Download Managers
Hi,

Just wondering on thoughts about download managers: do they pose a security risk? Any known to be trojaned? The one I use is GetRight, does anyone know if this one has known security issues?

Any thoughts appreciated, thanks.

Leon
RE: CIS Security template
I had to change the SFCScan value because I got Windows File Protection errors on many of the machines; other than that it worked well. Most importantly, however, make sure you test it out on your various standard environments first, this should catch most potential issues early. You may also find you will need slightly different versions depending on the systems aimed at.

Regards,
Leon

-Original Message-
From: Simon Taplin [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 5 January 2003 7:29 AM
To: Security-Basics
Subject: CIS Security template

Has anybody run into any problems using Win2000 Pro when they have installed/run the CIS Win2kProGold_R1.2 security template? The PC's would be used by students studying anything from a basic secretary course to graphic design to, in some cases, MCSE students.

Thanks
Simon

Quote of the day: Systems Administration is the kind of job that nobody notices if you're doing it well. People only take notice of their systems when they're not working.
RE: XP admin shares
Yeah, I searched google and read that, which is why I said:

You can do it through Computer Management but they'll be re-enabled at reboot

Thanks to everyone for your help in pointing out the Win2k Reg Key location is still correct, and if this doesn't previously exist it can safely be created. Doing this worked a treat. :)

-Original Message-
From: flur [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 10 December 2002 10:33 AM
To: [EMAIL PROTECTED]
Cc: Leon Pholi
Subject: Re: XP admin shares

Try reading Microsoft Knowledge Base Article #314984 entitled HOW TO: Create and Disable Administrative Shares on Windows XP. You can find it at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q314984

Remember, Google is your friend.

At 11:27 AM 12/09/2002 +1100, you wrote:

Hi everyone, Just a quick one, does anyone know how to stop the default administrative file shares in Win XP (professional edition)? One would think this would be a standard part of locking down a box, but I can't find much on it for XP. You can do it through Computer Management but they'll be re-enabled at reboot, and the Win2k key of HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks doesn't seem to exist. Any ideas?

Thanks,
Leon

~FluRDoInG [EMAIL PROTECTED]
http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02 C06B 83FF E6C5 8C2C 37C4
XP admin shares
Hi everyone,

Just a quick one, does anyone know how to stop the default administrative file shares in Win XP (professional edition)? One would think this would be a standard part of locking down a box, but I can't find much on it for XP. You can do it through Computer Management but they'll be re-enabled at reboot, and the Win2k key of HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks doesn't seem to exist. Any ideas?

Thanks,
Leon
RE: WIRELESS THEFT
Would it also come down to trespass? Just a thought...

nard
http://www.nardware.co.uk

-Original Message-
From: Robert J. Young [mailto:rjyoung;frankie.ca]
Sent: 18 October 2002 17:26
To: [EMAIL PROTECTED]
Subject: Re: WIRELESS THEFT

It's a theft of service. The wireless part is not relevant. This is the same as if you hooked a telephone up to a phone line in your neighbour's house without his permission. The fact that they have poorly secured their services doesn't make this less illegal. Maybe you should tell them about their problem, though.

Amit P. Gandre wrote:

Hi, Can someone tell me if there are any laws regarding wireless theft? One of the apartment complexes near mine has free wireless connections offered to their residents. Now, my computer happens to catch that signal. Now, is that illegal? If so, how should I go about dealing with this issue?

Amit

--
[EMAIL PROTECTED]
http://www.frankie.ca
Formation of Network / Information Security user group: Reading UK
Hello.

A user group for people interested in network security is being formed in the Reading (UK) area. The general ideas behind the group include:

* Allowing like minded people to bounce ideas off each other.
* Learn something new.
* Converse and discuss new developments.
* Pass on knowledge.
* The possibility of arranging guest speakers exists but will depend on levels of interest.
* Drink beer.

If anyone is interested in joining, please send a mail to: [EMAIL PROTECTED]

Nard.
Firewall options- which way to go
Hi,

I am looking at options for setting up a Linux firewall for our company. Although I am a relative newbie to Linux, I'm not afraid to get my 'hands dirty' with IPTables etc. I have a couple of questions and would appreciate all comments.

1) Is it better to use a purpose built distribution such as Smoothwall, IPCop or firewall specific ones from Redhat, Mandrake, SuSE etc., or would it be better to use a standard distro and build it from scratch (bearing in mind I haven't yet recompiled a kernel but I'm willing to give that a go too)?

2) If building from scratch, kernel version 2.4 supports both ipchains and iptables (newer). Does anyone have a strong view on using one over the other? If using a purpose built one, does anyone have any experience based preferences?

3) Other than just suggesting to do a google search, are there any resources (a simple step by step howto would be good) you would recommend for the suggested approach?

All help greatly appreciated. Thanks in advance.

Leon
RE: Word 2000 Password Recovery
I have the PDF version and it works fine; I haven't used the Word version. www.elcomsoft.com

Saludos,
Jose D. Crespo de Leon
MCSE, MCSA, CISSP
E-mail: [EMAIL PROTECTED]
Mobile: 787-607-8574

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Word 2000 Password Recovery

Sorry about sending that without a subject... Does anybody know of a good tool (hopefully free) for Word 2000 Open Document password recovery? Will it work with WordXP documents (w/ the Office2000 Compatibility set)?

~Richard M. Conlan
RE: L0phtcrack3 Metrics
I would use LC4; the what's new section claims the algorithms are improved and the cracking time is faster. Just a thought.

Cheers,
leon

-Original Message-
From: Michael Ungar [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 12:31 AM
To: [EMAIL PROTECTED]
Subject: L0phtcrack3 Metrics

I've been challenged by one of my peers to provide metrics on the amount of time it would take L0phtcrack3 to crack an eight character password that was alphanumeric vs a similar password that was alphanumeric but had a requirement for upper and lower case level. So for example, would it take L0phtcrack3 significantly longer to crack a password of 1367AseR vs 1367aser?

Thanks.
Mike Ungar
RE: ISS and NFR
What about using sourcefire? www.sourcefire.com from the maker(s) of snort.

Cheers,
Leon

-Original Message-
From: shawn merdinger [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 4:08 PM
To: ABRAHAM AJI
Cc: [EMAIL PROTECTED]
Subject: Re: ISS and NFR

Gee...you're not looking at Cisco's offerings? They have both network IDS and host IDS products. http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm

-scm

On Sun, 2 Jun 2002, ABRAHAM AJI wrote:

Hello, Is anybody having a document which compares performance and features of the Intrusion Detection Systems from the above two vendors? We are in the process of evaluating IDS for our company. Has anybody done tests on these products? Your reply in this regard is highly appreciated.

Aji Abraham
RE: Snort or Ethereal for a relative newbie?
Thomas,

I thought Snort was capable of dropping packets based on the snort ruleset... am I wrong?

Basically yes, you are wrong. Snort captures packets using libpcap and runs them through a ruleset to decide whether they could contain suspicious traffic; if it matches anything an alarm will be created. You can then review the alarms (or have an automated tool do this for you) and decide on the action to take. Consider this...

(Internet)--|hub|
             |---|firewall|---|hub|
             |                  |---|snort|
             |---|snort|        |
                                |---|internal lan|

Your firewall (should) block access to all ports excluding specific ones that you specify, therefore if you have TCP:80 open for a web server, you are allowing any traffic (including exploit code) through the wall. Snort would pick this up and let you know. Remember to make sure that if you have a sensor external to your firewall it is secure, but that's another conversation.

Does anyone have any in depth installation and config tutorials? Snort.org has a few, but nothing I can make good use of.

There are many documents about setting up snort out there, and to be honest if you are accustomed to compiling software on UNIX based systems you will not have problems installing snort. As far as configuration goes, the config file itself (snort.conf) has a great many comments describing what everything does. If you get really stuck, you could take a look at a document about setting up a honeypot I wrote a while ago, it touches on snort a little. http://62.231.147.171/nard/Honeypot1.htm

Good luck,
Leon Ward aka nard
Please direct replies to: [EMAIL PROTECTED]

-Original Message-
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
Sent: 29 May 2002 21:13
To: Leon Ward
Cc: [EMAIL PROTECTED]
Subject: Re: Snort or Ethereal for a relative newbie?

I thought Snort was capable of dropping packets based on the snort ruleset... am I wrong? Is that performed only by the firewall? I realise Ethereal is only for listening to what's happening.

Does anyone have any in depth installation and config tutorials? Snort.org has a few, but nothing I can make good use of. I'll check out silicondefense... although I'm not on any MS product - Mandrake Linux 8.2

Regards,
Thomas Madhavan

Leon Ward wrote:

It seems that you are thinking slightly along the wrong lines here, Snort and Ethereal capture packets and do not block anything. Snort has the capability to inspect packets against a set of rules and report accordingly (alert on suspicious traffic). Ethereal captures packets for the purpose of allowing a user to inspect what is going on the wire. As far as the snort compiling problems go, check that the directory that libpcap installed its libraries into is listed in your /etc/ld.so.conf file. Try installing both libpcap and snort from source, you will get more installation options.

Nard

-Original Message-
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
Sent: 25 May 2002 15:29
To: [EMAIL PROTECTED]
Subject: Snort or Ethereal for a relative newbie?

Hi all. Responses have been good before so I thought I'd try again. I've recently set up a Mandrake 8.2 workstation. I've used firestarter to build a firewall, and I want to use a packet sniffer. After installing Snort, it didn't work due to a data type 113 error. I uninstalled it, then reinstalled from an RPM, but apparently I don't have libpcap installed (which I do). So, I tried Ethereal and it works fine. However, can rulesets be applied to Ethereal as they can with Snort? I want a little extra security, not just logs of packets. If Ethereal *can* be used to block packets, is it a good substitute for snort? Or would I benefit from using Snort instead? There also seem to be a lot of snort reporting tools - are there any for Ethereal?

Thanks a lot,
Thomas Madhavan
RE: banned sites lists!
As much as J Dyson will hate this (because his site is unfairly banned IMHO), you can try Websense.com. They have quite a list.

HTH,
Leon

-Original Message-
From: Ivan Hernandez [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 24, 2002 4:32 PM
To: [EMAIL PROTECTED]
Subject: banned sites lists!

Hello. I have searched google and the bugtraq mail list with no luck while looking for banned sites lists. I mean, porn, warez, banners, ads, big cookie damage and all those things that I don't want my sweet and innocent network lusers to see through my proxy :) Any list would be appreciated, recyclated, processated and devlutionated later to this mailing list in order to make a benefit for others in my situation!

Thanks in advance...
Ivan Hernandez
RE: Cisco IOS question
I believe that telnet and ssh are run as all or none deals. What I mean by this is they are not running on 1 interface per se (well, you actually can do what you want by choosing which interface you apply the access list to); they are running on all interfaces for the router (meaning if you don't filter traffic with an access list people can reach the service from all interfaces).

Why not write an extended access list (101 - 199) and permit specific ips (or ip ranges) to access port 23 (if you have the enterprise IOS you should just get rid of telnet altogether and run ssh); if you choose to run ssh just permit access to port 22. Just apply the access list to the interface you want people to reach it from. By default there is a catch all deny rule at the end, so if you don't permit telnet or ssh in the access list applied to your serial 0/0 it will by default be denied.

If you need help with the syntax or writing acls please feel free to contact me off list.

Best regards and HTH,
Leon

-Original Message-
From: Kevin Brooks [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 12:21 PM
To: [EMAIL PROTECTED]
Subject: Cisco IOS question

On my cisco 3600 router, how can I disable telnet into serial 0/0? I do need to leave telnet open on FastEth0/0 but I don't want anyone to be able to telnet in from the outside. Any Ideas?

Thanks
RE: firewall+dns on a unique device
Small device, as in physically small or lightweight?

Cheap? What's cheap, do you mean free?

Anyway, here are some links.

http://www.ipcop.org
http://www.smoothwall.org
http://www.gnatbox.com - They do a light version that's PUFFware and a new RoBox device.
http://www.gta.com/ - Info about the GTA RoBox, is that small enough for you?
http://www.linuxrouter.org/

-Original Message-
From: Mike Fox [mailto:[EMAIL PROTECTED]]
Sent: 18 May 2002 23:32
To: [EMAIL PROTECTED]
Subject: firewall+dns on a unique device

Hi, Does someone know of a small device that has a firewall and dns server on it and is really cheap? I don't want to go for a linux box but prefer a small device instead.

Thx.
Mike
RE: Restricting DHCP addresses to known MAC's via Win2K DHCP server
This can be done with cisco switches and port security. IN FACT you don't even have to hard code the mac address, you can actually tell the switch to set the port for the mac addy of the first frame it receives.

HTH,
Leon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 10:04 AM
To: [EMAIL PROTECTED]
Subject: Restricting DHCP addresses to known MAC's via Win2K DHCP server

There's been periodic discussion on this list about restricting DHCP leases by MAC address and the relative merits of doing so. My question is once the decision is made to do it, how is it being done? Does anyone know how to do it in a Win2K server environment? (Win2K DHCP services...) If not possible, is there a typical strategy people are using to restrict granting of DHCP addresses to known MAC's?
RE: DHCP Security Questions
Couldn't checkpoint meta-ip do what the original poster asked? Sorry to be late on the response but I get the list in digest form.

Cheers,
Leon

-Original Message-
From: Richard Westlake [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 3:22 PM
To: Chris
Cc: [EMAIL PROTECTED]
Subject: Re: DHCP Security Questions

Chris

There is no easy way to stop this. If they can change the IP address on their system then they can set any address they like. You could try the following:

1) Take away admin access. Not possible with visitors' personal laptops etc.; can't do this with all OSs, e.g. 95/98.

2) Run something like arpwatch (free) to record MAC/IP addresses. This will notice new systems on the network and will also report address flip-flops when two systems try and use the same IP address. We use this and it has spotted badly configured systems and people borrowing (stealing) IP addresses. Doesn't prevent the problem but it makes it easier to find and fix. Problems of two systems using the same address (IP, DECNET etc) can be very hard to debug. For arpwatch try http://www-nrg.ee.lbl.gov/nrg.html or a google search.

3) Split the network into two with a router. One network can have your static address servers and other important stuff, the other can have the DHCP assigned addresses. This reduces the damage people can do; still a problem if they steal the IP address from your or the MD's laptop. You could also add a network just for visitors.

4) Use SNMP on the switches to report when a port goes live. Then with SNMP query the address table and compare it with a list of allowed MAC/IP addresses (DHCP server lease file) and possibly which ports they can use. If you don't like the system on the port which has just gone live then block the port or move it to a VLAN where it can't do any harm. Maybe you can get a network management system to help with this. This could be a lot of work! If you ever try it please let me know how you got on.

If you have a lot of people turning up with laptops etc. and they already have ID/passwords on your system then you could use something like netreg (free) http://www.netreg.org/ to automate the MAC registration. Matt Campbell at RIT has implemented a similar system which does watch the switches and move ports for new systems to different VLANs http://www.rit.edu/~mrcsys/dhcp/

Netreg type packages are useful if you don't want random strangers wandering into the building, finding an unused port in a quiet corner, connecting to the network, getting an IP address and having fun with your servers etc.

All the best and good luck

Richard Westlake
School of Crystallography, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 020-7631-6859
-- Truth endures but spelling changes -- Anon.

On Tue, 14 May 2002, Chris wrote:

Date: Tue, 14 May 2002 09:10:26 -0700
From: Chris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: DHCP Security Questions

I was curious to find out about some issues that I would like to prevent if at all possible. I am running a network with a DHCP server handing out public IP's to clients. It is also reserving by the MAC for clients that have static publics. My concern is someone that has legitimate access to the network purposely or accidentally setting their IP to an IP that is already taken and logging on to the network and causing problems. Obviously this could really be a problem if it is a business client and they are running some sort of server and someone logs on with that IP. Does anyone know of a way to prevent this? If you need more details please ask.

Thank You,
Chris Raynor
Network Security
Mendo Link, LLC
An Ounce Of Prevention Is Worth A Pound Of Cure.
Tripwire Policies
I have 2 questions for the group.

1) Has anyone betaed tripwire 3.0? I am especially interested in the policy wizard and if anyone has found this helpful.

2) Does anyone have any written policies they could share (especially for the win2k platform)? I used the policy creator on the tripwire site policy.tripwire.com and although it does provide something to work off of, it is based on a default install (I am getting errors about not having pinball and solitaire installed :)

So to reiterate, has anyone used the beta for 3.0 (the new version comes out this Monday) and does anyone have policies they wouldn't mind sharing or a website where I can find policies already done?

TIA,
Leon
RE: IDS Setup
Hi Adam,

My 0.2 Euros worth. You are kind of on the correct path, but consider this... I am _guessing_ that you are thinking of a setup along the lines of:

(Internet)--|hub|
             |-|firewall|---|hub|
             |                |-|snort|
             |-|snort|        |
                              |-Rest of internal Network

If diagrams don't look correct in your mail reader, paste into a text editor (and get a good mail client).

If I do that, can I reasonably assume that any incidents that show up in the outside Snort ARIS logs AND NOT in the firewall logs got through the firewall?

Remember, the firewall (should) block access to all ports excluding the ones that you specify, therefore if you have TCP:80 open for a web server, you are allowing any traffic (including exploit code) through the wall. Yes, the attack should show on the external snort sensor and the internal sensor; what shows up in your firewall logs depends on what firewall you are using.

Can I also reasonably assume that, should something show up in the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the inside Snort ARIS logs, that the inside Snort station is not functioning properly? By not functioning properly I mean anything from bad NIC to improper configuration to Snort sucks.

Think about having TCP:80 closed. A CodeRed v2 probe enters your network bound for an IP that does not have a webserver running on it, therefore your firewall is closed for the request. The external sensor will pick up the attack, your firewall will alarm you that there has been an attempt to access a closed port, and your internal snort sensor will not know anything about it because the traffic has been blocked from entering your internal n/w.

An Important Point

Do you have ports open on your firewall that are allowing access to systems in your internal network? Are you supplying services to the outside world from inside your protected network? Think SERIOUSLY about using a DMZ/PSN. It would look something like this:

(Internet)--|hub|
             |-|firewall|DMZ|hub|
             |      |         |-|snort|
             |-|snort|        |-|Webserver|
                    |         |-|FTP|
           internal network   |-|SMTP|
                    |
                  |hub|
                    |-Server's
                    |-Client's

Therefore you can deny any access to clients and servers in your internal network and still supply services to the internet.

Hope this helps.

Nard
Leon Ward
Added Dimension Ltd

-Original Message-
From: Adam Shephard [mailto:[EMAIL PROTECTED]]
Sent: 17 May 2002 20:03
To: [EMAIL PROTECTED]
Subject: IDS Setup

I suffer from a logic deficiency and I've been tossing an idea around in my head. I thought it might be a good idea to run the logic past the people here. I have a firewall between my network and the world and Snort behind my firewall. That Snort station reports to ARIS. I'm toying with the idea of putting another Snort station on the outside between my firewall and the world and having it also report to ARIS.

If I do that, can I reasonably assume that any incidents that show up in the outside Snort ARIS logs AND NOT in the firewall logs got through the firewall?

Can I also reasonably assume that, should something show up in the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the inside Snort ARIS logs, that the inside Snort station is not functioning properly? By not functioning properly I mean anything from bad NIC to improper configuration to Snort sucks.

It makes sense to me that this would work but, you know, the logic thing.
RE: Strange situation with outlook
Look at fetchmail.

Nard
Leon Ward
Added Dimension

-Original Message-
From: John D from Best Price Cruises [mailto:[EMAIL PROTECTED]]
Sent: 17 May 2002 14:32
To: Security-Basics Mailing List
Subject: RE: Strange situation with outlook

Sorry, I forgot to say we use pop... Right now, I have him locking his computer with either the screen-saver or by using Ctrl+Alt+Del (we use win2k). This is the only solution that I've managed to come up with so far; any other ideas (especially if they are better/more secure) would be appreciated.

John Diaz
Technical Department
BestPriceCruises.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 10:45 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Strange situation with outlook

Do you use pop or have an Exchange server? (does the best answer get a free cruise? :-) )

-Sanjay

-Original Message-
From: John D from Best Price Cruises [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 3:03 PM
To: Security-Basics Mailing List
Subject: Strange situation with outlook

I have a unique situation (or at least I think it is) with one of my users. He gets a lot of email, and it comes in constantly. To prevent tying up his machine in the morning, he leaves it logged in all the time so outlook can be constantly getting his mail. I really would like to be able to have him log out and still have his mail coming in (this might just be a pipe dream). I've been looking and I can't find a solution to this problem. Any help would be appreciated.

John Diaz
Technical Department
BestPriceCruises.com
[EMAIL PROTECTED]
Active Directory Security Migration Questions:
Hi,

I had a coworker ask me the following questions and I was unsure of the answers to most, so I thought I might ask for some help.

1) What does native mode bring in terms of granular user rights and group policy that mixed mode does not?

2) Are there specific security advantages to using native mode over mixed mode? If so, what are they?

I really appreciate the help and thanks again.

Cheers,
Leon
Tripwire Docs
Hi,

Does anyone have any specific favorite guides for setting up tripwire on 2000? They don't seem to offer much on the tripwire site (some whitepapers and other pdfs that don't really help much). I tried searching google but as always (is this good or bad) the signal to noise ratio is ridiculous. Putting in the word Tripwire with various other keywords always left me with well over 500 hits. Does anyone have any docs or links they have read and found informative? I am talking specifically about version 3.0 for servers. Also if you just have any general advice or "watch out for this" kind of comments, that would be appreciated also.

Cheers and thanks again,
Leon
RE: Strange scan and port 80 output from an ip
I would guess that there is a script kiddy now in control of the box. He is probably using an automatic tool to search for a certain known vulnerability in web servers by the 1000. Due to the content of the web page being served by the host, my immediate assumption (and remember kids, assumption is the mother of all f*k-ups) is that the host that scanned you has previously fallen to the exploit. It is now owned by sex0r and the page is just to show off his great l33tn3ss. The host is probably now doing all his dirty work of scanning ip's by the 1000.

Just my immediate thoughts, please take with a pinch of salt.

Best Regards
Nard.
[EMAIL PROTECTED]

-Original Message-
From: KoRe MeLtDoWn [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 07:38
To: [EMAIL PROTECTED]
Subject: Strange scan and port 80 output from an ip

Hello,

Just a few minutes ago I received a scan from the ip address 210.101.95.51 on port 80 with the source port being port 3021. Two separate connection attempts were logged one after the other. The output from my firewall was as follows:

Start Output
IP: 210.101.95.51
Node: ±èâÁØ
NetBIOS: ±èà
Group: WORKGROUP
MAC: 000102FBE16B
DNS: ±èâÁØ
End Output

If you connect to this IP on port 80 you get a webpage output that reads the following: sex0r lowd l33tn3ss sex0r geeklab.org contact:[EMAIL PROTECTED]

The reason I've posted this is because I have been scanned by these people before, and wanted to know what they were about, and if possible what they were attempting to do on my machine.

Thanks in advance for your help

Peter Francis
-= KoRe WoRkS =-
Internet Security
Owner Operator
http://www.koreworks.com/
New Zealand
Is your box REALLY secure?
RE: IIS 5 Log File Question
1) This is a code red v2 infection attempt. Unfortunately web server admins are having to class these as just normal background traffic. Please people - MAKE SURE YOU ARE PATCHED!

Looking for holes left by CR v1:
GET /Rejected-By-UrlScan ~/scripts/root.exe 404 123 - 2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80

Testing to see if the box is susceptible to directory traversal, tests many times using different extended unicode chars:
GET /Rejected-By-UrlScan ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 - 2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80

2) Yes. It comes with the IISLockdown tool. If you want to know more about URLSCAN let me know, I wrote a walkthrough of the options for someone a while back and I'll send it on to you.

3) Pissing in the wind I am afraid. It would be useful to send an email to the person in charge of the IP address and CC it to their ISP, but don't hold your breath.

4) MAKE SURE YOU ARE PATCHED! This is the MOST important thing you can do! Also look at some of the IIS / Win2k hardening docs on the internet and go through them carefully.

Just a couple of seconds of thought.

Best Regards
Nard
Please reply to : [EMAIL PROTECTED]

-Original Message-
From: Craig Brauckmiller [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2002 13:55
To: [EMAIL PROTECTED]
Subject: IIS 5 Log File Question

Hello all and forgive my ignorance in this area. We are in the process of bringing our website in house. It was being hosted externally. The site is almost up and I was just poking at the logs and was intrigued by what I saw. Below is a snippet from the logs. Can anyone tell by looking at it:

1. What type of vulnerabilities were they looking for?
2. Does the fact that it says Rejected by urlscan imply that URLScan from M$ is loaded? I didn't do this myself...that's why I'm curious.
3. What is the best course of action in regards to the individual attempting these activities? I traced the IP back to RoadRunner. Should I call their customer service and complain or am I just pissing in the wind?
4. I did run the IIS Lockdown wizard. Is that sufficient for most types of attacks? What other tools should I consider running?

#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/root.exe 404 123 -
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/MSADC/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/c/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/d/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

Thanks so much for this great list.
Craig Brauckmiller

This E-mail and its attachments have been scanned for viruses before delivery. For more information contact [EMAIL PROTECTED]
This E-mail and its attachments have been scanned for viruses before delivery. We recommend that all attachments are also checked by recipients before being viewed. For more information contact [EMAIL PROTECTED]
RE: Dictionary Word List
ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/ Very useful wordlists. Includes lists of sci-fi characters, common passwords, girls' names, hitchhikers guide words etc. Nard [EMAIL PROTECTED] -Original Message- From: Craig Strait [mailto:[EMAIL PROTECTED]] Sent: 08 May 2002 19:52 To: [EMAIL PROTECTED] Subject: Dictionary Word List Hello All, I'm looking for an English dictionary word list to crack an Excel file. (You've got to love end users..) I've looked all over the place and can't find any suitable word lists. Can someone point me in the direction of a large word list? Thanks! Craig Strait, MCSE, CNE Senior Network Engineer Tracker Business Systems, Inc. This E-mail and its attachments have been scanned for viruses before delivery. For more information contact [EMAIL PROTECTED] This E-mail and its attachments have been scanned for viruses before delivery. We recommend that all attachments are also checked by recipients before being viewed. For more information contact [EMAIL PROTECTED]
FW: Security Documentation related to Banking
I have a friend who works in banking and this is what he provided me with when I forwarded him the mail. Also might check the report called Suspicious Activity Review - Trends, Tips Issues (issue 3, Oct '01): http://www.ustreas.gov/fincen/sarreviewissue3.pdf The Suspicious Activity Report and the guidelines: http://www.ncua.gov/ref/sar/f9022-47-1(fill-in).pdf http://www.ncua.gov/ref/sar/SARGuidelines.pdf If you get anything off list you could share with me or the group I am sure we would all appreciate it. Cheers, Leon -Original Message- From: Sumit Dhar [mailto:[EMAIL PROTECTED]] Sent: Saturday, May 04, 2002 6:15 AM To: [EMAIL PROTECTED] Subject: Security Documentation related to Banking Hi, Would anyone be aware of any security related documentation connected to 1. Banking 2. ATM (Teller Machines) Security The areas that I would really like to explore are: a. Cryptography in ATM networks, key management and hardware locks b. Any banking security related documentation. I would prefer some kind of online documentation, white papers on these topics. With Regards, Sumit Dhar (http://dhar.homelinux.com/dhar/) Manager, Research and Product Development, SLMsoft.com
Wireless Technology (can it be secured and how)
The subject speaks for itself. I have covered the following documentation: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm http://rr.sans.org/wireless/limits.php http://rr.sans.org/wireless/netsec.php http://rr.sans.org/wireless/wireless_net3.php http://rr.sans.org/wireless/wireless_net2.php The network we are going to set up is probably going to be based on Cisco technology. Does anyone have any other documentation (links, pdfs, etc) that they could share? Please just don't search on google, I can do that myself (and actually have). There is quite a bit of information so I am looking for websites or documentation that people have found helpful to help me lower the signal to noise ratio. Thx, Leon
article about secure im
I see this thread come up a lot so I thought I might share this article with the group. Hope you enjoy it as much as I did. Regards, Leon http://story.news.yahoo.com/news?tmpl=storyu=/cn/20020409/tc_cn/financial_firms_turn_on_secure_imcid=70 __ Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/
RE: Techniques for Vulnerability discovery
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I would like to add this to the thread. http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanL%2edbcommand=viewoneid=14op=t This covers a lot of what is being discussed in this post. Additionally if one takes a look at Hack Proofing Your Internetwork there are quite a few chapters on how to discover vulnerabilities. Best regards, Leon - -Original Message- From: Oliver Petruzel [mailto:[EMAIL PROTECTED]] Sent: Friday, April 05, 2002 1:25 AM To: 'kaipower'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Techniques for Vulnerability discovery I am sincerely glad someone brought this up. My concern lies in a total lack of education or training in this area. Hacking 101 courses are all over the place now; teaching MCSE-kiddies and non-technical managers how to run scripts and nmap (swell..$2-4k to learn this stuff in 3 days? Ach, ask a single grad of those programs what nmap is ACTUALLY sending and receiving..lol duhh, errr, but it says it's BeOS with port 80 open, I'll just use securityfocus like they showed me to find a script to shoot at it..)... (I digress...) There are not many courses that I know of that actually explain the methodology in searching for *new* vulnerabilities... As in Tearing apart that new .dll, .asp, or cgi from a security perspective 101 Some folks claim it's just trial and error and dumb luck. Others say that folks troll the most downloaded new pieces of software at shareware sites and then pound away semi-blindly with input variables and switches that have worked against previously announced holes in other software until they find something that will get their name on bugtraq... Problem is, in our growing field of infosec, beyond post-grad or doctorate level CS, there aren't very many educational tracks to show your average programmer/engineer how to start finding new holes... 
The only thing I can think of is to send someone through: a secure programming program AND a webapp dev course AND a windows API course AND AND AND..etc...we're talking tens of thousands of bucks there, not to mention the hours involved..ouch. My goal: I want to take 4 of my Jr Security Engineers and send them somewhere for a week or two, or perhaps several weeks at night, and have them come back to tear apart software like it's nothing... foundstone, hint hint, EY, hint hint.. Anyone? Bueller? Bueller?... Of course, pre-req's would be a solid knowledge of scripting languages, C/C++, network architectures and protocols, and all publicly known scripts and code... (but I require that of my jr's anyways so I just want someone else to show them the next level! I have no time, and hell, if the course is good enough, I would even go so that I can stop using semi-educated dumb luck and trial and error! lol) I am VERY interested to see someone post a resource... Maybe this is just a pipe-dream. ./oliver Ps: on a side note, there are several interesting projects currently in dev everywhere to automate all of this.. So don't worry, soon those afraid of anything they can't click on will also be able to point and click their way through code to find new vulns...swell eh? There are even dev projects going to automate vulnerability discovery in ALREADY COMPILED software! Woohoo... Excellent Smithers! Now activate the artificial lightning and blue screens of death! - -Original Message- From: kaipower [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 04, 2002 8:05 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Techniques for Vulnerability discovery Hi, After reading the mailing list for quite a while, there is a burning question which I kept asking myself: How do experts discover vulnerabilities in a system/software? 
Some categories of vulnerabilities that I am aware of: 1) Buffer overflow (Stack or Heap) 2) Mal access control and Trust management 3) Cross site scripting 4) Unexpected input - e.g. SQL injection? 5) Race conditions 6) password authentication Do people just run scripts to brute force to find vulnerabilities? (as in the case of Buffer overflows) Or do they do a reverse engineer of the software? How relevant is reverse engineering in this context? Anybody out there care to give a methodology/strategy in finding vulnerabilities? Mike _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPLH3ndqAgf0xoaEuEQLRlwCgjLIEX5srvI8SKIsSLtqZvhFVUvIAnAvL vGKkupag9SRmmt49YjufzbrT =v9Cx -END PGP SIGNATURE-
RE: Pen Testing Skills
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 How about getting some reliable references and going with a company that is well known and respected in the pen-testing industry. You could also check the pen-test archives on security focus and see which people are active in answering other people's questions. Just a few suggestions, Leon - -Original Message- From: Steven Boshuizen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 6:14 AM To: [EMAIL PROTECTED] Subject: Pen Testing Skills In my understanding people with these skills come from a UNIX background, having worked on projects with VPN's, intrusion detection, administering and implementations. Could anyone tell me that if I was looking for a shit hot penetration tester what sort of background would such a guy have, and what would be the key skills/ buzzwords that I would have to look for so that I would know I am talking to an ace?? Would appreciate any assistance. -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPKDh6dqAgf0xoaEuEQIgygCdFyu7XvSt7MSvuvANCTSOY5bsLVYAniZY A1kzqm/4i/XbmBG+AfNghDXk =r88y -END PGP SIGNATURE-
RE: Port Scan(?)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It would be best if you could actually get a dump of the packets with something like tcpdump or windump. 255.255.255.255 is obviously a broadcast address. I would guess it is some kind of program or service running that is broadcasting. What programs are running on the machine when it does this? What software is loaded on it? Regards, Leon - -Original Message- From: Adrian Horton [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 2:42 PM To: [EMAIL PROTECTED] Subject: Port Scan(?) The [EMAIL PROTECTED] owner rejected this post so can anyone here make sense of this? On my 10.1.2.0/24 network, I discovered (with Ethereal) that one of my hosts (10.1.2.112) was broadcasting UDP packets to 255.255.255.255 to port 62516. The *source port* though was incrementing by one after every packet. That host machine is running Windows 2000. Anyone know what kind of activity this is? It seems the opposite of a port scan and it is inside my private network. I know which machine it is, I just can't figure out what it was doing so I disconnected it from the network until I figure it out. Thanks, AH __ Do You Yahoo!? Yahoo! Sports - live college hoops coverage http://sports.yahoo.com/ -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPKDgsNqAgf0xoaEuEQKOZwCggZI2BgtBfozxI7Xo2LHStP7WUz8AoO6m TA4SVHkzwSQkp61zlIW7x0a2 =9elQ -END PGP SIGNATURE-
RE: Hardware Disposal Policies
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I do not have a guide but I know that such things as PGP Wipe, Symantec's WipeInfo and probably the best of the lot, Evidence Eliminator, do a great job at wiping hard drives. I believe (again this is my belief) that the DoD specifies that data must be wiped 7 times with random data to be considered ok for disposing. I would also like to point out that this may not be enough. Some advanced forensic companies seem to recover data no matter what. You should consider doing this and then running the hard drive against a de-gauging (sp?) machine. HTH and best regards, Leon - -Original Message- From: Dan Williamson [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 21, 2002 12:49 PM To: '[EMAIL PROTECTED]' Subject: Hardware Disposal Policies I am looking for a simple guide to write a policy for the disposal of old hardware. I need something that I can easily go out and pull down, not purchase. i.e.. FREE ! Thanks Dan -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJwKrdqAgf0xoaEuEQKUIACg1NzMTaTd/mMuF+k8zuFJ+aWt+NYAn1jT 4vgzW95A3Km1SbF9SW8Vpysw =/Kui -END PGP SIGNATURE-
RE: FW: Security Engineers Field Tool Kit
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I just checked out the link and saw it is from 2001. CanSecWest 2002 is about to happen. Anyone know if they are going to release an updated version of this cd? Just curious before I spend what little bandwidth I have to download this. I would like to point out that Eric Cole wrote a book called Hackers Beware that has a great iso. I would be happy to share the iso if it doesn't violate copyright (as much as I love a good lawsuit I can't really afford to be sued right now). If anyone wants to provide public ftp for the group contact me off list and I will upload the iso to them. Cheers, Leon - -Original Message- From: Michael Gilmer [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 2:59 PM To: 'Matt Bell'; '[EMAIL PROTECTED]' Subject: RE: FW: Security Engineers Field Tool Kit I downloaded this toolkit this morning. It has a lot of very cool stuff in it that I was going to have to search out. Thanks, Michael Gilmer MCP - -Original Message- From: Matt Bell [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 19, 2002 8:56 AM To: [EMAIL PROTECTED] Subject: Fwd: FW: Security Engineers Field Tool Kit I agree.. it would be nice to get a copy of that one! This one is well worth checking out.. http://jeff.wwti.com/cd.html -Original Message- From: b_1995 [mailto:[EMAIL PROTECTED]] Sent: Saturday, March 16, 2002 7:25 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Security Engineers Field Tool Kit Can you ISO that CD? - Original Message - From: Simon Taplin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 15, 2002 9:51 AM Subject: RE: Security Engineers Field Tool Kit On Mon, 2002-03-04 at 17:06, Pradeep Pillai wrote: Folks, what would comprise a Network Engineers tool kit. ---snip--- What else can you think of ? at the rsa conference in san jose last month, @stake was giving out credit card sized cd's that were bootable x86 linux distros. 
i can't seem to find any info about this on their site, but they were called Pocket Security Toolkit 3.0. anyway, here's a listing of what software they included: Does anybody know of a similar kit for Windows? Simon --- This message has been scanned by AVG Anti-Virus and is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.324 / Virus Database: 181 - Release Date: 2002/02/14 - --- -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJwTX9qAgf0xoaEuEQK20gCggO03m7iOj6XnsxfG22LYqHdJV/gAn2dI Q1Rmquk04sedA1+aSKGeTQNP =9eaO -END PGP SIGNATURE-
RE: win 2k
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If you are hacked the best thing I can recommend is to reinstall from original media (reformat and fdisk first) and then apply all patches to both the applications that will reside on the server along with SP2 and all pre-SP3 hotfixes. If you grab hfnetchk (sp?) you can scan the server to make sure you have gotten all the hotfixes (not all are listed on M$ Windows Update site. God bless 'em). HTH, Leon - -Original Message- From: ++WayanS [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 8:33 PM To: [EMAIL PROTECTED] Subject: win 2k All, please help me. I have a Win 2k server. Three days ago someone hacked my server. What can I do to secure my server? Please tell me tips, tricks and tools to secure my server. Regards, Way -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJwVRtqAgf0xoaEuEQLecQCg8uHA9+XMdzereatl3dQb4MSYeUYAnikj PxPDoMYFaQDeiakQhDjmwEUg =HM9j -END PGP SIGNATURE-
FW: Logon Banners (with links for legal precedence)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I was quite interested in this thread myself so I wrote a quick post to incidents. Here is one of the best responses I got back with links included. Hope the group is doing well, Leon Though the case is not cited, the 2 Mar 90 Defense Data Network Security Bulletin advises, A court recently threw out a suit against a computer system intruder because the logon prompt was preceded with Welcome to... and implored administrators to cease using Welcome in logon banners. (http://csrc.ncsl.nist.gov/secalert/ddn/1990/sec-9004.txt) Again, without citing a case, NASA's GRC (Glenn Research Center) exclaims in chapter 9 of its Directive 2810.1, To the maximum extent of their capabilities, all GRC systems must display a warning to all users at the time they log on. Recent criminal prosecutions have emphasized the value of well-written logon banners. In one case several years ago, a quick-thinking defense attorney convinced a jury that an external intruder could not possibly have been a criminal computer trespasser because the system that he had broken into had had a logon banner that WELCOMED him to the system. Far from being an uninvited intruder, he was actually a welcome guest! (http://www.grc.nasa.gov/WWW/Directives/2810.1-Chap9.html) And it appears that this is not a U.S.-centric issue; the following excerpt from the Australian University of Queensland Security Emergency Response Team Advisory SA-93:03A bulletin exhorts, SERT recommends that any login banner or system initial message should not imply consent to use the computer services (E.g., words such as greeting or welcome), unless it is the express intention that any user is free to use the system, whether they are authorised or not. (http://www.attrition.org/security/advisory/auscert/AA-93.03.Suggested.Login.Banner) You may want to contact these organizations directly for more detail. 
However, there's plenty of discussion on the flip side of the coin, too; e.g., see Trespassing, IP and the Law (REALLY long) (was Re: Virus to Virus Idea) at http://www.der-keiler.de/Mailing-Lists/securityfocus/security-basics/2001-09/0096.html. -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJy6VNqAgf0xoaEuEQJ3HgCguTo0mTEPdUCJ0Bz2ylExexq3h+AAoPEl Vz3F+ULl0eAeOD231OzpdeA6 =AuB2 -END PGP SIGNATURE-
yet another link
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Anyone care to comment on this one? It was passed on to me by a friend. My gut says I don't buy it for a second (it is a news article not a proof of concept site) http://xgate.abovetopsecret.com/news.php?id=61 I think it would have HAD to have been picked up by mainstream info-sec media and then mainstream media. Just thought I would throw that one out there. No flames I don't buy it I just thought the group might find it interesting. As always best regards, Leon -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJldLNqAgf0xoaEuEQIYcgCfeilTTIfwndCPM1kKSvLpbkGu77cAoIjM lZHWEmF/2pxc6WUtP/u/bnGa =hQo3 -END PGP SIGNATURE-
RE: How to know when was root passwd changed
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If you are using LDAP you will be able to trace it. If you are logging to syslog the entry will be in there. Cheers, Leon - -Original Message- From: NP, Ram (CORP, GEITC) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 13, 2002 5:24 AM To: [EMAIL PROTECTED] Subject: How to know when was root passwd changed Hello there, We have an environment where the root password on a solaris box would be there with more than one person and there sure are situations where the root password is changed without prior notice. Now could someone tell me if there is a way to find out when (time) the root passwd was changed. I understand one way would be using Tripwire. Since we didn't have tripwire earlier on the machine is there a way to recover the time. thank you ram THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE ADDRESSEE and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are notified that any dissemination, distribution or copy of this communication is strictly Prohibited. If you have received this message by error, please notify us immediately, return the original mail to the sender and delete the message from your system. -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPJDr49qAgf0xoaEuEQIZIwCgxvr1NUt6I/LQ3jheIDSUsVKvF2AAnRF9 2a6qAjxmIANAlAII0eXOMyvM =QatH -END PGP SIGNATURE-
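One more place the date survives even without Tripwire or a syslog trail, added here as an example and not part of the reply above: on Solaris (and Linux, which uses the same layout) the third field of each /etc/shadow entry, lastchg, holds the day the password was last set as a count of days since 1970-01-01, and passwd(1) updates it on every change. The script below parses that field and turns it into a calendar date. The shadow lines are constructed for the example and the hash strings are placeholders, not real password hashes; the account names other than root are invented.

```python
"""Read the lastchg field of /etc/shadow entries to date the last password change.

Added example for this archive page; not code from the original thread.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # lastchg counts days from this date

# Constructed sample /etc/shadow content. Hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDERHASH:11760:0:99999:7:::
daemon:*LK*:6445::::::
ram:$1$PLACEHOLDERHASH:11700:7:56:7:::
newuser:$1$PLACEHOLDERHASH:0:0:99999:7:::
oldstyle:$1$PLACEHOLDERHASH::0:99999:7:::
"""


def parse_shadow(text):
    """Return (name, password_field, lastchg) tuples for each well-formed line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a shadow entry; skip rather than guess
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def last_change_date(lastchg):
    """Translate lastchg into a date.

    An empty field means the value was never recorded; 0 means the password
    must be changed at next login. Both are reported as None (unknown).
    """
    if lastchg == "":
        return None
    days = int(lastchg)
    if days == 0:
        return None
    return EPOCH + timedelta(days=days)


def password_change_report(text):
    """Map each account to its last-change date and whether the account is locked."""
    report = {}
    for name, pw_field, lastchg in parse_shadow(text):
        # Solaris writes *LK* for locked accounts; Linux prefixes the hash with '!'.
        locked = pw_field.startswith("*") or pw_field.startswith("!")
        report[name] = {"changed_on": last_change_date(lastchg), "locked": locked}
    return report


if __name__ == "__main__":
    for name, info in password_change_report(SAMPLE_SHADOW).items():
        when = info["changed_on"].isoformat() if info["changed_on"] else "unknown"
        print(f"{name:10s} last changed {when}{'  (locked)' if info['locked'] else ''}")
```

The field gives only the day, not the time or the person, and anyone who already has root can rewrite it, so it is corroborating evidence for the syslog or LDAP trail the reply mentions rather than a substitute for it.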
RE: sniffing a switch
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Also don't forget about the dsniff suite from Dug Song. I don't have the link handy but it can be found with a google search for dsniff. Best regards, Leon - -Original Message- From: Matt Hemingway [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 13, 2002 12:11 PM To: leon; [EMAIL PROTECTED] Subject: Re: sniffing a switch A great program for sniffing a switched LAN is Ettercap (http://ettercap.sourceforge.net). Used in conjunction with Arpwatch (http://www.securityfocus.com/tools/142) you get a good idea on how this works and how you can detect someone using a tool like Ettercap. - -Matt On Tuesday 12 March 2002 07:58, leon wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I found this very good article I wanted to share with the group since I see the question come up a lot. I found it informative, I hope you do also. For those who think switched Ethernet environments are sniff-proof, the author offers this warning. Switches may be difficult to sniff, but they are certainly not immune. As is clear from the above sections, one method of sniffing in a switched environment is using ARP spoofing, and the machine that will most probably be ARP spoofed is the gateway. http://www.linuxsecurity.com/articles/network_security_article-4551.html Regards, Leon -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPI4lmdqAgf0xoaEuEQL2pQCffY5f4dArBsXzzBwqPVpQ3D5Fs8oAoL3m XOh7wYu4O8KoTCmsuhhgosbz =Ys0V -END PGP SIGNATURE- - -- - Matt Hemingway SupplyEdge [EMAIL PROTECTED] 800-733-3380x136 - -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPI+If9qAgf0xoaEuEQIM/gCgjopbMH6K18K1lSlAwfOi9DJR4QkAnRvK 5IP7nKg6MHKTCJmKDKO1o908 =7L5c -END PGP SIGNATURE-
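An added example of the detection side Matt points at (example code written for this archive, not Arpwatch's own code and not from the posts above): an Arpwatch-style monitor that learns which MAC answers for each IP from ARP replies and reports when a known pairing changes or starts flipping back and forth, which is what ARP spoofing of the gateway looks like on the wire. It also lists any MAC that claims more than one IP, since a spoofing host normally keeps its own address while also answering for the gateway. The input lines are constructed in the format tcpdump prints for ARP replies (without -e); the addresses are made up for the example.

```python
"""Arpwatch-style IP-to-MAC change detector over tcpdump ARP reply lines.

Added example for this archive page; not Arpwatch code and not from the posts.
"""
import re
from collections import defaultdict

# tcpdump (without -e) prints ARP replies as, for example:
#   12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP,\s+Reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed capture: 10.0.0.1 is the gateway, 10.0.0.25 a workstation whose
# MAC later starts answering for the gateway address as well.
SAMPLE_CAPTURE = """\
12:00:00.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:00.100000 ARP, Reply 10.0.0.25 is-at 00:aa:bb:cc:dd:01, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:01, length 28
12:00:06.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:07.000000 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:01, length 28
"""


class ArpMonitor:
    """Track IP -> MAC pairings and record Arpwatch-style alerts."""

    def __init__(self):
        self.current = {}   # ip -> MAC currently answering for it
        self.seen = {}      # ip -> every MAC ever seen for it, in order
        self.alerts = []    # (timestamp, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip not in self.current:
            self.current[ip] = mac
            self.seen[ip] = [mac]
            self.alerts.append((ts, "new station", ip, None, mac))
            return
        old = self.current[ip]
        if old == mac:
            return
        # A MAC we have already seen for this IP coming back means two hosts
        # are contending for the address; Arpwatch reports that as "flip flop".
        kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
        self.seen[ip].append(mac)
        self.current[ip] = mac
        self.alerts.append((ts, kind, ip, old, mac))

    def feed(self, text):
        """Parse tcpdump-style lines; non-ARP-reply lines are ignored."""
        for line in text.splitlines():
            m = ARP_REPLY.search(line)
            if m:
                self.observe(m.group("ts"), m.group("ip"), m.group("mac"))
        return self.alerts

    def macs_claiming_multiple_ips(self):
        """Return {mac: sorted ips} for every MAC that has answered for more than one IP."""
        by_mac = defaultdict(set)
        for ip, macs in self.seen.items():
            for mac in macs:
                by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    mon = ArpMonitor()
    for ts, kind, ip, old, new in mon.feed(SAMPLE_CAPTURE):
        print(f"{ts} {kind}: {ip} {old or '-'} -> {new}")
    for mac, ips in mon.macs_claiming_multiple_ips().items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A single "changed ethernet address" for the gateway can be a legitimate router swap, which is why Arpwatch reports rather than blocks; the combination of a flip flop on the gateway IP and one MAC answering for two addresses is the pattern worth paging someone about.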
heads up wu-ftpd being attacked
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Blackhats have an exploit for 2.6.1; upgrade to 2.6.2 as soon as possible. I posted to incidents and it seems a lot of people are getting scanned for this and compromises are happening as you read this. Cheers, Leon -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPI+8S9qAgf0xoaEuEQJDcwCghJwwHP3SlQnYFj2CXnpnDW208K4AoOVn dirnFRx9sUwf2QDqGCPEc9iN =H6R9 -END PGP SIGNATURE-
RE: Best way to deploy MS security patches ??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Why not try doing this through group policy and assign the patches as software at either the domain, OU or Site level? HTH, Leon - -Original Message- From: Kip Sr. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 12, 2002 1:01 AM To: [EMAIL PROTECTED] Subject: Best way to deploy MS security patches ?? Hi there! I have 180 Win2K desktops, and am looking for an automated solution to quickly and efficiently deploy patches throughout the enterprise. I have used SMS before, but find it cumbersome and time consuming to use. Does anyone have any other suggestions? Tips? Tricks? Much obliged, Kip __ Do You Yahoo!? Try FREE Yahoo! Mail - the world's greatest free email! http://mail.yahoo.com/ -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPI5wNdqAgf0xoaEuEQIp6ACeKAKY1rUgms9cCkz/kp/0j73a7nQAoKK9 Z96700zJ+1hAjhkqvecNl1JY =KEfH -END PGP SIGNATURE-
RE: VPN and Cisco +IIOP question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Maxime, I have never gotten the cisco client to work as advertised. First off it does not run on xp or win 2k (unless you use 3.0 and to use 3.0 you need a vpn concentrator) ((list please correct me if I am wrong)). If you use a vpn concentrator you should be fine however if you are doing what I was trying to do (vpn into my network at home using ipsec from a win xp machine) that will not work. First of all you have to use the M$ dial up network adapter for a vpn client and for some reason this and cisco can't work together (funny I thought ip-sec was an rfc standard). Supposedly Cisco is going to release a new ios in Feb. (oh wait it is march) that allows you to use the m$ dial up adapter to use IP-Sec. I am sorry but I do not know the answer to your second question but I would bet that most proxy based firewalls could use some kind of generic proxy if this is a well known protocol. HTH, Leon - -Original Message- From: Maxime Rapaille [mailto:[EMAIL PROTECTED]] Sent: Friday, March 08, 2002 3:03 AM To: 'Security-Basics (E-mail)' Subject: VPN and Cisco +IIOP question Dear listmembers, 2 questions on this great list : (And I already made a search on google.. Hopefully in the right way.) First one, do you have any experience with a VPN client (software) compatible with the Cisco IPsec VPN? I already found the Cisco client itself, but we would like to have a panel of products, in order to make a better choice. I found also the PGP VPN client, but not 100% sure it is compatible. Is the Windows 2000 IPsec compatible? Any experience, link, feed-back, products info is really appreciated. Second question is concerning the IIOP protocol. Does some of you know a firewall/proxy, capable of handling this protocol ? I know Firewall just know it, but does not proxy nor analyse it (like he does for HTTP, SMTP, FTP). I read about Gauntlet Firewall, but was no more able to find a paper or precise Doc about it. Any other idea? 
Proposal, Links...? Thanks a lot for all positive feed-back. Have a great week-end all. Regards, Max. Maxime Rapaille Data Security Management National Bank of Belgium Mail : [EMAIL PROTECTED] Visit our website! http://www.nbb.be DISCLAIMER: The content of this e-mail message does not constitute a commitment of the National Bank of Belgium (NBB) except where provided for in a written agreement between you and the NBB or where confirmed with a written form approved according to the internal regulations of the NBB. Besides, the statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of the NBB. The e-mail message contains proprietary information intended for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on any part of this e-mail message. -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPI1FQNqAgf0xoaEuEQIOPQCfQk/dKJZDVvGmMq9q2V30PgvRobwAn1bL D9qUF/2NB/q34FDI7sRivWYX =ubJE -END PGP SIGNATURE-
RE: scary site
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The problem with turning off scripting is that it breaks most of IE's functionality. I have gotten a lot of offlist and cc'ed to the list mail about this. I am sorry for not being more specific earlier; it worked for me running win xp, ie 6 and all patches. It doesn't appear to work on win 9x with ie 5 or win 2k with ie 5. Your mileage may vary. Cheers, Leon - -Original Message- From: Patrick McAllister [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 07, 2002 6:23 AM To: leon; [EMAIL PROTECTED] Subject: Re: scary site If possible, turn off scripting (assuming you're using IE)...that will prevent it from running. Also it generates all kinds of alerts on my AV software - - Original Message - From: leon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 05, 2002 12:30 PM Subject: scary site -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 http://www.liquidwd.freeserve.co.uk/ Try it with a windows machine and IE with all patches. Be afraid, be very afraid. FYI this is for all those people who think that just having a firewall is enough. Guess what? This works through packet filter, stateful inspection and proxy servers. Cheers, Leon -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPIUArNqAgf0xoaEuEQLn0wCgjtpLPuRxLbCscHrq32IjePeezf8AoI6t T73+xCv/VhrCGDVDIVrFBqZl =9gR6 -END PGP SIGNATURE- -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com iQA/AwUBPId3n9qAgf0xoaEuEQJ/sgCgvDNdBke4PLPdme62o0wXyz6AOJsAnjQ6 CUp0dkENeGHXirRYWsLXlwu0 =K0x0 -END PGP SIGNATURE-
a few points about my website link post
Hi everyone,

I have gotten a lot of on-list and off-list mail about the link I sent out. I would like to clarify a few things.

First, it only appears to work with XP, IE 6 and all patches installed. Other versions of Win and IE do not appear vulnerable.

Second, there is a question of whether or not this is a virus (as it appears some anti-virus programs are flagging it and I am getting much hate mail). According to Trend Micro's site:

CIDEXPLOIT.B, CIDEXPLOIT
Description: This malware uses an Internet Explorer exploit to execute program files on the infected user's computer. Upon execution, it runs files in its command list.

So basically it is being flagged as a virus when it is really not. It does not replicate (something characteristic of viruses) nor does it carry a malicious payload. It is the same FUD that happens when you run the Sub7 client and the anti-virus program tells you it is a Trojan when it is clearly not. The same with AIM filter, which it classifies as a back door.

Finally, I would like to touch on why I made the point about firewalls not stopping it. This is not because I think firewalls should stop the attack; I merely thought that because we have a lot of people who are new to security they should be aware that having a firewall is not enough. Firewalls will not and cannot stop these types of attacks (IDS might be another story). I didn't mean to confuse anyone or cloud any issues.

In closing I would like to say sorry to the group if I upset anyone and reiterate a point that everyone should know; if you don't trust something you find on a public mailing list, ignore it. I don't feel I was irresponsible in posting this. We have seen Trojans posted to both bugtraq and vuln-dev (this of course is not destructive as the code I am referring to was). It is a classic case of the buyer (user?) beware.

So in summary this is a harmless proof-of-concept exploit that only appears to affect XP with IE 6 and all patches. Some anti-virus programs flag it as a virus when it is not harmful (just delete the files from your IE cache if worried). And again I apologize for upsetting anyone (if you only saw the hate mail). I am here to teach and most importantly be taught. Thanks again for the positive e-mail I received (you know who you people are).

Regards,
Leon
scary site
http://www.liquidwd.freeserve.co.uk/

Try it with a Windows machine and IE with all patches. Be afraid, be very afraid. FYI this is for all those people who think that just having a firewall is enough. Guess what? This works through packet filters, stateful inspection and proxy servers.

Cheers,
Leon
RE: Linux hardware firewall question
Is the machine only going to be used as a f/w? If it is, have you thought about something like Smoothwall? http://www.smoothwall.org It would be easier to keep secure and up-to-date with patches.

Just an idea,
Nard

-Original Message-
From: jnf [mailto:[EMAIL PROTECTED]]
Sent: 26 February 2002 08:53
To: [EMAIL PROTECTED]
Subject: Linux hardware firewall question

I operate a small network of about 5 computers and am considering setting up a PC to operate as a firewall/router for the network. The network does not receive much traffic at all, and I am trying to figure out, hardware-wise, what I need. The topology I have decided to go with is that each box on the network will have its own NIC on the PC. Additionally, if anyone can suggest documentation on how to set this up software-wise I would appreciate it. I have some experience with iptables, but am unsure exactly how I would set this up. Again any help would be appreciated. Thank you.

J. Ferguson
RE: Cisco security
I would like to point out that the certification is valid for only 2 years. I don't necessarily know if it is worth the 500 (125 an exam * 4 exams) to have to recertify every 2 years. Additionally, you say you know about SANS; I would say either the SANS firewall or IDS cert are much more respected than Cisco's equivalent exams. Finally I don't really even see Cisco IDS out there that much in production, so I didn't feel much of a need to pass an exam on it.

Just my thoughts. If you want to get into security, try a vendor-neutral cert like SANS, CISSP, or SSCP.

Cheers,
Leon

-Original Message-
From: Dave Mee [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 2:47 PM
To: [EMAIL PROTECTED]
Subject: Cisco security

Has anyone taken the exams for Cisco Security Specialist 1?? How good are they? Is it worth the time and money? I'm a CCNA and looking to add on security related certs. Already know about SANS certs.

thanks
dave
RE: ArcServIT 6.5 Enterprise
Regardless, fport can do this. It can tell you what program is bound to a port. This is such a commonly asked question that it should be part of the administrivia:

Administrivia: To find a process bound to a port: Use fport from foundstone.com
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]

LOL, hope everyone is having a great weekend,
Leon

-Original Message-
From: Kestas (Bidz) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 1:54 PM
To: [EMAIL PROTECTED]
Subject: Re: ArcServIT 6.5 Enterprise

Active Ports is for NT only, what about Win2000?

Kestas

- Original Message -
From: Mathieu Patenaude [EMAIL PROTECTED]
To: 'Calhoun, Heath' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 20, 2002 1:01 PM
Subject: RE: ArcServIT 6.5 Enterprise

Use a program called Active Ports that you can get at download.com. It tells you which program uses which port.

hope this helps
Mathieu

-Original Message-
From: Calhoun, Heath [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 10:01 AM
To: [EMAIL PROTECTED]
Subject: ArcServIT 6.5 Enterprise

Does anyone know what ports ArcServeIT 6.5 Enterprise for NT 4 Server runs on? Looking at our PIX logs I see multiple ports from our BDCs to a server we have ArcServe on. I haven't been able to find anything in the ArcServe manual or the website.

Heath Calhoun
Vlan Spoofing / Hopping
Hi everyone,

Does anyone know of a program that allows you to change the VLAN you are on? I don't mean if you have administrative access; I mean if you are put on a VLAN and you decide you want to be on another one. Is there some way to spoof the VLAN you are on and fool the switch into letting you hop into a different one?

Thx and hope everyone is enjoying the weekend.
Leon
RE: capturing traffic on cisco routers
Put an IDS in front of it and behind it. A free one would be Snort. The IDS could log every single packet if you wish it to and you can go through it looking for whatever you want using perl, grep or something of that nature.

Cheers,
Leon

-Original Message-
From: Dave Stein [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 11:40 PM
To: [EMAIL PROTECTED]
Subject: capturing traffic on cisco routers

Hi there,

I'm very new to this list, and a newbie in Cisco administration. I would like to know, if it is possible, how to capture the traffic on the router (or sniff it, if you like), and send it to another PC in plain text or whatever, or if it's possible to keep it in a file. Sorry if this question is too basic, I'm learning here. If it is any help the Cisco is running IOS 12.1. Anything will help!

bye.
hardening script for redhat 7.2?
Hi everyone,

Does anyone know of a good script (that they have successfully used, not just read about) that works with Redhat 7.2? I wanted to use the Bastille script but it seems to work only up to 7.1.

Thanks in advance,
Leon
RE: Denial of service question.
Great question. I definitely want to take a stab at this one. First of all, if you are worried about redundancy you could get a backup line and run BGP. That might be a little too complex for this scenario, so my other answers follow the poster's questions.

Snip
the T1 router... So if 1.5M is flooding in basically we are out of luck.

You sure are. That is the problem with DoS attacks; it really comes down to mine is bigger than yours (and yes folks mine is big ;) Absolutely kidding.

Snip
The question I have is: Is there any way to help this situation?

Redundant Internet connections, or there are people out there who make anti-DDoS products (though I have not tested nor read reviews of these so I don't know how effective they are).

Snip
How possible is it for us to put a firewall BEFORE the T1 line to block all of this before it hits our poor little line, or would this even help? I don't know if this would even be possible?

Routers have to come before the firewall. I don't think you can put a firewall in front of a router, though I might be wrong. Regardless, you could have the best firewall in the world (NetScreen, Pitbull Argus, blah blah blah) and if the person has a bigger pipe than you he can knock you off. Best thing to do is contact upstream ISPs (good luck).

Snip
Is there some sort of way we can have a fallback line in case this happens, and just move all of our IP addresses over to another T1 while this is happening to this one computer, so it's only getting attacked and not EVERY server we have on that line?

BGP redundant lines. Not sure if your company can afford that or has the expertise to implement it.

HTH,
Leon
UIN: 8031369 for people who want to chat via ICQ
RE: Floodnet Controls
Yeah, I am going to go out on a limb and be contrary. What you are saying is not exactly clear to me but I am going to give it a shot anyway. Can't an IDS look at the actual payload instead of the URL / layer 3 - layer 4 info? Are you talking about an IDS on the client machine or the machine being attacked? On the client machine you should not let the applet be downloaded in the first place. On the target I would think the IDS would work the way I referenced up above. Further, most automated programs continuously make the same kind of packets (i.e. the source port never changes, etc). So it would not be unusually hard for someone skilled at writing signatures to come up with one if they could get a packet dump and all the program's packets appear the same.

Anyone disagree???

Cheers,
Leon

-Original Message-
From: Michael Ungar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Floodnet Controls

As demonstrated with the recent DOS attack on the World Economic Forum's web site, tools are being made available which assist users in downloading an applet to automatically refresh against a target's home page; thereby making the site unavailable if enough users have downloaded and are running the applet.

Question 1 - In this type of attack, I've heard different opinions as to whether an IDS would or would not pick up the event since
a - url looks normal
b - three way handshake completes
c - traffic might be under url
I'm under the assumption the IDS would not catch 'cause of reasons a - c above. Any views to the contrary?

Question 2 - Any best practices against this risk other than making sure your site has much and redundant bandwidth.

Thanks.
Mike Ungar
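The server-side view of the applet-driven refresh flood discussed in this thread, as an added example that is not part of the original posts: it parses constructed Apache common-log lines and flags clients whose home-page requests are both frequent and metronomic, which is the "same kind of packets over and over" regularity Leon describes. Thresholds and the sample traffic are assumptions.

```python
"""Spotting a Floodnet-style refresh flood in a web server's access log.

Added example, not part of the original thread.  It parses constructed
Apache "common log format" lines and flags clients whose requests for the
home page are both frequent and metronomic, which is what an applet that
auto-refreshes a page looks like from the server side.  Thresholds and
the sample traffic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'path'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
    }


def find_refresh_flooders(lines, path="/", min_hits=10,
                          max_mean_gap=2.0, max_jitter=0.25):
    """Return {ip: (hits, mean_gap_seconds, jitter)} for clients whose
    requests for `path` arrive at least `min_hits` times, on average no
    more than `max_mean_gap` seconds apart, with inter-arrival jitter
    (pstdev / mean of the gaps) at or below `max_jitter`.

    A scripted reload produces near-identical gaps (jitter ~ 0); a person
    clicking around does not, even when they reload the same page a lot.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            times[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if avg <= max_mean_gap and jitter <= max_jitter:
            flagged[ip] = (len(stamps), avg, jitter)
    return flagged


def make_sample_log():
    """Constructed sample: one applet-driven client, one human, and one
    fast but bursty client (think of a proxy fronting several users)."""
    base = datetime(2002, 2, 12, 15, 51, 0, tzinfo=timezone.utc)

    def entry(ip, when, path):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 200 5120'

    lines = []
    # 198.51.100.7: the applet reloads "/" exactly once per second.
    for i in range(12):
        lines.append(entry("198.51.100.7", base + timedelta(seconds=i), "/"))
    # 203.0.113.5: a person reading the site, irregular gaps, mixed pages.
    t = base
    for i, gap in enumerate([0, 7, 41, 3, 58, 12, 90, 5, 33, 20, 75, 9]):
        t += timedelta(seconds=gap)
        lines.append(entry("203.0.113.5", t, "/" if i % 3 == 0 else "/news.html"))
    # 192.0.2.44: many home-page hits, fast on average, but bursty (high jitter).
    t = base
    for gap in [0, 1, 0, 0, 3, 0, 1, 0, 0, 4, 0, 1]:
        t += timedelta(seconds=gap)
        lines.append(entry("192.0.2.44", t, "/"))
    return lines
```

Only the one-per-second client is flagged at the default thresholds; the bursty proxy-like client has the hit count and the average rate but not the regularity, which is why both tests are needed before blocking anyone.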
RE: network traffic logging tool ?
Argus is a company that produces security products. They are most well known for their Pitbull firewalls and hosting the OpenHack challenge. I believe they do have a logging tool also.

Cheers,
Leon

PS: Russell is quite friendly; if the original poster (whose name is not on the e-mail) wants to contact him directly I am sure he would not mind.

-Original Message-
From: Windex King [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: network traffic logging tool ?

[EMAIL PROTECTED] wrote:
I'm looking for a promiscuous mode network monitor

I regularly see posts on the Incidents list by Russell Fulton where he makes mention of a network traffic logging tool named ARGUS. A little searching on Google pointed me to http://www.qosient.com/argus/

W K
RE: aol IM sniffer?
Don't allow people to run code on your machine (via physical access or logical access via a buffer overflow). If he thinks he is on a network where someone has installed sniffer software or has put a NIC in promiscuous mode (one and the same?) then we have covered that on this list and you can refer him to AntiSniff by l0pht (now @stake) or some other programs that people have listed (that don't come to mind right now). Further, he could try Trillian (this uses encryption and was discussed on this list and some people brought up some good counter points). I am not sure if AOL is playing with Trillian anymore or if AOL is still being monopolistic. Whoops, I meant, um, well let's be honest, they are just as bad as M$ by not opening up the protocol to other vendors :)

Cheers,
Leon

-Original Message-
From: william taylor [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: aol IM sniffer?

I had a friend who uses AOL. He told me that someone he knew had bugged his AOL account so that his IMs were logged, his sites visited were logged, and all of his settings (favorites, buddy list, etc.) had been recorded. I know that this is done by cracking and is probably some juvenile prank, but how could I protect myself against someone doing that? i.e. is it a packet sniffer sniffing packets coming out of a specific IP address with specific headers, or is it some sort of spoofer that asks AOL for that information? And if so, how could I prevent an attack like that from succeeding?

charles
ms ip-sec question
Hi everyone,

Just curious if there were any known flaws with M$'s implementation of IPsec? I know that some of their protocols have issues (PPTP, MS-CHAP, and the LAN Manager hash). Does anyone have any links discussing this?

Thx,
Leon

PS: As far as the cert thread(s) go, all I can say is a - q, and if anyone has the exam cram or braindump for r - z let me know ;)
PKI Books
Hi everyone,

Can someone suggest to me books they have read and found helpful in regards to implementing a PKI? Please don't hand me a list from Amazon or Google; I know how to search. I am really asking the list for opinions on what they find to be the best (e.g. everyone, at least people in their right minds, agrees that TCP/IP Illustrated is the de-facto standard for TCP/IP books). Can anyone help me find a similar book for PKI?

Also if anyone wants to answer my questions on stateful inspection firewalls that would be appreciated also (only 2 people have taken a crack at it so far and no one has answered the question).

Either way, thx and cheers,
Leon
RE: DSL speed test s/w
There is a link off both www.cnet.com and www.dslreports.com. Both do a fairly thorough test.

HTH,
Leon

-Original Message-
From: Todd Sparks [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 09, 2002 11:41 PM
To: Security-Basics@Securityfocus. Com
Subject: DSL speed test s/w

Hi all,

I'm looking for a good free s/w test for my Enhanced DSL up/down speed.

Thanks,
Todd
basic stateful inspection question
Hi everyone,

I have a question regarding stateful inspection firewalls (specifically PIX and Checkpoint). It seems to me that a lot of people use either NAT or PAT and that these types of firewalls by default drop unsolicited connection attempts (meaning packets that arrive with the SYN bit set). Any packet that leaves the network is put in the state table so that the return packets can come back in.

My question is this: if I were to exploit a client-side buffer overflow and I got the system to make a connection to me via netcat with a destination port of 80, would I circumvent a majority of the stateful inspection firewalls? It seems that these firewalls trust that ALL connections originating from the inside are good. Now I know we could block off destination ports of services we don't want to allow access to (say no port 23 traffic leaves the network because we don't allow telnet), but I am wondering if either of these firewalls has a method of filtering based on protocol (for example allow 80 to be a destination port but only HTTP traffic can cross it. No netcat, no AIM, no Limewire, just HTTP). I have seen a ton of networks where I came in and I found people using things like AIM even though the firewall specifically only permitted port 80 traffic out (obviously these people switched the port from 5190 to 80).

So to reiterate; is there a way to configure PIX or Checkpoint to judge the connection based on protocol as opposed to arbitrary things like source IP, destination IP or port numbers?

Cheers and thanks in advance,
Leon

PS: Links are appreciated but flames are not :)
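What "judge the connection by protocol, not by port" looks like in code, as an added example that is neither from the original post nor from any PIX or Checkpoint feature: a state table only records that an inside host opened a connection, so this looks at the first bytes the inside host sends and decides whether a port-80 connection is really HTTP. The protocol signatures (HTTP/1.x request line, the 0x2A start byte of an OSCAR/AIM FLAP frame, the 0x16 0x03 start of a TLS handshake record) and the port policy are assumptions.

```python
"""Protocol-aware egress check for connections that merely use port 80.

Added example, not part of the original post.  A state table only records
that an inside host opened a connection; this looks at the first bytes the
inside host sends and decides whether that connection is really HTTP.  The
signatures are assumptions drawn from the protocols' public framing (an
HTTP/1.x request line, the 0x2A start byte of an OSCAR/AIM FLAP frame, the
0x16 0x03 start of a TLS handshake record), not any vendor's implementation.
"""
import re

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT"}
# "METHOD SP target SP HTTP/1.x CRLF" (a bare LF without CR is tolerated)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

# What each permitted destination port is expected to carry (assumed policy).
EXPECTED = {80: {"http"}, 443: {"tls"}}


def classify_payload(first_bytes: bytes) -> str:
    """Name the protocol the opening client->server bytes look like."""
    m = REQUEST_LINE.match(first_bytes)
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    # OSCAR FLAP: 0x2A, channel 1..5, 16-bit sequence, 16-bit payload length.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x2A
            and 1 <= first_bytes[1] <= 5):
        return "oscar-flap"
    # TLS record: content type 0x16 (handshake), version major byte 0x03.
    if len(first_bytes) >= 5 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def egress_decision(dst_port: int, first_bytes: bytes, expected=None) -> str:
    """'allow' only when the port is permitted AND the payload matches the
    protocol that port is for; anything else (AIM moved to port 80, a
    command interpreter talking out over 80, HTTP on 443) is 'deny'."""
    policy = EXPECTED if expected is None else expected
    if dst_port not in policy:
        return "deny"
    return "allow" if classify_payload(first_bytes) in policy[dst_port] else "deny"


# Constructed samples of the first bytes an inspecting device might see.
SAMPLES = {
    "browser":     (80,  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "aim_on_80":   (80,  b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # FLAP, channel 1
    "shell_on_80": (80,  b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"),
    "https":       (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),
    "http_on_443": (443, b"GET / HTTP/1.0\r\n\r\n"),
    "telnet":      (23,  b"\xff\xfd\x18"),
}


def run_samples():
    """Return {sample name: decision} for the constructed samples."""
    return {name: egress_decision(port, data) for name, (port, data) in SAMPLES.items()}
```

This sees only the opening bytes, so a client that wraps its traffic in well-formed HTTP (a CONNECT tunnel, IM encapsulated in HTTP) passes, which is why port policy is paired with a proxy and an IDS rather than relied on alone.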
RE: sftp server
If you have a Cisco (or any other router that is halfway decent) in front, why not set up an access list denying traffic with a destination port of 22? This would solve the problem quite easily.

HTH,
Leon

-Original Message-
From: Geeking Out [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 10:12 AM
To: [EMAIL PROTECTED]
Subject: sftp server

Greetings,

I have someone with whom I wish to automate file transfers. I wish to do this securely. I thought that running ssh on the box with key exchanges would do this just fine since I can then use sftp. However, if I install ssh on the box and I give the client access, they can also log into the box and get a shell. Is there a way in which I can limit them to sftp only?

Thank you in advance!
1 last small worthless AIM point
Hi everyone,

It has recently come to my attention that the buffer overflow affecting AIM is still remotely exploitable. I just thought that I would let the list know that CONTRARY TO PUBLISHED REPORTS the vulnerability is still being actively exploited. I did a little testing at home and it seems the newest version of the AIM client (4.8.2646) is NOT vulnerable. I would also like to point out that this is a great reason why shortcuts and security just don't play nicely together. Instead of fixing and making a big point to let everyone know about the vulnerability (as in "we messed up, but most software companies do, here's a patch" or "you MUST download the newest version"), AOL took the easy way out and claimed to fix the problem at the server. Bull-cocky. If the problem is fixed at the server how come I am still able to kick people off with aimfilter? (rhetorical ;) D'oh!

AOL's engineers or Oracle's engineers; who is doing worse in the month of January? One is breakable, the other is remotely exploitable. Hehe

Cheers to the group,
Leon
RE: loopback device
That is not true. P stands for proto, not port.

-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.

Cheers,
Leon

-Original Message-
From: shawn merdinger [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 8:45 PM
Cc: Craig Van Tassle; secuirty-basics
Subject: Re: loopback device

Also, try the following:

netstat -anp

The p option displays the program bound to that socket/port. From the looks of your snort log, it did not *appear* to be a loopback address.

-scm

On 15-Jan-2002 Craig Van Tassle wrote:
My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?

Thanks
Craig

On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1 and the port number, 5460, isn't assigned to anyone, so what program is running?

-Original Message-
From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 8:48 AM
To: secuirty-basics
Subject: loopback device

Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks

here is a snippet from my snort logs.

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
**S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20

Thanks
Craig

--
Phillip O'Donnell
Software Engineer, Esphion Limited
[EMAIL PROTECTED]
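A parser for the Snort alert quoted above, as an added example that is not part of the original thread: it pulls the endpoints out of the alert header and checks the point the replies circle around, namely that the whole 127.0.0.0/8 block is loopback, so 127.167.228.85 is as much a loopback address as 127.0.0.1 and a packet carrying it on a real interface cannot have arrived legitimately. The verdict text and the second, constructed alert are assumptions.

```python
"""Reading Snort's "BAD TRAFFIC loopback traffic" alert (sid 528).

Added example, not part of the original thread.  It parses the alert header
format quoted in the thread and checks that src/dst fall inside the whole
127.0.0.0/8 block, which is what Snort's rule keys on, not 127.0.0.1 alone.
"""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Snort "full" alert header.  \s* lets the header span lines as Snort writes
# it; "(?:->|-)" accepts both "->" and a bare "-", since archived copies of
# alerts often lose the ">".
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\s*"
    r"(?:\[Classification: (?P<cls>[^\]]+)\]\s*)?"
    r"(?:\[Priority: (?P<prio>\d+)\]\s*)?"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?:->|-) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>[A-Z]+)"
)

# The alert from the thread, joined onto one line (the line breaks are layout).
SAMPLE_ALERT = (
    "[**] [1:528:2] BAD TRAFFIC loopback traffic [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460 "
    "TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40"
)


def parse_alert(text):
    """Return the alert's header fields as a dict (ints where sensible), or None."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def loopback_endpoints(alert):
    """Which of src/dst fall inside 127.0.0.0/8 (the whole block, not only 127.0.0.1)."""
    return [side for side in ("src", "dst")
            if ipaddress.ip_address(alert[side]) in LOOPBACK]


def assess(text):
    """Parse one alert and state what the analyst should conclude from it."""
    alert = parse_alert(text)
    if alert is None:
        return None
    hits = loopback_endpoints(alert)
    if not hits:
        verdict = "no loopback address involved; not a sid 528 condition"
    else:
        verdict = (
            f"{', '.join(alert[s] for s in hits)} lie(s) in 127.0.0.0/8; "
            "the whole /8 is loopback, so this is not a bypass of the firewall "
            "but a spoofed or misrouted packet: drop 127/8 at the border and "
            "confirm the sensor is not also listening on lo"
        )
    return {"sid": alert["sid"], "loopback_sides": hits, "verdict": verdict}
```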
RE: Security of Private Networks
This is a common misconception about NAT (PAT, overload or whatever you want to call it); that the security is fairly strong. NAT is a way to prevent the inevitable depletion of public IP space. The fact that it provides security is a bonus and not at all its original reason for being created.

How would I get around this (this being attacking a private IP)? Why, layer 7 client-side attacks of course. If I can execute code on your computer to make an outbound connection to mine, game over. Wait, if I can just plain execute code (pick your buffer overflow choice. I know there are a bunch of IE 6 ones that have not been solved yet; though I am not sure if they all allow the attacker to run code of their choosing) then the game is over.

As always an IDS (network or host based) can take care of this for you (keeping an eye on what is leaving and entering your network).

HTH,
Leon

-Original Message-
From: Jason Jaszewski [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 2:21 PM
To: [EMAIL PROTECTED]
Subject: Security of Private Networks

Hello all,

If I have a private network (with IPs of the 192.168.1.x flavor) and run WinRoute (which utilizes NAT), or even a Cable/DSL router, what are my security concerns? It is my understanding that since private networks are non-routable on the Internet, it is a relatively secure setup. Assuming the boxes are running Windows 2000 and there is no software such as VNC or other remote admin software, what are the security concerns to have? I would assume vulnerability with email attachments, downloads, or file sharing, etc. But, for the sake of argument, assume that these issues are not factors. Is there a way to get into those machines?

In my (thus far) limited understanding of NAT, I was informed that because NAT creates the socket, it would be difficult to connect to a box with a private IP remotely without some kind of software previously installed. However, based on previous list emails about the (in)security of NAT, I question this. Are there apps out there that could trick the NAT box (or router) into making a connection with another machine? Even without remote admin software installed, assuming the conditions above?

Thanks in advance for answering my curiosity.
Jason
RE: Remote PC Management via LAN/WAN
VNC is free but it is very slow. The problem with using things like SubSeven is you don't know what backdoors are built into the backdoor (kind of like backdoor squared for the math folk out there). For example, in SubSeven 1.0 - 1.9 I believe there was a backdoor so that the author of the program could bypass the password and connect to it at any time.

HTH,
Leon

-Original Message-
From: Levi Pugh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: Remote PC Management via LAN/WAN

Hello Fellow Subscribers,

The question I have is: What is your opinion on using a Trojan like SubSeven to manage your network, or even any other remote management type of program? And if you were, how would you go about testing the prog for backdoors? And also could you suggest any remote management software that you have found useful; free is the key word here.

Thanks,
Levi M Pugh
PC TECH III
Fortune 800, Inc
5200 Golden Foothill Parkway
El Dorado Hills, CA 95762
(916)605-0185
www.Fortune800.com
Sonicwalls 10 Guidelines to securing your network
This was a checklist that Sonicwall developed and I saw on SnP. I thought it might be useful for the readers of the list and thus I posted it.

Cheers,

Leon

10 Security Guidelines

I. Secure telecommuters and remote workers:
Telecommuters and remote workers are often one of the weakest parts of a company's security system. As external attacks become increasingly sophisticated, a favorite tactic is to infiltrate the computer of a telecommuter or remote worker and follow them into the corporate LAN. It is critical that businesses implement firewall, VPN and anti-virus technologies among telecommuters and remote workers.

II. Assess the vulnerability of the network perimeter:
Despite a heightened security awareness, many significant holes still exist in companies' security systems. A number of successful external attacks exploit known vulnerabilities. Vulnerability scanning services can help anticipate potential security problems and help a company address their weaknesses before a hacker exploits them. Vulnerability scanning should take place at a minimum of once per quarter.

III. Guard against internal security threats:
A common misperception is that the majority of attacks occur from the outside of a network. Internal attacks happen more often and tend to be significantly more costly and damaging than external hacks. Companies should implement security technologies such as enterprise-class firewalls for individual workstations that store sensitive data or servers that host mission-critical applications to protect them from these internal attacks.

IV. Reduce time-to-deployment of patches:
Updates and patches to defend against viruses and hacks often exist in time to prevent a successful infection or hack attack, but are not deployed in a timely manner. New computer viruses are designed to spread quickly, therefore leaving a computer on the local area network with outdated AV software exposes the entire network to infection, not just the PC. As a general rule, updates and patches should be deployed to all systems on the network within 4 hours from the time they are made available. Additionally, operating systems and applications should be regularly updated and businesses should not rely on the default installation.

V. Decentralize and secure vital information:
Many companies are considering a decentralized, distributed model for storing business-critical information to prevent the complete loss of such information in the event of an emergency. This requires security technologies that can protect a distributed architecture and that can also be centrally managed.

VI. Create a company culture of sound security:
Network security is more than the IT manager's responsibility. For effective network security, all levels of the company must be involved. Additionally, effective security requires training and commitment. To create a company culture of sound security, a business can:
- Regularly train/update employees on current security practices
- Actively seek the help of employees to identify potential security risks
- Recognize individuals or departments that have a strong security track record

VII. Regularly back up vital information:
Important data such as sales records, personnel information, client records, etc. should be backed up daily, in offsite locations. Utilize a repository located offsite for either Internet-based or tape-based data backup. Look into alternative solutions for recovery, i.e. hotels with additional phone lines and quick access to the Internet. Test disaster recovery procedures to determine how long it will take for your business to be 50%, 75% and 90% functional.

VIII. Develop an internal Security Audit:
In addition to assessments by third parties, each company should develop its own unique internal security diagnostic. This includes:
- The regular testing of all security hardware and software to ensure they are functioning properly and are properly configured
- Reviewing hardware and software to determine the date of the last firmware or software upgrade
- Reviewing the authorized users list to ensure former employees no longer have access to the network
- Interviewing key security personnel and random workers to determine if policies are effective, incomplete, being followed correctly, understood, etc.

IX. Consider hardware solutions over server-based solutions:
Hardware solutions typically offer higher performance at a better price-point and can support a diverse number of network configurations. Dedicated hardware solutions are not only higher performing and more cost-effective, they offer a higher level of security as they are not susceptible to OS vulnerabilities.

X. Keep directory services up to date:
On average, large percentages of names and accompanying passwords in company directories are outdated and unused, hence are prime targets for external hacks as well as 'internal' hacks from
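Items VIII and X of the checklist both come down to finding accounts that should no longer exist or should no longer be enabled. As an added illustration (not part of the Sonicwall checklist or the original post), the script below reviews a constructed directory export against a constructed HR list of leavers and reports the accounts a reviewer would want to look at; the CSV layout, the 90-day idle threshold and every name in it are assumptions.

```python
"""Stale-account review for checklist items VIII and X.

Added example, not from the original post.  The directory export
format, the HR leaver list and the idle threshold are all constructed
assumptions; a real directory would be exported with its own tooling.
"""
import csv
import io
from datetime import date

# Constructed sample export: one row per account, ISO dates, "never"
# for accounts that have not logged on since they were created.
DIRECTORY_CSV = """\
account,display_name,enabled,last_logon
jsmith,Jane Smith,yes,2003-01-10
bjones,Bob Jones,yes,2002-06-02
mlee,Mary Lee,yes,never
tbrown,Tom Brown,no,2002-11-20
svc_backup,Backup Service,yes,2003-01-12
"""

# Constructed HR list of people who have left the company.
FORMER_EMPLOYEES = {"bjones", "tbrown"}


def parse_directory(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip().lower()
        accounts.append({
            "account": row["account"].strip(),
            "enabled": row["enabled"].strip().lower() == "yes",
            "last_logon": None if last == "never" else date.fromisoformat(last),
        })
    return accounts


def review_accounts(accounts, former, today, max_idle_days=90):
    """Return sorted (account, reason) findings for the reviewer.

    Only enabled accounts are reported: a disabled leaver account is
    already in the state the checklist asks for.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["account"]
        if name in former:
            findings.append((name, "former employee still enabled"))
        if acct["last_logon"] is None:
            findings.append((name, "enabled but never logged on"))
        else:
            idle = (today - acct["last_logon"]).days
            if idle > max_idle_days:
                findings.append((name, f"idle for {idle} days"))
    return sorted(findings)


def review_report(today_iso="2003-01-14", max_idle_days=90):
    """Run the review over the constructed data for a given review date."""
    accounts = parse_directory(DIRECTORY_CSV)
    return review_accounts(accounts, FORMER_EMPLOYEES,
                           date.fromisoformat(today_iso), max_idle_days)


if __name__ == "__main__":
    for account, reason in review_report():
        print(f"{account:12s} {reason}")
```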
RE: Blocking Kazaa
So maybe it is time to ditch Windows 95? It was not meant to be run by business anyway. Try Win2k. I still think my idea of using the security policy is best.

Regards,

Leon

-----Original Message-----
From: Calhoun, Heath [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 12:51 PM
To: leon; 'Benoit Joseph'; Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: RE: Blocking Kazaa

Unfortunately Windows 95 does not let you. True, we could run the network where everyone has the same desktop, but 95 still allows you to install apps.

Heath Calhoun.

-----Original Message-----
From: leon [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 13, 2002 11:26 AM
To: 'Benoit Joseph'; 'Calhoun, Heath'
Cc: [EMAIL PROTECTED]
Subject: RE: Blocking Kazaa

Why can't you just forbid users from installing their own applications (especially ones that just recently were installing spyware without the users' knowledge) in an everyone e-mail and then refer users who still proceed to do this anyway to the corporate security policy?

Cheers,

Leon

-----Original Message-----
From: Benoit Joseph [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 4:55 PM
To: Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: Re: Blocking Kazaa

Can't you just block the port 1214? I think that if you block it on your firewall, you'll have no problem. Can't you use some ACL rules? I believe the IOS has a FW.

Bye

On Mon, Jan 07, 2002 at 03:53:50PM, Calhoun, Heath wrote:
> I am attempting to block the multimedia search program Kazaa on a PIX 515 running IOS 4.4. Pinging the Kazaa website, I got an address of 213.248.107.10. The program uses port 1214. I need to block any access to the website and to the program. I have tried several conduits without success. Any help is appreciated.
>
> Heath Calhoun
---end quoted text---

--
Benoit JOSEPH
Manex SPRL: [EMAIL PROTECTED]
Perso: [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: MS EFS Question
If they go to FAT32 (probably the same for 16) it turns out they lose their encryption because FAT32 does not support these types of attributes (same with NTFS permissions and compression). I am not sure who pointed this out to me on the list but I thank them.

Cheers,

Leon

-----Original Message-----
From: Rob Weiss [mailto:[EMAIL PROTECTED]]

Leon (and others),

I tried to verify this in some of my MS books, but couldn't find the answer. What I believe that I remember is this: Encrypted files keep their encryption when they are copied or moved, regardless of the destination (NTFS or FAT).

Rob
RE: Macintosh Vulnerability Scanner
Mac Pork and the more famous MacAnalysis. Sorry I can't provide links but I bet Google can ;)

Have a nice weekend,

Leon

-----Original Message-----
From: M W [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 2:22 PM
To: [EMAIL PROTECTED]
Subject: Macintosh Vulnerability Scanner

Does anyone know of a commercial vulnerability scanner that would work on the Macintosh OS?

Thanks in advance

mark
CSS how do you tell if a site is vulnerable
Hi everyone,

I don't really have much programming skill (ok, you got me, I have none at all) and I was wondering if some of the people on the list who understand how to test for Cross Site Scripting could help me. I understand what it is but not how to test for it. Does anyone have some generic syntax that I could tack on to the end of a URL to test if it is vulnerable? What I mean is www.testsite.com/whatevercomes/yadda/some/blah/etc. There are a few sites that I have responsibility for that I would like to test but I really don't know how (obviously, or I would not be writing this post :). Can anyone share some simple syntax? It does not have to be in-depth (as far as stealing cookies or anything like that); all I have to be able to do is confirm whether or not the sites are vulnerable.

Thanks again and I hope everyone on the list has a great weekend.

Cheers,

Leon

ICQ 8031369 if anyone ever wants to reach me via chat.
RE: Hardening VS firewalling ?
People commonly compare security to an onion as both are layered. Firewalling is one layer, hardening is another layer, IDS is yet another layer, then you have physical security, strong authentication, yadda yadda. However once you start having layers security becomes more like a chain (only as strong as your weakest link). So I am not saying don't have layers (the more layers the better), just don't assume because you have a firewall you don't need to harden (or any combination; "I have an IDS and a firewall, who needs to patch?").

Hope everyone is having a nice weekend,

Leon

-----Original Message-----
From: Octavio / Super [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 4:57 AM
To: Omar Koudsi; [EMAIL PROTECTED]
Subject: Re: Hardening VS firewalling ?

If I have to choose _only_ one, then I would go for security patches, but if I use time optimization as a base for my decision, then I would firewall to deny everything except explicitly necessary services and then I would security-patch all of those explicitly allowed services. If time is not of my concern, I would do that, plus I would develop security policies, like more secure passwords, secure practices, I would have the employees/students take a course on computing culture, etc.

Octavio.

At 02:29 a.m. 08/01/2002 +0200, Omar Koudsi wrote:
> OK, I know this is more of a theoretical debate, because in reality we are able and should do BOTH. But according to you, which is more important? Paying attention to having a great firewall with a great ACL more than hardening and patching the systems? Or not have to worry about the firewall or having one at all and concentrate on applying best practices to OS/APPS and making sure the OS/APPS is up to date on patches? In the unlikely event that you had to choose one over the other (or some people would argue that this is a reality since time is limited and you can really concentrate on one), which one would it be and why?
>
> Regards,
>
> ---
> Omar Koudsi
> IT Architect
> Network Security Center
> Special Systems Company
> http://security.sscjo.com
> [EMAIL PROTECTED]
> Tel: (9626) 5664221
> Fax: (9626) 5681557
RE: Blocking Kazaa
Why can't you just forbid users from installing their own applications (especially ones that just recently were installing spyware without the users' knowledge) in an everyone e-mail and then refer users who still proceed to do this anyway to the corporate security policy?

Cheers,

Leon

-----Original Message-----
From: Benoit Joseph [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 4:55 PM
To: Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: Re: Blocking Kazaa

Can't you just block the port 1214? I think that if you block it on your firewall, you'll have no problem. Can't you use some ACL rules? I believe the IOS has a FW.

Bye

On Mon, Jan 07, 2002 at 03:53:50PM, Calhoun, Heath wrote:
> I am attempting to block the multimedia search program Kazaa on a PIX 515 running IOS 4.4. Pinging the Kazaa website, I got an address of 213.248.107.10. The program uses port 1214. I need to block any access to the website and to the program. I have tried several conduits without success. Any help is appreciated.
>
> Heath Calhoun
---end quoted text---

--
Benoit JOSEPH
Manex SPRL: [EMAIL PROTECTED]
Perso: [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: Portscanning from Windows XP machine
I can confirm that both of these work just fine.

Leon

-----Original Message-----
From: Mark L. Jackson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 3:34 AM
To: Philip Wagenaar; [EMAIL PROTECTED]
Subject: RE: Portscanning from Windows XP machine

http://www.foundstone.com/rdlabs/tools.php?category=Scanner

fscan and superscan should work under XP. Have not tried them, but I see no reason for them not to function.

> I'm looking for a good port scanner that will run under Windows XP. My wishlist for it is that it scans TCP, UDP and stealth but I'm not really sure if there is such a one under a Win environment.
RE: Mobile user Firewall Comparison
I think with the exception of BlackICE (which might be called an IDS) it really boils down to a matter of choice. I have yet to see any real hard statistical evidence that one is better than the other. Why not try installing them all (one at a time of course ;) and see which one YOU like the best.

HTH,

Leon

-----Original Message-----
From: Askew, Gary [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: Mobile user Firewall Comparison

Hi All,

Does anyone know of some good (recent) comparisons of the main firewalls that would sit on Win 2k laptops for mobile users? Roughly 200 clients. The main ones I'm considering are ZoneAlarm Pro, BlackICE Defender, Tiny and Sygate but I am open to suggestions.

Thanks in advance

Gary Askew
RE: Hardening/Firewall/Network Audit
Whisker and Nessus. www.google.com

-----Original Message-----
From: Alok Ahuja [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 1:39 AM
To: [EMAIL PROTECTED]
Subject: Hardening/Firewall/Network Audit

Hi folks,

I am new to the security arena. We just installed FW1 at our office. Now we want to do a local network audit. Could you suggest some tools etc.? Also how to get rid of the vulnerabilities. Also we have set up a web server and want to know which tool to audit its vulnerabilities with and how to get rid of the vulnerabilities.

Alok
RE: Study material for the Common Base of Knowledge...
www.cccure.org has some material for the SSCP I believe.

HTH,

Leon

-----Original Message-----
From: Joshua Carlson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Study material for the Common Base of Knowledge...

Hello Everyone,

I am currently investigating research material to obtain my CISSP/SSCP certifications, however I am having a hard time finding recommended books/reading material for the SSCP. If you know of any websites or books that I should obtain aside from Information Security Management - Tipton (because I already have that one on the way) please let me know.

Thank you for your time and information.

Joshua Carlson
Professional Services Consultant
Tripwire, Inc.
MS EFS Question
Hi everyone,

Quick (and perhaps easy?) question for the MS folks. If you have a file on an NTFS volume that is encrypted (with EFS) and you transfer it to a FAT32 partition, what happens? What happens if you copy the EFS file from one NTFS volume to another? I am going to guess that in the 1st case it decrypts the file (not sure). I am pretty sure that in the 2nd case it retains the encryption. Can anyone quickly verify? I don't have a FAT32 partition to test on. In the meantime I will try out the 2nd scenario and you are welcome to mail me off-list if you are curious (unless someone answers it on list).

Thanks guys (and ladies of course).

Cheers,

Leon
RE: Firewall: a basic question
Heh, it could be implemented at layer one by securing your wiring. On some Cisco switches (don't know about bridges) you can apply ACLs.

Cheers,

Leon

-----Original Message-----
From: ashley thomas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 06, 2002 2:17 AM
To: [EMAIL PROTECTED]
Subject: Firewall: a basic question

Hi,

Which is the lowest layer where a firewall can be implemented? I guess it is the network layer (layer 3). In that case, how is a firewall implemented on bridges, which is a layer 2 device?

Thanks

Ashley
RE: XP security issue...
Have you tried sniffing the traffic? Could you post dumps to the list?

Cheers,

Leon

-----Original Message-----
From: Nicholas Anthony McKenzie [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 1:13 AM
To: [EMAIL PROTECTED]
Subject: Re: XP security issue...

Lads and lasses,

I've just recently upgraded my home (shared) computer to XP. I have been using X-NetStat to monitor all realtime TCP connections... Anyway I have seen a lot of random SYN packets being sent from my computer from ports 4150, 4151, 4152 etc. to another destination IP address 216.187.XX.XX on port 7730. What the #$#@ is going on???

Regards,

Nick
RE: Portscanning from Windows XP machine
I have gotten nmap to compile and work with Visual C++.

Cheers,

Leon

PS: Foundstone makes a great command line port scanner but the name escapes me right now. You could go to www.foundstone.com and find it quite easily.

-----Original Message-----
From: Philip Wagenaar [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 06, 2002 6:29 PM
To: [EMAIL PROTECTED]
Subject: Portscanning from Windows XP machine

Hi,

I'm looking for a good port scanner that will run under Windows XP. My wishlist for it is that it scans TCP, UDP and stealth but I'm not really sure if there is such a one under a Win environment. I also wondered if anyone got nmap for win32 compiled and working yet.

Philip Wagenaar
RE: another little IM problem...
I would like to argue this point. I posted the original post to vuln-dev in September. It took them 4 MONTHS to fix the hole and all they had to do was add a filter to their server. IMHO this is pathetic Microsoftesque (like that word folks? I bet J Dyson does) behavior. Considering that an IM could give up total control of your computer and it took them 4 months to add the equivalent of a firewall ACL, I find this behavior nauseating.

Cheers,

Leon

-----Original Message-----
From: dewt [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 2:30 PM
To: Dan Trainor; [EMAIL PROTECTED]
Subject: Re: another little IM problem...

On Friday 04 January 2002 03:34 pm, Dan Trainor wrote:
> Does this alarm anyone else? How will AOL fix this problem without making users download any patches / fixes? Are they going to install it themselves? If so, if they can fix this problem by installing a fix on to your machine, what's stopping a malicious user from installing something else on your machine? If I am misunderstanding how this latest vulnerability works, I do apologize for this junk mail. :)
>
> -dt

They fixed the issue on their servers, so clients don't need to update, although there will likely be a client-side solution for the issue in their next release. They also fixed the issue in about a day, which is very very fast for closed source products.
RE: PPTP and Hub and Spoke
You can check out www.counterpane.com for a list of weaknesses with PPTP. Incidentally this was discussed on this list within the last 4 weeks. Sorry I can't remember the subject heading.

HTH,

Leon

-----Original Message-----
From: Jerry Roy [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 8:27 PM
To: [EMAIL PROTECTED]
Subject: PPTP and Hub and Spoke

Hello all,

I am interested if someone can let me know their experiences with ATT NetClient - good or bad? Issues with PPTP through a FW? Scalability of PPTP in a Hub and Spoke environment?

TIA

Jerry Roy
Systems Engineer
Axcelerant, Inc.
w. 949-221-7208
c. 562-305-9545
RE: Has 3des been broken
I thought 3DES used 168 bit encryption. Also the reason I asked is because I thought of using it for a VPN solution. So although no encryption is permanently safe, by the time people cracked the data it would probably be worthless anyway.

Thx for your response,

Leon

-----Original Message-----
From: David Correa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 27, 2001 12:53 PM
To: Dante Mercurio
Cc: leon; [EMAIL PROTECTED]
Subject: RE: Has 3des been broken

Hi,

Although it is widely believed that 3DES is substantially stronger than DES, as it is less amenable to brute force attack, it should be noted that real cryptanalysis of 3DES might not use brute force methods at all. Instead, it might be performed using variants on differential or linear cryptanalysis. 3DES is generally quoted as having an effective key length of 112 bits, as opposed to the 56 bits for DES. At the rate they claim, it would take about 304,313,814,678,323 years maximum (slow/older computers) to crack 3DES. No encryption algorithm is permanently safe from brute force attack, because of the increasing speed of modern computers.

::dc::
David Correa
RHCE CCNA
http://www.linux-tech.com
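The two numbers in this exchange, 168 bits of key and 112 bits of effective strength, are reconciled by the meet-in-the-middle argument: cascading independent keys does not multiply the attacker's work the way the raw key length suggests. The following is an added example, not from the thread or from any 3DES implementation; it uses a constructed 16-bit toy cipher so the search finishes in well under a second, and the cipher, the keys and the plaintexts are all assumptions.

```python
"""Why a 168-bit 3DES key is quoted at 112 bits of strength.

Added example, not from the original thread.  Encrypting twice with two
independent keys does not double the work an attacker faces: a
meet-in-the-middle search trades memory for time and costs about
2 * 2^k operations instead of 2^(2k).  The same argument applied to the
three 56-bit keys of 3DES gives roughly 2^112 work, the figure quoted in
the thread.  The 16-bit toy cipher below is constructed for
illustration only and is not secure.
"""
MASK = 0xFFFF        # 16-bit block and 16-bit key (toy sizes)
KEY_BITS = 16


def rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr16(x, n):
    n %= 16
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_encrypt(key, block):
    """Constructed toy block cipher: XOR, add, rotate.  Invertible."""
    x = (block ^ key) & MASK
    x = (x + key) & MASK
    return rotl16(x, key & 0xF)


def toy_decrypt(key, block):
    """Inverse of toy_encrypt, step by step in reverse."""
    x = rotr16(block, key & 0xF)
    x = (x - key) & MASK
    return x ^ key


def double_encrypt(k1, k2, block):
    """Two independent keys: the naive key space is 2^32 for the toy."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def make_pairs(k1, k2, plaintexts):
    """Known plaintext/ciphertext pairs, as the analyst is assumed to hold."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known pairs with ~2 * 2^16 work.

    Forward: tabulate E_k1(P) for every k1.  Backward: for every k2
    compute D_k2(C) and look it up.  Matches on the first pair are
    confirmed against the remaining pairs to weed out chance collisions.
    """
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(MASK + 1):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(MASK + 1):
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def work_factor():
    """(meet-in-the-middle operations, brute-force operations) for the toy."""
    return 2 * 2 ** KEY_BITS, 2 ** (2 * KEY_BITS)


def effective_bits(key_bits, stages):
    """Time exponent of a meet-in-the-middle search on a cascade of
    `stages` independent keys: ceil(stages / 2) keys must be enumerated.
    Two-stage DES gives 56, three-stage 3DES gives 112, not 168."""
    return key_bits * ((stages + 1) // 2)


if __name__ == "__main__":
    secret = (0xBEEF, 0x1337)   # constructed secret key pair
    pairs = make_pairs(*secret, [0x0001, 0x5A5A, 0xC3C3])
    print("candidates:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    print("work: mitm=%d brute=%d" % work_factor())
    print("3DES effective bits:", effective_bits(56, 3))
```

The memory cost (one table entry per key) is the price of the time saving, which is why the 112-bit figure is a time bound and not the whole story.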
Has 3des been broken
Hi everyone,

I was wondering if anyone knows of any instances (through things like distributed computing or supercomputers) that triple DES has been broken?

Thx,

Leon
RE: obfuscating ip's (worth the read I think)
This is not really a response to Jay's post, this is just my own 2 cents for whatever that is worth (in today's economy I venture not much).

I think a person SHOULD obfuscate their IPs. Let's say they are running a vulnerable service and they are trying to shut it off. Say they cut 'n' paste the netstat showing their IP and listening port; they are basically saying, here I am, come get me. Sure the point that someone is going to find them anyway is both valid and strong but let's face it: some people on this list don't always have the best intentions. Case in point: going back about 6 months (maybe more) when the t0rn r00tkit was trendy, David D made some points about it on the incidents list and what do you know, sure enough in the next version of t0rn there was a note in the readme quoting what David said on the incidents list (I believe it even provided a link back to his post).

I don't believe security through obscurity works as a means to an end but I say the more hurdles the better. Further, I think obfuscating the IPs is not really so much security through obscurity as it is more like common sense. It is like saying: yeah, I just bought this new lock and it appears to be broken, here is my address; sure, other people are going to try to break into the house anyway but no need to provide a street address and exact directions on how to get there.

Again, 2 cents falling quickly,

Leon (I have recently become certified in ghi for all those following my saga. Currently working on jkl ;)

-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 03, 2001 1:12 PM
To: Security-Basics List
Subject: Re: obfuscating ip's

On Sun, 2 Dec 2001, dewt wrote:

> i see many times on this list that people post ip's of their machines, and of suspect machines. occasionally with lines like i'm running version (insert any vulnerable version number) of this service! or a much less serious but still iffy we only allow port 53 through the firewall to the machine 192.168.14.3. i think a risk exists by posting ip addresses.

I disagree for several reasons:

1. Any system that's reachable on the 'net is getting aggressively scanned anyway. Yes, discussing a problem may yield a temporary jump in scanning, but the threat of attack is not appreciably raised.

2. Discussing RFC-1918 addresses is pretty moot. Unless someone leaves some useful clues as to the external IP of their NAT, any planned attack on that LAN is an exercise in futility.

> first of all you expose your own machines to risk by announcing some unneeded information. sometimes a lot of information is needed to deduce problems, but the actual ips involved are usually not.

This is true, but only nominally so. There's a wealth of public information that one can use apart from any messages here by which they can mount an attack. The point I'm trying to make here is that obfuscating IP addresses in the course of discussions here won't buy the author any real security. Anyone with access to these public repositories of information can divine most everything they want to know if they truly have malevolent purposes. Obfuscating IPs isn't an obstacle... hell, it's barely a speedbump in any case.

> i have also heard in an email message that some people do indeed scan these machines for innocent purposes, but that can still cause alarm at the other end.

Now *this* is a valid concern. It's not a good idea to discuss IPs of systems you don't personally own and/or manage. As a rule, I *never* disclose information on an employer's or contractor's systems. The only IPs I spill are those I personally maintain.

> as for suspect machines (scans from this ip, or attempted worms whatever) also raises some issues, first of all if many people start scanning a compromised box the person who compromised it may get scared and delete everything on the system before someone responsible for the machine can take any appropriate action, alternatively you could invite scans to dialup accounts which by then wouldn't be the same machine anyway, slowing down someone's internet connection, or if the suspect traffic turned out to be a false alarm, you may have caused headaches for whoever deals with the innocent suspect machine (i know i have strange traffic forwarded to my pager, not sure about all of you).

I'm ambivalent on this issue. I see scans from different sites all over the world. Most scans I simply ignore if they're just vanilla scans for known vulnerable services (BIND, SunRPC, some SSHd iterations, et cetera). If it's a scan via a worm, I notify the netblock owner. But if it's repeated spews from a specific netblock and notices to the upstream
RE: security tools with email notification
Hi John,

Here are my thoughts in the order that you wrote your questions.

1) Yes, I see a lot of problems. Not so much with Yahoo specifically but the idea of sending sensitive information in clear text. This allows anyone on the same segment (network, that is) that is running a sniffer to see the traffic. Obviously this is a big problem due to the sensitivity of the information being sent.

2) Sure. What if he is running a sniffer (if it is a local attacker)?

3) I would send them to a POP3 account and write a script to have them encrypted before they are sent using some kind of PKI solution. I wish I had a website or link for you but I don't. I have a sneaky suspicion that someone probably has had this problem before and hasn't written a script for it.

Best of luck,

Leon

-----Original Message-----
From: John Christopher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2001 1:32 PM
To: [EMAIL PROTECTED]
Subject: security tools with email notification

Hi -

Many security tools (logcheck, for example) provide a facility for sending warnings, etc. to an email address.

1. Can anyone see any security problems with sending such info to a yahoo.com email address (in other words, how secure is Yahoo mail)?
2. Is it possible for an attacker to intercept email messages sent from a host he has targeted?
3. Should such emails be encrypted before being sent?

Thanks -

JC
RE: Spoofing question?
Hi again Dee,

Spoofing is usually for subversion of trust attacks and works with session hijacking. Probably the most famous example of this would be the Christmas attack by Mitnick (I believe he spoofed his IP to be that of the trusted system when he hijacked the session and SYN-flooded the host. Maybe I am confused and this is just TCP sequence prediction I am talking about). Also spoofing is used when you don't care about the return packet (i.e. DoS, DDoS). Lastly someone on this list posted a link to a great article on doing idle scans with nmap and hping2. Below is the link.

HTH and not confused,

Leon

http://www.sans.org/infosecFAQ/audit/hping2.htm

-----Original Message-----
From: Dee Harrod [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 3:18 PM
To: SecurityBasics
Subject: Spoofing question?

How does spoofing work? If I change the source address of my outbound packet, how do I get the response? How does it get back to me?

--
Dee
RE: Unix Security Standards, books, tools...
Real World Linux Security by Bob Toxen is by far the best book I have ever read on Linux and it of course applies to Unix.

HTH,

Leon

-----Original Message-----
From: tony toni [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 9:09 PM
To: [EMAIL PROTECTED]
Subject: Unix Security Standards, books, tools...

Folks,

I recently was assigned the project of developing security standards for our Unix environment. We have about 400 Unix boxes (HP-UX, Sun Solaris, AIX, etc.) and the admins do their *own thing* with these boxes. This is not a project I exactly like... I am buried with 20 other projects... and I am not a Unix guru.

For each Unix *flavor*, I need to develop Unix security standards that will cover areas like configuration settings, defaults, permissions, admin account, password file, shells, trusts, root, patches, logging, etc.

These are my questions:

(1) Does anyone know where I can quickly get my hands on some high quality, concise security standards/templates/checklists for each Unix *flavor*?
(2) What about good books/sites on Unix Security?
(3) What about user friendly software tool(s) that I can periodically use to audit the Unix boxes for compliance to the new security standards I developed?

Thanks

Tony
IT Security Manager
Major Telecommunications Company
RE: Ip Spoofing I Think
Do you allow anon relaying? If so turn it off immediately.

Leon

-----Original Message-----
From: Gerald Lyons [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2001 10:26 AM
To: [EMAIL PROTECTED]
Subject: Ip Spoofing I Think
Mailer: SecurityFocus

We have been getting complaints about spam going through our web server... The e-mail that people are receiving has 'Received: from 208.149.120.240' which is our IP address... We do have a Mail Server but it shows no logs of the sender or the receivers... We have contacted CW, our ISP, but have gotten nowhere with them... I need help. Any suggestions on what to do about this?

Thank You

Gerald Lyons
[EMAIL PROTECTED]
RE: List of dos apps? (was svchost.exe)
Hi. I am sorry if I didn't make myself clearer. Sysinternals is a great site. My question was: does anyone have a list of the DOS apps that come installed by default with XP (eg netstat, tasklist, arp, ping, traceroute, etc)? That is what I meant. I am sorry for not making myself clearer the first time.

I am looking for a list of DOS apps that are installed by default on Win XP (Win 2k would be nice also). I checked M$'s site and Google and did not find anything. I am hoping someone on the list has a link or .txt for me.

Cheers, and hope everyone is having a great weekend.

Leon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 01, 2001 5:07 PM
To: leon; 'Richard'; 'Jonas M Luster'
Cc: [EMAIL PROTECTED]
Subject: Re: List of dos apps? (was svchost.exe)

A good source of tools is www.sysinternals.com :)

----- Original Message -----
From: leon [EMAIL PROTECTED]
To: 'Richard' [EMAIL PROTECTED]; 'Jonas M Luster' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 29, 2001 03:01
Subject: List of dos apps? (was svchost.exe)

Anyone have a list or a link to the complete DOS tools that are installed by default with XP?

Thx
Leon

-----Original Message-----
From: Richard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 27, 2001 7:21 AM
To: Jonas M Luster
Cc: [EMAIL PROTECTED]
Subject: Fw: svchost.exe

> To see what process this is hosting, do a tlist on the process id
> XP does not have tlist.

Yes it does. MS is constantly renaming utilities; tlist in XP is tasklist and it's installed by default, which is a nice change. This is an old link to Default Processes in Windows 2000 that you may also find useful. I don't think MS has released a similar KB article for XP yet.

http://support.microsoft.com/support/kb/articles/q263/2/01.asp

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
RE: NAT/PAT (Hide NAT) Vulnerabilities?
Snipped down to last paragraph:

> So it seems to me that if you use NAT/PAT, you don't need a real firewall unless you're actually permitting some kind of traffic to connect to something from the outside. Is that right?
> -- Dee

Hi Dee,

A lot of firewalls use NAT/PAT, so if you are using it then you are using a firewall/ing (technique?). Also, if you don't have any listening services then it becomes much harder for an attacker to remotely execute code on your system (especially if it is *ix; hi M$ Outlook and all your bugs ((heh, I say that as I type this e-mail in Outlook))).

Not sure if that cleared things up or not. I think it is really arguing the semantics of a nuance (ie NAT/PAT, forget about firewall, yet a lot of firewalls actually use this for firewalling, or as a means of it).

HTH,
Leon
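The mechanism behind Dee's conclusion is that a PAT box keeps a table of connections the inside started, and an inbound packet that matches nothing in that table (and no static forward) has nowhere to go. The toy translator below is an added example, not code from either post; it models that behaviour so the three cases can be seen side by side: an unsolicited probe, a reply to an outbound connection, and the one inbound port you deliberately forward. All addresses are constructed from documentation ranges.

```python
import itertools


class Pat:
    """Minimal port-address translator with connection state and static forwards."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        # (ext_port, remote_ip, remote_port) -> (int_ip, int_port): dynamic state
        self.table = {}
        # ext_port -> (int_ip, int_port): the "permitting traffic from outside" case
        self.forwards = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection; allocate an external port and record it."""
        ext_port = next(self._ports)
        self.table[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, ext_port, dst_ip, dst_port)   # packet as seen outside

    def forward(self, ext_port, int_ip, int_port):
        """Static mapping: exposes one inside service on one external port."""
        self.forwards[ext_port] = (int_ip, int_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving from the Internet; return the inside target or None (dropped)."""
        key = (dst_port, src_ip, src_port)
        if key in self.table:          # reply to something the inside started
            return self.table[key]
        if dst_port in self.forwards:  # explicitly exposed service
            return self.forwards[dst_port]
        return None                    # no state, no forward: nowhere to deliver


if __name__ == "__main__":
    pat = Pat("203.0.113.10")
    print(pat.inbound("198.51.100.7", 4444, 80))        # None: probe dropped
    print(pat.outbound("192.168.1.20", 51000, "198.51.100.7", 80))
    print(pat.inbound("198.51.100.7", 80, 40000))       # reply passes
    pat.forward(80, "192.168.1.30", 80)
    print(pat.inbound("198.51.100.7", 4444, 80))        # forwarded: the hole Dee means
```

Two caveats the toy glosses over: real translators differ in how much of the tuple they match on (a full-cone implementation accepts any source on a mapped external port, so an open mapping is reachable by more than its original peer), and PAT says nothing about what the inside hosts send out, which is where Leon's point about Outlook comes in; a stateful firewall adds policy on top of the same table.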
default password(s) website(s)
Hi everyone,

I used to have links to a couple of websites that had default password databases. I can only find these out of my links:

http://www.securityparadigm.com/defaultpw.htm
http://www.phenoelit.de/dpl/dpl.html
http://www.underground.org.pl/majdom/dpl.html

With the exception of the phenoelit one they mostly seem out of date (relative, I know). Anyone with any other links they would like to contribute?

Best regards,
Leon

PS: a quick Google search revealed the 3 I named plus this one, which didn't supply instant gratification (it didn't just throw passwords at me like the other ones). So feel free to check this out also if you have patience (unlike me).
http://security.nerdnet.com/index.php
RE: WIN2K Ports 32000 32001 Open ?
See, the problem with saying this is this or that based on static port assignment is that it makes a huge assumption; it assumes that either the attacker is using a program that does not allow him to change the port, or, if he is using one that does, he decided not to change the port. You should not make an assumption or underestimate the situation. So when people write to the list I always (and I think most professionals will agree with me on this) tell them they have to identify and investigate what process is bound to the port. It is always nice to do a little investigation and see what port is registered or if a Trojan port is listed in a database, but in the end you have to identify both the process and related DLLs and hopefully sniff some traffic to or from it.

Hope that clears it up for a lot of people (seems like a lot of people get confused on this point, ie getting bogged down in this port or that).

Regards,
Leon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 24, 2001 5:22 AM
To: 'Richard Feaver'; [EMAIL PROTECTED]
Cc: leon
Subject: RE: WIN2K Ports 32000 32001 Open ?

http://www.simovits.com/trojans/tr_data/y358.html

leon [EMAIL PROTECTED] wrote on 11/23/2001 09:53 PM
To: 'Richard Feaver' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: WIN2K Ports 32000 32001 Open ?

> Why don't you get Fport or Vision from foundstone.com and track down the process that is bound to the port?
>
> Regards,
> Leon

-----Original Message-----
From: Richard Feaver [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:38 AM
To: [EMAIL PROTECTED]
Subject: WIN2K Ports 32000 32001 Open ?

Greets all,

Recently, checking one of our Win2k boxes, I found ports 32000 and 32001 open and listening for connections. Checking Google I failed to find much concerning port 32000, but I did find a trojan called Donald Dick which apparently runs on port 32001. I've checked official application port listings and those port numbers are not registered, so I can only assume it's a trojan of some sort. Has anyone else had any experience with these port numbers, or could offer any more advice as to how to track down exactly what it is and how I could go about curing the problem? I tried a reboot as well but they were still open on restart.

Thank you,
rich
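Leon's point is that the port number is a lookup key, not evidence; the process that owns the socket is. On XP and later the correlation he asks for can be done from two built-in commands, netstat -ano (which prints the owning PID) joined against tasklist /svc (which names the image and any services it hosts); Windows 2000's netstat has no -o switch, which is why he points Rich at Fport. The script below is an added example and not from the thread: it performs that join over netstat and tasklist output that is constructed here to look like the real thing, including a process name (updater.exe) that is a placeholder, not a real identification of what sat on Rich's ports.

```python
import re

# Constructed to resemble "netstat -ano" on XP; not a capture from Rich's box.
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:32000          0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:32001          0.0.0.0:0              LISTENING       1528
  TCP    192.0.2.15:1045        198.51.100.3:80        ESTABLISHED     1212
  UDP    0.0.0.0:500            *:*                                    632
"""

# Constructed to resemble "tasklist /svc"; updater.exe is a placeholder name.
TASKLIST_OUT = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    744 RpcSs
lsass.exe                      632 PolicyAgent, ProtectedStorage, SamSs
iexplore.exe                  1212 N/A
updater.exe                   1528 N/A
"""


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$", line)
        if m:
            proto, _addr, port, state, pid = m.groups()
            rows.append((proto, int(port), state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("="):
            continue
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            image, pid, services = m.groups()
            procs[int(pid)] = (image, services.strip())
    return procs


def who_owns(port, netstat_text=NETSTAT_OUT, tasklist_text=TASKLIST_OUT):
    """Return (proto, pid, image, services) for the listener on port, or None."""
    procs = parse_tasklist(tasklist_text)
    for proto, p, state, pid in parse_netstat(netstat_text):
        if p == port and state in ("LISTENING", ""):   # UDP rows have no state
            image, services = procs.get(pid, ("<not in tasklist>", ""))
            return (proto, pid, image, services)
    return None


if __name__ == "__main__":
    for port in (135, 500, 32000, 32001, 1045):
        print(port, who_owns(port))
```

Once you have the PID, the next two steps Leon names are mechanical: tasklist /m /fi "PID eq 1528" lists the DLLs loaded in that process, and the image path tells you whether it is something you installed; a listener that survives a reboot, as Rich's did, also has a start-up entry (service, Run key, or scheduled task) worth finding before you remove anything.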
RE: WIN2K Ports 32000 32001 Open ?
Why don't you get Fport or Vision from foundstone.com and track down the process that is bound to the port?

Regards,
Leon

-----Original Message-----
From: Richard Feaver [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:38 AM
To: [EMAIL PROTECTED]
Subject: WIN2K Ports 32000 32001 Open ?

Greets all,

Recently, checking one of our Win2k boxes, I found ports 32000 and 32001 open and listening for connections. Checking Google I failed to find much concerning port 32000, but I did find a trojan called Donald Dick which apparently runs on port 32001. I've checked official application port listings and those port numbers are not registered, so I can only assume it's a trojan of some sort. Has anyone else had any experience with these port numbers, or could offer any more advice as to how to track down exactly what it is and how I could go about curing the problem? I tried a reboot as well but they were still open on restart.

Thank you,
rich
RE: Has anyone seen this before?
If you are worried about being overloaded by this traffic (or any undesirable traffic, for that matter), why not just throw them in your edge router's ACLs? After that, why not contact the owners of the IPs after you do a whois on them?

HTH,
Leon

-----Original Message-----
From: Seth Keller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 2:51 PM
To: [EMAIL PROTECTED]
Subject: Has anyone seen this before?

We have been absolutely bombarded for the last 3 hours from a range of IPs which appear to be performing legitimate requests to port 80 on our web server. Our T1 line has seen 100% utilization for the last 3 hours. We are getting roughly 500-600 requests per minute from a specific range of IPs. The IP addresses revolve around in near perfect order. They start at 216.106.166.141 and roll up to 216.106.166.207 before repeating. Any ideas?

Thanks in advance.

Seth Keller
Culver Community Schools
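Seth's range is 67 contiguous addresses, which is 67 ACL lines if written one host at a time and five if summarised into CIDR blocks first. The script below is an added example, not from either message: it summarises an inclusive address range into the smallest set of networks and emits Cisco IOS-style extended ACL lines (network plus wildcard mask), since that is what Leon's "throw them in your edge router's ACLs" comes down to. The range is the one Seth reports; the ACL number and the trailing permit line are assumptions about his router configuration.

```python
import ipaddress


def summarize(first, last):
    """Smallest list of CIDR networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def deny_acl(first, last, acl_number=101):
    """Cisco IOS extended-ACL lines that drop the range and permit the rest.

    IOS ACLs take a wildcard mask (the inverse of the netmask), which the
    ipaddress module exposes as the network's hostmask. The acl number and
    the closing 'permit ip any any' are assumptions for the example."""
    lines = []
    for net in summarize(first, last):
        lines.append(f"access-list {acl_number} deny ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    for net in summarize("216.106.166.141", "216.106.166.207"):
        print(net)
    print()
    print("\n".join(deny_acl("216.106.166.141", "216.106.166.207")))
```

The ACL goes on the inbound direction of the Internet-facing interface so the requests are dropped before they cross the T1's inside; dropping them at the web server would not help, since the line is already saturated by the time the packets arrive. Whois on the block (which is the same five networks) then gives you the abuse contact Leon suggests.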
bricker server question
Hi everyone,

It seems that SNP is now being protected by (or at least using) a firewall by the name of the BRICKServer. I have never heard of this firewall; anyone on the list have anything to say about it (practical experiences, nightmares, feedback, etc)? I checked Google and did not find that many useful references (even less if you are looking for practical experience as opposed to a review of the product).

Thanks in advance, and I have provided the link below.

http://www.thirdpig.com/brickserver.htm

Cheers, and hope everyone had a fantastic Thanksgiving.

Leon
SNP back from the ashes
The SecurityNewsPortal is BACK!

http://206.61.52.48/index.html

You can use this direct IP address to get to the new web site until the new DNS of www.SecurityNewsPortal.com starts working again.

The SNP will initially return to the Internet running with its barebones skeleton web page, often referred to by our regular viewers of SNP as the 'surgery' web page, a term coined by the users when I posted this style of interim page online while having surgery and was not able to perform the hourly (by the minute) news updates like usual. I have added several new features to the 'surgery' page that will give you access to the entire news resources at moreover.com and newsnow.com. As well, I have placed a news search engine on the page that has the ability to search for news at eighty-two different news resources.

As soon as possible the SNP will return to its previous look, feel and method of presenting the latest breaking security, hacking and virus news. This is what we will be silently constructing in the background over the next couple of weeks. Until the SNP returns to its full original look and feel we want to thank you for visiting, and we hope you will be able to make use of the new features we have added to the 'temporary' web page that we have put up for your use.

Hopefully within a few days the folks at Network Solutions will do their magic and make our domain name of www.SecurityNewsPortal.com point to this new server. In the meantime feel free to bookmark this IP address until the domain name address of www.SecurityNewsPortal.com starts working again: http://206.61.52.48/index.html

As you know, the SNP is owned, operated and paid for by one person as a non-commercial web site. As such there were limitations as to how much money could be spent towards finding a secure web hosting environment that took server security as seriously as we wanted and required. Being a 'one man' beer budget operation we knew our limitations on how much we could afford to spend to support this 'hobby' web site.

During the course of all these events the SNP was overwhelmed with kind offers of support from its viewership, many of whom work for some of the leading security product and services companies. SNP looked at the many kind offers of assistance that were put forward and entered into discussions with a major security product and services vendor who wished to bring the SNP under the protection and support of their publishing subsidiary. Unfortunately, everything was proceeding quite favorably until the lawyers entered the picture. At that point the negotiations collapsed. It is unfortunate that the negotiations had to end after having consumed so much valuable time, but SNP had to thoroughly investigate that kind offer, as its long term benefits to the future of SNP would have been a dream come true for any webmaster.

One of the conditions of the negotiations hinged on the server that would host the SecurityNewsPortal. It was SNP's desire to make use of the BRICKServer that had been graciously offered by SAGE Inc, aka ThirdPig.com. We were already familiar with this technology, which provides a single box solution that offers the hardware, software and security measures all built into one convenient package. Due to the excellent history of this product in the 'real world' we were confident that it would provide an effective solution that would permit the SNP to resume operating in a safe and secure manner.

We are pleased to acknowledge that SNP is now running on a BRICKServer provided by SAGE Inc. Within 20 minutes of my phone call to ThirdPig.com the server was placed online for SNP. Within five minutes of receiving the program that controls the administrative interface to the server I was able to start transferring the interim web pages to the server. The speed with which the BRICKServer was put online and made functional for SNP's use is a testimony to all the good things that we had heard about this particular hardware, software, security product. We are proud to fly the banner for the BRICKServer on our home page.

SNP would like to take this opportunity to thank all of the companies that stepped forward and offered their services, products, network hosting and other kind offers of assistance. It is because of this overwhelming show of support from the professional security community that this 'one man' beer budget operation has returned to the Internet. Your kindness will long be remembered and will motivate us to build a bigger and better SNP for your news reading enjoyment.

SNP would also like to take this opportunity to personally thank and acknowledge the thousands of people (5000+) who took the time to write directly to us and offer us their kind words of support. We were truly touched and overwhelmed by this massive show of support and sympathy to our plight. Your kind words will be the fuel that motivates us to improve and double our efforts
RE: Application Development
SecurityFocus has a mailing list that is called secure programming. Perhaps that would help. If not, you could always try Google and throw in some key words like "secure programming". I just did and it returned a ton of results for me!!

Cheers,
Leon

-----Original Message-----
From: Patrick Fong [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 11:42 PM
To: [EMAIL PROTECTED]
Subject: Application Development

Hi

I am a Java programmer. I am interested in the security aspects of application development. Java, being the Internet programming language, involves understanding Internet security concepts. About a month ago, I got an email outlining a lot of the Internet security concepts like Session Hijacking and many others that I can't remember from one of SecurityFocus' lists. I was wondering if someone can give me some links and books perhaps so that I can learn more about these concepts. I am aware of Sun's Java security web site. I want to know about others. I have heard of CISSP; however, I do not have the amount of experience to sit for that exam. Is there anything else?

Patrick
RE: Multiple port mirroring?
Does it have to be logical or can it be physical? There are switches out there that actually have physical spanning ports (that is, you plug your computer/sniffer into the span port and it actually gets a mirror of all the traffic traversing the switch). I bet you could even configure a Cisco switch (I bet, but I am not sure, especially on some of the higher end models with the CatOS) so that you could have it set up logically also. Could someone let me know if I am wrong about the Cisco comment, because I am curious as to the answer myself.

Regards,
Leon

-----Original Message-----
From: Marc Mc Guinness [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 1:04 AM
To: [EMAIL PROTECTED]
Subject: Multiple port mirroring?

Hello!

On Wednesday, 14 November 2001 19:24, David Ellis wrote:
> What you could actually do is create a mirrored port on your switch and sniff all the traffic that way

Does anybody know something about switches which can do multiple port mirroring? What I want is one port that gets all the traffic of the other ports on that switch.

Best regards,
Marc Mc Guinness
RE: packet sniffer
Snort, tcpdump, Ethereal, Sniffer Pro, www.google.com (search for sniffers and NT).

Regards,
Leon

-----Original Message-----
From: BurntCircuit [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 11:58 AM
To: Security-Basics
Subject: packet sniffer

I'm looking for a good Windows NT/2K (maybe XP Pro) packet sniffer to monitor the comings and goings of a few programs that I don't trust. Would someone be able to tell me of a good one (better yet the best one (LOL, if there is one))?

Thanks
Ben
RE: Firewall features
I thought there used to be one at http://www.networkintrusion.co.uk/ but I have not seen the site owner on any of the lists lately, and since he does it (the website) as a hobby I am not sure how up to date it is anymore.

HTH,
Leon

-----Original Message-----
From: Dilli Rajesh Kumar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 20, 2001 12:09 AM
To: leon; [EMAIL PROTECTED]
Subject: Re: Firewall features

By "where" I mean any webpage where the features supported by different firewalls are mentioned. As far as seen from the vendors' sites and other pages, I think FW-1 supports the most features.

Bye
DRajesh

----- Original Message -----
From: leon [EMAIL PROTECTED]
To: 'Dilli Rajesh Kumar' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, November 19, 2001 1:39 AM
Subject: RE: Firewall features

What do you mean by "where can you get the features"? If you are looking for a list of the features of each product (PIX, Checkpoint, SonicWall, ip/tables/chains, etc) why not go to the vendor's homepage? I hate to tell you that there is probably not (at least in my experience, and I am sure the list will correct me if I am wrong) one product that does everything you requested. Even if there was, it stinks of single point of failure and I probably would not deploy it.

Cheers,
Leon

-----Original Message-----
From: Dilli Rajesh Kumar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 11:56 PM
To: [EMAIL PROTECTED]
Subject: Firewall features

Hi,

Where can I get the features associated with various firewalls? Features like content filtering, intrusion detection, antivirus software and much more.

Regards
DRajesh
RE: SAM Database viewing access
Pwdump2 or 3 (search Google, you will find them) will dump the hashes from the SAM. Is this what you meant? If not, and you are more specific (on list or off), I will try to help if I can.

Cheers,
Leon

-----Original Message-----
From: Brian Heathfield [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 6:52 AM
To: [EMAIL PROTECTED]
Subject: SAM Database viewing access

Hi,

Does anyone know where I can find a tool to view the SAM on an NT4 machine in real-time, or at least snapshots?

Many thanks,
Brian
RE: HIPAA Standards
There is a ton of information on this if you do a search on Google. Also there is quite a bit of information in the CISSP prep guide, which you can find at Amazon or your local bookstore.

Cheers,
Leon

-----Original Message-----
From: Thomas Ryan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 8:51 PM
To: [EMAIL PROTECTED]
Subject: HIPAA Standards

Where can I find information on the current HIPAA Security Standards?

Thanks!
Tom