(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.
Mon, 31 Oct 2005

Cron 31 Oct
Note to self: add "Am I Being Run by Cron?" to Wiki.

joat: 21:30:00 31 Oct 2005


Sun, 30 Oct 2005

HackerPort 30 Oct
HackerPort is a project intended to design a USB I/O interface. Something to keep an eye on.

joat: 13:00:00 30 Oct 2005


Sat, 29 Oct 2005

Cookie Info 29 Oct
InfoSec Writers has a piece on cookies.

joat: 14:00:00 29 Oct 2005


Fri, 28 Oct 2005

Free OS's 28 Oct
Tripped across this listing of free operating systems while checking up on BeOS. Count how many you've heard of. I've heard of 16 of them and used 6.

joat: 12:00:00 28 Oct 2005


HRSUG 28 Oct
David Bianco, a friend and former SANS mentor of mine, has announced the formation of the Hampton Roads Snort Users Group. The first meeting is slated for 7 p.m., Dec. 1st at the Williamsburg Regional Library, 515 Scotland Street, in Williamsburg, VA. The speaker will be Jason Brvenik from Sourcefire.

Please read the announcement (link is above) for more info.

joat: 12:00:00 28 Oct 2005


Thu, 27 Oct 2005

Stand by to shoot yourself in the foot 27 Oct
The Register has an article which describes Microsoft's plan to dump SSLv2 for TLSv1 in IE7. While their intentions are good, it's the following that piques my funny bone:

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates.

Along with their increase in security, I hope Redmond has increased their attention to detail. Anyone remember certain lapses in ownership of certain domains in the recent past? There's only so many honest people, like Steve Cox or Michael Chaney, out there. There's a lot more dishonest people out there looking to create mischief or earn a quick buck.

My offer to Mr. Gates (to host cron'd reminders for domain renewal) still stands if he wants it. (heh)

joat: 12:00:00 27 Oct 2005


Wed, 26 Oct 2005

X-Lite and Wine 26 Oct
Just spent a half-hour or so playing around with the X-Lite soft phone, getting it to run under Wine. The good news is that it works. The bad news is you may be limited to running it under KDE. It works under AfterStep but sometimes the menus don't pop up properly and it attempts to use a couple "hooks" in AfterStep that aren't there. It works under KDE but KDE isn't exactly my favorite WM.

In any case, notes are in the Wiki.

joat: 12:00:00 26 Oct 2005


Tue, 25 Oct 2005

Now that's funny 25 Oct
Here's a Ballmer quote (about Vista): "Most people will trust it from day one on their home computer..." I reserve the option to make further comment at a later date.

joat: 12:00:00 25 Oct 2005


Mon, 24 Oct 2005

Securing Your Network 24 Oct
Whitedust has an article which discusses the maintenance of your network's security by being familiar with what "normal" is.

Just about the only point in the article that I disagree with is in the opening sentence: "While not absolutely required, it is ideal to have working knowledge of how an Ethernet network operates from a low-level perspective." I strongly disagree with this. It is imperative that you be familiar with your network to be able to operate it securely.

joat: 12:00:00 24 Oct 2005


Sun, 23 Oct 2005

Slowing down scans 23 Oct
A friend was recently concerned about the high number of inbound port 22 (SSH) connections he was getting. Another TWUUG'er suggested using iptables to slow down the brute force attacks (it uses the "recent" module). I've added the config to the wiki.

joat: 12:00:00 23 Oct 2005


Sat, 22 Oct 2005

Too many ads 22 Oct
I was looking for info on 802.11i and came across this site. I'm sorry but, regardless of the quality of the information available via the site, I won't use sites like that. (Notice that actual content on the site takes up less than a 1/3rd of the page. The rest is Google Ads.)

joat: 14:07:16 22 Oct 2005


Captchas 22 Oct
Here's a site that discusses the effectiveness of various Captcha schemes.

joat: 12:30:00 22 Oct 2005


Fri, 21 Oct 2005

Bloglines 21 Oct
Bloglines has made some small-but-important modifications to its site. One maps navigation keys to the page, so that you can move through articles or folders without having to use the mouse.

The new feature I appreciate the most is the change to the new message count. It's now a combination display of new messages and keep-as-new messages. Example: (2:5). It's a small thing but saves me a lot of time while navigating their site.

joat: 12:00:00 21 Oct 2005


Thu, 20 Oct 2005

Blackdog 20 Oct
Well, the lack of controls on the USB interface is finally being exploited. The BlackDog product runs Linux on a USB device and pops up windows on Windows (no reboots needed). The device can even (supposedly) access any network that the host computer has access to. If you "do" security, this should scare the crap out of you. The video of the demo and the FAQ are interesting.

joat: 22:53:46 20 Oct 2005


More memory 20 Oct
Adding memory to my old junker improved things so well that my wife broke her long standing rule (of me not touching her computer) and had me do the same for hers. Between that and the new USB printer server (both of which I got out of clearance bins at local stores), I've gained mega-spouse points! (heh)

joat: 20:30:00 20 Oct 2005


Wed, 19 Oct 2005

Repaired? 19 Oct
The comments function should be fixed, for now. The disk is still short on space so it may pop up again.

joat: 12:30:00 19 Oct 2005


XP Shutdown 19 Oct
I checked today and I still have a lot of extra gas in my spleen so I guess I'll vent again...

What bright mind decided that the time to install updates is during the shutdown process? We use XP as the host systems for VMs at school. The class ran a little late and we were asked to help by shutting down and removing the hard drives. Nothing like noticing "Installing 1 of 9" in response to your clicking on "Shutdown".

Grr...

joat: 12:00:00 19 Oct 2005


Tue, 18 Oct 2005

Worm radar 18 Oct
The Worm Radar site might be valuable during the next major outbreak.

joat: 12:00:00 18 Oct 2005


Mon, 17 Oct 2005

Shmoo topics posted 17 Oct
For those not paying close attention, the Shmoo Group has chosen some of the topics for the Spring Con.

joat: 21:45:00 17 Oct 2005


Standards! Standards!! Standards!!! 17 Oct
I panicked, earlier, when I checked this morning's post and saw that each of the enumerated items all started with "1.". Chalking it up to too-many-hours-typing-into-a-Wiki, I'd intended to fix it from class this evening. Now that I have a non-IE browser pointing at it, I realize that I hadn't hosed the post. Rather, it was IE's lack of standards compliance (it didn't recognize the <ol> tag properly) that caused the crappy looking entry.

Heads up MS, that's standard HTML that your browser isn't recognizing!

Embrace-and-extend? [*snicker*] Someone remind me to grab screen shots tomorrow!

Update: Here they are... The one on the left is Firefox. The one on the right is IE.

'Nuff said?

joat: 21:40:00 17 Oct 2005


Detecting infected clients via DNS 17 Oct
Consider this as another of my you-need-to-know-what-normal-is rants.

About five years ago, a couple of us (at a previous job) wrote a script to process DNS log files to watch for systems suddenly performing massive amounts of DNS lookups. In other words, watching for infected systems.

Someone recently wrote a paper on this same topic and has received a bit of notoriety for it. There's no black art to it. It's pretty easy to kluge together.

  1. First be sure that your internal DNS server can handle a heavier load. I recommend running a dedicated server using BSDi (even an older version) because the load that BIND puts on BSDi is barely noticeable.
  2. Turn on querylog. It'll generate log entries like:
    
    Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +
    Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +
    
  3. Obviously, Perl is perfect to extract data from these log entries. Write a script to parse each line and insert the data from the line into a MySQL or Postgres database.
  4. Then use Perl, PHP, Ruby, or [insert your favorite language here] to extract the data in different "views", such as total-queries-by-client, total-queries-by-network-per-minute (or hour or day), total-individual-queries-per-minute-by-target, etc.
  5. To go along with these data "views", it's usually helpful to graph the generated metrics for simple crayon-understanding graphics. To be useful, you'll want graphs for the last hour, the last day, the last week and the last month, along with a user-configurable graph generation script, so that you (or someone else) can make quick interpretations and make comparisons to previously collected data.
  6. Finally, you'll want a script to periodically clean up the log file, either archiving it or deleting it. Running querylog full-time will generate massive log files. It may also be a good idea to write scripts to aggregate the data in the database server, keeping only generic statistical totals for data past a certain age.
  7. Collecting/analyzing metrics such as these is well within the talents of the average network admin (and is usually free). I'm amazed that companies are willing to shell out big $$$ for something as simple as this.

    If you have anything to do with network administration, this is something that you should be able to do. If you "own" a network, this is something that you want at least one of your network admin or security types to do. (Think of it as being able to gather and analyze data for troubleshooting.)
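As an added illustration of steps 2 through 4 above (this is not the script from the post, and the querylog lines it chews on are constructed), here is a small Python version of the parse-and-view stage. It keeps everything in memory instead of inserting into MySQL/Postgres, builds the total-queries-by-client and queries-per-network-per-minute views, and flags any client that suddenly issues a burst of lookups in a single minute. The internal network list and the per-minute threshold are assumptions you would tune for your own network.

```python
"""Parse BIND querylog lines and build per-client / per-minute views.

Added example, not the original post's script. The log lines below are
constructed; INTERNAL_NETS and the burst threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Matches the querylog format shown in the post; trailing flags ("+") are ignored.
QUERYLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+)"
)

# Constructed sample: a few quiet clients plus one client that fires off a
# burst of lookups for many distinct hosts inside a single minute.
_QUIET = [
    "Oct 15 09:18:37 desk named[13556]: client 127.0.0.1#33023: query: www.google.com IN A +",
    "Oct 15 09:18:56 desk named[13556]: client 192.168.2.5#1301: query: www.cisco.com IN A +",
    "Oct 15 09:19:02 desk named[13556]: client 192.168.2.5#1302: query: mail.example.org IN MX +",
    "Oct 15 09:20:11 desk named[13556]: client 192.168.2.5#1303: query: www.example.org IN A +",
    "Oct 15 09:20:40 desk named[13556]: client 10.0.0.9#4412: query: pool.ntp.org IN A +",
]
_BURST = [
    f"Oct 15 09:19:{sec:02d} desk named[13556]: client 192.168.2.77#{2200 + sec}: "
    f"query: host{sec}.example.net IN A +"
    for sec in range(3, 18)  # 15 queries, all within minute 09:19
]
SAMPLE_LOG = "\n".join(_QUIET + _BURST) + "\n"

# Assumed internal networks for the per-network view.
INTERNAL_NETS = [ip_network("192.168.2.0/24"), ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return a dict for one querylog line, or None for lines we don't recognise."""
    m = QUERYLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = f"{rec['mon']} {rec['day']} {rec['time'][:5]}"  # e.g. "Oct 15 09:19"
    return rec


def parse_log(text):
    """Parse every line of querylog text, silently skipping non-query lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def queries_by_client(records):
    """View: total queries per client IP."""
    return Counter(r["ip"] for r in records)


def queries_per_minute_by_network(records, nets=INTERNAL_NETS):
    """View: queries per (network, minute); clients outside `nets` fall under 'other'."""
    counts = Counter()
    for r in records:
        addr = ip_address(r["ip"])
        net = next((str(n) for n in nets if addr in n), "other")
        counts[(net, r["minute"])] += 1
    return counts


def distinct_targets_per_minute_by_client(records):
    """View: how many different names each client asked about per minute."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["ip"], r["minute"])].add(r["name"].lower())
    return {k: len(v) for k, v in seen.items()}


def noisy_clients(records, threshold=10):
    """Clients that issued more than `threshold` queries within one minute."""
    per_min = Counter((r["ip"], r["minute"]) for r in records)
    return sorted((ip, minute, n) for (ip, minute), n in per_min.items() if n > threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in queries_by_client(recs).most_common():
        print(f"{ip:16} {n}")
    for ip, minute, n in noisy_clients(recs):
        print(f"ALERT {ip} made {n} queries in minute {minute}")
```

The per-minute threshold is the knob that encodes "what normal is" for your network: set it from a week or so of the queries-by-client view before you start paging anyone on it, and keep the distinct-targets view alongside the raw count, since a client resolving the same name repeatedly is a different problem from one walking through hundreds of new hosts.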

joat: 12:00:00 17 Oct 2005


Sun, 16 Oct 2005

Asterisk book 16 Oct
Click here for the zipped version of "Asterisk: The Future of Telephony", published under the Creative Commons license by O'Reilly. Thanks to Asterisk Docs for pointing it out.

joat: 12:00:00 16 Oct 2005


One more thing... 16 Oct
One more thought about hash collisions: before you throw out the baby with the bath water, a quick way to improve the integrity of your checksums is to use both MD5 and SHA-1. A collision in both algorithms at once is still theoretically possible, but the odds are astronomically small.

joat: 12:00:00 16 Oct 2005


Sat, 15 Oct 2005

I'm popular 15 Oct
This is supposedly from the author of the recent MySpace worm, with a link to the technical explanation and code. It's interesting in the same way the WoW virtual blood plague was.

joat: 21:40:00 15 Oct 2005


Zotob 15 Oct
Arachnid has a quick piece on the recent Zotob worm.

joat: 21:00:00 15 Oct 2005


p0f 15 Oct
Linux.com has an article discussing a benign use for p0f: gathering information about what's running on the sites that you're visiting. The data that you gather might be completely useless, or you might find a use for it, or it might provide a bit of entertainment. I think the major benefit is that you gain experience when you perform experiments such as this.

joat: 20:30:00 15 Oct 2005


Fri, 14 Oct 2005

Nessus 14 Oct
Dana Epp has some comments about Nessus's movement towards closed source. While I cannot justify my feelings in the same manner that Dana can, I did contribute to the project (a couple measly signatures) and feel just as betrayed as I did with NFR and the CDDB. For each of these projects, I contributed data to support an open community and the owner decided to profit by moving the project away from the user community supporting it.

joat: 20:30:00 14 Oct 2005


Thu, 13 Oct 2005

Salted Hashes 13 Oct
Infosec Writers has an article that explains the basic theory of salted (seeded) hashes, including SHA-1 and MD5.

joat: 20:30:00 13 Oct 2005


Wed, 12 Oct 2005

Wiki stats 12 Oct
In cleaning up the orphaned pages in the wiki on the new server, I got to looking at the page stats. What's odd is the #1 entry:
  1. Glossary (5550 views)
  2. Main Page (3078 views)
  3. Anonymous Proxies (2067 views)
  4. Asterisk (1735 views)
  5. Looking Up UPC Codes (1228 views)
  6. Looking Up Vehicle ID Numbers (VINs) (1094 views)
  7. Perl - MSN IM Sniffer (1092 views)
  8. IPv6 on the WRT54G via OpenWRT (864 views)
  9. The Firewall Toolkit (FWTK) (818 views)
  10. IPod Stuff (807 views)

Could it be caused by the inclusion of sexual fetish descriptions in the glossary? If so, then y'all are some sick puppies. (heh)

joat: 20:45:00 12 Oct 2005


D'oh 12 Oct
Don't you just love catching yourself doing something stupid? I managed to troubleshoot my IPv6 routing issue in about 10 seconds once I started to look at it. (Thanks to Wes for prompting me to do it.) The fix is to not add the following to /etc/init.d/rcS. Rather, create a file called /etc/init.d/S99tunnel and put it there:
  #!/bin/sh

  #/bin/mkdir -p /var/log/
  # set the clock from NTP in the background
  ntpclient -h pool.ntp.org -l -s &

  # set up the IPv6 tunnel
  # grab the WAN (vlan1) IPv4 address: take the "inet" line, drop the /prefix, keep the address field
  MYIPADDR=`ip addr show vlan1|grep "inet "|cut -d\/ -f 1|cut -d \  -f 6- `
  echo $MYIPADDR > /etc/myipaddr
  #MYSCND=`cat /etc/myipaddr`
  #echo $MYSCND > /etc/my2ipaddr
  echo $MYIPADDR
  # 6in4 (sit) tunnel to the he.net tunnel server; our end is the WAN address found above
  ip tunnel add he.net mode sit remote 64.71.128.82 local $MYIPADDR ttl 255
  ip link set he.net up
  # our side of the tunnel's point-to-point link, then default IPv6 route through the tunnel
  ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
  ip route add ::/0 dev he.net
  ip -f inet6 addr
  # routed /64 on the LAN side (eth1), enable forwarding and start router advertisements
  ip -6 addr add 2001:470:1F00:911::1/64 dev eth1
  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  radvd
  # give the addresses time to settle, then restart dnsmasq bound to the LAN interface
  sleep 15
  killall dnsmasq
  dnsmasq -i eth1

joat: 20:30:00 12 Oct 2005


Tue, 11 Oct 2005

NSLU2 11 Oct
I think I have my next toy targeted: the Linksys NSLU2 (Network Storage Link for USB 2.0). The local TWUUG'ers have pointed out the existence of custom firmware. Hey Santa: hint, hint!

joat: 12:00:00 11 Oct 2005


Mon, 10 Oct 2005

Crazy Hacks 10 Oct
There are some interesting projects over on Crazy Hacks. There's also evidence that somebody has way too much time on their hands: why in the world would you want to write Perl programs in Latin?

joat: 12:00:00 10 Oct 2005


Sun, 09 Oct 2005

Comments off 09 Oct
Until such time that the site moves to the new server (or the old one gets its issues fixed), comments are going to be a dicey thing to use. Anything left in comments over the last two weeks has not been saved. I apologize for any inconvenience. If there's a comment that you want to add to the site, it might be easier to email me directly (joat@guess.where).

joat: 20:30:00 9 Oct 2005


AntiExploit 09 Oct
Looks intriguing. Anyone know if it conflicts with similar protection schemes running at the same time?

joat: 12:00:00 9 Oct 2005


Sat, 08 Oct 2005

Malware database 08 Oct
The link to the Nepenthes database (yesterday's post) led through Aachen University's malware database. I have high hopes for this.

joat: 20:30:00 8 Oct 2005


Fri, 07 Oct 2005

Malicious Code Visualization 07 Oct
While following a link in Antlab, I came across the malicious code visualization published by the Nepenthes people.

joat: 20:30:00 7 Oct 2005


Thu, 06 Oct 2005

802.11e 06 Oct
Heads up! 802.11e (aka QoS for Wireless) is on the streets.

joat: 12:00:00 6 Oct 2005


Wed, 05 Oct 2005

Wobbling 05 Oct
Trivia question: When do 2000 1k (or less) blog entries eat up more disk space than 30 100K pictures?

The-powers-that-be say that the new server is waiting on some hardware. In the meantime, this one continues to wobble. I'll attempt to trim the site at the same time I'm posting but, with the current configuration, there's a limit.

The good news is that the site is mirrored here if the inode problem surfaces again. The bad news is that the mirror may be taken offline periodically to have "stuff" added to it.

joat: 07:39:16 5 Oct 2005


Tue, 04 Oct 2005

BlueTraq 04 Oct
The Trifinite group has a new mailing list devoted to BlueTooth security.

joat: 12:00:00 4 Oct 2005


Mon, 03 Oct 2005

PDA Forensics 03 Oct
Here's NIST's guide for PDA forensics.

joat: 12:00:00 3 Oct 2005


Sun, 02 Oct 2005

Risk 02 Oct
Another rambling post...

I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.

Purists will be offended that I've said that but, in reality, most businesses operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintaining protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tying asset cost to the risk formula: the missing business costs.

Think of it this way: you have a web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?

If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)

If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.

If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practitioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allow operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.

Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?

joat: 12:00:00 2 Oct 2005


Sat, 01 Oct 2005

Shmoo 01 Oct
Heads up! Today is the last day to get your $75 ShmooCon tickets (got mine last night). Tomorrow they're $150 each.

joat: 12:00:00 1 Oct 2005

