Microsoft Wireless

Here's another good source of basic info on wirless: Microsoft's How 802.11 Wireless Works. Please ignore the part that talks about Zero Conf because, as with any auto-config technology, it has some safety issues.

Shoot self?

The Full Disclosure Mailing List is discussing Richard Smith's suggestion on how to draw the attention of the NSA. A few thoughts:

• Now why would you want to do that?
• I seem to remember that your IP is commonly included in the headers of traffic originating from the large webmail services.
• Why become a "person of interest" just so's you can be funny for two seconds?

It's not that funny of a joke.

Wireless Detection and Tracking

Interlink Networks has a paper on "Wireless Detection and Tracking" that talks about some of the low level stuff, including packet analysis and what amounts to "heat maps". Some of it is a bit dated (WPA, WEP) but it's interesting nonetheless.

Comments offline

Please note that the comment-related functions are offline while the system is tweaked. Be nice, those that are working on the system are not being paid to do it.

More free books

Bruce Perens is working with Prentice Hall to produce a series of books by various authors called the Open Source Series. A nifty additional feature is that the book becomes available online, for free, a few months after it hits the shelves.

Wiki hackers

While Sean has been tweaking the server, I've been digging around in the odd corners of the site. It seems that, in the 2 or so years the wiki has been up, roughly 96 accounts have been added to the wiki in an attempt to spam/hack it. The wiki adds the account, logs the time and IP and promptly refuses any attempt to change it. (heh)

Digium

Okay, I'm having too much fun. Worked last night and this morning to get the Digium TDM400P card and the Asterisk software installed and running. In the process, I also figured out where my problem was in installing the IVTV software. (It had to do with the build version in the Makefile for the kernel.)

So far, I think I've burned up all the spouse points that I earned earlier in the year. I've added a cheap 900MHz handset to act as the console phone and have driven my wife nuts with the phone (and the laptop) ringing. More stuff to add to The List of Unfinished Projects:

• figure out how to stream live audio to the phone
• "adapt" the NSLU2 (saving up for a USB2 HD)
• learn more about the ivtv modules and MythTV
• get ready for next semester's classes
• get ready for ShmooCon (19 shopping days left!!)

Add that to the stuff already on the list and I'll be busy for at least 6 months.

Craaack!

Stand still and watch. You'll see the leading edge of the crack pass by you very quickly.

What am I referring to? How about the fracturing of the Internet?

InfoWorld has an article about a Dutch company (UnifiedRoot) standing up their own dns infrastructure, with the intent to run it in parallel to the ICANN managed namespace.

Call me a sadistic pessimist but this topic is going to be "interesting" (Chinese curse version) to watch and has a high entertainment potential. This sort of thing has been tried before and has taken some intriguing turns. (Hint: the proposed managers of the .XXX domain are the same people that used to sell you the domain under ALTERNIC, for less money.)

You'll need popcorn and some soda for this one folks! (I predict a lot of nasty politics, both external and internal.)

Update: Still think I'm kidding? How about this: the site recommends that DNS owners replace their hints file with one from UR. A quick look at the file reveals none of the normal DNS root servers are included. Yep, that's right, rather than the cooperation the web site touts, they want you to trust them implicitly. This should get interesting quickly.

Beeeeeeeeeeeeep...

Please standby. The powers-that-be (again, mostly Sean) are working to get the system back up and running. Some of the custom code (mine) has to wait on final system tweaks before I attack it.

No entry

The site will be offline today. I'll backfill this day's post(s) later.

dnstop

While we're on the subject of DNS tools, dnstop may be a useful tool if you manage a network. It's a bit simple but will keep track of which host is doing how many DNS lookups. For home networks, it's a bit useless as it needs to listen to a gateway feed. You may find it interesting in any case.

dnstracer

dnstracer is an interesting tool. It traces information from DNS back to its source. It does this by using non-recursive queries. In other words, if you tell it to trace "shmoocon.org", it'll return the following interesting data:

Tracing to shmoocon.org[a] via 68.10.16.25, maximum of 3 retries
68.10.16.25 (68.10.16.25)
 |\___ TLD3.ULTRADNS.org [org] (199.7.66.1)
 |     |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) Got authoritative answer
 |      \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) Got authoritative answer
 |\___ TLD2.ULTRADNS.NET [org] (204.74.113.1)
 |     |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
 |\___ TLD1.ULTRADNS.NET [org] (204.74.112.1)
 |     |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
 |\___ TLD1.ULTRADNS.NET [org] (2001:0502:d399:0000:0000:0000:0000:0001) send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
*
 |\___ TLD6.ULTRADNS.CO.UK [org] (198.133.199.11)
 |     |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
 |\___ TLD5.ULTRADNS.INFO [org] (192.100.59.11)
 |     |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
 |      \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
  \___ TLD4.ULTRADNS.org [org] (199.7.67.1)
       |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
        \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)

While it shows that there may be a problem with TLD1 (this is likely to be a problem with the tool's ability to handle IPv6 data rather than the server), you can see that the tool queries all of the DNS servers that are known to have the data. (68.10.16.25 is the IP of a DNS server local to me). This tool also has the ability to detect lame DNS servers (those that are supposed to know the answer but don't)(think misconfigured or damaged secondaries).

If anyone is really proficient with this tool, please contact me. I'd like to know if it is useful in detecting record poisoning.

Help wanted

If PJ (at Groklaw) ever gets around to writing a book on the SCO v. The World cases and I fail to notice it, will y'all let me know? If she can sort out the mess, I'd enjoy reading about it. In any case, more hand-waving and finger-waggling is slated for 22 Dec. Anyone know if I how much it is to buy just one stock (currently at $4.01) and have it framed?

Dasher

The Worm Blog has some initial comments on the Dasher worm. There's also some comment about Dasher.C.

Offensive Computing

Offensive Computing may be a site to keep an eye on. Their stated purpose is to improve computer/network security via analysis of malware.

Heads up

"The powers that be" (Sean mostly) have stated that the server swap will occur this week. While the wiki shouldn't be affected as I already maintain it on the new server, there may be some glitches in the rest of the site. Please excuse any vagaries.

Spam Hunt

Just spent the last hour removing spam from the queue for the blog. I feel another spam hunt coming on. Every single one of the incest and beastiality ads pointed at web servers in the continental U.S.

Geek Style

I've just altered my Bloglines subscriptions to remove the Geek Style feed. Visiting that site causes pop advertisements (even in a Linux-based Firefox install). I don't know about anyone else but I feel that I read are either geek-related or personal. With Geek Style, it's the usual low-grade crap in the pop-ups. Example: The usual "Your system is infected with spyware. Click here to scan for it." message. (Hint: I'm not running Windows on this laptop.)

Babak, if you read this, I think the ads are getting into your blog via your webstats4u logo/link. Read this post at JNode and the following excerpts from the WebStats4U Terms of Service:

• WMS entitles users to access to a variety of on-line and interactive on-line services (the "Products and Services"). Some of the Products and Services are supported by advertising, enabling WMS to provide them to you at no cost. When you use these free services, you agree to allow WMS to display advertising, including third party advertising, through the Products and Services.
• With the installation of WebStats4U on the site it is accepted that WMS has the right to place advertisements on the site in any format or through any channel, including but not limited to e-mail, layer ads, pops, banners and other usual formats without any forewarning and it is furthermore accepted that WMS takes no responsibility for the advertising content and that WMS shall not be liable for any losses incurred regarding this advertising.

I find anything more obtrusive than Google Ads to be offensive. Google Ads are passive and easily ignored. I'll probably resubscribe at a future date but only after the WebStats4U thingy goes away.

Offline

My apologies. I've been offline for a few days while on a short-notice trip out of town. I've back-filled the last few days.

