TaoSecurity Blog

Fluffi Bunni (AKA Fluffy Bunny ), infamous web site defacer, was arrested 29 Apr in London by Scotland Yard while attending InfoSecurity Europe 2003 . His real name is Lynn Htun, and he's 24 years old. His first public defacement occurred in Jun 00 and was a Linux box belonging to hogeschoolnederland.nl . His defaced SANS in Jul 01, and I learned a little about the event at the first SANSFIRE conference later that month. Brian Martin chose to comment on the event and used a quote from me to further embarass SANS. Maybe Mr Htun didn't care for his attitude, as Attrition.org was defaced several days later. I did some Google. Groups searches for Mr. Htun and found these results .

PacketStorm alerted me to the 23 Apr release of an exploit taking advantage of these vulnerabilities in Snort 1.9.1 . The code was published by Projet 7 Labs and in its default mode opens a shell from the victimized Snort box to port 45295 on the intruder's machine.

I just read in the latest SANS Training and GIAC Certification Update that two candidates, named as John P. Jenkinson ( described as a contractor for SAIC ) and Lenny Zeltser (a consultant and one of the authors of Inside Network Perimeter Security ) are the first two SANS "GSEs," or "GIAC Security Experts." (GIAC now stands for Global Information Assurance Certification, although in late 1999 it meant Global Incident Analysis Center.) Congratulations, guys! It looks like they both started at the bottom of the six-rung GSE ladder with the GIAC Security Essentials Certification (GSEC) . Neither appears to be a GIAC Certified Forensic Analyst (GCFA) , which isn't required for the GSE cert.

I learned the NSA is teaming up with (ISC)2 to create the Information Systems Security Engineering Professional (ISSEP) certification. According to the press release: [The] (ISSEP) credential [is] for information security professionals who want to work for NSA, either as employees or outside contractors. The new certification will serve as an extension of the CISSP. . . The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. The ISSEP complements the CISSP by comprehensively addressing the systems engineering side of information security. I like the idea of addressing security "systems engineering," if they follow the ideas of Ross Anderson . I don't find the "government regulations" aspect appealing. On 16 Apr ISC(2) announced two "concentrations" for CISSPs: "the CISSP, Management Concentration and CISSP, Architec...

Amazon.com just posted my four star review of Windows XP Under the Hood . From the review: Let WXPUTH be your guide to a world where graphical user interfaces (GUIs) are optional! Author Brian Knittel introduces the reader to the full range of Windows' command-line capabilities. Through examples, tables, explanations, and humor, WXPUTH doesn't teach everything, but instead concentrates on the most useful features of the Windows command line.

I finally joined a new martial arts school in northern Virginia. It's been two years since I broke my wrist and stopped formal training, and about seven months since my last organized martial arts activity.

I'm reading an interview with three FreeBSD core team members . It's multiple pages but very interesting. From the article: Having two major packaging formats [in Linux], a number of major distributions, all with differing sets and releases of critical libraries, is a management nightmare nobody really wants to tackle. This is why everyone that goes with Linux picks one distro and makes it an organization standard even if it's not the best. FreeBSD is a *system*, not a kernel with a bunch of other stuff thrown on top to make a "distro." The kernel, userland programs, libraries, booting system, etc., are all tested together to make a release that's known good.

I learned of some interesting sites covering BGP and ISP issues. Check out AS summaries at the CIDR report . Visit the archives of the ISP-BGP discussion list .

Three open source forensics tools merit investigation. They are ODESSA , the Open Digital Evidence Search and Seizure Architecture, FTIMES or File Topography and Integrity Monitoring on an Enterprise Scale, and FIRE , the Forensics and Incident Response Environment, previously known as "Biatchux." If you need to identify a port associated with a network service, try this online database .

Were you excited by yesterday's Windows Server 2003 launch as much as I was? Heh. Anyway, you might find these Technical Resources for Windows Server 2003 helpful.

One of the participants in today's SANS webcast on legal issues was Prof Orin Kerr , who writes summaries of cybercrime cases available via email listserv. This is a high signal to noise way to keep up to date on these issues.

I found a 23 Jan 03 report called North American MSSP Magic Quadrant 2H02 . It depicts Managed Security Services Providers in relation to one another.

While perusing the FreeBSD ports tree, I came across a tool that pointed me towards the Museum of Broken Packets , which contains some odd packets collected from the Internet. This site was profiled by Slashdot in 2001 and a poster mentioned a paper with analysis of checksum failure. The site owner also wrote p0f.

