Friday, February 24, 2006

Bears Teach Network Security Monitoring Principles

Every once in a while it's good to be reminded of certain principles. In my first book I outlined three lessons I've learned while monitoring intruders. Sometimes threats in nature provide examples of these lessons.

Sguil developer Bamm Visscher pointed me to these images, which I have cropped and annotated for your network security monitoring enjoyment.

NSM Principle 1: Some intruders are smarter than you are.

NSM Principle 2: Intruders are unpredictable.

NSM Principle 3: Prevention eventually fails.

Hence, the need for monitoring, e.g., these photos!

Thank you to GeekBase for posting these -- I hope you prefer me not linking to the photos directly, thereby saving your bandwidth!

Thoughts on Open Source Project Mergers

Last month I blogged my installation of Nepenthes. Today I read the announcement that the Nepenthes and mwcollect projects have merged. From this point forward, the mwcollect Alliance will use Nepenthes to collect malware, and the mwcollect suite will be retired.

This announcement follows a similar development with the Auditor and iWhax assessment live CDs to merge into BackTrack. I think both of these developments are great. There are far too many attackers compared to security developers, so combining forces like this optimizes scarce resources. It would be nice to see similar consolidation in other projects, where appropriate.

Thursday, February 23, 2006

Feds Delay Check Point Acquisition of Sourcefire

Based on a friend's tip, I found myself looking for this press release, which reads in part:

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the world leader in securing the Internet, received notice its pending acquisition of Sourcefire®, Inc. has moved into the investigative stage with the Committee on Foreign Investment in the United States ("CFIUS").

In order to clear the transaction with the United States Government, Check Point submitted two regulatory applications. Check Point received U.S. anti-trust approval and was advised that CFIUS would continue reviewing the application during a 45-day investigative period...

Pursuant to the Exon-Florio legislation, CFIUS reviews proposed foreign acquisitions of U.S. companies in order to protect national security while maintaining the credibility of the United States open investment policy. The Exon-Florio legislation provides for a 30-day review following notification of a potential acquisition. CFIUS has the option to extend the review period for an additional 45-day review (or "investigation").

That press release excerpt sounds fairly tame, but this article is more interesting:

CFIUS has 30 days in which to examine an acquisition. It can extend that period by 45 days for the purposes of investigation. This is exactly what has happened to Check Point. What's more, once the status of an examination becomes "investigative", the acquisition comes under the purview of none other than US President George W. Bush. At the end of the 45 days, CFIUS submits a report to the president, who must announce his decision within 15 days.

All in all then, taking into account the initial 30 day period, the 45 day investigation period, and the 15 days for the presidential decision, it can take 90 days from the initial examination of the application until the president informs Congress whether he chooses to block the deal or not. For Check Point, only the first 30 days have gone by, so that, theoretically, closure of the deal could be put back to the second quarter...

In the case of Check Point and Sourcefire, it is still not clear what the cause pf CFIUS's concern is. It is a fairly rare occurrence for it to choose to investigate such a low-value deal.

Another friend pointed me to this article:

Most foreign U.S. deals are approved after CFIUS completes an informal 30-day probe, but this transaction has raised the eyebrows of some of the panel members, leading to the lengthier examination.

"The fact that they launched a 45-day review means that some serious concerns are being raised," said a national security consultant who formerly worked at the Department of Defense.

Sources said CFIUS representatives from the Department of Defense and the Department of Homeland Security are worried that the deal gives critical computer network security technology to Israel. Sourcefire develops network security and information management systems for Defense Department agencies, in addition to private industry clients.

I'll keep my eye on this. I bet the deal will go through, with the government getting source code access to all Sourcefire products.

VMWare Likes FreeBSD 6.1-BETA2

I just installed FreeBSD 6.1-BETA2 in VMware Workstation 5.5.1 build-19175. I have not seen the same sorts of timing problems shown by FreeBSD 6.0 RELEASE inside the VMs I use and have created for the Sguil project. I did not see any obvious changes that would account for the better behavior. I hope FreeBSD 6.1 RELEASE behaves just as well.

I am not sure if I will create a Sguil VM for FreeBSD 6.1 and Sguil 0.6.1, or if I will wait for a newer version of Sguil. The latest Sguil version mostly contains client-side improvements. The next version of Sguil (release date unknown) will probably integrate the Passive Asset Detection System, so I would want to include that.

Tuesday, February 21, 2006

Brief Thoughts on MJR Pen Testing Post

I learned of this post by Marcus Ranum through commentary by Dave Goldsmith. In brief, I agree with much of what MJR says. However, I think pen testers perform a valuable service. I do not think that it is possible for some modern enterprise code to be fully comprehended by any individual or team of developers or security engineers.

If the code cannot be fully understood statically, it must be tested dynamically. A live test will reveal how the system acts when working, and may reveal unanticipated interactions or vulnerabilities. In light of this fact, I think pen testers who unearth these flaws perform a valuable service. If it's not tested, it's not a service.

Update: Thanks to Tom's comment below, I changed the attribution to fellow Matasano poster Dave Goldsmith.

Monday, February 20, 2006

Wireless FreeBSD 6.0 Update

While preparing for my Network Security Operations class tomorrow, I decided to take a closer look at the state of a few wireless security tools on FreeBSD 6.0. I've used bsd-airtools, specifically dstumbler, before, but I started getting this error when invoking the program with 'dstumbler wi0 -o' as I usually do:

error: unable to ioctl device socket: Invalid argument

Running without '-o' removed the error, but I didn't see any wireless networks. I found that dwepdump also saw no wireless networks. prism2dump, however, still works:

orr:/root# ifconfig wi0 up
orr:/root# prism2ctl wi0 -m
orr:/root# prism2dump wi0
prism2dump: listening on wi0
- [ff:ff:ff:ff:ff:ff <- 0:3:52:f0:b7:60 <- 0:3:52:f0:b7:60]
- port: 7 ts: 208.281597 2:42 10:0
- sn: 45728 (6:f:d8:99:2d:fb) len: 55
- ** mgmt-beacon ** ts: 208.281655 int: 100 capinfo: ess
+ ssid: [STSN]
+ rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0
+ ds ch: 11
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea15

- [ff:ff:ff:ff:ff:ff <- 0:3:52:f0:b7:61 <- 0:3:52:f0:b7:61]
- port: 7 ts: 208.282482 2:39 10:0
- sn: 28096 (b:16:bc:69:49:f) len: 75
- ** mgmt-beacon ** ts: 208.282540 int: 100 capinfo: ess priv
+ ssid: []
+ rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0
+ ds ch: 11
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea15

A new feature of the FreeBSD ifconfig is its ability to list networks, using the following syntax:

orr:/root# ifconfig wi0 list scan
STSN 00:03:52:f0:b7:60 11 0M 0:0 0

I also found that I could see both IEEE802_11 and IEEE802_11_RADIO traffic.
orr:/root# ifconfig wi0 mediaopt monitor channel 11 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 96 bytes
16:36:22.913885 Beacon (STSN) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
16:36:22.914938 Beacon () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY

orr:/root# tcpdump -n -i wi0 -y IEEE802_11_RADIO
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
16:42:04.826729 1.0 Mb/s 2462 MHz (0x00a0) 43dB signal 1dB noise Beacon (STSN)
[1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
16:42:04.827783 1.0 Mb/s 2462 MHz (0x00a0) 38dB signal 1dB noise Beacon ()
[1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY

That's nice, but I wanted to be able to easily find wireless networks again. Enter Kismet. I hadn't tried Kismet on FreeBSD since the port was added, but I gave it a whirl.

The first thing I needed to do was set up a few configuration files.

orr:/usr/local/etc$ diff kismet.conf.sample kismet.conf
< suiduser=your_user_here
> suiduser=richard
< source=none,none,addme
> source=radiotap_bsd_b,wi0,SMC
< channelvelocity=5
> channelvelocity=1

You'll notice I put my userid 'richard' in place, and I configured the radiotap source for my wireless NIC. I changed the channel hopping velocity from 5 per second to 1 per second. At 5 per second my old laptop was running the Kismet server at over 100% CPU.

