
hh7.html
Posted Jul 22, 2003
Authored by hh | Site infosecwriters.com

The Hitchhiker's World Issue 7: Covert Channel and Tunneling over the HTTP protocol, Generic attacks against a honeypot, Innovative Mailbombs, New Beginnings, Technology without policy.

tags | web, protocol
SHA-256 | 3c4bb0c48243e32d61174cb50c3253882eb3d7f5615d6df939802de15c17ffec

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="keywords" content="hitchhiker, security magazine, security holes, exploit, buffer overflow, vulnerability, security writers, malware, virus, trojan, security writers">
<meta name="description" content="The HH's World features mostly network-security articles/programs along with a touch of personal expression. Entries & comments are welcomed.">
<META NAME="AUTHOR" CONTENT="Arun Koshy">
<title>Infosecwriters.com - Hitchhiker's World - Zine #7</title>
<link rel="stylesheet" type="text/css" href="libstyle.css">
<script language="JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
// -->
</script>
</head>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="100">
<tr>
<td width="100%" height="43" align="center" class="bluelink">
<p class="title">The Hitchhiker's World <br>
Issue #7</p>
</td>
</tr>
<tr>
<td width="100%" height="16">
<div align="center">
<p><b>Soli Deo gloria - To God alone be glory</b></p>
</div>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Released: July 21st, 2003</p>
</td>
</tr>
</table>
<p><B><font face="Arial, Helvetica, sans-serif" size="2">DISCLAIMER :</font></B><font face="Arial, Helvetica, sans-serif" size="2">
[Insert the biggest, most comprehensive lawyerspeak here]. <B>Basically, the
author(s) are NOT RESPONSIBLE for anything</B> arising out of the information
presented below. Enjoy.</font></P>
<p><font face="Arial, Helvetica, sans-serif" size="2"><br>
<b class="emph">Contents</b><BR>
</font></P>
<UL>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://gray-world.net/projects/papers/html/cctde.html">Covert
Channel and Tunneling over the HTTP protocol detection</a><br>
(Simon Castro from Gray-World.net)<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="#TOP">Technology
without policy</a><br>
(Rants from Charles Hornat)<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="#HONEY">Generic
attacks against a honeypot : Blind your enemy</a><br>
(An interesting possibility of DoSing sensor mechanisms)<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="#MBOMB">Innovative
Mailbombs : A new approach</a><br>
(An unreleased paper from 2001 .. does it hold true today ?)<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="#NBEGIN"><font face="Arial, Helvetica, sans-serif" size="2">New
Beginnings</font></a><font face="Arial, Helvetica, sans-serif" size="2"><br>
(Rants from a faceless curious kid)</font></font><font face="Arial, Helvetica, sans-serif" size="2"><font face="Arial, Helvetica, sans-serif" size="2"><br>
</font></font><font face="Arial, Helvetica, sans-serif" size="2"><br>
</font></li>
<li><a href="#CONTRIB"><font face="Arial, Helvetica, sans-serif" size="2">How
can you contribute ?</font></a><font face="Arial, Helvetica, sans-serif" size="2"><br>
{ Procedure for sending submissions for the zine }</font></li>
</UL>
<p class="emph">Learn<br>
</p>
<p>"any number is a limit, and perfection doesn't have limits. <br>
Perfect speed, my son, is being there." .. <i>Jonathan Livingston Seagull</i></p>
<p class="emph">Spotlight</p>
<p><a href="http://www.google.com.au/search?q=Adrian%2BLamo&ie=UTF-8&oe=UTF-8&hl=en&meta=" target="_blank">Adrian
Lamo</a> .. not for tech, just for the philosophy, long after the news faded
:). <br>
</p>
<p><a href="http://www.google.com.au/search?q=Google%2BHacks&ie=UTF-8&oe=UTF-8&hl=en&meta=" target="_blank">Google</a>
.. for being the best teacher to many, better than many books out there.</p>
<hr>
<p><font face="Arial, Helvetica, sans-serif" size="2"><span class="emph"><span class="title"><a name=TOP></a></span></span><span class="title">Technology
without Policy<br>
</span><a href="http://mrcorp.infosecwriters.com" target="_blank">By Charles
Hornat</a></font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">This is the first of a series
I hope to grow into something that others can read, learn from, and share (or
even laugh at).</font></p>
<p>After several years of working for several Wall St. firms and having the opportunity
to work with some of the brightest out there, I've come to realize one thing:
technicians love to throw technology at problems rather than develop a strategy
and/or policy to resolve the issue.</p>
<p>For example, we will examine how a company offered a technical solution to
a problem not yet identified. They had a DMZ that contained many high-profile
servers, and some technologists were gathered together to design the standards
for it.</p>
<p>All systems that would reside in the DMZ had to meet this rigid set of standards,
or they would not be allowed in. So they set off, defining routers and Access Control
Lists, firewalls, network-based intrusion detection, and the like. About a
month into this process, a business unit of the company requested that a system
be placed in the DMZ that would be accessed and controlled by a third party.
It was not an unusual request, but it was one that was discussed among those responsible
for the standards in the DMZ. The first response emailed to everyone was: the
system must have host-based intrusion detection.</p>
<p>This requirement was also defined in the standards, and it is one I would consider
an industry best-practice guideline. The problem was that no process or
policy pertaining to host-based intrusion detection had been defined yet. Thus, we had
a technologist throwing technology at a project to mitigate a risk not yet defined.
Never mind the fact that there was no reporting structure for the IDS, nor
any guidelines for responding to alerts generated by the IDS. There
weren't even guidelines on what the IDS would monitor.</p>
<p>Technology is meant to support and help enforce policy. Before any security
technology is ever deployed, and I mean ever, the responsible party should first
stop and do the following:</p>
<ul>
<li> Identify the risks<br>
<br>
</li>
<li> Achieve a balance between security and usability<br>
<br>
</li>
<li> Offer mitigating steps to risks identified that balance in the organization</li>
</ul>
<p>In this case, after the risks are identified and understood, one could then create
policies on setup, monitoring, maintenance, etc. <br>
<br>
On the other hand, it's not always just technicians throwing technology around.
I remember a prime example that occurred several years ago, and to this day
I still reference it with my peers and staff. This time it was Human Resources
offering a technical solution to a non-technical problem.</p>
<p>The Network Manager came by my office and requested directions on how to disable
someone's Internet access. It turned out that an employee was doing more browsing
than work. Management had pinged HR, who in turn called us. So some engineers
and I sat down and created a solution using the internal hosts file and some
other small changes. It then occurred to me that this was clearly not a technical
issue.</p>
<p>Management, or more so Human Resources, needed to speak to this person who
was abusing their privileges and warn them that it must stop. I raised my concerns,
but they were ignored. We implemented the solution. The next day, we got a call
that the user had gone to another computer and surfed from that one, and that
that system needed its Internet access removed as well. Pretty soon, no one
in the department had Internet access. To make a long story short, Human Resources
recognized the problem and terminated the employee for abusing their Internet
privileges and failing to comply with corporate policy.</p>
<p>These are just two out of a hundred examples I could give about the importance
of determining when technology should be used to fix or address problems. </p>
<p>Thank you and good luck!</p>
<hr>
<p><font face="Arial, Helvetica, sans-serif" size="2"><span class="emph"><span class="title"><a name=HONEY></a></span></span><span class="title">Generic
attacks against a honeypot : Blind your enemy<br>
</span><a href="http://acksyn.kerneled.com" target="_blank">By Arun Darlie Koshy</a></font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">I proudly call myself a
neophyte when it comes to the brave new world of "honeypots/honeynets".
The project has the best people working on it .. it's got money, the backing
of corporates, and everybody who is anybody in the field wants to be associated
with it (including this website :-)).<br>
<br>
</font>The concept itself is pretty old; it's basically "know your enemy",
Sun Tzu stuff (at least the old Chinese philosopher is becoming more mainstream,
with movies and netsec initiatives being named after his main theory ;-)).</p>
<p>We now come to the following lines from the Honeynet Project's book, <i>Know Your
Enemy</i> (Chapter 3, "How a Honeynet Works"):<br>
<br>
<i>"Administrators are challenged with reviewing hundreds of megabytes of
system and firewall logs on a daily basis. Production traffic is continually
changing and evolving, making it difficult to determine what is "normal"
traffic. The Honeynet solves these and many other problems through simplicity"<br>
<br>
"Any traffic is suspicious by nature" </i>(i.e. if directed towards
our sweet network)</p>
<p>As an attacker who has to operate in these tough times, I would be most interested
in the above lines .. this is the critical point against which I would wish to develop
my skills. I feel we're seeing an analogue of the "lame"
vx scene here .. the scanner is nascent.<br>
Let's make the patterns confusing and tough.</p>
<p>Rules of engagement for "blackhats":<br>
<br>
1) Use your own networks for communication (i.e. do not be stupid enough to IRC
from an "unidentified" rooted box); use public systems with proper
encryption thrown in.<br>
<br>
2) Plan and formulate your objectives down to the last detail, and use your bag
of exploits with caution and restraint. </p>
<p>Now we come to the most amazing statement in the book, and our target becomes
more defined:<br>
<br>
<i>"On average, the Honeynet Project collects only about 1 MB - 10 MB
of network information a day"</i><br>
<br>
So when operating in an environment which you have not ascertained to be a production
environment (even if it's a hunt for zombies), you have to take steps to overload
the sensors .. in short, DoS the study mechanisms .. e.g.</p>
<p>(Hypothetical overrun of a logging sensor)<br>
<br>
Let's assume that you wish to run:</p>
<pre>
rm -rf /var/log/
cp troj.tgz /home/x
</pre>
<p>Instead of that, run:</p>
<pre>
ls *.*
junk command 1
junk command 2
..
(insert n number of useless entries .. feel free to go wild here)
rm -rf /var/log
(mutate)
cp troj.tgz ..
</pre>
<p>
Next, we build our list of signatures against known tools that are used in the
architecture; a few examples would be those obtained by analyzing and studying Snort,
VMware etc. Interestingly, detecting whether you're in a VMware box is pretty easy
on a Windows guest (just check for some registry entries .. it takes just a few lines
of code to detect if the process is running in a virtual machine).<br>
<br>
So efforts may already be underway to build a "honeypot detector".
Of course a carefully laid pot may be no different from a production system,
but we are going to get all the honeypot kiddies .. and as usual, we will
see people in both camps having a lot of fun.<br>
<br>
If there is something that is sickening, it's over-enthusiasm and the build-up
of a concept to far larger proportions than it actually is (past examples:
the Windows vs. Linux thing, Linux being the most "secure" OS) .. I
see the same attitude in people armed with Spitzner's book .. honeypots are
just another row of squares in the game, folks.<br>
<br>
Don't hype it up. We're dealing with code still .. remember the scene from the
movie Rocky: you have to have the hunger to keep winning .. the eye of the tiger
.. whoever has that for the specific instance wins.<br>
</p>
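<p>The "overrun" above is an attack on the analyst's reading time, not on the sensor: every line is still logged, the problem is finding the three that matter. The script below is an added example, not code from the zine or from the Honeynet Project. It builds a constructed session in the shape the article describes (forty junk commands typed at script speed, then a history wipe, a mutated <code>rm -rf /var/log</code> and the tarball drop) and ranks it by signal instead of reading it top to bottom: a short rule list for the actions worth attention, the fraction of lines that were noise, and the seconds in which the command rate was faster than a human types. The rule patterns, the timestamps and the junk commands are all assumptions made for the example.</p>

```python
import re
from collections import Counter

# Triage rules for the high-signal actions the "overrun" tries to bury.
# The patterns tolerate simple mutations (rm -rf vs rm -r -f, trailing slash).
# Constructed for this example; a real deployment would carry far more.
RULES = [
    (re.compile(r"\brm\s+(?:-\w+\s+)+/var/log\b"), "log wiping"),
    (re.compile(r"\bcp\s+\S+\.(?:tgz|tar\.gz)\b"), "archive drop"),
    (re.compile(r"\b(?:history\s+-c|unset\s+HISTFILE)\b"), "history clearing"),
]


def build_session():
    """Constructed sample session (timestamp, command): 40 junk commands at
    ten per second, then the three lines the attacker actually cares about."""
    junk = ["ls *.*", "pwd", "uname -a", "cat /etc/issue", "w", "id", "df -h"]
    lines = []
    for i in range(40):
        cmd = junk[i % len(junk)] if i % 2 == 0 else f"echo junk{i}"
        lines.append(f"2003-07-21T02:14:{i // 10:02d} {cmd}")
    lines += [
        "2003-07-21T02:14:04 unset HISTFILE",
        "2003-07-21T02:14:04 rm -r  -f /var/log/",   # mutated form of rm -rf /var/log
        "2003-07-21T02:14:05 cp troj.tgz /home/x",
    ]
    return "\n".join(lines)


def triage(session_text, burst_threshold=5):
    """Rank a captured shell session by signal.

    Returns the rule hits in session order, the fraction of lines that matched
    nothing (the noise the flood added), and the seconds in which more than
    burst_threshold commands arrived: a human does not type that fast, a
    flooding script does, whatever the junk lines look like."""
    entries = [line.split(" ", 1) for line in session_text.splitlines() if line.strip()]
    per_second = Counter(ts for ts, _ in entries)
    hits = []
    for ts, cmd in entries:
        cmd = " ".join(cmd.split())  # collapse whitespace-only mutations
        for pattern, reason in RULES:
            if pattern.search(cmd):
                hits.append({"ts": ts, "cmd": cmd, "reason": reason})
                break
    return {
        "total": len(entries),
        "hits": hits,
        "noise_ratio": round(1 - len(hits) / len(entries), 3),
        "burst_seconds": sorted(s for s, n in per_second.items() if n > burst_threshold),
    }


if __name__ == "__main__":
    report = triage(build_session())
    print(f"{report['total']} lines, noise ratio {report['noise_ratio']}")
    for hit in report["hits"]:
        print(f"{hit['ts']}  {hit['reason']:18} {hit['cmd']}")
    print("scripted bursts in:", report["burst_seconds"])
```

<p>Run as a script it reports 43 lines, a noise ratio of 0.93, the three hits, and four flooded seconds. The rule list is what the article says defenders will build signatures for; the rate check is the cheaper half, because it catches the "go wild" step no matter what the filler commands are, and it survives the "(mutate)" step that a pure signature list does not.</p>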
<hr>
<p><font face="Arial, Helvetica, sans-serif" size="2"><span class="emph"><span class="title"><a name=MBOMB></a></span></span><span class="title">Innovative
mailbombs : A new approach<br>
</span><a href="http://acksyn.kerneled.com" target="_blank">By Arun Darlie Koshy</a></font></p>
<p>It's widely recognized that e-mail based attacks are "lame" and usually
a "script kiddie" approach. But what's also
acknowledged is the fact that an effective list-linking attack cannot be shaken
off easily. It usually means that you either have to:</p>
<ul>
<li> manually unsubscribe </li>
<li>forgo the mail account</li>
</ul>
<p>It also can be used to DoS a server.</p>
<p>Today some countermeasures against such attacks are in place: newsgroups,
message boards and newsletters are usually set up to add users only after
confirmation.</p>
<p>Strangely, a potentially huge hole exists. There are a multitude of free "forwarder"
services on the web.<br>
<br>
<b>No</b>, before you jump the gun and think we are going to talk about the echo
bomb approach (where you use two addresses which are set to forward to each other to bomb
the target) .. we're not.</p>
<p>Here's the variation:</p>
<p>1) Open a forwarder account, pointing it at a receptor address that you control.</p>
<p>2) Subscribe to a sufficient number of high-volume newsgroups in message
digest mode.</p>
<p>3) Confirm, using the forwarder address as the reply-to.</p>
<p>(NOTE: steps 2 and 3 are time-consuming if done manually; you can devise techniques
to automate them.)</p>
<p>4) Immediately detach the forwarder account from the receptor account which
you used. You don't want to get bombed when all the groups start sending you digests.</p>
<p>Your bandwidth-cheap e-mail bomber is ready. All you have to do to drown someone
is to set the new target's mail address as the forwarder's destination. This attack
can be nested as many levels deep as you like.</p>
<p><b>Defenses ?</b><br>
</p>
<p>All I can think of at the moment is to find out the forwarder account (usually
visible in the Received: headers of the forwarded message) and to filter it out.
To clean out the bombed account, you can use a standard POP cleaner. <br>
<br>
Awaiting the community's comments. More importantly, we should now concentrate
on making e-mail systems more and more resistant to variations of these kinds
of attacks.</p>
<p>More dangerous forms of attack of the SMTP genre exist .. including ready-made
servers/relays, or writing your own engines to send mail (most organizations
today do not know how to tell spoofed e-mail from genuine mail, and they still think
PGP is for the "strange" people).<br>
<br>
A parting scenario:<br>
<br>
put your brains to work on the "Received: from" header .. think of
the possibilities.</p>
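<p>The defense above comes down to reading the Received: trail, and the parting scenario is the catch: every Received: line below the one your own MX wrote was supplied by whoever handed you the message and can be forged. The following is an added example, not code from the zine, using a constructed list digest relayed through a made-up forwarder service (all hostnames, addresses and IPs are invented, and the bottom Received: line is one the sender forged). It parses the trail, believes only the hops written by hosts you name as your own MX, and reports the forwarder host that connected to you together with the account the forwarder claims the digest was addressed to.</p>

```python
import re
from email import message_from_bytes

# Constructed sample message (not a real capture). Top hop: our MX received it
# from the forwarder. Middle hop: the forwarder received it from the list.
# Bottom hop: a forged line the sender added to muddy the trail.
RAW_MESSAGE = b"""Received: from fwd.example-forwarder.net (fwd.example-forwarder.net [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTP id 4F2A1C
\tfor <victim@victim.example>; Tue, 22 Jul 2003 10:15:02 +0000
Received: from lists.example-digest.org (lists.example-digest.org [198.51.100.5])
\tby fwd.example-forwarder.net (Forwarder) with ESMTP id 9C3D
\tfor <dropbox7@fwd.example-forwarder.net>; Tue, 22 Jul 2003 10:14:58 +0000
Received: from mail.example.gov (mail.example.gov [203.0.113.9])
\tby lists.example-digest.org with SMTP; Tue, 22 Jul 2003 10:14:50 +0000
From: digest-bounces@lists.example-digest.org
To: dropbox7@fwd.example-forwarder.net
Subject: [list] Digest, Vol 12, Issue 118

Today's Topics: 1. junk
"""

# One Received: clause, after unfolding. Field names follow RFC 822/2821 usage.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from_host>\S+)"                      # name the peer gave in HELO
    r"(?:\s*\([^\[)]*\[(?P<peer_ip>[^\]]+)\]\))?"      # (reverse-dns [ip]) as seen by the receiver
    r".*?\bby\s+(?P<by_host>\S+)"                      # host that wrote this line
    r"(?:.*?\bfor\s+<?(?P<for_addr>[^>\s;]+)>?)?",     # envelope recipient, if recorded
    re.IGNORECASE,
)


def forwarding_chain(raw):
    """Return the Received: trail, most recent hop first, as dicts with
    from_host, peer_ip, by_host and for_addr (None when the hop omitted it)."""
    msg = message_from_bytes(raw)
    chain = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        match = RECEIVED_RE.match(unfolded)
        if match:
            chain.append(match.groupdict())
    return chain


def identify_forwarder(raw, trusted_mx):
    """Locate the forwarder that delivered to us.

    Walk the trail from the top and count hops written by hosts in trusted_mx
    (our own MTAs). The last trusted hop names the peer that connected to us,
    which is the forwarder; the next hop, written by the forwarder itself,
    claims which account it delivered for. Anything below the trusted prefix
    is sender-supplied and may be forged, so it is counted but never relied on."""
    chain = forwarding_chain(raw)
    trusted = 0
    while trusted < len(chain) and chain[trusted]["by_host"].lower() in trusted_mx:
        trusted += 1
    if trusted == 0:
        return None  # nothing in this trail was written by us
    hop = chain[trusted - 1]
    return {
        "forwarder_host": hop["from_host"].lower(),
        "peer_ip": hop["peer_ip"],
        "claimed_account": chain[trusted]["for_addr"] if trusted < len(chain) else None,
        "trusted_hops": trusted,
        "untrusted_hops": len(chain) - trusted,
    }


if __name__ == "__main__":
    for hop in forwarding_chain(RAW_MESSAGE):
        print(hop)
    print(identify_forwarder(RAW_MESSAGE, {"mx.victim.example"}))
```

<p>The name after <code>from</code> is whatever the peer said in HELO; the bracketed IP is what your own MX observed, so a block rule should key on that IP or on the forwarder account, not on the From: or List headers, which belong to the innocent mailing lists. With only <code>mx.victim.example</code> trusted, the sample yields one trusted hop and two untrusted ones, and the forged <code>mail.example.gov</code> line is never treated as evidence of anything.</p>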
<hr>
<p><font face="Arial, Helvetica, sans-serif" size="2"><span class="emph"><span class="title"><a name=NBEGIN></a></span></span><span class="title">New
beginnings<br>
</span></font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Have you had a playground
on which you played during childhood with some close friends .. a quiet spot,
or places that you knew too well .. as you read this, are you expecting to read
something that you've read before? </font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Then it suddenly changed;
buildings came up .. they put up labels and names on the place you knew .. that
playground disappeared. Something similar has happened .. slowly all of this
has become meaningless; organisation stifles freedom. Was it meant to happen?</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Some comments :</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">"The interesting thing
about Palladium is that it just moves the location of the exploit. Let's assume,
for the sake of this discussion, that Palladium is 100% secure - it really does
provide a completely trusted path between the keyboard and the screen. All that
happens is that the hacker moves the exploit to the special hardware. ... all
you're doing is moving the point of exploitation about. Does it make it harder?
Absolutely. Will it make it hard enough is not clear to me at this point"
.. <b> Dr. Richard Ford (from personal e-mail communications)</b><br>
<br>
" Unfortunately, there are still some aspects of the hacker community that
disgust me. One is the rampant arrogance and elitism. Most hackers I have met
are very friendly, but some have the attitude that they are somehow better than
everyone else.. In the same vein, I am sick of the information leeches. They
freely take from the hacker community, but then they hoard the information and
refuse to share it with others. What rankles me the most are the miscreants
who deface systems, engage in petty theft, or commit serious crimes and have
the audacity to call themselves hackers.... <b>Fyodor, Insecure</b><br>
<br>
"Security is now sold in a red box with a support contract. And this is
where things went downhill.. Don't lose sight of security. Security is a state
of being, not a state of budget. He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches. Demand better security
from vendors and hold them responsible. Use what you have, and make sure you
know how to use it properly and effectively..</font>And above all else, don't
abuse or take for granted sources of help and information. Without them, you
might find yourself lost or inconvenienced" .. <b>RFP, Wiretrip</b></p>
<p>The future..</p>
<p>I say, let's put the "sub-culture" to rest .. we've fractured it ..
now we look for playgrounds; the bars have been raised .. so you know "Hacking
Exposed", nmap, firewalking .. and all the rest; welcome to the next level
then.</p>
<p>Nothing has changed .. <b>it is all about intent</b>. Sloth and resting on
past laurels are the perfect recipe for disaster. As the levels of complexity
rise, the people involved will slowly become passive .. they will become subject
to shock, and the defenses they build will reflect that .. </p>
<p>You do not eliminate someone who wishes to break into a system by putting a
thousand blocks in front of him .. given enough motivation and spirit, he will
break it .. we have to eliminate the distress and inequalities in society to
do that.</p>
<p>Till then, the plastic knives to get planes into buildings, exploit No.nth,
service packs will continue. It is a fractal, repeating, without stop and no
limits.. till we honestly try to eliminate dishonesty and exploiting the human
spirit (be it in the form of divisions of border, corporations and sickening
imbalance of wealth) .. nothing will stop. All harm is done when you do not
allow someone to stand WITH you, and you make barriers. </p>
<p>For everyone who abused their privileges, there is a payback .. the countries
who think they have solutions due to wealth will have to face the voids in their
hearts as they count the number of anonymous souls they destroyed; the people
living in large beautiful houses with everything going for them will have
to face the silent screams of those who do not .. you won the war with missiles
and you belittled your brother.<br>
</p>
<p>With honeypots, you gave the group of people who had the upper hand a kick;
now you're growing in arrogance .. forget the people who lay the building blocks
.. how are you better than them? You think that drawing up CERT, SANS and countless
security procedures will put a stop to it? Have you been arrogant to those who wish
to learn? How about pricing books explaining this .. how about restricting
information .. how about talking rudely to someone on a newsgroup asking how
to start learning?</p>
<p>Also I take this opportunity to bash the PLAGIARISTS in this game, those people
who are in it for the media glare..writing hacked up books, vomiting recycled
information .. STOP, it makes me SICK.</p>
<p>I am just a kid's curiosity .. to date, when a situation challenged me enough,
I've circumvented it ... You cannot STUDY me with honeypots or by psychoanalyzing
me, the firewalls, the IDSes .. billions of bits on wires and ether.</p>
<p></p>
<p>We can laugh, ignore or react in pity. Cain and Abel .. everything starts again.</p>
<p><img src="kye.jpg" width="687" height="456"><br>
<br>
(Taken from <a href="http://www.knowyourenemy.com" target="_blank">http://www.knowyourenemy.com</a>
)</p>
<hr>
<font face="Arial, Helvetica, sans-serif" size="2"><span class="emph"></span></font><font face="Arial, Helvetica, sans-serif"><span class="text_head1"><br>
<a name="CONTRIB"></a>Contribute! Learn! Discuss!</span><br>
<br>
<span class="text_head2">Contact:</span><br>
You're invited to send in your entries, comments et al. for publication to <b>hwcol
/at\ arunkoshy.cjb.net</b></font>
<p><font face="Arial, Helvetica, sans-serif"><span class="text_head2"> Topics
(but definitely not restricted to):</span><br>
algorithms, stuff related to systems programming and applied network security.</font></p>
<p><font face="Arial, Helvetica, sans-serif"><span class="text_head2">Style:</span><br>
The zine advocates a "hands-on" approach when it comes to tech.. Get to the
code or point. Provide references and links if necessary (especially if you're
presenting a fresh perspective on something already known). </font>
<p>
<p>
</td>

</tr>

<tr>

<td colspan="2">


<div align="center" class="unnamed1"><span class="footer"><a href="http://www.Infosecwriters.com"><font size="1" face="Arial, Helvetica, sans-serif">Home</font></a><font size="1" face="Arial, Helvetica, sans-serif">
|<a href="http://www.Infosecwriters.com/about.php"> About Us</a> |<a href="http://www.Infosecwriters.com/contact.php">
Contact Us</a> |<a href="http://www.Infosecwriters.com/privacy.php"> Privacy
Policy</a> | <a href="http://www.Infosecwriters.com/map.php">Site Map</a>
</font></span></div>


<p align="center"><font size="1" face="Arial, Helvetica, sans-serif"><span class="footer">All
images, content & text (unless other ownership applies) are &copy; copyrighted
2003, Infosecwriters.com. All rights reserved. Comments are property of
the respective posters.</span></font></p>

</td>

</tr>

</table>

</body>

</html>