TaoSecurity Blog

Every once in a while it's good to be reminded of certain principles. In my first book I outlined three lessons I've learned while monitoring intruders. Sometimes threats in nature provide examples of these lessons. Sguil developer Bamm Visscher pointed me to these images , which I have cropped and annotated for your network security monitoring enjoyment. NSM Principle 1: Some intruders are smarter than you are. NSM Principle 2: Intruders are unpredictable. NSM Principle 3: Prevention eventually fails. Hence, the need for monitoring, e.g., these photos! Thank you to GeekBase for posting these -- I hope you prefer me not linking to the photos directly, thereby saving your bandwidth!

Last month I blogged my installation of Nepenthes . Today I read the announcement that the Nepenthes and mwcollect projects have merged. From this point forward, the mwcollect Alliance will use Nepenthes to collect malware, and the mwcollect suite will be retired. This announcement follows a similar development with the Auditor and iWhax assessment live CDs to merge into BackTrack . I think both of these developments are great. There are far too many attackers compared to security developers, so combining forces like this optimizes scarce resources. It would be nice to see similar consolidation in other projects, where appropriate.

Based on a friend's tip, I found myself looking for this press release , which reads in part: Check Point ® Software Technologies Ltd. (NASDAQ: CHKP), the world leader in securing the Internet, received notice its pending acquisition of Sourcefire ®, Inc. has moved into the investigative stage with the Committee on Foreign Investment in the United States ("CFIUS"). In order to clear the transaction with the United States Government, Check Point submitted two regulatory applications. Check Point received U.S. anti-trust approval and was advised that CFIUS would continue reviewing the application during a 45-day investigative period... Pursuant to the Exon-Florio legislation, CFIUS reviews proposed foreign acquisitions of U.S. companies in order to protect national security while maintaining the credibility of the United States open investment policy. The Exon-Florio legislation provides for a 30-day review following notification of a potential acquisition. CFIUS has the ...

I just installed FreeBSD 6.1-BETA2 in VMware Workstation 5.5.1 build-19175. I have not seen the same sorts of timing problems shown by FreeBSD 6.0 RELEASE inside the VMs I use and have created for the Sguil project. I did not see any obvious changes that would account for the better behavior. I hope FreeBSD 6.1 RELEASE behaves just as well. I am not sure if I will create a Sguil VM for FreeBSD 6.1 and Sguil 0.6.1, or if I will wait for a newer version of Sguil. The latest Sguil version mostly contains client-side improvements. The next version of Sguil (release date unknown) will probably integrate the Passive Asset Detection System , so I would want to include that.

I learned of this post by Marcus Ranum through commentary by Dave Goldsmith . In brief, I agree with much of what MJR says. However, I think pen testers perform a valuable service. I do not think that it is possible for some modern enterprise code to be fully comprehended by any individual or team of developers or security engineers. If the code cannot be fully understood statically, it must be tested dynamically. A live test will reveal how the system acts when working, and may reveal unanticipated interactions or vulnerabilities. In light of this fact, I think pen testers who unearth these flaws perform a valuable service. If it's not tested, it's not a service. Update: Thanks to Tom's comment below, I changed the attribution to fellow Matasano poster Dave Goldsmith.

While preparing for my Network Security Operations class tomorrow, I decided to take a closer look at the state of a few wireless security tools on FreeBSD 6.0. I've used bsd-airtools , specifically dstumbler, before, but I started getting this error when invoking the program with 'dstumbler wi0 -o' as I usually do: error: unable to ioctl device socket: Invalid argument Running without '-o' removed the error, but I didn't see any wireless networks. I found that dwepdump also saw no wireless networks. prism2dump, however, still works: orr:/root# ifconfig wi0 up orr:/root# prism2ctl wi0 -m orr:/root# prism2dump wi0 prism2dump: listening on wi0 - [ff:ff:ff:ff:ff:ff - port: 7 ts: 208.281597 2:42 10:0 - sn: 45728 (6:f:d8:99:2d:fb) len: 55 - ** mgmt-beacon ** ts: 208.281655 int: 100 capinfo: ess + ssid: [STSN] + rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 + ds ch: 11 + dtim c: 0 p: 1 bc: 0 pvb: bfbfea15 - [ff:ff:ff:ff:ff:ff - port: 7 ts: 208.282482...

