TaoSecurity Blog

2006 was my most productive reading and reviewing year yet. I read and reviewed 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005. This year I read and reviewed 52 books. I was determined to make as big a dent as possible in the huge stack of books sent to me by publishers and blog readers, and I made a lot of progress. My ratings yielded the following: 1 star: 0 books 2 stars: 1 book 3 stars: 9 books 4 stars: 29 books 5 stars: 13 books Because I don't try to read every book, I'm glad my ratings are skewed towards the higher end. I don't intentionally read books I expect to be bad. I thought I would list the 13 books that I gave five stars, starting with my favorite and working down. 802.11 Wireless Networks: The Definitive Guide, 2nd Ed by Matthew S Gast: A first-rate technical book that dispels myths by speaking authoritatively and comprehensively. Running IPv6 by Iljitsch-van-Beijnum: A close second, this book nicely describes IPv

Thank you to Patricia at No Starch for sending me two copies of Jon Stokes' Inside the Machine . I was drawn to this book by an Amazon.com review which said this: This book is an introduction to computers that fills the gap between classic and challenging books like Hennesy and Patterson's, and the large number of "How Your Computer Works" books that are too basic for engineers. I like the fact the book covers a variety of microprocessor types. Comparison is a great teaching method. I didn't know who Jon Stokes was, but you can follow that link to read about his motivation for writing the book. I plan to read and review the new book next month.

It would be nice if the Tag in this situation were a watch, but it turns out Martin McKeay has blog-tagged me . I'm supposed to mention five items you probably don't know about me, and then name five of my fellow bloggers. Here goes. I'm a 1994 graduate of the US Air Force Academy . I graudated third of 1024 cadets, with degrees in history and political science, and minors in French and German. However, my whole life I wanted to attend my backyard school, the Massachusetts Institute of Technology (MIT). I was accepted to USAFA first, and when the letter arrived there seemed to be no question about where I should attend. Admission to USAFA requires acceptance by the school (not easy for a nearly-blind non-flyer like me) and Congressional appointment (thanks Ed Markey and Ted Kennedy -- I can't believe I said that). So, USAFA was the "long shot" and it seemed like the opportunity of a lifetime. I still wonder if I should have attended MIT (on an Air For

SearchSecurityChannel.com (SSC) has posted my first Snort Report . This is a new monthly series I'm writing for SSC that is starting at ground zero with Snort and working towards greater levels of complexity. I thought it would be helpful to begin by explaining how to install Snort in a manner that allows easy testing of new versions while running older versions. I also discuss the modes Snort supports. Next month I describe the snort.conf file and show how to get Snort to perform useful work in IDS mode without using a single rule. Is there some aspect of Snort you'd like to know more about? I may not have all the answers tumbling around in my head, but I can do research and ask some of the best Snort minds around if necessary.

As a security person I try to take notice of security measures in non-digital settings. These are a few I noticed this week. When visiting a jewelry store, I saw a sign say the following: "Our insurance policy does not permit us to remove more than one item at a time from this display case." This sign was attached to a case containing the store's most valuable jewelry. This is an example of limiting exposure by restricting access to one asset at a time. In a more generic sense, the digital version might involve following guidelines applied by an insurance company. Perhaps they would require WPA2 for wireless networks, etc. I received a check from a client. Underneath the signature line I read "Two signatures required for amounts over $75,000." This is an example of dual accountability. It requires someone writing fraudulent checks to have an accomplice. The digital version involves requiring two privileged users acting together to accomplish a particula

In my 2005 book Extrusion Detection (p. 27) I defined the term pervasive network awarenesss (PNA): A truly defensible network permits security administrators to achieve pervasive network awareness. Pervasive network awareness is the ability to collect the network-based information -- from the viewpoint of any node on the network -- required to make decisions. Today while perusing Webcasts at Gigamon University , I listened to a Gigamon presentation on a "data access network" (so-called "DAN") built as the Interop SpyNet , shown earlier. This is exactly an implementation of PNA. The Interop network and security admins can monitor the InteropNet and see traffic anywhere they like. This Interop Blog post provides a portal into discussions of the SpyNet, including history showing the idea stretches back to 1996. This shows that PNA is a good idea, and like many good ideas, not even new! At some point I would like to see a SpyNet in person. I will be in Aus