On a tech-related note, I "helped" pick out a couple of my Christmas presents for this year: the Asterisk Developer's Kit (with TDM400P) and a Linksys NSLU2.

You think that it will keep me busy for a few days? To say nothing about the TDM400P.

Alien viruses

Is there any way we can strip a Doctorate from someone absolutely clueless?

Dr. Carrigan believes that the Internet is wide open to infection from alien (as in off-world) computer viruses. I have problems with a number of his anthropomorphised assumptions:

• Where'd they get the 8086-series chips? Dr. Carrigan seems to assume that silicon and the various doping elements are as plentiful there as they are here.
• Are they running Microsoft Windows? If so, how are they getting their updates? I assume they'd be easy to track on Patch Tuesday. Also, I believe Bill would like a word with them about licensing. Actually, taking into account the speed of light, it means that Windows was in use decades (if not centuries or millenia) before it's availability here on Earth. We may need to talk to Bill about his patents and licensing practices.
• Infection by off-planet source would happen in one of two ways: either intentionally or accidentally. If intentional, it means they know we're here and network infection is likely to be the least of our problems. (Somebody call Tom Cruise!!) If unintentional, we need to prompt the anti-virus industry that they need to start including sub-routines to counteract alien worms and viruses.
• If there is a risk of infection from exterrestial sources, what risk do we pose to the galactic community with the problems that we have in our networks? Could that be why no one has contacted us yet? (All claims by the UFO community aside.)

In any case, I hereby nominate Dr. Carrigan to be the recipient of a Reynolds Wrap hat. Shiny side out, dude!

Update: the above is a bit dated and lived in my slush pile for a bit but is still amusing.

TMBG

This will a hint to tell how old I am (at a minimum): I'm excited about discovering the TMBG podcast feed.

To those that are Britney's age or younger (or those who've never heard of Login Whitehurst), TMBG is short for "They Might Be Giants". Where else can you hear a band sing in the style of Yes, Rocky Horror, the Beatles, and Leon Redbone?

Then again, trying getting through the day with Birdhouse in Your Soul and Happy Noodle doing battle in your head.

MyMP3 and Beam-It

Here is an analysis of MP3.com's Beam-It protocol which is used to verify that a user actually owns the CD they want to stream.

Something I never really understood: why employ a lower quality stream when you already have the CD?

Ouch

Took a power hit this weekend. Lost a stereo and my home network has been acting funny every since. I thought that I'd lost the router that acts as my IPv4/IPv6 gateway because it'd only work for a few minutes at a time.

Turns out that I was wrong. I'd forgotten about the print server I had picked up a few months ago (my wife is the only one that uses it). I'm not sure if it's permanently damaged yet but the network came back when I unplugged it.

In any case, I'm relieved and my wife is pissed. (Keep in mind there's only one print server and two spare AP's.)

I'm in trouble!

Wireless calculators

Tuanis Technology has various online calculators for use with wireless technologies.

FBI

Not that it's new but I received one from a friendly Mytob worm that I hadn't seen yet. It was from veeby@fbi.gov and said "Here are your bank documents." So, if you're IP is 202.177.156.97 (India), please take a look at your system. It's infected.

Help wanted

I'm searching for stuff to listen to for an upcoming trip to DC. If anyone has any sources for non-music content, please forward 'em.

Hint: stuff from recent cons and the usual podcasts, I already have.

Automated fingerprinting

CCIED has a paper entitled "Automated
Worm Fingerprinting" that attempts to deal with 0day worms.

802.16e

It's old news (2 days) now but 802.16e has been ratified. It's important to wireless because it provides extensions to 802.16 that improves mobility (hand-offs between cells) and streaming media. Between this, podcasting and BPL (at least the noise generated by it), we may see some damage to the AM radio business.

NO OP

No post today, I'm taking the evening off to attend "finals", also known as the class party at the Biergarden in Portsmouth. They have a highly addictive form of potato soup that has beef chunks and spaetzle in it and I'm planning on at least two bowls.

Directory Server

For my own reference (for messing with 802.1x): Fedora Directory Server.

WVE

Wandered across the Wireless Vulnerabilities & Exploits site this morning. Looks like it'll be valuable in the long run.

IWS

I'm a bit nervous when the term Information Warfare is used in relation to a website as the Information Warfare Mailing List suffers from bouts of tangential politics but the IWS appears to be a good site to read. It has a lot of good documents for communications security and InfoSec basics.

Root servers

It's a bit trivial but it's knowing more about your root servers is a good-to-know.

Basics: Netcat

Linux.com has a "CLI Series" piece on netcat. This is yet another good-to-know tool in the netadmin/sysadmin/power user toolkit, especially for the beginner.

This plane is going to Cleveland?

Can RSS hijacking really be that much of a threat? If it is, I'll modify previous statements about RSS being a viable vector for malicious code. It still wouldn't be a good vector for the spread of malicious code but it might be a usuable vector for the introduction of malicious code.

X-Lite Softphone

My entire exercise in getting CounterPath's (XTEN) X-Lite softphone to run under Wine (as logged in the wiki) has been rendered a moot point. I've discovered that they also have versions for Mac and Linux via their download site.

Note: this isn't a new development. Chalk it up to my not noticing.

Worm speed

Here's yet another WORM04 paper: The Top
Speed of Flash Worms.

More typing

I've re-org'd the Asterisk page and have added a bit of work to the "sip.conf" setting descriptions. Think of it as yet another of my (ongoing) unfinished projects.

Hopefully it'll help someone. Let me know if it does?

O3

Here's a new mag: 03.

Needs a dash of clue

While we're on the clueless security rant, here's one that I heard on the radio tonight. A syndicated personality, known as "Troubleshooter Tom Martino", has a consumer-centered talk show. As I was driving back from the grocery store this evening, Mr. Martino was ranting that iPods are susceptible to viruses via podcasting and stating that "we need anti-virus software for our iPods".

Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:

• iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
• Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
• RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.

In short, there are too many things missing from the environment that would support malicious code. "In ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows.

Excommunicated?

I fear that I may have angered some fellow CISSP's. If I haven't said it before, I like to argue. I'm even willing to take positions that I don't necessarily believe in. However, this isn't one of those cases.

In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions.

I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI.

I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals", makes it that much more of a problem. My argument follows...

Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost".

You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?").

The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:

• The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hypen between the first two words)
• The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses it's integrity.
• "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a law suit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due dilligence.

The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing it's security "value" entirely and becoming a rationalization for a business action that might not improve security at all.

In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall.

Thoughts?

1st Responder Std.

What comes out of the "First Responder Standard" should be interesting to watch. Various groups have attempted this. The main stumbling block is the lack of a common infrastructure (e.g., radio frequencies, communications protocols, etc.).

VoIP

I highly recommend O'Reilly's book, "Switching to VoIP" by Ted Wallingford. If you're messing around with Asterisk, it's a good book to have. While there's not a whole lot on setting up Asterisk, it is a good reference for theory and troubleshooting.

Happy B-Day!

Happy Birthday to son Jonathan! Happy Bird-Day to everyone!

I finally get it!

Microsoft's Office 12 product looks like it's going to be a pretty slick product. After a "first look", I like it.

However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors.

The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*]

Just call me "slow" this month.

Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.

Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds.

Free Lab

Here's a site to keep an eye on if you're learning about Cisco equipment: Firewall.cx's Free Cisco Lab.

Sleuth Kit Informer

It happened almost a week ago but... Brian Carrier has posted a new
issue of "<a href="http://www.sleuthkit.org/informer/sleuthkit-
informer-21.html">The Sleuth Kit Informer", a newsletter he writes in
conjunction with the Sleuth Kit. This issue talks about the new license
for the Sleuth Kit and about changes to the ils tool.

