Saturday, July 31, 2004
Shared stuff
rootsecure post, but it's interesting what people share, documents, photos, etc.
Wiki
changing it). I managed to break it awhile back while messing with the
backend.
Metasploit rant
about MetaSploit and fuzzing first. Kinda like learning "duck and
cover" prior to the ICBM warning. In any case, if you take care of any
network server, this is good theory/experience to have in your head.
IE Universal Exploit
what you wish for! K-otic has
posted a "Universal" IE exploit that supposedly runs on Windows and Linux and gives you a reverse shell via IE.
Advice? Keep your patches up-to-date and configure your firewalls to only allow what you need to do on the Internet. In other words, limit browsing to high-port to port 80. It's not a perfect solution, but it will cut back on exploits like the above.
Friday, July 30, 2004
Web Attack Taxonomy
any effort that copyrights that same taxonomy.
Windows Process Listing Sites
How things jump up and bite you in the *ss
used by politicians and mainstream media. It wasn't that long ago that
we saw mainstream articles which described blogging as self-referential
rantings of socially misfit narcissists. I think/hope we may see a
similar "occurrence" with the Wikipedia.
The Register seems to have
taken a dislike to the Wikipedia, calling it a children's encyclopedia (one of the nice comments).
Warning to The Register: what you're not seeing is: distributed collaboration on distributed servers. Given that "it" includes current events and internal commentary, this has the potential to sneak past mainstream notice and become the next "big it". Especially if someone can figure out a way to "specialize" and come up with something similar to topics (like blogging has "flavors").
Having contributed to the Hitchhiker's Guide (back in the Usenet News days), I like the idea of having the Wikipedia (although I haven't been involved much).
SysAdminAppDay
Tomorrow is System Administrator Appreciation Day. Me? I've got class. You? You |
Thursday, July 29, 2004
Anti-spyware utility analysis
Give it back
Digital Signatures and XML
Balance?
The insanity
concerning the INDUCE Act seems to be balanced by what appears to be
careful consideration at the FCC concerning swapping
out WiFi antennas.
Sorry for the use of /. links, it was the
quickest way to post this.
Wednesday, July 28, 2004
Tips for better networks
"The Top Ten Tips to Make Attackers Lives Hell" which helps move your network away from the low-hanging-fruit category. The tips are pretty basic but it's amazing how often they're not used.
NWF Links
World Fusion's Security
Resource link page. It has many more links to valuable and/or
entertaining security-related sources/stories since I last visited (a
long time ago).
I'm not just recommending it because I'm listed there
too. (heh)
Picked up feeds for ATAC and OhBrian this time.
Tuesday, July 27, 2004
Reducing Human-Factor Mistakes
article, especially "The Top 5 Company Executive Mistakes". It
nails the organization that replaced me at a previous job.
For those
that know me personally, you know who I mean. The article is almost
uncanny while remaining generic, isn't it?
Intro to Malicious Code
entitled "Virus &
Worms" which is supposed to be an introductory guide for security
awareness, describing the basic theory behind malicious code.
TaoSecurity's Book List
(Richard Bejtlich) has contributed to. Included in the list is his
The Tao of Network Security Monitoring: Beyond Intrusion
Detection which appears to be a worthwhile book to have (see his and
the publisher's sites for sample chapters).
Monday, July 26, 2004
PGP/GPG
far) series entitled "File and Email Encryption with GnuPG (PGP)"
which discusses a PGP/GPG intro, creating keys, encryption/decryption, obtaining other's public keys, key verification, and signing a key.
Custom parts and boards
Sunday, July 25, 2004
If you gotta do it...
include a properly written Snort sig so the rest of us can watch out for
your code should the script kiddies take a liking to it.
Trackbacks
GPS Coke X-Ray
is so dumb, it's almost funny. (Slashdot also posted about it.) Seems
that "security people all over the country" think it looks like a bomb.
I've got news for you, small transistor devices like PDA's and iPod's
look a bit like that too. Makes me wonder who those "security people"
are. It's probably that security "concern" is interpreted by the media
as "security panic", instead of equating to "need to inform/be
informed".
