Tuesday, May 31, 2005
Another trip
Monday, May 30, 2005
ZombieMeter
(Blackhat.info and ZDNet, http://news.zdnet.com/2100-1009_22-5722305.html?part=rss&tag=feed&subj=zdnet) CipherTrust has used some of the data gathered from their mail filtering appliances to produce the ZombieMeter.
Sunday, May 29, 2005
Saturday, May 28, 2005
Friday, May 27, 2005
Thursday, May 26, 2005
State Taxes
sources of data so, for my benefit, here is a site that lists the tax rates of all 50 states.
Wednesday, May 25, 2005
Tuesday, May 24, 2005
MAIDS
is that I don't get to do the usual amount of research, so I have to
rely on my backlog for source material. In any case...
Here's a site with a collection of papers related to "Mining Alarming Incidents in Data Streams" (MAIDS). (No, not the NT file system.)
Monday, May 23, 2005
More on spammers
tracing the spammers (from a while ago). Ann Elisabeth has
performed a lot more research and has gotten a lot farther than I did.
She also took advantage of a server crash.
Sunday, May 22, 2005
Spring Cleaning
and some things may not work properly for a short while.
XTen
Saturday, May 21, 2005
Legal?
in the future.
Not to break existing practice, I have an issue with Darren Miller's article, "Road Warrior at Risk: The Dangers of Ad-Hoc Wireless Networking". While it's a pretty good article on the dangers of ad-hoc wireless, I find the author's attitude about sniffing wireless to be a bit too cavalier.
In the wired world, port scanning is not deemed trespass. It's considered an annoyance. However, sniffing traffic and accessing systems without permission is a definite no-no. Why should it be any different in the wireless realm? Is it any different? This is an issue that will probably need to be decided in court.
While tools like AirFart will probably be considered to be amongst the benign category, tools like Kismet carry the possibility of landing a war-driver in court. "But Kismet is a passive tool," you say? True, but it's passive in the same manner that any wired sniffer is. Don't forget that Kismet does create pcap-compatible packet dumps. Accessing those capture files is probably the legal equivalent of accessing the network(s) that the traffic came from.
So...
If you're a traveler, you
should consider encrypting all of your traffic as it leaves your
computer (use a VPN) or only access generic sites that do not require
login or interaction. (Visit CNN, read /., etc.)
If you're a
journalist in search of a story (or anyone else armed with a sniffer),
stay off of other people's computers and don't capture their traffic.
If you're caught doing it, you may end up in cuffs.
Thursday, May 19, 2005
Wednesday, May 18, 2005
PSP
Here is an iHacked article on the browser built into the PSP handheld. I'm fascinated by
them. At last week's course, one classmate had one (and used it to find
a hidden AP), another classmate won one of the three given away in
drawings.
Tuesday, May 17, 2005
Laser Audio
that'll happen): Transmit Audio with a Laser Pen (http://www.i-hacked.com/index.php?option=com_content&task=view&id=162&Itemid=44).
Monday, May 16, 2005
Botnet Tracking
Botnets is a paper from The Honeynet Project that gives the basic
theory behind botnets and how to track them.
Sunday, May 15, 2005
Back home
learn new things, we entertained ourselves (catching the wardriver was
hilarious) (Note to the Denver financial district: you really should
keep an eye on who's sitting at the curb).
Short version of the
course? Don't put anything on wireless that you're not willing to lose
or publicly disclose. This applies if you're using WEP, WPA or even
WPA2. Some protections are inherently faulty, others are secure only
until someone fat-fingers a config file.
Common Failures in Internet Applications
Applications", please let me know what you think of the lecture(s).
Saturday, May 14, 2005
Hacker Jailed
pointer to an article that tells of the sentencing of a member of Thr34t Krew to 21 months of jail time. I'm a bit amazed that it was that short of a sentence as this group has been around a while. Other than the usual "hacker arrested" stories, I'm able to find:
- Close Encounters of the Hacker Kind: A Story from the Front Line (http://www.informit.com/articles/article.asp?p=30286&redir=1)
- Owned by the THR34T Krew (Part 1)
- Owned by the THR34T Krew (Part 2)
- Why Low Level Disk Auditing is as Important as Virus Scanning (uses TK as an example)
- Could be unrelated but they might also be gamers (http://www.worldogl.com/view_clan_info.php?clanid=49969)
Oh, and Sophos says the group is
responsible for the TKBot.
Friday, May 13, 2005
D'oh!
How about, the SSID of the AP in the classroom gets changed to "we-see-you-in-the-car" and a ping storm is sent through the AP so that it "sticks out" in whatever listing his tool has. Then get a half dozen or so in the class to stand in the window and wave/point.
Okay, we're having too much fun.
ISC
- DShield is interested in the home user. Logs from your routers give them a much broader view of what's going on than logs from a large organization.
- When you turn in your logs, please sanitize them. Replace the first octet with "10".
- The INFOCon alert status is available as an RSS feed (I still have to find it).
- The ISC site can be viewed without any browser-side scripting (no Java, no JavaScript, no VBS, etc.).
The BOF was very interesting. I came away from it with a couple ideas to work on. One of those is coming up with a script, to run on those modified 54G's that many of us have, so that the router logs can be turned in once per hour (as Johannes requested). Another is to investigate how the black hats are employing IPv6 as a covert channel.
Should keep me busy for a while....
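As an added example (not from the post or from the ISC), here is a small POSIX shell/awk filter that applies the sanitization rule above, rewriting the first octet of every IPv4 address in a router log line to 10 before the hourly log submission; the sample log line is constructed.

```shell
#!/bin/sh
# Added example: sanitize router firewall log lines before handing them
# to DShield by rewriting the first octet of every dotted-quad IPv4
# address to 10, as the ISC asked. Reads stdin, writes stdout.
sanitize_logs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            # match an IPv4 address anywhere in the field, so both bare
            # addresses and iptables-style SRC=a.b.c.d / DST=a.b.c.d work
            if (match($i, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                head = substr($i, 1, RSTART - 1)
                ip   = substr($i, RSTART, RLENGTH)
                tail = substr($i, RSTART + RLENGTH)
                sub(/^[0-9]+/, "10", ip)
                $i = head ip tail
            }
        }
        print
    }'
}

# Constructed sample line in the iptables/syslog style a Linksys-class
# router emits; the addresses are made up.
SAMPLE_LOG='May 13 10:00:01 router kernel: DROP IN=vlan1 SRC=203.0.113.7 DST=198.51.100.42 PROTO=TCP SPT=4321 DPT=135'

# Returns the sanitized sample line so the result can be checked.
sanitize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | sanitize_logs
}
```

It masks every address on the line, which is what the rule above says; since DShield's value comes from the attacking source addresses, confirm with the ISC's current submission guidance whether only your own (destination) address should be masked.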
Thursday, May 12, 2005
SANS
Mobile IPv6
on the IPv6 version.
Wednesday, May 11, 2005
It ain't getting any better
with me for thinking that undocumented
or hidden equates to secure. What's that old line about repeating
history? [*sigh*]
Tuesday, May 10, 2005
Monday, May 9, 2005
CarolinaCon
June 10-12 this year. The schedule looks interesting.
Black Hat Archives
Black Hat Media Archives now and then.
Sunday, May 8, 2005
Fear
for me. I'm on my way to Denver and I'll be a nervous wreck for the
entirety of the trip.
VoP Security Forum
over Packet Security Forum. The forums (there's a link in the left-hand
menu) are a bit light in content at the moment but hopefully the site
will gain popularity.
Saturday, May 7, 2005
Spam clustering
has a piece on spam clustering (http://the-mathclub.net/index.php/Spam_Clustering).
Friday, May 6, 2005
Hacker Trespasser Exception
Thursday, May 5, 2005
MS adds a black box
This sort of thing gives CIOs
nightmares as the error reports often include the documents/programs
that were open at the time. On the up side, Microsoft sells an in-house
version of the error-reporting server so that you don't have to expose
your corporate secrets directly to Microsoft.
Wednesday, May 4, 2005
Packet analysis
at the packet level. Three years later, I'm still
attached to what amounts to the network boonies (on the back edge of
their infrastructure) and I still suffer from massive ARP storms. When
your management traffic becomes so extreme that your customer traffic
suffers, something is definitely wrong.
I've received everything from
the "I'm the help desk, the problem is in your computer" treatment to
having to talk to security because someone was upset that I supplied the
help desk with a packet capture of what's pounding on the outer
interface of my router.
There's little else I can do except live with
it. They're the only game in this area of town at the moment (short of
dial-up).
Tuesday, May 3, 2005
Pending analysis
archiving comment spam. I now have a bit over 800 spam entries that I
will analyze over the next couple weeks.
I may be biasing the results
a bit but I expect that a majority of entries will be posted from a broad
number of source IPs (zombie machines?) but will involve domains from a
certain registrar. I'll keep you posted.
Skype protocol
Here is a paper
from Columbia University entitled "An Analysis of the Skype Peer-to-
Peer Internet Telephony Protocol".
Monday, May 2, 2005
Cutting edge?
a clue to Microsoft? Some of us are already on the IPv6 backbone via a tunnel set up with a Linksys router.
Although I occasionally have to log in to my tunnel broker and reset the tunnel (due to my ISP changing my external IP), I don't have to make any configuration changes to my laptop. It auto-configures thanks to the radvd daemon. Just boot and go.
It should be noted that the firmware that I use on the Linksys is almost a year old. The newer versions include QoS and better network management tools.
Anti-Forensics
something that you need to know about, otherwise the blackhats have yet
another advantage.
Here is the
article that The Grugq wrote just before he was fired from @stake,
exposing various flaws in specific forensic tools. It's valuable info,
both for the blackhats AND the whitehats (so that they know it
when they see it).
Sunday, May 1, 2005
Dumb
to secure a wireless LAN" over on ZDNet. I agree with eDave. We can
probably come up with more than six though, but George Ou's post is a
good read.
Add this to the wish list: someone needs to author a good
article on using wireless intrusion detection systems and how a wired
IDS is almost useless for monitoring wireless network extensions.