Domain: whitehats.com
Stories and comments across the archive that link to whitehats.com.
Comments · 12
-
Re:HoneyPot?
Yeah, agreed, but.....
I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc
A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.
Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.
I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :) -
Re:That is a "trojan".If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans.
Actually, forcing executable stuff to be signed (as currently possible with internet explorer, attempted by open source project teams and in store for tcpa) can theoraticly stop the "trojan" problem for the most part. That is, if you follow the definition of "software abusing a users inability to predict what executable stuff does", rather then "software that does something "nasty/BAD/evil/demonic/deleting". When forcing code to be signed, users can choose from who they get their software, does that fix anything? no! But if users choose to only use software from people who advertise and document what their software does, then the trojan problem is reduced to basic human trust again (as oposed to a problem of which non normal user readable binaries to trust). Now if you where to accept only software from microsoft you could still end up with software that does something "evil/wrong" (calling home to inform microsoft about your musical preferences) but it would be the result of someone at microsoft screwing up to live up to the documented behaviour, or a compromise at microsoft. Your still f**ed, its just no longer a trojan problem
Yes, if a hole is found in pine or mutt or Evolution that allows email viruses such as you describe is found, then email viruses such as you describe can be written for that application. But an exploit for pine would not affect someone running mutt or Evolution.
And an exploint in outlook does not effect users using the bat or mozilla. Also an exploit in OpenSSH would not effect telnet users one in "the" kernel would not effect bsd users and an exploit in apache would not effect all those users of the abyss,ahd or anti-web httpd (first freshmeat results ;-). Point being that outlook only worms come pretty far as it is, and if they need to they can even go further faster by attaking mutiple problems (like nimda). A worm going for both evolution and netscape/mozilla has a good shot at the linux user base, but one going for just ssl on apache was doing just fine Ofcourse worms going for holes in multiple populair internet deamons were doing very well and can be expected again if enough people forget their daily patching
I think the reason I haven`t seen any traditional executable file infecting viruses is becouse unix users are not houling programs over from a friends copy of a friends copy of a fri....
Linux has a better designed security system than Windows does.
I make this mistake to, I mean to say windows is implemented bad from a security point of view (or more likely I wanna say from any point of view) and I end up implying windows has bad security by design.... which is shortsighted to say the least. It is the only operating system I can think of that comes with a combination of by default:- ACL`s on the filesystem, usefull in real life where groupa full acces, groupb none just doesn`t cut it
- ACL`s on individual configuration options in the registry! Got a newbie admin you dont want messing with one of the settings of any single application (say crypto strength negotiation)
- A system for small to medium networks to actually get a central database of users into those ACL`s on every machine on the net
- A central place where all security relavant choices to be made can be set with adequate documentation (securit
-
Only a couple of others
I'm only aware of a couple of other worms from last year:
From a few years ago:
You'd be better off not looking at an Anti-Virus company's description of any of these worms. Because of the AV community's deep-seated belief that if they give away even the tiniest shred of information about how a virus works, they end up writing the least informative descriptions possible.
-
Only a couple of others
I'm only aware of a couple of other worms from last year:
From a few years ago:
You'd be better off not looking at an Anti-Virus company's description of any of these worms. Because of the AV community's deep-seated belief that if they give away even the tiniest shred of information about how a virus works, they end up writing the least informative descriptions possible.
-
Not very interesting
This paper includes very loose regex heuristics for requests that "might be" attacks. These may be interesting for anomaly detection, when coupled with an engine that records incidence rate (if you see an exponential surge in 'weird' requests, then maybe you're seeing a worm's infection growth curve ).
But the result of deploying these (say, matching for "%20" in a URI) as intrusion detection system rules would be a high false positive rate.
You would be better off looking at arachNIDS for rules that are more specific and less likely to drown you in alerts. -
Links
For anyone (like me) who hasn't heard of the Linux worms here are some links.
Code Red. Windows
Lion. (1i0n) Linux/UNIX
Sadmind. Sun
Ramen. Linux/UNIX
Nimda. WindowsHe seems to complain quite a bit, but offer no real solutions. Basically he seems to be trying to create yet another buzzword, "information anarcy". The problem is that it has no real meaning other than things that make his job difficult.
the one good point he had was:
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor?s paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
does anyone know how much info microsoft actuallyshared about their vulnerabilities before the above hacks were made?
-
Re:Users share much of the blame
It was done and it was called RAMEN. Same scenario, except set $IRRESPONSIBLE_BIG_SOFTWARE_COMPANY to Red Hat instead of Microsoft.
-
The Cheese Worm did this for Lion-infected hosts
The Cheese Worm seems to constitute exactly what you want. Cheese actually sought out Linux hosts infected by the Lion worm and removes any backdoor root shells from
/etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known.Another first for Linux and Open Source software!
-
Re:InterestingObviously Freeveracity doesn't know what they are talking about. Even their website says "network intrusion detection tool" in bold type, which does not instill much confidence in their hax0r skillz. This is a host-based intrusion detection system, much like Tripwire.
If you want some real free Network Intrusion detection systems try opensec.net and whitehats.com.
-
Read, read, read
This is a growing hobby of mine as well. I've found that the best way to learn is read...I read both sides of the fence with equal eagerness, because as people have said, most notably Mudge(l0pht), learning to attack is the key to learning to defend. When constructing defences you must think about who and what you're defending against, and get inside their head. I frequent Security Focus, White Hats which is home to arachNID and anything else I can find linked, etc. Tools like Nmap, Nessus, Snort, tripwire, and the assorted "3l337" toolkits are incredibly useful. O'Reilly's Building Internet Firewalls is a good reference for when you get into a production environment, but it's tough to implement with only a few computers.
-
Re:Security survey?
-
Snort
Snort can be used to do network intrusion detection. Combine Snort with this ruleset and you have intrusion detection -way- beyond most anything out there.
Of course, if you're just looking for whether or not someone is probing your host, the aforementioned PortSentry will do quite nicely.