Tuesday, August 31, 2004
What did I do?
Google search for "joatblog". Anyone know something I don't?
Still more on the Graffiti Bike
Hmm... Using his lawyer's logic, it's okay to TP the town hall if I call it "art" or "freedom of speech"? Hey, it's biodegradable and eventually washes away.
Blogspot Problems
getting out of hand. It's starting to look like filtering the entire
domain is the only option, something I'm reluctant to do as their are
quite a few legitimate sites that are worthwhile to log. Maybe I should
drop the vanity function altogether?
Airpwn
reasons why you spend a week or so, slicking, reinstalling and locking
down your laptop before you go to Defcon and re-slick it once your
done. It's also one of the reasons why you go to Defcon.
Hilarious!
Yeah, I know, it was only data injection but there are
other more evil things lurking out there. I wonder if anyone was able
to figure it out without help.
Banned books
Monday, August 30, 2004
Another Lawsuit
their newest round of marketing practices. From /., comes
news that various local governments in California are suing for MS's use
of predatory pricing practices.
I can see their point, I'd be ticked
too if I spent $200 for XP and my next door neighbor got it for $50
bucks 'cause he'd stated that he was considering switching to
*nix.
The problem is going to be the punishment though. Do you think
fining a company $100 million is going to hurt when they've profited
$500 million? I wouldn't be surprised if it's written off as an
operating expense at some point.
WEP
What is Public Information?
one really irks me. Since when does information concerning a
housing association constitute public information? Yes, any member of
the organization should be able to examine the records but the
organization is funded by member dues, not "public money".
I also
dislike the Community Council's reaction as it sets a troublesome
precedent that is going to require someone goint to court to reverse.
Given that just about every housing association in the U.S. has a lawyer
on retainer, I think Mar Vista Community should fire theirs.
Telemarketer counter-script
hilarious, especially the part where the telemarketer is uncooperative.
JohnnyIHackStuff
http://johnny.ihackstuff.com/backend.php
Sunday, August 29, 2004
Graffit Bike Update
Rootkit Hunter
Hunter is out. New features include: support for the ADM worm,
support for MzOzD and spwn, LKM filename checks, and tests for
passwordless user accounts.
No Op
surprised if things gain a bit of law-related flavor.
Spam Filtering for Mail Exchanges
which explains spam filtering for systems acting as mail exchangers.
THe subtitle is "How to reject junk mail in incoming SMTP
transactions."
Saturday, August 28, 2004
DoS Attacks
Distributed Metastasis
Actually, Rob is also using the paper to teach defenses in the same manner.
New Honeywall
List has a post announcing a new version of The Honeywall CDROM (from the Honeynet Project).
CallerID Spoofing Service
service and I don't believe the local phone company will put up with
it for long. (From: Security
Focus).
Friday, August 27, 2004
Wiki
Google-related sites, a format change for the Glossary, and a definition
for the Cinderella Attack (courtesy of Burak Dayioglu). The listing of changes is here.
Bots, Arachnids, and Other
802.1x
on 802.1x-based port authentication. This is a good to know if you have anything to do with corporate VLANs or wireless.
Wireless Security
SANS paper which discusses wireless security. The author seems to have
missed that Microsoft's and Cisco's versions of PEAP are not compatible
but it's still a good paper.
Thursday, August 26, 2004
Stealing Passwords Via Browser Refresh
- clear your history (or temporary Internet files) after each use
- turn off auto-complete if it's available
- turn off the browser's password manager
- don't use the "remember me" feature on the website
- close the browser and reboot the machine when you're done with the site
Yeah, some of those are a bit anal but if you're worried about the data controlled by a certain website, it may be worth the trouble.
Squish DNS checker
some really heavy duty records checking. Very useful for DNS admins.
Wednesday, August 25, 2004
The sky is falling, the sky is falling!
down tomorrow. The short version is that terrorists have predicted
that they will take down the Internet some time tomorrow. So far, it
appears to be a hoax.
