TaoSecurity Blog

I just completed and uploaded a new installation guide .pdf for version 0.2.5 of Sguil . I included a new complete archive which provides everything you need to get Sguil running on a Red Hat 7.3 system. I also learned of this article posted on 29 July about installing Sguil on FreeBSD . I hope to incorporate this into the main Sguil guide once I try it out for myself. That was preceded by this BSDVault post .

An Eagle Scout candidate 's service project is being used to assist security measures at Chicago's O'Hare airport: "[T]he homemade devices in use at O'Hare, and similar ones elsewhere, are an optional, preliminary step to let passengers know whether their shoes will trigger alarms if they don't remove them and send them through the X-ray machines before walking through checkpoints... Inside each box is a wand, or small metal detector, held up with bungee cords. The box sounds an alarm if there's a violation. "

Amazon.com just published my 4 star review of Linux on the Mainframe . From the review: "Server consolidation" is the latest buzzword for downsized IT staffs. Many believe this means reducing the number of Windows servers running on Intel hardware. "Linux on the Mainframe," (LOTM) written by experts from IBM, offer an alternative: virtualization on the IBM zSeries and S/390 mainframes. Virtualization is the process of running dozens or hundreds of operating system "images," each of which thinks it is running on dedicated hardware. LOTM explains the improvements in reliability, availability, and serviceability from implementing this sort of system.

Beware using public Internet kiosks. CNN warns of a criminal who collected usernames and passwords at Kinko's stores: "For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords. Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes. He captured more than 450 user names and passwords, and used them to access and open bank accounts online."

Attending Black Hat next week? I will be teaching the first day of Foundstone's Ultimate Hacking Expert class at Black Hat Training in Las Vegas on Mon 28 Jul 03. Stop by and say hi. I'll be there both days but very busy on Monday.

I recently referenced this article on The Evolution of Intrusion Detection Systems by Paul Innella. It links to historical papers dating back to the 1980s and gives a foundation for the modern systems in use today.

I use VMWare for a variety of testing and research reasons. We used VMWare in Lenny Zeltser's class, mentioned below. I noticed VMWare offers webinars , which introduce clients to their products. Numerous VMWare newsgroups are archived at Google.

The Full-Disclosure mailing list has been a good source of information about the recent Cisco IOS vulnerability . This post links to working exploit code and shows how it works with sample data from a router.

CERT announced a new CERT®-Certified Computer Security Incident Handler certification. A combination of coursework at CERT, a college course, three years' experience, a letter of recommendation, and passing a test results in earning the cert.

I just finished day two of Lenny Zeltser 's Reverse Engineering Malware course at SANSFIRE 2003 . The class was excellent, with hands-on use of trial versions of IDA Pro to disassemble and Ollydbg to debug a bot ( download -- beware!). The course combined passive analysis of the binary with active analysis of its behavior and its posture in memory.

As a network security monitoring analyst, I'm always looking for better ways to inspect network traffic. I recently learned of a product by Palisade Systems called PacketHound which "is a network appliance that allows system administrators to block, monitor, log, or throttle LAN access to an expansive list of unproductive or potentially dangerous protocols and applications." I'm happy to see that "PacketHound is an Intel-based PC appliance running FreeBSD and containing one or more 10/100 or Gigabit Ethernet NICs." ( FreeBSD is my favorite OS, and is popular in many network inspection appliances.) The best selling point of PacketHound is its inspection method: "PacketHound passively scans TCP packets for the characteristics that match the protocols it is designed to monitor and block. Conventional approaches to monitoring and blocking rely on blocking TCP ports -- for example, Gnutella typically uses port number 6346 -- so a firewall would block

Want to become an "F8 monkey?" My friend Bamm Visscher released sguil 0.2.5 yesterday. Sguil is an interface to the Snort intrusion detection engine. By combining Snort with other code, it brings Snort closer to being an implementation of "network security monitoring," and not simply "intrusion detection." Bamm has made a demo Sguil server available . Here's a step-by-step guide to installing the Sguil client on Windows, so you can access the Sguil server at Bamm's office. 1. Download and install the latest version of ActiveTCL . Below you see I downloaded the ActiveTCL 8.4.3.0 Windows package. I installed it in "C:\Program Files\tcl". 2. Next, download the sguil-client-0.2.5.zip archive from Sourceforge : 3. Extract the contents of the .zip file. I extracted mine to "C:\Program Files\sguil". Once on your hard drive, edit the sguil.conf file located in the "C:\Program Files\sguil\sguil-0.2.5\client\" direc

