Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.
If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
Happy 4th ! At least, to those of you in 'the states'. I'd guess that this is not a big holiday in other places, like England. But, old enemies are now old friends.
Busy weekend. I spent most of the weekend getting the IBM Thinkpad ready for this week's classes. I installed a few more copies of RedHat Enterprise Linux in some vmWare partitions, after getting the base operating system (WinXP-SP1) loaded and patched. I again had some problems with the CDs, even the new copies I made, so I spent most of Friday night downloading new ISOs onto the IBM's hard drive. That took overnight, on my DSL connection, although I let it run while I relaxed in front of the TV. It was all done by breakfast (probably before then, but I wasn't watching).
I spent quite a while on Saturday running the carpet cleaner machine throughout the house. Got the downstairs family room done, then the upstairs master bath and bedroom, along with the upstairs hall. I also ran a few errands. There was the smog check for Stacy's car, a quick run to Lowe's for a new gate latch for the side fence gate. And I put up a water misting system in part of the back patio.
During all that, I also spent more time getting the Thinkpad configured. Because the ISOs were on the hard disk, I just had to set up the vmWare to point the CD drive to the locations of the ISOs on the hard drive. That made the install happen a bit faster. When it came time to "change CDs", a couple of clicks pointed the install program to the next ISO file. The install of RedHat with this technique still takes about 40 minutes, most of it waiting. Actual time was a bit longer, as I would start a CD, then go off and do some other things while the install program trundled along.
After the installation was done, some minor text editing to get the 'eth0' activated, and the change to the config file so that the 'X' system gets started manually.
I had also moved over a Linux install from the HP laptop to the IBM. That install is set up for the updates from RedHat land, and I wanted to get it on the IBM for the class. But the configuration for the GUI is not working right, the startx command aborts with a monitor configuration error. I suspect there is a command I can run to re-do the x-window configuration, but I haven't found it yet. A bit of Googling is in order, I guess.
Sunday morning (today) was spent getting ready for the trip to the class. It's in Monterey, which is about a 3 1/2 hour drive (assuming there isn't any traffic). It actually took closer to 4 1/4 hours, due to all the traffic on Highway 101 south of San Jose. I spent about a half hour rolling along at about 20-30 mph. But the weather in that area was nice, in the 80's, compared to the high 90's that were forecast for the home area.
Lots of people hanging around the harbor area in Monterey. Something to do with a holiday, I guess. I wandered around a bit around dinner time, then went out again just before 9pm. There were a few thousand people out on the harbor area, and we all enjoyed a nice fireworks show. Then back to the hotel room for a bit of relaxing and surfing.
And probably a bit more playing around with Linux, just for fun.
I was a bit sidetracked today. I got to thinking about the 'download.ject' attack of late last month. It was a pretty clever technique of infecting user computers. You don't infect them directly with an email attachment. You just get them to go to a web site, where just browsing web pages will get the worm program installed on your computer. And then you are really clever by finding some "big-name" web sites that you can subtly change to deliver your worm.
So the results of my cogitation are in a new report, which I call "A Simple Recipe for Internet Domination". Those of you who have read my "Digital Choke" story might find the report somewhat familiar. I don't claim to be prescient, but I did write that story in 2001-2002. (As usual, links around here open up a new window.)
Other than that, a sort of relaxing day as I continue to prepare for the security class that starts tomorrow. Some minor configuration changes to my RedHat installations, and I'll be set to go. I suspect that this time tomorrow I will be suffering from severe brain overload. But it will be quite interesting.
An interesting day in class, the discussion was about an Incident Response Plan. Although it was material that I already knew, I did pick up a few hints. And the examples that the instructor gave for various incidents that he was involved with was pretty interesting.
Tomorrow, we start nibbling around the edges of some hacking. We'll initially be hacking our own 'localhost', just to be safe. I suspect that most of the tools we will use will be Linux-based, which will be interesting and informative.
To help along Linux 'noobs' (that's pronounced "new-bees") like me, we had a short "Intro to Linux" session tonight. The instructor handed out a vmWare RedHat installation with all the needed tools, so it was quite simple to install that on my laptop. I'll use it in the class; some of the tools that we will be using are already on that install, so that will save some time.
One of the interesting things about a SANS conference is the hacking contest. They set up a network with various defenses, and a challenge to all to try to '0wn' their web server. It's all on an isolated network, and they have some defenses in place, so it can be a bit challenging. A friend of mine is here, and he is much more knowledgeable about that kind of stuff. He's having a great time with that hacking challenge. I'm not that advanced (although I expect to be a bit better after this week of classes), but I do recognize a few things as he is poking around the hacker network.
Another full day tomorrow. Classes start at 9am, and go to a bit after 5:30pm. We get a morning and afternoon break (snacks are provided), and a lunch period when we are on our own. There are plenty of lunch places within 2-3 blocks of here, so there is some variety.
Tomorrow the SANS folks will open up the bookstore with some books by some of the teachers here. There are a couple that look interesting, so I might hit the bookstore first thing in the morning to ensure that I get to see the full selection. Then it's off to class.
Another full day of class. Today's topic was information gathering, using various tools to gather information about a 'target'. Interesting stuff.
Spent this evening backing up and reloading the "Digital Choke" story pages. I got rid of all the Flash buttons on the pages; they are now just plain links. I've been thinking about updating the story a bit to make it a bit current -- it was written in 2001-2002, so things have changed a bit. Still working on the details, though.
But, if you happen to read the story and find some missing links, let me know. And you can always participate in the story by sending a message as if you were a participant. Or, you can just enjoy the story. Comments are welcome.
Interesting class today. We continued investigating various techniques used to get control of a computer. We learned about the NetCat program, and how we can use it to control another computer, or harvest information from a computer. We could even install and/or run programs on that controlled computer.
We learned about 'buffer overflow' techniques, and how they can easily be used to compromise a computer. There are programs, some quite sophisticated, that can help us easily make buffer overflow programs. (You still need to know a good programming language for the actual exploit code.) There are programs that can 'mutate' a program to make it look slightly different than the original, while maintaining the same program code. There is even a technique that can encrypt a program inside a program. (Think of steganography that uses a program instead of a picture to store a message, or program code.)
There are some scary tools out there, which make it quite interesting to be in the field of information security. But you could get a little paranoid with the tools and techniques available to the 'bad guys'. (Based on the things that were discussed today, I made some changes and additions to my report of A Simple Recipe for Internet Domination.)
Open source is not the answer. An open source program can have vulnerabilities in it just as easily as closed source. For instance, today's Internet Storm Center Handler's Diary notes a problem in Mozilla/Firefox (open source web browsers, based on Netscape). Here's what I sent off to Dr. Jerry Pournelle (who has a few more readers than I do). (You'll find it here in his "Daynotes" at the end of his Thursday mail, along with his comments, and many other interesting topics and discussions. His upcoming column in the on-line Byte Magazine discusses IE vulnerabilities, including the 'download.ject' issue, and his take on others' recommendations of using a different web browser. Note that reading any of the Byte magazine content requires the purchase of a subscription. I have always found his weekly columns to be quite interesting, especially Dr. Pournelle's discussions of computers. I've read and enjoyed his computer columns for many years. So a Byte subscription, and his column, is recommended.)
Moving away from Internet Explorer will not cure all problems. There are vulnerabilities that can be found in any program. For instance, consider this quote from today's Internet Storm Center "Handler's Diary" concerning problems with Mozilla/Firefox browsers. The exploit's techniques seem similar to the 'download.ject' problem with IE that allowed a visit to a web site to infect your computer. This one could allow an attacker to run a program (worm, keystroke logger, whatever) on your computer. Of course, you have to visit a 'bad site', which might reduce the impact.
"It's time to update your browser, though this time the problem is not with Internet Explorer, but with Mozilla and Firefox running on Windows. As described in the eWeek article at http://www.eweek.com/article2/0,1759,1621463,00.asp , a flaw in the way Mozilla and Firefox handled links containing the shell: suffix could allow a malicious web site to run arbitrary code on the visitor's system. We advise you to upgrade to Mozilla 1.7.1 or Firefox 0.9.2 to patch this vulnerability. Alternatively, you may install the patch from http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/shellblock.xpi .
"For more information about this vulnerability and ways of addressing it, please see http://mozilla.org/security/shell.html . This URL also points out that Thunderbird, an email client that's part of the Mozilla suite, is vulnerable, and explains how you can address the Thunderbird vulnerability as well."
The point is that one must be careful with *any* program. Just because a program is "open-source" doesn't mean that there won't be exploits in the future. Sure, open-source might fix problems faster by the 'good guys'. But open source means the source code is available to the 'bad guys', which might make it easier to figure out malicious code.
So, the 'mantra' still applies, no matter what browser program you are using.
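A defender-side check suggested by the advisory quoted above, added here as an example (not code from this page, from the ISC diary or from Mozilla): a small scanner that flags HTML link attributes whose target uses the shell: scheme, including upper-case, leading-whitespace and entity-encoded spellings. The sample page is constructed; the set of URL-carrying attributes is an assumption.

```python
"""Flag HTML link attributes that use the shell: URI scheme (added example)."""
from html.parser import HTMLParser
import re

# Attributes that can carry a URL the browser will follow or auto-load (assumed set).
URL_ATTRS = {"href", "src", "action", "data"}
# Leading whitespace/control characters are skipped: browsers ignore them.
_SCHEME_RE = re.compile(r"^[\s\x00-\x1f]*([a-zA-Z][a-zA-Z0-9+.-]*):")

def uri_scheme(value):
    """Return the lower-cased scheme of an attribute value, or None."""
    match = _SCHEME_RE.match(value or "")
    return match.group(1).lower() if match else None

class ShellLinkScanner(HTMLParser):
    """Collect (tag, attribute, value) for every shell: URL in a page.
    HTMLParser decodes character references in attribute values, so an
    entity-encoded scheme such as &#115;hell: is recognised as well."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and uri_scheme(value) == "shell":
                self.hits.append((tag, name, value))

def find_shell_links(html):
    """Parse html and return the shell: link hits in document order."""
    scanner = ShellLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page: one normal link, three shell: targets in
# different spellings, and a relative image that must not be flagged.
SAMPLE_HTML = """<html><body>
<a href="http://www.example.com/news">news</a>
<a href="  SHELL:constructed\\sample">click me</a>
<iframe src="shell:constructed\\frame"></iframe>
<a href="&#115;hell:constructed\\entity">entity-encoded</a>
<img src="/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in find_shell_links(SAMPLE_HTML):
        print(f"{tag} {attr}={value!r}")
```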
Another good session in class today. More information about hacks and attacks. Good information, a great teacher.
I picked up the new book "Malware: Fighting Malicious Code" by Ed Skoudis, our instructor. If you are interested in malware (viruses, worms, trojans, hack attacks, etc), this is an excellent book full of detailed information. I've only made it through the first four chapters, but am enjoying reading about this subject. Mr. Skoudis has excellent knowledge of this subject. The book is recommended. Wander over to his web site (www.counterhacks.net) for information, including some interesting scenarios about hacking attacks. I suspect that you can order the book there. I think you will enjoy it.
Another good day of classes. Much learned. Tomorrow we do some exercises to see how much we learned. We'll attack and defend all the computers in the classroom: students and instructor. Should be interesting.
I spent a bit of time doing a major update of the "Chuck and Mom" report. It includes new knowledge gained about the 'download.ject' attack. It also includes some suggestions for protection. Use the mailbox icon to send any comments.
... more later ...
Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved