Tuesday, August 31, 2004
getting out of hand. It's starting to look like filtering the entire
domain is the only option, something I'm reluctant to do as their are
quite a few legitimate sites that are worthwhile to log. Maybe I should
drop the vanity function altogether?
reasons why you spend a week or so, slicking, reinstalling and locking
down your laptop before you go to Defcon and re-slick it once your
done. It's also one of the reasons why you go to Defcon.
Yeah, I know, it was only data injection but there are
other more evil things lurking out there. I wonder if anyone was able
to figure it out without help.
Monday, August 30, 2004
their newest round of marketing practices. From /., comes
news that various local governments in California are suing for MS's use
of predatory pricing practices.
I can see their point, I'd be ticked
too if I spent $200 for XP and my next door neighbor got it for $50
bucks 'cause he'd stated that he was considering switching to
The problem is going to be the punishment though. Do you think
fining a company $100 million is going to hurt when they've profited
$500 million? I wouldn't be surprised if it's written off as an
operating expense at some point.
one really irks me. Since when does information concerning a
housing association constitute public information? Yes, any member of
the organization should be able to examine the records but the
organization is funded by member dues, not "public money".
dislike the Community Council's reaction as it sets a troublesome
precedent that is going to require someone goint to court to reverse.
Given that just about every housing association in the U.S. has a lawyer
on retainer, I think Mar Vista Community should fire theirs.
Sunday, August 29, 2004
protest the RNC. According to /. he was arrested
during a television interview for vandalism. The IndyMedia site appears
to be in the middle of a Slashdotting so I can't grab the details.
Saturday, August 28, 2004
Actually, Rob is also using the paper to teach defenses in the same manner.
Friday, August 27, 2004
Thursday, August 26, 2004
- clear your history (or temporary Internet files) after each use
- turn off auto-complete if it's available
- turn off the browser's password manager
- don't use the "remember me" feature on the website
- close the browser and reboot the machine when you're done with the site
Yeah, some of those are a bit anal but if you're worried about the data controlled by a certain website, it may be worth the trouble.
Wednesday, August 25, 2004
down tomorrow. The short version is that terrorists have predicted
that they will take down the Internet some time tomorrow. So far, it
appears to be a hoax.
What if it isn't? Here's some work aheads to
minimize your withdrawal symptons:
- Make an emergency host table
of all of your favorite sites, keep it offline
- stand up your own
domain server, use the host table to build zone files for those domains
(i.e., declare yourself authoritative for those zones)
- make sure
your IDS signatures are up-to-date
- same goes for your
- make sure your call tree is up-to-date
- go to the
library, video or game store and borrow/rent/buy that book/video/game
that you've been wanting to read/see/play.
If the world does
end, you're that much ahead of the game and probably not offline
altogether. If the world doesn't end, hey, you won't have much do on
Friday and will already have the entertainment for the weekend.
is good news in that possession of the tools of a crime is not illegal
in itself. Otherwise, you'd be suspect for every sharp or blunt object
in your house. It's the use of those tools which can be
Before we get into that argument, I don't condone
illegal file sharing. It's just that possession of certain software
(port scanner, vulnerability scanner, password checker, spam filter)
should not be cause for arrest. I run each of those tools on my
network. I also "possess" numerous file sharing programs as part of
research for network security (Nessus/NMap/Snort signatures, etc.). I
just don't use them.
Tuesday, August 24, 2004
dd was originally used for hard drive maintenance and also became a staple of many forensics people's toolkits. The trick was that you had to know what you're doing. Encase has since simplified the process and its output is challenged less and less.
For you more paranoid types, this means that you should destroy even the damaged hard drives.
Bubbas better look in the mirror first.
My first network job required that I chase viruses (this was before there were enterprise solutions). I once spent an entire day running back and forth between the department head's office and the division office because they kept re-infecting each other while I was in transit. Come to think of it, that was my first forehead bruise too.
