Friday, 8 August 2008

What is Legal Juristiction?

Jurisdiction (or the location where a case may be heard) can be a big issue on the Internet. In a contractual negotiation where the client is in country A and the web server is in country B, the case may be heard in A or B based on whether the transaction was business to consumer (B2C) or business to business (B2B).

Where a contract was a B2C negotiation, the consumer can sue that business in the courts of his own country (justified as a consumer is likely to lack the required resources to bring suit overseas).

In B2B disputes, the court used for the dispute is that of the country in which the defending party is based.

Enforcement is another issue. Just because a party in a B2C case has won damages, it does not mean that there will be an international treaty to enforce the judgment.

Thursday, 7 August 2008

What is an INVITATION TO TREAT in contracts?

An invitation to treat is distinct from an offer in that it is an indication of one parties willingness to negotiate a contract but not the acceptance thereof.

Two examples of an invitation to treat are:

  1. A tender requesting proposals to be lodged.
  2. Goods being offered for sale in a store window.

In point 2, the store is not obliged to sell the goods to anyone who is willing to pay for them, and may refuse custom.

What is a CLICK-WRAP contract?

Click-wrap contracts are functionally the same as the shrink-wrap method in software licenses and other product offering, bar being in the digital world. A click-wrap contract allows the purchaser to read the terms of the agreement before accepting the product.

"Click-wrap" followed from the use of "shrink wrap contracts" in physical software and media purchases (such as CDs and DVDs). The inclusion of a notice that states “by opening the packaging you have agreed to the terms” results in the purchaser being legally bound to the terms of the license or contract.

Wednesday, 6 August 2008


Non-repudiation is the process of ensuring that a parties to a transaction cannot deny (this is repudiate) that a transaction occurred.

Repudiation is an assertion refuting a claim or the refusal to acknowledge an action or deed. Anticipatory repudiation (or anticipatory breach) describes a declaration by the promising party (as associated with a contract) that they intend to fail to meet their contractual obligations.

Tuesday, 5 August 2008

Netcat as a Honeypot

Acting as a virtual server or honeypot

Netcat can simulate any TCP or UDP service, the binary ones are far more compliacted, but are still possible. IF we take the simple example of a Web server that we wish to create as a honeypot, the process is to serve a page and log the results.

Make a webserver:
while true; do nc -l -p 80 -q 1 < /tmp/index.html; done

Then you could log the netstat and other packets, setup snort etc. Or you could integrate logging.
cat { while read; do echo "`date` > $REPLY">> log.txt; echo $REPLY; done; } nc -l -p 80 -q 1 < /tmp/index.html { while read; do echo "`date` < $REPLY" >> log.txt; echo $REPLY; done; }

Add a proxy or client header and fool simple systems:
# nc 80 GET / HTTP/1.1Host: google.comUser-Agent: Mozilla Version 2800.1 (one day)Referrer:

Make a log with times etc and the script needs to be spawn - but the idea is there.

This can be done for nearly any service or port, but of course there are simpler ways to do this.

Monday, 4 August 2008

Determning DNS Version

There are several ways to determine the version of a DNS server. The more common ones include NSLOOKUP and DIG.

  • nslookup -q=txt -class=CHAOS version.bind [DNS Server IP or name]
  • dig -t txt -c chaos VERSION.BIND

Each of these are essentially the same. They query the version ID of the server (if it has not been altered or deleted. Changing this is a simple exercise in BIND, though few servers have been thus secured.

A more complex way of doing this (where access to either DIG or NSLookup have been restrited) can be achieved in the following script:

which_dns() {
printf 'begin-base64 644 -\np8IBAAABAAAAAAAAB3ZlcnNpb24EYmluZAAAEAADCg==\n===='
uudecode nc -uw 1 $1 domain strings tail -1; }

This is run as follows:

  • which_dns [DNS Server IP or name]

Ths simple function is useful in testing systems. If access to a shell can be obtained, tests through a firewall could provide information from the servers inside the DMZ or internal network. These systems are commonly not well secured and access to a script such as the previous one can be invaluable in systems testing.

Another way

The methods listed initially all require that the DNS server administrator has not changed the version number. Good practice calls for this to be changed. In my presentation at CACLS (Sydney) 2008 in September for ISACA, I am addressing some new ways of determining versioning.

Using a combination of Neural networks and Random Forest algorithims, I have created a test engine for DNS. The NMAP and PoF databases where used are an initial feed. This data was tested with many of the versions of DNS (both BIND and Windows). This led to a multilayer perceptron that can determine the DNS version even when the versioning information is disabled.

This method can be used to find server versions using standard calls to the DNS server. This appears as standard traffic to the server and does not register as an attack.

I also used this in the DNS paper I am publishing later this month.

Unfortunately, what this demonstrated is that some of the higher level DNS servers are not patched. One of the com servers in particular was very poorly patched when tested. A strong reliance on obscurity through hiding the version information has led to a state of apathy.

This leaves us all vulnerable.