Feedz
Monkey - House


  • ShmooCon 2008 Videos - ONLINE!
    On the heels of my last post, it appears that the ShmooCon 2008 Videos have now been posted online.

  • (IN) Secure Magazine Issue 16
    Just a quick heads up to let you know that the newest issue of (IN) Secure Magazine has been published.

    This issue has an interesting article regarding SCM (software configuration management), security, and how they apply to the Japanese market and workforce. The author touches on some interesting points and challenges that most American companies never have to deal with.

  • ShmooCon 2008 Presentations - ONLINE!

    I haven't seen this mentioned anywhere else, but it looks like at least some of the ShmooCon 2008 presentations are now available on their website.


    ShmooCon 2008 Presentations

    Hopefully the videos won't be too far behind!

  • Barracuda Spam "Firewall" Drowns in The Ping River
    During the course of an average day's work, I often run across numerous IT and security products that, quite frankly, belong in the garbage. When I run across these products, I often joke with my coworkers that the fix for the problem product is to remove it and throw it in the Ping River, which flows right through the heart of town here. Therefore, in honor of this running joke, I have decided to start a new section on the Monkey House blog where I can draw special attention to these garbage products. I call it "Bottom of the Ping River", the only real place that these products belong. A sidebar has been added to keep a running list. Think of it as a wall of shame of sorts.

    At the top of my list to toss into the river is the Barracuda Spam "Firewall". The product in and of itself is not actually too bad. It's fairly tolerable; however, its support team is not. Barracuda support could easily be replaced with a couple of monkeys pressing a random solution generator button. Every time I have contacted them, it has been one random solution after another, with the most recent being instructions to rebuild the appliance! Normally I could live with a lackluster support team for a product and make every attempt to troubleshoot and resolve the issue myself. However, Barracuda does NOT allow its customers to have the root login or SSH access for the device that they paid for. Let that sink in for a second. As the author mentions in this excellent article, "I wouldn't trust everyone at Microsoft to have the only Administrator account to my Exchange server, so why would I trust Barracuda Networks to have the only root password to my SF Appliance?"

    Just for kicks, I decided to open a Barracuda Support Ticket and request SSH access. Here is the response I received from the Barracuda Support Monkey:

    Thank you for contacting Barracuda Networks. We cannot provide you with SSH credentials. In order to have support access to any Barracuda Device you need to be a Barracuda employee or have gone through certified training to do so. The firmware and information on the Barracuda units are strictly Barracuda property. We do not allow anyone to have access unless they have gone through our Barracuda certified training and pass. If you are interested in this training and would like to know more, please contact your Barracuda Sales person.

    So essentially, in order to gain access to the device we have already paid for, we must pay Barracuda FURTHER for training?? I'll pass. And for that, Barracuda, you shall now meet your ultimate demise at the Bottom of The Ping River. ....R.I.P.

  • Sawat Dee Krap! - (I Am Still Alive)
    Sawat Dee Krap (Hello) from Thailand! I am alive and well here in Thailand. To the left is a breathtaking view of my new home from the mountain top.

    I have purposely taken a few months' hiatus from blogging to settle into my new job and adjust to my new life 10,000 miles away. As of today, I plan to resume regular blogging activities. I've already got a few blogs written out on paper that I have been saving for some time now. :)

    Over the next couple of months, my blogs will start to examine some of the differences that exist between the security mindsets of the US and those of companies in Southeast Asia. The Monkey House blogs will also start containing more viewpoints from the system administrator and developer standpoints, as they relate to security. Think of this as more of a security view from "down in the trenches", which coincides with my new roles and responsibilities here with my new company. Stay tuned...

  • Security Links - 11/06/07
    Serversniff.net - Fantastic little tool for auditing SSL. Easy way to test for the presence of SSL v2 and weak/export grade ciphers.

    Hungry Machine - The guys over at Hungry Machine show us how to quickly and effectively perform geo-locating by IP address in Ruby on Rails. Just goes to show that the 'net is a lot less anonymous than people think. [For those that are unaware, IP address geo-locating is how Adult Friend Finder always manages to display banner ads with lovely ladies from your present location! Now if only they could find a way to display a different set of women based on my location. I find it hard to believe that the exact same set of Caucasian women waiting for me in Arlington, VA are also patiently waiting for me when I travel to Bangkok, Thailand. ;) ]

    ToorCon 2007 - A lot of the presentations are now available for download. (Hint: Click the [M])

    Overlooked SQL Injection Techniques - Another presentation from ToorCon, but not linked on their page. Great presentation that shows a lot of often overlooked SQL injection techniques.

    The Bungling Sys Admin - A coworker's blog. I think it's good for us security folks to be reminded of what it's like working down in the trenches and on the front lines. Also some fairly useful information there.

  • OpenSSH Brute Password Capture Patch
    Today I was dealing with one of the countless SSH brute force grinders running wild out there on the net. I was thinking that it would be cool if I could capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded and attempted to use it, but could not get the patch to apply. After a bit of investigation, I determined that this patch was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had to modify the patch to get it to work.

    The next thing I discovered is that I really didn't like the logging format. The logs record epoch time, username, password, and IP address; however, these are spread across 4 separate lines. So a sample entry looks something like this:

    1193780392
    root
    test
    10.0.6.147


    Not very easy to parse. Since I was interested in using the data for other things, I decided to modify the logging as well. The format still has all the same fields, but now in a colon-delimited format, with one attempt per line. It now looks something like this:

    1193780828:root:test2:10.0.6.147
    1193788608:test:test:127.0.0.1


    I've placed the patch on my Google Code site for now. It's not very clean, but it appears to work with the portable version of OpenSSH for Linux. I tested it on version 4.7p1 on CentOS.

    I'll attempt to clean it up and refine it later.
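    As an added example (not part of the original post or of the patch itself), here is a small Python parser for both log formats shown above, with a per-IP and per-username summary. It also covers the one edge case the colon-delimited format has: a supplied password that itself contains a colon. The first two colon-delimited sample lines are the ones from the post; the third is constructed to exercise that edge case.

```python
"""Parse the credential-capture logs written by the modified OpenSSH patch."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Attempt:
    ts: int          # epoch seconds, as logged
    user: str
    password: str
    ip: str


def parse_colon_line(line: str) -> Attempt:
    """Parse 'epoch:user:password:ip'. The password may contain ':', so take
    epoch and user from the left and the IP from the right; the rest is the password."""
    ts, user, rest = line.rstrip("\n").split(":", 2)
    password, ip = rest.rsplit(":", 1)
    return Attempt(int(ts), user, password, ip)


def parse_colon_log(text: str) -> list[Attempt]:
    return [parse_colon_line(l) for l in text.splitlines() if l.strip()]


def parse_fourline_log(text: str) -> list[Attempt]:
    """Parse the original patch's format: epoch, user, password, IP on four lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) % 4:
        raise ValueError("truncated record: line count is not a multiple of 4")
    return [Attempt(int(lines[i]), lines[i + 1], lines[i + 2], lines[i + 3])
            for i in range(0, len(lines), 4)]


def summarize(attempts: list[Attempt]) -> tuple[Counter, Counter]:
    """Attempts per source IP and per tried username."""
    return Counter(a.ip for a in attempts), Counter(a.user for a in attempts)


# Constructed sample input: first two lines copied from the post, third one made up.
COLON_SAMPLE = """1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1
1193788700:root:p:a:ss:10.0.6.147
"""
FOURLINE_SAMPLE = "1193780392\nroot\ntest\n10.0.6.147\n"

if __name__ == "__main__":
    for a in parse_colon_log(COLON_SAMPLE) + parse_fourline_log(FOURLINE_SAMPLE):
        when = datetime.fromtimestamp(a.ts, tz=timezone.utc)
        print(f"{when:%Y-%m-%d %H:%M:%S}Z {a.ip} {a.user!r}/{a.password!r}")
```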



  • CapSec October - 10/25
    Reminder: CapSec meet up tomorrow.

    CapSec October
    October 25 (Thursday) 7:30 PM
    The Brickskellar
    1523 22nd St, NW
    Washington DC 20037



  • Published! .... well, sorta
    Last month I was contacted by a professor from a university in the Midwest. He had run across my posting on DNS Best Practices and was requesting permission to include it in his course material. This material is being included in the curriculum for a Systems Administration class he teaches.

    While this is both an honor and a privilege, the real kicker is that I am extremely jealous. I really wish that these sorts of courses had existed back in my college days. The closest thing available to me at the University of Houston, where I majored in Physics, was an intro to computers provided as part of my Physics major curriculum. We briefly learned about hardware (486 vs Pentium, ISA cards vs PCI, etc.) and then we jumped into Mathematica and how we could use it to do our physics homework. Unfortunately, like many of my fellow UofH students that year, about the only thing I did learn was which computers could and could not effectively run the now classic Civ I game. ;)

  • Security Links - 10/22/07
    Just a few links for security related tools and sites that piqued my interest in the past few weeks.

    Hashmaster - Have a tool or application that is hashing data, but you are unsure what algorithm is being used? Pass your application a known string, then pass that string and the resulting hash to Hashmaster. It will compare the values and attempt to identify the algorithm in question.

    HITB Presentations - All the presentations from last month's HackInTheBox Security Conference in Malaysia have been posted and are available to download. Pretty interesting stuff.

    fierce.pl - By far the best tool available for enumerating hosts via DNS. I had played with the very first version when it was announced, but had never bothered to follow up on subsequent releases. I recently downloaded and played with the most current version (0.9.9 - Beta) and was wholly impressed. A must-have in any pen-tester's toolbox.

    Knoppix-NSM - A bootable LiveCD based on the popular Knoppix distro. This one has been customized to provide almost-instant NSM (network security monitoring) capabilities. Comes with Snort, BASE, Barnyard, ntop, and Sguil. Was covered in this month's copy of Information Security Mag.