TaoSecurity Blog

I refused to let April end without finishing and reviewing these two books kindly provided by Elsevier Press . The first was a disappointment. Amazon.com just posted my three star review of VoIP Security . From the review : "I decided to read VoIP Security because I thought it would describe VoIP protocols and ways to secure them. The table of contents looked very strong and the preface seemed to meet my goals: "For one to truly understand Internet telephony, the reader must have a solid understanding of digital voice, telephony, networking, Internet protocols, and, most important of all, how all of these technologies are put together." Unfortunately, the book is confusing at times and is not an improvement over earlier VoIP security books. So-called 'reviewers' who write that this book 'goes heavily into explaining the low level mechanics of VoIP' reveal they don't read the books they purport to review." Thankfully, I was very pleased to re

As I guessed recently , we should see FreeBSD 5.4 RELEASE arrive next week or very soon thereafter. Scott Long posted an update on the release status of 5.4 this morning. He says: "As you probably noticed, we are a bit behind on the 5.4 release. There was a major stability problem reported several weeks ago in a particlar high load, high profile environment, and we decided that it was in everyones best interest to get it resolved before the release. Well, thanks to the tireless efforts of Doug White and Stephen Uphoff and several others, the bug has been found, fixed, and verified. As soon as it and a few other fixes get merged in, we will start the RC4 build process and hopefully release it for testing late this weekend. After that, unless another show-stopper comes up, we expect to build and release 5.4-RELEASE next weekend." I hope to test 5.4-RC4 this week, assuming it arrives tomorrow. Thanks FreeBSD release team!

This afternoon I was researching a bot for a chapter in my latest book. I don't spend a lot of time on exploit sites because I am not a penetration tester by trade. I think the last time I really looked at exploits, sites like www.hack.co.za were still around! While searching for the bot in question, I happened to find SecurityForest.com , although the site was announced on BugTraq in March. SecurityForest.com is an impressive piece of work. The site is essentially a giant CVS archive of attack code, called the ExploitTree . They provide a Client Utility, which at least for UNIX, is an interface to a native CVS client. For Windows, they provide everything you need to access a CVS server. Here is how a session using the ExploitTree Client Utility appears under UNIX. ./ExploitTree.pl anonymous ExploitTree Client Utility Manager v0.6 ---------------------------------------- 1) Initialize (first time download) 2) Update Repository 3) Print Exploit Statistics q) Quit > 1 Pass

I find this note from a recent GovExec story valuable: "House Government Reform Chairman Tom Davis, R-Va., said Thursday [7 April] that agencies could have their budgets cut if their information technology security does not improve. With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding." This will never happen. Does Congress advocate cutting funds to poorly performing schools? Regardless of the merits of the approach, I can not see enough people supporting this tactic. Agencies will continue to "muddle through" until evidence of a massive intrusion becomes public. I hope that day never arrives, though.

You may have noticed the new banner at the top of the Blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago. In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided links. I am really looking forward to offering these classes, especially with the MD-DC-VA crowds in attendance. These are both day-long classes. If you register before 11 July, one day will cost $625 and two days will cost $1200 (for non-students). USENIX offers discounts if five or more people from the same organization attend. I plan to create a proposal for a network forensics class, and submit it along with my NSM and network

Two new books arrived at TaoSecurity world headquarters this week to be added to my reading queue. The first is Silence on the Wire by Michal Zalewski . This looks like a creative and unconventional look at digital security, although the book's subtitle is "A Field Guide to Passive Reconnaissance and Indirect Attacks." Michal was kind enough to email me to ask if I would review his book. You may recognize Michal for some of his work, like the P0f tool or his really cool TCP sequence number analysis . The second book is Python Cookbook, 2nd Ed by Alex Martelli, Anna Ravenscroft, and David Ascher. This new edition covers Python 2.3 and 2.4. I consider this book another piece of my Python education program, which I plan to start in the next month or so. This book is helpful because it presents over 300 problems, code solutions, and discussions of those problems. Assuming the code is good, Python programmers will not have to reinvent the wheel if a problem they f

