TaoSecurity Blog

Don't care to see Macromedia Flash on Web sites while using Firefox ? Try installing Flashblock . You can install the .xpi file as a user and have it work at sites like Tom's Hardware as soon as you restart Firefox. Another cool plugin for Firebird (or Mozilla for that matter) is Live HTTP Headers . You can use this plugin to watch your browser's HTTP requests and the server's HTTP responses. To install this plugin, change the permissions on your /usr/X11R6/lib/firefox/lib/mozilla-1.6/components and /usr/X11R6/lib/firefox/lib/mozilla-1.6/chrome directories to be writable by the user installing the plugin. Alternatively, run Firefox as root and then install the plugin. Update : Check out the Web Developer Firefox extension. It's incredibly powerful.

I'd read Tracking for Multiple Machines in the FreeBSD Handbook , which gives hints on building the FreeBSD userland, or "world," and kernel on one system and installing them on another system. You might do this because the target system is slow and your build machine is fast, or because you prefer to let production machines serve users rather than use CPU cycles rebuilding the world and kernel. Inspired by this post , I decided to try building the world and kernel on my package builder, "neely," and installing them on target systems. I chose my sensor platform "bourque," as a test system. First I made sure that neely's world was up to date. I'm tracking the security release of FreeBSD 5.2 (which takes care of 5.2.1). My /usr/local/etc/release-supfile looks like this, with all of the commented lines removed: *default host=cvsup16.FreeBSD.org *default base=/usr *default prefix=/usr *default release=cvs tag=RELENG_5_2 *default delete use-re

Tom's Hardware wrote a good article titled Gigabit Ethernet: On-Board Chips Reviewed . It explains the importance of high bandwidth PCI buses. I recommend reading it, but keep in mind the following feedback I sent the site: Hello, I found your article "Gigabit Ethernet: On-Board Chips Reviewed" useful. I'm really glad to see someone authoritatively discuss NIC issues. However, I think you use some throughput terms in odd ways. I believe a few changes could make it easier for the reader to appreciate your analysis. For example, here you say "133 MB/s," presumably to mean 133 MegaBytes per second, for the bandwidth of a 32 bit 33 MHz PCI bus. That is correct. Farther down the same page, you mention "a 100 MBit interface," which I guess you mean 100 Megabits per second. Would it not be better to standardize on 133 MBps and 100 Mbps, respectively? Just after that you say "2 GBit/s or 266 MBit/s". This is where you are mixing these t

Today I upgraded the flash and system RAM in my Cisco 2651XM router. Before upgrading the router memory, I had this in place: C2600 platform with 65536 Kbytes of main memory 16384K bytes of processor board System flash (Read/Write) I bought 64 MB extra main memory and 16 MB extra flash memory. When I opened up the router, the insides looked like this diagram : I had a single 64 MB DRAM DIMM in the "Primary memory" slot with one free. I had no memory in the "System-code SIMM (Flash memory)" slot, since the 2651XM must ship with 16 MB on the motherboard. Once I snapped in the extra memory, my router recognized it without any trouble, as will be seen later. I also decided to upgrade from a 12.2 release to 12.3. My old IOS was 12.2(11)T10, which corresponded to the c2600-ik9s-mz.122-11.T10.bin image. The 'show flash' command showed this after the memory upgrades: gill#sh flash System flash directory: File Length Name/status 1 14962584 c2600-ik9

I've been following an interesting thread on snort-users about collecting alert data on high speed networks. Users are debating how much traffic Snort can handle. One way to at least start answering this questions is to enable the performance monitor . Vjay Larosa 's post was helpful, as it pointed me towards perfmon-graph . This Perl script works with Snort performance monitor output and RRDtool output to produce graphs of Snort performance statistics. Using perfmon-graph requires two steps. First, enable Snort to output the statistics you need to a text file. Add the following line to your snort.conf file: preprocessor perfmonitor: time 60 file /nsm/snort/perfmon.txt pktcnt 500 This tells Snort to output statistics every 60 seconds to a file called /nsm/snort/perfmon.txt The perfmon-graph README warns us not to set the number following 'pktcnt' too high. For example, if 500 packets are not collected in 60 seconds, then we will not get a statistics output.

Last year I wrote about installing open source software on two commercial UNIXes, Solaris and HP-UX. Today I want to document how to install a few software packages on another commercial UNIX -- AIX. First, I needed to get the ever popular wget onto the AIX 5.1 box to make retrieval of other software easier. I retrieved a wget package from UCLA's Public Domain Software Library for AIX using ftp. I then followed their instructions to extract and install the binary package: # zcat wget.1.9.1.tar.Z | (cd /; tar xvpf -) x ./usr/local/bin/wget, 619059 bytes, 1210 media blocks. x ./usr/local/info/wget.info, 2576 bytes, 6 media blocks. x ./usr/local/info/wget.info-1, 45301 bytes, 89 media blocks. x ./usr/local/info/wget.info-2, 50448 bytes, 99 media blocks. x ./usr/local/info/wget.info-3, 44699 bytes, 88 media blocks. x ./usr/local/info/wget.info-4, 30878 bytes, 61 media blocks. x ./usr/local/man/man1/wget.1, 58351 bytes, 114 media blocks. That's it. Now I have /usr/local/

This weekend at BSDCan Michael Richardson mentioned a security-oriented IETF working group I'd never heard of before. It's called Incident Handling and its purpose is "to define a data format for exchanging security incident information used by a CSIRT." Also: "The working group has created four documents. A data model named the Incident Object Description Exchange Format (IODEF), and an associated implementation in an XML DTD, is the format defined for exchanging incident data. The IODEF conforms to a set of requirements for a Format for INcident Report Exchange (FINE). Additionally, guidelines for implementors are provided." Although the official working group site links to the project schedule and the documents they've written, working group chair Roman Danyliw's unoffical site is informative too. (Yes, that's the same Roman who developed ACID .) The INCH mailing list archive shows plenty of recent activity. This is a nice departu

Sguil developer Michael Boman gave four presentations to the Linux Users Group Singapore this month. They discuss IDS, Snort, ACID, and Sguil. I recommend perusing them at boseco.com . These presentations are viewable online and are a good introduction for people trying to understand IDS from the ground up. I found the Snort presentation helpful for its concise Snort development timeline .

freebsd.png" align=left>The Mar-Apr 04 FreeBSD Status Report brings many glad tidings. The best in my opinion is word of a new version of Kirk McKusick 's classic, called The Design and Implementation of the FreeBSD Operating System (here's the Amazon.com link ). It doesn't get any better than this, folks. Kirk wrote the definitive BSD book, The Design and Implementation of the 4.4 BSD Operating System , in 1996. This long-awaited update is "based on FreeBSD 5.2 and the upcoming FreeBSD 5.3 releases... It is now in final production by Addison-Wesley and will be available in early August 2004. The ISBN is 0-201-70245-2." I can't wait for this one. The report also mentioned availability of OpenOffice.org packages for FreeBSD and updates on the TrustedBSD Security-Enhanced BSD (SEBSD) project. I missed Robert Watson's talk at BSDCan.org due to attending Michael Richardson's libpcap 1.0 discussion. There are several papers on TrustedBS

Yesterday I mentioned the report of the theft of Cisco's IOS. While I have no evidence to support this theory, I always assumed that various nefarious parties already had access to some or all of Cisco's previous IOS versions. While access to source code is not necessary to discover vulnerabilities, the allure of obtaining such a prize (for intellectual and competitive intelligence pursuits) made theft a likely scenario. The February report of the theft of Microsoft's source surely did not represent the first time unsavory parties had access to that intellectual property, either. What does this event mean for Cisco? I found several excellent News.com articles which gave me food for thought. First, last month News.com reported that Cisco will release a new version of IOS on a new product this summer. This new device, the Huge Faster Router (HFR), is designed to compete with Juniper's core routing product , the T640 (Juniper gear pictured below). The new vers

