Wednesday, June 30, 2004

IPv6 Transition Cookbook

The /. article has the URL wrong but has a "Free Transition Cookbook" for those moving from IPv4 to IPv6.

A joke gone awry

This is a /. post which describes the origni of the "forward this e-mail and receive $$$ from Bill Gates" chain letter which has been "living" on the Internet since 1997. It's been decades since I last saw one given out, but I hereby nominate Byran Mack for a "Elbow of the Year" award.

Spyware sites

From Liudvikas Bukys, a pointer to the Rogue/Suspect Anti-Spyware Products & Web Sites list. Note also the dissenters.

Even more apologies

I was unable to fix those posts yesterday. Short version of the excuse
== I was troubleshooting a video distribution system (cables!!!) and was
faced with the choice of editing text or five hours sleep. Guess which
one I chose.

As for the cause of the text problems, blame Microsoft.
Seems that even when you tell Outlook to use straight text to compose
messages, it still encodes things like equal signs (=). One more
support for my rant against claiming compliance with industry standards.

Blog spam tools

From Pete K., more about anti-spam tools for blogs.

Tuesday, June 29, 2004


My apologies for the cruft below. I've been experimenting with
mail-based delivery and it seems that Outlook is a horrible source for
it and OWA is even worse. I will delete/correct the mess this evening.

Location Aware WiFi

It's not surprising, after the fact, that someone thought this up: location aware WiFi. The article (Via The New Scientist) states that it works best where GPS doesn't, inside large buildings and other places where the GPS satellite signals are blocked.

Do-Not-Call List Popular

Here's a /.
pointer to an article which talks about 429,000 violations of the DNC
law. We receive these calls occasionally and have given up trying to
report them. Instead, my wife has gotten quite nasty with some of the

Me? I think the epitome of rude is

Remember Nimda?

There's another bit of JavaScript that's causing surfers to compromise their machines just by visiting the website. The Evil Empire has a pointer to an eWeek article about it.


For your security feeds list: US-CERT RSS feeds

Scob stats

The Incidents mailing list has a post
which discusses various statistics about the Scob Trojan which users
were recently contracting from compromised web sites via JavaScript.

The other thing that still needs to be determined was how the
JavaScript got onto the web sites in the first place.

Sunday, June 27, 2004


It appears that my posts are showing up on Bloglines sans titles. More work to do.

No op

For some of last night's posts and all of today's, I've been mailing my entries in (involves shell scripts and procmail). I seem to have run across a problem with time. Because of the problem in the script and the time zone that the server resides in, any post timestamped after 8 p.m. may jump to the next day's set of posts after midnight. I'm working on it.

DNS Tunneling

Dan Kaminsky talked about tunneling non-standard stuff via the DNS protocol at the recent Layer One Technology Conference. The L1 people say the actual presentation "eclipses" the Power Point and will be offering DVD recordings of the event (requires that you join a mailing list). This stuff is funny and scary at the same time.

The Induce Act

I really don't think that the Induce Act is that well thought out. If you follow the logic, MP3 players, IPods, Xerox machines, fax machines, and just about any network-aware program, not counting the P2P software that the Act is aimed at. They really need some serious rewording or someone's going to jail for selling a used cable modem.

It should be noteworthy that while Mr. Hatch's 8-page argument for passing the bill talks about P2P and "protecting the children", the actual Bill does not. Various people have taken it upon themselves to rebut Mr. Hatch's arguments.

This one is going to be interesting to watch.

Interview With the Bloodsucker

Not sure of the amount of truth in the article but "Confession for Two" is an interesting article/interview with a spammer.

Saturday, June 26, 2004

OpenBSD on Soekris

This sort of hardware hacking fascinates the heck out of me.

Referers credit

I've added the referers plugin as sort of a vanity feature for myself. I modified it slightly to include local sources also.

Skype VoIP

<a href=" Skype has decided to offer a free Linux-based version of its VoIP software for download.

Stupid (WiFi) news

The morning shock jocks have a bit they call "Stupid News" where they read news articles about various stupid human tricks. I think that this qualifies as InfoSec Stupid News.

