Showing posts from 2003

Administering Servers with Webmin

I've been trying Webmin on FreeBSD, Solaris 8, and HP-UX 11i today. Once I repatriate my AIX box from my employer, I intend to install Webmin on it as well. For FreeBSD, I installed the package provided by the FreeBSD project. For Solaris, I used the package provided by Webmin. For HP-UX, I downloaded the tarball and installed from source. I tried the version packaged by HP with their port of Apache and Tomcat, but couldn't get it to install on its own. Webmin uses its own "" so Apache is not needed. Webmin is a Web-based, cross-platform system administration tool. Although I'm not a huge fan of Web-based interfaces , Webmin is slick. I recommend installing the Swelltech theme , which is cleaner than the default. Using Webmin I successfully installed the lsof package for FreeBSD and Solaris . I didn't have any luck with the same package for HP-UX . Webmin allows you to run commands through the Web browser, so once lsof was installed

Security 101 Book

Today I was asked for my recommendation for a "security 101" book. I hadn't given the subject much thought, although I think Ed Skoudis' Counter-Hack is a great place to start. I looked around my office and found a book Addison-Wesley sent me last year: Internet Site Security by Erik Schetina, Ken Green, Jacob Carlson. After thumbing through the book, I've decided it's excellent. I won't review it on, since my policy is to only review books I've read. Still, a mention here is worthwhile. This book is so solid I adopted its "assess -> protect -> detect -> respond" security process model to replace the "plan -> prevent -> detect -> respond" version in my own book, just to avoid reinventing the wheel. They also correct state the risk equation as "risk = threat X vulnerability X asset value." If you're looking to get your feet wet in security, or if you're a manager who needs to

Using Sysmon to Detect Faulty Hardware

No sooner had I posted the entry on Sysmon than it detected a network problem. Two of my systems were unreachable. They both sat of a DMZ leg of my gateway. After troubleshooting at various layers I narrowed the issue down to a faulty NIC in the gateway. How often does that happen? Unfortunately the bad NIC is a Intel PRO/100+ Dual Port Server Adapter (PILA8472) . When trying to ping out from the NIC to the DMZ, here's the sort of traffic the NIC generated: 00:39:18.628691 > icmp: echo request 00:39:19.638731 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 00:39:20.648696 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=

FreeBSD on Laptops

I thought the best I could do for help running FreeBSD on laptops was Linux on Laptops , until I learned of the FreeBSD Laptop Compatibility List . This site even had an entry for my Thinkpad a20p . There's an article at and another database of information also available. I've had various versions of FreeBSD running on this laptop since I tried installing FreeBSD 4.1.1 . I plan to install FreeBSD 5.2 REL once issues in the todo list are solved.

Understanding Snort DNS TTL Alerts

While reading a recent Network Computing magazine article, I noticed an interesting discussion of "DNS-based route optimizers." These sounded like the products which confused IDS operators four years ago. I read about it in an earlier NWC article . This December 2003 article states: "Handling external Web requests... is accomplished by advertising a low DNS TTL of about 10 seconds. This forces the end user's DNS server to request an updated IP address every 10 seconds... the device will provide the external IP address that will provide the best path through the network." The whole idea with DNS-based systems is to trick clients into visiting the server that's "closest" to them in Internet space. By "closest" I mean the one offering the lowest latency. It's a performance enhancement for visitors. NWC's graphic does a nice job explaining the system. Notice the mention of "probes." The review mentions ICMP and TCP-b

Ways to Install FreeBSD

While perusing the newgroups at , I learned a new way to get FreeBSD. The FreeBSD Project publishes .iso images of its release software, like 4.9 REL or 5.1 REL. Easy enough. Mirrors for these distributions are available at FreeBSD mirrors . However, I discovered the FreeBSD Snapshots site offers .iso images of the latest version of each tree, e.g., 4-stable and 5-current. You can download the .iso and finish with a system running the newest FreeBSD, assuming they work on your hardware. If you're more conservative, they maintain a "security release" of the 4.8 distribution as well, which right now is 4.8-RELEASE-p13. You can even finger their server to learn the newest builds available there: finger [] FreeBSD/i386: The latest version of FreeBSD -CURRENT is: 5.2-CURRENT-20031227-JPSNAP The latest version of FreeBSD 4-STABLE is: 4.9-STABLE-20031202-JPSNAP FreeBSD/alpha: The latest version of FreeB

