Archive for July, 2007

Netstat Tricks

July 22, 2007

A tale of three sites and spy versus spy

Using a web browser to surf the web is sort of like a Vulcan mind probe. At the same time information is flowing to you through various ports, you are sharing information with the host. On the basic level, there is nothing terribly sinister about this because two-way communication is necessary for web browsing.

So at the simplest level, you connect with a site (nottelling.com), but before connecting you do a traceroute to see that it's relatively safe. The request goes to 8 IPs in the Washington area before heading to Atlanta, GA and then the final destination in Scottsdale, Arizona. None of the IPs along the route belong to a known honeypot or are on a honeypot list, and the path is very logical, so it looks safe.

Now to see what's happening to my machine, I use a blank homepage and no browser search bar which might be connected to the web. I run the "netstat -a" command to see my starting point and leave the DOS window open. After typing in the URL and pressing enter, I reopen the DOS window as quickly as possible and run "netstat -a" again. I repeat this command several times until the page is fully loaded. In the case of nottelling.com, two ports (1042 and 1044) are opened and connected to HTTP at the nottelling.com host.

This is just about as vanilla as Web Browsing can be. In the case of nottelling.com, the only entity probing my machine is the one I expected.

As discussed at the Fatsavage Blog, WordPress is hidden in the walled garden of cyberspace, where it's a little difficult to find out who is doing what to whom and where that person is getting screwed. WordPress blogs are now being served by the Akamai Technologies system, which is about six hops away from any computer in the world; all traces end at their system, and the actual server can be anywhere.

However, when some entity wants to probe your machine they have to connect through a port, and it's the function of netstat to tell you who's doing what to you. When I checked fatsavage.wordpress.com, there were logical and not so logical connections.

Obviously, akamaitechnologies.com is connected.
Not obvious but logical: Snap (38.98.19.109) and Google Analytics are connected, or they couldn't provide the services they provide.
Unexpected: layeredtech.com, which was the original WordPress host, is still connected, and I guess it's necessary for posting blogs etc.

Now after that it gets a little messy.

I had a connection from a security firm, pccwglobal.net, at port 1809. Now this pisses me off a little; I can't recall in any way inviting them to do the mind probe thing, and I can't recall WordPress ever telling me that they would be providing some new wonderful service. At least with Google Analytics and Snap there were warnings.

And last but not least was a reemergence of my old friend Carnivore. It seems that clandestine operations must be hosted by your ISP because of some archaic law, and my ISP was connected to me on port 1802. They don't necessarily need a search warrant as long as there is a search warrant for one person on the whole system, which is of course almost guaranteed, so that means they can spy on everyone.

On a positive note, it would seem that “netstat -a” provides a peephole to see who’s playing with themselves behind the walled garden of Akamai.

The third site is my own at fatsavage.com and will be discussed separately.


What’s Vista????

July 19, 2007

Check out dictionary.com for the meaning of Vista. It is either a

1. A distant view especially one seen through a long, narrow passage as between rows of trees or houses.

2. An operating system which provides a brilliant vision of the future when viewed from the narrow perspective of Microsoft Public Relations.

Actually, I'm really not able to evaluate Vista, so I can't really form an opinion. I purchased an upgrade from Office Max, who warned me in advance that all software purchases are final. My intent was to play with an old laptop and test it there before I sacrifice a real machine to another Microsoft disaster. Unfortunately, the CD-ROM wouldn't be recognized, so it wouldn't upgrade. My only logical choices are that Microsoft sells crap or Office Max is selling counterfeits. Oh well, down $109 and not about to stand in line to bitch, because if it takes more than a couple of hours, I make more than that consulting.

So I went to my neighborhood computer builder and begged a copy of OEM Vista. I didn’t feel guilty because I am known as a computer builder and have already spent the first $109 to test Vista. Guess what? Down another $129 as that didn’t work either.

At least the shop took it back to offload on some other machine. Guess I'll have to wait until I purchase a cheap machine with Vista pre-installed.

So far, the so-called OOBE sucks. For those who don't know, OOBE is supposed to be that absolutely wonderful "Out Of Box Experience" you get when everything works.

Both copies came in boxes and both suck.

Windows Vista, Your First Class Ticket to Jail!

July 17, 2007

If Windows XP is your XP-ress ticket to jail, upgrading to Vista will make it a first class trip. This is really not an issue of security but of built-in indexing and recovery features that will keep deleted files longer and make undelete easier.

The good news is that the records of sites visited are so accurate that they will tell exactly how many times a site was visited and revisited. The defense of "I went there by accident and never went back" will be much weaker or stronger depending on the record. On the other hand, there will be no way to destroy the files or remove them from your computer short of the Lot's Wife approach advocated by the Fatsavage.

This means a mean-spirited prankster (or an enemy) can set you up with a trip to a kiddie porn site, and the honeypot will tag you at the same time that Vista documents the frequency of the visits. Since most corporate or school computers have a fixed identity or IP address for security, it's easy to find the user behind a network, and even easier for a home computer. There is no defense for more than one picture and frequent visits, so you had better learn to automatically secure your Vista computer when you are not at your desk and never let anybody surf on your Vista computer.

I think the best possible use of the new Vista features will be as a plot for a novel where a woman sets up her spouse with a one-way ticket to jail. When the husband is asleep and the kids are in bed, she surfs kiddie porn and then makes a show of deleting the files. Do this on a regular basis, then leave it live one night and call the cops in the morning. The record of the sites visited and the deleted pictures will still be there. The divorce is automatic and uncontestable, there are no custody issues and the husband is in jail. The more prominent or famous the husband, the more the ICE man from Customs will pursue the case.

In the future, will the paragraph above represent fact or fiction for the new Vista world?

SANS Lite – Definitely Worth the Money

July 15, 2007

A $99 SANS Security Course????

I have been using computers in one way or another since 1964. That's pretty incredible when I think about it. I have used the Wang desktop (1972), where you used a pencil to punch your cards and only one card was read at a time; I owned the Timex-Sinclair (1982), where the memory pack fell out when it moved and you lost all programming and data; and a Victor Programmable (1976) that used a credit card type device for programs and memory.

I have to admit that I've always had a casual attitude about security, as I've done it pretty much by instinct: I knew when my computers were sick and treated them. When I started to allow kids to access the net from my office and there were constant downloads and file sharing, my security got a little tighter, but it was still a casual effort.

Even putting a secure gambling machine online was not that tough, although it was never operated at high volume.

It was not until I got involved with tracking the ownership of kiddie porn sites that I got to feel the sting of Military Strength Malware. So now I've started to increase my knowledge. Over the years, I've spent thousands on computer books and online programming courses and also got a lot of information for free. Much has been excellent, although I must admit to a few unfinished courses and unread books that were not worth the time to complete.

So when I started seeking information on security, it was impossible to miss the SANS (SysAdmin, Audit, Network, Security) Institute, which was established in 1989 as a cooperative research and education organization. Now most of their courses cost thousands and take a week of your life, but on my last visit, in the middle of their online courses which still cost thousands, I noticed a $99 special which jumped out at me.

Now according to SANS, the Stay Sharp Computer and Network Security Awareness course is offered for the individual just beginning to explore computer security. They also warn that it might be a little elementary: "Please note: If you have a basic understanding of security concepts and basic technologies, please consider our more advanced offerings."

Now simply stated, this is the simplest, most useful, knowledge-packed course I have ever taken.

This thing is designed to protect the computer, the family and the individual. It describes simple-to-use DOS tools that I had never heard of and web sites that will check your machine for everything. I will be discussing some of these over the next few days because they are just too cool not to share.

If I had kids in the house, I'd take this course as a family project as an alternative to prime time television. It's amazing how easy it is to find out where Dad's been surfing, what the family credit card numbers are and who uses what for a password. As a matter of fact, when you find out how easy it is to hack yourself, you might spend a little more effort trying to defend yourself. I know I did. If I were a 12-year-old wannabe geek, I would definitely beg for this for Christmas.

I’m sure that the knowledge contained in this course can be used to protect the average family for all their surfing needs. I’m not sure anything can protect you when you get attacked by Military Strength Malware.

GhostSurf Sucks!

July 9, 2007

For the emotional rant against GhostSurf you can go to our sister site, fatsavage.wordpress.com. Here we will just cover the facts. In 20 minutes of surfing I got 6 cookies from 35 URLs, and there were 140 entries into cache memory including images. I got a bot which commandeered my machine and delivered 1.1 million files, which is 10 times my normal machine load. There was no way to erase these files, as delete, move and wash were overloaded by the sheer volume, and in 24 hours I never even dented the raw number of files.

Restore and renaming after restoring seemed to work but since this was my ultra secure machine, I didn’t think that was good enough.

The only way out was to wipe the drive and reinstall. I had to pay 35 dollars for GhostSurf to screw me like this. Hell, I'm pissed at the Feds for the evil crap they do to me, and they never screwed me this bad, but then the Feds are supposed to be the good guys.

netstat- Cool Tool!

July 8, 2007

I really don't know how I missed the netstat DOS command. I mean, all you do is head to your start menu and click Run. When the box pops up, type in Command, command or cmd. It just doesn't matter, as a black DOS window will open. Type in netstat -an and get your results. You can do it with your browser open or closed. Better yet, do it both ways. It shows you all the IP addresses that are open and the ports they connect to. With the browser closed, it will look something like the following:

C:\Documents and Settings\Compaq_Owner>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
TCP 192.168.0.101:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1100 *:*
UDP 0.0.0.0:1107 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:9370 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1099 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.101:123 *:*
UDP 192.168.0.101:137 *:*
UDP 192.168.0.101:138 *:*
UDP 192.168.0.101:1900 *:*

As previously discussed, 0.0.0.0 is a firewall bypass and port 0 is sort of a garbage port number which means give me any unused port to make the connection. IP 127.0.0.1 is a local server on my machine and IP 192.168.0.101 is my machine IP. Now the only really weird thing at this point is that I don’t have a known server on my machine and the local server IP does not show up on the Microsoft netstat example.
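Added example, not from the original post: a small Python script that parses "netstat -an" output and automates the before/after comparison described in Netstat Tricks above. The baseline is the listing above; the "after" snapshot is constructed, with the documentation address 203.0.113.10 standing in for the site's host.

```python
"""Parse Windows 'netstat -an' output and diff two snapshots (added example)."""
import re

# One socket row: proto, local ip:port, foreign ip:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per socket row; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lip, lport, fip, fport, state = m.groups()
            rows.append({"proto": proto, "local": (lip, lport),
                         "foreign": (fip, fport), "state": state or ""})
    return rows

def exposed_listeners(rows):
    """TCP ports LISTENING on 0.0.0.0 (the wildcard: every interface) or on the
    LAN address, i.e. reachable from the network unless a firewall blocks them.
    127.0.0.1 listeners only accept connections from the machine itself."""
    return sorted({int(r["local"][1]) for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["local"][0] != "127.0.0.1"})

def new_connections(before, after):
    """Connections present in 'after' but not in 'before'. A foreign address of
    0.0.0.0:0 or *:* means the socket has no peer yet, so those are ignored."""
    def conns(rows):
        return {(r["proto"], r["local"][1], r["foreign"], r["state"])
                for r in rows if r["foreign"][0] not in ("0.0.0.0", "*")}
    return sorted(conns(after) - conns(before))

# Constructed baseline: a subset of the idle-machine listing above.
BEFORE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    192.168.0.101:137      *:*
"""
# Constructed 'after' snapshot: the two HTTP connections a page load opens.
AFTER = BEFORE + """  TCP    192.168.0.101:1042     203.0.113.10:80        ESTABLISHED
  TCP    192.168.0.101:1044     203.0.113.10:80        ESTABLISHED
"""

if __name__ == "__main__":
    base = parse_netstat(BEFORE)
    print("exposed listeners:", exposed_listeners(base))
    for c in new_connections(base, parse_netstat(AFTER)):
        print("new connection:", c)
```

Run "netstat -an > before.txt" before loading the page and "netstat -an > after.txt" afterwards, then feed both files to new_connections to get the list of peers the page load opened; "netstat -a" can then be used to resolve their names.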

Next we can run "netstat -a" without the "n" in the DOS window in order to get the IP names and find out who's controlling the action. (Note: I wouldn't have identified the localhost operating if I had run this command alone.)

The results will look as follows:

C:\Documents and Settings\Compaq_Owner>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP Whatever:epmap Whatever:0 LISTENING
TCP Whatever:microsoft-ds Whatever:0 LISTENING
TCP Whatever:1026 Whatever:0 LISTENING
TCP Whatever:1025 Whatever:0 LISTENING
TCP Whatever:1027 Whatever:0 LISTENING
TCP Whatever:1032 Whatever:0 LISTENING
TCP Whatever:netbios-ssn Whatever:0 LISTENING
UDP Whatever:microsoft-ds *:*
UDP Whatever:isakmp *:*
UDP Whatever:1100 *:*
UDP Whatever:1107 *:*
UDP Whatever:4500 *:*
UDP Whatever:9370 *:*
UDP Whatever:ntp *:*
UDP Whatever:1099 *:*
UDP Whatever:1900 *:*
UDP Whatever:ntp *:*
UDP Whatever:netbios-ns *:*
UDP Whatever:netbios-dgm *:*
UDP Whatever:1900 *:*

All of these requests go from anywhere on my machine ("Whatever") through specified ports to pretty much anywhere (*:*) on any port. Less than half of these requests are identified Microsoft processes, and the rest can only be identified by a tedious port-by-port search. A good place to start is at http://www.grc.com/ and use their free ShieldsUP! product.

Now my machine is known to have a serious unremovable infection, and the port search shows the potential for several known Trojans and a Remote Administration Tool (RAT), but an external port scan shows that I am protected by my hard-wired firewall and Internet router, except for one closed port which flags my machine. I'm sure if I misbehave, it won't be much of a challenge for Carnivore to eat my firewall for lunch and actively monitor my activity. But for now, I guess I'm sort of in a state of remission with no active Trojans giving away information or planting evidence.