Monday, June 30, 2003
Incident Handling Checklist
Sunday, June 29, 2003
Deadman.org Tutorial: SSH-Agent
For those that don't know what it is, ssh-agent (and ssh-add) allows you to authenticate (type in your passphrase) once and, for the rest of the local session, automatically authenticate to remote sessions (you don't have to type in any more usernames/passwords).
For any systems administrator, this is a godsend. You can even run scripts remotely or pipe output invisibly with this technique.
Saturday, June 28, 2003
Intro to Block Ciphers
Friday, June 27, 2003
On the road
Thursday, June 26, 2003
Basic Steps in Forensic Analysis of Unix Systems
Another gotta read.
Out of town
Wednesday, June 25, 2003
Intro Shift Registers
This is good theory for C/C++ programmers.
Tuesday, June 24, 2003
NetAdmin Tools Tutorial: Build Your Own RPM
Deadman.org Tutorial: SSH Agent Forwarding Inside of Screen
Screen allows you to disconnect from a session while leaving it running. A problem arises with SSH agent forwarding if you later log in from somewhere else, because the environment variables the reattached session relies on have changed.
A nice technique to know.
Sunday, June 22, 2003
Another tool for fighting spam
The short version is that the software keeps track of "relationships" which are made up of the sending IP, the sender, and the recipient. Oh! This software is intended to be built into an MTA (server) rather than a MUA (mail client).
Does SCO have a case?
Concerning the unnamed trojan that's causing an increase in traffic on the Internet:
Various providers have seen a marked increase in the "noise" content of traffic through their outer routers. All of it is high-port to high-port, usually greater than port 10000 on both ends. When I first read an article about it, a week ago, I thought it was just marketing fluff. Now, after seeing it discussed on various security mailing lists and a number of articles having been written about it, I decided to do a bit of research.
Here's what's known about it so far:
- It was first noticed on or around 16 May.
- It sends out SYN packets whose TCP window field is set to 55808. Note that this has nothing to do with the actual packet size, which is usually much smaller.
- The source addresses are spoofed.
- It has been said the packets contain the phrase "day 0", which alludes to this possibly being a "zero day" exploit. Others have said that this is "total bull."
- No one has been able to prove that this is a worm, a trojan, a control signal for some other binary, etc.
- It's not a SYN flood; that would require a single target. These targets appear to be random, and the traffic volume is excessive.
- Some of the traffic may be from copycat malware (see source #3 below).
If it is a worm, it has the possibility of being nasty. Given that it is spoofing source addresses, it's designed not to care if the packets return. However, it sniffs for the ACK packets generated by return traffic from targets "scanned" by other infected systems. I'm making the "nasty" comment in that this worm had to have had an initial critical mass before it was able to generate this noticeable level of traffic. Either this is a second stage infection or someone compromised a LOT of systems to get this infection off of the ground.
Alternately, this may be a proof-of-concept distributed network scanner. While mostly innocuous at this point, it foretells some dark times for information security types.
- Ensure your firewalls are configured properly. They should only pass that which you explicitly allow. This will prevent any high-port to high-port traffic from passing through your firewalls.
- Ensure ingress/egress filtering is properly configured on your premise routers. This will block traffic with spoofed source addresses.
- If anyone is able to set up a packet capture for this traffic, please forward it to me (hint: tcpdump tcp[14:2]=55808, credit to Mark Swaar; add the appropriate switches to save the entire packets).
Update: no longer needed. The filter does work. The packets are empty SYN packets with large windows.
- If anyone is able to capture the offending binary, please forward it to me.
1) Title: Trojan Picks Up Steam, Baffles Experts
2) Title: New Breed of Trojan
3) Title: Intrusec Alert: 55808 Trojan Analysis
4) Title: Meet Stumbler: Next Gen port scanning malware
5) Title: Mysterious Net traffic spurs code hunt
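The tcpdump hint above is a raw byte-offset filter: tcp[14:2] is the two-byte big-endian field at offset 14 of the TCP header, which is the window size. The following is an added example, not code from the original post or from any of the sources listed; it applies the same test in pure Python to a few constructed IPv4/TCP packets (test vectors built inline, not captures) and tags each hit with the other traits noted above: high-port to high-port, and an empty SYN with no payload. The third sample packet shows the caveat an analyst should keep in mind: the filter matches on the window field alone, so a non-SYN packet that happens to advertise a window of 55808 is also caught and has to be separated by looking at the flags.

```python
"""Apply the capture filter tcp[14:2]=55808 in Python (added example, constructed packets only)."""
import struct

WINDOW_55808 = 55808
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, window, payload=b""):
    """Construct a minimal IPv4 + TCP packet as a test vector (checksums left zero; nothing is sent)."""
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0,          # sequence number
        0,          # acknowledgement number
        5 << 4,     # data offset: 5 words = 20 bytes, no options
        flags,
        window,     # this is the field tcp[14:2] reads
        0,          # checksum (not computed for a test vector)
        0,          # urgent pointer
    )
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,       # version 4, IHL 5 (20-byte header)
        0, total_len, 0, 0, 64,
        6,          # protocol: TCP
        0,          # checksum (not computed for a test vector)
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return ip_header + tcp_header + payload


def tcp_header_of(packet):
    """Return the TCP segment of an IPv4 packet (honouring IHL), or None if it is not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    return packet[ihl:]


def matches_55808_filter(packet):
    """Equivalent of the tcpdump expression tcp[14:2]=55808 (window field only, flags ignored)."""
    tcp = tcp_header_of(packet)
    if tcp is None:
        return False
    return struct.unpack("!H", tcp[14:16])[0] == WINDOW_55808


def is_empty_syn(packet):
    """True when the segment carries only the SYN flag and no payload past its header."""
    tcp = tcp_header_of(packet)
    if tcp is None:
        return False
    data_offset = (tcp[12] >> 4) * 4
    return tcp[13] == TCP_FLAG_SYN and len(tcp) == data_offset


def triage(packets):
    """Return one record per packet matching the filter, with the traits the post describes."""
    hits = []
    for pkt in packets:
        if not matches_55808_filter(pkt):
            continue
        sport, dport = struct.unpack("!HH", tcp_header_of(pkt)[:4])
        hits.append({
            "sport": sport,
            "dport": dport,
            "high_to_high": sport > 10000 and dport > 10000,   # both ends above 10000
            "empty_syn": is_empty_syn(pkt),
        })
    return hits


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    # 1: the pattern described above: spoofed-looking source, high ports, empty SYN, window 55808
    build_ipv4_tcp("203.0.113.7", "198.51.100.9", 31337, 44444, TCP_FLAG_SYN, WINDOW_55808),
    # 2: an ordinary SYN to a web server with a normal window; should not match
    build_ipv4_tcp("192.0.2.10", "198.51.100.9", 51000, 80, TCP_FLAG_SYN, 65535),
    # 3: an ACK with data that happens to advertise window 55808; matches the filter but is not an empty SYN
    build_ipv4_tcp("192.0.2.11", "198.51.100.9", 52000, 8080, TCP_FLAG_ACK, WINDOW_55808, b"GET"),
]


def main():
    for hit in triage(SAMPLE_PACKETS):
        print(hit)


if __name__ == "__main__":
    main()
```

Running the block prints two records: the first is the high-port empty SYN the post describes, the second is the ACK that the window-only filter also catches, which is why a capture taken with this filter still needs the flags checked before anything is counted as this traffic.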
Saturday, June 21, 2003
Bad Practices: Analogies to the Real World
Bad analogies. Used mostly as ill-constructed attempts to prop up one side of an argument that revolves mostly around an opinion rather than a fact. Examples include:
- comparing someone port scanning to someone wandering through town, rattling doorknobs to see if they're unlocked
- any argument that treats bandwidth as a conservable resource
- almost any justification for or against illegally copying software
- almost any justification for extremely harsh cyber-laws (Don't believe me? Do a little research on allowable punishments.)
- any altruistic reason for doing anything on the web
What set me off this week was overhearing two people argue the pros and cons of what is known as "responsible reporting". For some, it's a "good thing" (tm). For others, it's a "bad thing" (tm). What started that argument was an article about the topic which somehow gave the impression that a 30-day waiting period has been commonplace since the dawn of time. (total bullshit (tm))
I have my own opinions on the issue which I'll post separately. But please, if you ARE going to use analogies to support your opinions, please, please, please don't argue within earshot of me (or near my inbox)!
Friday, June 20, 2003
The Linux File System
Thursday, June 19, 2003
Deadman.org Tutorial: Advanced Bash Shell Programming
Wednesday, June 18, 2003
Pounding on Code
Hopefully I'll have it fixed soon. I want to take a crack at getting MythTV running.
Oh, and for those that haven't noticed, I've backfilled the missing day's data.
Tuesday, June 17, 2003
Matrix-XP is a pretty good spoof of the new Matrix movie.
Worth the time to download it.
Monday, June 16, 2003
This is one of the Gotta-Have tools if you have anything to do with network security.
Thanks to Troy Jessup's Security Blog for pointing it out.
Sunday, June 15, 2003
Note: Some of this is still in the early development stage. I picked up a Hauppauge card yesterday which has a hardware encoder. I'm having to upgrade the operating system and may have to buy more memory to get it working smoothly (my ME cannot handle the card well; it's jerky).
Proper vulnerability reporting?
Right off the top, I don't like it as it seems to leave all the chips on the vendor's side of the table. It also makes the "finder" traceable, which is not necessarily a "good thing" (tm) if the DMCA goes sour on vulnerability researchers.
Example: Say you find a really nasty bug and report it. Sometime during the 30-day waiting period, someone else discovers the bug and writes a virus exploiting that bug which takes down the Internet (a la Slammer). Mebbe I'm being paranoid, but don't you think that yours would be one of the first doors knocked on?
Besides, I've reported the same DoS bug to MS twice and it's still not fixed a year and a half later.
I guess you can put me on the "troublemaking-full-disclosure (shoot-these-people-first-when-we-take-over)" list of malcontents.
Saturday, June 14, 2003
Practical Approaches to Recovering Encrypted Digital Evidence
An interesting side note: the author is Eoghan Casey, who taught a couple of the online classes I took at Knowledge Solutions a few years ago.
Friday, June 13, 2003
Before I go any further, I don't want to start a religious war here. Anyone who thinks I'm starting a "this OS is better than THAT one" argument will find themselves banned for an indeterminate period of time.
Example: The Lost Olive had a pointer to Reality Check: How Safe is Linux. The article gives the appearance of comparing the security of *nix and Windows. It even describes the usual binaries exploited on a *nix box (Sendmail, FTP, Telnet and Samba), stating that one is notorious for security holes. Anyone see what's missing in the article? How about the Microsoft counterparts for those same services which have the same notoriety? (Hint: Exchange/Outlook, IIS, and NetBIOS.) This only irked me though. It's an old brown substance that will be thrown back and forth across the fence for years.
What prompted me to blog here is the paragraph entitled "Keeping It Simple", which leads you to believe point-and-click administration is more secure than anything else because it's easier to use. I've got news for you, Mr. Vincent Ryan: point-and-click administration breeds legions of point-and-click administrators (they don't understand the technology behind the GUI). You end up with administrators who can't read message headers to troubleshoot and think that LDAP is used only for Exchange's address book.
Shame on NewsFactor Network for passing it off as news (a special report) rather than slanted Op/Ed.
Dig back through the archives of my previous blog and you'll find a rant about point-and-click administrators.
Thursday, June 12, 2003
Mobile Forensics Platform
Rather than describing a specific platform, it discusses requirements. An interesting read.
Wednesday, June 11, 2003
Service Banner Fingerprinting
Tunneling via SSH
Monday, June 9, 2003
Update: The hackerthreads.net and netflood.net links seem to have disappeared in the past week. Fortunately, the author liked to post the same article in different forms on different sites, so here are two links:
- Google cache
It's a shame about the hackerthreads version, it had some really nice graphics to go with the article. Use the Skynet one now for readability.
Total Backup Howto (for Linux)
Sunday, June 8, 2003
The next DDoS?
Given better infection vectors, I think we'll see Lawrence Baldwin's prediction come true. Maybe just not from the direction we'd thought it would come.
Saturday, June 7, 2003
The Five Most Disruptive 'Free' Apps
An interesting read.
I'm shooting for a few short lists of blog links directly related to this page, on this page. The rest I will move and will try to generate better categories to put them in.
Running jobs unattended
Thursday, June 5, 2003
Public Key Encryption
Wednesday, June 4, 2003
A Lessons Learned Repository for Computer Forensics
A bit on the high side but interesting:
The International Journal of Digital Evidence has a paper discussing A Lessons Learned Repository for Computer Forensics.
Monday, June 2, 2003
DoS by Attacking Hash Tables
Examples include: just about anything written in Perl, NIC drivers, Squid, and DJBDNS (gasp!).
GSM Phone Forensics
Sunday, June 1, 2003
Calendar printout for Unix users
Simple and handy!