Last month I described the security/portaudit tool, which checks for vulnerable ports and prevents their installation. Sometimes it's reasonable to install a port that has a vulnerability, if the risk is acceptable. For example, the databases/mysql-client port currently reports a security problem when I try to install it: neely:/usr/ports/databases/mysql40-client$ make ===> mysql-client-4.0.18_1 has known vulnerabilities: >> MySQL insecure temporary file creation (mysqlbug). Reference: >> Please update your ports tree and try again. This is a minor problem affecting only the 'mysqlbug' script, not core mysql client functionality. We may not see a fix in the MySQL distribution until 4.0.19. Thanks to Michael Nottebrock, I learned how to install a port with a vulnerability: neely:/usr/ports/databases/mysql40-client$ make -DDISABLE_VULNERABILITIES ===> Vulnerability check disabled >> mysql-4.0.18.tar.gz doesn't seem to exist in /usr/ports/

I first read this on the NANOG list, but it appears to have been broken by BugTraq . According to this translation of the original Russian story : "As it became known to SecurityLab, the source code of operating system CISCO IOS 12.3, 12.3t, which is used in the majority of Cisco network devices has been stolen on May 13, 2004. The total volume of the stolen information represents about 800MB in an archive file." The Russian site shows "ipv6_discovery_test.c -- Neighbor Discovery unit tests" and "ipv6_tcp.c -- IP version 6 support functions for TCP" as some sample code. Update : This was my 500th Blog post.

Day two of the first ever BSDCan is over. This concludes the conference, which we believe was a great success. Dan Langille reported over 175 attendees and is making plans for a second conference next year. I started the day with Michael Richardson discussing libpcap 1.0 . Michael described how the current libpcap file format, major version 2 minor version 4, will eventually become major version 3. The current format presents a header (pcap_file_header) for every trace file as well as per-packet headers (currently pcap_pkthdr), making it difficult to concatenate two separate trace files. The proposed new version eliminates this header and uses more per-packet headers to facilitate mixing packets from various sources into a single trace file. Compare pcap.h and pcap1.h to get a sense of what he means. Besides the new header Michael discussed, he also presented a two year old alternative format with its own issues. I also learned to pay attention to the savefile.c file,

Day one of BSDCan today was great. I first attended Network Buffer Allocation in the FreeBSD Operating System by Bosko Milekic . He gave an overview of changes made in FreeBSD 5.x to improve TCP/IP performance, especially on SMP systems. I then heard conference organizer Dan Langille discuss Bacula , a backup solution I intend to try. After lunch I presented Network Security Monitoring with Sguil , which was fun. The last formal talk I saw was by Poul-Henning Kamp . He described GEOM-based Disk Encryption . Browsing the freebsd-current mailing list, I found a thread discussing novel ways to use GEOM and GBDE called ggate or GEOM gate. Check it out in src/sbin/ggate . The thread discusses using ggate to encrypt a floppy. I also spent some time in a BoF on IPSec and learned about isakmpd , an alternative to racoon for managing IPSec keys. It's in security/isakmpd too.

Wednesday I reported the publication of an exploit for the FTP service used by the Sasser worm . Now there's a new worm called Dabber exploiting the same vulnerability in Sasser's FTP service. Read each link for LURHQ 's analysis of each worm. If you've been seeing increased scans to ports 9898 and 5554 TCP, you'll know why after reading the advisories. Port 5554 TCP is the Sasser FTP server. Port 9898 is the Dabber back door.

I found this Neowin.net article to be a good summary of future Microsoft OS release plans. The key points I noted are: Microsoft is adopting a "4 year release schedule for Windows Server then that would place Windows Server Longhorn in 2007 (4 years from Server 2003)" "[W]e'll be seeing Windows Client Longhorn in 2006" "Microsoft will release an update every 2 years after an initial major release which refreshes the Operating System with add-ons, security fixes and new features. The next planned update is for Windows Server 2003 which is due to be released in 2005 and currently code-named R2."

A visit to Amazon.com reveals a page for my book . Amazon.com reports the publication date as 14 July 2004. This is a little earlier than I expected, but everything remains on schedule. Perhaps my publisher built in a little time for problems, and thankfully we haven't had any major difficulties yet. You may notice the cover is similar to Secure Architectures with OpenBSD and the second edition of Know Your Enemy . All three books are part of Addison-Wesley's new lineup of security books.

