Thursday, October 30, 2003


Yet Another Distribution On CD: Dyne:Bolic.

This one is targeted, more or less, at artists, claiming to contain everything you need to record, edit, encode and stream audio and video data, all without having to set up an extra partition on your hard drive.

This distribution also auto-discovers other Dyne:Bolic systems on the LAN and clusters with them.

Wednesday, October 29, 2003

Universal RPC Exploit

Bowulf posted this one a while back but it's something I'm going to need for class. Supposedly, it's a "universal RPC exploit". "Universal" in that it's supposed to be able to exploit the RPC service no matter what port it's running on. (Hint: if you're running anything on Microsoft, you've got at least one RPC port open, sometimes on ports you're not aware of.)

Tuesday, October 28, 2003

New law would require computer security audits, status reports

This is going to create a lot of work for security types. In the long run, it will probably cause security companies to become bonded, certified and/or licensed. (Insurance companies and stockholders love that sort of thing.)

Vi tutorial

0xDECAFBAD had a quick-pointer to a Vi/Vim tutorial on Harvard University's site.

Monday, October 27, 2003

Vi and XML

PinkJuice has an online tutorial (Warning! Default page contains art in bubble-gum pink!) which covers various valuable tweaks if you use Vi to edit XML. It also has a whole slew of valuable tips for general use of Vi.

Note: this guide is also available in PDF form from the same site.

Sunday, October 26, 2003

XML Microcontent

From 0xDECAFBAD, a piece about microcontent.

More wiki stuff

I've added the following to the wiki:

  • Procmail

    • Using formail to break incoming message digests into individual messages

    • Playing sounds when mail arrives

  • Spam

    • How to add MySQL logging to MIMEDefang

  • Vi

    • Like or hate the multicolored syntax highlighting? Turn it on or off!

    • Opening many files at the same time

The link for the wiki is in the menu bar above.

Saturday, October 25, 2003


One of the things about running intrusion detection on your home system is that you often see stuff that your service provider doesn't want to (or can't) deal with.

My service provider is a very large (read that as national) high speed cable provider. Currently it's in the middle of a severe ARP storm. It's gotten so bad that connecting to this site from across town is slow.

I logged the packets and had them ready to mail off. Turns out the helpdesk doesn't know what the heck I'm talking about. I ended up entering a clueless level ticket in which I complained about "the Internet being slow". It was about the best I could do via that poor kid. He started getting confused when I talked about DHCP, arp requests, and MAC addresses.

Oh well... I'm off to the doctor to see if I can get this key cap removed from my forehead.

Yahoo New Search

I'm going to want/need this at a later date.


It's a bit weird, but it's bound to be a classic. The new TypePad service is hosting a geek that most of us with cable will probably recognize.

Protecting you from yourself?

AOL's been caught making adjustments on subscribers' machines. While their motives are well-intentioned, I think their methods leave a bit to be desired.

Thursday, October 23, 2003

Wednesday, October 22, 2003

Tuesday, October 21, 2003

Cracking Windows Passwords in Seconds has a pointer to a password problem that Microsoft really needs to fix.

Bruce Schneier Interview

Slashdot pointed out that Bruce Schneier has done an interview in which he suggests that physical security should be treated like computer security: treat it as a system.

Sunday, October 19, 2003


If you look closely at the menu bar, I've added a Wiki (actually phpWiki) to the options. For now, it's an experiment but I do want to move into using this sort of thing. I'm just not sure which version to settle on. Comments?

Secure the perimeter?

Secure the perimeter?

Secure the perimeter?

Secure the fsck'in perimeter!?

Gee, I think that puts Microsoft's level of security at circa 1990. Does it mean that Microsoft is abandoning trying to secure the code?

After a quick read, I think I can make a few quick predictions:

  • Microsoft will make lots of money selling "more capable" firewalls
  • Millions of Microsoft users will be complacent about their internal networks because "Hey, we've got a firewall to protect us!"
  • resulting in thousands of crunchy-on-the-outside, chewy-on-the-inside networks, thereby lowering the overall level of security on the Internet

One of the biggest shortcomings of using Microsoft workstations is that each and every one of them is also a server, because the same services used to join the local network allow the workstation to share services and data. Let's enumerate what ports 135, 137, and 139 are used for:

  • DHCP to configure your workstation
  • getting your mail to/from the Exchange server
  • RPC calls (allows someone else to remotely run functions/programs on your machine)
  • Microsoft's DNS and WINS services
  • network logons
  • printing services
  • file sharing
  • directory replication
  • event viewer services
  • registry editor
  • user manager
  • and diagnostics

And that's just to/from a workstation. I'm amazed that it took as long as it did for someone to consider NetBIOS as an infection vector.

Welchia provided a very good example of why security has to be from the ground up. Various organizations learned the hard way that while their firewalls protected the front door, various backdoors lurked in their networks. That, coupled with a laissez-faire attitude toward timely patching, allowed the damage to stack up like it did.

Hmm... I wonder how Microsoft is going to do/market it. Single-purpose applications? Peer review of all code? [*gasp*] (Yeah, you heard me. I said "open source".) "Embracing and extending" more security protocols? Couple all this with the DRM crack they're pushing and recent attempts to get into the BIOS (the stuff that tells your computer how to boot) business, it's going to get real interesting.

I can hardly wait.

Friday, October 17, 2003

Shatter Attacks - How to break Windows

Anti-Crack has an article about shatter attacks on Windows. Note: This is a vulnerability that Microsoft is likely NOT to fix as it requires such a massive rewrite of code. The good news is that (so far) the attack requires local access to the system.

Worm FAQ

NetWorm has a FAQ about network-based worms.

Wednesday, October 15, 2003

Might be worth the $15

Until someone comes up with a better driver for the kernel, this might be worth the fifteen bucks, especially if it's a viable tech and isn't limited to just wireless drivers.

How It Works: Master Boot Record (MBR)

AntiCrack has a short piece on how MBRs work.


Geez! If the NSA talked to anyone, they'd be telling industry "I told ya so!". Reworded: For over a decade the NSA has been saying that monolithic networks are "a bad thing"(tm). (I'll look for the link.)

Monday, October 13, 2003

Shift key bypass

Wonder why SunnComm decided not to sue the Princeton student for "discovering" that the autorun security could be bypassed by holding down the shift key?

Could it be that Microsoft lists it as a feature? (Look at the last shortcut before the first table.)

SunnComm would not only have to sue the Princeton student, they'd have to sue Microsoft for engineering the workaround for SunnComm's security device.


Odd that SunnComm stated that they didn't want to be the one to stifle research. Some research.

Badgers? We don't need no stinkin' badgers!

Ever wonder where the book burners from the 50's went to? They went online.

Why am I saying this? I'm reading a lot of discussion concerning the "we gotta do something to fix this" movement where people are suggesting that "we" "fix" IRC, SMTP, and HTTP so that the miscreants can't abuse them anymore.

At face value, this might appear to be a good idea. But if you think about it, it's a horrible plan.

First, there's little wrong with the actual protocols. It's the software at the client end of the protocol that's the problem (mostly). Whether it be the horribly insecure mail client or the worm with the built-in IRC bot.

Second, adding features to a product rarely makes it more secure. The more complex a program is, the more likely it will contain errors and/or exploitable "features" (not necessarily bugs).

Third, it smacks of vigilante justice which I severely mistrust. (Ask me sometime about my coffee drinking habit getting my 80-year-old grandmother in trouble with the church.)

Want to make the internet a safer place to work/play? Try a few of the following:

  • Use a different mail client at home than you do at work. If possible, don't use Outlook/Outlook Express.
  • For that matter, use a different OS (or at least a different version) than what you use at work.
  • Use a different virus scanner at home than you do at work. Ideally, your work will use more than one scanner. Make sure to check for new signature updates on a daily basis.
  • Use a firewall. If possible more than one. (i.e., use a software-based one on your computers along with the one on the four-port router.) Ideally, your employer will use a corporate-grade firewall which hopefully has application proxies for most of the protocols used. In any case, configure your firewall(s) to only allow those protocols that you need to conduct business/pleasure. Turn off everything else.
  • Learn how to read your log files. Why go to all the trouble of getting those neat security tools and then treat them like pretty toys?
  • Learn how to read message headers. It will help when you're trying to figure out if Aunt Milly actually sent you that infected message.
  • Learn how to politely report incidents, whether they be spam, port scans, or viruses. Most ISPs will respond to effective and polite emails indicating that something is amiss in their networks. Be polite even when you're angry. Even if it hurts.
  • Pick a computer news site, an anti-virus vendor's site, and a CERT site (there's lots of them). Visit each of those sites at least once a week and read the "new stuff". For the really adventurous, find an RSS feed aggregator and subscribe to a bunch of security-related feeds. (Personally, I like BlogLines, which is completely online, and if you ask nicely, I'll provide a list of the feeds I use.)

You don't have to do all of the above. Two is okay. It improves life for the rest of us just a little bit. Anyone else have any suggestions to add to the list?

Sunday, October 12, 2003

Security Forums Dot Com :: View topic - The Anonymity Tutorial

Security Forums had a post containing The Anonymity Tutorial. Please note that it is not entirely accurate but gives a good starting point for more research, whether you're trying to learn more about it or trying to stop it from happening on your network.

Hint: the only way to stay anonymous on the Internet is to stay off of it, forever (and that doesn't always work either)!

A good idea?

Given the amount of trouble (viruses, worms, non-backward compatibility between versions, etc.) caused by tying the mail and web clients to the desktop and the operating system, does anyone else get a bad feeling when they talk about tying the BIOS in also?


Sorry for being offline the last couple of days. I've had surgery and have been on some heavy pain killers. I'm home but can't seem to stay awake for more than a couple hours at a time. Heck of a way to spend your birthday.

Thursday, October 9, 2003

Michael Reynolds

Michael Reynolds has a short piece on setting up password authentication for your Apache-based website.

Adjacent Overwrite Bugs

Rosiello Security has a text file from DTORS Security Research Group (think hackers) which describes how adjacent memory overflows are done.

Buffer Overflows

Rosiello Security has a text file from DTORS Security Research Group (think hackers) which describes how a buffer overflow is done. Again, it's aimed at hackers but gives you an idea of what you're up against.

Wednesday, October 8, 2003

Reverse Engineering Binaries

Rosiello Security has a text file entitled "Reverse Engineering Binaries" which describes an approach for reverse engineering binaries (machine to C).

This is an exercise that only the very stubborn should attempt as it's very difficult and (IMO) you'll never come up with the same result twice. An interesting read though.

Infosec Writers has an interesting dissection of the Mimail.A worm.


I think I've found a graphic to go along with my rants about users (Thank you, Vowe.). Doesn't looking at them just make you all warm and fuzzy inside? (I'm going to ruin that.)
The usual rant will probably go "See how happy they are? It's because they don't know any better."
Consider yourself warned.

Google search tricks

Linux Exposed has a good piece on various advanced search methods.

Blind SQL Injection

Linux Security has a good article explaining the theory behind "blind SQL injection" and how to protect against it. Short version: "Don't trust user input!".

FIPS - 199

SilverStr pointed out that FIPS 199 is finally out.

This is an extremely short document as government standards go but has far-reaching effects as it sets a standard in base terminology for information security and information systems security. The shorter version of the document is "This applies to data, systems, personnel and organizations."

The acceptable format is:

SC(information type)={(confidentiality,impact),(integrity,impact),(availability,impact)}

where

  • "information type" is the person, org, data or system being described and
  • "impact" is either "high", "moderate", "low" or "N/A".

You'll see this used in incident reports, acquisitions, etc. If you interface with government organizations in any way, start using this now. You'll be ahead of the game when its use becomes mandatory (December).
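The notation above is regular enough to validate mechanically. The following is an added example, not code from the original post or from NIST: a parser for SC expressions as written here, plus the high-water-mark roll-up that FIPS 199 defines for a whole system, which goes beyond what the post covers. The function names and sample expressions are constructed for illustration; the rule that N/A is only valid for confidentiality comes from FIPS 199 itself.

```python
import re

# Impact levels in ascending order. "N/A" is the post's spelling of the
# standard's "not applicable" value.
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

_SC_RE = re.compile(
    r"^\s*SC\s*\(?\s*(?P<subject>[^=(){}]+?)\s*\)?\s*=\s*\{(?P<body>.*)\}\s*$",
    re.I | re.S)
_PAIR_RE = re.compile(r"\(\s*([a-z]+)\s*,\s*([a-z/ ]+?)\s*\)", re.I)

# Constructed sample expressions in the notation quoted in the post.
SAMPLES = [
    "SC(public web content)={(confidentiality,N/A),(integrity,moderate),(availability,moderate)}",
    "SC(helpdesk tickets)={(confidentiality,low),(integrity,low),(availability,high)}",
]


def parse_sc(text):
    """Parse one SC expression into (subject, {objective: rank}).

    Raises ValueError for malformed, incomplete or out-of-range input.
    """
    m = _SC_RE.match(text)
    if not m:
        raise ValueError("not an SC expression: %r" % text)
    body = m.group("body")
    if _PAIR_RE.sub("", body).strip(" ,\t\n"):
        raise ValueError("unparsed text inside braces: %r" % body)
    ranks = {}
    for objective, impact in _PAIR_RE.findall(body):
        objective, impact = objective.lower(), impact.lower()
        impact = {"na": "n/a", "not applicable": "n/a"}.get(impact, impact)
        if objective not in OBJECTIVES or objective in ranks:
            raise ValueError("unknown or repeated objective: %s" % objective)
        if impact not in LEVELS:
            raise ValueError("unknown impact value: %s" % impact)
        # FIPS 199 allows "not applicable" only for confidentiality.
        if impact == "n/a" and objective != "confidentiality":
            raise ValueError("N/A is not valid for %s" % objective)
        ranks[objective] = LEVELS[impact]
    if set(ranks) != set(OBJECTIVES):
        raise ValueError("all three objectives are required")
    return m.group("subject").strip(), ranks


def system_category(expressions):
    """High-water mark over the information types on one system.

    A system's values are low, moderate or high, so N/A is floored to low.
    """
    marks = dict.fromkeys(OBJECTIVES, LEVELS["low"])
    for expr in expressions:
        _, ranks = parse_sc(expr)
        for objective in OBJECTIVES:
            marks[objective] = max(marks[objective], ranks[objective])
    return {objective: NAMES[marks[objective]] for objective in OBJECTIVES}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_sc(sample))
    print(system_category(SAMPLES))
```

The parser also accepts the spacing and "NA" spelling used in the standard's own examples, so expressions copied from either source validate the same way.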

IJK Best Practice Guide for Electronic Evidence

Silverstr owns this pointer: "Practice Guide for Computer based Electronic Evidence". Running this through an English-to-English translator returns "Best Practice Guide for Digital Evidence". At a minimum, an interesting read (PDF format).

Tuesday, October 7, 2003

The noises in your head

While not directly related to security, this sort of thing is important. Think of it the next time you're reading spam.

SSH SecurID Authentication

SilverStr also pointed this out. You (those of you that can afford the servers and tokens) can now use SecurID as a method for logging in via SSH.

Sunday, October 5, 2003

Occam's Boomerang

Back in the dark ages of history, Occam once posited "Throw that thing out there enough and, eventually, it'll come back and hit you in the head."

Okay, I'm making it up but it's funny that an industry that makes money calling you doesn't want you to call them. Thank you Dave Barry!!

Side note: The ATA's website appears to be also down at this time, either from the Slashdot Effect or from angry telemarketing victims overloading it.

Geek swag

Found a pointer to this one while digging through my aggregator (sorry, I don't remember where).

SCOTTeVEST specializes in garments with extra (lots!) pockets. They've even got a hat with two hidden pockets.

As someone who owns a vest capable of carrying enough tools to manufacture and punch down Cat-5 and polish fiber (including the heat block), I recommend having one (yeah, I know: geek!).

Exploiting Routers

Security Focus has posted the first part in a series on "Exploiting Cisco Routers". Worth knowing if you have to defend a network.

MIT Courses

MIT courses are online! The "Master Course List" is here. As the main page says, you can't get credit for the info, but the information is free.

Saturday, October 4, 2003

Data Recovery and Hiding

Linux Security has an article about "Data Hiding and Recovery" which gives a quick discussion of recovering deleted and/or hidden data (similar to NT's alternate data streams) in Unix filesystems.


I agree with these guys. Take 'em back!

DSniff Howto

Linux Security has a good step-by-step guide for setting up DSniff and other tools.

Note: This is a discussion for the "good" uses of this/these tool(s). Too many are describing how to use these tools for "evil". We're all going to pay for that in the long run (in the form of overpowered laws, censorship, etc.). We'll end up with laws equating to having all hammers outlawed because there's a certain percentage of the population that have bludgeoned their spouse to death with one.

Don't think so? It wasn't that long ago that legislating "responsible disclosure" was unheard of. Nowadays, there have been multiple attempts at it.

Using IPSec to improve security

Thanks to Silverstr for the pointer (no trackback?) to "HOWTO: Secure Network Server with Windows IPSec". The theory is sound but the insistence on the Microsoft version scares me a bit because of the usual "embrace & extend" practice of our favorite vendor. In any case, it's a good practice.

But what's it used for?

I play with a lot of RSS stuff. I still don't understand what Mailbucket is but it looks interesting.

Friday, October 3, 2003

Thursday, October 2, 2003

Linux Security Guide

Search Enterprise Linux has an online guide called "Linux Security Learning Guide" which teaches the basics of Linux security.

A good read even if you don't have or even plan to have a Linux system.

Installing plugins in Mozilla/Galeon

I consider this one valuable as I'm always futzing the install.

Ed Halley has written a collection of Red Hat Configuration HowTo's which includes one which explains how to get Java properly installed under Mozilla and Galeon.

And if you look closely at the options at the top, there's a link to getting Flash installed properly too.

Faster booting

IBM has an article which explains how to improve the booting time for Linux. Basically, it requires a review of what's going on in your boot scripts and paralleling anything that doesn't have to wait for other services to start.

A good read, especially if you're interested in what goes on in your start scripts.

Wednesday, October 1, 2003

The night of a thousand (okay, three) vents

Maybe it's because I had a Monday today (it's Tuesday). Maybe it's because normally conflictive people were suddenly very cooperative this morning, causing me to have a very odd day. Maybe it's hormonal, but I feel the need to vent so here's three that set me off today...

Uh, sorry?

Inbred operating systems

Dan Geer was right! Any monolithic culture is inherently doomed to suffer its own inbred shortcomings, whether we're talking about Appalachian hillfolk (I is one, BTW) (remind me to tell you about two sisters who have to go through life saying, "this is my brother joat, this is my other brother joat" (names changed to protect my half-brother joat)), operating systems in a network, or programs. All of those homogeneous environments run the risk of a single vulnerability taking out the entire eco-culture, whether it be a bad gene or malicious code.

Unfortunately, the human condition is predisposed to creating these environments. People tend to take the path of least resistance. Why trouble to "see the world" when you can marry "the girl next door"? It's easier to run the same operating system on your firewalls as you do on your workstations. It's easier to train your users to run the same word processor, whether it's unfriendly to every other WP or not.

@stake, whose origins were not exactly related to a business plan, "sold out" (IMO <-- for those litigious natures) long ago. Mr. Geer was fired because his opinions conflicted with someone in charge. (Hint: Companies don't have opinions. People do. He was fired because he angered someone with the power to do so.) (I hope he sues because he was expressing concerns about a security issue while being employed by a company which specializes in security.)

And before you put me down as being anti-MS, let me state that I'm not. Rather, list me as a member of the "the best tool for the job" crowd. If you're running MS on your desktops, you'd better be running some version of commercial Unix on your firewalls and some other version of *nix on your NOC equipment. The larger your customer base is, the more important this is. Diverse network equipment, while requiring a wider talent-base (read that as $$), is more resistant to inbreeding and failure in the long run.

[Oh and, yes, you can put me down as implying that point-and-click administrators have narrow family trees. Eventually it leads to "Hey, what's this button do?" and "Hey, watch this!" (Which leads to family-hour comedy shows. But that's another story.)]

Note: Philip Greenspun has a post on the same topic. I'm especially entertained that "ass ugly" is a logarithmic (Gaussian) scale and that the majority of system cases are a .05 deviation. [I wonder if he ever saw the attempt to sell cube-balanced-on-a-corner systems to self-styled power geeks [okay, posers!] (circa 1998).]

Don't make up your own definitions!

This is a ComputerWorld article about the "layered defense" model failing when exposed to the Welchia worm. Total bullsh*t, of course.

How do you prevent your network from getting the Welchia worm a month after the patch is issued? INSTALL THE PATCH, DAMMIT!

Using "we're safe, we have a firewall" as a network defense either means you're severely deluded or you have no users on your network. And any previous reference you've made to "defense in depth" or having a secure network compounds your problem, making you look like an *ss.

Forgotten techniques?

Please tell me that these are journalists who have forgotten (or are too young to have known) "war dialing".

Why do I have this near-irresistible urge to go into my point-and-click administrators rant? Or to tie someone to a chair and force them to watch "War Games" in an unending loop?