Showing posts from December, 2004

Thank You for a Strong Year

The image above comes from my Sitemeter blog statistics page. I'd like to thank all of my readers for making the TaoSecurity Blog part of their Internet experience. We've had about 337 posts this year, on a range of subjects. Our two year anniversary will happen January 8th. I'd also like to thank those of you who have been reading my book reviews and voting them "useful." I receive no monetary compensation for any book reviews done at or here, but I do like seeing positive feedback on my reviews. I hope to keep blogging and reviewing as I begin work on my next book, tentatively titled Extrusion Detection: Network Security Monitoring for Internal Intrusions. I'll post information on Extrusion Detection once I have an ISBN, but I expect it to hit bookshelves in the fall. My collaboration with Keith Jones and Curtis Rose called Real Digital Forensics should appear on bookshelves in the summer. 2004 has been a great year, es

Review of Building Firewalls with OpenBSD and PF Posted

just posted my five star review of Building Firewalls with OpenBSD and PF. From the review: "I was an early buyer of the first edition of 'Building Firewalls with OpenBSD and PF' (BFWOAP), but I am confident my opinion applies to the second edition as well. BFWOAP is the perfect book for anyone looking to build a firewall with Pf. Since Pf is now part of FreeBSD, NetBSD, and DragonFly BSD, this book will be helpful to anyone looking to use Pf on those platforms... The author's blog indicates he is working on a new firewall book that expands beyond OpenBSD and Pf. I hope he is working with an established publisher to ensure his next book has a wider audience."

Today's ISC Handler's Diary Is Partially Right, and Then Completely Wrong

I read the following in today's Internet Storm Center Handler's Diary: "Pay attention, you’re about to read something vitally important: COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use. Tools require a level of involvement beyond that of an appliance because 'tool use' carries with it an inherent danger... [O]ver the past decade, the computer industry has deliberately ignored the nature of its product. It has attempted to grind off the sharp edges, to put padding on the corners, and to make a 'consumer safe' appliance from these inherently dangerous tools. The current state of security on the Internet is simply reaping the seeds we have sown... We don’t allow untrained and inexperienced drivers onto our streets, but any yokel with $9.95 a month can get on the Internet... The time has come for change. Users cannot continue to proxy the responsibility for their security

Review of The Unabridged Pentium 4 Posted

just published my four star review of The Unabridged Pentium 4: IA32 Processor Genealogy. From the review: "Page 1 of 'The Unabridged Pentium 4' (TUP4) claims 'there is real value in understanding how the architecture has grown over the years,' where the 'architecture' is the IA-32 register set, instruction set, and software exceptions. If you accept this premise, you will find TUP4 to be a valuable book. If you are looking for detail on the lowest-level of programming on IA-32, you should download Intel's free IA-32 Intel Architecture Software Developer's Manual. Readers looking for information on IA-32 architecture can first turn to three free books Intel provides in .pdf format: Volume 1: Basic Architecture (448 pp); Volumes 2A (580 pp) & 2B (416 pp): Instruction Set Reference; and Volume 3: System Programming Guide (838 pp), for a total of 2282 pp. Volume 1 describes the basic architecture and programming environment of an I

UNIX History in Detail

I just finished reading the primary two parts of an advocacy piece called Elements of Operating System and Internet History: A FreeBSD Rationale. It appears to be self-published by the author, Bruce Montague. Dru Lavigne made me aware of this work in her blog. The first 64 pages are divided between a 22 page "FreeBSD Executive Summary" and 42 pages on "Unix History, Open Source, and FreeBSD." The third section, which I plan to browse later, consists of 74 pages of various bits of UNIX and Internet trivia. I found the sections describing UNIX history to be very informative and detailed. The author makes the point that the BSD license supports technological transfer of software from the university to the commercial space, while the GPL was explicitly designed to inhibit technology transfer (pp 14, 18). I was surprised to learn that early hardware vendors encouraged users to write their own software, and in many cases sold user-developed software. Even more sh

FreeBSD Foundation Exceeds Its Goals

I'd like to thank everyone who donated to the FreeBSD Foundation. In less than five days we raised almost $40,000! That's simply amazing. Check back in with the Foundation in January when their Web site is redesigned.

Review of Introduction to Microprocessors and Microcontrollers Posted

just posted my four star review of Introduction to Microprocessors and Microcontrollers. From the review: "I reviewed the 1998 edition of this book, 'Introduction to Microprocessors,' (ITM) about a year ago. I gave that book five stars for bringing the internal workings of CPUs within the reach of the computer layman. This new 2004 edition, 'Introduction to Microprocessors and Microcontrollers,' (ITMAM) isn't quite the update I expected, but it's still a great book. The major differences between ITM and ITMAM involve a few sections. First, material on the Alpha 21164 microprocessor is replaced by a discussion of the AMD Athlon XP. Second, two chapters on microcontrollers are added. Author John Crisp defines a microcontroller as essentially a microprocessor with some ROM and RAM on a single chip. Third, Crisp briefly discusses the innards of popular game consoles in ch 11. Finally, a short discussion of writing assembly language adds another

Try Identity Vector for Your Web Hosting Needs

Last month I switched my Web-hosting provider to IdentityVector Solutions. The owner is a fellow US Air Force Academy graduate and a colleague at my day job with ManTech. Phil has the following to say about his offering: "IdentityVector Solutions (IVS) provides customized Linux-based web and email hosting services, primarily to small- and medium-scale clients. Rather than providing 'cookie-cutter' package solutions that include options many clients would not need, our clients pick a complement of individual services that will meet their requirements. IVS then works with clients one-on-one to ensure that our systems are configured to meet their requirements. All IVS staff members are Red Hat Certified Engineers. Sign up for a consultation online." I've been very pleased with the quality of service and the price I pay to receive it.

Exclusive: Keeping FreeBSD Applications Up-To-Date

I am happy to announce the publication at of Keeping FreeBSD Applications Up-To-Date. This is the sequel to my article Keeping FreeBSD Up-To-Date. The new article takes the same case-based approach I used in the first paper. The article's sections include:

Introduction
Installation Using Source Code
Installation Using the FreeBSD Ports Tree
Installation Using Precompiled Packages
Updating Applications Installed from Source Code
Updating Packages by Deletion and Addition
Updating the Ports Tree, Part 1
Manually Updating a Package Using the Ports Tree
Updating Packages with Portupgrade, Part 1
Updating Packages with Portupgrade, Part 2
Updating the Ports Tree, Part 2
My Common Package Update Process
Creating Packages on One System and Installing Them Elsewhere
Addressing Security Issues in Packages
Conclusion
Acknowledgements
References

Sections show commands to run, explanations of what they do, sample output, applications versions, and pros and cons of each u

Details on the Snort DoS Condition

You may have heard of an exploit for a denial of service condition in Snort. In short, according to , "You are only vulnerable if you are running snort with "FAST" output (which isn't very fast) or in verbose mode... Using barnyard? Using snortdb? You are not vulnerable." Exploit code is here: Lurking in #snort and #snort-gui on, I learned the following about this vulnerability by listening to Marty. I hope he doesn't mind being quoted in the hopes of getting this information out to reassure the community:

roesch: it's a bug that gets manifested by the packet printers in log.c
roesch: if you use the -v switch when you run snort you can have a problem, if you're not running the tcp protocol printer in log.c (i.e. using the -v switch or logging in default ascii logging mode) then you're not affected
roesch: so if you're running snort as an IDS (which most peopl

Nedit: Simple, Mouse-driven GUI Text Editor

I don't install desktops like Gnome or KDE on my workstations, so I try to avoid graphical applications that have a lot of dependencies. However, when I write articles, I try to avoid composing them in vi. I find vi is fine for editing configuration files or Web pages, but I like to be able to select text with a mouse when composing large articles. Previously I installed Gedit, a Gnome application that ends up carrying a lot of baggage with it. Today on one of my workstations I removed Gedit and as much else as I could using pkg_cutleaves. Then I installed Nedit, a great little GUI text editor with mouse support. While Gedit requires over 60 dependencies, Nedit has only 8. I recommend checking Nedit out if you need a GUI text editor with a light system footprint.

Understanding Tcpdump's -d Option, Part 2

In September I referenced a post by libpcap guru Guy Harris explaining output from Tcpdump's -d switch. After looking at the original 1992 BSD Packet Filter (.pdf) paper and the subsequent 1999 BPF+ (.ps) paper, I understand the syntax for the compiled packet-matching code generated by the tcpdump -d switch. For example:

fedorov:/usr/local/etc/nsm# tcpdump -n -i em1 -d tcp
tcpdump: WARNING: em1: no IPv4 address assigned
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 4
(002) ldb [20]
(003) jeq #0x6 jt 7 jf 8
(004) jeq #0x800 jt 5 jf 8
(005) ldb [23]
(006) jeq #0x6 jt 7 jf 8
(007) ret #96
(008) ret #0

Here is what each instruction means: 000 says load (using 'ldh') the "half word" or two bytes starting at offset 12 of the Ethernet header. Since we begin counting at 0, bytes 0 to 5 are the destination MAC address and bytes 6 to 11 are the source MAC address. The
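As an added example that is not part of the original post or of tcpdump itself, the following Python parses the listing above exactly as tcpdump prints it and executes it as a classic BPF program over a few constructed Ethernet frames, so you can check for yourself which frames the "tcp" filter accepts. The interpreter, the frame builder and the sample frames are my own assumptions for illustration, not captured traffic.

```python
"""Execute the tcpdump -d listing above as a classic-BPF program.

Added example (not from the original post or from tcpdump): parses the
text tcpdump prints, runs it over constructed Ethernet frames, and
reports which frames the "tcp" filter accepts. Only the opcodes the
listing uses (ldh, ldb, jeq, ret) are implemented.
"""
import re
from typing import List, NamedTuple, Optional


class Insn(NamedTuple):
    op: str
    k: int                      # offset for loads, immediate for jeq/ret
    jt: Optional[int] = None    # absolute target when A == k
    jf: Optional[int] = None    # absolute target when A != k


# Transcribed from the listing in the post. tcpdump -d prints jt/jf as
# absolute instruction numbers; the raw bytecode stores them as offsets
# relative to the next instruction, so "jt 2" at 001 means "go to 002".
TCPDUMP_D_OUTPUT = """\
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 4
(002) ldb [20]
(003) jeq #0x6 jt 7 jf 8
(004) jeq #0x800 jt 5 jf 8
(005) ldb [23]
(006) jeq #0x6 jt 7 jf 8
(007) ret #96
(008) ret #0
"""

_LINE = re.compile(
    r"\((\d+)\)\s+(\w+)\s+(?:\[(\d+)\]|#0x([0-9a-fA-F]+)|#(\d+))"
    r"(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?$"
)


def parse_tcpdump_d(text: str) -> List[Insn]:
    """Turn tcpdump -d text into a program; non-instruction lines are skipped."""
    program: List[Insn] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        num, op, off, hexk, deck, jt, jf = m.groups()
        if int(num) != len(program):
            raise ValueError(f"instruction {num} out of sequence")
        k = int(off) if off is not None else int(hexk, 16) if hexk is not None else int(deck)
        program.append(Insn(op, k, None if jt is None else int(jt),
                            None if jf is None else int(jf)))
    return program


def run_bpf(program: List[Insn], frame: bytes) -> int:
    """Return the ret value: bytes to keep, or 0 to drop the frame.

    A load past the end of the frame drops the packet, as the kernel does.
    """
    acc, pc = 0, 0
    while True:
        insn = program[pc]
        if insn.op == "ldh":                      # A = 16-bit big-endian at k
            if insn.k + 2 > len(frame):
                return 0
            acc = int.from_bytes(frame[insn.k:insn.k + 2], "big")
            pc += 1
        elif insn.op == "ldb":                    # A = byte at k
            if insn.k >= len(frame):
                return 0
            acc = frame[insn.k]
            pc += 1
        elif insn.op == "jeq":                    # branch on A == k
            pc = insn.jt if acc == insn.k else insn.jf
        elif insn.op == "ret":
            return insn.k
        else:
            raise NotImplementedError(f"opcode {insn.op} not supported")


def build_frame(ethertype: int, l4_proto: int) -> bytes:
    """Constructed test frame: Ethernet header plus a stub IPv4 or IPv6 header."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ethertype.to_bytes(2, "big")
    if ethertype == 0x0800:
        ip = bytearray(20)
        ip[0], ip[9] = 0x45, l4_proto      # IPv4 Protocol field: offset 14 + 9 = 23
    elif ethertype == 0x86DD:
        ip = bytearray(40)
        ip[0], ip[6] = 0x60, l4_proto      # IPv6 Next Header: offset 14 + 6 = 20
    else:
        ip = bytearray()                   # e.g. ARP: no IP header follows
    return eth + bytes(ip) + b"\x00" * 20  # stub transport header


def matches_tcp(frame: bytes) -> bool:
    """True if the listing's program would capture this frame."""
    return run_bpf(parse_tcpdump_d(TCPDUMP_D_OUTPUT), frame) != 0
```

Calling matches_tcp(build_frame(0x0800, 6)) walks instructions 000, 001, 004, 005, 006 and 007 and returns True, while an IPv4/UDP frame (protocol 17) falls through 006 to 008 and is dropped.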

Help FreeBSD Foundation Retain Non-profit Status

The FreeBSD Foundation's new quarterly newsletter reports that maintaining non-profit 501(c)3 status requires donations totaling US$30,400 by 31 Dec 04. While it's technically possible to retain non-profit status without those donations, the appeal process "can be a lengthy and expensive ordeal." Can the FreeBSD community meet the goal by donating via PayPal (click on the "donate" image)? I just donated $100 to the Foundation via PayPal, so the amount is no bigger than $30,300 now. If you donate, post a reply here! If you're wondering what the Foundation does, the new newsletter reports that it:

sponsors events like AsiaBSDCon
purchases hardware for developers to write drivers, etc.
contributes to the performance cluster
sponsors developers to code SMPng
supports bringing Java 5 to FreeBSD

The Foundation seems to be taking a much more active and public role, which will be publicly visible in a new Web site on 1 January. Update: If you do do

Book Reviews and Citations

I am happy to report a few more satisfied book reviewers. First, thank you to security sage Rik Farrow for his December 2004 USENIX ;login review (.pdf). Second, I'd like to thank David Bianco for his December 2004 Information Security magazine book review (published at ). David is the same David Bianco featured in this priceless 1995 newspaper article titled Computer Security: "Gotta Be Sneaky". In the article David advocates the importance of computer security. Unfortunately, a member of his audience disagreed: "[Name censored to protect the foolish], a former naval intelligence officer and president of Agent Knowledgebase Associates in Virginia Beach, didn't seem concerned about on-line incursions. 'The security issue is overblown. How many people do you see using secure telephones?' he said. 'I don't see a need for computer security. Everything I do is public information. There's nothing to protect.'" I

Review of The Hacker Ethic Posted

just posted my three star review of The Hacker Ethic. From the review: "I bought and read this book because I enjoy reading about hacker history and culture. When I started, I simply read and flipped pages, thinking I wouldn't find much of deep importance. After about 20 pages I was extremely interested in the book and started underlining the author's main points. By chapter 5, and especially in chapter 6, the author lost my attention and I ended up giving this book a three star review."

Upgrading to the New Java Patchset

Last month I described how I installed Java on my production server and laptop. Today my Portupgrade run showed that my JDK was out-of-date:

jdk-1.4.2p6_7 < needs updating (port has 1.4.2p7)

Sure enough, a visit to showed a new patchset, number 7, was released at . Prior to updating, here's how my Java version reported itself:

orr:/home/richard$ java -version
java version "1.4.2-p6"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-p6-root_04_dec_2004_17_50)
Java HotSpot(TM) Client VM (build 1.4.2-p6-root_04_dec_2004_17_50, mixed mode)

I used Portupgrade to upgrade and build a package with the new Java patchset on the server and then made it available via NFS to my laptop. When I was done upgrading, here is what pkg_info and the Java client reported:

orr:/home/richard$ pkg_info | grep jdk
jdk-1.4.2p7 Java Development Kit 1.4.2
orr:/home/richard$ java -version
java version "1.4.

Review of Building Open Source Network Security Tools Posted

just posted my five star review of Mike Schiffman's Building Open Source Network Security Tools. From the review: "Books on hacking, cracking, exploiting, and breaking software seem to get all of the attention in the security world. However, we need more works like Mike Schiffman's 'Building Open Source Network Security Tools' (BOSNST). I regret having waited so long to read BOSNST, but I'm glad I did. Schiffman's book is for people who want to build, not break, software, and the way he describes how to create tools is enlightening. The major theme I captured from BOSNST was the importance of creating useful code libraries. Six of the book's 12 chapters focus on libraries which provide functions for application programmers. While not all have gained the same amount of fame or use, the author's approach remains sound. Libraries are the building blocks around which numerous tools can and should be built." Mike is a researcher at

Northern Virginia BSD Users Group?

I was approached by a member of the NYC BSD Users Group recently. He asked if there was a DC area BSD users group. That got me thinking... are any readers interested in participating in a northern Virginia BSD users group? If you are, email me at taosecurity at gmail dot com. I might also post to some mailing lists, but it would be nice to get a head start here. Thank you.

Open Vulnerability Assessment Language

Jay Beale's excellent new article "Big O" for Testing brought MITRE's Open Vulnerability Assessment Language project to my attention. I didn't understand how this project was different from MITRE's Common Vulnerabilities and Exposures project until I looked at OVAL's details. Consider CAN-2003-1048. This is Microsoft Security Bulletin MS04-025, which described multiple problems with vulnerable versions of Internet Explorer. If you look at the CVE entry, you'll see the following information:

- Name: CAN-2003-1048 (under review)
- Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
- References:
-- FULLDISC:20030902 New Microsoft Internet Explorer mshtml.dll Denial of Service?
-- URL:
-- FULLDISC:20040902 AW: [Ful

Ripping Into ROI

In April I wrote Calculating Security ROI Is a Waste of Time. The latest print issue of Information Security magazine features a story by Anne Saita that confirms my judgement: "If you find executives resisting your security suggestions, try simply removing the term 'ROI' from the conversation. 'ROI is no longer effective terminology to use in most security justifications,' says Paul Proctor, VP of security and risk strategies for META Group. [Paul is also author of the excellent book Practical Intrusion Detection, where he correctly said 'there is no such thing as a false positive.'] Executives, he says, interpret ROI as 'quantifiable financial return following investment.' Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch. 'Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,' Pro

Fedora Available via CVS

Last month I answered PHK's "Why Bother?" with FreeBSD Question. Reason 3 was "3. All FreeBSD source code is available via CVS." Rather than delete the latest issue of Red Hat Magazine, I should have paid attention to the Fedora Status Report. It notes that the Fedora Project CVS Repository is now operational. You can now browse the Core or Extras CVS trees. This is a great development for the Fedora Core community, but it's not the same as what's available for, say, FreeBSD. The Fedora Core CVS gives greater access to the packages available in Fedora Core. I believe this is a result of the package-oriented installation process of Red Hat and Fedora distributions. Can anyone comment on this?

Thoughts on Tenable's Nessus Changes at

Shawna McAlearney of contacted me about recent Nessus developments, meaning Tenable's new licensing deal with NASL scripts. She quotes me in her story Nessus no longer free: "'It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits,' said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group. 'To do so is to provide free software development for one's less scrupulous competitors, who are only too happy to take but not give back.'" Shawna and Tenable co-founder Ron Gula elaborate on this point, including naming companies who commercially profit from using Nessus.

Cisco Network Analysis Module

It pays to subscribe to trade magazines like Network Computing. Today I read Sean Doherty's Cisco Integrated Services Routers: When Routes Converge. Although his article was a useful introduction to two of Cisco's new products, he mentioned the Cisco Network Analysis Module. I had never heard of such a product. I should have, since Greg Shipley wrote about it in his 2002 article Cisco's Network Analysis Module Fills Monitoring Gap for Switched Networks. Greg's article, as well as Cisco's documents, are fascinating to those of us responsible for monitoring networks. The device pictured above is the Cisco Catalyst 6500 Series NAM (NAM-1 and NAM-2), a blade for your Catalyst switch. Pictured at right is the Cisco Branch Routers Series Network Analysis Module (NM-NAM), a module for your Cisco router. The blade and module are embedded PCs that collect and present traffic and statistics on network operation. The picture shows the 20 GB HDD present in the

Snort 2.3.0 RC2 Released

Jeremy Hewlett announced the availability of Snort 2.3.0 RC2. This comes about a month after the release of Snort 2.3.0 RC1. Check out the announcement or the CHANGELOG for specifics. Besides bug fixes, there are additional options added to byte_jump. I hope to see this information added to the manual once 2.3 final is released.

3Com Buys TippingPoint

The Register is reporting that 3Com is buying TippingPoint for $430 million. TippingPoint employs 125 people and makes the UnityOne layer 7 firewall... I mean "Intrusion Prevention System." This is huge, since The Register says TippingPoint "reported Q3 2005 revenues of $9.7m (up 44 per cent from $6.7m in Q2 2005) and a net loss of $1.8m for the three months up to October 31." $430 million is a huge multiple. Before I left Texas to join Foundstone in 2002, I was asked to interview at TippingPoint. It looks like their employees made out much better than Foundstone's!

IPxray Reports on Top Five Vulnerabilities

We all should be familiar with the SANS Top 20 Internet Security Vulnerabilities list, which Paul Vixie rightfully criticized for its inclusion of dated BIND vulnerabilities. Now security firm IPxray has published its top 5 vulnerabilities found in our universe of scanned hosts. This was reported by as well. I find these results useful because they are based on the findings of this security firm and reflect what's happening "in the trenches." Rather than repeat the five here, I recommend checking out the links.

Winfingerprint 0.6.0 Released

Kirby Kuehl, a Cisco engineer who provided great feedback on my first book, released version 0.6.0 of his Windows enumeration tool Winfingerprint. This tool is very comprehensive and features an exceptionally clean installation process. Note that although the Winfingerprint home page mentions inclusion of a command line version, Kirby is not currently bundling it with the latest release. Above is a screen shot of Winfingerprint running on a Windows Server 2003 eval with SP1 RC running.

Sun Thin Client Technology Upgrade

I learned about Sun's new thin client technology by reading a Register story by Ashlee Vance. Sun has released the new Sun Ray 170. This is like the new Apple iMac since it is essentially all screen. To power the new Sun Ray, Sun released Sun Ray Server Software 3. The Sun Ray server can be UltraSPARC-based to run Solaris or it can be an x86 box running Sun's Java Desktop System, Release 2, Red Hat Enterprise Server AS 3 (32-bit), or SuSE Enterprise Linux 8, service pack 3 (32-bit). According to Ashlee's article: "Sun will also be looking to convince service providers to consider thin clients as options for their customers. The basic idea is that AOL, for example, could give consumers a thin client for free and then charge monthly fees for its 'computing' service. AOL would be able to manage consumers' software from its servers and provide a secure, simple package for people that really just want to surf the internet, check e-mail, message and

Review of Embedded FreeBSD Cookbook Posted

just posted my four star review of Embedded FreeBSD Cookbook. From the review: "When I skimmed 'Embedded FreeBSD Cookbook' (EFC) in the bookstore, I was impressed by the amount of general FreeBSD information it contained. Now that I've bought and read it, I'm glad this book caught my eye. Although EFC is somewhat dated by its use of FreeBSD 4.4 (released Sep 01), I learned more about FreeBSD internals. I also gained insights into what is needed to create an embedded appliance from the ground up." On a related note, I still need to check out the papers from EuroBSDCon 2004.

Review of Inside the Spam Cartel Posted

just posted my five star review of Inside the Spam Cartel. From the review: "Reading 'Inside the Spam Cartel' (ITSC) is like watching a racing car crash; you're horrified to see it happen, but you can't take your eyes off it. ITSC exposes spam from the point of view of the 'enemy' -- a spammer who claims 'you need to be ruthless in this industry if you want to make any money at it' (p. 132). This book is an absolute must-read for anyone trying to combat spam, especially policy makers who think passing laws with clever names makes any difference." I loved that this book was written from the spammer's perspective. It's similar to the 1997 groundbreaking book Maximum Security, also written by an "anonymous" author bringing light to the underground.

NetBSD 2.0 Installation Issues

I wanted to install NetBSD 2.0 on a real system, so I called on one of the mightiest boxes in my arsenal to host a new installation. I picked a Dell-built 1996-era Pentium (original, not "Pro") 200 MHz with 32 MB RAM. This box was running Windows 98, and my father-in-law donated it to my collection when he bought a new system. I had multiple problems with this box. First, it has a Sony CDU311 CD-ROM that refused to read the CD on which I had burnt NetBSD 2.0. I created boot floppies and did an FTP install. I missed a crucial part of the partition creation process, however, that caused the system to hang at "Mounting all filesystems..." after a reboot. If you look at the screenshot below, you'll see that NetBSD by default offers to host the "tmp" partition on a RAM disk: By default the size is 0, meaning this "memory file system" (mfs) won't be created. However, I moved my cursor down to the "tmp" row and added a 10

New "Must Read" Security Blog

One of my buddies who's still with Foundstone (now part of McAfee) has started a blog. Aaron Higbee of DCPhoneHome fame, along with some of his well-dressed friends, has begun sharing their knowledge and sense of style at . They are deep into the assessment side of security, so I'm sure you can pick up a few tricks by regularly visiting their site. I'm afraid these guys look nothing like their "pictures," however.

April 2004 Sys Admin NSM Article Online

I learned today that my April 2004 Sys Admin article Integrating the Network Security Model is now available online. I've also posted .pdf and .ps versions at my publications page. From the article: "Intrusion detection is a controversial topic. Although intrusion detection systems (IDS) were once hailed as the answer to the shortcomings of firewalls, they are now labeled 'dead' by some market analysts and are threatened by intrusion prevention systems (IPS) and 'deep inspection' firewalls. In this article, I'll look at the detection and validation of intrusions through an operational model called network security monitoring (NSM). I will briefly explain NSM theory and introduce several tools for integrating NSM concepts into existing prevention and detection systems. NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is an operational model inspired by the United St

NetBSD 2.0 Released

NetBSD 2.0 has been released! The last major release was NetBSD 1.6, in September 2002. The last update to the 1.6 branch was 1.6.2, in March 2004. I strongly recommend finding a mirror site close to you. There are even torrents available. I've toyed with NetBSD before, but never in a serious manner. One aspect of the system I'm anxious to try is the well-documented NetBSD pkgsrc system. There is an excellent Web-based interface to the NetBSD packages at . While there aren't as many NetBSD packages as there are FreeBSD ports (~5000 vs ~12000), the NetBSD system looks promising. If you look in the iso directory of the NetBSD FTP servers, you will see .iso's like "i386cd.iso" and "i386live.iso". The prefix refers to the machine architecture and the suffix refers to the contents of the .iso. For example, I just downloaded and burned the i386cd.iso to CD-R, to test on my Intel 32-bit systems. It appears to be a m

Thoughts on Future Microsoft Servers

Robert L. Mitchell reported Microsoft goes to pieces in a recent ComputerWorld article. The article is light on specifics, but the message is interesting: "With the release of Longhorn in 2007, the company has said it will offer 'role-based' versions of Windows in which only the code needed to perform a given function will be included in a particular build of the operating system... Now, rather than simply selling task-specific editions of Windows, Microsoft may let systems administrators choose which core elements of Windows to include at installation." As a security engineer, I think this is a great idea. Microsoft is already encouraging administrators to shut down unnecessary services via Windows Server 2003 SP1 RC's Service Configuration Wizard. Completely omitting unnecessary systems would be an even better idea. This is similar to a "minimal" FreeBSD installation. My guess is Microsoft will offer templates for mail, Web, database, and fire

Pros and Cons of Outsourcing Security Tasks

Jian Zhen of LogLogic wrote two helpful articles for ComputerWorld. The first lists ten benefits of outsourcing security functions, and the second lists seven potential drawbacks. I largely agree with his analysis, particularly concerning the advantages of leveraging centralized security expertise. A managed security service that does nothing but handle security issues all day long has a much higher level of security situational awareness than an overtasked administrator with multiple responsibilities. How is a general purpose administrator who has to deal with users, stop spam, recover backups, install patches, and maintain infrastructure going to know more about the latest types of attacks and defenses than a dedicated security professional? Companies who can afford to maintain specialized security teams probably don't need to outsource these functions. A quick way to determine if a company probably doesn't need to outsource security tasks is to check to see if t

I subscribe to Sys Admin magazine because it offers excellent articles. One that is available online is Bryan Smith's Dissecting PC Server Performance. He explains the major bottleneck issues in traditional CPU architecture and how the AMD Opteron is an improvement. I found the article highly technical yet readable and enlightening. This is a must-read before you buy your next high-load server.

Nessus Developments

Recently I reviewed the new Syngress Nessus book, after installing Nessus 2.2 using the security/nessus FreeBSD port. Yesterday Tenable Network Security relaunched the Nessus home page. The author of the Nessus vulnerability scanner is Renaud Deraison, who co-founded Tenable and currently serves as Chief Research Officer there. Tenable formally supports the development of Nessus. Along with a sharp new Web design and the release of Nessus 2.2.1, the site announced a new policy on plug-ins. Plug-ins are code written in the Nessus Attack Scripting Language (NASL) which perform vulnerability checks. Tenable is offering three feeds for Nessus plug-ins:

The Direct Feed "is commercially available [and] entitles subscribers to the latest vulnerability checks," immediately. It costs $1200 per scanner per year.
The Registered Feed "is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed."

Ready to Deploy

My buddy Erik Birkholz, fellow ex-Foundstone consultant and author of Special Ops, appears to be shifting more resources to his consultancy, Special Ops Security. I found his company's service datasheet (.pdf) offers several novel services. For example, SOS provides "Pre-Sales Engineers and Deployment Services" and "Security Sales Consultants." They act as hired technical guns, bridging the gap between account executives and customers or sales people and customers. I think this is an excellent resource for clients who need to know the "real deal" about security. To get a sense of the company's technical skills, I recommend perusing their presentation Show and Tell: Attacks and Defense (.pdf).

Thoughts on Windows Server 2003 SP1 RC

Microsoft announced that Windows Server 2003 Service Pack 1 Release Candidate is available for testing on non-production servers. I installed it remotely using Rdesktop on a 180 day evaluation copy of Windows Server 2003 with hotfixes installed. The whole process went smoothly, and after a reboot I was still able to connect via Rdesktop and PsExec. Microsoft published Top 10 Reasons to Install Windows Server 2003 SP1, which I found interesting reading. The majority of the reasons sound helpful. Point one is especially revealing. Microsoft now recommends "reducing the attack surface," which is code for disabling unnecessary services via the "Security Configuration Wizard" (SCW). Microsoft says "With SCW you can disable unused services easily and quickly, block unnecessary ports, modify registry values, and configure audit settings." I heartily endorse this and many other changes. Points nine (Help secure Internet Explorer) and ten (Avoid potenti

Dru Lavigne on Upgrading FreeBSD

Dru Lavigne's latest Blog entry explains her experiences upgrading two systems to FreeBSD 5.3. Her article nicely complements my Keeping FreeBSD Up-To-Date. Over 7,000 of you appear to have already read it. I've made a few tweaks recently, including changing the CVS tag for the FreeBSD 5.3 RELEASE to 5_3_0_RELEASE, plus fixing misspellings and related typos.

Sguil 0.5.3 Released

Sguil 0.5.3, the analyst console for Network Security Monitoring, is now available. Updated screenshots are also posted. I'll be tweaking my install guide to reflect the version bump, but the content won't change. I wrote the latest version using a CVS version of Sguil, so it has the same capabilities as 0.5.3. You can read Bamm's release announcement and CHANGES for more information. If you have any questions, join us in #snort-gui at . A chapter from my book devoted to Sguil is online.

Enabling DRI on FreeBSD

Last February I wrote of my adventures enabling DRI on my laptop. I already had a few tweaks to my /boot/loader.conf to get sound and AGP working:

    snd_csa_load="YES"
    r128_load="YES"

Using kldstat, I could see what kernel modules were loaded:

    orr:/home/richard$ kldstat
    Id Refs Address    Size     Name
     1   12 0xc0400000 5cdb30   kernel
     2    2 0xc09ce000 7464     snd_csa.ko
     3    3 0xc09d6000 1d4fc    sound.ko
     4    1 0xc09f4000 1520c    r128.ko
     5   14 0xc0a0a000 537f0    acpi.ko
     6    1 0xc1a97000 17000    linux.ko

When I installed FreeBSD 5.3 RELEASE I was not able to get DRI working when I simply uncommented it in my xorg.conf file:

    # This loads the GLX module
    Load "glx"
    # This loads the DRI module
    # Load "dri"

When I did uncomment the dri module, I saw a green bar appear at the top of my X display, and the system locked. Without DRI, a test with glxgears showed poor performance:

    orr:/home/richard$ glxgears -info
    GL_RENDE
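Before touching xorg.conf it is worth confirming which kernel modules are actually resident and whether the dri line is still commented out. The script below is an added example and not part of the original post: it parses kldstat(8) output (the sample embedded here is constructed from the listing above), reports which of a given set of modules are missing, and checks an xorg.conf for an uncommented Load "dri". The module names passed in and the /etc/X11/xorg.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the two prerequisites a
# DRI setup depends on: the needed kernel modules are loaded, and xorg.conf
# actually loads the dri module.

# Constructed sample, copied from the kldstat listing in the post.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1   12 0xc0400000 5cdb30   kernel
 2    2 0xc09ce000 7464     snd_csa.ko
 3    3 0xc09d6000 1d4fc    sound.ko
 4    1 0xc09f4000 1520c    r128.ko
 5   14 0xc0a0a000 537f0    acpi.ko
 6    1 0xc1a97000 17000    linux.ko'

# module_loaded NAME KLDSTAT_OUTPUT -> 0 if NAME or NAME.ko is in the Name column
module_loaded() {
    name=$1
    printf '%s\n' "$2" | awk -v n="$name" '
        NR > 1 && ($5 == n || $5 == (n ".ko")) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_modules "NAME NAME ..." KLDSTAT_OUTPUT -> prints one line per module
# from the list that is not loaded; prints nothing when all are present
missing_modules() {
    for m in $1; do
        module_loaded "$m" "$2" || printf '%s\n' "$m"
    done
}

# dri_enabled XORG_CONF -> 0 if the file has an uncommented   Load "dri"   line
# (a leading # on the line, as in the post's xorg.conf, means it is disabled)
dri_enabled() {
    grep -Eq '^[[:space:]]*Load[[:space:]]+"dri"' "$1"
}

# Usage on a live box (paths and module names are assumptions):
#   missing_modules "r128 drm" "$(kldstat)"
#   dri_enabled /etc/X11/xorg.conf && echo "dri enabled" || echo "dri commented out"
```

Run against the sample, the only module reported missing is the one that is not in the listing, so the script can be pointed at a live `kldstat` to see what loader.conf actually produced.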

FreeSBIE 1.1 Released

I was happy to see that FreeSBIE 1.1 was released today. FreeSBIE is a live CD version of FreeBSD. Version 1.1 offers FreeBSD 5.3 RELEASE as the underlying OS. If you've used Knoppix to get familiar with Linux in a live CD environment, you should give FreeSBIE a try. New for this version are the release announcement, a manual, and the list of packages installed on the live CD.

Review of Nessus Network Auditing Posted

My four star review of Nessus Network Auditing was just posted. It's been almost three months since my last book review. I hope to get several more done before the end of the year. It's tough when, as a reviewer, I actually try to read the books I critique. From my review: "'Nessus Network Auditing' (NNA) is the definitive (and only) guide to the Nessus open source vulnerability assessment tool. I recommend all security professionals read this book. You may start as a Nessus user, but the book will help you become part of the Nessus community. NNA features twelve contributors, but it doesn't suffer the fate of other books with similarly high author counts. NNA manages to present fairly original material in each chapter, without a lot of overlap. I credit the lead authors and editors for keeping the contributors on track. They could have reduced the number of crashing printer stories, however."

OpenBSD 3.6 on Soekris Net4801

In June I described a way to install OpenBSD 3.5 on a Soekris Net4801 small form factor system. I followed a similar method today with OpenBSD 3.6, installing from floppy to a 2.5 inch HDD on one laptop and then moving the HDD to the Soekris. I had two problems. The first involved not being able to use dd to write the OpenBSD floppy image to the floppy drive. I used this syntax:

    orr:/root# dd if=floppyC36.fs of=/dev/fd0

At one point I got errors from dd. Later I saw these error messages from the kernel:

    fdc0: ready for input in output
    ...repeats...
    fdc0: ready for input in output
    fdc0: too many errors, not logging any more

I was able to use the same syntax on a FreeBSD 4.10 box to create the boot floppy. I booted with the OpenBSD boot floppy and installed OpenBSD 3.6 on the laptop. When I moved the laptop HDD to the Soekris, I got this error via serial console as OpenBSD tried to boot:

    booting hd0a:?1;2c: open hd0a:?1;2c: No such file or directory
    failed(2). will try /
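When dd reports errors like the fdc0 messages above, the floppy may still look written but be partially wrong, so the boot image should be read back and compared before trusting it. The following is an added example, not from the original post: it writes an image with dd and then verifies the device against the image byte for byte, limiting the read-back to the image length so the rest of a larger medium does not cause a false mismatch. The /dev/fd0 and image paths are assumptions, and any regular file can stand in for the floppy when trying it offline.

```shell
#!/bin/sh
# Added example (not from the original post): write a floppy image and verify
# it, so that a dd error or a bad floppy is detected instead of discovered at
# boot time. Device and image paths in the usage line are assumptions.

# sectors_in IMAGE -> number of 512-byte sectors; fails if the image is not
# sector-aligned (OpenBSD floppy images are exactly 2880 sectors)
sectors_in() {
    bytes=$(wc -c < "$1")
    if [ "$((bytes % 512))" -ne 0 ]; then
        echo "$1: size is not a multiple of 512 bytes" >&2
        return 1
    fi
    echo "$((bytes / 512))"
}

# write_floppy IMAGE DEVICE -> 0 only if dd itself reports success
write_floppy() {
    dd if="$1" of="$2" bs=512 conv=notrunc 2>/dev/null
}

# verify_floppy IMAGE DEVICE -> 0 if the first len(IMAGE) bytes read back from
# DEVICE are identical to IMAGE; a single differing byte fails the check
verify_floppy() {
    count=$(sectors_in "$1") || return 1
    dd if="$2" bs=512 count="$count" 2>/dev/null | cmp -s - "$1"
}

# Usage (assumed paths):
#   write_floppy floppyC36.fs /dev/fd0 && verify_floppy floppyC36.fs /dev/fd0 \
#       && echo "floppy verified" || echo "floppy is bad, rewrite it"
```

A successful dd exit status only means the kernel accepted the writes; the verify step is what catches the case where the drive logged errors and stopped writing.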

Dru Lavigne Chimes in on "Why Bother?"

FreeBSD author and advocate Dru Lavigne has responded to PHK's "Why Bother?" article. While citing my previous Blog entry on the subject, she made me aware of a freebsd-chat thread discussing project goals. Two users (Chris Pressey and Paul Robinson) asked questions about goals that are similar to my earlier Blog entry. Chris ended up being attacked once he mentioned the "number of backouts and backout requests" to cvs-src as a metric for "the amount of floundering a project is undergoing." This is a shame, because the original project goal question remains unanswered.

TaoSecurity Blog Under Construction

I'm experimenting with adding a comments feature to the blog. The easiest way to do that was to use a new template. You may see additional changes. Also, links which were previously in this format now take this format. The old format appears to still work, however.

Exclusive: Keeping FreeBSD Up-To-Date

I am happy to announce the publication at of Keeping FreeBSD Up-To-Date. I wrote this article to answer questions I've received over the past few months on how to apply security fixes to a FreeBSD system. While the official Handbook is excellent, I thought a case-study approach would be enlightening for some readers. I thought it would be interesting to see a box begin life as FreeBSD 5.2.1 RELEASE, and then progress through a variety of security fixes applied in different ways. The article's sections include:

    Introduction
    FreeBSD Versions
    Learning About Security Issues
    Starting with the Installation
    Binary OS and Userland Updates with FreeBSD Update
    Applying Kernel Patches Manually
    Applying Userland Patches Manually, Part 1
    Applying Userland Patches Manually, Part 2
    CVSup to 5_2 Security Branch
    Beyond the Security Branch
    STABLE: The End of the Line
    The "Next" STABLE
    Conclusion
    Acknowledgements
    References

Sections show commands to run, explanati
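Whichever of the methods in the article you use, the first step is knowing what a box is running and which branch its fixes come from. The script below is an added example and not part of the article or Dru Lavigne's post above: it picks the patch level out of a uname -r string such as 5.2.1-RELEASE-p10, decides whether a box is behind the patch level named in an advisory, and derives the RELENG_5_2 security branch tag (and the RELENG_5 stable tag) that the cvsup sections refer to. The version strings in the usage lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article): parse FreeBSD version strings as
# printed by uname -r and turn them into the checks and CVS tags that the
# security-branch procedure needs. Version strings below are constructed.

# release_of VERSION -> "5.2.1" from "5.2.1-RELEASE-p10"
release_of() {
    echo "${1%%-*}"
}

# patch_level VERSION -> N from "-pN", or 0 when no security patch is applied
patch_level() {
    case $1 in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# security_branch VERSION -> RELENG_5_2 for any 5.2.x release (the branch that
# carries only security fixes for that release)
security_branch() {
    rel=$(release_of "$1")
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    echo "RELENG_${major}_${minor}"
}

# stable_branch VERSION -> RELENG_5, the -STABLE branch the article calls
# "the end of the line" once a release's security branch is abandoned
stable_branch() {
    rel=$(release_of "$1")
    echo "RELENG_${rel%%.*}"
}

# needs_update RUNNING ADVISORY_LEVEL -> 0 if RUNNING is behind the patch level
# an advisory names for the same release; 2 if the releases differ (in which
# case a patch-level comparison is meaningless and an upgrade is the question)
needs_update() {
    if [ "$(release_of "$1")" != "$(release_of "$2")" ]; then
        echo "$1 and $2 are different releases" >&2
        return 2
    fi
    [ "$(patch_level "$1")" -lt "$(patch_level "$2")" ]
}

# Usage with constructed inputs:
#   needs_update "$(uname -r)" 5.2.1-RELEASE-p10 && echo "behind, apply the fix"
#   cvsup tag for this box:  security_branch "$(uname -r)"
```

Feeding the output of `security_branch` into a cvsup supfile's `tag=` line is the manual equivalent of the "CVSup to 5_2 Security Branch" section; the release-mismatch case is deliberately an error rather than a false "up to date".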