Wednesday, December 31, 2003
Put me on the not list as I receive 20-30 legitimate messages per day which makes up less than 10% of the total volume. Thanks to various people for writing Procmail, SpamAssassin, SpamBayes, and various virus scanners.
Scraped from Slashdot.
Tuesday, December 30, 2003
Thanks to SilverStr for the pointer!
Monday, December 29, 2003
Oh, and BTW, I have a copy of the book on my shelf.
Sunday, December 28, 2003
Saturday, December 27, 2003
Friday, December 26, 2003
Anyways, I've backfilled the last few days and will settle down to work on a serious back-log of posts.
Merry Christmas, y'all!
Thursday, December 25, 2003
I agree with Bowulf, at least in part. You also have to have logging enabled. If you're working in a NOC, that also means router logs (that's syslog servers, not the dinky space for logging in router memory!). For those networks which aren't allowed to enforce a decent firewall policy, you also need to log high-port to high-port traffic which is where most of your shady-stuff (unauthorized/covert channels, P2P, backdoors, etc.) happens.
I disagree with Bowulf in that logging isn't the sole action you need to take. Closely related to logging is taking and maintaining metrics. A good metrics supports the cliche "a picture is worth a thousand words". If you're watching your network metrics, you learn to recognize "normal" network activity and "abnormal" network activity.
One example of this is e-mail metrics. You cannot read every message that passes through your mail servers. However, if you graph your metrics properly, you should be able to recognize the spread of a new virus within 5-15 minutes of the initial spread (depending how often your graphs are update). While it won't block the new infection (usually nothing will), it does allow you to react quickly enough to minimize the damage and protect the rest of your network.
Maybe a good rule-of-thumb is to maintain metrics on your normal traffic (web, email, etc.) and regularly filter your logs for the abnormal traffic?
Wednesday, December 24, 2003
Tuesday, December 23, 2003
Jabber's XML-based communications have been around for quite awhile. The protocol is open source and there are quite a few tools to work with it. At one point, I'd even adapted it to send Instant Messages to all NOC personnel if a router interface or a service went down.
Monday, December 22, 2003
Got any favorites you want to suggest for a *nix-based server?
Sunday, December 21, 2003
Saturday, December 20, 2003
Friday, December 19, 2003
Thursday, December 18, 2003
Wednesday, December 17, 2003
Tuesday, December 16, 2003
Monday, December 15, 2003
Sunday, December 14, 2003
RFC's are the agreed upon standards by which the "community" is defined. Think of it as the charter for your local government. Protocols (languages) are agreed upon. Responsibilities are defined.
One shortcomiing is that there is no requirement to comply. This allows organizations and individuals to do horrible, aggressive and/or stupid things via the Internet without reprisal. Examples: long distance Outlook-Exchange connections, MS's perversion of the Kerberos protocol, long distance NetBIOS, long distance Telnet/FTP/POP3/IMAP, just about any proprietary encryption scheme, and 90% of the e-mail domains.
For the Internet-based violations, here's a site called "RFC Ignorant", which tracks the stubbornly ignorant.
Saturday, December 13, 2003
Thursday, December 11, 2003
Wednesday, December 10, 2003
Tuesday, December 9, 2003
For those new to the game, FWTK is the Firewall Toolkit, one of the first application proxies written 20 years ago. Amazingly, it's still usable. Combining it with other technologies (SOCKS, ipfw, iptables, Squid, other proxies/packet filters) allows you to build a workable firewall for just about any *nix flavor, including a Mac version.
If you care to read it, click on the Wiki link above and scroll down to the Security section. Let me know what you think?
Monday, December 8, 2003
Early Warning!!: If you manage a corporate network, you may want to consider blocking this, both for sending (if it's possible) and for reading. There's some pretty unsavory blogs over there (people abusing the service mostly). The hosts state in their FAQ that if they receive a court order, they will turn you in if you're doing something illegal.
Sunday, December 7, 2003
Saturday, December 6, 2003
It seems that beaumonday thinks I pick on Microsoft too much. Acutally, if you read REAL close, I pick on everyone who thinks that any one operating system is the way to go. (Do I need to repost my point-and-click administrator rant again?) I'm a firm believer in the-best-tool-for-the-job and know-the-technology-behind-the-gui.
I provide a lengthy response.
Just so I can alienate everyone and level the playing field, out of the box:
- Microsoft Windows is insecure
- Linux is insecure
- Unix (SunOS, BSD, Irix, AIX, Xenix, etc) is insecure
- Cisco/Foundry/Bay/etc. is insecure
- Novell has problems (actually, they had the highest rating by the gov't prior to adding in IP capabilities)
- and the OS that you may be writing has *SERIOUS* problems.
