Archive

Posts Tagged ‘malware’

Scan-Me.org

I shared a while back that I had decided to pick up two dedicated servers... rather than worrying about buying hardware and paying colo fees, I went with just paying fees... high fees, but fees nonetheless. I picked up one Windows machine and one Linux machine and I've been playing with them quite a bit.

One of the things I got to do was remember everything I learned in school and configure various services in a working "production" state. It's one thing to set up a piece of software to test against... it's another to configure it and lock it down to a state you're comfortable with having online.

One of the things I decided to do was to pick up an extra IP and set up nepenthes listening. I decided to register the domain scan-me.org to attach to it. The domain may seem too obvious, but I figure automated tools are looking at IP addresses or links to domains (required link for any bots to pick up).

I've had it listening for about a month with nepenthes 0.2.0. I attempted to upgrade to the latest svn version so that I could include the listener for MS08-067 but my first attempt went rather poorly and I ended up with nothing listening. I'm back to 0.2.0 for now, however I do plan to attempt another upgrade in the near future.

I'm hoping mentioning the domain here will increase the number of scans and quantity of traffic that it sees (anyone that wants to, feel free to repost the address). I've seen limited samples coming in so far; however, those samples do make for some fun nights (I suppose I have an odd definition of fun).

Anyways... I just wanted to share that I had nepenthes running and get a blog post out with the domain mentioned. In the upcoming weeks I hope to post some write-ups related to the samples I'm seeing.

[SecTor Review] TCP/IP Perversion

SecTor Day #1
Speaker: Rares Stefan
Presentation (ppt)
Audio (wmv)

This was the first talk that I attended. Based on what I saw, it was the smallest of the three rooms, however I can't be sure as every talk I attended was in the same room. I rather enjoyed the intimate nature of the setting... a small, yet packed, room made for a great presentation environment (at least it did on the attendee side).

The subject was TCP/IP Perversion and the presenter was Rares Stefan, the Chief Security Architect at Third Brigade. The talk centered around inline drivers that could be placed low enough in the stack that they could modify data being sent without the OS taking notice. The idea was focused around malware, but the demonstration slides made use of what I believe is internal Third Brigade software for testing/development (Note to any Third Brigade employees that read this: I'd love a chance to play with the software).

So here's an example of what was presented. You (192.168.1.100) fire up Wireshark and start sniffing, then you request a web page (Google.ca: 64.233.161.104):

Source: 192.168.1.100
Destination: 64.233.161.104

GET / HTTP/1.1
Host: www.google.ca
Connection: close

In Wireshark you see the request as you should, however the sniffer on the hub you are connected to sees the following request.

Source: 192.168.1.100
Destination: 82.165.158.149

POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close

Data that has been inserted.

Your sniffer, and therefore any HIPS/HIDS that you have, will not have noticed this change. To any device further down the network (IDS/IPS/Proxy) this is a completely valid request. The network device hasn't seen the original message and your computer hasn't seen the modified message.
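One defensive takeaway from the scenario above is that the host's own view and a network-side view of the same flow have to be compared, since neither alone reveals the tampering. The following is an added example (not from the talk or from Third Brigade's software) that parses two constructed capture summaries in the format used above and reports every field on which the host and the wire disagree.

```python
"""Cross-view check: the host's own capture vs. a capture taken on the
network. Both inputs are constructed samples in the format shown above."""
import re

# Constructed: what Wireshark on 192.168.1.100 reports for the request.
HOST_VIEW = """Source: 192.168.1.100
Destination: 64.233.161.104

GET / HTTP/1.1
Host: www.google.ca
Connection: close
"""

# Constructed: what a sniffer on the hub sees for the same connection.
WIRE_VIEW = """Source: 192.168.1.100
Destination: 82.165.158.149

POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close

Data that has been inserted.
"""

def parse_view(text):
    """Split a capture summary into addressing, request line, headers and body."""
    addr_part, _, http_part = text.strip().partition("\n\n")
    fields = dict(re.findall(r"^(\w+):\s*(.+)$", addr_part, re.M))
    head, _, body = http_part.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, version = request_line.split()
    fields.update(method=method, path=path, version=version, body=body.strip())
    fields["headers"] = {k.strip().lower(): v.strip()
                         for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    return fields

def diff_views(host_text, wire_text):
    """Return {field: (host_value, wire_value)} for every field that differs.
    Empty means the wire agrees with the host; any entry is a change that a
    host-side sniffer or HIDS could not have observed."""
    host, wire = parse_view(host_text), parse_view(wire_text)
    diffs = {}
    for key in ("Source", "Destination", "method", "path", "version", "body"):
        if host.get(key) != wire.get(key):
            diffs[key] = (host.get(key), wire.get(key))
    for name in sorted(set(host["headers"]) | set(wire["headers"])):
        if host["headers"].get(name) != wire["headers"].get(name):
            diffs["header:" + name] = (host["headers"].get(name), wire["headers"].get(name))
    return diffs

if __name__ == "__main__":
    for field, (on_host, on_wire) in diff_views(HOST_VIEW, WIRE_VIEW).items():
        print(f"{field}: host saw {on_host!r}, wire saw {on_wire!r}")
```

In practice the wire-side view would come from a tap or span port capture keyed on the same source address and connection, not from anything running on the suspect host.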

This was demonstrated/discussed using Pre-Vista Windows Operating Systems but that doesn't preclude Vista from the possibility of the same issues.

As I said in my SecTor Overview post, I had expected presentations that were quite a bit more technical. This presentation was actually great in that category... while the technical details weren't necessarily communicated, you could see what was happening in the debug window of the software used, and the actions taking place in those images were quite interesting to watch.

The concept of malware that could do this is frightening. If I remember correctly, it was mentioned that presently there isn't any malware taking these sort of actions, but that doesn't mean that we won't see it in the future.

The talk ended up being a great way to start off Day #1, and struck me as a topic that I would love to delve deeper into.