TaoSecurity Blog

In other BSD news, NetBSD announced their new logo , pictured at left. Slashdot discussed the new logo, with the consensus being it is "uninspired," "corporate," and not "fun." I am not surprised that a tech crowd would think this way. One post broke from this trend by saying: "If you're trying to get people interested in your product, the first rule is don't offend people. Like it or not, there are folks out there who don't understand the difference between daemon and demon." I agree with this. I also found it fairly juvenile that Slashdot's moderators rated a complaint about the NetBSD daemons as being "funny." I get plenty of odd looks by airport security when I show them my laptop covered with FreeBSD daemon sticks. Most importantly, the old NetBSD "logo" doesn't qualify as a logo at all. It's a piece of computer-inspired art that doesn't meet the conditions necessary for a logo. To

img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFELTS_mW2w2E8_rYK4i6ODJEW8U3TqlchVHJDJAJfGiIPD23EPfN29wTUN6s6fT92tDnqQUmodHZe72xjzvq1V4tfLER8lOXz4S9XCFF6KR3B26bOa85wcH0VOXBkWL7tQyz-/s1600/freebsd.png" align=left>The availability of FreeBSD 5.3-RC2 was just announced . The release engineer says "if no more show-stopper problems are found this will be the last test release done before 5.3-RELEASE." I intend to test this at work tomorrow morning. The release engineering team is doing everything they can to make this a release fit for the title STABLE.

I decided to try to get my Canon Powershot S40 digital camera working with my FreeBSD laptop. I found that plugging in the USB cable only yielded this entry in /var/log/messages: ugen0: Canon Inc. PowerShot S40, rev 1.10/0.01, addr 2 The ugen driver provides support for all USB devices that do not have a special driver, according to its man page. Running usbdevs showed the camera connected to the laptop: sudo usbdevs -dv Controller /dev/usb0: addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00 uhub0 port 1 addr 2: full speed, self powered, config 1, PowerShot S40(0x3056), Canon Inc.(0x04a9), rev 0.01 ugen0 port 2 powered Unfortunately, I did not see the dymanic creation of a device like /dev/da0 that might have let me mount the camera and read files from it. (The problem was discussed in this thread .) I turned to the ports tree and found graphics/gphoto2 , which I installed as a package: orr:/home/richard$ sudo pkg_add -vr gp

Earlier this month McAfee completed its acquisition of Foundstone . Previously I reported that several early refugees from Foundstone, led by Kevin Mandia, founded Red Cliff Consulting . Now a faction led by another former Foundstone director, Clinton Mugge, has created C-Level Security . Whereas Red Cliff focuses on computer forensics and incident response, C-Level concentrates on prevention-oriented services like vulnerability assessments and network architecture. C-Level's first press release emphasizes its independent nature, according to founder Mugge: "Problems are solved by selecting and deploying the best products and solutions in an unbiased manner, something a product-centric vendor is just not focused on delivering. C-Level Security's clients are provided the knowledge and understanding to make strategic decisions in security roadmap planning and spending without the push toward a single vendor product line." These departures are a good example why a

In an arrangement with SearchSecurity.com and Addison-Wesley , chapter 11 of The Tao of Network Security Monitoring: Beyond Intrusion Detection is now available online . Although the chapter discusses "Best Practices," typically a boring management concept, I managed to include several packet trace-driven case studies. Chapter 11 joins the foreward, chapter 2, and chapter 10 as being available online .

As an open source user and advocate, and especially as a FreeBSD user, I found this interview with Poul-Henning Kamp fascinating. PHK recently became famous for requesting and receiving funding from the community for FreeBSD development. PHK describes what it's like to be self-employed and working alone: "[I]t is a mixed blessing for me. The situation is not as much a bold 'I answer to nobody!' as a worried 'Shit! I'm all alone...' Normally then, as selfemployed, you have the separation from your customers, some kind of contract where you can draw the line, but in my case I answer to the FreeBSD community more or less on a contract of 'give me money and I'll do good things for FreeBSD.' The pressure from within is worse than any pressure any boss have ever laid on me. " To me this is one of the greatest differences between open source software and commercial software. When I see someone commit code to an open source project, I can ass

