Posts

Showing posts from January, 2004

Bay Auction for "The Best Sr. Network/Security Engineer"

I searched for "VMS Alpha" today at eBay and found this item for auction by niteraven-99 . This guy has put himself up for bid! "You are bidding on myself to work at your company. I will relocate at my expense and honor any offers received through eBay or otherwise. Here is my information. Over 15 years of extensive experience in the Information Technology Industry. Strengths are in networking, security, firewalls, LAN/WAN, Web Server, Application Server, SQL Server, and Oracle Server technologies including infrastructure design, integration, implementation, performance testing, problem resolution, security and network design, Firewall and IDS Implementation using a variety of platforms and products as well as, managerial and strong leadership skills." The "buy it now" price is $100,000 and the starting price is $50,000. Hurry! The auction ends Jan-30-04 11:57:37 PST.

US-CERT National Cyber Alert System

ZDNet reports on the new National Cyber Alert System , also called the "National Cyber Advisory System." (Two names mean they're off to a great start I guess?) This portion of the new US-CERT provides the public with technical and non-technical email bulletins. I subscribed to both technical lists but have yet to hear back from the mail server. According to the press release : "The new National Cyber Alert System security suite of products includes: Cyber Security Tips: Targeted at non-technical home and corporate computer users, the bi-weekly Tips provide information on best computer security practices and "how-to" information. Cyber Security Bulletins: Targeted at technical audiences, Bulletins provide bi-weekly summaries of security issues, new vulnerabilities, potential impact, patches and work-arounds, as well as actions required to mitigate risk. Cyber Security Alerts: Available in two forms - regular for non-technical users and advanced for

Another Internet Explorer Hole

This Slashdot thread discusses a new Internet Explorer hole posted to NT-BugTraq . A good story at Infoworld makes these comments: "This hole could easily be combined with another Explorer spoofing problem discovered in December. The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented. If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides. We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clic

Installing a Single Port

Image
Thanks to this thread I learned how to install a single port that doesn't appear in the ports tree. For example, GNU netcat just appeared at Freshports.org on 12 Jan. I wanted to install this one port to a FreeBSD 4.9 REL box that hasn't ever updated its port tree, as shown here: moog# ls -al /usr/ports/INDEX* -rw-r--r-- 1 root wheel 4003057 Oct 2 16:55 /usr/ports/INDEX -rw-r--r-- 1 root wheel 4036779 Aug 15 21:56 /usr/ports/INDEX-5 I visited /ports/net/gnetcat and chose the download this directory in tarball option. This copied gnetcat.tar.gz to my system, and I moved it to /usr/local/ports/net. Next I extracted it and ran make and make install: moog# tar -xzvf gnetcat.tar.gz gnetcat/ gnetcat/Makefile gnetcat/distinfo gnetcat/pkg-descr gnetcat/pkg-plist gnetcat/files/ gnetcat/files/patch-src-udphelper.c moog# cd gnetcat moog# make && make install >> netcat-0.7.1.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/. >> Attempting to fe

Review of Introduction to Microprocessors Posted

Image
Amazon.com just posted my five star review of Introduction to Microprocessors . From the review: "John Crisp's Introduction to Microprocessors (ITM) is an excellent book. It has a low average score because the author posted the first review with zero stars, which could be the result of an Amazon.com error. I loved this book. It gets right to the heart of the matter regarding the operations of microprocessors. Anyone who wants to really know what happens inside their CPU will love ITM too." I learned a second edition was just published, so I hope to read and review that book soon.

Blogger is "Atom-Enabled"

Image
I learned by reading the Blogger Knowledge Base that Blogger now exports Blog feeds in the Atom API . This means if your newsreader is Atom enabled , you can subscribe to it like a RSS feed. I found XML-Atom-0.05 at search.cpan.org and saw it was in the FreeBSD ports tree . I first tried NewsMonster which integrates with Mozilla and supposedly supports Atom, but encountered an error when trying to run it. I next tried BottomFeeder , and found the precompiled Linux version worked fine using FreeBSD's Linux application binary interface (ABI). If you use BottomFeeder to access http://taosecurity.blogspot.com/atom.xml , you'll see the screen shot at left.

