Jul 21, 2004
The last couple of days I have been having some connectivity issues which are sort of confusing and really starting to annoy me. I think a large part of my problems are my firewall, a Coyote Linux Floppy-based firewall, running on a 486 with 16 megs of memory. This has worked pretty well for me for about 2 years, and overall I really like Coyote Linux, but every once in a while the firewall stops passing traffic. At least I think it’s the firewall. What happens is I lose connection to my ISP until I log on to the firewall and ping my ISP. The problem may be the DSL modem, it may be the firewall, or there may be some other problem that I haven’t figured out yet. I highly suspect that the issue is the memory on the firewall, but since I don’t have any more memory of that vintage, I think I’ll just create a new firewall and hope that’s the issue.
I’m looking at Smoothwall, and from what everyone has told me it’s pretty good. I have a spare PII 266 with 128 megs sitting in the garage, which should be more than enough to power a decent home firewall. My other option is to put in my Cisco 806 router with a firewall ruleset, but I’m a little leery of this as a solution. The 806 has limited memory, and despite what was advertised when I first purchased the router, it can’t take an IOS with full firewall and security functionality. I could upgrade the memory, but the last time I checked, the memory for this system would actually cost me more than a new Linksys would. A new Linksys router is another option, but right now the budget is a little stretched and any new hardware might get me killed. Ah, for the days when I was single and kidless. Wait, strike that. When I was single and kidless I was also unemployed for long stretches, so the budget wasn’t any better. Oh well.
Anyone else have any experience with Coyote Linux? Anyone else experienced the type of problems I’m seeing?
Jul 16, 2004
Yahoo! News - Online Hacker Shop Shuts Down
Hackers had set up a web site dedicated to selling the source code for Dragon by Enterasys and Napster, now owned by Roxio. The price for the code was $16k and $10k respectively. Fear of prosecution has forced the hackers to close the website down.
On one hand, I find it very disturbing that the source code for Dragon and Napster is out there somewhere; on the other hand, I say, ‘So what?’
A skilled hacker is going to be able to get much of the same information from working with a product directly and observing the results as they would from looking at the source code directly. It is unlikely that there would be any more holes discovered because of the leak, just that they’d be uncovered more quickly.
Even with the source code for Dragon, I doubt a hacker will be able to take great advantage of it. They might be able to discover a way to disguise an attack based on the algorithms used by Dragon, but I doubt (hope) there are any vulnerabilities that will enable a hacker to take control of a Dragon box, especially if it and the network it protects are properly set up.
Napster, on the other hand, could be a bigger problem. They have a much bigger installed client base, and the discovery of a vulnerability in their product could have larger consequences.
In either case, the price was going to keep the casual hacker from getting the code. Of course the whole thing could have been a ruse to get attention. Why would a hacker group that has the capability to get the source code for these two products ever post to a public website? Maybe they’re just stupid hackers.
Jul 13, 2004
I got a curious phone call yesterday. I wish I’d had more presence of mind to ask questions, but when you’re trying to herd your children, answering and asking questions is usually the last thing on your mind. The call came in the mid-afternoon, and it was a woman claiming to be a reporter for a number of Ziff-Davis publications. She wanted to ask me questions about Windows XP SP2. When I told her that I didn’t have any direct experience yet, she started to ask about what I’d heard from other security professionals. That’s when I told her I needed to cut the call short and deal with children. I’m not willing to speculate on much of anything by way of third-hand information.
I’m going to assume that the call was real, since the lady sounded a bit too bored and disinterested to be someone running a scam. I wish I’d thought of getting a phone number to call her back at (since caller ID was blocked), and some sort of proof she actually worked for ZDNet. I also want to know where she got my phone number. It probably wasn’t too hard, since I’m one of those people who include my cellphone number with every email I send out. I am guessing she may have pulled my name out of Google from a search on something like “XP Security”, or she followed a link to my site.
I’m like most people, and I feel somewhat honored to have someone from the press asking my opinion on, well, on anything to tell the truth. On the other hand, I’m a network security professional, and more than slightly paranoid to boot. If I ever receive another call like this, I’m going to have to pay a lot more attention from the get-go. Anyone else receive calls like this, either lately or in general? How do you respond to them? I don’t think I’m in too much danger of becoming a quoted name in the industry, but having a blog does raise my visibility level somewhat.