d-khan is coming to Dayton

d-khan is coming to Dayton! What is d-khan? D-khan will be the first Infosec\Hacking convention in the Dayton Ohio area and it will be coming in 2007. Yes... I have decided that I need more to do in my life. So, why not start a hacker... err I mean Infosec convention in Dayton.

Every year over the past 3 years I have been attending Blackhat and Defcon in Las Vegas and I have to say that they are very informative and just down right cool. Tons of great people and lotz of hackers talking about there uder cool haxor skillz. OK... it is really a bunch of nerds that wanna be cool. But, I like that kind of stuff and I think we need this in Dayton.

My vision is to see a convention where the local hackers and Infosec practitioners who do not get to go to Vegas can show up for two days and have fun. There will be talk tracks, a CTF contest, a dealer room with t-shirts and old crappy computer parts... and oh yeah lots of girls whole like nerds. :)

It is my hope that d-khan will be something that I can give back to the Infosec community of Dayton. Something that will bring all of the haxors, Infosec managers and firewall jockies together for 2 days and let them all share and learn together.

Only by understanding our enemy can we learn to best him. In this case, the "enemy" is the hacker on the Internet looking to pwn your site. Learn the techniques that are used to take down a network, and then you can apply these to your site and fix the issues that can lead to compromise.

So...d-khan is coming to town. Are you ready for it?

XS

Least we forget layer 2

Hello everyone,

Over the past few months, I have been working on auditing a large Cisco network. It has been very slow process due to the size of this infrastructure and the amount of appliances I need to review. I also wanted to make sure that the network review included a complete review of the layer 2 devices.

Now, I love my job but it is impossible to have a deep understanding of everything that is networking. My layer 2 auditing experience definitely needed some improvement. So, I used this time as a chance for me to improve a skill area that was lacking.

I have been looking all over the internet for sources of information on Cisco switch security settings and have had good luck in finding loads of information on the subject. The problem is that it is generally scattered all over the place. Cisco's website had quit a bit of the information but you really needed to be direct with your searches.

While I was searching the web, I keep thinking about the FBI's Cisco router security guide. I mean they wrote a book on locking down routers, but they forgot the switches.

So, I decided to compile the documentation I discovered in one location. Yes, you guessed it, it will sit here on my site.

Now, I am not taking credit for this work. All I am doing is compiling a list of links and documents together that deal with layer 2/3 switch security on my site.

Also, I will be posting my switch auditing process so that all you admins out here can use my framework to audit your infrastructures. I am such a nice guy. hehe

Cisco routers are always the hot topic when we talk about network security. It seems like most system admins and network security engineers forget about the layer 2 devices. Why? The switches can be a great way to recon a network or used as an avenue of attack. I mean, they touch all of data on the network at one time or another.

The goal of my paper is to help all of the admins out there understand the attacks that can effect you layer2/3 switches and how you can lock them down. I will include the IOS and CatOS commands for you.

This paper will be a living document and will change from time to time, so be sure to check back for updates. I will also include a list of tools hackers can use to attack your switches and (hopefully) screen shots of the tools in action. I will also try to post the source of Perl scripts that help me in my auditing of layer2/3 devices.

Please use this info responsibly. I am posting to help admins out here audit there networks. Use this info at your own risk.

madnos

my.bunghole will kill your computer!

Who names computer viruses? This is a question that I have had for sometime now. I know that hackers are more creative than calling something zafi-b or Melissa. Hell, if I was to write a virus I would call it the my.bunghole.vbx so I could say that my.bunghole killed your computer. hehehe

CARO (Computer Antivirus Research Organisation), which almost all of the major AV vendors are members of, have a set of standards that are followed when naming new viruses. This also means that sometimes when a non-member releases info on a virus to the press, that the virus in question may have a different name than what the CARO decided upon.

OK, we have a majrity of the AV companies out there at least trying to set a standard around the naming of viruses, and then you have a select few companies who have decided to go on there own and do there own thing. So we get alot of confusion when a major virus outbreak occurs and networks experience downtime due to applying the wrong AV update. That sounds really smart!!!

When I read stuff like this, I think of the movie "Pump up the volume". Christian Slater, who was a radio pirate said "If you are not part of the solution... then you are part of the problem. Quit being part of the f*cking problem!" I could not agree more Christian.

I say support the AV companies who support CARO standards. They are the one's who are trying to make a difference and should get our business because of this.

Anyway, we have a new bug out in the wild and it is a multilingual virus. JOY!

Here is the write up on this nasty bug.

Enjoy.

Security firms have issued warnings over a multilingual computer virus that can shut down firewalls and disable anti-virus software. Zafi-b, which is also known as Hazafi or Erkez-b, spreads both as an email attachment and via peer-to-peer file-sharing systems, using techniques common to similar worms. The worm, first discovered last week and now spreading rapidly, is delivered in the form of a .pif, .exe or .com file.

Most interesting about the malware is its ability to speak in multiple tongues. Zafi replicates itself in Hungarian, German, Dutch, English, Italian, Swedish, Spanish, and Russian.

People are not expecting to get a virus in their own native tongue and so [they] drop their guard a little," said Conor Flynn, technical director of Irish e-security company Rits, who described Zafi-b as "smart...It also uses file names linked to the WinAmp music program and the Total Commander computer games."

Zafi-b is not the first bug with capability of speaking in different languages. Sober-d, released into the wild earlier this year, recognises German email addresses, so that text in emails was written entirely in German, rather than in the default language, English.

Like other email worms, Zafi-b harvests addresses from users' address books and then spreads by sending itself to those addresses. The new variant also disables tools central to the Microsoft Windows operating system such as the Registry Editor and Task Manager, preventing the use of these essential applications by other programs, said Finnish e-security company F-Secure.

Zafi-b accounted for more than 60 per cent of reports to Sophos's network of monitoring stations over 24 hours. Because Zafi-b can disable anti-virus programmes, computer users should update anti-virus signatures on perimeter machines connected to external networks on an hourly basis, said Rits' Flynn.

Zafi-a appeared in the wild in April to coincide with Hungary's accession into the EU; it contained a political message appealing to Hungarian patriotism. This first manifestation of the worm didn't appear outside the country as it only sent itself to .hu addresses. The Zafi.B variant contains a different political payload, this time demanding that the Hungarian government accommodates the homeless, tightens up the penal code and votes for the death penalty.

The new worm can also orchestrate distributed denial of service (DDoS) attacks aimed at shutting down Web sites operated by the Hungarian government and Hungarian anti-virus firms.