Monday, June 30, 2003
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 22.214.171.124 rhino.acme.com # source server
# 126.96.36.199 x.acme.com # x client host
16 Jun 03 03:12:08 tcp 188.8.131.52.4396 -> my_IP.2 TIM
23 Jun 03 07:59:05 tcp 184.108.40.206.4900 -> my_IP.2 TIM
I'm also seeing scans to port 57 TCP, which has history dating to Oct 02 and Nov 02 and is a signature of a tool called FX-Scanner (analysis). Apparently port 57 is used as a host discovery mechanism. Here are three examples.
First, recon for port 1433 TCP:
12 Jun 03 18:22:17 tcp 220.127.116.11.4464 -> my_IP.57 TIM
12 Jun 03 18:22:17 icmp 18.104.22.168 <-> my_IP ECO
12 Jun 03 18:23:04 tcp 22.214.171.124.1217 -> my_IP.1433 TIM
12 Jun 03 18:25:08 tcp 126.96.36.199.2036 -> my_IP.57 TIM
12 Jun 03 18:25:08 icmp 188.8.131.52 <-> my_IP.55 ECO
12 Jun 03 18:25:55 tcp 184.108.40.206.3590 -> my_IP.1433 TIM
Next, recon for ports 80 and 21 TCP:
18 Jun 03 15:02:53 tcp 220.127.116.11.3836 -> my_IP.80 TIM
18 Jun 03 15:03:14 tcp 18.104.22.168.4067 -> my_IP.57 TIM
18 Jun 03 15:02:53 icmp 22.214.171.124 <-> my_IP ECO
18 Jun 03 15:03:35 tcp 126.96.36.199.4325 -> my_IP.21 TIM
Third, recon for ports 1433 and 445 TCP:
19 Jun 03 11:35:14 tcp 188.8.131.52.1951 -> my_IP.57 TIM
19 Jun 03 11:35:38 tcp 184.108.40.206.1725 -> my_IP.1433 TIM
19 Jun 03 11:35:13 icmp 220.127.116.11 <-> my_IP ECO
19 Jun 03 11:37:50 tcp 18.104.22.168.2221 -> my_IP.445 TIM
18 Jun 03 01:03:52 tcp 22.214.171.124.4730 -> my_IP.3410 TIM
19 Jun 03 08:30:49 tcp 126.96.36.199.1414 -> my_IP.3410 TIM
19 Jun 03 17:27:04 tcp 188.8.131.52.2200 -> my_IP.3410 TIM
22 Jun 03 15:27:27 tcp 184.108.40.206.1055 -> my_IP.3410 TIM
26 Jun 03 19:25:01 tcp 220.127.116.11.3327 -> my_IP.3410 TIM
29 Jun 03 11:13:00 tcp 18.104.22.168.3554 -> my_IP.3410 TIM
29 Jun 03 12:09:59 tcp 22.214.171.124.1707 -> my_IP.3410 TIM
29 Jun 03 12:40:17 tcp 126.96.36.199.1730 -> my_IP.3410 TIM
30 Jun 03 00:56:29 tcp 188.8.131.52.2246 -> my_IP.3410 TIM
30 Jun 03 02:38:13 tcp 184.108.40.206.4191 -> my_IP.3410 TIM
30 Jun 03 03:29:07 tcp 220.127.116.11.2940 -> my_IP.3410 TIM
30 Jun 03 04:02:53 tcp 18.104.22.168.1500 -> my_IP.3410 TIM
30 Jun 03 04:51:57 tcp 22.214.171.124.1319 -> my_IP.3410 TIM
30 Jun 03 05:30:51 tcp 126.96.36.199.1395 -> my_IP.3410 TIM
30 Jun 03 07:53:05 tcp 188.8.131.52.4690 -> my_IP.3410 TIM
Sunday, June 29, 2003
Thursday, June 26, 2003
Wednesday, June 25, 2003
openroot# ping www.google.com
ping: socket: Operation not permitted
12:40AM up 1 day, 14:13, 1 user, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
w: proc size mismatch (8480 total, 1064 chunks): No such file or directory
openroot# last | head
openroot ttyp0 184.108.40.206 Fri Jun 27 00:39 still logged in
openroot ttyp0 220.127.116.11 Fri Jun 27 00:17 - 00:23 (00:06)
openroot ttyp1 csa.bu.edu Wed Jun 25 02:55 - 02:55 (00:00)
wtmp begins Wed Jun 25 02:55:49 GMT 2003
For the NSM box, I'm considering a Shuttle SB52G (support, review) with Intel 845VG chipset and FB52 motherboard sold by ExcaliburPC, NewEgg, and Knowledge MicroExpress. Crucial sells memory. Other options include the Slimpro 1BayPC (manufacturer?), LittlePC, MicroPC4 and Lex Light, For more information there's the mailing.freebsd.small list, the books Embedded FreeBSD Cookbook and Designing Embedded Hardware, or Slashdot.
One issue with these small form factor devices is having enough interfaces for serving as a firewall or router. Luckily FreeBSD 5.x supports the Linksys USB100TX and USB200M USB NICs. Iomega and others make USB floppy drives. One could always buy a full-fledged but cheap PC from TigerDirect.
Tuesday, June 24, 2003
- Sourcefire Network Sensor
- Silicon Defense Sentarus
- StillSecure Border Guard; check the FAQ -- they run Snort but hide it well
- Argus 1000; no relation to the one true Argus
- FidelisSec CyberHound
Snort isn't the only open source IDS engine in town. Check out Shoki or Tamandua.
Monday, June 23, 2003
"Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, should one of the internal Web servers initiate a file sharing connection to a system on the Internet, Peakflow X would immediately flag the activity as suspicious. As a result, Peakflow X can detect not only zero-day threats, like worms, but also internal misuse."
This seems like one of the best ways to deal with inspecting huge traffic flows. Readers may know I am a huge fan of products which independently capture network flows without processing stored libpcap data. Argus is the best stand-alone app, while Cisco NetFlow is an option. Luca Deri of ntop fame shared news of his nProbe, a PC-based NetFlow collector, and nBox, a Cyclades-TS100 appliance-based NetFlow collector. Commercial ntop support is available.
Sunday, June 22, 2003
"There's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive. Evasive: that's the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you.
It's because of these questions that you won't have an intuitive sense if you passed the exam. And it's because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they're the ones that stick in your craw as you walk out the door."
I learned while reading Thomas Ptacek's commentaries of this article blasting the CISSP. I maintain that the main redeeming aspect of the CISSP is its code of ethics, which moves digital security closer to being a true profession with a code of ethics that matters.
- "significant security breach": 5.6%, or $15-$20 million on average
- "theft of credit card data": 15%
- "denial of service": 3.6%
- "theft of customer information": 1.2%
Finally, I say forget all this talk about security providing "return on investment." Page 15 of the Deloitte Touche Tohmatsu 2003 Global Security Survey shows 63% of executives see security as "a necessary cost of doing business." Only 13% say security is "an investment in enabling infrastructure."
Friday, June 20, 2003
According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a vistor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.
Thursday, June 19, 2003
-bash-2.05b$ cat /etc/X11/XF86Config
Screen 0 "Screen0" 0 0
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mouse0" "CorePointer"
# Load "freetype"
# Load "xtt"
Option "Protocol" "SysMouse"
Option "Device" "/dev/sysmouse"
Option "XkbModel" "pc101"
Option "XkbLayout" "us"
HorizSync 30.0 - 100.0
VertRefresh 50.0 - 100.0
Also -- Happy 10th birdthday FreeBSD!
Wednesday, June 18, 2003
An 18-year-old hacker who breached computers at Sandia National Laboratories and posted an anti-Israeli message on the Eglin Air Force Base Web site was sentenced Thursday to a year and a day in federal prison.
Adil Yahya Zakaria Shakour also was ordered to pay $88,253 in restitution, and his computer use was restricted during the three years he will spend under supervised release after his prison term.
Shakour, a Pakistani national who lives in Los Angeles, pleaded guilty in March to computer and credit card fraud charges.
Tuesday, June 17, 2003
Friday, June 13, 2003
According to the Gartner, Inc. (NYSE: IT and ITB) Information Security Hype Cycle, IDSs have failed to provide value relative to its costs and will be obsolete by 2005.
From Marty's response:
Let me get this straight… better access control will completely remove the need for auditing? Auditing functions are a fundamental part of providing defense in depth in any security environment. Do they not understand this or, perhaps, have the economic challenges for industry analysts led them to the point where citing the outrageous is a competitive necessity?
Wednesday, June 11, 2003
Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.