| August 2007 |
|---|
| Sun |
Mon |
Tue |
Wed |
Thu |
Fri |
Sat |
| |
|
|
1 |
2 |
3 |
4 |
| 5 |
6 |
7 |
8 |
9 |
10 |
11 |
| 12 |
13 |
14 |
15 |
16 |
17 |
18 |
| 19 |
20 |
21 |
22 |
23 |
24 |
25 |
| 26 |
27 |
28 |
29 |
30 |
31 |
|
|
Recent Comments
Wiki RSS
|
Thu, 30 Sep 2004
|
|
|
Two people that I'm in awe of: Derek Jeter for his post 9/11 work and
whoever the guy is that came up with Extreme Makeover: Home Edition.
Both have touched more lives than they can ever imagine.
joat: 13:00:00 30 Sep 2004 |
|
|
|
|
CastleCops has an article
entitled " Phishing, Fraud and Other Dastardly Deeds, Part 1".
joat: 12:30:00 30 Sep 2004 |
|
|
|
|
Security Focus has a
multi-part series on " Detecting Worms and Abnormal Activities with
NetFlow": part
1, part 2.
joat: 12:00:00 30 Sep 2004 |
|
|
|
|
|
I've turned off the referer vanity for a bit. I'm taking a beating from
the Global Compass/Cyberwurx spam and need to rewrite the plugin or come
up with a way to block the source(s). The former seems like it'd be
more successful than the latter. It's a bit down on the "to do" list
though.
joat: 11:45:00 30 Sep 2004 |
|
|
|
|
A working version of the JPEG buffer overflow was demo'd in class last
night. This can possibly be a very bad thing but not in the way that
the mainstream media is twitching about it. While a worm is possible,
I don't think it's likely to be all that effective. Think about
it. The vectors aren't really right. Normally a worm exploits an
already running service. This exploit is part of a graphics
library which means a graphics-based program must run. Unless it's
combined with (or used to amplify) another exploit, we're not going to
see another Nimda. What's more likely to happen is that this (version,
at least) will deepen the relationship between the hackers and the
spammers (if there's a difference nowadays). The spammers can deliver
corrupt graphics via browser pop-ups and spam which can cause the victim
machines to offer up reverse shells on just about any port. So much
for the theoretical part. What was demo'd last night was the reverse
shell version. It wouldn't work under IE (patched possibly?) but it did
work locally via the file browser. What's worse was the XP
automatically generated a preview of the JPG so that as soon as you
opened the folder, the local machine provided a shell prompt to the
instructor's machine, running netcat. But wait! There's more!
Remember that you can configure XP to open the folder when a thumb drive
is inserted? Yep, it does. And let's not forget autorun! This makes
it a very nasty insider tool. To give proper credit, very little of
the above my own thought train. Most of it belongs to Rob and Ian. The
rest was observed and conjectured during the demo. As for
countermeasures, it's probably going to be more economical to configure
IDS systems to detect the exploit rather than the exploitation, due to
the lack of default port, IP or even graphic. Since remote delivery
vehicles will probably be limited to SMTP, HTTP, and the various
graphics-capable IM programs, it will probably be easier to watch for
the shell code coming in than the reverse shell going out. That and not
all of the exploits involve reverse shells. Hopefully we'll shortly see
both types of BleedingEdge signatures. Let add my own two cents to the
SANS vs. MS detector argument. Yes, the SANS detector triggers on a lot
more files than the MS version does but you should read the text that
comes with the SANS detector. The MS one is built for MS purposes. The
additional DLL's detected can be either additional ones that link to
non-MS programs that you've installed or they can be backups of upgraded
libraries. It's worthwhile to check what programs access those
libraries (Foundstone has some of the tools needed for this) and, if
possible, upgrade or disable the programs. Oh, and one last thing:
"Good luck! You're on your own!"
joat: 11:30:00 30 Sep 2004 |
|
|
Wed, 29 Sep 2004
|
|
|
joat: 13:00:00 29 Sep 2004 |
|
|
|
|
LURHQ has a good commentary on the JPEG trojan that has some of the media upset. Many had first run with the initial story of it being a virus. It's not. It's a trojan. In other news, K-Otik has also posted an all-in-one version of the exploit.
