Showing posts from August, 2003

Shoki, the Alternative Open Source IDS

We all know how popular Snort is as an open source intrusion detection event generation engine. Have you ever heard of Shoki? I've known about it for a while, but while researching I found it seems to be progressing nicely. The latest release dates from May 2003. I'm probably most interested in the project's packet visualization tool, Hustler, from which the screenshot at left is taken. It looks like it doesn't just accept libpcap data, but must work with Shoki. It looks like Shoki is near the same phase as Sguil -- still rough, with some operator knowledge needed to get the system running. Another open source IDS vying for its place in the sun is Tamandua. Version 2.0 was released in June 2003. It may be a good tool (I haven't used either Shoki or Tamandua), but I'm reluctant to try Tamandua. Most of the presentations are in Portuguese, and the project seems to be the offshoot of a commercial company. At some point I'd like to have the skill

Ohio University Offers Excellent IDS Resources

While doing research for my book Real Digital Forensics I visited the home page for the network session data generation tool TCPTrace. I learned that a new manual was released last week. I also learned that Ohio University supports an IDS project called INBOUNDS. Their publications page is very impressive, since they host their students' theses and copies of some of the most important IDS documents of the last decade. I look forward to seeing Manikantan Ramadas, Shawn Osterman, and Brett Tjaden present their paper next week at RAID 2003 (Recent Advances in Intrusion Detection) in Pittsburgh.

Running Snort On a Linksys Wireless Access Point

I read how Jim Buzbee figured out how to run Snort on his Linksys WAP. This is no joke. The folks at Seattle Wireless discovered the Linksys WRT54G runs Linux kernel 2.4.5. Through a bug they investigated the box thoroughly. They also physically disassembled the box. They learned the web server used to administer the device is mini_httpd. Amazing.

Is Earth Station Five a Hoax?

Is Earth Station Five a media industry sting operation? A few friends told me about this site today, so I poked around a bit. ES5 appears to be some sort of file-sharing network which thumbs its nose at the Recording Industry Association of America and the Motion Picture Association of America. ES5 seems to have made its biggest splash in this CNET article where ES5 "President" "Ras Kabir" claims "We're in Palestine, in a refugee camp." The earliest reference I found dates from 18 March 2003 in a post at a digital music site. It was also discussed on 25 June 2003 at the filesharing site. Prior to the story, I found press releases which appear to be from 27 June 2003, 1 July 2003 and 7 July 2003. The story states: "According to Earthstation 5 founder Kabir, the company was formed after a conversation with his brother Nasser in Ramallah two years ago, as Napster was circling toward its nadir. Ov

New "CISSP Associate" for People without Years

I learned today that people who would like to be a CISSP without having the necessary number of years experience can become a CISSP Associate. I find this rather odd. According to the press release: "After passing the selected exam and signing (ISC)2's Code of Ethics, the Associate must garner the requisite work experience and successfully complete a professional endorsement process before he/she becomes officially certified as CISSP or SSCP. The CISSP, designed for professionals devising information security strategy, requires four years of professional experience in the field of information security, while the SSCP, designed for professionals following a tactical information security career path, requires one year of experience. Associates of (ISC)2 will not be able to use the designation of CISSP or SSCP until formally certified." Why bother, then? Is this "CISSP-lite"? I think it's a ploy to get more people to take the exam and say "Yes, pro

Reviews of Absolute OpenBSD, Protect Your Information with Intrusion Detection Posted

I just posted my five star review of Absolute OpenBSD. I thought this was a great book. No one else has written a general-purpose OpenBSD system administration guide. I used the book to get my first familiarity with OpenBSD. Michael is working on a book for NetBSD now called Absolute NetBSD. From the review: "The bottom line is this: Michael Lucas knows what to write to help system administrators get the job done. I wish other authors did the same. I'd love to see Lucas or another "No Starch" author write "Absolute Cisco Routers," followed by "Absolute Cisco Switches." Any takers?" Unfortunately, I was disappointed by Protect Your Information with Intrusion Detection and gave it three stars. From the review: "It was my fault that I bought this book. I should have been tipped off by the odd choice of "key points" on the cover: "describing firewalls, indicating security policy violations, analyzing the i
While reading a Slashdot story on a curses library (.pdf) version of GTK (The Gimp Toolkit) called Cursed GTK, I found a link to Contiki, a "highly portable, modern, open source, Internet-enabled operating system and desktop environment for very constrained systems, such as 8-bit homecomputers like the Commodore 64." You can access Ethernet using this special NIC. Can it get better? Oh yes. You can access a Commodore 64 remotely using a special version of VNC called CTK VNC by visiting this site. Above is a screenshot of the page when I used the Java VNC client. Not only was this site offering remote VNC access, it was also serving up web pages!

Security News Ticker Added to Blog

I find the security news ticker from Security News Portal to be very helpful, so I added it to the blog. Let me know if you like it or dislike it!

New Version of SHADOW IDS Released

I read on snort-users that Guy Bruneau released version 3.1 of the SHADOW IDS. Installation documentation (.pdf) is available. You can download an .iso. I'm interested in seeing how the .iso works out. With VMWare I can install directly from the .iso without burning it to CD-ROM. Keep in mind SHADOW is a packet-header based IDS. It is not a content inspection system like Snort or commercial IDS. Still, it can be useful.

ISECOM Provides "Non-Profit" Competition for SANS

I learned that a new edition of the Open Source Security Testing Methodology Manual was released Saturday. The OSSTMM is a consensus document whose objective is "to create one accepted method for performing a thorough security test." It is created by the Institute for Security and Open Methodologies, described here as "a non-profit organization which provides collective information and tools under the open source licenses for free public use. This information is provided via the Internet and through social venues and conferences." This sounds somewhat like SANS, who as recently as Oct 02 was called "a nonprofit security research and training group." I couldn't find any indication on the SANS web site of their non-profit status, and searches into archived pages for SANS, Escal, and "The Intranet Institute" didn't show anything confirming its non-profit status. Just as SANS offers certifications, ISECOM offers the OSSTMM Profes

Watch Connections with Free Tools

If you're using a Linux-based NAT (or "IP Masquerading") firewall as an inline device, you may need a way to check the sessions as they pass through it. ConnViewer will do that for you. Pkstat will give text-based traffic statistics, as will other tools listed on that site.

WAP Gateway Allows Testing, Access

Wireless Application Protocol, or WAP, is a protocol allowing some mobile devices (mainly cell phones) to "surf" the Internet. I found this Public WAP Gateway, with which you can test your phone! Check the Yahoo Forum for the web site to see how people are using this free service.

Researchers Use "Fuzzing" to Find Security Flaws

When I attended Black Hat USA 2003 last month, several presenters mentioned "fuzzing" as a technique to find security vulnerabilities. As I understand it, fuzzing involves sending unexpected input to an application and monitoring its responses for signs of vulnerabilities. The most widely known tool is Dave Aitel's SPIKE. The PROTOS suite was famous for its discovery of SNMP weaknesses last year. The IP Stack Integrity Checker is another open source tool. There are alternatives to these tools in private use, and some offer other methods, like software from Greg Hoglund's HBGary, to find similar weaknesses.
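To make that loop concrete (mutate input, send it, watch what the target does), here is a small Python mutation fuzzer I am adding to this post. It is my own illustration, not code from SPIKE, PROTOS, ISIC or any of the tools mentioned. The target is a made-up record parser with one deliberate bug: it trusts the per-record length byte and reads past the end of its input, which Python reports as IndexError where C would give an out-of-bounds read. The fuzzer mutates a valid constructed input, treats any exception other than the parser's own ParseError as a finding, and is then run a second time against a bounds-checked variant of the same parser. The record format, the function names and the sample input are all invented for the example.

```python
import random


class ParseError(Exception):
    """Raised when the parser rejects input cleanly; any other exception is a bug."""


def parse_records(buf, bounds_check=False):
    """Parse a made-up record format (assumed for this example, not a real protocol):
    4-byte magic b'RECS', a 1-byte record count, then count records of
    [type (1 byte)][length (1 byte)][payload (length bytes)].

    With bounds_check=False the payload length byte is trusted, so a length larger
    than the remaining data indexes past the end of buf and raises IndexError.
    That is the deliberate bug; in C it would be an out-of-bounds read."""
    if len(buf) < 5 or buf[:4] != b"RECS":
        raise ParseError("bad header")
    count = buf[4]
    pos = 5
    records = []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ParseError("truncated record header")
        rtype, rlen = buf[pos], buf[pos + 1]
        pos += 2
        if bounds_check and pos + rlen > len(buf):
            raise ParseError("payload length exceeds input")   # the hardened check
        payload = bytes(buf[pos + i] for i in range(rlen))     # unchecked read when bounds_check=False
        pos += rlen
        records.append((rtype, payload))
    return records


def mutate(data, rng):
    """Apply one random mutation: overwrite a byte, truncate, or insert junk bytes."""
    data = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        at = rng.randrange(len(data) + 1)
        data[at:at] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(data)


def fuzz(target, seed_input, iterations=500, seed=1):
    """Mutation fuzzer: feed mutated copies of seed_input to target and collect
    every (exception name, input) pair where target failed with something other
    than ParseError. The seeded RNG makes a run reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ParseError:
            continue            # rejected cleanly: not a finding
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


# Constructed valid input: two records, (type 1, b"abc") and (type 2, b"hi").
SEED_INPUT = b"RECS" + b"\x02" + b"\x01\x03abc" + b"\x02\x02hi"

if __name__ == "__main__":
    bad = fuzz(parse_records, SEED_INPUT)
    good = fuzz(lambda b: parse_records(b, bounds_check=True), SEED_INPUT)
    print(f"unchecked parser: {len(bad)} crashing inputs")
    if bad:
        print(f"first crash: {bad[0][0]} on {bad[0][1]!r}")
    print(f"bounds-checked parser: {len(good)} crashing inputs")
```

Two things worth noticing when you run it. First, the crashing inputs the fuzzer finds are mostly truncations and single-byte edits of the length fields, which is exactly the class of input a hand-written test suite tends to skip. Second, the "monitoring" step is the whole point: a fuzzer that cannot tell a clean rejection from a crash finds nothing, and for a real target that monitor is a debugger, a core dump watcher or a liveness probe rather than a Python except clause.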

Oakley Networks Product Monitors for Inappropriate Insider Activity

Earlier I mentioned Vericept, whose product watched for the movement of sensitive data out of corporate networks. I recently learned of Oakley Networks, whose IO-3 product appears to do something similar. Rather than watching for suspicious inbound activity, typically caused by intrusion attempts, this product watches for leakages of data defined by the administrator. Of course, the product only gets interesting if we know it doesn't "grep for strings." We could program Snort or ngrep to do that!
In my never-ending quest to discover obscure ways to transfer data, I've used BBSs, the Internet, private government networks, and amateur radio packet networks. Now I've learned of a system called FidoNet. FidoNet is a system whereby users transfer mail and files via modem using a "proprietary protocol." These systems link to gateways connected to the Internet, so mail can be exchanged between the two networks. It seems the appeal of FidoNet is the class of users is different, and there's more of a sense of community. FidoNet is strictly regulated, not allowing any commercial content. Candidates have to apply to their region. First locate the major region, like Region 1 for North America. Then, apply to the local region, like Region 13 for Washington, DC. Some web-based gateways to FidoNet exist, and I've noticed some telnet-accessible BBSs offer FidoNet access. There's a FidoNet Newsletter, too!

Visualization Software for Snort Alerts

I haven't tried this yet, but a tool called Scanmap3d is available to visually depict Snort alerts. The military has been interested in this sort of technology for years, which gave birth to Silent Runner. If Scanmap3d displays alerts, that's interesting. I wonder if it could be adapted to display session data, perhaps from Argus? According to this May 03 press release, Silent Runner received a patent for their technology: "The U.S. Department of Commerce Patent and Trademark Office issued Patent #6,549,208 for SilentRunner’s technology architecture that enables digital data input from external sensors for visual analysis, correlation and display with data derived from four major software groups: Virus Computer Code Detection; Analysis of Computer Source and Executable Code; Dynamic Monitoring of Data Communication Networks; and 3-D Visualization and Animation of Data."

Review of The Complete FreeBSD, 4th Ed Posted

I finally posted my five star review of The Complete FreeBSD, 4th Ed. Currently it appears on my personal reviews site but I expect to see it on the book's individual page soon. From the review: "Before reading Greg Lehey's "The Complete FreeBSD, 4th Ed" (TCF:4E), I reviewed Michael Lucas' excellent "Absolute BSD" (a FreeBSD book) in Feb 03. I can't say which book is better, and I recommend you buy Lucas' book as well as this one. TCF:4E remains for me the FreeBSD user's manual; any serious FreeBSD user will have it on his or her shelf. The two books complement each other, as Lucas is often more direct in his explanations." I submitted my five star review of Michael Lucas' Absolute OpenBSD last night. We'll see how long it takes to appear!

Blaster Strikes Railroad Company

Striking a little closer to home, CSX, operator of "the largest rail network in the eastern United States," reported "significant slowdowns early today after a computer virus infected the network." I ride the Virginia Railway Express to the Foundstone DC office, but I didn't take it yesterday. According to the CSX press release: "The infection resulted in a slowdown of major applications, including dispatching and signal systems. As a result, passenger and freight train traffic was halted immediately, including the morning commuter train service in the metropolitan Washington, D.C., area. Contrary to initial reports, the signal system for train operations was not the source of the problem. Rather, the virus disrupted the CSXT telecommunications network upon which certain systems rely, including signal, dispatching and other operating systems." Wonderful. Who in management will be fired because of these incidents? Probably no one.

Slammer (Jan 03) Crashed Ohio Nuke Plant

Kevin Poulsen wrote an excellent article on the means by which Slammer (not Blaster) "penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall." The article shows how network admins do not understand the connectivity of their networks, which then allows customer networks and VPN clients to bypass external-facing access control: "It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread. 'This is in essence a backdoor from the Internet to the Co

AFCERT Keeps the Faith

Next week I head back to San Antonio to teach Foundstone's "Ultimate Hacking" to members of the 33rd Information Operations Squadron, which includes the Air Force Computer Emergency Response Team (AFCERT). I served as a captain in the AFCERT from Sep 98 through Feb 01. Thanks to the magic of , you can see the first job I was stuck with doing, before I learned IDS -- redesigning the AFCERT web page! I provided content for some of the pages once that webmaster duty fell on other shoulders, but some of the pages appear familiar ... I'm looking forward to seeing some of my old colleagues. The May 03 Spokesman online magazine profiled the AFCERT. My favorite quote is by one of the best guys to ever work in the AFCERT: The AFCERT of today wasn’t always such a robust organization. "Many people don’t realize we started in the early 1990s with only a handful of dedicated people who understood this business," said Tech. Sgt. Will Patrick, AFCERT

Time Magazine on Blackout

I'm not a big TIME magazine reader but I thought their recent story on the blackout offered some cool graphics, like this depiction of the northeast power grid. Their Shockwave animation is also neat. Be sure to visit TIME's site to read the whole account.

Updating My Mini-PC... I Mean Cell Phone

I've had a Motorola i90c cell phone for a year and a half now. I've known all along that the i90c is for all intents and purposes a general purpose computer, with memory, CPU, and I/O. I've used my Nextel Online service to download Java applications, but no one has yet hacked me via a malicious Java application. It will happen though. This CNN story says "Victor Brilon, Java applications manager at Nokia, and Charles Chopp, Nokia's media relations manager, laughed when I asked questions about writing Java programs that make full use of a cell phone's computing and communications power. As on PCs, Java apps on cell phones run in a "sandbox" that prevents them from doing damage to their surroundings." Sure. Check out the presentation (.pdf) by FX of on hacking the Siemens S55. Back to updating the phone... All this time I've had the cable needed to connect the phone to my laptop, but never used it. Well, after perusing the How

FDIC Proposes Guidelines Telling Banks to Notify Customers of Breaches

SANS Newsbites informed me of a Washington Post article on the Federal Deposit Insurance Corporation's plans for new banking guidelines. From the story: "Under the proposal, banks and other financial institutions would alert customers by mail, telephone or e-mail, when they find unauthorized access to personal data that could result in substantial harm or inconvenience. Banks also would be told to flag any accounts that may have been compromised and monitor them for unusual or suspicious activity." This marks a significant break from standard practice. In the past banks had latitude to keep things quiet, at the discretion of the board and legal counsel. Of course, the details of the guidelines must dictate what constitutes "unauthorized access" and "personal data" and "substantial harm or inconvenience." Stay tuned.

Last Day to Oppose Broadband over Power Lines (BPL)

I just learned of this issue Monday night at an amateur radio meeting. The Federal Communications Commission released a "notice of inquiry" (NOI) (.pdf, .doc) on 28 Apr 03 regarding "Broadband over Power Lines" (BPL). The American Radio Relay League, an organization supporting amateur radio, filed its opposition to BPL, and I encourage readers who care about supporting amateur radio to do the same. Today is the last day to submit a comment to the FCC! I describe how to do so below. BPL involves sending data in the form of electrical signals over power lines designed and optimized for 60 Hz power. Unfortunately, power lines weren't built to handle BPL, which operates at 2 to 80 MHz. Power lines are unshielded, and they make the world's greatest antennas! So what? The result is "spillage" of the signal all over the radio spectrum in the 2 to 80 MHz band. You can see what uses these channels on a frequency allocation chart. An ama

Study Shows Blackout's Effects on Individual Routers

Slashdot alerted me to an online report on the effects of the northeast blackout on individual routers. Renesys monitored BGP announcements and watched routers drop out of the tables, as shown in their graph below. From the report: "The majority of the power failures began at about 16:10 EDT. Immediately thereafter, the number of routes in global routing tables dropped rapidly, falling by nearly 1000 within five minutes. This likely corresponded to the loss of reachability of networks which did not have alternative backup power sources. Table size then continued to drop, though at a slightly more gradual pace. We suspect that losses during this time correspond to networks with limited backup power which were able to stay online temporarily until those power supplies were exhausted. By 19:00 EDT, routing table sizes had reached their low point, a full 2500 networks fewer than the current baseline size."

Systrace Policy Library

While reading Michael Lucas' excellent Absolute OpenBSD, I learned of a project which maintains a library of Systrace policies called the Hairy Eyeball Project. Systrace allows administrators to define which system calls (and with which arguments) their applications may make. Systrace is included in OpenBSD and ports exist for other operating systems. I'm most interested in the FreeBSD version which Rich Murphey presented at DefCon XI. I haven't seen anything from DefCon XI posted in the site's archives yet. While perusing the mailing lists I discovered CerbNG which appears to have similar functionality to Systrace. I think projects like this are key to improving security. Boundaries between the untrusted "outside world" and the trusted "inside world" are dissolving. Road warriors infected with the latest worm use their VPN to connect to the corporate network, bypassing defenses aimed at exterior threats. Increasingly hosts must defend themselves as access contro

Webcast on Network Security Monitoring

At 9 am eastern on Wed 28 Aug 03 my webcast "Implementing network security monitoring with open source tools" will "premiere" at You can sign up here . It won't be live since I'm recording it Thursday afternoon, but you can submit questions which I'll answer on their web site. It's a sequel to last year's webcast mentioned on my press page.

Bring New Life to Your Commodore 64

My dad recently shipped my old Commodore 64 to me and I'm trying to figure out how best to use it. It would be fun to run a BBS accessible via telnet, like these. My Commodore 64, 1541 disk drive, Capetronic 1200 baud modem, and RS-232 serial interface all work, but I need software for the C-64. There are plenty of games that run on emulators, but how do I get software from the archives onto the C-64? Assuming the C-64 has no terminal software available, my best bet appears to be to use Star Commander on a PC running MS-DOS. I'll connect the PC to the 1541 disk drive using a special cable (probably the XA1541). I'll use Star Commander to write Commodore software like EBBS to a floppy in the 1541. Once the software is available to the C-64, I can try setting up a BBS like that run by Leif Bloomquist. Using these instructions, I could even access telnet services from the C-64! Here's another option called BBSLink that forwards incoming telnet conne

Internet Radio Linking Project Connects the World

When I attended Black Hat USA 2003 in Las Vegas last month, I brought my amateur radio with me and found myself listening to callers all over the world. It turns out I had stumbled upon a frequency used by the Internet Radio Linking Project. The IRLP links amateur radio repeaters by encapsulating voice communications over the Internet. So, when I listened to 146.40 MHz in Las Vegas, I was listening to node 3290 on the IRLP! This is another example of how amateur radio is alive and well in the age of IRC and text messaging via cellphone. You can listen to the IRLP live for free here: . Currently my rig can only operate on 2 meters (144-148 MHz), and the nearest IRLP nodes to me operate on 70 centimeters (420-450 MHz). I've been checking the eHamnet Reviews for a good dual-band rig I can afford. The Yaesu FT-8800R has good reviews and supports a feature called WIRES, or "Wide-coverage Internet Repeater Enhancement System."

Email Sent from Amateur Radio Network to Internet and Back

Today I visited the Ham Radio Outlet in Woodbridge, VA and bought a Kantronics KPC-3+, pictured above. This little beauty is a "Terminal Node Controller" (TNC) and it lets my HTX-202 2 meter radio (pictured next) talk to the "packet radio" network around the world. Combine this equipment with an amateur radio license and you're ready to go! (I earned my Technician class license in 2001.) I cabled my laptop to the KPC-3+, and cabled the KPC-3+ to my HTX-202. Next I used the Windows Hyper Terminal program to communicate with the KPC-3+. I told the TNC to connect to W4OVH, which is a geographically nearby packet node operated by the Ole Virginia Hams Amateur Radio Club. From there I hopped to a node which offers mail relay to Internet space from the packet network. I composed a message, shown partially below: I received the message on my Thunderbird Windows XP Internet email client: I replied to the message on my XP box and got the reply

Blog Enhancements

Since I still can't upgrade to Blogger Pro, I'm trying a few free services. First, I added a counter courtesy of . I'm also experimenting with a free service that allows readers to comment, courtesy of BlogExtra. I got ideas on both from CFMXPLUS. Let me know what you think! Update: I removed the comment service as it doesn't seem to be working now.

Reliable Software Group Produces Security Code

Yesterday I came across the Reliable Software Group at the University of California Santa Barbara. They offer research on several projects, but the one of most interest to me is STAT, or "State Transition Analysis Technique for Real-Time Intrusion Detection." They provide RPMs for Red Hat 7.3 and packages for Solaris 7 SPARC, so I might give some of their code a try.

Computer Forensic Conference Concludes

Today the Regional Computer Forensic Group finishes their Annual GMU Computer Forensics Symposium. The RCFG is sponsored by the High Technology Crime Investigation Association DC Chapter. I watched two of my Foundstone coworkers brief scenarios based on cases we've worked during the last few years. You don't have to be a Fed to join the HTCIA, although some of the briefings at the conference were "confidential" and closed to those outside the government or law enforcement.

Effect of East Coast Blackout on Internet

Yesterday just after 6 pm eastern I checked the Internet Health Report to see if the east coast blackout was affecting the Internet. I didn't see anything out of the ordinary. Looking at the Internet Traffic Report, however, as of this writing a core router in Michigan, (, appears down. Since my father-in-law in Michigan reported he's still without power, maybe that's the cause. Of the 78 routers monitored in North America by the ITR, only a handful are in the affected states. Most of those didn't see major problems during the outage, so they must have had backup power. Oddly, besides the router, ( and ( are also completely down right now.

Running Four VMWare Guests Simultaneously

I installed Red Hat 9.0 on my IBM ThinkBrink (I mean ThinkPad) a20p yesterday. It has 384 MB RAM and a 20 GB hard drive. I then installed a trial version of VMWare 4 for Linux. Next, I installed images of Windows NT 4, Red Hat 7.0, FreeBSD 4.3, and Solaris 7 x86. I gave each OS 32 MB RAM and between 1-3 GB hard drive space. I was able to run all four OS simultaneously without a real problem, although I didn't run X in Linux and FreeBSD. Solaris offers a GUI by default but I began a command line session instead. This arrangement makes a decent lab environment, although more RAM would help. It's nice being able to run old operating systems in such small amounts of memory!


Several people have told me to try Knoppix, a bootable Linux distro that runs in a RAM disk. I gave it a shot, running it straight from my CD-ROM drive and then within a virtual machine to acquire screen shots. This is a great idea if you want to try Linux without installing a full distro on your hard drive. Knoppix is entirely memory-resident, so if you power off your machine Knoppix disappears. I must note that upon restarting my Windows XP laptop after running Knoppix, it bluescreened when the Windows logo disappeared. A hard shutdown fixed the problem, which must have had something to do with memory contents. Knoppix loads directly from the CD-ROM, and drops users into a KDE desktop. Knoppix is based on Debian. You can read about the software included on the Knoppix web page. My friends like Knoppix because it has vast driver support for peripherals, making their lives easier. A special Security Tools Distribution is available. This poorly named "STD" distro inc

GNU FTP Site Compromised

While perusing recent CERT advisories, I read was compromised in Mar 03 but discovered only this month. According to the announcement, "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted." This shows escalating privileges to root isn't the "end game," as this intruder sought to leverage that access to compromise others. This reminds me of the techniques espoused by el8 in their war on white hats. Update: A year ago today Wired published a story on an underground zine called el8.3.txt which declared war on white hats.

Phrack 61 Released

Phrack 61 was released today. The mag has the usual mix of clever put-downs of the clueless in the loopback section, and cutting-edge programming-oriented articles in the main sections. Phrack 60 was released in Dec 02.

Vulnerability in TCPFlow

@stake discovered a vulnerability in one of my favorite network security monitoring tools -- TCPflow. TCPflow can read libpcap data and generate files containing the contents of network sessions. It's used in Sguil to create "transcripts." Be sure to upgrade to v0.21, released 7 August 2003. The FreeBSD port hasn't been updated yet.

Meta Group on IDS

Meta Group, a firm which competes with Gartner for the ears and dollars of CIOs, is reported to have said "commitment to IT security in big business has never been stronger, with network and host intrusion detection systems (IDS) high on the shopping list." Meta sounds like they know their stuff: "Meta vice president Tom Scholtz said organisations that had taken an intelligent approach to IDS have had no problem establishing the value of the technologies. But he added: "Those that have purchased a product without the benefit of an underlying policy and plan naturally feel like they have wasted their money, because they have." Amen!

OS Uptime Project

When looking to see who was running OpenBSD 3.3 on 486 boxes (more on this later), I discovered The Uptimes Project. Participants install a daemon on their systems which reports uptimes to a central site. Beyond general statistics, you can check individual operating systems, such as FreeBSD. Maybe once my home network has been stabilized I will try this out.

Enabling Serial Console Access in FreeBSD

Back in February I posted a means to enable serial access to my FreeBSD 5.0 RELEASE box. I'm not sure where I got that method, even though it worked. A more correct method is to change the ttyd0 entry in /etc/ttys from this:

    ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure

to this:

    ttyd0   "/usr/libexec/getty std.9600"   dialup  on  secure

Optionally, for faster access, make the line look like this:

    ttyd0   "/usr/libexec/getty std.115200" dialup  on  secure

Then send SIGHUP to process 1 (init) with 'kill -1 1' so it re-reads /etc/ttys and starts the getty on ttyd0. Finally, configure your terminal client to use 115200 as its connection speed, and you can connect to the serial port using a serial cable and null modem.
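Because that /etc/ttys edit is easy to get subtly wrong (the getty field is a single quoted argument, and a typo in the tty name leaves the console silently disabled), here is a small Python helper I am adding to this post; it is my own code, not anything from FreeBSD or the Handbook. It parses ttys(5) lines with shell quoting rules, reports the current getty command and status for a terminal, and rewrites that terminal's entry to turn the getty on with a chosen std.<speed> gettytab entry while leaving every other line untouched. The sample file, the function names and the speed are constructed for the example.

```python
import shlex

# Constructed sample of the relevant /etc/ttys lines (FreeBSD 4.x/5.x layout).
# Example data only, not a copy of any real system's file.
SAMPLE_TTYS = """\
# name  getty                           type    status          comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
ttyd1   "/usr/libexec/getty std.9600"   dialup  off secure
"""


def _entries(ttys_text):
    """Yield (original_line, fields) for each line; fields is the shell-split
    ttys(5) entry, or None for blank and comment lines."""
    for line in ttys_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield line, None
        else:
            yield line, shlex.split(stripped)


def getty_status(ttys_text, tty="ttyd0"):
    """Return (getty command, status) for tty, or None if it has no entry."""
    for _, fields in _entries(ttys_text):
        if fields and fields[0] == tty and len(fields) >= 4:
            return fields[1], fields[3]
    return None


def set_serial_getty(ttys_text, tty="ttyd0", speed=None, enabled=True):
    """Return ttys_text with tty's getty turned on (or off) and, if speed is
    given, its gettytab entry replaced by std.<speed>. Every other line is
    returned unchanged. Raises ValueError if tty has no entry, so a typo in the
    name cannot silently leave the console disabled."""
    out, found = [], False
    for line, fields in _entries(ttys_text):
        if not fields or fields[0] != tty or len(fields) < 4:
            out.append(line)
            continue
        found = True
        name, getty, ttytype, _old_status = fields[:4]
        flags = fields[4:]                          # e.g. "secure"
        if speed is not None:
            prog = getty.split(" ", 1)[0]           # keep /usr/libexec/getty, swap the std.NNNN argument
            getty = f"{prog} std.{speed}"
        status = "on" if enabled else "off"
        out.append("\t".join([name, f'"{getty}"', ttytype, status, *flags]))
    if not found:
        raise ValueError(f"no entry for {tty} in ttys")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Typical use: python3 ttys_serial.py < /etc/ttys > /etc/ttys.new, diff the
    # two files, install the new one, then run "kill -1 1" so init re-reads it.
    import sys
    sys.stdout.write(set_serial_getty(sys.stdin.read(), "ttyd0", speed=115200))
```

The rewrite is idempotent, so running it twice produces the same file, and the ValueError is the check I actually want: on a box whose serial port is named differently (or where the line was commented out), a sed one-liner would exit 0 and change nothing.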

Msblast Worm Ravaging Internet?

Hardly, although it's clear a lot of recon is ongoing and thousands of Windows boxes are being owned. Consider this data from the Internet Storm Center: That's a lot of scanning, but what effect is there on the Internet? Here's a snapshot from the Internet Health Report: Contrast that report with one posted by H.D. Moore during Slammer. All of the red means severe problems, which aren't seen in today's report: What this worm proves is that Windows boxes cannot be placed on the Internet without an access control device protecting certain ports. Windows offers too many services that are capable of being exploited. Connecting unprotected laptops to corporate internal networks via VPN is a risk which needs to be controlled. (Here's a home user wondering why his machine keeps rebooting -- msblast.exe?) Companies should look for firewall solutions on the NIC, perhaps like this Linksys USBVPN1. If anyone has experience with this produc

Vulnerability in Realpath(3) Function Could Lead to Remote Root Compromise

I just read the FreeBSD security advisory on the realpath(3) function, which "is used to determine the canonical, absolute pathname from a given pathname which may contain extra "/" characters, references to "/." or "/../", or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. . . Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation." This is a problem because all releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE are affected, and OpenSSH is listed as one of the programs affected by this bug. The fix is to upgrade your system to 5.1-RELEASE or the respective security releases of 4.7 and 4.8-RELEASE, or apply the patch given in the advisory. This FreeBSD-specific warning builds on advisories released by ISEC and CERT. There seems to be a spike in port 22 TCP scans as reported by

MyRSS feed for TaoSecurity Blog, but So What?

It looks like MyRSS somehow has a feed for this blog. If someone would like to try it and let me know how it works, please contact me at blog at taosecurity dot com. I am particularly interested in who uses RSS 0.91 or 1.0. This free site appears to update its RSS feed once per day. It looks like it's pulling the titles from the first link in the story, which means it takes you directly to the first link of the post and not the blog itself. :( I'm still working on upgrading to Blogger Pro, but they haven't answered my email on their upgrade site being down. Update: I was contacted via email by someone who tested this myRSS feed with and found it worthless. Thanks for the info!

IOS Updates

Last month I posted that I bought Cisco gear from a reseller in Virginia. I bought new gear with software licenses, and got a SmartNet contract so I have legitimate access to IOS updates. I had read of problems with licensing if I bought used gear through eBay. Well, Slashdot is discussing this Infoworld article on that very subject. From the article: "I made the mistake of showing a visiting Cisco rep the 2611 router I’d purchased on eBay for $1,200,” says Mark Payton, director of IT at the Vermont Academy, a school in Saxtons River, Vt. “Not only are they asking me to pay to relicense the software, but they are expecting me to get a one-year SmartNet maintenance agreement and to pay an inspection fee.” Although Cisco is only asking Payton for slightly more than $300 each for the software relicensing and the SmartNet agreement, the inspection fee alone is more than $850. Payton is still negotiating with Cisco. “If my sales rep can’t get some of those costs waived, the t


I read in the June 03 Sys Admin magazine about Portknocking. The basic idea involves using a firewall and log watcher to respond in a user-defined manner to sequences of connection attempts to closed ports. For example, connections to ports 100, 102, 101, and 201 mean "open up secure shell for the source IP address." This is really a twist on the idea of covert channels, but it has lots of possibilities -- including the risk of an attacker who brute forces the sequence to gain access. It's still a neat idea. The September 03 Sys Admin magazine is available, with the title "Security." I don't see how this is different from June's "Security" issue, but I like to see that much attention given to the subject. Is anyone else attending the Recent Advances in Intrusion Detection (RAID) conference in Pittsburgh next month? I'll be an attendee doing research for my book. The conference lasts from 8 to 10 Sep and is dirt cheap -- $300 until 15 Aug, $40
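To make the log-watcher half of that idea concrete, here is a small Python sketch I am adding to this post; it is my own illustration, not code from the Sys Admin article or from any port-knocking implementation. It replays iptables-style DROP log lines (made up for the example) through a per-source state machine keyed to the 100, 102, 101, 201 sequence above and reports which source addresses completed the knock, which is the moment a real knock daemon would add a firewall rule for that address. The log format, the function names and the sample addresses are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed iptables-style syslog lines for dropped packets (sample data, not a
# real log). 203.0.113.5 knocks in the right order, with an unrelated UDP packet in
# the middle; 203.0.113.9 gets the second and third knocks swapped.
SAMPLE_LOG = """\
Aug 20 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=100
Aug 20 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=102
Aug 20 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=UDP SPT=1024 DPT=137
Aug 20 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=101
Aug 20 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40004 DPT=201
Aug 20 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=5000 DPT=100
Aug 20 10:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=5001 DPT=101
Aug 20 10:00:07 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=5002 DPT=102
Aug 20 10:00:08 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=5003 DPT=201
"""

KNOCK_SEQUENCE = (100, 102, 101, 201)   # the sequence from the post

# Only TCP drops count as knocks; the UDP line above is ignored by this pattern.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def knock_events(log_text):
    """Extract (source_ip, destination_port) pairs from dropped-TCP log lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("dpt"))))
    return events


def knock_watcher(events, sequence=KNOCK_SEQUENCE):
    """Replay events through a per-source state machine and return, in order,
    the sources that completed the whole sequence (the ones a knock daemon
    would open SSH for). Any port other than the next expected one resets that
    source; a stray hit on the first knock port restarts it at step one."""
    progress = defaultdict(int)
    opened = []
    for src, port in events:
        n = progress[src]
        if port == sequence[n]:
            n += 1
        elif port == sequence[0]:
            n = 1
        else:
            n = 0
        if n == len(sequence):
            opened.append(src)
            n = 0
        progress[src] = n
    return opened


def brute_force_guesses(sequence_len, port_space=65535):
    """Worst-case number of ordered port sequences an attacker must try to guess
    a knock of sequence_len ports when nothing but the sequence is secret."""
    return port_space ** sequence_len


if __name__ == "__main__":
    for src in knock_watcher(knock_events(SAMPLE_LOG)):
        print(f"open ssh for {src}")            # here a real daemon would add the firewall rule
    print(f"guesses to brute-force a {len(KNOCK_SEQUENCE)}-port knock: "
          f"{brute_force_guesses(len(KNOCK_SEQUENCE)):,}")
```

Two caveats the sketch makes visible. The brute-force count looks enormous, but each guess is one cheap SYN to a closed port and nothing in the scheme rate-limits or locks out a guesser, so the real protection is only as good as whatever sits behind the port once it opens. And a knock sequence is a static secret sent in the clear: anyone sniffing the path just replays it, which is the covert-channel parallel the post draws.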

Troubleshooting Thunderbird

I've had it with the "upgrade" to the Web-based email I use at Comcast. (I might be revealing too much about how I get my email, but if you wanted to hack me before there was enough info out there to do it already. I'm assuming you have no interest in accessing my mail at this point.) I used to use Comcast's Web-based email system because I constantly rebuilt machines and liked keeping non-work email elsewhere. Now that I've decided Comcast's "new improved" Web-based system is horrible, I looked for a lightweight mail client and found Mozilla Thunderbird: When choosing a mail client I wanted one that avoided proprietary formats, like those used by Outlook and Outlook Express. Mozilla/Netscape has had a history of keeping mail files in plain text format, which makes importation and manipulation easy. I also like Thunderbird because it supports SSL-enabled POP and SMTP, which according to Comcast they support too. SSL-enabled POP works fi