What if it isn't? Here's some work aheads to
minimize your withdrawal symptons:
- Make an emergency host table
of all of your favorite sites, keep it offline - stand up your own
domain server, use the host table to build zone files for those domains
(i.e., declare yourself authoritative for those zones) - make sure
your IDS signatures are up-to-date - same goes for your
patches - make sure your call tree is up-to-date
- go to the
library, video or game store and borrow/rent/buy that book/video/game
that you've been wanting to read/see/play.
If the world does
end, you're that much ahead of the game and probably not offline
altogether. If the world doesn't end, hey, you won't have much do on
Friday and will already have the entertainment for the weekend.
Hash Howto
Illustrated Guide to Cryptographic Hashes" that helps explain (a
bit) the recent panic over broken hashes.
Some good news
is good news in that possession of the tools of a crime is not illegal
in itself. Otherwise, you'd be suspect for every sharp or blunt object
in your house. It's the use of those tools which can be
criminal.
Before we get into that argument, I don't condone
illegal file sharing. It's just that possession of certain software
(port scanner, vulnerability scanner, password checker, spam filter)
should not be cause for arrest. I run each of those tools on my
network. I also "possess" numerous file sharing programs as part of
research for network security (Nessus/NMap/Snort signatures, etc.). I
just don't use them.
Future fight?
Malware Analysis
paper
entitled "Malware Analysis for Administrators" which is
interesting reading. It doesn't walk you through a how-to but it does
have a good list of the tools needed and same basic theory behind the
process.
Tuesday, August 24, 2004
dd_rescue
dd was originally used for hard drive maintenance and also became a staple of many forensics people's toolkits. The trick was that you had to know what you're doing. Encase has since simplified the process and its output is challenged less and less.
For you more paranoid types, this means that you should destroy even the damaged hard drives.
Let him without sin cast the first...
Bubbas better look in the mirror first.
My first network job required that I chase viruses (this was before there were enterprise solutions). I once spent an entire day running back and forth between the department head's office and the division office because they kept re-infecting each other while I was in transit. Come to think of it, that was my first forehead bruise too.
Basic Web Session Impersonation
interesting article which
discusses the basic theory and countermeasures behind web-based session
attacks.
Monday, August 23, 2004
Brute forcing SSH
force attack tool for SSH. It's quite a simple tool, the author
having built the dictionary into the code rather than relying on
external dictionary files. I still get the impression that it will
still be affective against those systems with poor configurations and
weak passwords (there's more of them than you
think).
Countermeasures:
- edit the SSH config to limit who can
log in via SSH (hint: root should not be one of these) - configure
your IP filters (routers, IPFW, IPTables, etc.) so that only certain IPs
can connect with SSH - consider using SKey, user-level keys,
Kerberos or some other type of authentication
turn off the default username/password authentication.
RSS Weather
to getting your local weather via RSS feed. To quote a friend, "cool beans!"
Tivo Sharing II
Neal Stephenson
the Baroque Cycle has been out for
quite awhile. Sorry to say, I'm still wading through Quicksilver, only
getting time for recreational reading during lunch at work (yeah, that's
me in the McDonald's parking lot).
Sunday, August 22, 2004
Wiki/Blog interface
anchors to the Wiki. The idea is that the autolink plugin would
automatically link to certain entries in the wiki glossary and/or the
wiki proper. I've also thrown in extra links to Google, Yahoo, and
other well-known sites.
All of the links in this post were
automatically added by the plugin. Of course, I have to tweak the
plugin (can't resist that) and then manually add the entries but it
saves typing in the long run. Let me know if I get out of hand?
MS Port List
should be the Microsoft Port List. Barry Irwin has even provided a HTML conversion of the XLS for us non-MS users.
Weather feeds
G33k) has pointed out that the NOAA has feeds for their Atlantic and Pacific forecasts.
Bootable Windows CD
(only needed it once to rescue a Linux hard drive). However, I've
needed a bootable Windows CD a number of times but didn't have it. I'm not that talented with the minutia of Windows administration. Hopefully, this will come in handy the next time I need it. (Thanks to ryumaou at Diary of a Network Geek for the pointer).
Profile of a referer spammer
content in the last line.)
