Thursday, September 30, 2004
Heroes
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.
Using NetFlow
multi-part series on "Detecting Worms and Abnormal Activities with
NetFlow": part
1, part 2.
No op
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.
GDI Exploit
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective.
Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda.
What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port.
So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was that XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat.
But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool.
To give proper credit, very little of
the above is my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo.
As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures.
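One way to "watch for it coming in", as an added example that is not part of the original post: a JPEG segment walker that rejects any file whose marker segments declare an impossible length. The GDI+ bug demonstrated that month was a comment (COM) segment whose 16-bit length field was below 2 (a detail the post does not state); the sample files are constructed.

```python
"""Flag JPEG files whose marker segments declare an impossible length.

Added example (not code from the original post). Every JPEG segment
that carries a payload starts with a 16-bit length that counts its own
two bytes, so any value below 2 is invalid by the format itself; the
GDI+ bug demonstrated in September 2004 subtracted 2 from an attacker
supplied comment-segment length without that check. Walking the
segments at the mail gateway or web proxy catches such files on the
way in, whatever port or host the payload would later phone home to.
The JPEG byte strings at the bottom are constructed for this example.
"""
import struct
from typing import Iterator, Tuple

EOI, SOS = 0xFFD9, 0xFFDA
# TEM and RST0..RST7 carry no length field.
STANDALONE = {0xFF01} | {0xFFD0 + i for i in range(8)}


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (marker, declared length) up to SOS; raise ValueError on a
    structurally invalid file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF and pos + 2 < len(data):
            pos += 1  # fill bytes before a marker
        marker = 0xFF00 | data[pos + 1]
        pos += 2
        if marker == EOI:
            return
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field for {marker:#06x}")
        length, = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError(
                f"segment {marker:#06x} at offset {pos - 2} declares "
                f"length {length} (minimum is 2)")
        yield marker, length
        if marker == SOS:
            return  # entropy-coded scan data follows; stop walking
        pos += length
    raise ValueError("file ends before SOS/EOI")


def check_jpeg(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); ok=False means hold the file for inspection."""
    try:
        count = sum(1 for _ in jpeg_segments(data))
    except ValueError as exc:
        return False, str(exc)
    return True, f"{count} segments parsed"


# Constructed samples: a minimal well-formed header, and a file whose
# COM segment length is set to 1.
GOOD = (b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"
        + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00")
BAD = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, check_jpeg(blob))
```

The check is content-based, so it works the same whether the file arrives by SMTP, HTTP or an IM file transfer, which is the point of inspecting the inbound side rather than the outbound shell.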
Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLLs detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs.
Oh, and one last thing:
"Good luck! You're on your own!"
Wednesday, September 29, 2004
LURHQ's take on the JPEG trojan
Connection Cutter
cut connections using various methods on a Linux-based firewall.
Tuesday, September 28, 2004
Evolution 2.0
MS Security Training
Graphviz
interesting post about
Graphviz that I'm probably going to need in the near future.
Monday, September 27, 2004
180Solutions
friend is having to deal with an infection:
- FD post about 180solutions
- The Effect of 180solutions
- Spyware Warrior's comment on the above
- Parasite: nCase
- SecuriTeam analysis
- Other marketers' complaints
- SeattlePI article
Also of interest is:
AIM security bot
glued together an AIM-based NMap
bot.
This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out".
Nice
tool if it's yours, nasty if it "belongs" to someone else.
Wireless programs
HR 3632
penalties for using false information for WHOIS records. (see Slashdot
article).
This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records.
The current practice is to use a pseudonym for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
it's BS.
Sunday, September 26, 2004
Chaos Communication Congress
Google hacking copiers?
directly to the Internet? Without the benefit of a firewall? And then
they're surprised when Google finds them?!?
SpoofStick
Notes) has a pointer to a "gotta have" plugin for Firefox and IE: SpoofStick, which alerts you to the fact that you're visiting a spoofed web site. Wonder how long before someone writes a version for non-MS browsers. (Hint! Hint!)
Refi
technology. Hopefully it won't be considered an income stream.
Wonder how hard it'd be to configure an AP and street clients (iPaq's
owned by the audience) for multicast. It'd definitely change the
experience.
Saturday, September 25, 2004
Burning Man Phone
Next year something will probably have to change as people will expect it to be there.
6 to 4 proxy
quickly make your web server available via IPv6 while you figure out how
to add IPv6 to the server itself. In other words, a reverse proxy with
IPv6 on one side, IPv4 on the other.
There it goes...
anonymous file sharing. How long before someone applies the law to
anything you can download from a website via a single-click or, for that
matter, figures out that visiting a website via a proxy constitutes
anonymous file sharing. This has the capability of getting really ugly
before it gets better.
Friday, September 24, 2004
Wireless or not?
Thursday, September 23, 2004
A kick in the...
out, I get laid off. Seems my salary came from a non-standard source
who needed the money for other things so blogging may get a little
spotty as I devote my time to looking for equivalent work. Such is a
contractor's life though....
Clue
colored thumb drive around neck, cell phone on belt, trendy slogan
on t-shirt, Dockers --> likely poser
Cell phone and 2 USB's in
pocket, other pocket also lumpy, comfortable (possibly faded) shirt and
jeans, spiral notepad sticking out of back pocket, ratty sneakers and
bad haircut --> true network geek.
WTF is techno-cognoscenti?
Wednesday, September 22, 2004
Bounce Tunnel??
method of tunneling data via echo request/reply?
Penetration Testing Guide
entitled "Penetration Testing".
The Parasite Fight
on fighting spyware, featuring the four biggies (Ad-aware, Spybot S&D,
CWShredder, and HijackThis) along with a set of pointers to other tools.
Tuesday, September 21, 2004
Sysinternals
pointed it out previously but Sysinternals is a
good site for tools to monitor what's going on in your machine.
Two Snorts
a May Unix Review article which
discusses the value of running two instances of Snort: one tuned to
protect your service(s), the other with most, if not all, rules turned
on to see what's "floating around" on the Internet.
Meeting Point
interesting entertainment, security and law enforcement applications.
Monday, September 20, 2004
802.11 Security
good compilation of the security problems involved with 802.11 wireless.
Open Source Open Source
Sunday, September 19, 2004
Google Guide
If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.
802.3
Saturday, September 18, 2004
Types of Attacks
Launder your docs
redacted Word files in a public forum, make sure you've scrubbed them first.
Friday, September 17, 2004
Acoustic Cryptanalysis
cryptanalysis project from last year?
PocketPC's and Bluetooth Headsets
very long) and a new one is on my holiday wish list. Regardless of all
the problems with Bluetooth, it's a functionality that my coworkers
cannot live without, and one that I'm envious of. And, of course, there
are other uses that the manufacturers didn't intend.
Thursday, September 16, 2004
NFC
an article about Near Field Communications which describe communication at very short distances, touting it as a security feature. I don't know about you but I can already think of a way around this "feature": antennas hidden under the table or in nearby innocuous-looking objects.
DNS Troubleshooting
you have to be well grounded in DNS theory. It's the service that
most everything else on the Internet depends on. It's also the source
of many of your network problems, intentional or otherwise. Here's a paper by Gideon T. Rasmussen which discusses basic troubleshooting steps. It's a bit CyberGuard-centric but does give you an idea for starting points for troubleshooting problems.
Disclosure
paper contributes to the ongoing discussion (religious war?)
involving full disclosure.
Wednesday, September 15, 2004
Organization Maturity? No.
it's not a failure of information security but that of people
when it comes to our current problems. I also agree that the thought
that security is mainly a technical problem, although popular within the
marketing realm, is a misleading one.
However, I dislike the view of a company's maturation. The quality of
any company's security depends on the quality (you can say "whim") of
the people within that company. A company's security "maturity" is
measured by how well its policies are accepted, practiced and enforced.
Unfortunately, it's not a progressive process. Any change (in finances,
employees, management, politics, love life, business model) has the
ability to massively affect the quality of an organization's overall
security.
Tuesday, September 14, 2004
XP subversion
Postgraduate School thesis entitled "Using the Bootstrap Concept to
Build an Adaptable and Compact Subversion Artifice" by Lindsey Lack
which discusses the concept of an adaptable subversion artifice (a trap
door). It's a very interesting read and a bit scary if you consider
that we have to trust our closed-system vendors not to have included
something like this.
Six lines of code?
Magazine Quiz
how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.
Monday, September 13, 2004
Forensics site
Bradley for pointing out the Forensic Focus web site. For
those that need it, here's the backend
feed.
Sometimes you're it
"Malware Analysis for Administrators". Sometimes you're it,
having to figure out what a miscreant piece of code does, having to
build/suggest countermeasures to minimize the damage of an outbreak.
Sniffer sniffer
Sunday, September 12, 2004
Online pizza
I'm not sure the service still works. The website is still there so I'm
assuming that it still does.
Pizza Party is
a *nix-based command line program to order Domino's pizza via the QuikOrder web site.
Shellcoding Tutorial
someone: Here's
a "Shellcoding for Linux and Windows Tutorial".
Saturday, September 11, 2004
Rant!
one-month contract, or I'm just in a mood. In any case, this is another
one of my oversensitive vents. You won't miss anything if you skip this
post.
Call us old school but there are many of us that distrust the
current market move away from "defense in depth". Symantec's Barry Cioe
(Senior Director of Product Management) has an article over on eBCVG about the move towards "local"
security.
You can skip most of the article, it's more or less a
justification to buy the new all-in-one products on the market today.
What I'm venting about is Mr. Cioe's opening
paragraph:
A decade ago, Internet security pioneer Bill Cheswick proposed a network security model that he famously characterized as a "crunchy shell around a soft, chewy center." Today, as more and more "outsiders" - remote users, business partners, customers, contractors - require access to corporate networks, enterprises are finding the idea of a "soft center" obsolete, if not downright dangerous.
From reading that,
you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
dangerous. If you've ever read Mr. Cheswick's papers or listened to him
talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
use of the phrase is available here in this
paper. (You'll need a PostScript viewer.)
He used the phrase
initially (1990) to describe AT&T's network at the time of the (Morris)
Internet worm:
All of ARPA's protection has, by design, left the internal AT&T machines untested - a sort of crunchy shell around a soft, chewy center.
Obviously, it's not a security model
that he was proposing. Rather, he used it to describe an existing
condition and as a justification for hardening the system that your
security software runs on.
This kind of thing irks me to no end. It's
right up there on my list of annoyances (no there's not an actual list)
with the mainstream press's assumption that "may you live in interesting
times", in Chinese, is a compliment. (Hint: it's not. It's a
curse.)
I'll shut up now. Apologies to Bill Cheswick.
Remembrance
I count myself as lucky in that I didn't know anyone that died that day. The closest I came to losing someone I know was a lady that I went to high school with. She missed work that day. Sarah Pickanose, you were so very, very lucky. (Not her real name but the rest of the class remembers the English Lit. class gone horribly awry!)
AutoAcronym
to write simple plugins. I had a lot of trouble writing anything for MT
but Blosxom plugins seem to be very easy.
In any case, I've been
jealous of the acronym-in-a-title thingy over at Cox
Crow. To make the story shorter, I adapted Fletcher Penney's
AutoLink to make AutoAcronym. If an acronym is in the file and in a
post, it will put a dotted-underline under the acronym and if you hover
the mouse over it, a "tag" will pop-up with the acronym
explanation.
Oh, almost forgot, if you also borrow from Cox Crow's
style sheet, you can get the cursor to change to one with a "?" next to
it when you hover over one of the acronyms. (Exercise left up to you to
steal from Cox Crow's or my style sheet for the syntax.)
Here's an
example:
BOFH
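The same transformation in Python, as an added example rather than the plugin's own Perl: acronyms found in the post text (but not inside tags or attributes, and not inside an existing <acronym>) are wrapped in <acronym title="...">, with the expansion HTML-escaped so an entry containing quotes or angle brackets cannot break out of the attribute. The acronym table is constructed.

```python
"""Wrap known acronyms in <acronym title="..."> tags.

Added example in Python, not the Blosxom plugin's own Perl. Only text
outside HTML tags is touched, text already inside <acronym> is left
alone, and the expansion is escaped before going into the title
attribute. The dotted underline and the "?" cursor come from the style
sheet, as in the post. The acronym table is constructed for this example.
"""
import html
import re
from typing import Dict

# Constructed table; the plugin reads its list from a file.
ACRONYMS: Dict[str, str] = {
    "BOFH": "Bastard Operator From Hell",
    "IDS": "Intrusion Detection System",
    "SANS": "SysAdmin, Audit, Network, Security Institute",
}

TAG_SPLIT = re.compile(r"(<[^>]*>)")


def auto_acronym(body: str, acronyms: Dict[str, str] = ACRONYMS) -> str:
    """Return body with each acronym wrapped in an <acronym> element."""
    if not acronyms:
        return body
    # Longest names first so a short entry is not matched inside a longer one.
    names = sorted(acronyms, key=len, reverse=True)
    word = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b")

    def wrap(m) -> str:
        # Escape the expansion: it lands inside a double-quoted attribute.
        title = html.escape(acronyms[m.group(1)], quote=True)
        return f'<acronym title="{title}">{m.group(1)}</acronym>'

    out, inside = [], False
    for chunk in TAG_SPLIT.split(body):
        if chunk.startswith("<"):
            tag = chunk.lower()
            if tag.startswith("<acronym"):
                inside = True
            elif tag.startswith("</acronym"):
                inside = False
            out.append(chunk)  # tags and attributes are never rewritten
        elif inside:
            out.append(chunk)  # already marked up by hand
        else:
            out.append(word.sub(wrap, chunk))
    return "".join(out)


if __name__ == "__main__":
    print(auto_acronym("The BOFH has the IDS logs."))
```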
Network Hot-or-Not
I like one of Security Musings' descriptions of it: "a honeypot for the dim-witted?". Scary!
Amen!
Piscitello's vent entitled "De-perimeterization is a crock..." is
right on the money. Network security, of late, has been hijacked by a
collection of people aiming to get-rich-quick by pitching something that
sounds new and improved.
Situation normal
Friday, September 10, 2004
Firewall enforcement
firewalls for their computers and their home networks (this is two
separate issues, BTW) but I don't think anyone should be able to mandate
it outside of a corporate network.
This
discussion is very scary and reminiscent of a recent presentation
that I attended where the speaker suggested mandatory PKI IDs for each
and every Internet user. There are some serious enforcement and privacy
issues involved.
Don't forget, one size does not fit all. The machine
that I'm sitting at, as an example, passes through two firewalls and a
web proxy (for HTTP) or a virus/spam scanner (for SMTP, in both
directions) to connect to the Internet. However, it's nobody's business
whether or not I do this. Forcing me to use a specific firewall is
likely to involve an OS change and a degradation in security on my
part. Mine is considered non-standard and is customized (tuned) to
protect my configuration. To paraphrase the more paranoid militia
types: you'll get my firewall when you pry it from my cold, dead hands.
(Hmmm... Bumper-sticker material?)
Aanval
commercial and free versions of a Snort console. This is on my list of
things "to do" once my life/workload quiets back down.
Let's call a duck a duck?
and ran with it. Yeah, they are security problems, they're just not
Linux holes. LHA originally showed up on the Amiga and also runs on
Windows, FreeBSD and all (I think) of the commercial Unixes. Imlib can
be run on Linux, FreeBSD, and even Windows (under Cygwin). So how does
something that isn't part of the Linux core end up being a Linux
hole?
This sort of thing does everyone a disservice (yeah, even the
Windows purists) as it just feeds the never-going-to-be-settled TCO
campaign that the purists on both sides wage on each other.
Me? I'm a
mutt. I'll use whatever is available and can get the job done. I've
helped build/run two NOCs on very tight budgets.
Reverse Engineering Malware
Thursday, September 9, 2004
SendmailAnalyzer
SSH Keys
However, to say you need to keep your keys secure is an understatement.
Need a reason? How about a brute force key cracker.
Wednesday, September 8, 2004
NMap Scanning
While the new version has a sticky problem at very slow speeds (I can't
find the link into the mailing list but it involves SYN scans and Sneaky
speed), there is also a paper
which discusses optimization of scanning times.
Intro to Learning About Network Security
Introduction to Learning About Network Security". It's a good list
of the things you should learn while preparing for a job in network
security.
DNS Version Detection
becoming useless to alter the version string in BIND. SecuriTeam has a piece (with
source code) that describes how to remotely figure out what version of
BIND is running, even without the banner information.
Tuesday, September 7, 2004
NTFS Tools
Please note that the programmers (all three of them) are looking for help, mostly in the form of secondary documentation and web site support. See the SourceForge site for more information.
SQL Injection Signature Evasion
Just keep in mind the general rules of thumb for security:
- It's not "if" someone is going to break in, it's "when"...
- in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
- there's no such thing as a secure online system...
- and adding technology rarely adds security.
The general rules of thumb for countering attacks:
- Log as much as practical
- review your logs automatically AND manually
- employ a consistent backup schedule
- use your metrics, be able to recognize what's normal and what isn't
- the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
Apologies for turning it into a rant.
Feeling dirty
I wonder...
Monday, September 6, 2004
Scan of the Month
Month. This one focuses around reverse engineering a bit of
malicious code.
Jailed VMs
has a pointer to a FreeBSD
Diary article which describes how to jail a virtual machine.
The author used this process to jail his website.
Perl for Admins
Sunday, September 5, 2004
NMap Parser
NMap. I haven't seen anyone do anything with it yet but a Perl
interface to something that normally spits up a ton of text can't be all
bad.
Wiki
and an iPod page, all with some minor data. The main page is getting
large enough that I'm considering moving the sub-entries to pages of
their own (or another scheme if someone wants to suggest one).
Saturday, September 4, 2004
Swiss Army USB
think they have the right idea but haven't taken it far enough in true
geek fashion. Here's my wish list for combined "tools":
- 1G thumb drive
- 802.11 interface, RFMON capable, with jack for external antenna
- Bluetooth interface, all three modes, with jack for external antenna
- IR interface
- 3 or 4 programmable LEDs or a 4 character alphanumeric display
Yeah, I know that no one
makes chips for all that together but I can hope, can't I?
Any other
features you'd like to see?
SpamAssassin Tuning
article discussing the finer points of SpamAssassin use. I also like
the argument that Spam should not be auto-deleted because of false
positives (something that every Spam filter has, regardless of the
marketing-speak).
Friday, September 3, 2004
Hotspotter
listens to the WLAN for probe requests from XP clients. When a network
matches a common name, Hotspotter switches over to being an access
point, allowing the client to authenticate and associate with it (rather
than the normal AP) and run other commands.
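The defender's side of that behaviour, as an added example not drawn from the post: a detection heuristic run over a constructed wireless IDS log of probe requests and responses. A legitimate AP only answers probes for the SSID(s) it is configured with, while a Hotspotter-style AP answers whatever common name a client just asked for, so one BSSID responding for several different SSIDs that stations had just probed for is the tell. The log format is assumed.

```python
"""Flag an access point that answers probe requests for many SSIDs.

Added example, not from the original post. A legitimate AP answers
probe requests only for the SSID(s) it is configured with; a
Hotspotter-style AP switches to whatever name a client just probed
for. Counting the distinct SSIDs each BSSID responds with, limited to
names some station actually asked for first, makes that behaviour
stand out. The log format and the capture below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed capture of probe traffic, in an assumed one-line format.
SAMPLE_LOG = """\
t=1 PROBE_REQ  sta=02:00:00:00:00:a1 ssid=linksys
t=1 PROBE_RESP bssid=00:0c:41:aa:bb:cc ssid=linksys
t=1 PROBE_RESP bssid=02:de:ad:be:ef:01 ssid=linksys
t=2 PROBE_REQ  sta=02:00:00:00:00:b2 ssid=tmobile
t=2 PROBE_RESP bssid=02:de:ad:be:ef:01 ssid=tmobile
t=3 PROBE_REQ  sta=02:00:00:00:00:c3 ssid=default
t=3 PROBE_RESP bssid=02:de:ad:be:ef:01 ssid=default
t=3 PROBE_RESP bssid=00:0c:41:aa:bb:cc ssid=corpnet
t=4 PROBE_REQ  sta=02:00:00:00:00:a1 ssid=linksys
t=4 PROBE_RESP bssid=00:0c:41:aa:bb:cc ssid=linksys
"""

LINE = re.compile(
    r"t=(\d+)\s+(PROBE_REQ|PROBE_RESP)\s+(?:sta|bssid)=(\S+)\s+ssid=(\S+)")


def answered_ssids(log: str) -> Dict[str, Set[str]]:
    """Map each responding BSSID to the SSIDs it answered, counting a
    response only when that SSID was already probed for by a client."""
    requested: Set[str] = set()
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        _, kind, addr, ssid = m.groups()
        if kind == "PROBE_REQ":
            requested.add(ssid)
        elif ssid in requested:
            seen[addr].add(ssid)
    return dict(seen)


def suspect_bssids(log: str, threshold: int = 3) -> List[str]:
    """BSSIDs that answered for at least `threshold` different requested
    SSIDs. Raise the threshold on sites with legitimate multi-SSID APs."""
    return sorted(b for b, s in answered_ssids(log).items()
                  if len(s) >= threshold)


if __name__ == "__main__":
    print(suspect_bssids(SAMPLE_LOG))  # ['02:de:ad:be:ef:01']
```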
Discovering Passwords in Memory
Thursday, September 2, 2004
Grrr...
They sell Reffy, which is described as a Windows-based mass referrer
spammer which comes with a starter list (of blogs) of 3047 sites to
spam. Yes, for $75, you too can get on the hate list of everyone on the
planet.