Showing posts from March, 2005

New National Centers of Academic Excellence in Information Assurance Education

Related to my previous post, I decided to see what was happening with the National Security Agency's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program. I read that today the NSA and Department of Homeland Security jointly announced several new schools had met the criteria to be National Centers of Academic Excellence in Information Assurance Education. One of them is my alma mater, the US Air Force Academy. I am glad to see USAFA join this group, since it was embarrassing to see the ground-pounders of West Point already in the CAEIAE program! :)

Thoughts on New Cyber Security Report

Today I skimmed the latest report from the President's Information Technology Advisory Committee (PITAC) titled Cyber Security: A Crisis of Prioritization (.pdf). This Government Computer News story summarizes the report's findings. Briefly, they are that the nation's critical infrastructures remain vulnerable to attack, and that federal security research and development funding is misallocated. PITAC estimates "there are fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field." I agree with this claim; it is very difficult to find anyone with deep and broad security degrees and experience whom I would trust to teach future practitioners. I was pleased to see the report list the following as some of its ten research priorities, as they are near to my own interests:

- Monitoring and Detection. Regardless of progress made in the preceding research areas, unanticipated ev

Cisco Routers Run Tcl

This morning I was reading The State of the Scripting Universe by Lynn Greiner. That article features interviews with leaders in the development communities for Perl, PHP, Python, Ruby, and Tcl. The article pointed me towards a reference titled Dynamic Languages — ready for the next challenges, by design by David Ascher. While reading this second article I was surprised by this statement: "Tcl is part of Cisco's IOS router operating system, and as such is included in all high-end Cisco routers and switches." What's that? Tcl on my router? A quick Google for "tcl cisco ios" revealed two helpful resources: Cisco IOS Scripting with Tcl by Cisco and TCL'ing Your Cisco Router by Peter J. Welcher. Cisco's document revealed that Tcl 8.3.4 was introduced in Cisco IOS 12.3(2)T. Sure enough, it's on my Cisco router:

gill#sh ver
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
...truncated...

Steve Andres of Special Ops Security emailed me to report his company's release of SQLrecon, Chip Andrews' successor to SQLping. SQLrecon is another .NET application that I tested on my Windows 2000 laptop. You can use SQLrecon to discover servers offering Windows SQL Server, and learn a little bit more than a port scanner might say. The tool is very easy to use: specify a range of IPs in the boxes and start the scan. Results appear in the window at right. SQLrecon provides plenty of customization via options as well. Thank you to Special Ops Security for releasing this free and helpful tool!

FreeBSD 5.4 Schedule Updated

This weekend the FreeBSD 5.4 Release Schedule was updated to reflect "facts on the ground." The candidate earlier labelled "PRERELEASE" is now noted as "5.4-BETA1", and the comments state: "First public test release build. Note that the release build name is 5.4-BETA1 but RELEASE name remains 5.4-PRERELEASE. This is because the name BETA often confuses the users who are using the STABLE branch." "5.4-RC1" is slated for 31 March, but then we read the "First release candidate" is scheduled for 2 April. 5.4 is listed as having a 19 April availability date. This information is a lot more specific than what I see from most commercial operating systems. :)

Latest Snort and IDS News

Last week saw several developments involving Snort. First, Sourcefire published the Open Source Snort Rules Consortium (OSSRC) charter (.pdf). The document states: "The stated goals of the OSSRC are to:

- Establish metrics and standards for Open Source Snort rule development and documentation.
- Provide a forum for the sharing of research and information for the development of effective Snort Rules.
- Ensure continuous support for a Snort Ruleset licensed under the GPL."

Sourcefire and Bleeding Snort will hold most of the power in the new group: "One representative from each of the founding member organizations, Sourcefire and Bleeding Snort, will serve in the role of co-chair of the OSSRC. Co-chairs will serve as managers of the OSSRC, working as they deem necessary to uphold the mission of the OSSRC. They will hold veto power over any vote of the membership, though any such veto may be overturned by a vote of three-quarters (¾) of the membership." I'm n

IISFA Announces Vendor-Neutral Forensics Certification Test

Today I received an email from James A. Moore, International Vice Chairman (sounds impressive) of the International Information Systems Forensics Association (IISFA). The IISFA is the governing body for the Certified Information Forensics Investigator (CIFI) certification. I mentioned this organization and cert in June and November 2003. Since I don't see any notice of this news on the IISFA Web site, here are the significant parts of Mr. Moore's email: "I am very pleased to formally announce the final release date of the Certified Information Forensic Investigator examination through Thompson Prometric. The exam will be available at over 2500 testing centers worldwide on April 18th, 2005. The exam fee will be $150 USD and registration for the exam will be completed through the Thompson Prometric website located at The exam will be 125 random questions with a minimum passing score of 70%. Results to the candidate will be immediate. The IISFA

Review of The Art of Intrusion Posted

I just posted my four star review of The Art of Intrusion. This may be one of my more controversial opinions, so you may want to read the whole review to get my entire take on the book. Here is the beginning of the review: "Over two years ago I read and reviewed The Art of Deception also by Mitnick and Simon. I thought that book was 'original, entertaining, [and] scary.' Those same adjectives apply to The Art of Intrusion (TAOI). While I also add 'disappointing' and 'disturbing' to the description of TAOI, sections of the new book make it an absolute must-read. If you want to understand the consequences of systematic, long-term compromise of your enterprise, you must read and heed the lessons of TAOI."

Red Cliff Releases Web Historian

On Friday, security consultancy Red Cliff posted an announcement of their new Web Historian tool. Web Historian parses Web browser history files and presents the information in a manner useful to a host-based forensic investigator. The program requires the Microsoft .NET Framework and runs only on Windows systems. Prior to using Web Historian, I had used Scott Ponder's IE History and Keith Jones' Pasco. Previously IE History was free, but required sending an email to the developer. Now IE History costs $50 and is "limited to Law Enforcement and Corporate Security." Web Historian improves upon Pasco, and the new tool probably benefited from Keith Jones' input, as he now works for Red Cliff. I downloaded and installed Web Historian. The program prompts the user for a Web history file to parse, or gives the option of searching a specified location for Web history files. I chose the latter option and directed Web Historian towards the c:\Documents and Se

FreeBSD 5.4-BETA1 Available

I am happy to report that FreeBSD 5.4-BETA1 has been announced. The release schedule has not yet been updated, and it doesn't seem to match the process currently underway. Looking back at the 5.3 release schedule, we see that BETA1 is the start of the FreeBSD release process. After a series of BETAs we will see RCs (release candidates). I think 5.4 is a few weeks late, so I expect to see the final RELEASE version ready in late April or early May.

Latest Pre-Reviews

I received three new Pearson imprint books yesterday that I've added to my reading list. First is Windows System Programming, 3rd Ed by Johnson M. Hart, published by Addison-Wesley Professional. This book looks promising because it does not dwell on Windows GUI issues. Instead it focuses on core system services like the file system, memory, processes and threads, synchronization, communication, and security. The 3rd edition is updated to address Windows XP and Windows Server 2003, and it also covers 64 bit issues. I asked for this book to learn more about Windows internals and programming Windows systems. The author is said to take more of a "UNIX-like" approach to Windows programming, which should be a blessing for me. Next is Cisco Router Firewall Security by Richard Deal, published by Cisco Press. I absolutely cannot wait to read this book, given the attention I've paid to IOS this month. This book is an exhaustive examination of the security feature on

Snort Rules

I just noticed that published an article titled Snort (rules) for sale. I was quoted after the article's author, Shawna McAlearney, read coverage on this blog. I thought Shawna's article was "fair and balanced."

Bookpool Publishes My Ten Favorite Computing Books

I maintain Listmania Lists for a variety of topics. These show books I recommend reading to become more proficient in various security skills. Recently Bookpool asked me to help celebrate their 10th anniversary by participating in their authors' favorite 10 computer books from the past 10 years promotion. I hope you find my list helpful. Although I sometimes reference books I read several years ago, I was sure to include older books that had newer editions available.

Security Insights from Microsoft Security Architect

Last night I attended the northern Virginia ISSA monthly meeting. The guest speaker was Dean Iacovelli, Security Systems Architect for the Microsoft Mid-Atlantic district. His overall theme was "beyond patching." Dean supports over 200 enterprise customers, for which he serves as "security piñata." Several ISSA members took him to task for Microsoft's security failings, but I thought Dean was diplomatic and handled their mildly aggressive questions well. Dean said that the patching approach to security is becoming a "second or third line defense, like backups. You patch regularly but hope you don't need them." As evidence he cited the decreasing window of time between announcement of a vulnerability and release of an exploit. Patches are still the best way to fix a vulnerability in broken software, so Microsoft has been pursuing multiple initiatives to improve their patches. First, Microsoft is migrating from multiple update sites (e.g., O

Join Me for NSM at USENIX 2005

Four weeks from today I will present a one day class on Network Security Monitoring with Open Source Tools at USENIX 2005 in Anaheim, California. This is an improved and updated version of the class I presented last year at USENIX Security 2004. I am looking forward to teaching this class. It will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to achieve network awareness. Whereas intrusion detection cares more about identifying successful and usually known attack methods, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. According to the registration deta

SecureLogix Enterprise Telephony Management

I just read two reviews of the latest SecureLogix product, the Enterprise Telephony Management system, in Network Computing and Secure Enterprise magazines. Hardly anyone seems to pay attention to voice security. I've only read one book on the subject. As Voice over IP becomes popular, interest in voice security seems to be picking up. The new SecureLogix product can monitor and control traditional POTS voice and also VoIP (SIP and H.323v2). I found this note in one of the reviews alarming: "The ETM 1090 system can capture digital recordings of any call and record up to eight simultaneous calls off one voice span. The 5.0 production release captures calls only off of a voice T1. SecureLogix is prepping VoIP recording for the next release. The ETM 1060 caches audio at a rate of 57 MB per hour from up to 32 simultaneous calls, yielding roughly 2,000 hours capacity on the appliance, and it automatically uploads the recorded calls to your target server drive as .wav file

Banks Also Fighting the Last War

Security guru Bruce Schneier wrote an insightful essay titled The Failure of Two-Factor Authentication. He essentially argues that the millions of dollars banks and others are spending on two-factor authentication don't address modern threats. When phishers convince victims to enter credentials that the phisher passes to a real e-commerce site, it doesn't matter if the credentials are a password or an RSA token code and PIN. Also, forget about phishing; just install a silent Trojan that performs fraudulent commercial actions during an authenticated, legitimate session. Something like xss-proxy might do the trick. This reminded me of my blog entry As Always, .gov and .mil Fight the Last War. I guess it takes too long to implement and fund initiatives in these huge organizations. It's like changing the course of an oil tanker. I'm sure the security staff recommended two-factor authentication five years ago and has only now received funding. Unfortunately, th

BSD Certification Web Site Launched

This morning the BSD Certification Web site was launched. I am a member of the project. Our mission is to create and support a standardized certification process to assist system administrators and employers in validating competence in the implementation of BSD best practices. Keep an eye on the Web site and our public mailing list for more information. I recommend reading our press release as well.

First Impressions of Lancope StealthWatch

Sometimes vendors send me gear to try in my lab. I was fortunate to receive a StealthWatch appliance from Lancope, which I tried for a few weeks on a production T-3 link. Lancope calls StealthWatch a "Network Behavior Anomaly Detection (NBAD)" system. It is a signature-free product that analyzes network traffic and reports what it considers odd and potentially problematic events. The following are my impressions of the system, based on three assumptions. First, I did not try to stress-test or attack the system to gauge its performance under load. I placed it on a production network as any other client might. Second, I did not validate its findings independently. In other words, I did not collect information on another system to test if a StealthWatch "high traffic" alarm truly corresponded to a "high traffic" event. Third, I did not fully configure the system as one might as a Lancope customer. Full utilization of this or any security product usu

SANS Ends Practical Requirement for Certifications

I just learned that SANS, an organization whose conferences I attended fairly regularly five years ago, has terminated the practical requirement for all of its GIAC (Global Information Assurance Certification) programs. GIAC was originally the Global Incident Analysis Center, a Web site to disseminate information on Y2K rollover threats. From a February 2000 archive of the site: "GIAC began December 21, 1999 as a service to support Y2K watchstanders all over the world, watching for cyber attacks and Y2K problems. We've come a long way since then, but the original pages are archived here." I was an original incident handler and had some of my work posted. I also taught the IDS track several times, until I decided their material was too out-of-date and irrelevant to IDS practitioners. I was tired of scrapping SANS material on stage (aside from some of Judy Novak's TCP/IP slides and Marty Roesch's Snort tutorial) and teaching what students really needed to know. SANS t

Ethereal Development and Support News

I just noticed that Ethereal 0.10.0 was released Friday. It fixes several security and reliability bugs, so an upgrade is warranted. While perusing the Ethereal home page I noticed news on Ethereal training by Ethereal Software. The classes include:

- Ethereal Essentials 1 (two days): Introduction to Ethereal and network troubleshooting
- Ethereal Essentials 2 (three days): Advanced network troubleshooting with Ethereal
- Development Using Ethereal (three days): Coming soon!

The second and third classes look very interesting. So who is Ethereal Software? Their site says they were "formed by Network Integration Services to provide value-added services for the Ethereal network protocol analyzer." There is no name associated with either Ethereal Software or NIS, but the contact phone number and street addresses belong to Ethereal founder Gerald Combs. I confirmed this by looking at these results from . This is a cool Web site where thos

Latest Pre-Reviews

I received five promising books recently. Here's a quick look at them. Once I read each book, I'll post news of my review here. First is VoIP Security by James Ransome and John Rittinghouse, published by Elsevier. I'm looking forward to reading this book because it explains Voice over Internet Protocol, and then explores security issues associated with this increasingly popular technology. This protocol is going to be used everywhere, and I don't think security professionals are ready for it. Next we have the first of two new books from Syngress: Intrusion Prevention and Active Response: Deploying Network And Host IPS, by Michael Rash, et al. Regular blog readers know I see any system which blocks traffic to be an access control device, also known as a firewall. This book will not see the world in the same way, but I think it will be intriguing nonetheless. Several of the authors have written for Syngress before on subjects like Snort and Ether

Argus Documentation

Argus is a session data collection tool, and probably the most underrated network security application available. I wrote about Argus in my first book, a Sys Admin article, and here. Recently I read on the argus mailing list that Thorbjörn Axelsson posted his thesis Network Security Auditing at Gigabit Speeds (.pdf) online, and it uses Argus. Through his references I discovered an earlier article by Peter Van Epp titled Pssst, Wanna Buy Some Network Insurance? (.pdf). Peter's article in particular demonstrates a wonderful appreciation of the limitations of IDS/IPS, e.g.: "Knowing of a break in after the fact, while undesirable, is much better than not knowing of the break in at all... With Argus you at least have the data; with only an overwhelmed IDS or firewall you don't (or at least not all of it). Something to think about, especially in terms of insurance."

More Snort News

I have several developments to report from the Snort front. First, Jeremy Hewlett announced Thursday the release of Snort 2.3.2. This version is a quick response to the problem parsing Bleeding Snort rules reported shortly after Snort 2.3.1 arrived. I think this release was quickly pushed out the door to demonstrate that Sourcefire was not trying to lock out Bleeding Snort users. This is smart; there's no need to repeat a Microsoft-style "DOS isn't done until Lotus won't run" situation with Snort! Speaking of Bleeding Snort, Matt Jonkman announced Friday work on a new "Open Source Snort Rules Consortium." He says: "The OSSRC will be a group that any company or organization will be welcome to join. The members will share research on new threats and rules to handle those threats, with the goal of creating a unified community-based ruleset. Each member may post these rules wherever they choose, distribute them to their clients or customers,

BSDCan 2005 Registration Opens

Registration for BSDCan 2005 is now open. Last year at the inaugural event I reported on days one and two and spoke about Sguil. This year I will present Keeping FreeBSD Up-To-Date and More Tools for Network Security Monitoring on 13 May, according to the schedule. I learned I was not accepted to speak at CanSecWest this year, so the visit to Ottawa for BSDCan will probably be my only trip north of the border in the coming months.

Visiting Sourcefire

Today I visited the Columbia, MD headquarters of Sourcefire with DC Snort Users Group founder Keith McCammon, pictured with me at left. We drove up from our Falls Church, VA office to meet with Sourcefire founder and Snort creator Marty Roesch. Sourcefire is housed in an Ikea-type building constructed to house optical networking start-ups during the dot-com craze. In addition to Sourcefire, Optical Capital Group Ventures and another company called Debt Shield share the space. We started our conversation with Marty by discussing the new VRT Certified Rules License Agreement. Marty said that Sourcefire isn't a "nameless, faceless company. Real people work here." He demonstrated Sourcefire's commitment to the security community by mentioning the change to the Audit clause, previously reported here. Marty reported that many companies, several of which he was previously unaware, have reported interest in Snort Integrator licenses. As of this afternoon almost

Snort 2.3.1 Released, Audit Clause Modified

Jeremy Hewlett announced that Snort 2.3.1 is now available. According to the announcement, there are only supposed to be new rules in the major releases (e.g., 2.4.0, 3.0.0 -- not 2.3.1). However, a cursory inspection of the new rules in 2.3.1 revealed some additions. For example: drury:/usr/local/src$ diff snort-2.3.0/rules/backdoor.rules snort-2.3.1/rules/backdoor.rules 3c3 < # $Id: backdoor.rules,v 2005/01/17 23:52:48 bmc Exp $ --- > # $Id: backdoor.rules,v 2005/03/01 18:57:08 bmc Exp $ 102a103,104 > alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"|31 6a d0 d9|"; classtype:trojan-activity; sid:3155; rev:1;) > alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13 3c 9e a2|"; depth:5; classtype:trojan-activity
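Review bot: the 102a103,104 hunk adds two new signatures to backdoor.rules (sid:3155 for BackOrifice 2000 inbound traffic and the mydoom.a backdoor upload/execute rule) in the 2.3.1 point release, which contradicts the stated policy that new rules arrive only in major releases (2.4.0, 3.0.0); either hold them for the next major release or call out the exception in the announcement so operators who expect a bug-fix-only upgrade know their active ruleset changes. The 3c3 hunk is only the $Id$ keyword revision bump and needs no action.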

Passed My CCNA Test

I just finished testing for my Cisco Certified Network Associate certification. I passed with a 973 out of 1000. The test was 90 minutes long and I finished with only 8 minutes to spare. I think I missed one question, maybe two. The exam was as tough as I expected, meaning it was not easy. I know it was difficult since I usually breeze through mostly multiple-choice exams. (For example, I answered all 250 questions on the CISSP exam in 90 minutes, and walked out the door.) I cannot say enough about the CCNA class I took with Todd Lammle at GlobalNet Training. He was not kidding when he said students need to know everything he writes in his slides and says while teaching. I was amazed how much of my knowledge Cisco managed to test with a 55 question exam. Also, if I did not know Todd's block size method of IP subnetting, I do not think I would have finished the test in time. If you want to pass the CCNA, I recommend the following: 1. Take GlobalNet Training's

Review of Cisco IP Routing Posted

I just posted my five star review of Alex Zinin's exceptional Cisco IP Routing. From the review: "With my CCNA exam date staring straight at me, I decided to finally read my copy of Alex Zinin's Cisco IP Routing. This book clearly exceeds the level of knowledge to pass Cisco's entry level certification. It is aimed more at CCNPs or CCIEs who need a deeper understanding of Cisco routing. Nevertheless, I found the book's explanations of certain subjects to be absolutely outstanding, even for a CCNA candidate. I recommend anyone wishing to learn Cisco router operations read Cisco IP Routing."

Sourcefire VRT Rules License Audit Rights

Don't be too quick to register to receive the latest Snort rules if you use Snort in your organization. This snort-users post brought this section of the VRT Certified Rules License Agreement to my attention: "11. Audit Rights. You will, from time to time and as requested by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in your possession or control, and to your books, records and facilities to permit Sourcefire to verify appropriate use of the VRT Certified Rules and compliance with this Agreement. Sourcefire's non-exercise of this right, or its failure to discover or object to any inappropriate use or other breach of this Agreement by you, shall not constitute its consent thereto or waiver of Sourcefire's rights hereunder or under law. In the event your use of the VRT Certified Rul

Book Featured by Net Optics

This image is an excerpt from what appears to be a new marketing slick (.pdf) from Net Optics, a California company that makes excellent network taps. I profiled two of their products in my first book. I am working with them to evaluate a set of new products for my next book, with an eye towards internal monitoring. If all goes well I may speak to some of their users in May, at their Sunnyvale, California headquarters.

New Web Site Launched

Sometime during this afternoon, the new Web site was launched. It features a message from Marty that says "We will continue to dedicate our research, development and QA resources to ensuring that Snort remains the de facto standard in intrusion detection and prevention technology." I noticed the Web page titles also use the same "de facto" language. While I more or less agree with the IDS aspect, I believe Marty and crew are being pushed by market forces to adopt the IPS stance. This is a shame, as we all know an "IPS" is a layer 7 firewall that inverts the access control best practice of "allow some, deny everything else." (In other words, an IPS performs a "deny some, allow everything else" function.) I absolutely detest the IPS label and wish access control devices were simply identified as such, and not confused with audit devices (e.g., IDSs). The new site features a comprehensive FAQ that links to th
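To make the "allow some, deny everything else" versus "deny some, allow everything else" distinction concrete, here is an added example (mine, not code from the blog or from any product) that runs the same kind of rule list under both defaults. The networks, ports and flows are constructed for the demonstration; the one "known-bad" port is the 31337 backdoor port from the Snort rules quoted earlier on this page.

```python
"""Same rule list, opposite defaults: a firewall that allows some traffic and
denies the rest versus an "IPS" that denies some traffic and allows the rest.

Added example to make the post's point concrete; not code from the blog or
any product. Rule sets, flows and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One explicit exception to a policy's default verdict."""
    dst_net: str   # CIDR the rule covers
    proto: str
    dport: int

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.dport == self.dport
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net))


@dataclass(frozen=True)
class Policy:
    """A rule list plus the verdict for traffic no rule describes.

    A matched rule always yields the opposite of the default: for a
    default-deny firewall the rules enumerate the permitted services; for a
    default-allow IPS the rules enumerate the known-bad patterns to block.
    """
    name: str
    rules: tuple
    default: str   # "allow" or "deny"

    def decide(self, flow: Flow) -> str:
        for rule in self.rules:
            if rule.matches(flow):
                return "deny" if self.default == "allow" else "allow"
        return self.default


# Constructed environment: web servers live in 192.0.2.0/24 (documentation range).
FIREWALL = Policy("firewall (allow some, deny the rest)",
                  (Rule("192.0.2.0/24", "tcp", 80), Rule("192.0.2.0/24", "tcp", 443)),
                  default="deny")
# The only thing this IPS "knows" is the one backdoor port; anything it has no
# signature for passes untouched.
IPS = Policy("IPS (deny some, allow the rest)",
             (Rule("192.0.2.0/24", "tcp", 31337),),
             default="allow")

# Constructed flows: an expected service, a known-bad port, and a port no rule names.
FLOWS = (
    Flow("203.0.113.5", "192.0.2.10", "tcp", 443),
    Flow("203.0.113.5", "192.0.2.10", "tcp", 31337),
    Flow("203.0.113.5", "192.0.2.10", "tcp", 4444),
)


def compare(policies=(FIREWALL, IPS), flows=FLOWS) -> dict:
    """Map each flow's destination port to {policy name: verdict}."""
    return {f.dport: {p.name: p.decide(f) for p in policies} for f in flows}


if __name__ == "__main__":
    for dport, verdicts in compare().items():
        print(f"dport {dport:5d}: " + ", ".join(f"{n} -> {v}" for n, v in verdicts.items()))
```

The two policies agree on the expected service (443) and on the one known-bad port (31337); they split on port 4444, which no rule mentions: the firewall denies it because it was never permitted, the IPS allows it because it was never recognised. That unmatched case is where the inverted default matters.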

Review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed Posted

I just posted my five star review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed. From the review: "Last week I attended Todd Lammle's CCNA class, where I received a free copy of his 'CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed' (CCNADE4E). Todd's class was excellent, and his book is almost literally Todd in written form. There is hardly a wasted word in this book. If Todd mentions a detail concerning a protocol or a certain default value in a configuration parameter, it's important. If he calls out that same item in a 'Note', it's definitely important. This is not 'teaching to the test' -- it's ensuring students and readers are familiar with material Cisco considers relevant. Cisco started its certification program to ensure administrators could properly configure and deploy its gear. By reading CCNADE4E, you will gain that knowledge." I test Wednesday after

Use FTP Instead of TFTP to Transfer IOS Images

Michael Lucas' book Cisco Routers for the Desperate saved me this evening. I was trying to update the flash image on my Cisco 2950T-24 switch via TFTP, and had this problem (twice, actually):

gruden#copy tftp flash
Address or name of remote host []?
Source filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Destination filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Accessing tftp://
Loading c2950-i6k2l2q4-mz.121-22.EA3.bin from (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...edited...
!!!!!!!!!!!O!O!O!O!OO!OO!OO!OOOO
%Error reading tftp:// (Transfer aborted)

Luckily the switch was not hosed at this point. I still had my command prompt and normal functionality. For some reason TFTP kept failing. The image stored on the TFTP server appeared good, since its MD5 hash matched that provided by Cisco. What to do? I remember

Switch to Router-on-a-Stick Communication

In January I described how I configured my Cisco 2651XM router to pass traffic between two VLANs on my Cisco 2950T-24 switch. I never assigned an IP for management purposes to the switch, since I always reached it via console cable. Today I decided to try upgrading the switch IOS, but that required applying a management IP to the switch. My router had this configuration on the interface facing the switch:

interface FastEthernet0/1
 description Connection to gruden, Cisco switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address

I assumed that if I assigned a management IP to my switch with either a or address, the switch would be able to speak to the router. I assigned to the switch. Because switches do not receive IPs on individual ports, I applied the IP to VLAN 1:
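The reasoning above (a switch management address should land in one of the subnets the router's dot1Q subinterfaces serve, on a VLAN the router actually terminates) can be checked mechanically. The following is an added example, not the blog author's configuration or code: it parses a router-on-a-stick config laid out like the one above, with constructed addresses in the documentation ranges because the page does not show the real ones, and the helper names `parse_subinterfaces` and `svi_reachable` are mine.

```python
"""Map a router-on-a-stick config to (VLAN, subnet) pairs and check whether a
switch management SVI (VLAN + address) would be reachable from the router.

Added example, not the blog's configuration: the router config below mirrors
the post's FastEthernet0/1 layout with CONSTRUCTED addresses (192.0.2.0/24
and 198.51.100.0/24 are documentation ranges), and the helper names are mine.
"""
import ipaddress
import re

# Constructed sample: dot1Q subinterfaces for VLANs 10 and 20 on Fa0/1.
ROUTER_CONFIG = """\
interface FastEthernet0/1
 description Connection to gruden, Cisco switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
"""


def parse_subinterfaces(config: str) -> dict:
    """Return {vlan_id: IPv4Interface of the router} for every dot1Q subinterface."""
    result = {}
    vlan = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            vlan = None   # new interface stanza: forget the previous VLAN tag
            continue
        m = re.match(r"encapsulation dot1[Qq] (\d+)", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and vlan is not None:
            # ipaddress accepts a dotted netmask after the slash
            result[vlan] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def svi_reachable(config: str, svi_vlan: int, svi_addr: str):
    """Decide whether a switch SVI on svi_vlan with svi_addr can talk to the router.

    Both conditions must hold: the router terminates that VLAN on a dot1Q
    subinterface, and the SVI address lies in that subinterface's subnet
    (and is not the router's own address).
    Returns (ok, reason).
    """
    subifs = parse_subinterfaces(config)
    if svi_vlan not in subifs:
        return False, f"router has no dot1Q subinterface for VLAN {svi_vlan}"
    router_if = subifs[svi_vlan]
    addr = ipaddress.IPv4Address(svi_addr)
    if addr not in router_if.network:
        return False, f"{svi_addr} is outside VLAN {svi_vlan} subnet {router_if.network}"
    if addr == router_if.ip:
        return False, f"{svi_addr} collides with the router address on VLAN {svi_vlan}"
    return True, f"VLAN {svi_vlan}: {svi_addr} is on {router_if.network}, gateway {router_if.ip}"


if __name__ == "__main__":
    # Constructed candidates: the SVI on VLAN 1 (which the router does not
    # terminate) versus SVIs on the two tagged VLANs.
    for vlan, ip in ((1, "192.0.2.2"), (10, "192.0.2.2"), (10, "198.51.100.2"), (20, "198.51.100.2")):
        ok, why = svi_reachable(ROUTER_CONFIG, vlan, ip)
        print(f"{'OK ' if ok else 'BAD'} {why}")
```

The check that matters for the setup described above is the VLAN one: an address can sit in the right subnet and still be unreachable if the SVI carrying it is on a VLAN the router never sees on the trunk.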