Download Managers

2003-02-26 Thread Leon Pholi
Hi,

Just wondering on thoughts about download managers- do they pose a
security risk? Any known to be trojaned? The one I use is GetRight, does
anyone know if this one has known security issues?

Any thoughts appreciated, thanks.

Leon


RE: CIS Security template

2003-01-06 Thread Leon Pholi
I had to change the SFCScan value because I got Windows File Protection
errors on many of the machines, other than that it worked well. Most
importantly however, make sure you test it out on your various standard
environments first, this should catch most potential issues early. You may
also find you will need slightly different versions depending on the systems
aimed at.

Regards,
Leon

-Original Message-
From: Simon Taplin [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, 5 January 2003 7:29 AM
To: Security-Basics
Subject: CIS Security template


Has anybody run into any problems using Win2000 Pro when they have
installed/run the CIS Win2kProGold_R1.2 security template?

The PCs would be used by students studying anything from a basic secretary
course to graphic design to, in some cases, MCSE students.

Thanks
Simon


Quote of the day:
Systems Administration is the kind of job that nobody notices if you're
doing it well. People only take notice of their systems when they're not
working.
---

This email has been scanned by AVG Anti-Virus
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.435 / Virus Database: 244 - Release Date: 2002/12/30



RE: XP admin shares

2002-12-10 Thread Leon Pholi
Yeah, I searched Google and read that, which is why I said-

You can do it through Computer Management but they'll be re-enabled at 
reboot

Thanks to everyone for your help in pointing out the Win2k Reg Key location
is still correct, and if this doesn't previously exist it can safely be
created. Doing this worked a treat. :)

-Original Message-
From: flur [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, 10 December 2002 10:33 AM
To: [EMAIL PROTECTED]
Cc: Leon Pholi
Subject: Re: XP admin shares


Try reading Microsoft Knowledge Base Article #314984 entitled HOW TO: 
Create and Disable Administrative Shares on Windows XP. You can find it at 
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q314984

Remember, Google is your friend.


At 11:27 AM 12/09/2002 +1100, you wrote:
Hi everyone,

Just a quick one, does anyone know how to stop the default 
administrative file shares in Win XP (professional edition)? One would 
think this would be a standard part of locking down a box, but can't 
find much on it for XP.

You can do it through Computer Management but they'll be re-enabled at 
reboot, and the Win2k key of 
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks
doesn't seem to exist. Any ideas?

Thanks,
Leon


 __ _
~FluRDoInG[EMAIL PROTECTED]
http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4



XP admin shares

2002-12-09 Thread Leon Pholi
Hi everyone,

Just a quick one, does anyone know how to stop the default administrative
file shares in Win XP (professional edition)? One would think this would be
a standard part of locking down a box, but can't find much on it for XP.

You can do it through Computer Management but they'll be re-enabled at
reboot, and the Win2k key of
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks
doesn't seem to exist. Any ideas?

Thanks,
Leon



RE: WIRELESS THEFT

2002-10-21 Thread Leon Ward
Would it also come down to trespass?
Just a thought...

nard
http://www.nardware.co.uk


-Original Message-
From: Robert J. Young [mailto:rjyoung;frankie.ca]
Sent: 18 October 2002 17:26
To: [EMAIL PROTECTED]
Subject: Re: WIRELESS THEFT


It's a theft of service.  The wireless part is not relevant.  This is 
the same as if you hooked a telephone up to a phone line in your 
neighbour's house without his permission.  The fact that they have 
poorly secured their services doesn't make this less illegal.  Maybe you 
should tell them about their problem, though.

Amit P. Gandre wrote:

Hi
   Can someone tell me if there are any laws regarding wireless
theft?

   One of the apartment complexes near mine has free wireless
connections offered to their residents. Now, my computer happens to catch
that signal.

   Now, is that illegal? If so, how should I go about dealing with
this issue?

Amit

  


-- 

[EMAIL PROTECTED]
http://www.frankie.ca




This E-mail and its attachments have been scanned for viruses before
delivery.
For more information contact [EMAIL PROTECTED]

This E-mail and its attachments have been scanned for viruses before delivery.
We recommend that all attachments are also checked by recipients before being viewed.
For more information contact [EMAIL PROTECTED]



Formation of Network / Information Security user group: Reading UK

2002-10-15 Thread Leon Ward

Hello.
A user group for people interested in network security is being
formed in the Reading (UK) Area. 
The general ideas behind the group include:

* Allowing like-minded people to bounce ideas off each other.
* Learning something new.
* Conversing and discussing new developments.
* Passing on knowledge.
* The possibility of arranging guest speakers exists but will depend on
levels of interest.
* Drinking beer.

If anyone is interested in joining, Please send a mail to:
[EMAIL PROTECTED]

Nard.





Firewall options- which way to go

2002-10-15 Thread Leon Pholi

 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I am looking at options for setting up a Linux firewall for our
company. Although I am a relative newbie to Linux, I'm not afraid to
get my 'hands dirty' with IPTables etc. 

I have a couple of questions and would appreciate all comments.

1) Is it better to use a purpose built distribution such as
Smoothwall, IPCop or firewall specific ones from Redhat, Mandrake,
SuSE etc, or, would it be better to use a standard distro & build it
from scratch (bearing in mind I haven't yet recompiled a kernel but
I'm willing to give that a go too)? 

2) If building from scratch, kernel version 2.4 supports both
ipchains & iptables (newer)- does anyone have a strong view on using
one over the other?
If using a purpose built one, does anyone have any experience-based
preferences?

3) Other than just suggesting to do a google search, are there any
resources (a simple step by step howto would be good) you would
recommend for the suggested approach?

All help greatly appreciated. Thanks in advance.

Leon

-BEGIN PGP SIGNATURE-
Version: PGP 7.0.4

iQA/AwUBPaoQ+23X5duwk+XvEQKyUQCfcI+YuA2CoEgTKPdMkacPHhc0MWQAoKid
reavCfqXEnT7pygVQ+8nO9P4
=kL3I
-END PGP SIGNATURE-



RE: Word 2000 Password Recovery

2002-06-29 Thread Jose D. Crespo de Leon

I have the PDF version and it works fine; I haven't used the Word version.

www.elcomsoft.com


Saludos,
 
Jose D. Crespo de Leon
MCSE, MCSA, CISSP
E-mail: [EMAIL PROTECTED]
Mobile: 787-607-8574
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Word 2000 Password Recovery

Sorry about sending that without a subject...

Does anybody know of a good tool (hopefully free) for Word 2000 Open
Document password recovery? Will it work with WordXP documents (w/ the
Office2000 Compatibility set)?

~Richard M. Conlan






RE: L0phtcrack3 Metrics

2002-06-15 Thread leon

 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would use LC4; the What's New section claims the algorithms are
improved and the cracking time is faster.

Just a thought.

Cheers,

leon

- -Original Message-
From: Michael Ungar [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 14, 2002 12:31 AM
To: [EMAIL PROTECTED]
Subject: L0phtcrack3 Metrics


I've been challenged by one of my peers to provide
metrics on the amount of time it would take
L0phtcrack3 to crack an eight character password that
was alphanumeric vs a similar password that was
alphanumeric but had a requirement for upper and lower
case.

So for example, would it take L0phtcrack3
significantly longer to crack a password of 1367AseR
vs 1367aser.

Thanks.Mike Ungar

__
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use http://www.pgp.com

iQA/AwUBPQtXv87zNvD2yOEeEQJ8+wCeOzP05GhdVC7sSqAdnFpkoqeMbXoAoL6q
iuzsz0Tlmo5pp+jVDXzOwgHl
=e+xv
-END PGP SIGNATURE-
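The question above is really about keyspace, and the answer depends on which hash L0phtcrack is attacking. The following is an added example, not code from the thread or from L0phtcrack: it computes the exhaustive-search keyspace for the two example passwords under LM (which upper-cases the password and hashes two independent 7-byte halves, so a mixed-case requirement buys nothing) and under NTLM (which hashes the password as typed). The 32-character symbol alphabet and the guesses-per-second rate in the demo are assumptions, not LC3/LC4 benchmarks.

```python
"""Brute-force keyspace for a password under LM vs NTLM.

LM folds the password to upper case and hashes two independent 7-byte halves,
so a case requirement does not help against LM; NTLM hashes the password as
typed, so it does.  The two passwords in the demo are the ones from the question.
"""

DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32   # SYMBOLS is an assumption


def char_classes(password: str) -> set:
    """Which character classes the password actually draws from."""
    classes = set()
    for c in password:
        if c.isdigit():
            classes.add("digit")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        else:
            classes.add("symbol")
    return classes


def alphabet_size(classes: set, case_sensitive: bool) -> int:
    """Smallest alphabet an attacker must search given the classes used."""
    size = DIGITS if "digit" in classes else 0
    if case_sensitive:
        size += LOWER if "lower" in classes else 0
        size += UPPER if "upper" in classes else 0
    elif classes & {"lower", "upper"}:
        size += 26                    # LM keeps only one case
    if "symbol" in classes:
        size += SYMBOLS
    return size


def ntlm_keyspace(password: str) -> int:
    """NTLM: the whole password, case preserved, searched as one unit."""
    n = alphabet_size(char_classes(password), case_sensitive=True)
    return n ** len(password)


def lm_keyspace(password: str) -> int:
    """LM: upper-cased and split into 7-byte halves that are attacked
    independently, so the work is the sum of two searches, not the product."""
    n = alphabet_size(char_classes(password), case_sensitive=False)
    first = min(len(password), 7)
    second = max(len(password) - 7, 0)
    return n ** first + (n ** second if second else 0)


def seconds_at(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at an assumed rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for pw in ("1367AseR", "1367aser"):
        lm, nt = lm_keyspace(pw), ntlm_keyspace(pw)
        print(f"{pw}: LM={lm} NTLM={nt} NTLM hours at 1M/s={seconds_at(nt, 1e6) / 3600:.1f}")
```

Running it shows the LM keyspace is identical for both passwords (36^7 + 36), while the NTLM keyspace for the mixed-case password is 62^8, about 77 times larger than 36^8 for the single-case one. If the target still has LM hashes stored, the case policy only pays off once LM hashing is disabled.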




RE: ISS and NFR

2002-06-15 Thread leon

 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

What about using sourcefire?  www.sourcefire.com from the maker(s) of
snort.

Cheers,

Leon

- -Original Message-
From: shawn merdinger [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 03, 2002 4:08 PM
To: ABRAHAM AJI
Cc: [EMAIL PROTECTED]
Subject: Re: ISS and NFR



Gee...you're not looking at Cisco's offerings?  They have both
network IDS and host IDS products.

http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm

- -scm


On Sun, 2 Jun 2002, ABRAHAM AJI wrote:

 
 Hello,
 
 Does anybody have a document which compares
 performance and features of the Intrusion Detection
 Systems from the above two vendors? We are in the
 process of evaluating IDS for our company. Has anybody
 done tests on these products? Your reply in this regard
 is highly appreciated.
 
 
 Aji Abraham
 
 


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use http://www.pgp.com

iQA/AwUBPQpz687zNvD2yOEeEQKbhQCfS6JZ36FWLtp/zuVBLBCIiEN40+wAoMf1
/c6kKaWNOazkM4bURuWu87TZ
=Apkd
-END PGP SIGNATURE-




RE: Snort or Ethereal for a relative newbie?

2002-06-01 Thread Leon Ward

Thomas,
thought Snort was capable of dropping packets based on the snort 
ruleset... am I wrong?

Basically yes, you are wrong.

Snort captures packets using libpcap and runs them through a ruleset to
decide whether they could contain suspicious traffic; if it matches anything
an alarm will be created. You can then review the alarms (or have an
automated tool do this for you) and decide on the action to take.
Consider this...


(Internet)--|hub|
  |---|firewall|---|hub|
  ||
  |---|snort|  |---|snort|
   |
   |---|internal lan|


Your firewall (should) block access to all ports excluding specific ones
that you specify, therefore if you have TCP:80 open for a web server, you
are allowing any traffic (including exploit code) through the wall. Snort
would pick this up and let you know. Remember to make sure that if you have
a sensor external to your firewall it is secure, but that's another
conversation.


Does anyone have any in depth installation and config tutorials? 
Snort.org has a few, but nothing I can make good use of.

  There are many documents about setting up snort out there, and to be
honest if you are accustomed to compiling software on UNIX-based systems you
will not have problems installing snort.
As far as configuration goes, the config file itself (snort.conf) has a
great many comments describing what everything does.
If you get really stuck, you could take a look at a document about setting
up a honeypot I wrote a while ago, it touches on snort a little.

http://62.231.147.171/nard/Honeypot1.htm


Good luck,

Leon Ward 
aka nard

Please direct replies to: [EMAIL PROTECTED]






-Original Message-
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]] 
Sent: 29 May 2002 21:13
To: Leon Ward
Cc: [EMAIL PROTECTED]
Subject: Re: Snort or Ethereal for a relative newbie?


I thought Snort was capable of dropping packets based on the snort 
ruleset... am I wrong? Is that performed only by the firewall?

I realise Ethereal is only for listening to what's happening.

Does anyone have any in depth installation and config tutorials? 
Snort.org has a few, but nothing I can make good use of.

I'll check out silicondefense... although I'm not on any MS product - 
Mandrake Linux 8.2

Regards,
Thomas Madhavan

Leon Ward wrote:

It seems that you are thinking slightly along the wrong lines here, 
Snort and Ethereal capture packets and do not block anything. 
Snort has the capability to inspect packets against a set of rules and 
report accordingly (alert on suspicious traffic). Ethereal captures 
packets for the purpose of allowing a user to inspect what is going on 
on the wire.

As far as the snort compiling problems go, check that the directory 
that libpcap installed its libraries into is listed in your 
/etc/ld.so.conf file.

Try installing both libpcap and snort from source, you will get more 
installation options.

Nard



-Original Message-
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
Sent: 25 May 2002 15:29
To: [EMAIL PROTECTED]
Subject: Snort or Ethereal for a relative newbie?


Hi all. Responses have been good before so I thought I'd try again.

I've recently set up a Mandrake 8.2 workstation. I've used firestarter 
to build a firewall, and I want to use a packet sniffer.

After installing Snort, it didn't work due to a data type 113 error. I 
uninstalled it, then reinstalled from an RPM, but apparently I don't 
have libpcap installed (which I do).

So, I tried Ethereal and it works fine. However, can rulesets be 
applied to Ethereal as they can with Snort? I want a little extra 
security, not just logs of packets.

If Ethereal *can* be used to block packets, is it a good substitute for 
snort? Or would I benefit from using Snort instead? There also seem to 
be a lot of snort reporting tools - are there any for Ethereal?

Thanks a lot,

Thomas Madhavan













RE: banned sites lists!

2002-05-29 Thread leon

As much as J Dyson will hate this (because his site is unfairly banned
IMHO) you can try Websense.com

They have quite a list.

HTH,

Leon

-Original Message-
From: Ivan Hernandez [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 24, 2002 4:32 PM
To: [EMAIL PROTECTED]
Subject: banned sites lists!


Hello. I have searched google and the bugtraq mail list with no luck 
while looking for banned sites lists.
I mean, porn, warez, banners, ads, big cookie damage and all those things 
that I don't want my sweet and innocent network lusers to see through my
proxy :)
Any list would be appreciated, recyclated, processated and devlutionated
later to this mailing list in order to make a benefit for others in my 
situation !
Thanks in advance...

Ivan Hernandez





RE: Cisco IOS question

2002-05-22 Thread leon

I believe that telnet and ssh are all or none deals.  What I mean by
this is they are not running on 1 interface per se (well you actually
can do what you want by choosing which interface you apply the access
list to); they are running on all interfaces for the router (meaning if
you don't filter traffic with an access list people can reach the
service from all interfaces).  Why not write an extended access list
(101 - 199) and permit specific IPs (or IP ranges) to access port 23 (if
you have the enterprise IOS you should just get rid of telnet
altogether and run ssh); if you choose to run ssh just permit access to
port 22.  Just apply the access list to the interface you want people to
reach it from.  By default there is a catch all deny rule at the end so
if you don't permit telnet or ssh in the access list applied to your
serial 0/0 it will by default be denied.  If you need help with the
syntax or writing ACLs please feel free to contact me off list.

Best regards and HTH,

Leon


-Original Message-
From: Kevin Brooks [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 12:21 PM
To: [EMAIL PROTECTED]
Subject: Cisco IOS question


On my cisco 3600 router. How can I disable telnet into
serial 0/0. I do need to leave telnet open on
FastEth0/0 but I don't want anyone to be able to
telnet in from the outside.

Any Ideas?
Thanks





RE: firewall+dns on a unique device

2002-05-21 Thread Leon Ward

Small device, as in physically small or lightweight?
Cheap? What's cheap, do you mean free?
Anyway here are some links.

http://www.ipcop.org
http://www.smoothwall.org
http://www.gnatbox.com  They do a light version that's PUFFware and a new
RoBox device.
http://www.gta.com/ Info about the GTA RoBox, is that small enough for
you?
http://www.linuxrouter.org/


-Original Message-
From: Mike Fox [mailto:[EMAIL PROTECTED]] 
Sent: 18 May 2002 23:32
To: [EMAIL PROTECTED]
Subject: firewall+dns on a unique device


Hi,

Does someone know a small device that has a firewall and DNS 
server on it and is really cheap? I don't want to go for a 
Linux box but would prefer a small device instead.

Thx.

Mike
__
Boîte aux lettres - Caramail - http://www.caramail.com






RE: Restricting DHCP addresses to known MAC's via Win2K DHCP server

2002-05-20 Thread leon

This can be done with Cisco switches and port security.  IN FACT you
don't even have to hard code the MAC address; you can actually tell the
switch to set the port for the MAC address of the first frame it receives.

HTH,

Leon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 15, 2002 10:04 AM
To: [EMAIL PROTECTED]
Subject: Restricting DHCP addresses to known MAC's via Win2K DHCP server




There's been periodic discussion on this list about 
restricting DHCP leases by MAC address and the relative 
merits of doing so. My question is once the decision is 
made to do it, how is it being done? Does anyone know how 
to do it in a Win2K server environment? (Win2K DHCP 
services...) If not possible, is there a typical strategy 
people are using to restrict granting of DHCP addresses to 
known MAC's? 
 




RE: DHCP Security Questions

2002-05-20 Thread leon

Couldn't checkpoint meta-ip do what the original poster asked?

Sorry to be late on the response but I get the list in digest form.

Cheers,

Leon

-Original Message-
From: Richard Westlake [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 3:22 PM
To: Chris
Cc: [EMAIL PROTECTED]
Subject: Re: DHCP Security Questions


Chris
There is no easy way to stop this. If they can change the IP address on
their system then they can set any address they like.

You could try the following

1) take away admin access. Not possible with visitors & personal laptops
etc. & can't do this with all OSs, e.g. 95/98

2) run something like arpwatch (free) to record MAC/IP address. This will
notice new systems on the network and will also report address
flip-flops when two systems try and use the same IP address. We use this
and it has spotted badly configured systems and people borrowing
(stealing) IP addresses. Doesn't prevent the problem but it makes it easier
to find and fix. Problems of two systems using the same address
(IP, DECNET etc) can be very hard to debug. For arpwatch try
http://www-nrg.ee.lbl.gov/nrg.html
or a google search

3) split the network into two with a router. One network can have your
static address servers and other important stuff, the other can have the
DHCP assigned addresses. This reduces the damage people can do, still a
problem if they steal the IP address from your or the MDs laptop. You
could also add a network just for visitors.

4) use SNMP on the switches to report when a port goes live. Then with
SNMP query the address table and compare it with a list of allowed
MAC/IP addresses (DHCP server lease file) and possibly which ports they
can use. If you don't like the system on the port which has just gone
live then block the port or move it to a VLAN where it can't do any harm.
Maybe you can get a network management system to help with this. This
could be a lot of work! If you ever try it please let me know how you
got on.

If you have a lot of people turning up with laptops etc and they already
have ID/passwords on your system then you could use something like
netreg (free) http://www.netreg.org/ to automate the MAC registration. Matt
Campbell at RIT has implemented a similar system which does watch the
switches and move ports for new systems to different VLANS
http://www.rit.edu/~mrcsys/dhcp/

Netreg type packages are useful if you don't want random strangers
wandering into the building, finding an unused port in a quiet corner,
connecting to the network and getting an IP address and having fun with
your servers etc

All the best and good luck


Richard Westlake

School of Crystallography, Birkbeck College, Malet Street, London WC1E
7HX
Tel: 020-7631-6859
--
   Truth endures but spelling changes--  Anon.
--


On Tue, 14 May 2002, Chris wrote:

 Date: Tue, 14 May 2002 09:10:26 -0700
 From: Chris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: DHCP Security Questions

 I was curious to find out about some issues that I would like to 
 prevent if at all possible.  I am running a network with a DHCP server

 handing out public IP's to clients.  It is also reserving by the MAC 
 for clients that have static publics.  My concern is someone that has 
 legitimate access to the network purposely or accidentally setting 
 their IP to an IP that is already taken and logging on to the network 
 and causing problems.  Obviously this could really be a problem if it 
 is a business client and are running some sort of server and someone 
 logs on with that IP.  Does anyone know of a way to prevent this?  If 
 you need more details please ask.

 Thank You,

 Chris Raynor
 Network Security
 Mendo Link, LLC

 An Ounce Of Prevention Is Worth  A Pound Of Cure.
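Point 2 in Richard's reply (run arpwatch to catch new stations and IP/MAC flip-flops) is easy to reproduce for a lease file or a pcap you already have. The following is an added example written for this page, not arpwatch's code: it keeps an IP-to-MAC table, compares each observed ARP reply against it and against the DHCP reservations, and reports the same three conditions arpwatch does ("new station", "changed ethernet address", "flip flop"). The ARP observations and the reservation table are constructed for the demo.

```python
"""A minimal arpwatch-style IP/MAC tracker.

Each observed ARP reply (ip, mac) is checked against what was seen before
and against the DHCP reservations. The report names mirror arpwatch's, but
the logic is written from scratch for this example."""


class ArpWatcher:
    def __init__(self, reservations=None):
        self.table = {}       # ip -> mac currently believed to own it
        self.previous = {}    # ip -> mac that owned it before the last change
        self.reservations = {ip: mac.lower()
                             for ip, mac in (reservations or {}).items()}

    def observe(self, ip, mac):
        """Record one ARP reply; return a list of (kind, ip, detail) alerts."""
        mac = mac.lower()
        alerts = []
        current = self.table.get(ip)
        if current is None:
            alerts.append(("new station", ip, mac))
        elif current != mac:
            if self.previous.get(ip) == mac:
                # Two hosts alternately answering for one address: the
                # duplicate-IP symptom the thread is worried about.
                alerts.append(("flip flop", ip, f"{current} <-> {mac}"))
            else:
                alerts.append(("changed ethernet address", ip, f"{current} -> {mac}"))
            self.previous[ip] = current
        reserved = self.reservations.get(ip)
        if reserved is not None and reserved != mac:
            alerts.append(("reservation violated", ip, f"expected {reserved}, saw {mac}"))
        self.table[ip] = mac
        return alerts


def replay(events, reservations):
    """Feed (ts, ip, mac) observations through a watcher; return all alerts
    as (ts, kind, ip, detail) tuples."""
    watcher = ArpWatcher(reservations)
    out = []
    for ts, ip, mac in events:
        out.extend((ts,) + alert for alert in watcher.observe(ip, mac))
    return out


# Constructed ARP observations (not captured data). 10.0.0.5 is a server
# whose reserved address a second, mis-configured host later claims.
RESERVATIONS = {"10.0.0.5": "00:11:22:33:44:01"}
SAMPLE_ARP = [
    (1, "10.0.0.5", "00:11:22:33:44:01"),
    (2, "10.0.0.9", "00:11:22:33:44:09"),
    (3, "10.0.0.5", "00:11:22:33:44:01"),
    (4, "10.0.0.5", "DE:AD:BE:EF:00:02"),   # second host takes the server's IP
    (5, "10.0.0.5", "00:11:22:33:44:01"),   # real server answers again
    (6, "10.0.0.5", "DE:AD:BE:EF:00:02"),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_ARP, RESERVATIONS):
        print(alert)
```

The first change of owner is reported as a changed address; once the two hosts start alternating, every further switch is a flip flop, which is the signature of an address conflict rather than a machine that was simply re-imaged. The reservation check is what turns a conflict into an attribution: the MAC that is not in the lease file is the one to go and find.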







Tripwire Policies

2002-05-20 Thread leon

I have 2 questions for the group.

1)  Has anyone betaed Tripwire 3.0?  I am especially interested in
the policy wizard and if anyone has found this helpful.
2)  Does anyone have any written policies they could share
(especially for the win2k platform)?  I used the policy creator on the
tripwire site policy.tripwire.com and although it does provide something
to work off of it is based on a default install (I am getting errors
about not having pinball and solitaire installed :)  

So to reiterate have anyone used the beta for 3.0 (the new version comes
out this Monday) and does anyone have policies they wouldn't mind
sharing or a website where I can find policies already done?

TIA,

Leon




RE: IDS Setup

2002-05-20 Thread Leon Ward

Hi Adam,  My 0.2 Euros worth.

You are kind of on the correct path, but consider this...

I am _guessing_ that you are thinking of a setup along the lines
of:


(Internet)--|hub|
  |-|firewall|---|hub|
  ||
  |-|snort|
|-|snort|
   |
 
|-Rest of internal Network
If diagrams don't look correct in your mail reader, paste into a text editor
(and get a good mail client).


If I do that, can I reasonably assume that any incidents 
that show up in the outside Snort ARIS logs AND NOT in 
the firewall logs got through the firewall? 

Remember, the firewall (should) block access to all ports excluding
the ones that you specify, therefore if you have TCP :80 open for a web
server, you are allowing any traffic (including exploit code) through the
wall.
Yes the attack should show on the external snort sensor and the internal
sensor, what shows up in your firewall logs depends on what firewall you are
using.


Can I also reasonably  assume that, should something show up 
in the outside Snort ARIS logs AND NOT in the firewall logs 
AND NOT in the inside Snort ARIS logs, that the inside Snort 
station is not functioning properly? By not functioning properly 
I mean anything from bad NIC to improper configuration to 
Snort sucks.

Think about having TCP:80 Closed.
A CodeRed v2 probe enters your network bound for an IP that does not
have a webserver running on it, therefore your firewall is closed for the
request. 
External sensor will pick up the attack, your firewall will alarm you that
there has been an attempt to access a closed port, and your internal snort
sensor will not know anything about it because the traffic has been blocked
from entering your internal n/w.

An Important Point

Do you have ports open on your firewall that are allowing access to
systems in your internal network? Are you supplying services to the outside
world from inside your protected network? Think SERIOUSLY about using a
DMZ/PSN.

It would look something like this

(Internet)--|hub|
  |-|firewall|DMZ|hub|
  |  | |
  |-|snort|  | |-|snort|
 | |
 | |-|Webserver|
 internal network  |-|FTP|
 | |-|SMTP|
 | 
   |hub|
 |-Server's
 |-Client's


Therefore you can deny any access to clients and servers in your internal
network and still supply services to the internet.

Hope this helps.

Nard

Leon Ward
Added Dimension Ltd



-Original Message-
From: Adam Shephard [mailto:[EMAIL PROTECTED]] 
Sent: 17 May 2002 20:03
To: [EMAIL PROTECTED]
Subject: IDS Setup


I suffer from a logic deficiency and I've been tossing an idea around in my
head. I thought it might be a good idea to run the logic past the people
here. I have a firewall between my network and the world and Snort behind my
firewall. That Snort station reports to ARIS. I'm toying with the idea of
putting another Snort station on the outside between my firewall and the
world and having it also report to ARIS.

If I do that, can I reasonably assume that any incidents that show up in the
outside Snort ARIS logs AND NOT in the firewall logs got through the
firewall? Can I also reasonably  assume that, should something show up in
the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the
inside Snort ARIS logs, that the inside Snort station is not functioning
properly? By not functioning properly I mean anything from bad NIC to
improper configuration to Snort sucks.

It makes sense to me that this would work but, you know, the logic thing.
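Adam's two inferences can be written down as a correlation rule, which makes the caveat in Nard's reply (that "not in the firewall logs" only means something if the firewall actually logs every deny) explicit. The following is an added example, not code from either poster or from Snort/ARIS: it matches external-sensor alerts against firewall deny entries and internal-sensor alerts on (src, dst, dport) within a time window and returns a verdict per alert. The events are constructed; the host addresses are placeholders.

```python
"""Correlate an external Snort sensor, the firewall deny log and an internal
Snort sensor. Events are matched on (src, dst, dport) within a time window."""

from collections import namedtuple

Event = namedtuple("Event", "ts src dst dport")


def _match(e, events, window):
    return any(o.src == e.src and o.dst == e.dst and o.dport == e.dport
               and abs(o.ts - e.ts) <= window for o in events)


def correlate(external, fw_denies, internal, window=5, fw_logs_every_deny=True):
    """Return {(src, dst, dport): verdict} for every external-sensor alert.

    fw_logs_every_deny states whether the firewall is configured to log every
    dropped packet. If it is not, absence from the firewall log proves
    nothing, so the 'sensor is broken' inference cannot be drawn."""
    verdicts = {}
    for e in external:
        denied = _match(e, fw_denies, window)
        inside = _match(e, internal, window)
        if denied and inside:
            v = "inconsistent: denied yet seen inside, check sensor placement"
        elif denied:
            v = "blocked-at-firewall"
        elif inside:
            v = "passed-firewall"
        elif fw_logs_every_deny:
            v = "passed-firewall, internal sensor missed it"
        else:
            v = "undetermined: firewall may have dropped it without logging"
        verdicts[(e.src, e.dst, e.dport)] = v
    return verdicts


# Constructed events (not real logs). 10.2.32.20 runs the web server that
# the firewall exposes on TCP/80; 10.2.32.21 has nothing on port 80.
EXTERNAL = [
    Event(100, "65.27.56.236", "10.2.32.20", 80),   # probe aimed at the web server
    Event(101, "65.27.56.236", "10.2.32.21", 80),   # same probe, no server there
    Event(102, "210.101.95.51", "10.2.32.20", 80),  # another probe at the web server
]
FW_DENIES = [Event(101, "65.27.56.236", "10.2.32.21", 80)]
INTERNAL = [Event(100, "65.27.56.236", "10.2.32.20", 80)]

if __name__ == "__main__":
    for key, verdict in correlate(EXTERNAL, FW_DENIES, INTERNAL).items():
        print(key, "->", verdict)
```

With the default (firewall logs every deny), the third probe is flagged as a gap in the internal sensor; with fw_logs_every_deny=False the same event comes back undetermined, which is the honest answer for a firewall that silently drops. The "inconsistent" branch catches the case where the internal sensor is plugged into a span port that still sees pre-filter traffic.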





RE: Strange situation with outlook

2002-05-20 Thread Leon Ward

Look at fetchmail,

Nard
Leon Ward
Added Dimension


-Original Message-
From: John D from Best Price Cruises [mailto:[EMAIL PROTECTED]] 
Sent: 17 May 2002 14:32
To: Security-Basics Mailing List
Subject: RE: Strange situation with outlook


Sorry, I forgot to say we use pop... Right now, I have him locking his
computer with either the screen-saver or by using Ctrl+Alt+Del (we use
win2k). This is the only solution that I've managed to come up with so far,
any other ideas (especially if they are better/more secure) would be
appreciated.


John Diaz
Technical Department
BestPriceCruises.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 10:45 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Strange situation with outlook


Do you use POP or have an Exchange server? (does the best answer get a free
cruise? :-) )

-Sanjay

-Original Message-
From: John D from Best Price Cruises [mailto:[EMAIL PROTECTED]]

Sent: Wednesday, May 15, 2002 3:03 PM
To: Security-Basics Mailing List
Subject: Strange situation with outlook


I have a unique situation (or at least I think it is) with one of my
users. He gets a lot of email, and it comes in constantly. To prevent tying
up his machine in the morning, he leaves it logged in all the time so
outlook can be constantly getting his mail. I really would like to be able
to have him log out and still have his mail coming in (this might just be a
pipe dream). I've been looking and I can't find a solution to this problem.
Any help would be appreciated.

John Diaz
Technical Department
BestPriceCruises.com
[EMAIL PROTECTED]









Active Directory Security Migration Questions:

2002-05-14 Thread leon

Hi

I had a coworker ask me the following questions and I was unsure of the
answers to most so I thought I might ask for some help.  


1)  What does native mode bring in terms of granular user rights and
group policy that mixed mode does not?
2)  Are there specific security advantages to using native mode over
mixed mode?  If so what are they?
 

I really appreciate the help and thanks again.

Cheers,

Leon




Tripwire Docs

2002-05-14 Thread leon

Hi,

Does anyone have any specific favorite guides for setting up tripwire on
2000?
They don't seem to offer much on the tripwire site (some whitepapers and
other pdfs that don't really help much).  I tried searching google but
as always (is this good or bad) the signal to noise ratio is
ridiculous.
Putting in the word Tripwire with various other keywords always left me 
with well over 500 hits.  Does anyone have any docs or links they have
read and found informative?  I am talking specifically about version 3.0 for
servers.
Also if you just have any general advice or "watch out for this" kind of
comments that would be appreciated also.

Cheers and thanks again,

Leon




RE: Strange scan and port 80 output from an ip

2002-05-13 Thread Leon Ward

I would guess that there is a script kiddy now in control of the box. He is
probably using an automatic tool to search for a certain known vulnerability
in web servers by the 1000.

Due to the content of the web page being served by the host, my immediate
assumption (and remember kids, assumption is the mother of all f*k-ups) is
that the host that scanned you has previously fallen to the exploit. It is
now owned by sex0r and the page is just to show off his great l33tn3ss.
The host is probably now doing all his dirty work of scanning IPs by the
1000.

Just my immediate thoughts, please take with a pinch of salt.

Best Regards

Nard.

[EMAIL PROTECTED]



-Original Message-
From: KoRe MeLtDoWn [mailto:[EMAIL PROTECTED]] 
Sent: 09 May 2002 07:38
To: [EMAIL PROTECTED]
Subject: Strange scan and port 80 output from an ip


Hello,
Just a few minutes ago I received a scan from the ip address 210.101.95.51 
on port 80 with the source port being port 3021. Two separate connection 
attempts were logged one after the other.
The output from my firewall was as follows:
Start Output
IP: 210.101.95.51
Node: ±èâÁØ
NetBIOS: ±èÃ
Group: WORKGROUP
MAC: 000102FBE16B
DNS: ±èâÁØ
End Output
If you connect to this Ip on port 80 you get a webpage output that reads the

following:sex0r lowd l33tn3ss

sex0r geeklab.org

contact:[EMAIL PROTECTED]


The reason I've posted this is because I have been scanned by these people 
before, and wanted to know what they were about, and if possible what they 
were attempting to do on my machine.

Thanks in advance for your help

Peter Francis

-= KoRe WoRkS =- Internet Security
Owner Operator
http://www.koreworks.com/
New Zealand

Is your box REALLY secure?






This E-mail and its attachments have been scanned for viruses before
delivery. For more information contact [EMAIL PROTECTED]




RE: IIS 5 Log FIle Question

2002-05-13 Thread Leon Ward

1) This is a code red v2 infection attempt.
   Unfortunately web server admins are having to class these as just normal
background traffic. Please people - MAKE SURE YOU ARE PATCHED! 

Looking for holes left by CR v1

2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/root.exe 404 123 -

Testing to see if the box is susceptible to directory traversal; it tests many
times using different extended Unicode chars.


2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -

2) Yes. It comes with the IISLockdown tool. If you want to know more about
URLSCAN let me know, I wrote a walkthrough of the options for someone a
while back and I'll send it on to you.

3) Pissing in the wind I am afraid. It would be useful to send an email to
the person in charge of the IP address and CC it to their ISP, but don't
hold your breath.

4) MAKE SURE YOU ARE PATCHED! This is the MOST important thing you can do!
Also look at some of the IIS / Win2k hardening docs on the internet and go
through them carefully.

Just a couple of seconds of thought.

Best Regards

Nard
Please reply to : [EMAIL PROTECTED]


 


-Original Message-
From: Craig Brauckmiller [mailto:[EMAIL PROTECTED]] 
Sent: 10 May 2002 13:55
To: [EMAIL PROTECTED]
Subject: IIS 5 Log FIle Question




Hello all and forgive my ignorance in this area.

We are in the process of bringing our website in house. It was being hosted
externally. The site is almost up and I was just poking at the logs and
was intrigued by what I saw.

Below is a snippet from the logs. Can anyone tell by looking at it:

1.  What type of vulnerabilities were they looking for?
2.  Does the fact that it says Rejected by urlscan imply that URLScan from M$
is loaded? I didn't do this myself...that's why I'm curious.
3.  What is the best course of action in regards to the individual attempting
these activities? I traced the IP back to RoadRunner. Should I call their
customer service and complain or am I just pissing in the wind?
4.  I did run the IIS Lockdown wizard. Is that sufficient for most types of
attacks? What other tools should I consider running?

#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/root.exe 404 123 -
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/MSADC/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/c/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/d/winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:05 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:11 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:12 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%252f../winnt/system32/cmd.exe 404 123 -

Thanks so much for this great list.

Craig Brauckmiller


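As an added example (not code from the thread or from UrlScan), a small Python reader for the W3C log lines quoted above: it recovers the real path from UrlScan's /Rejected-By-UrlScan records, percent-decodes repeatedly so double-encoding shows up, flags the overlong UTF-8 lead bytes used in the traversal attempts, and tallies flagged requests per source address. The sample log is constructed to mirror the entries in the post.

```python
import re
import urllib.parse
from collections import Counter

# Field order from the #Fields: header quoted in the post (W3C extended format).
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
                  "sc-win32-status", "cs(User-Agent)"]

# 0xC0 and 0xC1 can only start an overlong (non-shortest) UTF-8 sequence, so a
# well-behaved client never sends them; %c0%af and %c1%1c in the post are this.
OVERLONG_LEAD = {0xC0, 0xC1}
# "../", "..\" or ".." followed by an overlong two-byte sequence, after decoding.
TRAVERSAL_RE = re.compile(rb"\.\.(?:/|\\|[\xc0\xc1].)")
# The two executables the Code Red II / Nimda family probes for.
SHELL_RE = re.compile(rb"(?:cmd|root)\.exe", re.IGNORECASE)

# Constructed sample modelled on the entries in the post (not the original log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-05-10 02:27:00 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/root.exe 404 123 -
2002-05-10 02:27:01 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:03 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:04 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:27:09 65.27.56.236 - 10.2.32.20 80 GET /Rejected-By-UrlScan ~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 -
2002-05-10 02:30:15 192.0.2.77 - 10.2.32.20 80 GET /index.htm - 200 0 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per record, honouring any #Fields: directive in the text."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, parts))


def requested_path(rec):
    """UrlScan logs a rejected request with stem /Rejected-By-UrlScan and the
    original URL in the query field prefixed by '~'. Recover the real path."""
    if rec["cs-uri-stem"] == "/Rejected-By-UrlScan" and rec["cs-uri-query"].startswith("~"):
        return rec["cs-uri-query"][1:]
    return rec["cs-uri-stem"]


def fully_decode(path, max_rounds=5):
    """Percent-decode until stable. Returns (bytes, number of rounds that changed
    something); a second productive round means the request was double-encoded."""
    cur = path.encode("ascii", "replace")  # IIS W3C logs are ASCII
    rounds = 0
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def classify(rec):
    """Return the set of tags describing what this record was probing for."""
    tags = set()
    if rec["cs-uri-stem"] == "/Rejected-By-UrlScan":
        tags.add("urlscan-rejected")
    decoded, rounds = fully_decode(requested_path(rec))
    if rounds >= 2:
        tags.add("double-encoded")
    if any(b in OVERLONG_LEAD for b in decoded):
        tags.add("overlong-utf8")
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if SHELL_RE.search(decoded):
        tags.add("cmd-shell-probe")
    return tags


def scan(text):
    """List the records that carry at least one probe tag."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append({"client": rec["c-ip"], "time": rec["time"],
                         "path": requested_path(rec), "tags": sorted(tags)})
    return hits


def probes_by_client(text):
    """Flagged requests per source address: the count to quote to an abuse contact."""
    return Counter(h["client"] for h in scan(text))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], ",".join(hit["tags"]), hit["path"])
    print(dict(probes_by_client(SAMPLE_LOG)))
```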



RE: Dictionary Word List

2002-05-13 Thread Leon Ward

ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/

Very useful wordlists; includes lists of sci-fi characters, common
passwords, girls' names, Hitchhiker's Guide words etc.

Nard

[EMAIL PROTECTED]


-Original Message-
From: Craig Strait [mailto:[EMAIL PROTECTED]] 
Sent: 08 May 2002 19:52
To: [EMAIL PROTECTED]
Subject: Dictionary Word List


Hello All,
I'm looking for an English dictionary word list to crack an Excel
file. (You've got to love end users..) I've looked all over the place and
can't find any suitable word lists. Can someone point me in the direction
of a large word list?

Thanks!

Craig Strait, MCSE, CNE
Senior Network Engineer
Tracker Business Systems, Inc.

 





FW: Security Documentation related to Banking

2002-05-09 Thread leon


I have a friend who works in banking and this is what he provided me
with when I forwarded him the mail.

Also might check:

The report called Suspicious Activity Review - Trends, Tips & Issues
(issue 3, Oct '01):

http://www.ustreas.gov/fincen/sarreviewissue3.pdf

The Suspicious Activity Report and the guidelines:

http://www.ncua.gov/ref/sar/f9022-47-1(fill-in).pdf
http://www.ncua.gov/ref/sar/SARGuidelines.pdf


If you get anything off list you could share with me or the group, I am
sure we would all appreciate it.

Cheers,

Leon





-Original Message-
From: Sumit Dhar [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 04, 2002 6:15 AM
To: [EMAIL PROTECTED]
Subject: Security Documentation related to Banking


Hi,

Would anyone be aware of any security related documentation connected to

1. Banking 
2. ATM (Teller Machines) Security

The areas that I would really like to explore are:

a. Cryptography in ATM networks, key management and hardware
locks
b. Any banking security related documentation.

I would prefer some kind of online documentation, white papers on these
topics. 


With Regards,
Sumit Dhar (http://dhar.homelinux.com/dhar/)
Manager, Research and Product Development,
SLMsoft.com





Wireless Technology (can it be secured and how)

2002-05-06 Thread leon

The subject speaks for itself. I have covered the following
documentation:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm

http://rr.sans.org/wireless/limits.php

http://rr.sans.org/wireless/netsec.php

http://rr.sans.org/wireless/wireless_net3.php

http://rr.sans.org/wireless/wireless_net2.php

The network we are going to set up is probably going to be based on Cisco
technology. Does anyone have any other documentation (links, pdfs, etc)
that they could share? Please don't just search on Google, I can do that
myself (and actually have). There is quite a bit of information so I am
looking for websites or documentation that people have found helpful, to
help me lower the signal to noise ratio.

Thx,

Leon




article about secure im

2002-04-09 Thread Leon

I see this thread come up a lot so I thought I might
share this article with the group. Hope you enjoy it
as much as I did.

Regards,

Leon

http://story.news.yahoo.com/news?tmpl=story&u=/cn/20020409/tc_cn/financial_firms_turn_on_secure_im&cid=70






RE: Techniques for Vulnerability discovery

2002-04-09 Thread Leon


I would like to add this to the thread.

http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanL%2edb&command=viewone&id=14&op=t

This covers a lot of what is being discussed in this post. 
Additionally if one takes a look at hack proofing your internetwork
there are quite a few chapters on how to discover vulnerabilities.

Best regards,

Leon

-Original Message-
From: Oliver Petruzel [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 05, 2002 1:25 AM
To: 'kaipower'; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Techniques for Vulnerability discovery

I am sincerely glad someone brought this up. My concern lies in a total
lack of education or training in this area. Hacking 101 courses are all
over the place now; teaching MCSE-kiddies and non-technical managers how
to run scripts and nmap (swell..$2-4k to learn this stuff in 3 days?
Ach, ask a single grad of those programs what nmap is ACTUALLY sending
and receiving..lol duhh, errr, but it says it's BeOS with port 80 open,
I'll just use securityfocus like they showed me to find a script to
shoot at it..)...

(I digress...) There are not many courses that I know of that actually
explain the methodology in searching for *new* vulnerabilities... As in
Tearing apart that new .dll, .asp, or cgi from a security perspective
101

Some folks claim it's just trial and error and dumb luck. Others say
that folks troll the most downloaded new pieces of software at
shareware sites and then pound away semi-blindly with input variables
and switches that have worked against previously announced holes in
other software until they find something that will get their name on
bugtraq...

Problem is, in our growing field of infosec, beyond post-grad or
doctorate level CS, there aren't very many educational tracks to show
your average programmer/engineer how to start finding new holes... The
only thing I can think of is to send someone through: a secure
programming program AND a webapp dev course AND a windows API course AND
AND AND..etc...we're talking tens of thousands of bucks there, not to
mention the hours involved..ouch.

My goal: I want to take 4 of my Jr Security Engineers and send them
somewhere for a week or two, or perhaps several weeks at night, and have
them come back to tear apart software like it's nothing... foundstone,
hint hint, EY, hint hint.. Anyone? Bueller? Bueller?... Of course,
pre-req's would be a solid knowledge of scripting languages, C/C++,
network architectures and protocols, and all publicly known scripts
and code... (but I require that of my jr's anyways so I just want
someone else to show them the next level! I have no time, and hell, if
the course is good enough, I would even go so that I can stop using
semi-educated dumbluck and trial and error! lol)

I am VERY interested to see someone post a resource... Maybe this is
just a pipe-dream.

./oliver

Ps: on a side note, there are several interesting projects currently in
dev everywhere to automate all of this.. So don't worry, soon those
afraid of anything they can't click on will also be able to point and
click their way through code to find new vulns...swell eh? There are
even dev projects going to automate vulnerability discovery in ALREADY
COMPILED software! Woohoo...

Excellent Smithers! Now activate the artificial lightning and blue
screens of death!

-Original Message-
From: kaipower [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, April 04, 2002 8:05 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Techniques for Vulnerability discovery


Hi,

After reading the mailing list for quite a while, there is a burning
question which I kept asking myself:

How do experts discover vulnerabilities in a system/software?

Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and Trust management
3) Cross site scripting
4) Unexpected input - e.g. SQL injection?
5) Race conditions
6) password authentication

Do people just run scripts to brute force to find vulnerabilities? (as
in the case of Buffer overflows) Or do they do a reverse engineer of the
software?

How relevant is reverse engineering in this context?

Anybody out there care to give a methodology/strategy in finding
vulnerabilities?

Mike











RE: Pen Testing Skills

2002-03-27 Thread leon


How about getting some reliable references and going with a company
that is well known and respected in the pen-testing industry.

You could also check the pen-test archives on SecurityFocus and see
what people are active in answering other people's questions.

Just a few suggestions,

Leon

-Original Message-
From: Steven Boshuizen [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 6:14 AM
To: [EMAIL PROTECTED]
Subject: Pen Testing Skills



In my understanding people with these skills come from a UNIX background,
having worked on projects with VPNs, intrusion detection, administering and
implementations. Could anyone tell me, if I was looking for a shit hot
penetration tester, what sort of background would such a guy have, and what
would be the key skills/buzzwords that I would have to look for so that I
would know I am talking to an ace?? Would appreciate any assistance.





RE: Port Scan(?)

2002-03-27 Thread leon


It would be best if you could actually get a dump of the packets with
something like tcpdump or windump. 255.255.255.255 is obviously a
broadcast address. I would guess it is some kind of program or service
running that is broadcasting. What programs are running on the machine
when it does this? What software is loaded on it?

Regards,

Leon

-Original Message-
From: Adrian Horton [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 2:42 PM
To: [EMAIL PROTECTED]
Subject: Port Scan(?)

The [EMAIL PROTECTED] owner rejected this
post so can anyone here make sense of this?

On my 10.1.2.0/24 network, I discovered (with
Ethereal) that one of my hosts (10.1.2.112) was
broadcasting UDP packets to 255.255.255.255 to port
62516.
The *source port* though was incrementing by one after
every packet. That host machine is running Windows
2000.

Anyone know what kind of activity this is? It seems
the opposite of a port scan and it is inside my
private network. I know which machine it is, I just
can't figure out what it was doing so I disconnected
it from the network until I figure it out.

Thanks,

AH







RE: Hardware Disposal Policies

2002-03-25 Thread leon


I do not have a guide but I know that such things as PGP Wipe,
Symantec's WipeInfo and probably the best of the lot, Evidence
Eliminator, do a great job at wiping hard drives. I believe (again
this is my belief) that the DoD specifies that data must be wiped 7
times with random data to be considered ok for disposing. I would
also like to point out that this may not be enough. Some advanced
forensic companies seem to recover data no matter what. You should
consider doing this and then running the hard drive against a
degaussing machine.

HTH and best regards,

Leon

-Original Message-
From: Dan Williamson [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 21, 2002 12:49 PM
To: '[EMAIL PROTECTED]'
Subject: Hardware Disposal Policies

I am looking for a simple guide to write a policy for the disposal of old
hardware. I need something that I can easily go out and pull down, not
purchase. i.e.. FREE !


Thanks
Dan





RE: FW: Security Engineers Field Tool Kit

2002-03-25 Thread leon


I just checked out the link and saw it is from 2001. CanSecWest
2002 is about to happen. Anyone know if they are going to release an
updated version of this cd? Just curious before I spend what little
bandwidth I have to download this. I would like to point out that
Eric Cole wrote a book called Hackers Beware that has a great iso. I
would be happy to share the iso if it doesn't violate copyright (as
much as I love a good lawsuit I can't really afford to be sued right
now). If anyone wants to provide public ftp for the group contact me
off list and I will upload the iso to them.

Cheers,

Leon

-Original Message-
From: Michael Gilmer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 2:59 PM
To: 'Matt Bell'; '[EMAIL PROTECTED]'
Subject: RE: FW: Security Engineers Field Tool Kit

I downloaded this toolkit this morning. It has a lot of very cool stuff in
it that I was going to have to search out.
Thanks,
Michael Gilmer
MCP

-Original Message-
From: Matt Bell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 8:56 AM
To: [EMAIL PROTECTED]
Subject: Fwd: FW: Security Engineers Field Tool Kit


I agree.. it would be nice to get a copy of that one!

This one is well worth checking out..
http://jeff.wwti.com/cd.html

 -Original Message-
 From: b_1995 [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, March 16, 2002 7:25 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: Security Engineers Field Tool Kit
 
 
 Can you ISO that CD?
 
 - Original Message - 
 From: Simon Taplin [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, March 15, 2002 9:51 AM
 Subject: RE: Security Engineers Field Tool Kit
 
 
  On Mon, 2002-03-04 at 17:06, Pradeep Pillai wrote:
   Folks, what would comprise a Network Engineers tool kit.
  ---snip---
   What else can you think of ?
  
  at the rsa conference in san jose last month, @stake was giving
  out credit card sized cd's that were bootable x86 linux distros.
  i can't seem to find any info about this on their site, but they
  were called Pocket Security Toolkit 3.0. anyway, here's a
  listing of 
 what software
  they included:
  
  
  Does anybody know of a similar kit for Windows?
  
  Simon
  
  ---
  This message has been scanned by AVG Anti-Virus and is 
 certified Virus
  Free.
  Checked by AVG anti-virus system (http://www.grisoft.com).
  Version: 6.0.324 / Virus Database: 181 - Release Date: 2002/02/14
   
  
 
 






RE: win 2k

2002-03-25 Thread leon


If you are hacked the best thing I can recommend is to reinstall from
original media (reformat and fdisk first) and then apply all patches
to both the applications that will reside on the server along with SP2
and all pre-SP3 hot fixes. If you grab hfnetchk you can scan
the server to make sure you have gotten all the hotfixes (not all are
listed on m$ windows update site. God bless 'em).

HTH,

Leon

-Original Message-
From: ++WayanS [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 8:33 PM
To: [EMAIL PROTECTED]
Subject: win 2k

all
please help me
i have win 2k server
three days ago, someone hacked my server

what can i do to secure my server
please tell me tips, tricks and tools to secure my server

regards
Way





FW: Logon Banners (with links for legal precedence)

2002-03-25 Thread leon


I was quite interested in this thread myself so I wrote a quick post
to incidents.  Here is one of the best responses I got back with
links included.

Hope the group is doing well,

Leon


Though the case is not cited, the 2 Mar 90 Defense Data Network Security
Bulletin advises, "A court recently threw out a suit against a computer
system intruder because the logon prompt was preceded with 'Welcome
to...'" and implored administrators to cease using "Welcome" in logon
banners.
(http://csrc.ncsl.nist.gov/secalert/ddn/1990/sec-9004.txt)

Again, without citing a case, NASA's GRC (Glenn Research Center) exclaims in
chapter 9 of its Directive 2810.1, "To the maximum extent of their
capabilities, all GRC systems must display a warning to all users at the
time they log on. Recent criminal prosecutions have emphasized the value of
well-written logon banners. In one case several years ago, a quick-thinking
defense attorney convinced a jury that an external intruder could not
possibly have been a criminal computer trespasser because the system that he
had broken into had had a logon banner that WELCOMED him to the system. Far
from being an uninvited intruder, he was actually a welcome guest!"
(http://www.grc.nasa.gov/WWW/Directives/2810.1-Chap9.html)

And it appears that this is not a U.S.-centric issue; the following excerpt
from the Australian University of Queensland Security Emergency Response
Team Advisory SA-93:03A bulletin exhorts, "SERT recommends that any login
banner or system initial message should not imply consent to use the
computer services (E.g., words such as 'greeting' or 'welcome'), unless it
is the express intention that any user is free to use the system, whether
they are authorised or not."
(http://www.attrition.org/security/advisory/auscert/AA-93.03.Suggested.Login.Banner)

You may want to contact these organizations directly for more detail.

However, there's plenty of discussion on the flip side of the coin, too;
e.g., see "Trespassing, IP and the Law (REALLY long) (was Re: Virus to
Virus Idea)" at
http://www.der-keiler.de/Mailing-Lists/securityfocus/security-basics/2001-09/0096.html.







yet another link

2002-03-21 Thread leon


Anyone care to comment on this one?

It was passed on to me by a friend. My gut says I don't buy it for a
second (it is a news article, not a proof of concept site).

http://xgate.abovetopsecret.com/news.php?id=61

I think it would have HAD to have been picked up by mainstream
info-sec media and then mainstream media.

Just thought I would throw that one out there.

No flames, I don't buy it; I just thought the group might find it
interesting.

As always best regards,

Leon





RE: How to know when was root passwd changed

2002-03-16 Thread leon


If you are using LDAP you will be able to trace it.  If you are
logging to syslog the entry will be in there.

Cheers,

Leon

-Original Message-
From: NP, Ram (CORP, GEITC) [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 13, 2002 5:24 AM
To: [EMAIL PROTECTED]
Subject: How to know when was root passwd changed

Hello there,
We have an environment where the root password on a Solaris box would be
there with more than one person and there sure are situations where the root
password is changed without prior notice. Now could someone tell me if
there is a way to find out when (time) the root passwd was changed. I
understand one way would be using Tripwire. Since we didn't have Tripwire
earlier on the machine, is there a way to recover the time.
thank you
ram








RE: sniffing a switch

2002-03-14 Thread leon


Also don't forget about the dsniff suite from Dug Song. I don't have
the link handy but it can be found with a Google search for dsniff.

Best regards,

Leon

-Original Message-
From: Matt Hemingway [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 13, 2002 12:11 PM
To: leon; [EMAIL PROTECTED]
Subject: Re: sniffing a switch

A great program for sniffing a switched LAN is Ettercap
(http://ettercap.sourceforge.net). Used in conjunction with Arpwatch
(http://www.securityfocus.com/tools/142) you get a good idea on how this
works and how you can detect someone using a tool like Ettercap.

-Matt

On Tuesday 12 March 2002 07:58, leon wrote:

 I found this very good article I wanted to share with the group
 since I see the question come up a lot.

 I found it informative I hope you do also.


 For those who think switched Ethernet environments are sniff-proof,
 the author offers this warning. Switches may be difficult to sniff,
 but they are certainly not immune. As is clear from the above
 sections, one method of sniffing in a switched environment is using
 ARP spoofing, and the machine that will most probably be ARP
 spoofed is the gateway.

 http://www.linuxsecurity.com/articles/network_security_article-4551.html


 Regards,

 Leon


--
Matt Hemingway
SupplyEdge
[EMAIL PROTECTED]
800-733-3380x136

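An added example, not code from the thread or from Arpwatch: a minimal Arpwatch-style monitor in Python that learns IP-to-MAC bindings from ARP replies and raises an alert when a binding changes, rating a change of the gateway's address (the host the quoted article says is most likely to be ARP-spoofed) as critical and noting which other address the new MAC was already known under. The replayed capture is constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would see it: which MAC claims which IP."""
    ts: int
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    """Remembers the IP->MAC binding seen on the wire and alerts on any change,
    the same signal Arpwatch reports as a 'changed ethernet address'."""
    gateway_ip: str
    bindings: dict = field(default_factory=dict)  # ip -> mac currently claiming it
    alerts: list = field(default_factory=list)

    def observe(self, reply):
        prev = self.bindings.get(reply.sender_ip)
        self.bindings[reply.sender_ip] = reply.sender_mac
        if prev is None or prev == reply.sender_mac:
            return None  # first sighting is learnt quietly; unchanged is silent
        # A MAC that is already known as another host and now answers for this
        # IP is the classic picture of a station impersonating the gateway.
        also_claims = sorted(ip for ip, mac in self.bindings.items()
                             if mac == reply.sender_mac and ip != reply.sender_ip)
        alert = {
            "ts": reply.ts,
            "ip": reply.sender_ip,
            "old_mac": prev,
            "new_mac": reply.sender_mac,
            "severity": "critical" if reply.sender_ip == self.gateway_ip else "warning",
            "mac_also_claims": also_claims,
        }
        self.alerts.append(alert)
        return alert


def replay(replies, gateway_ip):
    """Feed a sequence of replies through a fresh monitor and return its alerts."""
    mon = ArpMonitor(gateway_ip)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed capture (not from the thread): the gateway, one workstation, and a
# third host that starts answering ARP for the gateway's address, then the real
# gateway answering again (the flip-flop Arpwatch would also report).
SAMPLE_REPLIES = [
    ArpReply(0,  "10.1.2.1",  "00:00:5e:00:01:01"),  # real gateway
    ArpReply(1,  "10.1.2.50", "00:0c:29:aa:bb:50"),  # workstation
    ArpReply(2,  "10.1.2.99", "00:0c:29:aa:bb:99"),  # third host, learnt normally
    ArpReply(30, "10.1.2.1",  "00:0c:29:aa:bb:99"),  # .99's MAC now claims the gateway IP
    ArpReply(31, "10.1.2.50", "00:0c:29:aa:bb:50"),  # workstation unchanged: no alert
    ArpReply(60, "10.1.2.1",  "00:00:5e:00:01:01"),  # real gateway answers again
]

if __name__ == "__main__":
    for a in replay(SAMPLE_REPLIES, "10.1.2.1"):
        print(a["severity"], a["ip"], a["old_mac"], "->", a["new_mac"], a["mac_also_claims"])
```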




heads up wu-ftpd being attacked

2002-03-14 Thread leon


Blackhats have an exploit for 2.6.1; upgrade to 2.6.2 as soon as
possible.

I posted to incidents and it seems a lot of people are getting
scanned for this and compromises are happening as you read this.

Cheers,

Leon






RE: Best way to deploy MS security patches ??

2002-03-13 Thread leon


Why not try doing this through group policy and assign the patches as
software at either the domain, OU or Site level?

HTH,

Leon

-Original Message-
From: Kip Sr. [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 12, 2002 1:01 AM
To: [EMAIL PROTECTED]
Subject: Best way to deploy MS security patches ??

Hi there!

I have 180 Win2K desktops, and am looking for an
automated solution to quickly and efficiently deploy
patches throughout the enterprise. I have used SMS
before, but find it cumbersome and time consuming to
use. Does anyone have any other suggestions? Tips?
Tricks?

Much obliged,
Kip






RE: VPN and Cisco +IIOP question

2002-03-12 Thread leon


Hello Maxime,

I have never gotten the Cisco client to work as advertised. First
off it does not run on XP or Win 2k (unless you use 3.0, and to use
3.0 you need a VPN concentrator) ((list please correct me if I am
wrong)). If you use a VPN concentrator you should be fine; however if
you are doing what I was trying to do (VPN into my network at home
using IPsec from a Win XP machine) that will not work. First of all
you have to use the M$ dial up network adapter for a VPN client and
for some reason this and Cisco can't work together (funny, I thought
IPsec was an RFC standard).

Supposedly Cisco is going to release a new IOS in Feb. (oh wait it
is March) that allows you to use the M$ dial up adapter to use
IPsec. I am sorry but I do not know the answer to your second
question but I would bet that most proxy based firewalls could use
some kind of generic proxy if this is a well known protocol.

HTH,

Leon

-Original Message-
From: Maxime Rapaille [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 08, 2002 3:03 AM
To: 'Security-Basics (E-mail)'
Subject: VPN and Cisco +IIOP question

Dear listmembers,

2 questions on this great list: (And I already made a search on
Google, hopefully in the right way.)

First one: do you have any experience with a VPN client (software)
compatible with the Cisco IPsec VPN?
I already found the Cisco client itself, but we would like to have a
panel of products, in order to make a better choice.
I also found the PGP VPN client, but am not 100% sure it is compatible.
Is the Windows 2000 IPsec compatible?
Any experience, link, feedback, product info is really appreciated.

Second question is concerning the IIOP protocol.
Does any of you know a firewall/proxy capable of handling this
protocol?
I know Firewall just knows it, but does not proxy nor analyse it (like
it does for HTTP, SMTP, FTP).
I read about Gauntlet Firewall, but was no longer able to find a paper
or precise doc about it.  Any other idea? Proposal, links...?

Thanks a lot for all positive feed-back.


Have a great week-end all.


Regards,




Max.



Maxime Rapaille
Data Security Management
National Bank of Belgium
Mail : [EMAIL PROTECTED]


Visit our website! http://www.nbb.be



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPI1FQNqAgf0xoaEuEQIOPQCfQk/dKJZDVvGmMq9q2V30PgvRobwAn1bL
D9qUF/2NB/q34FDI7sRivWYX
=ubJE
-END PGP SIGNATURE-




RE: scary site

2002-03-08 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The problem with turning off scripting is that it breaks most of
IE's functionality.  I have gotten a lot of off-list and cc'ed to the
list mail about this.  I am sorry for not being more specific
earlier; it worked for me running Win XP, IE 6 and all patches.  It
doesn't appear to work on Win 9x with IE 5 or Win 2k with IE 5. Your
mileage may vary.

Cheers,

Leon

- -Original Message-
From: Patrick McAllister [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 07, 2002 6:23 AM
To: leon; [EMAIL PROTECTED]
Subject: Re: scary site

If possible, turn off scripting (assuming you're using IE)... that will
prevent it from running. Also it generates all kinds of alerts on my AV
software.


- - Original Message -
From: leon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 12:30 PM
Subject: scary site


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 http://www.liquidwd.freeserve.co.uk/


 Try it with a windows machine and IE with all patches.

 Be afraid be very afraid.

 FYI this is for all those people who think that just having a
 firewall is enough.

 Guess what?

 This works through packet filter, stateful inspection and proxy
 servers.

 Cheers,

 Leon

 -BEGIN PGP SIGNATURE-
 Version: PGPfreeware 6.5.8 for non-commercial use
 http://www.pgp.com 

 iQA/AwUBPIUArNqAgf0xoaEuEQLn0wCgjtpLPuRxLbCscHrq32IjePeezf8AoI6t
 T73+xCv/VhrCGDVDIVrFBqZl
 =9gR6
 -END PGP SIGNATURE-


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPId3n9qAgf0xoaEuEQJ/sgCgvDNdBke4PLPdme62o0wXyz6AOJsAnjQ6
CUp0dkENeGHXirRYWsLXlwu0
=K0x0
-END PGP SIGNATURE-




a few points about my website link post

2002-03-08 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

I have gotten a lot of on-list and off-list mail about the link I
sent out.

I would like to clarify a few things.  First, it only appears to work
with XP, IE 6 and all patches installed.  Other versions of Win and
IE do not appear vulnerable.
2nd, there is a question of whether or not this is a virus (as it
appears some anti-virus programs are flagging it and I am getting
much hate mail).

According to Trend Micro's site, CIDEXPLOIT.B, CIDEXPLOIT
Description:
This malware uses an Internet Explorer exploit to execute program
files on the infected user's computer. Upon execution, it runs files
in its command list.

So basically it is being flagged as a virus when it is really not.
It does not replicate (something characteristic of viruses) nor does it
carry a malicious payload.  It is the same FUD that happens when you
run the Sub7 client and the anti-virus program tells you it is a
Trojan when it is clearly not.  The same with AIM Filter, which it
classifies as a back door.

Finally I would like to touch on why I made the point about firewalls
not stopping it.  This is not because I think firewalls should stop
the attack; I merely thought that because we have a lot of people who
are new to security they should be aware that having a firewall is
not enough.  Firewalls will not and cannot stop these types of
attacks (IDS might be another story).  I didn't mean to confuse anyone
or cloud any issues.  In closing I would like to say sorry to the
group if I upset anyone and reiterate a point that everyone should
know: if you don't trust something you find on a public mailing list,
ignore it.  I don't feel I was irresponsible in posting this.  We
have seen Trojans posted to both Bugtraq and vuln-dev (this of course
is not destructive as the code I am referring to was).  It is a
classic case of the buyer (user?) beware.

So in summary this is a harmless proof of concept exploit that only
appears to affect XP with IE 6 and all patches.  Some anti-virus
programs flag it as a virus when it is not harmful (just delete the
files from your IE cache if worried).  And again I apologize for
upsetting anyone (if you only saw the hate mail).  I am here to teach
and most importantly be taught.

Thanks again for the positive e-mail I received (you know who you
people are).

Regards,

Leon


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPIgoT9qAgf0xoaEuEQKNoQCghsmcspZyQiknE2xhE4xZ6Zv5SvYAnjj8
uEvpTG2VbiC2wBR134L6bopq
=T6fR
-END PGP SIGNATURE-




scary site

2002-03-06 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

http://www.liquidwd.freeserve.co.uk/


Try it with a windows machine and IE with all patches.

Be afraid be very afraid.

FYI this is for all those people who think that just having a
firewall is enough.

Guess what?

This works through packet filter, stateful inspection and proxy
servers.

Cheers,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPIUArNqAgf0xoaEuEQLn0wCgjtpLPuRxLbCscHrq32IjePeezf8AoI6t
T73+xCv/VhrCGDVDIVrFBqZl
=9gR6
-END PGP SIGNATURE-




RE: Linux hardware firewall question

2002-03-03 Thread Leon Ward

Is the machine only going to be used as a f/w?
If it is have you thought about something like smoothwall? 
http://www.smoothwall.org
It would be easier to keep secure and up-to-date with patches.

Just an idea,
Nard


-Original Message-
From: jnf [mailto:[EMAIL PROTECTED]] 
Sent: 26 February 2002 08:53
To: [EMAIL PROTECTED]
Subject: Linux hardware firewall question


I operate a small network of about 5 computers and am considering setting up
a PC to operate as a firewall/router for the network. The network does not
receive much traffic at all, and I am trying to figure out hardware-wise what I
need. The topology I have decided to go with is that each box on the network
will have its own NIC on the PC. Additionally, if anyone can suggest
documentation on how to set this up software-wise I would appreciate it.

I have some experience with iptables, but am unsure exactly how I would set
this up. Again any help would be appreciated.

Thank you.

J. Ferguson

This E-mail and its attachments have been scanned for viruses before
delivery For more information contact [EMAIL PROTECTED]




RE: Cisco security

2002-02-27 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would like to point out that the certification is valid for only 2
years.  I don't necessarily know if it is worth the 500 (125 an exam
* 4 exams) to have to recertify every 2 years.  Additionally, you say
you know about SANS; I would say either the SANS firewall or IDS cert
is much more respected than Cisco's equivalent exams.  Finally, I
don't really even see Cisco IDS out there that much in production, so
I didn't feel much of a need to pass an exam on it.

Just my thoughts,

If you want to get into security try a vendor neutral cert like sans,
cissp, or SSCP.

Cheers,

Leon

- -Original Message-
From: Dave Mee [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 22, 2002 2:47 PM
To: [EMAIL PROTECTED]
Subject: Cisco security

Has anyone taken the exams for Cisco Security Specialist 1?  How
good are they?  Is it worth the time and money?  I'm a CCNA and looking
to add on security-related certs.  Already know about SANS certs.

thanks

dave





-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPHp/w9qAgf0xoaEuEQLctgCff8SZDQzP5kQdoxJZ5lJmvzqf2f0AoNk8
Nw4EVhRlRqwli/m2+YxxoXMA
=plZV
-END PGP SIGNATURE-




RE: ArcServIT 6.5 Enterprise

2002-02-26 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Regardless, fport can do this.  It can tell you what program is bound
to a port.  This is such a commonly asked question that it should be
part of the administrivia.

Administrivia:

To find a process bound to a port:
Use fport from foundstone.com

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
[EMAIL PROTECTED]



LOL hope everyone is having a great weekend,

Leon

- -Original Message-
From: Kestas (Bidz) [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 21, 2002 1:54 PM
To: [EMAIL PROTECTED]
Subject: Re: ArcServIT 6.5 Enterprise

Active Ports is for NT only; what about Win2000?

Kestas

- - Original Message -
From: Mathieu Patenaude [EMAIL PROTECTED]
To: 'Calhoun, Heath' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 20, 2002 1:01 PM
Subject: RE: ArcServIT 6.5 Enterprise


 Use a program called Active Ports that you can get at download.com
 It tells you which program uses which port.

 hope this help

 Mathieu


 -Original Message-
 From: Calhoun, Heath [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 06, 2002 10:01 AM
 To: [EMAIL PROTECTED]
 Subject: ArcServIT 6.5 Enterprise


 Does anyone know what ports ArcServeIT 6.5 Enterprise for NT 4
 Server runs on?  Looking at our PIX logs I see multiple ports from
 our BDCs to a server we have ArcServe on.  I haven't been able to
 find anything in the ArcServe manual or the website.

 Heath Calhoun


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA+AwUBPHksSdqAgf0xoaEuEQLewgCWONSryEjt2G/XtK1zVSxsvNDMPACaAv/A
qeG6Utod9XgWhXRN//tozrc=
=08nU
-END PGP SIGNATURE-




Vlan Spoofing / Hopping

2002-02-26 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

Does anyone know of a program that allows you to change the vlan you
are on?  I don't mean if you have administrative access I mean if you
are put on a vlan and you decide you want to be on another one.  Is
there some way to spoof the vlan you are on and fool the switch into
letting you hop into a different one?

Thx and hope everyone is enjoying the weekend.

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPHkTD9qAgf0xoaEuEQJsQgCglrcL93092c7fjRCWe6YmLtstxKsAoLm4
MoY3l4NvHsdbfMuqc5bN7piG
=+AOy
-END PGP SIGNATURE-




RE: capturing traffic on cisco routers

2002-02-26 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Put an IDS in front of it and behind it.  A free one would be Snort.
The IDS could log every single packet if you wish it to, and you can
go through it looking for whatever you want using Perl, grep or
something of that nature.

Cheers,

Leon

- -Original Message-
From: Dave Stein [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 19, 2002 11:40 PM
To: [EMAIL PROTECTED]
Subject: capturing traffic on cisco routers

Hi there,
I'm very new on this list, and a newbie in Cisco
administration. I would like to know, if it is
possible, how to capture the traffic on the router (or
sniff it, if you like), and send it to another PC in
plain text or whatever, or if it's possible to keep it in a
file.
Sorry if this question is too basic, I'm learning here.
If it is any help the Cisco is running IOS 12.1.
Anything will help!
bye.



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPHknxdqAgf0xoaEuEQK/KwCbBzXoDjPNymuZ+9xCCU2Cfs65BAcAoPcj
i1EmiRt86i9rnhI53kj/IPuf
=Kbg0
-END PGP SIGNATURE-




hardening script for redhat 7.2?

2002-02-20 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

Does anyone know of a good script (that they have successfully used,
not just read about) that works with Red Hat 7.2?  I wanted to use the
Bastille script but it seems to work only up to 7.1.

Thanks in advance,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPHLl89qAgf0xoaEuEQI1ngCfaG9Pxx5X5QIV4e4zYVPSp/z9p9YAoI82
IM2rSHSCI5u42pzek+UtXsBe
=Brni
-END PGP SIGNATURE-




RE: Denial of service question.

2002-02-15 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Great question.  I definitely want to take a stab at this one.

First of all, if you are worried about redundancy you could get a
backup line and run BGP.  That might be a little too complex for this
scenario, so my other answers follow the poster's questions.

Snip the T1 router... So if 1.5M is flooding in basically we are out
of luck.

You sure are.  That is the problem with DoS attacks; it really comes
down to mine is bigger than yours (and yes folks mine is big ;)
Absolutely kidding.

Snip The question I have is: Is there any way to help this
situation?

Redundant Internet connections, or there are people out there who
make anti-DDoS products (though I have not tested nor read reviews
of these, so I don't know how effective they are).

Snip How possible is it for us to put a firewall BEFORE the T1 line
to block all of this before it hits our poor little line, or would
this even help? I don't know if this would even be possible?

Routers have to come before the firewall.  I don't think you can put
a firewall in front of a router, though I might be wrong.  Regardless,
you could have the best firewall in the world (NetScreen, Pitbull,
Argus, blah blah blah) and if the person has a bigger pipe than you
he can knock you off.  Best thing to do is contact upstream ISPs
(good luck).


Snip Is there some sort of way we can have a fallback line in case
this happens, and just move all of our IP addresses over to another
T1 while this is happening to this one computer, so it's only getting
attacked and not EVERY server we have on that line?

BGP redundant lines.  Not sure if your company can afford that
or has the expertise to implement it.

HTH,

Leon
UIN: 8031369 for people who want to chat via icq

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGv7BdqAgf0xoaEuEQJYDQCgsXmEYdDsYAXlDgLHqi8R/Gq5/q8AoI9L
yV12z2cyd+KpLHpk2J1kDLHi
=EAaX
-END PGP SIGNATURE-




RE: Floodnet Controls

2002-02-15 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yeah I am going to go out on a limb and be contrary.  What you are
saying is not exactly clear to me but I am going to give it a shot
anyway

Can't an IDS look at the actual payload instead of the URL and layer 3
/ layer 4 info?

Are you talking about an IDS on the client machine or the machine
being attacked?  On the client machine you should not let the applet
be downloaded in the first place.  On the target I would think the
IDS would work the way I referenced up above.  Further, most automated
programs continuously make the same kind of packets (i.e. the source
port never changes, etc.).  So it would not be unusually hard for
someone skilled at writing signatures to come up with one if they
could get a packet dump and all the program's packets appear the
same.

Anyone disagree???

Cheers,

Leon

- -Original Message-
From: Michael Ungar [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 12, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Floodnet Controls

As demonstrated with the recent DoS attack on the
World Economic Forum's web site, tools are being made
available which assist users in downloading an applet
to automatically refresh against a target's home page,
thereby making the site unavailable if enough users
have downloaded and are running the applet.

Question 1 - In this type of attack, I've heard
different opinions as to whether an IDS would or would
not pick up the event since
a - URL looks normal
b - three-way handshake completes
c - traffic might be under URL

I'm under the assumption the IDS would not catch it
because of reasons a - c above. Any views to the
contrary?

Question 2 - Any best practices against this risk
other than making sure your site has much and
redundant bandwidth.

Thanks. Mike Ungar


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGv8+NqAgf0xoaEuEQJ7+ACgkxt2LKLyoIHL46e5yygfz2WlBBQAoK2g
HRbqu73LGca9SMSLAZjxdzIw
=+gYE
-END PGP SIGNATURE-
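An added example for the point Leon makes above about detecting a refresh applet on the target side. This is not code from the thread; it is a Python sketch of the rate-based check an IDS or log monitor would run when, as Mike says, every request completes the handshake and carries a normal URL. Instead of matching a packet signature it counts how often one client repeats the exact same GET inside a sliding window. The log lines are constructed here for the example, in Common Log Format, with made-up addresses; the 10-second window and the threshold of 20 are arbitrary choices you would tune to the site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def parse_clf(line):
    """Return (client_ip, timestamp, method, path, status), or None if the line is not CLF."""
    m = _CLF.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def flag_refresh_floods(lines, window=timedelta(seconds=10), threshold=20):
    """Flag clients that repeat the *same* GET more than `threshold` times inside `window`.

    A browser reloads a page now and then; a refresh applet hammers one URL continuously.
    Counting identical (client, path) pairs in a sliding window separates the two even
    though every request completes the handshake and carries a perfectly normal URL.
    Returns {client_ip: peak_count_seen_inside_the_window}.
    """
    recent = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, when, _method, path, _status = rec
        q = recent[(ip, path)]
        q.append(when)
        while q and when - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample log for this example; not a capture from any real site."""
    base = datetime(2002, 2, 12, 15, 51, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 5120'
    lines = []
    # A refresh applet: 60 identical GETs for "/" in 10 seconds from one client.
    for i in range(60):
        ts = (base + timedelta(seconds=i // 6)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.10", ts=ts, path="/"))
    # An ordinary visitor: five different pages over half a minute.
    pages = ["/", "/about.html", "/news.html", "/logo.gif", "/contact.html"]
    for i, path in enumerate(pages):
        ts = (base + timedelta(seconds=6 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path=path))
    return lines


if __name__ == "__main__":
    for ip, peak in flag_refresh_floods(make_sample_log()).items():
        print(f"{ip}: {peak} identical GETs inside the window")
```

The queues are keyed per client and path, so the order in which different clients' lines appear does not matter, only each client's own timestamps do. The check is blind to a coordinated flood where each participant stays under the threshold; for that case the same counter keyed on path alone, across all clients, shows the aggregate rate.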




RE: network traffic logging tool ?

2002-02-15 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Argus is a company that produces security products.  They are most
well known for their Pitbull firewalls and hosting the OpenHack
challenge.  I believe they do have a logging tool also.

Cheers,

Leon

PS: Russel is quite friendly if the original poster (whose name is
not on the e-mail) wants to contact him directly I am sure he would
not mind

- -Original Message-
From: Windex King [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 12, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: network traffic logging tool ?



[EMAIL PROTECTED] wrote:
 I'm looking for a promiscuous mode network monitor

I regularly see posts on the Incidents list by Russell
Fulton where he makes mention of a network traffic 
logging tool named ARGUS.

A little searching on google pointed me to
http://www.qosient.com/argus/

W   K

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGv4stqAgf0xoaEuEQJQUwCfcT6WGzyuqeAT81PsCwoiv2d0ODgAoL5j
vx9teDpWHPMdElqQTN6pTj03
=liDy
-END PGP SIGNATURE-




RE: aol IM sniffer?

2002-02-13 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Don't allow people to run code on your machine (via physical access
or logical access via a buffer overflow).  If he thinks he is on a
network where someone has installed sniffer software or has put a NIC
in promiscuous mode (one and the same?) then we have covered that
on this list and you can refer him to AntiSniff by L0pht (now @stake)
or some other programs that people have listed (that don't come to
mind right now).  Further, he could try Trillian (this uses encryption
and was discussed on this list and some people brought up some good
counterpoints).  I am not sure if AOL is playing with Trillian
anymore or if AOL is still being monopolistic.  Whoops, I meant, um,
well let's be honest, they are just as bad as M$ by not opening up the
protocol to other vendors :)

Cheers,

Leon


- -Original Message-
From: william taylor [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 11, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: aol IM sniffer?

I had a friend who uses AOL.  He told me that someone he knew had
bugged his AOL account so that his IMs were logged, his sites visited
were logged, and all of his settings (favorites, buddy list, etc.) had
been recorded.  I know that this is done by cracking and is probably
some juvenile prank, but how could I protect myself against someone
doing that?  I.e. is it a packet sniffer sniffing packets coming out
of a specific IP address with specific headers, or is it some sort of
spoofer that asks AOL for that information?  And if so, how could I
prevent an attack like that from succeeding?

charles



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGmoZdqAgf0xoaEuEQIpIQCdHnJpD6J30vK0YGWnk+JBOQ5zTUsAnjUx
9yS3JYzB86TJ0aPpu2g5fisY
=77rJ
-END PGP SIGNATURE-




ms ip-sec question

2002-02-13 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

Just curious if there were any known flaws with M$'s implementation
of IPsec?
I know that some of their protocols have issues (PPTP, MS-CHAP, and
the LAN Manager hash).

Does anyone have any links discussing this?

Thx,

Leon

PS: as far the cert thread(s) go all I can say is a - q and if anyone
has the exam cram or braindump for r - z let me know ;)

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGm/adqAgf0xoaEuEQJrKwCgkIr1ML4JUetI0k5sPOCKEjLHqrIAoPnj
pePMGjmt3/NNfmUv9lLCxQLx
=i88T
-END PGP SIGNATURE-




PKI Books

2002-02-12 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

Can someone suggest to me books they have read and found helpful in
regards to implementing a PKI?

Please don't hand me a list from Amazon or Google; I know how to
search.  I am really asking the list for opinions on what they find to
be the best (e.g. everyone, at least people in their right minds,
agrees that TCP/IP Illustrated is the de facto standard for TCP/IP
books).  Can anyone help me find a similar book for PKI?

Also, if anyone wants to answer my questions on stateful inspection
firewalls that would be appreciated also (only 2 people have taken a
crack at it so far and no one has answered the question.)

Either way,

Thx and cheers,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGgsG9qAgf0xoaEuEQKtLACgwPFWPE+LOLgYTf2vr9pVJguhENEAoNqa
/InQpDHOyRl29bh1X4QWbFY6
=PBAO
-END PGP SIGNATURE-




RE: DSL speed test s/w

2002-02-12 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is a link off both www.cnet.com and www.dslreports.com

Both do a fairly thorough test.

HTH,

Leon



- -Original Message-
From: Todd Sparks [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 09, 2002 11:41 PM
To: Security-Basics@Securityfocus. Com
Subject: DSL speed test s/w

Hi all,

I'm looking for a good free s/w test for my Enhanced DSL up/down speed.

Thanks,
Todd

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGgkJ9qAgf0xoaEuEQJiYQCfXRlZVQwBO938Sb88LNmnaLSAFW8AoIgl
Jn4wMPxUUwtOGS7HG0GgHF2D
=idPI
-END PGP SIGNATURE-




basic stateful inspection question

2002-02-07 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

I have a question regarding stateful inspection firewalls
(specifically PIX and Checkpoint).

It seems to me that a lot of people use either NAT or PAT and that
these types of firewalls by default drop unsolicited connection
attempts (meaning packets that arrive with the SYN bit set).  Any
packet that leaves the network is put in the state table so that the
return packets can come back in.  My question is this: if I were to
exploit a client-side buffer overflow and I got the system to make a
connection to me via netcat with a destination port of 80, would I
circumvent a majority of the stateful inspection firewalls?  It seems
that these firewalls trust that ALL connections originating from the
inside are good.  Now I know we could block off destination ports of
services we don't want to allow access to (say no port 23 traffic
leaves the network because we don't allow telnet) but I am wondering
if either of these firewalls has a method of filtering based on
protocol (for example allow 80 to be a destination port but only HTTP
traffic can cross it.  No netcat, no AIM, no LimeWire, just HTTP).

I have seen a ton of networks where I came in and I found people
using things like AIM even though the firewall specifically only
permitted port 80 traffic out (obviously these people switched the
port from 5190 to 80).

So to reiterate: is there a way to configure PIX or Checkpoint to
judge the connection based on protocol as opposed to arbitrary things
like source IP, destination IP or port numbers?

Cheers and thanks in advance,

PS: Links are appreciated but flames are not :)

Leon


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPGHkRtqAgf0xoaEuEQJgUgCgiGaVcoapw7+T4+QYqADv/jJYIycAni9v
W0GcE8qAvdNF6ZNanoDjjyn3
=u/Nk
-END PGP SIGNATURE-




RE: sftp server

2002-02-04 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

If you have a Cisco (or any other Router that is halfway decent) in
front why not set up an access list denying traffic with a
destination port of 22?

This would solve the problem quite easily.

HTH,

Leon

- -Original Message-
From: Geeking Out [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 31, 2002 10:12 AM
To: [EMAIL PROTECTED]
Subject: sftp server

Greetings,

I have someone with whom I wish to automate file
transfers.  I wish to do this securely.
I thought that running SSH on the box with key
exchanges would do this just fine since I can then use
sftp.  However, if I install SSH on the box, and I give
the client access, they can also log into the box and
get a shell.
Is there a way in which I can limit them to sftp only?

Thank you in advance!


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPF6JBNqAgf0xoaEuEQK8KACeNTKEQMIZpk4+BDmFDGe8aZC4AvEAoL61
uG/tikpHx/7msA0BI8D5NYc4
=CKb+
-END PGP SIGNATURE-




1 last small worthless AIM point

2002-01-30 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

It has recently come to my attention that the buffer overflow
affecting AIM is still remotely exploitable.
I just thought that I would let the list know that CONTRARY TO
PUBLISHED REPORTS the vulnerability is still being actively
exploited.

I did a little testing at home and it seems the newest version of the
AIM client (4.8.2646) is NOT vulnerable.

I would also like to point out that this is a great reason why
shortcuts and security just don't play nicely together.

Instead of fixing and making a big point to let everyone know about
the vulnerability (as in "we messed up, but most software companies
do; here's a patch" or "you MUST download the newest version"), AOL
took the easy way out and claimed to fix the problem at the server.
Bull-cocky.  If the problem is fixed at the server how come I am still
able to kick people off with AIM Filter? (rhetorical ;)

D'oh!  AOL's engineers or Oracle's engineers; who is doing worse in
the month of January? One is breakable, the other is remotely
exploitable.  Hehe

Cheers to the group,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPFf/htqAgf0xoaEuEQL3zQCg69Gd7PbfHwxWMBL/E2QzTICqeuMAoKQl
/iQO3DkBt8aDMcymoh+84IiD
=uNkL
-END PGP SIGNATURE-




RE: loopback device

2002-01-22 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

That is not true.  P stands for proto not port.

-p proto  Shows connections for the protocol specified by proto; proto
          may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
          option to display per-protocol statistics, proto may be any of:
          IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

It has nothing to do with ports.  Please DO NOT GIVE ADVICE ON THE
LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.

Cheers,

Leon

- -Original Message-
From: shawn merdinger [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 18, 2002 8:45 PM
Cc: Craig Van Tassle; secuirty-basics
Subject: Re: loopback device

Also, try the following:

netstat -anp

The p option displays the program bound to that socket/port.

From the looks of your snort log, it did not *appear* to be a
loopback 
address.

- -scm


 On 15-Jan-2002 Craig Van Tassle wrote:
  My loopback is supposed to be 127.0.0.1.. at least that is what
  my ifconfig shows me..  and I have no idea what program is
  running on that port. Do you think that I could have a possible
  intrusion?
 
  Thanks
  Craig
 
  On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
  No, you can't bypass the firewall using the loopback interface.
  What's interesting though is the IP address they're using...
  usually loopback is 127.0.0.1 and the port number, 5460, isn't
  assigned to anyone so what program is running?
 
  -Original Message-
  From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
  Sent: Monday, January 14, 2002 8:48 AM
  To: secuirty-basics
  Subject: loopback device
 
 
  Is it possible for someone over a network to use my loopback to
  bypass my firewall?  If so what can I do to mitigate the
  problem and how damaging can it be?

  The reason I'm asking is my Snort system is showing bad loopback
  traffic.. thanks

  Here is a snippet from my Snort logs.
 
  [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
  [Classification: Potentially Bad Traffic] [Priority: 2]
  01/12-14:10:11.568007 45.253.14.97:49847 - 127.167.228.85:5460
  TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
  **S* Seq: 0x3F4BB00A  Ack: 0x0  Win: 0x200  TcpLen: 20
 
  Thanks
  Craig
 
 

 - --
 Phillip O'Donnell
 Software Engineer, Esphion Limited
 [EMAIL PROTECTED]


 -BEGIN PGP SIGNATURE-
 Version: PGP 6.5.1i

 iQA/AwUBPEXd7nbXtTBvmfCfEQKNyQCfd08qxIx1+JqoOl47TH/pm74eSRcAoO7g
 Ky+CD/KuL2KCESveLJw30Gb1
 =VjXg
 -END PGP SIGNATURE-



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPExZDdqAgf0xoaEuEQK/AwCgrV/Qlvx1IWJAZTd3Nj8GZv1naOgAnREV
KVGYnYIsKnsMNF+zyt4M76cB
=jg5K
-END PGP SIGNATURE-
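Leon's correction above is right for Windows: `netstat -p` selects a protocol. The switch that prints the owning process ID is `-o`, which Windows XP added and Windows 2000 lacks, which is why fport and Active Ports keep coming up on the list (the ArcServeIT thread earlier on this page asks the same question). The following is an added example, not something from either thread: a small Python helper that joins `netstat -ano` output with `tasklist /FO CSV` output to answer "what program owns port 5460?" without a third-party tool. The two text blocks are constructed sample output for the example, not captures from the posters' machines; on a live XP box you would feed it the real output of those two commands.

```python
import csv
import io

# Constructed sample `netstat -ano` output (made up for this example).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       436
  TCP    127.0.0.1:5460         0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       9999
  TCP    192.168.1.20:1043      198.51.100.23:5190     ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample `tasklist /FO CSV` output (made up for this example).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","212 K"
"svchost.exe","436","Console","0","4,532 K"
"aim.exe","1204","Console","0","9,128 K"
"""


def parse_netstat_ano(text):
    """Parse `netstat -ano` into (proto, local_ip, local_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, header and blank lines
        proto, local = parts[0], parts[1]
        ip, _, port = local.rpartition(":")   # rpartition copes with [::]:135 too
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]     # UDP rows have no State column
        rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV` into {pid: image_name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def sockets_with_owners(netstat_text, tasklist_text):
    """Join the two listings on PID; a PID netstat reports but tasklist cannot name is flagged."""
    names = parse_tasklist_csv(tasklist_text)
    return [
        {"proto": proto, "ip": ip, "port": port, "state": state, "pid": pid,
         "image": names.get(pid, "<unknown pid>")}
        for proto, ip, port, state, pid in parse_netstat_ano(netstat_text)
    ]


def who_owns(port, netstat_text, tasklist_text, proto="TCP"):
    """Sorted list of image names bound to `port` for `proto`; empty if nothing is."""
    return sorted({s["image"] for s in sockets_with_owners(netstat_text, tasklist_text)
                   if s["port"] == port and s["proto"] == proto})


if __name__ == "__main__":
    for sock in sockets_with_owners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{sock['proto']:<4} {sock['ip']}:{sock['port']:<6} {sock['state']:<12} "
              f"pid={sock['pid']:<5} {sock['image']}")
```

A PID that netstat lists but tasklist cannot name (9999 in the sample) is the interesting case: it usually means the process exited between the two commands, but on a box that is already suspect it is also what a process hidden from the task list looks like, so it is worth a second look rather than a shrug.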




RE: Security of Private Networks

2002-01-22 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This is a common misconception about NAT (PAT, overload or whatever
you want to call it): that the security is fairly strong.  NAT is a
way to prevent the inevitable depletion of public IP space.  The fact
that it provides security is a bonus and not at all its original
reason for being created.  How would I get around this (this being
attacking a private IP)?  Why, layer 7 client-side attacks of course.
If I can execute code on your computer to make an outbound connection
to mine, game over.  Wait, if I can just plain execute code (pick your
buffer overflow of choice.  I know there are a bunch of IE 6 ones that
have not been solved yet; though I am not sure if they all allow the
attacker to run code of their choosing.) then the game is over.  As
always an IDS (network or host based) can take care of this for you
(keeping an eye on what is leaving and entering your network).

HTH,

Leon 

- -Original Message-
From: Jason Jaszewski [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 18, 2002 2:21 PM
To: [EMAIL PROTECTED]
Subject: Security of Private Networks

Hello all,
If I have a private network (with IPs of the 192.168.1.x flavor) and
run WinRoute (which utilizes NAT), or even a cable/DSL router, what are
my security concerns? It is my understanding that since private networks
are non-routable on the Internet, it is a relatively secure setup.
Assuming the boxes are running Windows 2000 and there is no software
such as VNC or other remote admin software, what are the security
concerns to have? I would assume vulnerability with email attachments,
downloads, or file sharing, etc. But, for the sake of argument, assume
that these issues are not factors. Is there a way to get into those
machines?
In my (thus far) limited understanding of NAT, I was informed that
because NAT creates the socket, it would be difficult to connect to a
box with a private IP remotely without some kind of software previously
installed. However, based on previous list emails about the
(in)security of NAT, I question this. Are there apps out there that
could trick the NAT box (or router) into making a connection with
another machine? Even without remote admin software installed, assuming
the conditions above?
Thanks in advance for answering my curiosity.

Jason


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA+AwUBPExQxNqAgf0xoaEuEQJHsACg2C2Nas35GsLiqkA1aWJE29VNEZ0AmOcT
Buf5LgIyzWlfbAZOsfnbY6Y=
=UGRQ
-END PGP SIGNATURE-
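The translation-table behaviour leon's reply relies on, as an added example that is not part of the original thread. It is a toy Python model of a port-restricted NAT/PAT box (an assumption about the NAT type; WinRoute and the home routers of the day varied, and a full-cone NAT is more permissive). All addresses are constructed: RFC 1918 on the inside, the TEST-NET documentation ranges on the outside. It shows why an unsolicited packet from the Internet is dropped, while anything that connects *out* from an inside host opens a path for the remote side's replies to come back in.

```python
"""Toy stateful PAT (port address translation) table.

Added example, not part of the original thread. Unsolicited packets
from the Internet have no entry in the translation table and are
dropped; a connection initiated from the inside creates an entry that
lets the remote side's replies flow back to the private address.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortRestrictedNat:
    """Address-and-port-dependent NAT (assumption): a mapping is only
    reusable by the exact remote ip:port the inside host talked to."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def send_out(self, pkt: Packet) -> Packet:
        """LAN -> Internet. Creates the translation entry on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN. Returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # a private address is not routed here at all
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # nobody inside opened this: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo() -> dict:
    """Walk through the four cases the thread argues about (constructed addresses)."""
    nat = PortRestrictedNat("203.0.113.10")
    remote = "198.51.100.7"
    # 1. Unsolicited inbound SYN to the public address: no state, dropped.
    unsolicited = nat.receive_in(Packet(remote, 4444, "203.0.113.10", 445))
    # 2. A program on the inside host connects out first...
    outgoing = nat.send_out(Packet("192.168.1.20", 51000, remote, 80))
    # 3. ...and now the remote side's reply is translated back in.
    reply = nat.receive_in(Packet(remote, 80, "203.0.113.10", outgoing.src_port))
    # 4. A different remote host cannot piggy-back on that mapping.
    stranger = nat.receive_in(Packet("198.51.100.99", 80, "203.0.113.10", outgoing.src_port))
    return {
        "unsolicited_dropped": unsolicited is None,
        "outgoing_public_port": outgoing.src_port,
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "stranger_dropped": stranger is None,
    }


if __name__ == "__main__":
    print(demo())
```

Case 3 is the whole point of the reply: the NAT box cannot tell a browser fetching a page from any other program on the same host that opens a connection outward, which is why the thread recommends watching what leaves the network rather than trusting the private address space.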




RE: Remote PC Management via LAN/WAN

2002-01-18 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

VNC is free but it is very slow..  The problem with using things like
subseven is you don't know what backdoors are built into the backdoor
(kind of like backdoor squared for the math folk out there).  For
example in subseven 1.0 - 1.9 I believe there was a backdoor so that
the author of the program could bypass the password and connect to it at
any time.

HTH,

Leon

- -Original Message-
From: Levi Pugh [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 15, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: Remote PC Management via LAN/WAN

Hello Fellow Subscribers,

The Question I have is: What is your opinion on using a Trojan like
SubSeven to manage your network or even any other Remote Management
type of Program? And if you were, how would you go about testing the
Prog for Backdoors. And also could you suggest any remote management
Software that you have found useful, and free is the key word here.

Thanks,

Levi M Pugh
PC TECH III
Fortune 800, Inc
5200 Golden Foothill Parkway
EL Dorado Hills, CA 95762
(916)605-0185
www.Fortune800.com



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEci9NqAgf0xoaEuEQLUxACgpt+uh73RWNIm8Nolnt9DTZaTDpAAoITx
jsNtLAtHu+FJdxmLb5NCiaKC
=GfG/
-END PGP SIGNATURE-




Sonicwalls 10 Guidelines to securing your network

2002-01-17 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This was a checklist that Sonicwall developed and I saw on SnP.  I
thought it might be useful for the readers of the list and thus I
posted it.

Cheers,

Leon


10 Security Guidelines 

I. Secure telecommuters and remote workers: Telecommuters and remote
workers are often one of the weakest parts of a company's security
system. As external attacks become increasingly sophisticated, a
favorite tactic is to infiltrate the computer of a telecommuter or
remote worker and follow them into the corporate LAN. It is critical
that businesses implement firewall, VPN and anti-virus technologies
among telecommuters and remote workers. 

II. Assess the vulnerability of the network perimeter: Despite a
heightened security awareness, many significant holes still exist in
companies' security systems. A number of successful external attacks
exploit known vulnerabilities. Vulnerability scanning services can
help anticipate potential security problems and help a company
address their weaknesses before a hacker exploits them. Vulnerability
scanning should take place at a minimum of once per quarter. 

III. Guard against internal security threats: A common misperception
is that the majority of attacks occur from the outside of a network.
Internal attacks happen more often and tend to be significantly more
costly and damaging than external hacks. Companies should implement
security technologies such as enterprise-class firewalls for
individual workstations that store sensitive data or servers that
host mission-critical applications to protect them from these
internal attacks. 

IV. Reduce time-to-deployment of patches: Updates and patches to
defend against viruses and hacks often exist in time to prevent a
successful infection or hack attack, but are not deployed in a timely
manner. New computer viruses are designed to spread quickly,
therefore leaving a computer on the local area network with outdated
AV software exposes the entire network to infection, not just the PC.
As a general rule, updates and patches should be deployed to all
systems on the network within 4 hours from the time they are made
available. Additionally, operating systems and applications should be
regularly updated and businesses should not rely on the default
installation. 

V. Decentralize and secure vital information: Many companies are
considering a decentralized, distributed model for storing
business-critical information to prevent the complete loss of such
information in the event of an emergency. This requires security
technologies that can protect a distributed architecture and that can
also be centrally managed 

VI. Create a company culture of sound security: Network security is
more than the IT manager's responsibility. For effective network
security, all levels of the company must be involved. Additionally,
effective security requires training and commitment. To create a
company culture of sound security, a business can: 
- Regularly train/update employees on current security practices 
- Actively seek the help of employees to identify potential security
risks 
- Recognize individuals or departments that have a strong security
track record 

VII. Regularly backup vital information: Important data such as sales
records, personnel information, client records, etc. should be backed
up daily, in offsite locations. Utilize a repository located offsite
for either Internet-based or tape-based data backup. Look into
alternative solutions for recovery, i.e. hotels with additional
phones lines and quick access to the Internet. Test disaster recovery
procedures to determine how long it will take for your business to be
50%, 75% and 90% functional. 

VIII. Develop an internal Security Audit: In addition to
assessments by third parties, each company should develop its own
unique internal security diagnostic. This includes: 
- The regular testing of all security hardware and software to ensure
they are functioning properly and are properly configured 
- Reviewing hardware and software to determine the date of the last
firmware or software upgrade 
- Reviewing the authorized users list to ensure former employees no
longer have access to the network 
- Interviewing key security personnel and random workers to determine
if policies are effective, incomplete, being followed correctly,
understood, etc. 

IX. Consider hardware solutions over server-based solutions: Hardware
solutions typically offer higher performance at a better price-point
and can support a diverse number of network configurations. Dedicated
hardware solutions are not only higher performing and more
cost-effective, they offer a higher level of security as they are not
susceptible to OS vulnerabilities. 

X. Keep directory services up to date. On average, large percentages
of names and accompanying passwords in company directories are
out-dated and unused, hence are prime targets for external hacks as
well as 'internal' hacks from

RE: Blocking Kazaa

2002-01-15 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

So maybe it is time to ditch Windows 95?  It was not meant to be run
by business anyway.  Try win2k.

I still think my idea of using the security policy is best.  

Regards,

Leon



- -Original Message-
From: Calhoun, Heath [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 14, 2002 12:51 PM
To: leon; 'Benoit Joseph'; Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: RE: Blocking Kazaa

Unfortunately Windows 95 does not let you.
True, we could run the network where everyone has the same desktop,
but 95 still allows you to install apps.

Heath Calhoun.

- -Original Message-
From: leon [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 13, 2002 11:26 AM
To: 'Benoit Joseph'; 'Calhoun, Heath'
Cc: [EMAIL PROTECTED]
Subject: RE: Blocking Kazaa


- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Why can't you just forbid users from installing their own applications
(especially ones that just recently were installing spyware without
the users' knowledge) in an everyone e-mail and then refer users who
still proceed to do this anyway to the corporate security policy?

Cheers,

Leon

- - -Original Message-
From: Benoit Joseph [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 08, 2002 4:55 PM
To: Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: Re: Blocking Kazaa


Can't you just block the port 1214? I think that if you block it on
your firewall, you'll have no problem.

Can't you use some ACL rules? I believe the IOS has a FW.

Bye


On Mon, Jan 07, 2002 at 03:53:50PM, Calhoun, Heath wrote:
 I am attempting to block the multimedia search program kazaa on a
 pix 515 running ios 4.4.
 Pinging the Kazaa website, I got an address of 213.248.107.10.  The
 program uses port 1214.
 I need to block any access to the website and to the program.  I
 have tried several conduits without success.
  
 Any help is appreciated.
  
 Heath Calhoun
- - ---end quoted text---

- - -- 

Benoit JOSEPH 
Manex SPRL: [EMAIL PROTECTED]
Perso: [EMAIL PROTECTED]
   [EMAIL PROTECTED]

- -BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use
http://www.pgp.com

iQA/AwUBPEHDLdqAgf0xoaEuEQIrRACg0GlCfft4xA/MbgvqxQYjdlKvR9oAoJnD
f5fthJRPLXeZrtZm4nFzjDAX
=TSNg
- -END PGP SIGNATURE-

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEMcHdqAgf0xoaEuEQIBGwCfeguowKYd/xJbjtn141JX7pg2lkgAoJJh
WBJbK4IH9IrDGCVVyrNO2lvq
=8hEA
-END PGP SIGNATURE-




RE: MS EFS Question

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

If they go to fat32 (probably the same for 16) it turns out they lose
their encryption because fat32 does not support these types of
attributes (same with NTFS permissions and compression.)  I am not
sure who pointed this out to me on the list but I thank them.

Cheers,

Leon

- -Original Message-
From: Rob Weiss [mailto:[EMAIL PROTECTED]] 


Leon (and others),

I tried to verify this in some of my MS books, but couldn't find the
answer.


What I believe that I remember is this:  Encrypted files keep their
encryption when they are copied or moved, regardless of the
destination (NTFS or FAT).

Rob



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD8wdtqAgf0xoaEuEQJx2gCg77JlSju+K7XPEuEupkOVA3+dC6wAoPvw
PwKJDn4GJEjTvOBfMexOI2Ir
=7x4c
-END PGP SIGNATURE-




RE: Macintosh Vulnerability Scanner

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mac Pork and the more famous MacAnalysis.  Sorry I can't provide links
but I bet google can ;)

Have a nice weekend,

Leon

- -Original Message-
From: M W [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 09, 2002 2:22 PM
To: [EMAIL PROTECTED]
Subject: Macintosh Vulnerability Scanner

Does anyone know of a commercial vulnerability scanner that would
work on the Macintosh OS?

Thanks in advance

mark

_
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD8u8tqAgf0xoaEuEQKfxQCfeZVZlbCLS1/TNApAuonxr0jJdtMAn0IS
zvCdSRaEmBi832Ym3FHjX4FF
=7ds1
-END PGP SIGNATURE-




CSS how do you tell if a site is vulnerable

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

I don't really have much programming skill (ok, you got me, I have
none at all) and I was wondering if some of the people on the list who
understand how to test for Cross Site Scripting could help me.  I
understand what it is but not how to test for it.  Does anyone have
some generic syntax that I could tack on to the end of a URL to test
if it is vulnerable?
What I mean is www.testsite.com/whatevercomes/yadda/some/blah/etc.

There are a few sites that I have responsibility for that I would
like to test but I really don't know how (obviously, or I would not be
writing this post :).
Can anyone share some simple syntax?  It does not have to be in-depth
(as far as stealing cookies or anything like that); all I have to be
able to do is confirm whether or not the sites are vulnerable.

Thanks again and I hope everyone on the list has a great weekend.

Cheers,

Leon
Icq 8031369 if anyone ever wants to reach me via chat.



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD8qDNqAgf0xoaEuEQKuvgCfQMtREsr87B3bTPzsi63TBw2kpK0AoJVj
GxATJRCuEogkJTECDnJsWqIY
=QSRx
-END PGP SIGNATURE-
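One way to check your own pages for the defect the post asks about, as an added example that is not part of the original thread. The Python below keeps the test harmless: `render_search` is a stand-in for a page that echoes a query-string parameter straight into its HTML (the vulnerable pattern), `render_search_safe` is the same page with output encoding, and `check_site` feeds both a marker that contains HTML-significant characters but no script, then reports whether the marker came back unescaped. The `www.testsite.com` URL is the one from the post; the `q` parameter name and the render functions are assumptions for the example.

```python
"""Reflected cross-site scripting: the vulnerable pattern, the fix, and
a check a site owner can run against their own templates.

Added example, not from the post. `render_search` and `render_search_safe`
stand in for fetching a real page; in practice the check would fetch the
URL and pass the response body to `reflected_unescaped`.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Harmless probe: no script, just characters that must be escaped in HTML.
MARKER = '<b id="xss-probe">probe</b>'


def query_param(url: str, name: str) -> str:
    """Pull one parameter out of a URL the way the page's framework would."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get(name, [""])[0]


def render_search(url: str) -> str:
    """Vulnerable: the parameter is concatenated straight into the markup."""
    q = query_param(url, "q")
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def render_search_safe(url: str) -> str:
    """Fixed: HTML-escape anything that came from the request before it
    is placed in element content or an attribute value."""
    q = html.escape(query_param(url, "q"), quote=True)
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def reflected_unescaped(page: str, marker: str = MARKER) -> bool:
    """True when the marker comes back byte-for-byte, i.e. the page treats
    user input as markup. An escaped reflection (&lt;b id=&quot;...) is the
    correct behaviour and returns False."""
    return marker in page


def check_site(render, base_url: str = "https://www.testsite.com/search") -> bool:
    """Drive a render function with the marker and report whether the
    page reflects it unescaped (True means the page needs fixing)."""
    url = f"{base_url}?q={quote(MARKER)}"
    return reflected_unescaped(render(url))


if __name__ == "__main__":
    print("vulnerable page reflects markup:", check_site(render_search))
    print("escaped page reflects markup:   ", check_site(render_search_safe))
```

The check only says whether input is reflected as markup; whether a given reflection is exploitable also depends on where in the page it lands, which is why the fix escapes on output in every context rather than trying to filter the input.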




RE: Hardening VS firewalling ?

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

People commonly compare security to an onion as both are layered.

Firewalling is one layer, hardening is another layer, ids is yet
another layer, then you have physical security, strong
authentication, yadda yadda

However once you start having layers security becomes more like a
chain (only as strong as your weakest link).  So I am not saying
don't have layers (the more layers the better) just don't assume
because you have a firewall you don't need to harden (or any
combination; I have an ids and a firewall who needs to patch?)


Hope everyone is having a nice weekend,

Leon

- -Original Message-
From: Octavio / Super [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 08, 2002 4:57 AM
To: Omar Koudsi; [EMAIL PROTECTED]
Subject: Re: Hardening VS firewalling ?

If I have to choose _only_ one, then I would go for security patches,
but if I use time optimization as a base for my decision, then I
would firewall to deny everything except explicitly necessary
services and then I would security-patch all of those explicitly
allowed services.

If time is not of my concern, I would do that, plus I would develop
security policies, like more secure passwords, secure practices, I
would have the employees/students take a course on computing culture,
etc.

Octavio.

At 02:29 a.m. 08/01/2002 +0200, Omar Koudsi wrote:
OK, I know this is more of a theoretical debate, because in reality
we are able and should do BOTH. 


But according to you, which is more important? Paying attention to
having a great firewall with a great ACL more than hardening and
patching the systems? Or not having to worry about the firewall or
having one at all and concentrating on applying best practices to
OS/APPS and making sure the OS/APPS is up to date on patches?

In the unlikely event that you had to choose one over the other (or
some people would argue that this is a reality since time is limited
and you can really concentrate on one) , which one would it be and
why?

Regards,


---
Omar Koudsi
IT Architect
Network Security Center
Special Systems Company
http://security.sscjo.com
[EMAIL PROTECTED]
Tel: (9626) 5664221
Fax: (9626) 5681557


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEG8V9qAgf0xoaEuEQItGwCgihAJaZTKgQlprIdKzyqINdwli2gAoMwE
TmDjLGFusezF+98EdOn7hU+5
=frma
-END PGP SIGNATURE-




RE: Blocking Kazaa

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Why can't you just forbid users from installing their own applications
(especially ones that just recently were installing spyware without
the users' knowledge) in an everyone e-mail and then refer users who
still proceed to do this anyway to the corporate security policy?

Cheers,

Leon

- -Original Message-
From: Benoit Joseph [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 08, 2002 4:55 PM
To: Calhoun, Heath
Cc: [EMAIL PROTECTED]
Subject: Re: Blocking Kazaa


Can't you just block the port 1214? I think that if you block it on
your firewall, you'll have no problem.

Can't you use some ACL rules? I believe the IOS has a FW.

Bye


On Mon, Jan 07, 2002 at 03:53:50PM, Calhoun, Heath wrote:
 I am attempting to block the multimedia search program kazaa on a
 pix 515 running ios 4.4.
 Pinging the Kazaa website, I got an address of 213.248.107.10.  The
 program uses port 1214.
 I need to block any access to the website and to the program.  I
 have tried several conduits without success.
  
 Any help is appreciated.
  
 Heath Calhoun
- ---end quoted text---

- -- 

Benoit JOSEPH 
Manex SPRL: [EMAIL PROTECTED]
Perso: [EMAIL PROTECTED]
   [EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEHDLdqAgf0xoaEuEQIrRACg0GlCfft4xA/MbgvqxQYjdlKvR9oAoJnD
f5fthJRPLXeZrtZm4nFzjDAX
=TSNg
-END PGP SIGNATURE-
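Blocking port 1214 at the firewall only helps if you also notice which hosts are still trying to use it, so here is an egress check over firewall connection logs, as an added example that is not part of either Blocking Kazaa thread. It is plain Python over constructed log lines in a generic "timestamp action proto src -> dst" form (not the PIX syslog format); the egress allowlist, the internal ranges and the sample addresses are assumptions for the example, apart from 213.248.107.10 and port 1214, which come from the thread. Connections from RFC 1918 hosts to the Kazaa port are labelled, any other outbound port off the allowlist is flagged too, and the result is summarised per inside host so the admin knows whom to point at the security policy.

```python
"""Egress check over firewall connection logs.

Added example, not from the thread. Flags outbound connections from
RFC 1918 hosts to the FastTrack/Kazaa port (1214) and to any other
destination port that is not on the site's egress allowlist, then
summarises the findings per inside host.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, not real traffic. Generic format, not PIX syslog.
LOG_LINES = """\
2002-01-07T15:53:50 ALLOW TCP 192.168.1.45:3345 -> 213.248.107.10:1214
2002-01-07T15:53:51 ALLOW TCP 192.168.1.45:3346 -> 198.51.100.23:1214
2002-01-07T15:54:02 ALLOW TCP 192.168.1.12:1089 -> 198.51.100.80:80
2002-01-07T15:54:10 ALLOW TCP 192.168.1.45:3347 -> 203.0.113.5:1214
2002-01-07T15:54:30 ALLOW UDP 192.168.1.12:1090 -> 198.51.100.53:53
2002-01-07T15:55:01 ALLOW TCP 192.168.1.77:4150 -> 203.0.113.9:7730
2002-01-07T15:55:05 ALLOW TCP 198.51.100.80:80 -> 192.168.1.12:1089
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 space: what "inside" means for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports the site permits outbound (assumption for the example).
EGRESS_ALLOW = {("TCP", 80), ("TCP", 443), ("UDP", 53), ("TCP", 25)}
# Well-known peer-to-peer port from the thread.
LABELS = {1214: "kazaa/fasttrack"}


def parse(line: str) -> dict:
    """Split one log line into its fields; ports become ints."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_findings(log: str) -> List[Tuple[str, str, int, str]]:
    """Return (inside_host, proto, dst_port, label) for every outbound
    connection that is not on the egress allowlist."""
    findings = []
    for line in log.splitlines():
        rec = parse(line)
        outbound = is_internal(rec["sip"]) and not is_internal(rec["dip"])
        if not outbound:
            continue  # inbound replies and internal traffic are not egress
        if (rec["proto"], rec["dport"]) in EGRESS_ALLOW:
            continue
        label = LABELS.get(rec["dport"], "not on egress allowlist")
        findings.append((rec["sip"], rec["proto"], rec["dport"], label))
    return findings


def per_host_summary(log: str) -> Dict[str, Counter]:
    """Count flagged destination ports per inside host."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for host, _proto, port, _label in egress_findings(log):
        summary[host][port] += 1
    return dict(summary)


if __name__ == "__main__":
    for host, ports in per_host_summary(LOG_LINES).items():
        print(host, dict(ports))
```

Run against real firewall logs this gives the list of workstations to follow up on; the allowlist approach also catches clients that move to another port once 1214 is blocked, which a single port rule cannot.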




RE: Portscanning from Windows XP machine

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I can confirm that both of these work just fine.

Leon

- -Original Message-
From: Mark L. Jackson [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 09, 2002 3:34 AM
To: Philip Wagenaar; [EMAIL PROTECTED]
Subject: RE: Portscanning from Windows XP machine


http://www.foundstone.com/rdlabs/tools.php?category=Scanner

fscan and superscan should work under XP. Have not tried them, but
I see no reason for them not to function.


 I'm looking for a good port scanner that will run under Windows XP.
 My wishlist for it is that it scans TCP, UDP and stealth but I'm not
 really sure if there is such a one under a Win environment.



-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEHEhtqAgf0xoaEuEQI4GwCg6sdVl5r8DcYlnXRQfHjZD9Ao5lIAn0Lh
Ywpver9azHs9RgY8pBeBrGRo
=/sYl
-END PGP SIGNATURE-




RE: Mobile user Firewall Comparison

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I think with the exception of Black Ice (which might be called an
ids) it really boils down to a matter of choice.  I have to see any
real hard statistical evidence that one is better than the other. 
Why not try installing them all (one at a time of course ;) and see
which one YOU like the best.

HTH,

Leon

- -Original Message-
From: Askew, Gary [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 09, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: Mobile user Firewall Comparison

Hi All,

Does anyone know of some good (recent) comparisons of the main
firewalls that would sit on Win 2k laptops for mobile users. Roughly
200 clients.

The main ones Im considering are ZoneAlarm Pro, Black Ice defender,
Tiny and Sygate but I am open to suggestions.

Thanks in advance

Gary Askew

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEHKutqAgf0xoaEuEQJnZwCguWPX0GwcW3n+dv1R2/ZDVQnvUmAAoKtF
zC7zgPYe2pzwI7X+FqOUU2+h
=bSax
-END PGP SIGNATURE-




RE: Hardening/Firewall/Network Audit

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Whisker and Nessus.

www.google.com


- -Original Message-
From: Alok Ahuja [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 08, 2002 1:39 AM
To: [EMAIL PROTECTED]
Subject: Hardening/Firewall/Network Audit

hi folks ,
i am new to the security arena.

We just installed FW1 at our office.
Now we want to do a local network Audit. Could u suggest some tools
etc. Also how to get rid of the vulnerabilities

Also we have setup a web server and wanna know which tool to audit
its vulnerabilities and how to get rid of the vulnerabilities.

ALok


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEG+ZtqAgf0xoaEuEQJTXACeOhZgY9RbU9aaayBsD8f/JSq6HU0AoOOk
Qy2XVpjMRT6kxicOpsTEG4MK
=+i82
-END PGP SIGNATURE-




RE: Study material for the Common Base of Knowledge...

2002-01-14 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

www.cccure.org has some material for the SSCP I believe.

HTH,

Leon

- -Original Message-
From: Joshua Carlson [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 10, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Study material for the Common Base of Knowledge...

Hello Everyone,

   I am currently investigating research material to obtain my
CISSP/SSCP certifications, however I am having a hard time finding
recommended books/reading material for the SSCP. If you know of any
websites or books that I should obtain aside from the Information
Security Management - Tipton (cause I already have that one on the
way) please let me know.

Thank you for your time and information.

Joshua Carlson
Professional Services Consultant
Tripwire, Inc.

_
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPEHNg9qAgf0xoaEuEQIu7QCfRuFXuhrTJm+lfoIpdW3kPGbeoWkAoP2b
JJytRj3sXkyjGDYH0VM64zN/
=JsTJ
-END PGP SIGNATURE-




MS EFS Question

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,


Quick (and perhaps easy?) question for the MS folks.

If you have a file on an NTFS volume that is encrypted (with EFS) and
you transfer it to a fat32 partition what happens?  What happens if
you copy the EFS file from one NTFS volume to another?  I am going to
guess that in the 1st case it decrypts the file (not sure).  I am
pretty sure that in the 2nd case it retains the encryption.  Can
anyone quickly verify?  I don't have a fat32 partition to test on. 
In the meantime I will try out the 2nd scenario and you are welcome
to mail me off-list if you are curious (unless someone answers it on
list).

Thanks guys (and ladies of course).

Cheers,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD0RqtqAgf0xoaEuEQJiZwCgw7TNQs9wVbIZdxAdSZGR8J6D3IoAoNZz
SUCaNmqheFn+HZIPhSYY+Btp
=Ptbl
-END PGP SIGNATURE-




RE: Firewall: a basic question

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Heh it could be implemented at layer one by securing your wiring.  On
some cisco switches (don't know about bridges) you can apply ACL's

Cheers,

Leon

- -Original Message-
From: ashley thomas [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, January 06, 2002 2:17 AM
To: [EMAIL PROTECTED]
Subject: Firewall: a basic question

hi,

which is the lowest layer where a firewall can be implemented ?
i guess, it is network layer (layer 3)

in that case , how is firewall implemented on bridges , which is a
layer 2 device ?

thanks
ashley




_
Chat with friends online, try MSN Messenger: http://messenger.msn.com


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD2qM9qAgf0xoaEuEQJDRQCgsnAyHUepshUVKeY1Y/UBcRG10w4AoN6r
PDme/3gKJLPZl33KucjfuQ0D
=R7eN
-END PGP SIGNATURE-




RE: XP security issue...

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Have you tried sniffing the traffic?  Could you post dumps to the
list?

Cheers,

Leon

- -Original Message-
From: Nicholas  Anthony McKenzie [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 1:13 AM
To: [EMAIL PROTECTED]
Subject: Re: XP security issue...

Lads and lasses,

I've just recently upgraded my home (shared) computer to XP. I have
been using X-nestat to monitor all realtime TCP connections...

Anyway i have seen a lot of random SYN packets being sent from my
computer from ports 4150, 4151,4152 etc to another destination IP
address 216.187.XX.XX on port 7730.

What the #$#@ is going on???

Regards,
Nick


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD2quNqAgf0xoaEuEQJxpwCgizUNVPNL/6iB8FTTKzfJA6C3X3wAoM5r
Ib0giTsPYW0NdQKgFO6xsXQ3
=2YyY
-END PGP SIGNATURE-




RE: Portscanning from Windows XP machine

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I have gotten nmap to compile and work with visual C++


Cheers,

Leon

PS: foundstone makes a great command line port scanner but the name
escapes me right now.  You could go to www.foundstone.com and find it
quite easily.

- -Original Message-
From: Philip Wagenaar [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, January 06, 2002 6:29 PM
To: [EMAIL PROTECTED]
Subject: Portscanning from Windows XP machine

Hi,

I'm looking for a good port scanner that will run under Windows XP.
My wishlist for it is that it scans TCP, UDP and stealth but I'm not
really sure if there is such a one under a Win environment.

I also wondered if anyone got nmap for win32 compiled and working
yet.

Philip Wagenaar




-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD2rAtqAgf0xoaEuEQKpBwCgu6w3I2gNq3hGvjwEgVU7qhMDqYoAn3mp
xoW2NVxS5AVtDMDFaZBSqRNJ
=Jqc7
-END PGP SIGNATURE-




RE: another little IM problem...

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would like to argue this point.  I posted the original post to
vuln-dev in September.  It took them 4 MONTHS to fix the hole and all
they had to do was add a filter to their server.  IMHO this is
pathetic microsoftesque (like that word folks? I bet J Dyson does,)
behavior.  Considering that an im could give up total control of your
computer and it took them 4 months to add the equivalent of a
firewall acl I find this behavior nauseating.

Cheers,

Leon

- -Original Message-
From: dewt [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:30 PM
To: Dan Trainor; [EMAIL PROTECTED]
Subject: Re: another little IM problem...

On Friday 04 January 2002 03:34 pm, Dan Trainor wrote:
 Does this alarm anyone else?  How will AOL fix this problem without
 making users download any patches / fixes?  Are they going to
 install it themselves?  If so, if they can fix this problem by
 installing a fix on to your machine, what's stopping a malicious
 user from installing
 something else on your machine?

 If I am misunderstanding how this latest vulnerability works, I do
 apologize for this junk mail. :)


 -dt
they fixed the issue on their servers, so clients don't need to
update, although there will likely be a client-side solution for the
issue in their next release. They also fixed the issue in about a day,
which is very very fast for closed source products.

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD2t1dqAgf0xoaEuEQIkQwCeOVwes+A4catJQfg0zDySxmY6JQ4AoIEl
cDGt59gCJtRM0BahzJPgGAx3
=eH+4
-END PGP SIGNATURE-




RE: PPTP and Hub and Spoke

2002-01-11 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

You can check out www.counterpane.com for a list of weaknesses with
PPTP.  Incidentally this was discussed on this list within the last 4
weeks.  Sorry I can't remember the subject heading.

HTH,

Leon

- -Original Message-
From: Jerry Roy [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 8:27 PM
To: [EMAIL PROTECTED]
Subject: PPTP and Hub and Spoke

Hello all,

I am interested if someone can let me know their Experiences with
ATT NetClient - good or bad?

Issues with PPTP Thru a FW?

Scalability of PPTP in a Hub and Spoke Environment?

TIA

Jerry Roy
Systems Engineer
Axcelerant, Inc.
w. 949-221-7208 
c. 562-305-9545

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPD23QNqAgf0xoaEuEQLS9wCeI4UfwKYd9oExU2nAgQUefDc39REAoNZe
CZY0paK8O1iDNC3Lyi+hVlky
=/SCR
-END PGP SIGNATURE-




RE: Has 3des been broken

2001-12-29 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I thought 3des used 168 bit encryption

Also the reason I asked is because I thought of it using for a VPN
solution.  So although no encryption is permanently safe; by the time
people cracked the data it would probably be worthless anyway.

Thx for your response,

Leon

- -Original Message-
From: David Correa [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 27, 2001 12:53 PM
To: Dante Mercurio
Cc: leon; [EMAIL PROTECTED]
Subject: RE: Has 3des been broken

Hi,

Although it is widely believed that 3DES is substantially stronger
than DES, as it is less amenable to brute force attack, it should be
noted that real cryptanalysis of 3DES might not use brute force
methods at all.  Instead, it might be performed using variants on
differential or linear cryptanalysis.

3DES is generally quoted as having an effective key length of 112
bits, as opposed to the 56 bits for DES. At the rate they claim, it
would take about 304,313,814,678,323 years maximum (slow/older
computers) to crack 3DES.

No encryption algorithm is permanently safe from
brute force attack, because of the increasing speed of modern
computers.

::dc::

David Correa RHCE CCNA
http://www.linux-tech.com


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPCtmZNqAgf0xoaEuEQKaTgCeNlUpFODHf9mcC+xjP5Dc+W2OcaMAoJpG
oeIubMPXRvMHmXXE0d/V0E/x
=K8+K
-END PGP SIGNATURE-
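The gap between the 168 bits leon counts and the 112 bits David quotes is the meet-in-the-middle attack, and it is easier to see on a scale you can run than to take on trust. Here it is as an added example that is not part of the original thread: a toy 16-bit block cipher (a small substitution-permutation network built for this illustration; the S-box is the one from Heys' tutorial, and nothing here is DES) is applied twice with independent keys k1 and k2. Exhaustive search would try 2^32 key pairs; the meet-in-the-middle search spends about 2 * 2^16 single-cipher operations plus a table of 2^16 entries. The same argument applied across the stages of 3DES is why a 168-bit key buys roughly 112 bits of strength. The keys and plaintexts used in `demo` are constructed.

```python
"""Meet-in-the-middle on a doubly encrypted toy cipher.

Added example, not from the thread. Shows why encrypting twice with two
independent keys does not double the effective key length: a table of
one pass forward meets a pass backward in the middle, so the work is
roughly twice one key space, not the product of the two.
"""
from typing import Dict, List, Tuple

MASK = 0xFFFF
ROUNDS = 4
# 4-bit S-box from Heys' SPN tutorial (a permutation, so it is invertible).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def round_keys(key: int) -> List[int]:
    """Toy schedule: rotate the 16-bit key and mix in a round constant."""
    return [rotl16(key, 3 * i) ^ ((0x9E37 * (i + 1)) & MASK) for i in range(ROUNDS + 1)]


def substitute(x: int, box: List[int]) -> int:
    """Apply the S-box to each of the four nibbles of a 16-bit word."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def encrypt(key: int, block: int) -> int:
    rks = round_keys(key)
    x = block
    for i in range(ROUNDS):
        x = rotl16(substitute(x ^ rks[i], SBOX), 5)
    return x ^ rks[ROUNDS]


def decrypt(key: int, block: int) -> int:
    rks = round_keys(key)
    x = block ^ rks[ROUNDS]
    for i in reversed(range(ROUNDS)):
        x = substitute(rotl16(x, 11), INV_SBOX) ^ rks[i]  # rotl 11 undoes rotl 5
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Tuple[List[Tuple[int, int]], int]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs. Returns the
    surviving key pairs and the single-cipher operations spent in the two
    search passes (candidate verification excluded), for comparison with
    the 2^32 pairs exhaustive search would try."""
    p0, c0 = pairs[0]
    ops = 0
    # Forward pass: every possible middle value, indexed by k1.
    table: Dict[int, List[int]] = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    # Backward pass: decrypt once per k2 and look for a meeting point.
    survivors = []
    for k2 in range(1 << 16):
        mid = decrypt(k2, c0)
        ops += 1
        for k1 in table.get(mid, ()):
            # Extra pairs weed out the ~2^16 chance collisions on one pair.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors, ops


def demo(k1: int = 0x1234, k2: int = 0xBEEF) -> Tuple[bool, int]:
    """Constructed keys and plaintexts; returns (keys recovered?, ops)."""
    plaintexts = [0x0000, 0x1111, 0x2222]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    survivors, ops = meet_in_the_middle(pairs)
    return (k1, k2) in survivors, ops


if __name__ == "__main__":
    found, ops = demo()
    print(f"keys recovered: {found}, single-cipher ops: {ops} (vs 2^32 = {1 << 32})")
```

The price of the attack is memory for the forward table (2^16 entries here, 2^56 for DES-sized keys), which is why it stays a theoretical bound rather than a practical break, and why leon's point about the data being worthless by the time it is recovered still stands for a VPN.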




Has 3des been broken

2001-12-24 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

I was wondering if anyone knows of any instances (through things like
distributed computing or supercomputers) that triple des have been
broken?

Thx,

Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPCWJJNqAgf0xoaEuEQJk6ACgoMZGQadBjlaq3BnjMbu5WxU9JjwAnAku
SKwvfVlup+n4o9kYRVpwNG6Z
=omtJ
-END PGP SIGNATURE-




RE: obfuscating ip's (worth the read I think)

2001-12-09 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This is not really a response to Jay's post this is just my own 2
cents for whatever that is worth (in today's economy I venture not
much).

I think a person SHOULD obfuscate their ips.  Let's say they are
running a vulnerable service and they are trying to shut it off.  Say
they cut n paste the netstat showing their ip and listening port;
they are basically saying, here I am, come get me.  Sure the point
that someone is going to find them anyway is both valid and strong
but let's face it: some people on this list don't always have the
best intentions.  Case in point going back about 6 months (maybe
more) when the t0rn r00tkit was trendy; David D made some points
about it on the incident list and what do you know. sure enough
in the next version of t0rn there was a note in the read me quoting
what David said on the incidents list (I believe it even provided
a link back to his post). 

I don't believe security through obscurity works as a means to an end
but I say the more hurdles the better.  Further I think obfuscating
the ips is not really so much security through obscurity as it is
more like common sense.  It is like saying yeah I just bought
this new lock and it appears to be broken here is my address; sure,
other people are going to try to break into the house anyway but
no need to provide a street address and exact directions on how to
get there.

Again 2 cents falling quickly

Leon

(I have recently become certified in ghi for all those following my
saga.  Currently working on jkl ;)



- -Original Message-
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 03, 2001 1:12 PM
To: Security-Basics List
Subject: Re: obfuscating ip's

- -BEGIN PGP SIGNED MESSAGE-

On Sun, 2 Dec 2001, dewt wrote:

 i see many times on this list that people post ip's of their
 machines, and of suspect machines. occasionally with lines like
 i'm running version (insert any vulnerable version number) of this
 service! or a much less serious but still iffy we only allow port
 53 through the firewall to the machine 192.168.14.3  i think a risk
 exists by posting ip addresses.

I disagree for several reasons:

1.  Any system that's reachable on the 'net is getting
aggressively scanned anyway.  Yes, discussing a problem
may yield a temporary jump in scanning, but the threat of
attack is not appreciably raised.

2.  Discussing RFC-1918 addresses is pretty moot.  Unless
someone leaves some useful clues as to the external IP
of their NAT, any planned attack on that LAN is an
exercise in futility.

 first of all you expose your own machines to risk by announcing to
 some unneeded information. sometimes a lot of information is needed
 to deduce problems, but the actual ips involved are usually not.

This is true, but only nominally so.  There's a wealth of public
information that one can use apart from any messages here by which
they can mount an attack.

The point I'm trying to make here is that obfuscating IP addresses
in the course of discussions here won't buy the author any real
security.  Anyone with access to these public repositories of
information can divine most everything they want to know if they
truly have malevolent purposes.  Obfuscating IP's isn't an
obstacle...hell, it's barely a speedbump in any case.

 i have also heard in an email message that some people do indeed
 scan these machines for innocent purposes, but that can still cause
 alarm at the other end.

Now *this* is a valid concern.  It's not a good idea to discuss
IPs of systems you don't personally own and/or manage.  As a rule, I
*never* disclose information on an employer's or contractor's
systems.  The only IPs I spill are those I personally maintain.

 as for suspect machines (scans from this ip, or attempted worms
 whatever)  also raises some issues, first of all if many people
 start scanning a compromised box the person who compromised it may
 get scared and delete everything on the system before someone
 responsible for the machine can take any appropriate action,
 alternatively you could invite scans to dialup accounts which by
 then wouldn't be the same machine anyway, slowing down someone's
 internet connection, or if the suspect traffic turned out to be a
 false alarm, you may have caused headaches for whoever deals with
 the innocent suspect machine (i know i have strange traffic
 forwarded to my pager, not sure about all of you).

I'm ambivalent on this issue.  I see scans from different sites
all over the world.  Most scans I simply ignore if they're just
vanilla scans for known vulnerable services (BIND, SunRPC, some SSHd
iterations, et cetera).  If it's a scan via a worm, I notify the
netblock owner.

But if it's repeated spews from a specific netblock and notices to
the upstream

RE: security tools with email notification

2001-12-03 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi John,

Here are my thoughts in the order that you wrote your questions.

1)  Yes I see a lot of problems.  Not so much with yahoo specifically
but the idea of sending sensitive information in clear text.  This
allows anyone on the same segment (network that is) that is running a
sniffer to see the traffic.  Obviously this is a big problem due to the
sensitivity of the information being sent.

2)  Sure.  What if he is running a sniffer (if it is a local
attacker)?

3)  I would send them to a pop3 account and write a script to have
them encrypted before they are sent using some kind of PKI solution.
I wish I had a website or link for you but I don't.  I have a sneaking
suspicion that someone probably has had this problem before and
hasn't written a script for it.

Best of luck,

Leon

- -Original Message-
From: John Christopher [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 1:32 PM
To: [EMAIL PROTECTED]
Subject: security tools with email notification


Hi -

Many security tools (logcheck, for example)
provide a facility for sending warnings, etc.
to an email address.

1. Can anyone see any security problems with
sending such info to a yahoo.com email address
(in other words, how secure is yahoo mail)?

2. Is it possible for an attacker to intercept
email messages sent from a host he has targeted?

3. Should such emails be encrypted before being
sent?

Thanks -
JC


__
Do You Yahoo!?
Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAlwgdqAgf0xoaEuEQLUIgCgkx5AVL4FUqEGSmICPD+IEd+LaXcAn2F9
K5RFxIIIQa+GturKmQ6Qnewj
=j2kB
-END PGP SIGNATURE-
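Leon's suggestion in (3), as an added example that is not code from this thread: a wrapper that takes the tool's output on stdin, encrypts it to the recipient's public key with gpg, and wraps the ciphertext in a PGP/MIME message so that a sniffer on the segment, or the mailbox provider, sees only the headers. It assumes gpg is installed with the recipient's key already imported and sendmail at /usr/sbin/sendmail; the sample alert line and the armor block in the code are constructed placeholders, not real ciphertext. The cleartext builder is included only to show what the question describes.

```python
"""Encrypt a security tool's alert before it leaves the host.  Added example
for this thread (not from the original messages).  Assumes a gpg binary and
an imported public key for the recipient; the sendmail path, the sample
alert and the placeholder armor block are constructed for illustration."""
import subprocess
import sys
from email.encoders import encode_7or8bit
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def encrypt_with_gpg(plaintext: bytes, recipient: str) -> bytes:
    """ASCII-armored public-key encryption via gpg.  check=True raises on any
    gpg failure, so there is no fall-through to sending cleartext.  Needs a real
    key ring; not exercised offline."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True)
    return proc.stdout


def is_armored(body: bytes) -> bool:
    """Guard applied before sending: only an armored block may become the body."""
    return body.startswith(ARMOR_HEADER)


def build_cleartext_alert(sender: str, to: str, subject: str, alert_text: bytes) -> Message:
    """The pattern the question describes: the alert goes out as plain text."""
    msg = MIMEText(alert_text.decode("utf-8", "replace"), "plain")
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    return msg


def build_pgp_mime_alert(sender: str, to: str, subject: str, armored: bytes) -> MIMEMultipart:
    """RFC 3156 multipart/encrypted: a control part saying 'Version: 1' and the
    ciphertext part.  Only From/To/Subject stay readable on the wire, so keep the
    subject generic."""
    if not is_armored(armored):
        raise ValueError("refusing to send: body is not PGP-armored ciphertext")
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encode_7or8bit))
    msg.attach(MIMEApplication(armored, "octet-stream", _encoder=encode_7or8bit,
                               name="encrypted.asc"))
    return msg


def leaks_cleartext(msg: Message, alert_text: bytes) -> bool:
    """What a sniffer on the segment would see: does any non-empty line of the
    original alert appear verbatim in the serialized message?"""
    wire = msg.as_bytes()
    return any(line.strip() in wire for line in alert_text.splitlines() if line.strip())


# Constructed inputs: a logcheck-style line and a placeholder armor block that
# has the right framing but is not real ciphertext.
SAMPLE_ALERT = (b"Nov 29 13:32:01 gw sshd[812]: Failed password for root "
                b"from 10.1.2.3 port 4040 ssh2\n")
SAMPLE_ARMOR = (ARMOR_HEADER + b"\n\nhQEMA3BsYWNlaG9sZGVyAQf/Y29uc3RydWN0ZWQ=\n"
                b"=AbCd\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    # usage: logcheck ... | python3 pgp_alert.py <recipient-key> <from> <to>
    recipient, sender, to = sys.argv[1:4]
    cipher = encrypt_with_gpg(sys.stdin.buffer.read(), recipient)
    message = build_pgp_mime_alert(sender, to, "alert", cipher)
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=message.as_bytes(), check=True)
```

Because build_pgp_mime_alert refuses a body that is not armored, a gpg failure produces no mail at all rather than a cleartext one; that is the property worth keeping when adapting this to another tool.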




RE: Spoofing question?

2001-12-02 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi again Dee,

Spoofing is usually for subversion-of-trust attacks and works with
session hijacking.  Probably the most famous example of this would be
the Christmas attack by Mitnick (I believe he spoofed his IP to be
that of the trusted system when he hijacked the session and
SYN-flooded the host.  Maybe I am confused and this is just TCP
sequence prediction I am talking about).  Also spoofing is used when
you don't care about the return packet (ie DoS/DDoS).  Lastly someone
on this list posted a link to a great article on doing idle scans
with nmap and hping2.  Below is the link.

HTH and not confused,

Leon

http://www.sans.org/infosecFAQ/audit/hping2.htm



- -Original Message-
From: Dee Harrod [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 27, 2001 3:18 PM
To: SecurityBasics
Subject: Spoofing question?

How does spoofing work?

If I change the source address of my outbound packet,
how do I get the response? How does it get back to me?

- -- Dee


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAeoB9qAgf0xoaEuEQLsqQCg4PpTzQodLGkJkkAaksdAlwwlPIkAoITw
VJHv3BjRxEpT78aWReiys5mS
=AnFg
-END PGP SIGNATURE-
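Dee's question at the packet level, as an added example (not code from this thread): the source address is just a field the sender fills in and nothing on the path checks, so the SYN below carries whatever address is claimed and the SYN/ACK goes there, not back to the sender. That is why spoofing is useful for blind attacks (floods, sequence-number guessing) and why the idle scan Leon mentions reads the zombie's IP ID instead of waiting for a reply. The 192.0.2.x and 198.51.100.x addresses are documentation ranges chosen here; sending needs a raw socket (root), and egress filtering per RFC 2827 will often drop a packet whose source is not the sender's own network.

```python
"""Build an IPv4/TCP SYN with an arbitrary (spoofed) source address and check
it the way a receiver would.  Added example for this thread, not from it.
Addresses are documentation ranges; sending is attempted only when run as a
script and needs root."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, returned complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; 'src' is whatever the caller claims, hence spoofable."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, seg_len)


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only SYN set.  The checksum covers the pseudo
    header, so the claimed source address is baked into the transport sum too."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = checksum(tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def spoofed_syn(claimed_src: str, dst: str, sport: int, dport: int) -> bytes:
    seg = tcp_syn(claimed_src, dst, sport, dport)
    return ipv4_header(claimed_src, dst, len(seg)) + seg


def parse_addresses(packet: bytes):
    """(src, dst) exactly as the receiving host will read them from the wire."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def checksums_valid(packet: bytes) -> bool:
    """Receiver's check: the sum over header plus stored checksum must be zero."""
    src, dst = parse_addresses(packet)
    seg = packet[20:]
    ip_ok = checksum(packet[:20]) == 0
    tcp_ok = checksum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0
    return ip_ok and tcp_ok


def idle_scan_verdict(zombie_ipid_before: int, zombie_ipid_after: int) -> str:
    """Idle scan inference: the spoofed SYN names the zombie as source, so the
    target answers the zombie.  A SYN/ACK makes the zombie emit one RST (IP ID +1)
    on top of the +1 from our own probe of it; a RST from a closed port is ignored."""
    delta = (zombie_ipid_after - zombie_ipid_before) & 0xFFFF
    return {1: "closed or filtered", 2: "open"}.get(delta, "zombie busy, retry")


if __name__ == "__main__":
    # Hypothetical addresses: the reply to this SYN goes to 192.0.2.10, not to us.
    pkt = spoofed_syn("192.0.2.10", "198.51.100.5", 40000, 80)
    print(parse_addresses(pkt), checksums_valid(pkt))
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, ("198.51.100.5", 0))      # root only; egress filtering may drop it
```

The checksum test vector is the standard IPv4 header example (checksum 0xB861); the receiver-side check is what any host, firewall or IDS on the path can verify about the packet, and it says nothing about whether the source address is honest.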




RE: Unix Security Standards, books, tools...

2001-12-02 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Real World Linux Security by Bob Toxen is by far the best book I have
ever read on Linux and it of course applies to Unix.

HTH,

Leon

- -Original Message-
From: tony toni [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 28, 2001 9:09 PM
To: [EMAIL PROTECTED]
Subject: Unix Security Standards, books, tools...

Folks,

I recently was assigned the project of developing security standards
for our Unix environment. We have about 400 Unix boxes (HP-UX, Sun
Solaris, AIX, etc) and the admins do their *own thing* with these
boxes.

This is not a project I exactly like...I am buried with 20 other
projects...and I am not a Unix guru. For each Unix *flavor*, I need to
develop Unix security standards that will cover areas like
configuration settings, defaults, permissions, admin. account,
password file, shells, trusts, root, patches, logging, etc.

These are my questions:

(1) Does anyone know where I can quickly get my hands on some high
quality, concise security standards/templates/checklists for each Unix
*flavor*?

(2) What about good books/sites on Unix Security?

(3) What about user friendly software tool(s) that I can periodically
use to audit the Unix boxes for compliance to the new security
standards I developed?

Thanks

Tony
IT Security Manager
Major Telecommunications Company





_
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAfhYNqAgf0xoaEuEQIeWwCfcqDxYwNsVcpcECSghd08cvDFnUMAn0tZ
bulvf9b7zk5FEhgqRc2I0Hp0
=cFts
-END PGP SIGNATURE-
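For Tony's question (3), an added example of the kind of compliance check that can be written once and run on every flavor, since it reads the text of passwd and shadow and stat() modes rather than vendor-specific tools. It is not from this thread; the sample files are constructed, and the policy it encodes (one UID 0 account, no empty password fields, no hashes left in the world-readable passwd, no login shells on system UIDs, no world-writable paths without the sticky bit, shadow unreadable to others) is an assumption to replace with whatever standard Tony ends up writing.

```python
"""Baseline account and permission checks over passwd/shadow text and file
modes.  Added example, not from the thread; sample data is constructed and
the policy constants are assumptions."""
import os
import stat
from typing import Dict, Iterable, List

NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
SYSTEM_UID_MAX = 100          # assumption; vendor conventions differ


def parse_colon_file(text: str, nfields: int) -> List[List[str]]:
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == nfields:
                rows.append(fields)
    return rows


def audit_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """One finding string per violation in the account database."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 9)}
    extra_root = [f[0] for f in passwd if f[2] == "0" and f[0] != "root"]
    if extra_root:
        findings.append("non-root UID 0 accounts: " + ", ".join(extra_root))
    for name, pw, uid, _gid, _gecos, _home, shell in passwd:
        if pw not in ("", "x", "*", "!", "!!", "NP"):
            findings.append(f"{name}: password hash kept in world-readable passwd")
        if shadow.get(name, pw) == "":          # shadow entry wins, else the passwd field
            findings.append(f"{name}: empty password field, logs in without a password")
        if uid.isdigit() and int(uid) < SYSTEM_UID_MAX and name != "root" \
                and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: system account with login shell {shell}")
    return findings


def audit_modes(modes: Dict[str, int]) -> List[str]:
    """Findings on file modes; 'modes' maps path -> st_mode (see live_modes)."""
    findings = []
    for path, mode in modes.items():
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(f"{path}: world-writable")
        if os.path.basename(path) == "shadow" and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path}: readable by group or other")
    return findings


def live_modes(paths: Iterable[str]) -> Dict[str, int]:
    return {p: os.stat(p).st_mode for p in paths if os.path.exists(p)}


# Constructed sample database: a second UID 0 account, a system account with a
# real shell, and a guest account with no password at all.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backdoor:/root:/bin/sh
daemon:x:1:1:daemon:/:/sbin/nologin
lp:x:4:7:lp:/var/spool/lp:/bin/sh
tony:x:1001:100:Tony:/home/tony:/bin/ksh
guest::1002:100:Guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$saltsalt$hashhashhashhashhashha:11650:0:99999:7:::
toor:$1$saltsalt$hashhashhashhashhashha:11650:0:99999:7:::
daemon:*:11650:0:99999:7:::
lp:*:11650:0:99999:7:::
tony:$1$saltsalt$hashhashhashhashhashha:11650:0:99999:7:::
guest::11650:0:99999:7:::
"""

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        passwd_text = fh.read()
    shadow_text = open("/etc/shadow").read() if os.access("/etc/shadow", os.R_OK) else ""
    checks = audit_accounts(passwd_text, shadow_text)
    checks += audit_modes(live_modes(["/etc/shadow", "/etc", "/tmp", "/usr/bin", "/etc/init.d"]))
    for finding in checks:
        print(finding)
```

Run as root from cron on each box and diff the output against the previous run; a new finding is a configuration drift worth a ticket, which is most of what a periodic compliance audit amounts to.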




RE: Ip Spoofing I Think

2001-12-02 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Do you allow anon relaying? If so turn it off immediately.

Leon

- -Original Message-
From: Gerald Lyons [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 10:26 AM
To: [EMAIL PROTECTED]
Subject: Ip Spoofing I Think

Mailer: SecurityFocus

We have been getting complaints about spam going 
through our web server...The e-mail that people are 
receiving has 'Received: from 208.149.120.240' 
which is our IP address...We do have a Mail Server 
but it shows no logs of the sender or the receivers.. 
We have contacted CW, our ISP, but have gotten 
nowhere with them...I need help. Any suggestions 
on what to do about this..

Thank You
Gerald Lyons
[EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAfhztqAgf0xoaEuEQIEgwCfTFT6mwjnWVciaL3c/yTzJrAYx8MAnjba
uso5QzVTLpKJrdvB0xLomiHm
=XP5W
-END PGP SIGNATURE-
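A way to test Leon's suspicion, as an added example that is not code from this thread: speak just enough SMTP to the server to see whether it accepts RCPT TO for a domain it is not responsible for, and stop before DATA so nothing is ever delivered. Run it from a host outside your own network; from inside, a server that legitimately relays for its LAN will also answer 250. The host and domain names are placeholders, and ScriptedServer is a constructed stand-in for a real MTA so the logic runs offline.

```python
"""Open-relay probe with an offline scripted peer.  Added example for this
thread, not from it; names and canned replies are constructed."""
import socket
from typing import Callable, List, Tuple


def read_reply(recv: Callable[[int], bytes]) -> Tuple[int, str]:
    """Read one SMTP reply, including '250-' continuation lines; return (code, last line)."""
    buf = b""
    while not (buf.endswith(b"\r\n") and buf.splitlines()[-1][3:4] == b" "):
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    last = buf.decode("ascii", "replace").splitlines()[-1]
    return int(last[:3]), last


def probe_relay(sendall, recv, helo: str, mail_from: str, rcpt_to: str) -> Tuple[bool, List[str]]:
    """True if the server accepts RCPT TO for a foreign domain.  DATA is never
    sent, so even an open relay delivers nothing on our account."""
    transcript: List[str] = []

    def cmd(line: str) -> int:
        sendall((line + "\r\n").encode("ascii"))
        code, text = read_reply(recv)
        transcript.append(f"C: {line}\nS: {text}")
        return code

    code, banner = read_reply(recv)
    transcript.append(f"S: {banner}")
    if code != 220 or cmd(f"HELO {helo}") != 250 or cmd(f"MAIL FROM:<{mail_from}>") != 250:
        return False, transcript
    relays = cmd(f"RCPT TO:<{rcpt_to}>") == 250
    cmd("RSET")
    cmd("QUIT")
    return relays, transcript


def probe_host(host: str, port: int = 25, **kw) -> Tuple[bool, List[str]]:
    """Live probe over a TCP connection to the server under test."""
    with socket.create_connection((host, port), timeout=15) as s:
        return probe_relay(s.sendall, s.recv, **kw)


class ScriptedServer:
    """Constructed stand-in for an MTA: one canned reply per command verb."""

    def __init__(self, rcpt_reply: str):
        self.out = b"220 mail.example.net ESMTP\r\n"        # greeting waits for first recv
        self.replies = {"HELO": "250 mail.example.net", "MAIL": "250 2.1.0 Ok",
                        "RCPT": rcpt_reply, "RSET": "250 2.0.0 Ok", "QUIT": "221 2.0.0 Bye"}

    def sendall(self, data: bytes) -> None:
        verb = data.decode("ascii").split()[0].upper()
        self.out += (self.replies.get(verb, "500 5.5.1 Unknown command") + "\r\n").encode("ascii")

    def recv(self, n: int) -> bytes:
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    import sys
    opened, log = probe_host(sys.argv[1], helo="probe.example.org",
                             mail_from="probe@example.org", rcpt_to="relaytest@example.com")
    print("\n".join(log))
    print("OPEN RELAY" if opened else "relay refused")
```

If the server refuses the foreign recipient but the complaints continue, look instead at whether the Received line is forged or whether a web script on the server is being used to send mail, since both would show up in the same complaints without any relaying.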




RE: List of dos apps? (was svchost.exe)

2001-12-02 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi.  I am sorry if I didn't make myself clearer.  Sysinternals is a
great site.  My question was does anyone have a list of the dos apps
that come installed by default with xp (eg netstat, tasklist, arp,
ping, traceroute, etc).

That is what I meant.  I am sorry for not making myself clearer the
first time.  I am looking for a list of dos apps that are installed
by default on win xp (win 2k would be nice also)

I checked M$ site and google and did not find anything.  I am hoping
someone on the list has a link or .txt for me.

Cheers and hope everyone is having a great weekend.

Leon

- -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, December 01, 2001 5:07 PM
To: leon; 'Richard'; 'Jonas M Luster'
Cc: [EMAIL PROTECTED]
Subject: Re: List of dos apps? (was svchost.exe)

A good source of tools is www.sysinternals.com  :)


- - Original Message - 
From: leon [EMAIL PROTECTED]
To: 'Richard' [EMAIL PROTECTED]; 'Jonas M Luster'
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 29, 2001 03:01
Subject: List of dos apps? (was svchost.exe)


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Anyone have a list or a link to the complete dos tools that are
 installed by default with XP?
 
 Thx
 
 Leon
 
 - -Original Message-
 From: Richard [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, November 27, 2001 7:21 AM
 To: Jonas M Luster
 Cc: [EMAIL PROTECTED]
 Subject: Fw: svchost.exe
 
  To see what process this is hosting, do a tlist  on the
  process id 
 
 XP does not have tlist.
 
 Yes it does.  MS is constantly renaming utilities, tlist in xp is
 tasklist
 and
 it's installed by default, which is a nice change.
 
 This is an old link to Default Processes in Windows 2000 that you
 may also
 find useful.  I don't think MS has released a similar kb article
 for xp yet.
 
 http://support.microsoft.com/support/kb/articles/q263/2/01.asp
 
 
 -BEGIN PGP SIGNATURE-
 Version: PGPfreeware 6.5.8 for non-commercial use
 http://www.pgp.com  
 
 iQA/AwUBPAWXDdqAgf0xoaEuEQIZdgCfQLVhjEYUBgM0mrHeb11SQHbN5/oAoNMA
 uWO/k+MXcM6FaCgOr8mLlgaB
 =0wRu
 -END PGP SIGNATURE-


_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAlblNqAgf0xoaEuEQIZFwCcDRz7jMVXiwnui6PuVerNPueTRbEAn3oC
PljGzcvh9xGvuc5bQjoydqMu
=hWYo
-END PGP SIGNATURE-




RE: NAT/PAT (Hide NAT) Vulnerabilities?

2001-12-01 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Snipped down to last paragraph

So it seems to me that if you use NAT/PAT, you don't
need a real firewall unless you're actually permitting
some kind of traffic to connect to something from the
outside.

Is that right?

- -- Dee

Hi Dee,

A lot of firewalls use NAT/PAT so if you are using it then you are
using a firewall/ing (technique?)  Also if you don't have any
listening services then it becomes much harder for an attacker to
remotely execute code on your system (especially if it is *ix, hi m$
outlook and all your bugs ((heh I say that as I type this e-mail in
outlook)) ).

Not sure if that cleared things up or not.  I think it is really
arguing the semantics of a nuance (ie NAT/PAT forget about firewall
yet a lot of firewalls actually use this for firewalling or a means
of).

HTH,

Leon


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAenBNqAgf0xoaEuEQLz7ACfWR8W3+cuRWZ0KHkdeAS8cVNTgW4An1AJ
i1Wd139r7vhcQvDZGob/Z4/c
=zpvZ
-END PGP SIGNATURE-




default password(s) website(s)

2001-11-30 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,

I used to have links to a couple of websites that had default password
databases.  I can only find these out of my links;
http://www.securityparadigm.com/defaultpw.htm
http://www.phenoelit.de/dpl/dpl.html
http://www.underground.org.pl/majdom/dpl.html


With the exception of the phenoelit one they mostly seem out of date
(relative I know).  Anyone with any other links they would like to
contribute?

Best regards,

Leon 


PS: a quick google search revealed the 3 I named plus this one which
didn't supply instant gratification (it didn't just throw passwords
at me like the other ones).  So feel free to check this out also if
you have patience (unlike me). http://security.nerdnet.com/index.php




-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBPAV4K9qAgf0xoaEuEQIyFgCgh6gzGrzBOAvmL96StsiC1lCZqlQAni80
T5oTz9b6Wfxq4Eds2HccO+t4
=aPke
-END PGP SIGNATURE-




RE: WIN2K Ports 32000 32001 Open ?

2001-11-26 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

See the problem with saying this is this or that based on static port
assignment is that it makes a huge assumption; it assumes that either
the attacker is using a program that does not allow him to change the
port or if he is using one he decided not to change the port.  You
should not make an assumption or underestimate the situation.  So
when people write to the list I always, and I think most
professionals will agree with me on this, tell them they have to
identify and investigate what process is bound to the port.  It is
always nice to do a little investigation and see what port is
registered or if a Trojan port is listed in a database but in the end
you have to identify both the process and related dll's and hopefully
sniff some traffic to or from it.
Hope that clears it up for a lot of people (it seems like a lot of
people get confused on this point, ie getting bogged down in this port
or that).

Regards,

Leon

- -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, November 24, 2001 5:22 AM
To: 'Richard Feaver'; [EMAIL PROTECTED]
Cc: leon
Subject: RE: WIN2K Ports 32000  32001 Open ?


http://www.simovits.com/trojans/tr_data/y358.html




 

leon [EMAIL PROTECTED]
11/23/2001 09:53 PM
To: 'Richard Feaver' [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: RE: WIN2K Ports 32000  32001 Open ?


- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Why don't you get f-port or vision from foundstone.com and track down
the process that is bound to the port?


Regards,

Leon

- - -Original Message-
From: Richard Feaver [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:38 AM
To: [EMAIL PROTECTED]
Subject: WIN2K Ports 32000  32001 Open ?

Greets all,

recently checking one of our Win2k boxes
I found ports 32000 and 32001 open
and listening for connections.
checking google I failed to find
much concerning port 32000 but I did
find a trojan called Donald Dick which
apparently runs on port 32001. I've checked
official application port listings and those
port numbers are not registered so I can only
assume it's a trojan of some sort.

Has anyone else had any experience with these
port numbers or could offer any more advice
as to track down exactly what it is and how I
could go about curing the problem. I tried a
reboot as well but they were still open on re-startup.

thank you,

rich

- -BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use
http://www.pgp.com

iQA/AwUBO/6pSdqAgf0xoaEuEQIeDACfct/JtOM6E2A0RxD52g7Ysq1m9KMAn374
w2dambja8M8xsBEfmsoqClhE
=8Zpl
- -END PGP SIGNATURE-






-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO//ZY9qAgf0xoaEuEQLtqgCgy4e10y561RINmNFDiCITtetciF8AoIZz
d9GG5W34xi/Er6TVKQF3g+gP
=HPp1
-END PGP SIGNATURE-




RE: WIN2K Ports 32000 32001 Open ?

2001-11-24 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Why don't you get f-port or vision from foundstone.com and track down
the process that is bound to the port?


Regards,

Leon

- -Original Message-
From: Richard Feaver [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 21, 2001 5:38 AM
To: [EMAIL PROTECTED]
Subject: WIN2K Ports 32000  32001 Open ?

Greets all, 

recently checking one of our Win2k boxes
I found ports 32000 and 32001 open
and listening for connections.
checking google I failed to find
much concerning port 32000 but I did
find a trojan called Donald Dick which
apparently runs on port 32001. I've checked
official application port listings and those
port numbers are not registered so I can only
assume it's a trojan of some sort.

Has anyone else had any experience with these
port numbers or could offer any more advice
as to track down exactly what it is and how I
could go about curing the problem. I tried a
reboot as well but they were still open on re-startup.

thank you,

rich

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/6pSdqAgf0xoaEuEQIeDACfct/JtOM6E2A0RxD52g7Ysq1m9KMAn374
w2dambja8M8xsBEfmsoqClhE
=8Zpl
-END PGP SIGNATURE-
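The step Leon recommends in both of these replies, identify the process bound to the port rather than trusting a trojan port list, done on Linux with nothing but /proc, as an added example that is not code from this thread: /proc/net/tcp gives each socket's inode, and the /proc/<pid>/fd symlinks show which process holds that inode. The /proc/net/tcp excerpt in the code is constructed (with Richard's ports 32000 and 32001 listening); the live walk only runs as a script and needs root to see other users' descriptors. On Windows this is exactly what fport does.

```python
"""Resolve a listening TCP port to its owning PID via /proc.  Added example,
not from the thread; the sample table is constructed, the live walk needs root."""
import os
import re
from typing import Dict, List, Optional, Tuple

TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x0A: "LISTEN"}   # the ones that matter here

Socket = Tuple[str, int, str, int]          # (local_ip, local_port, state, inode)


def parse_proc_net_tcp(text: str) -> List[Socket]:
    """Decode the kernel's hex, host-byte-order table into (ip, port, state, inode)."""
    sockets = []
    for line in text.splitlines()[1:]:                    # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        hexip, hexport = f[1].split(":")
        ip = ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))  # little-endian host
        state = TCP_STATES.get(int(f[3], 16), f"0x{f[3]}")
        sockets.append((ip, int(hexport, 16), state, int(f[9])))
    return sockets


def socket_owners() -> Dict[int, int]:
    """Live: socket inode -> pid, by reading every /proc/<pid>/fd/* symlink."""
    owners: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:
            continue                                     # process gone, or not ours without root
    return owners


def pid_for_port(port: int, sockets: List[Socket], owners: Dict[int, int]) -> Optional[int]:
    """PID listening on the port, or None if nothing listens or the owner is invisible."""
    for _ip, lport, state, inode in sockets:
        if lport == port and state == "LISTEN":
            return owners.get(inode)
    return None


def describe(pid: int) -> str:
    """exe path and command line: what to investigate next (a trojan may forge the name)."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        return f"pid {pid}: {exe} [{cmdline}]"
    except OSError:
        return f"pid {pid}: (no permission or process exited)"


# Constructed /proc/net/tcp excerpt: listeners on 0.0.0.0:32000 and 0.0.0.0:32001
# (0x7D00 and 0x7D01) plus an established session on 127.0.0.1:22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7D00 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7D01 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 12399 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    import sys
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    owners = socket_owners()
    for port in map(int, sys.argv[1:] or ["32000", "32001"]):
        pid = pid_for_port(port, live, owners)
        print(f"port {port}: " + (describe(pid) if pid else "no visible listener"))
```

A listener whose inode appears in no process's fd table while you are root is itself a finding: either the process is hiding (a kernel-level rootkit) or the socket belongs to the kernel, and both deserve a look from a trusted boot medium rather than more tools on the suspect box.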




RE: Has anyone seen this before?

2001-11-24 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

If you are worried about being overloaded by this traffic, (or any
undesirable traffic for that matter), why not just throw them in your
edge router's ACLs?  After that why not contact the owners of the IPs
after you do a whois on them?

HTH,

Leon

- -Original Message-
From: Seth Keller [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 21, 2001 2:51 PM
To: [EMAIL PROTECTED]
Subject: Has anyone seen this before?

We have been absolutely bombarded for the last 3 hours from a range
of IPs which appear to be performing legitimate requests to port 80
on our web server.  Our T1 line has seen 100% utilization for the
last 3 hours.  We are getting roughly 500-600 requests per minute
from a specific range of IPs.  The IP addresses revolve around in
near perfect order.  They start at 216.106.166.141 and roll up to
216.106.166.207 before repeating.  Any ideas?  Thanks in advance.

Seth Keller
Culver Community Schools


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/6qA9qAgf0xoaEuEQL8EACbBtJKS9zIfQWqbX7ETqbQCgSNOTwAoMZl
ntlvP2/Mgr9tCf/7fRb/KTLE
=saY4
-END PGP SIGNATURE-
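The detection side of Seth's situation and the ACL Leon suggests, as an added example that is not code from this thread: count requests per source per minute from the web server's access log, flag sources over a threshold, fold them into covering /24s so a rotating range becomes one entry, and emit router deny lines. The log lines are constructed in Common Log Format using the range Seth quotes, and the ACL syntax is the Cisco IOS numbered extended-ACL form, which is an assumption to check against the actual edge router.

```python
"""Flood detection over an access log with ACL output.  Added example, not
from the thread; the log is constructed and the ACL syntax is an assumption."""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Set

# host ident user [dd/Mon/yyyy:HH:MM:SS zone] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d [^\]]*\] "[^"]*" (\d{3}) ')


def requests_per_minute(lines: Iterable[str]) -> Counter:
    """(source ip, minute) -> request count; malformed lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = CLF.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def hot_sources(counts: Counter, per_minute: int) -> Set[str]:
    """Sources that exceeded the per-minute threshold in at least one minute."""
    return {ip for (ip, _minute), n in counts.items() if n > per_minute}


def covering_networks(ips: Iterable[str], prefix: int = 24) -> List[str]:
    """Collapse hot sources into /24s so a rotating range becomes one ACL entry."""
    return sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})


def acl_lines(networks: List[str], acl: int = 101, port: int = 80) -> List[str]:
    """IOS-style deny lines (wildcard mask = inverted netmask), then the explicit permit."""
    lines = []
    for net in map(ipaddress.ip_network, networks):
        lines.append(f"access-list {acl} deny tcp {net.network_address} {net.hostmask} any eq {port}")
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def constructed_log() -> List[str]:
    """Made-up traffic: 67 hosts 216.106.166.141-207 each hitting / 30 times in one
    minute, plus a handful of ordinary visitors."""
    lines = []
    for last in range(141, 208):
        for sec in range(30):
            lines.append(f'216.106.166.{last} - - [21/Nov/2001:14:05:{sec:02d} -0500] '
                         f'"GET / HTTP/1.0" 200 4521')
    for sec, host in ((3, "203.0.113.7"), (40, "198.51.100.23"), (59, "203.0.113.7")):
        lines.append(f'{host} - - [21/Nov/2001:14:05:{sec:02d} -0500] '
                     f'"GET /news.html HTTP/1.0" 200 8812')
    return lines


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else constructed_log()
    hot = hot_sources(requests_per_minute(lines), per_minute=20)
    for entry in acl_lines(covering_networks(hot)):
        print(entry)
```

Pick the threshold from a quiet day's maximum per-source rate rather than from the attack, and put the deny on the router's upstream interface: a deny on the server only saves CPU, while the T1 stays saturated until the packets are dropped before they cross it, which is the ISP conversation Seth is having.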




bricker server question

2001-11-24 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,
 
It seems that SNP is now being protected by (or at least using) a
firewall by the name of the brick server.  I have never heard of this
firewall; does anyone on the list have anything to say about it (practical
experiences, nightmares, feedback, etc)?  I checked google and did
not find that many useful references (even less if you are looking
for practical experience as opposed to a review of the product).
 
Thanks in advance and I have provided the link below.
 
 
http://www.thirdpig.com/brickserver.htm
 
 
Cheers and hope everyone had a fantastic thanks-giving.
 
Leon

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/5mCdqAgf0xoaEuEQIvKwCg76hU745JC4CZPHAzmePxPlaiPKkAoJKl
aL9Z8cEhEsATNZ133p8x0Z2G
=WKAN
-END PGP SIGNATURE-




SNP back from the ashes

2001-11-24 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The SecurityNewsPortal is BACK !

http://206.61.52.48/index.html 

You can use this direct IP address to get to the new
web site until the new DNS of
www.SecurityNewsPortal.com starts working again.

The SNP will initially return to the Internet running
with its barebones skeleton web page, often referred
to by our regular viewers of SNP as the 'surgery' web
page. A term coined by the users when I posted this
style of interim page online while having surgery and
I was not able to perform the hourly ( by the minute )
news updates like usual. 

I have added several new features to the 'surgery'
page that will give you access to the entire news
resources at moreover.com and newsnow.com.  As well I
have placed a news search engine on the page that has
the ability to search for news at eighty-two different
news resources.

As soon as possible the SNP will return to its
previous look, feel and method of presenting the
latest breaking security, hacking and virus news. This
is what we will be silently constructing in the
background over the next couple of weeks. 

Until the SNP returns to its full original look and
feel we want to thank you for visiting and we hope you
will be able to make use of the new features we have
added to the 'temporary' web page that we have put up
for your use.

Hopefully within a few days the folks at Network
Solutions will do their magic and make our domain name
of www.SecurityNewsPortal point to this new server. In
the meantime feel free to bookmark this IP address
until the domain name address of
www.SecurityNewsPortal.com starts working again

http://206.61.52.48/index.html

As you know, the SNP is owned, operated and paid for
by one person as a non-commercial web site. As such
there were limitations as to how much money could be
spent towards finding a secure web hosting environment
that took server security as seriously as we wanted
and required. Being a 'one man' beer budget operation
we knew our limitations on how much we could afford to
spend to support this 'hobby' web site.

During the course of all these events the SNP was
overwhelmed with kind offers of support from its
viewership, many of whom work for some of the leading
security product and services companies. SNP looked at
the many kind offers of assistance that were put
forward and entered into discussions with a major
security product and services vendor who wished to
bring the SNP under the protection and support of
their publishing subsidiary. Unfortunately, everything
was proceeding quite favorably until the lawyers
entered the picture. 

At that point the negotiations collapsed. It is
unfortunate that the negotiations had to end after
having consumed so much valuable time, but SNP had to thoroughly
investigate that kind offer as its long term benefits to the future
of SNP would have been a dream come true for any webmaster.

One of the conditions of the negotiations hinged on
the server that would host the SecurityNewsPortal. It
was SNP's desire to make use of the BRICKServer that
had been graciously offered by SAGE Inc, aka
ThirdPig.com. We were already familiar with this
technology which provides a single box solution that
offers the hardware, software and security measures
all built into one convenient package. Due to the
excellent history of this product in the 'real world'
we were confident that it would provide an effective
solution that would permit the SNP to resume operating
in a safe and secure manner.

We are pleased to acknowledge that SNP is now running
on a BRICKServer provided by SAGE Inc. Within 20
minutes of my phone call to ThirdPig.com the server
was placed online for SNP. Within five minutes of
receiving the program that controls the administrative interface to
the server I was able to start transferring the interim web pages to
the server. The speed with which the BRICKServer was put online and
made functional for SNP's use is a testimony to all the good things
that we had heard about this particular hardware, software, security
product. We are proud to fly the banner for the BRICKServer on our
home page. 

SNP would like to take this opportunity to thank all
of the companies that stepped forward and offered
their services, products, network hosting and other
kind offers of assistance. It is because of this
overwhelming show of support from the professional
security community that this 'one man' beer budget
operation has returned to the Internet. Your kindness
will long be remembered and will motivate us to build
a bigger and better SNP for your news reading
enjoyment.

SNP would also like to take this opportunity to
personally thank and acknowledge the thousands of
people ( 5000+) who took the time to write directly to
us and offer us their kind words of support. We were
truly touched and overwhelmed by this massive show of
support and sympathy to our plight. Your kind words
will be the fuel that motivates us to improve and
double our efforts 

RE: Application Development

2001-11-21 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Securityfocus has a mailing list that is called secure programming.
Perhaps that would help.  If not you could always try google and
throw in some key words like "secure programming".  I just did and it
returned a ton of results for me!!

Cheers,

Leon

- -Original Message-
From: Patrick Fong [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 16, 2001 11:42 PM
To: [EMAIL PROTECTED]
Subject: Application Development

Hi

I am a Java programmer. I am interested in the security aspects of
application development. Java being the Internet programming language
involves understanding Internet security concepts. About a month ago,
I got an email outlining a lot of the Internet security concepts like
Session Hijacking and many others that I can't remember from one of
security focus' lists. I was wondering if someone can give me some
links and books perhaps so that I can learn more about these concepts.
I am aware of Sun's Java security web site. I want to know about
others.

I have heard of CISSP - however I do not have the amount of
experience to sit for that exam. Is there anything else?

Patrick 


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/pr19qAgf0xoaEuEQKr2ACg+nyO32oe1gkbRo5sPfYzWPc7Tq4An2lt
CVY75jr5cFyLUDgpXj0ERqO0
=Z+0/
-END PGP SIGNATURE-




RE: Multiple port mirroring?

2001-11-21 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Does it have to be logical or can it be physical?  There are switches
out there that actually have physical spanning ports (that is you
plug your computer / sniffer into the span port and it actually gets
a mirror of all the traffic traversing the switch).  I bet you could
even configure a cisco switch (I bet but I am not sure, especially on
some of the higher end models with the CAT OS) that you could have it
set up logically also.  Could someone let me know if I am wrong about
the cisco comment because I am curious as to the answer myself.

Regards,

Leon

- -Original Message-
From: Marc Mc Guinness [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 19, 2001 1:04 AM
To: [EMAIL PROTECTED]
Subject: Multiple port mirroring?

Hello!

Am Mittwoch, 14. November 2001 19:24 schrieb David Ellis:
 What you could actually do is create a mirrored port on your
 switch and sniff all the traffic that way

Does anybody know something about switches, which can do multiple 
port mirroring? What I want is one port, that gets all the traffic 
of the other ports on that switch.

Best regards,

Marc Mc Guinness


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/puAdqAgf0xoaEuEQL1HQCfdAnbA//M9GIotv4WIHpADgIiJ7UAn0+O
/i4a0TlA2Et2GpYBnOg64pKd
=S8C7
-END PGP SIGNATURE-




RE: packet sniffer

2001-11-21 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Snort, TCP-Dump, Ethereal, Sniffer Pro, www.google.com (search for
sniffers and NT).

Regards,

Leon

- -Original Message-
From: BurntCircuit [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 19, 2001 11:58 AM
To: Security-Basics
Subject: packet sniffer

I'm looking for a good Windows (NT/2K/maybe XP Pro) packet sniffer to
monitor the comings and goings of a few programs that I don't trust.
Would someone be able to tell me of a good one (better yet the best
one (LOL if there is one))?

thanks
Ben


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/rJd9qAgf0xoaEuEQKwlgCfagfPZPdbqt10iE8gjcSe5sWx7j8AoIqS
BkK2fS1DYn5uE3ji+msSQZAM
=eawZ
-END PGP SIGNATURE-




RE: Firewall features

2001-11-21 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I thought there use to be one at http://www.networkintrusion.co.uk/
but I have not seen the site owner on any of the lists lately and
since he does it (the website) as a hobby I am not sure how up2date
it is anymore.

HTH,

Leon

- -Original Message-
From: Dilli Rajesh Kumar [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 20, 2001 12:09 AM
To: leon; [EMAIL PROTECTED]
Subject: Re: Firewall features

By where I mean any webpage where the features supported by different
firewalls are mentioned. As far as seen from the vendor's site and
other pages I think FW-1 supports the most max features.

Bye
DRajesh


- - Original Message -
From: leon [EMAIL PROTECTED]
To: 'Dilli Rajesh Kumar' [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, November 19, 2001 1:39 AM
Subject: RE: Firewall features


 What do you mean by where can you get the features?  If you are
 looking for a list of the features of each product (pix,
 checkpoint, sonicwall, ip /tables /chains, etc) why not goto the
 vendors homepage?  I hate to tell you that there is probably not
 (at least in my experience and I am sure the list will correct me
 if I am wrong), one product that does everything you requested. 
 Even if there was it stinks of single point of failure and I
 probably would not deploy it.

 Cheers,

 Leon

 -Original Message-
 From: Dilli Rajesh Kumar [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, November 14, 2001 11:56 PM
 To: [EMAIL PROTECTED]
 Subject: Firewall features

 Hi,
  Where can i get the features associated with various
 firewalls.Features like content filtering,intrusion
 detection,antivirus software and much more.

 Regards
 DRajesh




-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/pnG9qAgf0xoaEuEQI4cACbBMTgP2kj4uZCfFn3UjcEZaqQquoAn11U
P880IBE46sYOPmeq0ULrWWhc
=RuS3
-END PGP SIGNATURE-




RE: SAM Database viewing access

2001-11-21 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Pwdump2 or 3 (search google you will find them) will dump the hashes
from the sam.  Is this what you meant?  If not and you are more
specific (on list or off) I will try to help if I can.

Cheers,

Leon

- -Original Message-
From: Brian Heathfield [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 19, 2001 6:52 AM
To: [EMAIL PROTECTED]
Subject: SAM Database viewing access

Hi,

Does anyone know where I can find a tool to view the SAM on an NT4
machine in real-time, or at least snapshots.

Many thanks,

Brian


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/rIttqAgf0xoaEuEQIoDACfZttGtZDglCrjqFQVX7UIW0PUHFgAoJ6L
BGheuwLn7UbkB3hQc7gDFNp8
=4987
-END PGP SIGNATURE-




RE: HIPAA Standards

2001-11-20 Thread leon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is a ton of information on this if you do a search on google. 
Also there is quite a bit of information in the cissp prep guide
which you can find at Amazon or your local bookstore.

Cheers,

Leon

- -Original Message-
From: Thomas Ryan [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 15, 2001 8:51 PM
To: [EMAIL PROTECTED]
Subject: HIPAA Standards

Where can I find information on the current HIPAA Security Standards?

Thanks!

Tom


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBO/lNlNqAgf0xoaEuEQJv6QCgqhvBkRQvUDdgPNQqHTOkNah53H0An1+H
XcsXToXscMwstYFAE2gGweM9
=SIFs
-END PGP SIGNATURE-