A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking . His company looks like a managed security services firm, except they are latched onto Gartner 's security in the cloud idea. That is derived from MCI 's (now Verizon 's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud! The No proponent is Bruce Schneier, CTO of Counterpane . He is not exactly saying no to the idea though: [A] choice between implementing network security in the middle of the network - in the cloud - or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both... I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security fu...

I am obviously a proponent of network security monitoring, but I am also a strong believer in privacy. The sort of attitude demonstrated in this article disturbs me greatly: Houston's police chief on Wednesday proposed placing surveillance cameras in apartment complexes, downtown streets, shopping malls and even private homes to fight crime during a shortage of police officers. "I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?" Chief Harold Hurtt told reporters Wednesday at a regular briefing. Sure Chief, why don't you lead by example and install cameras in your home . You're not doing anything wrong, are you? Building permits should require malls and large apartment complexes to install surveillance cameras, Hurtt said. And if a homeowner requires repeated police response, it is reasonable to require camera surveillance of the property, he said... So, the pow...

I highly recommend reading Brian Krebs ' latest article Invasion of the Computer Snatchers . Here are a few of my favorite quotes: "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout. That's great -- what a role model. The young hacker doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place." I'm glad to see this genius is so smart th...

This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1 . I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group. I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical ti...

This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1 . Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended. Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor . Third, in his talk Nitesh referenced his article Googling for Vulnerabilities , which includes a PHP script . He also reminded the crowd of Foundstone's SiteDigger tool. Now, on to new material. I finished Wednesday's briefings by listening to Ira Winkler , a fellow ex-intelligence professional. I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform securit...

This is part 2 of my RSA Conference 2006 wrap-up. I started with part 1 . My first talk of day 2 was Bruce Schneier. Bruce is a great speaker, but I seemed to remember his material from 2002. His major point involved this fact: there are far too many legitimate users compared to attackers. This makes detection and prevention difficult. I believe this is a form of Axelsson's 1999 base rate fallacy (.pdf) paper. Bruce made the interesting point that by charging the conference fee ($1900 or so) to replace a lost badge, RSA had transferred a security problem entirely to the attendees. Next I saw Nitesh Dhanjani discuss penetration testing techniques and tools. I worked with Nitesh at Foundstone, and his talk was excellent. He emphasized how he only uses open source tools for his work, because they are so easily customized to meet his requirements. Nitesh described how the Metasploit WMF exploit works. He showed how to create a new NASL script for Nessus, and made the poi...

I'm using T-Mobile at the San Francisco airport as I write this, on my way home from the RSA Conference 2006 . Here are my thoughts on my first RSA conference: Holy vendors, Batman. This seemed to be a show by vendors, for vendors. In some ways the presentations were afterthoughts, or just another way for some vendors to describe their products or upcoming technologies. I plan to report on one or two cool products I encountered on the exposition floor, but for now I'll quickly mention the talks I saw. I began Tuesday be attending a briefing advertised as a discussion of wireless intrusion detection. Instead of learning something new, I heard an IBM employee describe wireless as if the audience had never heard of it. Buddy, it's 2006, for Pete's sake. That was a wasted hour. Next I listened to Chris Wysopal discuss static binary analysis to discover security vulnerabilities. In contrast to another ex-@Stake/ex-L0pht member (mentioned later), Chris was coherent, i...

Just in time for RSA , Bamm Visscher has released Sguil 0.6.1 . You can read the release announcement . Most of the improvements have happened on the client side, especially with regard to using UNION queries. The client will also look slightly different due to using the tablelist widget. If you're at RSA, I speak today from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics. I will sign books on Wednesday, 15 February 2006 from 1200 to 1230.

