Re: Can anyone break MD5 scheme?
Hello,

> As for MD5, to the best of my knowledge, brute force is the only way to
> 'crack' it... however I have heard rumors that some implementations are
> weaker than others.

Brute force is the least efficient attack against MD5; the next best thing is a 'birthday attack', which is based on the idea that in a group of 23 random people there's a probability of 50% that 2 share the same birthday. Therefore, if x represents given inputs to MD5 and y represents its possible outputs, there are x(x-1)/2 pairs of inputs. For each pair there's a probability of 1/y. There's a 50% probability that a matching pair will be found in y/2 pairs. There's a good chance of this occurring if n is greater than the root of y. However, this would still take thousands of years of computer time in a practical attack! Next best thing after that is a differential cryptanalytic attack. But that's only been proven effective against 1 round of MD5.

_
John Daniele
Technical Security & Intelligence Inc.
Toronto, ON
Voice: (416) 684-3627
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Sat, 30 Nov 2002, flur wrote:

> Perhaps a less controversial solution to get your linux box online would be
> to designate an older machine running MS Windows as a router... There is
> lots of software that will do this for you (ie Sygate, WinRoute, etc). With
> few access list rules you can make the router quite transparent, and it can
> serve as your first line of defense.
>
> As for MD5, to the best of my knowledge, brute force is the only way to
> 'crack' it... however I have heard rumors that some implementations are
> weaker than others.
>
> At 06:03 AM 11/28/2002 +0800, you wrote:
> >I paid a high monthly fee for my PPPOE connection. The damned ISP offered
> >only the client for M$ Windows. According to the packet dump, they use
> >CHAP for authorization and the CHAP challenge said it used MD5. But when
> >rp-pppoe MD5s the string of Identifier+Secret+Challenge Value, the
> >concentrator said the response is wrong.
> >
> >Apparently the ISP-offered client is not going with the RFC 1994 standard
> >for CHAP and obviously I cannot get their source code by social engineering.
> >
> >/Is there a way to break the MD5? Or anyway around? /I need to know my
> >ISP's digest scheme to get my Linux box online. I lived in a
> >highly-censored country and who knows what the offered client will do
> >behind my back? Thanks in advance for my safety (not privacy).
> >
> >__
> >Do You Yahoo!?
> >Everything you'll ever need on one web page
> >from News and Sport to Email and Music Charts
> >http://uk.my.yahoo.com
>
> __ _
> ~FluRDoInG[EMAIL PROTECTED]
> http://www.flurnet.org
> KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
> 1876 B762 F909 91EB 0C02 C06B 83FF E6C5 8C2C 37C4
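The birthday bound the reply above relies on, worked through as an added example (this is not code from the post or from any project mentioned in it): the exact collision probability for n samples over y outputs, the usual approximation n is on the order of the square root of y, and an empirical collision search on an MD5 digest truncated to 24 bits, constructed here so the effect is visible in seconds. The truncation width and the sequential inputs are assumptions for the demonstration; for the full 128-bit output the same arithmetic gives roughly 2**64 hashes, which is the "thousands of years" the reply mentions.

```python
"""Birthday-bound arithmetic and an empirical collision on truncated MD5.
Added illustration for the reply above; not the poster's code."""
import hashlib
import math
from typing import Dict, Optional, Tuple


def birthday_probability(n: int, y: int) -> float:
    """Exact probability that at least two of n samples drawn uniformly
    from y possible outputs coincide: 1 - prod_{i=0}^{n-1} (1 - i/y)."""
    p_no_match = 1.0
    for i in range(n):
        p_no_match *= 1.0 - i / y
    return 1.0 - p_no_match


def samples_for_half_chance(y: int) -> int:
    """Approximate sample count for a 50% chance of a collision,
    n ~ sqrt(2 * y * ln 2), i.e. on the order of sqrt(y)."""
    return math.ceil(math.sqrt(2.0 * y * math.log(2.0)))


def truncated_md5(data: bytes, bits: int) -> int:
    """Keep only the leading `bits` of the MD5 digest. Truncation is an
    assumption of this demo so the bound is reachable on a laptop."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_truncated_collision(
    bits: int, limit: int = 1_000_000
) -> Optional[Tuple[bytes, bytes, int]]:
    """Hash sequential (constructed) inputs until two share a truncated digest.
    Returns (input_a, input_b, hashes_computed), or None if `limit` is hit."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = str(i).encode()
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(f"23 people, 365 birthdays: {birthday_probability(23, 365):.3f}")
    bits = 24
    print(f"~50% collision on {bits}-bit output after about "
          f"{samples_for_half_chance(1 << bits)} hashes")
    result = find_truncated_collision(bits)
    if result:
        a, b, count = result
        print(f"collision after {count} hashes: {a!r} and {b!r}")
    full = samples_for_half_chance(1 << 128)
    print(f"~50% collision on 128-bit output after about 2**{math.log2(full):.1f} hashes")
```

The collision search is deterministic because the inputs are sequential decimal strings; running it a few times with different `bits` values shows the hash count tracking the square root of the output space rather than the space itself.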
Re: Business Traveller Use Of Encryption
For a more comprehensive list and breakdown I suggest reading up on the Wassenaar Arrangement; http://www.wassenaar.org or http://www.dfait-maeci.gc.ca/~eicb/eicbintro-e.htm. You'll notice that adhering to export controls isn't quite as simple as you've stated below, especially in areas of dual-use technology.

_________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On 4 Oct 2002, Arek Gondek wrote:

> In-Reply-To: <[EMAIL PROTECTED]>
>
> Hi All,
> Restrictions on exports apply to countries the U.S.
> classifies as state supporters of terrorism, including
> Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.
> Source:
> http://www.pcworld.com/news/article/0,aid,14768,00.asp
>
> Regards,
> Arek Gondek
> www.securelinx.com
RE: Defense plan
Hi Chris,

Everything that has been mentioned is all good, and covers some of the basic things that should be addressed, regardless of the environment. But with legal/policy type questions, and even some of the more procedural and technical ways of implementing policy, no one can answer them in a way that is applicable to your situation.

Step back, and consider what you are doing -- what are you trying to protect? Define what your company's critical assets are. Who and what are you trying to protect against? What are their capabilities? What are your team's capabilities/strengths/weaknesses? This must be answered in order to design a proper defensive strategy.

Might also be a good idea to look into asset management? Does your corporation even know what they have within their datacenters? What software is installed? Patch levels?

Once your assets have been identified, perform a gap analysis -- audit the environment against industry 'best practices' and look for some of the things that you mentioned earlier (MAC port lock-in, turning off unused simple services, etc.). Then work on developing hardening standards and documentation that apply to your specific environment.

Turning off services and fixing OS level problems isn't the end-all and be-all of security -- for example, take a look at the applications you have installed within your environment.. have they been implemented correctly? Are the default permissions in excess of what they should be? Does the application require access to privileged functions? Is it publicly accessible and has it been chroot()'d? What is necessary for the chroot() to function? These are things a mailing list simply cannot answer.

ttyl,

_____
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com
RE: security through obscurity (was: Re: remove apache os banner
I'm absolutely not advocating that anyone implement security through obscurity, but would have to agree that some degree of obscurity can slow down some attacks.. however, it should be the VERY, VERY, VERY last thing on your mind, and NEVER be relied upon as a means of protecting a network, application, building or anything.

_
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Tue, 4 Jun 2002, Kevin and Laura Brown wrote:

> You answer your own question. Something as simple as changing banners can
> stop some automated scripts and keep out some wannabe script-kiddies. You
> are right that it doesn't provide any *real* security, but it does help to
> stop some scripts and slow down some attackers. And although it might be a
> small step, the more steps can add to slow down an attacker, the better
> chance I have of keeping them out. Maybe they'll get tired of peeling
> through the layers. Maybe it thwarts a dumb script. I run my webserver on
> a different port than 80. It may not add any "security", but it keeps Code
> Red and Nimda from clogging my logs all day.
>
> Let's face it, most attacks come from script-kiddies looking for the weakest
> host, not real crackers targeting your domain. And if modifying a banner or
> changing a port number keeps out one or the other, then it is worth it.
> I'll still use other means to beef up my *real* security, but every little
> bit helps.
>
> Brownfox
>
>
> -Original Message-
> From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 9:57 AM
> To: Meritt James
> Cc: Pinsky Dan; [EMAIL PROTECTED]
> Subject: Re: security through obscurity (was: Re: remove apache os
> banner
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 4 Jun 2002, Meritt James wrote:
>
> > > ...but be advised: banner obfuscation provides no real security
> > > benefit. Security through obscurity ain't.
> >
> > Nice filter to keep out the harmless...
>
> If they're harmless, they are no threat. If there is no threat
> from the beginning, then please explain the security benefit.
>
> Besides, what good is it if a banner alteration turns away Joe or
> Jane Scriptkiddy if the next visitor is Nimda on rollerskates?
>
> My assessment stands: security through obscurity ain't.
>
> - -Jay
>
> (( ___
> )) )) .--"There's always time for a good cup of coffee"--. ><--.
> C|~~|C|~~| (>-- Jay D. Dyson -- [EMAIL PROTECTED] --<) |= |-'
> `--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `--'
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE8/MciGI2IHblM+8ERAjETAJ4smfidvaqEulcIPO87y0iaRAx0dgCgit3F
> lj4kiUDR0v/VQstnMuXcG+U=
> =sX9j
> -END PGP SIGNATURE-
RE: strong encryption - governments denying individuals the right to use
Short of destroying all material, world wide, that details the underlying mathematical concepts of cryptography and cryptanalysis or its implementation (books, whitepapers, source code, application binaries or hardware devices that implement 'strong' crypto), and implementing educational restrictions prohibiting the teaching of mathematics, language or any form of 'abstract thought' beyond the tenth grade, as well as locking up or otherwise 'eliminating' from the civilian population those that possess such knowledge (all university professors), no government on this planet can stop the exchange of information or advancement of cryptography. It's a futile yet extremely cruel cause.

That being said, however, both governments AND civilians do have a need and a right to protect information THEY deem to be private and confidential. Export laws should be limited to only those algorithms that have been designed for the sole purpose of protecting government and military communication. I'm not as averse to preventing defense contractors from the sale or exchange of information regarding their technology to a civilian population. However, if a civilian independently discovers the underlying concepts that a restricted algorithm uses, and develops a custom implementation, they should be allowed to do so.

Personally, I don't see how designing a new, untested algorithm would be a more secure alternative to implementing one that has undergone several years of peer review. After all, the security of obscurity is merely a factor of time. Unless of course a government can pump out new, moderately secure (whatever that measure might be) algorithm designs on an ongoing basis, estimate the capability of any given foreign government to complete an analysis of the algorithm and, based upon this estimation, set stringent time-of-use restrictions and prohibit recycling, obscurity is not of much practical value or use.

Imagine the strength of a government that spent more time improving their own capability than attempting to limit that of others.

_____
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Wed, 1 May 2002, Williams, Larry wrote:

> -Original Message-
> From: ken
>
> >+++ Davis, Don (CPOCEUR) [29/04/02 08:22 +0200]:
> >> If not having 1024-bit encryption available to send my private information
> >> over the web is the part of the cost, I can live with that.
> >Can you live without the locks on your house / car / safe?
>
> I doubt it, but you missed the point. He's not talking about removing the locks
> altogether but that he can live without a cipher lock. Certainly we all want to protect our personal information as much as our personal property. And because there are bad guys out there who will use whatever tools are at their disposal to obtain anything of value from us, a certain degree of protection is needed both in the physical and online worlds. If government says I can have 256-bit or 512-bit crypto technology, but I can't have the latest 1024-bit blowhard crypto, maybe it's because they use that to ensure national security or protect military secrets. Is it wise that everyone know how to decipher a secure military communication? I wouldn't think so, and to protect that code, they must prevent everyone from having it until they find something better.
Re: Books on Math Behind Crypto.
> Frankly I don't see how PDEs or Complex analysis could possibly be
> useful in crypto, at least in its present state.

Hrrmm.. well, for instance, in the case of factoring; there are efficient approaches to polynomial reduction using PDE methods. Although I was perhaps (somewhat incorrectly) thinking that capturing the effects of an apparently random process using stochastic differential equations might have been relevant.

With regards to complex analysis, it is important to number theory. For instance, the use of the Riemann zeta function within prime number theory. The Riemann zeta function is a function of a complex variable. Also applicable to sieve theory.

oh well.. I'm off to bed.

- john
Re: Books on Math Behind Crypto.
Well.. one good mathematics book that does cover in good depth concepts that would be of value, such as solving partial differential equations and group theory, is: "The Mathematics of Classical and Quantum Physics" by Dover Publishing.

Also, "Concise Complex Analysis" by Sheng Gong might be something to look into.

Then there's always "Numerical Recipes in C" (http://lib-www.lanl.gov/numerical/bookcpdf.html), which has been of great help in understanding how to properly implement certain mathematical concepts in code.

_________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Tue, 23 Apr 2002, Sumit Dhar wrote:

> Hello Everyone,
>
> To get a good understanding of Crypto a thorough understanding of the
> Mathematical Concepts behind it would be necessary.
>
> Are there any good documents/books (preferably online) that people here
> would like to recommend for this. I am not looking for books on Crypto,
> but specifically books on Mathematics which might have the required
> information.
>
> Cheers and Regards,
> Sumit Dhar [ http://dhar.homelinux.com/dhar/ ]
> Manager, Research and Product Development,
> SLMsoft.com
RE: Techniques for Vulnerability discovery
What you described is more akin to 'functional design' testing than vulnerability analysis. While there definitely are elements of black box testing as you described within the vulnerability analysis process, they are complemented by the application of reverse engineering tools and techniques. Tools such as gdb, strace/truss, SoftICE and IDA Pro are used to intercept a process or disassemble a function to gain a better, low-level understanding of what the application is actually doing. At that point, the tester will be able to determine whether a function has been implemented correctly and performs as documented, or identify potential points of manipulation to force the application to do something it was never intended to do.

When application code is available for review, the tester could develop scripts to parse through the code to identify obvious points of failure such as the misuse of certain functions (improper or no bounds checking), signedness issues, memory mismanagement, etc. etc. As well, they would manually review code pertaining to critical functions or activities such as authentication, authorization, etc. There are commercial code audit tools (such as L0pht^H^H^H@stake's slint) available to ASSIST the tester in this job, but IMHO should never be used to replace the role of a security-minded testing team. Security QA (not functional design / QA testing) is something that is severely lacking in all development shops.

_________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Fri, 5 Apr 2002, W. Lee Schexnaider wrote:

> Hello,
>
> As a software tester I might offer some information.
>
> I am primarily a "black box" tester, which means I do not go into the code. I use
> the product as a user would. We do some automated testing with tools like Winrunner.
>
> However, many testers do exploratory or ad hoc testing for these items. This
> involves using the program thinking of ways to break it, then trying them and
> documenting the results. In many cases there are requirements to test against, but
> these rarely find the type of problems you are addressing. However, requirements and
> written test cases can ensure that the bug does not reappear due to code reuse or old
> code getting into a build.
>
> Testing can be as basic as holding down a key in a field for two minutes to see if a
> buffer overflow happened (it did). I include things like the entry of bad data and
> other items in my test cases.
>
> From a customer standpoint, many people do not allow new code to be placed on
> production systems. They have separate test systems where the program is exercised
> before it can go on to production system. Such a system can lend itself to
> automating test cases for new version of existing software.
>
> It really comes down to having people who like to break software. These do not have
> to be programmers or IT admins. My background is in newspaper journalism. In some
> cases specific technical knowledge may be needed. But often the technical person
> needs to be teamed with someone who thinks more like a user.
>
> If a programmer says "someone would never do that" in reference to an action with a
> program, you can bet everything you own that at some time somebody will. Take the
> classic case of a video card that if it had more than one monitor connected to it,
> the monitors would catch fire!
>
>
>
> -Original Message-
> From: kaipower [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 04, 2002 7:05 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Techniques for Vulnerability discovery
>
>
> Hi,
>
> After reading the mailing list for quite a while, there is a burning
> question which I kept asking myself:
>
> How do experts discover vulnerabilities in a system/software?
>
> Some categories of vulnerabilities that I am aware of:
> 1) Buffer overflow (Stack or Heap)
> 2) Mal access control and Trust management
> 3) Cross site scripting
> 4) Unexpected input - e.g. SQL injection?
> 5) Race conditions
> 6) password authentication
>
> Do people just run scripts to brute force to find vulnerabilities? (as in
> the case of Buffer overflows)
> Or do they do a reverse engineer of the software?
>
> How relevant is reverse engineering in this context?
>
> Anybody out there care to give a methodology/strategy in finding
> vulnerabilities?
>
> Mike
>
>
>
> _
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>
>
>
> __
> D O T E A S Y - "Join the web hosting revolution!"
> http://www.doteasy.com
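The "scripts to parse through the code to identify obvious points of failure such as the misuse of certain functions" that the reply above mentions, as an added example (not the poster's script and not slint or any other tool named in the thread): a small Python pass over C source that flags calls to a constructed list of functions with no length parameter, skips mentions inside comments, and does not confuse `strncpy` with `strcpy` or `fgets` with `gets`. The function list, the reasons attached to each, and the sample C source are all constructed for the illustration; a real review would follow each hit to its destination buffer by hand, which is the manual step the reply says tools only assist with.

```python
"""Lexical audit of C source for length-unchecked library calls.
Added example; the risky-call list and sample source are constructed."""
import re
from typing import Dict, List, NamedTuple

# Calls worth a manual look, with the reason a reviewer would give.
RISKY_CALLS: Dict[str, str] = {
    "gets": "no length parameter; cannot bound the write",
    "strcpy": "no length parameter; destination size unchecked",
    "strcat": "no length parameter; destination size unchecked",
    "sprintf": "no length parameter; formatted output unbounded",
    "scanf": "%s without a width bound reads unbounded input",
}


class Finding(NamedTuple):
    line_no: int
    function: str
    reason: str
    source: str


# Identifier immediately followed by '(' and not preceded by an identifier
# character, so "strncpy(" and "fgets(" are not reported.  Declarations such
# as "int gets(char *)" would also match; that is accepted for a first pass.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\("
)


def _strip_comments(src: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers hold."""
    def keep_newlines(m: re.Match) -> str:
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", keep_newlines, src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return src


def scan_c_source(src: str) -> List[Finding]:
    """Return one Finding per risky call, in source order."""
    findings: List[Finding] = []
    for idx, line in enumerate(_strip_comments(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            findings.append(Finding(idx, name, RISKY_CALLS[name], line.strip()))
    return findings


# Constructed sample: two calls that should be reported, one that should not.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy() mentioned here in a comment should not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);              /* line 7: unbounded copy */
}

void read_line(char *buf) {
    gets(buf);                     /* line 11: unbounded read */
}

void safe_copy(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1);      /* not reported: different identifier */
    dst[n - 1] = '\0';
}
'''

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE_C):
        print(f"line {f.line_no}: {f.function}() -- {f.reason}\n    {f.source}")
```

Pointing `scan_c_source` at real files is a matter of reading them and passing the text in; the output is a worklist for the reviewer, not a verdict, since a flagged `strcpy` whose source is a fixed-size literal is fine and an unflagged `memcpy` with an attacker-controlled length is not.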
Re: Disk Wiping Utilities
This topic had been discussed at great length in a previous thread - unclassified disk sanitizers; to sum it up, no, a simple format will not ensure that data cannot be recovered. What is needed is a tool that will overwrite every physical sector of a drive with data, from the very start to the very, very end. 'dd' will do the job just fine. However, with any tool that you use, be careful of BIOS translation errors and verify that the last sector of the drive had been wiped using a disk editor, preferably with a verification system separate from the one used to do the wipe.

However, since the original person who asked the question works for government, depending on the classification of the data he wishes to destroy, this may or may not be adequate enough. Drives that house data classified as Top Secret are generally destroyed in house.

_
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Wed, 27 Mar 2002, Bassam ALHUSSEIN wrote:

> I am not sure but I thought that a format then fdisk would do the job
> wouldn't it ???
> correct me guys ..plz
>
> Bisso
> - Original Message -
> From: Dan Williamson <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 27, 2002 12:14 AM
> Subject: Disk Wiping Utilities
>
>
> > I am looking for a good utility to erase all hard drives
> > in a machine to a DOD standard. I would prefer a
> > FREE utility as this is a government agency and I try
> > to keep costs down.
> >
> > I have read that Norton Wipeinfo, BCWipe and
> > several other programs wipe only the known
> > partitions. I need a tool that will wipe EVERYTHING !
> >
> > TIA
> > Dan
RE: Disk "Sanitizers" *Final Comments*
You lack understanding and still continue to argue and attack? Your almost antagonizing comment on Canadian standards was laughable.. I am so glad that you represent a minute portion of Americans that think of Canada as the inferior 51st state? (at least I hope... ;-))

I own and build much of the equipment you mentioned below. For the most part it is simply standard computer equipment built into a compact, portable chassis so it is easy for a forensic investigator to lug around and interface with many different drive types/connectors (i.e. 50/68/80 pin SCSI or ATA66/100/133 type drives). I have also designed and built electronic equipment to dump various types of EEPROMs for reverse engineering or recovery purposes.

The forensic imaging equipment you mentioned is standard across the community. The purpose is to create an exact, bitstream copy of the contents of a drive, including file slack and freespace, regardless of filesystem format, in such a way so that the data recovered from the drive can be admitted as evidence during criminal proceedings. As well, it provides an investigator with an exact replica of the drive from which to perform his/her analysis, so that they are not working with the original. It is a very big no-no to perform analysis on the original evidence as electronic data is extremely volatile and any mistakes could severely hurt an investigation.

The investigator would then examine file slack and freespace for deleted data that could be recovered using forensic analysis software that will examine a drive at the physical layer, completely ignoring the logical filesystem. I have personally assisted government/police agencies in the past recover data from these areas of a drive, even if they are highly fragmented. In one case in particular, I was able to repair the header of a deleted video file as most of its contents were still intact and could still be viewed.

However, if these areas have truly been overwritten, even simply one time, it is unrecoverable. If there are bad blocks on the drive and whatever disk sanitization tool used did not properly overwrite the data, then there are other recovery techniques that can be applied. Just because a drive is damaged doesn't necessarily mean that data is unrecoverable. Using one of my past examples, I have personally worked with data recovery teams that have done wonders with drives that have really been put through hell and back. Even in cases where the disk platters have been slightly mangled, there may be things one could attempt from a recovery perspective.

Please Mr. Donovan, DO NOT put words into my mouth and DO NOT claim that I am spreading misinformation. Right now, decent MFM equipment is quite expensive and requires a very specific skillset to use. As well, it requires an excruciatingly large amount of time to even recover 1Mb of meaningful data. Although I do understand that MFM equipment is becoming increasingly cheap to obtain, not every corporation on the planet has to worry just yet. Some perhaps, like defence contractors, yes.. Be paranoid, but within reason. Is your organization extremely worried about the possibility that their competitors have improved upon Shamir's cracking device or built a quantum computer in which to crack all their encrypted communications? I highly doubt it.. If they have good reason to, then should you really be communicating on an open mailing list? Congratulations! You have just compromised your organization's operational security! In most cases, there are far easier and more efficient ways to break into an organization than using an electron microscope.

ttyl,

_________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Sat, 9 Mar 2002, Mike Donovan wrote:

> >= Original Message From "Holmes, Ben" <[EMAIL PROTECTED]> =
>
> >"...makes it impracticable for all except the most sophisticated, high $$$
> scenarios."
>
> First, for John: for the hundredth time, your focusing only on "software
> recovery tools" is baffling to me. The above post seems to argue the same
> thing. ("All but...") I only included one small part to keep the limits down
> that bugtraq faces.
>
> WHY do you two believe that hardware recovery methods (which makes a one-pass
> method as a "secure" method a joke) is:
>
> A) Rare
> B) Expensive
> C) Not worth protecting information from, since John, you have defined
> "standard" as SOFTWARE RECOVERY only.
>
> The expense of hardware recovery has come down so dramatically that just about
> ANY large US police department owns forensic hardware tools. In the U.S. many
> COUNTY **sheriff's** departments have these tools and have been trained in
> their use. In my city, which is in the
Re: Unclassified Disk "Sanitizers"
For the hundredth time! There is a difference between a file being deleted from a filesystem and it being truly OVERWRITTEN. If you are sanitizing the drive, you will OVERWRITE it with data from the first sector to the very last PHYSICAL sector of the drive. OVERWRITTEN. Period. Unless you wish to pursue other PHYSICAL RECOVERY methods such as the use of Scanning Tunneling Microscopy or recovery of tiny fragments of data from the cache chip found on the drive's circuit board, it's for all intents and purposes GONE.

_
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Fri, 8 Mar 2002, Marnix Petrarca wrote:

> didn't the coroners toolkit from wietse venema and consorts do something
> like that?
> There's other interesting reading there, too.
> http://www.porcupine.org/forensics/tct.html
> -M
>
> - Original Message -
> From: "John Daniele" <[EMAIL PROTECTED]>
> To: "Mike Donovan" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: 06 March, 2002 6:07 PM
> Subject: RE: Unclassified Disk "Sanitizers"
>
>
> > Could you point me towards SOFTWARE (not STM equipment) that would be able
> > to recover data that had been OVERWRITTEN from a sector of a drive?
> >
> > i.e. dd if=/dev/zero of=/dev/dsk/c0t0*
> >
> > Read each physical sector of the drive and explain to me how meaningful
> > data is recovered from 00's using software recovery tools?
> >
> > Sorry for my abrasive response, but you are out of line. I was not
> > referring to a scenario where portions of a deleted file may be recovered
> > from file slack, or swap space but rather in the case that it had truly
> > been OVERWRITTEN!
> >
> > _
> > John Daniele
> > Technical Security & Intelligence
> > Toronto, ON
> > Voice: (416) 605-2041
> > E-mail: [EMAIL PROTECTED]
> > Web: http://www.tsintel.com
> >
> > On Wed, 6 Mar 2002, Mike Donovan wrote:
> >
> > > >= Original Message From John Daniele <[EMAIL PROTECTED]> =
> > > >The data only has to be overwritten once such that it is unrecoverable
> > > >using standard forensic recovery methods.
> > > ---
> > > This is false. Completely. A one-time pass --- making data "unrecoverable?"
> > > Why is it that Bruce Schneier and others are constantly harping on how we
> > > can't assume ANYTHING is truly "unrecoverable" using software methods? Period!
> > > Even Gutmann's paper questions his own method! John, in referring others for
> > > more information to the over-used "Gutmann Paper" (which is going now on
> > > six-years old), need I remind you how recovery capabilities have changed in
> > > SIX years? Let me refer you to something more current and more realistic from
> > > SANS:
> > > http://rr.sans.org/incident/deletion.php
> > > It must be remembered the Gutmann 35-pass method is *completely* different in
> > > what a "pass" is than, say, the D.O.D 7-pass method. Gutmann's method takes
> > > into account various encoding methods used by makers of the drives. It's
> > > totally different. Hard drive slack space and unallocated space? Not even
> > > mentioned in John's all-inclusive sentence above. How can anything be securely
> > > deleted without even touching these data storage hogs that a simple one-pass
> > > method will NOT touch? In the very paper John referred to, Peter Gutmann says
> > > in the opening sentence of his conclusion, (point 9) "Data overwritten once or
> > > twice may be recovered by subtracting what is expected to be read from a
> > > storage location from what is actually read."
> > >
> > > The kind of misinformation in John's post is dangerous - especially in today's
> > > world. Bottom line: Stick with Department of Defense regulations for secure
> > > deletion or use the 35-pass Gutmann method. Please, don't let **anyone** tell
> > > you a one-time pass will make data "unrecoverable."
> > >
> > > Mike Donovan
RE: Unclassified Disk "Sanitizers"
Ok, before you put any more words into my mouth, let's go over the basics (in very simplistic terms for better understanding of the core concepts):

What happens when a file is deleted depends on the filesystem upon which it resides. Windows/DOS simply marks the file for deletion by 'hiding' the file from view. On filesystems such as EXT2, for example, the directory entry is marked as unused, the inode block is marked as unused, as is the file data block in its block allocation map. However, some information is still intact, such as the relation between the file inode and the first 12 file data blocks, which allows for easy recovery of smaller files that fit within 12 blocks. For other files, however, recovery is still possible! Just because there is no relationship between the inode and file data block doesn't mean that the content within the file data block is erased. In fact, it can still be intact long after deletion of the file. As well, shreds of data may still exist within the unused spaces within the last data blocks of a file for potential reassembly (file slack).

Now, what wiping utilities try to do is OVERWRITE those portions of the disk, such as all unused data blocks and file slack space, where potential data can be recovered. Once overwritten, it is UNRECOVERABLE using forensic analysis tools such as EnCase, Byte-Back, Ontrack Recovery, etc. etc. However, this does not necessarily mean that it cannot be recovered using other PHYSICAL means by closely examining information within the magnetic domains using specialized equipment, i.e. the physical components of the drive; disk platters, cache chips, etc.

I was trying to get two points across; number 1: data CAN still be recovered after a 35-pass Gutmann or 7-pass DoD standard blah blah blah using physical methods such as the use of scanning tunnelling microscopy. Also, simply denting a drive platter or otherwise attempting to damage the drive may not in all cases equal unrecoverability! The drive platters can be removed, remodelled and read using PHYSICAL methods. But also that a company should be realistic as to who their potential adversaries are, and architect a solution that fits their needs. Not everyone needs to spend billions building their secure datacenter deep underground within a vault with two interlocking vaulting doors protecting a pressure floor to determine the weight of only one person before allowing access to authenticate against a vein and retina biometric device. Properly assess your threats, otherwise you will lose the war.

ttyl,

_________ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com

On Wed, 6 Mar 2002, Mike Donovan wrote: > >===== Original Message From John Daniele <[EMAIL PROTECTED]> = > >Could you point me towards SOFTWARE (not STM equipment) that would be able > >to recover data that had been OVERWRITTEN from a sector of a drive? > >i.e. dd if=/dev/zero of=/dev/dsk/c0t0* > >Read each physical sector of the drive and explain to me how meaningful > >data is recovered from 00's using software recovery tools? > >John Daniele > > > I think all-inclusive statements, such as that by John in an earlier post, > that a one-time pass will make data "unrecoverable" with standard forensic > recovery methods is simply wrong. It's not a matter of which software could - > or couldn't. It's a matter of what you mean by "standard" forensic recovery > methods. You did not make clear what you meant by "standard" methods. If you > mean Norton or McAfee Undelete when you speak of "forensic" methods - well > then, we're talking different ball parks. Standard "forensic recovery methods" > by big city US Police Departments and the FBI include more in their arsenal > than simple data recovery programs. I am sure (or assume) the same is true in > Canada as well. The USA Dept. Of Defense (as you know) has protocols that are > acceptable --- a three-pass method, a seven-pass method, and then there's the > Gutmann method, which is acceptable to anybody, except maybe the Marines - who > must blow their old drives to bits! (Pardon the pun). But a one-time pass? > Not acceptable for true security. And what good does it do to call something > "unrecoverable" and NOT take into account slack space? Again, it comes back to > the term "standard" -- I think the definition may be different in Canada than > the United States. > - Mike Donovan > >
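A worked illustration of the file-slack and overwrite points argued in this thread, added here as an example and not code from any of the posts: it computes the slack left in the last block of a file, overwrites a file's allocated bytes in place sector by sector (random passes followed by a final zero pass, fsync'd each time), and then reads every sector back to confirm that a software-level read sees nothing but zeros. The block size, the file name and its contents are assumptions. Note what it does not do: it only reaches the blocks currently allocated to that file, so slack from an earlier, larger version, journal or swap copies, and sectors an SSD has remapped are untouched, which is why a whole-device overwrite (dd to the raw device) or physical destruction is the answer for retired drives.

```python
import os
import secrets
import tempfile

SECTOR = 512      # smallest unit a drive reads or writes
BLOCK = 4096      # assumed filesystem block size


def slack_bytes(file_size: int, block_size: int = BLOCK) -> int:
    """File slack: the tail of the last allocated block that the file does
    not use. Whatever an earlier, larger file left there survives both a
    plain delete and a plain rewrite of the shorter file."""
    if file_size <= 0:
        return 0
    return (-file_size) % block_size


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every allocated byte of `path` in place, sector by sector.
    Earlier passes write random data, the last pass writes zeros, and each
    pass is fsync'd so it reaches the device before the next one starts.
    Opening with r+b keeps the same blocks (a fresh file would get new ones
    and leave the old blocks intact). Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for p in range(passes):
            last = (p == passes - 1)
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(SECTOR, remaining)
                f.write(b"\x00" * n if last else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path: str) -> bool:
    """Read the file back sector by sector; True only if every byte is 0."""
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo_wipe(passes: int = 3) -> dict:
    """Write a constructed 'sensitive' file (hypothetical name), wipe it, and
    report what a software-level read of those bytes sees before and after."""
    marker = b"CONFIDENTIAL "
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.txt")
        with open(path, "wb") as f:
            f.write(marker * 200)
        readable_before = not verify_zeroed(path)
        written = overwrite_file(path, passes)
        with open(path, "rb") as f:
            marker_after = marker in f.read()
        return {
            "size": written,
            "slack": slack_bytes(written),
            "readable_before": readable_before,
            "marker_after": marker_after,
            "zeroed_after": verify_zeroed(path),
        }


if __name__ == "__main__":
    print(demo_wipe())
```

For a whole disk the same loop is what `dd if=/dev/zero of=/dev/sdX bs=512` does, and the same read-back check (`cmp /dev/zero /dev/sdX`) is the evidence that no software recovery tool has anything left to work with.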
RE: Unclassified Disk "Sanitizers"
Could you point me towards SOFTWARE (not STM equipment) that would be able to recover data that had been OVERWRITTEN from a sector of a drive? i.e. dd if=/dev/zero of=/dev/dsk/c0t0* Read each physical sector of the drive and explain to me how meaningful data is recovered from 00's using software recovery tools? Sorry for my abrasive response, but you are out of line. I was not referring to a scenario where portions of a deleted file may be recovered from file slack, or swap space, but rather in the case that it had truly been OVERWRITTEN!

_ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com

On Wed, 6 Mar 2002, Mike Donovan wrote: > >= Original Message From John Daniele <[EMAIL PROTECTED]> = > >The data only has to be overwritten once such that it is unrecoverable > >using standard forensic recovery methods. > --- > This is false. Completely. A one-time pass --- making data "unrecoverable?" > Why is it that Bruce Schneier and others are constantly harping on how we > can't assume ANYTHING is truly "unrecoverable" using software methods? Period! > Even Gutmann's paper questions his own method! John, in referring others for > more information to the over-used "Gutmann Paper" (which is going now on > six-years old), need I remind you how recovery capabilities have changed in > SIX years? Let me refer you to something more current and more realistic from > SANS: > http://rr.sans.org/incident/deletion.php > It must be remembered the Gutmann 35-pass method is *completely* different in > what a "pass" is than, say, the D.O.D 7-pass method. Gutmann's method takes > into account various encoding methods used by makers of the drives. It's > totally different. Hard drive slack space and unallocated space? Not even > mentioned in John's all-inclusive sentence above. How can anything be securely > deleted without even touching these data storage hogs that a simple one-pass > method will NOT touch? 
In the very paper John referred to, Peter Gutmann says > in the opening sentence of his conclusion,(point 9)"Data overwritten once or > twice may be recovered by subtracting what is expected to be read from a > storage location from what is actually read." > > The kind of misinformation in John's post is dangerous - especially in today's > world. Bottom line: Stick with Department of Defense regulations for secure > deletion or use the 35-pass Gutmann method. Please, don't let **anyone** tell > you a one-time pass will make data "unrecoverable." > > Mike Donovan > >
RE: Unclassified Disk "Sanitizers"
The data only has to be overwritten once such that it is unrecoverable using standard forensic recovery methods. Secondly, the point of overwriting with several passes is to generate enough magnetic force to switch the domains and may or may not work, depending on the physical characteristics of the drive. I suspect that in most cases, it won't as it isn't that easy when dealing with the threat of MFM/STM/*[F|T|I|P]M You have to have an understanding of the particulars of the scheme used by the drive for encoding data (and its variants) to properly design alternating overwrite patterns that don't repeat, and will work, not to mention an understanding of its physical characteristics as was mentioned by Matthew. more info: http://www.cs.auckland.ac.nz/~pgut001/secure_del.html _________ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com On Sun, 3 Mar 2002, Matthew Tallon wrote: > > Hi, > > > the safe side and use 7 passes to be thorough. If memory > > serves, seven passes is also the DoD standard (along with > > randomized non-sensitive data for the re-write). > > I don't want to beat this one to death, but more than a few > questions bounce around in my head. Any physics majors or hd > gurus out there? Having a fair amount of experience in the > audio field, I understand the issues involved with analog > recordings but I know very little about the details of digital > media. > > This seems to imply that if I re-write the same data to the same > location on a disk, the bits are magnetically stronger with each > write, or even that under normal use, I could extract (under > optimal conditions) several generations of data from the same > location on the disk. I suppose various vendors would create > heads that write stronger signals to disk and would prove more > reliable from a security (and integrity) point of view. 
> > Sort of going back to college, can someone point me to an > authoritative breakdown of hard drive media? I have to admit, > my curiosity is thoroughly piqued! > > Thanks, > > Matthew Tallon > >
RE: Unclassified Disk "Sanitizers"
> Who's to say the recycling company doesn't read'em first? Or a > corporate spy assigned to work at a recycling center? Well.. yah obviously!! Which is why if one is so concerned one should accompany their equipment to the destruction site and oversee the process. Sounds a bit silly to be worried about spies armed with MFM/STM/*[F|T|I|P]M equipment while completely ignoring common sense! > And I'd think formatted drives sent to the NSA for meltdown would prolly > make a pretty good training media for those at NSA learning to read data > from erased/over-written disks. Perhaps.. can you even take a guess at how long it would take to recover even 1Mbs of meaningful data that had been overwritten? Not that there aren't organizations that should be worried about this threat, however, it is important to be somewhat realistic as to who your potential adversaries are. > Sanding the platters is a POSITIVE way to forever destroy the data and it's > one that most folks can do. Perhaps.. ;-) > Third party forges/furnaces are like accepting candy and rides from > strangers. As I said before -- sounds a bit silly to be worried about spies armed with MFM/STM/*[F|T|I|P]M equipment while completely ignoring common sense! I agree tenfold! > Army Regulation (AR) 380-19 Appendix E 4.5.2 Destruction of Removable Hard > Disks and Disk Packs states that sanding the platters is one of the > recommended ways to declassify a Top Secret hard drive. I'm not arguing against sanding down platters, but simply denting it with a sledgehammer is hardly proper procedure. Occasionally platters from drives located within aircraft 'black boxes' are dented.. that doesn't *always* prevent investigation of the data. > D. Weiss > CCNA/MCSE/SSP2 john.
RE: Unencrypted Email
heheh, well I'd place my spy at the company itself and have them perform a security walkaround of the building to locate the (normally unprotected) demarc point and install my sniffer physically on the wire there. Not to say that there aren't any lame ISPs/datacenters around (I have definitely seen my share) but this is their primary line of business; you are perhaps more likely to gain access to the end user's infrastructure. I say that the direct approach will probably be more successful. You'd be surprised how many large companies don't even think to set up a surveillance camera within their telecom/switching rooms, or even in the hallway leading up to the door.

_____ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com

On Mon, 25 Feb 2002, Coffey, Christopher S. wrote: > I'll add my opinions here, hopefully you will find them interesting: > > 1. Yes most sniffers can be configured to find just certain types of traffic > by headers (mail, ftp, etc.) > > 2. Yes but it takes more work than that, let me explain (this is but a > sample scenario btw). Say I was a company in LA and I wanted to snoop the > email of my competitor in NY city. I would need to find out who their ISP is > (who runs their T1 or whatever) then I would need to "Hack" into that ISP ( > Ok yes this is complicated it might require breaking into multiple routers > and servers within the ISP to find the right link into their T1 ) and > install my sniffer software to grab all the mail coming and going from that > company. This could either be done by a group of black hat mercenaries or by > a well placed insider at the ISP. > > 3. This is a rough scenario, it would be a very big case of corporate > espionage that so far we haven't seen yet ( or at least not made public) but > it is possible, with enough time money and luck it could be done, it all > depends on how much $$$ the data is worth ??? 
> > Christopher Coffey > Network Security Officer > AAC-VA > > > > > -Original Message- > From: Dave Bujaucius [mailto:[EMAIL PROTECTED]] > Sent: Friday, February 22, 2002 10:58 AM > To: [EMAIL PROTECTED] > Subject: Unencrypted Email > > > It is common knowledge that unencrypted messages sent over an unsecured > Internet connection *can* be viewed in clear text and thus the contents > compromised. My questions: > > 1. Is it really easy? How readily available are sniffing tools that > can do this? > 2. Can it be done from a user's home dial up or DSL type connection? > Can someone in California somehow be scanning mail leaving a New York > location? > 3. Outside of government agencies that have access to selected ISP's, > how likely is it that a company could be targeted by an outside person > or organization? > > I realize that like most IT issues everything is relative. I'm > questioning the relative risk in sending confidential information over > the Internet. Real life experiences versus theory. > > Dave Bujaucius >
RE: Unclassified Disk "Sanitizers"
While taking a sledgehammer to a drive does sound quite therapeutic, I would suggest rather, to look around for your local metal recycling company. They will gladly take your old hard drives, monitors, Sun IPCs (on second thought, instead send them over my way! :p) and mince them to itty bitty pieces for you! And in much smaller chunks than you could ever possibly replicate with a sledgehammer. www.resourcecon.com is one company that a few of my clients have used.

ttyl,

_ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com

On Tue, 26 Feb 2002 [EMAIL PROTECTED] wrote: > DoD wipe, Norton Wipe, KO. > > Three passes for sensitive info. Seen KO and DoD used for higher than that. > > And all three could have been the same program. They sure did look alike. > > No idea on price > > I can't find my link at the moment, but there used to be a link to a paper > that went into painful detail how you could build your own -- oops!! found > the link. Luck I remembered "Magnetic force scanning tunneling microscopy > (STM)" Made the search pretty quick. > > This link tells you just how safe your old hard drive is. YOU have to > determine how much effort YOU want to spend to be safe. > > If it was my hard drive with my excel spreadsheet of all my unreturned > public library books (Which I do really intend to turn back in, some day > when I return to the USA (Any lawyer types out there know the statute of > limitations on overdue library books??)) I'd open the drive up and sand off > the magnetic media with an electric sander, then use an 8 pound fine > alignment tool (sledgehammer) to reduce it to shards. > > The link, for those that held out: > > http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gut > mann/ > > When you read this, don't feel inferior. Uncle Peter Gutmann doesn't want > you to feel that way; he's just oh so much more brilliant than most of us. 
I > sure felt humbled. > > D. Weiss > CCNA/MCSE/SSP2 > > > -Original Message- > From: Kevin Maute [mailto:[EMAIL PROTECTED]] > Sent: Saturday, February 23, 2002 4:29 PM > To: Sadler, Connie J; [EMAIL PROTECTED] > Subject: Re: Unclassified Disk "Sanitizers" > > > Connie, > > I found no (reasonably priced) utility when I looked at this about 2 years > ago. I was an Air Force contractor at the time and had much the same > problem > that you (probably) do. > > My solution was to develop a Linux based solution to do this. The advantage > of > this was it supports both SCSI and IDE disks and doesn't care what OS/Data > is > on the disk. > > There was also a document that dictated that for your needs you needed 3 > passes > to "clear" the data and for more sensitive needs require 7 passes to > "sanitize" > the disk. > > Many people that are familiar with disk technologies feel this may not be > enough but to do anything with the data that may still be on the disk > requires > fairly expensive hardware and lots of time... > > Kevin > > > "Sadler, Connie J" wrote: > > > Does anyone have recommendations for freeware or shareware that > effectively > > erases disks for unclassified but sensitive information? This would be > used > > for all machines "retired" to school programs, etc. We need one for > Windows > > and one for UNIX, if one tool can't clean both types of disks. Anybody > have > > experience with this? > > > > Thank you! > > > > Connie > > > > > -- > ++ > Kevin Maute > > Educating people on the avoidable carcinogens in their lives > and how to replace them with safe, superior products. > > mailto:[EMAIL PROTECTED] > http://www.ineways.com/kmaute > http://www.newaysonline.com > ++ > > > >
Re: Unclassified Disk "Sanitizers"
hehe.. true., then again, STM can work wonders if you have the luxury of unlimited time! ;-) dd will work as well, realistically, data only has to be overwritten ONCE to be unrecoverable using standard forensic methods! _ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com On Mon, 25 Feb 2002, Meritt James wrote: > Sorta depends if you ever want to use it again. > > If not, a blowtorch would probably work nicely. > > -- > James W. Meritt CISSP, CISA > Booz | Allen | Hamilton > phone: (410) 684-6566 >
Re: Software Firewall Development
> TPF, Back-Ice, Zone-Alarm, all do their job, why would you want a > separate tool. Doesn't anyone ever embark on a project simply for its merits as an academic challenge or exercise anymore? ;-) _____ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com
Re: NIC promiscuous mode
Define ifreq blah; strcpy(blah.ifr_name, "name-of-device0"), set blah.ifr_flags to IFF_PROMISC then ioctl() the socket; _ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com On Fri, 8 Feb 2002, Steve Schott wrote: > I am having problems figuring out how to put a NIC in or out of > promiscuous mode. I am using RH 7.2 using an Intel Pro 100+ > > How does one do that. > > I can get around pretty well in Linux. I am just missing the step by > step procedure. > > Thanks so much. > > Steve > > Definition of insanity: Repeating the same action over and over > expecting a different outcome. > > - > > > >
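The ioctl sequence sketched in the reply above, written out as an added example (not code from the original post) using Python's standard library on Linux so it can be read next to the C description: fetch the interface's current flag word with SIOCGIFFLAGS, set or clear IFF_PROMISC in it, and write it back with SIOCSIFFLAGS. The interface name is an assumption, and changing the flags needs CAP_NET_ADMIN (root). The flag arithmetic is kept in its own function so it can be checked without privileges; the rest raises OSError when the interface does not exist or permission is denied.

```python
import fcntl
import socket
import struct

# Linux request codes and flag bit (values from <linux/sockios.h>, <net/if.h>)
SIOCGIFFLAGS = 0x8913
SIOCSIFFLAGS = 0x8914
IFF_PROMISC = 0x100
IFNAMSIZ = 16


def flags_with_promisc(flags: int, enable: bool) -> int:
    """Return the 16-bit flag word with IFF_PROMISC set or cleared, leaving
    every other bit (IFF_UP, IFF_RUNNING, IFF_MULTICAST, ...) as it was."""
    if enable:
        return flags | IFF_PROMISC
    return flags & ~IFF_PROMISC & 0xFFFF


def _pack_ifreq(ifname: str, flags: int = 0) -> bytes:
    """Leading part of struct ifreq: char ifr_name[16] followed by the
    short ifr_flags member of the union. The kernel only reads that far."""
    name = ifname.encode()
    if not name or len(name) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    return struct.pack("16sH", name, flags)


def get_flags(ifname: str) -> int:
    """ioctl(fd, SIOCGIFFLAGS, &ifr) on any AF_INET socket; raises OSError
    (ENODEV) for an interface that does not exist."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, _pack_ifreq(ifname))
    return struct.unpack("16sH", res[:18])[1]


def set_promisc(ifname: str, enable: bool) -> int:
    """Toggle promiscuous mode (needs CAP_NET_ADMIN) and return the flag
    word as the kernel reports it afterwards, so the caller can confirm."""
    new = flags_with_promisc(get_flags(ifname), enable)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        fcntl.ioctl(s.fileno(), SIOCSIFFLAGS, _pack_ifreq(ifname, new))
    return get_flags(ifname)


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else "eth0"      # assumed name
    enable = len(sys.argv) < 3 or sys.argv[2] != "off"
    flags = set_promisc(dev, enable)
    state = "on" if flags & IFF_PROMISC else "off"
    print(f"{dev}: promisc={state} flags=0x{flags:04x}")
```

The change is visible to everyone on the box (`ip link show` prints PROMISC, and the kernel logs "device eth0 entered promiscuous mode"), which is one reason a host-based check for that log line is a cheap complement to network-side sniffer detection.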
Re: DOS and other security threats
In addition to egress filtering, do try to configure your current infrastructure to survive a direct attack as long as possible by:
- properly configuring Cisco QoS
- change default route cache algorithm to Cisco Express Forwarding (CEF) as it is optimized for short duration, dynamic traffic
- where possible, implement reflexive filtering rules as opposed to vanilla ACLs
- Tune the command scheduler timing, so that when under direct attack, the device is not spending more time responding to interrupts than routing
- where possible, implement tcp-intercept rules

Not intended to be a complete list of things to do, but should set one on the right path.

ttyl,

_ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com

On Sat, 2 Feb 2002 [EMAIL PROTECTED] wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Glen, > > If it's DoS that you're specifically worried about one thing that you could implement >to help mitigate the risk is egress filtering. I've included a couple of resources >that may be of help. > > http://www.sans.org/dosstep/ > http://www.mitre.org/research/cyber/DDOS/ > > cheers, > gattaca > > - > liquidmatrix.Org > - > > > > > > > Hush provide the worlds most secure, easy to use online applications - which >solution is right for you? > HushMail Secure Email http://www.hushmail.com/ > HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/ > Hush Business - security for your Business http://www.hush.com/ > Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/ > > -BEGIN PGP SIGNATURE- > Version: Hush 2.1 > Note: This signature can be verified at https://www.hushtools.com > > wlwEARECABwFAjxcMagVHGdhdHRhY2FAaHVzaG1haWwuY29tAAoJED1qYAupECclhiEA > oL8PQXgLzLIGdvcKhLvascpPlVOtAJ488DM5bI0N/u3YXe838OEmSscTEg== > =3Erq > -END PGP SIGNATURE- > >
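The items in that list, written out as an added IOS configuration example (not configuration from the original post). The interface name, access-list numbers, the 192.0.2.0/24 server block and every rate and threshold are assumed values to be tuned to the link and the platform, and the scheduler command takes a different form on older platforms.

```text
! Added example, not from the original post. Interface names, ACL numbers,
! the 192.0.2.0/24 address block and every threshold are assumed values.
!
! Switch path: CEF uses a prebuilt FIB and adjacency table, so no per-flow
! route cache entries are built on the fly while a flood of short-lived
! flows arrives.
ip cef
!
! Guarantee the process level (console, routing protocols) CPU time while
! interrupts flood in. 7200/RSP form shown; older platforms use
! "scheduler interval 500" instead.
scheduler allocate 4000 1000
!
! TCP intercept: the router completes the three-way handshake on behalf of
! the protected servers and only hands over connections that actually open.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Reflexive ACLs instead of a static "permit tcp any any established":
! return traffic is admitted only for sessions the inside opened, and the
! temporary entries age out on their own.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any log
!
! QoS piece: committed access rate on traffic classes abused in floods.
! Figures are bits per second, normal burst and maximum burst in bytes.
access-list 150 permit icmp any any
access-list 151 permit tcp any any syn
interface Serial0/0
 description upstream link (assumed)
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 151 64000 8000 8000 conform-action transmit exceed-action drop
```

Check the effect under load with `show ip cef`, `show tcp intercept statistics`, `show access-lists` (the reflexive entries appear under the named ACLs) and `show processes cpu`; if interrupt-level CPU stays pinned while the process level starves, the scheduler allocation is the knob to revisit.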
Re: Attack Responses id check returned root
I may be totally wrong on this, but I thought id check is logged when the output of 'id' is detected within traffic, i.e.: uid=(root), gid=0(wheel). _ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 E-mail: [EMAIL PROTECTED] Web:http://www.tsintel.com
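What that Snort alert name refers to, as an added detection example and not text from the reply above: the rule matches the string id(1) prints for root inside server-to-client traffic. The code below parses that output format, raises a high-severity alert for uid 0 and a lower one for any other id(1) output (which still means a shell is echoing command results back), and runs over a few constructed payloads. The third sample is there to show the false positive a pure content match cannot avoid: documentation that quotes id output looks exactly like a compromised server answering. Port numbers and payloads are constructed, not captured.

```python
import re
from typing import List, Optional, Tuple

# Shape of id(1) output: uid=N(name) gid=N(name) groups=N(name),N(name),...
ID_LINE = re.compile(
    r"uid=(?P<uid>\d+)\((?P<user>[\w.-]+)\)\s+"
    r"gid=(?P<gid>\d+)\((?P<group>[\w.-]+)\)"
    r"(?:\s+groups=(?P<groups>[\w.,()-]+))?"
)


def parse_id_output(text: str) -> Optional[dict]:
    """Pull uid/gid/groups out of id(1) output found anywhere in `text`."""
    m = ID_LINE.search(text)
    if not m:
        return None
    groups = []
    for part in (m.group("groups") or "").split(","):
        gm = re.fullmatch(r"(\d+)\(([\w.-]+)\)", part)
        if gm:
            groups.append((int(gm.group(1)), gm.group(2)))
    return {"uid": int(m.group("uid")), "user": m.group("user"),
            "gid": int(m.group("gid")), "group": m.group("group"),
            "groups": groups}


def check_response(payload: bytes, server_port: int,
                   client_port: int) -> Optional[Tuple[str, str]]:
    """Inspect one server->client payload. Returns (severity, message):
    'high' when id(1) output for uid 0 (or gid 0) came back, 'low' for any
    other id(1) output, None when nothing matched."""
    info = parse_id_output(payload.decode("ascii", errors="ignore"))
    if info is None:
        return None
    where = f"{server_port}->{client_port}"
    ident = f"uid={info['uid']}({info['user']}) gid={info['gid']}({info['group']})"
    if info["uid"] == 0 or info["gid"] == 0:
        return ("high", f"ATTACK-RESPONSES id check returned root ({where}): {ident}")
    return ("low", f"id(1) output in server response ({where}): {ident}")


# Constructed flows, not captured traffic: (server port, client port, payload)
SAMPLE_FLOWS = [
    (80, 40112, b"HTTP/1.0 200 OK\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"),
    (4444, 51000, b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    (80, 40113, b"<p>Running <code>id</code> as root prints uid=0(root) gid=0(wheel)</p>"),
    (22, 40114, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
]


def scan(flows=SAMPLE_FLOWS) -> List[Tuple[int, str, str]]:
    """Run the check over every flow and collect (server port, severity,
    message). The third sample fires although nothing was compromised;
    pairing the response with the request that preceded it (was 'id'
    actually sent?) is what removes that class of false positive."""
    hits = []
    for sp, cp, payload in flows:
        r = check_response(payload, sp, cp)
        if r:
            hits.append((sp, r[0], r[1]))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```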
RE: what's the real address?
In terms of the traceroute.. perhaps the system is simply spoofing the replies to instill fear or confusion? ;-) -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Thu, 31 Jan 2002, Rob Reeves wrote: > The machine seems to be down now, but my guess is they were running a script > or web service that redirected you to the CIA site and logged your attempt > to connect. > > Not sure why your Neotrace tool resolved to odci.gov. You might want to try > one of the live VisualRoute servers on the Internet: > > http://www.visualware.com/visualroute/livedemo.html > > > www.tracert.com is also good. > > > > ~Rob > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 30, 2002 7:41 AM > To: [EMAIL PROTECTED] > Subject: what's the real address? > > > Hello, > > I received a medium sized ftp scan from address 64.81.213.144 to my > subnet. Doing a traceroute resolved the IP to > dsl081-213-144.nyc2.dsl.speakeasy.net. A quick nmap scan showed port 80 to > be open.. But when I typed the IP into my browser, I was taken immediately > to www.cia.gov. Performing a tracert from a win machine brought up the > same speakeasy.net host. But using NeoTrace (graphical win trace route > tool) that IP resolved to www.odci.gov, which takes you to the cia.gov web > page.. What gives? > > > Cavell McDermott > Domino Admin > APW Ltd. - Texas Campus > 214-343-1400 - Main > 214-355-2022 - Direct > 214-341-9950 - Fax > http://www.apw.com >
Re: BCC email virus
Heh, I guess I didn't read the thread previous to yours.. IMO, that's exactly what you should do. Uninterpreted plaintext can rarely hurt you! :-) -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Wed, 30 Jan 2002, Meritt James wrote: > So why not simply disable the association to interpreters (including > VBS, of course) and modifying the configuration of your whatever reader > not to do that? > > John Daniele wrote: > > > > > Why just don't run emailed executables? > > > > Because for as long as you are running an email client that interprets > > vb/java/lotus/*scripting code, you are at risk. There have been cases > > where executable code is automatically run simply by clicking on the > > message as opposed to running it manually. I've also seen one case > > where the executable was executed accidentally by buggy code implemented > > as a part of the email client's export-attachment function. > > > > -- > > John Daniele > > Technical Security & Intelligence > > Toronto, ON > > Voice: (416) 605-2041 > > Email: [EMAIL PROTECTED] > > Web: http://www.tsintel.com > > -- > > -- > James W. Meritt CISSP, CISA > Booz | Allen | Hamilton > phone: (410) 684-6566 >
Re: BCC email virus
> Why just don't run emailed executables? Because for as long as you are running an email client that interprets vb/java/lotus/*scripting code, you are at risk. There have been cases where executable code is automatically run simply by clicking on the message as opposed to running it manually. I've also seen one case where the executable was executed accidentally by buggy code implemented as a part of the email client's export-attachment function. ------ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com --
Re: Audit Research - WHOIS?
Well.. probably better suited question for [EMAIL PROTECTED], but find the server that is authoritative for your company's corporate web site, and hope that you can perform a zone domain transfer. You may also get lucky if your company's provider hasn't secured the DNS server that is responsible for delegating authority and try to perform a zone transfer on the reverse arpa of your company's netblock. Then try each server, recursively. ---------- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Tue, 29 Jan 2002, Dee Harrod wrote: > True enough. This is for auditing purposes, though, > and I'm trying to approach it as a hacker would - not > using insider information. I've found a number of > domains that point back to us, but I'd like to find > all of them. Thanks, though. > > -- DS > > --- [EMAIL PROTECTED] wrote: > > > > Do you guys host your own dns? If so, on your dns > > server there should be > > zone files for every domain you manage. > > > > Cavell McDermott > > Domino Admin > > APW Ltd. - Texas Campus > > 214-343-1400 - Main > > 214-355-2022 - Direct > > 214-341-9950 - Fax > > http://www.apw.com > > > > > > > > > > > > Dee Harrod > > > > > > > [EMAIL PROTECTED] > > > > ahoo.com>cc: > > > > > > Subject: > > Audit Research - WHOIS? > > > > 01/28/2002 > > > > > > 03:36 PM > > > > > > > > > > > > > > > > > > > > > > > > > > I'm doing an audit on my corporate network. One of > > the > > things I'm trying to get is a list of all domains > > registered to the company. There are a lot of them. > > > > The problem is that I'm finding it increasingly > > difficult to track down that information. There are > > numerous servers out there that will do whois checks > > against a domain name. There are even a number that > > will do it against a word, and bring up all the > > domain > > names that match it. 
But I'd like to, say, query > > against a registration ID, or an email address, etc. > > That way I could find all domains registered by our > > registeration address. > > > > Any suggestions on how I might better approach this? > > > > -- Dee > > > > __ > > Do You Yahoo!? > > Great stuff seeking new owners in Yahoo! Auctions! > > http://auctions.yahoo.com > > > > > > > > > > __ > Do You Yahoo!? > Great stuff seeking new owners in Yahoo! Auctions! > http://auctions.yahoo.com >
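The two lookups suggested in that reply, as an added example that is not code from the original post: deriving the in-addr.arpa zone that delegates a netblock, building an AXFR request in DNS wire format with the standard library, and parsing what a cooperative server sends back (including the name compression every server uses). The example.com zone, its records and the 192.0.2.0/24 block are constructed sample data; the `axfr()` function is the only part that touches the network, and it only works against a server that has not restricted transfers, which is exactly the misconfiguration an audit is looking for.

```python
import socket
import struct
from typing import List, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}
QTYPE_AXFR, QCLASS_IN = 252, 1


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for a netblock: 192.0.2.0/24 -> 2.0.192.in-addr.arpa.
    Prefixes that are not octet-aligned round down to the enclosing octet
    (RFC 2317 classless delegations follow the provider's own naming)."""
    ip, prefix = cidr.split("/")
    octets = int(prefix) // 8
    if not 1 <= octets <= 4:
        raise ValueError("prefix must be /8 or longer")
    return ".".join(reversed(ip.split(".")[:octets])) + ".in-addr.arpa"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # RD clear: AXFR is not recursive
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumps += 1
            if jumps > 64:                        # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_axfr_response(msg: bytes) -> List[Tuple[str, str, str]]:
    """(owner, type, rdata summary) for every answer RR in one DNS message.
    A complete transfer begins and ends with the zone's SOA record."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError(f"transfer refused or failed, RCODE={flags & 0xF}")
    off = 12
    for _ in range(qd):                           # step over the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            summary = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5, 12):
            summary = read_name(msg, off)[0]      # rdata is itself a name
        else:
            summary = f"{rdlen} bytes"
        off += rdlen
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), summary))
    return records


def axfr(server: str, zone: str, port: int = 53, timeout: float = 10.0):
    """Request a transfer over TCP (each message carries a 2-byte length);
    large zones arrive as several messages, so read until the second SOA."""
    query = build_axfr_query(zone, 0x1234)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            hdr = s.recv(2, socket.MSG_WAITALL)
            if len(hdr) < 2:
                break
            msg = s.recv(struct.unpack("!H", hdr)[0], socket.MSG_WAITALL)
            recs = parse_axfr_response(msg)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
            records.extend(recs)
    return records


def sample_axfr_response() -> bytes:
    """Constructed reply for example.com (not a capture); 0xC00C points back
    to the question name at offset 12, as real servers do to save space."""
    ptr = b"\xc0\x0c"
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2002030101, 3600, 900, 604800, 86400))
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    answers = (rr(ptr, 6, soa) + rr(ptr, 2, encode_name("ns1.example.com"))
               + rr(b"\x03www" + ptr, 1, bytes([192, 0, 2, 10])) + rr(ptr, 6, soa))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)
    return header + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN) + answers
```

Run the same request against every name server returned for the forward zone and for the reverse zone of the netblock; a server that answers with RCODE 5 (REFUSED) is doing its job, and any that hands the zone over belongs in the audit findings.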
Re: keylogger?
Hi Michael, Before even considering the specifics of installing surveillance devices, do consider what you are trying to accomplish. Be clear as to what your company's intentions are. Are they to simply fire this individual or perhaps press charges? Perhaps you have already done this, but in either case I would advise you to review your company's HR policies before proceeding. Ensure that your HR policy specifically states that your employees may be closely monitored for internal security purposes. Also ensure that the suspect has signed off understanding and acceptance of these policies. If not, you may want to coordinate this operation with your company's lawyers as you may or may not be violating this individual's privacy rights, if any. If your company does intend to press charges, I would encourage you to enlist the services of a computer forensic investigator to assist in collecting evidence that can be admissible in a court of law. There are very strict procedures that need to be followed in order to meet admissibility requirements. Also consider the possibility that this individual files a wrongful dismissal suit. Having evidence on your side collected in accordance with the law may help prevent the suit from progressing any further. Also consider the possibility that once you begin monitoring this individual, you are witness to other, unrelated, criminal acts. You may be required by law to report this activity to the proper law enforcement authority. If proper procedure was not followed from the beginning, that evidence may or may not be admissible; making law enforcement's job that much more difficult. ------ John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Wed, 23 Jan 2002, Michael Ullrich wrote: > It looks like as if somebody in our company is misusing > the pcs of others. We have already changed passwords and stuff. 
> But nevertheless I want to install some kind of logging software on pcs > which we left open. The audit policy on NT4 (which is the os of those > pcs) is not enough. Does anybody know good logging software that is > free. It would be good if this could be installed without > Admin rights. > > Thanx > Mike > > __ > 100 MB gute Gründe. Jetzt im WEB.DE Club anmelden und Prämie sichern! > Superstars, Topevents und Wunschrufnummer inklusive - http://club.web.de > >
Re: CSS Question [CSS Explained /some Detail]
Better yet, only parse out and use the metacharacters that you absolutely require and ignore the rest. -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Sat, 19 Jan 2002, zero wrote: > > > > > > > > B - I've seen literature which says servers should > > > block " < > " ' ; ( ) + - " characters. If one has not > > > blocked all these types what are the implications > > > (i.e., if only <> types are blocked) ? > > > >while "<" and ">" are the first necessary step... those > >other special characters can sometimes used to > >modify HTML in other instances. All in all they are > >just a good idea to filter so users aren't messed with. > > > Not only HTML tags but also unix redirections: >> , >, << , < > > Alex > > > mailto:[EMAIL PROTECTED] > http://www.podergeek.com/ > http://www.citfi.org > -- > "The further backward you look, the further forward you can see" Winston > Churchill > "Access is GOD..." > >
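The difference between the two approaches in this thread, as an added example that is not code from the original posts: a blocklist that strips only `<` and `>` (the question asked what happens when the rest of the list is not blocked), an allowlist that states what the field may contain and rejects everything else, and output encoding at the point where the value lands in HTML. The profile page, the `user` field and the constructed attack value are assumptions. The attack value contains no angle brackets at all, so the blocklist passes it and it lands inside an attribute, which is the "other instances" the quoted reply refers to.

```python
import html
import re

# Allowlist: say exactly what a username may contain; reject the rest.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Blocklist from the thread, in its weakest form: only the tag characters.
BLOCKED = "<>"


def blocklist_filter(value: str) -> str:
    """Strip the blocked characters and pass everything else through."""
    return "".join(ch for ch in value if ch not in BLOCKED)


def allowlist_username(value: str) -> str:
    """Accept the value only if every character is on the allowlist."""
    if not USERNAME_RE.match(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def render_profile_unsafe(username: str) -> str:
    """Vulnerable form: blocklist on input, raw interpolation on output."""
    v = blocklist_filter(username)
    return f'<input type="text" name="user" value="{v}"><p>Hello, {v}</p>'


def render_profile(username: str) -> str:
    """Hardened form: encode for the HTML context the value lands in. The
    quote=True argument also encodes " and ', which matters inside an
    attribute value; the allowlist check belongs at input time in addition,
    not instead."""
    safe = html.escape(username, quote=True)     # & < > " '
    return f'<input type="text" name="user" value="{safe}"><p>Hello, {safe}</p>'


# Constructed attack value (hypothetical): closes the value attribute and
# adds an event handler without using a single < or >.
PAYLOAD = '" onfocus="alert(1)" autofocus x="'


def demo() -> dict:
    """Show what each approach does with the constructed payload."""
    unsafe = render_profile_unsafe(PAYLOAD)
    safe = render_profile(PAYLOAD)
    try:
        allowlist_username(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_has_handler": 'onfocus="alert(1)"' in unsafe,
        "safe_has_handler": 'onfocus="alert(1)"' in safe,
        "allowlist_rejected": rejected,
    }


if __name__ == "__main__":
    print(render_profile_unsafe(PAYLOAD))
    print(render_profile(PAYLOAD))
    print(demo())
```

The encoding function has to match the context: `html.escape` is right for element content and quoted attribute values, but a value placed into a JavaScript string, a URL or a CSS property needs that context's own encoding, which is why filtering characters at input time alone never settles the question.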
Re: Remote PC Management via LAN/WAN
Well then again... if you have the source, have the capability to perform a security code audit for due diligence, and understand how to implement a standard encryption algorithm that has undergone several years of peer review (or AES :P)... After all.. source to Back Orifice is available, and there is support for 3DES over tcp or udp! I say put things into perspective; no one in their right mind would simply download a trojan executable and use it to administer an enterprise environment with sensitive information (at least I hope not).. but if you got the source and the know how -- it's all fair game. -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com -- On Thu, 17 Jan 2002, Levi Pugh wrote: > First of all I would like to say thanks for all the replies. > > I agree it would be very unethical to use a Trojan to control a > network. And under no circumstances would I endanger any network with such > an idea even. As Security Professionals we have to be aware of all aspects > of Security. So with this in mind we have to take certain steps to testing > in an controlled environments. *security by obscurity* or even *security > through obscurity* is detrimental to all in the computer field. There are > certain steps that need to be followed to make security by obscurity from > software companies/writers non-existent. They maybe already in the works or > there is already a standard that's in place. > This is just my opinion and the following statement earlier was a quick > question I wanted to see other Security Professionals view points on this > subject. Also if you have any resources that you would like to share or > opinions don't hesitate. But be considerate... > Thanks > > > Hello Fellow Subscribers, > > The Question I have is: What is your opinion on using a Trojan like > SubSeven to manage your network or even any other Remote Management type of > Program? 
And if you were how would you go about and testing the Prog for > Backdoors. And also could you suggest any remote management Software that > you have found useful and free is the key word here. > > > > Levi M Pugh > PC TECH III > Fortune 800, Inc > 5200 Golden Foothill Parkway > EL Dorado Hills, CA 95762 > (916)605-0185 > www.Fortune800.com > > >
Maintaining Time Integrity
The proper synchronization of time is vital to any organization, particularly those that are responsible for processing financial transactions (or any data of a transactional nature, for that matter), for one main reason : liability. If a transaction is ever disputed within the court of law, evidence pertaining to the transaction must be presented. Therefore, (speaking from a Canadian perspective), the rule of 'best evidence' applies; you must be able to provide proof of the integrity of the system wherein the transactions are recorded or stored. The integrity of an electronic documents system is proven by providing evidence that the times used by the system and any related devices were correct, that the system was operating properly during the time the transaction occurred, or at least that the malfunction would not have affected the integrity of the electronic document evidencing the transaction. Also, there must be no other reasonable grounds to doubt the integrity of the electronic documents system, as referenced by the Canada Evidence Act Section 31.3(a). -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] Web: http://www.tsintel.com --
RE: How can I detect someone sniffing my network? (fwd)
Antisniff is a cool tool that exploits certain 'features' inherent in some TCP/IP stack implementations to detect the supposedly passive activity of sniffing. However, do keep in mind that if these features have been corrected or a custom TCP/IP stack is used, you will not be able to detect passive sniffing. If an attacker is attempting to 'sniff' packets across a switched segment, examining traffic data for suspicious looking ARP redirects will work. Ultimately, your best bet is to simply architect countermeasures. For instance; establish three tiered 'security zones' in your environment (not trusted, semi-'trusted', 'trusted') and implement proper segmentation at the network AND application level, utilize MAC lock-in port features on your switches, ensure trunking ports exist on their own VLAN, etc. -- John Daniele Technical Security & Intelligence Toronto, ON Voice: (416) 605-2041 Email: [EMAIL PROTECTED] http://www.tsintel.com --
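The ARP-redirect check mentioned above, as an added example and not code from the original post: a monitor that keeps an IP-to-MAC table from the ARP replies seen on the segment and reports an address whose MAC changes, the addresses that more than one MAC has claimed, and any MAC answering for more than one address (the attacker's card answering for both itself and the gateway). The reply records are constructed, not captured, and the gateway's "known" MAC is an assumption. Legitimate events (DHCP reassignment, a VRRP/HSRP failover, a replaced NIC) produce the same signature, so a static table for the addresses that matter keeps the noise down, and the last-seen-wins behaviour of the unknown-host case is exactly how the victims' own ARP caches behave, which is why MAC lock-in on the switch port or static ARP entries for gateways are the countermeasure rather than detection alone.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed ARP replies as a monitor on the segment would log them:
# (seconds, sender IP, sender MAC). Not captured traffic.
SAMPLE_ARP = [
    (0.0, "10.0.0.1",  "00:00:0c:aa:bb:01"),   # gateway answering normally
    (0.5, "10.0.0.25", "00:0a:95:10:20:30"),   # an ordinary host
    (1.0, "10.0.0.1",  "00:00:0c:aa:bb:01"),
    (1.2, "10.0.0.1",  "00:0a:95:10:20:30"),   # .25's MAC now claims the gateway
    (1.4, "10.0.0.25", "00:0a:95:10:20:30"),
    (3.0, "10.0.0.1",  "00:00:0c:aa:bb:01"),   # the real gateway answers again
]

# Assumed: the gateway's genuine MAC, configured by hand rather than learned.
KNOWN = {"10.0.0.1": "00:00:0c:aa:bb:01"}

Alert = Tuple[float, str, str, str]   # (time, ip, mac before, mac claimed)


def detect_arp_redirects(records: Iterable[Tuple[float, str, str]],
                         known: Optional[Dict[str, str]] = None
                         ) -> Tuple[List[Alert], Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Walk ARP replies in time order. Returns (alerts, contested, impersonators):
    alerts   - each reply that contradicts the MAC currently held for an IP
    contested    - IPs claimed by more than one MAC during the window
    impersonators - MACs that claimed more than one IP during the window"""
    known = known or {}
    table: Dict[str, str] = dict(known)         # ip -> mac currently believed
    claimants: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for t, ip, mac in records:
        claimants[ip].add(mac)
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac                     # first sighting: learn it
        elif prev != mac:
            alerts.append((t, ip, prev, mac))
            if ip not in known:                 # pinned entries never move;
                table[ip] = mac                 # learned ones follow the flap
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, macs in claimants.items():
        for mac in macs:
            by_mac[mac].add(ip)
    contested = {ip: macs for ip, macs in claimants.items() if len(macs) > 1}
    impersonators = {m: ips for m, ips in by_mac.items() if len(ips) > 1}
    return alerts, contested, impersonators


if __name__ == "__main__":
    alerts, contested, impersonators = detect_arp_redirects(SAMPLE_ARP, KNOWN)
    for t, ip, before, claimed in alerts:
        print(f"t={t:4.1f} {ip} held by {before}, claimed by {claimed}")
    print("contested:", contested)
    print("impersonators:", impersonators)
```

Without the pinned entry the same records produce a second alert at t=3.0 when the real gateway answers again; that flap-back is itself a useful signal, since a genuine address change does not revert seconds later.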
Vendor Contract Computer Security Requirements
I would encourage you to contact a lawyer that has an understanding of your business and a background in technology law for your own due diligence. However, does your company have policies, standards and supporting procedures regarding confidentiality and non-disclosure, handling of sensitive information or data, general security and professional behavior or ethics policies? If so, perhaps an addendum to the contract whereby the vendor will sign off understanding and acceptance of your company's established policies and procedures will do. Then again, I'm not a lawyer, take the above with a grain of salt. If your company does not have any written documentation that relates to your concerns, perhaps this is a perfect opportunity to sell your superiors on the idea of establishing proper policy, in turn better managing your risk. -- John Daniele Technical Security & Intelligence http://www.tsintel.com --
RE: Hardening VS firewalling
Hello, In order to properly evaluate any sort of defensive strategy, one must first attempt to answer the following questions: who is your adversary? what are their potential capabilities? do they have access to financial resources? to what extent? and do they have the luxury of time? what is the extent of *your* financial resources? what are *your* capabilities? A proper baseline must be established. However, I think the question should be modified to include access control mechanisms in general; otherwise, we are comparing apples to oranges. A network based firewall will not protect against a web application vulnerability, however an application firewall might, compartmentalization might, RBAC might... depends on the circumstances. Suppose, theoretically, we can quantify security and measure the level of security that a system possesses. What influence would the concept of susceptibility to attack have on this measurable quantity? Access control mechanisms would reduce exposure, in turn, reducing the system's susceptibility to attack, but does it make the system any more secure? Does the concept of vulnerability still exist within an environment of implicit trust? IMNSHO, access control is often misused as a tool of obfuscation. One should always assume that the security controls in place within an infrastructure CAN and WILL be circumvented; then, architect accordingly. The most common mistake made within the security industry is failure to do so. Bottom line -- system hardening is your first line of defence. Not doing so creates a risk. However manageable that risk may be in the short term, the survivability of your system will be reduced in the long term. -- John Daniele Technical Security & Intelligence http://www.tsintel.com --