Getting good from evil

I hereby nominate the five authors of Opportunistic
Measurement: Extracting Insight from Spurious Traffic for
whatever award you'd give for using-evil-for-good ideas. The paper
discusses the shortcomings in current network visibility techniques and
suggests extracting data from the noise generated by infections, spam,
and denial of service attacks.

Synthetic Diversity

Monoculture is a recognized problem when discussing malicious code.
It's what amplifies the effects of malicious code to the point where it
can have devastating effects.

Here is another
paper from last year's WORM, this one describing a method called
synthetic diversity as a method for combating malicious code.

It's an
interesting read but I disagree with most of it for a number of
reasons:

• Synthetic diversity within a program can only go so far.
  While the techniques may reduce the number of attack points within a
  program, it won't remove them entirely. Add millions of users to that
  situation and diversity within a program that does the same function,
  time after time, becomes a bit shallow.
• As always, adding
  complexity isn't a good response to lessen vulnerabilities. The KISS
  principle is better.
• Diversity can only be provided via a small
  number of methods. It wouldn't take long for the "bad guys" to adapt.
  Even if more methods were developed, it would lead to an already
  familiar type of arms race.

Anyone care to argue for or
against?

Mass mailers

Here's a short paper from last year's WORM conference: A Study of
Mass-mailing Worms.

It's over

I hereby declare the novelty of podcasting as officially dead and that the technology is now mainstream. While searching for additional content to listen to during this week's commutes, I noticed that the "ususal suspects" also have their own podcasts. The "usual suspects" include the panorama of pseudo-science, fake grass-roots sock puppet, conspiracy theorist, and hate types.

The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page).

NOC Notes

Here is a collection of
notes that relate to network operations.

AWK

AWK is one of those "things" that you very quickly (you wouldn't believe
how quickly) forget if you don't use it continuously. It's also a very
powerful tool to have. Here is a tutorial for
it.

It ain't getting any better

I've loved Zyxel modems for many years. However, they've lost points
with me for thinking that undocumented

or hidden equates to secure. What's that old line about repeating
history? [*sigh*]

GraphViz

O'Reilly has a quick
tutorial for GraphViz. This is valuable if you draw a lot of flow
charts or relationship drawings.

DNS poisoning

It's a bit dated but SANS has a good piece on
DNS poisoning. It describes some of the issues and lists a few
mitigations.

Watch your head

Too much time on your hands? Why not entertain yourself by watching the headers of the sites that you visit and see what sort of extra kruft is included?

Dangerous Jokes

Everyone should steer clear of the "<a href="http://www.groklaw.net/article.php?
story=20051112154004597">Nothing joke". The joke has been stretched
so far that when it does fail, Nothing will be funny.

Nothing is
sacred. According to the theory of relativity: Nothing travels faster
than light, Nothing existed before the Big Bang and Nothing can have
negative mass. In the real world, Nothing is perfectly symmetrical and,
for most of the time, Nothing changes.

When you're sick: Nothing
tastes good, Nothing is interesting and Nothing really matters. Then
again, Nothing is better than sleep to help you get better.

A lot of
parents end up sending their kids to college to learn Nothing. Many of
those students think that Nothing is harder to learn than Calculus. If
those students learn Nothing, their parents tell them that they're good
for Nothing.

That's about it for the puns. (I'm hiding Nothing.)
Please contribute Nothing to further the joke.

SCO: you started this!

Priorities!

Hmm... I may be in trouble here: It's roughly six weeks until Christmas
and roughly nine weeks until ShmooCon. I have more shopping done for
the latter than for the former.

(If you're married, ignore the rest
of this. You already know the futility of the thought(s).) How can
it be my fault though? She still hasn't filled out her wish list!

Cables and stuff

Some of it is vendor-centered but this site has a lot of
good hardware info.

Blogroll

I've disabled the blogroll provided by Blogrolling.com as issues with
their server(s) were preventing this page from loading. If things don't
clear up soon, I'll probably move to a static list.

Skype

OpenRCE has a pointer to a quick
binary analysis of Skype. Short but very interesting.

FUD

Let's see if I can re-explain it (without shouting) for those that still
think that I'm anti-MS: it's the marketing aspect that I like to poke
fun at, not the tech.

Example: the ongoing OpenDocument bickering.
The marketing department would like you to think that Massachusetts is
going to require Linux and OpenOffice. I doubt anyone who reads this
blog is confused but just in case, THEY'RE NOT THE SAME!!
(sorry)

OpenDocument is a document format, not a program. MS Office
could save files in OpenDocument format with no more difficulty than
saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in.

So what's the controversy? Why the
smoke and mirrors from Redmund? How about the "free
flow of data in and out"? With the OpenDocument format, MS no
longer owns any part of your documents, rather than the current
proprietary format where they own the font, the metadata format, and the file storage format.

MS's risk in adopting the OpenDocument format?
Loss of user "lock in" (many companies initially adopt MS Office because
it's considered the "industry standard"), loss of font "lock in" (many
fonts are proprietary to MS Office), loss of feature "lock in" (a common
format is just that: common, and people will come to prefer
interoperability over proprietary features)(will anyone miss fighting
Words auto-formatter?).

I've had to explain this issue multiple times
this week. Hopefully those in the State Government can recognize the
difference. Unfortunately, it's entirely possible that one or more of
those people can be hired to influence the rest.

Update: Here's yet another view and reason for "the stink".

BT Analysis

Here's an in-depth
analysis of BitTorrent.

Google searches

Not a whole lot of time to post this week.

Was playing with the logs
offline. Odd thing: out of the 800 or so Google referrals in the last
month, over half of them were queries about dsniff.

Okay, what are
y'all up to?

Have you voted today?

If not, stop reading this and get out there. I don't know about the
other 49 states but Virginia has lived through a very nasty election
campaign for Governor. Nothing but negative ads during prime time. I
swear, if the independent had bought one commercial last night and did one
"clean" commercial, he'd probably be Governor Elect tomorrow.

Exchange Msg IDs

I'm looking for a technical reference that explains just how the message
ID for an e-mail passing through an Exchange box is created. Is it
entirely random or is at least part of it "readable" in a manner similar
to those generated by Sendmail?

Einstein quotes

Jim's Pond has a set of
Einstein quotes that I'm enamoured of:

• Any intelligent fool
  can make things bigger and more complex... It takes a touch of genius -
  and a lot of courage to move in the opposite
  direction.
• Anyone who has never made a mistake has never
  tried anything new.
• Problems cannot be solved by the same
  level of thinking that created them.

Cox

This is getting really, really old. All along, I've had to put up with stupid-big levels of arp storms. For the last 2 months, I've had to live with periodic outages (6-7 times per day). I'm not the only one. Three other Cox users at the local user group meeting are also noticing it. And it must be wider spread than I thought as Leo Laporte is having to answer questions about it.

Hey Cox! WTF?

Tracking MS systems

Because Arthur asked, I'm adding my scripts for tracking Windows systems
to the wiki. The scripts are short and sweet, describing them is a bit
involved. Keep tabs on my work here.

VoIP Threat Taxonomy

Cool. The VoIP Threat Taxonomy document is on the streets.

I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue"

(heh)

Jeez!

[*sigh*] How many times must we see this happen? Sony should be ashamed of themselves. Sorry, it's probably already blogged to death, but I couldn't resist. Is there any sort of EULA embedded in the packaging or can we sue Sony for doing what two people were sent to jail for last month?

More cookies

InfoSec Writers has part
two on their article about cookies. (Part 1 was blogged last Saturday.)

Find Rogue Shares

Iron Geek has an article about finding rogue shares within your network. The idea is aimed more at the corporate network rather than the home network. IG used Windows-based tools but you can gain similar capabilities with *nix-based tools. With a bit of Perl, you can tie MySQL to nbtscan, nmblookup, and smbclient to get (and maintain) a pretty good picture of your network. With a bit more Perl coding, you can watch for unauthorized systems being plugged into your network and, depending on the OS employed, you can even grab MAC addresses remotely (yes, from outside of the local network segment).