I read at OSNews.com that MySQL 4.1 is now Generally Available (GA). MySQL.com also issued a press release . GA status means the MySQL development team considers the software stable enough for production use. Previously MySQL 4.0 was the GA release and 3.23 was considered "Recent; still supported." Currently both MySQL 4.0 and 4.1 are GA, with 4.1 "recommended" over 4.0. The bleeding edge of MySQL development is 5.0 , which is alpha code. When I began writing Sguil installation docs , I advocated using MySQL 4.0. One of the advantages of MySQL 4.0 is UNION , or the ability to combine the result from many SELECT statements into one result set. While Sguil does not currently use this UNION feature, I expect to see it in future releases. The UNION function in MySQL 4.0 and higher results in much faster queries of session data in Sguil. The OSNews discussion mentions that replication has been enhanced in MySQL 4.1. Replication allows sharing data between

Last year I reported my experiences attending the 2003 International Symposium on Recent Advances in Intrusion Detection , also known as RAID. Many briefers complained that their security research suffered due to lack of good data. For example, intrusion detection analysts usually relied on the 1999 DARPA Intrusion Detection Evaluation data . Data like this may be sanitized for analysis by researchers but it pales in comparison to watching live traffic from production networks. Several recent events may give security researchers the data they need. For example, UC Berekely suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According to Carlos Ramos, assistant secretary at CDSS, the compromise "was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software." I wonder if the IDS was Vern Paxson's Bro ,

I just read a review of The Tao of Network Security Monitoring by the acclaimed network information site Firewall.cx . From the review: "Every once in a while you come across a book that really opens your eyes. One that talks in-depth about something completely different. Unfortunately, most technical IT books are rehashes of a bunch of papers and tutorials off the net, and you often wonder whether the time you spent reading the book would have been better spent on google. The Tao of Network Security Monitoring is not one of these books. It is with great pleasure that I am reviewing what I consider one of the most informative and well written books I have ever come across. Network Security Monitoring (NSM) is half a science, and half a black art. It requires an in-depth knowledge of packets, protocols, applications, vulnerabilities and black hat tactics. This book focuses on the philosophy behind NSM, the skills required, the tools you need, and the way to set up an effect

The October 2004 issue of Information Security Magazine offers an excellent study by Ed Skoudis . I saw Ed speak at a Computer Associates sales pitch a few weeks ago and he gave me preview of the new article . Now the whole study is available online. In Ed's words: "As a follow-up to our technical review of desktop AV products, Information Security investigated the state of the AV industry's customer support, putting five vendors to the test: Computer Associates, McAfee, Symantec, Sophos and Trend Micro. We graded each on the entire support experience, putting the greatest weight on the ability to solve our test problems... AV support has a long way to go before it achieves what we consider acceptable levels. It's not hard to figure out what's needed: The prescription for success is more or less distributed among the vendors we reviewed. Sophos technicians displayed the technical savvy and problem-solving ability we expected from all of the vendors. Rea

For my testing of FreeBSD 5.3 before it's available as a RELEASE, I decided to work on dual-booting it with Windows 2000. I did not want to use any third-party boot loaders unless absolutely necessary. I preferred to use the FreeBSD boot loader as FreeBSD is the primary OS on my Thinkpad a20p. Unfortunately, I could not figure out a way to overcome the different ways Windows and FreeBSD see disk geometry while using the FreeBSD boot loader. The following describes how to dual-boot FreeBSD 5.3 and Windows 2000 with Windows in the Master Boot Record handling boot selection. I found these notes helpful although I did not following all of the author's recommendations. First I installed Windows 2000 in a 7427 MB C: partition, formatted as NTFS. I also created a 30727 MB D: partition to hold FreeBSD, although I only let the Windows installation process create the partition and nothing more. Next I began the FreeBSD installation process using a CD-ROM. When it came time to p

