.:Computer Defense:.

I decided it was time to update CDVT, so the latest version is now checked into SVN.

The Metasploit Web-based SVN seems to have stopped passing a revision number, so I removed it from cdvt.xml. At the same time I updated the regexes to scrape the version information from nmap ('stable' was previously in italics and is now underlines) and Notepad++ ('The latest version :' used to have a 'v' before the version number).

The output is now:

treguly@ns:~/code/cdvt$ python cdvt.py text display
Getting Information for 2.4 Kernel
Getting Information for 2.6 Kernel
Getting Information for Cain & Abel
Getting Information for ettercap
Getting Information for Kismet
Getting Information for Metasploit Release
Getting Information for NetStumbler
Getting Information for nmap
Getting Information for Notepad++
Getting Information for PuTTy
Getting Information for Wireshark
2.4 Kernel:                     2.4.37
2.6 Kernel:                     2.6.28.7
Cain & Abel:                    4.9.29
ettercap:                       NG-0.7.3
Kismet:                         Kismet-2008-05-R1
Metasploit Release:             3.2 Release
NetStumbler:                    0.4.0
nmap:                           4.76
Notepad++:                      5.2
PuTTy:                          0.60
Wireshark:                      1.0.6

As always, I'm open to adding additional software, just let me know what you'd like to see added.

Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to:

• Does Web 2.0 Make Availability More Important?
• Are Denial of Service and Availability Interchangeable?
• A Browser Crash is...?
• A Firewall Denial of Service is...?
• A Web Server Crash is...?

These are the questions that drew the responses that I was really interested in... so let's jump right in.

Question 5 - Does Web 2.0 Make Availability More Important?

With this one here, I was rather impressed by the splits, overall we had 89 'Yes' responses to78 'No's. Our biggest group (IT Professional) saw 34 to 20 in favour of 'Yes', while the second biggest group (Security researcher) was an even split of 26 to 26. Perhaps the most surprising was IS Professional with 16 to 10 in favour of 'No'. Going into this survey if I had to pick one question that I thought would be clear cut, it would have been this one. I thought that everyone would say yes, that obviously isn't the case. So what did people have to say about this question?

If anything Web 2.0 has shown how little people care about availability. - Security Researcher/No

Web 2.0 (Web 'Uh-oh') actually opens up an entirely different set of security issues... - Security Researcher/No

There are just more people pissed off about it. - Developer/No

Availability is an issue for COBOL apps written in the 1960s.  Mission critical is mission critical.  Platform is irrelevant. - IS Professional/No

It really shouldn't it should have been just as important 10 years ago. I think the big difference is rather than 10,000 web users on a site 10 years ago, today there may be 1,0,000! Web 2.0, to me, signifies a big uptake in people casually using those tools. This makes A seem important as it really affects revenues and perceptions.  But should it have been less important? I guess that's a paradigm difference amongst people, but I think it should always have been important. - IT Professional/No

The purpose, not the technology dictate when availability is more important. - Management/No

As you can see, I've only selected comments where the commentor selected 'No' as their answer. So it seems to be that it's not, 'more important' but should be considered 'as important', at least to some people. That's complete valid... just not how I looked at it. I had assumed more people... more importance. The developers comment is interesting, "There are just more people pissed off about it". That follows the logic that I had used in my assumptions, yet they answered no. I guess that means the question comes down to "more important to who"? The business, the user or both? I'd say both. If I can access the service, I'll be happy. If I'm happy I'll most likely be retained as a customer. If I stick around, I'll probably buy more and the business will be happy.

The remaining comments either passed off 'Web 2.0' as a horrid buzz word or revolved around the concept I just mentioned, more people and more business make Web 2.0 more important.

Read more...

So here we go... I know some people have been waiting to see these numbers so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately but I've still counted the drop down boxes from that survey. There were 204 anonymous responses and 75 with names, email addresses or websites attached to them. People that follow me on twitter may have noted last night that I was really enjoying the comments. Based on the comments to the first question I had done a quick estimate, expecting ~600 comments... however the numbers dwindled on the following comments and picked up again for the last question. In the end I received 250 comments in addition to the survey responses. I haven't yet decided if I'll make the survey data available but if I do, I'll definitely remove all personal information.

The survey posed 9 questions and allowed for plenty of space to provide comments, so I was really excited to see the answers that I would get.  Some people felt my questions biased the responses (I believe it's impossible to do anything without introducing personal bias on some level) and others questioned what I was trying to get at.  I think I'll start by summing that up as simply as I can.  If someone causes me to lose access to something, I believe they've denied me service and it is therefore a denial of service. I've seen all sorts of responses that it depends on if the denial was malicious or accidental, that it only applies to servers and so forth. I think it's much simpler than that... if I visit a website and it crashes my browser... Denial of Service. If I run a web server and someone crashes it... Denial of Service. So I wanted to know who shared my opinion and how people felt about Denial of Service.