However, when used in conjunction, they can provide a very secure network for your users.
Friday, December 5, 2003
Thursday, December 4, 2003
Wednesday, December 3, 2003
How about semi-conductor physics? (Yet another attempt by those-with-too-much-time-on-their-hands to use sex to teach the less-willing-to-learn.)
But it's funny anyways. The "Booble" search engine is interesting also. (Hint: click on the "Search Britney Space" radio button)
Tuesday, December 2, 2003
Sunday, November 30, 2003
Seems that the spammers developing tools of their own. First the anti-spammer groups set up honeypots whose objective was to tie up and/or detect spam sources. The spammers have responded with "Send-Safe, a honeypot hunter.
I especially like the wording of the product description:
Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called "honey pots". "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.
"Attempting to frame bulkers" indeed. If you're using resources other than your own to spam the planet, there's a problem. "Attempting to frame bulkers" gives the impression that you have a legitimate right to other people's systems. That phrase should read "Attempt to catch resouce thieves". If I catch you using mine, I'm going to do my darnest to make your life hell.
Funny part about it is that they want $299.00 for the program. Must be no honor amongst thieves?
Normally I just filter and delete the spam but I've received a particularly distasteful one (Brazilian kiddie porn) which I'm going to file a complaint about. You can follow along as I whine to customer support about a message entitled "joat, welcome to Ped0Wor1d ayuGYoaf".
First, we need to take a look at the message header. Other than changing my account name (to block account scrapers), the header is as-is from the message.
|Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)|
|for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)|
|Received: from compuserve.com ([22.214.171.124]) by lakemtai06.cox.net|
|(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id|
|; Sat, 29 Nov 2003 21:32:16 -0500|
|Date: Sun, 30 Nov 2003 03:31:53 +0000|
|Subject: joat, welcome to Ped0Wor1d ayuGYoaf|
|X-Spam-Status: No, hits=2.1 required=3.0|
|NO_REAL_NAME,REFERENCES,SPAM_PHRASE_00_01, TO_LOCALPART_EQ_REAL version=2.44|
|X-Spambayes-Classification: ham; 0.07|
Notice the two "Received:" lines.
|Received: from pop.east.cox.net by localhost with POP3 (fetchmail-6.2.1)|
|for joat@localhost (single-drop); Sun, 30 Nov 2003 08:43:06 -0500 (EST)|
|Received: from compuserve.com ([126.96.36.199]) by lakemtai06.cox.net|
|(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id|
|; Sat, 29 Nov 2003 21:32:16 -0500|
Unless one or more of them have been badly forged, "Received;" lines are normally in reverse chronological order. When backtracing spam, you work in the same order, verifying each line until you reach the line that doesn't "read" correctly. Since there are only two lines in this instance, it is very easy to trace this one back to its source.
The first "Received:" line is a normal entry, generated by my instance of fetchmail.
Right away, the second line has an error in it that sticks out: it's not from the domain that claims to be (CompuServe). Rather, Cox's mail server recorded an IP of 188.8.131.52 as making the connection. It's also significant that the "Return-Path:" address is also not CompuServe.
Finally, the lack of any other "Received:" line is also significant. Normally you would have a client-to-server entry followed by a server-to-Cox-server entry to show that the mail was generated by a mail client and uploaded to the sender's mail server before that server "talked" to Cox. (Too confusing?)
What this means is that a program connected directly to Cox's mail server to generate the mail. In other words, a non-MTA program connected to port 25 on Cox's mail server and "typed the message directly onto the server". This is a technique that system administrators use in troubleshooting mail delivery. Anyone know of spammer programs that use mail lists, do MX lookups, and connect directly to the applicable mail servers?
Anyways, we can still trust most of the second line. Except for "from compuserve.com", the line is generated by the Cox mail server. The IP address is significant in that a reverse lookup reveals that it's an ATT IP address:
$ nslookup 184.108.40.206
220.127.116.11.in-addr.arpa name = 12-229-105-222.client.attbi.com.
Note that if you don't have "nslookup" or "whois", SamSpade.org has a nice web-based version.
A WHOIS lookup returns the following:
$ whois 18.104.22.168
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
22.214.171.124 - 126.96.36.199
Comcast Corporation COMCAST-12-229-96-0-WASHINGTON (NET-12-229-96-0-1)
188.8.131.52 - 184.108.40.206
This indicates that while AT&T owns the IP address, they "sublet" the chunk which our suspect IP belongs in to Comcast Corporaton. Note the "NET-12-229-96-0-1" in parenthesis. We can do another WHOIS lookup on this to get:
$ whois NET-12-229-96-0-1
CustName: Comcast Corporation
Address: 1500 Market Street
NetRange: 220.127.116.11 - 18.104.22.168
TechName: Kostick, Deirdre
OrgAbuseName: ATT Abuse
OrgTechName: IP Customer Care
OrgTechName: IP SWIP
This gives us the address to send our complaint to: "firstname.lastname@example.org".
