Sunday, August 31, 2003

Shoki, the Alternative Open Source IDS

We all know how popular Snort is as an open source intrusion detection event generation engine. Have you ever heard of Shoki? I've known about it for a while, but will researching I found it seems to be progressing nicely. The latest release dates from May 2003. I'm probably most interested in the project's packet visualization tool, Hustler, from which the screenshot at left is taken. It looks like it doesn't just accept libpcap data, but must work with Shoki. It looks like Shoki is near the same phase as Sguil -- still rough, with some operator knowledge needed to get the system running.


Another open source IDS vying for its place in the sun is Tamandua. Version 2.0 was released in June 2003. It may be a good tool (I haven't used either Shoki or Tamandua), but I'm reluctant to try Tamandua. Most of the presentations are in Portuguese, and the project seems to be the offshoot of a commercial company.


At some point I'd like to have the skills necessary to turn projects I like into FreeBSD ports. That way, I can install, manage, and run them easily on my favorite operating system.

Ohio University Offers Excellent IDS Resources

While doing research for my book Real Digital Forensics I visited the home page for the network session data generation tool TCPTrace. I learned that a new manual was released last week. I also learned that Ohio University supports an IDS project called INBOUNDS. Their publications page is very impressive, since they host their students' theses and copies of some of the most important IDS documents of the last decade. I look forward to seeing Manikantan Ramadas, Shawn Osterman, and Brett Tjaden present their paper next week at RAID 2003 (Recent Advances in Intrusion Detection) in Pittsburgh.

Running Snort On a Linksys Wireless Access Point

I read at Snort.org how Jim Buzbee figured out how to run Snort on his Linksys WAP. This is no joke. The folks at Seattle Wireless discovered the Linksys WRT54G runs Linux kernel 2.4.5. Through a bug they investigated the box thoroughly. They also physically disassembled the box. They learned the web server used to administer the device is mini_httpd. Amazing.

Thursday, August 28, 2003

Is Earth Station Five a Hoax?

Is Earth Station Five a media industry sting operation? A few friends told me about this site today, so I poked around a bit. ES5 appears to be some sort of file-sharing network which thumbs its nose to the Recording Industry Association of America and the Motion Picture Association of America.


ES5 seems to have made its biggest splash in this CNET News.com article where ES5 "President" "Ras Kabir" claims "We're in Palestine, in a refugee camp." The earliest reference I found dates from 18 March 2003 in a post at a digital music site. It was also discussed on 25 June 2003 at the filesharing site Zeropaid.com. Prior to the News.com story, I found press releases which appear to be from 27 June 2003, 1 July 2003 and 7 July 2003.
The News.com story states:


"According to Earthstation 5 founder Kabir, the company was formed after a conversation with his brother Nasser in Ramallah two years ago, as Napster was circling toward its nadir. Over time, they won the financial backing of investors in Israel, Saudi Arabia and Russia, who have asked to remain anonymous. Those funds were used in part to pay contract programmers, largely in Russia, to help build the basic software.

The 35-year-old Kabir, who speaks fluent English, says he is Palestinian but spent much of his childhood in Manchester, England, with his mother. He now has homes in Jenin and elsewhere in Palestine, where Earthstation 5 is based, he said."


It's convenient that someone presenting himself as a Palestinian speaks fluent English. Next ES5 issued a "declaration of war" via press release, claiming:


"In response to the email received today from the Motion Picture Association of America (MPAA) to Earthstation 5 for copyright violations for streaming FIRST RUN movies over the internet for FREE, this is our official response! Earthstation 5 is at war with the Motion Picture Association of America (MPAA) and the Record Association of America (RIAA), and to make our point very clear that their governing laws and policys have absolutely no meaning to us here in Palestine, we will continue to add even more movies for FREE."


I uncovered some "investigative reporting" at slyck.com, whereby the site owner interviewed "Ras Kabir," ES5 "president." He focused mainly on usage statistics: "Slyck asked Ras Kabir to explain how his program could possibly have 3 times the level of usage of FastTrack and be one of the most downloaded software applications in such a short period. This especially seems hard to explain given the fact that it is difficult to find content for some artists. Surely these figures are inflated?"

I'm more concerned with the odd language used by the site. I have two explanations. First, it's the sort of "wanna-be-cool, fight-the-man" language used by a marketing-drone-turned-sting operator. For example, the ES5 Chronicles page, which features the image shown above and uses terms like "evil empire" and "enemy hands" too many times for my tastes. Other people, besides several who spoke up in links listed earlier, express doubts about ES5's authenticity. See this thread and this SlashDot story.

Putting on my intel officer hat, I did some cursory research on the "Jenin refugee camp" from where ES5 allegedly operates. After seeing the pictures on this site, I wondered what kind of infrastructure is there to support major file sharing operations! Still, lots of rebuilding is going on. You can check the United Nations Relief and Works Agency for Palestine Refugees in the Near East site for information. I couldn't find anything specifically mentioning a "Jenin refugee camp 23."


For the sake of research, here's some ownership information on the domains associated with ES5:


Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstation5.com

Date Registered: 2002-2-26
Date Modified: 2002-6-13
Expiry Date: 2005-2-26
DNS1: ns1.earthstationv.com
DNS2: ns2.earthstationv.com

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

===

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain es5.com

Date Registered: 12/9/2001
Date Modified: 3/28/2003
Expiry Date: 12/9/2004
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd., A Vanuatu Corporation
Jenin refugee camp #23
Jenin (PS)
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
N-88532yfvx@usersa5.namescout.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
N-88532yfvx@usersa5.namescout.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

===

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstationv.com

Date Registered: 3/10/2002
Date Modified: 2002-6-13
Expiry Date: 2005-3-10
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
PS
NONE
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

==

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstationfive.com

Date Registered: 2002-2-26
Date Modified: 2002-6-10
Expiry Date: 2005-2-26
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com



Here is a query against ns1.earthstationv.com for DNS records:


; <<>> DiG 8.2 <<>> @ns1.earthstationv.com earthstationv.com ANY
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; earthstationv.com, type = ANY, class = IN

;; ANSWER SECTION:
earthstationv.com. 1H IN SOA earthstationv.com.earthstationv.com. root.earthstationv.com. (
200350918 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum

earthstationv.com. 1H IN NS ns2.earthstationv.com.
earthstationv.com. 1H IN NS ns1.earthstationv.com.
earthstationv.com. 1H IN A 213.152.100.163
earthstationv.com. 1H IN MX 10 earthstationv.com.

;; ADDITIONAL SECTION:
ns1.earthstationv.com. 1H IN A 213.152.100.163
ns2.earthstationv.com. 1H IN A 213.152.119.35

;; Total query time: 262 msec
;; FROM: gp.centergate.com to SERVER: ns1.earthstationv.com 213.152.100.163
;; WHEN: Thu Aug 28 21:12:19 2003
;; MSG SIZE sent: 35 rcvd: 194


Here's traceroute output, first to the site's home page in Israel and then to its movie download page, also in Israel. How can that be? Well, the last resolved router name in the first trace is 212.199.218.130.forward.012.net.il, which makes us think the end node is in Israel. The last resolved router name in the second trace is unknown.Level3.net, which tells us nothing. The prior router is gige10-2.ipcolo1.Amsterdam1.Level3.net, which makes us think the end node might be in Amsterdam too. This is not the case. We'll see in the BGP data later that Level 3 is listed as an "adjacent" AS, which might indicate its placement in the traceroute data. Both end nodes, the web site and the download site, belong to the same company (ES5). ES5 receives its connectivity from "SpeedNet," which we'll learn about later. First, traceroutes from a publicly available tracerouter server to each host:


FROM www.above.net TO www.earthstationv.com.

traceroute to www.earthstationv.com (213.152.100.163), 30 hops max, 40 byte packets
1 inside.fw1.sjc2.mfnx.net (208.184.213.129) 0.311 ms 0.245 ms 0.219 ms
2 99.ge-5-1-1.er10a.sjc2.us.above.net (64.124.216.10) 0.534 ms 0.545 ms 0.500 ms
3 so-2-0-0.mpr3.sjc2.us.above.net (64.125.30.89) 0.569 ms 0.513 ms 0.500 ms
4 so-5-1-0.cr1.dca2.us.above.net (208.184.233.134) 66.905 ms 66.742 ms 66.736 ms
5 so-6-0-0.cr1.lhr3.uk.above.net (64.125.31.185) 138.525 ms 138.568 ms 138.596 ms
6 pos9-0.cr1.ams2.nl.above.net (64.125.31.154) 144.160 ms 144.232 ms 144.174 ms
7 pos14-0.mpr1.ams1.nl.above.net (208.184.231.53) 144.717 ms 144.756 ms 144.712 ms
8 so-1-3-0.cr2.fra1.de.above.net (64.125.30.149) 151.540 ms 151.440 ms 151.498 ms
9 pos3-0.pr1.fra1.de.mfnx.net (216.200.116.210) 151.395 ms 151.640 ms 151.411 ms
10 decix-abovenet-us.fra.seabone.net (195.22.211.45) 151.487 ms 151.320 ms 151.478 ms
11 pal6-pal8-racc1.pal.seabone.net (195.22.218.229) 180.994 ms 181.401 ms 180.925 ms
12 goldenlines-1-il-pal6.seabone.net (195.22.196.194) 206.393 ms 206.489 ms 206.300 ms
13 212.199.28.65 (212.199.28.65) 221.834 ms 206.473 ms 206.520 ms
14 212.199.28.242 (212.199.28.242) 208.880 ms 208.337 ms 208.309 ms
15 212.199.26.35 (212.199.26.35) 210.346 ms 210.450 ms 210.242 ms
16 212.199.218.130.forward.012.net.il (212.199.218.130) 211.823 ms 210.629 ms 210.658 ms
17 213.152.100.254 (213.152.100.254) 208.999 ms 209.503 ms 209.039 ms
18 213.152.100.163 (213.152.100.163) 211.880 ms * 212.004 ms

===

FROM www.above.net TO movies.earthstationv.com.

traceroute to movies.earthstationv.com (213.152.119.82), 30 hops max, 40 byte packets
1 inside.fw1.sjc2.mfnx.net (208.184.213.129) 0.301 ms 0.533 ms 0.227 ms
2 99.ge-5-1-1.er10a.sjc2.us.above.net (64.124.216.10) 0.573 ms 0.496 ms 0.467 ms
3 so-1-0-0.mpr4.sjc2.us.above.net (64.125.30.93) 0.506 ms 0.519 ms 0.484 ms
4 pos-1-0.mpr2.pao1.us.above.net (209.249.0.125) 0.932 ms 0.894 ms 0.834 ms
5 GigabitEthernet6-0.edge1.paix-sjo1.Level3.net (209.245.146.157) 0.877 ms 1.041 ms 0.799 ms
6 GigabitEthernet3-1.core1.SanJose1.Level3.net (209.244.3.249) 1.213 ms 1.185 ms 1.188 ms
7 ae0-55.mp1.SanJose1.Level3.net (64.159.2.129) 1.692 ms 1.622 ms 1.680 ms
8 so-0-1-0.bbr1.Washington1.level3.net (64.159.0.229) 80.943 ms 79.589 ms 79.546 ms
9 so-2-0-0.mp1.London2.Level3.net (212.187.128.137) 147.371 ms 147.342 ms 147.247 ms
10 so-2-0-0.mp1.Amsterdam1.Level3.net (212.187.128.26) 160.888 ms 160.546 ms 160.582 ms
11 gige10-2.ipcolo1.Amsterdam1.Level3.net (213.244.165.99) 160.796 ms 160.925 ms 160.833 ms
12 unknown.Level3.net (213.244.164.18) 160.973 ms 161.061 ms 161.095 ms
13 213.152.119.253 (213.152.119.253) 161.885 ms 161.306 ms 161.367 ms
14 213.152.119.82 (213.152.119.82) 161.864 ms 161.294 ms 162.110 ms


RIPE reports that ES5 owns the following netblocks:


213.152.100.0 - 213.152.101.255
213.152.102.0 - 213.152.102.127
213.152.102.128 - 213.152.102.192
213.152.102.193 - 213.152.102.209
213.152.119.0 - 213.152.120.255
213.152.121.0 - 213.152.121.63
213.152.123.0 - 213.152.123.128


Both "Nasser" and "Ras" Kabir are listed as owners. Here are the details on netblocks owned by earthstationv, as returned by RIPE:


inetnum: 213.152.119.0 - 213.152.120.255
netname: EARTHSTATIONV
descr: Employee's VOIP and workstations in the
Jenin refugee camp #23
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
remarks: Speednet's # 2002122740
status: ASSIGNED PA
mnt-by: SPEEDNET-MNT
notify: admin@earthstationv.com
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.0 - 213.152.102.127
netname: EARTHSTATIONV
descr: VOIP Dialup Gateway
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.121.0 - 213.152.121.63
netname: EARTHSTATIONV
descr: Peer to Peer IP network
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.128 - 213.152.102.192
netname: EARTHSTATIONV
descr: Internet Café in Hebron, Gaza City and Jenin
Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.193 - 213.152.102.209
netname: EARTHSTATIONV
descr: Video and sound Broadcasting
from the El-Bureij Refugee Camp in Gaza, Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20030102
source: RIPE

inetnum: 213.152.100.0 - 213.152.101.255
netname: EARTHSTATIONV
descr: Peer to Peer Ebay Web Pages
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.123.0 - 213.152.123.128
netname: EARTHSTATIONV
descr: DialUP Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
mnt-by: SPEEDNET-MNT
changed: speednet@email.com 20030325
source: RIPE

role: Earthstationv Hostmaster
address: Jenin refugee camp #23
Palestine
notify: raskabir@gaza.net
trouble: If you have a problem you can email us at
help@earthstationv.com For sales contact
sales@earthstationv.com
phone: +972 673 51065
e-mail: admin@earthstationv.com
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
nic-hdl: EAR0007-RIPE
mnt-by: SPEEDNET-MNT
changed: raskabir@gaza.net 20021231
source: RIPE

person: Ras Kabir
address: 121 Gaza
address: Gaza, Palestine
phone: +972 673 51065
fax-no: +972 673 51065
mnt-by: SPEEDNET-MNT
e-mail: ras@earthstationv.com
nic-hdl: RAS9905-RIPE
changed: ras@earthstationv.com 20030717
source: RIPE

person: Nasser Kabir
address: 121 Gasa
address: Gaza, Palestine
phone: +972 673 51065
fax-no: +972 673 51065
mnt-by: SPEEDNET-MNT
e-mail: ras@earthstationv.com
nic-hdl: NKA9905-RIPE
changed: ras@earthstationv.com 20030717
source: RIPE


The records show SpeedNet is the provider:


mntner: SPEEDNET-MNT
descr: SPEEDNET maintainer
admin-c: MM9905-RIPE
tech-c: MO2551-RIPE
upd-to: domain@17q.com
mnt-nfy: domain@17q.com
auth: MD5-PW $1$hlXT6LEy$iBPFGRF8VXAjVUVBVkdZG1
mnt-by: SPEEDNET-MNT
referral-by: RIPE-DBM-MNT
changed: speednet@email.com 20020924
changed: ripe-dbm@ripe.net 20030508
source: RIPE

person: Moshe Maimone
address: 63 Saudia Gaon
Hertzlya, Israel
phone: +39247585
nic-hdl: MM9905-RIPE
mnt-by: SPEEDNET-MNT
changed: Speednet@email.com 20030508
source: RIPE

person: Motti Oran
address: 25 Hasivin Street
Petach Tikva, Israel 49170
phone: +039247585
fax-no: +039247736
mnt-by: SPEEDNET-MNT
notify: speednet@email.com
e-mail: motti@speed-net.com
nic-hdl: MO2551-RIPE
changed: speednet@email.com 20030105
source: RIPE


I determined SpeedNet's Autonomous System Number (ASN) using a route server:


route-server.he.net>show ip bgp 213.152.100.163
BGP routing table entry for 213.152.100.0/24, version 245489010
Paths: (7 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7911 6762 9116 25276
64.200.150.105 from 216.218.252.147 (216.218.252.147)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.147
7911 6762 9116 25276
64.200.150.105 from 216.218.252.149 (216.218.252.149)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.149
7911 6762 9116 25276
216.218.252.146 from 216.218.252.146 (216.218.252.146)
Origin IGP, metric 46, localpref 100, valid, internal
7911 6762 9116 25276
64.200.150.105 from 216.218.252.151 (216.218.252.151)
Origin IGP, metric 60, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.151
7911 6762 9116 25276
64.200.150.105 from 216.218.252.145 (216.218.252.145)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.145
6461 6762 9116 25276
216.66.23.99 from 216.66.23.99 (216.66.23.99)
Origin IGP, metric 45, localpref 100, valid, internal, best
6461 6762 9116 25276
216.200.56.53 from 216.218.252.152 (216.218.252.152)
Origin IGP, metric 45, localpref 100, valid, internal
Originator: 216.66.23.99, Cluster list: 216.218.252.152


SpeedNet's ASN was the last number in each list, meaning '25276'. I then queried cidr-report.org for more information on ASN 25276. I could have also queried ARIN for similar information.


Report for AS25276
SPEEDNET-AS Speednet Ltd, An Israel Corporation
--------------------------------------------------------------------------------
Whois Entry
IANA has recorded AS25276 as originally allocated by RIPE
RIRs have AS25276 whois information provided by RIPE
-No Whois Entry Obtained-
--------------------------------------------------------------------------------
AS Adjancency Report

In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS4637) as the specified AS. Similarly, "Downstream" referes to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships.

5963 AS25276 SPEEDNET-AS Speednet Ltd, An Israel Corporation
Adjacency: 2 Upstream: 2 Downstream: 0
Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications, LLC
AS9116 AS9116 Goldenlines main autonomous system
--------------------------------------------------------------------------------
Announced Prefixes
Rank AS Type Originate Addr Space (pfx) Transit Addr space (pfx) Description
9865 AS25276 ORIGIN Originate: 1280 /21.68 Transit: 0 /0.00 SPEEDNET-AS Speednet Ltd, An Israel Corporation

Aggregation Suggestions

This report does not take into account conditions local to each origin AS in terms of policy or traffic engineering requirements, so this is an approximate guideline as to aggregation possibilities.


Rank AS AS Name Current Wthdw Aggte Annce Redctn %
3730 AS25276 SPEEDNET-AS Speednet Ltd, An Israel Cor 5 2 1 4 1 20.00%


AS25276: SPEEDNET-AS Speednet Ltd, An Israel Corporation
Prefix (AS Path) Aggregation Action
213.152.96.0/24 6762 9116 25276
213.152.99.0/24 3356 25276
213.152.100.0/23 6762 9116 25276 + Announce - aggregate of 213.152.100.0/24 (6762 9116 25276) and 213.152.101.0/24 (6762 9116 25276)
213.152.100.0/24 6762 9116 25276 - Withdrawn - aggregated with 213.152.101.0/24 (6762 9116 25276)
213.152.101.0/24 6762 9116 25276 - Withdrawn - aggregated with 213.152.100.0/24 (6762 9116 25276)
213.152.119.0/24 3356 25276


What does this all mean? I'm not sure, but I hope you followed along and discovered all the different sorts of information you can learn given only a few IP addresses and domain names. I didn't touch ES5 to get any of this, other than visiting their web site to grab a few screen shots. I'd like to download their software and test it in the lab next.

New "CISSP Associate" for People without Years

I learned today that people who would like to be a CISSP without having the necessary number of years experience can become a CISSP Associate. I find this rather odd. According to the press release:


"After passing the selected exam and signing (ISC)2's Code of Ethics, the Associate must garner the requisite work experience and successfully complete a professional endorsement process before he/she becomes officially certified as CISSP or SSCP. The CISSP, designed for professionals devising information security strategy, requires four years of professional experience in the field of information security, while the SSCP, designed for professionals following a tactical information security career path, requires one year of experience. Associates of (ISC)2 will not be able to use the designation of CISSP or SSCP until formally certified."


Why bother, then? Is this "CISSP-lite"? I think it's a ploy to get more people to take the exam and say "Yes, prospective employer, I'm 'smart enough' to pass the CISSP exam, even though I only have two years of experience." The press release continues:


"Associates of (ISC)2 who pass these challenging exams will be able to assimilate the discipline and structure that can expedite progress throughout their careers," said Duffy. "The program is ideal for those accumulating their first experience in the field and for students looking toward a future career in our profession."


I think this cheapens the certification, if that were possible. Just keep the CISSP as it is. ISC2 is already diluting it by adding to its "cert suite."

Reviews of Absolute OpenBSD, Protect Your Information with Intrusion Detection Posted

Amazon.com just posted my five star review of Absolute OpenBSD. I thought this was a great book. No one else has written a general-purpose OpenBSD system administration guide. I used the book to get my first familiarity with OpenBSD. Michael is working on a book for NetBSD now called Absolute NetBSD. From the review:


"The bottom line is this: Michael Lucas knows what to write to help system administrators get the job done. I wish other authors did the same. I'd love to see Lucas or another "No Starch" author write "Absolute Cisco Routers," followed by "Absolute Cisco Switches." Any takers?"


Unfortunately, I was disappointed by Protect Your Information with Intrusion Detection and gave it three stars. From the review:


"It was my fault that I bought this book. I should have been tipped off by the odd choice of "key points" on the cover: "describing firewalls, indicating security policy violations, analyzing the information sources, improving the IDS security level." These sound awkward, and PYIWID follows that theme throughout. I give it three stars because the author did a lot of working bringing disparate sources of information together in this single volume, but he did not present it coherently. "

Tuesday, August 26, 2003

While reading a Slashdot story on a Curses library (.pdf) version of GTK (The Gimp Toolkit) called Cursed GTK, I found a link to Contiki, a "highly portable, modern, open source, Internet-enabled operating system and desktop environment for very constrained systems, such as 8-bit homecomputers like the Commodore 64." You can access Ethernet using this special NIC. Can it get better? Oh yes. You can access a Commodore 64 remotely using a special version of VNC called CTK VNC by visiting this site. Above is a screenshot of the page when I used the Java VNC client. Not only was this site offering remote VNC access, it was also serving up web pages!

Security News Ticker Added to Blog

I find the security news ticker from Security News Portal to be very helpful, so I added it to the blog. Let me know if you like it or dislike it!

New Version of SHADOW IDS Released

I read on snort-users that Guy Bruneau released version 3.1 of the SHADOW IDS. Installation documentation (.pdf) is available. You can download an .iso. I'm interested in seeing how the .iso works out. With VMWare I can install directly from the .iso without burning it to CD-ROM. Keep in mind SHADOW is a packet-header based IDS. It is not a content inspection system like Snort or commercial IDS. Still, it can be useful.

ISECOM Provides "Non-Profit" Competition for SANS

I learned that a new edition of the Open Source Security Testing Methodology Manual was released Saturday. The OSSTMM is a consensus document whose objective is "to create one accepted method for performing a thorough security test." It is created by the Institute for Security and Open Methodologies, described here as "a non-profit organization which provides collective information and tools under the open source licenses for free public use. This information is provided via the Internet and through social venues and conferences." This sounds somewhat like SANS, who as recently as Oct 02 was called "a nonprofit security research and training group." I couldn't find any indication on the SANS web site of their non-profit status, and searches into archived pages for SANS, Escal, and "The Intranet Institute" didn't show anything confirming its non-profit status.


Just as SANS offers certifications, ISECOM offers the OSSTMM Professional Security Tester and the OSSTMM Professional Security Analyst. Not surprisingly, ISECOM offers classes to help students pass their certification tests. I was struck by the arrogance of this page from the OPSA course description:


"If all you want to do is pass an exam, we recommend the following:


  • Read the newest versions of the OSSTMM, OSSTMM Internal, and the BSTA Workbook.

  • Take a few MBA classes in business information and security.

  • Read books on intrusion detection, honeypots, secure programming, and anything else you can to see how attacks arrive.

  • Learn how to get what you need for security analysis off the Internet. Know where you can get the needed trend information, solutions, CVE info, hacks, exploits, etc. to do an OSSTMM security test.

  • Learn how TCP, UDP, ICMP, IP, RIP, OSPF, BGP and various application level protocols work like FTP, DNS, SNMP, BOOTP, HTTP, HTTPS, etc. and how to analyze them.

  • Learn how to analyze and categorize information leaks, privacy breaches, and competitive intelligence.

  • Learn where to look in the Security presence to find weaknesses and deficiencies.

  • Calculate risk assessment based on the current version of the OSSTMM.

  • Understand how to calculate and execute project plans while upholding proper legal and ethical testing.

  • Know how to follow the security tester's rules of engagement as per the most recent OSSTMM.

  • Work with an efficient red team either internal or as a consultancy to learn efficient teamwork and project requirements.

  • Read what you can about security policies and security architecture to be able to design secure network topographies with associated process controls.


Otherwise, you may be interested in the training course."


Wow! That sounds like a four year college degree. Wait -- this is all packed into a four day class? Who do these guys think they are?

Monday, August 25, 2003

Watch Connections with Free Tools

If you're using a Linux-based NAT (or "IP Masquerading") firewall as an inline device, and you may need a way to check the sessions as they pass. ConnViewer will do that for you. Pkstat will give text-based traffic statistics, as will other tools listed on that site.

WAP Gateway Allows Testing, Access

Wireless Application Protocol, or WAP, is a protocol allowing some mobile devices (cell phones mainly) to "surf" the Internet. I found this Public WAP Gateway, with which you can test your phone! Check the Yahoo Forum for the web site to see how people are using this free service.

Researchers Use "Fuzzing" to Find Security Flaws

When I attended Black Hat USA 2003 last month, several presenters mentioned "fuzzing" as a technique to find security vulnerabilities. As I understand it, fuzzing involves sending unexpected input to an application and monitoring its responses for signs of vulnerabilities. The most widely known tool is Dave Aitel's SPIKE. The PROTOS suite was famous for its discovery of SNMP weaknesses last year. The IP Stack Integrity Checker is another open source tool. There are alternatives to these tools in private use, and some offer other methods, like sofwtare from Greg Hoglund's HBGary, to find similar weaknesses.

Oakley Networks Product Monitors for Inappropriate Insider Activity

Earlier I mentioned Vericept, whose product watched for the movement of sensitive data out of corporate networks. I recently learned of Oakley Networks, whose IO-3 product appears to do something similar. Rather than watching for suspicious inbound activity, typically caused by intrusion attempts, this product watches for leakages of data defined by the administrator. Of course, the product only gets interesting if we know it doesn't "grep for strings." We could program Snort or ngrep to do that!
In my never-ending quest to discover obscure ways to transfer data, I've used BBS', the Internet, private government networks, and amateur radio packet networks. Now I've learned of a system called FidoNet. FidoNet is a system whereby users transder mail and files via modem using a "proprietary protocol." These systems link to gateways connected to the Internet, so mail can be exchanged between the two networks. It seems the appeal of FidoNet is the class of users is different, and there's more of a sense of community.


FidoNet is strictly regulated, not allowing any commercial content. Candidates have to apply to their region. First locate the major region, like Region 1 for North America. Then, apply to the local region, like Region 13 for Washington, DC. Some web-based gateways to FidoNet exist, and I've noticed some telnet-accessible BBS' offer FidoNet access. There's a FidoNet Newsletter, too!

Sunday, August 24, 2003

Visualization Software for Snort Alerts

I haven't tried this yet, but called Scanmap3d is available to visually depict Snort alerts. The military has been interested in this sort of technology for years, which gave birth to Silent Runner. IF Scanmap3d displays alerts, that's interesting. I wonder if it could be adapted to display session data, perhaps from Argus? According to this May 03 press released, Silent Runner received a patent for their technology:


"The U.S. Department of Commerce Patent and Trademark Office issued Patent #6,549,208 for SilentRunner’s technology architecture that enables digital data input from external sensors for visual analysis, correlation and display with data derived from four major software groups: Virus Computer Code Detection; Analysis of Computer Source and Executable Code; Dynamic Monitoring of Data Communication Networks; and 3-D Visualization and Animation of Data. "

Friday, August 22, 2003

Review of The Complete FreeBSD, 4th Ed Posted

Amazon.com finally posted my five star review of The Complete FreeBSD, 4th Ed.. Currently it appears on my personal reviews site but I expect to see it on the book's individual page soon. From the review:


"Before reading Greg Lehey's "The Complete FreeBSD, 4th Ed" (TCF:4E), I reviewed Michael Lucas' excellent "Absolute BSD" (a FreeBSD book) in Feb 03. I can't say which book is better, and I recommend you buy Lucas' book as well as this one. TCF:4E remains for me the FreeBSD user's manual; any serious FreeBSD user will have it on his or her shelf. The two books complement each other, as Lucas is often more direct in his explanations."


I submitted my five star review of Michael Lucas' Absolute OpenBSD last night. We'll see how long it takes to appear!

Thursday, August 21, 2003

Blaster Strikes Railroad Company

Striking a little closer to home, CSX, operator of "the largest rail network in the eastern United States," reported "significant slowdowns early today after a computer virus infected the network." I ride the Virginia Railway Express to the Foundstone DC office, but I didn't take it yesterday. According to the CSX press release:


"The infection resulted in a slowdown of major applications, including dispatching and signal systems. As a result, passenger and freight train traffic was halted immediately, including the morning commuter train service in the metropolitan Washington, D.C., area. Contrary to initial reports, the signal system for train operations was not the source of the problem. Rather, the virus disrupted the CSXT telecommunications network upon which certain systems rely, including signal, dispatching and other operating systems."


Wonderful. Who in management will be fired because of these incidents? Probably no one.

Slammer (Jan 03) Crashed Ohio Nuke Plant

Kevin Poulsen wrote an excellent article on the means by which Slammer (not Blaster) "penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall."
The article shows how network admins do not understand the connectivity of their networks, which then allows customer networks and VPN clients to bypass external-facing access control:


"It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread. 'This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel,' reads the April NRC filing by FirstEnergy's Dale Wuokko. '[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not.'"

Wednesday, August 20, 2003

AFCERT Keeps the Faith

Next week I head back to San Antonio to teach Foundstone's "Ultimate Hacking" to members of the 33rd Information Operations Squadron, which includes the Air Force Computer Emergency Response Team (AFCERT). I served as a captain in the AFCERT from Sep 98 through Feb 01. Thanks to the magic of archive.org, you can see the first job I was stuck with doing, before I learned IDS -- redesigning the AFCERT web page! I provided content for some of the pages once that webmaster duty fell on other shoulders, but some of the pages appear familiar...


I'm looking forward to seeing some of my old colleagues. The May 03 Spokesman online magazine profiled the AFCERT. My favorite quote is by one of the best guys to ever work in the AFCERT:


The AFCERT of today wasn’t always such a robust organization. "Many people don’t realize we started in the early 1990s with only a handful of dedicated people who understood this business," said Tech. Sgt. Will Patrick, AFCERT superintendent.


I'd argue only a few still understand the business, and there's far too much work to go around! Thankfully, most of the people who served in key roles have brought that knowledge to the private sector. Instead of protecting the military, they're protecting your banks, insurance companies, utilities, and other pieces of critical infrastructure. Besides the military folks I'll visit, I'm also having dinner with the group of analysts Bamm Visscher and I hired at Ball Aerospace & Technologies Corp. to implement the world's only, albeit short-lived, commercial managed network security monitoring operation. Like me, we've all moved to other jobs since the decision by BATC to yank our funding. Oddly. I left a month before funding was actually removed, since my family wanted to move from San Antonio to Washington, DC!

Time Magazine on Blackout

I'm not a big TIME magazine reader but I thought their recent story on the blackout offered some cool graphics, like this depiction of the northeast power grid.

Their Shockwave animation is also neat. Be sure to visit TIME's site to read the whole account.

Updating My Mini-PC... I Mean Cell Phone

I've had a Motorola i90c cell phone for a year and a half now. I've known all along that the i90c is for all intents a general purpose computer, with memory, CPU, and I/O. I've used my Nextel Online service to download Java applications, but no one has yet hacked me via a malicious Java application. It will happen though. This CNN story says "Victor Brilon, Java applications manager at Nokia, and Charles Chopp, Nokia's media relations manager, laughed when I asked questions about writing Java programs that make full use of a cell phone's computing and communications power. As on PCs, Java apps on cell phones run in a "sandbox" that prevents them from doing damage to their surroundings." Sure. Check out the presentation (.pdf) by FX of Phenoelit.de on hacking the Siemens S55. Back to updating the phone...

All this time I've had the cable needed to connect the phone to my laptop, but never used it. Well, after perusing the Howard Forums Motorola section I decided to see what I could do with my i90c.


I started by visiting the iDenUpdate site, the portal for software for Motorola cell phones. I visited the i90c software update page and saw "R76.02.04" was available, with the description "This iDEN Update Service Pack includes the most recent updates and enhancements to your Nextel phone software. Current Service Pack releases contain all previous Service Pack fixes and any new fixes created after the previous Service Pack Release." Sounds like Windows! If this doesn't remind you that your cell phone is a full-fledged computer, what will?


At this point I realized I needed an application on my laptop to talk to the i90c, called iDenUpdate. Although the link to the software was broken on the page, I found the page source pointed here (.exe). I downloaded, installed, and ran the app, and eventually found myself downloading a 4 MB file from Motorola. While my i90c was being updated, it showed the following on its display. At right is a screen shot of my phone and laptop during the update process:


FLASHStrap
FS76v00.10
i28F320W18-ROM4

Code OK
Ready to Program
Soon the process ended and I was asked if I wanted to install any other applications. I picked a few that I use regularly, but when the update process was done only one was installed. (I had enough memory for all three.) Although I had done the update through the PC and serial cable, I installed the additional Java apps through the native cellular features of the i90c.


If you'd like to update your Motorola cell phone, you need to know what version you're running. You can access this information by hitting the following keys in rapid succession, then browse to "Software Version" and other information:

# * Menu RIGHTARROW


This helpful animated .gif shows how to do the steps. If you're a developer/hacker, visit the iDen developer page. It offers tools like the Motorola iDEN SDK 3.0.0 for J2ME Technology. Once you register you'll be able to download emulators, documentation on the iDen network, and other goodies. One thing I doubt I'll find is a description of the "updates and enhancements" I downloaded to my i90c. I believe they were transferred over an SSL link from shop.motorola.com. I could have used some sort of SSL proxy to obtain a clear text version of the package as it streamed by. I could probably have analyzed the package, and if it were actually a binary, disassembled it. I wonder if anyone is doing that? :)

FDIC Proposes Guidelines Telling Banks to Notify Customers of Breaches

SANS Newsbites informed me of a Washington Post article on the Federal Deposit Insurance Corporation's plans for new banking guidelines. From the story:

"Under the proposal, banks and other financial institutions would alert customers by mail, telephone or e-mail, when they find unauthorized access to personal data that could result in substantial harm or inconvenience. Banks also would be told to flag any accounts that may have been compromised and monitor them for unusual or suspicious activity."

This marks a significant break from standard practice. In the past banks had latitude to keep things quiet, at the discretion of the board and legal counsel. Of course, the details of the guidelines must dictate what constitutes "unauthorized access" and "personal data" and "substantial harm or inconvenience." Stay tuned.

Last Day to Oppose Broadband over Power Lines (BPL)

I just learned of this issue Monday night at an amateur radio meeting. The Federal Communications Commission released a "notice of inquiry" (NOI) (.pdf, .doc) on 28 Apr 03 regarding "Broadband over Power Lines" (BPL). The American Radio Relay League, an organization supporting amateur radio, filed its opposition to BPL, and I encourage readers who care about supporting amateur radio to do the same. Today is the last day to submit a comment to the FCC! I describe how to do so below.

BPL involves sending data in the form of electrical signals over power lines designed and optimized for 60 kHz signals. Unfortunately, power lines weren't built to handle BPL, which operates at 2 to 80 MHz. Power lines are unshielded, and they make the world's greatest antennas! So what? The result is "spillage" of the signal all over the radio spectrum in the 2 to 80 MHz band. You can see what uses these channels on a frequency allocation chart. An amateur radio-specific chart is here. Spilling noise all over this frequency range eliminates the ability of amateur radio operators to respond to crises like the northeast blackout and 9/11. (This Slashdot thread on hams helping during the blackout shows the public needs to be educated on the sorts of services amateurs provide during emergenices.) More than just amateur radio is affected, so I expect the military and other organizations to complain as well.

You can submit a comment by visiting the FCC Electronic Comment Filing System and selecting "Broadband Over Power Line (BPL) - Docket 03-104." (For some reason the NOI claims number "03-100" while the BPL issue now uses 03-104.) Here's what I submitted:

"I am writing to oppose deployment of Broadband over Power Line (BPL). I am an amateur radio operator. It is wrong to allocate 78 MHz of spectrum (from 2 to 80 MHz) to BPL, when amateurs are already licensed to use large portions of this spectrum. Amateurs provide critical service during emergencies, such as the power blackout in the northeast. Without access to the frequenices planned for allocation to BPL, amateurs would not have been able to communicate with each other at the distances needed to coordinate emergency services. I concur with the documents submitted by the ARRL and I request the FCC consider the ARRL's submission."

For more information, Slashdot carried a recent thread with many thoughtful contributions by amateur radio operators. Amateur radio operators might prefer QRZ's thread and should also read the most recent ARRL story. A video (.mpg) shows what happens to the amateur bands when near BPL-enabled power lines. Wired gave its take, with a quote of support by the FCC chairman. (Here's hoping Congress will step in again if Powell gets his way.)

During emergencies amateur radio operators work within two organizations: ARES and RACES. The Amateur Radio Emergency Service (ARES) consists of licensed amateurs who have voluntarily registered their qualifications and equipment for communications duty in the public service when disaster strikes. The Radio Amateur Civil Emergency Service (RACES) is an organization of amateur radio operators who volunteer to provide radio communications for State and local governments in times of emergency. (These definitions came from the Virginia ARES/RACES site.) Some amateurs also support Skywarn, a National Weather Service program involving amateur radio operators trained to report severe weather back to the NWS.

Tuesday, August 19, 2003

Study Shows Blackout's Effects on Individual Routers

Slashdot alerted me to an online report on the effects of the northeast blackout on individual routers. Renesys monitored BGP announcements and watched routers drop out of the tables, as shown in their graph below. From the report:


"The majority of the power failures began at about 16:10 EDT. Immediately thereafter, the number of routes in global routing tables dropped rapidly, falling by nearly 1000 within five minutes. This likely corresponded to the loss of reachability of networks which did not have alternative backup power sources. Table size then continued to drop, though at a slightly more gradual pace. We suspect that losses during this time correspond to networks with limited backup power which were able to stay online temporarily until those power supplies were exhausted. By 19:00 EDT, routing table sizes had reached their low point, a full 2500 networks fewer than the current baseline size."

Systrace Policy Library

While reading Michael Lucas' excellent Absolute OpenBSD, I learned of a project which maintains a library of Systrace policies called the Hairy Eyeball Project. Systrace allows administrators to define which system calls their applications can execute. Systrace is included in OpenBSD and ports exist for other operating systems. I most interested in the FreeBSD version which Rich Murphey presented at DefCon XI. I haven't seen anything from DefCon XI posted in the site's archives yet.

While perusing the mailing lists I discovered CerbNG which appears to have similar functionality to Systrace. I think projects like this are key to improving security. Boundaries between the untrusted "outside world" and the trusted "inside world" are dissolving. Road warriors infected with the latest worm use their VPN to connect to the corporate network, bypassing defenses aimed at exterior threats. Increasingly hosts must defend themselves as access control is becoming difficult if not impossible. Organizations are unwilling or unable to segment their networks, as most can't even define the relative importance of their business assets. The future of security is every machine being a bastion host.

If you need a commercial solution, Primary Response from Sana Security "monitors and protects applications at the OS kernel level, building a profile of the application's normal behavior based on the code paths of a running program, then continually monitoring those code paths for deviations from the norm."

Monday, August 18, 2003

Webcast on Network Security Monitoring

At 9 am eastern on Wed 28 Aug 03 my webcast "Implementing network security monitoring with open source tools" will "premiere" at searchsecurity.com. You can sign up here. It won't be live since I'm recording it Thursday afternoon, but you can submit questions which I'll answer on their web site. It's a sequel to last year's webcast mentioned on my press page.

Sunday, August 17, 2003

Bring New Life to Your Commodore 64

My dad recently shipped my old Commodore 64 to me and I'm trying to figure out how best to use it. It would be fun to run a BBS accessible via telnet, like these. My Commodore 64, 1541 disk drive, Capetronic 1200 baud modem, and RS-232 serial interface all work, but I need software for the C-64. There are plenty of games that run on emulators, but how do I get software from the archives onto the C-64?


Assuming the C-64 has no terminal software available, my best bet appears to be to use Star Commander on a PC running MS-DOS. I'll connect the PC to the 1541 disk drive using a special cable (probably the XA1541). I'll use Star Commander to write Commodore software like EBBS to a floppy in the 1541. Once the software is available to the C-64, I can try setting up a BBS like that run by Leif Bloomquist. Using these instructions, I could even access telnet services from the C-64! Here's another option called BBSLink that forwards incoming telnet connections to a Windows box to the COM port, where the C-64 listens. Maybe I'll connect the C-64 to my packet radio TNC, and really go retro.


I also found these how-to's to be helpful in figuring out this process, and an incredible amount of original documentation is online. Because Star Commander works only in a true MS-DOS environment, I started looking at what could be done in DOS. Would you believe people are running DOS-based web servers?

Saturday, August 16, 2003

Internet Radio Linking Project Connects the World

When I attended Black Hat USA 2003 in Las Vegas last month, I brought my amateur radio with me and found myself listening to callers all over the world. It turns out I had stumbled upon a frequency used by the Internet Radio Linking Project. The IRLP links amateur radio repeaters by encapsulating voice communications over the Internet. So, when I listened to 146.40 MHz in Las Vegas, I was listening to node 3290 on the IRLP! This is another example of how amateur radio is alive and well in the age of IRC and text messaging via cellphone. You can listen to the IRLP live for free here: http://live.irlp.net:8000/listen.pls.


>Currently my rig can only operate on 2 meters (144-148 MHz), and the nearest IRLP nodes to me operate on 70 centimeters (420-450 MHz). I've been checking the eHamnet Reviews for a good dual-band rig I can afford. The Yaesu FT-8800R has good reviews and supports a feature called WIRES, or "Wide-coverage Internet Repeater Enhancement System."

Email Sent from Amateur Radio Network to Internet and Back

Today I visited the Ham Radio Outlet in Woodbridge, VA and bought a Kantronics KPC-3+, pictured above. This little beauty is a "Terminal Node Controller" (TNC) and it lets my HTX-202 2 meter radio (pictured next) talk to the "packet radio" network around the world.

Combine this equipment with an amateur radio license and you're ready to go! (I earned my Technician class license in 2001.)

I cabled my laptop to the KPC-3+, and cabled the KPC-3+ to my HTX-202. Next I used the Windows Hyper Terminal program to communicate with the KPC-3+. I told the TNC to connect to W4OVH, which is a geographically nearby packet node operated by the Ole Virginia Hams Amateur Radio Club. From there I hopped to a node which offers mail relay to Internet space from the packet network. I composed a message, shown partially below:

I received the message on my Thunderbird Windows XP Internet email client:

I replied to the message on my XP box and got the reply back through the packet radio network:

I think that's cool! Amateur radio operators can send email to each other without the use of the Internet. It's just like the old BBS days in the 1980s, and especially relevant in emergencies today. (The VA Digital Emergency Network operates using packet radio.) My HTX-202 rig supports data transfer at 1200 baud, which is what I used with my Commodore 64 back in the day. Monday night I plan to attend a meeting of the amateur radio operators in my area and learn what else I can do with this technology.