Adding a New Disk in NetBSD

People complain about FreeBSD's '/stand/sysinstall' program, but I wish I could have used it yesterday when adding an 8 GB HDD to my NetBSD box. I loosely followed the official documentation but laughed when I read "Now we create some disklabel partitions, editing the tempfile as already explained. The result is...", followed by a disklabel output created from scratch! This reminded me of the "intuitively obvious" phrase from my college calculus books. Here's how I did it. This is what the disk looked in dmesg output: wd1 at pciide0 channel 0 drive 1: wd1: drive supports 16-sector PIO transfers, LBA addressing wd1: 8063 MB, 16383 cyl, 16 head, 63 sec, 512 bytes/sect x 16514064 sectors wd1: 32-bit data port wd1: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33) wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers) First I ran fdisk. Notice the BIOS never seems to get the HDD geometry corre

Installing Packages on NetBSD and OpenBSD

Last month I wrote about installing packages on FreeBSD. This entry covers my NetBSD and OpenBSD experiences. First, a few differences between NetBSD and OpenBSD. Root's default shell in NetBSD is /bin/sh, while OpenBSD uses /bin/csh. This means environment variables can be set in .profile for NetBSD and .cshrc for OpenBSD. FreeBSD gives users the chance to automatically retrieve packages and dependencies remotely, e.g., 'pkg_add -r mtr'. FreeBSD makes its remote retrieval decisions based on the installed OS. NetBSD and OpenBSD allow the same, but you must specify the OS in an environment variable. For NetBSD, add the following to .profile: export PKG_PATH= For OpenBSD, add this to .cshrc: setenv PKG_PATH These additions make automatic package retrieval easier. I'll install the GTK version of MTR to demonstrate the process on each OS. For NetBSD

Review of Open Source Network Administration Posted

Image just posted my four star review of Open Source Network Administration . It's been nearly two months since my last review. I've been extremely busy writing The Tao of Network Security Monitoring , so reading has taken a back seat. From the review: "Open source is the wave of the future, and James Kretchmar's Open Source Network Administration (OSNA) catches that wave in fine form. Although the book is only 238 pages, it contains several gems. I read the book specifically for its coverage of the Multi Router Traffic Grapher (MRTG), OSU's Flow Tools, and Sysmon. By following Kretchmar's instructions, I easily installed these three applications."

Simple Network Health Performance Monitoring with Sysmon

Do you need a simple Web-based application to check if your systems and/or applications are alive? I learned about Sysmon when reading Open Source Network Administration . Once I wrote my own configuration file to watch my systems, I followed the book's instructions to complete the Sysmon installation. The result is the small screen shot at left. Since you don't need to spend a lot of time checking out the details of my network, you can get the idea by reviewing this image. The green systems are all up. The yellow ones just became unreachable. I forgot to return on one of them to service after working on it. Since it's a bridging firewall for the second box, both are listed in yellow. The orange/reddish entry is a missing box. I lent it to my office for a case, and when it returns the record will be green again! Sysmon is a good alternative to Nagios or the Network Management Information System (NMIS) if you only need to do simple monitoring of 10-100 systems.

Cisco Icons Online

Do you need networking icons for presentations or papers? Check out the completely free, non-copyrighted Cisco collection . I learned about it after reading a tip in Cisco's Packet magazine. Besides having the icons for use in OpenOffice , the zipped .pdf of conceptual icons is handy. It helps you decode Cisco diagrams by recognizing what certain symbols mean.

Learning To Install Open Source Software on Solaris and HP-UX

This summer I bought an Ultra 30 workstation and an HP Visualize B2000 workstation to learn Solaris on SPARC and HP-UX on PA-RISC, respectively. Today I worked on installing open source software on each. Starting with the Sun box running Solaris 8 on SPARC, I visited Sun Freeware , an absolutely incredible site providing free compiled binary packages of key open source software. Here's a sample installation: 1. FTP to the Sunfreeware site to retrieve the package for bash 2. Unzip the package with 'gzip -d' 3. Install the package with 'pkgadd -d' I later installed wget, which made step one much easier. I was even able to install OpenSSH using the site's instructions, which outlined step-by-step the actions needed to install a necessary Solaris patch, then grab the required packages, create keys, and so forth. I made my own startup script using ideas from the instructions: #!/bin/sh # # Simple OpenSSH start script by Richard Bejtlich SSHCONF=/usr/local/etc

Verisign Acquires Guardent for $140 Million

Big news from the managed security services space. Consolidation continues, as big companies looking for growth opportunities acquire the small fries. Today Verisign announced it bought Guardent (yes, the Guardent URL spells the company's name incorrectly) for $140 million in stock and cash. Guardent currently employees about 150 people. Update : Here's eWeek 's analysis.

