Stay tuned!
Monday, March 31, 2003
Config files
Take it with a grain of salt
Tomorrow is April Fool's Day (aka All Fools' Day) and things might get a bit confusing. It's become somewhat of a tradition to "spoof" news articles (usually making fantastic and almost believable claims). Don't believe anything you read tomorrow unless it's corroborated by some other mainstream media. Then again, they've often been fooled too.
Anyone want to place bets on when we'll first see "Iraq Wins War, US/Britain Surrenders!"?
Information Overload
Okay, I'm deep into the information overload which happens whenever I discover a new tech, usually Internet based, but not always. This time, I'm dragging you with me, at least for a short distance.
Bear with me for a bit, I promise I'll pare down the links on the left. It may take a bit and might get worse before it gets better. For now, you can blame it on Amphetadesk (yep, another plug).
Sunday, March 30, 2003
Just Totally Disgusting, Like Really!
Okay, I'm showing my age but I was playing around with Amphetadesk, fidgeting with the code and adding sites, when it hit me in the face like a wet fish. There are blogs devoted to B. Spears (they're listed in the "Add a Site" section) (I'm not going to add to the problem by typing her full name).
Blogs about work, yourself, or your dog are one thing. Blogs about specific other people (IMO) somehow border on cyberstalking. Placing my own glass house at dire risk, let me say that someone needs a life.
Don't believe me? Google for "spears blog". I wonder if I can get Morbus to tweak the next release to skip over B. entries?
Amphetadesk Date Mod
This mod sort of falls in with Ned Batchelder's and Morbus Iff's conversations about "Local Webservers as Applications" and "Amphetadesk Customizability".
Edit Amphetadesk/templates/default/headlines.html (in v 0.93.1). After the section which reads (the HTML inside the qq{} strings was lost when this page was archived; the anchor tag is reconstructed from the fragment that survived, the other markup is not):
# display the actual item.
to_browser(qq{\n});   # opening markup lost in the archived copy
to_browser(qq{<a href="$item->{link}" target="$link_target">\n}) if $item->{link};
to_browser(qq{ $item->{title} \n}) if $item->{title};
to_browser(qq{</a>\n}) if $item->{link};
Add the following:
if ($item->{"dc:date"}) {
    # dc:date is W3CDTF, e.g. 2003-03-30T18:05:00Z; the "T" separates date from time.
    my ($itemdate, $itemtime) = split(/T/, $item->{"dc:date"});
    $itemtime = '' unless defined $itemtime;   # some feeds send a date with no time part
    to_browser(qq{\n});                        # opening markup lost in the archived copy
    to_browser(qq{ $itemdate $itemtime });
    to_browser(qq{\n});                        # closing markup lost in the archived copy
}
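The mod above assumes every dc:date contains a "T" and echoes whatever the feed sends straight into the page. As an added Perl example (not Amphetadesk code; parse_dc_date and html_escape are hypothetical helper names), here is a stricter version that validates the W3CDTF format, handles date-only and zone-suffixed values, refuses anything else, and escapes the text before it is emitted:

```perl
#!/usr/bin/perl
# Added example, not Amphetadesk code: parse an RSS 1.0 <dc:date> value
# (W3CDTF / ISO 8601) more carefully than a bare split on "T", and escape
# the result before it goes into the generated HTML.
use strict;
use warnings;

# Hypothetical helper. Returns (date, time) for a W3CDTF value such as
# 2003-03-30T18:05:00Z, with the zone kept on the time; returns a date and
# an empty time for date-only values; returns an empty list for anything else.
sub parse_dc_date {
    my ($value) = @_;
    return () unless defined $value;
    $value =~ s/^\s+|\s+$//g;                    # trim surrounding whitespace

    # YYYY-MM-DD, optionally Thh:mm[:ss][.frac] and a Z or +hh:mm zone.
    if ($value =~ /^(\d{4}-\d{2}-\d{2})
                    (?: T (\d{2}:\d{2}(?::\d{2})?) (?:\.\d+)?
                        (Z|[+-]\d{2}:\d{2})? )?$/x) {
        my ($date, $time, $zone) = ($1, $2, $3);
        $time = '' unless defined $time;         # date-only feed entry
        $time .= " $zone" if defined $zone;
        return ($date, $time);
    }
    return ();                                   # not W3CDTF: refuse to guess
}

# Hypothetical helper: escape the characters that matter in HTML text, so a
# feed cannot inject markup through its date (or title) fields.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed sample values: three valid W3CDTF forms plus an RFC 822 pubDate,
# which is what a feed that mixes up its date elements would actually send.
for my $sample ("2003-03-30T18:05:00Z",
                "2003-03-30T18:05:00.250-05:00",
                "2003-03-30",
                "Sun, 30 Mar 2003 18:05:00 GMT") {
    my ($date, $time) = parse_dc_date($sample);
    if (defined $date) {
        my $text = length($time) ? "$date $time" : $date;
        print html_escape($text), "\n";
    } else {
        print "skipped (not W3CDTF): ", html_escape($sample), "\n";
    }
}
```

In the template, the two helpers would replace the split and the bare to_browser(qq{ $itemdate $itemtime }) line.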
Saturday, March 29, 2003
PHP Security
Friday, March 28, 2003
Faugh on Microsoft
MS Win NT, XP, & 2000 are susceptible to a vulnerability in the RPC service which listens on port 135. A specially crafted packet causes the RPC service to shutdown, effectively becoming a very economical DoS.
The part of the issue that really stinks is that, while Microsoft has provided patches for XP and 2000, there will be no patch for NT. Microsoft claims that it would be "too hard" to fix.
Yes, there is an easy work-around (if you can live without port 135) but that's not the point. In my opinion, NT owners can consider themselves abandoned.
Still think it's not that important of an issue? Well, let me try another tack...
TechNet has an explanation of how Outlook connects to Exchange. (For those of you in a hurry, click on the link entitled "An Example of RPC Client-Server Communications".) Yes, the article also states that you shouldn't expose port 135 to the Internet but you're going to have to explain that to every small business on the planet that couldn't afford (or understand) a firewall after buying NT Server, Office, and Exchange.
Keep in mind this is only one example. Microsoft systems are commonly connected directly to the Internet by organizations and individuals that don't understand the need for a firewall (or couldn't afford one at the time). TCP port 135 is tied in with the operation of DHCP, DNS, and WINS. It also carries communications between clients and IIS, Active Directory and Exchange.
The end result is that small business owners have "one more reason to upgrade" which stinks (squeeze another $5K out of a small business that is already seeing lean times). That or Bob-from-Accounting won't be able to use his Outlook client from home.
Sources:
Thursday, March 27, 2003
CNN and BBC Feeds
- CNN: http://www.newsisfree.com/HPE/xml/feeds/15/2315.xml
- BBC: http://www.bbc.co.uk/syndication/feeds/news/ukfs_news/world/rss091.xml
Wednesday, March 26, 2003
Faugh on SecFocus
Many, myself included, think this practice is dangerous and poorly designed. Example: If a hacker can gain access to my machine just because a specific feature is turned on in my web browser or mail client, I think I should know about it right away rather than quietly allowing 2-4 weeks for the commercial vendor to publish a patch. 2-4 weeks in Internet time is an eternity.
Anyways, quoting The Register:
Secunia makes no bones in saying that its Security Advisories mailing list initiative is a direct attack against competitor SecurityFocus. The Danes are highly critical of SecurityFocus and security clearing house CERT. And they hope that their Secunia mailing list will replace at the "one source of information regarding the latest vulnerabilities and the security patches released by vendors".
Hopefully, they'll live up to this one. I won't be giving up on SecFocus though; it's still a good source of information, delayed or not. I just wish they'd go back to the old interface on the web. The current one, while looking "pretty", detracts from the site's usefulness.
Tuesday, March 25, 2003
Myths About InfoSec
Monday, March 24, 2003
Perl Tutorials
Sunday, March 23, 2003
HP Error Codes
News aggregator
Features include:
- Grabber runs every two hours.
- Filters for new items, ignores the rest.
- Order follows the order in the "grab" file.
- Written in Perl and doesn't require any additional modules.
I would like:
- Order to be chronological.
- Better handling of various formats.
- Auto-truncating of long content (into a pseudo-description).
- Better handling of encoded and non-encoded content.
- A MySQL back-end (hint to the powers-that-be here!).
Eventually I'll build it into a CGI script and add a few other features. Suggestions? Comments?
DRDoS Theory
Saturday, March 22, 2003
Drawing a line in the sandbox
Ignoring that, a short extra credit quiz (1 point for each answer):
- List the companies that learned the truth the hard way after claiming that their product was hackerproof. (2 extra points if the company no longer exists.)
- List the companies that have done this more than once. (5 extra points if the company no longer exists.)
- List the companies that are likely to be on hacker radar for making this type of claim. (No points for answering the obvious.)
I guess Microsoft still hasn't learned to properly rein in their marketing types.
DEFCON Archives
Thursday, March 20, 2003
Online CISSP Quizzes
If you do take any of the quizzes, please post a few comments here about your experience.
Wednesday, March 19, 2003
Removing ^M's from text
(Using Vi) The only hard part about this is figuring out the proper key combination to generate the regular expression. To remove the ^M's, type:
:1,$s/^M//g
or
:%s/^M//g
where:
- "1,$" or "%" designates "do the following to the whole file"
- "^M" is generated by hitting "Control-V Control-M" (that's a capital V and M)
- "g" signifies "perform the substitution with every matching instance in each line"
Source: alt.unix.wizards newsgroup
Breaking the glass...
Tuesdays and Thursday are going to be light for awhile as I have class on those nights. Here's a bit of filler from the recent past:
Win32 is susceptible to a unique form of attack called a shatter attack. It involves a buffer overflow in the message queuing that occurs between onscreen windows, specifically those for user input. Chris Paget, the paper's author, states that the vulnerability is currently unfixable (requires a major rewrite in how Win32 does business). It's not as bad as it sounds though; the exploit requires physical presence at the console.
Tuesday, March 18, 2003
Forging OS Fingerprints
Why would you want to do this? How about: it's one less piece of information that you're giving to hackers. David gives additional reasons in his paper.
Monday, March 17, 2003
Place your bets now!
My question is: how long before we see pr0n blogs? (Do we call them bl0gs? b0rgs?) (heh)
Hey, we've seen spam show up in MT blogs as some miscreant tunes up his Perl scripts.
It's only a matter of time. Place your bets now!
Silly photo of the week
Did she really?
Give it to him, I mean!
The IPod, stupid! (Not it!)
Actually, it's a link to a bit about engraving your swag.
Source: http://nslog.com/archives/2003/03/16/my_ipod_engraving.php
Ganda (SwedenSux) Virus
Yet another mass mailing virus has been detected in the wild. Like others, it carries its own SMTP engine and grabs addresses out of the local Outlook address book. Side note: VE states that "initial analysis would also suggest that the sender's from: address is not spoofed."
By all appearances, this is another virus that's easily blocked by stripping executables at the gateway. As they've only captured 3 copies of the virus, analysis is still a bit thin. Read it here.
Sunday, March 16, 2003
We've been spammed
I used to run a newsgroup. It regularly got spammed. I regularly got pissed.
I used to manage a mailing list. It regularly got spammed. I regularly got pissed.
This list has been spammed 8 times in the last two days by the same person. I wonder what the laws are concerning unsolicited advertisements in personal journals with fake return addresses. Any lawyers reading this? (The list is located in Virginia.)
If anyone sees spam in the comments, please e-mail me and I'll remove it. I'm off to find the owner of the website that was advertised.
Saturday, March 15, 2003
CMS testbed
Wanted: Graphics
I'm currently searching for graphics to include in the subject line, to indicate what category each post falls into.
Help!!!
I wannabe the Guinea Pig!
TCP checksum manipulation
Supposedly, you can trace MitM attacks with it. If you actually try this, would you forward the results to me? Possibly something for the security lab at school? Definitely a good project for CISSP certification: "How to trace MitM's".
Swapping two adjacent characters
Friday, March 14, 2003
XOR Tutorial
For those of you that need to know more of the basics: try LearnTCPIP.com to learn about TCP/IP, subnetting, DNS, and the OSI model.
Shell escape to AWK
Following is a neat trick for pulling a document through awk from inside of Vi. Say you generate a file by typing:
ls -l > myfile
"myfile" then contains lines like:
-rw-rw-r-- 1 joat joat 610 Oct 29 10:28 whois
You can then generate a list of shell commands by typing:
:1,.!awk '{print "cp",$9,$9 ".bak"}'
An alternative to this is:
:%!awk '{print "cp",$9,$9".bak"}'
This takes the ninth field in each row (the file name) and inserts it into an output line with the format of
cp whois whois.bak
Source: UNIX IN THE ENTERPRISE newsletter for 13 March 2003.
If it still works, why throw it out?
For years, I used a second-hand HP DeskJet 400. It was the only printer in the house for at least 2 years and I've owned it for at least 5. After two moves and a new computer purchase, it seemed easier to just push the file across to my wife's computer and onto the printer which was part of the purchase deal. I refused to throw the old printer out on the basis that "it still works". The ink cartridge had long since dried out (I'd run it low right before a move), and I wasn't willing to risk $30 to find out that the printer was dead, so my side of the argument was on shaky ground.
This last move was to a smaller house, meaning that there are a lot of cardboard boxes still in the garage after a year. In rooting around for a screwdriver set, I came across the nice case, that comes with the printer, that protects your alternate (black or color) cartridge. Surprise! There was still a bit of liquid ink in that one! Further digging revealed a 6' printer cable and my old SMC router.
What I now have is a nice remote printer which will allow me to dump stuff to printer first thing in the morning, go get ready for work, and grab the output on my way out the door. Now all I have to do is learn how to fish cables up (or down) through the walls.
Thursday, March 13, 2003
Code Red F
A couple of news articles about older variants:
Various groups' analyses of variants:
- CERT (Code Red)
- Symantec (Code Red)
- Symantec (Code Red II)
- Steve Friedl (Code Red II) <-- more in-depth
- CAIDA <-- has analysis and animations of variants
Wednesday, March 12, 2003
SecurityFocus on IP Spoofing
Prosthetic Brain
However, this does make Logan Whitehurst somewhat of a visionary. Prosthetic Brain has been out for a couple years now. For more good/odd/silly Jr. Science, check out When Werewolves Collide, Waffle of Death and Happy Noodle vs. Sad Noodle (if you can find it) (WARNING: Happy Noodle is one of those that takes up residence in your head).
Good background noise for coding.
Tuesday, March 11, 2003
The Sky is Falling! The Sky is Falling!
"Although the experts are not yet rating this worm as a high-risk to users, the technical make-up of the Trojans it leaves behind is of concern. " To tell the truth, I don't think this worm will ever rate high on anyone's scale. It supposedly replicates by exploiting weak password protection on network shares. This has been tried before.
Botnets used in DDoS attacks we've seen before. What makes this one different? Because VNC is included? It's an interesting twist but not something that would make this a dangerous worm.
"The SANS Institute's Internet Storm Centre, a research group that monitors the Internet for attacks, have lifted their alert status from green to yellow." Really? It's green right now (20 hours after the release of the article) on both the SANS and ISC websites (okay, they're from the same source).
VNC and DDoS should not be used in the same phrase. VNC exports your desktop rather than allowing access to the services below. In other words, it allows use of your mouse and desktop and requires individual interaction with a user. While you CAN script mouse actions and key presses, I doubt it's a viable vector for DDoS attacks (remember, VNC on Microsoft boxes share a common desktop with the local user).
ZDNet, please explain! We've seen botnets before. What's worse about this worm? What's the worm's name? Why is the article so vague?
While this type of article might make for great reading amongst non-techies (and for ratings overall), it hurts the industry in the long run.
If I'm full of it, fire when ready! Otherwise, faugh!
Sunday, March 9, 2003
Playing with Amphetadesk
Now to hack it into tiny pieces and rebuild the way it should be!
Review: Paketto Keiretsu
ScanRand - A very fast stateless port scanner which can also trace routes to machines. Stateless, in this case, means that the scanner does not maintain state between sending out a packet and listening for the return from that packet. Rather, the sending portion of the program screams out query packets as fast as it can and there's a separate listener (which can be run on a different machine entirely) which records any responses and reports to the user.
Amongst the tools, this is the one that I've gotten the most use out of. Because it is much faster than nmap, it's good for initial queries across a large range of IP's.
It does have its shortcomings though. It takes a bit of experimenting to figure out a useful setting for the timer that the listener uses. Improperly configured switches (which abound) cause reporting failures. Some NIC's cannot handle the high counter turnover if you're repeatedly scanning all 65,535 ports on a large number of IP's.
MineWT - A very odd tool to have (unless you're trying to hide something). Allows multiple hosts on the same network to share an IP address. Why would you want to do this? How about: you want to download GIG's of MP3's using your employer's network but you don't want the download to be traced to your machine. MineWT effectively maps multiple MAC addresses to the same IP address and routes traffic between them.
Dan Kaminsky explains it this way: Network Address Translation maps IP's. ARP maps MAC's. MAC Address Translation (DK's term for it) combines the two.
I still haven't found time to experiment with this but will update this document when I do.
LinkCat - (lc) is to network protocols as NetCat is to network connections. You can use it to view traffic in Hex or to capture and play it back.
ParaTrace - Another traceroute utility. However, this one is "passive" in that it does not set up a TCP connection of its own. Rather, it "replays" (slightly modified) recent packets. Shortcoming: this only works for existing paths to remote machines (you have to have a connection to the remote IP) (i.e., this is path detection rather than path discovery). The author states that this is able to get past stateful firewalls (if the firewall allows a connection to an internal machine, it'll also allow the paratrace traffic).
Phentropy - Makes interesting looking pictures of TCP/IP sequence numbers. Quoting Dan Kaminsky: "This is an extension of Michal Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS." Only useful to those people who like to analyze TCP/IP stack implementations, I guess.
These tools have been out for almost a year now. I haven't seen widespread use of them probably because of their "niche uses" and/or other, more robust, tools already exist for legitimate uses. Very interesting code though.
Corporate schizophrenia
A close look at SCO's announcement doesn't help. Rather it further confuses the issue by including the following:
- "SCO is in the enviable position of owning the UNIX operating system," said Darl McBride, president and CEO, SCO.
- SCO, SCOsource, UnixWare and the associated SCO logo are trademarks or registered trademarks of Caldera International, Inc. in the U.S. and other countries.
- UNIX, used under an exclusive license, is a registered trademark of The Open Group in the United States and other countries.
- Linux is a registered trademark of Linus Torvalds.
Further questions:
- Until recently, didn't Caldera sell Linux? (Is this the reason they stopped?)
- What about Sun/Oracle/SCO/Microsoft's experimentation with Linux? Are they next?
- SCO is laying claim to all Unix. Are they going to want licensing fees from Linux users too?
- Or is all this just like the recent patent problems?
Saturday, March 8, 2003
Please bear with me...
Microsoft Root Kits
Mozilla features
First impression of TMDA
My reasons for not liking TMDA as a solution:
- Electronic mail was never designed to be "instant messaging". Depending on how the mail is handled, it can take 1-30 minutes (on a good day) for the message to be delivered. TMDA does not take into account firewalls, virus scanners, forwarders, etc.
- You want me to send another message to okay the one I just sent, just so I can get on your whitelist? grrr...
- Once I'm on your whitelist, do I get kicked off when someone gets infected with Kazaa and the virus just loves my address when forging headers of infected messages?
- The technical level of the solution will confuse the majority of the people who use e-mail. In other words, it's not "transparent" and will probably be avoided by people who have dial-ups and only use them for e-mailing out pictures of the grandkids. (This level of user vastly outnumbers the people who'd understand the use of TMDA.) (IMO)
Personally, I like spam-scoring and then sorting the flagged messages into a separate folder for manual deletion. Yeah, a few still get by the filters, but I don't lose that forwarded content that my Mom thought I'd find useful.
Friday, March 7, 2003
Posting from Perl
Thursday, March 6, 2003
InfoSec Books
Anti-Spam Research Group
The Anti-Spam Research Group (ASRG) focuses on the problem of unwanted email messages, loosely referred to as spam. The scale, growth, and effect of spam on the Internet have generated considerable interest in addressing this problem. Once considered a nuisance, spam has grown to account for a large percentage of the mail volume on the Internet. This unwanted traffic stands to affect local networks, the infrastructure, and the way that people use email.
I'm not sure if anything will come of it. My views include:
- automatic deletion of detected spam is doomed to failure as it is never 100% accurate (you still lose a few messages from Mom). Rather you should tag messages as spam, automatically move them to a separate folder, and make the user delete the messages.
- Like virus detection, it's an arms race. Spammers will always be one step ahead.
- Most of us have joined various opt-in lists via IWon, Pogo, or a vendor's site. Violent reaction to apparent spam could lead to legal problems.
So... I'm not holding my breath. I will keep my SpamAssassin config up-to-date though.
Wednesday, March 5, 2003
Cut my feet off, too!
Monday, March 3, 2003
Watch me do my headless chicken imitation!
The vendor's advisory is available here and a better explanation of the actual vulnerability is available here.
Short version: An attacker can exploit a buffer overflow via specially crafted message headers and possibly execute code due to a flawed security check in Sendmail versions 8.12.7 and below.
Really simple version: An attacker can break into your computer by sending e-mail.
I hereby invoke Godwin's Law
For the uninformed, Godwin's Law states that if at any point a conversation contains a comparison to Hitler or Nazis, any further participation in the conversation is deemed pointless and unproductive.
Sunday, March 2, 2003
Spam from the Admin.
I've actually seen this in action, as term paper spam on the local college campus: "Wired's" article on alert spamming.
The Care and Feeding of Introverts
Blogrolling
I really like Blogrolling's idea for maintaining a database of links that you can display on any web page. A really "good idea" was the bit of JavaScript code that allows you to add URL's without having to log onto their site. There are a couple of things I'd change though:
- Add the blogroll name to the button that we keep in our bookmarklets bar
- I don't like the "one blogroll unless you donate $$$" rule
As such, I'm going to be adding a script to the local server and am taking requests for features (can't let outsiders access the service but you can have the code for your own site).
Saturday, March 1, 2003
Ah, youth.
Did you say Bono?
Who's next? Sean Penn?