Friday, August 15, 2003

Blog Enhancements

Since I still can't upgrade to Blogger Pro, I'm trying a few free services. First, I added a counter courtesy of Sitemeter.com. I'm also I'm experimenting with a free service that allows readers to comment, courtesy of BlogExtra. I got ideas on both from CFMXPLUS. Let me know what you think! Update: I removed the comment service as it doesn't seem to be working now.

Reliable Software Group Produces Security Code

Yesterday I came across the Reliable Software Group at the University of California Santa Barbara. They offer research on several projects, but the one of most interest to me is STAT, or "State Transition Analysis Technique for Real-Time Intrusion Detection." They provide RPMs for Red Hat 7.3 and packages for Solaris 7 SPARC, so I might give some of their code a try.

Computer Forensic Conference Concludes

Today the Regional Computer Forensic Group finishes their Annual GMU Computer Forensics Symposium. The RCFG is sponsored by the High Technology Crime Investigation Association DC Chapter. I watched two of my Foundstone coworkers brief scenarios based on cases we've worked during the last few years. You don't have to be a Fed to join the HTCIA, although some of the briefings at the conference were "confidential" and closed to those outside the government or law enforcement.

Effect of East Coast Blackout on Internet

Yesterday just after 6 pm eastern I checked the Internet Health Report to see if the east coast blackout was affecting the Internet. I didn't see anything out of the ordinary.



Looking at the Internet Traffic Report, however, as of this writing a core router in Michigan, danu.ili.net (209.115.84.254), appears down. Since my father-in-law in Michigan reported he's still without power, maybe that's the cause. Of the 78 routers monitored in North America by the ITR, only a handful are in the affected states. Most of those didn't see major problems during the outage, so they must have had backup power. Oddly, besides the ili.net router, denver-br2.bbnplanet.net (4.0.0.118) and atl1-core1-l0.atlas.algx.net (165.117.1.76) are also completely down right now.

Running Four VMWare Guests Simultaneously

I installed Red Hat 9.0 on my IBM ThinkBrink (I mean ThinkPad) a20p yesterday. It has 384 MB RAM and a 20 GB hard drive. I then installed a trial version of VMWare 4 for Linux. Next, I installed images of Windows NT 4, Red Hat 7.0, FreeBSD 4.3, and Solaris 7 x86. I gave each OS 32 MB RAM and between 1-3 GB hard drive space. I was able to run all four OS simultaneously without a real problem, although I didn't run X in Linux and FreeBSD. Solaris offers a GUI by default but I began a command line session instead. This arrangement makes a decent lab environment, although more RAM would help. It's nice being able to run old operating systems in such small amounts of memory!

Thursday, August 14, 2003

Knoppix

Several people have told me to try Knoppix, a bootable Linux distro that runs in a RAM disk. I gave it a shot, running it straight from my CD-ROM drive and then within a virtual machine to acquire screen shots. This is a great idea if you want to try Linux without installing a full distro on your hard drive. Knoppix is entirely memory-resident, so if you power off your machine Knoppix disappears. I must note that upon restarting my Windows XP laptop after running Knoppix, it bluescreened when the Windows logo disappeared. A hard shutdown fixed the problem, which must have had something to do with memory contents.




Knoppix loads directly from the CD-ROM, and drops users into a KDE desktop. Knoppix is based on Debian. You can read the software included on the Knoppix web page. My friends like Knoppix because it has vast driver support for peripherals, making their lives easier.




A special Security Tools Distribution is available. This poorly named "STD" distro includes tools commonly used by security professionals. The developer had STP in mind, but please! I think I'll try STD next, but for testing purposes won't burn the .iso to a CD-ROM. Rather, I'll mount the .iso as a "fake" CD-ROM in VMWare. (I tried this with nmrcOS. While the overall nmrcOS project is interesting, I found the author's political comments and use of expletives in the message of the day to be juvenile.)


I know of some security researchers who do their programming within Knoppix, so others can try their software on a similar platform without much trouble. This is actually a powerful idea. The programmer knows exactly what the user brings to the table if he's using a stock Knoppix distro. If the user has modified or created his own Knoppix distro, then all bets are off. However, if programmer and user each operate the same Knoppix distro, they can be sure software designed by the programmer will work for the user.

Wednesday, August 13, 2003

GNU FTP Site Compromised

While perusing recent CERT advisories, I read gnu.ftp.org was compromised in Mar 03 but discovered only this month. According to the annoucement, "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted." This shows escalating privileges to root isn't the "end game," as this intruder sought to leverage that access to compromise others. This reminds me of the techniques espoused by el8 in their war on white hats.

Update: A year ago today Wired published a story on an underground zine called el8.3.txt which declared war on white hats.

hrack 61 Released

Phrack 61 was released today. The mag has the usual mix of clever put-downs of the clueless in the loopback section, and cutting-edge programming-oriented articles in the main sections. Phrack 60 was released in Dec 02.

Vulnerability in TCPFlow

@stake discovered a vulnerability in one of my favorite network security monitoring tools -- TCPflow. TCPFlow can read libpcap data and generate files containing the contents of network sessions. It's used in Sguil to create "transcripts." Be sure to upgrade to v0.21, released 7 August 2003. The FreeBSD port hasn't been updated yet.

Meta Group on IDS

Meta Group, a firm which competes with Gartner for the ears and dollars of CIOs, is reported to have said "commitment to IT security in big business has never been stronger, with network and host intrusion detection systems (IDS) high on the shopping list." Meta sounds like they know their stuff:


"Meta vice president Tom Scholtz said organisations that had taken an intelligent approach to IDS have had no problem establishing the value of the technologies. But he added: "Those that have purchased a product without the benefit of an underlying policy and plan naturally feel like they have wasted their money, because they have." Amen!

Tuesday, August 12, 2003

OS Uptime Project

When looking to see who was running OpenBSD 3.3 on 486 boxes (more on this later), I discovered The Uptimes Project. Participants install a daemon on their systems which report uptimes to a central site. Beyond general statistics, you can check individual operating systems, such as FreeBSD. Maybe once my home network has been stabilized I will try this out.

Enabling Serial Console Access in FreeBSD

Back in February I posted a means to enable serial access to my FreeBSD 5.0 RELEASE box. I'm not sure where I got that method, even though it worked. A more correct method is to change an entry in /etc/ttys from this

ttyd0 "/usr/libexec/getty std.9600" dialup off secure

to this

ttyd0 "/usr/libexec/getty std.9600" dialup on secure

Optionally, for faster access, make the line look like this

ttyd0 "/usr/libexec/getty std.115200" dialup on secure

Be sure to restart process 1 (init) using 'kill -1 1'. Then configure your terminal client to use 115200 as its connection speed, and you can connect to the serial port using a serial cable and null modem.

Msblast Worm Ravaging Internet?

