Sunday, November 30, 2003
And the award for Stupid Idea of the Year goes to....
Anti-honeypot Tool
Seems that the spammers are developing tools of their own. First the anti-spammer groups set up honeypots whose objective was to tie up and/or detect spam sources. The spammers have responded with "Send-Safe", a honeypot hunter.
I especially like the wording of the product description:
Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called "honey pots". "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.
"Attempting to frame bulkers" indeed. If you're using resources other than your own to spam the planet, there's a problem. "Attempting to frame bulkers" gives the impression that you have a legitimate right to other people's systems. That phrase should read "Attempt to catch resource thieves". If I catch you using mine, I'm going to do my darndest to make your life hell.
Funny part about it is that they want $299.00 for the program. Must be no honor amongst thieves?
How to file a complaint
Normally I just filter and delete the spam but I've received a particularly distasteful one (Brazilian kiddie porn) which I'm going to file a complaint about. You can follow along as I whine to customer support about a message entitled "joat, welcome to Ped0Wor1d ayuGYoaf".
First, we need to take a look at the message header. Other than changing my account name (to block account scrapers), the header is as-is from the message.
Return-Path:
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
 for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
 for
 ; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
Subject: joat, welcome to Ped0Wor1d ayuGYoaf
To: joat
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=2.1 required=3.0
 tests=BIG_FONT,CTYPE_JUST_HTML,HTML_FONT_COLOR_BLUE,
 HTML_FONT_COLOR_MAGENTA,HTML_FONT_COLOR_NAME,IN_REP_TO,
 NO_REAL_NAME,REFERENCES,SPAM_PHRASE_00_01,TO_LOCALPART_EQ_REAL version=2.44
X-Spam-Level: **
X-Spambayes-Classification: ham; 0.07
Notice the two "Received:" lines.
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
 for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id
 for
 ; Sat, 29 Nov 2003 21:32:16 -0500
Unless one or more of them have been badly forged, "Received:" lines are normally in reverse chronological order (each relay adds its line at the top). When backtracing spam, you work in the same order, verifying each line until you reach the line that doesn't "read" correctly. Since there are only two lines in this instance, it is very easy to trace this one back to its source.
The first "Received:" line is a normal entry, generated by my instance of fetchmail.
Right away, the second line has an error in it that sticks out: the connection is not from the domain it claims to be from (CompuServe). Rather, Cox's mail server recorded an IP of 12.229.105.222 as making the connection. It's also significant that the "Return-Path:" address is not CompuServe either.
Finally, the lack of any other "Received:" line is also significant. Normally you would have a client-to-server entry followed by a server-to-Cox-server entry to show that the mail was generated by a mail client and uploaded to the sender's mail server before that server "talked" to Cox. (Too confusing?)
What this means is that a program connected directly to Cox's mail server to generate the mail. In other words, a non-MTA program connected to port 25 on Cox's mail server and "typed the message directly onto the server". This is a technique that system administrators use in troubleshooting mail delivery. Anyone know of spammer programs that use mail lists, do MX lookups, and connect directly to the applicable mail servers?
Anyways, we can still trust most of the second line. Except for "from compuserve.com", the line is generated by the Cox mail server. The IP address is significant in that a reverse lookup reveals that it's an ATT IP address:
$ nslookup 12.229.105.222
222.105.229.12.in-addr.arpa name = 12-229-105-222.client.attbi.com.
Note that if you don't have "nslookup" or "whois", SamSpade.org has a nice web-based version.
A WHOIS lookup returns the following:
$ whois 12.229.105.222
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Comcast Corporation COMCAST-12-229-96-0-WASHINGTON (NET-12-229-96-0-1)
12.229.96.0 - 12.229.127.255
This indicates that while AT&T owns the IP address, they "sublet" the chunk which our suspect IP belongs in to Comcast Corporation. Note the "NET-12-229-96-0-1" in parentheses. We can do another WHOIS lookup on this to get:
$ whois NET-12-229-96-0-1
CustName: Comcast Corporation
Address: 1500 Market Street
City: Philadelphia
StateProv: PA
PostalCode: 19102
Country: US
RegDate: 2003-10-10
Updated: 2003-10-10
NetRange: 12.229.96.0 - 12.229.127.255
CIDR: 12.229.96.0/19
NetName: COMCAST-12-229-96-0-WASHINGTON
NetHandle: NET-12-229-96-0-1
Parent: NET-12-0-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-10-10
Updated: 2003-10-10
TechHandle: DK71-ARIN
TechName: Kostick, Deirdre
TechPhone: +1-919-319-8249
TechEmail: help@ip.att.net
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: abuse@att.net
OrgTechHandle: ICC-ARIN
OrgTechName: IP Customer Care
OrgTechPhone: +1-888-613-6330
OrgTechEmail: qhoang@att.com
OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone: +1-888-613-6330
OrgTechEmail: swipid@nipaweb.vip.att.net
This gives us the address to send our complaint to: "abuse@att.net".
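The header walk and WHOIS step above, as an added example (this is not code from the original post): it parses the message's "Received:" lines newest-first, reports the IP recorded by the oldest SMTP hop, checks the Return-Path, From and announced (HELO) domains against each other, flags the "only one SMTP hop" pattern, and pulls the abuse mailbox out of pasted WHOIS output. The header block and WHOIS text are constructed from the post (the fields that were blank on the page are left out); the nslookup and whois lookups themselves are run out of band and their output pasted in.

```python
"""Trace a spam message back to its injection point, the way the post does by hand.
Added example, not the post's own code. Sample data is constructed from the post."""
import email
import re

# Constructed from the post's header block; recipient, SMTP id and Message-ID
# were blank on the page and are omitted here.
RAW_MESSAGE = """\
Return-Path: <mrg@simplewire.com>
Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)
 for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)
Received: from compuserve.com ([12.229.105.222]) by lakemtai06.cox.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP
 for joat; Sat, 29 Nov 2003 21:32:16 -0500
Date: Sun, 30 Nov 2003 03:31:53 +0000
From: mrg@simplewire.com
Subject: joat, welcome to Ped0Wor1d ayuGYoaf
To: joat
MIME-Version: 1.0
Content-Type: text/html

(body omitted)
"""

# Constructed from the post's "whois NET-12-229-96-0-1" output (trimmed).
WHOIS_TEXT = """\
CustName: Comcast Corporation
NetRange: 12.229.96.0 - 12.229.127.255
CIDR: 12.229.96.0/19
NetName: COMCAST-12-229-96-0-WASHINGTON
NetHandle: NET-12-229-96-0-1
Parent: NET-12-0-0-0-1
NetType: Reassigned
TechEmail: help@ip.att.net
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbuseEmail: abuse@att.net
OrgTechEmail: qhoang@att.com
"""

# "from <announced name> ([<recorded ip>]) by <receiving host>"; the IP part is
# optional because local pickups (fetchmail's POP3 hop) record none.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hops(raw):
    """Return the Received: hops in header order (newest relay first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({"claimed": m["claimed"], "ip": m["ip"], "by": m["by"], "when": stamp})
    return hops


def external_hops(hops):
    """Hops where the receiving server recorded a peer IP (real SMTP connections)."""
    return [h for h in hops if h["ip"]]


def injection_ip(raw):
    """IP recorded by the oldest SMTP hop: the host that handed the mail in.
    Lines are prepended by each relay, so the last hop with an IP is the origin."""
    ext = external_hops(parse_hops(raw))
    return ext[-1]["ip"] if ext else None


def origin_claims(raw):
    """Domains the message itself claims as its origin, for the conflict check."""
    msg = email.message_from_string(raw)
    hops = external_hops(parse_hops(raw))

    def domain(addr):
        m = re.search(r"@([\w.-]+)", addr or "")
        return m.group(1).lower() if m else None

    return {"return_path": domain(msg.get("Return-Path")),
            "from": domain(msg.get("From")),
            "helo": hops[-1]["claimed"].lower() if hops else None}


def direct_to_mx(raw):
    """True when only one SMTP hop exists: something connected straight to the
    recipient ISP's server instead of relaying through a sender-side MTA."""
    return len(external_hops(parse_hops(raw))) == 1


def abuse_contact(whois_text):
    """Pull the registry abuse mailbox out of 'Key: value' WHOIS output."""
    fields = {}
    for line in whois_text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields.get("OrgAbuseEmail") or fields.get("TechEmail")


if __name__ == "__main__":
    print("injection IP  :", injection_ip(RAW_MESSAGE))
    print("claimed origin:", origin_claims(RAW_MESSAGE))
    print("direct to MX  :", direct_to_mx(RAW_MESSAGE))
    print("complain to   :", abuse_contact(WHOIS_TEXT))
```

The script deliberately trusts only what the receiving server wrote (the bracketed IP and the "by" host); the announced name after "from" is whatever the connecting side typed, which is why it is compared against the Return-Path and From domains rather than believed.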
The trick to filing a complaint of this type is to be polite and to present all of the facts (as we've done above). It's also a good idea to provide the original message, with headers, as an attachment to the complaint. You also want to give the ISP an "out" in this case as it may be a hacked box on the far end.
The wording of my complaint (which I've just sent):
To whom it may concern,
Please forward the following to your Abuse and Security departments.
Please find attached an unsolicited (and particularly distasteful) pornographic e-mail advertisement (porn spam) that showed up in my inbox. Various things about the headers are notable:
1) The "Return-Path", the source IP, and the source hostname all conflict. That is: "mrg@simplewire.com", "compuserve.com", and "12.229.105.222" respectively.
2) There are no other "Received:" lines other than the one generated by my Fetchmail utility (which I will vouch for the accuracy of) and the one generated by my ISP's (Cox) mailserver. This is indicative of a program connecting directly to Cox's mail server.
The IP recorded by Cox's mail server belongs to one of your customers. Please determine whether the user at that IP is running a spamming program or if it has been compromised by a trojan or worm which allows spammers to use it in a similar manner.
Respectfully,
One side "thought" generated by all of this. When the new federal anti-spam law goes into effect, there's going to be some trouble. There's a strong possibility that this source IP is infected with something similar to the Jeem trojan, which allows for remote control spamming. Given that law enforcement is in a constant game of technological "catch-up" with hackers/spammers, I hope they learn how to read and interpret message headers before throwing some poor church-going Granny in the slammer for spamming the planet with "l33t pr0n".
IPSec Troubleshooting Guide
Thumb Drive Prices
Went window shopping at a few stores yesterday to price a replacement hard drive and noticed that two of the larger chains are now selling 128M thumb drives for about $58.00 US. Saw a 64M USB v1 one for less than $20.00.
Until recently, it'd seemed that the price was never going to go under $1.00/M.
Saturday, November 29, 2003
Nessus
Some organizations use it instead of ISS as its attack database is generally larger and more up-to-date. The drawback is that it also can do damage in its penetration testing if you're not careful (there are switches to disable the more brutish attacks).
Update: Bowulf has a piece in which he indicates that you can avoid the setup and configuration of Linux and Nessus by using Knoppix STD. The only thing you have to worry about otherwise is gathering the updated NASL signature files.
Hint: you can add them to the distribution prior to burning the ISO by mounting it via the loopback device. (If there's enough room.) For Linux, try
mount cdimage.raw -r -t iso9660 -o loop /mnt
AES Encryption
Friday, November 28, 2003
Writing your name in the snow
In the last few years, Netcraft took a beating from the more zealous side of the Open Source house for saying various nice things about Microsoft and IIS. They were even accused of taking money to produce a slanted survey. Here's another similar situation...
NetCraft has stated that Apache runs on the majority of the web sites on the Internet (and has done so since some time mid-Feb 1996). Now there's an org called Port80 Software that says some pretty nasty things about NetCraft. It appears that they're trying the old "running for office campaign" strategy in which the main tactic is to say negative things about the other guy.
Actually, if you read closely, both reports could be true. In other words, it's very likely that IIS has the majority of the Fortune 1000 corporate server realm while Apache has the overall lead. (Hey, at one point I was responsible for 8 individual web servers, only one of them corporate, and none of them IIS.) The problem I have is with the slights thrown in the article which attempts to give NetCraft (I can't believe I'm defending their tactics) a black eye.
I was suspicious enough of the main article to look at it even closer. If you look at the data, port80 only looked at the top 1000 corporations. In this case, "top 1000" is the "Fortune 1000" corporate listing. That means that out of the 30298060 web sites polled by NetCraft, port80 says only a specific 1000 of them "count" so that they can declare that IIS has a majority. (Aside: It could also mean that a majority of the Fortune 1000 CIOs saw the "no one's been down to the server room in days" commercial and were gullible enough to believe it.)
Thank God for "Lies, Damn Lies and Statistics"?
Nothing like leveraging off of someone else's reputation, huh?
Thursday, November 27, 2003
System Administration and Security
Should I select the same service provider to manage both IT services and security services?
No, absolutely not. System administrators that also understand security are rare and (usually) highly paid. Unless your system administrator has been around the block quite a few times (able to stand up servers using three or more OS's), it's usually a safe bet that they will attempt to do EVERYTHING using the same OS. You end up with a monolithic network (this is the "all your eggs in one basket" train).
What process should I follow when implementing a managed security service?
Semi-agreement with the article. Before you farm out your security services, you should have well-documented policies, procedures, and plans.
How do managed security services affect corporate security risks?
Realize that it is still your organization that is responsible for overall security. You're hiring someone to provide reports on the status of your network. It's still up to you to "push" policy. It'll also be up to you to deal with the politics. If the hired security says that someone is doing something that's against policy, it's up to you to either correct the person or change the policy. Please note that ignoring the situation is bad practice (you're paying for security!) in that it becomes a known condition, and if you don't correct it immediately, you can't fire anyone for it at a later date. If it involves anything "shady", you could be sued by other organizations if the situation expands and affects them.
What are the pitfalls of managed security services?
Cost mostly, but depending on what you're buying for service, it can be cheaper than having your own full-time in-house talent.
Also, if you've never had ANY security up 'till now, be prepared for some surprises. The first report that shows up on your desk may tell you a few things about your network that you don't want to hear. Examples of this could include: a virus infection, Bob in accounting spends most of his working time surfing porn, your secretary runs peer-to-peer file trading software at her desk, Fred in purchasing is selling corporate assets on eBay, etc. Just try to remember that these are the reasons that you hired out for security in the first place. Don't shoot the messenger.
What problems are best addressed by managed security services?
If you can't afford (or retain) full-time in-house talent, managed services are definitely an option. See the article for a much better explanation.
Doctor, Doctor!!
"So don't do that."
While that may make for shoddy medical practice, it's even worse for security. According to ZDNet, Microsoft has issued a "knowledge paper" to fix the hole in MS Exchange's OWA.
Anyone else see bad practice here?
(Hint: if they call it a "fix", marketing can claim that MS "fixes" things rapidly.) Want to talk fast, an ElGamal bug in GPG was announced today. Guess how long you have to wait for the patch? Answer: It's already out.
Question
Saw yet another capture-to-wav tool today.
Wednesday, November 26, 2003
NSM PowerPoint
Bit Torrent FAQ
Tuesday, November 25, 2003
Don't use Word!
Monday, November 24, 2003
Linux McAfee Update Script
Sunday, November 23, 2003
Mess in the wiki
Public Certificates
Is it worth anything? Like a lot of other things on the Internet, the answer is "it depends". It depends on how well people trust the site and use it. Note: You don't have to use Verisign, you can issue your own certificates. Verisign's strength is that, by way of government sponsorship, the majority of users "trust" it as a CA.
Update: For those that are interested in rolling your own, check out the "OpenSSL Certificate Cookbook".
Blech!
Okay, let's see him try the "a trojan did it" defense! (Warning: Article is about a really sick f**k.) (Sorry but that's the only description for him.)
Net::Dict Interface
Saturday, November 22, 2003
Looking for Incident-Response.org?
http://66.96.178.49/
Friday, November 21, 2003
Soap attacks
The paper also describes defenses against those attacks.
Wednesday, November 19, 2003
IPSec Troubleshooting Guide
Tuesday, November 18, 2003
Corporate Schizophrenia?
- Could it be that they finally get it? Just a little bit?
- They also want to do some buy and kill, especially after Google pulled a fast one.
- Why won't they learn that they shouldn't promise stuff at trade shows? Anyone else remember the super-fantastic backup technology that Microsoft promised at a Comdex? Funny, Veritas and friends are still around. (The super-fantastic Microsoft backup robot isn't.) That and tablets have already been declared dead.
- Bill also used Comdex to announce new anti-spam tools. I really hope that Bill didn't use the word "spam" as Hormel might get a little pissed that the world's (sometimes) richest man is attempting to profit off of the name of one of their products.
- Meanwhile, pundits punditted that this would put other anti-spam products out of business (yeah, just like IIS and Active Directory did?)
- Meanwhile, Steve was in Japan, making promises of better security while spreading FUD about open source products.
- Microsoft has put a "bounty" on the heads of malicious code writers, specifically two evil-doers.
- The "discussion" over those bounties is only a couple insinuations above a name calling contest
- Users are a bit less than pleased with Microsoft's new patches
- and yet two more exploits that use port 135 were made public along with another vulnerability in Microsoft Exchange.
Thanks to: Slashdot, The Evil Empire, HelpNet Security, Computer Cops, Insecure.org Lists, HackInTheBox, eWeek, InfoWorld, ThinkComputer
Side note: Sorry this is showing up on Tuesday. I'd meant to post it on Sunday but it took this long to pull all of the MS-related stuff off of the spike.
CSI loses points
Heh.
Monday, November 17, 2003
Troubles from within...
I heartily agree with him and will throw in my own comments here...
Many upper management types are worried that "we'll be seen as network Nazis". Personally, I don't care about your opinion of me if the network is running properly. If the security model (based on the business model) requires that I flog every dolt who thinks the rules don't apply to them, so be it. Call me all the names you want. I plan on going home at the end of the work day.
Also, and this might sound contrary to the above, you have to have realistic and enforceable rules. Anything else breeds contempt and circumvention of the rules. The end-user also has to understand the reason for each of the rules. This requires user training and user agreements.
Sunday, November 16, 2003
While fishing around I found...
Saturday, November 15, 2003
Quick screen howto
Bridging Firewalls
For the short version, Bridging Firewalls are effectively network bridges which have IPTables-like filtering added in. They are "invisible" because you don't add IP addresses to bridges.
Friday, November 14, 2003
Alternate Data Streams
Covert Communications
What's on your network? (to the tune of "What's in your wallet?")
Thursday, November 13, 2003
Changing MAC Addresses
Under *nix, it's quite easy (and doesn't need to be explained here.).
Yet more wiki stuff
- Added to the Blogger's Toolkit - Content Tools section.
- Added "Refresh or Redirect in PHP"
Some of it you just have to leave at the curb
Is this usable?
Also, he seems to have had better luck with SpamBayes than I have. Could it be that my run-away collection of Procmail recipes is finally catching up with me? It has piqued my interest in graphing my spam though.
Wednesday, November 12, 2003
Rules for a successful security policy
Tuesday, November 11, 2003
Incident Response Tools
- Incident Response Tools For Unix, Part One: System Tools
- Incident Response Tools For Unix, Part Two: File-System Tools
Definitely worth the read. Both articles have an extensive list of tools and links.
This is a test...
This is a test. This blog is conducting a test of the Emergency Blogcast System. This is only a test.
(annoying noise)
This is a test of the Emergency Blogcast System. The bloggers of your area, in voluntary cooperation with just about no authorities, have developed this system to keep you informed in the event of blogger's block. If this had been an actual post, the Annoying Noise you just heard would have been followed by interesting information, witty posts or snarky behavior. This blog serves the Tidewater area. This concludes this test of the Emergency Blogcast System.
(I was out of town for awhile and missed the official test)
Monday, November 10, 2003
MT Upgrade
- "external" pings feature in the main config
- the ability to figure out the trackback URL for posts which include pointers to other trackback-capable blogs
Sunday, November 9, 2003
Push back
"I'm sick and tired of it and won't take any more!!"
What am I ranting about? Comment spam.
Jeremy, Chris, Adam, and duemer have all vented on this topic and have had varying levels of success in fighting back.
Kalsey Consulting has also posted a howto entitled "Cutting Comment Spammers Off at the Knees" and a "Manifesto".
And before you think this is a small group of people, try looking at:
- http://rw.burningbird.net/cgi-bin/mt-tb.cgi?__mode=view&entry_id=182
- http://blog.iloaf.com/archives/000228.html
- http://blog.iloaf.com/archives/000229.html
- http://www.neilturner.me.uk/2003/Nov/08/spamtastic_hypocrisy.html
- http://www.neilturner.me.uk/2003/Nov/08/is_it_a_spam_or_is_it_an_idiot.html
- http://blog.kevindonahue.com/archives/001517.php
- http://www.gerald-steffens.com/blog/archives/00000047.htm
- http://www.blogd.com/archives/000237.html
- and many more (Google for them via "blog comment spam".)
In response to the comment spam here, I'm brushing up on my tracking skills and have added the fine print at the bottom of the main page. (Hey, spam is illegal here in Virginia! Be glad I'm only asking for $100.00!!)
[With apologies to those on the receiving end of the trackbacks; this has a lot of links in it.]
Saturday, November 8, 2003
One question?
- Given that the author already knows how to break into computers, what's to stop him/her from choosing another programmer and planting the "evidence" on that person's computer before calling the cops?
- Where is all this bounty money coming from? (If you can't guess the obvious answer, e-mail "joat@757.org" with a subject line of "obvious answer" (without the quotes)(an infobot will answer).
Friday, November 7, 2003
Common courtesy?
This entire post is a peevish vent so you may want to skip it.
Okay, I'm back. My last job made me a cynic (network security officer for 30,000+ users). This new job isn't improving my impression of the general public any. This job requires that I travel every other month or so, so I get to view the public "up close and personal". Here's what's set me off this time:
In the U.S., airlines load planes from the back to front. One of the attendants will call out over the announcing system "Now boarding rows 15 through 22". This causes 30 or so of us to queue up and slowly drag ourselves and a carry-on piece of luggage onto the plane.
I've done this four times in as many days and, without fail, there's at least one moron from row 6 or so that makes the super-human effort to get onboard before the rest of us (he cuts in line). Short version: the entire complement of passengers is delayed while those that should already be on the plane before him wait while he tries to jam an oversized bag (that should have been checked) into the overhead storage. On one of the four flights, this held up boarding long enough that the plane was bumped from its position in the take-off queue (an additional 10-minute delay).
Would someone explain to me why these people think that they'll get where they're going quicker if they cut in line? Seriously, I think these people should be bumped to the "on standby" category and forced off of the plane.
Thursday, November 6, 2003
More Hitchhikers on the radio
File this one under the "Mebbe I Should Start a 'Cult' Category" category. (That's where the BBC filed it.)
The BBC is going to adapt the remaining Hitchhiker's books to audio.
Yeah, I know: This makes me an old geek. Doesn't anyone else remember staying up late to listen to the Radio Mystery Theater? Extra credit if you did it via a tube or crystal set!
Wednesday, November 5, 2003
I will donate the following service to Bill Gates (if he wants it)
Bill: Give me a list of the domains and their expirations and I set up cron jobs so that you can be notified a month or so ahead of time.
Update:Jeremy has a short bit about Vixie cron.
Tuesday, November 4, 2003
Security Testing Guide
Monday, November 3, 2003
Alien II?
Even though this one is from Slashdot, it makes for interesting "entertainment" (loosely defined).
Every community has their own nut cases. The Internet isn't any different.
Remember a while back where everyone got spammed by that guy looking for the dimensional warp generator so's he could get back to his own time? He was quickly "outed" by a group of people who are now on the receiving end of what amounts to an e-mail bombing (mail with forged return addresses is intentionally bounced off of legitimate servers in an attempt to fill the victims' mailboxes and block legitimate mail to them).
I had a Great Uncle who responded to situations in a similar manner. It kept a family feud going for decades.
Sunday, November 2, 2003
More Wiki entries
- Connecting a Linux box to Sprint PCS via a Samsung N400
- Using fetchmail with Procmail and a virus scanner
- isvirus code listing
Saturday, November 1, 2003
NSA picks a commercial encryption product
Please note: they have SDKs for Windows, Linux, Unix and more.
Local Area Security Linux
If anyone uses this, would you post a few comments here?
Nop +4-7
I may be out of touch for a few days as I'm headed for New Orleans first thing Monday morning. I may have connectivity, I may not. The map for my cell phone service is kinda vague as to what service is available, just like it was when I was visiting my parents (had to drive halfway down a mountain but found service)(pretty good connection in that 100 or so feet).
Anyways, I'll keep posting. It's just that you might not see the posts until I get back.