The trick to filing a complaint of this type is to be polite and to present all of the facts (as we've done above). It's also a good idea to provide the original message, with headers, as an attachment to the complaint. You also want to give the ISP an "out" in this case as it may be a hacked box on the far end.
The wording of my complaint (which I've just sent):
To whom it may concern,
Please forward the following to your Abuse and Security departments.
Please find attached an unsolicited (and particularly distasteful) pornographic e-mail advertisement (porn spam) that showed up in my in box. Various things about the headers are notable:
1) The "Return-Path", the source IP, and the source hostname all conflict. That is: "email@example.com", "compuserve.com", and "22.214.171.124" respectively.
2) There are no other "Received:" lines other than the one generated by my Fetchmail utility (which I will vouch for the accuracy of) and the one generated by my ISP's (Cox) mailserver. This is indicative of a program connecting directly to Cox's mail server.
The IP recorded by Cox's mail server belongs to one of your customers. Please determine whether the user at that IP is running a spamming program or if it has been compromised by a trojan or worm which allows spammers to use it in a similar manner.
One side "thought" generated by all of this. When the new federal anti-spam law goes into effect, there's going to be some trouble. There's a strong possibility that this source IP is infected with something similar to the Jeem trojan, which allows for remote control spamming. Given that law enforcement is in a constant game of technological "catch-up" with hackers/spammers, I hope they learn how to read and interpret message headers before throwing some poor church-going Granny in the slammer for spamming the planet with "l33t pr0n".
Went window shopping at a few stores yesterday to price a replacement hard drive and noticed that two of the larger chains are now selling 128M thumb drives for about $58.00 US. Saw a 64M USB v1 one for less than $20.00.
Until recently, it'd seemed that the price was never going to go under $1.00/M.
Saturday, November 29, 2003
Some organizations use it instead of ISS as it's attack database is generally larger and more up-to-date. The drawback is that it also can do damage in it's penetration testing if you're not careful (there are switches to disable the more brutish attacks).
Update: Bowulf has a piece in which he indicates that you can avoid the setup and configuration of Linux and Nessus by using Knoppix STD. The only thing you have to worry about otherwise is gathering the updated NASL signature files.
Hint: you can add them to the distribution prior to buring the iso by mounting it via the loopback device. (If there's enough room.) For Linux, try
mount cdimage.raw -r -t iso9660 -o loop /mnt
Friday, November 28, 2003
In the last few years, Netcraft took a beating from the more zealous side of the Open Source house for saying various nice things about Microsoft and IIS. They were even accused of taking money to produce a slanted survey. Here's another similar situation...
NetCraft has stated that Apache runs on the majority of the web sites on the Internet (and has done so since some time mid-Feb 1996). Now there's an org called Port80 Software that says some pretty nasty things about NetCraft. It appears that they're trying the old "running for office campaign" strategy in which the main tactic is to say negative things about the other guy.
Actually, if you read closely, both reports could be true. In other words, it's very likely that IIS has the majority of the Fortune 1000 corporate server realm while Apache has the overall lead. (Hey, at one point I was responsible for 8 individual web servers, only one of them corporate, and none of them IIS.) The problem I have is with the slights thrown in the article which attempts to give NetCraft (I can't believe I'm defending their tactics) a black eye.
I was suspicious enough of the main article to look at it even close. If you look at the data, port80 only looked at the top 1000 corporations. In this case, "top 1000" is the "Fortune 1000" corporate listing. That means that out of the 30298060 web sites polled by NetCraft, port80 says only a specific 1000 of them "count" so that they can declare that IIS has a majority. (Aside: It could also mean that a majority of the Fortune 1000 CIO's saw the "no one's been down to the server room in days" commercial and was gullible enough to believe it.)
Thank God for "Lies, Damn Lies and Statistics"?
Nothing like leveraging of off someone else's reputation, huh?
Thursday, November 27, 2003
Should I select the same service provider to manage both IT services and security services?
No, absolutely not. System administrators that also understand security are rare and (usually) high paid. Unless your system administrator has been around the block quite a few times (able to stand up servers using three or more OS's), it's usually a safe bet that they will attempt to do EVERYTHING using the same OS. You end up with a monolithic network (this is the "all your eggs in one basket" train).
What process should I follow when implementing a managed security service?
Semi-agreement with the article. Before you farm out your security services, you should have well-documented policies, procedures, and plans.
How do managed security services affect corporate security risks?