Monday, August 23, 2004
force attack tool for SSH. It's quite a simple tool, the author
having built the dictionary into the code rather than relying on
external dictionary files. I still get the impression that it will
still be affective against those systems with poor configurations and
weak passwords (there's more of them than you
- edit the SSH config to limit who can
log in via SSH (hint: root should not be one of these)
your IP filters (routers, IPFW, IPTables, etc.) so that only certain IPs
can connect with SSH
- consider using SKey, user-level keys,
Kerberos or some other type of authentication
turn off the default username/password authentication.
the Baroque Cycle has been out for
quite awhile. Sorry to say, I'm still wading through Quicksilver, only
getting time for recreational reading during lunch at work (yeah, that's
me in the McDonald's parking lot).
Sunday, August 22, 2004
anchors to the Wiki. The idea is that the autolink plugin would
automatically link to certain entries in the wiki glossary and/or the
wiki proper. I've also thrown in extra links to Google, Yahoo, and
other well-known sites.
All of the links in this post were
automatically added by the plugin. Of course, I have to tweak the
plugin (can't resist that) and then manually add the entries but it
saves typing in the long run. Let me know if I get out of hand?
(only needed it once to rescue a Linux hard drive). However, I've
needed a bootable Windows CD a number of times but didn't have it. I'm not that talented with the minutia of Windows administration. Hopefully, this will come in handy the next time I need it. (Thanks to ryumaou at Diary of a Network Geek for the pointer).
content in the last line.)
My complaint centers around referer spam
rather than e-mail spam. Because my site lists recent referers, I've
come under "attack" from a specific IP address: 184.108.40.206. That IP
address has spammed my site with links to:
A DNS lookup of each of those web sites returns the IP address
220.127.116.11. "wget -S 18.104.22.168" reveals that it is running
Apache 1.3.31. A WHOIS lookup of the web server IP address shows that
the web server is in Parsippany, NJ. A WHOIS lookup of all of these
sites show they are registered to Oi, Inc., via the Go-Daddy registrar.
Opinion: As each of these sites has the same bland front-end
with no links (other than Google Ads), I believe that this may be an
attempt to defraud Google's Ad Sense program. (I will send a copy of
this post to Google.)
A WHOIS lookup of any of the domains returns the
same corporate info:
Nashville, Tennessee 37202
Registered through: GoDaddy.com
Domain Name: GLOBAL-CANCER-RESEARCH.COM
Created on: 29-Jul-04
Expires on: 29-Jul-05
Last Updated on: 04-Aug-04
Domains, Admin firstname.lastname@example.org
Nashville, Tennessee 37202
6153610280 Fax --
Domains, Admin email@example.com
Nashville, Tennessee 37202
6153610280 Fax --
Domain servers in listed order:
A short Google search on the postal address brings back:
shows the corporate info as:
O P E N V I E W INTERNATIONAL, INC.
TEL: 615.360.1010 FAX: 615.361.0280
NASHVILLE, TN 37202
According to the immediate above, anyone calling the phone
number used to register the domains will get an ear-full of carrier tone
from the company fax machine. However, a Google lookup on (615)
360-1010 returns to "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr,
Nashville, TN 37217".
A DNS lookup of the name server for each of
these sites reveals the DNS servers ns1.openviewinc.com and
ns2.openviewinc.com. The IP address for ns1.openviewinc.com is
22.214.171.124. The IP address for ns2.openviewinc.com is 126.96.36.199.
Note that the www.openviewinc.com website and the mailserver for the
openviewinc.com domain is also 188.8.131.52. Telneting to port 25 at
that IP address returns:
Connected to 184.108.40.206.
Escape character is '^]'.
220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
221 ottawa.nshoster.com closing connection
Connection closed by foreign host.
No spam allowed. That's almost funny.
An interesting bit of
information is reavealed by performing a WHOIS lookup on those IP
addresses. Seems both of them are part of a network owned by Care
Initiatives, Iowa's (according to CI's website) largest senior care
Remember the site sending the referer spam is 220.127.116.11?
A WHOIS lookup shows that it too belongs to Care Initiative in West Des
Getting back to Mr. Jackson. A Yahoo search for "jeremy
jackson nashville" returns a link
(http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View
Trading with the following contact information:
Open View Trading
Nashville, TN 37202
Tel: 615/360-1010 Fax: 615/360-1133
Hey, that's the same phone number but it's a different fax
number. Same P.O. Box too.