Several people provided feedback on my Simple Post-Installation Baselines on Windows Blog entry. First, Beau Monday reminded me of his FirstOnScene incident response scripts. I haven't tried these out but you might want to see if they make life easier for your first responders. Second, Harlan Carvey pointed out the program tlist.exe shipped with the Debugging Tools for Windows . This is apparently not the same tlist.exe found on some Windows systems. You can obtain tlist.exe by downloading and installing the debugging tools, and then copying the tlist.exe binary elsewhere. I tested the independence of tlist.exe by running it on a system where no special debugging tools were installed, and where I did not have administrator privileges. Here is an excerpt of tlist.exe output. This tool is especially helpful because it shows the full path for executables. This allows you to differentiate between a 'svchost.exe' started from "C:\WINDOWS\system32" (whe

One of the regulars in the #snort-gui IRC channel of irc.freenode.net asked me the following question via email. This is an excerpt, and my response follows: "I am very interested to hear your insight on the topic of 'incident containment' via TCP resets... I am concerned about whether or not incident containment should even be used. From a purely technical standpoint it seems like 'Sure, it's better than just leaving the connection live. It's helping to interfere, after-all.' But when I think about it in a real-world application, it seems like many malicious hackers will notice TCP resets as a clear sign they have been spotted. It seems like this understanding on their part will cause them to attempt to shoot in again even if only for the brief seconds required to 'rm -rf /'. The alternative, no TCP resets, it seems the intruder will most likely think their presence is yet unknown and they may be content with their backdoor... I guess the overall

FreeBSD 5.3-RC1 just appeared on the FreeBSD FTP servers. I was hoping to see it soon after the schedule was updated. If only one Release Candidate is built (as planned), then we might see 5.3 RELEASE in about a week. After having seven BETAs produced, I expect we'll have RC2 as well. I imagine 5.3 RELEASE will appear the first week of November, as the release engineers have high standards for this FreeBSD version. With 5.3 the STABLE tag will migrate from the 4.x line to the 5.x line. 6.0 will be CURRENT although it has been treated as such for a few months now.

I just finished setting up a new Windows XP SP2 system on a Shuttle SB52G2 for my wife. This box screams compared to the 1998-era PII 333 MHz tower it replaced. Now that the installation is done and I've loaded all the software we expect to use on the system and all appropriate patches, I've taken a few simple steps to record a baseline configuration. I use the free PsTools suite from SysInternals.com to record key aspects of the operating system and installed software. Here are the tools I run and sample output for each. All of this information is redirected into text files that I store on the system and on a separate system for safekeeping. I ran all of these programs without administrator privileges. Believe it or not, but not everyone who breaks into your Windows systems is a Uber Elite hacker. Sometimes they tools used by intruders or malware leaves evidence in output such as this. If you can compare this listing, taken in a known good state, to later records

The Sguil team just posted a trial version of our new Flash Sguil demo . There isn't any sound or text notes yet, but you can watch a user interact with the Sguil console on a Windows system. The user shows how to investigate alerts, generate transcripts, launch Ethereal, categorize events, and query for session data. The demo lasts a few minutes and shows some of what Sguil 0.5.2 can do. Provide any feedback to sguil-users at lists dot sourceforge dot net.

The November 2004 issue of Dr. Dobb's Journal features an Addison-Wesley -sponsored article I wrote titled Considering Convergence? ( .pdf ). I wrote it as an elaboration of thoughts I posted to focus-ids two months ago: "I argue against 'convergence' between products doing 'detection' and those doing 'protection.' Too many people focus on detecting attacks when really they should be detecting failures in protection caused by poor access control, exposure of vulnerable targets, and misconfiguration. This means the IDS remains a network audit device doing detection, and all products which filter, scrub, manipulate, or otherwise stop traffic be accepted as access control devices (aka 'firewalls') doing protection. You can't have the same device do both functions. It's like a guard without a security camera thinking he's doing a good job when an intruder's already slipped behind him. If any convergence should take place, i

Microsoft's October 2004 security bulletin was released today. Some of the guys in #snort-gui were shocked that the bulletins ranged from MS04-029 to MS04-038. An astute Slashdot post notes that only one vulnerability, MS04-038 , affects Windows XP SP2 . The XP SP2 weakness is referred to as the drag-and-drop vulnerability as it allows intruders to install programs through malicious Web pages rendered by Internet Explorer. This reminds me of a saying that I wish I could attribute to someone: "Q: What's the best security patch for Windows 2000? A: Windows XP." This is more than a joke. I have a difficult time being sympathetic to enterprises that continue to operate Windows NT 4 systems. I am beginning to lose faith in organizations that have no plans to upgrade their servers from Windows 2000 to Windows 2003. Let's remember that Windows NT was released in 1996 and Windows 2000 in the year 2000. An organization relying on an 8 year old Microsoft OS is

