(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.

Mon, 31 Jan 2005

Kismet --> Snort 31 Jan
Finally had enough time to rig a Kismet drone to feed a Snort install. It looks something like:

kismet_drone --> kismet_server --> fifo --> snort --> acid

where kismet_drone resides on a WRT54G and the rest resides on the desktop machine. It doesn't run too well on my 3 year-old laptop though (not enough memory). One plus about the setup is that I can also connect kismet_client to the kismet_server and use the normal Kismet interface at the same time.

I'll blog the configuration at a later date as I have only two nights to get ready for Shmoo and need to gather a few things. TWUUG and ISSA are also this week.

joat: 13:30:00 31 Jan 2005


Kismet 31 Jan
iHacked has an excerpted chapter online from the book "Wardriving: Drive, Detect, Defend/A Guide to Wireless Security" entitled "Configuring and Using Kismet".

joat: 13:00:00 31 Jan 2005


Sun, 30 Jan 2005

L7 Filter 30 Jan
The Application Layer Packet Classifier is an interesting extension to netfilter (iptables). I wonder if the classifier can be used elsewhere, such as with tcpdump or Snort, to help identify traffic. Anyone know?

joat: 13:10:00 30 Jan 2005


ISECOM 30 Jan
The ISECOM website is well worth exploring. It's the home of the OSSTMM, Hack Highschool (not what you think), and the OPSA/OPST certs.

I had nothing to do with the Jack of All Trades presentations.

joat: 13:00:00 30 Jan 2005


ShmooCon 30 Jan
Following are bloggers and others that have stated intentions to be at Shmoocon (in no particular order):

Groups:

Should be an interesting con. Anyone else going? It's probably pointless but I was thinking about rigging a 54G in the car to watch for stumblers on the drive up (I'm more interested in "watching the watchers"...). It's only a four-hour drive too.

joat: 12:30:00 30 Jan 2005


Sat, 29 Jan 2005

Google - A Single Point of Failure 29 Jan
Hendrik Scholz has posted a paper that he is going to present at Chemnitzer Linux-Tage (Babelfish required) and possibly at Interz0ne 4. The premise of the paper is that we, as users, have become too reliant on Google.

I mostly disagree with Mr. Scholz. One or two of his points are valid but I think the rest are in error. His errors include:

  • the implication that it is only Google that voluntarily censors content based on local censorship laws
  • the implication that Google is not poisoned with ads in the way that Altavista is (Google has it bad also)
  • the implication that Firefox only works with Google (IE autosearches just one search engine also)(Firefox has the ability to add default search engines via plugins)
  • the assumption that Google should be used for all searches

There is an underlying implication that Google is "the one". In my case, it is not. Mr. Scholz's statements about Google's (and other search engines') results are accurate only from the point of view of the casual user. Heavy use of search engines (I average 100 or so per day) reveals that Google has many of the same problems as the rest (ad poisoning, blind spots, etc.).

Yes, the community as a whole would suffer greatly if Google ceased to exist or if Google resorted to overtly dishonest practices but I don't think the topic is worthy of two conference presentations.

joat: 21:00:00 29 Jan 2005


SELinux 29 Jan
The NSA has a page with quite a few SELinux articles on it.

joat: 13:00:00 29 Jan 2005


Fri, 28 Jan 2005

MySQL worm? 28 Jan
Builder.AU has an article about a "new" worm that is causing MySQL servers to join a botnet. This shouldn't happen, available patch or no available patch.

If you have MySQL, it's likely that you're running a variant of Linux or *BSD. If you have those, you also have some form of packet filter (iptables, ipfw, ipchains, etc.). Can you think of a valid reason why the entire world needs direct access to a MySQL server? At most, maybe one or two other machines would need the access.

This goes back to securing your network, whether it's an internal or an external network. With just about all *nix machines, you can write filters on each of the boxes that limit access to services. You should write the filters so that only the "normal" users of the system can access them. (Example: only your postmaster should need SSH access to your mail server(s). Everyone else (in your network) gets only port 25 access.)

It's not perfect but it will keep things like MySpool from occurring.

joat: 13:15:00 28 Jan 2005


Cyber-counter 28 Jan
Here's a very large thesis paper from the Naval Postgraduate School which talks about combating cyber-terrorism with cyber-deception. It's a decent paper even if it overuses the c-word. Oh, and it has the obligatory reference to Pearl Harbor that we all saw/used right after Y2K.

Keep in mind that it is a thesis and (in this case) can be treated as a theory or an argument. I disagree with the premise that a "misrepresentation" is unintentional. (See the Taxonomy.)

joat: 13:00:00 28 Jan 2005


Thu, 27 Jan 2005

Running Windows worms under Linux 27 Jan
This showed up via a local user group's mailing list. Some people have way, way, way too much time on their hands. This is silly enough that I may just try it if I have enough free time.

joat: 13:30:00 27 Jan 2005


Spyware paper 27 Jan
Here's a paper entitled "Measurement and Analysis of Spyware in a University Environment", from the University of Washington, that has some interesting points.

joat: 13:00:00 27 Jan 2005


Wed, 26 Jan 2005

B-Day 26 Jan
Wups! Happy 2nd Birthday + 1 day joatBlog.

joat: 23:45:00 26 Jan 2005


A55h*l3s 26 Jan
Looks like I'm going to be looking for better Wiki software. The spammers are starting to act up in the Wiki now (took down the entire front page). Luckily the current software has rollbacks. The user management portion sucks royally though.

Anyone know of a GOOD wiki that:

  • has strong user management (not just we'll mail you a password)
  • Outputs changes into RSS feeds
  • is skinnable
  • doesn't have an overly large command set
  • has rollbacks
  • doesn't have to work with InterWiki (but is a nice-to-have)

Mebbe I should just tweak the code already here?

joat: 23:00:00 26 Jan 2005


RFC-Ignorant 26 Jan
"RFC-Ignorant is the clearinghouse for sites who think that the rules of the internet don't apply to them." (heh)

Yet another site to lookup stuff on. Instead of aiming at spammers, this site aims at poorly configured DNS servers.

joat: 13:00:00 26 Jan 2005


Tue, 25 Jan 2005

Usenet History 25 Jan
Here's Google's history of Usenet.

joat: 13:10:00 25 Jan 2005


Shmoo! 25 Jan
Just realized that the ShmooCon is a week from Friday. That means I have this weekend to clean and rebuild the laptop. Hopefully I'll have time to Tripwire it.

Wonder if it's worth taking audio equipment to record the talks. Anyone know if they're planning on recording the talks?

joat: 13:00:00 25 Jan 2005


New Google Tag 25 Jan
Here's a quick piece about Google taking a hand in fighting comment and wiki spam. Unfortunately it'll mostly require the programmers to recode so that the tag is added automatically to comments.

It's also a small step in the ever escalating arms race. Spammers will find a way around it.

joat: 13:00:00 25 Jan 2005


Mon, 24 Jan 2005

Cams ongoing 24 Jan
Some of us were playing with this early last year. It's now becoming difficult, with many of the more-popular cams undergoing what amounts to a remote tug-of-war for control.

It's amazing the mileage that "unsecured cams" have gotten with the media (mainstream and blogstream). Certain things only have to enter at the right time and place and they get repeated ad nauseam.

(Google for the examples)

joat: 13:00:00 24 Jan 2005


Sun, 23 Jan 2005

Comments back on 23 Jan
The comment system is back on. I've decided to try out manual filtering for awhile. I think that this approach may work as legitimate traffic is pretty low and I should be able to filter out the jerks.

If you make a legitimate comment and it's not added to the page after early evening, e-mail me (joat@the_obvious_domain) and complain. Otherwise, please bear with me while I tinker with the comment system again.

joat: 15:20:00 23 Jan 2005


The Dangers of Using Anonymous Proxies 23 Jan
(I originally wrote this into the wiki but it falls within the scope of the blog also so... It still needs a bit of polish but you'll get the idea.)

First off, the disclaimer: I am not a lawyer. While I've taken a few classes in technology-related law, I am not an expert. This article should not be considered legal and/or expert advice. That said...

This piece is about anonymous proxies. While some of the information here may aid in setting up or configuring a proxy, the intent is to discuss some of the "darker" issues involved with their existence. Please use Google for help if you're looking for information to set up or use a proxy. There are an ample number of those sites available.

Anonymous proxies (web, mail or otherwise) and proxy filters have a number of uses, both for good and bad. Reasons for using them may include:

  • sending a nasty note to a spammer you've tracked down
  • avoiding spyware
  • doing just about anything unethical, immoral, or illegal

Using anonymizing services is not illegal by itself but will surely draw attention if you're being watched for any other purpose. If your driver's license expires and you never drive above 55 or get in an accident, no one will probably notice. However, if you consistently drive like a jerk, passing all the other cars on the highway, you'll get "noticed" within a day or two. You'll also likely discover that you'll be charged with more than one crime.

If you use encryption in the commission of a crime, you may find yourself in deeper trouble for using encryption than you think. Various states have laws which add penalties (of various degree) in such a manner.

For example, Virginia Code[4] (18.2-152.15. Encryption used in criminal activity) reads:

Any person who willfully uses encryption to further any criminal activity shall be guilty of an offense which is separate and distinct from the predicate criminal activity and punishable as a Class 1 misdemeanor.

"Encryption" means the enciphering of intelligible data into unintelligible form or the deciphering of unintelligible data into intelligible form.

While Virginia treats it as a minor crime (anyone know of a compiled list of States' laws?), various efforts have been made to introduce federal statutes where prison sentences of up to 10 years can be applied to persons using encryption in such a manner.

While you may be able to argue that you didn't notice that the illegal web site you visited was employing SSL, use of encryption usually involves a conscious decision to use it. Anonymizing proxies which employ encryption require manual configuration and possibly installation of software.

All of that aside, there are still a few issues that should be discussed: use of remote proxies which are in violation of the owner's ToS, use of foreign proxies and use of covertly installed proxies. One will only get the proxy owner into trouble with his provider but the other two may involve criminal proceedings against you, even if the only sites that you visit are as tame as Playboy or Amnesty International.

Many U.S.-based Internet users access the Internet via a broadband connection purchased from either the local cable or telephone utility. As part of the installation of the service, a subscriber signs or click-agrees to a document entitled "Terms of Service" (ToS). Somewhere in the fine print is the agreement to not install/run servers. If the user then installs an anonymizing proxy or remailer and allows the outside world to access it, he/she is in violation of his/her ToS.

Detection of these services is easy enough. A network monitor (a sniffer or IDS) configured to detect inbound packets with only the SYN flag set will produce a list of suspect IPs. The utility company can then record the count and size of packets passed through the suspect system. At a minimum, the proxy owner will be de-subscribed.
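The check described above, as an added example that is not part of the original post: it parses raw IPv4/TCP headers and lists subscriber addresses receiving inbound SYN-only packets. It goes one step beyond the text by also noting whether the subscriber answered with SYN/ACK; the subscriber range, the `min_sources` threshold and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumption: the subscriber pool being watched (a documentation range).
SUBSCRIBER_NET = ipaddress.ip_network("203.0.113.0/24")
SYN, ACK = 0x02, 0x10
CORE_FLAGS = 0x3F  # mask off the ECN bits (ECE/CWR) that a SYN may also carry


def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP header pair (constructed sample data, checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Return (src, dst, sport, dport, flags), or None if not a usable IPv4/TCP packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 14:
        return None  # bad header length, not TCP, or truncated before the flags byte
    if struct.unpack("!H", raw[6:8])[0] & 0x1FFF:
        return None  # non-first fragment: no TCP header to read
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, dst, sport, dport, raw[ihl + 13]


def find_suspect_servers(packets, min_sources=2):
    """List subscriber (ip, port) pairs that outside hosts try to open connections to."""
    syn_sources = defaultdict(set)  # (subscriber ip, port) -> distinct outside sources
    answered = set()                # (subscriber ip, port) pairs that replied SYN/ACK
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        core = flags & CORE_FLAGS
        inbound = dst in SUBSCRIBER_NET and src not in SUBSCRIBER_NET
        outbound = src in SUBSCRIBER_NET and dst not in SUBSCRIBER_NET
        if core == SYN and inbound:
            syn_sources[(dst, dport)].add(src)
        elif core == (SYN | ACK) and outbound:
            answered.add((src, sport))
    report = []
    for (ip, port), sources in sorted(syn_sources.items()):
        if len(sources) >= min_sources:
            report.append({"ip": str(ip), "port": port, "sources": len(sources),
                           "answered": (ip, port) in answered})
    return report


# Constructed sample capture, not real traffic.
SAMPLE_CAPTURE = [
    build_packet("198.51.100.10", "203.0.113.25", 40001, 8080, SYN),
    build_packet("203.0.113.25", "198.51.100.10", 8080, 40001, SYN | ACK),
    build_packet("198.51.100.10", "203.0.113.25", 40001, 8080, ACK),
    build_packet("198.51.100.77", "203.0.113.25", 40002, 8080, SYN),
    build_packet("192.0.2.5", "203.0.113.25", 40003, 8080, SYN),
    build_packet("198.51.100.10", "203.0.113.40", 40004, 3128, SYN),  # one source, no reply
    build_packet("203.0.113.60", "198.51.100.10", 40005, 80, SYN),    # outbound browsing
    build_packet("192.0.2.5", "203.0.113.25", 40006, 8080, SYN)[:30], # truncated
]

if __name__ == "__main__":
    for row in find_suspect_servers(SAMPLE_CAPTURE):
        print(row)
```

An unanswered SYN only shows that someone knocked; the `answered` flag separates scan noise from a subscriber host that is actually accepting connections.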

If the amount of traffic is large enough, the utility may attempt to pass the costs to the proxy owner via the court system. Remember, most if not all ISPs buy their connectivity "by the bit" and having large volumes of traffic pass in and then out of their domain can make it cost effective for the ISP to at least spot check for suspicious network traffic.

If you use proxies which are located within other countries, you need to consider that you may be wandering into the jurisdiction of foreign or international law. Accessing a site as tame as Playboy is not a crime here in the U.S. but it definitely is in China. While "the Great (fire)Wall" may block direct access to Playboy, there are ways around it, such as chaining yet another proxy. Care to be the first test case for this portion of international law?

The final thing you should consider involves the use of covertly installed proxies. The average home user knows (or even cares) little about the security of their machine(s). Hackers, spammers, and worm authors are able to install all sorts of backdoors and other code in these poorly protected systems. Proxies are some of the milder examples.

There are numerous sites on the Internet that specialize in providing lists of open proxies. As entries in these lists are highly transient, usually residential in nature and often involve port numbers over 1024, it's not an overly large assumption that some of these proxies exist without the machine's owner's knowledge.

This is another area where existing laws have not been tested. Unauthorized use of computer services is against the law, in the U.S.[2] and many other countries[1]. Most are statutory in nature, meaning that proving intent is not an issue for the court. A lot of them have not been "tested". Just because you didn't know the proxy was illegal may or may not be enough of an excuse to avoid prosecution. If you use a proxy to commit a crime, the point may become moot. Care to become the first test case for this portion of your country's law?

To make a convoluted discussion short, when you're configuring your browser, it may be a good idea to at least perform a cursory investigation of the IP address(es) that you will be using for proxy services. If the machine is located in another country or has a hostname that is obviously within a residential subscriber domain, it may be a good idea to find a different proxy to use.

If you're an ISP, it's probably a good idea to periodically check the available proxy lists[5][6][7] for addresses in your IP range.
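One way to run the cursory checks from the last two paragraphs over a published proxy list, as an added example that is not part of the original post: it flags entries inside your own address space, ports over 1024 and hostnames that look residential. The address ranges, the hostname hint pattern, the `ip:port hostname` list format and the sample list are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the address space you are responsible for (documentation ranges).
OUR_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]

# Assumption: labels that commonly mark residential subscriber hostnames.
RESIDENTIAL_HINTS = re.compile(
    r"(^|[.\-])(adsl|dsl|cable|dialup|dhcp|pool|cpe|dyn)([.\-\d]|$)", re.I)

# Assumed list format: "ip:port" optionally followed by a reverse-DNS name.
ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:\s+(\S+))?$")


def parse_proxy_list(text):
    """Split a proxy list into valid (ip, port, hostname) entries and rejected lines."""
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = ENTRY.match(line)
        try:
            if match is None:
                raise ValueError("unrecognised line")
            ip = ipaddress.ip_address(match.group(1))  # rejects octets over 255
            port = int(match.group(2))
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except ValueError:
            rejected.append(line)
            continue
        entries.append((ip, port, match.group(3) or ""))
    return entries, rejected


def review(entries):
    """Annotate each entry with the indicators the article mentions."""
    findings = []
    for ip, port, host in entries:
        net = next((n for n in OUR_RANGES if ip in n), None)
        findings.append({
            "ip": str(ip),
            "port": port,
            "in_our_range": str(net) if net else None,   # ISP view: one of ours
            "high_port": port > 1024,                     # typical of covert installs
            "residential_name": bool(RESIDENTIAL_HINTS.search(host)),
        })
    return findings


# Constructed sample list, not taken from any real proxy site.
SAMPLE_LIST = """
# ip:port  reverse-dns
203.0.113.25:8080 cpe-203-0-113-25.cable.example.net
192.0.2.14:3128 proxy.example.org
198.51.100.200:6588 host200.adsl-pool.example.com
198.51.100.20:80
999.1.1.1:8080
192.0.2.99:70000
"""

if __name__ == "__main__":
    entries, rejected = parse_proxy_list(SAMPLE_LIST)
    for finding in review(entries):
        print(finding)
    print("rejected:", rejected)
```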

 

References & Footnotes:

joat: 13:00:00 23 Jan 2005


Persistence of Vision 23 Jan
I know someone at 757 is working on one of these but don't remember (off the top of my head) who it is that's working on it. This project is also interesting in that Michael attempts to run a gray-scale image through the device.

joat: 13:00:00 23 Jan 2005


Sat, 22 Jan 2005

SQL Injection 22 Jan
Steve Friedl (UnixWiz.net) has a piece entitled "SQL Injection Attacks by Example" which discusses the hows, and how to protect against, of SQL injection attacks.

joat: 13:00:00 22 Jan 2005


Fri, 21 Jan 2005

WTF? 21 Jan
What is Network Solutions up to now? All of a sudden I cannot SSH into a friend's site. A close look reveals that the IP address attached to the hostname has changed. An even closer look shows that the IP address belongs to Network Solutions, the registrar my friend used to purchase his domain name.

Pointing a browser at his web site's hostname still pulls up the usual pages but it now goes through what appears to be a proxy at Network Solutions. Pointing SSH at the IP address works normally.

I haven't had time to consider the issues that this little trick creates but I'm uncomfortable with the thought of it. If the site handled anything relating to financial, personal, or health data (or if it had anything to do with HTTPS or SHTTP), I would recommend legal sanctions.

joat: 13:30:00 21 Jan 2005


Who protects the Internet? 21 Jan
A 10-year old asked Susan, "Who protects the Internet?". She and Dana Epp have addressed parts of the answer. Having "been there", I would like to add another.

There are also loosely knit groups (organizations?) of system admins, network admins, and security officers. Some are nothing more than phone numbers on a call list, others are semi-elite groups which require at least two members to vouch for a newcomer. I actually miss being part of that "network", having been promptly culled after switching jobs.

Believe it or not, there really are Morlocks under there, keeping the lights on and the network from collapsing under its own weight. On the next SysAdmin Day, consider giving a gift certificate from the local sub shop to your security geeks too (they're probably too busy to be able to go out to lunch as a group).

joat: 13:00:00 21 Jan 2005


Thu, 20 Jan 2005

Deep Packet Inspection 20 Jan
Let me take advantage of the disabled comment functions and fan the flames of the Deep Packet Inspection (DPI) argument. Security Focus has a good explanation of the shortcomings of DPI. I've said it before and I'll say it again: DPI is not a substitute for application layer proxies. DPI is what you use when you're willing to trade a bit of security for larger throughput for not so much money. Please refer to the article for the arguments.

joat: 13:00:00 20 Jan 2005


Wed, 19 Jan 2005

DoS terms 19 Jan
Linux Exposed has a short piece which explains a few denial of service terms.

joat: 13:00:00 19 Jan 2005


Tue, 18 Jan 2005

Firewall Theory 18 Jan
Linux Exposed has a good article which discusses basic Linux firewall theory.

joat: 13:00:00 18 Jan 2005


Mon, 17 Jan 2005

Social Engineering 17 Jan
Hack In The Box (HITB) has an article which discusses what they call Social Engineering. I think they've stretched the title a bit too far to cover what they're discussing.

Social Engineering is the art of getting what you want via verbal and situational trickery. What the article is about is Intelligence Gathering.

joat: 13:30:00 17 Jan 2005


Patents opened 17 Jan
You may want to note that Samba is affected by IBM's recent patent action. In my usual no-good-deed-goes-unpunished skepticism, we may see a few lawsuits against IBM because of it. Remember, there are things in those patents that were developed in conjunction with other companies. SMB makes a good example in that the protocol was developed by MS and IBM.

joat: 13:00:00 17 Jan 2005


Sun, 16 Jan 2005

Comments offline again 16 Jan
Please note that the comment system is offline again. It took a little bit but at least one spammer has caught on and adapted his software to my changes. I need to make at least one part of the software polymorphic, something in the form of "please type in what you see" or some other function.

I'll be experimenting with the code over the next few days (weeks?) so please accept my apologies ahead of time. If you have anything important that you'd like to add to a post, email it to me (j-o-a-t-@-7-5-7-.-o-r-g) and I'll manually append it to the post.

joat: 20:34:20 16 Jan 2005


Honeypot Trend Analysis 16 Jan
Last month the Honeynet Project published a paper that will surely fan the flames of just about any which-is-better argument. In short, the project claims that, for unpatched systems, the life expectancy for MS-based systems continues to decrease while the same for Linux-based systems has greatly increased (MS lost a few minutes, Linux gained a couple months).

I don't know that I agree with the possible reasons that they listed. They completely ignored statistics on malicious code. It'll make for a good loud-conversation-starter at the next Internet Professionals meeting though.

joat: 13:30:00 16 Jan 2005


Huh? 16 Jan
A certain analyst says that the iPod has almost reached icon status. I say that a certain analyst has almost made it out of the 90's.

While Apple is likely to lose their market share (there's nowhere to go but down?), I think that they reached icon status prior to the millennium. The trick is now to add features/capabilities to existing products (to get users to buy those upgrades) or to come out with the next-best-thing so that those same users will buy it when their current iPods wear out.

joat: 13:00:00 16 Jan 2005


No op 16 Jan
Apologies to anyone that tried to access the blog in the last 4-5 hours. The visitors module had logging problems and caused the blog to hang. As you can see, it's back up.

joat: 05:30:00 16 Jan 2005


Sat, 15 Jan 2005

I'm back 15 Jan
I'm back from DC. Just looked at my backlog and I have at least a couple days work ahead of me.

The class was fun (I passed). Did miss my own coffee though.

I did remember why I don't like staying in DC: the local tv. Due to the extremely high level of politics built into the city's existence, the local tv tends to include access to groups that the rest of the country would consider a bit "out there". 'Nuff said?

Now back to work...

joat: 14:31:26 15 Jan 2005


Fri, 14 Jan 2005

Malware Analysis Tutorial 14 Jan
Here's a Malware Analysis Tutorial from the University of Louisiana at Lafayette.

joat: 13:00:00 14 Jan 2005


Thu, 13 Jan 2005

Philippe Biondi 13 Jan
Here's Philippe Biondi's home page. He has some interesting looking projects/programs. Of special interest to me is EtherPuppet, which may allow me to work around some of the processing limitations of my 54G's.

joat: 13:00:00 13 Jan 2005


Wed, 12 Jan 2005

HWGA 12 Jan
Here we go again. I knew it couldn't last forever. The spammers have adapted to the changes I made to the comment system so I'll be tweaking it again this weekend.

joat: 13:34:51 12 Jan 2005


French Honeynet 12 Jan
Here's the home page for the French Honeynet Project. Check out the papers, reports, and tools links!

joat: 13:00:00 12 Jan 2005


Tue, 11 Jan 2005

Odd Google Entry 11 Jan
This is a bit odd. While doing research for my class, I found an interesting site. While the front page (http://tanaya.net) is a religious site, behind it lurks a few other things.

The research involved researching a company which had recently emerged from Chapter 11. In looking at Google's content relating to the company I came across http://tanaya.net/dns/.

Try it out for yourself, using the first three octets of your company's IP space. Example: http://tanaya.net/dns/10/10/5.text.

Turns out this listing is supposedly generated by the Bulldog firewall. As the dates on the files are not that old, I assume these are updated periodically. It looks like the entire IP space. Interesting that someone would put that much work into tracking something as fluid as the Internet.

joat: 20:16:16 11 Jan 2005


Santy Analysis 11 Jan
SIG^2 G-TEC has a two-part analysis of the Santy Worm(s): 21DEC and 26DEC.

joat: 13:00:00 11 Jan 2005


Mon, 10 Jan 2005

Another Security Diary 10 Jan
The SIG^2 G-TEC Honeynet Project has a daily diary in the same style as the ISC Handler's Diary. Here's the RSS feed.

joat: 13:00:00 10 Jan 2005


Sun, 09 Jan 2005

Spam Engine Analysis 09 Jan
Here's a quick analysis that Brian Eckman performed on a machine that was discovered spewing spam into the Internet.

joat: 13:30:00 9 Jan 2005


Useful LaTeX Tricks 09 Jan
I don't get to blog the LaTeX category all that often (I haven't touched any of those projects in awhile) but Ariya Hidayat has a page for Useful LaTeX Tricks.

joat: 13:00:00 9 Jan 2005


Sat, 08 Jan 2005

Honeynet Diary Entry 08 Jan
The 4 Jan entry for the Honeynet Project Handler's Diary is pretty interesting. It talks about unusual TCP/4899 (radmin) traffic and UDP/1026 and 1027 (Windows messenger) traffic. (Not to be confused with Instant Messenger traffic.)

joat: 19:00:00 8 Jan 2005


MS Anti-Spyware Beta 08 Jan
Has anyone actually tried out the beta for MS's Anti-Spyware Tool? If so, what are your impressions of it?

joat: 17:00:00 8 Jan 2005


Virtual Honeypotting Basics 08 Jan
Here's a piece by Kurt Seifried which discusses the basics of "honeypotting" with VMware.

joat: 13:30:00 8 Jan 2005


Ben Gross 08 Jan
Ben Gross has a good link list of security-related items.

joat: 13:00:00 8 Jan 2005


Fri, 07 Jan 2005

VMware Honeypots 07 Jan
Here's a Linux Voodoo article entitled "Building Virtual Honeynets using VMware". It's a couple years old but still valuable.

joat: 13:30:00 7 Jan 2005


IA&W SOP 07 Jan
Here's the NIPC's Indications, Analysis & Warning Program SOP.

joat: 13:00:00 7 Jan 2005


Thu, 06 Jan 2005

Reverse Engineering Malware 06 Jan
Here's Lenny Zeltser's paper entitled "Reverse Engineering Malware" that he did for the SANS GCIH certification.

joat: 13:30:00 6 Jan 2005


Security Forest 06 Jan
(Not sure how I found this one) SecurityForest.com is an interesting use of the MediaWiki to produce an InfoSec-related site.

joat: 13:00:00 6 Jan 2005


Wed, 05 Jan 2005

Rada Analysis 05 Jan
Here's an analysis of the Rada backdoor which was performed as part of the September '04 Scan of the month.

joat: 13:30:00 5 Jan 2005


Auditor CD 05 Jan
WindowsITPro has a good article describing the Auditor Security Collection CD. A Knoppix variant (which this is) is one of those tools that any Microsoft admin should learn to use, especially because it's not MS. It allows you to do and learn "new things" and gets you out of the purist mindset. As an analogy: Craftsmen makes very good tools (the replacement policy is a plus too) but sometimes the best tool for the job is a Starrett Micrometer.

In any case, the article reviews the various tools available on the CD (this collection is "aimed" at the security auditor).

joat: 13:00:00 5 Jan 2005


Tue, 04 Jan 2005

Virtual Evidence Handling? 04 Jan
Here's a paper from the U.S. Customs Service entitled "Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer". It can also be used for specific types of non-law-enforcement analysis. -- Tim Kramer

joat: 13:30:00 4 Jan 2005


Maximillian Dornseif 04 Jan
Maximillian Dornseif presented three lectures at 21C3 (21st CCC) which are available online:
  • Hidden Data in Internet Published Documents
  • Hacking with Fire
  • The Art of Fingerprinting

His other papers/presentations are also available on that site. Note: You may need to run a few of them through a translator.

joat: 13:00:00 4 Jan 2005


Mon, 03 Jan 2005

Monitoring VMWare Honeypots 03 Jan
Here's a paper by Ryan Barnett describing how to monitor VMware-based honeypots.

joat: 13:30:00 3 Jan 2005


Security-Lists.org 03 Jan
Abe Usher has launched Security-Lists.org "in an effort to provide a centralized location for finding the latest trends and cutting edge issues in the information security community." For now, it just has a list of mailing lists but I expect that this will be a useful site.

joat: 13:00:00 3 Jan 2005


Sun, 02 Jan 2005

Spammers List 02 Jan
Here's the list of spammers for yesterday. I cannot guarantee the accuracy of this list. These are just the IPs attempting to access the old comment system that doesn't live here anymore.


joat: 19:30:02 2 Jan 2005


No op 02 Jan
For those of you that notice the small table on the bottom right, you'll see that I've blogged entries for almost the next two weeks. I'm going to be busy this week, in DC next week (studying for yet another test and playing tourist)(periods of spotty Internet access predicted!), home for two weeks and back in DC for the ShmooCon. Add in ISSA, TWUUG, a coding project, starting next semester's classes and I end up having very little blogging time, at least during January.

I wanted to take the pressure off of having at least one daily entry, so I cheated and blogged a bunch of stuff from my "hold" pile. As a result, most of it is honeypot and/or malicious code analysis related. Please accept my ahead-of-time apologies for the narrowed "theme".

joat: 17:00:00 2 Jan 2005


DNS Black Ops 02 Jan
It's somewhat of an old topic but (thanks to Autoblogiographie and the 21st CCC) Dan Kaminsky has posted his slides from his "Black Ops of DNS" lecture. We'll probably see this lecture or something similar at the ShmooCon next month.

joat: 13:00:00 2 Jan 2005