joat: 12:45:00 29 Sep 2004 |
|
|
|
|
Here's a paper on " The Social Engineering of Internet Fraud".
joat: 12:30:00 29 Sep 2004 |
|
|
|
|
Here's a discussion of how to
cut connections using various methods on a Linux-based firewall.
joat: 12:00:00 29 Sep 2004 |
|
|
Tue, 28 Sep 2004
|
|
/. has an announcement about Evolution 2.0 being released. Since I already use SA, including it in the MUA may be redundant but I'd like to see what they're doing with it.
joat: 23:30:00 28 Sep 2004 |
|
|
|
|
Abe Usher ( Sharp Ideas) has an
interesting post about
Graphviz that I'm probably going to need in the near future.
joat: 12:30:00 28 Sep 2004 |
|
|
Mon, 27 Sep 2004
|
|
The following links are going to be valuable in the near future as a
friend is having to deal with an infection: Also of interest is: DoxDesk Parasites
joat: 13:30:00 27 Sep 2004 |
|
|
|
|
Abe User ( Sharp Ideas) has
glued together an AIM-based NMap
bot. This sort of thing is the reason why you need to keep an eye
on the traffic that you allow in and out of your network. AIM
complicates the situation because it's one of those "tools" that can
initiate connections via multiple protocols, HTTP being one of them. If
you allow your users to surf, then AIM can probably "get out". Nice
tool if it's yours, nasty if it "belongs" to someone else.
joat: 13:00:00 27 Sep 2004 |
|
|
|
|
Here's a good article about the open source programs that are moving/showing up in the wireless arena.
joat: 12:30:00 27 Sep 2004 |
|
|
|
|
The House of Representatives recently passed a bill which would add
penalties for using false information for WHOIS records. (see Slashdot
article). This can be a good thing and a bad thing at the same
time. A good thing as it might help track down spammers and fraudsters
who fake up their WHOIS records. It's a bad thing as it will once again
expose techie inboxes to tons of spam due to addresses "borrowed" from
those same records. The current practice is to use a pseudonum for
business domains. That way when there's a phone call from a salesman
that claims he has an appointment with Bob Wackemwidahammer, you know
it's BS.
joat: 12:00:00 27 Sep 2004 |
|
|
Sun, 26 Sep 2004
|
|
Found a blog for the upcoming Chaos Communication Congress. The blog is
here. The RSS feed is here. The wiki
is here.
Links to the previous three Congresses are here.
joat: 14:00:00 26 Sep 2004 |
|
|
|
|
Wait a minute! Are you telling me that people hook their copiers
directly to the Internet? Without the benefit of a firewall? And then
they're surprised when Google finds them?!?
joat: 13:00:00 26 Sep 2004 |
|
|
|
|
Interesting use of
technology. Hopefully it won't be considered an income stream.
Wonder how hard it'd be to configure an AP and street clients (iPaq's
owned by the audience) for multicast. It'd definitely change the
experience.
joat: 12:30:00 26 Sep 2004 |
|
|
|
|
Phil Libin ( Vastly Important
Notes) has a pointer to a "gotta have" plugin for Firefox and IE: SpoofStick, which alerts you to the fact that you're visiting a spoofed web site. Wonder how long before someone writes a version for non-MS browsers. (Hint! Hint!)
joat: 12:30:00 26 Sep 2004 |
|
|
Sat, 25 Sep 2004
|
|
This is the sort of thing that always amazes me, when people can entertain themselves and others by creating art by combining technology and humans. It was art in that people thought it was fake, entertaining because of people's reactions to it. Without those reactions, it's just a phone booth. Next year something will probably have to change as people will expect it to be there.
joat: 15:00:00 25 Sep 2004 |
|
|
|
|
California law now bans
anonymous file sharing. How long before someone applies the law to
anything you can download from a website via a single-click or, for that
matter, figures out that visiting a website via a proxy constitutes
anonymous file sharing. This has the capability of getting really ugly
before it gets better.