I'm not saying that there shouldn't be "concern" if someone
travels commercially with one of the cans in their luggage. It's just
that they should "declare" it as part of the check-in process. There's
a reason why the TSA people require you to remove your laptops from
luggage. I've gotten into the practice of also pulling out any other
"dense" electronics. It saves time. (via
WiFi Toys)
Intro To's
pointer to Tony Bradley's "Introduction To" articles. Subjects include
vulnerability scanning, packet sniffing, firewalls and intrusion
detection.
Saturday, July 24, 2004
Too d**n hot
house at a freezing (to them) 70 degrees. (My wife understands though.
She's from Buffalo.) I'll admit that, for southeast Virginia, that's
colder than most people's houses.
What brought this on? I stumbled
across the weather forecast for where my parents live: Today - Hi: 73, Lo: 49. (Hint: the hi there for today is the lo here for the week.)
In other words, I grew up where you wear shorts in the low 60's and sweat heavily in the low 70's. If it wasn't for air conditioning, I probably wouldn't live below 1,000 feet above sea level or south of Pennsylvania.
Follow the Bouncing Malware
on-duty handler at the Internet Storm
Center has posted part one of
analysis of malware he contracted by pretending to be "Joe Average" with
a common XP configuration. Intersting to follow.
Remove from Google
getting your private info removed from Google's search engine.
Distributed Metastasis
entitled "Distributed Metastatis: Network Attack Methodology. I disagree that it's a new method of network attack as the methods it uses have already been seen in some form or other. However, it is an interesting read and even hints at the dangers of monoculture.
Friday, July 23, 2004
Packet Crafting for Audits
second part of a two-part article discussing crafting packets for audits
of firewalls and intrusion detection systems.
Google Hacking
Thursday, July 22, 2004
Submithook Analysis
Heh
I really like the idea of the service as I've used various addresses in a domain to test if my data was actually protected by those that claimed that they wouldn't sell it or release it without my permission. For the majority of those sites, the addresses I used quickly made it into spammers address books.
But back to the question... Call it a prediction if you want, but I can forsee at least a token effort to get a law passed to make this sort of thing illegal. Or you can just call me skeptical.
Referrer Tweaks
changed some of the URL's to site names and have added the various
search engines to the "skip" list.
So as to not anger Hormel, I
won't refer to two sites as "spammers". Instead, just feel free to not
click on "ADV" in the referrers list.
The ADV's and the search engines
should disappear from the list shortly as the database updates.
Cybercrime Cases
list to which he posts various crime and court cases. If you like
Groklaw, you'll like this mailing
list.
Wednesday, July 21, 2004
Windows Forensics
said."
Dana's posted a pointer to the BleepingComputer.com
tutorial for a basic (but effective) forensics methodology for determining if you've been hacked and how to clean it up. The assumption is that this process will detect the majority of the compromises due to most of them being "done" in bulk and not in a "clean" manner.
Scammer busted
Tuesday, July 20, 2004
Security Thru Obscurity
Policies and Procedures
Advanced IPTables
especially valuable information. I've seen it used to create emergency
filters for content filtering (think initial worm attack). This
knowledge comes in valuable if you tie Snort into the mess and have it
write IPTables filters on-the-fly.
Monday, July 19, 2004
Quick Quiz
Extra points if you include support for your arguments. (Hint: the problem
is not just missing information.)
Symmetric/Asymmetric Encryption
about encryption, including the difference between symmetric and
asymmetric encryption.
Sunday, July 18, 2004
RIAA to the rescue
Mr. Hatch's INDUCE Act. To me, it comes across a little like "pay no
attention to the man behind the curtain!"
Spyware Info
in comments. I'll build a formal list on a separate page.
Saturday, July 17, 2004
IdleRPG Plugin for Blosxom
Future plugin
to include a day of the week display (single letter). Get the new code
here.
A bit soggy
which my house sits in the middle of. It stayed there and dumped just
under a foot of rain in a two hour period.
The following pictures were
taken hours later. I missed the storm as I was at work and my wife says
the water level was much higher. Keep in mind that the street drains
were operating normally. The police report that 3 blocks over, the
water was 3 feet deep.
Oh and no, I don't live near any bodies of
water that would overflow like this. This all came from the sky at 2
p.m. and it was all gone by 7 p.m.
Neighbor's bush, mailbox, and car
Further down the street, apologies for the fuzziness
The two kids on the left are on the sidewalk.
