sctp_houdini kernel exploit link

If you haven’t patched your Linux systems lately (for instance Ubuntu 8.04/8.10), you might want to do so. HD Moore threw this out on Twitter.

There are seminal vuln-exploit instances that get used as easy attacks in testing, especially your personal labs. Years ago it was LSASS attacks. In recent months, MS06-087 is an easy route. For some Linux flavors, this should be one of the first scripts grabbed to pwn a box and move on.

Update after reading more: You need to be running SCTP on the target box. Yeah, I haven’t heard of SCTP either.

matching macs to detect rogue wireless devices

It wasn’t too long ago that I was musing about’s latest challenge dealing with some wireless hijinks.

A similar topic just came up on the SecurityFocus IDS mailing list in regards to PCI 11.1 about wireless IDS. It was mentioned that an option would be to use something like RogueScanner on the wired side to detect wireless devices. I don’t know why I hadn’t thought of that right away, but yes, you can poll your wired network, gather MAC addresses, and compare them against what they should be. If you see any that are obvious wireless products, you go over and yank it out.

Now, that’s great, but keep in mind not a foolproof detection. MACs can be changed even on some home consumer wireless routers, firewalls may prevent the polling up front (although a switch MAC table may give more away), extra unmanaged hops can get in the way, and a laptop acting as a router with a second wireless interface may only show up as a regular laptop. But you do get the obvious low-hanging fruit covered.

I have wondered if it could be possible to push traffic from the wired network out through the wireless side. A silent AP can stay relatively hidden, but if you can force it to throw something out now and then, it can be picked up.

powershell: getting a list of active directory servers

Getting a list of servers can be a pretty valuable first task for working with large numbers of computers. Yesterday I had a reason to get a list of them all, and thankfully all of my servers are in the same OU tree in AD (/Machines/Servers). I also see SynJunkie did a similar thing this week, but I prefer not to use third-party cmdlets. 🙂

$blagh = [ADSI]”LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com”
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $blagh
$objSearcher.Filter = “(objectCategory=computer)”

$PropList = “name”,”cn”,”lastlogon”
foreach ($i in $PropList){$objSearcher.PropertiesToLoad.Add($i)}

$Results = $objSearcher.FindAll()

Write-Host “found $($Results.Count) servers”

What this does is look for all computer objects under Machines/Servers in my domain For all computers that it finds, it pulls out the name, cn, and lastlogon properties.

To find a list of all the properies that can be pulled out, after that above script do this:


Based on the properties I pulled, it should be obvious I was looking for signs of dead computer accounts. This can easily be changed to look for user accounts, properties in them, and other OUs.

commending excellent security disclosures

I had not heard of OAuth before reading a post today on LiquidMatrix about an OAuth vulnerability, found right after a pretty large round of exposure from Twitter adoption.

A big vuln and the pulling back of support is a big deal, but I’d just like to point to OAuth’s own explanation of the security bug.

This article discussing the details of the bug is excellent (especially given a very confusing bug). It gives detail, it remains honest and open, it demonstrates understanding of the issue. I wish all vendors, closed and open, would be more like this. Yes, fine, it makes the sales and marketing teams feel squeamish, but this sort of open cultural attitude is going to make a difference. Maybe not today, maybe not even in ten years, but someday it will be necessary as the world grows up into technology and efficient information-sharing.

So, regardless of what I think about OAuth or the vuln, props for a great disclosure discussion.

Update 1:37pm: So I saw this Google Group posting, and I have to shake my head and think, “Really? Did you just try to say this? Fail.” The statement, “Please do not speculate or publicly discuss the actual details of this or other threats.” Hopefully someone smacks his hand and tells him not to try that tact again.

the arts of empathy and thinking ahead are still dead

Human nature is silly, isn’t it? Too many companies do next to nothing about security until they’re burned by it. And I read today that a Congresswoman who used to be a staunch supporter of warrantless wiretapping has changed her tune after being the subject of a wiretapping herself. Go fucking figure. Way to demonstrate that you’ve not really thought through the subject over the last several years. Of course, she’ll blame those who did it by insinuating they should be held to higher standards and this was an obvious mistake… (which only strengthens my disdain…)

I’m really restraining myself here as this topic of personal responsibility, empathy, and forward-thinking is something I feel especially strongly about.

the net tubes are wisps of sparkly magic fairies

For every annoying idiot or asshole on the net tubes, there are still swaths of users on various sites who have a great sense of humor and demonstrate this on forums and news comments.

My best laugh so far today was seeing that email used to be very scary. While the picture and caption itself are fun enough to pass on, it is the comments that made my day. Things like:

so since he doesnt have a computer that email flails around the office like an angry ghost that is trapped between worlds?

less zombies gives more security

You have 100 zombies beating against your door. There is a chance one of them will beat his fists in the right spot to either smash a hinge or bump the handle in a way that the door springs open.

Your buddy across the street has only 5 zombies beating on his door, but is in the same predicament: they have a chance to smash and hinge or bump the handle.

Which door would you rather be behind?

If you choose the one with 5 zombies, then I’d say that is a less risky situation entirely because there are fewer zombies beating on the door.

If you move your SSH server from default port 22 to some obscure port like 38724, I can predict you will have fewer zombies beating on the door of your SSH server. You’ve lowered your risk. You’ve increased your security (depending on your definition of security).

