TaoSecurity Blog

Have you ever used Tcpdump 's -d option? The man page says: -d Dump the compiled packet-matching code in a human readable form to standard output and stop. I've never used that option before, but I just saw a Tcpdump developer use it to confirm a Berkeley packet filter in this thread . The user in the thread is trying to see TCP or UDP packets with a source address of "centernet.jhuccp.org" (162.129.225.192). First he specifies an incorrect BPF filter, which the developer then corrects . This is mildly interesting, but the useful information on the -d option appears in this post . Tcpdump developer Guy Harris interprets output from the -d option: > www:~# tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp > or \\udp \) > (000) ldh [12] > (001) jeq #0x800 jt 2 jf 8 > (002) ld [26] > (003) jeq #0xa281e1c0 jt 4 jf 8 > (004) ldb [23] > (005) jeq #0x6 jt 7

Are you still running Red Hat Linux 7.3 or 9.0? What about Fedora Core 1? If you want to keep those systems patched now that Red Hat has suspended support, consider the Fedora Legacy Project . I just read their advisory for Tcpdump , notifying users of updated libpcap and Tcpdump packages. (Note: The URLs in the advisory are funky. Visit http://download.fedoralegacy.org/redhat/9/updates/i386/ to access the RPMs for Red Hat Linux 9.0 directly.) I used their libpcap and Tcpdump RPMs to patch a system and had no problems.

I previously reported my successful installation of FreeBSD on a Soekris net4801. While the Soekris is a really popular small form factor system, it lacks a fan to keep moving components (like laptop HDDs) cool. It's also not the sort of system you can use to replace a tower PC, since it doesn't have video output, a CD, or mouse and keyboard inputs. If you need the sort of functionality a true PC provides, but want small form factor, check out Padova Technologies . I just installed FreeBSD 5.3-BETA6 on their SlickNode Mini PC . You can see my dmesg output at the NYCBUG dmesg archive. The box is equipped with two NICs -- one is an Intel NIC (fxp0) and the other is unfortunately a Realtek NIC (re0). When you order a SlickNode you can opt for a quad NIC to be installed, or a Wi-Fi card, or several other options. This is a great appliance box for systems that need more of a PC's functionality.

This fall will see the release of upgrades to several open source operating systems I use. First, FreeBSD 5.3 is currently scheduled to be released on 17 October. Over the weekend a sixth beta was cut and a seventh and final beta will be produced this weekend. The following week a release candidate (RC) will arrive. Although no second RC is planned, I expect to see one. The arrival of FreeBSD 5.3 RELEASE will mark the 5.x tree as STABLE. The current STABLE tree, 4.x, will go into maintenance mode. The 6.0 tree is already marked as CURRENT; that's where cutting edge developments are introduced before being "merged from CURRENT" (mfc) to the STABLE tree. I recommend anyone interested in trying FreeBSD for the first time wait until 5.3 is released in mid-October. FreeBSD 5.2.1, the latest in the 5.x tree, arrived in February 2004. On Monday RC1 for NetBSD 2.0 was announced . NetBSD 2.0 has been several years in the making. The last version, 1.6.2 , was a patch

Adam Shostack posted a response to my Thoughts on Digital Crime blog entry. Essentially he questions the "bandwidth" of the law enforcement organizations I listed, i.e., their ability to handle cases. The FBI CART Web page says "in 1999 the Unit conducted 2,400 examinations of computer evidence." At HTCIA I heard Mr. Kosiba state that thus far, in 2004, CART has worked 2,500 cases , which may involve more than one examination per case. The 50+ CART examiners and support personnel and 250 field examiners have processed 665 TB of data so far this year! The CART alone spends $32,000 per examiner on equipment when they are hired, and another $12,500 per year to upgrade each examiner's equipment. This is a sign that the DoJ is pouring money into combatting cyber crime. Of course local and state police do not have the same resources, but especially at the state level we are seeing improvements. If more resources are being plowed into cybercrime, what

One helpful speaker at the HTCIA conference was Timothy Kosiba of the FBI Computer Analysis and Response Team (CART). (Some people say "CART Team." These are probably the same people who say "NIC Card," forgotting "NIC" means "Network Interface Card.") Mr. Kosiba explained the rising importance of forensic lab accreditation by the American Society of Crime Laboratory Directors / Laboratory Accreditation Board (ASCLD/LAB). Apparently the CART parent organization, the FBI Lab , only attained ASCLD/LAB accreditation four years ago, in the wake of the OJ Simpson trial. What might ASCLD/LAB accrediation entail? A few excerpts from the Proposed Revisions to 2001 Accreditation Manual provides a few hints, as the ASCLD/LAB documents are not available for free: "2.11 Digital Evidence Principle Examiners must have mastery of the theories, procedures, and techniques necessary to produce reliable results and conclusions. Standards and Cri