This morning I was looking for security market research and I came across two useful resources. First, CSO Online provides an Analyst Report section with summaries of research by all of the big name firms. For example, you can read about Symantec Gains Added Vendor Neutrality with New IPS Support by Current Analysis or Deciphering the Dual Meaning of Compliance Monitoring by Forrester . These are not the full articles, but there is enough there to make for interesting reading. I also found some good press releases on security research from Infonetics Research . These include: Growing IP/MPLS Investments Planned as Carriers Transform Their Data Networks Service Providers Banking on Integrated Security Services Network Security Market Up 30% to $3.7B in 2004 Large Companies Lose 2%–16% of Annual Revenue to Network Downtime; Finance and Manufacturing Bleeding the Most ISS and Cisco Tie for Lead in IDS/IPS Market, Prevention Drives Market Growth The last article's chart is r

I filed my taxes a few weeks ago. Now I read in Techweb and Reuters that the Internal Revenue Service's security is horrible. According to Andy Sullivan of Reuters: "Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today. The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use , the Government Accountability Office found." Greg Keizer writes even more disturbing findings: "The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change 'sensitive taxpayer' data. Lack of other security controls and wide-open access privileges mean that the IRS might not

In October 2003 I reported on the Cyber Incident Detection & Data Analysis Center (CIDDAC), a collaboration of the University of Pennsylvania's Institute of Strategic Threat Analysis and Response (ISTAR) laboratory in Philadelphia, the Philadelphia InfraGard chapter, and Charles "Buck" Fleming, CEO of the apparently dormant AdminForce LLC . Details in 2003 were sparse, but I was skeptical that companies would agree to host "what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible — and eventually the world — and feed incident data to a centrally managed operations facility at the University of Pennsylvania at Philadelphia." Stories by Infoworld and Computerworld are shedding some light on the situation. First, it does not appear CIDDAC will watch company traffic. Instead, they are just deploying honeypots: "John Chesson, a special agent at the FBI in Philadelphia, said the RCADS are ess

I learned of four vulnerabilities in Tcpdump found by Vade79 by checking the latest exploits at Packet Storm . Linking to the exploits themselves, they are: xtcpdump-ldp-dos.c : Tcpdump 3.8.3 and below mishandles Multi-Protocol Label Switching (MPLS) Label Distribution Protocol (LDP) packets. The effect is a local denial of service to Tcpdump. No system needs to be listening to port 646 TCP for Tcpdump to be affected. If you run xtcpdump-ldp-dos, it looks like this to the attacker: ./xtcpdump-ldp-dos 192.168.1.1 nospoof [*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS. [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) [*] destination : 192.168.1.1 [*] amount : 5 [+] sending(packet = .): ..... [*] done. Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI without the -v switch: Unknown Message (0x7fff), length: 0, Message ID: 0xffffffff, Flags: [continue processing if unknown] Unknown Message (0x7fff), length: 0, Message ID:

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document. The PCI was publicized back in December when Visa released a memo (available in .pdf form here ) letting vendors know what was happening. The PCI standard consists of twelve requirements: Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks

I have a few news items from the Snort world. First, Snort 2.3.3 was released. This should not have any news rules, as it's not Snort 2.4.0 or Snort 3.0.0. Snort 2.3.3 does feature a so-called "mini-preprocessor" to watch for attacks exploiting Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021) . Code to allegedly test for the vulnerability is here , so you might want to try testing Snort 2.3.3 with it. Second, the Open Source Snort Rules Consortium ossrc-intro mailing list is operational. Currently the lead thread is asking for comments on the latest OSSRC Charter , dated 22 March 2005. This is the same document I previously examined .

In previous blog entries I've created GnuPG keys and decrypted a message encrypted with my public GnuPG key. In this entry I show how I respond with an encrypted email using Enigmail and how I encrypt a file using gpg at the command line. You'll remember Bob sent me an encrypted email. I decided to send Bob an encrypted email in return. The first task was to find his public key. I used the key search feature. You may remember Bob included pgp.mit.edu in his signature as a hint for where to look for his public key, so I pass that site as the keyserver. orr:/home/richard$ gpg --keyserver pgp.mit.edu --search-keys rgrabowsky_at_rasecurity_dot_com gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: searching for "rgrabowsky_at_rasecurity_dot_com" from hkp server pgp.mit.edu (1) Bob Grabowsky bob_at_infotech-nj_dot_com Bob Grabowsky robertg_at_InfoTech-NJ_dot_com Robert Grabowsky rgrabowsk

