Tuesday, March 30, 2004

Monday, March 29, 2004

The next three months

Posting may get a little spotty during the coming months as I've started the local mentor class for the SANS GIAC GCIA certification (as a student). This is one of the harder ones and the practical is going to take a lot of analytical work in a short period of time (something that requires practice).

The following have priority over blogging when it comes to my remaining waking hours: a day job, trying to get a business up and running, attending meetings of various professional orgs, and attending college. I'm not saying that I'll stop blogging, just that posts may be short, sparse and/or sporadic.


The Security Basics Mailing List first pointed out the Comprehensive Risk Analysis and Management Network web site and the various publications (internal and external) available via the site, some IA-related, some terrorism-related. Also of value are the site's risk definitions.

Sunday, March 28, 2004

The HIPAA Security Rule

Security Focus has an article which discusses the HIPAA Security Rule and how it applies to "Covered Entities".

Protecting against 0-day's

ComputerWorld has an article about measures you can take to protect against 0-day exploits.


The PIRATE Act could tilt things further against "innocent until proven guilty". We've already seen "accidental" seizures of systems holding legitimate MP3s (whose filenames just happen to coincide with ones made up by pirates for songs they stole). I don't think that another law is going to improve the situation. We run the risk of having just as many IP laws as gun laws. The act is already illegal; another law will not deter people who are determined to commit the crime. (courtesy of /.)

Bruce Sterling Online Works

It's entirely off-topic but I want to keep the URL: The Bruce Sterling Online Index.


Security-Protocols has a pointer to FLAG, the Forensic and Log Analysis GUI.

FUD Wars

This gets old quickly. If you're considering a move in either direction, find yourself an objective third party with no interest in the outcome (it's more difficult than it sounds though).

Friday, March 26, 2004

NANOG presentations

Memestreams has a pointer to the NANOG Security Curriculum, a collection of presentations (pdf's, audio files, etc.) intended to educate the reader in various facets of network security. In other words, free education! These are well worth the reading.

USB security

Furrygoat has a piece on bootable USB drives. This came out about the time we (at work) were discussing policy on these things and talking about them as attack devices (the insider threat).

Appliances are better?

Tim Chiu says "appliances are better" but I'm not sure I'm taking the bait. The devices he's talking about are just computers dedicated to running the same software. I dislike the black-box approach as it promotes the seriously bad idea of "plug it in and it works". This paradigm only works if technology and threats do not change. Or, if you buy a managed box, you have to trust someone with no stake in your business to protect it.

In reading the article, it appears that the main argument is the usual standardization, one-size-fits-all approach to network security. Sorry, but I don't buy it. While using the best technologies is a good idea, you also have to take into account what you're protecting. Just like IDS's, anti-spam devices have to be "tuned" to work properly.

Guess that means that I agree with Ken Schneider.

Why they attack

Network World Fusion has an article which discusses the various reasons why hackers attack (mostly opportunity, some status, money, data, etc.), examples included.

Thursday, March 25, 2004

More point and click ranting

At the risk of alienating yet more MS purists, this is yet another point-and-click rant.

Steve Friedl has a post about exploiting the ability to quickly block new worms, in this case the NetSky worm. This supports my ongoing argument that, if you're running an Exchange server, you should have a Unix/Linux-based mail handler immediately upstream from it to filter viruses, score/filter spam, and gather various metrics. Why? If you know Perl (or some other equally capable scripting language), you can adapt to an outbreak in as little as fifteen minutes, without having to wait for the anti-virus vendors to issue a signature update (which can take up to two days).

For Steve's example, it would look something like:

   if($source_domain eq $dest_domain) {

This design relies on the assumption that mail meant to stay within the domain never leaves the Exchange box, so the upstream handler only ever sees traffic entering or leaving the network; a message arriving from outside whose sender and recipient domains are both yours is therefore forged. The idea is to add an additional layer of security, invisible to the users. For that matter, even a Microsoft-based host can fill this role as long as it's not running the same MTA software as the main mail server.
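The rule sketched above, worked through as an added example (this is not Steve Friedl's code nor this blog's Perl; it is a Python equivalent written for this page). The rule lives in a small table so that a new outbreak can be handled by adding one entry, which is the "fifteen minutes" point. The local domain name, the headers and both sample messages are constructed for the demonstration.

```python
# Added example, not Steve Friedl's or this blog's code: a perimeter mail
# handler rule table implementing the "source domain equals destination
# domain" check for mail arriving from the Internet.  LOCAL_DOMAIN, the
# headers and the messages are constructed for the demonstration.
import email
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.org"   # assumed: the domain the Exchange box serves

# Constructed messages as the upstream handler would receive them.
LEGIT_INBOUND = """\
From: partner@example.net
To: alice@example.org
Subject: Meeting

See you Tuesday.
"""

FORGED_INBOUND = """\
From: bob@example.org
To: alice@example.org
Subject: Hi

Your document is attached.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of a mailbox header, '' if there is none."""
    _, mailbox = parseaddr(header_value)
    if "@" not in mailbox:
        return ""
    return mailbox.rsplit("@", 1)[1].lower()


def internal_sender_from_outside(msg, direction: str) -> bool:
    """The rule from the post: internal-to-internal mail never leaves Exchange,
    so it can only reach the upstream handler if the sender was forged."""
    src = domain_of(str(msg["From"] or ""))
    dst = domain_of(str(msg["To"] or ""))
    return direction == "inbound" and src == dst == LOCAL_DOMAIN


# Each rule is (name, predicate).  Responding to a new outbreak means
# appending one entry here rather than waiting for a vendor signature.
RULES = [
    ("internal-sender-from-outside", internal_sender_from_outside),
]


def classify(raw: str, direction: str) -> str:
    """Return 'accept' or 'reject:<rule name>' for a raw RFC 822 message.
    direction is 'inbound' (from the Internet) or 'outbound' (from Exchange)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name, rule in RULES:
        if rule(msg, direction):
            return f"reject:{name}"
    return "accept"


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_INBOUND), ("forged", FORGED_INBOUND)):
        print(label, classify(raw, "inbound"))
```

The direction argument matters: the same headers are perfectly normal on the outbound side (mail Exchange is relaying to the Internet is never internal-to-internal, but nothing stops an administrator from testing), so the predicate only fires on the inbound path.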

Traffic Analysis

Found this while looking for a tool to play back Rootfu files (tcpreplay doesn't work in this case): CAIDA has a site devoted to learning traffic analysis.

Overview of SSH

Here's a decent overview of SSH. Includes descriptions of protocol versions 1 and 2. Also includes other good SSH-related links. (via Information Security Magazine)

How'd you do?

Only two more days in the SoTM challenge. How'd you do?

Wednesday, March 24, 2004

First Responders Guide

SilverStr has a pointer to Electronic Crime Scene Investigation: A Guide For First Responders.

BlueTooth MITM

From SecuriTeam, a paper on BlueTooth man-in-the-middle attacks.

Got root?

From Web Pro News: "How I Got Root - A Penetration Tester's Diary".

Spy ware tools

As I've not used the most popular operating system in years, I'm only recently getting back into desktop-level security. Here's an article about what appear to be the two most popular spyware clean-up tools. I'm still somewhat amazed at the amount of cruft that creeps in via surfing with Windows.

NIST's List

NIST has a list of Unix Host and Network Security Tools.

Sunday, March 21, 2004

Wireless VoIP on a lanyard around your neck!

I have a sales droid mockup of one of these on my desk at work. It's swag from a recent wireless conference that I attended. Just too cool. Voice dial. Touch to talk. Caller ID.

The only drawbacks that I could come up with are that this is not a phone. Other people in the room get to hear both sides of the conversation. Also, the size of the battery probably doesn't lend itself to extended conversations.

Obvious uses? Hospitals and warehouses where the user is normally mobile.

Stop using it! It's mine!

I agree with L. M. Orchard (over at DECAFBAD), get over it. Since when does heavy use (or abuse) equate to death? What about IRC and e-mail? The only technologies that I've seen "die" are those that are proprietary in nature and someone wants more money for its use than the general public is willing to pay.

Note: this is one of the problems with ".NET". (Why should I pay a penny for a weather forecast when I can get it for free elsewhere?) Most .NET services are subscription based and are already available via SOAP, XMLRPC, or some other technology.

Bookmaker DOS

This is old news but is an interesting read in any case. (via ThisIsLondon)

Phishing commentary

Personally, I'm very suspicious when a complete stranger talks about something that involves my money or data.

The Hitchhikers Guide to Security

To borrow an idea from Mr. Adams: First rule == Don't Panic! (via Tech Republic)

Saturday, March 20, 2004


ComputerWorld has an opinion piece entitled "IPsec: How It Works and Why We Need It".


Why do I feel that we'll see a certain company for sale on eBay real soon now?

Hey Darl! I'll save you the trouble. I'll give you a dollar for the entire company! But you gotta hurry, I'm not going to make this offer for long.

Friday, March 19, 2004

One of the problems with warning networks....

IT Toolbox has an article about "experts" wanting an early warning network for various Internet threats (from the government). Unknown to them, many of these already exist and are active to the point that the major problems experienced on the Internet could have been much worse.

The problem with these networks is that they are somewhat elitist and/or restrictive (to the point that many who could benefit from participation in these networks are excluded). Justifications include signal-to-noise ratio, disclosure risks, and/or lack of peer recognition. I was a member of a well-used mailing list for network security types for almost two years until it was decided that I didn't pass the weeding-out process (the two times I actually interacted with others from the list involved law enforcement and disclosure restrictions). Two attempts to rejoin the list (required peer "vouching") were only temporarily successful.

I've since switched jobs but may be qualified to rejoin the list in the near future (Yeah, I'm frustrated by being excluded. I miss the "edge" on various inter-network problems.)

Another online security guide

From RootSecure, the online version of the Handbook of Information Security Management.

Was there a cover-up?

This cannot be good.

Another Serv-U story

Tech Republic has another "catching the bad guy" story. Interesting reading.

Thursday, March 18, 2004

Wednesday, March 17, 2004

Tuesday, March 16, 2004


Host-based Intrusion Detection Systems (HIDS) are a recent development that has been a bit overhyped of late. Don't get me wrong, HIDS are a valuable tool. It's just that the technology has been pushed as the solution du jour a bit more than I care to see. In any case, it should be part of your repertoire for defense-in-depth. Linux Security has an article about a project called Open Source HIDS.

Sunday, March 14, 2004

Working with TWiki

Sorry for the slow-down in posting. I'm heavily loaded at the moment, building servers for a show at the end of the week.

In other news, I've managed to wedge TWiki into MT (on another site), thanks to this link from DECAFBAD. It's something that I've been searching for over the last few weeks. It was a bit hard to find as some of DECAFBAD's wiki is broken. I'm hoping I can talk the powers-that-be here into adding a Perl module and an MT plugin to the site.

It's an awesome tool (better than the PHPWiki I'm using now).

Vi templates

Deadman has some interesting scripts and templates, including PHP programming templates for Vi.

Saturday, March 13, 2004

Another spam solution

NetworkWorld Fusion has an article which discusses yet another proposed solution for fighting spam, this one involving the sender paying if the recipient rejects the e-mail. Personally, I dislike the thought of paying anything for e-mail because it leads directly into "quality of service", "service level agreements", and lawsuits.

Blog skins

How to skin a web site.

Update: BlogSkins

Friday, March 12, 2004

Stupid security

Randy Bias has an article about various security-related items including a Bruce Schneier interview and the Stupid Security Contest results.

Hidden software

Here's another hijacking story. (via GrayScales)

Wednesday, March 10, 2004


Linux Security has the first part of a series on "Using GPG".

Scary stuff

SilverStr has an article which discusses some scary stuff. Many security types seem to go through this state at one point in their career or another (usually very early but not necessarily). Hopefully, the people at Symbiot will think it through. SilverStr is able to cover most of the points why hack-back is really not a good idea.

Update: /. has an additional article about Symbiot's product.

Securing Apache

Linux Exposed has an article describing how to secure an Apache-based web server.

PBX Bridge Hijacking

Here's an article which talks about hijacking conference call systems. The article says the practice is new but I know of one incident locally that happened almost two years ago. If you have a PBX, you should take a close look at your security capabilities and practices.


Here's a quick article on bluesnarfing, an act that amounts to data theft from a cell phone.

Clueless few?

Mebbe I'm biased because of my customer service days but the only response I can come up with for this is, "clueless few"??

Anyone want to explain to the reporters that being able to point-and-click does NOT amount to "clue". If it was actually just a few, we could go over to their house and either teach them or have their Internet disconnected.

Tuesday, March 9, 2004

Tracking a hijacker

(via /.) Here's one person's account of how he backtracked an attempted e-card hijacking of his system.

Passive Information Gathering

SilverStr has a pointer to an interesting paper on passive information gathering.

Monday, March 8, 2004


Simon Willison has a piece about the dangers of PageRank. It's the entertaining side of what the comment spammers are exploiting to "get ahead".

Sunday, March 7, 2004

The Network Administrator

The Network Administrator has an interesting mix of stories about security and network administration. Interesting icon for identity theft.

US CyberCERT Alerts

Go here for instructions for getting on the Cyber Alerts mailing lists from the US-CERT.

Blog badges

For the Blogger Toolkit: Steal These Buttons.

Password guidelines

Here's a guide for choosing passwords. (from Linux Security)

Why split?

(From the Penetration Testing mailing list) Compass Security has published a proof-of-concept tool to support the reason for running a split-DNS configuration. Basically the tool allows for tunneling data through your firewall via the DNS protocol. Note: the tool is offered for a limited time but I wouldn't be surprised if it's available elsewhere.

This is similar to the problems you risk if you allow wide-open ICMP through your firewalls.
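A defender-side complement to the point above, as an added example (this is not Compass Security's tool nor anything from this blog): a tunnel through the firewall has to push its payload through the one channel the firewall allows, and in the DNS case that leaves a recognisable trace in the resolver's query log, namely many unique, high-entropy leftmost labels under a single parent domain. The log format, the thresholds and every log line below are constructed assumptions; a real deployment would read the resolver's own query log.

```python
# Added example, not Compass Security's tool or this blog's code: a detector
# run over constructed resolver log lines that looks for the traffic pattern
# a DNS tunnel leaves behind (many unique, high-entropy labels under one
# parent domain).  The log format and both thresholds are assumptions.
import math
from collections import defaultdict

# Constructed log lines: "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.6 A www.example.com
10.0.0.6 MX example.com
10.0.0.7 TXT 3f9a1c7e2b5d8e0f4a6c.t.example.net
10.0.0.7 TXT 9b2e4d6f8a0c1e3b5d7f.t.example.net
10.0.0.7 TXT 7c1d3e5f9a2b4c6d8e0f.t.example.net
10.0.0.7 TXT 0a9b8c7d6e5f4a3b2c1d.t.example.net
10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b.t.example.net
10.0.0.7 TXT d4c3b2a1f0e9d8c7b6a5.t.example.net
"""

MIN_UNIQUE_LABELS = 5      # assumed threshold: distinct leftmost labels per parent
MIN_MEAN_ENTROPY = 3.0     # assumed threshold: bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect(log_text: str) -> dict:
    """Return {parent_domain: stats} for parents whose query pattern looks tunnelled."""
    leftmost = defaultdict(set)   # parent domain -> set of data-carrying labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip blank or malformed lines
        _client, _qtype, qname = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue              # a bare parent domain carries no payload label
        leftmost[parent_domain(qname)].add(labels[0])
    flagged = {}
    for parent, labels in leftmost.items():
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) >= MIN_UNIQUE_LABELS and mean_entropy >= MIN_MEAN_ENTROPY:
            flagged[parent] = {"unique_labels": len(labels),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for parent, stats in detect(SAMPLE_LOG).items():
        print(parent, stats)
```

Two caveats a practitioner would want: content-delivery and anti-spam lookups also generate many unique labels under one parent, so the entropy threshold alone will produce false positives and an allow-list of known parents is needed in practice; and the check only works where the internal resolver is the one answering, which is exactly what a split-DNS configuration guarantees (clients that can reach arbitrary resolvers on the Internet never appear in this log).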

Custom Underlines

Here's a tutorial for creating custom CSS underlines.

Saturday, March 6, 2004

Wiki gone bad

The wiki managed to drop one of its session tables (and therefore screwed up the entire schema). Not sure how it happened but it's a good excuse to try a few other wikis. Bear with me while I get the content back online.

Lessons Learned

Computer World has an article which discusses the "lessons learned" from the recent MyDoom DDoS.

Unfortunately, the protections described are nothing new. ISP ingress/egress filtering and changing IPs have been around for years. The filtering is considered a "best practice".

The article also describes adding server capacity, which is what Microsoft did to survive its own DDoS attack. They actually moved their website to Akamai.
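What ingress/egress filtering actually decides, as an added example (not from the Computerworld article or this blog): on the way in, nothing may claim one of the site's own addresses or an address that is never routable on the public Internet; on the way out, everything must come from a prefix the site actually owns, which is what stops a compromised host inside from joining a DDoS with spoofed sources. The site prefix, the bogon list (shortened) and the sample packets are constructed; the addresses are RFC 5737 documentation ranges standing in for a real allocation.

```python
# Added example, not from the Computerworld article or this blog: an
# ingress/egress anti-spoofing check of the kind the post calls a "best
# practice", applied to a constructed packet list.  SITE_PREFIXES,
# BOGON_PREFIXES (shortened) and SAMPLE_PACKETS are all constructed.
import ipaddress

# Assumed: the prefixes this site legitimately originates traffic from.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that must never appear as a source on the public Internet
# (shortened list for the example).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def in_any(src: str, prefixes) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def spoof_verdict(src: str, direction: str) -> str:
    """'pass' or 'drop:<reason>' for a packet with source address src.
    direction is 'ingress' (from the Internet) or 'egress' (to the Internet)."""
    if direction == "ingress":
        # Nothing from outside may claim one of our own addresses ...
        if in_any(src, SITE_PREFIXES):
            return "drop:ingress-claims-site-prefix"
        # ... or a range that is never routable on the public Internet.
        if in_any(src, BOGON_PREFIXES):
            return "drop:ingress-bogon"
        return "pass"
    if direction == "egress":
        # Everything we send must come from a prefix we actually own.
        if not in_any(src, SITE_PREFIXES):
            return "drop:egress-not-site-prefix"
        return "pass"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets):
    """packets: iterable of (direction, src).  Returns [(src, verdict), ...]."""
    return [(src, spoof_verdict(src, direction)) for direction, src in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),  # ordinary Internet host
    ("ingress", "192.0.2.10"),    # our own prefix arriving from outside: spoofed
    ("ingress", "10.1.2.3"),      # private range from outside: bogon
    ("egress", "192.0.2.10"),     # our host going out: fine
    ("egress", "203.0.113.9"),    # not ours going out: a host inside is spoofing
]

if __name__ == "__main__":
    for src, verdict in apply_filter(SAMPLE_PACKETS):
        print(src, verdict)
```

The egress rule is the one most sites skip, and it is the one that protects everyone else: a MyDoom-style flood with forged sources simply cannot leave a network that applies it.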

Application Security List

(From Bugtraq): Here's the announcement of a new mailing list devoted to discussions about application security research.

RSS feed syndication

Robin Good has a listing of services to publish your RSS feeds to.


Local Area Security has a PDF-based tutorial for NBTScan.

This is one of those need-to-have tools if you have anything to do with network security. Not only can you view various NMB/SMB data for a remote machine, it's not that hard to tie it to MySQL via Perl and keep a database to find rogue systems on your network.
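The "keep a database to find rogue systems" idea from the paragraph above, as an added example (not Local Area Security's tutorial and not this blog's Perl): scan output goes into a sightings table, and anything whose MAC address is absent from the asset inventory is reported. It uses Python's sqlite3 module rather than MySQL so it runs stand-alone, and the scan output is constructed; it assumes nbtscan was run with a comma as the script-output separator (nbtscan -s , <range>), which keeps the colons inside MAC addresses from colliding with the field separator.

```python
# Added example, not Local Area Security's tutorial or this blog's Perl: the
# "keep a database to find rogue systems" idea, done with sqlite3 instead of
# MySQL so it runs stand-alone.  SCAN_OUTPUT and KNOWN_MACS are constructed;
# the assumed invocation is "nbtscan -s , <range>" (comma separator).
import sqlite3
from datetime import datetime, timezone

# Constructed scan output: ip,netbios name,server flag,logged-in user,mac
SCAN_OUTPUT = """\
192.0.2.10,FILESRV01,<server>,<unknown>,00:11:22:33:44:55
192.0.2.21,ALICE-PC,<server>,ALICE,00:11:22:33:44:66
192.0.2.99,LAPTOP-XYZ,<server>,<unknown>,00:11:22:33:44:77
"""

# Constructed asset inventory keyed by MAC address.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def parse_nbtscan(text: str) -> list:
    """Return (ip, name, user, mac) tuples from comma-separated scan output."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue                    # blank, header or malformed line
        ip, name, _server, user, mac = parts
        rows.append((ip, name, user, mac.lower()))
    return rows


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS sightings (
                        ip TEXT, name TEXT, user TEXT, mac TEXT, seen_at TEXT)""")
    return conn


def record_scan(conn: sqlite3.Connection, rows: list, seen_at: str = None) -> None:
    """Append one scan's rows, stamped with the time it was taken."""
    seen_at = seen_at or datetime.now(timezone.utc).isoformat()
    conn.executemany("INSERT INTO sightings VALUES (?,?,?,?,?)",
                     [(ip, name, user, mac, seen_at) for ip, name, user, mac in rows])
    conn.commit()


def find_rogues(conn: sqlite3.Connection, known_macs) -> list:
    """Hosts seen on the wire whose MAC address is not in the inventory."""
    known = sorted(m.lower() for m in known_macs)
    if not known:
        return conn.execute(
            "SELECT DISTINCT ip, name, mac FROM sightings ORDER BY ip").fetchall()
    placeholders = ",".join("?" for _ in known)
    return conn.execute(
        f"SELECT DISTINCT ip, name, mac FROM sightings "
        f"WHERE mac NOT IN ({placeholders}) ORDER BY ip", known).fetchall()


if __name__ == "__main__":
    db = open_db()
    record_scan(db, parse_nbtscan(SCAN_OUTPUT))
    for ip, name, mac in find_rogues(db, KNOWN_MACS):
        print(f"rogue: {ip} {name} {mac}")
```

Keying on MAC rather than NetBIOS name is deliberate: a name is whatever the machine's owner typed in, while a MAC at least has to be changed on purpose. Keeping every scan (rather than overwriting) also lets you ask when a host first appeared, which is usually the first question once a rogue is found.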

Thursday, March 4, 2004

The GhettoHackers

Xatrix.org has an article about the GhettoHackers. (These are the guys that are hosting/winning CTF at DEFCON lately.)

Wednesday, March 3, 2004

SSH Overview

Information Security Magazine has an article which gives a quick overview of SSH. This is one of those tools that you should seriously consider substituting for FTP and Telnet.

Hackers are really idea thieves?

While this may be true in some cases, I think Mr. Beighton is seriously off by trying to paint the majority with that paint brush.

Port Knocking

Kevin at The Lost Olive has a pointer to PortKnocking.org, a technology we'll probably start to see in various bits of malicious code soon.

Tuesday, March 2, 2004


It's been blogged elsewhere but it shouldn't hurt to do it here too. SecurityFocus has a collection of articles about Nessus, the open source vulnerability scanner. This one is valuable enough that you should run it in parallel to commercial grade vulnerability scanners. While there is some overlap, both scan for items that the other doesn't search for.

Here are the articles:


I've been a bit under the weather for the last few days so I've spent the day napping and watching whatever on the portable TV. As a result, I ended up watching misc. shows, including the ScreenSavers. BootDisk.com was mentioned in passing but looks to be one of those nice-to-have tools if you suddenly need a bootdisk for whatever.

Temp files

Linux Security has a paper entitled "Safely Creating Temp Files in Shell Scripts".

Monday, March 1, 2004

IP Subnetting Tutorial

Cisco has a tutorial for IP addressing and subnetting.


Here's one from Slashdot about GoogleDorks, a term which denotes the inept type of person that exposes data that he/she shouldn't have. (Then again, various media have defined GoogleDorks as the miscreants who abuse exposed data.)

Searching for this kind of thing is a weekly routine for me (I work for a very large organization and there's a need to keep various information "internal"). Understanding how to narrow searches is a must if you use a search engine on more than a passing basis. Learning how only involves a few minutes of reading (this too). Sorry, for those of you old enough to remember, I was the AV geek in middle school (yeah, I'm old enough to have operated a mimeograph too).

Yes, it can be used for evil but it's the responsibility of the data owner to secure their data. And before you say anything, that is NOT a justification for anyone to exploit exposed data. If you discover exposed data, the only thing you should do is report it to the owner. Using it for any other purpose is, at best, unethical unless that data endangers others or is illegal. In that case, there are other organizations to report to.

In any case, GoogleDorks is a Google listing of various sites that are interesting/educational to read, evil notwithstanding.

Multimedia for Fedora

Here's the howto for enabling various multimedia tools under Fedora. (Courtesy of the Lost Olive).