“In the TSA Security check…”

December 26th, 2010 Comments off

They were just patting down and wanding a severely autistic child in a wheelchair. After sending her through the x-ray imagery twice.

What the fuck.

– email from my girlfriend

This is somehow perceived as thwarting terrorism.

Categories: FAIL

“Cannot include special characters”

September 17th, 2010 3 comments

WHY THE FUCK ARE THERE STILL SITES THAT DON’T ALLOW “SPECIAL CHARACTERS” IN PASSWORDS, LET ALONE USERNAMES?

Categories: FAIL

Best. Proof of concept. Ever.

September 1st, 2010 Comments off

For the sake of lulz, please narrate this to yourself in the voice of the Old Spice Guy […]

Security Advisory for NetWare 6.5 OpenSSH (“On Exploitability”)

Categories: Exploits

Richard Clarke sucks [updated]

April 23rd, 2010 1 comment

Today I read a review on Threat Level tearing apart Richard Clarke’s new pile of hardbound bullshit.  I really hate Richard Clarke.  At least when it comes to cyber-anything, he’s full of shit and I don’t know why anyone considers him any kind of expert.

Rather than my usual obscene rant, I’m just going to provide some choice video clips.  These are my two favorite segments from the PBS Frontline titled “Cyberwar” from a few years ago.

Update:  I found a photographic record of Richard Clarke and his brave three hundred pushing enemy packets off the edge of the internet.

"Those packets look thirsty, boys!"

Categories: Books, FAIL

Sguil database schema

April 7th, 2010 Comments off

I can’t find this anywhere else, so I’m just going to quickly throw it up here.  These are the tables and columns of a Sguil database.  I think there are some extra tables (nessus, etc.) because this is from running a SecurityOnion live CD, which uses NSMNow to do the Sguil setup.  Also, Sguil seems to copy the following tables for each date and sensor: data, event, icmphdr, sancp, tcphdr, and udphdr; e.g. each day it will make data_sensorname_20100407.

Database: server1_db
+--------------------------+
|          Tables          |
+--------------------------+
| data                     |
| event                    |
| history                  |
| icmphdr                  |
| nessus                   |
| nessus_data              |
| pads                     |
| portscan                 |
| sancp                    |
| sensor                   |
| status                   |
| tcphdr                   |
| udphdr                   |
| user_info                |
| version                  |
+--------------------------+
Database: server1_db  Table: data
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field        | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid          | int(10) unsigned |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid          | int(10) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| data_payload | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: event
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field             | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid               | int(10) unsigned     |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid               | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature         | varchar(255)         | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| signature_gen     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_id      | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_rev     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp         | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| unified_event_id  | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_event_ref | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_ref_time  | datetime             |                   | YES  |     |         |       | select,insert,update,references |         |
| priority          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| class             | varchar(20)          | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| status            | smallint(5) unsigned |                   | YES  | MUL | 0       |       | select,insert,update,references |         |
| src_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_type         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_code         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| ip_proto          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ver            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_hlen           | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_tos            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_len            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_id             | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_flags          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_off            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ttl            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_csum           | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| last_modified     | datetime             |                   | YES  | MUL |         |       | select,insert,update,references |         |
| last_uid          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| abuse_queue       | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| abuse_sent        | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: history
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| uid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| status    | smallint(5) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| comment   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: icmphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| icmp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_id   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_seq  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: nessus
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| uid       | int(11)     |                   | NO   |     |         |       | select,insert,update,references |         |
| rid       | varchar(40) | latin1_swedish_ci | NO   | PRI |         |       | select,insert,update,references |         |
| ip        | varchar(15) | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| timestart | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
| timeend   | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: nessus_data
+-------------+
|   Tables    |
+-------------+
| nessus_data |
+-------------+
Database: server1_db  Table: pads
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname    | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| sid         | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| asset_id    | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| timestamp   | datetime            |                   | NO   |     |         |       | select,insert,update,references |         |
| ip          | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| service     | varchar(40)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| port        | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| ip_proto    | tinyint(3) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| application | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| hex_payload | varchar(255)        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: portscan
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname  | varchar(255)     | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| timestamp | datetime         |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_ip    | varchar(16)      | latin1_swedish_ci | YES  | MUL |         |       | select,insert,update,references |         |
| src_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| dst_ip    | varchar(16)      | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| dst_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| data      | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sancp
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field      | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid        | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| sancpid    | bigint(20) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| start_time | datetime             |           | NO   | MUL |         |       | select,insert,update,references |         |
| end_time   | datetime             |           | NO   |     |         |       | select,insert,update,references |         |
| duration   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| ip_proto   | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| src_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| dst_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sensor
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| Field       | Type             | Collation         | Null | Key | Default           | Extra          | Privileges                      | Comment |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| sid         | int(10) unsigned |                   | NO   | PRI |                   | auto_increment | select,insert,update,references |         |
| hostname    | varchar(255)     | latin1_swedish_ci | NO   | MUL |                   |                | select,insert,update,references |         |
| agent_type  | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| net_name    | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| interface   | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| description | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| bpf_filter  | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| updated     | timestamp        |                   | NO   |     | CURRENT_TIMESTAMP |                | select,insert,update,references |         |
| active      | enum('Y','N')    | latin1_swedish_ci | YES  |     | Y                 |                | select,insert,update,references |         |
| ip          | varchar(15)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| public_key  | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
Database: server1_db  Table: status
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| status_id   | smallint(5) unsigned |                   | NO   | PRI |         |       | select,insert,update,references |         |
| description | varchar(255)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| long_desc   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: tcphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| tcp_seq   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_ack   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_off   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_res   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_flags | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_win   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_csum  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_urp   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: udphdr
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field    | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid      | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid      | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| udp_len  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| udp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: user_info
+-----------+
|  Tables   |
+-----------+
| user_info |
+-----------+
Database: server1_db  Table: version
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| version   | varchar(32) | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| installed | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
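An added example (mine, not from the post or the Sguil project) showing how the per-sensor, per-day naming above is used in practice: it builds the table names, joins event rows to their tcphdr rows on (sid, cid), and renders the integer IP columns as dotted quads. It assumes the int(10) unsigned src_ip/dst_ip columns hold INET_ATON-style integers and that status 0 (the schema default) means an event no analyst has categorised yet; sqlite3 stands in for MySQL with a cut-down subset of the columns so it runs offline.

```python
"""Querying Sguil's per-sensor, per-day tables (added example; sqlite3 stands in for MySQL)."""
import re
import sqlite3
from datetime import date, timedelta
from ipaddress import IPv4Address

# Tables that Sguil splits per sensor and per day, as the post describes.
PER_DAY_TABLES = ("data", "event", "icmphdr", "sancp", "tcphdr", "udphdr")


def daily_table(base, sensor, day):
    """Per-day table name as in the post, e.g. data_sensorname_20100407 (day is "YYYY-MM-DD")."""
    if base not in PER_DAY_TABLES:
        raise ValueError(f"{base} is not split per sensor/day")
    if not re.fullmatch(r"[A-Za-z0-9_]+", sensor):  # it is interpolated into SQL as an identifier
        raise ValueError(f"unsafe sensor name: {sensor!r}")
    return f"{base}_{sensor}_{date.fromisoformat(day):%Y%m%d}"


def day_range(start, end):
    """Yield ISO dates from start to end inclusive."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)


def int_to_ip(n):
    """src_ip/dst_ip are int(10) unsigned; assumed to hold INET_ATON-style integers."""
    return str(IPv4Address(n))


def ip_to_int(s):
    return int(IPv4Address(s))


def create_day(conn, sensor, day):
    """Create a cut-down event_*/tcphdr_* pair for one sensor/day (subset of the schema's columns)."""
    ev, tcp = daily_table("event", sensor, day), daily_table("tcphdr", sensor, day)
    conn.execute(f"CREATE TABLE {ev} (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,"
                 " status INTEGER DEFAULT 0, src_ip INTEGER, dst_ip INTEGER, src_port INTEGER,"
                 " dst_port INTEGER, ip_proto INTEGER)")
    # Header rows join back to their event on (sid, cid), the pair every per-day table carries.
    conn.execute(f"CREATE TABLE {tcp} (sid INTEGER, cid INTEGER, tcp_flags INTEGER)")
    return ev, tcp


def unreviewed_alerts(conn, sensors, start, end):
    """Events still at status 0 (schema default; assumed to mean 'not yet categorised') across
    every sensor/day table in range, oldest first, with IPs rendered as dotted quads.
    Returns (table, signature, src_ip, src_port, dst_ip, dst_port, tcp_flags) tuples;
    tcp_flags is None for non-TCP events, which have no tcphdr row."""
    parts = []
    for sensor in sensors:
        for day in day_range(start, end):
            ev, tcp = daily_table("event", sensor, day), daily_table("tcphdr", sensor, day)
            parts.append(
                f"SELECT '{ev}' AS tbl, e.timestamp AS ts, e.signature, e.src_ip, e.src_port,"
                f" e.dst_ip, e.dst_port, t.tcp_flags FROM {ev} e"
                f" LEFT JOIN {tcp} t ON t.sid = e.sid AND t.cid = e.cid WHERE e.status = 0")
    rows = conn.execute(" UNION ALL ".join(parts) + " ORDER BY ts").fetchall()
    return [(tbl, sig, int_to_ip(s), sp, int_to_ip(d), dp, flags)
            for tbl, _ts, sig, s, sp, d, dp, flags in rows]


def build_demo():
    """Constructed sample data: one sensor, two days, three events (one already reviewed)."""
    conn = sqlite3.connect(":memory:")
    ev6, _ = create_day(conn, "sensorname", "2010-04-06")
    ev7, tcp7 = create_day(conn, "sensorname", "2010-04-07")
    conn.execute(f"INSERT INTO {ev6} VALUES (1, 1, 'constructed DNS alert', '2010-04-06 23:59:00', 0,"
                 f" {ip_to_int('172.16.0.9')}, {ip_to_int('192.168.1.20')}, 51000, 53, 17)")
    conn.execute(f"INSERT INTO {ev7} VALUES (1, 1, 'constructed SSH scan', '2010-04-07 10:00:00', 0,"
                 f" {ip_to_int('10.0.0.5')}, {ip_to_int('192.168.1.10')}, 44321, 22, 6)")
    conn.execute(f"INSERT INTO {tcp7} VALUES (1, 1, 2)")  # SYN only
    conn.execute(f"INSERT INTO {ev7} VALUES (1, 2, 'constructed reviewed alert', '2010-04-07 11:00:00',"
                 f" 1, {ip_to_int('10.0.0.5')}, {ip_to_int('192.168.1.10')}, 44322, 22, 6)")
    return conn


if __name__ == "__main__":
    for row in unreviewed_alerts(build_demo(), ["sensorname"], "2010-04-06", "2010-04-07"):
        print(row)
```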
Categories: Tools

No really, Verified By Visa blows

January 27th, 2010 Comments off

But don’t take my word for it — take Ross Anderson’s.

Categories: FAIL

Fuck Securom (Error 5003)

January 2nd, 2010 1 comment

I bought Crysis so I could play a Mechwarrior mod with it.  When I tried to start it, a window popped up saying:

A required security module cannot be activated. This program cannot be executed (5003).

One of my friends located the explanation.  Indeed, I had IDA Pro running in the background.

Good job, guys.  That will really prevent piracy, a lot.  You are great at what you do.

Categories: FAIL

Verified By Stupid Bullshit

December 29th, 2009 Comments off

I’ve ranted about Verified By Visa before.  Since then, I’ve had the good fortune of having no dealings at all with the idiotic system – until tonight.  Since I’m using a different Visa card for a purchase, it’s harassing me to create myself a new Verified By Visa account which includes my Social Security number for some fucking reason.  And when they prompt me for a password?

Passwords must contain at least one lower case alpha character, one upper case alpha character, and one numeric value. Special characters and spaces are not allowed.

You fucking idiots.  Go fuck the devil in hell.

Categories: FAIL

Dumb code – dumb idea

November 23rd, 2009 Comments off

I saw an article about this new technology that’s supposed to “stop computer viruses in their tracks.”  The idea is interesting, but overall I think it would be useful in only a very limited, focused application.  Things would get far too complicated, far too quickly, for it to be both successful and at all versatile.

So I think the fact that it’s being patented, and the fawning article in New Scientist, are laughable.  I was going to viciously mock them but it turns out David Harley beat me to it.  He added less sarcastic commentary here.

Categories: Malware

Packet visualization with Python

September 13th, 2009 4 comments

A long-time pet project of mine is decoding the network protocol of Valve Software’s “Source” game engine, used in Half-Life 2, Counter-Strike: Source, Team Fortress 2, and Left 4 Dead.  I’ve never made it very far, but it has led me down some interesting paths in reverse engineering, debugging, and visualization.  One example of the latter is this Python script I wrote to analyze a series of packets.  It creates an image in which each row represents a packet, and each pixel represents one byte of the packet.  The pixels range from black (for a value of 0x00) to bright green (0xFF).  I got the idea from Greg Conti in his interview on the Network Security Podcast.  Here’s what I did:

Read more…
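An added example of the layout just described (my code, not the author's script): one row per packet, one pixel per byte, black for 0x00 up to bright green for 0xFF. It writes a binary PPM so no imaging library is needed; the dark-blue padding colour for bytes past a short packet's end and the sample packets are my own constructions, not captured Source engine traffic.

```python
"""One row per packet, one pixel per byte, black (0x00) to bright green (0xFF). Added example."""

PAD = (0, 0, 64)  # my choice: dark blue marks the space past a short packet's end, unlike 0x00 (black)


def byte_colour(b):
    """Map a byte value to an RGB pixel on the black-to-green scale described in the post."""
    return (0, b, 0)


def packets_to_rgb(packets):
    """Return (width, height, rows): one list of RGB tuples per packet, padded to the longest packet."""
    width = max(len(p) for p in packets)
    rows = [[byte_colour(b) for b in p] + [PAD] * (width - len(p)) for p in packets]
    return width, len(packets), rows


def to_ppm(packets, scale=1):
    """Encode the grid as a binary PPM (P6), which needs no imaging library; scale enlarges pixels."""
    width, height, rows = packets_to_rgb(packets)
    body = bytearray()
    for row in rows:
        line = b"".join(bytes(px) * scale for px in row)  # repeat each pixel horizontally
        body += line * scale                               # repeat each row vertically
    return b"P6\n%d %d\n255\n" % (width * scale, height * scale) + bytes(body)


def pixel_at(ppm, x, y):
    """Read one pixel back from an unscaled PPM made by to_ppm, to check the mapping."""
    _magic, dims, _maxval, data = ppm.split(b"\n", 3)  # only the three header newlines are split
    width, _height = map(int, dims.split())
    off = (y * width + x) * 3
    return tuple(data[off:off + 3])


def sample_packets():
    """Constructed packets (not captured game traffic): a constant 4-byte header, a sequence byte,
    a constant, then a payload that grows by one byte per packet, ending in 0xff. In the image the
    constant columns show up as solid vertical bands and the counter as a gradually brightening one."""
    return [bytes.fromhex("ffffffff") + bytes([seq, 0x40]) + bytes([0x80] * (seq + 1)) + b"\xff"
            for seq in range(3)]


if __name__ == "__main__":
    with open("packets.ppm", "wb") as fh:
        fh.write(to_ppm(sample_packets(), scale=8))
```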

Categories: Visualization