TaoSecurity Blog

Issue 1.6 (March 2006) (.pdf) of (IN)SECURE Magazine is now available for download. This is a great online magazine that covers a wide variety of security topics. Consider submitting an article.

My friend John Ward posted a discussion of controlling bots with steganography: So basically, all this does is open a Bitmap file, decode the stenography message, and pass the resulting message to the protocol class for handling. More sophisticated techniques can be employed, and steganography has grown as a field, so different graphics formats, MP3 files, or even specially encoded HTML headers can contain the message. This deviates from the traditional botnet where the client connects to an IRC channel or some other central media to receive commands in real time. In this method, the attacker loses real-time response and gains stealth. With a reasonable interval of time set for the clients, the attacker can have their nefarious commands executed in a short amount of time. By combining this code with some disguised distribution method, lets say an image thumb-nail browser for an online graphics catalog, the program can be distributed widely, and its online image grabbing behavior would

Tom Gallagher, author of the forthcoming Hunting Security Bugs , sent the following in reply to my Microsoft Is Getting It post: Hello Richard. Last weekend I read your blog about Microsoft BlueHat and our security books and thought you might be interested in some more information about these topics. I joined the company almost 7 years ago. In that time, I've seen some major changes happen around how the company views security. As you are aware, the company didn't focus much on security back then. I was one of the few people at the company who did fulltime penetration testing. I worked on a small product team within Microsoft Office and was responsible for testing only it. Today things are very different. In Office's vision document for the release, the first tenet is about the importance of security. Unlike when I started, security is now the responsibility of everyone creating the software - not just the person writing the code, but also the people who design, te

Amazon.com just posted my five star review of Protect Your Windows Network by Jesper Johansson and Steve Riley . I loved this book. It's another must-read, but check out my comments. From the extensive review : I received a copy of Protect Your Windows Network (PYWN) almost one year ago, and I immediately put it aside. I figured it was another "security configuration guide," with lots of descriptions of settings and other tweaks that makes for boring reading. Recently I decided to give PYWN another look, and I am exceedingly glad I did. PYWN is one of the best security books I have ever read, and that includes nearly 200 titles over the last six years. Incredibly, even non-Windows users will find plenty of sound advice for their enterprise. Although the book is highly opinionated (and at times perhaps not on my side of the issues) I strongly recommend reading PYWN.

Thanks to SANS Newsbites I read the article FISMA Fizzles . I've written about FISMA before . The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA: OMB's FISMA implementation basically boils security down to paperwork exercises, and score card pressure ensures it stays that way. But that's not how cybersecurity works; it requires real-time monitoring , updating and patching, Brody says, which isn't necessarily reducible to a paper trail. (emphasis added) Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view: FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says. I see. Reading the DHS' grade history shows they ha

Using the scripts I described yesterday , I built a new Sguil VM. It is available here: freebsd54-sguil-24mar06-pub1.tar.bz2 (310 MB) SHA256 (freebsd54-sguil-24mar06-pub1.tar.bz2) = a18bcd8114c4f40e43f777dc3f34ca917a44093e16f72a720f1ff6183e66f434 The VM is in bzip2 format. Windows users can extract it with bsdtar for Windows. The OS is FreeBSD 5.4 with the latest security patches. Sguil 0.6.1 is set up with all components on the same system. This VM is similar to my two old VMs using FreeBSD 6.0 and Sguil 0.6.0p1. I tried to address issues people discussed. I could not build the disks using SCSI because FreeBSD did not recognize them. I know the VM works in VMware Workstation and VMware Server Beta. I did not yet test it in VMware Player. VMware ESX Server probably doesn't work because it doesn't like IDE disks. This VM uses a 6 GB virtual disk. I gave the /nsm partition 2 GB space so you can try collecting more traffic. I built the VM with two interfaces. As con

Joe Brockmeier from Newsforge interviewed me via phone today for his article Check Point withdraws from Sourcefire acquisition . I think Joe did a good job relaying my thoughts on the matter. He read my earlier post and decided to call.

My friends at Sybex , a division of Wiley , sent me a review copy of EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting and William Wei. This looks like a good introductory book for Guidance Software 's products, especially those that are host-based. I plan to read this book in tandem with Brian Carrier's File System Forensic Analysis . Speaking of Guidance Software, I am speaking at their 2006 Computer and Enterprise Investigations Conference in LAs Vegas on Thursday, 4 May 2006 from 1400-1530 on Network Forensics.

