TaoSecurity Blog

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard . Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001 . spo-unified creates two log files. To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the nature of the stored packet (reassembled fragment, etc.) and the raw binary packet. Barnyard reads unified output and sends the results to other plugins. In most cases those are database plugins. MudPit is an alternative to Barnyard. Mudpit was written to overcome the fact that receiving either alert or log data can be insufficient to validate an event, but receiving both simultaneously is wasteful. At the Sguil project we use

The Register reports on the latest in fraud detection: "Online insurer Esure is to use technology that recognises when a speaker is under stress in a bid to detect fraud. The company hopes using voice risk analysis (VRA) technology will speed genuine claims, cut fraud and make its claims process more efficient... VRA - which identifies micro changes in the voice that can occur when a speaker is showing higher levels of stress - will be used by esure from 4 December. The company is keen to emphasise that the technology is a 'stress detector' not a lie detector. When a speaker experiences stress when answering a question or recounting an exaggerated or false statement, the frequency of their voice changes, according to studies originally conducted in Israel. It is this factor that VRA registers and assesses. The system compares responses to particular questions with baseline responses, answers to simple questions that can only be answered truthfully." Let's

According to Reuters , a 38 year old Home Depot worker was arrested for stealing laptops from Wells Fargo. From the article: "Police recovered the equipment at Krastof's home, along with equipment used for scanning identity cards and checks, he said. 'He is a low-level ID theft kind of guy,' White said of Krastof. Krastof told police that he did not know that sensitive data was on the computer, according to [policeman] White. Wells Fargo will be able to keep the $100,000 reward it had offered in the case, since the arrest was made from regular police work and not a tip, White said. Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers, White said. That enabled authorities to connect the computer's Internet Protocol address, a number that identifies a computer on the Internet, to Krastof's home address through his AOL account, White said." The article glosses over a

You may have read the fairly critical Information Security review of NeVO by Tenable Security. CTO Ron Gula posted a response to the focus-ids group which makes for good reading: "Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month old Nessus scan) or 'relavent' vulnerability data (like all of the IIS security holes) can produce false correlations."

I continue to watch for tools to keep BSD systems up-to-date. I learned of a new application for OpenBSD called Tepatche . The author wrote this article for next month's Sys Admin magazine. He also mentions the openbechede package management project. Incidentally, Colin Percival reports he's attained the $1000 mark needed to buy a new box to provide freebsd-update binary updates. Hopefully we'll see them available for the 5.X tree soon. While poking around Amazon.com I found a new BSD book will be published in the spring: FreeBSD and OpenBSD Security Solutions .

Wells Fargo Offers $100,000 For Info Leading to Conviction of Laptop Thief ZDNet reports the following: "Wells Fargo said on Friday it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. The computer was one of several stolen earlier this month from the office of an analyst for the bank in Concord, California, the bank said. The stolen PC contained names, addresses, bank account numbers and social security numbers for customers who had taken out personal lines of credit that are used for consumer loans and overdraft protection, according to Wells Fargo. No passwords or personal identification numbers were among the stolen data and no other Wells Fargo customers were affected, the bank said... The bank alerted affected customers this week [and] was also monitoring customer accounts, changing account numbers and paying for a year's subs

I usually install FreeBSD applications using the ports system, but I wanted to know how to use the package collection as well. I wondered how to quickly locate the name and URL of a package so I could pass them as a parameter to pkg_add -r . Using this command FreeBSD fetches the package specified and installs any dependencies automatically. I found the answer at the FreeBSD Ports Changes page. Here you can query for a package (or port) by name, and more importantly, specify which distribution you want. For example, if you wanted to install Nessus, you could choose from: FreeBSD 4.9 RELEASE: packages created when 4.9 REL was announced FreeBSD 4.x STABLE: the most up-to-date packages built for FreeBSD 4-stable FreeBSD 5.1 RELEASE: packages created when 5.1 REL was announced FreeBSD 5.x CURRENT: the most up-to-date packages built for FreeBSD 5-current Let's say I wanted to install Nessus. What do these packages look like for the i386 architecture? FreeBSD 4.9 RELEASE : nessu