My complaint centers around referer spam
rather than e-mail spam. Because my site lists recent referers, I've
come under "attack" from a specific IP address: 63.227.76.25. That IP
address has spammed my site with links to:
www.usa-dui-research.com
www.global-medical-research.com
www.global-home-improvement.com
www.wi-fi-bandwidth.com
www.php-monster.com
www.global-cancer-research.com
A DNS lookup of each of those web sites returns the IP address
69.72.141.154. "wget -S 69.72.141.154" reveals that it is running
Apache 1.3.31. A WHOIS lookup of the web server IP address shows that
the web server is in Parsippany, NJ. A WHOIS lookup of all of these
sites show they are registered to Oi, Inc., via the Go-Daddy registrar.
Opinion: As each of these sites has the same bland front-end
with no links (other than Google Ads), I believe that this may be an
attempt to defraud Google's Ad Sense program. (I will send a copy of
this post to Google.)
A WHOIS lookup of any of the domains returns the
same corporate info:
Registrant:
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
Registered through: GoDaddy.com
Domain Name: GLOBAL-CANCER-RESEARCH.COM
Created on: 29-Jul-04
Expires on: 29-Jul-05
Last Updated on: 04-Aug-04
Administrative Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --
Technical Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --
Domain servers in listed order:
NS1.OPENVIEWINC.COM
NS2.OPENVIEWINC.COM
A short Google search on the postal address brings back:
http://www.openviewinc.com/contact.html
shows the corporate info as:
O P E N V I E W INTERNATIONAL, INC.
TEL: 615.360.1010 FAX: 615.361.0280
E-MAIL: info@openviewinc.com
MAIL DELIVERY:
DOWNTOWN
P.O.BOX 22036
NASHVILLE, TN 37202
USA
According to the immediate above, anyone calling the phone
number used to register the domains will get an ear-full of carrier tone
from the company fax machine. However, a Google lookup on (615)
360-1010 returns to "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr,
Nashville, TN 37217".
A DNS lookup of the name server for each of
these sites reveals the DNS servers ns1.openviewinc.com and
ns2.openviewinc.com. The IP address for ns1.openviewinc.com is
69.72.141.153. The IP address for ns2.openviewinc.com is 69.72.141.154.
Note that the www.openviewinc.com website and the mailserver for the
openviewinc.com domain is also 69.72.141.153. Telneting to port 25 at
that IP address returns:
Trying 69.72.141.153...
Connected to 69.72.141.153.
Escape character is '^]'.
220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 ottawa.nshoster.com closing connection
Connection closed by foreign host.
No spam allowed. That's almost funny.
An interesting bit of
information is reavealed by performing a WHOIS lookup on those IP
addresses. Seems both of them are part of a network owned by Care
Initiatives, Iowa's (according to CI's website) largest senior care
provider.
Remember the site sending the referer spam is 63.227.76.25?
A WHOIS lookup shows that it too belongs to Care Initiative in West Des
Moines.
Getting back to Mr. Jackson. A Yahoo search for "jeremy
jackson nashville" returns a link
(http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View
Trading with the following contact information:
Contact:
Jeremy Jackson
Owner
Open View Trading
P.O.Box 22036
Nashville, TN 37202
U.S.A.
Tel: 615/360-1010 Fax: 615/360-1133
Hey, that's the same phone number but it's a different fax
number. Same P.O. Box too.
Futher Google and Yahoo searches for
"jeremy jackson" and "openview" or "nashville" reveal that he has a
healthy gaming habit (FPS's) too.
So, to sum it all up, we have a
gamer in Nashville, running what might be a shady online business which
isn't registered anywhere (possibly Canada?), uses a web site in New
Jersey which is registered via a yahoo e-mail address through a
registrar that is reluctant to provide information (GoDaddy), has
another e-mail account and dns server at a non-profit senior care
facility in Iowa whose STMP banner prohibits spam, uses his home phone
for his business(es) and likes to referer spam my site.
Hope the rest
of you enjoyed this at least as much as I did.
Jeremy, cut it the
F**K out.
