insecure.org · Domains · Slashdot Mirror

Re:"Old as the Hills" by wavelet · 2001-03-12 07:36 · Score: 1 · on Security Hole In TCP

As a computer security consultant, this story seems silly to me.

see CERT advisories dating back to 1995... as well as bugraq discussions about it...

This is a very well known "vulnerability". The most famous use of this vulnerability was by Kevin Mitnick to attack Tsutomu Shimomura's computers.

Basically one of Shimomura's unix boxes had root level .rhost that trusted another one. Kevin spoofed packets from the trusted computer to execute a "echo '+ +' >> /.rhosts" then just rlogin. To help the attack Kevin also SYN flooded the the trusted computer so that it would not respond with RST packets. This type of attack is called blind spoofing and is usually difficult to do. There are programs out there that will do this. ie: ADM-rsh

Tools like nmap test for ISN randomness. Just about all unixen are atleast pseudo-random, which makes the attack almost impossible to do to two computers that you can't sniff traffic to or from.

If you can sniff traffic from either box then the problem of hijacking connections becomes much simpler. At this point it doesn't even matter what the ISNs are because you can just sniff them. Tools like: hunt are the preferred tools for session hijacking. hunt even has ARP spoofing so that you can sniff over switched enviornments.

TCP Sequence Prediction in nmap by Baconator · 2001-03-12 04:51 · Score: 1 · on Security Hole In TCP

Nmap, the network scanner, has long had a feature which attempts to rate how good (random) a TCP sequence is. Any TCP stack worth its salt would be very hard to exploit on this basis, but I guess there are still some TCP stacks that aren't worth their salt.

Check out http://insecure.org/nmap/

This is NOT new nor is it news... by Anonymous Coward · 2001-03-12 04:27 · Score: 1 · on Security Hole In TCP

... when nmap has been testing for it for years.

God Bless Andre Hedrick by mdecerbo · 2001-02-28 00:28 · Score: 2 · on CPRM Smokescreen

Linux-IDE guru Andre Hedrick, who's a member of the T13 committee considering this stuff,
is doing his best to squelch this, by counter-proposing more mandatory features for the spec
that will let the host operating system turn off the nasty CPRM commands at the drive.

As a Register article puts it:

CPRM could yet be commonplace in hard disks in the future, implemented through the back door of "Vendor Unique" commands, Hedrick argues. And the task of finding out where CPRM is coming from would permanently impair the performance of non-CPRM operating systems. Like a Smash the Hippo Game, only with an infinite number of Hippos. And he adds, there's really nothing to stop vendors doing this. Much of what your hard drive can really do is not considered or ratified by T.13. This ain't the Supreme Court: it only sets down lowest common denominator interoperability standards. The rest is a free for all. Hedrick's "suggestion" to the T.13 mailing list, promising to give away a command parser that bounces unknown new commands, so obliging a CPRM-vigilant OS to track and reject all such command sets. His threat poses a dilemma for drive manufacturers which may be inclined to sneak CPRM in through the back door: they'll effectively lose the Linux market. Hedrick's parser will include trap-doors for vendors who try to circumvent known command sets, too.

For those interested in this CPRM nonsense, there's a good page at http://www.theregister.co.uk/content/2/17009.html.

List of tools by raffe · 2001-01-04 23:07 · Score: 3 · on Vulnerability Assessment Scanners Comparison

Here is a list of good tools

But email bugs ARE a serious risk by fv · 2001-01-04 11:37 · Score: 5 · on Fox Says Web Bugs = Virus Risk

While Hemos says "just use the bottom line - don't click on spam URLs", he misses the point. The insidious nature of these emailed "web bugs" is that they DON'T requre any clicking. Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers. Every time you open the message, the sender is notified and generally logs the time, location (IP) and email address of the person reading the email. They also frequently set an HTTP cookie so they can cross reference future browsing activity with your email address (which they know because they sent you the spam).

Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-souce applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

Cheers,
Fyodor

Concerned about your network security? Try the Free Nmap Security Scanner.

My favorites by dubl-u · 2000-12-15 17:24 · Score: 4 · on Useful Utilities?

