Archive for the ‘LINKS’ Category.

FireWire’s physical memory access

Maximillian Dornseif’s Red Team: FireWire round-up has several links on using Firewire (IEEE 1394, Sony i.Link) to access physical memory, without any software cooperation from the target host. He just presented at the PacSec/core04 conference. He publishes sample code. He points out that this could be very useful for forensic analysis of live systems. He demonstrates how the technique can be used for privilege escalation or spying. He points to several security advisories that arose out of this discussion.

SLCT: Pretty good logfile reduction right out of the box

Looking for needles in enormous, bulky, repetitive haystacks? Many logfile reduction programs require an investment in tuning and tweaking. In contrast, SLCT, the Simple Logfile Clustering Tool, is useful right out of the box, with no tuning for specific logfile formats; it figures things out on its own. I was going to write something just like it (a generalization of previous logfile reducers I have done); now I can instead plan on improving on something that’s already pretty darned good (and fast and memory-conserving too).

[via the handy site LogAnalysis.Org]
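To show what “figuring things out on its own” looks like in practice, here is an added example (my own code, not SLCT’s) that implements the two-pass, frequent-word-position idea SLCT is built around: count which words occur at which token positions, keep the frequent ones, then group lines by the set of frequent (position, word) pairs they contain and print a wildcard template per group. The log lines are constructed for the example; support threshold, the `*` wildcard, and the decision to include line length in the cluster key are my simplifications, not SLCT’s exact behaviour.

```python
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOGS = [
    "sshd[1021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[1033]: Accepted password for bob from 10.0.0.9 port 51100 ssh2",
    "sshd[1040]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "sshd[1041]: Failed password for root from 198.51.100.7 port 40023 ssh2",
    "sshd[1042]: Failed password for admin from 198.51.100.8 port 40024 ssh2",
    "cron[220]: (root) CMD (run-parts /etc/cron.hourly)",
    "cron[221]: (root) CMD (run-parts /etc/cron.hourly)",
    "kernel: eth0: link is up",
]


def slct_cluster(lines, support=2):
    """Simplified SLCT-style clustering.

    Returns (clusters, outliers): clusters maps a wildcard template to the
    number of lines it covers; outliers are lines no frequent cluster explains.
    """
    tokenised = [line.split() for line in lines]

    # Pass 1: how often does each word appear at each token position?
    word_pos = Counter((i, w) for toks in tokenised for i, w in enumerate(toks))
    frequent = {key for key, n in word_pos.items() if n >= support}

    # Pass 2: a line's cluster candidate is the set of frequent (position, word)
    # pairs it contains; the line length is added so templates are well defined.
    candidates = Counter()
    members = defaultdict(list)
    for line, toks in zip(lines, tokenised):
        pairs = tuple((i, w) for i, w in enumerate(toks) if (i, w) in frequent)
        key = (len(toks), pairs)
        candidates[key] += 1
        members[key].append(line)

    clusters, outliers = {}, []
    for (length, pairs), n in candidates.items():
        if n < support or not pairs:
            outliers.extend(members[(length, pairs)])
            continue
        fixed = dict(pairs)
        template = " ".join(fixed.get(i, "*") for i in range(length))
        clusters[template] = n
    return clusters, outliers


if __name__ == "__main__":
    clusters, outliers = slct_cluster(SAMPLE_LOGS, support=2)
    for template, n in clusters.items():
        print(f"{n:4d}  {template}")
    print("outliers:", *outliers, sep="\n  ")
```

The reduction is the point: eight lines collapse to three templates, and the two lines that match no frequent pattern (a one-off kernel message and a login attempt for an account seen only once) surface as outliers, which is usually where an analyst wants to look first.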

Vixie on SANS on BIND vulnerabilities

Paul Vixie shares his Thoughts About “Protection Against BIND”, in which he reacts to the latest SANS Top 20 Vulnerabilities List, pointing out that there are no recent exploits, some of the configuration advice is lame or worse, and DDoS attacks on otherwise secure software are not a “vulnerability”.
While the SANS Top 10 and Top 20 lists have always been useful awareness tools and helpful basic guidance, there is always a tendency in a complex field for consensus guidance to turn to overgeneralized mush. Intelligent criticism like this is a good thing.

A story of SCADA, radio, and sewage

Computerworld (June 30, 2004):

When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government’s computerized waste management system.

Using software from his former employer, he released millions of gallons of raw sewage near the hotel grounds and into rivers and parks.

“He did this 46 times before he was caught,” notes Joe Weiss, a process-control cybersecurity expert and consultant at the Cupertino, Calif., office of Kema Consulting. “The first 20 [times], they didn’t even know it was cyber,” meaning an external attack launched using a computer, he says. “From 20 to 45, they finally figured it was cyber, but they didn’t catch him until 46.” Though this person never worked for the wastewater utility, he was still able to break into its supervisory control and data acquisition system, which was designed with a big security assumption in mind — that only insiders would want to access it.

More links to the same incident: The Register October 2001, ComputerWorld February 2006

Spam introspection

Georgetown University sends spam and faces the wrath of one of its own students.

I’m also getting a little tired of “call for paper” spam sent by otherwise-legitimate conference organizers to lists of web-harvested email addresses. My most frequent offenders will remain nameless for now, but only because I’m busy.

Just because you’re not a fraudulent criminal enterprise doesn’t mean you’re not a spammer.
It would not be a bad thing if everyone started worrying about CAN-SPAM being enforced against them.

Newsletter cartoons
has a pretty good selection of cartoons suitable for business presentations. You can browse by category; see, for example, security cartoons.
The artist, Ted Goff, licenses his work at various rates that depend on whether the use is for a presentation, newsletter, magazine, etc.

Victor Yodaiken on Security, Common Criteria

I happened across the web site of Victor Yodaiken, who had some piquant remarks on security (“Someone made serious money from construction of the Maginot line.”) and on the Common Criteria (giving a beautifully clear example of how they might be translated into plain, acronym-free English). Now if only he published an RSS feed; I don’t know of a currently open public scraper (myRSS is not accepting new feed requests).

Survivability of RHEL3 circa Nov 2003

Mark J Cox: Survivability:

So a full install of a Red Hat Enterprise Linux 3 box that was connected to the internet in November 2003 even without the firewall and without receiving updates would still remain uncompromised (and still running) to this day.

It’s not to say that a RHEL3 user couldn’t get compromised – but that’s not the point of the survivability statistic. In order to get compromised, a user would have to have either enabled anonymous rsync, SWAT, or be running an open CVS server, none of which are default or common. Or a user would have to take some action like visiting a malicious web site or receiving and opening a malicious email.
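The three non-default services Cox names (rsync, SWAT, cvspserver) are all things an administrator would normally switch on through xinetd, so the practical check is “did anyone enable them?”. Here is an added example, my own code rather than anything from Red Hat or the post, that parses xinetd-style service blocks and reports which of those three are enabled. The config snippets are constructed for the example; it assumes xinetd’s convention that a service is enabled unless `disable = yes`, and it reads from strings rather than `/etc/xinetd.d/` so it runs anywhere.

```python
import re

# Constructed xinetd-style config snippets (not from a real RHEL3 host).
SAMPLE_XINETD = {
    "rsync": (
        "service rsync\n{\n"
        "\tdisable\t= no\n\tsocket_type = stream\n"
        "\tserver = /usr/bin/rsync\n\tserver_args = --daemon\n}\n"
    ),
    "swat": "service swat\n{\n\tdisable = yes\n\tport = 901\n\tserver = /usr/sbin/swat\n}\n",
    "cvs": "service cvspserver\n{\n\tdisable = no\n\tserver = /usr/bin/cvs\n}\n",
}

# The services the post singles out as the realistic remote entry points.
RISKY_SERVICES = {"rsync", "swat", "cvspserver"}


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for each `service X { ... }` block."""
    services = {}
    for match in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = match.group(1), match.group(2)
        attrs = {}
        for line in body.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services


def enabled_risky_services(configs):
    """Names of RISKY_SERVICES that are enabled (xinetd default: enabled unless disable = yes)."""
    found = []
    for text in configs.values():
        for name, attrs in parse_xinetd(text).items():
            if name in RISKY_SERVICES and attrs.get("disable", "no").lower() != "yes":
                found.append(name)
    return sorted(found)


if __name__ == "__main__":
    # On a real host you would read each file under /etc/xinetd.d/ into this dict.
    print("enabled risky services:", enabled_risky_services(SAMPLE_XINETD))
```

Note the default in `attrs.get("disable", "no")`: a block that omits `disable` entirely is live, which is the case that a grep for `disable = no` would miss.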

EarthLink SIPshare

EarthLink SIPshare: SIP-based P2P Content Sharing Prototype contributes an open-source P2P prototype favoring end-to-end principles:

EarthLink believes an open Internet is a good Internet. An open Internet means users have full end-to-end connectivity to say to each other whatever it is they say, be that voice, video, or other data exchanges, without the help of mediating servers in the middle whenever possible. We believe that if peer-to-peer flourishes, the Internet flourishes. SIPshare helps spread the word that SIP is more than a powerful voice over IP enabler — much more. SIP is a protocol that enables peer-to-peer in a standards-based way.

The emerging ubiquity of SIP as a general session-initiation enabler provides a rare opportunity to offer users all manner of P2P applications over a common protocol, instead of inventing a new protocol for each new P2P application that comes along.

[via Many-to-Many]

Exposing Digital Forgeries by Detecting Duplicated Image Regions

Dartmouth TR2004-515:

We describe an efficient technique that automatically detects duplicated regions in a digital image. This technique works by first applying a principal component analysis to small fixed-size image blocks to yield a reduced dimension representation. This representation is robust to minor variations in the image due to additive noise or lossy compression. Duplicated regions are then detected by lexicographically sorting all of the image blocks. We show the efficacy of this technique on credible forgeries, and quantify its robustness and sensitivity to additive noise and lossy JPEG compression.

[via Simson Garfinkel]
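The core of the Dartmouth technique is the sort: put every small image block into a list, sort the list, and duplicated regions show up as runs of identical neighbours whose positions differ by the same offset. The added example below (my own code, not the paper’s) does exactly that on a constructed 16×16 grayscale image with a 6×6 region pasted elsewhere. It skips the paper’s PCA step and sorts raw pixel blocks, so it finds exact duplicates only; the PCA reduction is what makes the published method tolerate noise and JPEG recompression. Block size, the minimum shift, and the vote threshold are my parameters.

```python
import random
from collections import Counter


def make_noise_image(size=16, seed=1):
    """Constructed sample: a deterministic noisy grayscale image (list of rows)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


def plant_copy(img, src, dst, n):
    """Return a copy of img with the n×n region at src pasted at dst (the forgery)."""
    out = [row[:] for row in img]
    (sr, sc), (dr, dc) = src, dst
    for i in range(n):
        out[dr + i][dc:dc + n] = img[sr + i][sc:sc + n]
    return out


def extract_blocks(img, b):
    """All overlapping b×b blocks as (pixel_tuple, row, col)."""
    h, w = len(img), len(img[0])
    return [
        (tuple(img[r + i][c + j] for i in range(b) for j in range(b)), r, c)
        for r in range(h - b + 1)
        for c in range(w - b + 1)
    ]


def detect_copy_move(img, b=4, min_count=3, min_shift=None):
    """Lexicographically sort blocks; identical neighbours vote for an offset.

    Returns {(drow, dcol): votes} for offsets with at least min_count votes.
    """
    if min_shift is None:
        min_shift = b  # ignore near-identical neighbours from flat texture
    blocks = sorted(extract_blocks(img, b))  # sort by pixel content, then position
    votes = Counter()
    for (v1, r1, c1), (v2, r2, c2) in zip(blocks, blocks[1:]):
        if v1 != v2:
            continue
        dr, dc = r2 - r1, c2 - c1
        if max(abs(dr), abs(dc)) < min_shift:
            continue
        votes[(dr, dc)] += 1
    return {off: n for off, n in votes.items() if n >= min_count}


if __name__ == "__main__":
    clean = make_noise_image()
    forged = plant_copy(clean, src=(2, 2), dst=(9, 8), n=6)
    print("clean :", detect_copy_move(clean))
    print("forged:", detect_copy_move(forged))
```

Counting votes per offset rather than reporting every matching pair is what separates a pasted region from coincidental repeats: a genuine copy produces many block pairs that all agree on one shift (here nine 4×4 blocks fit inside the 6×6 patch, all at offset (7, 6)), while chance matches scatter across offsets and fall below the threshold.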