I wanted to quickly highlight two FreeBSD developments. First, FreeBSD 6.2 RC2 is available . Assuming nothing serious happens, expect FreeBSD 6.2 RELEASE in about two weeks. This post explains the various .iso images. This post explains real weaknesses in the FreeBSD installation documentation, from the standpoint of a person not familiar with FreeBSD. Second, Dru Lavigne explained how the new modular X.org works: xorg 7.x is modular. In practical terms, this means that every driver, font, and application has its own port/package. To spell it out more clearly: my full installation of xorg 6.9 comprised 11 packages; a complete install of xorg 7.2 comprised just over 300. I think it will be cool to only have to install a dozen or so ports in order to run X, instead of 300+. (Right now the equivalent is installing everything and then using only a small portion of the code.) On a related FreeBSD note, I just subscribed to the RSS feed from Planet BSD . I can't believe what

I came across this press release from Solera Networks on their open source DataEcho application. DataEcho is a Windows program that captures live traffic or reads traces in Libpcap format. It's best used for interpreting Web traffic, as shown in this screen capture of a visit to www.bejtlich.net recorded in Wireshark and fed to DataEcho. My Web site doesn't render that well because it uses CSS, but you can see how DataEcho breaks down the Web traffic. This is a similar view from Wireshark, sorted on the last column. Besides DataEcho, I found a SourceForge project page for a Solera-related " tEthereal Network Forensic Console ", which says: Management Console to reconstruct emails, web sessions, VOIP sessions, FTP, and all known supported Internet Protocols for Network Forensics. ***UPDATE*** Project release scheduled. That looks interesting, but no files are available. I have been exchanging emails with Solera CEO Terry Haas, so I hope to find out more about th

This is a follow-up to Incorrect Insider Threat Perceptions . I think security managers are worrying too much about insider threats compared to outsider threats. Let's assume, however, that I wanted to spend some time on the insider threat problem. How would I handle it? First, I would not seek vulnerability-centric solutions. I would not even really seek technological solutions. Instead, I would focus on the threats themselves. Insider threats are humans. They are parties with the capability and intention to exploit a vulnerability in an asset. You absolutely cannot stop all insider threats with technical solutions. You can't even stop most insider threats with technical solutions. You should focus on non-technical solutions. (Ok, step two is technical.) Personnel screening: Know who you are hiring. The more sensitive the position, the deeper the check. The more sensitive the position, the greater the need for periodic reexamination of a person's threat likeli

Search my blog for "insider threat" and you'll find plenty of previous posts. I wanted to include this post in my earlier holiday reading article, but I'd figure it was important enough to stand alone. I'm donning my flameproof suit for this one. The cover story for the December 2006 Information Secuirty magazine, Protect What's Precious by Marcia Savage, clued me into what's wrong with security managment and their perceptions. This is how the article starts: As IT director at a small manufacturer of specialized yacht equipment, Michael Bartlett worries about protecting the firm's intellectual property from outsiders. But increasingly, he's anxious about the threat posed by trusted insiders. His agenda for 2007 is straightforward: beef up internal security. "So far, we've been concentrating on the perimeter and the firewall, and protecting ourselves from the outside world," says Bartlett of Quantum Marine Engineering of Florida.

During some holiday downtime I managed to catch up on some reading. Recently I mentioned the ISO/IEC 27001 standard. The November 2006 ISSA Journal featured an article by Taiye Lambo of eFortresses , an ISO/IEC 27001 consultancy. From what I read it seems ISO/IEC 27001 is a good option for organizations leaning towards related ISO standards like 9000 . After posting NAC Is Fighting the Last War , I read another ISSA Journal article titled Beyond NAC: The value of post-admission control in LAN security by Jeff Prince of ConSentry . Jeff uses the terms "Network Admission Control" and "Network Access Control" to both describe NAC, although I believe he meant to use the former throughout the article. Jeff discusses the importance of controlling a user's activity once he is allowed onto the LAN, hence the "post-admission" aspect. This function will eventually find its way into everyone's switches, so I wouldn't rush out to buy separate n

Today I received an email which said in part: I'm brand new to the IT Security world, and I figure you'd be a great person to get career advice from. I'm 30 and in the process of making a career change from executive recruiting to IT Security. I'm enrolled in DeVry's CIS program, and my emphasis will be in either Computer Forensics or Information Systems Security. My question is, knowing that even entry-level IT jobs require some kind of IT experience, how does someone such as myself, who has no prior experience, break into this exciting industry? My plan is to earn some of the basic certifications by the time I graduate (A+, Network+, Security+). What else should I be doing? What introductory books and resources can you recommend? I thought I'd discussed this sort of question before, but all I found was my post on No Shortcuts to Security Knowledge and Thoughts on Military Service . I believe I cover this topic in chapter 13 of Tao . To those who are al

I noticed this BSD News story mentioned a long-running VMTN thread showing requests for FreeBSD to be supported as a VMware host OS. This means you could run VMware on FreeBSD, instead of Windows, Linux, or (soon) Mac OS X. If you share this interest, please post to the VMTN thread and let your desire be known. Thank you.

I found the following quote by Microsoft's Ray Ozzie, in The Web 2.0 World According to Ozzie , to be fascinating: "In terms of managing trust boundaries, one of the huge challenges that enterprises are going to have is...managing trust between components of composite applications... "We believe there should be significant auditing within service components—such that when you do expose a partner to certain enterprise data...you have a complete record of the kinds of things that their app did." (emphasis added) I think Mr. Ozzie is advocating application security monitoring , a cousin of network security monitoring. If Mr. Ozzie is being as clever as I think he might be, he's realizing that it's going to be nearly impossible to run Web services and the like "securely." We're going to have to rely on monitoring and response since prevention will be far too complex. Resistance will be tried, but will be -- you guessed -- futile.

TIME magazine's cover story a few weeks ago was Why We Worry About The Things We Shouldn't... ...And Ignore The Things We Should . There's no direct relationship to digital security, but I found it interesting to read about risk perceptions in the analog world.

Thanks to nikns in #snort-gui for pointing me towards this 23rd Chaos Communication Congress talk on an alternative to Wireshark created by Andreas Bogk and Hannes Mehnert. This blog post explains the rationale behind this new tool, still in its infancy and nowhere nearly feature-complete as Wireshark. Two implementations exist. Here is a screenshot of GUI-sniffer: Here is a screenshot of Network Night Vision : These applications are written in the Dylan programming language, which is new to me. There's a lang/dylan FreeBSD port, but as you can see I just tried running the Windows binaries. The authors have written a paper (.pdf) that describes the project in detail. From the first part of the paper: The security industry is in a paradox situation: many security appliances and analysis tools, be it IDS systems, virus scanners, firewalls or others, suffer from the same weaknesses as the systems they try to protect. What makes them vulnerable is the vast amount of structur

Web site defacement mirror Zone-H posted a revealing report on the recent defacement of their own site. The intrusion resulted from a combination of human and technical failures. The moral of the story is that anyone can be compromised, because the attacker has the initiative. The attacker is usually more motivated and has more time, and resources than the defender. In a world where anyone can be compromised, there is no excuse for not monitoring and preparing for incident response. Every digital resource is a future victim. The "solution" to intrusions is analog: arresting the intruders . It is not technical.

My post on the IETF Network Endpoint Assessment Working Group elicited a comment that suggested I expand on my thoughts, namely that Cisco Network Admission Control (NAC) / Microsoft Network Access Protection (NAP) / Trusted Network Connect (TNC) "are all fighting the last war." Let's see what the comment poster's own company has to say about NAC. (Please note that although I use NAC in the text that follows [as used by my sources], I could just as easily say NAP or TNC or NEA. I only single out Cisco because they are investing so much effort into NAC.) Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and P

One of my clients wants to know if it's possible to implement something like the DoD Common Access Card (CAC, not "CAC card") in a commercial setting. In other words, you use a single card for building access, PC access, etc. Is anyone using something like that in their organization?

I'm not an auditor or CPA, thank goodness. The first time I heard of SAS 70 (Statement on Auditing Standards No. 70, Service Organizations) happened when I visited Symantec in October. Last week, however, one of my clients asked what I knew about SAS 70. I knew Symantec used its SAS 70 results as a way to avoid having every Symantec managed security service client perform its own audit of Symantec. My client wanted to know if his company might also benefit from getting a SAS 70 audit. I found an exceptionally helpful CSO Online article by Michael Fitzgerald about SAS 70. I'd like to share some insights from it. A spokeswoman for the body that created SAS 70 doesn't actually recommend it for security purposes. "It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical manager on the audit and test standards team at the American Institute of Certified Public Accountants (AICPA), which created SAS 70...

For my 1700th post (as reported by the new Blogging infrastructure) I thought I would report on an issue I'm looking at in Sguil right now. I have 1586 of the following alerts like the following aggregated in my Sguil console. This is the text representation. Count:1 Event#1.130182 2006-12-15 15:57:32 DOS MSDTC attempt a.b.c.d -> e.f.g.h IPVer=4 hlen=5 tos=0 dlen=1388 ID=16858 flags=0 offset=0 ttl=55 chksum=38030 Protocol: 6 sport=10000 -> dport=3372 Seq=3640110148 Ack=536397245 Off=5 Res=0 Flags=***A**** Win=65535 urp=15810 chksum=0 Payload: 35 69 86 C2 00 00 04 1E B1 B6 7E 19 FC 4A 28 87 5i........~..J(. 18 7C 2E F4 12 68 F1 79 66 F6 D0 17 D0 26 5A 48 .|...h.yf....&ZH C6 0A 54 AB 58 42 9A F4 83 7A 85 3F E3 40 AD CB ..T.XB...z.?.@.. AF 1C 03 EE DE CD 38 94 1E 1F 55 8C 99 E8 1A 4E ......8...U....N ...truncated... They were caused by this rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>10

I switched today to the new Blogger infrastructure. A few of my students from USENIX LISA were Google employees. They encouraged me to switch. I did try to do so last week, but I received an error saying my blog had too many postings (or something to that effect). Today, however, I was able to move all my blogs to the new system. Let me know if you see any problems. Thank you.

The December 2006 (.pdf) issue of (IN)SECURE Magazine is available. Interesting articles include Web 2.0 Defense with AJAX Fingerprinting and Filtering by Shreeraj Shah, and another "virtual trust" article by Ken Belva and Sam DeKay.

Dark Reading posting an article on the new Network Endpoint Assessment (nea) IETF working group. The description says, in part: Network Endpoint Assessment (NEA) architectures have been implemented in the industry to assess the "posture" of endpoint devices for the purposes of monitoring compliance to an organization's posture policy and optionally restricting access until the endpoint has been updated to satisfy the posture requirements. An endpoint that does not comply with posture policy may be vulnerable to a number of known threats that may exist on the network. The intent of NEA is to facilitate corrective actions to address these known vulnerabilities before a host is exposed to potential attack. Note that an endpoint that is deemed compliant may still be vulnerable to threats that may exist on the network. The network may thus continue to be exposed to such threats as well as the range of other threats not addressed by maintaining endpoint compliance. I have

Earlier this year I covered Check Point 's attempt to purchase Sourcefire . Well, Check Point bought another vendor -- NFR -- for $20 million. Talk about market valuation; Sourcefire's sale price was $225 million. NFR is also down to 22 employees, according to the press release. Although the FAQ says Check Point intends to continue to sell, support, and develop an independent NFR Security product line. I doubt that will last. It doesn't make sense to buy the technology but not integrate it into Check Point's firewalls, and then discard the separate box. At this point it seems we're left with the following IDS/IPS vendors: Cisco 3Com (via Tipping Point ) Juniper Enterasys (Dragon) IBM (via ISS ) McAfee Sourcefire Let's see how that relates to the idea that all network security functions will collapse to switches . The first four sell switches, so I expect them to lead that drive. The fifth (ISS) is owned by IBM, who is more interested in services thes

Two publishers were kind enough to send new books last week. I plan to read and review both early next year. The first is McGraw-Hill/Osborne's Hacking Exposed: VoIP by David Endler and Mark Collier. The best Hacking Exposed books introduce a new technology, then demonstrate ways to break it that a reader can duplicate. I like seeing new HE books on specific issues, rather than having everything rolled into a single book. The second is Syngress' Wireshark & Ethereal Network Protocol Analyzer Toolkit by Angela Orebaugh and friends. This looks like an updated edition of 2004's Ethereal Packet Sniffing , which I really liked. Jose Nazario's review gave it four stars, partly due to editing problems. I plan to read this book and let you know what I think.

In June and July this year I devoted several posts to covering the Duronio intrusion where my friend Keith Jones served as prosecution expert witness. Keith called this week to tell me Roger Duronio was sentenced to 8 years and one month jail time for his crimes. Great work Keith!

Saad Kadhi kindly pointed me to this blog post which summarizes a talk given by Marty Roesch. Saad describes Marty's plans for Snort 3.0, and I recommend taking a look.

I've been exceptionally busy teaching all week at USENIX LISA , so blogging has been pushed aside. However, I literally read the Matasano Blog first, of all the Bloglines feeds I watch. This evening I read their great post Matasano Security Recommendation #001: Avoid Agents . They really mean "Minimize Agents," as noted in their summary: Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by: 1. Minimizing the number of machines that run agent software. 2. Minimizing the number of different agents supported in the enterprise as a whole. I absolutely agree with these statements. One of the first signs that you are dealing with a clueless security manager is the requirement to run anti-virus on every system. I shared the pain of such a foolish idea yesterday with a student who is struggling to meet such a mandate. He must deploy anti-virus on his Unix-like servers (I forget what OS -- something not common, however), a

I will attend a book signing event at USENIX LISA 06 at the Wardman Park Marriott Hotel in Washington DC from 1230-1330 on Thursday 7 December. Representatives from Reiters will be selling books there as part of the conference expo from 1000-1400 on Thursday. Please stop by to say hello if you'd like a book signed. I'll return to LISA on Friday to teach Network Security Monitoring with Open Source Tools . You can still sign up onsite if you'd like to attend. Thank you.

I'd like to address a few issues that arose during class Sunday and Monday. First, someone asked about interoperability between the various Ethernet frame types. Page 75 of the excellent Troubleshooting Campus Networks states Two stations cannot communicate unless they share a common frame format, which is sometimes beneficial. For example, if you have two networks on a physical medium that you wish to keep separate for security reasons, you can configure the networks for different frame types and they won't communicate with each other. I don't agree with the "security" aspect, since the a station on a SPAN port can still see the traffic through promiscuous sniffing. Still, now you know that a host using Ethernet II framing can't talk to one using 802.3 LLC SNAP, for example. One of you asked how a host knows the length of an Ethernet II frame if the frame doesn't carry a length filed like 802.3. This FAQ claims: How is the length of an Ethernet II fr

Two publishers were kind enough to send new books last week. I plan to read and review both early next year. The first is Apress' Beginning C, 4th Ed by Ivor Horton. What, learn C? I don't expect or plan to become any C wizard by reading this and a few other books. Rather, I'd like to be able to understand code I come across, or perhaps make small modifications to otherwise useful programs. Any original programming I plan for 2007, I expect to use Python. Second is Syngress' FISMA Certification & Accreditation Handbook by Laura Taylor. Talk about moving from something useful (C) to something not (FISMA). Still, this seems like the only book on the subject, and FISMA is always a big discussion item at my local beltway bandit ISSA meetings. I hope this book will let me better understand the FISMA racket and why it's a waste of money. Of course, the book will not use those terms, but I will report what I find when I review it early next year.

This note is intended for students in days one and two of TCP/IP Weapons School on 3-4 December 2006 at USENIX LISA in Washington, DC. These are the tools that will be discussed. Remember, this is a class on TCP/IP -- tools are not the primary focus. However, I needed something to generate interesting traffic. Nemesis Arping Arpdig Arpwatch Arp-sk Dsniff suite Ettercap Yersinia Fragroute Sing Gnetcat Packit Gont attacks ICMPshell The traces we will analyze are available at www.taosecurity.com/taosecurity_tws_v1_traces.zip . You will need to have Ethereal , Wireshark , or a similar protocol analyzer installed to review the traces. Tcpdump might be somewhat limited for this class but you can at least inspect packets with it. There are still a few seats available for TCP/IP Weapons School Part 2 , which covers a little more on layer 3 and then covers layers 4,5,6 and probably 7. I will post a summary of that class' contents soon. If you want to register for Part 2, please v

To mark the launch of Microsoft Windows Vista , CSO Online asked me to write this article . The editor titled it "Security In Microsoft Vista? It Could Happen." I think I took a balanced approach. Let me know what you think. I was pleased to see my FreeBSD reference survived the editor's review!

I've been busy playing with various protocols in preparation for TCP/IP Weapons School in about two weeks. Recently I saw this post by Randall Stewart indicating that Stream Control Transmission Protocol (SCTP) had been added to FreeBSD CURRENT. I poked around in src/sys/netinet/ and found various SCTP files dated 3 Nov 06. Rather than update a FreeBSD 6.x system to 7.0, I decided to look for the latest FreeBSD snapshot . Sure enough, I found the latest 7.0 snapshot was dated 6 Nov 06. I downloaded the first .iso and installed it into a VMware Server VM. The kernel was compiled on 5 Nov 06: $ uname -a FreeBSD freebsd70snap.taosecurity.com 7.0-CURRENT-200611 FreeBSD 7.0-CURRENT-200611 #0: Sun Nov 5 19:31:17 UTC 2006 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 I found the SCTP files I was looking for, too. $ cd /usr/src/sys/netinet $ ls -al *sctp* -rw-r--r-- 1 root wheel 11869 Nov 3 10:23 sctp.h -rw-r--r-- 1 root wheel 83862 Nov 3 14:48 sc

I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates vendors to fix their software. This post isn't about the disclosure debate, however. Instead, I'm wondering what this means for those of us who don't do offensive work, either due to lack of skills or opportunity/responsibility. It occurred to me today that we are witnessing the sort of change that happened to the National Hockey League in the late 1960s and early 1970s. During that time the player pictured at left, Bobby Orr , changed the game of ice hockey forever. For those of you unfamiliar with hockey, teams