Re: Dsniff/mailsnarf

2004-02-24 Thread tps
On Tue, Feb 24, 2004 at 05:20:01PM -0600, elijah wright wrote:
> 
> > > I've been asked to place a sniffer on a network that handles HIPAA
> > > data, and watch for e-mail containing certain strings. I figured that
> > > mailsnarf would be the best way to do this.
> > >
> > Aside from any of the technical details of this, I'm kind of wondering
> > how this fits into HIPAA and its policies.
> >
> > I'd be sure that if I were you, I'd have written evidence of someone (a
> > boss/supervisor/etc) ordering this kind of behaviour and also my
> > objection to sniffing data that might be confidential under HIPAA.
> 
> sounds like he's being asked to sniff to make SURE that no one is stupid
> enough to email hipaa-covered data out.

Correct.

Tim

-- 
>> Tim Sailer (at home)                 ><  Coastal Internet, Inc.         <<
>> Network and Systems Operations       ><  PO Box 726                     <<
>> http://www.buoy.com                  ><  Moriches, NY 11955             <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED]  ><  (631)399-2910  (888) 924-3728  <<



Re: Dsniff/mailsnarf

2004-02-24 Thread tps
On Tue, Feb 24, 2004 at 06:19:48PM -0500, John Keimel wrote:
> On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
> > I've been asked to place a sniffer on a network that handles HIPAA data,
> > and watch for e-mail containing certain strings. I figured that mailsnarf
> > would be the best way to do this.
> > 
> Aside from any of the technical details of this, I'm kind of wondering
> how this fits into HIPAA and its policies.

Certain info has to be protected.

> I'd be sure that if I were you, I'd have written evidence of someone (a
> boss/supervisor/etc) ordering this kind of behaviour and also my
> objection to sniffing data that might be confidential under HIPAA.

I have a very nice contract, complete with a very detailed scope of work,
which my lawyer has OKed.

> This just sounds wrong all around. I'd suggest significant amount of
> C.Y.A. activity on your part. 

There's no CYA. I'm being asked to verify that there is no HIPAA
information that is leaving the site, accidentally or otherwise. There
is a nice defined set of keywords that would be used in any of the
documentation (it's a testing Lab). If the capture file size *ever*
goes above 0 bytes, they have a problem. That's all I'm involved with.
I want *nothing* to do with the actual data. I'm just setting up a
system that will notify certain people if there is a 'leak', and
they can go in and figure out what happened.

Tim





Dsniff/mailsnarf

2004-02-24 Thread tps
I've been asked to place a sniffer on a network that handles HIPAA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.

Right.

In testing, if I run:

mailsnarf -i eth2 . "tcp" 

I get all email.

If I run

mailsnarf -i eth2 ".*STD.*" "tcp", I get nuttin, even though I send
email containing that string. Any pointers from anyone?

Tim

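The keyword-triggered leak monitor that Tim describes in his reply (alert when anything matches, hand over nothing but the fact of a match), together with the keyword question in the message above, as an added example; this is not code from the thread or from dsniff/mailsnarf. The keyword set, the addresses and the three sample messages are constructed for the demonstration. Matching is done on the parsed and decoded message rather than on raw wire bytes, so a keyword inside a base64-encoded body is still caught, and the alert record carries headers and hit names only, never the body.

```python
"""Keyword leak monitor over captured mail: alert on metadata, never keep the body."""
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed keyword set (constructed); the lab's real list is not on the page.
# "STD" is the string the thread's test message used.
KEYWORDS = ("STD", "HIPAA", "patient")
# Word boundaries and case-sensitive matching, so "stdin"/"stdout" do not alert.
KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b")


def _searchable_text(msg: EmailMessage) -> str:
    """Subject plus every text/* part, with base64/quoted-printable removed."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart() or not part.get_content_type().startswith("text/"):
            continue
        chunks.append(part.get_content())  # decodes the transfer encoding
    return "\n".join(chunks)


def scan_message(raw: bytes) -> Optional[dict]:
    """Return an alert record (headers and hit names only) or None if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = sorted(set(KEYWORD_RE.findall(_searchable_text(msg))))
    if not hits:
        return None
    return {
        "message_id": str(msg.get("Message-ID", "<missing>")),
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "keywords": hits,
    }


def scan_capture(messages: list) -> list:
    """Alerts for a captured batch; an empty list is the 'capture stayed at 0 bytes' case."""
    return [alert for alert in map(scan_message, messages) if alert]


# Constructed sample traffic: a plain leak, the same leak base64-encoded, and a clean mail.
_HDR = b"From: alice@lab.example\r\nTo: bob@outside.example\r\nSubject: results\r\n"
_BODY = b"STD panel results for patient 4471 attached.\r\n"
PLAIN_MSG = _HDR + b"Message-ID: <c1@lab.example>\r\nContent-Type: text/plain\r\n\r\n" + _BODY
ENCODED_MSG = (_HDR + b"Message-ID: <c2@lab.example>\r\nContent-Type: text/plain\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(_BODY) + b"\r\n")
CLEAN_MSG = _HDR + b"Message-ID: <c3@lab.example>\r\nContent-Type: text/plain\r\n\r\nLunch at noon?\r\n"

if __name__ == "__main__":
    for alert in scan_capture([PLAIN_MSG, ENCODED_MSG, CLEAN_MSG]):
        print("LEAK", alert)
```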



Re: Attempts to poison bayesian systems

2003-12-23 Thread tps
On Tue, Dec 23, 2003 at 01:25:30PM +, Dale Amon wrote:
> I've been noticing loads of mails like this lately:
> 
>   Date: Sun, 21 Dec 2003 16:25:34 +0500
>   From: "Joseph Jenkins" <[EMAIL PROTECTED]>
>   Subject: Re: MIT, rest in peace!
>   To: [EMAIL PROTECTED]
>   X-Mailer: mPOP Web-Mail 2.19
> 
>   emery atrocious larval drippy elate incontrollable raster anglicanism
>   checkerberry feed sit ajar saturable decathlon
>   already climate inhibition pagoda narcissus expository toni
> 
> I can only assume someone out there is trying to attack
> bayesian systems by loading them up with all sorts of
> normal words so that good mail gets false positives, thus
> breaking the systems.
> 
> I presume others are seeing this?

Yup. Thousands each day. I've gone through and used an exim system filter
to at least block the email from being delivered (there's usually a
link to a site in the email). I'm not sure what to do about the
bayesian poisoning of Mailscanner.

Tim




Re: snort, where to listen?

2003-05-15 Thread tps
On Fri, May 16, 2003 at 09:49:32AM +0200, [EMAIL PROTECTED] wrote:
> Hi all,
> 
> I just installed Snort IDS on my firewall Debian box which is so configured:
> 
> eth0 10.0.0.1 (serves internal LAN)
> eth1 192.168.100.1 (directly connected to an ADSL modem auto-connecting to
> the provider with IP 192.168.100.2)
> 
> I run snort on eth1 NOT in promiscuous mode and I send periodic email
> reports to me.
> 
> The problem is that I receive messages from the kernel (firewall) indicating
> some "action" blocked from the internet, but snort never shows up anything
> in its reports.
> 
> Could someone tell me if I misconfigured the system and, please, a possible
> right configuration?

That would all depend on how you have Snort configured (ruleset) and
what the actual kernel messages say. Just because you block an unwanted 
connection to a certain port doesn't mean the connection attempt matched
a rule. Also, if it was blocked by the kernel, snort may have never
seen it, since you are not in promisc. mode, IIRC.

Tim




Re: HELP, my Debian Server was hacked!

2003-04-24 Thread tps
On Thu, Apr 24, 2003 at 04:02:56AM +0100, Dale Amon wrote:
> On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote:
> > Obviously steps should be in place to mitigate the damage of these sorts
> > of acts.  Have steps in place to quickly replace machines that have to be
> > removed from production quickly and without warning.  Use syslog to log
> > locally AND remotely.  Have a backup of all your logs.  The smart attacker
> > will have covered their tracks.
> 
> I'd go further. If you know the machine has been
> hacked, pull the ethernet, copy the disks and swap to
> CD if you have time...
> 
> Then just wipe it and re-install. It's a very rare
> facility that actually has time for forensics. Places
> with deep enough pockets to have a senior person 
> grepping swap disks and reconstructing activity on
> one single machine and taking perhaps days or even
> weeks to do it.
> 
> It just doesn't happen very often.

There are those of us that actually do this kind of stuff for hire,
as long as we can get good images of the disk and /proc. dd is best.

Tim

-- 
>> Tim Sailer (at home)                 ><  Coastal Internet, Inc.         <<
>> Network and Systems Operations       ><  PO Box 671                     <<
>> http://www.buoy.com                  ><  Ridge, NY 11961                <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED]  ><  (631)924-3728  (888) 924-3728  <<



Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread tps
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
> Quoting seph ([EMAIL PROTECTED]):
> 
> > depends what you mean by free. Are you aware of openafs?
> > http://www.openafs.org
> 
> That is of course derived from the IBM Transarc software.  Hmmm.  Some
> while back, I'd been led to believe that only client-end software was
> available in open source.  A quick perusal of that site plus some Google
> hits suggests that such is not the case now, if it ever was.  Can
> someone confirm from experience that AFS can be done with all open
> source, both ends?  (Yes, I do consider IBM PL code to qualify.)

Yes, both sides are fully open source now.

Tim




Re: machine monitoring packages

2003-02-13 Thread tps
On Thu, Feb 13, 2003 at 02:59:26PM +, gabe wrote:
> I would like to know what ppl think is the best package for monitoring
> servers, at my last work place they were installing "mon".  In my new
> job they use Nagios, which I'm not too sure about due to the fact that
> installation / configuration goes wrong.  Most importantly there's no
> deb package for Nagios which makes me not wanna use it in the first place.

mon is better for up/down and service response, nagios is great for
up/down on machines/services, and trending...

Tim




Re: securing pop3

2003-02-08 Thread tps
On Sat, Feb 08, 2003 at 03:23:33PM +0100, Kristof Goossens wrote:
> Hello all,
> 
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well, they
> can have a pop3 account, but no other access whatsoever...
> 
> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: "Is it possible to create a pop3 account
> without needing to modify the /etc/passwd file?"

Use Perdition, the pop/imap proxy. They should only know the machine that
is running the proxy, and you can point it to whatever server you want,
and they shouldn't know about it. Or, you can use one of the 'sealed servers'
like Cyrus.

Tim

