Sun, 29 Feb 2004
Yet another comment spammer trick. Leave a comment accusing the blogger of stealing search engine rank from the website, to quote: "your blog stole my google results".
The miscreant: "webmasterbrain dot com" (Hint: edited so that he gains nothing for page rank. Hopefully, he loses rank because I'm talking about it. Webmasterbrain, webmasterbrain, webmasterbrain!! Anyways, he's been added to the blacklist.)
Piss off Zoink!
(heh)
UPDATE: Err... I was talking out the wrong end of my anatomy (thus the strike-out above.) Apologies to Zoink in the comments below. Still don't know how I stole his google results. joat: 20:40:00 29 Feb 2004

I will not get into the argument of whether this is true or not. Just let me add that it's also the gun that most people shoot themselves or others with.
"Hey, watch this!"
**WHIR**
[** BANG!**]
Ouch.
joat: 15:29:00 29 Feb 2004

I'm assuming that this is a links page for Debian multimedia. In any case, it links to a lot of interesting projects. joat: 07:07:00 29 Feb 2004

Sat, 28 Feb 2004
It's obvious that people sometimes read this blog via search engines as people are still commenting on entries that are almost a year old. This example of advertising in comments, I consider to be "OK" as it directly relates to the topic, contributes to the discussion (short as it may be), and doesn't appear to be a comment that's pasted to every blog on the planet.
Thanks Sid! joat: 21:41:00 28 Feb 2004

Here's the (PDF) manual for Snort 2.1.1-RC1. joat: 21:26:00 28 Feb 2004

If you've designed things properly, you have a non-MS mail handler, just inside your firewall, that scans for viruses and spam before handing the mail off to your local Exchange box, and which also allows you to script filters in case of emergency so that this doesn't happen.
This can be done with Linux or FreeBSD (or variant), Sendmail/Postfix/QMail/etc., and Perl. Many commercial anti-virus vendors sell *nix versions of their scanners. The key technology here is Perl. If you watch your network metrics, you'll notice virus outbreaks before they're news on the anti-virus sites. A quick analysis allows you to write emergency filters to quarantine or delete traffic until such time that the vendors issue signature updates. joat: 21:15:00 28 Feb 2004
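An added example of the emergency filter described above (not the blog's own Perl, and written in Python): it reads one RFC 822 message off the gateway, quarantines it when an attachment carries an executable extension, directly or inside a zip, and only tags mail whose sole tell is an outbreak-style subject, since a subject line on its own is weak evidence. The rule values, addresses and sample messages are constructed and not taken from any real outbreak.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed emergency rule (assumed format, not the blog's own filters):
# the sort of thing written from a quick look at traffic before a vendor signature exists.
EMERGENCY_RULE = {
    "name": "emergency-outbreak-rule",
    "exec_ext": (".exe", ".scr", ".pif", ".bat", ".cmd"),
    "subject_re": re.compile(r"^(hi|hello|test|error)$", re.I),
    "action": "quarantine",
}

def executable_names(filename, payload, rule):
    """Return attachment names that look executable, looking inside zips."""
    name = (filename or "").lower()
    if name.endswith(rule["exec_ext"]):
        return [name]
    if name.endswith(".zip") or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist()
                        if n.lower().endswith(rule["exec_ext"])]
        except zipfile.BadZipFile:
            return [name]  # an archive the gateway cannot open counts as a hit
    return []

def classify(raw, rule=EMERGENCY_RULE):
    """Decide 'quarantine', 'tag' or 'deliver' for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hits += executable_names(part.get_filename(), payload, rule)
    if hits:
        return rule["action"], "%s: executable attachment %s" % (rule["name"], hits)
    subject = str(msg["Subject"] or "").strip()
    if rule["subject_re"].match(subject):  # subject alone is weak evidence: tag only
        return "tag", "%s: outbreak-style subject" % rule["name"]
    return "deliver", ""

def build_sample(subject, attach_name, attach_bytes):
    """Constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

def zipped(inner_name, data):
    """Constructed zip archive holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()
```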
Thu, 26 Feb 2004
Here's a website devoted to port knocking. joat: 11:45:00 26 Feb 2004

The penetration testing mailing list has a pointer to a paper about "Passive Information Gathering Techniques" (in PDF format). joat: 11:41:00 26 Feb 2004

Damned comment spammers are at it again. Oh well, 11 new domains added to the blacklist.
One new thing of interest. Some of the spammers are not spamming domains. Rather, they're making comments like "Cool site" and just posting their e-mail address. How do I know it's spam? It's always in comments for archived posts and it's usually the same or similar message from the same IP address in different posts. I'm guessing they're still trying to draw attention to their domain (in the e-mail address), just not as overtly as the other boneheads. These jerks get their domain blacklisted and their IP banned. joat: 01:13:00 26 Feb 2004

Here's the link to Foundstone's free security tools for Assessment, Forensics, Intrusion Detection, Scanning and Stress Testing. joat: 01:04:00 26 Feb 2004

Wed, 25 Feb 2004
A new version of John the Ripper is out. joat: 00:18:00 25 Feb 2004

Am I dreaming? Has hell frozen over? Was I mysteriously transported to an alternate dimension?
I arrived home from work today to find that my SysAdmin subscription included a free 180-day evaluation copy of Windows Server 2003 Enterprise Edition. Then this shows up in Slashdot along with an announcement that MS is going to include their own virus scanner in the next XP service pack. Given that anti-virus research tends to be based on being able to quickly analyze malicious code, this could turn into an expensive process (but it's something that they should have done years ago).
Is it me or is MS suddenly working with us (hybrid network users/admins/managers) rather than around/over/through/in spite of us? joat: 00:05:00 25 Feb 2004

Tue, 24 Feb 2004
(Courtesy of HackerIntel) Attrition is donating their defacement archive to Zone-H. This will create the largest database of web site defacements in existence. joat: 23:45:00 24 Feb 2004

joat: 00:46:00 24 Feb 2004

Sun, 22 Feb 2004
News.com.com has an article about the worries involved with the development and deployment of a patch. One thing the article doesn't discuss is the additional delay that some of the larger organizations add by having to research the effect that the patch has on their infrastructure.
joat: 23:47:00 22 Feb 2004

(Yet Another ARP Poisoning Tool) Further support for my stance that a VLAN is not a security measure: Seringe, from Michael Hendrickx. joat: 23:27:00 22 Feb 2004

I went through and cleaned out the dead links in the InfoSec category and then moved the entire listing to BlogRoll. For those interested (if any), the older BlogRoll links have either been moved into other categories or deleted. I guess I'm trying to refine the "focus" a bit. I'll continue to work on the main page links. Anything not directly related to the blog should be moved to the secondary (and much larger) links page. joat: 21:57:00 22 Feb 2004

Sat, 21 Feb 2004
Here's the home page for the Network Visualization Community. (Courtesy of Del.icio.us)
joat: 14:40:00 21 Feb 2004

From the document: "The purpose of the Engineering Principles for IT Security is to present a list of system-level security principles to be considered in the design, development, and operation of an information system." joat: 14:36:00 21 Feb 2004

Recently on the Honeypots Mailing List, IPTables::IPv4::DBTarpit looks like something to experiment with during "free time".
joat: 03:24:00 21 Feb 2004

Here's a regex tutorial, courtesy of Del.icio.us. Be warned! --> You may want to squint a bit when the page loads. The header colors are a bit bright. joat: 02:00:00 21 Feb 2004

Fri, 20 Feb 2004
Add this one to the "odd gadgets" list: "CueCat" joat: 18:34:00 20 Feb 2004

(Via Del.icio.us) How the Huffman compression algorithm works. joat: 01:57:00 20 Feb 2004

Thu, 19 Feb 2004
From Network Sorcery (courtesy of Tao Security): RFC 3675 - .sex Considered Dangerous.
It's not what you think. It's actually a discussion of the reasons why we've not yet seen ".sex", ".xxx" or similar. Network Sorcery is the company which sells the RFC Sourcebook, a good-to-have for people who work with application and network protocols. They also have a pretty decent online reference for IP protocols, complete with header diagram and an explanation of the protocol.
joat: 02:59:00 19 Feb 2004

Social bookmarking? Looks interesting but I don't know enough about it yet to explain it here. More later. joat: 01:54:00 19 Feb 2004

Elise has a blog with some cool tips for Movable Type. joat: 01:50:00 19 Feb 2004

Received my first comment spam since the powers that be (Thanks J!!) installed MT-Blacklist. Just for the info, 203.198.42.21 spammed me with rxweightloss dot org.
joat: 01:47:00 19 Feb 2004

Wed, 18 Feb 2004
joat: 00:49:00 18 Feb 2004

Here's a rough analysis of the MyDoom worm. joat: 00:46:00 18 Feb 2004

Here's the NIST page for all of the special pubs. joat: 00:44:00 18 Feb 2004

Mon, 16 Feb 2004
Here's another TCPDump tutorial, this one from Firetower Information Security, Inc. joat: 14:39:00 16 Feb 2004

I've been playing around with tying IPTables to Snort, experimenting with the idea of an adaptive Layer 3/4 firewall with layer 7 sensing (i.e., Snort senses something bad in content and sends a modification to the IPTables box). Not sure how well it's going to turn out but it's interesting to work on. Got sidetracked into the string matching capability of IPTables and lost a day of "work". Example (the backslashes in the original would be passed through to the match as literal characters inside double quotes, so they are dropped here):
iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --string "JOIN : #"
iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --string "PRIVMSG "
Courtesy of the Firewall Wizards Mailing List. joat: 14:20:00 16 Feb 2004
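An added example of the Snort-to-IPTables glue this entry describes (not code from the original post or from the Firewall Wizards list, and in Python rather than Perl): it parses constructed Snort "fast"-format alert lines, counts alerts per source address, and emits iptables DROP commands only for sources that cross a threshold and are not on a never-block list, because anything that turns IDS alerts into firewall changes can be steered into blocking your own gateway or resolver by spoofed traffic. The alert format is assumed, and the addresses, rule ids and threshold are constructed.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines (assumed format; not from the original post).
# 203.0.113.7 trips three IRC rules, 198.51.100.4 one, and 192.0.2.1 (our own
# gateway) three, as a spoofed flood aimed at getting us to block ourselves would.
SAMPLE_ALERTS = """\
02/16-14:20:01.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 203.0.113.7:3344 -> 192.0.2.10:6667
02/16-14:20:02.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 203.0.113.7:3345 -> 192.0.2.10:6667
02/16-14:20:03.000001  [**] [1:1000002:1] IRC PRIVMSG [**] [Priority: 2] {TCP} 203.0.113.7:3346 -> 192.0.2.10:6667
02/16-14:20:04.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 198.51.100.4:40001 -> 192.0.2.10:6667
02/16-14:20:05.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 192.0.2.1:5555 -> 192.0.2.10:6667
02/16-14:20:06.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 192.0.2.1:5556 -> 192.0.2.10:6667
02/16-14:20:07.000001  [**] [1:1000001:1] IRC JOIN [**] [Priority: 2] {TCP} 192.0.2.1:5557 -> 192.0.2.10:6667
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Addresses the firewall must never block on the IDS's say-so: the gateway,
# resolvers, upstream links. Constructed values.
NEVER_BLOCK = {"192.0.2.1", "127.0.0.1"}

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that do not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def decide_blocks(lines, threshold=3, never_block=NEVER_BLOCK):
    """Sources with at least `threshold` alerts get blocked unless protected.
    Returns (blocked, skipped) as sorted lists of source addresses."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[alert["src"]] += 1
    noisy = [ip for ip, n in counts.items() if n >= threshold]
    blocked = sorted(ip for ip in noisy if ip not in never_block)
    skipped = sorted(ip for ip in noisy if ip in never_block)
    return blocked, skipped

def iptables_rules(ips):
    """Commands the Snort box would hand to the IPTables box (not executed here)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]
```

In practice the rules need an expiry as well, or one burst of alerts turns into a permanent block list.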
Sun, 15 Feb 2004
The March issue of Linux Journal has a piece on OfflineIMAP. It took a bit of tweaking to get it to run on the older laptop my employer provided but it does work. Makes it very convenient for me as I subscribe to a lot of mailing lists and often don't have the time to sit at home to read through them. Being able to sync the laptop to multiple mail servers and work offline is an awesome ability.
A nice coincidence that fits in nicely with the project is that I do not use the default inbox. I use Procmail as my incoming MTA and anything that passes all the way through those filters (SpamAssassin, SpamBayes, topic sorting, etc) gets filed in a different inbox folder. It took a long while to sync initially, due to the size of my e-mail archive, but updates are quick enough.
My thought for its use: fire up the laptop, start the sync, go build the coffee for the morning, and take both to work a few minutes later.
With a bit of tweaking, I can see this used as a way to maintain mail backups. joat: 12:43:00 15 Feb 2004

It's not really a tutorial but Gideon Rasmussen has posted a short explanation of the protocols used in a typical web query. You need to know this as a SA or NSO. joat: 12:30:00 15 Feb 2004

Another for my own future use: checking entries using JavaScript (from Scripty Goddess).
joat: 11:33:00 15 Feb 2004

ComputerWorld has an article which gives a really basic description of what a honeypot is/does. joat: 04:47:00 15 Feb 2004

(Prompted by a Slashdot scrape...)
One thing that seems to be catching on is specialized *nix distributions, specifically Knoppix. Here's a list of what I could find in a 15-minute search.
joat: 04:21:00 15 Feb 2004

I've added the "Add to MyYahoo" button to the top right for those that like MyYahoo's RSS handler (can't say aggregator as it's somewhat limited in its functionality).
Anyways, enjoy! Thanks to Jeremy for the pointer. joat: 03:20:00 15 Feb 2004

Sat, 14 Feb 2004
It's a little light on live links but does have good pointers for tracking down various papers on malicious code (see the bibliography section): NetWorm.org. joat: 00:59:00 14 Feb 2004

joat: 00:58:00 14 Feb 2004

Found during a search for a good Diffie-Hellman presentation, Is-It-True.org has a link page with a good collection of security-related links. joat: 00:56:00 14 Feb 2004

Thu, 12 Feb 2004
LogAnalysis.org has been around awhile. Although Marcus (yes, that Marcus Ranum) and tBird won't openly admit it, their main purpose in life is to produce more people on the planet capable of reading their own log files. A good SA or NSO should be able to read/filter raw logs. Think I'm kidding?
In any case, check out their online library. It's a good URL to have for reference. joat: 11:27:00 12 Feb 2004

Dana (over at SilverStr's Blog) has a pointer to the Group Policy Settings Reference for WS2K3 and XPSP2.
joat: 11:26:00 12 Feb 2004

Wed, 11 Feb 2004
Hey, DC has a Snort Users Group, complete with blog!
It's too bad they don't have an RSS feed. (HINT! HINT!) joat: 11:48:00 11 Feb 2004

Snort-Wireless is a site to keep an eye on, for further developments. joat: 11:47:00 11 Feb 2004

Added Google games to the wiki. joat: 11:22:00 11 Feb 2004

NIST has an RFC for IPv6. Yes, they really want comments. You have about four weeks to provide your input. joat: 02:22:00 11 Feb 2004

This is a reminder for me: Watch for this book! He also has some interesting things linked on his homepage.
Aside: Richard, I want one! Who's the publisher?
Aside: Rob, if you still read this blog, this may be a book for one of your classes. It looks like Richard uses your method for "proving" how something works. joat: 02:17:00 11 Feb 2004

joat: 02:14:00 11 Feb 2004

Yeah, it's a Slashdot scrape, but it's important.
Digital forensics, especially image enhancement and incident tracing, are undergoing the same growing pains as did fingerprints and DNA. With digital forensics, it's that much more difficult as it's easier to fake ones and zeros than it is to fake molecular constructs. It's always an uphill climb for any technology to be used as scientific evidence in criminal cases.
Anyone see the problem in the following quote from the defense lawyer in the CNN story?
" Until there's a history of [what was done and when], not only will I attack it, it should be attacked. Otherwise, you are relying solely on the word of the person doing the work. That's not something I would like to do when someone's facing life in prison or death."
For those that don't see it, think about expert witnesses. WIth DNA or fingerprints, each side supports or attacks the evidence presented via an one or more expert witnesses. Often, jury decisions are based on which expert witness appeared to be more knowledgable, whether they actually were or not. (Hmm... It just occurred to me that this has a lot in common with those vendors that are able to convince management to buy a product even though you've been telling them for the last six months that the product is junk.) WIth digital evidence, until specific techniques become generally known and accepted as "common knowledge", we're going to see decisions like " a trojan did it!". joat: 01:39:00 11 Feb 2004 |
|
|
Mon, 09 Feb 2004
To do list for the coming weekend:
- fix SpamAssassin install (priority!!)
- experiment with Squid authentication schemes
- work on term paper
joat: 10:53:00 9 Feb 2004

I'm too lazy to go over and post on LazyWeb but this might be the basis for a decent lookup tool if anyone wanted to code the front-end to it. joat: 10:39:00 9 Feb 2004

Unix Review has an article describing the basics for configuring the Apache web server. joat: 10:29:00 9 Feb 2004

ComputerWorld (AU) has an article which talks about the options for avoiding known attacks, with commentary about the approaches used by Microsoft and SCO in the current MyDoom attack.
One thing the article does not talk about is the measures that the "sending" service providers can take. These are varied and numerous. Most involve knowing what your (as a service provider) normal traffic looks like and what isn't normal traffic (i.e., network "flow" metrics). Some involve the use of sniffers (a temporary Snort box works wonders for specific attacks such as MyDoom). Still others involve log file review (a web-based DDoS showing up in proxy logs? Naw!). A lot of it depends on the configuration of your network.
In any case, while the victim's business model may demand that "something be done" to provide continuity, it's also your responsibility (as a service provider) to monitor your network and take corrective (or preventive) measures to mitigate the attacks.
Then again, it may be in the best interest of your current business model to appear the victim and periodically fall off the net (*cough* Santa *cough* Claus *cough* Online *cough*). joat: 10:24:00 9 Feb 2004

Sun, 08 Feb 2004
It's been awhile since I looked at DShield, almost since the project started, but I'm now pleasantly surprised that they accept a number of other inputs, including Snort. joat: 23:17:00 8 Feb 2004

RootSecure.net pointed out Bradford University's semi-serious pronunciation guide "for miscellaneous things Unix". Odd that "switch" doesn't equate to "-" though. joat: 17:17:00 8 Feb 2004

ComputerWorld has an article which describes the steps to take to protect your network from infection. It's a bit basic but that's where you've got to start. joat: 02:54:00 8 Feb 2004

News.com.com has an article that summarizes the Internet law-related news from last year. joat: 02:30:00 8 Feb 2004

For my future use: Here's a bit about putting JavaScript in CSS. joat: 02:23:00 8 Feb 2004

Sat, 07 Feb 2004
joat: 03:47:00 7 Feb 2004

Someone on the Penetration Testing mailing list noted that Frank's Corner has some pointers for loading various programs under Wine (check the Howto's option). It appears that even l0phtCrack will run under it. joat: 03:46:00 7 Feb 2004

Thu, 05 Feb 2004
While the generated graphic is not as extensive as Disruptive Tech's, TouchGraph is an interesting alternative view of a website. joat: 11:47:00 5 Feb 2004

If you're going to redact your documents to make them suitable for public release, make sure that you also redact the document info (properties) and ensure that the deletions are not reversible. Liudvikas Bukys has a pointer to an article about it. joat: 11:46:00 5 Feb 2004

Good to know if you're the forensic or security type. Thanks to Mark Swan for the link to Microsuck. joat: 11:45:00 5 Feb 2004

Wed, 04 Feb 2004
GrayScales has a bit about a spyware attack that's interesting reading. joat: 11:48:00 4 Feb 2004

ComputerWorld has an article which describes the two most common mistakes made by companies, which complicate forensics investigations.
I cannot stress this enough: "As a system administrator, your job is to determine why a box is acting up. If you discover a break-in, call law enforcement and/or the incident response team. While you're waiting for them, write down what you did up to that point. DON'T DO ANYTHING ELSE TO/WITH THE BOX!!!!" joat: 11:46:00 4 Feb 2004

joat: 11:45:00 4 Feb 2004

Here's one of the reasons that you should reset the default passwords on your equipment BEFORE you connect it to the Internet.
(via The Lost Olive) joat: 11:44:00 4 Feb 2004

Hacker Intel is reporting that Microsoft is weathering the storm via undisclosed measures. Could it be that "www.microsoft.com" is now a CNAME for "www.microsoft.akadns.com"? For those that can't take it further, "akadns.com" is Akamai. This means that Microsoft is "leaning into the wind" by providing more service capability than the Internet bandwidth can load.
Not to restart the argument but this method is more irresponsible than the one used by SCO in that ISPs will end up paying more to the backbone providers.
It IS an interesting solution though. I wonder how much MS is paying for the distributed website. joat: 02:26:00 4 Feb 2004

Various talking heads have noted the speed with which Mydoom has spread. Karl Wolfgang (on the Full Disclosure list) even used it in part of a warning to non-MS and supposedly secure networks to "not rest on your laurels".
In reading Karl's post, I noted that the author of Mydoom had modified his code so that it avoided domains that contained specific keywords (see Sophos for the lists). It appears that the author wanted the worm to avoid "wasting its time" in that he may have been trying to skip domains that are Unix-based or known to have better security than the rest of the Internet. At the local ISSA meeting, someone else stated that attacking ".gov" or ".mil" could allow for the use of the Patriot Act? Agree/disagree to either? Comments?
As a side note, Chris Neitzert (on the Full disclosure list) has provided a Procmail recipe to filter Mydoom from incoming mail. joat: 01:03:00 4 Feb 2004

Tue, 03 Feb 2004
Is this a good thing or a bad thing? My first impression is that it's something that spammers can use to register untraceable domains. joat: 15:02:00 3 Feb 2004

Hand Sterilizer (for your favorite hypochondriac) Air Ionizer (Somewhere along the line, weren't we warned that ionized air was "bad" because it caused dust particles to attach to surfaces, like equipment?) joat: 02:12:00 3 Feb 2004

Mon, 02 Feb 2004
Linux.com has an article entitled "Network Administration From a Linux Desktop" which describes various tools that you can use to help run your network(s). Many of these are nice-to-have, even if your network is MS-only. Installing these tools not only results in easier network monitoring/management, you learn something to boot. joat: 00:59:00 2 Feb 2004

Again, for my reference.
It's a really bad idea (PDF readers are more ubiquitous than MS Word) but it's a useful tool nonetheless: a PDF-to-Word Converter. joat: 00:54:00 2 Feb 2004

Sun, 01 Feb 2004
NetCraft has a semi-serious article which presents the various options for SCO to take to prevent damage that's supposed to occur in tomorrow's scheduled attack on their website.
The only viable solution at this point in time is #5: set the A record to localhost.
My question is: what if they DON'T set the A record (even temporarily) to 127.0.0.1? Any other solution will cause extremely heavy (if not overwhelming) traffic on the Internet. Are we going to see a class-action suit for lack of due diligence?
joat: 02:46:00 1 Feb 2004