RSS Feeds

The RSS feeds are online again, I'm still working on the others. You will have to change your subscriptions though. I "borrowed" the RSS 1.0 feed from the Blosxom Starter Kit. Unfortunately I never got past beginner Japanese so I am unable to read/translate the documentation. For anyone that cares, the download is at

I still need to get the other feeds online, get them all validated and tweak out all of the other kruft from the old blog. Repairing the wiki is much further down the road. Wish me luck.

XSS hole in writeback patched

Thanks to Kyle at for pointing out the hole in the writeback plugin. I've applied his patch.

I'm still new to Blosxom so if anyone knows of any other problems I should fix, please let me know. I'm also considering switching over to static files also. Due to the number of entries already in the blog, it takes a bit to do all the background work to build a dynamic page.

Centralized logging

Tech Republic has a short article entitled "Ease the security burden with a central logging server" which discusses the benefits of centralized logging.

Welcome to the new blog!

Welcome to the new version of my ongoing mess. Please bare with me as I clean up various bugs. Everything in the left-hand column should be working properly, the top menu and various links in the right-hand column still link back to the old blog. I'll continue to work on it.

DDoS defense

How to defend against a DDoS.

Friday, June 25, 2004

ILookup Trojan Analysis

Courtesy of the Full Disclosure mailing list, here's an analysis of the ILookup Trojan (examples of exploits included).

Update: more info.
Update: yet more info.
Update: and yet more.

Thursday, June 24, 2004

Yet another form of blog spam

Just started receiving a new type of comment spam. This one started with a synopsis of today's news bulletin which talked about the AOL programmer being arrested for selling the AOL user list. It was followed by 11 links for incest porn sites which are forwarded off of GeoCities web sites. Gee, running a blog is SO much fun...

MS zombies to blame for most of spam

/. has a pointer to an article which blames MS zombies for 80% of spam.

The Register has an articlein which Philippe Gerard, a senior EU official, berates the anti-spam industry for lack of co-operation. Basically, he states the legislation exists, it's now up to the industry to enforce them.

Err.. how? How do I, as a lowly SA or NSO, enforce those laws? Do I now have a federal charter to kick doors in and incarcerate miscreats? (I'm exaggerating but you get my point?) My response to Mr. Gerrard is: we need to go back to the drawing board on this one.

Network Troubleshooting

Believe it or not, your usual network troubleshooting is a pretty straight-forward process. Then again, it's amazing the number of "network professionals" that cannot do basic troubleshooting. (One of the reasons that I still get phone calls from the NOC that I left a year and a half ago.)

802.11i ratified

Not widely announced yet but 802.11i was ratified today!

A new use for malicious code?

JFW... Now the RIAA (or at least one of its memebers) is looking to infect your machine.

Malicious code?

Okay, I'm in a fighting mood. I've had to argue repeatedly in the last week that Spyware is nothing more than malicious code. It's just a trojan with a few odd twists. By using various prevention and detection/clean-up tools, an organization should be able to keep ahead of the malicious code.

Prevention tools include: content filtering for web and mail traffic, pop-up blockers, anti-virus software (those that include spyware scanning), and active systems adminstration and network monitoring. A good portion of the problem can be prevented by blocking specific sites. Unlike worms/viruses, the sources of spyware do not move around much.

Detection/clean-up tools include: spyware scanners or anti-virus scanners with spyware detection capabilities, active systems administration and network monitoring.

Spyware gets in (mostly) via user interaction. It also is included in legitimate software and can even be installed via RPC. People noticed the Blaster worm because it was noisy and infected other systems. How many people have noticed spyware that was quietly installed and only occasionally connects to a website?

Anyone want to convince me otherwise?

No op

I've got the MT to Blosxom conversion script tweaked so that I have only a few errors (only 6 out of 1100) to correct manually. I only have a few template tweaks to work on and I should be able to swap 'em out without too much interuption. The new blog looks a lot like the old one, only a few underlying features will change. Wish me luck!

802.11i about to be signed

It appears that the 802.11i standard willl be signed into being tomorrow!

CIRT functions

Network World Fusion has an article describing the functions you need to consider when setting up a CIRT.

