Showing posts from October, 2005

Bejtlich to Speak at ShmooCon 2006

I just learned I will speak at ShmooCon 2006 in Washington, DC on Saturday, 14 January 2006 at 1600. The subject is Network Security Monitoring with Sguil.

First Hampton Roads, VA Snort Users Group Meeting

My friend David Bianco is organizing a Hampton Roads, VA Snort Users Group. The first meeting will be 1 December 2005. Check out the story for more details!

FreeBSD 6.0-RELEASE Available Soon

According to this announcement by FreeBSD release engineer Scott Long, FreeBSD 6.0-RELEASE "will likely be announced by the end of the weekend or early next week, at the latest." This is great news. I plan to upgrade all of my 5.4 systems to 6.0 when it is available. I'll post my experiences.

New (IN)SECURE Magazine Features Bejtlich Article

The latest (IN)SECURE magazine was just published. Issue 1.4 features a 7-page article on Structured Traffic Analysis, a methodology to investigate network traces I developed for my Network Security Operations class. It uses open source tools to perform zero-knowledge analysis of saved traffic. After reading this article, you may share the sentiments of a student in one of my recent classes who said "I'm embarrassed I ever used Ethereal to start network analysis!"

Review of VMware Workstation 5 Handbook Posted

My four-star review of VMware Workstation 5 Handbook was just posted. From the review: "Steven S. Warren's VMware Workstation 5 Handbook (VW5H) is a great book for beginning and intermediate VMware Workstation (WS) users. It is well-written, thorough, and informative. Those who are trying to deploy WS for average home, research, or corporate purposes will find their needs met. Those looking for in-depth coverage exceeding VMware's online documentation will be disappointed. Still, I've been using VMware for almost 4 years, and I learned a few new tricks. VMware's online documentation is excellent. Those seeking to install and operate WS will find most of their needs met reading VMware's free guides. VW5H provides context and problem-solving techniques that one may not acquire from VMware's documentation. For example, a new user may be unaware of the purpose of a product like VMware P2V Assistant. By reading Ch 15 of VW5H, the user will learn how P

VMware Workstation Vnetsniffer

Did you know VMware Workstation ships with a sniffer? I should have known about it before now. Lenny Zeltser mentioned it in his 2001 paper on reverse engineering malware. There are only 15 references in Google Groups, however. Vnetsniffer is very limited with regard to reporting. Here is sample output:

C:\Program Files\VMware\VMware Workstation>vnetsniffer
usage: vnetsniffer [/e] (/p "pvnID" | VMnet?)

C:\Program Files\VMware\VMware Workstation>runas /u:administrator "vnetsniffer /e vmnet0"
Enter password for administrator:
Attempting to start "vnetsniffer /e vmnet0" as user "administrator"...
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src dst TCP
len 60 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c ARP sender 00:13:10:65:2f:ab target 00:00:00:00:00:00 ARP request
len 42 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab ARP sender 00:03:47:0f:1f:3c

Bejtlich Books in HNS Contest

Mirko Zorz from Help Net Security notified me that two of my books are up for grabs in the HNS 7th Anniversary Book Contest. You could win Real Digital Forensics or Extrusion Detection: Security Monitoring for Internal Intrusions. The winners will be announced on Monday, 5 December 2005. Good luck!

Snort BO Exploit Published

As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD on FreeBSD 5.4.

orr:/home/richard$ ./THCsnortbo 1
Snort BackOrifice PING exploit (version 0.3) by
Selected target: 1 | manual testing gcc with -O0
Sending exploit to
Done.
orr:/home/richard$ ./THCsnortbo 2
Snort BackOrifice PING exploit (version 0.3) by
Selected target: 2 | manual testing gcc with -O2
Sending exploit to
Done.

