Tuesday, August 31, 2004

What did I do?

All of a sudden I have 10 concurrent readers and 32 referrals from a
Google search for "joatblog". Anyone know something I don't?

Still more on the Graffiti Bike

Wired has another article about the Graffiti Bike guy.

Hmm... Using his lawyer's logic, it's okay to TP the town hall if I call it "art" or "freedom of speech"? Hey, it's biodegradable and eventually washes away.

Blogspot Problems

The comment spam from suspicious looking Blogspot (Blogger.com) sites is
getting out of hand. It's starting to look like filtering the entire
domain is the only option, something I'm reluctant to do as their are
quite a few legitimate sites that are worthwhile to log. Maybe I should
drop the vanity function altogether?


This is one of the
reasons why you spend a week or so, slicking, reinstalling and locking
down your laptop before you go to Defcon and re-slick it once your
done. It's also one of the reasons why you go to Defcon.

Yeah, I know, it was only data injection but there are
other more evil things lurking out there. I wonder if anyone was able
to figure it out without help.

Banned books

More evidence that there's more forehead bruises in my future. Admittedly, there's some books on there that I'd probably never read and a few shouldn't be in the hands of anyone in elementary or middle school but I've read a lot of those books, many in middle or high school.

Wireless MAC Spoofing

a paper on detecting MAC address spoofing in a wireless environment.

Monday, August 30, 2004

TCP/IP Illustrated Online

Here's the online version of Mr. Stevens's book.

Another Lawsuit

I was wondering how long it would take before someone would sue MS for
their newest round of marketing practices. From /., comes
news that various local governments in California are suing for MS's use
of predatory pricing practices.

I can see their point, I'd be ticked
too if I spent $200 for XP and my next door neighbor got it for $50
bucks 'cause he'd stated that he was considering switching to

The problem is going to be the punishment though. Do you think
fining a company $100 million is going to hurt when they've profited
$500 million? I wouldn't be surprised if it's written off as an
operating expense at some point.


Even though WEP attack tools continue to be written, if it's all you have, you should still use it. It at least prevents spread of infection from nearby systems that are not part of the network and requires that attackers have one more step in their attacks.

What is Public Information?

really irks me. Since when does information concerning a
housing association constitute public information? Yes, any member of
the organization should be able to examine the records but the
organization is funded by member dues, not "public money".

I also
dislike the Community Council's reaction as it sets a troublesome
precedent that is going to require someone goint to court to reverse.
Given that just about every housing association in the U.S. has a lawyer
on retainer, I think Mar Vista Community should fire theirs.

Telemarketer counter-script

This is
hilarious, especially the part where the telemarketer is uncooperative.


Tejas Patel's query about a backend for JohnnyIHackStuff prompted me to search Google for it (heh). Here's the feed:


Sunday, August 29, 2004

Graffit Bike Update

It looks the inventor of the graffiti bike is not going to be able to
protest the RNC. According to /. he was arrested
during a television interview for vandalism. The IndyMedia site appears
to be in the middle of a Slashdotting so I can't grab the details.
Maybe later.

Rootkit Hunter

The new version (1.1.7) of Rootkit
is out. New features include: support for the ADM worm,
support for MzOzD and spwn, LKM filename checks, and tests for
passwordless user accounts.

No Op

Just for info: one of this semester's classes is: CyberLaw so don't be
surprised if things gain a bit of law-related flavor.

Spamming Punishments

(from /.) The
US Sentencing Commission has proposed guidelines for
punishment under the CAN-SPAM act.

Spam Filtering for Mail Exchanges

Here's a site
which explains spam filtering for systems acting as mail exchangers.
THe subtitle is "How to reject junk mail in incoming SMTP

Saturday, August 28, 2004

DoS Attacks

Infosec Writers has a piece entitled "DoS Attacks: Instigation and Mitigation". I haven't read it yet but the promo is interesting enough.

Distributed Metastasis

Here's a PacketFactory paper discussing how a network intrusion spreads. This is one of the papers being used in a class last week that I took last year. The classroom is packed, preventing anyone (like myself) from auditing or otherwise crashing the class. [**SNIFF**]

Actually, Rob is also using the paper to teach defenses in the same manner.

New Honeywall

The Honeypots Mailing
has a post announcing a new version of The Honeywall CDROM (from the Honeynet Project).

CallerID Spoofing Service

I'm not sure that we really need a callerID spoofing
and I don't believe the local phone company will put up with
it for long. (From: Security

Hijacked IPs

Here's a site which
lists hijacked IP space, bogon IPs, invalid WHOIS data, and other stuff.

Friday, August 27, 2004


Dkgoodman and I have added a few things to the Wiki recently:
Google-related sites, a format change for the Glossary, and a definition
for the Cinderella Attack (courtesy of Burak Dayioglu). The listing of changes is here.