Realize that it is still your organization that is responsible for overall security. You're hiring someone to provide reports on the status of your network. It's still up to you to "push" policy. It'll also be up to you to deal with the politics. If the hired security says that someone is doing something that's against policy, it's up to you to either correct the person or change the policy. Please note that ignoring the situation is bad practice (you're paying for security!) in that it's not a known condition and if you don't correct it immediately, you can't fire anyone for it at a lter date. If it involves anything "shady", you could be sued by other organizations if the situation expands and affects them.
What are the pitfalls of managed security services?
Cost mostly, but depending on what you're buying for service, it can be cheaper than having your own full-time in-house talent.
Also, if you've never had ANY security up 'till now, be prepared for some surprises. The first report that shows up on your desk may tell you a few things about your network that you don't want to hear. Examples of this could include: a virus infection, Bob in accounting spends most of his working time surfing porn, your secretary runs peer-to-peer file trading software at her desk, Fred in purchasing is selling corporate assets on eBay, etc. Just try to remember that these are the reasons that you hired out for security in the first place. Don't shoot the messenger.
What problems are best addressed by managed security services?
If you can't afford (or retain) full-time in-house talent, managed services are definitely an option. See the article for a much better explanation.
"So don't do that."
While that may make for shoddy medical practice, it's even worse for security. According to ZDNet, Microsoft has issued a "knowledge paper to fix the hole in MS Exchange's OWA.
Anyone else see bad practice here?
(Hint: if they call it a "fix", marketing can claim that MS "fixes" things rapidly.) Want to talk fast, an ElGamal bug in GPG was announced today. Guess how long you have to wait for the patch? Answer: It's already out.
Wednesday, November 26, 2003
Tuesday, November 25, 2003
Monday, November 24, 2003
Sunday, November 23, 2003
Is it worth anything? Like a lot of other things on the Internet, the answer is "it depends". It depends on how well people trust the site and use it. Note: You don't have to use Verisign, you can issue your own certificates. Verisign's strength is that, by way of government sponsorship, the majority of users "trust" it as a CA.
Update: For those that are interested in rolling your own, check out the "OpenSSL Certificate Cookbook".
Okay, let's see him try the "a trojoan did it" defense! (Warning: Article is about a really sick f**k.) (Sorry but that's the only description for him.)
Saturday, November 22, 2003
Friday, November 21, 2003
The paper also describes defenses against those attacks.
Wednesday, November 19, 2003
Then again, it might not have. We finally figured out that d*mn Pix's had to be rebooted for the configuration to load properly.
In any case, it's a nice to have.
Tuesday, November 18, 2003
- Could it be that they finally get it? Just a little bit?
- They also want to do some buy and kill, especially after Google pulled a fast one.
- Why won't they learn that shouldn't promise stuff a trade shows? Anyone else remember the super-fantastic backup technology that Microsoft promised at a Comdex? Funny, Veritas and friends are still around. (The super-fantastic Microsoft backup robot isn't.) That and tablets have already been declared dead.
- Bill also use Comdex to announce new anti-spam tools. I really hope that Bill didn't use the word "spam" as Hormel might get a little pissed that the worlds (sometimes) richest man is attempting to profit off of the name of one of their products.
- Meanwhile, pundits punditted that this would put other anti-spam products out of business (yeah, just like IIS and Active Directory did?)
- Meanwhile, Steve was in Japan, making promises of better security while spreading FUD about open source products.
- Microsoft has put a "bounty" on the heads of malicious code writers, specifically two evil-doers.
- The "discussion" over those bounties is only a couple insinuations above a name calling contest
- Users are a bit less than pleased with Microsoft's new patches
- and yet two more exploits that use port 135 were made public along with another vulnerabiltity in Microsoft Exchange.
Side note: Sorry this is showing up on Tuesday. I'd meant to post it on Sunday but it took this long to pull all of the MS-related stuff off of the spike.
Monday, November 17, 2003
I heartily agree with him and will throw in my own comments here...
Many upper management types are worried that "we'll be seen as network Nazi's". Personally, I don't care of your opinion of me if the network is running properly. If the security model (based on the business model) requires that I flog every dolt who thinks the rules don't apply to them, so be it. Call me all the names you want. I plan on going home at the end of the work day.
Also, and this might sound contrary to the above, you have to have realistic and enforceable rules. Anything else breeds contempt and circumvention of the rules. The end-user also has to understand the reason for each of the rules. This requires user training and user agreements.
Sunday, November 16, 2003
Saturday, November 15, 2003
For the short version, Bridging Firewalls are effectively network bridges which have IPTables-like filtering added in. They are "invisible" because you don't add IP addresses to bridges.
Friday, November 14, 2003
Thursday, November 13, 2003
Under *nix, it's quite easy (and doesn't need to be explained here.).
Is this usable?
