DHS grant for development of SCADA Snort sigs
Posted by creining | Filed under Security
I had expressed interest a while ago in developing Snort signatures for SCADA networks. Well, I’m happy to report that Digital Bond recently received a Department of Homeland Security research grant under HSARPA to work on intrusion detection and security monitoring of SCADA networks. They will be developing a SCADA signature set for Snort, and Digital Bond has contacted me to be involved with this project.
OpenBSD’s firewall failover
Posted by creining | Filed under Security
Firewall Failover with pfsync and CARP. Is OpenBSD 3.5, to be released May 1st, ready for enterprise deployments now? I’ve written about CARP and pfsync before. CARP is much like VRRP, although it improves on it in many ways: it supports IPv6 addresses, provides strong authentication via a SHA1 HMAC, and supports a degree of load balancing via an “arp balancing” feature. The pfsync protocol works by sending out state creations, updates, and deletions via multicast. Other firewalls listen for the messages and import the changes into their state table. The OpenBSD crew is ticked, and rightly so, at the Cisco patents covering IETF standards, about which Cisco stated that “it would be impossible for a free software group to produce a truly free implementation of the IETF standard protocol.”
Replay payloads in Snort
Posted by creining | Filed under Security
The snort-replay patch to Snort replays payloads.
Eavesdropping on computer displays
Posted by creining | Filed under Security
Perhaps some day I will build some hardware to perform eavesdropping on computer displays and use the open source software eckbox. You can protect yourself against some TEMPEST observation by using something like Tinfoil Hat Linux. It does a few things such as manipulating the VGA console palette (okay, this just makes photography of the screen harder) and blinking encrypted messages in Morse code on the keyboard LEDs. And TEMPEST really does exist; check out TEMPEST for Eliza. A good website on TEMPEST is The Complete, Unofficial TEMPEST Information Page.
Diagrams of packet traversal through the Linux stack
Posted by creining | Filed under Security
Diagrams, I love ‘em. How a packet makes the journey through the 2.4 Linux kernel network stack. This document is also useful.
Mitnick’s blind TCP/IP spoofing
Posted by creining | Filed under Security
There is a great explanation of an old-school blind TCP/IP spoofing attack carried out by Kevin Mitnick against Tsutomu Shimomura at the Takedown book site. There is actually quite a bit of interesting historical information on Kevin Mitnick at the website in general. There are some Mitnick telnet sessions, and quite funny are some of the voicemail messages that Mitnick left for Shimomura after he hacked him, like this one and this one. I have not read the Takedown book, but I have seen the movie based on the book of the same name. It was an okay film, definitely better than other “hacker” movies such as Hackers or Swordfish, but for the real scoop on Mitnick I would recommend Freedom Downtime, a documentary directed by the 2600 publisher Emmanuel Goldstein. Mitnick is currently doing consulting and training under his company Defensive Thinking.
TAP manufacturers II
Posted by creining | Filed under Security
One more TAP manufacturer: DATACOMsystems. In the near future I’ll be getting my hands on fiber TAPs from a few different manufacturers to play with.
TAP manufacturers
Posted by creining | Filed under Security
There was a thread on the pen-test mailing list about suggestions for Ethernet TAPs. I replied with the TAP manufacturers that I was aware of: Intrusion, Finisar (formerly Shomiti), Net Optics, and Top Layer. One pointer I made with respect to buying a TAP was to note how the traffic from a full-duplex link is handled. Some TAPs require 2 outputs and leave you responsible for aggregating the two half-duplex streams, while others do the aggregation and provide a single full-duplex output. In the case that a full-duplex output is presented from the TAP, some manufacturers’ products will drop output traffic when, for example, there is greater than 50% utilization on each side, or greater than 100Mbps in aggregate. Intrusion’s TAPs drop traffic if the aggregate traffic is greater than 100Mbps, whereas Net Optics’ Port Aggregator addresses this issue by buffering data during bursts but will drop traffic once that RAM buffer is exceeded. Also, I learned from the pen-test thread of one other TAP manufacturer, Network Critical.
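To make the aggregation problem concrete, here is an added example (not from the original post or any TAP vendor) that models a TAP merging both halves of a full-duplex link onto one 100Mbps monitor port, first without a buffer and then with RAM to absorb bursts. The link speed, the 1 MB buffer and the traffic samples are constructed values.

```python
"""Model of a TAP that aggregates both directions of a full-duplex link onto
one monitor port. Added example with constructed numbers (100 Mbps output,
1 MB buffer, 0.1 s sampling intervals); not from any vendor's documentation."""
from dataclasses import dataclass

INTERVAL_S = 0.1
BYTES_PER_MBPS = int(1_000_000 * INTERVAL_S / 8)  # 12_500 bytes per Mbps per interval


@dataclass
class AggregatorStats:
    forwarded_bytes: int
    dropped_bytes: int
    peak_buffer_bytes: int


def aggregate(tx_mbps, rx_mbps, out_mbps=100, buffer_bytes=0):
    """Replay per-interval average rates (Mbps) of each direction through a TAP
    whose single aggregated output carries out_mbps. buffer_bytes is the RAM the
    TAP can use to hold bursts; 0 models a TAP with no buffering at all."""
    out_cap = out_mbps * BYTES_PER_MBPS
    buffered = forwarded = dropped = peak = 0
    for tx, rx in zip(tx_mbps, rx_mbps):
        pending = buffered + (tx + rx) * BYTES_PER_MBPS
        sent = min(pending, out_cap)
        forwarded += sent
        backlog = pending - sent
        # Backlog that fits in RAM waits for the next interval; the rest is lost
        # on the monitor port, so the IDS behind the TAP never sees it.
        buffered = min(backlog, buffer_bytes)
        dropped += backlog - buffered
        peak = max(peak, buffered)
    return AggregatorStats(forwarded, dropped, peak)


def oversubscribed(tx_mbps, rx_mbps, out_mbps=100):
    """Quick check from switch-port utilisation counters: an aggregating TAP
    will drop (eventually, even with RAM) whenever the two directions together
    exceed the output link."""
    return max(tx + rx for tx, rx in zip(tx_mbps, rx_mbps)) > out_mbps


if __name__ == "__main__":
    # Both directions at 60 Mbps: over 50% each side, 120 Mbps aggregate.
    steady = [60] * 5
    print("no buffer:", aggregate(steady, steady))
    print("1 MB RAM :", aggregate(steady, steady, buffer_bytes=1_000_000))
    # A two-interval burst followed by light traffic fits in the RAM buffer.
    burst = [60, 60, 20, 20, 20]
    print("burst    :", aggregate(burst, burst, buffer_bytes=1_000_000))
```

The buffered run shows the point from the thread: RAM only postpones the drops under sustained overload, it removes them only for bursts the following quiet period can drain.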
Jamming police radio
Posted by creining | Filed under Security
There’s not much computer security specific news coming out of Madison, Wisconsin (my current residence), but this story about a man being found guilty of jamming Madison police radio communications was picked up by some large security news sites.
Portable MP3 players
Posted by creining | Filed under Uncategorized
Nomad Jukebox Zen Xtra or iRiver iHP or Dell Digital Jukebox or iPod. That is the question. One of the most important requirements for me is that the device will work under Linux (I quit that Windows habit almost 3 years ago now). This page contains great information on portable music players’ interoperability with Linux. It appears that all except the Dell Digital Jukebox have support under Linux. It also appears that the most mature software exists for the iPod, with the handful of software projects for the Nomad Jukebox Zen being in beta stages and only one project existing for the iRiver. In searching Google I find a lot of success stories, such as this and this, about people using an iPod under Linux. The common application that they use is named gtkpod, which is a GUI frontend based on gnupod. Now, if I do purchase an iPod, I’ve read that the latest generation is for Windows and Mac (filesystem format is the point here) and that it comes HFS+ formatted by default. The first time someone uses their iPod under Windows, the conversion to FAT32 is performed invisibly. In my case HFS+ support under Linux is limited, so either a Windows PC can do the conversion to FAT32 or it can be done under Linux with fdisk, dd and mkfs.vfat. Also, here’s a graphical comparison between iPod generations that’s neat.