Bots, Arachnids, and Other

WebRef has an interesting article
describing the basic theory behind bots, spiders, and web crawlers.


Infosec Writers has a paper
on 802.1x-based port authentication. This is a good to know if you have anything to do with corporate VLANs or wireless.

Wireless Security

Here's a
SANS paper which discusses wireless security. The author seems to have
missed that Microsoft's and Cisco's versions of PEAP are not compatible
but it's still a good paper.

Thursday, August 26, 2004

Running Man

looks to be interesting to play. Probably boring to watch though.

Stealing Passwords Via Browser Refresh

Infosec Writers has a paper discussing the theft of passwords via browser refresh and back features and countermeasures. It makes some assumptions about browser use and configuration but is accurate to a point. Here's some additional (user-level) guidelines to avoid this vulnerability:
  • clear your history (or temporary Internet files) after each use
  • turn off auto-complete if it's available
  • turn off the browser's password manager
  • don't use the "remember me" feature on the website
  • close the browser and reboot the machine when you're done with the site

Yeah, some of those are a bit anal but if you're worried about the data controlled by a certain website, it may be worth the trouble.

Squish DNS checker

Squish's dns checker does
some really heavy duty records checking. Very useful for DNS admins.


Barry Irwin has an interesting
post about the recent 419legal.org hijinks.

Wednesday, August 25, 2004

The sky is falling, the sky is falling!

OMG! OMG! The Internet is going
tomorrow. The short version is that terrorists have predicted
that they will take down the Internet some time tomorrow. So far, it
appears to be a hoax.

What if it isn't? Here's some work aheads to
minimize your withdrawal symptons:

  • Make an emergency host table
    of all of your favorite sites, keep it offline
  • stand up your own
    domain server, use the host table to build zone files for those domains
    (i.e., declare yourself authoritative for those zones)
  • make sure
    your IDS signatures are up-to-date
  • same goes for your
  • make sure your call tree is up-to-date
  • go to the
    library, video or game store and borrow/rent/buy that book/video/game
    that you've been wanting to read/see/play.

If the world does
end, you're that much ahead of the game and probably not offline
altogether. If the world doesn't end, hey, you won't have much do on
Friday and will already have the entertainment for the weekend.

Hash Howto

UnixWiz has a piece entitled "An
Illustrated Guide to Cryptographic Hashes
" that helps explain (a
bit) the recent panic over broken hashes.

Some good news

is good news in that possession of the tools of a crime is not illegal
in itself. Otherwise, you'd be suspect for every sharp or blunt object
in your house. It's the use of those tools which can be

Before we get into that argument, I don't condone
illegal file sharing. It's just that possession of certain software
(port scanner, vulnerability scanner, password checker, spam filter)
should not be cause for arrest. I run each of those tools on my
network. I also "possess" numerous file sharing programs as part of
research for network security (Nessus/NMap/Snort signatures, etc.). I
just don't use them.

Future fight?

I like that companies are installing wireless every "downtown". The problem I have with it is I can foresee someone standing up their own wireless network in the same area and having to hire a lawyer because the two interfere with each other. In other words, my free network will interfere with (or steal customers from) the for-pay network.

Malware Analysis

Security Focus has a short
entitled "Malware Analysis for Administrators" which is
interesting reading. It doesn't walk you through a how-to but it does
have a good list of the tools needed and same basic theory behind the

Hydra 4.3

From HERT comes news that Hydra 4.3 is out.

Tuesday, August 24, 2004


Wired has a short news
about the latest troubles at BugMeNot, a source for throw-away
registration addresses. I'm filing this under Silliness as BugMeNot is
alleging "mysterious circumstances" while the previous provider is
stating "server failure".


I can't help thinking that dd_rescue might have other uses (but I can't think of any right off).

dd was originally used for hard drive maintenance and also became a staple of many forensics people's toolkits. The trick was that you had to know what you're doing. Encase has since simplified the process and its output is challenged less and less.

For you more paranoid types, this means that you should destroy even the damaged hard drives.

Let him without sin cast the first...

The Register has an article in which a survey of corporate directors blame employees for virus infections.

Bubbas better look in the mirror first.

My first network job required that I chase viruses (this was before there were enterprise solutions). I once spent an entire day running back and forth between the department head's office and the division office because they kept re-infecting each other while I was in transit. Come to think of it, that was my first forehead bruise too.

Basic Web Session Impersonation

Security Focus has an
interesting article which
discusses the basic theory and countermeasures behind web-based session

Monday, August 23, 2004

Brute forcing SSH

K-Otik has posted the source code for a brute
force attack tool
for SSH. It's quite a simple tool, the author
having built the dictionary into the code rather than relying on
external dictionary files. I still get the impression that it will
still be affective against those systems with poor configurations and
weak passwords (there's more of them than you


  • edit the SSH config to limit who can
    log in via SSH (hint: root should not be one of these)
  • configure
    your IP filters (routers, IPFW, IPTables, etc.) so that only certain IPs
    can connect with SSH
  • consider using SKey, user-level keys,
    Kerberos or some other type of authentication
The idea is to
turn off the default username/password authentication.