Tim O'Reilly of O'Reilly publishing answered questions on the economics of writing on computer topics . I found this excerpt interesting: "Your choice of publisher helps [a book be successful]. The clearest lesson from Bookscan (to refer to the data that started this thread) is that the market is consolidating. Fully 80 percent of the market shown by Bookscan (about 65-70 percent of U.S. domestic retail sales, including online accounts) is owned by Pearson, Wiley, O'Reilly, and Microsoft Press, in that order. If you add Osborne and Sybex, you get to 90 percent. (Pearson is a conglomerate owning many individual imprints--AW, PH, Peachpit, Sams, New Riders, Brady, Cisco Press, Adobe Press, Macromedia Press, etc.--so the market looks more diverse than it actually is.) Having been a small publisher who worked my way up over many years, I won't say it [success of a book sold by a small publisher] can't be done. But I think it's a lot harder than it was in th

I needed to bounce through a couple systems while working on a hostile classroom network this week. I found this book excerpt which explains how to chain SSH connections. I started using the EPIC IRC client on FreeBSD and I wanted to use a customization script. I remembered using Splitfire and found it to be useful. In #snort-gui we've been using Pastebot to provide chunks of text via HTTP rather than IRC on homefries . Rob Lee's incident-response.org domain registration apparently expired and was scooped by someone else. You can access Rob's site via IP address at http://66.96.178.49/ . Anyone using Secure Instant Messaging Protocol ? Jamil Farshchi published this article on wireless IDS.

PostgreSQL 7.4 was released this week. We use MySQL in the Sguil project but we used PostgreSQL with older NSM tools. I learned about this MySQL "gotchas" site showing odd MySQL behavior. This could prompt a war between the MySQL and PostgreSQL communities. Speaking of wars, I ran across a site which claims to benchmark various UNIX operating systems. The results caused a crazy thread among OpenBSD users.

Peter Stephenson contributed to a SC Magazine article that featured criteria for credible certifications. I found his comments worthwhile: "The major question to be asked about certifications and their value is: 'Where does the cert come from and what are its objectives?' A good industry certification will have several recognizable components if it is to be credible: It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it. It requires ongoing training and updating on new developments in the field. There is an an examination (the exception is grandfathering, where extensive experience may be substituted). Experience is required. Grandfathering is limited to a brief period at the time of the founding of the certification. It is recognised in the applicable field. It is provided by an organization or association operating in the interests of the community, usually non-profit, no

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy. This morning I tested these principles not against an intruder, but against a piece of software that took an unexpected action. I was looking for an IRC proxy and found the Night-light IRC proxy . I installed it through the FreeBSD ports system without a problem. I then checked my sockstat output to see what was listening. I found the following unexpected entry: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root getty 534 0 tcp4 censored:50396 213.145.164.10:25 This looks like my system

The BBC wrote an article about the threat intelligence group, "codename IS/Recon (Information Security Reconnaissance)." They're TruSecure's "moles" -- people who befriend the "underground" and acquire information on their intentions and capabilities. The national intelligence community calls that "human intelligence," or HUMINT. The article claims TruSecure "currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs." It also states they collect "200 gigabytes of information a day," which "has enabled the team to help out with 54 investigations by law enforcement agencies. IS/Recon gave the FBI over 200 documents about the Melissa virus author after they were asked to get closer to suspects."

Slashdot reported on the Opte Project . It's a single guy who's mapping the Internet using code he wrote. Commercial companies like Lumeta provide much more enhanced functionality, but this is still a cool hack. The Slashdot thread features commentary by Hal Burch and Fyodor , and a useful summary of similar projects. The image at left is supposedly "1/5 of the Internet," but as one Slashdot reader mentioned, it looks a lot like a brain! Given Google has replaced the brain of many people, I imagine this image is appropriate. :)

Today I installed Fedora Core Release 1 in a VMWare session on my laptop. I was unable to using the CD-ROMs I burned and got the same error as described in this thread . I ended up installing the OS using the three .iso files on my laptop hard drive. I installed a default desktop into a 4 GB partition. Here are the daemons listening, the filesystem stats, and the uname output: [root@localhost root]#netstat -natup Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:1026 0.0.0.0:* LISTEN 1665/rpc.statd tcp 0 0 127.0.0.1:1027 0.0.0.0:* LISTEN 1830/xinetd tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1645/portmap tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1814/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1777/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:*

The so-called "hacker" who "defaced" aljazeera.net was sentenced yesterday to 1000 hours of community service and a $2000 fine, according to stories by aljazeera.net and Reuters . The intruder, a "Web designer," "posed as an Al Jazeera employee." presumably to Verisign, the registry for the .net domain. This far more informative article has technical details on the "hack." Apparently the perpetrator convinced Verisign to change its listing for aljazeera.net's domain servers to a system controlled by the intruder. The DoJ reports the perp also "re-routed all e-mail traffic to an account he had created on MSN Hotmail using the name of the Al Jazeera systems administrator." Aljazeera.net was also hit by denial of service attacks during the second Gulf War.

I received an email from Stephen Northcutt discussing various SANS initiatives. I found the last paragraph interesting. As this was a mass-mailing I'd like to share what he said: "We do have other tracks in development if the writers and researchers stay on track in the second half of 04 we hope to complete a track on content and email security and a six day legal track designed primarily for attorneys. We have an advanced windows operations and advanced windows audit track in the works. On the unix side of the house we are working on a Linux, Apache, MySQL, and Perl course designed to help you field and maintain a secure working Internet ecommerce presence. Finally, we have started development on Oracle security. Creating a six day track is a huge amount of work, if you are an expert in any of these topics, there may be a spot for you on the development team. If you think you might be interested, drop me a line, Stephen@sans.org. Warm Regards, Stephen Northcutt"

While reading this OSNews thread on FreeBSD, I learned of the portsman tool. It's a curses-based front end to the FreeBSD ports tree. It offers similar functionality to portupgrade but through a menu system. I found it interesting that it was hosted at berlios and not at SourceForge like most open source projects. One adjustment I made to use portsman was to change the default TERM value from 'xterm' to 'xterm-color' so I could see the menu better in an SSH session using root's default csh (actually tcsh) shell. Just edit the .cshrc value in root's home directory and then execute 'source .cshrc' to change the variable. To only change the TERM variable for the session, execute setenv TERM xterm-color It's different for sh or bash. There, run TERM=xterm-color export TERM

OK, it's obviously not Airwolf . According to this Israeli newspaper the Steadicopter was recently stolen a few days after the completion of its test program and final test flights. According to the article: "Steadicopter CEO Tuvia Scgl told 'Globes' today that he had no doubt that industrial espionage was behind the theft. "We're convinced that the thief was working for our competitors, because he went directly to the helicopter's location, and broke only the guardrails to that room. 'The helicopter is unique. No other company in the world has succeeded in operating such a flying machine, capable of independent flying without remote control. Many companies have tried, but none of their tests worked.'"

I learned at Slashdot of an article at Financial Times about criminals extorting companies by subjecting them to denial of service attacks. From the article: "More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year. Police are urging any victims not to give in to blackmail and report the crime." This is a lot easier than breaking into a victim and extorting them for theft of credit cards or intellectual property. Just have your home users and university machines blast away at a victim and collect the cash.

I just published a new installation guide for Sguil 0.3.0. Sguil is an interface to Snort which operates using Network Security Monitoring principles. This means it is dedicated to answering the "now what?" question that faces analysts who receive IDS alerts. Sguil provides alert, session, and full content data with a minimum of mouse clicks, window changes, and keystrokes. Users not familiar with FreeBSD should have no problems following the instructions. I provide dozens of screen shots and step-by-step comments to get the OS and all needed applications installed. The document is available in .pdf form here ( .pdf ). The new guide uses FreeBSD 4.9 RELEASE as the server platform and Windows 2000 or XP as the analyst workstation. Please send comments on the guide to sguil at taosecurity dot com. I plan to incorporate as many suggestions for improvement as humanly possible. Update: I'm collaborating with Soup4You2 from BSDHound on an expanded document.

I found a new FreeBSD-based bootable CD-ROM firewall called NetBoz . I haven't tried it yet, but someone put a lot of thought into the logo! I'm often asked why I like FreeBSD. I think the FreeBSD's ports tree is the best of the three BSD's, with over 9000 applications available. FreeBSD offers the FreshPorts site to track updates and changes to ports. OpenBSD has http://ports.puffy.nu/ , openbsd.hstd.net and bsdcoders.org . This post puts the OpenBSD port count at over 2000 as of May 2003. OpenBSD's "higher standards" keeps the count down compared to FreeBSD. NetBSD offers over 3000 packages and a new Web interface to them.

