Friday, December 31, 2004

Thursday, December 30, 2004

Chaining Policies

Here is a site discussing basic web proxy theory. An interesting part near the end discusses "chaining" of proxies so that each department in an organization can maintain its own usage policy while the organization can impose its own set of rules. This effectively "chains" or aggregates usage policies.
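As an added illustration of what chaining buys you (this is example code written for this page, not anything from the linked site), the evaluator below walks a URL's host through a department policy and then the organization policy. The rule of the chain is that any layer may deny but no layer may undo an upstream deny, so the department can be stricter than the organization but never looser. The policies and host names are constructed for the example.

```python
"""Chained web-proxy policies: department first, then organization.
Added example for this post; the policies below are constructed, not real."""
from fnmatch import fnmatch

# Each policy is an ordered list of (action, host_pattern) rules. The first
# matching rule in a layer decides that layer's verdict; with no match the
# layer returns its default.
ORG_POLICY = {
    "name": "organization",
    "default": "allow",
    "rules": [("deny", "*.example-gambling.test"),
              ("deny", "*.example-malware.test")],
}
DEPT_POLICY = {
    "name": "engineering",
    "default": "allow",
    "rules": [("allow", "*.example-mail.test"),
              ("deny", "*.example-social.test")],
}


def layer_verdict(policy, host):
    """Verdict of a single layer: (action, matching pattern or None)."""
    for action, pattern in policy["rules"]:
        if fnmatch(host.lower(), pattern):
            return action, pattern
    return policy["default"], None


def chained_verdict(host, chain):
    """Evaluate the layers nearest the user first. Any deny is final: a
    department 'allow' cannot override an organization 'deny', because the
    request still has to pass through the upstream proxy."""
    trail = []
    for policy in chain:
        action, rule = layer_verdict(policy, host)
        trail.append((policy["name"], action, rule))
        if action == "deny":
            return "deny", trail
    return "allow", trail


if __name__ == "__main__":
    for host in ("www.example-gambling.test", "www.example-social.test",
                 "mail.example-mail.test"):
        verdict, trail = chained_verdict(host, [DEPT_POLICY, ORG_POLICY])
        print(host, verdict, trail)
```

The trail returned alongside the verdict tells you which layer blocked a request, which is the part you will want in the proxy log when a user asks why a site is unreachable.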

Monday, December 27, 2004

Frequency Chart

I made the following with PowerPoint and converted it to a GIF, so it's a bit basic. However, the information is valuable enough. The numbers across the top are frequencies in MHz.

Saturday, December 25, 2004

Friday, December 24, 2004

Swiss Army disk

Normally I spend the first day of the weekend blogging most of the
following week. Today is an exception, for obvious reasons. I have
gifts to wrap, dishes to wash, animals to feed. Somehow I have to
figure out how to sneak my son's and his girlfriend's presents into the
house (past them). HBO is running Carnivale again this coming week so I
have to find time to set up the record schedule. You get the idea.

In any case, blogging this week may be a little erratic. Here's today's...

IBM has an article (http://www-106.ibm.com/developerworks/linux/library/l-clustknop.html?ca=dgr-lnxw06ClusterKnop) about building clusters with custom Knoppix CDs. Knoppix seems to be one of those tools that finds its way into everything. Since our appliances will soon have their own IPv6 addresses, what's next? Washing Machine Knoppix? Fish Tank Knoppix? Lawn Mower Knoppix?

Don't laugh! Mix in a little wireless or
broadband-over-power-line and it's not that much of a stretch.

Thursday, December 23, 2004

Session Riding

The Web Applications Security mailing list has a pointer to a paper (http://seclists.org/lists/webappsec/2004/Oct-Dec/0427.html) which discusses "session riding", the attack now better known as cross-site request forgery. It amounts to hijacking a user's access or data by getting the user's browser to send a crafted request to a site the user is already logged into, for example via an image tag in HTML e-mail: when the user's e-mail client loads the HTML, the browser attaches the user's session cookie and the site executes the request with the user's authority.
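To make the mechanism concrete, here is an added example (written for this page, not taken from the paper) of a toy "transfer money" handler in two forms: one that accepts a GET authorized by nothing but the session cookie, which is exactly what an `<img src=...>` in an HTML mail produces, and one that requires a POST carrying a per-session token the mail author cannot know. The session store, cookie value, site origin and request layout are all constructed for the example.

```python
"""Session riding (CSRF) in miniature: vulnerable vs. hardened handler.
Added example for this post; session store and requests are constructed."""
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session record.
# The per-session CSRF token is generated once at login.
SESSIONS = {
    "sid-7f3a": {"user": "alice", "csrf": secrets.token_hex(16)},
}
SITE_ORIGIN = "https://bank.example"   # assumed origin of the application


def _session(request):
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def transfer_vulnerable(request):
    """State change on a GET, authorized only by the cookie the browser sends
    automatically. An <img src="https://bank.example/transfer?to=mallory&amount=500">
    in an HTML e-mail rides the victim's session."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    p = request["params"]
    return 200, f"{sess['user']} sent {p['amount']} to {p['to']}"


def transfer_hardened(request):
    """Same action, but: POST only, a token tied to the session must be echoed
    back in the body, and a foreign Origin header is rejected outright."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state changes require POST"
    token = request.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or wrong CSRF token"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin"
    f = request["form"]
    return 200, f"{sess['user']} sent {f['amount']} to {f['to']}"


def forged_request():
    """What the victim's browser sends when the mail client renders the image
    tag: cookie attached, no token, no form body, attacker-chosen parameters."""
    return {"method": "GET", "cookies": {"sid": "sid-7f3a"},
            "params": {"to": "mallory", "amount": "500"}, "headers": {}}


def legitimate_request():
    """A form submitted from the site's own page, carrying the session token."""
    return {"method": "POST", "cookies": {"sid": "sid-7f3a"},
            "form": {"to": "bob", "amount": "20",
                     "csrf": SESSIONS["sid-7f3a"]["csrf"]},
            "headers": {"Origin": SITE_ORIGIN}}


def guessed_token_request():
    """An attacker who manages a cross-site POST still has to guess the token."""
    r = legitimate_request()
    r["form"]["csrf"] = "0" * 32
    return r


if __name__ == "__main__":
    print(transfer_vulnerable(forged_request()))
    print(transfer_hardened(forged_request()))
    print(transfer_hardened(guessed_token_request()))
    print(transfer_hardened(legitimate_request()))
```

The token check is the part that actually defeats the attack: the mail client can make the browser send the cookie, but it cannot read the token out of the victim's page. The Origin check is a second line of defence that browsers of the paper's era did not send; it is cheap to add where it is available.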

Wednesday, December 22, 2004

More WEP problems

While we're on the topic of WEP problems, WiFi Toys (http://www.wifi-toys.com/) has an article on breaking WEP really fast (http://www.wifi-toys.com/wi-fi.php?a=articles&id=53).

Tuesday, December 21, 2004

Why?

Microsoft has stated (http://www.blackhat.info/live/modules.php?op=modload&name=News&file=article&sid=4989) that they've switched virus scanners to "provide a safer online experience for consumers". Considering that it's probably more of a financial issue or a programming difficulty (e.g., can't interface the scanner with the webmail), it's a bad choice of words for the supposed cause.

We may see a lawsuit because a corporation has taken a public position on the quality of a competitor's product (remember Microsoft purchased two companies last year for this purpose). It's one thing to say your own product is better than everyone else's. It's another to say (or directly imply) that a competitor's product is crap. Without proof, that is.

HSC

Activeworx has released a new version of its Honeynet Security Console (for Win2K/XP). Screenshots are here.

Monday, December 20, 2004

Bandwidth shaping

If you do more than the basic video streaming or VoIP on a small
network, it might be worthwhile to learn about traffic shaping and bandwidth management (http://www.linuxexposed.com/internal.php?op=modload&name=News&file=article&sid=563).

Sunday, December 19, 2004

News

More news from the wireless front:

WEP Problems

Here's part one of a two part series on the current problems with WiFi encryption. The focus is on WEP but it does touch on other topics.

One thing to keep in mind: if WEP is the best you have, it's better than nothing, and overall WEP security can be improved via basic practices such as periodically changing keys. Rotating keys only shrinks the window, though. The statistical attacks against WEP need on the order of a few hundred thousand to a few million captured packets, which a busy network produces in well under a day, so a key can fall before you get around to rotating it. Treat WEP as an obstacle rather than real encryption and use WPA wherever the hardware supports it.

Friday, December 17, 2004

Thursday, December 16, 2004

tasklist.org

In doing work-ups for malicious code analysis, I've been using Full Disclosure as a source as it allows attachments. This allows me to download onto a non-MS machine, run a virus scanner and do other things while deciding to use the sample or not.

In the process, I usually hit Google also. In trying to figure out "You_are_dismissed.com" (it's Bagle.Ap) I found tasklist.org. It appears to be a really good source for identifying unknown (unauthorized) processes.

Tom Dunigan

Tom Dunigan has a very large security-related link list.

JPeg Vulnerability

InfoSec Writers has a good analysis of the JPEG Processing Buffer Overrun.

Wednesday, December 15, 2004

Putty

Here's an online howto for configuring Putty to tunnel your email traffic safely.

Deb Radcliff

Yesterday I posted about a blog run by Deb Radcliff. It appears she has quite an anthology of articles.

Tuesday, December 14, 2004

Free classes

Don't know if I've blogged about it before but HP's free classes site is still online. Topics include firewalls, desktop publishing, MS, Linux, virus protection best practices, organize your life, and many more.

More blogs

Picked up a couple new blogs: Security Awareness (run by Greg Hoffman) and Security Chief (run by Deb Radcliff). Both people are associated with Winn Schwartau, a "security type" and a real character. My first "run in" with him was when someone bulk emailed an employer with tons of weird email (looked like mail bugs) and the source had his name in the registry.

Monday, December 13, 2004

Dave Dittrich

Here's Dave Dittrich's home page. Of note are the links on the left hand side of the page. He maintains some really good lists of sites related to various security topics.

Detecting Complex Viruses

Here's a good article which discusses the difficulties in detecting complex viruses.

Sunday, December 12, 2004

Firewalls book

It's almost a decade old but still a good read. Here's the online version of Firewalls and Internet Security: Repelling the Wily Hacker.

Network Attacks

Here's a good article which discusses network attacks and breaks them down into five basic types.

Saturday, December 11, 2004

Free training

Tony Bradley has posted about a site with free CISSP training. This is one of the certifications that will become a bit more valuable in the near future. The Federal Trade Commission is currently suing two companies for lack of GLB compliance. The orders they're trying to get signed include the directive to obtain a satisfactory assessment of their network within 180 days and include the following statement:

Each assessment shall be prepared by a person as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.

Prediction: You'll see the quals thing get out of hand, even some fakery/foolery that will require either tighter control of quals or the government will create their own quals requirements.

Stand by for an industry shift!

Friday, December 10, 2004

Phreaking

This article is a bit sensationalist ("piles on" semi-unrelated facts in order to scare you) but is mostly accurate.

Anyone seen "Sweet Tooth" in action? (No, not the Pogo game!)

The Broken

For entertainment, try viewing the videos at The Broken. They're made by a couple of recognizable faces. I'm not sure if what they're showing is illegal or not, most of it is pretty mild or very old.

For you conspiracy types, it proves that there were dark forces behind that TV show. Hacking with Ramzi is really, really bad.

Thursday, December 9, 2004

Another semester ends

If you're reading this around 7 p.m. EST, I'm at the Biergarden on High Street in Portsmouth, overdosing on an odd version of potato soup and helping to run a local version of geek trivia. It's part of what is becoming a tradition in that the last (unofficial) day of class is held at the Biergarden.

I'm addicted to the potato soup, which I'm not supposed to have due to its content. I don't have the recipe for it (hope to though) but it contains what looks like small bits of pot roast, potatoe slices, and spaetzle in a clear beef broth. Occasionally, another veggie may make a cameo appearance but the base recipe is delicious. Anything with spatzle can't be all that bad, right?

If you can find someone who makes good spatzle, heifering, and dumpfnodle hire 'em, marry 'em, or otherwise move in with them. Same goes for lumpia and pansit. And before you food vacuums at 757 ask, mine's only passable so you ain't moving in with me.

Apologies for the spelling.

fe3d

Interesting visualization tool. I don't expect it to go anywhere but it is a different approach (see the screenshots). Decent GL links on the page too. (via HITB)

Wednesday, December 8, 2004

SMB

Ubiqx.org has everything you ever wanted to know about SMB (and probably much, much more).

Questions to Ask

I think "Ten Questions to Ask About Application Security Systems" is appropriate, especially when a lot of our applications are moving onto the web server. They are appropriate elsewhere, especially when the other "move" is away from application proxies and towards "deep packet inspection" (which is inappropriate for HTTP traffic).

Tuesday, December 7, 2004

Spammer update

Roughly two weeks have gone by. Total number of spams, three. Two from the same jerk at/via 81.27.200.49, trying to be funny. The other at/via 24.69.65.52. Both of them entered via the web page (vice the CGI interface). Both added to the blacklist. It's probably not helping that I talk about it but since this is the last week in the semester, I have a bit of free time to run the donkey at the windmill.

Cell phone glossary

Mobiledia has a glossary of cell phone related terms.

Windows Tips

Here's a good site for various Windows Tips: Win NT/2K/2K3/XP Admin Knowledge Base.

Monday, December 6, 2004

Wireless protocols

Palo Wireless is a site with in-depth explanations of most (if not all) of the wireless protocols/technologies.

Fighting comment spam

Just in case anyone wanted to know, I modified the writeback plugin so that it's non-standard. Just come up with a word that isn't used in any of the code (to keep things simple) and substitute it for writeback in all of the code. For now, it's a bit of a manual process but it doesn't appear to be all that hard to automate (changing that is). It may drive the spammers back to posting via the interface, where the fight can be on more even ground.

Sunday, December 5, 2004

Spammer list for 4DEC04

Following is the list of IP's that attempted to connect to the old-style comment system. The only "things" that attempt this are automated programs of one of two types: either search engine spiders (such as Google's below) or comment spammers. Do what you will with the list, just don't hold me responsible for it.

2 12.158.228.18
1 168.143.113.5
5 193.95.113.114
12 194.213.41.11
127 194.213.41.12
26 194.213.41.13
72 194.213.41.14
1 194.7.246.43 uu194-7-246-43.unknown.uunet.be
1 195.132.141.251 m251.net195-132-141.noos.fr
4 195.27.14.2
1 200.12.238.23
40 200.21.45.4 mangostino.ut.edu.co
3 200.212.114.3
4 200.34.99.9
1 211.239.170.46
1 212.138.47.16 cache6-1.ruh.isu.net.sa
1 212.138.47.20 cache10-4.ruh.isu.net.sa
1 212.138.47.21 cache13-4.ruh.isu.net.sa
1 212.138.47.26
10 213.172.36.62
12 213.41.1.222 wan-222.1.rev.fr.colt.net
8 213.41.1.226 wan-226.1.rev.fr.colt.net
19 217.144.0.137
5 218.4.189.197
1 218.57.113.11
6 219.93.211.74
11 64.125.108.114 64.125.108.114.available.above.net
42 65.54.188.139
1 66.249.64.146 crawl-66-249-64-146.googlebot.com
1 66.249.64.156 crawl-66-249-64-156.googlebot.com
1 66.249.64.160 crawl-66-249-64-160.googlebot.com
1 66.249.64.198 crawl-66-249-64-198.googlebot.com
4 68.167.94.202 h-68-167-94-202.chcgilgm.covad.net
6 68.98.206.172 wsip-68-98-206-172.ks.ok.cox.net
5 80.65.102.162 ip102-162.introweb.nl

Defeating Encryption

One thing that is not said all that often is that even the good guys have to know things like what's in this paper. It's not just the "good guys" that use encryption.

Saturday, December 4, 2004

Free time

Now that I'm not spending an hour or so per day mopping up comment barf (spam), I've had time to fix the comment script to allow a few tags, work on comment titles, and generally get back to tweaking the site. Are there any features that you'd like to see?

I'm considering dumping the Blogroll and replacing it with a links list or putting a "recent comments" frame there.

DIY

Ryumaou has pointed out that O'Reilly has a new magazine called "Make". It's aimed at the hardware geeks. (Telmnstr! This one looks like one of yours.)

Thursday, December 2, 2004

Christmas music

Chalk this one up as a pointless temper tantrum...

What kind of person (that's the nice version) thinks it's important to post their Winamp-generated playlist to the Internet? (Hint: there's quite a few of them.)

I went shopping for an album, containing a Christmas song that I've not heard in fifteen years by Kevin Bloody Wilson (Hey Santa Claus...). It was amazing, the number of fake sites and playlist sites that I had to wade through before finding a legit site offering Kevin's albums.

Maybe I should write one?

living next door to spammers

Survey of Odd Security

Via Need To Know and an odd Shmoo, here's A Survey of Novel Approaches to Network Security.

Wednesday, December 1, 2004

Tuesday, November 30, 2004

Google Hacking Book

According to this, O'Reilly is going to distribute the Google Hacking book (not the same as their Google Hacks book).

DNSSEC

ONLamp has a good article about DNS and DNS security extensions (DNSSEC).

Monday, November 29, 2004

Ads in Feeds

Just to add my two cents to the ads in RSS feeds bickering...

I feel that one of the reasons that RSS became so popular was that it allowed readers to avoid all the extra fluff on a website and get right to the content, thereby increasing the amount of content you can read in a day. Inserting advertisements into those feeds dilutes the value of the content. If, like in some low traffic feeds, the advertisements out-number the actual posts, it can become a justifiable reason to unsubscribe from the feed. I think that many content providers are going to have to learn the hard way that social media (as bloggers are sometimes called)(as opposed to mainstream media) allows for very fickle readers. Contrary to what most content providers think about themselves, very few feed sources are "valuable" enough to be able to keep their subscription levels while annoying their readers at the same time.

In any case, how long before someone writes an aggregator that filters advertisements? Do we really have to join that arms race?

Anti-spam Honeypots

Linux Security has posted part one of an series describing the use of honeypots to fight spam.

Sunday, November 28, 2004

Spam list for 27 Nov 2004

Here's the list of Saturday's spammers (those attempting to access the old comments system). Please remember that some of the IP's are legitimate search engine spiders. Do what you will the list but don't hold me responsible for it.

1 142.165.112.131 msjwsk02d010101131.sk.sympatico.ca
5 193.255.207.253 seyhan.cu.edu.tr
2 194.117.217.227
7 200.12.238.31
4 201.12.13.170
1 202.141.239.4
1 202.163.115.203
4 202.163.115.205
1 202.68.147.182
3 203.113.29.2
7 203.115.21.155
1 203.151.40.252 203-151-40-252.inter.net.th
1 203.190.254.9
1 203.197.234.177 delhi-203.197.234-177.vsnl.net.in
1 210.18.184.246
3 211.185.38.61
4 212.117.152.70 mailrelay.flying.co.il
1 212.36.213.15
12 213.172.36.62
22 213.56.68.29
1 216.239.39.5 proxy.google.com
1 217.14.219.34
1 219.95.89.125
1 24.24.72.83 bgm-24-24-72-83.stny.rr.com
1 61.1.185.85
68 64.125.108.114 64.125.108.114.available.above.net
1 64.238.121.155
1 65.35.35.197 197-35.35-65.tampabay.rr.com
26 65.54.188.138
44 65.54.188.139
1 66.231.168.82
2 66.249.64.156 crawl-66-249-64-156.googlebot.com
1 66.249.64.195 crawl-66-249-64-195.googlebot.com
1 66.249.64.30 crawl-66-249-64-30.googlebot.com
1 66.249.64.33 crawl-66-249-64-33.googlebot.com
1 67.107.73.195
1 68.83.190.72 pcp09996361pcs.narlington.nj.comcast.net
9 80.65.102.162 ip102-162.introweb.nl
2 80.65.121.214 ip121-214.dsl.introweb.nl
1 81.15.196.129
1 83.108.243.136 ti400720a080-13192.bb.online.no

SQL Injection Attacks

Linux Exposed has an article explaining the basic theory behind SQL injection attacks.

Knoppix Hacks

From what Jeremy says, it looks like the Knoppix Hacks book is out (I don't get into the bookstore often). As per O'Reilly's usual practice, they've posted some sample chapters on their site. I've used the anti-virus one but I've used a commercial scanner. It's a little known fact that McAfee (and others) sells a Linux-based scanning engine that uses the usual DAT files. Combine that with BSDi's LDP, and you can have a commercial scanner running on a commercial OS (for those with management that insists on commercial products) which can act as a (pass-thru) mail handler or mail server. I've even wedged this thing into Sendmail.

Anyways, the book looks like it's worth the $$.

Saturday, November 27, 2004

From Scrabble to Verbal Aggression

Call me weird but I find conversations/listening to presentations/watching tv more interesting with immediate access to Google. A passing comment during Word Wars on the Discovery Channel led me to The International Journal of Verbal Aggression. Sometimes the habit is exceedingly annoying to others (for obvious reasons) and sometimes it leads to a bit of comedy (a quick search on Helen Carr during a recent law enforcement presentation revealed that her high school reunion committee was also looking for her).

I think it's one of the reasons why the classes in Chesapeake are so enjoyable. Everyone has the Internet "right there" and usually anyone can hijack the class for a few minutes with a semi-related bit of information. The instructor has to have one of those personalities and be able to herd cats (there IS a learning plan to follow). Some students find it frustrating, others find it just outright odd, but a working knowledge of Google or Yahoo syntax does help with some of the verbal references thrown out during conversations (quick quiz: Who said, "Help me Mr. Wizard! I don't want to be a ..." ).

WhoLocksMe

Tejas Patel pointed out another good-to-have tool: WhoLocksMe (for Windows).

Friday, November 26, 2004

CWShredder

It's nice to see that CWShredder is back in play. The bad news is that it's only available via a commercial product. You can read some of Merijn Bellekom's (the author's) comments here.

Spammers list

Following is a list of IP addresses attempting to use the old comment system on 25 Nov 2004. Please note that some of these may be search engine spiders such as Google (hopefully the spiders will catch on shortly). The rest are spammers. I'm a bit concerned that a good portion of the non-spider entries are caches or proxies.

Do what you want with the list.

47 148.244.150.57 host-148-244-150-57.block.alestra.net.mx
2 152.163.100.199 cache-rtc-ad05.proxy.aol.com
1 193.129.22.146
8 193.79.18.243
3 194.63.235.155 cache1.thess.sch.gr
2 194.63.235.156 cache2.thess.sch.gr
1 194.63.235.157 cache3.thess.sch.gr
4 195.175.37.11
8 195.175.37.24
2 195.175.37.26
1 195.175.37.7
26 195.245.247.155
1 195.61.146.130 eapp.tamisa.ro
5 200.118.118.4 Static-IP-cr2001181184.cable.net.co
1 200.12.238.31
2 200.168.62.134 200-168-62-134.cebinet.com.br
13 200.31.79.214
2 200.60.207.58 client-200.60.207.58.speedy.net.pe
16 203.113.29.1
3 203.113.29.2
6 203.150.234.46 203-150-234-46.inter.net.th
6 203.151.40.252 203-151-40-252.inter.net.th
2 203.172.154.114
19 203.197.234.177 delhi-203.197.234-177.vsnl.net.in
1 209.33.210.2 209-33-210-2.sg-wireless.infowest.net
1 210.143.29.247 c12-247.actv.ne.jp
12 212.117.152.70 mailrelay.flying.co.il
1 212.138.47.12 cache2-2.ruh.isu.net.sa
2 212.138.47.16 cache6-1.ruh.isu.net.sa
1 212.138.47.21 cache13-4.ruh.isu.net.sa
1 213.132.32.130 eth1.cache2.dubaiinternetcity.net
43 213.172.36.62
8 213.56.68.29
3 217.14.219.34
1 218.5.191.126
15 220.90.132.183
1 221.132.39.253 localhost
2 61.19.243.11
1 61.95.226.18
4 63.100.211.203 63-100-211-203.reverse.newskies.net
1 63.72.136.96
4 64.124.92.199 stdev1.sj3.escalate.com
86 64.125.108.114 64.125.108.114.available.above.net
5 64.132.198.149 64-132-198-149.essind.com
1 65.4.208.158 adsl-4-208-158.mem.bellsouth.net
1 65.50.67.11 CPE002078d287e4-CM014250010853.cpe.net.cable.rogers.com
17 65.54.188.138
1 66.249.64.160 crawl-66-249-64-160.googlebot.com
1 66.249.64.167 crawl-66-249-64-167.googlebot.com
1 66.249.64.189 crawl-66-249-64-189.googlebot.com
1 66.249.64.195 crawl-66-249-64-195.googlebot.com
1 66.249.64.198 crawl-66-249-64-198.googlebot.com
2 66.249.64.201 crawl-66-249-64-201.googlebot.com
4 66.249.64.202 crawl-66-249-64-202.googlebot.com
2 66.249.64.205 crawl-66-249-64-205.googlebot.com
1 66.249.64.30 crawl-66-249-64-30.googlebot.com
1 66.249.64.37 crawl-66-249-64-37.googlebot.com
2 66.249.64.38 crawl-66-249-64-38.googlebot.com
1 66.249.64.55 crawl-66-249-64-55.googlebot.com
2 66.249.64.58 crawl-66-249-64-58.googlebot.com
1 66.249.64.68 crawl-66-249-64-68.googlebot.com
2 66.249.64.70 crawl-66-249-64-70.googlebot.com
1 68.167.94.202 h-68-167-94-202.chcgilgm.covad.net
1 68.235.196.123 68-235-196-123.crlsca.adelphia.net
1 68.252.22.121 adsl-68-252-22-121.dsl.dytnoh.ameritech.net
1 69.152.200.106 adsl-69-152-200-106.dsl.fyvlar.swbell.net
39 80.65.102.162 ip102-162.introweb.nl
2 80.65.121.214 ip121-214.dsl.introweb.nl
6 81.110.124.10 cpc2-with1-4-0-cust10.bagu.cable.ntl.com
1 81.153.86.133 host81-153-86-133.range81-153.btcentralplus.com
7 81.208.62.130
1 82.176.17.196
2 83.168.19.77 adsl-19-77.cytanet.com.cy

Fighting a moving target

Here's a thought (tell me if you think I'm way off): buying one-time products, either hardware or software, to fight spam and malicious code is a bad idea. Your purchase becomes obsolete as soon as what you're fighting changes tactics. Instead, you should use a product/service that is either community driven (e.g., Snort, ORBS, etc.) or is subscription-based (e.g., McAfee, Symantec, etc.).

I don't have that previous paragraph worded the way I'd like it to be but you get the idea.

Thoughts for articles/papers (feel free to borrow):

  • networks that adapt to a new threat faster have a better survival rate
  • the need for adaptive technologies to fight security threats (even if it's the ability to script "in the middle")
  • the need for trained personnel to use those adaptive technologies
  • what technologies still need adaptive capabilities

airpwn

I think I've blogged about airpwn previously but (in case I haven't) there's a conference coming up and I need to recognize the particulars of someone using the tool.

Self-inflicted wounds

I've talked about this before... If you're a network security officer or a security manager, it's a good idea to check what your organization inadvertently exposes via what it makes available on the Internet.

Oops

I managed to fat finger the date on yesterday's entry (it was sent to the 15th vice the 25th). I've fixed it. Apologies.

Thursday, November 25, 2004

Port reporter

This is one of those must-have tools. It logs open ports on the local system and includes who and via what binary. The one short-coming that I can see is that it logs directly to a text file. If it logged into the Microsoft logging system or externally to a syslog service, the tool would be that much better.

Wednesday, November 24, 2004

Spammer update

The changes I made to the writeback code seem to be holding. While the blog still accepts incoming comments from scripts, they're not written to the hard drive (due to the URI being incorrect). As soon as Google's spiders catch up, I should be able to automatically generate a list of spammers on a periodic basis. Anyone have a preference for formats?
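The periodic list can be produced straight from the web server log. The added example below (written for this page; it is not the blog's own script) counts hits on the retired comment URI per client address and separates known crawlers, identified by their reverse-DNS name, from everything else, emitting the same "count address hostname" layout as the lists posted here. The `/writeback` path, the log lines and the reverse-DNS table are all constructed so the example runs offline; on a live system the table would be replaced by `socket.gethostbyaddr()`.

```python
"""Count clients hitting the old comment URI and split crawlers from spammers.
Added example for this post. The path, log lines and DNS table are constructed."""
import re
from collections import Counter

# Assumed: the old comment endpoint lived under this path (hypothetical).
OLD_COMMENT_PATH = "/writeback"

# Apache/NCSA combined log layout; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2004:03:12:01 -0500] "POST /writeback/2004/11/21/comments HTTP/1.0" 404 512
203.0.113.7 - - [27/Nov/2004:03:12:02 -0500] "POST /writeback/2004/11/21/comments HTTP/1.0" 404 512
198.51.100.23 - - [27/Nov/2004:04:40:19 -0500] "GET /writeback/2004/11/19/nt HTTP/1.1" 404 512
192.0.2.44 - - [27/Nov/2004:05:01:00 -0500] "GET /index.rss HTTP/1.1" 200 8192
203.0.113.7 - - [27/Nov/2004:06:15:44 -0500] "POST /writeback/2004/11/20/x HTTP/1.0" 404 512
"""

# Constructed reverse-DNS table standing in for socket.gethostbyaddr().
REVERSE_DNS = {"198.51.100.23": "crawl-198-51-100-23.googlebot.com"}
CRAWLER_SUFFIXES = (".googlebot.com",)


def hits_on_old_uri(log_text):
    """Requests per client address whose path is under the retired URI."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(OLD_COMMENT_PATH):
            counts[m.group("ip")] += 1
    return counts


def classify(ip):
    """(hostname or '', 'crawler' | 'suspect') based on the reverse name."""
    host = REVERSE_DNS.get(ip, "")
    if host.endswith(CRAWLER_SUFFIXES):
        return host, "crawler"
    return host, "suspect"


def report(log_text):
    """Rows of (count, ip, hostname, kind), sorted by address string as the
    posted lists are."""
    rows = []
    for ip, n in sorted(hits_on_old_uri(log_text).items()):
        host, kind = classify(ip)
        rows.append((n, ip, host, kind))
    return rows


def format_report(rows, include_crawlers=False):
    """Render in the 'count ip hostname' layout used on this blog."""
    return "\n".join(f"{n} {ip} {host}".rstrip()
                     for n, ip, host, kind in rows
                     if include_crawlers or kind != "crawler")


if __name__ == "__main__":
    print(format_report(report(SAMPLE_LOG), include_crawlers=True))
```

One caveat before feeding the output to a blacklist: a reverse-DNS name is under the control of whoever owns the address block, so a spammer can name a host `crawl-1-2-3-4.googlebot.com` too. Confirm the match by resolving the returned name forward and checking it yields the same address before trusting the "crawler" label.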

Detecting kernel mods with gdb

Security Focus has an article describing an interesting use for gdb, detecting kernel-level compromises with gdb.

Tuesday, November 23, 2004

Knoppix book

I can't see a book about Knoppix Hacks being anything but good. Given the number of things Knoppix has been adapted to, I think the book is going to be a good-to-have. I wonder what they had to weed out to keep the book to a manageable size.

Monday, November 22, 2004

Bluetooth and GPRS

I managed to find this LJ article on Bluetooth and GPRS. I still have no clue though. The more I read, the more I'm convinced that I'm going to need pointers on Bluetooth security.

Bluetooth setup?

I've managed to pick up a USB Bluetooth interface that my three year-old laptop recognizes. The idea is to use my wife's Bluetooth-enabled cell to get on the Internet (in a pinch) at the con in February. Anyone have any pointers/good websites/advice for security? (If security and Bluetooth can be uttered in the same sentence?)

Intro to kernel backdoors

InfoSec Writers has an intro article entitled "An Introduction to Linux Kernel Backdoors".

Sunday, November 21, 2004

PDA Forensics Guidelines

The news is almost a week old but the Guidelines on PDA Forensics is out in final form.

Comments back on

The comment system is back on. I've "adapted" the comment system so that it is "unique" when compared with other Blosxom blogs. Let's see if the changes are effective and, if so, how long they last before the spammers figure out what they have to change on their end to get comment spam working again.

...and the arms race continues...

The Internet Overlords

There's an ongoing discussion on the Full Disclosure mailing list where the original poster stated the following:

Subject: [Full-Disclosure] Why is IRC still around?

Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:

1) A hell of a lot of viruses/worms/trojans use IRC to wreck further havoc?
2) A considerable amount of "script kiddies" originate and grow through IRC?
3) A wee bit of software piracy occurs?
4) That many organized DoS attacks through PC zombies are initiated through IRC?
5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?
The list goes on and on...

Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC?

What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?

The following posts quickly degraded into a flame war and name-calling contest. I find the discussion offensive mostly for the implied logic behind it. (It's included in the name calling contest.) One reader summed my opinion up in a short well-worded sentence: Who is 'we' and what makes you think anyone cares what you 'sunset'?

This is the same mentality as that behind my MCSE rant (and before this gets too far, it was a specific MCSE that I was ranting about, not all of them). There's a certain logic used by some of the n00b MCSEs whose only network training amounts to what they learned out of the MCSE book. Contrary to what MS would like you to believe, the Internet is still a very insecure, dangerous "place" with little or no control. The logic that any "we" can force the suspension of a protocol for any reason gives me a headache. The poster actually assumes that there is a man behind the curtain pulling the levers and ropes.

You can read the list via the Checksum archive.

It's interacting with that type of people that got me blacklisted by my grandmother's church in my early 20's. The short version of the story amounts to a short discussion between a picketer and myself, in front of the only convenience store open at 6:30 a.m. in a three county area. Him: "Don't go in there! They sell Playboys!" Me: "They sell coffee in there."

(Yeah, I grew up in a very small town.)

Malicious Code Analysis

Ran across the following while looking for a device driver:

The bad news is that the IDA Pro people have taken down their free download due to excessive traffic.

Friday, November 19, 2004

NT to be discontinued

MS stopped supporting client versions of NT on 30 June and will stop supporting the server version at the end of this year (something they don't include in those TCO arguments). MS's motivation is money, either it's too expensive to continue to support it or they want to force NT users to "upgrade". In either case, the talking heads will discuss the "danger" the move is creating.

Let the politics begin!

Thursday, November 18, 2004

Re-Spam

Err... You might notice that I've turned off comments again.

Ports database

While doing research on my "freedom of speech" spammer, I found this ports database. A useful tool if you need to look up port numbers.

Wednesday, November 17, 2004

Grey Milter

The majority of spam is sent by compromised zombies. Few (if any) of those rogue programs implement a full MTA, and in particular the queue-and-retry behaviour that a temporary delivery failure calls for: more commands mean larger code and an easier-to-detect footprint. That is what milter-greylist exploits. The first time it sees a given combination of client IP, envelope sender and envelope recipient, it returns a temporary (4xx) error. A full-blown MTA handles that error invisibly as part of normal operation: it queues the message, retries after a delay, and the retry is accepted. A spam engine that fires and forgets never comes back. It won't stop all spam (a bot that does bother to retry gets through, and mail from a first-time sender is delayed by however long the retry takes), but it'll probably clean up most of your incoming nastiness.
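The decision logic is small enough to show in full. The following is an added example written for this page, not milter-greylist's own code: a greylist keyed on the (client IP, sender, recipient) triple that tempfails the first attempt, rejects a retry that comes back too quickly, and accepts one that arrives after the configured delay. The delay and expiry values and the simulated senders are constructed for the example.

```python
"""Greylisting in miniature: tempfail unknown triples, accept a proper retry.
Added example for this post, not milter-greylist's code; values are constructed."""

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 OK"


class Greylist:
    """Keyed on (client IP, envelope sender, envelope recipient).
    delay:  how long a sender must wait before a retry is honoured.
    window: how long a pending record stays valid before it is forgotten."""

    def __init__(self, delay=300, window=4 * 3600):
        self.delay = delay
        self.window = window
        self.pending = {}     # triple -> time of first attempt
        self.passed = set()   # triples that completed a proper retry

    def decide(self, client_ip, mail_from, rcpt_to, now):
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.window:
            self.pending[key] = now          # new, or stale: (re)start the clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                  # retried too early; a real MTA waits
        del self.pending[key]
        self.passed.add(key)                 # queue-and-retry behaviour observed
        return ACCEPT


def simulate(attempt_times, client_ip="203.0.113.9",
             mail_from="sender@example.test", rcpt_to="me@example.test"):
    """Feed one sender's delivery attempts (seconds from the first attempt)
    through a fresh greylist and return the three-digit SMTP codes seen."""
    gl = Greylist()
    return [gl.decide(client_ip, mail_from, rcpt_to, t)[:3] for t in attempt_times]


if __name__ == "__main__":
    # A real MTA: first attempt tempfailed, retry 15 minutes later accepted,
    # and further mail from the same triple goes straight through.
    print("real MTA  :", simulate([0, 900, 950]))
    # A fire-and-forget zombie never retries, so the message never lands.
    print("zombie    :", simulate([0]))
    # A zombie hammering the same triple without waiting gets nowhere either.
    print("impatient :", simulate([0, 2, 4]))
```

Two failure modes to plan for: large senders often retry from a different address in the same pool, so the triple never matches and their mail is delayed repeatedly (mitigations are whitelisting and matching on the sender's subnet rather than the exact address), and anything that must arrive promptly, such as password-reset mail, pays the retry delay on first contact.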

DDoS page

I blogged about the DDoS page (at the University of Washington) in February of last year. It's a good source, has gotten bigger, and is worth blogging again.

Tuesday, November 16, 2004

Translating RSS Feeds

I've added a short piece to the Wiki about translating RSS feeds prior to aggregating them.

RSS feeds for Wiki

For anyone that's interested, here's the URL's for the "Recent Changes" feeds for the Wiki:

Enjoy!

Sunday, November 14, 2004

Fsck'in moron!

The following is excerpted from comment spam created after the sender noticed that I'd disabled comments.

  name: video chat
  url: http://www.video[-]chat[-]room.c0m
  date: 11/13/2004 07:06:27
  title: video chat
  comment: Why my previous comments was deleted, how about freedom of speach?
  excerpt:
  blog_name:
  ip: 62.183.50.164

My son learned the answer to that question at the dinner table, when he was 12. The answer? "I'm not the Federal government. So sit down and shut up."

Mebbe we should give lessons in U.S. law to overseas spammers so they don't sound so f*cking stupid when they ask questions? If there's any question, I did munge the url a bit to prevent him from getting any points with the search engines.

In answer to the first part of the spammer's question, it was deleted because it had absolutely nothing to do with the post it was attached to. Chingate cabron!

It's too quiet

If you've read this blog from early on, you know that I live near some people/organizations that seem to end up in the news. A lot. Examples include: Pat Robertson, PETA, the Edgar Cayce Foundation, the Sniper trials, and the Friendship Patrol. Maybe I'm just being paranoid but, barring the insanity in the political area for the past year, I think it's been too quiet. Someone out there is planning something.

Maybe I'm just used to living in areas where being boneheaded in public is considered a form of entertainment (HI, NYS, SOVA)?

Application Layer DoS Attacks

InfoSecWriters has a good paper on the different types of application layer denial of service attacks.

Building Policy

Here's a SANS paper which discusses the corporate requirements for security and how to get there. I did a quick skim of the paper and it appears that the only thing missing is FIPS 199 compliance (a common syntax standard).

Saturday, November 13, 2004

Spamming

I've turned off comments until I can figure out a different approach to comments. The spammers have won, for now. If you need to post a comment, please send it to me directly (joat 757.org <-- insert "@" in the appropriate place).

Yet more legal issues coming this way

The WTO has told the U.S. how to (I wanted to say "suck eggs" but...) run its internal affairs by ruling that the U.S. law banning online gambling is damaging to the Antigua and Barbuda economies. (Uh, when did the WTO become a legislative body?)

While it may be true that the law blocks the growth of that industry, I'm not so sure that passing the law damaged the economy. Rather, the law made online gambling within the U.S. illegal, forcing the sites to move out of the country, thereby creating the economy that is supposedly now endangered.

It should prove interesting what comes out of this and the upcoming attempt by the U.N. to "govern" the Internet, not only for the U.S. but for any country who'll have to give up sovereignty to participate. (Example: some of the things that I talk about here are illegal in Europe but inane here in the U.S.)

Is that thunder?

Giants are battling somewhere. Me? I'm going to pull the covers up over my head. Tell me when Novell v Microsoft and the whole SCO thing is over.

Bloglines

Apologies to anyone accessing my Bloglines subscriptions. At just shy of 300 feeds, it has gotten a bit unwieldy. I've decided to clean out the dupes and unsubscribe from the feeds that aren't relevant. It had gotten to the point where it takes hours each week just to read those feeds. Hopefully things will improve shortly...

SarbOx

The rules change next week. Most of the industry is waiting for the first "case" to go to court to see what happens. After that, it'll either be yawns or a sudden shift in security budgets.

Honeypots

Here's a NewsForge article which discusses basic theory of honeypots. (excerpted from the book "Know Your Enemy: Learning about Security Threats")

TAP Mag.

More info for those of you studying for Geek Trivia: TAP Magazine (first 10 issues).

Friday, November 12, 2004

Playing with speech

I finally had enough time to re-install the text-to-speech tools (speechd and festival) so that I can monitor IRC channels in XChat. I've added the process to the Wiki. Now I only have to redo the RAM disk stuff and write/tune the shorthand translators.

SSH Keys

Here's a good article on SSH keys. The use of public key authentication makes SSH very, very convenient to use (moving files, remotely executing scripts on multiple machines, monitoring "state" on remote systems, etc.) and, in some cases, protects against certain types of attack.

IPSec on IPv6

Here's InfoSec Writers' paper on IPSec under IPv6.

The Phishing Guide

The Phishing Guide (PDF) discusses the various problems that scammers exploit and how to protect against them. A decent read. On a related note, here's an article describing five steps to protect yourself.

Thursday, November 11, 2004

Wednesday, November 10, 2004

Harlan takes a pounding and keeps ticking

Harlan often comments here. (Hi Harlan!) A review of his book has been posted on Slashdot. To state the obvious, he's received both good and bad responses from Slashdot. Mostly good.

Of course the usual obfuscators showed up within the first few comment posts. And the usual conspiracy freaks. According to one of them, you can recover files via a one-to-one bit copy even after the original had been overwritten ten times.

In an odd twist of timing, tonight's class worked with Helix to gather data from a running system. For those that don't know what it is, Helix is a Linux-based "live CD" that also is devoted to obtaining forensics data from live systems and making bit copies of storage devices. In addition to being a "live cd", you can also drop the CD into the drive on a running Windows system. "Autorun" will bring up an interface with a set of statically-compiled tools which allow you to perform various forensics functions (see the site for more info).

ShmooCon

ShmooCon seems to be shaping up nicely (visit the site!). Quite a few people going from this end of the state.

Stored Malicious Code

SecuriTeam has a paper which discusses Second Order Code Injection attacks which cause an attack to be executed at a later time.

Christmas is coming

I once worked at a place where the boss would stage Nerf Gun fights in the large conference room, immediately after the pot luck. I miss those days. Especially after this has become available. In those days, all we had was a couple chain-fed repeaters...

Monday, November 8, 2004

Spammers

The arms race has escalated again. This site is being spammed into oblivion by a network in the Netherlands and an IP address belonging to the state of Ohio. Until I get the code behind the blog cleaned up, I'm going to turn off comments. I'm also going to do a bit of research for applicable laws (worst case == I need the data for a term paper).

Cryptovirology and Extortion

I haven't had a chance to read the paper yet, but while I was digging for references to cryptovirology I came across this CiteSeer reference which discusses the use of cryptovirology in extortion threats.

Note: to read or download the paper yourself, click on one of the links in the upper right-hand corner.

Cryptovirology

The book is still in my "to read" stack but here's the site for the book Malicious Cryptography - Exposing Cryptovirology.

2-year Train Wreck

I can't vouch for the veracity of this but if there's any truth in it, it's gonna make the SCO fiasco quite entertaining legally.

Most of the Internet's problem protocols are on that list. 'Bout the only thing missing is SMTP. I wonder why that's not on the list.

In any case, this should set the purists' (on both sides of the fence) teeth to grinding. Think of it, having to include a MS license with every *nix (Linux, Sun and *BSD) and MacOS distro.

I'm reminded of something my grandmother used to say: I can't see the good in it, in either direction.

Brian Carrier

Here's a link to Brian Carrier's digital forensics page.

Sunday, November 7, 2004

Saturday, November 6, 2004

SoBig

They haven't caught the author of the worm yet but here's an analysis of the code.

Procmail howto

I love Procmail. I've used it for years, employing it to do everything from files-on-request to filtering spam and viruses. Security Focus has a four-parter:

Electronic Crime Needs Assessment

More interesting online reading from the NIJ website: Electronic Crime Needs Assessment for State and Local Law Enforcement.

Thursday, November 4, 2004

Music.HRConnect

Now a word for/from our sponsor...

If you're a musician/band from Southeast Virginia, be sure to list your band on Music.HRConnect. If you're not in a band and are just looking for a place to go, check out the venues/schedules on the site. You can even listen to some of the bands' MP3's.

Spyware Warrior

Spyware Warrior is an interesting blog about fighting spyware.

Electronic Crime Scene Investigation

The National Institute of Justice (NIJ) has made available an online version of Electronic Crime Scene Investigation: A Guide for First Responders (Jul 2001).

Wednesday, November 3, 2004

P2P Summit presentations

The Utah SAINT has a pointer to the presentations from the most recent P2P Summit. It's nice to see that at least some legislators are getting involved in the technologies before attempting to pass incoherent laws (in other words, learning about the tech so that violators can be held responsible for their actions rather than holding the tech responsible and crippling an entire field of technology).

According to the post, the presentations will be available for a limited time.

Digital Evidence Collection

Here's a good "protocol" for evidence collection, entitled "Forensic Examination of Digital Evidence: A Guide for Law Enforcement".

Tuesday, November 2, 2004

Bleeding Snort Howto

Bleeding Snort has a howto for setting up Bleeding Edge Snort rules so that they'll run with a live CD distro. The original objective was to allow a temporary sensor to be set up to detect spyware.

About E-mail Spoofing

HNS has a short piece entitled "Understanding E-mail Spoofing".

Monday, November 1, 2004

Podcasting

For my own reference, various people are leaving their favorite podcast sites in Tejas Patel's blog.

Bluedriving?

I'm interested, not as someone who does this sort of thing, but as someone who has to protect against it. My question is: if you modify an interface so that it can pick up communications from a mile away, how do you tell which is what and where?

Also, does anyone make directional antennas for Bluetooth? Or is it even worth the trouble of performing periodic scans because even cell phones have an interface nowadays?

Thanks to Furrygoat for pointing out the site.

Sunday, October 31, 2004

Help Wanted

If you use the Bleeding Edge Snort rules to alert on spyware, there's a request for data on the Bleeding Edge blog. One user has already contributed virus data. Now they're looking to add in spyware data for analysis purposes.

Honeypots

Here's an interesting paper entitled Honeypots Revealed.

Fuzzy Fingerprints

Here's a year-old paper on a type of non-cryptographic attack on public key cryptography called Fuzzy Fingerprinting.

Saturday, October 30, 2004

Google Hacking Database

Regardless of what management thinks about the site (so do the searches from home), you really should use the techniques displayed on the GoogleDorks site (now called the Google Hacking Database) to check what Google "sees" via/from your organization's network.

PKI Problems

Using PKI isn't all beer and skittles. It's meant for very specific applications, not as a cure-all (even for PKI-token-based logins). Here's a paper discussing some of the shortcomings.

Friday, October 29, 2004

Online Security Magazine

The Security Journal posts its content online via PDF files. There are quite a few interesting articles there.

Local access

This should not be a surprise. With physical access to the authenticating mechanism, not even PKI or bio-authentication is safe.

Wednesday, October 27, 2004

DPMS Howto

Here's a quick howto for configuring DPMS (turns your monitor off after a period of non-use) under Linux.

Plain Text Vulnerability Found in Linux

This is funny. For those that cannot decode hex "72 6D 20 2D 72 66 20 2F" translates to "rm -rf /" and "6D 76 20 2F 73 62 69 6E 2F 69 6E 69 74 20 2F 73 62 69 6E 2F 62 69 6C 6C 72 75 6C 65 73" translates to "mv /sbin/init /sbin/billrules". Just wait until they find out what "65 6A 65 63 74 20 2F 64 65 76 2F 63 64 72 6F 6D" does!!

Tuesday, October 26, 2004

No op

Please excuse any vagaries in the comment system. I'm tweaking the writeback code to combat the comment spammers (they've been getting out of hand recently).

Worm

Here's yet another paper on the MS04-011 vulnerability and how a worm was developed out of it.

Shatter Attacks

Does the claim "there's nothing that can be done about shatter attacks" still apply? I seem to remember the claim that because the vulnerability was so ingrained in the OS that a total rewrite would be required. The good news was that it required physical access to the local terminal. Anyone know if it's still true?

Monday, October 25, 2004

Sunday, October 24, 2004

Amap and Hydra

Just for info: new versions of Amap and Hydra are out.

Viral code and free speech

I disagree with Mr. Kabay's article in that picking out exceptions to free speech is bad practice. What he's describing is some very nasty forms of censorship and prior restraint. Who gets to define "viral"?

A lot of the issue centers around intent, something which the courts often have to determine. It's what Mr. Kabay's article is trying to avoid having to do.

If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!!

The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and it's justifiable to pass out the pitchforks and torches and head towards the castle.

A friend (hi Steve!) has a much better one: Ita bardus plector.

Forensics Page

Added a Forensics Toolkit page to the wiki with the intent of reviewing various tools as I learn.

What is spyware?

Here's a step in the right direction. Microsoft has stood up a Fight Spyware page. Surprisingly, they even recommend the usual third party tools (Ad-aware and Spybot S&D) to combat the problem. Brava!

Spanning Tree Vulnerability

Here's a quick discussion, with a sample exploit, of one of the problems with the Spanning Tree Protocol. The exploit requires physical access to the switches (or at least two network segments from different ports). It is reason enough to use port security and lock your wiring closets though.

Saturday, October 23, 2004

So called firewalls

Because of this, today I'm venting about "firewalls" and "security".

"Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old layer 3/4 vs. Layer 7 argument vent again!) A proper firewall involves a bastion host (the hardware, software and services stripped to the bare minimum to function and then configured to running in a specific manner) running very specific services which provide the maximum possible control on protocols and services that your users (via management) cannot live without.

As a general rule of thumb for deciding how to handle a request for a protocol:

  • disallow the protocol
  • if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
  • if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IP's and the directions that the requests can be made and log as much as possible
  • if you can't do that, reconsider disallowing the protocol
  • if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
  • if you can't do that, reconsider disallowing the protocol
  • if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible

That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023). Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OS's or firewall programs that "leak").

You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.
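The scan described above (probes sourced from port 80 against a filter that admits "reply" traffic by port number) is the reason connection tracking matters. The following is an added example, not code from the post: a stateless "web only" rule set is evaluated beside a connection-tracking filter on a handful of constructed packets. The addresses, ports and the exact rules are assumptions for the example.

```python
"""Added example (not from the original post): a stateless Layer 3/4 'reply
traffic' rule beside a connection-tracking rule, evaluated on constructed
packets. Addresses, ports and the rule set are assumptions for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool        # TCP ACK flag set (True on everything but the opening SYN)
    direction: str   # "in" = from the Internet, "out" = from the inside


def stateless_allow(p):
    """'Web only' on a packet filter with no connection table: outbound to port
    80, and inbound only if it looks like a reply (source port 80, destination
    port above 1023, ACK set, which is what an 'established' keyword checks)."""
    if p.direction == "out":
        return p.dport == 80
    return p.sport == 80 and p.dport > 1023 and p.ack


class StatefulFilter:
    """Same policy, but an inbound packet is admitted only if it belongs to a
    connection that an inside host opened first."""

    def __init__(self):
        self.conns = set()

    def allow(self, p):
        if p.direction == "out":
            if p.dport != 80:
                return False
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.conns


# constructed traffic
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, False, "out"),  # user opens a web connection
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, True, "in"),    # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.5", 3389, True, "in"),     # probe sourced from port 80
    Packet("198.51.100.7", 80, "10.0.0.5", 1025, True, "in"),     # another high-port probe
    Packet("198.51.100.7", 4444, "10.0.0.5", 3389, True, "in"),   # probe from another port
]


def evaluate(traffic=TRAFFIC):
    """Return each filter's verdict per packet (True = allowed through)."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in traffic],
        "stateful": [stateful.allow(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The stateless filter passes both port-80-sourced probes because nothing in the packet header distinguishes them from a reply; the stateful filter rejects them because no inside host ever opened those connections. Real filters track far more (sequence numbers, timeouts, UDP pseudo-state), but the difference in principle is exactly this one lookup.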

This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk.

Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus, the need for federal legislatures to "step in".

Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards. However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections.

Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources has the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.)

The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide various administrative and investigative functions relating to information security. It's not that far of a jump for government to provide equivalent compliance testing and licensing functions.

ZoneMinder

For my own benefit, here's an article about ZoneMinder.

Security Lists

Sharp Ideas has a really long list of security-related mailing lists.

Friday, October 22, 2004

Thursday, October 21, 2004

Wednesday, October 20, 2004

Layered Security

Here's a decent paper on defense-in-depth.

tfn2kpass

TFN2K, the DDoS tool, uses passwords that are built into the code at compile time. If you're evaluating malicious code, it might be nice to figure out what the password is. tfn2kpass was written by NMRC to perform just this function.

Tuesday, October 19, 2004

Turning things off

Here's a slightly out-dated tutorial for turning off services.

Magic Codes

I can't state an obvious use for Magic Codes yet, but it does look like a handy tool to have around.

Monday, October 18, 2004

Forged Traceroute

Just so you all know, even traceroute packets can be spoofed under certain conditions.

Check-ps

Check-ps looks like it would be worthwhile in a forensic toolkit. The quick description of it is "hidden process detector". If anyone's used it, please let me know what you think of it.

Sunday, October 17, 2004

An Overview of Cryptography

Here's Gary C. Kessler's "An Overview of Cryptography".

MatrixDump

This is silly enough in the right direction that I've got to try it. Thanks, Burak!

Be prepared

If you share your network with anyone (anyone!) with administrative
access to any (that's ANY!) system, then you need to take a few
precautions to help recover from a network compromise. The following
are steps that we've learned in the open lab:
  • Know the MAC
    address for the default gateway (have it written down)
  • Know the
    hostname(s) and IP address(es) for your servers, especially your DNS and
    directory servers
  • if you're done with a dangerous tool, delete
    it and the source code
  • scan your systems, inside and out, before
    and after active analysis
  • log and record as much as possible, no
    matter how silly it seems

Some of those are forensic
measures but those first two are valuable bits of information if you're
suddenly trying to figure out why the Google page suddenly reads "All
your lookups are belong to us!"
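The first two items in that list only help if you actually compare the written-down values against the live network. As an added example (not the post's own script), here is a small check that parses a neighbor-table snapshot and a resolver configuration and reports any drift from a recorded baseline. The baseline values and both snapshots are constructed; in use the snapshots would come from `ip neigh` (or `arp -a`) and `/etc/resolv.conf`.

```python
"""Added example (not from the original post): compare a recorded baseline of
the default gateway's MAC address and the known DNS servers against a fresh
snapshot. All addresses and the snapshot text below are constructed."""
import re

# what you wrote down on a good day (constructed values)
BASELINE = {
    "gateway_ip": "10.0.0.1",
    "gateway_mac": "00:11:22:33:44:55",
    "dns_servers": {"10.0.0.53", "10.0.0.54"},
}

# constructed snapshot in 'ip neigh' format: the gateway's MAC has changed
ARP_SNAPSHOT = """\
10.0.0.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.53 dev eth0 lladdr 00:11:22:33:44:53 STALE
10.0.0.77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
"""

# constructed resolv.conf: a resolver nobody put on the list has appeared
RESOLV_SNAPSHOT = """\
# constructed resolv.conf
nameserver 10.0.0.53
nameserver 198.51.100.9
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neighbors(text):
    """Map IP -> MAC from 'ip neigh' style lines; lines without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_resolv(text):
    """Return the nameserver entries of a resolv.conf, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check(baseline, neigh_text, resolv_text):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    neigh = parse_neighbors(neigh_text)
    gw_ip = baseline["gateway_ip"]
    gw_mac = neigh.get(gw_ip)
    if gw_mac is None:
        findings.append("gateway %s not present in neighbor table" % gw_ip)
    elif gw_mac != baseline["gateway_mac"].lower():
        findings.append("gateway MAC changed: expected %s, saw %s"
                        % (baseline["gateway_mac"], gw_mac))
    for srv in parse_resolv(resolv_text):
        if srv not in baseline["dns_servers"]:
            findings.append("unexpected nameserver %s" % srv)
    return findings


if __name__ == "__main__":
    for finding in check(BASELINE, ARP_SNAPSHOT, RESOLV_SNAPSHOT):
        print("WARNING:", finding)
```

A changed gateway MAC is the classic symptom of someone answering ARP for the router; a resolver you never configured is the "all your lookups are belong to us" case. Neither finding is proof on its own (hardware gets replaced, DHCP options change), which is why the baseline has to be kept current by a person rather than regenerated automatically.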

Friday, October 15, 2004

FAQ FAQ

Ryumaou has pointed to a good O'Reilly article on FAQ software.

POP3 via Telnet

This sort of thing is good-to-know for system administrators needing to test POP3 or anyone without a client needing to check their mail.

Thursday, October 14, 2004

No op

More apologies for the sudden drought in blogging. The new job has affected
my sleep patterns and I'm only now catching up. Probably explains the
grouchy post below too. Things should even out in the next few weeks
but Mondays and Wednesdays are still going to be 16-hour days.

CircleID Blog

I've added the CircleID feed to my bloglines subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent here (http://www.cs.rochester.edu/~bukys/weblog/archives/2004/10/13.html#001941).

I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time.

This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an a-political organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or factionism.

Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?)

Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the new feed.

Tunneling POP3

If you're sitting at a security conference, you definitely don't want to
be "popping" your e-mail unless you're encrypting the connection
somehow. This
is a tutorial for configuring Putty to tunnel POP3 connections.
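The "POP3 via Telnet" post above and this one are two sides of the same fact: the protocol is a few plain-text commands, and the password is one of them. The following is an added example, not from either tutorial: a minimal POP3 server state machine driven by a client function, so the exchange you would otherwise type by hand is visible line by line, including the dot-stuffing of message bodies. The mailbox, user and password are constructed and nothing here opens a socket.

```python
"""Added example (not from the original post): a minimal POP3 server state
machine plus a client that drives it, so the exchange you would otherwise type
by hand over telnet is visible line by line. The mailbox, user and password
are constructed; nothing here touches the network."""

# constructed mailbox: user -> (password, list of raw messages)
MAILBOX = {
    "alice": ("s3cret", [
        "From: bob@example.test\r\nSubject: hi\r\n\r\nfirst line\r\n.a line starting with a dot\r\n",
        "From: carol@example.test\r\nSubject: lunch?\r\n\r\nnoon?\r\n",
    ]),
}


class Pop3Server:
    """One session: AUTHORIZATION state until PASS succeeds, then TRANSACTION."""

    def __init__(self, mailbox):
        self.mailbox = mailbox
        self.state = "AUTHORIZATION"
        self.user = None
        self.msgs = []

    def greet(self):
        return "+OK POP3 server ready\r\n"

    def handle(self, line):
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            return "+OK bye\r\n"
        if self.state == "AUTHORIZATION":
            if cmd == "USER":
                self.user = arg
                return "+OK\r\n"
            if cmd == "PASS":
                entry = self.mailbox.get(self.user)
                # the password arrives in the clear; the server just compares it
                if entry and entry[0] == arg:
                    self.state, self.msgs = "TRANSACTION", list(entry[1])
                    return "+OK %d messages\r\n" % len(self.msgs)
                return "-ERR invalid login\r\n"
            return "-ERR not authenticated\r\n"
        if cmd == "STAT":
            return "+OK %d %d\r\n" % (len(self.msgs), sum(len(m) for m in self.msgs))
        if cmd == "LIST":
            rows = "".join("%d %d\r\n" % (i, len(m)) for i, m in enumerate(self.msgs, 1))
            return "+OK\r\n" + rows + ".\r\n"
        if cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(self.msgs):
            body = self.msgs[int(arg) - 1]
            lines = body.split("\r\n")
            if lines and lines[-1] == "":
                lines.pop()
            # dot-stuffing: a body line that begins with '.' gets a second '.'
            # so the lone '.' terminator line stays unambiguous
            stuffed = "".join(("." if l.startswith(".") else "") + l + "\r\n" for l in lines)
            return "+OK %d octets\r\n" % len(body) + stuffed + ".\r\n"
        return "-ERR unknown command or message\r\n"


def unstuff(reply):
    """Split a multi-line reply into its status line and the de-stuffed payload."""
    status, _, rest = reply.partition("\r\n")
    lines = rest.split("\r\n")
    if len(lines) < 2 or lines[-1] != "" or lines[-2] != ".":
        raise ValueError("multi-line reply not terminated by '.'")
    payload = "".join((l[1:] if l.startswith(".") else l) + "\r\n" for l in lines[:-2])
    return status, payload


def run_session(server, user, password, msgnum):
    """Drive a full session; returns (transcript, STAT reply, message body)."""
    transcript = [("S", server.greet())]

    def send(line):
        transcript.append(("C", line + "\r\n"))
        reply = server.handle(line + "\r\n")
        transcript.append(("S", reply))
        return reply

    send("USER " + user)
    send("PASS " + password)   # anyone on the path sees this: hence the tunnel
    stat = send("STAT")
    status, body = unstuff(send("RETR %d" % msgnum))
    send("QUIT")
    return transcript, stat, body


if __name__ == "__main__":
    for side, text in run_session(Pop3Server(MAILBOX), "alice", "s3cret", 1)[0]:
        print(side, repr(text))
```

Printing the transcript shows `PASS s3cret` going over as just another line, which is all a sniffer on the conference wireless needs; an SSH tunnel (or POP3 over TLS) wraps the whole exchange so that line never appears on the wire in the clear. The `unstuff` step is the part people forget when testing by hand: a body line that starts with a dot comes back with two, and the single `.` line is the end of the reply, not part of the message.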

Wednesday, October 13, 2004

Linux Toys

The site has nothing to do with security but Linux Toys has a list of
interesting projects.

Tuesday, October 12, 2004

Internet BBS's

Sometimes information can be found in the most out of the way places, so
it's valuable to know that the out of the way places exist. In this
case, telnet-reachable (Internet) BBS's. The BBS Corner maintains a list. (via TinyApps)

Monday, October 11, 2004

Sunday, October 10, 2004

Soldering

A soldering howto. Remember to solder in a well ventilated area and avoid the fumes. (via TinyApps)

Saturday, October 9, 2004

Aggregation

This is the problem with data aggregation. What can be used for good, can also be used for evil.

No op

Apologies for the dearth of blogging. A very busy day. My birthday. Rebuilt 4-year-old laptop with new version of Linux (and I didn't have to patch/rebuild the wireless/power/pcmcia modules). Actually made it thru 10 of the 17 houses at Homearama 2004. Absolutely loved the 3rd floor in one, the kitchen in another, and the first floor in another. Unfortunately, I'll never be able to afford any of them. Nice houses, but not worth what they're asking for the houses.

TCP/IP Illustrated Online

Here's the online version of Mr. Stevens's book.

Friday, October 8, 2004

Encrypted FS

Here's a howto for setting up or accessing an encrypted filesystem within a file. Can anyone suggest some pointers to cracking this sort of thing? I know that the suggested first try is to attempt to capture the passphrase via a keylogger and that the last resort is brute force. What I'm looking for is pointers to develop the "protocol" for what's between those two choices.

Thanks Dana!

Bruce Schneier is blogging!

Password recovery

(via TinyApps) A beginner's guide to password recovery.

Thursday, October 7, 2004

Phishing Test

Here's an online test to see if you can recognize phishing fraud without looking at the source code. I assume it's an intellectual exercise as the first thing you'd want to do is look at the source code. In real life, you want to avoid HTML-based email and never ever click on a link in e-mail. Type it by hand instead and only if you're sure what it is.

De-perimeter-ization

This is an article on a topic that really frustrates me: removing the perimeter. The author treats firewalls (and, for that matter, security) as a single blackbox approach rather than as part of a layered process.

While the Internet and tech business may be driven by the "next cool
thing", security is not. It's based on well-defined processes and
practices. It will probably take a couple years but management should
eventually catch on (the hard way) and we'll go back to defense
in-depth.

Don't use LM hashes

Further reason to avoid your basic LM hash for authentication:

Wednesday, October 6, 2004

Polymorphic Shellcode

If you're in network security, this should bring your nightmares back: adding polymorphism to shellcode.

Wireless Weapons

Here's one of the presentations from the upcoming ShmooCon, entitled "Wireless Weapons of Mass Destruction for Windows".

Cracking HowTo

Here is the process that hackers more or less take to break into systems. For those of you that are considering using this process, consider that law enforcement is getting better at tracking down hackers.

Also, some of the data in that "howto" isn't exactly accurate. Example: l0pht is now a commercial business with gov't ties. Example: cDc lost their "key players" years ago and are now a forum for anti-government vents.

If you must hack, do it to your own systems. Learn what it takes to clean up after a system has been broken. Learn how to locate the bad code. Learn how to analyze the bad code. Start analyzing other people's break-ins (search Google for "Scan of the Month"). Figure out where your strengths are and shore up your weaknesses. Become an expert, not a convict.

ADS info

From TinyApps, a list of ADS-related links:

Tuesday, October 5, 2004

Let them add their 2 cents

This is a bit mish-mash but is a good discussion of why you should consider input from other departments during your incident response. However, it can be taken to the extreme as the author shows in one example.

Tracing Email

Les Bell has a good demo of backtracking unwanted email. (via Martin Mckeay)
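Backtracking a message means reading the Received: headers from the top (the one your own server added) downward, and trusting only the ones written by hosts you control, since anything below that point could have been forged by the sender. As an added example, not Les Bell's demo and not code from the post, here is that walk over a constructed message; `mx.example.test` and `mail1.example.test` are assumed to be your own mail hosts.

```python
"""Added example (not from the original post): walk the Received: headers of
a message from the newest downward and stop at the first one not written by
a host we control; the last trusted hop is where the message entered our
system. The message and host names are constructed."""
import re
from email import message_from_string

# assumed to be our own mail servers; only headers they added are trusted
TRUSTED_HOSTS = {"mx.example.test", "mail1.example.test"}

# constructed message: the sender claims to be a bank, but our edge server
# received it from an unrelated host with no reverse DNS
RAW = """\
Received: from mx.example.test (mx.example.test [192.0.2.10])
\tby mail1.example.test with ESMTP id abc123; Mon, 4 Oct 2004 09:15:02 -0400
Received: from relay.open-relay.test (unknown [203.0.113.45])
\tby mx.example.test with SMTP id def456; Mon, 4 Oct 2004 09:15:01 -0400
Received: from friendly.bank.test (friendly.bank.test [198.51.100.2])
\tby relay.open-relay.test; Mon, 4 Oct 2004 09:14:50 -0400
From: security@bank.test
To: victim@example.test
Subject: verify your account

constructed body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it
RECV_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([0-9.]+)\]\)\s+by\s+([^\s;]+)")


def parse_received(value):
    """Return the hop fields from one Received: header, or None if unparsable."""
    m = RECV_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3), "by": m.group(4)}


def trace(raw, trusted):
    """Parse all hops (newest first) and find the entry point into our system."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    chain = []
    for hop in hops:
        # below the first untrusted writer, every header is the sender's claim
        if hop is None or hop["by"] not in trusted:
            break
        chain.append(hop)
    entry = chain[-1] if chain else None
    return {
        "hops": hops,
        "trusted_chain": chain,
        "entry_point": entry,
        "helo_matches_rdns": bool(entry) and entry["helo"] == entry["rdns"],
    }


if __name__ == "__main__":
    result = trace(RAW, TRUSTED_HOSTS)
    print("entered via", result["entry_point"]["ip"], "claiming", result["entry_point"]["helo"])
    print("HELO matches reverse DNS:", result["helo_matches_rdns"])
```

Here the only fact worth reporting is 203.0.113.45: our own edge server saw that address hand over the message. The third header, with its convincing bank hostname, was written by a host we do not control, so it is evidence of nothing. The regex covers the common `from X (Y [ip]) by Z` layout; MTAs vary, so a production version needs a few more patterns and should treat an unparsable trusted header as a reason to stop, not to guess.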

Linux BeOS

One of my tangents led me to BeOS for Linux (scroll down a bit). I'm interested in playing with this once I get my desktop upgraded to an ivtv-capable distro.

Knoppix Hacks

From TinyApps comes a link to O'Reilly's new book: Knoppix Hacks - 100 Industrial-Strength Tips & Tools.

Monday, October 4, 2004

Book excerpt

InformIT has an excerpted chapter from Defend IT: Security by Example. The chapter is entitled "The Role of Computer Forensics in Stopping Executive Fraud" and uses a case study to outline the process and highlight some of the issues encountered in investigations. (via Forensic Focus)

Help?

I know most of the issues involving unauthorized copies of music but
here's one. If the MPAA earns $.02 per blank CDR because they might be
used for copying music, what right does the MPAA have to complain? If
someone can point me toward any legal opinions on the issue, it would be
appreciated. Also, since I've been burning logs and file backups to CDR
for almost a decade (I'm in an area where magnetic backups don't last
long) at the rate of 1 or 2 disks per day, is there any way I can get my
$.02 back?

LURHQ

Here's a news article about how LURHQ provided expert witness to rebut a defense's expert witness. Seems they'd left out a bit of information about how spam can be bounced off of misconfigured systems. It's nice to see the legal profession finally catching up. Our area only has one technically trained lawyer and he is a very busy person.

As dry and
boring as most court cases can be, I'm looking forward to reading the
judge's opinion on this. Google returns 15 links for this.

TinyApps

Came across an interesting blog devoted to small apps and related information: TinyApps. The feed is here.

Sunday, October 3, 2004

Worm modeling

If you're responsible for network security, this paper may help in evaluating your network's vulnerability to specific types of worms or predicting how much damage a specific worm will do to your network.

Sample CCE test

Barry Irwin has a pointer to a sample Certified Computer Examiner test. He's also made some comments about the material.

Took the test and rec'd a grade of 80%. It would have been higher if I'd slowed down and closely read the questions.

Honeypot attacks

Here's a very good article about what attackers do to try and defeat honeypots.

Saturday, October 2, 2004

GDI Tutorial

BleepingComputer has a GDI scan tutorial. (via the Storm Center)

Why?

I'm concerned that laws like this one get passed. The only thing that it does is make life just a little bit more inconvenient for us law-abiding types. Those that trade files illegally will continue what they're doing. Requiring an e-mail address to download mail has been done by the more prominent legitimate sites (e.g.: MP3.com) all along.

Now it's law that everyone do it. Anyone else "get" that California seems to think they have jurisdiction over technology and the Internet? Don't think so? Define "file sharing". Poorly written laws tend to get enforced in extreme ways or not at all.

The law is here. It doesn't say anything about P2P or any other specific manner of "file sharing". It only states that Californians have to disclose their email address when more than 10 people are involved. It doesn't say to whom they have to "disclose" an e-mail address. Under that badly defined law, if a left coaster provides CC or GNU licensed matter on their website, they have to provide a legitimate e-mail address.

I wonder how spammers will react to a new vector for address collection.

A bad sign

From the Spyware and Anti-Spyware Resources site, the following are links to articles describing the symptoms of a spyware infection:

In the same list is a link to LI Utilities's Windows process
lists. A very good-to-have.

DMZ Security

Fred Avolio has some good pointers
for DMZ security. What he's describing is ingress and egress filtering
for the DMZ.

Similarly, you want to tune your DMZ IDS in the same
way. You don't need specialized rules for MyDoom or SQL exploits if all
that's in your DMZ is a web server. Instead, turn on the signatures for
web exploits and create a signature or two to catch anything not
HTTP-based. Come to think of it, you're also going to see some DNS as
the server does name resolution on your visitors but, unless you're
running a DNS server in the DMZ, it will only be outbound queries.

The
point is that you should know what's needed for your DMZ to function,
you should know what "normal" traffic looks like (keep metrics!) and you
should configure your protections accordingly.
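The "know what your DMZ needs, then alert on everything else" approach is simple to express once you have flow records. As an added example, not Fred Avolio's and not from the post, here is that check run over a few constructed NetFlow-style records for a web-only DMZ: inbound HTTP/HTTPS to the web server and its own outbound DNS queries are expected, and anything else is reported. The addresses and the allow-list are assumptions for the example.

```python
"""Added example (not from the original post): an 'anything not HTTP' audit
for a web-only DMZ, run over constructed NetFlow-style records. The web server
address, resolver addresses and the flow records are all constructed."""
from collections import Counter

DMZ_WEB = "192.0.2.80"                          # assumed: the only DMZ host, a web server
DNS_SERVERS = {"192.0.2.53", "198.51.100.53"}   # assumed: resolvers it is allowed to query

# constructed flow records: (src, sport, dst, dport, proto, packets)
FLOWS = [
    ("203.0.113.5", 51234, "192.0.2.80", 80, "tcp", 12),     # normal visitor
    ("203.0.113.9", 44000, "192.0.2.80", 443, "tcp", 30),    # normal visitor
    ("192.0.2.80", 33333, "192.0.2.53", 53, "udp", 1),       # outbound lookup on a visitor
    ("192.0.2.80", 33334, "198.51.100.53", 53, "udp", 1),    # same, second resolver
    ("203.0.113.77", 3389, "192.0.2.80", 1434, "udp", 3),    # inbound probe to a non-HTTP port
    ("192.0.2.80", 40000, "203.0.113.200", 25, "tcp", 8),    # the web server sending mail?
    ("192.0.2.80", 40001, "10.0.0.5", 445, "tcp", 40),       # DMZ host talking to the inside
]


def expected(flow):
    """True only for traffic the DMZ needs in order to function."""
    src, sport, dst, dport, proto, _ = flow
    if dst == DMZ_WEB and proto == "tcp" and dport in (80, 443):
        return True
    if src == DMZ_WEB and proto == "udp" and dport == 53 and dst in DNS_SERVERS:
        return True
    return False


def audit(flows):
    """Return the unexpected flows and a count of them by (proto, dport)."""
    anomalies = [f for f in flows if not expected(f)]
    by_port = Counter((f[4], f[3]) for f in anomalies)
    return anomalies, by_port


if __name__ == "__main__":
    anomalies, by_port = audit(FLOWS)
    for f in anomalies:
        print("unexpected: %s:%d -> %s:%d/%s (%d pkts)" % (f[0], f[1], f[2], f[3], f[4], f[5]))
    print(dict(by_port))
```

The three reported flows are the three kinds of thing the post says to watch for: an inbound probe that no HTTP signature would ever match, the web server originating a protocol it has no business speaking, and the DMZ reaching back into the inside network. The point of the allow-list is that none of those required knowing the attack in advance; it only required knowing what "normal" looked like.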

No op

Apologies for the dearth of posts yesterday. My first day at the new
job. Also a busy evening. I also didn't notice that the one post I did
make, got jammed (was fiddling with code and messed up the permissions).

Thursday, September 30, 2004

Heroes

Two people that I'm in awe of: Derek Jeter for his post 9/11 work and
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.

Phishing, Fraud and Other

CastleCops has an article
entitled "Phishing, Fraud and Other Dastardly Deeds, Part 1".

Using NetFlow

Security Focus has a multi-part series on "Detecting Worms and Abnormal Activities with NetFlow": part 1, part 2.

No op

I've turned off the referer vanity for a bit. I'm taking a beating from
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.

GDI Exploit

A working version of the JPEG buffer overflow was demo'd in class last
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective.

Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda.

What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port.

So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was that XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat.

But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool.

To give proper credit, very little of
the above is my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo.

As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures.
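As an added example (mine, not from the class demo or the post), here is the sort of structural sanity check a mail or proxy filter could apply to inbound images, watching for the malformed file coming in rather than the shell going out: it walks the JPEG marker segments and rejects any whose declared length is undersized or runs past the end of the data. It does not encode the specific GDI flaw, which the post does not describe; the sample files are constructed.

```python
import struct

def _seg(marker, payload):  # FF, marker, 2-byte length (includes itself), payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not real captures: a minimal well-formed skeleton and a
# file whose comment segment declares a length too small to hold its own field.
GOOD_JPEG = (b"\xff\xd8"                                   # SOI
             + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
             + _seg(0xFE, b"constructed comment")
             + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")     # SOS header
             + b"\x12\x34\xff\x00\x56"                      # entropy data, FF00 stuffing
             + b"\xff\xd9")                                 # EOI
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"  # COM with length 1

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers with no length

def check_jpeg(data):
    """Walk the marker segments; return (ok, reason)."""
    if data[:2] != b"\xff\xd8":
        return False, "missing SOI"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:        # skip fill bytes
            pos += 1
        if pos >= len(data):
            return False, "truncated marker"
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:
            return True, "ok"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"segment 0x{marker:02x}: truncated length field"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:                                       # cannot even hold itself
            return False, f"segment 0x{marker:02x} declares length {length} < 2"
        if pos + length > len(data):
            return False, f"segment 0x{marker:02x} runs past end of data"
        pos += length
        if marker == 0xDA:  # entropy-coded data follows until a real (non-RST) marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return False, "no EOI"
```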

Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLL's detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs.

Oh, and one last thing:
"Good luck! You're on your own!"

Wednesday, September 29, 2004

Wireless Attacks

Security Focus has an article entitled "Wireless Attacks and Penetration
Testing".

LURHQ's take on the JPEG trojan

LURHQ has a good commentary on the JPEG trojan that has some of the media upset. Many had first run with the initial story of it being a virus. It's not. It's a trojan. In other news, K-Otik has also posted an all-in-one version of the exploit.

ISOC paper

Here's a paper on "The Social Engineering of Internet Fraud".

Connection Cutter

Here's a discussion of how to
cut connections using various methods on a Linux-based firewall.

Tuesday, September 28, 2004

Evolution 2.0

/. has an announcement about Evolution 2.0 being released. Since I already use SA, including it in the MUA may be redundant but I'd like to see what they're doing with it.

MS Security Training

Brian Johnson (BufferOverrun) has pointed out the various free security training offerings at Microsoft's Security Clinics and Labs.

Graphviz

Abe Usher (Sharp Ideas) has an
interesting post about
Graphviz that I'm probably going to need in the near future.

RING

From the Summerschool2004 Wiki, here's a paper discussing remote identification.

Monday, September 27, 2004

180Solutions

The following links are going to be valuable in the near future as a
friend is having to deal with an infection:

Also of interest is:

  • DoxDesk Parasites

AIM security bot

Abe Usher (Sharp Ideas) has glued together an AIM-based NMap bot.

This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out".

Nice tool if it's yours, nasty if it "belongs" to someone else.

Wireless programs

Here's a good article about the open source programs that are moving/showing up in the wireless arena.

HR 3632

The House of Representatives recently passed a bill which would add
penalties for using false information for WHOIS records. (See the
Slashdot article.)

This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records.

The current practice is to use a pseudonym for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
it's BS.

Sunday, September 26, 2004

Chaos Communication Congress

Found a blog for the upcoming Chaos Communication Congress. The blog is
here. The RSS feed is here. The wiki is here.
Links to the previous three Congresses are here.

Google hacking copiers?

Wait a minute! Are you telling me that people hook their copiers
directly to the Internet? Without the benefit of a firewall? And then
they're surprised when Google finds them?!?

SpoofStick

Phil Libin (Vastly Important Notes) has a pointer to a "gotta have" plugin for Firefox and IE: SpoofStick, which alerts you to the fact that you're visiting a spoofed web site. Wonder how long before someone writes a version for non-MS browsers. (Hint! Hint!)

Refi

Interesting use of technology. Hopefully it won't be considered an income stream.
Wonder how hard it'd be to configure an AP and street clients (iPaq's
owned by the audience) for multicast. It'd definitely change the
experience.

Saturday, September 25, 2004

Burning Man Phone

This is the sort of thing that always amazes me, when people can entertain themselves and others by creating art by combining technology and humans. It was art in that people thought it was fake, entertaining because of people's reactions to it. Without those reactions, it's just a phone booth.

Next year something will probably have to change as people will expect it to be there.