Friday, December 13, 2002

How to setup a Linux Router/Firewall
Following up on our Windows ICS article, we look at setting up a Linux router/firewall. It'll allow you to share your Internet connection and provide some protection to your home network.
Microsoft Security Tools and Checklists
Computer security over the Internet is a worldwide concern fundamental to the way we live and do business. To help ensure this security, Microsoft is mobilizing its people and resources in the Microsoft Strategic Technology Protection Program, which integrates products, services, and support.

Thursday, December 12, 2002

Lepton's Crack
Lepton's Crack can crack:

* Notes/Domino HTTP passwords (only Release 4, not the new ones used in R5/6)
* pure MD4
* pure MD5
* NT hashes (MD4/Unicode)

Using either:

* dictionary attack
* "intelligent permutations" on dictionary words attack
* "login mode" attack, that tries userID, userIDuserID, etc., as the password
Black Ops of TCP/IP: Paketto Keiretsu 1.0
DoxPara Research is proud to announce the release of the Paketto Keiretsu, Version 1.0, for general use.
scanrand
Scanrand is a proof of concept, investigating stateless manipulation of the TCP Finite State Machine. It implements extremely fast and efficient port, host, and network trace scanning, and does so with two completely separate and disconnected processes -- one that sends queries, the other that receives responses and reconstructs the original message from the returned content. Security is maintained, in the sense that false results are difficult to forge, by embedding a cryptographic signature in the outgoing requests which must be detected in any received response. HMAC-SHA1, truncated to 32 bits, is used for this "Inverse SYN Cookie".
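The "Inverse SYN Cookie" idea above is the same trick as the kernel's SYN cookies turned around: the sender keeps no table of outstanding probes, it derives a 32-bit tag from the destination with a keyed HMAC, and the receiver accepts a reply only if the tag it echoes recomputes from the responder's own address. The following Python is an added illustration of that verification step, not scanrand's code; the key, the addresses and the sample replies are constructed, and the assumption that the tag rides in the TCP sequence number (so a SYN/ACK echoes it as ack-1) is taken from the text's description.

```python
import hashlib
import hmac
import struct

# Constructed secret; a real sender would pick a fresh random key per run.
KEY = b"constructed-demo-key"


def make_tag(key: bytes, dst_ip: str, dst_port: int) -> int:
    """32-bit truncated HMAC-SHA1 over (destination IP, destination port).
    The sender embeds this in the outgoing request and keeps no per-probe state."""
    msg = dst_ip.encode() + struct.pack("!H", dst_port)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    return struct.unpack("!I", digest[:4])[0]


def tag_from_ack(ack: int) -> int:
    """A TCP SYN/ACK acknowledges seq+1, so the echoed tag is ack-1 (mod 2^32)."""
    return (ack - 1) & 0xFFFFFFFF


def verify_response(key: bytes, src_ip: str, src_port: int, echoed_tag: int) -> bool:
    """Recompute the tag from the responder's address and compare in constant time.
    A reply whose tag does not recompute is treated as forged or unrelated noise."""
    expected = struct.pack("!I", make_tag(key, src_ip, src_port))
    return hmac.compare_digest(expected, struct.pack("!I", echoed_tag & 0xFFFFFFFF))


def genuine_replies(key: bytes, replies):
    """Filter a list of (src_ip, src_port, ack_number) replies down to the ones
    that carry a valid tag; this is all the state the receiver needs."""
    return [(ip, port) for ip, port, ack in replies
            if verify_response(key, ip, port, tag_from_ack(ack))]


# Constructed sample replies: two genuine SYN/ACKs, one that echoes the tag for a
# different port (as a spoofed or mis-attributed reply would), one random ack.
SAMPLE_REPLIES = [
    ("192.0.2.10", 80, (make_tag(KEY, "192.0.2.10", 80) + 1) & 0xFFFFFFFF),
    ("192.0.2.20", 22, (make_tag(KEY, "192.0.2.20", 22) + 1) & 0xFFFFFFFF),
    ("192.0.2.10", 443, (make_tag(KEY, "192.0.2.10", 80) + 1) & 0xFFFFFFFF),
    ("192.0.2.30", 25, 0x1234ABCD),
]

if __name__ == "__main__":
    for ip, port in genuine_replies(KEY, SAMPLE_REPLIES):
        print(f"verified reply from {ip}:{port}")
```

Because the tag is only 32 bits, a forger who can see neither the key nor enough tagged traffic has roughly a one in four billion chance per guess; the point of the truncation is to fit the TCP sequence field, not to reach full HMAC strength.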
minewt
Minewt is a minimal "testbed" implementation of a stateful address translation gateway, rendered so entirely in userspace that not even the hardware addresses of the gateway correspond to what the kernel is operating against. Minewt implements what is commonly referred to as NAT, as well as a Doxpara-developed technique known as MAT. MAT, or MAC Address Translation, allows several backend hosts to share the same IP address, by dropping the static ARP cache and merging Layer 2 information into the NAT state table. Minewt's ability to manipulate MAC addresses also allows it to demonstrate Guerilla Multicast, which allows multiple hosts on the same subnet to receive a unicasted TCP/UDP datastream from the outside world. Minewt is not a firewall, and should not be treated as such.
lc
Linkcat (lc) attempts to do for Layer 2 (Ethernet) what Netcat (nc) does for Layers 4-7 (TCP/UDP): provide direct, bidirectional, streaming access to the network. Libpcap/tcpdump syntax filters may be specified in either direction, but no filtering is enabled by default. Two separate syntaxes are supported; one accepts and emits libpcap dump format (raw binary with a fixed-size file header and a fixed-size packet header), the other accepts and emits simple hex with backslash line continuation. Several other features are also implemented; specifically, early work involving the embedding of cryptographic shared-secret signatures in the Ethernet trailer is demonstrated.
phentropy
Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space. This process is reasonably straightforward: Take four numbers. Make X equal to the second number minus the first number. Make Y equal to the third number minus the second number. Then make Z equal to the last number minus the third number. Given the XYZ coordinate, draw a point. It turns out that many, many non-random datasets will have extraordinarily apparent regions in 3-space with increased density, reflecting common rates of change of the apparently random dataset. These regions are referred to as Strange Attractors, and can be used to predict future values from an otherwise random system.
paratrace
Paratrace traces the path between a client and a server, much like "traceroute", but with a major twist: Rather than iterate the TTLs of UDP, ICMP, or even TCP SYN packets, paratrace attaches itself to an existing, stateful-firewall-approved TCP flow, statelessly releasing as many TCP Keepalive messages as the software estimates the remote host is hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with their original hopcount "tattooed" in the IPID field copied into the returned packets by so many helpful routers. Through this process, paratrace can trace a route without modulating a single byte of TCP/Layer 4, and thus delivers fully valid (if occasionally redundant) segments at Layer 4 -- segments generated by another process entirely.

Friday, December 06, 2002

Burglars target 'out of office' emails
Thieves are using information contained in 'out of office' auto-reply emails and cross-referencing it with publicly available personal information to target empty houses.

Thursday, December 05, 2002

Ethics in Data Mining and Cryptography
In recent years, computer science has become more of an applied science than a pure discipline. It is true that much of the driving force behind proliferation of computing devices is commercial. However, over-commercialization has begun cultivating products that give rise to ethical issues.
In this brief article, I shall mention two such areas which require our immediate attention in both making the public aware and warning the future researchers of the implications.
KisMAC, a wireless stumbler for MacOS X
KisMAC is a stumbler application for MacOS X that puts your card into monitor mode. For that purpose we are using the viha driver. Unlike other applications, we are completely invisible and send no probe requests.
Secure Interaction Design
Criticizing bad user interfaces is easy. Designing good ones is tough. The paper tries to give some new ideas on how to think about secure interaction design and some positive design suggestions, not just criticism. (I'm sure some readers will think the design principles are obvious. That's great; then the question is: why are they so often ignored in software and how can we improve? Others will disagree with the principles. That's great too; let's start talking about it, because this topic desperately needs more thought and attention!)
IDE RAID round-up
As IDE hard drive manufacturers squeeze more and more storage capacity onto new drives, they're hacking the warranty coverage for standard drives down to one year. You get more data to use, but manufacturers seem less and less willing to guarantee the integrity and safety of all those extra bytes. RAID can help you take back some of that reliability, but that's not all. A RAID array can also dramatically increase your overall hard disk performance. In some cases, IDE RAID can even offer you the best of both worlds: redundancy to protect against drive failure and better overall storage performance to pry open the bottleneck.

Wednesday, December 04, 2002

DansGuardian - True Web Content Filtering for All
DansGuardian is a web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.
DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobstructive as you want. The default settings are geared towards what a primary school might want, but DansGuardian puts you in control of what you want to block.

Tuesday, December 03, 2002

Forensicsweb Online Services List
The following list is updated about once a month and posted monthly. This list contains a variety of ISPs and similar information services, specifically, contacts at the legal departments for service of subpoenae, court orders, and search warrants.
Reptile
Reptile is a P2P (peer to peer) application designed to locate and filter the best news on the Internet. Reptile provides a distributed and decentralized mechanism to search, cache, subscribe, and publish news and other content. Reptile also provides an infrastructure for increasing information diversification and reducing censorship and bias.
Reptile is decentralized. No single point of failure should deny a user quality news. To this end, we also aim to 'bind' across multiple network architectures. Reptile runs over the conventional "web" (HTTP) but also runs over more modern and distributed P2P architectures (JXTA).
Reptile is designed around a hybrid infrastructure which supports the advantages of both client/server and P2P systems. For example, one could run Reptile as a P2P system on a laptop. One could also run Reptile as a client/server application from a home computer and access it over SSL from a web browser from an outside location. Reptile also supports rendezvous nodes (supernodes) which bridge this functionality with the rest of the world. For example a major website can run a search request via a stable Reptile node running on a known host (AKA openprivacy.org).
the Peekabooty Project

The goal of the Peekabooty Project is to create a product that can bypass the nation-wide censorship of the World Wide Web practiced by many countries.

The free, easy and quick exchange of information possible on the Internet is seen as a threat by governments in countries where a free press and freedom of expression are not considered to be part of their people's rights. Such a government would have two options. The first would be to completely ban use of the Internet. This is an impractical measure, as it would close off that country to business opportunities and technological innovation. The preferred option is to make use of filtering computers and software - called firewalls in technological parlance - that make only those Web pages approved by the government available to their citizens.


In layperson's terms: firewalls act as intermediaries between users and the rest of the Internet. In countries where the Web is censored, the only way to access the Internet is through the firewalls. A user enters a URL - the address of a Web page - into his or her browser. This URL gets passed to the firewall, which checks to see if it is one of those banned by the government. If the URL is not on the list, the firewall forwards the request for the Web page and the contents of the page are relayed back to the user, who can then read it. If the URL is on the banned list, the firewall refuses to forward the request and sends a page back to the user.
InvisibleNET - Invisibility is the best defense.
Invisible IRC Project is a three-tier, peer distributed network designed to be a secure and private transport medium for high speed, low volume, dynamic content.
Hacker Log: Pathway to Successful Site Attack
A few fairly simple practices would have prevented my successful attack on eWeek's OpenHack site. The bottom line is that application security can be attained, but it must be consistently applied and methodically checked to be effective.
Xinetd - Part 1
Xinetd is a secure, powerful and efficient replacement for the old Internet services daemons named inetd and tcp_wrappers. Xinetd can control denial-of-access attacks by providing access control mechanisms for all services based on the address of the remote client that wants to connect to the server as well as the ability to make services available based on time of access, extensive logging, and the ability to bind services to specific interfaces.
Schneier: No "magic security dust"
Tech entrepreneur Bruce Schneier is one of America's best-known computer security experts. His testimony before Congress helped defeat legal restrictions on cryptography sought by the FBI and the National Security Agency when an appellate court ruled in 1999 that crypto algorithms were a form of speech covered by the First Amendment.

Friday, November 29, 2002

SQL Injection and Oracle, Part Two
This is the second part of a two-part article that will examine SQL injection attacks against Oracle databases. The first installment offered an overview of SQL injection and looked at how Oracle database applications are vulnerable to this attack, and looked at some examples. This segment will look at enumerating the privileges, detecting SQL injection attacks, and protecting against SQL injection.

Thursday, November 28, 2002

Secure Programming with .NET
At the core of Microsoft's .NET initiative is the goal of interconnecting businesses, users, applications, and data. However, with all the concerns regarding security and privacy of data, many individuals and companies are reluctant to connect their business systems and place their data in reach of hackers thousands of miles away. Microsoft understands the challenges and concerns facing early adopters of their technology, and has made security one of their top priorities. The fundamental pillar for building applications is the security surrounding the .NET framework and the security services it provides. In this article, we will provide an overview of .NET framework security features and provide practical tips on how to write secure code in the .NET framework. More importantly, we will discuss which pitfalls to avoid.
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses.
CodeSeeker
So what is CodeSeeker? It is an application-level firewall and Intrusion Detection System, written in Java and C/C++, and runs on Windows NT, Solaris and Linux (beta). It intercepts HTTP traffic off the TCP/IP stack (immediately after it has been decrypted by SSL if it is HTTPS), and applies a set of security rules to determine if the traffic is legitimate or malicious. CodeSeeker can either sit in a passive mode simply alerting your console of attacks (IDS) or in an active mode blocking traffic (firewall).
Butterfly Security Releases CodeSeeker as Open Source
Butterfly Security released CodeSeeker as open source through the Open Web Application Security Project (OWASP). CodeSeeker is a Web application firewall and Intrusion Detection System (IDS) tool that runs on Windows NT, Sun Microsystem's Sun Solaris, and Linux.

Wednesday, November 27, 2002

Location, location, location-based services
Studies by industry analysts forecast even greater demand for wireless and mobile devices, creating substantial opportunities for wireless device application and service providers. Faced with an increasingly difficult challenge in raising both average revenue per user (ARPU) and numbers of subscribers, wireless carriers and their partners are developing a host of new products, services, and business models based on data services. We'll have a look at location-based services and how they boost both service and revenue.
ngSniff
Some time ago, NGSEC released a command line sniffer for win2k or higher (no packet driver required). It was developed for penetration tests, once you have access to a cmd.exe shell.
Kyle's Instruction on MAC Spoofing in Windows 2000 and XP
Can you really change (Spoof) the MAC address in a Windows 2000 or XP system? YES (Almost all of them, whether Manufacturers allow it or not!).
Packet Excalibur

It is a multi-platform graphical and scriptable network packet engine with extensible text-based protocol descriptions.

In short, this is a network tool to build and receive custom packets.

With Packet Excalibur you will be able:

* to decide packet attributes from the physical layer to the top,
* to sniff and spoof packets (packet generator) in a single interface,
* to build scripts in the GUI,
* to define additional protocols in simple text files.
Transparent Cryptographic File System
Secure file sharing is a kernel service to help user applications in sharing secure files among a group of users. Each file is given a unique file_id and a user-chosen level by means of which users can choose to forbid or to permit access to it.

Monday, November 25, 2002

National Institute of Justice - Technology Programs
NIJ Sponsors technology research, development, assessment, and implementation to improve public safety.

Thursday, November 21, 2002

CYBER CRIMINALS MOST WANTED
The First One-Stop Cybercrime Awareness, Prevention and Safety Website

Tuesday, November 19, 2002

Inside OE
Inside Outlook Express is a source of technical information, help and tips for users of Microsoft Outlook Express® for Windows, versions 5, 5.01, 5.5 and 6. All articles are valid for all these versions unless otherwise stated.
The Unofficial 802.11 Security Web Page
Lots of people are interested in IEEE 802.11 security nowadays. Given that level of interest, there's a need for accurate information on how the current standards work, what's wrong with them, and the current thinking on how to fix the problems. This page tries to gather relevant papers and standards in a single place.
CRAZYTRAIN.COM
For your reference, my little nook on the Internet will house information pertaining to the Information Security arena, with a few other tidbits here and there.

Saturday, November 16, 2002

When firewalls and intrusion detection just aren't
Firewalls alone are not enough to thwart today's more sophisticated range of attacks, while Intrusion Detection Systems detect and record attacks, but do not block them. AV products, properly updated, can help protect against malicious code but are necessarily limited in their scope.

So enterprises and telecoms operators face a security gap which vendors are trying to plug with a fresh breed of security appliances, dubbed Intrusion Prevention Systems (IPS).

Into this arena comes Top Layer Networks, which is extending its line of appliances that guard against Denial of Service attacks to provide in-line protection against a wider range of Internet attacks. Top Layer's high speed ASIC-based appliances have impressed in tests on their effectiveness against DoS attacks so its entry into what is becoming a crowded marketplace is nonetheless significant.
Wi-Fi Encryption Fix Not Perfect
The biggest security risk for "Wi-Fi" wireless Internet networks is that users sometimes fail to turn on their encryption software.

But even the responsible ones who use the encryption program -- Wired Equivalent Privacy -- aren't immune to malicious attacks.

A growing trend on the streets of Manhattan is WarDrivers who break into wireless networks for fun. A professional hacker or anyone with significant programming knowledge can hack through WEP and even steal data off the network.

"WEP provides a level of security too low for me to take seriously," said Niels Ferguson, a cryptography consultant in Amsterdam who helped come up with an alternative encryption to WEP.

The WEP replacement, Wi-Fi Protected Access, adopts a more rigorous standard for authenticating users in order to eliminate the former's security flaws.

However, WPA comes with its own set of problems: denial of service attacks that can shut down the network and leave people without wireless Internet access.

Ferguson said that all wireless protocols are susceptible to DoS attacks, but WPA "is subject to all of them plus one extra type of DoS attack."
The Peon's Guide To Secure System Development
Increasingly incompetent developers are creeping their way into important projects. Considering that most good programmers are pretty bad at security, bad programmers with roles in important projects are guaranteed to doom the world to oblivion. The author feels that a step toward washing himself clean of responsibility is by writing this document. Checking your memcpy() and malloc() calls has been lectured to death. It's not working. The approach used by this document is to instead shame developers into producing better systems. Enjoy.

Thursday, November 14, 2002

WLAN
Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic.

Wednesday, November 13, 2002

SecNet11 -- Secure Wireless Local Area Network
Harris Corporation provides a revolutionary Type 1 encrypted Secure Wireless LAN (SWLAN) solution that allows COMSEC-approved government agencies to rapidly communicate multimedia information (data, voice, and video) in a secure environment.

The system integrates NSA crypto with commercial chipset based 802.11b PCMCIA cards and access points to create a secure wireless LAN.

Monday, November 11, 2002

Forensic Acquisition Utilities
This is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running system while at the same time guaranteeing data integrity (e.g. with a cryptographic checksum) and while minimizing changes to the subject system.
Using the Java Cryptography Extension in WebSphere Studio Application Developer 4.03
This article also provides step-by-step instructions and help with the Java™ Cryptography Extension (JCE), which is a set of packages that provides a framework and implementation for encryption, key generation, key agreement, and Message Authentication Code (MAC) algorithms. JCE also supports secure streams and sealed objects.

Friday, November 08, 2002

Network Signals Just Scream to Be Exploited
Organizations ignore the security risks of wireless networking at their peril.

I recently strolled past federal buildings along Connecticut Avenue in Washington, carrying a beta-test model of a tablet PC equipped with an integrated IEEE 802.11b wireless PC Card.

In no time, it auto-detected a wireless network. The tablet asked me if I wanted to connect. I declined, but as I kept walking, the tablet detected signals for three more wireless networks. (Apparently, the Secret Service is curious about these free-ranging signals, too, and has sent teams around Washington snooping for wireless networks that broadcast signals onto the street.)

I did no probing, so I don't know whether the signals my tablet PC detected came from government, corporate or home networks. Nevertheless, they're out there, just waiting for someone to exploit them.
How to Keep The Wireless Snoops Away
A wireless network is like hundreds of network cables floating in search of a rogue computer.

A good attacker can get into most networks by taking advantage of a wireless connection and its Wired Equivalent Privacy security.
The FBI's Cybercrime Crackdown
In contrast to the teenage hackers of yore, today's perpetrators -- virtually all of them adults -- mount extremely sophisticated attacks. They don't brag, and they don't leave obvious tracks.

Thursday, November 07, 2002

Understanding Bandwidth and Latency
From the bygone debates over DDR vs. RDRAM to the current controversy over Apple's DDR implementations, one issue is commonly misunderstood in most discussions of memory technology: the nature of the relationship between bandwidth and latency. This article aims to give you a basic grasp of the complex and subtle interaction between bandwidth and latency, so that the next time you see bandwidth numbers quoted for a system you'll be able to better understand how those numbers translate into real-world performance.

This article was written in such a manner that the concepts communicated in it will be applicable to understanding a wide range of systems and parts of systems: from the frontside and memory buses of current P4 and Athlon systems to the buses in Apple's new XServe. Throughout the article, then, I've deliberately avoided getting mired down in the details of specific implementations in hopes that the general concepts will stand out clearly for the reader. The flip side of this simplicity is that for almost every claim I make a technically savvy reader could probably point out various exceptions, workarounds and other caveats peculiar to particular systems and data access scenarios.
Complete Snort-based IDS Architecture, Part One
Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately, many companies find it hard to justify acquiring IDS systems due to their perceived high cost of ownership (for example see Justifying the Expense of IDS by Kevin Timm and David Kinn). However, not all IDS systems are prohibitively expensive. This two-part article will provide a set of detailed directions to build an affordable intrusion detection architecture from hardware and freely available software. This discussion will avoid the classic "build or buy" debate and instead focus on building the system at a minimum cost.

Wednesday, November 06, 2002

Essential Home Wireless Security Practices
802.11b networks are proliferating like mad. Even though faster wireless networks are now available, 802.11b offers users what they want at a reasonably low price. While the high throughput of other technologies is attractive to large Local Area Networks (LANs) and people wanting to use wireless for high-end home entertainment purposes, 802.11b's 11Mbit/sec is more than enough to hook up a handful of clients in your home to the Wide Area Network (WAN), which in most cases is simply the Internet.

Tuesday, November 05, 2002

The Journal of Craptology
The Journal of Craptology is an electronic journal on cryptologic issues. Papers accepted for publication in the Journal of Craptology relate to cryptology and fall into one or several of the following categories.
1. It is funny.
2. It is controversial.
3. It is crap.

Friday, November 01, 2002

SQL insertion
During the time that we were preparing for BlackHat, Haroon Meer (haroon@sensepost.com) started extensive fiddling with SQL insertion. A topic that has been touched on before, but never really studied in depth, Haroon decided to spend some time on it (between 2am and 5am). He wrote a paper on it for Phrack Magazine that didn't make it on account of formatting issues. After licking our wounds, we decided to put the paper out there and Haroon posted it to the Pen-Test mailing list. In true Haroon style, the paper is a little difficult to follow, and I promised him I would recycle it so that it would make sense to all the listeners out there.

Tuesday, October 29, 2002

Very basics of TCP/IP - Layers and what they do
Introduction - what is TCP/IP? TCP/IP stands for Transmission Control Protocol/Internet Protocol and is the system of standard protocols that runs the web. That is to say, any computer that wants to send WWW information to another via the internet will almost certainly want to use TCP/IP as the transmission protocol, and understanding it is the key to understanding the 'lower levels' of how the internet works. Keep in mind, though, that other protocols such as SMTP and FTP take over to control email and some file transfers respectively.
Freenet
Freenet is a large-scale peer-to-peer network which pools the power of member computers around the world to create a massive virtual information store open to anyone to freely publish or view information of all kinds.
Increasing Wireless Security with TKIP
TKIP is a quick-fix method to quickly overcome the inherent weaknesses in WEP security, especially the reuse of encryption keys. According to "802.11 Planet," "The TKIP [security] process begins with a 128-bit 'temporal key,' [which is] shared among clients and access points. TKIP combines the temporal key with the [client machine's] MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data. TKIP uses RC4 to perform the encryption, which is the same as WEP. A major difference from WEP, however, is that TKIP changes temporal keys every 10,000 packets. This provides a dynamic distribution method that significantly enhances the security of the network."
The IP Smart Spoofing
This paper describes a new technique for spoofing an IP address with any networking application. IP spoofing is not new, and various hacking tools have been developed to exploit it. In the following, we will discuss how to use it with any standard application. As a result, we will explain why IP-based access control is not reliable in many cases, and should not be used in many corporate networks.

Wednesday, October 23, 2002

Encryption method getting the picture
Researchers have created a new way to encrypt information in a digital image and extract it later without any distortion or loss of information.
A team of scientists from Xerox and the University of Rochester said that the technique, called reversible data hiding, could be used in situations that require proof that an image has not been altered.
Using File Hashes to Reduce Forensic Analysis
The "hashkeeper" paradigm or model was first introduced a number of years ago by Brian Deering of the National Drug Intelligence Center (www.hashkeeper.org). Since then, computer forensic analysts have come to use the term hashkeeper when they discuss ways of using the hash values of files to assist in forensic analysis.

Tuesday, October 22, 2002

Exposing the Underground: Adventures of an Open Proxy Server
This paper discusses the abuse of misconfigured HTTP proxy servers, taking a detailed look at the types of traffic that flow through this underground network. Also discussed is the use of a "honeyproxy", a server designed to look like a misconfigured HTTP proxy. Using such a tool we can spy on the Internet underground without the need for a full-blown honeypot.
EKAHAU
Ekahau Positioning Engine (EPE) is a powerful Java-based positioning server that provides PC and PDA location coordinates (x, y, floor) and tracking features to client applications. EPE includes a stand-alone Manager application for performing the site survey, drawing Ekahau Tracking Rails™, recording site calibration data, tracking wireless devices, and analyzing the positioning accuracy. Ekahau's patent-pending technology features up to 1 meter (3½ ft) average accuracy, enabling people and asset tracking both indoors and outdoors.
Writing a universal backdoor
The idea is to write a simple (but universal) backdoor, that is able to perform ANY TASK without knowing (at the time it is written and installed) which TASKS it will perform in the future. The backdoor will be very small, containing no coded functionality, but being able to be used for any purpose you don't even know of when you install the backdoor on the victim's PC. A plugin mechanism may be a better description for this kind of backdoor, because anytime your victim is online, you can "plug in" some "feature" and run it on his machine.

This article will focus on the underlying concept, not on the implementation of all the possible "features".

It's an article for people who want to program a backdoor. Nevertheless it will present a simple ready-to-run backdoor that you just have to compile and install.

AND: I will use Java as the programming language!

Sunday, October 20, 2002

Network Security Group
These are descriptions, slides and notes for the monthly OSU SECWOG meetings and for other talks that members of the group have given. In some cases you'll find slides (web, Adobe Acrobat (pdf), postscript...) and in others we just have notes available.
Best Free Computer Forensics Training Materials
A long list of links to training materials.

Thursday, October 17, 2002

IACIS Home Page
IACIS is an international volunteer non-profit corporation composed of law enforcement professionals dedicated to education in the field of forensic computer science. IACIS members represent Federal, State, Local and International Law Enforcement professionals. Regular IACIS members have been trained in the forensic science of seizing and processing computer systems.
Computer Forensic Legal Standards and Equipment
This paper addresses an issue of increasing importance to companies in this modern era. Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies’ top priority in this age of increased security conscious commerce. The topic of this document focuses on the CIRT aspect of security conscious commerce, but in a less familiar role. This less familiar role of CIRT is the function of investigations and more specifically, the role of computer forensics as part of a company’s arsenal in the war on network/resource abuse and intellectual property theft. This document is not designed to provide a specific checklist of everything that a CIRT must have, or provide expert knowledge of all laws related to the handling of evidence. It does however seek to provide the reader with some of the basic considerations and tools available to make a CIRT or corporate investigator effective in gathering, preserving and analyzing computer evidence.
Forensic Computer and Data Investigations
Things you should consider before gathering and determining who will examine your data.
Computer Forensic Examiners
CYBER CRIMINALS MOST WANTED, The First One-Stop Cybercrime Awareness, Prevention and Safety Website. I'm on it!
Hacking Citrix
Citrix is a Remote Desktop application that is becoming widely popular. It is similar to Microsoft's Terminal Services, RDP (Remote Desktop Protocol). Unlike Terminal Services, Citrix's lines of products allow the administrator to specify certain applications to be run on the server. This allows them to control which programs they want to allow the end user to execute. There exists an interesting gray line for the security of Citrix applications due to the mixing of both Citrix technology and Microsoft technology. With an application that allows users remote access to not only published programs, but remote desktops, a serious threat arises. Microsoft Terminal Services uses RDP, whereas Citrix uses ICA (Independent Computing Architecture).

In this paper I will be outlining how Citrix works, and how to take advantage of the way Citrix handles user access to programs.

Tuesday, October 15, 2002

How mobile phones let spies see our every move
Government's secret Celldar project will allow surveillance of anyone, at any time and anywhere there is a phone signal.

Tuesday, October 08, 2002

Wireless & Devices: Secure Your Organization's Mobile Devices
Without proper security, mobile devices can present risks to your enterprise. Discover your options for securing them.

Friday, October 04, 2002

Laptop Disassembly
Pictures of several laptops taken apart.
DNSSEC - Securing the Domain Name System
DNSSEC (short for "DNS Security") is a technique for securing the Domain Name System. It is a set of extensions to provide end-to-end authenticity and integrity and was designed to protect the Internet from certain attacks.
There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.
Wireless Security & Hacking
This article deals with WLAN security, explains the most common attack techniques and introduces some useful tools.
Computer Forensics Tool Testing (CFTT)
The CFTT is designed to provide a measure of assurance in the results of investigations based on automated tools used in computer forensics examinations. These tools are used by law enforcement, government, and industry organizations to examine disk drives seized in computer crime investigations and to analyze the files found. Examples of tools may include disk imaging software, password crackers, image analysis tools, and others.
National Software Reference Library (NSRL)
This project is supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology (NIST) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. Numerous other sponsoring organizations from law enforcement, government, and industry are providing resources to accomplish these goals.
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.

Thursday, October 03, 2002

Unix tools track hackers
If you find you've been cracked use these old-school Unix tools to help track down the perpetrators.

Tuesday, October 01, 2002

Evaluating Network Intrusion Detection Signatures
In this series of articles, we present recommendations that will help readers to evaluate the quality of network intrusion detection (NID) signatures, either through hands-on testing or through careful consideration of third-party product reviews and comparisons. The first installment discussed some of the basics of evaluating NID signature quality, as well as selecting attacks to be used in testing. This article will conclude the discussion on criteria for choosing attacks and then provide recommendations for generating attacks and creating a good testing environment. We begin by discussing some methods of acquiring attacks and attack traffic.
DFRWS
The Digital Forensic Research Workshop, or DFRWS, was initiated in August 2001 to bring academic researchers and digital forensic investigators and practitioners together for active discussion that addresses three major objectives:
Define the need and create the processes for the incorporation of a rigorous scientific method as a fundamental tenet of the evolving discipline of Digital Forensic Science

Develop a research agenda that considers practitioner requirements, multiple investigative environments and emphasizes real world usability

The discovery, explanation and presentation of conclusive, persuasive evidence that will meet the heightened scrutiny of the courts and other decision-makers in military and civilian environments
Special Applications - Port List
List of ports that commonly used applications make use of.

Monday, September 30, 2002

Security and Encryption Links
The following are security-related resources (aka "the crypto link farm") that I've found on the net. If there's anything which needs updating or correcting, please let me know. Because of its large size, I only update the online version of the page every few months, so please be patient when waiting for updates to reported changes to appear.
poorsniff - a command line windows sniffer
No pcap, winpcap or packet driver required; only a 9k executable (at present); all code public domain.

Sunday, September 29, 2002

Secret Service agents probe wireless networks
Secret Service agents are putting a high-tech twist on the idea of a cop walking the beat. Using a laptop computer and an antenna fashioned from a Pringles potato chip can, they are looking for security holes in wireless networks in the nation's capital.

The agency best known for protecting the president and chasing down counterfeiters has started addressing what it calls one of the most overlooked threats to computer networks.

Friday, September 27, 2002

Hacking Citrix
Citrix is a Remote Desktop application that is becoming widely popular. It is built off of Microsoft's Terminal Services RDP (Remote Desktop Protocol). Unlike Terminal Services, Citrix's lines of products allow the administrator to specify certain applications to be run on the server. This allows them to control which programs they want to allow the end user to execute. There exists an interesting gray line for the security of Citrix applications due to the mixing of both Citrix technology and Microsoft technology. With an application that allows users remote access to not only published programs, but remote desktops, a serious threat arises.

Thursday, September 26, 2002

Security Gateway
SecurityGateway.com is an exciting, innovative online resource. It is a uniquely designed portal, or “gateway” to a vast world of security industry related news and information. Whether you are a professional working in the security or public safety fields, a business owner or a residential consumer, SecurityGateway.com has something for you. You’ll have quick and easy access to industry news, trends and information – all in one place.
Explore and experience SecurityGateway.com for yourself.
Securing Linux 101: Reasonable Steps to Detect and Prevent Blackhats
In the age of Web-based archives of packaged break-in tools (“script kits”) being run by inexperienced hackers (“script kiddies”), it’s increasingly important not to overreact when you suspect that a break-in has occurred. This article helps provide ideas, methods, and checklists for detecting blackhats and securing your Linux box. The article also provides a list of resources.
Remote Management of Win2K Servers: Three Secure
It's a common scenario: your company has an IIS Web server sitting 300 miles away at a high-bandwidth, air-conditioned and power-regulated co-location center. The network is stable and the price is right, but you must completely manage the server remotely; you can't just go sit down at the console whenever you want. Remote management presents several problems, the most obvious being that the traffic between you and the server is travelling across the public Internet, available for others to sniff. Another problem is that remote administration normally involves installing software and opening ports, both of which increase the attack surface of your server. The goal when selecting a remote administration solution is to make sure that you (and only you) can do your job without exposing the server to additional risk.
Secure Programming in PHP
The goal of this paper is not only to show common threats and challenges of programming secure PHP applications but also to show you practical methods for doing so. The wonderful thing about PHP is that people with little or even no programming experience are able to achieve simple goals very quickly. The problem, on the other hand, is that many programmers are not really conscious of what is going on behind the curtains. Security and convenience do not often go hand in hand -- but they can.
The Art of Unspoofing
The amount and frequency of denial of service attacks are escalating. It is becoming harder to track down the source who initiates them due to trace-evasion techniques. A raw interface to the networking stack allows anyone to send spoofed packets to a target host, eliminating the ability of its administrator to determine the origin of the attack. In today's world of e-commerce and globalization, these attacks and the inability to determine their source can be devastating. It gives small companies a bad name, and destroys the good reputations of larger companies.

The ability to track down a source that uses spoofing techniques will certainly increase the chance to catch those attacking, and will force people to think of more intricate ways to attack servers on the net. This paper describes a few ways to track down these sorts of attacks up to the last link in the chain (the attacker himself), or at least his ISP.
The BSDs: Sophisticated, Powerful, and (Mostly) Free
What is BSD? If you ask a typical computer "expert," he or she is likely to reply (incorrectly!) that it is "an operating system." The correct answer, however, is more complex than that. BSD is -- among other things -- a culture, a philosophy, and a growing collection of software, most (though not all) of which is available for free and with source code.
Here are the origins of BSD and the operating systems it has spawned. BSD stands for "Berkeley Software Distribution," the name first given to the University of California at Berkeley's own toolkit of enhancements for the UNIX operating system. Created by the students and faculty, BSD was not part of UNIX itself, which was created by Bell Labs. Rather, it was a widely distributed package of software enhancements for UNIX -- a supplement that made the operating system, which was originally strictly a research vehicle, useful in the real world.

Over time, however, BSD took on a life of its own. It evolved to include replacements for nearly every part of UNIX -- so much so that only the omission of six computer files prevented it from being a complete operating system by itself. Industrious programmers quickly developed replacements for these six files and made the BSDs into usable operating systems.

Tuesday, September 24, 2002

ngSniff
ngSniff is a command line sniffer for win2k or higher. It does not require any packet driver, so it is a "must have" tool for penetration tests.
Cain & Abel
A Microsoft password recovery tool. Freeware!
Manipulating Microsoft SQL Server Using SQL Injection
This paper will focus on advanced techniques that can be used in an attack on an application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network.
AntiSniff
This is a 15-day fully functional trial version of AntiSniff 1.01.
IBM Delivers Security For Wireless LANs
IBM on Monday released several security services that are designed to plug holes in corporate wireless LANs.

The services are meant to address some of the weak spots in wireless networking that make enterprises nervous about allowing access to e-business applications from increasingly popular wireless devices.
Fake AP
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
Wireless Scanning – Wardriving / Warchalking
In my previous article about wireless security and hacking, I introduced common security threats in WLANs and ways that wireless hackers use them to break into a wireless network. Before a wireless hacker breaks into a WLAN, he/she must identify a suitable open network to launch her/his attack. This article explains what the common methods for wireless scanning are, and how to get protected against them as well.
SucKIT
The SucKIT is an easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without the help of LKM support, System.map or such things. Everything is done on the fly. It can hide PIDs, files and tcp/udp/raw sockets, and sniff TTYs. It also has integrated TTY shell access (xor sha1) which can be invoked through any running service on a server. No compiling on the target box is needed; one precompiled binary can work on any 2.2.x & 2.4.x kernel (libc-free).

Monday, September 23, 2002

The Case For Ethical Hacking
An excerpt from The CISSP Prep Guide: Mastering The Ten Domains of Computer Security.
Want secure e-mail? Train users
Despite the huge volume of business-related e-mail and the pent-up demand for secure e-mail solutions, encrypted e-mail is still the exception rather than the rule. As organizations evaluate the maturing technologies for secure e-mail, both policy and user training issues must be examined. Often, project plans become so caught up in the technical pros, cons, and differentiators that the goal is overlooked, as is the significant hurdle of user acceptance and utilization of any proposed secure e-mail technology. We advise that organizations examine possible solutions for their merit and security, the usability of such solutions, as well as the user training and education that will be required for successful deployment.
Website statistics
The website statistics of this weblog.
PHENOELIT
You are entering the lands of packets, brute force and misuse of trust.
This is a dark land. Full of problems and choices. Be careful when you use your knowledge. Be also careful with your tools and weapons. Never underestimate your enemy.

Sunday, September 22, 2002

Remote Administration Tool PART 1
This article discusses programming a remote administration utility using the Winsock component in Visual Basic 6. This is the first part of this series and it is for newbies. This section helps you to build a utility to send messages from client to the server. In the coming sections we will be discussing programming advanced features (for the server, like making it an FTP server or Telnet server etc.) to make it a perfect remote administration tool.

Friday, September 20, 2002

Networking to Internet, a long journey
The art of computer networking dates back to the 1960s. As the use of computers was on the increase in the early 1960s the question of how to hook up and share the data between computers had arisen. The first revolutionary packet switching technique was invented by Leonard Kleinrock. Thereafter, this idea had gained popularity and people like Paul Baran at the Rand Institute had begun investigating on how to use packet switching for secure voice over military networks.

Roberts published a plan for the ARPAnet (Advanced Research Projects Agency network) based in the United States, the first packet switched computer network and the ancestor of today's Internet. The early packet switches were known as Interface Message Processors (IMP), the first of which was installed at UCLA. Shortly, 3 more followed and the Internet grew to four nodes large by the end of 1969. Of course, things weren't as easy: the very first use of the network to perform a remote login from UCLA crashed the remote system. (The other three nodes were the Stanford Research Institute, UC Santa Barbara, and the University of Utah.)
Search engine
Something went wrong with the search function on this site. The index didn't automatically update for about 41 days (...). Fixed the problem so now the search engine is updated every week.
Internal Network Security
When organizations first begin to assess network security, the tendency is to focus almost exclusively on external facing assets to defend against unauthorized "hacker" attacks. However, to establish an effective security program, organizations must examine both internet facing, publicly accessible resources, as well as private internal networks. Recent findings, released by the FBI and the Computer Security Institute, show that internal attacks account for the majority (60%) of security breaches organizations experience, suggesting that internal security needs to become more of a priority for security managers.

Thursday, September 19, 2002

Scary Tales from the Cryptologist
Information-security expert Paul Kocher is worried because as programs grow larger, identifying flaws becomes increasingly harder
In 1995, Paul Kocher caught the attention of information-security experts when he unveiled a method for cracking a handful of commonly used computer codes by timing how long it took for computers to process requests using those code algorithms. Today, Kocher remains a prominent voice in the cryptography field. As head of Cryptography Research, he and his small band of San Francisco-based cryptographers are paid by banks and credit-card companies to "hack" their products in hopes of uncovering system vulnerabilities.

Far from being an unqualified believer in cryptography, however, Kocher is deeply concerned. What worries him is that the tried and true methods, which rely on increased computing power to crack codes, will fall behind in their capacity to solve information-security problems. I recently spoke with Kocher about encryption's looming challenges. Here are edited excerpts from our conversation.
E-Secure-DB IT Security Information Database
This outstanding repository of data has information stored in easily accessed folders, indexed and cross-referenced on all aspects of IT security: vulnerabilities, product overviews, policy, procedures and more information on IT security worldwide.

Wednesday, September 18, 2002

Detecting and Removing Trojans and Malicious Code
The purpose of this article is to recommend steps that an administrator can use to determine whether or not a Win2K system has been infected with malicious code or "malware" and, if so, to remove it. This article will specifically address network backdoor Trojans and IRC bots, but the information delivered in this article should assist the reader in a variety of situations.
Enterprise Security: An Architectural Approach
It is easy to lose sight of the bigger picture when addressing security concerns in the enterprise. IT executives should develop a strategic plan to address security requirements throughout the enterprise before digging into any single issue. IT executives should also work closely with other line of business (LOB) executives to incorporate areas such as auditing, intellectual property, and physical site security into an overarching security strategy document for the company as a whole.
Wiretapped - Computer Security Software etc.
Wiretapped is an archive of software and information covering the areas of host, network and information security, network operations, cryptography and privacy, among others. We believe we are now the largest archive of this type of software & information, hosting in excess of 20 gigabytes of information mirrored from around the world.

Tuesday, September 17, 2002

Offline NT Password & Registry Editor
Overview
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file.
You do not need to know the old password to set a new one.
It works offline, that is, you have to shut down your computer and boot off a floppy disk. The boot disk includes stuff to access NTFS partitions and scripts to glue the whole thing together.
Note: It will now also work with SYSKEY, including the option to turn it off!
Why?
NT stores its user information, including crypted versions of the passwords, in a file called 'sam', usually found in \winnt\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible. But thanks to a German(?) named B.D, I've now made a program that understands the registry. As far as I know, Microsoft provides no way of changing the password if you cannot log in as someone with appropriate privileges, except restoring the registry files from the rescue floppy.

Sunday, September 15, 2002

Timing analysis of keystrokes and timing attacks on SSH
In PDF format.
Human Firewall - Be aware. Be secure.
The Human Firewall Council, a non-profit security awareness organization, has created the industry's first free online tool for benchmarking security management best practices. The Security Management Index takes participants through a series of questions covering the nine major sections of ISO17799. At the end of the survey, each participant receives a score that shows how their security practices measure up. Results are completely confidential. Aggregate data will be used to create a final report to be released in January 2003. The Security Management Index is sponsored by industry leaders such as British Standards Institute, PentaSafe, Sun Microsystems, ISSA, QinetiQ and InfoWorld.

Thursday, September 12, 2002

Stunnel 4.00 Builds on Prior Success
Late last week, the newest version of Stunnel[1], the secure SSL wrapper, was released. Stunnel encapsulates cleartext protocols within strong SSL encryption and can be used to protect pretty much any standard[2] TCP connection, from your mail protocol (POP, IMAP, SMTP) to your own customized application. Stunnel runs on many different operating systems from Linux and other Unix-like systems (*BSD, Solaris, etc) to Windows.
Evaluating Network Intrusion Detection Signatures, Part 1
Over the past several years, a number of academic and commercial entities have conducted evaluations of various network intrusion detection (NID) software, to determine the overall effectiveness of each product and to compare the products to each other. Many system administrators and security analysts are also responsible for conducting their own evaluations of NID products, in order to choose a solution for deployment in their environments. NID evaluations typically include some rough indication of the relative quality of each product's signatures. However, high signature quality is critical to achieving a good NID solution, so the importance of accurately evaluating signature quality cannot be stressed strongly enough.
In this series of articles, we will present recommendations that will help you to evaluate NID signatures. As you shall see, properly testing NID signatures is a surprisingly complex topic. We will begin by discussing some of the basics of evaluating NID signature quality, and then look at issues relating to selecting attacks to be used in testing. Although you may not necessarily perform hands-on NID testing and evaluations, the information presented in this series of articles will give you the knowledge and the facts to get the most out of published reviews and comparisons of NID signatures. Note that we assume that the reader is already familiar with the basic concepts and principles of network intrusion detection.
Web server security
This article details how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring Apache's Common Gateway Interface, and wrappering dynamic content. The article is targeted primarily at Webmasters and system administrators responsible for maintaining and securing a Web server; however, anyone with a need or desire to serve dynamic content will benefit from the topics covered. A basic understanding of Linux commands, permissions, and file structures is assumed.
Web Hacking: Attacks and Defense
Web Hacking is the ultimate technical good read. With solid technical content, keen analysis, and acclaimed cut-to-the-chase writing style, the authors bring unparalleled insight to both well-known and lesser-known web vulnerabilities. They show how to defend your web servers and web-based payment systems. They explain the complete range of attacks, including buffer overflows, the most wicked of attacks. "How Do They Do It?" real-world case studies describe how different attacks work and why they work.

Sunday, September 08, 2002

Corporate Spies: Get Out
If you want good employees, treat them like human beings and show them some trust. Spying makes for a frosty, unwelcome workplace.
As an employee and not a boss, I have a fairly limited perspective in terms of allowable workplace slack. At every job I've started since the computer came into play, part of the human resources mix has been perusal and signing of a document that states, basically, that I have sold my soul to the company store.
This document varies in its wording, but it basically threatens the new employee with expulsion if the phone, computer or office is used for any type of personal business whatsoever.
Profile of the Perfect Security Guru
Experts agree that penetration testing or vulnerability analysis are key to securing systems, but opinions differ on whether a background in hacking is necessary.
Trick 'wardriving' hackers with a blizzard of bogus access points
Software that generates a blizzard of bogus wireless network access points could bamboozle hackers trying to access corporate and home computer networks. This would stop them stealing wireless surfing time and exploring corporate wireless networks, say the two US computer programmers behind the scheme.
Win2K First Responder's Guide
When it comes to computer security incidents, proper first response handling is second in importance only to incident prevention. Improper handling or collection of available information can do irreparable harm to an investigation. Investigators need to have a thorough understanding of what information they intend to collect, as well as the tools they can use and the effects those tools have on the system itself.
Computer forensics specialists in demand as hacking grows
Today's real-life crime-fighters battle villains more sophisticated than those the comic-book character ever faced — and these modern-day crooks often set their sights on threatening business, government and national security using computers.

Thursday, September 05, 2002

spamfaq
Every e-mail or post will have a point at which it was injected into the information stream. E-mail will have a real computer from which it was passed along. Likewise a post will have a news server that started passing the post. You need to get the cooperation of the postmaster at the sites the message passed through. Then you can get information from the logs telling you what sites the message actually passed through, and where the message "looked" like it passed through (but actually didn't). Of course you do have to have the cooperation of all the postmasters in a string of sites...
EventID.Net
Ever wondered how the mind of an NT/2000 guru works when troubleshooting a specific problem? How do they come up with the solutions? We may not quite be gurus, but through the years we have developed a certain troubleshooting ability. We are starting to share our methods by adding "Our Approach" to specific events.

Wednesday, September 04, 2002

Hacker vs. Hacker: How To Tell Them Apart
If we do not distinguish good from bad, if we fail to understand the make-up of such a complex group of people, how can we ever hope to limit black-hat hacking?
Spyware Trojan sends Hotmail to your boss
Here's a piece of software that will make any decent human being vomit. Proudly marketed by spyware outfit SpectorSoft, it's a lowlife Trojan called eBlaster which you can e-mail to anyone in the world foolish enough to use Windows and log their keystrokes, and force their POP mail and Hotmail and Yahoo Web mail accounts to copy you in everything going on.
Adaptive Linux Firewalls
Automatic firewall hardening is a technique used by many commercial firewalls to prevent invalid packets from reaching protected networks. The objective of this document is to demonstrate how to harden iptables in real-time.
MS Outlook digital sigs easily forged
Digital signatures can easily be forged and therefore can't be trusted in Outlook because of the same certificate chaining issue plaguing Internet Explorer, researcher Mike Benham says.

Benham is responsible for discovering and publicizing the IE debacle, where SSL certs can be signed by an untrusted intermediary without warning to the end user.
Corporate saboteurs find hacking powerful weapon
In the popular imagination, a computer hacker is on the fringes of society — either a brilliant but misguided teenager or a solitary, disaffected adult. He's more interested in showing off his skills than benefiting from them. He values havoc over money.

Tuesday, September 03, 2002

TOOLS-ON.NET
Free tools for connected people. Online privacy and proxy tests, a great whois tool, ping, traceroute, anonymity, security and more. The tools you can find here were started as a couple of scripts I wrote to help me administer Promstroybank of Russia's domain. Now they are available here.
NTI
NTI specializes in finding 'computer secrets'. We are experts in the exploitation of the security weaknesses in DOS, Windows, Windows 95, Windows 98, Windows NT and Windows 2000 to find computer evidence and computer security data leakage.
Computer Forensics
Computer-based crime has given rise to a new type of evidence gathering, or forensics, and a new breed of investigator. But computer forensics is still a young discipline, and almost no one today has been trained purely as a computer forensic analyst. Some police officers are drawn by an interest in computers, while most independent computer investigators are either former police officers or IT professionals. Forensic scientists and technicians play a critical role in law enforcement and corporate investigations.
What all of these professionals have in common, however, is a need to know about computer and network technology, analysis tools and the law. The art and science of computer forensics calls for solid detective skills combined with sufficient knowledge to find, preserve and document computer-based evidence.
Handbook of Computer Crime Investigation
Learning about the ins and outs of computer forensics technology and the law make four recent releases worth investigating.
Wireless Security Tools
A huge collection. Still growing!
Wepcrack
WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
daSniff
daSniff is an open source customizable sniffer for win32 systems. It helps you to log your LAN traffic by specifying packet rules as filters. It has two major versions named version A and version B. Both versions use the same packet filtering, but different sniffing code. Version A uses pure WinSock2 API and runs only under Windows 2000 and above with administrator privileges. It is also available as a Windows NT service. Version B uses WinPcap as a packet capture library and runs under Windows 95/98/ME/2000/XP.
Show Traffic
Show Traffic for Windows monitors network traffic on the chosen network interface and displays it continuously. It could be used for locating suspicious network traffic or to evaluate current utilization of the network interface.
Catching wireless hackers in the act
It's been a cinch for vandals with an eye on Internet mischief to launch attacks by co-opting an unsecured wireless network, but such break-ins may not go so unnoticed now.
A heavily monitored wireless network was quietly set up this summer to lure hackers and keep track of attacks. Science Applications International Corp. (SAIC) created the network to study the methods of wireless vandals. It is the first wireless version of a so-called honeynet, networks of servers designed to lure in hackers and then monitor their actions.
Ask these questions before you hire a hacker or cracker
If you interview someone who claims to be a former hacker or cracker, don’t jump to conclusions. Many people who call themselves hackers have never committed an illegal act and possess qualities desirable in an employee. Likewise, some who claim to be crackers lack the technical skills to justify the term, however malicious or self-serving their intent.

Sunday, September 01, 2002

Vihrogon: Advanced SSH RootKit
A rootkit is a blackhat tool used to hide the attacker's activity from the administrators of the system. The most common form of a rootkit contains replacement binaries for commonly used administration utilities, like ps, top and netstat. As you can guess, the ps replacement will hide processes matching certain criteria, identifying them as belonging to the hacker. Another function of the rootkit is to enable the attacker to regain access to the system through some sort of backdoor. An example is a modified ping (suid on most systems) command which spawns a root shell when executed with a special parameter known only to the attacker.

In this article we will explore the SSH server and the opportunities it provides for those willing to indulge in blackhat activities. An SSH rootkit Vihrogon SSH 0.3 will be presented.

Friday, August 30, 2002

Internet anonymity for Windows power users
Our previous article, "Do-it-yourself Internet anonymity" was targeted towards average Windows users. It generated a startling number of e-mail requests for some advanced tactics, which I'm happy to supply. However, power user or not, I'd recommend at least skimming the earlier article if you haven't read it, just to ensure that you're not forgetting something obvious and useful. I'm not going to re-cap much of it here.
Proxys - 4 - All : Helping Secure Your Privacy & Anonymity on the Internet
These proxy servers can be used by anyone.
SOCKS
SocksCap automatically enables Windows-based TCP and UDP networking client applications to traverse a SOCKS firewall. SocksCap intercepts the networking calls from WinSock applications and redirects them through the SOCKS server without modification to the original applications or to the operating system software or drivers.
Do-it-yourself Internet anonymity
Along with the recent government hysteria over terrorists, we've seen legislative measures and 'emergency powers' inviting law-enforcement agencies worldwide to conduct Internet surveillance on an unprecedented scale. But because the state-of-the-art of electronic dragnets makes it difficult if not impossible to exclude the comings and goings of innocent citizens, we thought this a good time to run down the basic techniques for ordinary, law-abiding folk to come and go anonymously on the Net, and keep their private business private.

Thursday, August 29, 2002

E-mail a treasure trove for cops
Not since the glory days of letter-writing, before the advent of the telephone, have people committed so much revealing stuff to written form as they do in the age of computers. All those e-mail messages and electronic files are a treasure trove of evidence for law enforcement officers, whether they are targeting terrorists, crooked CEOs or local drug dealers.
Next-Generation Win32 exploits: fundamental API flaws
This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor. Microsoft has known about these flaws for some time; when I alerted them to this attack, their response was that they do not class it as a flaw - the email can be found here. This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible.

This paper is a step-by-step walkthrough of how to exploit one example of this class of flaw. Several other attack methods are discussed, although examples are not given. There are many ways to exploit these flaws, and many variations on each of the stages presented. This is just one example.
WirelessSniffer
More and more WirelessSniffers are becoming available. These could be quite useful.
Computer Fraud & Security
Computer Fraud & Security has grown with the fast-moving information technology industry and has earned a reputation for editorial excellence with IT security practitioners around the world.

Every month Computer Fraud & Security enables you to see the threats to your IT systems before they become a problem. It focuses on providing practical, usable information to effectively manage and control computer and information security within commercial organizations.

Current News - A round up of all the latest IT fraud and security news worldwide giving you advance warning of all the latest threats and countermeasures.
Security Reports - Leading experts discussing recent headline security events will help you better understand the problems and learn from the mistakes of others.
In-depth Feature Articles - Providing advice and solutions to key IT security management issues to help you develop, implement and strengthen your corporate IT security policy.
Regular columns: Tales from the Crypt examines the changing face of international cryptography policy. Web Review takes a look at excellent new Web sites to guide the security professional to useful pages. Shockwave Writer offers a stimulating view on a number of hot topics in IT security.
Technical aspects - IT security explained in clear English to help you convey the value of IT security to board level.
Computer Law & Security Report
Equally accessible to lawyers and computer security professionals alike, The Computer Law and Security Report regularly covers:
Data protection and privacy
Data and software protection
European community developments in IT, IP and telecoms law
IT contracts
Telecommunications law and online liability
Internet law and security policy
Electronic commerce
Internet fraud and misuse
Systems security and risk management

The Forum includes more than 80 specialists in computer law and security - between them specializing in every aspect of computer and communications law - spotting trends, highlighting practical concerns, monitoring new problems, and outlining key developments.

Each issue contains well-researched, reliable and thought-provoking articles, case studies, detailed features and news reports - ensuring that you do not miss out on the impact of legislation worldwide and that you understand the problems of managing the legal and security requirements of computer use.

Wednesday, August 28, 2002

Who’s spying on my Hotmail?
Think using Yahoo or Hotmail e-mail at work protects you from your boss’ prying eyes? Think again. New spy software essentially lets employers or parents co-pilot virtually any kind of e-mail account, including private Web-based e-mail accounts like Yahoo and Hotmail. A new version of eBlaster spyware will secretly forward all e-mail coming and going through such Web-based accounts to a spy’s e-mail, allowing anyone to “ride-along” even the supposedly private e-mail.
Loophole Software
Loophole Server and Loophole Client use a technique called HTTP Tunneling to avoid filtering by the firewall or web filter. This process makes Loophole's Internet traffic appear to be web browsing.
Tunneling combines with strong encryption to make your Internet traffic secure against monitoring.
Doxpara Research
DoxPara Research exists as a repository for information security analysis, UI theory, and the miscellaneous writings of its founder, Dan Kaminsky.
WhiteHat Arsenal
WhiteHat Arsenal is designed to be the next generation of professional web application security audit software. Architected from the ground up to be a generic web application security productivity tool, WhiteHat Arsenal provides security professionals and web application developers access to the tools they need to make the job of securing web applications faster and easier than ever before.
Mixmaster
Mixmaster is an anonymous remailer. Remailers provide protection against traffic analysis and allow sending electronic mail anonymously or pseudonymously. Mixmaster consists of both client and server installations.
Ettercap
Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs.
It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.
Achilles
Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server that allows you to intercept and manipulate data sent to and received from the destination server. Achilles supports Secure Sockets Layer (SSL) transactions. Achilles waits to receive all packets before building the request or reply and features the ability to recalculate the Content-Length field before retransmitting, to avoid invalid request errors.
HTTPush
HTTPush aims at providing an easy way to audit HTTP and HTTPS application/server security. It supports on-the-fly request modification, automated decision making and vulnerability detection through the use of plugins, and full reporting capabilities.
Websleuth - Open Source Web Application Security Auditing Tool
WebSleuth was developed from my own personal need for a web application analysis tool. It represents the exact functionality I found necessary in the trenches of a security audit.

Sleuth puts a nice twist on efficiency of design and visual tools, keeping a complete toolbox of testing aids at the intuitive auditor's fingertips.
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services.
Dos and Don'ts of Client Authentication on the Web
Several publications.
HTTP Basic Auth Encode and Decode
Base64 en- and decoder.
Firewalk
Firewalking is a technique developed by Mike D. Schiffman and David E. Goldsmith that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. The newest version of the tool, firewalk/GTK introduces the option of using a graphical interface and a few bug fixes.
The Internet Printing Protocol
The Internet Printing Protocol (IPP) is a new development in the TCP/IP suite of protocols. It is intended to make printing over a network or a larger internetwork much easier, based on IP addresses. Companies such as Hewlett-Packard have already introduced some devices that support the proposed IPP standards, and more are expected to arrive as IPP works toward a standard.

This article will explain what IPP is and how it works. Although you may not have much need for IPP if you only have a printer attached to your computer, it does show how network-based printing can be used.
Network Monitoring Tools
This is a list of tools used for network (both LAN and WAN) monitoring, and where to find out more about them. The audience is mainly network administrators.

Monday, August 26, 2002

Eavesdropping Detection and Counterespionage Consulting
Eavesdropping Detection and Counterespionage Consulting for Business & Government

Specialists in detecting…
• audio eavesdropping
• computer intercepts
• video voyeurism
• wiretaps
• technical espionage
• competitive intelligence
How to prepare for and react to being hacked
You have that funny feeling that something is not right. One of your admins reported that his Unix box keeps rebooting in OpenWindows. You sit down at the box, type some commands, and wham, it reboots again. This doesn't look like a bug, you've been hacked! Now what do you do?
Audiotel
Established in 1978 Audiotel International is the leading manufacturer of electronic countermeasures equipment and other secure communications products. Today we offer a complete range of electronic sweep equipment for all types of situation. We combine the latest advances in technology with the need to keep the equipment quick and practical to use.
Air Magnet
AirMagnet provides mission-critical wireless LAN (WLAN) administration and diagnostic tools to help companies deploy, administer and secure their networks.
The company's products address the unique challenges confronting network and security professionals in deploying and maintaining WLANs, by offering a new generation of integrated solutions designed for wireless network and security administration.
Unix logfiles
We'll discuss the Unix logfiles, and how the administrator of the system can secure the system enough to have log files containing trustworthy and reliable information. We'll also discuss the possibilities for the hacker to trick the system logfiles and delete the traces of his activities. As always, I'm trying to discuss things from 'both sides of the chessboard'. Hackers and administrators are all the same; most good and security-minded admins caused some annoyance in the past by hacking. In any case, if someone wants to secure his system well, it's really important to understand things from both sides.
Tuning Red Hat for maximum performance
This tutorial details the ins and outs of transforming a stock, "out of the box" Red Hat installation into a finely tuned, stable system customized to individual needs and tastes. The material presented here is based on Red Hat 7.3, although many of the techniques and procedures discussed are equally applicable to other mainstream Linux distributions. And while the title uses the phrase "performance tuning," you'll soon discover that performance and security often go hand in hand.

Friday, August 23, 2002

Extreme Hacking
Ernst & Young's updated and redesigned eXtreme Hacking course was created to rapidly address and educate participants on the exploits and techniques that attackers may use to breach the security of corporate networks. Ernst & Young Security Professionals will teach security profiling techniques that allow security and IT practitioners to quickly, efficiently, and methodically uncover many network and O/S vulnerabilities. Once such vulnerabilities are uncovered, participants learn cutting edge exploit tools and techniques to gain access to target systems and countermeasures to protect the organization. This course will focus on internet profiling and the Windows NT, 2000, and Unix environments. Other supplemental modules are available that include: Databases, Novell Netware, Social Engineering, Mainframes, Firewalls, Remote Access and Web Resources.
Ernst & Young's 2002 Digital Security Overview
A new Digital Security index by Ernst & Young LLP, one of the world's largest professional services firms, indicates that many Fortune 500 companies are unprepared to respond to digital security incidents that threaten their businesses.
SECTOR 5
SECTOR 5 has gathered the top minds in cyber and IT security from corporations, organizations, and government agencies that represent five critical infrastructure sector groupings:

S.1 Transportation
S.2 Energy, Utilities & Water
S.3 Banking & Financial Services
S.4 Telecommunications & Information Services
S.5 Vital Health, Safety & Emergency Services

Thursday, August 22, 2002

Autoclave - Secure Disk Deletion
Hard drive sterilization on a bootable floppy.

Wednesday, August 21, 2002

Intrusion detection: Too much information
Intrusion detection systems have been around for years, but lately companies have shown new interest in them as worm and virus attacks have risen, and as new cyber-attacks have been launched from overseas. But contrary to some enthusiastic claims, these systems aren't some new security panacea for the enterprise.
In fact, as useful as they are, intrusion detection systems (IDSs) are very limited in what they can do, and much harder to incorporate than many would suggest.
Field Sobriety Test: netfilter & iptables
I was planning to write a short tutorial on the use of iptables; however, "short" is no longer in my vocabulary. iptables in itself is very simple, yet can be quite complex depending on the nature of how you plan to use it. Rather than writing one massive tutorial, I plan to take the reader on a magical tour of multiple explanations. With this method, we can work together from the ground up so as not to cause any confusion or mass chaos. So put on your reading glasses, and iron that thinking cap! All levels of experience will find this to be an informative piece, or so I hope. Enjoy.. ;)
Introduction to Autorooters
Efficiency and automation: one can argue that they are two of the most valuable by-products of any technology. There is little doubt that the electronic tools of today allow us to get more done in less time. We use software to eliminate tedious work, reduce man-hours, and sift through mounds of data in seconds. Crackers, as we know, are smart... and lazy. It should come as no surprise then that they too, have employed technology to reduce their workload. The result? A type of malicious code known as autorooters, programs designed to automatically scan and attack target computers at blistering speeds.
A successful autorooter will give crackers what they want: complete control of a target machine with little effort, fast. Scanning networks for vulnerable machines, gaining unauthorized administrative access, installing backdoors, all the tricks of the trade, can all be achieved at the click of a button. In this article we'll explore the concepts behind autorooters and what can be done to defend against them.
U.S. Probes Firm In Security Breach
Federal law enforcement authorities searched the computers of a San Diego security firm that used the Internet to access government and military computers without authorization this summer, officials said yesterday.

Investigators from the FBI, the Army and NASA visited the offices of ForensicTec Solutions Inc. over the weekend and on Monday, seeking details about how the company gained access to computers at Fort Hood in Texas and at the Energy Department, NASA and other government facilities, officials said.