Saturday, January 31, 2004

Free Posters

Microsoft is offering free security posters for download (print them yourself) or, for eligible orgs, hardcopy order.

Fix it now (or else)

News.com.com has an article about the FTC getting involved and sending "warning letters" to the administrators of various open relays and proxies. Other countries have sent similar letters to their citizens.

While it may not yet be "fix your stuff before we fix it for you," it may be the start of a trend of outside organizations requiring that you fix your networks.

More Fyodor on Nmap

I've still got a hefty backlog of feed data to wade through; this one is from a month ago....

Fyodor posted various bits to the Nmap Hackers mailing list. Topics include the legality of scanning and what amounts to the "full disclosure" issue.

Back

OBTW, I'm back. The visit to Charleston, while productive for my employer, was severely frustrating for me, as my favorite hotel STILL does not have Wifi. I like this hotel as they put serious effort into their upkeep and have a decent Triple-A discount. One new thing: directly across the street is a new (lower quality) hotel which offers free Wifi. I'm going to have a decision to make if I get sent down there again. Connecting to the Internet via my cell sucks, especially in that section of town, where something interrupts the cell signal every 30 seconds or so.

Anyways, I've backfilled yesterday's posts and have attacked the backlog of source data.

Friday, January 30, 2004

Will Google for Feeds

A little bored with the feeds your aggregator provides? Try a couple of Google tricks. If you want to look for security-related RSS feeds, try:

inurl:RSS security

or

filetype:rss security

Hint: blog feeds sometimes end in "xml" or "rdf" also. It all depends on what your aggregator will accept.

Finding WAP's with Nessus

More cool stuff found while digging for term paper info: "Using Nessus to Detect Wireless Access Points".

IPTables Tutorial

Here's a decent tutorial about IPTables. (Note: your browser needs to be able to recognize/handle compressed Postscript files.)

Thursday, January 29, 2004

Honeyd networks

Insecure.org has a post from Paladion Networks which discusses setting up Honeyd to simulate networks.

Honeypots site

Found "Tracking-Hackers.com". The site is mostly honeyd-related and includes links and papers on the topic.

Sniffing VLANs

HelpNet Security has a paper which discusses "Packet Sniffing on Layer 2 Switched Local Area Networks".

Let me reiterate: VLANs are a traffic management tool, NOT a security tool! A VLAN is just a tag the switch uses to decide which ports share a broadcast domain. It does nothing about ARP spoofing or MAC-table flooding inside that domain, and a misconfigured trunk port lets a host reach other VLANs entirely.

Hi from SC

Greetings from Charleston! I'm having to log in over my cell phone as I wasn't able to quickly find a hotel that offered Wifi. The end result is that while I can still post to the blog, it's severely slow, and the cell phone hangs up when it's not actively sending (after about 10 seconds of dead time), which, while I'm typing this, it's not. Between getting new posts up and troubleshooting another web server (bad host table), it pretty well shot the evening.

I promise the posts will get better after I've gotten back to my usual desk on Friday.

Wednesday, January 28, 2004

Amap

Nmap now has a feature (version detection) which allows it to figure out what service is actually running on a port, rather than assuming from the port number. Amap is a predecessor and (at this point) is still more capable at identifying a specific service. SANS has a pretty decent paper on the process. Even the bibliography for the paper is a source of interesting reading.
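The probe-and-match idea behind Amap and Nmap's version detection, as an added example written for this post (it is not code from Amap, Nmap or the SANS paper). The probe table, regexes and fake server banners are constructed for illustration, not copied from any tool's signature database; the socket helper at the end is the only thing that touches the network and is not used by the offline sample.

```python
"""Probe-and-match service identification, in the style amap (and now
Nmap's version detection) uses: send a trigger to the port, read the
reply, match it against per-probe signatures.

Added example written for this post; it is not code from amap, Nmap or
the SANS paper. The probe table, regexes and sample banners are
constructed for illustration, not copied from any tool's database.
"""
import re
import socket

# A probe is the bytes to send plus ordered (service, regex) matchers for
# the reply. The NULL probe sends nothing: SSH, FTP and SMTP servers speak
# first. HTTP says nothing until it gets a request, hence the second probe.
# Order matters: FTP and SMTP both greet with "220", which is exactly why
# reading a banner is not the same as identifying a service.
PROBES = [
    {
        "name": "NULL",
        "send": b"",
        "matches": [
            ("ssh",  re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<soft>\S+)")),
            ("ftp",  re.compile(rb"^220[ -](?P<soft>.*FTP.*?)\r?\n", re.I)),
            ("smtp", re.compile(rb"^220[ -](?P<host>\S+)(?: (?P<soft>.*?))?\r?\n")),
        ],
    },
    {
        "name": "GetRequest",
        "send": b"GET / HTTP/1.0\r\n\r\n",
        "matches": [
            ("http", re.compile(
                rb"^HTTP/1\.[01] \d{3}.*?\r?\n(?:.*?\r?\n)*?Server: (?P<soft>.*?)\r?\n", re.S)),
            ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),   # HTTP with no Server: header
        ],
    },
]


def identify(reply, probe_name):
    """Match one reply against the signatures of the probe that produced it.
    Returns (service, details) or None."""
    for probe in PROBES:
        if probe["name"] != probe_name:
            continue
        for service, rx in probe["matches"]:
            m = rx.match(reply)
            if m:
                details = {k: v.decode("ascii", "replace")
                           for k, v in m.groupdict().items() if v is not None}
                return service, details
    return None


def fingerprint(port_reply):
    """port_reply(probe_bytes) -> reply bytes (b"" for no answer).
    Runs the probes in order and returns the first identification, or
    None when nothing matched (an unknown service, or a closed port)."""
    for probe in PROBES:
        reply = port_reply(probe["send"])
        if not reply:
            continue
        hit = identify(reply, probe["name"])
        if hit:
            return hit
    return None


def tcp_port_reply(host, port, timeout=3.0):
    """Build a port_reply() callable that talks to a real TCP port, one
    connection per probe. Not used by the offline sample below."""
    def reply(data):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if data:
                    s.sendall(data)
                return s.recv(4096)
        except OSError:
            return b""
    return reply


# Constructed stand-ins for live servers: each is a port_reply() function.
def fake_ssh(_sent):
    return b"SSH-1.99-OpenSSH_3.7.1p2\r\n"

def fake_ftp(_sent):
    return b"220 ProFTPD 1.2.9 Server ready\r\n"

def fake_smtp(_sent):
    return b"220 mail.example.test ESMTP Sendmail 8.12.9\r\n"

def fake_http(sent):
    if not sent:                      # silent until it sees a request
        return b""
    return b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for name, srv in [("ssh", fake_ssh), ("ftp", fake_ftp), ("smtp", fake_smtp), ("http", fake_http)]:
        print(name, "->", fingerprint(srv))
```

The two 220 greeters are the instructive case: a "banner grab" alone would call ProFTPD an SMTP server, so the FTP signature has to come first and has to look at the text, and that is the kind of ordering and regex maintenance that makes a good signature database the hard part of the job.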

Tuesday, January 27, 2004

Remailer attacks

It's a bit outside the usual fare for here, but Cryptome has what appears to be a mailing list discussion about attacks on specific anonymous remailers and protections against the same.

Also interesting are the pointers to papers embedded in the discussion.

Buffer Overflows

Here's a paper on buffer overflows.

FLoP

The Fast Logging Project, aka FLoP (why not FLogger?) is a utility to put Snort alerts (with payload) into a database (MySQL or Postgres) as quickly as possible.

As this semester's NetSec class is focusing on intrusion detection, esp. Snort, you'll probably see quite a few posts about Snort here. Anyone else have any favorite Snort plugins/utils?

Monday, January 26, 2004

Bad P2P! Bad! Bad!

InfoAnarchy has a pointer to a New York Times article (registration required) which discusses the use of P2P technology for nefarious purposes (spamming, DoS attacks, phishing, etc.).

Ad-aware

A recent article talked about geeks providing support for friends and family. If you're one of these people, I recommend that you build yourself a small toolkit. Put it on a mini-CDR or a thumb drive and carry it around with you (128M thumb drives go for about $35 now).

In any case, one of the tools that should be in that toolkit is Ad-Aware. This tool is capable of removing most current spy-ware binaries. I've only seen one that it didn't recognize/remove and that'll probably be included in the next release.

Another recommendation: maintain a text file with pointers to the download site for your tools and pointers to any professional versions of the software that you use. You never know when you'll end up "doing a job" for a company.

Types of port scans

While digging for data for this semester's paper, I found "Examining Port Scan Methods - Analysing Audible Techniques". While it's not entirely accurate (never say that something is impossible when discussing network security!), it does give a fairly comprehensive listing of the network scan techniques in use today. As there's a good chance that the author is an Italian hacker, I think the intent was to use "available" vice "audible" throughout the document.

Oh, and please don't confuse scan technique with scan type. "Detection and Characterization of Port Scan Attacks" is a paper which describes the different types of scans (vertical, horizontal, block). It's a short paper, but it does present a decent syntax for describing the type of scan.
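The vertical/horizontal/block vocabulary turned into detection logic, as an added example written for this post (it is not the paper's code). It groups probes per source and names the shape; the iptables-style log lines, addresses and thresholds are constructed, and the thresholds are assumptions you would tune to your own network.

```python
"""Classify scanning sources by shape (vertical, horizontal, block) from
firewall log lines. Added example written for this post, not the paper's
code; the iptables-style log lines, thresholds and addresses below are
constructed.
"""
import re
from collections import defaultdict

# iptables LOG lines carry SRC=, DST= and DPT= fields; that is all we need.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")

def parse(lines):
    """Yield (src, dst, dport) for each line that looks like a logged packet."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def classify(records, host_threshold=5, port_threshold=5):
    """Group probes per source and name the scan shape:
       vertical   - many ports on one (or few) hosts
       horizontal - one (or few) ports across many hosts
       block      - many ports across many hosts
       none       - below both thresholds (ordinary client traffic)
    Returns {src: {"type", "hosts", "ports", "probes"}}."""
    probes = defaultdict(set)
    for src, dst, dport in records:
        probes[src].add((dst, dport))
    result = {}
    for src, pairs in probes.items():
        hosts = {d for d, _ in pairs}
        ports = {p for _, p in pairs}
        many_hosts = len(hosts) >= host_threshold
        many_ports = len(ports) >= port_threshold
        if many_hosts and many_ports:
            kind = "block"
        elif many_hosts:
            kind = "horizontal"
        elif many_ports:
            kind = "vertical"
        else:
            kind = "none"
        result[src] = {"type": kind, "hosts": len(hosts), "ports": len(ports), "probes": len(pairs)}
    return result

def describe(summary):
    """One line per scanning source, in the paper's vocabulary."""
    return [f"{src}: {s['type']} scan, {s['hosts']} host(s) x {s['ports']} port(s), {s['probes']} probes"
            for src, s in sorted(summary.items()) if s["type"] != "none"]

def constructed_log():
    """Constructed sample, not real logs: three scanners and one ordinary client."""
    tmpl = ("Jan 25 03:14:{sec:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            "LEN=48 TTL=117 PROTO=TCP SPT={sport} DPT={dport} SYN")
    lines, sec = [], 0
    def add(src, dst, dport):
        nonlocal sec
        sec = (sec + 1) % 60
        lines.append(tmpl.format(sec=sec, src=src, dst=dst, sport=1024 + sec, dport=dport))
    for p in (21, 22, 23, 25, 80, 110, 143, 443):          # vertical
        add("10.1.1.5", "192.168.1.10", p)
    for i in range(1, 13):                                   # horizontal
        add("10.2.2.9", f"192.168.1.{i}", 445)
    for i in range(1, 7):                                    # block
        for p in (22, 80, 135, 139, 445, 3389):
            add("10.3.3.3", f"192.168.2.{i}", p)
    add("10.4.4.4", "192.168.1.10", 80)                      # normal client
    add("10.4.4.4", "192.168.1.10", 443)
    return lines

if __name__ == "__main__":
    for line in describe(classify(parse(constructed_log()))):
        print(line)
```

The shape is independent of the technique: a SYN scan, a FIN scan and a full connect() scan of the same targets all produce the same (src, dst, port) set, which is why the paper's type vocabulary is useful on the defending side even when you can't tell the technique from a firewall log.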

Sunday, January 25, 2004

Uh oh IV

Updated info about the spammer:

I've been spammed by an online gambling site

- run under a domain registered via an Australian registrar
- by a supposed resident of Illinois
- who's actually in the Tampa Bay, FL area
- on a residential IP address
- using a Hotmail account
- and answers complaints to the Hotmail address via a Yahoo account
- defending the site run on a server in California (where unlicensed gambling, online or otherwise, is a crime),
- also advertising off-shore gambling sites,
- and misappropriating advertising services here in Virginia.

This guy wants so badly not to be found that he's sticking out like a sore thumb.

BlogSpam.org

Found BlogSpam.org, which presents various anti-blog-spam techniques for MT-based blogs.

Update:
Also found this post which points to the Blogger's Anti-Spam Manifesto and has the graphic to the right.

Kermit still alive

If you administer anything larger than a NAT-based firewall, you've seen the need for Columbia University's Kermit program. Its purpose in life is to let the user talk to a piece of hardware, usually through a serial port (a console cable), and to move files over that link. Now 22 years old, it predates most of the Internet. While each OS may have its own program which "talks serial", Kermit has become somewhat ubiquitous in that it runs on just about every well-known OS. This is a "must-have" in any admin's toolkit.

The Rise of the Spammers

Here's a decent article from SecurityFocus which describes the compromise of the author's home machine (to send spam) and the actions he took to trace the spammers.

Thanks to Liudvikas Bukys for the link.

Wiki Entry

A few quick things:

1) Happy Birthday to joatBlog! The first entry was one year ago today.
2) I'm working on another paper for school (in the wiki). Please ignore "Service Fingerprinting" for a while.
3) I'm leaving town for the week and may not be able to consistently blog. I'll back-fill as needed. (Too bad MT doesn't have Blosxom's ability to accept posts for future use.)

Saturday, January 24, 2004

Blog spam

It took me 1/2 hour today to strip out the comment spam from the last two days and block their IPs. Before you start saying, "well, why don't you add...", let me say that it's not my site. It's not my MT. I'm here because a local collection of geeks tolerate my presence or at least find me entertaining at times (I periodically gore a sacred cow in a local users group). I'm considering: 1) using Blosxom in my home directory or 2) moving the blog to a different site (which requires $ to purchase MT). In any case, consider me as having joined the legions of pissed-off bloggers searching for remedies to blog spam.

Orkut?

Google has their own version of Friendster (called "Orkut")?

Jeremy has blogged about it. Slashdot has a post. InfoWorld has an article, as do The Whir and BizJournals.

Anyone care to invite me? (*sniff*)

NIST CD/DVD Preservation Guide

NIST, under the Digital Preservation Program, has released a guide which provides methods for the care and handling of CDs and DVDs. For those who don't know, they DO degrade over time, and the usual abuse (handling, label adhesives, direct sunlight, etc.) speeds up the process. For those of you old enough to remember vinyl, many of the precautions sound very familiar.

Scraped from Slashdot.

Network Tools

This is an awesome list of network tools.

Friday, January 23, 2004

TCPDump build error

For anyone trying to build tcpdump on Mandrake or RedHat: if you get an error involving print-esp.c, try:

./configure --without-crypto

before running "make".

Thursday, January 22, 2004

ONLamp 2003

ONLamp.com has a collection called "The Best of ONLamp 2003". There's a wide variety of topics touched, from XBox to MPlayer to OpenLDAP to PHP to programming methods to FreeBSD to mail servers. If you haven't read any of the articles, you could probably spend most of an afternoon reading and playing with the various tips/tricks discussed.

Wednesday, January 21, 2004

Pending Nmap Book

For anyone that missed it, Fyodor talks about the Nmap book he's working on.

Snarl Project

Not sure how usable it is yet (development is quite slow), but in searching for background data on my comment spammers, I tripped across the Snarl Project, a FreeBSD forensic bootable ISO.

MS Exchange 2K Config Guide

Exchange admins! If you're not securing your systems, you're an incident waiting to happen.

MS Exchange has to be one of the most feature-rich server products around. (Note: this is not necessarily a "good thing", in that you have to be aware of what you "get" by default.)

Tuesday, January 20, 2004

Cisco Router Exploits

TaoSecurity has a pointer to a two-part article on Cisco Router exploits. The vulnerabilities discussed in the article are already well-known and easy to configure around.

That's not to say that any/some/most/all of the routers on the Internet are configured properly.

Monday, January 19, 2004

SecurityFocus HOME Infocus: Worm Propagation In Protected Networks

SecurityFocus has an article entitled "A Comparison Study of Three Worm Families and Their Propagation in a Network".

Spamhole

At the end of last semester's class, we experimented with honeyd. In my surfing, I've tripped across SpamHole, which is an SMTP-only honeypot that simulates an open mail relay: it accepts the spammer's mail as if it were going to relay it, and doesn't.

Given my recent spam-related "theme", this is an interesting project to keep an eye on.

More steganography

From ONLamp, an article about steganography.

Sunday, January 18, 2004

GPG Cheatsheet

From Kevin at The Lost Olive, a pointer to a GPG CheatSheet.

Famous Hacks

Every geek blogger from here to Sunday is going to blog this but I couldn't resist...

Yahoo! News has a list of Nine Famous Hacks.

ICMP

Sys-Security.com has a wealth of information about ICMP and the various security tools related to the protocol. An awesome site!

Uncloaking Terrorist Networks

In digging through a couple of my old folders, found the following. It's not very relevant to this blog but I found the visualization techniques interesting so...

Valdis Krebs has a presentation entitled "Uncloaking Terrorist Networks" which discusses the mapping of terrorist networks using open source data.

Friday, January 16, 2004

Uh cont (my reply)

My reply-to-all to which I'm adding abuse@yahoo and abuse@hotmail

To uce@ftc.gov, abuse@cox.net, fm99audio@757.org:

Mr. Gage (dvsoo7@yahoo.com) received the demand for payment by posting an unsolicited advertisement on a computer located within the state of Virginia without permission. This act violates Virginia state law and is punishable by jail, fine or both. Also, the front page of my blog expressly states that posting unauthorized advertisements to my blog comprises consent to pay $100 for each advertisement. Either he did not read it, chose to ignore it, or has $100 that he's willing to remit immediately. I have done nothing illegal. I have only demanded payment for services used by Mr. Gage, for which he had no permission.

To abuse@hotmail.com, abuse@yahoo.com:

Please note that while I sent the "request for payment" to a blog spammer at a Hotmail account, which was used to register the advertised domain of www.best-online-casino-directory.com, the reply came from a Yahoo account. Please review your terms of service to see if he has violated any Terms of Service he may have agreed to by using your free services.

To all:

Unless Mr. Gage can produce a legitimate California State gambling license (as requested below), there is a possibility that he is running an illegal gambling web site in the state of California under a site name registered in Australia while residing in Illinois and misappropriating advertising services in Virginia.

To Mr. Gage:

I find it interesting that you're able to get an opinion from a lawyer on such short notice. Could it be that you have one on retainer for just such a purpose (responding to requests for payment for the advertising services you've borrowed)? It lends support to my original opinion that you've had this argument before with other people who've managed to track you down for using their websites to promote unauthorized advertisements without their permission.

Please give me the name of your lawyer so that I may contact him directly. I find it doubtful that you actually have a lawyer as they don't normally advise the layman to respond to any communications in such a manner. Rather, lawyers are paid to communicate legal matters. If a lawyer told you to do anything, it would have been to either 1) put me in contact with the person(s) you hired to advertise your site or 2) politely ask for more information.

In case you haven't read it, the following statement is at the bottom of the main page of my blog:

"Note: Unauthorized advertisements posted to this
site or to the comments section for this site comprises
agreement to pay $100.00 (U.S.)(non-refundable) for each
advertisement. I also reserve the right to terminate said
advertisement(s) at any time."

Please consider my demand for payment for your use of my website as having been reiterated.

Also, since the IP address used for your website is registered within the state of California, would you mind providing the number from your California State gambling license along with the jurisdiction within which it was registered?

Please note that if you are unable or unwilling to comply with the above, I shall feel the need to contact your domain registrar and indicate that you have violated "Part 2" of your terms of service which state:

"By applying to register a domain name, or by asking Melbourne IT to maintain or renew a domain name registration, the Registrant hereby represents and warrants to Melbourne IT that (a) the statements that the Registrant made in the Registration Agreement are complete and accurate; (b) to the Registrant's knowledge, the registration of the domain name will not infringe upon or otherwise violate the rights of any third party; (c) the Registrant is not registering the domain name for an unlawful purpose; and (d) the Registrant will not knowingly use the domain name in violation of any applicable laws or regulations. It is the Registrant's responsibility to determine whether the domain name registration infringes or violates someone else's rights."

Uh cont.

So in investigating the blog spam I've found an online gambling site

- run under a domain registered via an Australian registrar
- by a resident of Illinois
- using a Hotmail account
- and answers complaints to that address via a Yahoo account about the site
- run on a server in California
- and misappropriates advertising services here in Virginia.

Have I missed anything? Doesn't this appear to be a bit out of the norm?

If he doesn't remit the $100 (see the bottom of the front page of this blog) AND provide the index number from his license, he's then not only committed crimes (misdemeanors, I think) in as many as three states, he has violated terms of service at four different organizations in two countries. Personally, I prefer going after the latter, seeing as it will result in loss of two e-mail accounts, a domain name, and the service provider for his web site.

Uhoh

Mr. Gage was a little upset when I asked for my $100 and contacted the Federal Trade Commission, both of my service providers and an online radio station that has since gone "off the air". You'll notice that he hasn't denied it yet.


Mr Gage writes:

I received this unsolicited, threatening email and my
attorney recommended I send this to you of record.

Email and full headers are as follows
_________________________________________--

From : Tim
Sent : Wednesday, January 14, 2004 10:22 PM
To : dvsoo7@hotmail.com
Subject : Your spam


MIME-Version: 1.0
Received: from users.757.org ([216.54.62.141]) by mc10-f2.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 14 Jan 2004 19:21:41 -0800
Received: from users.757.org (joat@localhost [127.0.0.1]) by users.757.org (8.12.9/8.12.5) with ESMTP id i0F3MZHB058085 for ; Wed, 14 Jan 2004 22:22:35 -0500 (EST) (envelope-from joat@users.757.org)
Received: from localhost (joat@localhost) by users.757.org (8.12.9/8.12.5/Submit) with ESMTP id i0F3MYP7058082 for ; Wed, 14 Jan 2004 22:22:35 -0500 (EST)
X-Message-Info: JGTYoYF78jFSkjbX+RUyN0F+IgBQF0rE
Message-ID:

Return-Path: joat@users.757.org
X-OriginalArrivalTime: 15 Jan 2004 03:21:42.0125 (UTC) FILETIME=[B22839D0:01C3DB16]

Testing your virus scanner(s)

David Precious has an online howto for using the EICAR pseudo-virus to test your virus scanners.

DOS Emulation

Scraped from Slashdot.

David Precious has an online howto for setting up DOS Emulation on a Linux box. He even has links to shareware games that were favorites of many of us.

Thursday, January 15, 2004

Okay, that's it

Okay, that's it! Screw the blacklists. I'm killing your domain. "dvsoo7@hotmail.com", who "owns" "www.best-online-casino-directory.com": you spam my blog, so I have my DNS servers declare themselves authoritative for your domain. What this means is that any of my users trying to get to your site ends up at 65.174.230.39, 164.109.48.78, or 209.16.87.50 (or anything else I can come up with to use in a round robin).

For those that don't know how to do it, here's the method for BIND:

First declare the zone in your config file:

zone "best-online-casino-directory.com" {
    type master;
    file "db.spammer";
    allow-update { none; };
    allow-transfer { none; };
};

Then build your zone file:

$TTL 86400
@       IN  SOA ns.yourdomain.com. you.yourdomain.com. (
                2004011401 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expiry
                1D )       ; minimum TTL
;
; ## An NS record at the apex is required; BIND won't load the zone without one ##
@       IN  NS  ns.yourdomain.com.
;
; ## Poison MX Records: mail for the domain goes to nowhere ##
@       IN  MX  10 mail
mail    IN  A   127.0.0.1
;
; ## Poison A Records: the bare domain and every name under it ##
@       IN  A   65.174.230.39
*       IN  A   65.174.230.39

Reload (or restart) your DNS service and that's it. Anyone who queries your DNS server will not get the site they're expecting. Keep in mind that this only affects clients that use your resolvers; anyone pointed at some other DNS server still reaches the real site. (Hint: you may want to be careful using those IP addresses. Point a browser at them first.)

Oh! And be careful using this method if you sell service to general users. I'm able to use this method because of the existence of a security policy that says "no porn/no gambling from your workstation".

Mr. Gage of 1401-C Skyridge Dr, Crystal Lake, IL: pay the advertising charges I have posted on the front page of my blog and I'll re-enable the domain for the 35,000+ users my servers resolve for. Otherwise you become the 21,453rd poisoned domain in the server.
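With thousands of poisoned domains, nobody hand-writes the zone stanzas. Here is a generator for the two BIND pieces (one shared zone file, one stanza per domain), as an added example written for this post rather than the setup the post describes; the block list entries, server names, file name and sink address are constructed and the post's own sink addresses are deliberately not reused. The validation step matters: a stray quote or semicolon in a block list line would otherwise end up as named.conf syntax.

```python
"""Generate the BIND pieces for a DNS sinkhole: one zone file shared by
every poisoned domain, plus a zone stanza per domain for named.conf.
Added example written for this post, not the setup the post describes;
the domain list, server names, file path and sink address are constructed.
"""
import ipaddress
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    return name.strip().lower().rstrip(".")

def valid_domain(name):
    """Plain hostnames only. A stray quote, brace or semicolon in a block
    list entry would otherwise become named.conf syntax."""
    labels = name.split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def zone_stanza(domain, zonefile):
    return (f'zone "{domain}" {{\n'
            '    type master;\n'
            f'    file "{zonefile}";\n'
            '    allow-update { none; };\n'
            '    allow-transfer { none; };\n'
            '};\n')

def named_conf(domains, zonefile="db.sinkhole"):
    """Build the stanzas for a block list (one entry per line, '#' comments
    allowed). Returns (config_text, rejected_entries)."""
    accepted, rejected, seen = [], [], set()
    for raw in domains:
        name = normalize(raw)
        if not name or name.startswith("#"):
            continue
        if not valid_domain(name):
            rejected.append(raw)
            continue
        if name not in seen:
            seen.add(name)
            accepted.append(name)
    return "".join(zone_stanza(d, zonefile) for d in sorted(accepted)), rejected

def zone_file(sink_ip, ns_name, contact, serial, ttl=300):
    """The shared zone file. Only '@' and relative names appear, so the same
    file is valid under every zone's $ORIGIN. The NS record is required
    (BIND refuses to load a zone without one); the short TTL keeps a
    mistake, or an undo, from lingering in caches for a day."""
    ipaddress.ip_address(sink_ip)             # raises ValueError on junk
    ns_name, contact = ns_name.rstrip("."), contact.rstrip(".")
    return (f"$TTL {ttl}\n"
            f"@       IN  SOA {ns_name}. {contact}. (\n"
            f"                {serial} ; serial\n"
            "                3H ; refresh\n"
            "                15M ; retry\n"
            "                1W ; expire\n"
            f"                {ttl} ) ; minimum (negative-cache) TTL\n"
            f"@       IN  NS  {ns_name}.\n"
            ";; poison mail: deliver to nowhere\n"
            "@       IN  MX  10 mail\n"
            "mail    IN  A   127.0.0.1\n"
            ";; poison web: the apex and every name under it\n"
            f"@       IN  A   {sink_ip}\n"
            f"*       IN  A   {sink_ip}\n")

def serial_for(yyyymmdd, edition):
    """Conventional YYYYMMDDnn serial; bump `edition` for each change that day."""
    return int(f"{yyyymmdd}{edition:02d}")

if __name__ == "__main__":
    # Constructed block list: the second entry is junk, the last a duplicate.
    blocklist = ["best-online-casino-directory.com",
                 'evil"; include "/etc/passwd',
                 "# comment line",
                 "Best-Online-Casino-Directory.COM."]
    conf, bad = named_conf(blocklist)
    print(conf)
    print("rejected:", bad)
    print(zone_file("192.0.2.1", "ns1.yourdomain.example",
                    "hostmaster.yourdomain.example", serial_for(20040115, 1)))
```

Write the stanzas to a file that named.conf includes, point every stanza at the one zone file, and verify with a query against your own server (dig @your-resolver www.some-blocked-domain) that the answer is the sink address and not the real one.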

Developing a Response Plan for Forensics

Another one from the ancient links folder...

EarthWeb has an old article, which is still worth reading, entitled "Developing a Response Plan for Computer Forensics".

Intro to Port Scanning

About.net has a good tutorial entitled "Intro to Port Scanning".

This is one of those things, along with packet captures, that "they" should be teaching system administrators before they give them the d*mn certificate that makes the point-and-click administrator an Internet expert.

[Yeah, I had another argument with the MCSE, which makes him an authority on security and "how the Internet should run".]

Wednesday, January 14, 2004

l0rd links

Here's a good link page for hacker and security-related items. Some of it is a bit old, but it's a good point to start at if you're going to spend the day surfing that kind of site.

Just for fun (or not)

Got off on a tangent, following interesting links. Found the Nitle Weblog Census which led to blog count, a blog about blogs. Fun reading!

Did you know that there are 1,668,724 suspected blogs?

Intro to IP Spoofing

Security Focus has a good article on the theory behind IP Spoofing.

Security Links

Here's a big page of security links on a gov't site.

Tuesday, January 13, 2004

PVR

I don't own a PVR but I've come up with justification (rationalization?) for recording your TV shows. It's called time-shifting, otherwise known as watching a show at a later time/date.

The reason? NBC's new practice of starting shows at 8 minutes after the hour. Near as I can figure, it causes your NBC viewing to conflict with the other channels (to see the end of the current show, you have to give up the beginning of any other show starting on the hour).

What a pisser!

Monday, January 12, 2004

LURHQ: Scanrand

LURHQ Corporation has a very nice paper about Doxpara's very fast port scanner, scanrand.

Testing for open relay/proxy

Security Wizards has an article which describes how to test your mail relay or web proxy to see if it's "open" (relaying mail or proxying web requests for anyone on the Internet, which is not a good thing). The basic test is the same for both: connect from outside your network and ask the server to carry traffic that neither comes from nor goes to your own domains. If it says yes, it's open.
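Both sides of the open-relay question in one place, as an added example written for this post (it is not Spamhole's code from the Monday entry, nor the Security Wizards procedure): a minimal SMTP server-side state machine that can be configured as a relay-denying MX or as an "open" relay, which is what a honeypot like Spamhole imitates (accept anything, deliver nothing), and the classic third-party relay test run against it. Hostnames and addresses are constructed; the smtplib variant is the same test against a real server and is not exercised offline.

```python
"""Minimal SMTP server-side state machine (proper MX or open relay /
honeypot) plus the third-party relay test, as an added example written
for this post. Not Spamhole's code nor the Security Wizards procedure.
Hostnames and addresses are constructed.
"""
import re
import smtplib

ADDR_RE = re.compile(r"(?i)^(?:FROM|TO):\s*<([^>]*)>")

class SmtpSession:
    def __init__(self, hostname="mx.example.test", local_domains=("example.test",), open_relay=False):
        self.hostname = hostname
        self.local_domains = tuple(d.lower() for d in local_domains)
        self.open_relay = open_relay
        self.envelopes = []        # (mail_from, rcpts, body) captured; nothing is delivered
        self.in_data = False
        self.body = []
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpts = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        """Process one client line; returns the server reply, or None while
        inside DATA (the server stays silent until the terminating '.')."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.envelopes.append((self.mail_from, list(self.rcpts), "\n".join(self.body)))
                self.body = []
                self._reset()
                return "250 Ok: queued"          # a lie, on the honeypot
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            m = ADDR_RE.match(arg)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self._reset()
            self.mail_from = m.group(1)
            return "250 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command first"
            m = ADDR_RE.match(arg)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            rcpt = m.group(1)
            domain = rcpt.rpartition("@")[2].lower()
            # The relay decision: a correctly configured MX accepts only
            # its own domains; an open relay (or honeypot) accepts anything.
            if self.open_relay or domain in self.local_domains:
                self.rcpts.append(rcpt)
                return "250 Ok"
            return "550 Relaying denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 Ok"
        if verb == "NOOP":
            return "250 Ok"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

def relay_test(session, probe_from="relaytest@outside.test", probe_to="victim@elsewhere.test"):
    """Third-party relay test: a sender and a recipient that are both foreign
    to the server. A 250 to the RCPT is the open-relay signature.
    Returns (is_open, transcript)."""
    transcript = ["S: " + session.greeting()]
    def send(cmd):
        reply = session.handle(cmd)
        transcript.extend(["C: " + cmd, "S: " + reply])
        return reply
    send("HELO probe.test")
    send(f"MAIL FROM:<{probe_from}>")
    rcpt_reply = send(f"RCPT TO:<{probe_to}>")
    send("RSET")
    send("QUIT")
    return rcpt_reply.startswith("250"), transcript

def relay_test_tcp(host, port=25, probe_from="relaytest@outside.test", probe_to="victim@elsewhere.test"):
    """The same test against a real server (run it only against your own).
    Not exercised offline."""
    s = smtplib.SMTP(host, port, timeout=10)
    try:
        s.helo("probe.test")
        s.mail(probe_from)
        code, _ = s.rcpt(probe_to)
        s.rset()
    finally:
        s.quit()
    return code == 250

def run_dialog(session, client_lines):
    """Feed a whole (constructed) client dialog to a session; returns replies."""
    replies = [session.greeting()]
    for line in client_lines:
        r = session.handle(line)
        if r is not None:
            replies.append(r)
    return replies
```

Note that the test never sends DATA: the answer to RCPT TO is the whole verdict, so the probe costs the target nothing and leaves no message behind. The honeypot side is the mirror image: it answers 250 to everything and keeps the envelopes, which is the spammer's view of an open relay without the relaying.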

TCPReplay

If you work with networks, one of the tools you just have to have is tcpdump. TCPReplay is a pretty decent companion to it: it plays your capture files back onto the wire, in case you want to take a closer look at a specific connection or feed old traffic to an IDS.

Update: SilverStr also has a piece about TCPReplay.

Sunday, January 11, 2004

Online version of Handbook of Applied Cryptography

SilverStr has a pointer to the Online version of Handbook of Applied Cryptography.

Spyware links

I'm gathering spy-ware links for a future page/paper so I'll be taking the lazy way out and blogging the links until I'm ready to write the thing. So here's the first one...

Duke University has a listing of various spyware.

Spamlinks

Spamlinks.net has a good links page with pointers to various bits of info about open relays and proxies.

Wiki Entry

Added "Banned IP List" to the wiki to hold the content of the posts over the last few days.

Google search

Given the problems I've had with Feedster and PHP, I've switched the blog search from Feedster to Google (see above right).

Saturday, January 10, 2004

Gmane - mail 2 news archive

In researching a TCP port, I tripped across Gmane, a mailing-list-to-nntp server which stores/serves mailing list traffic. It's been online for just over a year and currently stores (roughly) 12.5M messages from various mailing lists.

Oh really?

Philip Brittan has a News.com article in which he states his belief that thin client technology will solve today's problem with worms and viruses.

[Now what did I do with that sharp stick. Ah, there it is.]

Mr. Brittan has a few misconceptions in his article. The problem which contributes the most to the current environment of worms and viruses is not corporate. It's all of those unprotected home systems. Suggesting a move to thin client technology is ludicrous, in that no home user will pay thousands of dollars for a server just to run the operating system. If they did, it'd be the same clueless user managing the server for those thin clients.

While Microsoft did market itself as the "secure" operating system for the general masses, I don't see them as being at fault. Rather, I see the person responsible for administering the computer as being mostly at fault. The majority of all vulnerabilities, regardless of which operating system is in use, have patches or work-arounds. It's up to the end-user to keep his/her system up-to-date.

Okay, I do blame Microsoft a bit. Mostly their marketing department, though. MS's marketing department drives if/when a product hits the shelves (often before it's ready). If you've read my posts before, you'll see a common theme. If you're going to use the Iraqi Information Minister's method of marketing, you'll be able to find me here, whispering "the Emperor has no clothes".

One of my favorite lines in the article is "Servers, on the other hand, operate in highly managed environments and are much easier to protect than desktop PCs." That depends on the server and the company it "works" for. Most companies spend as little as possible on administration after the fortune they lay out for their technology. What's not stated here is that compromised servers are often able to do that much more damage before they're detected, because the hardware is that much faster/more powerful. Yes, one compromised server is easier to repair than twenty-five compromised workstations. But unless you're a Fortune 1000 company and can afford a "grid", your thin client network is going to be down until the server is repaired.

Anyways... Substituting thin clients for stand-alone systems is not a solution for compromises. It only changes the environment in which the viruses and worms develop. Outlook is Outlook. If you're using thin client technology and have three infected users, it means you have three instances of a virus running in user space on that server. The infected e-mails are still being sent out. Hackers and virus writers will find other vectors/vulnerabilities (thin client technology has its own problems) to exploit.

Rather than throwing the baby out with the bath water (dumping all of your workstations for thin clients), spend the money on your people. More/new technology is NOT a substitute for education. Spend the money on your administrators ("grow" your own, hire better ones, or outsource 'em) and your users. I cannot stress enough that you have to also train your users. It only takes a careless click of a user's mouse to void all that money you spent on administrators and technology.

Finally, contrary to what you might assume in reading the article, Mr. Brittan has nothing to do with information security. A little research reveals that he is chairman of Droplets, Inc., a company which sells a thin client application.

Wiki entry

Added "Things to Read" Category and NANOG entry to the wiki (click above).

IP Ban List

For those that care, here's my current IP ban list:

213.91.182.142
203.106.151.137
203.113.34.239
217.81.38.207
68.173.7.113
217.26.240.61
148.245.163.7
62.213.67.122
80.131.65.249
217.26.244.11

Each of these IPs has been used for blog spamming.

Risk Management of Wireless Networks

To the layman, "risk management" may look like rationalization (coming up with an excuse to do something); it's actually a decision process about whether or not to do or use something. Keeping in mind that risk is the existence of a vulnerability coupled with the threat of that vulnerability being exploited, "risk management" boils down to:
  • Risk Acceptance - accepting the threats and vulnerabilities associated with using a specific technology
  • Risk Avoidance - removing the threat, the vulnerability, or both
  • Risk Mitigation - reducing the threat and/or the vulnerability to the point where it is acceptable
  • Risk Transference - making someone else responsible for the threat/vulnerability (insurance, outsourcing)

To this end, BankInfoSecurity.com has an article entitled "Risk Management of Wireless Networks".

Electronic Evidence site

e-Evidence.info has a listing of various tools used for gathering electronic evidence.

Friday, January 9, 2004

WLAN Security Howto

NetworkWorld Fusion has a howto for securing your wireless network.

Button styles

I found this one quite fun. (Okay, so I'm a geek.) The article describes how to apply cascading style sheets to change the appearance of your "submit" buttons.

I've tried this on another site and have come up with some interesting scaled-down buttons. One thing I may have to work on though is browser specificity. While the differences in appearance on different browsers are not unappealing, they are noticeably different. (Overuse of the same word in a sentence?)

I'll probably end up using them here though.

Wednesday, January 7, 2004

LURHQ: Open web proxies

LURHQ Corporation has a decent article explaining the dangers of having an "open" web proxy entitled "Exposing the Underground: Adventures of an Open Proxy Server".

Silly analogy?

SecureWorks has a somewhat silly article, by Markus De Shon, which ties together the movie Zero Effect and network security. Bill Pullman's character Darryl Zero is a detective who spouts various Douglas Adams-like paradigms for investigation that Mr. De Shon has associated with network security.

Silly? Sublime? I don't know but it was a fun read.

Unrelated personal trivia: Bill Pullman grew up one town over from me.

Blog spammer

For anyone that cares, add 213.91.182.142 to your IP banning list.

Slashdot | Finding MD5 Collisions With Chinese Lottery

Scraped from Slashdot a week ago: there's an effort afoot to use the "Chinese Lottery" attack against the MD5 function to find collisions. In other words, there is an attempt to use massively parallel computing to find two inputs that, when passed through the MD5 function, produce the same output.

While at first glance this may seem innocuous, it is not. Basically, it's an attack on a cryptographic hash function. Keep in mind that "attacks on cryptographic functions" are not necessarily a bad thing. Like just about anything else, they can be used for good or evil.

What is especially interesting about this specific "attack" is the manner in which they are going about getting the "massively parallel" computing power. It's in the form of a Java applet that they are asking webmasters to add to their sites. This results in each visitor to a website contributing processing power to the project for the amount of time that the user leaves the browser page open on that web site.

Innocuous again? Maybe. It's also something that can be used for evil. Anyone remember a certain virus that spread by adding a bit of code to web sites and hijacked the (invisible) browser of any user that visited the site? In this case, the project asks the webmaster to trust someone else's code and gives the site visitor little or no choice in the matter.
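The arithmetic behind why they want a crowd of browsers, as an added example written for this post (it is not the project's applet and does nothing distributed): a birthday-style collision search on a truncated MD5. An n-bit digest falls to roughly 2^(n/2) hashes, so a 32-bit truncation collides in well under a second on one machine, while the full 128 bits need on the order of 2^64. The message prefix is an arbitrary constructed value.

```python
"""Birthday-style collision search on a truncated MD5, as an added
example written for this post (not the Chinese Lottery project's
applet). Shows the 2^(n/2) work factor that makes the full 128-bit
digest a massively parallel job and a 32-bit truncation a toy.
"""
import hashlib
import itertools

def truncated_md5(data, bits):
    """The first `bits` bits of MD5(data), as an integer."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)

def find_collision(bits, prefix=b"msg-", limit=None):
    """Hash distinct messages prefix+counter until two share their first
    `bits` bits of MD5. Returns (m1, m2, hashes_computed), or None if
    `limit` hashes pass without a collision. Memory is the table of
    every digest seen, which is the other cost the birthday bound hides."""
    seen = {}
    for i in itertools.count():
        if limit is not None and i >= limit:
            return None
        msg = prefix + str(i).encode()      # messages are distinct by construction
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def expected_hashes(bits):
    """Mean number of hashes before the first collision (birthday bound,
    about 1.25 * sqrt(2^bits))."""
    return 1.25 * 2 ** (bits / 2)

def is_full_collision(m1, m2):
    """True only if the complete 128-bit digests match. For a truncated
    collision they won't; closing that gap is the whole project."""
    return hashlib.md5(m1).digest() == hashlib.md5(m2).digest()

if __name__ == "__main__":
    for bits in (16, 24, 32):
        m1, m2, n = find_collision(bits)
        print(f"{bits}-bit: {m1!r} and {m2!r} collide after {n} hashes "
              f"(expected ~{expected_hashes(bits):.0f}); full-digest match: {is_full_collision(m1, m2)}")
    print(f"full MD5 would need ~{expected_hashes(128):.3g} hashes")
```

Two things the numbers make obvious: a generic birthday search on the full digest is hopeless for one box and only plausible with a very large number of contributors (hence the applet), and each added bit of digest doubles the hashes needed only every two bits, which is why truncating a hash to "save space" is worse than it looks.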

Tuesday, January 6, 2004

BT/RSS/Tivo

From the PVRBlog comes a pointer to a ScottRaymonNet discussion of combining BitTorrent, RSS, and Tivo (see if "Street Smarts" can find anyone to explain that one!).

The short of it is that there's a suggestion to improve BitTorrent with RSS so that searches could be more powerful. Points to the author for admitting that this idea would most likely be used for illegal purposes (see article for examples).

Encryption Gone Wild

Encryption is not the end-all solution to security problems, especially if it's widely used and uncontrolled. Encrypting a protocol may solve one security problem (eavesdropping), but it also creates others: your IDS and content filters can't see inside the tunnel. Like any other technology, it can easily be abused.

Bowulf has a piece on the use of SSL and the problems it creates with monitoring and content control.

Things will only get worse as virus writers and hackers adopt encryption for their network traffic, not to mention those users in your network who are knowledgeable enough to set up encrypted channels to get around your security policy.
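One thing a monitoring point can still do is notice encryption where it doesn't belong. The following recognizes an SSL/TLS ClientHello by its bytes rather than by port number, so a session that is encrypted from the first byte on, say, 8080 or 25 gets flagged. This is an added example written for this post, not from Bowulf's piece; the flows, payloads and the set of "expected" ports are constructed, and the port set is an assumption you would replace with your own.

```python
"""Spot SSL/TLS by the bytes, not the port. Content monitoring tends to
assume encryption lives on 443; a session whose first client bytes are a
ClientHello on some other port is the case the post worries about.
Added example written for this post; the flows and payloads below are
constructed (no capture was used).
"""
import struct

KNOWN_TLS_PORTS = {443, 465, 636, 993, 995}       # assumption: tune to your policy
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

def classify_hello(payload):
    """Return a description if payload begins an SSL/TLS ClientHello,
    else None. Two wire formats: the SSLv3/TLS record (type 0x16, version
    3.x, handshake type 0x01) and the older SSLv2 header (2-byte length
    with the high bit set, then msg type 0x01 and the offered version)."""
    if len(payload) >= 11 and payload[0] == 0x16 and payload[1] == 3:
        rec_ver = (payload[1], payload[2])
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs_type = payload[5]
        hs_len = int.from_bytes(payload[6:9], "big")
        cli_ver = (payload[9], payload[10])
        # ClientHello body is at least version(2)+random(32); the handshake
        # must fit the record (a ClientHello split across records is rare).
        if hs_type == 0x01 and hs_len >= 34 and hs_len + 4 <= rec_len and cli_ver in TLS_VERSIONS:
            return {"format": "tls-record", "record_version": TLS_VERSIONS.get(rec_ver, "3.x"),
                    "client_version": TLS_VERSIONS[cli_ver]}
    if len(payload) >= 9 and payload[0] & 0x80 and payload[2] == 0x01:
        rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
        ver = (payload[3], payload[4])
        if rec_len >= 9 and (ver == (0, 2) or ver in TLS_VERSIONS):
            return {"format": "sslv2-hello",
                    "client_version": "SSLv2" if ver == (0, 2) else TLS_VERSIONS[ver]}
    return None

def flag_flows(flows, known_ports=KNOWN_TLS_PORTS):
    """flows: iterable of (src, dst, dport, first_client_payload).
    Returns the flows that start a TLS handshake on a port where encryption
    isn't expected, each with the hello description attached."""
    flagged = []
    for src, dst, dport, payload in flows:
        hello = classify_hello(payload)
        if hello and dport not in known_ports:
            flagged.append((src, dst, dport, hello))
    return flagged

def constructed_client_hello(version=(3, 1)):
    """Build a minimal but well-formed TLS ClientHello record (constructed,
    not captured): one cipher suite, null compression, no extensions."""
    body = (bytes(version) + bytes(32)           # client_version, random
            + b"\x00"                            # session_id length 0
            + b"\x00\x02\x00\x2f"                # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake

def constructed_sslv2_hello():
    """SSLv2-format ClientHello offering SSLv3 (constructed)."""
    body = (b"\x01\x03\x00"                      # msg type 1, version 3.0
            + b"\x00\x03\x00\x00\x00\x10"        # cipher spec len 3, session id len 0, challenge len 16
            + b"\x00\x00\x2f" + bytes(16))
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

SAMPLE_FLOWS = [  # constructed
    ("10.0.0.5", "192.0.2.10", 443, constructed_client_hello()),             # expected
    ("10.0.0.5", "192.0.2.20", 80, b"GET / HTTP/1.0\r\nHost: x\r\n\r\n"),    # plain
    ("10.0.0.7", "198.51.100.9", 8080, constructed_client_hello((3, 0))),    # TLS where a proxy expects HTTP
    ("10.0.0.9", "198.51.100.4", 25, constructed_sslv2_hello()),             # encrypted from byte one on 25
]

if __name__ == "__main__":
    for flow in flag_flows(SAMPLE_FLOWS):
        print(flow)
```

This catches the cheap evasion (standard SSL on a non-standard port); it does not catch a tunnel wrapped in something else, which is the arms race the post is describing.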

Blog Spammer IP

For anyone that cares, add 217.26.244.11 to your IP banning. It's the latest comment spammer to hit my site.

Sunday, January 4, 2004

Google Hacks

Discovered "Google Hacks" at the local library yesterday and checked it out. In just perusing the book, it's well worth the $$ if you have a job that requires any sort of online research (Do you use Google more than twice a day?).

In any case, I'll be updating the Google portion of the Wiki (see link at top) over the next few weeks as I play with various scripts and absorb more useless trivia.

The Eight Rules of Security

SilverStr has a piece describing "The Eight Rules of Security".

I agree that if you're only going to enforce one of the rules, it should be "Least Privilege". It's also one of the hardest to enforce. The higher the user is in the food chain, the more difficult it is to educate them and to get them to comply to "the rules".

Thursday, January 1, 2004

Grep'able NMap

InfoSecWriters has an article in which the author demonstrates how to configure Nmap so that its output is "grep'able" (the -oG output option: one line per host), making the output easy to handle with other programs, such as grep, awk, or a short script.
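A parser for the grepable format, as an added example written for this post (it is not from the InfoSecWriters article or from Nmap). The sample output is constructed in the -oG layout (tab-separated "Key: value" fields, seven slash-separated parts per port entry), not a real scan; host names and addresses are placeholders.

```python
"""Parse Nmap grepable (-oG) output into records and pull out what you
want from it. Added example written for this post (not from the
InfoSecWriters article or Nmap itself); the sample output below is
constructed in the -oG layout, not a real scan.
"""
import re

# Each host line is tab-separated "Key: value" fields. In the Ports field,
# entries are comma-separated and each entry has seven slash-separated parts:
# port/state/protocol/owner/service/rpc-info/version/
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")

def parse_grepable(text):
    """Yield {"ip", "name", "status", "ports": [...]} per host line.
    Comment lines (starting with '#') are skipped."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        m = HOST_RE.match(line)
        if not m:
            continue
        rec = {"ip": m.group("ip"), "name": m.group("name"),
               "status": fields.get("Status", ""), "ports": []}
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            parts = entry.split("/")
            if len(parts) < 7:
                continue                          # malformed entry; skip rather than guess
            port, state, proto, owner, service, rpc, version = parts[:7]
            rec["ports"].append({"port": int(port), "state": state, "proto": proto,
                                 "service": service, "version": version})
        yield rec

def open_ports(records, service=None):
    """(ip, port, service, version) for every open port, optionally for one service only."""
    out = []
    for rec in records:
        for p in rec["ports"]:
            if p["state"] == "open" and (service is None or p["service"] == service):
                out.append((rec["ip"], p["port"], p["service"], p["version"]))
    return out

SAMPLE_OUTPUT = """\
# Nmap 3.48 scan initiated Thu Jan  1 10:00:00 2004 as: nmap -sS -sV -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 3.7.1p2 (protocol 1.99)/, 23/closed/tcp//telnet///, 80/open/tcp//http//Apache httpd 1.3.29/\tIgnored State: closed (997)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.7.1p2 (protocol 1.99)/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap run completed at Thu Jan  1 10:00:05 2004 -- 8 IP addresses (2 hosts up) scanned in 5.0 seconds
"""

if __name__ == "__main__":
    records = list(parse_grepable(SAMPLE_OUTPUT))
    for ip, port, service, version in open_ports(records):
        print(f"{ip}\t{port}\t{service}\t{version}")
```

The point of the format is that "every host with SSH open" is one grep (or one call to open_ports) rather than a parse of the human-readable output; the version field is there too when the scan was run with -sV, which is what the Wednesday entry on Amap is about.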

Wiki Entry

Added "Cron Basics" to the wiki.

Compliance drives security investments

SearchSecurity has a short article entitled "Compliance drives security investments" which talks about the current laws and how compliance may or may not equate to adequate security.