According to Sourcefire's press release : Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor. According to Check Point's press release : The companies have determined that it would be more effective to create a customer focused business partnership. "We've decided to pursue alternative ways for Check Point and Sourcefire to partner in order to bring to market the most comprehensive security solutions," said Gil Shwed, Check Point's CEO. Check Point and Sourcefire will continue to create and distribute the best security solutions in their respective spaces. They will work together on formulating a partnership strategy

I have not been happy with the performance of FreeBSD 6.0 under VMware Workstation or VMware Server Beta. I thought some workarounds helped, but that wasn't really the case. Also, since releasing my original Sguil installation script, I've wanted to break it into scripts for the Sguil sensor, database, server, and client. I decided today to kill two birds with one stone. First, I broke the master script into the following smaller scripts. sguil_sensor_install.sh sguil_sensor_install_patch.sh sguil_server_install.sh sguil_database_install_pt1.sh sguil_database_install_pt2.sh sguil_client_install.sh All of them are available in this archive: sguil_install_scripts.tar.gz . These are not pretty. There is no error checking. There is no interaction. You will have to make modifications to get them to work flawlessly in your environment. Important: As written these scripts download packages for FreeBSD 5 , not 6. You can modify this. These will work best "out of the box

I've been writing about deploying VMware Server Beta on Debian. Today I tried my Sguil VM and found I could not sniff all traffic on lnc1. I could only see broadcast traffic (ARP, DHCP, etc.). That indicated lnc1 was not seeing the physical interface in promiscuous mode. I have the lnc1 interface corresponding to /dev/vmnet2, which is bridged to eth1 on the Linux host. After checking to be sure eth1 was up and could see all traffic as I expected, I couldn't think of a reason why lnc1 wouldn't see the same. I did not have this problem on Windows when I wrote about it. Luckily I found this GSX document which said: GSX Server does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user running GSX Server has permission to make that setting. This follows the standard Linux practice that only root can put a network interface into promiscuous mode. Well, I have the VMware Server components running as root. If you want all users to be able to se

William and Lynne Jolitz issued a press release announcing the reprinting of their 1991-1992 series of articles Porting UNIX to the 386 . From the press release: "The series covered all aspects of the project, from its inception in mid-1989 as a personal project done under the auspices of the University of California at Berkeley to its first complete operational open source release on March 17th, 1992 of 386BSD Release 0.0 -- 386BSD releases are officially 14 years old today [17 March]." Anyone interested in Unix and BSD history will like these articles. Thus far two are online, with more to come.

Yesterday I posted experiences with VMware Server Beta. I repeated the installation process on a normal Intel laptop running Debian and I had no problems, save one. When I tried to connect to the VMware Server using the VMware Server Console (running on Windows 2000), I could never see the VM screen appear. The VM seemed to be running fine, but I had the same problem as described in this forum thread . Luckily, the fix in the thread worked for me too; I set the permissions on the .vmx file to 755 and I was able to see the VM screen in VMware Server Console. The only unfortunate aspect of the endeavor was the limitations of my hardware. Although everything runs, a 366 MHz PII laptop with 287 MB (?) RAM does not a good VMware Server make. Also: /usr/lib/vmware-mui/apache/bin/apachectl controls VMware's httpd server. Another note: I had to rerun vmware-config.pl to change networking options. When I did that, I lost httpd. To restore it, I had to run vmware-config-mui.pl.

I previously reported running FreeBSD 6.0 on my Hacom Lex Twister VIA 1 GHz Nehemiah. Today I decided to install Debian on it. I will warn you now that the majority of this post is documentation for my own reference, and the hope it might help someone else. If you're looking for short, pithy security insights, today is not your day. I used a USB-connected external CD burner as my installation source. The Hacom is very temperamental with it. I had to disable all booting sources except the USB-CD. Next I booted the Hacom with the USB-CD off. Once I got an error from the BIOS about a lack of bootable devices, I then turn on the USB-CD and press to try booting again. Installing Debian on the Hacom was fairly painless. I did not add any packages with aptitude during the installation. That meant the following packages were installed. hacom:~# dpkg --list Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?

If you didn't want to buy the ShmooCon DVD of my Sguil talk from ShmooCon 2006 , you can now download the video in .mp4 format. It's about 84 MB, and when I grabbed it the download was fairly quick.