Hardly, although it's clear a lot of recon is ongoing and thousands of Windows boxes are being owned. Consider this data from the Internet Storm Center:

That's a lot of scanning, but what effect is there on the Internet? Here's a snapshot from the Internet Health Report:

Contrast that report with one posted by H.D. Moore during Slammer. All of the red means severe problems, which aren't seen in today's report:

What this worm proves is that Windows boxes cannot be placed on the Internet without an access control device protecting certain ports. Windows offers too many services that are capable of being exploited. Connecting unprotected laptops to corporate internal networks via VPN is a risk which needs to be controlled. (Here's a home user wondering why his machine keeps rebooting -- msblast.exe?) Companies should look for firewall solutions on the NIC, perhaps like this Linksys USBVPN1. If anyone has experience with this product, please email me.

Monday, August 11, 2003

Vulnerability in Realpath(3) Function Could Lead to Remote Root Compromise

I just read the FreeBSD security advisory on the realpath(3) function, which "is used to determine the canonical, absolute pathname from a given pathname which may contain extra "/" characters, references to ""/." or "/../", or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. . . Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation."


This is a problem because all releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE are affected, and OpenSSH is listed as one of the programs affected by this bug. The fix is to upgrade your system to 5.1 RELEASE or the respective security releases of 4.7 and 4.8 RELEASE, or apply the patch given in the advisory.


This FreeBSD-specific warning builds on advisories released by ISEC and CERT. There seems to be a spike in port 22 TCP scans as reported by Incidents.org near the day ISEC released their advisory.

MyRSS feed for TaoSecurity Blog, but So What?

It looks like MyRSS somehow has a feed for this blog. If someone would like to try it and let me know how it works, please contact me at blog at taosecurity dot com. I am particularly interested in who uses RSS 0.91 or 1.0. This free site appears to update its RSS feed once per day. It looks like it's pulling the titles from the first link in the story, which means it takes you directly to the first link of the post and not the blog itself. :( I'm still working on upgrading to Blogger Pro, but they haven't answer my email on their upgrade site being down. Update: I was contacted via email by someone who tested this myRSS feed with Aggreg8.net and found it worthless. Thanks for the info!

Saturday, August 09, 2003

IOS Updates

Last month I posted that I bought Cisco gear from a reseller in Virginia. I bought new gear with software licenses, and got a SmartNet contract so I have legitimate access to IOS updates. I had read of problems with licensing if I bought used gear through eBay. Well, Slashdot is discussing this Infoworld article on that very subject. From the article:


"I made the mistake of showing a visiting Cisco rep the 2611 router I’d purchased on eBay for $1,200,” says Mark Payton, director of IT at the Vermont Academy, a school in Saxtons River, Vt. “Not only are they asking me to pay to relicense the software, but they are expecting me to get a one-year SmartNet maintenance agreement and to pay an inspection fee.” Although Cisco is only asking Payton for slightly more than $300 each for the software relicensing and the SmartNet agreement, the inspection fee alone is more than $850. Payton is still negotiating with Cisco. “If my sales rep can’t get some of those costs waived, the total cost to me for the 2611 router is over $2,700. Brand new through CDW without my additional discounts, I could get this same unit today with one year of SmartNet for $2,300.”

Portknocking

I read in the June 03 Sys Admin magazine about Portknocking. The basic idea involves using a firewall and log watcher to respond in a user-defined manner to sequences of connection attempts to closed ports. For example, connections to ports 100, 102, 101, and 201 mean "open up secure shell for the source IP address." This is really a twist on the idea of covert channels, but it has lots of possibilities -- including an attacker who brute forces the system to gain access. It's still a neat idea.

The September 03 Sys Admin magazine is available, with the title "Security." I don't see how this is different from June's "Security" issue, but I like to see that much attention given to the subject.


Is anyone else attending the Recent Advances in Intrusion Detection (RAID) conference in Pittsburgh next month? I'll be an attendee doing research for my book. The conference lasts from 8 to 10 Sep and is dirt cheap -- $300 until 15 Aug, $400 afterwards.

Friday, August 08, 2003

Troubleshooting Thunderbird

I've had it with the "upgrade" to the Web-based email I use at Comcast. (I might be revealing too much about how I get my email, but if you wanted to hack me before there was enough info out there to do it already. I'm assuming you have no interest in accessing my mail at this point.) I used to use Comcast's Web-based email system because I constantly rebuilt machines and liked keeping non-work email elsewhere. Now that I've decided Comcast's "new improved" Web-based system is horrible, I looked for a lightweight mail client and found Mozilla Thunderbird:



When choosing a mail client I wanted one that avoided proprietary formats, like those used by Outlook and Outlook Express. Mozilla/Netscape has had a history of keeping mail files in plain text format, which makes importation and manipulation easy. I also like Thunderbird because it supports SSL enabled POP and SMTP, which according to Comcast they support too. SSL-enabled POP works fine, but this is as far as I get with SSL-enabled SMTP:



21:59:52.049456 IP 192.168.2.4.4067 > 216.148.227.125.465:
S 1728039870:1728039870(0) win 16384 (DF)
21:59:52.133043 IP 216.148.227.125.465 > 192.168.2.4.4067:
S 640665924:640665924(0) ack 1728039871 win 65520 (DF)
21:59:52.133152 IP 192.168.2.4.4067 > 216.148.227.125.465:
. ack 1 win 17640 (DF)

As you can see I can complete a three way handshake, but there the process hangs. I posted this to the support forums (reg required) and to their feedback form. I can't wait to see the replies. Update: I received an email stating this could be a problem with Thunderbird.

USENIX Follow-Up

Given that USENIX finished today, I figured I'd say a few words beyond those already uttered this week. I found two of the "ask-the-experts" sessions to be very informative. Steve Bellovin of AT&T Research Labs and Bill Cheswick of Lumeta gave great talks. Yes, I gave the second edition of their book a three star review. Regardless, their USENIX talks were very helpful. After explaining how Lumeta's IPSonar works, Ches told us of a project called RocketFuel which is mapping the Internet, as Lumeta's most current maps aren't shared anymore due to post-9/11 security concerns. I found Cheswick's patent on "Method and apparatus for tracing packets in a communications network".


Mark Seiden gave a great talk on physical security. He believes digital security is superior to physical security, as physical security is dominated by people who believe obscurity is a legitimate way to achieve security. As a result, only criminals and locksmiths know which systems work, and the public is left vulnerable. Several years a group called Anti Security tried promoting a "closed source" movement. Their web site was down today but you can see an archive. (Incidentally, Matt Blaze's research created a firestorm in the physical security community.) Five years ago, Mark discovered a vulnerability in security systems used in airports, which "could enable terrorists to gain control of the electronic
badges that allow employees with security clearance to enter and
leave restricted areas."

Thursday, August 07, 2003

Windows NT on FreeBSD

FreeBSD is my operating system of choice. I'd run FreeBSD as a guest operating system using VMWare and Windows XP as the host OS. Yesterday I managed to do nearly the oppositive. I installed VMWare via the VMWare3 port on my Thinkpad a20p running FreeBSD 5.1, and ran Windows NT 4 within VMWare!




Essentially I installed the port, started vmware.sh, and created a /usr/lib/vmware/licenses/user directory with the license.ws.3.0 file in it. I also executed 'mount_linprocfs linproc /compat/linux/proc' to prepare the Linux emulator. I used an unused VMWare 3 license made obsolete by my VMWare 4 license, and fired it up. Unfortunately, I had trouble getting the network to work (and read in the mailing list this is common), and read only one guest OS per session is allowed. I plan to use Linux as the host OS for my next test.