Here is what the traffic looks like:

09:30:36.134739 IP > 52835 updateD ServFail [5863q][|domain]
    0x0000:  4500 0594 0bdb 0000 4011 f669 c0a8 0205  E.......@..i....
    0x0010:  425d 6e0a dbe4 0035 0580 9592 ce63 d1d2  B]n....5.....c..
    0x0020:  16e7 13cf d45a 5a79 4d8a b466 aaa2 c875  .....ZZyM..f...u
    0x0030:  2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d  #.

Reviews of Computer Security 20 Things Every Employee Should Know, 2nd Ed, The Symantec Guide to Home Internet Security Posted

The drought has ended. My two newest reviews were just posted. First was Computer Security 20 Things Every Employee Should Know, 2nd Ed by Ben Rothke. I gave it three stars, but I would give the next edition higher ratings if Ben addresses my suggestions. From the review: Ben Rothke's Computer Security: 20 Things Every Employee Should Know, 2nd Ed, contains a great deal of sound advice for nontechnical employees. At least 10 tips could be eliminated by combining redundancies. I would reduce the list to the following topics: (1) Beware malware, spyware, and phishing; (2) Protect your identity; (3) Protect the organization's data; (4) Choose sound passwords and protect them; (5) Use organization resources for authorized purposes; (6) Beware of social engineers; (7) Call the experts when things go wrong; (8) Protect laptops, PDAs, cell phones, and other mobile devices as you would corporate resources. I also reviewed The Symantec Guide to Home Internet Security by An

More on Engineering Disasters and Bird Flu

Here's another anecdote from the Engineering Disasters story I wrote about recently. In 1956 the cruise ship Andrea Doria was struck and sunk by the ocean liner Stockholm. At that time radar was still a fairly new innovation on sea vessels. Ship bridges were dimly lit, and the controls on radar systems were not illuminated. It is possible that the Stockholm radar operators misinterpreted the readings on their equipment, believing the Andrea Doria was 12 miles away when it was really 2 miles away. The ships literally turned towards one another on a collision course, based on faulty interpretation of radar contact in the dense fog. Catastrophe ensued. This disaster shows how humans can never be removed from the equation, and they are often at center stage when failures occur. The commentator on the show said a 10 cent light bulb illuminating the radar controls station could have shown the radar range was positioned in a setting different from that assumed by the operator.

Pre-Review Postscript

I neglected to mention a book I look forward to reading -- Essential SNMP, 2nd Ed by Douglas Mauro and Kevin Schmidt. Most of the technologies I deploy and use are passive monitoring systems. This book represents an active monitoring system, where SNMP is used to determine the status of network resources. I expect Wolfgang Barth's book on Nagios to also be helpful. Since I mentioned the new Apress MySQL book yesterday, MySQL 5 has achieved general availability status with version 5.0.15. I expect the FreeBSD port will be updated shortly.

Bejtlich Speaking at RSA Conference 2006

My proposal to speak at the RSA Conference 2006 was accepted out of 1500+ submissions. I will present in San Jose, CA on Tuesday, 14 February 2006 from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics.

Latest Book Pre-Reviews

During the last two months my work for TaoSecurity has kept me too busy to read and review books. I am trying to get back on track. Here are pre-reviews for books I have received over the last several weeks. First are two books I intend to keep as reference, but which I don't plan to read cover-to-cover. Hence, I won't post reviews of them. First is Cisco IOS in a Nutshell, 2nd Ed by James Boney. I put this book next to my copy of O'Reilly's UNIX in a Nutshell, 3rd Ed. This book looks like an excellent reference for Cisco admins and anyone pursuing an advanced Cisco certification (beyond the CCNA). I may read the first 350 pages, as the chapters in that half of the book each address a topic of interest, like IP routing or QoS. The last half of the book is a command syntax reference. Windows Server 2003 Network Administration by Craig Hunt and Roberta Bragg is sitting in my reference section next to O'Reilly's Learning Windows Server 2003

Further Thoughts on Engineering Disasters

My TiVo managed to save a few more episodes of Modern Marvels . You may remember I discussed engineering disasters last month. This episode of the show of the same title took a broader look at the problem. Three experts provided comments that resonated with me. First, Dr. Roger McCarthy of Exponent, Inc. offered the following story about problems with the Hubble Space Telescope. When Hubble was built on earth, engineers did not sufficiently address issues with the weight of the lens on Earth and deflections caused by gravity. When Hubble was put in orbit, the lens no longer deflected and as a result it was not the proper shape. Engineers on Earth had never tested the lens because they could not figure out a way to do it. So, they launched and hoped for the best -- only to encounter a disaster that required a $50 million orbital repair mission. Dr. McCarthy's comment was "A single test is worth a thousand expert opinions." This is an example of management by fa

Excellent Pf Documentation

I recently learned of Peter N. M. Hansteen's document Firewalling with OpenBSD's PF packet filter. I really like the approach Peter takes to describing Pf. He explains enabling Pf on OpenBSD, FreeBSD, and NetBSD, and then builds up the capabilities one can employ using Pf. I recommend anyone who wants to learn more about Pf start with Peter's document. Incidentally, OpenBSD 3.8 will be available at an FTP server near you on 1 November.

The Coming Snort Worm

This week we learned via an advisory of a vulnerability in the Back Orifice preprocessor in Snort versions 2.4.2, 2.4.1, and 2.4.0. The vulnerability was discovered by another ISS X-Force researcher. I bet (but have no inside knowledge) that he was following the same marching orders that Mike Lynn received: find vulnerabilities in competitors' products. Mike looked at Cisco, and Neel Mehta looked at Sourcefire's Snort. I am sure ISS is still bitter over the Witty worm that revealed the installed ISS RealSecure and BlackIce userbase to be about 12,000 systems. The Witty worm spread via a single UDP packet with a fixed source port of 4000 UDP. Let's consider the factors that lead me to believe that the Snort BO vulnerability will produce a worm. The new vulnerability can be exploited by a specially crafted UDP packet to or from any port other than port 31337. (Thanks to Jose Nazario for correcting me on this point.) This is similar to the UDP packet used by Witty

VMware Player Changes Everything

In the words of the immortal Joey -- "whoa." I just learned of, and tried, the new VMware Player. If you haven't heard of it yet, VMware Player is a free program for Windows and Linux users that allows them to run a single VM on their host OS. VMware Player is like a stripped down version of VMware Workstation. It does not support snapshots, and the documentation says only one VM can run at a time (despite what the comparison chart implies). This changes everything. Everyone who is an end user of VMs (not a creator) just saved $189 for a VMware Workstation license. This includes students who use VMware on their class desktops or laptops. Authors can now distribute VMs with books (like a second edition of Real Digital Forensics?) and have readers access those VMs with the free VMware Player. I tried one of the freely available images in the Virtual Machine Center -- the Browser-Appliance. As you can see from the screen shot below, it's an Ubuntu Lin

VirtualWiFi and Monitoring

While teaching Network Security Operations last week, I presented material on monitoring wireless networks. Sample syntax follows:

orr:/root# ifconfig wi0 mediaopt monitor channel 6 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
  EN10MB (Ethernet)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11

One of the students asked if Tcpdump supported hopping across channels to monitor multiple networks simultaneously. I did not know of a way to do this, because the channel to monitor must be specified as shown above. An alternative requires running multiple wireless NICs. I just learned of Microsoft's VirtualWiFi research project. This is a continuation of Ranveer Chandra's work on MultiNet. If VirtualWiFi supports putting a wireless NIC into monitor mode on Windows, it is possible to virtualize the NIC for as many channels as one wishes to monitor. Separate WinDump instanc