Saturday, August 21, 2004
sudo patent
important because Longhorn has a shell, something that the *nix world
has had for years but MS users are only now receiving. This is good for
MS users but has the possibility to become a really bad PR issue of MS
is going to start patenting features that have prior art going back two
decades. Next we're going to see patents on cron, at, and history?
This isn't helping
came from eBCVG,
which came from WebProNews, which supposedly came from ArticleCity.com (a link I cannot get to come up).
What's wrong with the article? How about:
- the $25 card probably won't work as the cheap ones don't "do" RFMON
- the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
- The SSID is not constantly transmitted and computers don't care about it. The SSID is periodically beaconed and wireless NIC cards use it to negotiate connections to specific networks.
- It's Kismet, not Cismet
- I don't get why the GPS receiver records only the coordinates of the strong signal.
- The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
- I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
- Don't broadcast your SSID? This one gets old. Previous guidelines recommended that you turn off SSID beaconing. It's been proven that this action only delays SSID detection for a few seconds as the SSID is included as part of Layer 2 management frames. The author seems to be aware of this but mucks up the explanation anyways.
- How did factory default passwords for routers get into this? Do I need to buy a router too?
- EAP is not encryption. EAP is an authentication protocol which uses encryption.
- WEP encryption is not bypassed, it is broken via AirSnort (i.e., the shared key is extracted).
- MAC spoofing does NOT take time. Manually spoofing a MAC address for an extremely bad typist only takes a few seconds.
- Password protecting MS file shares are pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?).
- Breaking WEP does not take days so the seconds to days/weeks-next-to-your-network comment is garbage.
The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:
- Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
- Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
- Use MAC address filtering. It causes the attacker to execute one more command than before.
- Turn off the d*mn access point when you're not using it.
That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next door neighbor's wide open network.
If you're willing to spend the extra money, you can also:
- use third-party layer 2 encryption
- use wireless intrusion detection
- periodically scan for rogue access points and clients
- or even better, put CAT-5 cabling in the walls
It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).
Chroot
so here goes...
NetSec has a
pointer to a "Chrooting Unix Services Guide" which discusses basic theory and configuration.
Friday, August 20, 2004
LADS
streams (ADS) and a note that SP2 changes it slightly (was this ever
a good idea, even for NTFS?). Also described is a freeware tool called
LADS which will List the ADSs.
New entries in wiki
- Finding the Status of a Package
- Finding the Status of an Airline Flight
- Looking Up UPC Codes"
- Looking Up Vehicle ID Numbers (VINs)
- Searching for a Map of an Area Code
as part of the "Google Tricks" section. Thanks to #!/usr/bin/geek for the new pointers.
Graffiti bike
Thursday, August 19, 2004
Thank you Dana!
Intro to NetFlow
article entitled "Detecting Worms and
Abnormal Activities with NetFlow".
You'll hear me harp about
this over and over if you follow this blog: if you're responsible for a
network, you need to know what "normal" "looks" like so that you can
recognize "abnormal". This is a good tool to have.
Holy Crap!
following may not
work:
- Citrix
- ArcServ
- eTrust
- F-Secure
- Installshield
- Quicken
- McAfee
- MS Office
- MS Outlook
- Norton
- PCAnywhere
- Symantec
- Reflection
- ZoneAlarm
- and most of the IM's
Executable stegs?
a /. post pointing to Hydan, a
steganorgraphy tool which allows you to hide data within an executable.
This was bound to happen eventually, being yet another part of your
system with slack space.
Also, this is another one of those tools that
can be used for good (watermarks) or evil (hidden data). It may not
measure up to other steganography methods. If you have readily
available "good" copies of binaries to compare against a steg'd version,
simple MD5 checksums should be able to detect modified versions.
Wednesday, August 18, 2004
Intrusion Analysis
interesting article on packet
analysis, part one of a series. This is part of the knowledge
required for your SANS GCIA certification.
More InfoSec Blogs
site similar to 757.org. What makes it notable is the InfoSec-related
blogs:
- antlab
- cybercrime/-security
sightings - Defcon
=D8c - disLEXia
3000 - KE(ep)YO(ur)BA(ck)
- King Size Che
- lufg: Hacker Seminar SS
2004 - Red
Team - Running
LAN - Summerschool Applied
IT Security
I've only included the English-based ones (I'm unable to read German)
and some of those haven't been updated recently (but are interesting to
read anyways). Also, some of the blogs are via the same person.