Do you know the game of "Life"? The game was created by mathematician John Conway and described in this 1970 Scientific American article . Based on a small set of rules, the game looks at the initial configuration of a set of counters (representing "organisms") and moves them forward through time. Certain arrangements result in life, while others perish. The coolest implementation of this game is one in PostScript . Remember PostScript is a programming language, although it's mainly used to format documents. There's a Java version and another here .

I'm thinking of building my own firewall appliance. It would be nice to have a "quiet" PC. I found SilentPCReview.com offers reviews, forums, and news on the quiet PC scene.

My C-64 Rides Again Thanks to a RR-Net kit, my Commodore 64 is now on the Internet. I browsed taosecurity.com using the Contiki Web browser and I served Web pages sing the Contiki Web server . It's slow, but really amazing to think a machine that hasn't been used in 13 years is now on the Internet! There's also a version of VNC which I haven't tried yet. I still need to try downloading software and getting it to the C-64. The RR-Net package arrived with a 5 1/4 floppy containing Contiki. Update : The Web server doesn't seem too stable. Twice I've left the box running in the basement only to find Contiki exited several hours later. Oh well, that's why I run FreeBSD.

While reading a OSNews thread on FreeBSD 4.9, I heard of a tool called fastest_cvsup . You use it in conjunction with cvsup on FreeBSD, NetBSD, and OpenBSD to find the "fastest" source distribution site. I use it in a shell script to update one of my boxes like this: #!/bin/sh # Ports updater by Richard Bejtlich # 0925 07 Nov 03 SERVER=`fastest_cvsup -q -c us` echo "cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile" cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile echo "cd /usr/ports; make index" cd /usr/ports make index echo "portsdb -u" portsdb -u echo "cd /var/db" cd /var/db echo "pkgdb -F" pkgdb -F echo "portversion -v" portversion -v echo "portupgrade -PrRva" portupgrade -PrRva echo "Done updating ports tree at `/bin/date`." exit I changed my portsdb instruction after reading this thread . This article and this thread have tips too. I also gave freebsd-update a try. It'

I announced the availability of Sguil 0.3.0 , so I've been working on a new installation guide. I'm not a big Linux fan so I've been wanting to move my document to reflect FreeBSD. Today I completed the install guide and posted it at http://taosecurity.com/install_freebsd_4-9-REL_DRAFT.zip . If you're so inclined, download the installation doc and try it out. I used FreeBSD 4.9 RELEASE only to have access to that distro's ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.9-release/ packages. These are the same as would be found on the 4.9 CD-ROM. The only package I used from the ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/ section was OpenSSL , as version 0.9.7c was the latest. It appeared in the stable tree as ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssl-0.9.7c.tgz . The reason I used the packages and not the ports tree was ease of installation. It can take quite a while to build some ports f

Yesterday Marty released Snort version 2.0.3, which contains a few bug fixes. Last week Bamm announced the release of Sguil version 0.3.0. I still need to update the documentation. I had already planned a FreeBSD-only installation guide, even before all the turmoil with Red Hat Linux. I hope to have the guide done by next week. A few weeks ago a good thread on snort-users discussed hardware for Snort and ways to avoid dropping packets.

Here's a great example of creative minds taking advantage of new technology. Those crafty, meddling kids in the United Kingdom have popularized a way to send text messages to unsuspecting owners of Bluetooth-enabled phones and PDAs. The BluejackQ (or "Bluejack You") site, apparently run by a 13 year old English girl, has all the details. Her site has been hammered recently by visitors, but she reports it's weathered the storm. Netcraft reports she's running Apache on Linux, so good for her! A poorly edited by technically informative Slashdot post describes the underlying mechanics of the system used to send messages. As another Slashdot poster mentions, Bluetooth isn't like the Internet. If you get an unsolicited Bluetooth message, turn around. The sender can't be more than a few dozen yards away!

Researching my book I came across this fairly informative article on wireless IDS . It's useful as it spells out three ways to accomplish the task. The article publisher, Unstrung, has written about Joshua Wright's attacks on LEAP, the vendor's response , and wireless IDS services .

