Thursday, September 30, 2004
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective.
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda.
What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port.
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was the XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat.
But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool.
To give proper credit, very little of
the above my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo.
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures.
Let add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLL's detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs.
Oh, and one last thing:
"Good luck! You're on your own!"
Wednesday, September 29, 2004
Tuesday, September 28, 2004
Monday, September 27, 2004
friend is having to deal with an infection:
post about 180solutions
- The Effect of
Warrior's comment on the above
- SecuriTeam analysis
- Other marketers complaints
- SeattlePI article
Also of interest is:
glued together an AIM-based NMap
This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out".
tool if it's yours, nasty if it "belongs" to someone else.
penalties for using false information for WHOIS records. (see Slashdot
This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records.
The current practice is to use a pseudonum for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
Sunday, September 26, 2004
Saturday, September 25, 2004
Next year something will probably have to change as people will expect it to be there.
anonymous file sharing. How long before someone applies the law to
anything you can download from a website via a single-click or, for that
matter, figures out that visiting a website via a proxy constitutes
anonymous file sharing. This has the capability of getting really ugly
before it gets better.
Friday, September 24, 2004
Thursday, September 23, 2004
colored thumb drive around neck, cell phone on belt, trendy slogan
on t-shirt, Dockers --> likely poser
Cell phone and 2 USB's in
pocket, other pocket also lumpy, comfortable (possibly faded) shirt and
jeans, spiral notepad sticking out of back pocket, ratty sneakers and
bad haircut --> true network geek.
WTF is techno-congniscenti?
Wednesday, September 22, 2004
Tuesday, September 21, 2004
Monday, September 20, 2004
Sunday, September 19, 2004
If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.
Saturday, September 18, 2004
Friday, September 17, 2004
very long) and a new one is on my holiday wish list. Regardless of all
the problems with Bluetooth, it's a functionality that my coworkers
cannot live without, and one that I'm envious of. And, of course, there
are other uses that the manufacturers didn't intend.
Thursday, September 16, 2004
an article about Near Field Communications which describe communication at very short distances, touting it as a security feature. I don't know about you but I can already think of a way around this "feature": antennas hidden under the table or in nearby innocuous-looking objects.
you have to be well grounded in in DNS theory. It's the service that
most everything else on the Internet depends on. It's also the source
of many of your network problems, intentional or otherwise. Here's a paper by Gideon T. Rasmussen which discusses basic troubleshooting steps. It's a bit CyberGuard-centric but does give you an idea for starting points for troubleshooting problems.
Wednesday, September 15, 2004
it's not a failure of information security but that of people
when it comes to our current problems. I also agree that the thought
that security is mainly a technical problem, although popular within the
marketing realm, is a misleading one.
However, I dislike the view of a company's maturation. The quality of
any company's security depends on the quality (you can say "whim") of
the people within that company. A company's security "maturity" is
measured by how well its policies are accepted, practiced and enforced.
Unfortunately, it's not a progressive process. Any change (in finances,
employees, management, politics, love life, business model) has the
ability to massively affect the quality of an organization's overall
Tuesday, September 14, 2004
Postgraduate School thesis entitled "Using the Bootstrap Concept to
Build an Adaptable and Compact Subversion Artifice" by Lindsey Lack
which discusses the concept of an adaptable subversion artifice (a trap
door). It's a very interesting read and a bit scary if you consider
that we have to trust our closed-system vendors not to have included
something like this.
Six lines of code?
how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.
Monday, September 13, 2004
Sunday, September 12, 2004
I'm not sure the service still works. The website is still there so I'm
assuming that it still does.
Saturday, September 11, 2004
one-month contract, or I'm just in a mood. In any case, this is another
one of my oversensitive vents. You won't miss anything if you skip this
Call us old school but there are many of us that distrust the
current market move away from "defense in depth". Symantec's Barry Cioe
(Senior Director of Product Management) has an article over on eBCVG about the move towards "local"
You can skip most of the article, it's more or less a
justification to buy the new all-in-one products on the market today.
What I'm venting about is Mr. Cioe's opening
|A decade ago,|
Internet security pioneer Bill Cheswick proposed a network security
model that he famously characterized as a "crunchy shell around a soft,
chewy center." Today, as more and more "outsiders" - remote users,
business partners, customers, contractors - require access to corporate
networks, enterprises are finding the idea of a "soft center" obsolete,
if not downright dangerous.
From reading that,
you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
dangerous. If you've ever read Mr. Cheswick's papers or listened to him
talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
use of the phrase is available here in this
paper. (You'll need a Postscript viewer.).
He used the phrase
initially (1990) to describe AT&T's network at the time of the (Morris)
|All of ARPA's|
protection has, by design, left the internal AT&T machines untested - a
sort of crunchy shell around a soft, chewy
Obviously, it's not a security model
that he was proposing. Rather, he used it to describe an existing
condition and as a justification for hardening the system that your
security software runs on.
