Thursday, August 31, 2006


My apologies to non-Firefox readers. I just got a glimpse of the blog from a school system (not running Firefox). I will move the Bloglines blogroll to a separate page shortly.

Wednesday, August 30, 2006

I will not

Things I will not blog about: full disclosure, the accuracy of the Apple hack, Paris Hilton's crimes, or the SCO trial. There are far too many people already blogging about them and I have nothing new to add.

Tuesday, August 29, 2006

An old, old joke

I really find it hard to believe that this joke actually got the mileage that it did. I think Irongeek has discovered a large need for basic network classes.

I'm also surprised that a fight didn't ensue...

"He's running Ubuntu!"

"No he's not! He's got Windows XP!"

"You're both idiots! He's got a Mac!"

It's funny, even if it turns out to be fake, though I like this version better.

Monday, August 28, 2006


I use wget to download various podcasts (yeah, yeah, real men don't use pod-catchers). Lifehacker has a mini-howto for using wget to do various things.


I love my ISP! (Uh, that's sarcasm, BTW.)

First Cox blocks my e-mail forwarding from the 757 account because someone complained that was in the "From" address. It took weeks of arguing with the helpdesk and the abuse desk to get it unblocked.

Then they reblock it by turning on their spam filters, which I had expressly asked that they not do. This caused me to have to set up encrypted mail on two sites and I have no option on a third.

This on top of the near-constant ARP storms and the periodic loss of carrier on the cable modem. How much do I pay for this?

Saturday, August 26, 2006


Here is a very short howto for installing and running Nikto against your web server to check for known vulnerabilities.

Friday, August 25, 2006

Thursday, August 24, 2006

PenTest Checklist

Infosec Writers has a link to a checklist that you can use for penetration testing. Although it does need a bit of work (network footprinting is a bit on the weak side and should be called initial research), it is a good start.

Wednesday, August 23, 2006

Tony Ruscoe

Tony Ruscoe has blogged about how he discovers Google services before they're announced. The techniques he uses are not new, esp. to pentesting. But they are good to know if your work has anything to do with search engines and the like.

Tuesday, August 22, 2006


The Aug 14 entry for the SANS Handler's Diary talks about using a log book to keep track of issues, maintenance, and incidents. I'd like to add "it's that simple" and "it's not that simple".

It's that simple in that, for any business network, you need to do just that: keep a record. It's not that simple in that, for most business networks, it's not mandatory to keep a record. Personally, I don't recommend using a log book as it doesn't allow for the inclusion of external documents.

If your company lives by paper record, you should be keeping a set of folders, one for each system. Entries should be made via a set of forms (incident, maintenance, configuration change, etc.) that can be dated and signed by personnel concerned with the specific evolution. For some of the entries, management should sign.

If you take the electronic path, I recommend a Wiki or even just a set of folders in a directory on a stand-alone system (not networked!). The same idea for blank forms applies: keep a set of templates handy that you can cut-and-paste from.

In either case, you want to limit the access to the logs. If they're paper-based, keep them under lock and key. If they're electronic, restrict access and don't network the system. File or file system encryption might be useful (if not time consuming). Side note: backups are your friend.

The entire point of the exercise is to produce a legally useable record. It's a benefit for the company in that it can be used to display due care (compliance). It's a benefit for you in that it becomes a reference for keeping track of who did what, to what, and when. It is valuable to anyone that follows you after you've moved on, so that they don't have to repeat your mistakes (yes, you should include them too) and it'll minimize having to figure out if you did or didn't perform a specific action on a machine.

I used the phrases "mandatory" and "due care" above to denote that there are now a number of laws (GLB, SarBox, FISMA, HIPAA, etc.) in existence that require due diligence (having policy/practices/protections in place) and due care (recording the exercise of due diligence). Most of those laws (if not all) don't care how you perform these functions, just that you have them. If you (as an organization) use a well-recognized set of practices (e.g., ISO 17799), so much the better. You'll use less time having to defend them, should you end up in court.
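The "electronic path" described above (one folder per system, entries created from a small set of templates, dated and signed, with access restricted), as an added example that is not code from the original post. The entry types, their required fields and the directory layout are assumptions chosen for illustration; entries are created exclusively so an existing record is never overwritten, and files are created owner-readable only.

```python
"""Per-system electronic log with dated, attributable entries (added example)."""
import os
import stat
from datetime import datetime, timezone
from pathlib import Path

# Assumed entry types and the fields each must carry (constructed templates).
TEMPLATES = {
    "incident": ("system", "reported_by", "summary", "actions_taken", "signed_by"),
    "maintenance": ("system", "performed_by", "work_done", "signed_by"),
    "config_change": ("system", "changed_by", "before", "after", "approved_by", "signed_by"),
}


def _secure_dir(path: Path) -> Path:
    """Create the per-system folder, readable by the log owner only (0700)."""
    path.mkdir(parents=True, exist_ok=True)
    path.chmod(stat.S_IRWXU)
    return path


def write_entry(log_root, system, entry_type, fields, when=None):
    """Create a new, dated entry for `system` and return its path.

    The file is created with O_EXCL, so a record can never be overwritten;
    a correction is a new entry that references the old one.  Every field
    the template requires must be present and non-empty.
    """
    if entry_type not in TEMPLATES:
        raise ValueError(f"unknown entry type: {entry_type}")
    missing = [f for f in TEMPLATES[entry_type] if not fields.get(f)]
    if missing:
        raise ValueError(f"{entry_type} entry missing fields: {missing}")
    when = when or datetime.now(timezone.utc)
    sys_dir = _secure_dir(Path(log_root) / system)
    path = sys_dir / f"{when.strftime('%Y%m%dT%H%M%SZ')}_{entry_type}.txt"
    body = [f"date: {when.isoformat()}", f"type: {entry_type}"]
    body += [f"{k}: {fields[k]}" for k in TEMPLATES[entry_type]]
    # Exclusive create, mode 0600: only the log owner can read the record.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(body) + "\n")
    return path


def list_entries(log_root, system):
    """Return (timestamp, entry_type, path) tuples for a system, oldest first."""
    out = []
    for p in sorted((Path(log_root) / system).glob("*_*.txt")):
        ts, etype = p.stem.split("_", 1)
        out.append((ts, etype, p))
    return out


def read_entry(path):
    """Parse a written entry back into a dict of its fields."""
    with open(path) as fh:
        return dict(line.rstrip("\n").split(": ", 1) for line in fh if ": " in line)


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    p = write_entry(root, "mailhost", "maintenance",
                    {"system": "mailhost", "performed_by": "ops",
                     "work_done": "applied vendor patch", "signed_by": "ops"})
    print(p, read_entry(p))
```

A Wiki gives you revision history for free; with plain files, the exclusive-create plus the backups the post recommends are what make an entry trustworthy after the fact.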

Monday, August 21, 2006

p0f - IronGeek

Here is IronGeek's tutorial on OS fingerprinting using p0f and ettercap. (Uses Macromedia Flash.)

More security blogs

Thanks to Michael Farnum for posting his OPML. Along with that and a few Google searches, I've added a ton of security related blogs to my Bloglines subscription. View the list here or grab the OPML here.

I'm also experimenting with the Bloglines Blogroll for those same feeds. I've tacked it up over on the left and have re-enabled the blogroll for comparison.

Update: Wow, for a half-hour or so, that was horrible. Adding 348 lines to an already crowded panel caused the new blogroll to stick off of the bottom of the page for a long distance. For now, I'll leave the list on the left and the Bloglines list on the right, though it still sticks off the bottom of the page.

I promise that it'll get better as I resort the Bloglines subscriptions into folders and limit what folders can be seen.

Update: in taking a look at the Bloglines JavaScript, it should be very easy to run the external call through some PHP, strip the JavaScript, format the data and come up with a nicer menuing system. Something for the to do list, I guess.

Then again, maybe I'll just move the thing to its own page. That is a lot of links messing up the page. What do you think?

Saturday, August 19, 2006


For those interested, F-Secure has announced a command-line version of BlackLight.


To paraphrase Popeye:

IAM what I am,
IEM what I am,
and that's both what I am.

Official confirmation in a few weeks. List me as "on pins and needles" until then.


I'm finally back home and caught up. If you left a comment and I deleted it, please submit it again. Unless you're spamming me that is.

One thing that I've discovered: the DC area has a serious lack of book stores. I've got to drive into Alexandria from Herndon to find one? Geesh!

Thursday, August 17, 2006

Details, Details...

Rob pointed out this Wired piece about a recent cyber-security exercise hosted by DHS. The funny part is that at least one speedreader missed the bits about it being an exercise scenario and decided it was politically funded propaganda. I wonder how long it will take before we have to invoke Godwin's Law? The usual precursors are already there in the comments.


BTW, what is the record for the shortest thread preceding Godwin's Law? This one is going to be close.

Wednesday, August 16, 2006


An article in Monday's USA Today about the new luggage restrictions still has me chuckling. I'll quote the article and you tell me where you've heard the logic before. If you've worked in IT or IA for any period of time, you've heard it.


"It's not a 'right' to fly and carry whatever you like," notes David Gregory, a Dallas-based travel coordinator and former airline employee, in one of nearly 200 posts in response to a recent item on USA Today's Today in the Sky blog about the threat to the carry-on culture.

"Just think how wonderfully blissful it would be not to have a single carry-on aboard a plane," Gregory adds.

"I say ban all carry-on luggage. It's about time! And if you are so important that you cannot be away from your computer for a day, do us a favor and stay at your office."

Figure it out yet? How about the system admin who states that he wished there were no users on the network?

I bet Mr. Gregory runs a very successful travel business. (heh)

Tuesday, August 15, 2006

Lack of EOP by extension?

Here's a court case that strikes me as vaguely (but greatly) wrong, but not for any of the reasons stated by the plaintiff, the defendant or the judge. While I would agree that the employee would not have an expectation of privacy (EOP) for any action performed from a company computer, I have serious reservations about the logic that the expectation of privacy remains in "failed" mode if the employer then uses a captured password to access a system not belonging to them.

If you read the fine print in just about any TOS or contract, the account is property of the system owner and the user is allowed access to the system at the discretion of the system owner. Account termination usually can occur without warning, justification or appeal. The account (and often any data within) remains the property of the system owner. In this case, eBay.

If I were eBay, I'd be investigating the application of "accessing a system without permission" as it relates to the private investigation company.

Off site

My apologies for any delay in approving comments or fixing stuff in the blog/wiki. I'm in Herndon this week, taking a course for (hopefully) another cert. Wish me luck!

Saturday, August 12, 2006

Asterisk book

I've probably blogged about this before but it doesn't hurt to post it again. Did you know that there's an online version of "Asterisk: The Future of Telephony"?

Friday, August 11, 2006

BlackHat presentations

I haven't been keeping in touch with my friends. This is evidenced by the fact that Rob posted the BlackHat presentations and I learned about it via limitedexposure.

Oh, and the DefCon presentations are here.

Thursday, August 10, 2006


Tcpreplay 3.0 was released as its 10th beta this week. It's actually a suite of tools now (I haven't used it in a very long time) including: tcpprep, tcprewrite, tcpreplay, tcpbridge and flowreplay. Read about them here. Hint: scroll down to the bottom to find them; the wiki also talks about Trac, which takes up a lot more space on the page.

In any case, this is one of those tools that you need to know how to use if you're going to analyze traffic (though I seem to remember it not handling broken packets well).
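Since the post notes that the tool did not handle broken packets well, the check a practitioner would want before replaying a capture is a pass over the file that flags the damage a replay tool can choke on. The following is an added example, not code from the original post or from the Tcpreplay project: it walks the classic libpcap file format record by record and reports records whose captured length exceeds the snaplen or the original length, records that claim more bytes than remain in the file (a truncated capture), frames shorter than an Ethernet header, and out-of-range timestamps. The sample capture is constructed inline; `build_pcap` and `check_pcap` are names chosen here.

```python
"""Sanity-check a classic pcap file before replaying it (added example)."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # file written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # value seen when a big-endian file is read as little-endian
ETH_HDR_LEN = 14
DLT_EN10MB = 1


def check_pcap(data: bytes):
    """Return (usable_records, problems) for the pcap bytes in `data`."""
    problems = []
    if len(data) < 24:
        return 0, ["file shorter than the 24-byte global header"]
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        return 0, [f"unknown magic 0x{magic:08x} (not classic pcap)"]
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != DLT_EN10MB:
        problems.append(f"link type {linktype} is not Ethernet (DLT_EN10MB)")
    off, n, ok = 24, 0, 0
    while off < len(data):
        n += 1
        if len(data) - off < 16:
            problems.append(f"record {n}: truncated record header at offset {off}")
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        bad = False
        if incl_len > snaplen:
            problems.append(f"record {n}: incl_len {incl_len} exceeds snaplen {snaplen}")
            bad = True
        if incl_len > orig_len:
            problems.append(f"record {n}: incl_len {incl_len} exceeds orig_len {orig_len}")
            bad = True
        if off + incl_len > len(data):
            # Nothing after this point can be trusted: stop rather than resync.
            problems.append(f"record {n}: claims {incl_len} bytes but only {len(data) - off} remain")
            break
        if incl_len < ETH_HDR_LEN:
            problems.append(f"record {n}: {incl_len} bytes is shorter than an Ethernet header")
            bad = True
        if ts_usec >= 1_000_000:
            problems.append(f"record {n}: microsecond field {ts_usec} out of range")
            bad = True
        if not bad:
            ok += 1
        off += incl_len
    return ok, problems


def build_pcap(records, snaplen=65535, linktype=DLT_EN10MB):
    """Build a little-endian classic pcap from (ts_sec, ts_usec, incl, orig, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, incl, orig, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, incl, orig) + payload
    return out


# Constructed sample: one intact 74-byte frame, then a record that claims
# 1500 bytes while only 40 follow it (a capture cut off mid-write).
GOOD_FRAME = bytes(14) + b"\x45" + bytes(59)
SAMPLE_PCAP = build_pcap([
    (1156000000, 1000, len(GOOD_FRAME), len(GOOD_FRAME), GOOD_FRAME),
    (1156000001, 2000, 1500, 1500, bytes(40)),
])

if __name__ == "__main__":
    usable, found = check_pcap(SAMPLE_PCAP)
    print(f"{usable} usable record(s)")
    for line in found:
        print(" -", line)
```

The check deliberately stops at the first record that overruns the file rather than trying to resynchronise, since every later offset would be a guess; trimming the capture at that point and replaying the clean prefix is the safe option.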

Monday, August 7, 2006

Investigating Sophisticated Security Breaches

Here is one of Eoghan Casey's articles, entitled "Investigating Sophisticated Security Breaches".

Sunday, August 6, 2006


The suggestion that RSS feeds are dangerous is an idea that seems to make the rounds every 3 months or so. Personally, I think that it's more hype than actual danger. People don't normally subscribe to feeds without looking at the site. At least, I hope they don't. Very few sites blindly accept comments. Fewer still allow any sort of embedded code or HTML in comments.

As far as dangers go, this doesn't rate high on my list.
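The one concrete vector the post mentions is embedded code or HTML in comments that then travels through a feed. The following is an added example, not code from the original post: an allowlist filter for the HTML a reader would render from each item's description. It keeps a handful of harmless tags, drops every other tag (and everything inside script and style elements), strips all attributes except a vetted href, and refuses non-http/https/mailto link targets. The feed is constructed for the example; `sanitize_feed`, `sanitize_html` and the tag lists are choices made here.

```python
"""Allowlist sanitiser for HTML carried in RSS item descriptions (added example)."""
from html.parser import HTMLParser
from html import escape
import xml.etree.ElementTree as ET

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "code", "pre",
                "ul", "ol", "li", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitiser(HTMLParser):
    """Re-emits only allowlisted tags; text is HTML-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value:
                v = value.strip()
                if v.lower().startswith(SAFE_SCHEMES):
                    kept.append(f' {name}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    """Return `fragment` with only allowlisted tags and attributes left."""
    p = _Sanitiser()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def sanitize_feed(xml_text: str):
    """Return [(title, clean_description)] for every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        items.append((escape(title, quote=False), sanitize_html(desc)))
    return items


# Constructed feed: one benign item, one carrying an event handler, a script
# element and a javascript: link, as a hostile comment might.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Benign</title>
<description><![CDATA[<p>See <a href="https://example.com/x">this</a>.</p>]]></description></item>
<item><title>Hostile comment</title>
<description><![CDATA[<p onmouseover="alert(1)">hi</p><script>alert(2)</script><a href="javascript:alert(3)">link</a>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, body in sanitize_feed(SAMPLE_FEED):
        print(title, "->", body)
```

Allowlisting is the important choice: a blocklist of known-bad tags has to be updated every time a renderer grows a new feature, whereas an allowlist only ever lets through what you decided was harmless.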

Saturday, August 5, 2006


An online conversation reminded me of the following site for CISSP quizzes: If you're working on your cert and are taking the practice questions, avoid taking them at the Pro level. That level does not correlate (at all) to the level of the questions on the actual test. Try jumping back and forth between medium and hard. If you can get a high grade in medium or a moderately good grade in hard, you'll likely pass the actual test.

Friday, August 4, 2006

Thursday, August 3, 2006

Free courses

Tony Bradley has posted some info about free training for basic info. It appears to be e-mail based.

Wednesday, August 2, 2006


Last June, the ARO (Army Research Office), DARPA, DHS and Georgia Tech hosted a special workshop on botnets. The various presentations are attached to the schedule. I also recommend keeping an eye on Georgia Tech's Information Security Center front page.

Tuesday, August 1, 2006


Hmmm... I'm finding out (the hard way) just how poorly the "wl" command set is documented. For those inclined, you can check my work here. It's not much at the moment but I'll keep working on it.