Tuesday, June 22, 2004


Please excuse any weird problems with the blog over the next few days. By Saturday, I hope to be moved to the other blogging software (still have a few bugs to kick out).

Telematic mesh

<a href=

I am not an income stream!

I agree with <a href=

HIPAA's coming

Baseline Magazine has an article discussing the current state of HIPAA compliance and what many medical organizations are going to have to do in the next 9 1/2 months. Sad to say, but it's probably going to take the government levying a heavy fine against a national org before the rest of them realize that they're going to have to conform.

Fill/clear forms

Scripty Goddess shows how to pre-fill a field entry and how to auto-clear it if the user clicks on the field.

Sunday, June 20, 2004

No op.

Please excuse any interuptions in blogging over the next few days as MT is being removed from the server and bloggers are asked to move to another program. I'll attempt to continue blogging but it may get a bit messy.

InfoSec Mgmt Handbook

From Dana Epp's blog, here's the online version of "Handbook of Information Security Management".


My first exposure to LURHQ was in the late 90's when they were "doing" mostly firewall monitoring. They've grown up a bit since then.

They've posted an analysis of one of my favorite port scanning tools: scanrand, part of the Paketto Kieretsu project.

Certification shakedown?

Richard Dorn, over at Security Focus has an article about how the increase in the number of security certifications cheapens their value, as a whole.

I only agree up to a point. They will lose their value as employers go through a period "realization", (that hiring Bob at the NOC really was a mistake). However, this will also be a shakedown period as the employers figure out what the truly valuable certifications are. (There's a reason why CCIE's get salaries which are in the 6-figure range.) In other words, the valuable security certifications are going to be the ones that are HARD to get.

Live system forensics

Security Focus has an article discussing forensics analysis of a system that hasn't been turned off yet.

Shellcoding basics

Angelo Rosiello has a quick paper about shellcoding basics. Anyone have a paper on reverse engineering shellcode to determine what it does?

Friday, June 18, 2004

Joe jobs

Here and here are explantions and examples of Joe jobs.

Spammer tracking

TrimMail started a project that might be interesting to finish. Read this and this about how they tripped over a nest of "marketers".

The trailer park overtakes the town

I hate to admit (quietly) that I am amongst the demographic that was dropped by Comcast when they merged G4 and TechTV. Comcast just doesn't get it. The geeks and gamers are actually two different demographics with only a little overlap.

What really ticks me off is that Comcast seems to think we watched out of hero worship: "Shane described the cancellation of Call for Help as "just a programming decision." He added that Laporte can be seen on segments of The Screen Savers... Err... yeah, that's it, right...

I wonder if James Burke would consider doing "Connections4"? (My wife calls that cocaine for history geeks.)

Bayesian PHP

The mathematics are a bit beyond me but IBM has posted the methods for doing Bayesian analyis in PHP.

The Witty Worm has a pointer to an analysis of the Witty worm.

Wednesday, June 16, 2004

Kuang2 honeyd script

From the Honeypots mailing list comes the announcement of a Kuang2 emulation script for honeyd.

Writing Nessus Plugins has an article entitled "Writing Nessus Plugins".

WInning friends and influencing people

Once again I've prevented the possibility of making a new friend within the profession by telling both sides of an ongoing "which OS is better" argument that they were both wrong. The argument should be which OS is worse and is totally dependant on the system administrator responsible for the specific instance of the OS. In other words, it's dependant on the people involved.

IP spoofing

LinuxExposed has an article about IP spoofing theory.

Sunday, June 13, 2004

Mail bugs for sale

Recently saw something like this at work. The only reason we detected it was that the spoofed source address belonged to a neighbor org.



USB autorun

From the Penentration-Testing mailing list, more discussion concerning USB hazards.

180 Solutions Analysis

Security Protocols has a quick analysis for the 180 Solutions trojan.

Tracking changes

Michal Zalewski has a piece entitled "Strike Out", which describes the problems of publishing word documents without removing the "change" data. The IEEE also has an article on the topic.

