Archive for August, 2006

FreeSBIE: A FreeBSD Live CD

Friday, August 25th, 2006

If you read my article the other day titled VSFTPd on FreeBSD, you’ll remember that the reason I went through the install of vsftpd was to move some data from an older machine to a newer machine for archival purposes. Well, last night I found myself in a similar situation except this machine wouldn’t even boot into Windows 98. Explorer.exe failed right off the bat but left a pretty turquoise background on the monitor for me to stare at wondering how I was going to get this non-profit’s data off the hard drive.

I did not want to remove the drive from the PC in question and install it in one of my PCs to burn the data to a CD so I was looking for some alternatives. Since the PC wouldn’t boot successfully into Windows, I couldn’t use my external USB hard drive to copy the data off like I ended up doing the other night and I couldn’t install an FTP client to move it either. My options were looking pretty grim until I thought about using a live CD.

Since I am currently a FreeBSD fanboy, I decided to hunt down a project I had heard about a while ago, FreeSBIE, a FreeBSD based live CD distribution. I downloaded the ISO, burnt it to a CD, and booted the old PC up without a hitch.

(more…)

Look at all these passwords!!

Thursday, August 24th, 2006

From Security Monkey:

Look At All Of These Passwords!
Posted 8/21/2006 by SecurityMonkey (Information Security Investigator)

If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider’s webmail service, you may not be aware that you’re sending your credentials over the internet in the clear.

Some sites appear to secure your credentials, but they really don’t. Some offer SSL sign-ins, but don’t make them the default. Others don’t even make an attempt to use proper SSL encryption or any attempt to obscure the credentials.

Remember the wall of sheep from DefCon? All of those people that kept logging into net resources assuming that nobody was listening? They were wrong!

Let’s look at a couple of great examples of sites that have really awful security design, and see exactly how easy it is to steal credentials if you have access to the wire. These were obtained using nothing more than a linux laptop, a cable modem, ettercap (running ARP spoof and MiM gateway) and a bit of coffee.

Read the rest of this entry »

Dynamic DNS and FreeBSD

Tuesday, August 22nd, 2006

I have a couple of boxes (boxen?) at home that I like to access remotely. My broadband provider is really good about a.) not having connectivity issues, and b.) rarely changing my IP addresses. However, I have issues with using Dynamic DNS providers, specifically DynDNS.org, as they will remove your free account if you do not send an IP update at least once a month. Well, having dynamic DNS configured on my routers doesn’t do me any good because they will only send an update to DynDNS.org if the external IP address changes, which it hasn’t in a very long time. Therefore, my DynDNS.org account is constantly being removed and I have to set it up again.

I know, you’re thinking if the IP never changes, why use dynamic DNS, right? Well, it does change from time to time and I don’t want to pay for a hosted DNS service, no matter how cheap.

While reading Richard Bejtlich’s blog the other day, TaoSecurity, I noticed he did a review on the recently released book Building an Internet Server with FreeBSD 6 by Bryan J. Hong. Since I am very interested in FreeBSD, and still new to a lot of the concepts and abilities of the OS, I decided I would buy it, especially since Richard gave it 4 stars on Amazon.com.

Thumbing through the book initially I noticed a chapter on a tool called ddclient, a dynamic DNS update tool for FreeBSD, Linux, and I’m guessing anything that can run Perl and has a connection to the Internet. Since my routers don’t update DynDNS.org frequently enough I felt that this tool was worth looking into. It works like a champ and here is a little how-to for setting this up on your machines to update your external IP with DynDNS.org, although it can be configured to work with other dynamic DNS providers.

(more…)
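For reference, here is what a ddclient configuration for the setup described above looks like. This is an added example, not the how-to from the post itself: the login, password and hostname are placeholders, the file path is where the FreeBSD port puts its config, and the ssl line assumes a ddclient build with SSL support.

```conf
# Added example, not the post's own configuration.
# The FreeBSD port reads /usr/local/etc/ddclient.conf; keep it mode 600,
# since it holds your DynDNS password in the clear.
daemon=600                      # run as a daemon and re-check every 10 minutes
syslog=yes                      # log update results to syslog
pid=/var/run/ddclient.pid
ssl=yes                         # send the credentials over HTTPS instead of plain HTTP
                                # (assumes your ddclient build has SSL support)

# The boxes sit behind a router, so ask an outside service for the public
# address instead of reading a local interface (use=if would return the
# private RFC 1918 address).
use=web, web=checkip.dyndns.org/, web-skip='IP Address'

# Send an update even when the address has not changed, so the free
# account is never left more than a month without one.
max-interval=25d

# DynDNS.org dynamic host
protocol=dyndns2
server=members.dyndns.org
login=your-dyndns-login         # placeholder
password='your-dyndns-password' # placeholder
yourhost.dyndns.org             # placeholder: the hostname to keep updated
```

Before letting the daemon loose, run a single update by hand with `ddclient -daemon=0 -debug -verbose -noquiet` and read what it says; a wrong password or a hostname you do not own shows up as a `badauth` or `nohost` reply from DynDNS rather than a silent failure. Then enable the port’s rc.d script (ddclient_enable="YES" in /etc/rc.conf) so it starts at boot.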

VSFTPd on FreeBSD

Tuesday, August 22nd, 2006

This evening I needed to move some files from a friend’s old PC to one of mine for archival purposes. I could have easily used an external USB drive to accomplish this task, but what fun is that?! I wanted to setup an FTP server on one of my FreeBSD boxes so I could move the files from the old PC to the server and then retrieve them from one of my desktop machines.

I got to looking on the AA blog to see if I had documented this before. I knew I had installed and configured an FTP server on FreeBSD before and didn’t want to duplicate the content on the blog unnecessarily. My searches turned up the An Affordable Surveillance System post I wrote a while back but I didn’t document the FTP software install or configuration, only the inetd configuration. I will attempt to make sense of the whole process in this one post. Don’t be upset if the whole procedure takes only a few minutes for setting up a simple FTP server on FreeBSD.

(more…)

Java Hurts my Head

Monday, August 21st, 2006

I have two users with Java app problems that are very similar and I am out of tricks, so…

Symptoms:

We use Java 1.3 runtime for our web based payroll time clock. This part works without fail. We also have Java 1.4 or 1.5 runtimes, but not both at the same time, for new Java apps. On the two computers I can log in with my domain creds and the Java apps work fine, but when the users log in as themselves the apps won’t work. They start to load and then stop. The users can go to another computer in the same network and the apps work fine for them. I have tried removing and reinstalling, and changing versions of Java to no avail. Also, I have removed (copied to my profile or renamed and removed the users rights to the profile) the users’ local profiles and let them log in and create new profiles and the apps still won’t work. Both users are local Admins of the box. So the users cannot use the newer Java apps on their computer logged in as themselves.

Do any of you have a solution, or have I confuzzled the description?

Syngress books for 9 bucks!

Sunday, August 20th, 2006

I originally heard about this on Richard Bejtlich’s blog, http://taosecurity.blogspot.com/.

Wow! 9 dollars for a Syngress book? If you’ve been wanting new material to read, now’s definitely the time to get it.

I just ordered a book that’s been on my wish list for a while, Zero-Day Exploit: Countdown to Darkness. It’s a fictional cyber terrorism kind of book that got 4 1/2 out of 5 stars.

I would have got the Stealing the Network books, but I already own them and have read all of them multiple times. I can’t wait for the 4th and final book to be released.

If you haven’t read any of the Stealing the Network series, YOU HAVE TO. Remember, it’s a series so make sure you start with the first book. The story line is great and the mix of technical and non-technical content seems to flow very well. You really can’t go wrong with a book that was written by the very best security guys around. The list of authors that contributed to these books is outstanding.

And now that you can own three of the four books in the series for just 9 bucks apiece, you really have no excuse not to buy them.

OK, enough rambling, here’s the links to the books:

Stealing the Network: How to Own the Box
Stealing the Network: How to Own a Continent
Stealing the Network: How to Own an Identity

Happy reading!

Very cool flash game

Sunday, August 20th, 2006

This has got to be one of the coolest flash games I’ve played in a long time.

http://www.deviantart.com/view/36706349/

If you’re like me and you like to hang on to stuff like this in case it disappears in the future, make sure you download it using the download link at the top left.

Here are a few other flash games that I’ve run across:

http://www.addictinggames.com/kittencannon.html
Just got 1200ft after about 20 tries. Press the spacebar after you’ve died to start over … you don’t need to click on Continue.

http://www.addictinggames.com/bowman.html

As with any flash games, if you want a bigger game to play and you don’t like looking at all of the advertisements, view the source of the page and search for ’swf’. Once you find the link to the flash game, just copy and paste it into your address field and you’ll not only be able to play a bigger version of the game, but you’ll also be able to save it.

Got any flash games you can’t live without?

Portable PuTTY

Saturday, August 19th, 2006

I recently acquired a new 2GB USB key (an upgrade from my 256MB one) and have been trying to convert a lot of my applications so they’re more portable.

My first goal was to convert PuTTY into a portable app so I can have my same list regardless of where I am. Turns out there are instructions for this in the PuTTY documentation.

First, you’ll want to pull your existing list of PuTTY sites:

regedit /ea putty.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY

Next, you’ll want to create a batch file that will launch a couple of .reg files:

@ECHO OFF
REM load the saved sessions from the USB key into the registry
regedit /s putty.reg
REM tell PuTTY where to keep its random seed file
regedit /s puttyrnd.reg
REM run PuTTY and wait until it exits
start /w putty.exe
REM export whatever PuTTY saved back to the USB key
regedit /ea new.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
copy new.reg putty.reg
del new.reg
REM remove PuTTY's settings from this machine again
regedit /s puttydel.reg

Finally, the reg files:

puttyrnd.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="c:\\putty.rnd"

puttydel.reg

REGEDIT4

[-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]

The putty.reg file is the one you’ll create from your current list of sites. Keep in mind that it holds everything under that registry key: hostnames, usernames and, if you use a proxy, the proxy password, which PuTTY stores in plain text. Anyone who picks up the USB key gets all of it.

You’ll want to make sure that you have access to write to the location where you’re going to store your PuTTY random seed file in the puttyrnd.reg file. I chose C: but if you plan on using this at a public computer, you probably won’t have access to the C: drive so you’ll need to choose another location (the USB key itself is the obvious one). Two other things to watch for: on many locked-down public machines regedit is disabled by policy, in which case none of these scripts will run at all; and puttydel.reg removes the whole PuTTY key, so if the Windows account you borrow already had its own saved sessions, they are gone when you leave.

You can find the entry for this in the PuTTY documentation at http://the.earth.li/~sgtatham/putty/0.58/puttydoc.txt in section 4.24, Storing configuration in a file.
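A fuller version of the launcher, added here as an example rather than the script from the PuTTY docs or the post above: it keeps the seed file on the USB key, backs up any PuTTY settings the host account already had before importing yours and puts them back afterwards, and uses %~dp0 so it runs from whatever drive letter the key happens to get. It assumes Windows XP or later (for reg.exe and %~dp0), that putty.exe, putty.reg and puttydel.reg sit in the same folder as the batch file, and it writes its own puttyrnd.reg on the fly instead of using the static one above.

```batch
@ECHO OFF
REM Portable PuTTY launcher (added example, not from the original post).
REM Assumes putty.exe, putty.reg and puttydel.reg are in the same folder
REM as this batch file; %~dp0 is that folder, including the trailing backslash.
SETLOCAL
SET PDIR=%~dp0
SET PKEY=HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
SET HOSTBAK=%TEMP%\putty-host-backup.reg
SET RNDREG=%TEMP%\puttyrnd.reg

REM 1. If this Windows account already has PuTTY settings, save them and
REM    clear the key, so they are neither merged into nor wiped by our list.
SET HADKEY=0
reg query "%PKEY%" >nul 2>&1
IF NOT ERRORLEVEL 1 (
    SET HADKEY=1
    regedit /ea "%HOSTBAK%" "%PKEY%"
    regedit /s "%PDIR%puttydel.reg"
)

REM 2. Load the portable session list, then point the random seed file at
REM    the USB key (backslashes must be doubled inside a .reg string).
regedit /s "%PDIR%putty.reg"
(
    ECHO REGEDIT4
    ECHO.
    ECHO [%PKEY%]
    ECHO "RandSeedFile"="%PDIR:\=\\%putty.rnd"
) > "%RNDREG%"
regedit /s "%RNDREG%"

REM 3. Run PuTTY and wait for it to exit.
start /w "" "%PDIR%putty.exe"

REM 4. Save any changed or new sessions back to the key, then clean up.
regedit /ea "%PDIR%new.reg" "%PKEY%"
IF EXIST "%PDIR%new.reg" (
    copy /y "%PDIR%new.reg" "%PDIR%putty.reg" >nul
    del "%PDIR%new.reg"
)
regedit /s "%PDIR%puttydel.reg"

REM 5. Put the host account's own settings back, if there were any.
IF "%HADKEY%"=="1" (
    regedit /s "%HOSTBAK%"
    del "%HOSTBAK%"
)
del "%RNDREG%"
ENDLOCAL
```

The backup file is written to the host’s %TEMP% and deleted again at the end, so nothing from the host account ends up on the USB key, and nothing from the key is left on the host except the seed file, which now lives on the key as well.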

Quick Question.

Friday, August 11th, 2006

I am deep in the trenches right now trying to battle some dirty virus problems and have a simple question. I am looking for a way to scan the running processes on every computer in my domain and look for a certain pattern. Currently, I am using Hyena to look at them one at a time and it is just taking too long.

It is a long story and I will recap what has happened when I get the fire out.

Thanks in advance to anybody that can help.

Jason
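One way to do what the post asks with nothing but the tools already on a Windows XP/2003 domain workstation, added here as an example (it is not from the original post): tasklist can query a remote machine over RPC, so a batch file can walk a host list, pull each process table and grep it with findstr. It assumes a hosts.txt in the current directory with one hostname per line (built from net view output or an export from Hyena), that the account running it is an admin on the targets, and that the pattern is a findstr regular expression matched against tasklist’s CSV output.

```batch
@ECHO OFF
REM Added example (not from the original post): query the process list of
REM every host in a text file and report those with a matching image name.
REM Assumptions: Windows XP/2003 tasklist.exe, hosts.txt holds one hostname
REM per line (lines starting with # are skipped), and the account running
REM this has admin rights on the targets. The pattern is a findstr regex.
SETLOCAL
IF "%~1"=="" (
    ECHO usage: %~nx0 findstr-pattern [hosts.txt]
    ECHO    eg: %~nx0 "suspect\.exe" hosts.txt      ^(placeholder pattern^)
    EXIT /B 1
)
SET PATTERN=%~1
SET HOSTS=%~2
IF "%HOSTS%"=="" SET HOSTS=hosts.txt
SET LOG=procscan.log
SET TL=%TEMP%\procscan-tasklist.txt

ECHO Scan started %DATE% %TIME%, pattern: %PATTERN% > "%LOG%"
FOR /F "usebackq eol=# tokens=1" %%h IN ("%HOSTS%") DO (
    ECHO Querying %%h ...
    REM CSV rows, no header: "Image Name","PID","Session Name","Session#","Mem Usage"
    tasklist /s %%h /fo csv /nh > "%TL%" 2>&1
    REM tasklist prints "ERROR: ..." when the host is down, firewalled or
    REM refuses us; record that rather than silently reporting no match.
    findstr /b /c:"ERROR:" "%TL%" >nul
    IF NOT ERRORLEVEL 1 (
        ECHO %%h: query failed ^(offline, firewalled or access denied^) >> "%LOG%"
    ) ELSE (
        findstr /i /r /c:"%PATTERN%" "%TL%" >nul
        IF NOT ERRORLEVEL 1 (
            ECHO %%h: MATCH >> "%LOG%"
            findstr /i /r /c:"%PATTERN%" "%TL%" >> "%LOG%"
        )
    )
)
IF EXIST "%TL%" DEL "%TL%"
ECHO Done, results in %LOG%
ENDLOCAL
```

Hosts that could not be queried are listed separately from hosts with no match, which matters during an outbreak: a box that has dropped off the network or started refusing admin connections is exactly the one you want to go and look at.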

Who is Digital Infinity, LTD?

Thursday, August 10th, 2006

I was digging through the AA web server logs this afternoon and noticed that IP address 208.66.195.3 is the top visitor so far this month with 3,795 hits, 3,436 files, and 50,093 kilobytes pulled down but only 1 visit, according to Webalizer. I did a WHOIS query on the IP address and came up with:

[cross@xsmp /usr/home/cross]$ whois 208.66.195.3
McColo Corporation MCCOLO (NET-208-66-192-0-1)
208.66.192.0 - 208.66.195.255
Digital Infinity Ltd DIGITALINFINITY (NET-208-66-195-0-1)
208.66.195.0 - 208.66.195.15

# ARIN WHOIS database, last updated 2006-08-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

So, who is Digital Infinity, LTD? I did some Google searches and found these three posts on blogs and forums asking the same thing:

http://www.ihelpyou.com/forums/showthread.php?s=20e9…
http://blog.cihar.com/archives/2006/06/13/i_must_be…
http://erichw33.proboards53.com/index.cgi?action=display&boa…

I did a little more searching and came across this guy’s story:

http://72.9.248.34/~z3600011/index.htm

He claims that after sending a fax to someone in Russia he started seeing this stuff in his web server access logs. Remember in April 2006 when the Russians were very frequent visitors to our site?

I also found some information on the crawler these guys seem to be using. It seems to be a crawler named “Psycheclone”. Here are two links I found referring to this crawler and the IP:

http://www.webmasterworld.com/forum11/3269.htm
http://en.wikipedia.org/wiki/Psycheclone

So, is it all just a harmless crawler, caching e-mail addresses off of unsuspecting web sites? If it is, it isn’t presenting itself to my web server as “Psycheclone”. Maybe it is time for a robots.txt file to block this little fella… Or maybe an Apache or similar access rule to deny access to their net-block… Or maybe I need to take my medication so I’m not so paranoid! :)
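Of the two options, only the access rule actually keeps them out: robots.txt is advisory, and a crawler that does not even send its own user-agent is not going to read it. Here is what the Apache rule looks like for the ranges in the WHOIS output above, as an added example rather than anything from the post. It uses the mod_access syntax of Apache 1.3 and 2.0, and the directory path is an assumption (the FreeBSD port’s default DocumentRoot).

```apache
# Added example, not from the original post. Apache 1.3 / 2.0 mod_access
# syntax; /usr/local/www/data is assumed to be the DocumentRoot.
<Directory "/usr/local/www/data">
    # With Order Allow,Deny a request matching both lists is denied,
    # so everyone is allowed in except the ranges listed below.
    Order Allow,Deny
    Allow from all
    # Digital Infinity Ltd: 208.66.195.0 - 208.66.195.15 (16 addresses = /28)
    Deny from 208.66.195.0/28
    # To drop the whole McColo allocation instead (208.66.192.0 - 208.66.195.255):
    # Deny from 208.66.192.0/22
</Directory>
```

Run `apachectl configtest` before restarting, then watch the access log: the hits from 208.66.195.3 should now show a 403 status instead of 200, which also makes them easy to count and trivially cheap to serve compared with 50 megabytes of real content.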