Sunday, August 31, 2003

More headlines

I've cleaned up some of the code for the headlines page, added a header table, and added quite a few more feeds. Now if I can teach myself how to work with cookies, I'll make it customizeable.

Saturday, August 30, 2003

Bwain hertz!!

Very few brain cells left. Must blog....

(Just finished the second test for GIAC GSEC certification!)

The first test went quicker than the second because I used the "open book" clause for the second. Overconfidence in the first test caused me to get a lower grade than the second one.

Recommendations? Study your ass off! (right up until a day or two before you take the tests) If you don't have hardcopy, generate it and devote a binder to each section. Flag valuable tables/diagrams/info with stickies! Don't wait to the last minute to take the tests (like me).

Yahoo has RSS feeds

Jeff at Blog.This pointed to the following: Yahoo News has RSS feeds. I won't use them because they only occasionally have anything InfoSec related but they might be valuable to others. Enjoy!

Friday, August 29, 2003


I'm a firm believer of using the proper tool for the job. Unfortunately, the marketing department at a huge software vendor likes to talk about its products as being the end-all-be-all for every job.

What am I talking about? IIS.

In most cases, using IIS is like using a 747 to drive to the corner store. In most cases, a comfortable pair of sneakers will suffice.

The newer versions of IIS come with so many features that, contrary to claims, that virus writers and hackers will have plenty to do for the coming decade. (Remember, the more complex a program is, the more bugs/vulnerabilities it contains.)

If you have to use IIS, there are additional measures you should take to protect the system:

  • restrict outside access to just the web port
  • if possible, stick a caching proxy in front of it
  • if possible, that reverse proxy should reside on a non-MS operating system
  • locate the proxy/IIS systems outside of your internal network (in a DMZ)
  • if possible, stick an IDS sensor in there
  • and, wherever possible, gather metrics.

I want to stress the point about metrics. For any publicly exposed system, you've got to have a good idea of what normal traffic looks like so that you can recognize what abnormal traffic looks like.

A good tool for this is MRTG. Allow it to gather data from your router and you'll get a good day-to-day view of traffic. With IIS v6.0, you can even gather metrics from your web server. Here's an article at SecurityFocus which discuss how to do just that.

Getting a cable modem?

Getting (or have) a cable modem? Welcome to the great new world of "you're a target", especially if you plan on leaving your computer on 24/7. If you do this, you become a hacker's prime target.

It's not the data on your computer they want, it's the processing cycles and bandwidth. If you don't protect it, you're machine will be used for:

  • a porn server
  • an open relay for spamming the planet
  • a warez server
  • a jump point for attacks on other systems
  • a hidden IRC server
  • or worse.

InfoPros Joint has a decent article which discusses the minimum of what you should do to protect your system.

Software-based radios

Found a link-page for Software-based radios.

Wednesday, August 27, 2003

Smurfs, Nukes, Teardrops, and Boinks

No, it's not a vicious Country & Western song. has a decent article explaining the different attacks against the weaknesses in the TCP/IP protocol.

Backup services

If a good portion of your business is electronic, it may be a good idea to pay for alternative services for backup. This article describes a company which hired a backup mail service to provide for continuity of its e-mail in the event that their main mail servers where unavailable. The recent network and power outages proved the point for many of Message One's customers.

Monday, August 25, 2003

Intercepting the 3-Finger Salute

Linux Gazette has an article describing how to intercept the 3-finger salute (Ctrl-Alt-Del) to prevent an unauthorized person, with access to the keyboard, from rebooting the system.

A proper chain of evidence

Australian Financial Review has a short article which describes the need for proper collection and tracking of digital evidence, the dearth of which has caused a number of Australian hacking cases to be settled out of court.

Sunday, August 24, 2003

I've been spammed by Microsoft!

Remember the query to Microsoft that I mentioned a few minutes ago? It bounced. So basically, I've been the recipient of unsolicited e-mail from a company which forges return addresses.

Uh oh. I think Microsoft has done something which the State of Virginia says is illegal.

Here's the body of the bounced mail:

This Message was undeliverable due to the following reason:

Your message was not delivered because the Domain Name System
(DNS) for the destination computer is not configured correctly.
The following is a list of reasons why this error message could
have been generated. If you do not understand the explanations
listed here, please contact your system administrator for help.

- The host does not have any mail exchanger (MX) or
address (A) records in the DNS.

- The host has valid MX records, but none of the mail
exchangers listed have valid A records.

- There was a transient error with the DNS that caused
one of the above to appear to be true.

