SEMiSLUG Notes
12 August 1999
Question & Answer Sessions
- Is [UUNET] a permanent location?
- Yes, the UUNET building is our latest permanent home.
- Looking for an MPEG2 encoder for the PC. For a real OS.
- Look for a board. If you're lucky, it'll have drivers for some sort
of un*x.
- The weirdest network problem Steve Arlow has seen: WFTK to an NT box
(IIS?) behind a Cisco NAT, the initial control connection is terminated
by a reset packet, presumably from the Cisco. Promiscuous mode on the
NIC card lets it work once. httpgw figures into the chain of events,
somewhere. What's up?
- Lots of speculation, but too many comments at once to try to sort
them all out. Upshot: nobody really knows. Perhaps someone with
a Gauntlet can try hitting the same site and track what happens.
- Immediate job openings?
- If so, contact Troy. If you get any e-mail from head-hunters, forward
it to Troy.
- Cult of the Dead Cow and BO2K are off the net. What's up?
- Nobody knows. Maybe they switched to NT. Someone looked at their
pager during the meeting and announced that BO2K is back.
- Any pointers to DVD encryption specs?
- Well . . . no.
- What the hell is Mike Bernsen up to?
- Making the digital equivalent of a VCR.
- Sources for high-end Intel (something more than a desktop), fully
configured boxes (i.e., server boxes)?
- ASA, TESYS.
- What's with the giant phallic symbol across the street?
- It's an ancient $120,000 fertility symbol.
- Has anyone else seen miserable packet loss on AT&T net lately?
- Mike Wayne has seen it, but not everywhere.
- Do our wonderful hosts have anything to do with MCI Worldcom frame relay
going nuts at the stock exchange?
- Nope.
- Anyone got any references for discussions of domain name pollution?
- Outside this room, not really.
- Is anyone who is using the MediaOne cable modem seeing really terrible
performance?
- Yes. They're having buffer loading patterns.
- Any recommendations for good, free ssh clients? (For NT)
- TeraTerm. Mindterm (some folks in Sweden) has a Java SSH client.
Jay will post the
- Anyone in Ann Arbor or Ypsilanti going xDSL?
- Ameritech will not sell ADSL to anyone. Period. No matter what
their publicity says.
There are other competitive carriers coming in, though.
- What kind of Linux for playing around and learning?
- Mandrake just got best product of the year. Caldera's installation
is probably the best, and is usually pushed as a commercial product.
Red Hat is also good, but avoid any of the x.0 releases. SuSE is
very good if you speak Deutsch.
- Java development for the above?
- Not very well supported at the moment. The easiest would be the Visual
Cafe tools.
- Cyrillic?
- Huh?
Presentation
Defcon 7: All the News That Fits (Becki Kain)
www.defcon.org
Flew in Thursday to the worst flooding they have had in at least 15
years, if not 100. It was of biblical proportions. The water was up
to my knees in the streets, rushing by with all kinds of dust, dirt,
and construction material in it. Very not cool. Ate at the very scary
people buffet in the hotel where this couple next to us ate about 15
plates full of food and the man's shirt looked like it was going to bust
off at any minute.
The organizers were completely unorganized and there was no registration
Thursday. The other problem is a lot of people did not have their
presentations together and said "It will be on the web site". Well,
they aren't. The other thing to remember is whenever there was a crowd
of more than one hundred in any one room, people would launch into "Spot
the Fed" which was a very funny game. You yelled out that you spotted a
Fed, of any kind, dragged the person or persons up onto whatever stage
there was in the room, and usually Priest, the emcee, had to be there,
and you and the audience got to ask the "Fed" questions to see if you're
right. Some people were, some weren't, and Priest was real good about
being cool about it. If you didn't want to say who you worked for, you
just had to show your stuff to Priest and he would tell the audience,
yes, this person was a fed. If you spotted a Fed, for real, you got a
T-shirt that said "I spotted the Fed" and the Fed got a shirt stating,
"I am the Fed". Priest had a thing going where Feds, in exchange for
paraphernalia from their office, could go up to him, prove they were a
Fed, just to get a T-shirt. One guy, who worked for Naval intelligence,
was so dumb he basically gave out his home address. Here's a hint: if
they are American Feds, ask if they can carry a gun across state lines,
legally.
Friday, there was finally registration and the conference started with
Kevin Poulsen and Jennifer Granick discussing issues in interrogations.
She's his lawyer. They showed this cheesy "Unsolved Mysteries" television
clip of him getting busted as a teenager for stealing Ma Bell's
equipment as a demonstration of giving up your fourth and fifth
amendment rights during an interrogation. Basically, the fourth says
you have to have a lawyer, the fifth says you have the right to not
incriminate yourself. She highly recommended, no matter what, even if
you're as innocent as the driven snow, that if you are arrested, get a
lawyer and say nothing until they show up. Nothing. The interrogators may
lie to you and say that you have to talk, or you can't have a lawyer,
or whatever, but don't listen to them. Now, and this part I'm a little
fuzzy on still, you don't have to be read your Miranda rights unless
you are arrested. If you are brought in for questioning, you do not
need to be Miranda'd, if I'm remembering this right, so you might not
think to have a lawyer. Have ONE! Oh, and don't let anyone in without a
warrant. Read that warrant to see exactly what they are allowed to
search/seize/etc., don't just assume it's for anything they find.
Next thing was Daremoe talking about appliance firewalls. My notes are
sketchy and his are non-existent. There will supposedly be a white
paper at the end of this month at www.microsolved.com. He suggested
simple stuff like Firewalk, netcat, nmap and queso to port scan an
appliance firewall.
Mojo, who was drunk off his behind, tried to talk about hacking Windows
shares. His notes are supposed to also be up on the web site; they
aren't. I got a little from the talk. Win 95/98 cuts off passwords
at 8 characters. To look for drive keys, use nbtstat and look for $. The
LanManKey is blank, normally; if you can get into the system, you can
turn it on. His personal, and somewhat obvious, take on hacking machines
was to get a machine yourself of the OS you want to hack and break it. He
suggested running regmon and looking for the keys in HTLocalMachine and
HTLocalUser while you're installing software to see what changed in
those keys. If a machine does not enter information into the registry,
it stores it in an INF file. He suggested not installing anything
in the default directories, in a security-through-obscurity move for
scanners, and looking at ww.shadowco.org for a list of Master Keys.
Next was cyber forensics by Peter Stephenson. He was not a geek as much
as a very stressed out investigator. He gave a lot of suggestions for
computer security before and after a hack.
1. turn off DNS zone transfers and just add in via ACLs who
2. policy (for a company) can be added at any time
3. If it is the company's policy and that is clearly stated,
an employee can be forced to sign something that states they
have no expectation of privacy and they consent to being
monitored.
4. Prior consent is defined in the Electronic Communications
5. NTObjectives is some free NT forensics software
6. Save two images of the hacked disk before touching it.
One to work on and one to send to the Authorities.
7. Treat a hack like a crime scene. Touch nothing until the
disk images are made and document every person who had access
to the disk image until it goes to the authorities.
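Points 6 and 7 above (two images before anything is touched, and a record of everyone who handled them) are easy to get wrong under pressure, so here is an added example of the acquisition step in Python. It is not code from the talk or from NTObjectives; the disk is a constructed sample file standing in for a block device, and the examiner names, paths and the JSON manifest layout are assumptions for illustration. Each image is hashed while it is written and again after it lands on disk, both hashes are checked against the source, and every later handoff re-hashes the image so a change between log entries is visible.

```python
import hashlib
import json
import os
import time

CHUNK = 1024 * 1024  # stream the source in 1 MiB pieces so a large device fits in memory


def sha256_file(path, chunk=CHUNK):
    """Hash a file in chunks; used to verify each image against the source."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src, dst, chunk=CHUNK):
    """Byte-for-byte copy of src (device node or file, opened read-only) to dst.
    Returns the SHA-256 of the bytes read, taken on the same pass that wrote the image."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for buf in iter(lambda: fin.read(chunk), b""):
            h.update(buf)
            fout.write(buf)
        fout.flush()
        os.fsync(fout.fileno())
    return h.hexdigest()


def acquire(src, working_image, evidence_image, examiner, now=None):
    """Make the two images (one to work on, one for the authorities), verify
    each against the source, and open the custody log. Raises if any hash differs."""
    now = now or time.time
    source_hash = sha256_file(src)
    manifest = {"source": src, "source_sha256": source_hash, "custody": []}
    for role, dst in (("working", working_image), ("evidence", evidence_image)):
        copied_hash = image_device(src, dst)
        stored_hash = sha256_file(dst)  # re-read what actually landed on disk
        if not (copied_hash == stored_hash == source_hash):
            raise RuntimeError(f"{role} image does not match source: "
                               f"{copied_hash} / {stored_hash} / {source_hash}")
        manifest["custody"].append({"event": "imaged", "role": role, "path": dst,
                                    "sha256": stored_hash, "by": examiner, "at": now()})
    return manifest


def record_handoff(manifest, image_path, from_person, to_person, now=None):
    """Append a custody event and re-verify the image at the moment of handoff.
    Returns True if the image still matches the source hash."""
    now = now or time.time
    current = sha256_file(image_path)
    intact = current == manifest["source_sha256"]
    manifest["custody"].append({"event": "handoff", "path": image_path,
                                "from": from_person, "to": to_person,
                                "sha256": current, "intact": intact, "at": now()})
    return intact


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def make_sample_disk(path, size=3 * CHUNK + 517):
    """Constructed stand-in for the compromised disk: deterministic bytes,
    deliberately not a multiple of the chunk size so the tail is exercised."""
    with open(path, "wb") as f:
        remaining, counter = size, 0
        while remaining > 0:
            block = hashlib.sha256(counter.to_bytes(8, "big")).digest() * 2048  # 64 KiB
            f.write(block[:remaining])
            remaining -= len(block[:remaining])
            counter += 1
    return path


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    disk = make_sample_disk(os.path.join(d, "sdb.raw"))
    m = acquire(disk, os.path.join(d, "work.dd"), os.path.join(d, "evidence.dd"), "examiner")
    record_handoff(m, os.path.join(d, "evidence.dd"), "examiner", "agent")
    save_manifest(m, os.path.join(d, "manifest.json"))
    print(json.dumps(m, indent=2))
```

On a real system the source would be a device node opened read-only (and ideally behind a hardware write blocker), and the manifest would be signed or printed and countersigned; the point of re-hashing at every handoff is that the log, not the examiner's memory, shows the image was unchanged.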
Saturday, we weren't let in for like an hour. Now, imagine a whole
bunch of computer geeks, sweltering in the Nevada heat. At this point,
the schedule began to fall completely apart.
Rooster talked about insecurities in networking devices.
Simplistically, if something answers on layer 3 of the OSI model, it
is a router, layer 2, it is a switch, where a router is defined as
something that sits between 2 networks, and a switch segments the same
network. SNMP messages are sent in clear text and community strings are
usually not changed on most people's switches, routers, csu/dsu's and
other network hardware. Even if you change read-write, read-only still
means anyone can read anything on your equipment, just not change it,
like your IP->MAC table. There are enterprise MIBs, Cisco's is #9 in the
tree; you can ftp to ftp.cisco.com to get a list of the possible MIBs
and do an snmpwalk to traverse the tree on a piece of equipment. He
suggests ACLs and off-host logging since most network hardware does
not come with enough memory to sufficiently log a big event, such as a
hack. Segment your network, set your read-only community string so that
you can't be snmpwalked. His email is rooster@resentment.org.
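To make the "SNMP messages are sent in clear text" point concrete, here is an added example (not from the talk) that builds SNMPv1 GetRequest/GetNextRequest datagrams the way a management station would and then parses them back the way a sniffer on the same segment would, pulling out the community string and the OIDs being asked for. The BER encoding follows RFC 1157; the OIDs (sysDescr.0, and ipNetToMediaPhysAddress for the IP->MAC table) are standard MIB-II objects, while the community strings and the three-packet "capture" are constructed for the example. The helper always sends a NULL value, which is right for Get and GetNext; a real SetRequest carries a value.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def _length(n):
    """BER length: short form under 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_int(v):
    n = max(1, (v.bit_length() + 8) // 8)  # minimal two's-complement width
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def _base128(values):
    out = []
    for a in values:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    return tlv(0x06, _base128([40 * arcs[0] + arcs[1]] + arcs[2:]))


def snmp_v1_request(community, oid, request_id=1, pdu_tag=0xA0):
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, PDU }.
    The community string is an unencrypted OCTET STRING; nothing here is protected."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))  # OID, NULL value
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, lead + subids[1:]))


def parse_snmp(datagram):
    """What a passive sniffer recovers from one SNMPv1/v2c datagram."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu)
    _, _, q = read_tlv(pdu, q)  # error-status
    _, _, q = read_tlv(pdu, q)  # error-index
    _, vbl, _ = read_tlv(pdu, q)
    oids, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r)
        _, oid_body, _ = read_tlv(vb)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


def harvest_communities(datagrams):
    """Community strings seen across a capture, mapped to the OIDs used with them."""
    seen = {}
    for d in datagrams:
        m = parse_snmp(d)
        seen.setdefault(m["community"], set()).update(m["oids"])
    return seen


if __name__ == "__main__":
    # Constructed capture: a sysDescr poll, a walk step over the IP->MAC table,
    # and a write (sysName.0) with the read-write string.
    capture = [snmp_v1_request("public", "1.3.6.1.2.1.1.1.0", 1),
               snmp_v1_request("public", "1.3.6.1.2.1.4.22.1.2", 2, pdu_tag=0xA1),
               snmp_v1_request("private", "1.3.6.1.2.1.1.5.0", 3, pdu_tag=0xA3)]
    for d in capture:
        print(parse_snmp(d))
    print(harvest_communities(capture))
```

Anyone who can see the management station's traffic learns both strings from one polling cycle, which is why the ACL and segmentation advice matters as much as changing the defaults: a read-only string still lets the attacker walk the whole MIB, and a read-write string lets them change it.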
Dead Addict talked about SET and why it's not dead yet. He recommended
egold.com for a talk on how currency works now. I didn't really pay
much more attention than that.
DJ's/Bands started playing at noon in one of our three rooms so even
though they were running behind, we lost a room anyway.
Peter Shipley did an introduction to TCP/IP exploits, which everyone
was in. It was odd that so many people attended what was supposed to
be an introduction and he was surprised. He went over the four types:
theft of information, destruction of data, alteration of data and denial
of service. To block a smurf attack, do not allow inbound broadcast
packets. Shut off port 7, the echo port, to stop UDP echo spoofing
(in fact, shut off all ports you don't need. I was very unpleasantly
surprised when someone on the DEC Alpha mailing list told me to leave
time, daytime, echo, etc. open because they are just "internal use
only"). Most of the current OSs are immune to SYN flooding; block all
fragmented packets at the firewall as there is no reason to allow them
in. There are also micro packets that are too small to contain a full
TCP header; block those. Get rid of clear text protocols and replace
them with ssh/SecureCRT. L0pht Heavy Industries has an ARP cache poisoning
program that a smart switch would block, but he wouldn't recommend what
a smart switch is. The advantage to using an OS where you have the source
is it's easier to remove promiscuous mode from the kernel. Arpwatch
is a program that lets you watch your ARP table. He suggested hardcoding
the MAC addresses of your servers in the ARP table to keep from having
spoofs, and the software to do that is on Phrack. Don't allow packets
from your site that don't originate in your network (which breaks email
forwarding, so I just found out from Ford), and the RFCs on SNMP are
1155, 1157, 1901-1910.
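The border-filter advice in the paragraph above (no inbound directed broadcasts, no small UDP services, no fragments, no packets too short for a TCP header, nothing leaving that does not carry a site source address) is the kind of thing that is easiest to check as a rule set run over sample traffic. The following is an added example, not code from the talk: a small Python packet classifier with those rules, run over constructed packets. The site prefix 192.0.2.0/24, the packet dictionary layout and the outside addresses are assumptions made for the example. One caveat the talk does not mention: dropping every fragment also drops legitimate traffic from hosts that cannot do path MTU discovery, so most sites drop only non-initial fragments to services they filter and tiny initial fragments, rather than all of them.

```python
import ipaddress

# Assumed site prefix for the example (a documentation range, not a real site).
SITE = ipaddress.ip_network("192.0.2.0/24")
# Small services the talk says to shut off: echo, daytime, chargen, time.
UNNEEDED_UDP = {7, 13, 19, 37}
TCP_HEADER_MIN = 20  # a TCP packet carrying fewer transport bytes than this cannot hold its header


def check_packet(pkt, direction):
    """Classify one packet against the rules from the talk.
    pkt: dict with src, dst, proto ('tcp'/'udp'/'icmp'), dport, frag_offset
    (nonzero means a non-initial fragment), more_fragments, l4_len (bytes of
    transport header+payload carried). Returns (action, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    frag_offset = pkt.get("frag_offset", 0)
    more = pkt.get("more_fragments", False)

    if direction == "in":
        # Smurf: an outside source asks our whole subnet to answer an echo request.
        if dst in (SITE.broadcast_address, SITE.network_address):
            return "drop", "inbound directed broadcast"
        # Anything arriving from outside claiming one of our own addresses is forged.
        if src in SITE:
            return "drop", "inbound packet with internal source address"
        if pkt["proto"] == "udp" and pkt.get("dport") in UNNEEDED_UDP:
            return "drop", f"udp/{pkt['dport']} small service not needed"
    elif direction == "out":
        # Egress filter: nothing leaves unless it originates in our prefix.
        if src not in SITE:
            return "drop", "outbound packet does not originate in site prefix"
    else:
        raise ValueError(f"unknown direction {direction!r}")

    if frag_offset > 0 or more:
        return "drop", "fragmented packet"
    if pkt["proto"] == "tcp" and pkt["l4_len"] < TCP_HEADER_MIN:
        return "drop", "packet too small to carry a full TCP header"
    return "accept", ""


def apply_policy(packets):
    """Run the check over a list of (packet, direction) and return (action, reason) per packet."""
    return [check_packet(p, d) for p, d in packets]


# Constructed sample traffic: (packet, direction). Addresses are documentation ranges.
SAMPLE = [
    ({"src": "198.51.100.9", "dst": "192.0.2.255", "proto": "icmp", "l4_len": 64}, "in"),  # smurf probe
    ({"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "udp", "dport": 7, "l4_len": 40}, "in"),  # udp echo
    ({"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "tcp", "dport": 22, "l4_len": 40}, "in"),  # spoofed internal source
    ({"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "l4_len": 8}, "in"),  # tiny packet
    ({"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "frag_offset": 185, "l4_len": 100}, "in"),  # fragment
    ({"src": "10.0.0.5", "dst": "203.0.113.4", "proto": "tcp", "dport": 80, "l4_len": 40}, "out"),  # egress spoof
    ({"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "l4_len": 40}, "in"),  # normal
    ({"src": "192.0.2.10", "dst": "203.0.113.4", "proto": "tcp", "dport": 25, "l4_len": 40}, "out"),  # normal
]

if __name__ == "__main__":
    for (pkt, d), (action, why) in zip(SAMPLE, apply_policy(SAMPLE)):
        print(f"{d:>3} {pkt['src']:>14} -> {pkt['dst']:<14} {pkt['proto']:<4} {action:<6} {why}")
```

The ordering matters: the spoof and broadcast checks come before the protocol-specific ones so that a forged internal source is rejected for that reason rather than slipping through as ordinary traffic, and the egress rule is applied to the source address only, which is exactly why it catches the case Ford raised, where relayed mail leaves the site with someone else's source address.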
Somebody did a speech on nmap, which you can get from insecure.org. It
was pretty lame, since he just went over what was in the man page, but
it did show you how to scan for Back Orifice.
Bruce Schneier just took questions from the audience. Anyone who has
not heard him needs to. He's one of those people who are so smart that
it hurts, but at the same time, tries to draw everyone around him into
crypto. He shot down any idea that a true "good" algorithm could not be
published for peer review and was hopeful that the 16 year old girl in
Ireland, once her algorithm was known and probably cracked, would still
need trying because she probably was very good. Every bit you add to a
key doubles the time/work it takes to crack it. 90 bits is good enough
for now. He recommended a book called Cryptonomicon by Neal Stevens
(?).
On Sunday, the scheduling was just non-existent. Everything was switched
from rooms and times and most things were cancelled. It was good to
just drink beer and hope for the best.
A guy from Zero knowledge spoke about this incredibly cool service they
offer where they have a bunch of servers set up everywhere (and you
can sign up to be a server) and each server only knows about the next
server, not anything else on the network. The set of routes through
these servers is changed every half hour so it's not traceable and it's
common for servers to just drop off for a while. You sign up, pay them
some amount of money for tokens, and you can route your traffic through
them, anonymously. You also get a set of routes, for your traffic,
and you can choose who to use and who not to use. They even accept
credit cards, but verify in a way that they don't have the knowledge
associating the tokens back to the cards, the expiration date of the
token is built into it.
There was a huge and ongoing thread of anger against the Church of
Scientology shutting down the big Finland anonymous server.
Jonathan Wignall spoke about extra border hacking, like posting false
data about companies in news groups, searching whois records for data
about companies and employees, searching dns records for machine names,
poisoning dns caches.
Priest said "Feds are like Canadians, they walk invisibly among us."
The wearable computer dude Steve Mann video conferenced into the show
after they fixed the DoS that someone did to the Defcon outside router.
One of the big side effects from his work on wearable computers is he's
working with battery manufacturers on long-life yet light batteries he
can wear, and he wants to set up a wearable 16-CPU Beowulf cluster.
The big news, of course, was Cult of the Dead Cow and their BO2K
announcement. It was showy and big and Vegas styled, but their software
is really cool. The web site is www.b02k.com, but right now, it and
cultdeadcow.com are down. (anyone know what happened to them?) You can
go to www.bo2k.org for a mirror site of most of the stuff. The very cool
things, from a system administrator point of view, of the software are:
- the source is GPL'd and they want you to make plug-ins for it
- it's free for download, as opposed to pcAnywhere
- the traffic is encrypted, unlike VNC
The bad, or at least interesting, issue with it is that it exploits a
known hole in WinNT where you can piggyback the BO product onto a running
process by starting another thread in the first process and hide, if you
want, the BO product. This exploit is also used by at least one of the
commercial products. BO can also run a TCP/IP session over ICMP, thus
making it harder to block.
*whew*
Rumor & Innuendo (No names, please)