Futher Google and Yahoo searches for
"jeremy jackson" and "openview" or "nashville" reveal that he has a
healthy gaming habit (FPS's) too.
So, to sum it all up, we have a
gamer in Nashville, running what might be a shady online business which
isn't registered anywhere (possibly Canada?), uses a web site in New
Jersey which is registered via a yahoo e-mail address through a
registrar that is reluctant to provide information (GoDaddy), has
another e-mail account and dns server at a non-profit senior care
facility in Iowa whose STMP banner prohibits spam, uses his home phone
for his business(es) and likes to referer spam my site.
Hope the rest
of you enjoyed this at least as much as I did.
Jeremy, cut it the
Saturday, August 21, 2004
important because Longhorn has a shell, something that the *nix world
has had for years but MS users are only now receiving. This is good for
MS users but has the possibility to become a really bad PR issue of MS
is going to start patenting features that have prior art going back two
decades. Next we're going to see patents on cron, at, and history?
came from eBCVG,
which came from WebProNews, which supposedly came from ArticleCity.com (a link I cannot get to come up).
What's wrong with the article? How about:
- the $25 card probably won't work as the cheap ones don't "do" RFMON
- the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
- The SSID is not constantly transmitted and computers don't care about it. The SSID is periodically beaconed and wireless NIC cards use it to negotiate connections to specific networks.
- It's Kismet, not Cismet
- I don't get why the GPS receiver records only the coordinates of the strong signal.
- The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
- I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
- Don't broadcast your SSID? This one gets old. Previous guidelines recommended that you turn off SSID beaconing. It's been proven that this action only delays SSID detection for a few seconds as the SSID is included as part of Layer 2 management frames. The author seems to be aware of this but mucks up the explanation anyways.
- How did factory default passwords for routers get into this? Do I need to buy a router too?
- EAP is not encryption. EAP is an authentication protocol which uses encryption.
- WEP encryption is not bypassed, it is broken via AirSnort (i.e., the shared key is extracted).
- MAC spoofing does NOT take time. Manually spoofing a MAC address for an extremely bad typist only takes a few seconds.
- Password protecting MS file shares are pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?).
- Breaking WEP does not take days so the seconds to days/weeks-next-to-your-network comment is garbage.
The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:
- Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
- Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
- Use MAC address filtering. It causes the attacker to execute one more command than before.
- Turn off the d*mn access point when you're not using it.
That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next door neighbor's wide open network.
If you're willing to spend the extra money, you can also:
- use third-party layer 2 encryption
- use wireless intrusion detection
- periodically scan for rogue access points and clients
- or even better, put CAT-5 cabling in the walls
It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).
Friday, August 20, 2004
- Finding the Status of a Package
- Finding the Status of an Airline Flight
- Looking Up UPC Codes"
- Looking Up Vehicle ID Numbers (VINs)
- Searching for a Map of an Area Code
as part of the "Google Tricks" section. Thanks to #!/usr/bin/geek for the new pointers.
Thursday, August 19, 2004
article entitled "Detecting Worms and
Abnormal Activities with NetFlow".
You'll hear me harp about
this over and over if you follow this blog: if you're responsible for a
network, you need to know what "normal" "looks" like so that you can
recognize "abnormal". This is a good tool to have.
following may not
- MS Office
- MS Outlook
- and most of the IM's
a /. post pointing to Hydan, a
steganorgraphy tool which allows you to hide data within an executable.
This was bound to happen eventually, being yet another part of your
system with slack space.
Also, this is another one of those tools that
can be used for good (watermarks) or evil (hidden data). It may not
measure up to other steganography methods. If you have readily
available "good" copies of binaries to compare against a steg'd version,
simple MD5 checksums should be able to detect modified versions.
Wednesday, August 18, 2004
site similar to 757.org. What makes it notable is the InfoSec-related
- King Size Che
- lufg: Hacker Seminar SS
- Summerschool Applied
I've only included the English-based ones (I'm unable to read German)
and some of those haven't been updated recently (but are interesting to
read anyways). Also, some of the blogs are via the same person.