I've posted the flyer and registration form ( .pdf ) for my only public Network Security Operations class in 2006. It will takes place 13-16 June 2006 in Fairfax, Virginia. If you refresh your browser or clear you're cache you'll notice the new banner for the class at the top of the blog . All you RSS and Atom readers are missing out! For more details, please see the flyer and this blog post . There's only 20 seats. 2 are filled by the agency hosting the class, and the rest are filling. Please contact me soon, especially if you want to save money on registration! Thank you.

Amazon.com just posted my four star review of Silence on the Wire by Michal Zalewski . I liked this book, although reading it was not as pleasant as I expected. From the review : I received Silence on the Wire (SOTW) almost one year ago. When I first tried reading the book, I couldn't get past Ch 1. In fact, I didn't try reading anything for three months, hoping I could re-engage SOTW. Eventually I put SOTW aside and read other books, only to return to SOTW this week. I'm glad I gave SOTW a second chance. There's plenty to like in this book if you look for the details that interest you.

Amazon.com just posted my four star review of Perfect Passwords . This brings my dozen-Syngress-book reading drive to an end. Note that I read the first several books on flights over the Atlantic or waiting in airports. That gave me a jump on the reviews. From the review : I never thought I would find a whole book about passwords to be interesting, but I really like Mark Burnett's Perfect Passwords. This short book (134 pages without the appendices, which can be ignored) is remarkably informative. I recommend anyone developing password policies or security awareness training reading Perfect Passwords.

My friends at Pearson sent me four new books from their various imprints. The first is Penetration Testing and Network Defense by Andrew Whitaker and Daniel Newman. This book has received high marks at Amazon.com and it seems more coherent than a similar book I just reviewed. This is my first Cisco Press security book. The last Cisco Press book I reviewed was Cisco Router Firewall Security . Next is VPNs Illustrated: Tunnels, VPNs,, and IPsec by Jon C. Snader. This book is unique in that it looks and communicates like Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols . I wanted to read this book after seeing the diagrams, code snippets, and Tcpdump traces. I've also never found a really satisfying analysis of IPsec, which is covered by this book. The Amazon.com reviews are mixed, but I am hopeful. The next book is High-Assurance Design: Architecting Secure and Reliable Enterprise Applications by Clifford J. Berg . This is a book of design principles

I learned through Slashdot that Microsoft held its third Blue Hat Security Briefings . They also have a Blue Hat Blog . Reading this article , and considering that this is the third Blue Hat, it sounds to me like Microsoft is taking security seriously. It's been over over four years since Bill Gates issued his famous security memo . What's happened since then? With Blue Hat, Microsoft is listening to the top public security researchers who are breaking Windows. Halvar Flake at Black Hat Federal 2006 says it is getting tougher to find vulnerabilities in Windows. I reported that a talk I saw on Vista at RSA 2006 impressed me. The company is incorporating good security practices like least privilege and privilege separation, already found in Unix OS' and tools. Microsoft is publishing books like Writing Secure Code, 2nd Ed , Hunting Security Bugs , and The Security Development Lifecycle . The company has a group which has the power to stop shipment of software due

Amazon.com just published my three star review of Penetration Tester's Open Source Toolkit . From the review : I am not sure why Penetration Tester's Open Source Toolkit (PTOST) was published. If you have no other security assessment books, you may find PTOST helpful. Otherwise, I don't believe this book offers enough value to justify purchasing it. Other books -- some published by Syngress -- cover some of the same ideas, and 5 of PTOST's chapters are published in other books anyway.

I just signed up to see Marty Roesch from Sourcefire speak on Wednesday 29 March 2006 in Washington, DC. The topic is Redefining Federal Network Security - Protecting Against Threats, from All Vectors, at All Times . That sounds ambitious. Marty might be coming to a city near you -- check the calendar and register. If you're going to attend the DC event, say hello -- I'll be wearing a TaoSecurity polo.

