Here is the link to the US DoD guidance:
https://infosec.navy.mil/ps/?t=main/main.tagbc=main/tip21.html
Some of the links only work from a .mil or .gov domain,
-Original Message-
From: Stephen Eaton [mailto:[EMAIL PROTECTED]
Sent:
Any company that does these sort of tests should include recommendations
within the report they produce.
The last time I used hping was to do what's called an idle host ping.
It requires your host to be idle!
To block the pings stop ICMP type traffic, fragmented packets should be
stopped. An
that might give
more details on these 'rumours'
Many thanks
Trevor Cushen
**
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed
then try stunnel to re-direct the port to another
port but have it in place.
www.stunnel.org
Will have more details. I may be able to be of more help if you had a scenario.
Trevor Cushen
-Original Message-
From: SB CH [mailto:[EMAIL PROTECTED]
Sent: 24 March 2003 02:39
To: [EMAIL
Use the Tools-Autocorrect Options and turn off the hyperlink options
under auto correct as you type tag and under the auto replace tag. Also
look at the options for the ctrl+click option checkbox.
This will stop web addresses from automatically becoming hyperlinks.
I am using Office XP by the
://etherape.sourceforge.net/
If I have it wrong again then my apologies.
Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499
-Original Message-
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]
Sent: 09 March 2003 22:09
To: swin; [EMAIL PROTECTED]
Subject: RE: Any
and MS-SQL.
Client has one logon only or single sign on.
I am looking at kerberos so if I am going down the wrong track please
let me know.
Many thanks
Trevor Cushen
Have you looked at MRTG?
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Also Etherape and NTOP work nicely for traffic monitoring.
http://etherape.sourceforge.net/
http://www.ntop.org/ntop.html
Trevor Cushen
-Original
scenario you would use this in as far as forensics is
involved but a handy tool in any arsenal. No good on raided system last
time I tried it.
Hope this helps and sorry again for the misdirection to sysinternals.
Trevor Cushen
My head is clearly not right these days. I forgot to add this to my
last email. HC asked about viewing binary files such as registry. What
I wanted to add was this tool
http://www.evadenet.com/downloads/lophtcrack.shtml
Which you could use to access the sam file.
Trevor Cushen
from your NT machine. Yes including the sam files etc.
Would also work to clone an NT machine to another NT machine as a copy
for booting etc. Just run netcat and dd on both from floppy or even a
linux boot floppy.
Hope this helps
Trevor Cushen
and can quickly be ruled out if
your Chain of Evidence or Chain of Custody is in doubt.
Trevor Cushen
-Original Message-
From: H C [mailto:[EMAIL PROTECTED]
Sent: 20 February 2003 19:28
To: [EMAIL PROTECTED]
Subject: RE
Trevor Cushen
-Original Message-
From: Charles Hamby [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2003 03:50
To: [EMAIL PROTECTED]
Subject: Re: Strange Connection Attempts
I've been seeing 17300 scans from many places outside
.
This is not my line of thinking nor do I have a project in the working
to provide more details on a possible implementation or environment,
number of users, costings etc. It is the concept that I am interested
in getting feedback on just out of curiosity.
Many thanks
Trevor Cushen
enforcement agencies who have the right tools and
software for the job.
So when running an Incident Handling operation the main thing to know is
when to touch the machine at all to do anything and when to declare it
serious enough for legal action to be taken.
Trevor Cushen
.
Hope this helps
Trevor Cushen
-Original Message-
From: Donald V. Gerkin Jr. [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2003 17:43
To: [EMAIL PROTECTED]
Subject: Strange Firewall / IDS Events
Group,
I have been
http://www.crazytrain.com/seizure.html
All is explained.
Trevor Cushen
-Original Message-
From: H C [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2003 19:15
To: David J. Bianco
Cc: Trevor Cushen; [EMAIL PROTECTED
the same MD5 signatures and is handy if the machine
cannot be rebooted. The disk should be cloned before anything is done
on the machine as in copying files or anything. The document I referred
to gave a way of doing that and is accepted by law enforcement once you
have the MD5 signature.
Trevor
this helps
By the way don't forget to note your MD5 signature before working on
clones.
Trevor Cushen
-Original Message-
From: H C [mailto:[EMAIL PROTECTED]]
Sent: 17 February 2003 13:18
To: [EMAIL PROTECTED]
Subject: re: tools
at
http://www.knopper.net/knoppix/index-en.html
Which might be interesting to you
Hope this helps and reunites you with an excellent product
Trevor Cushen
-Original Message-
From: Ivan Hernandez [mailto:[EMAIL PROTECTED
to that level.