I'm taking another look at Debian , as I may need to run some software tied to Linux firewalling software not found on FreeBSD. I took advantage of a few good articles, including Introduction to Debian Software Package Management , the Apt How-To , Apt-Pinning for Beginners , and Using APT with more than 2 sources . Following their advice I created an /etc/apt/sources.list like this: #Stable deb http://ftp.us.debian.org/debian stable main non-free contrib deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free #Testing deb http://ftp.us.debian.org/debian testing main non-free contrib deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free #Unstable deb http://ftp.us.debian.org/debian unstable main non-free contrib deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free #Security deb http://security.debian.org/ stable/updates main contrib non-free I created an /etc/apt/apt.conf file to address some me

We've heard of intruders exploiting systems already infected by worms, but this is another way to take advantage of poorly deployed systems. A Romanian coder released sasserftpd.c recently. This code attacks the FTP server used by Sasser to propogate. The rogue Sasser FTP server listens on port 5554 TCP on versions a through d and port 1023 TCP on version e. The Romanian exploit attacks this FTP server.

Dan Langille just added me to the schedule at BSDCan , the first BSD Canada conference. I'll be presenting Network Security Monitoring with Sguil on Friday at 2 pm. I plan to discuss many short case studies on using Sguil to detect and validate security incidents, followed by a short live demo of Sguil on FreeBSD. Come by and say hello!

I want to note a couple of helpful hints I stumbled across. First, I learned something new about the xterm program. I run FreeBSD on many systems and start X manually with 'startx'. One system has Windowmaker for a window manager. When I launch an xterm, the new instance doesn't read .profile. This means the prompt stays with the default, rather than changing to suit my needs. For example, my .profile has this entry to change the prompt: PS1='`hostname -s`:$PWD$ ' This creates a prompt like this: drury:/var/log$ Unfortunately, prior to today I manually sourced the .profile to change the prompt, using '. .profile' in the user's home directory. While perusing this Unix for Advanced Users guide, I came across this article: Is my .login or .profile being used? . It explained that I needed to start xterm with the '-ls' option to specify it running as a login shell. In that case it will read the user's .profile. Here is the menu comman

I was looking to upgrade a few packages installed from Sunfreeware.com when I stumbled upon Blastwave.org . Blastwave.org is a "community software" (CSW) site which emulates the Debian apt-get system for installing Solaris packages. Once you install the pkg-get package, you can install Solaris software as easily as this: pkg-get install mutt Pkg-get installs the dependencies and the desired package. The executable's home is /opt/csw/bin, unlike /usr/local/bin for packages installed from Sunfreeware.com. Here is a comparison of how mutt, from Blastwave.org, and OpenSSH, from Sunfreeware, appear to pkginfo: bash-2.03$ pkginfo | grep mutt system CSWmutt mutt - Command line email reader with IMAP and SSL support bash-2.03$ pkginfo | grep ssh application SMCossh openssh Perusing the mailing list archive , it seems users are enthusiastic. I hope this project continues to improve and update its package selection. Keep in mind that so

I'm interested in experimenting with IPv6 at some point. Since most of the operating systems I use in my lab have IPv6 stacks, I plan to run a native IPv6 VLAN internally. I'm also interested in connectivity to other IPv6-enabled sites. This OpenBSD Journal article offers a few options for people wanting to use IPv6 across the IPv4 Internet. I plan to try one of these solutions and post my results here in the future.

Normally a change from a 2.0.5 to 2.0.6 release wouldn't be big news. That's not the case with Argus , however. 2.0.6 has been about a year in the making. Argus is the world's longest living open source session data collection program. It runs on most any UNIX distribution and appears in my book. Give it a try!

Visitors to www.taosecurity.com will notice they are no longer redirected to mywebpages.comcast.net/taosecurity . I've started hosting TaoSecurity.com at Niuhi.com , co-operated by a fellow security consultant. This move should only have positive effects. If you bookmarked the old Comcast site, please use www.taosecurity.com .

