TaoSecurity Blog

Today and tomorrow (1 October) are the last days to register for ShmooCon 2006 for $75. The conference will be held in Washington, DC on 13-15 January 2006 . Starting 2 October the price doubles to $150. This is a very innovative conference that you simply cannot beat for the price. I will attend.

Dru Lavigne wrote an excellent article called Using FreeBSD's ACLs . She describes how to use File System Access Control Lists in a reader-friendly manner, complete with screen shots of the Eiciel GUI tool (in the ports tree ). Great work Dru!

This morning I briefed a client on the results of a Network Security Monitoring Assessment I performed for them. I model my NSM Assessment on the NSA-IAM , which uses interviews, observation, and documentation review to assess security postures. My NSM Assessment uses the same techniques to identify problems and provide recommendations for improving intrusion detection and NSM operations. During one of the briefings the top manager asked for my opinion on using open source security tools. He wanted to know the guidelines I use to determine if an open source tool is appropriate for use in the enterprise. I told him I am more likely to trust open source products that are developed by companies with whom I have a relationship of some sort (like Snort and Sourcefire , Nessus and Tenable , or Argus and Qosient ). I was wondering what sorts of suggestions you might have governing open source security tools. The intent of the manager's question was to assess how I end up "trusting...

Federico Biancuzzi conducted an excellent interview with Greg Hoglund and Jamie Butler, authors of Rootkits: Subverting the Windows Kernel . I reviewed this book during publication for Addison-Wesley, but I don't plan to read it for personal education until I get deep into the programming part of my reading list . This is the sort of book that looks K-RAD on your bookshelf, telling those passing your cube that you've got m@d 31337 sk1llz. Doing something useful with the contents take some real mastery of Windows programming, especially device driver development and thorough knowledge of material in Microsoft® Windows® Internals, Fourth Edition . The interview reminded me that network security monitoring is needed now more than ever. It is easy for host-centric security types to concentrate on defending the desktop. In reality the battle for the desktop PC has been lost. When intruders can completely control all aspects of a running system, there is almost no where else f...

I read in the story Network appliance to get highest-ever security rating by Michael Arnone about the EAL7 Evaluation Assurance Rating achieved by the Tenix Datagate . An EAL7 system bears these qualities: "Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised." My last post mentioned an introductory article on the Common Criteria , and I found an exceptional quote in that piece about EALs. Write Alex Ragen says: "EAL is the level of confidence achieved by the TOE [Target of Evaluation, a product], and is a function of the SARs [Security Assurance Requirements] with which the TOE complies... EALs refer to the level of confidence in the conclusions of the evaluation, and not to th...

I received the September issue of the ISSA Journal . It contains several useful articles, with the most helpful to me being a humanly readable summary of the Common Criteria by Alex Ragen . I don't think Mr. Ragen clearly states who needs to purchase Common Criteria-validated products however. His article's first sentence states: "On July 1, 2002, the US Department of Defense began to enforce National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11 (issued in January 2000), which mandates that US government agencies purchase only those IT security products which have been validated in accordance with Common Criteria and/or FIPS 140-1 or FIPS 140-2 as appropriate." He also says: "As mentioned earlier, US government agencies now require Common Criteria certification." This is not true. According to the Committee on National Security Systems FAQ : "The policy mandates, effective 1 July 2002, that departments and agen...

On a flight from San Franciso to Washington Dulles I managed to read the latest State of Spyware report from Webroot Software . I'm not sure how I got the heavy printed version. Maybe it was sent courtesy of Richard Stiennon , who is Vice President of Threat Research. (That's an interesting title.) I thought the report was useful. It provides a broad look at spyware, and specifics on several examples. It contains an excellent section on spyware-related legislation. The report provides plenty of background for management who need justification to spend money on spyware defenses. I even bought into the idea that automated spyware defenses are required. >On a related note, the Symantec Internet Security Threat Report Volume VIII is available for download. I have not read this one yet. It is a huge .pdf though. I believe a report like that complements material from organizations like Webroot. Symantec takes a broader look at Internet threats. It also examines vul...

This article describes the Common Malware Enumeration project. CME is a sister project to Mitre's Common Vulnerabilities and Exposures (CVE) initiative. CME will "assign unique identifiers to high priority malware events." This is a great idea, because anti-virus vendors, security researchers, and OS/application vendors will be able to refer to a common name rather than their internal representations for malware. DHS is funding the CME project.

