TaoSecurity Blog

Exactly one year ago today I posted a thank-you note for the great year of blogging in 2004. A look at the 2004 statistics shows as recently as July 2004, this blog had less than 6,000 visitors per month, as tracked by Sitemeter . I have no idea how Atom, RSS, and other republishing is affects those statistics. Soon after my first book was published, we broke through the 10,000 per month mark and have never looked back. As you can see from the 2005 chart above, we're at the 22,000 per month mark now, and broke through 25,000 in August during my coverage of Ciscogate . This blog continues to be a nonpaying venture, despite offers to commercialize, syndicate and repackage the content elsewhere. Others already do this without my permission, but I thank those more responsible people who ask before posting my content elsewhere. For example, I've given the great publisher Apress blanket permission to quote anything I say here. This is my small way to say thank you for th

I just registered for the two-day Black Hat Federal Briefings 2006 in Crysal City, Arlington, VA. Tomorrow (1 Jan 06) appears to be the last day to register for the conference at a discounted rate. I decided to pay my way to the briefings because the event is local and the lineup looks very good. The rate until tomorrow is $895, and after that the price is $1095.

Victor Oppleman, co-author of a great book called Extreme Exploits , is writing a new book. The title is The Secrets to Carrier Class Network Security , and it should be published this summer. Victor asked me to write a chapter on network security monitoring for the new book. Since I do not recycle material, I am working on a chapter with new material. I intend to discuss internal monitoring because I am consulting on such a case now. Do any of you have stories, comments, suggestions, or other ideas that might make good additions to this chapter? For example, I am considering addressing threat-centric vs. target centric sensor positioning, internal network segmentation to facilitate visibility, tapping trunks, new sorts of taps, sensor clusters, and stealthy internal sensor deployment. Does that give any of you ideas? Anything submitted will be given credit via an inline name reference like "Bamm Visscher points out that..." or a footnote with your name and a reference

Ethereal version 0.10.14 was released Tuesday. It addresses vulnerabilities in the IRC, GTP, and OSPF protocol dissectors. Smart bot net IRC operators could inject evil traffic to attack security researchers looking at command and control messages. That's a great reason to not collect traffic directly with Ethereal. Instead, collect it with Tcpdump, then review it as a non-root user using Ethereal.

I am happy to announce the availability of the first public Sguil sensor, server, and database in VM format. It's about 91 MB. Once it has been shared with all of the Sourceforge mirrors, you can download it here . I built it using the script described earlier . So how do you use this? First, you need to have something like the free VMware Player for Windows or Linux. You can also use VMware Workstation or another variant if you like. When you download sguil0-6-0p1_freebsd6-0_1024mb.zip and expand it, you will find a directory like this: FreeBSD.nvram FreeBSD.vmsd FreeBSD.vmx FreeBSD-000001-cl1.vmdk By opening the FreeBSD.vmx file in VMware Player, you should be able to start the VM. Here are some important details. The root password is r00t . The user analyst is a member of the wheel group, so it can su to root. The analyst password is analyst . The user sguil is not a member of the wheel group, so it can not directly su to root. The sguil password is sguil .

My last Sguil Installation Guide , for Sguil 0.5.3 was a mix of English description and command line statements. This did not help much when I needed to install a new Sguil deployment. I essentially followed my guide and typed everything by hand. Today I decided that would be the end of that process. I am excited by the new InstantNSM project, and I intend to support it with respect to FreeBSD. But for today, I decided to just script as many Sguil installation commands as possible. For items that I couldn't easily script (due to my weak script-fu), I decided to edit the files manually and generate a patch for each one. This post describes the end result, which you can download at www.bejtlich.net/sguil_install_v0.1.sh . I should warn you that this is not meant for public production use. However, someone trying to install Sguil might find it useful. The purpose of this script is to automate, as much as possible, the creation of a Sguil sensor, server, and database on a F

I'm currently working on a VM image of FreeBSD 6.0 with the components needed for a demonstration Sguil sensor, server, and database deployment. I'm using a minimal FreeBSD installation; /usr, for example, began at 100 MB. I intend to install as many Sguil components as possible using precompiled packages. Unfortunately, the Barnyard package used to read Snort unified output spool files does not contain support for the latest version of Sguil. To deal with this problem, I am creating a custom Sguil package. I'm not building the package on the host that will eventually run Barnyard. That host, gruden, does not have a compiler and other development tools. Instead I'm working on the package on another FreeBSD 6.0/i386 host, sguilref. First I see what packages Barnyard needs to build. sguilref:/usr/ports/security/barnyard# make pretty-print-build-depends-list This port requires package(s) "autoconf-2.59_2 m4-1.4.3 perl-5.8.7" to build. I know sguilref ha

The October 2005 and December 2005 issues of login magazine feature some interesting articles. Michael W. Lucas wrote FreeBSD 5 SMPng , which does not appear to be online and will be available to non-USENIX members in October 2006. Michael uses layman-friendly language to explain architectural decisions made to properly implement SMP in FreeBSD 5.x and beyond. He explains that removing the Big Giant Lock involved deciding to "make it run" first and then "make it fast" second. Given the arrival of dual-core on the laptop, desktop, and server, with more cores on the way, FreeBSD's SMP work is being validated. Marc Fiuczynski wrote Better Tools for Kernel Evolution, Please! about the problems with the current Linux kernel development model. I am not sure his proposed solution, C4 (CrossCutting C Compiler), is the answer. As mentioned in the conference report on Marc's talk at HotOS X , "Jay Lepreau commented that the problem is that Linux has

Yesterday I described why the scenario depicted above does not work. Notice, however, that the hub in the figure is an EN104TP 10 Mbps hub. Sensors plugged into the hub see erratic traffic. If that 10 Mbps hub is replaced with a 10/100 Mbps hub, like the DS108 , however, the situation changes. With a 100 Mbps hub, each sensor can see traffic without any problems. Apparently the original issue involved the 10 Mbps hub not handling traffic from the single interface of the port aggregator tap, which must have operated at 100 Mbps and failed to autonegotiate to 10 Mbps properly. We also previously explained why the next setup is a terrible idea: In a very helpful comment to the last post, Joshua suggested the following setup: This arrangement takes the output of a traditional two output tap and sends each output to a separate 100 Mbps hub. Sensors can then connect one output from each of their two sniffing interfaces to each hub. The sensor must take care of bonding the traffic on

Several of you have asked about my experiences using FreeBSD sensors inside VMware Workstation . I use VMs in my Network Security Operations class. I especially use VMs on the final day of training, when each team in the class gets access to a VM attack host, a VM target, a VM sensor, and a VM to be monitored defensively. As currently configured, each host has at least one NIC bridged to the network. The sensor VMs have a second interface with no IP also bridged to the network. When any VM takes action against another, the sensors see it. This scenario does not describe how a VM sensor might watch traffic from a tap, however. I decided to document how to use VMware to create a sensor that sniffs traffic from a tap. I outline two scenarios. The first uses a port aggregator tap with a single interface out to a sensor. The second uses a traditional tap with two interfaces out to a sensor. The VMware Workstation host OS in this study is Windows Server 2003 Enterprise x64 Editio

I've written about not using taps with hubs in January 2004 and again in a prereview of Snort Cookbook . The diagram below shows why it's a bad idea to try to "combine" outputs from a traditional tap into a hub. The diagram shows a traditional two-output tap connecting to a hub. Why would someone do this? This unfortunate idea tries to give a sensor with a single sniffing interface the ability to see traffic from both tap outputs simultaneously. The proper way to address the issue is shown below. A method to bond interfaces with FreeBSD is listed here . We could avoid the interface bonding issue if we replace the dual output tap with a so-called port aggregator tap , like the one pictured at left. As long as the total aggregate bandwidth of the monitored link does not exceed 100 Mbps (for a 100 Mbps tap), then we can use it as shown below. What do we do if we have more than one sensor platform? In other words, we may have an IDS and some other device that need

I just updated my events site at TaoSecurity . I keep track of speaking engagements there. For example, I will speak at DoD Cybercrime , SchmooCon 2006 , RSA Conference 2006 , the 2006 Rocky Mountain Information Security Conference , and the 2006 Computer and Enterprise Investigations Conference . I will submit tutorial proposals for USENIX 2006 and USENIX Security 2006 , and Black Hat USA Training 2006 . What conferences do you attend? Do you think I should try to speak there? Based on your knowledge of my interests (through this blog), what do you think I should discuss? Should I speak to your company or organization? At the moment I have several private Network Security Operations classes on tap for 2006, and my schedule for the first half of the year is already filling. I appreciate your feedback!

Every time I attend a USENIX conference, I gather free copies of the ;login: magazine published by the association. The August 2005 issue features some great stories, with some of them available right now to non-USENIX members. (USENIX makes all magazine articles open to the public one year after publication. For example, anyone can now read the entire December 2004 issue.) An article which caught my eye was Forensics for System Administrators by Sean Peisert . Although the USENIX copy of the article won't be published until August 2006, you can read Sean's copy here (.pdf). I thought the article was proceeding well until I came across this advice. "What happens when there is some past event that a system administrator wishes to understand on their system? Where should the administrator, now a novice forensic analyst, begin? There are many variables and questions that must be answered to make proper decisions about this. Under almost all circumstances in which t

Yesterday I blogged about reprinted material in Syngress' "new" Writing Security Tools and Exploits . A commment on that post made me take another look at this book in light of other books by James Foster already published by Syngress. Here is what I found. Chapter 3, "Exploits: Stack" is the same as Chapter 5, "Stack Overflows" in Buffer Overflow Attacks , published several months ago. Chapter 4, "Exploits: Heap" is the same as Chapter 6, "Heap Corruption" in Buffer . Chapter 5, "Exploits: Format String" is the same as Chapter 7, "Format String Attacks" in Buffer . Chapter 6, "Writing Exploits I" is the same as Chapter 10, "Writing Exploits I" in Sockets, Shellcode, Porting, and Coding , another Syngress book by Foster published several months ago. Chapter 7, "Writing Exploits II" is the same as Chapter 11, "Writing Exploits II" in Sockets . Chapter 8, "Coding for

Yesterday I posted a pre-review for Penetration Tester's Open Source Toolkit . I wrote that I thought the two chapters on Metasploit looked interesting. Today I received a review copy of the new Syngress book pictured at left, Writing Security Tools and Exploits by James Foster, Vincent Liu, et al. This looks like a great book, with chapters on various sorts of exploits, plus sections on extending Nessus, Ethereal, and Metasploit. Metasploit, hmm. I looked at chapters 10 and 11 in Writing and found them to be identical to chapters 12 and 13 in Penetration . Identical! I can't remember the last time I saw a publisher print the same chapters in two different books. I assume James Foster wanted the chapters he wrote for Penetration to appear in Writing because he follows with a new chapter 12 on more Metasploit extensions. This realization made me remember another Syngress book that I received earlier this year -- Nessus, Snort, & Ethereal Power Tools . I saw th

Real thin clients, like the Sun Ray 170 , don't run operating systems like Windows or Linux. I like the Sun Ray, since its Sun Ray Server Software runs on either Solaris or Red Hat Enterprise Linux. That's fine for users who want to access applications on Solaris or Linux. What about those who need Windows? I can think of four options: Run a Windows VM inside the free VMware Player on the Red Hat Enterprise Linux user's desktop. Run VMware Workstation on each user's desktop. Run VMware GSX Server on the Red Hat Enterprise Linux server running Sun Ray Server Software, and let users connect to the Windows VMs using the VMware Virtual Machine Console Run VMware ESX Server on a separate platform, and let users connect to the Microsoft VMs using the Remote Console Is anyone trying this already? Update : I noticed a similar issue appeared in the VMTN Blog .

Trafshow is a ncurses -based program that shows a snapshot of active network sessions in near real time. I like to use it with OpenSSH sessions on sensors to get a quick look at hosts that might be hogging bandwidth. Recently Trafshow 5 became available in the FreeBSD ports tree ( net/trafshow ), so I have started using it. When I showed it in class last week, I realized I did not recognize the color scheme depicted in the screen shot above. I learned that the configuration file /usr/local/etc/trafshow controls these colors: # The colors are: # black red green yellow blue magenta cyan white # # The upper-case Fcolor mean bright *on* and Bcolor blink *on*. # #default white:blue # following color settings looks nice under black-on-gray xterm (xterm-color) # Private IP Addresses will be alarmed by Red foreground. # Source Destination Color 10.0.0.0/8 any Red any 10.0.0.0/8 Red 127.0.0.1/8 any Red any

Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably 1/2 thicker than my first book, but at 704 pages it's nearly 100 pages shorter than Tao . I think Syngress used thicker, "softer" paper, if that makes sense to anyone. The majority of the book appears to be the standard sort of hacker stuff one finds in books like Hacking Exposed , with some exceptions. The book contains two chapters on Metasploit which look helpful. I do not know yet how well these Metasploit 2.0-based chapters apply to the new Metasploit 3.0, whose alpha stage was announced last week. Similarly, chapters on Nessus may not hold up well for Nessus 3.0, also recently released . A major selling point of the new book is its integration of the Auditor live CD. I learned that Auditor is going to merge with "competito

Thanks to a heads-up from "yomama" in the #snort channel, I learned of this advisory from Tim Shelton: "A vulnerability was identified in VMware Workstation (And others) vmnat.exe, which could be exploited by remote attackers to execute arbitrary commands. This vulnerability allows the escape from a VMware Virtual Machine into userland space and compromising the host. 'Vmnat' is unable to process specially crafted 'EPRT' and 'PORT' FTP Requests." This implies that someone who connects to a FTP server using traffic that is processed by vmnat.exe can exploit vmnat.exe. As a VMware Workstation user, I am glad to see they have published a new version to address the vulnerability.

Given the recent coverage of wiretapping in the mainstream media, I thought I would point out two excellent articles in the latest issue of IEEE Security & Privacy Magazine . Thankfully, both are available online: Signaling Vulnerabilities in Wiretapping Systems by Micah Sherr, Eric Cronin, Sandy Clark and Matt Blaze Security, Wiretapping, and the Internet by Susan Landau Both concentrate on technical issues of wiretapping. The first concentrates on how to tap a physical line or switch, and ways to defeat those taps. The second describes why incorporating wiretap features into VoIP is a bad idea. Each article discusses relevant laws.

I received my copy of Cisco's Packet Magazine, Fourth Quarter 2005 recently. The new digital format for the magazine makes linking to anything impossible, but I found the relevant article as a .pdf. It describes the company's Application-Oriented Networking (AON) initiative. According to this story that quotes Cisco personnel, AON "is a network-embedded intelligent message routing system that integrates application message-level communication, visibility, and security into the fabric of the network." According to this document : Cisco AON is currently available in two products that integrate into Cisco switches and routers: Cisco Catalyst® 6500 Series AON module, which is primarily deployed in enterprise core or data centers Cisco 2600/2800/3700/3800 series AON module, which is primarily deployed at branch offices AON is part of Cisco's Intelligent Information Network project. From the article: "The Cisco AON module in the branch puts intelligent dec

I've written about Sun's Sun Ray 170 thin client before. The Sun Ray is a true thin client, and to me it is the best way for enterprises to win the battle of the desktop against Microsoft-centric threats. Accordingly, I would like to congratulate the US Navy after reading Navy opts for thin-client systems onboard ships : "Bob Stephenson, chief technology officer for command, control, communications, computers and intelligence operations at Spawar, said the Navy plans to use the thin-client systems from Sun Microsystems on all major surface ships in the fleet. Thin clients will be installed on 160 vessels, Stephenson said. .. Mario Diaz, Sun Microsystems' Navy sales manager, said the Navy will deploy the company's Sun Ray thin clients connected to servers running the Trusted Solaris operating system, which can collapse multiple networks onto a single network while providing separate levels of classification." As a former Air Force officer, I'm biased to

Sguil 0.6.0p1 introduced the use of MERGE tables in MySQL to improve database performance. Sguil 0.6.1, in development now, will bring UNION functionality to database queries. This will also improve performance. Consider the following standard event or alert query in Sguil. This query says return Snort alerts where 151.201.11.227 is the source IP OR the destination IP. OR is a slow operation compared to UNION. Sguil 0.6.1 will use a new query. Here we look for Snort alerts where 220.98.198.35 is the source IP address, and use UNION to return those results with alerts where 220.98.198.35 is the destination IP address. UNION functionality was not available in MySQL 3.x, but it appeared in 4.x. Many Sguil users are running MySQL 5.x now. Those screen shots just show the WHERE portions of the database queries. Here is each version of similar queries look like in their entirety: Sguil 0.5.3 and older: SELECT sensor.hostname, sancp.sancpid, sancp.start_time as datetime, sancp.en

This morning I read stories by Brian Krebs and Joris Evers explaining how Guidance Software , maker of host-based forensics suite Encase , was compromised. Guidance CEO John Colbert claims "a person compromised one of our servers," including "names, addresses and credit card details" of 3,800 Guidance customers. Guidance claims to have learned about the intrusion on 7 December. Victim Kessler International reports the following: "Our credit card fraud goes back to Nov. 25. If Guidance knew about it on Dec. 7, they should have immediately sent out e-mails. Why send out letters through U.S. mail while we could have blocked our credit cards?" Guidance could face severe financial trouble. According to reporter Joris Evers: "Guidance stored customer names and addresses and retained card value verification, or CVV, numbers, Colbert said. The CVV number is a three-digit code found on the back of most credit cards that is used to prevent fraud in onlin

I finally got a chance to try Tcpdump 3.9.4 and Libpcap 0.9.4 on FreeBSD using the net/tcpdump and net/libpcap ports. I was unable to install them using packages, so I used the ports tree. I initally got the following error: ===> Extracting for tcpdump-3.9.4 => MD5 Checksum OK for tcpdump-3.9.4.tar.gz. => SHA256 Checksum OK for tcpdump-3.9.4.tar.gz. ===> Patching for tcpdump-3.9.4 ===> tcpdump-3.9.4 depends on shared library: pcap.2 - not found ===> Verifying install for pcap.2 in /usr/ports/net/libpcap ===> WARNING: Vulnerability database out of date, checking anyway => libpcap-0.9.4.tar.gz doesn't seem to exist in /usr/ports/distfiles/. => Attempting to fetch from http://www.tcpdump.org/release/. libpcap-0.9.4.tar.gz 100% of 415 kB 73 kBps ===> Extracting for libpcap-0.9.4 => MD5 Checksum OK for libpcap-0.9.4.tar.gz. => SHA256 Checksum OK for libpcap-0.9.4.tar.gz. ===> Patching for libpcap-0.9.4 ...