Thursday, January 27, 2005


I just wanted to put in a little plug here for my other blog, InfosecBooks.Com. I read security books, then I let you know what I think about them. If that sounds good to you, drop by sometime.

Tuesday, January 25, 2005

Detecting TOR on your network

I've written about the TOR anonymizing TCP proxy before, and in general I think it's quite a useful tool. There are a lot of situations where you might legitimately want to obfuscate your true online identity and/or prevent your ISP from keeping track of what you access over the Internet. TOR is really good for these sorts of things, and is a cool project, to boot.

There are some situations, though, in which using TOR (or any other similar service) is not appropriate. One such situation is when your Acceptable Use Policy forbids it, as is probably the case for many people using their employer's LAN. If you're a network administrator and you need to monitor TOR usage, you can try the following Snort rule I cooked up:

alert tcp any any -> $HOME_NET any (msg: "TOR 1.0 Proxy Connection Attempt"; content: "TOR"; content: "<identity>"; within:30; classtype:policy-violation; resp:rst_all; sid:5000030; rev:1;)

This should alert you any time the TOR proxy attempts to create a connection to the rest of the TOR network. As written, this rule also makes use of Snort's "flexible response" feature to try to shut down the connections as they are established. This isn't entirely effective, but it seems to work about 80% of the time for me, which at least makes TOR really annoying to use. If you prefer not to take action, delete the part that says "resp:rst_all;".
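To see what the two content matches in that rule actually accept and reject, here is a small Python model of the `content:"TOR"; content:"<identity>"; within:30;` logic run over constructed sample payloads. This is an added example, not the blog's code or Snort itself; the Snort semantics it assumes are that a bare `content` is searched anywhere in the payload and that `within:N` requires the next content to end no more than N bytes after the end of the previous match.

```python
"""Toy model of the Tor rule's content/within test (added example, not Snort).

Assumed Snort semantics: `content` is searched anywhere in the payload;
`within:N` means the next content must lie entirely in the N bytes that
follow the end of the previous content match (default distance 0).
"""

FIRST = b"TOR"          # first content option in the rule
SECOND = b"<identity>"  # second content option in the rule
WITHIN = 30             # within:30


def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """True if `second` sits entirely inside the `within` bytes that follow
    some occurrence of `first`. Every occurrence of `first` is tried, so a
    false positive on an earlier "TOR" does not hide a later real match."""
    start = 0
    while True:
        i = payload.find(first, start)
        if i < 0:
            return False
        end_first = i + len(first)
        window = payload[end_first:end_first + within]
        if second in window:
            return True
        start = i + 1  # retry from the next occurrence of `first`


def tor_rule_matches(payload: bytes) -> bool:
    """The payload-inspection half of the rule (no direction/port checks)."""
    return content_within(payload, FIRST, SECOND, WITHIN)


# Constructed sample payloads (not real captures). The first imitates an
# X.509 subject with O=TOR and CN=<identity> as seen in old Tor TLS
# handshakes; the other two show the two ways the rule stays quiet.
SAMPLES = {
    "tor_cert_like": b"\x30\x0c\x06\x03U\x04\x0a\x0c\x03TOR"
                     b"\x31\x13\x30\x11\x06\x03U\x04\x03\x0c\x0a<identity>\x30\x1e",
    "too_far_apart": b"TOR" + b"A" * 40 + b"<identity>",  # 40 > within:30
    "benign_http": b"GET /TORONTO/weather HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample against the rule."""
    return {name: tor_rule_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:14} -> {'ALERT' if hit else 'no match'}")
```

The `too_far_apart` case is the one worth noticing: both strings are present, but the rule only fires when `<identity>` ends within 30 bytes of `TOR`, which is what keeps "TOR" inside unrelated text like "TORONTO" from alerting on its own.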

Thursday, January 13, 2005

More on the T-Mobile/Secret Service connection

This story sheds a little more light on how the T-Mobile hacker was able to access Secret Service documents. It seems that one of their agents made a habit of forwarding files to his T-Mobile email device so he could access them while traveling.

The article downplays the problem and makes it sound like it wasn't a big deal. The handheld contained "very limited investigative material" and "no government investigations were compromised." However, the article also quotes court records as stating that the files contained "highly sensitive information pertaining to ongoing ... criminal cases." This apparent contradiction seems to indicate that someone in the USSS is either willfully over- or under-stating the case.

The agent in question, by the way, says he was cleared of any wrongdoing in an internal USSS investigation. He has since voluntarily resigned to work in the private sector.

Wednesday, January 12, 2005

T-Mobile pwn3d & Shame on the US Secret Service

The Register has a shocking story about a major security breach at T-Mobile. Apparently they learned in July 2004 that an intruder had wormed his way into their customer database and had easy access to a wide variety of information, including names, addresses, dates of birth, social security numbers, web usernames and passwords, email and cameraphone snapshots.

Ok, so shame on T-Mobile for keeping this quiet so long, but the more shocking part is that the US Secret Service fell victim to this. Here's a paragraph from the article:

On 28 July the informant gave [the Secret Service] proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy. He had obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation. Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases".

What the heck is the Secret Service doing sending "sensitive documents" over T-Mobile, anyway? Shouldn't a law enforcement agency so heavily involved in computer crime investigation know better than this?

Tuesday, January 11, 2005

How to make Windows event logs less chatty

If you haven't seen it already, head over to the Windows Security Logging and Other Esoterica blog. It's pretty new, and so far has addressed several things I've always hated, wondered about or both. The most recent post is about how to tune your event logs so you don't get swamped with crap you don't care about.

Wednesday, January 05, 2005

Searching PCs without a warrant

A Washington state appeals court issued a ruling today that allows the owner of a computer system to give law enforcement officers permission to search or seize a PC. This means your employer can, in most cases, grant this permission without your consent. See the story here.

Overall, this is probably a good thing for us as investigators and security professionals. I am no lawyer, but I'd still cover my butt with a suitable disclaimer at login time if I were you. And who knows, warning your users upfront that you're able to monitor them may just prevent them from doing something regrettable in the first place.

Tuesday, January 04, 2005

Screenshots of the new MS Anti-Spyware App

has published some screenshots of Microsoft's new anti-spyware application. This is based on the software they acquired when they bought Giant recently. I'm not familiar with the predecessor product, but the new screenshots look promising. Can't wait until it's released and some reviews start rolling in. How will it compare to Ad-Aware or Spybot?

While I'm on the subject... who's got a better name for this sort of thing than "anti-spyware"? That sounds so clunky, and doesn't roll off the tongue quite like "anti-virus".