Fri, 31 Dec 2004
Thu, 30 Dec 2004
Here is a site discussing basic web proxy theory. An interesting part near the end discusses "chaining" of proxies so that each department in an organization can maintain its own usage policy while the organization as a whole imposes its own baseline set of rules: a request passes through the departmental proxy's rules first and then the upstream proxy's, so the effective policy is the aggregate of both. This effectively "chains" usage policies.
joat: 13:00:00 30 Dec 2004 |
Wed, 29 Dec 2004
Tue, 28 Dec 2004
Mon, 27 Dec 2004
I made the following with PowerPoint and converted it to a GIF so it's a bit basic. However, the information is valuable enough. The numbers across the top are frequencies in MHz.
joat: 13:00:00 27 Dec 2004 |
Sun, 26 Dec 2004
QSL.net has a very nice link page.
joat: 15:00:00 26 Dec 2004 |
Sat, 25 Dec 2004
Fri, 24 Dec 2004
Normally I spend the first day of the weekend blogging most of the
following week. Today is an exception, for obvious reasons. I have
gifts to wrap, dishes to wash, animals to feed. Somehow I have to
figure out how to sneak my son's and his girlfriend's presents into the
house (past them). HBO is running Carnivale again this coming week so I
have to find time to set up the record schedule. You get the idea. In any case, blogging
this week may be a little erratic. Here's today's... IBM has an
article about building clusters with custom
Knoppix CD's. Knoppix seems to be one of those tools that finds its
way into everything. Since our appliances will soon have their own IPv6
addresses, what's next? Washing Machine Knoppix? Fish Tank Knoppix?
Lawn Mower Knoppix? Don't laugh! Mix in a little wireless or
broadband-over-power-line and it's not that much of a stretch.
joat: 17:00:00 24 Dec 2004 |
Thu, 23 Dec 2004
The Web Applications Security mailing list has a pointer to a paper which discusses "session riding". It amounts to making a logged-in user's browser send requests the attacker chose, riding on the user's existing session: the site sees a request carrying the user's own session cookie and can't tell it from one the user meant to make. Delivery can be as simple as HTML e-mail. When the user's e-mail client renders the HTML, an embedded image or form request goes to the target site with the user's credentials attached, and whatever that request does (change a password, move money) happens in the user's name.
joat: 13:00:00 23 Dec 2004 |
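The pattern in that paper, as an added example (my own code, not from the paper or the list): a bank-style endpoint that trusts the session cookie alone beside the same endpoint hardened with a per-session token. The bank, its session table, the account balances and the two requests are constructed; the e-mail variant also assumes the mail client renders HTML with the same cookie jar as the browser, which is exactly what the paper relies on.

```python
"""Added example, not from the paper the post links to.  'Session riding'
is what is now called cross-site request forgery: the victim's browser (or
an HTML mail client sharing its cookie jar, the assumption the e-mail
variant rests on) attaches the session cookie to any request the attacker's
markup makes it send.  The bank endpoint, session table and requests here
are constructed; the fix is a per-session token the attacker cannot read,
required on every state-changing request."""
import hmac
import secrets


class Bank:
    def __init__(self):
        # Constructed session table: cookie value -> logged-in user and CSRF token.
        self.sessions = {"sid-4f2a": {"user": "alice", "csrf": secrets.token_hex(16)}}
        self.balances = {"alice": 1000, "mallory": 0}

    def transfer_form(self, sid):
        """The legitimate page embeds the session's token in the form."""
        token = self.sessions[sid]["csrf"]
        return (f'<form method="POST" action="/transfer">'
                f'<input type="hidden" name="csrf" value="{token}">'
                f'<input name="to"><input name="amount"><input type="submit"></form>')

    def _move(self, user, req):
        amount = int(req["params"]["amount"])
        self.balances[user] -= amount
        self.balances[req["params"]["to"]] += amount
        return 200, "ok"

    def transfer_vulnerable(self, req):
        """Trusts the cookie alone, on any method: a GET from <img src> works."""
        sess = self.sessions.get(req["cookies"].get("sid"))
        if sess is None:
            return 401, "login required"
        return self._move(sess["user"], req)

    def transfer_hardened(self, req):
        """Same endpoint with the two checks that stop a forged request."""
        sess = self.sessions.get(req["cookies"].get("sid"))
        if sess is None:
            return 401, "login required"
        if req["method"] != "POST":                     # no state change on GET (images, links)
            return 405, "method not allowed"
        token = req["params"].get("csrf", "")
        if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
            return 403, "missing or bad csrf token"
        return self._move(sess["user"], req)


def forged_request(sid):
    """What the victim's client sends when an HTML mail containing
    <img src="http://bank.example/transfer?to=mallory&amount=500"> is rendered:
    attacker-chosen parameters, the victim's cookie, no token."""
    return {"method": "GET", "cookies": {"sid": sid},
            "params": {"to": "mallory", "amount": "500"}}


def legitimate_request(bank, sid):
    """A submission of the real form, token included."""
    return {"method": "POST", "cookies": {"sid": sid},
            "params": {"to": "mallory", "amount": "500",
                       "csrf": bank.sessions[sid]["csrf"]}}


def demo():
    """Returns (vulnerable status, alice's balance, hardened status, alice's balance)."""
    victim = Bank()
    s1, _ = victim.transfer_vulnerable(forged_request("sid-4f2a"))
    b1 = victim.balances["alice"]
    victim = Bank()
    s2, _ = victim.transfer_hardened(forged_request("sid-4f2a"))
    b2 = victim.balances["alice"]
    return s1, b1, s2, b2


if __name__ == "__main__":
    print(demo())
```

The token has to be unguessable and bound to the session; the attacker's HTML can make the browser send a request but cannot read the victim's page to copy the token out of it. Refusing GET for state changes is the cheaper half of the fix and on its own stops the `<img>` trick, but not an auto-submitted form, which is why the token check is the one that matters.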
Wed, 22 Dec 2004
Tue, 21 Dec 2004
Microsoft has stated that they've switched virus scanners to "provide a safer online experience for consumers". Considering that it's probably more of a financial issue or a programming difficulty (e.g., can't interface the scanner with the webmail), it's a bad choice of words for the supposed cause. We may see a lawsuit because a corporation has taken a public position on the quality of a competitor's product (remember Microsoft purchased two companies last year for this purpose). It's one thing to say your own product is better than everyone else's. It's another to say (or directly imply) that a competitor's product is crap. Without proof, that is.
joat: 22:30:00 21 Dec 2004 |
Activeworx has released a new version of its Honeynet Security Console (for Win2K/XP). Screenshots are here.
joat: 13:00:00 21 Dec 2004 |
Mon, 20 Dec 2004
Sun, 19 Dec 2004
More news from the wireless front:
joat: 19:00:00 19 Dec 2004 |
Here's part one of a two part series on the current problems with WiFi encryption. The focus is on WEP but it does touch on other topics. One thing to keep in mind: if WEP is the best you have, it's better than nothing, and a WEP deployment can be made a bit less bad via basic practices such as periodically changing keys. Rotation only shortens the attacker's window, though. WEP's 24-bit IV guarantees that a busy network reuses RC4 keystream within hours, and the key itself can be recovered from enough captured traffic, so the real fix is moving to WPA wherever the hardware supports it.
joat: 18:00:00 19 Dec 2004 |
Sat, 18 Dec 2004
joat: 13:00:00 18 Dec 2004 |
Fri, 17 Dec 2004
Found Yet Another Security Related Blog ( YASRB). Here's the RSS feed.
joat: 13:00:00 17 Dec 2004 |
Thu, 16 Dec 2004
In doing work-ups for malicious code analysis, I've been using Full Disclosure as a source as it allows attachments. This allows me to download onto a non-MS machine, run a virus scanner and do other things while deciding to use the sample or not. In the process, I usually hit Google also. In trying to figure out "You_are_dismissed.com" (it's Bagle.Ap) I found tasklist.org. It appears to be a really good source for identifying unknown (unauthorized) processes.
joat: 14:00:00 16 Dec 2004 |
Tom Dunigan has a very large security-related link list.
joat: 13:30:00 16 Dec 2004 |
InfoSec Writers has a good analysis of the JPEG Processing Buffer Overrun.
joat: 13:00:00 16 Dec 2004 |
Wed, 15 Dec 2004
Here's an online howto for configuring Putty to tunnel your email traffic safely.
joat: 13:30:00 15 Dec 2004 |
Yesterday I posted about a blog run by Deb Radcliff. It appears she has quite an anthology of articles.
joat: 13:00:00 15 Dec 2004 |
Tue, 14 Dec 2004
Don't know if I've blogged about it before but HP's free classes site is still online. Topics include firewalls, desktop publishing, MS, Linux, virus protection best practices, organize your life, and many more.
joat: 13:30:00 14 Dec 2004 |
Picked up a couple new blogs: Security Awareness (run by Greg Hoffman) and Security Chief (run by Deb Radcliff). Both people are associated with Winn Schwartau, a "security type" and a real character. My first "run in" with him was when someone bulk emailed an employer with tons of weird email (looked like mail bugs) and the source had his name in the registry.
joat: 13:00:00 14 Dec 2004 |
Mon, 13 Dec 2004
Here's Dave Dittrich's home page. Of note are the links on the left hand side of the page. He maintains some really good lists of sites related to various security topics.
joat: 13:30:00 13 Dec 2004 |
Here's a good article which discusses the difficulties in detecting complex viruses.
joat: 13:00:00 13 Dec 2004 |
Sun, 12 Dec 2004
Here's a good article which discusses network attacks and breaks them down into five basic types.
joat: 13:00:00 12 Dec 2004 |
Sat, 11 Dec 2004
Tony Bradley has posted about a site with free CISSP training. This is one of the certifications that will become a bit more valuable in the near future. The Federal Trade Commission is currently suing two companies for lack of GLB compliance. The orders they're trying to get signed include the directive to obtain a satisfactory assessment of their network within 180 days and include the following statement:
Each assessment shall be prepared by a person as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.
Prediction: You'll see the quals thing get out of hand, even some fakery/foolery that will require either tighter control of quals or the government creating its own quals requirements. Stand by for an industry shift! joat: 13:00:00 11 Dec 2004 |
Fri, 10 Dec 2004
This article is a bit sensationalist ("piles on" semi-unrelated facts in order to scare you) but is mostly accurate. Anyone seen "Sweet Tooth" in action? (No, not the Pogo game!)
joat: 13:30:00 10 Dec 2004 |
For entertainment, try viewing the videos at The Broken. They're made by a couple of recognizable faces. I'm not sure if what they're showing is illegal or not, most of it is pretty mild or very old. For you conspiracy types, it proves that there was dark forces behind that TV show. Hacking with Ramzi is really, really bad.
joat: 13:00:00 10 Dec 2004 |
Thu, 09 Dec 2004
If you're reading this around 7 p.m. EST, I'm at the Biergarden on High Street in Portsmouth, overdosing on an odd version of potato soup and helping to run a local version of geek trivia. It's part of what is becoming a tradition in that the last (unofficial) day of class is held at the Biergarden. I'm addicted to the potato soup, which I'm not supposed to have due to its content. I don't have the recipe for it (hope to though) but it contains what looks like small bits of pot roast, potato slices, and spaetzle in a clear beef broth. Occasionally, another veggie may make a cameo appearance but the base recipe is delicious. Anything with spaetzle can't be all that bad, right? If you can find someone who makes good spaetzle, heifering, and dumpfnodle hire 'em, marry 'em, or otherwise move in with them. Same goes for lumpia and pansit. And before you food vacuums at 757 ask, mine's only passable so you ain't moving in with me. Apologies for the spelling.
joat: 23:30:00 9 Dec 2004 |
Interesting visualization tool. I don't expect it to go anywhere but it is a different approach (see the screenshots). Decent GL links on the page too. (via HITB)
joat: 13:00:00 9 Dec 2004 |
Wed, 08 Dec 2004
Ubiqx.org has everything you ever wanted to know about SMB (and probably much, much more).
joat: 13:30:00 8 Dec 2004 |
I think " Ten Questions to Ask About Application Security Systems" is appropriate, especially when a lot of our applications are moving onto the web server. They are appropriate elsewhere, especially when the other "move" is away from application proxies and towards "deep packet inspection" (which is inappropriate for HTTP traffic).
joat: 13:00:00 8 Dec 2004 |
Tue, 07 Dec 2004
Roughly two weeks have gone by. Total number of spams, three. Two from the same jerk at/via 81.27.200.49, trying to be funny. The other at/via 24.69.65.52. Both of them entered via the web page (vice the CGI interface). Both added to the blacklist. It's probably not helping that I talk about it but since this is the last week in the semester, I have a bit of free time to run the donkey at the windmill.
joat: 23:30:00 7 Dec 2004 |
Mon, 06 Dec 2004
Palo Wireless is a site with in-depth explanations of most (if not all) of the wireless protocols/technologies.
joat: 13:30:00 6 Dec 2004 |
Just in case anyone wanted to know, I modified the writeback plugin so that it's non-standard. Just come up with a word that isn't used in any of the code (to keep things simple) and substitute it for writeback in all of the code. For now, it's a bit of a manual process but it doesn't appear to be all that hard to automate (changing that is). It may drive the spammers back to posting via the interface, where the fight can be on more even ground.
joat: 13:00:00 6 Dec 2004 |
Following is the list of IPs that attempted to connect to the old-style comment system. The only "things" that attempt this are automated programs of one of two types: either search engine spiders (such as Google's below) or comment spammers. Do what you will with the list, just don't hold me responsible for it.
Hits  IP address  Hostname
2  12.158.228.18
1  168.143.113.5
5  193.95.113.114
12  194.213.41.11
127  194.213.41.12
26  194.213.41.13
72  194.213.41.14
1  194.7.246.43  uu194-7-246-43.unknown.uunet.be
1  195.132.141.251  m251.net195-132-141.noos.fr
4  195.27.14.2
1  200.12.238.23
40  200.21.45.4  mangostino.ut.edu.co
3  200.212.114.3
4  200.34.99.9
1  211.239.170.46
1  212.138.47.16  cache6-1.ruh.isu.net.sa
1  212.138.47.20  cache10-4.ruh.isu.net.sa
1  212.138.47.21  cache13-4.ruh.isu.net.sa
1  212.138.47.26
10  213.172.36.62
12  213.41.1.222  wan-222.1.rev.fr.colt.net
8  213.41.1.226  wan-226.1.rev.fr.colt.net
19  217.144.0.137
5  218.4.189.197
1  218.57.113.11
6  219.93.211.74
11  64.125.108.114  64.125.108.114.available.above.net
42  65.54.188.139
1  66.249.64.146  crawl-66-249-64-146.googlebot.com
1  66.249.64.156  crawl-66-249-64-156.googlebot.com
1  66.249.64.160  crawl-66-249-64-160.googlebot.com
1  66.249.64.198  crawl-66-249-64-198.googlebot.com
4  68.167.94.202  h-68-167-94-202.chcgilgm.covad.net
6  68.98.206.172  wsip-68-98-206-172.ks.ok.cox.net
5  80.65.102.162  ip102-162.introweb.nl
joat: 01:52:25 6 Dec 2004 |
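Producing a tally like the one above from the web server log, as an added example that is my own code and not the author's script: count hits on the old comment URI per client IP, then separate verified spiders from the rest. Everything in it is constructed: the sample log lines (two of the addresses appear in the list above, the third is a documentation range), the PTR and A records that stand in for DNS so it runs offline, and the assumption that the old comment URI contained the string "writeback" (the Blosxom plugin name the author mentions). The check a practitioner wants is in `is_verified_crawler`: a reverse record that says googlebot.com proves nothing by itself, because the owner of the IP's reverse zone can put any name there, so the name must also resolve forward to the same address.

```python
"""Added example, not the author's script: tally hits on the old comment
URI per IP from a web server log and separate verified search spiders
from everything else.  The log lines, the PTR/A records standing in for
DNS and the 'writeback' URI substring are all constructed assumptions."""
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log.  66.249.64.146 and 194.213.41.12 appear in the list
# above; 203.0.113.7 and 198.51.100.20 are documentation addresses.
SAMPLE_LOG = """\
66.249.64.146 - - [05/Dec/2004:10:01:12 -0500] "GET /writeback/2004/12/04 HTTP/1.1" 404 312 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
194.213.41.12 - - [05/Dec/2004:10:02:45 -0500] "POST /writeback/2004/12/04 HTTP/1.0" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
194.213.41.12 - - [05/Dec/2004:10:02:46 -0500] "POST /writeback/2004/12/03 HTTP/1.0" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [05/Dec/2004:10:05:00 -0500] "POST /writeback/2004/12/04 HTTP/1.0" 404 312 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.20 - - [05/Dec/2004:10:06:30 -0500] "GET /2004/12/04 HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux)"
""".splitlines()

# Stand-ins for socket.gethostbyaddr() / socket.gethostbyname_ex() so this runs offline.
PTR = {
    "66.249.64.146": "crawl-66-249-64-146.googlebot.com",
    "203.0.113.7": "crawl-66-249-64-146.googlebot.com",   # spoofed reverse record
}
A = {"crawl-66-249-64-146.googlebot.com": ["66.249.64.146"]}

CRAWLER_SUFFIXES = (".googlebot.com",)


def is_verified_crawler(ip, ptr=PTR, fwd=A):
    """A PTR record is set by whoever controls the IP's reverse zone, so the
    name alone proves nothing; accept it only if it sits under a known
    crawler domain AND resolves forward to the same IP."""
    name = ptr.get(ip, "")
    return name.endswith(CRAWLER_SUFFIXES) and ip in fwd.get(name, [])


def tally(lines, old_uri="writeback"):
    """Count hits on the old comment URI per client IP; other paths are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and old_uri in m.group("path"):
            counts[m.group("ip")] += 1
    return counts


def report(lines, old_uri="writeback"):
    """Rows of (hits, ip, hostname, label), most hits first.  The label is
    'spider' only for forward-confirmed crawlers; a spoofed User-Agent or
    PTR still lands in 'spammer?'."""
    rows = []
    for ip, n in tally(lines, old_uri).items():
        label = "spider" if is_verified_crawler(ip) else "spammer?"
        rows.append((n, ip, PTR.get(ip, ""), label))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for n, ip, host, label in report(SAMPLE_LOG):
        print(f"{n:4d}  {ip:<16}  {host:<40}  {label}")
```

In a real run the two dictionaries are replaced by `socket.gethostbyaddr(ip)[0]` and `socket.gethostbyname_ex(name)[2]`; keep the forward check, since the "Googlebot" User-Agent on the spoofed entry is exactly what a comment spammer would send to get onto the wrong side of the list.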
Sun, 05 Dec 2004
One thing that is not said all that often is that even the good guys have to know things like what's in this paper. It's not just the "good guys" that use encryption.
joat: 13:00:00 5 Dec 2004 |
Sat, 04 Dec 2004
Now that I'm not spending an hour or so per day mopping up comment barf (spam), I've had time to fix the comment script to allow <b>, <p> and <br>, work on comment titles, and generally get back to tweaking the site. Are there any features that you'd like to see? I'm considering dumping the Blogroll and replacing it with a links list or putting a "recent comments" frame there.
joat: 15:00:00 4 Dec 2004 |
Ryumaou has pointed out that O'Reilly has a new magazine called " Make". It's aimed at the hardware geeks. (Telmnstr! This one looks like one of yours.)
joat: 13:00:00 4 Dec 2004 |
Fri, 03 Dec 2004
Ever wonder what happened to Sealand?
joat: 13:00:00 3 Dec 2004 |
Thu, 02 Dec 2004
Chalk this one up as a pointless temper tantrum... What kind of person (that's the nice version) thinks it's important to post their Winamp-generated playlist to the Internet? (Hint: there's quite a few of them.) I went shopping for an album containing a Christmas song that I've not heard in fifteen years by Kevin Bloody Wilson (Hey Santa Claus...). It was amazing, the number of fake sites and playlist sites that I had to wade through before finding a legit site offering Kevin's albums. Maybe I should write one? <humming> living next door to spammers </humming>
joat: 13:30:00 2 Dec 2004 |
joat: 13:00:00 2 Dec 2004 |
Wed, 01 Dec 2004
Tue, 30 Nov 2004
According to this, O'Reilly is going to distribute the Google Hacking book (not the same as their Google Hacks book).
joat: 22:30:00 30 Nov 2004 |
Mon, 29 Nov 2004
Just to add my two cents to the ads in RSS feeds bickering... I feel that one of the reasons that RSS became so popular was that it allowed readers to avoid all the extra fluff on a website and get right to the content, thereby increasing the amount of content you can read in a day. Inserting advertisements into those feeds dilutes the value of the content. If, as in some low-traffic feeds, the advertisements out-number the actual posts, it can become a justifiable reason to unsubscribe from the feed. I think that many content providers are going to have to learn the hard way that social media (as bloggers are sometimes called, as opposed to mainstream media) allows for very fickle readers. Contrary to what most content providers think about themselves, very few feed sources are "valuable" enough to be able to keep their subscription levels while annoying their readers at the same time. In any case, how long before someone writes an aggregator that filters advertisements? Do we really have to join that arms race?
joat: 13:30:00 29 Nov 2004 |
Linux Security has posted part one of a series describing the use of honeypots to fight spam.
joat: 13:00:00 29 Nov 2004 |
Sun, 28 Nov 2004
Here's the list of Saturday's spammers (those attempting to access the old comments system). Please remember that some of the IPs are legitimate search engine spiders. Do what you will with the list but don't hold me responsible for it.
Hits  IP address  Hostname
1  142.165.112.131  msjwsk02d010101131.sk.sympatico.ca
5  193.255.207.253  seyhan.cu.edu.tr
2  194.117.217.227
7  200.12.238.31
4  201.12.13.170
1  202.141.239.4
1  202.163.115.203
4  202.163.115.205
1  202.68.147.182
3  203.113.29.2
7  203.115.21.155
1  203.151.40.252  203-151-40-252.inter.net.th
1  203.190.254.9
1  203.197.234.177  delhi-203.197.234-177.vsnl.net.in
1  210.18.184.246
3  211.185.38.61
4  212.117.152.70  mailrelay.flying.co.il
1  212.36.213.15
12  213.172.36.62
22  213.56.68.29
1  216.239.39.5  proxy.google.com
1  217.14.219.34
1  219.95.89.125
1  24.24.72.83  bgm-24-24-72-83.stny.rr.com
1  61.1.185.85
68  64.125.108.114  64.125.108.114.available.above.net
1  64.238.121.155
1  65.35.35.197  197-35.35-65.tampabay.rr.com
26  65.54.188.138
44  65.54.188.139
1  66.231.168.82
2  66.249.64.156  crawl-66-249-64-156.googlebot.com
1  66.249.64.195  crawl-66-249-64-195.googlebot.com
1  66.249.64.30  crawl-66-249-64-30.googlebot.com
1  66.249.64.33  crawl-66-249-64-33.googlebot.com
1  67.107.73.195
1  68.83.190.72  pcp09996361pcs.narlington.nj.comcast.net
9  80.65.102.162  ip102-162.introweb.nl
2  80.65.121.214  ip121-214.dsl.introweb.nl
1  81.15.196.129
1  83.108.243.136  ti400720a080-13192.bb.online.no
joat: 23:30:00 28 Nov 2004 |
Linux Exposed has an article explaining the basic theory behind SQL injection attacks.
joat: 13:00:00 28 Nov 2004 |
From what Jeremy says, it looks like the Knoppix Hacks book is out (I don't get into the bookstore often). As per O'Reilly's usual practice, they've posted some sample chapters on their site. I've used the anti-virus one but I've used a commercial scanner. It's a little known fact that McAfee (and others) sells a Linux-based scanning engine that uses the usual DAT files. Combine that with BSDi's LDP, and you can have a commercial scanner running on a commercial OS (for those with management that insists on commercial products) which can act as a (pass-thru) mail handler or mail server. I've even wedged this thing into Sendmail. Anyways, the book looks like it's worth the $$.
joat: 13:00:00 28 Nov 2004 |
Sat, 27 Nov 2004
Call me weird but I find conversations/listening to presentations/watching tv more interesting with immediate access to Google. A passing comment during Word Wars on the Discovery Channel led me to The International Journal of Verbal Aggression. Sometimes the habit is exceedingly annoying to others (for obvious reasons) and sometimes it leads to a bit of comedy (a quick search on Helen Carr during a recent law enforcement presentation revealed that her high school reunion committee was also looking for her). I think it's one of the reasons why the classes in Chesapeake are so enjoyable. Everyone has the Internet "right there" and usually anyone can hijack the class for a few minutes with a semi-related bit of information. The instructor has to have one of those personalities and be able to herd cats (there IS a learning plan to follow). Some students find it frustrating, others find it just outright odd, but a working knowledge of Google or Yahoo syntax does help with some of the verbal references thrown out during conversations (quick quiz: Who said, "Help me Mr. Wizard! I don't want to be a ..." ).
joat: 13:30:00 27 Nov 2004 |
Fri, 26 Nov 2004
It's nice to see that CWShredder is back in play. The bad news is that it's only available via a commercial product. You can read some of Merijn Bellekom's (the author's) comments here.
joat: 22:30:00 26 Nov 2004 |
Following is a list of IP addresses attempting to use the old comment system on 25 Nov 2004. Please note that some of these may be search engine spiders such as Google (hopefully the spiders will catch on shortly). The rest are spammers. I'm a bit concerned that a good portion of the non-spider entries are caches or proxies. Do what you want with the list.
Hits  IP address  Hostname
47  148.244.150.57  host-148-244-150-57.block.alestra.net.mx
2  152.163.100.199  cache-rtc-ad05.proxy.aol.com
1  193.129.22.146
8  193.79.18.243
3  194.63.235.155  cache1.thess.sch.gr
2  194.63.235.156  cache2.thess.sch.gr
1  194.63.235.157  cache3.thess.sch.gr
4  195.175.37.11
8  195.175.37.24
2  195.175.37.26
1  195.175.37.7
26  195.245.247.155
1  195.61.146.130  eapp.tamisa.ro
5  200.118.118.4  Static-IP-cr2001181184.cable.net.co
1  200.12.238.31
2  200.168.62.134  200-168-62-134.cebinet.com.br
13  200.31.79.214
2  200.60.207.58  client-200.60.207.58.speedy.net.pe
16  203.113.29.1
3  203.113.29.2
6  203.150.234.46  203-150-234-46.inter.net.th
6  203.151.40.252  203-151-40-252.inter.net.th
2  203.172.154.114
19  203.197.234.177  delhi-203.197.234-177.vsnl.net.in
1  209.33.210.2  209-33-210-2.sg-wireless.infowest.net
1  210.143.29.247  c12-247.actv.ne.jp
12  212.117.152.70  mailrelay.flying.co.il
1  212.138.47.12  cache2-2.ruh.isu.net.sa
2  212.138.47.16  cache6-1.ruh.isu.net.sa
1  212.138.47.21  cache13-4.ruh.isu.net.sa
1  213.132.32.130  eth1.cache2.dubaiinternetcity.net
43  213.172.36.62
8  213.56.68.29
3  217.14.219.34
1  218.5.191.126
15  220.90.132.183
1  221.132.39.253  localhost
2  61.19.243.11
1  61.95.226.18
4  63.100.211.203  63-100-211-203.reverse.newskies.net
1  63.72.136.96
4  64.124.92.199  stdev1.sj3.escalate.com
86  64.125.108.114  64.125.108.114.available.above.net
5  64.132.198.149  64-132-198-149.essind.com
1  65.4.208.158  adsl-4-208-158.mem.bellsouth.net
1  65.50.67.11  CPE002078d287e4-CM014250010853.cpe.net.cable.rogers.com
17  65.54.188.138
1  66.249.64.160  crawl-66-249-64-160.googlebot.com
1  66.249.64.167  crawl-66-249-64-167.googlebot.com
1  66.249.64.189  crawl-66-249-64-189.googlebot.com
1  66.249.64.195  crawl-66-249-64-195.googlebot.com
1  66.249.64.198  crawl-66-249-64-198.googlebot.com
2  66.249.64.201  crawl-66-249-64-201.googlebot.com
4  66.249.64.202  crawl-66-249-64-202.googlebot.com
2  66.249.64.205  crawl-66-249-64-205.googlebot.com
1  66.249.64.30  crawl-66-249-64-30.googlebot.com
1  66.249.64.37  crawl-66-249-64-37.googlebot.com
2  66.249.64.38  crawl-66-249-64-38.googlebot.com
1  66.249.64.55  crawl-66-249-64-55.googlebot.com
2  66.249.64.58  crawl-66-249-64-58.googlebot.com
1  66.249.64.68  crawl-66-249-64-68.googlebot.com
2  66.249.64.70  crawl-66-249-64-70.googlebot.com
1  68.167.94.202  h-68-167-94-202.chcgilgm.covad.net
1  68.235.196.123  68-235-196-123.crlsca.adelphia.net
1  68.252.22.121  adsl-68-252-22-121.dsl.dytnoh.ameritech.net
1  69.152.200.106  adsl-69-152-200-106.dsl.fyvlar.swbell.net
39  80.65.102.162  ip102-162.introweb.nl
2  80.65.121.214  ip121-214.dsl.introweb.nl
6  81.110.124.10  cpc2-with1-4-0-cust10.bagu.cable.ntl.com
1  81.153.86.133  host81-153-86-133.range81-153.btcentralplus.com
7  81.208.62.130
1  82.176.17.196
2  83.168.19.77  adsl-19-77.cytanet.com.cy
joat: 22:11:40 26 Nov 2004 |
Here's a thought (tell me if you think I'm way off): buying one-time products, either hardware or software, to fight spam and malicious code is a bad idea. Your purchase becomes obsolete as soon as what you're fighting changes tactics. Instead, you should use a product/service that is either community driven (e.g., Snort, ORBS, etc.) or is subscription-based (e.g., McAfee, Symantec, etc.). I don't have that previous paragraph worded the way I'd like it to be but you get the idea. Thoughts for articles/papers (feel free to borrow): - networks that adapt to a new threat faster have a better survival rate
- the need for adaptive technologies to fight security threats (even if it's the ability to script "in the middle")
- the need for trained personnel to use those adaptive technologies
- what technologies still need adaptive capabilities
joat: 21:30:00 26 Nov 2004 |
I think I've blogged about airpwn previously but (in case I haven't) there's a conference coming up and I need to recognize the particulars of someone using the tool.
joat: 14:30:00 26 Nov 2004 |
I've talked about this before... If you're a network security officer or a security manager, it's a good idea to check what your organization inadvertently exposes via what it makes available on the Internet.
joat: 14:00:00 26 Nov 2004 |
I managed to fat finger the date on yesterday's entry (it was sent to the 15th vice the 25th). I've fixed it. Apologies.
joat: 13:30:00 26 Nov 2004 |
Thu, 25 Nov 2004
This is one of those must-have tools. It logs open ports on the local system and includes which user and which binary opened them. The one shortcoming that I can see is that it logs directly to a text file. If it logged into the Microsoft logging system or externally to a syslog service, the tool would be that much better.
joat: 23:30:00 25 Nov 2004 |
Wed, 24 Nov 2004
The changes I made to the writeback code seem to be holding. While the blog still accepts incoming comments from scripts, they're not written to the hard drive (due to the URI being incorrect). As soon as Google's spiders catch up, I should be able to automatically generate a list of spammers on a periodic basis. Anyone have a preference for formats? joat: 15:35:51 24 Nov 2004 |
Tue, 23 Nov 2004
I can't see a book about Knoppix Hacks being anything but good. Given the number of things Knoppix has been adapted to, I think the book is going to be a good-to-have. I wonder what they had to weed out to keep the book to a manageable size.
joat: 13:00:00 23 Nov 2004 |
Mon, 22 Nov 2004
I managed to find this LJ article on Bluetooth and GPRS. I still have no clue though. The more I read, the more I'm convinced that I'm going to need pointers on Bluetooth security.
joat: 14:30:00 22 Nov 2004 |
I've managed to pick up a USB Bluetooth interface that my three year-old laptop recognizes. The idea is to use my wife's Bluetooth-enabled cell to get on the Internet (in a pinch) at the con in February. Anyone have any pointers/good websites/advice for security? (If security and Bluetooth can be uttered in the same sentence?) joat: 13:30:00 22 Nov 2004 |
Sun, 21 Nov 2004
The comment system is back on. I've "adapted" the comment system so that it is "unique" when compared with other Blosxom blogs. Let's see if the changes are effective and, if so, how long they last before the spammers figure out what they have to change on their end to get comment spam working again. ...and the arms race continues... joat: 17:18:16 21 Nov 2004 |
There's an ongoing discussion on the Full Disclosure mailing list where the original poster stated the following:

Subject: [Full-Disclosure] Why is IRC still around?
Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:
1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
2) A considerable amount of "script kiddies" originate and grow through IRC?
3) A wee bit of software piracy occurs?
4) That many organized DoS attacks through PC zombies are initiated through IRC?
5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?
The list goes on and on... Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC? What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?

The following posts quickly degraded into a flame war and name-calling contest. I find the discussion offensive mostly for the implied logic behind it. (It's included in the name calling contest.) One reader summed my opinion up in a short well-worded sentence: Who is 'we' and what makes you think anyone cares what you 'sunset'? This is the same mentality as that behind my MCSE rant (and before this gets too far, it was a specific MCSE that I was ranting about, not all of them). There's a certain logic used by some of the n00b MCSEs whose only network training amounts to what they learned out of the MCSE book. Contrary to what MS would like you to believe, the Internet is still a very insecure, dangerous "place" with little or no control. The logic that any "we" can force the suspension of a protocol for any reason gives me a headache. The poster actually assumes that there is a man behind the curtain pulling the levers and ropes. You can read the list via the Checksum archive. It's interacting with that type of people that got me blacklisted by my grandmother's church in my early 20's. The short version of the story amounts to a short discussion between a picketer and myself, in front of the only convenience store open at 6:30 a.m. in a three county area.
Him: "Don't go in there! They sell Playboys!"
Me: "They sell coffee in there." (Yeah, I grew up in a very small town.) joat: 13:30:00 21 Nov 2004 |
Ran across the following while looking for a device driver: The bad news is that the IDA Pro people have taken down their free download due to excessive traffic.
joat: 13:00:00 21 Nov 2004 |
Sat, 20 Nov 2004
LURHQ has an analysis of the Get E-Gold trojan.
joat: 13:00:00 20 Nov 2004 |
Fri, 19 Nov 2004
MS stopped supporting client versions of NT on 30 June and will stop supporting the server version at the end of this year (something they don't include in those TCO arguments). MS's motivation is money: either it's too expensive to continue to support it or they want to force NT users to "upgrade". In either case, the talking heads will discuss the "danger" the move is creating. Let the politics begin!
joat: 23:30:00 19 Nov 2004 |
Thu, 18 Nov 2004
Err... You might notice that I've turned off comments again.
joat: 23:30:00 18 Nov 2004 |
While doing research on my "freedom of speech" spammer, I found this ports database. A useful tool if you need to look up port numbers.
joat: 13:00:00 18 Nov 2004 |
Wed, 17 Nov 2004
The majority of spam is sent by compromised zombies. Few (if any) of those rogue programs behave like a real mail server; in particular they don't queue a message and retry it after a temporary failure (more state and more commands means larger code and easier detection). milter-greylist exploits exactly that. For every incoming message from a previously unseen combination of client address, envelope sender and recipient, an initial "temporary" (4xx) error is returned. A full-blown MTA handles this invisibly as part of normal operations: it queues the message and retries a few minutes later, the retry is accepted, and that combination is remembered so later mail goes straight through. Most bots never come back. The costs are a delay of minutes on first contact with a new correspondent and the occasional large sender that retries from a different address in its pool, which is why the matching can be done on a subnet rather than a single IP. It won't stop all spam, but it'll probably clean up most of your incoming nastiness.
joat: 13:30:00 17 Nov 2004 |
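The greylisting decision itself, as an added example (my own code, not the milter-greylist source): the first attempt for a new triple gets a 451, a retry after the delay is accepted and the triple is whitelisted, a retry that never comes costs nothing. The delays, the choice to key on the client's /24 (my assumption, not the tool's default) and the replayed session are constructed; the "451 4.7.1" reply text is conventional but not mandated.

```python
"""Added example, not the milter-greylist source: the greylisting decision.
A new (client network, envelope sender, recipient) triple gets a 4xx
temporary failure; a retry after the delay is accepted and the triple is
whitelisted; a bot that never retries never gets through.  Delays, the
/24 grouping and the replayed session are constructed."""
import ipaddress
import time

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, clock=time.time, delay=300, retry_window=4 * 3600,
                 whitelist_ttl=30 * 86400):
        self.clock = clock                  # seconds; injectable so the replay is deterministic
        self.delay = delay                  # minimum wait before a retry is accepted
        self.retry_window = retry_window    # a retry later than this starts over
        self.whitelist_ttl = whitelist_ttl  # how long an accepted triple skips the check
        self.pending = {}                   # triple -> first-seen time
        self.whitelist = {}                 # triple -> expiry time

    @staticmethod
    def triple(ip, sender, rcpt):
        # Assumption: group by /24, because large senders retry from a pool of
        # addresses rather than the host that made the first attempt.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt):
        """Return the SMTP reply for one RCPT TO attempt."""
        now = self.clock()
        key = self.triple(ip, sender, rcpt)
        if self.whitelist.get(key, 0) > now:
            self.whitelist[key] = now + self.whitelist_ttl   # refresh on use
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                           # new (or stale) triple
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                                   # retried too early
        del self.pending[key]
        self.whitelist[key] = now + self.whitelist_ttl
        return ACCEPT


def replay(events):
    """events: (seconds, client ip, MAIL FROM, RCPT TO) in order; returns the replies."""
    now = [0]
    gl = Greylist(clock=lambda: now[0])
    replies = []
    for t, ip, sender, rcpt in events:
        now[0] = t
        replies.append(gl.check(ip, sender, rcpt))
    return replies


# Constructed session: a bot that fires once, and a real MTA that queues and retries.
SESSION = [
    (0,    "203.0.113.9",   "pills@spam.invalid", "user@example.org"),  # bot, never returns
    (0,    "198.51.100.5",  "friend@example.net", "user@example.org"),  # real MTA, first try
    (60,   "198.51.100.5",  "friend@example.net", "user@example.org"),  # retried too soon
    (900,  "198.51.100.17", "friend@example.net", "user@example.org"),  # retry from another pool host
    (1000, "198.51.100.5",  "friend@example.net", "user@example.org"),  # now whitelisted
]

if __name__ == "__main__":
    for ev, reply in zip(SESSION, replay(SESSION)):
        print(f"t={ev[0]:>5}s {ev[1]:<15} {reply}")
```

The retry window matters as much as the delay: a bot that does retry, but only after hours, still starts over, while the 30-day whitelist keeps the delay from hitting the same correspondent twice.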
I blogged about the DDoS page (at the University of Washington) in February of last year. It's a good source, has gotten bigger, and is worth blogging again.
joat: 13:00:00 17 Nov 2004 |
Tue, 16 Nov 2004
I've added a short piece to the Wiki about translating RSS feeds prior to aggregating them.
joat: 13:30:00 16 Nov 2004 |
For anyone that's interested, here's the URL's for the "Recent Changes" feeds for the Wiki: Enjoy!
joat: 13:00:00 16 Nov 2004 |
Mon, 15 Nov 2004
Sun, 14 Nov 2004
The following is excerpted from comment spam created after the sender noticed that I'd disabled comments.
name: video chat
url: http://www.video[-]chat[-]room.c0m
date: 11/13/2004 07:06:27
title: video chat
comment: Why my previous comments was deleted, how about freedom of speach?
excerpt:
blog_name:
ip: 62.183.50.164
My son learned the answer to that question at the dinner table, when he was 12. The answer? "I'm not the Federal government. So sit down and shut up." Mebbe we should give lessons in U.S. law to overseas spammers so they don't sound so f*cking stupid when they ask questions? If there's any question, I did munge the url a bit to prevent him from getting any points with the search engines. In answer to the first part of the spammer's question, it was deleted because it had absolutely nothing to do with the post it was attached to. Chingate cabron!
joat: 14:30:00 14 Nov 2004
If you've read this blog from early on, you know that I live near some people/organizations that seem to end up in the news. A lot. Examples include: Pat Robertson, PETA, the Edgar Cayce Foundation, the Sniper trials, and the Friendship Patrol. Maybe I'm just being paranoid but, barring the insanity in the political arena for the past year, I think it's been too quiet. Someone out there is planning something. Maybe I'm just used to living in areas where being boneheaded in public is considered a form of entertainment (HI, NYS, SOVA)?
joat: 13:45:00 14 Nov 2004
Here's a SANS paper which discusses the corporate requirements for security and how to get there. I did a quick skim of the paper and it appears that the only thing missing is FIPS 199 compliance (a common syntax standard).
joat: 13:00:00 14 Nov 2004
Sat, 13 Nov 2004
I've turned off comments until I can figure out a different approach to comments. The spammers have won, for now. If you need to post a comment, please send it to me directly (joat 757.org <-- insert "@" in the appropriate place).
joat: 19:00:00 13 Nov 2004
The WTO has told the U.S. how to (I wanted to say "suck eggs" but...) run its internal affairs by ruling that the U.S. law banning online gambling is damaging to the Antigua and Barbuda economies. (Uh, when did the WTO become a legislative body?) While it may be true that the law blocks the growth of that industry, I'm not so sure that passing the law damaged the economy. Rather, the law made online gambling within the U.S. illegal, forcing the sites to move out of the country, thereby creating the economy that is supposedly now endangered. It should prove interesting what comes out of this and the upcoming attempt by the U.N. to "govern" the Internet, not only for the U.S. but for any country that will have to give up sovereignty to participate. (Example: some of the things that I talk about here are illegal in Europe but inane here in the U.S.)
joat: 16:30:00 13 Nov 2004
Giants are battling somewhere. Me? I'm going to pull the covers up over my head. Tell me when Novell v Microsoft and the whole SCO thing is over.
joat: 16:00:00 13 Nov 2004
Apologies for anyone accessing my Bloglines subscriptions. At just shy of 300 feeds, it has gotten a bit unwieldy. I've decided to clean out the dupes and unsubscribe from the feeds that aren't relevant. It had gotten to the point where it takes hours each week just to read those feeds. Hopefully things will improve shortly...
joat: 15:30:00 13 Nov 2004
The rules change next week. Most of the industry is waiting for the first "case" to go to court to see what happens. After that, it'll either be yawns or a sudden shift in security budgets.
joat: 14:00:00 13 Nov 2004
Here's a NewsForge article which discusses the basic theory of honeypots (excerpted from the book "Know Your Enemy: Learning about Security Threats").
joat: 13:30:00 13 Nov 2004
More info for those of you studying for Geek Trivia: TAP Magazine (first 10 issues).
joat: 13:00:00 13 Nov 2004
Fri, 12 Nov 2004
I finally had enough time to re-install the text-to-speech tools (speechd and festival) so that I can monitor IRC channels in XChat. I've added the process to the Wiki. Now I only have to redo the RAM disk stuff and write/tune the shorthand translators.
joat: 15:00:00 12 Nov 2004
Here's a good article on SSH keys. The use of public key authentication makes SSH very, very convenient to use (moving files, remotely executing scripts on multiple machines, monitoring "state" on remote systems, etc.) and, in some cases, protecting against certain types of attack.
joat: 14:30:00 12 Nov 2004
Here's InfoSec Writers' paper on IPSec under IPv6.
joat: 14:00:00 12 Nov 2004
The Phishing Guide (PDF) discusses the various problems that scammers exploit and how to protect against them. A decent read. On a related note, here's an article describing five steps to protect yourself.
joat: 13:30:00 12 Nov 2004
Thu, 11 Nov 2004
InfoSecWriters has a quick analysis of the MyDoom/Doomjuice worms.
joat: 13:30:00 11 Nov 2004
Crossnodes has a very good article about setting up and experimenting with IPv6.
joat: 13:00:00 11 Nov 2004
Wed, 10 Nov 2004
Harlan often comments here. (Hi Harlan!) A review of his book has been posted on Slashdot. To state the obvious, his book received both good and bad responses from Slashdot. Mostly good. Of course the usual obfuscators showed up within the first few comment posts. And the usual conspiracy freaks. According to one of them, you can recover files via a one-to-one bit copy even after the original has been overwritten ten times.
In an odd twist of timing, tonight's class worked with Helix to gather data from a running system. For those that don't know what it is, Helix is a Linux-based "live CD" that is also devoted to obtaining forensics data from live systems and making bit copies of storage devices. In addition to being a "live CD", you can also drop the CD into the drive on a running Windows system. "Autorun" will bring up an interface with a set of statically-compiled tools which allow you to perform various forensics functions (see the site for more info).
joat: 23:30:00 10 Nov 2004
ShmooCon seems to be shaping up nicely (visit the site!). Quite a few people going from this end of the state.
joat: 14:00:00 10 Nov 2004
I once worked at a place where the boss would stage Nerf Gun fights in the large conference room, immediately after the pot luck. I miss those days. Especially after this has become available. <nostalgia>In those days, all we had was a couple chain-fed repeaters...</nostalgia>
joat: 13:30:00 10 Nov 2004
Tue, 09 Nov 2004
joat: 13:00:00 9 Nov 2004
Mon, 08 Nov 2004
The arms race has escalated again. This site is being spammed into oblivion by a network in the Netherlands and an IP address belonging to the state of Ohio. Until I get the code behind the blog cleaned up, I'm going to turn off comments. I'm also going to do a bit of research for applicable laws (worst case == I need the data for a term paper).
joat: 15:00:00 8 Nov 2004
I haven't had a chance to read the paper yet, but while I was digging for references to cryptovirology I came across this CiteSeer reference which discusses the use of cryptovirology in extortion threats. Note: to read or download the paper yourself, click on one of the links in the upper right-hand corner.
joat: 14:30:00 8 Nov 2004
The book is still in my "to read" stack but here's the site for the book Malicious Cryptography - Exposing Cryptovirology.
joat: 14:00:00 8 Nov 2004
I can't vouch for the veracity of this but if there's any truth in it, it's gonna make the SCO fiasco quite entertaining legally. Most of the Internet's problem protocols are on that list. 'Bout the only thing missing is SMTP. I wonder why that's not on the list. In any case, this should set the purists' (on both sides of the fence) teeth to grinding. Think of it, having to include a MS license with every *nix (Linux, Sun and *BSD) and MacOS distro. I'm reminded of something my grandmother used to say: I can't see the good in it, in either direction.
joat: 13:30:00 8 Nov 2004
Sun, 07 Nov 2004
The Bleeding Snort people are looking for volunteers again, this time for Inline Snort users willing to help with a specialized signature set.
joat: 13:30:00 7 Nov 2004
Sat, 06 Nov 2004
They haven't caught the author of the worm yet but here's an analysis of the code.
joat: 14:00:00 6 Nov 2004
I love Procmail. I've used it for years, employing it to do everything from files-on-request to filtering spam and viruses. SecurityFocus has a four-parter:
joat: 13:30:00 6 Nov 2004
joat: 13:00:00 6 Nov 2004
Fri, 05 Nov 2004
Here's a site devoted to port knocking.
joat: 13:30:00 5 Nov 2004
The National Institute of Justice has done evaluations on a number of digital forensic tools:
joat: 13:00:00 5 Nov 2004
Now a word for/from our sponsor... If you're a musician/band from Southeast Virginia, be sure to list your band on Music.HRConnect. If you're not in a band and are just looking for a place to go, check out the venues/schedules on the site. You can even listen to some of the bands' MP3's.
joat: 01:54:26 5 Nov 2004
Thu, 04 Nov 2004
Spyware Warrior is an interesting blog about fighting spyware.
joat: 13:30:00 4 Nov 2004
Wed, 03 Nov 2004
The Utah SAINT has a pointer to the presentations from the most recent P2P Summit. It's nice to see that at least some legislators are getting involved in the technologies before attempting to pass incoherent laws (in other words, learning about the tech so that violators can be held responsible for their actions rather than holding the tech responsible and crippling an entire field of technology). According to the post, the presentations will be available for a limited time.
joat: 13:00:00 3 Nov 2004
joat: 13:00:00 3 Nov 2004
Tue, 02 Nov 2004
Bleeding Snort has a howto for setting up Bleeding Edge Snort rules so that they'll run with a live CD distro. The original objective was to allow a temporary sensor to be set up to detect spyware.
joat: 13:30:00 2 Nov 2004
joat: 13:00:00 2 Nov 2004
Mon, 01 Nov 2004
For my own reference, various people are leaving their favorite podcast sites in Tejas Patel's blog.
joat: 13:30:00 1 Nov 2004
I'm interested, not as someone who does this sort of thing, but as someone who has to protect against it. My question is: if you modify an interface so that it can pick up communications from a mile away, how do you tell which is what and where? Also, does anyone make directional antennas for Bluetooth? Or is it even worth the trouble of performing periodic scans, since even cell phones have an interface nowadays? Thanks to Furrygoat for pointing out the site.
joat: 13:00:00 1 Nov 2004
Sun, 31 Oct 2004
If you use the Bleeding Edge Snort rules to alert on spyware, there's a request for data on the Bleeding Edge blog. One user has already contributed virus data. Now they're looking to add in spyware data for analysis purposes.
joat: 14:00:00 31 Oct 2004
Here's a year-old paper on a type of non-cryptographic attack on public key cryptography called Fuzzy Fingerprinting.
joat: 13:00:00 31 Oct 2004
Sat, 30 Oct 2004
Regardless of what management thinks about the site (so do the searches from home), you really should use the techniques displayed on the GoogleDorks site (now called the Google Hacking Database) to check what Google "sees" via/from your organization's network.
joat: 12:30:00 30 Oct 2004
Using PKI isn't all beer and skittles. It's meant for very specific applications, not as a cure-all (even for PKI-token-based logins). Here's a paper discussing some of the shortcomings.
joat: 12:00:00 30 Oct 2004
Fri, 29 Oct 2004
The Security Journal posts its content online via PDF files. There are quite a few interesting articles there.
joat: 12:30:00 29 Oct 2004
This should not be a surprise. With physical access to the authenticating mechanism, not even PKI or bio-authentication is safe.
joat: 12:00:00 29 Oct 2004
Thu, 28 Oct 2004
joat: 12:30:00 28 Oct 2004
Wed, 27 Oct 2004
Here's a quick howto for configuring DPMS (turns your monitor off after a period of non-use) under Linux.
joat: 12:30:00 27 Oct 2004
This is funny. For those that cannot decode hex "72 6D 20 2D 72 66 20 2F" translates to "rm -rf /" and "6D 76 20 2F 73 62 69 6E 2F 69 6E 69 74 20 2F 73 62 69 6E 2F 62 69 6C 6C 72 75 6C 65 73" translates to "mv /sbin/init /sbin/billrules". Just wait until they find out what "65 6A 65 63 74 20 2F 64 65 76 2F 63 64 72 6F 6D" does!!
joat: 12:00:00 27 Oct 2004
Tue, 26 Oct 2004
Please excuse any vagaries in the comment system. I'm tweaking the writeback code to combat the comment spammers (they've been getting out of hand recently).
joat: 23:00:00 26 Oct 2004
Here's yet another paper on the MS04-011 vulnerability and how a worm was developed out of it.
joat: 12:30:00 26 Oct 2004
Does the claim "there's nothing that can be done about shatter attacks" still apply? I seem to remember the claim that the vulnerability was so ingrained in the OS that a total rewrite would be required. The good news was that it required physical access to the local terminal. Anyone know if it's still true?
joat: 12:00:00 26 Oct 2004
Mon, 25 Oct 2004
More bad news in the Malicious Code category. The shell-coders have figured out how to avoid stack protection with shell code.
joat: 12:00:00 25 Oct 2004
Sun, 24 Oct 2004
Just for info: new versions of Amap and Hydra are out.
joat: 16:35:00 24 Oct 2004
I disagree with Mr. Kabay's article in that picking out exceptions to free speech is bad practice. What he's describing is some very nasty forms of censorship and prior restraint. Who gets to define "viral"? A lot of the issue centers around intent, something that usually takes a court to determine. That's exactly what Mr. Kabay's article is trying to avoid having to do. If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!! The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and that it's justifiable to pass out the pitchforks and torches and head towards the castle. A friend (hi Steve!) has a much better one: Ita bardus plector.
joat: 15:45:00 24 Oct 2004
Added a Forensics Toolkit page to the wiki with the intent of reviewing various tools as I learn.
joat: 13:00:00 24 Oct 2004
Here's a step in the right direction. Microsoft has stood up a Fight Spyware page. Surprisingly, they even recommend the usual third-party tools (Ad-aware and Spybot S&D) to combat the problem. Brava!
joat: 12:30:00 24 Oct 2004
Here's a quick discussion, with a sample exploit, of one of the problems with the Spanning Tree Protocol. The exploit requires physical access to the switches (or at least to two network segments from different ports). It is reason enough to use port security and lock your wiring closets, though.
joat: 12:00:00 24 Oct 2004
Sat, 23 Oct 2004
Because of this, today I'm venting about "firewalls" and "security". "Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old Layer 3/4 vs. Layer 7 argument again!) A proper firewall involves a bastion host (the hardware, software and services stripped to the bare minimum needed to function and then configured to run in a specific manner) running very specific services which provide the maximum possible control over the protocols and services that your users (via management) cannot live without. As a general rule of thumb for deciding how to handle a request for a protocol:
- disallow the protocol
- if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
- if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IPs and the directions in which requests can be made, and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible
That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023), because a stateless filter cannot tell a "reply" from port 80 apart from an unsolicited packet that merely claims to be one. Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OSes or firewall programs that "leak"). You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.
This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk. Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus the need for federal legislatures to "step in". Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards.
However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections. Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk there is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources has the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.) The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide various administrative and investigative functions relating to information security. It's not that far of a jump for government to provide equivalent compliance testing and licensing functions.
joat: 13:40:00 23 Oct 2004
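The "last resort" packet filter above is worth seeing side by side with a connection-tracking filter. The following is an added example written for this post (not the author's code): a two-rule stateless policy that admits anything "from tcp/80 to a port above 1023" as a web reply, next to a filter that only admits inbound packets belonging to a connection an inside host actually opened, and logs the rest for the IDS. Addresses, ports and flags are constructed.

```python
"""Stateless 'reply by source port' rule versus connection tracking.
Added example for this post, not from the original; all values constructed."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Classic two-rule Layer 3/4 policy for outbound web browsing."""
    # Rule 1: inside hosts may open connections to tcp/80 anywhere.
    if is_internal(pkt.src_ip) and pkt.dst_port == 80:
        return "accept"
    # Rule 2: "replies" from tcp/80 to an unprivileged inside port are let in.
    # This is the hole: nothing checks that the inside host asked for it.
    if not is_internal(pkt.src_ip) and pkt.src_port == 80 and pkt.dst_port > 1023:
        return "accept"
    return "drop"


class StatefulFilter:
    """Admits inbound packets only when they belong to a connection that an
    inside host opened; unsolicited inbound packets are dropped and logged."""

    def __init__(self):
        self.conns = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.log = []        # dropped unsolicited packets, for the analyst

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.dst_port == 80 and pkt.syn and not pkt.ack:
                self.conns.add(key)              # new outbound web connection
                return "accept"
            return "accept" if key in self.conns else "drop"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return "accept"                      # genuine reply to our request
        self.log.append(pkt)                     # unsolicited: record it
        return "drop"


def compare():
    """Run the same constructed traffic through both filters."""
    inside, web, outsider = "10.0.0.5", "203.0.113.9", "198.51.100.42"
    traffic = {
        "legit_syn":   Packet(inside, 40000, web, 80, syn=True),
        "legit_reply": Packet(web, 80, inside, 40000, syn=True, ack=True),
        "probe_1025":  Packet(outsider, 80, inside, 1025, syn=True),
        "probe_3389":  Packet(outsider, 80, inside, 3389, syn=True),
    }
    sf = StatefulFilter()
    results = {}
    for name, pkt in traffic.items():
        results[name] = {"stateless": stateless_decide(pkt), "stateful": sf.decide(pkt)}
    results["unsolicited_logged"] = len(sf.log)
    return results


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20} {verdict}")
```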
For my own benefit, here's an article about ZoneMinder.
joat: 13:30:00 23 Oct 2004
Sharp Ideas has a really long list of security-related mailing lists.
joat: 13:00:00 23 Oct 2004
Fri, 22 Oct 2004
Here's the Unofficial Cookie FAQ: what they are, their use(s), and how to block 'em.
joat: 12:00:00 22 Oct 2004
Thu, 21 Oct 2004
It's not just the people driving by, it's the people on the sidewalk too.
joat: 12:00:00 21 Oct 2004
Wed, 20 Oct 2004
Here's a decent paper on defense-in-depth.
joat: 12:30:00 20 Oct 2004
TFN2K, the DDoS tool, uses passwords that are built into the code at compile time. If you're evaluating malicious code, it might be nice to figure out what the password is. tfn2kpass was written by NMRC to perform just this function.
joat: 12:00:00 20 Oct 2004
Tue, 19 Oct 2004
I can't state an obvious use for Magic Codes yet, but it does look like a handy tool to have around.
joat: 12:00:00 19 Oct 2004
Here's a slightly outdated tutorial for turning off services.
joat: 12:00:00 19 Oct 2004
Mon, 18 Oct 2004
Just so you all know, even traceroute packets can be spoofed under certain conditions.
joat: 12:30:00 18 Oct 2004
Check-ps looks like it would be worthwhile in a forensic toolkit. The quick description of it is "hidden process detector". If anyone's used it, please let me know what you think of it.
joat: 12:00:00 18 Oct 2004
Sun, 17 Oct 2004
Here's Gary C. Kessler's "An Overview of Cryptography".
joat: 12:08:14 17 Oct 2004
This is silly enough in the right direction that I've got to try it. Thanks, Burak!
joat: 12:00:00 17 Oct 2004
If you share your network with anyone (anyone!) with administrative access to any (that's ANY!) system, then you need to take a few precautions to help recover from a network compromise. The following are steps that we've learned in the open lab:
- Know the MAC address for the default gateway (have it written down)
- Know the hostname(s) and IP address(es) for your servers, especially your DNS and directory servers
- If you're done with a dangerous tool, delete it and the source code
- Scan your systems, inside and out, before and after active analysis
- Log and record as much as possible, no matter how silly it seems
Some of those are forensic measures but those first two are valuable bits of information if you're suddenly trying to figure out why the Google page suddenly reads "All your lookups are belong to us!"
joat: 12:00:00 17 Oct 2004
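The first two steps only pay off if you actually compare the written-down facts against what the network shows during the incident. Here is an added example (not from the original post) that does that comparison: it parses Linux-style `arp -an` output, checks the gateway's MAC and whether one MAC is answering for several addresses, and checks that the recorded servers still resolve to their recorded IPs. The baseline, ARP output, hostnames and addresses are all constructed.

```python
"""Check the current ARP table and resolver answers against a recorded baseline.
Added example for this post, not the author's code; all values are constructed."""
import re

# Linux `arp -an` line: "? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Baseline written down while the lab was known-good (constructed values).
BASELINE = {
    "gateway": {"ip": "10.0.0.1", "mac": "00:11:22:33:44:55"},
    "servers": {"ns1.lab.example": "10.0.0.53",
                "ldap.lab.example": "10.0.0.60"},
}


def parse_arp(output: str) -> dict:
    """Return {ip: mac} from `arp -an` output; '<incomplete>' entries are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(output)}


def check_baseline(baseline: dict, arp_output: str, resolved: dict) -> list:
    """Compare observations with the baseline.  `resolved` is {hostname: ip}
    as the resolver answers now.  Returns human-readable findings; an empty
    list means nothing the baseline covers has changed."""
    findings = []
    arp = parse_arp(arp_output)

    gw = baseline["gateway"]
    seen = arp.get(gw["ip"])
    if seen is None:
        findings.append(f"gateway {gw['ip']} missing from ARP table")
    elif seen != gw["mac"].lower():
        findings.append(f"gateway {gw['ip']} MAC changed: {gw['mac']} -> {seen} "
                        "(possible ARP spoofing)")

    # One MAC claiming several IPs is another classic sign of ARP games.
    owners = {}
    for ip, mac in arp.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")

    for host, ip in baseline["servers"].items():
        now = resolved.get(host)
        if now is None:
            findings.append(f"{host} did not resolve")
        elif now != ip:
            findings.append(f"{host} resolves to {now}, baseline says {ip}")
    return findings


# Constructed observations: a clean run and a run where the gateway was hijacked.
GOOD_ARP = """? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.53) at 00:11:22:33:44:66 [ether] on eth0
? (10.0.0.7) at <incomplete> on eth0
"""
BAD_ARP = """? (10.0.0.1) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.0.53) at de:ad:be:ef:00:01 [ether] on eth0
"""
GOOD_DNS = {"ns1.lab.example": "10.0.0.53", "ldap.lab.example": "10.0.0.60"}
BAD_DNS = {"ns1.lab.example": "10.0.0.99", "ldap.lab.example": "10.0.0.60"}

if __name__ == "__main__":
    for finding in check_baseline(BASELINE, BAD_ARP, BAD_DNS):
        print("!!", finding)
```

On a live system the ARP text would come from running `arp -an` and the resolver answers from `socket.gethostbyname`; both are fed in as parameters here so the check runs offline.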
Sat, 16 Oct 2004
Need to talk about spyware? Try the forums at SpywareInfo.
joat: 23:30:00 16 Oct 2004
Another one for the "to look at" list.
joat: 12:30:00 16 Oct 2004
Hey Google! How about a version for the Unix crowd? Please, please!
joat: 12:00:00 16 Oct 2004
Fri, 15 Oct 2004
Ryumaou has pointed to a good O'Reilly article on FAQ software.
joat: 12:30:00 15 Oct 2004
This sort of thing is good-to-know for system administrators needing to test POP3 or anyone without a client needing to check their mail.
joat: 12:00:00 15 Oct 2004
Thu, 14 Oct 2004
More apologies for the sudden drought in blogging. The new job has affected my sleep patterns and I'm only now catching up. Probably explains the grouchy post below too. Things should even out in the next few weeks but Mondays and Wednesdays are still going to be 16-hour days.
joat: 23:40:00 14 Oct 2004
I've added the CircleID feed to my Bloglines subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent here. I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade, and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time. This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an a-political organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or factionalism. Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?) Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the new feed.
joat: 23:30:00 14 Oct 2004
If you're sitting at a security conference, you definitely don't want to be "popping" your e-mail unless you're encrypting the connection somehow (POP3 sends your password in the clear). This is a tutorial for configuring PuTTY to tunnel POP3 connections over SSH.
joat: 12:00:00 14 Oct 2004
Wed, 13 Oct 2004
The site has nothing to do with security but Linux Toys has a list of interesting projects.
joat: 12:00:00 13 Oct 2004
Tue, 12 Oct 2004
Sometimes information can be found in the most out-of-the-way places, so it's valuable to know that the out-of-the-way places exist. In this case, telnet-reachable (Internet) BBS's. The BBS Corner maintains a list. (via TinyApps)
joat: 12:00:00 12 Oct 2004
Mon, 11 Oct 2004
Here's an online reverse dictionary. You describe the concept/definition and the reverse dictionary searches for the words associated with your input. (Via TinyApps)
joat: 12:00:00 11 Oct 2004
joat: 12:00:00 11 Oct 2004
Sun, 10 Oct 2004
A soldering howto. Remember to solder in a well-ventilated area and avoid the fumes. (via TinyApps)
joat: 12:00:00 10 Oct 2004
Sat, 09 Oct 2004
This is the problem with data aggregation. What can be used for good can also be used for evil.
joat: 23:55:00 9 Oct 2004
Apologies for the dearth of blogging. A very busy day. My birthday. Rebuilt a 4-year-old laptop with a new version of Linux (and I didn't have to patch/rebuild the wireless/power/pcmcia modules). Actually made it thru 10 of the 17 houses at Homearama 2004. Absolutely loved the 3rd floor in one, the kitchen in another, and the first floor in another. Unfortunately, I'll never be able to afford any of them. Nice houses, but not worth what they're asking for them.
joat: 23:30:00 9 Oct 2004
Here's the online version of Mr. Stevens's book.
joat: 12:00:00 9 Oct 2004
Fri, 08 Oct 2004
Here's a howto for setting up or accessing an encrypted filesystem within a file. Can anyone suggest some pointers to cracking this sort of thing? I know that the suggested first try is to attempt to capture the passphrase via a keylogger and that the last resort is brute force. What I'm looking for is pointers to develop the "protocol" for what's between those two choices.
joat: 23:35:00 8 Oct 2004
joat: 23:30:00 8 Oct 2004
Thu, 07 Oct 2004
Here's an online test to see if you can recognize phishing fraud without looking at the source code. I assume it's an intellectual exercise, as the first thing you'd want to do is look at the source code. In real life, you want to avoid HTML-based e-mail and never, ever click on a link in e-mail. Type it by hand instead, and only if you're sure what it is.
joat: 13:00:00 7 Oct 2004
This is an article on a topic that really frustrates me: removing the perimeter. The author treats firewalls (and, for that matter, security) as a single black-box approach rather than as part of a layered process. While the Internet and tech business may be driven by the "next cool thing", security is not. It's based on well-defined processes and practices. It will probably take a couple of years but management should eventually catch on (the hard way) and we'll go back to defense-in-depth.
joat: 12:30:00 7 Oct 2004
Further reason to avoid your basic LM hash for authentication:
joat: 12:00:00 7 Oct 2004
Wed, 06 Oct 2004
Here's one of the presentations from the upcoming ShmooCon, entitled "Wireless Weapons of Mass Destruction for Windows".
joat: 13:00:00 6 Oct 2004
Here is the process that hackers more or less take to break into systems. For those of you that are considering using this process, consider that law enforcement is getting better at tracking down hackers. Also, some of the data in that "howto" isn't exactly accurate. Example: l0pht is now a commercial business with gov't ties. Example: cDc lost their "key players" years ago and are now a forum for anti-government vents. If you must hack, do it to your own systems. Learn what it takes to clean up after a system has been broken into. Learn how to locate the bad code. Learn how to analyze the bad code. Start analyzing other people's break-ins (search Google for "Scan of the Month"). Figure out where your strengths are and shore up your weaknesses. Become an expert, not a convict.
joat: 13:00:00 6 Oct 2004
From TinyApps, a list of ADS-related links:
joat: 12:00:00 6 Oct 2004
Tue, 05 Oct 2004
This is a bit of a mish-mash but is a good discussion of why you should consider input from other departments during your incident response. However, it can be taken to the extreme, as the author shows in one example.
joat: 22:00:00 5 Oct 2004
From TinyApps comes a link to O'Reilly's new book: Knoppix Hacks - 100 Industrial-Strength Tips & Tools.
joat: 12:00:00 5 Oct 2004
One of my tangents led me to BeOS for Linux (scroll down a bit). I'm interested in playing with this once I get my desktop upgraded to an ivtv-capable distro.
joat: 12:00:00 5 Oct 2004
Mon, 04 Oct 2004
InformIT has an excerpted chapter from Defend IT: Security by Example. The chapter is entitled "The Role of Computer Forensics in Stopping Executive Fraud" and uses a case study to outline the process and highlight some of the issues encountered in investigations. (via Forensic Focus)
joat: 13:30:00 4 Oct 2004
I know most of the issues involving unauthorized copies of music but here's one. If the MPAA earns $.02 per blank CDR because they might be used for copying music, what right does the MPAA have to complain? If someone can point me toward any legal opinions on the issue, it would be appreciated. Also, since I've been burning logs and file backups to CDR for almost a decade (I'm in an area where magnetic backups don't last long) at the rate of 1 or 2 disks per day, is there any way I can get my $.02 back?
joat: 13:00:00 4 Oct 2004
Here's a news article about how LURHQ provided an expert witness to rebut a defense's expert witness. Seems they'd left out a bit of information about how spam can be bounced off of misconfigured systems. It's nice to see the legal profession finally catching up. Our area only has one technically trained lawyer and he is a very busy person. As dry and boring as most court cases can be, I'm looking forward to reading the judge's opinion on this. Google returns 15 links for this.
joat: 12:30:00 4 Oct 2004
Came across an interesting blog devoted to small apps and related information: TinyApps. The feed is here.
joat: 12:00:00 4 Oct 2004
Sun, 03 Oct 2004
If you're responsible for network security, this paper may help in evaluating your network's vulnerability to specific types of worms or in predicting how much damage a specific worm will do to your network.
joat: 13:00:00 3 Oct 2004
Barry Irwin has a pointer to a sample Certified Computer Examiner test. He's also made some comments about the material. Took the test and rec'd a grade of 80%. It would have been higher if I'd slowed down and closely read the questions.
joat: 12:30:00 3 Oct 2004
Here's a very good article about what attackers do to try and defeat honeypots.
joat: 12:00:00 3 Oct 2004
Sat, 02 Oct 2004
joat: 22:00:00 2 Oct 2004
I'm concerned that laws like this one get passed. The only thing that it does is make life just a little bit more inconvenient for us law-abiding types. Those that trade files illegally will continue what they're doing. Requiring an e-mail address to download mail has been done by the more prominent legitimate sites (e.g.: MP3.com) all along. Now it's law that everyone do it. Anyone else "get" that California seems to think they have jurisdiction over technology and the Internet? Don't think so? Define "file sharing". Poorly written laws tend to get enforced in extreme ways or not at all. The law is here. It doesn't say anything about P2P or any other specific manner of "file sharing". It only states that Californians have to disclose their e-mail address when more than 10 people are involved. It doesn't say to whom they have to "disclose" an e-mail address. Under that badly defined law, if a left coaster provides CC or GNU licensed matter on their website, they have to provide a legitimate e-mail address. I wonder how spammers will react to a new vector for address collection.
joat: 15:10:16 2 Oct 2004

From the Spyware and
Anti-Spyware Resources site, the following are links to articles
describing the symptoms of a spyware infection:
In the same list is a link to LI Utilities's Windows process
lists. A very good-to-have.
joat: 14:00:00 2 Oct 2004

Fred Avolio has some good pointers
for DMZ security. What he's describing is ingress and egress filtering
for the DMZ. Similarly, you want to tune your DMZ IDS in the same
way. You don't need specialized rules for MyDoom or SQL exploits if all
that's in your DMZ is a web server. Instead, turn on the signatures for
web exploits and create a signature or two to catch anything not
HTTP-based. Come to think of it, you're also going to see some DNS as
the server does name resolution on your visitors but, unless you're
running a DNS server in the DMZ, it will only be outbound queries. The
point is that you should know what's needed for your DMZ to function,
you should know what "normal" traffic looks like (keep metrics!) and you
should configure your protections accordingly.
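The tuning described above, worked as an added example that is not code from the post or from Fred Avolio: an allow-list of the flows a single-web-server DMZ actually needs, run over constructed flow records to pull out what the DMZ IDS should be alerting on and to keep the baseline metrics. The addresses, the record format and the resolver location are assumptions made up for the example.

```python
"""Allow-list triage for DMZ flow records (added example, not the post's code).

Constructed assumptions: the DMZ is 192.0.2.0/24 and holds one web server,
192.0.2.10, whose only legitimate traffic is visitors' HTTP/HTTPS and its own
DNS lookups to a resolver outside the DMZ, 198.51.100.53.  Records look like
"proto src:port dst:port bytes", one per line, one direction per record.
"""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")
WEB_SERVER = "192.0.2.10"
RESOLVER = "198.51.100.53"
WEB_PORTS = {80, 443}

Flow = namedtuple("Flow", "proto src sport dst dport nbytes")


def parse_flow(line: str) -> Flow:
    """Parse one 'proto src:port dst:port bytes' record."""
    proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), sip, int(sport), dip, int(dport), int(nbytes))


def service(f: Flow):
    """Return the 'proto/port' of the DMZ service a flow belongs to, or None.

    Records are one-directional, so both halves of a conversation must match:
    the client-to-server half and the server-to-client reply.  Matching on the
    server-side port alone is a known soft spot (an outbound connection that
    picks source port 80 would pass); flow data that records who opened the
    connection closes it.
    """
    if f.proto == "tcp":
        if f.dst == WEB_SERVER and f.dport in WEB_PORTS:
            return f"tcp/{f.dport}"
        if f.src == WEB_SERVER and f.sport in WEB_PORTS:
            return f"tcp/{f.sport}"
    if f.proto == "udp":
        # The server resolving visitor names, plus the resolver's answers.
        # Inbound DNS queries never qualify: no DNS server runs in this DMZ.
        if f.src == WEB_SERVER and f.dst == RESOLVER and f.dport == 53:
            return "udp/53"
        if f.src == RESOLVER and f.sport == 53 and f.dst == WEB_SERVER:
            return "udp/53"
    return None


def describe(f: Flow) -> str:
    """One-line reason a flow fell outside the allow-list."""
    if ip_address(f.dst) in DMZ_NET:
        return f"inbound {f.proto}/{f.dport} to {f.dst}: no such service in the DMZ"
    return f"outbound {f.proto}/{f.dport} from {f.src}: the web server has no reason to start this"


def triage(lines):
    """Return (anomalies, metrics): what the IDS should alert on, and the baseline."""
    anomalies, metrics = [], Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        svc = service(f)
        if svc is None:
            anomalies.append((f, describe(f)))
        else:
            metrics[svc] += 1       # keep metrics: this is what "normal" looks like
    return anomalies, metrics


# Constructed sample: five legitimate records and three that should alert.
SAMPLE_FLOWS = """
tcp 203.0.113.7:51234 192.0.2.10:80 4120
tcp 192.0.2.10:80 203.0.113.7:51234 31000
tcp 203.0.113.8:40001 192.0.2.10:443 9800
udp 192.0.2.10:33445 198.51.100.53:53 78
udp 198.51.100.53:53 192.0.2.10:33445 142
udp 203.0.113.9:5353 192.0.2.10:53 120
tcp 203.0.113.9:4444 192.0.2.10:1433 600
tcp 192.0.2.10:35000 203.0.113.50:6667 2200
""".splitlines()

if __name__ == "__main__":
    bad, seen = triage(SAMPLE_FLOWS)
    for flow, why in bad:
        print("ALERT", why)
    print("baseline:", dict(seen))
```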
joat: 13:30:00 2 Oct 2004

Apologies for the dearth of posts yesterday. My first day at the new
job. Also a busy evening. I also didn't notice that the one post I did
make got jammed (was fiddling with code and messed up the permissions).
joat: 13:00:00 2 Oct 2004

Fri, 01 Oct 2004

FurryGoat has a pointer to a cam
pointed at Mount St. Helens.
joat: 23:30:00 1 Oct 2004

Thu, 30 Sep 2004

Two people that I'm in awe of: Derek Jeter for his post 9/11 work and
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.
joat: 13:00:00 30 Sep 2004

CastleCops has an article
entitled "Phishing, Fraud and Other Dastardly Deeds, Part 1".
joat: 12:30:00 30 Sep 2004

Security Focus has a
multi-part series on "Detecting Worms and Abnormal Activities with
NetFlow": part
1, part 2.
joat: 12:00:00 30 Sep 2004

I've turned off the referer vanity for a bit. I'm taking a beating from
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.
joat: 11:45:00 30 Sep 2004

A working version of the JPEG buffer overflow was demo'd in class last
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective. Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda. What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port. So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was that XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat. But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool. To give proper credit, very little of
the above is my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo. As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures. Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLL's detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs. Oh, and one last thing:
"Good luck! You're on your own!"
joat: 11:30:00 30 Sep 2004

Wed, 29 Sep 2004

joat: 13:00:00 29 Sep 2004

LURHQ has a good commentary on the JPEG trojan that has some of the media upset. Many had first run with the initial story of it being a virus. It's not. It's a trojan. In other news, K-Otik has also posted an all-in-one version of the exploit.
joat: 12:45:00 29 Sep 2004

Here's a paper on "The Social Engineering of Internet Fraud".
joat: 12:30:00 29 Sep 2004

Here's a discussion of how to
cut connections using various methods on a Linux-based firewall.
joat: 12:00:00 29 Sep 2004

Tue, 28 Sep 2004

/. has an announcement about Evolution 2.0 being released. Since I already use SA, including it in the MUA may be redundant but I'd like to see what they're doing with it.
joat: 23:30:00 28 Sep 2004

Abe Usher (Sharp Ideas) has an
interesting post about
Graphviz that I'm probably going to need in the near future.
joat: 12:30:00 28 Sep 2004

Mon, 27 Sep 2004

The following links are going to be valuable in the near future as a
friend is having to deal with an infection: Also of interest is: DoxDesk Parasites
joat: 13:30:00 27 Sep 2004

Abe Usher (Sharp Ideas) has
glued together an AIM-based NMap
bot. This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out". Nice
tool if it's yours, nasty if it "belongs" to someone else.
joat: 13:00:00 27 Sep 2004

Here's a good article about the open source programs that are moving/showing up in the wireless arena.
joat: 12:30:00 27 Sep 2004

The House of Representatives recently passed a bill which would add
penalties for using false information for WHOIS records. (see Slashdot
article). This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records. The current practice is to use a pseudonym for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
it's BS.
joat: 12:00:00 27 Sep 2004

Sun, 26 Sep 2004

Found a blog for the upcoming Chaos Communication Congress. The blog is
here. The RSS feed is here. The wiki
is here.
Links to the previous three Congresses are here.
joat: 14:00:00 26 Sep 2004

Wait a minute! Are you telling me that people hook their copiers
directly to the Internet? Without the benefit of a firewall? And then
they're surprised when Google finds them?!?
joat: 13:00:00 26 Sep 2004

Interesting use of
technology. Hopefully it won't be considered an income stream.
Wonder how hard it'd be to configure an AP and street clients (iPaq's
owned by the audience) for multicast. It'd definitely change the
experience.
joat: 12:30:00 26 Sep 2004

Phil Libin (Vastly Important
Notes) has a pointer to a "gotta have" plugin for Firefox and IE: SpoofStick, which alerts you to the fact that you're visiting a spoofed web site. Wonder how long before someone writes a version for non-MS browsers. (Hint! Hint!)
joat: 12:30:00 26 Sep 2004

Sat, 25 Sep 2004

This is the sort of thing that always amazes me, when people can entertain themselves and others by creating art by combining technology and humans. It was art in that people thought it was fake, entertaining because of people's reactions to it. Without those reactions, it's just a phone booth. Next year something will probably have to change as people will expect it to be there.
joat: 15:00:00 25 Sep 2004

California law now bans
anonymous file sharing. How long before someone applies the law to
anything you can download from a website via a single-click or, for that
matter, figures out that visiting a website via a proxy constitutes
anonymous file sharing. This has the capability of getting really ugly
before it gets better.
joat: 12:30:00 25 Sep 2004

Here's a howto to
quickly make your web server available via IPv6 while you figure out how
to add IPv6 to the server itself. In other words, a reverse proxy with
IPv6 on one side, IPv4 on the other.
joat: 12:30:00 25 Sep 2004

Fri, 24 Sep 2004

joat: 12:30:00 24 Sep 2004

I agree with David Berlind (ZDNet article). Even if you don't officially allow "wireless" in your network, you still need to periodically scan for it. Given the extremely cheap availability of access points, you need to periodically check that one of your users hasn't added something to your network.
joat: 12:00:00 24 Sep 2004

Also, SANS has provided some Snort rules to
detect the JPEG bug.
joat: 11:45:00 24 Sep 2004

SANS has a scanner
available so that you can check your systems for the JPEG bug.
joat: 11:30:00 24 Sep 2004

Thu, 23 Sep 2004

joat: 22:50:00 23 Sep 2004

Same day this comes
out, I get laid off. Seems my salary came from a non-standard source
who needed the money for other things so blogging may get a little
spotty as I devote my time to looking for equivalent work. Such is a
contractor's life though....
joat: 22:45:00 23 Sep 2004

Brightly colored thumb drive around neck, cell phone on belt, trendy
slogan on t-shirt, Dockers --> likely poser.
Cell phone and 2 USB's in pocket, other pocket also lumpy, comfortable
(possibly faded) shirt and jeans, spiral notepad sticking out of back
pocket, ratty sneakers and bad haircut --> true network geek.
WTF is techno-cognoscenti?
joat: 22:00:00 23 Sep 2004

Here is version 2.0 of the User's Guide for Ethereal 0.10.5.
joat: 12:30:00 23 Sep 2004

joat: 12:00:00 23 Sep 2004

Wed, 22 Sep 2004

Has anyone been able to duplicate this
method of tunneling data via echo request/reply?
joat: 14:00:00 22 Sep 2004

I cannot vouch for the quality/accuracy (still no free time), but here's an online guide
entitled "Penetration Testing".
joat: 13:30:00 22 Sep 2004

Here's a semi-long piece
on fighting spyware, featuring the four biggies (Ad-aware, Spybot S&D,
CWShredder, and HijackThis) along with a set of pointers to other tools.
joat: 13:00:00 22 Sep 2004

Here's a really
good article discussing comment spam and the various methods you can use
to fight it.
joat: 12:30:00 22 Sep 2004

Tue, 21 Sep 2004

Liudvikas has
pointed it out previously but Sysinternals is a
good site for tools to monitor what's going on in your machine.
joat: 23:30:00 21 Sep 2004

Here's
a good "behind the scenes" article about the Internet Storm Center.
joat: 13:30:00 21 Sep 2004

Here's
a May Unix Review article which
discusses the value of running two instances of Snort: one tuned to
protect your service(s), the other with most, if not all, rules turned
on to see what's "floating around" on the Internet.
joat: 12:30:00 21 Sep 2004

Hmm... This has some
interesting entertainment, security and law enforcement applications.
joat: 12:00:00 21 Sep 2004

Mon, 20 Sep 2004

This site is a very
good compilation of the security problems involved with 802.11 wireless.
joat: 13:00:00 20 Sep 2004

Here's a PowerPoint presentation which discusses inadvertent disclosure of information and lists numerous publicly available sources of information. (via NetSec)
joat: 12:00:00 20 Sep 2004

Sun, 19 Sep 2004

NetSec has a pointer to the Google Hacking Guide from johnny.ihackstuff. Actually, it's a how-to for using Google to find vulnerabilities. If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.
joat: 14:20:00 19 Sep 2004

joat: 14:00:00 19 Sep 2004

David Coursey has a two-part column on computer forensics over on eWeek: part 1,
part
2.
joat: 13:30:00 19 Sep 2004

Here's a good Linux Exposed article describing the make-up of what makes Ethernet what it is: 802.3. (This is also what gets swapped out with 802.11 when you work with wireless.)
joat: 12:00:00 19 Sep 2004

Sat, 18 Sep 2004

Linux Exposed has a good article about attacks on *nix systems which is basically a good description of the various types of attacks against any system.
joat: 12:30:00 18 Sep 2004

Security Musings pointed this one out: if you're going to post
redacted Word files in a public forum, make sure you've scrubbed them first.
joat: 12:00:00 18 Sep 2004

Fri, 17 Sep 2004

Anyone know if anything ever came from the acoustic
cryptanalysis project from last year?
joat: 12:30:00 17 Sep 2004

My current cell phone is pushing three years old (cannot hold a charge
very long) and a new one is on my holiday wish list. Regardless of all
the problems with Bluetooth, it's a functionality that my coworkers
cannot live without, and one that I'm envious of. And, of course, there
are other uses that the manufacturers didn't intend.
joat: 12:00:00 17 Sep 2004

Thu, 16 Sep 2004

From NetSec comes a pointer to
an article about Near Field Communications which describes communication at very short distances, touting it as a security feature. I don't know about you but I can already think of a way around this "feature": antennas hidden under the table or in nearby innocuous-looking objects.
joat: 13:30:00 16 Sep 2004

joat: 13:00:00 16 Sep 2004

If you have anything to do with network administration and/or security,
you have to be well grounded in DNS theory. It's the service that
most everything else on the Internet depends on. It's also the source
of many of your network problems, intentional or otherwise. Here's a paper by Gideon T. Rasmussen which discusses basic troubleshooting steps. It's a bit CyberGuard-centric but does give you an idea for starting points for troubleshooting problems.
joat: 12:00:00 16 Sep 2004

I don't like the approach but this
paper contributes to the ongoing discussion (religious war?)
involving full disclosure.
joat: 12:00:00 16 Sep 2004

Wed, 15 Sep 2004

I agree with Axel that
it's not a failure of information security but that of people
when it comes to our current problems. I also agree that the thought
that security is mainly a technical problem, although popular within the
marketing realm, is a misleading one.
However, I dislike the view of a company's maturation. The quality of
any company's security depends on the quality (you can say "whim") of
the people within that company. A company's security "maturity" is
measured by how well its policies are accepted, practiced and enforced.
Unfortunately, it's not a progressive process. Any change (in finances,
employees, management, politics, love life, business model) has the
ability to massively affect the quality of an organization's overall
security.
joat: 13:00:00 15 Sep 2004

Here's a NIST Guide entitled "Security Considerations for Voice Over IP Systems".
joat: 12:00:00 15 Sep 2004

Tue, 14 Sep 2004

Doug Simpson has some good pointers
to IP Law primers.
joat: 13:00:00 14 Sep 2004

Here's a Naval
Postgraduate School thesis entitled "Using the Bootstrap Concept to
Build an Adaptable and Compact Subversion Artifice" by Lindsey Lack
which discusses the concept of an adaptable subversion artifice (a trap
door). It's a very interesting read and a bit scary if you consider
that we have to trust our closed-system vendors not to have included
something like this. Six lines of code?
joat: 12:30:00 14 Sep 2004

Back in the days when the term "hacker" denoted someone fascinated with
how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.
joat: 12:00:00 14 Sep 2004

Mon, 13 Sep 2004

Security Focus has a good article entitled
" Malware Analysis for Administrators". Sometimes you're it,
having to figure out what a miscreant piece of code does, having to
build/suggest countermeasures to minimize the damage of an outbreak.
joat: 13:00:00 13 Sep 2004

I'm not sure of the value (due to the size) but here's a paper on detecting sniffers in your network. It should at least give you some ideas to work from.
joat: 12:30:00 13 Sep 2004

Here's a
SANS paper discussing various features in IPTables.
joat: 12:00:00 13 Sep 2004

Sun, 12 Sep 2004

Security Focus has posted part 2 of their
series on the Metasploit framework.
joat: 13:00:00 12 Sep 2004

This thing has been laying around in a backlog for most of the year so
I'm not sure the service still works. The website is still there so I'm
assuming that it still does. Pizza Party is
a *nix-based command line program to order Domino's pizza via the QuikOrder web site.
joat: 12:30:00 12 Sep 2004

The subject matter is outside of my experience but may prove valuable to
someone: Here's
a " Shellcoding for Linux and Windows Tutorial".
joat: 12:00:00 12 Sep 2004

Sat, 11 Sep 2004

Maybe it's because I'm at the end of a very long week, I'm on a
one-month contract, or I'm just in a mood. In any case, this is another
one of my oversensitive vents. You won't miss anything if you skip this
post. Call us old school but there are many of us that distrust the
current market move away from "defense in depth". Symantec's Barry Cioe
(Senior Director of Product Management) has an article over on eBCVG about the move towards "local"
security. You can skip most of the article, it's more or less a
justification to buy the new all-in-one products on the market today.
What I'm venting about is Mr. Cioe's opening paragraph:

    A decade ago, Internet security pioneer Bill Cheswick proposed a
    network security model that he famously characterized as a "crunchy
    shell around a soft, chewy center." Today, as more and more
    "outsiders" - remote users, business partners, customers, contractors -
    require access to corporate networks, enterprises are finding the idea
    of a "soft center" obsolete, if not downright dangerous.

From reading that,
you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
dangerous. If you've ever read Mr. Cheswick's papers or listened to him
talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
use of the phrase is available here in this
paper. (You'll need a Postscript viewer.) He used the phrase
initially (1990) to describe AT&T's network at the time of the (Morris)
Internet worm:

    All of ARPA's protection has, by design, left the internal AT&T
    machines untested - a sort of crunchy shell around a soft, chewy
    center.

Obviously, it's not a security model
that he was proposing. Rather, he used it to describe an existing
condition and as a justification for hardening the system that your
security software runs on. This kind of thing irks me to no end. It's
right up there on my list of annoyances (no there's not an actual list)
with the mainstream press's assumption that "may you live in interesting
times", in Chinese, is a compliment. (Hint: it's not. It's a
curse.) I'll shut up now. Apologies to Bill Cheswick.
joat: 19:07:00 11 Sep 2004

The Security Monkey says it much better than I do, but today please remember those that gave their lives on that day three years ago. Some of them didn't know what happened, others knew what was ahead of them. I count myself as lucky in that I didn't know anyone that died that day. The closest I came to losing someone I know was a lady that I went to high school with. She missed work that day. Sarah Pickanose, you were so very, very lucky. (Not her real name but the rest of the class remembers the English Lit. class gone horribly awry!)
joat: 18:00:00 11 Sep 2004

For me, one of the nice things with switching to Blosxom is the ability
to write simple plugins. I had a lot of trouble writing anything for MT
but Blosxom plugins seem to be very easy. In any case, I've been
jealous of the acronym-in-a-title thingy over at Cox
Crow. To make the story shorter, I adapted Fletcher Penney's
AutoLink to make AutoAcryonym. If an acronym is in the file and in a
post, it will put a dotted-underline under the acronym and if you hover
the mouse over it, a "tag" will pop-up with the acronym
explanation. Oh, almost forgot, if you also borrow from Cox Crow's
style sheet, you can get the cursor to change to one with a "?" next to
it when you hover over one of the acronyms. (Exercise left up to you to
steal from Cox Crow's or my style sheet for the syntax.) Here's an
example:
BOFH
joat: 15:45:00 11 Sep 2004

Security Musings has a pointer to a site which allows members to view/critique each other's network diagrams. I like one of Security Musings' descriptions of it: "a honeypot for the dim-witted?". Scary!
joat: 13:30:00 11 Sep 2004

Dave
Piscitello's vent entitled "De-perimeterization is a crock..." is
right on the money. Network security, of late, has been hijacked by a
collection of people aiming to get-rich-quick by pitching something that
sounds new and improved.
joat: 12:00:00 11 Sep 2004

I tend to make others a bit jittery. I firmly believe that we have to talk about the "bad stuff" in order to keep the "good stuff" safe, as Adam said.
joat: 04:08:41 11 Sep 2004

Fri, 10 Sep 2004

Although I think it's a good idea that as many people as possible use
firewalls for their computers and their home networks (these are two
separate issues, BTW), I don't think anyone should be able to mandate
it outside of a corporate network. This
discussion is very scary and reminiscent of a recent presentation
that I attended where the speaker suggested mandatory PKI IDs for each
and every Internet user. There are some serious enforcement and privacy
issues involved. Don't forget, one size does not fit all. The machine
that I'm sitting at, as an example, passes through two firewalls and a
web proxy (for HTTP) or a virus/spam scanner (for SMTP, in both
directions) to connect to the Internet. However, it's nobody's business
whether or not I do this. Forcing me to use a specific firewall is
likely to involve an OS change and a degradation in security on my
part. Mine is considered non-standard and is customized (tuned) to
protect my configuration. To paraphrase the more paranoid militia
types: you'll get my firewall when you pry it from my cold, dead hands.
(Hmmm... Bumper-sticker material?)
joat: 13:00:00 10 Sep 2004

ComAanval and OpenAanval are the
commercial and free versions of a Snort console. This is on my list of
things "to do" once my life/workload quiets back down.
joat: 12:30:00 10 Sep 2004

Multiple mainstream news sites picked this up
and ran with it. Yeah, they are security problems, they're just not
Linux holes. LHA originally showed up on the Amiga and also runs on
Windows, FreeBSD and all (I think) of the commercial Unixes. Imlib can
be run on Linux, FreeBSD, and even Windows (under Cygwin). So how does
something that isn't part of the Linux core end up being a Linux
hole? This sort of thing does everyone a disservice (yeah, even the
Windows purists) as it just feeds the never-going-to-be-settled TCO
campaign that the purists on both sides wage on each other. Me? I'm a
mutt. I'll use what ever is available and can get the job done. I've
helped build/run two NOCs on very tight budgets.
joat: 12:15:00 10 Sep 2004

From NetSec comes a pointer to a collection of tools for people who reverse engineer malicious code.
joat: 12:00:00 10 Sep 2004

Thu, 09 Sep 2004

Here's
a tutorial entitled "Shellcoding for Linux and Windows".
joat: 13:00:00 9 Sep 2004

Version 2.0 of SendmailAnalyzer is out. I cannot stress the importance of maintaining an idea of what's going on in your networks (metrics, metrics, metrics!!). Believe it or not, crayon drawings are good for you too, not just for management.
joat: 12:30:00 9 Sep 2004

I'm a big fan of using key-based authentication for SSH connections.
However, to say you need to keep your keys secure is an understatement.
Need a reason? How about a brute force key cracker.
joat: 12:00:00 9 Sep 2004

Wed, 08 Sep 2004

The scanning speed for NMap scans has seen some attention recently.
While the new version has a sticky problem at very slow speeds (I can't
find the link into the mailing list but it involves SYN scans and Sneaky
speed), there is also a paper
which discusses optimization of scanning times.
joat: 13:00:00 8 Sep 2004

Just like it's becoming pointless to turn off SSID beaconing, it's
becoming useless to alter the version string in BIND. SecuriTeam has a piece (with
source code) that describes how to remotely figure out what version of
BIND is running, even without the banner information.
joat: 12:00:00 8 Sep 2004