I'm considering purchasing one or more quad NICs for my network monitoring platforms. FreeBSD seems to like the Adaptec ANA-62044 best, although no vendor sells them. You can find them cheaply on eBay , though. When I need a gigabit adapter, I will probably buy a Intel® PRO/1000 MT Server Adapter .

Cadets are at it again, except this time it's an interservice hackfest supervised by the NSA. West Point gets all the attention here (probably because they host the Information Technology and Operations Center ), but I'm sure USAFA grads are there. Update from this article : On Wednesday, the NSA told the teams to disable their firewalls for several hours at a time. The request came after a period of relatively little activity from the hackers, which led Midshipman Trevor Baumgartner to boast that the Navy group's defense technologies had stymied the NSA hackers. . . Thomas Hendricks, a visiting NSA professor at the Naval Academy, chuckled at the notion that the NSA team used the firewall exercise as a last resort. The loss of the firewall, he said, exposed an unsecured administrative account on the Navy's network, allowing the NSA to wreak havoc. "They were taught -- though I'm not sure how much they listened -- to protect as many layers of the network as ...

Those bad midshipmen at the US Naval Academy were busted for swapping files. Back in my day at the US Air Force Academy most cadets didn't even have network connectivity, and some didn't even have hard drives. Can you believe it?

Kevin Poulsen, one of the few sources of original reporting on security issues wrote this article which is of interest to anyone doing network security monitoring. Although the article deals with honeypots, it asks good questions about the legality of collecting network traffic. This excerpt talks about using the "provider exemption" (explained here , with the law here ): That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. But even that exemption probably wouldn't apply to a system that's designed to be hacked, Salgado said. "The very purpose of your honeypot is to be attacked... so it's a little odd to say we're doing our monitoring of this computer to prevent it from being attacked."

Joe Bardwell mentioned a few products at his Wildpackets seminar last week. One was Spirent Communications performance analysis products . For example, to test LAN performance , you might look at SmartBits Ethernet Modules . Joe also talked about NetScout LAN Probes . These might make good collection platforms, although they are more for performance issues and less for security or traffic collection like a Sandstorm NetIntercept .

Amazon.com just posted my three star review of IT Security: Risking the Corporation . This book is essentially the same as the Jan 98 book Intranet Security: Stories from the Trenches , according to this interview . From the interview: Q: Tell us a little about this new version of your book. What's different? McCarthy:The new version has a new chapter "Looking Back, What's Next?" which looks back over the last decade and discusses some of the problems that we see today and that we will face in the future. It has all new statistics and quotes from well-known people in the computer industry. From the review: When I saw Gene Spafford's glowing foreword to "IT Security," I expected a good read. This book did not deliver, and Spafford's suggestion that those seeking "deeper insight" consult "IT Security" rings hollow. I wondered if Spafford even read this very book when he wrote "all too often, management depends on the serv...

Along the lines of tapping cables comes a new draft RFC Cisco Support for Lawful Intercept In IP Networks , alternate . This Slashdot thread brought it to my attention. Expect to see more of this in the future. User-applied cryptography is the only way to avoid this sort of scrutiny. Here is an article about it, here's Cisco's page , and here's the fed's page . Check out Cable Monitor and Intercept Features for the Cisco CMTS "Cable Modem Termination System," i.e., cable modem.

This article discusses tapping fiber optic cables, in an attempt to explain how Saddam Hussein was monitored in Iraq. From the article: Web sites for metropolitan areas, such as San Diego, often post detailed maps of the entire citywide fiber backbone. In addition, the same high-speed fiber bundle sometimes serves a dozen or more office buildings, meaning criminals could gain access to wiring closets located in building basements or to cables that pass through public parking garages or elevator shafts, said Page. . . "This layer of security -- not just for fiber, but for standard LAN and telephone wiring also -- isn't really thought out by companies," said Pescatore. "I'd estimate that 75% of enterprises have some network cabling in public access space." Here is the map mentioned above, part of the Bandwidth Bay project.

Articles like Intrusion prevention: IDS' 800-pound gorilla make me sick. Quotes like this demonstrate the ignorance of the speaker: Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security. Argh! Thankfully the same article shows some people still understand this issue: Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. "Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion...

I happened upon the Neohapsis Open Security Evaluation Criteria (OSEC) site today. They measure various products, like network IDS, against the criteria, and post the results . This is a great idea, assuming the criteria are valid!

Here's a new reason to update to Snort 2.0 -- a vulnerability in the STREAM4 preprocessor . From the advisory: Successful exploitation of this vulnerability could lead to execution of arbitrary commands on a system running the Snort sensor with the privileges of the user running the snort process (usually root), a denial of service attack against the snort sensor and possibly the implementation of IDS evasion techniques that would prevent the sensor from detecting attacks on the monitored network.

Thanks again to CryptoGram, I noticed that Black Hat Windows Security 2003: Seattle presentations are available. Some of the topics look very interesting. The media archives page is a nice place to see everything available since Black Hat 1997.

Bruce Schneier also highlighted a new paper by Avi Rubin and friends: Defending Against an Internet-Based Attack on the Physical World . The authors describe how to automate the process of signing up a victim to receive thousands of catalogs and other mailings. While visiting Avi's site, I noticed he teaches at the John Hopkins Information Security Insitute , which offers a Master of Science in Security Informatics degree. Unfortunately, it does not seem to be one of 36 universities approved by the NSA as Centers of Academic Excellence in Information Assurance . I imagine JHU is working for this certification.

Bruce Schneier's 15 Apr 03 CryptoGram (required reading for me) alerted me to a story on wiretapping . This quote blew me away: Unlike a traditional phone call, where a line is dedicated between two parties, VOIP slices each call into millions of tiny digital packets, each of which can take a discrete route over the Internet. That means surveillance equipment must either be installed permanently on a network or calls must be routed through FBI surveillance equipment before being delivered to the caller, which experts say can create a suspicious delay. "Our tactical people are trying to plug every hole. But it's like playing the field short one player," says Szwajkowski. "A call that is not [able to be intercepted] is a major public-safety and security dilemma."

Snort 2.0 was released yesterday. I will keep my eyes on the FreshPorts Snort page to see when the FreeBSD port of Snort 2.0 appears. Can you believe Snort 1.0 has a timestamp of 28 Apr 99? Thank you for the great work Sourcefire -- the community has certainly benefitted from your work!

I've heard several people refer to legal activity in Texas, where victims of intrusions were being sued when the original victim's systems attacked third parties. This happened in 2001, when systems at Exodus were allegedly compromised and used to attack Web-hosting company C.I. Host . Marc Zwillinger mentioned this is this webcast , saying the suit was moved to Federal court and then settled out of court. His slides included this scan of the indictment. From this article : JUST BEFORE 8 A.M. ON FEB. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as "countless" customers, the Fort Worth, Texas-based company got its lawyers involved. . . In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to co...

Amazon.com just posted my five star review of Troubleshooting Campus Networks . From the review: I'm sad I waited so long to read this excellent book. "Troubleshooting Campus Networks" (TCN) was published in Jul 2002, and it belongs on every network administrator's shelf -- now! This is the best networking book since Scott Haugdahl's "Network Analysis and Troubleshooting" and Eric Hall's "Internet Core Protocols." TCN will truly test your networking knowledge; you'll quickly validate the truth and discard the fiction.

This Slashdot post brought to my attention the National Society of Professional Engineers Code of Ethics , which should apply to IT consultants as well. It includes: I. Fundamental Canons Engineers, in the fulfillment of their professional duties, shall: Hold paramount the safety, health and welfare of the public. Perform services only in areas of their competence. Issue public statements only in an objective and truthful manner. Act for each employer or client as faithful agents or trustees. Avoid deceptive acts. Conduct themselves honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession. Codes of ethics are the only worthy element of the "certification" I hold -- the CISSP. Here is its Code : Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect...

I've been trying to understand how to configure Cisco switches for use in network security monitoring solutions. By reading Configuring the Catalyst Switched Port Analyzer (SPAN) I learned: "For the SPAN on the Catalyst 2900XL/3500XL switches... the main restriction is that all the ports related to a given session (whether source or destination) must belong to the same VLAN... Unlike the Catalysts 2900XL/3500XL, the Catalyst 4000/5000/6000 can monitor ports belonging to several different VLANs." I also learned "The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports, it can not monitor VLANs. The Catalyst 3550 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs... Unlike the 2900XL and 3500XL family Switches, the Catalyst 2950 and 3550 faimly Switches are able SPAN source port traffic in receive direction only, (Rx span or ingress span) or in tranmsit directio...

Yesterday I was walking through a Lowe's hardware store. I saw a Tracfone for sale. Tracfone is a product consisting of a phone and separate prepaid wireless minutes. Given you can buy these with cash in your local Circuit City , I sensed an opportunity for troublemakers who prefer to act anonymously. (While there are other prepaid cellular plans , it appears they tie to existing accounts, or at least don't offer the easy cash purchase method of Tracfone.) I found that Tracfone sells at least one cell phone , the Motorola v120t , which can be equipped with the Multi-Connect Serial Data Kit - 98320 -- a cellular modem. At this point a dial-up ISP is required to use the cellular modem. I'm not sure where to go with this, but overall this exercise has given me an idea how criminals might seek to hide their identity. On a related note, it's possible Tracfone's prepaid calling cards have been the target of fraud. This post claims people are selling Tracfone c...

At yesterday's Wildpackets seminar, Joe Bardwell mentioned techniques to lessen the chances of finding rouge wireless networks. He said someone wanting to hide a rogue wireless network should use a frequency not currently popular. Given most people run 802.11b at 2.4 GHz or 802.11a at 5 GHz, that leaves something operating at 900 MHz. Thanks to Cisco documentation , I found products by Aironet, which Cisco bought, that run at 900 MHz. They include: Aironet 1200: 900 MHz Wireless LAN Adapter; Standard type II PC Card Aironet AP 1200-E: 900 MHz Wireless Access Point

Today I attended a free Wildpackets Expert Packet Analysis Seminar . The instructor was Joe Bardwell and he gave an incredible, educational talk. Joe is one of the authors of Troubleshooting Campus Networks , which I recently reviewed and whose review I'm waiting for Amazon.com to post. I recommend you sign up for the free Wildpackets seminar in your area.

This Register story alerted me to the publication of the latest ISS Internet Risk Impact Summary . It's a 16 page doc describing what ISS has seen in the last three months.

Slashdot is running a thread on a new Samba vulnerability which Digital Defense discovered . This comment by Jeremy Allison of the Samba team is one of the best reasons why event-based IDS data can fail, and should be reinforced by collecting session and full content data. He's responding to a challenge to prove he has unreleased exploits for Microsoft SMB/CIFS: If you put one of your Windows servers on a network I had access to I would be able to show you. I will not release the code publicly (for obvious reasons). Knowledge of these bugs would allow worms/viruses to utterly cripple Microsoft based corporate networks. If you choose not to believe me without exploit code then that's up to you, but I will not act in an unprofessional way to prove a point. Jeremy Allison, Samba Team.

I stay alert for good resources on network infrastructure design. I found these on the Cisco web site. Of the documents listed here , I thought these looked intriguing: Data Center Networking: Infrastructure Architecture Data Center Networking: Internet Edge Design Architectures Data Center Networking: Securing Server Farms Data Center Networking: Enterprise Distributed Data Centers It's also a good idea to visit Cisco's SAFE site and read SAFE: A Security Blueprint for Enterprise Networks document and SAFE Blueprint for Small, Midsize, and Remote-User Networks .

PacketStorm alerted me to the newest release of stegtunnel . As a network security analyst, I like to keep an eye out for these sorts of tools. I'll test it when I have time. This tool also manipulates the IP ID field, just as Craig Rowland's covert_tcp program did in 1996. From the stegtunnel description: Stegtunnel is a tool written to hide data within TCP/IP header fields. It was designed to be undetectable, even by people familiar with the tool. It can hide the data underneath real TCP connections, using real, unmodified clients and servers to provide the TCP conversation. In this way, detection of odd-looking sessions is avoided. It provides covert channels in the sequence numbers and IPIDs of TCP connections.

FreeBSD 4.8 was released late Thursday night . FreeBSD 5.1 is scheduled for release 2 Jun 03 . I'm looking forward to reading the fourth edition of The Complete FreeBSD , hopefully later this month.

A FIRST post alerted me to this article on Removing Your Materials from Google . For example: if you want your materials removed right away, you can use the automatic remover at http://services.google.com:8882/urlconsole/controller . You'll have to sign in with an account (all an account requires is an email address and a password). Using the remover, you can request either that Google crawl your newly created robots.txt file, or you can enter the URL of a page that contains exclusionary META tags.

Rik Farrow wrote another great article, VLANs: Virtually Insecure? . That same issue of Network Magazine features a product highlight of a XML firewall built by Data Power Technology . I find this interesting because we now have to inspect, filter, and alert on traffic to specific ports like 80 tcp. This happens when developers code multiple protocols for a single port. We already have this problem with the Windows networking world, where ports 135, 137, 138, and 139 are used for multiple purposes by multiple services. Unfortunately, businesses can't firewall off port 80 to the world.