airpwn

A program called airpwn, released at DefCon, injects application-layer data into an 802.11b network. Very evil.

Paper on patching ROI

A good paper on measuring ROI (or the inability to) for computer security patching.

A virtual key fob

A Virtual Key Fob.

Slick package for OpenSSH on Windows

OpenSSH for Windows is a “free package that installs a minimal OpenSSH server and client utilities in the Cygwin package without needing the full Cygwin installation.” I downloaded and installed just the SSH server on my w2k machine. Next I had to create a group file (this is for domain groups; local groups are also an option):

C:\PROGRA~1\OpenSSH\bin>mkgroup -d >> ..\etc\group

Next I needed to add authorized users into the password file:

C:\PROGRA~1\OpenSSH\bin>mkpasswd -d -u [my username] >> ..\etc\passwd

Now I can start the server:

C:\PROGRA~1\OpenSSH\bin>net start opensshd
The OpenSSH Server service is starting.
The OpenSSH Server service was started successfully.

I fire up an SSH session from a remote machine to my w2k machine to test, and after authenticating with my domain password I get dropped into this:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\[my username]>

Pretty neat software.

Capturing heavy traffic

There is an interesting discussion taking place on the tcpdump mailing list about capturing heavy traffic (150Mbps). From my experience there is a whole chain of factors that play into capturing traffic at high speeds. Starting with the NIC, performance issues can crop up if the card does not have adequate buffer space (Intel’s 100 ProS or 1000MX have 128K for receive, for example). From there the NIC has to issue interrupt requests to move more data for both sending and receiving; this is an OS issue, since the OS must have fast interrupt handling code. Next the buffer has to be copied off the card, typically into the OS IP stack, and only then does your application copy the packet out of BPF. Improvements have been made to address these bottlenecks, for instance using MMAP to minimize packet copies (Phil Wood’s libpcap patch) and modifications directly to BPF. The discussion on the tcpdump list suggests similar measures: a TAP (like Net Optics), hardware with high internal bandwidth such as a 533MHz or greater FSB and PCI-X or 64-bit/66MHz PCI, a decent NIC, and a *BSD OS. A very interesting paper cited is Improving Passive Packet Capture: Beyond Device Polling.
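When any link in that chain falls behind, the symptom is packets dropped by the kernel, which tcpdump reports in the summary it prints on exit. The following is an added example, not from the original post or the tcpdump project, that parses such a summary and refuses to trust a capture whose drop rate exceeds a threshold; the tcpdump invocation in the comments is assumed, and the summary text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: check a finished tcpdump run
# for kernel drops, the visible symptom of the NIC -> interrupt -> stack ->
# BPF copy chain described above falling behind at high packet rates.
#
# Assumed invocation whose summary is parsed here (tcpdump's -B flag sets
# the OS capture buffer size in KiB on platforms that support it):
#   tcpdump -B 65536 -i eth0 -w capture.pcap 2> tcpdump.log
#
# Constructed sample of the three-line summary tcpdump writes to stderr on exit.
SAMPLE_SUMMARY='1203456 packets captured
1250000 packets received by filter
46544 packets dropped by kernel'

# field <summary> <pattern>: print the leading count of the first matching line
field() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }'
}

# drop_rate_pct <summary>: print dropped packets as a whole percent of the
# packets received by the filter; prints 0 and fails if the summary is unusable
drop_rate_pct() {
    received=$(field "$1" 'received by filter')
    dropped=$(field "$1" 'dropped by kernel')
    if [ -z "$received" ] || [ -z "$dropped" ] || [ "$received" -eq 0 ]; then
        echo 0
        return 1
    fi
    echo $(( dropped * 100 / received ))
}

# capture_ok <summary> <max-percent>: succeed only if the drop rate stays at
# or below the threshold, so a capture that silently lost packets is flagged
capture_ok() {
    rate=$(drop_rate_pct "$1") || return 1
    [ "$rate" -le "$2" ]
}

# Stand-alone run over the constructed sample (3% dropped, above a 1% limit)
if capture_ok "$SAMPLE_SUMMARY" 1; then
    echo "capture within tolerance ($(drop_rate_pct "$SAMPLE_SUMMARY")% dropped)"
else
    echo "capture lost $(drop_rate_pct "$SAMPLE_SUMMARY")% of packets: raise -B, check NIC buffer, bus and interrupt load"
fi
```

Run it against the real stderr of a capture (`capture_ok "$(cat tcpdump.log)" 1`) as a post-capture sanity check; a non-zero drop count means the evidence in the pcap is incomplete no matter how fast the sensor looked on paper.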

Snort 2.2.0, Snortworld, and Sguil 0.5.1

I just saw that Snort version 2.2.0 was released. The changelog has all the details. In checking http://www.snort.org I see under the News section that there might be a SnortWorld conference organized in the near future. I would definitely like to attend that. I filled out the survey questions about what I would like to see in a Snort-based conference. In other news, Sguil version 0.5.1 was released. This version fixes a host of bugs and adds a packet data search feature (my suggestion; thanks to Steve for actually writing the code :) and some good PHB reporting.

Marriage of BitTorrent and RSS

Salon has a decent story on the marriage of BitTorrent and RSS for television programs, which I’ve talked about before (and am a fan of).