Amazon.com just published my reviews of two new Snort books. I gave Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID three stars: "Intrusion Detection with Snort: Advanced IDS, etc." (IDWS) was the second of this year's intrusion detection books I've reviewed. The first was Tim Crothers' "Implementing Intrusion Detection Systems" (4 stars). I was disappointed by IDWS, since I have a high opinion of Prentice Hall and the new "Bruce Perens' Open Source Series." (I'm looking forward to the book on CIFS, for example.) IDWS read poorly and doesn't deliver as much useful content as the competing Syngress book "Snort 2.0." I gave the much better Snort 2.0 four stars. This book will appeal more to programmers than to casual Snort users: "Snort 2.0" offers content not found in other books on Snort, such as Tim Crothers' more generic "Implementing IDS"

Two years ago today I posted the first public warning and sighting of the Code Red worm. My analyst LeRoy Crooks detected it on the afternoon of Friday 13 Jul 01, and brought it to my attention. I posted my message on 15 Jul 01 and the worm hit full force on 19 Jul 01. In happier new, according to Netcraft , "nearly 2 Million Active Sites [run] FreeBSD. . . Indeed it is the only other operating system [besides Windows and Linux] that is gaining, rather than losing share of the active sites found by the Web Server Survey."

Microsoft released MS03-024 : Buffer Overrun in Windows Could Lead to Data Corruption (817606). From the technical details, "By sending a specially crafted SMB packet request, an attacker could cause a buffer overrun to occur. If exploited, this could lead to data corruption, system failure, or—in the worst case—it could allow an attacker to run the code of their choice. An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw." I wonder of this is one of the vulnerabilities mentioned by Jeremy Allison of the Samba team on Slashdot last April?

After perusing The Design and Implementation of the 4.4 BSD Operating System (Addison-Wesley, 1996) in the bookstore recently, I asked Kirk McKusick is he was working on a new edition of the book. He graciously replied: We have just started working on a new edition of the 4.4BSD book to be called ``The Design and Implementation of the FreeBSD Operating System''. It will be based on the 5.X version of FreeBSD. It is to be published by Addison-Wesley and we hope to have it out in mid to late 2004. I am really excited by this development. Several cool FreeBSD books have been published recently, like Absolute BSD and the The Embedded FreeBSD Cookbook . I can't wait to read the new McKusick book -- maybe by next year I'll be ready for it!

Slashdot informed me of a New York Times article (free registration required) titled Hackers Hijack PC's for Sex Sites . Don't miss this post which offers some technical details which appear reasonable.

While perusing the Focus-IDS mailing list I read this great thread on the use of taps for IDS , started in Dec 2001. (Did you know TAP means Test Administrative Port ?) The question of how to combine the two output streams from a tap became an issue. "Real" taps like the Finisar UTP IL/1 below or the TopLayer Fast Ethernet Copper Tap have two inputs and two outputs: With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc. , makes a tap with a single output: There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops! TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream re

Windows rootkits are all the rage these days. SecurityFocus offered this article last March. Today I learned of the yyt_hac rootkit . Greg Hoglund runs rootkit.com . Hacker Defender , HE4Hook, NT Rootkit , and AFX Rootkit exist too.

I'm constantly on hostile networks, and I'm considering buying a Linksys USBVPN1 "firewall on a token" USB-based NIC. I don't trust software-based firewalls on Windows boxes, so I think this device might be useful.

The Honeynet Project just posted a fascinating paper on credit card fraud via IRC. Lance mentioned this in his recent SANS webcast . Given the date of the "assessment" is 6 Jun, and the paper was released yesterday, it's possible he informed law enforcement and gave them time to exploit the Project's findings before going public.

For the latest in the security world... check out johnny.ihackstuff.com , especially the googledorks site. U Illinois published a guide to reverse engineering software . Microsoft published Incident Response: Managing Security at Microsoft . I found Brian Carrier's Sleuth Kit Informer , a monthly newsletter on his forensic tools, informative. I was happy to see the good guys grab the cyberangels.nl domain, and received my first email screened by the Active Spam Killer . I was sad to read this dissertation on modelling critical infrastructure could be a "security threat." Fellow Foundstoner Dave Wong informed me of some cool wireless sites, including Hyperlink Tech , Demarc Tech , Socket Communications , and Cantenna .

I continue to explore ways to do network security monitoring. I've seen a few interesting posts in the TCPTrace archives , comp.dcom.net-management and mailing.unix.net-snmp and read references to the application monitor Zabbix , the graphical monitor Moodss , the Network Management Information System , and Big Brother mods . I'm giving up on using RMON2 and NetScout as I can't duplicate a production environment using low-cost used equipment. I might give LanStat a try.

I'm building a new test lab. To start, I needed a lot of Cat 5 cables of specific lengths and colors. Cat5Net.com 's handy order form lets you specify just what you need, and their customer service is excellent. Next I wanted a new FreeBSD network management station, so I bought a used Dell Poweredge 2300 . For experience with commerical UNIX boxes, I acquired (all used) a Sun Ultra 30 ( AnswerBook ; I needed a floppy and video adapter ) an 7043-150 IBM RS/6000 Model 150 ( hardware info ) to run AIX 5L Version 5.2 ( good AIX site , patches , and support for open source software ), and an HP Visualize B2000 to run HP-UX 11i ( software news , informal HP box timeline , floppy woes ). ( Linux is an option too! I feared I needed an adapter like this for HP's EVC -enabled DVI connector, but didn't need one.) Resellers include NORCO , Southwest Computer Solutions , AnySystem , and Elarasys .) Video standards helped me know I could connect, using adapters, to

I recently bought a Cisco 2651XM router ( docs ) and a Cisco Catalyst 2950T-24 switch ( docs ) from Black Hat Networks of Arlington, VA. I'd like to administer them and centralize logging without using the main data-carrying network. I looked at Cisco's Cabling Guide for Console and AUX Ports and considered administering the devices via serial cable to the console ports and sending the logs via other interfaces. (An explanation of the difference between console and AUX is here . Question 137 in the Cisco FAQ is helpful.) The 24 port switch has plenty of extra interfaces to use, so I think I can dedicate one port to a separate "logging network." The router doesn't have an extra interface, but it does have its AUX port. Cisco offers this Connecting a SLIP/PPP Device to a Router's AUX Port PDF. A Google search found this post , which considered doing something similar, with log messages sent to a printer. (Even printers can be attacked .) Other

I was wondering if I would need a special cable, perhaps Cat 5e or 6, to operate at gigabit speeds when connecting the gigabit ports of my monitoring platform and switch. It turns out that Cat 5 happily supports gigabit speeds. This article provides a useful summary.

I just listened to today's Top Three Advances in Honeynet Technology . Lance Spitzner was interesting as always. He announced a 3 minute video (45 MB) describing the Honeynet Project . It's fun watching "Sonja Johnson" and her DefCon shirt run around until she's captured in a corporate data center.

I'm testing a new Intel PRO 1000 MT gigabit NIC on a FreeBSD 5.0 REL box. The box already has a separate NIC with a 192.168.1.x address. I wanted the gigabit NIC to also have a 192.168.1.x address. However, when bringing up a second interface on the same subnet as an existing interface, you have to tell FreeBSD which interface to use for broadcasts. In other words, the second interface can't have the default netmask for the subnet. This was confirmed in this helpful post . To bring up the first (primary) interface: ifconfig ed1 192.168.1.100 netmask 255.255.255.0 up To bring up the second interface: ifconfig em0 192.168.1.101 netmask 255.255.255.255 up Now both work properly.

Slashdot featured a BBC story on the "Super Zonda" spammers. I modded up this post because it gives technical details missing or misleading in the original article.

The Register reminded me that California's new security disclosure law became effective today. If you store data from customers in California, watch out. Here's an AP story , and here's a CNN story on a nationwide bill introduced last week. Managers understand the need for physical security, to lock doors and windows and install monitoring cameras. When will digital security be truly appreciated, with people, processes, and products allocated appropriately? Maybe when they're charged "up to $5,000 per violation, or up to $25,000 each day." Ouch.

I'm looking for ways to archive entire 9.1 GB hard drives to DVD media. I've seen advertisements for 9.4 GB media . First, I learned the "GB" in "9.4 GB" doesn't really mean the "gigabyte" we grew up knowing. We learned in math or science class that a kilobyte wasn't 1000 bytes. It was (note the "was" -- I'll explain below) 2^10, or 1024^1, or 1024 bytes. A megabyte was 2^20, or 1024^2, or 1,048,576 bytes. A gigabyte was 2^30, or 1024^3, or 1,073,741,824 bytes. According to the NIST Reference on Constants, Units, and Uncertainty , these definitions have changed: kilobyte = 1000 bytes megabyte = 1,000,000 bytes gigabyte = 1,000,000,000 bytes We have new terminology for the "prefixes of old": kibibyte (kiB) = 1024 bytes mebibyte (MiB) = 1,048,576 bytes gibibyte (GiB) = 1,073,741,824 bytes For example, discs advertised to be 4.7 GB are actually 4.7 billion bytes, or 4.37 "old GB." (Hard drive manuf