You may want to try sending your message again to see if the
problem was only temporary.

DNS for host is mis-configured

The following recipients did not receive this message:


MS IM Upgrade?

The e-mail says it's a security upgrade. Authors for MS-compatible IM's say it's a measure to cut non-MS IM's off from the service. Given past practices, my opinion leans towards the latter. Unfortunately, MS never learns. "Adjust" the protocol and it will cut "outsiders" off in the short run. In the long run, the "outsiders" will adapt and learn how to get back in.

Another thing they're not thinking of is that if they switch out code, they risk more vulnerabilities (i.e., a whole new slew of expoits!).

Mark your calendars. I have asked Microsoft's .Net Messenger Service (the ones who sent me the e-mail to upgrade) what vulnerability the upgrade fixes. Just as in two previous cases (one question, one vulnerability report), I'm not holding my breath.

BTW, that vulnerability still exists, two years later. I did get a reply from them concerning the vulnerability. They claimed it was a non-issue because if I used MS DNS, the problem with their Exchange server cluster would not exist. I couldn't get it into their heads that the DNS local to the Exchange server was MS but that neither was the equipment mine (our shop used 99% *nix) nor was the DNS record causing the problem local.

And coworkers wonder why I have a low opinion of publicly available MS servers.

Who's Attacking You?

Linux Exposed has a two-part post which discusses the different types of attackers and gives a short discussion on their basic goals. (Part 1) (Part 2).

I'm the luckiest man on the planet and I'm gonna be rich!

To make up for that really horrible month of May, my karma has snapped back. This very week I have:
  • offered $7.5 million by Mr. Woo Chong, Manager of the China Trust Bank
  • offered $8.2 million by Chief Kola Matins, Secretary of the Contract Award Committee of the Nigerian Petroleum Committee
  • offered $7.4 million by Dr. Rilwanu lukman, President Advisor on Petroleum and Energy and Alternate Chairman of Board, OPEC President Designate
  • offered $3.6 million by Jonson Tubman, former Special Assistant to Liberian President Charles Taylor
  • and another $15.75 million by Jewel Taylor, Charles Taylor's wife

All for the use of my checking account. Would you believe it?

Wait! It gets better!

I've even won the Netherlands Lottery, not once but twice for another $4 million!! Oh, and while I was typing this, I also won the Citi Financiers Worldwide Lotttery for another $5 million. So far that totals just a tad over $49 million.

I'm rich! I'm leaving right now (headed into town) and I'm gonna buy that Hummer I've had my eye on.

Saturday, August 23, 2003

Figuring out what happened

Tech Republic has an article about discovering, and collecting evidence from, a compromised system. The article describes a compromise that many a NSO has discovered, a Serv-U FTP server hosting up files being traded on IRC.

For this type of compromise (and many others), the legal response varies (at least for now). Goverment organizations tend to investigate fully, gathering as much information as possible (it doesn't happen to them all that much). Educational networks tend to just wipe an d rebuild (it happens to them quite often due to the open nature of their networks). Corporations tend to be binary about the issue; some will investigate, others will "hide & forget that it happened".

Anyways, the article is a good read about an investigation into an all-too-common problem.

Blaster worm has a bunch of stuff about the Blaster worm if you want to learn more about it.


Various articles concerning dsniff:


As per Scott Grenneman's request, the links for the feeds are at the top of the right-hand column.

The new phone book's here! The new phone book's here!

Thanks to Troy Jessup's Security Blog for pointing it out. It's nice to be noticed by the "higher-ups", namely Scott Granneman at SecurityFocus (especially when you discover your discovery at work) (heh).

Thanks Scott. And I'll fix the RSS feed. I'm experimenting with multiple versions and driving people nuts with changes on the back end.

Thursday, August 21, 2003

Minimizing what's running

One of the tenet's of securing a system is to only run that which is absolutely necessary.

Here's an article which explains how to determine what services are running and how to turn specific ones off. (for Windows systems)

Attention slacker!

Attention Road Runner user using IP in New York State!!! You have the SoBig.F virus and need to clean yourself up! Lizabeth1976 and I would both appreciate it. Oh, and you need to update your version of Outlook Express.

Amazing what you can dig out of message headers, huh?

Useful Windows Command Line Commands

Security Horizon has a list of commands that are useful if you have access to the command line on an NT system.

Bookmark this one for future use!

Wednesday, August 20, 2003

Yet Another Thing to Waste Your Free Time

You've heard of war driving right? That "hobby" where you walk around and "take note" of open 802.11b/g/a access points?