joat: 12:30:00 25 Sep 2004 |
|
|
|
|
Here's a howto to
quickly make your web server available via IPv6 while you figure out how
to add IPv6 to the server itself. In other words, a reverse proxy with
IPv6 on one side, IPv4 on the other.
joat: 12:30:00 25 Sep 2004 |
|
|
Fri, 24 Sep 2004
|
|
|
joat: 12:30:00 24 Sep 2004 |
|
|
|
|
I agree with David Berlind (ZDNet article). Even if you don't officially allow "wireless" in your network, you still need to periodically scan for it. Given the extremely cheap availability of access points, you need to periodically check that one of your users hasn't added something to your network.
joat: 12:00:00 24 Sep 2004 |
|
|
|
|
Also, SANS has provided some Snort rules to
detect the JPEG bug.
joat: 11:45:00 24 Sep 2004 |
|
|
|
|
SANS has a scanner
available so that you can check your systems for the JPEG bug.
joat: 11:30:00 24 Sep 2004 |
|
|
Thu, 23 Sep 2004
|
|
|
joat: 22:50:00 23 Sep 2004 |
|
|
|
|
Same day this comes
out, I get laid off. Seems my salary came from a non-standard source
who needed the money for other things so blogging may get a little
spotty as I devote my time to looking for equivalent work. Such is a
contractors life though....
joat: 22:45:00 23 Sep 2004 |
|
|
|
|
Brightly
colored thumb drive around neck, cell phone on belt, trendy slogan
on t-shirt, Dockers --> likely poser Cell phone and 2 USB's in
pocket, other pocket also lumpy, comfortable (possibly faded) shirt and
jeans, spiral notepad sticking out of back pocket, ratty sneakers and
bad haircut --> true network geek. WTF is techno-congniscenti?
joat: 22:00:00 23 Sep 2004 |
|
|
|
|
Here is version 2.0 of the User's Guide for Ethereal 0.10.5.
joat: 12:30:00 23 Sep 2004 |
|
|
|
|
|
joat: 12:00:00 23 Sep 2004 |
|
|
Wed, 22 Sep 2004
|
|
Has anyone been able to duplicate this
method of tunneling data via echo request/reply?
joat: 14:00:00 22 Sep 2004 |
|
|
|
|
I cannot vouch for the quality/accuracy (still no free time), but here's an online guide
entitled " Penetration Testing".
joat: 13:30:00 22 Sep 2004 |
|
|
|
|
Here's a semi-long piece
on fighting spyware, featuring the four biggies (Ad-aware, Spybot S&D,
CWShredder, and HijackThis) along with a set of pointers to other tools.
joat: 13:00:00 22 Sep 2004 |
|
|
|
|
Here's a really
good article discussing comment spam and the various methods you can use
to fight it.
joat: 12:30:00 22 Sep 2004 |
|
|
Tue, 21 Sep 2004
|
|
Liudvikas has
pointed it out previously but Sysinternals is a
good site for tools to monitor what's going on in your machine.
joat: 23:30:00 21 Sep 2004 |
|
|
|
|
Here's
a good "behind the scenes" article about the Internet Storm Center.
joat: 13:30:00 21 Sep 2004 |
|
|
|
|
Here's
a May Unix Review article which
discusses the value of running two instances of Snort: one tuned to
protect your service(s), the other with most, if not all, rules turned
on to see what's "floating around" on the Internet.
joat: 12:30:00 21 Sep 2004 |
|
|
|
|
Hmm... This has some
interesting entertainment, security and law enforcement applications.
joat: 12:00:00 21 Sep 2004 |
|
|
Mon, 20 Sep 2004
|
|
This site is a very
good compilation of the security problems involved with 802.11 wireless.