Yesterday I spoke at the third Net Optics Think Tank in Santa Clara, CA. During the event one of the Net Optics product managers asked me about measuring bandwidth utilization on switch ports. I did not have an answer for him... until I took a look at the latest Packet magazine. The Q305 (.pdf) edition features a tip from Aurelio DeSimone on p. 13 mentioning the show controllers utilization command. If anyone knows of a similar set of information via SNMP, please let me know via a comment here. Here is sample output: Switch> show controllers utilization Port Receive Utilization Transmit Utilization Fa0/1 0 0 Fa0/2 0 0 ...truncated... Total Ports : 12 Switch Receive Bandwidth Percentage Utilization : 0 Switch Transmit Bandwidth Percentage Utilization : 0 Switch Fabric Percentage Utilization : 0 This is just the sort of data I would like to see for SPAN ports. You can specify the SPAN port in your syntax ...

Newsflash: compiling Snort on Windows is not the chore some people believe it to be. After reading my flailing attempt to use a beta Visual Studio to compile Snort 2.4.1 from source on my Windows 2000 laptop, John Ward stepped in and got the job done. John's a professionall programmer, but anyone who uses his approach will have the same results. Thanks for stepping up to the plate!

Thanks to this SC Magazine story, I learned that Citadel Security Software is offering a performance warranty on their Hercules vulnerability management product. They say: "The Hercules SecurePlus warranty guarantees the product’s performance against Citadel’s published service level objectives to deliver timely, accurate and effective vulnerability remedies for known exploits. Citadel’s service level objectives are the expected delivery times for the vulnerability remedies and associated security content produced by Citadel’s internal security team, the Remediation Security Group... In the event of an information asset loss due to a successful compromise of a computer system where a remedy is available for the known exploit, you can receive reimbursement up to the amount of Hercules contract. Citadel offers Hercules SecurePlus in collaboration with AIG, a pioneering leader in the cyber security insurance market. This ground-breaking warranty is available at no cost to Citade...

FreeBSD 6.0-BETA5 is available in the pub/FreeBSD/ISO-IMAGES-i386/6.0/ directory of some FreeBSD mirror FTP sites. I found it at the master site, but I expect to see it replicated elsewhere soon. I believe this will be the last BETA before RCs (perhaps RC1, RC2, and RC3) are produced. The release engineering team is putting a lot of work into this release. I can't wait to deploy it in production. I see 6.0 as more of a continuation of 5.x, and not a brand-new OS as happened with 4.x to 5.x.

Yesterday's Security Fix post mentions work by Sean Gorman to map American critical infrastructure. Sean wrote a book titled Networks, Security And Complexity: The Role of Public Policy in Critical Infrastructure Protection based on his studies. I don't plan to buy this book since I cannot justify spending $75 on an academic text, but it does look interesting!

Many of you have undoubtedly read the snort-users thread where some people complain about not having Snort in compiled form as soon as Sourcefire releases Snort in source code form. Sourcefire released Snort 2.4.1, a vulnerability bug fix, on Friday. They only released an updated snort-2.4.1.tar.gz archive. There were no Linux RPMs or Win32 installation packages. I decided to learn what was involved with compiling Snort on Windows. Right now I will say I did not finish the job. I am not a Windows programmer. I do not use Windows as a software development platform. Today was the first day I used the tools I describe below. The purpose of this post is to demonstrate that compiling Snort on Windows is not rocket science. First, notice the snort-2.4.1.tar.gz archive has a src\win32 directory with these contents: Makefile.in WIN32-Code WIN32-Includes WIN32-Prj WIN32-Libraries Makefile.am This looks promising. Let's see the contents of the WIN32-Prj directory. snort_installer....

Thanks to Simon Howard for pointing me toward a new article by Mati Aharoni and William M. Hidalgo titled Cisco SNMP configuration attack with a GRE tunnel . The article shows the dangers of not denying packets from the Internet using spoofed internal addresses. The article builds on Mark Wolfgang's Exploiting Cisco Routers: Part 1 , where an intruder uses an SNMP SET command to retrieve a router configuration file via TFTP. As Simon wrote in his email to me: "Applying an inbound ACL on the Ethernet0/0 interface denying any traffic from the 192.168.1.0 network would resolve this issue [in the article]." On a related note, I am looking forward to the second edition of Essential SNMP , pictured at left.