Here's someone who built a war-spying rig. War-spying amounts to intercepting wireless security camera signals.

Nothing good can come from this one. Probably nothing bad either, but it does have capacity for some evil doing.

Monday, August 18, 2003

I'm not holding my breath...

There has been much discourse in the last few days about the source of the power outage. First it was a fire at the Niagra plant. Then it was lightning. Now it's an equipment failure in Ohio.

The more paranoid types have been relating the power failure to the oddly coincidental worm infection. According to this article, it has been discounted. If you read the article, no solid claim has been made in either case. The strongest point in the article is that a security research director finds it difficult to believe that an industry would use Windows to control its equipment.

Gee, does anyone else remember the Microsoft commercials in which the guy changes the color of the car being painted to match a purse? (Hint: that's Windows being used in industry!) Aggregate that with the "no one's been to the server room in days" commercial and various less-clueful industries might have bought Windows believing that they were getting the most secure OS for their industry.

Would someone please tell Rueters that if they want a quote about security in the power industry, they should be talking to the security experts IN the power industry, not printing opinion from someone who didn't have anything to do with the design of the control systems (or their security) at the power plant.

The article contains only opinion from people "out of the loop". Quotes such as this, from "recognized experts," lessens the veracity of any future statement made by any other security person.

Mr. Paller, shut up.

Tom Clancy Needs a Break

I stood outside in the August heat for two hours today, waiting in line to get my copy of Tom Clancy's new book "The Teeth of the Tiger" signed by the author. By the time I stood in front of his table my back hurt, my feet hurt, and I had the beginnings of the dehydration migraine pounding on the top of my head.

As bad as I felt, Mr. Clancy appeared even worse, looking like he was on the low end of a three-day hangover. Turns out this is the third city in as many days in as many states that he's had signings in and he's due at another one most of the way across the country tomorrow.

Tom, talk to your publisher. Get them to schedule days off every other, or every third day, so's you can sleep in. You looked like crap today.

Thanks for the autograph though.

For those wondering, it's another Jack Ryan novel, chronologically early in Jack's life. I've read four chapters already and my wife is hinting that it's past bedtime.

Never Mind Mom, I've Found Some

Apparently crime does pay. At least for the hardware store where you buy your tools. While searching Google for info for a short paper, I've discovered that there are quite a few sites selling collections of hacker tools. (Search for "hacker tools".)

It also appears to be a "buyer beware" market as quite a few of them have disclaimers protecting the seller from any malicious code which might be hidden in the software they're selling. Silly part of the whole thing is that 99% (if not 100%) of the software being sold is readily available on the Internet. Some of it is even out-of-date.

Not one to let a good idea pass by, I am now offering the following (on separate CD's):

  • a list of books which reside on my bookshelves
  • a collection of howto's which I've written
  • every bit of intellectual junk or garbage which I've authored and managed to save on three systems
  • a digital album of the Crepe Myrtle growing n my front yard (bonus, Christmas shots from the neighborhood)
  • a semi-humorous attempt at trying to explain my family tree (I have four half-sisters, three half-brothers, one foster sister, and one foster brother). Hint: One of those half-brothers has the same first name as me so two of my half-sisters don't take references to "this is my brother Daryl, this is my other brother Daryl" jokes too kindly. (Note: my name is not Daryl.)

Okay, too silly. Time to end this one.

Sunday, August 17, 2003

Mom, Please Send Money


Okay, it's fake but it's funny if you've ever been the recipient of N-419 spam. Read the SCO version here.

Saturday, August 16, 2003

It's your fault too!

I've been reading various sources concerning how backbone providers have minimized the effects of the Blaster worm and the complaints their customers are making because of those measures.

For God's sake people, Exchange/Outlook was designed to be a LAN application, NOT an Internet application. If you've got to access your e-mail over the Internet and just gotta have MS-based clients, use the POP or IMAP protocols. Even better use the SSL-based versions of those protocols, or use OWA or a VPN.

Using a standard Outlook/Exchange configuration opens you to problems such as the Blaster worm.

Analogy: Tractors. Tractors are designed for driving back and forth across your property, doing heavy chores like plowing, bailing hay, or "spreading" manure. They are NOT designed to be taken out on a four-lane highway to get you from point A to point B. You not only run the risk of getting killed when the engine explodes, you inconvenience every other user of that four-lane and most likely anger local authorities.

Take a close look at how you do business and drop me into the Thoroughly Disgusted category.

