Monday, January 31, 2005

Kismet --> Snort

Finally had enough time to rig a Kismet drone to feed a Snort install.
It looks something like:

kismet_drone --> kismet_server --> fifo --> snort --> acid

where kismet_drone resides on a WRT54G and the rest resides on the desktop
machine. It doesn't run too well on my 3-year-old laptop though (not enough
memory). One plus about the setup is that I can also connect kismet_client
to the kismet_server and use the normal Kismet interface at the same time.

I'll blog the
configuration at a later date as I have only two nights to get ready for
Shmoo and need to gather a few things. TWUUG and ISSA are also this
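The plumbing in the diagram above, written out as an added example rather than the post's own configuration. It assumes the drone is reachable at 192.168.1.1:3501 (kismet_drone's default port), that Snort's config lives in /etc/snort/snort.conf and that the FIFO is /tmp/kismet_dump; the kismet.conf keywords (source, fifo, tcpport, allowedhosts) are the ones the Kismet releases of the time used, and the two helper functions are mine, not Kismet's.

```shell
#!/bin/sh
# Added example, not the original post's configuration.  Assumed values:
# drone reachable at 192.168.1.1:3501, Snort config in /etc/snort/snort.conf,
# FIFO at /tmp/kismet_dump.  Override with FIFO=... DRONE=... in the environment.
set -eu

FIFO="${FIFO:-/tmp/kismet_dump}"
DRONE="${DRONE:-192.168.1.1:3501}"

# Append the server-side settings to a kismet.conf (once): read from the drone
# instead of a local card, and copy every captured frame, pcap format, to a FIFO.
write_kismet_conf() {
    conf="$1"
    grep -q '^fifo=' "$conf" 2>/dev/null && return 0
    cat >>"$conf" <<EOF
# capture source is the WRT54G drone (assumed address), not a local card
source=kismet_drone,${DRONE},drone
# raw pcap frames for another program to read
fifo=${FIFO}
# kismet_client can still attach on the usual port while snort reads the FIFO
tcpport=2501
allowedhosts=127.0.0.1
EOF
}

# Create the FIFO with tight permissions.  Refuse a pre-existing non-FIFO: a
# symlink or regular file planted at that name would redirect the dump.
make_fifo() {
    path="$1"
    if [ -e "$path" ] && [ ! -p "$path" ]; then
        echo "refusing: $path exists and is not a FIFO" >&2
        return 1
    fi
    [ -p "$path" ] || mkfifo -m 600 "$path"
}

# Each end of the FIFO blocks until the other opens it, so start the reader
# (snort) in the background and then the writer (kismet_server).
start_pipeline() {
    make_fifo "$FIFO"
    snort -c /etc/snort/snort.conf -l /var/log/snort -r "$FIFO" &
    kismet_server
}

if [ "${1:-}" = "run" ]; then
    write_kismet_conf /etc/kismet/kismet.conf
    start_pipeline
fi
```

Run it as `sh kismet-snort.sh run` as root on the desktop. Snort sees 802.11 frames on the FIFO, so only rules that make sense on wireless frames (or whatever the drone's source hands up) will fire; ACID then reads Snort's database output as usual.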


iHacked has an excerpted chapter online from the book "Wardriving: Drive, Detect, Defend/A Guide to Wireless Security" entitled "Configuring and Using Kismet".

Sunday, January 30, 2005

L7 Filter

The Application Layer Packet Classifier (L7-filter) is an interesting
extension to netfilter (iptables). I wonder if the classifier can be used
elsewhere, such as with tcpdump or Snort, to help identify traffic. Anyone
know?


The ISECOM website is well worth exploring. It's the home of the OSSTMM,
Hacker Highschool (not what you think), and the OPSA/OPST certs.

I had nothing to do with the Jack of
All Trades presentations.


Following are bloggers and others that have stated intentions to be at
Shmoocon (in no particular order):

  • Beetle (so says Beetle) (err... he's a member of the Shmoo Group)

  • Grant Stavely (JokerBone) (he wants a t-shirt)

  • Randy Nash (@RISK)

  • Richard Bejtlich (Tao Security) - Sguil contributor and author of The Tao of Network Security Monitoring

  • Seth Fogie (Security Weblog)

  • Buffalo Bandit (Buffalo Bandit's Blogtastic Blog)

  • Adam Shostack (Emergent) (Shmoocon speaker and BOF organizer)

  • Crispin Cowan (Shmoocon speaker and BOF organizer)

  • Ben (Electric Fork)


Should be an interesting con. Anyone else going? It's probably
pointless but I was thinking about rigging a 54G in the car to watch for
stumblers on the drive up (I'm more interested in "watching the
watchers"...). It's only a four-hour drive too.

Saturday, January 29, 2005

Google - A Single Point of Failure

Hendrik Scholz has posted a paper that he is going to present at Chemnitzer
Linux-Tage (Babelfish required) and possibly at Interz0ne 4. The premise of
the paper is that we, as users, have become too reliant on Google.

I mostly disagree with Mr. Scholz. One or two of his points are valid but I
think the rest are in error. His errors:

  • the implication that it is only Google that voluntarily censors content based on local censorship laws
  • the implication that Google is not poisoned with ads in the way that Altavista is (Google has it bad also)
  • the implication that Firefox only works with Google (IE autosearches just one search engine also) (Firefox has the ability to add default search engines via plugins)
  • the assumption that Google should be used for all searches

Underlying all of these is an implication that Google is "the one". In my
case, it is not. Mr. Scholz's statements about Google's (and other search
engines') results are accurate only from the point of view of the casual
user. Heavy use of search engines (I average 100 or so per day) reveals that
Google has many of the same problems as the rest (ad poisoning, blind spots,
etc.).

Yes, the community as a whole would suffer greatly
if Google ceased to exist or if Google resorted to overtly dishonest
practices but I don't think the topic is worthy of two conference


The NSA has a page with quite a few SELinux articles
on it.

Friday, January 28, 2005

MySQL worm?

Builder.AU has an article about a "new" worm that is causing MySQL servers to join a botnet. This shouldn't happen, available patch or no available patch.

If you have MySQL, it's likely that you're running a variant of Linux or *BSD. If you have those, you also have some form of packet filter (iptables, ipfw, ipchains, etc.). Can you think of a valid reason why the entire world needs direct access to a MySQL server? At most, one or two other machines need that access.

This goes back to securing your network, whether it's an internal or an external network. On just about all *nix machines you can write filters on each box that limit access to its services. Write the filters so that only the "normal" users of each service can reach it. (Example: only your postmaster should need SSH access to your mail server(s); everyone else in your network gets port 25 and nothing more.)

It's not perfect but it will keep things like MySpool from occurring.
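The per-host filter described above, as an added example rather than anything from the original post: a Linux box running MySQL and sshd that answers only the hosts that should be using it. The addresses are assumptions (192.0.2.10 and .11 are the two application servers that need the database, 192.0.2.20 is the admin workstation), and the function names are mine. IPT defaults to `echo iptables` so the script prints the rules; IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumed addresses: DB clients
# 192.0.2.10 and 192.0.2.11, admin workstation 192.0.2.20.  IPT defaults to
# "echo iptables" so the rules are printed; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
DB_CLIENTS="${DB_CLIENTS:-192.0.2.10 192.0.2.11}"
ADMIN_HOST="${ADMIN_HOST:-192.0.2.20}"

# Emit one ACCEPT rule per permitted source address for a TCP port.
allow_tcp_from() {
    port="$1"; shift
    for src in "$@"; do
        $IPT -A INPUT -p tcp -s "$src" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# The weak default: every host on the Internet can reach every listener,
# which is exactly what a worm that guesses MySQL passwords relies on.
open_to_world() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
}

# The corrected policy: default deny, then only the "normal" users of each service.
mysql_host_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_tcp_from 3306 $DB_CLIENTS     # MySQL: only the application servers
    allow_tcp_from 22 "$ADMIN_HOST"     # SSH: only the admin box
    # anything else probing the database port gets logged (rate-limited) and dropped
    $IPT -A INPUT -p tcp --dport 3306 -m limit --limit 5/min -j LOG --log-prefix "mysql-probe: "
    $IPT -A INPUT -j DROP
}

mysql_host_rules
```

Apply it from the console rather than over SSH: the policy flips to DROP before the ESTABLISHED rule is in place, so a remote session can be cut off part-way. The LOG rule is what turns worm probes into something visible in syslog, and `-m limit` keeps a scan from filling the log.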


Here's a very large thesis paper from the Naval Postgraduate School which talks about combating cyber-terrorism with cyber-deception. It's a decent paper even if it overuses the c-word. Oh, and it has the obligatory reference to Pearl Harbor that we all saw/used right after Y2K.

Keep in mind that it is a thesis and (in this case) can be treated as a theory or an argument. I disagree with the premise that a "misrepresentation" is unintentional. (See the Taxonomy.)

Thursday, January 27, 2005

Running Windows worms under Linux

This showed up via a local user group's mailing list. Some people have way,
way, way too much time on their hands. This is silly enough that I may just
try it if I have enough free time.

Spyware paper

Here's a paper entitled "Measurement and Analysis of Spyware in a University Environment", from the University of Washington, that has some interesting points.

Wednesday, January 26, 2005


Wups! Happy 2nd Birthday + 1 day joatBlog.


Looks like I'm going to be looking for better Wiki software. The spammers
are starting to act up in the Wiki now (took down the entire front page).
Luckily the current software has rollbacks. The user management portion
sucks royally though.

Anyone know of a GOOD wiki that:

  • has strong user management (not just we'll mail you a
  • outputs changes into RSS feeds
  • is
  • doesn't have an overly large command set
  • has
  • doesn't have to work with InterWiki (but is a nice-to-

Mebbe I should just tweak the code already here?


"RFC-Ignorant is the
clearinghouse for sites who think that the rules of the internet don't
apply to them.
" (heh)

Yet another site to look up stuff on. Instead of aiming at spammers, this
site aims at poorly configured DNS

Tuesday, January 25, 2005

Usenet History

Here's Google's history of Usenet.


Just realized that the ShmooCon is a week from Friday. That means I
have this weekend to clean and rebuild the laptop. Hopefully I'll have
time to Tripwire it.

Wonder if it's worth taking audio equipment to
record the talks. Anyone know if they're planning on recording the

New Google Tag

Here's a quick
piece about Google taking a hand in fighting comment and wiki spam.
Unfortunately it'll mostly require the programmers to recode so that the
tag is added automatically to comments.

It's also a small step in the
ever escalating arms race. Spammers will find a way around it.

Monday, January 24, 2005

Cams ongoing

Some of us were playing with this early last year. It's now becoming
difficult, with many of the more-popular cams undergoing what amounts to a
remote tug-of-war for control.

It's amazing the mileage that "unsecured cams" have gotten with the media
(mainstream and blogstream). Certain things only have to enter at the right
time and place and they get repeated ad nauseam.

for the examples

Sunday, January 23, 2005

Comments back on

The comment system is back on. I've decided to try out manual filtering for
a while. I think that this approach may work as legitimate traffic is pretty
low and I should be able to filter out the jerks.

If you
make a legitimate comment and it's not added to the page after early
evening, e-mail me (joat@the_obvious_domain) and complain. Otherwise,
please bear with me while I tinker with the comment system again.

Persistence of Vision

I know someone at 757 is working on one of these but
don't remember (off the top of my head) who it is that's working on it.
This project is also interesting in that Michael attempts to run a
gray-scale image through the device.

The Dangers of Using Anonymous Proxies

(I originally wrote this into the wiki but it falls within the scope of the blog also so... It still needs a bit of polish but you'll get the idea.)

First off, the disclaimer: I am not a lawyer. While I've taken a few classes in technology-related law, I am not an expert. This article should not be considered legal and/or expert advice. That said...

This piece is about anonymous proxies. While some of the information here may aid in setting up or configuring a proxy, the intent is to discuss some of the "darker" issues involved with their existence. Please use Google for help if you're looking for information to set up or use a proxy. There are an ample number of those sites available.

Anonymous proxies (web, mail or otherwise) and proxy filters have a number of uses, both for good and bad. Reasons for using them may include:

  • sending a nasty note to a spammer you've tracked down
  • avoiding spyware
  • doing just about anything unethical, immoral, or illegal

Using anonymizing services is not illegal by itself but will surely draw attention if you're being watched for any other purpose. If your driver's license expires and you never drive above 55 or get in an accident, no one will probably notice. However, if you consistently drive like a jerk, passing all the other cars on the highway, you'll get "noticed" within a day or two. You'll also likely discover that you'll be charged with more than one crime.

If you use encryption in the commission of a crime, you may find yourself in deeper trouble for using encryption than you think. Various states have laws that add penalties of varying degree for doing so.

For example, Virginia Code[4] (18.2-152.15. Encryption used in criminal activity) reads:

Any person who willfully uses encryption to further any criminal activity shall be guilty of an offense which is separate and distinct from the predicate criminal activity and punishable as a Class 1 misdemeanor.

"Encryption" means the enciphering of intelligible data into unintelligible form or the deciphering of unintelligible data into intelligible form.

While Virginia treats it as a minor crime (anyone know of a compiled list of States' laws?), various efforts have been made to introduce federal statutes where prison sentences of up to 10 years can be applied to persons using encryption in such a manner.

While you may be able to argue that you didn't notice that the illegal web site you visited was employing SSL, use of encryption usually involves a conscious decision to use it. Anonymizing proxies which employ encryption require manual configuration and possibly installation of software.

All of that aside, there are still a few issues that should be discussed: use of remote proxies in violation of the owner's ToS, use of foreign proxies, and use of covertly installed proxies. The first will only get the proxy owner into trouble with his provider, but the other two may involve criminal proceedings against you, even if the only sites that you visit are as tame as Playboy or Amnesty International.

Many U.S.-based Internet users access the Internet via a broadband connection purchased from either the local cable or telephone utility. As part of the installation of the service, a subscriber signs or click-agrees to a document entitled "Terms of Service" (ToS). Somewhere in the fine print is the agreement to not install/run servers. If the user then installs an anonymizing proxy or remailer and allows the outside world to access it, he/she is in violation of his/her ToS.

Detection of these services is easy enough. A network monitor (a sniffer or IDS) watching for inbound packets with only the SYN flag set produces a list of subscriber addresses that outsiders are trying to connect to; since every scanner on the Internet trips that filter for every address, the better list is the subscriber hosts that answer an inbound SYN with a SYN/ACK, because that means something on the box accepted the connection. The utility company can then record the count and size of packets passed through the suspect system. At a minimum, the proxy owner will be de-subscribed.

If the amount of traffic is large enough, the utility may attempt to pass the costs to the proxy owner via the court system. Remember, most if not all ISPs buy their connectivity "by the bit" and having large volumes of traffic pass in and then out of their domain can make it cost effective for the ISP to at least spot check for suspicious network traffic.
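The sensor described above, as an added example that is not part of the original article. The two BPF expressions are what tcpdump or an IDS would run at the edge of the subscriber block; the awk pass reads `tcpdump -n` output and reports subscriber host:port pairs that answered more than one outside client with SYN/ACK. The subscriber block 192.0.2.0/24, the function names and the sample capture lines are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.  The subscriber block and
# the sample tcpdump lines are constructed.
SUB_NET="${SUB_NET:-192.0.2}"

# Inbound packets with only SYN set: hosts being *probed*.  Every scanner on
# the Internet trips this for every address, so it is a noisy list.
probe_filter() {
    echo "dst net ${SUB_NET}.0/24 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
}

# Outbound SYN/ACK: a subscriber host *accepted* a connection, i.e. something
# is listening there.  This is the list worth following up.
listener_filter() {
    echo "src net ${SUB_NET}.0/24 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"
}

# Read "tcpdump -n" output on stdin; print "host port clients" for subscriber
# host:port pairs that sent SYN/ACK to at least $1 distinct peers (default 2).
# Retransmits to the same peer count once; SYN/ACKs from outside hosts (the
# subscriber's own browsing) are skipped.
listeners_from_log() {
    min="${1:-2}"
    awk -v net="$SUB_NET" -v min="$min" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S.]," {
            n = split($3, a, ".")
            host = a[1] "." a[2] "." a[3] "." a[4]
            port = a[n]
            if (index(host, net ".") != 1) next
            key = host " " port
            if (!((key, $5) in seen)) { seen[key, $5] = 1; clients[key]++ }
        }
        END { for (k in clients) if (clients[k] >= min) print k, clients[k] }
    ' | sort
}

# Constructed capture: .55 runs something on 8080 that answers two outside
# clients, .61 answers one client on 3128 (plus a retransmit), .77 is probed
# but silent, and .61 also browses out to a web server, which must not count.
SAMPLE_LOG='12:00:01.000000 IP 203.0.113.7.51522 > 192.0.2.55.8080: Flags [S], seq 1, win 65535, length 0
12:00:01.000100 IP 192.0.2.55.8080 > 203.0.113.7.51522: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:02.000000 IP 198.51.100.9.40001 > 192.0.2.55.8080: Flags [S], seq 1, win 65535, length 0
12:00:02.000100 IP 192.0.2.55.8080 > 198.51.100.9.40001: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:03.000000 IP 198.51.100.9.40002 > 192.0.2.61.3128: Flags [S], seq 1, win 65535, length 0
12:00:03.000100 IP 192.0.2.61.3128 > 198.51.100.9.40002: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:04.000000 IP 198.51.100.9.40003 > 192.0.2.77.8080: Flags [S], seq 1, win 65535, length 0
12:00:05.000100 IP 192.0.2.61.3128 > 198.51.100.9.40002: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:06.000000 IP 192.0.2.61.50000 > 203.0.113.80.80: Flags [S], seq 1, win 65535, length 0
12:00:06.000100 IP 203.0.113.80.80 > 192.0.2.61.50000: Flags [S.], seq 0, ack 2, win 65535, length 0'

printf '%s\n' "$SAMPLE_LOG" | listeners_from_log 2
```

In production the input is `tcpdump -n -l "$(listener_filter)"` piped into `listeners_from_log`; `-n` matters because the awk expects dotted addresses, not resolved names. The threshold keeps a one-off inbound connection (a friend's SSH session) off the report while a proxy serving a public list shows up within minutes.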

If you use proxies which are located within other countries, you need to consider that you may be wandering into the jurisdiction of foreign or international law. Accessing a site as tame as Playboy is not a crime here in the U.S. but it definitely is in China. While "the Great (fire)Wall" may block direct access to Playboy, there are ways around it, such as chaining yet another proxy. Care to be the first test case for this portion of international law?

The final thing you should consider involves the use of covertly installed proxies. The average home user knows (or even cares) little about the security of their machine(s). Hackers, spammers, and worm authors are able to install all sorts of backdoors and other code in these poorly protected systems. Proxies are some of the milder examples.

There are numerous sites on the Internet that specialize in providing lists of open proxies. As entries in these lists are highly transient, usually residential in nature and often involve port numbers over 1024, it's not an overly large assumption that some of these proxies exist without the machine's owner's knowledge.

This is another area where existing laws have not been tested. Unauthorized use of computer services is against the law in the U.S.[2] and many other countries[1]. Most are statutory in nature, and whether the prosecution must also prove intent depends on the statute. A lot of them have not been "tested". Just because you didn't know the proxy was illegal may or may not be enough of an excuse to avoid prosecution. If you use a proxy to commit a crime, the point may become moot. Care to become the first test case for this portion of your country's law?

To make a convoluted discussion short, when you're configuring your browser, it may be a good idea to at least perform a cursory investigation of the IP address(es) that you will be using for proxy services. If the machine is located in another country or has a hostname that is obviously within a residential subscriber domain, it may be a good idea to find a different proxy to use.

If you're an ISP, it's probably a good idea to periodically check the available proxy lists[5][6][7] for addresses in your IP range.


References & Footnotes:

Saturday, January 22, 2005

SQL Injection

Steve Friedl has a piece entitled "SQL Injection Attacks by Example" which
discusses the hows of SQL injection attacks, and how to protect against them.

Friday, January 21, 2005


What is Network Solutions up to now? All of a sudden I cannot SSH into a
friend's site. A close look reveals that the IP address attached to the
hostname has changed. An even closer look shows that the IP address belongs
to Network Solutions, the registrar my friend used to purchase his domain
name.

Pointing a browser at his web site's hostname still pulls up the usual pages
but it now goes through what appears to be a proxy at Network Solutions.
Pointing SSH at the IP address works.

I haven't had time to consider the issues that this little
trick creates but I'm uncomfortable with the thought of it. If the site
handled anything relating to financial, personal, or health data (or if
it had anything to do with HTTPS or SHTTP), I would recommend legal

Who protects the Internet?

A 10-year old asked Susan,
"Who protects the Internet?". She and Dana Epp
have addressed parts of the answer. Having "been there", I would like
to add another.

There are also loosely knit groups (organizations?) of system admins,
network admins, and security officers. Some are nothing more than phone
numbers on a call list, others are semi-elite groups which require at least
two members to vouch for a newcomer. I actually miss being part of that
"network", having been promptly culled after switching jobs.

Believe it or not, there really are Morlocks under there, keeping the lights
on and the network from collapsing under its own weight. On the next
SysAdmin Day, consider giving a gift certificate from the local sub shop to
your security geeks too (they're probably too busy to be able to go out to
lunch as a group).

Thursday, January 20, 2005

Deep Packet Inspection

Let me take advantage of the disabled comment functions and fan the
flames of the Deep Packet Inspection (DPI) argument. Security Focus has
a good explanation of the
shortcomings of DPI. I've said it before and I'll say it again: DPI is
not a substitute for application layer proxies. DPI is what you use
when you're willing to trade a bit of security for larger throughput for
not so much money. Please refer to the article for the arguments.

Tuesday, January 18, 2005

Monday, January 17, 2005

Social Engineering

Hack In The Box (HITB) has an article
which discusses what they call Social Engineering. I think they've
stretched the title a bit too far to cover what they're

Social Engineering is the art of getting what you want via
verbal and situational trickery. What the article is about is
Intelligence Gathering.

Patents opened

You may want to note that Samba is affected by IBM's recent patent action.
In my usual no-good-deed-goes-unpunished skepticism, we may see a few
lawsuits against IBM because of it. Remember, there are things in those
patents that were developed in conjunction with other companies. SMB makes a
good example in that the protocol was developed by MS and IBM.

Sunday, January 16, 2005

Comments offline again

Please note that the comment system is offline again. It took a little bit but at least one spammer has caught on and adapted his software to my changes. I need to make at least one part of the software polymorphic, something in the form of "please type in what you see" or some other function.

I'll be experimenting with the code over the next few days (weeks?) so please accept my apologies ahead of time. If you have anything important that you'd like to add to a post, email it to me (j-o-a-t-@-7-5-7-.-o-r-g) and I'll manually append it to the post.

Honeypot Trend Analysis

Last month the Honeynet Project published a paper that will surely fan the
flames of just about any which-is-better argument. In short, the project
claims that, for unpatched systems, the life expectancy for MS-based systems
continues to decrease while the same for Linux-based systems has greatly
increased (MS lost a few minutes, Linux gained a couple months).

I don't know
that I agree with the possible reasons that they listed. They
completely ignored statistics on malicious code. It'll make for a good
loud-conversation-starter at the next Internet Professionals meeting though.


A certain analyst says that the iPod has almost reached icon status. I say
that a certain analyst has almost made it out of the 90's.

While Apple is likely to lose their market share (there's nowhere to go but
down?), I think that they reached icon status prior to the millennium. The
trick is now to add features/capabilities to existing products (to get users
to buy those upgrades) or to come out with the next-best-thing so that those
same users will buy it when their current iPods wear out.

No op

Apologies to anyone that tried to access the blog in the last 4-5 hours.
The visitors module had logging problems and caused the blog to hang.
As you can see, it's back up.

Saturday, January 15, 2005

I'm back

I'm back from DC. Just looked at my backlog and I have at least a couple days work ahead of me.

The class was fun (I passed). Did miss my own coffee though.

I did remember why I don't like staying in DC: the local tv. Due to the extremely high level of politics built into the city's existence, the local tv tends to include access to groups that the rest of the country would consider a bit "out there". 'Nuff said?

Now back to work...

Friday, January 14, 2005

Malware Analysis Tutorial

Here's a Malware Analysis Tutorial from the University of Louisiana at
Lafayette.

Thursday, January 13, 2005

Philippe Biondi

Here's Philippe Biondi's home page. He has some interesting looking
projects/programs. Of special interest to me is EtherPuppet, which may allow
me to work around some of the processing limitations of my 54G's.

Wednesday, January 12, 2005


Here we go again. I knew it couldn't last forever. The spammers have adapted to the changes I made to the comment system so I'll be tweaking it again this weekend.

French Honeynet

Here's the home page
for the French Honeynet Project. Check out the papers, reports, and
tools links!

Tuesday, January 11, 2005

Odd Google Entry

This is a bit odd. While doing research for my class, I found an interesting site. While the front page is a religious site, behind it lurk a few other things.

The research involved researching a company which had recently emerged from Chapter 11. In looking at Google's content relating to the company I came across

Try it out for yourself, using the first three octets of your company's IP space. Example:

Turns out this listing is supposedly generated by the Bulldog firewall. As the dates on the files are not that old, I assume these are updated periodically. It looks like the entire IP space. Interesting that someone would put that much work into tracking something as fluid as the Internet.

Santy Analysis

SIG^2 G-TEC has a two-part analysis of the Santy Worm(s): 21DEC and

Monday, January 10, 2005

Another Security Diary

The SIG^2 G-TEC Honeynet Project has a daily diary in the
same style as the ISC Handler's Diary. Here's the RSS feed.

Sunday, January 9, 2005

Spam Engine Analysis

Here's a quick analysis that Brian Eckman performed on a machine that was
discovered spewing spam into the

Useful LaTeX Tricks

I don't get to blog the LaTeX category all that often (I haven't touched
any of those projects in awhile) but Ariya Hidayat has a page for Useful
LaTeX Tricks.

Saturday, January 8, 2005

Honeynet Diary Entry

The 4 Jan entry for the Honeynet Project Handler's Diary is pretty
interesting. It talks about unusual TCP/4899 (radmin) traffic and UDP/1026
and 1027 (Windows Messenger service) traffic. (Not to be confused with
Instant Messenger traffic.)

MS Anti-Spyware Beta

Has anyone actually tried out the beta for MS's Anti-Spyware Tool? If so,
what are your impressions of it?

Virtual Honeypotting Basics

Here's a piece by Kurt Seifried which discusses the basics of "honeypotting"
with VMware.

Ben Gross

Ben Gross has a good link list of security-related items.

Friday, January 7, 2005

VMware Honeypots

Here's a Linux Voodoo article entitled "Building Virtual Honeynets using ".
It's a couple years old but still valuable.


Here's the
NIPC's Indications, Analysis & Warning Program SOP.

Thursday, January 6, 2005

Reverse Engineering Malware

Here's Lenny Zeltser's paper entitled "Reverse Engineering Malware" that he
did for the SANS GCIH

Security Forest

Security Forest (not sure how I found this one) is an interesting use of MediaWiki to produce an InfoSec-related site.

Wednesday, January 5, 2005

Rada Analysis

Here's an analysis of the Rada backdoor which was performed as part of the
September '04 Scan of the Month.

Auditor CD

WindowsITPro has a good article describing the Auditor Security Collection
CD. A Knoppix variant (which this is) is one of those tools that any
Microsoft admin should learn to use, especially because it's not MS. It
allows you to do and learn "new things" and gets you out of the purist
mindset. As an analogy: Craftsman makes very good tools (the replacement
policy is a plus too) but sometimes the best tool for the job is a Starrett

In any case, the article reviews the various tools
available on the CD (this collection is "aimed" at the security

Tuesday, January 4, 2005

Virtual Evidence Handling?

Here's a paper from the U.S. Customs Service entitled "Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer". It can also be used for specific types of non-law-enforcement analysis.
Tim Kramer

Maximillian Dornseif

Maximillian Dornseif presented three
lectures at 21C3 (21st CCC) which are available
  • Hidden Data in Internet Published
  • Hacking with Fire
  • The Art of

His other papers/presentations are also
available on that site. Note: You may need to run a few of them through
a translator.

Monday, January 3, 2005

Monitoring VMWare Honeypots

Here's a paper by Ryan Barnett describing how to monitor VMware-based honeypots.

Abe Usher has launched a site "in an effort to provide a centralized
location for finding the latest trends and cutting edge issues in the
information security community." For now, it just has a list of mailing
lists but I expect that this will be a useful site.

Sunday, January 2, 2005

Spammers List

Here's the list of spammers for yesterday. I cannot guarantee the accuracy of this list. These are just the IPs attempting to access the old comment system that doesn't live here anymore.


No op

For those of you that notice the small table on the bottom right, you'll
see that I've blogged entries for almost the next two weeks. I'm going to
be busy this week, in DC next week (studying for yet another test and
playing tourist)(periods of spotty Internet access predicted!), home for
two weeks and back in DC for the ShmooCon. Add in ISSA, TWUUG, a coding
project, starting next semester's classes and I end up having very
little blogging time, at least during January.

I wanted to take the
pressure off of having at least one daily entry, so I cheated and
blogged a bunch of stuff from my "hold" pile. As a result, most of it
is honeypot and/or malicious code analysis related. Please accept my
ahead-of-time apologies for the narrowed "theme".

DNS Black Ops

It's somewhat of an old topic but (thanks to Autoblogiographie and the 21st CCC) Dan Kaminsky has posted his slides from his "Black Ops of DNS" lecture. We'll probably see this lecture or something similar at the ShmooCon next month.

Saturday, January 1, 2005

Trifinite and Bluetooth

Thanks to F-Secure, I've discovered the Trifinite Blog (RSS) and their Bluetooth Hacking slideshow from the 21st CCC. The blog is mostly related to problems with Bluetooth and has a very good list of problems with the technology.

Update: Dana blogged it also. Also, check out the download portion of the Trifinite site for other related slideshows and tools!

Worm Theory

IT Observer has a good article on web-app-based worms
such as the current PHP-based ones.