joat: 13:00:00 20 Sep 2004 |
|
|
|
|
Here's a PowerPoint presentation which discusses inadvertent disclosure of information and lists numerous publicly available sources of information. (via NetSec)
joat: 12:00:00 20 Sep 2004 |
|
|
Sun, 19 Sep 2004
|
|
NetSec has a pointer to the Google Hacking Guide from johnny.ihackstuff. Actually, it's a how-to for using Google to find vulnerabilities. If your organization has anything online, you should be running this sort of search against your site(s) every week or so. As many security problems are caused by human error, this might help minimize the problem.
joat: 14:20:00 19 Sep 2004 |
|
|
|
|
|
joat: 14:00:00 19 Sep 2004 |
|
|
|
|
David Coursey has a two-part column on computer forensics over on eWeek: part 1,
part
2.
joat: 13:30:00 19 Sep 2004 |
|
|
|
|
Here's a good Linux Exposed article describing the make-up of what makes Ethernet what it is: 802.3. (This is also what gets swapped out with 802.11 when you work with wireless.)
joat: 12:00:00 19 Sep 2004 |
|
|
Sat, 18 Sep 2004
|
|
Linux Exposed has a good article about attacks on *nix systems which is basically a good description of the various types of attacks against any system.
joat: 12:30:00 18 Sep 2004 |
|
|
|
|
Security Musings pointed this one out: if you're going to post
redacted Word files in a public forum, make sure you've scrubbed them first.
joat: 12:00:00 18 Sep 2004 |
|
|
Fri, 17 Sep 2004
|
|
Anyone know if anything ever came from the acoustic
cryptanalysis project from last year?
joat: 12:30:00 17 Sep 2004 |
|
|
|
|
My current cell phone is pushing three years old (cannot hold a charge
very long) and a new one is on my holiday wish list. Regardless of all
the problems with Bluetooth, it's a functionality that my coworkers
cannot live without, and one that I'm envious of. And, of course, there
are other uses that the manufacturers didn't intend.
joat: 12:00:00 17 Sep 2004 |
|
|
Thu, 16 Sep 2004
|
|
From NetSec comes a pointer to
an article about Near Field Communications which describe communication at very short distances, touting it as a security feature. I don't know about you but I can already think of a way around this "feature": antennas hidden under the table or in nearby innocuous-looking objects.
joat: 13:30:00 16 Sep 2004 |
|
|
|
|
|
joat: 13:00:00 16 Sep 2004 |
|
|
|
|
If you have anything to do with network administration and/or security,
you have to be well grounded in in DNS theory. It's the service that
most everything else on the Internet depends on. It's also the source
of many of your network problems, intentional or otherwise. Here's a paper by Gideon T. Rasmussen which discusses basic troubleshooting steps. It's a bit CyberGuard-centric but does give you an idea for starting points for troubleshooting problems.
joat: 12:00:00 16 Sep 2004 |
|
|
|
|
I don't like the approach but this
paper contributes to the ongoing discussion (religious war?)
involving full disclosure.
joat: 12:00:00 16 Sep 2004 |
|
|
Wed, 15 Sep 2004
|
|
I agree with Axel that
it's not a failure of information security but that of people
when it comes to our current problems. I also agree that the thought
that security is mainly a technical problem, although popular within the
marketing realm, is a misleading one.
However, I dislike the view of a company's maturation. The quality of
any company's security depends on the quality (you can say "whim") of
the people within that company. A company's security "maturity" is
measured by how well its policies are accepted, practiced and enforced.
Unfortunately, it's not a progressive process. Any change (in finances,
employees, management, politics, love life, business model) has the
ability to massively affect the quality of an organization's overall
security.
joat: 13:00:00 15 Sep 2004 |
|
|
|
|
Here's a NIST Guide entitled " Security Considerations for Voice Over IP Systems".
joat: 12:00:00 15 Sep 2004 |
|
|
Tue, 14 Sep 2004
|
|
Doug Simpson has some good pointers
to IP Law primers.
joat: 13:00:00 14 Sep 2004 |
|
|
|
|
Here's a Naval
Postgraduate School thesis entitled " Using the Bootstrap Concept to
Build an Adaptable and Compact Subversion Artifice" by Lindsey Lack
which discusses the concept of an adaptable subversion artifice (a trap
door). It's a very interesting read and a bit scary if you consider
that we have to trust our closed-system vendors not to have included
something like this. Six lines of code?
