Thousands of Sacrificial Lambs

Problem:

• So you say 'hackers' are constantly knocking on the perimeter door to your network.

• You claim that they are trying to 'map' your network.

• You insist that they will cherry pick targets based on fingerprint data, wins/dns name, or other factors.

Proposition:

• Fill up a virtual machine host with hundreds to thousands of fake hosts that each have random fingerprint appearance and different name. They don't need to do anything except listen on a few ports (on a set of believable ports, to mimic a real OS), and maybe send a fake packet or two around (you know, like M$ boxes like to do because they get lonely.) A full blown app like vmware is overkill for this purpose. A perl script on five tiny embedded systems would suffice.

Just think of the possibilities.

1. Each would dilute any reconnaissance tool with bogus hosts


2. Each is indistinguishable from real hosts without attempting to check the function of each service for each address.


3. Each could also be setup to send alerts to your InfoSec dept when anyone attempts to connect to them; (only two categories of connectors: 1) misconfigured friendlies, and 2) bad guys.)


4. Every second the scanner spends poking around in these fake hosts, your real ones aren't touched.


5. You can brag about how many 'hosts' are on the network you manage.


6. If 'fancy' is your middle name, you could write a script that would forward connection attempts to a honeypot and attempt to grab a fresh piece of badware.

Thoughts?

P.S. I admit I partly stole this idea from Tom Liston's LaBrea tarpit.

Snap `Em Good

After trying out a window manager that forces windows to always be tiled (thus preventing any window from getting covered up by another) I realized how silly this idea is. The whole point of a windows based GUI system is to hide inactive panes and prominently display those in use.

But the seed was planted. The ability to line up windows with no gaps was beneficial in certain situations. Thanks to Steve Gibson of Security Now! for pointing out Allsnap.

Why freeways should be conveyor belts

I drive a pretty sizable distance every day to commute to work. I drive on a freeway most of the distance.

Freeways were poorly named. Congested freeways are anything but free of cars. They house traffic 'trends' such as 'packs' or 'squadrons' as well as 'stop and go' sections or often just convenient 'parking lot' areas while you attempt to get home before dark.
In an attempt to optimize this sad state of affairs affecting those of us in urban life, I have come up with the solution (which as I'm sure you've guessed by now since you read the title) is that all freeways should be replaced with conveyor belts.

Now, I don't mean the rubber & pulley wheel variety, I have in mind something more like the catapult system found on the flight decks of American super carriers. It seems so simple it just may work!

Each car would hook up to one of these at speed and "lock in" to a spot on the freeway 'belt.' That way, the belt is always moving at a constant speed, no one is able to weave in and out of lanes, it's impossible to have a fender bender, people can't use the margins on the side of the road as 'temp passing lanes,' maximum fuel efficiency for all cars is enforced and no one can speed!

It's a perfect solution! I just solved the top 5 highway issues with one ginormously expensive and implausible invention that everyone would hate.

I dare you to poke holes in my logic...

Pretty graphs for the malware detection (ftw?)

Security data visualization is definitely a promising and awesome way to look at your logs / ids alerts / firewall rules. I was recently introduced to secviz, a site showcasing the various graphing and plotting tools freely available to help visualize un-eye-popping log or plaintext data. Of particular interest to me was:

• How many times have you looked at a firewall rule set and collapse in anticipated mental exhaustion? Wouldn't it be much nicer if someone just drew a picture of that rats nest? Enter Ruined which makes prettyful things like this:

• Monitoring server load sounds like a job for another server to do (agh infinite loop!) but with a couple RGB values and some squiggly math, you can produce load reports that look like this!

Take a peek at secviz and get inspired. What else would you make pretty pictures of?

I sure miss grep in M$ Windows

At least, I used to! Check out this awesome utility for all your closed-source grepping needs!

Writing a DNS sniffer

Programming project: construct a program that can listen to perimeter traffic and construct http proxy-like logs. The weapon of choice? libpcap! The app will need to listen for both DNS (udp port 53) and HTTP (tcp port 80) traffic to accomplish this.

First up is determining where all the interesting bits in each layer of the OSI stack are located within each packet. In logical order:

• Ethernet Headers & Packet Structure

• IP Headers & Packet Structure

• UDP Headers & Packet Structure

• DNS Records and DNS Headers (about half way down)

With all that reference material, you might think this is a lot of reading! Okay, fine how about a copy and paste job? Tcpdump is the perfect place to exercise your mouse wheel click skillz to get all the data structures and defines you'll need.



One last useful tool that should be in every network programmers tool belt is of course, Wiershark (aka ethereal). In this case, it comes in handy to double check your program is disassembling the packets the same as Wireshark.

A BPF is used to speed up the filtering of interesting packets from useless ones and is passed in to the program as follows:

dns_sniffer "udp port 53"

When writing any network aware application, the best place to start for documentation is always going to be the applicable RFC for whatever protocol you plan to speak.

When figuring out what bitmasks were needed to mask out specific bits (namely the first two bits for parsing DNS compression) Conversion Table came in handy. I also found this handy page if you need to brush up on bitwise operations (I sure did, since I hardly use them.) And don't forget your ASCII-Table!

Have you ever wondered how your lonely little-endian wintel laptop / desktop is able to communicate over the same IP network to a big-endian speaking SPARC system? It certainly kept me up at night! See for yourself how it is able to work.

More to follow... (you know, like source code)

Windows Tune Up! (type: Auto-magic)

I don't know about you, but every time I reinstall Windows (you know, every 3 months or so) thanks to WinRot, I spend an hour or so reconfiguring Windows the way I like it.

In an effort to reduce that time, here is a bunch of windows registry tweaks which change a ton of things from window pop up times to NTFS cluster sizes. This file may also come in handy for first time installations on to new machines.

This file was started by one of my colleagues at work, so props attributed where they are due!

BIG DISCLAIMER: Please, Please, Please, review all the tweaks before you blindly run the file. Remember, trust but verify.

Download

Detecting bad TCP sessions

Here's an idea:

Why not develop a feature into personal firewalls that tracks active tcp sessions (via netstat) but with some intelligence. The idea behind intelligence is to not spam the poor user every single time an application wants to talk on the NIC. How would that work?

Well, it could associate keystrokes / clicks with network events. If there is a new tcp session established or new listening local port, challenge the user with the application name associated with said session or listening port.

It sounds so simple it just might work. Do you see any false-positive scenarios?

Hiking! Pt1

[gallery]

Some random shots I took while hiking with friends.

Hiking! Pt2

[gallery]

More hiking photos! Unmanipulated full sized images are only a click away!

Picture for Day

CSU Channel Island's new library in all it's night-shot glory!