Monday, September 29, 2003

Sniffers

Kevin at The Lost Olive pointed out the following:

Turns out Black Sheep Networks has an awesome collection of links, mostly security-related (hint: click on security in the main menu).

Sunday, September 28, 2003

Tweaks

When I don't have any project for the weekend, y'all suffer. (i.e., you have to put up with me playing with the features on this blog).

Changes so far:

  • Comments displayed on the main page (I think I've got it tweaked to where I want it.)
  • Trackbacks listed on the main page (requires more cosmetic tweaking)
  • Removal of the IM feature (never got much use)
  • Removal of the BlogSnob stuff
  • Added a couple buttons on the left

Under consideration:

  • Removal of links not directly related to blog.
  • Coming up with my own version of BlogRolls (why pay for something when you can write your own?)(I'm getting better with PHP!)
  • "fixing" the boxes around each entry (a few complaints about same)
  • making my aggregators available (I use 3 from various locations during the week)
  • Embedding a couple blogs in columns 1 or 3 for use as sidebars

I can "put back" anything if anyone wants (complain loudly!!).

WRT54G

You may want to hold off on buying that Linksys WRT54G until Linksys hammers out a few more bugs. I've got a laptop with a built-in 802.11b function that works perfectly with a SMC Barricade (with wireless) but refuses to work with the 54G. I can get the laptop to "see" the AP and can even sniff pings from the laptop on the desktop machine. However, the replies are not going back via the wireless interface.

I'm going to abuse the 24x7 customer support line this afternoon. I'll keep you posted.

Bloglines

In cleaning out my bookmarks folder, I re-discovered Bloglines. It's a decent on-line aggregator, especially if you log on from multiple locations during the day.

Saturday, September 27, 2003

Stealth Management of IPTables

Hacking Linux Exposed has a (now) 3-part series on "Stealthily Managing IPTables Remotely". Part 1 explains how to use Net::Pcap to sniff for certain types of packets. Part 2 explains how to run programs when those packets are seen. Part 3 describes how to send commands to the above.

Although it's not "port knocking" (which watches for a sequence of connection attempts to closed ports), it's close: in both cases the host reacts to traffic without any service listening on a port, and the series gives a good idea of what either method can do. Either way, it can be used for good (remote firewall control with no exposed daemon) or evil (a backdoor that never shows up in netstat or a port scan).

Denial of Service Attacks

CERT.org has an article describing the basic theory behind denial of service attacks and some precautions you can take against them.

Securing BIND

CERT.org has a paper describing how to secure BIND.

Thursday, September 25, 2003

E-mail Bombing and Spamming

CERT.org has an article about mail bombing/spamming and what you can do if you're on the receiving end of it.

Caution When Reading E-mail

One of the methods that SoBig employed to spread was social engineering. In other words, it got the user to "open" an e-mail attachment rather than exploiting a vulnerability and running itself. (Unlike the Swen worm, which runs automatically if you open or preview the message in an unpatched Outlook.)

CERT.org has a decent article explaining the hazards of (and precautions for) reading e-mail with attachments.

Responding to Intrusions

CERT.org has a guide for "Responding to Intrusions".

How ISPs trace the source of Spoofed DoS attacks

myNetWatchman has an article describing how ISPs backtrace the source of spoofed denial of service attacks.

Not very in-depth, but it gives a good idea of how it's done.

Tuesday, September 23, 2003

Spoofed/Forged E-mail

CERT.org has an article describing spoofed/forged e-mails and what you can do about them.

Non-HTML Popup spam

myNetWatchman has a piece about "Windows Pop-UP Spam" which gives a short history, and an explanation of the mechanics, of pop-up advertising sent via the Windows Messenger service (the one behind "net send", not the IM client).

Monday, September 22, 2003

Serv-U Analysis

This was more prevalent (at least around here) last year but this makes for interesting reading.

The Serv-U FTP server hack seems to be (in my experience) the most widely used hack. It's how all those IRC DCC file servers get set up for the #warez and #movie channels. They're not real hard to clean up after, but they can be an embarrassment to whoever was responsible for network security in the first place (school had this, bad!).

More steg

Here's another article on steganography.

Sunday, September 21, 2003

Linux for the very paranoid

I've probably blogged this one before; if not here, then elsewhere, but it's interesting.

Tinfoil Hat Linux is a single-floppy Linux distribution for the paranoid on the go. It will allow you to boot Linux on just about any machine, grab your encrypted e-mail, read it, send replies, and move on, leaving little or no trace.

Useful if you're that paranoid person, yet another hard-to-trace problem if you're a network admin type.

We're back

We're back online! Luckily with minimal damage (knock on wood). I ended up riding the storm out in the building of one of my employers (and got paid to do it). This means that I should be able to afford at least half of the repairs.

Anyways, back to the blog...

Did I miss anything while I was offline?

Idiot's Guide to Network Analysis

myNetWatchman has a Windows-based network forensics howto entitled "Idiot's Guide to Network Analysis" which explains how to capture packets using Ethereal and network scanning with SuperScan.

Monday, September 15, 2003

The Red Scare

This is the stuff that gives security managers nightmares for decades. Arguments over disclosure aside, this sort of thing goes on constantly in industry and government. It's why the rules should be enforced, no matter who they're applied to. (Yeah, I'm taking yet another shot at Mr. Ibarra again.)

Sunday, September 14, 2003

Scan for DCOM II vulnerability

Here's a scanner which will tell you which machines on your network are vulnerable to the MS03-039 RPC exploit.

Uh oh

Let me say it now and get it out of the way.

Isabel is due to pass directly overhead sometime late Thursday so if I don't post for awhile (or if the server goes away entirely), you'll know why.

With the exception of one bad storm in the 80's, this area has dodged the bullet, more or less, for over 30 years. Local wisdom has said that we average one bad one every 15 years or so.

Me? I've been here, off and on, since '81. During the storm in '84 (I think), my property consisted of one motorcycle which I had to spend a month cleaning as it spent the storm in a parking lot approx. 100 yards from the beach (I had no chance to move it.)

After the storm, it was exactly where I left it but I spent the next month cleaning salt out of it (and the leather was ruined).

Nowadays I have a house, two vehicles, and a panicky wife. There's a good chance that my job will require me to "ride it out". I still want my wife and teenager(s) (ask me sometime), out of town.

Wish me luck.

Googlephilia

I'm #2 on Google!!!

I don't see much chance for improvement though. #1 is my blog. (heh)

Saturday, September 13, 2003

More on the worms

Stanford University has a very good page about the recent worms. Given that we're probably going to see more of these, I thought it'd be a good link to have. Of special interest: the links on the right-hand side of the page.

Just a couple worm-related things

I like bits like this (thanks blupwa!) and have noticed the following...

In the ongoing battle to detect customers' infected machines, I've come across an interesting bit: any machine infected with the Welchia/Nachi worm is left running an open TFTP server. "Open" in that it will accept any file you hand it.

I still don't know if I'm limited to a folder or if I can put it anywhere I want or pull any file I want. I'm going to have to dig out the old VMWare and try it out, I guess.

Friday, September 12, 2003

Learn how to count

Statistics is a wonderful thing. Someone once said that with statistics, you can make anything look the way you want it to.

This moron over at The Globe and Mail seems to think that Microsoft doesn't have the "most hacked" title. Someone want to clue him in that most "hacks" for MS are so easy that they've been automated and turned into viruses and worms. (A worm which leaves a backdoor for remote access might be called "automated break-in"?)

Why am I angry? How about THREE WEEKS of dealing with Welchia/Blaster/SoBig and its side effects? (with, quite possibly, more to come)

Faugh on marketing twisters!

Apologies

Apologies to anyone who tried to comment over the last few days. Sharing a server with a dozen or so web and hardware monkeys has its risks. Seems that someone! broke the File::Spec module while trying to upgrade something else.

Those responsible have been sacked and the moose is feeling much better now.

The horrors to come

Up 'till now, we've had it pretty easy. Yes, even with the Blaster/Nachi/SoBig week. To date, virus writers haven't really gotten ahead of the anti-virus people. Proof? It only takes a day or so for a new signature update to come out.

The problem with most anti-virus products is that they're signature based: they only catch what they already have a pattern for. In reading various blogs, lists, and sites, the new technologies that we'll see in viruses include even better polymorphism and portless backdoors.

Polymorphism is the ability of a piece of malicious code to change its stored file's appearance from one copy to the next, usually by encrypting or compressing the real payload with a different key each time and prepending a small decoder. The bytes on disk differ while the behaviour stays the same, so a signature taken from one copy misses the next. This technology is only going to get better.
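As an added illustration (my own example, not code from any of the sources mentioned on this page): a toy "polymorphic" encoder and the two detection approaches it pits against each other. The payload, the signature and the stub marker are made up for the example, and repeating-key XOR with a fresh key per copy stands in for the encryption/compression layer a real packer would use.

```python
import os

# Constructed sample "payload" and the fixed byte pattern an AV signature
# would match on. Both are made up for this example.
PAYLOAD = b"MZ...\x90\x90call worm_main; DROP FIREWALL; spread_via_rpc()"
SIGNATURE = b"DROP FIREWALL"
STUB = b"DECODE1:"   # marker standing in for the (imaginary) decoder stub


def xor(data, key):
    """Repeating-key XOR; the simplest possible 'encryption' layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def morph(payload, key=None):
    """Produce a new generation: stub + fresh 16-byte key + encrypted body.

    Every call with a different key yields a file whose bytes differ
    everywhere after the stub, while the decoded behaviour is unchanged.
    """
    key = key or os.urandom(16)
    return STUB + key + xor(payload, key)


def decode(blob):
    """What the stub does at run time: recover the original payload."""
    if not blob.startswith(STUB):
        raise ValueError("not a morphed blob")
    key = blob[len(STUB):len(STUB) + 16]
    return xor(blob[len(STUB) + 16:], key)


def signature_detect(blob, signature=SIGNATURE):
    """Classic scanner: fixed pattern match on the bytes as stored."""
    return signature in blob


def emulating_detect(blob, signature=SIGNATURE):
    """Scanner that first runs the decoder, then matches the pattern."""
    try:
        return signature in decode(blob)
    except ValueError:
        return signature in blob


def generations(n, payload=PAYLOAD):
    """n freshly keyed copies of the same payload."""
    return [morph(payload) for _ in range(n)]
```

Running signature_detect over generations(100) returns False every time while emulating_detect returns True for all of them. The catch, and the reason this is an arms race, is that the stub itself (STUB here) becomes the next signature, so real polymorphic engines mutate the decoder too.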

Portless backdoors are something that is being developed, under the guise of a systems administrator tool, where a binary sniffs the wire for a specific pattern of traffic followed by a command, all without opening a port to listen on. Nothing is bound, so nothing shows up in netstat or a port scan.
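Here is the shape of the thing, as an added example serving both the "Stealthily Managing IPTables Remotely" entry above and this paragraph. It is my own illustrative code, not the Hacking Linux Exposed scripts (which use Perl's Net::Pcap): it parses raw Ethernet/IPv4/UDP frames, looks for a datagram whose payload carries a magic tag, a timestamp and an HMAC over an allow-listed command name, and returns the command to run. The tag, secret, time window, command table and the frames themselves are all made up for the example; on a real host the frames would come from a pcap handle or raw socket, and nothing ever binds a port.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (none of these come from the article):
MAGIC = b"KNOCK1"                 # tag that marks a trigger datagram
SECRET = b"pre-shared-secret"     # key shared by admin and listener
WINDOW = 30                       # seconds of clock skew/replay tolerated
ALLOWED = {                       # allow-list: the only things it will run
    "open-ssh": "iptables -I INPUT -p tcp --dport 22 -j ACCEPT",
    "close-ssh": "iptables -D INPUT -p tcp --dport 22 -j ACCEPT",
}


def build_trigger(cmd_name, ts, key=SECRET):
    """Sender side: MAGIC | 32-bit timestamp | command name | HMAC-SHA256."""
    body = MAGIC + struct.pack("!I", ts) + cmd_name.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_trigger(payload, now, key=SECRET, seen=None):
    """Listener side: return the allow-listed command name, or None."""
    if not payload.startswith(MAGIC) or len(payload) < len(MAGIC) + 4 + 32:
        return None
    body, mac = payload[:-32], payload[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        return None                                  # forged or tampered
    ts = struct.unpack("!I", body[6:10])[0]
    if abs(now - ts) > WINDOW:
        return None                                  # stale (replayed later)
    if seen is not None:
        if mac in seen:
            return None                              # replayed inside window
        seen.add(mac)
    name = body[10:].decode("ascii", "replace")
    return name if name in ALLOWED else None


def parse_frame(frame):
    """Pull (src_ip, dst_port, udp_payload) out of an Ethernet/IPv4/UDP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        return None                                  # not UDP
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dport, ulen = struct.unpack("!HH", udp[2:6])
    return src_ip, dport, udp[8:ulen]


def sniff(frames, now, key=SECRET):
    """Filter a stream of frames; return [(src_ip, shell command)] to run.

    With Net::Pcap or a raw socket the frames would come off the wire;
    here they are handed in as bytes so the logic runs offline.
    """
    seen, actions = set(), []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, _dport, payload = parsed
        name = check_trigger(payload, now, key, seen)
        if name:
            actions.append((src_ip, ALLOWED[name]))  # real code: subprocess.run(...)
    return actions


def udp_frame(src_ip, dst_ip, dport, payload, sport=40000):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left zero) for testing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + udp
```

Two caveats for anyone using the "good" version: with nothing bound to the destination port the kernel will answer the trigger with an ICMP port-unreachable unless the firewall DROPs it, which is a tell; and the HMAC, timestamp window and allow-list are what separate remote firewall control from an unauthenticated remote shell, so don't leave them out. From the defender's side, a host that does something in response to a packet no service on it should see is exactly the behaviour to hunt for.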

To date, worms/viruses are pretty easy to detect. How do you know if you have an infected/compromised machine on your network? It's usually doing one of three things:

  • spitting up prodigious amounts of outgoing mail
  • noisily generating traffic on some other port
  • or listening on a specific port for commands from its new master.

A portless backdoor does this by putting the local NIC into promiscuous mode (or just opening a raw socket; promiscuous mode is only needed to see traffic addressed to other hosts) and then filtering the incoming traffic. But from a virus/worm's point of view, this is a good thing, as promiscuous interfaces are much harder to detect than open ports, remotely or otherwise. (We're going to have to get a lot better at detecting promiscuous interfaces! Locally the flag shows up as PROMISC in ifconfig or "ip link" output, assuming the box's own tools and kernel haven't been tampered with.)

Given that the recent versions of malicious code already know how to turn off virus scanners and firewalls, things are going to get a whole lot darker before things improve.

Sources:

BSDi retiring!?

Wind River is retiring!!??

It'll be sorely missed. IMHO, BSDi was the only implementation of ANY operating system that had a decent TCP/IP stack interface.

Proof? Running DNS on any operating system, MS and Linux included. While every other OS operated at 50% or higher loading while serving 30K users, BSDi barely hit 4% consistently.

Hopefully the code will be made available to other projects (not necessarily open source) so that we can continue to enjoy the level of performance provided by the current versions of BSDi.

Thursday, September 11, 2003

Here it comes again!

Bow before the great hacker god! Uh, not facing towards him!

Stand by, people! Here it comes again. (I'd have blogged about this earlier but I was in class when I found out about it.) Microsoft has announced two more RPC vulnerabilities (MS03-039) and released the patches. Supposedly the exploit code is already on the street (meaning that both the hackers and Microsoft have known about the vulnerability for a bit).

Now that it's public knowledge, it won't be long before some mouth breather "adapts" the Blaster worm to use the new exploit. Amongst the various people I've talked to so far, the general groupings in the worm pool say, 2 days or just shy of 2 weeks.

Patch your boxes now and block the usual MS RPC ports (TCP and UDP 135, 139 and 445, plus TCP 593) at the border!

Read about it here, here, here, here and here.

Note that in the PC World article, the Microsoft rep takes the "ignorant" approach in the last three sentences, after claiming that the vulnerabilities were discovered internally as well as by independent sources. Nothing like being truthful, huh?

Misc. notes:

  • the associated DoS exploit is already out
  • the most capable version of the original RPC exploit that I've found via Google is able to attack 48 different versions of MS Windows.
  • According to various hints on the Full-Disclosure list, the exploit has been out for ~3 weeks

Wednesday, September 10, 2003

Legal MP3's

Kuro5hin has a long piece on legal alternatives to trading in pirated MP3's.

Why the blackbox approach is not a good idea...

If you've been following my rants of late, you can guess where this one is going....

Even taking into account the inertia inherent in corporate thinking, it looks like management might be realizing that blindly trusting in vendor software might not be a good thing.

For any system to be truly reactive, it must be adaptive. This means that you not only have to have the software, you need the trained personnel. A big plus is having a system that is easily "adapted" to meet situational needs. Unfortunately this rules out just about every piece of commercial software, because its API (or underpinnings) is closed (proprietary).

To date, the most successfully resistant system that I've witnessed in action was a hybrid *nix/MS mix in which the system administrators constantly (let me say it again, CONSTANTLY) monitored their servers and actively responded to new situations. While the end-point was an Exchange server, immediately upstream was a Unix-based Sendmail server which "protected" the Exchange box from viruses (TWO scanners) and UBE (SpamAssassin). All of this was tied together with various Perl scripts which allowed the entire system to be twisted to meet the situational needs of just about any virus attack.

With the Aplore virus, this system protected its 30k+ customers within the first ten minutes of the spike in traffic. None of the customers had to go offline until their anti-virus vendors came up with new signature files. Rather, the heroic efforts of "Steve" (manually deleting infected files on the store-and-forward server while the coder was coming up with a solution) allowed our customers' servers to stay online while other organizational systems were taken offline to protect themselves. The anti-virus vendor came up with new signature files about 36 hours later.

Tuesday, September 9, 2003

Math

Okay, it's an odd one for this site, but I just know I'm going to need it in the future: WebMath.

Linksys WRT54G

I'm saving for one of these so I can do just that.

Sunday, September 7, 2003

Ports listing

I've added a "Ports" option to the menu bar. Thanks to my hosts at 757.org, I now have access to a database and have moved my ports database onto the server. I'll leave it up as long as its use doesn't become an issue. I've attempted to sanitize any "fingerprints" that get included.

Let me know what you think? Suggestions? Content?

Saturday, September 6, 2003

Why your e-mail is slow (or Dammit! It's not an IM!)

The managers at work held an emergency meeting yesterday. We're seeing these often enough that we're calling them the Friday afternoon meltdown. The cause of this one? The level one helpdesk drone flubbing an explanation (to a senior person) as to why incoming e-mail is being delayed up to 12 hours. He finally gave up and said "It's a massive virus infection." (without adding that it was everyone else on the planet that had the infection. We don't.) So, to practice for Monday morning, let me see if I can do better...

1) E-mail is handled by a number of machines as it goes from point A to point B. When user A hits send, the message gets deposited on his local server.

2) That server may scan the mail for viruses/spam/inappropriate content before dumping it in the outgoing queue (a folder or directory on the hard drive). Normally that queue gets processed every five minutes or so; depending on system load, this time period is variable.

3) The local mail server then hands the mail off to the next server (usually the site's firewall or mail gateway), which puts the mail through a similar scan, queue, and forward process until

4) The previous step is repeated as the message passes from the local network and onto the Internet, then onto the recipient's network until

5) the e-mail is received at user B's local mail server.

Depending on the size of the organizations involved, this can happen up to or over 25 times (think about the number of places/people involved in delivering a hand-written letter to Aunt Sophie on the other side of the country).

Mail servers are designed to alter their behaviour depending on their current processing load. (This applies to Exchange, Sendmail, and Postfix as well as just about any other MTA.) Above a certain load, a mail server will answer the delivering MTA with a temporary failure (a 4xx reply) so that the sender holds the message in its own queue and retries later while the local server catches up on its own deliveries. Every retry interval adds to the delay.

Now mix in the SoBig virus. This thing has even outperformed Klez in the sheer volume of infected traffic generated. Given a file size of about 72K and approximately 1,000 infected messages per day for a small-to-medium-sized organization, that's a processing requirement of about 72 MB per day, every byte of which also has to go through the virus scanner. Throw THAT on top of the organization's normal mail traffic and mix in the usual bandwidth requirements for web browsing abuse, audio streaming, P2P file trading, and the ongoing problem with Blaster/Welchia. What you get is any under-sized gateway and/or gateway servers (mail handling devices in this case) slowing down delivery of mail.

Want to figure out which server caused your mail to be delivered late? Read the message header. Each server the message passes through adds a "Received:" line stamped with the time it accepted the message; the newest is at the top, so read them bottom-up and compare the timestamps from one hop to the next. The big gap is where it sat in a queue. One thing to remember, though: not everyone keeps their system clocks set properly, so a negative or impossible gap is a clock problem, not a fast server.

Overall, given the havoc being created by Welchia/SoBig and any organization's tendency to spend the least amount of money possible when buying IT equipment, count yourself lucky that it only took 12 hours for you to get your e-mail. Want something faster? Try using IM or the telephone!
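To make the header-reading step concrete, here is an added example (my own code, not from the original post) that pulls the Received: lines out of a message, orders them oldest-first and reports how long the message sat at each hop. The message, hostnames, addresses and timestamps are constructed for the example; it uses only the Python standard library's email parser.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: three hops, with a 12-hour wait at mx2.example.net.
# Hosts, addresses and times are made up for this example.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org (Postfix) with ESMTP id 4C2A1B3F
\tfor <bob@example.org>; Sat, 6 Sep 2003 14:05:10 -0400
Received: from gw.example.com ([198.51.100.7])
\tby mx2.example.net (8.12.9) with ESMTP; Sat, 6 Sep 2003 02:03:40 -0400
Received: from desktop.example.com (desktop.example.com [10.1.2.3])
\tby gw.example.com (Sendmail) with ESMTP; Sat, 6 Sep 2003 01:58:00 -0400
From: alice@example.com
To: bob@example.org
Subject: where is my mail?

hello
"""


def received_hops(raw):
    """Parse the Received: headers into hops, oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())             # unfold continuation lines
        when = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        if when.tzinfo is None:                    # "-0000" dates come back naive
            when = when.replace(tzinfo=timezone.utc)
        by = re.search(r"\bby\s+(\S+)", text)
        frm = re.search(r"^from\s+(\S+)", text)
        hops.append({"from": frm.group(1) if frm else "?",
                     "by": by.group(1) if by else "?", "time": when})
    hops.reverse()                                 # top header = last hop
    return hops


def hop_delays(raw):
    """Seconds the message spent at each server before the next one took it."""
    hops = received_hops(raw)
    out = []
    for here, nxt in zip(hops, hops[1:]):
        secs = (nxt["time"] - here["time"]).total_seconds()
        out.append({"host": here["by"], "next": nxt["by"], "seconds": secs,
                    "clock_skew": secs < 0})       # negative = someone's clock is off
    return out


def slowest_hop(raw):
    """The hop with the largest positive gap, i.e. where the message queued."""
    delays = hop_delays(raw)
    return max(delays, key=lambda d: d["seconds"]) if delays else None
```

Two things the numbers don't tell you: only the Received: lines added by servers you trust are reliable (anyone can prepend fake ones before handing the message over), and a gap of a few minutes per hop is the normal queue-run interval, not a problem.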

Friday, September 5, 2003

This one gives me a headache...

This one gives me a headache every time I read it. Why not just erase all of your illegal MP3's and not tell anyone?

Things that worry me:

  • RIAA is not a law enforcement agency so any laws that would normally apply don't
  • Because this is effectively an admission of guilt to a third party, your expectation of privacy is virtually nil.
  • They want to know what you look like.

Not that I condone piracy. I don't. (I've participated in at least two projects which have gone private with no credit). It's just that I'm a bit confused in trying to figure out how stupid the RIAA thinks the average pirate is. Give us all the information we need to apprehend you and we'll forgive you?

I wonder how many entries they'll receive for the following people:

  • Hillary Rosen
  • Mitch Bainwol
  • Kibo
  • Bob
  • The Easter Bunny
  • Fluffi Bunni
  • Santa Claus
  • etc., etc., etc.

You turned yourself in? Did you get a contract from the RIAA stating that you've been given amnesty?

Honeynet Scan of the Month

From the ISN Mailing List:

Date: Mon, 1 Sep 2003 17:25:34 -0500
From: Brian Carrier
To: Forensics , honeypots@securityfocus.com
Subject: Honeynet Scan of The Month #29

The latest Honeynet Project's Scan of the Month has finally been
released. We think you will find that it was worth the wait though.

Your mission is to conduct incident response and analyze a live image
of a compromised Linux Red Hat 7.2 system. Using VMWare, the honeypot
system was suspended and the challenge is to verify the incident and
analyze it, while minimizing the impact you have on the potential
evidence. An eval copy of VMWare workstation can be used for the
challenge.

The image details and a full list of questions can be found at:

http://www.honeynet.org/scans/scan29/

Because of the amount of work involved in this challenge, a full month
will be given. All submissions must be returned no later than 23:00
GMT September 29, 2003.

thanks,
Brian Carrier


The Honeynet Scan of the Month is to forensics types as the free-weight room is to bodybuilders. Various abilities and group efforts are welcome (unless otherwise stated in the intro for the month's contest).

Thursday, September 4, 2003

Shell scripting

Here's a short tutorial on shell scripting.

Well, gee.... Duh!

Okay, mebbe I burned out too many brain cells this past weekend taking those tests. Or maybe I've been pretty dim all along.

I'd bought one of the original LinkSys BEFSX41's (old enough not to have a "version") for my home network. Somewhere along the line, it started acting up, dropping the internal connection and refusing to talk to my computer. Tonight I accidentally left my only other router at school and was forced to try the LinkSys again. POS dropped out after 10 minutes and then wouldn't stay up for more than a minute or two if I left it connected to the cable provider.

So... after unplugging the provider and rebooting the router, I went through each menu option, examining ALL of the settings. Damned if I didn't find both options for UPnP turned on. Since then I've been online for over 30 minutes.

I'm keeping my fingers crossed and hoping it'll still be working in the morning. If my wife discovers that she's going to have to spend the day offline because of "no router", there'll be hell to pay.

Wednesday, September 3, 2003

Interacting with SMTP

This explains how to interact with SMTP by hand, either to test if a server is working correctly or to send a fake e-mail. (Note: the server records the IP address the connection actually came from, both in its logs and in the "Received:" header it stamps on the message, so anyone who can read a message header and has access to the server logs can trace a faked message back. The HELO name and the MAIL FROM address are only what the client claimed.)
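As an added example (my own code, not from the linked article), here is that exchange with both sides in memory: a toy SMTP responder that accepts one message the way a hand-typed session would go, and a client script that forges the sender. The server name, the client's claimed hostname, the addresses and the peer IP are all made up. The point to notice is the Received: line the server writes: the HELO name and envelope sender are whatever the client typed, but the IP in brackets is what the server actually saw.

```python
from datetime import datetime, timezone
from email.utils import format_datetime


class TinySMTP:
    """Toy SMTP responder: just enough of the protocol to take one message.

    It plays the server side of a hand-typed session (HELO, MAIL FROM,
    RCPT TO, DATA, QUIT) and, like a real MTA, records where the
    connection actually came from in a Received: header.
    """

    def __init__(self, hostname, peer_ip, now=None):
        self.hostname, self.peer_ip = hostname, peer_ip
        self.now = now or datetime.now(timezone.utc)
        self.helo, self.sender, self.rcpts = None, None, []
        self.in_data, self.lines, self.messages = False, [], []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        """Handle one client line; return the reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":                         # end of message body
                self.in_data = False
                self.messages.append(self._stamp())
                self.sender, self.rcpts, self.lines = None, [], []
                return "250 OK: queued"
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()                 # client's claim, unverified
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send HELO first"
            self.sender = arg.split(":", 1)[-1].strip()   # also unverified
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            self.rcpts.append(arg.split(":", 1)[-1].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"

    def _stamp(self):
        # The HELO name is what the client said; the peer IP is what the
        # server saw. The latter is what gets traced back.
        hdr = (f"Received: from {self.helo} ([{self.peer_ip}]) "
               f"by {self.hostname} with SMTP; {format_datetime(self.now)}")
        return hdr + "\r\n" + "\r\n".join(self.lines)


def run_session(server, client_lines):
    """Drive a session; return the transcript as (side, line) pairs."""
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.feed(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


# Constructed session: a forged "From:" sent through a made-up server.
FORGED = ["HELO mail.bank.example", "MAIL FROM:<ceo@bank.example>",
          "RCPT TO:<bob@example.org>", "DATA",
          "From: The CEO <ceo@bank.example>", "To: bob@example.org",
          "Subject: urgent", "", "Please wire the money today.", ".", "QUIT"]
```

Feeding FORGED to TinySMTP("mx.example.org", "203.0.113.9") queues a message whose first line reads "Received: from mail.bank.example ([203.0.113.9]) by mx.example.org ...", which is exactly the mismatch (claimed bank hostname, unrelated source address) that gives a forged message away.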

Tuesday, September 2, 2003

Serialized geek mysteries...

I freely admit it. I am a techno-mystery/adventure junkie. I like Tom Clancy (the Jack stuff) and Neal Stephenson, etc. I even like CSI, though I know most of it is faked.

For the blog version of techno adventure read "A Day in the Life...". I can't vouch if the situations are real or not but they're written well enough that I'm looking forward to the next installment of "Mysteriously Missing Records". (heh)

Monday, September 1, 2003

Why hate?

Phil Karn has ranted about Microsoft's lack of security.

He doesn't use Microsoft OS's but Microsoft used some of his public domain code in XP, so his e-mail address was included in the local license file. If anyone doesn't remember what the Klez (and other) worm(s) do, part of it scans the local hard drive for e-mail addresses to use in the "To:" and "From:" lines of infected messages. The end result: Phil and the three other guys who wrote "free" code have been pounded on by just about every infected XP user.

I'd be pissed, too. Actually, after two arguments at work about this, I'll go stand on Phil's side of the line. Someone actually said that "Microsoft is the source of all this malicious code because of their market share". They're the victim?!??!

#*@:!!!! <--- replace with your favorite multi-syllable expletive

Market share is only part of the reason, possibly a small part of the reason. The major part of the reason is that Microsoft has tied all of their software together and have done it so insecurely that it's like dog poop on the sidewalk. Leave it there long enough and you'll get crawly things in it.

(Don't believe me. Okay, MS SQL doesn't have that big of a market share. Why hasn't an Oracle worm prevented me from getting money from an ATM and hopping on a plane?)

For the rest of my rant, keep this paradigm in mind: security depends on simplicity.

The more complicated a software product is, the more likely it is that the product contains exploitable bugs. Adding features, even if they're security features, only makes the code more complicated and, past a certain point, may seriously affect how code works in other portions of the program. (What, no one has installed an MS patch and been surprised by a registry setting change or a failure in some other program?)

(In my opinion) Any claims that Microsoft makes about increasing security by taking a month off to review code and then returning to churning out new features is totally bogus. To increase security, they're also going to have to take a look at how their code interacts! If the OS was a house, it would have slid off of its foundations long ago.

Why am I pissed? Why "hate"? Try two solid weeks of Blaster/Welchia/SoBig side effects combined with the usual inter-org politics and under-caffeinated moodiness. No, the NOC doesn't use MS, but 90% of the customers do.

I hereby curse Alexander Graham Bell for commercializing the telephone (I don't want to get into the argument about who actually invented it.)

I win $.25

I had bet $.25 in a one-person pool that the blackout was somehow related to the recent worm problem. Since I am sole bookie and bettor in this gambling organization, I hereby declare myself as the winner. (heh)

Computer World has an article which describes how the Blaster worm contributed to the severity of the power failure.

Seems that the worm delayed the signals between the power plants long enough to cause the automatic protections to run outside of specifications. Think of a public address system with run-away feedback. It's a sign of being unbalanced. The system actually oscillates and throws subsystems off. It's a result of engineers designing a system around what they think will be "normal" stresses to a system and not taking into account what is deemed unlikely. Protecting against the unlikely is usually not cost effective (i.e., no return on an expensive process.).

This is part of vulnerability analysis: reviewing what normal processes of a system are, what abnormal processes a system is designed to handle, and what abnormal processes the system is not designed to handle.

Unfortunately it is very difficult, if not impossible, to foresee every possible vulnerability a system has. (Note: Mother Nature/Fate/Kismet often displays those unforeseen processes for us.)