I still have some of the scripts laying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above, most of 'em aren't pretty.

Cron

Note to self: add "Am I Being Run by Cron?" to Wiki.

HackerPort

HackerPort is a project intended to design a USB I/O interface. Something to keep an eye on.

Cookie Info

InfoSec Writers has a piece on cookies.

HRSUG

David Bianco, a friend and former SANS mentor of mine has announce the formation of the Hampton Roads Snort Users Group. The first meeting is slated for 7 p.m., Dec. 1^st at the Williamsburg Regional Library, 515 Scotland Street, in Williamsburg, VA. The speaker will be Jason Brvenik from Sourcefire.
Please read the announcement (link is above) for more info.

Free OS's

Tripped across this listing of free operating systems while checking up on BeOS. Count how many you've heard of. I've heard of 16 of them and used 6.

Stand by to shoot yourself in the foot

The Register has an article which describes Microsoft's plan dump SSLv2 for TLSv1 in IE7. While they're intentions are good, it's the following that piques my funny bone:

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digitial certificates.

Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.

My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)

X-Lite and Wine

Just spent a half-hour or so playing around with the X-Lite soft phone, getting it to run under Wine. The good news is that it works. The bad news is you may be limited to running it under KDE. It works under AfterStep but sometimes the menus don't pop up properly and it attempts to use a couple "hooks" in AfterStep that aren't there. It works under KDE but KDE isn't exactly my favorite WM.

In any case, notes are in the Wiki.

Now that's funny

Here's a Ballmer quote (about Vista): "Most people will trust it from day one on their home computer..." I reserve the option to make further comment at a later date.

Securing Your Network

Whitedust has an article which discusses the maintenance of your network's security by being familiar with what "normal" is.

Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective. I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.

Slowing down scans

A friend was recently concerned about the high number of inbound port 22 (SSH) connections he was getting. Another TWUUG'er suggested using iptables to slow down the brute force attacks (it uses the "recent" module). I've added the config to the wiki.

Too many ads

I was looking for info on 802.11i and came across this site. I'm sorry but, regardless of the quality of the information available via the site, I won't use sites like that. (Notice that actual content on the site takes up less than a 1/3rd of the page. The rest is Google Ads.)

Captchas

Here's a site that discusses the effectiveness of various Captcha schemes.

Bloglines

Bloglines have some small-but-important modifications to their site. One includes mapping navigation keys to the page, so that you can navigate through articles or folders without having to use the mouse.

The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.

Blackdog

Well, the lack of controls on the USB interface is finally being exploited. The BlackDog product runs Linux on a USB device and pops up windows on Windows (no reboots needed). The device can even (supposedly) access any network that the host computer has access to. If you "do" security, this should scare the crap out of you. The video of the demo and the FAQ are interesting.

More memory

Adding memory to my old junker improved things so well that my wife
broke her long standing rule (of me not touching her computer) and had
me do the same for hers. Between that and the new USB printer server
(both of which I got out of clearance bins at local stores), I've gained
mega-spouse points! (heh)

Repaired?

The comments function should be fixed, for now. The disk is still short on space so it may pop up again.

XP Shutdown

I checked today and I still have a lot of extra gas in my spleen so I
guess I'll vent again...

What bright mind decided that the time to
install updates is during the shutdown process? We use XP as the host
sytems for VM's at school. The class ran a little late and we were
asked to help by shutting down and removing the hard drives. Nothing
like noticing "Installing 1 of 9" in response to your clicking on
"Shutdown".

Grr...

Worm radar

The Worm Radar site might be
valuable during the next major outbreak.

Shmoo topics posted

For those not paying close attention, the Shmoo Group has chose some of the topics for the Spring Con.

Standards! Standards!! Standards!!!

I panicked, earlier, when I checked this morning's post and saw that each of the enumerated items all started with "1.". Chalking it up to too-many-hours-typing-into-a-Wiki, I'd intended to fix it from class this evening. Now that I have a non-IE browser pointing at it, I realize that I hadn't hosed the post. Rather, it was IE's lack of standards compliance (it didn't recognize the

tag properly) that caused the crappy looking entry.

Heads up MS, that's standard HTML that your browser isn't recognizing!

Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!

Update: Here they are... The one on the left is Firefox. The one on the right is IE.

'Nuff said?

Detecting infected clients via DNS

Consider this as another of my you-need-to-know-what-normal-is
rants.

About five years ago, a couple of us (at a previous job) wrote
a script to process DNS log files to watch for systems suddenly
performing massive amounts of DNS lookups. In other words, watching for
infected systems.

Someone recently wrote a paper on this same topic
and has received a bit of notoriety for it. There's no black art to it.
It's pretty easy to kluge together.

1. First be sure that your
   internal DNS server can handle a heavier load. I recommend running a
   dedicated server using BSDi (even an older version) because the load
   that BIND puts on BSDi is barely noticeable.
2. Turn on querylog.
   It'll generate log entries like:

   
   
   Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query:
   www.google.com IN A +
   Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query:
   www.cisco.com IN A +
   

3. Obviously, Perl is perfect to extract data from these log
   entries. Write a script to parse each line and insert the data from the
   line into a MySQL or Postgres database.
4. Then use Perl, PHP,
   Ruby, or [insert your favorite language here] to extract the data in
   different "views", such as total-queries-by-client,
   total-queries-by-network-per-minute (or hour or day),
   total-individual-queries-per-minute-by-target, etc.
5. To go along
   with these data "view", it's usually helpful to graph the generated
   metrics for simple crayon-understanding graphics. To be useful, you'll
   want graphs for the last hour, the last day, the last week and the last
   month, along with a user-configurable graph generation script, so that
   you (or someone else) can make quick interpretations and make
   comparisons to previously collected data.
6. Finally, you'll want a
   script to periodically clean up the log file, either archiving it or
   deleting it. Running querylog full-time with generate massive log
   files. It may also be a good idea to write scripts to aggregate the
   data in the database server, keeping only generic statistical totals for
   data past a certain age.

Collecting/analyzing metrics such
as these are well within the talents of the average network admin (and
is usually free). I'm amazed that companies are willing to shell out
big $$$ for something as simple as this.

If you have anything to do
with network adminstration, this is something that you should be able to
do. If you "own" a network, this is something that you want at least
one of your network admin or security types to do. (Think of it as
being able to gather and analyze data for troubleshooting.)

One more thing...

One more thought about hash collisions: before you throw out the baby
with the bath water, a quick way to improve the integrity of your
checksums is to use both MD5 and SHA-1. While the chance of a
collision with both algorithms is still theoretically possible, it's an
astronomical possibility.

Asterisk book

Click here for
the zipped version of "Asterisk: The Future of Telephony", published
under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs
for pointing it out.

I'm popular

This is supposedly from the author
of the recent MySpace worm, with a link to the technical explanation and
code. It's interesting in the same way the WoW virtual blood plaque
was.

Zotob

Arachnid has a quick piece on the recent Zotob worm.

p0f

Linux.com has an article discussing a benign use for p0f, gathering information about what's running the site's that you're visiting. The data that you gather might be complete useless or you might find a use for it or it might provide a bit of entertainment. I think the major benefit is that you gain experience when you perform experiments such as this.

Nessus

Dana Epp has some comments
about Nessus's movement towards closed source. While I cannot justify
my feelings in the same manner that Dana can, I did contribute to the
project (a couple measley signatures) and feel just as betrayed as I did
with NFR and the CDDB. For each of these projects, I contributed data
to support an open community and the owner decided to profit by moving
the project away from the user community supporting it.