This kind of thing irks me to no end. It's
right up there on my list of annoyances (no there's not an actual list)
with the mainstream press's assumption that "may you live in interesting
times", in Chinese, is a compliment. (Hint: it's not. It's a
I'll shut up now. Apologies to Bill Cheswick.
I count myself as lucky in that I didn't know anyone that died that day. The closest I came to losing someone I know was a lady that I went to high school with. She missed work that day. Sarah Pickanose, you were so very, very lucky. (Not her real name but the rest of the class remembers the English Lit. class gone horribly awry!)
to write simple plugins. I had a lot of trouble writing anything for MT
but Blosxom plugins seem to be very easy.
In any case, I've been
jealous of the acronym-in-a-title thingy over at Cox
Crow. To make the story shorter, I adapted Fletcher Penney's
AutoLink to make AutoAcryonym. If an acronym is in the file and in a
post, it will put a dotted-underline under the acronym and if you hover
the mouse over it, a "tag" will pop-up with the acronym
Oh, almost forgot, if you also borrow from Cox Crow's
style sheet, you can get the cursor to change to one with a "?" next to
it when you hover over one of the acronyms. (Exercise left up to you to
steal from Cox Crow's or my style sheet for the syntax.)
Friday, September 10, 2004
firewalls for their computers and their home networks (this is two
separate issues, BTW) but I don't think anyone should be able to mandate
it outside of a corporate network.
discussion is very scary and reminiscent of a recent presentation
that I attended where the speaker suggested mandatory PKI IDs for each
and every Internet user. There are some serious enforcement and privacy
Don't forget, one size does not fit all. The machine
that I'm setting at, as an example, passes through two firewalls and a
web proxy (for HTTP) or a virus/spam scanner (for SMTP, in both
directions) to connect to the Internet. However, it's nobody's business
whether or not I do this. Forcing me to use a specific firewall is
likely to involve an OS change and a degradation in security on my
part. Mine is considered non-standard and is customized (tuned) to
protect my configuration. To paraphrase the more paranoid militia
types: you'll get my firewall when you pry it from my cold, dead hands.
(Hmmm... Bumper-sticker material?)
and ran with it. Yeah, they are security problems, they're just not
Linux holes. LHA originally showed up on the Amiga and also runs on
Windows, FreeBSD and all (I think) of the commercial Unixes. Imlib can
be run on Linux, FreeBSD, and even Windows (under Cygwin). So how does
something that isn't part of the Linux core end up being a Linux
This sort of thing does everyone a disservice (yeah, even the
Windows purists) as it just feeds the never-going-to-be-settled TCO
campaign that the purists on both sides wage on each other.
Me? I'm a
mutt. I'll use what ever is available and can get the job done. I've
helped build/run two NOCs on very tight budgets.
Thursday, September 9, 2004
Wednesday, September 8, 2004
While the new version has a sticky problem at very slow speeds (I can't
find the link into the mailing list but it involves SYN scans and Sneaky
speed), there is also a paper
which discusses optimization of scanning times.
becoming useless to alter the version string in BIND. SecuriTeam has a piece (with
source code) that describes how to remotely figure out what version of
BIND is running, even without the banner information.
Tuesday, September 7, 2004
Please note that the programmers (all three of them) are looking for help, mostly in the form of secondary documentation and web site support. See the SourceForge site for more information.
Just keep in mind the general rules of thumb for security:
- It's not "if" someone is going to break in, it's "when"...
- in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
- there's no such thing as a secure online system...
- and adding technology rarely adds security.
The general rules of thumb for countering attacks:
- Log as much as practical
- review your logs automatically AND manually
- employ a consistent backup schedule
- use your metrics, be able to recognize what's normal and what isn't
- the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
Apologies for turning it into a rant.
Monday, September 6, 2004
Sunday, September 5, 2004
and an iPod page, all with some minor data. The main page is getting
large enough that I'm considering moving the sub-entries to pages of
their own (or another scheme if someone wants to suggest one).
Saturday, September 4, 2004
think they have the right idea but haven't taken it far enough in true
geek fashion. Here's my wish list for combined "tools":
- 1G thumb
- 802.11 interface, RFMON capable, with jack for external
- Bluetooth interface, all three modes, with jack for
- IR interface
- 3 or 4 programmable LEDS or a
4 character alphanumeric display
Yeah, I know that no one
makes chips for all that together but I can hope, can't I?
features you'd like to see?
article discussing the finer points of SpamAssassin use. I also like
the argument that Spam should not be auto-deleted because of false
positives (something that no Spam filter doesn't have, regardless of the
Friday, September 3, 2004
listens to the WLAN for probe requests from XP clients. When a network
matches a common name, Hotspotter switches over to being an access
point, allowing the client to authenticate and associate with it (rather
than the normal AP) and run other commands.
Thursday, September 2, 2004
They sell Reffy, which is discribed as a Windows-based mass referrer
spammer which comes with a starter list (of blogs) of 3047 sites to
spam. Yes, for $75, you too can get on the hate list of everyone on the