Commercial Rootkits Make NSM Even More Relevant

Last month I posted Rootkits Make NSM More Relevant Than Ever. A few weeks ago I spoke at a Cisco training event attended by over 400 sales engineers and broadcast to several hundred more. I built my presentation on the "NSM, Now More Than Ever" theme. Since Cisco is a network infrastructure company, my message resonated with them. I would have delivered the same message to Microsoft if asked, but I am not a 31337 BlueHat h@x0r. Today I learned through Tom Sanders' story Rootkit creators turn professional about Golden Hacker Defender (GHD). GHD is a modification of the freely available Windows userland rootkit Hacker Defender (HD) by holy_father. Buyers can customize HD to suit their needs, which usually involves evading detection. For example, the ultimate form of HD is listed as Brilliant Hacker Defender Forever, shown in the following screen capture. The cost is 900 Euro, or 1,077.09 USD at today's rates. Anti-virus company F-Secure brought this

Useful Nmap Documentation

Today Slashdot notified me of an interview with Nmap author Fyodor. I found it interesting that Fyodor makes a living through Insecure.Com LLC, whose "primary business is licensing Nmap technology for inclusion in commercial products." I also learned he is working on a book on Nmap, and he "only [has] a couple chapters left to draft." Apparently the new Nmap man page is an excerpt from this book. By reading Slashdot comments, I learned about James Messmer's online book Secrets of Network Cartography: A Comprehensive Guide to Nmap. I have not reviewed this book for technical content, but the table of contents looks interesting. Anyone who considers themselves to be a security or traffic analyst should be familiar with Nmap's workings. It is important to understand how all of the Nmap scans work and how they appear in traffic excerpts.

Register for 20 October ISSA-NoVA Meeting by Noon Tuesday

To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Paco Hope discuss FreeBSD and OpenBSD.

MySpace Worm Demonstrates NSM Principles

In my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, I say "some intruders are smarter than you," and "intruders are unpredictable." Because of these two facts, prevention eventually fails. In other words, intruders are cleverly figuring out ways to circumvent security of services you have never heard about in ways you could not imagine. As a result, defenses fail and monitoring is the only way to detect that failure and respond appropriately. The story Cross-Site Scripting Worm Hits MySpace is a perfect example of these principles in action. In short, someone figured out how to create a worm on the MySpace online community. More details are posted at this Slashdot thread. I had never heard of MySpace until today, but over a million users were affected by this worm. Did you see this coming? Of course not. There is little point in forecasting future threats. The best we can do is to implement the best preventative

Bejtlich Quotes in Sourcefire Acquisition Story

Eric B. Parizo mentioned me in his story Snort users fear future under Check Point. One of the quotes appears as follows: Richard Bejtlich, principal with Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort. "I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions of racks of equipment. I was surprised they were able to continue with Snort as they did." That should say "millions and millions of dollars of racks of equipment." I obviously haven't seen millions of racks of anything when I visit Sourcefire! Also, I appear to have been demoted at my own company. I am not a "principle" at TaoSecurity. My boss must be upset with my performance! :)

Brief Thought on Digital Security

I was asked to write an article for an upcoming issue of Information Security Magazine based on my Engineering Disasters blog post. I had the following thought after writing that article. When an engineering catastrophe befalls the "real" or "analog" world, it's often very visible. Failed bridges collapse, levees break, sinkholes swallow buildings, and so on. If you look closely enough, prior to ultimate failure you see indications of impending doom. Cracks appear in concrete, materials swell or contract, groaning noises abound, etc. This is generally not the case in the digital world. It is possible for an enterprise to be completely owned by unauthorized parties, without any overt signs. If one knows where to look, of course, indicators can be seen, and evidence of compromise can be gathered, analyzed, and escalated. This is the reason I advocate network security monitoring (NSM) and conducting traffic threat assessments (TTAs).