Getting Your FreeBSD Box to Speak 802.1q Trunks with a Cisco Switch

I have the following setup on my home LAN: cable modem - cisco router - freebsd fw/gw - cisco switch - clients < The client boxes are in two separate VLANs with different address spaces. I needed a way for them to be able to talk to the FreeBSD 4.9 REL firewall/gateway without wasting two interfaces on the fw/gw. Here's how I set this up. I'm no Cisco guru so excuse my lack of shortcuts. I got some help from this how-to , this thread , and this Cisco guide . First, on the switch, I created my VLANs: gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#vlan 20 gruden(config-vlan)#name green gruden(config-vlan)#end gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#vlan 10 gruden(config-vlan)#name yellow gruden(config-vlan)#end Next I created my trunk port to speak to the FreeBSD box: gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#int fa0/24 g

MRTG with FreeBSD and a Cisco Router

It doesn't get much easier than this. I wanted to add the Multi Router Traffic Grapher (MRTG) to my NSM tool collection. Based on the instructions provided by Open Source Network Administration and Cisco , here's how I did it. bourque is the name of my FreeBSD 4.9 REL NSM sensor and is my Cisco router. First I enabled the SNMP server on the router. Replace 'public' and 'private' with other community strings, like I did. (These are examples.) gill(config)#snmp-server community public RO gill(config)#snmp-server community private RW Make sure you set up an access list on interfaces where you don't want people accessing the SNMP service on your router: access-list 101 deny udp any any eq snmp log Next install an Apache Web server on the system which will hold MRTG's output: bourque# pkg_add -r packages-4-stable/All/apache+mod_ssl-1.3.29+2.8.16.tgz Fetching

CAIDA to the Rescue

Kudos to CAIDA for applying real research to the issue of whether the SCO Web site was hit by a DoS attack or not. CAIDA used its Network Telescopes to watch backscatter from SCO servers and confirmed SCO Web and FTP servers were indeed flooded : "At 3:20 AM PST on Wednesday, December 10, 2003, the UCSD Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second... Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together and experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout

Creating Fake Interfaces and Bonding Them

In June I posted a way to bond two FreeBSD interfaces to a third unused interface for purposes of combining tap outputs and sniffing the result. This method used ng_one2many and was based on advice from Andrew Fleming . In July I corresponded with John Bradberry who shared his method of using ng_fec, the man-page-less Fast Ether Channel netgraph (4) module. Two months ago John posted his method, which looks like the email he sent me in July. I finally got a chance to try it, and can report that it works. Here's what's required on a stock FreeBSD 4.9 REL system where sf2 and sf3 see the tap outputs. First, build the ng_fec kernel module: cd /usr/src/sys/modules/netgraph/fec make make install Next, create the virtual fec0 interface which will see traffic from sf2 and sf3 simultaneously. Note the use of single quote and double quote around the interface names. ngctl mkpeer fec dummy fec ngctl msg fec0: add_iface '"sf2"' ngctl msg fec0: add_iface '&q

Bruce Schneier on Northeast Blackout

Bruce Schneier wrote about the possible role of MSBlaster in the 14 August 2003 northeast electrical blackout. He reports on the November interim report ( .pdf ) by a joint US-Canadian taskforce: "The coincidence is too obvious to ignore. At 2:14 p.m. EDT, the MSBlast worm was dropping systems all across North America. The report doesn't explain why so many computers--both primary and backup systems--at FirstEnergy were failing at around the same time. But MSBlast is certainly a reasonable suspect. Unfortunately, the report doesn't directly address the MSBlast worm and its effects on FirstEnergy's computers. The closest I could find is this paragraph, on page 99: "Although there were a number of worms and viruses impacting the Internet and Internet connected systems and networks in North America before and during the outage, the SWG's preliminary analysis provides no indication that worm/virus activity had a significant effect on the power generation and de

US Government Security Report Card

Yesterday Congressman Putnam of the US House Committee on Government Reform announced the federal government's computer security report card ( .pdf ). FCW summarized the results. For the first time two agencies scored above 90%: the Nuclear Regulatory Commission earned top honors with an A, and the National Science Foundation received an A-. The grades were based for the first time in the four-year program on the Federal Information Security Management Act ( .pdf ) reportedly an improvement over the Government Information Security Reform Act (GISRA) ( .pdf ). I found it amusing that after the press NASA received for working with SANS to patch systems in 2001 ( .pdf ), NASA's score has consistently dropped. NASA scored a C- in 2001 , a D+ in 2002 and now a D- in 2003. In 2001 NASA was lauded as a "poster child" for their "vulnerability-focused approach to eliminate security problems." Apparently SANS no longer thinks addressing vulnerabilities i

Creative Commons

After reading why Microsoft Word is not a document exchange format , I found myself at the Creative Common Web site. Their goal is "to build a layer of reasonable, flexible copyright in the face of increasingly restrictive default rules." I found their license builder interesting.

Spammers Target Cambridgeshire Police Force

I learned of this scam via this Sophos report. Spammers are sending messages which appear to be receipts for £399.99 Apple iPods. The message lists the phone number of the Cambridgeshire Police Force in the UK as the point of contact for complaints. This sounds more like a prank than a structured attack, but the concept is sound. I imagine we'll see more of this in the future. Here's what the email looks like: Subject: Transaction Receipt (UKCards) From: "UKCards" ------------------ Please note: All charges to your statement will appear in the name "UKCARDS LIMITED". Order Information Amount: £399.95 Currency: GBP Merchant Name: HUNTINGDON MAIL ORDER Description: iPod Music Player 40GB Customer Service Telephone: 01480 456111 Email: N/A Delivery Address 47 Silver Street, London, NW1 5TR If you have any questions on the delivery of this order or product details please contact the merchant directly using the above details.
I commend the Debian project for detailing the exact timetable and methodology associated with their recent compromise. They posted a detailed report on the incident Tuesday. I found several points noteworthy. First, notice how they detected the intrusion. Sharp admins knew something was amiss, and a host-based IDS detected file changes: "On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system was running without problems for a long time, the system was about to be taken into maintenance for deeper investigation of potential hardware problems. However, at the same time, a second machine, murphy, was experiencing exactly the same problems, which made the admins suspicious. Also, klecker, murphy and gluck have Advanced Intrusion Detection Environment (package aide) installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and

1500 Helpful Review Votes at

I'd like to thank everyone who's voted my reviews to be "helpful" over the last 3+ years. I started seriously reviewing books with Radia Perlman's Interconnections, 2nd Ed in May 2000. Since then I've written reviews of 116 books on security and computing topics. Some reviews of poor books caused quite a stir. Several were pulled only to have me resubmit "just the facts" in the form of direct quotes. Others caused me to argue with certain members of the community who praised books they should not have. Either they didn't read the book or they were too out of touch to realize printing 250 pages of C code did nothing to teach the reader about "hacking." Every month I received many books to review. I only read those on my reading list or those that surprise me with their originality. I don't review books I've skimmed, unless the reason I've stopped reading was disappointment with content. As a result, ma

Exploiting Cisco Routers Article

SecurityFocus published the sequel to an article on exploiting Cisco routers. This has been happening for a while but this article spells out the details.

Quirks of NetBSD

Exactly two months ago I reported installing FreeBSD, NetBSD, OpenBSD, and Debian on my laptop for test purposes. Yesterday I tried to upgrade a different box from FreeBSD 5.1 RELEASE to FreeBSD 5.1 CURRENT. I've had no luck getting my SMC 2632W or 2602W wireless NICs, or an Orinoco Gold wireless NIC, to work in any modern version of FreeBSD. (I had the 2632W working with FreeBSD 4.5 and earlier using this hack .) I thought trying CURRENT might be a good idea but the install failed. Wireless support is my biggest grievance with FreeBSD. I used a wireless NIC on OpenBSD 3.3 fine yesterday. So, I decided to replace the failed FreeBSD install with NetBSD 1.6.1. I got the OS installed but found it to be quirky. It works fine, but it's got its own peculiarities that separates it from FreeBSD. For example, I installed "everything," but OpenSSH was not installed by default. In fact, nothing was listening by default. What is this, OpenBSD? Not even OpenBSD is s

Snort Add-Ons

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard . Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001 . spo-unified creates two log files. To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the nature of the stored packet (reassembled fragment, etc.) and the raw binary packet. Barnyard reads unified output and sends the results to other plugins. In most cases those are database plugins. MudPit is an alternative to Barnyard. Mudpit was written to overcome the fact that receiving either alert or log data can be insufficient to validate an event, but receiving both simultaneously is wasteful. At the Sguil project we use

Voice-Based Fraud Detection

The Register reports on the latest in fraud detection: "Online insurer Esure is to use technology that recognises when a speaker is under stress in a bid to detect fraud. The company hopes using voice risk analysis (VRA) technology will speed genuine claims, cut fraud and make its claims process more efficient... VRA - which identifies micro changes in the voice that can occur when a speaker is showing higher levels of stress - will be used by esure from 4 December. The company is keen to emphasise that the technology is a 'stress detector' not a lie detector. When a speaker experiences stress when answering a question or recounting an exaggerated or false statement, the frequency of their voice changes, according to studies originally conducted in Israel. It is this factor that VRA registers and assesses. The system compares responses to particular questions with baseline responses, answers to simple questions that can only be answered truthfully." Let's
According to Reuters , a 38 year old Home Depot worker was arrested for stealing laptops from Wells Fargo. From the article: "Police recovered the equipment at Krastof's home, along with equipment used for scanning identity cards and checks, he said. 'He is a low-level ID theft kind of guy,' White said of Krastof. Krastof told police that he did not know that sensitive data was on the computer, according to [policeman] White. Wells Fargo will be able to keep the $100,000 reward it had offered in the case, since the arrest was made from regular police work and not a tip, White said. Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers, White said. That enabled authorities to connect the computer's Internet Protocol address, a number that identifies a computer on the Internet, to Krastof's home address through his AOL account, White said." The article glosses over a

Ron Gula Replies to Information Security Review of NeVO

You may have read the fairly critical Information Security review of NeVO by Tenable Security. CTO Ron Gula posted a response to the focus-ids group which makes for good reading: "Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month old Nessus scan) or 'relavent' vulnerability data (like all of the IIS security holes) can produce false correlations."

Tepatche - Automatic OpenBSD System Patcher

I continue to watch for tools to keep BSD systems up-to-date. I learned of a new application for OpenBSD called Tepatche . The author wrote this article for next month's Sys Admin magazine. He also mentions the openbechede package management project. Incidentally, Colin Percival reports he's attained the $1000 mark needed to buy a new box to provide freebsd-update binary updates. Hopefully we'll see them available for the 5.X tree soon. While poking around I found a new BSD book will be published in the spring: FreeBSD and OpenBSD Security Solutions .
Wells Fargo Offers $100,000 For Info Leading to Conviction of Laptop Thief ZDNet reports the following: "Wells Fargo said on Friday it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. The computer was one of several stolen earlier this month from the office of an analyst for the bank in Concord, California, the bank said. The stolen PC contained names, addresses, bank account numbers and social security numbers for customers who had taken out personal lines of credit that are used for consumer loans and overdraft protection, according to Wells Fargo. No passwords or personal identification numbers were among the stolen data and no other Wells Fargo customers were affected, the bank said... The bank alerted affected customers this week [and] was also monitoring customer accounts, changing account numbers and paying for a year's subs

Finding the Name of FreeBSD Packages to Install

I usually install FreeBSD applications using the ports system, but I wanted to know how to use the package collection as well. I wondered how to quickly locate the name and URL of a package so I could pass them as a parameter to pkg_add -r . Using this command FreeBSD fetches the package specified and installs any dependencies automatically. I found the answer at the FreeBSD Ports Changes page. Here you can query for a package (or port) by name, and more importantly, specify which distribution you want. For example, if you wanted to install Nessus, you could choose from: FreeBSD 4.9 RELEASE: packages created when 4.9 REL was announced FreeBSD 4.x STABLE: the most up-to-date packages built for FreeBSD 4-stable FreeBSD 5.1 RELEASE: packages created when 5.1 REL was announced FreeBSD 5.x CURRENT: the most up-to-date packages built for FreeBSD 5-current Let's say I wanted to install Nessus. What do these packages look like for the i386 architecture? FreeBSD 4.9 RELEASE : nessu