In
any case, thanks to the teenage mutant
ninja hero coders for hosting all of those sites. I've added them
as a separate category in my Bloglines feeds.
Rootkit Hunter
Tuesday, August 17, 2004
Whoa
healthy sums. This one is not an exception. McAfee is buying Foundstone!
One thing to keep in mind though: one of McAfee's former names was Network Associates, the name to which acquisition was tied to as a secondary nature (my opinion). Gauntlet and certain forms of PGP disappeared through that process (also my opinion).
Tivo displays
something like this. I
miss my Amiga 2000 which was modified beyond my ability to resell it
when it came time to let it go.
Tivo! How about just a minor API so
we can modify/add non-dangerous (legal) features?
MFD's
Textbox with Auto-complete
Monday, August 16, 2004
SHA-1 Broke?
that SHA-1 has been broken (at least partially). We've been told to
wait a few days to find out the truth. Also, AbusableTech seems to be
offline at the moment.
Snort + ClamAV
ClamAV could be used as a preprocessor, but then were frustrated because
SourceForge's archive doesn't carry the attachments to the post, you can
get it here.
More DiD
working. The new in-vogue approach is local protection. I firmly
believe that this will not produce the fruit the proponents want. For
proof, go search Google for what the Witty worm did.
The problem with
defense-in-depth was that most were too lazy to fully embrace the
paradigm. Defense-in-depth was "embraced" only as far as perimeter
protection (firewalls) with some internal support (virus scanner). They
didn't bother with HIDS, local packet filters, tripwires, metrics
monitoring, and periodic scans. Some even used minimal configurations
on their perimeter firewalls.
InfoSec Writers has an article talking about the extra security that should be common sense but somehow isn't widespread. The short version is: you should be locking your perimeter filter down to the minimum required to operate.
An example is the web server in your DMZ. Your premis router should allow connections to TCP port 80 on your webserver and UDP port 53 on your external DNS. Your host filter (local firewall, IPFW, IPTables, etc.) should have the same configuration (of course, your webserver will also want to talk to the DNS server on UDP port 53).
You may want to add some sort of control channel, such as SSH (TCP port 22), but you want that type of traffic to come from one local (internal) IP address, not the Internet. Even better, move the control out-of-band: buy a console switch and use serial connections to all of your servers.
IT's SarbOx role
entitled "The Role of IT Security in Sarbanes-Oxley Compliance",
which discusses IT-centric requirements for protecting financial
information. If you work in network security, this is going to become
important.
Sunday, August 15, 2004
PDA Forensics
NIST's draft version of their "Guidelines on PDA
Forensics".
These documents are important, but maybe not for
the reason that you think. The information is available elsewhere,
maybe even in a single document. What makes it important that NIST
publish it is that it becomes a federal standard.
The reason that this
is considered "good" is that it makes legal proceedings that much easier
(shorter) because you, as a forensic type talking to judge/jury/other
lawyers, don't have to prove the legitimacy of your investigative
process each and every time you're in court. The short phrase to
describe it: a protocol.
Tracking spammers
Visualize your metrics
to push your data thru gnuplot is a good thing to know.
Saturday, August 14, 2004
More wireless problems
Begginer's Guide to Phishing
IBM: Securing Linux
Friday, August 13, 2004
MS's Lower Total Cost of 0wnership
is funny. Even funnier when you realize that you misread the title the
first time around. Thanks Dave!
Robert Graham
information, from tools to malicious code analysis to commentary. Visit
his site here.
Thursday, August 12, 2004
757 IdleRPG update
trail of the evil wizard zENGER. Stott, the Green Warrior, still
follows in my footsteps, waiting for me to make a mistake.
Stamps.com
the same day: Stamps.com. I can see
some geek-mileage in this one. Got root? stamps and the like.
Let the hairsplitting begin!
Fyodor seems puzzled that Microsoft considers NMap an attack tool. Fyodor! Think marketing vice programming! NMap, Nessus, TCPDump, Snort and Apache are probably all considered evil even though only some of them use raw sockets.