RSS Weather

From Furrygoat comes a pointer
to getting your local weather via RSS feed. To quote a friend, "cool beans!"

Tivo Sharing II

I would certainly buy this. I would share with three people: me (my desktop), myself (my laptop, for travel), and possibly I (any other portable device I might own). (Quick, somebody buy me an iRiver, PQI, or NeoSol portable!!)

Neal Stephenson

I'm putting this one on my wish list: Neal Stephenson's second book in
the Baroque Cycle has been out for
quite awhile. Sorry to say, I'm still wading through Quicksilver, only
getting time for recreational reading during lunch at work (yeah, that's
me in the McDonald's parking lot).

Sunday, August 22, 2004

Wiki/Blog interface

I've installed a couple new Blosxom plugins and learned how to add name
anchors to the Wiki. The idea is that the autolink plugin would
automatically link to certain entries in the wiki glossary and/or the
wiki proper. I've also thrown in extra links to Google, Yahoo, and
other well-known sites.

All of the links in this post were
automatically added by the plugin. Of course, I have to tweak the
plugin (can't resist that) and then manually add the entries but it
saves typing in the long run. Let me know if I get out of hand?

MS Port List

One of the must-haves in any network security or admin type's toolkit
should be the Microsoft Port List. Barry Irwin has even provided a HTML conversion of the XLS for us non-MS users.

Weather feeds

Joy Larkin (at Confessions of a
) has pointed out that the NOAA has feeds for their Atlantic and Pacific forecasts.

Bootable Windows CD

Even though they exist, I haven't had much use for bootable Linux CD's
(only needed it once to rescue a Linux hard drive). However, I've
needed a bootable Windows CD a number of times but didn't have it. I'm not that talented with the minutia of Windows administration. Hopefully, this will come in handy the next time I need it. (Thanks to ryumaou at Diary of a Network Geek for the pointer).

Profile of a referer spammer

I just love it when the spammers make it easy for me. (Warning: adult
content in the last line.)

My complaint centers around referer spam
rather than e-mail spam. Because my site lists recent referers, I've
come under "attack" from a specific IP address: That IP
address has spammed my site with links to:


A DNS lookup of each of those web sites returns the IP address "wget -S" reveals that it is running
Apache 1.3.31. A WHOIS lookup of the web server IP address shows that
the web server is in Parsippany, NJ. A WHOIS lookup of all of these
sites show they are registered to Oi, Inc., via the Go-Daddy registrar.

Opinion: As each of these sites has the same bland front-end
with no links (other than Google Ads), I believe that this may be an
attempt to defraud Google's Ad Sense program. (I will send a copy of
this post to Google.)

A WHOIS lookup of any of the domains returns the
same corporate info:

P.O.BOX 22036
Nashville, Tennessee 37202
United States

Registered through: GoDaddy.com
Created on: 29-Jul-04
Expires on: 29-Jul-05
Last Updated on: 04-Aug-04

Administrative Contact:
Domains, Admin open_view@yahoo.com
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --

Technical Contact:
Domains, Admin open_view@yahoo.com
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --

Domain servers in listed order:

A short Google search on the postal address brings back:


shows the corporate info as:


TEL: 615.360.1010 FAX: 615.361.0280

E-MAIL: info@openviewinc.com

P.O.BOX 22036

According to the immediate above, anyone calling the phone
number used to register the domains will get an ear-full of carrier tone
from the company fax machine. However, a Google lookup on (615)
360-1010 returns to "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr,
Nashville, TN 37217".

A DNS lookup of the name server for each of
these sites reveals the DNS servers ns1.openviewinc.com and
ns2.openviewinc.com. The IP address for ns1.openviewinc.com is The IP address for ns2.openviewinc.com is

Note that the www.openviewinc.com website and the mailserver for the
openviewinc.com domain is also Telneting to port 25 at
that IP address returns:

Connected to
Escape character is '^]'.
220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
221 ottawa.nshoster.com closing connection
Connection closed by foreign host.

No spam allowed. That's almost funny.

An interesting bit of
information is reavealed by performing a WHOIS lookup on those IP
addresses. Seems both of them are part of a network owned by Care
Initiatives, Iowa's (according to CI's website) largest senior care

Remember the site sending the referer spam is
A WHOIS lookup shows that it too belongs to Care Initiative in West Des

Getting back to Mr. Jackson. A Yahoo search for "jeremy
jackson nashville" returns a link
(http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View
Trading with the following contact information:


Jeremy Jackson
Open View Trading
P.O.Box 22036
Nashville, TN 37202
Tel: 615/360-1010 Fax: 615/360-1133

Hey, that's the same phone number but it's a different fax
number. Same P.O. Box too.

