windows mac changers, wifi tools, and firewalls

There are a ton of different tools and ways to change your MAC address, let alone simply doing it manually. Here are a few I’ve accumulated notes about over the past 6 months.
Macshift is a standalone C++ tool run via the command line. Does what it should do!

Technitium is probably the Mercedes of mac changers, sporting tons of information in the GUI and also being scriptable.

Smac is also an old favorite I see mentioned a lot, but the eval version is slightly limited. For such a small tool, I just don’t believe in shelling out money for it.

Speaking of Windows tools, Wirelesskeyview is a quick .exe (no installation required) that will pull out wireless network keys and display them for you. I’m sure these are just stored in a registry entry somewhere and, if encrypted at all, protected by something about as strong as rot13, but this tool still makes life easy.

Heck, I’ll stick with Windows for this whole post. The Windows firewall is still daunting to manage or maintain for most people, even those of us who are comfortable with firewalls! This kb article from Microsoft is surprisingly detailed. I especially like the last section on enabling and checking the logging of dropped packets. Combine this with a tail program and it might turn a spare WinXP box into a network tripwire-like device.
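To make the “network tripwire” idea concrete, here is an added example (my own code, not Microsoft’s and not from the KB article) that reads the dropped-packet log the article tells you to enable and flags any source that was dropped on several different ports. It assumes the pfirewall.log layout of a `#Fields:` header followed by space-separated records; the log lines are constructed for the example, not captured from a real box.

```python
"""Tripwire-style review of Windows Firewall dropped-packet logging.

Added example, not from the original post or from Microsoft. It assumes
the layout pfirewall.log uses once logging of dropped packets is turned
on: comment lines starting with '#', a '#Fields:' header naming the
columns, then one space-separated record per packet. SAMPLE_LOG is
constructed for this example, not captured from a real machine.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-06-20 10:15:01 DROP TCP 192.168.1.77 192.168.1.10 4512 445 48 S 1234567 0 65535 - - - RECEIVE
2007-06-20 10:15:02 DROP TCP 192.168.1.77 192.168.1.10 4513 139 48 S 1234568 0 65535 - - - RECEIVE
2007-06-20 10:15:02 DROP TCP 192.168.1.77 192.168.1.10 4514 3389 48 S 1234569 0 65535 - - - RECEIVE
2007-06-20 10:15:03 DROP UDP 192.168.1.77 192.168.1.10 4515 161 78 - - - - - - - RECEIVE
2007-06-20 10:15:05 OPEN TCP 192.168.1.10 192.168.1.1 1055 80 0 - 0 0 0 - - - -
2007-06-20 10:15:09 DROP UDP 192.168.1.1 192.168.1.255 138 138 229 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Turn the log text into a list of dicts keyed by the '#Fields:' names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data before #Fields: header")
        values = line.split()
        # Some log versions omit trailing columns; pad them with '-'
        values += ["-"] * (len(fields) - len(values))
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound(records):
    """Only DROP records that arrived from the wire (path RECEIVE)."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def find_port_probers(records, min_ports=3):
    """Map each source dropped on at least min_ports distinct destination
    ports to the sorted list of those ports (one host walking several
    closed services is the pattern worth a closer look)."""
    ports_by_src = defaultdict(set)
    for r in dropped_inbound(records):
        ports_by_src[r["src-ip"]].add(int(r["dst-port"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for src, ports in find_port_probers(recs).items():
        print(f"{src} probed {len(ports)} closed ports: {ports}")
```

The broadcast noise from 192.168.1.1 shows up as a single dropped port and is not flagged, which is the point of counting distinct ports rather than raw drops; pointing the parser at a tail of the live file instead of `SAMPLE_LOG` is the only change needed to run it against a real log.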

Yesterday I posted a few OS fingerprinting tools. I missed one I had in my box called Satori. This looks like a quick effort that may not be regularly updated, but is a passive OS fingerprinter for a few OS types. I’ve not had a chance to try this out yet as my Windows machines at home are limited, but it might be fun to try, even if it doesn’t make any toolboxes. A related paper on the site is also interesting.

smb4k, sinfp, xampp, ssl hell, cmd prompt call

I’ve been going over some of the pending things in my todo lists. Here are a few of them.

I don’t know of anything that can browse shares in Gnome on Ubuntu (Nautilus can using smb://server/share, but that requires knowing your target). So I installed smb4k, which is available through Synaptic. Seems I needed a bunch of other stuff, including kdelibs. While smb4k is a KDE tool, it seems to run just fine in Gnome. It can be loaded from Applications->Accessories. The initial load will throw a non-terminating KWallet error, but then happily disables itself and continues. One bonus is the ability to manage and see existing mounts.

If you see a system but aren’t sure what OS it might be (if Windows, then you can try those fun admin shares!), you can check it out using an OS fingerprint tool. Yes, nmap and p0f are your typical choices, but SinFP might be a third option. I decided to try this on Windows and followed the instructions given. Everything seemed fine, but when I tried to fingerprint anything on my network, I was typically told I could not fingerprint a closed or filtered port, even though I knew it was open and allowed. Most of the time perl.exe would then spin and I’d have to kill it. Not sure what was going on, but I might revisit it at some later date on Linux, perhaps. Regardless of the results of this tool, knowing some of the differences that operating systems display in various packets and other behavior is pretty fundamental and “not difficult” stuff. Being written in perl, it might be nice to read through this tool’s signatures and techniques.

XAMPP looks like a nice way to get a full complement of tools and applications for a web server set up quickly on either Linux or Windows (or others!). I’ve not tried this out as I wanted to do stuff manually with my latest build, but I might consider XAMPP in the future.

Here is a snippet of a Dan Kaminsky presentation on SSL Hell at Toorcon. He talks about the bad things he has found about SSL through his huge scans of the Internet. I really dig that he admits security people can be wrong when trying to require SSL on every page. SSL can be intensive on servers and the hardware doesn’t scale well with it. One minor quibble: he points out that a lot of sites don’t appear to use SSL (https) on their logins, but I’d have liked him to say, “I sniffed this transaction to verify it wasn’t secured underneath what I can see in my browser.” He’s probably correct in saying they were insecure, however.

I can’t remember where I found this originally, but I wanted to document it on my site for future reference. This reg script should add the ability to right-click any Windows folder and launch a cmd prompt at that location. Update: Looks like I maybe found it here.

REGEDIT4

[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@="Command &Prompt:"

; cd /d switches the drive as well as the directory, so the entry also works
; when the folder sits on a drive other than the one cmd.exe starts on
[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""

[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@="DOS &Prompt Here"

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""

hacking the verizon motorola razr v3c

People often ask me how I like my Razr phone. I tell them it’d be a really nice phone…if I wasn’t on Verizon. Yes, Verizon is well known for crippling their Razrs to the point where I really only use mine for phone calls and the occasional text message. In the past I have done minor adjustments like getting my own ringtones on the phone (text yourself a .wav file renamed to .mp3 and it will let it through, and play it as a .wav file properly), but I’ve never delved too deeply into messing with it, this being my first personally-owned cell phone. John Ward over at The Digital Voice has posted an awesome article about hacking the Razr, and he suffered from the same crippling issues from Verizon that I do. Since my contract is quite mature now and I’m more comfortable with pushing the line on my phone, I think I will make a note to try this stuff out. He’s truly right that if I can unlock all this stuff in the article, the phone will take on a whole new level of use in my life. Funny how Verizon doesn’t get that…

pe hunter grabs windows executables off the wire

Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won’t necessarily stop or prevent an attack, but can act as a watchguard for something evul going on, or to figure out what an attacker may have done on your network. The real usefulness of this tool won’t be realized until it is used though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.
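As an added example (my own code, not PE Hunter’s), this is the header check a tool like PE Hunter has to make before it can carve a binary out of a stream: an “MZ” DOS header whose e_lfanew field at offset 0x3c points at a “PE\0\0” signature inside the same buffer. The captured “response” it runs over is constructed by hand, and build_fake_pe() produces just enough header bytes to pass the check, not a program.

```python
"""Recognise a Windows PE image inside captured bytes.

Added example, not PE Hunter's own code. It performs the header check
any PE-carving tool needs: an 'MZ' DOS header whose e_lfanew field (the
32-bit value at offset 0x3c) points at a 'PE\\0\\0' signature inside the
same buffer. The capture below is constructed by hand; build_fake_pe()
produces only the headers, not a runnable program.
"""
import struct

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def find_pe_offsets(data, max_lfanew=0x1000):
    """Return every offset in data where a plausible PE image starts."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # is the full 64-byte DOS header present?
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # e_lfanew must clear the DOS header, stay under a sanity bound
            # (cuts down on random 'MZ' text) and land on the signature
            if 0x40 <= e_lfanew <= max_lfanew and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def describe_pe(data, offset):
    """Read the COFF Machine field that follows the PE signature."""
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    (machine,) = struct.unpack_from("<H", data, offset + e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:x})")


def carve_first_pe(stream):
    """Return the bytes from the first PE header to the end of the stream,
    or None when the stream carries no PE image (a sensor would keep
    appending reassembled TCP data and try again)."""
    offsets = find_pe_offsets(stream)
    return stream[offsets[0]:] if offsets else None


def build_fake_pe():
    """Constructed minimal buffer that passes the header check."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x80)          # e_lfanew -> 0x80
    header += b"\x00" * (0x80 - len(header))            # DOS stub padding
    header += b"PE\x00\x00" + struct.pack("<H", 0x14C)  # signature + Machine
    return bytes(header)


if __name__ == "__main__":
    capture = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               + build_fake_pe())
    for off in find_pe_offsets(capture):
        print(f"PE image at offset {off}, machine {describe_pe(capture, off)}")
```

The sanity bound on e_lfanew is a heuristic: it throws away most of the “MZ” false hits that plain text produces while still accepting every real-world binary I would expect to see on the wire. The author’s worry about junk from ordinary software downloads is real, and the Machine field plus the HTTP headers preceding the hit are the first things I would log to sort those out.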

Of note, no, I’m not all that great with Snort. It’s on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.

reading some more books

I’ve been ramping up my studying lately, which has taken some time away from blogging (both reading them and writing some). I’ve also made headway into my huge list of “pending” items that both sit on my bathroom counter and in my email box.

But I have found time to plug away at some more books. I’ve (finally!) started reading Tao of Network Security by Richard Bejtlich. I’ve put this book off way too long (I wanted more background into TCP/IP and Linux before tackling the book, or so I tell myself) and am finally getting into it. I really dig the tone and how Bejtlich presents the topics. Thankfully, the very academic first chapters were followed up by excellent later chapters that I found much more interesting (maybe because I already knew his positions and definitions from following his blog).

Last night I also started reading Security Metrics by Andrew Jaquith. I really dig this guy’s writing, and I was amazed by the opening tones of the book. First an opening by one of the most recognizable writing styles in security, Dan Geer, which is also visionary and almost prophetic. Just reading anything he writes feels weighty; old and dusty like an important magical tome hidden in some wizard’s tower. Then into Jaquith’s wonderful presentations. I think this book will go fast.

Yes, I read multiple books at once. Sometimes I read novels which just require me and a chair. Other times technical books that pretty much require a computer nearby to follow along. I typically have two or three going at any given time, depending on my mood and the resources nearby. It is usually too much to be reading 2 hands-on books at a time, so I try to keep it mixed up with different flavors of books.

exercise your brain with hypothetical incident response scenarios

A few days ago I mentioned ddos mitigation. The referenced article [pdf] concerns UFIRT’s actions in the face of a rather unique incident: a DDOS attack planned to occur in 1 week’s time. Incident Response plans are important to a company’s security posture, but not every imaginable incident needs to have an itemized response plan. And while issues like a DDOS likely should not be painstakingly planned out, they should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an ad hoc incident like a DDOS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? 🙂 It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon…

dns pinning: the grey area between web and network security

Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.

First, this is a great article for people who already are familiar with DNS Pinning, since the author really throws out “Anti DNS Pinning” and “DNS Pinning” quite a lot, and it gets confusing which one he is actually talking about in each example. DNS Pinning is a behavior of a web browser to cache DNS answers until the window (or all windows of that browser) are closed. Any admin supporting DNS or web servers has experienced this behavior. “That should work…did you hit refresh? Oh wait, close all your browser windows first and retry. Yup, that did it!” Christian then explains a way to get around DNS Pinning so an attacker can redirect users without their knowledge by leveraging browser behavior and changes to DNS entries.

Second, while several web security researchers would like to say this is a Big Deal, I still consider this an exotic attack. Christian mentions this can be used to attack internal servers, but that requires significant knowledge, and I don’t think most corporations will have to care. Still, there is always the potential for something like this to become a common attack method in the future.

The takeaways here are to know what DNS Pinning means, what Anti DNS Pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.
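To pin down the two terms, here is an added example (my own model, not Christian’s code and not any browser’s implementation) of what pinning is and what the defensive side of the grey area looks like: a resolver that keeps the first answer for a name until the session closes, and refuses an answer that maps an outside name onto an inside address, which is the check that blunts the internal-server variant. ScriptedUpstream stands in for a DNS server whose record the zone owner changes between lookups; the names, addresses and the .corp.example suffix are all constructed for the example.

```python
"""Model of browser DNS pinning plus a rebinding guard.

Added example, not from Christian Matthies' article or from any browser.
SessionPinningResolver keeps the first answer for a name until the
session is closed (the pinning behaviour described above) and refuses
answers that map an outside name to an inside address. ScriptedUpstream
is a stand-in for a DNS server whose records change between lookups; all
names and addresses here are constructed.
"""
import ipaddress

# Ranges that should never come back for a name outside your own zones.
INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_inside_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


class ScriptedUpstream:
    """Fake resolver: hands out the scripted answers for a name in order,
    repeating the last one once the script runs out."""

    def __init__(self, answers):
        self._answers = {name: list(ips) for name, ips in answers.items()}
        self.queries = 0  # how often the browser actually asked

    def __call__(self, name):
        self.queries += 1
        queue = self._answers[name]
        return queue.pop(0) if len(queue) > 1 else queue[0]


class SessionPinningResolver:
    def __init__(self, upstream, internal_suffixes=()):
        self._upstream = upstream
        self._pins = {}  # name -> ip, held for the life of the session
        self.internal_suffixes = tuple(internal_suffixes)
        self.rejected = []

    def resolve(self, name):
        if name in self._pins:  # pinned: upstream is not consulted again
            return self._pins[name]
        ip = self._upstream(name)
        if is_inside_address(ip) and not name.endswith(self.internal_suffixes):
            self.rejected.append((name, ip))
            raise ValueError(f"refusing {name} -> {ip}: outside name, inside address")
        self._pins[name] = ip
        return ip

    def close(self):
        """Closing the last browser window drops the pins."""
        self._pins.clear()


def run_demo():
    """Walk one session: pin, stay pinned, reopen, see the changed record refused."""
    upstream = ScriptedUpstream({"outside.example": ["203.0.113.10", "10.0.0.5"],
                                 "intranet.corp.example": ["10.0.0.7"]})
    resolver = SessionPinningResolver(upstream, internal_suffixes=(".corp.example",))
    first = resolver.resolve("outside.example")
    second = resolver.resolve("outside.example")  # same session, pinned
    resolver.close()
    try:
        third = resolver.resolve("outside.example")  # record now points inside
    except ValueError:
        third = None
    internal = resolver.resolve("intranet.corp.example")  # own zone, allowed
    return first, second, third, internal, upstream.queries


if __name__ == "__main__":
    print(run_demo())
```

Note that `str.endswith(())` is False, so a resolver built with no internal suffixes refuses every inside answer; listing your own zones is what keeps intranet names working, and it is exactly that list that the network side has to supply to the web side.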

hacking world of warcraft

Via elamb, The Register has an article on hacking World of Warcraft, and also mentions an upcoming book I didn’t know about, Exploiting Online Games: Cheating Massively Distributed Systems, by Gary McGraw and Greg Hoglund.

Exploiting games like this, as I’m sure the authors posit, is something that might not interest a lot of people, but should still be watched. Things like WoW (12 million users! This has become a social network in itself, really!) and Second Life bleed over into the real world, both in relationships with fellow people and business realms. But beyond that, the distributed worlds of gaming on such a large level will, just like the hardware gaming pushes, eventually find more mainstream uses. Being able to know these risks (like offloading some of the work to the client machines), at least just being aware of them, should prove useful someday.

I’ll get this book regardless, since I play WoW [0] and I’ve seen things in past games that exemplify the issues with cheating [1]. It helps a lot to know what is possible out there, and can put the whole gaming world/experience into more of a perspective. The book also looks like it will explore the issues that the game software presents to the users, for instance how far the game software can go in monitoring the user. Thankfully I run gaming on a separate box which does nothing but burn discs and run games, but I’m a rarity in that setup.

[0] I have a 60 Warlock (main) and 60 Priest on Crushridge Alliance, and a 55 Shaman on Kul’Tiras Alliance. Obviously I’ve focused on the Shammy since BC.
[1] Aimbots in Quake 1 (yes, some people earned money using them); farm bots in Diablo II/Battlenet.

google apps serves terminal23 email now

Item #1: As much as I think SMTP is broken, spam filters make it even more so. I run my own home mail server for one of my domains, which means sometimes my mail gets dropped because I am using a DHCP/residential service. In other words, my ISP address space is blacklisted by some services. Lame. So then I try Hushmail or Gmail, which is also sometimes blocked. A pretty big WTF situation…

Item #2: You have a Yahoo and Gmail email account. Service is excellent and you nearly live by these email accounts. What one thing would make it better? Being able to replace @gmail.com with your domain, of course.

Conclusion: Enter Google Apps. I just got signed up for a beta service through Google Apps using the domain name terminal23.net. I went through all I needed to go through and about 25 minutes later, I have a couple working email addresses on this domain, and I can add new ones within seconds. Rock on! The interface is exactly like Gmail, although I could change the top logo if I wanted to, and I can stay logged into it and Gmail at the same time. Slick!

Feel free to check it out. It took maybe 2 weeks to get approved and an invite emailed out, but it is well worth the wait. This will make an excellent backup to my normal domain and home mail server.

http ddos mitigation by tarpitting

By way of the SecuriTeam blog, I see Joe Stewart has posted a quick technical article about thwarting an HTTP DDoS attack using iptables tarpitting. I also like the cite to a report by Jordan Wiens [pdf] about tarpitting DDoS worms (I’ve not read it yet). I especially like the graph showing the effects of no action, connection dropping, and tarpitting. As a question to myself, I wonder if the attacked system needs to keep track of those sessions as well, and if that might bleed the server a bit over time? Obviously, this is still better than having the server fall over in the first 5 minutes, while tarpitting likely can allow the server to hold out far longer, even if it still bleeds.

One thing that Joe leaves unspoken is tarpitting is not to be used for all HTTP requests. Some of those requests are legitimate users and you certainly don’t want to tarpit them. Tarpitting should be triggered after a connection is determined to be part of the DDoS, so there is some front-end work to be done. I expect Wiens covers this in the longer paper.
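Here is an added example (my own code, not Joe Stewart’s or Jordan Wiens’) of that front-end work: count connection attempts per source over a sliding window, trip only the sources that cross a threshold, and produce a rule for each of those rather than for all of port 80. It assumes the TARPIT target from xtables-addons is available on the box; the rules are returned as strings for an operator to review, not executed, and the connection log is constructed.

```python
"""Decide which HTTP sources to tarpit, instead of tarpitting everyone.

Added example, not Joe Stewart's or Jordan Wiens' code. It implements
the front-end step left unspoken above: count connection attempts per
source over a sliding window and emit a rule only once a source crosses
the threshold. The rule strings assume the xtables-addons TARPIT target
is installed; they are returned, not executed. SAMPLE_EVENTS is a
constructed (timestamp, source) log.
"""
from collections import defaultdict, deque


class TarpitGate:
    def __init__(self, max_conns, window_seconds, allowlist=()):
        self.max_conns = max_conns
        self.window = window_seconds
        self.allowlist = set(allowlist)    # monitors, partners, your own boxes
        self._recent = defaultdict(deque)  # src -> timestamps inside the window
        self.flagged = []                  # sources in the order they tripped

    def observe(self, ts, src_ip):
        """Record one connection attempt; return True if src_ip just tripped."""
        if src_ip in self.allowlist or src_ip in self.flagged:
            return False
        q = self._recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire attempts outside the window
            q.popleft()
        if len(q) > self.max_conns:
            self.flagged.append(src_ip)
            del self._recent[src_ip]
            return True
        return False

    def rules(self, port=80):
        """One iptables command per flagged source (assumes -j TARPIT exists)."""
        return [f"iptables -I INPUT -p tcp --dport {port} -s {src} -j TARPIT"
                for src in self.flagged]


def replay(gate, events):
    """Feed (timestamp, src_ip) pairs through the gate; return the sources that tripped."""
    return [src for ts, src in events if gate.observe(ts, src)]


SAMPLE_EVENTS = sorted(
    [(i * 0.05, "203.0.113.9") for i in range(60)]        # 60 attempts in 3 s
    + [(0.5 + i * 1.0, "198.51.100.4") for i in range(5)]  # someone browsing
    + [(i * 0.1, "192.0.2.20") for i in range(60)]         # allowlisted monitor
)


if __name__ == "__main__":
    gate = TarpitGate(max_conns=30, window_seconds=10.0, allowlist=["192.0.2.20"])
    print("tripped:", replay(gate, SAMPLE_EVENTS))
    for rule in gate.rules():
        print(rule)
```

The allowlist answers the author’s own concern about legitimate users in the bluntest way; a busy proxy or NAT gateway fronting many real users is the case that needs a higher threshold or a per-URL signal rather than a per-source count.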

paradise by the dashboard lights

Mr. Buddha, Mark Curphey, mentioned dashboards recently, which got me all giddy at the link he provided to a site about information dashboards. I love me some dashboards. I love them enough that I have a section of my menu on the right devoted to security dashboards. Dashboards are used to distill relevant information down to a, hopefully, more visual representation of your reality. Not only that, but have you ever had someone in the management chain above you go ga-ga over the pretty pictures and lights and trends on your desk, even when they have no friggen clue what it all means? People seem to react positively to seeing things like this on a network or security admin’s desk. At a previous job, I didn’t get too many people walking by wondering what I had up my sleeve for that day, but whenever I turned on a dashboard, I had plenty of people from various job roles wander over and ask what all the lights and colors were for and how “cool” it was. In my mind, it has become part of selling oneself as a technical and security expert.

Now, I want dashboards at home, someday. I don’t know if I will ever become proficient enough to roll my own, but I have plenty of spare systems and monitors around to utilize their extra cycles to display neat metrics and dashboards. Due to my current refusal to “settle,” I don’t have big furniture in my apartment like a desk or two, so the whole dashboard setup needs to wait a bit more.

But I thought it worthwhile to write down, for myself, a bit of a wishlist on dashboards I’d like to see on my desk over time. Note that this is at home, although many of these things should be able to scale up to enterprise use. Suggestions for tools are welcome.

  • visual traffic monitoring – like etherape or eve or plenty other tools that give a pretty view of what and where traffic is on the network.
  • less visual traffic monitoring – like a tcpdump scrolling by on a monitor; only tailored down to watch only things really important (and not my workstation streaming web radio…)
  • traffic summary – a summary of traffic levels to web, mail, VPN, SSH servers and so on; even as pared down as simple daily log file sizing.
  • system monitoring – on a basic level, what is up and what is currently down. On a deeper level, system health such as CPU, RAM, and disk usage, running processes, and so on.
  • service monitoring – on an even deeper level, any time traffic to something comes in it can log, throw a visual cue, or send a quick message, for instance a login attempt on SSH or VPN.
  • arp watching – roll your own basic NAC rogue detection on a network by monitoring arp requests in a DHCP network, using arpwatch or arpalert (I think those are the names).
  • security monitoring – tripwire-like integrity detection on important systems, account creation events
  • IDS – things like Snort alerts, although these aren’t as useful on a dashboard, per se.
  • threat/vulnerability/external – It is nice to monitor one’s own realms, but none of us are islands. We need to know about changing threats, new vulnerabilities, or maybe some trend or new attack vector affecting the security health of the Internet as a whole. There are plenty of these sorts of dashboards available, since they lend themselves well to the web.
  • wireless – kismet just to keep an eye open for new clients and the wireless network in the area
  • wireless spectrum analyzer – run the pretty Wi-Spy tool in a corner to monitor the health of the wireless frequency range.
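For the “arp watching” item, here is an added example (my own code, not arpwatch’s or arpalert’s) of the roll-your-own version: it reads lines in the shape `tcpdump -n -e arp` prints, learns the IP-to-MAC pairing from the sender side of each request and from each reply, and reports the two events arpwatch itself is known for, “new station” and “changed ethernet address”. The capture is constructed, not taken from a real network.

```python
"""Roll-your-own arpwatch: flag new stations and changed MACs.

Added example, not arpwatch's or arpalert's code. It reads lines shaped
like 'tcpdump -n -e arp' output, learns IP-to-MAC pairings from the
sender side of requests and from replies, and reports the two events
arpwatch reports: 'new station' and 'changed ethernet address'.
SAMPLE_CAPTURE is constructed, not recorded from a real network.
"""
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# Request: the Ethernet source plus the 'tell <ip>' field identify the sender
REQUEST = re.compile(
    rf"^(?P<ts>\S+) (?P<mac>{MAC}) > \S+, ethertype ARP.*who-has \S+ tell (?P<ip>[\d.]+)")
# Reply: '<ip> is-at <mac>' is the claim we want to watch
REPLY = re.compile(
    rf"^(?P<ts>\S+) .*ethertype ARP.*Reply (?P<ip>[\d.]+) is-at (?P<mac>{MAC})")

SAMPLE_CAPTURE = """\
10:15:01.000117 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.10 tell 192.168.1.77, length 28
10:15:01.000452 00:0c:29:ab:cd:ef > 00:1a:2b:3c:4d:5e, ethertype ARP (0x0806), length 60: Reply 192.168.1.10 is-at 00:0c:29:ab:cd:ef, length 46
10:15:31.000203 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.77, length 28
10:16:02.000009 00:de:ad:be:ef:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.10 is-at 00:de:ad:be:ef:01, length 46
"""


def parse_arp_line(line):
    """Return (timestamp, ip, mac) for a request or reply line, else None."""
    for pattern in (REQUEST, REPLY):
        m = pattern.match(line)
        if m:
            return m.group("ts"), m.group("ip"), m.group("mac").lower()
    return None


class ArpWatcher:
    def __init__(self):
        self.table = {}   # ip -> mac as last seen
        self.events = []

    def observe(self, ts, ip, mac):
        known = self.table.get(ip)
        if known is None:
            self.events.append(("new station", ts, ip, mac))
        elif known != mac:
            # A different MAC claiming a known IP: DHCP churn, a replaced
            # NIC, or someone answering for an address that is not theirs.
            self.events.append(("changed ethernet address", ts, ip, known, mac))
        self.table[ip] = mac

    def feed(self, text):
        for line in text.splitlines():
            parsed = parse_arp_line(line)
            if parsed:
                self.observe(*parsed)
        return self.events


if __name__ == "__main__":
    for event in ArpWatcher().feed(SAMPLE_CAPTURE):
        print(*event)
```

In a DHCP network the “changed ethernet address” event is noisy by design, which is why a per-address history (arpwatch’s “flip flop”) and a list of expected MACs, as in the iPhone post later on this page, are the next things to add before wiring it to a dashboard.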

Ok, so all of this is pretty personal to me, because I am a firm believer in keeping one’s fingers not just in the trenches of the back room, but making sure they are constantly feeling for a pulse, temperature, clamminess, etc. So much about security and IT in general has a fundamental base of monitoring for changes and abnormalities. It’s the part of me that is a control/information freak which lends itself well to the field. And yes, I like having a few non-screensaver’d monitors around me showing me what is going on at all times.

hungry, hungry printer

Workplace geek humor time! One of those sounds that just always makes me grin in eerie pleasure when sitting in my cubicle is the sound of print job white noise unceremoniously turning into a printer quietly eating the paper. Not just printing, but jamming up and eating the paper; the pleasant crinkling that indicates things are not well…sure to give me a grin!

Bonus points if someone walks over in the next 15 minutes and starts swearing softly and sounding like they’re banging every lid tray and movable plastic piece on the printer…that sadistic side of geek humor, that!

don’t worry about the iphone yet

There is talk about the iPhone’s implications to security. I think it is important that anyone discussing this make it clear where their perspective lies: from the eyes of an autonomous home consumer or the eyes of corporate IT. From the eyes of a home user, my condolences, but I really expect this device to be no different than any other, and likely exploitable. For the business perspective, this is no different from any other phone or USB key fob on the market.

  1. Limit/disable USB/Bluetooth ports on your laptops and desktops.
  2. Only officially support the use of approved devices, of which there should be few, and they should be manageable from something like a BES server.
  3. Make sure you know what MACs are on your network, and if an iPhone is able to get onto your Ethernet network, be sure you have alarms and possibly port security on your network.
  4. (Optionally) Disallow, by policy, the use of home phone devices to transmit corporate email to and from. You might not be able to effectively audit this, but you better let people know they shouldn’t be doing it in the event you find out they are.

If you don’t already do the above corporate security measures, you have no business worrying about the iPhone. If you already do the above corporate security measures, you have no business worrying about the iPhone beyond deciding how long to wait before allowing it as an approved device for syncing and official use (or when to put the final “PERMA-DENIED” stamp down).