Our source code has always been air gapped from the Internet. The forensic examination confirmed that software development servers and workstations were not affected by the incident – from HBGary Anyone else find it hard to accept that none of the developers, testers, documentation writers or build people ever accessed source code from their Internet connected laptops / workstations? Especially considering the state of their other security measures. Don’t get me wrong, in some cases it’s a sensible solution ( off-line key signing for example) but for entire teams working on a shared code base?


Ever wanted to limit the number of ssh login attempts a user can make before their account gets locked? Well, not really, but when brute force tools are so common and easy to use it’s another useful trick in the sysadmins arsenal. In this example I’ll show you how to install, configure and audit failed ssh loging attempts on Linux. While the PAM mod_tally module is available for a number of different distros and Unix variants we’ll set it up on Debian. Read on →


I’m not a huge fan of Visio but the ability to connect the MBSA to individual hosts and trigger scans is very neat. I’m also assuming that you can use the Visio scripting interface to mark machines that fail as a different colour. Full details over at the Visio Connector for MBSA article.

Watch it be done in under five minutes in the MS SQL Preauth Attack, Pwdump and John the Ripper video. Surprising? No. Fun to watch? Yes! Every now and again it’s nice to be reminded our systems are not as secure as we’d like to think.

“You do not secure the liberty of our country and value of our democracy by undermining them. That’s the road to hell. – Lord Phillips of Sudbury (source: BBC News - “Police decryption powers ‘flawed’” I don’t normally post on politics or law because I’m not an expert and, to be honest (judging by my apache logs), they’re only interesting to a small fraction of the people that stop by here. Read on →

When it comes to host-based intrusion detection I’m most familiar with the Tripwire OpenSource Edition, while shopping around for a HIDS to deploy on a play box I decided to try AIDE. And got stopped at one of the first hurdles. Tripwire has an interactive update mechanism, it runs a scan (based on your config file) and then prompts you to except, reject or mark changes as pending - within one operation. Read on →

Which ports do your servers have open right now? How did you check? Netstat? Are you really sure that it’s doing the right thing? What the host claims to be exporting isn’t always the same as what other hosts on the network see. When did your DNS server start exposing that TCP port? Has it always been there? I want a tool that keeps track of what ports a machine has open and shows me changes (and tracks when things change). Read on →

While discussing the FIA via SSH article, one of my comments got some feedback; the comment was sudos config potentially giving the game away. A number of people suggested the same solution, patch where the source looks for the config file and compile it yourself. The idea is that you put a fake config file in the usual place, patch the source to use a different location and then compile the application. Read on →

Hal Pomeranz has an interesting article on File Integrity Assessment via SSH over at sysadmin magazine (well worth a subscription). At my last job a couple of us discussed doing something similar so I enjoyed the article; it’s nice to see someone actually implement the damn thing. The basic idea addresses one of the implicit weaknesses with FIA tools. You give the attacker an obvious target to try and subvert. While there are little tricks you can employ to make their life harder (add a false positive so if they replace the binary with a fake it doesn’t report everything you’d expect etc.) Hals technique moves the whole FIA setup off the machine. Read on →

A topic that’s been discussed to great length on one of (many) Linux lists I lurk on has been that of mounting one file over another. It’s easier to show this with an example: $ cat password dwilson:password $ cat fakepassword attacker:fakepassword (root) $ mount --bind fake_password password $ cat password attacker:fakepassword While this requires root access (or flimsy mount permissions) to execute, it is a nasty little trick. An ‘ls’ won’t show anything strange but a ‘mount’ command will. Read on →


I like sudo, it allows you to give people (and automated jobs) more privileges without having to hand out the root password. One of the more important aspects of its use is restricting the commands a user can run. After all, limiting peoples access to rootly powers doesn’t help much if they can just shell out to bash or edit the shadow file (or other important files) and locally escalate their privileges. Read on →

The OpenCON 2005 OpenBSD Slides are now available and linked to from undeadly.org. When ever the OpenBSD people get together and present on security it’s worth ten minutes of the admins day to have a look for the new ideas, after all they’ll often appear ever where else over the next year. The highlights of this batch include an overview of how the congestion indicator works and allows you to log in even when getting DoSed, the changes to the ports and package tools (which are moving to Perl!) and the whole of Theos Exploit Mitigation Techniques slides. Read on →

I’ve never been able to get to a Toorcon but from reading the Toorcon 2005 slides it seems they have a number of quality speakers. The three highlights from this years sessions seem to be Introducing the Bastille Hardening Assessment Tool by Jay Beale, How Big is that Foot in the Door by Foofus and Simple Nomads How Hackers Get Caught. The intro to Bastille does both a good job of explaining why you should care about hardening, which includes some great quotes: The NSA’s Information Assurance Directorate evaluated a system locked-down following CIS’s Windows 2000 guide. Read on →

F-Secure has released a blacklight beta download that is available in both GUI and command-line versions. The full Blacklight details are now online and after a quick play it seems pretty nifty, and most importantly, has a command-line version for automated deployment and scanning. One to watch when it goes gold.

