(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.
Tue, 31 Aug 2004

What did I do? 31 Aug
All of a sudden I have 10 concurrent readers and 32 referrals from a Google search for "joatblog". Anyone know something I don't?

joat: 23:00:00 31 Aug 2004


Still more on the Graffiti Bike 31 Aug
Wired has another article about the Graffiti Bike guy.

Hmm... Using his lawyer's logic, it's okay to TP the town hall if I call it "art" or "freedom of speech"? Hey, it's biodegradable and eventually washes away.

joat: 15:00:00 31 Aug 2004


Blogspot Problems 31 Aug
The comment spam from suspicious looking Blogspot (Blogger.com) sites is getting out of hand. It's starting to look like filtering the entire domain is the only option, something I'm reluctant to do as there are quite a few legitimate sites that are worthwhile to log. Maybe I should drop the vanity function altogether?

joat: 13:30:00 31 Aug 2004


Airpwn 31 Aug
This is one of the reasons why you spend a week or so slicking, reinstalling and locking down your laptop before you go to Defcon and re-slick it once you're done. It's also one of the reasons why you go to Defcon. Hilarious!

Yeah, I know, it was only data injection but there are other more evil things lurking out there. I wonder if anyone was able to figure it out without help.

joat: 13:00:00 31 Aug 2004


Banned books 31 Aug
More evidence that there are more forehead bruises in my future. Admittedly, there are some books on there that I'd probably never read and a few shouldn't be in the hands of anyone in elementary or middle school, but I've read a lot of those books, many in middle or high school.

joat: 12:30:00 31 Aug 2004


Wireless MAC Spoofing 31 Aug
Here's a paper on detecting MAC address spoofing in a wireless environment.

joat: 12:00:00 31 Aug 2004


Mon, 30 Aug 2004

TCP/IP Illustrated Online 30 Aug
Here's the online version of Mr. Stevens's book.

joat: 13:30:00 30 Aug 2004


Another Lawsuit 30 Aug
I was wondering how long it would take before someone would sue MS for their newest round of marketing practices. From /. comes news that various local governments in California are suing for MS's use of predatory pricing practices.

I can see their point, I'd be ticked too if I spent $200 for XP and my next door neighbor got it for $50 bucks 'cause he'd stated that he was considering switching to *nix.

The problem is going to be the punishment though. Do you think fining a company $100 million is going to hurt when they've profited $500 million? I wouldn't be surprised if it's written off as an operating expense at some point.

joat: 13:30:00 30 Aug 2004


WEP 30 Aug
Even though WEP attack tools continue to be written, if it's all you have, you should still use it. It at least prevents spread of infection from nearby systems that are not part of the network and requires that attackers have one more step in their attacks.

joat: 13:30:00 30 Aug 2004


What is Public Information? 30 Aug
This one really irks me. Since when does information concerning a housing association constitute public information? Yes, any member of the organization should be able to examine the records but the organization is funded by member dues, not "public money".

I also dislike the Community Council's reaction as it sets a troublesome precedent that is going to require someone going to court to reverse. Given that just about every housing association in the U.S. has a lawyer on retainer, I think Mar Vista Community should fire theirs.

joat: 13:00:00 30 Aug 2004


Telemarketer counter-script 30 Aug
This is hilarious, especially the part where the telemarketer is uncooperative.

joat: 12:00:00 30 Aug 2004


JohnnyIHackStuff 30 Aug
Tejas Patel's query about a backend for JohnnyIHackStuff prompted me to search Google for it (heh). Here's the feed:

http://johnny.ihackstuff.com/backend.php

joat: 11:30:00 30 Aug 2004


Sun, 29 Aug 2004

Graffiti Bike Update 29 Aug
It looks like the inventor of the graffiti bike is not going to be able to protest the RNC. According to /. he was arrested during a television interview for vandalism. The IndyMedia site appears to be in the middle of a Slashdotting so I can't grab the details. Maybe later.

joat: 19:00:00 29 Aug 2004


Rootkit Hunter 29 Aug
The new version (1.1.7) of Rootkit Hunter is out. New features include: support for the ADM worm, support for MzOzD and spwn, LKM filename checks, and tests for passwordless user accounts.

joat: 16:00:00 29 Aug 2004


No Op 29 Aug
Just for info: one of this semester's classes is: CyberLaw so don't be surprised if things gain a bit of law-related flavor.

joat: 13:00:00 29 Aug 2004


Spamming Punishments 29 Aug
(from /.) The US Sentencing Commission has proposed guidelines for punishment under the CAN-SPAM act.

joat: 12:30:00 29 Aug 2004


Spam Filtering for Mail Exchanges 29 Aug
Here's a site which explains spam filtering for systems acting as mail exchangers. The subtitle is "How to reject junk mail in incoming SMTP transactions."

joat: 12:00:00 29 Aug 2004


Sat, 28 Aug 2004

DoS Attacks 28 Aug
Infosec Writers has a piece entitled "DoS Attacks: Instigation and Mitigation". I haven't read it yet but the promo is interesting enough.

joat: 13:00:00 28 Aug 2004


Distributed Metastasis 28 Aug
Here's a PacketFactory paper discussing how a network intrusion spreads. As of last week, this is one of the papers being used in a class that I took last year. The classroom is packed, preventing anyone (like myself) from auditing or otherwise crashing the class. [**SNIFF**]

Actually, Rob is also using the paper to teach defenses in the same manner.

joat: 13:00:00 28 Aug 2004


CallerID Spoofing Service 28 Aug
I'm not sure that we really need a callerID spoofing service and I don't believe the local phone company will put up with it for long. (From: Security Focus).

joat: 12:30:00 28 Aug 2004


New Honeywall 28 Aug
The Honeypots Mailing List has a post announcing a new version of The Honeywall CDROM (from the Honeynet Project).

joat: 12:30:00 28 Aug 2004


Hijacked IPs 28 Aug
Here's a site which lists hijacked IP space, bogon IPs, invalid WHOIS data, and other stuff.

joat: 12:00:00 28 Aug 2004


Fri, 27 Aug 2004

Wiki 27 Aug
Dkgoodman and I have added a few things to the Wiki recently: Google-related sites, a format change for the Glossary, and a definition for the Cinderella Attack (courtesy of Burak Dayioglu). The listing of changes is here.

joat: 13:30:00 27 Aug 2004


Bots, Arachnids, and Other 27 Aug
WebRef has an interesting article describing the basic theory behind bots, spiders, and web crawlers.

joat: 13:00:00 27 Aug 2004


802.1x 27 Aug
Infosec Writers has a paper on 802.1x-based port authentication. This is good to know if you have anything to do with corporate VLANs or wireless.

joat: 12:30:00 27 Aug 2004


Wireless Security 27 Aug
Here's a SANS paper which discusses wireless security. The author seems to have missed that Microsoft's and Cisco's versions of PEAP are not compatible but it's still a good paper.

joat: 10:00:00 27 Aug 2004


Thu, 26 Aug 2004

Running Man 26 Aug
This looks to be interesting to play. Probably boring to watch though.

joat: 13:30:00 26 Aug 2004


Stealing Passwords Via Browser Refresh 26 Aug
Infosec Writers has a paper discussing the theft of passwords via browser refresh and back features, and countermeasures. It makes some assumptions about browser use and configuration but is accurate to a point. Here are some additional (user-level) guidelines to avoid this vulnerability:
  • clear your history (or temporary Internet files) after each use
  • turn off auto-complete if it's available
  • turn off the browser's password manager
  • don't use the "remember me" feature on the website
  • close the browser and reboot the machine when you're done with the site

Yeah, some of those are a bit anal but if you're worried about the data controlled by a certain website, it may be worth the trouble.

joat: 13:30:00 26 Aug 2004


Squish DNS checker 26 Aug
Squish's dns checker does some really heavy duty records checking. Very useful for DNS admins.

joat: 12:30:00 26 Aug 2004


419 26 Aug
Barry Irwin has an interesting post about the recent 419legal.org hijinks.

joat: 12:00:00 26 Aug 2004


Wed, 25 Aug 2004

The sky is falling, the sky is falling! 25 Aug
OMG! OMG! The Internet is going down tomorrow. The short version is that terrorists have predicted that they will take down the Internet some time tomorrow. So far, it appears to be a hoax.

What if it isn't? Here are some things to do ahead of time to minimize your withdrawal symptoms:

  • Make an emergency host table of all of your favorite sites, keep it offline
  • stand up your own domain server, use the host table to build zone files for those domains (i.e., declare yourself authoritative for those zones)
  • make sure your IDS signatures are up-to-date
  • same goes for your patches
  • make sure your call tree is up-to-date
  • go to the library, video or game store and borrow/rent/buy that book/video/game that you've been wanting to read/see/play.

If the world does end, you're that much ahead of the game and probably not offline altogether. If the world doesn't end, hey, you won't have much to do on Friday and will already have the entertainment for the weekend.
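The "host table to zone files" step above, as an added example that is not part of the original post: it parses an /etc/hosts-style table (a constructed sample), groups the names by zone, and emits a BIND-style zone file per zone. The zone name is assumed to be the last two labels, and the SOA/NS values are placeholders.

```python
"""Build BIND-style zone files from an emergency host table."""
import ipaddress
from collections import defaultdict

# Constructed sample host table in /etc/hosts layout: "IP name [alias...]".
SAMPLE_HOSTS = """\
# emergency host table (constructed sample)
192.0.2.10   www.example.com example.com
192.0.2.25   mail.example.com
198.51.100.7 wiki.example.org
2001:db8::1  ipv6.example.org
not-an-ip    bogus.example.net
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, skipping comments and bad lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in fields[1:]:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def group_by_zone(pairs):
    """Group hostnames by zone (assumed: the last two labels of the name)."""
    zones = defaultdict(list)
    for ip, name in pairs:
        labels = name.split(".")
        if len(labels) < 2:
            continue  # bare hostnames have no zone to be authoritative for
        zone = ".".join(labels[-2:])
        # Owner name relative to the zone origin; "@" for the apex itself.
        owner = ".".join(labels[:-2]) or "@"
        zones[zone].append((owner, ip))
    return zones


def render_zone(zone, records, ns="ns.local.", serial=2004082501):
    """Render one zone file; the SOA/NS values are assumed placeholders."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        f"@ IN SOA {ns} hostmaster.{zone}. ({serial} 3600 900 604800 3600)",
        f"@ IN NS {ns}",
    ]
    for owner, ip in sorted(records, key=lambda r: (r[0], str(r[1]))):
        rrtype = "AAAA" if ip.version == 6 else "A"
        lines.append(f"{owner} IN {rrtype} {ip}")
    return "\n".join(lines) + "\n"


def build_zones(hosts_text):
    """Map zone name -> zone file text for every zone in the host table."""
    zones = group_by_zone(parse_hosts(hosts_text))
    return {z: render_zone(z, recs) for z, recs in zones.items()}


if __name__ == "__main__":
    for zone, text in build_zones(SAMPLE_HOSTS).items():
        print(f"--- {zone} ---")
        print(text)
```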

joat: 17:25:28 25 Aug 2004


Hash Howto 25 Aug
UnixWiz has a piece entitled "An Illustrated Guide to Cryptographic Hashes" that helps explain (a bit) the recent panic over broken hashes.

joat: 13:30:00 25 Aug 2004


Future fight? 25 Aug
I like that companies are installing wireless every "downtown". The problem I have with it is I can foresee someone standing up their own wireless network in the same area and having to hire a lawyer because the two interfere with each other. In other words, my free network will interfere with (or steal customers from) the for-pay network.

joat: 13:00:00 25 Aug 2004


Some good news 25 Aug
This is good news in that possession of the tools of a crime is not illegal in itself. Otherwise, you'd be suspect for every sharp or blunt object in your house. It's the use of those tools which can be criminal.

Before we get into that argument, I don't condone illegal file sharing. It's just that possession of certain software (port scanner, vulnerability scanner, password checker, spam filter) should not be cause for arrest. I run each of those tools on my network. I also "possess" numerous file sharing programs as part of research for network security (Nessus/NMap/Snort signatures, etc.). I just don't use them.

joat: 13:00:00 25 Aug 2004


Malware Analysis 25 Aug
Security Focus has a short paper entitled "Malware Analysis for Administrators" which is interesting reading. It doesn't walk you through a how-to but it does have a good list of the tools needed and some basic theory behind the process.

joat: 12:00:00 25 Aug 2004


Hydra 4.3 25 Aug
From HERT comes news that Hydra 4.3 is out.

joat: 11:30:00 25 Aug 2004


Tue, 24 Aug 2004

BugMeNot 24 Aug
Wired has a short news piece about the latest troubles at BugMeNot, a source for throw-away registration addresses. I'm filing this under Silliness as BugMeNot is alleging "mysterious circumstances" while the previous provider is stating "server failure".

joat: 22:30:00 24 Aug 2004


dd_rescue 24 Aug
I can't help thinking that dd_rescue might have other uses (but I can't think of any right off).

dd was originally used for hard drive maintenance and also became a staple of many forensics people's toolkits. The trick was that you had to know what you're doing. Encase has since simplified the process and its output is challenged less and less.

For you more paranoid types, this means that you should destroy even the damaged hard drives.

joat: 13:00:00 24 Aug 2004


Let him without sin cast the first... 24 Aug
The Register has an article in which a survey of corporate directors blame employees for virus infections.

Bubbas better look in the mirror first.

My first network job required that I chase viruses (this was before there were enterprise solutions). I once spent an entire day running back and forth between the department head's office and the division office because they kept re-infecting each other while I was in transit. Come to think of it, that was my first forehead bruise too.

joat: 12:30:00 24 Aug 2004


Basic Web Session Impersonation 24 Aug
Security Focus has an interesting article which discusses the basic theory and countermeasures behind web-based session attacks.

joat: 12:00:00 24 Aug 2004


Mon, 23 Aug 2004

Brute forcing SSH 23 Aug
K-Otik has posted the source code for a brute force attack tool for SSH. It's quite a simple tool, the author having built the dictionary into the code rather than relying on external dictionary files. I still get the impression that it will be effective against those systems with poor configurations and weak passwords (there are more of them than you think).

Countermeasures:

  • edit the SSH config to limit who can log in via SSH (hint: root should not be one of these)
  • configure your IP filters (routers, IPFW, IPTables, etc.) so that only certain IPs can connect with SSH
  • consider using SKey, user-level keys, Kerberos or some other type of authentication
The idea is to turn off the default username/password authentication.
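As an added example (not code from the original post or from OpenSSH), here is a small checker for the countermeasures above, run against a constructed weak sshd_config and a hardened one. The directive names are OpenSSH's own; the user names and address range in the hardened sample are assumptions.

```python
"""Audit an sshd_config for root login, user restriction and password auth."""

# Constructed "before" config: the era's defaults, nothing tightened.
WEAK_CONFIG = """\
# sshd_config (constructed sample, weak)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed "after" config with the countermeasures applied.
HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@192.0.2.0/24
"""


def parse_sshd_config(text):
    """Return {directive_lower: value} using the first occurrence of each.

    sshd honours the first value it sees for a directive, so later
    duplicates are ignored here too.  Comments and blank lines are skipped,
    and both "Key value" and "Key=value" forms are accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    # Defaults used below are OpenSSH's defaults of the time ("yes").
    root = cfg.get("permitrootlogin", "yes").lower()
    if root not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin allows direct root logins")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account may log in")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: dictionary attacks apply")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is on: a password prompt may still be offered")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or ['OK']}")
```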

joat: 13:30:00 23 Aug 2004


RSS Weather 23 Aug
From Furrygoat comes a pointer to getting your local weather via RSS feed. To quote a friend, "cool beans!"

joat: 13:00:00 23 Aug 2004


Tivo Sharing II 23 Aug
I would certainly buy this. I would share with three people: me (my desktop), myself (my laptop, for travel), and possibly I (any other portable device I might own). (Quick, somebody buy me an iRiver, PQI, or NeoSol portable!!)

joat: 13:00:00 23 Aug 2004


Neal Stephenson 23 Aug
I'm putting this one on my wish list: Neal Stephenson's second book in the Baroque Cycle has been out for quite awhile. Sorry to say, I'm still wading through Quicksilver, only getting time for recreational reading during lunch at work (yeah, that's me in the McDonald's parking lot).

joat: 12:00:00 23 Aug 2004


Sun, 22 Aug 2004

Wiki/Blog interface 22 Aug
I've installed a couple of new Blosxom plugins and learned how to add name anchors to the Wiki. The idea is that the autolink plugin would automatically link to certain entries in the wiki glossary and/or the wiki proper. I've also thrown in extra links to Google, Yahoo, and other well-known sites.

All of the links in this post were automatically added by the plugin. Of course, I have to tweak the plugin (can't resist that) and then manually add the entries but it saves typing in the long run. Let me know if I get out of hand?

joat: 19:00:00 22 Aug 2004


MS Port List 22 Aug
One of the must-haves in any network security or admin type's toolkit should be the Microsoft Port List. Barry Irwin has even provided an HTML conversion of the XLS for us non-MS users.

joat: 12:30:00 22 Aug 2004


Weather feeds 22 Aug
Joy Larkin (at Confessions of a G33k) has pointed out that the NOAA has feeds for their Atlantic and Pacific forecasts.

joat: 12:15:00 22 Aug 2004


Bootable Windows CD 22 Aug
Even though they exist, I haven't had much use for bootable Linux CDs (only needed one once to rescue a Linux hard drive). However, I've needed a bootable Windows CD a number of times but didn't have it. I'm not that talented with the minutiae of Windows administration. Hopefully, this will come in handy the next time I need it. (Thanks to ryumaou at Diary of a Network Geek for the pointer).

joat: 12:00:00 22 Aug 2004


Profile of a referer spammer 22 Aug
I just love it when the spammers make it easy for me. (Warning: adult content in the last line.)

My complaint centers around referer spam rather than e-mail spam. Because my site lists recent referers, I've come under "attack" from a specific IP address: 63.227.76.25. That IP address has spammed my site with links to:

   www.usa-dui-research.com
   www.global-medical-research.com
   www.global-home-improvement.com
   www.wi-fi-bandwidth.com
   www.php-monster.com
   www.global-cancer-research.com

A DNS lookup of each of those web sites returns the IP address 69.72.141.154. "wget -S 69.72.141.154" reveals that it is running Apache 1.3.31. A WHOIS lookup of the web server IP address shows that the web server is in Parsippany, NJ. A WHOIS lookup of all of these sites show they are registered to Oi, Inc., via the Go-Daddy registrar.

Opinion: As each of these sites has the same bland front-end with no links (other than Google Ads), I believe that this may be an attempt to defraud Google's Ad Sense program. (I will send a copy of this post to Google.)

A WHOIS lookup of any of the domains returns the same corporate info:

  Registrant:
    oi,inc.
    P.O.BOX 22036
    Nashville, Tennessee 37202
    United States
 
  Registered through: GoDaddy.com
    Domain Name: GLOBAL-CANCER-RESEARCH.COM
    Created on: 29-Jul-04
    Expires on: 29-Jul-05
    Last Updated on: 04-Aug-04

  Administrative Contact:
    Domains, Admin open_view@yahoo.com
    oi,inc.
    P.O.BOX 22036
    Nashville, Tennessee 37202
    United States
    6153610280  Fax --

  Technical Contact:
    Domains, Admin open_view@yahoo.com
    oi,inc.
    P.O.BOX 22036
    Nashville, Tennessee 37202
    United States
    6153610280  Fax --

  Domain servers in listed order:
    NS1.OPENVIEWINC.COM
    NS2.OPENVIEWINC.COM

A short Google search on the postal address brings back:

   http://www.openviewinc.com/contact.html
shows the corporate info as:
   O P E N V I E W INTERNATIONAL, INC.

   TEL: 615.360.1010   FAX: 615.361.0280

   E-MAIL: info@openviewinc.com

   MAIL DELIVERY:
   DOWNTOWN
   P.O.BOX 22036
   NASHVILLE, TN 37202
   USA

According to the immediate above, anyone calling the phone number used to register the domains will get an ear-full of carrier tone from the company fax machine. However, a Google lookup on (615) 360-1010 returns to "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr, Nashville, TN 37217".

A DNS lookup of the name server for each of these sites reveals the DNS servers ns1.openviewinc.com and ns2.openviewinc.com. The IP address for ns1.openviewinc.com is 69.72.141.153. The IP address for ns2.openviewinc.com is 69.72.141.154.

Note that the www.openviewinc.com website and the mailserver for the openviewinc.com domain is also 69.72.141.153. Telneting to port 25 at that IP address returns:

   Trying 69.72.141.153...
   Connected to 69.72.141.153.
   Escape character is '^]'.
   220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
   220-We do not authorize the use of this system to transport unsolicited,
   220 and/or bulk e-mail.
   quit
   221 ottawa.nshoster.com closing connection
   Connection closed by foreign host.

No spam allowed. That's almost funny.

An interesting bit of information is revealed by performing a WHOIS lookup on those IP addresses. Seems both of them are part of a network owned by Care Initiatives, Iowa's (according to CI's website) largest senior care provider.

Remember the site sending the referer spam is 63.227.76.25? A WHOIS lookup shows that it too belongs to Care Initiative in West Des Moines.

Getting back to Mr. Jackson. A Yahoo search for "jeremy jackson nashville" returns a link (http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View Trading with the following contact information:

   Contact:

   Jeremy Jackson
   Owner
   Open View Trading
   P.O.Box 22036
   Nashville, TN 37202
   U.S.A.
   Tel: 615/360-1010 Fax: 615/360-1133

Hey, that's the same phone number but it's a different fax number. Same P.O. Box too.

Further Google and Yahoo searches for "jeremy jackson" and "openview" or "nashville" reveal that he has a healthy gaming habit (FPS's) too.

So, to sum it all up, we have a gamer in Nashville, running what might be a shady online business which isn't registered anywhere (possibly Canada?), uses a web site in New Jersey which is registered via a yahoo e-mail address through a registrar that is reluctant to provide information (GoDaddy), has another e-mail account and dns server at a non-profit senior care facility in Iowa whose SMTP banner prohibits spam, uses his home phone for his business(es) and likes to referer spam my site.

Hope the rest of you enjoyed this at least as much as I did.

Jeremy, cut it the F**K out.

joat: 00:02:52 22 Aug 2004


Sat, 21 Aug 2004

This isn't helping 21 Aug
Here's a really bad article that showed up in HITB, which came from eBCVG, which came from WebProNews, which supposedly came from ArticleCity.com (a link I cannot get to come up).

What's wrong with the article? How about:

  • the $25 card probably won't work as the cheap ones don't "do" RFMON
  • the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
  • The SSID is not constantly transmitted and computers don't care about it. The SSID is periodically beaconed and wireless NIC cards use it to negotiate connections to specific networks.
  • It's Kismet, not Cismet
  • I don't get why the GPS receiver records only the coordinates of the strong signal.
  • The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
  • I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
  • Don't broadcast your SSID? This one gets old. Previous guidelines recommended that you turn off SSID beaconing. It's been proven that this action only delays SSID detection for a few seconds as the SSID is included as part of Layer 2 management frames. The author seems to be aware of this but mucks up the explanation anyways.
  • How did factory default passwords for routers get into this? Do I need to buy a router too?
  • EAP is not encryption. EAP is an authentication protocol which uses encryption.
  • WEP encryption is not bypassed, it is broken via AirSnort (i.e., the shared key is extracted).
  • MAC spoofing does NOT take time. Manually spoofing a MAC address for an extremely bad typist only takes a few seconds.
  • Password protecting MS file shares is pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?).
  • Breaking WEP does not take days so the seconds to days/weeks-next-to-your-network comment is garbage.

The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:

  • Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
  • Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
  • Use MAC address filtering. It causes the attacker to execute one more command than before.
  • Turn off the d*mn access point when you're not using it.

That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next door neighbor's wide open network.

If you're willing to spend the extra money, you can also:

  • use third-party layer 2 encryption
  • use wireless intrusion detection
  • periodically scan for rogue access points and clients
  • or even better, put CAT-5 cabling in the walls

It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).
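The "wireless intrusion detection" and "scan for rogue access points" items above, as an added example that is not part of the original post: a parser for 802.11 beacon frames that flags BSSIDs not on an allow-list and networks beaconing with the privacy (WEP) bit clear. The beacon frames and the allow-list are constructed in the script; capturing real beacons needs a card in RFMON mode, which is outside this example.

```python
"""Flag unknown or unencrypted access points from 802.11 beacon frames."""
import struct

FC_BEACON = 0x80        # frame control byte 0: type=management, subtype=beacon
CAP_PRIVACY = 0x0010    # capability bit: WEP (or a later cipher) is enabled
TAG_SSID, TAG_DS_PARAMS = 0, 3


def build_beacon(bssid, ssid, channel, privacy):
    """Construct a minimal beacon frame (sample input, not a real capture)."""
    bssid_bytes = bytes.fromhex(bssid.replace(":", ""))
    # FC, duration, DA=broadcast, SA=BSSID, BSSID, sequence control (24 bytes)
    hdr = bytes([FC_BEACON, 0, 0, 0]) + b"\xff" * 6 + bssid_bytes * 2 + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit, plus privacy
    fixed = struct.pack("<QHH", 0, 100, cap)          # timestamp, interval, cap
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    ds_ie = bytes([TAG_DS_PARAMS, 1, channel])
    return hdr + fixed + ssid_ie + ds_ie


def parse_beacon(frame):
    """Return {bssid, ssid, channel, privacy}, or None if not a beacon."""
    if len(frame) < 36 or frame[0] != FC_BEACON:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": bssid, "ssid": "", "channel": None,
            "privacy": bool(cap & CAP_PRIVACY)}
    pos = 36   # tagged parameters start after the 12-byte fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break   # truncated element: stop instead of mis-parsing
        if tag == TAG_SSID:
            # A "hidden" SSID is just a zero-length or NUL-filled element here.
            info["ssid"] = value.decode("utf-8", "replace").strip("\x00")
        elif tag == TAG_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def check_beacons(frames, known_aps):
    """known_aps maps BSSID -> expected SSID.  Returns a list of findings."""
    findings = []
    for frame in frames:
        info = parse_beacon(frame)
        if info is None:
            continue
        label = f"{info['bssid']} ssid={info['ssid']!r} ch={info['channel']}"
        if info["bssid"] not in known_aps:
            findings.append(f"ROGUE: unknown AP {label}")
        elif info["ssid"] and info["ssid"] != known_aps[info["bssid"]]:
            findings.append(f"MISMATCH: known BSSID with unexpected SSID {label}")
        if not info["privacy"]:
            findings.append(f"OPEN: no WEP/encryption on {label}")
    return findings


# Constructed allow-list and sample frames.
KNOWN_APS = {"00:11:22:33:44:55": "homenet"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "homenet", 6, privacy=True),    # ours
    build_beacon("66:77:88:99:aa:bb", "linksys", 11, privacy=False),  # default-config neighbour
    build_beacon("cc:dd:ee:ff:00:11", "", 1, privacy=True),           # hidden SSID, unknown
]

if __name__ == "__main__":
    for finding in check_beacons(SAMPLE_FRAMES, KNOWN_APS):
        print(finding)
```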

joat: 13:30:00 21 Aug 2004


sudo patent 21 Aug
My guess is that this is important because Longhorn has a shell, something that the *nix world has had for years but MS users are only now receiving. This is good for MS users but has the possibility to become a really bad PR issue if MS is going to start patenting features that have prior art going back two decades. Next we're going to see patents on cron, at, and history?

joat: 13:30:00 21 Aug 2004


iAppliance Standards 21 Aug
Here's a really good list of standards that relate to network-aware appliances.

joat: 13:00:00 21 Aug 2004


BHO Analysis 21 Aug
LURHQ has posted an analysis of the problem with IE browser helper objects (BHOs).

joat: 13:00:00 21 Aug 2004


Chroot 21 Aug
Not sure if I've blogged this yet but it's still in my clippings folder so here goes...

NetSec has a pointer to a "Chrooting Unix Services Guide" which discusses basic theory and configuration.

joat: 12:00:00 21 Aug 2004


Fri, 20 Aug 2004

LADS 20 Aug
F-Secure has a quick piece on alternate data streams (ADS) and a note that SP2 changes it slightly (was this ever a good idea, even for NTFS?). Also described is a freeware tool called LADS which will List the ADSs.

joat: 14:00:00 20 Aug 2004


New entries in wiki 20 Aug

joat: 13:33:24 20 Aug 2004


Graffiti bike 20 Aug
Interesting use of technology but I think he's forgetting about Layer 8. Bet he gets arrested for defacing public property or some such within the first ten minutes.

joat: 13:30:00 20 Aug 2004


Liu Die Yu 20 Aug
Liu Die Yu's homepage: lots of good info on browser vulnerabilities.

joat: 13:00:00 20 Aug 2004


Zindos Analysis 20 Aug
LURHQ has posted an analysis of the Zindos worm.

joat: 12:30:00 20 Aug 2004


Thu, 19 Aug 2004

Thank you Dana! 19 Aug
Those of us that "do" security owe Dana some free beer for the work he's done in the past week to make our lives easier.

joat: 15:00:00 19 Aug 2004


Intro to NetFlow 19 Aug
Security Focus has an article entitled "Detecting Worms and Abnormal Activities with NetFlow".

You'll hear me harp about this over and over if you follow this blog: if you're responsible for a network, you need to know what "normal" "looks" like so that you can recognize "abnormal". This is a good tool to have.

joat: 13:30:00 19 Aug 2004


Holy Crap! 19 Aug
Uh, reasons you might not want to install SP2 just yet --> the following may not work:
  • Citrix
  • ArcServ
  • eTrust
  • F-Secure
  • Installshield
  • Quicken
  • McAfee
  • MS Office
  • MS Outlook
  • Norton
  • PCAnywhere
  • Symantec
  • Reflection
  • ZoneAlarm
  • and most of the IMs.

The main list (from Microsoft) is here. Really "not good".

joat: 13:00:00 19 Aug 2004


Executable stegs? 19 Aug
Here's a /. post pointing to Hydan, a steganography tool which allows you to hide data within an executable. This was bound to happen eventually, being yet another part of your system with slack space.

Also, this is another one of those tools that can be used for good (watermarks) or evil (hidden data). It may not measure up to other steganography methods. If you have readily available "good" copies of binaries to compare against a steg'd version, simple MD5 checksums should be able to detect modified versions.
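The checksum comparison suggested above, as an added example that is not part of the original post or of Hydan: a known-good hash baseline of a directory tree is taken, the tree is tampered with (one binary modified in place without changing its size, one removed, one added), and the two baselines are diffed. It hashes with SHA-256 as well as MD5, since the "broken hashes" panic noted earlier on this page is the reason not to rely on MD5 alone; the files are constructed stand-ins in a temporary directory.

```python
"""Detect modified binaries by comparing against a known-good hash baseline."""
import hashlib
import os
import tempfile


def hash_file(path, algos=("md5", "sha256")):
    """Return {algo: hexdigest} for one file, reading it in chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_baseline(root):
    """Walk root and return {relative_path: {algo: digest}} ('/' separated)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baseline(old, new):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, sorted."""
    modified = [p for p in old if p in new and old[p] != new[p]]
    return {
        "modified": sorted(modified),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo():
    """Build a tree, take a baseline, tamper with it, and diff the two."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"\x7fELF" + name.encode() * 64)   # constructed stand-in
        before = build_baseline(root)
        # A Hydan-style change swaps instruction encodings in place, so the
        # file size stays the same; overwrite a few bytes to mimic that.
        with open(os.path.join(bindir, "ps"), "r+b") as fh:
            fh.seek(40)
            fh.write(b"\x90\x90\x90\x90")
        os.remove(os.path.join(bindir, "netstat"))            # a removed tool
        with open(os.path.join(bindir, "kmod"), "wb") as fh:  # an added file
            fh.write(b"\x7fELFkmod")
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A size or mtime check would miss the in-place change; the hash comparison catches it along with the added and removed files.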

joat: 12:30:00 19 Aug 2004


Don't do it 19