SecurityMetrics Documents Security Cycles

Andrew Jaquith posted an interesting story called Hamster Wheels of Pain. It's a follow-up to an earlier article. I think the present story is cool because Andrew collected and posted the security process "wheels" of 11 security vendors. I recognize Foundstone's in there, shown as a thumbnail at left. I think Andrew is a little too cynical regarding some of these process charts. Some are used to sell products, and often reflect vendor biases. Others are just ways to break the security problem down into manageable chunks. I use the diagram at right in my classes to emphasize the traffic-centric approach I take to network security operations. Does this make me bad? I doubt it.

BSD Certification Group Publishes BSD Associate Exam Objectives

Last week the BSD Certification Group published its BSD Associate Exam Objectives (.pdf). The preface of the document explains its purpose: "This document introduces the BSD Associate (BSDA) examination and describes in considerable detail the objectives covered by the exam. The exam covers material across all four major projects of BSD Unix - NetBSD, FreeBSD, OpenBSD and DragonFly BSD. While the testing candidate is expected to know concepts and practical details from all four main projects, it is not necessary to know all the details of each one. A thorough reading of this document is recommended to understand which concepts and practical details are expected to be mastered. Throughout this document, a clear distinction is placed on 'recognizing' and 'understanding', versus 'demonstrating' and 'performing'. Certain objectives call for the mere understanding of certain topics, while others call for the ability to demonstrate performance level kn

FreeBSD 6.0-RC1 Available

I just read the announcement that FreeBSD 6.0-RC1 is available for download. There's a helpful link on the new front page that directly points to places to find the new release candidate. The 6.0 schedule does not list a release date, but the RC1 announcement says RC1 will be the only release candidate. I expect to see 6.0-RELEASE arrive within the next two weeks. Great work FreeBSD release engineering team! FreeBSD 5.5, at least one more upgrade to the existing 5.x tree, is scheduled for arrival in November. According to the security advisory schedule, FreeBSD 4.11 will enter end-of-life status on 31 January 2007. After that date no security fixes for the 4.x tree will be officially provided. Support for the 5.x tree will end earlier, on 31 May 2006. I believe the FreeBSD team is trying to encourage 5.x users to migrate, and leave a window open for people who have been running 4.x for years.

TaoSecurity Blog on CNET Blog 100

I received word today that this blog was added to the CNET Blog 100 list. My site is described as a "good aggregation of information on a wide range of security issues. Detailed and authoritative, with many updates." I've been really busy preparing, teaching and speaking the last several weeks, but I expect to return to my normal blogging pace late next week. Thanks CNET!

New FreeBSD Web Site Launched

I like the look of the new FreeBSD home page, but the daemon in the middle looks obnoxiously large compared to the rest of the content. I'd much rather see Beastie small and somewhere else, preferably in a corner or on the community page. FreeBSD is an operating system for professionals; I'd like to see it treated seriously for once. On a related note, I found this interview with Scott Long very interesting.

Thoughts on the Week's Security News

This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week. I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire. In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 mill

Real Digital Forensics and Shirts

This week I received a batch of TaoSecurity T-shirts for my Network Security Operations class. The back of the T-shirt is pictured at left. The front of the T-shirt shows the TaoSecurity logo. I also received my copy of our new book Real Digital Forensics, also pictured at right. You can visit the publisher Addison-Wesley to review the table of contents, the preface, and also download the first chapter. It's a review of Windows live response. I think you will really enjoy this book. I wrote it with Keith Jones and Curtis Rose from Red Cliff Consulting. The project was two, almost three years in the making. In the book we look at intrusions from the perspective of the file system, memory, and network activity. (Guess who handled the network side?) :) All of the evidence we analyze is included on a DVD shipped with the book. You can get a better look at the cover in the photo at left. In addition to TaoSecurity T-shirts for my class students, I'm making TaoSecurit

Comment Verification Activated

Some idiot's comment spam bot posted over 70 "comments" to this blog last night. I am working my way through deleting them all. This is the latest salvo in an escalating battle which started with intermittent spam comments several months ago. To try to reduce these automated attacks in the future, I've enabled comment verification. I hope it is not too onerous for those making legitimate comments. Thank you.