I watched an episode of Modern Marvels on the History Channel this afternoon. It was Engineering Disasters 11 , one in a series of videos on engineering failures. A few thoughts came to mind while watching the show. I will provide commentary on each topic addressed by the episode. First discussed was the 1944 Cleveland liquified natural gas (LNG) fire. Engineers built a new LNG tank out of material that failed when exposed to cold, torching nearby homes and businesses when ignited. 128 people died. Engineers were not aware of the metal's failure properties, and absolutely no defensive measures were in place around the tank to protect civilian infrastructure. This disaster revealed the need to (1) implement plans and defenses to contain catastrophe, (2) monitor to detect problems and warn potential victims, and (3) thoroughly test designs against possible environmental conditions prior to implementation. These days LNG tanks are surrounded by berms capable of containing a...

Several weeks ago I was looked for a way to provide my desk laptop with 802.11g connectivity. Sometimes I operate two or three systems on my desk. I thought it might be helpful to purchase an 802.11g wireless bridge. Using the bridge, I could connect those multiple systems via Ethernet to the bridge, and have the bridge speak 802.11g to my Linksys wireless access point. I had not had good experiences with 802.11b Linksys WET11 bridges, so I turned to NetGear . I noticed they sold the WGE111 54 Mbps Wireless Game Adapter pictured upper left. I thought, "I can buy that, connect it to a hub, and then connect wired systems to the hub." With a price around $50 after rebate this seemed like a great deal, especially compared to the NetGear WGE101 , for $80 or more, pictured upper right. A competing product from Linksys, the WET54G costs about $120. (I do like the WET54GS5 that has a five port switch built into it, but that costs about $150.) It turns out that the WGE11...

I've written about government and IPv6 before . The article OMB: No new money for IPv6 by David Perera includes the following: "Federal agencies have all the money they need to make a mandatory transition to the next generation of IP, a top Office of Management and Budget official said today. 'The good news, you have all the money you need. [IP Version 6] is a technology refresh' said Glenn Schlarman, information policy branch chief in OMB's Office of Information and Regulatory Affairs . Schlarman spoke at a Potomac Forum event on IPv6. 'You have to adapt, reallocate,' he added." Moving from IPv4 to IPv6 is like transitioning from horse-drawn buggies to internal combustion engine-driven automobiles. Both carry passengers but the complexities, opportunities, and risks associated with cars make the upgrade far more than a "technology refresh." The biggest single problem with IPv6 is network administrators are not familiar with it. 24 year...

Last night I attended a talk at my local ISSA chapter. The speaker was Joe Jarzombek, Director for Software Assurance for the National Cyber Security Division of the Department of Homeland Security . Mr Jarzombek began his talk by pointing out the proposed DHS reorganization creates an Assistant Secretary for Cyber Security and Telecommunications working for the Under Secretary for Preparedness . This is supposed to be an improvement over the previous job held by Amit Yoran , where he lead the National Cyber Security Division, under the Information Analysis and Infrastructure Protection Directorate. According to this story , "Yoran had reported to Robert P. Liscouski, assistant secretary for infrastructure protection, and was not responsible for telecommunication networks, which are the backbone of the Internet." Mr Jarzombek said that people who are not Assistant Secretaries are "not invited to the table" on serious matters. Turning to the main points of his...

The BSD Certification Group is looking for people to complete a BSD Usage Survey . The survey consists of 19 questions. It took me less than five minutes to complete it. You can read more about the survey in this press release and the news section. Please complete this survey if you use any of the BSDs. It will help us better design a BSD Certification for you. Thank you! Also, the August newsletter has been published, and you can track BSD certification progress at our BSD Certification Group Blog .

I've been performing a network security monitoring assessment for a client this week. I use interviews, observations, and documentation review to provide findings, discussion, and recommendations for improving your incident detection and response operations. During this process I was asked if I knew ways to measure packet loss on open source sensors. (This client uses FreeBSD, which is helpful!) Today I remembered work by Christian SJ Peron on bpfstat , available only on FreeBSD 6.0. bpfstat provides statistics like the following. Here I am running Tcpdump and Trafshow, and bpfstat is reporting packet collection information on interface sf0 every 1 second. bpfstat -i 1 -I sf0 pid netif flags recv drop match sblen hblen command 1682 sf0 p--s- 6337 0 6337 3844 0 trafshow 780 sf0 p--s- 38405 0 38405 11380 0 tcpdump 1682 sf0 p--s- 7142 0 7142 22046 0 trafshow 780 sf0 p--s- 39210 0 39210 14588 0 tcpdump 1682 sf0 p--...

