
Showing posts from November, 2005

Why Duplicate Packets May Appear on SPAN Ports

I noticed a post to snort-users today asking if Snort had a problem with duplicate packets: "We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card." I think I know why this is happening. I cover this issue in day one of my Network Security Operations course. Essentially, the admin who sets up the SPAN port has to decide if he or she wants to copy traffic in to the SPAN port, out of the SPAN port, or in and out of the SPAN port. If the decision is made to copy in and out of the SPAN port, duplicate packets will appear when intra-switch traffic is carried.

Two New Pre-Reviews

Thank you to the publishers who sent two new books in the last few weeks. First is Phishing Exposed, by Lance James, published by Syngress. This looks like a great book. I loved Inside the Spam Cartel, so I have high hopes for this new book. The book appears to have plenty of technical details. Next is Running IPv6 by Iljitsch van Beijnum, published by Apress. I liked his book BGP. I already read and reviewed IPv6 Network Administration from O'Reilly, which appears similar to this new book. I'll let you know how the two books differ after I read the latest title.

Bejtlich Teaching Next Week at USENIX LISA

Next week I will present three full-day tutorials at USENIX LISA 2005 in San Diego, CA, from 6-8 December 2005. I will teach network security monitoring, incident response, and forensics. I hope to attend a tutorial on Monday afternoon and several presentations on Friday as well. I'll be wearing TaoSecurity clothing, so please stop by to chat if you're nearby! I believe Addison-Wesley will also sponsor a book signing, but I do not know when that will be. Update: I just learned the book signing will take place in the Golden Ballroom from 5:30 to 6:30 p.m., Wednesday, 7 December.

SANS Replaces Several Threat References in Top 20

Last week I posted comments about several misuses of the word "threat" in the latest SANS twenty most critical Internet security vulnerabilities. After receiving an email from Alan Paller, I returned to the SANS site and saw many of my recommended changes were made. For example, you can now "Jump To Index of Top 20 Vulnerabilities", instead of "threats." I appreciate SANS taking my suggestions to heart. Update: It's becoming clear where the confusion regarding "threat" vs "vulnerability" originates for the SANS Top 20. One of you pointed me towards the article Mac OS X Under Scrutiny. See how many misuses of the term threat you can find. Here's a freebie: "SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake up call."

Three Great Session Data Articles

I just happened upon three great articles by Michael W. Lucas on collecting and analyzing session data on FreeBSD. They are: Monitoring Network Traffic with Netflow; Visualizing Network Traffic with Netflow and FlowScan; and Building Detailed Network Reports with Netflow. Michael introduces several techniques and tools not mentioned in my books, like softflowd, Cflow.pm, flowscan, CUFlow, and others. Nice work! (Incidentally, I am the USENIX instructor Michael references in his last article.) :)

NISCC Director Understands Real Threats

Roger Cummings, director of the UK's National Infrastructure Security Co-ordination Centre, made interesting comments reported by News.com: "Cummings said the most significant element in the malicious marketplace is foreign states, whose target is information. Next are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have 'a variable capability' when it comes to attacks... However, these pose a more serious threat than terrorists, who currently have a low capability." The article continues: "NISCC is working with its equivalents in the countries concerned to try to shut the attacks down, Cummings said. The agency cannot name the countries concerned as this may 'ruin diplomatic efforts to halt the attacks,' he added." Imagine that -- he didn't say "holes in Internet Explorer," or "Windows RPC services." The director named parties with the capability and inten...

Tenable and Nessus News

Federico Biancuzzi conducted an extensive interview with Tenable Network Security co-founder and Extrusion Detection contributor Ron Gula. He discusses Nessus 3, including features and licensing changes. Ron also mentions Nessus support services, training, certification, and books, which all sound cool to me.

The Good and the Bad About the New SANS Top 20

Back in January I noted that SANS was not using the terms "threat" and "vulnerability" properly in its call for help on the "twenty most critical Internet security vulnerabilities," represented by the logo at left. You will remember that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities. Today, version 6 of the Top 20 was released. I'll start with "the good." I believe the majority of the 2005 content is much better than the 2004 edition. The 2004 list, and previous lists, displayed 10 Windows vulnerabilities and 10 (often dubious) Unix vulnerabilities. The 2005 list, in contrast, displays the following vulnerabilities: Top Vulnerabilities in Windows...

Demand for a BSD Associate Certification Guide

I have an idea for a new book. For the last year I have been part of the BSD Certification Group (BSDCG). I started out as a Group member, but moved to the Advisory Board when TaoSecurity business occupied too much of my time. Last month the BSDCG published its BSD Associate Exam Objectives (.pdf). The document outlines all the skills a candidate for the BSD Associate cert is expected to have. However, no specifics are given. For example:

    3.2.12 Change the encryption algorithm used to encrypt the password database.
    Concept: Given a screenshot of a password database, the BSDA candidate should be able to recognize the encryption algorithm in use and how to select another algorithm. The candidate should also have a basic understanding of when to use DES, MD5 and Blowfish.
    Practical: login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)

I am considering writing a BSD Associate Certification Guide. The guide will cover all of the 7 domains on the cert: 1. Ins...

Extrusion Detection Shipping

Good news -- several of you have reported receiving copies of my new book Extrusion Detection, ordered through regular online vendors. I'm happy to see Amazon.com finally listing the book as "Usually ships within 24 hours." It appears Buy.com has a great deal, with free shipping and a $29.69 price. If you have any suggested changes, please let me know within the next 10 days. I owe corrections to my publisher for the second printing on 2 December. Thank you!

Tethereal Ring Buffer Syntax Changes Again

It's tough to keep up with syntax changes in Tethereal. Only a few months ago I posted syntax to use Tethereal in ring buffer mode. I like ring buffer mode because it is a "fire and forget" solution for collecting full content data. You tell Tethereal how many files, and of what size, it should collect, and then the program just keeps logging as much as you specify. Today when trying Tethereal 0.10.13, I discovered the syntax has changed again. First, the relevant man page excerpt:

    -a  Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

        duration:value Stop writing to a capture file after value seconds have elapsed.

        filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes). If this option is used together with the -b opti...

Security Awareness Training: A Waste of Time?

Extrusion Detection contributing author Rohyt Belani told me about his new SC Magazine article Changing End Users' Security Mindset. Here are some astonishing excerpts: "[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property. These exercises involved scripted telephone calls to the organizations' customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data, the results were astounding. 627 of the 1000 people targeted by 'spear phishing' emails (aimed at pilfering the employees' corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff. It's not so much those statistics that made the results astounding; but the fact that all these organizations had recen...

FCW Reports DoD to Hold Security Stand-Down

I read that DoD plans to hold a security stand-down on 29 November "to focus on information assurance and network security." Apparently United States Strategic Command, one of nine Unified Commands, issued the order. The news came from Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations (JTF-GNO). FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. [Croom] said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely." (emphasis added) I like the fact Lt Gen Croom understands the importance of monitoring. A separate article conveys this story, indicating Lt Gen Croom is a fair guy: "The first time Croom showed up for a meeting at DISA, someone announced his presence...

Thoughts on CMP Acquisition of Black Hat

I just learned that CMP Media, publishers of IT magazines like Network Computing and IT Architect (formerly Network Magazine), just acquired Jeff Moss' Black Hat, Inc. for $10 million. I'm amazed that Black Hat went for that much. The organization may offer consulting, but it's mainly known for its conferences. Those conferences rely on instructors, none of whom are obligated to speak (as far as I know). Without any intellectual property, substantial workforce, or product lines, I'd say Black Hat did pretty well for itself! I did not realize until now that CMP also owns the Computer Security Institute, who runs their own security conferences. The CSI conference is a strange beast. I wouldn't consider William Safire to be a "security expert," but there he is appearing as a keynote CSI speaker. Perhaps Black Hat is supposed to pull in another sort of demographic, one without as much gray hair?

BSD Certification Group Solicits Donations

The BSD Certification Group is soliciting donations to offset the costs of creating the certification. The main expense is psychometric analysis of the proposed certification exam. This is fancy talk for ensuring the test assesses what the BSD Certification Group expects to measure. The BSDCG was incorporated as a non-profit corporation (a 501(c)(3) scientific and educational charitable organization) in the state of New Jersey, but the IRS has not validated their status yet.

Using Cache Snooping to Estimate Code Spread

I've stayed out of the whole Sony DRM affair because I felt Windows guru Mark Russinovich has forgotten more about Windows internals than I will ever know. I try to avoid commenting on issues out of my league, and Windows rootkits are generally not something I know how to analyze at the host level. However, today I learned of a Wired story that incorporates new Dan Kaminsky research. Dan has provided a conservative estimate of the number of systems on which the Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology. Essentially Dan used his Deluvian Scanning Platform -- DoxPara Infrastructure Validation Project (DIVP) to ask name servers if they had cached results for the hosts associated with Sony's DRM. For example, in the following I query a name server to see if it knows how to resolve www.bejtlich.net. The key is to tell the name server not to perform recursion; if the name server can't answer my request on its own, it has to...

Extrusion Detection Shipping at Barnes and Noble

I got two boxes of Extrusion Detection copies from my publisher today. Looking at BestBookBuys.com, I see Barnes and Noble lists the book as "Usually ships within 24 hours." I would give B&N a try, or order directly from the publisher, if you really want a copy of the book quickly. Alternatively, you might be able to win a copy in the monthly raffle held at my local ISSA NoVA chapter meeting. Last time I provided a copy of Real Digital Forensics and a Network Security Operations T-shirt. Tuesday (tomorrow) is the last day to RSVP for the Thursday meeting. Steve Crocker will talk about securing DNS at the Oracle building in Reston.

Problems with FreeBSD 6.0 as VMware Workstation Guest

I've encountered a problem running FreeBSD 6.0 as a guest OS in VMware Workstation 5.0. I discovered the FreeBSD VM runs at half speed, such that 10 seconds of real time appears to be 5 or so seconds within the VM. I tried installing the vmware-guestd port but that had no effect, even though it is running in the VM. After reading this post, I tried changing this sysctl:

    gruden:/root# sysctl -a kern.timecounter.hardware
    kern.timecounter.hardware: ACPI-fast
    gruden:/root# sysctl kern.timecounter.hardware=TSC
    kern.timecounter.hardware: ACPI-fast -> TSC

That had no effect. This is my freebsd.vmx file:

    config.version = "8"
    virtualHW.version = "4"
    scsi0.present = "TRUE"
    scsi0.virtualDev = "lsilogic"
    memsize = "128"
    ide0:0.present = "TRUE"
    ide0:0.fileName = "FreeBSD-000003.vmdk"
    ide1:0.present = "TRUE"
    ide1:0.fileName = "auto detect"
    ide1:0.deviceType = "cdrom-raw"
    floppy0.fileName ...

Presentations on OpenBSD Ports and More

Joe Stevensen sent word of two new OpenBSD presentations. The first is OpenBSD Ports and Packages, by Marc Espie. He takes some shots at the other BSDs, including FreeBSD. He's wrong about Python being needed to update FreeBSD ports. An article I wrote for the February 2006 Sys Admin magazine on keeping FreeBSD up-to-date doesn't use any Python, but it does require Ruby and Perl. I do agree with some of Marc's critique, however. It would be nice to have package update tools built into the base system. Perhaps they could be written in Perl to avoid adding Ruby? We are starting to see new ports tools developed outside of the base now being added to the base, with Colin Percival's portsnap now in FreeBSD 6.0. I expect to see this trend continue because Colin is a member of the FreeBSD project now. (He's the security officer.) The second presentation is OpenBSD Networking Update by Henning Brauer. OpenBSD is doing some cool work with OpenBGPD and I s...

Sample Extrusion Detection Chapter Posted

My publisher just posted Chapter 4: Enterprise Network Instrumentation from my new book, Extrusion Detection: Security Monitoring for Internal Intrusions. The table of contents, preface, foreword by Marcus Ranum, and index are also all online. Marcus' foreword (.pdf) is different than most; he interviews me. For example: "MJR: I’ve noticed you’re a fan of Bruce Lee! It’s interesting to me how a lot of us security guys find parallels between computer/network security and the martial arts/art of war. Remember Lee’s great “It’s like a finger pointing away to the moon” speech? What do you think would be the equivalent for a student of computer security? What do you think Bruce would tell us? RB: I am indeed a fan of Bruce Lee, and I’ve practiced several martial arts... I advise that intruders should be viewed as smart (sometimes smarter than you) and unpredictable, and able to beat your defenses. Bruce would probably agree. He would train to be ready for whatever his opp...

Deleting Hard Drives

Today the subject of deleting hard drives was raised in the #snort-gui IRC channel. jrk and geek00L mentioned using Darik's Boot and Nuke (DBAN), an open source (GPL) "self-contained boot floppy that securely wipes the hard disks of most computers." I found DBAN very easy to use. It boasts some impressive features too. When you boot from the floppy image or CD-ROM .iso you see this screen. The About screen offers warnings and caveats. I like the ability to boot using one of the available deletion methods. I simply hit [enter], which started DBAN in interactive mode. Here you can set parameters for wiping the drive. In the future I plan to carry a DBAN floppy with me to wipe hard drives prior to installing my own NSM software.

Powerful Laptop Recommendations?

I'm looking for a replacement for my aging, circa-2000 IBM Thinkpad a20p, pictured at right. I was wondering if you might have any recommendations? I plan to dual-boot Windows XP and FreeBSD 6.0 on this system. It needs to be powerful as I would like to use it for teaching classes as well. Here are the specs I had in mind:

    Intel® Pentium® M Processor 760 [2.00GHz, 2MB L2 cache, 533MHz FSB]
    2 GB RAM
    60 GB+ 7200 RPM HDD
    NVIDIA GeForce video, to take advantage of their FreeBSD drivers and avoid ATI
    Gigabit NIC
    802.11b/g is nice, especially if disabled via external switch
    Bluetooth -- not sure if I need it?
    Under 7 lbs -- my current laptop is more like a ThinkBrick
    At least a 14.1" screen; I don't care about widescreens

I like the features of the Toshiba Tecra M3, but the reviews are terrible. I really like the durability and keyboard of my Thinkpad and I worry what other vendors are going to provide. I appreciate your help. Update: Thank you for all of your commen...

Congratulations to Feds

I'd like to congratulate the United States Attorney's Office, Central District of California for indicting a bot net controller. According to the press release and the indictment (.pdf), up to 400,000 victims were compromised. You can track the progress of this case through the Post Indictment Arraignment Calendar. This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable as well. The suspect in this case is a 20-year-old living in California. This is the sort of perpetrator who can be deterred, unlike a foreign intelligence agent or member of organized crime. The more bot net operators who are put in jail, the fewer lower-end threats we will need to stop.

New SearchSecurity.com Tip Posted

SearchSecurity.com just posted a short article I wrote titled Using attack responses to improve intrusion detection. It's about watching outbound traffic to identify intrusions. From the article: "Network-based IDSes are deployed to identify compromised targets, while network-based IPSes are deployed in an effort to prevent compromise. Both systems must be able to recognize malicious traffic to issue warnings or block offending packets. IDSes, however, have the upper hand in identifying intrusions, because they have the luxury of generating an alert based on traffic from the attacker to the victim or from the victim to the client. In other words, an IDS can alert on either the inbound attack traffic or the outbound victim response. But to prevent an intrusion, an IPS must deny incoming attack traffic. An IPS that only inspects outbound traffic allows a target to be compromised. An IPS that makes a block decision based on responses from the victim is an 'intrusion conta...

Websense ToorCon Presentation

Thanks to a comment from Shahid for pointing me to the WebSense Security Labs presentation The Web Vector: Exploiting Human and Browser Vulnerabilities (.pdf). I think the most interesting part of the briefing is the introduction of Web-based bot net command and control. Because organizations are locking down outbound IRC, bot net controllers are using HTTP as a replacement protocol. If anyone has any experience with this sort of traffic, I would be interested in hearing from you.

Latest Book Arrives Soon

My third book, Extrusion Detection: Security Monitoring for Internal Intrusions, should appear on book shelves very soon. Addison-Wesley updated the publication date to reflect today (4 November 2005), a week earlier than the planned 11 November launch. I have not yet received a copy, and no preview chapters have been posted yet. I was assured that Chapter 4, Enterprise Network Instrumentation, would be made available in .pdf form at the publisher's Web site. I looked at the Best Book Buys Top 100 List this evening and saw these results: I don't understand these book rankings, which are listed "as of 28-Oct-2005". Here are the top 5 books:

    Wild at Heart: Discovering the Secret of a Man's Soul by John Eldredge
    The Complete Calvin and Hobbes by Bill Watterson
    Financial Accounting by Robert Libby
    The Game: Undercover In The Secret Society Of Pick-up Artists by Neil Strauss
    The World Is Flat: A Brief History Of The Twenty-first Century by Thomas L. Friedman...

Sguil 0.6.0-RC2 Available

After much development, Sguil 0.6.0-RC2 is now available for download. Several new features appear in 0.6.0, including:

    MySQL's MERGE storage engine is used. The MERGE storage engine, also known as the MRG_MyISAM engine, is a collection of identical MyISAM tables that can be used as one. All Snort alerts and SANCP session data is now stored in MERGE tables, resulting in better scalability and performance. Sguil author Bamm Visscher reports "I went from being able to keep ~6 million rows to >300 million rows."

    All sensor communication is performed through sensor_agent.tcl. This allows Sguil to be seemingly one of the few programs that respects the new licensing of MySQL under the GPL.

    Support for Snort's sfPortscan function has been added. Users no longer need to patch and use the portscan preprocessor.

    Increased use of tabs for window management provides better access to new information like sensor status.

Barring unforeseen issues, Sguil 0.6.0-RC2 will ...

FreeBSD 6.0 RELEASE Announced

FreeBSD 6.0 RELEASE has been officially announced. When I get a chance I intend to upgrade my 5.4 systems to 6.0 to take advantage of bpfstat on my sensors. I should have a new article in the February 2006 issue of SysAdmin Magazine explaining the simplest way to keep the FreeBSD OS and applications up-to-date.

Network Forensics? Please.

Today I looked at the Interop New York 2005 Schedule and noticed an item called "Network Forensic Day" taught by Pine Mountain Group. I try to stay current with people and companies performing security work, but I had never heard of PMG. I looked at the description of the course, wondering if the "network" meant "enterprise," as in "how to use forensics in the enterprise." I think that is a misapplication of the term network in that context, but it's common enough. Alternatively, perhaps "network" meant "traffic," which is how I use the term. When I mention "network forensics," I define it as the art of collecting, protecting, analyzing, and presenting network traffic to support remediation or prosecution. This is in line with the definition of forensics: "1. The art or study of formal debate; argumentation. 2. The use of science and technology to investigate and establish facts in criminal or ci...

Network Computing Misses the Mark

I really enjoy reading the free IT magazine Network Computing. However, I believe comments by NWC authors in the last two issues demonstrate some fundamental misunderstandings of open source applications and system administration. These are not earth-shattering issues, but I thought I would share them with you. First, the 27 October 2005 issue includes an article called Open-Source Security Technology Joins Endangered List. Here are excerpts: "For many users and vendors, network security is dependent on a collection of open-source programs that provide key capabilities, sometimes as standalone tools and sometimes as the basis for commercial products. Last month, however, the open-source status of two of those key technologies--Snort and Nessus--became threatened.... The moral is that heavy reliance on open source carries risk, and that the greatest insurance policy for open-source technology is participation by a large number of users and developers. If you're thinkin...

Dealing with FreeBSD Port Options

Sometimes when you build a port in FreeBSD, you are confronted with a curses menu like the following. This example shows the menu that appears when you run 'make' as root in the /usr/ports/ftp/gftp directory. If you hit 'OK' and then interrupt the port building process, and run 'make' again, you will not see the menu:

    orr:/usr/ports/ftp/gftp# make
    ...menu appears, hit 'OK'...
    ===> WARNING: Vulnerability database out of date, checking anyway
    ===> Found saved configuration for gftp-2.0.18
    ===> Extracting for gftp-2.0.18
    => Checksum mismatch for gftp-2.0.18.tar.gz.
    ===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
    ^C
    orr:/usr/ports/ftp/gftp# make
    ===> WARNING: Vulnerability database out of date, checking anyway
    ===> Found saved configuration for gftp-2.0.18
    ===> Extracting for gftp-2.0.18
    => Checksum mismatch for gftp-2.0.18.tar.gz.
    ===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
    ===> WARNING: Vulnera...

New FreeBSD Logo Announced

There you have it. That is the new FreeBSD logo. I think it is a mess. I cannot picture it being embroidered on a polo shirt. That is my basic test for a good logo. On the bright side, I hope to see Beastie disappear off the front of the FreeBSD Web site now.

BSD Certification Group Publishes Usage Survey Results

The BSD Certification Group has released the results of their usage survey here (.pdf). Here is a quick look at the numbers:

    77% report using FreeBSD
    33% report using OpenBSD
    16% report using NetBSD
    3% report using DragonFly BSD
    7% report "other"

On a related note, I have resigned my seat on the Certification Group and joined the Advisory Board due to time constraints caused by running TaoSecurity.