Salted Hashes

Infosec Writers has an
article that explains the basic
theory of salted (seeded) hashes, including SHA-1 and MD5.

Wiki stats

In cleaning up the orphaned pages in the wiki on the new server, got to
looking at the page stats. What's odd is the #1 entry:

1. Glossary
   (5550 views)
2. Main Page (3078 views)
3. Anonymous Proxies
   (2067 views)
4. Asterisk (1735 views)
5. Looking Up UPC Codes
   (1228 views)
6. Looking Up Vehicle ID Numbers (VINs) (1094
   views)
7. Perl - MSN IM Sniffer (1092 views)
8. IPv6 on the
   WRT54G via OpenWRT (864 views)
9. The Firewall Toolkit (FWTK) (818
   views)
10. IPod Stuff (807 views)

Could it be caused by
the inclusion of sexual fetish descriptions in the glossary? If so,
then y'all are some sick puppies. (heh)

D'oh

Don't you just love catching yourself doing something stupid? I managed
to troubleshoot my IPv6 routing issue in about 10 seconds once I started
to look at it. (Thanks to Wes for prompting me to do it.) The fix is
to not add the following to /etc/init.d/rcS. Rather, create a file
called /etc/init.d/S99tunnel and put it there:

  #!/bin/sh

  #/bin/mkdir -p /var/log/
  ntpclient -h pool.ntp.org -l -s &

  # set up the IPv6 tunnel
  MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \  -f 6- `
  echo $MYIPADDR > /etc/myipaddr
  #MYSCND=`cat /etc/myipaddr`
  #echo $MYSCND > /etc/my2ipaddr
  echo $MYIPADDR
  ip tunnel add he.net mode sit remote 64.71.128.82 local $MYIPADDR ttl 255
  ip link set he.net up
  ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
  ip route add ::/0 dev he.net
  ip -f inet6 addr
  ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  radvd
  sleep 15
  killall dnsmasq
  dnsmasq -i eth1

NSLU2

I think I have my next toy targeted: the Linksys NSLU2 (Network Storage Link of USB-2). The local TWUUG'ers have pointed out the existance of custom firmware. Hey Santa: hint, hint!

Crazy Hacks

There's some interesting projects over on Crazy Hacks. There's also evidence that somebody has way too much time on their hands: why in the world would you want to write Perl programs in Latin?

Comments off

Until such time that the site moves to the new server (or the old one
gets its issues fixed), comments are going to be a dicey thing to use.
Anything left in comments over the last two weeks has not been saved. I
apologize for any inconvenience. If there's a comment that you want to
add to the site, it might be easier to email me directly
(joat@guess.where).

AntiExploit

Looks intriguing. Anyone know if it conflicts with similar protection schemes running at the same time?

Malware database

The link to the Nepenthes database (yesterday's post) led through Aachen University's malware database. I have high hopes for this.

Malicious Code Visualization

While following a link in Antlab, I came across the malicous code visualization published by the Nepenthes people.

802.11e

Heads up! 802.11e (aka QoS for Wireless) is on the streets.

Wobbling

Trivia question: When does 2000 1k (or less) blog entries eat up more disk space than 30 100K pictures?

The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.

The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.

BlueTraq

The Trifinite group has a new mailing list devoced to BlueTooth security.

PDA Forensics

Here's NIST's guide for PDA forensics.

Risk

Another rambling post...

I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.

Purists will be offended that I've said that but, in reality, most business operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintain protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tieing asset cost to the risk formula: the missing business costs.

Think of it this way: you have web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?

If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)

If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.

If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allowing operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.

Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?

Shmoo

Heads up! Today is the last day to get your $75 ShmooCon tickets (got
mine last night). Tomorrow they're $150 each.

Wish list

The following from PCPhoneLine
are going onto my wish list:

• VST1000
  Standalone IP-Phone
• VPC1000 FSX
  to FSO Port Converter
• VTA1000 VoIP Gateway

Anyone know of any reason why I shouldn't?

I didn't add the VPT1000 to the list because it's a corded (USB) phone, something I'm not looking for at this time.

Trojan ports

You may find it useful (I don't): Rob (NetSec) has a Excel spreadsheet of well-known trojan ports. I don't like it because it's just a spreadsheet of ports and names; it contains no extra data.

Grep

Open ITWorld has an article
entitled "Finding Text in Context" which talks about using grep. This is another one of those good-to-knows.

Extending Nagios

Unix Review has an article about extending Nagios, a good tool for monitoring metrics and various statuses within your network.

DVDs

Could it be that Touchstone Pics "gets" it?

I've just watched the DVD
for Hitchhiker's Guide and the previews were a menu option, not a
required series of bits that you passed through on the way to the movie.
Heck, after watching the movie, I went back and watched the two previews
that interested me.

I see dead people

... or, at least, get
e-mail from them. Why am I not surprised?

Registry Listing

(from adminfoo) Microsoft has a listing of registry keys. It's a bit blind for third party software but is a good resource for Microsoft keys.

Research

It's interesting and frustrating when you're doing research (in this
case, for the Kismet::Client wiki entry) and search engine searches
return your own work-in-progress. Arg! (heh)

I've finished sorting
out the Kismet tags and I'm trying to fill out the descriptions of each.

Audio Processing

A classmate recently used my iPod and a iPod microphone to record a
class that I could not attend. Needless to say, the audio was extremely
poor. I've managed to clean up the audio by running it through a few of
the filters in Audacity but I'm still not that happy with it.

I was
able to find this list
of tools available for Linux but it's obvious that I have no clue about
where to start. Anyone have any good how-to's or a list of recommended
books? It appears that this is going to become more and more important
for me as the topic of recording lectures has come up quite often
lately.

Hash Function Workshop

NIST:
NIST is planning on hosting a Hash Function Workshop to solicit public
input in how best to respond to the issues arising from Wang, Yin, and
Yu's paper on SHA-1 collisions.

Hashing Function Lounge

To go along with Sunday's Cryptanalysis Lounge, here's the Hashing Function Lounge.

TLAPDay

Well the spaceship failed to appear on time and rescue me. I'm faced
with having to experience yet another Talk-Like-A-Pirate Day
(today).

Arrr!

p.s., Anyone know if you-know-who dressed-the-part
again?

Paranoid?

Are some people are entirely too paranoid? I find the idea that eavesdroppers can figure out what you're typing after 15 minutes of eavesdropping, while technically possible, just a bit over the top. Things like this, while feasible in the lab, tend to be impractical in real life.

In any case, for you tin-foil hat people, here's a list of countermeasures so the black helicopters don't get you:

• Never use the same computer for more than 15 minutes
• never use that computer in the same location
• construct a "glove box", with sound dampening material, to contain the keyboard (helps block those evil shoulder surfers too!)
• Intersperse a significant amount of random letters in your text and then go back and remove them with the mouse
• purposely mispell your "Letters to the Editor" to throw off the statistical analysis (it won't change the Editor's opinion of you any)

Can anyone else think of any? (heh)

Audio Analysis

(This is a repeat but...) Rob and I are going to have to talk about this tonight. Very few of use should be concerned about password (or other text) capture via audio analysis.

That is, unless you're worried about who's listening via the microphone that you're absolutely sure is in the smoke detector, along with the radioactive source the government put there to slowly kill you.

Wiki

The joatWiki has been moved to the new server. Although the
host name may be transitional, that is where the data is located. I
will start deleting information on the old server shortly.

The Side Channel Cryptanalysis Lounge

Via NetSec: here is the Side
Channel Cryptanalysis Lounge.

Star Wars

From the too-much-time-on-their-hands category: You can view the
animated text version of Star Wars by telnet'ing to
towel.blinkenlights.nl

It appears to be full-length but I didn't have
the time to watch it all the way through (got as far as Luke meets Obi-
Wan). Is the story line that bad without the special effects?

