Monday, October 31, 2005
Sunday, October 30, 2005
HackerPort
Saturday, October 29, 2005
Friday, October 28, 2005
HRSUG
Please read the announcement (link is above) for more info.
Free OS's
Thursday, October 27, 2005
Stand by to shoot yourself in the foot
As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates.
Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.
My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)
Wednesday, October 26, 2005
X-Lite and Wine
In any case, notes are in the Wiki.
Tuesday, October 25, 2005
Now that's funny
Monday, October 24, 2005
Securing Your Network
Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective." I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.
Sunday, October 23, 2005
Slowing down scans
Saturday, October 22, 2005
Too many ads
Friday, October 21, 2005
Bloglines
The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.
Thursday, October 20, 2005
Blackdog
More memory
broke her long standing rule (of me not touching her computer) and had
me do the same for hers. Between that and the new USB printer server
(both of which I got out of clearance bins at local stores), I've gained
mega-spouse points! (heh)
Wednesday, October 19, 2005
Repaired?
XP Shutdown
guess I'll vent again...
What bright mind decided that the time to
install updates is during the shutdown process? We use XP as the host
systems for VMs at school. The class ran a little late and we were
asked to help by shutting down and removing the hard drives. Nothing
like noticing "Installing 1 of 9" in response to your clicking on
"Shutdown".
Grr...
Tuesday, October 18, 2005
Monday, October 17, 2005
Shmoo topics posted
Standards! Standards!! Standards!!!
- tag properly) that caused the crappy looking entry.
Heads up MS, that's standard HTML that your browser isn't recognizing!
Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!
Update: Here they are... The one on the left is Firefox. The one on the right is IE.
'Nuff said?
Detecting infected clients via DNS
rants.
About five years ago, a couple of us (at a previous job) wrote
a script to process DNS log files to watch for systems suddenly
performing massive amounts of DNS lookups. In other words, watching for
infected systems.
Someone recently wrote a paper on this same topic
and has received a bit of notoriety for it. There's no black art to it.
It's pretty easy to kluge together.
- First be sure that your internal DNS server can handle a heavier load. I recommend running a dedicated server using BSDi (even an older version) because the load that BIND puts on BSDi is barely noticeable.
- Turn on querylog. It'll generate log entries like:
Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +
Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +
- Obviously, Perl is perfect to extract data from these log entries. Write a script to parse each line and insert the data from the line into a MySQL or Postgres database.
- Then use Perl, PHP, Ruby, or [insert your favorite language here] to extract the data in different "views", such as total-queries-by-client, total-queries-by-network-per-minute (or hour or day), total-individual-queries-per-minute-by-target, etc.
- To go along with these data "views", it's usually helpful to graph the generated metrics for simple crayon-understanding graphics. To be useful, you'll want graphs for the last hour, the last day, the last week and the last month, along with a user-configurable graph generation script, so that you (or someone else) can make quick interpretations and make comparisons to previously collected data.
- Finally, you'll want a script to periodically clean up the log file, either archiving it or deleting it. Running querylog full-time will generate massive log files. It may also be a good idea to write scripts to aggregate the data in the database server, keeping only generic statistical totals for data past a certain age.
Collecting and analyzing metrics such as these is well within the talents of the average network admin (and is usually free). I'm amazed that companies are willing to shell out big $$$ for something as simple as this.
If you have anything to do with network administration, this is something that you should be able to do. If you "own" a network, this is something that you want at least one of your network admin or security types to do. (Think of it as being able to gather and analyze data for troubleshooting.)
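As an added example (not the post's own script, and written in Python rather than the Perl the post suggests), here is the parse-and-flag part of the procedure above: it parses querylog lines in the format shown, builds the total-queries-by-client-per-minute view, and flags any client whose count in a single minute exceeds a threshold. The regex, the threshold and the sample log lines are constructed for this example; the database insert and graphing steps are left out.

```python
import re
from collections import Counter

# Parses BIND querylog lines in the format shown in the post.  The regex and the
# threshold used below are this example's own choices, not anything the post specifies.
QUERYLOG_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ named\[\d+\]: "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (minute, client, name, qtype), or None if the line is not a query entry."""
    m = QUERYLOG_RE.match(line)
    if not m:
        return None
    return m.group("minute"), m.group("client"), m.group("name"), m.group("qtype")

def queries_per_client_per_minute(lines):
    """The total-queries-by-client-per-minute view: Counter keyed by (client, minute)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            minute, client, _, _ = parsed
            counts[(client, minute)] += 1
    return counts

def distinct_targets_per_client(lines):
    """Unique names each client asked for; a volume spike made of many distinct names
    (rather than one name asked for repeatedly) is the pattern the post describes."""
    targets = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            _, client, name, _ = parsed
            targets.setdefault(client, set()).add(name)
    return targets

def flag_noisy_clients(lines, threshold):
    """Sorted [(client, minute, count)] for every client/minute above the threshold."""
    counts = queries_per_client_per_minute(lines)
    return sorted((c, m, n) for (c, m), n in counts.items() if n > threshold)

# Constructed sample data: a few normal lookups plus one host that suddenly fires a burst.
SAMPLE_LINES = [
    "Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +",
    "Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +",
    "Oct 15 09:19:02 desk named[13556]: client 192.168.2.5#1302: query: www.cisco.com IN AAAA +",
] + [
    "Oct 15 09:19:%02d desk named[13556]: client 192.168.2.77#%d: query: host%03d.example.net IN A +"
    % (i % 60, 1100 + i, i)
    for i in range(120)
]

if __name__ == "__main__":
    for client, minute, count in flag_noisy_clients(SAMPLE_LINES, threshold=50):
        print("%s made %d queries in the minute starting %s" % (client, count, minute))
```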
Sunday, October 16, 2005
One more thing...
with the bath water, a quick way to improve the integrity of your
checksums is to use both MD5 and SHA-1. While the chance of a
collision with both algorithms is still theoretically possible, it's an
astronomical possibility.
Asterisk book
the zipped version of "Asterisk: The Future of Telephony", published
under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs
for pointing it out.
Saturday, October 15, 2005
I'm popular
of the recent MySpace worm, with a link to the technical explanation and
code. It's interesting in the same way the WoW virtual blood plaque
was.
p0f
Friday, October 14, 2005
Nessus
about Nessus's movement towards closed source. While I cannot justify
my feelings in the same manner that Dana can, I did contribute to the
project (a couple measly signatures) and feel just as betrayed as I did
with NFR and the CDDB. For each of these projects, I contributed data
to support an open community and the owner decided to profit by moving
the project away from the user community supporting it.
Thursday, October 13, 2005
Salted Hashes
article that explains the basic
theory of salted (seeded) hashes, including SHA-1 and MD5.
Wednesday, October 12, 2005
Wiki stats
looking at the page stats. What's odd is the #1 entry:
- Glossary (5550 views)
- Main Page (3078 views)
- Anonymous Proxies (2067 views)
- Asterisk (1735 views)
- Looking Up UPC Codes (1228 views)
- Looking Up Vehicle ID Numbers (VINs) (1094 views)
- Perl - MSN IM Sniffer (1092 views)
- IPv6 on the WRT54G via OpenWRT (864 views)
- The Firewall Toolkit (FWTK) (818 views)
- IPod Stuff (807 views)
Could it be caused by
the inclusion of sexual fetish descriptions in the glossary? If so,
then y'all are some sick puppies. (heh)
D'oh
to troubleshoot my IPv6 routing issue in about 10 seconds once I started
to look at it. (Thanks to Wes for prompting me to do it.) The fix is
to not add the following to /etc/init.d/rcS. Rather, create a file
called /etc/init.d/S99tunnel and put it there:
#!/bin/sh
#/bin/mkdir -p /var/log/
# sync the clock in the background before bringing up the tunnel
ntpclient -h pool.ntp.org -l -s &
# set up the IPv6 tunnel: the WAN (vlan1) IPv4 address is the local tunnel endpoint
MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \ -f 6- `
echo $MYIPADDR > /etc/myipaddr
#MYSCND=`cat /etc/myipaddr`
#echo $MYSCND > /etc/my2ipaddr
echo $MYIPADDR
# sit (6in4) tunnel interface named he.net; bring it up and assign the point-to-point address
ip tunnel add he.net mode sit remote 64.71.128.82 local $MYIPADDR ttl 255
ip link set he.net up
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
# all IPv6 traffic goes out the tunnel
ip route add ::/0 dev he.net
ip -f inet6 addr
# routed /64 on the LAN side (eth1), then enable forwarding and start router advertisements
ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
radvd
# give radvd a moment, then restart dnsmasq bound to the LAN interface
sleep 15
killall dnsmasq
dnsmasq -i eth1
Tuesday, October 11, 2005
NSLU2
Monday, October 10, 2005
Crazy Hacks
Sunday, October 9, 2005
Comments off
gets its issues fixed), comments are going to be a dicey thing to use.
Anything left in comments over the last two weeks has not been saved. I
apologize for any inconvenience. If there's a comment that you want to
add to the site, it might be easier to email me directly
(joat@guess.where).
AntiExploit
Saturday, October 8, 2005
Malware database
Friday, October 7, 2005
Malicious Code Visualization
Wednesday, October 5, 2005
Wobbling
The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.
The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.
Tuesday, October 4, 2005
Monday, October 3, 2005
Sunday, October 2, 2005
Risk
I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.
The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.
Purists will be offended that I've said that but, in reality, most businesses operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintaining protections or records X likelihood of discovery X possible fines?)
One thing that has irked me ever since someone tried to convince me of the correctness of tying asset cost to the risk formula: the missing business costs.
Think of it this way: you have a web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?
If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)
If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.
If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.
On the flip side, the practitioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allow operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.
It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.
Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?
Saturday, October 1, 2005
Shmoo
mine last night). Tomorrow they're $150 each.