I found a sign of the Apocalypse will reading the Argus mailing list . Long-time Blog readers should know that Argus is a stand-alone NSM session data program that I profiled in Tao . The relevant message by Argus developer Carter Bullard is here . In brief, Carter will be releasing a beta of Argus 3.0 "in 2-3 weeks". This is an incredible development. The last publicly posted Argus version is available at ftp://ftp.qosient.com/dev/argus-2.0/ . The server and client programs are argus-2.0.6.fixes.1 and argus-clients-2.0.6.fixes.1, respectively. These files are almost two years old, and Argus mailing list users recommend adding patches that are only available on the mailing list! For the sake of proper version management alone, I can't wait to see Argus 3.0 released. Carter reports that Argus 3.0 "adds IPv6 support, better encapsulation parsing, 64-bit support, Cygwin support and 64 bit counters, as well as a hundred thousand little nits and small changes t

Amazon.com just posted my four star review of the fourth book in Jay Beale's Open Source Security Series , Nessus, Snort, and Ethereal Power Tools . From the review : I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT), is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects. Update: Andrew Williams from Syngress provided this feedback concerning the problems with FI and FL characters being mangled. Those who register can download a PDF of the book. This PDF fixes the code problems you referenced. Readers can

Amazon.com just posted my four star review of Securing IM and P2P Applications for the Enterprise . From the review : I had high hopes for Securing IM and P2P Applications for the Enterprise (SIAPAFTE), and thankfully this book delivers. SIAPAFTE is a modern, well-written, thorough guide to instant messaging (IM), peer-to-peer (P2P), and Internet Relay Chat (IRC) networks and related security issues. I recommend all network and security administrators read this book.

Amazon.com just posted my four star review of Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools . From the review : I read Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools (SOICUCAOST) to learn more about compliance issues. I am a security engineer who thankfully has not had to suffer through a SOX audit. I am glad I read SOICUCAOST, however. The book is clear, well-written, and makes innovative use of a live CD. While the book is not the answer to SOX compliance (no book is), small-to-medium-sized businesses will find SOICUCAOST a valuable guide.

If you'd like to see me teach material related to my first book , please register for USENIX 2006 (the Annual Technical Conference). I'll be presenting Network Security Monitoring with Open Source Tools all day on Friday, 2 June 2006 in Boston, MA. I'll probably fly in the previous day, then attend Gerald Carter's half-day presentation Ethereal and the Art of Debugging Networks . I may stay for Dan Geer's class on Saturday -- Measuring Security . Seats are filling for my only public Network Security Operations class in Fairfax, VA , 13-16 June 2006. Contact me via email (richard at taosecurity dot com) before 1 April to get the best rate!

Amazon.com just posted my three star review of Security Log Management . From the review : When I received a review copy of Security Log Management (SLM) last month, I was eager to read it. I saw two very powerful but seldom discussed tools -- Argus and Bro -- mentioned in the table of contents. This indicated some original thinking, which I appreciate. Unfortunately, SLM did not live up to my expectations. When you strip out the pages of scripts and code and the three reprinted chapters, you're left with a series of examples of output from the author's deployment of several tools. Aside from a few examples mentioned in this review, I don't think readers will learn much from SLM.

Two new books arrived at TaoSecurity last week. The first is Software Security: Building Security In by Gary McGraw. This book is available alone or in a boxed set with Exploiting Software and Building Secure Software . I've read the second book, so I may try to read Software Security right away. The new book is the third in the Addison-Wesley Software Security Series . At RSA in February Gary told me he wanted Building Secure Software to begin that series, but instead it ended up in the Addison-Wesley Professional Computing Series . The other book in the Software Security Series is Rootkits , a book I'm waiting to read. I'd like a little more programming knowledge before trying that one. The second book added to my reading queue is Anti-Hacker Toolkit, 3rd Ed . I reviewed the 2nd Ed in June 2004 and the 1st Ed in August 2002. I sat down with the 2nd and 3rd editions and did a cursory examination of changes. The major difference is a new chapter, 26, on re

Amazon.com just posted my five star review of Skype Me! . From the review : Skype Me! is the perfect introduction to Skype for users of all skill levels. It could serve as an example of how to write a product-centric book that delivers real value. The text is well written, clear, and focused. The material becomes progressively complex as the reader moves from learning about Skype, to installing it, to using it, to extending it into areas I hadn't previously considered. Anyone who wants to get the most out of Skype should read Skype Me!

I found the following quote in this story about problems at the CIA: "[Y]ou're getting into the problem of very junior, inexperienced people, which a lot of veteran CIA people feel now is part of the problem. Porter Goss has to double the number of operational people in an environment where there are no mentors. Who's going to train these people?" This reminded me of the problems in information technology. There is far too much infrastructure being operated by far too many inexperienced people who have no mentors.