That was all I needed to do. Next I ran Kismet.

orr:/home/richard/kismet$ sudo kismet
Server options: none
Client options: none
Starting server...
Waiting for server to start before starting UI...
Will drop privs to richard (1001) gid 1001
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (SMC): Enabling monitor mode for radiotap_bsd_b source interface wi0 channel 6...
Source 0 (SMC): Opening radiotap_bsd_b source interface wi0...
WARNING: pcap reports link type of EN10MB but we'll fake it on BSD.
This may not work the way we want it to.
WARNING: Some Free- and Net- BSD drivers do not report rfmon packets
correctly. Kismet will probably not run correctly. For better
support, you should upgrade to a version of *BSD with Radiotap.
Spawned channelc control process 1604
Dropped privs to richard (1001) gid 1001
Allowing clients to fetch WEP keys.
Logging networks to
Logging networks in CSV format to Kismet-Feb-20-2006-6.csv
Logging networks in XML format to Kismet-Feb-20-2006-6.xml
Logging cryptographically weak packets to Kismet-Feb-20-2006-6.weak
Logging cisco product information to
Logging gps coordinates to Kismet-Feb-20-2006-6.gps
Logging data to Kismet-Feb-20-2006-6.dump
Writing data files to disk every 300 seconds.
Mangling encrypted and fuzzy data packets.
Tracking probe responses and associating probe networks.
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf
Using network-classifier based data encryption detection
Dump file format: wiretap (local code) dump
Crypt file format: airsnort (weak packet) dump
Kismet 2005.08.R1 (Kismet)
Logging data networks CSV XML weak cisco gps
GPSD cannot connect: Connection refused
Listening on port 2501.
Allowing connections from
Registering builtin client/server protocols...
Registering requested alerts...
Registering builtin timer events...
Gathering packets...
Starting UI...
Looking for startup info from localhost:2501.... found.
Connected to Kismet server 2005.08.R1 on localhost:2501
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf

Soon I had networks appear. I sorted them by channel so I could select individual networks for inspection. Here is the default screen.

Here are details for one of the channels.

Kismet seems to be perfect for wireless network discovery. The only problem I found is that it does not work with the ndis driver I must use with my Linksys WPC54G ver 3 adapter.

Security in the Cloud

A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking. His company looks like a managed security services firm, except they are latched onto Gartner's security in the cloud idea. That is derived from MCI's (now Verizon's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud!

The No proponent is Bruce Schneier, CTO of Counterpane. He is not exactly saying no to the idea though:

[A] choice between implementing network security in the middle of the network - in the cloud - or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both...

I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn't substitute for security at the endpoints. Defense in-depth beats a single point of failure, and security in the cloud is only part of a layered approach.

So perhaps the argument should have been framed "security only in the cloud"? In that respect, Bruce would obviously disagree because (1) it is a bad idea, due to the security necessity of layered defenses; and (2) as a MSSP, Counterpane would lose business. Counterpane will lose business anyway, since ISPs like Verizon, Sprint, and at&t are offering cloud-based security services. Mr. Miller foolishly favors the abolition of end-user , or "CPE" (Customer Premise Equipment) security:

The bottom line is that the superior protection, economics and speed of deployment of security in the cloud will further marginalize CPE-based managed security. Large carriers will embrace security in the cloud and will obviate the need for CPE systems.

This statement demonstrates Mr. Miller has no concept of security principles.

In any case, I see fewer ISPs offering unfiltered, "clean" pipes, even though the term "clean" seems at odds with carrying "dirty" DoS traffic, spam, and the like. ISPs are already filtering common Microsoft Windows ports. This trend will only continue.

Monitoring the Wrong Places

I am obviously a proponent of network security monitoring, but I am also a strong believer in privacy. The sort of attitude demonstrated in this article disturbs me greatly:

Houston's police chief on Wednesday proposed placing surveillance cameras in apartment complexes, downtown streets, shopping malls and even private homes to fight crime during a shortage of police officers.

"I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?" Chief Harold Hurtt told reporters Wednesday at a regular briefing.

Sure Chief, why don't you lead by example and install cameras in your home. You're not doing anything wrong, are you?

Building permits should require malls and large apartment complexes to install surveillance cameras, Hurtt said. And if a homeowner requires repeated police response, it is reasonable to require camera surveillance of the property, he said...

So, the power of the state should be used to meet the police's wishes?

Andy Teas with the Houston Apartment Association said that although some would consider cameras an invasion of privacy, "I think a lot of people would appreciate the thought of extra eyes looking out for them."

What planet are these people from?

If you don't want your network traffic inspected, you can encrypt it. Unfortunately, there is no encryption in the analog world.

Brian Krebs Botmaster Interview

I highly recommend reading Brian Krebs' latest article Invasion of the Computer Snatchers. Here are a few of my favorite quotes:

"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.

That's great -- what a role model.

The young hacker doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place."

I'm glad to see this genius is so smart that he let the Washington Post provide identifiable information for the whole world to see.

0x80 has also found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses.

Ding ding -- Feds at the door.

Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my front door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer."

Time to find that lawyer, idiot.

[H]e's begun to talk about quitting the criminal hacking scene to join the Army, which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From there, he can imagine a more respectable future working on information technology projects for the military.

Sure, like the Army is going to trust this loser.

I can't wait to see the report that "0x80" is being indicted for his many crimes. I applaud Brian Krebs' reporting, since it gives a wonderful look into the mind of these threats. At the same time, I am disgusted by predators who steal the identities, property, and trust of innocent computer users. If any law enforcement types reading this blog need help analyzing these sorts of crimes, please feel free to contact me.
This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group.

I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical tidbits of no real significance.

I saw Mudge present to the AFIWC eight years ago, when he had something intelligent to add to the security discourse. Those of us who suffered through his "presentation" last Thursday should get a refund for that talk. It was unprofessional, uninformative, and in many ways plain sad, in vast contrast to the great presentation by fellow ex-L0pht member Chris Wysopal. Am I bitter? Sure, I had high expectations, and I missed listening to other speakers in the same time slot.

The RSA conference redeemed itself when I attended a presentation by Peter Woods from Microsoft. He described the new User Account Control architecture in Windows Vista. (UAC has its own blog too!) In a nutshell, UAC means everyone runs as a Standard User -- even administrators. If a user with administrator powers logs on, he or she operates with a "filtered token." When an action requires administrative powers, it will be displayed with a "shield" icon, as seen in the image above. Peter described a variety of security features in Windows Vista, many of which will be familiar to Unix users of sudo and programs implementing privilege separation. I was a little worried when Peter described Microsoft's Assistive Technology (AT) features. These are designed to help people who cannot use a mouse and keyboard. Microsoft is trying to ensure that the same techniques that help an AT user cannot be used by malware to install itself without the user's consent.

Peter briefly discussed Internet Explorer 7, which he said runs in a protected mode that is at a lower trust level than the desktop. He mentioned Software Restriction Policies (not new).

Overall I was very impressed by Peter's presentation. Microsoft seems to be getting its act together. (I personally plan to buy a new laptop late this year once Vista is available. Of course I will dual-boot with FreeBSD!) Call me naive, but I believe (and have heard from exploit developers) that it is getting more difficult to find vulnerabilities in the Windows OS. I will be curious to see the results of the latest iDefense program. Based on work I've seen by eEye and others, intruders are going to spend more time on the low-hanging fruit of poorly coded embedded devices like SOHO routers and related gear. They will also continue to target applications as the OS becomes more resilient.

I finished Thursday with John Pearce, a consultant with Booz Allen Hamilton. He presented his impressions of IPv6, including an overview of tunneling methods and packet captures. John reinforced that I have a lot of learning to do, like being able to instantly recognize certain prefixes. I also need to see if my preferred session tools will notice IP Protocol 41, used for carrying IPv6 inside IPv4. IP Protocol 47 (GRE) is another option to check. John made the interesting point that even after IPv6 is widely adopted, "there's a fairly good chance that IPv4 will never go away." John recommended we read Sean Convery's paper on IPv6 security.