Virtual Honeynet
Honeynet: Deploying Honeywall using VMware" project.
Having someone join your church: priceless!
a BBC article about a 419 scam baiter towing the scammer far enough to
send him a birthday card, $80, and a picture of his chest spray painted
as proof that he had joined the scam baiters "church".
This is
priceless.
Quick Reference Cards
out this side: RefCards.com. It's a
site with free refcards for various languages and utilities.
Friday, July 16, 2004
My first plugin
Don't know how useful it'll be. The intended audience is those who use some form of procmail recipe to reroute e-mail messages into their blogs. The plugin populates $future::count with the count of messages waiting with timestamps set in the future. (See the bottom of the right-hand column here.)
Grab the plugin here.
Senators catching up
It's about time. My spam intake is starting to include a lot of messages from previously unknown banks requiring me to update my accounts.
Anyone else find it interesting that the Senator has used a "technical" term (phishing) in his legislation?
Bruce Schneier on Cryptography
essay entitled "Why
Cryptography Is Harder Than It Looks" which describes many of
the strengths and weaknesses of today's encryption schemes.
Thursday, July 15, 2004
Bleeding edge Snort rules
last minute Snort signatures. Most of them have small use or are
development only. In the site's words, they "are prone to false
positives and sometimes not work as expected". However, it is a good
site to keep up with the latest sigs (and problems) and can give you a
few good ideas of your own.
There's a difference
issue. Yes, both IE and Mozilla (on Windows) have "shell"
problems. What makes the IE issue worse is that IE is tied into the
desktop and the operating system. In other words, Mozilla rides on top
of the OS, IE is in the OS.
Wednesday, July 14, 2004
k-otik RSS feeds
has RSS feeds!
http://www.k-otik.com/advisories.xml
http://www.k-otik.com/news.xml
http://www.k-otik.com/exploits.xml
http://www.k-otik.com/virus.xml
How long is it going to stay open
that the FCC is handling. Unfortunately, everyone with an agenda has
responded to his first post.
How long will Mr. Powell be able to stand the usually-off-topic nattering before he closes commenting? From the looks of the replies, not long. There's a little bit of just about every movement and cause in there and a couple nut cases, too. Some of it's even FCC-related!
Local access
Aside: with "local access", you have to heavily depend on the honor system.
Employee abuse?
Policy controls and monitoring are good for security, up to a point. If the controls and monitoring are so overbearing it can have a degrading effect on corporate productivity and security as, past a certain point, it will be held in general contempt by all, including management.
Your security policies have to be enforceable and, above all, realistic. Allowing some personal use of e-mail and some surfing during break or lunch time improves the situation a great deal.
Tuesday, July 13, 2004
Open Source creates jobs!
Bill also hinted that not using MS products reduces tax income for governments. Which do you think brings in more taxes: a one time sales tax or ongoing income tax? Better to spend that money on SA training (no matter what OS you use) or assistant SA's.
And before we have another Blue Monday incident, I'm not griping about the OS. I'm griping about the marketing practice!
Viruses for sale!?
are now offering custom viruses for a
price. It seems to be more of the bleed-over we've been hearing
about: the relationship between hackers and spammers.
Wardriving article
accurate article about the issues involved with wardriving, entitled "Confessions of a War Driver".
Monday, July 12, 2004
I did not send you a virus!
Anyone know of a good open source version I can use as a pre-formated response to complaints?
IRC Searches
It's amazing the amount of stuff that gets indexed by various search engines. Following is a list of non-standard search engines (IRC users, IRC channels, BT files, etc.) that security types might be interested in:
IRCSpy - IRC file search
SearchIRC - IRC channels, users, networks
ISOHunt - BitTorrent file search
PacketNews - IRC file search
NetSplit - IRC channel search
XDCCSpy - IRC file search
Warning: Some sites listed cause browser crashes.
DNS Snooping
MT blog gone
Now we just have to wait for the search engines to catch up.
Sunday, July 11, 2004
Message count
the blog is running without a web input, I wrote a bit of code to count
the messages pending in the near future and stuck it in an i-frame.
Let me know if anyone has problems with it or wants the code. It's a
hack, not an acutal plug-in, though I probably should rewrite it into
one?