For this post I'm going to provide graphs of the responses, mapping response to profession and some minor feedback.

Read more...

Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality & Integrity vs Availability, instead of all three being treated as important. Anyways I've been under constant hounding to release some statistics from the survey, so I figured I'd do a multi-part series on Denial of Service (ok... so right now it's planned as a 2-part series). This first part is a precursor, since I had numerous people argue on whether or not DoS and DDoS were the same thing or different things and also on whether or not DoS was still valid (more on that to come). Since the survey was part of a conference talk that I wanted to do and the talk wasn't accepted, I figure it's as good a time as any to start posting.

One of the most interesting things that I came across during my initial investigation was that there's no clear definition of Denial of Service. A simple define: denial of service search on Google yields numerous results:

Attacks on wired networks require a far greater deal of computing power, often even requiring the need of distributed computing. Attacks on wired networks of course do not require any NICs or external antennae, yet often does have the need of a (broadband) connection to the Internet. (Wikipedia)

I rather enjoy this one because it has two interesting remarks. The first is that you require a great deal of computing power to perform a denial of service attack. The second is that when attacking a wired network you do not require a NIC.

A type of attack that tries to block a network service by overloading the server. (Ingate - A firewall vendor)

Blocking a network service is definitely one form of a DoS, however a single computer usually doesn't accomplish the task very well and this will usually be a DDoS.

denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes. (The Linux Security How-To)

This time instead of "overloading the server" we see "consumes the resources". One again, we seem to be confusing DoS as a whole with a single type of DoS or a DDoS. This confusion seems to occur everywhere. When I was initially distributing the survey link, I had numerous people question why I was even bothering. They claimed that DoS was irrelevant because it was simply a packet flood, that you were "overloading the server" and "consuming the resources". This is not the case at all and, as I've mentioned repeatedly, they were looking at a single piece of the Denial of Service Pie.

So what is a Denial of Serivce? Excellent question. There are actually a few sites that define it more appropriately.

Denial of Service: Result of any action or series of actions that prevents any part of an information system from functioning. (KeyBank)

Denial of Service: Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks (SEQUI)

This is a much more accurate definition of Denial of Service and I'm glad to see that there are proper definitions floating around.

If I were to define Denial of Service, I would say, very simply, "The absence of Availability." I don't think the definition itself needs to go much beyond that. It is very broad, but broad can be good. Some people may argue that it's too encompassing but that definitely isn't the case. Think about the recent Slashdot downtime, while the problem was internal, it was a Denial of Service in the broadest sense of the term. Whether it's a power outage, a tornado, a tank driving through your data center, a packet flood or a malformed packet bringing down a listening server... it's all Denial of Service.

Now DDoS is another beast. Distributed Denial of Service tends to be defined more reasonably most of the time and people are generally clear on what it is. Essentially, it's what everyone I quoted above was describing, a wide-scale, multiple-source attack that consumes resources and renders the device or service inaccessible. Metasploit, and many others, have experienced this recently.

So why is all of this important? It helps you to understand the logic and reasoning behind some of the questions on the survey. Many people left comments stating that the questions were unclear, primarily because they were thinking of Denial of Service in terms of a packet flood. Before I release details on the survey, I want to be sure people have a clear understanding of what I'm talking about. I know what you're thinking, and I should have done this prior to the survey, however I didn't realize that what I considered to be a industry standard definition was not.

That is why I asked questions like, "Is Denial of Service a Vulnerability?" Some said 'no', it's a packet flood and that isn't a vulnerability. Many said 'sometimes', with the logic that some times it's taking advantage of a vulnerability and other times it's a simple packet flood. Personally, I like 'sometimes' as the answer to this question, although the comment that I'd add would be that I consider the majority of DoS to be a vulnerability (in other words, 'sometimes' doesn't need to be a 50/50 split). The answer however, may depend on where you sit within IT/IS or perhaps where you sit within your organization.

I see a vulnerability as any weakness, within reason, that leaves you vulnerable. Some see a vulnerability as a coding flaw or poor protocol implementation, while others see a configuration option as a vulnerability. I've been told that a null pointer dereference shouldn't be labeled as a 'critical vulnerability' but we've all seen what Mark Dowd can do with one. I guess my point is that no answers were cut and dry, that's why I left the ability to comment on the majority of the questions.

So back to my point... my goal was to find out what everyone thought Denial of Service meant, and when they felt the label "Denial of Service" applied. Is a web server crashing on a malformed HTTP request a DoS? If it is, then is a web browser crashing on a malformed HTTP response also a DoS? The opinions on answering this can be quite varied, and in writing this I believe I just talked myself into a third post... a follow up with my commentary to the survey data, especially to this point as the answer really intrigues me. That being said, I invite everyone to comment on this point in particular (of course I always welcome comments on everything).  Whether it's a comment below this post, or a blog post of your own... I would love to see full responses (in greater detail than the survey could have possibly allowed for) to those two questions.

