammers, I hope they learn how to read and interpret message headers before throwing some poor church-going Granny in the slammer for spamming the planet with "l33t pr0n".

IPSec Troubleshooting Guide

For those real hair-pullers, here's ICSA Lab's IPSec Troubleshooting Guide.

Thumb Drive Prices

Anyone else notice that "thumb drives" are less than $.50 per M nowadays?

Went window shopping at a few stores yesterday to price a replacement hard drive and noticed that two of the larger chains are now selling 128M thumb drives for about $58.00 US. Saw a 64M USB v1 one for less than $20.00.

Until recently, it'd seemed that the price was never going to go under $1.00/M.

Saturday, November 29, 2003

Nessus

Linux Security has an article entitled "An Introduction to Nessus" which is a decent read. For those not in the know, Nessus is an open source vulnerability scanner.

Some organizations use it instead of ISS as its attack database is generally larger and more up-to-date. The drawback is that it also can do damage in its penetration testing if you're not careful (there are switches to disable the more brutish attacks).

Update: Bowulf has a piece in which he indicates that you can avoid the setup and configuration of Linux and Nessus by using Knoppix STD. The only thing you have to worry about otherwise is gathering the updated NASL signature files.

Hint: you can add them to the distribution prior to burning the iso by mounting it via the loopback device. (If there's enough room.) For Linux, try

  mount cdimage.raw -r -t iso9660 -o loop /mnt

AES Encryption

Here's a Microsoft Developers' Network article which discusses how the AES algorithm works. A nice read.

Vi Keys

Got this one from 0xDECAFBAD: a pointer to Harvard's "vi Complete Key Binding List".

Friday, November 28, 2003

Writing your name in the snow

Okay, there seems to be a strong cynical bent to my posts as of late but I can't resist just one more.

In the last few years, Netcraft took a beating from the more zealous side of the Open Source house for saying various nice things about Microsoft and IIS. They were even accused of taking money to produce a slanted survey. Here's another similar situation...

NetCraft has stated that Apache runs on the majority of the web sites on the Internet (and has done so since some time mid-Feb 1996). Now there's an org called Port80 Software that says some pretty nasty things about NetCraft. It appears that they're trying the old "running for office campaign" strategy in which the main tactic is to say negative things about the other guy.

Actually, if you read closely, both reports could be true. In other words, it's very likely that IIS has the majority of the Fortune 1000 corporate server realm while Apache has the overall lead. (Hey, at one point I was responsible for 8 individual web servers, only one of them corporate, and none of them IIS.) The problem I have is with the slights thrown in the article which attempts to give NetCraft (I can't believe I'm defending their tactics) a black eye.

I was suspicious enough of the main article to look at it even closer. If you look at the data, port80 only looked at the top 1000 corporations. In this case, "top 1000" is the "Fortune 1000" corporate listing. That means that out of the 30298060 web sites polled by NetCraft, port80 says only a specific 1000 of them "count" so that they can declare that IIS has a majority. (Aside: It could also mean that a majority of the Fortune 1000 CIO's saw the "no one's been down to the server room in days" commercial and were gullible enough to believe it.)

Thank God for "Lies, Damn Lies and Statistics"?

Nothing like leveraging off of someone else's reputation, huh?

Thursday, November 27, 2003

System Administration and Security

Computer World has a short discussion about managed security services. The article is here and following are my answers to their questions:

Should I select the same service provider to manage both IT services and security services?

No, absolutely not. System administrators that also understand security are rare and (usually) highly paid. Unless your system administrator has been around the block quite a few times (able to stand up servers using three or more OS's), it's usually a safe bet that they will attempt to do EVERYTHING using the same OS. You end up with a monolithic network (this is the "all your eggs in one basket" train).

What process should I follow when implementing a managed security service?

Semi-agreement with the article. Before you farm out your security services, you should have well-documented policies, procedures, and plans.

How do managed security services affect corporate security risks?

Realize that it is still your organization that is responsible for overall security. You're hiring someone to provide reports on the status of your network. It's still up to you to "push" policy. It'll also be up to you to deal with the politics. If the hired security says that someone is doing something that's against policy, it's up to you to either correct the person or change the policy. Please note that ignoring the situation is bad practice (you're paying for security!) in that it's now a known condition and if you don't correct it immediately, you can't fire anyone for it at a later date. If it involves anything "shady", you could be sued by other organizations if the situation expands and affects them.

What are the pitfalls of managed security services?

Cost mostly, but depending on what you're buying for service, it can be cheaper than having your own full-time in-house talent.

Also, if you've never had ANY security up 'till now, be prepared for some surprises. The first report that shows up on your desk may tell you a few things about your network that you don't want to hear. Examples of this could include: a virus infection, Bob in accounting spends most of his working time surfing porn, your secretary runs peer-to-peer file trading software at her desk, Fred in purchasing is selling corporate assets on eBay, etc. Just try to remember that these are the reasons that you hired out for security in the first place. Don't shoot the messenger.

What problems are best addressed by managed security services?

If you can't afford (or retain) full-time in-house talent, managed services are definitely an option. See the article for a much better explanation.

Doctor, Doctor!!

"Hey, Doc! It hurts when I do this!"

"So don't do that."

While that may make for shoddy medical practice, it's even worse for security. According to ZDNet, Microsoft has issued a "knowledge paper" to fix the hole in MS Exchange's OWA.

Anyone else see bad practice here?

(Hint: if they call it a "fix", marketing can claim that MS "fixes" things rapidly.) Want to talk fast? An ElGamal bug in GPG was announced today. Guess how long you have to wait for the patch? Answer: It's already out.

Question

I've been reading/considering about VOIP today. Is it me or can the only way to secure VOIP be on-the-fly encryption (session and user)?

Saw yet another capture-to-wav tool today.

Wednesday, November 26, 2003

NSM PowerPoint

Something said over on TaoSecurity caused me to Google for NSM and I found a very good PowerPoint presentation on NSM.

Bit Torrent FAQ

A good network administrator knows how the programs employed by his/her users work (or at least knows where to go look it up). Here's the "BitTorrent FAQ". It doesn't describe how to control/limit the traffic but it does describe how the tool works.

Public Clock

pool.ntp.org is home for the public time server project.

Tuesday, November 25, 2003

Don't use Word!

Don't use MS Word if you're going to e-mail or post the document. It makes some pretty heavy assumptions, including who your readers are going to be and the capabilities of their systems. This is a long-standing peeve of a sizeable portion of the Internet. Here's a well-worded version of the anti-Word side of the argument.

Monday, November 24, 2003

Linux McAfee Update Script

For us altruistic types that push our customers files and e-mail through the Linux-based McAfee anti-virus scanner, here's an auto-update script for the signature files. Thanks to Jorge Becerra for writing it and to Bluestream Consulting for reposting it.

Sunday, November 23, 2003

Mess in the wiki

Please bear with the mess under the FWTK pointer, I'm writing a quick paper. It's quite unusable at the moment but should be in near-finished form in the next 10 days or so.

Public Certificates

CACert.org is a public Certificate Authority (CA). For non-admin types, this is a self-proclaimed issuer of free SSL certificates.

Is it worth anything? Like a lot of other things on the Internet, the answer is "it depends". It depends on how well people trust the site and use it. Note: You don't have to use Verisign, you can issue your own certificates. Verisign's strength is that, by way of government sponsorship, the majority of users "trust" it as a CA.

Update: For those that are interested in rolling your own, check out the "OpenSSL Certificate Cookbook".

Blech!

In the five years that I managed firewalls for various networks, I gradually became a cynic. It's also the reason why I'm a stickler for policy wording and some have referred to me as a network Nazi. (Hey, if 29,999 users are happy with how the network runs and you're the one malcontent, call me anything you want.) Exposure to people like that described in the link below is the reason that network security has a high attrition rate. (There is truth to the cliche that some network security types "get out" and raise flowers for a living.)

Okay, let's see him try the "a trojan did it" defense! (Warning: Article is about a really sick f**k.) (Sorry but that's the only description for him.)

Net::Dict Interface

Having tried my hand at writing various IRC infobots, I've played with Net::Dict occasionally and will probably need it again (thus this blog).

Saturday, November 22, 2003

Looking for Incident-Response.org?

According to Tao Security, someone snagged the domain for Incident-Response.org when it expired (don't you just love how DNS is managed?). If you're still looking for the site, point your browser at:

http://66.96.178.49/

Friday, November 21, 2003

Soap attacks

Here's a Web Apps Security mailing list pointer to a white paper on basic attacks on SOAP. No, it's not discussing strange goings-on in the shower! SOAP is the Simple Object Access Protocol. It's used to overlay various services on top of HTTP allowing communications via XML.

The paper also describes defenses against those attacks.

Wednesday, November 19, 2003

IPSec Troubleshooting Guide

If only Bowulf had posted this a week ago. Took us all of the time we had for lab to get a 5-node VPN up and running.

Then again, it might not have. We finally figured out that d*mn Pix's had to be rebooted for the configuration to load properly.

In any case, it's nice to have.

Tuesday, November 18, 2003

Corporate Schizophrenia?

It's a busy couple of weeks for Microsoft news. Both good and bad. Enough so that reading them all together may give the impression of corporate schizophrenia:
  • Could it be that they finally get it? Just a little bit?
  • They also want to do some buy and kill, especially after Google pulled a fast one.
  • Why won't they learn that they shouldn't promise stuff at trade shows? Anyone else remember the super-fantastic backup technology that Microsoft promised at a Comdex? Funny, Veritas and friends are still around. (The super-fantastic Microsoft backup robot isn't.) That and tablets have already been declared dead.
  • Bill also used Comdex to announce new anti-spam tools. I really hope that Bill didn't use the word "spam" as Hormel might get a little pissed that the world's (sometimes) richest man is attempting to profit off of the name of one of their products.
  • Meanwhile, pundits punditted that this would put other anti-spam products out of business (yeah, just like IIS and Active Directory did?)
  • Meanwhile, Steve was in Japan, making promises of better security while spreading FUD about open source products.
  • Microsoft has put a "bounty" on the heads of malicious code writers, specifically two evil-doers.
  • The "discussion" over those bounties is only a couple insinuations above a name calling contest
  • Users are a bit less than pleased with Microsoft's new patches
  • and yet two more exploits that use port 135 were made public, along with another vulnerability in Microsoft Exchange.

Thanks to: Slashdot, The Evil Empire, HelpNet Security, Computer Cops, Insecure.org Lists, HackInTheBox, eWeek, InfoWorld, ThinkComputer

Side note: Sorry this is showing up on Tuesday. I'd meant to post it on Sunday but it took this long to pull all of the MS-related stuff off of the spike.

CSI loses points

Ooh! CSI just lost points amongst the geeks. One of the investigators described stealing WiFi access from the next building over as "war chalking". (War chalking is drawing the symbols on the sidewalk that tell the next guy there's an open access point here. The stealing part is just stealing.)

Heh.

Monday, November 17, 2003

Troubles from within...

Troy Jessup has a good post over on The Security Blog. In it, he talks about the need for upper management to understand the issues which drive network security and some of the shortcomings which damage security (can you say "personal business").

I heartily agree with him and will throw in my own comments here...

Many upper management types are worried that "we'll be seen as network Nazis". Personally, I don't care about your opinion of me if the network is running properly. If the security model (based on the business model) requires that I flog every dolt who thinks the rules don't apply to them, so be it. Call me all the names you want. I plan on going home at the end of the work day.

Also, and this might sound contrary to the above, you have to have realistic and enforceable rules. Anything else breeds contempt and circumvention of the rules. The end-user also has to understand the reason for each of the rules. This requires user training and user agreements.

Sunday, November 16, 2003

While fishing around I found...

While I was fishing around for some other information, I came across SpammerHunters.com. Might be interesting.

Saturday, November 15, 2003

Quick screen howto

Not necessarily a security tool, screen is useful in any case. Uptime has a quick howto for using screen.

RSS IM?

Something to play with during free time.

Bridging Firewalls

"Bridging Firewalls" have been around for a while but are only recently getting notice. (SecurityFocus has a nice article about them.)

For the short version, bridging firewalls are network bridges with packet filtering bolted on (on Linux, ebtables at layer 2 and iptables on bridged traffic via the bridge-netfilter hooks). They are "invisible" because a bridge needs no IP addresses on its interfaces: there's no hop in a traceroute, nothing for an attacker to scan or route around, and you can drop one into an existing segment without renumbering anything. The caveat is that with no IP address you also can't manage it over the network unless you give it a separate, out-of-band interface.

Friday, November 14, 2003

Alternate Data Streams

I'm not able to verify the accuracy of it, but Anti-Crack has a piece about "Alternate Data Streams". This is one of the ways you hide stuff on Windows file systems. It's an NTFS feature: Explorer and "dir" don't show the extra streams, FAT partitions can't carry them, and they survive a copy only between NTFS volumes. Includes pointers to tools to detect ADS.

Covert Communications

SilverStr has a piece about covert communications channels.

What's on your network? (to the tune of "What's in your wallet?")

Thursday, November 13, 2003

Changing MAC Addresses

I've gotten into this argument quite a few times over the years. If you ask "most" Windows types whether MAC addresses can be changed, they'll say "no". The answer is actually "yes", but under Windows you have to know the trick: the address is set through the NIC driver (the "Network Address" entry in the adapter's advanced properties, or the equivalent registry value), not in hardware. (No points for grammar/spelling/translation but you get the idea.) The burned-in address is untouched either way, which is why anything that uses MAC addresses for access control is a convenience, not a security control.

Under *nix, it's quite easy (and doesn't need to be explained here.).

Yet more wiki stuff

More info added to the wiki:
  • Added to the Blogger's Toolkit - Content Tools section.
  • Added "Refresh or Redirect in PHP"

Some of it you just have to leave at the curb

Jeremy has noticed that spam doesn't compress well.

Is this usable?

Also, he seems to have had better luck with SpamBayes than I have. Could it be that my run-away collection of Procmail recipes is finally catching up with me? It has piqued my interest in graphing my spam though.

Wednesday, November 12, 2003

Rules for a successful security policy

Computer World called them "10 steps" but they're more like "rules of thumb". In any case, they make up a good guide for having an enforceable security policy.

Tuesday, November 11, 2003

Incident Response Tools

SecurityFocus has a two-part series on Incident Response (by Holt Sorenson):

Definitely worth the read. Both articles have an extensive list of tools and links.

This is a test...


This is a test. This blog is conducting a test of the Emergency Blogcast System. This is only a test.
(annoying noise)
This is a test of the Emergency Blogcast System. The bloggers of your area, in voluntary cooperation with just about no authorities, have developed this system to keep you informed in the event of blogger's block. If this had been an actual post, the Annoying Noise you just heard would have been followed by interesting information, witty posts or snarky behavior. This blog serves the Tidewater area. This concludes this test of the Emergency Blogcast System.
(I was out of town for awhile and missed the official test)

Monday, November 10, 2003

MT Upgrade

Thanks to Mr. 804 for dragging himself through a multi-version upgrade to MT. The new features are just awesome. The two I find most useful in the new version are:
  • "external" pings feature in the main config
  • the ability to figure out the trackback URL for posts which include pointers to other trackback-capable blogs

Sunday, November 9, 2003

Push back

I'm joining the posse a bit late in the game but



"I'm sick and tired of it and won't take any more!!"

What am I ranting about? Comment spam.

Jeremy, Chris, Adam, and duemer have all vented on this topic and have had varying levels of success in fighting back.

Kalsey Consulting has also posted a howto entitled "Cutting Comment Spammers Off at the Knees" and a "Manifesto".

And before you think this is a small group of people, try looking at:

In response to the comment spam here, I'm brushing up on my tracking skills and have added the fine print at the bottom of the main page. (Hey, spam is illegal here in Virginia! Be glad I'm only asking for $100.00!!)

[With apologies to those on the receiving end of the trackbacks; this has a lot of links in it.]

Saturday, November 8, 2003

New wiki entry

New wiki entry: "Procmail - Filtering and forwarding at the same time".

One question?

I know I tend to sit in the back row and ignore what's going on down front most of the time but I have a few questions/comments about "Microsoft's bounty":
  • Given that the author already knows how to break into computers, what's to stop him/her from choosing another programmer and planting the "evidence" on that person's computer before calling the cops?
  • Where is all this bounty money coming from? (If you can't guess the obvious answer, e-mail "joat@757.org" with a subject line of "obvious answer" (without the quotes)(an infobot will answer).

Friday, November 7, 2003

Common courtesy?

This entire post is a peevish vent so you may want to skip it.

Okay, I'm back. My last job made me a cynic (network security officer for 30,000+ users). This new job isn't improving my impression of the general public any. This job requires that I travel every other month or so, so I get to view the public "up close and personal". Here's what's set me off this time:

In the U.S., airlines load planes from the back to front. One of the attendants will call out over the announcing system "Now boarding rows 15 through 22". This causes 30 or so of us to queue up and slowly drag ourselves and a carry-on piece of luggage onto the plane.

I've done this four times in as many days and, without fail, there's at least one moron from row 6 or so who makes the superhuman effort to get on board before the rest of us (he cuts in line). Short version: the entire complement of passengers is delayed while those who should already be on the plane wait for him to jam an oversized bag (that should have been checked) into the overhead storage. On one of the four flights, this held up boarding long enough that the plane was bumped from its position in the take-off queue (an additional 10-minute delay).

Would someone explain to me why these people think that they'll get where they're going quicker if they cut in line? Seriously, I think these people should be bumped to the "on standby" category and forced off of the plane.

Thursday, November 6, 2003

More Hitchhikers on the radio

File this one under the "Mebbe I Should Start a 'Cult' Category" category. (That's where the BBC filed it.)

The BBC is going to adapt the remaining Hitchhiker's books to audio.

Yeah, I know: This makes me an old geek. Doesn't anyone else remember staying up late to listen to the Radio Mystery Theater? Extra credit if you did it via a tube or crystal set!

Wednesday, November 5, 2003

I will donate the following service to Bill Gates (if he wants it)

I hereby volunteer my instance of Vixie Cron for Bill Gates's use so that this never happens again.

Bill: Give me a list of the domains and their expirations and I'll set up cron jobs so that you can be notified a month or so ahead of time.

Update:Jeremy has a short bit about Vixie cron.

Tuesday, November 4, 2003

Security Testing Guide

While we're talking about standards, NIST has published the Guide to Network Security Testing. Thanks to Bowulf for the pointer.

Monday, November 3, 2003

Alien II?

Even though this one is from Slashdot, it makes for interesting "entertainment" (loosely defined).

Every community has their own nut cases. The Internet isn't any different.

Remember a while back when everyone got spammed by that guy looking for the dimensional warp generator so's he could get back to his own time? He was quickly "outed" by a group of people who are now on the receiving end of what amounts to an e-mail bombing (mail with forged return addresses is intentionally bounced off of legitimate servers in an attempt to fill the victims' mailboxes and block legitimate mail to them).

I had a Great Uncle who responded to situations in a similar manner. It kept a family feud going for decades.

Sunday, November 2, 2003

More Wiki entries

More stuff in the wiki:

- Connecting a Linux box to Sprint PCS via a Samsung N400
- Using fetchmail with Procmail and a virus scanner
- isvirus code listing

Saturday, November 1, 2003

NSA picks a commercial encryption product

From what I can get from the announcement, the NSA has picked a commercial encryption product for its internal use.

Please note: they have SDK's for Windows, Linux, Unix and more.

Local Area Security Linux

While we're on the subject of useful CD-based Linux distributions, here's Local Area Security. It claims to be a mix of Trustix and Knoppix.

If anyone uses this, would you post a few comments here?

Nop +4-7

Happy Halloween, y'all.

I may be out of touch for a few days as I'm headed for New Orleans first thing Monday morning. I may have connectivity, I may not. The map for my cell phone service is kinda vague as to what service is available, just like it was when I was visiting my parents (had to drive halfway down a mountain but found service)(pretty good connection in that 100 or so feet).

Anyways, I'll keep posting. It's just that you might not see the posts until I get back.

Thursday, October 30, 2003

YADOCD

Yet Another Distribution On CD: Dyne:Bolic.

This one is targeted, more or less, at artists, claiming to contain everything you need to record, edit, encode and stream audio and video data, all without having to set up an extra partition on your hard drive.

This distribution also auto-discovers other Dyne:Bolic systems on the LAN and clusters with them.

Wednesday, October 29, 2003

Universal RPC Exploit

Bowulf posted this one a while back but it's something I'm going to need for class. Supposedly, it's a "universal" RPC exploit, "universal" in that it's supposed to be able to exploit the RPC service no matter what port it's running on. (Hint: if you're running anything from Microsoft, you've got at least one RPC port open, sometimes on ports you're not aware of. The endpoint mapper on 135 hands out dynamic high ports to whatever RPC services have registered, so blocking 135 alone hides them but doesn't close them.)

Tuesday, October 28, 2003

New law would require computer security audits, status reports

This is going to create a lot of work for security types. In the long run, it will probably cause security companies to become bonded, certified and/or licensed. (Insurance companies and stock holders love that sort of thing.)

Vi tutorial

0xDECAFBAD had a quick-pointer to a Vi/Vim tutorial on Harvard University's site.

Monday, October 27, 2003

Vi and XML

PinkJuice has an online tutorial (Warning! Default page contains art in bubble-gum pink!) which covers various valuable tweaks if you use Vi to edit XML. It also has a whole slew of valuable tips for general use of Vi.

Note: this guide is also available in PDF form from the same site.

Sunday, October 26, 2003

XML Microcontent

From 0xDECAFBAD, a piece about microcontent.

More wiki stuff

I've added the following to the wiki:


  • Procmail

    • Using formail to break incoming message digests into individual messages

    • Playing sounds when mail arrives

  • Spam

    • How to add MySQL logging to MIMEDefang

  • Vi

    • Like or hate the multicolored syntax highlighting? Turn it on or off!

    • Opening many files at the same time

The link for the wiki is in the menu bar above.

Saturday, October 25, 2003

Garg!

One of the things about running intrusion detection on your home system is that you often see stuff that your service provider doesn't want to (or can't) deal with.

My service provider is a very large (read that as national) high speed cable provider. Currently it's in the middle of a severe ARP storm. It's gotten so bad that connecting to this site from across town is slow.

I logged the packets and had them ready to mail off. Turns out the helpdesk doesn't know what the heck I'm talking about. I ended up entering a clueless level ticket in which I complained about "the Internet being slow". It was about the best I could do via that poor kid. He started getting confused when I talked about DHCP, arp requests, and MAC addresses.

Oh well... I'm off to the doctor to see if I can get this key cap removed from my forehead.
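Added example (mine, not part of the original post): if you want something better than "the Internet is slow" to hand the helpdesk, this is the kind of thing I'd run over the capture. It counts ARP requests per source MAC per second and names the sources hammering the wire. The log format is constructed to look like sniffer output with the sender MAC included; real tcpdump only prints MACs with -e and lays the line out differently, so adjust the regex to what your sniffer actually writes.

```python
"""Flag ARP-storm sources in a packet log by counting requests per source
MAC per second.  Added example; the log format below is constructed, not
real tcpdump output."""
import re
from collections import defaultdict

# "<epoch seconds.usec> ARP, Request who-has <ip> tell <ip>, from <mac>"
_REQ = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Request who-has (?P<target>\S+) "
    r"tell (?P<sender>\S+), from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")

def parse_arp_requests(lines):
    """Yield (whole_second, source_mac, sender_ip) for each request line.
    Replies and anything the regex does not understand are skipped."""
    for line in lines:
        m = _REQ.match(line.strip())
        if m:
            yield int(float(m["ts"])), m["mac"], m["sender"]

def arp_storm_sources(lines, threshold=50):
    """Return {mac: peak requests in any one second} for sources whose peak
    exceeds threshold.  A normal host asks a few times a second at most."""
    per_second = defaultdict(int)
    for sec, mac, _ in parse_arp_requests(lines):
        per_second[(sec, mac)] += 1
    peak = defaultdict(int)
    for (sec, mac), n in per_second.items():
        peak[mac] = max(peak[mac], n)
    return {mac: n for mac, n in peak.items() if n > threshold}

def constructed_log(storm_rate=300, seconds=3):
    """Constructed sample: one host sweeping the /24 at storm_rate requests a
    second, plus one quiet host and one reply, for each second."""
    storm, quiet, replier = "00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02", "00:0c:29:aa:bb:03"
    lines = []
    for s in range(seconds):
        t = 1066000000 + s
        for i in range(storm_rate):
            lines.append(f"{t}.{i:06d} ARP, Request who-has 10.0.0.{i % 254 + 1} "
                         f"tell 10.0.0.77, from {storm}")
        lines.append(f"{t}.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, from {quiet}")
        lines.append(f"{t}.500100 ARP, Reply 10.0.0.1 is-at {replier}")
    return lines

if __name__ == "__main__":
    for mac, n in arp_storm_sources(constructed_log()).items():
        print(f"{mac}: {n} ARP requests/second")
```

The threshold is a guess you tune to your segment; the useful output for the ticket is the MAC and the peak rate, because that's what the provider can actually act on.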

Yahoo New Search

I'm going to want/need this at a later date.

Leo

It's a bit weird, but it's bound to be a classic. The new TypePad service is hosting a geek that most of us with cable will probably recognize.

Protecting you from yourself?

AOL's been caught making adjustments on subscribers' machines. While their motives are well-intentioned, I think their methods leave a bit to be desired.

Thursday, October 23, 2003

Wednesday, October 22, 2003

Tuesday, October 21, 2003

Cracking Windows Passwords in Seconds

net.law.blog has a pointer to a password problem that Microsoft really needs to fix.

Bruce Schneier Interview

Slashdot pointed out that Bruce Schneier (Counterpane) has done an interview in which he suggests that physical security should be treated like computer security: treat it as a system.

Sunday, October 19, 2003

joatWiki?

If you look closely at the menu bar, I've added a Wiki (actually phpWiki) to the options. For now, it's an experiment but I do want to move into using this sort of thing. I'm just not sure which version to settle on. Comments?

Secure the perimeter?

Secure the perimeter?

Secure the perimeter?

Secure the fsck'in perimeter!?

Gee, I think that puts Microsoft's level of security at circa 1990. Does it mean that Microsoft is abandoning trying to secure the code?

After a quick read, I think I can make a few quick predictions:

  • Microsoft will make lots of money selling "more capable" firewalls
  • Millions of Microsoft users will be complacent about their internal networks because "Hey, we've got a firewall to protect us!"
  • resulting in thousands of crunchy-on-the-outside, chewy-on-the-inside networks, thereby lowering the overall level of security on the Internet

One of the biggest shortcomings of using Microsoft workstations is that each and every one of them is also a server, because the same services used to join the local network allow the workstation to share services and data. Let's enumerate what ports 135, 137, 138 and 139 (plus 445 on Windows 2000 and later) are used for:

  • 135: the RPC endpoint mapper, which hands out the dynamic high ports for everything built on MS-RPC: getting your mail to/from the Exchange server, DCOM, and remote administration (Event Viewer, Registry Editor, User Manager and assorted diagnostics), i.e. someone else remotely running functions/programs on your machine
  • 137: NetBIOS name service (name registration and lookup, WINS)
  • 138: NetBIOS datagram service (browser announcements and elections)
  • 139 (and 445): NetBIOS session service / SMB: network logons, file sharing, printing and directory replication

(DHCP and DNS run on their own ports, 67/68 and 53, and aren't part of this; the NetBIOS and RPC ports alone expose everything above.)

And that's just to/from a workstation. I'm amazed that it took as long as it did for someone to consider NetBIOS as an infection vector.

Welchia provided a very good example of why security has to be built from the ground up. Various organizations learned the hard way that while their firewalls protected the front door, various backdoors lurked in their networks. That, coupled with a laissez-faire attitude toward timely patching, allowed the damage to stack up like it did.

Hmm... I wonder how Microsoft is going to do/market it. Single-purpose applications? Peer review of all code? [*gasp*] (Yeah, you heard me. I said "open source".) "Embracing and extending" more security protocols? Couple all this with the DRM crack they're pushing and recent attempts to get into the BIOS (the stuff that tells your computer how to boot) business, it's going to get real interesting.

I can hardly wait.

Friday, October 17, 2003

Shatter Attacks - How to break Windows

Anti-Crack has an article about shatter attacks on Windows. Note: This is a vulnerability that Microsoft is likely NOT to fix, as it would require a massive rewrite of the windowing code. The good news is that (so far) the attack requires local access: the attacker has to be able to run code on the same interactive desktop as the higher-privileged window it sends messages to.

Worm FAQ

NetWorm has a FAQ about network-based worms.

Wednesday, October 15, 2003

Might be worth the $15

Until someone comes up with a better driver for the kernel, this might be worth the fifteen bucks, especially if it's a viable tech and isn't limited to just wireless drivers.

How It Works: Master Boot Record (MBR)

AntiCrack has a short piece on how MBR's work.
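Added example (my code, not the AntiCrack article's): the layout the piece describes, as a parser you can point at the output of `dd if=/dev/hda bs=512 count=1`. It pulls the four 16-byte partition entries at offset 0x1BE, checks the 0x55AA signature, and flags overlapping partitions, which is a cheap sanity check when you suspect a boot-sector virus or a hand-edited table. build_mbr exists only to construct a test sector in memory.

```python
"""Parse a 512-byte Master Boot Record.  Added example, not from the article."""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE          # bootstrap code occupies 0 .. TABLE_OFFSET-1
ENTRY = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"

def _chs(raw):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    head, sec_cyl_hi, cyl_lo = raw
    cylinder = ((sec_cyl_hi & 0xC0) << 2) | cyl_lo
    return cylinder, head, sec_cyl_hi & 0x3F

def parse_mbr(sector):
    """Return the bootstrap code and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(ENTRY, sector, off)
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "chs_start": _chs(chs_s), "chs_end": _chs(chs_e),
                      "lba_start": lba, "sectors": count})
    return {"code": bytes(sector[:TABLE_OFFSET]), "partitions": parts}

def overlapping(parts):
    """Pairs of partition indexes whose LBA ranges overlap."""
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    return [(a["index"], b["index"]) for a, b in zip(ordered, ordered[1:])
            if a["lba_start"] + a["sectors"] > b["lba_start"]]

def build_mbr(entries, code=b""):
    """Constructed test sector.  entries: (bootable, type, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    code = code[:TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (boot, ptype, lba, count) in enumerate(entries):
        # CHS fields set to the 1023/254/63 marker that means "use the LBA values"
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i,
                         0x80 if boot else 0, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)
```

Keep a copy of the bootstrap code bytes from a known-good machine; diffing the first 446 bytes against it is the quickest way to spot something that has moved into the boot sector.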

Nonya-nonya-NON-YAAAAA...

Geez! If the NSA talked to anyone, they'd be telling industry "I told ya so!". Reworded: for over a decade the NSA has been saying that monolithic networks are "a bad thing"(tm). (I'll look for the link.)

Monday, October 13, 2003

Shift key bypass

Wonder why SunnComm decided not to sue the Princeton student for "discovering" that the autorun security could be bypassed by holding down the shift key?

Could it be that Microsoft lists it as a feature? (Look at the last shortcut before the first table.)

SunnComm would not only have to sue the Princeton student, they'd have to sue Microsoft for engineering the workaround for SunnComm's security device.

D'oh!

Odd that SunnComm stated that they didn't want to be the one to stifle research. Some research.

Badgers? We don't need no stinkin' badgers!

Ever wonder where the book burners from the 50's went to? They went online.

Why am I saying this? I'm reading a lot of discussion concerning the "we gotta do something to fix this" movement where people are suggesting that "we" "fix" IRC, SMTP, and HTTP so that the miscreants can't abuse them anymore.

At face value, this might appear to be a good idea. But if you think about it, it's a horrible plan.

First, there's little wrong with the actual protocols. It's the software at the client end of the protocol that's the problem (mostly). Whether it be the horribly insecure mail client or the worm with the built in IRC bot.

Second, adding features to a product rarely makes it more secure. The more complex a program is, the more likely it will contain errors and/or exploitable "features" (not necessarily bugs).

Third, it smacks of vigilante justice, which I severely mistrust. (Ask me sometime about my coffee drinking habit getting my 80-year-old grandmother in trouble with the church.)

Want to make the internet a safer place to work/play? Try a few of the following:

  • Use a different mail client at home than you do at work. If possible, don't use Outlook/Outlook Express.
  • For that matter, use a different OS (or at least a different version) than what you use at work.
  • Use a different virus scanner at home than you do at work. Ideally, your work will use more than one scanner. Make sure to check for new signature updates on a daily basis.
  • Use a firewall. If possible more than one. (i.e., use a software-based one on your computers along with the one on the four-port router.) Ideally, your employer will use a corporate-grade firewall which hopefully has application proxies for most of the protocols used. In any case, configure your firewall(s) to only allow those protocols that you need to conduct business/pleasure. Turn off everything else.
  • Learn how to read your log files. Why go to all the trouble of getting those neat security tools and then treat them like pretty toys?
  • Learn how to read message headers. It will help when you're trying to figure out if Aunt Milly actually sent you that infected message.
  • Learn how to politely report incidents where they be spam, ports scans, or viruses. Most ISPs will respond to effective and polite emails indicating that something is amiss in their networks. Be polite even when you're angry. Even if it hurts.
  • Pick a computer news site, an anti-virus vendor's site, and a CERT site (there's lots of them). Visit each of those sites at least once a week and read the "new stuff". For the really adventurous, find an RSS feed aggregator and subscribe to a bunch of security-related feeds. (Personally, I like BlogLines, which is completely online, and if you ask nicely I'll provide a list of the feeds I use.)

You don't have to do all of the above. Two is okay. It improves life for the rest of us just a little bit. Anyone else have any suggestions to add to the list?
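Added example (mine, not from the post) for the "learn to read message headers" item: it walks the Received: chain of a constructed message from the hop your own MTA wrote down to the alleged origin. The rule of thumb it encodes is that only the topmost hop, the one added by a server you control, can be believed; everything below it was already in the message when it arrived and could have been typed in by the sender. Host names and addresses are made up (documentation ranges).

```python
"""Walk a message's Received: chain from your own MTA down to the claimed
origin.  Added example with a constructed message, not from the post."""
import email
import re

# Constructed sample: three hops, the last one a PC that HELO'd with a bare
# name and had no reverse DNS.  Addresses are documentation ranges.
SAMPLE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 3F2A1
\tfor <joat@example.org>; Tue, 11 Nov 2003 09:15:02 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mail.example.net (Postfix) with ESMTP id 91C44;
\tTue, 11 Nov 2003 09:14:58 -0500
Received: from aunt-milly-pc (unknown [203.0.113.44])
\tby relay.example.com (Postfix) with SMTP id 0A1B2;
\tTue, 11 Nov 2003 09:14:40 -0500
From: "Aunt Milly" <milly@example.com>
To: joat@example.org
Subject: fwd: funny screensaver

Open the attachment!
"""

# "from <helo> (<reverse-dns> [<ip>]) ... by <server>": the sendmail/Postfix shape.
_HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")

def parse_received(raw):
    """Hops top-down; hop 0 was written by the MTA that delivered to you."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = _HOP.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def trusted_origin(hops, my_mta):
    """Peer IP recorded by your own MTA: the only hop you can vouch for."""
    for hop in hops:
        if hop["by"] == my_mta:
            return hop["ip"]
    return None

def helo_mismatches(hops):
    """Hops whose HELO name differs from the reverse DNS the receiver saw."""
    return [h for h in hops if h["rdns"] and h["helo"] != h["rdns"]]
```

Every MTA formats Received: a little differently, so expect to extend the regex; the part that matters is that you anchor on the hop your own server wrote and treat the rest as claims, not facts.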

Sunday, October 12, 2003

Security Forums Dot Com :: View topic - The Anonymity Tutorial

Security Forums had a post containing The Anonymity Tutorial. Please note that it is not entirely accurate but gives a good starting point for more research, whether you're trying to learn more about it or trying to stop it from happening on your network.

Hint: the only way to stay anonymous on the Internet is to stay off of it, forever (and that doesn't always work either)!

A good idea?

Given the amount of trouble (viruses, worms, non-backward compatibility between versions, etc.) caused by tying the mail and web clients to the desktop and the operating system, does anyone else get a bad feeling when they talk about tying the BIOS in also?

Offline

Sorry for being offline the last couple of days. I've had surgery and have been on some heavy pain killers. I'm home but can't seem to stay awake for more than a couple hours at a time. Heck of a way to spend your birthday.

Thursday, October 9, 2003

Michael Reynolds

Michael Reynolds has a short piece on setting up password authentication for your Apache-based website.

Adjacent Overwrite Bugs

Rosiello Security has a text file from DTORS Security Research Group (think hackers) which describes how adjacent memory overwrites are done.

Buffer Overflows

Rosiello Security has a text file from DTORS Security Research Group (think hackers) which describes how a buffer overflow works. Again, it's aimed at hackers but gives you an idea of what you're up against.

Wednesday, October 8, 2003

Reverse Engineering Binaries

Rosiello Security has a text file entitled "Reverse Engineering Binaries" which describes an approach for reverse engineering binaries (machine code back to C).

This is an exercise that only the very stubborn should attempt as it's very difficult and (IMO) you'll never come up with the same result twice. An interesting read though.

Infosecwriters.com

Infosec Writers has an interesting dissection of the Mimail.A worm.

Users

I think I've found a graphic to go along with my rants about users (Thank you, Vowe.). Doesn't looking at them just make you all warm and fuzzy inside? (I'm going to ruin that.)
The usual rant will probably go "See how happy they are? It's because they don't know any better."
Consider yourself warned.
(heh)

Google search tricks

Linux Exposed has a good piece on various advanced search methods.

Blind SQL Injection

Linux Security has a good article explaining the theory behind "blind SQL injection" and how to protect against it. Short version: "Don't trust user input!".
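Added example (mine, not the article's): the same lookup written the wrong way and the right way against an in-memory SQLite table, plus the "blind" part. extract_secret never sees a row of output, only whether the query found anything, and still walks the secret out one character at a time through the string-built query. Against the parameterized version it gets nothing. Table, users and secrets are constructed.

```python
"""Blind SQL injection against a string-built query, beside the parameterized
fix, on an in-memory SQLite database.  Added example, not the article's code."""
import sqlite3

def make_db():
    """Constructed table: two users, two secrets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cr3t"), ("bob", "hunter2")])
    return db

def lookup_vulnerable(db, name):
    # String-building lets the caller finish the SQL statement for you.
    return db.execute(f"SELECT name, secret FROM users WHERE name = '{name}'").fetchall()

def lookup_fixed(db, name):
    # Placeholder: the driver passes the value separately, never as SQL text.
    return db.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

def blind_probe(db, lookup, name, guess):
    """One yes/no question: does the secret start with `guess`?  Nothing from
    the table comes back, only whether the lookup matched a row."""
    payload = f"{name}' AND substr(secret,1,{len(guess)}) = '{guess}"
    return bool(lookup(db, payload))

def extract_secret(db, lookup, name,
                   alphabet="abcdefghijklmnopqrstuvwxyz0123456789", maxlen=16):
    """Drive blind_probe to recover the secret character by character."""
    found = ""
    for _ in range(maxlen):
        for ch in alphabet:
            if blind_probe(db, lookup, name, found + ch):
                found += ch
                break
        else:
            break          # no character extends the prefix: we have it all
    return found

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_secret(db, lookup_vulnerable, "alice"))
    print("fixed:     ", repr(extract_secret(db, lookup_fixed, "alice")))
```

The lesson is the one the article gives: the fix is not a smarter blacklist of quotes, it's never letting user input become part of the statement text.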

FIPS - 199

SilverStr pointed out that FIPS 199 is finally out.

This is an extremely short document as government standards go but has far reaching effects as it sets a standard in base terminology for information security and information systems security. The shorter version of the document is "This applies to data, systems, personnel and organizations."

The format is:

SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where:

  • "information type" is the information (or system) being categorized and
  • "impact" is "high", "moderate" or "low" (or "N/A", which FIPS 199 allows only for confidentiality, i.e. information that is already public; integrity and availability always get a level).

When a system handles several information types, its own SC takes the highest impact for each objective across all of them (the "high-water mark").

You'll see this used in incident reports, acquisitions, etc. If you interface with government organizations in any way, start using this now. You'll be ahead of the game when its use becomes mandatory (December).
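Added example (mine, not from FIPS 199 or SilverStr's post): a formatter and parser for the SC notation above, with the high-water-mark rule FIPS 199 uses to roll several information types up into one system categorization. The restriction of "N/A" to confidentiality is from the standard; the information type names are made up.

```python
"""FIPS 199 security categorization (SC) helpers.  Added example."""
import re

LEVELS = {"N/A": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def sc_format(info_type, confidentiality, integrity, availability):
    """Render SC(x)={(confidentiality,i),(integrity,i),(availability,i)}."""
    for obj, lvl in zip(OBJECTIVES, (confidentiality, integrity, availability)):
        if lvl not in LEVELS:
            raise ValueError(f"{obj}: unknown impact {lvl!r}")
        # FIPS 199 allows "not applicable" only for confidentiality (public data).
        if lvl == "N/A" and obj != "confidentiality":
            raise ValueError(f"{obj} cannot be N/A")
    return (f"SC({info_type})={{(confidentiality,{confidentiality}),"
            f"(integrity,{integrity}),(availability,{availability})}}")

_SC = re.compile(r"^SC\((?P<name>[^)]+)\)=\{(?P<body>.*)\}$")
_PAIR = re.compile(r"\((\w+),([\w/]+)\)")

def sc_parse(text):
    """Return (info_type, {objective: impact}) from an SC expression."""
    m = _SC.match(text.strip())
    if not m:
        raise ValueError("not an SC expression")
    pairs = dict(_PAIR.findall(m.group("body")))
    if set(pairs) != set(OBJECTIVES) or not set(pairs.values()) <= set(LEVELS):
        raise ValueError("expected (confidentiality|integrity|availability, impact) triples")
    return m.group("name"), pairs

def system_sc(system_name, *info_type_scs):
    """High-water mark: for each objective, the highest impact among the
    information types the system handles (FIPS 199 section 3)."""
    hwm = dict.fromkeys(OBJECTIVES, "N/A")
    for text in info_type_scs:
        _, pairs = sc_parse(text)
        for obj, lvl in pairs.items():
            if LEVELS[lvl] > LEVELS[hwm[obj]]:
                hwm[obj] = lvl
    return sc_format(system_name, *(hwm[o] for o in OBJECTIVES))

def overall_impact(sc_text):
    """The single level (highest of the three) used to pick a control baseline."""
    _, pairs = sc_parse(sc_text)
    return max(pairs.values(), key=LEVELS.__getitem__)
```

The practical consequence of the high-water mark is worth spelling out to management: put one "high" information type on a box full of "low" ones and the whole box is now a high-impact system.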

UK Best Practice Guide for Electronic Evidence

Silverstr owns this pointer: "Practice Guide for Computer based Electronic Evidence". Running this through an English-to-English translator returns "Best Practice Guide for Digital Evidence". At a minimum, an interesting read (PDF format).

Tuesday, October 7, 2003

The noises in your head

While not directly related to security, this sort of thing is important. Think of it the next time you're reading spam.

SSH SecurID Authentication

SilverStr also pointed this out. You (those of you that can afford the servers and tokens) can now use SecurID as a method for logging in via SSH.

Sunday, October 5, 2003

Occam's Boomerang

Back in the dark ages of history, Occam once posited "Throw that thing out there enough and, eventually, it'll come back and hit you in the head."

Okay, I'm making it up but it's funny that an industry who makes money calling you doesn't want you to call them. Thank you Dave Barry!!

Side note: The ATA's website appears to be also down at this time, either from the Slashdot Effect or from angry telemarketing victims overloading it.

Geek swag

Found a pointer to this one while digging through my aggregator (sorry, I don't remember where).

SCOTTeVEST specializes in garments with extra (lots!) pockets. They've even got a hat with two hidden pockets.

As someone who owns a vest capable of carrying enough tools to manufacture and punch down Cat-5 and polish fiber (including the heat block), I recommend having one (yeah, I know: geek!).

Exploiting Routers

Security Focus has posted the first part in a series on "Exploiting Cisco Routers". Worth knowing if you have to defend a network.

MIT Courses

MIT courses are online! The "Master Course List" is here. As the main page says, you can't get credit for the info, but the information is free.

Saturday, October 4, 2003

Data Recovery and Hiding

Linux Security has an article about "Data Hiding and Recovery" which gives a quick discussion of recovering deleted and/or hidden data (similar to NT's alternate data streams) in Unix filesystems.

Oxymores

I agree with these guys. Take 'em back!

DSniff Howto

Linux Security has a good step-by-step guide for setting up DSniff and other tools.

Note: This is a discussion of the "good" uses of this/these tool(s). Too many are describing how to use these tools for "evil". We're all going to pay for that in the long run (in the form of overpowered laws, censorship, etc.). We'll end up with laws equating to having all hammers outlawed because there's a certain percentage of the population that have bludgeoned their spouse to death with one.

Don't think so? It wasn't that long ago that legislating "responsible disclosure" was unheard of. Nowadays, there's been multiple attempts at it.

Using IPSec to improve security

Thanks to Silverstr for the pointer (no trackback?) to "HOWTO: Secure Network Server with Windows IPSec". The theory is sound but the insistence on the Microsoft version scares me a bit because of the usual "embrace & extend" practice of our favorite vendor. In any case, it's a good practice.

But what's it used for?

I play with a lot of RSS stuff. I still don't understand what Mailbucket is but it looks interesting.

Friday, October 3, 2003

Thursday, October 2, 2003

Linux Security Guide

Search Enterprise Linux has an online guide called "Linux Security Learning Guide" which teaches the basics of Linux security.

A good read even if you don't have or even plan to have a Linux system.

Installing plugins in Mozilla/Galeon

I consider this one valuable as I'm always futzing the install.

Ed Halley has written a collection of Red Hat Configuration HowTo's which includes one which explains how to get Java properly installed under Mozilla and Galeon.

And if you look closely at the options at the top, there's a link to getting Flash installed properly too.

Faster booting

IBM has an article which explains how to improve the booting time for Linux. Basically, it requires a review of what's going on in your boot scripts and parallelizing anything that doesn't have to wait for other services to start.

A good read, especially if you're interested in what goes on in your start scripts.

Wednesday, October 1, 2003

The night of a thousand (okay, three) vents

Maybe it's because I had a Monday today (it's Tuesday). Maybe it's because normally conflictive people were suddenly very cooperative this morning, causing me to have a very odd day. Maybe it's hormonal, but I feel the need to vent so here's three that set me off today...

Uh, sorry?

Inbred operating systems

Dan Geer was right! Any monolithic culture is inherently doomed to suffer its own inbred shortcomings, whether we're talking about Appalachian hillfolk (I is one, BTW) (remind me to tell you about two sisters who have to go through life saying, "this is my brother joat, this is my other brother joat" (names changed to protect my half-brother joat)), operating systems in a network, or programs. All of those homogeneous environments run the risk of a single vulnerability taking out the entire eco-culture, whether it be a bad gene or malicious code.

Unfortunately, the human condition is predisposed to creating these environments. People tend to take the path of least resistance. Why trouble to "see the world" when you can marry "the girl next door". It's easier to run the same operating system on your firewalls as you do on your workstations. It's easier to train your users to run the same word processor, whether it's unfriendly to every other WP or not.

@stake, whose origins were not exactly related to a business plan, "sold out" (IMO <-- for those litigious natures) long ago. Mr. Geer was fired because his opinions conflicted with someone in charge. (Hint: Companies don't have opinions. People do. He was fired because he angered someone with the power to do so.) (I hope he sues because he was expressing concerns about a security issue while being employed by a company which specializes in security.)

And before you put me down as being anti-MS, let me state that I'm not. Rather, list me as a member of the "the best tool for the job" crowd. If you're running MS on your desktops, you'd better be running some version of commercial Unix on your firewalls and some other version of *nix on your NOC equipment. The larger your customer base is, the more important this is. Diverse network equipment, while requiring a wider talent-base (read that as $$), is more resistant to inbreeding and failure in the long run.

[Oh and, yes, you can put me down as implying that point-and-click administrators have narrow family trees. Eventually it leads to "Hey, what's this button do?" and "Hey, watch this!" (Which leads to family-hour comedy shows. But that's another story.)]

Note: Philip Greenspun has a post on the same topic. I'm especially entertained that "ass ugly" is a logarithmic (Gaussian) scale and that the majority of system cases are a .05 deviation. [I wonder if he ever saw the attempt to sell cube-balanced-on-a-corner systems to self-styled power geeks [okay, posers!] (circa 1998).]

Don't make up your own definitions!

This is a ComputerWorld article about the "layered defense" model failing when exposed to the Welchia worm. Total bullsh*t, of course.

How do you prevent your network from getting the Welchia worm a month after the patch is issued? INSTALL THE PATCH, DAMMIT!

Using the "we're safe, we have a firewall" as a network defense either means you're severely deluded or you have no users on your network. And any previous reference you've made to "defense in depth" or having a secure network compounds your problem, making you look like an *ss.

Forgotten techniques?

Please tell me that this is journalists that have forgotten (or are too young to have known) "war dialing".

Why do I have this near-irresistible urge to go into my point-and-click administrators rant? Or to tie someone to a chair and force them to watch "War Games" in an unending loop.

Monday, September 29, 2003

Sniffers

Kevin at The Lost Olive pointed out the following:

Turns out Black Sheep Networks has an awesome collection of links, mostly security-related (hint: click on security in the main menu).

Sunday, September 28, 2003

Tweaks

When I don't have any project for the weekend, y'all suffer. (i.e., you have to put up with me playing with the features on this blog).

Changes so far:

  • Comments displayed on the main page (I think I've got it tweaked to where I want it.)
  • Trackbacks listed on the main page (requires more cosmetic tweaking)
  • Removal of the IM feature (never got much use)
  • Removal of the BlogSnob stuff
  • Added a couple buttons on the left

Under consideration:

  • Removal of links not directly related to blog.
  • Coming up with my own version of BlogRolls (why pay for something when you can write your own?)(I'm getting better with PHP!)
  • "fixing" the boxes around each entry (a few complaints about same)
  • making my aggregators available (I use 3 from various locations during the week)
  • Embedding a couple blogs in columns 1 or 3 for use as sidebars

I can "put back" anything if anyone wants (complain loudly!!).

WRT54G

You may want to hold off on buying that Linksys WRT54G until Linksys hammers out a few more bugs. I've got a laptop with a built-in 802.11b function that works perfectly with an SMC Barricade (with wireless) but refuses to work with the 54G. I can get the laptop to "see" the AP and can even sniff pings from the laptop on the desktop machine. However, the replies are not going back via the wireless interface.

I'm going to abuse the 24x7 customer support line this afternoon. I'll keep you posted.

Bloglines

In cleaning out my bookmarks folder, I re-discovered Bloglines. It's a decent on-line aggregator, especially if you log on from multiple locations during the day.

Saturday, September 27, 2003

Stealth Management of IPTables

Hacking Linux Exposed has a (now) 3-part series on "Stealthily Managing IPTables Remotely". Part 1 explains how to get Net::Pcap to sniff certain types of packets. Part 2 explains how to run programs based on those sniffed packets. Part 3 describes how to send commands to the above.

Although it's not "port knocking", it's close and gives a good idea of possible capabilities for both methods. In either case, it can be used for good or evil.
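To make the comparison concrete, here is an added example of both approaches (it is not the Hacking Linux Exposed code, which is Perl built on Net::Pcap): a classic port-knock state machine next to a single-packet variant that is authenticated with an HMAC. Packets are fed in as (timestamp, source IP, destination port) tuples so the logic can be exercised offline; in a live sniffer they would come from a pcap handle and the returned string would be handed to iptables by a privileged helper. The knock sequence, the shared key and the hostnames are all assumptions for the example.

```python
# Added example, not the book's or the blog's code. Knock sequence, key and
# addresses are placeholders for illustration.
import hashlib
import hmac
import struct
import time

KNOCK_SEQUENCE = (7000, 8000, 9000)      # assumed example sequence
KNOCK_WINDOW = 10.0                      # seconds allowed to finish the sequence
OPEN_PORT = 22                           # port the knock unlocks for the knocker
SHARED_KEY = b"example-shared-secret"    # assumed; provisioned out of band
ALLOWED = {                              # the only commands that are ever run
    "open":  "iptables -I INPUT -s {src} -p tcp --dport {port} -j ACCEPT",
    "close": "iptables -D INPUT -s {src} -p tcp --dport {port} -j ACCEPT",
}


def rule_for(command, src):
    """Map a whitelisted command name to the iptables invocation, else None."""
    template = ALLOWED.get(command)
    return None if template is None else template.format(src=src, port=OPEN_PORT)


class KnockDetector:
    """Classic port knocking: a source must hit KNOCK_SEQUENCE in order within
    KNOCK_WINDOW seconds. An out-of-sequence port resets that source."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.state = {}   # src -> (index of next expected port, time of first knock)

    def observe(self, ts, src, dport):
        idx, started = self.state.get(src, (0, ts))
        if ts - started > self.window:          # too slow: start over
            idx, started = 0, ts
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.state.pop(src, None)
                return rule_for("open", src)
            self.state[src] = (idx, started)
        else:
            self.state.pop(src, None)
            if dport == self.sequence[0]:        # the wrong port may itself be knock #1
                self.state[src] = (1, ts)
        return None


def build_spa(command, key=SHARED_KEY, now=None):
    """Single-packet authorization payload: 8-byte timestamp, command text,
    32-byte HMAC-SHA256 over both. A sniffed knock sequence can simply be
    replayed; this payload cannot be forged without the key, and the
    verifier refuses stale or previously seen tags."""
    now = int(time.time()) if now is None else now
    body = struct.pack("!Q", now) + command.encode("ascii")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    def __init__(self, key=SHARED_KEY, max_skew=30):
        self.key = key
        self.max_skew = max_skew
        self.seen = set()       # tags already honoured; prune by age in production

    def verify(self, payload, now=None):
        """Return the command if the payload is authentic, fresh and unseen."""
        now = int(time.time()) if now is None else now
        if len(payload) < 8 + 1 + 32:
            return None
        body, tag = payload[:-32], payload[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # MAC check comes first
            return None
        ts = struct.unpack("!Q", body[:8])[0]
        if abs(now - ts) > self.max_skew or tag in self.seen:
            return None
        self.seen.add(tag)
        return body[8:].decode("ascii", "replace")


def handle_spa(verifier, src, payload, now=None):
    """Turn an authenticated packet from `src` into an iptables command, or None."""
    command = verifier.verify(payload, now)
    return None if command is None else rule_for(command, src)


if __name__ == "__main__":
    det = KnockDetector()
    for ts, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        print(ts, port, det.observe(ts, "203.0.113.5", port))
    ver = SpaVerifier()
    pkt = build_spa("open", now=1000)
    print(handle_spa(ver, "203.0.113.5", pkt, now=1003))
    print(handle_spa(ver, "203.0.113.5", pkt, now=1004))   # replay -> None
```

Two design points matter for the "good or evil" question. The sniffer never builds a shell command from packet contents; it only selects from `ALLOWED`, so a captured or spoofed packet cannot smuggle in anything beyond "open" or "close" for its own source address. And a plain knock sequence is visible to anyone on the path and can be replayed, which is why the HMAC variant binds a timestamp into the tag and remembers tags it has already honoured.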

Denial of Service Attacks

CERT.org has an article describing the basic theory behind denial of service attacks and some precautions you can take against them.

Securing BIND

CERT.org has a paper describing how to secure BIND.

Thursday, September 25, 2003

E-mail Bombing and Spamming

CERT.org has an article about mail bombing/spamming and what you can do if you're on the receiving end of it.

Caution When Reading E-mail

One of the methods that SoBig employed to spread was social engineering. In other words, it got the user to "open" an e-mail attachment rather than exploiting a vulnerability and running itself. (Unlike the Swen worm which runs if you open or preview the message with Outlook.)

CERT.org has a decent article explaining the hazards of (and precautions for) reading e-mail with attachments.

Responding to Intrusions

CERT.org has a guide for "Responding to Intrusions".

How ISPs trace the source of Spoofed DoS attacks

myNetWatchman has an article describing how ISP's backtrace the source of spoofed denial of service attacks.

Not real in-depth but gives a good idea of how it's done.

Tuesday, September 23, 2003

Spoofed/Forged E-mail

CERT.org has an article describing spoofed/forged e-mails and what you can do about them.
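The first thing to do with a forged message is to read its Received: headers from the top down and find the point where it entered your own mail system; everything below that point was written by machines you don't control and may be invented. The following is an added example, not from the CERT article. The message, host names and addresses in it are constructed for illustration.

```python
# Added example (not CERT's text or code): walk the Received: chain of a
# message to find where it really entered your mail system. SAMPLE is a
# constructed message; every host name and address in it is an assumption.
import email
import email.utils
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.net with ESMTP id AAA111
    for <joat@example.net>; Tue, 23 Sep 2003 10:00:02 -0400
Received: from relay.example.org (unknown [198.51.100.7])
    by mx.example.net with SMTP id BBB222; Tue, 23 Sep 2003 10:00:01 -0400
Received: from mail.bank.example (mail.bank.example [203.0.113.9])
    by relay.example.org with ESMTP id CCC333; Tue, 23 Sep 2003 09:59:00 -0400
From: "Accounts" <accounts@bank.example>
To: joat@example.net
Subject: Please confirm your details

This is the body.
"""


def parse_hop(header):
    """Pull the three facts a Received: line carries that matter for tracing."""
    text = " ".join(header.split())       # unfold continuation lines
    m_from, m_by, ips = FROM_RE.search(text), BY_RE.search(text), IP_RE.findall(text)
    return {
        "from": m_from.group(1) if m_from else None,  # HELO name the peer claimed
        "ip": ips[0] if ips else None,                # address the relay actually saw
        "by": m_by.group(1) if m_by else None,        # relay that wrote this header
    }


def received_chain(raw):
    """Hops oldest first. Each relay prepends its own Received: header, so in
    the message itself the newest hop is on top."""
    msg = email.message_from_string(raw)
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def entry_ip(raw, my_domain):
    """IP that handed the message to the first relay you control, scanning
    from the newest header down. Hops older than that were recorded by
    machines you do not control and can be forged outright."""
    domain = my_domain.lstrip(".")
    mine = lambda host: host == domain or host.endswith("." + domain)
    for hop in reversed(received_chain(raw)):   # newest first
        if mine(hop["by"] or "") and not mine(hop["from"] or ""):
            return hop["ip"]
    return None


def header_sender_domain(raw):
    """Domain in the From: header; purely the sender's claim, never verified."""
    msg = email.message_from_string(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2] or None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print("%-22s -> %-18s via %s" % (hop["from"], hop["by"], hop["ip"]))
    print("claimed sender domain:", header_sender_domain(SAMPLE))
    print("handed to example.net by:", entry_ip(SAMPLE, "example.net"))
```

In the constructed message the From: header and the bottom Received: line both point at bank.example, but the only fact your own server vouches for is that 198.51.100.7 delivered it to mx.example.net. That address is the one to check against the block lists and to name in an abuse report; the bank.example line below it is just bytes the sender supplied.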

Non-HTML Popup spam

myNetWatchman has a piece about "Windows Pop-UP Spam" which gives a short history and how-to of Windows Messenger (not IM!) pop-up advertising.

Monday, September 22, 2003

Serv-U Analysis

This was more prevalent (at least around here) last year but this makes for interesting reading.

The Serv-U FTP server hack seems to be (in my experience) the most widely used hack. It's how all those IRC DCC file servers get set up for the #warez and #movie channels. They're not real hard to clean up after but they can be an embarrassment to whoever was responsible for network security in the first place (school had this, bad!).

More steg

Here's another article on steganography.

Sunday, September 21, 2003

Linux for the very paranoid

I've probably blogged this one before; if not here, then elsewhere, but it's interesting.

Tinfoil Hat Linux is a single-floppy Linux distribution for the paranoid on the go. It will allow you to boot Linux on just about any machine, grab your encrypted e-mail, read it, send replies, and move on, leaving little or no trace.

Useful if you're that paranoid person, yet another hard-to-trace problem if you're a network admin type.

We're back

We're back online! Luckily with minimal damage (knock on wood). I ended up riding the storm out in the building of one of my employers (and got paid to do it). This means that I should be able to afford at least half of the repairs.

Anyways, back to the blog...

Did I miss anything while I was offline?

Idiot's Guide to Network Analysis

myNetWatchman has a Windows-based network forensics howto entitled "Idiot's Guide to Network Analysis" which explains how to capture packets using Ethereal and network scanning with SuperScan.

Monday, September 15, 2003

The Red Scare

This is the stuff that gives security managers nightmares for decades. Arguments over disclosure aside, this sort of thing goes on constantly in industry and government. It's why the rules should be enforced, no matter who they're applied to. (Yeah, I'm taking yet another shot at Mr. Ibarra again.)

Sunday, September 14, 2003

Scan for DCOM II vulnerability

Here's a scanner which will tell you what machines on your network are vulnerable to the MS03-039 RPC exploit.

Uh oh

Let me say it now and get it out of the way.

Isabel is due to pass directly overhead sometime late Thursday so if I don't post for awhile (or if the server goes away entirely), you'll know why.

With the exception of one bad storm in the 80's, this area has dodged the bullet, more or less, for over 30 years. Local wisdom has said that we average one bad one every 15 years or so.

Me? I've been here, off and on, since '81. During the storm in '84 (I think), my property consisted of one motorcycle which I had to spend a month cleaning as it spent the storm in a parking lot approx. 100 yards from the beach (I had no chance to move it.)

After the storm, it was exactly where I left it but I spent the next month cleaning salt out of it (and the leather was ruined).

Nowadays I have a house, two vehicles, and a panicky wife. There's a good chance that my job will require me to "ride it out". I still want my wife and teenager(s) (ask me sometime), out of town.

Wish me luck.

Googlephilia

I'm #2 on Google!!!

I don't see much chance for improvement though. #1 is my blog. (heh)

Saturday, September 13, 2003

More on the worms

Stanford University has a very good page about the recent worms. Given that we're probably going to see more of these, I thought it'd be a good link to have. Of special interest: the links on the right-hand side of the page.

Just a couple worm-related things

I like bits like this (thanks blupwa!) and have noticed the following...

In the ongoing battle to detect customers' infected machines, I've come across an interesting bit: any machine infected with the Welchia/Nachi worm is left running an open TFTP server. "Open" in that it will accept any file you hand it.

I still don't know if I'm limited to a folder or if I can put it anywhere I want or pull any file I want. I'm going to have to dig out the old VMWare and try it out, I guess.
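A read-only way to check for that daemon, as an added example (not from the blog or from any published Welchia write-up): send a TFTP read request and look at what comes back. Any well-formed reply, even an error, proves a tftpd is answering on a machine that has no business running one; a DATA packet additionally proves the file is readable. The packet formats are RFC 1350; the host and file name are assumptions, and the probe deliberately never sends a write request, since writing to a suspect host alters the evidence.

```python
# Added example, not the blog's code or any Welchia tool. Formats follow
# RFC 1350; host and file name are placeholders.
import socket
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERROR_NAMES = {
    0: "not defined", 1: "file not found", 2: "access violation",
    3: "disk full", 4: "illegal operation", 5: "unknown transfer id",
    6: "file already exists", 7: "no such user",
}


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("only RRQ/WRQ are requests")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_error(code, message):
    """ERROR packet, used to abort a transfer the probe does not want to finish."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def classify_reply(data):
    """Return (verdict, detail) for a datagram received after an RRQ.
    DATA means the file is readable; ERROR still proves a daemon is answering."""
    if len(data) < 4:
        return ("malformed", "reply shorter than 4 bytes")
    opcode, arg = struct.unpack("!HH", data[:4])
    if opcode == OP_DATA:
        return ("open", "DATA block %d, %d bytes" % (arg, len(data) - 4))
    if opcode == OP_ACK:
        return ("open", "ACK block %d (server accepted a write)" % arg)
    if opcode == OP_ERROR:
        msg = data[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return ("listening", "error %d (%s): %s"
                % (arg, ERROR_NAMES.get(arg, "unknown"), msg))
    return ("unknown", "unexpected opcode %d" % opcode)


def probe(host, filename, timeout=2.0):
    """Send one RRQ and classify whatever comes back. Replies arrive from an
    ephemeral port (the server's transfer ID), not from port 69."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(OP_RRQ, filename), (host, TFTP_PORT))
        try:
            data, (rhost, rport) = sock.recvfrom(4 + 512)
        except OSError:     # timeout, or ICMP unreachable surfaced as an error
            return ("no reply", "nothing within %.1fs (closed or filtered)" % timeout)
        verdict, detail = classify_reply(data)
        if verdict == "open":
            # Tell the server to stop so it does not keep retransmitting block 1.
            sock.sendto(build_error(0, "probe only"), (rhost, rport))
        return (verdict, "%s from %s:%d" % (detail, rhost, rport))
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    name = sys.argv[2] if len(sys.argv) > 2 else "probe.txt"   # assumed file name
    print(probe(host, name))
```

Run it against a host list and treat every "open" or "listening" verdict on a workstation as a machine to pull off the wire; a "no reply" only means nothing answered on UDP 69 within the timeout, which a personal firewall can also produce.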

Friday, September 12, 2003

Learn how to count

Statistics is a wonderful thing. Someone once said that with statistics, you can make anything look the way you want it to.

This moron over at The Globe and Mail seems to think that Microsoft doesn't have the "most hacked" title. Someone want to clue him in that most "hacks" for MS are so easy that they've been automated and turned into viruses and worms. (A worm which leaves a backdoor for remote access might be called "automated break-in"?)

Why am I angry? How about THREE WEEKS of dealing with Welchia/Blaster/SoBig and its side effects? (with, quite possibly, more to come)

Faugh on marketing twisters!

Apologies

Apologies to anyone who tried to comment over the last few days. Sharing a server with a dozen or so web and hardware monkeys has its risks. Seems that someone! broke the File::Spec module while trying to upgrade something else.

Those responsible have been sacked and the moose is feeling much better now.