Saturday, January 31, 2004
Free Posters
Fix it now (or else)
While it may not be "fix your stuff before we fix it for you", it may be the start of a trend of outside organizations requiring that you fix your networks.
More Fyodor on Nmap
Fyodor posted various bits in the Nmap Hackers mailing list. Topics include the legality of scanning and what amounts to the "full disclosure" issue.
Back
Anyways, I've backfilled yesterday's posts and have attacked the backlog of source data.
Friday, January 30, 2004
Will Google for Feeds
inurl:RSS security
or
filetype:rss security
Hint: blog feeds sometimes end in "xml" or "rdf" also. It all depends on what your aggregator will accept.
Finding WAP's with Nessus
IPTables Tutorial
Thursday, January 29, 2004
Honeyd networks
Honeypots site
Sniffing VLANs
Let me reiterate it again: VLANs are a traffic management tool, NOT a security tool!
Hi from SC
I promise the posts will get better after I've gotten back to my usual desk on Friday.
Wednesday, January 28, 2004
Amap
Tuesday, January 27, 2004
Remailer attacks
Also interesting are the pointers to papers embedded in the discussion.
FLoP
As this semester's NetSec class is focusing on Intrusion Detection, esp. Snort, you'll probably see quite a few posts about Snort here. Anyone else have any favorite Snort plugins/utils?
Monday, January 26, 2004
Bad P2P! Bad! Bad!
Ad-aware
In any case, one of the tools that should be in that toolkit is Ad-Aware. This tool is capable of removing most current spyware binaries. I've only seen one that it didn't recognize/remove and that'll probably be included in the next release.
Another recommendation, maintain a text file with pointers to the download site for your tools and pointers to any professional versions of the software that you use. You never know when you'll end up "doing a job" for a company.
Types of port scans
Oh, and please don't confuse scan technique with scan type. "Detection and Characterization of Port Scan Attacks" is a paper which describes the different types of scans (vertical, horizontal, block). It's a short paper but does present a decent syntax for describing the type of scan.
Sunday, January 25, 2004
Uh oh IV
I've been spammed by an online gambling site
- run under a domain registered via an Australian registrar
- by a supposed resident of Illinois
- who's actually in the Tampa Bay, FL area
- on a residential IP address
- using a Hotmail account
- and answers complaints to the Hotmail address via a Yahoo account
- defending the site run on a server in California (where unlicensed gambling, online or otherwise, is a crime),
- also advertising off-shore gambling sites,
- and misappropriating advertising services here in Virginia.
This guy wants so badly not to be found that he's sticking out like a sore thumb.
BlogSpam.org
Update:
Also found this post which points to the Blogger's Anti-Spam Manifesto and has the graphic to the right.
Kermit still alive
The Rise of the Spammers
Thanks to Liudvikas Bukys for the link.
Wiki Entry
1) Happy Birthday to joatBlog! The first entry was one year ago today.
2) I'm working on another paper for school (in the wiki). Please ignore "Service Fingerprinting" for awhile.
3) I'm leaving town for the week and may not be able to consistently blog. I'll back-fill as needed. (Too bad MT doesn't have Blosxom's ability to accept posts for future use.)
Saturday, January 24, 2004
Blog spam
NIST CD/DVD Preservation Guide
Scraped from Slashdot.
Friday, January 23, 2004
TCPDump build error
./configure --without-crypto
before running "make".
Thursday, January 22, 2004
ONLamp 2003
Wednesday, January 21, 2004
Pending Nmap Book
Snarl Project
MS Exchange 2K Config Guide
MS Exchange has got to be one of the most feature-rich implementations of any server. (Note: this is not necessarily a "good thing" in that you have to be aware what you "get" by default.)
Tuesday, January 20, 2004
Cisco Router Exploits
That's not to say that any/some/most/all of the routers on the Internet are configured properly.
Monday, January 19, 2004
Spamhole
Given my recent spam-related "theme", this is an interesting project to keep an eye on.
Sunday, January 18, 2004
Famous Hacks
Yahoo! News has a list of Nine Famous Hacks.
ICMP
Uncloaking Terrorist Networks
Valdis Krebs has a presentation entitled "Uncloaking Terrorist Networks" which discusses the mapping of terrorist networks using open source data.
Friday, January 16, 2004
Uh cont (my reply)
To uce@ftc.gov, abuse@cox.net, fm99audio@757.org:
Mr. Gage (dvsoo7@yahoo.com) received the demand for payment by posting an unsolicited advertisement on a computer located within the state of Virginia without permission. This act violates Virginia state law and is punishable by jail, fine or both. Also, the front page of my blog expressly states that posting unauthorized advertisements to my blog comprises consent to pay $100 for each advertisement. Either he did not read it, chose to ignore it, or has $100 that he's willing to remit immediately. I have done nothing illegal. I have only demanded payment for services used by Mr. Gage for which he had no permission to use.
To abuse@hotmail.com, abuse@yahoo.com:
Please note while I sent the "request for payment" to a blog spammer at a Hotmail account, which was used to register the advertised domain of www.best-online-casino-directory.com, the reply came from a Yahoo account. Please review your terms of service to see if he has violated any Terms of Service he may have agreed to by using your free services.
To all:
Unless Mr. Gage can produce a legitimate California State gambling license (as requested below), there is a possibility that he is running an illegal gambling web site in the state of California under a site name registered in Australia while residing in Illinois and misappropriating advertising services in Virginia.
To Mr. Gage:
I find it interesting that you're able to get an opinion from a lawyer on such short notice. Could it be that you have one on retainer for just such a purpose (responding to requests for payment for the advertising services you've borrowed)? It lends support to my original opinion that you've had this argument before with other people who've managed to track you down for using their websites to promote unauthorized advertisements without their permission.
Please give me the name of your lawyer so that I may contact him directly. I find it doubtful that you actually have a lawyer as they don't normally advise the layman to respond to any communications in such a manner. Rather, lawyers are paid to communicate legal matters. If a lawyer told you to do anything, it would have been to either 1) put me in contact with the person(s) you hired to advertise your site or 2) politely ask for more information.
In case you haven't read it, the following statement is at the bottom of the main page of my blog:
"Note: Unauthorized advertisements posted to this
site or to the comments section for this site comprises
agreement to pay $100.00 (U.S.)(non-refundable) for each
advertisement. I also reserve the right to terminate said
advertisement(s) at any time."
Please consider my demand for payment for your use of my website as having been reiterated.
Also, since the IP address used for your website is registered within the state of California, would you mind providing the number from your California State gambling license along with the jurisdiction within which it was registered?
Please note that if you are unable or unwilling to comply with the above, I shall feel the need to contact your domain registrar and indicate that you have violated "Part 2" of your terms of service which state:
"By applying to register a domain name, or by asking Melbourne IT to maintain or renew a domain name registration, the Registrant hereby represents and warrants to Melbourne IT that (a) the statements that the Registrant made in the Registration Agreement are complete and accurate; (b) to the Registrant's knowledge, the registration of the domain name will not infringe upon or otherwise violate the rights of any third party; (c) the Registrant is not registering the domain name for an unlawful purpose; and (d) the Registrant will not knowingly use the domain name in violation of any applicable laws or regulations. It is the Registrant's responsibility to determine whether the domain name registration infringes or violates someone else's rights."
Uh cont.
- run under a domain registered via an Australian registrar
- by a resident of Illinois
- using a Hotmail account
- and answers complaints to that address via a Yahoo account about the site
- run on a server in California
- and misappropriates advertising services here in Virginia.
Have I missed anything? Doesn't this appear to be a bit out of the norm?
If he doesn't remit the $100 (see the bottom of the front page of this blog) AND provide the index number from his license, he's then not only committed crimes (misdemeanors, I think) in as many as three states, he has violated terms of service at four different organizations in two countries. Personally, I prefer going after the latter, seeing as it will result in loss of two e-mail accounts, a domain name, and the service provider for his web site.
Uhoh
Mr Gage writes:
I received this unsolicited, threatening email and my
attorney recommended I send this to you of record.
Email and full headers are as follows
_________________________________________--
From : Tim
Sent : Wednesday, January 14, 2004 10:22 PM
To : dvsoo7@hotmail.com
Subject : Your spam
MIME-Version: 1.0
Received: from users.757.org ([216.54.62.141]) by
mc10-f2.hotmail.com with Microsoft
SMTPSVC(5.0.2195.6824); Wed, 14 Jan 2004 19:21:41
-0800
Received: from users.757.org (joat@localhost
[127.0.0.1])by users.757.org (8.12.9/8.12.5) with
ESMTP id i0F3MZHB058085for ; Wed,
14 Jan 2004 22:22:35 -0500 (EST)(envelope-from
joat@users.757.org)
Received: from localhost (joat@localhost)by
users.757.org (8.12.9/8.12.5/Submit) with ESMTP id
i0F3MYP7058082for ; Wed, 14 Jan
2004 22:22:35 -0500 (EST)
X-Message-Info: JGTYoYF78jFSkjbX+RUyN0F+IgBQF0rE
Message-ID:
Return-Path: joat@users.757.org
X-OriginalArrivalTime: 15 Jan 2004 03:21:42.0125 (UTC)
FILETIME=[B22839D0:01C3DB16]
Testing your virus scanner(s)
DOS Emulation
David Precious has an online howto for setting up DOS Emulation on a Linux box. He even has links to shareware games that were favorites of many of us.
Thursday, January 15, 2004
Okay, that's it
For those that don't know how to do it, here's the method for BIND:
First declare the zone in your config file:
  zone "best-online-casino-directory.com" {
      type master;
      file "db.spammer";
      allow-update { none; };
      allow-transfer { none; };
  };
Then build your zone file:
  $TTL 86400
  ; names in record data end with a dot, otherwise BIND appends the zone name
  @   IN  SOA  @ you.yourdomain.com. (
               2004011401 ; serial
               3H         ; refresh
               15M        ; retry
               1W         ; expiry
               1D )       ; minimum TTL
  ; BIND 9 will not load a zone without an NS record at the apex
  @   IN  NS   @
  ;
  ; ## Poison MX Records ##
  @   IN  MX   10 localhost.
  ; ## Poison A Records ##
  @   IN  A    65.174.230.39
  *   IN  A    65.174.230.39
Restart your DNS service and that's it. Anyone who queries your DNS server will not get the site they're expecting. (Hint: you may want to be careful using those IP addresses. Point a browser at them first.)
Oh! And be careful using this method if you sell service to general users. I'm able to use this method because of the existence of a security policy that says "no porn/no gambling from your workstation".
Mr. Gage of 1401-C Skyridge Dr, Crystal Lake, IL: pay the advertising charges I have posted on the front page of my blog and I'll re-enable the domain for the 35,000+ users my servers resolve for. Otherwise you become the 21,453rd poisoned domain in the server.
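The same two-step BIND setup (zone stanza, then a shared zone file) generalized to a whole list of poisoned domains, as an added example that is not the post's own code. It assumes constructed domains, the documentation address 192.0.2.1 as the sinkhole, and placeholder nameserver/contact names; it also refuses domain strings that would break out of the named.conf syntax.

```python
"""Sinkhole many domains at once with BIND (added example, not from the post).
Emits named.conf zone stanzas plus one shared zone file in the shape of the
post's snippet, and refuses domain strings that could corrupt named.conf.
192.0.2.1 (documentation range), the NS and contact names are placeholders."""
import re

# One hostname label: letters, digits, hyphens, 1-63 chars, no edge hyphen.
# Quotes, braces, spaces or ';' in a domain would land unescaped inside
# named.conf and change what the config means, so they are rejected.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """True for a syntactically valid domain of at least two labels."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def zone_stanza(domain: str, zone_file: str = "db.sinkhole") -> str:
    """One named.conf zone block; every sinkholed domain shares zone_file."""
    if not valid_domain(domain):
        raise ValueError(f"refusing to sinkhole invalid domain {domain!r}")
    return (f'zone "{domain.lower().rstrip(".")}" {{\n'
            "    type master;\n"
            f'    file "{zone_file}";\n'
            "    allow-update { none; };\n"
            "    allow-transfer { none; };\n"
            "};\n")


def sinkhole_zone_file(serial: int, sinkhole_ip: str,
                       primary_ns: str, contact: str) -> str:
    """Zone file reusable by every sinkholed zone: '@' and '*' expand relative
    to whichever zone loads it. Names in record data must end in '.' or
    BIND appends the zone origin to them."""
    for fqdn in (primary_ns, contact):
        if not fqdn.endswith(".") or not valid_domain(fqdn):
            raise ValueError(f"{fqdn!r} must be an absolute hostname")
    return ("$TTL 86400\n"
            f"@   IN  SOA  {primary_ns} {contact} (\n"
            f"            {serial} ; serial\n"
            "            3H         ; refresh\n"
            "            15M        ; retry\n"
            "            1W         ; expiry\n"
            "            1D )       ; minimum (negative-cache) TTL\n"
            "; BIND 9 refuses to load a zone with no NS record at the apex\n"
            f"@   IN  NS   {primary_ns}\n"
            "; mail for the domain goes to the local host, not the wildcard\n"
            "@   IN  MX   10 localhost.\n"
            "; the apex and every name below it resolve to the sinkhole\n"
            f"@   IN  A    {sinkhole_ip}\n"
            f"*   IN  A    {sinkhole_ip}\n")


def build_named_conf(domains, zone_file: str = "db.sinkhole"):
    """Return the named.conf fragment and the number of zones declared."""
    stanzas = [zone_stanza(d, zone_file) for d in domains]
    return "".join(stanzas), len(stanzas)
```

Run named-checkconf and named-checkzone on the output before reloading, and point the sinkhole address at a host you control rather than at a third party's IP.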
Developing a Response Plan for Forensics
EarthWeb has an old article, which is still worth reading, entitled "Developing a Response Plan for Computer Forensics".
Intro to Port Scanning
This is one of those things, along with packet captures, that "they" should be teaching system administrators before they give them the d*mn certificate, making the point-and-click administrator an Internet expert.
[Yeah, I had another argument with the MCSE, which makes him an authority on security and "how the Internet should run".]
Wednesday, January 14, 2004
l0rd links
page for hacker and security-related items. Some of it is a bit old but it's a good point to start at if you're going to spend the day surfing that kind of site.
Just for fun (or not)
Did you know that there are 1,668,724 suspected blogs?
Tuesday, January 13, 2004
PVR
The reason? NBC's new practice of starting shows at 8 minutes after the hour. Near as I can figure, it causes your NBC viewing to conflict with the other channels (to see the end of the current show, you have to give up the beginning of any other show starting on the hour).
What a pisser!
Monday, January 12, 2004
LURHQ: Scanrand
Testing for open relay/proxy
TCPReplay
Sunday, January 11, 2004
Spyware links
Duke University has a listing of various spyware.
Spamlinks
Wiki Entry
Google search
Saturday, January 10, 2004
Gmane - mail 2 news archive
Oh really?
[Now what did I do with that sharp stick. Ah, there it is.]
Mr. Brittan has a few misconceptions in his article. The problem which contributes the most to the current environment of worms and viruses is not corporate. It's all of those unprotected home systems. Suggesting a move to thin client technology is ludicrous in that no home user will pay thousands of dollars just for the operating system. If they did, it's the same clueless user managing the server for those thin clients.
While Microsoft did market itself as the "secure" operating system for the general masses, I don't see them as being at fault. Rather, I see the person responsible for administering the computer as being mostly at fault. The majority of all vulnerabilities, regardless of which operating system is in use, have patches or work-arounds. It's up to the end-user to keep his/her system up-to-date.
Okay, I do blame Microsoft a bit. Mostly their marketing department though. MS's marketing department drives if/when a product hits the shelves (often before it's ready). If you've read my posts before, you'll see a common theme. If you're going to use the Iraqi Information Minister's method of marketing, you'll be able to find me here, whispering "the Emperor has no clothes".
One of my favorite lines in the article is "Servers, on the other hand, operate in highly managed environments and are much easier to protect than desktop PCs." That depends on the server and the company it "works" for. Most companies spend as little as possible on administration after the fortune they lay out for their technology. What's not stated here is that compromised servers are often able to do that much more damage before they're detected because the hardware is that much faster/more powerful. Yes, one compromised server is easier to repair than twenty five compromised workstations. But unless you're a Fortune 1000 company and can afford a "grid", your thin client network is going to be down until the server is repaired.
Anyways... Substituting thin clients for stand-alone systems is not a solution for compromises. It only changes the environment in which the viruses and worms develop. Outlook is Outlook. If you're using thin client technology and have three infected users, it means you have three instances of a virus running in user space on that server. The infected e-mails are still being sent out. Hackers and virus writers will find other vectors/vulnerabilities (thin client technology has its own problems) to exploit.
Rather than throwing the baby out with the bath water (dumping all of your workstations for thin clients), spend the money on your people. More/new technology is NOT a substitute for education. Spend the money on your administrators ("grow" your own, hire better ones, or outsource 'em) and your users. I cannot stress enough that you have to also train your users. It only takes a careless click of a user's mouse to void all that money you spent on administrators and technology.
Finally, contrary to what you might assume in reading the article, Mr. Brittan has nothing to do with information security. A little research reveals that he is chairman of Droplets, Inc., a company which sells a thin client application.
IP Ban List
Each IP on the ban list has been used for blog spamming.
Risk Management of Wireless Networks
- Risk Acceptance - accepting the threats and vulnerabilities associated with using a specific technology
- Risk Avoidance - removing the threat, the vulnerability, or both
- Risk Mitigation - reducing the threat and/or the vulnerability to the point where it is acceptable
- Risk Transference - making someone else responsible for the threat/vulnerability
To this end, BankInfoSecurity.com has an article entitled "Risk Management of Wireless Networks".
Electronic Evidence site
Friday, January 9, 2004
Button styles
I've tried this on another site and have come up with some interesting scaled-down buttons. One thing I may have to work on though is browser specificity. While the differences in appearance on different browsers are not unappealing, they are noticeably different. (Overuse of the same word in a sentence?)
I'll probably end up using them here though.
Wednesday, January 7, 2004
LURHQ: Open web proxies
Silly analogy?
Silly? Sublime? I don't know but it was a fun read.
Unrelated personal trivia: Bill Pullman grew up one town over from me.
Slashdot | Finding MD5 Collisions With Chinese Lottery
While at first glance this may seem innocuous, it is not. Basically, it's an attack on a cryptographic function. Keep in mind that "attacks on cryptographic functions" are not necessarily a bad thing. Like just about anything else, they can be used for good or evil.
What is especially interesting about this specific "attack" is the manner in which they are going about getting the "massively parallel" computing power. It's in the form of a Java applet that they are asking webmasters to add to their sites. This results in each visitor to a website contributing processing power to the project for the amount of time that the user leaves the browser page open on that web site.
Innocuous again? Maybe. It's also something that can be used for evil. Anyone remember a certain virus that got around by adding a bit of code to web sites and also hijacked the (invisible) browser of the user that visited that site? In this case, it asks the webmaster to trust someone else's code and gives the site visitor little or no choice in the matter.
Tuesday, January 6, 2004
BT/RSS/Tivo
The short of it is that there's a suggestion to improve BitTorrent with RSS so that searches could be more powerful. Points to the author for admitting that this idea would most likely be used for illegal purposes (see article for examples).
Encryption Gone Wild
Bowulf has a piece on the use of SSL and the problems it creates with monitoring and content control.
Things will only get worse as virus writers and hackers adapt the use of encryption for network traffic, not to mention those users in your network who are knowledgeable enough to set up encrypted channels to avoid your security policy.
Blog Spammer IP
Sunday, January 4, 2004
Google Hacks
In any case, I'll be updating the Google portion of the Wiki (see link at top) over the next few weeks as I play with various scripts and absorb more useless trivia.
The Eight Rules of Security
I agree that if you're only going to enforce one of the rules, it should be "Least Privilege". It's also one of the hardest to enforce. The higher the user is in the food chain, the more difficult it is to educate them and to get them to comply with "the rules".