Given the interdependency of the libraries, I'm willing to bet the the interface hasn't totally disappeared. Rather it may have been moved, somehow obfuscated, or has obtained a wrapper or somesuch.
SE Linux
BattleTorrent
pointer to BattleTorrent which promises to be easy to set up for novice users.
I have little interest in MP3 trading as either I or my company paid money for them (think classes not songs) but I do have interest in those updates (Mandrake for one) which become available via BT before anything else. Also, I'd rather archive data (news and articles) rather than eating up storage space on 4 year old drives with MP3's I'll rarely listen to. Thus my novice P2P experience.
Anyways, I hope that there's an easy-to-use BT flavor available the next time I want the new *nix distro.
VNC
and security-thru-obscurity failing via Google: another lecture at Blackhat which shows that you can find possibly vulnerable VNC servers listings. Definitely falls into the "this is bad" or "shoot yourelf in the foot" categories. If you have anything to do with security, you should be visiting the major search engines, at least on a weekly basis, and scanning for "stuff" available via your company's domain.
Wednesday, August 11, 2004
Detecting Windows Keyloggers
Monkey (of "A Day in the Life of a Security Investigator" fame) has
a quick piece about detecting Windows keyloggers. Interesting reading.
Making things worse
bandwidth and harddrive space, the FTP server "Serv-U" is often used
(because of its small size and its portability). To make things worse,
there's a number of vulnerabilities in that binary, resulting in
exploits such as this which allows the secondary attacker to gain system privileges.
Tuesday, August 10, 2004
Blackhat Media
Call me old-school but I firmly believe that adding technology, especially that without a long-term performance history, does not increase security. The presentation uses a lot of rationalizations which stretch the truth a bit. "We" do not let in port 80, that's done by people, using ISA, who are too cheap to buy a second IP address. Some of the "new" suggestions are actually from the old "moat" model, such as moving your public servers outside of the internal network.
In any case, there's also quite a few other presentations archived there. You may want to download/keep copies of the ones you find interesting. The site practice is to only make files available until they're about 6 months of age.
Environmental Security
interesting paper discussing the enhancement of physical security via
modificiations to the local and semi-local environment.
Monday, August 9, 2004
The Art of Rootkits
IDS in Large Orgs
SANS paper entitled "Intrusion Detection on a Large Network".
It's a good paper for building and installing Snort. However, it's a
bit lacking in the data correlation side of the house (something that
you have to have to effectively monitor/protect networks of any size).
Sunday, August 8, 2004
IdleRPG
sub-category...
zENGER
and skifter22!! I am coming for you! If I can keep stott off my butt, that is. (heh)
For those that don't know, IdleRPG is an IRC game that you play by doing absolutely nothing on various IRC servers (see "Other IRPGs" link).
Wiki
MediaWiki. This may not be the last one I try out but it should work
for now. You're welcome to edit/add but please read the rules on the
font page first.
Using Session Data to Scope Events Without Signatures
actively support "deep packet inspection" over "application proxies"?
What's the trade-off? A slight speed increase and using a "cool" new
technology vs. a slight loss of control and security (in the form of
record keeping). I'd like to see proof of that speed increase
sometime. Yes, layer 4 (OSI model) filtering is faster than layer 7
proxying but, once you start tacking on layer 7 inspection onto a layer
4 packet filter, does the extra processing requirements even the
equation?
In any case, TaoSecurity states the IDS
issue very nicely and describes a tool that nicely covers one of the blind spots in IDS technologies: session data.
Possible Points of Failure
SANS paper which discusses the various possible points of failure in
Information security. A common theme seems to be "blind trust", in
certifications, in equipment, in processes, etc.
Saturday, August 7, 2004
Old news
geeks. Now it seems to have faded into trying to keep up with the rest
of mainstream (esp. since most of mainstream has moved online and isn't
controlled by the few). Evidence the news
that you can hack bluetooth, something that was publicly known over a
year ago.
Why's it suddenly news? Cause Adam and Martin figured out a
way to do it over long distances.
