Thursday, September 30, 2004

Heroes

Two people that I'm in awe of: Derek Jeter for his post 9/11 work and
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.

Phishing, Fraud and Other

CastleCops has an article
entitled "Phishing, Fraud and Other Dastardly Deeds, Part 1".

Using NetFlow

Security Focus has a multi-part series on "Detecting Worms and Abnormal
Activities with NetFlow": part 1, part 2.

No op

I've turned off the referer vanity for a bit. I'm taking a beating from
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.

GDI Exploit

A working version of the JPEG buffer overflow was demo'd in class last
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective.

Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda.

What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port.

So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched, possibly?) but it did
work locally via the file browser. What's worse, XP automatically
generated a preview of the JPG, so as soon as you opened the folder the
local machine handed a shell prompt to the instructor's machine, which
was running netcat.

But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool.

To give proper credit, very little of
the above is my own train of thought. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo.

As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit (the malformed JPEG on its way in)
rather than the exploitation, since there's no default port, IP or even
graphic to key on. Remote delivery vehicles will probably be limited to
SMTP, HTTP, and the various graphics-capable IM programs, so it will be
easier to watch for the shellcode coming in than for the reverse shell
going out. Besides, not all of the exploits involve reverse shells.
Hopefully we'll shortly see Bleeding Snort signatures for both.
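Here is what "detect the exploit rather than the exploitation" looks like in code. This is an added example, not code from the original post and not one of the SANS or Bleeding Snort rules. It assumes the well-documented trigger for the GDI+ JPEG bug (MS04-028): a marker segment whose 16-bit length field is 0 or 1, which the vulnerable library turned into a huge copy after subtracting the two length bytes (for a COM segment that is the byte pattern FF FE 00 00 or FF FE 00 01). The walker below also flags a segment whose declared length runs past the end of the data, the generic truncation check you want anyway. The sample byte strings are constructed, not files from the wild.

```python
"""Walk JPEG marker segments and flag the malformed length field behind the
GDI+ JPEG (MS04-028) bug. Added example; assumptions are noted in comments."""
import struct

SOI = 0xD8                      # start of image (FF D8), no length field
EOI = 0xD9                      # end of image (FF D9), no length field
SOS = 0xDA                      # start of scan: entropy-coded data follows
RST_FIRST, RST_LAST = 0xD0, 0xD7  # restart markers, no length field


def scan_jpeg(data: bytes) -> list:
    """Return a list of findings: (offset, marker, declared_length, reason).

    An empty list means every segment before SOS had a sane length field.
    """
    findings = []
    if data[:2] != b"\xff\xd8":
        return [(0, None, None, "not a JPEG: missing SOI marker")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "marker byte expected"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (SOI, EOI) or RST_FIRST <= marker <= RST_LAST:
            pos += 2                            # stand-alone markers
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "length field truncated"))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # Assumption (MS04-028): the parser computed length - 2 before copying,
        # so a declared length of 0 or 1 underflows. That is the trigger.
        if length < 2:
            findings.append((pos, marker, length,
                             "segment length < 2 (MS04-028 trigger pattern)"))
            break
        if pos + 2 + length > len(data):
            findings.append((pos, marker, length, "segment runs past end of file"))
            break
        if marker == SOS:
            break                               # marker walking ends at the scan data
        pos += 2 + length
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the MS04-028 length pattern is present anywhere before SOS."""
    return any(r.startswith("segment length < 2") for *_, r in scan_jpeg(data))


# Constructed samples (not real images): a well-formed skeleton and the trigger.
CLEAN_JPEG = (
    b"\xff\xd8"                     # SOI
    b"\xff\xfe\x00\x07hello"        # COM, length 7 = 2 length bytes + 5 payload
    b"\xff\xda\x00\x02"             # SOS with a minimal header
    b"\x00\x11"                     # stand-in for entropy-coded data
    b"\xff\xd9"                     # EOI
)
BAD_JPEG = (
    b"\xff\xd8"
    b"\xff\xfe\x00\x01"             # COM with length 1: the MS04-028 pattern
    + b"\x41" * 16
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("bad", BAD_JPEG)):
        print(name, scan_jpeg(blob))
```

Because the check is on the file's own framing, the same function works whether the JPEG arrived in an HTTP body, a MIME part or an IM file transfer; the transport-specific part is only getting the bytes out.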

Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does, but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLLs detected are either copies linked into non-MS programs
that you've installed or backups of upgraded libraries. Keep in mind that
a program carrying its own copy of the vulnerable library stays
vulnerable after the Windows patch is applied, which is the whole reason
to chase the extra copies down. It's worthwhile to check which programs
load those libraries (Foundstone has some of the tools needed for this)
and, if possible, upgrade or disable the programs.

Oh, and one last thing:
"Good luck! You're on your own!"

Wednesday, September 29, 2004

Wireless Attacks

Security Focus has an article entitled "Wireless Attacks and Penetration
Testing".

LURHQ's take on the JPEG trojan

LURHQ has a good commentary on the JPEG trojan that has some of the media upset. Many had first run with the initial story of it being a virus. It's not. It's a trojan. In other news, K-Otik has also posted an all-in-one version of the exploit.

ISOC paper

Here's a paper on "The Social Engineering of Internet Fraud".

Connection Cutter

Here's a discussion of how to
cut connections using various methods on a Linux-based firewall.

Tuesday, September 28, 2004

Evolution 2.0

/. has an announcement about Evolution 2.0 being released. Since I already use SA, including it in the MUA may be redundant but I'd like to see what they're doing with it.

MS Security Training

Brian Johnson (BufferOverrun) has pointed out the various free security training offerings at Microsoft's Security Clinics and Labs.

Graphviz

Abe Usher (Sharp Ideas) has an
interesting post about
Graphviz that I'm probably going to need in the near future.

RING

From the Summerschool2004 Wiki, here's a paper discussing remote identification.

Monday, September 27, 2004

180Solutions

The following links are going to be valuable in the near future as a
friend is having to deal with an infection:

Also of interest is:

  • DoxDesk Parasites

  • AIM security bot

    Abe Usher (Sharp Ideas) has glued together an AIM-based NMap bot.

    This sort of thing is the reason why you need to keep an eye
    on the traffic that you allow in and out of your network. AIM
    complicates the situation because it's one of those "tools" that can
    initiate connections via multiple protocols, HTTP being one of them. If
    you allow your users to surf, then AIM can probably "get out".

    Nice
    tool if it's yours, nasty if it "belongs" to someone else.

    Wireless programs

    Here's a good article about the open source programs that are moving/showing up in the wireless arena.

    HR 3632

    The House of Representatives recently passed a bill which would add
    penalties for using false information for WHOIS records (see Slashdot
    article).

    This can be a good thing and a bad thing at the same
    time. A good thing as it might help track down spammers and fraudsters
    who fake up their WHOIS records. It's a bad thing as it will once again
    expose techie inboxes to tons of spam due to addresses "borrowed" from
    those same records.

    The current practice is to use a pseudonym for
    business domains. That way when there's a phone call from a salesman
    who claims he has an appointment with Bob Wackemwidahammer, you know
    it's BS.

    Sunday, September 26, 2004

    Chaos Communication Congress

    Found a blog for the upcoming Chaos Communication Congress. The blog is
    here. The RSS feed is here. The wiki
    is here.
    Links to the previous three Congresses are here.

    Google hacking copiers?

    Wait a minute! Are you telling me that people hook their copiers
    directly to the Internet? Without the benefit of a firewall? And then
    they're surprised when Google finds them?!?

    SpoofStick

    Phil Libin (Vastly Important Notes) has a pointer to a "gotta have"
    plugin for Firefox and IE: SpoofStick, which alerts you to the fact
    that you're visiting a spoofed web site. Wonder how long before someone
    writes a version for non-MS browsers. (Hint! Hint!)

    Refi

    Interesting use of technology. Hopefully it won't be considered an
    income stream. Wonder how hard it'd be to configure an AP and street
    clients (iPaqs owned by the audience) for multicast. It'd definitely
    change the experience.

    Saturday, September 25, 2004

    Burning Man Phone

    This is the sort of thing that always amazes me, when people can entertain themselves and others by creating art by combining technology and humans. It was art in that people thought it was fake, entertaining because of people's reactions to it. Without those reactions, it's just a phone booth.

    Next year something will probably have to change as people will expect it to be there.

    6 to 4 proxy

    Here's a howto to
    quickly make your web server available via IPv6 while you figure out how
    to add IPv6 to the server itself. In other words, a reverse proxy with
    IPv6 on one side, IPv4 on the other.

    There it goes...

    California law now bans
    anonymous file sharing. How long before someone applies the law to
    anything you can download from a website via a single-click or, for that
    matter, figures out that visiting a website via a proxy constitutes
    anonymous file sharing. This has the capability of getting really ugly
    before it gets better.

    Friday, September 24, 2004

    Subnet tutorial

    LearnToSubnet.com.

    Wireless or not?

    I agree with David Berlind (ZDNet article). Even if you don't officially allow "wireless" in your network, you still need to periodically scan for it. Given the extremely cheap availability of access points, you need to periodically check that one of your users hasn't added something to your network.

    JPEG bug Snort rules

    Also, SANS has provided some Snort rules to
    detect the JPEG bug.

    GDI Scanner

    SANS has a scanner
    available so that you can check your systems for the JPEG bug.

    Thursday, September 23, 2004

    SpamAssassin 3.0

    For my to do list.

    A kick in the...

    Same day this comes
    out, I get laid off. Seems my salary came from a non-standard source
    who needed the money for other things, so blogging may get a little
    spotty as I devote my time to looking for equivalent work. Such is a
    contractor's life though....

    Clue

    Brightly
    colored thumb drive
    around neck, cell phone on belt, trendy slogan
    on t-shirt, Dockers --> likely poser

    Cell phone and 2 USBs in
    pocket, other pocket also lumpy, comfortable (possibly faded) shirt and
    jeans, spiral notepad sticking out of back pocket, ratty sneakers and
    bad haircut --> true network geek.

    WTF is techno-congniscenti?

    Ethereal Users Guide

    Here is version 2.0 of the User's Guide for Ethereal 0.10.5.

    Intro to DoS

    Linux Exposed has an article discussing basic denial of service theory.

    Wednesday, September 22, 2004

    Bounce Tunnel??

    Has anyone been able to duplicate this
    method of tunneling data via echo request/reply?

    Penetration Testing Guide

    I cannot vouch for the quality/accuracy (still no free time), but here's an online guide
    entitled "Penetration Testing".

    The Parasite Fight

    Here's a semi-long piece
    on fighting spyware, featuring the four biggies (Ad-aware, Spybot S&D,
    CWShredder, and HijackThis) along with a set of pointers to other tools.

    Comment Spam

    Here's a really
    good article discussing comment spam and the various methods you can use
    to fight it.

    IP Spoofing

    Linux Exposed has a good
    explanation of the theory behind IP Spoofing.

    Tuesday, September 21, 2004

    Sysinternals

    Liudvikas has
    pointed it out previously but Sysinternals is a
    good site for tools to monitor what's going on in your machine.

    ISC

    Here's
    a good "behind the scenes" article about the Internet Storm Center.

    Two Snorts

    Here's
    a May Unix Review article which
    discusses the value of running two instances of Snort: one tuned to
    protect your service(s), the other with most, if not all, rules turned
    on to see what's "floating around" on the Internet.

    Meeting Point

    Hmm... This has some
    interesting entertainment, security and law enforcement applications.

    Monday, September 20, 2004

    802.11 Security

    This site is a very
    good compilation of the security problems involved with 802.11 wireless.

    Bleeding Snort HowTo

    Burak has a how-to for importing
    Bleeding Snort rules into
    your existing setup.

    Open Source Open Source

    Here's a PowerPoint presentation which discusses inadvertent disclosure of information and lists numerous publicly available sources of information. (via NetSec)

    Sunday, September 19, 2004

    Google Guide

    NetSec has a pointer to the Google Hacking Guide from johnny.ihackstuff. Actually, it's a how-to for using Google to find vulnerabilities.

    If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.

    NMap/Nessus Cheat Sheet

    InfoSec Writers has a NMap/Nessus Cheat Sheet (in PDF format).

    Forensics

    David Coursey has a two-part column on computer forensics over on
    eWeek: part 1, part 2.

    802.3

    Here's a good Linux Exposed article describing the make-up of what makes Ethernet what it is: 802.3. (This is also what gets swapped out with 802.11 when you work with wireless.)

    Saturday, September 18, 2004

    Spyware Scan

    Barry Irwin has a good
    discussion about CA's free online spyware scan.

    Walk like an Egyptian?

    Oh please, not another "Talk Like a Pirate" day. Please no!

    Types of Attacks

    Linux Exposed has a good article about attacks on *nix systems which is basically a good description of the various types of attacks against any system.

    Launder your docs

    Security Musings pointed this one out: if you're going to post
    redacted Word files in a public forum, make sure you've scrubbed them first.

    Friday, September 17, 2004

    Acoustic Cryptanalysis

    Anyone know if anything ever came from the acoustic cryptanalysis
    project from last year?

    PocketPC's and Bluetooth Headsets

    My current cell phone is pushing three years old (cannot hold a charge
    very long) and a new one is on my holiday wish list. Regardless of all
    the problems with Bluetooth, it's a functionality that my coworkers
    cannot live without, and one that I'm envious of. And, of course, there
    are other uses that the manufacturers didn't intend.

    Thursday, September 16, 2004

    NFC

    From NetSec comes a pointer to an article about Near Field
    Communication, which describes communication at very short distances
    and touts the short range as a security feature. I don't know about
    you, but I can already think of a way around this "feature": antennas
    hidden under the table or in nearby innocuous-looking objects.

    TCP Reset Attacks

    KernelTrap has a piece entitled "Understanding TCP Reset Attacks".

    DNS Troubleshooting

    If you have anything to do with network administration and/or security,
    you have to be well grounded in DNS theory. It's the service that
    most everything else on the Internet depends on. It's also the source
    of many of your network problems, intentional or otherwise. Here's a
    paper by Gideon T. Rasmussen which discusses basic troubleshooting
    steps. It's a bit CyberGuard-centric but does give you an idea of
    starting points for troubleshooting problems.

    Disclosure

    I don't like the approach but this paper contributes to the ongoing
    discussion (religious war?) involving full disclosure.

    Wednesday, September 15, 2004

    Organization Maturity? No.

    I agree with Axel that
    it's not a failure of information security but that of people
    when it comes to our current problems. I also agree that the thought
    that security is mainly a technical problem, although popular within the
    marketing realm, is a misleading one.

    However, I dislike the view of a company's maturation. The quality of
    any company's security depends on the quality (you can say "whim") of
    the people within that company. A company's security "maturity" is
    measured by how well its policies are accepted, practiced and enforced.
    Unfortunately, it's not a progressive process. Any change (in finances,
    employees, management, politics, love life, business model) has the
    ability to massively affect the quality of an organization's overall
    security.

    DNS

    Linux Exposed has a good article about DNS theory and attacks on same.

    VoIP Security

    Here's a NIST Guide entitled "Security Considerations for Voice Over IP Systems".

    Tuesday, September 14, 2004

    IP Law

    Doug Simpson has some good pointers
    to IP Law primers.

    XP subversion

    Here's a Naval Postgraduate School thesis entitled "Using the Bootstrap
    Concept to Build an Adaptable and Compact Subversion Artifice" by
    Lindsey Lack which discusses the concept of an adaptable subversion
    artifice (a trap door). It's a very interesting read and a bit scary if
    you consider that we have to trust our closed-system vendors not to have
    included something like this.

    Six lines of code?

    Magazine Quiz

    Back in the days when the term "hacker" denoted someone fascinated with
    how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.

    Monday, September 13, 2004

    Forensics site

    Thanks to Tony Bradley for pointing out the Forensic Focus web site. For
    those that need it, here's the backend feed.

    Sometimes you're it

    Security Focus has a good article entitled
    "Malware Analysis for Administrators". Sometimes you're it,
    having to figure out what a miscreant piece of code does, having to
    build/suggest countermeasures to minimize the damage of an outbreak.

    Sniffer sniffer

    I'm not sure of the value (due to the size) but here's a paper on detecting sniffers in your network. It should at least give you some ideas to work from.

    IPTables

    Here's a
    SANS paper discussing various features in IPTables.

    Sunday, September 12, 2004

    Metasploit II

    Security Focus has posted part 2 of their
    series on the Metasploit framework.

    Online pizza

    This thing has been laying around in a backlog for most of the year so
    I'm not sure the service still works. The website is still there so I'm
    assuming that it still does.

    Pizza Party is
    a *nix-based command line program to order Domino's pizza via the QuikOrder web site.

    Shellcoding Tutorial

    The subject matter is outside of my experience but may prove valuable to
    someone: Here's
    a "Shellcoding for Linux and Windows Tutorial".

    Saturday, September 11, 2004

    Rant!

    Maybe it's because I'm at the end of a very long week, I'm on a
    one-month contract, or I'm just in a mood. In any case, this is another
    one of my oversensitive vents. You won't miss anything if you skip this
    post.

    Call us old school but there are many of us that distrust the
    current market move away from "defense in depth". Symantec's Barry Cioe
    (Senior Director of Product Management) has an article over on eBCVG about the move towards "local"
    security.

    You can skip most of the article, it's more or less a
    justification to buy the new all-in-one products on the market today.
    What I'm venting about is Mr. Cioe's opening
    paragraph:

    A decade ago,
    Internet security pioneer Bill Cheswick proposed a network security
    model that he famously characterized as a "crunchy shell around a soft,
    chewy center." Today, as more and more "outsiders" - remote users,
    business partners, customers, contractors - require access to corporate
    networks, enterprises are finding the idea of a "soft center" obsolete,
    if not downright dangerous.

    From reading that,
    you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
    dangerous. If you've ever read Mr. Cheswick's papers or listened to him
    talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
    use of the phrase is available in this paper. (You'll need a Postscript
    viewer.)

    He used the phrase
    initially (1990) to describe AT&T's network at the time of the (Morris)
    Internet worm:

    All of ARPA's
    protection has, by design, left the internal AT&T machines untested - a
    sort of crunchy shell around a soft, chewy
    center.

    Obviously, it's not a security model
    that he was proposing. Rather, he used it to describe an existing
    condition and as a justification for hardening the system that your
    security software runs on.

    This kind of thing irks me to no end. It's
    right up there on my list of annoyances (no there's not an actual list)
    with the mainstream press's assumption that "may you live in interesting
    times", in Chinese, is a compliment. (Hint: it's not. It's a
    curse.)

    I'll shut up now. Apologies to Bill Cheswick.

    Remembrance

    The Security Monkey says it much better than I do, but today please remember those that gave their lives on that day three years ago. Some of them didn't know what happened, others knew what was ahead of them.

    I count myself as lucky in that I didn't know anyone that died that day. The closest I came to losing someone I know was a lady that I went to high school with. She missed work that day. Sarah Pickanose, you were so very, very lucky. (Not her real name but the rest of the class remembers the English Lit. class gone horribly awry!)

    AutoAcronym

    For me, one of the nice things with switching to Blosxom is the ability
    to write simple plugins. I had a lot of trouble writing anything for MT
    but Blosxom plugins seem to be very easy.

    In any case, I've been
    jealous of the acronym-in-a-title thingy over at Cox Crow. To make the
    story shorter, I adapted Fletcher Penney's AutoLink to make
    AutoAcronym. If an acronym is in the file and in a post, it will put a
    dotted underline under the acronym and, if you hover the mouse over it,
    a "tag" will pop up with the acronym's expansion.

    Oh, almost forgot, if you also borrow from Cox Crow's
    style sheet, you can get the cursor to change to one with a "?" next to
    it when you hover over one of the acronyms. (Exercise left up to you to
    steal from Cox Crow's or my style sheet for the syntax.)

    Here's an
    example:

    BOFH

    Network Hot-or-Not

    Security Musings has a pointer to a site which allows members to view/critique each other's network diagrams.

    I like one of Security Musings' descriptions of it: "a honeypot for the dim-witted?". Scary!

    Amen!

    Dave Piscitello's vent entitled "De-perimeterization is a crock..." is
    right on the money. Network security, of late, has been hijacked by a
    collection of people aiming to get rich quick by pitching something that
    sounds new and improved.

    Situation normal

    I tend to make others a bit jittery. I firmly believe that we have to talk about the "bad stuff" in order to keep the "good stuff" safe, as Adam said.

    Friday, September 10, 2004

    IPv6 Intro

    /. has a pointer
    to a beginner's intro to IPv6.

    Firewall enforcement

    I think it's a good idea that as many people as possible use firewalls
    for their computers and their home networks (these are two separate
    issues, BTW), but I don't think anyone should be able to mandate it
    outside of a corporate network.

    This discussion is very scary and reminiscent of a recent presentation
    that I attended where the speaker suggested mandatory PKI IDs for each
    and every Internet user. There are some serious enforcement and privacy
    issues involved.

    Don't forget, one size does not fit all. The machine
    that I'm sitting at, as an example, passes through two firewalls and a
    web proxy (for HTTP) or a virus/spam scanner (for SMTP, in both
    directions) to connect to the Internet. However, it's nobody's business
    whether or not I do this. Forcing me to use a specific firewall is
    likely to involve an OS change and a degradation in security on my
    part. Mine is considered non-standard and is customized (tuned) to
    protect my configuration. To paraphrase the more paranoid militia
    types: you'll get my firewall when you pry it from my cold, dead hands.
    (Hmmm... Bumper-sticker material?)

    Aanval

    ComAanval and OpenAanval are the
    commercial and free versions of a Snort console. This is on my list of
    things "to do" once my life/workload quiets back down.

    Let's call a duck a duck?

    Multiple mainstream news sites picked this up
    and ran with it. Yeah, they are security problems, they're just not
    Linux holes. LHA started out on MS-DOS, has long been available on the
    Amiga, and also runs on Windows, FreeBSD and (I think) all of the
    commercial Unixes. Imlib can be run on Linux, FreeBSD, and even Windows
    (under Cygwin). So how does something that isn't part of the Linux core
    end up being a Linux hole?

    This sort of thing does everyone a disservice (yeah, even the
    Windows purists) as it just feeds the never-going-to-be-settled TCO
    campaign that the purists on both sides wage on each other.

    Me? I'm a
    mutt. I'll use what ever is available and can get the job done. I've
    helped build/run two NOCs on very tight budgets.

    Reverse Engineering Malware

    From NetSec comes a pointer to a collection of tools for people who reverse engineer malicious code.

    Thursday, September 9, 2004

    Shellcoding Tutorial

    Here's
    a tutorial entitled "Shellcoding for Linux and Windows".

    SendmailAnalyzer

    Version 2.0 of SendmailAnalyzer is out. I cannot stress the importance of maintaining an idea of what's going on in your networks (metrics, metrics, metrics!!). Believe it or not, crayon drawings are good for you too, not just for management.

    SSH Keys

    I'm a big fan of using key-based authentication for SSH connections.
    However, to say you need to keep your keys secure is an understatement.
    Need a reason? How about a brute force key cracker.

    Wednesday, September 8, 2004

    NMap Scanning

    The scanning speed for NMap scans has seen some attention recently.
    While the new version has a sticky problem at very slow speeds (I can't
    find the link into the mailing list but it involves SYN scans and Sneaky
    speed), there is also a paper
    which discusses optimization of scanning times.

    Intro to Learning About Network Security

    SANS has a piece entitled "An Introduction to Learning About Network
    Security". It's a good list of the things you should learn while
    preparing for a job in network security.

    DNS Version Detection

    Just like it's becoming pointless to turn off SSID beaconing, it's
    becoming useless to alter the version string in BIND. SecuriTeam has a piece (with
    source code) that describes how to remotely figure out what version of
    BIND is running, even without the banner information.

    Tuesday, September 7, 2004

    NTFS Tools

    Version 1.9.4 of Linux NTFS Tools and Library is out. In reading the "changes" on the Freshmeat site, this is turning into a very powerful toolset. Hopefully it'll make it into new distros and the various forensics toolkits (if it hasn't already).

    Please note that the programmers (all three of them) are looking for help, mostly in the form of secondary documentation and web site support. See the SourceForge site for more information.

    PAM_USB

    This looks interesting but I'd
    rather see something like this boot from USB and never mount the hard
    drive(s). Smart cards and iButtons make better authentication tokens.

    SQL Injection Signature Evasion

    SecuriTeam has a paper discussing how to structure your SQL injection to evade IDSs. Of course, if you're doing things properly, your network only allows a few specific IPs to connect to your SQL server and you watch those closely (HIDS, NIDS, malicious code scanners, etc.). Your CGI or PHP code should also limit acceptable input to a known-good set of characters and never splice user input directly into a query (bind it as a parameter instead). An IDS signature is the last line of defense, not the first, and the evasion tricks in the paper only matter when the query itself is built badly.
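The point about signature evasion becoming irrelevant once the query is built properly is easier to see in code. The block below is an added example, not code from the SecuriTeam paper or from the original post. It uses an in-memory SQLite database with a constructed users table as a stand-in for whatever backend sits behind the CGI: `login_vulnerable` glues the user's input into the SQL string (the bug), while `login_safe` applies a character allowlist (the regex is an assumed policy) and binds both values as parameters. The second attack payload swaps the spaces for inline comments, the kind of rewrite the paper describes for slipping past a space-sensitive signature.

```python
"""Vulnerable string-built SQL beside the parameterized fix. Added example."""
import re
import sqlite3

# Allowlist for usernames: letters, digits, underscore, dot, dash (an assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Classic payload and a comment-for-whitespace variant aimed at IDS signatures.
PAYLOAD_PLAIN = "' OR '1'='1"
PAYLOAD_EVASIVE = "'/**/OR/**/'1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not a real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", 0), ("root", "s3cret", 1)])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The bug: user input becomes part of the SQL text, so quotes, OR and
    comments in the input are interpreted by the database, not stored by it."""
    sql = (f"SELECT name FROM users WHERE name = '{user}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The fix: reject anything outside the allowlist before the database sees
    it, and bind both values so they can only ever be compared, never parsed."""
    if not USERNAME_RE.match(user):
        return False
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (user, password)).fetchone()
    return row is not None


def demo() -> dict:
    """Run both versions against the same attacks; keys name the case."""
    conn = make_db()
    return {
        "vuln_plain": login_vulnerable(conn, "root", PAYLOAD_PLAIN),
        "vuln_evasive": login_vulnerable(conn, "root", PAYLOAD_EVASIVE),
        "vuln_comment_user": login_vulnerable(conn, "root'--", "anything"),
        "safe_plain": login_safe(conn, "root", PAYLOAD_PLAIN),
        "safe_evasive": login_safe(conn, "root", PAYLOAD_EVASIVE),
        "safe_comment_user": login_safe(conn, "root'--", "anything"),
        "safe_legit": login_safe(conn, "root", "s3cret"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {'logged in' if result else 'denied'}")
```

Note that the evasive payload never had to be recognised by anything: the bound parameter makes it an ordinary string that simply fails to match a stored password. Detecting `/**/OR/**/` on the wire is still useful as an alarm, but it is not what keeps the attacker out.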

    Just keep in mind the general rules of thumb for security:

    • It's not "if" someone is going to break in, it's "when"...
    • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
    • there's no such thing as a secure online system...
    • and adding technology rarely adds security.

    The general rules of thumb for countering attacks:

    • Log as much as practical
    • review your logs automatically AND manually
    • employ a consistent backup schedule
    • use your metrics, be able to recognize what's normal and what isn't
    • the most expensive investment in security is also the one you'll get the best return on: knowledge

    Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.

    Apologies for turning it into a rant.

    Feeling dirty

    Not me, you. A recent post in the Web App Security mailing list prompted me to take a look at my own logs and do a little bit of extra research. This NWF article talks about FunWebProducts and its rapid spread as spyware. One thing that I haven't seen mentioned yet is what I've noticed in my referer logs. The IP's with the spyware (67.149.42.119, 24.186.59.180, 172.141.208.54, and 4.16.57.93, in the last week) are all referers for www.locators.com.

    I wonder...

    Monday, September 6, 2004

    Scan of the Month

    You still have about three weeks to participate in Honeynet's Scan of the
    Month
    . This one focuses around reverse engineering a bit of
    malicious code.

    TCPReplay 2.3.0

    The new version of TCPReplay is available.

    Jailed VMs

    RootPrompt has a pointer to a FreeBSD Diary article which describes how
    to jail a virtual machine. The author used this process to jail his
    website.

    Perl for Admins

    Dana Epp has pointed to a SANS paper which discusses various bits of
    Perl code for systems and network administrators.

    Sunday, September 5, 2004

    Hash Collision Questions

    Here's some of
    the discussion concerning hash collisions.

    NMap Parser

    (via RootSecure) NMap-Parser is a Perl module that interfaces with
    NMap. I haven't seen anyone do anything with it yet but a Perl
    interface to something that normally spits up a ton of text can't be all
    bad.

    Logging

    It cannot be said often enough. It is important that you log (SANS
    paper) events so that you know what normal and abnormal metrics look
    like and so that you can backtrack events when "something bad happens".

    Wiki

    I've added a few minor things to the wiki: a Forensics page, an IM page,
    and an iPod page, all with some minor data. The main page is getting
    large enough that I'm considering moving the sub-entries to pages of
    their own (or another scheme if someone wants to suggest one).

    Saturday, September 4, 2004

    Spyware

    Here's a very good site
    for spyware issues.

    NBS

    Marcus Ranum (of Network Flight Recorder fame) has released a tool
    called "NBS"
    (Never Been Seen) which is a small piece of code that watches for
    out-of-the-ordinary traffic. He explains it better than I can here.
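The "never been seen" idea above and the NetFlow worm-detection series linked earlier in the month (Detecting Worms and Abnormal Activities with NetFlow) are two sides of the same cheap trick: keep a little state about what the network normally does and alert on departures from it. The block below is an added example and is neither Ranum's NBS code nor anything from the Security Focus articles. It runs over constructed flow records (timestamp, source, destination, destination port, protocol; the field layout, the learning period and the thresholds are all assumptions, not a NetFlow export format) and shows a first-occurrence detector on server ports next to a fan-out detector for one host sweeping many others on a single port.

```python
"""Never-been-seen and fan-out detectors over constructed flow records.
Added example; field layout and thresholds are assumptions."""
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

Flow = Tuple[float, str, str, int, str]   # (ts, src, dst, dport, proto)


class NeverBeenSeen:
    """Remember every (proto, dport) seen during a learning period; afterwards,
    the first flow to a port nobody has talked to before raises an alert."""

    def __init__(self, learn_until: float):
        self.learn_until = learn_until
        self.seen = set()

    def observe(self, flow: Flow) -> Optional[str]:
        ts, _src, dst, dport, proto = flow
        key = (proto, dport)            # the server side: what this network offers
        if key in self.seen:
            return None
        self.seen.add(key)
        if ts <= self.learn_until:
            return None                 # still learning what normal looks like
        return f"never seen before: {proto}/{dport} (first dst {dst})"


def fanout_alerts(flows: Iterable[Flow], window: float = 60.0,
                  threshold: int = 20) -> List[str]:
    """Flag a source that reaches >= threshold distinct destinations on one
    proto/port inside a time window: the shape of a scanning worm."""
    buckets = defaultdict(set)          # (window_id, src, proto, dport) -> {dst}
    alerted = set()
    alerts = []
    for ts, src, dst, dport, proto in flows:
        key = (int(ts // window), src, proto, dport)
        buckets[key].add(dst)
        if len(buckets[key]) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"fan-out: {src} -> {len(buckets[key])} hosts "
                          f"on {proto}/{dport} in window {key[0]}")
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: 100 seconds of web and mail, then a sweep of
    tcp/445 from one host, then a single outbound connection to tcp/4444."""
    flows: List[Flow] = []
    for i in range(50):
        client = f"10.0.0.{i % 5 + 1}"
        flows.append((float(i), client, "192.0.2.10", 80, "tcp"))
        flows.append((float(i) + 0.5, client, "192.0.2.25", 25, "tcp"))
    for i in range(25):                 # one source, 25 destinations, same port
        flows.append((200.0 + i, "10.0.0.5", f"10.0.1.{i}", 445, "tcp"))
    flows.append((260.0, "10.0.0.7", "198.51.100.9", 4444, "tcp"))
    return flows


def run(flows: List[Flow], learn_until: float = 100.0) -> List[str]:
    """NBS alerts first (in flow order), then fan-out alerts."""
    nbs = NeverBeenSeen(learn_until)
    alerts = [a for a in (nbs.observe(f) for f in flows) if a]
    alerts += fanout_alerts(flows)
    return alerts


if __name__ == "__main__":
    for line in run(build_sample_flows()):
        print(line)
```

The two detectors fail in different directions, which is why running both is worthwhile: the never-been-seen check catches the single reverse shell to an odd port but is blind to a worm hitting a port you already serve, while the fan-out check catches the sweep but says nothing about a lone connection. Both need the learning period to be clean; a network that was already compromised when you started "learning" teaches the detector that the compromise is normal.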

    Swiss Army USB

    /. has a post about a Swiss Army knife with a USB drive built in. I
    think they have the right idea but haven't taken it far enough in true
    geek fashion. Here's my wish list for combined "tools":
    • 1G thumb
      drive
    • 802.11 interface, RFMON capable, with jack for external
      antenna
    • Bluetooth interface, all three modes, with jack for
      external antenna
    • IR interface
    • 3 or 4 programmable LEDs or a
      4 character alphanumeric display

    Yeah, I know that no one
    makes chips for all that together but I can hope, can't I?

    Any other
    features you'd like to see?

    SpamAssassin Tuning

    (via RootPrompt) Here's a good
    article discussing the finer points of SpamAssassin use. I also like
    the argument that spam should not be auto-deleted because of false
    positives (something every spam filter produces, regardless of the
    marketing-speak).

    Detecting detectors

    Here's
    a paper on detecting wireless discovery applications (think Stumbler and
    the like).

    Friday, September 3, 2004

    pfprintd

    pfprintd is
    another passive analysis tool I want to play with.

    Hotspotter

    More info for my wireless paper, mostly a tool for evil doing: Hotspotter passively
    listens to the WLAN for probe requests from XP clients. When a network
    matches a common name, Hotspotter switches over to being an access
    point, allowing the client to authenticate and associate with it (rather
    than the normal AP) and run other commands.

    Discovering Passwords in Memory

    Here's an Infosec Writer's paper on recovering passwords from memory (think hex editor). Interesting.

    Thursday, September 2, 2004

    Grrr...

    One of the sources for our problems (as bloggers) is www.adminshop.com.
    They sell Reffy, which is described as a Windows-based mass referrer
    spammer that comes with a starter list (of blogs) of 3047 sites to
    spam. Yes, for $75, you too can get on the hate list of everyone on the
    planet.

    ttlscan

    Red Team is considering its use and so am I. ttlscan appears to
    be yet another good tool for passive analysis (think SANS paper).

    DMCA and Search Engines

    Here's
    an interesting article about how the DMCA applies to search engines.

    Mobile Bloglines

    Here's the link for the
    minimized Bloglines (i.e., it's for your PDA).