Futher Google and Yahoo searches for
"jeremy jackson" and "openview" or "nashville" reveal that he has a
healthy gaming habit (FPS's) too.

So, to sum it all up, we have a
gamer in Nashville, running what might be a shady online business which
isn't registered anywhere (possibly Canada?), uses a web site in New
Jersey which is registered via a yahoo e-mail address through a
registrar that is reluctant to provide information (GoDaddy), has
another e-mail account and dns server at a non-profit senior care
facility in Iowa whose STMP banner prohibits spam, uses his home phone
for his business(es) and likes to referer spam my site.

Hope the rest
of you enjoyed this at least as much as I did.

Jeremy, cut it the
F**K out.

Saturday, August 21, 2004

sudo patent

My guess is that this is
important because Longhorn has a shell, something that the *nix world
has had for years but MS users are only now receiving. This is good for
MS users but has the possibility to become a really bad PR issue of MS
is going to start patenting features that have prior art going back two
decades. Next we're going to see patents on cron, at, and history?

This isn't helping

Here's a really bad article that showed up in HITB, which
came from eBCVG,
which came from WebProNews, which supposedly came from ArticleCity.com (a link I cannot get to come up).

What's wrong with the article? How about:

  • the $25 card probably won't work as the cheap ones don't "do" RFMON
  • the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
  • The SSID is not constantly transmitted and computers don't care about it. The SSID is periodically beaconed and wireless NIC cards use it to negotiate connections to specific networks.
  • It's Kismet, not Cismet
  • I don't get why the GPS receiver records only the coordinates of the strong signal.
  • The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
  • I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
  • Don't broadcast your SSID? This one gets old. Previous guidelines recommended that you turn off SSID beaconing. It's been proven that this action only delays SSID detection for a few seconds as the SSID is included as part of Layer 2 management frames. The author seems to be aware of this but mucks up the explanation anyways.
  • How did factory default passwords for routers get into this? Do I need to buy a router too?
  • EAP is not encryption. EAP is an authentication protocol which uses encryption.
  • WEP encryption is not bypassed, it is broken via AirSnort (i.e., the shared key is extracted).
  • MAC spoofing does NOT take time. Manually spoofing a MAC address for an extremely bad typist only takes a few seconds.
  • Password protecting MS file shares are pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?).
  • Breaking WEP does not take days so the seconds to days/weeks-next-to-your-network comment is garbage.

The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:

  • Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
  • Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
  • Use MAC address filtering. It causes the attacker to execute one more command than before.
  • Turn off the d*mn access point when you're not using it.

That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next door neighbor's wide open network.

If you're willing to spend the extra money, you can also:

  • use third-party layer 2 encryption
  • use wireless intrusion detection
  • periodically scan for rogue access points and clients
  • or even better, put CAT-5 cabling in the walls

It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).

iAppliace Standards

Here's a
really good list of standards that related to network-aware appliances.

BHO Analysis

LURHQ has posted an analysis of the
problem with IE browser
helper objects (BHOs)


Not sure if I've blogged this yet but it's still in my clippings folder
so here goes...

NetSec has a
pointer to a "Chrooting Unix Services Guide" which discusses basic theory and configuration.

Friday, August 20, 2004


F-Secure has a quick piece on alternate data
(ADS) and a note that SP2 changes it slightly (was this ever
a good idea, even for NTFS?). Also described is a freeware tool called
LADS which will List the ADSs.

New entries in wiki

I've added the following to the wiki:

as part of the "Google Tricks" section. Thanks to #!/usr/bin/geek for the new pointers.

Graffiti bike

Interesting use of technology but I think he's forgetting about Layer 8. Bet he get's arrested for defacing public property or some such within the first ten minutes.

Liu Die Yu

Liu Die Yu's homepage: lots of good
info on browser vulnerabilities.

Zindos Analysis

LURHQ has posted an analysis of the
Zindos worm.

Thursday, August 19, 2004

Thank you Dana!

Those of us that "do" security owe Dana some free beer for the work
he's done in
the past week to make our lives easier.

Intro to NetFlow

Security Focus has an
article entitled "Detecting Worms and
Abnormal Activities with NetFlow

You'll hear me harp about
this over and over if you follow this blog: if you're responsible for a
network, you need to know what "normal" "looks" like so that you can
recognize "abnormal". This is a good tool to have.

Holy Crap!

Uh, reasons you might not want to install SP2 right yet --> the
following may not
  • Citrix
  • ArcServ
  • eTrust
  • F-Secure
  • Installshield
  • Quicken
  • McAfee
  • MS Office
  • MS Outlook
  • Norton
  • PCAnywhere
  • Symantec
  • Reflection
  • ZoneAlarm
  • and most of the IM's

The main list (from Microsoft) is here. Really "not good".