I read this news about a vulnerability in Snort 2.4.0 and older versions. You're affected if you process a malicious packet while in verbose mode. This means running Snort using the -v switch. Typically this is only used to visually inspect traffic and not for intrusion detection purposes. Through the FrSIRT advisory I learned about the discovery of this vulnerability by A. Alejandro Hernández Hernández . An exploit is available to crash Snort. Interrupting program flow to control the system is not indicated at this time. The researcher used Fuzzball2 to send weird packets with Selective ACKnowledgement (SACK) options through Snort and find the exploit condition. I am impressed by Sourcefire's response to this issue, as shown by the disclosure timeline: Flaw Discovered: 20/08/2005. Vendor Notification: 22/08/2005. Vendor Response: 23/08/2005. Date Published: 11/09/2005. Sourcefire should have credited the researcher in their vulnerability announcement, however. You c...

Thanks to Russ McRee , Sguil made an appearance in a poster session at the 2005 Eighth International Symposium on Recent Advances in Intrusion Detection (RAID). I attended RAID 2003 . I've posted Russ' slides (.pdf, 5.8 MB) on the Sguil home page to conserve Russ' bandwidth. Russ advocates using Sguil and Aanval in tandem. I have never used Aanval, and it does not appear in the FreeBSD ports tree. I may still give it a try when I find time.

To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Joe Jarzombek, Director for Software Assurance for the National Cyber Security Division of the Departmet of Homeland Security. The topic will be Software Assurance: A Strategic initiative of the US Department of Homeland Security to promote Integrity, Security, and Reliability in Software - Considerations for Advancing a National Strategy to Secure Cyberspace . Wordy, but hopefully interesting. I will be the guy wearing a black or white polo shirt with the TaoSecurity logo. Socializing starts at 1730 at the Nortel PEC building in Fairfax, VA.

I received an email today stating that VMWare Workstation 5.5 Beta is available. I am using Workstation 5 on Windows Server 2003 x86 Edition to support my Network Security Operations class. When students use SSH to connect to the class server, they are logging in to a FreeBSD server running in VMWare. (I also dual-boot the server with FreeBSD 6.0-BETAx using the amd64 port . The key advances appear to be the following: Support for 64-bit guest operating systems Experimental support for 2-way Virtual SMP New support for select host and guest operating systems and hardware - 32 and 64 bit I am excited to see support for SMP (even if only for 2 processors) appear in a Workstation product. We are going to see more multi-core systems appearing in everyday desktops (even though most "normal" users should be using thin clients ). :) 64-bit support is also welcome as that architecture moves out of the server world and onto developer desktops.

I just read two good columns at SecurityFocus . The first, A Changing Landscape , is by Red Cliff consultant, fellow former ex-Foundstone consultant, and Extrusion Detection contributing author Rohyt Belani. He theorizes about the rise of client-side attacks and their effect on statistics reported by CERT/CC . The second article is an interview with FX of Phenoelit . He discusses exploiting Cisco IOS, which is fascinating.

Brad Schonhorst reminds us that if you're near New York city, you might want to check out NYCBSDCon on 17 September 2005. Tomorrow (Saturday) is the last day to preregister for this event. I won't be able to attend due to work constraints, but I think this will be a great con!

Several people have asked for additional detail on the sorts of topics covered in my Network Security Operations class. Having spent several minutes composing this response, I figured others might want to see what I teach. Day one is all network security monitoring . This day is mainly based on material in The Tao of Network Security Monitoring . We start with a case study and then a theory section to provide background. I follow by discussing techniques to access wired and wireless traffic. That's about half of day one. The second half introduces four sections on tools to collect and analyze statistical, session, hybrid, and full content data. All of these sections conclude with hands-on labs using equipment I provide. By the end of day one students should know what network data to collect, how to access it, and what tools to capture and analyze it. Day two is all network incident response . This day is based on material I wrote for Extrusion Detection . I start wit...

Yesterday I attended a meeting of the Information Assurance Technical Framework (IATF) Forum. I last attended an IATF meeting two years ago . According to this introduction (.pdf) document, the IATF Forum "is a National Security Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S. Government agencies, U.S. Industry, and U.S. Academia seeking to provide their customers solutions for information assurance problems." Half of the attendees were government contractors, and a quarter were government civilians. This meeting focused on two elements of the Information Assurance (IA) "cornerstones" DoD's Global Information Grid (GIG): the "Highly Available Enterprise" (HAE) and "Cyber Situational Awareness and Network Defense." (CSA/ND) The Government Accounting Office report The Global Information Grid and Challenges Facing Its Implementation (.pdf) provides a GIG overview. The NSA describes IA with respect to the ...

