Archive for January, 2004

Jan 30 2004

I got my Movable Type key code!

Published by under Site Configuration

Well, it only took three weeks, but I got my Movable Type Recently Updated Key. It got lost due to a change in procedures, but everything has been made right now. I needed something positive to end my day. I’ll rant about it another time.

Jan 28 2004

Ethics in Security

Published by under General

From Dictionary.com:

ethics (used with a sing. or pl. verb) The rules or standards governing the conduct of a person or the members of a profession.

It’s funny, but over the last several days this has been a major topic in my conversations with the people I work for and with. I have been contracting for the same company for two years now, and I decided that it’s time for me to move on. Part of the issue is the length of my commute, but the internal politics at the company also play a part. My own personal sense of ethics has made me be very up front with my employer and let them know that I’m looking. So far, this seems to be appreciated.

As of last Friday, two of my co-workers became former co-workers. One left of his own free will for another job, the other left at the request of the company. Both already have positions elsewhere they are going to fill, and will hopefully be happier at the new position than they were here. In both cases I had occasion to speak to them, and the conversations touched on the ethics of security.

(Beware, fairly long rant follows)

Continue Reading »

Jan 22 2004

Back to … normal?

Published by under Site Configuration

Well, it took me almost 24 hours, but I finally figured out that the plugin I had installed to take care of comment spamming was what was disabling my news feeds. Some of you may ask, why wasn’t that the first thing I tried? Well, to be perfectly honest, I panicked and messed things up badly enough that I had to reconstruct parts of my site from scratch. I took the opportunity to cull through the news feeds to remove the couple I almost never read, and add a couple that I had wanted to look at for a while.

Now all that’s left is to figure out why mt-blacklist kills mt-rssfeed, and to wait 72 hours for Slashdot to take me off their banned list. Seems I landed there while testing the site. Oh well.

Jan 21 2004

Trouble with RSS feeds

Published by under Site Configuration

I’ve been having some problems with the RSS feeds, but I will hopefully have it figured out soon. Then all I’ll need is some Tylenol.

Jan 20 2004

Have you seen this tool?

Published by under Hacking

Over the last couple of months I have seen repeated intrusion attempts of an unusual nature against the corporate web servers I protect. These are extremely noisy attacks against the servers that attempt several thousand different forms of directory traversal attacks in a very short period of time, usually 3-7 minutes. Is there anyone out there who has seen a tool, or set of tools, that would perform this sort of attack? I have to say that I’m not really up to date on the attack tools, so this may be a common tool that I just haven’t heard of. Additionally, either recent upgrades to Snort have allowed me to catch more of the attacks, or the tool is being modified to include more diverse and less known vulnerable scripts. The good news is that, so far, none of the attempts appear to be successful.

On a separate note, I was watching Screen Savers and saw a new Linux build I’m dying to try out. It’s called PHLAK: Professional Hackers Linux Assault Kit. I downloaded it and tried it on one of my personal laptops, but it doesn’t appear to like something on the system. Unluckily I haven’t had the time to troubleshoot yet, nor have I had the time to try it on a different system yet. If you’ve played with this Linux build, give me some feedback on it. I really want to know how well it works.

Jan 15 2004

Personal Firewall Day

Published by under Simple Security

Today is Personal Firewall Day!

Check out the website. This is basically an attempt to raise the awareness in the average user that they should at least have a personal firewall, anti-virus, and the latest patches on their system. Something we’ve been telling people for years!

Hopefully this will catch on.

Jan 15 2004

Interesting Presentation, but not for the reasons the vendor meant it to be.

Published by under General

I went and saw an interesting presentation yesterday by Bill Pennington, Chief Technical Officer at Whitehat Security. The presentation was given at the monthly meeting of the San Francisco ISSA (can’t find the link yet) chapter. His basic message was, “Your firewalls can’t protect you, your IDS can’t protect you, one-time audits can’t protect you. The only way to protect your web servers is continuous auditing by US!” And he does have a good point: many of the threats coming at our systems today are coming over legitimate ports, using legitimate applications, but using them in ways they weren’t intended to be used. Your firewall won’t stop traffic from going to the web server, the IDS won’t detect a web request where the numbers have been slightly altered, and one-time audits can’t track system changes that may expose new vulnerabilities.

Where Mr. Pennington lost a lot of his audience was in his insinuation that firewalls, IDSs and one-time audits aren’t worth the money, and the occasional barb he threw out at some of his competitors. To be honest, his comments about his competitors weren’t all that bad, but there were a number of said competitors in the audience. I know that at least one member of the governing body of the ISSA chapter sponsoring the event was going to take him to task for his comments. Note for the future, don’t bash on the competition in a public forum.

Back to the firewall, IDS, audit thread. I think that Mr. Pennington was trying to say that these alone can’t protect you, you need more. But what he came across as saying was that his way was the only way to protect your network. This sort of market-speak may work with some of the VP and higher level people that he speaks to, but most security professionals have heard it all before. How many times have you seen someone shouting from the rooftops (metaphorically speaking) that their NEW, IMPROVED way is the only true way to protect your network? I’d say at least every six months to a year someone is saying this.

Bottom line: It is possible to promote your product without tearing down others. Admittedly, a lot harder, but doable. And I think it is a much better long-term philosophy.

Jan 12 2004

Term of the week

Published by under Malware

The Word Spy website has a pretty good description of the word “phishing”.

phishing

(FISH.ing) pp. Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data. —adj. —phisher n.

This term seems to be getting a lot of use lately, especially considering a bug recently found in the way Internet Explorer renders HTML addresses. There is an error in IE’s URL parsing. The vulnerability allows a malicious spammer to send an email with authentic-looking URLs and phish for information.

Continue Reading »

Jan 10 2004

I have nothing to say, I just felt like blogging

Published by under General

I’m sitting at work on a Saturday morning, waiting for the phone to ring, monitoring logs, and wishing I hadn’t stayed out late last night with friends. Caffeine only makes up for so much lack of sleep, and I have definitely passed that threshold. My mind is a mush of random thoughts, so I thought I would put a couple of them on the blog to see if that helps organize them. I have absolutely nothing to post that is revolutionary or revealing, but I felt a sudden urge to write.

Continue Reading »

Jan 09 2004

Hello. Did you know you’ve been hacked?

Published by under Hacking

Yesterday afternoon I had a rather interesting experience. A host was trying to compromise several of the web servers I protect. After asking the firewall administrator to shun the host, I decided I would do what I can to track back the host and make the attempts stop. This led to an interesting series of conversations. I wonder how many small businesses are sitting out there, directly connected to the Internet, blissfully ignorant of their vulnerability. There’s at least one less now. They’re less blissfully ignorant, not less vulnerable, but there is only so much I can do.

Continue Reading »