The Ethereal project makes the finest open source protocol analyzer available. Yesterday they announced a vulnerability affecting at least Ethereal 0.9.15. They recommend upgrading to 0.9.16 right away. From the advisory: Description: Potential security issues have been discovered in the following protocol dissectors: An improperly formatted GTP MSISDN string could cause a buffer overflow. A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal crash. The SOCKS dissector was susceptible to a heap overlfow. Impact: It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. Resolution: Upgrade to 0.9.16. If you are running a version prior to 0.9.16 and you cannot upgrade, you can disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors by selecting Edit->Protocols... and deselecting them from the list.

I read today on Slashdot that Red Hat will discontinue maintenance and errata support for all versions of Red Hat Linux through 9.0 by 30 April 2004, and produce no other products in that line. Everyone looking for a "free" version of "Red Hat" will have to check out their Fedora Project as Red Hat now focuses on its Red Hat Enterprise Linux line. Those wishing to try the "Fedora Core" are directed to a download page mentioning the Red Hat beta OS severn . Looking at the Fedora release schedule , the Fedora offering is called cambridge and was due today. It has been delayed and will be released "as soon as possible." I haven't yet seen a "Red Hat is Dead" post like the "BSD is dead" posts left by Slashdot trolls, so I made the observation myself. NewsForge has more details on this story. I found their mention of the 10 major Linux distros at Distrowatch interesting. How can anyone say the BSD world is frag

I ran across this chart at the Kentucky government security page, of all places. They must have reproduced it from a Department of Homeland Security briefing. It shows the five components used to judge a threat: existence, capability, history, intentions, and targeting. My earlier definitions focuses on capability and intentions, as I believe existence is taken for granted once you begin a threat assessment. You can easily wrap history into intentions. Targeting is a "special form" of intentions, meaning current intelligence suggesting plans for imminent attack against specific targets. As an enemy meets more of the criteria, the threat rating increases from "low" to "severe." Update: A blog visitor asked if publication of this chart was a sarcastic move. While I don't think this matrix represents the ultimate in threat assessment, I reproduced it here to show some of the elements used to assess threats. They include the five components ment

read the new FreeBSD release schedule today and learned FreeBSD 5.2 is due 2 Dec 03, with FreeBSD 5.3 scheduled for 29 Mar 04. FreeBSD 5.2 will still be a "new technology" release, and 5.3 will be the first released to be considered "stable." Currently, FreeBSD 4.9 is the newest "stable" release. I also learned that Robert Watson, one of the brains behind FreeBSD, has posted a Web-browsable interface to BSD and Linux source code. Do you want to see sys/net/bpf_filter.c? Look here for FreeBSD 5.1 or here for FreeBSD 4.9 . Here's if_wi.c , the driver for Prism wireless cards. According to this post it has had problems due to bugs in the card's firmware . Here's a how-to for flashing Prism cards; more info here . Those with Orinoco cards can find firmware here . Are you interested in knowing the status of ports in FreeBSD? Visit Mark Linimon's Package building logs and errors for the bento cluster. You can get all sorts of

Last Thursday DeMarc announced its acquisition of the Sentaurus IDS from Silicon Defense . In June I listed various companies selling Snort-based IDS appliances. It looks like Silicon Defense's support for its Windows version of Snort continues at WinSnort.com . This appears to be different from the binaries available at Snort.org . (I didn't check the WinSnort version because downloads there require registration.) DeMarc was famous for its GUI for Snort alerts, which no longer appears as a Snort add-on . However, it's now called PureSecure Personal and is free for "home use." Downloading it requires registration.

Amazon.com just publishes three new reviews. First, from the five star review of C Primer Plus, 4th Ed by Stephen Prata: "Stephen Prata's C Primer Plus, 4th Ed (CPP4E) is an excellent book. I took a close look at the competition and even started reading O'Reilly's Practical C Programming before realizing CPP4E was the book for me. I had no C programming background, but had the knowledge of C-64 BASIC, Pascal, and other languages shared by many kids born in the 1970s. If you're looking for a well-conceived introduction to C, Prata's book is for you." I plan to read books on secure coding and socket programming next, as these are my real interests. I also have books on C++, Java, and C# waiting. I'm reading these to gain familiarity with these languages for purposes of security, not contributing code to FreeBSD (yet). Next are two more controversial reviews. Although I gave each book four stars, I make specific critiques of each book. From my