Oh, it's safe to ignore the IPv6 comments. It'll still play.

You know you're a dad when...

...you hear (or find yourself saying) this or
"Put the hammer down and let go of the cat!" or "That's not what that's
for!" and you don't even bother to look up.

Security humor

How to catch script kiddies.

Kismet

Still more fun with Kismet::Client in the Wiki. Experiments in determining the Perl-accessible variables in Kismet.

WTF!

As a counter-weight to Marcus Ranum (yesterday's post), here's an example of what Marcus was talking about...

Uh, could someone take a handful of clues and slap David Coursey with them? I was just pointed to DC's June article where he promotes what amounts to censorship, though he claims it's not.

Originally, I wrote a long, rambling vent about how ignorant DC is. Thanks to the recent outage, I've reconsidered my thoughts and have slightly more PC recommendations: David, go take a civics class (to find out how government works) and then take a criminal justice class (to find out how law & law enforcement work).

For any law students reading this, here's a quiz: what were the errors in his article? (5 points each) Answers later.

6 Dumb Ideas

Marcus Ranum has an interesting article on "The Six Dumbest Ideas in Computer Security".

I agree with "Default Permit", "Penetrate and Patch" and "Action is Better Than Inaction". I could do without the Sun Tzu reference, regardless of what he did or did not say. That reference gives the impression that your management isn't to be trusted. (See "user" reference below.)

I had to read all of "Enumerating Badness" before agreeing with it. It's AKA "log file reduction".

I slightly disagree with his position in "Hacking is Cool", only for the factor that the only available alternative (currently) amounts to "ignorance is bliss".

I have issue with his "Educating Users" section as it comes across as "don't trust your users" and the need to "protect people from themselves". However, I'm not saying that I disagree with him. I just don't like how he stated the issue.

"The Minor Dumbs" are mostly spot-on, though the root of the problem (IMO) is the security vendors that promote those ideas in the first place. Every single "minor dumb" originates in the marketing fluff that management reads on a regular basis.

Apologies

My apologies. I ran afoul of an experiment with group quotas. The powers-that-be have fixed the issues (thanks Count!).

Update: I've reposted the missing posts. Anyone who'd left comments between 9 Sep and 12 Sep, please repost them.

Wiki - Kismet

I've put some more work into the "Kismet & Perl" wiki page. (Still more to come.) Take a look at it here.

Downtime

The blog may be a bit dodgy this month for a couple of reasons:

• I plan on adding memory to the cantankerous antique of a machine that I call my desktop system
• the powers-that-be at 757 have said that the current system has a very nasty wobble and that we should migrate to another server

Please bear with me/them.

Update: OMG! I should have added that memory years ago. It probably would have saved me the cost of the two hard drives that I wore out (from almost incessant page swapping). I actually like Windows boot-up speed for once (it's that noticeable)!

Update II: In performing clean-up for the move, I've taken a lot of older non-joat content offline, such as the files from last year's ShmooCon. If something's listed-but-offline, ask.

Con audio files

Here. Go nuts! (heh)

Wrappers

It's basic but it's good to know: TCPWrappers.

If you have a *nix system, you should be using this in conjunction with some sort of packet filtering software (IPTables, BPF, IPFS, IPFW, etc.), even if it's an internal system.

Sysadm Law

If you administer a system/site for anyone, even for family members,
it's a good idea to be familiar with the topics described in David
Loundy's E-Law4.

9 Questions

ComputerWorld published a
valuable article almost a year ago that will probably be applicable for
a very long time: Nine
questions to ask when evaluating a security threat.

Things to
keep in mind when asking yourself these questions: the underlying
assumptions are not static and other "forces" may change the questions.
To be able to answer the questions effectively, you need to have
intimate knowledge of your infrastructure (well-maintained documention)
and you need to know what "normal" traffic looks like (well-monitored
metrics).

Kismet and Perl

I managed to find some of my original notes on using Perl with Kismet.
There were a lot of errors so I'm redoing all of the work while I'm
adding it into the Wiki. Take a look (here)
at what I've got so far.

Bluetooth spam

Bluetooth spam is coming into existence. Bruce Schneier has talked about some of it.

My thought is that this will lead to physical vandalism of a number of vending machines, due to the short transmission ranges involved. In other words, rabid "no spam" types may assault the local soda machine because they receive unwanted "Drink Pepsi" ads every time they walk by it.

This could lead to some interesting developments. I can see just about every type of spam (porn and "your system is insecure" included) being transmitted in public places.

Wiki

Added a new category to the wiki: free online training.

Worm invades!

Pete Lindstrom hit it right on the funny bone. Mebbe he should included a comment about [the author's agenda to change something] or how the author released the worm because he/she [verbs|has a secret verb] for [person|place|thing]?

No op

Nothing much to talk about today. I'm just getting back up to speed
after taking a certification test two weeks ago. Except for a few
posts, you've been reading from my backlog. The test was so rough that
it put me "off my feed" for the better part of two weeks. Tonight is
the first time that I've typed (non-work-related) for more than 5
minutes.

The test was horribly convoluted, the questions poorly
worded, and overly rationalized. I got the feeling that they were
testing more for the ability to pick the question apart rather than for
problem solving or knowledge.

And, yes, I did pass. Just don't ask me
to say anything nice about the course or the certification. I don't
feel that anyone, having passed the exam, has accomplished anything.
It's ironic that the certification is promoted as one of the leading
accomplishments in the field. The course and test bank strongly needs
accreditation by an external entity.

Note: this is not the
certification that I talked about last weekend.

HICA!

Anyone know of a short-haul star freighter in the area that can get me off of the planet by the evening of September 18th? Why? Because September 19th is "Talk Like A Pirate Day"! Something I can't avoid even by staying in bed that day.

Hmm... Mebbe if I use a hammer on the only house phone?

Kutztown 13

The Kutztown incident is a very good example of "what not to do". Let's
see if I can explain this and why I think that even attempting to impose "community service" might be a bad idea.

The basic situation: the school attempted to press felony charges
against school children for repeatedly bypassing security functions
installed by the school.

The problems:

• Attempting to become the parent
• Assuming
  all students are the same
• Lack of due care and due
  diligence
• Other problems

Attempting to become the parent

The parents cannot be held responsible for the actions of their
children because it is the school that acted as "the parent" in this
situation by putting an adult "tool" into the hands of a minor. Use of
an adult tool, be it car, gun, or communications device requires a
specific level of adult judgement. This is something that most minors
do not have and it is also something that is not easily replaced by
software, especially software purchased via a least-bidder contract.

The responsible adult(s) in this situation are still the school board
and the teachers (those that gave the adult tools to the minors). Most
parents do not understand computer technology/security or the related
federal laws. Thus, the school became (and remains) the responsible
party by being the knowledgeable "enabler" by putting an adult "tool"
into the hands of minors and then not providing constant adult
supervision.

Although the parents probably signed a permission slip, it's probable
that they didn't understand the implications of that permission. I'm
willing to bet even a poor lawyer could break the supposed contract in
that permission slip.

Assuming that all students are the same

Regardless of the "we're all equal" tripe that is force-fed in most
schools today, students differ. They have different/differing IQ's,
religions, respect for authority, and upbringings. Occasionally (ahem)
you'll have a student that is smart enough and motivated (peer pressure
in high school usually will override ethics and authority) to take
advantage of an opportunity. Peer recognition will usually cause this
"seized opportunity" to be shared.

Believing that the installed
protections were adequate enough to (to use a noun as a verb)
countermeasure all students abilities and motivations, makes the
school eligible for the InfoSec Darwin Awards, if such a thing ever
exists. To maintain "security", your minimum protections must be
sufficient to counter the most talented and badly motivated user, not
the "average" user. 'Nuff said?