The Coroner's Toolkit

Sys Admin Magazine has an article describing the uses of The Coroner's Toolkit which is a open source digital forensics toolkit. (You use this after you image the drive.)

This is just a magazine article about the toolkit, if anyone knows of a good lesson or how-to, please post it in comments.

Thursday, August 14, 2003

Procmail Tutorial

Elflord has a decent tutorial which discusses getting Procmail configured and running.

How the Blaster worm progogates

I've made a short (and very basic) presentation for my employer about how the Blaster worm propogates which you can view here.

It looks a little crappy (the fonts look horrible or are too small) because it's the first time that I've tried to push a PowerPoint presentation through OpenOffice. I'll clean it up over the next few days and add some more details.

Let me know what you think? (Suggestions for better appearances?)

Wednesday, August 13, 2003


Depending on your browser, this might be difficult to read (in Galeon, everything shows up centered, everything!). Regardless, it contains valuable info if you program with Perl and MySQL.

Steganography Revealed

Security Focus has an article entitled "Steganography Revealed" which explains the basic theory behind hiding data in graphics files.

Monday, August 11, 2003

RPC Buffer Overflow GUI?

As of this morning, the MS RPC buffer overflow has a publicly available GUI. (Courtesy of Astalavista)

Can't you just tell it's Monday. I wonder what joys work will bring this morning. (I got up at 4 a.m. this morning and I haven't had my coffee yet.) (I'm in a good mood dammit!)

Grep tutorial

Elflord has a decent tutorial explaining the proper use of "grep".

An actual victory?

(File this one under "Hoist by own petard")

The BSA has claimed a victory by reducing the level of piracy in the U.S. by 2% last year, even though the total is up $100M (piracy amounted to an estimated total of just short of two billion dollars last year, by their calculations).

Something's not quite kosher in the report. (I wish someone would hire an honest mathetician. Or, at least, explain their math to me.) If piracy increases one hundred million dollars and causes a loss of an additional 105,000 jobs (equates to $950 per job, which also doesn't sound correct), how does piracy decrease 2%? Do you get the feeling that someone is using a random number generator?

I also love the blanket statement of "Piracy depletes available funding for valuable research and development causing the staggering job losses and billions of dollars in lost wages and tax revenues." Most "innovation" is done by small companies prior to buy-out by larger corporations. Of late, piracy has mostly affected those companies who have the least to do with innovation and the most to do with the purchase of those same companies.

I live in a city where the BSA successfully stomped out piracy by causing the city government to cough up $$$ because they couldn't match the number of licenses to the number of computers in use (question: how many of you actually rec'd paper certs when you bought your machine?). Nevermind that the purchase of additional paper cost the city government enough $$$ that they had to "not hire" at least five $20K employees to cover the cost of the purchase of additional licenses. Based on the reasoning that no criminal charges were filed, it was an honest mistake and "saved" more jobs (by BSA's logic) than it deleted. (Note: we're also a member of the list of states where piracy is the least prevalent!)

Based on the logic used in BSA's annual report, I can claim a victory for ecology because I've slowed global warming by 2% by getting 30 of my friends to switch from aerosol hairsprays to pump-based even though there's an extra 300,000 people on the planet due to birth rates. Proof? Our local ocean temp was 15 degrees cooler this year than average.

My final question: given BSA's altruistic intentions of "promoting a safe and legal digital world", why haven't they weighed in on the SCO/IBM/Linux Intellectual Theft issue?

Sunday, August 10, 2003

Setting up for forensics

Kill-HUP has a pointer to this Unix Review article which discusses digital forensic basics and preparation.

This is a bit deja-vu-ish as I was present at just such a presentation earlier this week. A good read.

RPC buffer overflow tutorial

Yet again, I think we'll see this stuff in a worm soon. Unless your organization absolutely really-has-to-have ports 135-139 and 445 open, close 'em!

Saturday, August 9, 2003

No Op

Added more feeds to the "Headlines" page. Even found a D-Shield feed (which I'll experiment with later).

No Op

I've cleaned up the news menu, consolodating the "Advisories", "Exploits", "News", and "Vulnerabilities" all under "Headlines". I'm still experimenting with different ways to display stuff and I'm still adding feeds (let me know if you have a favorite InfoSec feed!).

Laptop Linux

Linux Journal has an article about adding those finishing touches to the Linux install on your laptop.

Thursday, August 7, 2003

Covert HTTP Channel Detection

In a previous post, I pointed to an article which described how to set up a covert channel which would use HTTP proxies to get to the outside world. The same group (Gray-World) that posted that article has also posted this one which describes how to detect those covert channels.

