Monday, June 30, 2003

Editing c:\windows\system32\drivers\etc\hosts

My ISP is having some teething problems with its "upgrade." I needed to point name resolution for www.comcast.net at the one server they operate that is working, rather than the default server, which isn't. Following this tip I edited c:\windows\system32\drivers\etc\hosts:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
63.240.76.72 www.comcast.net

Security Checklist for FreeBSD 4.8

While reading the BSDforums I learned of a new security checklist for FreeBSD 4.8. You can read the thread behind this doc. It's a work in progress and may help out the FreeBSD security initiative at CISecurity.

Odd Activity in Argus Logs

Checking my Argus logs this morning, I noticed a few odd scans. The first is to port 2 TCP, which according to the Internet Storm Center is becoming popular:


16 Jun 03 03:12:08 tcp 24.96.49.46.4396 -> my_IP.2 TIM
23 Jun 03 07:59:05 tcp 220.120.31.233.4900 -> my_IP.2 TIM


I'm also seeing scans to port 57 TCP, which has history dating to Oct 02 and Nov 02 and is a signature of a tool called FX-Scanner (analysis). Apparently port 57 is used as a host discovery mechanism. Here are three examples.


First, recon for port 1433 TCP:


12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM
12 Jun 03 18:22:17 icmp 161.53.40.97 <-> my_IP ECO
12 Jun 03 18:23:04 tcp 161.53.40.97.1217 -> my_IP.1433 TIM
12 Jun 03 18:25:08 tcp 161.53.42.46.2036 -> my_IP.57 TIM
12 Jun 03 18:25:08 icmp 161.53.42.46 <-> my_IP.55 ECO
12 Jun 03 18:25:55 tcp 161.53.42.46.3590 -> my_IP.1433 TIM


Next, recon for ports 80 and 21 TCP:


18 Jun 03 15:02:53 tcp 67.116.81.237.3836 -> my_IP.80 TIM
18 Jun 03 15:03:14 tcp 67.116.81.237.4067 -> my_IP.57 TIM
18 Jun 03 15:02:53 icmp 67.116.81.237 <-> my_IP ECO
18 Jun 03 15:03:35 tcp 67.116.81.237.4325 -> my_IP.21 TIM


Third, recon for ports 1433 and 445 TCP:


19 Jun 03 11:35:14 tcp 4.40.163.36.1951 -> my_IP.57 TIM
19 Jun 03 11:35:38 tcp 4.40.163.36.1725 -> my_IP.1433 TIM
19 Jun 03 11:35:13 icmp 4.40.163.36 <-> my_IP ECO
19 Jun 03 11:37:50 tcp 4.40.163.36.2221 -> my_IP.445 TIM


I'm also seeing recon for 3410 TCP. This has only picked up in the last few days. It appears to be associated with the Backdoor.OptixPro.13:


18 Jun 03 01:03:52 tcp 68.120.129.51.4730 -> my_IP.3410 TIM
19 Jun 03 08:30:49 tcp 207.190.78.253.1414 -> my_IP.3410 TIM
19 Jun 03 17:27:04 tcp 68.113.237.250.2200 -> my_IP.3410 TIM
22 Jun 03 15:27:27 tcp 12.247.109.85.1055 -> my_IP.3410 TIM
26 Jun 03 19:25:01 tcp 68.41.93.143.3327 -> my_IP.3410 TIM
29 Jun 03 11:13:00 tcp 68.169.152.189.3554 -> my_IP.3410 TIM
29 Jun 03 12:09:59 tcp 68.61.193.97.1707 -> my_IP.3410 TIM
29 Jun 03 12:40:17 tcp 68.78.131.6.1730 -> my_IP.3410 TIM
30 Jun 03 00:56:29 tcp 64.83.224.72.2246 -> my_IP.3410 TIM
30 Jun 03 02:38:13 tcp 217.231.192.242.4191 -> my_IP.3410 TIM
30 Jun 03 03:29:07 tcp 65.30.207.110.2940 -> my_IP.3410 TIM
30 Jun 03 04:02:53 tcp 24.126.135.126.1500 -> my_IP.3410 TIM
30 Jun 03 04:51:57 tcp 24.79.19.59.1319 -> my_IP.3410 TIM
30 Jun 03 05:30:51 tcp 81.103.33.198.1395 -> my_IP.3410 TIM
30 Jun 03 07:53:05 tcp 68.12.239.185.4690 -> my_IP.3410 TIM
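As an added example (not part of the original post), here is a small Python script that parses Argus-style lines like the ones above and applies the two checks discussed: a TCP/57 probe followed within a few minutes by a connection attempt from the same source to another port (the host-discovery pattern attributed to FX-Scanner), and a count of distinct sources per destination port, which is how a port such as 3410 suddenly attracting many unrelated hosts stands out. The log lines embedded below are constructed to match the post's excerpts, and the five-minute window is an assumption.

```python
"""Flag TCP/57 host-discovery recon and per-port source counts in Argus ra output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, laid out like the Argus excerpts in the post.
SAMPLE_LOG = """\
12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM
12 Jun 03 18:22:17 icmp 161.53.40.97 <-> my_IP ECO
12 Jun 03 18:23:04 tcp 161.53.40.97.1217 -> my_IP.1433 TIM
18 Jun 03 15:02:53 tcp 67.116.81.237.3836 -> my_IP.80 TIM
18 Jun 03 15:03:14 tcp 67.116.81.237.4067 -> my_IP.57 TIM
18 Jun 03 15:03:35 tcp 67.116.81.237.4325 -> my_IP.21 TIM
18 Jun 03 01:03:52 tcp 68.120.129.51.4730 -> my_IP.3410 TIM
19 Jun 03 08:30:49 tcp 207.190.78.253.1414 -> my_IP.3410 TIM
20 Jun 03 10:00:00 tcp 10.0.0.5.4000 -> my_IP.57 TIM
"""

# "12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<proto>\w+) +(?P<src>\S+) +(?P<dir><->|->|<-) +(?P<dst>\S+) +(?P<state>\w+)$"
)

DISCOVERY_PORT = 57  # the port the post identifies as the host-discovery probe


def split_host_port(addr, proto):
    """Argus writes host.port for TCP/UDP; ICMP records carry no port."""
    if proto not in ("tcp", "udp") or "." not in addr:
        return addr, None
    host, _, port = addr.rpartition(".")
    return (host, int(port)) if port.isdigit() else (addr, None)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    src, sport = split_host_port(m.group("src"), proto)
    dst, dport = split_host_port(m.group("dst"), proto)
    return {
        "time": datetime.strptime(m.group("ts"), "%d %b %y %H:%M:%S"),
        "proto": proto, "src": src, "sport": sport,
        "dst": dst, "dport": dport, "state": m.group("state"),
    }


def parse_log(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    return events


def find_port57_recon(events, window=timedelta(minutes=5)):
    """Sources that probed TCP/57 and, within `window` on either side of that
    probe, also touched another TCP port. Returns {src: sorted follow-on ports}."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        probes = [e["time"] for e in evs if e["dport"] == DISCOVERY_PORT]
        if not probes:
            continue
        follow = {e["dport"] for e in evs
                  if e["dport"] != DISCOVERY_PORT
                  and any(abs(e["time"] - t) <= window for t in probes)}
        if follow:
            hits[src] = sorted(follow)
    return hits


def sources_per_port(events):
    """Distinct probing sources per destination TCP port; a port that many
    unrelated hosts start hitting (3410 in the post) stands out here."""
    seen = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] is not None:
            seen[e["dport"]].add(e["src"])
    return {port: len(srcs) for port, srcs in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, ports in find_port57_recon(evs).items():
        print(f"{src}: TCP/57 probe with follow-on ports {ports}")
    print("distinct sources per port:", sources_per_port(evs))
```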

Sunday, June 29, 2003

TaoSecurity Web Down

My TaoSecurity web site is down while my hosting provider upgrades its servers. Estimated return to service is by Monday morning at the latest.

Les Cottrell Network Monitoring Tools

Les Cottrell maintains a comprehensive list of network monitoring tools. He responds to email if you'd like to suggest additions. CAIDA (Cooperative Association for Internet Data Analysis) also lists tools.

Thursday, June 26, 2003

Packet Creation Tools

Looking for packet creation tools on UNIX? Nemesis and Hping have been around for three years, while Packit is a newcomer from earlier this year. You can find the FreeBSD ports for all of these at FreshPorts. Others exist but these are some of my favorites. I've used IPSorcery on Linux. Windows users can check out Komodia and lcrzoex (which also runs on UNIX).

Anton Chuvakin profiles TaoSecurity Blog

Anton Chuvakin wrote this blog entry profiling my blog. Thanks Anton! Also, his blog made me aware that the former Psionic tools (acquired by Cisco in Oct 02) are available at Sourceforge. Cisco makes some of the tools available on their site, like Cisco Threat Response (formerly Clear Response), mentioned by Craig Rowland.

Support for Windows NT 4.0

Wondering how long your copy of Windows NT 4.0 will be supported? Visit the Microsoft Lifecycle site. Look here for the quick answer.

IPv6 in DoD

Time to learn IPv6. According to this article: "John Osterholz, director of architecture and interoperability for the Department of Defense, told a gathering of technology elite that the DoD would phase out purchases of IPv4 network technologies by this fall and would instead begin trials of equipment and applications based on the new IPv6 protocol for the Internet within 30 days."

2003 Recent Advances in Intrusion Detection

The 2003 Recent Advances in Intrusion Detection (RAID) conference will be held in Pittsburgh on 8-10 Sep 03. Word on registration is forthcoming.

Chucktips

If you want to learn more about FreeBSD, visit Chucktips, which looks like Slashdot and is newbie-friendly.

RPM Tips

Although I prefer to use FreeBSD's package system, I recommend Linux users visit FreshRPMs.net or RPMfind.net for their RPM needs. If you need to install Linux software from source, but want to manage the code like an RPM, try CheckInstall.

Miscellaneous Hardware

IOGEAR has two products I need. The first is a combination Firewire and USB 2.0 CardBus adapter. The second is the COMBO ION™ drive, a 2.5" hard drive enclosure. Both are useful when doing host-based forensics.

OpenBSD Pf Scrubbing

I'm always looking for new ways to handle network traffic. I noticed that the OpenBSD Packet Filter offers scrubbing. This builds on the concepts discussed by Mark Handley and Vern Paxson, discussed at Slashdot. PF's "random-id" option should defeat Steve Bellovin's technique for counting NATed hosts. Peter Phaal of InMon wrote Detecting NAT Devices using sFlow, which relies on counting TTL values to detect NAT hosts. pf's "min-ttl" feature might obscure that tactic, according to another Slashdot thread.

Wednesday, June 25, 2003

Openroot

Want to play on a FreeBSD box? Check out OpenRoot, "a FreeBSD 4.8-stable box in which root access is given to everyone... OpenRoot is essentially a virtual machine (a jail in FreeBSD terminology) running on top of FreeBSD." You can access openroot.no-ip.org on ports 30 and 31 TCP using secure shell. Log in as user 'openroot', password 'openroot', and then 'su -' with no password. However, it doesn't appear that 'root' users have a full working environment:


openroot# ping www.google.com
ping: socket: Operation not permitted
openroot# w
12:40AM up 1 day, 14:13, 1 user, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
w: proc size mismatch (8480 total, 1064 chunks): No such file or directory
openroot# last | head
openroot ttyp0 86.84.139.55 Fri Jun 27 00:39 still logged in
openroot ttyp0 80.128.117.2 Fri Jun 27 00:17 - 00:23 (00:06)
openroot ttyp1 csa.bu.edu Wed Jun 25 02:55 - 02:55 (00:00)

wtmp begins Wed Jun 25 02:55:49 GMT 2003

Small Form Factor Sensors

I plan to roll out new firewall and network security monitoring platforms for my home lab network. For the firewall, I'm considering an "embedded" BSD solution, like OpenSoekris, m0n0wall, or m0n0BSD, which run on the popular Soekris (mailing list) embedded computers, like the net4501 and the new net4801. I like these motherboards because they're equipped with three NICs. Other Soekris-based projects include FreeBSD wireless router (more info), theWall, Linux Embedded Appliance Firewall, linux4501, Personal Linux Router Project, and Debian on the net4501. The OpenBrick project exists, although the Mini-ITX community seems to have more support, along with vendors like LinITX and Ultim8PC. This CompactFlash™ Type II Card Adapter looks useful.


For the NSM box, I'm considering a Shuttle SB52G (support, review) with Intel 845VG chipset and FB52 motherboard sold by ExcaliburPC, NewEgg, and Knowledge MicroExpress. Crucial sells memory. Other options include the Slimpro 1BayPC (manufacturer?), LittlePC, MicroPC4 and Lex Light. For more information there's the mailing.freebsd.small list, the books Embedded FreeBSD Cookbook and Designing Embedded Hardware, or Slashdot.


One issue with these small form factor devices is having enough interfaces for serving as a firewall or router. Luckily FreeBSD 5.x supports the Linksys USB100TX and USB200M USB NICs. Iomega and others make USB floppy drives. One could always buy a full-fledged but cheap PC from TigerDirect.

Tuesday, June 24, 2003

DCPhoneHome

Interested in bypassing access control, or understanding how it's done in order to monitor it? Check out dcphonehome, run by my friend Aaron Higbee, or Gray-World.

Commercial IDS Appliances Built on Snort

Consider all of the commercial IDS appliances built on the Snort detection engine:

Snort isn't the only open source IDS engine in town. Check out Shoki or Tamandua.

Security Focus Vulnerability Database

In Jan 03 I noted the SecurityFocus vulnerability database didn't seem to include exploits anymore. Yesterday I was searching for Windows XP vulnerabilities for a class and found one example where exploits were available.

Monday, June 23, 2003

Remote Capture Using Winpcap

Just when you thought network monitoring couldn't get any cooler -- I learned WinPcap (mailing list) version 3.0 supports Remote Capture. "This is a highly experimental feature that allows [you to] interact [with] a remote machine and capture packets that are being transmitted on the remote network. This requires a remote daemon (called rpcapd) which performs the capture and sends data back and a local client that sends the appropriate commands and receives the captured data." What is even cooler -- "The [Remote] daemon [rpcapd] can be compiled and it is actually working on Linux as well." This sounds similar to SVtun. I couldn't get remote capture to work with Analyzer (Sourceforge site) by the WinPcap team, even though it natively supports remote capture.

Flow Tools

Thomas H. Ptacek, who co-authored a slightly famous paper on IDS several years ago, wrote me regarding his company's product, Peakflow X. According to their press release, the system profiles network traffic and complements traditional signature-based IDS:


"Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, should one of the internal Web servers initiate a file sharing connection to a system on the Internet, Peakflow X would immediately flag the activity as suspicious. As a result, Peakflow X can detect not only zero-day threats, like worms, but also internal misuse."


This seems like one of the best ways to deal with inspecting huge traffic flows. Readers may know I am a huge fan of products which independently capture network flows without processing stored libpcap data. Argus is the best stand-alone app, while Cisco NetFlow is an option. Luca Deri of ntop fame shared news of his nProbe, a PC-based NetFlow collector, and nBox, a Cyclades-TS100 appliance-based NetFlow collector. Commercial ntop support is available.

Sunday, June 22, 2003

Problems with CISSP Questions

The June 2003 Information Security Magazine offered some great reading too. It reminded me of a Gartner statistic saying between 60 to 70 percent of Windows Server users run NT 4. Writing about his experience taking the CISSP exam, Andrew Briney nails the problem with CISSP questions:


"There's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive. Evasive: that's the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you.

It's because of these questions that you won't have an intuitive sense if you passed the exam. And it's because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they're the ones that stick in your craw as you walk out the door."


I learned while reading Thomas Ptacek's commentaries of this article blasting the CISSP. I maintain that the main redeeming aspect of the CISSP is its code of ethics, which moves digital security closer to being a true profession with a code of ethics that matters.

Security "Return on Investment"

The June 03 SC Magazine offered several excellent articles. Peter Stephenson discusses new forensic certifications, like the Certified Information Forensics Investigator (CIFI). (If you qualify by 31 Dec 03, you might be able to grandfather the cert without sitting for the test.) The same issue featured a case study called Tracking Down Cybercriminals. Unfortunately, SC Magazine quotes an Addamark survey saying "companies are unwilling to prosecute hackers, even when they have enough evidence for legal action. Information security departments said they preferred to fix the damage or use forensic evidence to achieve a settlement with the wrongdoer, rather than opt for legal proceedings." This is too bad, as an article by Mark Doll of E&Y discusses the effect of security incidents on share prices. In short, within three days of X, share prices dropped by Y:



  • "significant security breach": 5.6%, or $15-$20 million on average
  • "theft of credit card data": 15%
  • "denial of service": 3.6%
  • "theft of customer information": 1.2%



Finally, I say forget all this talk about security providing "return on investment." Page 15 of the Deloitte Touche Tohmatsu 2003 Global Security Survey shows 63% of executives see security as "a necessary cost of doing business." Only 13% say security is "an investment in enabling infrastructure."

Network Tools

I'm trying to find products which can intelligently analyze network traffic to supplement traditional intrusion detection products. I'd like to get a look at Silent Runner, which offers visualization and analysis tools. Lancope Stealthwatch calls itself a "behavior-based IDS" which analyzes flows to identify anomalies. Incidentally, if you're looking for a giant list of IDS and other security products, visit Talisker's Network Security Resource. SPADE, the Statistical Packet Anomaly Detection Engine for Snort, is available but I have yet to try it.

Friday, June 20, 2003

Network Computing on Foundstone

After last week's bad press at Fortune and Slashdot, some good press for Foundstone. Network Computing likes Foundstone's 2.6 scanner -- and hasn't seen 3.0 yet. This job request looks fake to me.

Guess and FTC Settlement

The SANS and Neohapsis Security Alert Consensus told me of the settlement between Guess and the FTC. From the article:


According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.

Transforming the U.S. Air Force Enterprise Network

A captain I worked with in the AFCERT several years ago, Carl Grant, published Transforming the U.S. Air Force Enterprise Network in the latest IA Newsletter. Carl talks about the AFNOSC, which was also discussed in this testimony by the Air Force CIO John Gilligan.

Thursday, June 19, 2003

FreeBSD X Configuration

I installed FreeBSD 5.1 REL on my IBM Thinkpad a20p this afternoon. I finally have X working on a FreeBSD system "out of the box" -- more or less. X couldn't auto-configure my card, but I was able to do it manually. Once I was done installing XFree86 4.3 I installed KDE 3.1. I copied the .xinitrc (just a text file containing 'exec startkde') from root's home directory to my user directory. Here's my X config file:

-bash-2.05b$ cat /etc/X11/XF86Config
Section "ServerLayout"
Identifier "Layout0"
Screen 0 "Screen0" 0 0
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mouse0" "CorePointer"
EndSection

Section "Files"
EndSection

Section "Module"
# Load "freetype"
# Load "xtt"
Load "extmod"
Load "glx"
Load "dri"
Load "dbe"
Load "record"
Load "xtrap"
Load "type1"
Load "speedo"
EndSection

Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "SysMouse"
Option "Device" "/dev/sysmouse"
EndSection

Section "InputDevice"
Identifier "Keyboard0"
Driver "keyboard"
Option "XkbModel" "pc101"
Option "XkbLayout" "us"
EndSection

Section "Monitor"
Identifier "Monitor0"
HorizSync 30.0 - 100.0
VertRefresh 50.0 - 100.0
EndSection

Section "Device"
Identifier "Card0"
Driver "ati"
EndSection

Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Depth 24
Modes "1400x1050"
EndSubSection
EndSection

Also -- Happy 10th birthday FreeBSD!

Wednesday, June 18, 2003

Don't Hack Air Force Systems

It does not pay to live in the US and compromise Air Force systems! From this article:


An 18-year-old hacker who breached computers at Sandia National Laboratories and posted an anti-Israeli message on the Eglin Air Force Base Web site was sentenced Thursday to a year and a day in federal prison.

Adil Yahya Zakaria Shakour also was ordered to pay $88,253 in restitution, and his computer use was restricted during the three years he will spend under supervised release after his prison term.

Shakour, a Pakistani national who lives in Los Angeles, pleaded guilty in March to computer and credit card fraud charges.

Tuesday, June 17, 2003

Combining NIC interfaces on FreeBSD

I wrote this post yesterday in response to a question on how to mirror interfaces for combining tap outputs.

Microsoft Patterns and Practices

A colleague informed me of the Microsoft Patterns and Practices site, which offers book-length treatises on many subjects. The latest is Improving Web Application Security: Threats and Countermeasures.

Cisco IOS Licenses

While reading comp.dcom.sys.cisco, I found a thread discussing licenses for Cisco IOS. This abbreviation of Cisco's software transfer and licensing policy states "owners of Cisco products are only allowed to transfer, re-sell or re-lease used Cisco hardware and not the embedded software that runs on the hardware." One option for licensed use of Cisco gear at reduced prices is buying refurbished equipment, sold by authorized resellers, and getting a SMARTnet support contract to access parts of Cisco's software center. There seems to be no shortage of Asian sites offering IOS, although I suspect Trojaned versions might appear in those listings. This thread includes a lengthy post by Ted Mittelstaedt explaining how Cisco discourages eBay purchases of Cisco gear.

Friday, June 13, 2003

You go Marty!

Read Marty Roesch's response to the uninformed claims of Gartner, Inc. From the Gartner press release:


According to the Gartner, Inc. (NYSE: IT and ITB) Information Security Hype Cycle, IDSs have failed to provide value relative to its costs and will be obsolete by 2005.


From Marty's response:


Let me get this straight… better access control will completely remove the need for auditing? Auditing functions are a fundamental part of providing defense in depth in any security environment. Do they not understand this or, perhaps, have the economic challenges for industry analysts led them to the point where citing the outrageous is a competitive necessity?

Wednesday, June 11, 2003

Stealing Network Address Space

Kevin Poulsen published an article on stealing network address space. From the article:


Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.