I was at a customer site the other day and we were going back and forth on MTBF numbers like George Costanza trying to split a check for lunch. Reading MTBF numbers is kinda like believing you can actually catch fish with the Ronco Pocket Fisherman. Wow!! According to my Mean Time Between Failure data, my network gear will last for 30 years!! Sorta like a furniture store going out of business...for five years. Normally, most folks look at MTBF data like this: "Hmmm, a year contains 8,766 hours. My switch has an MTBF score of 292Khrs. Now, let's convert that to years.
In November 1919, President Wilson proclaimed November 11 as the first commemoration of Armistice Day with the following words: "To us in America, the reflections of Armistice Day will be filled with solemn pride in the heroism of those who died in the country’s service and with gratitude for the victory, both because of the thing from which it has freed us and because of the opportunity it has given America to show her sympathy with peace and justice in the councils of the nations…"
This has been an interesting week. Sometimes you just have to deliver the bad news to folks. I try the old "Don't shoot the messenger" routine and although no shots are fired, folks sure want to throw down sometimes. Especially if it relates to a field like computing, where folks think that if I know how to config route reflectors for BGP peers then I should be able to work miracles like Mr. Scott repairing a warp drive with three paper clips, a folding chair and a half-eaten po-boy sandwich. Can I get a witness!!
My 12-year-old son asked me the other day what data sounds like. Being asked a computer science question, no, more like a networking-based question, caused me to break out the hanky I reserve for those times when I find out my backup copy was an incremental instead of a full. I thought about the whistles of the old modems of yesteryear, the whirl of 8mm backup tapes, the 2600 MHz tone of a phone switch, the capacitor-start fans in a large router or switch (I have goosebumps…). So with the sage-like wisdom of my 18 years in Information Technology I said, “Go ask your Mom.”
I like watching those real life crime shows like American Justice and City Confidential. It is amazing to see how folks can take a torn piece of toilet paper and solve a crime with it. The smallest clues can make the biggest differences. I also like seasons 1-3 of Sponge Bob Square Pants but I will save that cliffhanger analogy for my upcoming blog on packet sniffing...
Chances are that sometime in our IT career we are going to be faced with a few choices:
- Sushi or In-Out Burger?
- Reformat a machine or gather evidence to prosecute a hacker.
Most hard-core networking geeks out there today avoid buzzwords like I avoid health food, sushi and light beer. Buzzwords are not technologies that I can go out there and deploy per se; they are terms to make analysts sound smarter than they actually are. Web 2.0 has really taken on a life of its own in the kingdom of buzzwords. I use Web 2.0 to help me move gear and get management behind projects they normally would not. For example:
It's kinda funny to see how folks' 'tudes change when things go from great to worse. For example, I always used to laugh when folks told me how great their chiropractor made their back feel. I thought they were just a Western version of a witch doctor with newer magazines. Until I hurt my back on a business trip... A sales rep drove me to his chiropractor for help. I was hurtin' so much I would have sacrificed a chicken myself to feel better. This dude made me a believer and I added him to my Christmas card list!
Last night, I wanted to grill up some beer can chicken. If you have not had any, it ranks right up there with going to watch time trials at Indy as a must-do. My wife loaned out my stand to some goober neighbor and she was out shopping or something or other with my daughter so I couldn't ask her where it was. She told me, but I was in CodeMode(tm) and taking in that information would have caused a buffer overflow.
I really dig writing code. I always have; since I wrote my first "Hello World" I was hooked like a bass on someone else's rod and reel. I have been a huge fan of Cisco AXP for a while now. The AXP is a module that fits in the ISR and gives a code jockey a Linux environment to develop applications in. It supports C, JBoss, Java, Python and Perl so we have quite a few options to code in. But REAL coders code in C...
You can learn more at http://www.cisco.com/go/axp
Wireless is more fun than fishing for bass while drinking a Bass. Open your home pantry and you have a wide range of homemade antenna options. What can you do with some of those older WLAN cards stuffed in an office drawer behind the "Must Read" stuff from Human Resources?
I love Germany. How can you not like a country that has no speed limit and awesome beer? I could move there and not miss a step. Of course the food sucks, so I reckon that is the trade-off. I love speed and performance. A couple of years back I purchased a couple of Go-Peds for my kids but that was not enough...I had to soup those little dudes up and squeeze another ounce of horsepower out of them. I put on a header, bigger carb, manufactured an intake and advanced the timing as well as changed the splines; man, those dudes could really fly!!
Planning for a branch office roll out is like going to your in-laws' family reunion. You just know in the end there is going to be trouble... It is difficult to find a good formula that addresses the needs of the branch. The bean counters look at the branch from a low port count point of view and push non-managed devices or even hand-me-downs from the central LAN.