Last week I spoke at and attended the High Technology Crime Investigation Association International Conference and Expo 2004 . The keynote speaker was US Attorney General John Ashcroft. Although I spent time furiously copying notes on his speech, the text is online . Not printed in that text was the AG's repeated theme: the US Department of Justice and Federal Bureau of Investigation are committed to "protecting lives and liberty." I thought this was a curious stance given the recent efforts to scale back the Patriot Act . The AG mentioned that "protect[ing] the United States against cyber-based attacks and high-technology crimes" is the number 3 FBI priority . I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to op

Speaking of attacking appliances , a Rigel Kent Security advisory claims: "Three high-risk vulnerabilities have been identified in the Symantec Enterprise Firewall products and two in the Gateway products. All are remotely exploitable and allow an attacker to perform a denial of service attack against the firewall, identify active services in the WAN interface and exploit the use of default community strings in the SNMP service to collect and alter the firewall or gateway's configuration. Moreover, the administrative interface for the firewall does not allow the operator to disable SNMP nor change the community strings. The Gateway Security products are vulnerable to all but the denial of service issue." Symantec's advisory states: "Symantec resolved three high-risk vulnerabilities that had been identified in the Symantec Firewall/VPN Appliance 100, 200 and 200R models. The Symantec Gateway Security 320, 360 and 360R are vulnerable to only two of the issue

The latest Symantec Internet Security Threat Report (volume VI) was released this week, along with Six Secrets of Highly Secure Organizations by CIO , CSO , and PricewaterhouseCoopers . The Symantec report requires "registration," but in return you receive a hefty 50 pages or so of data (ignoring the blank pages, covers, etc.) Here are a few excerpts I found interesting: "Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days... This means that, on average, organizations have less than a week to patch all their systems on which the vulnerable application is running. Over the first six months of 2004, the number of monitored bots rose from well under 2,000 computers to more than 30,000. Over the first six months of 2004, Symantec observed worm traffic originating from Fortune 100 corporations. This data was gathered not by monitoring the Fortune 100 companies themselves, but b

Amazon.com just posted my four star review of High-Tech Crimes Revealed: Cyberwar Stories From The Digital Front . From the review: "Prior to 'High-Tech Crimes Revealed' (HTCR) I read and reviewed 'Stealing the Network: How to Own a Continent' (HTOAC). While HTOAC is fictional and written almost exclusively from the point of view of the 'hacker,' HTCR is mostly true and written from the law enforcement perspective. On the strength of the cases described in the first half of the book, I recommend HTCR as an introduction to the mindset needed to pursue and prosecute cyber criminals. Author Steve Branigan brings a unique perspective to his book. In 1986-7 Branigan was a patrolman in the Seaside Heights Police Department, but three years later he investigated telecom incidents for Bell Communications Research. Later work at Lucent and Bell Labs prepared him for co-founding Lumeta in 2000. His experience with telecom security differentiates the book from tho

Do you have any Gmail invitations you don't need? Do you want a Gmail account? If the answer to either question is yes, visit isnoop.net . Their "Gmailomatic" site will accept invitations sent activated by clicking "Invite a friend to join Gmail!" from within your Gmail account. Send the invite to "gmail@isnoop.net" and the invitation will be made available for anyone who requests it through isnoop.net. I donated two invites a few minutes ago. Literally within seconds of seeing the donation count increase by two, both were snatched up by requesters at isnoop.net.

I've been reading David Courtney's Soekris guide . It's incredibly detailed and explains how to install FreeBSD 4.9 and FreeBSD 5.2.1 onto the Soekris net4801 . I previously described my experiences with the Soekris, but David's document addresses issues I hadn't considered. For example, he discusses the Soekris BIOS and shows how to navigate it. His setup uses PXE and he installs the OS onto a 2.5 inch laptop hard drive rather than a CF card.

SANS ' GIAC just published Sguil contributor Chris Reining 's GCIA practical titled The State of Intrusion Detection (.pdf). This is not a follow-on to the 1999 CERT classic State of the Practice of Intrusion Detection Technologies . Rather, Chris describes the shortcomings of other technologies like ACID , and how to use Sguil to detect and respond to intrusions. I like seeing discussion of Sguil infiltrate the SANS Reading Room . Incidentally -- I haven't read all of Chris' paper with a critical eye yet, so I can't vouch for his conclusions right now. On the lighter side, system administrator extraordinaire Bill Bilano just announced "Severe exploit found, all UNIX are affected!" This was my favorite line: "Northcutt better take out that section about the Mitnik attack in that terrible book he is always rehasing with only a spit-shine and fancy new cover because here comes something leaner and meaner! (I have re-bought that nut's bo

The SNORT_2_3 branch was marked in CVS shortly after I first posted the snort-inline story . Release manager Jeremy Hewlett made the announcement . If you follow the instructions to check out Snort from CVS, be sure to use SNORT_2_3 for your tag and run 'autojunk.sh' before trying to run 'configure'. Remember this is not a new Snort release, only the appearance of new code in CVS. Along with Snort, there are new versions of passive fingerprinting tool p0f , and the passive asset detection system (PADS) available.

