Posted: Sun Oct 02, 2005 3:37 pm
Sep ’05 SFDC Column
Well yet another month has gone by quickly for us at Security-Forums. There have been many more interesting posts, with some equally inventive responses to questions asked. We certainly are seeing our normally high amount of GPO questions, and that only makes sense as applying GPOs in an effective way can definitely be a complex task. I for one would definitely like a course on W2K3 administration, which would cover GPO usage. Bearing this in mind, if any of you GPO experts would like to write up an article or how-to, if you will, on GPOs, please feel free to contact me via pm. This would make for a very interesting member article. Also make sure to remember to nominate your favourite posts for our upcoming Quarterly Prize Give Away. On that note, let's get to some of last month's posts.
Data mining techniques
The poster in this thread wants to know of any data mining techniques that are used by people to help glean some intelligence from the mass of logged data that is generated by an IDS. Not every organization logs activity in the same way, but several companies that I have been associated with log all packets marked suspicious by an IDS, and at the end of the hour compress them. Using this storage method you are able to apply BPF and bitmask filters to accomplish your task of rooting out suspect activity. These filters are, in and of themselves, very powerful. What you need though is a strong knowledge of TCP/IP in order to make the most appropriate filter and bitmask to accomplish your task. I gave the example of searching your IP addresses or range for any SYN/ACKs coming from the ephemeral port range. That is just one way of leveraging your knowledge of TCP/IP that comes readily to mind. There are many others, but it will also come down to your having knowledge of the network protocols, and how they speak to each other.
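As an added illustration (not from the column or the thread), here is the SYN/ACK-from-ephemeral-port filter described above, written out both as the BPF/bitmask expression you would hand to tcpdump over the hourly captures and as the same test applied in Python to constructed TCP headers. The monitored range 192.0.2.0/24 and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# TCP flag bits live in the byte at offset 13 of the TCP header; tcp[13] in BPF.
SYN = 0x02
ACK = 0x10
SYN_ACK = SYN | ACK  # 0x12: both SYN and ACK set


def build_tcp_header(src_port, dst_port, flags):
    """Constructed minimal 20-byte TCP header (no options) for the sample data."""
    # src port, dst port, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)


def bpf_expression(monitored_net, ephemeral=(1024, 65535)):
    """The tcpdump/BPF filter equivalent to is_synack_from_ephemeral()."""
    lo, hi = ephemeral
    return f"tcp[13] & 0x12 == 0x12 and src portrange {lo}-{hi} and dst net {monitored_net}"


def is_synack_from_ephemeral(src_ip, dst_ip, tcp_header, monitored_net, ephemeral=(1024, 65535)):
    """Bitmask check: SYN and ACK both set, source port ephemeral, destination in our range."""
    src_port, dst_port = struct.unpack("!HH", tcp_header[:4])
    flags = tcp_header[13]
    lo, hi = ephemeral
    return (
        flags & SYN_ACK == SYN_ACK
        and lo <= src_port <= hi
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(monitored_net)
    )


# Constructed sample traffic: (src_ip, dst_ip, tcp_header).
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", build_tcp_header(80, 51000, SYN_ACK)),     # reply from a web server port
    ("198.51.100.7", "192.0.2.10", build_tcp_header(40000, 51000, SYN_ACK)),  # SYN/ACK from an ephemeral port
    ("198.51.100.7", "192.0.2.10", build_tcp_header(40000, 51000, SYN)),      # plain SYN, mask does not match
    ("198.51.100.7", "203.0.113.5", build_tcp_header(40000, 51000, SYN_ACK)), # destination outside our range
]


def find_suspect(packets, monitored_net="192.0.2.0/24"):
    """Return indexes of packets that match the filter."""
    return [i for i, (s, d, h) in enumerate(packets) if is_synack_from_ephemeral(s, d, h, monitored_net)]


if __name__ == "__main__":
    print(bpf_expression("192.0.2.0/24"))
    print("suspect packet indexes:", find_suspect(SAMPLE))
```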
Can an interface with no IP address be compromised?
Quite a few of the IDS engineers that I have known will by default not assign an IP address to the intrusion detection system that they are setting up on a network. This is done so as to minimize the IDS’s profile, and thereby help prevent attacks against it. Does this make the IDS immune to attack though as the poster of this thread asked? Most certainly not as Capi points out. There have been several exploits that could affect an IDS with no IP address assigned to it. There have been the libpcap vulnerabilities, as well as the exploits against Snort that were published. Quite likely there are more that have simply not been published. Even though the IDS has no IP address assigned to it, it still receives packets. This by inference makes it vulnerable to a number of attacks. Much like anything else you need to follow established best practices when setting up your IDS on your network. Not assigning an IP address to it is very much a part of those best practices. Also keeping the IDS itself up to date, as well as the other parts of it is key to keeping it secure.
The member in question here wants to know how to clear the BIOS password on the computer in question. There are varying ways to do this, and it will vary from manufacturer to manufacturer. This is a good time to point out that having a BIOS password set is an excellent first step in securing your computer. Yes, it can be reset if someone has physical access to the computer, however this should be your first step in securing the computer from illegal access. Quite often most people will go for the low hanging fruit, and having the BIOS protected is very much an excellent idea. After all, you may have restricted USB functionality on that computer, and allowing unfettered access to the BIOS makes that security setting rather moot.
gdb output and my stack
In this post we see MattA doing some work with GDB, and trying to make sense of the output. GDB output can definitely be rather cryptic at the best of times unless you have a knowledge of ASM, and its inner workings. Kudos to MattA for tackling such a difficult topic. Should you wish to learn about GDB, and what it is all about, you would be well advised to first learn the principles of ASM, and how it works. To that end you would need to know about the registers that ASM uses, and the opcodes that you will see when disassembling, as seen in this thread. Learning networking and TCP/IP is very much a cake walk in comparison to actually learning how to program, and use tools such as GDB. Though if you want to further your knowledge of computers you have little choice really but to learn how to program. Each and every one of our interviewees in the “Interview with a security professional” has said that. Wise words indeed.
Well this thread ties into the one directly above. There are many excellent books on how to best learn Assembly programming. To that end a couple of books about learning ASM have been reviewed, and can be found in our reviews section. I very much enjoyed the ones I reviewed on this subject. It very much helped me out to understand the underlying structure of ASM in the shape of its various registers, instructions, and opcodes. Though I will never be a programmer I very much enjoy dabbling in it as my time permits. It has certainly helped me perform my job better, as it allows me to better understand exploit source code.
Well this brings us to the end of another monthly column. I would encourage all of you to take the time to vote for this Quarter's prize categories. Lastly, we also have several more interesting “Interview with a security professional” segments coming up. Remember, if you want to see someone interviewed, drop me a pm to let me know who! Have a great month of October, and till the next time!