Given that you're posting around here, I'm guessing you have a Linux box handy. Here are some of my favorite sysadmin tools:

dig - This is a more advanced tool for seeing what's going on with DNS.
nmap - A great tool for probing your server to make sure you haven't left anything open.
Apache Bench (ab) - This simple but effective benchmarking tool comes with the Apache server. It's great to see how your site will perform under load.
wget - a tool for remotely getting web pages; it's very versatile -- you can even use to save a copy of your whole site, just in case.
Ethereal - Having trouble figuring out what's going on between the browser and your server? This will capture all the packets and decode them into a nice conversation for you.
vmstat - want to know why your server is slow? Get used to watching the vmstat numbers while it's fast, so you can see what's different when it's slow. It's raw numbers that are hard to interpret, but it's worth getting to know. Maybe this should be another Ask Slashdot question?
Netsaint - this is my favorite automatic monitoring package. Once your site is in production, you can set this up to patrol things and make sure everything is working. That lets you get on with other stuff, knowing you'll hear about trouble pronto.
MRTG - A tool that makes excellent long-term graphs of bandwidth use.
IPtraf - Where MRTG gives you the broad overview, this gives you the second-by-second nitty gritty.
perl - Last but most is Perl, a Swiss Army chainsaw of languages. If you'll be doing any web stuff, pick up a copy of Learning Perl and spend a little time with it. Once you learn the magic of regular expressions, you will never again say "that's impossible!" to a problem.

As far as non-sysadmin stuff goes, here are some of my other favorites:

Bugzilla - this is a free and flexible bug tracking system. Highly recommended, especially for those people who don't think they need a bug tracking system. Our designers thought it was silly to start, but even they use it all the time now.
CVS - Like bug tracking, most web sites don't think they need version control. Most web sites are wrong! CVSweb is also recommended.
HTML Tidy - bad HTML in, good HTML out.
WebTV Simulator - Sure, you and I don't use WebTVs, but a lot of people do. Browse your site with this to see how the other half surfs.
VMWare - Along similar lines, VMWare is a Windows box emulator. I use it to keep a bunch of synthetic windows machines with a variety of OS versions and browser versions. It makes QA much easier.

And if there are particular tasks that have you stumped, come back and ask again. 'Round these parts, we have big toolboxes.

Why not apply the "no spam software" evenly? by jwa0 · 2000-12-14 14:56 · Score: 2 · on MAPS RBL Is Now Censorware (Updated)

Since the RBL is used against those who write or distribute programs designed to send mass e-mail, I should fully expect places like PacketStorm (a fine archive of security-related tools and scripts) to be placed on the RBL. They knowingly host code that sends mass mail: http://packetstorm.securify.com/Exploit_Code_Archi ve/mailbomb.c Why then is PacketStorm not on the RBL? Or any of the other hosts that have similar tools?

I use the RBL hooks in Postfix, and I find them very useful. This is a bit much, though. While I have enormous respect for Vix & co., I think this is way over the line.

How is software that is designed to send bulk email any "worse" than software that is designed explictly for the purpose of, say sniffing user passwords or performing denial-of-service attacks? Indeed, why aren't we, as the Internet community, tracking down those people arrogant enough to write these tools -- tools that are clearly used to commit all manner of subversion havoc -- and blackholing them?

It's because (most) technical people understand that tools are just tools. Somebody who writes a password grinder is "just" a programmer. The Unix admin who downloads it and runs it against her password file is just doing her job. The peeved help-desk guy who uses the password grinder to get the VP of Finance's Unix password and then uses it to access the nifty Oracle financial system is acting-- in the words of AUPs everywhere-- in excess of his authority, and if caught, will be squashed by the Law.

It's not valid to want it both ways, to want software that you think is "bad for the net" blackholed out of existence, yet allow other software -- arguably more damaging -- to exist unchallenged. If this was, say, WIPO vs. nmap, would those of you in favour of MAPS' stance take offense? Software is speech. Censor it and contribute to the decline of your freedom to write it. I'm sure the brains behind WIPO are very interested in seeing how this plays out; if an .org which essentially controls access to and from the large nationwide ISPs can succesfully censor software without question, then certainly WIPO can.

