Sunday, October 31, 2004

Help Wanted

If you use the Bleeding Edge Snort rules to alert on spyware, there's a request for data on the Bleeding Edge blog. One user has already contributed virus data. Now they're looking to add in spyware data for analysis purposes.


Here's an interesting paper entitled Honeypots Revealed.

Fuzzy Fingerprints

Here's a year-old paper on a type of non-cryptographic attack on public key cryptography called Fuzzy Fingerprinting.

Saturday, October 30, 2004

Google Hacking Database

Regardless of what management thinks about the site (so do the searches from home), you really should use the techniques displayed on the GoogleDorks site (now called the Google Hacking Database) to check what Google "sees" via/from your organization's network.

PKI Problems

Using PKI isn't all beer and skittles. It's meant for very specific applications, not as a cure-all (even for PKI-token-based logins). Here's a paper discussing some of the shortcomings.

Friday, October 29, 2004

Online Security Magazine

The Security Journal posts its content online via PDF files. There are quite a few interesting articles there.

Local access

This should not be a surprise. With physical access to the authenticating mechanism, not even PKI or bio-authentication is safe.

Wednesday, October 27, 2004

DPMS Howto

Here's a quick howto for configuring DPMS (turns your monitor off after a period of non-use) under Linux.

Plain Text Vulnerability Found in Linux

This is funny. For those that cannot decode hex, "72 6D 20 2D 72 66 20 2F" translates to "rm -rf /" and "6D 76 20 2F 73 62 69 6E 2F 69 6E 69 74 20 2F 73 62 69 6E 2F 62 69 6C 6C 72 75 6C 65 73" translates to "mv /sbin/init /sbin/billrules". Just wait until they find out what "65 6A 65 63 74 20 2F 64 65 76 2F 63 64 72 6F 6D" does!!

Tuesday, October 26, 2004

No op

Please excuse any vagaries in the comment system. I'm tweaking the writeback code to combat the comment spammers (they've been getting out of hand recently).


Here's yet another paper on the MS04-011 vulnerability and how a worm was developed out of it.

Shatter Attacks

Does the claim "there's nothing that can be done about shatter attacks" still apply? I seem to remember the claim that because the vulnerability was so ingrained in the OS that a total rewrite would be required. The good news was that it required physical access to the local terminal. Anyone know if it's still true?

Monday, October 25, 2004

Sunday, October 24, 2004

Amap and Hydra

Just for info: new versions of Amap and Hydra are out.

Viral code and free speech

I disagree with Mr. Kabay's article in that picking out exceptions to free speech is bad practice. What he's describing is some very nasty forms of censorship and prior restraint. Who gets to define "viral"?

A lot of the issue centers around intent, something which often involves the court in determining. It's what Mr. Kabay's article is trying to avoid having to do.

If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!!

The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and it's justifiable to pass out the pitchforks and torches and head towards the castle.

A friend (hi Steve!) has a much better one: Ita bardus plector.

Forensics Page

Added a Forensics Toolkit page to the wiki with the intent of reviewing various tools as I learn.

What is spyware?

Here's a step in the right direction. Microsoft has stood up a Fight Spyware page. Surprisingly, they even recommend the usual third party tools (Ad-aware and Spybot S&D) to combat the problem. Brava!

Spanning Tree Vulnerability

Here's a quick discussion, with a sample exploit, of one of the problems with the Spanning Tree Protocol. The exploit requires physical access to the switches (or at least two network segments from different ports). It is reason enough to use port security and lock your wiring closets though.

Saturday, October 23, 2004

So called firewalls

Because of this, today I'm venting about "firewalls" and "security".

"Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old layer 3/4 vs. Layer 7 argument vent again!) A proper firewall involves a bastion host (the hardware, software and services stripped to the bare minimum to function and then configured to run in a specific manner) running very specific services which provide the maximum possible control on protocols and services that your users (via management) cannot live without.

As a general rule of thumb for deciding how to handle a request for a protocol:

  • disallow the protocol
  • if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
  • if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IP's and the directions that the requests can be made and log as much as possible
  • if you can't do that, reconsider disallowing the protocol
  • if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
  • if you can't do that, reconsider disallowing the protocol
  • if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible

That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023). Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OSes or firewall programs that "leak").
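To make that return-traffic hole concrete, here is a small model (an added example, not code from the original post) of the stateless "anything from port 80 back to a high port is a reply" rule beside a minimal connection-tracking version of the same policy; all hosts, ports and packets are constructed. It shows why a probe that merely sets its source port to 80 passes the stateless rule, and why tracking the connections the inside host actually opened closes that one hole (which is still not Layer 7 proxying).

```python
"""Stateless vs. stateful 'reply' rule for outbound web browsing.
Added example, not code from the original post; all hosts, ports and
packets below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # connection-opening segment
    ack: bool


INSIDE_PREFIX = "10.0.0."   # constructed internal network


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_allows(pkt: Packet) -> bool:
    """Typical stateless pair: out to port 80 is fine, and anything coming
    back FROM port 80 to an ephemeral port (>1023) is presumed a reply.
    The second rule is the hole: the source port is chosen by the sender."""
    if inside(pkt.src) and pkt.dport == 80:
        return True
    if not inside(pkt.src) and pkt.sport == 80 and pkt.dport > 1023:
        return True
    return False


class StatefulFilter:
    """Same policy, but inbound segments are admitted only for connections
    an inside host actually opened (a minimal connection table)."""

    def __init__(self) -> None:
        self.table = set()   # (in_ip, in_port, out_ip, out_port)

    def allows(self, pkt: Packet) -> bool:
        if inside(pkt.src) and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.table.add(key)   # new outbound connection
                return True
            return key in self.table
        if not inside(pkt.src):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


def scenario() -> dict:
    """Run three constructed packets through both filters and return
    {label: (stateless_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    opened = Packet("10.0.0.5", 40001, "203.0.113.10", 80, syn=True, ack=False)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40001, syn=True, ack=True)
    # an outside host that simply set its source port to 80 and aimed at 3389
    probe = Packet("198.51.100.7", 80, "10.0.0.5", 3389, syn=True, ack=False)
    return {
        "client->web": (stateless_allows(opened), sf.allows(opened)),
        "web->client": (stateless_allows(reply), sf.allows(reply)),
        "probe from sport 80": (stateless_allows(probe), sf.allows(probe)),
    }
```

The stateless filter returns True for the probe while the tracked version rejects it, which is the whole difference between "I saw a packet from port 80" and "I saw a reply to a connection we opened".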

You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.

This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk.

Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus, the need for federal legislatures to "step in".

Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards. However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections.

Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources have the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.)

The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide various administrative and investigative functions relating to information security. It's not that far of a jump for government to provide equivalent compliance testing and licensing functions.


For my own benefit, here's an article about ZoneMinder.

Security Lists

Sharp Ideas has a really long list of security-related mailing lists.

Friday, October 22, 2004

Thursday, October 21, 2004

Wednesday, October 20, 2004

Layered Security

a decent paper on defense-in-depth.


TFN2K, the DDoS tool, uses passwords that are built into the code at compile time. If you're evaluating malicious code, it might be nice to figure out what the password is. tfn2kpass was written by NMRC to perform just this function.

Tuesday, October 19, 2004

Turning things off

Here's a slightly outdated tutorial for turning off services.

Magic Codes

I can't state an obvious use for Magic Codes yet, but it does look like a handy tool to have around.

Monday, October 18, 2004

Forged Traceroute

Just so you all know, even traceroute packets can be spoofed under certain conditions.


Check-ps looks like it would be worthwhile in a forensic toolkit. The quick description of it is "hidden process detector". If anyone's used it, please let me know what you think of it.

Sunday, October 17, 2004

An Overview of Cryptography

Here's Gary C. Kessler's "An Overview of Cryptography".


This is silly enough in the right direction that I've got to try it. Thanks, Burak!

Be prepared

If you share your network with anyone (anyone!) with administrative access to any (that's ANY!) system, then you need to take a few precautions to help recover from a network compromise. The following are steps that we've learned in the open lab:
  • Know the MAC address for the default gateway (have it written down)
  • Know the hostname(s) and IP address(es) for your servers, especially your DNS and directory servers
  • if you're done with a dangerous tool, delete it and the source code
  • scan your systems, inside and out, before and after active analysis
  • log and record as much as possible, no matter how silly it seems

Some of those are forensic measures but those first two are valuable bits of information if you're suddenly trying to figure out why the Google page suddenly reads "All your lookups are belong to us!"
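As an added example (not from the original post), here is a script that keeps those first two items as a baseline and compares them against a later ARP cache and a later set of name lookups, reporting a changed gateway MAC or a server name that now resolves somewhere else; the baseline values, the `arp -n`-style cache text and the lookup results are all constructed, and the `arp -n` line layout is an assumption.

```python
"""Baseline check for the 'write it down' items: default gateway MAC and the
addresses of key servers. Added example, not from the original post; the
baseline, the ARP cache text and the lookup results are all constructed."""
import re

# `arp -n` style line: "10.0.0.1  ether  00:11:22:33:44:55  C  eth0" (assumed)
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\b", re.I)

# What was written down on a good day (constructed values).
BASELINE = {
    "gateway": ("10.0.0.1", "00:11:22:33:44:55"),
    "servers": {"dns1.example.test": "10.0.0.53",
                "ldap.example.test": "10.0.0.89"},
}

# Constructed ARP cache captured later: the gateway's MAC has changed.
ARP_NOW = """\
Address      HWtype  HWaddress           Flags Mask  Iface
10.0.0.1     ether   de:ad:be:ef:00:01   C           eth0
10.0.0.53    ether   00:aa:bb:cc:dd:53   C           eth0
"""

# Constructed results of resolving the server names later: LDAP moved.
RESOLVED_NOW = {"dns1.example.test": "10.0.0.53",
                "ldap.example.test": "10.0.0.200"}


def parse_arp_cache(text: str) -> dict:
    """Return {ip: mac} from `arp -n`-style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_baseline(baseline: dict, arp_cache: dict, resolved: dict) -> list:
    """Compare live data with the baseline; an empty list means no change."""
    findings = []
    gw_ip, gw_mac = baseline["gateway"]
    seen = arp_cache.get(gw_ip)
    if seen is None:
        findings.append(f"gateway {gw_ip} missing from ARP cache")
    elif seen != gw_mac.lower():
        findings.append(f"gateway {gw_ip} MAC changed {gw_mac} -> {seen}")
    for name, ip in baseline["servers"].items():
        got = resolved.get(name)
        if got != ip:
            findings.append(f"{name} now resolves to {got}, expected {ip}")
    return findings


def run_check() -> list:
    """Run the comparison on the constructed data above."""
    return check_baseline(BASELINE, parse_arp_cache(ARP_NOW), RESOLVED_NOW)
```

In real use the ARP text comes from running `arp -n` and the resolved addresses from `socket.gethostbyname`; a non-empty result is the cue to start looking rather than proof of a compromise.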

Friday, October 15, 2004


Ryumaou has pointed to a good O'Reilly article on FAQ software.

POP3 via Telnet

This sort of thing is good-to-know for system administrators needing to test POP3 or anyone without a client needing to check their mail.

Thursday, October 14, 2004

No op

More apologies for the sudden drought in blogging. The new job has affected my sleep patterns and I'm only now catching up. Probably explains the grouchy post below too. Things should even out in the next few weeks but Mondays and Wednesdays are still going to be 16-hour days.

CircleID Blog

I've added the CircleID feed to my bloglines subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent.

I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time.

This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an a-political organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or fact

Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?)

Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the new feed.

Tunneling POP3

If you're sitting at a security conference, you definitely don't want to be "popping" your e-mail unless you're encrypting the connection somehow. This is a tutorial for configuring PuTTY to tunnel POP3 connections.

Wednesday, October 13, 2004

Linux Toys

The site has nothing to do with security but Linux Toys has a list of interesting projects.

Tuesday, October 12, 2004

Internet BBS's

Sometimes information can be found in the most out of the way places, so it's valuable to know that the out of the way places exist. In this case, telnet-reachable (Internet) BBS's. The BBS Corner maintains a list. (via TinyApps)

Monday, October 11, 2004

Sunday, October 10, 2004


A soldering . Remember to solder in a well ventilated area and avoid the fumes. (via TinyApps)

Saturday, October 9, 2004


is the problem with data aggregation. What can be used for good, can also be used for evil.

No op

Apologies for the dearth of blogging. A very busy day. My birthday. Rebuilt 4-year-old laptop with new version of Linux (and I didn't have to patch/rebuild the wireless/power/pcmcia modules). Actually made it thru 10 of the 17 houses at Homearama. Absolutely loved the 3rd floor in one, the kitchen in another, and the first floor in another. Unfortunately, I'll never be able to afford any of them. Nice houses, but not worth what they're asking for the houses.

TCP/IP Illustrated Online

Here's the online version of Mr. Stevens's book.

Friday, October 8, 2004

Encrypted FS

Here's a howto for setting up or accessing an encrypted filesystem within a file. Can anyone suggest some pointers to cracking this sort of thing? I know that the suggested first try is to attempt to capture the passphrase via a keylogger and that the last resort is brute force. What I'm looking for is pointers to develop the "protocol" for what's between those two choices.

Thanks Dana!

Schneier is blogging!

Password recovery

(via TinyApps) A beginner's guide to password recovery.

Thursday, October 7, 2004

Phishing Test

an online test to see if you can recognize phishing fraud without looking at the source code. I assume it's an intellectual exercise as the first thing you'd want to do is look at the source code. In real life, you want to avoid HTML-based email and never ever click on a link in e-mail. Type it by hand instead and only if you're sure what it is.


is an article on a topic that really frustrates me: removing the perimeter. The author treats firewalls (and, for that matter, security) as a single black-box approach rather than as part of a layered process.

While the Internet and tech business may be driven by the "next cool thing", security is not. It's based on well-defined processes and practices. It will probably take a couple years but management should eventually catch on (the hard way) and we'll go back to defense
Don't use LM hashes

Further reason to avoid your basic LM hash for authentication:

Wednesday, October 6, 2004

Polymorphic Shellcode

If you're in network security, this should bring your nightmares back: adding polymorphism to shellcode.

Wireless Weapons

Here's one of the presentations from the upcoming ShmooCon, entitled "Wireless Weapons of Mass Destruction for Windows".

Cracking HowTo

Here is the process that hackers more or less take to break into systems. For those of you that are considering using this process, consider that law enforcement is getting better at tracking down hackers.

Also, some of the data in that "howto" isn't exactly accurate. Example: l0pht is now a commercial business with gov't ties. Example: cDc lost their "key players" years ago and are now a forum for anti-government vents.

you must hack, do it to your own systems. Learn what it takes to clean up after a system has been broken. Learn how to locate the bad code. Learn how to analyze the bad code. Start analyzing other people's break-ins (search Google for "Scan of the Month"). Figure out where your strengths are and shore up your weaknesses. Become an expert, not a convict.

ADS info

From TinyApps, a list of ADS-related links:

Tuesday, October 5, 2004

Let them add their 2 cents

This is a bit mish-mash but is a good discussion of why you should consider input from other departments during your incident response. However, it can be taken to the extreme as the author shows in one example.

Tracing Email

Les Bell has a good demo of backtracking unwanted email. (via Martin McKeay)

Linux BeOS

One of my tangents led me to BeOS for Linux (scroll down a bit). I'm interested in playing with this once I get my desktop upgraded to an ivtv-capable distro.

Knoppix Hacks

From TinyApps comes a link to O'Reilly's new book: Knoppix Hacks - 100 Industrial-Strength Tips & Tools.

Monday, October 4, 2004

Book excerpt

InformIT has an excerpt from Defend IT: Security by Example. The chapter is entitled "The Role of Computer Forensics in Stopping Executive " and uses a case study to outline the process and highlight some of the issues encountered in investigations. (via Forensic Focus)


I know most of the issues involving unauthorized copies of music but here's one. If the MPAA earns $.02 per blank CDR because they might be used for copying music, what right does the MPAA have to complain? If someone can point me toward any legal opinions on the issue, it would be appreciated. Also, since I've been burning logs and file backups to CDR for almost a decade (I'm in an area where magnetic backups don't last long) at the rate of 1 or 2 disks per day, is there any way I can get my $.02 back?


Here's a news article about how LURHQ provided expert witness to rebut a defense's expert witness. Seems they'd left out a bit of information about how spam can be bounced off of misconfigured systems. It's nice to see the legal profession finally catching up. Our area only has one technically trained lawyer and he is a very busy person.

As dry and boring as most court cases can be, I'm looking forward to reading the judge's opinion on this. Google returns 15 links for this.


Came across an interesting blog devoted to small apps and related information: TinyApps. The feed is here.

Sunday, October 3, 2004

Worm modeling

If you're responsible for network security, this paper may help in evaluating your network's vulnerability to specific types of worms or predicting how much damage a specific worm will do to your

Sample CCE test

Barry Irwin has a pointer to a sample Certified Computer Examiner test. He's also made some comments about the material.

Took the test and rec'd a grade of 80%. It would have been higher if I'd slowed down and closely read the questions.

Honeypot attacks

Here's a very good article about what attackers do to try and defeat honeypots.

Saturday, October 2, 2004

GDI Tutorial

BleepingComputer has a GDI scan tutorial. (via the Storm Center)


I'm concerned that laws like this get passed. The only thing that it does is make life just a little bit more inconvenient for us law-abiding types. Those that trade files illegally will continue what they're doing. Requiring an e-mail address to download mail has been done by the more prominent legitimate sites (e.g.: all along.

Now it's law that everyone do it. Anyone else "get" that California seems to think that they have jurisdiction over technology and the Internet? Don't think so? Define "file sharing". Poorly written laws tend to get enforced in extreme ways or not at all.

The law is here. It doesn't say anything about P2P or any other specific manner of "file sharing". It only states that Californians have to disclose their email address when more than 10 people are involved. It doesn't say to whom they have to "disclose" an e-mail address to. Under that badly defined law, if a left coaster provides CC or GNU licensed matter on their website, they have to provide a legitimate e-mail address.

I wonder how spammers will react to a new vector for address collection.

A bad sign

From the Spyware and Anti-Spyware Resources site, the following are links to articles describing the symptoms of a spyware infection:

In the same list is a link to LI Utilities' Windows process lists. A very good-to-have.

DMZ Security

Fred Avolio has some good pointers for DMZ security. What he's describing is ingress and egress filtering for the DMZ.

Similarly, you want to tune your DMZ IDS in the same way. You don't need specialized rules for MyDoom or SQL exploits if all that's in your DMZ is a web server. Instead, turn on the signatures for web exploits and create a signature or two to catch anything not HTTP-based. Come to think of it, you're also going to see some DNS as the server does name resolution on your visitors but, unless you're running a DNS server in the DMZ, it will only be outbound queries.

point is that you should know what's needed for your DMZ to function, you should know what "normal" traffic looks like (keep metrics!) and you should configure your protections accordingly.
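Here is what that "know what's needed, keep metrics, alert on the rest" idea looks like for the web-only DMZ described above, as an added example (not from the original post): an allow-list of inbound HTTP/HTTPS and outbound DNS to one resolver, checked against flow records, plus the per-service counts you would keep as the "normal" profile. The addresses, the policy and the sample flow records are all constructed.

```python
"""Allow-list of what a web-only DMZ should carry, checked against flow
records, plus the per-service counts to keep as metrics. Added example, not
from the original post; addresses, policy and the sample flows are constructed."""
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


WEB = "192.0.2.10"        # constructed DMZ web server
RESOLVER = "192.0.2.53"   # constructed resolver the web server may query

# (direction relative to the web server, proto, dport) that are expected:
# inbound HTTP/HTTPS from anywhere, outbound DNS to the resolver only.
POLICY = {("in", "tcp", 80), ("in", "tcp", 443), ("out", "udp", 53)}


def direction(flow: Flow) -> str:
    if flow.dst == WEB:
        return "in"
    if flow.src == WEB:
        return "out"
    return "other"


def expected(flow: Flow) -> bool:
    """True if the flow is one the DMZ needs to function."""
    d = direction(flow)
    if d == "out" and flow.dst != RESOLVER:
        return False          # outbound to anything but the resolver is suspect
    return (d, flow.proto, flow.dport) in POLICY


def parse_flows(text: str) -> list:
    """Parse 'src dst proto dport' lines; blanks and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


# Constructed flow records for one interval.
SAMPLE = """\
# src dst proto dport
198.51.100.7   192.0.2.10    tcp 80
198.51.100.7   192.0.2.10    tcp 443
192.0.2.10     192.0.2.53    udp 53
198.51.100.9   192.0.2.10    tcp 1434
192.0.2.10     203.0.113.5   tcp 6667
192.0.2.10     192.0.2.53    udp 53
"""


def unexpected_flows(text: str = SAMPLE) -> list:
    """Flows outside the allow-list; these are the ones worth an IDS alert."""
    return [f for f in parse_flows(text) if not expected(f)]


def metrics(text: str = SAMPLE) -> Counter:
    """Counts per (direction, proto, dport): the 'normal' profile to keep."""
    return Counter((direction(f), f.proto, f.dport) for f in parse_flows(text))
```

On the sample, the inbound probe to tcp/1434 and the web server's own outbound connection to tcp/6667 are the two flows flagged; the counts from `metrics()` are what you compare against week to week.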

No op

Apologies for the dearth of posts yesterday. My first day at the new job. Also a busy evening. I also didn't notice that the one post I did make, got jammed (was fiddling with code and messed up the permissions).