Executable stegs?

a /. post pointing to Hydan, a
steganorgraphy tool which allows you to hide data within an executable.
This was bound to happen eventually, being yet another part of your
system with slack space.

Also, this is another one of those tools that
can be used for good (watermarks) or evil (hidden data). It may not
measure up to other steganography methods. If you have readily
available "good" copies of binaries to compare against a steg'd version,
simple MD5 checksums should be able to detect modified versions.

Don't do it

Just more support for my "encrypt at layer 2 for wireless"

RedTeam a pointer
to a successful attack on wireless

Rootkit Hunter 1.1.6

Rootkit Hunter 1.1.6 is out.

Wednesday, August 18, 2004

Intrusion Analysis

SecurityFocus has an
interesting article on packet
, part one of a series. This is part of the knowledge
required for your SANS GCIA certification.

Using honeyd without arpd

Antlab has some notes on running honeyd without

More InfoSec Blogs

A post to the HoneyNet mailing list led me to blogs.23.nu which is, I'm assuming, a
site similar to 757.org. What makes it notable is the InfoSec-related

I've only included the English-based ones (I'm unable to read German)
and some of those haven't been updated recently (but are interesting to
read anyways). Also, some of the blogs are via the same person.

any case, thanks to the teenage mutant
ninja hero coders
for hosting all of those sites. I've added them
as a separate category in my Bloglines feeds.

Rootkit Hunter

Here's a NewsForge article about "Rootkit Hunter", an anti-rootkit tool written by Michael Boelen. Very good reading.

Tuesday, August 17, 2004


Every now and then you hear about small companies being bought out for
healthy sums. This one is not an exception. McAfee is buying Foundstone!

One thing to keep in mind though: one of McAfee's former names was Network Associates, the name to which acquisition was tied to as a secondary nature (my opinion). Gauntlet and certain forms of PGP disappeared through that process (also my opinion).

More DiD

To go along with yesterday's Defense-In-Depth discussion, here's a SANS
which contains a case study of the author's attempts to improve security
at his organization via DiD.

Tivo displays

I wish Tivo would provide an API for Series 2 boxes so that we could do
something like this. I
miss my Amiga 2000 which was modified beyond my ability to resell it
when it came time to let it go.

Tivo! How about just a minor API so
we can modify/add non-dangerous (legal) features?


Multi-Function Devices (MFD's) have long been an issue of contention between acquisition and security types. MFD's are cheaper than component devices. They also present some interesting security problems. Untested OS's, multiple paths in/out, etc. Heck, I have enough problems with single function devices. Examples include the OS replacement for certain older HP printers which turns them into remote port scanners.

Textbox with Auto-complete

Not sure if it's going to be any use to me, but here's the link to a how-to for a JavaScript textbox with an auto-complete feature.

Monday, August 16, 2004

SHA-1 Broke?

There's rumor
that SHA-1 has been broken (at least partially). We've been told to
wait a few days to find out the truth. Also, AbusableTech seems to be
offline at the moment.

Snort + ClamAV

For those of you that were interested in the patch for Snort so that
ClamAV could be used as a preprocessor, but then were frustrated because
SourceForge's archive doesn't carry the attachments to the post, you can
get it here.

More DiD

There's been recent discussion about how defense-in-depth isn't
working. The new in-vogue approach is local protection. I firmly
believe that this will not produce the fruit the proponents want. For
proof, go search Google for what the Witty worm did.

The problem with
defense-in-depth was that most were too lazy to fully embrace the
paradigm. Defense-in-depth was "embraced" only as far as perimeter
protection (firewalls) with some internal support (virus scanner). They
didn't bother with HIDS, local packet filters, tripwires, metrics
monitoring, and periodic scans. Some even used minimal configurations
on their perimeter firewalls.

InfoSec Writers has an article talking about the extra security that should be common sense but somehow isn't widespread. The short version is: you should be locking your perimeter filter down to the minimum required to operate.

An example is the web server in your DMZ. Your premis router should allow connections to TCP port 80 on your webserver and UDP port 53 on your external DNS. Your host filter (local firewall, IPFW, IPTables, etc.) should have the same configuration (of course, your webserver will also want to talk to the DNS server on UDP port 53).

You may want to add some sort of control channel, such as SSH (TCP port 22), but you want that type of traffic to come from one local (internal) IP address, not the Internet. Even better, move the control out-of-band: buy a console switch and use serial connections to all of your servers.

IT's SarbOx role

SANS has a paper,
entitled "The Role of IT Security in Sarbanes-Oxley Compliance",
which discusses IT-centric requirements for protecting financial
information. If you work in network security, this is going to become

Live CD's

IBM has posted a pretty decent article discussing Live CD's.