And finally: simply because MAPS says "These are our guidelines, and we are following them" doesn't mean the guidelines have merit.

Emperor Has No Clothes by 1010011010 · 2000-10-21 10:09 · Score: 5 · on Linus Speaks With c't On Clean Design And ReiserFS

I'd like to know why people aren't interested in 2.4. Is it that it's been delayed so long it's like vaporware?

I'd say that the reason that people aren't interested in the 2.4 kernel is they they have lost faith in the development process.

Over the last two years, people have repeatedly posted on the LKML in one way or another that the emperor has no clothes. They've been nice, they've been rude, they've even posted good ideas and patches to provide some clothes. But, universally, the response from the LKML acolytes has been a variant of "the emperor isn't naked; he is in fact wearing a 3-piece suit, and if you don't like it, you can get your own emperor, you idiot."

It's very sad. Criticism is what keeps any public enterprise honest and productive, and the denizens of the LKML don't have any tolerance for it.

The linux development process has little direction, no planning, little to no leadership, meaningless feature freezes, and little to no documentation and guidelines. The kernel itself *is* spaghetti code inside, no matter what people say. They try to maintain control over what people use by not exporting some functions from the kernel .o files, but that's a bandaid, and a way to control who gets to work with the kernel more than what can be done with it. That the kernel is spaghetti code is one of the major reasons that 2.4 is so late, and so buggy. Just try to do some kernel programming, and you'll see, if you don't believe me. Take a look at the big, ugly union in the VFS. Figure out all the places that bdflush gets invoked, and the number of different ways to have a pinned buffer flushed by other parts of the kernel anyway. Look at the brokenness in the spinlocks and semaphores. Look at all the VM rewrites and the warring but both broken USB stacks. Check out the tendency of the VM OOM "feature" to kill random programs like X and kswapd. And don't forget all the race conditions.

It is very difficult to alter some part of Linux because of all the unintended consequences. It's difficult to get needed features and clean-ups into the kernel because of cronyism and a narrow-minded religious devotion to Posix. Go back and read up on the NTFS-streams thread for a good example of that (Alan and Viro actually invited everyone talking about streams to an off-list discussion, and then notified them that they had been added to their killfiles).

Clean code? Just look at the 2.4.0-test-pre-pooch-screw series of debacles, where the VM is rewritten every few weeks, and new features are tossed in while there's still massive bugs to fix in the code that's already there, and in spite of repeated "feature freezes". That would all be fine in a 2.3.x series kernel, but judging from the version number, "2.4.0-test" is supposed to be pretty stable except for bug fixes -- not have major features added and subsystems being rewritten.

Linux has terminal featureitis. No one wants to work on the hard things; they just want to add features. Quickly.

And Linus, to make things worse, claims that a kernel debugger is counter-productive; that debugging with printk puts hair on your chest. Never mind that you can't debug race conditions well, if at all, by adding printk statements everywhere, because they change the timing of the code when it runs. Never mind that essentially every other 'modern' OS includes a kernel debugger, and that many of those OSes are better designed, better implemented, and perform better and run more reliably than Linux (FreeBSD, HPUX, Solaris, and even NT come to mind).

Linus must be right. In fact, he's declared himself to be infallible -- he will not allow a kernel debugger to be added, and has publicly stated that he thinks people who use debuggers are dummies and that he won't work with them. But never mind that; he's the leader of the mo vmentarians , Linux is our official OS, and we'll just get back to work on his lima bean farm and wait for him to wave out the window of his car at us, or splash us with mud as he drives by. And that would actually be fine, if he was actually a leader; that is, if he made decisions and stuck with them. But he doesn't do that. Refer to his "I'm a wimp" email. He'll occasionally toss in a new filesystem ("accidentally,"Alan Cox recently suggested merely covering them up with his skip-a-number, backport and turn yourself around hokey-pokey versioning scheme. The real solution would be the one that software developers everywhere have always used, which is to:

set realistic goals for a release
defer any further feature creep until the next release
concentrate on fixing bugs in the pre-release cycle
aim for modularity, stable interfaces and good documentation to make upgrades and new feature addition easier and the learning curve less steep
provide robust methods for troubleshooting the system to make development and debugging easier.

