Friday, April 30, 2004

ISC Handlers' Diary

You should be reading the diary section of the Internet Storm Center on a daily basis.

Stumbler Detection

More fun for the packet watchers: Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection (NetStumbler, DStumbler, Wellenreiter, etc.). Cool discussion of the LLC and MAC address layers. Basically, if you can detect it, you can alert on it. (via: NetSec)

Wireless Adhoc IDS

(Courtesy of NetSec): Intrusion Detection in Wireless Adhoc Networks

You're infected

Everyone that has my home address (you're not that many), please check your machines. One of you is infected with NetSky.P. It's causing one of my boneheaded ISP techs to claim that I'm infected. Anyone else want to explain to him that:
  1. NetSky forges "From:" lines by grabbing addresses off of the infected machine
  2. I can't be infected with NetSky as I don't run MS on my home machines

I'm gonna go injure my forehead.

Thursday, April 29, 2004

DNS Cache Snooping

From the Full Disclosure list, here's a paper on DNS Cache Snooping. It's another one of those techniques that can be used for evil or for good. In any case, it's an interesting topic that needs further examination.


Cool tool. Too bad it only runs on Windows. (via /.)

Blame or don't blame the victim

You've heard me vent about this before. My only response to Tim Mullen is that my grandmother expects you for dinner the last week in July. You'll be teaching her all about viruses, safe computing practices, what the "any key" is for, whether or not her "MS Keyboard" calling home is good or bad, whether or not that nice man from the bank really wants her to update her account info, and how to look up my e-mail address (she writes it down and tends to lose it)(doesn't trust her electronic address book). All at your own expense, Tim.

I'm venting...

I'm about to drop my feeds to Moreover. I just waded through "Computer Security News". It had one actual news item, the rest were ads for Verisign. First DNS wildcards, now RSS spam. Geez!

Wednesday, April 28, 2004

DNS wildcards

Here's the Internet Architecture Board's comments on DNS wildcards.

My view on it is they're useful, at my level. When certain orgs start wildcarding top-level domains, I'm there passing out the pitchforks, torches, and maps of the castle.

FISMA Compliance

NIST has set up a site for FISMA compliance.

Linux-Sec is a security-related site with A LOT of links.

Tuesday, April 27, 2004


OpenCores: Free open source IP cores and chip design.

Encrypted dirs in Linux

Linux Security has a howto for encrypting/decrypting directories with GPG.

Open relay testing

(via BugTraq) It's now well-known that you can test your ISP for an open relay. This sort of thing keeps SAs awake at night. Then again, the good ones use a variant of this to periodically test their own servers.

Sunday, April 25, 2004


It's old hat but even Google can be used for evil.


Here's a good discussion on VLAN's and trunking.

More TCP RST problem info

OSVDB has a piece about the recent problem discovered in the TCP protocol. I still don't think it's that bad of an issue. It's easily mitigatable and was only a problem for certain protocols.

New Postfix

While I am a firm supporter of Sendmail, I've also shown an interest in Postfix and other MTAs (anything that can interface with Procmail can't be all bad). I've still got a lot to learn about the non-Sendmail "solutions" but I'm learning quickly. From /.'s Postfix post, there are some new features worth taking a close look at.

Saturday, April 24, 2004

Skoudis-like prediction

TrimMail has some doom and gloom about near-future worms.

Pat Tillman

Pat Tillman died today (yesterday in Afghanistan). He was 27.

Your mom's lesson of "If you can't say anything nice, don't speak" applies here.

If you see his family on the street, pay your respects. (Express sympathy, don't stare.) If his coffin passes in front of you in the coming days, show respect. (Remove hat, put hand on heart.) Other than offering assistance or kind words to his wife or parents, you're not allowed to say anything.

This young man was one of few who volunteered. Some do this with the blessing of their families, some do it against the wishes of their families. Regardless of that, it is a choice that they make with knowledge of the possible results. No one, not even family, is allowed to take away from that choice.

Pat had the fortune of being famous early in his life. Thus his death has drawn a lot more attention than others in the past three years. All deserve the same respect. Forget the fanfare and hype of Memorial Days of the past decade. Instead, when you're standing on the curb during the next Memorial Day Parade, think about what Pat and others gave up to do something they believed was needed, knowing what might happen. Put your hand over your heart or nod your head. Wish them well, wherever they may be.

If you have strong feelings for/against the war, find another venue to vent in. Pat's death (and the others') is not a soapbox for you to stand on. You don't get to use it as "proof" for anything. This isn't the Viet Nam war where hundreds of thousands were drafted. Every single member of the military is a volunteer.

Ignore them if you want, most prefer it that way. They don't do it for the money (it doesn't pay well). They don't do it for respect (however pride has a lot to do with it). They, like others that died in responding to 9/11, do it because it needs to be done and no one else is willing to do it. If you can't understand why people do this sort of thing, accept it as something that you don't understand. Don't attach your own motives or politics to their actions (or deaths). Kathleen Parker has been able to explain it somewhat.

(Jerry Bowman, you're a no-class asshole. Show some sympathy for his family. Suppress your politics at least until after they bury the dude.)

Thursday, April 22, 2004


Just a quick one...

The hot topic of the week is the TCP RST vulnerability. Dana Epp has a post about it.

Personally, I don't think that it's that big of an issue because you need the following:
  - Src & Dst IP (one of which is more or less dynamic)
  - Src & Dst Port (one of which is ephemeral)
  - the range of sequence #'s (which are in a sliding window).

For this type of attack to be successful, you either:
  - be inline so that you can sniff the one IP, the ephemeral port, and the sequence number window, or
  - need a massively distributed zombie army to brute force the same information.

Certain protocols which use consistent source and/or destination IPs and/or ports are statistically more at risk, but I still don't think it's that much of a vulnerability. Local wireless attacks are more likely, as being "inline" only requires proximity to the AP.

Then again, I could be wrong.
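To put numbers on the three items listed above, here is an added example (not part of the original post) that estimates the blind-RST guessing space from the sequence-number window, whether the ports are known, and how many candidate IPs there are. The 1024-65535 ephemeral range, the scenario window sizes and the packet rate are constructed assumptions; the "exact match" mode reflects the later RFC 5961 rule that an RST is only honoured when its sequence number equals the next expected one, which is one way the issue was mitigated.

```python
# Added example: quantify the guessing space for a blind TCP RST from the three
# items the post lists (IPs, ports, sequence window) to see which factor matters.

SEQ_SPACE = 2 ** 32                 # 32-bit TCP sequence number space
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed client port range 1024-65535


def seq_guesses(window_bytes, exact_match=False):
    """RST segments needed to sweep the whole sequence space.

    With the pre-mitigation check the post describes, any sequence number
    inside the receiver's window is accepted, so one guess covers a window.
    With the exact-match rule (RFC 5961) every value must be tried."""
    if window_bytes <= 0:
        raise ValueError("window must be positive")
    if exact_match:
        return SEQ_SPACE
    return -(-SEQ_SPACE // window_bytes)  # ceiling division


def total_guesses(window_bytes, ports_known, ip_candidates=1, exact_match=False):
    """Worst-case guesses once the unknown port and IP are multiplied in."""
    guesses = seq_guesses(window_bytes, exact_match)
    if not ports_known:
        guesses *= EPHEMERAL_PORTS   # attacker must also sweep the ephemeral port
    return guesses * ip_candidates   # and every plausible peer address


def hours_at(guesses, packets_per_second):
    """Wall-clock time to exhaust the space at a constant packet rate."""
    return guesses / packets_per_second / 3600


def risk_table(packets_per_second=10_000):
    """Constructed scenarios: a long-lived session with fixed, known endpoints
    (the case the post flags) versus an ordinary client connection."""
    cases = {
        "fixed endpoints, 16 KiB window": total_guesses(16384, ports_known=True),
        "fixed endpoints, 64 KiB window": total_guesses(65536, ports_known=True),
        "unknown client port, 16 KiB window": total_guesses(16384, ports_known=False),
        "fixed endpoints, exact-match stack": total_guesses(16384, ports_known=True,
                                                            exact_match=True),
    }
    return {name: (g, hours_at(g, packets_per_second)) for name, g in cases.items()}


if __name__ == "__main__":
    for name, (guesses, hours) in risk_table().items():
        print(f"{name:38s} {guesses:>16,d} guesses  {hours:10.2f} h at 10k pps")
```

The table makes the post's point visible: a fixed-endpoint session with a large advertised window is the only case where the count is small enough to matter, an unknown ephemeral port multiplies the work by tens of thousands, and an exact-match stack removes the window advantage entirely.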

Intro to IDS has an article which discusses the basics of Intrusion Detection Systems.


I love IMAP. It makes a lot of email "things" easy, especially centralized backups. It's just not intended for anything larger than a local LAN. I hope AOL knows what they're getting into.

Here it comes...

Someone has coded a port knocking implementation as a proof of concept. Stand by for this thing to be included in worm infections. (from /.)

Default message

I haven't tested this (from Code Novice) but I'll need it in the future:

Set the default status on your page via:

Sunday, April 18, 2004

WDS Howto

Tom's Networking has a howto for setting up WDS, currently the only way to implement mesh mode. It has limitations (see the article) but does extend your range. I'll be experimenting with this more once I've got one of my class papers turned in (one of two is due soon).

Saturday, April 17, 2004

Hackers and hotspots

USA Today has a piece about how hackers routinely snoop other systems at hot spots. It also talks about wirelessly transmitted diseases (many computers in those hotspots have little or no protection).

Wireless theme tonight

I've dug through my backlog and posted all of the recent wireless-related items for a friend who's going to be on tomorrow's "Ask the Expert". Other topics should include WEP, WPA, China's attempt to jump-start the WAPI standard as part of the WiFi certification, and what the WiFi certification actually means (interoperability between vendors).

Wireless FAQ

Here's DISA's wireless FAQ.

Wireless IDS

I've seen this wireless IDS (AirMagnet) in action in three forms (PDA, laptop, and stand-alone sensor). It's an awesome tool. Especially fun to watch at a wireless technology "vendors day". A bit on the expensive side though.

What do you call this?

War-walking is when you wander around with some sort of sensing device to find WiFi hotspots. So what do you call it when you wander around with the hotspot strapped to your back?


Yet another hobby for someone: wireless video warspying. For those that don't know, the "war" part indicates people wandering around attempting to pick up unprotected wireless signals. In this case, they're looking for those cheap X-10 cameras that have been popular over the last 5 or so years.

More problems with wireless?

SecList's BugTraq archive has a post which discusses a problem with having multiple profiles in your wireless configuration and having the NIC automatically select the best available AP. Tools like AirJack can disconnect a NIC from a secure connection and cause it to switch over to an insecure one. Can anyone else remember Mitnick's attack on Shimomura's machine?

High speed wireless USB

Device Forge has an article about the coming development of high speed wireless USB. Supposedly up to 127 devices and a bandwidth of 480 Mbps with a future target of 1 Gbps. Assuming a range comparable with Bluetooth, this is probably going to be fun.

With that kind of bandwidth, you're going to have fewer and fewer cables to worry about. I can see no video cable to the monitor, a wireless hard drive, CDROM/DVD drive, wireless speakers, wireless interface to your plasma flat screen monitor, etc.

Heck, why stop there? Why not enable your fridge, your automobile, a television remote which is also tied into your computer, your doorbell, etc. Given the two way technology, it's only a hop to RFID-like capabilities where you can keep track of your pets, your kids, what's in your pantry, how much TP you have left, etc. All it'll take is a small transceiver in each room, either wired or wireless using 802.11g or similar.

WiFi with your cellular?

Awhile ago one of the projects that the local geek group was trying to get off the ground was community wireless. Unfortunately, the land around here varies less than 10 feet per mile, so there's very little line-of-sight unless you own a few buildings or cell towers.

According to this, the U.S. cell phone companies are going to take advantage of their man-made advantages and get into the act, offering 802.11 wireless from the same towers that they offer telephone and PCS data from.

What's next? They aren't talking but if the above happens, how far is it to IP addresses for devices in your car? We're going to need IPv6 sooner than we thought.

Spyware everywhere

The Screen Savers and The Register both had a bit about Earthlink's spyware audit which found an average of 28 instances of spyware per subscriber's machine.

After cleaning my wife's machine, I think that number is quite low. Then again, she'd been running the machine nightly for almost two years.


Here's the link for the Cyphernomicon.

Thursday, April 15, 2004

Online book

The second version of Firewalls and Internet Security: Repelling the Wily Hacker is out. The first version is now available online.

Anti-spam tools

TrimMail has a list of online spam fighting tools.

An anniversary

Curse you Canter & Siegel!!

May you always live on multiple catalog mailing lists and have to tow your can uphill to the street. In the rain! Hopefully your garbage man will know that it was you who started this mess!

Tuesday, April 13, 2004

Sunday, April 11, 2004

RSS and Mobile Devices

Another one for my benefit: Daily Wireless's article about RSS readers for mobile devices.

Online book

Bruce Schneier's Applied Cryptography is available online.

No Op

Added "SUB BLOGLINES" button near the top right so that you can quickly subscribe to this blog via Bloglines. Also added a link so that you can view my Bloglines subscriptions.


The Last Stage of Delirium Research Group's home page.

Friday, April 9, 2004

ARP Spoofing Guide

HITB has a quick post about arp spoofing. Not much theory but gives a quick description of the basics and what it's used for.

Wednesday, April 7, 2004

Yet another proposal?

Things I find wrong with this proposal:

"(1) A person who wishes to greatly reduce spam must install software on each computer with an e-mail client application (such as Microsoft Outlook)."

Doesn't take into account the scope of what he's proposing. Everyone who has an e-mail client must also install some other software? What hooks does it require? Personally, Outlook doesn't run on my home computers or any of my servers. For those really paranoid moments, I use a text client with no hooks to external programs. Am I going to be required (the "or else" kind) to change my preferred e-mail client if it doesn't have the hooks to run with this extra software? The assumption is that my grandmother can install software.

"(2) A person who wishes to greatly reduce spam, when sharing his or her e-mail address, must also go through the trouble of sharing a code number."

A personal ID number? Your papers please? (Sorry, I sat in a proposal for mandatory PKI certificates for all Internet users last night.) (To protect the children, of course!) This assumes that my grandmother can remember another number, let alone being able to figure out how to use e-mail.

"(3) Mailing list services must make a slight modification to their databases and mailing scripts to store and use codes in addition to e-mail addresses. "

Are you going to pay for this? The improper assumption is that all mailing lists respect their subscribers' privacy and don't sell the codes along with the addresses. It also assumes that my grandmother can code the changes into her mailman server without damaging her pr0n list. (heh)

Adding technology isn't going to work. That way leads to an arms race as spammers develop ways around the obstacles placed in front of them. We'll solve the spam problem via technology about the same time that the virus problem is solved via similar methods.

Adding more laws isn't going to work. Doing that will only add greater contempt for the law. They're criminals already, another law won't make them feel bad about themselves.

The only solution is enforcement. Unfortunately, very few law enforcement agencies have the personnel/time/money/talent/inclination to track down and prosecute spammers. Most of those that do are acting in response to corporate complaints, not complaints from the individual citizen.

I've learned (via recent jobs) that small business takes a beating from small scale fraud and theft. There's a well-populated gap between what local law enforcement is able to investigate and what state/federal law enforcement is willing to investigate. Who fills that gap? Private investigators, if the businessman/woman is willing to pay for an investigation that may or may not yield results.

Unfortunately, enforcement of existing laws is also a probable non-option. It costs to train the local law enforcement officer(s). You also have to find officers willing to take the training. Low-end cybercrime, while possibly glamourous for prosecutors, holds little career advancement for the local city cop or sheriff (usually it's not within their jurisdiction either).

IP Stack & Protocol Hacking

Linux Gazette has an article on Network Protocol Stack and TCP Hacking.

Tuesday, April 6, 2004

Saturday, April 3, 2004

SleuthKit update

It's two weeks late but there's a new version of SleuthKit out. SleuthKit is a forensics tool used with the Autopsy Forensic Browser.

Spam Noise

I'm blogging this one 'cause I want to investigate the tool once I've got more time....

Given the amount of spam that's getting past my filters, DSpam may be the next tool/tech to take a look at (it contains Bayesian noise filters).

Hackers in general?

I don't really trust any article in which a journalist and a hacker, especially a teenage one, interact. What you get is what the often-clueless journalist thinks that the limited-world-view teenager thinks of the world in general. That makes it a second-hand view of the world, right?

In any case, here's a third-hand view of the world (a journalist interviews a guy who has talked to actual hackers!). Take it with a grain of salt.

Friday, April 2, 2004

ComputerWorld Link Page

ComputerWorld has a sidebar in which they list various virus, worm, and threat-related links.

Here's a clue

Hint to management: two $30K SA's are not better than one $65K SA. They're not even cheaper.

Wireless Hacks

ComputerWorld has excerpts from Maximum Wireless Security from Sams Publishing.

Pigeon Bandwidth

One of the more silly "projects" over the past years is describing bandwidth or transfer rate via pigeon units. There's even a technology commercial on tv nowadays in which data is retrieved by the pigeon living in the back of the monitor. This year, a pigeon test set various records including transfer rate, wireless range, and transfer-to-infrastructure-mass ratio. Read more about it here. (Thanks to /.)

Thursday, April 1, 2004

Here we go again....

Define "subdomain".

If you ask a DNS admin, every domain on the Internet is a sub-domain of the implicit ".". In other words, for "www.cisco.com", "www" is the hostname, "cisco" is a subdomain of "com", and "com" is a sub-domain of ".". If you write zone files, you know that the "." is explicit on the backend or you end up with some strange looking results. In any case, we have another bone-headed patent making the rounds.

Anyone know if this news item is legit or an April Fools joke? (I'm overly suspicious of everything on the Internet at this time of year.)
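The hierarchy described above, as an added example that is not part of the original post: a few functions that make the implicit root "." explicit, walk a name up to the root so every label shows as a subdomain of the one to its right, and apply the zone-file rule (trailing dot means absolute, otherwise $ORIGIN is appended) that produces the "strange looking results" when the dot is forgotten. The names used are just the post's own example and constructed inputs.

```python
# Added example: the implicit root and the zone-file trailing-dot rule.


def to_fqdn(name):
    """Append the root label the post calls 'implicit' if it is missing."""
    name = name.strip()
    if not name or name == ".":
        return "."
    return name if name.endswith(".") else name + "."


def ancestors(name):
    """Chain of domains from the name itself up to the root '.'.

    'www.cisco.com' -> ['www.cisco.com.', 'cisco.com.', 'com.', '.']
    Each entry is a subdomain of the one that follows it."""
    fqdn = to_fqdn(name)
    if fqdn == ".":
        return ["."]
    labels = fqdn[:-1].split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in {name!r}")
    chain = [".".join(labels[i:]) + "." for i in range(len(labels))]
    chain.append(".")  # everything ends at the root
    return chain


def is_subdomain(child, parent):
    """True when child lies strictly under parent; every name is under '.'."""
    return to_fqdn(parent) in ancestors(child)[1:]


def expand_owner(owner, origin):
    """Expand a zone-file owner name against $ORIGIN.

    A trailing dot makes the name absolute; otherwise the origin is appended.
    Forgetting the dot on 'www.cisco.com' inside the cisco.com zone therefore
    yields 'www.cisco.com.cisco.com.', the classic zone-file mistake."""
    origin = to_fqdn(origin)
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." if origin == "." else owner + "." + origin


if __name__ == "__main__":
    for dom in ancestors("www.cisco.com"):
        print(dom)
    print(expand_owner("www", "cisco.com."))            # www.cisco.com.
    print(expand_owner("www.cisco.com", "cisco.com."))  # www.cisco.com.cisco.com.
```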

Prank spotting

Anyone spot any April Fools pranks yet? Me? I'm somewhat dense when it comes to subtle humor (although I do appreciate it when I "get it"). This appears to be the first one that I've spotted.