Overall I enjoyed the RSA conference, but I will probably not attend again. I may attend if I am accepted to speak there. As a paying customer, I can't justify the price for the number of presentations available. I do not consider the morning keynotes to be worthwhile, and there are only three presentations in the afternoon each day. It was cool to walk the exposition floor, where identity management and endpoint security were everywhere, but that doesn't justify a flight to California.

What did you think of RSA?

Saturday, February 18, 2006

RSA Conference 2006 Wrap-Up, Part 3

This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1.

Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended.

Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor.

Third, in his talk Nitesh referenced his article Googling for Vulnerabilities, which includes a PHP script. He also reminded the crowd of Foundstone's SiteDigger tool.

Now, on to new material. I finished Wednesday's briefings by listening to Ira Winkler, a fellow ex-intelligence professional. I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focus on threats. He said if an asset does not expose a vulnerability, no threat can damage it. If no threat exists, then a vulnerability cannot be exploited. This sort of discussion is the reason we need to understand the difference between these two terms, which Mr. Winkler said are often "confused." Amen.

Mr. Winkler presented the risk equation as the following: risk = asset value * (threat * vulnerabilities)/countermeasures. I like that since it is essentially asset value * threat * vulnerabilities, with a denominator of countermeasures. Since my version doesn't explicitly address countermeasures, I intend to add that in future references to the risk equation.

Speaking of real threats, he gave a few examples. I believe they are found in his books, but I am not sure. I am repeating what he said, so I hope no one is offended by these remarks. They simply represent some of what is happening in corporate America today. Mr. Winkler described a Chinese restaurant located across the street from the research and development lab of a Fortune 5 company. That company hires many people of Chinese descent. He said that restaurant featured exceedingly good food, of better quality and cheaper price than might be found in China itself.

The restaurant is operated by the Chinese government, or associates of the Chinese government. They staff the restaurant with operatives who try to befriend patrons from the R&D lab. Guess why the restaurant is happy to host company luncheons where the R&D lab discusses upcoming projects? Their meeting rooms are bugged. Mr. Winkler said this sort of corporate espionage is nothing new, and that we all need to understand that this is the way the game is played. He also said he knows people who have the job of "drinking people under the table" in order to get them to talk about their companies.

Mr. Winkler advised that companies conduct security awareness training that emphasizes these points:

  1. A company's information has value.

  2. Competitors will try to steal it.

  3. Employees should report anything suspicious.

  4. Security staff should make employees aware of the countermeasures they deploy to mitigate risk.

After talking about corporate espionage, Mr. Winkler explained how he and an accomplice were hired to steal plans to nuclear reactors from an American company. He started the operation by visiting a nearby restaurant. He searched through a bowl of business cards left by patrons at the front desk, and kept one from an employee of the company he was hired to penetrate. Using that business card, he and his accomplice were able to acquire corporate badges from the target company. They set themselves up as special assistants to the president of the company.

They next traveled to the facility that was responsible for designing nuclear power plants. He didn't even need his badge to enter the grounds, because the guard was waving everyone through the gate. Mr. Winkler asked where he could find the graphics and printing department. Why visit the engineering crew when you could get the same diagrams from the people who print them?

After spending half a day walking around asking the location of the team that printed the nuclear plant proposal, he found the right office. The employees let Mr. Winkler sit at their computers, where he proceeded to acquire the IP address of the server hosting the plans. He left and passed the information to his accomplice, who had set himself up in an empty office with intranet connectivity. After downloading the target plans, the pair noticed unauthorized access to the server from computers in India. As confirmed by this story, Mr. Winkler suspects the users of the Indian computers stole reactor plans and other sensitive data from the target company.

I found Mr. Winkler's talk highly informative, blunt, and disturbing. It was definitely worthwhile.

Friday, February 17, 2006

RSA Conference 2006 Wrap-Up, Part 2

This is part 2 of my RSA Conference 2006 wrap-up. I started with part 1. My first talk of day 2 was Bruce Schneier. Bruce is a great speaker, but I seemed to remember his material from 2002. His major point involved this fact: there are far too many legitimate users compared to attackers. This makes detection and prevention difficult. I believe this is a form of Axelsson's 1999 base rate fallacy (.pdf) paper. Bruce made the interesting point that by charging the conference fee ($1900 or so) to replace a lost badge, RSA had transferred a security problem entirely to the attendees.

Next I saw Nitesh Dhanjani discuss penetration testing techniques and tools. I worked with Nitesh at Foundstone, and his talk was excellent. He emphasized how he only uses open source tools for his work, because they are so easily customized to meet his requirements. Nitesh described how the Metasploit WMF exploit works. He showed how to create a new NASL script for Nessus, and made the point that the fact Nessus 3.x is closed-source makes no difference to him. Anyone can still make custom NASL scripts. Nitesh then showed how to code an Ettercap plug-in.

He continued his presentation by describing problems with the Google Firefox anti-phishing toolbar, namely that it sends all GET requests in clear text to Google -- even those referenced via HTTPS. If a user is browsing the Web with this extension enabled, and is logged in to Gmail, then Google also reads the user's Gmail cookie. Hence, Google knows exactly who you are and what you're browsing. Nice. I should also mentioned Nitesh used the socat tool, which I had never seen before. Nitesh finished by discussing how to use Tor to anonymously attack Web servers, which is a problem without much of a solution at the moment. I wonder if Tor servers will have to run inline filters to police this sort of activity, in the spirit of the "control" aspect of my Defensible Network Architecture framework from Extrusion Detection?

I have to board my plane shortly... part 3 will probably arrive this weekend.

RSA Conference 2006 Wrap-Up, Part 1

I'm using T-Mobile at the San Francisco airport as I write this, on my way home from the RSA Conference 2006. Here are my thoughts on my first RSA conference: Holy vendors, Batman. This seemed to be a show by vendors, for vendors. In some ways the presentations were afterthoughts, or just another way for some vendors to describe their products or upcoming technologies. I plan to report on one or two cool products I encountered on the exposition floor, but for now I'll quickly mention the talks I saw.

I began Tuesday be attending a briefing advertised as a discussion of wireless intrusion detection. Instead of learning something new, I heard an IBM employee describe wireless as if the audience had never heard of it. Buddy, it's 2006, for Pete's sake. That was a wasted hour.

Next I listened to Chris Wysopal discuss static binary analysis to discover security vulnerabilities. In contrast to another ex-@Stake/ex-L0pht member (mentioned later), Chris was coherent, informative, and worth seeing. He mentioned that compilers sometimes introduce vulnerabilities that were not intended by the coder. This is called What You See Is Not What You eXecute, or WYSINWYX (.pdf). For example, an older version of a Microsoft compiler decided that it was not necessary to clear memory before freeing it, as instructed by the coder. Instead, the compiler created an executable where passwords or other sensitive information could be found in memory.

Chris mentioned the Software Assurance Metrics and Tool Evaluation project, which I intend to visit. He also discussed why he would like to see an EnergyStar-like rating for software. The rating might say, "Of the financial applications subjected to binary security analysis, the best score was 112, the worst was 24, and this application rates 86. This program's estimated incident response and patching cost is $1600 per server per year when customer-facing, and $400 per server per year when kept in-house." He concluded the talk by describing how defenders are being destroyed by adversaries who get inside their OODA loops.

After Chris I saw Dan Geer speak. That was certainly a valuable hour. He postulated that "data value and data mobility are conjoined," and that "it's not security if it's not cost-effective." Dr. Geer discussed relationships between predators and prey, and how they evolve together. He focused on data "as the point and focus of security," where the "perimeter must contract down to data." He believes data is at risk when it changes state, from when it goes from being at rest (in storage) to being in motion (in use). Dr. Geer believes data must be protected at that point of transition.

