Friday, February 28, 2003

Manipulating Online Gaming Servers

Auriemma Luigi wrote an advisory warning how online gaming servers can be manipulated to cause a sort of amplification denial of service attack. We've seen similar issues with DNS in 2000. UDP in general is susceptible to these sorts of attacks because no connection is required, so a spoofed source address receives the reply.
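As an added example (not code from the advisory or from this post), here is the measurement a defender wants for each exposed UDP service: how much bigger the reply is than the request that triggered it. The script flags destinations whose reply/request ratio crosses a threshold, working from constructed flow-style records (hosts, ports and byte counts are invented for the example).

```shell
#!/bin/sh
# Added example: flag UDP services whose replies are many times larger than
# the requests, read from flow-style records. A large ratio on a
# connectionless protocol is what makes spoofed-source amplification possible.

# Constructed sample records: proto src dst dport req_bytes resp_bytes.
# Addresses, ports and sizes are invented for this example.
SAMPLE_FLOWS='udp 192.0.2.10 203.0.113.5 27960 40 1850
udp 192.0.2.10 203.0.113.5 53 64 90
tcp 192.0.2.11 203.0.113.5 80 420 6100
udp 192.0.2.12 203.0.113.5 27960 40 1850
udp 192.0.2.13 203.0.113.6 123 76 76'

# amplifiers FACTOR  (reads records on stdin)
# Prints "dst:port ratio" for every UDP destination:port whose aggregate
# reply/request byte ratio is at least FACTOR. TCP flows are skipped: the
# three-way handshake stops a spoofed source from ever receiving the reply.
amplifiers() {
    awk -v factor="$1" '
        $1 == "udp" {
            key = $3 ":" $4
            req[key] += $5
            resp[key] += $6
        }
        END {
            for (k in req) {
                if (req[k] > 0) {
                    ratio = resp[k] / req[k]
                    if (ratio >= factor) printf "%s %.1f\n", k, ratio
                }
            }
        }' | sort
}

# count_amplifiers FACTOR: number of flagged services in the sample data.
count_amplifiers() {
    printf '%s\n' "$SAMPLE_FLOWS" | amplifiers "$1" | wc -l | tr -d ' '
}
```

With a threshold of 10 only the game-server port is reported, because its reply is about 46 times the request; the DNS and NTP records in the sample stay below it. The fix on the server side is to stop answering unauthenticated queries with large replies, or to require a small handshake (a cookie the client must echo) before sending one, and to rate-limit replies per source.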

Wednesday, February 26, 2003

Quiet X on Port 6000 TCP

Page 260 of the second edition of Hacking Linux Exposed gives a simple trick to prevent X from listening on port 6000. If you run the X Window System using 'startx' from the command prompt, and have nothing but sshd listening, you'll find port 6000 listening once X starts:



netstat -natup

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN


Instead launch the X server using 'startx -- -nolisten tcp'. Here's the netstat output now:



Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN


Better yet, add the following to your .bash_profile to automate this process:


alias startx='startx -- -nolisten tcp'
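As an added example (not code from the post or from Hacking Linux Exposed), here is a check that tells you whether a running X server is reachable over TCP, parsed from the Linux netstat output format shown above. The constructed samples mirror the two listings in the post, plus a loopback-only case.

```shell
#!/bin/sh
# Added example: detect an X server accepting TCP connections, from Linux
# 'netstat -nat' style output. x_listening_tcp() returns 0 when an X display
# port is bound to a non-loopback address and 1 otherwise.

# Constructed sample: what netstat shows after a plain 'startx'.
SAMPLE_NETSTAT_OPEN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

# Constructed sample: after 'startx -- -nolisten tcp'.
SAMPLE_NETSTAT_FIXED='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

# Constructed sample: X bound to loopback only, not reachable from the network.
SAMPLE_NETSTAT_LOOPBACK='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN'

# x_listening_tcp NETSTAT_TEXT
# Display :N listens on TCP 6000+N, so 6000-6063 covers displays :0 to :63.
# Column 4 is "addr:port" and column 6 is the state; using $6 rather than the
# last field keeps this correct when -p appends a PID/Program column.
x_listening_tcp() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 6000 && port <= 6063 && addr != "127.0.0.1") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_x_listener: run the check against the live system.
audit_x_listener() {
    if x_listening_tcp "$(netstat -nat 2>/dev/null)"; then
        echo "X is accepting TCP connections; restart it with: startx -- -nolisten tcp"
        return 1
    fi
    echo "no network-reachable X listener found"
}
```

One caveat on the alias: .bash_profile is read by login shells only, so if you start X from a terminal whose shell sources .bashrc instead, put the alias there as well, or run audit_x_listener from the same file to catch the case where X came up listening anyway.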

Links from SANS Webcast

Here are the links Alan Paller mentioned in today's SANS webcast:


All IA newsletters


Issue of interest on CIS

Undocumented Features in VMWare

I found an article on using undocumented features in VMWare. Essentially the author wrote tools to interact with the VM software itself from within a virtual machine. One of the tools was ported to Linux and it works.


Monday, February 24, 2003

How Addamark Technologies Detected an Intrusion

I found an article on how Addamark Technologies detected an intrusion. Some of the details sound odd but the article is worth reading anyway. From the article:


"On Jan. 20, the security engineers at Addamark Technologies Inc. noticed the problem immediately: Someone had accessed a confidential, password-protected document on the company's Web server that contained technical product details.


After studying the traffic logs more carefully, San Francisco-based Addamark officials discovered it was no random hack. The intrusion had come from a competitor, ArcSight Inc.


Two seconds after successfully accessing the file, the user attempted to bookmark the page, which is not a link from any of Addamark's public Web pages."


How does Addamark know that a Web visitor tried to bookmark a page? Did the visitor click on a "bookmark this" link on the web site? Odd.

Run KDE on Windows

I found an article on running KDE on Windows using cygwin. I got KDE to start but couldn't launch any applications due to a "DCOP error". To get KDE to work I had to make the following adjustments, some of which were listed in the article:


Within the cygwin bash prompt, I modified my PATH variable:


export PATH=$PATH:/opt/kde2/bin/:/usr/local/lib/qt2/bin:/usr/X11R6/bin:/bin:/usr/local/kde1/bin:/usr/local/bin:/opt/kde2/lib


I also made a .kde2 directory in the user's home directory who started KDE, and I copied cygwin1.dll and cygz.dll from c:\cygwin\bin to c:\windows\system32.

Help Net Security Interviewed Judy Novak

Help Net Security interviewed Judy Novak of SANS fame. From the article:


I'm currently a senior security analyst for a consulting firm - Jacob and Sundstrom, but I'll be changing jobs in about a month to become a research engineer for Sourcefire.


Good luck Judy!

Sunday, February 23, 2003

Internet Security Scanner Started as a Shell Script

Did you know that the first version of Internet Security Scanner was a shell script? I found it in this 28 Sep 93 post by Christopher Klaus while researching the history of vulnerability scanners. From the post:

To sum it up, ISS will scan a domain grabbing essential information for
administrators to easily sort through and give them a chance to secure the
open machines on their network.

---
#! /bin/sh
# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".
# Contents: iss iss/Bugs iss/Makefile iss/iss.1 iss/iss.c
# iss/readme.iss iss/telnet.h iss/todo
# Wrapped by kent@sparky on Tue Sep 28 21:20:25 1993

Saturday, February 22, 2003

Pluf Simple Hostname Scanner

While reading the second edition of Hacking Linux Exposed, I learned of a simple yet useful tool called Pluf Simple Hostname Scanner, or plushs. I downloaded version 1.2 and installed it without problems on FreeBSD 5.0 REL. You can use plushs to rapidly find PTR records for specified IP ranges. This example returns all PTR records from IPs in the 195.5.3.0/24 block.

hawke# plushs 195.5.3.0-255

[a] 195-0
[b] 5-0
[c] 3-0
195.5.3.1 ==> dns1.sf.ukrtel.net
195.5.3.5 ==> dev.sf.ukrtel.net
195.5.3.7 ==> kep.sf.ukrtel.net
195.5.3.9 ==> cit.sf.ukrtel.net
195.5.3.10 ==> oplot.sf.ukrtel.net
195.5.3.13 ==> mailer.sf.ukrtel.net
195.5.3.65 ==> router.ylt.sf.ukrtel.net
195.5.3.66 ==> ns.ylt.sf.ukrtel.net
195.5.3.67 ==> name67.ylt.sf.ukrtel.net
...edited for brevity...
195.5.3.187 ==> westcrimea.net
195.5.3.190 ==> evpatoria.com.ua
195.5.3.201 ==> kmk.oaokmk.com

========| Network Statistics |====================

Ip range to scan 195.5.3.0-255

Successfull: [ 34.0%]
Unsuccessfull: [ 66.0%]
Timeouts: [ 0.0%]

=-----------------------------------------------=

Total ips to check: 256
Successfull checks: 87
Unsuccessfull checks: 169
Timeouts: 0
Aliases found: 0
Successfull searchs: 0

=-----------------------------------------------=

String format:
Timeout set to: 9 seconds
Wait second set to: 0 seconds

I was also introduced to dnstrace and dnstracesort, part of the djbdns package.

Foundstone Incident Response in the News

Foundstone's CEO made the cover of business lifestyle magazine OCMetro. The article even mentions our forensic and incident response services:


"Foundstone also provides litigation and forensic services to help convict hackers they have caught, as well as penetration testing services."

Thursday, February 20, 2003

HIPAA Regulation Available

The HIPAA regulation is available. Review it now to include it in your security requests for proposals and responses.

Data Processors International Suffers 8 Million Credit Card Loss

Here's a story on an 8 million credit card theft from Data Processors International. Keep an eye on your statements.

Wednesday, February 19, 2003

Review of Web Services Security Posted

Amazon.com just posted my four-star review of Web Services Security. From the review:


Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.


The latest SANS NewsBites mentioned a story where TriWest Healthcare is being sued for losing customer data to an intruder.

TaoSecurity ISP OK

It looks like my ISP found taosecurity.com's files. Situation normal.

TaoSecurity.com ISP Woes

I just learned the ISP which hosts taosecurity.com can't seem to find my files...great. I am redirecting taosecurity.com here until I deploy a backup, or until the ISP gets its act together. Due to DNS changes it may be a while before taosecurity.com appears here.

Tuesday, February 18, 2003

Sguil User Six

According to my friend Bamm Visscher, I just became user number six of Sguil, an interface for the Snort intrusion detection engine. It's in early alpha stages but it smokes everything else available. It's built BY an analyst FOR an analyst. I spent a chunk of the weekend writing this 4 MB installation guide pdf for it. The 13 MB sguil_complete_17_feb_03.tar archive I mention in the installation guide can be downloaded here, for now. There is also a Sourceforge site. Enjoy!

Saturday, February 15, 2003

Bruce Schneier on Full Disclosure and Locksmiths

Bruce Schneier's latest Cryptogram offers an interesting commentary on full disclosure and locksmithing. From the article:


"...public scrutiny is the only reliable way to improve security. There are several master key designs that are immune to the 100-year-old attack that Blaze rediscovered. They're not common in the marketplace primarily because customers don't understand the risks, and because locksmiths continue to knowingly sell a flawed security system rather than admit and then fix the problem. This is no different from the computer world. Before software vulnerabilities were routinely published, vendors would not bother spending the time and money to fix vulnerabilities, believing in the security of secrecy. And since customers didn't know any better, they bought these systems believing them to be secure. If we return to a world of bug secrecy in computers, we'll have the equivalent of 100-year-old vulnerabilities known by a few in the security community and by the hacker underground."

Wednesday, February 12, 2003

Marcus Ranum on Firewalls

Marcus Ranum, one of the smartest security visionaries around, made an interesting post on 31 Dec 02 to the Focus-IDS list. He's right, as usual, about several issues. I especially applaud his proxy firewall ideas:


"About a million years ago I was designing and coding firewalls. I wrote pure proxy firewalls. OK, actually, I _invented_ pure proxy firewalls. You know what? I still think that, for security, it's The Way To Do It and everything else sucks. But the industry appears to disagree. That's OK, it's customer choice. But if I was reviewing product firewalls, guess which ones I'd say sucked and which didn't? If I developed a firewall testing methodology, NONE of the packet screens would have cut it. And people would have been able to accuse me of trying to promote my own product because my _beliefs_ and my _implementation_ were inseparable."

JTF-CNO Splits

This article discusses splitting the Joint Task Force - Computer Network Operations (JTF-CNO) into two separate units -- one for attack and one for defense. I remember when the JTF-CND was created, and then became the JTF-CNO. I didn't know that STRATCOM and SPACECOM had merged as of last October, though! From the article:


No full-scale cyberattack on the United States from a known enemy has been documented, and that also complicates the issue because DOD would not want to attack a nation-state's computer operations based on the actions of a few skilled hackers, Campen said. He added that it is not clear whether a cyberattack would be anything more than a nuisance to U.S. enemies unless it was done in conjunction with more traditional acts of war.

Review of Absolute BSD Posted

Amazon.com just posted my five star review of Absolute BSD. From the review:


This is the sort of book I've been waiting for, since reading Annelise Anderson's "FreeBSD" almost one year ago. Michael Lucas is well-known for his articles, and his knowledge and easy conversational style shine in "Absolute BSD." Of the four books I've read with "FreeBSD" in the title, this has been the most helpful -- but not necessarily the most comprehensive.

Tuesday, February 11, 2003

Rik Farrow on Firewalls

Rik Farrow wrote another interesting column for Network Magazine. It's A Farewell to Firewalls? and talks about the security implications of web services. From the article:


SOAP leaves some things unchanged. Your firewall will permit access to public Web servers that provide Web services and block access to internal servers. And internal clients will still be permitted to visit Web servers and read e-mail. But the paradigm changes here, as the emphasis changes from execution of remote methods on remote servers to include the execution of remote code on local clients. Execution of remote code on IE is already well known as a successful attack vector. Will the security features of .NET or Java mitigate this threat?

Friday, February 07, 2003

Cyber Warfare in Iraq

The Washington Post offers an interesting article about the U.S. government's preparations for "cyber warfare" in Iraq. From the article:


The full extent of the U.S. cyber-arsenal is among the most tightly held national security secrets, even more guarded than nuclear capabilities. Because of secrecy concerns, many of the programs remain known only to strictly compartmented groups, a situation that in the past has inhibited the drafting of general policy and specific rules of engagement.


Gregory Rattray wrote Strategic Warfare in Cyberspace, which is the definitive work on the subject. I reviewed it in Jun 02.


Tomorrow is my "Internet birthday." 8 Feb 94 is the first publicly available evidence that I had access to the Internet. It's manifested in this USENET post.

Wednesday, February 05, 2003

FreeBSD Serial Console Access

I enabled serial console access on one of my FreeBSD 5.0 RELEASE boxes. First I checked to see the serial ports available:

#dmesg | grep sio
usb0: USB revision 1.0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
sio1 port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A

I checked to see what devices I had:

#ls -al /dev/cua*
crw------- 1 root wheel 28, 128 Feb 3 22:07 /dev/cuaa0
crw-rw---- 1 uucp dialer 28, 129 Feb 3 21:50 /dev/cuaa1
crw-rw---- 1 uucp dialer 28, 160 Feb 3 21:50 /dev/cuaia0
crw-rw---- 1 uucp dialer 28, 161 Feb 3 21:50 /dev/cuaia1
crw-rw---- 1 uucp dialer 28, 192 Feb 3 21:50 /dev/cuala0
crw-rw---- 1 uucp dialer 28, 193 Feb 3 21:50 /dev/cuala1


Then I added the following line to /etc/ttys



cuaa0 "/usr/libexec/getty std.38400" vt100 on secure

Then I restarted init via 'kill -HUP 1' and checked to see what had changed:



#ps -auxww | grep cua
root 493 0.0 0.3 1184 864 a0 Is+ Mon10PM 0:00.01 /usr/libexec/getty std.38400 cuaa0

Now I can use Windows HyperTerminal or a similar program to access my FreeBSD box using a serial cable and null modem.
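As an added example (not from the original post), here is the /etc/ttys change made repeatable and checkable: enable_serial_getty() rewrites or adds the entry for one serial device in a ttys file passed as an argument, so it can be tried on a copy first, and getty_running() confirms the getty from 'ps -auxww' output. The device name cuaa0 and the std.38400 class are the ones from the post (FreeBSD 5.0); the last field defaults to "secure" as in the post, which is the flag that lets root log in directly on that line.

```shell
#!/bin/sh
# Added example: manage a serial getty entry in a ttys file and verify it.
# Device cuaa0 and class std.38400 are taken from the post (FreeBSD 5.0).

# enable_serial_getty TTYS_FILE DEVICE [GETTY_CLASS] [secure|insecure]
enable_serial_getty() {
    ttys=$1; dev=$2; class=${3:-std.38400}; trust=${4:-secure}
    entry="$dev \"/usr/libexec/getty $class\" vt100 on $trust"
    # Drop any existing line for this device, then append the new one, so
    # running the function twice never leaves duplicate entries. grep -v
    # exits 1 when nothing is left to print, hence the '|| :'.
    grep -v "^$dev[[:space:]]" "$ttys" > "$ttys.tmp" || :
    printf '%s\n' "$entry" >> "$ttys.tmp"
    mv "$ttys.tmp" "$ttys"
}

# Constructed sample of 'ps -auxww | grep cua' after 'kill -HUP 1',
# modelled on the line shown in the post.
SAMPLE_PS='root 493 0.0 0.3 1184 864 a0 Is+ Mon10PM 0:00.01 /usr/libexec/getty std.38400 cuaa0'

# getty_running PS_TEXT DEVICE: returns 0 if a getty is attached to DEVICE.
getty_running() {
    printf '%s\n' "$1" | grep -q "/usr/libexec/getty [^ ]* $2\$"
}
```

After running enable_serial_getty against the real /etc/ttys, 'kill -HUP 1' makes init reread the file, as in the post. If the serial cable can be reached by people you do not trust with root, pass "insecure" as the fourth argument: root is then refused on that line and must log in as a normal user and su.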