Two days ago Cisco announced a new set of Integrated Services Routers , including the 1800 , 2800 , and 3800 series. For historical comparison, the 2600 was announced in March 1998 and the last enhancements to that line, the 2600XM series and 2691, were announced in June 2002. The press release shows an interesting bias; emphasis is added: "Cisco Systems today announced a new line of integrated services routers, the industry's first routers to deliver secure, wire-speed data, voice, video and other advanced services to small and medium-sized businesses (SMBs) and enterprise branch offices, as well as service providers for managed network services offerings. Founded on 20 years of routing innovation and leadership , the new Cisco 1800 Series, Cisco 2800 Series and Cisco 3800 Series integrated services routers are the first to provide customers with an infrastructure that enables fast, secure access to today's mission-critical business applications with optimized s

In my last story I originally stated "With Windows, unless I deploy a host-based firewall, it is difficult if not impossible to disable unnecessary services." I based this assessment on previous experiences where it was difficult to get a "clean" netstat output (meaning no unnecessary listening services). Getting to this point, as described by books like Securing Windows NT/2000 Servers for the Internet , was difficult and in many cases left services functionally disabled but still in netstat output. I found an excellent guide by Hervé Schauer Consultants called Minimizing Windows Network Services that takes a step-by-step, netstat-based approach to removing Windows services. After reading the guide, I changed my original Blog entry to say "With Windows, unless I deploy a host-based firewall, it is difficult to disable all unnecessary services." I base this statement after interpreting advice in the HSC guide. For example, the HSC guide begins by o

I'm slowly working through the last few days' developments while I attended my 10th reunion at the US Air Force Academy . I recently received the following email: "I have been reading your book on The Tao of NSM. I am an amateur but very interested in the subject. My only issue is that I am very uncomfortable with your bias against Windows and for the OpenSoftware. [sic] In our market, 95% of the desktops and 55% of the servers are Windows. We do not want to be caught in the emotional battle of OS. Any chance you can recommend a Windows zealot that is as good with the NSM subject as you are?" This is an interesting question, as I directly address my sentiments on operating systems in chapter 3 of my book. I was also "quoted" on Slashdot recently about OpenBSD, but I can't remember making that statement. (If you know where it came from, email taosecurity at gmail dot com.) Several factors drive my personal preference for UNIX, or more specifically

Amazon.com just posted my four star review of Stealing the Network: How to Own a Continent . I really enjoyed reading this fictional yet techincal work. From the review: "'Stealing the Network: How to Own a Continent' (STN:HTOAC) is a detailed look at the capabilities a structured threat could apply to the world's vulnerable digital infrastructures. Rather than hire a Beltway Bandit, I recommend those planning the digital defense of this nation read HTOAC. This book is more creative, comprehensive, and plausible than what most 'infowar' think-tanks could produce."

I noticed a post to the snort-inline mailing list last week that announced a "changing maintainer and future plans." Snort-inline is a project which allows a Snort sensor positioned inline (as opposed to sniffing passively offline) to accept packets from IPTables and then make pass/drop decisions. William Metcalf is taking over as lead developer from Rob McMillen, although Rob will remain with the project along with newcomer Victor Julien. William claims "we have been very busy working on snort_inline and evaluating the snort_inline code that is being integrated into the snort-2.3 source branch. That's right, you heard it here first: snort-2.3 will have snort_inline functionality built into it. Rob, Victor and I will be maintaining and supporting it. We will still maintain snort_inline as a separate project and use it as vehicle for bleeding-edge functionality and honey net-specific features." This is interesting because of comments Marty made at CanSe

I received the following question via email today: "I'm a huge fan of your newest book , and I read it cover-to-cover in a handful of evenings. However, I have a question about the approach you take for doing network monitoring. The average throughput of our Internet connection is around 5Mbits/sec sustained. I would love to implement Sguil as an interface to my IDS infrastructure (currently Acid and Snort on the network side), but I ran some numbers on the disk space required to store that much network traffic, and the number quickly swamped the disk resources I currently have available to me for this activity. Am I missing something with regards to how Snort stores data in this kind of scenario, or do I really need to plan for that much disk space?" This is a good question, and it is a common initial response to learning about Network Security Monitoring (NSM). Remember that NSM is defined as "the collection, analysis, and escalation of indications and warning

Bruce Mah is requesting comments on his FreeBSD Migration Guide . The guide explains the FreeBSD release process, new features in 5.3, and how to upgrade from 4.x to 5.3. Remember this is a draft , but if you have feedback join the thread on freebsd-current .