Sunday, August 15, 2004

PDA Forensics

RootSecure has a pointer to
NIST's draft version of their "Guidelines on PDA

These documents are important, but maybe not for
the reason that you think. The information is available elsewhere,
maybe even in a single document. What makes it important that NIST
publish it is that it becomes a federal standard.

The reason that this
is considered "good" is that it makes legal proceedings that much easier
(shorter) because you, as a forensic type talking to judge/jury/other
lawyers, don't have to prove the legitimacy of your investigative
process each and every time you're in court. The short phrase to
describe it: a protocol.

Tracking spammers

I love things like this, where someone figures out how to track do-badders by tweaking their own servers. Thanks to Liudvikas Bukys for the pointer.

Visualize your metrics

If you have anything to do with monitoring network metrics, being able
to push your data thru gnuplot is a good thing to know.

Saturday, August 14, 2004


So far so good. The only IP's I've had to blacklist since switching to
Blosxom are:
  • - a DSL dial-up in Italy
  • - a Verizon dial-up in Seneca Highlands (PA)

Shame on you two, whether or not you're spamming directly or have been zombied.

More wireless problems

Tao Security has a really interesting scenario concerning wireless, supporting yet another argument for encrypting or digitally signing traffic. I recommend doing it at layer 2 because I've seen layer 3 tunnels corrupted via MitM attacks (more about that later).

Begginer's Guide to Phishing

Millersmiles has a "Begginer's Guide to Phishing" that your users should read.

IBM: Securing Linux

IBM has posted an article (part 1 of a series) on the basic theory for securing Linux. It has some good links for further reading and various tools.

PDF-preview of LaTeX Documents

From Geek Notes, a quick
how-to for producing pdf previews from LaTeX documents.

Friday, August 13, 2004

MS's Lower Total Cost of 0wnership

is funny. Even funnier when you realize that you misread the title the
first time around. Thanks Dave!

Password are like gum poster

I've got to get one of these for work.


For my own reference: Chris Samuel
has a post about OpenWRT that I want to keep track of.

Robert Graham

Robert Graham (of Network ICE fame) has a site with a lot of good
information, from tools to malicious code analysis to commentary. Visit
his site here.

Thursday, August 12, 2004

757 IdleRPG update

Joat, level 44 lurker, and skifter, level 44 warrior, are hot on the
trail of the evil wizard zENGER. Stott, the Green Warrior, still
follows in my footsteps, waiting for me to make a mistake.


Heard it on the news and saw it blogged on SmartMobs on
the same day: Stamps.com. I can see
some geek-mileage in this one. Got root? stamps and the like.

Let the hairsplitting begin!

Here's a post from Fyodor, commenting on Microsoft's SP2 intentionally breaks programs which use raw sockets, such as NMap, stating that only people writing attack tools use raw sockets.

Fyodor seems puzzled that Microsoft considers NMap an attack tool. Fyodor! Think marketing vice programming! NMap, Nessus, TCPDump, Snort and Apache are probably all considered evil even though only some of them use raw sockets.

Given the interdependency of the libraries, I'm willing to bet the the interface hasn't totally disappeared. Rather it may have been moved, somehow obfuscated, or has obtained a wrapper or somesuch.

SE Linux

Alec Muffet has an old pointer to a SE Linux machine which you can play with (to learn about SE Linux). There's also pointers to Debian and Gentoo boxes.


Tejas Patel has a quick
pointer to BattleTorrent which promises to be easy to set up for novice users.

I have little interest in MP3 trading as either I or my company paid money for them (think classes not songs) but I do have interest in those updates (Mandrake for one) which become available via BT before anything else. Also, I'd rather archive data (news and articles) rather than eating up storage space on 4 year old drives with MP3's I'll rarely listen to. Thus my novice P2P experience.

Anyways, I hope that there's an easy-to-use BT flavor available the next time I want the new *nix distro.


Yet another example of the dangers of making anything publicly-available
and security-thru-obscurity failing via Google: another lecture at Blackhat which shows that you can find possibly vulnerable VNC servers listings. Definitely falls into the "this is bad" or "shoot yourelf in the foot" categories. If you have anything to do with security, you should be visiting the major search engines, at least on a weekly basis, and scanning for "stuff" available via your company's domain.

Wednesday, August 11, 2004

Detecting Windows Keyloggers

The Security
(of "A Day in the Life of a Security Investigator" fame) has
a quick piece about detecting Windows keyloggers. Interesting reading.

Mail bugs

Burak Dayioglu has a discussion of two of
the mail bug services and the risks involved.

Making things worse

When the object of an attack on your system is to "borrow" your
bandwidth and harddrive space, the FTP server "Serv-U" is often used
(because of its small size and its portability). To make things worse,
there's a number of vulnerabilities in that binary, resulting in
exploits such as this which allows the secondary attacker to gain system privileges.