Tuesday, August 17, 2004
healthy sums. This one is not an exception. McAfee is buying Foundstone!
One thing to keep in mind though: one of McAfee's former names was Network Associates, the name to which acquisition was tied to as a secondary nature (my opinion). Gauntlet and certain forms of PGP disappeared through that process (also my opinion).
something like this. I
miss my Amiga 2000 which was modified beyond my ability to resell it
when it came time to let it go.
Tivo! How about just a minor API so
we can modify/add non-dangerous (legal) features?
Monday, August 16, 2004
working. The new in-vogue approach is local protection. I firmly
believe that this will not produce the fruit the proponents want. For
proof, go search Google for what the Witty worm did.
The problem with
defense-in-depth was that most were too lazy to fully embrace the
paradigm. Defense-in-depth was "embraced" only as far as perimeter
protection (firewalls) with some internal support (virus scanner). They
didn't bother with HIDS, local packet filters, tripwires, metrics
monitoring, and periodic scans. Some even used minimal configurations
on their perimeter firewalls.
InfoSec Writers has an article talking about the extra security that should be common sense but somehow isn't widespread. The short version is: you should be locking your perimeter filter down to the minimum required to operate.
An example is the web server in your DMZ. Your premis router should allow connections to TCP port 80 on your webserver and UDP port 53 on your external DNS. Your host filter (local firewall, IPFW, IPTables, etc.) should have the same configuration (of course, your webserver will also want to talk to the DNS server on UDP port 53).
You may want to add some sort of control channel, such as SSH (TCP port 22), but you want that type of traffic to come from one local (internal) IP address, not the Internet. Even better, move the control out-of-band: buy a console switch and use serial connections to all of your servers.
Sunday, August 15, 2004
NIST's draft version of their "Guidelines on PDA
These documents are important, but maybe not for
the reason that you think. The information is available elsewhere,
maybe even in a single document. What makes it important that NIST
publish it is that it becomes a federal standard.
The reason that this
is considered "good" is that it makes legal proceedings that much easier
(shorter) because you, as a forensic type talking to judge/jury/other
lawyers, don't have to prove the legitimacy of your investigative
process each and every time you're in court. The short phrase to
describe it: a protocol.
Saturday, August 14, 2004
Friday, August 13, 2004
Thursday, August 12, 2004
Fyodor seems puzzled that Microsoft considers NMap an attack tool. Fyodor! Think marketing vice programming! NMap, Nessus, TCPDump, Snort and Apache are probably all considered evil even though only some of them use raw sockets.
Given the interdependency of the libraries, I'm willing to bet the the interface hasn't totally disappeared. Rather it may have been moved, somehow obfuscated, or has obtained a wrapper or somesuch.
pointer to BattleTorrent which promises to be easy to set up for novice users.
I have little interest in MP3 trading as either I or my company paid money for them (think classes not songs) but I do have interest in those updates (Mandrake for one) which become available via BT before anything else. Also, I'd rather archive data (news and articles) rather than eating up storage space on 4 year old drives with MP3's I'll rarely listen to. Thus my novice P2P experience.
Anyways, I hope that there's an easy-to-use BT flavor available the next time I want the new *nix distro.
and security-thru-obscurity failing via Google: another lecture at Blackhat which shows that you can find possibly vulnerable VNC servers listings. Definitely falls into the "this is bad" or "shoot yourelf in the foot" categories. If you have anything to do with security, you should be visiting the major search engines, at least on a weekly basis, and scanning for "stuff" available via your company's domain.
Wednesday, August 11, 2004
bandwidth and harddrive space, the FTP server "Serv-U" is often used
(because of its small size and its portability). To make things worse,
there's a number of vulnerabilities in that binary, resulting in
exploits such as this which allows the secondary attacker to gain system privileges.
Tuesday, August 10, 2004
Call me old-school but I firmly believe that adding technology, especially that without a long-term performance history, does not increase security. The presentation uses a lot of rationalizations which stretch the truth a bit. "We" do not let in port 80, that's done by people, using ISA, who are too cheap to buy a second IP address. Some of the "new" suggestions are actually from the old "moat" model, such as moving your public servers outside of the internal network.