Next thing you know, they'll
discover that, with the right equipment, the guy in the van at the curb
can watch what you type into your computer.
Friday, August 6, 2004
The Art of Web Filtering
SANS paper entitled "The Art of Web Filtering". I disagree with
the author only where he states that keyword filtering is poor, at
best. My view is that it really, REALLY stinks as a tool.
Also,
depending on the size of your customer base and what you're trying to
block, filtering may become an exercise in futility as you try to keep
up with your policy abusers. It's much more efficient to have an
enforceable policy and self-policing users.
Public prosecution of
offenders do wonders for policy enforcement, unfortunately they may not
be a legal technique at your organization.
Long-range Kits
Blue/War-driving are on
sale.
Defcon 12 News
back a T-Shirt. Of more value was NetSec's posting of the presentations
(Please be nice to the server, the webmaster is asking for mirrors for
A-K
and L-Z.
Look at Rob's Aug. 5th posts over on NetSec for a bunch of news about
the shootout, The Schmoo Group's upcoming conference, Meet the Fed,
Robert Morris Sr.,
/. has a pointer
to yet another review of DC12.
Thursday, August 5, 2004
More on MSN's new search engine
successful:
Again, I don't think
that tweaking a search engine to support a business/business model will
help in the "success" of that search engine (or the business).
Secret handshakes?
about combining port knocking with OS detection to limit access.
Seriously? Doesn't this sound like too much time on your hands?
TerraServer
engine for the US Geographical Survey aerial imagery and topographic
maps. (via NetSec)
Wednesday, August 4, 2004
Cross-linked pr0n sites
is that they not only cross-link their own shady blogs, they use comment
and referer spam to point to their blogs and pr0n sites.
Search Engine Wars?
plans to challenge
Google. I have reservations about them being able to compete with
Google. They're using two different business models.
Besides, having
your search engine affected by widespread referrer and comment spam is
one thing. Additionally adjusting your own database to limit competitor
listings is another.
The Wayback Machine
Wait, wrong machine. This one allows you to
search snapshots of the Internet as far back as 1996.
Tuesday, August 3, 2004
Withdrawals
Scam trace
p_Scam_101.txt">this except he missed one thing. Since he doesn't
allow comments, hopefully he'll see it here:
Barry, do a whois on the reverse lookup (IP address) for the web site! It's in the U.S.
Web Site Defacements
database of web site defacements. This is also where some of the older
defacement archives ended up.
Five-button Mouse
one is for my own benefit. My secret cache of Logitech 3-button mice is
running seriously low. I bought a half-dozen of 'em when Logitech
decided to stop making them. I've been wearing them out at a rate of
one every 6-8 months and have been cannibalizing all of them for repair
parts.
Wheel-mice piss me off and I consider Microsoft/Mac/other
two-button mice as seriously crippled. I learned Unix over a decade
ago. Middle-button paste is an ingrained (sp?) reflex at this point.
Monday, August 2, 2004
Linux Gazette
online newsletter to read. The format has changed over the years (since
1996, I think) but they've always had good articles. Now they even have
a RSS feed.
Sunday, August 1, 2004
Free Snort Book
Tunneling over DNS
New feed
is the referer plugin. Picked up a new feed for Burak Dayioglu and a list of sites
to watch.
Too far?
have to be very careful about the wording of laws like Mr. Hatch's
INDUCE act.
I disagree with the article where it talks about law
enforcement abusing its power. Law enforcement is not at fault here,
they were doing what a judge thought the law allowed. It all goes back
to how the law is written.
Unless it has very specific wording, it
will end up like the Bible: subject to interpretation. If you hear
someone screaming about a law being evil, don't just jump up on the
soapbox with him and start screaming too. Instead, read the proposed
act and make constructive comments. (Many politicians ask for
input/comments.) Also, remember that phrase like "doing it this way may
be better in the long run" works a heck of a lot better than "your law
is a piece of sh*t".
DNS Attacks
Please keep in mind that DNS poisoning is not necessarily a "bad thing"(tm). It is still the only truly scalable method of blocking objectionable web sites and mail servers. I've seen it used at sites with 50K users.