Thursday, July 31, 2003

Setting up a Ram Disk

Linux Focus has an article explaining how to set up a "ram disk", which allows you to allocate a chunk of memory and treat it like a virtual hard drive or floppy.

Tuesday, July 29, 2003

Plugins for Mozilla

Linux Focus has a short article explaining how to add plugins to Mozilla.

Useful if you're using Mozilla or a Mozilla-based (e.g., Galeon) browser.

Monday, July 28, 2003

You don't know where that terminal has been!

Don't touch that public terminal! You don't know where it's been!

SunSpot.net has an article about the sentencing of a hacker who logged keystrokes on 14 of Kinko's public terminals and then used one of the captured logins to access someone else's home computer via GoToMyPC (somewhat like VNC or PCAnywhere). The hacker was caught because the actual owner of the computer was sitting in front of his machine when the cursor started moving around by itself.

In other instances, sensitive corporate data has been gleaned from the convenience terminals in hotel business centers.

Think about what you're doing before using a public terminal! You don't know who's watching!

IDS Theory

Linux Focus has a two-part piece (part I, part II) explaining the theory behind Intrusion Detection Systems (IDS).

Saturday, July 26, 2003

Here it comes!

Computer Cops has a pointer to a ZDNet article which talks about the hacker group "XFocus Team" releasing the exploit code for the Microsoft RPC buffer overflow vulnerability.

This is a bad thing in a couple ways. First, it's the Microsoft RPC utility. It's responsible for all of that pop-up spam (not the browser pops but the Windows pop-ups) that has been appearing more and more as of late. Second, every version of Windows (except ME) since 95 has the darn thing.

Now that the code for the exploit is out, we'll probably see a "test" version of a worm, using the exploit, in the next few days.

Friday, July 25, 2003

Automating with SSH/SCP

Linux Focus has another article explaining how to make your systems administration life easier with SSH and SCP.

NBTScan

I can never find this when I need it (so I'm posting it here).

NBTScan is one of those tools that you come to depend on. Its main strength is being able to gather miscellaneous NetBIOS data by scanning IPs. This is what you need when you're trying to figure out what the NT hostname is at an IP address so you can point smbclient at it.

You can wrap nbtscan in a Perl script, tie it to a database and maintain a history of what machines are connected to your network. This is made even more powerful in that nbtscan can also grab the MAC address of the remote machine if it's running NetBIOS.
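Here is the wrapper the paragraph above describes, as an added example of mine (not code from the NBTScan project), written in Python rather than Perl so it runs with nothing beyond the standard library. It parses nbtscan's separator-formatted output (the `-s` option; the field order ip, name, server flag, user, MAC is assumed here and should be checked against your nbtscan version), keeps a SQLite history of which name and MAC each IP answered with, and reports new hosts and changed MACs between scans. The two scan samples are constructed, and `run_nbtscan` is only the hook you would use to feed in real output.

```python
import sqlite3
import subprocess

# Constructed sample of what "nbtscan -s : <range>" is assumed to print:
# one host per line as ip:name:server-flag:user:mac. Hosts and MACs are made up.
SCAN_DAY_ONE = """\
192.168.1.10:FILESRV:<server>:<unknown>:00:11:22:33:44:55
192.168.1.11:WS-ALICE:<server>:ALICE:00:11:22:33:44:66
192.168.1.20:PRINTER:<server>:<unknown>:00:11:22:33:44:77
"""

# Same range a day later (also constructed): a new host shows up, and 192.168.1.20
# now answers with a different MAC (a replaced printer, or something else using its address).
SCAN_DAY_TWO = """\
192.168.1.10:FILESRV:<server>:<unknown>:00:11:22:33:44:55
192.168.1.11:WS-ALICE:<server>:ALICE:00:11:22:33:44:66
192.168.1.20:PRINTER:<server>:<unknown>:00:11:22:33:44:88
192.168.1.42:UNKNOWN-PC:<server>:BOB:00:11:22:33:44:99
"""


def run_nbtscan(target, sep=":"):
    """Run the real tool against a range and return its stdout (not used by the demo)."""
    proc = subprocess.run(["nbtscan", "-s", sep, target],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_nbtscan(text, sep=":"):
    """Yield (ip, name, mac) tuples from separator-formatted nbtscan output.

    The MAC itself contains the ':' separator, so each line is split at most
    four times and whatever remains is taken as the MAC.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(sep, 4)
        if len(parts) != 5:
            continue  # not a host record (banner, error message, etc.)
        ip, name, _flag, _user, mac = parts
        yield ip, name.strip(), mac.strip().lower()


def open_history(path=":memory:"):
    """Open (or create) the SQLite history database."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS hosts (
               ip TEXT PRIMARY KEY, name TEXT, mac TEXT,
               first_seen TEXT, last_seen TEXT)"""
    )
    return conn


def record_scan(conn, scan_text, seen_at):
    """Merge one scan into the history; return the changes worth a look."""
    events = []
    for ip, name, mac in parse_nbtscan(scan_text):
        row = conn.execute("SELECT name, mac FROM hosts WHERE ip = ?", (ip,)).fetchone()
        if row is None:
            events.append(f"NEW HOST {ip} {name} {mac}")
            conn.execute("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)",
                         (ip, name, mac, seen_at, seen_at))
            continue
        old_name, old_mac = row
        if old_mac != mac:
            events.append(f"MAC CHANGE {ip}: {old_mac} -> {mac}")
        if old_name != name:
            events.append(f"NAME CHANGE {ip}: {old_name} -> {name}")
        conn.execute("UPDATE hosts SET name = ?, mac = ?, last_seen = ? WHERE ip = ?",
                     (name, mac, seen_at, ip))
    conn.commit()
    return events


def demo():
    """Feed the two constructed scans through the history; return both event lists."""
    conn = open_history()
    first = record_scan(conn, SCAN_DAY_ONE, "2003-07-25")
    second = record_scan(conn, SCAN_DAY_TWO, "2003-07-26")
    return first, second


if __name__ == "__main__":
    for day in demo():
        print("\n".join(day) or "(nothing new)")
        print("---")
```

For real use, replace the constructed samples with `run_nbtscan("192.168.1.0/24")` from a cron job and point `open_history` at a file; the first scan reports everything as new, and from then on the only output is hosts you haven't seen and addresses whose MAC changed.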

Network Hacking

They're not all that detailed, but they do give a bit of background on what a hacker does while attacking a target: Hacking Unix (Part 1) (Part 2) (Part 3)

Vi Tutorial

Linux Focus has a tutorial explaining the basics of using Vi, the ubiquitous (the only editor to be included in all Unix/Linux distributions) text editor.

This tutorial only covers basic use. If you scan the Internet for more tips and tricks, you realize that there's a lot of power under the hood with this one.

Note: this is a personal preference of mine. Any attempts at religious jousting over "which editor is better" will be ignored or deleted.

Thursday, July 24, 2003

QOTD

Phrase for the day:

I've been having to think fast-on-my-feet all day and the feet in my head are tired!

-- Me

Amazingly, the mental hot tub I needed turned out to be about 3 hours of cleaning out/rewriting DNS zone files.

Wednesday, July 23, 2003

Getting more out of the BSOD

Windows and .Net magazine has an online article entitled Inside the Blue Screen which explains the basics of how to interpret what has become a famous source of humor for MS users.

NMap Basics

Linux Focus has an article explaining the basic use of NMap, a quick and powerful port scanner/RPC scanner/OS-guesser.

Now we're being spammed by morons!!

OMG!!! I'm being spammed by an idiot now. While it does fall under the "forged header" category (which means I can sue for $$$), he's not selling anything (which means I can't sue, I think).

Anyways, following is the header and body of the message after it passed through SpamAssassin. The message purported to be from rickisok@bahn.de but actually originated from an IP address belonging to the Department of Social Security of UK!!! (Methinks that someone is testing a Jeem or SoBig worm-compromised system within the GB.)

For those of you new to reading message headers, you read the "Received" lines from the bottom up (for chronological order). I can vouch for anything generated by cox.net as being legit.
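As an added example (mine, not part of the original post), here's a script that does what the paragraph above describes: it walks the Received lines of the quoted message, vouches only for relays the post trusts (cox.net, plus the local fetchmail hop), and reports the address at which the message entered those relays. Everything below that point, and the From: line, is text the sender controlled. The trusted-suffix list and the parsing regex are my assumptions, not anything from SpamAssassin or cox.net.

```python
import re

# The Received chain and From: line from the message quoted in this post,
# copied as they appear there.
RAW_HEADERS = """\
Received: from pop.cox.east by localhost with POP3 (fetchmail-6.2.1) for joat@localhost (single-drop); Wed, 23 Jul 2003 06:30:18 -0400 (EDT)
Received: from host-148-244-152-186.block.alestra.net.mx ([200.76.178.243]) by lakemtai04.cox.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id ; Wed, 23 Jul 2003 06:24:26 -0400
Received: from vi3m.4fyzhbh.net [51.41.95.3] by host-148-244-152-186.block.alestra.net.mx id for ; Wed, 23 Jul 2003 15:09:43 +0200
From: rickisok@bahn.de
"""

# Relays whose Received: lines we vouch for (assumption: cox.net as the post says,
# plus localhost for our own fetchmail). Lines they did not write prove nothing.
TRUSTED_SUFFIXES = ("cox.net", "localhost")

HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"                # name the previous hop gave
    r"(?:\s+\(?\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\)?)?"   # address the relay actually saw
    r".*?\s+by\s+(?P<by>\S+)",                          # the relay writing this line
    re.IGNORECASE,
)


def unfold(raw):
    """Join header continuation lines so each header is a single line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the hops in header order (top of the message = latest relay)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            hops.append(m.groupdict())
    return hops


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def trace_origin(raw, suffixes=TRUSTED_SUFFIXES):
    """Walk from the latest relay down and stop at the first one we don't vouch for.

    The last trusted relay's 'from' address is as far back as the message can be
    traced; the Received: lines below it came from the sender, not from us.
    """
    hops = parse_received(raw)
    idx = 0
    while idx < len(hops) and is_trusted(hops[idx]["by"], suffixes):
        idx += 1
    trusted, unverifiable = hops[:idx], hops[idx:]
    handoff = trusted[-1] if trusted else None

    m = re.search(r"^From:.*?@([\w.-]+)", raw, re.IGNORECASE | re.MULTILINE)
    sender_domain = m.group(1).lower() if m else None

    notes = []
    if handoff and handoff["ip"]:
        notes.append(f"entered trusted relays from {handoff['ip']} "
                     f"(which called itself {handoff['helo']})")
    if handoff and sender_domain and not handoff["helo"].lower().endswith(sender_domain):
        notes.append(f"From: domain {sender_domain} does not match the delivering host")
    for hop in unverifiable:
        notes.append(f"unverifiable hop: {hop['helo']} -> {hop['by']}")
    return {
        "handoff_ip": handoff["ip"] if handoff else None,
        "handoff_helo": handoff["helo"] if handoff else None,
        "sender_domain": sender_domain,
        "unverifiable": unverifiable,
        "notes": notes,
    }


if __name__ == "__main__":
    for note in trace_origin(RAW_HEADERS)["notes"]:
        print(note)
```

Run against the headers above it reports that the message reached cox.net from 200.76.178.243, which is the only address here worth looking up; the alestra.net.mx name that host gave and the whole vi3m.4fyzhbh.net line below it were never confirmed by anyone we trust.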


Return-Path:
Received: from pop.cox.east by localhost with POP3 (fetchmail-6.2.1) for joat@localhost (single-drop); Wed, 23 Jul 2003 06:30:18 -0400 (EDT)
Received: from host-148-244-152-186.block.alestra.net.mx ([200.76.178.243]) by lakemtai04.cox.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id ; Wed, 23 Jul 2003 06:24:26 -0400
Received: from vi3m.4fyzhbh.net [51.41.95.3] by host-148-244-152-186.block.alestra.net.mx id for ; Wed, 23 Jul 2003 15:09:43 +0200
Message-ID:
From: rickisok@bahn.de
To: xxxx.xxxx@cox.net, krarge@cox.net, krastonscott@cox.net, kratten@cox.net, kraut1-9@cox.net, krawietz@cox.net, kraynekg@cox.net
Subject: *****SPAM***** Need Dimensional Warp Generator ahd
Date: Wed, 23 Jul 03 15:09:43 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: Yes, hits=4.0 required=4.0 tests=MISSING_MIMEOLE,NO_REAL_NAME,SPAM_PHRASE_02_03, SUPERLONG_LINE,SUSPICIOUS_RECIPS,USER_AGENT_OE, VERY_SUSP_RECIPS version=2.44
X-Spam-Flag: YES
X-Spam-Level: ****
X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)
X-Spam-Prev-Content-Type: multipart/alternative; boundary="E.3.EAD.3C"
X-Evolution-Source: imap://joat@127.0.0.1/

SPAM:

Blog Update

I've moved more of the links on the right-hand side of the page off to the "links" page in an effort to clean up the site a bit.

I've also added the RootSecure Vulnerabilities and Exploits feeds to the "news" page. The "news" page is getting crowded enough that I'm considering busting it up into "exploits", "news", and "vulnerabilities". What do you think?

Just for info

Just in case anyone wants to link directly to my list of InfoSec blogs (for example), the format follows:

  http://users.757.org/~joat/blog/links_infosec.php

I know, useless for the first 5.999999999 billion people on the planet, might be useful to the rest.

Amap update

Troy Jessup almost snuck two past me today. First, I find that he has a new version of Troy Jessup's Security Blog up and running (like the new format!) and second, he mentions that the new version of Amap has been posted.

Time to update your bookmarks and your software!

Tuesday, July 22, 2003

SoBig!

It used to be something that my German immigrant grandmother would say to my one-year-old cousin in a thick accent: "Sooo biick!". "Sooo biick!"

Now it's one of the headaches in my life: the SoBig worm.

Jim O'Halloran has a short piece on analysis of the SoBig worm.

This weekend's Cisco attacks

BitShift.org has a short piece and pointers discussing the Cisco router/switch exploit/attacks from this past weekend.

Monday, July 21, 2003

Defeating 802.11b Dissociation DoS Attacks

Okay, I don't understand it but it sounds like it'll be fun to learn about.

BitShift.org has an article about "Defeating 802.11b Dissociation DoS Attacks". Even lists three methods.

Looks like there's a bit of research in my near future.

Multicasting

Linux Focus has an article explaining the basics of multicasting.

While you normally wouldn't use this technology, it's a good-to-know bit of information if you work with streaming audio or video.

Sunday, July 20, 2003

Procmail

Linux Focus has an article discussing the installation and basic use of Procmail.

This is intended for Unix/Linux users who want to be able to filter their e-mail. This is a very powerful program in that you can plug all sorts of other programs into it, like SpamAssassin, virus scanners, etc.

Perl hash examples

TroubleShooters.com has a good set of examples of using Perl hashes.

IPTables tutorial

FrozenTux.net has a tutorial for IPTables.

Saturday, July 19, 2003

Using PGP to verify signatures

Computer Cops has an article about how to verify PGP signatures.

Everyone should know how to do this.

Squid basics

Linux Focus has an article which explains how to set up a Squid-based web cache.

This is useful even if you're the only one that uses it. Once you get Squid up and running, you can add in things like pop-up filters and the like.

Friday, July 18, 2003

Bad, bad author!

This one falls entirely out of the normal scope of this blog but it's the type of contest I would be submitting entries to year 'round in hopes of creating a new "most relentless" category.

http://www.bulwer-lytton.com/

Of course, this post is mostly for my own benefit.

Thursday, July 17, 2003

SpamAssassin & Mailman

One of the problems with running a mailing list is that, occasionally, spam gets onto the list. LinMagAU.org has an article explaining how to incorporate SpamAssassin into MailMan.

If anyone actually does this, how 'bout commenting about it here?

Wednesday, July 16, 2003

Intro to DNS

Linux Focus has an article explaining the basic theory behind DNS.

This is part of the underlying infrastructure of the Internet. You use it when you surf, chat, share files, or send e-mail. Without it, you have to remember a ton of IP addresses and ports.

Tuesday, July 15, 2003

Wardriving Mailing List

Michiganwireless.org has announced a new mailing list which focuses on "wardriving in general, wardriving in the media, wardriving ethics, and basically wardriving et al.".

To join the list, send a blank e-mail to:

wardriving-subscribe@michiganwireless.org.

SSH Basics

Linux Focus has an article explaining the basics for using SSH.

Yet another tool with a lot of "hidden power".

Sunday, July 13, 2003

Compiling a Linux Kernel

Linux Focus has three articles by three different authors explaining the basics behind compiling a new kernel and generating boot/root disks. They are:

More need-to-know info for administrators!

Saturday, July 12, 2003

IPv6

For those of you interested in learning about IPv6, Hurricane Electric is still offering free tunnels to the IPv6 address space. (They currently manage about 10 trillion addresses).

They have a short news article at http://www.he.com/news/article2.html.

The site to sign up for the service is at http://ipv6tb.he.net.

A good site with a LOT of IPv6 info: http://hs247.com.

Because it's a free service, Hurricane Electric doesn't spend a lot of resources supporting it. You're expected to provide your own support, including figuring out how to configure the darn thing.

For Linux: a HOWTO is at: http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO

Another good source which also has pointers for IPv6 for Windows: http://www.ch.ipv6tf.org/documents.php

Now that IPv6 compatibility requirements have been set in stone, expect to see a lot more interest (military, government, and public) in this.

Note: this does require some expertise (it's not plug-and-play).

Friday, July 11, 2003

Crypto Links

This is a very large collection of links related to security and encryption.

Thursday, July 10, 2003

Linux Name Services

As with all well-written documents, even experts can learn a thing or two by reading them. Such is the case with "Linux Name Services" at LinuxExposed.com.

Thanks to Jim O'Halloran for pointing out the site. It has a lot of decent articles.

News site

Oh, for the geek news junkies that haven't found the site yet: Meerkat.

Tuesday, July 8, 2003

Stand by for something evil

While trojans/worms that call home via IRC or IM are nasty, they're easy to trace if you have a corporate firewall policy that blocks access to those services. However, code designed to communicate directly with other compromised systems within the same IP space or via ports that are normally open (think HTTP here) is coming in the near future. The first pointers to development of these capabilities are here.

Blame RootShell for the link.

Hidden Cisco Commands

Geek Style posted a list of pointers to various lists of undocumented Cisco commands. (Look for the post entitled "Documenting the Undocumented".)

Sunday, July 6, 2003

ChkRootKit

Geek Style provided this pointer to chkrootkit, a security tool which will scan your system for (currently) 51 rootkits, worms, and LKMs.

Saturday, July 5, 2003

Take security seriously

Geek Style has a short vent/post about being serious about your security.

Just for info

Just for info. The following is the proper format for pinging blogrolling.com if you're using an older version of MT. Edit as appropriate and paste it into the "URL(s) to ping" box.

http://www.blogrolling.com/ping.php?pingform=single&title=joatBlog&url_1=http://www.757.org/~joat/blog/

Friday, July 4, 2003

Nice Titles

A comment by Brent Ashley prompted me to fix the Nice Titles thingy. The problem with my config was that I had to change the paths to the various files (relative doesn't work when your site is in a sub-directory!).

Oh and be sure to grab the semi-transparent background.

Proxies

LAMP has a good article explaining the terminology for, and basic theory behind, proxies.

I learned a new word today

Various blogs have pointed to it... The new word for the day is Glogging (cybor-Glogging. Get it?).

Thursday, July 3, 2003

Backtracking through your network

Security Focus has an article which discusses the procedures for backtracking a (possibly) compromised system in your network.

Yet another good-to-know.

Wednesday, July 2, 2003

VNC

Linux Magazine has a short article on VNC, complete with links to the different versions available.

This is one of those tools which I have conflicting opinions about. It's really nice to have if you're an admin type, but a security nightmare if someone else is using it on your network.

Back

Okay, I'm back (happily). Much as I like visiting family (and there's a lot of them), I missed the divot in my side of the mattress, my air conditioning, and the output from my coffee pot.

Had a blast though. My sister told me to aim for the high school and I arrived just in time to hear my nephew's valedictorian speech (not the one approved by the principal). Needless to say, 99% of the audience thought it was funny; the remaining two people (my aunt & uncle) were seriously scandalized. I made it to my cousin's son's birthday party and the reunion (caught up with relatives and gossip I hadn't seen/heard in years). Even got to sing Happy Birthday to my mother (yep, she's out of the hospital and recovering to the point where she's obnoxious again).

Learned some curse words in sign language.

I missed my cousin's pinning ceremony on the way back due to traffic (damned DC maintenance planners thought it would be a good idea to squeeze I-95 traffic into one lane, during rush hour, at three different locations!). (Sorry Rich!)

Anyways, I've backfilled the last few days with entries and will be digging for more new stuff over the next week (the draft pool has gotten dangerously low).

IPCrime

A good InfoSec news site: IPCrime.