tcp/ip illustrated vol. 1

TCP/IP Illustrated, Vol. 1 is available online. Note that this is an older book dating from 1994, and is also not for the faint of heart, as it skips past the high-level view of TCP/IP and digs right down into the nuts and bolts that make it work, in conjunction with real-world illustrative examples (hence the book name!). I should read this volume at some point, but maybe not quite yet, until I get some more sniffing experience under my belt.

insider threat papers from the .gov

Two papers popped up, mentioned on another site I visit. First, a paper discussing a number of insider security incidents over the past 8 years involving about 26 insiders at financial institutions. Second, a 4-year-old paper from the DoD outlining means of mitigating insider threats.

Snippets shamelessly snagged from the other site with regard to the first paper:

“– Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

– The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider’s intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

– Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

– Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

– Most of the incidents (83%) were executed physically from within the insider’s organization and took place during normal business hours.”

the art of war

A translation of The Art of War is available online. Another book that I should get, but I just don’t know which version to pick up… I may just read this one, formulate my own conclusions and gain my own insight from it before picking up a book that expounds on the principles for me.

researching vlans

I hadn’t heard much about VLANs until the last few days, when our security pen testers mentioned possibly implementing some VLAN segmentation to control our traffic and manage groups of users. Since then I’ve been attempting to research them with mixed luck. My best lead is a technical article from Intel.

I have decided that VLANs don’t really truly segregate people into separate groups, but rather separate (layer 3, I think it is) broadcast traffic that simply does not need to be read by every workstation. It is much like 5 years ago, with the big push away from “chatty” hubs into actual switches that were much more private with their information. Broadcast traffic adds a fair amount of load to most networks of any size, especially when you factor in some variables like wireless traffic or VOIP traffic.

Anyway, I’m still researching this, and I think the best way to truly segregate users (I have developers in mind, who tend to want the most freedom with their computers coupled with the least security) would be to create VLANs, create their own subnets, and then plop a firewall between their VLAN and the rest of the network space. But…that’s just my initial understanding. I’ll post more links to information as I find them.
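To make the “VLAN plus its own subnet plus a firewall in between” idea concrete, here is an added example (not code from the original post) that models that design as a small policy evaluator. The VLAN ids, subnets and rules are constructed for illustration; the point it shows is that a VLAN by itself only carves out a broadcast domain, and that access control only appears once inter-VLAN traffic is forced through a router that enforces a policy.

```python
"""Added example, not code from the original post: a small model of the
design sketched above (each group gets its own VLAN and subnet, and a
firewall sits between the developer VLAN and everything else).

A VLAN on its own only gives a group its own broadcast domain. Once each
VLAN is also its own subnet, traffic between groups has to pass through a
router, and that router is where an access policy can be enforced.
The VLAN ids, subnets and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN-to-subnet plan (hypothetical addressing).
VLANS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # general users
    20: ipaddress.ip_network("10.0.20.0/24"),  # developers
    30: ipaddress.ip_network("10.0.30.0/24"),  # servers
}


@dataclass(frozen=True)
class Rule:
    src_vlan: Optional[int]   # None matches any VLAN
    dst_vlan: Optional[int]
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


# First-match policy on the inter-VLAN router/firewall.
POLICY = [
    Rule(20, 30, 22, "allow"),        # developers may SSH to the servers
    Rule(20, 30, 443, "allow"),       # and reach HTTPS services there
    Rule(20, None, None, "deny"),     # nothing else leaves the developer VLAN
    Rule(None, 20, None, "deny"),     # and nothing else reaches it
    Rule(None, None, None, "allow"),  # remaining inter-VLAN traffic is allowed
]

# What a plain router without a firewall does: forward everything.
NO_FIREWALL = [Rule(None, None, None, "allow")]


def vlan_of(ip: str) -> Optional[int]:
    """Map an address to the VLAN whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def decide(src_ip: str, dst_ip: str, dst_port: int, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for a flow, as the inter-VLAN firewall would."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None or d is None:
        return "deny"   # address outside the plan: default deny
    if s == d:
        # Same VLAN and subnet: the switch forwards it directly, so the
        # firewall between VLANs never sees this traffic at all.
        return "allow"
    for r in policy:
        if (r.src_vlan in (None, s) and r.dst_vlan in (None, d)
                and r.dst_port in (None, dst_port)):
            return r.action
    return "deny"       # no rule matched: default deny
```

Evaluating the same developer-to-server flow with `POLICY` and with `NO_FIREWALL` shows the difference: with only VLANs and a router in between, every cross-VLAN flow is forwarded, which is the sense in which VLANs alone don’t segregate people. Note also that traffic within one VLAN never reaches the firewall, so whatever the developer group does among themselves is out of the firewall’s reach.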

rainbow crack ntlm hash cracking tool

Rainbow Crack is the next Microsoft Authentication-killer. Basically this crack generates every possible NTLM hash. These can then be put into a database and searched against. Instead of a crack tool brute forcing a particular hash by comparing it, one by one, with every computed value, this tool precomputes all the values and saves them. For complex passwords, this can save days of crack time. For the most complex passwords, it can save weeks. I believe the whole database can be bought for just over a hundred bucks, in some circles, but this free tool will generate it for free.

update: Everything I ever wanted to know about passwords and rainbow tables all in one very recent paper/article. And hey, I didn’t even know Cain comes with a table generator!! W00t!

There has been a lot of talk about rainbow tables and passwords here, so here are suggestions on how to withstand even rainbow attacks. Basically, what this tells me is that passwords/passphrases are fundamentally flawed.
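The reason precomputation pays off against NTLM, and the standard way to withstand it, both fit in a few lines. The following is an added example (not code from the original post or from the Rainbow Crack tool): SHA-256 stands in for NTLM’s MD4, an assumption made so the block runs without OpenSSL’s legacy provider, and the wordlist is a constructed sample. What matters is that both are unsalted, so the same password always hashes to the same value.

```python
"""Added example, not code from the original post: why a precomputed
hash table defeats unsalted password hashes and stops working once each
stored hash carries its own random salt. SHA-256 stands in for NTLM's
MD4 here (an assumption so the block runs without OpenSSL's legacy
provider); the idea is the same because both are unsalted. The wordlist
is a constructed sample."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Summer2005", "qwerty", "Tr0ub4dor"]


def unsalted_hash(password: str) -> str:
    """An unsalted scheme: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words) -> dict:
    """The precomputation step: hash the candidates once, keep hash -> word.
    A rainbow table is a space-saving variant of exactly this lookup."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """Recover the password with one dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def table_hits(table: dict, stored_hashes) -> int:
    """How many stored hashes a single precomputed table recovers."""
    return sum(1 for h in stored_hashes if h in table)


def salted_hash(password: str, salt: bytes = None, iterations: int = 50_000) -> str:
    """A salted, iterated scheme (PBKDF2-HMAC-SHA256). The random per-user
    salt is stored beside the hash; it is not a secret, it only makes every
    stored hash unique so one precomputed table cannot serve them all."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Check a password against a stored salted hash (constant-time compare)."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Two users who both chose “letmein” get identical unsalted hashes, so one table entry breaks both accounts at once. With `salted_hash` the two stored values differ, `lookup` finds neither, and an attacker would need a fresh table per 128-bit salt, at which point precomputing no longer saves anything over hashing each guess directly; the iteration count then makes each of those guesses cost more.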

ssh brute force tool to crack root

A new SSH brute force tool attempts to crack into a box by brute forcing root through a listening SSH service. The tool even includes its own dictionary, whereas most other tools of this type rely on a separate user-defined dictionary. Impressive. At any rate, this just further illustrates a security practice that should be used for all SSH Linux boxes: don’t allow root to log into SSH. Force a user account to be used, and then su to root.
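Two defender-side checks that go with that advice, as an added example (not code from the original post or from the tool it mentions): one reads an sshd_config the way sshd does and reports whether root is actually barred, the other counts failed root attempts per source in auth-log lines so a tool of this kind shows up in the logs. The config text and log lines are constructed samples, and the built-in default of “yes” for PermitRootLogin is an assumption matching OpenSSH releases of the post’s era (newer releases default to prohibit-password).

```python
"""Added example, not code from the original post: two defender-side
checks for the advice above. root_login_disabled() reads an sshd_config
the way sshd does (the first value given for a keyword wins, later
duplicates are ignored) and reports whether root is barred from logging
in; failed_root_attempts() counts failed root logins per source address
in auth-log lines. The config text and log lines are constructed samples,
and the built-in default of "yes" is an assumption matching OpenSSH
releases of the post's era (newer releases default to prohibit-password)."""
import re
from collections import Counter

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
# a later duplicate like the next line is ignored by sshd: first value wins
PermitRootLogin yes
PasswordAuthentication yes
"""

SAMPLE_AUTH_LOG = """\
Jan  5 03:14:07 host sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan  5 03:14:09 host sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan  5 03:14:12 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Jan  5 03:15:01 host sshd[2110]: Failed password for root from 198.51.100.4 port 40011 ssh2
Jan  5 03:16:44 host sshd[2120]: Accepted publickey for alice from 192.0.2.15 port 50200 ssh2
"""


def effective_option(config_text: str, keyword: str, default: str) -> str:
    """Value sshd would use for a global keyword: the first occurrence
    before any Match block wins; comments and blank lines are skipped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # options after this point apply conditionally, not globally
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def root_login_disabled(config_text: str, default: str = "yes") -> bool:
    """True only when PermitRootLogin resolves to 'no'. Values such as
    'prohibit-password' still allow key-based root logins, which the
    advice above rules out too, so they are reported as not disabled."""
    return effective_option(config_text, "PermitRootLogin", default) == "no"


FAILED_ROOT = re.compile(r"Failed password for root from (\S+) port \d+")


def failed_root_attempts(log_text: str) -> Counter:
    """Failed root password attempts per source address. The 'invalid user'
    line is not counted because it is not a root attempt."""
    return Counter(m.group(1) for m in FAILED_ROOT.finditer(log_text))
```

The first-value-wins detail is the one that bites in audits: appending `PermitRootLogin no` to the end of a file that already says `yes` higher up changes nothing, and the checker above reports exactly that. For the log side, a single source racking up repeated root failures is the pattern a dictionary tool like the one above produces, and it is what to alert on even after root login is disabled, since the attempts still indicate someone probing the box.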

sql enterprise manager table view error

For the second time in twice as many weeks, a developer has reported the same error. When opening a table to view in Enterprise Manager, the error “the provider was not found for this property” was displayed. Reinstalls of SQL 2000 client tools and MSDE did not work, but it turns out just a newer MDAC was needed. The sad part is that I solved the issue the first time two weeks ago, but was unable to do the same this time. Burnt out…

image for windows

Ghost costs way too much to license, so I have chosen to use the amazingly cheap Image for Windows (and Image for DOS) tools for imaging workstations. Sadly, one needs to keep up-to-date with updates in order to make sure they can mount new Dell machines…

In addition, to support network shared drives, Bart’s Boot Disk works wonders once I can get it set up.

turn off ssdp and upnp

Universal Plug-n-Play has been a nightmare of a vulnerable and useless service running by default on Windows XP systems. Patches have come and gone, but still, this service, coupled with SSDP, is simply useless and volunteers far too much information to prying eyes, as it readily displays the OS of a target machine to a hostile probe. Turning off the SSDP service in Windows XP also turns off the UPnP service, and this should be part of a base install configuration set. NIST standards include disabling SSDP as part of their XP procedures.

random logo at top

I have spent far more time than I should have on getting a series of 3 logos randomly displayed up above. I used a blosxom plugin, but the plugin conveniently makes three lame mistakes: 1) It includes a typo in the part that needs to be included in this page, 2) it has poor documentation on what things do, for instance how to set path names, 3) it has more features than I want, which just added to the headache of trying to get it to work. I’ve never truly written anything in Perl, but I know enough programming to be able to gut a program without breaking it, so I took all the lame features out, simplified the code to suit my exact need, and am now done. Blah! But at least I now have colors and pictures and stuff up top!