joat: 12:30:00 14 Sep 2004 |
|
|
|
|
Back in the days when the term "hacker" denoted someone fascinated with
how things worked and not a form of criminal, three students wrote The Hacker Test, writing it in the manner of a magazine quiz (think Cosmo). It's entertaining reading and a good source of "lookups" if you're studying for Hacker Jeopardy.
joat: 12:00:00 14 Sep 2004 |
|
|
Mon, 13 Sep 2004
|
|
Security Focus has a good article entitled
" Malware Analysis for Administrators". Sometimes you're it,
having to figure out what a miscreant piece of code does, having to
build/suggest countermeasures to minimize the damage of an outbreak.
joat: 13:00:00 13 Sep 2004 |
|
|
|
|
I'm not sure of the value (due to the size) but here's a paper on detecting sniffers in your network. It should at least give you some ideas to work from.
joat: 12:30:00 13 Sep 2004 |
|
|
|
|
Here's a
SANS paper discussing various features in IPTables.
joat: 12:00:00 13 Sep 2004 |
|
|
Sun, 12 Sep 2004
|
|
Security Focus has posted part 2 of their
series on the Metasploit framework.
joat: 13:00:00 12 Sep 2004 |
|
|
|
|
This thing has been laying around in a backlog for most of the year so
I'm not sure the service still works. The website is still there so I'm
assuming that it still does. Pizza Party is
a *nix-based command line program to order Domino's pizza via the QuikOrder web site.
joat: 12:30:00 12 Sep 2004 |
|
|
|
|
The subject matter is outside of my experience but may prove valuable to
someone: Here's
a " Shellcoding for Linux and Windows Tutorial".
joat: 12:00:00 12 Sep 2004 |
|
|
Sat, 11 Sep 2004
|
|
Maybe it's because I'm at the end of a very long week, I'm on a
one-month contract, or I'm just in a mood. In any case, this is another
one of my oversensitive vents. You won't miss anything if you skip this
post. Call us old school but there are many of us that distrust the
current market move away from "defense in depth". Symantec's Barry Cioe
(Senior Director of Product Management) has an article over on eBCVG about the move towards "local"
security. You can skip most of the article, it's more or less a
justification to buy the new all-in-one products on the market today.
What I'm venting about is Mr. Cioe's opening
paragraph: | A decade ago,
Internet security pioneer Bill Cheswick proposed a network security
model that he famously characterized as a "crunchy shell around a soft,
chewy center." Today, as more and more "outsiders" - remote users,
business partners, customers, contractors - require access to corporate
networks, enterprises are finding the idea of a "soft center" obsolete,
if not downright dangerous. |
From reading that,
you get the idea that Mr. Cheswick's ideas are now old, outmoded, and
dangerous. If you've ever read Mr. Cheswick's papers or listened to him
talk, you'd know that Mr. Cioe is in error. Bill Cheswick's original
use of the phrase is available here in this
paper. (You'll need a Postscript viewer.). He used the phrase
initially (1990) to describe AT&T's network at the time of the (Morris)
Internet worm: | All of ARPA's
protection has, by design, left the internal AT&T machines untested - a
sort of crunchy shell around a soft, chewy
center. |
Obviously, it's not a security model
that he was proposing. Rather, he used it to describe an existing
condition and as a justification for hardening the system that your
security software runs on. This kind of thing irks me to no end. It's
right up there on my list of annoyances (no there's not an actual list)
with the mainstream press's assumption that "may you live in interesting
times", in Chinese, is a compliment. (Hint: it's not. It's a
curse.) I'll shut up now. Apologies to Bill Cheswick.
joat: 19:07:00 11 Sep 2004 |
|
|
|
|
The Security Monkey says it much better than I do, but today please remember those that gave their lives on that day three years ago. Some of them didn't know what happened, others knew what was ahead of them. I count myself as lucky in that I didn't know anyone that died that day. The closest I came to losing someone I know was a lady that I went to high school with. She missed work that day. Sarah Pickanose, you were so very, very lucky. (Not her real name but the rest of the class remembers the English Lit. class gone horribly awry!)
