Tuesday, November 30, 2004

Google Hacking Book

According to this, O'Reilly is going to distribute the Google Hacking book (not the same as their Google Hacks book).


ONLamp has a good article about DNS and DNS security extensions (DNSSEC).

Monday, November 29, 2004

Ads in Feeds

Just to add my two cents to the ads in RSS feeds bickering...

I feel that one of the reasons that RSS became so popular was that it allowed readers to avoid all the extra fluff on a website and get right to the content, thereby increasing the amount of content you can read in a day. Inserting advertisements into those feeds dilutes the value of the content. If, as in some low-traffic feeds, the advertisements outnumber the actual posts, it can become a justifiable reason to unsubscribe from the feed. I think that many content providers are going to have to learn the hard way that social media (as bloggers are sometimes called, as opposed to mainstream media) allows for very fickle readers. Contrary to what most content providers think about themselves, very few feed sources are "valuable" enough to be able to keep their subscription levels while annoying their readers at the same time.

In any case, how long before someone writes an aggregator that filters advertisements? Do we really have to join that arms race?

Anti-spam Honeypots

Linux Security has posted part one of a series describing the use of honeypots to fight spam.

Sunday, November 28, 2004

Spam list for 27 Nov 2004

Here's the list of Saturday's spammers (those attempting to access the old comments system). Please remember that some of the IPs are legitimate search engine spiders. Do what you will with the list, but don't hold me responsible for it.


SQL Injection Attacks

Linux Exposed has an article explaining the basic theory behind SQL injection attacks.

Knoppix Hacks

From what Jeremy says, it looks like the Knoppix Hacks book is out (I don't get into the bookstore often). As per O'Reilly's usual practice, they've posted some sample chapters on their site. I've used the anti-virus one, but with a commercial scanner. It's a little-known fact that McAfee (and others) sell a Linux-based scanning engine that uses the usual DAT files. Combine that with BSDi's LDP, and you can have a commercial scanner running on a commercial OS (for those with management that insists on commercial products) which can act as a (pass-thru) mail handler or mail server. I've even wedged this thing into Sendmail.

Anyways, the book looks like it's worth the $$.

Saturday, November 27, 2004

From Scrabble to Verbal Aggression

Call me weird but I find conversations/listening to presentations/watching TV more interesting with immediate access to Google. A passing comment during Word Wars on the Discovery Channel led me to The International Journal of Verbal Aggression. Sometimes the habit is exceedingly annoying to others (for obvious reasons) and sometimes it leads to a bit of comedy (a quick search on Helen Carr during a recent law enforcement presentation revealed that her high school reunion committee was also looking for her).

I think it's one of the reasons why the classes in Chesapeake are so enjoyable. Everyone has the Internet "right there" and usually anyone can hijack the class for a few minutes with a semi-related bit of information. The instructor has to have one of those personalities and be able to herd cats (there IS a learning plan to follow). Some students find it frustrating, others find it just outright odd, but a working knowledge of Google or Yahoo syntax does help with some of the verbal references thrown out during conversations (quick quiz: Who said, "Help me Mr. Wizard! I don't want to be a ..." ).


Tejas Patel pointed out another good-to-have tool: WhoLocksMe (for Windows).

Friday, November 26, 2004


It's nice to see that CWShredder is back in play. The bad news is that it's only available via a commercial product. You can read some of Merijn Bellekom's (the author's) comments here.

Spammers list

Following is a list of IP addresses attempting to use the old comment system on 25 Nov 2004. Please note that some of these may be search engine spiders such as Google's (hopefully the spiders will catch on shortly). The rest are spammers. I'm a bit concerned that a good portion of the non-spider entries are caches or proxies.

Do what you want with the list.


Fighting a moving target

Here's a thought (tell me if you think I'm way off): buying one-time products, either hardware or software, to fight spam and malicious code is a bad idea. Your purchase becomes obsolete as soon as what you're fighting changes tactics. Instead, you should use a product/service that is either community driven (e.g., Snort, ORBS, etc.) or is subscription-based (e.g., McAfee, Symantec, etc.).

I don't have that previous paragraph worded the way I'd like it to be but you get the idea.

Thoughts for articles/papers (feel free to borrow):

  • networks that adapt to a new threat faster have a better survival rate
  • the need for adaptive technologies to fight security threats (even if it's the ability to script "in the middle")
  • the need for trained personnel to use those adaptive technologies
  • what technologies still need adaptive capabilities


I think I've blogged about airpwn previously but (in case I haven't) there's a conference coming up and I need to be able to recognize the particulars of someone using the tool.

Self-inflicted wounds

I've talked about this before... If you're a network security officer or a security manager, it's a good idea to check what your organization inadvertently exposes via what it makes available on the Internet.


I managed to fat finger the date on yesterday's entry (it was sent to the 15th vice the 25th). I've fixed it. Apologies.

Thursday, November 25, 2004

Port reporter

This is one of those must-have tools. It logs open ports on the local system and includes which user opened each one and via what binary. The one shortcoming that I can see is that it logs directly to a text file. If it logged into the Microsoft logging system or externally to a syslog service, the tool would be that much better.

Wednesday, November 24, 2004

Spammer update

The changes I made to the writeback code seem to be holding. While the blog still accepts incoming comments from scripts, they're not written to the hard drive (due to the URI being incorrect). As soon as Google's spiders catch up, I should be able to automatically generate a list of spammers on a periodic basis. Anyone have a preference for formats?
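One way to generate that periodic list from the web server log, as an added example rather than the blog's own code: tally every client that still hits the retired comment URI and flag the ones whose reverse name says they are a search engine spider. It assumes Apache combined-format log lines with HostnameLookups on (so the client field is a hostname) and that the old handler lived under OLD_COMMENT_URI, which is a placeholder path, not the blog's real one; the sample log lines are constructed.

```python
"""Tally hits on a retired comment URI per client host and flag search engine spiders."""
import re
from collections import Counter, defaultdict

OLD_COMMENT_URI = "/cgi-bin/writeback"   # placeholder for the old comment handler's path
CRAWLER_SUFFIXES = (".googlebot.com",)    # reverse-name suffixes of known spiders

# Apache combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (the hostnames are ones the blog's lists mention)
SAMPLE_LOG = """\
ip102-162.introweb.nl - - [27/Nov/2004:03:12:01 -0500] "POST /cgi-bin/writeback/2004/11/26 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
ip102-162.introweb.nl - - [27/Nov/2004:03:12:09 -0500] "POST /cgi-bin/writeback/2004/11/25 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
crawl-66-249-64-156.googlebot.com - - [27/Nov/2004:04:01:44 -0500] "GET /cgi-bin/writeback/2004/11/26 HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
mailrelay.flying.co.il - - [27/Nov/2004:05:30:00 -0500] "POST /cgi-bin/writeback/2004/11/24 HTTP/1.0" 200 512 "-" "-"
ip102-162.introweb.nl - - [27/Nov/2004:06:00:02 -0500] "POST /cgi-bin/writeback/2004/11/23 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
proxy.google.com - - [27/Nov/2004:06:10:00 -0500] "GET /index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_spider(host):
    # Suffix matching only trusts what reverse DNS claims; the stricter test resolves the
    # name forward again and confirms it maps back to the connecting IP (forward-confirmed rDNS).
    return host.lower().endswith(CRAWLER_SUFFIXES)


def spammer_report(log_text, uri_prefix=OLD_COMMENT_URI):
    """Return [(count, host, label)] for every client that touched the old comment URI."""
    counts = Counter()
    methods = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(uri_prefix):
            continue
        counts[rec["host"]] += 1
        methods[rec["host"]].add(rec["method"])
    report = []
    for host, n in counts.most_common():
        if is_spider(host):
            label = "spider"
        elif "POST" in methods[host]:
            label = "spammer"      # only something submitting comments would POST here
        else:
            label = "unknown"
        report.append((n, host, label))
    return report


def format_report(report):
    """Render in the '<count> <host>' shape of the lists posted on the blog."""
    return "\n".join(f"{n} {host}" + ("  (search engine spider)" if label == "spider" else "")
                     for n, host, label in report)


if __name__ == "__main__":
    print(format_report(spammer_report(SAMPLE_LOG)))
```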

Detecting kernel mods with gdb

Security Focus has an article describing an interesting use for gdb: detecting kernel-level compromises.

Tuesday, November 23, 2004

Knoppix book

I can't see a book about Knoppix Hacks being anything but good. Given the number of things Knoppix has been adapted to, I think the book is going to be a good-to-have. I wonder what they had to weed out to keep the book to a manageable size.

Monday, November 22, 2004

Bluetooth and GPRS

I managed to find this LJ article on Bluetooth and GPRS. I still have no clue though. The more I read, the more I'm convinced that I'm going to need pointers on Bluetooth security.

Bluetooth setup?

I've managed to pick up a USB Bluetooth interface that my three-year-old laptop recognizes. The idea is to use my wife's Bluetooth-enabled cell to get on the Internet (in a pinch) at the con in February. Anyone have any pointers/good websites/advice for security? (If security and Bluetooth can be uttered in the same sentence?)

Intro to kernel backdoors

InfoSec Writers has an intro article entitled "An Introduction to Linux Kernel Backdoors".

Sunday, November 21, 2004

PDA Forensics Guidelines

The news is almost a week old but the Guidelines on PDA Forensics is out in final form.

Comments back on

The comment system is back on. I've "adapted" the comment system so that it is "unique" when compared with other Blosxom blogs. Let's see if the changes are effective and, if so, how long they last before the spammers figure out what they have to change on their end to get comment spam working again.

...and the arms race continues...

The Internet Overlords

There's an ongoing discussion on the Full Disclosure mailing list where the original poster stated the following:

Subject: [Full-Disclosure] Why is IRC still around?

Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:

1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
2) A considerable amount of "script kiddies" originate and grow through IRC?
3) A wee bit of software piracy occurs?
4) That many organized DoS attacks through PC zombies are initiated through IRC?
5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?
The list goes on and on...

Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC?

What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?

The following posts quickly degraded into a flame war and name-calling contest. I find the discussion offensive mostly for the implied logic behind it. (It's included in the name-calling contest.) One reader summed my opinion up in a short, well-worded sentence: Who is 'we' and what makes you think anyone cares what you 'sunset'?

This is the same mentality as that behind my MCSE rant (and before this gets too far, it was a specific MCSE that I was ranting about, not all of them). There's a certain logic used by some of the n00b MCSEs whose only network training amounts to what they learned out of the MCSE book. Contrary to what MS would like you to believe, the Internet is still a very insecure, dangerous "place" with little or no control. The logic that any "we" can force the suspension of a protocol for any reason gives me a headache. The poster actually assumes that there is a man behind the curtain pulling the levers and ropes.

You can read the list via the Checksum archive.

It's interacting with that type of people that got me blacklisted by my grandmother's church in my early 20's. The short version of the story amounts to a short discussion between a picketer and myself, in front of the only convenience store open at 6:30 a.m. in a three county area. Him: "Don't go in there! They sell Playboys!" Me: "They sell coffee in there."

(Yeah, I grew up in a very small town.)

Malicious Code Analysis

Ran across the following while looking for a device driver:

The bad news is that the IDA Pro people have taken down their free download due to excessive traffic.

Friday, November 19, 2004

NT to be discontinued

MS stopped supporting client versions of NT on 30 June and will stop supporting the server version at the end of this year (something they don't include in those TCO arguments). MS's motivation is money: either it's too expensive to continue to support it or they want to force NT users to "upgrade". In either case, the talking heads will discuss the "danger" the move is creating.

Let the politics begin!

Thursday, November 18, 2004


Err... You might notice that I've turned off comments again.

Ports database

While doing research on my "freedom of speech" spammer, I found this ports database. A useful tool if you need to look up port numbers.

Wednesday, November 17, 2004

Grey Milter

The majority of spam is sent by compromised zombies. Few (if any) of those rogue programs implement the full SMTP command set. More commands == larger code == easier detection. Because of this, milter-greylist was written. What it does is, for every incoming message from a sender it hasn't seen before, return an initial "temporary" error. Full-blown MTAs handle this error invisibly as part of normal operations (they queue the message and retry later), while most zombies never come back. It won't stop all spam, but it'll probably clean up most of your incoming nastiness.
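The decision logic behind that, as an added example (not milter-greylist's own code): every new (client IP, sender, recipient) triplet gets a 451 temporary failure and is remembered; a retry that arrives after the delay is accepted and the triplet is whitelisted for a while, so a real MTA gets through on its second attempt while a fire-and-forget zombie never does. The delay, whitelist lifetime, addresses and timestamps below are constructed values.

```python
"""Greylisting decision logic of the kind milter-greylist applies in front of an MTA."""
import time

TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


class Greylist:
    def __init__(self, delay=300, ttl=36 * 3600):
        self.delay = delay      # seconds a triplet must wait before a retry is accepted
        self.ttl = ttl          # how long an accepted triplet stays whitelisted
        self.pending = {}       # triplet -> time first seen (still greylisted)
        self.accepted = {}      # triplet -> expiry time (auto-whitelisted)

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Envelope addresses are case-folded; the client IP is used verbatim.
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        now = time.time() if now is None else now
        key = self._key(client_ip, sender, recipient)

        expiry = self.accepted.get(key)
        if expiry is not None and expiry > now:
            self.accepted[key] = now + self.ttl   # refresh on every successful delivery
            return ACCEPT

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now               # first contact: tempfail and remember it
            return TEMPFAIL
        if now - first_seen < self.delay:
            return TEMPFAIL                       # retried too soon (some zombies hammer)
        del self.pending[key]                     # patient sender: promote to accepted
        self.accepted[key] = now + self.ttl
        return ACCEPT

    def expire(self, now=None):
        """Drop stale state so the tables do not grow without bound; returns the sizes left."""
        now = time.time() if now is None else now
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.ttl}
        self.accepted = {k: e for k, e in self.accepted.items() if e > now}
        return len(self.pending), len(self.accepted)


def simulate():
    """Constructed scenario: a real MTA that retries vs. zombies that never do."""
    gl = Greylist(delay=300)
    t0 = 1_100_000_000
    # One MTA: first try, a hasty retry after a minute, then a retry after 15 minutes.
    mta = [gl.check("192.0.2.10", "alice@example.org", "joat@example.net", now=t0 + dt)[0]
           for dt in (0, 60, 900)]
    # Three different bots, each sending once and never coming back.
    zombie = [gl.check("198.51.100.%d" % i, "spam@example.com", "joat@example.net", now=t0)[0]
              for i in range(3)]
    return mta, zombie


if __name__ == "__main__":
    print(simulate())
```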

DDoS page

I blogged about the DDoS page (at the University of Washington) in February of last year. It's a good source, has gotten bigger, and is worth blogging again.

Tuesday, November 16, 2004

Translating RSS Feeds

I've added a short piece to the Wiki about translating RSS feeds prior to aggregating them.

RSS feeds for Wiki

For anyone that's interested, here are the URLs for the "Recent Changes" feeds for the Wiki:


Sunday, November 14, 2004

Fsck'in moron!

The following is excerpted from comment spam created after the sender noticed that I'd disabled comments.

  name: video chat
  url: http://www.video[-]chat[-]room.c0m
  date: 11/13/2004 07:06:27
  title: video chat
  comment: Why my previous comments was deleted, how about freedom of speach?

My son learned the answer to that question at the dinner table, when he was 12. The answer? "I'm not the Federal government. So sit down and shut up."

Mebbe we should give lessons in U.S. law to overseas spammers so they don't sound so f*cking stupid when they ask questions? If there's any question, I did munge the url a bit to prevent him from getting any points with the search engines.

In answer to the first part of the spammer's question, it was deleted because it had absolutely nothing to do with the post it was attached to. Chingate cabron!

It's too quiet

If you've read this blog from early on, you know that I live near some people/organizations that seem to end up in the news. A lot. Examples include: Pat Robertson, PETA, the Edgar Cayce Foundation, the Sniper trials, and the Friendship Patrol. Maybe I'm just being paranoid but, barring the insanity in the political area for the past year, I think it's been too quiet. Someone out there is planning something.

Maybe I'm just used to living in areas where being boneheaded in public is considered a form of entertainment (HI, NYS, SOVA)?

Application Layer DoS Attacks

InfoSecWriters has a good paper on the different types of application layer denial of service attacks.

Building Policy

Here's a SANS paper which discusses the corporate requirements for security and how to get there. I did a quick skim of the paper and it appears that the only thing missing is FIPS 199 compliance (a common syntax standard).

Saturday, November 13, 2004


I've turned off comments until I can figure out a different approach to comments. The spammers have won, for now. If you need to post a comment, please send it to me directly (joat 757.org <-- insert "@" in the appropriate place).

Yet more legal issues coming this way

The WTO has told the U.S. how to (I wanted to say "suck eggs" but...) run its internal affairs by ruling that the U.S. law banning online gambling is damaging to the Antigua and Barbuda economies. (Uh, when did the WTO become a legislative body?)

While it may be true that the law blocks the growth of that industry, I'm not so sure that passing the law damaged the economy. Rather, the law made online gambling within the U.S. illegal, forcing the sites to move out of the country, thereby creating the economy that is supposedly now endangered.

It should prove interesting what comes out of this and the upcoming attempt by the U.N. to "govern" the Internet, not only for the U.S. but for any country who'll have to give up sovereignty to participate. (Example: some of the things that I talk about here are illegal in Europe but inane here in the U.S.)

Is that thunder?

Giants are battling somewhere. Me? I'm going to pull the covers up over my head. Tell me when Novell v Microsoft and the whole SCO thing is over.


Apologies for anyone accessing my Bloglines subscriptions. At just shy of 300 feeds, it has gotten a bit unwieldy. I've decided to clean out the dupes and unsubscribe from the feeds that aren't relevant. It had gotten to the point where it takes hours each week just to read those feeds. Hopefully things will improve shortly...


The rules change next week. Most of the industry is waiting for the first "case" to go to court to see what happens. After that, it'll either be yawns or a sudden shift in security budgets.


Here's a NewsForge article which discusses basic theory of honeypots. (excerpted from the book "Know Your Enemy: Learning about Security Threats")

TAP Mag.

More info for those of you studying for Geek Trivia: TAP Magazine (first 10 issues).

Friday, November 12, 2004

Playing with speech

I finally had enough time to re-install the text-to-speech tools (speechd and festival) so that I can monitor IRC channels in XChat. I've added the process to the Wiki. Now I only have to redo the RAM disk stuff and write/tune the shorthand translators.

SSH Keys

Here's a good article on SSH keys. The use of public key authentication makes SSH very, very convenient to use (moving files, remotely executing scripts on multiple machines, monitoring "state" on remote systems, etc.) and, in some cases, protecting against certain types of attack.

IPSec on IPv6

Here's InfoSec Writers' paper on IPSec under IPv6.

The Phishing Guide

The Phishing Guide (PDF) discusses the various problems that scammers exploit and how to protect against them. A decent read. On a related note, here's an article describing five steps to protect yourself.

Thursday, November 11, 2004

Wednesday, November 10, 2004

Harlan takes a pounding and keeps ticking

Harlan often comments here. (Hi Harlan!) A review of his book has been posted on Slashdot. To state the obvious, he received both good and bad responses from Slashdot. Mostly good.

Of course the usual obfuscators showed up within the first few comment posts. And the usual conspiracy freaks. According to one of them, you can recover files via a one-to-one bit copy even after the original had been overwritten ten times.

In an odd twist of timing, tonight's class worked with Helix to gather data from a running system. For those that don't know what it is, Helix is a Linux-based "live CD" that also is devoted to obtaining forensics data from live systems and making bit copies of storage devices. In addition to being a "live cd", you can also drop the CD into the drive on a running Windows system. "Autorun" will bring up an interface with a set of statically-compiled tools which allow you to perform various forensics functions (see the site for more info).


ShmooCon seems to be shaping up nicely (visit the site!). Quite a few people going from this end of the state.

Stored Malicious Code

SecuriTeam has a paper which discusses Second Order Code Injection attacks which cause an attack to be executed at a later time.

Christmas is coming

I once worked at a place where the boss would stage Nerf Gun fights in the large conference room, immediately after the pot luck. I miss those days. Especially after this has become available. In those days, all we had was a couple chain-fed repeaters...

Monday, November 8, 2004


The arms race has escalated again. This site is being spammed into oblivion by a network in the Netherlands and an IP address belonging to the state of Ohio. Until I get the code behind the blog cleaned up, I'm going to turn off comments. I'm also going to do a bit of research for applicable laws (worst case == I need the data for a term paper).

Cryptovirology and Extortion

I haven't had a chance to read the paper yet, but while I was digging for references to cryptovirology I came across this CiteSeer reference which discusses the use of cryptovirology in extortion threats.

Note: to read or download the paper yourself, click on one of the links in the upper right-hand corner.


The book is still in my "to read" stack but here's the site for the book Malicious Cryptography - Exposing Cryptovirology.

2-year Train Wreck

I can't vouch for the veracity in this but if there's any truth in it, it's gonna make the SCO fiasco quite entertaining legally.

Most of the Internet's problem protocols are on that list. 'Bout the only thing missing is SMTP. I wonder why that's not on the list.

In any case, this should set the purists' (on both sides of the fence) teeth to grinding. Think of it, having to include a MS license with every *nix (Linux, Sun and *BSD) and MacOS distro.

I'm reminded of something my grandmother used to say: I can't see the good in it, in either direction.

Brian Carrier

Here's a link to Brian Carrier's digital forensics page.

Sunday, November 7, 2004

Saturday, November 6, 2004


They haven't caught the author of the worm yet but here's an analysis of the code.

Procmail howto

I love Procmail. I've used it for years, employing it to do everything from files-on-request to filtering spam and viruses. Security focus has a four-parter:

Electronic Crime Needs Assessment

More interesting online reading from the NIJ website: Electronic Crime Needs Assessment for State and Local Law Enforcement.

Thursday, November 4, 2004


Now a word for/from our sponsor...

If you're a musician/band from Southeast Virginia, be sure to list your band on Music.HRConnect. If you're not in a band and are just looking for a place to go, check out the venues/schedules on the site. You can even listen to some of the bands' MP3's.

Spyware Warrior

Spyware Warrior is an interesting blog about fighting spyware.

Electronic Crime Scene Investigation

The National Institute of Justice (NIJ) has made available an online version of Electronic Crime Scene Investigation: A Guide for First Responders (Jul 2001).

Wednesday, November 3, 2004

P2P Summit presentations

The Utah SAINT has a pointer to the presentations from the most recent P2P Summit. It's nice to see that at least some legislators are getting involved in the technologies before attempting to pass incoherent laws (in other words, learning about the tech so that violators can be held responsible for their actions rather than holding the tech responsible and crippling an entire field of technology).

According to the post, the presentations will be available for a limited time.

Digital Evidence Collection

Here's a good "protocol" for evidence collection, entitled "Forensic Examination of Digital Evidence: A Guide for Law Enforcement".

Tuesday, November 2, 2004

Bleeding Snort Howto

Bleeding Snort has a howto for setting up Bleeding Edge Snort rules so that they'll run with a live CD distro. The original objective was to allow a temporary sensor to be set up to detect spyware.

About E-mail Spoofing

HNS has a short piece entitled "Understanding E-mail Spoofing".

Monday, November 1, 2004


For my own reference, various people are leaving their favorite podcast sites in Tejas Patel's blog.


I'm interested, not as someone who does this sort of thing, but as someone who has to protect against it. My question is: if you modify an interface so that it can pick up communications from a mile away, how do you tell which is what and where?

Also, does anyone make directional antennas for Bluetooth? Or is it even worth the trouble of performing periodic scans because even cell phones have an interface nowadays?

Thanks to Furrygoat for pointing out the site.