Wednesday, April 30, 2003

Fluffi Bunni Arrested

Fluffi Bunni (AKA Fluffy Bunny), infamous web site defacer, was arrested 29 Apr in London by Scotland Yard while attending InfoSecurity Europe 2003. His real name is Lynn Htun, and he's 24 years old. His first public defacement occurred in Jun 00 and was a Linux box belonging to His defaced SANS in Jul 01, and I learned a little about the event at the first SANSFIRE conference later that month. Brian Martin chose to comment on the event and used a quote from me to further embarrass SANS. Maybe Mr Htun didn't care for his attitude, as was defaced several days later. I did some Google Groups searches for Mr. Htun and found these results.

Tuesday, April 29, 2003

Exploit for Snort 1.9.1

PacketStorm alerted me to the 23 Apr release of an exploit taking advantage of these vulnerabilities in Snort 1.9.1. The code was published by Projet 7 Labs and in its default mode opens a shell from the victimized Snort box to port 45295 on the intruder's machine.

First Two SANS GSEs

I just read in the latest SANS Training and GIAC Certification Update that two candidates, named as John P. Jenkinson (described as a contractor for SAIC) and Lenny Zeltser (a consultant and one of the authors of Inside Network Perimeter Security) are the first two SANS "GSEs," or "GIAC Security Experts." (GIAC now stands for Global Information Assurance Certification, although in late 1999 it meant Global Incident Analysis Center.) Congratulations, guys! It looks like they both started at the bottom of the six-rung GSE ladder with the GIAC Security Essentials Certification (GSEC). Neither appears to be a GIAC Certified Forensic Analyst (GCFA), which isn't required for the GSE cert.

(ISC)2 Developments

I learned the NSA is teaming up with (ISC)2 to create the Information Systems Security Engineering Professional (ISSEP) certification. According to the press release:

[The] (ISSEP) credential [is] for information security professionals who want to work for NSA, either as employees or outside contractors. The new certification will serve as an extension of the CISSP. . . The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. The ISSEP complements the CISSP by comprehensively addressing the systems engineering side of information security.

I like the idea of addressing security "systems engineering," if they follow the ideas of Ross Anderson. I don't find the "government regulations" aspect appealing.

On 16 Apr ISC(2) announced two "concentrations" for CISSPs: "the CISSP, Management Concentration and CISSP, Architecture Concentration." From the press release:

The CISSP Management Concentration validates extensive knowledge in the following areas of the CBK:

  • Enterprise Security Management Practices

  • Enterprise-wide Systems Development Security

  • Operations Security Compliance

  • Business Continuity Planning, Disaster Recovery Planning and Continuity of Operations Planning

  • Law, Investigation, Forensics and Ethics

The CISSP Architecture Concentration validates extensive knowledge in the following areas of the CBK:

  • Access Control, Telecommunications and Methodology

  • Telecommunications and Network Security

  • Cryptography

  • Requirements Analysis and Security Standards/Guidelines Criteria

  • Technology-Related Business Continuity Planning and Disaster Recovery Planning

  • Physical Security Integration

I had hoped one of the concentrations was truly "technical," while the other was "managerial." Seeing "forensics" included with management is a disappointment. The press release states "The first exams for the new CISSP concentrations are scheduled to begin in July 2003, with training classes to begin in the fall."

Beyond the CISSP and its extensions, there's also the SSCP or "Systems Security Certified Practitioner," for people with one year's experience. It was announced 28 Mar 01 but doesn't seem to have gotten much traction.

Review of Windows XP Under the Hood Posted

just posted my four star review of Windows XP Under the Hood. From the review:

Let WXPUTH be your guide to a world where graphical user interfaces (GUIs) are optional! Author Brian Knittel introduces the reader to the full range of Windows' command-line capabilities. Through examples, tables, explanations, and humor, WXPUTH doesn't teach everything, but instead concentrates on the most useful features of the Windows command line.

Monday, April 28, 2003

Trying New Martial Arts School

I finally joined a new martial arts school in northern Virginia. It's been two years since I broke my wrist and stopped formal training, and about seven months since my last organized martial arts activity.

Interview with FreeBSD Core Members

I'm reading an interview with three FreeBSD core team members. It's multiple pages but very interesting. From the article:

Having two major packaging formats [in Linux], a number of major distributions, all with differing sets and releases of critical libraries, is a management nightmare nobody really wants to tackle. This is why everyone that goes with Linux picks one distro and makes it an organization standard even if it's not the best. FreeBSD is a *system*, not a kernel with a bunch of other stuff thrown on top to make a "distro." The kernel, userland programs, libraries, booting system, etc., are all tested together to make a release that's known good.

Friday, April 25, 2003

BGP and ISP Issues

I learned of some interesting sites covering BGP and ISP issues. Check out AS summaries at the CIDR report. Visit the archives of the ISP-BGP discussion list.

Open Source Forensics Tools

Three open source forensics tools merit investigation. They are ODESSA, the Open Digital Evidence Search and Seizure Architecture, FTIMES or File Topography and Integrity Monitoring on an Enterprise Scale, and FIRE, the Forensics and Incident Response Environment, previously known as "Biatchux." If you need to identify a port associated with a network service, try this online database.

Windows Server 2003 Launch

Were you excited by yesterday's Windows Server 2003 launch as much as I was? Heh. Anyway, you might find these Technical Resources for Windows Server 2003 helpful.

Wednesday, April 23, 2003

Professor Orin Kerr

One of the participants in today's SANS webcast on legal issues was Prof Orin Kerr, who writes summaries of cybercrime cases available via email listserv. This is a high signal to noise way to keep up to date on these issues.

Tuesday, April 22, 2003

North American MSSP Magic Quadrant 2H02

I found a 23 Jan 03 report called North American MSSP Magic Quadrant 2H02. It depicts Managed Security Services Providers in relation to one another.

Sunday, April 20, 2003

Museum of Broken Packets

While perusing the FreeBSD ports tree, I came across a tool that pointed me towards the Museum of Broken Packets, which contains some odd packets collected from the Internet. This site was profiled by Slashdot in 2001 and a poster mentioned a paper with analysis of checksum failure. The site owner also wrote p0f.

Saturday, April 19, 2003

Quad NIC for FreeBSD

I'm considering purchasing one or more quad NICs for my network monitoring platforms. FreeBSD seems to like the Adaptec ANA-62044 best, although no vendor sells them. You can find them cheaply on eBay, though. When I need a gigabit adapter, I will probably buy an Intel® PRO/1000 MT Server Adapter.

Interservice Hackfest

Cadets are at it again, except this time it's an interservice hackfest supervised by the NSA. West Point gets all the attention here (probably because they host the Information Technology and Operations Center), but I'm sure USAFA grads are there.

Update from this article:

On Wednesday, the NSA told the teams to disable their firewalls for several hours at a time. The request came after a period of relatively little activity from the hackers, which led Midshipman Trevor Baumgartner to boast that the Navy group's defense technologies had stymied the NSA hackers. . . Thomas Hendricks, a visiting NSA professor at the Naval Academy, chuckled at the notion that the NSA team used the firewall exercise as a last resort. The loss of the firewall, he said, exposed an unsecured administrative account on the Navy's network, allowing the NSA to wreak havoc. "They were taught -- though I'm not sure how much they listened -- to protect as many layers of the network as possible," Hendricks said. "This part of the exercise was designed to see how many layers of protection they had in place."

Yeah right! If the NSA had been able to get past the firewall, they could have used a compromised host as a launch pad for attacks against the "unsecured administrative account" or any other internal weakness.

Friday, April 18, 2003

Midshipmen Busted for File Sharing

Those bad midshipmen at the US Naval Academy were busted for swapping files. Back in my day at the US Air Force Academy most cadets didn't even have network connectivity, and some didn't even have hard drives. Can you believe it?

Legality of Collecting Network Traffic

Kevin Poulsen, one of the few sources of original reporting on security issues wrote this article which is of interest to anyone doing network security monitoring. Although the article deals with honeypots, it asks good questions about the legality of collecting network traffic. This excerpt talks about using the "provider exemption" (explained here, with the law here):

That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. But even that exemption probably wouldn't apply to a system that's designed to be hacked, Salgado said. "The very purpose of your honeypot is to be attacked... so it's a little odd to say we're doing our monitoring of this computer to prevent it from being attacked."

Thursday, April 17, 2003

Testing LAN Performance

Joe Bardwell mentioned a few products at his Wildpackets seminar last week. One was Spirent Communications performance analysis products. For example, to test LAN performance, you might look at SmartBits Ethernet Modules. Joe also talked about NetScout LAN Probes. These might make good collection platforms, although they are more for performance issues and less for security or traffic collection like a Sandstorm NetIntercept.

Review of IT Security: Risking the Corporation Posted

just posted my three star review of IT Security: Risking the Corporation. This book is essentially the same as the Jan 98 book Intranet Security: Stories from the Trenches, according to this interview. From the interview:

Q: Tell us a little about this new version of your book. What's different?

McCarthy:The new version has a new chapter "Looking Back, What's Next?" which looks back over the last decade and discusses some of the problems that we see today and that we will face in the future. It has all new statistics and quotes from well-known people in the computer industry.

From the review:

When I saw Gene Spafford's glowing foreword to "IT Security," I expected a good read. This book did not deliver, and Spafford's suggestion that those seeking "deeper insight" consult "IT Security" rings hollow. I wondered if Spafford even read this very book when he wrote "all too often, management depends on the services or writings of self-professed experts whose whole experience has been in downloading and running pre-packaged penetration tools written by others." (p. xiv) The author's own words fit this mold.

What explains Spafford's words of praise? Perhaps this Dec 02 press release Symantec Funds Fellowship Program at Purdue University does:

"This Fellowship expands the long-standing relationship CERIAS has enjoyed with Symantec over many years. During that time we have collaborated on research issues of Internet security and policy," said Dr. Eugene Spafford, professor and director of CERIAS at Purdue University.

Wednesday, April 16, 2003

Cisco Support for Lawful Intercept In IP Networks

Along the lines of tapping cables comes a new draft RFC Cisco Support for Lawful Intercept In IP Networks, alternate. This Slashdot thread brought it to my attention. Expect to see more of this in the future. User-applied cryptography is the only way to avoid this sort of scrutiny. Here is an article about it, here's Cisco's page, and here's the fed's page. Check out Cable Monitor and Intercept Features for the Cisco CMTS "Cable Modem Termination System," i.e., cable modem.

Fiber Optic Cables and Monitoring Saddam Hussein

This article discusses tapping fiber optic cables, in an attempt to explain how Saddam Hussein was monitored in Iraq. From the article:

Web sites for metropolitan areas, such as San Diego, often post detailed maps of the entire citywide fiber backbone. In addition, the same high-speed fiber bundle sometimes serves a dozen or more office buildings, meaning criminals could gain access to wiring closets located in building basements or to cables that pass through public parking garages or elevator shafts, said Page. . . "This layer of security -- not just for fiber, but for standard LAN and telephone wiring also -- isn't really thought out by companies," said Pescatore. "I'd estimate that 75% of enterprises have some network cabling in public access space."

Here is the map mentioned above, part of the Bandwidth Bay project.

Articles like Intrusion prevention: IDS' 800-pound gorilla make me sick. Quotes like this demonstrate the ignorance of the speaker:

Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security.

Argh! Thankfully the same article shows some people still understand this issue:

Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. "Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion-detection system doesn't understand the problem stack," he said. "Intrusion prevention is access control. Intrusion detection is monitoring."
Sourcefire will probably play in the intrusion-prevention space at some point. "We see value in having an access control role on the network as well as a network-monitoring role, because it allows us to leverage the information to enhance monitoring and protection," Roesch said. "You can't have one without the other."

Tuesday, April 15, 2003

Neohapsis Open Security Evaluation Criteria

I happened upon the Neohapsis Open Security Evaluation Criteria (OSEC) site today. They measure various products, like network IDS, against the criteria, and post the results. This is a great idea, assuming the criteria are valid!

Snort 2.0 Stream4 Vulnerability

Here's a new reason to update to Snort 2.0 -- a vulnerability in the STREAM4 preprocessor. From the advisory:

Successful exploitation of this vulnerability could lead to execution of arbitrary commands on a system running the Snort sensor with the privileges of the user running the snort process (usually root), a denial of service attack against the snort sensor and possibly the implementation of IDS evasion techniques that would prevent the sensor from detecting attacks on the monitored network.

Black Hat Windows Security 2003: Seattle Presentations

Thanks again to CryptoGram, I noticed that Black Hat Windows Security 2003: Seattle presentations are available. Some of the topics look very interesting. The media archives page is a nice place to see everything available since Black Hat 1997.

Defending Against an Internet-Based Attack on the Physical World

Bruce Schneier also highlighted a new paper by Avi Rubin and friends: Defending Against an Internet-Based Attack on the Physical World. The authors describe how to automate the process of signing up a victim to receive thousands of catalogs and other mailings.

While visiting Avi's site, I noticed he teaches at the Johns Hopkins Information Security Institute, which offers a Master of Science in Security Informatics degree. Unfortunately, it does not seem to be one of 36 universities approved by the NSA as Centers of Academic Excellence in Information Assurance. I imagine JHU is working for this certification.

Wiretapping VoIP

Bruce Schneier's 15 Apr 03 CryptoGram (required reading for me) alerted me to a story on wiretapping. This quote blew me away:

Unlike a traditional phone call, where a line is dedicated between two parties, VOIP slices each call into millions of tiny digital packets, each of which can take a discrete route over the Internet. That means surveillance equipment must either be installed permanently on a network or calls must be routed through FBI surveillance equipment before being delivered to the caller, which experts say can create a suspicious delay. "Our tactical people are trying to plug every hole. But it's like playing the field short one player," says Szwajkowski. "A call that is not [able to be intercepted] is a major public-safety and security dilemma."

Snort 2.0 Released

Snort 2.0 was released yesterday. I will keep my eyes on the FreshPorts Snort page to see when the FreeBSD port of Snort 2.0 appears. Can you believe Snort 1.0 has a timestamp of 28 Apr 99? Thank you for the great work Sourcefire -- the community has certainly benefitted from your work!

Monday, April 14, 2003

Holding Owners of Compromised Computers Responsible

I've heard several people refer to legal activity in Texas, where victims of intrusions were being sued when the original victim's systems attacked third parties. This happened in 2001, when systems at Exodus were allegedly compromised and used to attack Web-hosting company C.I. Host. Marc Zwillinger mentioned this in this webcast, saying the suit was moved to Federal court and then settled out of court. His slides included this scan of the indictment. From this article:

JUST BEFORE 8 A.M. ON FEB. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as "countless" customers, the Fort Worth, Texas-based company got its lawyers involved. . . In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host's systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime. The case never made it to trial, but C.I. Host's lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed.

The other popular case is well-documented in the 2001 CSI/FBI Study:

The U.S. Navy's Criminal Investigative Service (NCIS) is in the throes of an investigation into how and why an as yet unidentified hacker stole the source code to OS/Comet from a computer at the U.S. Navy's naval research lab in Washington, D.C. in an attack conducted on Christmas Eve, 2000. OS/Comet was developed by Exigent International (Melbourne, FL), a U.S. government contractor. The software has been deployed by the U.S. Air Force on the NAVSTAR Global Positioning System (GPS) from its Colorado Springs Monitor Station, which is part of the U.S. Space Command. A copy of the OS/Comet source code was found during a police swoop in Sweden on a computer company whose identity has not been revealed. The intrusion appears to have emanated from a computer at the University of Kaiserslautern in Germany, which was used to download the software's source code via the Web and the service provider, which is owned by the Swedish firm Carbonide. The hacker known only as "Leeif" was able to hide his or her true identity by breaking into the account of a legitimate user and then using that person's account to distribute the source code to others. Exigent has filed suit against both Carbonide and the University of Kaiserslautern in Germany. The NCIS's inquiry is being headed by the NCIS headquarters for European affairs in Naples and by its London bureau, which deals specifically with Scandinavia.

Sunday, April 13, 2003

Review of Troubleshooting Campus Networks Posted

just posted my five star review of Troubleshooting Campus Networks. From the review:

I'm sad I waited so long to read this excellent book. "Troubleshooting Campus Networks" (TCN) was published in Jul 2002, and it belongs on every network administrator's shelf -- now! This is the best networking book since Scott Haugdahl's "Network Analysis and Troubleshooting" and Eric Hall's "Internet Core Protocols." TCN will truly test your networking knowledge; you'll quickly validate the truth and discard the fiction.

Thursday, April 10, 2003

National Society of Professional Engineers Code of Ethics

This Slashdot post brought to my attention the National Society of Professional Engineers Code of Ethics, which should apply to IT consultants as well. It includes:

I. Fundamental Canons

Engineers, in the fulfillment of their professional duties, shall:

  1. Hold paramount the safety, health and welfare of the public.

  2. Perform services only in areas of their competence.

  3. Issue public statements only in an objective and truthful manner.

  4. Act for each employer or client as faithful agents or trustees.

  5. Avoid deceptive acts.

  6. Conduct themselves honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession.

Codes of ethics are the only worthy element of the "certification" I hold -- the CISSP. Here is its Code:

  1. Protect society, the commonwealth, and the infrastructure.

  2. Act honorably, honestly, justly, responsibly, and legally.

  3. Provide diligent and competent service to principals.

  4. Advance and protect the profession.

Thoughts on SPAN Configurations

I've been trying to understand how to configure Cisco switches for use in network security monitoring solutions. By reading Configuring the Catalyst Switched Port Analyzer (SPAN) I learned:

"For the SPAN on the Catalyst 2900XL/3500XL switches... the main restriction is that all the ports related to a given session (whether source or destination) must belong to the same VLAN... Unlike the Catalysts 2900XL/3500XL, the Catalyst 4000/5000/6000 can monitor ports belonging to several different VLANs."

I also learned "The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports, it can not monitor VLANs. The Catalyst 3550 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs... Unlike the 2900XL and 3500XL family Switches, the Catalyst 2950 and 3550 faimly Switches are able SPAN source port traffic in receive direction only, (Rx span or ingress span) or in tranmsit direction only (Tx span or egress span) or both." (The spelling errors belong to Cisco!)

When running CatOS, according to a chart in the document, the Catalyst switches have these limitations for monitoring local ports:

  • Catalyst 4000 support 5 Rx or Both SPAN sessions

  • Catalyst 5000 support 1 Rx or Both SPAN sessions

  • Catalyst 6000 support 2 Rx or Both SPAN sessions

When running Cisco IOS, Catalyst 2950/3550, 4000, and 6000 each support 2 Rx or Both SPAN sessions for monitoring local ports.

Here's another note with some grammar issues: "Catalyst 2950 switches using software release 12.1.(9)EA1d and earlier versions in 12.1 train supported SPAN with the caveat that all packets seen on the SPAN destination port (connected to the sniffing device/PC) had a 802.1Q tag on them, even though the SPAN source port (monitored port) may not be a 802.1Q trunk port. If the sniffing device or PC NIC does not understand 802.1Q tagged packets, they may drop the packets or have difficulty decoding them. Ability to see the 802.1Q tagged frames is important only when the SPAN source port is a trunk port. Starting from 12.1(11)EA1, you can enable/disable tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface-id encapsulation dot1q command to enable encapsulation of the packets at the destination port. If the encapsulation keyword is not specified, the packets are sent untagged, which is the default starting from 12.1(11)EA1."

This means your sniffer must be able to decode VLAN tags, if using older versions of Cisco IOS. Since Snort v1.8, Snort has supported decoding 802.1q VLAN tags. The TCPdump man page mentions VLAN tagging as well.
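As an added example (not code from this post, from Cisco, or from Snort), here is a small Python decoder that handles exactly the situation described above: frames arriving on the sniffer with an 802.1Q tag in front of the real EtherType, or without one. The function names, MAC addresses and payload bytes are my own constructed values; it also peels a Q-in-Q (802.1ad) outer tag, which goes slightly beyond the single-tag case in the Cisco note.

```python
"""Decode frames arriving on a SPAN destination port, whether the switch
delivered them with an 802.1Q tag (older Catalyst 2950 code, or the
'encapsulation dot1q' option) or untagged (the later default).

Added example for this post; the helper names below are my own, not Cisco's
or Snort's, and the sample frames are constructed, not captured."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100   # 802.1Q VLAN tag (TPID)
ETHERTYPE_8021AD = 0x88A8  # 802.1ad outer tag (Q-in-Q)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_ids: List[int] = field(default_factory=list)  # outermost first; empty if untagged
    priority: Optional[int] = None                     # 802.1p PCP of the outermost tag
    ethertype: int = 0
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling off any 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    frame = Frame(dst=_mac(raw[0:6]), src=_mac(raw[6:12]))
    offset = 12
    ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    # A tagged frame carries TPID + TCI (4 bytes) before the real EtherType.
    # A decoder that skips this step misreads the TCI as the EtherType and
    # drops every frame a tagging SPAN port delivers.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(raw) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
        if frame.priority is None:
            frame.priority = tci >> 13
        frame.vlan_ids.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    frame.ethertype = ethertype
    frame.payload = raw[offset + 2:]
    return frame


def vlan_summary(frames: List[bytes]) -> dict:
    """Count frames per outermost VLAN ID; key None means untagged."""
    counts: dict = {}
    for raw in frames:
        f = decode_frame(raw)
        key = f.vlan_ids[0] if f.vlan_ids else None
        counts[key] = counts.get(key, 0) + 1
    return counts


# --- constructed sample data (hypothetical MACs and payloads) ---------------
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
ARP_PAYLOAD = bytes(28)                  # stand-in for an ARP body
IPV4_PAYLOAD = b"\x45\x00" + bytes(18)   # stand-in for a 20-byte IPv4 header


def build_frame(ethertype: int, payload: bytes, tags=()) -> bytes:
    """Build a frame; tags is a sequence of (tpid, priority, vlan_id), outermost first."""
    hdr = DST + SRC
    for tpid, prio, vid in tags:
        hdr += struct.pack("!HH", tpid, (prio << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


UNTAGGED_ARP = build_frame(ETHERTYPE_ARP, ARP_PAYLOAD)
TAGGED_VLAN10 = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD, [(ETHERTYPE_8021Q, 3, 10)])
TAGGED_VLAN20 = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD, [(ETHERTYPE_8021Q, 0, 20)])
QINQ_100_10 = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD,
                          [(ETHERTYPE_8021AD, 0, 100), (ETHERTYPE_8021Q, 0, 10)])
SAMPLE_FRAMES = [UNTAGGED_ARP, TAGGED_VLAN10, TAGGED_VLAN20, QINQ_100_10]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = decode_frame(raw)
        print(f"{f.src} -> {f.dst} vlans={f.vlan_ids} type=0x{f.ethertype:04x}")
    print(vlan_summary(SAMPLE_FRAMES))
```

On a real sensor the raw bytes would come from the capture library instead of SAMPLE_FRAMES; the VLAN ID recovered here is what tells you which VLAN a packet seen on a multi-VLAN SPAN session actually belongs to.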

The FAQ at the document's end is useful:

Can I Have Several SPAN Sessions Running at the Same Time?

  • On the Catalyst 2900XL/3500XL family, the number of destination ports available on the switch is the only limit to the number of SPAN sessions.

  • On the Catalyst 2950 family, you can have only one assigned monitor port at any given time. If you select another port as the monitor port, the previous monitor port is disabled, and the newly selected port becomes the monitor port. (Me: This seems to conflict with guidance above on having two SPAN ports?)

  • On the Catalyst 4000/5000/6000, since CatOS 5.1, you can have several concurrent SPAN sessions:

The product-specific literature is more detailed. The Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(13)EA1 includes Configuring SPAN and RSPAN, and the Catalyst 2950 and 2955 Switches, Rel. 12.1(13)EA1 also includes Configuring SPAN and RSPAN. The bottom line appears to be that SPANning multiple VLANs is not a problem, but there are limits as to what data is available regarding where the packets come from or go to.

I learned of a new term -- port snooping. This applies to layer 3 switches like the Cisco 8500 series.

The Cisco Catalyst 3550 24 10/100 port switch with two gigabit interface converter (GBIC) ports sells for about $2100. The Cisco Catalyst 2950G-24 24 port switch with 2 GBIC ports sells at CDW for about $1800. A cheaper 2950 sells for a little under $1000, but I don't immediately recognize the differences.

Tracfone Fraud

Yesterday I was walking through a Lowe's hardware store. I saw a Tracfone for sale. Tracfone is a product consisting of a phone and separate prepaid wireless minutes. Given you can buy these with cash in your local Circuit City, I sensed an opportunity for troublemakers who prefer to act anonymously. (While there are other prepaid cellular plans, it appears they tie to existing accounts, or at least don't offer the easy cash purchase method of Tracfone.) I found that Tracfone sells at least one cell phone, the Motorola v120t, which can be equipped with the Multi-Connect Serial Data Kit - 98320 -- a cellular modem. At this point a dial-up ISP is required to use the cellular modem. I'm not sure where to go with this, but overall this exercise has given me an idea how criminals might seek to hide their identity.

On a related note, it's possible Tracfone's prepaid calling cards have been the target of fraud. This post claims people are selling Tracfone cards on eBay, and references this thread as "proof". I also found a site which teaches ways to defraud Tracfone, complaining that Tracfone defrauds its customers.

Let me make it clear that none of this discussion is intended to assist the reader with defrauding anyone. I try to understand these techniques because my professional career involves helping companies to combat fraud.

Wednesday, April 09, 2003

900 MHz Wireless Access Points

At yesterday's Wildpackets seminar, Joe Bardwell mentioned techniques to lessen the chances of finding rogue wireless networks. He said someone wanting to hide a rogue wireless network should use a frequency not currently popular. Given most people run 802.11b at 2.4 GHz or 802.11a at 5 GHz, that leaves something operating at 900 MHz. Thanks to Cisco documentation, I found products by Aironet, which Cisco bought, that run at 900 MHz. They include:

Tuesday, April 08, 2003

Wildpackets Expert Packet Analysis Seminar

Today I attended a free Wildpackets Expert Packet Analysis Seminar. The instructor was Joe Bardwell and he gave an incredible, educational talk. Joe is one of the authors of Troubleshooting Campus Networks, which I recently reviewed and whose review I'm waiting to see posted. I recommend you sign up for the free Wildpackets seminar in your area.

ISS Internet Risk Impact Summary Published

This Register story alerted me to the publication of the latest ISS Internet Risk Impact Summary. It's a 16 page doc describing what ISS has seen in the last three months.

Monday, April 07, 2003

New Samba Vulnerability?

Slashdot is running a thread on a new Samba vulnerability which Digital Defense discovered. This comment by Jeremy Allison of the Samba team is one of the best reasons why event-based IDS data can fail, and should be reinforced by collecting session and full content data. He's responding to a challenge to prove he has unreleased exploits for Microsoft SMB/CIFS:

If you put one of your Windows servers on a network I had access to I would be able to show you. I will not release the code publicly (for obvious reasons). Knowledge of these bugs would allow worms/viruses to utterly cripple Microsoft based corporate networks.

If you choose not to believe me without exploit code then that's up to you, but I will not act in an unprofessional way to prove a point.

Jeremy Allison,
Samba Team.

Saturday, April 05, 2003

Stegtunnel New Release

PacketStorm alerted me to the newest release of stegtunnel. As a network security analyst, I like to keep an eye out for these sorts of tools. I'll test it when I have time. This tool also manipulates the IP ID field, just as Craig Rowland's covert_tcp program did in 1996. From the stegtunnel description:

Stegtunnel is a tool written to hide data within TCP/IP header fields. It was designed to be undetectable, even by people familiar with the tool. It can hide the data underneath real TCP connections, using real, unmodified clients and servers to provide the TCP conversation. In this way, detection of odd-looking sessions is avoided. It provides covert channels in the sequence numbers and IPIDs of TCP connections.

FreeBSD 4.8 Released

FreeBSD 4.8 was released late Thursday night. FreeBSD 5.1 is scheduled for release 2 Jun 03. I'm looking forward to reading the fourth edition of The Complete FreeBSD, hopefully later this month.

Friday, April 04, 2003

Removing Content from Google

A FIRST post alerted me to this article on Removing Your Materials from Google. For example:

if you want your materials removed right away, you can use the automatic remover at You'll have to sign in with an account (all an account requires is an email address and a password). Using the remover, you can request either that Google crawl your newly created robots.txt file, or you can enter the URL of a page that contains exclusionary META tags.

Wednesday, April 02, 2003

Rik Farrow on VLANs

Rik Farrow wrote another great article, VLANs: Virtually Insecure?. That same issue of Network Magazine features a product highlight of an XML firewall built by Data Power Technology. I find this interesting because we now have to inspect, filter, and alert on traffic to specific ports like 80 tcp. This happens when developers code multiple protocols for a single port. We already have this problem with the Windows networking world, where ports 135, 137, 138, and 139 are used for multiple purposes by multiple services. Unfortunately, businesses can't firewall off port 80 to the world.