I was very pleased to hear and see these thoughts: "Monitoring is the first priority. You cannot manage what you cannot measure. The unknown unknowns will kill you. Rumsfeld was right." Attacks which do not reveal themselves require preemption. Preemption requires intelligence. Intelligence requires surveillance. But what should you observe, people or data? Dr. Geer prefers observing data.

To perform that observation, he invoked the idea of a reference monitor (citing Anderson, circa-1972) that watches all data access, and can intervene when necessary. It acts by analyzing "traffic" (ostensibly data manipulation, not packets) and does not use content inspection to make decisions. Dr. Geer concluded by saying that trusted computing can be implemented in software or hardware. Software implemention favors innovation with a default permit stance, while hardware favors safety and a default deny stance. I obviously cannot do either of these talks justice, but if you'd like to hear more these talks should be sold through RSA in audio format.

Tuesday, February 14, 2006

Sguil 0.6.1 Released

Just in time for RSA, Bamm Visscher has released Sguil 0.6.1. You can read the release announcement. Most of the improvements have happened on the client side, especially with regard to using UNION queries. The client will also look slightly different due to using the tablelist widget.

If you're at RSA, I speak today from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics. I will sign books on Wednesday, 15 February 2006 from 1200 to 1230.

Monday, February 13, 2006

Virtualization on Low-End Hardware

I have a few really old laptops that I've rescued for use in the TaoSecurity labs. One is a Thinkpad 600e PII 366 MHz with 128 MB RAM, and the other is a Thinkpad 1400 Pentium MMX 300 MHz with 256 MB RAM. Recently I wondered if I could use them as VMware Player running on them. First I needed a supported operating system. I first tried Ubuntu, since it looked like the most recent free OS with which I was familiar. Unfortunately, Ubuntu's live CD and installation CD hung on the two laptops I tried.

I turned next to Red Hat Linux 9, intending to use the Fedora Legacy project to update the OS once installed. RH 9 and Fedora Legacy worked perfectly. I don't need to repeat what I did because the Using Fedora Legacy's yum 2.x for Red Hat Linux 9 documentation is so excellent. I checked the FAQ and used Yum to update the kernel after the userland apps were updated. Impressive all around.

Next came the moment of truth. Would VMware Player run on these old systems? The newer PII ThinkPad installed the Linux .rpm with no problems. When I ran, however, I had to let VMware compile the kernel modules it needed. It needed kernel-source-2.4.20-43.9.legacy.i386.rpm installed, and I had to point the installer to /usr/src/include/linux-2.4 instead of /usr/src/include/linux. When the process was done I was able to run VMware Player as root. Awesome.

Then I tried the older Thinkpad. After installing the .rpm, I tried running I encountered this error:

[root@rh9tp1400 root]#
Your processor does not support the cmov instruction. VMware Player will not run
on this system.

Your /proc/cpuinfo is:

processor : 0
vendor_id : GenuineIntel
cpu family : 5
model : 8
model name : Mobile Pentium MMX
stepping : 2
cpu MHz : 299.950
fdiv_bug : no
hlt_bug : no
f00f_bug : yes
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr mce cx8 mmx
bogomips : 598.01

Execution aborted.

Darn. No VMware Player on the Pentium MMX 300 MHz! Well, if VMware Player wouldn't run, what about QEMU? I found a QEMU .rpm at the DAG repository. When I tried installing it, the .rpm complained it needed SDL-1.2.5-3.i386.rpm.

(Note: When I installed RH 9 on these laptops, I did a Workstation install, automatic partitioning, no firewall, and I customized the packages to remove GNOME, Graphical Internet, Office/Productivity, Sound and Video, Graphics, Games and Entertainment, X Software Development, GNOME Software Development, and Printing Support; I added System Tools and Kernel Development. Total package size: 1311 MB.)

I installed the SDL package, and sure enough QEMU ran on the P-MMX! I booted a Linux image to test it. I did not try networking. This was more proof-of-concept, since I do not have QEMU images ready for use as I do VMs.

One of the main reasons I conducted this test was to provide a baseline of hardware I could expect to use when I teach my classes. I plan to suggest a PII with 256 MB RAM running RH 9 as the absolute free-OS minimum for supporting VMware Player.

Saturday, February 11, 2006

Request for Comments: NSM Reporting

My friend John Ward wrote me recently, asking what sorts of reports managers should receive from network security monitoring operations. John posted his experiences using Business Intelligence and Reporting Tools (BIRT), and its role in business intelligence (BI).

What do you put in the NSM reports you provide for management? What would you want to see extracted from the NSM data you collect?

FreeBSD in Lex Twister

I am very happy to report that the CV863A-based Lex Twister VIA 1 GHz Nehemiah Padlock ACE 3-LAN Gigabit Ethernet Dual-PCMCIA 1-PCI (Lex Twister CV863A3U10) small form factor PC I bought from Hacom is running FreeBSD 6.0. You can see the dmesg output courtesy of NYCBUG dmesgd.

I bought this system as a proof-of-concept mobile sensor. It's much smaller than the Shuttle SB81p I also use. The Lex Twister even fits in my consulting bag.

Although the Lex Twister is not as versatile as the Shuttle, it still supports a full 3.5 inch HDD. The model I bought also has three built-in Intel Gigabit NICs. Here is a look at the back of a similar box; mine does not have four NICs. I installed FreeBSD 6.0 using a USB-connected external CD/DVD burner. I had to first try to boot the Lex Twister, have it find the optical drive, report an error, and then place the FreeBSD install CD in the drive and try again.

Is anyone using a small monitor, like these? If so, can you recommend a product? It would be nice to have one of these small monitors for emergencies, when connectivity by Ethernet or serial port fails.

New TaoSecurity Services Brochure Online

The new TaoSecurity company services brochure is available (.pdf). If any of you small business owners would like to contact the graphics designer who created this brochure for me, I would be happy to forward his email address. The front of the brochure explains my company's services, and the reverse explains our classes.

PortRequest is Live

If you listened to my recent BSDTalk podcast, you heard me mention PortRequest. Well, it's live! PortRequest is part of the NYCBUG site; Michael Welsh coded it, receiving nothing in compensation. If you visit you will be redirected to the actual NYCBUG Portrequest page.

The idea behind PortRequest is simple: I am lazy. Whenever I find a new program, I first look to see if it is in the FreeBSD ports tree by searching Dan Langille's FreshPorts site. What do I do if the program is not in the ports tree? Next I query the Problem Reports database to see if a new port is pending. For example, this query shows Sguil-related ports that are being developed. What do I do if there is no PR? Do I just bookmark the tool and move on?

I hate bookmarks. Rather than simply bookmark the page for a new program, I now have an alternative. I can try the program (verify that it compiles, see how it works, etc.), and then post information about that program to PortRequest. Others can see the post in PortRequest and add comments. A potential port writer can browse the database looking for interesting ports to create. The idea is to connect people who find new tools with people who have the skill to create new ports.

Here's an example: mwcollect. It's a program similar to Nepenthes, which is already in the ports tree. It would be great to see mwcollect in the tree too. So, I download the program, and I see if I can compile it. Using gmake, I have no errors. Perhaps creating a port would be easy, since mwcollect is now supporting FreeBSD?

This morning I submitted a PortRequest for mwcollect. The program looks like a good candidate for the ports tree. Hopefully an aspiring port developer will visit PortRequest, browse the queue, see that mwcollect looks interesting, and then create a port. We welcome your comments.

Update: I noticed a great thread that discusses contributing to the ports tree, along with this Handbook article.

Friday, February 10, 2006

Pursuing Advanced Degrees When Older

If you've seen my resume you'll know I do not have a degree in computer science. My last post mentioned what I studied in "college" -- history and political science, along with minors in French and German -- including a heavy engineering core. In grad school I studied national security in a public policy program. I graduated from the master's program ten years ago.

Looking to the future, I've considered what my resume needs to look like if I want to keep certain doors open. One of the doors involves teaching at the college/university level. Another door involves being considered for leadership positions in government. A common factor I've seen in both roles is possession of a PhD in the appropriate field.