Previously I wrote about my plans to incorporate VMWare into my classes . Originally I intended to use GSX Server . I thought I would give each student his or her own independent image. I assumed people would want to build their own sensors (from the ground up), and that required providing complete virtual machines. Based on feedback here and in classes since that post, I've learned most people don't care about building sensors. They are more interested in analysis. Therefore, I decided students didn't need dedicated VMs. Therefore, I could run a few VMs with dedicated functions, and let students share systems as normal users. For example, in my last class a dozen students all logged in to a single FreeBSD image to perform analysis. In the future, I plan to have multiple images running. For example, I plan to offer several complete Sguil installations. Students in groups of two or four might share one Sguil server. My current test environment uses VMWare Wor...

I learned I will be delivering two presentations at the DoD Cybercrime 2006 Conference in Palm Harbor, FL on 11 January 2006. I will present shortened versions of my network incident response and forensics classes . Last year I spoke about network security monitoring with Sguil and other open source tools. In 2000 I spoke at the first DoD Cybercrime conference in Colorado, delivering the AFCERT mission briefing.

I just checked the training schedule for the next USENIX LISA (Large Installation System Administration) conference. I will teach network security monitoring , incident response , and forensics . These are each full-day tutorials, which begin on Tuesday 6 December and end Thursday 8 December. Early bird registration ends 18 November 2005. It looks like you can attend all three days for $1775. I am looking forward to teaching these classes because the USENIX crowd is always top-notch. Don't forget my only scheduled public Network Security Operations class, which will be held in Fairfax, VA 27-30 September (that's three weeks from Tuesday)! If you're an ISSA-NoVA member and you register no later than Friday 16 September, you will save $1000 on the class price. To register or for more information, email me: richard at taosecurity dot com. Thank you.

I have been taking a closer look at training offered by the CERT® Coordination Center and the Software Engineering Institute . Six years ago as an Air Force captain from the AFCERT I enjoyed the Advanced Incident Handling for Technical Staff . Now I may have a chance to teach or develop course materials for some of these courses. I am also considering the value of the CERT®-Certified Computer Security Incident Handler program. Has anyone attended any of these courses recently? If yes, what do you think of them? If no, why not? What alternatives have you considered or attended?

I like to read Cisco's quarterly Packet magazine. It's free, and it provides insight into developments by the world's networking (and one day, security) juggernaut. While waiting for car maintenance this morning, I managed to read much of the Quarter 2 2005 issue , devoted to Self-Defending Networks . According to Cisco, they have been releasing Self-Defending Network components every few years. In 2000 they offered integrated security , followed by collaborative security in 2003. Now, in 2005, we have adaptive threat defense . The first term means security is part of Cisco products, such as routers and switches. The second term means these products should work together. Let's look closer at the third term, which Cisco claims will "protect every packet and every packet flow on a network." I was skeptical when I saw the cover text. The phrase "eliminating the source of attacks" and the sentence "network security grows adaptive, rea...

In my post Opportunity Costs of Security Clearances I ranted about needing security clearances for assessment work. Now I read Security clearance delays still a problem by Florence Olsen: "Security clearance delays are the same, if not worse, than a year ago, before lawmakers made changes designed to help clear the backlog... [N]ewly enacted reciprocity rules have made no dent in a problem that is creating mounting costs for high-tech companies. Those rules permit agencies to accept clearances initiated by other agencies." Wonderful. Not only do agencies not trust employees, they don't trust other government agenices. That is understandable, but pathetic; jobs are left vacant because .gov entities want to play petty games. It gets worse: " ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent." Great. This means the same ca...

By now you've probably heard the story about the 10-year-old girl in Wales who was saved by the Poseidon computer-aided drowning detection system . According to the vendor: "[Poseidon] uses advanced computer vision technology to analyze activity in the pool, captured by a network of cameras mounted both above and below the surface of the pool. Poseidon helps lifeguards monitor swimmers' trajectories, and can alert them in seconds to a swimmer in trouble." While reading comments at Slashdot , several of them reminded me of the value of digital intrusion detection systems. This one by a Poseidon user is very helpful if you want to know more about how Poseidon works. For example, some critics complain about "false positives," meaning Poseidon sounds the alarm although no one is drowning. Poseidon alarms when a swimmer stops moving below the water for more than a few seconds. If the Poseidon programmers tell the device to alert when people appear to be ...