lnx 4n6
Wednesday, July 18th, 2007
lnx4n6.be (get it?) is a Belgian site that has a Knoppix based forensics CD with a fascinating variety of tools. They can be used on both Micro$oft and Unix boxes — extremely useful for data recovery.
dmiessler.com is a rather excellent web log of an information security consultant. He also has some clearly written, succinct articles, such as a primer on tcpdump, and another on firewalls.
I often feel less than confident in my ability to know when a server has been compromised. One can have a fairly good knowledge of the architecture of an operating system, but such knowledge is different from a forensic awareness. A forensic sense probably needs to be built by post-mortem examinations, so, to that end, I’ll be looking for reports such as this one from honeynet.org.
I posted on the issue of net neutrality in a classroom forum (for my Network Administration class at CCSF):
Doc Searls of Linux Journal wrote a column, “Saving the Net: How to Keep the Carriers from Flushing the Net Down the Tubes,” about this issue recently.
Searls is a strong advocate of the view that the main reason for the internet’s extreme malleability and explosive growth has been the abstraction of applications from the underlying network infrastructure. To use his term, the internet is a “stupid” network: the network says nothing about what applications (the network’s “endpoints”) can or should be. In contrast is the PSTN, of Ma Bell fame — the quintessential example of a circuit-switched “smart” network. Searls argues that the telcos, owners of the PSTN, yearn to exert the kind of control over the internet that they have over the PSTN, and that they are moving to reestablish their hegemony by arguing before the US Congress in favor of doing so.
What would this mean in a practical sense for you and me? It would mean much less diversity on the application side, and little or no control, or ability to develop our own solutions. Think cell phones, where it is virtually impossible — if not illegal — to control the software on the box. Reverse engineering the software, even if only to build beneficial new applications, is a violation of an agreement that you entered into in order to get phone service. This closed, proprietary software world is a fundamentally different development (and user) environment from the world of TCP/IP, where standards are published and vetted openly in the form of RFCs.
This is a complicated issue, but it would behoove us not to underestimate its implications. The outcome of the fight for control of intellectual “property” in the form of patents and copyright on software, in conjunction with the struggle for control of network infrastructure, may very well determine whether the “useful arts” continue to flourish in the U.S., or, conversely, as we’re already witnessing in both the software and telecom worlds, the US slips into relative obsolescence.
The best list of network analysis tools out there can be found at Insecure.org’s ‘Top 75 Network Security Tools’ page.
I’ve been exploring nbtscan, ntop, iptraf, tcpdump, ettercap and mrtg.
To build basic WiFi security literacy, I was reading around a bit, and came across this article. My summary of the article’s points:
1. Use WPA.
2. Enable MAC address filtering (via router’s ACLs).
3. Turn off WLAN SSID broadcast.
4. Change default admin password(s) … um, from the factory default, and, er, to something more secure than “fluffy.”
5. Use maximum encryption level.
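As an added illustration (not from the article summarized above, nor from this site), here is how those five points map onto a hostapd configuration for a Linux box acting as the access point. The interface name, SSID, passphrase and the path of the MAC allow-list are placeholders. The commented-out lines show the weak settings the list warns against. Two caveats a practitioner would add: the MAC filter (point 2) and the hidden SSID (point 3) are easily bypassed, since client MACs and the SSID both travel in cleartext 802.11 frames and a passive sniffer recovers them in minutes, so treat them as hygiene rather than security; the long random passphrase and WPA2 with CCMP (points 1, 4 and 5) are what actually keep strangers off the network.

```conf
# /etc/hostapd/hostapd.conf  (added example; names and paths are placeholders)
interface=wlan0
driver=nl80211
# placeholder SSID
ssid=craniata-lab
hw_mode=g
channel=6

# Point 3: do not broadcast the SSID.
# 0 = broadcast (default), 1 = send an empty SSID in beacons
ignore_broadcast_ssid=1

# Point 2: MAC address filtering via an accept list (one MAC per line).
# 0 = accept unless denied (default), 1 = deny unless listed
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# Point 4: the admin password of a consumer router lives in its web UI, not here,
# but the shared secret below must likewise not be "fluffy" or any dictionary word.
# Points 1 and 5: WPA2 only, CCMP (AES) only.
# Weak settings, shown for contrast, do not use:
#   wep_default_key=0
#   wep_key0=<hex key>
#   wpa=1
#   wpa_pairwise=TKIP
#   auth_algs=3
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# open-system authentication only; bit 2 would allow WEP shared-key auth
auth_algs=1
# placeholder; use 20+ characters from a random source
wpa_passphrase=ReplaceWithALongRandomPassphrase
```

Start it with `hostapd /etc/hostapd/hostapd.conf`; hostapd only ignores whole lines beginning with `#`, which is why the comments above sit on their own lines rather than after a value.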
According to a March Netcraft article, botnets are abundant on the net. Says the article:
“Botnets” of compromised computers launched 226 distributed denial of service (DDoS) attacks on 99 different targets in a three-month period from November to January, according to new research from the Honeynet Project.
The Honeynet Project paper states that the scope of the activity is rather impressive:
The project tracked more than 100 active botnets, including one containing 50,000 compromised “zombie” machines. In the three-month tracking period, Honeynet detected 226,585 unique IP addresses joining at least one of the IRC channels being monitored. Since the project sees only a portion of active botnets, the report said that even by conservative estimates, “this would mean that more than one million hosts are compromised and can be controlled by malicious attackers.”
Worse, according to Honeynet (as quoted in the Netcraft article), the activity seems increasingly well-organized and adept:
“Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures,” the report concludes. “Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.”
My refrain of late to everyone I’m in contact with has been: ‘You’re nuts if you connect a Microsoft Windows box to the net. Consider your financial information already gone if you’ve done so. Worse is connecting with no firewall. If you do so, may the Great Kavod help you (or flush you from this mortal coil expeditiously).’
I arrived at the Netcraft article on the Honeynet paper via this May 4th Netcraft post on botnet controlled DNS nameservers.
craniata.net/news is proudly powered by WordPress.