headers
Fernando Gont | 1 Jan 2004 14:15
Picon
Favicon

RE: Traces

At 16:05 31/12/2003 -0800, Shawn Jackson wrote:

>         Okdokie. Let's say I am pinging anything.org and its 5 hops
>away. Let's also say that through a status route change (a BGP peer goes
>down, etc) I'm being router through a different backbone, now
>anything.org is 8 hops away due to that change. Great it's 8 hops away.

Note that you only need that packets take the same routes for some stable 
period of time. A BGP peer going down is the exception, not the rule.

>you can't garner that information without, at least, a netblock. The ATM
>core can be connected to thousands of networks, using that information
>you can only have a meager guess at which backbone provider the attack
>is coming from.

As I said in my last e-mail, the more data you have, the more accurate your 
guess may be. (See my example bellow).

>         TTL is not like miles it can't be efficiently measured. Routers
>can be hundreds of miles apart, or a few feet. I can reach the Easter
>half of the US in less hops then it takes me to get to Mexico, does that
>means its closer, nope. Could I take a look at a TTL and say what state
>it's in, nope.

And what does this have to do with our discussion????
You don't need to know where the attacker *physically* is. You just need to 
know where he is, but from a "networking" point of view. You need to detect 
which router he is attached to.

>         Can you give me an example of it in action? How would you use it
(Continue reading)

Permalink | Reply | 0 comments |
headers
. . | 2 Jan 2004 00:56
Picon
Favicon

Re: locked out of XP, need file access

again i agree to what u r saying, most of the things anyway. :)

the reason i told him he could email me privately was just cause i had 
already given an overall description of what i did, and to 90 % of the list, 
the details would probably not be that interesting anyway. it was not an 
attempt to hide info from the rest of the list. it was more an attempt to 
avoid posting details that the majority may not be interested in, like in 
what exact order i did this and that, what my particular setup is etc etc. 
it has nothing to do with security through obscurity.

whether i use a hotmail address or not is not really important i think. i 
can understand your concern if u dont want to exchange email with someone 
who's using a hotmail address, but that's up to u. as far as im concerned, 
there's no reason for me to give out any personal information unless i 
really have to, like if there's money transactions involved or whatever. 
most of the time on the internet though, it is not required, so there's no 
reason for me to give it out. i'm part of this list to pick up tips and 
info, and occationally have my say. why would i have to use my company 
address and give out my details to do that? it's just simple emails with 
text contents anyway. as a professional u can determine the value or 
validity of the content anyway. if u dont know the exact source of the 
information shared, so what? either confirm it elsewhere or choose to 
disregard it.

"And your presented name of "..."?  Is this not obscured?".
it's just two dots, hehe. sorry, but, is a couple of dots worse than a 
nickname like 'opticfibre', 'Gr00ve' or 'lockitdown'? i dont think so. the 
first and last name fields were mandatory when i setup the account, so i 
just put a couple of dots in. i couldve put 'elvis presley', or something 
that looked a bit more trustworthy but still not my name, who cares? im not
(Continue reading)

Permalink | Reply | 0 comments |
headers
Andy Cuff [Talisker] | 1 Jan 2004 21:23

Free Net Nanny - HomeUse and other free stuff

Hi
I've been looking for a free Net Nanny for homeuse.  I'm not interested in
one that excludes based on keywords but one that blocks per site.  I was
hoping that one of the big names out there had offered it up for free.

Also a few months back I told the virus list that Computer Associates had
offered their personal firewall and anti virus combo product free for 12
months, the link I provided was to a News Article which has now been
removed.  For the life of me I cannot find the URL to where CA have buried
this offer away.. If anyone knows of the address could they please let me
know.

As you can probably tell from the above I'm resurrecting the page on my
website detailing quality free security products primarily for homeuse, it
should be uploaded early Feb.  I should be including telephony firewalls
some time this month, but their aren't many out there so it won't take long
;o)  I've also uploaded a new page detailing all the known Wireless IDS

Jeff Ames has provided content detailing every software protocol analyzer at
http://www.securitywizardry.com/analyzers.htm he is also considering doing
the same for protocol analyzer appliances.

Daniele from Italy has also offered to update the Host IDS and IPS pages.
The Host IPS page will be uploaded early Feb.

The firewall pages are a little out of date but Mark Lewis has been doing
his Sans GIAC which is coming to an end shortly.

Happy New Year
-andy cuff
(Continue reading)

Permalink | Reply | 2 comments |
headers
Greg | 2 Jan 2004 10:33
Picon
Picon

Re: compromised network


----- Original Message -----
From: "JM" <jm <at> mindless.com>
To: "'Dana Rawson'" <absolutezero273c <at> nzoomail.com>;
<security-basics <at> securityfocus.com>
Sent: Wednesday, December 31, 2003 12:33 AM
Subject: RE: compromised network

> The only way to be 100% is to completely start from scratch again.
>

You know, I have read this reply from many people, over and over again and
without going to the trouble of finding the original message again, all I
can say is - whatever happened to the idea of image backups with
incrementals?

Eg, let's say all is quiet and OK and the crap started happening, at the
local timezone of that machine, at 11PM. Let's FURTHER say that the business
has a once a week full backup with hourly incrementals. What the heck is the
matter with going back to that SAME day at 10PM's incremental and restoring
from that image/incremental? Sure, the WEAKNESS that ALLOWED all this to
happen may WELL have occurred prior to that date but if you have the logs
with ports and IP ranges, surely you can get away without starting from
scratch? Otherwise, what the HELL is the use of backing ANYTHING up? Oh yes,
in case of hardware blowout (eg, hard drive burning out), equipment theft
etc. Yes I hear all that but at this date in 2004, I have to say that the
chances of that happening as opposed to what DID happen to this person are
small. I think the hardware will continue through many such intrusion
attempts.
(Continue reading)

Permalink | Reply | 14 comments |
headers
jburzenski | 2 Jan 2004 15:40

RE: home wireless router good practices for security

> 1) Anyone know how much enabling 128-bit encryption will hurt 
> my wireless performance?

Not enough.

> 2) Does setting the SSID for my wireless NIC then keep me 
> from getting onto other wireless networks like when 
> traveling?  I ask since that setting was set to ANY before I 
> changed it to the SSID that I set for my wireless router.

No.

> 3) What else should I really do to protect my home network?

I have a clever friend who plugged his WAP into an outlet that was
controlled by a wall switch.  He flips the switch which turns on the light
and the WAP and switches it off when he leaves the room.  This is a very
effective means of protecting a wireless network.  

128 bit WEP is easy to crack in theory but the reality of it is it often
requires a substantial effort to accomplish.  WEP cracking tools need
packets, usually millions of them to make a good guess at a key.  If you
have a low bandwidth network and brute-force resistant key you are in pretty
good shape.  

One final tip.  Set your SSID to SST-PR-1.  This will cause most war-drivers
to move on without bothering with you.  ;)

---------------------------------------------------------------------------
----------------------------------------------------------------------------
(Continue reading)

Permalink | Reply | 1 comment |
headers
Eric Appelboom | 2 Jan 2004 08:43

Backported patches - vulnrability scanning


Hi,

I am looking for a scanner that does not false positive on deamons that
have
Been back ported (patched) and still keep the same banner versions.

How do security teams keep track of what is current or backported as I
am finding it a problem.

One soloution of course is to have a policy to always use current
released builds in 
Production. (cough)

Any other ideas?
Cheers
Eric

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Permalink | Reply | 0 comments |
headers
nate | 1 Jan 2004 05:58

RE: home wireless router good practices for security

Another way with the MAC filtering is block all MAC address except for the
ones on your wireless cards. Second you can change your SSID on the card
very easy so it won't affect you if you travel. 128 bit WEP will ding you
slightly but if it helps slow someone from getting in is it worth it? If it
is a highly important network that you are using wireless use a VPN on it to
require a user and a password to gain access. 

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Permalink | Reply | 0 comments |
headers
John Kampanellis | 2 Jan 2004 08:49
Picon
Picon

advice

Hi!

I know my question has already been asked, but I think that answers do
not follow the rule one size fit all.
What I would like, is the chance to get as much as I can from the
maturity and experience of the people joinning this list.

I come from Greece. I a holder of a diploma in Electrical and Computer
Engineering and I am about to finish my MSc in System and Network
Security, pursued in France. Considering, that I am about to finish my
internship, I have to thing what to do next. I decided that a first step
before entering the market, could be to get a certificate. But which
one? 

I am pationned with security and and I am very intersted in networks. My
opinion is that  being successful in the security domain, requires from
someone to have a very good knowedge of networks and systems.So my
questions are  the following:

1)Should I get a certificate in networks , i.e. CCNA? 
Since I have an MSc in security may be being certified in networking is
better.
I believe that I know 70% of what CCNA covers. However, may a
certificate may help me at the beginning of my carreer.

2)Should I get a ceritificate in security and in that case which one?
I know some of you would recommend me certificates such as:GIAC, CISSP,
CSSP.
However, the problem is that I don't thing there are centers in Greece
where I can get the exams.
(Continue reading)

Permalink | Reply | 1 comment |
headers
Shawn Jackson | 1 Jan 2004 01:05

RE: Traces


	Okdokie. Let's say I am pinging anything.org and its 5 hops
away. Let's also say that through a status route change (a BGP peer goes
down, etc) I'm being router through a different backbone, now
anything.org is 8 hops away due to that change. Great it's 8 hops away.

	Now, you have a DOS attack against two networks, your friends
and yours. Your friend detects that the attacker is 12 hops away. You
are suffering from the same attack and detect that it is 7 hops away.
Let's also assume that we've stripped the dynamic properties of the
Internet away and you know for a FACT that 11 hops away from him and 6
hops away from you is a SBC ATM Core. The last hop is unknown because
you can't garner that information without, at least, a netblock. The ATM
core can be connected to thousands of networks, using that information
you can only have a meager guess at which backbone provider the attack
is coming from.

	Now 20 hops away from me could be almost anywhere in the western
half of the world thanks to AT&T. The dynamic state of routes is what
complicates this technique. 12 hops for me can be 30 hops to you. The
all of a sudden it's 30 hops for me and 33 hops for you. Using the above
example say your ISP had to route though its backup Tier 1 connection
due to traffic load which leaves the backbone network in another state,
now instead of 7 hops you're up to 9. 

	TTL is not like miles it can't be efficiently measured. Routers
can be hundreds of miles apart, or a few feet. I can reach the Easter
half of the US in less hops then it takes me to get to Mexico, does that
means its closer, nope. Could I take a look at a TTL and say what state
it's in, nope.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Adam Hawliczek | 1 Jan 2004 01:10
Picon
Favicon

Simple Question ...

Hello there .. I have a very simple question to You ...
Can I encrypt a FAT32 partiton running over XP ?
I know that i can do this when i'm using NTFS but i prefered FAT and now i
think i could have a problem ..

If i sent this today -> Happy new year !
If not ... well Happy new year too ...

and once again you must forgive me my english i'm still working on it .

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Permalink | Reply | 7 comments |

Gmane