Domain: fish2.com
Stories and comments across the archive that link to fish2.com.
Comments · 8
-
Re:So .. Security by Obscurity.
There's actually a lot of precedent for this sort of thing in the way of ILOM/DRAC/IPMI and similar capabilities. In fact Intel's AMT isn't really news, it's been there for years. A general pattern in all of these systems is the use of crappy old ARM processors, incredibly ancient Linux kernels (2.6.x), unpatched old binaries from God knows where, and coding like it's 1997 (strcpy(), fixed-length buffers, etc). There's lots of material out there on this, e.g. Dan Farmer's take. Oh yeah, and you typically can't disable it, even when you think you've disabled it. My only surprise about all of this is that people are surprised by it.
-
Re:So is this a manufactured clickbait story?
You're going to make a comparison to IPMI?
Start reading: http://fish2.com/ipmi/
-
Re:Big Brother has your encryption keys by default
It's not big brother, it's anyone. All of the IPMI systems used by Intel, Dell, HP, etc, are unaudited cesspits of remote-rootkit capabilities full of buffer overflows, authorisation bugs, parser errors, and so on. It's hard to know where to begin, but here's one starting point. Hack like it's 1999.
Intel SSD's have had AES encryption built in for years, it's no big deal. What they've added with their IPMI support is a capability for remote attackers to get at the encryption, which is kind of a big deal if you're worried about your privacy.
-
Be careful disposing of servers
Servers typically have an IPMI password stored in flash on the motherboard. This gives access to the server's lights-out management capabilities (with which you can do anything, including booting from a remote OS image so you can dump the disks). Many servers in a data centre typically share the same IPMI password. So you ought to be concerned about how you dispose of defunct servers. Details here.
-
Re:Chinese OS?
Who in their right mind would install a chinese OS on their device
Lots of datacenters are doing just this without realising it. I've just finished reading this paper. It talks about the vulnerabilities in IPMI and BMC, the latter being the embedded computer that runs inside every server to provide lights-out management, and has full access to everything happening on the computer. Guess what country provides these embedded computers for all the major server vendors?
-
Forensic Discovery, Windows Services for UNIX
Windows Services for UNIX 3.5:
http://technet.microsoft.com/en-us/interopmigration/bb380242.aspx
http://technet.microsoft.com/en-us/magazine/cc160802.aspx
Utilities
SFU comes with more than 300 UNIX utilities as part of the Interix subsystem, with additional utilities available either from InteropSystems or by compiling from available source code. These utilities cover all the major UNIX utilities and areasâ"everything from addr to yaccâ"and behave exactly as you and your UNIX users would expect them to behave.
The utilities include familiar text processing tools, including grep, less, awk, sed, pr, and tr, batch processing tools such as at, cron, and batch, as well as job control tools like ps, nice, kill, and so on. They're all there and they work exactly as you would expect. Even the man command is just as ugly (but infinitely useful) as it's always been.
Utilities such as ps and kill work against both Interix and Win32 processes, making SFU particularly appealing for the system administrator. Need to find and kill all instances of a particular process? The script to do it in Interix is straightforward, whether the process is running in the Win32 subsystem or the Interix subsystem.
As a simplistic but useful example, suppose you have an unknown number of copies of a process running on a machine with SFU. Figure 2 shows a script that will kill them. This script would work exactly the same running on a UNIX or Linux system.Free Grep and Tail tools for Windows:
http://blogs.officezealot.com/marc/archive/2004/01/31/2046.aspx
Real Digital Forensics:
http://www.jonesdykstra.com/index.php/real-digital-forensics-mainmenu-54
Forensic Discovery:
Wietse Venema:
http://www.porcupine.org/forensics/
Forensic Discovery (he posts it for free, but worth buying)
http://www.porcupine.org/forensics/forensic-discovery/ftp://ftp.porcupine.org/pub/security/index.html
Dan Farmer:
-
Got done....
I got done reading this, and it's pretty dumb.
"If you're a big company, you already have a security team. If not, hire one." DOH!
That smacks me of the same kind of response from slashdot about legal advice... "Im being sued by the RIAA, should I ignore it?"
Still, why not gander around and see what the the real security experts and such say about such matters:
The Coroners Toolkit Tools for Unix
Nagios detection suite
Honeypots for 'sticking hackers'
And there's the wonderful tools in the Linux kernel for bridges and such that can be made to monitor data as if there was no computer there at all. Also, PF in FreeBSD can route and filter based on much more criteria than Linux netfilter can (like via OS).
You should have a secure layout of your network along with a respectable sensor network. The Sensornet should be separate from the general network.
If you already work in IT, these things should be obvious, as it is the similar measures required for data recovery on non-hack problems. -
Don't Panic PANIC BUTTON
netr00t's got solid advice for you.
http://slashdot.org/~netr00t
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&se ction=activescout
http://www.winternals.com/
Useful:
http://www.sysinternals.com/SecurityUtilities.html
http://www.porcupine.org/forensics/forensic-discov ery/
http://www.fish2.com/tct/help-when-broken-into
Firewalls and Internet Security
http://www.wilyhacker.com/
First Ed. (online)
http://www.wilyhacker.com/1e/
Practical UNIX and Internet Security
http://www.oreilly.com/catalog/puis3/
FWIW
http://exuberant.ms11.net/index.html
http://exuberant.ms11.net/98sesp.html
http://exuberant.ms11.net/links.html
http://www.oldversion.com/