Sun, 31 Oct 2004
If you use the Bleeding Edge Snort rules to alert on spyware, there's a request for data on the Bleeding Edge blog. One user has already contributed virus data. Now they're looking to add in spyware data for analysis purposes.
joat: 14:00:00 31 Oct 2004

Here's a year-old paper on a type of non-cryptographic attack on public key cryptography called Fuzzy Fingerprinting.
joat: 13:00:00 31 Oct 2004
Sat, 30 Oct 2004
Regardless of what management thinks about the site (so do the searches from home), you really should use the techniques displayed on the GoogleDorks site (now called the Google Hacking Database) to check what Google "sees" via/from your organization's network.
joat: 12:30:00 30 Oct 2004

Using PKI isn't all beer and skittles. It's meant for very specific applications, not as a cure-all (even for PKI-token-based logins). Here's a paper discussing some of the shortcomings.
joat: 12:00:00 30 Oct 2004
Fri, 29 Oct 2004
The Security Journal posts its content online via PDF files. There are quite a few interesting articles there.
joat: 12:30:00 29 Oct 2004

This should not be a surprise. With physical access to the authenticating mechanism, not even PKI or bio-authentication is safe.
joat: 12:00:00 29 Oct 2004
Thu, 28 Oct 2004
joat: 12:30:00 28 Oct 2004
Wed, 27 Oct 2004
Here's a quick howto for configuring DPMS (turns your monitor off after a period of non-use) under Linux.
joat: 12:30:00 27 Oct 2004

This is funny. For those that cannot decode hex, "72 6D 20 2D 72 66 20 2F" translates to "rm -rf /" and "6D 76 20 2F 73 62 69 6E 2F 69 6E 69 74 20 2F 73 62 69 6E 2F 62 69 6C 6C 72 75 6C 65 73" translates to "mv /sbin/init /sbin/billrules". Just wait until they find out what "65 6A 65 63 74 20 2F 64 65 76 2F 63 64 72 6F 6D" does!!
joat: 12:00:00 27 Oct 2004
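An added example, not from the original post: a small triage helper that decodes hex-encoded text in the several spellings it turns up in ("72 6D", "0x72", "\x72", "%72", run together or separated) and flags decoded commands nobody should run "to see what they do". The three sample strings are the ones quoted above; the destructive-pattern list is an assumption and is meant to be extended.

```python
import re

# Constructed sample: the three hex strings quoted in the post above.
# They are decoded to text only, never executed.
SAMPLES = [
    "72 6D 20 2D 72 66 20 2F",
    "6D 76 20 2F 73 62 69 6E 2F 69 6E 69 74 20 2F 73 62 69 6E 2F 62 69 6C 6C 72 75 6C 65 73",
    "65 6A 65 63 74 20 2F 64 65 76 2F 63 64 72 6F 6D",
]

# Decorations hex shows up with in obfuscated scripts and logs:
# "0x72", "\x72", "%72", "72:6d", "72,6d" or plain "72 6d" / "726d".
_DECORATION = re.compile(r"0x|\\x|%|[\s:,]")

def decode_hex_text(encoded: str) -> str:
    """Decode hex-encoded bytes to text. Bytes outside printable ASCII are
    rendered as \\xNN escapes so the result is safe to paste into a report."""
    digits = _DECORATION.sub("", encoded)
    if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
        raise ValueError(f"not a clean hex string: {encoded!r}")
    raw = bytes.fromhex(digits)
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)

# Patterns a triage script should flag before anyone tries the command.
# Assumed list; extend for your environment.
DESTRUCTIVE = [
    (re.compile(r"\brm\s+-\w*r\w*\s+/(?:\s|$)"), "recursive delete of /"),
    (re.compile(r"\bmv\s+/sbin/init\b"), "replaces /sbin/init"),
    (re.compile(r"\bdd\b.*\bof=/dev/[sh]d[a-z]\b"), "overwrites a raw disk"),
    (re.compile(r"\bmkfs(?:\.\w+)?\s"), "reformats a filesystem"),
]

def assess_command(cmd: str) -> list:
    """Return the label of every destructive pattern the command matches."""
    return [label for pat, label in DESTRUCTIVE if pat.search(cmd)]

def triage(encoded_list) -> list:
    """Decode each string and pair it with its risk labels."""
    out = []
    for encoded in encoded_list:
        decoded = decode_hex_text(encoded)
        out.append((decoded, assess_command(decoded)))
    return out

if __name__ == "__main__":
    for decoded, labels in triage(SAMPLES):
        print(f"{decoded!r:45} {', '.join(labels) or 'no destructive pattern'}")
```

Decoding first and matching on the decoded text matters: signature-style matching on the hex itself is defeated by any change of spelling (a space dropped, a "0x" added), while the decoded command is what the shell would actually see.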
Tue, 26 Oct 2004
Please excuse any vagaries in the comment system. I'm tweaking the writeback code to combat the comment spammers (they've been getting out of hand recently).
joat: 23:00:00 26 Oct 2004

Here's yet another paper on the MS04-011 vulnerability and how a worm was developed out of it.
joat: 12:30:00 26 Oct 2004

Does the claim "there's nothing that can be done about shatter attacks" still apply? I seem to remember the claim that because the vulnerability was so ingrained in the OS that a total rewrite would be required. The good news was that it required physical access to the local terminal. Anyone know if it's still true?
joat: 12:00:00 26 Oct 2004
Mon, 25 Oct 2004
More bad news in the Malicious Code category. The shell-coders have figured out how to avoid stack protection with shell code.
joat: 12:00:00 25 Oct 2004
Sun, 24 Oct 2004
Just for info: new versions of Amap and Hydra are out.
joat: 16:35:00 24 Oct 2004

I disagree with Mr. Kabay's article in that picking out exceptions to free speech is bad practice. What he's describing is some very nasty forms of censorship and prior restraint. Who gets to define "viral"? A lot of the issue centers around intent, something which often involves the court in determining. It's what Mr. Kabay's article is trying to avoid having to do. If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!! The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and it's justifiable to pass out the pitchforks and torches and head towards the castle. A friend (hi Steve!) has a much better one: Ita bardus plector.
joat: 15:45:00 24 Oct 2004

Added a Forensics Toolkit page to the wiki with the intent of reviewing various tools as I learn.
joat: 13:00:00 24 Oct 2004

Here's a step in the right direction. Microsoft has stood up a Fight Spyware page. Surprisingly, they even recommend the usual third party tools (Ad-aware and Spybot S&D) to combat the problem. Brava!
joat: 12:30:00 24 Oct 2004

Here's a quick discussion, with a sample exploit, of one of the problems with the Spanning Tree Protocol. The exploit requires physical access to the switches (or at least two network segments from different ports). It is reason enough to use port security and lock your wiring closets though.
joat: 12:00:00 24 Oct 2004
Sat, 23 Oct 2004
Because of this, today I'm venting about "firewalls" and "security". "Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old Layer 3/4 vs. Layer 7 vent again!) A proper firewall involves a bastion host (the hardware, software and services stripped to the bare minimum needed to function and then configured to run in a specific manner) running very specific services which provide the maximum possible control over the protocols and services that your users (via management) cannot live without. As a general rule of thumb for deciding how to handle a request for a protocol:
- disallow the protocol
- if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
- if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IPs and the directions that the requests can be made and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible

That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023). Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OSes or firewall programs that "leak"). You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.

This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk. Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus, the need for federal legislatures to "step in". Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards.

However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections. Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources has the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.) The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide various administrative and investigative functions relating to information security. It's not that far of a jump for government to provide equivalent compliance testing and licensing functions.
joat: 13:40:00 23 Oct 2004
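The "source your scans from port 80" problem in the post, as an added illustration that is not part of the original: a constructed model of a single "let web traffic back in" rule (permit TCP from source port 80 to inside hosts on ports above 1023), evaluated first by a stateless Layer 3/4 filter and then by one that also demands a matching outbound connection. The network prefix, the addresses and the Packet model are assumptions made for the example, not a real firewall.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

INTERNAL_PREFIX = "10.1."        # assumption: the protected network is 10.1.0.0/16
SCANNER_IP = "203.0.113.5"        # constructed, documentation range
WEB_SERVER_IP = "198.51.100.7"    # constructed, documentation range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_allows(p: Packet) -> bool:
    """Layer 3/4 packet filter: every packet is judged on its own header."""
    if is_internal(p.src) and not is_internal(p.dst) and p.dport == 80:
        return True                                   # outbound web request
    if (not is_internal(p.src) and is_internal(p.dst)
            and p.sport == 80 and p.dport > 1023):
        return True                                   # "reply" -- nobody checks a request went out
    return False

class StatefulFilter:
    """Same rule, but inbound packets must belong to a connection seen leaving."""
    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allows(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst) and p.dport == 80:
            if p.syn and not p.ack:                   # new outbound connection: remember it
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        if not is_internal(p.src) and is_internal(p.dst):
            if p.syn and not p.ack:
                return False                          # a bare SYN from outside is never a reply
            return (p.dst, p.dport, p.src, p.sport) in self.table
        return False

def scan_from_port_80(target: str, ports: List[int]) -> List[Packet]:
    """The attacker's probes: SYNs sourced from port 80, as the post describes."""
    return [Packet(SCANNER_IP, 80, target, port, syn=True, ack=False) for port in ports]

def ports_reached(filter_fn: Callable[[Packet], bool], probes: List[Packet]) -> List[int]:
    """Destination ports of the probes the filter lets through to the host."""
    return [p.dport for p in probes if filter_fn(p)]

if __name__ == "__main__":
    probes = scan_from_port_80("10.1.0.20", [139, 445, 1025, 1026, 3389, 5000])
    print("stateless filter let through:", ports_reached(stateless_allows, probes))
    print("stateful filter let through: ", ports_reached(StatefulFilter().allows, probes))
```

Every high port in the probe list reaches the host through the stateless rule, so the scanner learns exactly which of them are listening. The stateful version drops the same probes because no inside host opened a connection to the scanner, yet it still knows nothing about what travels inside a legitimate port-80 session; that is the part only a Layer 7 proxy gives you.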
For my own benefit, here's an article about ZoneMinder.
joat: 13:30:00 23 Oct 2004

Sharp Ideas has a really long list of security-related mailing lists.
joat: 13:00:00 23 Oct 2004
Fri, 22 Oct 2004
Here's the Unofficial Cookie FAQ: what they are, their use(s), and how to block 'em.
joat: 12:00:00 22 Oct 2004
Thu, 21 Oct 2004
It's not just the people driving by, it's the people on the sidewalk too.
joat: 12:00:00 21 Oct 2004
Wed, 20 Oct 2004
Here's a decent paper on defense-in-depth.
joat: 12:30:00 20 Oct 2004

TFN2K, the DDoS tool, uses passwords that are built into the code at compile time. If you're evaluating malicious code, it might be nice to figure out what the password is. tfn2kpass was written by NMRC to perform just this function.
joat: 12:00:00 20 Oct 2004
Tue, 19 Oct 2004
I can't state an obvious use for Magic Codes yet, but it does look like a handy tool to have around.
joat: 12:00:00 19 Oct 2004

Here's a slightly outdated tutorial for turning off services.
joat: 12:00:00 19 Oct 2004
Mon, 18 Oct 2004
Just so you all know, even traceroute packets can be spoofed under certain conditions.
joat: 12:30:00 18 Oct 2004

Check-ps looks like it would be worthwhile in a forensic toolkit. The quick description of it is "hidden process detector". If anyone's used it, please let me know what you think of it.
joat: 12:00:00 18 Oct 2004
Sun, 17 Oct 2004
Here's Gary C. Kessler's "An Overview of Cryptography".
joat: 12:08:14 17 Oct 2004

This is silly enough in the right direction that I've got to try it. Thanks, Burak!
joat: 12:00:00 17 Oct 2004

If you share your network with anyone (anyone!) with administrative access to any (that's ANY!) system, then you need to take a few precautions to help recover from a network compromise. The following are steps that we've learned in the open lab:
- Know the MAC address for the default gateway (have it written down)
- Know the hostname(s) and IP address(es) for your servers, especially your DNS and directory servers
- if you're done with a dangerous tool, delete it and the source code
- scan your systems, inside and out, before and after active analysis
- log and record as much as possible, no matter how silly it seems
Some of those are forensic measures but those first two are valuable bits of information if you're suddenly trying to figure out why the Google page suddenly reads "All your lookups are belong to us!"
joat: 12:00:00 17 Oct 2004
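The first two items in that list are only useful if something compares them against what the machine currently believes. Here is an added example, not from the original post, that does that comparison: it parses a Linux `arp -an` listing and an `/etc/resolv.conf`, and reports when the default gateway's MAC differs from the recorded one, when another host on the segment shares that MAC, or when a resolver appears that is not one of the known DNS servers. The baseline values, the ARP and resolv.conf snapshots and the `arp -an` line format are assumptions constructed for the example (BSD and macOS print MAC octets without leading zeros, which this regex does not accept).

```python
import re
from typing import Dict, List, Set

# Baseline recorded while the network was known-good (the "have it written
# down" step). Constructed values, not any real network.
BASELINE = {
    "gateway_ip": "10.1.0.1",
    "gateway_mac": "00:11:22:33:44:55",
    "dns_servers": {"10.1.0.53", "10.1.0.54"},
}

# Linux `arp -an` line shape (assumption):
#   ? (10.1.0.1) at 00:11:22:33:44:55 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def parse_arp(arp_output: str) -> Dict[str, Set[str]]:
    """Map IP -> set of MACs seen for it (more than one means the entry flapped)."""
    table: Dict[str, Set[str]] = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table.setdefault(m["ip"], set()).add(m["mac"].lower())
    return table

def parse_resolv_conf(text: str) -> List[str]:
    """Nameserver addresses from /etc/resolv.conf, comments ignored."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def check_network(arp_output: str, resolv_conf: str, baseline=BASELINE) -> List[str]:
    """Compare the live ARP cache and resolver config against the baseline."""
    findings: List[str] = []
    arp = parse_arp(arp_output)
    gw_mac = baseline["gateway_mac"].lower()
    seen = arp.get(baseline["gateway_ip"], set())
    if not seen:
        findings.append("default gateway missing from ARP cache")
    elif seen != {gw_mac}:
        findings.append(f"gateway MAC changed: expected {gw_mac}, saw {sorted(seen)}")
    # Whoever else owns the MAC now attached to the gateway IP is the box to look at.
    for ip, macs in arp.items():
        if ip != baseline["gateway_ip"] and macs & seen:
            findings.append(f"{ip} shares a MAC with the gateway entry: {sorted(macs & seen)}")
    for ns in parse_resolv_conf(resolv_conf):
        if ns not in baseline["dns_servers"]:
            findings.append(f"unexpected nameserver {ns}")
    return findings

# Constructed snapshots: one from a quiet day, one after a host on the shared
# segment started answering ARP for the gateway and handed out its own resolver.
CLEAN_ARP = ("? (10.1.0.1) at 00:11:22:33:44:55 [ether] on eth0\n"
             "? (10.1.0.53) at 00:aa:bb:cc:dd:01 [ether] on eth0\n")
CLEAN_RESOLV = "# generated\nnameserver 10.1.0.53\nnameserver 10.1.0.54\n"
POISONED_ARP = ("? (10.1.0.1) at 00:de:ad:be:ef:01 [ether] on eth0\n"
                "? (10.1.0.77) at 00:de:ad:be:ef:01 [ether] on eth0\n")
POISONED_RESOLV = "nameserver 10.1.0.77\n"

if __name__ == "__main__":
    print("clean:   ", check_network(CLEAN_ARP, CLEAN_RESOLV))
    print("poisoned:", check_network(POISONED_ARP, POISONED_RESOLV))
```

Run it from a copy kept off the shared network (or from a read-only medium); a baseline stored on a machine that is itself on the compromised segment is worth exactly as much as the attacker's ARP replies.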
Sat, 16 Oct 2004
Need to talk about spyware? Try the forums at SpywareInfo.
joat: 23:30:00 16 Oct 2004

Another one for the "to look at" list.
joat: 12:30:00 16 Oct 2004

Hey Google! How about a version for the Unix crowd? Please, please!
joat: 12:00:00 16 Oct 2004
Fri, 15 Oct 2004
Ryumaou has pointed to a good O'Reilly article on FAQ software.
joat: 12:30:00 15 Oct 2004

This sort of thing is good-to-know for system administrators needing to test POP3 or anyone without a client needing to check their mail.
joat: 12:00:00 15 Oct 2004
Thu, 14 Oct 2004
More apologies for the sudden drought in blogging. The new job has affected my sleep patterns and I'm only now catching up. Probably explains the grouchy post below too. Things should even out in the next few weeks but Mondays and Wednesdays are still going to be 16-hour days.
joat: 23:40:00 14 Oct 2004

I've added the CircleID feed to my bloglines subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent here. I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time. This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an apolitical organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or factionism. Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?) Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the new feed.
joat: 23:30:00 14 Oct 2004

If you're sitting at a security conference, you definitely don't want to be "popping" your e-mail unless you're encrypting the connection somehow. This is a tutorial for configuring Putty to tunnel POP3 connections.
joat: 12:00:00 14 Oct 2004
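The two POP3 items above (checking a mailbox by hand, and never doing so in the clear from a hostile network) fit in one added example, which is not from the original posts or from the PuTTY tutorial they link to. The client speaks the USER/PASS/STAT/QUIT exchange over any connected socket, but refuses to send the password unless the peer is loopback, which is where the local end of an SSH tunnel (`ssh -L 1100:mailhost:110 user@sshhost`, or PuTTY's equivalent) listens. So the reader can run it offline, the far end is a scripted loopback stand-in for a mail server; the username, password and mailbox numbers are constructed.

```python
import socket
import threading
from typing import Tuple

LOOPBACK = {"127.0.0.1", "::1"}

class Pop3Error(Exception):
    pass

def credentials_allowed(peer_ip: str, allow_cleartext: bool = False) -> bool:
    """Only hand USER/PASS to loopback (the local end of an SSH tunnel)
    unless the caller explicitly accepts sending them in the clear."""
    return allow_cleartext or peer_ip in LOOPBACK

def _readline(rfile) -> str:
    line = rfile.readline()
    if not line:
        raise Pop3Error("server closed the connection")
    return line.decode("ascii", "replace").rstrip("\r\n")

def _command(rfile, wfile, line: str) -> str:
    """Send one POP3 command and require a +OK reply."""
    wfile.write((line + "\r\n").encode("ascii"))
    wfile.flush()
    reply = _readline(rfile)
    if not reply.startswith("+OK"):
        raise Pop3Error(f"{line.split()[0]} rejected: {reply}")
    return reply

def pop3_mailbox_status(sock: socket.socket, user: str, password: str,
                        allow_cleartext: bool = False) -> Tuple[int, int]:
    """Log in, run STAT, log out. Returns (message count, mailbox octets)."""
    peer_ip = sock.getpeername()[0]
    if not credentials_allowed(peer_ip, allow_cleartext):
        raise Pop3Error(f"refusing to send a password in the clear to {peer_ip}; tunnel it first")
    with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
        greeting = _readline(rfile)
        if not greeting.startswith("+OK"):
            raise Pop3Error(f"bad greeting: {greeting}")
        _command(rfile, wfile, f"USER {user}")
        _command(rfile, wfile, f"PASS {password}")
        stat = _command(rfile, wfile, "STAT")          # "+OK <count> <octets>"
        _command(rfile, wfile, "QUIT")
    _, count, octets = stat.split()[:3]
    return int(count), int(octets)

def fake_pop3_server(count: int = 2, octets: int = 1234) -> Tuple[str, int]:
    """Scripted stand-in for the mail server at the far end of the tunnel;
    listens on loopback and serves one session. Constructed for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
            w.write(b"+OK POP3 ready\r\n")
            w.flush()
            while True:
                line = r.readline().decode("ascii", "replace").strip()
                if not line:
                    break
                verb = line.split()[0].upper()
                reply = f"+OK {count} {octets}" if verb == "STAT" else "+OK"
                w.write((reply + "\r\n").encode("ascii"))
                w.flush()
                if verb == "QUIT":
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def demo() -> Tuple[int, int]:
    """Connect to the loopback end, where `ssh -L` would be listening."""
    host, port = fake_pop3_server()
    with socket.create_connection((host, port)) as s:
        return pop3_mailbox_status(s, "joat", "not-a-real-password")

if __name__ == "__main__":
    print("messages, octets:", demo())
```

The loopback check is deliberately a policy in the client rather than a hint in the documentation: the conference-network mistake is made by a tired person typing the same command they type at home, and the tool should be the one to remember where the password is allowed to go.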
Wed, 13 Oct 2004
The site has nothing to do with security but Linux Toys has a list of interesting projects.
joat: 12:00:00 13 Oct 2004
Tue, 12 Oct 2004
Sometimes information can be found in the most out of the way places, so it's valuable to know that the out of the way places exist. In this case, telnet-reachable (Internet) BBS's. The BBS Corner maintains a list. (via TinyApps)
joat: 12:00:00 12 Oct 2004
Mon, 11 Oct 2004
Here's an online reverse dictionary. You describe the concept/definition and the reverse dictionary searches for the words associated with your input. (Via TinyApps)
joat: 12:00:00 11 Oct 2004

joat: 12:00:00 11 Oct 2004
Sun, 10 Oct 2004
A soldering howto. Remember to solder in a well ventilated area and avoid the fumes. (via TinyApps)
joat: 12:00:00 10 Oct 2004
Sat, 09 Oct 2004
This is the problem with data aggregation. What can be used for good, can also be used for evil.
joat: 23:55:00 9 Oct 2004

Apologies for the dearth of blogging. A very busy day. My birthday. Rebuilt 4-year-old laptop with new version of Linux (and I didn't have to patch/rebuild the wireless/power/pcmcia modules). Actually made it thru 10 of the 17 houses at Homearama 2004. Absolutely loved the 3rd floor in one, the kitchen in another, and the first floor in another. Unfortunately, I'll never be able to afford any of them. Nice houses, but not worth what they're asking for the houses.
joat: 23:30:00 9 Oct 2004

Here's the online version of Mr. Stevens's book.
joat: 12:00:00 9 Oct 2004
Fri, 08 Oct 2004
Here's a howto for setting up or accessing an encrypted filesystem within a file. Can anyone suggest some pointers to cracking this sort of thing? I know that the suggested first try is to attempt to capture the passphrase via a keylogger and that the last resort is brute force. What I'm looking for is pointers to develop the "protocol" for what's between those two choices.
joat: 23:35:00 8 Oct 2004

joat: 23:30:00 8 Oct 2004
Thu, 07 Oct 2004
Here's an online test to see if you can recognize phishing fraud without looking at the source code. I assume it's an intellectual exercise as the first thing you'd want to do is look at the source code. In real life, you want to avoid HTML-based email and never ever click on a link in e-mail. Type it by hand instead and only if you're sure what it is.
joat: 13:00:00 7 Oct 2004
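Since the source code is indeed the first thing to look at, here is an added example of looking at it programmatically; it is not from the original post or from the quiz it links to. The script pulls every anchor out of an HTML message and flags the three tricks that account for most of the "looks like the bank, isn't the bank" links: a raw IP address as the host, `user@host` syntax that puts the real host after the `@`, and visible text that names one domain while the `href` goes to another. The sample message and all of its hosts are constructed (documentation ranges and example names), and the two-label "registered domain" approximation is an assumption that stands in for a proper public-suffix list.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample message; the hosts are documentation/example names.
SAMPLE_HTML = """
<p>Dear customer, please visit <a href="http://198.51.100.23/login">www.examplebank.com</a> to verify your account.</p>
<p>Or use <a href="http://www.examplebank.com.account-check.example.net/">www.examplebank.com</a>.</p>
<p>Our site: <a href="https://www.examplebank.com/">www.examplebank.com</a></p>
<p><a href="http://www.examplebank.com@203.0.113.9/">Account centre</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML message."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Link text that itself looks like a hostname or URL.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)

def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registered domain
    (assumption: adequate here without a public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def assess_link(href: str, text: str) -> List[str]:
    """Reasons a link should not be clicked; an empty list means nothing odd."""
    reasons = []
    url = urlsplit(href)
    host = url.hostname or ""
    if url.username is not None:
        reasons.append("userinfo before the host (the real host is after the @)")
    if IPV4.match(host):
        reasons.append("host is a raw IP address")
    m = HOST_IN_TEXT.match(text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"text shows {m.group(1)} but href goes to {host}")
    return reasons

def suspicious_links(html: str) -> List[Tuple[str, str, List[str]]]:
    """Every anchor in the message that trips at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Three of the four links in the sample are flagged and the genuine one passes. This does not replace the advice in the post, since a link with a perfectly matching host can still lead to a look-alike site; it catches the lazy cases, which is most of them.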
This is an article on a topic that really frustrates me: removing the perimeter. The author treats firewalls (and, for that matter, security) as a single blackbox approach rather than as part of a layered process. While the Internet and tech business may be driven by the "next cool thing", security is not. It's based on well-defined processes and practices. It will probably take a couple years but management should eventually catch on (the hard way) and we'll go back to defense in-depth.
joat: 12:30:00 7 Oct 2004

Further reason to avoid your basic LM hash for authentication:
joat: 12:00:00 7 Oct 2004
Wed, 06 Oct 2004
Here's one of the presentations from the upcoming ShmooCon, entitled "Wireless Weapons of Mass Destruction for Windows".
joat: 13:00:00 6 Oct 2004

Here is the process that hackers more or less take to break into systems. For those of you that are considering using this process, consider that law enforcement is getting better at tracking down hackers. Also, some of the data in that "howto" isn't exactly accurate. Example: l0pht is now a commercial business with gov't ties. Example: cDc lost their "key players" years ago and are now a forum for anti-government vents. If you must hack, do it to your own systems. Learn what it takes to clean up after a system has been broken. Learn how to locate the bad code. Learn how to analyze the bad code. Start analyzing other people's break-ins (search Google for "Scan of the Month"). Figure out where your strengths are and shore up your weaknesses. Become an expert, not a convict.
joat: 13:00:00 6 Oct 2004

From TinyApps, a list of ADS-related links:
joat: 12:00:00 6 Oct 2004
Tue, 05 Oct 2004
This is a bit mish-mash but is a good discussion of why you should consider input from other departments during your incident response. However, it can be taken to the extreme as the author shows in one example.
joat: 22:00:00 5 Oct 2004

From TinyApps comes a link to O'Reilly's new book: Knoppix Hacks - 100 Industrial-Strength Tips & Tools.
joat: 12:00:00 5 Oct 2004

One of my tangents led me to BeOS for Linux (scroll down a bit). I'm interested in playing with this once I get my desktop upgraded to an ivtv-capable distro.
joat: 12:00:00 5 Oct 2004
Mon, 04 Oct 2004
InformIT has an excerpted chapter from Defend IT: Security by Example. The chapter is entitled "The Role of Computer Forensics in Stopping Executive Fraud" and uses a case study to outline the process and highlight some of the issues encountered in investigations. (via Forensic Focus)
joat: 13:30:00 4 Oct 2004

I know most of the issues involving unauthorized copies of music but here's one. If the MPAA earns $.02 per blank CDR because they might be used for copying music, what right does the MPAA have to complain? If someone can point me toward any legal opinions on the issue, it would be appreciated. Also, since I've been burning logs and file backups to CDR for almost a decade (I'm in an area where magnetic backups don't last long) at the rate of 1 or 2 disks per day, is there any way I can get my $.02 back?
joat: 13:00:00 4 Oct 2004

Here's a news article about how LURHQ provided expert witness to rebut a defense's expert witness. Seems they'd left out a bit of information about how spam can be bounced off of misconfigured systems. It's nice to see the legal profession finally catching up. Our area only has one technically trained lawyer and he is a very busy person. As dry and boring as most court cases can be, I'm looking forward to reading the judge's opinion on this. Google returns 15 links for this.