Social Engineering

an interesting SANS paper on "Social Engineering".

Tuesday, August 10, 2004

Blackhat Media

For those that don't know about it, here's the link for the BH Media Archives. Of interest is Paul Simmonds's presentation on De-Perimeterisation with which I totally disagree.

Call me old-school but I firmly believe that adding technology, especially that without a long-term performance history, does not increase security. The presentation uses a lot of rationalizations which stretch the truth a bit. "We" do not let in port 80, that's done by people, using ISA, who are too cheap to buy a second IP address. Some of the "new" suggestions are actually from the old "moat" model, such as moving your public servers outside of the internal network.

In any case, there's also quite a few other presentations archived there. You may want to download/keep copies of the ones you find interesting. The site practice is to only make files available until they're about 6 months of age.

People Search

USSearch is a
people locating service. (via NetSec)

Environmental Security

Here's an
interesting paper discussing the enhancement of physical security via
modificiations to the local and semi-local environment.

Monday, August 9, 2004

The Art of Rootkits

InfoSec Writers has an article entitled "The Art of Rootkits" which gives some basic theory on the topic.

IDS in Large Orgs

Here's a
SANS paper entitled "Intrusion Detection on a Large Network".
It's a good paper for building and installing Snort. However, it's a
bit lacking in the data correlation side of the house (something that
you have to have to effectively monitor/protect networks of any size).


Here's a
should-read SANS paper entitled "An Overview of Sabanes-Oxley for the
Information Security Professional

Sunday, August 8, 2004


From the Something-to-burn-up-a-few-extra-cycles-on-your-server

and skifter22!! I am coming for you! If I can keep stott off my butt, that is. (heh)

For those that don't know, IdleRPG is an IRC game that you play by doing absolutely nothing on various IRC servers (see "Other IRPGs" link).


I've swapped out PHPWiki for something that works with me better,
MediaWiki. This may not be the last one I try out but it should work
for now. You're welcome to edit/add but please read the rules on the
font page first.

Setting up a server

Here's a
SANS paper with a decent how-to for setting up a Linux-based
Web/DNS/Mail server.

Using Session Data to Scope Events Without Signatures

Ever notice that the same people who are detractors of IDS systems also
actively support "deep packet inspection" over "application proxies"?
What's the trade-off? A slight speed increase and using a "cool" new
technology vs. a slight loss of control and security (in the form of
record keeping). I'd like to see proof of that speed increase
sometime. Yes, layer 4 (OSI model) filtering is faster than layer 7
proxying but, once you start tacking on layer 7 inspection onto a layer
4 packet filter, does the extra processing requirements even the

In any case, TaoSecurity states the IDS
issue very nicely and describes a tool that nicely covers one of the blind spots in IDS technologies: session data.

Possible Points of Failure

Here's a
SANS paper which discusses the various possible points of failure in
Information security. A common theme seems to be "blind trust", in
certifications, in equipment, in processes, etc.

Saturday, August 7, 2004

Old news

I used to think that Wired was a cutting edge magazine for professional
geeks. Now it seems to have faded into trying to keep up with the rest
of mainstream (esp. since most of mainstream has moved online and isn't
controlled by the few). Evidence the news
that you can hack bluetooth, something that was publicly known over a
year ago.

Why's it suddenly news? Cause Adam and Martin figured out a
way to do it over long distances.

Next thing you know, they'll
discover that, with the right equipment, the guy in the van at the curb
can watch what you type into your computer.

Bootable USBs

Here's a quick bit on bootable USB OS's, this one using Linux.

Friday, August 6, 2004

The Art of Web Filtering

Here's a
SANS paper entitled "The Art of Web Filtering". I disagree with
the author only where he states that keyword filtering is poor, at
best. My view is that it really, REALLY stinks as a tool.

depending on the size of your customer base and what you're trying to
block, filtering may become an exercise in futility as you try to keep
up with your policy abusers. It's much more efficient to have an
enforceable policy and self-policing users.

Public prosecution of
offenders do wonders for policy enforcement, unfortunately they may not
be a legal technique at your organization.

Long-range Kits

Wow. Defcon hasn't been over a week and already long-range kits for
Blue/War-driving are on

Defcon 12 News

A bunch of my friends and coworkers went to Defcon and didn't even bring
back a T-Shirt. Of more value was NetSec's posting of the presentations
(Please be nice to the server, the webmaster is asking for mirrors for
and L-Z.

Look at Rob's Aug. 5th posts over on NetSec for a bunch of news about
the shootout, The Schmoo Group's upcoming conference, Meet the Fed,
Robert Morris Sr.,

/. has a pointer
to yet another review of DC12.


CIRT.net is a site with various
default settings (passwords, SSIDs, ports) lists and various tools,
including Nikto, a web server scanner which can scan for thousands of

Paper: Phishing

Here's a
good SANS GSEC paper on phishing.

