Wednesday, May 31, 2006


Infosec Writers has a piece about footprinting. Keep in mind that while it's written from the black hat point of view (and is a bit basic), it works the other way too. In other words, the tools and techniques can be used to enforce security also.

You can hook NMap to MySQL and cron with a bit of Perl and get e-mail alerts whenever there's an unauthorized system connected to your network. If your policy permits, you can then "prosecute" the system by gathering as much information as possible from the system without breaking into it (make sure your organization's policy allows this and make sure your supervisors know and support this).
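The scan-and-alert loop described above, as an added shell example (not the post's Perl/MySQL setup): it assumes a ping sweep was saved in greppable form with `nmap -sn -oG scan.gnmap 192.168.1.0/24` (older releases spelled the option `-sP`) and that an inventory file lists one authorised IPv4 address per line. The scan output, the inventory and the addresses in them are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: compare a ping sweep's greppable nmap
# output against an inventory of authorised addresses and report anything new.
# Assumes: nmap -sn -oG scan.gnmap 192.168.1.0/24 (or -sP on old releases)
# and an inventory file with one approved IPv4 address per line.

# Constructed sample of nmap -oG output (not a real scan).
write_sample_scan() {
    cat > "$1" <<'EOF'
# Nmap 4.01 scan initiated Wed May 31 10:00:00 2006 as: nmap -sn -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)	Status: Up
Host: 192.168.1.10 (fileserver.lan)	Status: Up
Host: 192.168.1.23 ()	Status: Up
Host: 192.168.1.77 ()	Status: Up
# Nmap done at Wed May 31 10:00:09 2006 -- 256 IP addresses (4 hosts up) scanned
EOF
}

# Constructed inventory of the hosts that are allowed on this segment.
write_sample_inventory() {
    printf '%s\n' 192.168.1.1 192.168.1.10 192.168.1.23 > "$1"
}

# Print the IP of every host reported Up that is not in the inventory.
# Empty output means the network matches the inventory.
unauthorised_hosts() {
    scan=$1
    inventory=$2
    # Field 2 of a "Host:" line is the address; keep only hosts that answered.
    grep 'Status: Up' "$scan" | awk '{print $2}' | sort -u > "$scan.up"
    sort -u "$inventory" > "$inventory.sorted"
    # comm -23: lines only in the scan, i.e. seen on the wire but not approved.
    comm -23 "$scan.up" "$inventory.sorted"
}

# Build the alert text; prints nothing when there is nothing to report,
# so a cron job piping this into mail only sends a message on a hit.
report() {
    new=$(unauthorised_hosts "$1" "$2")
    [ -z "$new" ] && return 0
    printf 'Unauthorised hosts seen by nmap at %s:\n%s\n' \
        "$(date -u '+%Y-%m-%d %H:%M UTC')" "$new"
}

# Stand-alone run: write the constructed files, then produce the report.
tmp=${TMPDIR:-/tmp}/nmap-check.$$
mkdir -p "$tmp"
write_sample_scan "$tmp/scan.gnmap"
write_sample_inventory "$tmp/authorised.txt"
report "$tmp/scan.gnmap" "$tmp/authorised.txt"
```

Scheduled from cron, the pieces chain as `nmap -sn -oG /var/lib/scan.gnmap 192.168.1.0/24 >/dev/null && report /var/lib/scan.gnmap /etc/authorised.txt | mail -s 'unauthorised hosts' admin` (the `mail` command and paths are assumptions); because `report` stays silent when the scan matches the inventory, the mailbox only fills up when something new appears.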

You'd be amazed what info you can gather with NBTScan, SMBClient, NMBClient, SNMPWalk, and NMap. Note: all of these tools can gather information that a normal MS system offers up by default (without authentication). For awhile, the home version of XP not only had default shares, it also had SNMP enabled by default. Between all of those tools, you could determine MAC address, IP address, installed software, logged-in users, IM logins, files available via P2P, running software (it's also common that people who disregard the rules concerning unauthorized systems are usually infected with one or more bits of malicious code), misc. keys and serial numbers. Couple that with whatever's available via open shares and it's rare that they can deny that the system was online.

As I no longer have that job, I cannot vouch for what's open by default on XP Home or XP Pro systems. Those systems have had a firewall enabled since SP2 but that often doesn't matter as people who take their laptops everywhere tend to have a lot of holes poked through the firewall.

It might be a learning experience if you turn off your firewall and scan your laptop. (Hint: you not only want to learn what ports are open, you want to discover what services are running on those ports and what info is freely available via those services.) The older an install is, the more info it will usually offer up.

Tuesday, May 30, 2006

Linux Device Drivers

Alexandre Dulaunoy has made the Linux Device Drivers book available. I found that while following a piece about the source code for the Morris Worm.

Monday, May 29, 2006


Netflow is another of those really-nice-to-have tools for anyone other than NOC admins. For NOC admins, it's a must-have. In any case, O'Reilly has an article on "Monitoring Network Traffic with Netflow".

Sunday, May 28, 2006

Reading logs

I've been saying it for years: the majority of your problems can be detected by simply reading your log files. Of course, effective log file reduction falls somewhere between a skill and a talent.

Friday, May 26, 2006


One of the Unix basics that you need to know is how to schedule tasks. "at" allows you to set up one-time schedules. "cron" allows you to set up repetitive, scheduled tasks. Really Linux has an article on "The Basics of CRON and Linux Automation".

Wednesday, May 24, 2006

Using dates

If you do any sort of shell scripting, you'll eventually run across the need for using dates. RootPrompt has a pointer to an article entitled "Using dates in shell scripts".
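The two Unix basics from this and the previous entry (scheduling with cron, and handling dates in a shell script) in one added example that is not from either linked article: a small log-rotation script meant to be run nightly from cron. It assumes a GNU or BSD `date` (the two differ in how they format an epoch value, so the helper tries both) and a log file path passed as the first argument; the log line and timestamp used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the linked articles: date handling in a shell
# script that cron runs nightly. Assumes a GNU or BSD date; the rest is POSIX sh.

# Format an epoch timestamp ($1) with a strftime pattern ($2), in UTC.
# GNU date takes -d @EPOCH, BSD date takes -r EPOCH; try GNU first.
fmt_epoch() {
    date -u -d "@$1" "+$2" 2>/dev/null || date -u -r "$1" "+$2"
}

# Whole days between two epoch timestamps ($1 earlier, $2 later).
# Doing the arithmetic on epoch seconds avoids month/year boundary bugs.
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# Archive name for log file $1 on the day given by epoch $2,
# e.g. /var/log/auth.log -> /var/log/auth.log.20060530
archive_name() {
    printf '%s.%s\n' "$1" "$(fmt_epoch "$2" %Y%m%d)"
}

# Move the live log ($1) to its dated archive and start a fresh, empty file.
# $2 (optional) is the epoch to stamp with; defaults to now. Prints the
# archive path so cron's mail (or the caller) records what happened.
rotate_log() {
    target=$(archive_name "$1" "${2:-$(date +%s)}")
    mv "$1" "$target" && : > "$1"
    echo "$target"
}

# Stand-alone demonstration on a constructed log file.
tmp=${TMPDIR:-/tmp}/rotate-demo.$$
mkdir -p "$tmp"
printf 'May 30 23:59:01 host sshd[123]: Accepted publickey for alice\n' > "$tmp/auth.log"
rotate_log "$tmp/auth.log" 1148947200    # 2006-05-30 00:00:00 UTC, constructed

# The crontab line that would run this every night at 23:55 (path assumed):
# 55 23 * * * /usr/local/sbin/rotate-log.sh /var/log/auth.log
```

`days_between` is the piece you reach for when pruning old archives: subtract the archive's epoch from today's and delete anything past your retention period, rather than trying to compare date strings.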

Monday, May 22, 2006

Closed source binaries

Just wanted to add my two cents into the ongoing argument over the use of closed source binaries, including modules, under Linux.

Me? I'm a mutt power user. I use whatever tool best fits the job. I have Linux running under Windows, Windows running under Linux, and misc. *BSD variants. And that's all on one system at home. I can tweak/fix other peoples' C code but can't write my own well enough that I'd show it in public.

While listening to the argument on TLLTS, I disliked the argument that we should wait for drivers to be legally reverse engineered as it keeps the kernel un-tainted. My argument is that I'm still the one that ends up on the short end of the stick.

Case in point: my Hauppauge PVR-250 card. I bought the darn thing when it first came out. Paid "handsomely" for it too. Was forced to run it under a crippled (translation: prone to destructive crashing) version of Windows because that was the only software that was available for it at the time. Waited 3+ years for the Linux world to develop decent drivers and software for it.

Can you guess what the problem is now? The minimum recommended system requirements for Linux are now greater than the capabilities of my system.

If Hauppauge had issued a binary for Linux when the card first came out, I'd still be running whatever version of Linux it required (at least on one partition). It'd be considered ancient by now but I'd have 3+ years of enjoying the use of the hardware. Now it's 3+ years later, I finally have the Linux software to access the 3+ year-old card and the software won't run because my system is too damn slow.

Yeah, Mr. Stallman, it's for the good of mankind that we suffer. (Hint: that was sarcasm.)

Saturday, May 20, 2006

Comment section

I'm experimenting with anti-spam code in the comment section again so please tolerate a few mistakes.

Friday, May 19, 2006

Can you do this?

I know that WinME can't and Linux barely can, can XP do the following at the same time:
  • transcode 20GB of conference videos
  • push 6GB through SSH
  • pull another 1.5 GB from HTTP
  • pull/share 300MB podcasts with BitTorrent
  • view Bloglines with Firefox
  • edit a text file (this one) with Vi
  • chat in IRC

The above has to occur without serious latency or interaction. Admittedly most of the above are text-based and/or tunable, but I'm wondering if XP can do it too. Yes, there are days when I don't use more than one side of the dual boot and, yes, there are good reasons to use XP. Just don't ask me to list them after 6 p.m. (As I write this, it's 8:30 p.m.)

Wednesday, May 17, 2006


Psst! According to this (look in the upper right corner), the next ShmooCon is March 22-25, 2007. Pass it on!!

Tuesday, May 16, 2006

The presentations from the 2005 HackLu conference are interesting. (Videos are near the bottom.)

Monday, May 15, 2006


Not sure if I posted this previously but here are the videos of the presentations at last year's 22C3.

For me, it looks like most of a day to download and at least a week to transcode to something the DSM-320 can handle (they're all MP4s).

Sunday, May 14, 2006

Password myth

Here is a piece which argues that changing passwords on a periodic basis is no longer effective. I dislike the article not for its position but for the assumptions underlying the author's arguments. Example: He argues that passwords can be quickly cracked by various modern-day programs. He assumes that the attacker already has custody of your password file. If that's the case, you have other problems too. With sufficient layered defenses, this wouldn't be the case.

It all boils back to deciding on what you need to do to adequately protect (there's no 100% solution) whatever it is you're protecting.

Saturday, May 13, 2006

DFRWS Challenge

For all of you digital forensics types, the Digital Forensic Research Workshop has a File Carving Challenge for you. The object is to extract as many complete files from the 50MB target data set as possible. Deadline for submissions is 17 July. Enjoy!

Update: Almost forgot to mention that the organizers are Brian Carrier, Eoghan Casey (a former instructor of mine), and Wietse Venema. If you have to ask who they are, maybe you shouldn't bother entering. (heh)

Friday, May 12, 2006

Not his idea

Saw this patent application in Digg. I'd like to dispute it. If you read the "Claims" section, you'd realize that this guy was abducted by aliens (happens to all of us) and they deposited him at a distance down the street calculated from his walking speed at the time of the abduction and the amount of time it took to probe him. All that other stuff about constructing the device is just cruft the aliens implanted in his brain.

Seriously, this should have been filtered out of the process early on, not posted on a ".gov" site. I'm starting to agree that the patent process needs a bit of review.

Thursday, May 11, 2006

AVW-1000 and 802.11

A long time ago, I bought a Grandtec AVW-1000 wireless video link to show videos in a class room without having to run cables back to the projector. I no longer have the classroom but I still have the AVW-1000. The problem is that it uses the same frequencies as my wireless network and the cordless phone.

Here are my notes on figuring out what channels to use on each device. So far, I've only included the AVW-1000 and 802.11b but it's a start.

Wednesday, May 10, 2006



Don't get me wrong, I don't hate Microsoft. It's their marketing department that I have issues with. And their shills.

One thing that programmers (Linux and Microsoft and others) rarely "get" is that adding complexity rarely improves security. By adding features, they're only rearranging the playing field and making it bigger.

Microsoft will do away with the market for antispyware and desktop firewalls? That's about as accurate as the "Nobody's been to the server room in days" commercial.


Tuesday, May 9, 2006


It's sad to see that some people (who should know better) still can't recognize the difference between "open standard" and "open source". Sadly, for most, it's not an easy distinction because the vendor at the center of it all promotes it as the same thing. (I've sat in on two of their dog and pony shows and the presenters purposely mix the two.)

What's not being said is that the RFP for the plug-in was released after the vendor refused to provide it themselves. If you read the RFP, it does not block anyone from participating (open source or proprietary). Now that someone else has provided the plug-in, they're crying foul? I call "Shenanigans! Get your brooms!"

Ms. Wyne is either ignorant or a shill. That she works for a company which specializes in computer training, I tend to believe the latter.

Update: The ISC organization that Ms. Wyne is associated with isn't the one that we normally associate with that acronym, so I can't accuse her of "knowing better" as much as I'd initially thought. Hey! Isn't that exactly the type of crime that Ms. Wyne is whinging about? I think that it's time that a certain tech organization enforce its trademark (here in the U.S., if you don't actively enforce your trademarks, you lose them).

Update 2: In any case, I've asked CompTIA to explain the difference between "open source" and "open standard". I'm not holding my breath for a reply though.

802.11 security links

Here is a large link page for 802.11 security-related info.

Monday, May 8, 2006

SNMP Config Attack with a GRE Tunnel

Here is an interesting analysis of an SNMP attack with a Generic Routing Encapsulation tunnel thrown in for fun.

Saturday, May 6, 2006

Web bots

Ever wonder what those programs were, crawling your site and showing up in your logs? I bet The Web Robot Pages helps in your research.

Friday, May 5, 2006

Thursday, May 4, 2006

Wednesday, May 3, 2006

DNS Amplification Attacks

Here's a paper (about 6 weeks old) on DNS Amplification Attacks. This sort of attack has panicked certain types, causing them to do odd things with their DNS servers (external and internal) including dedicated functions, employing DNSSEC where it is useless, and/or buying more of the usual snake oil.

I think part of the panic originates in the (improper) assumption that DNS servers are like home computers, in that they think most insecure DNS servers will remain insecure. I think that this is incorrect because DNS servers are usually run by trained personnel and are usually located in network segments where bit usage is purchased at a flat rate. While this sort of attack surfaces periodically, it also goes away periodically as the admins catch on and tighten up their servers. I think the problem returns as admins move on/up and are replaced by newer personnel who also have to learn the hard way.

Tuesday, May 2, 2006


This one is for my own notes...

The Final Nail in WEP's Coffin talks about problems in WEP. Yeah, it's old news but it also talks about fragmentation and it mentions a couple tools that I'm researching.

Monday, May 1, 2006

Layer 2 Analysis

Here is Josh Wright's paper on Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection.