TaoSecurity Blog

My ISP is having some teething problems with its "upgrade." I needed a way to point my name resolutions for www.comcast.net to the one server they operate which is working, and not to the default server which isn't working. Following this tip I edited c:\windows\system32\drivers\etc\hosts: # Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client

While reading the BSDforums I learned of a new security checklist for FreeBSD 4.8 . You can read the thread behind this doc. It's a work in progress and may help out the FreeBSD security initiative at CISecurity .

Checking my Argus logs this morning, I noticed a few odd scans. The first is to port 2 TCP, which according to the Internet Storm Center is becoming popular : 16 Jun 03 03:12:08 tcp 24.96.49.46.4396 -> my_IP.2 TIM 23 Jun 03 07:59:05 tcp 220.120.31.233.4900 -> my_IP.2 TIM I'm also seeing scans to port 57 TCP , which has history dating to Oct 02 and Nov 02 and is a signature of a tool called FX-Scanner ( analysis ). Apparently port 57 is used as a host discovery mechanism. Here are three examples. First, recon for port 1433 TCP: 12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM 12 Jun 03 18:22:17 icmp 161.53.40.97 <-> my_IP ECO 12 Jun 03 18:23:04 tcp 161.53.40.97.1217 -> my_IP.1433 TIM 12 Jun 03 18:25:08 tcp 161.53.42.46.2036 -> my_IP.57 TIM 12 Jun 03 18:25:08 icmp 161.53.42.46 <-> my_IP.55 ECO 12 Jun 03 18:25:55 t

My TaoSecurity web site is down while my hosting provider upgrades its servers. Estimated returned to service is at least by Monday morning.

Les Cottrell maintains a comprehensive list of network monitoring tools . He responds to email if you'd like to suggest additions. CAIDA (Cooperative Association for Internet Data Analysis), lists tools also.

Looking for packet creation tools on UNIX? Nemesis and Hping have been around for three years, while Packit is a newcomer from earlier this year. You can find the FreeBSD ports for all of these at FreshPorts . Others exist but these are some of my favorites. I've used IPSorcery on Linux. Windows users can check out Komodia and lcrzoex (which also runs on UNIX).

Anton Chuvakin wrote this blog entry profiling my blog. Thanks Anton! Also, his blog made me aware that the former Psionic tools (acquired by Cisco in Oct 02) are available at Sourceforge . Cisco makes some of the tools available on their site, like Cisco Threat Response (formerly Clear Response), mentioned by Craig Rowland .

Wondering how long your copy of Windows NT 4.0 will be supported? Visit the Microsoft Lifecycle site. Look here for the quick answer.

Time to learn IPv6 . According to this article : "John Osterholz, director of architecture and interoperability for the Department of Defense, told a gathering of technology elite that the DoD would phase out purchases of IPv4 network technologies by this fall and would instead begin trials of equipment and applications based on the new IPv6 protocol for the Internet within 30 days."

The 2003 Recent Advances in Intrusion Detection (RAID) conference will be held in Pittsburgh on 8-10 Sep 03. Word on registration is forthcoming.

If you want to learn more about FreeBSD, visit Chucktips , which looks like Slashdot and is newbie-friendly.

Although I prefer to use FreeBSD's package system, I recommend Linux users visit FreshRPMs.net or RPMfind.net for their RPM needs. If you need to install Linux software from source, but want to manage the code like an RPM, try CheckInstall .

IOGEAR has two products I need. The first is a combination Firewire and USB 2.0 CardBus adapter . The second is the COMBO ION™ drive is a 2.5” hard drive enclosure . Both are useful when doing host-based forensics.

I'm always looking for new ways to handle network traffic. I noticed that the OpenBSD Packet Filter offers scrubbing . This builds on the concepts discussed by Mark Handley and Vern Paxson , discussed at Slashdot . PF's "random-id" option should defeat Steve Bellovin's technique for counting NATed hosts . Peter Phaal of InMon wrote Detecting NAT Devices using sFlow , which relies on counting TTL values to detect NAT hosts. pf's "min-ttl" feature might obscure that tactic, according to another Slashdot thread.

Want to play on a FreeBSD box? Check out OpenRoot , "a FreeBSD 4.8-stable box in which root access is given to everyone... OpenRoot is essentially a virtual machine (a jail in FreeBSD terminology) running ontop of FreeBSD." You can access openroot.no-ip.org on ports 30 and 31 TCP using secure shell. Log in as user 'openroot', password 'openroot', and then 'su -' with no password. However, it doesn't appear that 'root' users have a full working environment: openroot# ping www.google.com ping: socket: Operation not permitted openroot# w 12:40AM up 1 day, 14:13, 1 user, load averages: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE WHAT w: proc size mismatch (8480 total, 1064 chunks): No such file or directory openroot# last | head openroot ttyp0 86.84.139.55 Fri Jun 27 00:39 still logged in openroot ttyp0 80.128.117.2 Fri Jun 27 00:17 - 00:23 (00:06) openroot tt

I plan to roll out new firewall and network security monitoring platforms for my home lab network. For the firewall, I'm considering an "embedded" BSD solution, like OpenSoekris , m0n0wall , or m0n0BSD , which run on the popular Soekris ( mailing list ) embedded computers, like the net4501 and the new net4801 . I like these motherboards because they're equipped with three NICs. Other Soekris-based projects include FreeBSD wireless router ( more info ), theWall , Linux Embedded Appliance Firewall , linux4501 , Personal Linux Router Project , and Debian on the net4501 . The OpenBrick project exists, although the Mini-ITX community seems to have more support, along with vendors like LinITX and Ultim8PC . This CompactFlashTM Type II Card Adapter looks useful. For the NSM box, I'm considering a Shuttle SB52G ( support , review ) with Intel 845VG chipset and FB52 motherboard sold by ExcaliburPC , NewEgg , and Knowledge MicroExpress . Crucial sells mem

Interested in by-passing access control, or understanding how it's done in order to monitor it? Check out dcphonehome , run by my friend Aaron Higbee , or Gray-World .

Consider all of the commercial IDS appliances built on the Snort detection engine: Sourcefire Network Sensor Silicon Defense Sentarus PacketAlarm StillSecure Border Guard ; check the FAQ -- they run Snort but hide it well Argus 1000 ; no relation to the one true Argus FidelisSec CyberHound Snort isn't the only open source IDS engine in town. Check out Shoki or Tamandua .

In Jan 03 I noted the SecurityFocus vulnerability database didn't seem to include exploits anymore. Yesterday I was searching for Windows XP vulnerabilities for a class and found one example where exploits were available.

Just when you thought network monitoring couldn't get any cooler -- I learned WinPcap ( mailing list ) version 3.0 support Remote Capture . "This is an highly experimental feature that allows [you to] interact [with] a remote machine and capture packets that are being transmitted on the remote network. This requires a remote daemon (called rpcapd) which performs the capture and sends data back and a local client that sends the appropriate commands and receives the captured data." What is even cooler -- "The [Remote] daemon [rpcapd] can be compiled and it is actually working on Linux as well." This sounds similar to SVtun . I couldn't get remote capture to work with Analyzer ( Sourceforge site ) by the WinPcap team, even though it natively supports remote capture.

Thomas H. Ptacek, who co-authored a slightly famous paper on IDS several years ago, wrote me regarding his company's product, Peakflow X . According to their press release , the system profiles network traffic and complements traditional signature-based IDS: "Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, shoul

The June 2003 Information Security Magazine offered some great reading too. It reminded me of a Gartner statistic saying between 60 to 70 percent of Windows Server users run NT 4 . Writing about his experience taking the CISSP exam, Andrew Briney nails the problem with CISSP questions : "There's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive. Evasive: that's the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you. It's because of these questions that you won't have an intuitive sense if you passed the exam. And it's because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they're the ones that stick in your craw as you walk out the door." I learned while reading Thomas Ptacek's

The June 03 SC Magazine offered several excellent articles. Peter Stephenson discusses new forensic certifications , like the Certified Information Forensics Investigator (CIFI). (If you qualify by 31 Dec 03, you might be able to grandfather the cert without sitting for the test.) The same issue featured a case study called Tracking Down Cybercriminals . Unfortunately, SC Magazine quotes an Addamarkl survey saying "companies are unwilling to prosecute hackers, even when they have enough evidence for legal action. Information security departments said they preferred to fix the damage or use forensic evidence to achieve a settlement with the wrongdoer, rather than opt for legal proceedings." This is too bad, as an article by Mark Doll of E&Y discusses the effect of security incidents on share prices. In short, within three days of X, share prices dropped by Y: "significant security breach": 5.6%, or $15-$20 million on average "theft of credit ca

