TaoSecurity Blog

There's plenty of activity in FreeBSD -land these days. Colin Percival has become the new FreeBSD Security Officer . FreeBSD 6.0-BETA3 is available, and we might see 6.0-RELEASE by late September. I just learned of a new FreeBSD LiveCD by Matt Olander called BSDLive , which fits on a business card CD ( media sleeve available). This is a great advocacy item. I booted the .iso in VMWare and saw it runs FreeBSD 5.4-RELEASE-p6. It boots into X.org 6.8.2. I will be glad when the results of the logo contest are announced! One cannot talk about FreeBSD LiveCDs without mentioning FreeSBIE . Unfortunately, the last official release happened in December. Sguil 0.5.3 is only one day younger! However, a look at the FreeSBIE mailing list shows that Dario Freni is busy working on integrating FreeSBIE into the main FreeBSD source tree. I do not think we will see this in 6.0, but perhaps 6-STABLE will have it shortly after 6.0. Frenzy is an alternative FreeBSD LiveCD that I h

Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna 's team. One of the contestants, Vika Felmetsger , was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner. Richard (R): What is your experience with security, and what are your interests? Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB , where I work as a research assistant in the Reliable Software Group (RSG). Everybody in the group works on various computer security areas and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area. As an undergraduate student at UCSB I learned some security basics, however, my real introduction to practical security, and hacking in particul

Earlier this month I announced work on OpenPacket.org , a free site providing quality network traffic traces to researchers, analysts, and other members of the digital security community. We are looking for help in two areas: Open source content management systems (CMS) experience: We believe we will use a CMS to accept, moderate, and present traffic captures to users. We need help planning and deploying a CMS that will meet our needs. Open source database experience: We will use an open source database like MySQL or PostgreSQL, as compatible with the CMS we choose. We need help planning and deploying a database schema, and we will need guidance on configuring the database properly. Most of the OpenPacket.org crew has database experience as it relates to supporting intrusion detection sensors, but storing and retrieving the sorts of data we have in mind is probably outside our daily routine. We have ideas for additional OpenPacket.org functionality, but providing ways to accept,

How do you use taps? Specifically, do any of you use Net Optics taps? If yes, I would like to speak with you through email. I'm interested in your thoughts on any of these subjects: How did you justify buying these products? Did you encounter any installation issues? How are you using taps? What alternatives did you consider? Did taps help you learn more about any intrusions, or help you prevent or mitigate intrusions? I appreciate any feedback you might have. Please email richard at taosecurity dot com. Thank you.

I will be speaking at the next Net Optics Think Tank at the Hilton Santa Clara in Santa Clara, CA on 21 September 2005. I will discuss network forensics, with a preview of material in my next two books , Real Digital Forensics and Extrusion Detection: Security Monitoring for Internal Intrusions . I had a good time speaking at the last Think Tank , where I met several blog readers.

In an environment where too many people think that flaws in SSH or IIS are "threats," (they're vulnerabilities ), it's cool to read a story about real threats. Nathan Thornbourgh's story in Time, The Invasion Of The Chinese Cyberspies (And the Man Who Tried to Stop Them) , examines Titan Rain , a so-called "cyberespionage ring" first mentioned by Bradley Graham in last week's Washington Post . The Time story centers on Shawn Carpenter, an ex-Navy and now ex- Sandia National Laboratories security analyst. The story says: "As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman—the apt nickname his military-intelligence handlers gave him—tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their ch

Prior to attending the IAM class this week, I spent two days teaching security analysts from the Pentagon with instructors from Special Ops Security . (The class was four days, but I was only present for the first two.) I think we offered some unique perspectives on security. Steve Andres, author of Security Sage's Guide to Hardening the Network Infrastructure spoke about hardening network infrastructure on day one. I taught network security monitoring on day two, with hands-on labs. Erik Birkholz, author of Special Ops: Host and Network Security for Microsoft, Unix, and Oracle taught methods to attack Windows systems on day three. Concluding with day four, SQL Server Security author Chip Andrews taught Web application security. In addition to getting a copy of Erik's book, class attendees also received individually numbered challenge coins. This was Steve's idea. A challenge coin is usually a unit-specific coin that military members should carry at all time

