Sunday, February 29, 2004

A new version

Yet another comment spammer trick. Leave a comment accusing the blogger of stealing search engine rank from the website, to quote: "your blog stole my google results".

The miscreant: "webmasterbrain dot com" (Hint: edited so that he gains nothing for page rank. Hopefully, he loses rank because I'm talking about it. Webmasterbrain, webmasterbrain, webmasterbrain!! Anyways, he's been added to the blacklist.)

Piss off Zoink!


UPDATE: Err... I was talking out the wrong end of my anatomy (thus the strike-out above.) Apologies to Zoink in the comments below. Still don't know how I stole his google results.

Buhahahahahaha! D'oh!

I will not get into the argument of whether this is true or not. Just let me add that it's also the gun that most people shoot themselves or others with.

"Hey, watch this!"




Debian links?

I'm assuming that this is a links page for Debian multimedia. In any case, it links to a lot of interesting projects.

Saturday, February 28, 2004

Advertisements vs. Spam

It's obvious that people sometimes read this blog via search engines, as people are still commenting on entries that are almost a year old. This example of advertising in comments I consider to be "OK", as it directly relates to the topic, contributes to the discussion (short as it may be), and doesn't appear to be a comment that's pasted to every blog on the planet.

Thanks Sid!

Snort Manual

Here's the (PDF) manual for Snort 2.1.1-RC1.

Mail defense in depth

If you've designed things properly, you have a non-MS mail handler, just inside your firewall, that scans for viruses and spam before handing the mail off to your local Exchange box. That gateway also lets you script filters in case of emergency so that this doesn't happen.

This can be done with Linux or FreeBSD (or variant), Sendmail/Postfix/QMail/etc., and Perl. Many commercial anti-virus vendors sell *nix versions of their scanners. The key technology here is Perl. If you watch your network metrics, you'll notice virus outbreaks before they're news on the anti-virus sites. A quick analysis allows you to write emergency filters to quarantine or delete traffic until such time that the vendors issue signature updates.
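As an added example of the emergency-filter idea (not code from the original post, and written in Python rather than the Perl the post recommends), this script classifies a raw message by attachment name, looking inside zip archives as well, and returns a quarantine-or-deliver decision the gateway can act on. The extension patterns, addresses and sample messages are constructed for illustration.

```python
"""Emergency attachment filter for a Unix mail gateway in front of Exchange.
Added example, not code from the original post, written in Python rather than
the Perl the post recommends. Patterns and sample messages are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed emergency rules: added during an outbreak after a quick look at
# the traffic, removed again once the anti-virus vendor ships signatures.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd|com)$", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(txt|doc|htm|html|pdf|jpg)\s*\.[a-z]{2,4}$", re.IGNORECASE)

def suspicious_name(name):
    """Return a reason if a file name looks like a disguised executable, else ''."""
    if EXECUTABLE_EXT.search(name):
        return f"executable attachment {name!r}"
    if DOUBLE_EXT.search(name):
        return f"double-extension attachment {name!r}"
    return ""

def classify(raw):
    """Return ('quarantine', reason) or ('deliver', '') for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        reason = suspicious_name(name)
        if reason:
            return "quarantine", reason
        if name.lower().endswith(".zip"):
            # Look inside archives: an executable wrapped in a zip is still held back.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        reason = suspicious_name(member)
                        if reason:
                            return "quarantine", f"inside {name!r}: {reason}"
            except zipfile.BadZipFile:
                return "quarantine", f"unreadable zip attachment {name!r}"
    return "deliver", ""

def build_message(filename, payload):
    """Constructed sample input: one message carrying a single attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.net", "user@example.com", "test"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def zip_bytes(member, data):
    """Constructed sample input: a zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

if __name__ == "__main__":
    for fname, body in [("report.pdf", b"%PDF-1.4"), ("readme.txt.pif", b"MZ"),
                        ("photos.zip", zip_bytes("party.jpg.exe", b"MZ"))]:
        print(fname, classify(build_message(fname, body)))
```

Hooked in as a content filter, a "quarantine" result would go to a holding mailbox for review rather than to Exchange, and the rule list shrinks again once the vendor signatures arrive.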

Thursday, February 26, 2004

Port Knocking

Here's a website devoted to port knocking.

Passive Information Gathering

The penetration testing mailing list has a pointer to a paper about "Passive Information Gathering Techniques" (in PDF format).

Wednesday, February 25, 2004

Comment spammers

Damned comment spammers are at it again. Oh well, 11 new domains added to the blacklist.

One new thing of interest. Some of the spammers are not spamming domains. Rather, they're making comments like "Cool site" and just posting their e-mail address. How do I know it's spam? It's always in comments for archived posts and it's usually the same or similar message from the same IP address in different posts. I'm guessing they're still trying to draw attention to their domain (in the e-mail address), just not as overtly as the other boneheads. These jerks get their domain blacklisted and their IP banned.

NIST Risk Management Guide

SilverStr has a pointer to a draft NIST paper, entitled "Risk Management Guide for Information Technology Systems". This is a good-to-have as it presents a method for formalizing the risk management process. A recent update ties in FIPS 199, which became "set in stone" approximately two weeks ago.

On an associated note, Kevin at The Lost Olive has one for "A Baseline for Achieving Security" which supposedly helps build usable security processes.

Foundstone's Free Tools

Here's the link to Foundstone's free security tools for Assessment, Forensics, Intrusion Detection, Scanning and Stress Testing.

Tuesday, February 24, 2004

John the Ripper

A new version of John the Ripper is out.

Okay, what's going on?!

Am I dreaming? Has hell frozen over? Was I mysteriously transported to an alternate dimension?

I arrived home from work today to find that my SysAdmin subscription included a free 180-day evaluation copy of Windows Server 2003 Enterprise Edition. Then this shows up in Slashdot along with an announcement that MS is going to include their own virus scanner in the next XP service pack. Given that anti-virus research tends to be based on being able to quickly analyze malicious code, this could turn into an expensive process (but it's something that they should have done years ago).

Is it me or is MS suddenly working with us (hybrid network users/admins/managers) rather than around/over/through/in spite of us?

Consolidation of Defacement Archives

(Courtesy of HackerIntel) Attrition is donating their defacement archive to Zone-H. This will create the largest database of web site defacements in existence.

Monday, February 23, 2004

Blocking XSS attacks

IBM Developer has an article on blocking cross-site scripting attacks.

Defeating NMap OS-Fingerprinting

Although it amounts to "security by obscurity", disguising your OS and applications does add a tiny bit of protection, requiring just that much more effort by an attacker. David Barroso Berrueta has a paper entitled "A Practical Approach for Defeating NMap OS-Fingerprinting". (Courtesy of

Sunday, February 22, 2004

Fretting about patching has an article about the worries involved with the development and deployment of a patch. One thing the article doesn't discuss is the additional delay that some of the larger organizations add by having to research the effect that the patch has on their infrastructure.


(Yet Another ARP Poisoning Tool) Further support for my stance that a VLAN is not a security measure: Seringe, from Michael Hendrickx.

No Op

I went through and cleaned out the dead links in the InfoSec category and then moved the entire listing to BlogRoll. For those interested (if any), the older BlogRoll links have either been moved into other categories or deleted. I guess I'm trying to refine the "focus" a bit. I'll continue to work on the main page links. Anything not directly related to the blog should be moved to the secondary (and much larger) links page.

Saturday, February 21, 2004

Network Visualization Community

Here's the home page for the Network Visualization Community. (Courtesy of

Misc. Links

Mark Kuhn has various interesting links on his home page and on his hardware security links page.

Engineering Principles for IT Security

From the document: "The purpose of the Engineering Principles for IT Security is to present a list of system-level security principles to be considered in the design, development, and operation of an information system."

IPTables Tarpit

Recently on the Honeypots Mailing List, IPTables::IPv4::DBTarpit looks like something to experiment with during "free time".

Regular Expressions Tutorial

Here's a regex tutorial, courtesy of Be warned! --> You may want to squint a bit when the page loads. The header colors are a bit bright.

Friday, February 20, 2004

Thursday, February 19, 2004

Huffman Compression

(Via How the Huffman compression algorithm works.

Windows Security Checklist

Scott Granneman has a column in this week's SecurityFocus entitled "A Home User's Security Checklist For Windows". It covers all the basics which should keep you out of 99% of the trouble you're exposed to, being connected to the Internet.

RFC 3675 - .sex bad!

From Network Sorcery (courtesy of Tao Security): RFC 3675 - .sex Considered Dangerous.

It's not what you think. It's actually a discussion of the reasons why we've not yet seen ".sex", ".xxx" or similar. Network Sorcery is the company which sells the RFC Sourcebook, a good-to-have for people who work with application and network protocols. They also have a pretty decent online reference for IP protocols, complete with header diagram and an explanation of the protocol.

Wednesday, February 18, 2004

Social bookmarking? Looks interesting but I don't know enough about it yet to explain it here. More later.

MT Tricks

Elise has a blog with some cool tips for Movable Type.

Spammer added

Received my first comment spam since the powers that be (Thanks J!!) installed MT-Blacklist. Just for the info, spammed me with rxweightloss dot org.

Monday, February 16, 2004

TCPDump Tutorial

Here's another TCPDump tutorial, this one from Firetower Information Security, Inc.

Playing with IPTables

I've been playing around with tying IPTables to Snort, experimenting with the idea of an adaptive Layer 3/4 firewall with Layer 7 sensing (i.e., Snort senses something bad in the content and sends a rule modification to the IPTables box). Not sure how well it's going to turn out, but it's interesting to work on. Got sidetracked into the string-matching capability of IPTables and lost a day of "work". Example:

# Drop inbound IRC-looking traffic to <dest-ip> (address elided on the original page); newer
# iptables needs "--algo bm" after "-m string", and "\:" / "\#" stay literal inside double quotes.
iptables -I INPUT -j DROP -p tcp -d <dest-ip> -m string --string "JOIN \: \#"
iptables -I INPUT -j DROP -p tcp -d <dest-ip> -m string --string "PRIVMSG "

Courtesy of the Firewall Wizards Mailing List.
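An added example of the Snort-to-IPTables idea from the first paragraph (not code from the post, Snort or netfilter): it parses Snort alert_fast lines and emits iptables DROP commands for blockable sources, with a never-block list and de-duplication so a spoofed or noisy alert cannot firewall you off your own network. The alert lines, addresses, allow-list and priority threshold are constructed assumptions.

```python
"""Turn Snort alert_fast lines into iptables DROP rules (dry run: commands are
returned as strings, not executed).

Added example, not code from the original post, Snort or netfilter. Alert
lines, addresses, allow-list and threshold are constructed assumptions.
"""
import ipaddress
import re

# Snort alert_fast format, e.g.
# 02/16-10:21:03.412345  [**] [1:1000001:1] MSG [**] [Classification: x] [Priority: 2] {TCP} 203.0.113.7:41234 -> 192.0.2.10:6667
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Never block these automatically (constructed: own address space, loopback).
# Without this list a spoofed or noisy alert lets the sensor firewall you off
# your own network, which is the classic failure of auto-blocking.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.0/8")]
MIN_PRIORITY = 2  # Snort priority 1 is most severe; act on 1 and 2 only


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def rules_for_alerts(lines, seen=None):
    """Yield one iptables command per new blockable source; 'seen' dedupes across runs."""
    seen = set() if seen is None else seen
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > MIN_PRIORITY:
            continue
        src = ipaddress.ip_address(alert["src"])
        if src in seen or any(src in net for net in NEVER_BLOCK):
            continue
        seen.add(src)
        # The comment ties the rule to its sid so it can be audited and expired later.
        yield (f"iptables -I INPUT -s {src} -p {alert['proto'].lower()} "
               f"-m comment --comment snort-sid-{alert['sid']} -j DROP")


SAMPLE_ALERTS = [  # constructed sample input (RFC 5737 documentation addresses)
    "02/16-10:21:03.412345  [**] [1:1000001:1] CONSTRUCTED IRC JOIN [**] [Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.7:41234 -> 192.0.2.10:6667",
    "02/16-10:21:04.000001  [**] [1:1000001:1] CONSTRUCTED IRC JOIN [**] [Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.7:41235 -> 192.0.2.10:6667",
    "02/16-10:21:05.500000  [**] [1:1000002:1] CONSTRUCTED scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.9:5555 -> 192.0.2.10:80",
    "02/16-10:21:06.000000  [**] [1:1000003:1] CONSTRUCTED noisy internal host [**] [Classification: Misc activity] [Priority: 1] {UDP} 192.0.2.44:1434 -> 192.0.2.10:1434",
]

if __name__ == "__main__":
    for cmd in rules_for_alerts(SAMPLE_ALERTS):
        print(cmd)
```

Of the four constructed alerts only the first produces a rule: the second is the same source again, the third is below the priority threshold, and the fourth comes from the never-block range.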

Network correlations

I'm absolutely fascinated by relationship diagrams and the technology used to produce them. Courtesy of Mark Newman.

Sunday, February 15, 2004

Offline IMAP

The March issue of Linux Journal has a piece on OfflineIMAP. It took a bit of tweaking to get it to run on the older laptop my employer provided but it does work. Makes it very convenient for me as I subscribe to a lot of mailing lists and often don't have the time to sit at home to read through them. Being able to sync the laptop to multiple mail servers and work offline is an awesome ability.

A nice coincidence that fits in nicely with the project is that I do not use the default inbox. I use Procmail as my incoming MTA and anything that passes all the way through those filters (SpamAssassin, SpamBayes, topic sorting, etc) gets filed in a different inbox folder. It took a long while to sync initially, due to the size of my e-mail archive, but updates are quick enough.

My thought for its use: fire up the laptop, start the sync, go build the coffee for the morning, and take both to work a few minutes later.

With a bit of tweaking, I can see this used as a way to maintain mail backups.

Protocol basics

It's not really a tutorial but Gideon Rasmussen has posted a short explanation of the protocols used in a typical web query. You need to know this as a SA or NSO.

Verifying JavaScript Entries

Another for my own future use: checking entries using JavaScript (from Scripty Goddess).

What is a honeypot?

ComputerWorld has an article which gives a really basic description of what a honeypot is/does.


(Prompted by a Slashdot scrape...)

One thing that seems to be catching on is specialized *nix distributions, specifically Knoppix. Here's a list of what I could find in a 15-minute search.

MyYahoo news feed

I've added the "Add to MyYahoo" button to the top right for those that like MyYahoo's RSS handler (can't say aggregator as it's somewhat limited in its functionality).

Anyways, enjoy! Thanks to Jeremy for the pointer.

Friday, February 13, 2004

It's a little light on live links but does have good pointers for tracking down various papers on malicious code (see the bibliography section):

Snort links

Here's some Snort-related links and link-sites:

UndergroundSecuritySystemsResearch (USSR)
Translating Snort Rules to STATL Scenarios
AlchemistOwl - Of note: the daily report
Vim Snort HOWTO

Link site

Found during a search for a good Diffie-Hellman presentation, has a link page with a good collection of security-related links.

Thursday, February 12, 2004


NIST has a draft paper entitled "Special Pub. 800-63 - Recommendation for Electronic Authentication". Basically, it discusses the theory and various types of authentication and makes recommendations for the proper choice of authentication.

Real Admins Read Raw Logs has been around a while. Although Marcus (yes, that Marcus Ranum) and tBird won't openly admit it, their main purpose in life is to produce more people on the planet capable of reading their own log files. A good SA or NSO should be able to read/filter raw logs. Think I'm kidding?

In any case, check out their online library. It's a good URL to have for reference.

GP Settings Reference

Dana (over at SilverStr's Blog) has a pointer to the Group Policy Settings Reference for WS2K3 and XPSP2.

Wednesday, February 11, 2004

DC Snort Blog

Hey, DC has a Snort Users Group, complete with blog!

It's too bad they don't have an RSS feed. (HINT! HINT!)

Something to watch

Snort-Wireless is a site to keep an eye on, for further developments.

Google games

Added Google games to the wiki.


NIST has an RFC for IPv6. Yes, they really want comments. You have about four weeks to provide your input.

Tao Book

This is a reminder for me: Watch for this book! He also has some interesting things linked on his homepage.

Aside: Richard, I want one! Who's the publisher?

Aside: Rob, if you still read this blog, this may be a book for one of your classes. It looks like Richard uses your method for "proving" how something works.

.htaccess tutorials

ScriptyGoddess has pointed out this .htaccess tutorial.

Tuesday, February 10, 2004

Digital Confusion

Yeah, it's a Slashdot scrape, but it's important.

Digital forensics, especially image enhancement and incident tracing, are undergoing the same growing pains as did fingerprints and DNA. With digital forensics, it's that much more difficult as it's easier to fake ones and zeros than it is to fake molecular constructs. It's always an uphill climb for any technology to be used as scientific evidence in criminal cases.

Anyone see the problem in the following quote from the defense lawyer in the CNN story?

"Until there's a history of [what was done and when], not only will I attack it, it should be attacked. Otherwise, you are relying solely on the word of the person doing the work. That's not something I would like to do when someone's facing life in prison or death."

For those that don't see it, think about expert witnesses. With DNA or fingerprints, each side supports or attacks the evidence presented via one or more expert witnesses. Often, jury decisions are based on which expert witness appeared to be more knowledgeable, whether they actually were or not. (Hmm... It just occurred to me that this has a lot in common with those vendors that are able to convince management to buy a product even though you've been telling them for the last six months that the product is junk.) With digital evidence, until specific techniques become generally known and accepted as "common knowledge", we're going to see decisions like "a trojan did it!".

Monday, February 9, 2004

To do

To do list for the coming weekend:

- fix SpamAssassin install (priority!!)
- experiment with Squid authentication schemes
- work on term paper


I'm too lazy to go over and post on LazyWeb but this might be the basis for a decent lookup tool if anyone wanted to code the front-end to it.

Apache Basics

Unix Review has an article describing the basics for configuring the Apache web server.

Avoiding DDoS Attacks

ComputerWorld (AU) has an article which talks about the options for avoiding known attacks, with commentary about the approaches used by Microsoft and SCO in the current MyDoom attack.

One thing the article does not talk about is the measures that the "sending" service providers can take. These are varied and numerous. Most involve knowing what your (as a service provider) normal traffic looks like and what isn't normal traffic (i.e., network "flow" metrics). Some involve the use of sniffers (a temporary Snort box works wonders for specific attacks such as MyDoom). Still others involve log file review (a web-based DDoS showing up in proxy logs? Naw!). A lot of it depends on the configuration of your network.
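As an added example of the log-review approach (not code from the article or the post), this script reads Squid native-format access.log lines and flags destinations whose peak per-minute request rate far exceeds their median, but only when several internal clients are involved, which is what an outbound web DDoS looks like from the provider's side. Log lines, hosts and thresholds are constructed assumptions.

```python
"""Flag a web DDoS, as seen from the sending side, in Squid proxy logs.
Added example, not code from the original post or the article. Log lines are
constructed in Squid's native access.log format; thresholds are assumptions."""
import statistics
from collections import Counter, defaultdict
from urllib.parse import urlsplit

def parse_squid(line):
    """Return (epoch, client_ip, dest_host) from a native-format line, or None."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    host = urlsplit(f[6]).hostname
    if host is None:                     # CONNECT lines carry host:port, not a URL
        host = f[6].rsplit(":", 1)[0]
    return ts, f[2], host.lower()

def per_minute_counts(lines):
    """Return host -> Counter(minute -> requests) and host -> set(client IPs)."""
    counts, clients = defaultdict(Counter), defaultdict(set)
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        ts, client, host = rec
        counts[host][int(ts // 60)] += 1
        clients[host].add(client)
    return counts, clients

def flag_floods(lines, factor=10, min_clients=3):
    """Return {host: (median_rate, peak_rate, clients)} where the peak minute exceeds
    factor x the median minute AND several internal clients are involved: one
    user's download manager is not a DDoS, many infected desktops on one site is."""
    counts, clients = per_minute_counts(lines)
    flagged = {}
    for host, per_min in counts.items():
        rates = list(per_min.values())   # minutes with zero requests are absent
        median, peak = statistics.median(rates), max(rates)
        if peak > factor * max(median, 1) and len(clients[host]) >= min_clients:
            flagged[host] = (median, peak, sorted(clients[host]))
    return flagged

def squid_line(ts, client, url):
    """Constructed native-format line: time elapsed client code/status bytes method URL ident hierarchy type."""
    return f"{ts:.3f}    120 {client} TCP_MISS/200 1234 GET {url} - DIRECT/192.0.2.1 text/html"

def sample_log():
    """Constructed log: five quiet minutes, then a sixth in which five desktops hammer one site."""
    t0, lines = 1075910400.0, []
    for m in range(5):
        lines += [squid_line(t0 + 60 * m + s, "10.1.1.1", "http://www.example.com/") for s in (5, 35)]
        lines += [squid_line(t0 + 60 * m + s, f"10.1.2.{s % 10}", "http://intranet.example.net/news") for s in range(20)]
        lines.append(squid_line(t0 + 60 * m + 1, "10.1.3.9", "http://mirror.example.org/iso"))
    t5 = t0 + 300
    lines += [squid_line(t5 + s, f"10.1.1.{1 + s % 5}", "http://www.example.com/") for s in range(50)]
    lines += [squid_line(t5 + s, "10.1.3.9", "http://mirror.example.org/iso") for s in range(40)]
    return lines
```

In the constructed log the busy intranet site stays flat and the single host pulling an ISO spikes alone, so only www.example.com is flagged, with the five client addresses that the abuse desk would want to look at.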

In any case, while the victim's business model may demand that "something be done" to provide continuity, it's also your responsibility (as a service provider) to monitor your network and take corrective (or preventive) measures to mitigate the attacks.

Then again, it may be in the best interest of your current business model to appear the victim and periodically fall off the net (*cough* Santa *cough* Claus *cough* Online *cough*).

Sunday, February 8, 2004

Snort input for DShield

It's been awhile since I looked at DShield, almost since the project started, but I'm now pleasantly surprised that they accept a number of other inputs, including Snort.

Speek like a geek pointed out Bradford University's semi-serious pronunciation guide "for miscellaneous things Unix". Odd that "switch" doesn't equate to "-" though.

Avoiding worms

ComputerWorld has an article which describes the steps to take to protect your network from infection. It's a bit basic but that's where you've got to start.

Internet Law 2003 has an article that summarizes the Internet law-related news from last year.

JavaScript in CSS?

For my future use: Here's a bit about putting JavaScript in CSS.

Saturday, February 7, 2004

Show/hide (JavaScript)

ScriptyGoddess has a new show/hide script.

Wine Howto's

Someone on the Penetration Testing mailing list noted that Frank's Corner has some pointers for loading various programs under Wine (check the Howto's option). It appears that even l0phtCrack will run under it.

Thursday, February 5, 2004


While the generated graphic is not as extensive as Disruptive Tech's, TouchGraph is an interesting alternative view of a website.

Hidden data in MS Word

If you're going to redact your documents to make them suitable for public release, make sure that you also redact the document info (properties) and ensure that the deletions are not reversible. Liudvikas Bukys has a pointer to an article about it.

Hidden Files in MS

Good to know if you're the forensic or security type. Thanks to Mark Swan for the link to Microsuck.

SpamAssassin Stuff

Misc. SpamAssassin stuff, courtesy of BadAssGeek: SubWiki,

Wednesday, February 4, 2004

Spyware attack

GrayScales has a bit about a spyware attack that's interesting reading.

What did you do wrong?

ComputerWorld has an article which describes the two most common mistakes made by companies, mistakes which complicate forensics investigations.

I cannot stress this enough: "As a system administrator, your job is to determine why a box is acting up. If you discover a break-in, call law enforcement and/or the incident response team. While you're waiting for them, write down what you did up to that point. DON'T DO ANYTHING ELSE TO/WITH THE BOX!!!!"

Buffer Overflows Tutorial

Infosec Writers has a Buffer Overflows for Beginners tutorial.

Default passwords

Here's one of the reasons that you should reset the default passwords on your equipment BEFORE you connect it to the Internet.

(via The Lost Olive)

Microsoft ignores MyDoom

Hacker Intel is reporting that Microsoft is weathering the storm via undisclosed measures. Could it be that "" is now a CNAME for ""? For those that can't take it further, "" is Akamai. This means that Microsoft is "leaning into the wind" by providing more service capability than the Internet bandwidth can load.

Not to restart the argument, but this method is more irresponsible than the one used by SCO in that ISPs will end up paying more to the backbone providers.

It IS an interesting solution though. I wonder how much MS is paying for the distributed website.

Tuesday, February 3, 2004

Worm code optimization?

Various talking heads have noted the speed with which Mydoom has spread. Karl Wolfgang (on the Full Disclosure list) even used it in part of a warning to non-MS and supposedly secure networks to "not rest on your laurels".

In reading Karl's post, I noted that the author of Mydoom had modified his code so that it avoided domains that contained specific keywords (see Sophos for the lists). It appears that the author wanted the worm to avoid "wasting its time", in that he may have been trying to skip domains that are Unix-based or known to have better security than the rest of the Internet. At the local ISSA meeting, someone else stated that attacking ".gov" or ".mil" could allow for the use of the Patriot Act. Agree/disagree with either? Comments?

As a side note, Chris Neitzert (on the Full Disclosure list) has provided a Procmail recipe to filter Mydoom from incoming mail.


Is this a good thing or a bad thing? My first impression is that it's something that spammers can use to register untraceable domains.

Common PHP mistakes has an article which discusses common security problems in PHP code.

Found a good web-based WHOIS

Robert J. Brown pointed out this web-based WHOIS lookup.

More weird USB stuff

Hand Sterilizer (for your favorite hypochondriac)
Air Ionizer (Somewhere along the line, weren't we warned that ionized air was "bad" because it caused dust particles to attach to surfaces, like equipment?)

Sunday, February 1, 2004

Network Mgmt Tools has an article entitled "Network Administration From a Linux Desktop" which describes various tools that you can use to help run your network(s). Many of these are nice-to-have, even if your network is MS-only. Installing these tools not only results in easier network monitoring/management, you learn something to boot.

PDF to Word

Again, for my reference.

It's a really bad idea (PDF readers are more ubiquitous than MS Word) but it's a useful tool nonetheless: a PDF-to-Word Converter.

Forms Tricks

For my future reference, Simon Wilson's post about tricks for more usable forms.

Required to act?

NetCraft has a semi-serious article which presents the various options for SCO to take to prevent damage that's supposed to occur in tomorrow's scheduled attack on their website.

The only viable solution at this point in time is #5: set the A record to localhost.

My question is: what if they DON'T set the A record (even temporarily) to Any other solution will cause extremely heavy (if not overwhelming) traffic on the Internet. Are we going to see a class-action suit for lack of due diligence?