O'Reilly recently featured an interview with Hping author Salvatore Sanfilippo titled Network Tool Development with hping3 . Hping is a packet crafting tool with a long lineage. I recommend reading the interview if you'd like background on Hping and what the developer formerly known as antirez is doing. I downloaded hping3-alpha-2.tar.gz to a system running FreeBSD 5.3 BETA1 and gave it a try. Before extracting and installing the new Hping3, you must have a Tcl interpreter installed. Tcl is required because Hping now works within a Tcl shell. It surprised me to see Tcl used in something other than Sguil . Here are highlights from the installation process: fedorov:/home/hping3-alpha-2$ ./configure build byteorder.c... create byteorder.h... ===> Found Tclsh in: /usr/local/bin/tclsh8.4 -------------------------------------- system type: FREEBSD LIBPCAP : PCAP=-lpcap PCAP_INCLUDE : MANPATH : /usr/local/man USE_TCL : -DUSE_TCL TCL_VER : 8.4 TCL_I

Three noteworthy events have occurred in the Snort community during the last few weeks. First, Kevin Johnson has forked the ACID (Analysis Console for Intrusion Databases) project due to lack of formal releases by Roman Danyliw. Kevin announced his new Basic Analysis and Security Engine (BASE) project last month. I don't think ACID provides the information needed to collect, analyze, and escalate indications and warning to detect and respond to intrusions. For that, check out Sguil . The fork is good news for the people who use ACID and expect updates. From a community perspective, this BASE fork is a positive development allowed only by the open source nature of ACID. Trying forking a proprietary product! Second, as discovered by Keith McCammon , another moribund project has been resurrected. Simon Biles has revived the Statistical Packet Anomaly Detection Engine (SPADE) project. SPADE is a plug-in for Snort. It appears in the Snort CVS tree as Spade-092200.1.tar

I just read an interesting article by Marcus Ranum titled Security: The root of the problem . Marcus makes some very good observations: "We're stuck in an endless loop on the education concept. We've been trying to educate programmers about writing secure code for at least a decade and it flat-out hasn't worked. While I'm the first to agree that beating one's head against the wall shows dedication, I am starting to wonder if we've chosen the wrong wall. What's Plan B?" Marcus' "Plan B" is trying to add more security checking at compile-time, or at least pay attention to and address the warnings already output by compilers given the -Wall flag. In his words: "I think that Plan B is largely a matter of doing a lot more work on our compiler and runtime environments, with a focus on making them embed more support for code quality and error checking. We've got to put it 'below the radar screen' of the programmer'

I wrote about Helix in August . Helix is a Knoppix -based live CD. Drew Fahey at e-fense added the 0.5.2 version of the Sguil client to Helix. This means you can boot the Helix live CD and launch Sguil to connect to our demo server at demo.sguil.net. Although the client installation on UNIX is still difficult (due to the number of libraries and applications needed beyond most people's default installations), the Windows Sguil client installation is fairly simple. I documented the process for an older version last year , but the process is still sound.

A few hours ago Scott Long announced the availability of FreeBSD 5.3-BETA7, the presumed last BETA in the 5.3 release cycle. The schedule has not yet changed to reflect this new BETA. Although only one release candidate (RC1) is planned, I would not be surprised to see a RC2 or maybe even RC3. Since FreeBSD 5.3 will be the first version of the 5.x tree marked STABLE, the release engineering team wants 5.3 to be the best FreeBSD version to date. I personally can't wait to deploy it on my laptop and servers. One of the biggest changes in the current BETA is the replacement of BIND 8.x with 9.3 . The release engineers felt that although it was late in the release process, they didn't want to have to support 8.x throughout the life of the FreeBSD 5.x STABLE tree. In other words, if BIND 9.x didn't appear in FreeBSD 5.3, BIND 9.x wouldn't be imported until FreeBSD 6.0. If you'd like to know more about this process, check out the thread from mid-September. Thi