In any case, there's also quite a few other presentations archived there. You may want to download/keep copies of the ones you find interesting. The site practice is to only make files available until they're about 6 months of age.
Monday, August 9, 2004
SANS paper entitled "Intrusion Detection on a Large Network".
It's a good paper for building and installing Snort. However, it's a
bit lacking in the data correlation side of the house (something that
you have to have to effectively monitor/protect networks of any size).
Sunday, August 8, 2004
actively support "deep packet inspection" over "application proxies"?
What's the trade-off? A slight speed increase and using a "cool" new
technology vs. a slight loss of control and security (in the form of
record keeping). I'd like to see proof of that speed increase
sometime. Yes, layer 4 (OSI model) filtering is faster than layer 7
proxying but, once you start tacking on layer 7 inspection onto a layer
4 packet filter, does the extra processing requirements even the
Saturday, August 7, 2004
geeks. Now it seems to have faded into trying to keep up with the rest
of mainstream (esp. since most of mainstream has moved online and isn't
controlled by the few). Evidence the news
that you can hack bluetooth, something that was publicly known over a
Why's it suddenly news? Cause Adam and Martin figured out a
way to do it over long distances.
Next thing you know, they'll
discover that, with the right equipment, the guy in the van at the curb
can watch what you type into your computer.
Friday, August 6, 2004
SANS paper entitled "The Art of Web Filtering". I disagree with
the author only where he states that keyword filtering is poor, at
best. My view is that it really, REALLY stinks as a tool.
depending on the size of your customer base and what you're trying to
block, filtering may become an exercise in futility as you try to keep
up with your policy abusers. It's much more efficient to have an
enforceable policy and self-policing users.
Public prosecution of
offenders do wonders for policy enforcement, unfortunately they may not
be a legal technique at your organization.
back a T-Shirt. Of more value was NetSec's posting of the presentations
(Please be nice to the server, the webmaster is asking for mirrors for
Look at Rob's Aug. 5th posts over on NetSec for a bunch of news about
the shootout, The Schmoo Group's upcoming conference, Meet the Fed,
Robert Morris Sr.,
/. has a pointer
to yet another review of DC12.
Thursday, August 5, 2004
Again, I don't think
that tweaking a search engine to support a business/business model will
help in the "success" of that search engine (or the business).
Wednesday, August 4, 2004
plans to challenge
Google. I have reservations about them being able to compete with
Google. They're using two different business models.
your search engine affected by widespread referrer and comment spam is
one thing. Additionally adjusting your own database to limit competitor
listings is another.
Tuesday, August 3, 2004
p_Scam_101.txt">this except he missed one thing. Since he doesn't
allow comments, hopefully he'll see it here:
Barry, do a whois on the reverse lookup (IP address) for the web site! It's in the U.S.
one is for my own benefit. My secret cache of Logitech 3-button mice is
running seriously low. I bought a half-dozen of 'em when Logitech
decided to stop making them. I've been wearing them out at a rate of
one every 6-8 months and have been cannibalizing all of them for repair
Wheel-mice piss me off and I consider Microsoft/Mac/other
two-button mice as seriously crippled. I learned Unix over a decade
ago. Middle-button paste is an ingrained (sp?) reflex at this point.
Monday, August 2, 2004
Sunday, August 1, 2004
have to be very careful about the wording of laws like Mr. Hatch's
I disagree with the article where it talks about law
enforcement abusing its power. Law enforcement is not at fault here,
they were doing what a judge thought the law allowed. It all goes back
to how the law is written.
Unless it has very specific wording, it
will end up like the Bible: subject to interpretation. If you hear
someone screaming about a law being evil, don't just jump up on the
soapbox with him and start screaming too. Instead, read the proposed
act and make constructive comments. (Many politicians ask for
input/comments.) Also, remember that phrase like "doing it this way may
be better in the long run" works a heck of a lot better than "your law
is a piece of sh*t".
Please keep in mind that DNS poisoning is not necessarily a "bad thing"(tm). It is still the only truly scalable method of blocking objectionable web sites and mail servers. I've seen it used at sites with 50K users.