Sunday, October 30, 2005

HackerPort

HackerPort is a project intended to design a USB I/O interface. Something to keep an eye on.

Friday, October 28, 2005

HRSUG

David Bianco, a friend and former SANS mentor of mine, has announced the formation of the Hampton Roads Snort Users Group. The first meeting is slated for 7 p.m., Dec. 1st at the Williamsburg Regional Library, 515 Scotland Street, in Williamsburg, VA. The speaker will be Jason Brvenik from Sourcefire.
Please read the announcement (link is above) for more info.

Free OS's

Tripped across this listing of free operating systems while checking up on BeOS. Count how many you've heard of. I've heard of 16 of them and used 6.

Thursday, October 27, 2005

Stand by to shoot yourself in the foot

The Register has an article which describes Microsoft's plan to dump SSLv2 for TLSv1 in IE7. While their intentions are good, it's the following that piques my funny bone:

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates.

Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.

My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)

Wednesday, October 26, 2005

X-Lite and Wine

Just spent a half-hour or so playing around with the X-Lite soft phone, getting it to run under Wine. The good news is that it works. The bad news is you may be limited to running it under KDE. It works under AfterStep but sometimes the menus don't pop up properly and it attempts to use a couple "hooks" in AfterStep that aren't there. It works under KDE but KDE isn't exactly my favorite WM.

In any case, notes are in the Wiki.

Tuesday, October 25, 2005

Now that's funny

Here's a Ballmer quote (about Vista): "Most people will trust it from day one on their home computer..." I reserve the option to make further comment at a later date.

Monday, October 24, 2005

Securing Your Network

Whitedust has an article which discusses the maintenance of your network's security by being familiar with what "normal" is.

Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective." I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.

Sunday, October 23, 2005

Slowing down scans

A friend was recently concerned about the high number of inbound port 22 (SSH) connections he was getting. Another TWUUG'er suggested using iptables to slow down the brute force attacks (it uses the "recent" module). I've added the config to the wiki.
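To make the "recent" module's behaviour concrete before it goes on a live box, here is an added example (not the config from the wiki) that models how the usual pair of rules decides whether a new SSH connection is accepted or dropped. The rules it assumes are the commonly used form: a `-m recent --set --name SSH` rule that records every new TCP/22 connection, followed by a `-m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP` rule. The timeline of connection attempts is constructed, and the model keeps one timestamp per attempt (the kernel's per-entry stamp limit is ignored).

```python
"""Toy model of iptables' "recent" match as used to throttle SSH brute force.

Assumed rules (typical form, not the wiki's exact config):
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
           -m recent --set --name SSH
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
           -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
Simplification: one timestamp per attempt; the kernel's per-entry stamp cap
(ip_pkt_list_tot) is not modelled."""
from collections import defaultdict


class RecentTable:
    def __init__(self, seconds=60, hitcount=4):
        self.seconds = seconds            # --seconds: size of the sliding window
        self.hitcount = hitcount          # --hitcount: attempts allowed inside it
        self.stamps = defaultdict(list)   # source address -> recent attempt times

    def new_connection(self, src, now):
        """Decision ('ACCEPT' or 'DROP') for a NEW SYN from src at time `now` (s)."""
        # Keep only stamps still inside the window, then record this attempt
        # (the --set rule records it before the --update rule is evaluated).
        window = [t for t in self.stamps[src] if now - t <= self.seconds]
        window.append(now)
        self.stamps[src] = window
        # The current packet counts toward --hitcount, so with hitcount=4 the
        # fourth attempt inside 60 s is dropped. Because the attempt is still
        # recorded, a client that keeps retrying keeps its entry fresh and
        # stays blocked until it backs off for a full window.
        return "DROP" if len(window) >= self.hitcount else "ACCEPT"


def simulate(events, seconds=60, hitcount=4):
    """events: iterable of (src, t) in time order. Returns [(src, t, decision)]."""
    table = RecentTable(seconds, hitcount)
    return [(src, t, table.new_connection(src, t)) for src, t in events]


if __name__ == "__main__":
    # Constructed timeline: one host hammering port 22, one normal user.
    events = [("203.0.113.9", t) for t in (0, 3, 6, 9, 12, 40, 200)] + [("192.0.2.10", 7)]
    for src, t, decision in simulate(sorted(events, key=lambda e: e[1])):
        print(f"t={t:4d}  {src:14}  {decision}")
```

Running it shows the fourth attempt from 203.0.113.9 being dropped at t=9, the retries at t=12 and t=40 staying dropped, and the connection at t=200 (after a quiet minute) getting through, while the other host is never affected.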

Saturday, October 22, 2005

Too many ads

I was looking for info on 802.11i and came across this site. I'm sorry but, regardless of the quality of the information available via the site, I won't use sites like that. (Notice that the actual content on the site takes up less than a third of the page. The rest is Google Ads.)

Captchas

Here's a site that discusses the effectiveness of various Captcha schemes.

Friday, October 21, 2005

Bloglines

Bloglines has made some small-but-important modifications to its site. One includes mapping navigation keys to the page, so that you can navigate through articles or folders without having to use the mouse.

The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.

Thursday, October 20, 2005

Blackdog

Well, the lack of controls on the USB interface is finally being exploited. The BlackDog product runs Linux on a USB device and pops up windows on Windows (no reboots needed). The device can even (supposedly) access any network that the host computer has access to. If you "do" security, this should scare the crap out of you. The video of the demo and the FAQ are interesting.

More memory

Adding memory to my old junker improved things so well that my wife
broke her long standing rule (of me not touching her computer) and had
me do the same for hers. Between that and the new USB printer server
(both of which I got out of clearance bins at local stores), I've gained
mega-spouse points! (heh)

Wednesday, October 19, 2005

Repaired?

The comments function should be fixed, for now. The disk is still short on space so it may pop up again.

XP Shutdown

I checked today and I still have a lot of extra gas in my spleen so I guess I'll vent again...

What bright mind decided that the time to install updates is during the shutdown process? We use XP as the host systems for VMs at school. The class ran a little late and we were asked to help by shutting down and removing the hard drives. Nothing like noticing "Installing 1 of 9" in response to your clicking on "Shutdown".

Grr...

Tuesday, October 18, 2005

Monday, October 17, 2005

Shmoo topics posted

For those not paying close attention, the Shmoo Group has chosen some of the topics for the Spring Con.

Standards! Standards!! Standards!!!

I panicked, earlier, when I checked this morning's post and saw that each of the enumerated items all started with "1.". Chalking it up to too-many-hours-typing-into-a-Wiki, I'd intended to fix it from class this evening. Now that I have a non-IE browser pointing at it, I realize that I hadn't hosed the post. Rather, it was IE's lack of standards compliance (it didn't recognize the tag properly) that caused the crappy looking entry.

Heads up MS, that's standard HTML that your browser isn't recognizing!

Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!

Update: Here they are... The one on the left is Firefox. The one on the right is IE.

'Nuff said?

Detecting infected clients via DNS

Consider this as another of my you-need-to-know-what-normal-is
rants.

About five years ago, a couple of us (at a previous job) wrote
a script to process DNS log files to watch for systems suddenly
performing massive amounts of DNS lookups. In other words, watching for
infected systems.

Someone recently wrote a paper on this same topic
and has received a bit of notoriety for it. There's no black art to it.
It's pretty easy to kluge together.

  1. First be sure that your internal DNS server can handle a heavier load. I recommend running a dedicated server using BSDi (even an older version) because the load that BIND puts on BSDi is barely noticeable.
  2. Turn on querylog. It'll generate log entries like:

     Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +
     Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +

  3. Obviously, Perl is perfect to extract data from these log entries. Write a script to parse each line and insert the data from the line into a MySQL or Postgres database.
  4. Then use Perl, PHP, Ruby, or [insert your favorite language here] to extract the data in different "views", such as total-queries-by-client, total-queries-by-network-per-minute (or hour or day), total-individual-queries-per-minute-by-target, etc.
  5. To go along with these data "views", it's usually helpful to graph the generated metrics for simple crayon-understanding graphics. To be useful, you'll want graphs for the last hour, the last day, the last week and the last month, along with a user-configurable graph generation script, so that you (or someone else) can make quick interpretations and make comparisons to previously collected data.
  6. Finally, you'll want a script to periodically clean up the log file, either archiving it or deleting it. Running querylog full-time will generate massive log files. It may also be a good idea to write scripts to aggregate the data in the database server, keeping only generic statistical totals for data past a certain age.
  7. Collecting/analyzing metrics such as these is well within the talents of the average network admin (and is usually free). I'm amazed that companies are willing to shell out big $$$ for something as simple as this.

If you have anything to do with network administration, this is something that you should be able to do. If you "own" a network, this is something that you want at least one of your network admin or security types to do. (Think of it as being able to gather and analyze data for troubleshooting.)
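The parse-and-view part of steps 2 through 4, as an added example (not the script from the old job, and in Python rather than Perl): it parses querylog lines of the format shown above, builds the total-queries-by-client and per-client-per-minute views, and flags any client whose volume or number of distinct names in a minute is out of line. The sample log is constructed for the demo (the first two lines are the ones quoted above; the burst from 192.168.2.77 is made up), querylog lines carry no year so 2005 is assumed, and the thresholds are placeholders to be replaced by whatever "normal" turns out to be on your network. Inserting into MySQL/Postgres is left out; the in-memory aggregates are what such a table would be queried for.

```python
"""Parse BIND querylog lines and pick out clients that suddenly query too much."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the querylog format quoted in the post.
QUERYLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<client>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample: the two lines from the post, two more ordinary lines,
# and a burst from one host resolving 40 distinct MX names in 40 seconds
# (the pattern a mass-mailing worm produces).
SAMPLE_LOG = [
    "Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +",
    "Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +",
    "Oct 15 09:19:02 desk named[13556]: client 192.168.2.5#1302: query: www.cisco.com IN AAAA +",
    "Oct 15 09:19:03 desk named[13556]: zone example.net/IN: loaded serial 2005101500",
] + [
    f"Oct 15 09:19:{s:02d} desk named[13556]: client 192.168.2.77#{1500 + i}: "
    f"query: mx{i}.example.net IN MX +"
    for i, s in enumerate(range(10, 50))
]


def parse_line(line, year=2005):
    """Return a record dict for a query line, or None for any other log line."""
    m = QUERYLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "client": m["client"], "name": m["name"].lower(), "type": m["type"]}


def parse_log(lines, year=2005):
    return [r for r in (parse_line(l, year) for l in lines) if r is not None]


def queries_per_client(records):
    """View: total-queries-by-client."""
    return Counter(r["client"] for r in records)


def per_client_minute(records):
    """View: (client, minute) -> (total queries, distinct names queried)."""
    totals, names = Counter(), defaultdict(set)
    for r in records:
        key = (r["client"], r["ts"].strftime("%Y-%m-%d %H:%M"))
        totals[key] += 1
        names[key].add(r["name"])
    return {k: (totals[k], len(names[k])) for k in totals}


def flag_clients(records, max_per_minute=30, max_distinct=20):
    """Clients that exceed either threshold in some minute (thresholds are
    placeholders; derive real ones from your own baseline)."""
    return [
        (client, minute, total, distinct)
        for (client, minute), (total, distinct) in sorted(per_client_minute(records).items())
        if total > max_per_minute or distinct > max_distinct
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("queries by client:", dict(queries_per_client(recs)))
    for client, minute, total, distinct in flag_clients(recs):
        print(f"SUSPECT {client} at {minute}: {total} queries, {distinct} distinct names")
```

Run against the sample it reports only 192.168.2.77; the two ordinary clients stay under both thresholds. The distinct-names count is the more useful of the two signals, since a single busy but healthy host (a mail relay, a proxy) can legitimately issue many queries a minute, usually for a small set of names.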

Sunday, October 16, 2005

One more thing...

One more thought about hash collisions: before you throw out the baby
with the bath water, a quick way to improve the integrity of your
checksums is to use both MD5 and SHA-1. While the chance of a
collision with both algorithms is still theoretically possible, it's an
astronomical possibility.

Asterisk book

Click here for
the zipped version of "Asterisk: The Future of Telephony", published
under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs
for pointing it out.

Saturday, October 15, 2005

I'm popular

This is supposedly from the author
of the recent MySpace worm, with a link to the technical explanation and
code. It's interesting in the same way the WoW virtual blood plaque
was.

Zotob

Arachnid has a quick piece on the recent Zotob worm.

p0f

Linux.com has an article discussing a benign use for p0f: gathering information about what's running the sites that you're visiting. The data that you gather might be completely useless, or you might find a use for it, or it might provide a bit of entertainment. I think the major benefit is that you gain experience when you perform experiments such as this.

Friday, October 14, 2005

Nessus

Dana Epp has some comments
about Nessus's movement towards closed source. While I cannot justify
my feelings in the same manner that Dana can, I did contribute to the
project (a couple measly signatures) and feel just as betrayed as I did
with NFR and the CDDB. For each of these projects, I contributed data
to support an open community and the owner decided to profit by moving
the project away from the user community supporting it.

Thursday, October 13, 2005

Salted Hashes

Infosec Writers has an
article that explains the basic
theory
of salted (seeded) hashes, including SHA-1 and MD5.
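The basic theory in working form, as an added example (not the article's code): an unsalted digest beside a salted one, so the difference is visible. It uses SHA-1 because that is what the post names; the storage format `algorithm$salt_hex$digest_hex` is my own choice, and for a new system a slow, salted KDF such as hashlib.pbkdf2_hmac would be the better fit.

```python
"""Salted vs. unsalted password hashing (SHA-1 as named in the post)."""
import hashlib
import hmac
import os


def unsalted_hash(password, algorithm="sha1"):
    """Plain digest of the password. Two users with the same password get the
    same digest, and one precomputed table for the algorithm cracks all of them."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None, algorithm="sha1"):
    """Return 'algorithm$salt_hex$digest_hex' with digest = H(salt || password).
    A fresh random 16-byte salt is drawn unless one is supplied (handy for tests).
    The salt is stored in the clear: its job is uniqueness, not secrecy."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return f"{algorithm}${salt.hex()}${digest}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algorithm, salt_hex, digest = stored.split("$")
    candidate = hashlib.new(
        algorithm, bytes.fromhex(salt_hex) + password.encode("utf-8")
    ).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse"
    print("unsalted, user A:", unsalted_hash(pw))
    print("unsalted, user B:", unsalted_hash(pw))   # identical: same password, same digest
    a, b = salted_hash(pw), salted_hash(pw)
    print("salted,   user A:", a)
    print("salted,   user B:", b)                   # differ: the salt makes each unique
    print("verify ok:", verify_password(pw, a), " wrong pw:", verify_password("wrong", a))
```

The salt does not make a single guess any harder; it stops one precomputed table (or one cracked hash) from covering every account at once, because each stored digest has to be attacked on its own.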

Wednesday, October 12, 2005

Wiki stats

In cleaning up the orphaned pages in the wiki on the new server, I got to looking at the page stats. What's odd is the #1 entry:
  1. Glossary (5550 views)
  2. Main Page (3078 views)
  3. Anonymous Proxies (2067 views)
  4. Asterisk (1735 views)
  5. Looking Up UPC Codes (1228 views)
  6. Looking Up Vehicle ID Numbers (VINs) (1094 views)
  7. Perl - MSN IM Sniffer (1092 views)
  8. IPv6 on the WRT54G via OpenWRT (864 views)
  9. The Firewall Toolkit (FWTK) (818 views)
  10. IPod Stuff (807 views)

Could it be caused by
the inclusion of sexual fetish descriptions in the glossary? If so,
then y'all are some sick puppies. (heh)

D'oh

Don't you just love catching yourself doing something stupid? I managed
to troubleshoot my IPv6 routing issue in about 10 seconds once I started
to look at it. (Thanks to Wes for prompting me to do it.) The fix is
to not add the following to /etc/init.d/rcS. Rather, create a file
called /etc/init.d/S99tunnel and put it there:

#!/bin/sh
# /etc/init.d/S99tunnel: runs late in boot, after the WAN interface is up,
# which is why it belongs here rather than in rcS.

#/bin/mkdir -p /var/log/
# Set the clock first (backgrounded so a slow NTP reply doesn't hold up boot)
ntpclient -h pool.ntp.org -l -s &

# set up the IPv6 tunnel
# Pull the current WAN (vlan1) IPv4 address out of "ip addr show" and save it
MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \ -f 6- `
echo $MYIPADDR > /etc/myipaddr
#MYSCND=`cat /etc/myipaddr`
#echo $MYSCND > /etc/my2ipaddr
echo $MYIPADDR
# 6in4 (sit) tunnel to the he.net tunnel broker endpoint, local end = our WAN address
ip tunnel add he.net mode sit remote 64.71.128.82 local $MYIPADDR ttl 255
ip link set he.net up
# Our side of the tunnel's point-to-point /127, then send all IPv6 through it
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
ip route add ::/0 dev he.net
ip -f inet6 addr
# Routed /64 on the LAN side (eth1) and enable IPv6 forwarding
ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Router advertisements so LAN hosts autoconfigure, then restart dnsmasq on the LAN
radvd
sleep 15
killall dnsmasq
dnsmasq -i eth1

Tuesday, October 11, 2005

NSLU2

I think I have my next toy targeted: the Linksys NSLU2 (Network Storage Link for USB 2.0). The local TWUUG'ers have pointed out the existence of custom firmware. Hey Santa: hint, hint!

Monday, October 10, 2005

Crazy Hacks

There are some interesting projects over on Crazy Hacks. There's also evidence that somebody has way too much time on their hands: why in the world would you want to write Perl programs in Latin?

Sunday, October 9, 2005

Comments off

Until such time that the site moves to the new server (or the old one
gets its issues fixed), comments are going to be a dicey thing to use.
Anything left in comments over the last two weeks has not been saved. I
apologize for any inconvenience. If there's a comment that you want to
add to the site, it might be easier to email me directly
(joat@guess.where).

AntiExploit

Looks intriguing. Anyone know if it conflicts with similar protection schemes running at the same time?

Saturday, October 8, 2005

Malware database

The link to the Nepenthes database (yesterday's post) led through Aachen University's malware database. I have high hopes for this.

Friday, October 7, 2005

Malicious Code Visualization

While following a link in Antlab, I came across the malicious code visualization published by the Nepenthes people.

Thursday, October 6, 2005

Wednesday, October 5, 2005

Wobbling

Trivia question: When do 2000 blog entries of 1K (or less) each eat up more disk space than 30 100K pictures?

The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.

The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.

Sunday, October 2, 2005

Risk

Another rambling post...

I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.

Purists will be offended that I've said that but, in reality, most businesses operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintaining protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tying asset cost to the risk formula: the missing business costs.

Think of it this way: you have a web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?

If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)

If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.

If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practitioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allow operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.

Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?

Saturday, October 1, 2005

Shmoo

Heads up! Today is the last day to get your $75 ShmooCon tickets (got
mine last night). Tomorrow they're $150 each.