Sunday, August 31, 2003
Saturday, August 30, 2003
(Just finished the second test for GIAC GSEC certification!)
The first test went quicker than the second because I used the "open book" clause for the second. Overconfidence in the first test caused me to get a lower grade than the second one.
Recommendations? Study your ass off! (right up until a day or two before you take the tests) If you don't have hardcopy, generate it and devote a binder to each section. Flag valuable tables/diagrams/info with stickies! Don't wait until the last minute to take the tests (like me).
Yahoo has RSS feeds
Friday, August 29, 2003
MRTG/SNMP on IIS
What am I talking about? IIS.
In most cases, using IIS is like using a 747 to drive to the corner store. In most cases, a comfortable pair of sneakers will suffice.
The newer versions of IIS come with so many features that, contrary to claims, virus writers and hackers will have plenty to do for the coming decade. (Remember, the more complex a program is, the more bugs/vulnerabilities it contains.)
If you have to use IIS, there are additional measures you should take to protect the system:
- restrict outside access to just the web port
- if possible, stick a caching proxy in front of it
- if possible, that reverse proxy should reside on a non-MS operating system
- locate the proxy/IIS systems outside of your internal network (in a DMZ)
- if possible, stick an IDS sensor in there
- and, wherever possible, gather metrics.
I want to stress the point about metrics. For any publicly exposed system, you've got to have a good idea of what normal traffic looks like so that you can recognize what abnormal traffic looks like.
A good tool for this is MRTG. Allow it to gather data from your router and you'll get a good day-to-day view of traffic. With IIS v6.0, you can even gather metrics from your web server. Here's an article at SecurityFocus which discusses how to do just that.
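As an added example (not code from the original post or the SecurityFocus article), the Python script below shows the baseline-versus-abnormal idea on constructed IIS W3C log lines: it learns the normal requests-per-minute rate from a known-good window, then flags minutes in a later window that exceed the mean plus three standard deviations and names the busiest client in each. The field list and the threshold rule are assumptions made for the example.

```python
# Added example, not code from the original post: build a per-minute request
# baseline from IIS W3C log lines and flag minutes that exceed it.
# All log data below is constructed; the field list follows the IIS W3C format.
import statistics
from collections import Counter

HEADER = ("#Software: Microsoft Internet Information Services 6.0\n"
          "#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes\n")

def make_lines(minute, n, ip="192.0.2.10"):
    """Build n constructed log lines within one 'YYYY-MM-DD HH:MM' minute."""
    return "".join(f"{minute}:{i % 60:02d} {ip} GET /index.htm 200 5120\n"
                   for i in range(n))

# Known-normal hour: a few requests per minute from ordinary visitors.
NORMAL = HEADER + "".join(make_lines(f"2003-08-29 10:{m:02d}", n)
                          for m, n in enumerate([2, 3, 2, 4, 3, 2, 3, 2]))
# Later window: same pattern, except one minute with a burst from one client.
TODAY = (HEADER
         + "".join(make_lines(f"2003-08-29 11:{m:02d}", n)
                   for m, n in enumerate([3, 2, 3, 2]))
         + make_lines("2003-08-29 11:04", 40, ip="203.0.113.7")
         + make_lines("2003-08-29 11:05", 2))

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                             # other directives, blanks
        elif fields is None:
            raise ValueError("log entry before any #Fields directive")
        elif len(line.split()) == len(fields):   # skip truncated entries
            rows.append(dict(zip(fields, line.split())))
    return rows

def minute_key(row):
    return row["date"] + " " + row["time"][:5]

def baseline(rows):
    """Mean and population std-dev of requests per minute for normal traffic."""
    counts = list(Counter(minute_key(r) for r in rows).values())
    return statistics.mean(counts), statistics.pstdev(counts)

def abnormal_minutes(rows, mean, sd, k=3.0):
    """Return {minute: (requests, busiest client)} for minutes above mean + k*sd."""
    threshold = mean + k * sd
    by_minute = {}
    for r in rows:
        by_minute.setdefault(minute_key(r), []).append(r["c-ip"])
    return {m: (len(ips), Counter(ips).most_common(1)[0][0])
            for m, ips in sorted(by_minute.items()) if len(ips) > threshold}
```

Feed baseline() a log from a period you know was quiet and abnormal_minutes() the current log; on the constructed data only the 11:04 burst from 203.0.113.7 is flagged.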
Getting a cable modem?
It's not the data on your computer they want, it's the processing cycles and bandwidth. If you don't protect it, your machine will be used for:
- a porn server
- an open relay for spamming the planet
- a warez server
- a jump point for attacks on other systems
- a hidden IRC server
- or worse.
InfoPros Joint has a decent article which discusses the minimum of what you should do to protect your system.
Wednesday, August 27, 2003
Smurfs, Nukes, Teardrops, and Boinks
Norman.com has a decent article explaining the different attacks against the weaknesses in the TCP/IP protocol.
Monday, August 25, 2003
Intercepting the 3-Finger Salute
A proper chain of evidence
Sunday, August 24, 2003
I've been spammed by Microsoft!
Uh oh. I think Microsoft has done something which the State of Virginia says is illegal.
Here's the body of the bounced mail:
This Message was undeliverable due to the following reason:
Your message was not delivered because the Domain Name System
(DNS) for the destination computer is not configured correctly.
The following is a list of reasons why this error message could
have been generated. If you do not understand the explanations
listed here, please contact your system administrator for help.
- The host does not have any mail exchanger (MX) or
address (A) records in the DNS.
- The host has valid MX records, but none of the mail
exchangers listed have valid A records.
- There was a transient error with the DNS that caused
one of the above to appear to be true.
You may want to try sending your message again to see if the
problem was only temporary.
DNS for host msgr.hotmail.com is mis-configured
The following recipients did not receive this message:
MS IM Upgrade?
Another thing they're not thinking of is that if they switch out code, they risk more vulnerabilities (i.e., a whole new slew of exploits!).
Mark your calendars. I have asked Microsoft's .Net Messenger Service (the ones who sent me the e-mail to upgrade) what vulnerability the upgrade fixes. Just as in two previous cases (one question, one vulnerability report), I'm not holding my breath.
BTW, that vulnerability still exists, two years later. I did get a reply from them concerning the vulnerability. They claimed it was a non-issue because if I used MS DNS, the problem with their Exchange server cluster would not exist. I couldn't get it into their heads that the DNS local to the Exchange server was MS but that neither was the equipment mine (our shop used 99% *nix) nor was the DNS record causing the problem local.
And coworkers wonder why I have a low opinion of publicly available MS servers.
Who's Attacking You?
I'm the luckiest man on the planet and I'm gonna be rich!
- offered $7.5 million by Mr. Woo Chong, Manager of the China Trust Bank
- offered $8.2 million by Chief Kola Matins, Secretary of the Contract Award Committee of the Nigerian Petroleum Committee
- offered $7.4 million by Dr. Rilwanu lukman, President Advisor on Petroleum and Energy and Alternate Chairman of Board, OPEC President Designate
- offered $3.6 million by Jonson Tubman, former Special Assistant to Liberian President Charles Taylor
- and another $15.75 million by Jewel Taylor, Charles Taylor's wife
All for the use of my checking account. Would you believe it?
Wait! It gets better!
I've even won the Netherlands Lottery, not once but twice for another $4 million!! Oh, and while I was typing this, I also won the Citi Financiers Worldwide Lottery for another $5 million. So far that totals just a tad over $49 million.
I'm rich! I'm leaving right now (headed into town) and I'm gonna buy that Hummer I've had my eye on.
Saturday, August 23, 2003
Figuring out what happened
For this type of compromise (and many others), the legal response varies (at least for now). Government organizations tend to investigate fully, gathering as much information as possible (it doesn't happen to them all that much). Educational networks tend to just wipe and rebuild (it happens to them quite often due to the open nature of their networks). Corporations tend to be binary about the issue; some will investigate, others will "hide & forget that it happened".
Anyways, the article is a good read about an investigation into an all-too-common problem.
- Installing dsniff from rpm
- Dsniff'n the Mirror - Linux Security article about various network monitoring tools, including dsniff.
- On the lookout for dsniff (Part 1) (Part 2) - an IBM two-part series discussing sniffers and protecting your networks from them.
- dsniff - an older version of dsniff that was ported to Windows
- dsniff and SSH : Reports of My Demise are Greatly Exaggerated - an O'Reilly article
- The Dsniff FAQ - managed by the author
The new phone book's here! The new phone book's here!
Thanks Scott. And I'll fix the RSS feed. I'm experimenting with multiple versions and driving people nuts with changes on the back end.
Thursday, August 21, 2003
Minimizing what's running
Here's an article which explains how to determine what services are running and how to turn specific ones off. (for Windows systems)
Amazing what you can dig out of message headers, huh?
Useful Windows Command Line Commands
Bookmark this one for future use!
Wednesday, August 20, 2003
Yet Another Thing to Waste Your Free Time
Here's someone who built a war-spying rig. War-spying amounts to intercepting wireless security camera signals.
Nothing good can come from this one. Probably nothing bad either, but it does have capacity for some evil doing.
Monday, August 18, 2003
I'm not holding my breath...
The more paranoid types have been relating the power failure to the oddly coincidental worm infection. According to this article, it has been discounted. If you read the article, no solid claim has been made in either case. The strongest point in the article is that a security research director finds it difficult to believe that an industry would use Windows to control its equipment.
Gee, does anyone else remember the Microsoft commercials in which the guy changes the color of the car being painted to match a purse? (Hint: that's Windows being used in industry!) Aggregate that with the "no one's been to the server room in days" commercial and various less-clueful industries might have bought Windows believing that they were getting the most secure OS for their industry.
Would someone please tell Reuters that if they want a quote about security in the power industry, they should be talking to the security experts IN the power industry, not printing opinion from someone who didn't have anything to do with the design of the control systems (or their security) at the power plant.
The article contains only opinion from people "out of the loop". Quotes such as this, from "recognized experts," lessen the veracity of any future statement made by any other security person.
Mr. Paller, shut up.
Tom Clancy Needs a Break
As bad as I felt, Mr. Clancy appeared even worse, looking like he was on the low end of a three-day hangover. Turns out this is the third city in as many days in as many states that he's had signings in and he's due at another one most of the way across the country tomorrow.
Tom, talk to your publisher. Get them to schedule days off every other, or every third day, so's you can sleep in. You looked like crap today.
Thanks for the autograph though.
For those wondering, it's another Jack Ryan novel, chronologically early in Jack's life. I've read four chapters already and my wife is hinting that it's past bedtime.
Never Mind Mom, I've Found Some
It also appears to be a "buyer beware" market as quite a few of them have disclaimers protecting the seller from any malicious code which might be hidden in the software they're selling. Silly part of the whole thing is that 99% (if not 100%) of the software being sold is readily available on the Internet. Some of it is even out-of-date.
Not one to let a good idea pass by, I am now offering the following (on separate CD's):
- a list of books which reside on my bookshelves
- a collection of howto's which I've written
- every bit of intellectual junk or garbage which I've authored and managed to save on three systems
- a digital album of the Crepe Myrtle growing in my front yard (bonus, Christmas shots from the neighborhood)
- a semi-humorous attempt at trying to explain my family tree (I have four half-sisters, three half-brothers, one foster sister, and one foster brother). Hint: One of those half-brothers has the same first name as me so two of my half-sisters don't take references to "this is my brother Daryl, this is my other brother Daryl" jokes too kindly. (Note: my name is not Daryl.)
Okay, too silly. Time to end this one.
Sunday, August 17, 2003
Mom, Please Send Money
Okay, it's fake but it's funny if you've ever been the recipient of N-419 spam. Read the SCO version here.
Saturday, August 16, 2003
It's your fault too!
For God's sake people, Exchange/Outlook was designed to be a LAN application, NOT an Internet application. If you've got to access your e-mail over the Internet and just gotta have MS-based clients, use the POP or IMAP protocols. Even better, use the SSL-based versions of those protocols, or use OWA or a VPN.
Using a standard Outlook/Exchange configuration opens you to problems such as the Blaster worm.
Analogy: Tractors. Tractors are designed for driving back and forth across your property, doing heavy chores like plowing, baling hay, or "spreading" manure. They are NOT designed to be taken out on a four-lane highway to get you from point A to point B. You not only run the risk of getting killed when the engine explodes, you inconvenience every other user of that four-lane and most likely anger local authorities.
Take a close look at how you do business and drop me into the Thoroughly Disgusted category.
The Coroner's Toolkit
This is just a magazine article about the toolkit, if anyone knows of a good lesson or how-to, please post it in comments.
Thursday, August 14, 2003
How the Blaster worm propagates
It looks a little crappy (the fonts look horrible or are too small) because it's the first time that I've tried to push a PowerPoint presentation through OpenOffice. I'll clean it up over the next few days and add some more details.
Let me know what you think? (Suggestions for better appearances?)
Wednesday, August 13, 2003
Monday, August 11, 2003
RPC Buffer Overflow GUI?
Can't you just tell it's Monday. I wonder what joys work will bring this morning. (I got up at 4 a.m. this morning and I haven't had my coffee yet.) (I'm in a good mood dammit!)
An actual victory?
The BSA has claimed a victory by reducing the level of piracy in the U.S. by 2% last year, even though the total is up $100M (piracy amounted to an estimated total of just short of two billion dollars last year, by their calculations).
Something's not quite kosher in the report. (I wish someone would hire an honest mathematician. Or, at least, explain their math to me.) If piracy increases one hundred million dollars and causes a loss of an additional 105,000 jobs (equates to $950 per job, which also doesn't sound correct), how does piracy decrease 2%? Do you get the feeling that someone is using a random number generator?
I also love the blanket statement of "Piracy depletes available funding for valuable research and development causing the staggering job losses and billions of dollars in lost wages and tax revenues." Most "innovation" is done by small companies prior to buy-out by larger corporations. Of late, piracy has mostly affected those companies who have the least to do with innovation and the most to do with the purchase of those same companies.
I live in a city where the BSA successfully stomped out piracy by causing the city government to cough up $$$ because they couldn't match the number of licenses to the number of computers in use (question: how many of you actually rec'd paper certs when you bought your machine?). Never mind that the purchase of additional paper cost the city government enough $$$ that they had to "not hire" at least five $20K employees to cover the cost of the purchase of additional licenses. Based on the reasoning that no criminal charges were filed, it was an honest mistake and "saved" more jobs (by BSA's logic) than it deleted. (Note: we're also a member of the list of states where piracy is the least prevalent!)
Based on the logic used in BSA's annual report, I can claim a victory for ecology because I've slowed global warming by 2% by getting 30 of my friends to switch from aerosol hairsprays to pump-based even though there's an extra 300,000 people on the planet due to birth rates. Proof? Our local ocean temp was 15 degrees cooler this year than average.
My final question: given BSA's altruistic intentions of "promoting a safe and legal digital world", why haven't they weighed in on the SCO/IBM/Linux Intellectual Theft issue?
Sunday, August 10, 2003
Setting up for forensics
This is a bit deja-vu-ish as I was present at just such a presentation earlier this week. A good read.
RPC buffer overflow tutorial
Saturday, August 9, 2003
Thursday, August 7, 2003
Covert HTTP Channel Detection
Note: Gray-World's alternate title (slogan?) is: Network Access Control Systems bypassing.
This site has a lot of discussion (and tools) about setting up covert channels.
So far, I've got my system rebuilt, minus a whole bunch of tools and data. I'm going to have to wait until the weekend to restore off of the backups. I've got enough in "draft" to cover posts until then.
Wednesday, August 6, 2003
Tuesday, August 5, 2003
Recovering Hidden Data on Linux
Monday, August 4, 2003
Linux Security has an article about setting up various utilities/services to run under Chroot.
Sunday, August 3, 2003
It's a surprise?
Personally, I think it's obvious why: for the same reason SSL is widespread and why Microsoft Windows remains popular even after horrendous security incidents. It's because people are inherently lazy. They are willing to "live" with various risks/abuse for the sake of not having to click two more buttons (what's more or less involved with using PGP in Outlook).
For cryptography use to become widespread, it's going to have to be transparent to the average user. Even a minimal setup requirement will cause most people to avoid using the technology.
Saturday, August 2, 2003
A good general purpose network monitoring tool
TOC and Search
Update: Please note that these features are in development and might not work as you expect them to (default values still need work). However, it is still useful.
The Eighth Layer of the OSI Model
the political layer.
Nothing else happens in the upper layers without it.
Never mind that there's an incident in progress. Never mind that you're responsible for network security. Let it burn! Until such time that the paperwork is signed, no one is going to change anything on this network! So go home!
That's all I'm allowed to say and I apologize for the mysterious half-rant. Those of you who know me, know what I'm talking about.
New Vulnerability Blog
The worm then gathers e-mail addresses from the local machine, generates new infected messages and sends them to the collected addresses via a list of known open relays. Congratulations, you've just spammed your friends, family, and coworkers with infected messages.
Precautions to take:
- Make sure your browser is up-to-date (the vulnerability this worm exploits has been around since January)
- Don't open unsolicited mail from people you don't know, especially those with attachments.
- Install an anti-virus product and keep it up-to-date.
Friday, August 1, 2003
Other uses for Make
An interesting read.