I hope this helps and is relevant to you.
Trevor Cushen
-Original Message-
From: Tim Heagarty [mailto:[EMAIL PROTECTED]]
Sent: 17 February 2003 17:36
To: [EMAIL PROTECTED]
Subject: Law office recommendations?
Hello,
I wish to pick the collective
Does windows 2000 server not act as a CA? I'm not sure but I thought it
could. www.Freeswan.org might have something
Trevor Cushen
-Original Message-
From: ullmic6 [mailto:[EMAIL PROTECTED]]
Sent: 16 February 2003 08
Not being smart or anything but what layers in this scenario do you see
as the important ones?
How would you tackle this problem?
Trevor Cushen
-Original Message-
From: theog [mailto:[EMAIL PROTECTED]]
Sent: 31 January
I've had a lot of good experience with the ISS product and would
recommend it. There are other smaller products dedicated to particular
databases. MS SQL in particular. What database are you interested in
if any.
Trevor Cushen
a pattern of the incident. I recommended two
books in a previous post called 'Hacker Challenge'. These show exactly
how efficient good logs can be.
Good luck with all that :)
Trevor Cushen
-Original Message-
From: Naman
networks.
Google searches will quickly find both for you.
Hope this helps.
Trevor Cushen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2003 12:52
To: [EMAIL PROTECTED]
Subject
is
established. Very easy setup and very secure as really everything is
encrypted and multiple authentication is used. With no hassle for the
end user and easier to set up than might appear judging by this email.
Hope this helps.
Trevor Cushen
Further Chris Berry's suggestion is the use of stunnel or tightvnc
www.tightvnc.com
www.stunnel.org
Hope this helps
Trevor Cushen
-Original Message-
From: Chris Berry [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2003 01
Have a look at the books Hacker Challenge 1 and 2. They detail actual
cases and are an excellent read. Should have what you are looking for.
Details here
http://www.amazon.com/exec/obidos/search-handle-form/002-0648723-3948060
Hope this helps
Trevor Cushen
recommended)
The list goes on.
Trevor Cushen
-Original Message-
From: David Gillett [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2003 16:55
To: [EMAIL PROTECTED]
Subject: RE: Risk analysis tools?
The last time I looked
what level of security you want and
they must provide it to their customer (ie you). The customer is always
right after all and yes two layers of security is always better than
one.
Trevor Cushen
-Original Message-
From
rules in my very humble opinion are
needed and I certainly advise anyone who cares to listen (they are few
and far between) that the router should be very secure and well
hardened.
I would never consider a router a firewall alternative however.
Trevor Cushen
because all
environments are different.
Trevor Cushen
-Original Message-
From: theog [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2003 00:23
To: Chris Berry; [EMAIL PROTECTED]
Subject: Re: security scenario
Well , I think
Etherpeek will do this too by sniffing the network. It is not free but
the eval limited functionality does what you want.
Runs on Windows
http://www.wildpackets.com/
Trevor Cushen
-Original Message-
From: Hunt, Jim
being introduced to your network. Put
the whole lot on a single linux machine with a web interface and you
have a very nice solution.
Google searches will find you everything you need to know on the above.
Hope this helps
Trevor Cushen
-Original Message-
From: Ivan Coric [mailto:[EMAIL
http://www.heise.de/ct/english/99/16/180/
There is a webmin module for FreeS/WAN as well making it very easy to administrate.
Trevor Cushen
-Original Message-
From: SB CH [mailto:[EMAIL PROTECTED]]
Sent: 20 November
and encryption is a lot higher and better
(imho). All is flying along very nicely but the NFS traffic, well
authentication anyway won't work. I bypass the IPSec machine it all
works fine. Introduce IPSec and nothing.
Any ideas
Trevor Cushen
logging server with a
nice web front end to view all the logs.
Trevor Cushen
-Original Message-
From: Chris Berry [mailto:compjma;hotmail.com]
Sent: 08 November 2002 19:42
To: [EMAIL PROTECTED]
Subject: Re: Other way to view
was added to the network then I will detect that
too because it will be an unknown MAC address.
I am nearly finished developing this but if anyone knows of a utility
that already does this well then please let me know.
Trevor Cushen
I was sent this which seemed quite a coincidence as I am eagerly
following the thread on disk forensics etc.
I thought the rest of you would see the humour.
http://w1.270.telia.com/%7Eu27007970/ghetto.htm
Trevor Cushen
Trevor Cushen
-Original Message-
From: maillist [mailto:maillist;avoiderman.com]
Sent: 30 October 2002 06:45
To: [EMAIL PROTECTED]
Subject: RE: Interesting One
I disagree with you both - the NSA standard for a drive
of some disk wiping
software package they just happen to sell. Do they sell something like
this???