Also, he seems to have had better luck with SpamBayes than I have. Could it be that my run-away collection of Procmail recipes is finally catching up with me? It has piqued my interest in graphing my spam though.
Wednesday, November 12, 2003
Tuesday, November 11, 2003
- Incident Response Tools For Unix, Part One: System Tools
- Incident Response Tools For Unix, Part Two: File-System Tools
Definitely worth the read. Both articles have an extensive list of tools and links.
This is a test. This blog is conducting a test of the Emergency Blogcast System. This is only a test.
This is a test of the Emergency Blogcast System. The bloggers of your area, in voluntary cooperation with just about no authorities, have developed this system to keep you informed in the event of blogger's block. If this had been an actual post, the Annoying Noise you just heard would have been followed by interesting information, witty posts or snarky behavior. This blog serves the Tidewater area. This concludes this test of the Emergency Blogcast System.
(I was out of town for awhile and missed the official test)
Monday, November 10, 2003
- "external" pings feature in the main config
- the ability to figure out the trackback URL for posts which include pointers to other trackback-capable blogs
Sunday, November 9, 2003
"I sick and tired of it and won't take any more!!"
What am I ranting about? Comment spam.
Jeremy, Chris, Adam, and duemer have all vented on this topic and have had varying levels of success in fighting back.
Kalsey Consulting has also posted a howto entitled "Cutting Comment Spammers Off at the Knees" and a "Manifesto".
And before you think this is a small group of people, try looking at:
- and many more (Google for them via "blog comment spam".)
In response to the comment spam here, I'm brushing up on my tracking skills and have added the fine print at the bottom of the main page. (Hey, spam is illegal here in Virgina! Be glad I'm only asking for $100.00!!)
[With apologies to those on the receiving end of the trackbacks; this has a lot of links in it.]
Saturday, November 8, 2003
- Given that the author already knows how to break into computers, what's to stop him/her from chosing another programmer and planting the "evidence" on that person's computer before calling the cops?
- Where is all this bounty money coming from? (If you can't guess the obvious answer, e-mail "firstname.lastname@example.org" with a subject line of "obvious answer" (without the quotes)(an infobot will answer).
Friday, November 7, 2003
This entire post is a peevish vent so you may want to skip it.
Okay, I'm back. My last job made me a cynic (network security officer for 30,000+ users). This new job isn't improving my impression of the general public any. This job requires that I travel every other month or so, so I get to view the public "up close and personal". Here's what's set me off this time:
In the U.S., airlines load planes from the back to front. One of the attendants will call out over the announcing system "Now boarding rows 15 through 22". This causes 30 or so of us to queue up and slowly drag ourselves and a carry-on piece of luggage onto the plane.
I've done this four times in as many days and, without fail, there's at least one moron from row 6 or so that makes the super-human effort to get onboard before the rest of us (he cuts in line). Short version: the entire compliment of passengers are delayed while those that should already be on the plane before him waits while he tries to jam an oversized bag (that should have been checked) into the overhead storage. On one of the four flights, this held up boarding long enough that the plane was bumped from it's position in the take-off queue (an additional 10-minute delay).
Would someone explain to me why these people think that they'll get where they're going quicker if they cut in line? Seriously, I think these people should be bumped to the "on standby" category and forced off of the plane.
Thursday, November 6, 2003
File this one under the "Mebbe I Should Start a 'Cult' Category" category. (That's where the BBC filed it.)
The BBC is going to adapt the remaining Hitchhiker's books to audio.
Yeah, I know: This makes me an old geek. Doesn't anyone else remember staying up late to listen to the Radio Mystery Theater? Extra credit if you did it via a tube or crystal set!
Wednesday, November 5, 2003
Bill: Give me a list of the domains and their expirations and I set up cron jobs so that you can be notified a month or so ahead of time.
Tuesday, November 4, 2003
Monday, November 3, 2003
Even though this one is from Slashdot, it makes for interesting "entertainment" (loosely defined).
Every community has their own nut cases. The Internet isn't any different.
Remember awhile back where everyone got spammed by that guy looking for the dimensional warp generator so's he could get back to his own time. He was quickly "outed" by a group of people who are now on the receiving end of what amounts to an e-mail bombing (mail with forged return addresses in intentionally bounced off of legitimate servers in an attempt to fill the victims' mailboxes and block legitimate mail to them.
I had a Great Uncle who responded to situations in a similar manner. It kept a family feud going for decades.
Sunday, November 2, 2003
Saturday, November 1, 2003
I may be out of touch for a few days as I'm headed for New Orleans first thing Monday morning. I may have connectivity, I may not. The map for my cell phone service is kinda vague as to what service is available, just like it was when I was visiting my parents (had to drive halfway down a mountain but found service)(pretty good connection in that 100 or so feet).