I have a few really old laptops that I've rescued for use in the TaoSecurity labs . One is a Thinkpad 600e PII 366 MHz with 128 MB RAM, and the other is a Thinkpad 1400 Pentium MMX 300 MHz with 256 MB RAM. Recently I wondered if I could use them as VMware Player running on them. First I needed a supported operating system. I first tried Ubuntu , since it looked like the most recent free OS with which I was familiar. Unfortunately, Ubuntu's live CD and installation CD hung on the two laptops I tried. I turned next to Red Hat Linux 9, intending to use the Fedora Legacy project to update the OS once installed. RH 9 and Fedora Legacy worked perfectly. I don't need to repeat what I did because the Using Fedora Legacy's yum 2.x for Red Hat Linux 9 documentation is so excellent. I checked the FAQ and used Yum to update the kernel after the userland apps were updated. Impressive all around. Next came the moment of truth. Would VMware Player run on these old syste...

My friend John Ward wrote me recently, asking what sorts of reports managers should receive from network security monitoring operations. John posted his experiences using Business Intelligence and Reporting Tools (BIRT), and its role in business intelligence (BI). What do you put in the NSM reports you provide for management? What would you want to see extracted from the NSM data you collect?

I am very happy to report that the CV863A -based Lex Twister VIA 1 GHz Nehemiah Padlock ACE 3-LAN Gigabit Ethernet Dual-PCMCIA 1-PCI (Lex Twister CV863A3U10) small form factor PC I bought from Hacom is running FreeBSD 6.0. You can see the dmesg output courtesy of NYCBUG dmesgd . I bought this system as a proof-of-concept mobile sensor. It's much smaller than the Shuttle SB81p I also use. The Lex Twister even fits in my consulting bag. Although the Lex Twister is not as versatile as the Shuttle, it still supports a full 3.5 inch HDD. The model I bought also has three built-in Intel Gigabit NICs. Here is a look at the back of a similar box; mine does not have four NICs. I installed FreeBSD 6.0 using a USB-connected external CD/DVD burner. I had to first try to boot the Lex Twister, have it find the optical drive, report an error, and then place the FreeBSD install CD in the drive and try again. Is anyone using a small monitor, like these ? If so, can you recommend a p...

The new TaoSecurity company services brochure is available (.pdf). If any of you small business owners would like to contact the graphics designer who created this brochure for me, I would be happy to forward his email address. The front of the brochure explains my company's services, and the reverse explains our classes .

If you listened to my recent BSDTalk podcast , you heard me mention PortRequest . Well, it's live! PortRequest is part of the NYCBUG site; Michael Welsh coded it, receiving nothing in compensation. If you visit www.portrequest.org you will be redirected to the actual NYCBUG Portrequest page. The idea behind PortRequest is simple: I am lazy. Whenever I find a new program, I first look to see if it is in the FreeBSD ports tree by searching Dan Langille's FreshPorts site. What do I do if the program is not in the ports tree? Next I query the Problem Reports database to see if a new port is pending. For example, this query shows Sguil-related ports that are being developed. What do I do if there is no PR? Do I just bookmark the tool and move on? I hate bookmarks. Rather than simply bookmark the page for a new program, I now have an alternative. I can try the program (verify that it compiles, see how it works, etc.), and then post information about that program to P...

If you've seen my resume you'll know I do not have a degree in computer science. My last post mentioned what I studied in "college" -- history and political science, along with minors in French and German -- including a heavy engineering core. In grad school I studied national security in a public policy program. I graduated from the master's program ten years ago. Looking to the future, I've considered what my resume needs to look like if I want to keep certain doors open. One of the doors involves teaching at the college/university level. Another door involves being considered for leadership positions in government. A common factor I've seen in both roles is possession of a PhD in the appropriate field. Through speaking with people like Christian Kreibich (author of NetDude ) or reading the work of people like Ross Anderson (author of the incomparable Security Engineering ), I've come to respect the University of Cambridge Computer Laborato...

freebsd.png" align=left>According to this announcement , FreeBSD 5.5-BETA1 and FreeBSD 6.1-BETA1 are now available. Looking at the release schedule , I estimate we'll see FreeBSD 5.5 in late April and FreeBSD 6.1 in early April. The schedule is very ambitious, will 6.2 and 6.3 releases planned for this year too. Remember that FreeBSD 5.5 is probably the last in the 5.x tree. I'd like to thank Royce Williams for pointing out that Colin Percival has been building SMP kernels for freebsd-update . Here is the announcement. This is great news for people who want to run stock FreeBSD installs and stay up-to-date with the SECURITY branch on SMP hardware.

