Tuesday, May 31, 2005

Another trip

Please excuse the interruption in blogging. I'm on yet another trip, this time to Baltimore. I'll get back to posting shortly.

Monday, May 30, 2005


(via Blackhat.info <http://www.blackhat.info/live/modules.php?op=modload&name=News&file=article&sid=5191> and ZDNet <http://news.zdnet.com/2100-1009_22-5722305.html?part=rss&tag=feed&subj=zdnet>) CipherTrust has used some of
the data gathered from their mail filtering appliances to produce the ZombieMeter.

Saturday, May 28, 2005


I've finally "got" Del.icio.us. You can see my bookmarks here. The RSS feed for it is here.

Thursday, May 26, 2005

State Taxes

Unless you work with the data, you never know when you'll need odd
sources of data, so, for my benefit, here is a site that lists the tax rates of all 50 states.

Wednesday, May 25, 2005


Here's a website
mostly devoted to a tool that builds AutoRun files but has other AutoRun

Tuesday, May 24, 2005


One of the problems with being on the road for two weeks out of a month
is that I don't get to do the usual amount of research, so I have to
rely on my backlog for source material. In any case...

Here's a site
with a collection of papers related to "Mining Alarming Incidents in
Data Streams" (MAIDS). (No, not the NT file system.)

Monday, May 23, 2005

More on spammers

It's a bit from the mutual-appreciation-society, but it's more about
tracing the spammers (from a while ago). Ann Elisabeth has
performed a lot more research and has gotten a lot farther than I did.
She also took advantage of a server crash.

Sunday, May 22, 2005

Spring Cleaning

Please bear with the site for a bit. I'm doing a bit of spring cleaning
and some things may not work properly for a short while.


LinuxElectrons has an article about XTen soft phones being available for Linux. They're a bit of overkill for my setup but I'll probably "grow into them". Worth taking a look at.

Saturday, May 21, 2005

Anyone know?

Any truth to the rumor that AirJack is being updated to the 2.6 kernel?


I've disliked CircleID articles before, I'll probably continue to do so
in the future.

Not to break existing practice, I have issue with
Darren Miller's article, "Road Warrior at
Risk: The Dangers of Ad-Hoc Wireless Networking". While it's a
pretty good article on the dangers of ad-hoc wireless, I find the
author's attitude about sniffing wireless to be a bit too cavalier.

In the wired world, port scanning is not deemed as trespass. It's
considered an annoyance. However, sniffing traffic and accessing
systems without permission is a definite no-no. Why should it be any
different in the wireless realm? Is it any different? This is an issue
that will probably need to be decided in court.

While tools like
AirFart will probably be considered to be amongst the benign category,
tools like Kismet carry the possibility of landing a war-driver in
court. "But Kismet is a passive tool," you say? True, but it's passive
in the same manner that any wired sniffer is. Don't forget that Kismet
does create pcap-compatible packet dumps. Accessing those
capture files is probably the legal equivalent of accessing the network(s) that the traffic came from.


If you're a traveler, you
should consider encrypting all of your traffic as it leaves your
computer (use a VPN) or only access generic sites that do not require
login or interaction. (Visit CNN, read /., etc.)

If you're a
journalist in search of a story (or anyone else armed with a sniffer),
stay off of other people's computers and don't capture their traffic.
If you're caught doing it, you may end up in cuffs.

Friday, May 20, 2005


Here's a HERT interview
with Kismet developer Mike Kershaw, aka Dragorn.

Thursday, May 19, 2005

Mal Code

You can view the presentations from the 2004 DoD Malicious Code
Conference here.


To make it simple for the jerk at the comments are
manually reviewed. Stop trying to spam from your porn site.

Wednesday, May 18, 2005


Here is an iHacked article (http://www.i-hacked.com/index.php?option=com_content&task=view&id=160&Itemid=62)
on the browser built into the PSP handheld. I'm fascinated by
them. At last week's course, one classmate had one (and used it to find
a hidden AP), another classmate won one of the three given away in

Tuesday, May 17, 2005

Laser Audio

For my own benefit, for whenever I get some free time (yeah, like
that'll happen): Transmit Audio with a
Laser Pen (http://www.i-hacked.com/index.php?option=com_content&task=view&id=162&Itemid=44).

Monday, May 16, 2005

Botnet Tracking

Know Your Enemy: Tracking
is a paper from The Honeynet Project that gives the basic
theory behind botnets and how to track them.

Sunday, May 15, 2005

Back home

I'm back home now. The course in Denver was a blast. Not only did we
learn new things, we entertained ourselves (catching the wardriver was
hilarious) (Note to the Denver financial district: you really should
keep an eye on who's sitting at the curb).

Short version of the
course? Don't put anything on wireless that you're not willing to lose
or publicly disclose. This applies if you're using WEP, WPA or even
WPA2. Some protections are inherently faulty, others are secure only
until someone fat-fingers a config file.

Common Failures in Internet Applications

If anybody has time to view "Common Failures in Internet
", please let me know what you think of the lecture(s).

Saturday, May 14, 2005

Hacker Jailed

BlackHat.Info has a pointer (http://www.blackhat.info/live/modules.php?op=modload&name=News&file=article&sid=5174) to an article
that tells of the sentencing of a member of Thr34t Krew to 21 months of
jail-time. I'm a bit amazed that it was that short of a sentence, as
this group has been around a while. Other than the usual "hacker
arrested" stories, I'm able to find:

Oh, and Sophos says the group is
responsible for the TKBot.

Friday, May 13, 2005


What happens when a wireless security class discovers a wardriver, just outside the window? (heh)

How about, the SSID of the AP in the classroom gets changed to "we-see-you-in-the-car" and a ping storm is sent through the AP so that it "sticks out" in whatever listing his tool has. Then get a half dozen or so in the class to stand in the window and wave/point.

Okay, we're having too much fun.


Johannes Ulrich talked at last night's BOF (Birds Of a Feather) about the Internet Storm Center (ISC) and DShield (the organization that the ISC depends on for data). Salient points include:
  • DShield is interested in the home user. Logs from your routers give them a much broader view of what's going on than logs from a large organization.
  • When you turn in your logs, please sanitize them. Replace the first octet with "10".
  • The INFOCon alert status is available as an RSS feed (I still have to find it).
  • The ISC site can be viewed without any browser-side scripting (no Java, no JavaScript, no VBS, etc.).

The BOF was very interesting. I came away from it with a couple ideas to work on. One of those is coming up with a script, to run on those modified 54G's that many of us have, so that the router logs can be turned in once per hour (as Johannes requested). Another is to investigate how the black hats are employing IPv6 as a covert channel.

Should keep me busy for awhile....
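As an added example (not from the original post, and not DShield's or the ISC's own code), here is a sketch of the hourly log-turn-in script mentioned above: it reads iptables-style syslog lines of the kind a modified WRT54G emits (format assumed), keeps only the DROP entries, and applies the sanitization Johannes asked for by replacing the first octet with 10. The post doesn't say which address to mask; masking the target (your own) address while leaving the scanning source intact is this example's assumption, as is the simple tab-separated output layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the iptables/netfilter syslog style that
# third-party WRT54G firmware typically produces (exact format assumed).
SAMPLE_LOG = """\
May 13 01:02:03 gw kernel: DROP IN=vlan1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4321 DPT=135
May 13 01:02:04 gw kernel: DROP IN=vlan1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4322 DPT=445
May 13 01:02:09 gw kernel: DROP IN=vlan1 OUT= SRC=192.0.2.200 DST=198.51.100.7 PROTO=UDP SPT=1026 DPT=1434
May 13 01:02:10 gw kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=80
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def mask_first_octet(ip: str) -> str:
    """Replace the first octet of a dotted-quad address with 10 (the BOF request)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(["10"] + octets[1:])


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one DROP line, or None for lines not worth submitting."""
    if " DROP " not in line:
        return None  # only blocked inbound traffic is of interest to DShield
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    fields["timestamp"] = " ".join(line.split()[:3])  # "May 13 01:02:03"
    return fields


def sanitize(log_text: str) -> List[str]:
    """Build records: timestamp, source, sport, masked target, dport, proto."""
    records = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        records.append("\t".join([
            f["timestamp"], f["SRC"], f.get("SPT", ""),
            mask_first_octet(f["DST"]), f.get("DPT", ""), f["PROTO"],
        ]))
    return records


if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE_LOG)))
```

Run it from cron once an hour against the router's syslog output; the ACCEPT line is dropped and the target address never leaves the box unmasked.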

Wireless Tools

Here is a large listing of wireless tools.

Thursday, May 12, 2005


I'm at the SANS conference in Denver this week, having a good time in the Assessing Wireless Network Security class. I won an iPod Shuffle yesterday (like I needed another?). Anyone want to trade for one of those PSP's (what I was hoping to win)?

Mobile IPv6

I've been learning about the ins and outs of Mobile IP. Here's a paper
on the IPv6 version.

Wednesday, May 11, 2005


CINEMA (Columbia
InterNet Extensible Multimedia Architecture) is a set of servers for
creating an enterprise telephony and multimedia system. Remember, SIP is
intended for more than just VoIP.

It ain't getting any better

I've loved Zyxel modems for many years. However, they've lost points
with me for thinking that undocumented
or hidden equates to secure. What's that old line about repeating
history? [*sigh*]

Tuesday, May 10, 2005


Dotslash is a
project that aims to be the antidote to the Slashdot Effect.

Monday, May 9, 2005


For those that are interested in attending Cons, the CarolinaCon is in Raleigh, NC on
June 10-12 this year. The schedule looks interesting.

Black Hat Archives

This isn't new but it's a good idea to check the Black Hat Media Archives (http://www.blackhat.com/html/bh-multimedia-archives-index.html) now and then.

Sunday, May 8, 2005


If you're reading this within 6-8 hours of my posting it, have sympathy
for me. I'm on my way to Denver and I'll be a nervous wreck for the
entirety of the trip.

VoP Security Forum

Here's the link for the Voice
over Packet Security Forum. The forums (there's a link in the left-hand
menu) are a bit light in content at the moment but hopefully the site
will gain popularity.

Saturday, May 7, 2005

Spam clustering

Don't know the value of it, but it looks interesting: The Math Club has
a piece on spam clustering (http://the-mathclub.net/index.php/Spam_Clustering).

Friday, May 6, 2005

Hacker Trespasser Exception

LinuxElectrons has a pointer to Congressional testimony concerning The Hacker Trespasser Exception. It's an interesting read. I just wish that lawmakers would refrain from using slang terms (such as "hacker") when writing laws. That sort of thing always requires rewriting of the law after years of judicial interpretation of what the use of the slang term actually meant and the intent of the law that's wrapped around it.

Thursday, May 5, 2005

MS adds a black box

This sort of thing (http://yro.slashdot.org/article.pl?sid=05/04/26/1647203&from=rss) gives CIOs
nightmares, as the error reports often include the documents/programs
that were open at the time. On the up side, Microsoft sells an in-house
version of the error-reporting server so that you don't have to expose
your corporate secrets directly to Microsoft.

Wednesday, May 4, 2005

Packet analysis

I still wish I could get Cox to do this: look at their network at the packet level (http://www.windowsecurity.com/articles/audit-network-packet-analysis.html). Three years later, I'm still
attached to what amounts to the network boonies (on the back edge of
their infrastructure) and I still suffer from massive ARP storms. When
your management traffic becomes so extreme that your customer traffic
suffers, something is definitely wrong.

I've received everything from
the "I'm the help desk, the problem is in your computer" treatment to
having to talk to security because someone was upset that I supplied the
help desk with a packet capture of what's pounding on the outer
interface of my router.

There's little else I can do except live with
it. They're the only game in this area of town at the moment (short of


Here's LURHQ's
analysis of pay-per-click hijacking.

Tuesday, May 3, 2005

Pending analysis

One thing that I didn't mention during the last month was that I was
archiving comment spam. I now have a bit over 800 spam entries that I
will analyze over the next couple weeks.

I may be biasing the results
a bit but I expect that a majority of entries will be posted from broad
number of source IP's (zombie machines?) but will involve domains from a
certain registrar. I'll keep you posted.

Skype protocol

Here is a paper (http://www.cs.columbia.edu/%7Elibrary/TR-repository/reports/reports-2004/cucs-039-04.pdf)
from Columbia University entitled "An Analysis of the Skype Peer-to-Peer
Internet Telephony Protocol".

Monday, May 2, 2005

Cutting edge?

Someone want to donate
a clue
to Microsoft? Some of us are already on the IPv6 backbone via a tunnel set up with a Linksys router.

Although I occasionally have to log in to my tunnel broker and reset the tunnel (due to my ISP changing my external IP), I don't have to make any configuration changes to my laptop. It auto-configures thanks to the radvd daemon. Just boot and go.

It should be noted that the firmware that I use on the Linksys is almost a year old. The newer versions include QoS and better network management tools.


I've been chided for talking about "evil" theory but it is
something that you need to know about, otherwise the blackhats have yet
another advantage.

Here is the
article that The Grugq wrote just before he was fired from @stake,
exposing various flaws in specific forensic tools. It's valuable info,
both for the blackhats AND the whitehats (so that they know it
when they see it).

Sunday, May 1, 2005


For those that missed it, the public release of the final version of
Sveasoft's Alchemy firmware hit the streets just about two weeks ago.
You can get the public release here.


eDave has a pointer to "The six dumbest ways
to secure a wireless LAN" over on ZDNet. I agree with eDave. We can
probably come up with more than six, though, but George Ou's post is a
good read.

Add this to the wish list: someone needs to author a good
article on using wireless intrusion detection systems and how a wired
IDS is almost useless for monitoring wireless network extensions.

BCS Asia Presentations

Here are the presentations from the Bellua Cyber Security Asia 2005 conference.