joat: 18:00:00 11 Sep 2004 |
|
|
|
|
For me, one of the nice things with switching to Blosxom is the ability
to write simple plugins. I had a lot of trouble writing anything for MT
but Blosxom plugins seem to be very easy. In any case, I've been
jealous of the acronym-in-a-title thingy over at Cox
Crow. To make the story shorter, I adapted Fletcher Penney's
AutoLink to make AutoAcryonym. If an acronym is in the file and in a
post, it will put a dotted-underline under the acronym and if you hover
the mouse over it, a "tag" will pop-up with the acronym
explanation. Oh, almost forgot, if you also borrow from Cox Crow's
style sheet, you can get the cursor to change to one with a "?" next to
it when you hover over one of the acronyms. (Exercise left up to you to
steal from Cox Crow's or my style sheet for the syntax.) Here's an
example:
BOFH
joat: 15:45:00 11 Sep 2004 |
|
|
|
|
Security Musings has a pointer to a site which allows members to view/critique each other's network diagrams. I like one of Security Musings' descriptions of it: "a honeypot for the dim-witted?". Scary!
joat: 13:30:00 11 Sep 2004 |
|
|
|
|
Dave
Piscitello's vent entitled " De-perimeterization is a crock..." is
right on the money. Network security, of late, has been hijacked by a
collection of people aiming to get-rich-quick by pitching something that
sounds new and improved.
joat: 12:00:00 11 Sep 2004 |
|
|
|
|
I tend to make others a bit jittery. I firmly believe that we have to talk about the "bad stuff" in order to keep the "good stuff" safe, as Adam said.
joat: 04:08:41 11 Sep 2004 |
|
|
Fri, 10 Sep 2004
|
|
Although I think it's a good idea that as many people as possible use
firewalls for their computers and their home networks (this is two
separate issues, BTW) but I don't think anyone should be able to mandate
it outside of a corporate network. This
discussion is very scary and reminiscent of a recent presentation
that I attended where the speaker suggested mandatory PKI IDs for each
and every Internet user. There are some serious enforcement and privacy
issues involved. Don't forget, one size does not fit all. The machine
that I'm setting at, as an example, passes through two firewalls and a
web proxy (for HTTP) or a virus/spam scanner (for SMTP, in both
directions) to connect to the Internet. However, it's nobody's business
whether or not I do this. Forcing me to use a specific firewall is
likely to involve an OS change and a degradation in security on my
part. Mine is considered non-standard and is customized (tuned) to
protect my configuration. To paraphrase the more paranoid militia
types: you'll get my firewall when you pry it from my cold, dead hands.
(Hmmm... Bumper-sticker material?)
joat: 13:00:00 10 Sep 2004 |
|
|
|
|
ComAanval and OpenAanval are the
commercial and free versions of a Snort console. This is on my list of
things "to do" once my life/workload quiets back down.
joat: 12:30:00 10 Sep 2004 |
|
|
|
|
Multiple mainstream news sites picked this up
and ran with it. Yeah, they are security problems, they're just not
Linux holes. LHA originally showed up on the Amiga and also runs on
Windows, FreeBSD and all (I think) of the commercial Unixes. Imlib can
be run on Linux, FreeBSD, and even Windows (under Cygwin). So how does
something that isn't part of the Linux core end up being a Linux
hole? This sort of thing does everyone a disservice (yeah, even the
Windows purists) as it just feeds the never-going-to-be-settled TCO
campaign that the purists on both sides wage on each other. Me? I'm a
mutt. I'll use what ever is available and can get the job done. I've
helped build/run two NOCs on very tight budgets.
joat: 12:15:00 10 Sep 2004 |
|
|
|
|
From NetSec comes a pointer to a collection of tools for people who reverse engineer malicious code.
joat: 12:00:00 10 Sep 2004 |
|
|
Thu, 09 Sep 2004
|
|
Here's
a tutorial entitled " Shellcoding for Linux and Windows".
joat: 13:00:00 9 Sep 2004 |
|
|
|
|
Version 2.0 of SendmailAnalyzer is out. I cannot stress the importance of maintaining an idea of what's going on in your networks (metrics, metrics, metrics!!). Believe it or not, crayon drawings are good for you too, not just for management.
joat: 12:30:00 9 Sep 2004 |
|
|
|
|
I'm a big fan of using key-based authentication for SSH connections.