Tom Liston wrote up an excellent (and scary!) analysis of what happens to an unpatched machine when it goes to a less than reputable site. The full details, part 1, part 2, part 3 and part 4 are well worth a read. You’ll be stunned at how much shite comes down from a single executable that the user never even gets a choice whether to run.

Firstly let’s define Phishing, “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.” While most phishing attacks are done over the web consider how they could be tailored to abuse email and local address books. Lets consider a scenario, a non-technical (and busy) receptionist or assistant (Alice) sends a number of email’s from her pet executive to certain people outside the company. Read on →

You know you’ve hit the big time when you get your own worm! The MySpool worm is turning badly configured MySQL installations (on Windows) into zombies in a huge bot net. Now I’m not even going to ask why so many people have MySQL installations listening to the network (Debian disables this by default so bonus points to them) but it is depressing. To stop it doing this just add “skip-networking” to the [mysqld] section of the config file. Read on →

I recently wrote down a couple of snippets on Limiting Administration by OS, since putting those to er… paper another thought crossed my mind. Some of the worst internal incidents I’ve been involved in were those where the attacker either rebooted into a live Linux CD or had a second hard drive that was mostly left unwired. This made tracking and auditing his actions extremely difficult due to the nature of his attack platform. Read on →

This is the third and probably last of my ramblings on the subject of locking down a machines potential attack footprint by mass filtering. While I’ve already mentioned blocking certain ports to entire countries (mostly to stop SPAM) and only allowing access to other ports to geographically local IPs (to stop attacks on critical services like SSH for admins) it is also worth mentioning OS detection. Certain products and operating systems, such as P0F, OpenBSD’s PF etc, can detect what operating system someone is trying to connect with. Read on →


TheRegister has an informative, and pretty short, article on MS NAP, a technology that should help keep networks clear of worm activity by requiring all machines to have up-to-date patching and anti-virus before the network equipment will let them play with others. Now lets gloss over the more obvious question, how do you get a machine on the network for the first time, as it’s simple, the kind of company that actually needs this will have a patch management system in place for new builds (maybe just something like MS SUS) to bootstrap the process. Read on →

In a previous post about blacklisting IP ranges used by China I stated why I feel it’s a valid approach. I think I should clarify my own actions when it comes to things like this. Any servers that are owned and admined by me alone (Bytemark Virtual machines, friends servers etc) have a number of deny rules in place to drop connections to a number of important ports (SSH, SSL etc) to reduce the attack vectors provided by the servers. Read on →

There has recently been a thread about PHP easter eggs on the webappsec security list. In essence if you call ANY PHP page with certain parameters custom pages will be returned. Here’s an example of the PHP Credits Page. It may seem a little petty to complain about such a small thing in a code-base provided for free but there is a more serious aspect to this, the pages returned vary depending on the version of PHP you run so it’s possible to use this to determine which version the server is running; even if you’ve changed the ServerTokens directive to something more restrictive than the default. Read on →

Heres the shell of an idea I’ve been mulling over recently, we all know that compilers on server are bad don’t we? The common wisdom (and this is often disputed by people who use source based systems) is that people shouldn’t be compiling up new versions of software on the production servers. By omitting the compiler suite and required header files you force compilation to occur elsewhere. The second reason, and I’m not so sure about how current this is, is that you deny an attacker an easy way of hiding their tracks. Read on →

In my quest to learn how RADIUS works and the correct way of running my own server I picked up both the O’Reilly RADIUS book and GNU RADIUS, A Reference Manual. Neither of which are exactly ground breaking books. Now I’ve almost finished the O’Reilly book I thought it would be a good time to get my hands dirty and have a play, so I looked at XT RADIUS; which hasn’t been updated since very early in 2002. Read on →

Service banner grabbing is no longer the prominent issue it once was. Todays fire and forget worms probe large IP ranges so quickly that they just try to brute force compromise any servers they encounter and hope to get lucky without checking the product name or version of the target. While these are the most common attacks you will see on your Apache server its also worth noting that they are the easiest ones to defend against. Read on →