Friday, 28 February 2003
Manipulating Online Gaming Servers
Wednesday, 26 February 2003
Quiet X on Port 6000 TCP
netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Instead, launch the X server with 'startx -- -nolisten tcp'. Here's the netstat output now:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Better yet, add the following to your .bash_profile to automate this process:
alias startx='startx -- -nolisten tcp'
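As an added example (not part of the original post), the following shell function checks netstat output for an X server listening on a non-loopback address, the condition the post fixes with -nolisten tcp. It assumes the Linux netstat column layout (Local Address in column 4, State in column 6) and that X displays use TCP ports 6000 to 6063 (6000 plus the display number); the sample netstat output strings are constructed, not captured from the author's host.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed netstat samples:
# "before" has X listening on all interfaces, "after" is the -nolisten tcp case,
# and "loopback" has X bound only to 127.0.0.1.
SAMPLE_BEFORE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

SAMPLE_AFTER='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

SAMPLE_LOOPBACK='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

# x_tcp_status NETSTAT_OUTPUT
# Prints "exposed" if any tcp/tcp6 LISTEN line binds a port in the X display
# range (6000 + display number, i.e. 6000-6063) on an address other than
# 127.0.0.1, otherwise "closed". Assumes the Linux netstat layout: Local
# Address is the 4th column and State the 6th (netstat -natup appends
# PID/Program name after the State column, which does not disturb this).
x_tcp_status() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # drop ":port", keep the bind address
            sub(/.*:/, "", port)        # keep only the port number
            if (port + 0 >= 6000 && port + 0 <= 6063 && addr != "127.0.0.1")
                exposed = 1
        }
        END { print (exposed ? "exposed" : "closed") }'
}

# Live check on the local host (needs netstat installed):
#   x_tcp_status "$(netstat -nat 2>/dev/null)"
x_tcp_status "$SAMPLE_BEFORE"    # exposed
x_tcp_status "$SAMPLE_AFTER"     # closed
x_tcp_status "$SAMPLE_LOOPBACK"  # closed
```

A loopback-only listener is reported as closed because it is not reachable from the network; the alias in the post removes the TCP listener entirely, which is the simpler state to verify.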
Links from SANS Webcast
Undocumented Features in VMWare
Monday, 24 February 2003
How Addamark Technologies Detected an Intrusion
"On Jan. 20, the security engineers at Addamark Technologies Inc. noticed the problem immediately: Someone had accessed a confidential, password-protected document on the company's Web server that contained technical product details.
After studying the traffic logs more carefully, San Francisco-based Addamark officials discovered it was no random hack. The intrusion had come from a competitor, ArcSight Inc.
Two seconds after successfully accessing the file, the user attempted to bookmark the page, which is not a link from any of Addamark's public Web pages."
How does Addamark know that a Web visitor tried to bookmark a page? Did the visitor click on a "bookmark this" link on the web site? Odd.
Run KDE on Windows
Within the cygwin bash prompt, I modified my PATH variable:
export PATH=$PATH:/opt/kde2/bin/:/usr/local/lib/qt2/bin:/usr/X11R6/bin:/bin:/usr/local/kde1/bin:/usr/local/bin:/opt/kde2/lib
I also made a .kde2 directory in the home directory of the user who started KDE, and I copied cygwin1.dll and cygz.dll from c:\cygwin\bin to c:\windows\system32.
Help Net Security Interviewed Judy Novak
I'm currently a senior security analyst for a consulting firm - Jacob and Sundstrom, but I'll be changing jobs in about a month to become a research engineer for Sourcefire.
Good luck Judy!
Sunday, 23 February 2003
Internet Security Scanner Started as a Shell Script
To sum it up, ISS will scan a domain grabbing essential information for administrators to easily sort through and give them a chance to secure the open machines on their network.
---
#! /bin/sh
# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".
# Contents: iss iss/Bugs iss/Makefile iss/iss.1 iss/iss.c
# iss/readme.iss iss/telnet.h iss/todo
# Wrapped by kent@sparky on Tue Sep 28 21:20:25 1993
Saturday, 22 February 2003
Pluf Simple Hostname Scanner
hawke# plushs 195.5.3.0-255
[a] 195-0
[b] 5-0
[c] 3-0
195.5.3.1 ==> dns1.sf.ukrtel.net
195.5.3.5 ==> dev.sf.ukrtel.net
195.5.3.7 ==> kep.sf.ukrtel.net
195.5.3.9 ==> cit.sf.ukrtel.net
195.5.3.10 ==> oplot.sf.ukrtel.net
195.5.3.13 ==> mailer.sf.ukrtel.net
195.5.3.65 ==> router.ylt.sf.ukrtel.net
195.5.3.66 ==> ns.ylt.sf.ukrtel.net
195.5.3.67 ==> name67.ylt.sf.ukrtel.net
...edited for brevity...
195.5.3.187 ==> westcrimea.net
195.5.3.190 ==> evpatoria.com.ua
195.5.3.201 ==> kmk.oaokmk.com
========| Network Statistics |====================
Ip range to scan 195.5.3.0-255
Successfull: [ 34.0%]
Unsuccessfull: [ 66.0%]
Timeouts: [ 0.0%]
=-----------------------------------------------=
Total ips to check: 256
Successfull checks: 87
Unsuccessfull checks: 169
Timeouts: 0
Aliases found: 0
Successfull searchs: 0
=-----------------------------------------------=
String format:
Timeout set to: 9 seconds
Wait second set to: 0 seconds
I was also introduced to dnstrace and dnstracesort, part of the djbdns package.
Foundstone Incident Response in the News
"Foundstone also provides litigation and forensic services to help convict hackers they have caught, as well as penetration testing services."
Thursday, 20 February 2003
HIPAA Regulation Available
Data Processors International Suffers 8 Million Credit Card Loss
Wednesday, 19 February 2003
Review of Web Services Security Posted
Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312-page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.
The latest SANS NewsBites mentioned a story where TriWest Healthcare is being sued for losing customer data to an intruder.
TaoSecurity.com ISP Woes
Monday, 17 February 2003
Sguil User Six
Saturday, 15 February 2003
Bruce Schneier on Full Disclosure and Locksmiths
"...public scrutiny is the only reliable way to improve security. There are several master key designs that are immune to the 100-year-old attack that Blaze rediscovered. They're not common in the marketplace primarily because customers don't understand the risks, and because locksmiths continue to knowingly sell a flawed security system rather than admit and then fix the problem. This is no different from the computer world. Before software vulnerabilities were routinely published, vendors would not bother spending the time and money to fix vulnerabilities, believing in the security of secrecy. And since customers didn't know any better, they bought these systems believing them to be secure. If we return to a world of bug secrecy in computers, we'll have the equivalent of 100-year-old vulnerabilities known by a few in the security community and by the hacker underground."
Wednesday, 12 February 2003
Marcus Ranum on Firewalls
"About a million years ago I was designing and coding firewalls. I wrote pure proxy firewalls. OK, actually, I _invented_ pure proxy firewalls. You know what? I still think that, for security, it's The Way To Do It and everything else sucks. But the industry appears to disagree. That's OK, it's customer choice. But if I was reviewing product firewalls, guess which ones I'd say sucked and which didn't? If I developed a firewall testing methodology, NONE of the packet screens would have cut it. And people would have been able to accuse me of trying to promote my own product because my _beliefs_ and my _implementation_ were inseparable."
JTF-CNO Splits
No full-scale cyberattack on the United States from a known enemy has been documented, and that also complicates the issue because DOD would not want to attack a nation-state's computer operations based on the actions of a few skilled hackers, Campen said. He added that it is not clear whether a cyberattack would be anything more than a nuisance to U.S. enemies unless it was done in conjunction with more traditional acts of war.
Review of Absolute BSD Posted
This is the sort of book I've been waiting for, since reading Annelise Anderson's "FreeBSD" almost one year ago. Michael Lucas is well-known for his articles, and his knowledge and easy conversational style shine in "Absolute BSD." Of the four books I've read with "FreeBSD" in the title, this has been the most helpful -- but not necessarily the most comprehensive.
Tuesday, 11 February 2003
Rik Farrow on Firewalls
SOAP leaves some things unchanged. Your firewall will permit access to public Web servers that provide Web services and block access to internal servers. And internal clients will still be permitted to visit Web servers and read e-mail. But the paradigm changes here, as the emphasis changes from execution of remote methods on remote servers to include the execution of remote code on local clients. Execution of remote code on IE is already well known as a successful attack vector. Will the security features of .NET or Java mitigate this threat?
Friday, 07 February 2003
Cyber Warfare in Iraq
The full extent of the U.S. cyber-arsenal is among the most tightly held national security secrets, even more guarded than nuclear capabilities. Because of secrecy concerns, many of the programs remain known only to strictly compartmented groups, a situation that in the past has inhibited the drafting of general policy and specific rules of engagement.
Gregory Rattray wrote Strategic Warfare in Cyberspace, which is the definitive work on the subject. I reviewed it in Jun 02.
Tomorrow is my "Internet birthday." 8 Feb 94 is the first publicly available evidence that I had access to the Internet. It's manifested in this USENET post.
Wednesday, 05 February 2003
FreeBSD Serial Console Access
#dmesg | grep sio
usb0: USB revision 1.0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
sio1 port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
I checked to see what devices I had:
#ls -al /dev/cua*
crw------- 1 root wheel 28, 128 Feb 3 22:07 /dev/cuaa0
crw-rw---- 1 uucp dialer 28, 129 Feb 3 21:50 /dev/cuaa1
crw-rw---- 1 uucp dialer 28, 160 Feb 3 21:50 /dev/cuaia0
crw-rw---- 1 uucp dialer 28, 161 Feb 3 21:50 /dev/cuaia1
crw-rw---- 1 uucp dialer 28, 192 Feb 3 21:50 /dev/cuala0
crw-rw---- 1 uucp dialer 28, 193 Feb 3 21:50 /dev/cuala1
Then I added the following line to /etc/ttys:
cuaa0 "/usr/libexec/getty std.38400" vt100 on secure
Then I restarted init via 'kill -HUP 1' and checked to see what had changed:
#ps -auxww | grep cua
root 493 0.0 0.3 1184 864 a0 Is+ Mon10PM 0:00.01 /usr/libexec/getty std.38400 cuaa0
Now I can use Windows HyperTerminal or a similar program to access my FreeBSD box using a serial cable and null modem.
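As an added example that is not from the original post, the shell function below audits an /etc/ttys file for entries that are both enabled ("on") and flagged "secure", the combination that runs a getty on the line and lets root log in on it directly, as the cuaa0 entry above does. The sample ttys content is constructed rather than copied from the author's system, and the function assumes the standard FreeBSD field order of name, getty command, terminal type, status, and flags.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_TTYS is a constructed
# /etc/ttys fragment in the FreeBSD format: name, getty command (quoted when it
# contains spaces), terminal type, status (on/off), and flags.
SAMPLE_TTYS='# name  getty                          type    status  comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
cuaa0   "/usr/libexec/getty std.38400"  vt100   on  secure
cuaa1   "/usr/libexec/getty std.38400"  vt100   on  insecure'

# root_login_ttys TTYS_CONTENT
# Prints one name per line for every entry whose status is "on" and whose flags
# include "secure": a getty runs on that line and root may log in on it
# directly. Comment and blank lines are skipped.
root_login_ttys() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            # The quoted getty field may contain spaces, so replace it with a
            # placeholder before splitting on whitespace.
            line = $0
            sub(/"[^"]*"/, "GETTY", line)
            n = split(line, f)
            name = f[1]; status = f[4]
            secure = 0
            for (i = 5; i <= n; i++) if (f[i] == "secure") secure = 1
            if (status == "on" && secure) print name
        }'
}

# On a real host: root_login_ttys "$(cat /etc/ttys)"
root_login_ttys "$SAMPLE_TTYS"   # ttyv0 ttyv1 cuaa0
```

A serial line that is "on secure" is only as protected as the cable and the room it runs into, so this list is worth reviewing whenever a console port is enabled the way the post describes.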