Sunday, May 30, 2004


From Kevin at The Lost Olive: a tutorial from Kuro5hin on the GNU screen utility.

Patting myself on the back

Just wanted to keep track of these:

Comment spam zombies

Dana Epp had the same problem that I did today: massive comment spam. Today's was oriented towards bestiality. It appears that there's an army of zombies out there being used to spam MT-based blogs. The following IPs posted the same comment spam:

  • - Unknown, connection failed but online

  • - Unknown, connection failed but online

  • - IIS 4.0, WinNT 4.0 (default web page), DSL customer

  • - Unknown, connection failed, no ping

  • - IIS 4.0

  • - Unknown, connection refused

  • - IIS 5.0, Win2K (NH Solutions)

  • - Unknown, connection failed, no ping

  • - Unknown, connection failed, but online

  • - IIS 5.0, no default page

  • - Unknown, connection refused

  • - IIS 5.0, default web page

  • - IIS 5.0, default web page

  • - Unknown, connection refused

  • - IIS 5.0, no default page

  • - Unknown, connection failed, no ping

  • - IIS 5.0, Middle School web server

  • - Unknown, connection failed but online

  • - IIS 3.0, default NT page in Spanish

  • - Unknown, connection failed but online

  • - Unknown, connection failed but online

  • - Unknown, connection failed but online

  • - IIS 5.0, default page

  • - Unknown, connection refused

  • - IIS 4.0, no default page

For each of the IPs I attempted to connect to port 80 by various means (browser, telnet, wget -S) and pinged the host if port 80 failed; that's how the notes above were produced. Anyone see a really nasty trend in the data?
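The probing procedure above, as an added example that is not part of the original post: a Python script that does what the browser/telnet/wget -S pass did (send a HEAD request, read the Server header, fall back to ping when the connection fails) and tallies the results so any trend is visible at a glance. The IP list was stripped from this page, so the script classifies constructed sample responses; the probe function itself takes hostnames on the command line. The `ping -c 1 -W 2` flags are Linux iputils flags (an assumption), and the "default page" notes in the list were made by eye and are not reproduced here.

```python
import re
import socket
import subprocess
import sys
from collections import Counter

# Constructed sample responses standing in for what 'wget -S' or telnet showed;
# the page's IP list was stripped, so these are not captures from those hosts.
SAMPLE_IIS5 = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Microsoft-IIS/5.0\r\n"
               b"Date: Sun, 30 May 2004 18:02:11 GMT\r\n"
               b"Content-Length: 1270\r\n\r\n")
SAMPLE_IIS4 = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\nContent-Length: 4325\r\n\r\n"
SAMPLE_APACHE = b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"
SAMPLE_NO_SERVER = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_server_header(raw):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def classify(raw):
    """Map a raw response to the shorthand used in the list above ("IIS 5.0", ...)."""
    server = parse_server_header(raw)
    if server is None:
        return "Unknown, no Server header"
    if server.startswith("Microsoft-IIS/"):
        return "IIS " + server.split("/", 1)[1]
    return server


def ping(host):
    """Fallback used when port 80 is closed; -c/-W are Linux iputils flags (assumption)."""
    return subprocess.run(["ping", "-c", "1", "-W", "2", host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def probe_port80(host, timeout=5.0):
    """One host: HEAD / on port 80 and classify the banner, or fall back to ping."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return classify(raw)
    except ConnectionRefusedError:
        return "Unknown, connection refused"
    except OSError:                               # timeout, unreachable, DNS failure
        pass
    return "Unknown, connection failed, " + ("but online" if ping(host) else "no ping")


def tally(results):
    """Count results by family so a trend (e.g. mostly IIS) is visible at a glance."""
    return Counter(re.split(r"[ /,]", r, maxsplit=1)[0] for r in results)


if __name__ == "__main__":
    results = [probe_port80(h) for h in sys.argv[1:]]
    for host, result in zip(sys.argv[1:], results):
        print(host, "-", result)
    print(dict(tally(results)))
```

Run it as `python probe.py host1 host2 ...`. Only the Server header is used for the classification; a host that sends no Server header at all shows up as "Unknown", just as it did in the hand-made list.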

So, either there's an army of blog-spamming zombies or someone has figured out blind commenting with spoofed addresses. In any case, this is getting old.

Saturday, May 29, 2004

PGP Joe Job

From the Full Disclosure mailing list comes a story about how one author's address and PGP signature were hijacked and used in a spam run, forcing the author to do a lot of extra work and, in his words, to be nice about it.

DNS security

RootSecure has a link to Practical Domain Name System Security.

Thursday, May 27, 2004

Identifying hoaxes

LinuxSecurity has a short, but good, article on "Identifying Hoaxes and Urban Legends". This is one of those bits of information that you'll want to have a local copy of. You'll find yourself providing it to various users on a regular basis.

New Helix

(via NetSec) A new version of Helix is out. Helix is a Knoppix-based live CD built for forensics and auditing.

Saturday, May 22, 2004

New tactic

Blog spammers are trying a new tactic here: the old URL obfuscation trick, writing the link as HTML numeric character references so that it doesn't match a plain-text filter. Fortunately, filtering for "&#" seems to do the trick.
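The obfuscation and the filter, as an added example that is not part of the original post: the spammer writes each character of the URL as a numeric character reference, so a blocklist match on the literal URL fails while the browser still renders a working link. The "&#" filter catches it, but it also catches any legitimate comment that uses a numeric entity (an accented letter, for example). Decoding first and matching the decoded text avoids that false positive and also handles the hex form, the form without a trailing semicolon, and double-encoded input. The sample comments and the blocklist domain are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample comments; none of them are taken from the page.
SPAM_DECIMAL = ("nice blog, visit "
                "&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;"
                "&#46;&#99;&#111;&#109;&#47;&#112;&#105;&#108;&#108;&#115;")
SPAM_HEX_NOSEMI = "see &#x68;&#x74;&#x74;&#x70;://example.com/pills and &#104ttp://example.com/more"
SPAM_DOUBLE = "see &amp;#104;&amp;#116;&amp;#116;&amp;#112;://example.com/pills"
LEGIT = "Caf&#233; is spelled with an accent; no link here."
BLOCKLIST = {"example.com"}          # hypothetical blocklist for the example

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def naive_filter(text):
    """The "&#" filter from the post: catches the trick, but also any legitimate numeric entity."""
    return "&#" in text


def obfuscate(text):
    """How the spammer writes a URL so that a plain-text match for it fails."""
    return "".join("&#%d;" % ord(c) for c in text)


def decode_entities(text, max_passes=3):
    """Undo numeric and named character references, repeating for double-encoded input."""
    for _ in range(max_passes):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_hosts(text):
    """Hostnames of every URL present once the comment has been decoded."""
    return [urlparse(u).hostname for u in URL_RE.findall(decode_entities(text))]


def is_spam(text, blocklist=BLOCKLIST):
    """Decode first, then match: the check sees the real URL whatever the encoding."""
    return any(h in blocklist for h in extract_hosts(text) if h)


if __name__ == "__main__":
    for comment in (SPAM_DECIMAL, SPAM_HEX_NOSEMI, SPAM_DOUBLE, LEGIT):
        print(repr(decode_entities(comment)))
        print("  naive '&#' filter:", naive_filter(comment), " decoded match:", is_spam(comment))
```

The trade-off is the usual one: the literal "&#" check is cheap and, as the post says, works against this batch, while the decode-then-match check costs a little more but keeps accented text in legitimate comments from being thrown away.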

Using PGP

So far Hacking Linux Exposed's series on file and email encryption using PGP is up to six parts:
  • 1 - file and mail security
  • 2 - creating your key
  • 3 - encrypting and decrypting
  • 4 - importing and exporting keys
  • 5 - verifying public keys
  • 6 - signing public keys
    Thursday, May 20, 2004

    Best practice

    It's considered a "best practice" to manually type in the URL of any site that involves your personal data or finances. A link that someone else wrote is "untrusted" at best and, as recent news reports have shown, possibly bait for a scam. Of course, typing it yourself also makes you responsible for any mistyped URLs.

    Wednesday, May 19, 2004


    TaoSecurity has a pointer to Slyck. In Richard's words, "Slyck does an excellent job categorizing and explaining a dozen individual file sharing methods, then offers information on programs implementing each method. This is a great resource for anyone trying to understand file sharing protocols they might see on their networks."

    Tuesday, May 18, 2004

    Required skills

    Security Focus has an article about the TCP/IP knowledge required to be a security analyst. I agree, except that you should not only be able to read code; you should be able to write and fix C and have more than a passing familiarity with Perl.

    Spam and Security

    Security Focus has a two-part article on Anti-Spam Solutions and Security (Part 1)(Part 2).

    The short version is that the article covers the dangers contained in spam and the methods that can be used to fight it. It also mentions changing the SMTP protocol. Personally, I think major changes to the protocol will not work: there is too much inertia in "how things are done". Any change has to be seamless, invisible, and compatible with systems that don't use whatever the new scheme is.

    Why use WEP?

    Here's one good reason to use that broken-down and often abused wireless encryption protocol (WEP): it prevents open access to, and infection of, your network by any infected wireless device that happens to pass through your immediate area. It won't keep out anyone who actually wants in, but if it's all you have, use it. It adds a layer of protection.

    Monday, May 17, 2004

    Honeywall CD

    From the Honeypot mailing list, the Honeynet Project has released a bootable beta version of their Honeywall CD.

    A self-licker?

    (from /.) A Salt Lake Tribune article indicates that Novell may have started the SCO mess years ago.



    Here's another blog search engine. The nice thing about this one is that a search for "joatblog" doesn't bring up this site, just entries on sites with references to joatblog. However it's being done, it's nice that the search engine is limited to entry text.

    Saturday, May 15, 2004

    New MT blogging license

    Read this and this. Count me among those responding negatively: the "personal users" and those who've put a lot of work into the code behind their sites. (For Scripty Goddess, it's a serious amount of code.)

    J (if you're reading this), I'm seriously considering switching also. Given the number of "authors" that use this site (whether or not their blogs have been dead for months), the site may be in violation of the new license. I don't think it's worth putting the effort into supporting a version of any code that the authors/owners have abandoned. (I'm pissed because I put a LOT of work into the code behind this monstrosity!)

    For any Six Apart people reading this: my response is not entirely your fault. It's a reaction to yet another "volunteer" project that has gone commercial and has left certain categories of users behind by changing their licensing scheme for profit purposes. IMHO, you now reside with CDDB and NFR.

    Guess it's time to read up on the export function?

    Scans for open relays

    On one of the Snort sensors that I have access to, it appears that China is scanning for open mail relays. At least fifteen IP addresses are trying to bounce mail back to Has anyone else seen this or know what the tool is that they're using?

    No op

    I'm back in town. Bloglines is currently offline (for maintenance and upgrade) so I'm not able to access my backlog. I'll backfill yesterday and today once it's back online. I'll use the "free time" to clear out what appears to be a couple hundred blog spams that crept in while I was AFK.

    Thursday, May 13, 2004

    Sniffer sniffer

    Here's a paper on "Packet Sniffer Detection With AntiSniff".

    Bloglines Mozilla Toolkit

    I've been a heavy Bloglines user (abuser!) for almost a year now. Other users, such as Chad Everett, put their free time to much more productive use than I do; hence the Bloglines Mozilla Toolkit. This adds a notifier and several additional features to Mozilla and Firefox. Given the features that Bloglines has added recently, this is a very powerful addition to the power blogger's toolset.

    Note: runs on Windows and Linux (supposedly)

    Tuesday, May 11, 2004

    No Op

    Sorry for the delay on yesterday's posts. I'm in Laurel, MD again. I'm attending a conference in DC on Wed./Thur. and Laurel is the closest I could get a room on really short notice (less than a day). For once, I timed the drive around the Beltway just right. I only had to slow for traffic once, and that was for bridge construction.

    "Hi" to all you NoVa types!

    TCP RST Attacks

    Linux Security has a quick article on TCP RST (reset) attacks.


    I agree with Matt: seven tuners? Whatever for?

    I want one!

    Rainbow Crack

    Here's a GIAC GCIH (SANS GIAC Certified Incident Handler) paper, submitted by Mike Mahurin, which describes Rainbow Crack, a cracker for Microsoft LANMAN (LM) password hashes.

    This tool uses a time-memory trade-off instead of brute-forcing each hash from scratch. In other words, the hashes can be precomputed once and looked up later, because the LM hash is unsalted: the same password produces the same hash on every machine that uses LM authentication. This is the reason that, if possible, you should disable LM hashes and use more modern authentication or alternative methods for Windows authentication.
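The trade-off described above, as an added example that is not Rainbow Crack's code nor the paper's: a toy rainbow table in Python. It precomputes chains of hash/reduce steps over a small password space, stores only the two ends of each chain, and recovers a hash with a few thousand hash operations instead of a full search. Two points from the text are made concrete: an unsalted hash gives the same value for the same password on every machine, so one table serves them all, while a per-machine salt (something LM does not have) makes the same table useless. Assumptions: SHA-1 stands in for the DES-based LM hash to keep the code short, and the password space (four lowercase letters), chain length and chain count are toy sizes.

```python
import hashlib
import random
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase
PW_LEN = 4                       # toy space: 26**4 = 456,976 candidate passwords (assumption)
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 100                  # t: hash/reduce steps per chain
NUM_CHAINS = 2000                # m: chains kept; only the two ends of each are stored


def lm_like_hash(password):
    """Stand-in for the LM hash: unsalted, a function of the password alone.
    LM really uses DES over the upper-cased password; SHA-1 is used here only to keep
    the example short (assumption)."""
    return hashlib.sha1(password.encode()).digest()


def salted_hash(salt, password):
    """What LM does NOT do: a per-account salt, so equal passwords hash differently."""
    return hashlib.sha1(salt + password.encode()).digest()


def reduce_to_password(digest, step):
    """Reduction function R_step: map a digest back into the password space.
    Using a different function per column is what makes this a rainbow table."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(seed=1):
    """Precompute once: walk m chains of length t, store only (endpoint -> starts)."""
    rng = random.Random(seed)
    table = defaultdict(list)
    for _ in range(NUM_CHAINS):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_to_password(lm_like_hash(p), step)
        table[p].append(start)
    return table


def crack(table, target):
    """Look up one hash: O(t**2) work instead of O(SPACE), using O(m) storage.
    Returns a password hashing to target, or None if no stored chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Guess that target is the hash in column i of some chain and regenerate to its end.
        p = reduce_to_password(target, i)
        for j in range(i + 1, CHAIN_LEN):
            p = reduce_to_password(lm_like_hash(p), j)
        for start in table.get(p, ()):
            # Rebuild that chain from its start; a false alarm just fails the check below.
            q = start
            for step in range(CHAIN_LEN):
                h = lm_like_hash(q)
                if h == target:
                    return q
                q = reduce_to_password(h, step)
    return None


def coverage(table, samples=50, seed=7):
    """Fraction of random passwords the table recovers (the memory side of the trade-off)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        target = lm_like_hash(pw)
        found = crack(table, target)
        hits += found is not None and lm_like_hash(found) == target
    return hits / samples


if __name__ == "__main__":
    table = build_table()
    # The same password on two machines using LM yields the same hash, so one table serves both.
    host_a, host_b = lm_like_hash("rain"), lm_like_hash("rain")
    print("identical across machines:", host_a == host_b, "->", crack(table, host_a))
    # With a per-machine salt the hashes differ and the precomputed table is useless.
    print("salted lookup:", crack(table, salted_hash(b"machine-a", "rain")))
    print("table entries:", len(table), "coverage of space:", coverage(table))
```

Storing 2,000 chain ends instead of 456,976 hashes is the "memory" side of the trade-off; the roughly t²/2 hash operations per lookup is the "time" side. Real tables use larger t and m, multiple tables to push coverage up, and drop chains that merge; none of that changes the reason the attack works, which is that LM never salts.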

    Towards good passwords

    The Thai online news site, The Nation, has a good article about choosing good passwords.

    Sunday, May 9, 2004

    Privacy is a perception

    Privacy is a perception.

    In the coming weeks/months, you'll hear a lot of griping about how there's no privacy in Gmail, how various proposed laws will take away from your freedom, and possibly some other issues will arise out of the increasing rhetoric that culminates in November.

    Whether or not any of it is true is beside the point. Pundits treat "privacy" as an all-or-nothing thing. It doesn't work that way. If you're over a certain age, hundreds if not thousands of people are intimate with various details of your life. Examples include doctors, lawyers, law enforcement, your spouse or significant other, your pet's vet, your bank, numerous insurance companies, your neighbors, public utilities, and your employer. Need I go on?

    Privacy in public places is even more of a perceived issue. It is dependent on the degree of conformity you are willing to submit to. A very bad example is from the movie "The Matrix". How many of you remember the blonde in the red dress? Okay, now describe the last person to pass between her and the camera. (Hint: they were wearing dark business clothes and sensible shoes.)

    You can drive to work every day at or near the speed limit and no one will take notice of you. Do twenty-five miles an hour over or under the speed limit and everyone near you will take notice, especially if their job involves traffic control.

    Your e-mail can be, and normally is, inspected numerous times: for malicious code, for content, for legitimacy. It leaves a trail on every mail server or handler it passes through, and some of those systems may keep copies of the entire message. Now people are up in arms about a service whose computers attach targeted advertisements to messages and make your mail folder searchable (note: mail folders have always been searchable in some form or other).

    This country has numerous laws which protect your privacy. However, just like tax laws, there are hundreds of exceptions to those laws, most of which do not require notifying you of their use. For the majority of our online life, it translates into the phrase "expectation of privacy".

    That "expectation of privacy" depends on our "perception of privacy". Most of us don't know that our ISPs keep records of what we do online and/or periodically scan for TOS compliance. Many of us don't care. A good portion of those that do know and do care consider that "invasion" a protection.

    A good portion relates to how unique you believe yourself to be and how worried you are that the rest of the world may take an interest in the minute details of your "private" life. How paranoid are you? And yes, just because you're paranoid doesn't mean that "they" aren't out to get you.

    Brad Templeton (of the EFF) and John Battelle have quite a few good points, for and against Gmail. Personally, I think the proposed California legislation to ban Gmail is idiotic for the same reason that I think most of the other arguments are silly: no one is going to force you to use the service.

    Another point is that many of the other web-mail services already do, in some form or another, what Google is proposing to do (see Mr. Templeton's article).

    I haven't tied the above together all that well but I think it's the start of a good argument. What do you think?

    (Note to you TCC alumni: this fall's class involves Cyberlaw and you'll need to be able to argue either side or both sides of the argument.)

    Saturday, May 8, 2004


    Took a look at my backlog this morning. I have three months of notes to work on. The good news is that I've finished the semester at college. That only leaves the GCIA cert. The bad news is that the cert will probably expand to absorb all available time. Things should pick up a little bit and hopefully I'll gain on the backlog.


    Here's a news article about a traceback feature developed at Penn State called "e-postmark" which, according to the article, lets analysts trace spam back to its source via "hidden" data at the packet level.

    Personally, I'm skeptical that it will work, skeptical that it'll be effective, and I think it'll force spammers to become more technically competent.

    This third thought is the worrier. Personally, I liked the days before we had Bayesian filtering. It was really easy to filter spam. Nowadays I run, at a minimum, two scoring schemes and a good number of messages still end up in my inbox.

    Free books

    More in the "Free Books" category, /. has a pointer to five free calculus books.

    Web Attacks

    (via the Web Application Security mailing list) Amit Klein has a paper entitled "Divide and Conquer" describing "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics".

    An interesting read.

    MT Tutorials

    From Scripty Goddess, here's a blog devoted to Movable Type tutorials.

    Intro to Vulnerability Scanning

    Here is an article entitled "Intro to Vulnerability Scanning".

    Friday, May 7, 2004

    Wireless Security

    Here is NIST's paper on "Wireless Network Security - 802.11, Bluetooth and Handheld Devices".

    DNS Troubleshooting

    If you're going to do anything related to networks, you have to know how DNS works (the mainline stuff, not just MS's version) and how the other services interact with it. Here is a paper on basic DNS troubleshooting.

    Wednesday, May 5, 2004


    Here are some of the presentations from the Yale Conference on Cybercrime.

    More keyword filtering

    Yet more support for the argument that keyword filtering, either for viruses or mail/web content, does NOT work.

    Sunday, May 2, 2004

    Looking for...

    Does anyone have a link for Dave Aitel's Unmask? I'm interested in running it against 11,000 or so spam messages I've collected in the past month. Failing that, how about a link to a paper describing the technique?

    802.11 Dish

    Others have turned Primestar satellite dishes into 802.11 antennas before, but here's a good description of how to do it.

    Home Security

    (via NetSec): Wireless Security and Monitoring for the Home Network. Basically it's a discussion of a home-grown security setup for the home wireless network. Note: many of the tools used are good for wired networks also.

    Detecting Wireless MAC Spoofing

    Another paper on Detecting Wireless LAN MAC Address Spoofing.

    Saturday, May 1, 2004

    Comment Spam

    Sorry for the delay, spent some extra time today removing over 800 new spams in comments.

    Moreover gone

    For those that watch the Bloglines feeds that I use, I've unsubscribed from Moreover's Security feed. Bloglines said that I had five new stories to read. Each of them was a Verisign ad. Blech!