Sunday, June 29, 2003

Tutorial: SSH-Agent

The linked site has a tutorial explaining how to use ssh-agent.

For those that don't know what it is, ssh-agent (and ssh-add) allows you to authenticate (type in your password) once and, for the rest of the local session, automatically authenticate to remote sessions (you don't have to type in any more usernames/passwords).

For any systems administrator, this is a godsend (sp?). You can even run scripts remotely or pipe output invisibly with this technique.

Friday, June 27, 2003

IRC Bots

Undernet has an FAQ which discusses the different types and basic functions of IRC bots.

On the road

Greetings from the Denny's at exit 18 on Route 83, just outside of York, PA. I'm just playing around with my cell phone and laptop while waiting for my dinner. I should be in Upstate NY this evening. Hopefully this will still work (there's no coverage map for the service I use).

Thursday, June 26, 2003

Basic Steps in Forensic Analysis of Unix Systems

From the NetSec blog, a Washington University paper entitled Basic Steps in Forensic Analysis of Unix Systems.

Another gotta read.

Out of town

I will be out of town until Monday night. The blog may suffer for it unless I have time to drive to the top of the nearest hill to get a signal (yep, I'm going home for a reunion!). I may even bring back some pictures.

Wednesday, June 25, 2003

Intro Shift Registers has an article explaining the basics of using shift registers.

This is good theory for C/C++ programmers.

Tuesday, June 24, 2003

Tutorial: Build Your Own RPM

NetAdmin Tools has a tutorial explaining how to build your own RPMs.

Tutorial: SSH Agent Forwarding Inside of Screen

The linked site has a tutorial entitled "SSH Agent Forwarding and GNU Screen" which discusses how to set up ssh-agent so that it works inside of screen.

Screen allows you to disconnect from a session while leaving it running. A problem arises with SSH if you later log in from somewhere else (the environment variables change).

A nice technique to know.

Sunday, June 22, 2003

Another tool for fighting spam

HackThePlanet has a pointer to a paper which describes yet another possible method for combating spam: Greylisting. Greylisting is described as a combination black/white listing with automatic maintenance thrown in.

The short version is that the software keeps track of "relationships" which are made up of the sending IP, the sender, and the recipient. Oh! This software is intended to be built into an MTA (server) rather than a MUA (mail client).
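To make the "relationship" idea concrete, here is an added Python sketch of the policy (my illustration, not code from the paper or from any MTA): a triplet seen for the first time gets a temporary SMTP rejection and is accepted only once it retries after a delay, and stale triplets are forgotten automatically. The delay and expiry values and the sample addresses are made up.

```python
import time


class Greylist:
    """Minimal greylisting policy keyed on the (sending IP, sender, recipient)
    triplet. The clock is injected so the walk-through below is deterministic;
    the 300 s delay and 4 h expiry are assumed values, not the paper's."""

    def __init__(self, delay=300, expire=4 * 3600, now=time.time):
        self.delay = delay      # seconds a new triplet must wait before acceptance
        self.expire = expire    # forget unconfirmed triplets after this long
        self.now = now
        self.seen = {}          # triplet -> time it was first seen

    def check(self, ip, sender, recipient):
        """Return 'defer' (SMTP 4xx temporary failure) or 'accept'."""
        key = (ip, sender.lower(), recipient.lower())
        t = self.now()
        first = self.seen.get(key)
        if first is None or t - first > self.expire:
            self.seen[key] = t     # new relationship: ask the sender to retry
            return "defer"
        if t - first < self.delay:
            return "defer"         # retried too soon; real MTAs queue and wait
        return "accept"


# Constructed walk-through: a real MTA retries after a few minutes and gets
# through; a fire-and-forget spam engine never comes back for a second try.
def demo():
    clock = [1_000_000]
    g = Greylist(delay=300, now=lambda: clock[0])
    triplet = ("192.0.2.10", "alice@example.org", "bob@example.net")
    results = [g.check(*triplet)]          # first contact: defer
    clock[0] += 60
    results.append(g.check(*triplet))      # retry too early: defer
    clock[0] += 600
    results.append(g.check(*triplet))      # normal retry interval: accept
    results.append(g.check("198.51.100.7", "spam@example.com", "bob@example.net"))
    return results


if __name__ == "__main__":
    print(demo())
```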

Does SCO have a case?

Steve Friedl has a bit about the current status of the SCO case.

Odd traffic?

Concerning the unnamed trojan that's causing an increase in traffic on the Internet:

Various providers have seen a marked increase in the "noise" content of traffic through their outer routers. All of it is high-port to high-port, usually greater than port 10000 on both ends. When I first read an article about it, a week ago, I thought it was just marketing fluff. Now, after seeing it discussed on various security mailing lists and a number of articles having been written about it, I decided to do a bit of research.

Here's what's known about it so far:

  • It was first noticed on or around 16 May.
  • It sends out SYN packets with a total size of 55808. Note that this has nothing to do with the actual packet size, which is usually much smaller.
  • The source addresses are spoofed.
  • It has been said the packets contain the phrase "day 0", which alludes to this possibly being a "zero day" exploit. Others have said that this is "total bull."
  • No one has been able to prove that this is a worm, a trojan, a control signal for some other binary, etc.
  • It's not a SYN flood. That would require the target to be the same. These appear to be random and generating an excessive amount of traffic.
  • Some of the traffic may be from copycat malware (see source #3 below).


If it is a worm, it has the possibility of being nasty. Given that it is spoofing source addresses, it's designed not to care if the packets return. However, it sniffs for the ACK packets generated by return traffic from targets "scanned" by other infected systems. I'm making the "nasty" comment in that this worm had to have had an initial critical mass before it was able to generate this noticeable level of traffic. Either this is a second stage infection or someone compromised a LOT of systems to get this infection off of the ground.

Alternately, this may be a proof-of-concept distributed network scanner. While being mostly innocuous at this point, it foretells of some dark times for information security types.

Recommended precautions:

  • Ensure your firewalls are configured properly. They should only pass that which you explicitly allow. This will prevent any high-port to high-port traffic from passing through your firewalls.
  • Ensure ingress/egress filtering is properly configured on your premise routers. This will block traffic with spoofed source addresses.
  • If anyone is able to set up a packet capture for this traffic, please forward it to myself (Hint: tcpdump 'tcp[14:2]=55808', credit to Mark Swaar; add the appropriate switches to save the entire packets).
    Update: no longer needed. The filter does work. The packets are empty SYN packets with large windows.
  • If anyone is able to capture the offending binary, please forward it to myself.
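Added example (not from this post or any of the sources below): a Python check that applies the same test as the tcpdump filter, the 16-bit window field at TCP header offset 14 equal to 55808, together with the other traits noted above (empty SYN-only segment, high port to high port). The sample segments are constructed in the code; nothing is sent on the wire.

```python
import struct

SYN = 0x02
ACK = 0x10
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, csum, urg


def build_tcp(sport, dport, flags, window, payload=b""):
    """Constructed 20-byte TCP header (no options) plus payload.
    Checksum is left zero; it plays no part in the check."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, window, 0, 0) + payload


# Constructed samples: the first two look like the traffic described above,
# the other three are ordinary or otherwise non-matching segments.
SAMPLES = [
    build_tcp(31337, 44123, SYN, 55808),
    build_tcp(20000, 60001, SYN, 55808),
    build_tcp(40000, 80, SYN, 65535),            # normal SYN to a web server
    build_tcp(22222, 33333, SYN | ACK, 55808),   # handshake reply, not a probe
    build_tcp(22222, 33333, SYN, 55808, b"x"),   # carries data
]


def parse_tcp(segment):
    """Pull out the fields the check needs. tcp[14:2] in tcpdump terms is the
    window field, bytes 14-15 of the TCP header."""
    sport, dport, _seq, _ack, off_res, flags, window, _csum, _urg = \
        struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "flags": flags,
            "window": window, "payload_len": len(segment) - header_len}


def is_55808_probe(segment):
    """Signature from the text: empty SYN-only segment, window 55808,
    both ports above 10000."""
    t = parse_tcp(segment)
    return (t["window"] == 55808 and t["flags"] == SYN
            and t["payload_len"] == 0
            and t["sport"] > 10000 and t["dport"] > 10000)


def count_probes(segments):
    return sum(1 for s in segments if is_55808_probe(s))


if __name__ == "__main__":
    print(count_probes(SAMPLES))
```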


1) Title: Trojan Picks Up Steam, Baffles Experts

2) Title: New Breed of Trojan

3) Title: Intrusec Alert: 55808 Trojan Analysis

4) Title: Meet Stumbler: Next Gen port scanning malware

5) Title: Mysterious Net traffic spurs code hunt

Saturday, June 21, 2003

Bad Practices: Analogies to the Real World

It's a common part of every network or computer related argument since the dawn of time (Jan 1, 1970), possibly earlier. What am I talking about?

Bad analogies. Used mostly as ill-constructed attempts to prop up one side of an argument that revolves mostly around an opinion rather than a fact. Examples include:

  • comparing someone port scanning to someone wandering through town, rattling doorknobs to see if they're unlocked
  • any argument that treats bandwidth as a conservable resource
  • almost any justification for or against illegally copying software
  • almost any justification for extremely harsh cyber-laws (Don't believe me? Do a little research on allowable punishments.)
  • any altruistic reason for doing anything on the web

What set me off this week was overhearing two people argue the pros and cons of what is known as "responsible reporting". For some, it's a "good thing" (tm). For others, it's a "bad thing" (tm). What started that argument was an article about the topic which somehow gave the impression that a 30-day waiting period has been commonplace since that same dawn of time. (total bullshit (tm))

I have my own opinions on the issue which I'll post separately. But please, if you ARE going to use analogies to support your opinions, please, please, please don't argue within earshot of me (or near my inbox)!

Using 'Select'

Unix Review has a good article about how to use MySQL's Select instruction.

Friday, June 20, 2003

Thursday, June 19, 2003

Wednesday, June 18, 2003

Pounding on Code

I'll admit it. I've been killing a LOT of time trying to get the PVR card to work. I've been somewhat successful in that I've got the binaries to compile without error (to quote a favorite actress: "Gawd! What a nightmare!"). I've got it to the point where xawtv complains about lack of overlay capability.

Hopefully I'll have it fixed soon. I want to take a crack at getting MythTV running.

Oh, and for those that haven't noticed, I've backfilled the missing day's data.

Tuesday, June 17, 2003


Thanks to Ned Batchelder for pointing this one out.

Matrix-XP is a pretty good spoof of the new Matrix movie.

Worth the time to download it.

Monday, June 16, 2003

Amap update

I missed this when it happened, but about a week ago a new version of Amap was posted. New features include: "many more application fingerprints, speed, optimal SSL support, full RPC detection added, etc.!".

This is one of the Gotta-Have tools if you have anything to do with network security.

Thanks to Troy Jessup's Security Blog for pointing it out.

Sunday, June 15, 2003

Homemade PVR's

Wired has an article about building your own PVR which will supposedly work better than TiVo or Replay. I like the part about MythTV working in distributed mode.

Note: Some of this is still in the early development stage. I picked up a Hauppauge card yesterday which has a hardware encoder. I'm having to upgrade the operating system and may have to buy more memory to get it working smoothly (my ME cannot handle the card well; it's jerky).

Proper vulnerability reporting?

SlashDot has a pointer to a public draft of a bug disclosure standard.

Right off the top, I don't like it as it seems to leave all the chips on the vendor's side of the table. It also makes the "finder" traceable, which is not necessarily a "good thing" (tm) if the DMCA goes sour on vulnerability researchers.

Example: Say you find a really nasty bug and report it. Sometime during the 30-day waiting period, someone else discovers the bug and writes a virus exploiting that bug which takes down the Internet (ala Slammer). Mebbe I'm being paranoid, but don't you think that yours would be one of the first doors knocked on?

Besides, I've reported the same DoS bug to MS twice and it's still not fixed a year and a half later.

I guess you can put me on the "troublemaking-full-disclosure (shoot-these-people-first-when-we-take-over)" list of malcontents.

Saturday, June 14, 2003

BlueTooth Detection

The linked site has a pointer to a new security tool which "hunts down non-discoverable bluetooth devices via brute force".

Practical Approaches to Recovering Encrypted Digital Evidence

The International Journal of Digital Evidence has a paper which discusses Practical Approaches to Recovering Encrypted Digital Evidence.

An interesting side note: the author is Eoghan Casey, who taught a couple of the online classes I took at Knowledge Solutions a few years ago.

Friday, June 13, 2003

Making Presentations with LaTeX and Prosper

Freshmeat has a tutorial for "Making Presentations with LaTeX and Prosper".


FUD stands for Fear, Uncertainty, and Doubt. It's a marketing ploy. When your product is only marginally better (or worse) than a competitor's product, you gain a better market share by casting indirect insinuations at your competitor's product.

Before I go any further, I don't want to start a religious war here. Anyone who thinks I'm starting a "this OS is better than THAT one" argument will find themselves banned for an indeterminate period of time.

Example: The Lost Olive had a pointer to Reality Check: How Safe is Linux. The article gives the appearance of comparing the security of *nix and Windows. It even describes the usual binaries exploited on a *nix box (Sendmail, FTP, Telnet and Samba), stating that one is notorious for security holes. Anyone see what's missing in the article? How about the Microsoft counterparts for those same services which have the same notoriety? (Hint: Exchange/Outlook, IIS, and NetBIOS)? This only irked me though. It's an old brown substance that will be thrown back and forth across the fence for years.

What prompted me to blog here is the paragraph entitled "Keeping It Simple" which leads you to believe point and click administration is more secure than anything else because it's easier to use. I've got news for you, Mr. Vincent Ryan: point-and-click administration breeds legions of point-and-click administrators (they don't understand the technology behind the GUI). You end up with administrators who can't read message headers to troubleshoot and think that LDAP is used only for Exchange's address book.

Shame on NewsFactor Network for passing it off as news (a special report) rather than slanted Op/Ed.

Dig back through the archives of my previous blog and you'll find a rant about point-and-click administrators.

Thursday, June 12, 2003

Mobile Forensics Platform

The International Journal of Digital Evidence has a paper about using The Mobile Forensic Platform.

Rather than describing a specific platform, it discusses requirements. An interesting read.

Monday, June 9, 2003

Session Hijacking

HackerThreads has a short paper on "Session Hijacking", explaining how it's done and how to protect against it.

Update: The and links seem to have disappeared in the past week. Fortunately, the author liked to post the same article in different forms on different sites, so here are two links:

  • Google cache
  • Skynet

It's a shame about the HackerThreads version; it had some really nice graphics to go with the article. Use the Skynet one now for readability.

Total Backup Howto (for Linux)

Chris on NetSec posted a pointer to the Linux Complete Backup and Recovery Howto. This is valuable knowledge to have, whether you own Linux or not.

Sunday, June 8, 2003

Regex Coach

The Tech Observer posted a link to The Regex Coach which is a GUI for teaching yourself RegEx's (Regular Expressions). If you use it, please let us (here) know your opinion of it.

The next DDoS?

Lawrence Baldwin has made a prediction that the next big DDoS will be a distributed spam attack. I like his graphic but don't think he's taken the idea far enough. We've already seen the Jeem worm which supplies its own SMTP engine and reports home upon successful infection.

Given better infection vectors, I think we'll see Lawrence Baldwin's prediction come true. Maybe just not from the direction we'd thought it would come.

Saturday, June 7, 2003

The Five Most Disruptive 'Free' Apps

SNP has an article which discusses the five most disruptive 'free' applications that a business should not allow on its network.

An interesting read.

Links Re-Org

Pardon the dust for a bit, the links on this page have gotten out of hand and I'm reorganizing them a bit. If you're watching closely, you'll see most of them move to the "Links" page.

I'm shooting for a few short lists of blog links directly related to this page, on this page. The rest I will move and will try to generate better categories to put them in.

Open Ports

Hacking Exposed has an article about figuring out which program is listening on an open port. Somewhat basic, but an interesting read.

Running jobs unattended

Linux Magazine has an online article entitled "Running Jobs Unattended" which explains the basics of using sleep, at, and cron.

Thursday, June 5, 2003

Cannibalism

The linked site has an article about hackers taking advantage of unsuspecting "Script Kiddies" by hiding extra "stuff" in the binaries used by those looking for a quick exploit.

Public Key Encryption

HelpNet Security has an article explaining the basics of Public and Symmetric Key Encryption.

Monday, June 2, 2003

Understanding Traceroute

Truncode has a basic explanation of "How Traceroute Works". They use hping to help explain it.

DoS by Attacking Hash Tables

Pointed out by /., Rice University has a paper describing "Denial of Service via Algorithmic Complexity Attacks". Basically, it's an asymmetrical attack (very little input to trigger the DoS) against hash tables which are used heavily in programming.

Examples include: just about anything written in Perl, NIC drivers, Squid, and DJBDNS (gasp!).
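Added example, not from the Rice paper: a Python comparison of how a chained hash table degrades when every input lands in one bucket under a predictable hash, against the standard fix, a hash seeded with a secret the remote party cannot know (BLAKE2b with a random key stands in for that here). The table size and the input set are made up.

```python
import hashlib
import itertools
import os

BUCKETS = 64                 # constructed table size
_SECRET = os.urandom(16)     # per-process random key, unknown to remote input


def weak_hash(key):
    """Toy hash: sum of byte values. Any rearrangement of the same characters
    gets the same bucket, so colliding inputs are trivial to produce."""
    return sum(key.encode()) % BUCKETS


def keyed_hash(key, secret=_SECRET):
    """Keyed hash: bucket placement cannot be predicted without the secret,
    so an attacker cannot prepare inputs that all collide."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def build_table(keys, hash_fn):
    table = [[] for _ in range(BUCKETS)]
    for k in keys:
        table[hash_fn(k)].append(k)
    return table


def stats(keys, hash_fn):
    """Longest chain, and total string comparisons to look every key up again.
    Lookup work is O(n^2) when everything shares one chain, about O(n) otherwise;
    that gap is the asymmetry the attack relies on."""
    table = build_table(keys, hash_fn)
    longest = max(len(chain) for chain in table)
    cost = sum(table[hash_fn(k)].index(k) + 1 for k in keys)
    return {"max_chain": longest, "lookup_cost": cost}


# Constructed input: the 120 distinct permutations of one five-letter word.
INPUT = ["".join(p) for p in itertools.permutations("abcde")]


def compare(keys=INPUT):
    return {"weak": stats(keys, weak_hash), "keyed": stats(keys, keyed_hash)}


if __name__ == "__main__":
    print(compare())
```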

GSM Phone Forensics

The International Journal of Digital Evidence has a paper which discusses forensics issues when dealing with GSM phones.