Suggested Blog Reading – Monday May 21st, 2007

ReadOh how I enjoy holiday Monday’s…

Here’s the list:
Argus 3.0: Cisco Netflow – Good intro to using Argus with NetFlow if you’ve never been exposed to either before.

Cisco has improved and add new features to its IOS, I have found few new features for Netflow that looks pretty interesting to me where you can capture more useful information. The most commonly used Netflow version is 5, I would like to try out version 9(shiny?If any of you use version 9, I would like to hear from you) however argus doesn’t identify Netflow version 9 yet thus I remain to use the solid Netflow version 5. So here I start to export Cisco Netflow data to argus collector(probe).

Hiding Inside a Rainbow, Part 2 – Part Two in the series.

In my previous post about steganography and rainbow tables, I explained a technique to hide data in a rainbow table. The disadvantage of this method is that there is a way, albeit costly, to detect the hidden data. This is because we replace the random bytes, that makeup the start of the chain, by the data we want to hide, thereby breaking the chain. A broken chain can be detected by recalculating the chain and comparing the recalculated hash with the stored hash. If they differ, the chain is broken.

Pre-connect NAC – The first building block of a controlled guarded enterprise LAN – Good overview of “pre-connect” NAC.

For those of you who are confused by the different terms, pre-connect NAC is the phase in which the identity of the device and the identity of its user are to be verified.

Litchfield on Oracle Live Response – I can’t believe I missed this one. Thanks Harlan/Richard!

Thanks to Richard Bejtlich, I learned this morning that David Litchfield, famed security researcher with NGSSoftware, has released a paper entitled Oracle Forensics Part 4: Live Response. In that paper, David starts off by discussing live response in general, which I found to be very interesting, as he addresses some of the questions that we all face when performing live response, particularly those regarding trust and assurance…trusting the operating system, trusting what the tools are telling use, etc.

More Terms from Logging Glossary Published – I can’t wait to see how this list grows.

As I mentioned here, I started publishing the LogLogic Logging Glossary. Here are the terms and definitions published so far:

Alert
Audit Logging
Context Information

Windows Home Server versus Linux or BSD – I don’t think I’ll be up late at night pondering which to choose 😛

Last year whenever people asked me what to use when building a home server, I’d tell them to use Linux or FreeBSD because there was absolutely nothing from Microsoft under a few hundred dollars. There was no way anyone would spend a few hundred dollars on Windows Small Business Server so Linux or FreeBSD was their only choice. With Windows Home Server on the horizon, Microsoft might just steal a piece of the home server appliance market from Linux.

This Old Vulnerability: Sendmail 8.6.9 – I think these articles are a fantastic idea. Simply telling people that sendmail is/was vulnerable just doesn’t cut it. Showing some historic examples will drive the point home. Someone give this guy a laptop 🙂

Today on This Old Vulnerability, we will take a quick tour through a classic metacharacter/delimiter injection attack. Our petri dish will be Sendmail 8.6.9 (and 8.6.10). The vulnerability was caused when sendmail would take input from a remote identd (the username) and blindly write it into a sendmail queue file.

Enumerate Windows Users In JS – Creepy-cool!

Sergey Vzloman is at it again… He sent over a really interesting piece of demo code (he tested it in IE6.0 and FF – I was only able to test it in Firefox) that enumerates users on Windows systems. Right now, as the code stands in his demo (with only minor tweaks from me) it only tries four accounts and is intentionally noisy to show what it’s doing, but it works pretty well.

Scroll to top