SANS Papers

Sans just posted this weeks papers submissions. Titles include:

- Building a More Secure Network
- A Company in Chapter Eleven Doesn't Have to Eat Spam
- Algorithm-based Approaches to Intrusion Detection and Response
- Cyber Risk Insurance
- Worm Propogation and Countermeasures
- Psychology: A Precious Security Tool
- Security and Vulnerability Analysis of an Ethernet-based Attack on Cisco IOS
- An Ettercap Primer
- Securing Your Wireless Access Point: What Do All Those Settings Mean Anyways?
- CIRT, Through Conception Labor and Delivery
- Defeating Overflow Attacks
- Utilizing Open Source Software to Build a (Relatively) Secure, Spam- and Virus-free Mail Service
- Developing & Implementing an Information Secuirty Policy and Standard Framework
- Design and Devolopment of a Rapid Response Security Vulnerability Scanning Infrastructure
- Overview of Security Issues Facing Computer Users
- Designing and Implementing an Effective Information Security Program: Protecting The Data Assets of Individuals, Small and Large Businesses
- The Next Internet Privacy in Internet Protocol Version 6 (IPv6)
- Budget File and System Integrity Verification for Windows
- The Shift to Security Implementation in a Healthcare Facility
- Eradicating Spam Through a Hybrid Sender-Pays Model
- Printing the Paper and Sending the News After a Localized Disaster

Keep in mind that some are technical, others are highly opinionated. (I have issues with any anti-spam scheme that includes specialized technology or money.) If you're willing to argue an issue, I'm sure that many of the authors are willing to discuss points. Give 'em a few weeks or so though. Speaking from experience, their brains are probably feeling a bit bruised at the moment.

Saturday, June 12, 2004

Worm Analysis

Here is a work-in-progress entitled "Analyzing Worms Using Compression".

Forensic links

Here's a site with TONS of links to digital forensics articles, papers and FAQs.

SSH Keys

Using SSH keys greatly improves a system administrator's life. It allows you to make multiple, repeated connections to (if you have to) an unlimited number of systems. Anything that you can do from a terminal, you can do via SSH. You can even run scripts remotely without having to open an additional window.

Wiping MS disks

Here's a decent article, posted to the Information Security News mailing list, on securely wiping Microsoft disks.

Smaller wireless

This is roughly two inches by two and 3/4 inches in size, is powered by Ethernet, and is designed to run in mesh configurations. Problem is that it's roughly $160 US so I don't see anyone buying in bulk just yet.

Friday, June 11, 2004

MS DNS racing

DHCP, while having good specific uses, gives me nightmares when it comes to network security. I've seen instances where a neighbor networks DHCP server answers up before the local server, leadning to some very interesting network problems to pick apart. To further complicate/compound the issue, Microsoft likes to lump DNS, DHCP, and WINS into the same server. This complication doesn't help things much.

Incident Handling wrongs

Abner Stories's blog has a pointer to a "now not to do it" piece.

Windows Forensics

The book is not out yet but here's the site associated with "Windows Forensics and Incident Recovery". (via the Incidents mailing list)

Comparing corporate fraud to network security

I agree with Richard, over at TaoSecurity, that "prevention eventually fails". It's a symptom of the arms race where the attackers are always ahead of the defenders.

A real-world example of this was the Blaster worm. Until that incident, the majority did not filter/block ports 135-139.

Stop using NTLM

Stop using NTLM passwords now. If this has any truth , using NTLM authentication has just become that much more of a security problem.

The problem is if the database exists. We already knew that this would be a problem eventually.

Smart Cards

I've been asked about Smart Cards repeatedly in the past week (in different forums). It appears that I'm going to have to brush up on the theory as various orgs are looking at using them as part of either authentication or non-repudiation. Here's an SANS paper discussing the use of eliptic crytography with Smart Cards.

The DarkNet Project

Found an interesting project while reading the Handlers Diary, the DarkNet Project intends to analyze traffic amid at vacant portions of the net.

More darknet

Troy Jessup also has a piece on darknet. It should be interesting to see what he comes up with. /. also has a pointer to yet another piece on darknet.

Metasploit 2.1

Metasploit 2.1 is out. Hide your children!

