Tue, 31 Aug 2004

All of a sudden I have 10 concurrent readers and 32 referrals from a Google search for "joatblog". Anyone know something I don't?

joat: 23:00:00 31 Aug 2004

Wired has another article about the Graffiti Bike guy. Hmm... Using his lawyer's logic, it's okay to TP the town hall if I call it "art" or "freedom of speech"? Hey, it's biodegradable and eventually washes away.

joat: 15:00:00 31 Aug 2004

The comment spam from suspicious-looking Blogspot (Blogger.com) sites is getting out of hand. It's starting to look like filtering the entire domain is the only option, something I'm reluctant to do as there are quite a few legitimate sites that are worthwhile to log. Maybe I should drop the vanity function altogether?

joat: 13:30:00 31 Aug 2004

This is one of the reasons why you spend a week or so slicking, reinstalling and locking down your laptop before you go to Defcon and re-slick it once you're done. It's also one of the reasons why you go to Defcon. Hilarious! Yeah, I know, it was only data injection but there are other, more evil things lurking out there. I wonder if anyone was able to figure it out without help.

joat: 13:00:00 31 Aug 2004

More evidence that there are more forehead bruises in my future. Admittedly, there are some books on there that I'd probably never read and a few that shouldn't be in the hands of anyone in elementary or middle school, but I've read a lot of those books, many in middle or high school.

joat: 12:30:00 31 Aug 2004

Here's a paper on detecting MAC address spoofing in a wireless environment.

joat: 12:00:00 31 Aug 2004

Mon, 30 Aug 2004

Here's the online version of Mr. Stevens's book.

joat: 13:30:00 30 Aug 2004

I was wondering how long it would take before someone would sue MS for their newest round of marketing practices. From /. comes news that various local governments in California are suing over MS's use of predatory pricing practices. I can see their point; I'd be ticked too if I spent $200 for XP and my next-door neighbor got it for $50 'cause he'd stated that he was considering switching to *nix. The problem is going to be the punishment, though. Do you think fining a company $100 million is going to hurt when they've profited $500 million? I wouldn't be surprised if it's written off as an operating expense at some point.

joat: 13:30:00 30 Aug 2004

Even though WEP attack tools continue to be written, if it's all you have, you should still use it. It at least prevents the spread of infection from nearby systems that are not part of the network and adds one more step to an attacker's work.

joat: 13:30:00 30 Aug 2004

This one really irks me. Since when does information concerning a housing association constitute public information? Yes, any member of the organization should be able to examine the records, but the organization is funded by member dues, not "public money". I also dislike the Community Council's reaction as it sets a troublesome precedent that is going to require someone going to court to reverse. Given that just about every housing association in the U.S. has a lawyer on retainer, I think Mar Vista Community should fire theirs.

joat: 13:00:00 30 Aug 2004

This is hilarious, especially the part where the telemarketer is uncooperative.

joat: 12:00:00 30 Aug 2004

Sun, 29 Aug 2004

It looks like the inventor of the graffiti bike is not going to be able to protest the RNC. According to /., he was arrested during a television interview for vandalism. The IndyMedia site appears to be in the middle of a Slashdotting so I can't grab the details. Maybe later.

joat: 19:00:00 29 Aug 2004

The new version (1.1.7) of Rootkit Hunter is out. New features include: support for the ADM worm, support for MzOzD and spwn, LKM filename checks, and tests for passwordless user accounts.

joat: 16:00:00 29 Aug 2004

Just for info: one of this semester's classes is CyberLaw, so don't be surprised if things gain a bit of law-related flavor.

joat: 13:00:00 29 Aug 2004

(from /.) The US Sentencing Commission has proposed guidelines for punishment under the CAN-SPAM act.

joat: 12:30:00 29 Aug 2004

Here's a site which explains spam filtering for systems acting as mail exchangers. The subtitle is "How to reject junk mail in incoming SMTP transactions."

joat: 12:00:00 29 Aug 2004

Sat, 28 Aug 2004

Infosec Writers has a piece entitled "DoS Attacks: Instigation and Mitigation". I haven't read it yet but the promo is interesting enough.

joat: 13:00:00 28 Aug 2004

Here's a PacketFactory paper discussing how a network intrusion spreads. This is one of the papers being used in a class last week that I took last year. The classroom is packed, preventing anyone (like myself) from auditing or otherwise crashing the class. [**SNIFF**] Actually, Rob is also using the paper to teach defenses in the same manner.

joat: 13:00:00 28 Aug 2004

The Honeypots Mailing List has a post announcing a new version of the Honeywall CDROM (from the Honeynet Project).

joat: 12:30:00 28 Aug 2004

Here's a site which lists hijacked IP space, bogon IPs, invalid WHOIS data, and other stuff.

joat: 12:00:00 28 Aug 2004

Fri, 27 Aug 2004

Dkgoodman and I have added a few things to the Wiki recently: Google-related sites, a format change for the Glossary, and a definition for the Cinderella Attack (courtesy of Burak Dayioglu). The listing of changes is here.

joat: 13:30:00 27 Aug 2004

WebRef has an interesting article describing the basic theory behind bots, spiders, and web crawlers.

joat: 13:00:00 27 Aug 2004

Here's a SANS paper which discusses wireless security. The author seems to have missed that Microsoft's and Cisco's versions of PEAP are not compatible, but it's still a good paper.

joat: 10:00:00 27 Aug 2004

Thu, 26 Aug 2004

This looks to be interesting to play. Probably boring to watch, though.

joat: 13:30:00 26 Aug 2004

Infosec Writers has a paper discussing the theft of passwords via browser refresh and back features, and countermeasures. It makes some assumptions about browser use and configuration but is accurate to a point. Here are some additional (user-level) guidelines to avoid this vulnerability:

- clear your history (or temporary Internet files) after each use
- turn off auto-complete if it's available
- turn off the browser's password manager
- don't use the "remember me" feature on the website
- close the browser and reboot the machine when you're done with the site

Yeah, some of those are a bit anal, but if you're worried about the data controlled by a certain website, it may be worth the trouble.

joat: 13:30:00 26 Aug 2004

Squish's DNS checker does some really heavy-duty record checking. Very useful for DNS admins.

joat: 12:30:00 26 Aug 2004

Barry Irwin has an interesting post about the recent 419legal.org hijinks.

joat: 12:00:00 26 Aug 2004

Wed, 25 Aug 2004

OMG! OMG! The Internet is going down tomorrow. The short version is that terrorists have predicted that they will take down the Internet some time tomorrow. So far, it appears to be a hoax. What if it isn't? Here are some work-aheads to minimize your withdrawal symptoms:

- Make an emergency host table of all of your favorite sites; keep it offline
- stand up your own domain server and use the host table to build zone files for those domains (i.e., declare yourself authoritative for those zones)
- make sure your IDS signatures are up-to-date
- same goes for your patches
- make sure your call tree is up-to-date
- go to the library, video or game store and borrow/rent/buy that book/video/game that you've been wanting to read/see/play.

If the world does end, you're that much ahead of the game and probably not offline altogether. If the world doesn't end, hey, you won't have much to do on Friday and will already have the entertainment for the weekend.

joat: 17:25:28 25 Aug 2004

I like that companies are installing wireless in every "downtown". The problem I have with it is that I can foresee someone standing up their own wireless network in the same area and having to hire a lawyer because the two interfere with each other. In other words, my free network will interfere with (or steal customers from) the for-pay network.

joat: 13:00:00 25 Aug 2004

This is good news in that possession of the tools of a crime is not illegal in itself. Otherwise, you'd be suspect for every sharp or blunt object in your house. It's the use of those tools which can be criminal. Before we get into that argument, I don't condone illegal file sharing. It's just that possession of certain software (port scanner, vulnerability scanner, password checker, spam filter) should not be cause for arrest. I run each of those tools on my network. I also "possess" numerous file sharing programs as part of research for network security (Nessus/NMap/Snort signatures, etc.). I just don't use them.

joat: 13:00:00 25 Aug 2004

Security Focus has a short paper entitled "Malware Analysis for Administrators" which is interesting reading. It doesn't walk you through a how-to, but it does have a good list of the tools needed and some basic theory behind the process.

joat: 12:00:00 25 Aug 2004

From HERT comes news that Hydra 4.3 is out.

joat: 11:30:00 25 Aug 2004

Tue, 24 Aug 2004

Wired has a short news piece about the latest troubles at BugMeNot, a source for throw-away registration addresses. I'm filing this under Silliness as BugMeNot is alleging "mysterious circumstances" while the previous provider is stating "server failure".

joat: 22:30:00 24 Aug 2004

I can't help thinking that dd_rescue might have other uses (but I can't think of any right off). dd was originally used for hard drive maintenance and also became a staple of many forensics people's toolkits. The trick was that you had to know what you were doing. Encase has since simplified the process and its output is challenged less and less. For you more paranoid types, this means that you should destroy even the damaged hard drives.

joat: 13:00:00 24 Aug 2004

The Register has an article in which a survey of corporate directors blames employees for virus infections. Bubbas better look in the mirror first. My first network job required that I chase viruses (this was before there were enterprise solutions). I once spent an entire day running back and forth between the department head's office and the division office because they kept re-infecting each other while I was in transit. Come to think of it, that was my first forehead bruise too.

joat: 12:30:00 24 Aug 2004

Security Focus has an interesting article which discusses the basic theory and countermeasures behind web-based session attacks.

joat: 12:00:00 24 Aug 2004

Mon, 23 Aug 2004

K-Otik has posted the source code for a brute force attack tool for SSH. It's quite a simple tool, the author having built the dictionary into the code rather than relying on external dictionary files. I still get the impression that it will be effective against those systems with poor configurations and weak passwords (there are more of them than you think). Countermeasures:

- edit the SSH config to limit who can log in via SSH (hint: root should not be one of these)
- configure your IP filters (routers, IPFW, IPTables, etc.) so that only certain IPs can connect with SSH
- consider using SKey, user-level keys, Kerberos or some other type of authentication

The idea is to turn off the default username/password authentication.

joat: 13:30:00 23 Aug 2004
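As an added illustration of the first and third countermeasures (example code, not the tool or any config from the post), here is a small Python audit that reads an sshd_config and reports the settings a dictionary attack relies on. Absent keywords are assumed to take the OpenSSH defaults of the time (root and password logins permitted), and both sample configs are constructed.

```python
"""Audit the global section of an OpenSSH sshd_config for the settings
that make a username/password brute force worthwhile.  Added example;
the two sample configs below are constructed, not taken from any real host."""
import re

# Values assumed when a keyword is absent (OpenSSH defaults of the era:
# root may log in, passwords and keyboard-interactive auth are on).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# PermitRootLogin values that do not accept a password for root.
SAFE_ROOT = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of a config.

    sshd uses the first occurrence of a keyword, accepts 'Key value' as well as
    'Key=value', and applies anything after a 'Match' line only conditionally,
    so Match blocks are skipped rather than allowed to mask the global value.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)    # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") not in SAFE_ROOT:
        findings.append("PermitRootLogin: root may log in with a password")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: password logins enabled")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication: keyboard-interactive "
                        "(usually PAM password) logins enabled")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups: unset, every local account may log in")
    return findings


# Constructed sample 1: a stock config that overrides nothing, so defaults apply.
WEAK_CONFIG = """
Port 22
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample 2: the post's countermeasures applied.  The Match block
# re-enables passwords for one account only and is ignored by the audit.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers joat admin@10.0.0.5
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```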

I would certainly buy this. I would share with three people: me (my desktop), myself (my laptop, for travel), and possibly I (any other portable device I might own). (Quick, somebody buy me an iRiver, PQI, or NeoSol portable!!)

joat: 13:00:00 23 Aug 2004

I'm putting this one on my wish list: Neal Stephenson's second book in the Baroque Cycle has been out for quite a while. Sorry to say, I'm still wading through Quicksilver, only getting time for recreational reading during lunch at work (yeah, that's me in the McDonald's parking lot).

joat: 12:00:00 23 Aug 2004

Sun, 22 Aug 2004

I've installed a couple of new Blosxom plugins and learned how to add name anchors to the Wiki. The idea is that the autolink plugin would automatically link to certain entries in the wiki glossary and/or the wiki proper. I've also thrown in extra links to Google, Yahoo, and other well-known sites. All of the links in this post were automatically added by the plugin. Of course, I have to tweak the plugin (can't resist that) and then manually add the entries, but it saves typing in the long run. Let me know if I get out of hand?

joat: 19:00:00 22 Aug 2004

One of the must-haves in any network security or admin type's toolkit should be the Microsoft Port List. Barry Irwin has even provided an HTML conversion of the XLS for us non-MS users.

joat: 12:30:00 22 Aug 2004

Joy Larkin (at Confessions of a G33k) has pointed out that the NOAA has feeds for their Atlantic and Pacific forecasts.

joat: 12:15:00 22 Aug 2004

Even though they exist, I haven't had much use for bootable Linux CDs (only needed one once to rescue a Linux hard drive). However, I've needed a bootable Windows CD a number of times but didn't have it. I'm not that talented with the minutiae of Windows administration. Hopefully, this will come in handy the next time I need it. (Thanks to ryumaou at Diary of a Network Geek for the pointer.)

joat: 12:00:00 22 Aug 2004

I just love it when the spammers make it easy for me. (Warning: adult content in the last line.) My complaint centers around referer spam rather than e-mail spam. Because my site lists recent referers, I've come under "attack" from a specific IP address: 63.227.76.25. That IP address has spammed my site with links to:

www.usa-dui-research.com
www.global-medical-research.com
www.global-home-improvement.com
www.wi-fi-bandwidth.com
www.php-monster.com
www.global-cancer-research.com

A DNS lookup of each of those web sites returns the IP address 69.72.141.154. "wget -S 69.72.141.154" reveals that it is running Apache 1.3.31. A WHOIS lookup of the web server IP address shows that the web server is in Parsippany, NJ. A WHOIS lookup of all of these sites shows they are registered to Oi, Inc., via the Go-Daddy registrar.

Opinion: As each of these sites has the same bland front-end with no links (other than Google Ads), I believe that this may be an attempt to defraud Google's AdSense program. (I will send a copy of this post to Google.) A WHOIS lookup of any of the domains returns the same corporate info:

Registrant:
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
Registered through: GoDaddy.com
Domain Name: GLOBAL-CANCER-RESEARCH.COM
Created on: 29-Jul-04
Expires on: 29-Jul-05
Last Updated on: 04-Aug-04
Administrative Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --
Technical Contact:
Domains, Admin open_view@yahoo.com
oi,inc.
P.O.BOX 22036
Nashville, Tennessee 37202
United States
6153610280 Fax --
Domain servers in listed order:
NS1.OPENVIEWINC.COM
NS2.OPENVIEWINC.COM

A short Google search on the postal address brings back http://www.openviewinc.com/contact.html, which shows the corporate info as:

O P E N V I E W INTERNATIONAL, INC.
TEL: 615.360.1010 FAX: 615.361.0280
E-MAIL: info@openviewinc.com
MAIL DELIVERY:
DOWNTOWN
P.O.BOX 22036
NASHVILLE, TN 37202
USA

According to the immediately above, anyone calling the phone number used to register the domains will get an earful of carrier tone from the company fax machine. However, a Google lookup on (615) 360-1010 returns "Jeremy Jackson - (615) 360-1010 - 1306 Massman Dr, Nashville, TN 37217". A DNS lookup of the name server for each of these sites reveals the DNS servers ns1.openviewinc.com and ns2.openviewinc.com. The IP address for ns1.openviewinc.com is 69.72.141.153. The IP address for ns2.openviewinc.com is 69.72.141.154. Note that the www.openviewinc.com website and the mail server for the openviewinc.com domain are also 69.72.141.153. Telnetting to port 25 at that IP address returns:

Trying 69.72.141.153...
Connected to 69.72.141.153.
Escape character is '^]'.
220-ottawa.nshoster.com ESMTP Exim 4.34 #1 Sat, 21 Aug 2004 16:37:46-0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 ottawa.nshoster.com closing connection
Connection closed by foreign host.

No spam allowed. That's almost funny. An interesting bit of information is revealed by performing a WHOIS lookup on those IP addresses. Seems both of them are part of a network owned by Care Initiatives, Iowa's (according to CI's website) largest senior care provider. Remember the site sending the referer spam is 63.227.76.25? A WHOIS lookup shows that it too belongs to Care Initiatives in West Des Moines. Getting back to Mr. Jackson: a Yahoo search for "jeremy jackson nashville" returns a link (http://www.bizwiz.com/ezcommerce/openviewtrading.htm) for Open View Trading with the following contact information:

Contact:
Jeremy Jackson
Owner
Open View Trading
P.O.Box 22036
Nashville, TN 37202
U.S.A.
Tel: 615/360-1010 Fax: 615/360-1133

Hey, that's the same phone number but it's a different fax number. Same P.O. Box too. Further Google and Yahoo searches for "jeremy jackson" and "openview" or "nashville" reveal that he has a healthy gaming habit (FPSs) too. So, to sum it all up, we have a gamer in Nashville, running what might be a shady online business which isn't registered anywhere (possibly Canada?), uses a web site in New Jersey which is registered via a Yahoo e-mail address through a registrar that is reluctant to provide information (GoDaddy), has another e-mail account and DNS server at a non-profit senior care facility in Iowa whose SMTP banner prohibits spam, uses his home phone for his business(es) and likes to referer spam my site. Hope the rest of you enjoyed this at least as much as I did. Jeremy, cut it the F**K out.

joat: 00:02:52 22 Aug 2004
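The pattern in this post, one client IP rotating a handful of throw-away referer hosts against the front page, can be spotted in the access log before it ever reaches the "recent referers" page. The Python below is an added example, not the blog's own plugin; its combined-format log lines, hostnames and addresses are constructed. It suppresses the offending hosts individually rather than whole domains, which is the same concern raised in the 31 Aug entry about Blogspot comment spam.

```python
"""Flag referer spam in an Apache combined-format access log.
Added example (not the blog's plugin); the log lines, hostnames and
addresses are constructed from RFC 5737 / RFC 2606 reserved ranges."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one real reader, one referer spammer, one direct visit,
# and a malformed line that the parser must skip.
SAMPLE_LOG = """\
192.0.2.7 - - [21/Aug/2004:16:01:02 -0400] "GET /2004/08/21 HTTP/1.1" 200 5120 "http://www.google.com/search?q=joatblog" "Mozilla/5.0"
192.0.2.7 - - [21/Aug/2004:16:01:20 -0400] "GET /wiki/Glossary HTTP/1.1" 200 2210 "http://blog.example/2004/08/21" "Mozilla/5.0"
198.51.100.9 - - [21/Aug/2004:16:02:00 -0400] "GET / HTTP/1.1" 200 9000 "http://www.spam-a.example/" "Mozilla/4.0"
198.51.100.9 - - [21/Aug/2004:16:02:01 -0400] "GET / HTTP/1.1" 200 9000 "http://www.spam-b.example/" "Mozilla/4.0"
198.51.100.9 - - [21/Aug/2004:16:02:02 -0400] "GET / HTTP/1.1" 200 9000 "http://www.spam-c.example/" "Mozilla/4.0"
198.51.100.9 - - [21/Aug/2004:16:02:03 -0400] "GET / HTTP/1.1" 200 9000 "http://www.spam-d.example/" "Mozilla/4.0"
203.0.113.4 - - [21/Aug/2004:16:03:00 -0400] "GET /2004/08/20 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; referer_host is None when absent."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        req = rec["req"].split(" ")
        rec["path"] = req[1] if len(req) > 1 else rec["req"]
        ref = rec["referer"]
        rec["referer_host"] = urlsplit(ref).hostname if ref not in ("", "-") else None
        yield rec


def find_referer_spammers(text, min_hosts=3, max_path_ratio=0.5):
    """Return {client_ip: [referer hosts]} for clients that behave like referer spammers.

    A real reader arrives from one referer and then browses several pages.  A
    referer spammer does the opposite: it cycles many referer hosts against one
    or two URLs.  So a client is flagged when it presented at least `min_hosts`
    distinct referer hosts and requested no more than max_path_ratio * that
    many distinct paths.
    """
    hosts_by_ip = defaultdict(set)
    paths_by_ip = defaultdict(set)
    for rec in parse_log(text):
        paths_by_ip[rec["ip"]].add(rec["path"])
        if rec["referer_host"]:
            hosts_by_ip[rec["ip"]].add(rec["referer_host"])
    flagged = {}
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= min_hosts and len(paths_by_ip[ip]) <= len(hosts) * max_path_ratio:
            flagged[ip] = sorted(hosts)
    return flagged


def suppression_list(flagged):
    """Hosts to drop from a 'recent referers' page: the spammed hosts themselves,
    not their whole domains, so legitimate neighbours on a shared domain survive."""
    return sorted({host for hosts in flagged.values() for host in hosts})


if __name__ == "__main__":
    spammers = find_referer_spammers(SAMPLE_LOG)
    for ip, hosts in spammers.items():
        print(f"{ip}: {len(hosts)} referer hosts -> {', '.join(hosts)}")
    print("suppress:", suppression_list(spammers))
```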

Sat, 21 Aug 2004

Here's a really bad article that showed up in HITB, which came from eBCVG, which came from WebProNews, which supposedly came from ArticleCity.com (a link I cannot get to come up). What's wrong with the article? How about:

- the $25 card probably won't work as the cheap ones don't "do" RFMON
- the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
- The SSID is not constantly transmitted and computers don't care about it. The SSID is periodically beaconed and wireless NIC cards use it to negotiate connections to specific networks.
- It's Kismet, not Cismet
- I don't get why the GPS receiver records only the coordinates of the strong signal.
- The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
- I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL-secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
- Don't broadcast your SSID? This one gets old. Previous guidelines recommended that you turn off SSID beaconing. It's been proven that this action only delays SSID detection for a few seconds as the SSID is included as part of Layer 2 management frames. The author seems to be aware of this but mucks up the explanation anyway.
- How did factory default passwords for routers get into this? Do I need to buy a router too?
- EAP is not encryption. EAP is an authentication protocol which uses encryption.
- WEP encryption is not bypassed, it is broken via AirSnort (i.e., the shared key is extracted).
- MAC spoofing does NOT take time. Manually spoofing a MAC address takes an extremely bad typist only a few seconds.
- Password-protecting MS file shares is pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?)
- Breaking WEP does not take days, so the seconds-to-days/weeks-next-to-your-network comment is garbage.

The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:

- Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
- Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
- Use MAC address filtering. It causes the attacker to execute one more command than before.
- Turn off the d*mn access point when you're not using it.

That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next-door neighbor's wide-open network. If you're willing to spend the extra money, you can also:

- use third-party layer 2 encryption
- use wireless intrusion detection
- periodically scan for rogue access points and clients
- or even better, put CAT-5 cabling in the walls

It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).

joat: 13:30:00 21 Aug 2004

My guess is that this is important because Longhorn has a shell, something that the *nix world has had for years but MS users are only now receiving. This is good for MS users but has the possibility to become a really bad PR issue if MS is going to start patenting features that have prior art going back two decades. Next we're going to see patents on cron, at, and history?

joat: 13:30:00 21 Aug 2004

Here's a really good list of standards related to network-aware appliances.

joat: 13:00:00 21 Aug 2004

Not sure if I've blogged this yet but it's still in my clippings folder so here goes... NetSec has a pointer to a "Chrooting Unix Services Guide" which discusses basic theory and configuration.

joat: 12:00:00 21 Aug 2004

Fri, 20 Aug 2004

F-Secure has a quick piece on alternate data streams (ADS) and a note that SP2 changes it slightly (was this ever a good idea, even for NTFS?). Also described is a freeware tool called LADS which will list the ADSs.

joat: 14:00:00 20 Aug 2004

I've added the following to the wiki as part of the "Google Tricks" section. Thanks to #!/usr/bin/geek for the new pointers.

joat: 13:33:24 20 Aug 2004

Interesting use of technology, but I think he's forgetting about Layer 8. Bet he gets arrested for defacing public property or some such within the first ten minutes.

joat: 13:30:00 20 Aug 2004

Liu Die Yu's homepage: lots of good info on browser vulnerabilities.

joat: 13:00:00 20 Aug 2004

Thu, 19 Aug 2004

Those of us that "do" security owe Dana some free beer for the work he's done in the past week to make our lives easier.

joat: 15:00:00 19 Aug 2004

Security Focus has an article entitled "Detecting Worms and Abnormal Activities with NetFlow". You'll hear me harp about this over and over if you follow this blog: if you're responsible for a network, you need to know what "normal" "looks" like so that you can recognize "abnormal". This is a good tool to have.

joat: 13:30:00 19 Aug 2004

Uh, reasons you might not want to install SP2 just yet --> the following may not work:

- Citrix
- ArcServ
- eTrust
- F-Secure
- Installshield
- Quicken
- McAfee
- MS Office
- MS Outlook
- Norton
- PCAnywhere
- Symantec
- Reflection
- ZoneAlarm
- and most of the IMs

The main list (from Microsoft) is here. Really "not good".

joat: 13:00:00 19 Aug 2004

Here's a /. post pointing to Hydan, a steganography tool which allows you to hide data within an executable. This was bound to happen eventually, being yet another part of your system with slack space. Also, this is another one of those tools that can be used for good (watermarks) or evil (hidden data). It may not measure up to other steganography methods. If you have readily available "good" copies of binaries to compare against a steg'd version, simple MD5 checksums should be able to detect modified versions.

joat: 12:30:00 19 Aug 2004

Just more support for my "encrypt at layer 2 for wireless" argument. RedTeam has a pointer to a successful attack on wireless IPSec.

joat: 12:30:00 19 Aug 2004

joat: 11:30:00 19 Aug 2004

Wed, 18 Aug 2004

SecurityFocus has an interesting article on packet analysis, part one of a series. This is part of the knowledge required for your SANS GCIA certification.

joat: 13:00:00 18 Aug 2004

joat: 12:30:00 18 Aug 2004

A post to the HoneyNet mailing list led me to blogs.23.nu which is, I'm assuming, a site similar to 757.org. What makes it notable is the InfoSec-related blogs:

I've only included the English-based ones (I'm unable to read German) and some of those haven't been updated recently (but are interesting to read anyway). Also, some of the blogs are via the same person. In any case, thanks to the teenage mutant ninja hero coders for hosting all of those sites. I've added them as a separate category in my Bloglines feeds.

joat: 12:30:00 18 Aug 2004

Here's a NewsForge article about "Rootkit Hunter", an anti-rootkit tool written by Michael Boelen. Very good reading.

joat: 12:00:00 18 Aug 2004

Tue, 17 Aug 2004

Every now and then you hear about small companies being bought out for healthy sums. This one is not an exception. McAfee is buying Foundstone! One thing to keep in mind, though: one of McAfee's former names was Network Associates, the name to which acquisition was tied as a secondary nature (my opinion). Gauntlet and certain forms of PGP disappeared through that process (also my opinion).

joat: 14:00:00 17 Aug 2004

To go along with yesterday's Defense-In-Depth discussion, here's a SANS paper which contains a case study of the author's attempts to improve security at his organization via DiD.

joat: 13:35:00 17 Aug 2004

Multi-Function Devices (MFDs) have long been an issue of contention between acquisition and security types. MFDs are cheaper than component devices. They also present some interesting security problems: untested OSes, multiple paths in/out, etc. Heck, I have enough problems with single-function devices. Examples include the OS replacement for certain older HP printers which turns them into remote port scanners.

joat: 13:00:00 17 Aug 2004

I wish Tivo would provide an API for Series 2 boxes so that we could do something like this. I miss my Amiga 2000, which was modified beyond my ability to resell it when it came time to let it go. Tivo! How about just a minor API so we can modify/add non-dangerous (legal) features?

joat: 13:00:00 17 Aug 2004

Not sure if it's going to be any use to me, but here's the link to a how-to for a JavaScript textbox with an auto-complete feature.

joat: 12:00:00 17 Aug 2004

Mon, 16 Aug 2004

There's a rumor that SHA-1 has been broken (at least partially). We've been told to wait a few days to find out the truth. Also, AbusableTech seems to be offline at the moment.

joat: 23:37:00 16 Aug 2004

For those of you that were interested in the patch for Snort so that ClamAV could be used as a preprocessor, but then were frustrated because SourceForge's archive doesn't carry the attachments to the post, you can get it here.

joat: 23:00:00 16 Aug 2004

There's been recent discussion about how defense-in-depth isn't working. The new in-vogue approach is local protection. I firmly believe that this will not produce the fruit the proponents want. For proof, go search Google for what the Witty worm did. The problem with defense-in-depth was that most were too lazy to fully embrace the paradigm. Defense-in-depth was "embraced" only as far as perimeter protection (firewalls) with some internal support (virus scanner). They didn't bother with HIDS, local packet filters, tripwires, metrics monitoring, and periodic scans. Some even used minimal configurations on their perimeter firewalls.

InfoSec Writers has an article talking about the extra security that should be common sense but somehow isn't widespread. The short version is: you should be locking your perimeter filter down to the minimum required to operate. An example is the web server in your DMZ. Your premises router should allow connections to TCP port 80 on your web server and UDP port 53 on your external DNS. Your host filter (local firewall, IPFW, IPTables, etc.) should have the same configuration (of course, your web server will also want to talk to the DNS server on UDP port 53). You may want to add some sort of control channel, such as SSH (TCP port 22), but you want that type of traffic to come from one local (internal) IP address, not the Internet. Even better, move the control out-of-band: buy a console switch and use serial connections to all of your servers.

joat: 13:30:00 16 Aug 2004
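To make that perimeter rule something you can check before it reaches a router, here is an added Python model (not from the article or the post) that encodes the policy as explicit allows over a default deny, evaluates sample packets against it, flags any admin port left open to the world, and renders the same policy as iptables commands. The addresses are constructed from documentation ranges and the single management host is assumed to be 10.0.0.5.

```python
"""Model of the minimal DMZ policy: TCP/80 to the web server and UDP/53 to the
external DNS from anywhere, SSH only from one internal management host,
everything else dropped.  Added example; all addresses are constructed."""
import ipaddress
from collections import namedtuple

# src is an ip_network or None (any source); dst is a single host address.
Rule = namedtuple("Rule", "proto src dst dport")

WEB = ipaddress.ip_address("192.0.2.10")       # DMZ web server (constructed)
DNS = ipaddress.ip_address("192.0.2.53")       # external DNS (constructed)
MGMT = ipaddress.ip_network("10.0.0.5/32")     # the one internal admin host (assumed)

POLICY = [
    Rule("tcp", None, WEB, 80),    # the web service itself
    Rule("udp", None, DNS, 53),    # external DNS queries
    Rule("tcp", MGMT, WEB, 22),    # control channel, internal source only
    Rule("tcp", MGMT, DNS, 22),
]


def allowed(policy, proto, src, dst, dport):
    """Default deny: the packet passes only if some rule matches it."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return any(
        r.proto == proto and r.dst == dst and r.dport == dport
        and (r.src is None or src in r.src)
        for r in policy
    )


def world_reachable_admin_ports(policy, admin_ports=(22, 23, 3389)):
    """Rules that expose a management port to any source: the mistake the post
    warns about (SSH reachable from the Internet rather than one internal IP)."""
    return [r for r in policy if r.src is None and r.dport in admin_ports]


def iptables_lines(policy, chain="FORWARD"):
    """Render the policy as iptables commands: default DROP, then explicit allows.
    The state rule lets replies to accepted connections back through."""
    lines = [
        f"iptables -P {chain} DROP",
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        src = f" -s {r.src.with_prefixlen}" if r.src is not None else ""
        lines.append(
            f"iptables -A {chain} -p {r.proto}{src} -d {r.dst} --dport {r.dport} -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    for line in iptables_lines(POLICY):
        print(line)
    print("admin ports open to the world:", world_reachable_admin_ports(POLICY))
```

The same policy applied on the web server's own host filter (the INPUT chain) would be rendered with chain="INPUT"; outbound DNS from the web server is an OUTPUT-side rule and is not modelled here.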

SANS has a paper, entitled "The Role of IT Security in Sarbanes-Oxley Compliance", which discusses IT-centric requirements for protecting financial information. If you work in network security, this is going to become important.

joat: 13:00:00 16 Aug 2004

IBM has posted a pretty decent article discussing Live CDs.

joat: 12:00:00 16 Aug 2004

Sun, 15 Aug 2004

RootSecure has a pointer to NIST's draft version of their "Guidelines on PDA Forensics". These documents are important, but maybe not for the reason that you think. The information is available elsewhere, maybe even in a single document. What makes it important that NIST publish it is that it becomes a federal standard. The reason that this is considered "good" is that it makes legal proceedings that much easier (shorter) because you, as a forensic type talking to a judge/jury/other lawyers, don't have to prove the legitimacy of your investigative process each and every time you're in court. The short phrase to describe it: a protocol.

joat: 13:00:00 15 Aug 2004

If you have anything to do with monitoring network metrics, being able to push your data through gnuplot is a good thing to know.

joat: 12:30:00 15 Aug 2004

I love things like this, where someone figures out how to track do-badders by tweaking their own servers. Thanks to Liudvikas Bukys for the pointer.

joat: 12:30:00 15 Aug 2004

Sat, 14 Aug 2004

So far so good. The only IPs I've had to blacklist since switching to Blosxom are:

- 151.37.162.250 - a DSL dial-up in Italy
- 207.68.98.5 - a Verizon dial-up in Seneca Highlands (PA)

Shame on you two, whether you're spamming directly or have been zombied.

joat: 21:12:33 14 Aug 2004

Tao Security has a really interesting scenario concerning wireless, supporting yet another argument for encrypting or digitally signing traffic. I recommend doing it at layer 2 because I've seen layer 3 tunnels corrupted via MitM attacks (more about that later).

joat: 13:30:00 14 Aug 2004
|
|
|
|
From Geek Notes, a quick
how-to for producing pdf previews from LaTeX documents.
joat: 12:00:00 14 Aug 2004

IBM has posted an article (part 1 of a series) on the basic theory for securing Linux. It has some good links for further reading and various tools.
joat: 12:00:00 14 Aug 2004

Fri, 13 Aug 2004

This
is funny. Even funnier when you realize that you misread the title the
first time around. Thanks Dave!
joat: 23:00:00 13 Aug 2004

I've got to get one of these for work.
joat: 13:30:00 13 Aug 2004

For my own reference: Chris Samuel
has a post about OpenWRT that I want to keep track of.
joat: 13:00:00 13 Aug 2004

Robert Graham (of Network ICE fame) has a site with a lot of good
information, from tools to malicious code analysis to commentary. Visit
his site here.
joat: 12:00:00 13 Aug 2004

Thu, 12 Aug 2004

Joat, level 44 lurker, and skifter, level 44 warrior, are hot on the
trail of the evil wizard zENGER. Stott, the Green Warrior, still
follows in my footsteps, waiting for me to make a mistake.
joat: 23:45:00 12 Aug 2004

Heard it on the news and saw it blogged on SmartMobs on
the same day: Stamps.com. I can see
some geek-mileage in this one. Got root? stamps and the like.
joat: 14:53:00 12 Aug 2004

Here's a post from Fyodor, commenting on how Microsoft's SP2 intentionally breaks programs which use raw sockets, such as NMap, and on Microsoft's statement that only people writing attack tools use raw sockets. Fyodor seems puzzled that Microsoft considers NMap an attack tool. Fyodor! Think marketing vice programming! NMap, Nessus, TCPDump, Snort and Apache are probably all considered evil even though only some of them use raw sockets. Given the interdependency of the libraries, I'm willing to bet the interface hasn't totally disappeared. Rather it may have been moved, somehow obfuscated, or has obtained a wrapper or somesuch.
joat: 13:30:00 12 Aug 2004

Alec Muffet has an old pointer to a SE Linux machine which you can play with (to learn about SE Linux). There are also pointers to Debian and Gentoo boxes.
joat: 13:00:00 12 Aug 2004

Tejas Patel has a quick
pointer to BattleTorrent which promises to be easy to set up for novice users. I have little interest in MP3 trading as either I or my company paid money for them (think classes not songs) but I do have interest in those updates (Mandrake for one) which become available via BT before anything else. Also, I'd rather archive data (news and articles) rather than eating up storage space on 4 year old drives with MP3's I'll rarely listen to. Thus my novice P2P experience. Anyways, I hope that there's an easy-to-use BT flavor available the next time I want the new *nix distro.
joat: 13:00:00 12 Aug 2004

Yet another example of the dangers of making anything publicly-available
and security-thru-obscurity failing via Google: another lecture at Blackhat which shows that you can find listings of possibly vulnerable VNC servers. Definitely falls into the "this is bad" or "shoot yourself in the foot" categories. If you have anything to do with security, you should be visiting the major search engines, at least on a weekly basis, and scanning for "stuff" available via your company's domain.
joat: 12:00:00 12 Aug 2004

Wed, 11 Aug 2004

The Security
Monkey (of "A Day in the Life of a Security Investigator" fame) has
a quick piece about detecting Windows keyloggers. Interesting reading.
joat: 22:00:00 11 Aug 2004

When the object of an attack on your system is to "borrow" your
bandwidth and harddrive space, the FTP server "Serv-U" is often used
(because of its small size and its portability). To make things worse,
there are a number of vulnerabilities in that binary, resulting in
exploits such as this one, which allows the secondary attacker to gain system privileges.
joat: 12:00:00 11 Aug 2004

Here's
an interesting SANS paper on "Social Engineering".
joat: 12:00:00 11 Aug 2004

Tue, 10 Aug 2004

For those that don't know about it, here's the link for the BH Media Archives. Of interest is Paul Simmonds's presentation on De-Perimeterisation with which I totally disagree. Call me old-school but I firmly believe that adding technology, especially that without a long-term performance history, does not increase security. The presentation uses a lot of rationalizations which stretch the truth a bit. "We" do not let in port 80, that's done by people, using ISA, who are too cheap to buy a second IP address. Some of the "new" suggestions are actually from the old "moat" model, such as moving your public servers outside of the internal network. In any case, there's also quite a few other presentations archived there. You may want to download/keep copies of the ones you find interesting. The site practice is to only make files available until they're about 6 months of age.
joat: 12:30:00 10 Aug 2004

Here's an
interesting paper discussing the enhancement of physical security via
modifications to the local and semi-local environment.
joat: 12:00:00 10 Aug 2004

USSearch is a
people locating service. (via NetSec)
joat: 12:00:00 10 Aug 2004

Mon, 09 Aug 2004

InfoSec Writers has an article entitled "The Art of Rootkits" which gives some basic theory on the topic.
joat: 13:00:00 9 Aug 2004

Here's a
SANS paper entitled "Intrusion Detection on a Large Network".
It's a good paper for building and installing Snort. However, it's a
bit lacking in the data correlation side of the house (something that
you have to have to effectively monitor/protect networks of any size).
joat: 12:30:00 9 Aug 2004

Here's a
should-read SANS paper entitled "An Overview of Sarbanes-Oxley for the
Information Security Professional".
joat: 12:00:00 9 Aug 2004

Sun, 08 Aug 2004

From the Something-to-burn-up-a-few-extra-cycles-on-your-server
sub-category... zENGER
and skifter22!! I am coming for you! If I can keep stott off my butt, that is. (heh) For those that don't know, IdleRPG is an IRC game that you play by doing absolutely nothing on various IRC servers (see "Other IRPGs" link).
joat: 17:00:00 8 Aug 2004

I've swapped out PHPWiki for something that works with me better,
MediaWiki. This may not be the last one I try out but it should work
for now. You're welcome to edit/add but please read the rules on the
front page first.
joat: 14:00:00 8 Aug 2004

Ever notice that the same people who are detractors of IDS systems also
actively support "deep packet inspection" over "application proxies"?
What's the trade-off? A slight speed increase and using a "cool" new
technology vs. a slight loss of control and security (in the form of
record keeping). I'd like to see proof of that speed increase
sometime. Yes, layer 4 (OSI model) filtering is faster than layer 7
proxying but, once you start tacking layer 7 inspection onto a layer
4 packet filter, do the extra processing requirements even the
equation? In any case, TaoSecurity states the IDS
issue very nicely and describes a tool that nicely covers one of the blind spots in IDS technologies: session data.
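Session data in the sense the post means, as an added example (my code, not the tool TaoSecurity describes): packet tuples are folded into per-conversation records so that volumes, durations and connections that never got a reply are visible even when no signature fires. The packet list is constructed sample data.

```python
"""Fold packets into session (flow) records: an added example of the
"session data" the post says signature IDS misses. Not the TaoSecurity
tool the post refers to; the packets below are constructed sample data."""
from dataclasses import dataclass

# Constructed packets: (time, src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_PACKETS = [
    (1.0, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 120),
    (1.2, "192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 1500),
    (1.3, "192.0.2.10", 80, "10.0.0.5", 51000, "tcp", 1500),
    (2.0, "10.0.0.5", 51001, "192.0.2.10", 22, "tcp", 90),   # never answered
    (2.5, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp", 60),
    (9.0, "10.0.0.7", 40000, "198.51.100.3", 53, "udp", 70),
    (9.1, "198.51.100.3", 53, "10.0.0.7", 40000, "udp", 250),
]


@dataclass
class Session:
    """One conversation, keyed by the 5-tuple of the packet that opened it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    bytes_out: int = 0   # initiator -> responder
    bytes_in: int = 0    # responder -> initiator
    pkts_out: int = 0
    pkts_in: int = 0


def build_sessions(packets):
    """Group packets by 5-tuple; the reversed tuple joins the same session."""
    sessions = {}
    for ts, sip, sp, dip, dp, proto, size in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (sip, sp, dip, dp, proto), (dip, dp, sip, sp, proto)
        if rev in sessions:          # reply traffic for a session already seen
            s, outbound = sessions[rev], False
        else:                        # first packet, or more initiator traffic
            s = sessions.setdefault(fwd, Session(sip, sp, dip, dp, proto, ts, ts))
            outbound = True
        s.end = max(s.end, ts)
        if outbound:
            s.bytes_out, s.pkts_out = s.bytes_out + size, s.pkts_out + 1
        else:
            s.bytes_in, s.pkts_in = s.bytes_in + size, s.pkts_in + 1
    return list(sessions.values())


def unanswered(sessions):
    """Sessions with no reply (failed connects, scans, filtered ports): no
    signature matches anything in them, but the record itself is the evidence."""
    return [s for s in sessions if s.pkts_in == 0]
```

Feeding this real packet headers (from a sniffer or flow exporter) gives the who-talked-to-whom, how-much, how-long view that per-packet signatures never record.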
joat: 13:00:00 8 Aug 2004

Here's a
SANS paper with a decent how-to for setting up a Linux-based
Web/DNS/Mail server.
joat: 13:00:00 8 Aug 2004

Here's a
SANS paper which discusses the various possible points of failure in
Information security. A common theme seems to be "blind trust", in
certifications, in equipment, in processes, etc.
joat: 12:00:00 8 Aug 2004

Sat, 07 Aug 2004

I used to think that Wired was a cutting edge magazine for professional
geeks. Now it seems to have faded into trying to keep up with the rest
of mainstream (esp. since most of mainstream has moved online and isn't
controlled by the few). Witness the news
that you can hack bluetooth, something that was publicly known over a
year ago. Why's it suddenly news? Because Adam and Martin figured out a
way to do it over long distances. Next thing you know, they'll
discover that, with the right equipment, the guy in the van at the curb
can watch what you type into your computer.
joat: 13:30:00 7 Aug 2004

Here's a quick bit on bootable USB OSes, this one using Linux.
joat: 13:00:00 7 Aug 2004

Fri, 06 Aug 2004

Here's a
SANS paper entitled "The Art of Web Filtering". I disagree with
the author only where he states that keyword filtering is poor, at
best. My view is that it really, REALLY stinks as a tool. Also,
depending on the size of your customer base and what you're trying to
block, filtering may become an exercise in futility as you try to keep
up with your policy abusers. It's much more efficient to have an
enforceable policy and self-policing users. Public prosecution of
offenders does wonders for policy enforcement; unfortunately it may not
be a legal technique at your organization.
joat: 14:10:00 6 Aug 2004

Wow. Defcon hasn't been over for a week and already long-range kits for
Blue/War-driving are on
sale.
joat: 14:00:00 6 Aug 2004

A bunch of my friends and coworkers went to Defcon and didn't even bring
back a T-Shirt. Of more value was NetSec's posting of the presentations
(please be nice to the server; the webmaster is asking for mirrors for
A-K
and L-Z).
Look at Rob's Aug. 5th posts over on NetSec for a bunch of news about
the shootout, The Schmoo Group's upcoming conference, Meet the Fed, and
Robert Morris Sr.
/. has a pointer
to yet another review of DC12.
joat: 13:45:00 6 Aug 2004

Here's a
good SANS GSEC paper on phishing.
joat: 12:00:00 6 Aug 2004

CIRT.net is a site with various
default settings (passwords, SSIDs, ports) lists and various tools,
including Nikto, a web server scanner which can scan for thousands of
vulnerabilities.
joat: 12:00:00 6 Aug 2004

Thu, 05 Aug 2004

More skepticism that MSN's new search engine will be all that
successful: Again, I don't think
that tweaking a search engine to support a business/business model will
help in the "success" of that search engine (or the business).
joat: 14:00:00 5 Aug 2004

/. has an article
about combining port knocking with OS detection to limit access.
Seriously? Doesn't this sound like too much time on your hands?
joat: 13:30:00 5 Aug 2004

Here's a SANS paper discussing the effects of
spam in a large corporation (and some countermeasures).
joat: 12:00:00 5 Aug 2004

TerraServer is a search
engine for the US Geological Survey aerial imagery and topographic
maps. (via NetSec)
joat: 12:00:00 5 Aug 2004

Wed, 04 Aug 2004

This
could get interesting, in either the technology or legal sense.
Something to keep an eye on.
joat: 23:00:00 4 Aug 2004

AirDefense is surprised that hackers are using wired attacks via wireless?
joat: 16:00:00 4 Aug 2004

The problem with this
is that they not only cross-link their own shady blogs, they use comment
and referer spam to point to their blogs and pr0n sites.
joat: 15:00:00 4 Aug 2004

/. has a posting about Microsoft's
plans to challenge
Google. I have reservations about them being able to compete with
Google. They're using two different business models. Besides, having
your search engine affected by widespread referrer and comment spam is
one thing. Adjusting your own database to limit competitor
listings is another.
joat: 13:00:00 4 Aug 2004

"Simon, set the..." Wait, wrong machine. This one allows you to
search snapshots of the Internet as far back as 1996.
joat: 12:00:00 4 Aug 2004

Another one for my own (later) benefit: Shoutcast
Howto.
joat: 12:00:00 4 Aug 2004

Tue, 03 Aug 2004

The pre-release version of MetaSploit 2.2 is available.
joat: 22:30:00 3 Aug 2004

This is nothing! Try going to one of my family reunions where you have the choice of 14.4k over long distance or an intermittent 9.6k via PCS. Which is worse: not having it at all or having just enough to not do what you want?
joat: 22:00:00 3 Aug 2004

Barry did a good job with this except he missed one thing. Since he doesn't
allow comments, hopefully he'll see it here: Barry, do a whois on the reverse lookup (IP address) for the web site! It's in the U.S.
joat: 20:00:00 3 Aug 2004

Zone-H maintains a
database of web site defacements. This is also where some of the older
defacement archives ended up.
joat: 12:00:00 3 Aug 2004

This
one is for my own benefit. My secret cache of Logitech 3-button mice is
running seriously low. I bought a half-dozen of 'em when Logitech
decided to stop making them. I've been wearing them out at a rate of
one every 6-8 months and have been cannibalizing all of them for repair
parts. Wheel-mice piss me off and I consider Microsoft/Mac/other
two-button mice as seriously crippled. I learned Unix over a decade
ago. Middle-button paste is an ingrained reflex at this point.
joat: 12:00:00 3 Aug 2004

HITB has an article
discussing the information available via "/proc".
joat: 12:00:00 3 Aug 2004

Mon, 02 Aug 2004

I'll need this sometime
next year.
joat: 12:00:00 2 Aug 2004

Linux Magazine has a quick article
entitled "Finding Rootkits, Infections, and Files".
joat: 12:00:00 2 Aug 2004

If you're new to the field or have been around for awhile, The Linux Gazette is a very good
online newsletter to read. The format has changed over the years (since
1996, I think) but they've always had good articles. Now they even have
an RSS feed.
joat: 12:00:00 2 Aug 2004

Sun, 01 Aug 2004

(via NetSec) Here's a free Snort book entitled "Intrusion Detection Systems with Snort - Advanced IDS Techniques Using Snort, Apache, MySQL, PHP and ACID".
joat: 15:00:00 1 Aug 2004

Dan Kaminsky has presented his technique for tunneling anything over the DNS protocol at DEFCON.
joat: 14:00:00 1 Aug 2004

One of the nice things that I've gained in switching from MT to Blosxom
is the referer plugin. Picked up a new feed for Burak Dayioglu and a list of sites
to watch.
joat: 13:30:00 1 Aug 2004

This is why you
have to be very careful about the wording of laws like Mr. Hatch's
INDUCE act. I disagree with the article where it talks about law
enforcement abusing its power. Law enforcement is not at fault here,
they were doing what a judge thought the law allowed. It all goes back
to how the law is written. Unless it has very specific wording, it
will end up like the Bible: subject to interpretation. If you hear
someone screaming about a law being evil, don't just jump up on the
soapbox with him and start screaming too. Instead, read the proposed
act and make constructive comments. (Many politicians ask for
input/comments.) Also, remember that a phrase like "doing it this way may
be better in the long run" works a heck of a lot better than "your law
is a piece of sh*t".
joat: 12:30:00 1 Aug 2004

LinuxExposed has an article explaining the basic theory behind the Domain Name System (DNS) and various attacks against it. Please keep in mind that DNS poisoning is not necessarily a "bad thing"(tm). It is still the only truly scalable method of blocking objectionable web sites and mail servers. I've seen it used at sites with 50K users.
joat: 12:00:00 1 Aug 2004