Building an IDS Solution
Using SNORT. In PDF format.
Friday, August 02, 2002
Wednesday, July 31, 2002
Rating the Enemy: How to identify the enemy
This paper presents a preliminary version of a model for rating the attackers, as well as a justification for doing so and techniques for using the information. There is still more work to be done, and I would appreciate your feedback and constructive suggestions.
This model is designed for IDS analysts and security engineers to use in order to help evaluate attacks, provide better information to upper management and to assist in assessing the threat level to your network.
Xprobe
Xprobe is an Active OS fingerprinting tool based on Ofir Arkin's ICMP Usage In Scanning Research project.
Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting.
This is especially true when trying to identify some Microsoft-based operating systems with TCP as the fingerprinting protocol. Because the TCP implementations of Microsoft Windows 2000 (and Windows XP) and Windows ME, and those of Windows NT 4 and Windows 98/98SE, are so close to one another, a TCP-based remote active operating system fingerprinting process is usually unable to differentiate between these groups of Microsoft operating systems. And this is only one example...
Xprobe combines various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the "ICMP Usage in Scanning" research project, into a simple, fast, efficient and powerful way to detect the underlying operating system a targeted host is using.
On the trail of an identity thief
It was just another stolen credit card number, leaked by just another careless Web site, except for one thing — the victim wouldn’t take it sitting down. So he made a few phone calls, and managed to retrace the thief’s steps. Peeking through accounts at anonymous e-mail services, information brokers, and online banks, the victim got a rare glimpse of an identity thief at work. Here’s how that one stolen credit card became three bank checks totaling $3,000 — and perhaps much more.
Wi-Fi Honeypots a New Hacker Trap
Hackers searching for wireless access points in the nation's capital may soon war drive right into a trap. Last month researchers at the government contractor Science Applications International Corporation (SAIC) launched what might be the first organized wireless honeypot, designed to tempt unwary Wi-Fi hackers and bandwidth borrowers and gather data on their techniques and tools of choice.
Hacking techniques
Password and user account exploitation is one of the largest issues in network security. In this article Rob Shimonski will look at password cracking: the how and why of it. Rob will explain just how easy it is to penetrate a network, how attackers get in, the tools they use, and ways to combat it.
Handheld OSes Due for Security Advances
Just a few years ago, one could expect little more from a handheld computer than a convenient means of storing and retrieving data such as phone numbers and to-do-list items. Today, these devices have evolved greatly in terms of power, functionality and network connectivity, but as handheld computers and the mobile operating systems that drive them grow more complex, so, too, grows the potential for the sort of security vulnerabilities that plague their desktop- and server-based brethren.
For Users, It's Back to Basics
As third-party developers and vendors of handheld devices beef up encryption and password management technologies, Palm OS, Pocket PC and other handhelds are becoming more secure.
But, experts say, IT managers should not rely on the availability of improved software alone to secure handheld devices. To be sure, users should be required to install anti-virus software and keep it up-to-date, authenticate with user names and distinct passwords, and use encryption software to safeguard confidential data.
Tuesday, July 30, 2002
Penetrating a VNC server behind a firewall
The following article will discuss bidirectional inside-out attacks, inspired by netcat. The article discusses how to access a victim's VNC server behind a firewall, where the victim initiates connections to the attacker.
Monday, July 29, 2002
XML Web services need a firewall
XML application firewalls are like network firewalls in that they are focused on securing and monitoring your network. However, unlike network firewalls, they work at the application level using an in-depth knowledge of the Web services, service requestors, and message content. It is the XML Web services standardization of application-level data that makes application-level firewalls practical.
Firewalls: More convenience or more security?
The topics I want to cover are: basic definition of a firewall; personal firewalls; the "more convenience or more security" debate; and my recommendations for a reasonable implementation of personal firewalls.
VPN users: The weakest link
Virtual private networks have generated their share of security concerns, but the focus has been primarily on flaws in VPN protocols and configurations. Although those issues are important, the most significant security threat in any VPN setup is the individual remote telecommuter making a VPN connection from home or an employee on the road with a laptop and the ability to connect to the corporate office via VPN.
VMS TUTORIAL - PART I
If you have heard a little bit about computer history or have read old-time hackers talk about their favorite machines, such as in the Jargon File [http://www.tuxedo.org/~esr/jargon/], then you probably have this vague idea of the pool of primordial soup embodied in the operating systems of the past. PDP-10, MULTICS, VAX, VMS, TOPS-20, CP/M, blah blah blah....what is all this? In order to really know one's stuff computerwise, many sources, mostly reflecting an older viewpoint, say that you should know about all of this stuff. Today, one can navigate the Internet in all of its depth without knowing a thing about VMS, the topic at hand. For a few reasons, however, I still think it's worth having at least some familiarity with for the well-rounded hacker.
FBI's computer systems absolutely crap
A REPORT IN today's LA Times said that the Federal Bureau of Investigation's (FBI's) computer systems were feeble well before last year's terrorist attacks and continue to be weak because of underinvestment and dodgy accounting tricks.
The newspaper also has got hold of a memo former attorney general Janet Reno wrote to its director in May 2000 laying into the bureau's inability to use IT to track terrorist threats.
The paper, in the first of a two-part investigation, describes the FBI as being in a state of "technological lethargy" because of institutional arrogance, bad prioritising, and poor relations with politicians in Washington.
One of These Things is not Like the Others
Anomaly detection can be described as an alarm for strange system behavior. The concept stems from a paper fundamental to the field of security - An Intrusion Detection Model, by Dorothy Denning. In it, she describes building an "activity profile" of normal usage over an interval of time. Once in place, the profile is compared against real-time events. Anything that deviates from the baseline, or the norm, is logged as anomalous.
Sunday, July 28, 2002