Looking back at the branch office/replicated sites I have rolled out in the past, I have noticed five things in common across the board that seem to contribute to a successful roll out for the IT staff, Management and Bean Counters.
Tip 00x01 Build a template. I am the first to scream against using a cookie cutter approach in building out networks. In the branch office, I think it is critical. Have a simple IBM-style flow chart that looks at cable plant, seats supported, number of closets, VoIP, service level agreement, etc. Then build out your setup scripts, add the new branch to the NOC support plan and start deployin'. Not only is this easier on you by far, but now bean counters can see the IT cost associated with a roll out and management can do people planning better.../insert joke here
Tip 00x02 Accelerate the WAN. I am a big fan of WAN accelerators. I have tested and installed most of the popular ones on the market today. Personally, I like the Cisco WAAS module best of all. Now I know y'all are thinkin' "whatta knob! of course he likes WAAS, he works for Cisco, doesn't he read Gartner?" True, I work for Cisco, and no, I do not read any analyst that has never been in the field and built street cred, yo. They write about that in the networking geek handbook; something about talkin' the talk... I have really beat that product up in testing big time. I love the conf options, performance, management and modular design of WAAS. Either way, WAN acceleration is a great way to optimize bandwidth for a low cost and certainly a MUST in branch deployment.
I was at a customer site the other day conducting a bit of forensic analysis for an upcoming security TechWiseTV show. This customer was not happy about the SQL injection attacks some of his users were getting. He conducted training with his staff and end users, yet still, folks came back with bots, keyloggers, etc... He was angrier than a Chicago Cubs fan in October. Looking at what was going on, it appeared to be a classic drive-by download attack and not a SQL injection.
A drive-by works kinda like this: a hacker attacks a web server with a SQL injection to act as a man in the middle between the user-facing web application and the SQL database that supports it. Now a SQL injection can really do a lot of different things to get that database to present and do stuff it was not supposed to do. However, in this case, it was a classic ASPROX. It would transparently redirect the user to a hacker mirror that would launch dark JavaScript to do footprinting of the client machine. This is so common an attack that Sophos detected over 16K legitimate web pages were hit with this attack in the first half of 2008. If you love math as much as me, you can see that averages out to about one page every five seconds. That is x3 what it was in all of 2007!
After the hacker site determined the type and patch level of the OS, the hacker site just launched a simple iFrame redirect to send the user to the server hosting the vuln exploiter for that OS. Simple, automated and transparent. Now that is goooood codin'! In the end, we found that many users exploited would go to an online gaming site at lunchtime and play poker. Their machines would be patched up on Patch Tuesday, be OK for a bit, then all of a sudden these clients would bring back all kinds of nastyware to the LAN. Kinda like the malware version of the Circle of Life...sing it with me!!!
Here in the CodeCave I run a large Dark Net and report my findings to my Twitter followers. If you are not familiar with darknettin', this is the practice of having servers out on the Internet as bait to allow hackers to hack them. Folks do this for many different reasons, but my reason is to learn the latest and greatest methods in use on the net today to break into networks.
Many times these servers are just trashed out. Hackers try to destroy them if they are discovered. I had a major exploit found in my Firefox add-on FlashGot. A hacker got in and trashed my system and then changed the password of the root account. Now this is a big deal since I need to log on to that server to gather the data to learn from this attack. Now what? I remembered a little physical access trick I learned a few years back at a Linux users group conf from a guru. It works like this:
- Boot the system and get to the GRUB screen. I moved the arrow key so I did not go into normal boot mode.
- Select the version and hit the "E" key to edit the kernel
- Arrow key to the line that begins with Kernel and hit the "E" key
- At the GRUB Edit line, I just simply append the load string with a number 1. So it looks like this:
grub edit>/vmlinuz-2.5.9-22.DRnetsmp ro root=LABEL=/ rhgb quiet 1
- Now hit ENTER and B and the system will boot up into single user mode
- Newcastle time!!! A simple:
sh-2.5# passwd
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
I got in and grabbed the data and released the forensics to the open source community. I think that is a great example of how we learn from each other. Users groups are a great place, but so are open blog postings. Hey, share your knowledge here! Got any good tips and tricks we can all learn from?
Jimmy Ray
I run a purty darn big Darknet here in the Code Cave. I like to keep up to date with what is going on in the security space all over the world. I have peering agreements with other Darknetters all over the world to form a huge sensornet that we all benefit from. We have a ton of data to sift thru to find the good stuff. Feels like what panning for gold at Sutter's Mill must have felt like in the 1800's...without all the killin'. Sounds a little like my last family reunion, but I'll save that for another blog...
