Friday Mar 31, 2006

Another fake photo by Howard Kaloogian

In my Congressional District we're having a special election to replace disgraced Congressman Randy "Duke" Cunningham. One of the 18 candidates running is former Republican State Assemblyman Howard Kaloogian. He recently got caught posting a street scene his group photographed to show how peaceful Baghdad is; it turned out to be suburban Istanbul, Turkey. (This was originally discovered by anthonyLA and jem6x of Daily Kos.)

Kaloogian was also caught claiming false endorsements from the California Pro-Life Council and State Senator Tom McClintock.

Anyway, here's another fake photo. On Kaloogian's campaign website is a photo of him posing with President George Bush, in a rotating "Flash" slideshow. (Here's a screenshot in case it's taken down or you don't have Flash.) Why is it fake? Well, Kaloogian's and Bush's shoulders merge into each other. This is more evident from a fuller-length photo on Gabriell Reilly's website. (Here's a copy in case it's taken down.) Observe how Kaloogian and Bush merge into each other: Kaloogian's left shoulder appears to be behind Bush, and Bush's right arm appears to be behind Kaloogian! By itself, not a biggie, but with two fake photos and two fake endorsements, what can you believe?

Howard Kaloogian 'posing' with George Bush (screenshot of fake photo)

Technorati Tags: Politics, Howard Kaloogian


Monday Mar 06, 2006

Congressman Randy "Duke" Cunningham in prison

Cunningham prosecutors: Assistant U.S. Attorneys Phil L. B. Halpern, Jason Forge, and Sanjay Bhandari after Cunningham's sentencing, 3/3/2006

I went to Cunningham's sentencing Friday (March 3, 2006) at the U.S. Courthouse in Downtown San Diego. There were lots of news cameras and vans around all day. For those who don't know, he was my Representative to the U.S. Congress from San Diego, before he was imprisoned for $2.4 million in bribes.

I listened to Judge Burns deal with a counterfeiting case and drug user parole violation case in the morning. Burns seemed even-handed and careful in his rulings.

I then went upstairs to wait in line for the sentencing in a bigger courtroom. I talked to Union-Tribune columnist Logan Jenkins who happened to be nearby in line. Most of the people were press. I knew the names, but didn't know what they looked like. I saw Seth Hettena of the AP, who has written several Cunningham articles.

Then we were led in. The seats were split between the press, public, and family (including Cunningham friends). The friends I recognized were Congressman Duncan Hunter, Father Joe Carroll, Dan McKinnon (son of a former congressman; Dan is boarding Cunningham), and Cunningham's RIO in Vietnam, Willie Driscoll. Former Congressman Clair Burgener, who has Alzheimer's, sat directly in front of me. The children were not present, at the request of Cunningham (and his wife was not present).

The defense and prosecution pleaded their cases, rehashing what was in their previously filed briefs. Cunningham made a statement. He seemed emotionally and physically weak and sad, and much thinner. I couldn't hear all of his statement, as his voice was shallow, but it seems some of the press did (with better seats). He expressed regret for what he did. The one sentence I wrote down was: "I think I'll trust my friends less, your honor, so I won't make those same wrong U-turns [criminal acts]". Burns listened carefully through it all.

Here's an outline of Judge Burns' ruling:

Sentencing guidelines:

  • $2.4 million bribe earns 16 sentencing "points"
  • 4 points for being an elected official
  • 0 points for orchestrating the bribes (not clear either way whether he did or not)
  • 0 points for public statements denying the crimes (Burns says that's common with public officials)
  • 2 points for obstruction of justice (prompting rug vendors to lie).
  • -3 points subtracted because Cunningham accepted responsibility
  • -2 points for assistance to Department of Justice (more reduction may be coming for future assistance, but it's too early in the investigation).
  • Total of 33 points, giving 135-168 months to sentencing guidelines.

Here's some comments made by Burns:

  • Bribes spread over 5 years, 2000-2005 is aggravating. It wasn't just one "U turn".
  • The $2.4 million in bribes "emasculates" all other bribes.
  • "Bid rigging" affected many defense contractors, who thought the system was honest
  • Hugely affected confidence in government.
  • Burns was bothered by Cunningham's bullying. It was reprehensible, beyond the pale. Defense officials were trying to do their jobs.
  • Burns was confounded by the choice you (Cunningham) made. Burns recalled reading an article about a lobbyist who made $2.5 million in 2003. Burns didn't name the lobbyist, but said Cunningham knows who he's talking about [my note: was this Bill Lowery, who earned $2 million in 2003? See ]. Burns said Cunningham, with his stature in Congress, should have earned at least twice as much in a year as a lobbyist if he wanted more money. Burns said you (Cunningham) weren't wet, cold, or hungry, yet you did these things (took bribes).
  • Burns said the real harm was loss of confidence in how government works.
  • Burns lamented that politics today is more shrill. Opponents are now "enemies". Burns said he was an optimist, that your (Cunningham's) conduct was an aberration (among members of Congress).
  • Burns took into account Cunningham's brave military service in an unpopular war.
  • Burns was also impressed by two letters of Support:
    • Ronald Ress -- Cunningham intervened with Vietnamese government to get Ress' wife out of custody and out of the country
    • Charles Nesby -- Cunningham mentored Nesby at a time when Black pilots were rare.

Judge Burns then dished out the sentence:

  • 100 months (8 years, 4 months). Count 1 60 months [Conspiracy to Bribe] and Count 2 40 months [Tax Evasion]
  • 3 years supervised release.
  • $1,804,031.50 tax liability to be paid at $1500/month while in prison and $1000/month after release.
  • Forfeit $1.8 million in cash.
  • Forfeit furniture (now in possession of the U.S. government)
  • No upgraded sentencing score.
  • Imprisoned immediately at MCC San Diego. Report Friday of next week for the permanent facility. Burns \*recommends\* a Level 2 institution. He recommended Taft [Central California] (run by a contract agency, not the U.S. Bureau of Prisons)
  • Good time can reduce sentence by 10%-15%

We all left the courtroom and there were a billion (or so) cameras and newspeople outside the courthouse. Outside, the prosecution gave a quick news conference, as did Rep. Duncan Hunter, Fr. Joe Carroll, and Dan McKinnon.

Cunningham was imprisoned immediately at MCC San Diego across the street (prisoner locator).

- Dan Anderson

Related news articles (more Cunningham scandal news articles and cartoons):

Technorati Tags: Politics Congress Bribes Duke Cunningham Randy Cunningham

Wednesday Nov 16, 2005

Solaris ZFS and Zones: Simple Example

The following is a simple example of creating a ZFS filesystem and using it to hold a newly-created Solaris Zone (Solaris Container). Zones are in Solaris 10 now. ZFS is a new filesystem in OpenSolaris that allows for larger, more reliable filesystems. The three key advantages are:

  • Simple administration
  • Data integrity (256-bit checksums on every block of data and metadata, so silent corruption is detected rather than passed to applications)
  • Large capacity for future growth (128-bit addressing, up to 2^128 bytes per pool, which Sun describes as 256 quadrillion zettabytes)
Other features are:
  • Filesystems built on virtual storage "pools"
  • Copy-on-write transactions keep the on-disk state consistent at all times, so no recovery (fsck) is needed after a crash
  • Dynamic striping across devices and variable block sizes (512 bytes to 128 KB) optimize throughput
  • Optional compression
  • No modifications needed for apps

ZFS software is in packages SUNWzfsr and SUNWzfsu.

Create a ZFS Pool

First, you need a virtual device for ZFS. Normally this would be raw disk (or raw disk slice, if you prefer). However, for testing/demonstration, I'll create a regular file (this takes a few minutes):

# mkfile 5g /virtualDeviceForZFS

Now I create a "ZFS Storage Pool" for one or more ZFS filesystems:

# zpool create poolForZones /virtualDeviceForZFS
# zpool list
NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
poolForZones           4.97G   32.5K   4.97G     0%  ONLINE

To create a mirrored pool, put the keyword "mirror" (not "pool") between the pool name and the two virtual devices. ZFS then writes every block to both devices and, because each block is checksummed, can repair a bad copy on one side from the good copy on the other.

Create a ZFS Filesystem

Now, I'll create a ZFS filesystem using the ZFS pool I just created:

# zfs create poolForZones/twilightZone
# zfs set mountpoint=/twilightZone poolForZones/twilightZone
# zpool status -z
  pool: poolForZones
 state: ONLINE
 scrub: none requested

        NAME                    STATE     READ WRITE CKSUM
        poolForZones            ONLINE       0     0     0
          /virtualDeviceForZFS  ONLINE       0     0     0

# mount |grep twilightZone
/twilightZone on poolForZones/twilightZone read/write/setuid/devices/exec/atime/dev=3f50004 on Mon Nov 14 12:34:37 2005
# df -k /twilightZone
Filesystem            kbytes    used   avail capacity  Mounted on
                     5169408       8 5169341     1%    /twilightZone
# ls -l /twilightZone
total 0

Note that /twilightZone is not in /etc/vfstab. Mounting is done automatically at boot time by ZFS:

# grep /twilightZone /etc/vfstab

If you want a filesystem to be managed from inside the zone, set its zoned property (zfs set zoned=on) or, on releases where zonecfg has an add dataset resource, delegate it there, which sets zoned for you. A zoned dataset cannot be mounted in the global zone and its properties are controlled by the zone administrator, so do not do this to the zonepath filesystem itself: zoneadm manages that from the global zone.

Create a Solaris Zone

Use zonecfg to setup your zone:

# zonecfg -z twilightZone
twilightZone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:twilightZone> create
zonecfg:twilightZone> set zonepath=/twilightZone
zonecfg:twilightZone> set autoboot=true
zonecfg:twilightZone> add net
zonecfg:twilightZone:net> set address=
zonecfg:twilightZone:net> set physical=ce0
zonecfg:twilightZone:net> end
zonecfg:twilightZone> verify
zonecfg:twilightZone> commit
zonecfg:twilightZone> exit

Install a Solaris Zone

Now install packages to your Solaris Zone:

# zoneadm -z twilightZone install
/twilightZone must not be group readable.
/twilightZone must not be group executable.
/twilightZone must not be world readable.
/twilightZone must not be world executable.
could not verify zonepath /twilightZone because of the above errors.
zoneadm: zone twilightZone failed to verify

Oops. We need to set proper permissions. The zonepath directory must be owned by root and must not be readable, writable, or executable by group or world (mode 700); otherwise zoneadm refuses to install into it:

# ls -ld /twilightZone
drwxr-xr-x   2 root     sys            2 Nov 14 12:34 /twilightZone
# chmod go-rxw /twilightZone
# ls -ld /twilightZone
drwx------   2 root     sys            2 Nov 14 12:34 /twilightZone

Try install with zoneadm again.  This takes several minutes:

# zoneadm -z twilightZone install
Preparing to install zone <twilightZone>.
Creating list of files to copy from the global zone.
Copying <2808> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <946> packages on the zone.
Initializing package <252> of <946>: percent complete: 26%
. . .
Initialized <946> packages on zone.
Zone <twilightZone> is initialized.
The file </twilightZone/root/var/sadm/system/logs/install_log> contains a log of the zone installation.

Later, if you wish to halt, uninstall, or delete a zone, use these commands, respectively:

zoneadm -z twilightZone halt
zoneadm -z twilightZone uninstall
zonecfg -z twilightZone delete

By default zonecfg creates a "sparse root" zone: /lib, /platform, /sbin, and /usr are loopback-mounted read-only from the "global" zone (the inherit-pkg-dir entries). This saves a lot of space, as shown below: only 68 MB is used (as opposed to the 4 GB or so for the global zone). The read-only sharing also means that root inside the zone cannot modify those system binaries.

# df -k /twilightZone
Filesystem            kbytes    used   avail capacity  Mounted on
                     5169408   68508 5100754     2%    /twilightZone

If a "sparse root" zone isn't desired, use "create -b" instead of "create" in zonecfg above. That starts from a blank configuration with no inherit-pkg-dir entries, so the new zone gets its own copy of every package instead of "inheriting" them from the global zone. This is called a "whole root" configuration; it takes more space, but the zone can then patch and modify those directories independently.

The zone is now installed, but it won't show up in zoneadm list -v, which lists only running zones; add -c (zoneadm list -cv) to include configured and installed zones:

# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /

Boot and Configure a Solaris Zone

Let's boot the zone and log in to the console with zoneadm and zlogin. The initial boot prompts for basic configuration information (language, locale, terminal, hostname, name service, time zone, and root password):

# zoneadm -z twilightZone boot
# zlogin -C twilightZone
[Connected to zone 'twilightZone' console]
Loading smf(5) service descriptions:   1/108
. . .
twilightZone2 console login: root
. . .

Use "~." to disconnect from the console.
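The whole procedure above (pool, filesystem, zonecfg, install, boot) as one script, with the checks done by hand above folded in. This is an added example, not the original post's code: the pool, zone, and NIC names are the page's, while the sysidcfg contents, the ADDR and ROOT_PW_HASH environment variables, and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the walkthrough above as one
# script. Names (poolForZones, twilightZone, ce0) are the page's; the sysidcfg
# contents and the ADDR / ROOT_PW_HASH environment variables are assumptions.
set -eu

POOL=poolForZones
ZONE=twilightZone
ZONEPATH=/twilightZone
NIC=ce0
VDEV=/virtualDeviceForZFS

# Accept an `ls -ld` mode field only if it is a directory with owner rwx
# and no group/world bits; zoneadm install refuses anything looser.
zonepath_mode_ok() {
    case "$1" in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the HEALTH column for one pool from `zpool list` output in the
# column layout shown above (NAME SIZE USED AVAIL CAP HEALTH ALTROOT).
pool_health() {
    awk -v pool="$1" '$1 == pool { print $6 }'
}

create_pool() {
    # File-backed vdev for testing only; use a raw disk or slice for real use.
    mkfile 5g "$VDEV"
    zpool create "$POOL" "$VDEV"
    health=$(zpool list | pool_health "$POOL")
    [ "$health" = ONLINE ] || { echo "pool $POOL is $health, not ONLINE" >&2; exit 1; }
}

create_fs() {
    zfs create "$POOL/$ZONE"
    zfs set mountpoint="$ZONEPATH" "$POOL/$ZONE"
    chmod 700 "$ZONEPATH"   # avoids the "must not be group readable" failure
    mode=$(ls -ld "$ZONEPATH" | awk '{ print $1 }')
    zonepath_mode_ok "$mode" || { echo "bad zonepath mode $mode" >&2; exit 1; }
}

configure_zone() {
    : "${ADDR:?set ADDR to the zone's IP address}"
    zonecfg -z "$ZONE" <<EOF
create
set zonepath=$ZONEPATH
set autoboot=true
add net
set address=$ADDR
set physical=$NIC
end
verify
commit
EOF
}

install_and_boot() {
    : "${ROOT_PW_HASH:?set ROOT_PW_HASH to a crypt(3) hash for the zone's root}"
    zoneadm -z "$ZONE" install
    # Pre-seed sysidcfg so the first console login does not prompt (assumed values).
    cat > "$ZONEPATH/root/etc/sysidcfg" <<EOF
system_locale=C
terminal=vt100
network_interface=PRIMARY {hostname=$ZONE}
security_policy=NONE
name_service=NONE
timezone=US/Pacific
root_password=$ROOT_PW_HASH
EOF
    zoneadm -z "$ZONE" boot
    zoneadm list -cv   # -c lists configured/installed zones, not just running ones
}

# Only drive the system when explicitly asked ("run"), so the helper
# functions can be sourced or tested without touching pools or zones.
if [ "${1:-}" = run ]; then
    create_pool
    create_fs
    configure_zone
    install_and_boot
fi
```

Run it as root on the global zone with ADDR and ROOT_PW_HASH set and "run" as the argument; without the argument it only defines the functions. The mode check is done before zoneadm is called so the failure in the walkthrough above is caught up front, and the pool health check refuses to build a zone on anything but an ONLINE pool.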

Technorati Tags: ZFS Zones Solaris OpenSolaris


Monday Nov 14, 2005

South Park portrait

In the great tradition of many Sun bloggers, here's my South Park Portrait:

Dan Anderson

Saturday Nov 05, 2005

War Dog walking for wireless access points

Patsy Ann's head in a flower pot
Trusty assistant servicing prototype antenna
Most people reading this have probably heard of "wardriving," where someone drives around with a wifi laptop and a GPS looking for wireless "hotspots" (Access Points or APs). The results are typically uploaded to a website such as where one can view the APs on a map or chart. A few years ago, someone in San Diego tried "warflying" over San Diego. Well, out of curiosity I decided to try wardogwalking, walking my dog looking for hotspots.

So, with dog leash and poop bag in one hand, and laptop running Kismet in the other, I gave it a try (hardware details below). However, as soon as I got outside, Kismet immediately found about 10. By the time I got done walking (10-15 minutes), Kismet found 60-some APs. 40 are displayed on the screen--that's all that would fit.

Security usage The main reason I did this is I was curious how many APs are in my neighborhood and how many are secured. Of the 40 or so APs, 10 (25%) were wide open, 24 (60%) were secured with WEP (which can be broken in a few minutes with downloadable software), and only 6 (15%) were secured with WPA (see column "W": "N" is open, "Y" is WEP, and "O" is WPA).

Channel usage Looking at channel usage (column "Ch"), channel 6 was the most popular (it's the typical default), with channel 11 coming second. Channel 1 was the least popular, so that is usually the best to use. Note that if you or a neighbor has a 2.4 GHz cordless phone, it is most likely to interfere with the upper channel, 11, rather than 6 or 1. Other channels (such as 4 and 7) are also in use, but each of those overlaps two of channels 1, 6, and 11. Only channels 1, 6, and 11 should be used, as the others overlap (for example, channel 5 overlaps with both channel 1 and channel 6).

Hardware Details For my wardogwalking, I used my IBM T40 Thinkpad. It has an IBM 11abg II wireless adapter and runs SuSE Linux 9.3 with Kismet (it also runs Win XP and Solaris 10). I used the built-in laptop antenna (instead of a "high-gain" antenna, which would have had better reception). I don't have a GPS, which real wardrivers use to plot where the APs are located.
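The two tallies above (protection level and channel load) as a script, as an added example that is not the author's code or real Kismet output. It reads a constructed three-column CSV (bssid,channel,W) using the page's "W" column codes (N open, Y WEP, O WPA); the sample rows are made up, and Kismet's own log file formats are not parsed here. The channel scoring goes a step beyond the text: it counts every AP within four channels of 1, 6 and 11 (the overlap footprint of a 22 MHz channel on a 5 MHz grid) and picks the least loaded.

```shell
#!/bin/sh
# Added example (not the author's code or real Kismet output): summarize a
# survey like the one above. Input is a constructed CSV, bssid,channel,W,
# using the page's W codes: N open, Y WEP, O WPA. Kismet's own log formats
# are not parsed here.
set -eu

# Constructed sample survey, standing in for the real dog-walk results.
sample_survey() {
    cat <<'EOF'
# bssid,channel,W
00:11:22:33:44:01,6,N
00:11:22:33:44:02,6,Y
00:11:22:33:44:03,11,Y
00:11:22:33:44:04,1,O
00:11:22:33:44:05,6,Y
00:11:22:33:44:06,9,N
00:11:22:33:44:07,11,Y
00:11:22:33:44:08,6,Y
00:11:22:33:44:09,3,N
00:11:22:33:44:0A,11,O
EOF
}

# Count APs per protection level; percentages are truncated to whole numbers.
encryption_summary() {
    awk -F, '
        /^#/ || NF < 3 { next }
        { total++ }
        $3 == "N" { open++ }
        $3 == "Y" { wep++ }
        $3 == "O" { wpa++ }
        END {
            if (total == 0) { print "no networks"; exit 1 }
            printf "open %d %d%%\n", open, 100 * open / total
            printf "WEP %d %d%%\n",  wep,  100 * wep  / total
            printf "WPA %d %d%%\n",  wpa,  100 * wpa  / total
        }'
}

# 2.4 GHz channels are 5 MHz apart but about 22 MHz wide, so an AP on channel
# c interferes with anything within 4 channels of it. Score the three
# non-overlapping channels (1, 6, 11) by how many APs fall in their footprint
# and pick the least loaded one (ties go to the lowest channel).
channel_load() {
    awk -F, '
        /^#/ || NF < 3 { next }
        { count[$2 + 0]++ }
        END {
            split("1 6 11", cand, " ")
            best = 0
            for (i = 1; i <= 3; i++) {
                c = cand[i] + 0; load = 0
                for (ch = c - 4; ch <= c + 4; ch++) load += count[ch]
                printf "channel %d load %d\n", c, load
                if (best == 0 || load < best_load) { best = c; best_load = load }
            }
            printf "best %d\n", best
        }'
}

# With a file argument, summarize that survey; otherwise use the sample.
if [ $# -gt 0 ]; then
    encryption_summary < "$1"
    channel_load < "$1"
else
    sample_survey | encryption_summary
    sample_survey | channel_load
fi
```

On the sample, channel 6 scores worst even though channel 11 has only one fewer AP, because the strays on channels 3 and 9 both land inside channel 6's footprint; that is the effect the overlap rule in the text is warning about.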

Kismet display after war-dog-walking


Friday Nov 04, 2005

WikiMedia, PHP, MySQL, and Apache in Solaris 10

Configuring Wikimedia using stock PHP, MySQL, and Apache packages on Solaris.

Sunday Sep 18, 2005

Toorcon 7: Computer Security Conference, San Diego, Sept. 2005


View of San Diego Bay and Coronado Island from the San Diego Convention Center, Toorcon 2005

Toorcon 7 is the annual Computer Security Conference held in San Diego. I think of it as a smaller-scale version of Black Hat or Defcon in Vegas (more toned-down than Defcon and less-commercial than Black Hat). I like it because it's local and cheap (as I'm paying for it). Previously, I have notes for Toorcon 6 (2004) and Toorcon 5 (2003)

This year's conference moved from the Hyatt to the Convention Center, with views of San Diego Bay and Coronado Island.

The thoughts below are not my own and I don't necessarily endorse them. Also, my summaries of other people's thoughts may be inaccurate, so don't take anything for gospel here :-). Trademarks are the property of the respective owners.

Also, I didn't cover everything. There were two tracks and not everything was worth repeating.

Operational Security: Rethinking Realty

Or: An Internet Legend is sick, and I get to rant instead

By Bruce Potter. Shmoo Group (runs ShmooCon in D.C. in January). Online at


  • Feds call security Information Assurance.
  • Design flaw (bad design) vs. coding error (from bad tools)
  • Script kiddie vs. Dedicated Attacker. Most attacks are easy and automated, not complex. Most attacks are known vulnerabilities.
  • Host Hardening vs. Long term operational security
  • Security functionality vs. secure functionality. E.g., PKI is security functionality; JPEG rendering needs to be secure functionality.

Current operational security focus: firewalls, IDS, & Antivirus

  • Problem: very network centric
  • focused on security, not secure operations
  • patch management important, but also consider firewall/IDS infrastructure (the latter is usually neglected). Long-term operational security is often overlooked. Any idiot can be trained to secure a host

Potter's Pyramid of IT Security Needs, from top to bottom:

  • Honeypots,
  • IDS,
  • Software Security, ACLs,
  • Firewalls, Auth/Auth,
  • Patch management, Op. Procedures
Top of pyramid more sophisticated and costly.

  • problems ignored until "in the wild"
  • firewalls in our control
  • patch management usually out of our control (especially for closed source)
  • hardening server is harder than it used to be - not obvious what needs to be disabled (especially for wacky crap on MS Windows)
  • procedures are important (doesn't mean written tomes). Pay attention to updates, be careful about changes.
  • must understand environment: what's running or not on each server.

    Next step: Network Security

  • really a Band-Aid® for other problems
  • firewall is a network solution to a software engineering problem
  • firewalls prevent whole classes of problems
  • access control is not just for routers, but part of any security architecture.
  • FreeBSD-style Access Control Lists (ACLs) help control custom code problems. So does SELinux or Immunix. Difficult to setup, but great rewards
  • IDS: great way to audit operational procedures and configuration. Attacks past firewall are bad, but IDS as defense is difficult. Must interpret IDS output.
  • Honeypots and Honeynets good for academics, to learn what's going on.

OS Selection important: MS Windows vs. Linux.

Microsoft Windows A complete system and then some: flexible, productive, works. Tightly integrated applications: MS creates kernel and apps.

  • MS seeds new technology in advance of release with a huge developer network
  • MS ignores market once dominated (e.g., Internet Explorer). harms security.
  • MS spending money on security: long term initiatives, internal code security programs, security roadmap (aware of security operations)
  • Patching now planned (monthly on "Black Tuesday")

Linux - "Bazaar": community-created with loose coordination.

  • Distribution adds duct tape as "value add", making each "Linux" distribution basically different OSs.
  • Distros at whim of community for security features. E.g., firewall code.
  • No roadmap, lots of add-on things, uncoordinated changes
  • more vulnerabilities in RHEL ES 3 than MS 2003
  • Distribution patches "second order" — done by developer, reshipped (modified?) by distro
  • Linux will survive by brute force by a network of zealots (make Apple zealots look tame)

Future (two wild conjectures)

  • Apple move to Intel will help solve security problems that have been around for over 30 years. Trusted boot and other hooks. Will be tested by attackers.
  • Bluetooth device security - biggest problem is nobody believes it's a problem. More BT than 802.11, so a good war driver target

How Hackers Get Caught

By Simple Nomad, Nomad Mobile Research Centre, and BindView.

The other keynote. Here are the major ways hackers are caught. Overall principle: "Laziness == jail time".

  • Access from hacker's home is common, especially after the break-in.
  • Shell history written after exit.
  • Log files don't always make sense after editing.
  • Duplicate remote logs and forgotten logs.
  • Port scans are obvious (multiple or timed-out connections)
  • Scanning stops, and attack at box last scanned
  • Attackers often use the same playbook and leave footprints
  • Include trusted hosts from log or tools
  • Using wrong code for wrong OS or wrong processor on a server (core dumps)
  • File access times (atime) changed on filesystem
  • Monitoring quotas on disk use and bandwidth use
  • Forensic tools such as The Coroner's Toolkit finds footprints
  • Malware often fails under high load
  • Nmap does its job well (such as OS and version ID), but is very noisy
  • Admins can use Nmap to find attacker-installed back door
  • Botnets by "skiddies" with IRC is very noticeable. It's SO February 2000.
  • ARP footprints during port scans
  • Logs of DNS server showing accesses or zone dumps from attacker's home machine around time of attack.
  • Attackers often tell friends on IRC, SILC
  • Deleted files left on free areas or journal of filesystem
  • DES, PGP (and some others?) not secure

Bastille Hardening Assessment Tool

By Jay Beale, Bastille Linux & Intel Guardians (Bastille is pronounced "Bas-tee" by French, "Bas-teal" by English (and Jay))

(Note: Sun has a tool for hardening and auditing Solaris systems (and that I work on) called Solaris Security Toolkit )

Bastille Linux is for hardening and assessing Linux. Hardening is enabled for HP-UX, Mac OS X, Linux (RedHat flavors, Mandrake, Debian, SuSE, and Gentoo), and soon Solaris. Assessment is enabled for Redhat, Mandrake, and SuSE Linux, but not others.

Why harden? Hardening is setting system config settings to make it more resilient to attack. Hardening is not sexy (like firewalls). More people now know their system is a useful target for attack. Useful by the attacker for the next hop to the target, for distributing warez, botnet, phishing, fake websites, etc.

Patching not fast enough—still have windows of vulnerability. Average patching speed: Redhat increased from 7 to 30 days. Windows 30 days. Sun decreased from 90 to 30 days.

Proactive security decreases odds of attack, establishing policies in advance.

Hardening is "configuring a system for better security." Deactivating unnecessary programs, using file permissions and ACLs, and tweaking OS parameters to limit access to what's needed, Using Least Privilege: giving just what they need and a little bit more. Using Minimalism: turning stuff off you're not using. Hardening is easy with available tools. About 95% of Linux exploits mitigated with hardening (e.g., man or nmh exploits not stopped).

Kernel-level technologies (Trusted OSs, such as SELinux) are complementary to hardening and good to use.

  • Bastille asks questions for hardening in its GUI, and has explanations for each question. This is to educate the sysadmin. E.g., give reasons why telnet is bad, instead of just asking.
  • Modules: patches, file permissions, account security, secure inetd, miscellaneous daemons, sendmail, dns, printing, and OS-specific. Can add user-written modules (Perl, API manual).
  • Can create policy file with GUI on one system, and run it on other systems.
  • HP-UX donates developers to Bastille and ships with HP-UX 11.11+
  • Assessment Report has weighted scoring for vulnerabilities (configurable). Educational benefit and strong psychological power to do things now. High scores == better.
  • Assessment good for triage—harden worst systems first
  • Assessment good for due diligence for SOX, etc.
  • Assessment detects "rot" from patches, installs, and reconfig.
  • LiveCD version in progress.

How Big is that Foot in the Door?

By Foofus, Foofus Networking Services

This concerns a problem with vulnerability enumeration tools: they tend to give massive output that needs to be analyzed. This talk is about a framework to visualize the network data by looking at trust relationships between hosts. It uses matrices and matrix inversion to compute trust networks. An example implementation looks at password-based trusts between MS Windows hosts (OWNR). It graphically shows the likelihood that one host can be attacked from another. You can visually see the (beneficial) effect on the graphs of removing various accounts (usually admin accounts). The tools are incomplete and not user-friendly. Written in J Software, using AfterGlow to visualize graphs. Visual graphs are very persuasive to non-technical people (PHBs).

Exploring Security Problems in Hardware: Past and Present

Joe Grand of Grand Idea Studio. Talked about historical attacks, how to analyze new devices, and RFID technologies. Threat vectors are interception (eavesdropping), interruption (fault generation), modification, and fabrication/man-in-the-middle (counterfeit/spoofing).

Why attack? Rip off competitors (IP), steal services, forge ID to gain system access, and privilege escalation (feature unlocking) Can find out how to attack systems with trial and error and vendor docs.

Example attacks: Rainbow iKey 1000 (EEPROM dongle with weak key algorithm, xor with md5("rainbow")). Master admin password key is "rainbow". Epoxy not secure—can just scratch off.

Another authentication token: Dallas Semiconductor iButton. Java-based. DS1991 iButton has 3 48-byte keys. Used a lot in Europe for cashless transactions. Supposedly on password errors, return "random" data, but data was predictable (equals input + constant), not "random." Can use dictionary attack against it.

Biometrics: considered more secure than passwords, but physical characteristics hard to keep secret. Can lift fingerprint, face, or voice. Stealing finger or fingerprint gives new meaning to "hacking" and "digital theft!" Gelatin finger works 80%, can eat afterward.

Intel NetStructure 110 (crypto accelerator). Uses serial port management console that can be attacked. Opened box and used strings to find OS on EEPROM (BSD). Still had debug symbols. Found password based on mac address. Uses weak crypto (xor of constants).

MAC address cloning is easy. Usually stored in EEPROM. Sun SPARC: set in NVRAM with prom-monitor. Also NS, Ansel, Microdyne, Linksys, Genius, Winbond, and almost every NIC.

RFID uses radio waves (RF) to ID. Becoming popular just now. RFID chips have a unique serial # (tag). Active & passive (powered or not). Four frequencies, mostly LF or HF (low, not UHF or microwave). Tags are read-only, read/write, or crypto. Most tags have no security; you just need to know the frequency, so they are easy to "snoop". Tags come in capsules or thin and flat (for retail). Gillette® has 35% loss from plant to retail. Easy attacks: label switch, cover, or destroy. Reader attacks: read cell phones going by on a bridge. TI uses a weak 40-bit homemade key cipher (reverse engineered from a PowerPoint slide). Proximity Card Simulation by Jonathan Westhues. Other tools available. Can read/write with rf-dump (Java-based).

Conclusion: can't trust hardware—it's not voodoo; lots of people understand it.

Tor: Anonymous Communication for the Dept. of Defense and you

By Roger Dingledine, EFF,

Bad people are doing great (viruses, botnets, phishing, spam). Criminals have anonymity (they have motivation to get it), but normal people and government don't. Lots of legit needs for anonymous communication (privacy, commerce). Used by EU PRIME project. Used by Navy group in Gulf. Could be useful for, say, DoD Net: hard to get on, but once there you're home free.

  • Keys: can distribute keys among three servers, all three required to decrypt. Stealing one server doesn't break security.
  • Onion Routing: resists traffic analysis (traffic analysis can be used even with VPN and SSL traffic). Path chosen by client (can't trust anonymous Tor servers).
  • Tor has never been down. Each node decides amount of traffic it accepts.
  • Tor client looks like a Socks proxy. Tor is TCP only—not UDP (yet). Connect with a Tor server with TLS. Proxy tunnels with Onion Router to "next guy". Public keys used to verify destination ID. Directory servers used to find onion routers and keys. In future, may need to remove or decentralize directories.
  • Tor supported Linux, BSD, MacOS X, Solaris, MS Windows, xbox, linksys wireless routers, etc.
  • Voluntary server operators— no payments, not proprietary
  • Servers DOS-resistant (too many of them)
  • Some tradeoffs for efficiency (e.g., no packet padding).
  • Many entry nodes needed for China, Iran, and other censor-heavy countries, to defeat banning of IPs.
  • Policy issues: Tor used to relay ransom notes, spam, IRC jerks, high-bandwidth Vin Diesel movies. Posts from Tor exit nodes banned by Wikipedia & Slashdot (lots of defacement from tor) Tor exit nodes in some spam blacklists (e.g., SORBS).

BBS Documentary: Fidonet Episode (and others)

   /  \\
  /|oo \\
 (_|  /_)
  _`@/_ \\    _
 |     | \\   \\\\
 | (\*) |  \\   ))
 |__U__| /  \\//
  _//|| _\\   /

Jason Scott ( produced an 8-episode documentary on DVD about BBS ( The episode he screened was on Fidonet. On first thought it sounds as dry as dust (or neon-green ASCII chars). However, it's not about obsolete technology; it's about the people behind it. FidoNet founder Tom Jennings. Scott interviewed people about the creation of Fidonet, to its height in 1995 (30,000 nodes), and subsequent decline (15,000 nodes in 2005). An interesting part was the great amount of conflict and flamewar it generated. Ken Kaplan was in charge of the master "SysOp List" that he had to push out to 30,000 or so nodes. It created tremendous phone bills. To defray this, he accepted donations. However, his accountant said he had to pay taxes on it. To avoid this in the future, he and other Fidonet founders created a non-profit, IFNA ("if-naa"). Unfortunately, the paranoid thought this was a move to gain dictatorial control over Fidonet, or at least that it had the future potential, along with commercializing Fidonet and possibly enriching a few. Even today people involved are still disgusted with the rabid politics of Fidonet.

In the end, IFNA was disbanded and Kaplan and many others, including Fidonet founders, quit in disgust. Fidonet still exists today in smaller form. Many Fidonet "nodes" can be accessed by telnet, not just a modem. One of Fidonet's growing uses is in third-world countries with low-bandwidth or high-censorship (e.g., Vietnam).

SCADA Exposed

Next day, Sunday noon, Mark Grimes of SAIC talked about SCADA networks, which are private control-system networks. I missed most of this driving around the ballpark crowd barriers. His main point is that the network conventions are private and not available to the security community. This is security by obscurity, and he feels that is a bad approach. (This is not necessarily his employer's opinion.) SCADA is suffering the same weaknesses the Internet used to have (or has more frequently). An example he gave was ARP spoofing. ARP is the main protocol relied on to ensure security, that the correct devices are connecting to the network. ARP, however, is easily defeated. An audience member gave another example: nuclear power plants are going wireless. Wires are very expensive because they require physical recertification of the plant. However, wireless (such as 802.11) is notorious for poor encryption protocols. He suggested a Ziggy war driver can easily break into a plant.

Applied Data Profiling, Classification, and Analysis Methods and Lo-Fi Graphics Demos

Christopher Abad of Cloudmark and The Math Club

Showed using Adobe Photoshop to model data, such as password length. This makes it a lot easier to visualize problems. Read binary files as .raw grayscale graphics files, then modify the file with the histogram and color picker tools. Showed using Adobe Photoshop to even decrypt a file (although tedious).

Showed using the OSPF routing algorithm to spellcheck email for possible spam. This finds misspelled words (such as "c1a1i5"). Scores each word for its resemblance to spam words.

Hacking Silicon: Secrets from Behind the Epoxy Curtain

By "bunnie" (Dr. Huang), bunnie studios LLC. Famous for hacking MS Xbox encrypted keys.

Lots of stuff going into one package or one chip now (Moore's Law). Discussed methods of opening packages (acid, brazing)—dangerous. X-ray lab often easiest and safest. Scopes, microprobes. No secrets in silicon—can't encrypt, and can remove shields. Silicon design is hard, so lots of debug and test resources in silicon. Design is modular and layered. Often locking in hardware uses weak encryption. Sometimes there's a bug and encryption or locking is not enabled at all.

Law Enforcement Panel

This year's panel was Jim Blanco, Computer & Tech Crime High-tech Response Team (CATCH), Robert Morgester, Dept. of Justice, Dan Hubbard, Websense, and Simple Nomad (moderator) and Weasel, both of Nomad Mobile Research Centre (aka Simple Nomad). The panel's goal is to discuss the legal aspects of computer security with law enforcement and legal people.

Discussed disclosures of vulnerabilities. DOJ is not interested in exploit writers (although corporations harmed are very interested). DOJ is interested in those who use an exploit and those who give it to them. DOJ's problem is that it is overwhelmed by the number of cases.

ID theft (DOJ): everyone will be a victim. Problem is neglect by corporations--you have a right to sue them. Class action a possibility.

DOJ guy said sniffing packets over wireless networks (without permission) is wire tapping. He said problem is old laws written for a land-line culture. Also protects you from government wiretaps. Lots of heated discussion.

More discussion about spyware and ID theft. DOJ guy says to call him if you get a well-documented spyware case. He wants an example made of someone. ID theft a big problem because lots of small and big corporations do not encrypt their customer data.

Wednesday Aug 03, 2005

Yosemite Valley's First Art Exhibit

Indian Life at Mirror Lake, 1878. Watercolor by Constance Frederica Gordon-Cumming (29.5'x19.25').

The first art exhibit in Yosemite Valley was held in 1878 by Lady Constance Frederica Gordon-Cumming, a travel writer from a wealthy Scottish family. Lady Gordon-Cumming taught herself how to paint, and had help from prominent artists visiting her home. She traveled the world, mostly the Pacific and Asia, and often alone. Lady Gordon-Cumming was a prolific writer, and painted over a thousand watercolors of landscapes. She visited Yosemite in 1878, after arriving in San Francisco from a trip to Tahiti. She intended to visit for three days, but ended up staying three months. She says “I for one have wandered far enough over the wide world to know a unique glory when I am blessed by the sight of one . . .”

Of her art exhibit, Lady Gordon-Cumming says:

I have myself held rather an amusing Great Exhibition this afternoon. Latterly I have repeatedly been asked to “do portfolio” for the edification of various friends; but the people who took the keenest interest in all the sketches were just those who had not seen them, so I had promised them all to have a grand show before I leave the valley. That sad day, alas! is drawing near; so, having issued a general invitation to every man, woman, and child in the neighbourhood, I borrowed a lot of sheets from my landlady, who allowed me to nail them all round the outside of the wooden house. To these I fastened each sketch with small pins, so that the verandah became a famous picture gallery.

I certainly have got through a good deal of work in the last three months, having twenty-five finished drawings, and as many more very carefully drawn and half coloured. Most of these are large, for water-colour sketches—about thirty by twenty inches—as I find it far more troublesome to express such vast subjects on a smaller scale.

I was amused by the zeal with which one of the guides constituted himself showman, and went round and round the verandah descanting on every drawing. Hitherto he has always been so busy with tourists, that I had not previously discovered this kindred spirit. He did his work thoroughly; for when I returned from my walk, I found him still hard at it! I was much gratified by the enthusiasm of the Yō-semité-ites, as they recognised all their favourite points of view, and vouched for the rigid accuracy of each,—that being the one quality for which I have striven, feeling sorely aggrieved by the unscrupulous manner in which some celebrated artists have sacrificed faithfulness of outline to make grand Nature fit their ideal.

Friday Jul 29, 2005

Solaris Security Toolkit Customization

Customizing Solaris Security Toolkit

The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more secure from malicious attack. This software may be installed during an unattended Solaris JumpStart install, or installed after Solaris is installed and booted. Solaris Security Toolkit supports Solaris 8, 9, and 10 on SPARC and x86 systems. Solaris 2.5.1, 2.6, and 7 can be used, but are not supported.

One size does not fit all. The degree of hardening depends on your site requirements. For that reason, pre-canned scripts provide various levels of hardening. The secure.driver closes all ports except for ssh. The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.

Usage and Customization Example

I won't go into all the details of use and customization of Solaris Security Toolkit, but I'll give enough details to get you started. I'm only covering interactive use in this example. For unattended JumpStart installs, see the Administration Guide.

  1. First, download the SUNWjass package, available at no cost from Sun. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as their functionality is incorporated in Solaris 10.
  2. If SUNWjass is already installed, remove it with pkgrm (back up any modified files first)
  3. Uncompress and install the package to /opt/SUNWjass:
    # uncompress SUNWjass.pkg.Z
    # pkgadd -d SUNWjass.pkg
  4. Run a driver in "apply" mode. In this example, we use server-secure.driver. This takes a few minutes. Other drivers are covered in the security_drivers(7) man page and Reference Manual.
    # /opt/SUNWjass/bin/jass-execute -d server-secure.driver
  5. Check the summary output for failures and errors:
    [SUMMARY] Results Summary for APPLY run of server-secure.driver
    [SUMMARY] The run completed with a total of 85 scripts run.
    [SUMMARY] There were  Failures in   0 Scripts
    [SUMMARY] There were  Errors   in   0 Scripts
    [SUMMARY] There were  Warnings in   2 Scripts
    [SUMMARY] There were  Notes    in  68 Scripts
  6. Reboot and login again:
    # /usr/sbin/reboot
  7. You can verify the previous run of jass-execute ("audit" mode) was correct:
    # /opt/SUNWjass/bin/jass-execute -a server-secure.driver
    This takes a few minutes and produces a summary at the end:
    [SUMMARY] Results Summary for AUDIT run of server-secure.driver
    [SUMMARY] The run completed with a total of 85 scripts run.
    [SUMMARY] There was a Failure  in   1 Script
    [SUMMARY] There were  Errors   in   0 Scripts
    [SUMMARY] There was a Warning  in   1 Script
    [SUMMARY] There were  Notes    in  20 Scripts
    [SUMMARY] Failure Scripts listed in:
    Verify there are no failures. If any failures are found, look at the script output to see if there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I created a custom .profile script:
    [FAIL] Template /root/.profile does not match target on system.
    I can ignore the error or fix it by removing my custom .profile file, or modifying the .profile in Solaris Security Toolkit (under /opt/SUNWjass/Files).
  8. Determine if any services have been disabled that you may need or if you wish to disable more services. Use tools such as netstat -an, svcs, and nmap. See the Administration Guide for a detailed approach.
  9. In this example, we see telnet is running from svcs and wish to disable it:
    # svcs telnet
    STATE          STIME    FMRI
    online          9:06:31 svc:/network/telnet:default
  10. To disable telnet, add the FMRI svc:/network/telnet:default to JASS_SVCS_DISABLE in /opt/SUNWjass/Drivers/user.init. Use the package-provided file user.init.SAMPLE as a template:
    # cd /opt/SUNWjass/Drivers
    # cp user.init.SAMPLE user.init
    # cat >>user.init
    To enable a service that was disabled, use JASS_SVCS_ENABLE (if the service was listed in JASS_SVCS_DISABLE) or disable the appropriate finish script in /opt/SUNWjass/Finish/*.fin. For details see the Reference Manual and Administration Guide.
  11. To apply the change run jass-execute in apply mode again and reboot:
    # /opt/SUNWjass/bin/jass-execute -d server-secure.driver
    If you want a service enabled that was enabled previously (before the Apply run), you need to undo the previous run of jass-execute in Apply mode. To do this, run the following and reboot:
    # /opt/SUNWjass/bin/jass-execute -u

Periodic Maintenance

It's a good idea to periodically run jass-execute -a (Audit mode) to verify disabled services are still disabled. If a service becomes enabled (say, because of admin error, a patch, or installing other software), run jass-execute -d (Apply mode) again to lock down the service.
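The audit check from step 7 and the user.init change from step 10 above, scripted for the periodic check just described. This is an added example written for this post, not code from the Solaris Security Toolkit; the function names, the constructed sample summary, and the exact form of the line appended to user.init are assumptions (the toolkit sources user.init as a Bourne-shell file; compare with user.init.SAMPLE on your system).

```sh
#!/bin/sh
# Added example; not part of the Solaris Security Toolkit or of the original post.
# Helpers for the procedure above:
#   jass_failure_count  parses the [SUMMARY] block that jass-execute prints and
#                       prints the number of scripts that reported a Failure
#   jass_audit_ok       runs an audit (jass-execute -a) and succeeds only when
#                       that count is 0, for the periodic check described above
#   jass_add_disable    adds an SMF FMRI to JASS_SVCS_DISABLE in user.init
#                       (step 10), without duplicating an entry already present
# Assumption: the line appended to user.init is a plain Bourne-shell assignment
# plus export, since user.init is sourced by the toolkit; compare with the
# format in user.init.SAMPLE before relying on it.

# Read jass-execute summary text on stdin and print the Failure count.
# Both wordings the toolkit prints are handled:
#   [SUMMARY] There were  Failures in   0 Scripts
#   [SUMMARY] There was a Failure  in   1 Script
# Prints "unknown" when no such line is present (e.g. the run aborted), so a
# caller that tests for "0" treats a missing summary as a failure.
jass_failure_count() {
    awk '
        /^\[SUMMARY\] There (was|were) .*Failure/ {
            # the count is the last all-digit field on the line
            for (i = NF; i > 0; i--)
                if ($i ~ /^[0-9]+$/) { n = $i; found = 1; break }
        }
        END { print (found ? n : "unknown") }
    '
}

# Audit a driver and return 0 only when no script failed.
# $1 = driver (default server-secure.driver), $2 = path to jass-execute
jass_audit_ok() {
    driver=${1:-server-secure.driver}
    jass=${2:-/opt/SUNWjass/bin/jass-execute}
    count=$("$jass" -a "$driver" | jass_failure_count)
    [ "$count" = "0" ]
}

# Add an FMRI to JASS_SVCS_DISABLE in a user.init file (default location as in
# step 10). Creates user.init from user.init.SAMPLE when it does not exist yet.
# $1 = FMRI, e.g. svc:/network/telnet:default; $2 = path to user.init
jass_add_disable() {
    fmri=$1
    init=${2:-/opt/SUNWjass/Drivers/user.init}
    if [ ! -f "$init" ] && [ -f "$init.SAMPLE" ]; then
        cp "$init.SAMPLE" "$init"
    fi
    # already listed: nothing to do (grep -F because the FMRI is not a regex)
    if [ -f "$init" ] && grep -qF -- "$fmri" "$init"; then
        return 0
    fi
    printf 'JASS_SVCS_DISABLE="${JASS_SVCS_DISABLE} %s"; export JASS_SVCS_DISABLE\n' \
        "$fmri" >> "$init"
}

# Constructed sample of the audit summary from step 7 above (for demonstration)
SAMPLE_AUDIT='[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure  in   1 Script
[SUMMARY] There were  Errors   in   0 Scripts
[SUMMARY] There was a Warning  in   1 Script
[SUMMARY] There were  Notes    in  20 Scripts'

printf '%s\n' "$SAMPLE_AUDIT" | jass_failure_count   # prints 1
```

Run jass_audit_ok from cron and alert on a non-zero exit; a script that fails audit is one whose hardening was undone by a patch, admin error, or newly installed software.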

Customizing changes for multiple systems

Sometimes you may want to apply the same customized changes you made with Solaris Security Toolkit to multiple systems, or you want to save the changes you made off the system. To do this, you create a customized package, JASScustm, with the following command:

 # /opt/SUNWjass/bin/make-jass-pkg

This creates the package, which may be installed in lieu of SUNWjass. Customized changes such as user.init are included in the package at /opt/SUNWjass/JASScustm.pkg.

New Solaris Security Toolkit 4.2 Features For Solaris 10

New features supported in Solaris Security Toolkit 4.2 (aka JASS) are:
  • Solaris 10 support
  • Flexible Crypt, password history, and strict password checking support
  • Service Management Facility (SMF) aware
  • Solaris Zones support
  • Summary output at end of jass-execute run
  • Auditing of file changes through BART (Basic Auditing and Reporting Tool)
  • Root home directory changed from / to /root
  • ipfilter firewall enabled
  • TCP Wrappers (hosts.allow, hosts.deny)
  • Continued support for Solaris 8 and 9. Solaris Security Toolkit may still be used on Solaris 2.5.1, 2.6, and 7, but support is not available.
  • Solaris Security Toolkit supports SPARC (64-bit only) and x86 (32- and 64-bit).
  • Full and official details of changes are available at "Solaris Security Toolkit 4.2 Release Notes." (see below)

Downloads and Documentation

Solaris Security Toolkit downloads and documentation are available from Sun. These documents are available:

  • Solaris Security Toolkit 4.2 Release Notes, July 2005 (part # 819-1504-10)
  • Solaris Security Toolkit 4.2 Administration Guide, July 2005 (part # 819-1402-10)
  • Solaris Security Toolkit 4.2 Reference Manual, July 2005 (part # 819-1503-10)
  • Solaris Security Toolkit 4.2 Man Page Guide, July 2005 (part # 819-1505-10)
  • Sun BluePrints OnLine has several documents on security, including Solaris Security Toolkit.

Wednesday Apr 27, 2005

Glacier National Park

Here's my wife, Helen Gunn, on the trail to Grinnell Glacier last summer, out of Many Glacier, Glacier National Park, Montana. We liked it so much we're going back again. Usually the trail is dry, but there was a temporary waterfall on the way. The days before, there were these wonderful, loud thunderstorms at night. Grinnell Glacier is melting away, due to global warming, but it's still huge. There's a giant part above a cliff and another below the cliff behind a glacier lake. The water is a pretty milky blue. One giant piece of the glacier broke off and is floating in the lake. The rangers call it the "Lusitania," and it will probably have the same fate as the original in 1915.

Many Glacier has this great hotel the Park Service is renovating. I love those old turn-of-the-century hotels (previous century turn, of course). It has a great dining room with large picture window views. Also a nice diner with pasta and other stuff.

The first day we spent on the Going To The Sun Road. It's a dramatic road cut into the cliffs. Very scenic, but go early as it's prettier and more wildlife is about, and the road gets crowded later on. We saw lots of mountain goats and bighorn sheep. Later in the trip we saw black bear and grizzly bear, but that was early in the morning. The rangers say "bear bells" are ineffective for scaring bears--you should just use normal conversation to keep them away. We spent other days hiking to waterfalls around western St. Mary Lake and Two Medicine.

The western part of the park is drier and not as pretty, I think. Apgar has a small country diner with good pancakes. Don't order their so-called "broiled chicken" though--it's just deep-fried chicken with lots of breading. I recommend the diner or hotel restaurant at MacDonald instead. The diner at Rising Sun on St. Mary Lake is not great either--just a burger joint, and real slow. Try St. Mary's outside the park.

We also spent some time across the border in Waterton National Park in Alberta, Canada. For one hike, a morning van shuttle takes you to Cameron Lake and you hike back to town (Waterton) one way. Beautiful alpine countryside. We also hiked to Crypt Lake on the US/Canadian border, taking a boat across Waterton Lake. The town of Waterton has several restaurants. One to avoid is full of tobacco smoke, but the others are non-smoking. The prices seem higher in Canada, but don't forget the Canadian dollar is only 75-80 cents US.

Monday Sep 27, 2004

Toorcon 2004 Security Conference, San Diego

Once again, I attended San Diego's annual hacker and Security Convention sponsored by a local hacker group. It's cheap ($60), tax-deductible, and convenient for me! (my time, my money).

Disclaimers: These are my notes, so they have typos and aren't highly polished. I may have misinterpreted other people's words or ideas. Opinions here are not mine nor my employer's.
— Dan

Here's the best of the sessions I attended:

Keynote: The Future of Encryption (Jon Callas, OpenPGP Standard Author, PGP Co-founder)

History. Cryptography was invented after the third person in the world could learn to read and write. Traditionally an arcane skill, done by a few clever people. Became common after WW II: the Enigma machine worked and put crypto people out of work. The computer was invented specifically to break the Enigma machine. Software cryptography came into play in the mid-1970s with DES. Became a standard, a technology (not a secret, not an art). Public key cryptography took care of the secret key management problem.

Present. Network everywhere. Encryption must be done with non-clever or non-computer people. Adoption and Human Interface Design is current focus.

Problems being ignored:

Digital signatures (DS): the problem is in laws, not technology. A DS is not a signature (a signature is an act, not a thing), but more like a seal or voice. Is a DS a commitment? Is it a tamper-evident seal? How do we know? DS pushes liability to the signer. Credit card. Email. Agreement. Are users or servers certified? If everyone has a cert, why should they be trusted? Sysadmins are more responsible than the typical user. Same problem with universal DS as with universal ID cards to fight terrorism. Another example is using DS to fight spam (spammers can get a DS also). What does "non-repudiation" mean? Need to have accountability when using DS, otherwise it is not believable.

Blinded signatures. Chaum patent expiry Summer 2005; may be used more once this happens. Certifies something without revealing private information.

Group signatures. Someone in a known group signed, but don't know which one. Gives accountability while preserving privacy.

Reliability: always intertwined with security. Security: protect against intelligent attacks. Reliability: protect against unintelligent attacks.

Mediated Locks: Can only put worthless things in an unpickable safe (only a mad person would put valuable stuff there). Must have access to protected keys or data.

Pervasive Encryption: Humans make wrong decisions in the heat of the moment. E.g., security vs. keeping job. Or email vs. IMs or hotmail or dialup modems. Policies need to be setup beforehand to be followed and automated.

End-to-End Security myth. Not possible. What's an "end"? What's important? Close ends lose reliability and usefulness (e.g., spam filter or archiving). Distant ends lose security. "Ends" need to be at appropriate location, depending on these trade-offs.

Digital Rights Management (DRM). Not solvable. Can always be broken. Works against polite or lazy hackers. Doesn't work in real world with cell phone cameras and recorders. Nobody wants it. Works only if everyone honest. Legal liabilities will stop DRM documents in corporations. DRM useful for niche markets though (e.g., government or financial).

The Accountable Net. Can provide privacy and security with the right questions. Issue is accountability and reputation, not identity (e.g., do you pay your bills?). Authority-based authentication useful (e.g., are you a spammer?).

Identity Management. Trendy words for single sign-on. Everyone wants it, but trades off security for management. Federated Identity—not useful for end users. Breaks privacy from tying together records.

Hash Functions Breaking. PGP 2 (not sacred because of Zimmermann; don't use it; use PGP 5). SHA-1 still safe; can move to SHA-256 if needed. More advances coming. Secure hash functions are easy, but fast hash functions are hard. E.g., MD5 is half the speed of MD4.

Advances with little impact. Fast ciphers (don't care which one is being used), public key systems, encryption_authentication. Quantum "Cryptography" interesting physics, but not cryptography. Pet peeve of his.

Sci-fi-like Technology. Unlikely but possible. Quantum computing. DNA computing. Faster-than-light (FTL) information transfer. Unexpected advances in math (factoring, discrete log, AES algebraic equation solution).

Summary. Cryptography pervasive, invisible, interoperable, invisible core technology, and more use in future.

Lunch break. Went next door to Seaport Village. Had a bean burrito while lots of young girls were singing karaoke. Some were good, some not, but they were having fun. I also visited the Hyatt's pool on the 4th floor. Lots of people. There was a nice view of San Diego Bay. I saw 2 aircraft carriers and I noticed they are now surrounded by large inflatable pontoons (to protect against suicide boats, I guess).

PATRIOT Act, Privacy and You (Jennifer Granick, Esq., Stanford Law School)

Goal here is not to review the USA PATRIOT Act (too complicated), but to review its impact on you. There's a patchwork of several laws about privacy. Will talk about some of them: 4th Amendment, Stored Communications Act, Electronic Communications Privacy Act, Wiretap Act, Computer Fraud and Abuse Act of 1986, and USA PATRIOT Act.

Privacy: right to be left alone (autonomy) and right to control your information. Privacy enables other rights, such as speech, association, or voting.

Privacy Policy Questions: What is collected or disclosed?, to whom?, when?, safeguards, and penalty.

US 4th Amendment is her favorite (even over 1st—speech). Protects against unreasonable search and seizure. Gives a reasonable expectation of privacy (e.g., in your house). Sometimes have gray areas. If there's a reasonable expectation of privacy, you need probable cause to get a warrant from a judge. With warrant, you must knock and announce. If these not followed, evidence is excluded. PATRIOT Act allows secret search ("sneak and peek").

Computer Fraud and Abuse Act. Disallows damage or unauthorized access. E.g., court says this includes spam, DNS search robots, Internet auction or travel agent spiders, and port scanning. This is especially true if it downs or DOSs the computer (must "cause harm"). Otherwise rulings are not consistent. Law is vague and overly broad.

Interception of communications. Information is more private than just the fact there's some communication ("chatter"). Need a warrant for information. Rules differ for intelligence agency, law enforcement, ISP, and employer. Wiretapping can't be done (exceptions require a wiretap warrant). PATRIOT Act made wiretapping easier: giving support to terrorists. Nationwide/roving wiretaps now legal. Monitoring a computer "trespasser" now OK (if no business relationship). ISPs may monitor.

At this time my laptop ran out of power. The two important remaining points: most of the PATRIOT Act provisions "sunset" (expire) Summer 2005. A nation has the right to defend itself. However, it's important to make sure that, when it's renewed next year, the provisions are not as broad as they are now.

Honeynet Project: Honeynets for the Masses (Patrick McCarty, Azusa Pacific University)

Honeypot - a decoy, no production value. Purpose is gathering information. Separating production from malicious(sp) project.

Honeynet - system of Honeypots. Architecture, not a product.

Data Control - no restrictions incoming to Honeypot. Scrubbed/limited outgoing connections (keep honeypot compromises from spreading to Internet). Uses Snort.

Data Capture - Network-based uses tcpdump or Snort. host-based uses Sebek (module that captures all sys_read kernel calls). Attacker can't sniff for monitoring traffic with Sebek (not network based).

Issues - Takes a lot of resources to properly maintain (ton of data). Anti-honeynet technologies available (such as anti-Sebek). Honeynets can attack other Honeynets. Privacy a possible issue.

Honeywall - "control center" of a honeynet. Goals are data capture and control, then altering attacks. Tools used: IPTables, Snort, swatch, grsecurity, tcpdump, and (soon) ntop. Available on the "Honeywall CD" (a bootable CDROM with a UI).

Future - distributed analysis among different physical locations with a central database.

A Survey of Novel Approaches to Network Security (aempirei, Baseline Research)

Profile - used to assess and predict someone's behavior: behavior and appearance. Most things too complex to profile automatically.

Behavioral analysis - used to create a profile, then can predict future behavior based on a "fingerprint" of known profiles.

Stochastic process - non-deterministic (random or complex) behavior. E. g., traffic, gambling. Can be modeled with statistical models. Static stochastic processes - games of chance or quantum dynamics. Can't predict--can only use statistics.

Dynamic stochastic processes - don't understand underlying model. Context-sensitive state and changing probabilities. E.g., "i before e except after c" is only true 80% of the time. Less return with more refinements to the rule. Still 170 words after this grep:
grep -v '\([rc]ei\)\|\(ei[sdlnkrtzg]\)'
Primes are deterministic, but sufficiently complex to defy prediction and appear to be stochastic.

Can use frequency distributions to distinguish random data from meaningful data (e.g., DNA sequences, English text, or (poorly encrypted) XOR-ed text is meaningful, PRNG or DES encrypted data appears random).

Markov Process - predicts stochastic processes.

Can use Sequitur (Nevill-Manning Algorithm) to analyze non-context-free (CFG) grammars with a n-gram model to reveal common structures (useful for compression).

E.g., several repetitive patterns in "In the beginning God created the heaven and the earth."

Can use this to identify authors from anonymous text (or author gender or text language or dog breed DNA).

PRNG: Linux good; *BSD good for the 2 high bytes, but the 2 low bytes are not good (predictable). Found by pumping a random stream into Gzip and looking at the byte distribution. Anyone can do this.
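The frequency-distribution test mentioned above (random-looking versus meaningful data, and the byte-distribution check applied to the PRNG output), as an added example written for this post rather than code from the talk: it builds a byte histogram of stdin with od and awk and reports Shannon entropy in bits per byte, so text (around 4 to 5 bits/byte) separates from ciphertext or compressed data (near 8). The function names and the threshold value are assumptions.

```sh
#!/bin/sh
# Added example (not from the talk or the original post): byte-frequency test
# for telling random-looking data (ciphertext, PRNG output, compressed files)
# from meaningful data (text, poorly XOR-ed text), as described in the notes.

# Print the Shannon entropy of stdin in bits per byte, 4 decimals.
# 0.0000 = a single repeated byte; 8.0000 = all 256 values equally frequent.
# od emits one decimal number per byte; awk builds the histogram.
byte_entropy() {
    od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { hist[$i]++; n++ } }
        END {
            if (n == 0) { print "0.0000"; exit }
            s = 0
            for (b in hist) { p = hist[b] / n; s += p * log(p) }
            printf "%.4f\n", (0 - s) / log(2)   # 0 - s avoids printing -0.0000
        }'
}

# Exit 0 when the entropy of stdin exceeds the threshold given as $1.
# A threshold near 7.5 flags data that is probably encrypted or compressed;
# the value is a tuning choice for this example, not a standard.
entropy_exceeds() {
    h=$(byte_entropy)
    awk -v h="$h" -v t="$1" 'BEGIN { exit !(h > t) }'
}

# Constructed samples: English-like text versus a repeated byte.
TEXT_SAMPLE='In the beginning God created the heaven and the earth.'
printf '%s' "$TEXT_SAMPLE" | byte_entropy      # around 4 bits/byte
printf 'aaaaaaaa' | byte_entropy               # 0.0000
```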

Pkzip was used to classify European language similarities (by how well they compress). Sequitur (dictionary builder) can also be used instead of pkzip, by comparing number of rules generated by Sequitur.

Can use this to identify hackers who break into a system:
sort ~/.bash_history|uniq -c |sort -nr > frequency.dat
Compare output using Stereotype.

"Most Likely Path First" (similar to OSPF routing) tree built of adjacent word comparisons. Can use to identify spam, for example. Can also use to prioritize hosts that are probably vulnerable (looking at activity or open ports).

Making Privacy Enhancing Technology a Reality (Len Sassaman, PGP Security)

PGP released over 10 years ago. Other security software developed: SSL/TLS, S/MIME, PEM, MOSS, disk encryption, ecash (wiped out with patents and Paypal), Anonymizer, Mixmaster.

Problem is consumers don't demand privacy (they want it, but won't take steps to protect themselves; it's inconvenient).

"Privacy policies are the opiate of the Internet." A feel-good measure. Some companies violate own policies (e.g., Jet Blue giving out travel info.). Criminals certainly don't obey privacy policies.

Most crypto software are "cool projects" but not usable. Political problems also. Often designed by committee and bloated with options and details. People in the know often explain encryption software by how it's implemented, not by what it does (e.g., "PGP is a public key . . ." not "encrypts and signs files"). PGP's "web of trust" is shallow. Too easy to misuse.

SSL is worse than PGP. Has top-down trust model, but easy to get a certificate. Excessive SSL warnings give click-fatigue. Users click through certificate warnings. Verisign says need a trusted third party to use SSL/TLS.

Crypto is a success where it's mandated (e.g., military, banking).

True user-empowering encryption should have: Friendly UI, simplified concepts, 1-click. User goal is not encryption, but to keep email from being observed. No reading, no extra skill required.

Spam Forensics: Reverse-Engineer Spammer Tactics (Justin Mason, SpamAssassin)

Antispam tools work because spammers don't write their own tools—they buy spamware (currently most popular are Dark Mailer and Send Safe). Spammers target AOL, since they are relatively clueless (and buy the junk advertised in spam). Spammers like HTML as you can hide text and malicious script in it.

Early days, spammers identified themselves with X-Mailer headers. Now spam is disguised as being from MS Outlook Express. However, can parse Message-ID to tell spam from real MS OE email.

Hashing Systems. E.g., Razor (open source) Pyzor, DCC, or AOL internal filters. If same message body sent to say 500 people, its spam. Also user-reported spam (but sometimes users report non-spam as spam).

Hashbusting. Spammers adding random gibberish to email body. But, "random" not really random—patterns observable in gibberish. Length of "random" string character range, or location were static. E.g., time(NULL)/4444 used as random email address:

Spammers' top priority is avoiding abuse reports to their ISPs (expensive for them). They "list wash" reporters off their list so the ISP doesn't get reports. They encode recipients' email addresses with rot13 in the body. Spammers like ROT13, even though it's a trivial "spy decoder ring" algorithm.

Spam software then added templates to specify where randomness and parameters are placed. But it also makes it easy for anti-spam ware. Spamware also hides behind proxies (legit bulk mail and mailing lists do not).

Bayes-Busters. Bayesian filtering popular recently. Random word sequences used to defeat the filter. However, the word sequences are the wrong length. Easy to detect. Look for a high number of HTML tags that don't exist:
li<modem>ke recei<benzedrine>ved th<false>is ema<downey>il
Easy to detect gibberish and chaff with long-word detection, bad-tag detection, or a lot of invalid HTML. Look for 18th-century words (much gibberish is text taken from Project Gutenberg etext).

Many strange email headers in spam, rarely or never seen in normal email. Spam software also has special MIME boundary patterns.

CAN SPAM: Pretty crappy, of course—spammer friendly. One loophole. Only "ISPs" can now bring action. If you host a few other people's email, for example, you can qualify as a ISP and sue spammers.

Complaint system: SpamCop and AOL are good (AOL only for AOL customers). Hard to do by hand (examining headers is time-consuming and non-trivial).

Future: download and reverse-engineer spamware (DMCA an issue). Can learn a lot from just spamware docs. Currently SpamAssassin is overloaded writing rules. Spam Assassin has always tried for high-accuracy at the expense of high system load. In future, will have a plug-in system to choose the set of filters to use.

Risks in Passive Network Discovery Systems (Brian Hernacki, Symantec Research Labs)

Security systems require knowledge of their environment to operate effectively. I.e., net topology, host, user, local policies. Can't be hard-coded.

Even large companies rarely have their network topology sketched out well. Efforts to write tools (active discovery or passive discovery). But these tools suck.

Active Network Discovery System (ANDS). Usually take an old map and update it. This sucks. Slow, labor intensive, human error, not detailed, snapshot only, obtrusive (triggers security sensors), misses hardened assets and dark nodes, doesn't work through proxies and firewalls.

Passive Network Discovery System (PNDS). PNDS listens to a network to gather info on host OS, general topology, apps and patch levels, peers.

PNDS vs. ANDS: Not static. Deeper information (than just probing). Dark spots: active hosts visible even if scanning-hardened (but may still miss a quiet host).

PNDS problems: A large number of sensors, scalability problems for large networks, lots of app knowledge required (so high dev costs). Security.

PNDS Security issues. Can poison PNDS with lots of noise: just plug a laptop in. Can use tcpreplay 2.x to do this. Can flood out old (correct) results. DOS not a problem. Easy to detect.

PNDS Countermeasures. Should be suspicious of changes (non-trivial; easier when DHCP networks are segmented). Need to be robust.

Summary: Use both ANDS and PNDS for best results. Hard to compromise from outside network. Need inside knowledge. Don't build your own NDS—tricky.

Tuesday Sep 14, 2004

Icons for Gnome, CDE, or MS Windoz

I have some icons I converted or screen-scraped. Many or most of these are not public domain, so I would investigate their legal status if using them for non-personal commercial use. Enjoy.

Monday Sep 13, 2004

Yosemite Valley website

Here's some information that's available on Yosemite Valley and surroundings on my webpage:

Tuesday Sep 07, 2004

Californians: vote AGAINST a spammer for Senate

This November, Californians will have a rare opportunity to vote for or against a spammer. Do you enjoy spam? Then vote for Bill Jones for the U.S. Senate.

Do you dislike spam? Then vote against Spam King Bill Jones for the U.S. Senate.

Your choice :-)

Unlocking a blog locked my account. I think it's because I haven't posted in awhile. Arrrggggg!!!! So, I'll just create a new account with different capitalization.