Thursday, August 5, 2004

More on MSN's new search engine

More skepticism that MSN's new search engine will be all that

Again, I don't think
that tweaking a search engine to support a business/business model will
help in the "success" of that search engine (or the business).

Secret handshakes?

/. has an article
about combining port knocking with OS detection to limit access.
Seriously? Doesn't this sound like too much time on your hands?


TerraServer is a search
engine for the US Geographical Survey aerial imagery and topographic
maps. (via NetSec)

UCE paper

Here's a SANS paper discussing the
effects of
in a large corporation (and some countermeasures).

Wednesday, August 4, 2004

Tivo sharing

could get interesting, in either the technology or legal sense.
Something to keep an eye on.

Oh come on!

AirDefense is surprised that hackers are using wired attacks via wireless?

Cross-linked pr0n sites

The problem with this
is that they not only cross-link their own shady blogs, they use comment
and referer spam to point to their blogs and pr0n sites.

Search Engine Wars?

/. has a posting about Microsofts
plans to challenge
. I have reservations about them being able to compete with
Google. They're using two different business models.

Besides, having
your search engine affected by widespread referrer and comment spam is
one thing. Additionally adjusting your own database to limit competitor
listings is another.

Guide to ARP Spoofing

HITB has a "Guide to ARP

Shoutcast Howto

Another one for my own (later) benefit: Shoutcast

The Wayback Machine

"Simon, set the..."

Wait, wrong machine. This one allows you to
search snapshots of the Internet as far back as 1996.

Tuesday, August 3, 2004

MetaSploit 2.2

The pre-release version of MetaSploit 2.2 is available.


This is nothing! Try going to one of my family reunions where you have the choice of 14.4k over long distance or an intermittant 9.6k via PCS. Which is worse: not having it at all or having just enough to not do want you want?

Scam trace

Barry did a good job with <a href="http://lair.moria.org/blog/entry/Security/Interscope_Financial_Gou
p_Scam_101.txt">this except he missed one thing. Since he doesn't
allow comments, hopefully he'll see it here:

Barry, do a whois on the reverse lookup (IP address) for the web site! It's in the U.S.

Another feed

Thanks to Hatena::Atenna, I found
Firewall.cx. Seems to be an
interesting site. (Their RSS feed.)

Web Site Defacements

Zone-H maintains a
database of web site defacements. This is also where some of the older
defacement archives ended up.

Five-button Mouse

one is for my own benefit. My secret cache of Logitech 3-button mice is
running seriously low. I bought a half-dozen of 'em when Logitech
decided to stop making them. I've been wearing them out at a rate of
one every 6-8 months and have been cannibalizing all of them for repair

Wheel-mice piss me off and I consider Microsoft/Mac/other
two-button mice as seriously crippled. I learned Unix over a decade
ago. Middle-button paste is an ingrained (sp?) reflex at this point.

Intro to /proc

HITB has an article
discussing the information available via "/proc".

Monday, August 2, 2004

Finding Rootkits and Stuff

Linux Magazine has a quick article
entitled "Finding Rootkits, Infections, and Files".

Linux on iPod

I'll need this sometime
next year.

Linux Gazette

If you're new to the field or have been around for awhile, The Linux Gazette is a very good
online newsletter to read. The format has changed over the years (since
1996, I think) but they've always had good articles. Now they even have
a RSS feed.

Sunday, August 1, 2004

Free Snort Book

(via NetSec), here's a free Snort book entitled "Intrusion Detection Systems with Snort - Advanced IDS Techniques Using Snort, Apache, MySQL, PHP and ACID".

Tunneling over DNS

Dan Kaminsky has presented his technique for tunneling anything over the DNS protocol at DEFCON.

New feed

One of the nice things that I've gained in switching from MT to Blosxom
is the referer plugin. Picked up a new feed for Burak Dayioglu and a list of sites
to watch.

Too far?

This is why you
have to be very careful about the wording of laws like Mr. Hatch's

I disagree with the article where it talks about law
enforcement abusing its power. Law enforcement is not at fault here,
they were doing what a judge thought the law allowed. It all goes back
to how the law is written.

Unless it has very specific wording, it
will end up like the Bible: subject to interpretation. If you hear
someone screaming about a law being evil, don't just jump up on the
soapbox with him and start screaming too. Instead, read the proposed
act and make constructive comments. (Many politicians ask for
input/comments.) Also, remember that phrase like "doing it this way may
be better in the long run" works a heck of a lot better than "your law
is a piece of sh*t".

DNS Attacks

LinuxExposed has an article explaining the basic theory behind the Domain Name System (DNS) and various attacks against it.

Please keep in mind that DNS poisoning is not necessarily a "bad thing"(tm). It is still the only truly scalable method of blocking objectionable web sites and mail servers. I've seen it used at sites with 50K users.