Anyways, I'll keep posting. It's just that you might not see the posts until I get back.
Thursday, October 30, 2003
Yet Another Distribution On CD: Dyne:Bolic.
This one is targeted, more or less, at artists, claiming to contain everything you need to record, edit, encode and stream audio and video data, all without having to set up an extra partition on your hard drive.
This distribution also auto-discovers other Dyne:Bolic systems on the LAN and clusters with them.
Wednesday, October 29, 2003
Tuesday, October 28, 2003
Monday, October 27, 2003
Note: this guide is also available on PDF form from the same site.
Sunday, October 26, 2003
I've added the following to the wiki:
- Using formail to break incoming message digests into individual messages
- Playing sounds when mail arrives
- How to add MySQL logging to MIMEDefang
- Like or hate the multicolored syntax highlighting? Turn it on or off!
- Opening many files at the same time
The link for the wiki is in the menu bar above.
Saturday, October 25, 2003
One of the things about running intrustion detection on your home system is that you often see stuff that your service provider doesn't want to (or can't) deal with.
My service provider is a very large (read that as national) high speed cable provider. Currently it's in the middle of a severe ARP storm. It's gotten so bad that connecting to this site from across town is slow.
I logged the packets and had them ready to mail off. Turns out the helpdesk doesn't know what the heck I'm talking about. I ended up entering a clueless level ticket in which I complained about "the Internet being slow". It was about the best I could do via that poor kid. He started getting confused when I talked about DHCP, arp requests, and MAC addresses.
Oh well... I'm off to the doctor to see if I can get this key cap removed from my forehead.
Thursday, October 23, 2003
Wednesday, October 22, 2003
Tuesday, October 21, 2003
Sunday, October 19, 2003
Secure the perimeter?
Secure the perimeter?
Secure the fsck'in perimeter!?
Gee, I think that puts Microsoft's level of security at circa 1990. Does it mean that Microsoft is abandoning trying to secure the code?
After a quick read, I think I can make a few quick preditions:
- Microsoft will make lots of money selling "more capable" firewalls
- Millions of Microsoft users will be complacent about their internal networks because "Hey, we've got a firewall to protect us!"
- resulting in thousands of crunchy-on-the-outside, chewy-on-the-inside networks, thereby lowering the overall level of security on the Internet
One of the biggest shortcomings about using Microsoft workstations is that each and everyone of them is also a server because the same services used to join the local network allows the workstation to share services and data. Let's enumerate what ports 135, 137, and 139 are used for:
- DHCP to configure your workstation
- getting your mail to/from the Exchange server
- RPC calls (allows someone else to remotely run functions/programs on your machine)
- Microsoft's DNS and WINS services
- network logons
- printing services
- file sharing
- directory replication
- event viewer services
- registry editor
- user manager
- and diagnostics
And that's just to/from a workstation. I'm amazed that it took as long as it did for someone to consider NetBIOS as an infection vector.
Welchia provided a very good example of why security has to be from the ground up. Various organizations learned the hard way that while their firewalls protected the front door, various backdoors lurked in their networks. That couple with a laissez-faire attitude for timely patching allowed the damage to stack up like it did.
Hmm... I wonder how Microsoft is going to do/market it. Single-purpose applications? Peer review of all code? [*gasp*] (Yeah, you heard me. I said "open source".) "Embracing and extending" more security protocols? Couple all this with the DRM crack they're pushing and recent attempts to get into the BIOS (the stuff that tells your computer how to boot) business, it's going to get real interesting.
I can hardly wait.
Friday, October 17, 2003
Wednesday, October 15, 2003
Monday, October 13, 2003
SunnComm would not only have to sue the Princeton student, they'd have to sue Microsoft for engineering the workaround for SunnComm's security device.
Odd that SunnComm stated that they didn't want to be the one to stiffle research. Some research.
Ever wonder where the book burners from the 50's went to? They went online.
Why am I saying this? I'm reading a lot of discussion concerning the "we gotta do something to fix this" movement where people are suggesting that "we" "fix" IRC, SMTP, and HTTP so that the miscreants can't abuse them anymore.
At face value, this might appear to be a good idea. But if you think about it, it's a horrible plan.
First, there's little wrong with the actual protocols. It's the software at the client end of the protocol that's the problem (mostly). Whether it be the horribly insecure mail client or the worm with the built in IRC bot.
Second, adding features to a product rarely makes it more secure. The more complex a program is, the more likely it will contain errors and/or exploitable "features" (not necessarily bugs).
Third, it smacks of vigilante justice which I severely mistrust. (Ask me sometine about my coffee drinking habit getting my 80-year-old grandmother in trouble with the church.)