Trevor Cushen
-Original Message-
From: James Taylor [mailto:james_n_taylor;yahoo.com]
Sent: 30 October 2002 04:50
on the market. If you are
really unsure try posting your query to the people at Vogon.
www.vogon.co.uk
They are the best at this stuff bar none. Read some of their news
stories for just how realistic computer forensics is.
Trevor Cushen
).
You're not parked in the parking lot or anything are you, or hanging off
the roof with a pringles tin attached to your laptop to improve the
signal
Trevor Cushen
-Original Message-
From: Amit P. Gandre [mailto:agandre
programs from it before that
were infected. Run a virus scan before doing anything with the
downloaded files. A recently updated virus scan!!!
A hex viewer mightn't be a bad idea either, just in case. Great site but
I did get the odd dodgy file.
Trevor Cushen
a problem then you can change them by
changing the /etc/services file and/or providing the port as part of the ftp session.
Trevor Cushen
-Original Message-
From: brien mac [mailto:aph3x;linuxmail.org]
Sent: 15
which might be best if you are fairly new to Linux.
It certainly makes life easier.
Trevor Cushen
-Original Message-
From: Arjen De Landgraaf [mailto:arjen.de.landgraaf;cologic.co.nz]
Sent: 15 October 2002 22:40
Hope this helps
Trevor Cushen
-Original Message-
From: dsardina [mailto:dsardina;si.rr.com]
Sent: 15 October 2002 21:41
To: Kip Sr.; [EMAIL PROTECTED]
Subject: Re: Increase in traffic on port 20480 and 6667
I don't
interesting and informative and I will let you know the final
result from the report etc, (If you still care at this stage)
Cheers :)
Trevor Cushen
unfortunately has
not read through all the domains of CISSP and doesn't really see the end
benefit.
Rock and Hard place springs to mind.
Thanks again to all on thread.
Trevor Cushen
-Original Message-
From: harley mcdonald
This man is a god among men, I will test this and get back to you. SSH is going in
place if all this works out. I'm side tracked at the moment but will get back to it
next week.
Thanks again to all
Trevor Cushen
P.s
Can I ask you for a url to more info on this expect language
machine
to set all this up and emulate the site as much as possible. I will
post the final result in time.
Thanks again for the feedback.
Trevor Cushen
is, is it worth it. Bear
in mind also that few people have passwords to the boxes and the only
real threat is sniffing the traffic.
All opinions welcome,
thanks
Trevor Cushen
. The CISSP exam requires three years
experience before you even get to sit the exam, for a reason. In an
interview for a job you should be able to tell very quickly the real
experience level of the candidate. If that experience is valid then I
don't care if they are from Mars.
Trevor Cushen
level of security on it and like everything else we discussed they
do not come secure 'out of the box'. Access lists, and removal of
services on your router are vital steps. Just take a look at what is
possible with GRE tunnels to see some of the damage that can be done
quite easily.
Trevor Cushen
A very good point made here on what you allow to go from your web server
via the firewall. A lot of people only consider the threat of what comes
in. Note that there are many tools that allow traffic to 'tunnel'
through port 80, so if your firewall allows traffic out from port 80
then it can be
Just an article that is worth noting to follow up on the recent
discussion on IIS and *nix Web servers
http://linuxtoday.com/news_story.php3?ltsn=2002-07-15-007-26-SC-SL
Thanks Douglas, I had not heard of IPCop in some time. I see that the
latest version is 0.1.1, so I guess it is still in development. Have a
look at GuardDog http://www.simonzone.com/software/guarddog/ and see
what you think.
I assume you are having no troubles with IPCop, I must try it.
.
I can live with Trevor Cushen is an idiot you should be running X
product on Y Server, see so and so web site for more details that is
constructive. And even I the idiot get to learn something. But just
Trevor Cushen is an idiot is useless to everyone.
And finally before anyone replies, I
Scanner is web
server only.
Trevor Cushen
-Original Message-
From: Steve Bremer [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2002 14:14
To: Trevor Cushen
Cc: [EMAIL PROTECTED]
Subject: RE: NT/2000 vs Unix based Web Servers
Tiny Personal Firewall for Windows systems
GuardDog for Linux systems
Trevor Cushen
-Original Message-
From: Nicole Tutt [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2002 18:14
To: [EMAIL PROTECTED]
Subject: Personal
media is easier to
build with Windows systems as more software is available for it and a
better price.
But again if you are up and running why change.