No sooner had I posted my last entry on creating a GnuPG key, a visitor sent me an encrypted email. My mail client is Thunderbird , and it promptly put a message from Robert Grabowsky into my Junk folder. Thunderbird suspected the message was spam! It looked like this. Certain fields have been edited to foil email address harvesting: Date: Sat, 23 Apr 2005 17:26:37 -0400 (EDT) From: Robert Grabowsky rgrabowsky_at_rasecurity_dot_com To: Richard Bejtlich richard_at_taosecurit_dot_com Subject: test of your key -----BEGIN PGP MESSAGE----- hQIOA+vNZOSLpEmREAf/XTL0KqQAnwOIkONZGgZMsyEFD00O7O8qzNRmv7A/IVwg o95VmxSoUXDIwNtQG1QpSbTY217k/HmUEKup0n2laON49SGKj1H76SwS0BVNG8Xj ...edited... ADc/eiJOmnZuhDhTYMJoqziAilKf9Y7ChHKKjtil2WTrnNL3qfwX5636Sb3sjFMg f1Q+WCHWMr9LOQG3JGmGfjNZe6iMzp+Wl5y7m/j+7HMwiVp+J2sHyx1pffnGtFgP =Xa7M -----END PGP MESSAGE----- To manually decrypt this message, I saved the message body into a file called msg.txt. Then I used gpg to decrypt it. orr:/home/richard$ gpg -d msg.t

I was recently asked to provide my GnuPG public key to facilitate sharing encrypted documents. I realized I needed to set up a public key with my richard at taosecurity dot com mailing address. Here's how I did it. First I installed the FreeBSD security/gnupg-devel package. Then I was ready to begin. I started by creating my key. Where necessary I've modified my email address in the listing below to spoil simple harvesting methods. orr:/home/richard$ gpg --gen-key gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: directory `/home/richard/.gnupg' created gpg: new configuration file `/home/richard/.gnupg/gpg.conf' created gpg: WARNING: options in `/home/richard/.gnupg/gpg

Joe Brockmeier published an interview with Dru Lavigne, chair of the BSD Certification Group . I'm a member of that organization and I will be present at the BSDCan 2005 BoFs to discuss BSD certification with any interested parties. Dru's interview provides additional background on our progress towards creating respected, valuable BSD certifications. Most importantly, today our Task Analysis Survey is publicly available. This is a Web-based questionnaire that we hope BSD users like you will complete. Our goal is to learn what BSD users and administrators consider to be the essential administration tasks for BSD systems. Please help us out by completing the survey no later than midnight GMT 22 May 2005. Thank you!

You may have followed my recent journey towards passing the CCNA exam. My instructor Todd Lammle just told me he will be teaching another CCNA class in Denver , from 13 to 17 June. This is a rare event as Todd runs the training company GlobalNet Training and stays very busy. Todd is the author of the best-selling CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed which helped immensely. I highly recommend attending this class if you want to pass your CCNA. If you decide to go, please email me at taosecurity at gmail dot com. I would like to hear what you think of the class.

Cross-platform Pf GuideWhile the official OpenBSD Pf guide is very good, I recommend those wishing to learn more about the Pf firewall check out Peter N. M. Hansteen's Firewalling with Pf guide. I like this document because it shows how to get Pf working on OpenBSD, FreeBSD, and NetBSD. Peter also covers the most common deployment scenarios and he addresses topics I consider important. Check it out if you're considering a Pf-based firewall solution.

I have some good FreeBSD news to report. FreeBSD 5.4-RC3 was announced Monday. Although the schedule still calls for a 26 April release date, I believe we will not see the RELEASE until the first week in May. According to the announcement: "Due to one major issue that crops up on large (4-processor) systems under heavy load that is still being debugged there will be at least one more RC added to the schedule. Timing for the extra RC and the new Release date have not been set yet." I am hoping that FreeBSD 5.4 will be the release that convinces 4.x users to upgrade. I have not had any problems running FreeBSD 5.3 since it arrived last November, but others are more cautious. There's an interesting freebsd-stable thread with several hints on updating systems. This post by Aristedes Maniatis recommends using the following command to preserve access to a system when you accidentally lock yourself out while modifying firewall rules. echo "ipfw add 1 pass all fr