Lack of due care and due diligence

AKA "poor judgement". The school displayed poor judgement (lack of
due care) by putting an adult "tool" into the hands of a minor and then
neglecting to provide adequate supervision when the minor
exercised that tool. Even though the school may have believed that it
had practiced "due care" by installing various protections, it obviously
didn't practice "due diligence".

"Due care" equates to taking the necessary precautions to prevent an
incident (an instantiation of a risk). Obviously, the level of security
was not sufficient to prevent an incident. That the incident was as
severe as it was and that it involved so many students is an indication
that there was a difference between perceived and actually required
protections.

"Due diligence" is the practice of enforcing those precautions
(countermeasures) and being able to prove their consistent enforcement
over time (auditing, record keeping, etc.). What occurred didn't happen
overnight. Who was reading the firewall/router logs? IM traffic is
easy to detect. The school should have noticed when the first student
started experimenting with his laptop.

"Due care" and "due diligence" also requires adjustment of
countermeasures they reveal an inadequacy. The article indicates that
the situation continued to exist, even after detentions, suspensions and
"other punishments" (what the heck does that mean?). This means
that the school only attempted to correct the situation by external
measures (getting the parents involved). The school obviously failed to
increase required physical, logical and administrative countermeasures.

"Adequate supervision" involves the phrases "consistent (and
constant) supervision" and "adult-quality judgement". Believing that
adult judgement can be replaced with software, especially when "physical
security" is negated by allowing student custody of the laptops, is a
serious mis-judgement.

Use of desktop machines in a formal classroom setting implies a
certain level of integrity provided by constant physical security and
near-constant physical presence of authority. This "advantage" was lost
by issuing portable systems and allowing them to be taken out of the
"secure environment". Even if possession of the laptops were restricted
to the school, you can't assume that the 50 year-old part-time teacher
would be able to recognize improper or illegal activity in study hall.

Other problems

Err... How about overreacting? The "zero tolerance" policy often
quoted by public school officials is often a rationalization to vacate a
school's responsibility/judgement or to hide their own
complicity-due-to-negligence in a situation. In this case, all three
might be involved.

Some of the security "tools" installed by the school may have been
illegal. While it is permissive for a parent to invisibly monitor their
child's online activity, serious questions should be asked when a school
installs the ability to monitor students' activities on an individual
basis. In other words, generic monitoring (watching proxy or router
logs for suspicious activity) is generally permissible with prior
notice. However, employing a "a remote monitoring function that let
administrators see what students were viewing on their screens,"
without just cause (and usually a search warrant), is likely to be a
felony in itself. Remember, we are not talking about parent-child or
employer/employee relationships.

Parent-child relationships/responsibilities have created unique legal
conditions which are not easily transferred to institution-child
relationships/responsibilities. In this case, the school can probably
be slapped with a "contributing to the delinquency of a minor" charge
for not providing adequate supervision after facilitating (providing the
tools of) the crime.

That the tools of the crime were provided by the school, that the
object(s) of the crime was also school property, and that the
perpetrators of the crime were school charges has created a very sticky
situation for the school. The school exacerbated the situation by
attempting to charge the students with felonies, thereby drawing the
attention of national media.

Closing comments:

• this "experiment" obviously has
  failed
• attempting to "save face", as the article puts it, via
  imposed community service, risks yet more embarrassment
• since
  this is a public school which accepts federal money and keeps digital
  records on its students, do you think FISMA or GLB applies?

DNS6

I've attempted to talk about the following, off-and-on, for the last few
years. Here's yet another attempt...

I'm likely to be completely off
the mark with this but the DNS control argument may become a moot point
(or an even bigger issue) with the adoption of IPv6. The U.S. keeps
control of DNS space solely by the pseudo-rules-of-thumb known as
"possession is nine-tenths of the law" and "majority rule". In other
words, control is maintained solely by inertia and continued support of
majority rule.

IPv6 changes the playing field because of the differing
rates of adoption of the technology. A visit to the current 6bone will
show that the ratio of English to non-English sites is much different
than version 4 IP space. There is a slight risk that current
infrastructure managers might attempt to use "majority rule" to start
their own address infrastructure.

I say slight as such an action would
require cooperation on a massive scale by parties who normally are very
contentious, politically different and motivated by normally-opposing
agendas (profit, control, ideologies, etc.).

I believe the situation
to be quite binary. As long as the forces remain below a certain level,
ICANN is likely to retain "control" (a poor term for it) of the DNS
system. This is the most likely outcome.

However, if the level of
contention goes above a certain point, or if opposing forces change the
turn-over point in the equation by cooperating with each other, we might
see a very fractious DNS system. Fortunately, if this occurs, the
condition won't last long (in geological time) as systems do not
normally support unstable conditions for long. Remember:

• chaos
  requires complete lack of control
• oscillation requires a very
  specific form of control (feedback) and a permanently unstable
  condition

. Neither of these conditions are tolerated long by
financial or political institutions. Unfortunately for us users, the
corrective controls used by either of these institutions are not
normally that subtle.

This should be quite interesting to watch.
Also, there are probably quite a few "business opportunities" in the
above if you're in the right place at the right time with the right
tools.

Thoughts?

Blog

I've been having a lot of trouble with my BlogRoll of late. Anyone
visiting the site may have noticed (I'm not understating) extremely long
load times. In other words, the page stalls while loading the Infosec
blogroll.

Does anyone have any suggestions for alternate services?
I'd like to keep the same basic information-presentation but, barring
that, I'm willing to try out just about anything.

NSA IAM/IEM

I'll echo Richard's recommendation about the NSA's IAM and IEM certifications: if you "do" assessments, the certs are a very-nice-to-have.

Squidly1

If you're going to ToorCon, I recommend Squidly1's talk on alternate
uses for the PSP. Ask her about using her PSP to find the hidden AP
at SANS.

Once more into the bitch (err... breach?)

(heh) This time the fire
is over on Dana's blog. Remind me to put "responsible disclosure" on
the list of things never to talk about again?

Xpire

This is almost a year old but is interesting (for me) in that it references some old work of mine concerning the OpenFuck exploit. Found during some vanity surfing.

DNS MITM attacks

SANS has a paper
discussing a man-in-the-middle attack on DNS.

Dorothy Denning

Her 1987 "An
Intrusion-Detection Model".

Caffeinated Security

Here's another interesting blog: Caffeinated Security.

Porn pirates

You'd think the name "joatblog" would be pretty darn unique, wouldn't you? Another thing that I found out via vanity surfing is that some porn jerks (FG4/DF4) are "borrowing" key names, using them as hostnames within their domain and are hosting porn sites behind them. For those that want to know more, substitute "joatblog" for "MYBLOG" in the following string (keep the underscores) and go search Google for that phrase: "cyberspace_MYBLOG_hopefully".

If this blog were part of a business, I'd have a legal action available. As it is, I can only (legally) remain pissed.

Forensics forms

It struck me as a bit odd that part of the homework (tonight was the
first class) was to search for forms used in collecting digital evidence
(use of the term "computer forensics" has been formally "frowned
upon").

After a 15-minute Google search, it's amazing. Everybody,
including their mother and her Bingo friends, has some form of computer
forensics (sorry Rob) book or course. Very few of those sites, other
than law enforcement, provides any tools or support.

The assignment is
actually to find a number of processes used to support the creation and
maintenance of the chain of custody, and discuss them. This could get
interesting.

PSK

The Penguin Sleuth Kit
(PSK) is a Knoppix-based Linux distro with tools not only for computer
forensics but quite a few network troubleshooting and monitoring tools.

Note: Users of this kit should also read the disclaimers on the site
if the use is intended for legal/LEO purposes.

Myfip

For those that missed it (a few days ago), LURHQ has an analysis of the Myfip worm.