Review of Intrusion Detection and Prevention Posted

Image
Amazon.com just posted my three-star review of Intrusion Detection and Prevention . From the review: "I had high hopes for "Intrusion Detection and Prevention" (IDAP) as it is the first book to devote chapters to different vendor IDS products. It's also the first to explicitly mention the buzzword "intrusion prevention" in its title. Unfortunately, the book does not deliver the value I expected... I took exception to some of the authors' conclusions. (Keep in mind a team wrote this book.) A cheap shot on page 187 shows the ISS chapter author doesn't understand what real analysts need to "trust" their IDS: "These increases in product signatures have given more customers the capability to trust the comprehensive nature of RealSecure over every other product, including the freeware power player, Snort." Analyst trust is built on transparency and validation, meaning he can see why the product generated an alert, and use additional

Using Sysctl on FreeBSD

Image
I read a thread on FreeBSD-Security about seeing ARP messages on FreeBSD servers acting as firewalls or gateways. Essentially FreeBSD reports seeing the MAC address for the upstream gateway flip-flop. In other words, the upstream gateway reports MAC address X, then Y, then X, and so on. The replies in the thread reported using sysctl to change kernel state. How could you figure this out if you didn't know the appropriate variable to change? First, use grep with sysctl to see if any variables involve ARP: bash-2.05b$ sysctl -a | grep -i arp net.link.ether.inet.log_arp_wrong_iface: 1 net.link.ether.inet.log_arp_movements: 1 These look interesting. What do they mean? bash-2.05b$ sysctl -d net.link.ether.inet.log_arp_wrong_iface net.link.ether.inet.log_arp_wrong_iface: log arp packets arriving on the wrong interface bash-2.05b$ sysctl -d net.link.ether.inet.log_arp_movements net.link.ether.inet.log_arp_movements: log arp replies from MACs different than the one in the cache We

BSD for Linux Users

Image
I just finished reading an excellent article called BSD for Linux Users by Matthew D. Fuller. He gets to the heart of the matter to describe how Linux and BSD are different. Here's an ex cerpt on the idea of the BSD base system : "The concept of the "base system" is something that, I think, causes the most trouble for people used to the Linux methodology. Which is perfectly understandable, because the whole idea just doesn't even exist in the Linux world. Linux, from the start, was just a kernel. Without getting into the eternal debate of what an "operating system" precisely consists of, it's easy to state that a kernel by itself isn't very useful. You need all the userland utilities to make it work. Linux has always been a conglomerate; a kernel from here, a ls from there, a ps from this other place, vim, perl, gzip, tar, and a bundle of others. Linux has never had any sort of separation between what is the "base system" and what i

Microsoft Provides Mozilla 1.6?

Image
Ok, not really. This is the work of a Slashdot poster offering this link . He exploits a vulnerability in Internet Explorer explain by CERT , for which there is not yet a patch...other than running Mozilla .

Network Sorcery Protocol Reference

While doing book research today I discovered the protocol resources at Network Sorecery . They clearly break down protocols by network, transport, and application layers by noting the following: Network layer protocols are assigned EtherTypes, like 0x0806 for ARP, 0x0800 for IPv4, and 0x86DD for IPv6. Transport layer protocols are assigned IP protocol values, like 1 for ICMP, 6 for TCP, 17 for UDP, 132 for Stream Control Transmission Protocol, and so on. Application layer protocols are assigned one or more SCTP, TCP or UDP port numbers, like 23 for Telnet, 80 for HTTP, and so on. Most people argue about what protocols do and forget how they are carried. I like the way Network Sorcery cuts through this issue. Besides describing all of these protocols and showing their header formats, Network Sorcery also links to the RFCs defining their operation.

Installing FreeBSD 5.2 REL on the Thinkpad a20p

Image
Today I installed FreeBSD 5.2 REL on my Thinkpad a20p. I used the FreeBSD Laptop Compatability List and Paul Roe 's example for guidance. I posted my results , such as dmesg output, and my XF86Config for others to reference. Here are a few tweaks to get the system working: I enabled sound with these entries in /boot/loader.conf snd_pcm_load="YES" snd_csa_load="YES" I enabled my SMC wireless NIC with this entry in /etc/rc.conf: ifconfig_wi0="inet 192.168.2.3 netmask 255.255.255.0 ssid myssid wepkey 0xmywepkeyinhex wepmode on" My biggest challenge and favorite achievement was getting Java to work properly. A visit to the FreeBSD Foundation Java site showed it was behind the times. It did give me a pointer to the FreeBSD-Java mailing list , which would prove to be invaluable. I eventually found FreeBSDDom and their patch sets of the Sun JDKs. I also read about the FreeBSD Java Project 's work. I decided to give the /usr/ports/java/jdk14

FreeBSD 5.2 Released Today!