Today I finished the NSA INFOSEC Assessment Methodology (IAM) class taught by two great instructors from EDS and hosted in the beautiful Nortel PEC building in Fairfax, VA. I attended because the rate offered by EDS through my local ISSA-NoVA chapter was an incredible bargain. I did not realize prior to the class that NSA posts the exact slides used to teach the course online . The course was much more applicable to my line of work than I realized. I've decided to apply the methodology to the assessments I perform on customer network security monitoring / intrusion detection / prevention operations. Rather than use my own methodology, I plan to use the IAM system to perform hands-off assessments of the operations customers conduct to detect intrusions. I will be performing one of these assessments in the near future, so I look forward to applying lessons from IAM to this consulting work. I am scheduled to attend the two-day INFOSEC Evaluation Methodology (IEM) class nex

Today I saw a new comment on my criticism of the ISC2's attempt to survey members on "key input into the content of the CISSP® examination." Several of you have asked what I would recommend the Certified Information Systems Security Professional (CISSP) exam should cover. I have a very simple answer: NIST SP 800-27, Rev. A (.pdf). This document, titled Engineering Principles for Information Technology Security (A Baseline for Achieving Security) , is almost exactly what a so-called "security professional" should know. The document presents 33 "IT Security Principles," divided into 6 categories. These principles represent sound security theories. For future reference and to facilitate discussion, here are those 33 principles. Security Foundation Principle 1. Establish a sound security policy as the “foundation” for design Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and

During the Mike Lynn affair I found Brian Krebs' reporting to be invaluable. Now he has provided an excellent story on the arrest of the Zotob and Mytob worm authors. I recommend you read the story linked from Brian's blog . Highlights include: "Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft... The author of the original Blaster worm remains at large, and Microsoft has offered a $250,000 bounty for information leading the arrest and conviction of that person... [E]vidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain... [T]he two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring. [P]olice who raided Essebar's home found a computer that contained the original programming instructions for the first version of the Zotob worm." I am glad to see action against a diff

Yesterday the BSD Certification Group published the Certification Roadmap (.pdf). I realize I have been beaten by Slashdot on this story, but I have been either teaching or in training all week! (More on that when I have time -- I return to class tomorrow.) From the press release : "The BSD Certification Group has decided that the associate level certification, followed by the professional level certification, will be rolled out in 2006. The associate certification targets those with light to moderate skills in system administration and maps to the Junior SAGE Job Description . The professional level certification is for those with stronger skills in BSD system usage and administration and maps to the Intermediate/Advanced SAGE Job Description ." Having participated in the internal voting process for this certification, I am pleased to see a two-cert approach. We will start with the junior cert; "the test activation goal for the associate level certification is Apr

This evening I watched a story on BBC News about the problem of bird flu . Here is the story broken down in proper risk assessment language. Two assets are at risk: human health and bird health. We'll concentrate on birds in this analysis. Healthy birds are the asset we wish to protect. The threat is wild migratory birds infected by bird flu. The threat uses an exploit , namely bird flu itself. The vulnerability possessed by the asset and exploited by the threat is lack of immunity to bird flu. A countermeasure to reduce the asset's exposure to the threat is keeping protected birds indoors, away from their wild counterparts. The risk is infection of domesticated birds by wild birds. All infected birds must be killed. The TV story I watched contained this quote by reported Tom Heap: "The lesson learned from foot-and-mouth [disease, which ravaged Europe several years ago] is to do your best to keep the disease out , but assume that will fail . Be ready to tackle an

I found Ryan Naraine's article From Melissa to Zotob to be a good summary of popular worms of the last few years. I remember Melissa as a real wake-up call for the community. It hit on a Friday night, and the following Saturday morning my (soon-to-be) wife and I were getting engagement photos taken. My commanding officer called during the photo session and said all officers were being recalled to the AFCERT to "fight" the worm. That was an interesting weekend! A comment in the latest SANS NewsBites by editor Rohit Dhamankar on Zotob makes a good point: "The time from vulnerability announcement to release of [the Zotob] worm was one of the shortest seen in recent times. Patch announced August 9th (Tuesday); exploit code posted publicly August 11th (Thursday); worm started to hit on August 13th (Saturday). Because [these] worms spread over 139/tcp or 445/tcp, [these] ports that cannot be firewalled without breaking some functionality in Windows environment. That

Are you a member of ISSA-NoVA ? Would you like to attend my public Network Security Operations class next month, at Nortel PEC in Fairfax, VA from Tuesday 27 September through Friday 30 September? If so, I'm offering a one-time discount for you. ISSA-NoVA members who sign up and pay for the class no later than Friday 16 September can attend the class for $1995 -- a $1000 discount. Contact me at richard at taosecurity dot com if you're interested, and visit my training page for more details on this 4-day, hands-on, technical class.

