{} and Hardbeat (handles) have a short writeup on how they got root on the apache.org server. Although this was done back in the year 2000, what makes their accomplishment so interesting is that they used a small series of administrative configuration oversights to work their way to the root account. Those misconfigurations are timeless though, and there’s never a patch .

I was recently investigating a networked printer possibly being compromised. I remembered a great paper on printer (in)security written by Dennis Mattison, Network Printers and Other Peripherals – Vulnerability and Fixes. Everyone involved with network security should read that paper and never look the same at printers that are on a network.

Robert Graham, of BlackICE authorship fame, has a somewhat outdated but still very useful FAQ on sniffing. The most interesting section of this FAQ is section 2.5 entitled “How can I detect a packet sniffer?”. This section explains various methods in detecting a sniffer on a network (abnormal responses to ping and ARP, reverse DNS traps, latency, etc) including the mention of some tools that implement these methods such as sentinel, antisniff, and neped. One of the other methods noted by Graham is TDR (Time Domain Reflectometer) which “sends a pulse down the wire, then graphs the reflections that come back. An expert can look at the graph of the response and figure out if any devices are attached to the wire that shouldn’t be. They also roughly tell where, in terms of distance along the wire, the tap is located.” This is a clever way to detect a sniffer as the other methods of detecting network cards in promiscious mode will fail if the sniffer is connected to the network via a RX only cable. Many of Cisco’s higher series switches support TDR albeit without graphing capabilities. According to this document, “the time delay reflectometer (TDR) counter is an internal counter that counts the time (in ticks of 100 nanoseconds (ns) each) from the start of a transmission to the occurrence of a collision. Because a transmission travels about 35 feet per tick, this value is useful to determine the approximate distance to a cable fault.” However, the TDR method described by Graham lends itself more to a device such as the Tektronix 1502C. In any event, I suppose if there’s a question of a rogue sniffer on a network the argument for local encryption should be made.

The Open Source Vulnerability Database (OSVDB) officially opened for public use a few days ago. It is difficult sometimes being in the security field when trying to piece together all the information from different sources on a single vulnerability. I’ve had good luck with ICAT from NIST which builds upon the CVE dictionary (yes, dictionary not database). I’ll start checking out the OSVDB now on a more regular basis. Relatedly, I recently visited the website again for the Open Vulnerability Assessment Language (OVAL) from MITRE. I had read about OVAL during its infancy and it sounded promising. The purpose of OVAL is to provide “a common language used by security experts to discuss technical details about how to check for the presence of a vulnerability on a computer system”. An interesting and aggressive project which breeds a fairly complicated schema. For example, check out the pseudocode (and accompanying XML/SQL) for a IE 5.5/6 vulnerability. The OVAL project provides a Definition Interpreter for download that will check a host for vulnerabilities using the OVAL definitions; however, there is only a Windows NT/2K .exe available at this time. Much like the OSVDB, OVAL depends on community involvement and support and there does not seem to be too much at this time as there are only 596 definitions. In comparison, the OSVDB has 4647 vulnerabilites in its database.