Through speaking with people like Christian Kreibich (author of NetDude) or reading the work of people like Ross Anderson (author of the incomparable Security Engineering), I've come to respect the University of Cambridge Computer Laboratory. The university offers a Diploma in Computer Science, a one year conversion course for students who have a first degree in another discipline. That sounds perfect for me. If that program goes well, I would be interested in their research-centric PhD program.

My family has always wanted to live overseas. Our daughter won't enter school until 2009, and attending kindergarten and first grade in the UK should be fun. Assuming we follow the rules, we can even bring our dog with us without worrying about quarantine.

Are any of you pursuing advanced degrees, while in your thirties? My goal is to finish the PhD before I turn 40, which is attainable if I start next year, take 1 year for the Diploma, and three years for the PhD. If this comes to fruition, I'll be at Cambridge when it celebrates its 800th anniversary in 2009.

I know others are doing it. Forensics god Brian Carrier is at CERIAS. I just learned FreeBSD guru Robert Watson started studying at Cambridge last fall. What do you think?

FreeBSD News

freebsd.png" align=left>According to this announcement, FreeBSD 5.5-BETA1 and FreeBSD 6.1-BETA1 are now available. Looking at the release schedule, I estimate we'll see FreeBSD 5.5 in late April and FreeBSD 6.1 in early April. The schedule is very ambitious, will 6.2 and 6.3 releases planned for this year too. Remember that FreeBSD 5.5 is probably the last in the 5.x tree.

I'd like to thank Royce Williams for pointing out that Colin Percival has been building SMP kernels for freebsd-update. Here is the announcement. This is great news for people who want to run stock FreeBSD installs and stay up-to-date with the SECURITY branch on SMP hardware.

Thursday, February 09, 2006

Ed Nisley on Professional Engineering

I get a free subscription to Dr. Dobb's Journal. The March 2006 issue features an article by Ed Nisley titled "Professionalism." Ed is a software developer with a degree in Electrical Engineering. After working at a computer manufacturer for ten years in New York state, he decided to become a "consulting engineer." Following the state's advice, Ed pursued a license to be a Professional Engineer. Now, 20 years after first earning his PE license, Ed declined to renew it. He says "the existing PE license structure has little relevance and poses considerable trouble for software developers." You have to register with DDJ to read the whole article, but the process is free and the article is worthwhile.

Here are a few of Ed's reasons to no longer be a PE:

  • "[T]o maintain my Professional Engineering license, I must travel to inconvenient places, take largely irrelevant courses, and pay a few kilobucks. As nearly as I can tell from the course descriptions, the net benefit would be close to zero."

  • ["T]here's no generally applicable Software Engineering Body of Knowledge (SWEBOK) upon which to base a Software Engineering examination, so (as I understand it) a Texas engineer seeking a PE license for software activities must demonstrate a suitable amount of experience, as attested by letters of recommendation." (He was discussing efforts in Texas to make software engineers be PEs.)

  • "A 2001 ACM task force report on Licensing of Software Engineers Working on Safety-Critical Software concluded that professional licensing as it stands today simply wouldn't work in that field. They observe that very few 'software engineers' have an engineering degree accredited by the Accreditation Board for Engineering and Technology, which all state PE licensing boards require. Most programmers, it seems, don't have the opportunity to forget Thermo and Chem, having not studied them in the first place."

  • "Software development also moves much faster than the NCEES testing process. Mechanical and electrical engineering questions dating back three decades remain perfectly useful, but most recent graduates have little knowledge of Fortran and GOTOs."

  • "If you produce work as a PE, you must follow established design practices or risk a malpractice lawsuit when your design fails. Software engineering, even in the embedded field, simply doesn't have any known-good design practices: Most projects fail despite applying the current crop of Best Practices."

  • "Worse, without a good self-imposed technical solution, we're definitely going to get legislative requirements that won't solve the problem."

If you think that creating a test designed for "software engineers" is a good idea, check out the rest of the article to see Ed's experience taking the exams. They sound like nothing more than a check to ensure the ability to answer a smattering of science and math questions.

The process reminded me of an exam we took at the Air Force Academy for what was then called (and may still be) Engineering 410. This was supposed to be a "capstone course" that all seniors took to demonstrate their engineering prowess. Yes, even your local history/political science double major took chemistry, physics (two courses), math (Cal III and Diff Eq), thermodynamics, and the five pure engineering courses (electrical, mechanical, civil, aeronautical, astronautical) prior to this capstone course. (That's why I have Bachelor of Science degrees and not BAs. At a normal college I would also have a minor in Engineering.)

To enter the capstone course, all students had to pass a cross-subject exam, where anything studied up to that point was fair game. I should add that non-engineering subjects like biology or the "soft sciences" were also included. If you failed the exam (with a possibility of one retake) you failed the course. If you took the course in the fall semester, you could return in the spring. If you took the course in the last semester of senior year (like me), and you failed the test, you were coming back for a special "fifth year" (USAFA has no real "fifth year" of study!) just to take Engineering 410.

In the dreamworld of the academic faculty, I'm sure they believed this exam would test the quality of the "engineers" they were producing. In reality all they tested was our ability to cram as much as we could fit into our brains prior to the test. By the time I was a senior I had no clue what I had studied in chemistry or biology three years earlier. After reading Ed's story, it sounds like his PE exams were exactly the same. They test the candidate's ability to remember information (itself no mean feat, granted) and then apply that to a test. They say nothing about whether the candidate is a good or even qualified engineer.

If the test is worthless, what might really drive PEs to do good work? I think the fact that PEs can lose their license to practice is a big factor. That happened in the 1981 Hyatt collapse I blogged about earlier. If you're a PE and you lose your license because your project fails, you've lost your ability to make a living. If you're a software developer and your project fails, you continue working or you get a job elsewhere.

Incidentally, the skies over USAFA looked exactly like the photo posted above. Every day. Ok, I'm kidding, but it felt like that. That is a real photo taken 10 August 2004.

Wednesday, February 08, 2006

Integrating Sguil into Intrusion Detection and Incident Response

A fellow Sguil user wrote a surprisingly complete account of a compromise of his Web server, and how he used Sguil to identify the intrusion and respond to the incident. The author, Chas Tomlin, provides a step-by-step walkthrough of his investigation, along with some of his actual findings -- including a transcript of an IRC conversation between bot net operators.

Monday, February 06, 2006

Linksys WPC54G with FreeBSD

Yesterday I posted how I figured out how to use wlan_wep on FreeBSD. Today I received my new Linksys WPC54G wireless 802.11g network adapter. I decided to try using it with FreeBSD 6.0.

When I inserted it into the PCMCIA slot, I got these errors:

cardbus0: CIS pointer is 0!
cardbus0: Resource not specified in CIS: id=10, size=2000
cardbus0: at device 0.0 (no driver attached)

That didn't look good. I decided to use Bill Paul's ndis driver to get the Windows drivers working with FreeBSD. I posted about this capability two years ago, but today I used it in production.

I had previously tried the ndiscvt utility to turn Windows device drivers into something recognized by FreeBSD. Looking at the man pages, I soon learned of the new ndisgen a text-driven wizard to facilitate using ndis. Here's how it worked for me.

First (using a wired connection) I downloaded the latest version of the Windows drivers for my WPC54G. I saw the Linksys site offered downloads for WPC54G versions 1 through 5. Looking closely at the card itself, I saw I had version 3. (I saw nothing resembling a version number on the box.) I downloaded and extracted the 32 MB .zip containing the Windows files.

In the WPC54G Setup Wizard 3.1/Driver/NT directory I saw three files:

-rw-r--r-- 1 richard richard 8266 Apr 19 2005
-rw-r--r-- 1 richard richard 31738 Apr 19 2005 LSBCMNDS.inf
-rw-r--r-- 1 richard richard 371712 Feb 11 2005 bcmwl5.sys

The last two were the ones I needed. I copied them to /home/richard/tmp, and changed into that directory.

Next I started ndisgen and saw this screen. I decided to cut to the chase and begin at step 3.

------------------ Windows(r) driver converter -------------------

This script is designed to guide you through the process
of converting a Windows(r) binary driver module and .INF
specification file into a FreeBSD ELF kernel module for use
with the NDIS compatibility system.

The following options are available:

1] Learn about the NDIS compatibility system
2] Convert individual firmware files
3] Convert driver
4] Exit

Enter your selection here and press return: 3

Now I'm prompted for the .inf file:

------------------ Windows(r) driver converter -------------------

INF file validation

A .INF file is most often provided as an ASCII file, however
files with multilanguage support are provided in Unicode format.
Please type in the path to your .INF file now.

> /home/richard/tmp/LSBCMNDS.inf

This .INF file appears to be ASCII.

Press return to continue...

Now I'm prompted for the .sys file.

------------------ Windows(r) driver converter -------------------

Driver file validation

Now you need to specify the name of the Windows(r) driver .SYS
file for your device. Note that if you are running FreeBSD/amd64,
then you must provide a driver that has been compiled for the
64-bit Windows(r) platform. If a 64-bit driver is not available
for your device, you must install FreeBSD/i386 and use the
32-bit driver instead.

Please type in the path to the Windows(r) driver .SYS file now.

> /home/richard/bcmwl5.sys

This .SYS file appears to be in Windows(r) PE format.

Press return to continue...

Now I'm prompted for to confirm conversion.

------------------ Windows(r) driver converter -------------------

Driver file conversion

The script will now try to convert the .INF and .SYS files
using the ndiscvt(1) utility. This utility can handle most
.INF files; however, occasionally it can fail to parse some files
due to subtle syntax issues: the .INF syntax is very complex,
and the Windows(r) parser will sometimes allow files with small
syntax errors to be processed correctly which ndiscvt(1) will
not. If the conversion fails, you may have to edit the .INF
file by hand to remove the offending lines.

Press enter to try converting the files now:

Conversion was successful.

Press enter to continue...

There aren't any additional firmware files, so I hit enter below.

------------------ Windows(r) driver converter -------------------

Firmware file conversion

If your driver uses additional firmware files, please list them
below. When you're finished, just press enter to continue. (If your
driver doesn't need any extra firmware files, just press enter
to move to the next step.)


Nothing happens here.

------------------ Windows(r) driver converter -------------------

List of files converted firmware files:

Press enter to continue...

Now ndisgen creates a kernel module for me.

------------------ Windows(r) driver converter -------------------

Kernel module generation

The script will now try to generate the kernel driver module.
This is the last step. Once this module is generated, you should
be able to load it just like any other FreeBSD driver module.

Press enter to compile the stub module and generate the driver
module now:

Generating Makefile... done.
Building kernel module... done.
Cleaning up... done.

The file bcmwl5_sys.ko has been successfully generated.
You can kldload this module to get started.

Press return to exit.

My directory now has a kernel module for my wireless card.

orr:/home/richard/tmp$ ls -alh
total 868
drwxr-xr-x 2 richard richard 512B Feb 6 18:56 .
drwxr-xr-x 15 richard richard 1.0K Feb 6 18:55 ..
-rw-r--r-- 1 richard richard 31K Feb 6 18:52 LSBCMNDS.inf
-rw-r--r-- 1 richard richard 363K Feb 6 18:52 bcmwl5.sys
-rwxr-xr-x 1 richard richard 420K Feb 6 18:55 bcmwl5_sys.ko

I load the kernel module and check dmesg output.

orr:/home/richard/tmp$ sudo kldload ./bcmwl5_sys.ko
orr:/home/richard/tmp$ dmesg | grep ndis
ndis0: mem 0x88000000-0x88001fff irq 11 at device 0.0 on cardbus0
ndis0: NDIS API version: 5.1
ndis0: Ethernet address: 00:14:bf:22:be:12

Bingo. I have a ndis0 interface. Let's see it.

orr:/home/richard/tmp$ ifconfig ndis0
ndis0: flags=8802 mtu 1500
ether 00:14:bf:22:be:12
media: IEEE 802.11 Wireless Ethernet autoselect
status: no carrier
ssid "" channel 1
authmode OPEN privacy OFF txpowmax 100 protmode CTS

A look at the loaded kernel modules shows my custom kernel module, if_ndis, and ndis are loaded.

orr:/home/richard/tmp$ kldstat
Id Refs Address Size Name
1 18 0xc0400000 63072c kernel
2 2 0xc0a31000 74b0 snd_csa.ko
3 3 0xc0a39000 1d408 sound.ko
4 1 0xc0a57000 c3a4 r128.ko
5 2 0xc0a64000 eeec drm.ko
6 16 0xc0a73000 568dc acpi.ko
7 1 0xc2003000 69000 bcmwl5_sys.ko
8 1 0xc206c000 b000 if_ndis.ko
9 2 0xc2077000 13000 ndis.ko

Before I can bring up the card, I load the wlan_wep module as explained yesterday.

orr:/home/richard/tmp$ kldload wlan_wep

Now I'm ready to bring up the card.

orr:/home/richard/tmp$ sudo ifconfig ndis0 inet netmask ssid shaolin
wepkey 0xmykey deftxkey 1 wepmode on

No errors -- let's check ndis0

orr:/home/richard/tmp$ ifconfig ndis0
ndis0: flags=8843 mtu 1500
inet netmask 0xffffff00 broadcast
inet6 fe80::214:bfff:fe22:be12%ndis0 prefixlen 64 scopeid 0x4
ether 00:14:bf:22:be:12
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid shaolin channel 1 bssid 00:13:10:65:2f:ad
authmode OPEN privacy ON deftxkey 1 wepkey 1:104-bit txpowmax 100
protmode CTS

Looks good -- I'll add a default route and ping Google.

orr:/home/richard/tmp$ sudo route add default
add net default: gateway
orr:/home/richard/tmp$ ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=233 time=270.746 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 270.746/270.746/270.746/0.000 ms

Awesome. To make life easier, I copy my new kernel module to the location other kernel modules are stored.

orr:/home/richard/tmp$ sudo cp bcmwl5_sys.ko /boot/kernel/

Finally I create a short shell script to automate the process of bringing the card up once it's inserted.

kldload bcmwl5_sys
kldload wlan_wep
ifconfig ndis0 inet netmask ssid shaolin wepkey 0xmykey deftxkey 1 wepmode on
route add default

Everything works; in fact, I'm posting while using the card now.

Sunday, February 05, 2006

FreeBSD Wireless Changes

At my desk I connect to the rest of my wireless network with a Netgear WGE111 54 Mbps Wireless Game Adapter (don't ask). I usually don't use the SMC EZ Connect 802.11b Wireless PCMCIA card, model SMC 2632W v.1 I have nearby. While watching "the big game" I decided to check email, so I tried using this wireless card with my FreeBSD 6.0 laptop. I saw this error:

orr:/home/richard$ sudo ifconfig wi0 inet netmask ssid
shaolin wepkey 0xmykey wepmode on
ifconfig: SIOCS80211: Invalid argument

What the heck is this? I took a look at dmesg output and saw the following:

ieee80211_load_module: load the wlan_wep module by hand for now.

This is a change reported in the release notes. Luckily wlan_wep is available as a kernel module, so I was able to load it easily.

orr:/home/richard$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 63072c kernel
2 2 0xc0a31000 74b0 snd_csa.ko
3 3 0xc0a39000 1d408 sound.ko
4 1 0xc0a57000 c3a4 r128.ko
5 2 0xc0a64000 eeec drm.ko
6 16 0xc0a73000 568dc acpi.ko

orr:/home/richard$ sudo kldload wlan_wep

orr:/home/richard$ kldstat
Id Refs Address Size Name
1 12 0xc0400000 63072c kernel
2 2 0xc0a31000 74b0 snd_csa.ko
3 3 0xc0a39000 1d408 sound.ko
4 1 0xc0a57000 c3a4 r128.ko
5 2 0xc0a64000 eeec drm.ko
6 16 0xc0a73000 568dc acpi.ko
7 1 0xc1fa8000 3000 wlan_wep.ko

There it is. Now let's try that configuration again.

orr:/home/richard$ sudo ifconfig wi0 inet netmask ssid
shaolin wepkey 0xmykey wepmode on

No errors -- so far so good. Let's see ifconfig output.

orr:/home/richard$ ifconfig wi0
wi0: flags=8843 mtu 1500
inet netmask 0xffffff00 broadcast
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x4
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
status: associated
ssid shaolin channel 6 bssid 00:13:10:65:2f:ad
stationname "FreeBSD WaveLAN/IEEE node"
authmode OPEN privacy MIXED deftxkey UNDEF wepkey 1:104-bit txpowmax 100

Nothing too odd here. The deftxkey UNDEF looks new, but that shouldn't matter? Let me ping a host.

orr:/home/richard$ ping -c 1

Nothing. I sniff on the wi0 interface and see my host ARP for the gateway, but that's it. (By the way, I added a default route.)

I poke around a bit and decide to see if I can get any useful information about this problem from the kernel.

orr:/home/richard$ sysctl -a | grep wlan
net.wlan.debug: 0
net.wlan.0.%parent: wi0
net.wlan.0.debug: 0
net.wlan.0.inact_run: 300
net.wlan.0.inact_probe: 30
net.wlan.0.inact_auth: 180
net.wlan.0.inact_init: 30
net.wlan.0.driver_caps: 67329

I see the wlan man page mentions setting a mask to enable wlan debugging, so I try doing that with all 1s. This is just a wild guess, but it shouldn't break anything.

orr:/home/richard$ sudo sysctl net.wlan.0.debug=0x11111111
net.wlan.0.debug: 0 -> 286331153

Now I start to see messages like the following:

wi0: [ff:ff:ff:ff:ff:ff] no default transmit key (ieee80211_encap) deftxkey 65535
wi0: [33:33:ff:29:3b:ba] no default transmit key (ieee80211_encap) deftxkey 65535

The deftxkey UNDEF is important after all. It isn't mentioned in the ifconfig man page. I initially decide to try setting it to my WEP key, but that doesn't work. Next I try setting it to 1.

orr:/home/richard$ sudo ifconfig wi0 deftxkey 1
orr:/home/richard$ ifconfig wi0
wi0: flags=8847 mtu 1500
inet netmask 0xffffff00 broadcast
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x4
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps)
status: associated
ssid shaolin channel 6 bssid 00:13:10:65:2f:ad
stationname "FreeBSD WaveLAN/IEEE node"
authmode OPEN privacy MIXED deftxkey 1 wepkey 1:104-bit txpowmax 100
bintval 100

Let's see what new messages I get.

wi0: ieee80211_timeout_stations: station scangen 1
wi0: ieee80211_timeout_stations: station scangen 2
wi0: ieee80211_ref_node (ieee80211_send_mgmt:1063) 0xc1b66000<00:13:10:65:2f:ad> refcnt 3
wi0: _ieee80211_crypto_delkey: NONE keyix 65535 flags 0x3 rsc 0 tsc 0 len 0
wi0: link state changed to DOWN
wi0: ieee80211_node_table_reset scan table
wi0: ieee80211_free_allnodes_locked: free all nodes in scan table
wi0: node_reclaim: remove 0xc1b66000<00:13:10:65:2f:ad> from scan table, refcnt 1
wi0: ieee80211_node_table_reset station table
wi0: ieee80211_free_allnodes_locked: free all nodes in station table
wi0: ieee80211_setup_node 0xc1b60c00<00:04:e2:29:3b:ba> in scan table
wi0: _ieee80211_free_node 0xc1b66000<00:13:10:65:2f:ad> in table
wi0: _ieee80211_crypto_delkey: NONE keyix 65535 flags 0x3 rsc 0 tsc 0 len 0
wi0: ieee80211_newstate: invalid transition

That did something. Can I ping a host?

orr:/home/richard$ ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=8.093 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.093/8.093/8.093/0.000 ms

Alright, we're working. In fact, I'm posting using the card now. I've added 'kldload wlan_wep' along with 'deftxkey 1' in ifconfig to the script I use to manually enable wi0 on FreeBSD.

I have a new 802.11b/g card en route, so when I get that and use it successfully I'll report it here.

Another Engineering Disaster

Does the following sound like any security project you may have worked?

  1. Executives decide to pursue a project with a timetable that is too aggressive, given the nature of the task.

  2. They appoint a manager with no technical or engineering experience to "lead" the project. He is a finance major who can neither create nor understand design documents. (This sounds like the news of MBAs being in vogue, as I reported earlier.)

  3. The project is hastily implemented using shoddy techniques and lowest-cost components.

  4. No serious testing is done. The only "testing" even tried does not stress the solution in any meaningful way -- it only "checks a box."

  5. Shortly after implementation, the solution shows signs of trouble. The project manager literally patches the holes and misdirects attention without addressing the underlying flaws.

  6. Catastrophe eventually ensues.

What I've just described is the Boston Molasses Flood of 1919, best described by the Boston Society of Civil Engineers in their newsletter (.pdf). I learned about this event by watching another episode of Engineering Disasters on Modern Marvels. Here's what happened.

  1. In 1915, United States Industrial Alcohol needed to build a tank in Boston to support World War I munitions production. They decide to place it in an immigrant-dominated portion of the city; Italians live there.

  2. USIA puts Arthur Jell in charge. He is a finance major with no technical or engineering experience or training. He can't even read blueprints, yet he designs a five-story, 90' diameter tank capable of holding over 2 million gallons of molasses, in the middle of a populated area.

  3. The tank is built by contractors who use thin steel and too few rivets. No one supervises their work. They hurry to complete the tank 2 days before it is filled.

  4. Prior to being filled, the tank is "tested" by holding between 4 and 8 inches of water!

  5. The tank stands three years, although apparently it was never filled to capacity until shortly before its collapse. During those three years, molasses leak from the tank on a daily basis. Jell orders the leaks plugged and has the tank painted brown to divert attention from the leaks.

  6. In 1918, with WWI ending and prohibition approaching, USIA decides to switch production from industrial alcohol to drinking alcohol. They want to cash out as fast as possible by supporting customers who want to "stock up" before prohibition begins. They accept a shipment of molasses from Cuba in January 1919, which fills the tank to capacity. Three days later, on January 15, the tank ruptures, killing 21 people and injuring 150.

USIA claimed Italian anarchists had destroyed the tank, but the evidence showed otherwise. USIA was subjected to the first ever class action lawsuit in the US, which the company lost. Safety regulations were enacted which required supervision of construction, real testing, and stamps of approval of blueprints by architects and engineers.

I foresee a similar event, with similar consequences, for the digital security industry. Hopefully not as much death and destruction will occur, but the remedies will be the same.

Saturday, February 04, 2006

Review of Hardening Network Security Posted just posted my four star review of McGraw-Hill/Osborne's Hardening Network Security. From the review:

"As a security consultant I am sometimes asked for reference books for new security managers. These individuals need help bringing their enterprise under control. Hardening Network Security is a good book for this sort of problem, although it is important to recognize a few technical errors outlined below."

BSDTalk Podcast Posted

Will Backman from BSDTalk posted a new podcast (.mp3, 16 MB) featuring his interview with me. In the first half of the podcast Will explains ways to obtain BSD. The second half of the podcast is the interview. We talked about my ShmooCon presentation, my blog, book reviews, how I use FreeBSD, and the upcoming PortRequest project implemented by the good people at NYCBUG.

orr:/data/media/audio$ mpg123 -a /dev/dsp0.0 bsdtalk013.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
Title : bsdtalk013 - Interview with Ri Artist: Will Backman
Album : Year : 2006
Comment: Genre : Speech

Playing MPEG stream from bsdtalk013.mp3 ...
Junk at the beginning 49443303
MPEG 1.0 layer III, 96 kbit/s, 44100 Hz mono

[23:12] Decoding of bsdtalk013.mp3 finished.