I previously announced my four day Network Security Operations class. I have planned some of the labs for the class, but I thought you might have ideas regarding the sorts of hands-on activities you would want to try. The class consists of four days, covering network security monitoring, network incident response, and network forensics. Days one, two, and three each offer small labs at regular intervals to reinforce the lecture material. Day four is entirely lab-based. One of my goals is to give each student his or her own environment for analysis. I am considering a mix of real, jailed , and virtual environments. The activities students want to try will drive how I implement the student work environment. For example, using my GSX server I believe I can support 16 simultaneous VMs. A single FreeBSD install might be able to support many more jails on its own. Real hardware could be problematic, but I might be able to use Soekris systems. VMs are attractive because they off

According to this Air Force Times story, personnel data for "about 33,300 officers and 19 airmen" was remotely accessed. The records include "Social Security numbers... marital status, number of dependents, date of birth, race/ethnic origin (if declared), civilian educational degrees and major areas of study, school and year of graduation, and duty information for overseas assignments or for routinely sensitive units." The story quotes an Air Force spokesman: "'Basically, we had an unauthorized user gain access to a single user account by stealing a password,' said Lt. Col. John Clarke, chief of the Systems Operations Division at the Air Force Personnel Center. 'Then they went in and accessed member information on roughly 33,000 military members.'" I would like to know how a "single user account" was able to query records on 33,000 people. If this account belonged to a normal user (i.e., an Air Force member), some serious prob

This morning I worked with several remote administration tools on my Windows Server 2003 system. First I enabled the native Remote Desktop (aka Terminal Services) capability via My Computer -> Properties -> Remote At this point I am only letting administrator connect remotely. Since administrator can connect remotely by default once the service is activated, I didn't need to make any other changes. Once Remote Desktop is listening, it will appear active on port 3389 TCP. To access the Windows server remotely from Unix using the RDP protocol, I use Rdesktop . It's available in the FreeBSD ports tree as net/rdesktop . I like the option to change screen geometry, e.g., 'rdesktop -g 80% 192.168.2.2'. To access the RDP server from my Windows 2000 laptop, I installed the MSRDPCLI.EXE package. Next I tried RealVNC . This program has client and server components. I installed the entire package on the Windows server. Setup is fairly simple, and the server sh

If you're near New York city, you might want to check out NYCBSDCon on 17 September 2005. The New York City BSD User Group is organizing the one-day event. Speakers on the agenda include Dru Lavigne, Michael Lucas, and Marshall Kirk McKusick. I believe I will attend since the drive from DC isn't too bad.

I was asked to comment on Paul Proctor 's new article in the August 2005 Information Security magzine, titled A Safe Bet? . Paul is an analyst at Gartner now, but years ago he wrote an excellent book -- The Practical Intrusion Detection Handbook , which I reviewed five years ago. Paul's article introduces network anomaly detection systems, shorted by the wonderful acronym NADS. Paul describes NADS thus: "NADS are designed to analyze network traffic with data gathered from protocols like Cisco Systems's NetFlow, Juniper's cFlow or sources that support the sFlow standard. Data is correlated directly from packet analysis; and the systems use a combination of anomaly and signature detection to alert network and security managers of suspicious activity, and present a picture of network activity for analysis and response." I find Paul's opinions to be sound: "Despite vendor claims to the contrary, NAD is primarily an investigative technology. While it

If you haven't read How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won , you're in for a treat. I stumbled across this today, and remembered reading it several months ago. I realized I never blogged the story. The technician at the heart of the story is Barrett Lyon , who began the Opte Project . His company Prolexic takes an innovative approach to surviving DDoS attacks. He seems to redirect traffic aimed at his clients, filters attack traffic, and then sends it to the intended recipients. I imagine he employs some creative routing to do it. If Barrett notices this blog entry by the graphic at left I'm pulling from his site, maybe he'll share a few comments with us?

