Friday, February 29, 2008

Leap Day, Leap Year and WMIC

It's not often that I get to post on Leap Day, so I thought I would take advantage of the occurrence.

Class has been talking a lot about Windows command-line tools. One such tool that has been getting a lot of time is WMIC. I've printed the help, but there doesn't seem to be a lot there. Also, I'm in the process of going through the knowledge base:
here
here
here
and here

If anyone knows of other good sources to read up on WMIC, I'd love to know of them.

Tuesday, February 26, 2008

The Linkin Park Stalker

First off, if you haven't signed up for the various newsletters from SANS, you should. They're great. Not only is there a list for recent vulnerabilities that have been released, but they have newsletters for relevant security news.

In today's NewsBites (Vol 10, No. 16), there is an article on the internet stalker that had been harassing the lead singer of Linkin Park, and his wife. I'm going to quote the article here:

--Internet Stalker Gets Prison Time
(February 21, 2008)
Devon Townsend has been sentenced to two years in prison for using
computers at her workplace to access private information about Linkin
Park lead singer Chester Bennington. Townsend was employed at Sandia
National Laboratories; from computers there, she managed to access
Bennington's email account, phone numbers, phone bill records, and
family photographs. She used some of the information she found to
threaten Bennington's wife.
There were two articles that the note linked to:
Link 1
Link 2

However, I remember a truly great article from Wired Magazine detailing the story. A little searching and I was able to find it. Click here to read the article.

Wednesday, February 20, 2008

F-Secure Blacklight Rootkit Elimination

I've just recently downloaded and been running F-Secure's Blacklight Rootkit Elimination tool. And, I have to say, I like it. I've been using it on the home network, but the real test will be when it accompanies me out in the field. For quite a while, I had been using Trend Micro's Rootkit Buster, but when I built a new machine, I decided to try F-Secure. Of course, I haven't found anything yet, so I'll be putting it through its paces in the field. As I see more action, I'll report in on the results.

Saturday, February 16, 2008

Getting Nessus running on Ubuntu (Feisty) on a Thinkpad T40

Notes for myself, hopefully, they'll help someone else.

I noticed that Nessus was available from the Ubuntu repositories.
I added it through Add/Remove, but realized that it only included the client, not the server package.
Type: "sudo apt-get install nessusd" to grab and install the server.
Next, run: "sudo nessus-mkcert" to create the server's certificate (the client talks to nessusd over SSL, so this has to exist before the server will start).
Next, run: "sudo nessus-adduser" in order to create the user account you will log in as to run scans. Both commands need root because they write under the nessusd configuration directory.

I ran Nessus, both the server and the client. However, the scan was limited because I did not have many of the plug-ins. To get the plug-ins, I went to http://www.nessus.org and registered for free. (The free feed gets the newest plug-ins after they have been out for a week.) You will receive an activation code in the email that was used to register. To activate it, type:

sudo nessus-fetch --register <activation code>

(In the future, to update the plug-ins: sudo nessus-update-plugins)

That done, it's time to run Nessus.
To start the server and put it in the background, type:
sudo nessusd -D

Wait for the command prompt to come back (nessusd loads all of the plug-ins before it detaches into the background, so the prompt returning means the server is ready.)

Then, you are able to run the client program from Applications -> Internet -> Nessus

That should do it.
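The procedure above collected into one script, with two checks the post does not mention: a readiness probe against the port nessusd listens on instead of watching for the prompt, and binding the daemon to loopback so the scanner is not reachable from the rest of the network. This is an added example, not the post's own commands. It assumes the Ubuntu nessus/nessusd packages of the time, nessusd's default TCP port 1241, its -a option for choosing a listen address, and bash's /dev/tcp for the probe; NESSUS_ACTIVATION_CODE is a placeholder for the code from the registration e-mail.

```shell
#!/bin/bash
# Added example (not from the original post): Nessus 2.x setup and start
# with checks. Assumptions: Ubuntu 'nessusd' package, nessusd on TCP 1241
# (its default), nessusd's -a <address> listen option, bash /dev/tcp.
# NESSUS_ACTIVATION_CODE is a placeholder for the registration e-mail code.

# Return 0 when something accepts TCP connections on host:port.
# bash's /dev/tcp means no netcat dependency; the subshell keeps a failed
# connect from killing a 'set -e' script.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll host:port for up to $3 seconds (default 120).
# Returns 0 once the port answers, 1 on timeout.
wait_for_port() {
    host=$1; port=$2; deadline=$(( $(date +%s) + ${3:-120} ))
    while ! port_open "$host" "$port"; do
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep 1
    done
}

# One-time setup: server package, certificate, scan user, plug-in feed.
nessus_setup() {
    sudo apt-get install -y nessusd
    # Self-signed certificate for the client/server SSL session.
    sudo nessus-mkcert
    # Account the client logs in with; anyone holding it can launch scans.
    sudo nessus-adduser
    # Activation code from the registration e-mail (placeholder variable).
    sudo nessus-fetch --register "$NESSUS_ACTIVATION_CODE"
    sudo nessus-update-plugins
}

# Start the daemon bound to loopback only and wait until it answers.
# nessusd -D loads the plug-ins and then detaches, which can take minutes
# with a full feed, hence the generous timeout.
nessus_start() {
    sudo nessusd -D -a 127.0.0.1
    if wait_for_port 127.0.0.1 1241 300; then
        echo "nessusd is listening on 127.0.0.1:1241"
    else
        echo "nessusd did not come up within the timeout" >&2
        return 1
    fi
}

# Usage: ./nessus-setup.sh setup   (once)
#        ./nessus-setup.sh start   (each session)
case "${1:-}" in
    setup) nessus_setup ;;
    start) nessus_start ;;
esac
```

Run the setup once and the start step before each session. If the client runs on a different machine, drop -a (or bind to that interface) and make sure the firewall limits who can reach 1241: anyone who can authenticate to nessusd can scan from that box, so the scan user's password deserves the same care as a shell account.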

Wednesday, February 13, 2008

Kismet on a Thinkpad T40

It took me a bit, but I finally got Kismet installed and running on my Thinkpad T40. I believe the on-board wireless chip is a Cisco, and as such was not easily detected. There were a couple of things I needed to fix.

Mainly, I had to edit the root-owned kismet.conf file.
In the file, there were two settings that needed to be changed. The first was suiduser, the unprivileged user Kismet drops to once it has opened the capture interface. I run Ubuntu, and to get Kismet to work properly, I start it with sudo, so it only keeps root for that one step. Secondly, you need to add a source record. This was the hardest part for me. A quick check at the ThinkWiki showed me that the wireless card could have been one of three manufacturers. A little trial and error got me to the Cisco card (and even that had some tricky conventions.) In my case, I set source=cisco_wifix,eth1:wifi0,Cisco. That middle parameter was the tricky part. For the Cisco card, you have to list both interface names, the ordinary eth1 and the raw 802.11 wifi0 interface the driver creates. You can get a listing of the different chipsets and parameters at Kismet's documentation page.

To get Kismet running, I just typed 'sudo kismet' and away I went.
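The two kismet.conf edits above as a small script, added here and not part of the original post: it rewrites the suiduser= and source= lines, leaves every other line alone, and prints the resulting source line so it can be checked before Kismet is started. The user name, config path and interface names are placeholders, and the config syntax is the one the post uses (source=driver,interface,name). Pick an unprivileged account for suiduser: the point of the setting is that Kismet needs root only to open the capture interface and then runs as that user, so a typo here (or leaving it as root) means the whole sniffer runs privileged.

```shell
#!/bin/sh
# Added example (not from the original post): set suiduser= and source=
# in a kismet.conf without touching anything else.
# Assumptions: 2007-era kismet.conf syntax; user, path and interface
# names below are placeholders.

# Usage: set_kismet_source <conf> <unprivileged user> <driver> <interface> <name>
# Existing suiduser=/source= lines (commented or not) are removed and the
# new values appended, so running this twice gives the same file.
set_kismet_source() {
    conf=$1; user=$2; driver=$3; iface=$4; name=$5
    tmp=$(mktemp) || return 1
    grep -v -e '^#*suiduser=' -e '^#*source=' "$conf" > "$tmp" || :
    printf 'suiduser=%s\nsource=%s,%s,%s\n' "$user" "$driver" "$iface" "$name" >> "$tmp"
    # cp (not mv) so the root-owned file keeps its owner and mode.
    cp "$tmp" "$conf" && rm -f "$tmp"
}

# Helpers for checking the result.
kismet_source_line() { grep '^source=' "$1"; }
kismet_suiduser()    { sed -n 's/^suiduser=//p' "$1"; }

# Example invocation (needs sudo for the real file):
#   sudo sh kismet-conf.sh /etc/kismet/kismet.conf alice cisco_wifix eth1:wifi0 Cisco
if [ "$#" -eq 5 ]; then
    set_kismet_source "$@"
    echo "suiduser: $(kismet_suiduser "$1")"
    echo "capture:  $(kismet_source_line "$1")"
fi
```

After the edit, 'sudo kismet' should report the Cisco source coming up and then show itself running as the suiduser account; if it is still root in ps, the suiduser line did not take.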

Friday, February 8, 2008

Network Taps

In the class last night, we briefly discussed network taps. The name that came up was Net Optics. However, reading this page on Wikipedia, I see other manufacturers. A couple of people in the class mentioned Net Optics as being very good, although they mentioned they were pricey. Wikipedia's page lists some other vendors: Comcraft, Datacom Systems, Network Critical, and VSS Monitoring. None of those names were mentioned so I'm wondering if anyone has any experience with them. Any thoughts would be appreciated.

Thursday, February 7, 2008

5th Cable Cut

I'm not sure even what to write, or believe any more.

In other (un)related news... the GCIH class is AWESOME.

Saturday, February 2, 2008

GIAC certification coursework materials arrived

Woohoo!
The course books and CD of software arrived the other day. I just quickly thumbed through them, and they really look great. The class looks like it will be a lot of fun.

It Looks Like the Middle East Cable Cuts were accidental

SANS NewsBites reports that the cut to the Middle East data cable was accidental. They cite three articles, which I've listed below:
The New York Times
BBC
and news.smh.com.au

I'm excited to read they were accidentally cut.

Friday, February 1, 2008

Middle East cable - Part II

CNN.com has a story on the cable being cut. In it, it is postulated that it was possible that a boat anchor had cut the cable. You can read the story here.

Middle East Cable cuts

I read a while ago, here, of the potential cable cut in the Mid-East from SANS. Normally, I wouldn't dwell too much on it. However, as it happens, I have a very old friend working in Djibouti that I have just re-connected with. So, I was a little surprised when I read of the cable cut. My first thought was "how, exactly, does a cable get cut?" Ok, I can believe an earthquake would do the trick. But, outside of that, what would cut a cable? A person? A fish? A boat/sub? Something else?

Now, I read on the SANS Internet Storm Center that apparently more cables to the Middle East have been cut. You can read the new article here. Now, I am suspicious. One cable? Ok. But the backup cables as well? I have to wonder. The post talks about backups going down. Sometimes our backup systems are rarely used until they get called into service. And that's not when you want to find out there's a problem with them.

As it is, I hope connectivity isn't down for a long time. I enjoy hearing from my friend.