Free anti-virus
If you think, they will do it
using a time-memory tradeoff. Basically, for certain types of
algorithms, results of hashes can be pre-calculated and stored.
Unhashing a hash becomes the result of performing a lookup in a giant
database.
Well, someone has done come up with online MD5 cracking. (via /.)
Bluemonger
sounds (or may actually be), I don't think tying yet another infection
vector to the Internet or your home computer is that good of an idea.
Saturday, July 10, 2004
Wireless not secure just yet
LAYER 3 VPN'S ARE NOT SAFE TO USE IN WIRELESS ENVIRONMENTS!!!
Don't forget your wireless IDS's either.
It's scary to see that "experts" in the business world are still recommending WEP.
Friday, July 9, 2004
SEO Contest
Clueless users should be jailed?
Professional Technical Reference has an article which discusses the author's point of view where each and every user on the Internet should be held legally responsible for their hacked systems flooding the planet with spam.
Again, I don't believe you can hold my grandmother responsible for someone hacking her Tivo.
A. Lizard likes to say things like "due diligence" but ignores the fact he may only be able to sue for those instructions in the booklet that came with the device. After he can prove that everyone consistently reads all of the directions in those multi-language documents.
Why share source?
Can y'all think of any other reason(s)?
Thursday, July 8, 2004
Stop using NTLM
has any truth , using NTLM authentication has just become that much more
of a security problem.
The problem is if the database exists. We already knew that this would
be a problem eventually.
Link Prefetching
Wednesday, July 7, 2004
The Fine Print
Statments.
Tuesday, July 6, 2004
New Attack on RSA-based SSL/TLS Protocols
Building OpenSSH
"Building
OpenSSH - Tools and Tradeoffs" which discusses theory and
installation of OpenSSH 3.7.1p2.
Steg Forensics
(actually last February) a paper entitled "Steganography for the Computer Forensics Examiner"
which discusses theory and various detection tools.
Monday, July 5, 2004
Logs
new code in the last two days.
What have I learned? Three things: 1)
a lot more people visit here than make comments, 2) someone in Japan
blogged something about my site (I cannot read/speak Japanese all that
well), and 3) I should consider switching the "make a comment" HTML link
over to a bit of JavaScript "onClick" code. Seems MSN's and Google's
spiders follow the "make a comment" link, even if there's no comments on
the far end. Using the alternate code might avoid the extra network
bits and might cause a few less useless pages to be stored in search
engines.
Boneheads
it". It's not which OS is better, it's which one is used and
protected properly.
Considering some of the recent news articles about
both sites, in this case it's neither. And it'll only get nasty. If
the IIS box gets hacked, the OSS purists get on the news with a "told
you so". If it's the Apache box, the MS purists start ranting about
"lack of support".
Neither group is correct. Both groups are
correct. Mostly it's the people hired to run the servers. And given
the reason for the servers existances, it's not a question of "if" but
"when".
Exploiting Google
but, in the long run, it damages Google. Basically, it's a contest to
see who can get a page up to #1 and keep it there. Some consider "by
any means possible" as justifiable.
The contest finishes
day-after-tomorrow. Read more about it here and here.
Packet Crafting for Audits
has an article entitled Packet
Crafting for Firewall & IDS Audits. This is part one of two and
discusses hping and tcpdump use. Network admins should know this!
Security bible quote?
good guideline for security: "Trust not
your users, for they will lead you into darkness.".
Lies, Damn Lies, and Statistics
the chorus.
Computer
Weekly has an article discussing the number of vulnerabilities discovered last year for each of the major OS's. Unfortunately, this kind of statistic fails to clear up anything.
MS had 46, Suse had 48, Sun had 60, etc.
You should notice that they gave you numbers but didn't enumerate the vulnerabilities. What's normally done is limit MS products to just those in the default install (usually just those that MS wrote). However, Linux and Sun includes other peoples programs on their disks. See the problem?
(Chorus)It's not which one is better, it's which one is managed worse!
If you're going to compare products, do it on a case-by-case basis. Mail client vs mail client. Browser vs. browser. Core OS vs. core OS. Exploit which takes the Internet down vs. Exploit which takes the Internet down. Ad nausium.
Any report which just spouts numbers makes me think that the source of the report suddenly has additional funding from somewhere, as we've seen this before.