I'm trying to find products which can intelligently analyze network traffic to supplement traditional intrusion detection products. I'd like to get a look a Silent Runner , which offers visualization and analysis tools. Lancope Stealthwatch calls itself a "behavior-based IDS" which analyzes flows to identify anomalies. Incidentally, if you're looking for a giant list of IDS and other security products, visit Talisker's Network Security Resource . SPADE , the Statistical Packet Anomaly Detection Engine for Snort, is available but I have yet to try it.

After last week's bad press at Fortune and Slashdot , some good press for Foundstone. Network Computing likes Foundstone's 2.6 scanner -- and hasn't seen 3.0 yet. This job request looks fake to me.

The SANS and Neohapsis Security Alert Consensus told me of the settlement between Guess and the FTC . From the article: According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other

A captain I worked with in the AFCERT several years ago, Carl Grant, published Transforming the U.S. Air Force Enterprise Network in the latest IA Newsletter . Carl talks about the AFNOSC, which was also discussed in this testimony by the Air Force CIO John Gilligan.

I installed FreeBSD 5.1 REL on my IBM Thinkpad a20p this afternoon. I finally have X working on a FreeBSD system "out of the box" -- more or less. X couldn't auto-configure my card, but I was able to do it manually. Once I was done installing XFree86 4.3 I installed KDE 3.1. I copied the .xinitrc (just a text file with 'exec startkde' from root's home directory to my user directory.) Here's my X config file: -bash-2.05b$ cat /etc/X11/XF86Config Section "ServerLayout" Identifier "Layout0" Screen 0 "Screen0" 0 0 InputDevice "Keyboard0" "CoreKeyboard" InputDevice "Mouse0" "CorePointer" EndSection Section "Files" EndSection Section "Module" # Load "freetype" # Load "xtt" Load "extmod" Load "glx" Load "dri" Load &quo

It does not pay to live in the US and compromise Air Force systems! From this article : An 18-year-old hacker who breached computers at Sandia National Laboratories and posted an anti-Israeli message on the Eglin Air Force Base Web site was sentenced Thursday to a year and a day in federal prison. Adil Yahya Zakaria Shakour also was ordered to pay $88,253 in restitution, and his computer use was restricted during the three years he will spend under supervised release after his prison term. Shakour, a Pakistani national who lives in Los Angeles, pleaded guilty in March to computer and credit card fraud charges.

I wrote this post yesterday in response to a question on how to mirror interfaces for combining tap outputs.

A colleague informed me of the Microsoft Patterns and Practices site, which offers book-length treatises on many subjects. The latest is Improving Web Application Security: Threats and Countermeasures .

While reading comp.dcom.sys.cisco , I found a thread discussing licenses for Cisco IOS. This abbreviation of Cisco's software transfer and licensing policy states "owners of Cisco products are only allowed to transfer, re-sell or re-lease used Cisco hardware and not the embedded software that runs on the hardware." One option for licensed use of Cisco gear at reduced prices is buying refurbished equipment , sold by authorized resellers , and getting a SMARTnet support contract to access parts of Cisco's software center . There seems to be no shortage of Asian sites offering IOS, although I suspect Trojaned versions might appear in those listings. This thread includes a lengthy post by Ted Mittelstaedt explaining how Cisco discourages eBay purchases of Cisco gear.

Read Marty Roesch's response to the uninformed claims of Gartner, Inc. . From the Gartner press release: According to the Gartner, Inc. (NYSE: IT and ITB) Information Security Hype Cycle, IDSs have failed to provide value relative to its costs and will be obsolete by 2005. From Marty's response: Let me get this straight… better access control will completely remove the need for auditing? Auditing functions are a fundamental part of providing defense in depth in any security environment. Do they not understand this or, perhaps, have the economic challenges for industry analysts led them to the point where citing the outrageous is a competitive necessity?

Kevin Poulsen published an article on stealing network address space . From the article: Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.