This morning I was pleased to speak at the Pentagon on behalf of the Network Security Services-Pentagon section of the US Army Information Technology Agency. (I would like to provide a URL, but there's no point linking to sites that return "403.6 Forbidden: IP address rejected" errors!) Doug Steelman, pictured with me in the photo below, invited me to discuss network security monitoring at their Pentagon Security Forum. Last month Erik Birkholz and Steve Andres from Special Ops Security spoke on assessments. Next month Kevin Mandia of Red Cliff Consulting will discuss incident response. Doug and his colleague Mark Orlando were kind enough to take me on a tour of the building and share some of their approaches to detecting intrusions on the Pentagon's networks. While I will not outline specifics here, I will say I was impressed by the variety of network traffic the Pentagon collects. They are not a single-solution shop that can be beaten by evading one var

While teaching at USENIX last week, I discussed SPAN ports . I mentioned that copying traffic to the SPAN port was less important than moving packets through the switch. One of the students asked if measuring the utilization of the switch backplane would reveal how well the switch was performing the SPAN function. Another student said there was a Simple Network Management Protocol Management Information Base (SNMP MIB) from which backplane statistics could be retrieved. I decided to research this issue as it affects using switches to collect traffic for network security monitoring. (Incidentally, Talisker offers SPAN port configuration advice for all sorts of switches.) One answer appears in the Cisco document How to Get Catalyst Switch Backplane Utilization Using SNMP . This sounds promising until we read "the information in this document is valid for Cisco Catalyst switches that run Catalyst code only." Since modern Cisco switches run IOS, we seem out of luck. Tha

I saw that the Honeynet Project announced a new Scan of the Month last week. The evidence consists of Apache logs, Linux syslogs, Snort logs, and IPTables firewall logs. Here are examples. From the Apache access log: 210.116.59.164 - - [13/Mar/2005:04:05:47 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-" From the /var/log/messages syslog: Mar 13 22:50:53 combo sshd(pam_unix)[9356]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root From the Snort logs, apparently captured via syslog: Feb 25 12:21:33 bastion snort: [1:483:5] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 70.81.243.88 -> 11.11.79.100 Finally, from the IPTables logs: Feb 25 12:11:24 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=17159 DF PROTO=TCP SPT=1629 DPT=1

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank . The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitoring.

I just learned of a new article, Web Browser Forensics, Part 1 by Keith J. Jones and Rohyt Belani of Red Cliff Consulting . This is part one of two articles, and it features a variety of methods to learn about a user's Web browsing history. Any time digital forensics appears in the news, it is often based on discovering a person's Web browsing activites. The Chandra Levy case is the canonical example.

In my USENIX talk I show how to collect wireless traffic using Tcpdump . In my slides I use a verbose method that only shows a few packets. In the following I'd like to show a variety of traffic available using Tcpdump. First I tell my wireless card to go into monitor mode and watch channel 1. Then I ask Tcpdump to show me the media types it understands. orr:/root# ifconfig wi0 mediaopt monitor channel 1 up orr:/root# tcpdump -i wi0 -L Data link types (use option -y to set): EN10MB (Ethernet) IEEE802_11 (802.11) IEEE802_11_RADIO (802.11 plus BSD radio information header) Now that I see the media types, I select the second option and begin capturing traffic. orr:/root# tcpdump -n -i wi0 -y IEEE802_11 tcpdump: data link type IEEE802_11 tcpdump: WARNING: wi0: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wi0, link-type IEEE802_11 (802.11), capture size 96 bytes First we see a beacon with the conference wireles

Tomorrow morning I teach Network Security Monitoring with Open Source Tools at USENIX 05 . I've been taking another look at the tools I will be presenting tomorrow to ensure I'm up-to-date on their latest versions and features. One of the tools I talk about is IPCAD , the IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD in an incident response scenario several years ago, before I learned of Carter Bullard's Argus . The version available in the FreeBSD ports tree ( net-mgmt/ipcad ) requires more entries in the ipcad.conf file than what I present in my book and slides. Here is the ipcad.conf file I created after I installed IPCAD using the FreeBSD port. capture-ports disable; interface wi0; rsh enable at 127.0.0.1; rsh root@127.0.0.1 admin; d