Showing posts from September, 2003

Review of Investigative Data Mining for Security and Criminal Detection Posted

I just posted my four-star review of Investigative Data Mining for Security and Criminal Detection. From the review: "I read 'Investigative Data Mining for Security and Criminal Detection' (IDM) after attending the 2003 Recent Advances in Intrusion Detection (RAID) conference. Researchers at RAID mentioned 'self-organizing maps,' 'neural networks,' 'machine learning,' and other unfamiliar topics. Mena's book helped me understand these subjects in the context of performing data mining. If you steer clear of the author's discussion of intrusion detection in chapter 10, you'll find IDM enlightening and a little scary." Data mining is a hot topic. Slashdot discussed neural networks recently, which can be used for data mining.

Five Years Ago Today...

Five years ago today I left the information warfare planning directorate at the Air Intelligence Agency and joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base in San Antonio, Texas. Back then we were part of the Air Force Information Warfare Center, tasked with monitoring all of the intrusion detection systems deployed inside border routers at Air Force installations. I was a new captain and had voluntarily attended some UNIX training after work hours while deployed to RAF Molesworth in late 1997. Just yesterday I was asked how to get into the computer security field. Here's how I did it. I looked at the AFCERT's manning roster for the network security monitoring teams and put myself on the schedule. Wherever I saw an opening -- usually between 2 and 10 pm or 10 pm and 6 am -- I added my name. I sat next to people who seemed to understand the alerts they were analyzing and asked a lot of questions. Six months later I was in charge o

What is BitTorrent?

Whenever new software appears, like the latest Knoppix (3.3 appeared yesterday), I read at Slashdot that "BitTorrent" links are available. I decided to investigate this and found myself at the BitTorrent web site. Like most developers' pages, it's cryptic, and it is not immediately apparent how to use the software. This Wiki page was more helpful, clueing me in to the fact that BitTorrent is a peer-to-peer file-sharing system. O'Reilly wrote about this too. I installed the BitTorrent client at degreez and tried it out with the files listed at BitTorrent Files for Slashdot Effect Victims. I clicked on the Red Hat 9 Binary ISOs link, which points to This brought my BitTorrent client up. It prompted me for a location to save the file I would download via BitTorrent, so I selected a directory. Next, I could see the BitTorrent client work its magic. I plan to experiment with this. I initially tried to retrieve Knop

Try Tenable Security's NeVO before 30 Sep 03!

I downloaded the demo version of Tenable Security's NeVO today. I was unable to get it to work on Red Hat Linux 7.3, but I did install it successfully on FreeBSD 4.8-RELEASE. NeVO is a passive vulnerability scanner: it sits and watches your network traffic for services and protocols which could be exploited by an intruder. It doesn't actively probe for vulnerabilities the way an assessment product does, so it sends no packets of its own and can't disturb the hosts it reports on, but it can only report on services it actually sees in use on the wire. This is similar to Sourcefire's RNA or "Real-time Network Awareness" concept. Below is an example of NeVO's output. It's in the .nsr format produced by the active vulnerability assessment tool Nessus, written by Tenable employee Renaud Deraison. Each record is a single line of pipe-separated fields, with semicolons standing in for line breaks inside the description field. For example:

|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190|27201/tcp|8501|INFO|The remote host
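Since NeVO writes the same pipe-delimited records Nessus does, it is easy to post-process them into a host/port inventory and a list of findings with a CVE attached. The following parser is an added example, not Tenable's or Nessus's code. It assumes the record layout host|port/proto|plugin-id|severity|text, with ';' replacing line breaks inside the text and 'Solution :' and 'CVE :' as labelled sub-fields, which is how the excerpt above reads; the 192.0.2.x hosts and the second and third records are constructed for illustration.

```python
"""Parse NeVO/Nessus .nsr-style records into structured findings.

Added example, not Tenable's code. Assumed layout (per record, one line):
    host|port/proto|plugin-id|severity|text
where ';' stands in for line breaks inside 'text' and the text may carry
'Solution : ...' and 'CVE : ...' sub-fields.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first record reuses the finding quoted in the post;
# the host addresses are documentation addresses and records 2-3 are made up.
SAMPLE_NSR = (
    "192.0.2.10|27201/tcp|8518|INFO|The remote host is using a version of "
    "Portable OpenSSH which may allow an attacker to determine if an account "
    "exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable "
    "3.6.1p2 or newer;CVE : CAN-2003-0190\n"
    "192.0.2.10|27201/tcp|8501|INFO|The remote host is running an SSH server "
    "(constructed text).\n"
    "192.0.2.11|80/tcp|10107|NOTE|An HTTP server is running on this port "
    "(constructed text).\n"
)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)$")


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    plugin_id: int
    severity: str
    description: str
    solution: Optional[str] = None
    cves: List[str] = field(default_factory=list)


def parse_record(line: str) -> Finding:
    """Split one pipe-delimited record; the text field keeps any later pipes."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 pipe-separated fields: {line!r}")
    host, port_proto, plugin_id, severity, text = parts
    m = PORT_RE.match(port_proto)
    if not m:
        raise ValueError(f"bad port field: {port_proto!r}")

    # ';' separates logical lines; pull out the labelled sub-fields.
    desc_lines: List[str] = []
    solution: Optional[str] = None
    cves: List[str] = []
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if chunk.startswith("Solution :"):
            solution = chunk[len("Solution :"):].strip()
        elif chunk.startswith("CVE :"):
            cves.extend(c.strip() for c in chunk[len("CVE :"):].split(",") if c.strip())
        elif chunk:
            desc_lines.append(chunk)

    return Finding(host, int(m.group(1)), m.group(2), int(plugin_id),
                   severity, " ".join(desc_lines), solution, cves)


def parse_nsr(text: str) -> List[Finding]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def findings_with_cves(findings: List[Finding]) -> List[Finding]:
    """Findings that carry at least one CVE/CAN identifier: patch these first."""
    return [f for f in findings if f.cves]


def hosts_and_ports(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Passive inventory: every host:port/proto pair the sensor observed."""
    return sorted({(f.host, f.port, f.proto) for f in findings})


def by_host(findings: List[Finding]) -> Dict[str, List[Finding]]:
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.host, []).append(f)
    return grouped


if __name__ == "__main__":
    found = parse_nsr(SAMPLE_NSR)
    for host, port, proto in hosts_and_ports(found):
        print(f"{host} {port}/{proto}")
    for f in findings_with_cves(found):
        print(f"{f.host}:{f.port} plugin {f.plugin_id} {','.join(f.cves)} -> {f.solution}")
```

Because the inventory comes from observed traffic, a host that is listening on a port nobody connected to during the capture window will be absent from hosts_and_ports(); that is the trade-off of passive assessment, not a parser bug.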

Cell Phone Spam

Some overzealous activist for legalizing marijuana sent a spam text message to my cell phone last week. Someone named "Alison" from, claiming to be from the ACLU, sent a URL to an advocacy site. I won't publish the URL, to deny her the publicity she seeks. The phone number from which the spam was allegedly sent shared my number's area code and first three digits.

Suggestion for Patching Windows Dial-Up Users

Larry Seltzer makes a great recommendation for Microsoft to assist its Windows dial-up users: "One way to make things easier for dial-up users, and even broadband users in many cases, would be to issue periodic update CDs. Imagine a disc with all of the updates on it and a program, it could even be written in Windows Script Host, to check a system for which updates need to be installed, apply them in the correct order and even reboot in between. Such a program would not be hard to write. Microsoft could charge a trivial amount for the discs but it would be better just to give them away and encourage users to pass the discs around when they were done. At that point you'd still need to check Windows Update for recent additions, but it's unlikely you'd have an unbearably long download time... I recently put this suggestion to Microsoft and their response basically avoided the whole issue. Why wouldn't the company want to offer such a CD, assuming that's the moti

"Snort not backdoored, Sourcefire not compromised"

I'm not going to cite the source of the rumors which prompted this story, since I don't want to give publicity to those seeking it for its own sake. Rather, I thought it important to post in its entirety a recent message Marty Roesch of Sourcefire sent to the snort-users mailing list. By the way, sign up for one of Marty's seminars, coming to a city near you. I'll see him in DC on 7 Oct. Now for Marty's post: Date: Sun, 21 Sep 2003 20:44:11 -0400 From: Martin Roesch To: full-disclosure@xxxxxxxxxxxxxxxx Subject: [Snort-users] Snort not backdoored, Sourcefire not compromised -------------------------------------------------------------------------------- It's come to my attention that some group is claiming to have broken into a Sourcefire server and backdoored the Snort source code. First things first, there is no backdoor in Snort nor has there ever been, everyone can relax. A shell server got compromised well over a year ago, but what these guys aren

Reviews of TCP/IP Analysis and Troubleshooting Toolkit, Real 802.11 Security, and Network Performance Toolkit Posted

I recently posted three new reviews. From the four-star review of TCP/IP Analysis and Troubleshooting Toolkit, whose author provides videos of trace analysis: "As a network security monitoring analyst, I like to read network troubleshooting books. They help me understand protocols I see on the wire, usually using case studies that are far more exciting than reading dry Request For Comment (RFC) documents. 'TCP/IP Analysis and Troubleshooting Toolkit' (TAATT) isn't a 'tool' book like Wiley's 'Network Performance Open Source Toolkit.' Rather, TAATT tries to explain the operations of many popular protocols. It does a fairly good job, and deserves a look." From the five-star review of Real 802.11 Security: Wi-Fi Protected Access and 802.11i: "I was somewhat hesitant to read 'Real 802.11 Security' (R8S) as it seemed to offer too much theory and background on wireless security. I prefer 'getting to the point'

Project to Customize Windows

We need more projects like XPlite. This is a system to "modularize" Windows components to facilitate their removal and reinstallation, if necessary. Windows would be much easier to secure if we could install the absolute minimum number of packages needed to support our applications: every component that isn't installed is one you don't have to patch or monitor. This is why I like the FreeBSD ports system. I install a base FreeBSD OS and load the ports tree. Within the ports tree, I add whatever I need, and the ports system only adds what's necessary to support that application. Brilliant? Perhaps -- but that's FreeBSD, and also a few Linux variants (Debian and Gentoo). :)

Verisign -- "The Value of Trust"?

I can't believe the stunt Verisign is pulling now. The screen shot says it all. Essentially, all nonexistent domain names are resolving to, which itself resolves to I learned about this issue through NANOG (the North American Network Operators Group), Slashdot, this article, and Verisign's "notification". The talk I've seen involves , but that resolves to for me. I even queried an authoritative domain name server for (, which handles the domain). Some have said ISPs are already null-routing I think this post makes a good case for review of Verisign's actions. This is not how the administrator of the two most important generic top-level domains should act!
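A wildcard of this kind is easy to detect from any host: look up a few random labels that cannot possibly be registered and see whether they resolve, and to what. The script below is an added example, not from the original post, and it hard-codes no Verisign address; it simply reports whatever single address every bogus name resolves to. It uses the system resolver via Python's socket module, so results reflect whatever your ISP's resolvers return (including any null-routing or filtering they have applied). The decision logic is kept in a pure function so it can be exercised on constructed results without a network.

```python
"""Detect a TLD-level wildcard (Site Finder style) from a stub resolver.

Added example, not part of the original post. Idea: names built from long
random labels should not exist under a TLD, so each lookup should fail.
If every probe instead resolves to the same address, the TLD (or a resolver
in the path) is answering with a wildcard.
"""
import random
import socket
import string
from collections import Counter
from typing import Dict, Optional


def random_label(length: int = 16) -> str:
    """A label long and random enough that no one has registered it."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def resolve(name: str) -> Optional[str]:
    """Return the address the system resolver gives, or None on NXDOMAIN/error."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_address(results: Dict[str, Optional[str]]) -> Optional[str]:
    """Decide from probe results whether a wildcard is present.

    results maps each (supposedly nonexistent) name to the address it
    resolved to, or None if the lookup failed. A clean wildcard is every
    probe succeeding with one and the same address. Mixed results mean no
    clean wildcard (or cached noise), so the function stays conservative.
    """
    if not results:
        return None
    addrs = list(results.values())
    if any(a is None for a in addrs):
        return None
    addr, count = Counter(addrs).most_common(1)[0]
    return addr if count == len(addrs) else None


def probe_tld(tld: str, probes: int = 3) -> Dict[str, Optional[str]]:
    """Look up several random names under tld (network access required)."""
    names = [f"{random_label()}.{tld}" for _ in range(probes)]
    return {n: resolve(n) for n in names}


if __name__ == "__main__":
    for tld in ("com", "net"):
        res = probe_tld(tld)
        hit = wildcard_address(res)
        print(tld, "->", f"wildcard at {hit}" if hit else "NXDOMAIN as expected")
```

Note that the check is only as honest as the resolver it asks; run it against a known authoritative server as well as your ISP's cache before drawing conclusions, as the post above did.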

Thoughts on OpenSSH Vulnerability

If you've read this blog for a while you'll notice I try not to regurgitate the day's headlines. If my brain is my RAM, this blog is my hard drive -- a place I'd like to keep stories archived. So, rather than restate the OpenSSH issues (it doesn't take much, does it?), I'd like to record this thought. How should organizations posture themselves against threats to core infrastructure? Since OpenSSH is the recommended means to administer all sorts of devices, its importance approaches that of BGP, DNS, and similar services. We're familiar with the plan -> prevent -> detect -> respond model. We form and practice plans and policies to guide our organizations. We prevent exploitation of vulnerabilities with security strategies like defense-in-depth, access control, least privilege, segmentation, and vulnerability management via proactive assessment and patching. We should perform detection via network security monitoring -- collecting, vali

Good Samaritan Saves Bank's Behind

A good Samaritan who buys computers from eBay saved the Bank of Montreal's behind. According to this story: "Geoff Ellis, a 26-year-old masters student living in North York, purchased the computers last week from Ecosys Canada Inc., a computer asset-management firm in Mississauga. He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new. Ellis buys, fixes up and then resells used computer equipment on He had posted the two machines on the popular online auction site for six hours before he noticed, after turning one of them on, that it contained an operating system that let him access file folders from the bank without needing a password. He immediately removed the items from the Web site, he said." I bought a handful of servers from eBay a couple months ago. I have since installed new operating systems on each one, but maybe I should have checked to see what was left behind by the previous owners? Market pressure w

RAID News Posted

Scroll a few pages down and you'll see I posted my thoughts on last week's RAID conference in Pittsburgh. Enjoy!

Installing a Free X Server on Windows XP

I needed to export X sessions to my Windows XP laptop, so I turned to Cygwin/XFree86. In less than 10 minutes I had an xterm from a FreeBSD machine appear on my Windows XP desktop. Here's how I did it. Download and execute Cygwin setup. The Cygwin/XFree86 User's Guide gives plenty of hand-holding if you need it. I selected all of the XFree86 packages plus OpenSSH. You'll see why OpenSSH was included shortly. Once Cygwin has finished installing, start a Cygwin shell, typically via 'C:\cygwin\cygwin.bat'. Within the Cygwin shell, start the X server via 'sh /usr/X11R6/bin/' as shown below. You'll see an xterm appear. Within the xterm, allow the remote host to connect via X by executing '/usr/X11R6/bin/xhost', where is the IP address of the remote host. (Keep in mind that an xhost entry trusts every user on that host, not just you; when the X traffic is carried inside SSH, as below, the connection reaches the X server from the local machine, so the xhost step is not strictly needed.) Now use SSH to connect to the remote UNIX system. For example, 'ssh -l username -X'. Using the '-X' switch enables X forwarding, i

Happenings at TruSecure

This Register story gave details on a good virus prevalence report (available in their whitepaper library). It describes TruSecure's assessments of important viruses of the past few years. I also saw Marcus Ranum wrote a paper on false positives while he was an "independent consultant." I then read this press release saying TruSecure hired Marcus as "Senior Scientist" on 19 Aug. Good luck Marcus!

Way to Go Mike Fratto

Congratulations to Mike Fratto of Network Computing magazine for speaking the truth about the intrusion detection vs. intrusion prevention debate in two articles. First, from Inside NIP Hype ("NIP" meaning "Network Intrusion Prevention"): "NIP is not a replacement for firewalls and won't be in the foreseeable future. Why? The fundamental problem is false positives -- the potential to block legitimate traffic. Before you can prevent attacks, you have to detect them, but NIP systems rely on intrusion detection, which is hardly an exact science. A properly configured firewall will allow in only the traffic you want, and you can bet the farm on that. We need to feel this same confidence in IDSs before we can believe in NIP systems, but IDS vendors have employed lots of talented brain cells trying to raise detection accuracy, and they're nowhere close to 100 percent." (emphasis added) Exactly! How is a firewall doing intrusion detection any b

RAID Conference Concludes

Today I drove home from the 6th annual Recent Advances in Intrusion Detection (RAID) conference held at Carnegie Mellon University. The picture at left shows the nearby University of Pittsburgh's magnificent Cathedral of Learning, which is just about the coolest name for a building I can imagine. (It reminds me of Kwai Chang Caine's answer to a question on what he does: "I work, eat, learn.") This was my first RAID conference, and I took several pages of notes on what IDS researchers are doing. The conference began with a presentation by Richard Clarke. Some of his more interesting points included: He confirmed US DoD networks have indeed suffered worms and/or viruses on "classified networks." He also stated "one ugly fact... every network I know of has been penetrated -- recently and regularly," with the exceptions being one or two classified government networks. However, he "[hasn't] seen cyberterrorism yet," although

Anton Chuvakin submitted a post alerting me to an article by Gartner gadflies John Pescatore, Richard Stiennon, and Anthony Allan. From the article: "You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs)... by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls... There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform network intrusion detection and blocking at all layers of the protocol stack. Mature products will ship in 2005... Purchase security management products - see "CIO Update: Gartner's IT Security Management Magic Quadrant Lacks a Leader," - to perform IDS alarm data reduction and correlation to firewall and vulnerability assessment logs, or outsource IDS monitoring to managed security service providers... Gartner has pu

Slides on NSM Webcasts Posted

I recorded a second webcast on network security monitoring for . This webcast focuses on tools to implement NSM, namely tcpdump, argus, snort, and trafd/trafshow. I talk about their use and capabilities. You can view it here. I posted the slides here. Previously I recorded a webcast on NSM theory with my friend Bamm Visscher, lead author of Sguil. You can view it here or here and read answers to questions submitted by listeners. A SearchSecurity editor commented on our talk as well. The slides for that Dec 02 webcast are here.

IT Security Hottest Job

Challenger, Gray & Christmas named "IT Security" the "hottest" job for 2003 and 2004, according to this article. From the story: "The post of chief privacy officer just got the nod for the highest-paying hot job, bringing in an average salary of $122,360. An IT manager or security manager came in ninth on the list of high-paying hot jobs with an average salary of $91,470. Security is simply hot this year. The security industry came in second, just behind preventative health care, for the hottest industry of this year and next. Security and IT managers are earning salaries of more than $91,000, according to the report. And a survey of top corporate information systems security executives for Fortune 500 companies found that the average overall compensation level was $237,000." $237,000? What are those guys doing to justify that sort of salary? Running vulnerable Windows boxes? :)