Showing posts from August, 2004

Review of The Design and Implementation of the FreeBSD Operating System Posted

I just posted my five-star review of The Design and Implementation of the FreeBSD Operating System . I was excited to see this update of the 1996 classic The Design and Implementation of the 4.4BSD Operating System finally published. From the review: "I have been administering FreeBSD systems for four years, and I read 'The Design' to get a better understanding of the system 'under the hood.' This book is definitely not for beginners, and intermediate users like myself can become quickly overwhelmed. Nevertheless, I am very glad FreeBSD developers like McKusick and Neville-Neil took the time to document the kernel in this book." You can access the authors' works at Addison-Wesley or at and .

What is the Ultimate Security Solution?

I received an email asking certain questions about digital security. Since the author said I could post my reply in my Blog, here is an excerpt from his email: "I have read of many ways that hackers obtain access. But, I am uncertain what is comprehensive protection. Clearly, there are firewalls, anti-virus, anti-spyware, IDS, IPS, and many other three letter acronym tools available. I have read of your use/support for Sguil. Do you feel that is the ultimate solution? There are other tools out there like eEye Blink, Pivx Qwikfix, and Securecore type products. I like them, but am uncertain if they do an adequate job at providing security. And I really don't know which would be considered the best of these. So, I appeal to you for your insight. Would really appreciate any feedback - here or on your blog." This is an interesting question, because at least one reader of my recent Focus-IDS post thought I was a "detection-only" advocate. Since I believe pro

Showing the FreeBSD Release Engineering Team is on schedule, FreeBSD 5.3-BETA2 is now available. Relating to my earlier post on GIANT, the announcement states "debug.mpsafenet (multi-processor safe network stack) is still turned off by default for BETA2 but will be turned on for BETA3."

GIANT-free Networking in FreeBSD 6.0 CURRENT and Upcoming 5.3 STABLE

I've been watching Robert Watson's work on removing the GIANT lock from the FreeBSD kernel. This is an aspect of the FreeBSD SMP project (aka SMPng). Robert's posts on 24 Aug 04 and 28 Aug 04 explain what is affected by these developments. The aspects I care about include the following:

- Those using KAME IPSec will not be able to disable the GIANT lock, at least not yet.
- FAST IPSEC does work with GIANT removed.
- The ath (802.11g), bge, dc, em (Intel gigabit), ep, fxp (Intel 10/100), rl, sis (Soekris Net4801), xl, and wi (802.11b Prism2) network interface drivers work with GIANT disabled.

You can see how the GIANT lock appears when enabled in the dmesg output from a Dell PowerEdge 750 running FreeBSD 5.3-BETA1. John Baldwin's Locking in the Multithreaded FreeBSD Kernel explains what the GIANT lock does.

My Book on Slashdot

My book made Slashdot. Let's see how well this site and hold up! Thank you to Anton Chuvakin for a positive review. Update: Here's how the Slashdot effect looked to : Here's how the Slashdot effect looked to this Blog: My Barnes and Noble sales rank has dropped from the 40,000 range to 20 -- I've passed Bill Clinton and Harry Potter. :) My sales rank has dropped from the 20,000 range to 119. Slashdot is absolutely amazing. If you find the Amazon price too high, remember Bookpool has the best deal going -- $27.25 plus shipping. I'd been tracking the Amazon rank to see if I could make any sense of it. You can watch the Slashdot effect kick in between 5 and 6 pm EDT:

Fri Aug 27 17:00:02 EDT 2004 Sales Rank: 20,998
Fri Aug 27 18:00:01 EDT 2004 Sales Rank: 9,363
Fri Aug 27 19:00:02 EDT 2004 Sales Rank: 1,256
Fri Aug 27 20:00:02 EDT 2004 Sales Rank: 614
Fri Aug 27 2

Senator Kennedy No-Fly Watch List and IDS "False Positives"

It struck me today that Senator Kennedy's no-fly watch list troubles are very similar to our digital security woes. Recently Kennedy said "he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret 'no-fly' list." The Washington Post reported "a senior administration official, who spoke on condition he not be identified, said Kennedy was stopped because the name 'T. Kennedy' has been used as an alias by someone on the list of terrorist suspects." "T. Kennedy" reminds me of a content matching IDS rule. Is this a "false positive"? If you consider that airline personnel were making decisions based on the rules they were given -- stop anyone using the name "T. [Ted, in the senator's case] Kennedy," this is not a false positive. Perhaps with more context, like personal recognition that the individual at hand is one of the most famou

Fascinating .gov and .mil Docs

Perhaps "fascinating" is too strong a word, but I've come across several intriguing government reports and documents which security professionals might find interesting. First, the CERT/CC and the Secret Service released a joint report titled Insider Threat Study . It's based on "23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002. Organizations affected by insider activity in this sector include credit unions, banks, investment firms, credit bureaus, and other companies whose activities fall within this sector. Of the 23 incidents, 15 involved fraud, four involved theft of intellectual property, and four involved sabotage to the information system/network." One of the incidents, mentioned in the beginning of the report, was the case prosecuted by the DoJ on behalf of UBS . The major findings include: "- Most of the incidents in the banking and finance sector were not technically sophisticated or complex.

Helpful Technology Guides for PCI and RAID

If you ever need to deploy sensors to capture traffic in high load environments, you'll need quality NICs on a fast bus and plenty of hard drive storage. I came across guides for each technology that I thought people might like. The first is a .pdf by on Peripheral Component Interconnect (PCI). The second guide describes Redundant Arrays of Inexpensive Disks (RAID). If you want to know what sorts of NICs I prefer, I usually try to deploy Intel products.

Best Way to Extract a Pcap Session from A Larger Pcap Session?

I was asked today to describe the best way to extract a session from a libpcap file into its own libpcap file. In other words, if I have a large collection of network packets, how can I extract a specific session but keep that information in libpcap format? The answer I proposed relies on (1) identifying the session of interest and (2) telling Tcpdump what to extract. To meet the first goal, consider using a tool like Tcptrace to identify sessions in a sample.lpc file:

drury:/$ tcptrace -n sample.lpc
1 arg remaining, starting with 'sample.lpc'
Ostermann's tcptrace -- version 6.4.2 -- Sat May 3, 2003

288 packets seen, 280 TCP packets traced
elapsed wallclock time: 0:00:00.002588, 111282 pkts/sec analyzed
trace file elapsed time: 0:00:37.256768
TCP connection info:
  1: - (a2b) 9> 10< (complete) (reset)
  2: - (c2d) 54> 70< (complete)
  3: - (
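The second step, pulling one session out while keeping libpcap format, is what Tcpdump does with a read filter and -w. As an added example (not code from the original post), here is the same operation in pure Python: it parses the libpcap global and record headers, decodes just enough Ethernet/IPv4/TCP to recover the 4-tuple, and writes every packet in either direction between the two endpoints into a new capture with the original global header. The sample capture, addresses and ports are constructed in the block; nothing comes from the sample.lpc above.

```python
"""Extract one TCP session from a libpcap capture into a new libpcap file.

Python stand-in for:
  tcpdump -n -r sample.lpc -w session.lpc 'host A and host B and port X and port Y'
All packet data below is constructed for the example.
"""
import struct
from typing import Iterator, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

Endpoint = Tuple[str, int]   # (dotted-quad IP, port)


def pcap_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (16-byte record header, packet bytes); byte order comes from the magic."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    off = 24                                         # global header is 24 bytes
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", hdr)
        off += 16
        yield hdr, data[off:off + incl_len]
        off += incl_len


def tcp_tuple(pkt: bytes) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Return ((src_ip, sport), (dst_ip, dport)) for an Ethernet/IPv4/TCP frame, else None."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4                         # honour IP options
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, sport), (dst, dport)


def extract_session(capture: bytes, a: Endpoint, b: Endpoint) -> Tuple[bytes, int]:
    """Return (new pcap bytes, packets kept): only a<->b traffic, global header preserved."""
    out = bytearray(capture[:24])
    kept = 0
    for hdr, pkt in pcap_records(capture):
        if tcp_tuple(pkt) in ((a, b), (b, a)):       # both directions of the session
            out += hdr + pkt
            kept += 1
    return bytes(out), kept


# ---- constructed sample capture (not from the post) ----
def _frame(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, fine for parsing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Assemble frames into a little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1093000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.10", 49152, "10.0.0.5", 80),    # session 1, client -> server
    _frame("10.0.0.5", 80, "192.168.1.10", 49152),    # session 1, server -> client
    _frame("192.168.1.11", 33000, "10.0.0.9", 22),    # session 2
    _frame("192.168.1.10", 49152, "10.0.0.5", 80),    # session 1 again
    _frame("10.0.0.9", 22, "192.168.1.11", 33000),    # session 2
])

if __name__ == "__main__":
    session, n = extract_session(SAMPLE_PCAP, ("192.168.1.10", 49152), ("10.0.0.5", 80))
    print(f"kept {n} packets, {len(session)} bytes")
    with open("session.lpc", "wb") as fh:
        fh.write(session)
```

The output file opens in Tcpdump or Ethereal like any other capture because the 24-byte global header and each 16-byte record header are copied through untouched; only the record selection changes.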

FreeBSD 5.3-BETA1 Released

A significant step has been taken down the road to FreeBSD 5.3 . Ken Smith announced the availability of FreeBSD 5.3-BETA1 yesterday. You can download an ISO from one of the mirrors , where the directory for an .iso will look like . I downloaded and burned the disc 1 .iso to CD and installed it on a Dell PowerEdge 750 . It seems to be working fine. I did not have to dance the fandango on the keyboard like I did installing a snapshot from June. I did have to bang on the keyboard prior to OpenSSH key generation, however, to provide entropy for a process called by /etc/rc. I hope this is removed in the final RELEASE. I am looking forward to the removal of the GIANT lock, especially in networking. Robert Watson explains what this means, along with caveats. This should make FreeBSD an even more capable packet capture platform. Check out this great tcpdump-workers thread for a variety of opinions on high-speed packet

Helix Linux Forensic Live CD

You may already know of the FIRE live forensic CD and the Knoppix-STD security tools CD. Last week I attended a free talk by Ed Skoudis, who spoke about his favorite forensic live CD -- Helix, by Drew Fahey of e-fense. I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750. The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drive on boot. You don't want a live CD to mount the host hard drives, since you don't need to mount drives to image them. Helix is safe in this regard; it doesn't touch the drive unless you tell it to. Helix also sports the sorts of tools you'd expect on a forensic CD, including a nice graphical interface to dd and its variants sdd and dcfldd. Probably the most amazing aspect of Helix is its support for Windows. The Helix CD provides distributable Windows binaries, including a Windows shell, that run within Windows.

Comments on Firewalls, a New Security Magazine, and Wireless Wiretaps

My response to a thread about the differences between "firewalls" and "intrusion prevention systems" (IPSs) seems to have touched a nerve. A message from someone who works for an IPS vendor stated the following: "I know that it is unlikely that I can sway you, but I do not see why the investigative role should preclude the protective role. Aren't you arguing that police should not interfere with the criminals of the world?" I replied: "I didn't mean to imply that 'the investigative role should preclude the protective role.' I support products which protect targets from exploitation. The best incident is the one that never happens. However, I believe the detection role should not be combined with the protection role. Remember I stress that detection of failures of protection is more important than detecting attacks . How can a single product that performs protection know when it has failed to provide protection? Only a sepa

InfoWorld published two articles of interest to the intrusion detection community this week. Network Detectives Sniff for Snoops is a review of "Internet Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3." I think they meant "Snort 2.1.0." Already you might suspect I have problems with this first article, which was done at the Naval Postgraduate School in Monterey, CA. My major concern with product reviews of this sort is their focus on alert-centric intrusion detection at the expense of other forms of network security monitoring data. Session, full content, and statistical data are completely ignored. Most reviews judge products primarily on their capability to identify "attacks," which in this case included "both live Internet traffic and a variety of attacks we launched from penetration testing tool Core Impact 4.0 ." When an attack is launched, the IDS is judged to be "

Need Help Proofreading My Book

In preparation for the second printing of The Tao of Network Security Monitoring: Beyond Intrusion Detection , my publisher has tasked me to find typos in the text. So far I've fairly thoroughly checked chapters 1 to 14. If anyone has found typos needing correction in chapters 15-18 and in the epilogue and appendices, I would really appreciate hearing about it. I am making changes to a copy of the book itself and plan to ship it via Priority Mail to my publisher Thursday afternoon. If you have any comments, please email them to taosecurity at gmail dot com. Thank you! Update: Errata for the first printing are now online . Aside from minor typo changes, the one set of corrections I recommend readers check is the reference to figures in Appendix A. I've got an "off by one" error for the references to TCP sequence number figures.

Passive Asset Detection System Catalogs Hosts Offering Services

I'm happy to report successful use of Matt Shelton's Passive Asset Detection System (PADS). PADS watches network traffic and tries to recognize and record the services it sees. I was able to compile and run PADS on Red Hat 9.0 and FreeBSD 5.2.1. Here is a sample run with PADS in the foreground. Because I do not specify the network to watch (with the "-n" switch), PADS reports every host offering a service:

drury:/$ sudo pads -i fxp0
pads - Passive Asset Detection System
v1.1 - 08/14/04
Matt Shelton
[-] Processing Existing assets.csv
[-] Listening on interface fxp0
[*] Asset Found: IP Address - / MAC Address - XX:30:48:XX:f9:56
[*] Asset Found: Port - 0 / Host - / Service - ICMP / Application - ICMP
[*] Asset Found: Port - 80 / Host - / Service - www / Application - Apache 1.3.26 (Unix)
[*] Asset Found: Port - 80 / Host - / Service - www / Application - Apache 1.3.27 (Unix)
^C
[*] 1587 Packets Received
[*] 0
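To show what a passive asset detector is doing behind output like that, here is an added example (my own code, not PADS) of the core loop: match server-side payloads against banner signatures, record each (host, port, service, application) once, honour an optional list of monitored networks like the "-n" switch, and persist the table as CSV so a restart does not re-report known assets. The signature syntax is a simplified stand-in for the real PADS signature file, and the observed packets are constructed in the block rather than sniffed from an interface.

```python
"""PADS-style passive asset detection over a stream of observed packets.

Added example. SIGNATURES uses a simplified (service, template, regex) form that
is NOT the PADS signature file format; packets are constructed, not captured.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# (service, application template with $1.. groups, regex applied to the banner)
SIGNATURES = [
    ("www",  "Apache $1",        re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/(\S+)", re.S)),
    ("www",  "Microsoft IIS $1", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Microsoft-IIS/(\S+)", re.S)),
    ("ssh",  "OpenSSH $1",       re.compile(rb"^SSH-[12]\.\d+-OpenSSH_(\S+)")),
    ("smtp", "Sendmail $1",      re.compile(rb"^220 .* Sendmail ([0-9.]+)")),
]

Asset = Tuple[str, int, str, str]   # (ip, port, service, application)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def fingerprint(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (service, application) for the first matching signature, else None."""
    for service, template, rx in SIGNATURES:
        m = rx.match(payload)
        if m:
            app = template
            for i, g in enumerate(m.groups(), 1):
                app = app.replace(f"${i}", g.decode("ascii", "replace"))
            return service, app
    return None


class AssetTable:
    """Assets keyed on (ip, port, service, application); each reported once."""

    def __init__(self, networks: Iterable[str] = ()):
        self.networks = [ipaddress.ip_network(n) for n in networks]   # like pads -n
        self.assets: Dict[Asset, float] = {}

    def _monitored(self, ip: str) -> bool:
        if not self.networks:
            return True                                  # no -n: watch everything
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks)

    def observe(self, pkt: Packet) -> Optional[Asset]:
        """Fingerprint the sender of this payload; return the asset only if new."""
        if not self._monitored(pkt.src):
            return None
        fp = fingerprint(pkt.payload)
        if fp is None:
            return None                                  # client traffic, no banner
        asset = (pkt.src, pkt.sport, fp[0], fp[1])
        if asset in self.assets:
            return None
        self.assets[asset] = pkt.ts
        return asset

    def to_csv(self) -> str:
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["ip", "port", "service", "application", "first_seen"])
        for (ip, port, svc, app), ts in sorted(self.assets.items()):
            w.writerow([ip, port, svc, app, int(ts)])
        return buf.getvalue()

    @classmethod
    def from_csv(cls, text: str, networks: Iterable[str] = ()) -> "AssetTable":
        table = cls(networks)
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["ip"], int(row["port"]), row["service"], row["application"])
            table.assets[key] = float(row["first_seen"])
        return table


def run(packets: Iterable[Packet], networks: Iterable[str] = ()) -> Tuple[AssetTable, List[Asset]]:
    """Feed packets through a fresh table; return it plus the assets in discovery order."""
    table = AssetTable(networks)
    found = []
    for p in packets:
        a = table.observe(p)
        if a is not None:
            found.append(a)
    return table, found


# Constructed observations: server -> client banners plus one client request.
SAMPLE_PACKETS = [
    Packet(1093000000, "192.168.1.20", 80, "192.168.1.5", 40001,
           b"HTTP/1.1 200 OK\r\nDate: Sat, 14 Aug 2004 12:00:00 GMT\r\nServer: Apache/1.3.26 (Unix)\r\n\r\n"),
    Packet(1093000001, "192.168.1.21", 80, "192.168.1.5", 40002,
           b"HTTP/1.1 404 Not Found\r\nServer: Apache/1.3.27 (Unix)\r\n\r\n"),
    Packet(1093000002, "192.168.1.20", 80, "192.168.1.5", 40003,
           b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n\r\n"),       # duplicate asset
    Packet(1093000003, "192.168.1.22", 22, "192.168.1.5", 40004, b"SSH-1.99-OpenSSH_3.8.1p1\r\n"),
    Packet(1093000004, "10.9.9.9", 25, "192.168.1.5", 40005,
           b"220 mail.example.net ESMTP Sendmail 8.12.11 ready\r\n"),        # outside 192.168.1.0/24
    Packet(1093000005, "192.168.1.5", 40001, "192.168.1.20", 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
]

if __name__ == "__main__":
    table, found = run(SAMPLE_PACKETS, ["192.168.1.0/24"])
    for ip, port, svc, app in found:
        print(f"[*] Asset Found: Port - {port} / Host - {ip} / Service - {svc} / Application - {app}")
    print(table.to_csv())
```

The asset key deliberately includes the application string, so the same host answering on port 80 with a different Server header (an upgrade, or a different virtual host behind a load balancer) shows up as a new entry rather than being silently merged.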

New Ethereal Release and Documentation

Ethereal 0.10.6 was released last week, and an up-to-date User's Guide (covering 0.10.5) was just published last Sunday. This document is a good alternative for those who can't afford to buy Syngress' Ethereal Packet Sniffing book. The User's Guide is over 200 pages in .pdf form, although a decent chunk of space is wasted on page and section breaks.

McAfee Buys Foundstone

McAfee just announced they bought Foundstone "for $86 million in cash, less various adjustments." The consulting core, comprised of my former colleagues, "will become part of the McAfee Expert Services team." I spoke with one of them and he doesn't foresee any major changes on the consulting side. He expects to continue doing assessments and other security work. Given the price McAfee paid, McAfee primarily bought Foundstone for its technology and says it "is committed to supporting Foundstone customers and the continued development of the Foundstone technology. Once the transaction closes the company will begin to sell the Foundstone line of products including Foundstone Enterprise, Foundstone FS1000 appliance, Foundstone On-demand Service and Foundstone Professional TL." McAfee expects the transaction to close in the next 60 days. This acquisition follows McAfee's sale of Network General (famous for its Sniffer ) to Silver Lake Partners a

Perspectives on "Fed's Web Plan"

Today's New York Post opens with the following scare line: "With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month — a move critics say could open the U.S.'s banking system to cyber threats." Apparently this is not the case. Reading from the Fedline Introduction , we find the following: "FedLine is the Federal Reserve Bank’s proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web. FedLine for the Web is available to financial institutions for access to financial services deemed low-risk by the Federal Reserve but does not currently offer access to high-risk payment-related applications such as funds transfer. " (emphasis added) Federal Reserve Financial Services documents differentiate between the existing DOS-based , dial-up system and the new Web-based system

I Told Oprah and Dr Phil to Watch Out...

My book rank has been all over the map -- as high as 2.2 million and as low as 1,011. lists my book at #85 in their Top 100 Sellers . I think this means I am kicking some Oprah and Dr. Phil butt like I promised. Bill Clinton's book is safe at #11 ... for now. :) Bookpool is now the most trustworthy online vendor selling the book at a steep discount. You can get the book for $27.25 plus shipping. shows no sign of discounting their price, although my publisher has VP-level people working to fix Amazon's pricing errors for all sorts of books. Apparently Amazon is putting more effort and personnel into their other (non-book-selling) stores, which make higher margins.

RSS Feeds, Bmonday Comments, and Airpwn

Thanks to an email from Jim O'Gorman, I learned of a way to publish an RSS feed, even though Blogger only supports Atom . Try feeding this to your RSS reader. I've been using the Firefox plug-in Sage since Chris Reining's Blog told me about it. Sage supports RSS and Atom in a Firefox sidebar. Speaking of reading other people's Blogs, I was happy to see positive feedback on my book at . My thoughts on logging packets allowed through the firewall, rather than logging packets dropped by the firewall, helped Beau identify someone trying to brute force his SQL server. If you haven't thought about the use of airpwn at DefCon 12 , consider the following. Airpwn is a traffic injection tool for 802.11 networks, released to last week. Essentially an intruder sniffs for outbound Web image requests, then tries to craft and transmit a response faster than the legitimate server can reply. In most cases the legitimate server loses the
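The point about logging permitted connections, rather than only drops, is worth showing in code. As an added example (mine, not Beau's setup or anything from the original post), the block below reads a hypothetical pf-style "pass" log, keeps a sliding window of permitted connections per (source, destination) pair to a chosen port, and raises an alert when a source opens more than a threshold of sessions inside the window. A firewall that logs only blocked packets never sees these lines at all, because every one of them was allowed. The log lines, addresses and format are constructed.

```python
"""Brute-force detection from *permitted* firewall connection logs.

Added example. The log format is a constructed pf-like "pass" line:
  <epoch> pass in on <if>: <src>:<sport> -> <dst>:<dport> tcp
It is an assumption for the example, not a real pf log format.
"""
import re
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d+) pass in on \S+: (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) tcp"
)

Alert = Tuple[str, str, int, int]   # (src, dst, first_ts_in_burst, total_permitted)


def find_bursts(lines: Iterable[str], dport: int = 1433,
                threshold: int = 5, window: int = 60) -> List[Alert]:
    """Flag sources with >= threshold permitted connections to dport within
    `window` seconds (sliding, per src/dst pair). Lines for a given pair are
    expected in time order, as a firewall would write them."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    totals: Counter = Counter()
    first_seen: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue                                  # other ports, other formats
        ts = int(m["ts"])
        key = (m["src"], m["dst"])
        totals[key] += 1
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:               # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in first_seen:
            first_seen[key] = q[0]                    # remember when the burst began
    return [(src, dst, first, totals[(src, dst)]) for (src, dst), first in first_seen.items()]


# Constructed log: one fast burst against SQL, one slow legitimate-looking
# pattern, two normal connections, and a burst against port 80 for contrast.
SAMPLE_LOG = (
    [f"{1093000000 + i * 3} pass in on fxp0: 203.0.113.7:{50000 + i} -> 10.0.0.2:1433 tcp" for i in range(8)]
    + [f"{1093000100 + i * 120} pass in on fxp0: 198.51.100.4:{40000 + i} -> 10.0.0.2:1433 tcp" for i in range(6)]
    + ["1093000010 pass in on fxp0: 10.0.0.50:49200 -> 10.0.0.2:1433 tcp",
       "1093000700 pass in on fxp0: 10.0.0.50:49201 -> 10.0.0.2:1433 tcp"]
    + [f"{1093000000 + i} pass in on fxp0: 192.0.2.9:{60000 + i} -> 10.0.0.3:80 tcp" for i in range(10)]
)

if __name__ == "__main__":
    for src, dst, first, total in find_bursts(SAMPLE_LOG):
        print(f"possible brute force: {src} -> {dst}:1433, burst began {first}, {total} permitted connections")
```

The slow source (one connection every two minutes) never trips the window, which is the usual trade-off: lowering the threshold or widening the window catches patient attackers at the cost of more noise from legitimate clients that reconnect.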

Snort 2.2.0 Released

Brian just announced the release of Snort 2.2.0. You can look at the main Snort page or the ChangeLog for word on improvements and fixes. Combined with the changes for 2.2.0 RC1, this 2.2.0 release looks impressive. I will shortly update my Sguil installation guide using Sguil 0.5.2, Snort 2.2.0, and the appropriate supporting software.

New Sguil and Metasploit Releases

Bamm just released Sguil 0.5.1. This is a lot more than a bug fix release. There are some cool new features in Sguil 0.5.1, like enhanced reporting options, regular expression matching for the autocat function, and searching packet payloads in the client. I will update my installation guide soon, probably by next week. The only major installation issue involves a change in directory structures to support multiple Sguil installations on a single sensor. Incidentally, it appears the Prelude project has been taking a look at Sguil features. I cover Prelude in chapter 9 of my book, based on help by the Prelude team and their documentation folks at Dreamlab. Also, the Metasploit Framework has released version 2.2. The Framework page shows new exploits which have been added. Update: Sguil 0.5.2 was just released on 12 Aug to fix a bug in the autocat function, so don't bother with 0.5.1, as detailed in the CHANGES file.

Net Optics Press Release on Book and USENIX Class

I'm a big fan of taps made by Net Optics , especially after reading advice from other manufacturers . Because I featured Net Optics taps in chapter 3 of my book, and brought one for my class network at USENIX, Net Optics published a press release on the two events today. I'd like to thank Net Optics for supporting my tap research and for giving expert advice on chapter 3. On a related note, I came across this 1996 thread discussing early tap use.

Dru Likes My Book and Good BSD News

While visiting I read Dru Lavigne's latest musings. She has some kind words on my book : "So far, I'm really enjoying the book and appreciate Richard's logical, thorough approach and the plethora of useful URLs to additional references interspersed on nearly every page. His discussion on 'accessing traffic in each zone' is very practical and definitely written by someone who has 'been there done that'. And within the first 100 pages I've already come across undocumented or poorly documented BSD commands which Richard explains in detail. My only caution to readers is that they'll enjoy the book a lot more if they bring to it a fairly solid understanding of networking, TCP/IP, and general security concepts. After all, this is an Addison Wesley, not a 'teach yourself network monitoring in 24 hours'. I do think that those with the networking and security background will appreciate the level of experience Richard has brough

Protecting Web Surfing from Prying Wireless Eyes

Well here I am at USENIX Security 2004 , on the Town and Country Hotel's wireless network. I received an authorization code from the concierge, and no other instructions. This code wasn't an SSID since the guy after me received a different code. When I got to my hotel room, I fired up dstumbler to see what networks were available.

dstumbler wi0 -o

I found several LodgeNet access points, so I figured I'd try associating with those:

ifconfig wi0 ssid LodgeNet up

This got me associated:

ifconfig wi0
wi0: flags=8843 mtu 1500
        ether 00:04:e2:29:3b:ba
        media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps)
        status: associated
        ssid LodgeNet 1:LodgeNet
        stationname "FreeBSD WaveLAN/IEEE node"
        channel 6 authmode OPEN powersavemode OFF powersavesleep 100
        wepmode OFF weptxkey 1

Next I needed an IP address:

dhclient wi0
ifconfig wi0
wi0: flags=8843 mtu 1500
        inet netmask 0xffffff00 broadcas

Romanian Hacker and Friends Indicted

A friend and former Foundstone colleague informed me of the indictment of a Romanian (Calin Mateias, 24, of Bucharest) and five Americans for conspiring to steal more than $10 million US in computer equipment from Ingram Micro of Santa Ana, California. I worked this case two years ago as a Foundstone consultant and helped detect and remove the intruder's X-based back doors from Ingram Micro systems. I commend Ingram Micro for publicly pursuing these intruders in court. This is one of the best ways to encourage other companies to go forward with prosecution, which is a form of deterrence. This CRN article says Ingram Micro is trying to reassure its value added resellers that its systems are secure. While I worked there, Ingram Micro was outsourcing its IT services to ACS , but security remained a "core competency" handled by Ingram Micro employees. As far as I am concerned, Ingram Micro handled the intrusions properly. I was very impressed by the way their CIO de

Hints on Using Oinkmaster and Sguil

I released an updated Sguil Installation Guide today that shows how to replace the Snort stream4 keepstats-based session data collection system with John Curry's SANCP code. SANCP is a better option than stream4, as SANCP tracks not only TCP like stream4 but also UDP and ICMP. The flows are also easier to work with, since they tend to occupy single entries. I've also been experimenting with the best way to use Oinkmaster with my preferred directory layouts. When Oinkmaster runs, it works in the directory specified. For example:

perl ./ -b /tmp -o /usr/local/etc/snort/rules -C /usr/local/etc/snort/oinkmaster.conf

This syntax will tell Oinkmaster to place the files it manipulates in the /usr/local/etc/snort/rules directory. Besides the .rules files, this includes other important files:

-> classification.config
->
-> reference.config
->
-> threshold.conf
->

I like to keep these

Security Threat Profile in 2600 Magazine

2600 Magazine isn't the magazine I recommend to learn security tools and techniques, but the Summer 2004 issue has one article which justifies spending $5.50 to buy the whole issue. "A Guide to Internet Piracy" is a 4-page introduction to the "warez scene." The author, b-bstf, describes the piracy "food chain," from top to bottom:

- Warez/release groups: people who release warez to the warez community; often linked to the site traders
- Site traders: people who trade the releases from the above groups on fast servers
- FXP board users: script kiddies who scan/hack/fill vulnerable computers with warez
- IRC kiddies: users of IRC who download using XDCC bots or Fserves
- KaZaA kiddies: users of KaZaA and other peer to peer programs

If you'd like to know how this community works and why they're interested in your servers or home workstations, buy the Summer 2004 2600 magazine.

Review of Defend IT Posted

I just posted my four-star review of Defend IT . From the review: "I commend ch 2 ('Home Architecture') for insights I find lacking in most books on intrusion detection or incident response. The authors astutely state on p. 26 and 33: 'this incident was not discovered by flashing lights and alerts set off by an IDS... In fact, there was no early indication of a network compromise.' This explains the authors' next recommendation: 'It is a good idea to keep access logs that are as detailed as possible -- at least with respect to inbound and outbound connections... Though you may not use these logs on a regular basis, for those instances when you need them, especially including investigations of network compromise, they are invaluable.' Exactly!" Although I didn't mention it in the review, I found the authors' use of Cenzic's Hailstorm vulnerability testing software to generate IDS alerts, and Mercury LoadRunner to load the