I get a free subscription to Dr. Dobb's Journal . The March 2006 issue features an article by Ed Nisley titled "Professionalism." Ed is a software developer with a degree in Electrical Engineering. After working at a computer manufacturer for ten years in New York state, he decided to become a "consulting engineer." Following the state's advice, Ed pursued a license to be a Professional Engineer. Now, 20 years after first earning his PE license, Ed declined to renew it. He says "the existing PE license structure has little relevance and poses considerable trouble for software developers." You have to register with DDJ to read the whole article, but the process is free and the article is worthwhile. Here are a few of Ed's reasons to no longer be a PE: "[T]o maintain my Professional Engineering license, I must travel to inconvenient places, take largely irrelevant courses, and pay a few kilobucks. As nearly as I can tell from the co...

A fellow Sguil user wrote a surprisingly complete account of a compromise of his Web server, and how he used Sguil to identify the intrusion and respond to the incident. The author, Chas Tomlin , provides a step-by-step walkthrough of his investigation, along with some of his actual findings -- including a transcript of an IRC conversation between bot net operators.

Yesterday I posted how I figured out how to use wlan_wep on FreeBSD. Today I received my new Linksys WPC54G wireless 802.11g network adapter. I decided to try using it with FreeBSD 6.0. When I inserted it into the PCMCIA slot, I got these errors: cardbus0: CIS pointer is 0! cardbus0: Resource not specified in CIS: id=10, size=2000 cardbus0: at device 0.0 (no driver attached) That didn't look good. I decided to use Bill Paul's ndis driver to get the Windows drivers working with FreeBSD. I posted about this capability two years ago, but today I used it in production. I had previously tried the ndiscvt utility to turn Windows device drivers into something recognized by FreeBSD. Looking at the man pages, I soon learned of the new ndisgen a text-driven wizard to facilitate using ndis. Here's how it worked for me. First (using a wired connection) I downloaded the latest version of the Windows drivers for my WPC54G. I saw the Linksys site offered downloads for WPC54...

At my desk I connect to the rest of my wireless network with a Netgear WGE111 54 Mbps Wireless Game Adapter (don't ask). I usually don't use the SMC EZ Connect 802.11b Wireless PCMCIA card, model SMC 2632W v.1 I have nearby. While watching "the big game" I decided to check email, so I tried using this wireless card with my FreeBSD 6.0 laptop. I saw this error: orr:/home/richard$ sudo ifconfig wi0 inet 192.168.2.5 netmask 255.255.255.0 ssid shaolin wepkey 0xmykey wepmode on ifconfig: SIOCS80211: Invalid argument What the heck is this? I took a look at dmesg output and saw the following: ieee80211_load_module: load the wlan_wep module by hand for now. This is a change reported in the release notes . Luckily wlan_wep is available as a kernel module, so I was able to load it easily. orr:/home/richard$ kldstat Id Refs Address Size Name 1 10 0xc0400000 63072c kernel 2 2 0xc0a31000 74b0 snd_csa.ko 3 3 0xc0a39000 1d408 sound.ko 4 1 0xc0...

Does the following sound like any security project you may have worked? Executives decide to pursue a project with a timetable that is too aggressive, given the nature of the task. They appoint a manager with no technical or engineering experience to "lead" the project. He is a finance major who can neither create nor understand design documents. (This sounds like the news of MBA s being in vogue, as I reported earlier.) The project is hastily implemented using shoddy techniques and lowest-cost components. No serious testing is done. The only "testing" even tried does not stress the solution in any meaningful way -- it only "checks a box." Shortly after implementation, the solution shows signs of trouble. The project manager literally patches the holes and misdirects attention without addressing the underlying flaws. Catastrophe eventually ensues. What I've just described is the Boston Molasses Flood of 1919, best described by the Boston Society of ...

Amazon.com just posted my four star review of McGraw-Hill/Osborne's Hardening Network Security . From the review : "As a security consultant I am sometimes asked for reference books for new security managers. These individuals need help bringing their enterprise under control. Hardening Network Security is a good book for this sort of problem, although it is important to recognize a few technical errors outlined below."

Will Backman from BSDTalk posted a new podcast (.mp3, 16 MB) featuring his interview with me. In the first half of the podcast Will explains ways to obtain BSD. The second half of the podcast is the interview. We talked about my ShmooCon presentation, my blog, book reviews, how I use FreeBSD, and the upcoming PortRequest project implemented by the good people at NYCBUG . orr:/data/media/audio$ mpg123 -a /dev/dsp0.0 bsdtalk013.mp3 High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3. Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp. Uses code from various people. See 'README' for more! THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK! Title : bsdtalk013 - Interview with Ri Artist: Will Backman Album : Year : 2006 Comment: Genre : Speech Playing MPEG stream from bsdtalk013.mp3 ... Junk at the beginning 49443303 MPEG 1.0 layer III, 96 kbit/s, 44100 Hz mo...

This is one of those tasks that I want to remember for the future, because I can imagine encountering the same problem again. When I build servers with FreeBSD, I usually do not include packages for X.org . I access my servers using OpenSSH so I don't need any graphics support. Recently I needed a platform to QEMU . It turns out that QEMU opens an X session. The system where I wanted to run QEMU was a remote server (janney), so I needed to add X support. I figured "If I can export an xterm, I can export QEMU." So, I added the xterm package. Here are Xterm's dependencies as reported by pkg_tree: janney:/home/richard$ pkg_tree xterm xterm-203 |\__ pkgconfig-0.17.2 |\__ freetype2-2.1.10_1 |\__ expat-1.95.8_3 |\__ fontconfig-2.2.3,1 |\__ xorg-libraries-6.8.2 \__ libXft-2.1.7 So, you can see that installing Xterm added the following X.org package: xorg-libraries-6.8.2 X11 libraries and headers from X.Org So, I ssh to janney, using the -X option to enable X forwardi...

I received four new books in the last few weeks. The first is Wiley's Security Patterns: Integrating Security and Systems Engineering by Markus Schumacher, et al. I am very interested in books like Wiley's unparalleled Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson . I hope Security Patterns will present techniques that can be implemented in a vendor- and possibly technology-neutral manner. The second is No Starch's TCP/IP Guide by Charles M. Kozierok. The book is already online , but in a fairly difficult format for reading. This is an interesting approach. One might consider mirroring the whole site, but that violates the author's rules. You can download the book or now purchase the printed version. You might want to buy it directly from the author, since he offers an electronic copy with the printed one. As for the book itself, it's a massive 1500+ page tome. Reviews seem to be positive, and at a glance th...

Most of my FreeBSD systems track the SECURITY branch of FreeBSD. Wherever possible I try to apply binary updates for the kernel and userland with Colin Percival's freebsd-update tool. Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source. One of my systems does track the STABLE branch of FreeBSD, specifically RELENG_6. This is more or less a lab system. I like to see what might appear in the next version of FreeBSD, since 6.1 will be a version of STABLE. Although STABLE is definitely more likely to be operational than CURRENT (which is the bleeding edge and will become FreeBSD 7.0), running STABLE is not without its hazards. Recently a commit appeared that changed part of the PCI code, shown with diffs here . I happened to try updating to the version of FreeBSD STABLE that had src/sys/dev/pci/pci.c version 1.292.2.6, dated Mon Jan 30 18:42:10 2006 UTC. While compiling, I got this error: /usr/src/sys/dev/pci/pci.c:1611: error: `PCI...