(Obviously, I’m yet again annoyed at the insistence by some that there is no value in security through obscurity. Those people are confusing “security only through obscurity” as being the same as “no security value in obscurity.” I think most people say they like “security through obscurity” as an additive value to an overall posture. Not as the only measure.)

time-to-penetrate and increasing attacker costs

Read some concepts lately that I wanted to remind myself about, and don’t really want to bother figuring out where I first saw them.

Time-to-penetrate. Locks are rated by how long they take to fall to an expert. How long will your network/security last? To drive-by scripts/kids/worms? To experts?

Increasing attacker’s costs. I read about border security between the US and Mexico and how border authorities want to make it more expensive for drug cartels to get drugs over the border. Not stop it, but make it more difficult/expensive. If you rightly believe in the inevitability of insecurity, then you really want to keep the bar raised as far as possible (this is an argument that can formulate a defense to ‘security through obscurity,’ in moderation).

sinking in that twitter use has exploded

I’ve read but really didn’t digest that Twitter use has exploded this year. It was only maybe half a year ago when the most-followed people on Twitter were all excited about 40,000 followers. Now celebrities are topping 300,000 with ease! That’s crazy.

What’s interesting is how this may change culture a bit. On one hand, all of us norms get to see all the silly crap that celebrities think they want to tweet about (and mispell!). Kinda like what will be known as the Kevin Rose effect: it will make celebrities be much more down-to-earth, almost like you know them.

On the other hand, they lose more privacy indirectly as well, such as checking out the few privileged people your favorite celebs are following, some of whom may be unaccustomed to the attention, etc. Not to mention vulnerable to social attacks.

slicing various types of security roles

Bear with me as I ramble a bit in this post. Something unpolished but didn’t really want to lose. I’ll reserve the ability to completely change my opinion!

Which one of these will realistically get us the farthest in security? Choose only one.

  • administration: managers/execs/policywriters
  • techs in the trenches
  • auditors/testers
  • secure code/architecture i.e. “build it secure”

Yes, the best answer is clearly a combination of all of the above.

But for the sake of argument, let’s say you can only pick one horse to put your money behind. Which one gives you the most realistic chance?

– administration: managers/execs/policywriters – This is your typical layer where policies get written, strategies formulated, and employees managed. To me, this is a necessary layer, but alone they don’t do a whole lot without the support of everyone else, much like a policy with no enforcement. There is also the devil of being too abstracted from the real goings-on to be effective, or to live in the correct reality. Do they say security is working but have really no way to back that up? This isn’t always the case, but it is the devil they must battle. And that’s assuming their employees are even following the decrees made… A good aspect on this might be the guys who manage appliances on a broad level to create statistics or whatnot. But do we really want to lean heavily on Big Boxes?

– techs in the trenches – This is where I’d put my money. The people on the ground and in the trenches. Sure, they may have some weaknesses like enforcing security with no real policy or guidance, or a lack of focus, but to me they’re the ones who will always do the implementations, detections, and investigations. These would be the guys and gals who, if you gave them 8 hours a day to “do security” and left them in a room, they’d implement all sorts of wild things that can be extremely effective. If you get them even slightly working with the rest of business rather than just in their caves, they can be a real force.

– auditors/testers – This is your group of people who both point out all the wrong things you do, but also hopefully point out how you can do things correctly. A powerful group, but I think they ultimately rely on finger-pointing and may not, directly, actually get anything done. Given a high degree of intelligence and knowledge, though, and those rare individuals are exceedingly valuable. On the testing side, their research and automation are hideously valuable.

– secure code/architecture i.e. “build it secure” – This is a great approach, but I think the “realistic” part really kills this. I’ve talked about the caveats in this group before (and can’t find the post[s]), so I won’t get into detail. But if technology didn’t change and economics shifted to value security, this could be a powerful group. Sadly, while important, I wouldn’t bet on it as my horse because it just isn’t realistic alone. Technology changes faster than we can learn it enough to secure it properly upon creation; economics pushes function before security; etc.

why the media is a real threat against hacker culture

These are the kinds of articles I don’t like to read. This is about Peerhboy, a terrorist group ‘hacker’ arrested in India.

The implications I don’t like in this article are twofold.

First, this guy got some ‘training’ and this seems to be implied as bad. Does this mean any ‘hacking’ or security training will mark you as evil?

Second, the only wireless ‘hacking’ alluded to in this article is the use of unsecured wireless access points. Yes, a concern, but hardly worthy of eye-catching ‘hacking’ adventures.

throw-away mail box sites

I’ve long used pookmail as a throw-away email box for various things, mostly just to sign up for downloads or worthless one-time-use accounts. I see they’re no longer offering that service.

I know about Mailinator and am using it now, but does anyone know any others? Mostly I just want a couple back-up options.

On a similar note, I should someday get myself a PO Box; one that supports a non-obvious PO Box-like address…

Isn’t that funny? Some companies won’t ship products to a PO Box, so you have to obfuscate it like 1234 Hickory Lane #9870-B. Same thing happens in the digital world with spoofing and forwarding all the time, or services that obfuscate the originator (PayPal? Mailinator?). Why don’t companies just allow shipping to a PO Box? It obviously is a need, even as much as it is abused… Maybe most people don’t go through such hoops, I guess.