Note: Gray-Worlds alternate title (slogan?) is: Network Access Control Systems bypassing.

This site has a lot of discussion (and tools) about setting up covert channels.

New toy

Ran out during lunch today to get one of these 'cause it was just too cool and too cheap (less than what's listed on the site) not to get. It's already paid for itself by identifying the sweet and sour spots in the house. While in the store, I also noticed that DLink is selling a repeater for 802.11 which suddenly seems to be next on the save-up-for list.


I apologize for the two-day lag in posting. I managed to seriously damage the kernel and file system (don't ask!) while trying to upgrade the kernel for yet another hardware encoder. Since the d*mn thing was cutting edge tech (for Linux), I was guessing at a couple things and guessed wrong.

So far, I've got my system rebuilt, minus a whole bunch of tools and data. I'm going to have to wait until the weekend to restore off of the backups. I've got enough in "draft" to cover posts until then.

Again, sorry.

Wednesday, August 6, 2003


Hitchhiker's World (on InfoSec Writers) has a short bit on shellcode. Another nice-to-know if you're working InfoSec.

Tuesday, August 5, 2003

Recovering Hidden Data on Linux

Another article by Anton Chuvakin on Linux Security, this one talks about recovering data from a Linux hard drive which was inadvertantly deleted. The article has pointers to similar items for other OS's and technologies and also talks about hiding data on Linux ext2 partitions.

Monday, August 4, 2003


It's an older article (and I may have already posted about it) but it's a good to know...

Linux Security has an article about setting up various utilities/services to run under Chroot.

Sunday, August 3, 2003

It's a surprise?

DSI has an article which describes Phil Zimmerman being disappointed that encryption has not caught on in the public sector (the exception being SSL).

Personally, I think it's obvious why: for the same reason SSL is widespread and why Microsoft Windows remains popular even after horrendous security incidents. It's because people are inherently lazy. They are willing to "live" with various risks/abuse for the sake of not having to click two more buttons (what's more or less involved with using PGP in Outlook).

For cryptography use to become widespread, it's going to have to be transparent to the average user. Even a minimal setup requirement will cause most people to avoid using the technology.


InfoSec Writers has an article entitled "AES Simplified which explains the theory behind the algorithm used in the AES standard - Rijndael.

Saturday, August 2, 2003

A good general purpose network monitoring tool

(heh) Management is going to talk to Troy about this one... Seems he's "proven" that Winamp makes a good network monitoring tool.

TOC and Search

Thanks to Bowulf for the pointer to Feedster's Tools for the Blog Author. Because of it, I now have search (upper right) and a Table of Contents (menu above) for an older and paritally broken (server-related, not MT-related) blog.

Update: Please note that these features are in devolopment and might not work as you expect them to (default values still need work). However, it is still useful.

The Eighth Layer of the OSI Model

No, really!! There is eight layers! They only teach you the first seven in school. You have to work in a NOC to realize that the lowest and most resource-consuming layer is:

   the political layer.

Nothing else happens in the upper layers without it.

Never mind that there's an incident in progress. Never mind that you're responsible for network security. Let it burn! Until such time that the paperwork is signed, no one is going to change anything on this network! So go home!

That's all I'm allowed to say and I apologize for the mysterious half-rant. Those of you who know me, know what I'm talking about.

New Vulnerability Blog

I've added a new vulnerability-related blog to the list on the right: Mangia!

MiMail worm

Just a short explanation of what it does:

The worm shows up in your inbox with a (possibly) zipped file attachment, usually and a return address of "admin@somedomain" (where somedomain = a valid domain, possibly yours). Unzipping the file creates message.htm. Clicking on the web file fires up your Internet Explorer browswer and runs the JavaScript-based worm hidden the the file.

The worm then gathers e-mail addresses from the local machine, generates new infected messages and sends them to the collected addresses via a list of known open relays. Congratulations, you've just spammed your friends, family, and coworkers with infected messages.

Precautions to take:

  • Make sure your browser is up-to-date (the vulnerability this worm exploits has been around since January)
  • Don't open unsolicited mail from people you don't know, especially those with attachments.
  • Install an anti-virus product and keep it up-to-date.

Friday, August 1, 2003

Other uses for Make

Linux Focus has an article about using "make" for things other than compiling code into binaries.

An interesting read.

Crypto Basics

Linux Focus has an article explaining the basic theory of crytpography.

Another good-to-know.