Domain: shmoo.com
Stories and comments across the archive that link to shmoo.com.
Comments · 150
-
There's actually been a great thread...
On the loganalysis mailing list.
It's covered everything from requirements for logs to be admitted, to the validity of using checksums.
It's also been archived on the log analysis website.
Even better, we've had several lawyers in on the conversation who cite actual case law.
For once the conversation doesn't need the standard IANAL.
Here's a link to the start of the thread
[Log] Log Archival
or for those who prefer a top down view:
Index of threads for december
Oh, and here's a website by the ever excellent Tina Bird of Counterpane, as well as Marcus Ranum
Log Analysis
You can find all the info you need in the library off this site. -
Re:"Good enough" wireless?
I'm using an 802.11b network with 128-bit encryption, meaningless passwords (not "admin" or "router"), and the WAP will recognize only the MAC of the portable (yes, that can be spoofed, but it keeps out random strangers). Finally, the access point is in the basement, so its reception zone is mostly up, not horizontal.
There could be specific weaknesses in my brands of hardware, but that's another problem.
Am I mistaken that this provides reasonably good security?
Short answer: Yes, you are mistaken.
Longer answers: Here, here, or here.
Assuming your neighbors are clueless luddites who have to call you when their printer runs out of paper, WEP will prevent them from borrowing your Internet uplink bandwidth. Against a determined attacker, WEP, MAC filtering, and most of the other features built into modern 802.11a/b APs are ineffective.
On the other hand, you may not care.
E.g., my home machines are all secured and I do regular audits and scans. Any sensitive communication (e.g., logging into a machine at work) happens over ssh and so is protected. So the only thing a script kiddie can do is watch my web traffic (which he is welcome to do), borrow my bandwidth (which would probably be noticed), and maybe try DoSing my home network (which is easy to fix).
All of the above was also true when my home network was wired. The move to 802.11b just traded a decrease in security for an increase in convenience (ah, reading /. while sitting on the deck). As Schneier has said, security just buys you time. In the case of 802.11 (or for that matter, any wireless protocol), it takes significantly less time for the security to be breached than it would if the wired protocol was in use. If that worries you, don't use 802.11 networking, cordless phones, or cell phones, or adjust the sensitivity of your traffic to suit the medium.
-
Another example -
is Osiris, which has an Apache-style syntax and a weird pseudo-free license. I haven't worked with enough filesystem integrity management systems (aka intrusion detection systems) to differentiate its use from Tripwire. My two cents.
-
Re:Why not?
Gosh, that would be illegal. I certainly would recommend that you don't click here to find out how to do it.
-
WEP is broken...
There is little point to using WEP anymore. It may keep out people who know nothing about the software from accidentally connecting to your network, but if someone actually wants to spy on you or steal your bandwidth, they can just use AirSnort to break the encryption in seconds.
On the other hand, try convincing your boss of that... -
Re:Why is this coming from taxes?
So is it against the law to van Eck Dick Cheney's pacemaker?
(I tried, but failed to find you a link to the Dick Cheney locater satellite, but it got retasked to ObL after 9/11, and now appears to have gone AWOL.) -
Re:Good
802.11b is plagued by bad (as in broken) encryption, making it easy to sniff. Don't know if there is another encryption standard yet. Most hardware offers other encryption but I don't think they speak well together. This is probably one major reason why it has not taken off more.
read more here.
As it is now you could use it but you have to trust your wireless net as much as you trust the internet, which means heavy firewalling. -
Re:Knoppix too.
1) Some groups are already making copies of Knoppix to hand out as promotion. The Austin Linux Users Group is working on publishing a few thousand for a trade convention coming up soon.
2) Knoppix and some other live cds may use a swap partition on the hard drive if they find it, or make a swap file on a windows partition. If you want stealth, there is only one distro for you: Tinfoil Hat, baby, nothin' but the metal hat for me.
-
WEP - The only major obstacle
I remind all of you that all one needs is Airsnort running on a laptop and a little bit of time before they can see ANYTHING and everything you are sending / receiving. 802.11b is a great idea for increasing the bandwidth to a customer, but seriously, before I even think about buying a phone or even an internet service that relies solely on 802.11b they are going to have to revise this standard or set up a VPN for me for no charge.
-
Re:How will a firewall help...
I must interject here that Volpe is somewhat correct in stating that there are applications out there even today that tunnel their information through any port that is open. However, according to this post from July of 2000, there is indeed a way to completely stop this transaction, once you find out the server address it is connecting to. It would be wise to note that while this provides a lukewarm feeling of security, a simple new server address and a quick "update" or "fix" or "exchange of information" between a new server and your computer is possible.
k. -
Open Source - Osiris does most of it
Osiris
From the Osiris website:
Osiris is a file integrity verification system that can be used to monitor changes to a file system over time. Osiris consists of a pair of applications, osiris and scale. The first application, osiris, is used to collect specific data from the local filesystem and store that data into a database. The second application, scale, is then used to analyze, and/or compare the differences between two databases.
This also keeps an administrator apprised of possible attacks and/or nasty little trojans. The purpose here is to isolate changes that indicate a break-in or a compromised system.
-
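The two-step model the Osiris description gives (collect per-file data into a database, then compare two databases) as an added example; this is not Osiris's own code, and the file tree, the trojaned binary and the mode change are constructed for the demo.

```python
# Added example, not Osiris's own code: a minimal file-integrity scanner in the
# osiris/scale style. scan() plays the collector, compare() plays the analyzer.
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def scan(root: str) -> Dict[str, dict]:
    """Walk root and record size, permission bits and SHA-256 of every regular file.
    Keys are paths relative to root so scans of different copies line up."""
    db: Dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are out of scope here
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            db[rel] = {"size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode),
                       "sha256": h.hexdigest()}
    return db


def save_db(db: Dict[str, dict], path: str) -> None:
    """Persist a scan; store it outside the scanned tree or off-host."""
    with open(path, "w") as fh:
        json.dump(db, fh, sort_keys=True, indent=1)


def load_db(path: str) -> Dict[str, dict]:
    with open(path) as fh:
        return json.load(fh)


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Report paths added, removed or changed between two databases. A mode
    change with an unchanged hash still counts: a newly setuid file is exactly
    the kind of change a break-in leaves behind."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for p in sorted(set(old) | set(new)):
        if p not in old:
            report["added"].append(p)
        elif p not in new:
            report["removed"].append(p)
        elif old[p] != new[p]:
            report["changed"].append(p)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline, then a replaced binary, a new file and a
    permission change on an unchanged file. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        passwd = os.path.join(root, "passwd")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        save_db(scan(root), os.path.join(dbdir, "baseline.json"))
        # Changes an administrator would want flagged (constructed):
        with open(ls, "ab") as f:
            f.write(b"# extra bytes appended\n")          # content change
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file\n")                         # added file
        os.chmod(passwd, 0o4755)                           # mode change only
        return compare(load_db(os.path.join(dbdir, "baseline.json")), scan(root))
```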
Re:Project homepage at sourceforge
Did anyone read the info page?
BRiX, unlike other modern operating systems, does not use hardware to isolate and protect applications from each other. Instead, it uses a single address space and relies on a safe-language to generate code that will not access memory for which it does not own. This language also handles many checks at compile-time that would be performed at run-time in other operating systems.
While I congratulate Mr. Huntsman on his attempted elevation of computer security now that Dijkstra is long gone, I must take the above claims with extreme skepticism. Such double-talk as "untrusted user code" reminds one of none other than Microsoft Palladium Trusted Computing Platform Alliance. The truth is, designating certain combinations of codes trusted will only serve to dilute computer security further, moving us back to the stone age. Trusting kernel code to be flawless and lacking buffer overflows so common on all stack-based architectures will only open the Internet up to larger magnitudes of terrorism. GOBBLES, anyone? ... bounds checks can be disabled for stable critical system components. Only untrusted user code is slowed down by the bounds checks. -
It was the shmoo group.
The Shmoo Group was the actual winner of the war driving contest according to Shipley's parsing scripts.
Unfortunately, since they were the only people to actually hand in their results in a usable format, they got lost by Pete, who had to stay up all night fixing everyone else's data to be parsable, and they got left off the list.
It was also the Shmoo Group who social engineered their way into the Fox news helicopter, which is how they got more AP's than anyone else. The hack was announced by Priest at one of the talks as well.
-
Know Your Enemy
Yes, these methods can all be easily circumvented to somebody that really wants to get in.
1. Enable WEP...and enjoy the 20% bandwidth loss. Airsnort.
2. Change the default SSID. SSIDs are not needed to zero down on the AP. Triangulation and GPS are effective enough.
3. Disable "broadcast SSID". The beacon frames can easily be captured otherwise. Attack by enabling your card's monitor mode (not to be confused with promiscuous mode, which only captures packets on the current network), sniffing all air traffic.
4. Change the default password of your access point. However, I'd like to point out even changing one's password can be insecure. My access point, and I'm sure others as well, send the admin password in a urlencoded form, unencrypted, in plaintext for anyone with a monitor-mode NIC to sniff.
5. Control access via MAC addresses. Spoofing as trivial as ifconfig eth0 down; ifconfig eth0 hw ether 00:00:00:00:00:01; ifconfig eth0 up. On OpenBSD use sea.c. Use arping to sniff MACs.
6. Disable DHCP in your wireless router. Static IP addressing, subnet range determined from arping. Private addressing:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
7. Change your IP subnet. See above.
8. Move your access point away from windows. No match for high-gain antennae.
Hope this helps an aspiring black hat! Remember, no network is completely secure. WaReZ anyone?
-
Re:Changing the MAC
It works on my orinoco but needs a bit of kernel/orinoco driver tweaking. By default this _does not_ work on orinoco cards, i.e. the MAC is not changed. Yes, I verified that.
Basically
hermes_write_ltv(hw,
USER_BAP,
HERMES_RID_CNFOWNMACADDR,
HERMES_BYTES_TO_RECLEN(ETH_ALEN),
dev->dev_addr);
when resetting the card does the trick. (I'm using orinoco_cs drivers.)
If you are too lazy to add this code where appropriate, use these patches. They support MAC changing plus monitoring mode for orinoco/wavelan cards. -
MAC hopping with 802.11b cards
The trusty Lucent/Agere Orinoco card, under Linux, can set MAC address with the standard 'ifconfig hw ether xx:xx:xx:xx:xx:xx' command - note, this only works with newer versions of the orinoco driver.
A MAC hopper wouldn't work too well, considering you must take the interface down to set MAC (this would obviously de-associate you from the AP).
I recommend using Snax's patches to enable RF Monitor mode as well, for use with Kismet, an excellent passive 802.11b scanner. -
Help for Orinoco owners
The new airsnort page has links to nifty stuff like a patch for "monitor mode" - now all those Prism2 owners will have nothing to hold over you.
The newer versions of this patch also let you change the MAC address with ifconfig as seen in another post on this story. Stock versions of the driver (as found in the pcmcia-cs distribution) don't.
Driving around with one of these things and a standard Lucent range extender popsicle antenna is almost boring now. LOTS of ISPs are getting into the business, and you get hits just about anywhere you go. You can even pick up a good signal while being chased by alligators at Brazos Bend state park outside Houston. It's everywhere. -
Well, this is new...
It occurs to me that when security tools such as nmap, or crack or airsnort or SATAN come from places OTHER than the government, they are seen as threats to Internet security. Some people in government even want to make them illegal.
But when the government itself comes out with software to expose security holes, it's called the "Gold Standard".
What gives? -
Tinfoil hat Linux
What, no mention of Tinfoil Hat Linux?
:) -
802.11 War Dialing
Meanwhile, the geeks at the Shmoo Group are finding open 802.11 networks and making VoIP calls over the 'participants' Internet connection. Very clever.
-
Re:Directory of WiFi
You mean like http://www.80211hotspots.com/ or http://www.shmoo.com/gawd/? There's some more, do a search on Google.
-
Try DHCP/MAC/SSL authentication
-
There's no way to prevent hitchhikers
If someone is determined enough, they can get on your WLAN. MAC addresses can be spoofed, WEP keys can be sniffed. All you can do is authenticate and log.
I recently spoke to some keen fellows from Baylor University that have created an OpenBSD-based firewall/logging/authentication system that takes the poster's info page one step further. Everyone authenticates via an SSL-encrypted web site in order to join the network. DHCP leases are handed out in conjunction with a login session, so you can track who does what. Logging in also opens up your firewall to allow the newly-leased IP address through.
-
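The authenticate-and-log design described above (SSL login, a lease handed out only with a login session, firewall opened for that one address), as an added example; this is a model written for this page, not the Baylor system's code, and every user, MAC and address in it is constructed.

```python
# Added example, not the Baylor system's code: a model of a gateway that hands
# out a lease and a firewall opening only to an authenticated login session and
# keeps an audit trail so traffic from an address can later be tied to a user.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LEASE_SECONDS = 3600  # assumed session length; the post does not give one

@dataclass
class Session:
    user: str
    mac: str
    ip: str
    started: int
    expires: int

@dataclass
class Gateway:
    pool: List[str]                                   # addresses free to lease
    sessions: Dict[str, Session] = field(default_factory=dict)   # by ip
    firewall: Set[str] = field(default_factory=set)  # ips allowed through
    audit: List[Tuple] = field(default_factory=list) # (time, event, user, mac, ip)

    def login(self, user: str, mac: str, now: int, credential_ok: bool) -> Optional[str]:
        """Called by the SSL login page after the password check. A lease and a
        firewall hole are granted only on success, and never to a MAC that already
        holds a live session, so a second client using that MAC surfaces in the log."""
        self.audit.append((now, "login-attempt", user, mac, None))
        if not credential_ok:
            return None
        if any(s.mac == mac for s in self.sessions.values()):
            self.audit.append((now, "mac-already-leased", user, mac, None))
            return None
        if not self.pool:
            return None
        ip = self.pool.pop(0)
        self.sessions[ip] = Session(user, mac, ip, now, now + LEASE_SECONDS)
        self.firewall.add(ip)
        self.audit.append((now, "lease", user, mac, ip))
        return ip

    def expire(self, now: int) -> None:
        """Run periodically: close the firewall and reclaim the address when the
        session ends, so the address cannot be kept by whoever has it afterwards."""
        for ip, s in list(self.sessions.items()):
            if s.expires <= now:
                self.firewall.discard(ip)
                self.pool.append(ip)
                del self.sessions[ip]
                self.audit.append((now, "expire", s.user, s.mac, ip))

    def allowed(self, ip: str) -> bool:
        return ip in self.firewall

    def who_used(self, ip: str, at: int) -> Optional[str]:
        """Attribute traffic seen from ip at time 'at' using the audit trail."""
        owner = None
        for t, event, user, _mac, a_ip in self.audit:
            if a_ip != ip or t > at:
                continue
            owner = user if event == "lease" else None
        return owner

def demo() -> Tuple[Gateway, Optional[str], Optional[str], Optional[str]]:
    """Constructed run: one good login, one bad password, one reuse of a MAC
    that already holds a session, then the lease expiring."""
    gw = Gateway(pool=["10.0.0.10", "10.0.0.11"])
    ip = gw.login("alice", "00:11:22:33:44:55", now=1000, credential_ok=True)
    bad = gw.login("guest", "66:77:88:99:aa:bb", now=1001, credential_ok=False)
    dup = gw.login("guest", "00:11:22:33:44:55", now=1002, credential_ok=True)
    gw.expire(now=1000 + LEASE_SECONDS)
    return gw, ip, bad, dup
```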
Re:Let's just hope sys-admins will learn
-
Re:Symbolic Importance
there are some linux distros out there that don't have the r- suite
You're right.
If I'd thought a minute I probably would have figured out that such Linux distros exist; Tin Foil Hat comes to mind.
-
First, stop sending to people who don't want it.
Before you get all huffy over your stuff being dropped, you need to start using confirmed opt-in.
However, you luckily aren't on any blackhole lists. Yet.
And it's a problem with your mailer. All anti-spam software returns errors to your mailer when you connect, or bounces the email. It wouldn't drop them on the floor, that's not discouraging you at all, you'll still keep sucking up their bandwidth, as you can't possibly know they're being dropped.
Ergo, your mailer does not understand the 5xx reply they are sending. You need to report it as a bug.
-
I'll Still Trade Security for Bandwidth
So at twice the speed, I can gather enough packets to crack WEP encryption keys in half the time using Airsnort. Seriously, I really want secure security! My office won't move to wireless until there is cheap and proven FIPS-140 compliant security.
-
Security?
-
Are you sure it's secure?
-
Surely it's irrelevant now?
DeCSS isn't a trade secret any longer, according to this kuro5hin story from November, and also according to the story linked to from the Norwegian site... According to the EFF even the DVD CCA have stopped attempting to limit its distribution.
Also, according to this, the DVD CCA claimed at least once that reverse engineering the CSS code was 'in principle lawful', and that the illegal part of it was from the fact that the reverse engineering was done from a piece of software which required you to click through a contract that said you agreed not to do so.
All of which makes me wonder why the Norwegians have decided to make a fuss about it now. Just when I thought we'd finally heard the last of CSS lawsuits.
Added to which, I have no idea about the Norwegian law but surely the kid was a minor at the time? He's only 18 now! Maybe it's different in Norway but most countries seem to relax laws somewhat for children...? -
Good description of van Eck
Good description of van Eck phreaking in Cryptonomicon by Neal Stephenson or in this article (which is quite a large pdf)
-
Microsoft bashing gone too far
If this turns into another Microsoft bashing party, some people need to get a clue. This isn't Microsoft's fault; I don't see a database server as something that should have a pretty wizard or wonderful config tool. And Microsoft is not the only database server out there that has no password by default. First off the top of my head would be MySQL. Every install I have ever done of MySQL has always been followed up with the setting of the "root" password. If the administrators of internet accessible systems can't take the time to set passwords on all their services' admin interfaces, then they deserve what they get. If this were some backdoor that would work no matter how much care the admin took to secure the service, then great. Let's get pissed at Microsoft and bitch a little. But don't forget that stuff on the other side of the fence is no better. How long has the BIND source code been available to look at? And how often in the past have there been AMAZINGLY big holes in BIND? Instead of doing nothing but bitching about the problem, let's try and come up with some solutions and get the word out on safe programming/administration practices.
-
Re:Awesome
This isn't sexy at all from a technical perspective. It's boring and passe. Keyloggers are old, as are trojans or viruses that install software on remote computers. I could throw one together from publicly available code before I leave work today.
The only thing at all newsworthy about this is that it's now being used to gather legal evidence. Tools like this have been around for years--now the government is just trying to make evidence gathered thereby admissible.
Now, what would be technically sweet is something like van Eck phreaking, where you latch onto the radiation produced by your CRT and reproduce the scan. Some more info available here.
-
Site is slashdotted (almost), so here are mirrors.
Well, since the site is getting hit pretty hard, here is a direct link to all the mirrors:
Capture the Capture The Flag Mirrors
If you have a mirror up, please let me know.
If you're using wget to pull the data, please use the following command:
 wget -r -nd --no-parent -R "=A","=D" http://site/path/
US - Wisconsin (100Mbit):
http://www.wi2600.org/mediawhore/mirrors/shmoo/cctf-defcon9
US - Colorado (100Mbit):
http://www.ucar.edu/temp/shmoo-defcon9-ctf/
US - Pennsylvania (T1):
http://www.bitsend.com/defcon9-cctf
US - Alaska (DSL):
http://cctf1.shmoo.com
Please be sure to read the license. -
Re:Workaround for WEP
We're using an access point located outside our firewall behind another firewall. [...] Anyone breaking the security of our access point gets plain old Internet access and doesn't get into the corporate net.
Is this your company's only net access? I hope that you are running that guerilla net knowingly. It is one thing to openly allow access, with users presumably understanding that they should not abuse a common resource. It is another to leave your (I'm assuming) fat pipe open to NetStumblers, who may be more inclined to over-exploit it while they still can.
Also, does unencrypted SMTP or other traffic go in/out via this link? You have a sniffer's paradise if it does.
-
So how does one go about organizing?
I just set up an "open" WLAN access point. So how does one go about organising this "parasite" network?
There is a database at http://www.shmoo.com/gawd/ but it doesn't seem to be well frequented. I live in Germany. There are only 3 entries :-(. I know that just about every Technical University in the country has LANs, as well as tons of companies that don't have any security at all.
We need:
1) a quasi standard setup
2) a database with a map and geo data for organising everything
3) publicity
what do you think? -
van Eck phreaking
I assume that based on this judgement, van Eck phreaking (as featured in Cryptonomicon, and elsewhere) would also be considered illegal. I'm not up on US law, and don't know what difference there is considered to be between going into someone's home and someone's computer, but using van Eck (which isn't "in development", it's there now) to see what people are doing on their screens would seem to be similar to me. Are there any legal references to van Eck phreaking?
I presume that wiretaps are needed for phone-lines, but is that for speech only, or data as well? Echelon, and all the fun ways of looking at data, can get their information from lots of different places, and this, of course, is only one of them.
-
Van Eck Phreaking
Anyone who's read Cryptonomicon will have come across this. It involves scanning the radio emissions from the cathode ray tube in your monitor and using them to copy a person's screen without having a physical connection. The ranges on such a thing are tiny.
You can read more about it here and here
Da Cr33p
-
Re:GAWD and where to list your AP
Here you go:
-
Re:Anyone interested in starting a project?
Actually, there are a couple of 802.11 AP tracking sites. One of them was previously mentioned; http://www.shmoo.com/gawd.
Also, the ISP-Wireless mailing list archives offer a search engine which allows people to search for wireless access in their area.
-
Re:maps?
Check out GAWD. It's a DB of lots of wireless AP's. We've got "generic" mapping capabilities, but nothing fancy. We're trying to improve it currently. However, many ppl don't know their lat/long, so only a fraction of the AP's actually map to somewhere valid.
-
Global Wireless Access Database
The Shmoo Group set up the Global Wireless Access Database (GAWD) not too long ago. Heck, we even got /.'d for it. It's a public DB of access points all over the world.
The AP's are all user contributed, so if you've got one, or know of one, feel free to add it. -
Re:Why not check this out
I was having that Deja Vu too
-
securely wiping drives
The definition of wiping drives properly, like other security related matters, depends on what adversary you are trying to protect the data from. If your adversary is a coworker, shred ( gnu fileutils (older) or gnu fileutils (newer) ), wipe , or norton utilities wipeinfo (see Norton System Works , you might have to get the professional edition to get wipeinfo) might work. For adversaries that have more funding and/or time, purchasing sanitizer is advisable as its "D" version meets DOD requirements for electronically disposing of classified and sensitive data on a hard drive. It can apparently defeat electron microscopes with spin control, when properly utilized. Note that if you're going to this extent you probably want to TEMPEST shield (and here and there ) your life, and start using crypto systems that keep the key material in FIPS 140 compliant crypto devices like these.
-
If dirt world communities behaved like online ones
If dirt world communities behaved like online communities, or even if the HAM "spirit" would spread a bit, we could have wireless networks all across the countryside.
This securitygeeks story covers how to setup a very basic AirPort wireless network that can communicate at great distances as well as 128 bit encryption.
As far as I know you still have to use a Mac to use the AirPort base station, but it does not look like it would be impossible to hack for UNIX use (perhaps it already has been and I just missed the news).
Anyway, the point is that the hardware and the software is already here, all we need to do is band together and use it.
Visit DC2600 -
Re:mirroring data eh?
Check one of the current mirrors. There's one 514MB file and a 146MB file. Then several ~50MB files. Basically, if you don't have a gig free, you probably can't handle it.
Just take a look at http://www.shmoo.com/cctf/data/ to see how large the files are.
-
Another Number Station Contest
Over at shmoo.com, we've been running our own number station contest for over a month now. We're not using an OTP, so it is very solvable. The hard part is we have streaming audio feeds, so you actually need to do a bit of transcription.
;)
Anyhoo, if you're interested, tune in to a number station you actually have a chance at cracking. BTW: the prize is currently 2 DVD's. -
Erm, Van Eck, anyone?
I believe that what you're talking about is Van Eck Phreaking (that is, interrupting the stray RF that the cathode ray tube in your monitor transmits, and recreating the image on another cathode.). This is quite old stuff, and is still in use today. The Tempest stuff that was recently released deals greatly with this. Basically, if you don't have a monitor shielded in metal, you're at risk, and that's that. For more information, you can check out this link for basic information, and Van Eck's original submission, or you can check out this one, and lastly, if you want some info on how to build a Van Eck Phreaking rig, then I would suggest the book at this site. Don't forget to type in Van Eck in the search box to find the box. Happy Van Eck'ing.
--Josh Adams