The 10 August 2005 issue of the SANS NewsBites newsletter featured this comment by John Pescatore: "There has [sic] been a flood of universities acknowledging data compromises and .edu domains are one of the largest sources of computers compromised with malicious software. While the amount of attention universities pay to security has been rising in the past few years, it has mostly been to react to potential lawsuits do [sic] to illegal file sharing and the like - universities need to pay way more attention to how their own sys admins manage their own servers." I agree with John's assessment, except for the last phrase that implies university sys admins "need to pay way more attention" to security. From my own view of the world, a lot of university system administrators read TaoSecurity Blog, attend my classes (especially USENIX ), and read my books . I believe the fault lies with professors and university management who generally do not care about securit

I managed to install Windows Server 2003, Enterprise x64 Edition (64-bit) trial on my Shuttle SB81P . The only component that wasn't recognized natively was the BCM5751 NetXtreme Gigabit Ethernet Controller for Desktops . I used the Windows Server 2003 (AMD x86-64) driver to get the NIC working. I'm lucky my FreeBSD dmesg output recognized this NIC accurately: bge0: mem 0xd0000000-0xd000ffff irq 16 at device 0.0 on pci1 miibus0: on bge0 brgphy0: on miibus0 brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto bge0: Ethernet address: 00:30:1b:b6:96:75 The first time I booted Windows, I saw this message: This was an interesting take on the idea of host-centric security. Microsoft could have started with no listening services, and let an administrator decide what to enable. Instead, Microsoft starts services by default, but blocks remote access to them until they are patched. This is a step in the right direction, but I am not happy

I bought a new Shuttle SB81P to use as a VMWare GSX server in my Network Security Operations class . I bought the system to provide VMWare images which students could independently manipulate. This will make the class more hands-on without requiring much investment on the student's part. All I will ask is that the student brings a laptop with a Secure Shell client. If the student wants to directly interact with the VM, he or she can install the VMWare Virtual Console for Windows or Linux on a laptop. I cannot use FreeBSD to host GSX Server. I intend to try the Windows Server 2003, Enterprise x64 Edition (64-bit) trial version . If it works as promised I will buy the Standard Edition from a vendor like NewEgg.com . Here are the Shuttle specifications: Shuttle SB81P Intel Socket T(LGA775) Intel Pentium 4/Celeron INTEL 915G Barebone from NewEgg.com Intel Pentium 4 640 Prescott 800MHz FSB 2MB L2 Cache LGA 775 EM64T Processor from NewEgg.com 2x1GB 184-pin DIMM DDR PC3200 RAM Cr

Mirko Zorz of Help Net Security emailed to tell me that Issue 3 (.pdf) of (IN)SECURE Magazine is available for download. The new issue has a few kind words about my first book and this blog. The new issue also features an interview with Michal Zalewski , a discussion of so-called Unified Threat Management (UTM) "solutions" (groan), and other helpful articles.

While reading the blog of Keith Jones I learned of a variety of new draft NIST pubs that are open for comment from the general public. You may want to review one or more to provide feedback. I found the following drafts interesting (all are .pdf): 800-40 Version 2 , Creating a Patch and Vulnerability Management Program 800-86 , Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response (which mentions my first book -- thanks) 800-83 , Guide to Malware Incident Prevention and Handling 800-81 , Secure Domain Name System (DNS) Deployment Guide Check their Web site for comment deadlines.

I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way: "NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard." There's a link to a workload index , whose URL includes the term "threatindex" (groan). On that page we read: "Workload Index Information This index calculates the number of important vulnerabilities that information technology security operations staff are required to address each day. The higher the number, the greater the workload and the greater the general threat represented by the vulnerabilities." I think the last sentence should instead read: "The higher the number, the greater the workload and the greater the general risk represented by the vuln

