[an error occurred while processing this directive] [an error occurred while processing this directive]
[an error occurred while processing this directive] [an error occurred while processing this directive]
;) Packet-Securitydot com
[an error occurred while processing this directive] [an error occurred while processing this directive]

Papers By Bagarre:

  • Intro to PGP
    • Chris Snell give a good explaination of what Pretty Good Privacy is and how it works.

  • Intro to Pseudo Code
    • A good read on the basics of pseudo code and program management.

  • I'd rather be fragging
    • Bypassing those Linksys boxes, some ACLs and tons of other fun stuff.

  • The Art of Wardialing
    • A lost art? Not worth exploring? I think not.

  • deny, Deny, DENY
    • If you didn't say it could come in, it shouldn't. This will be a discussion on router ACLs and the construction of a DMZ.

  • OPP Other People's Passwords
    • How do you get your users to use good passwords? How important is it?

  • The Enemy Within
    • Do you trust your users? Should you? The internal threat is real and needs to be addressed with written policy, permissions and well planned grouping.

  • Who's Watching Who?
    • The intruder is no doubt looking at your traffic. You should too. How will you know what's not normal if you've never seen your normal traffic on the wire?
    		  [an error occurred while processing this directive]
    [an error occurred while processing this directive]
    [an error occurred while processing this directive]
    Who is Watching Who?
    By: Bagarre
    [an error occurred while processing this directive]
    Loading Document
    If the page does not load, click here.
    [an error occurred while processing this directive] [an error occurred while processing this directive]
    • How does one know when something is 'not right'?
    • If it's broken, how do you know when it's fixed?
    • What is 'Normal'?
    • If you have never seen 'Normal', how could you identify 'Abnormal'?

    Pretty basic questions with not so obvious answers. Networks spew millions of packets a day. Pages upon pages of logs are created on almost every computer. How can you tell what's going on in your network with this kind of sensory overflow? By knowing what to ignore and looking for the stuff that doesn't fit a pre-determined pattern.

    By this point, you should already have a good set of ACLs in place and a DMZ established. [an error occurred while processing this directive] [an error occurred while processing this directive]

    Senario: Flipping thru your morning network logs of the DMZ, you see tons of port 80 traffic to your web server. That's pretty normal so, you keep flipping until something catches your eye. Around midnight, you see a failed connection from your web server to somesite.com's port 21. Your router dropped the connection but why did your web server do that? Hmmm.

    A few minutes further in the logs, you see another packet from your web server to the same somesite.com but on port 50555. Now that's just odd. Again, your router dropped the packet but it worries you. Next, your web server made a successful connection to somesite.com on port 80. FROM your server? At midnight? After all the other weird stuff?? We better look into this one.

    Next, you see a butt ton of SYN packets from your web server to every other box in the DMZ. Huston, we have a problem! You grab the web server's log files and check the site activity around the same time and find that, someone was sending weird GET requests like %255c..%255c..%c0af..blah blah.... You have no idea what this is but you know it's not normal! [an error occurred while processing this directive] [an error occurred while processing this directive]

    As it turns out, someone figured out how to upload a backdoor to your website and tried using it as a jump point into your network! Because of the permission settings on your web pages and their limited access, they couldn't deface any pages and your internal router ACL's prevented them from going any further but, Holy Shit! We've been hacked!

    This is an overly simplified scenario but, very probable. There was no apparent damage or corruption to your computers or even degradation to the network. Without a review of your network logs, you might not have ever noticed this event... until the attacker was able to escalate his privileges, monitor the network traffic himself , 'sniff' a password or two and do some real damage.

    We have just gone thru a basic Intrusion Detection System without spending thousands of dollars! I like that. Depending how big your networks are and how many pages of traffic you have to look at, you could write a PERL script to help you sift thru the logs even faster!


      -Bagarre
    [an error occurred while processing this directive] [an error occurred while processing this directive]

    Loading Document
    If the page does not load, click here.

    Google Packet-Security.com
    [an error occurred while processing this directive]
    [an error occurred while processing this directive]