The problem is after we document an attack, or we need to filter out some of the noise, we need to write our own sig to detect and catalogue a known attack. Pattern matching takes some time to get the right amount of detail and has always kinda been like having a mother-in-law that cooks good... An x86 emulator is what is needed; however, I have tried qemu and bochs (a little, mainly qemu) and I was not too impressed. They are OK but not cool enough to change my processes and rudimentary scripts. I been messin' around with the tool Libemu to automate the process of shellcode pattern matching and I have been amazed.
Libemu is a tool written in C (thank goodness) by Markus Koetter. This smokin' hot tool allows me to feed raw decodes from my nepenthes directly into Libemu. It will in turn detect the shellcode offsets and do an analysis of what the shellcode is actually trying to do. I have been using this with a great amount of success in shellcode analysis and it has a hit rate of about 92%!!! Pairing up Libemu with Nepenthes has really cut down my manual shellcode analysis time and increased my cohiba and fishing time, and in the end that's what it's all about. If you run honeys or do shellcode analysis, do yourself a big favor and start messin' around with Libemu.
Jimmy Ray
I have been messin' round with keystroke loggers for quite some time now. Brute forcing and luck-of-the-draw password guessing cuts too much into my fishing time. Sure, rainbow tables speed up the process, but I still need a username. That is where keystroke loggers come in handy. I have tried many types of software loggers and truthfully they all suck. It is just the level of suckiness you are willing to put up with. Plus the fact that nearly all of the ones I tested have backdoor relays funnelin'-tunnelin' your info back to the abyss of hackerland... I have coded up my own but truthfully, they are just not as flexible as I need them. NEXT!
I have also used the Snoop Stick to monitor my kids Internet usage and it works OK. The problem with that product is it does not scale that well and it wraps itself so tight around the TCP/IP stack that any problems with a patch, update or just plain ole removal results in having to reformat the machine. NEXT!
Now I am left with hardware keyloggers. Most of those are PS/2 connectors so I have to use an adapter that makes it stick out like a turd in a punchbowl. (ah...college...) Anyway, I ordered a hardware logger from KeyGhost and I must admit, I am as impressed with it as I am to walk into a restaurant and find they have Newcastle on tap. First off, the KeyGhost logger uses a USB connector like 98% of the keyboards out there today. It also works on both my mega awesome Mac and my average Windows-based PCs. Setup is like most other hardware loggers; just plug it inline. But that is really the only similarity.
Three things that make the KeyGhost logger far superior to any other product I have tested:
- Timestamping. Hardware loggers stand alone and can record thousands to millions of keystrokes. Knowing how fresh the data is, is super important to avoid detection and provide useful analysis.
I like lists. I tend to break down many different topics into a list format. Mentally, it is in CSS format and without a doubt marketing speak is equal to a SQL injection attack in my ole gourd. Be that as it may, (I love using that statement, makes me feel like a literary type person) I keep a top five list on the best places to eat in all the cities I visit often, top five best fishing holes, top five best Star Trek episodes and of course top five reasons to avoid going to my mother-in-law's.
Secret stuff really appeals to me. Movies like National Treasure and Indy Jones, coupled with books like The Da Vinci Code and By Way of Deception, really hook me. Who out there today doesn't daydream about having privileged access to some big secret that folks are chasing you down to get? Can I get a witness? If you really want to get someone's attention, start your statement with "Let me tell you a secret." I would stop eating Popeye's chicken to tune in to that. OK, maybe not that drastic.
This last weekend, I heard a toolbox open somewhere in the neighborhood so I had to investigate. Nothing gathers men quite like the opening of a Newcastle or the opening of a toolbox. My next door neighbor was fixin' to work on his car. He looked a little confused, but instead of asking him what was wrong, I looked over at his toolbox. Yep, that told me all I needed to know. Hard to fix a ride with two finishing hammers, a stud finder and an interchangeable-bit screwdriver that was stamped "Network World Top Dog" (I think he stole that from me...)
USB hacking is certainly not new; we have been building Linux shells on USB keys for years. The U3 USB drive from SanDisk really changed our methods of launching hacks.
What makes the U3 cool is the little "Launch Pad utility" that comes preinstalled. A normal USB flash drive only has one drive letter, but a U3 smart drive has two drives. One is the normal storage drive and the other is an emulated CD drive. It is this two-drive behavior that allows a hacker to turn a simple USB drive into an AutoRun powerhouse!!
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University, is currently pursuing a Master of Science degree in electrical engineering and is a licensed professional engineer in Wisconsin.