Tuesday, May 31, 2005
Monday, May 30, 2005
(Blackhat.info and ZDNet: http://news.zdnet.com/2100-1009_22-5722305.html?part=rss&tag=feed&subj=zdnet) CipherTrust has used some of
the data gathered from their mail-filtering appliances to produce the ZombieMeter.
Saturday, May 28, 2005
Friday, May 27, 2005
Thursday, May 26, 2005
Wednesday, May 25, 2005
Tuesday, May 24, 2005
is that I don't get to do the usual amount of research, so I have to
rely on my backlog for source material. In any case...
Here's a site
with a collection of papers related to "Mining Alarming Incidents in
Data Streams" (MAIDS). (No, not the NT file system.)
Monday, May 23, 2005
Sunday, May 22, 2005
Saturday, May 21, 2005
in the future.
Not to break existing practice, I have issue with
Darren Miller's article, "Road Warrior at
Risk: The Dangers of Ad-Hoc Wireless Networking". While it's a
pretty good article on the dangers of ad-hoc wireless, I find the
author's attitude about sniffing wireless to be a bit too cavalier. In
the wired world, port scanning is not deemed as trespass. It's
considered an annoyance. However, sniffing traffic and accessing
systems without permission is a definite no-no. Why should it be any
different in the wireless realm? Is it any different? This is an issue
that will probably need to be decided in court.
While tools like
AirFart will probably be considered to be amongst the benign category,
tools like Kismet carry the possibility of landing a war-driver in
court. "But Kismet is a passive tool," you say? True, but it's passive
in the same manner that any wired sniffer is. Don't forget that Kismet
does create pcap-compatible packet dumps. Accessing those
capture files is probably the legal equivalent of accessing the network(s) that the traffic came from.
If you're a traveler, you
should consider encrypting all of your traffic as it leaves your
computer (use a VPN) or only access generic sites that do not require
login or interaction. (Visit CNN, read /., etc.)
If you're a
journalist in search of a story (or anyone else armed with a sniffer),
stay off of other people's computers and don't capture their traffic.
If you're caught doing it, you may end up in cuffs.
Friday, May 20, 2005
Thursday, May 19, 2005
Wednesday, May 18, 2005
Here is an iHacked
article on the browser built into the PSP handheld. I'm fascinated by
them. At last week's course, one classmate had one (and used it to find
a hidden AP), another classmate won one of the three given away in
Tuesday, May 17, 2005
Monday, May 16, 2005
Sunday, May 15, 2005
learn new things, we entertained ourselves (catching the wardriver was
hilarious) (Note to the Denver financial district: you really should
keep an eye on who's sitting at the curb).
Short version of the
course? Don't put anything on wireless that you're not willing to lose
or publicly disclose. This applies if you're using WEP, WPA or even
WPA2. Some protections are inherently faulty, others are secure only
until someone fat-fingers a config file.
Saturday, May 14, 2005
pointer to an article
that tells of the sentencing of a member of Thr34t Krew to 21 months of
jail-time. I'm a bit amazed that it was that short of a sentence as
this group has been around a while. Other than the usual "hacker
arrested" stories, I'm able to find:
- Close Encounters of the Hacker Kind: A Story from the (http://www.informit.com/articles/article.asp?p=30286&redir=1)
- Owned by the THR34T Krew (Part 1)
- Owned by the THR34T Krew (Part 2)
- Low Level Disk Auditing is as Important as Virus Scanning (uses TK as an example)
- Could be unrelated but they might also be http://www.worldogl.com/view_clan_info.php?
Oh, and Sophos says the group is
responsible for the TKBot.
Friday, May 13, 2005
How about this: the SSID of the AP in the classroom gets changed to "we-see-you-in-the-car" and a ping storm is sent through the AP so that it "sticks out" in whatever listing his tool has. Then get a half dozen or so in the class to stand in the window and wave/point.
Okay, we're having too much fun.
- DShield is interested in the home user. Logs from your routers give them a much broader view of what's going on than logs from a large organization.
- When you turn in your logs, please sanitize them. Replace the first octet with "10".
- The INFOCon alert status is available as an RSS feed (I still have to find it).
The BOF was very interesting. I came away from it with a couple of ideas to work on. One of those is coming up with a script to run on those modified 54G's that many of us have, so that the router logs can be turned in once per hour (as Johannes requested). Another is to investigate how the black hats are employing IPv6 as a covert channel.
Should keep me busy for awhile....
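An added example (mine, not from the post, DShield, or any router firmware) of the sanitizing step above, written as a POSIX shell function that would run on a modified WRT54G's busybox shell or on a Linux host. It rewrites the first octet of the DST= (our own) address in netfilter-style log lines to 10 and leaves SRC= intact, on the assumption that the probing source address is what DShield needs whole; the log lines are constructed samples, and the hourly submission itself is not shown. Older busybox builds may need `sed -r` in place of `sed -E`.

```shell
#!/bin/sh
# Added example: sanitize netfilter/iptables log lines before sending them
# to DShield. Assumption: only our own address (DST=) needs obfuscating;
# the probing source (SRC=) stays intact so the data is still useful.

# Constructed sample log lines (not real router output).
SAMPLE_LOG='May 13 09:00:01 gw kernel: DROP IN=vlan1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4321 DPT=135
May 13 09:00:02 gw kernel: DROP IN=vlan1 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=1026 DPT=1434
May 13 09:00:03 gw kernel: DROP IN=vlan1 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=4322 DPT=445'

# Rewrite the first octet of every DST= address to 10; reads stdin, writes stdout.
sanitize_log() {
    sed -E 's/DST=[0-9]{1,3}\.([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/DST=10.\1/g'
}

# Return 0 if no DST= address with a first octet other than 10 survives on
# stdin, 1 otherwise. Run this before anything leaves the router.
verify_sanitized() {
    if grep -E 'DST=[0-9]+\.' | grep -Ev 'DST=10\.' >/dev/null; then
        return 1
    fi
    return 0
}

# Count distinct probing sources: a cheap check that the interesting
# column was not touched by the rewrite.
count_sources() {
    sed -En 's/.*SRC=([0-9.]+).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Usage on the router (hourly from cron):
#   sanitize_log </var/log/messages >/tmp/dshield.txt
#   verify_sanitized </tmp/dshield.txt || exit 1
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | sanitize_log
```

The verify step matters more than the rewrite: a regex that misses one line format (a second DST= token, a line with no space before DST) leaks your address, so refuse to submit unless the check passes.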
Thursday, May 12, 2005
Wednesday, May 11, 2005
Tuesday, May 10, 2005
Monday, May 9, 2005
Sunday, May 8, 2005
Saturday, May 7, 2005
Friday, May 6, 2005
Thursday, May 5, 2005
This sort of thing gives CIOs
nightmares as the error reports often include the documents/programs
that were open at the time. On the up side, Microsoft sells an in-house
version of the error-reporting server so that you don't have to expose
your corporate secrets directly to Microsoft.
Wednesday, May 4, 2005
at the packet level. Three years later, I'm still
attached to what amounts to the network boonies (on the back edge of
their infrastructure) and I still suffer from massive ARP storms. When
your management traffic becomes so extreme that your customer traffic
suffers, something is definitely wrong.
I've received everything from
the "I'm the help desk, the problem is in your computer" treatment to
having to talk to security because someone was upset that I supplied the
help desk with a packet capture of what's pounding on the outer
interface of my router.
There's little else I can do except live with
it. They're the only game in this area of town at the moment (short of
Tuesday, May 3, 2005
archiving comment spam. I now have a bit over 800 spam entries that I
will analyze over the next couple weeks.
I may be biasing the results
a bit but I expect that a majority of entries will be posted from a broad
number of source IP's (zombie machines?) but will involve domains from a
certain registrar. I'll keep you posted.
Monday, May 2, 2005
a clue to Microsoft? Some of us are already on the IPv6 backbone via a tunnel set up with a Linksys router.
Although I occasionally have to log in to my tunnel broker and reset the tunnel (due to my ISP changing my external IP), I don't have to make any configuration changes to my laptop. It auto-configures thanks to the radvd daemon. Just boot and go.
It should be noted that the firmware that I use on the Linksys is almost a year old. The newer versions include QoS and better network management tools.
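As an added illustration of the auto-configuration described above (my example, not the firmware's own scripts and not any real tunnel broker's settings), here is the shape of the router-side setup on a Linux-based WRT54G firmware: a 6in4 (sit) tunnel to the broker, and a radvd.conf that advertises the routed /64 on the LAN so that a laptop configures itself with SLAAC. The prefix, endpoint addresses and interface names are placeholders from the documentation ranges, `get_wan_ip` is a stand-in for whatever your firmware uses to read the WAN address, and the broker-side endpoint reset the post mentions still has to be done at the broker.

```shell
#!/bin/sh
# Added example: bring up a 6in4 tunnel and advertise the delegated prefix
# with radvd. All addresses are documentation placeholders (assumptions).
BROKER_V4=192.0.2.1                  # broker's IPv4 tunnel endpoint
TUNNEL_LOCAL_V6=2001:db8:0:1::2/64   # our side of the tunnel's point-to-point /64
ROUTED_PREFIX=2001:db8:100::/64      # the /64 routed to us, advertised on the LAN
LAN_IF=br0
TUN_IF=sit1

# Emit a radvd.conf that advertises prefix $2 on interface $1.
# AdvAutonomous on is what lets hosts build their own address from the
# prefix (SLAAC), so no per-host configuration is needed: "just boot and go".
radvd_conf() {
    cat <<EOF
interface $1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix $2
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# (Re)create the tunnel with the current WAN address as the local endpoint;
# rerun this when the ISP hands out a new address. Needs root and the sit
# module; the broker must still be told about the new endpoint separately.
setup_tunnel() {
    wan_ip=$1
    ip tunnel del "$TUN_IF" 2>/dev/null
    ip tunnel add "$TUN_IF" mode sit remote "$BROKER_V4" local "$wan_ip" ttl 64
    ip link set "$TUN_IF" up
    ip -6 addr add "$TUNNEL_LOCAL_V6" dev "$TUN_IF"
    ip -6 route add ::/0 dev "$TUN_IF"
    # Our end of the routed prefix on the LAN, so the router answers for it.
    ip -6 addr add "${ROUTED_PREFIX%::/64}::1/64" dev "$LAN_IF"
    sysctl -w net.ipv6.conf.all.forwarding=1
}

# Usage on the router (not run here):
#   radvd_conf "$LAN_IF" "$ROUTED_PREFIX" > /etc/radvd.conf
#   setup_tunnel "$(get_wan_ip)"   # get_wan_ip: placeholder for your firmware's WAN lookup
#   radvd -C /etc/radvd.conf
# Stand-alone demonstration: show the generated configuration.
radvd_conf "$LAN_IF" "$ROUTED_PREFIX"
```

Note that the tunnel and the advertised prefix are two different /64s: the point-to-point /64 lives only on the tunnel, while hosts on the LAN derive their addresses from the routed prefix, which is the one radvd hands out.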
something that you need to know about, otherwise the blackhats have yet
Here is the
article that The Grugq wrote just before he was fired from @stake,
exposing various flaws in specific forensic tools. It's valuable info,
both for the blackhats AND the whitehats (so that they know it
when they see it).
Sunday, May 1, 2005
to secure a wireless LAN" over on ZDNet. I agree with eDave. We can
probably come up with more than six, though, but George Ou's post is a
Add this to the wish list: someone needs to author a good
article on using wireless intrusion detection systems and how a wired
IDS is almost useless for monitoring wireless network extensions.