Ethereal

Here
is a SANS paper which discusses the simple traffic analysis using
Ethereal.

YMD (Yet More Drama)

I may be reading more into it than I should be but here's more drama over the .xxx situation. I can't help but think that the finger pointing up the hill is meant more to point at someone else's dirty laundry than their (ICANN) own.

Quote

From class today:

"Firewalls cannot block stupidity." - Dennis Lee

Standardization

Just a topic that was brought up earlier this week. Standardization of equipment and software across an enterprise allows that organization to operate more smoothly and (usually) more securely. However, many organizations forget that this is a "horizontal" rule but NOT a "vertical" rule. For example, all workstations should use the same make/model computer with the same version/patch level OS and configuration. However, the you should not be using the same hardware/software/configuration on your servers and perimeter equipment. You'd be amazed at the number of people that don't "get" this.

Still more problems

Here is more of the ongoing issues involved with the .xxx domain. The author seems to be a bit naive in that he is suprised that objections exist. Not only are the porn site owners objecting (most sites are transient in nature and they don't want to pay $70 per domain per year), various government offices are also objecting.

MD5

The media has once again created controversy by overstating a court decision. (this one) The court case was lost not due to the use of MD5, it was lost due to RTA's inability to "find an expert" to prove the pictures were not tampered with after they had been taken. This means one or more of the following conditions occurred:

• they actually couldn't find anyone (although it's unlikely)
• they couldn't find anyone that could explain MD5 in simple terms that would indicate that the liklihood that the traffic infraction actually occurred. Hint: think DNA evidence. You will always hear "probabilities" discussed when lawyers discuss DNA. Yes, there are collisions in MD5 number space. The probability of forgery goes down very fast if that "collision" has the same MD5 hash, looks like a picture, of the intersection in question, with the defendant's car passing through it, with the defendant's license plate in view, with the camera's timestamp (and other) data embedded in the picture.
• the prosecution was unable to display the chain of evidence, in the form of being unable to prove when the MD5 hash was generated. The hash being embedded in the picture may actually cause a problem because it means that the picture was changed after it was taken, by the camera itself. However, this is a procedural problem, not a technical one, and would translate into the prosecution not being able to find anyone willing to take an oath to assert/support the accuracy of the data.

I doubt that MD5 hashing of traffic pictures will cease. Rather, I believe that how they're presented in court will change.

No op

I'm on the road again this week, in the DC area, Vienna specifically.

Enigma

Don't know where Rob got it but NetSec has a pointer to a very
good paper on the Enigma machine.

Wiki update

I've changed the format of the wiki slightly and have moved quite a few
items from my house wiki. I have quite a bit of clean up to do so
please bear with me.

Python tutorials

From NetSec, free, online Python tutorials.

3-button mice

Tony Finch point to this one.
"Where are
all the 3-button mice?" rings a bell with me.

The only reason
you don't hear incessant whining from me is my secret (okay, now it's no
longer a secret) cache of Logitech 3-button mice. I bought ten of those
suckers when I heard Logitech was discontinuing the line. Also, I have
to thank Hurd for donating a Sun Crossbow (3-button USB) to the
collection, thereby prolonging the canibalism and jury-rigged repairs of
those first ten mice. I wear 'em out fast.

Everything Wireless

InfoSec Writers has a paper which has a pretty good overview of most of the issues involved with using Wi-Fi technologies.

Richard Bejtlich has a post about a court case that a friend (Dave!) will probably find interesting. It's about a court case that the prosecution lost because they didn't understand current theory about MD5 collisions. In other words, they couldn't prove that a picture hadn't been tampered with after it had been taken.

In the same post, Richard points out a project by Harlan Carvey, who visits here now and then: the Forensic Server Project. His book also has a supporting site: http://www.windows-ir.com. I highly recommend visiting all three.

Responsible non-disclosure

I'm pissed at Michael Lynn throwing a tanker truck of gasoline on the
"responsible disclosure" pyre. It leads to overly politically correct
announcements such as this. Little is
gained from this type of announcement other than eEye getting a bit of
"street cred". Announcements like that damage Microsoft's business by
making organizations leery of server safety without giving them an idea
of what to do to protect themselves.

Personally, I favor full
disclosure but if we cannot live with that, I'd rather not hear about
the vulnerability until such time that the vendor can comfortably talk
about it. Many of the same arguments for "responsible disclosure" (I
really dislike using that term), can be made for "responsible
non-disclosure". Maybe the only way we can get back to the middle is to
push the pendulum further away from center?

Port-knocking theory

SANS has a paper on
port-knocking which provides a bit more detail.

Malicious agents

Here's a paper discussing the evolution of malicious agents (spyware and the like).

I miss the peace and quiet

I guess my spammer decided to sell this URL to some n00b spammers 'cause
I've got a ton of poker spam and Chinese porn spam in the comments
queue. Oh well, the peace and quiet was nice while it lasted.

Crypto latency

InfoSec Writers has a paper which discusses the latency added by using high-end encryption in VPN's.

Ouch

We already knew that CWS was bad. Now this:

• CastleCops article
• ComputerWorld article

It looks like the FBI is involved now. If your machine has ever been infected with CWS, consider any valuable information on it as compromised (i.e., at a minimum, change your passwords).

Interesting tools

I've seen some interesting new tools in the past few days:

• Nepenthes - a
  honeypot tool
• fwknop - using portknocking
  as an additional security feature

Update: I managed to fat-finger the URL for Nepenthes. Thanks goes to Gaetano Zappulla for correcting it. He also suggests taking a look at kojoney, SSH honeypot written in Python using the Twisted Conch libraries.

WinPCAP

For those that use it, a new version of WinPCAP was announced yesterday.

RUXCON

RUXCON (1-2 Oct) has a list of
pending presentations. Looks like it'll be interesting.

NSA

The Network Security and Architecture Lab (thought this was going to be about the other NSA, didn't you?) has a post about the Georgia Tech Honeynet Report which has some interesting screenshots of a homemade visualization tool. I often get quite frustrated with these topics as very few people are willing to share their visualization tools. Interesting screenshots though.

New semester starting

This fall's class centers on computer (and possibly network?) forensics
so expect a good number of forensic-related posts. Rob is also
attempting to provoke me into teaching an IPv6 class.

The Ten Commandments

Brian Warshawsky has a piece on the Ten Commandments of System
Administration. He posted the tenth one, of which I'm a firm believer,
on June 27. I wrote a SANS paper for log reduction based on this
commandment. Entertaining and rules-to-live-by at the same time.

Henning Schulzrinne

If you dig a little at Henning Schulzrinne's (Professor and Chair,
Columbia's Dept. of Computer Science) Internet Technical
Resources page, you come across some valuable listings of
network tools.

Gergely Erdelyi

Gergely Erdelyi has written a number of papers. He has the following
available here:

• Cleaning up the
  Mess - Time to redefine disinfection?
• Chasing Ghosts? - Return
  of the Stealth Malware
• Hide 'n Seek - Anatomy of Stealth
  Malware
• Digital Genome Mapping - Advanced Binary Malware
  Analysis

Podcast list

Finally got around to compiling the list of podcasts that people listen
to. See it here (in the
Wiki). If you want to add to the list, e-mail 'em to me.

New record

Wi-Fi Toys has a post
about the new unamplified Wi-Fi distance record being set.

Weasel-wording

Short version: I think that Cisco is overreacting and is being a bully.
Long version follows...

Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:

Cisco's
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
disclosure.

Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
procedures" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
Puppy, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure. Or how about eEye's RDP where specific
information is withheld until the patch is realeased? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released.

So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry?

Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.

Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".

Shmoo Redo

Errr... I missed the announcement of this one too: ShmooCon 2006. Current price $75.
For those that don't know: the price goes up as it gets closer to con
time.