Linux does none of these things. By design. So continue to kvetch about idiots like me (and IBM, and SGI, and HP, and Reiser, and about 1000 other people and companies) pointing out that Linux is fundamentally screwed.

The most common response to criticism is a variant of "love it or leave it." Keep suggesting that we go write our own damn OS if we don't like it; your love it or leave it response will be accepted one day, and we will leave Linux. I actually think it would be a good idea for the major external linux players to fork the kernel, clean it up, and maintain their own version. I don't doubt that it would shortly become the defacto standard kernel, because it will be cleaner, more stable, more scalable, more extendible, and will probably be released on time and respect feature freezes. SGI, IBM, Reiser and a lot of other people and companies have a lot of good code and ideas to contribute, not to mention full-time developers, years of experience making scalable and robust systems, and a willingness to release all that work under the GPL. And if they fork the kernel, they can do it without having to be named "Ted", "Ingo", "Alan", "Linus" or "Rik".

One day the question will be, are *you* relevant? Why should we accept *your* code? Is it clean? Is it modular? Is it safe (see LWN article about C code with undefined behavior being included in the kernel). Of course, a fork can always be re-merged with the holy penguin pee version. In the meantime, all the people who want to run Linux on enterprise systems rather than PDAs and webpads can have a stable, working kernel with adequate features.

It would be useful if people would make substantive replies to this message, rather than engage in the usual comments about rioting, sending spam reports, saying "love it or leave it," moderating it as a troll, port-scanning my mail server, attempted hacks and other juvenile/illegal acts, sending spam reports, threatening violence, etc. Of course, substantive debate is really hard to come by on either the LKML or Slashdot, so I don't expect it. So, go ahead, get started telling me to sod off. I'll get back to switching over to FreeBSD, although I would prefer if someone would take up a rational refutation of this message instead. Show me the Emperor's Clothes.

________________________________________

Re:No Worries! by Tassach · 2000-10-04 23:19 · Score: 5 · on First Look Inside Carnivore

Carnivore/Omnivore on Solaris is scary. Carnivore/Omnivore on NT is VERY scary. If someone were able to exploit a hole on a carnivore box, they could then use it to monitor anyone's communication. This is of course possible under Solaris too, but NT is far more vulnerable to remote exploits.

A black-hat being investigated by the FBI could possibly turn their tool against them, using *nivore for counter-intelligence. At least the FBI has to pretend to obey the law and respect some limits -- a black-had has no such restrictions.

I wonder if there is enough information in what has been released to be able to identify a carnivore box remotely. Does it use promiscuous mode packet sniffing? Could you detect one with a variant of l0pht's antisniff? Does it exhibit any tcp/ip eccentricities that could be detected with nmap or SATAN?

Note to Pat Christian, news item author: by Platinum+Dragon · 2000-10-01 10:36 · Score: 2 · on Microsoft Withdraws Linux NTFS Threats

"It all kind of got out of proportion," Merkey said of the threats. He spoke about them only after some of his private e-mail was intercepted and posted on the Internet.

I don't think the linux-kernel mailing list is exactly "private e-mail". I wouldn't expect Pat to know what a mailing list is, but come on here. It seems as if Pat didn't even bother digging up the post that started it all. I wonder if Pat even asked Merkey about how the incident flared up.

sheesh, basic story research...
-------------

Re:Umm... by interiot · 2000-09-25 20:59 · Score: 4 · on Microsoft Litigation vs. Linux NTFS Kernel Support

Counterclaim, with evidence:

Linux Kernel mailing list archive, with 133 messages from Jeff V. Merkey in the last 26 days, including his posts about Microsoft.
--

Re:A giant pack of lies by catscan2000 · 2000-09-04 22:22 · Score: 2 · on Barcode Maker Responds After Forcing Drivers Offline

-- That whole third paragraph about the linux community helping Microsoft is hogwash.