I have theories and thoughts that I will expand on as well, as I explore this series (I believe I've just through of a fourth post now)... but up next will be the survey results. I just wanted to be sure that everyone had an understanding of the difference between DoS and DDoS, and that it was understood, or at very least understood that I feel, that a DoS is more than a simple packet flood.

Really... the title says it all... There's a small write-up here which is where I found out.

I just received one of the best scam phone calls every to my cell phone (I seem to be getting more and more of these calls to my cell phone and it pisses me off).

The call came from (916) 219-8163

It was an automated recording that said the following:

This is the second time we've called to notify you that the warranty on your vehicle is about to expire. Driving without a warranty can lead to serious problems and you should renew your warranty immediately. We will not call you again, if you do not renew your warrant we will remove your file from our system. Please press 1 to speak with a representative or press 2 to be taking of our calling list

Given that I'd already answered, I figured I might as well have some fun, so I pressed 1.

The remainder of the call went like this:

> "Hello sir, can I get your name"
< "Yes... it's Tyler Jones J-O-N-E-S"
> "Thank you sir and I just need to confirm the vehicle you drive"
< "I don't own a vehicle.. but I have a bike"
> "Does anyone in your home have a vehicle sir?"
< "Nope... we all have bikes"
> "Oh, just to confirm your number was 647-828-6206, we'll put you on our do not call list"
*click*

I didn't get to have nearly as much fun as I wanted... next time they call back I'm definitely going to own a car.

So previously I'd posted about writing my own curses twitter client, partially to use and partially to start playing with curses. It was quickly pointed out that I had used an older version of twyt (python library to access the twitter API) -- this taught me to think twice before running apt-get install in the future.

Anyways, I was a little delayed (due to a quick trip to Atlanta) but now I'm back at a computer and I decided to fix up TwCuP to make use of the latest twyt (0.9.0). Everything is cleaned up and working, and at Marcin's request, I've set it to make use of the API over HTTPS (twyt uses HTTP by default).

Once you have all the required modules (twyt.twitter, twyt.data, getpass, sys and curses), you'll only require a single file (client.py).

You can get this file via websvn here.

I plan to add the rest of the twyt API and then start tweaking... expanding on just what can and can't be done. In the mean time I'm open to comments and feature requests.

[Update: Added Screenshots]

A long time ago I decided that I would never review software that I was asked to look at, and that I probably wouldn't post deals sent my way unless they were truly valuable to my readers. So when I was contacted by Neobyte Solutions with a "special offer" for my readers, I almost hit the spam button. However, I've recently been considering personal backup software (storage is dropping in price and I have a number of systems with critical files these days), so I looked online and saw some features of Titan Backup that I really liked. The initial offer was a copy of Titan Backup 1.5 [download] for free with this serial: 000020-ACM8KK-1YXTMT-JZT4C6-JF18HG-VTR9BJ-VKM9KR-K2923Y.  They also offered a 50% off discount code [NEOB-SGKO] which could be used here to upgrade to Titan Backup 2.5.

I countered with a request for a few 2.5 keys that I could give away to my readers and they were happy to provide a couple. As such, I'm going to give away a few serials for Tital Backup 2.5 on Friday by selecting random people from the comments. Please be sure to include your email address so I can get back to you.

Read more...

[Update: Due to Bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.]

DVL 1.5 is out, and I have mirrored it again.

There is also a call out for people to create training materials, so if you can, swing by the DVL forums and volunteer to make a video or two. However, I'm unsure of where to find the forums (there's no link on the main page and I'm not a user). Please share a link if you know how to get to them.

So I mentioned some of this to someone the other day and they were surprised by it (and a Blackberry user) so I thought I'd do up a quick post about it... some people may not realize how much information can be determined about you. Note, these are based on my observations.

Blackberry IM Status:

• Active -- User can be sent messages and will receive them immediately
• Contact is Unreachable (Icon: (- (not quite sure on this one but that's what it looks like) )
  • Out of cell range
  • Phone is no longer active
  • On a phone call
• Pending -- They haven't authorized you yet. (Icon: Green +)
• Unavailable -- Set by the user (Icon: Red X)

Blackberry IM  Icon:

• Clock -- Waiting to Sent
• Bulls Eye Circles -- Sending
• Checkmark -- Sent successfully
• D -- Delivered
• R -- Read

Now... you'd think that this limits what you know, but it really doesn't. Generally you'll know if one of your Blackberry IM contacts has had their phone deactivated and depending on where you live, you may also know when they are in or out of cell range (the exception may be if they turn their phone off).

Something that was recently pointed out to me is that GSM will continue to deliver messages while you're on the phone, while CDMA (which is what both the Blackberries in my house are) won't.

This means that you can further determine:

• Unreachable + Checkmark == Phone Off or CDMA on a Call
• Unreachable + D == GSM on a Call

I know, to most people this probably doesn't seem like much, but I figured it was worth sharing... if one person learns something new... mission accomplished.