Thursday, August 25, 2011
Block scumbags with local DNS file!
So, tired of XSS / CSRF / clickjacking etc.? How about blocking the scumbags with your hosts file? I know, that would take too long, right? What if someone else did all the heavy lifting? Check out this site: they distribute a hosts.txt and also provide directions for how to get it up and running in your OS of choice.
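A third-party hosts.txt is something you run as root on every machine, so it is worth checking before installing it. The following is an added example, not code from the post or from the site it links to: it parses a constructed hosts file and flags any entry that maps a name to a routable address instead of a sinkhole, or that touches a domain of your own (the `corp.example` protected domain is an assumption).

```python
import ipaddress

# Constructed sample of a downloaded hosts.txt; not the real distributed file.
SAMPLE_HOSTS = """\
# blocklist sample
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
::1 localhost
127.0.0.1 clicks.example.com
198.51.100.7 login.example.com
0.0.0.0 payroll.corp.example
"""

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}   # the only targets a blocklist should use
PROTECTED = {"corp.example"}                 # assumed: your own domains, never to be overridden

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip = fields[0]
        for name in fields[1:]:          # one address may carry several names
            yield ip, name.lower()

def audit_hosts(text, protected=PROTECTED):
    """Return a list of (hostname, ip, reason) findings for suspicious entries."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if ip not in SINKHOLES:
            # A blocklist has no business sending a name to a real host.
            findings.append((name, ip, "redirects to a routable address"))
        if any(name == d or name.endswith("." + d) for d in protected):
            findings.append((name, ip, "touches a protected domain"))
    return findings
```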
Monday, April 4, 2011
IPv6 0day
I've been on a soapbox for the last 3 years telling people who tell me "We're not running IPv6" that they are and they don't realize it. Essentially, your systems in their default state are trying to pull addresses, but nobody is offering them. The moment I connect to your network and start sending Router Advertisements (RAs), your systems will accept them and will be part of my IPv6 network. As you can imagine, at this point they will be susceptible to any IPv6 exploits. I've discovered a few of my own, but here is a really nice article about one that went public today.
SLAAC IPv6 Attack
Moral of the story is InfoSec Rule 1.a(1): if you're not using a service, disable it.
Tuesday, February 8, 2011
Tuning trunks to ESX servers
You'll be hard pressed to find a network these days that doesn't have a VMware server (ESX/ESXi) connected. While this is a common scenario, there seems to be some misunderstanding about the way a vSwitch handles frames and their tags.
First off:
The vSwitch does not support untagged frames. This means that VLAN 1 and all of the traffic passed along it will simply be dropped.
Second:
The vSwitch does not support DTP, so set the port to nonegotiate.
Third:
It's best practice to manually prune the link to only carry the required VLANs.
This can be done with the switchport trunk allowed vlan command.
For example, on the physical switch port:
* interface GigabitEthernet1/1
* description VMware ESX - Trunk A - NIC 0 – port description
* switchport trunk encapsulation dot1q – ESX only supports dot1q, not ISL
* switchport trunk allowed vlan 100,200 – allowed VLANs
* switchport mode trunk – enables the trunk
* switchport nonegotiate – ESX does not support DTP (Dynamic Trunking Protocol); when configuring a trunk port, set it to nonegotiate
* spanning-tree portfast trunk – enables PortFast on the interface when it is in trunk mode
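Checking that every ESX-facing trunk actually carries these lines is easy to automate. Here is an added example (not from the post or from VMware/Cisco) that walks a constructed IOS running-config, picks out interfaces whose description names ESX, and reports which of the three hardening lines above are missing; the interface names and descriptions are made up.

```python
import re

# Constructed running-config excerpt (not from the post): one compliant
# ESX trunk and one sloppy ESX trunk with pruning and nonegotiate missing.
RUNNING_CONFIG = """\
interface GigabitEthernet1/1
 description VMware ESX - Trunk A - NIC 0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet1/2
 description VMware ESX - Trunk B - NIC 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""
# Lines every ESX-facing trunk must carry, and what their absence means.
REQUIRED = {
    "switchport trunk encapsulation dot1q": "encapsulation not pinned to dot1q",
    "switchport trunk allowed vlan": "trunk not pruned, carries every VLAN",
    "switchport nonegotiate": "DTP left enabled toward the vSwitch",
}

def parse_interfaces(config):
    """Map interface name -> its indented config lines (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces

def audit_esx_trunks(config, marker=re.compile(r"description .*\bESX\b", re.I)):
    """Return {interface: [finding, ...]} for ports whose description names ESX."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(marker.match(l) for l in lines):
            continue  # not an ESX-facing port; other rules apply there
        missing = [why for prefix, why in REQUIRED.items()
                   if not any(l.startswith(prefix) for l in lines)]
        if missing:
            findings[name] = missing
    return findings
```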
Tuesday, February 1, 2011
ATM skimmers
I typically don't pay too much attention to ATM machines and recent scams. I rarely use an ATM, and when I do I'm fairly selective, but it's only a few times a year, so when articles are published I'm likely to skim past them. That said, I've found an excellent repository of information about ATM card skimming. Krebs has a series of articles that I thought I'd link to just in case anyone who follows me is interested.
ATM card skimming articles.
Friday, January 7, 2011
So what the heck is a darknet?
I was contacted by a former student last night asking me to explain the concept of a darknet. Prior to contacting me he had read several descriptions online, but none of them made any sense. Well, since I took a few minutes to create my own explanation for one person, I might as well put it here.
Let's look at it from an operational perspective as opposed to a regular definition.
1) You want to study malware and worm-like / scanning activity.
2) So you allocate a block of network space, say 4.16.5.0/24, to your "dark net".
3) On your router create a static route, 4.16.5.0/24 --> 1.1.1.1 (this being the IP of your analysis box).
Done.
Ok, so what just happened? The idea is that a darknet, or dark IP range, is a range that has no services in it; therefore there should be no incoming traffic, and if there is incoming traffic it must be bad. To test this theory, all traffic for the non-existent subnet of legitimate address space is being pushed to an analysis machine. Here you would log the connection attempts to get a better understanding of which ports are being targeted.
How is this effective? Well, ideally you would want to combine several darknets and aggregate the data from all of them to build stats and trends on which services are being targeted.
That's it!
Hopefully that helps. Arbor Networks collects data and publishes stats publicly. If your IP block were discovered it would obviously not be effective, so if you work for a security company you would want to get hold of address space that is not adjacent to production IPs.
So another question: Couldn't you just look at incoming traffic to your production network?
Not really. Your production network has legitimate services and an identity; it's not actually "dark". You may be receiving targeted reconnaissance or other attacks. Useful to know about, but not useful for researching trends in malware that is not targeting a specific victim.
Hope that helps!
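What the analysis box at 1.1.1.1 does with the traffic is the part the steps above leave implicit. This added example (my code, not the post's) takes constructed flow records as that box might log them, keeps only flows whose destination falls in the 4.16.5.0/24 dark range, and aggregates them into the "which services are being targeted" stats the post describes, counting both hits and distinct sources per service.

```python
import ipaddress
from collections import Counter

DARKNET = ipaddress.ip_network("4.16.5.0/24")  # the range static-routed to the analysis box

# Constructed flow records from the analysis box, not real capture data.
# Format: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2011-01-07T02:14:01 203.0.113.9 4.16.5.17 tcp 445
2011-01-07T02:14:03 203.0.113.9 4.16.5.18 tcp 445
2011-01-07T02:14:09 198.51.100.44 4.16.5.200 tcp 22
2011-01-07T02:15:20 203.0.113.77 4.16.5.5 udp 1434
2011-01-07T02:15:21 203.0.113.77 4.16.5.6 udp 1434
2011-01-07T02:16:00 192.0.2.10 4.16.5.31 tcp 445
2011-01-07T02:16:02 192.0.2.10 10.0.0.5 tcp 80
garbage line that should be skipped
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) for well-formed records; drop the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            yield src, dst, parts[3].lower(), int(parts[4])
        except ValueError:
            continue

def darknet_summary(text, darknet=DARKNET):
    """Return [(proto, dport, hits, distinct_sources), ...] sorted by hits, most first."""
    hits = Counter()   # (proto, dport) -> number of flows
    sources = {}       # (proto, dport) -> set of source addresses
    for src, dst, proto, dport in parse_flows(text):
        if dst not in darknet:
            continue   # not dark space, so not part of the trend data
        key = (proto, dport)
        hits[key] += 1
        sources.setdefault(key, set()).add(src)
    return [(proto, dport, count, len(sources[(proto, dport)]))
            for (proto, dport), count in hits.most_common()]
```

A single source hammering one port and many sources each probing it once look identical in the hit count, which is why the distinct-source column is kept alongside it.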
Tuesday, December 7, 2010
Beating Wireshark into shape on OSX
I've gotten emails from several past students regarding Wireshark operations on OSX. Similar to the experiences in the classroom, when installing Wireshark on OSX you must also FOLLOW ALL OF THE DIRECTIONS ;).
If you are experiencing the following error:
“Insecure Startup Item disabled – “/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings.”
Pretty simple fix: just change the ownership of the ChmodBPF script to root in the wheel group.
To accomplish this:
cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF
Tuesday, October 26, 2010
Firesheep
Very cool new Firefox plugin for sniffing credentials over HTTP for common online services such as Twitter, Facebook, and others that use HTTP logins, still in 2010. Long overdue :)
I know that everyone reading this can decode HTTP logins, but this is a cool way to do it within a plugin!
Works over wifi, supports session hijacking (cookie theft).
Supports OSX! (Win & Linux too)
Might be worth checking out!
http://codebutler.com/firesheep