Though this reply isn't about the Linux Community, per se, the people as nmap believe that Windows 2000 is using NetBSD's IP stack ;)

TCP Initial Window -- This simply involves checking the window size on returned packets. Older scanners simply used a non-zero window on a RST packet to mean "BSD 4.4 derived". Newer scanners such as queso and nmap keep track of the exact window since it is actually pretty constant by OS type. This test actually gives us a lot of information, since some operating systems can be uniquely identified by the window alone (for example, AIX is the only OS I have seen which uses 0x3F25). In their "completely rewritten" TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is exactly the number used by OpenBSD and FreeBSD.

http://www.insecure.o rg/nmap/nmap-fingerprinting-article.html

Data publicly available since Aug 11 by fv · 2000-09-02 11:02 · Score: 1 · on Capture The Capture The Flag

Ron Gula already posted DefCon8 data along with DC7 and SANS ID-Net dumps several weeks ago. The page says Toorcon captures will be available shortly.

--
Frustrated by firewalls? Try the Nmap Security Scanner

Data publicly available since Aug 11 by fv · 2000-09-02 11:02 · Score: 1 · on Capture The Capture The Flag

Ron Gula already posted DefCon8 data along with DC7 and SANS ID-Net dumps several weeks ago. The page says Toorcon captures will be available shortly.

--
Frustrated by firewalls? Try the Nmap Security Scanner

Re:And we're supposed to believe this because... ? by David+A.+Madore · 2000-08-29 08:31 · Score: 2 · on Ex-Microsoft Employee On Unix Within The Empire

anyone care to run one of those tcp signature OS-guessing programs on www.hotmail.com?

I've just tried that (using nmap). But we don't get much info:

TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!) Remote operating system guess: Cisco Localdirector 430, running OS 2.1

Also, regarding philosophy, by bgalehouse · 2000-08-05 13:02 · Score: 1 · on Java Security Hole Makes Netscape Into Web Server

This is the same sort of hole as, say, the old bsd mmap problem. Just as user/supervisor modes make it possible to write a system which puts processes in sandboxes, the JVM security system makes it possible to put applets into sandboxes. But in both cases, getting the security checks correct is a non-trivial exercise.

Re:Remember the box? by bmc · 2000-08-01 02:09 · Score: 1 · on Hotmail about to collapse under load

Well, this article from the author of nmap does note that Win2000 uses the same TCP Initial Window value as FreeBSD and OpenBSD (the NT4 value is different). Hardly conclusive, but an interesting coincidence.

Re:Id are hypocrites by Th3+D0t · 2000-07-23 21:01 · Score: 1 · on Rocket Arena For Quake 3 Arena Released

Yeah, maybe if it were open source, they wouldn't be so tempted to put in blatant backdoors.
---

Hacking insurance! by 11223 · 2000-07-09 23:21 · Score: 5 · on Hacking Insurance For Net Businesses

Here at XYZ Insurance Corporation, we're proud to announce our new Hacking Insurance - protecting your business interests against hackers!

Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS with Apache, and porting your product to Linux. Here's what we offer for protection:

Instant Apache uninstall - we keep secured backup tapes that let you go back to your secure, responsive IIS environment instantly!
Linux replacement - with proprietary tools we can search out Linux computers connected to your network and replace them with secured NT workstations!
Source code security - we offer to help you write Windows-specific code so your developers can never switch to Linux if their hacker instincts flair up! As you can see, hacker insurance has many benifits. Protect your business investments today!

insecure.org, Re:[Cr]acker pages by TheMeister · 2000-07-07 09:06 · Score: 1 · on Security - How Can you Learn Internet Self-Defense?

Fyodar's exploit world has a good collection of scanners, articles, and known exploits (if that's what you want).

Word of advice though, don't ask about the back doors in the various Quakes (here and here) during interviews on /. unless you've got Karma to spare . . . ouch.

It's mostly a conglomerate of different sources, but a number of the articles are kinda interesting. Keeping up with CERT advisories would probably be better for self defense though (always good to know what they do though). The scanners are pretty good, especially if your, um, on the "testing" end and the the detection end . . .