One of the cooler sections in Extreme Exploits covers ways to learn about a target network by looking at routes to those networks. I showed a few ways to use this data two years ago , but here's a more recent example. Let's say I want to find out more about the organization hosting the Extreme Exploits Web site. First I resolve the hostname to an IP address. host www.extremeexploits.com www.extremeexploits.com has address 69.16.147.21 Now I use whois to locate the owner's netblock. whois 69.16.147.21 Puregig, Inc. PUREGIG1 (NET-69-16-128-0-1) 69.16.128.0 - 69.16.191.255 VOSTROM Holdings, Inc. PUREGIG1-VOSTROM1 (NET-69-16-147-0-1) 69.16.147.0 - 69.16.147.255 # ARIN WHOIS database, last updated 2005-08-14 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. Now I telnet to a route server and make queries about this netblock. route-server.phx1>sh ip bgp 69.16.147.0 BGP routing t

Amazon.com just posted my four star review of Extreme Exploits Advanced Defenses Against Hardcore Hacks . From the review : "I read Extreme Exploits because the content looked intriguing and I am familiar with applications written by lead author Victor Oppleman. The back cover states the book is "packed with never-before-published advanced security techniques," but I disagree with that assessment. While I found all of the content helpful, between 1/3 and 1/2 of it is probably available in older books -- including several by publisher McGraw-Hill/Osborne . Nevertheless, I find the strength of the network infrastructure security sections powerful enough to recommend Extreme Exploits ." This is a cool book, but it is clear the publisher is trying to position it with a catchy title that doesn't necessarily reflect the contents. The book is mostly defensive in nature, but it does show ways to gather information that are used by more sophisticated intruders. You

I detest having to upgrade core FreeBSD packages like Perl that are relied upon by so many other applications. All of my systems are old and dog slow, so I tend to install software on FreeBSD using its native package system. For example, before installing a package, I set this environment variable: setenv PACKAGESITE ftp://ftp6.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/Latest/ Replace '6' with the number of the mirror closest to you. That command tells pkg_add to not use the default RELEASE packages, but to look for the latest STABLE package. Those packages are built by the FreeBSD ports cluster and are kept fairly current. The problem with such a system is that the packages may get ahead of my upgrade plans. For example, if my system is running Perl 5.8.6_2 and the ports cluster is building packages that look for Perl 5.8.7, I will eventually run into trouble. That happened this weekend. I installed security/metasploit , which was built as a package for Perl 5

The SANS ISC is reporting that a worm which exploits the Plug and Play (PnP) vulnerability described by MS05-039 is in the wild. The F-Secure Blog reports the worm is called Zotob . The Microsoft bulletin lists three mitigating factors: On Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions. On Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. Firewall best practices [e.g., blocking SMB ports] and standard default firewall configurations can help

Today I was chatting in the #snort-gui channel on irc.freenode.net, and someone (who shall rename anonymous) mentioned that his ISP provides Ethernet connectivity. This surprised me because my previous employer had DS3 circuits as one might see in the image below. Tapping a DS3 connection requires specialized gear (as shown in the DS3 tap , but access to Ethernet is more readily available. How many of you have Ethernet connectivity to your ISP? The reason I ask is that many monitoring deployments place the wire access device (e.g., a tap) between the border router and your firewall. If you have Ethernet to your ISP, you could place the tap in front of your border router. This scenario would provide visibility to traffic addressed to the Internet-facing interface of your border router. You could monitor for attacks against the router without having to tap a T1 or DS3 connection.

David Bianco of Vorant Network Security posted his LinuxWorld presentation Open Source Network Security Monitoring With Sguil ( .pdf ). David provides a great overview of Sguil, how to use it, and its benefits. On the Sguil improvement front, lead developer Bamm Visscher has moved his family to Colorado and will settle in his new house next week. Expect to see Sguil 0.6.0 later this summer as Bamm's new work environment settles down.

This is not a Microsoft issue, but I learned of it through a Microsoft Security Newsletter feature called 802.1X on Wired Networks Considered Harmful by Steve Riley . He claims to have written about this subject in his book Protect Your Windows Network: From Perimeter to Data , but he believes the issue merits greater attention. Cutting past the introduction to 802.1X, Steve writes: "[T]here’s a fundamental flaw in wired, 802.1X that seriously reduces its effectiveness at keeping out rogue machines... [I]t authenticates only at the establishment of a connection. Once a supplicant authenticates and the switch port opens, further communications between the supplicant and the switch aren’t authenticated. This creates a situation in which it’s possible for an attacker to join the network. (Thanks to Svyatoslav Pidgorny , Microsoft MVP for security, for showing me this vulnerability.) Setting up the attack does require physical access to the network. An attacker needs to disconnect