FreeBSD 5.2 was released today. Be sure to read the errata if you have trouble with ACPI . As soon as I download the .iso I need from a mirror I will install 5.2 REL on my Thinkpad laptop. I still use 4.9 on my production systems, although many people report good results with 5.x on their servers. I was sad to see Slashdot repeated last year's debacle with FreeBSD 5.0 by posting news of the "release" prior to the official annoucement. What's wrong with them? I encourage all FreeBSD users to support the project by buying a CD-ROM or T-shirt from FreeBSDMall . I've started buying copies of the releases, and for less than $40 you get four CDs. They include the install CD, and live CD-based distro, and two CDs of precompiled packages. The polo shirt pictured at left is really sharp too, not a flimsy piece of clothing.

Laptopsforless.com Laptop Parts

Slashdot redeemed itself today by posting a good thread on obtaining parts for your laptop. I checked out Laptopsforless.com and was able to browse for parts for my Thinkpad. While my favorite place to buy RAM remains Crucial , I'll keep Laptopsforless in mind when I need a battery or AC adapter.

TCP Sequence Numbers Explained

Image
Today I was reading a new book on "intrusion detection and prevention" which repeats an often misinformed interpretation of TCP sequence numbers. The book said "When either party wishes to send data to the other, it will send a packet with the ACK flag set, with an acknowledgement of the last sequence number (in the Acknowledgement field) received from the remote host, and with its own sequence number incremented to reflect the amount of data being transmitted. " This gets both the acknowledgement and sequence numbers wrong. The following excerpt from my upcoming book The Tao of Network Security Monitoring explains how TCP sequence and acknowledgement numbers work by following a TCP session through Ethereal: This brief section uses Ethereal screen captures to definitively explain TCP sequence numbers. 192.168.2.4 is a workstation named “caine” and 204.152.184.75 is ftp.netbsd.org, contracted to “netbsd” here. Packet 1 shows a SYN from caine to netbsd. The

New Taps from NetOptics

Thanks to NetOptics , I've deployed their 10/100BaseT tap as a replacement for my Finisar model. The NetOptics device is intriguing in that it ships with redundant power inputs. I use a FreeBSD-based solution documented here to combine the two tap TX outputs into a single virtual interface. Beyond the Ethernet-based products shown here, NetOptics offers a variety of alternatives , including devices for tapping multiple ports. Shortly I hope to try NetOptics new 10/100BaseT Port Aggregator Tap . This device has a single output, which removes the need for combining two TX outputs. Unlike a competitor's product, the Aggregator Tap specifically addresses the issues of combining streams which may exceed 100 Mbps: "For cases where the NIC’s capacity is exceeded – for instance, if there is a traffic burst, and the 100 Mbps NIC is now receiving 140 Mbps of traffic – port buffering is offered as an additional innovative feature to help prevent data overload. Buffered memo

A FreeBSD Kernel Module for Generating NetFlow Records

Image
While visiting SourceForge, I queried for NetFlow and found ng_netflow , a NetGraph -based kernel module for FreeBSD. The project was started this week and the first release, ng_netflow 0.1, occurred three days ago! The author warns that this early version is for demonstration only, as the method ng_netflow uses to time out flow records can be extremely slow. With ng_netflow in the kernel, however, this method has the possibility for being much faster than userland implementations like Fprobe. I tested ng_netflow on a FreeBSD 4.9 system named janney, with IP address 172.27.20.5. To use ng_netflow, download the archive and extract it. Change into the ng_netflow-0.1 directory and execute ‘make’. janney# tar -xzf ng_netflow-0.1.tar.gz janney # cd ng_netflow-0.1 janney # ls CVS Makefile flowctl ChangeLog README ng_netflow janney # make && make install ...edited... ===> ng_netflow install -o root -g wheel -m 555 ng_netflow.ko /modules i

rying Tenable's NeWT Security Scanner

Image
After watching this TechTV piece on Tenable Security 's new NeWT (Nessus Windows Technology) Security Scanner, I downloaded the trial version. It expires 31 Jan 04 and will scan the same class C address as the system on which it is run. I tried it on a Windows XP laptop with 384 MB RAM and a 1 GHz Pentium III CPU. It installed easily, accepting that I already had version 3.0 of WinPcap loaded. Within minutes I was scanning one of the other systems on the same class C as my laptop. NeWT has a very "Windows Update" or Microsoft Baseline Security Analyzer feel to it. It's easy to configure and navigate, and the report results were clear. NeWT is a Windows port of the Nessus engine. Currently the open source version of the Nessus server is UNIX-only, with clients for configuring scans available for Windows or UNIX. NeWT brings the power of Nessus to those preferring to scan from a Windows platform. Tenable sells two versions of NeWT: one for $500, and one f

Using Device Polling and More to Improve Packet Capture

Image
I just read a fascinating paper by Luca Deri, author of Ntop , about "Improving Passive Packet Capture: Beyond Device Polling" ( .pdf ). Luca claims that out of the box, Windows 2000 performs better as a traffic collection platform under high loads (~80 Kpps), capturing 68% of traffic compared to 34% for FreeBSD and 0.2% for Linux kernel 2.4.x. Linux's performance improves to 1% if the mmap libpcap version is used, and up to 4% if a Netfilter-based loadable kernel module is used. These percentages sound off to me. Luca explains the results: "An explanation for the poor performance figures is something called interrupt livelock. Device drivers instrument network cards to generate an interrupt whenever the card needs attention (e.g. for informing the operating system that there is an incoming packet to handle). In case of high traffic rate, the operating system spends most of its time handling interrupts leaving little time for other tasks. A solution to this probl

Happy 1st Birthday TaoSecurity Blog

Image
Today this Blog is one year old. My first post was 8 Jan 03 . I started this Blog as a "hard drive for my brain," since I dislike keeping bookmarks and I prefer to place Internet links and news within context. I decided today to try to get VMWare 3.x working fully within FreeBSD, so I installed the VMWare3 port (version vmware3 3.2.1.2242-2) on my FreeBSD 4.9 STABLE system. First I made this change as recommended by the port install directions: janney# sysctl kern.ipc.shm_allow_removed=1 kern.ipc.shm_allow_removed: 0 -> 1 I then added this line to /etc/sysctl.conf to enable this at boot time: kern.ipc.shm_allow_removed=1 I then mounted linproc: janney# mount_linprocfs linproc /compat/linux/proc janney# mount /dev/amrd0s1a on / (ufs, NFS exported, local) /dev/amrd0s1h on /home (ufs, local, soft-updates) /dev/amrd0s1g on /tmp (ufs, local, soft-updates) /dev/amrd0s1e on /usr (ufs, local, soft-updates) /dev/amrd0s1f on /var (ufs, local, soft-updates) procfs on /proc (procf

Finisar Tap Advice Strains the Brain

Image
At left is an image of the Finisar Ethernet tap I use in my basement to monitor traffic. I wrote about it last July when I explained the bad design of Intrusion Inc's tap. Today I was trying to find the UTP IL/1 at Finisar's site . I didn't find it, but I did find a document which shocked me. It's titled "Using Single Port Taps with IDS Systems" ( .pdf ). (Note to self: Intrusion Detection System Systems?) This document mentions the IL/1 and advocates plugging the tap outputs into a hub . The problem with this is simple: a tap preserves the full-duplex nature of a link between switches. Full-duplex means both ends can transmit simultaneously. What happens to packets transmitted simultaneously when they enter a hub? BANG -- collision. That's no problem on a half-duplex medium like unswitched Ethernet, since the transmitters will sense the collision (hence Carrier Sense Multiple Access Collision Detection ). The parties will back off and retrans

Options for Security Shell History in FreeBSD

I was looking for a tool to secure shell histories in FreeBSD. Ideally I was looking for the FreeBSD equivalent of Snare , which can record user activities on Linux, Windows, and Solaris. I learned today Snare is the foundation for the Forensix Project . The Honeynet Project links to several tools, including the Sebek LKM. Ryan Barnett of honeypots.sf.net wrote an extensive guide ( .pdf ) to Snare usage. Unfortunately I couldn't find exactly that, but I did locate this excellent article at DefCon1.org . The author explains how to use FreeBSD's chflags utility to prevent users from deleting the Bash .history file. The author also explains how to set up process accounting via acct and mentions briefly how to use the sa and lastcomm utilities. His recommendations worked on one of my FreeBSD 4.9 REL boxes as described.

Review of Understanding Open Source Software Development Posted

Image
Amazon.com just posted my four star review of Understanding Open Source Software Development , a new addition to my Listmania List on Management and Policy . From the review: "UOSSD is the perfect introduction to OSS for those outside the community. The book takes a fairly balanced look at the people and processes which define the open source movement. Although some aspects of the book have grown stale over the last three years, I still recommend UOSSD to those desiring a deeper look at the open source phenomenon." This is my first new review of 2004. Last year I read and reviewed 33 technical books.

Binary Patching with OpenBSD

I tried the Binpatch binary patching system for OpenBSD today on an OpenBSD 3.3 system. I downloaded each of the archives listed for my version and then architecture, and sequentially applied them starting with 001 and ending with 008. The binpatch author Gerardo Santana Gómez Garrido told me I could avoid applying all of the kernel patches if I installed the newest one, but all of the userland patches needed to be applied. Since it was simple enough to install all of the eight archives, I tried that. Essentially I downloaded all eight archives and applied each as follows. So, to apply the first set of patches: wget http://www.openbsd.org.mx/pub/binpatch/3.3/i386/binpatch-3.3-i386-001.tgz tar -xzvpf binpatch-3.3-i386-001.tgz -C / Then I downloaded the second set and untarred them, and so on. When I was done I rebooted and found my system had a new kernel: OpenBSD 3.3 (GENERIC) #3: Sat Oct 4 12:38:19 CDT 2003 santana@santana.openbsd.org.mx:/root/binpatch/work-binpatch-3.3/

Chaosreader Rocks

For a while I've been looking for a program to extract application layer data from pcap files. We all know how to rebuild sessions using Ethereal and some of us know about tcpflow. Today I found Chaosreader . It's a Perl script which parses pcap or snoop files and extracts email, images, HTML, telnet sessions, and other application data. I think this part of the Perl script defines its capabilities: # These ports have been selected to be saved as coloured 2-way HTML files # @Save_As_HTML_TCP_Ports = (21,23,25,79,80,109,110,119,143,513,514,1080, 3128,4110,5000,5555,6660,6665,6666,6667,6668,7000,8000,8080,9000); @Save_As_HTML_UDP_Ports = (53); # # These ports have been selected to be saved as realtime playback scripts # (telnet, login, and numerous IRC ports) # @Save_As_TCP_Playback_Ports = (23,513,4110,5000,5555,6660,6666,6667, 6668,7000,8000,9000); @Save_As_UDP_Playback_Ports = (7); Chaosreader presents the information in .html files for easy browsing. When it rebu

Ipsumdump Summarizes Network Traffic

I came across Ipsumdump today. It's a program to read traffic and summarize what it sees in a user-defined format on one line. In the example below I watch the sf1 interface in real time and tell Ipsumdump to show a timestamp, source IP and port, and destination IP and port. Ipsumdump works against multiple interfaces simultaneously as well as pcap files and NetFlow traces. In the example below the first two packets are an ICMP echo and echo reply, followed by the beginning of an SSH session. bourque# ipsumdump -tsSdD -i sf1 warning: sf1: no IPv4 address assigned !IPSummaryDump 1.1 !creator "ipsumdump -tsSdD -i sf1" !host bourque.taosecurity.com !runtime 1073092478.545313 (Fri Jan 2 20:14:38 2004) !data timestamp ip_src sport ip_dst dport 1073092486.925087 172.27.20.11 - 192.168.60.3 - 1073092486.925253 192.168.60.3 - 172.27.20.11 - 1073092529.535523 192.168.50.2 23924 192.168.60.3 22 1073092529.535689 192.168.60.3 22 192.168.50.2 23924 1073092529.543094 192.168.5