Tim O'Reilly on Computer Books

Tim O'Reilly of O'Reilly publishing answered questions on the economics of writing on computer topics . I found this excerpt interesting: "Your choice of publisher helps [a book be successful]. The clearest lesson from Bookscan (to refer to the data that started this thread) is that the market is consolidating. Fully 80 percent of the market shown by Bookscan (about 65-70 percent of U.S. domestic retail sales, including online accounts) is owned by Pearson, Wiley, O'Reilly, and Microsoft Press, in that order. If you add Osborne and Sybex, you get to 90 percent. (Pearson is a conglomerate owning many individual imprints--AW, PH, Peachpit, Sams, New Riders, Brady, Cisco Press, Adobe Press, Macromedia Press, etc.--so the market looks more diverse than it actually is.) Having been a small publisher who worked my way up over many years, I won't say it [success of a book sold by a small publisher] can't be done. But I think it's a lot harder than it was in th

Other Tidbits on SSH, IRC, and other Topics

I needed to bounce through a couple systems while working on a hostile classroom network this week. I found this book excerpt which explains how to chain SSH connections. I started using the EPIC IRC client on FreeBSD and I wanted to use a customization script. I remembered using Splitfire and found it to be useful. In #snort-gui we've been using Pastebot to provide chunks of text via HTTP rather than IRC on homefries . Rob Lee's domain registration apparently expired and was scooped by someone else. You can access Rob's site via IP address at . Anyone using Secure Instant Messaging Protocol ? Jamil Farshchi published this article on wireless IDS.

PostgreSQL 7.4 Released. Watch Out For MySQL "Gotchas"

PostgreSQL 7.4 was released this week. We use MySQL in the Sguil project but we used PostgreSQL with older NSM tools. I learned about this MySQL "gotchas" site showing odd MySQL behavior. This could prompt a war between the MySQL and PostgreSQL communities. Speaking of wars, I ran across a site which claims to benchmark various UNIX operating systems. The results caused a crazy thread among OpenBSD users.

What Makes For Credible Certifications?

Peter Stephenson contributed to a SC Magazine article that featured criteria for credible certifications. I found his comments worthwhile: "The major question to be asked about certifications and their value is: 'Where does the cert come from and what are its objectives?' A good industry certification will have several recognizable components if it is to be credible: It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it. It requires ongoing training and updating on new developments in the field. There is an an examination (the exception is grandfathering, where extensive experience may be substituted). Experience is required. Grandfathering is limited to a brief period at the time of the founding of the certification. It is recognised in the applicable field. It is provided by an organization or association operating in the interests of the community, usually non-profit, no

Network Security Monitoring Saves My Bacon

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy. This morning I tested these principles not against an intruder, but against a piece of software that took an unexpected action. I was looking for an IRC proxy and found the Night-light IRC proxy . I installed it through the FreeBSD ports system without a problem. I then checked my sockstat output to see what was listening. I found the following unexpected entry: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root getty 534 0 tcp4 censored:50396 This looks like my system

TruSecure: "k3wl ," Like "Hackweiser and G-force Pakistan"

The BBC wrote an article about the threat intelligence group, "codename IS/Recon (Information Security Reconnaissance)." They're TruSecure's "moles" -- people who befriend the "underground" and acquire information on their intentions and capabilities. The national intelligence community calls that "human intelligence," or HUMINT. The article claims TruSecure "currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs." It also states they collect "200 gigabytes of information a day," which "has enabled the team to help out with 54 investigations by law enforcement agencies. IS/Recon gave the FBI over 200 documents about the Melissa virus author after they were asked to get closer to suspects."

Mapping the Internet on a Dare

Slashdot reported on the Opte Project . It's a single guy who's mapping the Internet using code he wrote. Commercial companies like Lumeta provide much more enhanced functionality, but this is still a cool hack. The Slashdot thread features commentary by Hal Burch and Fyodor , and a useful summary of similar projects. The image at left is supposedly "1/5 of the Internet," but as one Slashdot reader mentioned, it looks a lot like a brain! Given Google has replaced the brain of many people, I imagine this image is appropriate. :)

Trying Fedora Core 1

Today I installed Fedora Core Release 1 in a VMWare session on my laptop. I was unable to using the CD-ROMs I burned and got the same error as described in this thread . I ended up installing the OS using the three .iso files on my laptop hard drive. I installed a default desktop into a 4 GB partition. Here are the daemons listening, the filesystem stats, and the uname output: [root@localhost root]#netstat -natup Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0* LISTEN 1665/rpc.statd tcp 0 0* LISTEN 1830/xinetd tcp 0 0* LISTEN 1645/portmap tcp 0 0* LISTEN 1814/sshd tcp 0 0* LISTEN 1777/cupsd tcp 0 0*