Want to make the internet a safer place to work/play? Try a few of the following:
- Use a different mail client at home than you do at work. If possible, don't use the Outlook/Outlook Express.
- For that matter, use a different OS (or at least a different version) than what you use at work.
- Use a different virus scanner at home than you do at work. Ideally, your work will use more than one scanner. Make sure to check for new signature updates on a daily basis.
- Use a firewall. If possible more than one. (i.e., use a software-based one on your computers along with the one on the four-port router.) Ideally, your employer will use a corporate-grade firewall which hopefully has application proxies for most of the protocols used. In any case, configure your firewall(s) to only allow those protocols that you need to conduct business/pleasure. Turn off everything else.
- Learn how to read your log files. Why go to all the trouble of getting those neat security tools and then treat them like pretty toys?
- Learn how to read message headers. It will help when you're trying to figure out if Aunt Milly actually sent you that infected message.
- Learn how to politely report incidents where they be spam, ports scans, or viruses. Most ISPs will respond to effective and polite emails indicating that something is amiss in their networks. Be polite even when you're angry. Even if it hurts.
- Pick a computer news site, an anti-virus vendor's site, and a CERT site (there's lots of them). Visit each of those sites at least once a week and read the "new stuff". For the really adventureous, find a RSS feed aggregator and subscribe to a bunch of security-related feeds. (Personally, I like BlogLines which is completely online and if you ask nicely, I provide a list of the feeds I use.)
You don't have to do all of the above. Two is okay. It improves life for the rest of us just a little bit. Anyone else have any suggestions to add to the list?
Sunday, October 12, 2003
Hint: the only way to stay anonymous on the Internet is to stay off of it, forever (and that doesn't always work either)!
Friday, October 10, 2003
Thursday, October 9, 2003
Wednesday, October 8, 2003
This is an exercise that only the very stubborn should attempt as it's very difficult and (IMO) you'll never come up with the same result twice. An interesting read though.
|I think I've found a graphic to go along with my rants about users (Thank you, Vowe.). Doesn't looking at them just make you all warm and fuzzy inside. (I'm going to ruin that.)|
The usual rant will probably go "See how happy they are? It's because they don't know any better."
Consider yourself warned.
This is an extremely short document as government standards go but has far reaching effects as it sets a standard in base terminology for information security and information systems security. The shorter version of the document is "This applies to data, systems, personnel and organizations."
The acceptable format is:
- "information type" is the person, org, data or system being described and
- "impact" is either "high", "moderate", "low" or "N/A".
You'll see this used in incident reports, acquisitions, etc. If you interface with government organizations in any way, start using this now. You'll be ahead of the game when its use becomes mandatory (December).
Tuesday, October 7, 2003
Sunday, October 5, 2003
Back in the dark ages of history, Occam once posited "Throw that thing out there enough and, eventually, it'll come back and hit you in the head."
Okay, I'm making it up but it's funny that an industry who makes money calling you doesn't want you to call them. Thank you Dave Barry!!
Side note: The ATA's website appears to be also down at this time, either from the Slashdot Effect or from angry telemarketing victims overloading it.
SCOTTeVEST specializes in garments with extra (lots!) pockets. They've even got a hat with two hidden pockets.
As someone who owns a vest capable of carrying enough tools to manufacture and punch down Cat-5 and polish fiber (including the heat block), I recommend having one (yeah, I know: geek!).
Saturday, October 4, 2003
Note: This is a discussion for the "good" uses of this/these tool(s). Too many are describing how to use these tools for "evil". We're all going to pay for that in the long run (in the form of overpowered laws, censorship, etc.). We'll end up with laws equating to having all hammers outlawed because there's a certain percentage of the population that have blugeoned their spouse to death with one.
Don't think so? It wasn't that long ago that legislating "responsible disclosure" was unheard of. Nowadays, there's been multiple attempts at it.
Friday, October 3, 2003
Thursday, October 2, 2003
And if you look closely at the options at the top, there's a link to getting Flash installed properly too.
A good read, especially if you're interested in what goes on in your start scripts.
Wednesday, October 1, 2003
Unfortunately, the human condition is predisposed to creating these environments. People tend to take the path of least resistance. Why trouble to "see the world" when you can marry "the girl next door". It's easier to run the same operating system on your firewalls as you do on your workstations. It's easier to train your users to run the same word processor, whether it's unfriendly to every other WP or not.
@stake, whose origins were not exactly related to a business plan, "sold out" (IMO <-- for those litigous natures) long ago. Mr. Geer was fired because his opinions conflicted with someone in charge. (Hint: Companies don't have opinions. People do. He was fired because he angered someone with the power to do so.) (I hope he sues because he was expressing concerns about a security issue while being employed by a company which specializes in security.)