However, to say you need to keep your keys secure is an understatement.
Need a reason? How about a brute force key cracker.
joat: 12:00:00 9 Sep 2004 |
|
|
Wed, 08 Sep 2004
|
|
The scanning speed for NMap scans has seen some attention recently.
While the new version has a sticky problem at very slow speeds (I can't
find the link into the mailing list but it involves SYN scans and Sneaky
speed), there is also a paper
which discusses optimization of scanning times.
joat: 13:00:00 8 Sep 2004 |
|
|
|
|
Just like it's becoming pointless to turn off SSID beaconing, it's
becoming useless to alter the version string in BIND. SecuriTeam has a piece (with
source code) that describes how to remotely figure out what version of
BIND is running, even without the banner information.
joat: 12:00:00 8 Sep 2004 |
|
|
Tue, 07 Sep 2004
|
|
Version 1.9.4 of Linux NTFS Tools and Library is out. In reading the "changes" on the Freshmeat site, this is turning into a very powerful toolset. Hopefully it'll make it into new distro's and the various forensics toolkits (if it already hasn't). Please note that the programmers (all three of them) are looking for help, mostly in the form of secondary documentation and web site support. See the SourceForge site for more information.
joat: 13:00:00 7 Sep 2004 |
|
|
|
|
SecuriTeam has a paper discussing how to structure your SQL injection to evade IDSs. Of course, if you're doing things properly, your network only allows a few specific IPs to connect to your SQL server and you should closely watch those (HIDS, NIDS, malicious code scanners, etc.). You CGI or PHP code should also limit acceptable input to certain characters and prevent direct user input. Just keep in mind the general rules of thumb for security: - It's not "if" someone is going to break in, it's "when"...
- in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
- there's no such thing as a secure online system...
- and adding technology rarely adds security.
The general rules of thumb for countering attacks: - Log as much as practical
- review your logs automatically AND manually
- employ a consistent backup schedule
- use your metrics, be able to recognize what's normal and what isn't
- the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network. Apologies for turning it into a rant.
joat: 12:00:00 7 Sep 2004 |
|
|
|
|
This looks interesting but I'd
rather see something like this boot from USB and never mount the hard
drive(s). Smart cards and iButtons make better authentication tokens.
joat: 12:00:00 7 Sep 2004 |
|
|
|
|
Not me, you. A recent post in the Web App Security mailing list prompted me to take a look at my own logs and do a little bit of extra research. This NWF article talks about FunWebProducts and its rapid spread as spyware. One thing that I haven't seen mentioned yet is what I've noticed in my referer logs. The IP's with the spyware (67.149.42.119, 24.186.59.180, 172.141.208.54, and 4.16.57.93, in the last week) are all referers for www.locators.com. I wonder... joat: 00:10:33 7 Sep 2004 |
|
|
Mon, 06 Sep 2004
|
|
You still have about three weeks to participate in Honeynet's Scan of the
Month. This one focuses around reverse engineering a bit of
malicious code.
joat: 15:30:00 6 Sep 2004 |
|
|
|
|
The new version of TCPReplay is available.
joat: 13:00:00 6 Sep 2004 |
|
|
|
|
Dana Epp has pointed
to a SANS
paper which discusses various bits of Perl code for systems and
network administrators.
joat: 12:00:00 6 Sep 2004 |
|
|
Sun, 05 Sep 2004
|
|
Here's some of
the discussion concerning hash collisions.
joat: 13:30:00 5 Sep 2004 |
|
|
|
|
(via RootSecure) NMap-Parser is a Perl module that interfaces with
NMap. I haven't seen anyone do anything with it yet but a Perl
interface to something that normally spits up a ton of text can't be all
bad.
