Wednesday, July 16, 2008

Coffee Shop Warfare

It seems like I can't go to a coffee shop, conference center, or bar these days without some jackass on the network abusing the bandwidth. Running MMO games, BitTorrent, gnutella, or even just a large FTP/HTTP download will saturate the wireless access point, let alone the modest DSL line it's connected to, rendering it unusable for the other patrons there. This is just plain rude. And since the barrista can make a mean caramel cappucino, but doesn't have the ability to blacklist your MAC on the AP (which I realize isn't a very effective control, but hey - maybe you'd get the message then?), we're all stuck to suffer.

And I wouldn't do anything hostile on a public network. But in the name of network self-defense, there are a couple of tools you might want to take with you to the coffee shop next time.

  • Wireshark - The quickest, easiest way to identify the abuser's MAC/IP is with a sniffer like Wireshark, tcpdump, or iptraf.

  • Snort - Snort with flexresp2 enabled, bound to your wireless interface, and the p2p.rules set enabled and modified with "resp:reset_both,icmp_host" is an effective deterrent for people using P2P file-sharing software.

  • Ettercap - More severe than Snort, you can use Ettercap to perform ARP poisoning and essentially blackhole the client(s) of your choice by MAC address. You could also use this tool to sniff unencrypted traffic between clients and the AP (and points beyond). But you wouldn't do this. It would be uncivilized, and possibly illegal.

There are lots of other wireless tools out there that have some application here, but many of them either go to far to be civil (Void11) or legal (Hotspotter), so I don't recommend them. For that matter, what I do recommend is getting your own EVDO card. Then you don't have to put up with rude WiFi users in the first place.

Tuesday, July 15, 2008

A Conversation With My Wife

My wife was at her mother's tonight when she caught me on GMail chat. This is the log of that chat, unedited:

Jessica: boo!

me: hey there

Jessica: hey baby!
Just looking at my moms task mamanger, she has a ton of stuff running
inlcuiding a bunch of exe file

me: that's all you should see in task manager - exe files

Sent at 10:28 PM on Tuesday

Jessica: how amobile deviceservice.exe, alg.exe, msmsgs.exe, searchprotection.exe, jusched.exe, E-S10IC1.exe
all of these are listed under "Administrator"

me: some of those are fine
type them into google
liutilities.com
searchprotection.exe sounds suspicious
don't log into the bank or anything

Jessica: why would there be 4 svchost.exe's?

me: that's typical

Jessica: or services.exe
winlogon.exe

me: both fine

Jessica: csrss.exe

me: also fine

Jessica: smss

me: seriously
google

Jessica: mDNSR

me: that sounds suspicious

Jessica: I don't need no stinkin google, I have you
:)

me: meh
Sent at 10:33 PM on Tuesday

Monday, July 14, 2008

When is a Security Event Not a Security Event?

When it's also a beer event, of course!

July's GRSec meetup will be Wednesday, 7/23/08. The reason for the Wednesday date is two-fold. First, Tuesdays don't work for everybody, so we're switching it up over the summer to see if we can get some fresh faces out to GRSec. Second, this month we're at the new Graydon's Derby Station, and that particular evening, they will be tapping a cask of Victory Hop-Devil IPA.

If that's not enough reason for you to be there, then I don't know who you are anymore, man! I don't know you at all...

Details & Map

Tuesday, July 8, 2008

Monkey-Spider

It's been awhile since I've covered anything to do with honeypots or honeyclients. But it's also been awhile since anything new came along.

Via Thorsten Holz at honeyblog: Sicherheit'08: "Monkey-Spider: Detecting Malicious Web Sites with Low-Interaction Honeyclients"

Monkey-Spider, not to be confused with SpiderMonkey, is a new honeyclient from Thorsten, Ali Ikinci, and Felix Freiling. Like HoneyC, it's a crawler-based client that detects web-based, client-side attacks. It was presented at Sicherheit in Germany in April. Fortunately, the whitepaper and documentation are in English.

After reading the whitepaper and playing with the code a little, the thing that occurs to me is that, while this is very cool, and still somewhat useful, what I really want for operationalizing a honeyclient in my enterprise is the ability to seed the honeyclient from firewall/proxy logs. That way the honeyclient is analyzing my web traffic, not off looking for random malicious sites to add to already big blacklists.

Monday, July 7, 2008

MiniMetriCon 2.5 Slide Decks

MiniMetricon 2.5 was a one-day security metrics event held in San Francisco back in April. Some of the slides decks were published to securitymetrics.org earlier today. I'm only about half way through them, but there's some good stuff in there, and if you're doing anything around security metrics, I recommend you check them out.

So far, the standouts for me are Pete Lindstrom's slides on Enterprise Security Metrics, and Wade Baker's deck on Incident Reponse Trends. And speaking of Wade Baker, he and a few of the other rockstars at Verizon Business have a blog that you should add to your feeds list.