And before you put me down as being anti-MS, let me state that I'm not. Rather, list me as a member of the "the best tool for the job" crowd. If you're running MS on your desktops, you'd better be running some version of commercial Unix on your firewalls and some other version of *nix on your NOC equipment. The larger your customer base is, the more important this is. Diversive network equipment, while requiring a wider talent-base (read that as $$), is more resistant to inbreeding and failure in the long run.
[Oh and, yes, you can put me down as implying that point-and-click administrators have narrow family trees. Eventually it leads to "Hey, what's this button do?" and "Hey, watch this!" (Which leads to family-hour comedy shows. But that's another story.)]
Note: Philip Greenspun has a post on the same topic. I'm especially entertained that "ass ugly" is a logarithmic (Gaussian) scale and that the majority of system cases are a .05 deviation. [I wonder if he ever saw the attempt to sell cube-balanced-on-a-corner systems to self-styled power geeks [okay, posers!] (circa 1998).]
How do you prevent your network from getting the Welchia worm a month after the patch is issued? INSTALL THE PATCH, DAMMIT!
Using the "we're safe, we have a firewall" as a network defense either means you're severely deluded or you have no users on your network. And any previous reference you've made to "defense in depth" or having a secure network compounds your problem, making you look like an *ss.
Why do I have this near-unresistable urge to go into my point-and-click adminstrators rant? Or to tie someone to a chair and force them to watch "War Games" in an unending loop.
Monday, September 29, 2003
Sunday, September 28, 2003
Changes so far:
- Comments displayed on the main page (I think I've got it tweaked to where I want it.)
- Trackbacks listed on the main page (requires more cosmetic tweaking)
- Removal of the IM feature (never got much use)
- Removal of the BlogSnob stuff
- Added a couple buttons on the left
- Removal of links not directly related to blog.
- Coming up with my own version of BlogRolls (why pay for something when you can write your own?)(I'm getting better with PHP!)
- "fixing" the boxes around each entry (a few complaints about same)
- making my aggregators available (I use 3 from various locations during the week)
- Embedding a couple blogs in columns 1 or 3 for use as sidebars
I can "put back" anything if anyone wants (complain loudly!!).
I'm going to abuse the 24x7 customer support line this afternoon. I'll keep you posted.
Saturday, September 27, 2003
Thursday, September 25, 2003
Tuesday, September 23, 2003
Monday, September 22, 2003
The Serv-U FTP server hack seems to be (in my experience) the widest used hack. It's how all those IRC DCC file servers get set up for the #warez and #movie channels. They're not real hard to clean up after but they can be an embarassment to whomever was responsible for network security in the first place (school had this, bad!).
Sunday, September 21, 2003
Tinfoil Hat Linux is a single-floppy Linux distribution for the paranoid on the go. It will allow you to boot Linux on just about any machine, grab your encrypted e-mail, read it, send replies, and move on, leaving little or not trace.
Useful if you're that paranoid person, yet another hard-to-trace problem if you're a network admin type.
Anyways, back to the blog...
Did I miss anything while I was offline?
Tuesday, September 16, 2003
Monday, September 15, 2003
Sunday, September 14, 2003
Isabel is due to pass directly overhead sometime late Thursday so if I don't post for awhile (or if the server goes away entirely), you'll know why.
With the exception of one bad storm in the 80's, this area has dodged the bullet, more or less, for over 30 years. Local wisdom has said that we average one bad one every 15 years or so.
Me? I've been here, off and on, since '81. During the storm in '84 (I think), my property consisted of one motorcycle which I had to spend a month cleaning as it spent the storm in a parking lot approx. 100 yards from the beach (I had no chance to move it.)
After the storm, it was exactly where I left it but I spent the next month cleaning salt out of it (and the leather was ruined).
Nowadays I have a house, two vehicles, and a panicky wife. There's a good chance that my job will require me to "ride it out". I still want my wife and teenager(s) (ask me sometime), out of town.
Wish me luck.
Saturday, September 13, 2003
In the ongoing battle to detect customers' infected machines, I've come across an interesting bit: any machine infected with the Welchia/Nachi worm is left running an open TFTP server. "Open" in that it will accept any file you hand it.
I still don't know if I'm limited to a folder or if I can put it anywhere I want or pull any file I want. I'm going to have to dig out the old VMWare and try it out, I guess.
Friday, September 12, 2003
This moron over at The Globe and Mail seems to think that Microsoft doesn't have the "most hacked" title. Someone want to clue him in that most "hacks" for MS are so easy that they've been automated and turned into viruses and worms. (A worm which leaves a backdoor for remote access might be called "automated break-in"?)
Faugh on marketing twisters!
Those responsible have been sacked and the moose is feeling much better now.