Pay me for your honey-do list

Right up there with patenting mouse clicks, Microsoft has now patented task lists.

Thursday, June 10, 2004

Tuesday, June 8, 2004

Troubleshooting mail

CyberGuard has a piece about troubleshooting problems in e-mail.

Net/Disk Forensics

Dana Epp has a piece on network and disk forensics that's intersting.

Analysis of the Exploitation Process has a pointer to a paper entitled "Analysis of the Exploitation Process" which, at a minimum, has a decent description of the different types of memory attacks. It's a work-in-progress though.

Burp spider

One more tool to run against your server prior to putting it online.

Your cell phone attacked my mom

Mebbe I'm being paranoid but this leads me to think about the hordes of portable electronic devices that we're supposed to have in the future becoming members of the zombie hordes (think warez, spam, and attack bots).


I once had a job where I had little control over the network but was responsible for finding the problems in it. My tools? Router logs and NMap. <-- a good article about using NMap to search for problems.

Sunday, June 6, 2004

Initial infections

Initial infection via WiFi has been a discussion at work as of late. Given the use-rate of <20% for WEP/WPA, the most-successful/least-traceable infection vector seems to be from the parking lot outside of an apartment building.

To compound the headache

The New Scientist has noted that Microsoft has patented mouse clicks.

Hmm... based on that logic, I'll bet that I can patent the process of operating a car door to gain entry into motorized vehicles. Anyone want to help?

Keep saying it until you believe it!

This type of denial leads to serious problems. Does the GMU paper mean that the Internet has never been affected by the security of the Microsoft boxes connected to same? Hmm... so airline delays, ATM failures, internal document exposures, etc. don't count?

The clue: it depends on the definition of "national security"?

To quote them, "If catastrophic failure of the network is the threshold by which national security threats are defined, Microsoft wouldn't qualify, simply because their monoculture is not at the core of the network," says the George Mason report. "No matter how many Windows operating sytems are infected or fail, the core of the network will still run, even if there is nobody left to send traffic."

Err... I have a headache now.


In case you want to complain or comment privately, I've added a button to the right-hand column, under the Google search. You'll have to edit the "To:" address as I'm trying to avoid having my address scraped by the spammers.


Saturday (yesterday) as the last instance of required classroom attendance for me, at least for the rest of the summer. (Only two of us showed up, the rest of you should be ashamed.) I have a paper due in August and a test in September but I do have a little free time to catch up on the RSS feed backlog. A quick look shows that I'm behind approx. 60 days. Ouch.

I'll be leaning into it over the next few weeks.

Link Prefetching

While it improves life for the majority, I somehow think that link prefetching contains the possibility to be seriously abused by unsavory webmasters.

Intro to CIRT management

Network World Fusion has an introduction to CIRT management article.

Basic lockdown steps

PCWorld has an article which describes 29 basic steps for locking down your PC. It's more Windows-centric but does enumerate the basics.


I cannot vouch for the accuracy but here is a copy the MT blacklist for 757.

Saturday, June 5, 2004

What do I need to do?

I was part of a presentation today which was attended by two groups of high school students, along with various CIO's from local schools and gov't. Most of the high school students were bored out of their gourds (how interesting can talking about policy and procedures be?). There were a few that were actually interested and asked questions afterwards.