Friday, February 03, 2006

Exporting X Sessions

This is one of those tasks that I want to remember for the future, because I can imagine encountering the same problem again. When I build servers with FreeBSD, I usually do not include packages for I access my servers using OpenSSH so I don't need any graphics support.

Recently I needed a platform to QEMU. It turns out that QEMU opens an X session. The system where I wanted to run QEMU was a remote server (janney), so I needed to add X support. I figured "If I can export an xterm, I can export QEMU." So, I added the xterm package. Here are Xterm's dependencies as reported by pkg_tree:

janney:/home/richard$ pkg_tree xterm
|\__ pkgconfig-0.17.2
|\__ freetype2-2.1.10_1
|\__ expat-1.95.8_3
|\__ fontconfig-2.2.3,1
|\__ xorg-libraries-6.8.2
\__ libXft-2.1.7

So, you can see that installing Xterm added the following package:

xorg-libraries-6.8.2 X11 libraries and headers from X.Org

So, I ssh to janney, using the -X option to enable X forwarding, and I get this error.

orr:/home/richard$ ssh -X janney -v
OpenSSH_4.2p1 FreeBSD-20050903, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Remote: No xauth program; cannot forward with spoofing.

That doesn't look good. Here's what happened when I tried to export an xterm.

janney:/home/richard$ xterm
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 59764
connect port 6000: Connection refused
debug1: failure x11
X connection to localhost:10.0 broken (explicit kill or server shutdown).

Notice the connection attempt to port 6000 TCP. I knew that wasn't right, either. When forwarding X connections, OpenSSH connects to port 6010 TCP.

I figured I needed to add xauth, and that auth was part of the xorg-clients package. I added xuath as a package, and saw this pass by on the screen:

janney:/root# pkg_add -vr xorg-clients
x bin/xauth

The next time I tried connecting to janney using ssh -X, I got these results:

orr:/home/richard$ ssh -X janney -v
debug1: Entering interactive session.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.

That's better. Now I can see port 6010 TCP listening, and I can export an Xterm, too:

janney:/home/richard$ sockstat -4 | grep sshd
richard sshd 19911 3 tcp4
richard sshd 19911 8 tcp4 *:*
root sshd 19908 3 tcp4
root sshd 19858 4 tcp4 *:22 *:*

janney:/home/richard$ xterm
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 49825
debug1: channel 1: new [x11]
debug1: confirm x11

You'll remember I wanted to export a QEMU window. I tried doing so:

janney:/home/richard$ qemu -hda freedos.dsk -boot c
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 57479
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: FORCE input drain
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from ::1 57480
debug1: channel 2: new [x11]
debug1: confirm x11
debug1: channel 1: free: x11, nchannels 3
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 57481
debug1: channel 1: new [x11]
debug1: confirm x11
X Error of failed request: BadWindow (invalid Window parameter)
Major opcode of failed request: 25 (X_SendEvent)
Resource id in failed request: 0x40
Serial number of failed request: 12
Current serial number in output stream: 17
debug1: channel 1: FORCE input drain
debug1: channel 2: FORCE input drain
debug1: channel 1: free: x11, nchannels 3
debug1: channel 2: free: x11, nchannels 2

And nothing happens. That is lousy. It turns out I needed to use the -Y switch instead of -X. -Y "Enables trusted X11 forwarding," which I found using the ssh man page. I figured I would try it.

orr:/home/richard$ ssh -Y janney -v
...connects to janney...
janney:/home/richard$ qemu -hda freedos.dsk -boot c
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 57482
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: FORCE input drain
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from ::1 57483
debug1: channel 2: new [x11]
debug1: confirm x11
debug1: channel 1: free: x11, nchannels 3
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 57484
debug1: channel 1: new [x11]
debug1: confirm x11

And it works.

The bottom line is that exporting X sessions needs the xorg-libraries and xorg-clients packages. Sometimes you have to use -Y instead of -X.

Four New Pre-Reviews

I received four new books in the last few weeks. The first is Wiley's Security Patterns: Integrating Security and Systems Engineering by Markus Schumacher, et al. I am very interested in books like Wiley's unparalleled Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson. I hope Security Patterns will present techniques that can be implemented in a vendor- and possibly technology-neutral manner.

The second is No Starch's TCP/IP Guide by Charles M. Kozierok. The book is already online, but in a fairly difficult format for reading. This is an interesting approach. One might consider mirroring the whole site, but that violates the author's rules. You can download the book or now purchase the printed version. You might want to buy it directly from the author, since he offers an electronic copy with the printed one. As for the book itself, it's a massive 1500+ page tome. Reviews seem to be positive, and at a glance the content looks good. I hope to read this in order to provide a proper review, but that will be quite an undertaking.

The third book is McGraw-Hill/Osborne's Hacking Exposed: Cisco Networks by Andrew Vladimirov, et al. The book's Web site has published advisories as a result of the author team's research into attacking IOS. I spoke to the authors months ago and I have been eagerly awaiting this book. The authors also developed tools while writing the book, which I look forward to trying. I guess I am excitied by the potential for originality that a book like this offers.

The last book is Syngress' Security Log Management: Identifying Patterns in the Chaos by Jake Babbin, et al. I like what I've seen so far in this book. It uses Argus and Bro, two network security monitoring tools that haven't seen much print outside of my books. The authors use these tools in novel ways, which I appreciate. I will definitely read and review this book.

Dangers of Tracking FreeBSD STABLE

Most of my FreeBSD systems track the SECURITY branch of FreeBSD. Wherever possible I try to apply binary updates for the kernel and userland with Colin Percival's freebsd-update tool. Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source.

One of my systems does track the STABLE branch of FreeBSD, specifically RELENG_6. This is more or less a lab system. I like to see what might appear in the next version of FreeBSD, since 6.1 will be a version of STABLE.

Although STABLE is definitely more likely to be operational than CURRENT (which is the bleeding edge and will become FreeBSD 7.0), running STABLE is not without its hazards. Recently a commit appeared that changed part of the PCI code, shown with diffs here.

I happened to try updating to the version of FreeBSD STABLE that had src/sys/dev/pci/pci.c version, dated Mon Jan 30 18:42:10 2006 UTC. While compiling, I got this error:

/usr/src/sys/dev/pci/pci.c:1611: error: `PCI_IVAR_LATTIMER' undeclared
(first use in this function)
*** Error code 1
Stop in /usr/obj/usr/src/sys/JANNEY.
Error code 1
Stop in /usr/src.
*** Error code 1

I can see the line in pci.c the compiler doesn't like:

1612 *result = cfg->lattimer;
1613 break;

Shorly after version, dated Mon Jan 30 18:42:10 2006 UTC, appeared in STABLE, it was updated to, dated Tue Jan 31 14:42:43 2006 UTC. However, the diffs to the previous version don't appear to affect the PCI_IVAR_LATTIMER code. I'm not sure what happened, but I was able to update to STABLE after the new code was committed and therefore get the system compiled and running.

janney:/home/richard$ uname -a
FreeBSD 6.0-STABLE FreeBSD 6.0-STABLE #0: Tue Jan 31 22:17:14 EST 2006 i386
janney:/home/richard$ grep FBSDID /usr/src/sys/dev/pci/pci.c
__FBSDID("$FreeBSD: src/sys/dev/pci/pci.c,v 2006/01/31 14:42:43 imp Exp $");

As you can see, the system is now running STABLE as of late 31 Jan 06.

Wednesday, February 01, 2006

Request for Comments: Bluetooth on FreeBSD

I haven't tried Bluetooth yet because I do not have any Bluetooth-enabled devices. I've considered buying a stock Linksys USBBT100 adapter, or one of the fancier models from Unfortunately, I do not see much support for Bluetooth security tools on FreeBSD. Today I downloaded and tried Bluediving, which is supposed to work. I was unable to get the programs in the tools directory to compile on FreeBSD 6.0.

Is anyone using Bluetooth security tools on FreeBSD? If yes, what tools, and what hardware do you use? Thank you.