joat: 12:30:00 5 Sep 2004 |
|
|
|
|
It cannot be said often enough. It is important that you log (SANS
paper) events so that you know what normal and abnormal metrics look
like and so that you can backtrack events when "something bad happens".
joat: 12:00:00 5 Sep 2004 |
|
|
|
|
|
I've added a few minor things to the wiki: a Forensics page, an IM page,
and an iPod page, all with some minor data. The main page is getting
large enough that I'm considering moving the sub-entries to pages of
their own (or another scheme if someone wants to suggest one).
joat: 03:30:00 5 Sep 2004 |
|
|
Sat, 04 Sep 2004
|
|
Here's a very good site
for spyware issues.
joat: 14:30:00 4 Sep 2004 |
|
|
|
|
Marcus Ranum (of Network Flight Recorder fame) has released a tool
called " NBS"
(Never Been Seen) which is a small piece of code that watches for
out-of-the-ordinary traffic. He explains it better than I can here.
joat: 13:40:00 4 Sep 2004 |
|
|
|
|
/. has a post about a Swiss Army knife with a USB drive built in. I
think they have the right idea but haven't taken it far enough in true
geek fashion. Here's my wish list for combined "tools": - 1G thumb
drive
- 802.11 interface, RFMON capable, with jack for external
antenna
- Bluetooth interface, all three modes, with jack for
external antenna
- IR interface
- 3 or 4 programmable LEDS or a
4 character alphanumeric display
Yeah, I know that no one
makes chips for all that together but I can hope, can't I? Any other
features you'd like to see?
joat: 13:00:00 4 Sep 2004 |
|
|
|
|
(via RootPrompt) Here's a good
article discussing the finer points of SpamAssassin use. I also like
the argument that Spam should not be auto-deleted because of false
positives (something that no Spam filter doesn't have, regardless of the
marketing-speak).
joat: 13:00:00 4 Sep 2004 |
|
|
|
|
Here's
a paper on detecting wireless discovery applications (think Stumbler and
the like).
joat: 12:00:00 4 Sep 2004 |
|
|
Fri, 03 Sep 2004
|
|
pfprintd is
another passive analysis tool I want to play with.
joat: 13:00:00 3 Sep 2004 |
|
|
|
|
More info for my wireless paper, mostly a tool for evil doing: Hotspotter passively
listens to the WLAN for probe requests from XP clients. When a network
matches a common name, Hotspotter switches over to being an access
point, allowing the client to authenticate and associate with it (rather
than the normal AP) and run other commands.
joat: 12:30:00 3 Sep 2004 |
|
|
|
|
Here's an Infosec Writer's paper on recovering passwords from memory (think hex editor). Interesting.
joat: 12:00:00 3 Sep 2004 |
|
|
Thu, 02 Sep 2004
|
|
|
One of the sources for our problems (as bloggers) is www.adminshop.com.
They sell Reffy, which is discribed as a Windows-based mass referrer
spammer which comes with a starter list (of blogs) of 3047 sites to
spam. Yes, for $75, you too can get on the hate list of everyone on the
planet.
joat: 22:00:00 2 Sep 2004 |
|
|
|
|
Red Team is
considering it's use and so am I. ttlscan appears to
be yet another good tool for passive analysis (think SANS paper).
joat: 13:00:00 2 Sep 2004 |
|
|
|
|
Here's
an interesting article about how the DCMA applies to search engines.
joat: 12:30:00 2 Sep 2004 |
|
|
|
|
Here's the link for the
minimized Bloglines (i.e., it's for your PDA).
joat: 12:00:00 2 Sep 2004 |
|
|
Wed, 01 Sep 2004
|
|
The new version of ARPing is available. This is one of those tools that should be good for your wireless toolkit as it can ping MAC addresses directly.
joat: 12:30:00 1 Sep 2004 |
|
|
|
|
|
joat: 12:00:00 1 Sep 2004 |
|
|
|
|
|
joat: 12:00:00 1 Sep 2004 |
|
|
|
