Thu, 30 Sep 2004
Two people that I'm in awe of: Derek Jeter for his post 9/11 work and
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.
joat: 13:00:00 30 Sep 2004

CastleCops has an article entitled "Phishing, Fraud and Other Dastardly Deeds, Part 1".
joat: 12:30:00 30 Sep 2004

Security Focus has a multi-part series on "Detecting Worms and Abnormal
Activities with NetFlow": part 1, part 2.
joat: 12:00:00 30 Sep 2004

I've turned off the referer vanity for a bit. I'm taking a beating from
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.
joat: 11:45:00 30 Sep 2004

A working version of the JPEG buffer overflow was demo'd in class last
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective. Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda. What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port. So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was that XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat. But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool. To give proper credit, very little of
the above is my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo. As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures. Let me add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLLs detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs. Oh, and one last thing:
"Good luck! You're on your own!"
joat: 11:30:00 30 Sep 2004
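An added example of the "detect the exploit rather than the exploitation" approach the post above recommends; this is my code, not anything from the post, from SANS or from Microsoft. It is a header-only JPEG segment walker that flags a comment (COM) segment whose length field is below the 2-byte minimum. That a JPEG segment length counts itself (so can never legitimately be 0 or 1), and that a COM segment declaring such a length is the malformed input the GDI+ decoder mishandled, is my understanding of the bug rather than something stated in the post. The sample files are constructed inline so the script runs offline.

```python
"""Header-only JPEG segment walker that flags a malformed comment (COM)
segment length, the condition the GDI+ JPEG bug discussed above hinges on.

Added example; not code from the post and not the SANS or Microsoft
detector. Assumption (my understanding of the bug, not stated in the post):
a JPEG segment's 2-byte length field counts itself, so a legitimate value is
never below 2, and a COM segment declaring 0 or 1 is what the vulnerable
decoder mishandled. Sample files below are constructed here, not real ones.
"""
import struct
import sys

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, SOI, EOI and RST0..RST7
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (marker, declared_length, offset) for each header segment.

    Stops at SOS (entropy-coded data follows) or EOI. declared_length is
    None for standalone markers; offset points at the marker's 0xFF byte.
    Raises ValueError on structural problems such as truncation.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, None, pos - 2
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field for marker 0x%02X" % marker)
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield marker, length, pos - 2
        if marker == SOS or length < 2:
            return  # scan data follows, or the length cannot be trusted to advance
        pos += length


def check_jpeg(data):
    """Return a list of findings; an empty list means no malformed lengths seen."""
    findings = []
    try:
        for marker, length, offset in walk_segments(data):
            if length is not None and length < 2:
                name = "COM" if marker == COM else "0x%02X" % marker
                findings.append("%s segment at offset %d declares length %d (< 2)"
                                % (name, offset, length))
    except ValueError as exc:
        findings.append("parse error: %s" % exc)
    return findings


# Constructed samples: a well-formed header with a 5-byte comment, a header
# whose COM segment declares length 0, and a file cut off inside the length field.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
BAD_COM_JPEG = b"\xff\xd8\xff\xfe\x00\x00\xff\xd9"
TRUNCATED_JPEG = b"\xff\xd8\xff\xfe\x00"

if __name__ == "__main__":
    # Usage: python jpeg_com_check.py file.jpg [...]; no arguments runs the samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("GOOD_JPEG", GOOD_JPEG), ("BAD_COM_JPEG", BAD_COM_JPEG),
        ("TRUNCATED_JPEG", TRUNCATED_JPEG)]
    for name, blob in inputs:
        print(name, "->", check_jpeg(blob) or ["ok"])
```

The walker stops at SOS because everything after it is entropy-coded data rather than length-prefixed segments, and it stops as soon as it meets a length below 2 because that value cannot be used to advance safely; both cases are reported rather than guessed at. A network signature keyed on the same marker and length bytes is the wire-side equivalent of what the post calls watching for the exploit coming in, and like this check it sees only the malformed header, not whatever payload follows it.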

Wed, 29 Sep 2004

joat: 13:00:00 29 Sep 2004

LURHQ has a good commentary on the JPEG trojan that has some of the media upset. Many had first run with the initial story of it being a virus. It's not. It's a trojan. In other news, K-Otik has also posted an all-in-one version of the exploit.
joat: 12:45:00 29 Sep 2004

Here's a paper on "The Social Engineering of Internet Fraud".
joat: 12:30:00 29 Sep 2004

Here's a discussion of how to
cut connections using various methods on a Linux-based firewall.
joat: 12:00:00 29 Sep 2004

Tue, 28 Sep 2004

/. has an announcement about Evolution 2.0 being released. Since I already use SA, including it in the MUA may be redundant but I'd like to see what they're doing with it.
joat: 23:30:00 28 Sep 2004

Abe Usher (Sharp Ideas) has an
interesting post about
Graphviz that I'm probably going to need in the near future.
joat: 12:30:00 28 Sep 2004

Mon, 27 Sep 2004

The following links are going to be valuable in the near future as a
friend is having to deal with an infection: Also of interest is: DoxDesk Parasites
joat: 13:30:00 27 Sep 2004

Abe Usher (Sharp Ideas) has
glued together an AIM-based NMap
bot. This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out". Nice
tool if it's yours, nasty if it "belongs" to someone else.
joat: 13:00:00 27 Sep 2004

Here's a good article about the open source programs that are moving/showing up in the wireless arena.
joat: 12:30:00 27 Sep 2004

The House of Representatives recently passed a bill which would add
penalties for using false information for WHOIS records. (see Slashdot
article). This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records. The current practice is to use a pseudonym for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
it's BS.
joat: 12:00:00 27 Sep 2004

Sun, 26 Sep 2004

Found a blog for the upcoming Chaos Communication Congress. The blog is
here. The RSS feed is here. The wiki
is here.
Links to the previous three Congresses are here.
joat: 14:00:00 26 Sep 2004

Wait a minute! Are you telling me that people hook their copiers
directly to the Internet? Without the benefit of a firewall? And then
they're surprised when Google finds them?!?
joat: 13:00:00 26 Sep 2004

Interesting use of
technology. Hopefully it won't be considered an income stream.
Wonder how hard it'd be to configure an AP and street clients (iPaq's
owned by the audience) for multicast. It'd definitely change the
experience.
joat: 12:30:00 26 Sep 2004

Phil Libin (Vastly Important Notes) has a pointer to a "gotta have" plugin for Firefox and IE: SpoofStick, which alerts you to the fact that you're visiting a spoofed web site. Wonder how long before someone writes a version for non-MS browsers. (Hint! Hint!)
joat: 12:30:00 26 Sep 2004

Sat, 25 Sep 2004

This is the sort of thing that always amazes me, when people can entertain themselves and others by creating art by combining technology and humans. It was art in that people thought it was fake, entertaining because of people's reactions to it. Without those reactions, it's just a phone booth. Next year something will probably have to change as people will expect it to be there.
joat: 15:00:00 25 Sep 2004

California law now bans
anonymous file sharing. How long before someone applies the law to
anything you can download from a website via a single-click or, for that
matter, figures out that visiting a website via a proxy constitutes
anonymous file sharing. This has the capability of getting really ugly
before it gets better.
joat: 12:30:00 25 Sep 2004

Here's a howto to
quickly make your web server available via IPv6 while you figure out how
to add IPv6 to the server itself. In other words, a reverse proxy with
IPv6 on one side, IPv4 on the other.
joat: 12:30:00 25 Sep 2004

Fri, 24 Sep 2004

joat: 12:30:00 24 Sep 2004

I agree with David Berlind (ZDNet article). Even if you don't officially allow "wireless" in your network, you still need to periodically scan for it. Given the extremely cheap availability of access points, you need to periodically check that one of your users hasn't added something to your network.
joat: 12:00:00 24 Sep 2004

Also, SANS has provided some Snort rules to
detect the JPEG bug.
joat: 11:45:00 24 Sep 2004

SANS has a scanner
available so that you can check your systems for the JPEG bug.
joat: 11:30:00 24 Sep 2004

Thu, 23 Sep 2004

joat: 22:50:00 23 Sep 2004

Same day this comes
out, I get laid off. Seems my salary came from a non-standard source
who needed the money for other things so blogging may get a little
spotty as I devote my time to looking for equivalent work. Such is a
contractor's life though...
joat: 22:45:00 23 Sep 2004

Brightly
colored thumb drive around neck, cell phone on belt, trendy slogan
on t-shirt, Dockers --> likely poser. Cell phone and 2 USBs in
pocket, other pocket also lumpy, comfortable (possibly faded) shirt and
jeans, spiral notepad sticking out of back pocket, ratty sneakers and
bad haircut --> true network geek. WTF is techno-cognoscenti?
joat: 22:00:00 23 Sep 2004

Here is version 2.0 of the User's Guide for Ethereal 0.10.5.
joat: 12:30:00 23 Sep 2004

joat: 12:00:00 23 Sep 2004

Wed, 22 Sep 2004

Has anyone been able to duplicate this
method of tunneling data via echo request/reply?
joat: 14:00:00 22 Sep 2004

I cannot vouch for the quality/accuracy (still no free time), but here's an online guide
entitled "Penetration Testing".
joat: 13:30:00 22 Sep 2004

Here's a semi-long piece
on fighting spyware, featuring the four biggies (Ad-aware, Spybot S&D,
CWShredder, and HijackThis) along with a set of pointers to other tools.
joat: 13:00:00 22 Sep 2004

Here's a really
good article discussing comment spam and the various methods you can use
to fight it.
joat: 12:30:00 22 Sep 2004

Tue, 21 Sep 2004

Liudvikas has
pointed it out previously but Sysinternals is a
good site for tools to monitor what's going on in your machine.
joat: 23:30:00 21 Sep 2004

Here's
a good "behind the scenes" article about the Internet Storm Center.
joat: 13:30:00 21 Sep 2004

Here's
a May Unix Review article which
discusses the value of running two instances of Snort: one tuned to
protect your service(s), the other with most, if not all, rules turned
on to see what's "floating around" on the Internet.
joat: 12:30:00 21 Sep 2004

Hmm... This has some
interesting entertainment, security and law enforcement applications.
joat: 12:00:00 21 Sep 2004

Mon, 20 Sep 2004

This site is a very
good compilation of the security problems involved with 802.11 wireless.
joat: 13:00:00 20 Sep 2004

Here's a PowerPoint presentation which discusses inadvertent disclosure of information and lists numerous publicly available sources of information. (via NetSec)
joat: 12:00:00 20 Sep 2004

Sun, 19 Sep 2004

NetSec has a pointer to the Google Hacking Guide from johnny.ihackstuff. Actually, it's a how-to for using Google to find vulnerabilities. If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.
joat: 14:20:00 19 Sep 2004

joat: 14:00:00 19 Sep 2004

David Coursey has a two-part column on computer forensics over on eWeek: part 1,
part
2.
joat: 13:30:00 19 Sep 2004

Here's a good Linux Exposed article describing the make-up of what makes Ethernet what it is: 802.3. (This is also what gets swapped out with 802.11 when you work with wireless.)
joat: 12:00:00 19 Sep 2004

Sat, 18 Sep 2004

Linux Exposed has a good article about attacks on *nix systems which is basically a good description of the various types of attacks against any system.
joat: 12:30:00 18 Sep 2004

Security Musings pointed this one out: if you're going to post
redacted Word files in a public forum, make sure you've scrubbed them first.
joat: 12:00:00 18 Sep 2004

Fri, 17 Sep 2004

Anyone know if anything ever came from the acoustic
cryptanalysis project from last year?
joat: 12:30:00 17 Sep 2004

My current cell phone is pushing three years old (cannot hold a charge
very long) and a new one is on my holiday wish list. Regardless of all
the problems with Bluetooth, it's a functionality that my coworkers
cannot live without, and one that I'm envious of. And, of course, there
are other uses that the manufacturers didn't intend.
joat: 12:00:00 17 Sep 2004

Thu, 16 Sep 2004

From NetSec comes a pointer to
an article about Near Field Communications which describes communication at very short distances, touting it as a security feature. I don't know about you but I can already think of a way around this "feature": antennas hidden under the table or in nearby innocuous-looking objects.
joat: 13:30:00 16 Sep 2004

joat: 13:00:00 16 Sep 2004

If you have anything to do with network administration and/or security,
you have to be well grounded in DNS theory. It's the service that
most everything else on the Internet depends on. It's also the source
of many of your network problems, intentional or otherwise. Here's a paper by Gideon T. Rasmussen which discusses basic troubleshooting steps. It's a bit CyberGuard-centric but does give you an idea for starting points for troubleshooting problems.
joat: 12:00:00 16 Sep 2004

I don't like the approach but this
paper contributes to the ongoing discussion (religious war?)
involving full disclosure.
joat: 12:00:00 16 Sep 2004

Wed, 15 Sep 2004

I agree with Axel that
it's not a failure of information security but that of people
when it comes to our current problems. I also agree that the thought
that security is mainly a technical problem, although popular within the
marketing realm, is a misleading one.
However, I dislike the view of a company's maturation. The quality of
any company's security depends on the quality (you can say "whim") of
the people within that company. A company's security "maturity" is
measured by how well its policies are accepted, practiced and enforced.
Unfortunately, it's not a progressive process. Any change (in finances,
employees, management, politics, love life, business model) has the
ability to massively affect the quality of an organization's overall
security.
joat: 13:00:00 15 Sep 2004

Here's a NIST Guide entitled "Security Considerations for Voice Over IP Systems".
joat: 12:00:00 15 Sep 2004

Tue, 14 Sep 2004

Doug Simpson has some good pointers
to IP Law primers.
joat: 13:00:00 14 Sep 2004

Here's a Naval
Postgraduate School thesis entitled "Using the Bootstrap Concept to
Build an Adaptable and Compact Subversion Artifice" by Lindsey Lack
which discusses the concept of an adaptable subversion artifice (a trap
door). It's a very interesting read and a bit scary if you consider
that we have to trust our closed-system vendors not to have included
something like this. Six lines of code?
joat: 12:30:00 14 Sep 2004

Back in the days when the term "hacker" denoted someone fascinated with
how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.
joat: 12:00:00 14 Sep 2004

Mon, 13 Sep 2004

Security Focus has a good article entitled
"Malware Analysis for Administrators". Sometimes you're it,
having to figure out what a miscreant piece of code does, having to
build/suggest countermeasures to minimize the damage of an outbreak.
joat: 13:00:00 13 Sep 2004

I'm not sure of the value (due to the size) but here's a paper on detecting sniffers in your network. It should at least give you some ideas to work from.
joat: 12:30:00 13 Sep 2004

Here's a
SANS paper discussing various features in IPTables.
joat: 12:00:00 13 Sep 2004

Sun, 12 Sep 2004

Security Focus has posted part 2 of their
series on the Metasploit framework.
joat: 13:00:00 12 Sep 2004