This morning when checking for updated applications I saw that lang/ruby18 was updated recently: drury:# portversion -v | grep ruby ruby-1.8.1_2 < needs updating (port has 1.8.1.2004.05.02) ruby18-bdb1-0.2.2 = up-to-date with port I remembered what trouble we had with Ruby and Portupgrade a few months ago, so I used Portupgrade to upgrade Ruby by itself: drury# portupgrade -v ruby^M ---> Session started at: Tue, 04 May 2004 12:16:17 -0400 ---> Upgrade of lang/ruby18 started at: Tue, 04 May 2004 12:16:19 -0400 ---> Upgrading 'ruby-1.8.1_2' to 'ruby-1.8.1.2004.05.02' (lang/ruby18) ---> Build of lang/ruby18 started at: Tue, 04 May 2004 12:16:19 -0400 ---> Building '/usr/ports/lang/ruby18' >> ruby-1.8.1-2004.05.02.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/ruby. >> Attempting to fetch from ftp://ftp.iij.ad.jp/pub/lang/ruby/snapshots/. Receiving ruby-1.8.1-2004.05.02.tar.bz2 (2395420 bytes)

Amazon.com just published my four star review of Network Security Assessment . From the review: " Network Security Assessment (NSA) is the latest in a long line of vulnerability assessment / penetration testing books, stretching back to Maximum Security in 1997 and Hacking Exposed shortly thereafter. NSA is also the second major security title from O'Reilly this year, soon to be followed by Network Security Hacks . NSA is a good book with some new material to offer, but don't expect to find deep security insight in this or similar assessment books. NSA begins with the almost obligatory reference to the king of assessment books, Hacking Exposed (HE), saying 'I leave listings of obscure techniques to behemoth 800-page "hacking" books.' I don't think some of the techniques covered in HE but not NSA are "obscure." Noticably lacking in NSA is coverage of dial-up techniques, wireless insecurities, Novell vulnerabilities, and attacking clien

Amazon.com just posted my five star review of Ethereal Packet Sniffing . From the review: " Ethereal Packet Sniffing is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. Ethereal is full of helpful tips and clear discussions that benefit newbies and wizards alike. I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material is Ethereal's development, from 0.2 in July 1998 to 0.10.3 this year. (The book covers 0.10.0 which is far from being outdated.) The many improvements lend themselves to the sort of explanations found in Ethereal . For example, my favorite material involved filters. Although chs. 4 and 5 had minor overlap regarding this feature, I learned new ways to manipulate Ethereal's packet search and display capabilities."

Today while using portupgrade to update my ports tree, I ran into this problem. The process was trying to upgrade OpenMortal when it died: ---> Uninstallation of openmortal-0.6 ended at: Sat, 01 May 2004 18:26:13 -0400 (consumed 00:02:22) ---> Upgrade of games/openmortal ended at: Sat, 01 May 2004 18:26:13 -0400 (con sumed 00:02:28) [Updating the pkgdb in /var/db/pkg ... - 258 packages found (-1 +0) (...)ruby18 in malloc(): error: allocation failed Abort (core dumped) That didn't look good. I tried this and got similar results: orr:/root# portversion -v [Updating the pkgdb in /var/db/pkg ... - 258 packages found (-1 +0) (...)ruby18 in malloc(): error: allocation failed Abort (core dumped) At this point I decided to try rebuilding the package database: orr:/var/db/pkg# mv pkgdb.db pkgdb.db.broken orr:/var/db/pkg# pkgdb -F ---> Checking the package registry database [Rebuilding the pkgdb in /var/db/pkg ... - 258 packages foun d (-0 +258) ..........................

While reviewing a new book on Ethereal , I learned about the Packet Details Markup Language (PDML). PDML is a way to express a packet in XML format. For example, here is an ICMP echo request: tethereal -n -r snort.log.1082637820 -T pdml icmp <?xml version="1.0"?> <pdml version="0" creator="ethereal/0.10.3"> <packet> <proto name="geninfo" pos="0" showname="General information" size="60"> <field name="num" pos="0" show="1" showname="Number" value="1" size="60"/> <field name="len" pos="0" show="60" showname="Packet Length" value="3c" size="60"/> <field name="caplen" pos="0" show="60" showname="Captured Length" value="3c" size="60"/> <field name="timestamp" pos="