Sunday, July 4, 2004
How to use cryptography in computer security
has a good manager-level aritcle discussing basic "theory" (uses?) of cryptography.
Thumpa Thumpa shh!
neat trick. I can appreciate it because I live just down the street
from a group of just-got-our-own-car teenagers. Up until now, I'd
considered HERF but that'd also cook the electronics in the rest of the
immediate neighborhood.
Saturday, July 3, 2004
Counter plugin
for his counter plugin.
Update: Allen is also responsible for pointing out the proper plugin (and giving enough hints) to allow me to put comments back on the main page.
Security Planet
Security
sub-blog and from there, his Security Planet, a
good pseudo-aggregator. (I use "pseudo" only because it's not the
reader that adds/deletes feeds. Barry does that.) Good site though.
No op
up here. Next on the list: fix pings.
Spammers tied to blo.gs?
is that the comment spammers are still adding junk to the old blog. The
traffic level seems to have dropped off a bit though. Could it be
related to the fact that I no longer post via MT and therefore no longer
"ping" the usual sites to indicate that the MT blog has been
updated?
Hmm... Wonder if it would be worth leaving MT running and
doing an analysis of the traffic after a month or so?
Badly worded laws
law on the books that prohibits you from holding a cell phone up to your head while driving. While it's intended to regulate those distracted idiots doing 40 in a 55 while talking long distance with their mom, I have "issues" with the law:
- cell phone use is sixth,
ninth
or first depending on who you ask. "First" is usually based on surveys
of common opinion rather than actual studies. The government studies
usually indicate cell phones having less cause than adjusting the
radio/internal temperature, eating, and yelling at the kids. - the law is too broad as it allows for fines for ANY distraction
- the law is vaguely worded (can apply to any driver with a two-way
radio with a button-operated microphone, GPS, or radar device)(i.e., law
enforcement, cab drivers, delivery personnel, firemen, utility workers,
etc.) ("electronic device" is generic and, by definition, means just
about anything in the car) - the law adds yet another requirement on law enforcement (must search
for the presence of cell phones at each accident) and government
(database tracking, reporting, and training). Unless the legistlators
intend on providing additional funding for yet another requirement on
law enforcement and lower government, this just adds another stress on
an already limited budget.
Unfortunately, it's one more low level law that is too expensive to
fight and will probably be ignored in the long run. In the security
world, your policies have to be realistic and enforceable for them to be
effective. Too many "silly rules" and the entire system is held in
contempt by the average user.
I've been rear ended seven times. Four of them while stopped at a
light, two while slowing for a light, and one in a parking lot. Each
and every time the driver was distracted (by sunlight, a road sign,
another person, etc.). That is, unless one or more of them did it
intentionally (road rage?).
Accidents will continue to happen, regardless of what drivers are
doing, especially inside of, or on, 495 after 3 p.m. on a workday. (too
damned many cars in narrow lanes on not enough pavement)(ignoring the
amount road construction that occurs during rush hour in DC).
We'd save more lives by making cars single person vehicles, with a
top speed of 35 mph, without radios or temperature controls and tearing
down every sign along the highway.
Good things to come
released Linux
drivers for their chipsets. Hopefully we'll start seeing these in
the next distros.
Tracking by GPS
Friday, July 2, 2004
HMO for Tivo
me know. It took a bit to get Java up and running (hint: copy the JRE
folder to /usr/local/) but JavaHMO is installed and start-able. I'll be
playing with it over the next few days.
Spam Host Countries
Sombria Honeypot
Forensics.nl
Infection by Search Engine
Your efforts may not be appreciated
One, you need support from management to do ANYTHING security-related.
Two, it's next to impossible to get a gov't worker fired for waste and abuse. (Hey, the guy that did get fired probably violated a security policy about installing unauthorized software. The boss was only wasting time.)
Thursday, July 1, 2004
Scob Source Code
Parents Guide to Linux Web Filtering
Misc. No Op
MS-CHAPv2 Cryptanalysis
Service providers can read your e-mail?
G on a chip
Hmmm.. Be the first on your block to have your toilet paper dispenser on the Internet! Seriously, if this becomes available to the garage hardware hacker, we'll probably see some interesting projects. More here.