Hope this helps if even a little
Trevor Cushen
-Original Message-
From
PAM or Kerberos?
Try webmin for easy configuring of both.
On Sun, 2002-07-07 at 21:34, ABRAHAM AJI wrote:
Hello,
Is there any product available on the market, which
can make different applications running on UNIX,
Single Sign On enabled with or without customization.
Applications are
The O'Reilly Books on Perl are the best without a doubt.
Learning Perl by O'Reilly is the place to start then the Advanced Perl
Programming and keep the Perl Reference by your side. All by O'Reilly
and also the cheaper of the books on the market.
http://perl.oreilly.com
Good luck
Trevor
NOT try to connect to them direct
from your site, even with a ping.
Best of luck
Trevor Cushen
for attempted exploits.
Hope this helps
http://www.counterpane.com/log-analysis.html#gen_parsing
Good luck
Trevor
On Tue, 2002-06-25 at 15:57, Omar Khawaja wrote:
I need to parse through syslog messages from a PIX firewall to analyze
corporate users internet traffic.
-Original Message
I used some Perl code to parse our various logs and produce a simple
break down of usage. If you are unfamiliar with Perl and want to go
this route then I have no problem sending you some code if you send a
spec of your needs.
Trevor Cushen
-Original Message-
From: Omar Khawaja [mailto
things a little better, you might want to add some sort of AAA server instead
of using terminal passwords alone. . .
Thanks and have a great day,
Trevor Williams
Sr. Design Engineer
The TechKnowledgy Center
A problem well stated is a problem half solved
Charles Kettering
have
the budget for the 4006, the 3500 would be a better solution to the
2900, since it has a better switching fabric and the 3524 can come with
inline power for wireless stuff and phones. . .
My $.02
Thanks and have a great day,
Trevor Williams
Sr. Design Engineer
The TechKnowledgy Center
5200
anything to do with Linux so that
goes first.
Then install Nessus, Sara, etc etc etc on the machine. All run perfect.
VMWARE is good but hogs the machine when you run something like Nessus
on it. Not comfortable to work with in my humble opinion.
Good luck,
Trevor
-Original Message-
From
a google search
before too long.
Quick pointers for further investigation,
Network based tools used for IDS:
Snort
Demarc
--- also note
Tcpdump
Etherpeek
Ethereal
IPWatcher
Host based IDS tools:
Tripwire
regmon
MD5 tools
stuck to think of more at the moment sorry.
Good luck.
Trevor
Add DD Unix utility to the list so that disk cloning can be done of live
machines.
But that is just a suggestion for those who wish to build a complete
kit.
-Original Message-
From: jon schatz [mailto:[EMAIL PROTECTED]]
Sent: 06 March 2002 00:00
To: Pradeep Pillai
Cc: [EMAIL PROTECTED]
http://www.isaca.org/standard/guidelne.htm
-Original Message-
From: Chad [mailto:[EMAIL PROTECTED]]
Sent: 05 March 2002 20:26
To: [EMAIL PROTECTED]
Subject: Security Auditing / Assesments
I am looking for a good reference or some
established guidelines for performing a professional
Even if you had your setup as an AdHoc system running VPN over it?
- Original Message -
From: [EMAIL PROTECTED]
To: Trevor S [EMAIL PROTECTED]; Marc Eiler (Volt)
[EMAIL PROTECTED]; Hornat, Charles
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 4:02 AM
Subject: RE
. Tough enough to setup but certainly
possible.
Good Luck.
Trevor
p.s.
The VPN side I am sure of as I have set it up already, working nicely
too. The Kerberos I am in the middle of and Microsoft documents and
Linux documents are what I am going by so I am open for correction
Do sniffers like AirSnort detect the MAC addresses of the devices that are
being used?
On Thursday 28 February 2002 04:36 pm, Marc Eiler (Volt) wrote:
Depending on the brand of transceiver that you are using, you
may be able to add all of the MAC addresses of the access points that
you are
VNC can be used on both platforms.
Etherpeek will also run on Windows if needed.
If you just want a packet capture and display tool then NTOP listens on
a port and any web browser can connect to view network activity.
There are also many X11 emulators for windows that can act as windows to
the
Eoin,
I downloaded that x-deep package again to test it was indeed the one I
was talking about.
I got it from that site I sent you. My Anti-Virus software shows two of
the files as infected. Please be careful if you use that URL I posted
to you.
Trevor
-Original Message-
From: Eric
All documents and experience I have of this is using a three tier
solution.
Internet --- firewall --- web box firewall --- database
IPSec between web box and database. All boxes hardened etc. Firewalls
different systems to avoid one exploit giving full through access.
Microsoft site has a