One of the common questions was about how to get into the field. Here's some of the answer(s) to that type of question (I try not to blather on in person about it but, here, it's a brain dump):
  • Don't do it unless you're really interested in it. The money's good but unless you really like your job, it can be a real ball-buster (not in those words)
  • When you're first starting out, don't try to specialize. Learn as much as you can about the underlying theory. Ex: you want to know as much as possible about TCP/IP before you work on Foundry or Cisco equipment. (Doctors learn general medicine before they specialize.) Learn as much as you can about DNS before you work with just *nix or MS implementations. (Don't be a point-and-click administrator.) Specialization comes naturally as you find favorite topics/areas to learn more about.
  • Leave the "which OS is better/more secure" argument behind. It's a religious argument which will never be settled. Your job will be to protect the castle, not just the chapel in the north-east tower. The actual question isn't "which one is better". It's "which one is worse". The answer is "all of them". OS's are only as secure as the people managing them.
  • Plan on spending a good portion of the rest of your life in school (something most teenagers find painful). It doesn't have to be formal though. The idea is to keep current in technology or to learn more of what you're interested in. If you're focused enough, this leads to a Masters or a PHD. If not, (like me) it, at least, adds up a lot of college credits in varied curriculums, a decent GPA, and working relationship with a LOT of the people you need to know in your local neighborhood. (Hint: the people "in power" are doing the same thing: continuing/broadening their education to keep ahead.) Or, at least, you make a lot of friends.
  • To go along with that, read. The Internet makes it easy. Current developments with RSS make the process even easier. (Heck, borrow/steal from my blog feeds if you're that desparate.) Learn about the advanced features on your favorite search engines (an invaluable skill!!).
  • To get ahead of the rest of the pack, keep yourself busy. During the week, find something you're interested in. Spend the weekend learning more about it. Set up a DNS/mail/web server. Learn about all of the switches in tcpdump (or whatever utility strikes your fancy). Barring any projects, read up on the bleeding-edge technologies.
  • No matter how painful it is, be polite and honest. Your career in the technology field depends on three inter-related things: your knowledge/experience, your ability to interact, and the amount of trust your employer has in you. The first two may offset lack of the third to some degree but trust and integrity are large parts of the package that your employer is "buying".
  • As part of that, "keep your nose clean". Contrary to popular myth, very few organizations hire hackers to to protect their systems. Nowadays, the big-money positions require a LOT of talent and a LOT of integrity (both of which you'll be selling to your employers).
  • Pay attention in English Composition (at least). To be recognized "within the community", you're going to have to research and talk about new (or new twists to old) developments. This means "publishing", either in trade journals or magazines. (Or even blathering periodically in a blog.)
Like it or not, your parents expect you to move out in the near future. Many are willing to help pay for your seconday education but the end goal is to let you loose into the world to make your own way. They have their own lives to live and they're looking forward to the post-child-rearing years (really, their lives do not end when you move out). The objective is to do well enough for yourself that you're able to do the things that you really like doing. If you can "get by" by flipping meat at the local burger joint, more power to you. Many computer geeks, nowadays, have a nasty eBay (hardware) or book habit that can't be supported by a minimum wage job.

Not that I'm the fount of wisdom here, but the main points are: only "do it" if you really like it, plan on working to staying current, and remember the Boy Scout creed.

To be honest, we had aimed at a slightly different audience but, due to layers 8 and 9 of the OSI model, other groups were invited to "fill in" for the missing attendees.

TechTV Goes Ghetto

Anyone else notice that until this past week, you didn't hear the phrase "yo yo yo!" on TechTV? I left TechTV on after the ScreenSavers this evening. How interesting is a show about video games where you get to watch a 3-minute sequence, viewing the guys on the couch, playing a PS-2 game that was out 3 years ago (Golden Eye).

Thursday, June 3, 2004

E-mail disclaimers

Personally, I find email disclaimers very, very silly and pointless:
  1. they ignore the fact that, if you futz up the recipient's address, one or more postmasters automatically receive a copy of your message and
  2. people are generally lazy. They are more likely to forward or copy the message (to someone else) without deleting anything, not even the obnoxious signature blocks or silly disclaimers.

MAC Addresses

There are various methods for changing your MAC address and they're all the more reason(s) you should be using port security on your switches.

Windows tip

This one from Dana Epp (who got it from someone else) is a keeper. Open a command prompt in the folder's location by right clicking the folder.

Same ol' same ol'

Liudvikas Bukys pointed out Fred Avolio's blog post which basically summarizes everything we geeks have talked/argued about in the last two decades. There's a couple less-important topics missing but I'm not about to start those conversations here. (heh!)

Wednesday, June 2, 2004

Snort article

Security Focus has an article about writing Snort rules for detecting cross-site scripting and SQL injection attacks.

Haha, very funny

(heh) There's at least one comedian spammer out there. Tried to get me to block by dressing the URL up with a fictional path to what was supposedly a sales site.