Turns out Black Sheep Networks has an awesome collection of links, mostly security-related (hint: click on security in the main menu).
Monday, September 29, 2003
Sunday, September 28, 2003
Changes so far:
- Comments displayed on the main page (I think I've got it tweaked to where I want it.)
- Trackbacks listed on the main page (requires more cosmetic tweaking)
- Removal of the IM feature (never got much use)
- Removal of the BlogSnob stuff
- Added a couple buttons on the left
- Removal of links not directly related to blog.
- Coming up with my own version of BlogRolls (why pay for something when you can write your own?)(I'm getting better with PHP!)
- "fixing" the boxes around each entry (a few complaints about same)
- making my aggregators available (I use 3 from various locations during the week)
- Embedding a couple blogs in columns 1 or 3 for use as sidebars
I can "put back" anything if anyone wants (complain loudly!!).
I'm going to abuse the 24x7 customer support line this afternoon. I'll keep you posted.
Saturday, September 27, 2003
Thursday, September 25, 2003
Tuesday, September 23, 2003
Monday, September 22, 2003
The Serv-U FTP server hack seems to be (in my experience) the most widely used hack. It's how all those IRC DCC file servers get set up for the #warez and #movie channels. They're not real hard to clean up after but they can be an embarrassment to whoever was responsible for network security in the first place (school had this, bad!).
Sunday, September 21, 2003
Tinfoil Hat Linux is a single-floppy Linux distribution for the paranoid on the go. It will allow you to boot Linux on just about any machine, grab your encrypted e-mail, read it, send replies, and move on, leaving little or no trace.
Useful if you're that paranoid person, yet another hard-to-trace problem if you're a network admin type.
Anyways, back to the blog...
Did I miss anything while I was offline?
Tuesday, September 16, 2003
Monday, September 15, 2003
Sunday, September 14, 2003
Isabel is due to pass directly overhead sometime late Thursday so if I don't post for a while (or if the server goes away entirely), you'll know why.
With the exception of one bad storm in the 80's, this area has dodged the bullet, more or less, for over 30 years. Local wisdom has said that we average one bad one every 15 years or so.
Me? I've been here, off and on, since '81. During the storm in '84 (I think), my property consisted of one motorcycle which I had to spend a month cleaning as it spent the storm in a parking lot approx. 100 yards from the beach (I had no chance to move it.)
After the storm, it was exactly where I left it but I spent the next month cleaning salt out of it (and the leather was ruined).
Nowadays I have a house, two vehicles, and a panicky wife. There's a good chance that my job will require me to "ride it out". I still want my wife and teenager(s) (ask me sometime), out of town.
Wish me luck.
Saturday, September 13, 2003
In the ongoing battle to detect customers' infected machines, I've come across an interesting bit: any machine infected with the Welchia/Nachi worm is left running an open TFTP server. "Open" in that it will accept any file you hand it.
I still don't know if I'm limited to a folder or if I can put it anywhere I want or pull any file I want. I'm going to have to dig out the old VMWare and try it out, I guess.
Friday, September 12, 2003
This moron over at The Globe and Mail seems to think that Microsoft doesn't have the "most hacked" title. Someone want to clue him in that most "hacks" for MS are so easy that they've been automated and turned into viruses and worms. (A worm which leaves a backdoor for remote access might be called "automated break-in"?)
Faugh on marketing twisters!
Those responsible have been sacked and the moose is feeling much better now.
The problem with most anti-virus products is that they're signature based. In reading various blogs, lists, and sites, the new technologies that we'll see in viruses include even better polymorphism and portless backdoors.
Polymorphism is the ability to change a stored file's appearance, usually through simple encryption and compression. This technology is only going to get better.
Portless backdoors are something being developed, under the guise of a systems administrator tool, where a binary listens for a specific pattern of traffic followed by a command, all without opening a port to listen on.
To date, worms/viruses are pretty easy to detect. How do you know if you have an infected/compromised machine on your network? It's usually doing one of three things:
- spitting up prodigious amounts of outgoing mail
- noisily generating traffic on some other port
- or listening on a specific port for commands from its new master.
Currently this requires driving the local NIC into promiscuous mode and then filtering incoming traffic. But from a virus/worm's point of view, this is a good thing as promiscuous interfaces are much harder to detect than open ports, remotely or otherwise. (We're going to have to get a lot better at detecting promiscuous interfaces!)
Given that the recent versions of malicious code already know how to turn off virus scanners and firewalls, things are going to get a whole lot darker before things improve.
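As an added example (not code from the original post), here is a small Python script that turns the three indicators above into checks a NOC could run over exported flow records, plus the host-side promiscuous-NIC check the post says we need to get better at. The flow format ("src dst dport proto", one per line), the 10.0.0.0/24 customer range, the baseline port set and the thresholds are all constructed assumptions; the `IFF_PROMISC` bit value (0x100) is the real flag the Linux kernel exposes in `/sys/class/net/<iface>/flags`.

```python
from collections import defaultdict

IFF_PROMISC = 0x100                 # Linux IFF_PROMISC bit (include/uapi/linux/if.h)
INTERNAL_PREFIX = "10.0.0."         # assumption: the customer subnet in the sample
BASELINE_PORTS = {25, 53, 80, 443}  # assumption: ports we expect heavy traffic on

# Constructed flow records ("src dst dport proto"); not a real capture.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 25 tcp
10.0.0.5 198.51.100.7 25 tcp
10.0.0.5 192.0.2.33 25 tcp
10.0.0.5 203.0.113.44 25 tcp
10.0.0.5 198.51.100.9 25 tcp
10.0.0.7 203.0.113.10 25 tcp
10.0.0.7 192.0.2.8 80 tcp
10.0.0.9 192.0.2.70 135 tcp
10.0.0.9 192.0.2.71 135 tcp
10.0.0.9 192.0.2.72 135 tcp
10.0.0.9 192.0.2.73 135 tcp
203.0.113.99 10.0.0.12 6667 tcp
198.51.100.3 10.0.0.12 6667 tcp
192.0.2.50 10.0.0.12 6667 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def mail_spewers(flows, min_targets=5):
    """Indicator 1: internal hosts opening SMTP to many distinct outside hosts."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dport"] == 25:
            targets[f["src"]].add(f["dst"])
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


def noisy_ports(flows, min_flows=4, baseline=BASELINE_PORTS):
    """Indicator 2: internal hosts hammering one non-baseline port outbound."""
    counts = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dport"] not in baseline:
            counts[(f["src"], f["dport"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_flows)


def unexpected_listeners(flows, min_sources=3, baseline=BASELINE_PORTS):
    """Indicator 3: internal hosts accepting inbound connections from several
    outside sources on a port we do not serve (something waiting for its master)."""
    sources = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] not in baseline:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return sorted(k for k, s in sources.items() if len(s) >= min_sources)


def is_promiscuous(flags_hex):
    """Host-side check: flags_hex is the text of /sys/class/net/<iface>/flags
    (e.g. '0x1103'); the NIC is in promiscuous mode when IFF_PROMISC is set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("mail spewers:", mail_spewers(flows))
    print("noisy ports:", noisy_ports(flows))
    print("unexpected listeners:", unexpected_listeners(flows))
    print("eth0 promiscuous:", is_promiscuous("0x1103"))
```

Thresholds are deliberately low so the constructed sample trips all three checks; on a real border router you would tune them per customer and feed the results into whatever ticketing the NOC already uses. The promiscuous check only works from the host itself (or over a management channel), which is exactly the point the post makes: a portless backdoor leaves nothing to see in the flows.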
- A Practical Approach to Stealthy Remote Administration by email@example.com for LinuxSecurity.com
- SAdoor website
It'll be sorely missed. IMHO, BSDi was the only implementation of ANY operating system that had a decent TCP/IP stack interface.
Proof? Running DNS on any operating system, MS and Linux included. While every other OS operated at 50% or higher loading while serving 30K users, BSDi barely hit 4% consistently.
Hopefully the code will be made available to other projects (not necessarily open source) so that we can continue to enjoy the level of performance provided by the current versions of BSDi.
Thursday, September 11, 2003
Stand by, people! Here it comes again. (I'd have blogged about this earlier but I was in class when I found out about it.) Microsoft has announced two more RPC vulnerabilities and released the patches. Supposedly the exploit code is already on the street (which means that both the hackers and Microsoft have known about the vulnerability for a bit).
Now that it's public knowledge, it won't be long before some mouth breather "adapts" the Blaster worm to use the new exploit. Amongst the various people I've talked to so far, the general groupings in the worm pool say, 2 days or just shy of 2 weeks.
Patch your boxes now and block the usual MS RPC ports!
Note that in the PC World article, the Microsoft rep takes the "ignorant" approach in the last three sentences, after claiming that the vulnerabilities were discovered internally as well as by independent sources. Nothing like being truthful, huh?
Wednesday, September 10, 2003
Even taking into account the inertia inherent in corporate thinking, it looks like management might be realizing that blindly trusting in vendor software might not be a good thing.
For any system to be truly reactive, it must be adaptive. This means that you not only have to have the software, you need the trained personnel. A big plus is having a system that is easily "adapted" to meet situational needs. Unfortunately this counts out just about every piece of commercial software as its API (or underpinnings) is closed (proprietary).
To date, the most successfully resistant system that I've witnessed in action was a hybrid *nix/MS mix in which the system administrators constantly (let me say it again, CONSTANTLY) monitored their servers and actively responded to new situations. While the end-point was an Exchange server, immediately upstream was a Unix-based Sendmail server which "protected" the Exchange box from viruses (TWO scanners) and UBE (SpamAssassin). All of this was tied together with various Perl scripts which allowed the entire system to be twisted to meet the situational needs of just about any virus attack.
With the Aplore virus, this system protected its 30k+ customers within the first ten minutes of the spike in traffic. None of the customers had to go offline until their anti-virus vendors came up with new signature files. Rather, the heroic efforts of "Steve" (manually deleting infected files on the store-and-forward server while the coder was coming up with a solution) allowed our customers' servers to stay online while other organizational systems were taken offline to protect themselves. The anti-virus vendor came up with new signature files about 36 hours later.
Tuesday, September 9, 2003
Monday, September 8, 2003
Sunday, September 7, 2003
Let me know what you think? Suggestions? Content?
Saturday, September 6, 2003
1) E-mail is handled by a number of machines as it goes from point A to point B. When user A hits send, the message gets deposited on his local server.
2) That server may scan the mail for viruses/spam/inappropriate content before dumping it in the outgoing queue (a folder or directory on the hard drive). Normally that queue gets processed every five minutes or so. Depending on system load, this time period is variable.
3) The local mail server then hands the mail off to the next server (usually the site's firewall), which causes the mail to go through a similar scan, queue, and forward process until
4) the previous step is repeated as the message passes from the local network onto the Internet, then onto the recipient's network until
5) the e-mail is received at user B's local mail server.
Depending on the size of the organizations involved, this can happen up to or over 25 times (think about the number of places/people involved in delivering a hand-written letter to Aunt Sophie on the other side of the country).
Mail servers are designed to alter their characteristics depending on their current processing load. (This applies to Exchange, Sendmail, and Postfix as well as just about any other MTA.) Above a certain load, mail servers will ask delivering MTAs to hold their content so that the local server can catch up on its own deliveries.
Now mix in the SoBig virus. This thing has even outperformed Klez in the sheer numbers of infected traffic generated. Given a file size of about 72K and approximately 1000 infected messages per day for a small-to-medium-sized organization, this means a processing requirement of about 72 MB per day. Throw THAT on top of the organization's normal mail traffic and mix in the usual bandwidth requirements for web browsing abuse, audio streaming, P2P file trading, and the ongoing problem with Blaster/Welchia. What you get is any under-sized gateway and/or gateway servers (mail handling devices in this case) slowing down delivery of mail.
Want to figure out which servers caused your mail to be delivered late? Read the message header. It'll show "Received by" dates and times for each server it passes through. One thing to remember though: not everyone keeps their system clocks set properly.
Overall, given the havoc being created by Welchia/SoBig and any organization's tendency to spend the least amount of money possible when buying IT equipment, count yourself lucky that it only took 12 hours for you to get your e-mail. Want something faster? Try using IM or the telephone!
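The header-reading trick described above, as an added Python example that is not part of the original post: it walks the Received: headers from oldest hop to newest, works out how long each server sat on the message, and flags any hop whose clock appears to run behind the previous one (the post's warning about unsynchronized system clocks). The sample message is constructed, and the "by <host>" regex assumes the common Sendmail/Postfix Received: wording; real headers vary.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message. Headers are prepended as the mail moves, so the top
# Received: line is the most recent hop and the bottom one is the first.
SAMPLE_MESSAGE = """\
Received: from gw.example.org (gw.example.org [192.0.2.1])
    by mail.example.net with ESMTP; Sat, 6 Sep 2003 14:10:02 -0400
Received: from smtp.example.org ([10.1.1.5])
    by gw.example.org with ESMTP; Sat, 6 Sep 2003 09:30:45 -0400
Received: from workstation-a ([10.1.1.20])
    by smtp.example.org with SMTP; Sat, 6 Sep 2003 09:31:10 -0400
From: a@example.org
To: b@example.net
Subject: where is my mail

body
"""


def received_hops(raw):
    """Return [(receiving_host, timestamp), ...] in chronological order."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # oldest hop first
        text = " ".join(hdr.split())                    # unfold the header
        m = re.search(r"\bby (\S+)", text)              # assumption: "by <host>" form
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append((m.group(1) if m else "?", stamp))
    return hops


def hop_delays(raw):
    """Return [(receiving_host, seconds_since_previous_hop), ...].
    The first hop has no predecessor, so its delay is None."""
    out, prev = [], None
    for host, stamp in received_hops(raw):
        delay = None if prev is None else int((stamp - prev).total_seconds())
        out.append((host, delay))
        prev = stamp
    return out


def slowest_hop(raw):
    """The server that held the message longest (where to point the finger)."""
    timed = [(h, d) for h, d in hop_delays(raw) if d is not None]
    return max(timed, key=lambda hd: hd[1])


def suspect_clocks(raw):
    """Hosts whose timestamp is earlier than the hop before them: either a
    clock that is off, or a header that cannot be trusted."""
    return [h for h, d in hop_delays(raw) if d is not None and d < 0]


if __name__ == "__main__":
    for host, delay in hop_delays(SAMPLE_MESSAGE):
        print(f"{host:20} {'first hop' if delay is None else f'{delay:+d}s'}")
    print("slowest:", slowest_hop(SAMPLE_MESSAGE))
    print("clock trouble:", suspect_clocks(SAMPLE_MESSAGE))
```

In the sample, the gateway stamped the message 25 seconds before the server that handed it over did, so that hop is reported as clock trouble rather than as a negative delay you can act on; the real culprit is the four and a half hours the message sat between the gateway and the destination server.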
Friday, September 5, 2003
Things that worry me:
- RIAA is not a law enforcement agency so any laws that would normally apply don't
- Because this is effectively an admission of guilt to a third party, your expectation of privacy is virtually nil.
- They want to know what you look like.
Not that I condone piracy. I don't. (I've participated in at least two projects which have gone private with no credit). It's just that I'm a bit confused in trying to figure out how stupid the RIAA thinks the average pirate is. Give us all the information we need to apprehend you and we'll forgive you?
I wonder how many entries they'll receive for the following people:
- Hillary Rosen
- Mitch Bainwol
- The Easter Bunny
- Fluffi Bunni
- Santa Claus
- etc., etc., etc.
You turned yourself in? Did you get a contract from the RIAA stating that you've been given amnesty?
Date: Mon, 1 Sep 2003 17:25:34 -0500
From: Brian Carrier
To: Forensics , firstname.lastname@example.org
Subject: Honeynet Scan of The Month #29
The latest Honeynet Project's Scan of the Month has finally been
released. We think you will find that it was worth the wait though.
Your mission is to conduct incident response and analyze a live image
of a compromised Linux Red Hat 7.2 system. Using VMWare, the honeypot
system was suspended and the challenge is to verify the incident and
analyze it, while minimizing the impact you have on the potential
evidence. An eval copy of VMWare workstation can be used for the
The image details and a full list of questions can be found at:
Because of the amount of work involved in this challenge, a full month
will be given. All submissions must be returned no later than 23:00
GMT September 29, 2003.
The Honeynet Scan of the Month is to forensics types as the free-weight room is to bodybuilders. Various abilities and group efforts are welcome (unless otherwise stated in the intro for the month's contest).
Thursday, September 4, 2003
I'd bought one of the original LinkSys BEFSX41's (old enough not to have a "version") for my home network. Somewhere along the line, it started acting up, dropping the internal connection and refusing to talk to my computer. Tonight I accidentally left my only other router at school and was forced to try the LinkSys again. POS dropped out after 10 minutes and then wouldn't stay up for more than a minute or two if I left it connected to the cable provider.
So... after unplugging the provider and rebooting the router, I went through each menu option, examining ALL of the settings. Damned if I didn't find both options for UPnP turned on. Since then I've been online for over 30 minutes.
I'm keeping my fingers crossed and hoping it'll still be working in the morning. If my wife discovers that she's going to have to spend the day offline because of "no router", there'll be hell to pay.
Wednesday, September 3, 2003
Tuesday, September 2, 2003
For the blog version of techno adventure read "A Day in the Life...". I can't vouch if the situations are real or not but they're written well enough that I'm looking forward to the next installment of "Mysteriously Missing Records". (heh)
Monday, September 1, 2003
He doesn't use Microsoft OSes but Microsoft used some of his public domain code in XP so his e-mail address was included in the local License. If anyone doesn't remember what the Klez (and other) worm(s) do, part of it scans the local hard drive for e-mail addresses to use in the "To:" and "From:" lines of infected messages. The end result: Phil and the three other guys who wrote "free" code have been pounded on by just about every infected XP user.
I'd be pissed, too. Actually, after two arguments at work about this, I'll go stand on Phil's side of the line. Someone actually said that "Microsoft is the source of all this malicious code because of their market share". They're the victim?!??!
#*@:!!!! <--- replace with your favorite multi-syllable expletive
Market share is only part of the reason, possibly a small part of the reason. The major part of the reason is that Microsoft has tied all of their software together and has done it so insecurely that it's like dog poop on the sidewalk. Leave it there long enough and you'll get crawly things in it.
(Don't believe me. Okay, MS SQL doesn't have that big of a market share. Why hasn't an Oracle worm prevented me from getting money from an ATM and hopping on a plane?)
For the rest of my rant, keep this paradigm in mind: security depends on simplicity.
The more complicated a software product is, the more likely it is that the product contains exploitable bugs. Adding features, even if they're security features, only makes the code more complicated and, past a certain point, may seriously affect how code works in other portions of the program. (What, no one has installed an MS patch and been surprised by a registry setting change or a failure in some other program?)
(In my opinion) Any claims that Microsoft makes about increasing security by taking a month off to review code and then returning to churning out new features is totally bogus. To increase security, they're also going to have to take a look at how their code interacts! If the OS was a house, it would have slid off of its foundations long ago.
Why am I pissed? Why "hate"? Try two solid weeks of Blaster/Welchia/SoBig side effects combined with the usual inter-org politics and under-caffeinated moodiness. No, the NOC doesn't use MS but 90% of the customers do.
I hereby curse Alexander Graham Bell for commercializing the telephone (I don't want to get into the argument about who actually invented it.)
Seems that the worm delayed the signals between the power plants long enough to cause the automatic protections to run outside of specifications. Think of a public address system with run-away feedback. It's a sign of being unbalanced. The system actually oscillates and throws subsystems off. It's a result of engineers designing a system around what they think will be "normal" stresses to a system and not taking into account what is deemed unlikely. Protecting against the unlikely is usually not cost effective (i.e., no return on an expensive process).
This is part of vulnerability analysis: reviewing what normal processes of a system are, what abnormal processes a system is designed to handle, and what abnormal processes the system is not designed to handle.
Unfortunately it is very difficult, if not impossible, to foresee every possible vulnerability a system has. (Note: Mother Nature/Fate/Kismet often displays those unforeseen processes for us.)