Thursday, September 05, 2002

spamfaq
Every e-mail or post will have a point at which it was injected into the information stream. E-mail will have a real computer from which it was passed along. Likewise a post will have a news server that started passing the post. You need to get the cooperation of the postmaster at the sites the message passed through. Then you can get information from the logs telling you what sites the message actually passed through, and where the message "looked" like it passed through (but actually didn't). Of course you do have to have the cooperation of all the postmasters in a string of sites...
EventID.Net
Ever wondered how the mind of NT/2000 gurus works when they troubleshoot a specific problem? How do they come up with the solutions? We may not be quite gurus but through the years we developed a certain troubleshooting ability. We are starting to share our methods by adding "Our Approach" to specific events.

Wednesday, September 04, 2002

Hacker vs. Hacker: How To Tell Them Apart
If we do not distinguish good from bad, if we fail to understand the make-up of such a complex group of people, how can we ever hope to limit black-hat hacking?
Spyware Trojan sends Hotmail to your boss
Here's a piece of software that will make any decent human being vomit. Proudly marketed by spyware outfit SpectorSoft, it's a lowlife Trojan called eBlaster which you can e-mail to anyone in the world foolish enough to use Windows and log their keystrokes, and force their POP mail and Hotmail and Yahoo Web mail accounts to copy you in everything going on.
Adaptive Linux Firewalls
Automatic firewall hardening is a technique used by many commercial firewalls to prevent invalid packets from reaching protected networks. The objective of this document is to demonstrate how to harden iptables in real-time.
MS Outlook digital sigs easily forged
Digital signatures can easily be forged and therefore can't be trusted in Outlook because of the same certificate chaining issue plaguing Internet Explorer, researcher Mike Benham says.

Benham is responsible for discovering and publicizing the IE debacle, where SSL certs can be signed by an untrusted intermediary without warning to the end user.
Corporate saboteurs find hacking powerful weapon
In the popular imagination, a computer hacker is on the fringes of society — either a brilliant but misguided teenager or a solitary, disaffected adult. He's more interested in showing off his skills than benefiting from them. He values havoc over money.

Tuesday, September 03, 2002

TOOLS-ON.NET
Free tools for connected people. Online privacy and proxy tests, great whois tool, ping, traceroute, anonymity, security and more. The tools you can find here were started as a couple of scripts I wrote to help me to administrate Promstroybank of Russia's domain. Now they are available here.
NTI
NTI specializes in finding 'computer secrets'. We are experts in the exploitation of the security weaknesses in DOS, Windows, Windows 95, Windows 98, Windows NT and Windows 2000 to find computer evidence and computer security data leakage.
Computer Forensics
Computer-based crime has given rise to a new type of evidence gathering, or forensics, and a new breed of investigator. But computer forensics is still a young discipline, and almost no one today has been trained purely as a computer forensic analyst. Some police officers are drawn by an interest in computers, while most independent computer investigators are either former police officers or IT professionals. Forensic scientists and technicians play a critical role in law enforcement and corporate investigations.
What all of these professionals have in common, however, is a need to know about computer and network technology, analysis tools and the law. The art and science of computer forensics calls for solid detective skills combined with sufficient knowledge to find, preserve and document computer-based evidence.
Handbook of Computer Crime Investigation
Learning about the ins and outs of computer forensics technology and the law makes four recent releases worth investigating.
Wireless Security Tools
A huge collection. Still growing!
Wepcrack
WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
daSniff
daSniff is an open source customizable sniffer for win32 systems. It helps you to log your LAN traffic by specifying packet rules as filters. It has two major versions named version A and version B. Both versions use the same packet filtering, but different sniffing code. Version A uses pure WinSock2 API and runs only under Windows 2000 and above with administrator privileges. It is also available as a Windows NT service. Version B uses WinPcap as a packet capture library and runs under Windows 95/98/ME/2000/XP.
Show Traffic
Show Traffic for Windows monitors network traffic on the chosen network interface and displays it continuously. It could be used for locating suspicious network traffic or to evaluate current utilization of the network interface.
Catching wireless hackers in the act
It's been a cinch for vandals with an eye on Internet mischief to launch attacks by co-opting an unsecured wireless network, but such break-ins may not go so unnoticed now.
A heavily monitored wireless network was quietly set up this summer to lure hackers and keep track of attacks. Science Applications International Corp. (SAIC) created the network to study the methods of wireless vandals. It is the first wireless version of a so-called honeynet, networks of servers designed to lure in hackers and then monitor their actions.
Ask these questions before you hire a hacker or cracker
If you interview someone who claims to be a former hacker or cracker, don’t jump to conclusions. Many people who call themselves hackers have never committed an illegal act and possess qualities desirable in an employee. Likewise, some who claim to be crackers lack the technical skills to justify the term, however malicious or self-serving their intent.

Sunday, September 01, 2002

Vihrogon: Advanced SSH RootKit
A rootkit is a blackhat tool used to hide the attacker's activity from the administrators of the system. The most common form of a rootkit contains replacement binaries for commonly used administration utilities, like ps, top and netstat. As you can guess, the ps replacement will hide processes matching certain criteria, identifying them as belonging to the hacker. Another function of the rootkit is to enable the attacker to gain access to the system through some sort of backdoor. An example can be a modified ping (suid on most systems) command which spawns a root shell when executed with a special parameter, known only to the attacker.

In this article we will explore the SSH server and the opportunities it provides for those willing to indulge in blackhat activities. An SSH rootkit, Vihrogon SSH 0.3, will be presented.
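One defender-side check against the trojaned-ps trick described above, added here as an example and not taken from the article or from Vihrogon: a replaced ps can filter what it prints, but /proc still enumerates every PID the kernel is tracking, so cross-referencing the two views exposes processes that ps omits. The parsing functions take the raw text so they can be exercised on constructed input; `scan_live_system` runs the same logic on a Linux host.

```python
"""Find processes that /proc knows about but ps does not report.

Added example (not code from the article). A user-space rootkit that
replaces ps cannot alter /proc, so a PID present in /proc but absent
from ps output deserves a closer look. A kernel-level rootkit can hide
from /proc as well, so a clean result here is not proof of a clean box.
"""
import os
import re
import subprocess

def pids_from_ps_output(text):
    """Collect PIDs from ps output: the leading integer on each line.
    Header lines such as '  PID TTY ...' have no leading digits and are skipped."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def pids_from_proc_listing(names):
    """PIDs are exactly the purely numeric entries in /proc ('self', 'cpuinfo' etc. are not)."""
    return {int(n) for n in names if n.isdigit()}

def hidden_pids(proc_pids, ps_pids, ignore=()):
    """PIDs seen in /proc but missing from ps, minus any we expect to differ
    (for example the ps process itself, which has exited by the time /proc is read)."""
    return sorted(proc_pids - ps_pids - set(ignore))

def scan_live_system(rounds=2):
    """Run the comparison on this host. Short-lived processes can appear in one
    view but not the other, so only PIDs flagged in every round are reported."""
    flagged = None
    for _ in range(rounds):
        out = subprocess.run(["ps", "-e", "-o", "pid=,comm="],
                             capture_output=True, text=True, check=True).stdout
        ps_pids = pids_from_ps_output(out)
        proc_pids = pids_from_proc_listing(os.listdir("/proc"))
        found = set(hidden_pids(proc_pids, ps_pids, ignore=[os.getpid()]))
        flagged = found if flagged is None else flagged & found
    return sorted(flagged)

if __name__ == "__main__":
    # Prints nothing on a host where ps and /proc agree.
    for pid in scan_live_system():
        print("PID %d is in /proc but not in ps output" % pid)
```

Any PID it reports should be inspected directly under /proc/<pid> (exe, cmdline, status), since the trojaned tools cannot be trusted to describe it.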