Wednesday, December 31, 2003

Wiki entries

Added a few entries to the Security portion of the Wiki.

Pity this guy?

Does anyone feel sorry that Alan now has to spend money to build an actual opt-out server?

Put me on the not list as I receive 20-30 legitimate messages per day which makes up less than 10% of the total volume. Thanks to various people for writing Procmail, SpamAssassin, SpamBayes, and various virus scanners.

Scraped from Slashdot.

Tuesday, December 30, 2003

OpenSSL and FIPS 140

This is a cool development, as OpenSSL is behind most *nix-based Apache servers (the ones using HTTPS, that is), SSH, and a variety of VPNs. Nice to see open source code getting tested and certified.

Thanks to SilverStr for the pointer!

Monday, December 29, 2003


I don't think the term "'pooning" will ever catch on (too much 60's era sexual connotation?), but I do like Jim Moore's description of the piggy-backing on someone else's fame (or verbosity). It's very similar to what the blog spammers are doing: getting higher search engine ratings by "pooning" onto other websites "in the stream".

Oh, and BTW, I have a copy of the book on my shelf.

Sunday, December 28, 2003

VLAN Insecurity

Odd how these things pop up around the time I get to talk about them at work. Bowulf has a pointer to a discussion about VLAN Insecurity.

I said it before and I'll say it again here: VLANs are a network traffic management tool, NOT a security tool!!!

Saturday, December 27, 2003


From Jeremy's linkblog:

Includes a howto and a listing of required hardware/software.

Friday, December 26, 2003

No Op

I've been offline for a few days, rebuilding my home system. One of my Christmas presents was a new hard drive, which I seriously needed. The previous 6 year-old drive would no longer boot into windows. Luckily it would still boot into *nix's so I didn't lose that much data. (I did suffer from a prolonged "Generals" withdrawal, though.)

Anyways, I've backfilled the last few days and will settle down to work on a serious back-log of posts.

Merry Christmas, y'all!

Thursday, December 25, 2003

The Achilles heel to most networks

Bowulf recently blogged "Weak auditing and monitoring - the Achilles heel to most networks" which was about a VUNet article which discussed the common practice of ignoring your logs unless you're trying to backtrack an incident.

I agree with Bowulf, at least in part. You also have to have logging enabled. If you're working in a NOC, that also means router logs (that's syslog servers, not the dinky space for logging in router memory!). For those networks which aren't allowed to enforce a decent firewall policy, you also need to log high-port to high-port traffic, which is where most of your shady stuff (unauthorized/covert channels, P2P, backdoors, etc.) happens.

I disagree with Bowulf in that logging isn't the sole action you need to take. Closely related to logging is taking and maintaining metrics. Good metrics support the cliche "a picture is worth a thousand words". If you're watching your network metrics, you learn to recognize "normal" network activity and "abnormal" network activity.

One example of this is e-mail metrics. You cannot read every message that passes through your mail servers. However, if you graph your metrics properly, you should be able to recognize the spread of a new virus within 5-15 minutes of the initial spread (depending on how often your graphs are updated). While it won't block the new infection (usually nothing will), it does allow you to react quickly enough to minimize the damage and protect the rest of your network.

Maybe a good rule-of-thumb is to maintain metrics on your normal traffic (web, email, etc.) and regularly filter your logs for the abnormal traffic?
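The e-mail metric described above, as an added example that is not part of the original post: delivery lines from a mail log are counted per five-minute interval and any interval that stands well above the median of the others is flagged, which is the shape a new mass-mailing worm makes on a graph long before anyone has read a message. The log lines are constructed in a Postfix-like format, the year (syslog timestamps carry none) and the two thresholds are assumptions, and the bucketing logic is mine, not any monitoring product's.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed Postfix-style delivery records (not real traffic).
def _line(ts, qid, rcpt, status="sent"):
    return f"{ts} mx1 postfix/smtp[{qid}]: {qid:06X}: to=<{rcpt}>, status={status}"

SAMPLE_LOG = [
    # A non-delivery line: the parser must skip it rather than count it.
    "Dec 25 09:00:05 mx1 postfix/smtpd[99]: connect from relay.example.org[192.0.2.10]",
    _line("Dec 25 09:00:12", 0x101, "a@example.org"),
    _line("Dec 25 09:02:40", 0x102, "b@example.org"),
    _line("Dec 25 09:05:03", 0x103, "c@example.org"),
    _line("Dec 25 09:05:44", 0x104, "d@example.org", status="bounced"),
    _line("Dec 25 09:10:15", 0x105, "e@example.org"),
    _line("Dec 25 09:12:01", 0x106, "f@example.org"),
    _line("Dec 25 09:15:33", 0x107, "g@example.org"),
    _line("Dec 25 09:15:34", 0x108, "h@example.org"),
    _line("Dec 25 09:15:35", 0x109, "i@example.org"),
    # A burst of 14 deliveries within seconds: the signature of a mailing worm.
] + [_line(f"Dec 25 09:16:{s:02d}", 0x200 + s, f"victim{s}@example.net") for s in range(14)]

# Matches one delivery-status record; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S+: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, status=(?P<status>\w+)"
)


def bucket_counts(lines, interval_minutes=5, year=2003):
    """Count delivery records per interval, keyed by the interval start
    as 'Mon DD HH:MM'. Classic syslog has no year, so one is assumed."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = re.sub(r" +", " ", m.group("ts"))  # collapse the day-padding space
        dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        start = dt.replace(minute=dt.minute - dt.minute % interval_minutes, second=0)
        counts[start.strftime("%b %d %H:%M")] += 1
    return counts


def flag_spikes(counts, factor=3.0, min_count=10):
    """Return interval keys whose count is at least min_count AND at least
    factor times the median of all intervals. The median is a robust baseline:
    a single burst barely moves it, whereas it would drag a mean upward.
    Both thresholds are assumptions to be tuned against a site's own graphs."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(k for k, n in counts.items() if n >= min_count and n >= factor * baseline)


if __name__ == "__main__":
    c = bucket_counts(SAMPLE_LOG)
    for k in sorted(c):
        print(f"{k}  {'#' * c[k]} ({c[k]})")
    print("spikes:", flag_spikes(c))
```

Run stand-alone it prints a text histogram with the 09:15 interval at 17 messages against a baseline of 2, and lists that interval as the spike; on a real server the same counts would feed whatever graphing tool produces the pictures the post recommends watching.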


Wednesday, December 24, 2003

IE bug used in scam

A little while ago, I blogged about the IE bug. It's use has now been noted in a Visa scam.

Tuesday, December 23, 2003

No op

Just noticed that that's two posts with trackback URL's to the Lost Olive that have failed to register. Looks like I'm gonna have the hood up on this thing over the long weekend.

Apologies to Kevin for the missed links.

Jabber XCP review

Kevin, over at The Lost Olive, has a pointer to a SysAdmin review of Jabber XCP.

Jabber's XML-based communications have been around for quite awhile. The protocol is open source and there are quite a few tools to work with it. At one point, I'd even adapted it to send Instant Messages to all NOC personnel if a router interface or a service went down.

InfoSec Pubs

Okay, I'm not shy about reciprocal blogging: Kevin added a list of InfoSec pubs to go with the recently blogged Firewall FAQ.

Monday, December 22, 2003

Another Day in the Life of...

Ooh... The security monkey is back! He's posted The Case of the Heartless Husband - Part 1.

Okay, so I'm descended from a long line of soap addicts.


I've been spending the last few days playing around with Blosxom. I've been experimenting with various blogs and wikis and seem to like Blosxom the most. Notice that I didn't mention MT? The reason is that it's for a business and the licensing fee is a bit high for the moment. My personal preference among the ones I've tried (at least 10 so far) is Blosxom, followed closely by Drupal.

Got any favorites you want to suggest for a *nix-based server?

Sunday, December 21, 2003

More Online Learning

More online learning sites.

Firewall FAQ

Robert Graham has been involved with network security for years. One of the nice things about his site is that he is very prolific about posting items on his website. For example: the Firewall Forensics FAQ.

Saturday, December 20, 2003


Kevin posted about the Freenet Project. Like all other tools, it's a good tool for end-users, a nightmare for you if you're responsible for a business network.

Friday, December 19, 2003

DCE RPC Vulnerabilities New Attack Vectors Analysis

HNS has a paper entitled "DCE RPC Vulnerabilities New Attack Vectors Analysis" which describes how the RPC vulnerabilities might be combined to form an even worse worm.


Okay, I'll admit to scraping it from Slashdot.

Freep has an article about what your high-tech kids put up with in school.

Banking Scam Revealed

These people went the extra mile in backtracking spam-based fraud and discovered a criminal enterprise.

Thursday, December 18, 2003

NIST posts security control guidelines for comment

There's still about six weeks left to make comment to the proposed standards for "Minimum Security Controls for Federal Information Systems" (re: the Federal Information Systems Management Act [FISMA]). Get to it by clicking through "NIST posts security control guidelines for comment".

Data Forensics

Linux Security has a decent article on "data forensics".

Uh Oh II

Oh... My... Gawd!

If you get the joke, get your d*mn browser fixed!

Tuesday, December 16, 2003

How not to program in PHP

Linux Security has an article entitled "How Not to Program in PHP" which discusses the need for filtering user input.

Hint: ignoring this while programming allows cross-site scripting and SQL injection. Not a good thing.
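The article's point in working code, as an added example that is not from the article or from Linux Security: the string-built query that a hostile input turns into a different query, beside the parameterized form that binds the input as a value; an allow-list check on the input itself; and output encoding so that markup typed into a form is displayed rather than executed in the browser. Python with the standard-library sqlite3 module stands in for PHP here so the example runs anywhere, and the table and its two rows are constructed.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory user table (sample rows, not from the article)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return con


def lookup_unsafe(con, name):
    """The 'how not to' form: the input is pasted into the SQL text, so quote
    characters in it change the statement instead of being matched as data."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    rows = con.execute("SELECT name, email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(name):
    """Allow-list filter: reject anything that is not a plain account name.
    Filtering the input is defence in depth on top of parameterization,
    not a substitute for it."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


def render_greeting(name):
    """Output encoding for an HTML context: <, >, & and quotes become entities,
    so a name containing markup is shown literally instead of run as script."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    con = make_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(con, hostile))   # every user comes back
    print("safe:  ", lookup_safe(con, hostile))     # no user is literally named that
    print(render_greeting("<script>alert(1)</script>"))
```

The unsafe lookup returns both rows for an input that names no user, because the quote in the input closes the string literal and the rest becomes part of the WHERE clause; the parameterized lookup returns nothing for the same input. The same three measures (bind parameters, allow-list the input, encode on output) are exactly what the PHP article asks for, whichever language the page is written in.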

Outlook mebbe-funny

Evidently this requires a bit of work to be funny. Sent it to three of my coworkers and had to point the "jab" out. Seems that most people focus on the body of the message and ignore all else.

PostScript Tutorial

Found this Postscript tutorial while perusing Life in Postscript to which I'd followed a link from TaoSecurity.

Monday, December 15, 2003

Microsoft releases network port info

SilverStr almost always has pointers to good stuff. This one is no different: Microsoft has released a list of ports used by its various software.

Help Net Security - Attacking the DNS Protocol

HNS has a pointer to a paper which explains various attacks on the DNS protocol.

ADS's (not ad's)

CarvDawg has a paper out on alternate data streams in NTFS entitled "The Dark Side of NTFS" which gives the basic theory behind (and how to create/detect) ADS's.

Sunday, December 14, 2003

The Anatomy of Cross Site Scripting

SilverStr has a pointer to a paper entitled "The Anatomy of Cross Site Scripting" which explains the basic theory.

Stubborn Ignorance

Yep! Another rant. This one is about the Internet... errr... a portion of the Internet. Specifically, those who built their corner of the virtual world while ignoring RFC's.

RFC's are the agreed upon standards by which the "community" is defined. Think of it as the charter for your local government. Protocols (languages) are agreed upon. Responsibilities are defined.

One shortcoming is that there is no requirement to comply. This allows organizations and individuals to do horrible, aggressive and/or stupid things via the Internet without reprisal. Examples: long distance Outlook-Exchange connections, MS's perversion of the Kerberos protocol, long distance NetBIOS, long distance Telnet/FTP/POP3/IMAP, just about any proprietary encryption scheme, and 90% of the e-mail domains.

For the Internet-based violations, here's a site called "RFC Ignorant", which tracks the stubbornly ignorant.

The Art of Unix Programming

Eric Raymond has made available an online version of "The Art of Unix Programming".

Saturday, December 13, 2003

More celebrity teaching...

Last week I blogged about Britney Spears' Guide to Semi-Conductor Physics. There's more celebrities teaching Cisco-related stuff over at RouterGod.

Help Net Security - Attacking the DNS Protocol

HelpNet Security has an article about "Attacking the DNS Protocol". It has a few cosmetic errors but, all-in-all, gives a good description about the DNS service and attacks against it.

Thursday, December 11, 2003

Wednesday, December 10, 2003

Tuesday, December 9, 2003


For better or worse, I've declared the FWTK paper done. Barring small changes to correct errors, consider it in its final form.

For those new to the game, FWTK is the Firewall Toolkit, one of the first application proxies written 20 years ago. Amazingly, it's still usable. Combining it with other technologies (SOCKS, ipfw, iptables, Squid, other proxies/packet filters) allows you to build a workable firewall for just about any *nix flavor, including a Mac version.

If you care to read it, click on the Wiki link above and scroll down to the Security section. Let me know what you think?

Monday, December 8, 2003

Anonymous Blogging

It was bound to happen. We've got anonymous e-mail forwarding and anonymous Usenet posting. Now we have anonymous blogging, this instance using GPG and the MixMaster anonymous e-mailer network.

Early Warning!!: If you manage a corporate network, you may want to consider blocking this, both for sending (if it's possible) and for reading. There are some pretty unsavory blogs over there (people abusing the service mostly). The hosts state in their FAQ that if they receive a court order, they will turn you in if you're doing something illegal.

Saturday, December 6, 2003

Am not! Are to!

I've lost a "fanboy" from being too abusive?

It seems that beaumonday thinks I pick on Microsoft too much. Actually, if you read REAL close, I pick on everyone who thinks that any one operating system is the way to go. (Do I need to repost my point-and-click administrator rant again?) I'm a firm believer in the-best-tool-for-the-job and know-the-technology-behind-the-gui.

I provide a lengthy response.

Just so I can alienate everyone and level the playing field, out of the box:
  • Microsoft Windows is insecure
  • Linux is insecure
  • Unix (SunOS, BSD, Irix, AIX, Xenix, etc) is insecure
  • Cisco/Foundry/Bay/etc. is insecure
  • Novell has problems (actually, they had the highest rating by the gov't prior to adding in IP capabilities)
  • and the OS that you may be writing has *SERIOUS* problems.

However, when used in conjunction, they can provide a very secure network for your users.

Lotsa Links

There's tons of forensic evidence links at

Friday, December 5, 2003

Spidering hacks

Raelity Bytes has a link to some pretty cool spidering hacks.

E tu Brute?

Expect intellectual property law suits from Microsoft soon.

So, did the stock purchase include training on how to sue for money? Probably not but this sort of thing can turn nasty and unproductive.

Thursday, December 4, 2003

Free education

Not sure where I found this originally but there's a lot of good stuff to dig out of it: "Free Computer & IT Training and Tutorials". On their main page, you can sign up for their newsletter so that you can be notified when new stuff is discovered.

Wednesday, December 3, 2003

Britney Spears' Guide to Semi-conductor Physics

Think this woman is capable of teaching you anything?
How about semi-conductor physics? (Yet another attempt by those-with-too-much-time-on-their-hands to use sex to teach the less-willing-to-learn.)
But it's funny anyways. The "Booble" search engine is interesting also. (Hint: click on the "Search Britney Space" radio button)

Tuesday, December 2, 2003