Saturday, April 30, 2005

Thank you Disney

I'm back home. The conference was interesting. It's been a very long
time since I've been to Orlando. One thing I can say about Disney, they
do early sign-ins (for conferences) very nicely. Think sweaty, muggy,
tired and jet-lagged. An ice-cold bottle of water (or soda) and a sugar
cookie the size of your head hits the spot very nicely.

Okay, maybe
the cookie wasn't that large. It makes checking in early worth it though.

Bagle

VirusList has an analysis
of the Bagle worm.

Friday, April 29, 2005

Classical and Contemporary Cryptology

(from NetSec) Here
is one of Richard Spillman's PPTs on encryption. The first half of the
lecture I liked. The second half I wish I understood.

Thursday, April 28, 2005

Wireless Security

John MacMichael recently gave a presentation on wireless at TCC. I wasn't able to attend but have taken a look at the presentation. It has to be one of the best I've seen on the topic. About the only thing that I don't like about it is the assumption that WEP still needs to be a major point of discussion.

I wholly recommend the presentation though.

Wednesday, April 27, 2005

Credentials

I've had a few thoughts about the recent Yankee Group articles rattling
around in my head for awhile now. This Groklaw piece (http://www.groklaw.net/article.php?story=20050419175709648) prompted me to ask:
Would Ms. Didio please present her credentials?

Seems she is willing
to publish articles on any number of technology-related topics, putting
forth what appears to be expert opinion. However, I am unable to find
any bio mentioning technical education or previous non-journalist jobs.
The impression that I get from digging through her hundreds of articles
is that she started as a "journalist" and nothing much has changed
since.

Information such as this doesn't help
to change my opinion any. I think it's time that we, as readers, start
holding our media outlets responsible for the quality of the articles
that they put out.

Unfortunately, just as in politics, there's a lot
that a "voice" can get away with without being held responsible.

As an
exercise in conspiracy theory, take a look at the people she's worked
with or for. You'll have your work cut out for you though. A Google
search for "Laura Didio" (with the quotes) returns 37,900 entries.

Tuesday, April 26, 2005

Clue

I'm amazed at the number of people that think that the pre-shared key in
WPA is the key that encrypts their traffic. It isn't, at least not
directly. The PSK (derived from the passphrase and the SSID) is a
long-term secret: the 4-way handshake uses it to authenticate both ends
and to derive fresh per-session keys, and those per-session keys are what
actually encrypt frames. WEP is the exception that proves the rule; its
shared key is fed straight into RC4 with the IV, which is one of the
reasons it is broken.
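To make the distinction concrete, here is an added example (written for this page, not code from any vendor or standard body) that walks the WPA-Personal key path in Python: passphrase and SSID to PSK/PMK, PMK plus the handshake nonces and MACs to the PTK, and the KCK slice of the PTK to the EAPOL-Key MIC that authenticates the handshake. The MACs, nonces and the EAPOL frame are constructed stand-ins; the one real reference is that the PMK for "password"/"IEEE" matches the published 802.11i test vector. The last function shows the practitioner's caveat: because everything except the passphrase is visible in a captured handshake, the same derivation is an offline dictionary attack.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: the PSK (which is the PMK) is PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256 bits. Nothing here is per-session."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key from the PMK and the 4-way-handshake inputs (AP and station
    MACs, AP and station nonces). The nonces are fresh per association, so the PTK is too."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = _prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "tkip_mic": ptk[48:64]}


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, ccmp: bool = True) -> bytes:
    """Key MIC over an EAPOL-Key frame whose MIC field is zeroed: HMAC-SHA1 truncated to
    16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP. This is the proof of PSK knowledge."""
    if ccmp:
        return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]
    return hmac.new(kck, frame_mic_zeroed, hashlib.md5).digest()


def recover_passphrase(candidates, ssid, aa, spa, anonce, snonce, frame_mic_zeroed, captured_mic, ccmp=True):
    """Offline dictionary attack on a captured handshake: every input but the passphrase is in the capture."""
    for guess in candidates:
        kck = wpa_ptk(wpa_pmk(guess, ssid), aa, spa, anonce, snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed, ccmp), captured_mic):
            return guess
    return None


# Constructed session (not from any real capture): MACs, nonces and frame chosen by hand.
SSID, PASSPHRASE = "IEEE", "password"
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
EAPOL_MSG2_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 114  # stand-in for message 2, MIC zeroed


def demo_session() -> dict:
    """Derive one session's keys, the MIC the station would send, and the TK of a second
    association with the same PSK but a new ANonce, to show the traffic key changes."""
    pmk = wpa_pmk(PASSPHRASE, SSID)
    keys = wpa_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    later = wpa_ptk(pmk, AA, SPA, bytes(range(64, 96)), SNONCE)
    return {"pmk": pmk, "tk": keys["tk"], "tk_next_session": later["tk"],
            "mic": eapol_mic(keys["kck"], EAPOL_MSG2_ZEROED)}
```

The 4096-round PBKDF2 is the only expensive step, and it is what makes the dictionary attack slow per guess; the SSID salt means tables have to be built per network name, which is why default SSIDs are a bad idea.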

Monday, April 25, 2005

Disney

Greetings from the Magic Kingdom! Please be patient with any flubs/typos on my part. I'm having to edit files via a multi-hop text connection from Orlando, Florida.

Sunday, April 24, 2005

Wiki

Added "Google Sightseeing" to the wiki's Google page.

Evolution

Viruslist has an interesting article on the evolution of worms (http://www.viruslist.com/en/analysis?pubid=162454316).

RFC 3871

RFC 3871 has a good
discussion of security requirements and practices (and their
shortcomings) for larger ISPs.

Saturday, April 23, 2005

Windows Root Kits

Depends on what your definition of "new" is. Geez!

VPNs

Here's a lengthy discussion of the under-the-hood view of IPSec VPNs. It's a bit dated (2002) and doesn't include AES but is still worthwhile.

Friday, April 22, 2005

Thursday, April 21, 2005

Bad memories?

Just a bit of history: here's an article about some of the angst that we, as a community, went through (6 years ago) while trying to determine the successor to the DES standard.

Wednesday, April 20, 2005

PGP on small devices

Here's a paper on getting PGP to work on "constrained devices" (e.g., PDAs). The device used by the authors was the BlackBerry, which has very little storage (memory) to work with.

Tuesday, April 19, 2005

IPv6 Map

For those that missed it, CAIDA has a new poster, this one an AS-level topology map of the IPv6 Internet.

Monday, April 18, 2005

OrcaFlow

OrcaFlow's library has links to some analyses that, while somewhat "old", are interesting to read. Included are: the Witty worm, the SCO DoS attack, and an analysis of DDoS attacks on the Internet.

Sunday, April 17, 2005

Uh, right...

PCWorld has an article which discusses MS's intention to make Longhorn easier to use, more secure, and less costly to manage.

I'm sorry, but this is what got them into trouble in the first place. "Easier to use, more secure, and less costly to manage" equates to "more features, more automation, and more code". The problems that we are forced to live with today (i.e., spyware and malicious code) stem from the fact that Windows is "easy to use".

MS Windows is easy to use because the components of the OS are tied together in such a manner that you can click on a link in a Word document and have a browser kick off, or the media player start, or a spreadsheet can be embedded in a presentation. Now the instant messenger can fire off a whiteboard session where more than one person can mark up a document, or it can start an audio or video call, or it can access the address book in Exchange.

Adding features and code NEVER increases security. Rather, it adds complexity, and the Windows source code is well beyond the size where any one person can entirely understand the interaction between all of its parts (this argument includes the 3rd-party software that users load).

I also have doubts about the "secure startup" feature. Yes, it's a nice to have if you're worried about your laptop being stolen. However, having it everywhere forces users to give up being able to recover files if the OS becomes corrupted. (I may be misunderstanding Mr. Allchin's short description of the service.)

In any case, I wouldn't jump to the new OS until at least 6 months to a year after it hits the street. There are always serious kinks and bugs to hammer out in new OSs.

Saturday, April 16, 2005

No op

The coming six weeks are going to be quite busy for me so please bear
with any vagaries at this blog (e.g., typos won't be corrected right
away, comments will have to wait to the end of the week to be approved,
etc.).

I'll be in Orlando at the end of this month, Denver the second
week in May, and California at the end of May. I'm planning on not
being able to walk by the end of May as my legs are about 1" longer than
the leg space available in the standard coach seat.

For those of you
that notice, I'm already trying to post ahead as much as possible.

You're being frisked

Some of the local user group is complaining of a new type of spam. I've
seen it (or its ilk) before. It slips through filters because of its
size, it appears to be made up entirely of a mishmash of characters from
the BIG5 character set, and has three links.

Looking at the source
code tells an entirely different story. The message is HTML-based and
contains a mail bug that looks like:

<img src="http://list168.com/CheckEmailReaded.php?email_user=EMAIL_ADDRESS&site=A_CODE" border="0" width="0" height="0">

where EMAIL_ADDRESS is the address of the email
recipient and A_CODE appears to be another unique identifier or some
such.

So, if you opened the message with a HTML-capable mail reader,
you just gave up a LOT of information:

  • first of all (and probably what they were looking for), you've verified a valid email address
  • along with the IP address of the system you use to read mail (for most of us, our home IP)
  • the OS of that system
  • the browser version on that system
  • plus a whole slew of less valuable information

Best case: this was an
attempt at harvesting valid email addresses (ones with humans at the end
of them).

Worse case: this is an attempt to find systems at IP
addresses with specific versions of a browser (pre-staging an
attack).

Worst case: ???

In any case, a bit more can be learned from it. There are three "interesting" lines in the header. Line 1:

Received: from finwait.mrhz.net (ip-64-32-173-93.s1c.megapath.net [64.32.173.93]) by users.757.org (Postfix) with ESMTP id 3BBF83F67B for ; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)

Line 2:

Received: from 64.32.173.93 (unknown [202.160.161.100]) by finwait.mrhz.net (Postfix) with SMTP id D5ADBE0449 for ; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)

Line 3:

Received: from 111.144.71.128 by 202.160.169.134; Thu, 14 Apr 2005 12:58:28 +0300

The first one is valid (generated by the local mail server). The second one is also valid, as finwait.mrhz.net is one of 757's mail handlers. Note what it records, though: the sending host announced itself (HELO) as 64.32.173.93, which is finwait's own address, while the connection actually came from 202.160.161.100, an address with no reverse DNS. That connecting address is the last thing in the chain that can be trusted. The third line carries no bracketed connecting address at all, so it's a good bet that it is forged.

As the primary purpose of the message is getting the mail bug "out there", let's assume that the other URLs and email addresses are garbage.

A quick bit of research on list168.com returns info on the domain, which appears to be registered to "LU huang" in China. The IP address is also Chinese and is owned by "Lui Jing", whose email address is "lakesmi@163.net".

Grabbing the HTTP headers from the site returns:


HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: keep-alive
Content-Location: http://list168.com/index.htm
Date: Sat, 16 Apr 2005 13:03:26 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2005 11:30:42 GMT
ETag: "7efcce27e3f3c41:1642"
Content-Length: 3585

The page returned looks like an error page, but the status above is 200, not 404, so the "error" is a page the site serves on purpose; it's probably intended to be mistaken for an error page by anyone who comes looking.

Grabbing http://list168.com/CheckEmailReaded.php returns two errors:

PHP Notice: Undefined index: email_user in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 77
PHP Notice: Undefined index: site in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 78

Trying to grab http://list168.com/CheckEmailReaded.php?email_user=youre@busted.com&site=avcd returns only the line 78 error.

Trying to grab http://list168.com/CheckEmailReaded.php?email_user=youre@757.org&site=avcd returns the same error.

So... It appears that there's a custom PHP script on the far end.

Performing Google searches on the URLs returns some spam complaints and a lot of Chinese web pages.

Google Groups searches for list168.com and CheckEmailReaded returns the usual spam complaints but not a whole lot of them.

Following the 686.to links leads to a music site and a Chinese porn site (both hosted in Hong Kong).

In summary, it appears to be just an attempt to harvest valid e-mail addresses. All in all, pretty much a waste of an hour, researching the spam.
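Two of the steps above, reading the Received chain and spotting the mail bug in the HTML, are easy to script. The following is an added example written for this page, not part of the original post: it parses the three Received lines quoted above exactly as given, flags the hops whose claims can't be trusted, and pulls the tracking image out of a constructed copy of the spam body (a made-up recipient, user@example.org, stands in for EMAIL_ADDRESS).

```python
import re
import urllib.parse
from html.parser import HTMLParser

# The three Received lines quoted above, top (newest hop) to bottom (oldest claimed hop).
SAMPLE_HEADERS = """\
Received: from finwait.mrhz.net (ip-64-32-173-93.s1c.megapath.net [64.32.173.93]) by users.757.org (Postfix) with ESMTP id 3BBF83F67B for ; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)
Received: from 64.32.173.93 (unknown [202.160.161.100]) by finwait.mrhz.net (Postfix) with SMTP id D5ADBE0449 for ; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)
Received: from 111.144.71.128 by 202.160.169.134; Thu, 14 Apr 2005 12:58:28 +0300
"""

# Constructed stand-in for the spam body: some filler text plus the mail bug from the post.
SAMPLE_HTML = """<html><body><p>&#x4e2d;&#x6587;&#x4e71;&#x7801;</p>
<img src="http://list168.com/CheckEmailReaded.php?email_user=user@example.org&site=A_CODE" border="0" width="0" height="0">
<a href="http://686.to/">...</a></body></html>"""

# "from <claimed> (<rdns> [<ip>]) by <relay> ...; <date>"; the parenthesised part is what the
# receiving relay observed, the rest is what the sender claimed.
_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+).*?;\s*(?P<date>.+)$"
)
_IP_LITERAL = re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$")


def parse_received(headers: str) -> list:
    """Unfold continuation lines, then return one dict per Received header, newest first."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return [m.groupdict() for m in (_RECEIVED.match(l) for l in lines) if m]


def flag_hops(hops: list) -> dict:
    """Index -> reasons a hop should not be taken at face value."""
    flags = {}
    for i, h in enumerate(hops):
        reasons = []
        if h["ip"] is None:
            reasons.append("no connecting address recorded by the relay; nothing here can be verified")
        else:
            if h["rdns"] in (None, "unknown"):
                reasons.append(f"connecting address {h['ip']} has no reverse DNS")
            if _IP_LITERAL.match(h["claimed"]):
                reasons.append(f"sender announced itself (HELO) as a bare address {h['claimed']}")
        if reasons:
            flags[i] = reasons
    return flags


def origin_ip(hops: list):
    """Best available origin: the connecting address recorded by the last hop that recorded one."""
    best = None
    for h in hops:
        if h["ip"] is None:
            break
        best = h["ip"]
    return best


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))


def find_tracking_pixels(html_body: str) -> list:
    """Images that are invisible (0x0 or 1x1) or whose URL query carries an e-mail address."""
    p = _ImgCollector()
    p.feed(html_body)
    found = []
    for a in p.imgs:
        src = a.get("src", "")
        hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        params = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(src).query).items()}
        leaks = any("@" in v for v in params.values())
        if hidden or leaks:
            found.append({"src": src, "hidden": hidden, "params": params, "leaks_address": leaks})
    return found
```

Read the Received chain from the bottom up, trusting each line only as far as you trust the relay that wrote it; here the useful fact is the connecting address 202.160.161.100 that finwait recorded, not the 111.144.71.128 that the bottom line claims.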

Friday, April 15, 2005

Thursday, April 14, 2005

Entrapment?

The Honeypots mailing list has a discussion (http://seclists.org/lists/honeypots/2005/Apr-Jun/0012.html) going on whether or not the use of honeypots can be considered entrapment. I dislike any argument that tries to treat honeypots as entrapment.

I think that Randy Bachman
answers his own question with his definition of a valid entrapment
defense:

  A valid entrapment defense has two related elements: (1) government inducement of the crime, and (2) the defendant's lack of predisposition to engage in criminal conduct.

The entrapment argument fails on element (2) because the attacker is
already predisposed to commit the crime: he is already accessing a system
without authorization.

Law enforcement is not going to bust someone for port scanning. However,
they will go after the attacker that uses SQL injection to break into a
system, honeypot or not. "Average" users do not do that sort of thing, so
the predisposition argument fails.

Can you argue entrapment just because that third drunk
you've rolled in the subway turned out to be a sober police officer
pretending to be drunk?

Wednesday, April 13, 2005

Cleanup

How to minimize metadata in Word documents.

Wireless Security

This argument gets a bit old. Turning off the SSID beacon and setting up MAC filtering take longer to configure than it takes an attacker to get around the security they add: the SSID still goes over the air in probe and association frames, and the MAC addresses of authorized clients are in the clear in every frame they send, so a passive sniffer recovers both.

Tuesday, April 12, 2005

SoTM

Hurry! You have a little less than 4 weeks to get your submissions in for Scan of the Month 34.

PIX IPSec

From NetSec, a collection of PIX configuration documents:

Does squatting still exist?

Take a look at NetCraft's survey and check out the "Hostnames" and "Active" graphs. If I'm reading that correctly, it indicates that only 1 in every 3 domain names (out of a total of 62,286,451) actually return an active site?

Monday, April 11, 2005

Google Maps

MT, over on the Security Blog, has a post about how Google's satellite images freak him out (security-wise).

I now understand why they closed down the airport after the 2001 attacks. (Click on the link to MT's post, above.) Directly to the south of the White House is the Washington Monument. Straight across the river from that (to the southwest) is the Pentagon. The airport is directly across the highway from there. With it being that close, I'm surprised the airport is open now.

Oh, and you can count me amongst those people that are concerned that data of this quality is openly available. Yes, I've enjoyed wasting more than a few minutes looking at places I've been but I'm nervous about certain people looking at places they're interested in visiting.

ATA-186 Config Guide

Here's an ATA-186 configuration guide from RemWave.

Sunday, April 10, 2005

Hard drive practices

Here's yet another article on data recovered from hard drives sold on eBay. I have a better recommendation for getting rid of your old computer equipment: consider not selling your hard drives (including the ones in your printers). Instead, dismantle them and break (or grind) the platters.

Just for info, the platters are engraveable. They make very nice geek awards for departing sys admins or employee of the month (if they fill a geek role).

VoIP Interception

From Interzone and Autoblogiographie: Lawful Interception in VoIP Networks (http://www.wormulon.net/files/pub/Interz0ne_4_-_Lawful_Interception/img0.html).

Saturday, April 9, 2005

Thursday, April 7, 2005

Wednesday, April 6, 2005

Tuesday, April 5, 2005

Monday, April 4, 2005

Back to work

Ever have one of those weekends where you're glad to be back at work on
Monday? I consider this past weekend to be another one of those.

I
missed my usual research-the-week's-posts-on-Saturday-morning routine
because I spent Friday evening/most of Saturday extracting documents
from an un-mountable hard drive and Saturday evening/most of Sunday
researching a "movement" that a friend-of-the-family's stepson wants to
participate in. Actually, the research was quite "interesting",
participants and organized government having differing views (where the
definition of "interesting" matches the Chinese curse version: "May you
live in interesting times.").

The short version of my research is:
"it's a dangerous situation waiting for something bad to happen".

The
longer version amounts to: 10 points to anyone who can figure out what
group I'm talking about when I describe 20K people who camp in a state
forest, on an impromptu site, without permit, support structure (medical
care, refrigeration, sanitation, clean water, electricity), or
organization (law enforcement, fire fighters, rules). 50 points (for
each of the following categories) if you can describe the environmental,
financial, health, and legal issues created when those 20K people stay
for a month.

Scary.

Browser Forensics

Here's what appears to be the first installment of an interesting series: Web Browser Forensics.

Sunday, April 3, 2005

HashDig

HashDig is a project for comparing the hash of a local file to a database of known hashes.

Saturday, April 2, 2005

This year's pranks

I wasn't able to keep tabs on a lot of this year's pranks but here's
this year's joatBlog 04/01 Awards:
  • The Funniest: The claim of discovery of a pr0n Easter Egg within MS Office. I find it funny as it was outside of the usual Man Pregnant/New Protocol announcements that I was expecting.
  • The Most Insidious: The announcement that the Internet will be taken down for a short time for maintenance. Insidious in that it caused a bunch of Full Disclosure readers to post tongue-in-cheek responses which other readers mistook for plausible, and they started complaining about and ridiculing the second-stage posters.
  • The Dumbest: The Ribbed-For-Its-Pleasure method of transferring songs between iPods (ThinkGeek! You can do better).
  • The Most Obtuse: The new information transfer method from Opera.

Anyone see
any others?

YASC (Yet Another ServU Compromise)

I seem to have a "thing" for these analyses. Maybe it's because the first real-life incident that I was directly exposed to involved ServU.

Friday, April 1, 2005

IDABench

Shadow (http://www.open-mag.com/features/Vol_18/shadow/SHADOW.htm) has been around for years. It was one of the first traffic analysis tools available, allowing the user to analyze aggregate data gathered from packet headers. It was "cutting edge" at the time and has inspired other non-standard tools to view network traffic.

IDABench is another of those tools, this one providing a web front-end to the analysis. All in all, it's still a libpcap-based analysis tool. One of its nice features is that you can export a tcpdump-readable file via the web interface, so adding analysts doesn't mean adding root access to a sensor or console.
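Here is the kind of header-only aggregation Shadow and IDABench do, as an added example written for this page (not code from either project). It reads a classic libpcap file (the format tcpdump writes), constructed inline from hand-built Ethernet/IPv4/TCP frames with made-up 10.0.0.x addresses, counts talker pairs from the headers alone, and flags a source that sends bare SYNs to many distinct ports without completing a handshake, which is the sort of thing an aggregate view of headers is good at surfacing.

```python
import socket
import struct
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10


def _ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP headers only, no payload; checksums left at zero since
    header analysis never looks at them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames, linktype=1):
    """Classic libpcap file: 24-byte global header, then (16-byte record header, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_114_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield (timestamp, frame bytes) from a classic pcap; byte order comes from the magic."""
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond and pcapng variants not handled)")
    linktype = struct.unpack_from(endian + "IHHiIII", data)[6]
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def decode_headers(frame):
    """Pull addresses, protocol, ports and TCP flags out of an Ethernet/IPv4 frame; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23], "sport": None, "dport": None, "flags": None}
    l4 = frame[14 + ihl:]
    if rec["proto"] in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if rec["proto"] == 6 and len(l4) >= 14:
        rec["flags"] = l4[13]
    return rec


def summarize(pcap_bytes, scan_threshold=5):
    """Talker-pair counts plus sources that sent SYN (no ACK) to at least scan_threshold distinct targets."""
    pairs = Counter()
    syn_targets = defaultdict(set)
    for _ts, frame in iter_records(pcap_bytes):
        h = decode_headers(frame)
        if h is None:
            continue
        pairs[(h["src"], h["dst"])] += 1
        if h["flags"] is not None and (h["flags"] & (SYN | ACK)) == SYN:
            syn_targets[h["src"]].add((h["dst"], h["dport"]))
    suspects = {s: sorted(t) for s, t in syn_targets.items() if len(t) >= scan_threshold}
    return {"pairs": pairs, "syn_scan_suspects": suspects}


# Constructed capture: 10.0.0.5 probes five ports on 10.0.0.9; 10.0.0.7 completes a normal handshake.
SAMPLE_PCAP = build_pcap(
    [_ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 40000 + i, port, SYN) for i, port in enumerate((21, 22, 23, 25, 80))]
    + [_ipv4_tcp_frame("10.0.0.7", "10.0.0.9", 50000, 80, SYN),
       _ipv4_tcp_frame("10.0.0.9", "10.0.0.7", 80, 50000, SYN | ACK),
       _ipv4_tcp_frame("10.0.0.7", "10.0.0.9", 50000, 80, ACK)])
```

Feeding it a real capture is just `summarize(open("trace.pcap", "rb").read())`; since only the first 54 bytes of each frame are consulted, a sensor can run with a small snaplen and never store payload, which is the same property that lets analysts work from exported files rather than from the sensor itself.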