Friday, December 31, 2004
Thursday, December 30, 2004
is a site discussing basic web proxy theory. An interesting part near
the end discusses "chaining" of proxies so that each department in an
organization can maintain its own usage policy while the organization
can impose its own set of rules. This effectively "chains" or
aggregates usage policies.
Wednesday, December 29, 2004
Tuesday, December 28, 2004
Monday, December 27, 2004
Sunday, December 26, 2004
Saturday, December 25, 2004
Friday, December 24, 2004
following week. Today is an exception, for obvious reasons. I have
gifts to wrap, dishes to wash, animals to feed. Somehow I have to
figure out how to sneak my son's and his girlfriend's presents into the
house (past them). HBO is running Carnivale again this coming week so I
have to find time to set up the record schedule. You get the idea.
In any case, blogging
this week may be a little erratic. Here's today's...
IBM has an article about building clusters with custom Knoppix CDs (http://www-106.ibm.com/developerworks/linux/library/l-clustknop.html?ca=dgr-lnxw06ClusterKnop). Knoppix seems to be one of those tools that finds its way into everything. Since our appliances will soon have their own IPv6 addresses, what's next? Washing Machine Knoppix? Fish Tank Knoppix? Lawn Mower Knoppix?
Don't laugh! Mix in a little wireless or
broadband-over-power-line and it's not that much of a stretch.
Thursday, December 23, 2004
paper which discusses "session riding", which appears to amount to hijacking a user's access or data by getting the user's own browser or mail client to send a request the attacker crafted. One delivery method is crafted instructions in HTML e-mail: when the user's e-mail client loads the HTML, the request goes out carrying the user's cookies and the target site treats it as the user's own action.
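The mechanism above, as an added example that is not part of the paper or this blog: a toy "transfer" endpoint authenticated by cookie alone falls to a request the mail client was tricked into sending, while the same endpoint with a per-session token that only the bank's own page can supply refuses it. The bank, endpoint names, session ids and balances are all constructed for the illustration.

```python
"""Session riding (CSRF) through an HTML mail client: vulnerable vs. hardened.

Added example, not code from the paper or from this blog. The bank, its
endpoint, the session-id/token handling and the balances are constructed.
"""
import secrets


class BankApp:
    """Toy server state: cookie-keyed sessions and per-user balances."""

    def __init__(self):
        self.sessions = {}                      # sid -> {"user", "csrf"}
        self.balances = {"alice": 1000, "mallory": 0}

    def login(self, user):
        """Issue a session cookie and a per-session anti-CSRF secret."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def transfer_vulnerable(self, request):
        """Authenticates by cookie alone: any request the victim's browser
        or mail client is tricked into sending looks exactly like hers."""
        sess = self.sessions.get(request["cookies"].get("sid"))
        if sess is None:
            return 401
        self._move(sess["user"], request["params"]["to"],
                   int(request["params"]["amount"]))
        return 200

    def transfer_hardened(self, request):
        """Same cookie check, plus a secret that only the bank's own page
        (not an attacker's e-mail) could have placed in the request."""
        sess = self.sessions.get(request["cookies"].get("sid"))
        if sess is None:
            return 401
        token = request["params"].get("csrf", "")
        # Constant-time comparison; a missing or wrong token is refused.
        if not secrets.compare_digest(token, sess["csrf"]):
            return 403
        self._move(sess["user"], request["params"]["to"],
                   int(request["params"]["amount"]))
        return 200

    def _move(self, src, dst, amount):
        if dst not in self.balances or self.balances[src] < amount:
            raise ValueError("transfer rejected")
        self.balances[src] -= amount
        self.balances[dst] += amount


def run_scenario():
    """Replay one forged request against both handlers, then a legitimate one."""
    app = BankApp()
    sid = app.login("alice")   # Alice is logged in to the bank in her browser

    # The forged request. Alice's mail client rendered attacker HTML such as
    # <img src="https://bank.example/transfer?to=mallory&amount=500">.
    # The client attaches Alice's cookie on its own; the attacker never saw
    # her csrf token, so the request cannot carry it.
    forged = {"cookies": {"sid": sid},
              "params": {"to": "mallory", "amount": "500"}}

    results = {}
    results["vulnerable"] = app.transfer_vulnerable(forged)
    results["after_vulnerable"] = app.balances["alice"]   # money gone
    results["hardened"] = app.transfer_hardened(forged)
    results["after_hardened"] = app.balances["alice"]     # unchanged

    # A real transfer submitted from the bank's own form carries the token.
    legit = {"cookies": {"sid": sid},
             "params": {"to": "mallory", "amount": "100",
                        "csrf": app.sessions[sid]["csrf"]}}
    results["legit"] = app.transfer_hardened(legit)
    results["final"] = app.balances["alice"]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:18} {value}")
```

The token has to live somewhere the attacker's HTML cannot read it (the page body, not a cookie), which is why the cookie alone is not proof of intent.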
Wednesday, December 22, 2004
Tuesday, December 21, 2004
stated that they've switched virus scanners to "provide a safer online experience for consumers". Considering that it's probably more of a financial issue or a programming difficulty (e.g., can't interface the scanner with the webmail), it's a bad choice of words for the supposed cause.
We may see a lawsuit because a corporation has taken a public position on the quality of a competitor's product (remember, Microsoft purchased two companies last year for this purpose). It's one thing to say your own product is better than everyone else's. It's another to say (or directly imply) that a competitor's product is crap. Without proof,
Monday, December 20, 2004
Sunday, December 19, 2004
of a two-part series on the current problems with WiFi encryption. The focus is on WEP but it does touch on other topics.
One thing to keep in mind: if WEP is the best you have, it's better than nothing, and overall WEP security can be improved via basic practices such as periodically changing keys (rotation limits how much traffic an attacker can collect under any one key; it does not fix WEP's underlying weaknesses).
Saturday, December 18, 2004
Friday, December 17, 2004
Thursday, December 16, 2004
In the process, I usually hit Google also. In trying to figure out "You_are_dismissed.com" (it's Bagle.Ap) I found tasklist.org. It appears to be a really good source for identifying unknown (unauthorized) processes.
Wednesday, December 15, 2004
Tuesday, December 14, 2004
Monday, December 13, 2004
Sunday, December 12, 2004
Saturday, December 11, 2004
|Each assessment shall be prepared by a person as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.|
Prediction: You'll see the quals thing get out of hand, even some fakery/foolery that will require either tighter control of quals or the government will create their own quals requirements.
Stand by for an industry shift!
Friday, December 10, 2004
For you conspiracy types, it proves that there were dark forces behind that TV show. Hacking with Ramzi is really, really bad.
Thursday, December 9, 2004
I'm addicted to the potato soup, which I'm not supposed to have due to its content. I don't have the recipe for it (hope to though) but it contains what looks like small bits of pot roast, potato slices, and spaetzle in a clear beef broth. Occasionally, another veggie may make a cameo appearance but the base recipe is delicious. Anything with spaetzle can't be all that bad, right?
If you can find someone who makes good spaetzle, heifering, and dumpfnodle hire 'em, marry 'em, or otherwise move in with them. Same goes for lumpia and pansit. And before you food vacuums at 757 ask, mine's only passable so you ain't moving in with me.
Apologies for the spelling.
Wednesday, December 8, 2004
Tuesday, December 7, 2004
Monday, December 6, 2004
Sunday, December 5, 2004
Saturday, December 4, 2004
, work on comment titles, and generally get back to tweaking the site. Are there any features that you'd like to see?
I'm considering dumping the Blogroll and replacing it with a links list or putting a "recent comments" frame there.
Thursday, December 2, 2004
What kind of person (that's the nice version) thinks it's important to post their Winamp-generated playlist to the Internet? (Hint: there's quite a few of them.)
I went shopping for an album, containing a Christmas song that I've not heard in fifteen years by Kevin Bloody Wilson (Hey Santa Claus...). It was amazing, the number of fake sites and playlist sites that I had to wade through before finding a legit site offering Kevin's albums.
Maybe I should write one?
living next door to spammers
Wednesday, December 1, 2004
Tuesday, November 30, 2004
Monday, November 29, 2004
I feel that one of the reasons that RSS became so popular was that it allowed readers to avoid all the extra fluff on a website and get right to the content, thereby increasing the amount of content you can read in a day. Inserting advertisements into those feeds dilutes the value of the content. If, like in some low traffic feeds, the advertisements out-number the actual posts, it can become a justifiable reason to unsubscribe from the feed. I think that many content providers are going to have to learn the hard way that social media (as bloggers are sometimes called)(as opposed to mainstream media) allows for very fickle readers. Contrary to what most content providers think about themselves, very few feed sources are "valuable" enough to be able to keep their subscription levels while annoying their readers at the same time.
In any case, how long before someone writes an aggregator that filters advertisements? Do we really have to join that arms race?
Sunday, November 28, 2004
Anyways, the book looks like it's worth the $$.
Saturday, November 27, 2004
I think it's one of the reasons why the classes in Chesapeake are so enjoyable. Everyone has the Internet "right there" and usually anyone can hijack the class for a few minutes with a semi-related bit of information. The instructor has to have one of those personalities and be able to herd cats (there IS a learning plan to follow). Some students find it frustrating, others find it just outright odd, but a working knowledge of Google or Yahoo syntax does help with some of the verbal references thrown out during conversations (quick quiz: Who said, "Help me Mr. Wizard! I don't want to be a ..." ).
Friday, November 26, 2004
Do what you want with the list.
I don't have that previous paragraph worded the way I'd like it to be but you get the idea.
Thoughts for articles/papers (feel free to borrow):
- networks that adapt to a new threat faster have a better survival rate
- the need for adaptive technologies to fight security threats (even if it's the ability to script "in the middle")
- the need for trained personnel to use those adaptive technologies
- what technologies still need adaptive capabilities
Thursday, November 25, 2004
Wednesday, November 24, 2004
Tuesday, November 23, 2004
Monday, November 22, 2004
Sunday, November 21, 2004
...and the arms race continues...
Subject: [Full-Disclosure] Why is IRC still around?
Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:
1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
2) A considerable amount of "script kiddies" originate and grow through IRC?
3) A wee bit of software piracy occurs?
4) That many organized DoS attacks through PC zombies are initiated through IRC?
5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?
The list goes on and on...
Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC?
What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?
The following posts quickly degraded into a flame war and name-calling contest. I find the discussion offensive mostly for the implied logic behind it. (It's included in the name calling contest.) One reader summed my opinion up in a short well-worded sentence: Who is 'we' and what makes you think anyone cares what you 'sunset'?
This is the same mentality as that behind my MCSE rant (and before this gets too far, it was a specific MCSE that I was ranting about, not all of them). There's a certain logic used by some of the n00b MCSE's whose only network training amounts to what they learned out of the MCSE book. Contrary to what MS would like you to believe, the Internet is still a very insecure, dangerous "place" with little or no control. The logic that any "we" can force the suspension of a protocol for any reason gives me a headache. The poster actually assumes that there is a man behind the curtain pulling the levers and ropes.
You can read the list via the Checksum archive.
It's interacting with that type of people that got me blacklisted by my grandmother's church in my early 20's. The short version of the story amounts to a short discussion between a picketer and myself, in front of the only convenience store open at 6:30 a.m. in a three county area. Him: "Don't go in there! They sell Playboys!" Me: "They sell coffee in there."
(Yeah, I grew up in a very small town.)
The bad news is that the IDA Pro people have taken down their free download due to excessive traffic.
Saturday, November 20, 2004
Friday, November 19, 2004
Let the politics begin!
Thursday, November 18, 2004
Wednesday, November 17, 2004
Tuesday, November 16, 2004
Monday, November 15, 2004
Sunday, November 14, 2004
name: video chat
date: 11/13/2004 07:06:27
title: video chat
comment: Why was my previous comment deleted? How about freedom of speech?
My son learned the answer to that question at the dinner table, when he was 12. The answer? "I'm not the Federal government. So sit down and shut up."
Mebbe we should give lessons in U.S. law to overseas spammers so they don't sound so f*cking stupid when they ask questions? If there's any question, I did munge the url a bit to prevent him from getting any points with the search engines.
In answer to the first part of the spammer's question, it was deleted because it had absolutely nothing to do with the post it was attached to. Chingate cabron!
Maybe I'm just used to living in areas where being boneheaded in public is considered a form of entertainment (HI, NYS, SOVA)?
Saturday, November 13, 2004
While it may be true that the law blocks the growth of that industry, I'm not so sure that passing the law damaged the economy. Rather, the law made online gambling within the U.S. illegal, forcing the sites to move out of the country, thereby creating the economy that is supposedly now endangered.
It should prove interesting what comes out of this and the upcoming attempt by the U.N. to "govern" the Internet, not only for the U.S. but for any country who'll have to give up sovereignty to participate. (Example: some of the things that I talk about here are illegal in Europe but inane here in the U.S.)
Friday, November 12, 2004
Thursday, November 11, 2004
Wednesday, November 10, 2004
Of course the usual obfuscators showed up within the first few comment posts. And the usual conspiracy freaks. According to one of them, you can recover files via a one-to-one bit copy even after the original had been overwritten ten times.
In an odd twist of timing, tonight's class worked with Helix to gather data from a running system. For those that don't know what it is, Helix is a Linux-based "live CD" that is also devoted to obtaining forensic data from live systems and making bit copies of storage devices. In addition to being a "live CD", you can also drop the CD into the drive on a running Windows system. "Autorun" will bring up an interface with a set of statically-compiled tools which allow you to perform various forensic functions (see the site for more info).
Tuesday, November 9, 2004
Monday, November 8, 2004
Note: to read or download the paper yourself, click on one of the links in the upper right-hand corner.
Most of the Internet's problem protocols are on that list. 'Bout the only thing missing is SMTP. I wonder why that's not on the list.
In any case, this should set the purists' (on both sides of the fence) teeth to grinding. Think of it, having to include a MS license with every *nix (Linux, Sun and *BSD) and MacOS distro.
I'm reminded of something my grandmother used to say: I can't see the good in it, in either direction.
Sunday, November 7, 2004
Saturday, November 6, 2004
Friday, November 5, 2004
- Partial Results from Prototype Testing Efforts for Disk Imaging Tools: SafeBack 2.0
- Test Results for Disk Imaging Tools: dd GNU fileutils 4.0.36, Provided with Red Hat Linux 7.1
- Test Results for Disk Imaging Tools: dd Provided with FreeBSD 4.4
- Test Results for Disk Imaging Tools: EnCase 3.20
- Test Results for Disk Imaging Tools: SafeBack 2.18
Thursday, November 4, 2004
If you're a musician/band from Southeast Virginia, be sure to list your band on Music.HRConnect. If you're not in a band and are just looking for a place to go, check out the venues/schedules on the site. You can even listen to some of the bands' MP3's.
Wednesday, November 3, 2004
According to the post, the presentations will be available for a limited time.
Tuesday, November 2, 2004
Monday, November 1, 2004
Also, does anyone make directional antennas for Bluetooth? Or is it even worth the trouble of performing periodic scans because even cell phones have an interface nowadays?
Thanks to Furrygoat for pointing out the site.
Sunday, October 31, 2004
Saturday, October 30, 2004
Friday, October 29, 2004
Thursday, October 28, 2004
Wednesday, October 27, 2004
Tuesday, October 26, 2004
Monday, October 25, 2004
Sunday, October 24, 2004
A lot of the issue centers around intent, something which often involves the court in determining. It's what Mr. Kabay's article is trying to avoid having to do.
If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!!
The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and it's justifiable to pass out the pitchforks and torches and head towards the castle.
A friend (hi Steve!) has a much better one: Ita bardus plector.
Saturday, October 23, 2004
Because of this, today I'm venting about "firewalls" and "security".
"Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old Layer 3/4 vs. Layer 7 argument vent again!) A proper firewall involves a bastion host (the hardware, software and services stripped to the bare minimum needed to function and then configured to run in a specific manner) running very specific services which provide the maximum possible control over the protocols and services that your users (via management) cannot live without.
As a general rule of thumb for deciding how to handle a request for a protocol:
- disallow the protocol
- if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
- if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IP's and the directions that the requests can be made and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible
That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023). Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OS's or firewall programs that "leak").
You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.
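The source-port-80 trick from the rule of thumb above, worked through as an added example (not code from the original post): a two-rule Layer 3/4 ACL that admits "replies" from port 80 to inside high ports lets an attacker's probes through because the filter has no memory of which connections the inside hosts opened, while a filter that records the outbound SYN admits only real replies. The addresses, the 10.0.0.0/24 inside prefix and the probe pattern are constructed.

```python
"""Stateless port-based filtering vs. a stateful check.

Added example, not from the original post. Addresses, ports and the
attacker's probe pattern are constructed; the inside network is assumed
to be 10.0.0.0/24.
"""
from dataclasses import dataclass

INSIDE = "10.0.0."          # assumed inside prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_allows(pkt):
    """The classic two-rule 'allow web' ACL on a Layer 3/4 packet filter.

    Rule 1 lets inside hosts open connections to any web server.
    Rule 2 lets the server's replies back in: anything FROM port 80
    TO an inside high port. The filter keeps no memory of rule 1, so
    rule 2 is judged on the header fields alone."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return True
    if pkt.dst.startswith(INSIDE) and pkt.sport == 80 and pkt.dport > 1023:
        return True
    return False


class StatefulFilter:
    """Only admits an inbound packet that matches a connection an inside
    host actually opened; the table entry is created by the outbound SYN."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def allows(self, pkt):
        if (pkt.src.startswith(INSIDE) and pkt.dport == 80
                and pkt.syn and not pkt.ack):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt.dst.startswith(INSIDE) and key in self.table


def source_port_80_scan(allows, target="10.0.0.5", ports=range(1024, 1100)):
    """Attacker sets the source port to 80 and probes the target's high ports.
    Returns the ports whose probe the filter let through, i.e. what the
    attacker gets to map. SYN probes are used here; an 'established' ACL
    that only checks for the ACK bit falls to the same trick with ACK probes."""
    def probe(port):
        return Packet("198.51.100.9", 80, target, port, syn=True)
    return [p for p in ports if allows(probe(p))]


def legit_browsing(allows):
    """An inside host opens a web connection; the reply must be admitted."""
    out = Packet("10.0.0.5", 40000, "203.0.113.80", 80, syn=True)
    back = Packet("203.0.113.80", 80, "10.0.0.5", 40000, syn=True, ack=True)
    return allows(out), allows(back)


if __name__ == "__main__":
    print("stateless, ports mapped :", len(source_port_80_scan(stateless_allows)))
    sf = StatefulFilter()
    print("stateful,  ports mapped :", len(source_port_80_scan(sf.allows)))
    print("stateful, legit browsing:", legit_browsing(sf.allows))
```

Both filters pass the legitimate session; only the stateless one also passes every probe, which is exactly the "map your network from port 80" problem the list above warns about. A real stateful filter also ages entries out and checks sequence numbers; the table here is deliberately the bare minimum.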
This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk.
Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus, the need for federal legislatures to "step in".
Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards. However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections.
Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources have the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.)
The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide various administrative and investigative functions relating to information security. It's not that far of a jump for government to provide equivalent compliance testing and licensing functions.
Friday, October 22, 2004
Thursday, October 21, 2004
Wednesday, October 20, 2004
Tuesday, October 19, 2004
Monday, October 18, 2004
Sunday, October 17, 2004
access to any (that's ANY!) system, then you need to take a few precautions to help recover from a network compromise. The following are steps that we've learned in the open lab:
- Know the MAC address for the default gateway (have it written down)
- Know the hostname(s) and IP address(es) for your servers, especially your DNS and
- if you're done with a dangerous tool, delete it and the source code
- scan your systems, inside and out, before and after active analysis
- log and record as much as possible, no matter how silly it seems
Some of those are forensic measures but those first two are valuable bits of information if you're suddenly trying to figure out why the Google page suddenly reads "All your lookups are belong to us!"
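Those first two items put to use, as an added example that is not from the original post: a small check that compares the live ARP entry for the default gateway and the configured resolvers against the values you wrote down on a good day. The addresses, MACs and command output are constructed, and the `arp -n` line format assumed is the Linux net-tools one.

```python
"""Compare the live default-gateway MAC and resolver list against a baseline.

Added example, not from the original post. The addresses, MACs and the
command output below are constructed; the `arp -n` format assumed is the
Linux net-tools one ("192.168.1.1   ether   00:11:22:33:44:55   C   eth0").
"""
import re

# What you wrote down on a known-good day (constructed).
BASELINE = {
    "gateway": {"ip": "192.168.1.1", "mac": "00:11:22:33:44:55"},
    "resolvers": {"192.168.1.2", "192.168.1.3"},
}

ARP_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp(output):
    """`arp -n` output -> {ip: mac}; the header and incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_resolv(text):
    """/etc/resolv.conf -> set of nameserver addresses."""
    return {line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")}


def check(arp_output, resolv_text, baseline=BASELINE):
    """Return a list of findings; an empty list means everything matches."""
    findings = []
    arp = parse_arp(arp_output)
    gw = baseline["gateway"]
    seen = arp.get(gw["ip"])
    if seen is None:
        findings.append(f"gateway {gw['ip']} has no ARP entry")
    elif seen != gw["mac"].lower():
        findings.append(f"gateway MAC changed: {gw['mac']} -> {seen} "
                        "(ARP spoofing, or a swapped router?)")
    extra = parse_resolv(resolv_text) - baseline["resolvers"]
    if extra:
        findings.append(f"unexpected resolver(s): {sorted(extra)}")
    return findings


# Constructed sample output, as captured with `arp -n` and `cat /etc/resolv.conf`.
ARP_GOOD = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.2              ether   00:11:22:33:44:66   C                     eth0
"""
ARP_BAD = ARP_GOOD.replace("00:11:22:33:44:55", "de:ad:be:ef:00:01")
RESOLV_GOOD = "nameserver 192.168.1.2\nnameserver 192.168.1.3\n"
RESOLV_BAD = "nameserver 198.51.100.53\nnameserver 192.168.1.2\n"

if __name__ == "__main__":
    print("good:", check(ARP_GOOD, RESOLV_GOOD))
    print("bad: ", check(ARP_BAD, RESOLV_BAD))
```

A changed gateway MAC or a resolver you never configured is the quickest explanation for "All your lookups are belong to us", and the check only works if the baseline was recorded before the trouble started.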
Saturday, October 16, 2004
Friday, October 15, 2004
Thursday, October 14, 2004
my sleep patterns and I'm only now catching up. Probably explains the
grouchy post below too. Things should even out in the next few weeks
but Mondays and Wednesdays are still going to be 16-hour days.
subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent at http://www.cs.rochester.edu/~bukys/weblog/archives/2004/10/13.html#
I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time. This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an a-political organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or fact
Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?)
Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the
Wednesday, October 13, 2004
Tuesday, October 12, 2004
Monday, October 11, 2004
Sunday, October 10, 2004
Saturday, October 9, 2004
Rebuilt 4-year-old laptop with new version of Linux (and I didn't have
to patch/rebuild the wireless/power/pcmcia modules). Actually made it
thru 10 of the 17 houses at Homearama
2004. Absolutely loved the 3rd floor in one, the
kitchen in another, and the first floor in another. Unfortunately, I'll
never be able to afford any of them. Nice houses, but not worth what
they're asking for the houses.
Friday, October 8, 2004
Thursday, October 7, 2004
an online test to see if you can recognize phishing fraud without
looking at the source code. I assume it's an intellectual exercise as
the first thing you'd want to do is look at the source code. In real
life, you want to avoid HTML-based email and never ever click on a link
in e-mail. Type it by hand instead and only if you're sure what it is.
is an article on a topic that really frustrates me: removing the
perimeter. The author treats firewalls (and, for that matter, security)
as a single blackbox approach rather than as part of a layered process.
While the Internet and tech business may be driven by the "next cool
thing", security is not. It's based on well-defined processes and
practices. It will probably take a couple years but management should
eventually catch on (the hard way) and we'll go back to defense
Wednesday, October 6, 2004
process that hackers more or less take to break into systems. For those
of you that are considering using this process, consider that law
enforcement is getting better at tracking down hackers.
Also, some of
the data in that "howto" isn't exactly accurate. Example: l0pht is now
a commercial business with gov't ties. Example: cDc lost their "key
players" years ago and are now a forum for anti-government vents.
If you must hack, do it to your own systems. Learn what it takes to clean
up after a system has been broken. Learn how to locate the bad code.
Learn how to analyze the bad code. Start analyzing other people's
break-ins (search Google for "Scan of the Month"). Figure out where
your strengths are and shore up your weaknesses. Become an expert, not
Alternate Data Streams in NTFS
- LADS - List Alternate
Data Streams (freeware)
s (open source stream viewer from Sysinternals)
- Hidden Threat: Alternate Data Streams
- The DiamondCS Archive - NTFS Alternate Data Streams
- What Forensic Analysts should know about NT ALTERNATE DATA STREAMS (ADS)
- Info on ADS from Lavasoft (makers of AdAware)
- The Dark Side of NTFS (Microsoft's Scarlet Letter)
Tuesday, October 5, 2004
Monday, October 4, 2004
chapter from Defend IT: Security by Example. The chapter is
entitled "The Role of Computer Forensics in Stopping Executive
Fraud" and uses a case study to outline the process and highlight
some of the issues encountered in investigations. (via Forensic Focus)
here's one. If the MPAA earns $.02 per blank CDR because they might be
used for copying music, what right does the MPAA have to complain? If
someone can point me toward any legal opinions on the issue, it would be
appreciated. Also, since I've been burning logs and file backups to CDR
for almost a decade (I'm in an area where magnetic backups don't last
long) at the rate of 1 or 2 disks per day, is there any way I can get my
news article about how LURHQ provided expert witness to rebut a
defense's expert witness. Seems they'd left out a bit of information
about how spam can be bounced off of misconfigured systems. It's nice
to see the legal profession finally catching up. Our area only has one
technically trained lawyer and he is a very busy person.
Sunday, October 3, 2004
Saturday, October 2, 2004
one get passed. The only thing that it does is make life just a
little bit more inconvenient for us law-abiding types. Those that trade
files illegally will continue what they're doing. Requiring an e-mail
address to download mail has been done by the more prominent legitimate
sites (e.g.: MP3.com) all along.
Now it's law that everyone do it.
Anyone else "get" that California seems to think that they have jurisdiction
over technology and the Internet? Don't think so? Define "file
sharing". Poorly written laws tend to get enforced in extreme ways or
not at all.
The law is here. It doesn't say anything about P2P or any other specific manner of "file sharing". It only states that Californians have to disclose their email address when more than 10 people are involved. It doesn't say to whom they have to "disclose" an e-mail address to. Under that badly defined law, if a left coaster provides CC or GNU licensed matter on their website, they have to provide a legitimate e-mail address.
I wonder how spammers will react to a new vector for address collection.
Anti-Spyware Resources site, the following are links to articles
describing the symptoms of a spyware infection:
Journal: Symptoms of Spyware and Other Pests
Symptoms of Spyware
- PC Magazine:
11 Signs of Spyware
- SeriousVirusWarning.com: Adware and Spyware Symptoms
- Directory One: How To Check If Your Infected by Spyware
In the same list is a link to LI Utilities's Windows process
lists. A very good-to-have.
for DMZ security. What he's describing is ingress and egress filtering
for the DMZ.
Similarly, you want to tune your DMZ IDS in the same
way. You don't need specialized rules for MyDoom or SQL exploits if all
that's in your DMZ is a web server. Instead, turn on the signatures for
web exploits and create a signature or two to catch anything not
HTTP-based. Come to think of it, you're also going to see some DNS as
the server does name resolution on your visitors but, unless you're
running a DNS server in the DMZ, it will only be outbound queries.
point is that you should know what's needed for your DMZ to function,
you should know what "normal" traffic looks like (keep metrics!) and you
should configure your protections accordingly.
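The "know what's needed and alert on everything else" rule, as an added example that is not from the original post: a classifier that runs over flow records for a single-web-server DMZ, passes inbound 80/443 and outbound DNS to the designated resolver, and flags everything else. The host addresses and the one-line flow-record format are constructed.

```python
"""Whitelist what the DMZ web server needs; alert on everything else.

Added example, not from the original post. The addresses and the flow-record
format ("proto src:sport > dst:dport", one record per line) are constructed.
"""
import re

WEB = "203.0.113.10"      # the only host in this DMZ (assumed)
RESOLVER = "203.0.113.2"  # the resolver it is allowed to query (assumed)
FLOW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*>\s*(\S+):(\d+)$")


def parse_flow(line):
    """One flow record -> (proto, src, sport, dst, dport)."""
    m = FLOW.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow: {line!r}")
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport), dst, int(dport)


def classify(line):
    """'ok' for traffic the web server needs, otherwise an alert string."""
    proto, src, sport, dst, dport = parse_flow(line)
    # Inbound web: anyone -> server on 80/443.
    if proto == "tcp" and dst == WEB and dport in (80, 443):
        return "ok"
    # Outbound DNS: server -> its own resolver only, nothing else.
    if proto == "udp" and src == WEB and dst == RESOLVER and dport == 53:
        return "ok"
    if src == WEB:
        return f"alert: unexpected outbound {proto} from web server to {dst}:{dport}"
    return f"alert: unexpected inbound {proto} to {dst}:{dport} from {src}"


def scan(records):
    """Run every record through classify(); return (record, verdict) for alerts."""
    alerts = []
    for line in records.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict != "ok":
            alerts.append((line.strip(), verdict))
    return alerts


# Constructed flow records: two web hits, one DNS query, then an outbound
# connection to an IRC port, an inbound SQL Server probe, and a DNS query
# to a resolver that is not ours.
SAMPLE = """\
tcp 198.51.100.7:51233 > 203.0.113.10:80
tcp 198.51.100.8:41002 > 203.0.113.10:443
udp 203.0.113.10:33445 > 203.0.113.2:53
tcp 203.0.113.10:40112 > 198.51.100.9:6667
tcp 198.51.100.7:51240 > 203.0.113.10:1433
udp 203.0.113.10:33446 > 198.51.100.53:53
"""

if __name__ == "__main__":
    for record, verdict in scan(SAMPLE):
        print(f"{record:45} {verdict}")
```

Note that the web server initiating anything other than a DNS query is the interesting case: a compromised server talking out on port 6667 shows up here without needing a signature for whatever put it there.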
Friday, October 1, 2004
Thursday, September 30, 2004
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective.
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda.
What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port.
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was that XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat.
But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool.
To give proper credit, very little of
the above my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo.
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures.
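The "detect the exploit rather than the exploitation" approach, as an added example that is not from the original post and not one of the BleedingEdge or Snort rules: a JPEG marker walker that flags a COM (comment) segment whose 16-bit length field is below 2. This assumes the graphics-library flaw under discussion is the GDI+ JPEG comment-length bug (MS04-028), where the parser subtracts 2 from the length as an unsigned value, so a field of 0 or 1 wraps to a huge copy; the JPEG bytes below are constructed, not taken from any real exploit file.

```python
"""Flag JPEG files whose COM segment declares a length field below 2.

Added example, not from the original post or from any published IDS rule.
Assumes the bug under discussion is the GDI+ JPEG comment-length flaw
(MS04-028): the parser computes length - 2 as an unsigned value, so 0 or 1
wraps to an enormous copy length. All JPEG bytes here are constructed.
"""
import struct

COM, SOS, EOI = 0xFE, 0xDA, 0xD9
NO_LENGTH = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # SOI, EOI, TEM, RSTn
ENTROPY_ESCAPES = {0x00} | set(range(0xD0, 0xD8))          # FF00 stuffing, RSTn


def jpeg_segments(data):
    """Yield (marker, offset, length_field) for each marker in the file.
    length_field is None for markers that carry no length."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF or data[i + 1] == 0xFF:   # stray byte or fill byte
            i += 1
            continue
        marker = data[i + 1]
        if marker in NO_LENGTH:
            yield marker, i, None
            if marker == EOI:
                return
            i += 2
            continue
        if i + 4 > len(data):
            yield marker, i, None            # truncated length field
            return
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        yield marker, i, length
        # Never step backwards on a bogus length; length 2 means empty payload.
        i += 2 + max(length, 2)
        if marker == SOS:
            # Skip entropy-coded data up to the next real marker.
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] not in ENTROPY_ESCAPES):
                i += 1


def check_jpeg(data):
    """Return findings for COM segments whose length field is below 2."""
    findings = []
    for marker, off, length in jpeg_segments(data):
        if marker == COM and length is not None and length < 2:
            wrapped = (length - 2) & 0xFFFF   # 16-bit view of the underflow
            findings.append(f"COM at offset {off}: length field {length} < 2 "
                            f"(length-2 wraps to 0x{wrapped:04x})")
    return findings


def build_jpeg(com_length_field, comment=b"hi"):
    """Constructed minimal file: SOI, one COM segment, EOI.
    A well-formed COM declares 2 + len(comment)."""
    com = b"\xff\xfe" + struct.pack(">H", com_length_field) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"


if __name__ == "__main__":
    print("benign   :", check_jpeg(build_jpeg(4)))
    print("length 0 :", check_jpeg(build_jpeg(0)))
    print("length 1 :", check_jpeg(build_jpeg(1)))
```

Run over files pulled out of SMTP and HTTP streams, this keys on the malformed header that every variant has to carry, regardless of which port the reverse shell later connects to; it says nothing about what the payload does.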
Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLL's detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs.
Oh, and one last thing:
"Good luck! You're on your own!"
Wednesday, September 29, 2004
Tuesday, September 28, 2004
Monday, September 27, 2004
friend is having to deal with an infection:
post about 180solutions
- The Effect of
Warrior's comment on the above
- SecuriTeam analysis
- Other marketers complaints
- SeattlePI article
Also of interest is:
glued together an AIM-based NMap
This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out".
tool if it's yours, nasty if it "belongs" to someone else.
penalties for using false information for WHOIS records. (see Slashdot
This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records.
The current practice is to use a pseudonym for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know