Over the weekend I learned about BlogShares.com, a fantasy stock market for Blogs. It was originally created by Seyed Razavi , but he turned over management of the project late last year. I found out that TaoSecurity.Blogspot.com was listed on the BlogShares market, so I registered myself as the owner. I found out Barry Irwin, owner of lair.moira.org , holds 4000 shares of this blog, and I as the Blog owner was given 1000. I found out about Barry's site when researching the nVidia driver issue mentioned earlier. I haven't figure out Blogshares yet, but there's a growing community around it. For example, there's an unofficial BlogShares Strategy Blog and a BlogShares Webring .

Last month Nvidia released FreeBSD drivers for their products. The README describes how to install and configure the drivers. Their forums offer advice for those having problems. Slashdot reported on this as well. If anyone can recommend a dual-DVI card that works with FreeBSD, please email me at richard at taosecurity dot com.

In the spirit of reporting on technology, I feel compelled to report on the latest gadget to enter my home -- the DCO7 . What is it, you might ask? A miniature rocket? A new USB device? This, my friends, is the most amazing vacuum cleaner I have ever used. I call it the Macintosh of Vacuums due to its elegant engineering, thoughtful design, and superior performance. The product is made by Dyson , a British company founded by inventor James Dyson. His story , also described by Forbes , is compelling. His recent TV ads show him describing how he thought other vacuums didn't do a good job. 5,127 prototypes later, he invented the Dyson. He shopped his bag-less design to the major vacuum manufacturers, who passed on his technology. Dyson claims the manufacturers make $500 million per year selling bags, so they were not interested in ending that income stream by selling a bagless vacuum. Once the manufacturers realized how good Dyson's system worked, they introduced their

FreeBSD 5.3-BETA3 is now available via FTP from sites like ftp10.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/5.3/ . I covered the release of BETA1 and BETA2 previously. If you'd like more information on changes to the network stack in 5.3, read Andre Oppermann 's presentation (.pdf) from SUCON 04 . The announcement mentions that the "MP-safe network stack is now enabled by default" and "X server configuration has been removed from sysinstall." There is one more BETA scheduled for 10 Sep 04, followed by RC1 on 17 Sep and RC2 on 24 Sep. 5.3 RELEASE is due on 3 Oct.

After more than a month of selling my book at cover price, Amazon.com is now selling The Tao of Network Security Monitoring: Beyond Intrusion Detection for $33.99, a 32% discount. The US-based site still doesn't show as much information as Amazon.ca , where the table of contents and preface are posted. Barnes and Noble has the book for $1 more, and Bookpool is still the best buy with a 45% discount and $27.25 price. The best place to get all of the information is the Addison-Wesley page. My TaoSecurity.com books page also hosts the errata for the first printing, the pcap files used in the book, and other information.

Last week I posted a method to extract individual pcap files from a larger pcap file. Originally I thought it would be useful to have a tool which would extract all individual flows from a pcap file into pcap format. Note this is different from the capability offered by the excellent Tcpflow , which extracts the application data from all TCP flows. I thought the tool Netdude might have this capability when I saw its libnetdude plugin Flow Demultiplexer. I was familiar with plugins for Netdude , the graphical interface. Flow Demultiplexer is not available within Netdude and must be invoked using libnetdude . First, install Netdude. I used the FreeBSD net/netdude port. Next download and install the following from source code, in the order specified: - Connection State Tracker - Trace Set - Flow Demultiplexer I didn't know how to proceed. I asked Netdude's author Christian Kreibich for help, and he sent a very helpful email. To access libnetdude plugins, use

Amazon.com just posted my four star review of IRC Hacks . From the review: "'IRC Hacks' is not a more recent version of Alex Charalabidis's ' The Book of IRC .' Published by No Starch Press in 2000, 'The Book of IRC' focuses on more introductory material, and thoroughly covers the issues facing most IRC users. Unlike the older No Starch book, 'IRC Hacks' devotes over 200 pages to bot development. In other words, the 'IRC Hacks' authors concentrate on more advanced ways to interact with IRC servers. If this is your primary interest, you will enjoy 'IRC Hacks.'"