TaoSecurity Blog

If you've been following the last few days of posts, I've been thinking about security from a more general level. I've been wondering how we can mitigate risks in a digital world where the following features are appearing in nearly every digital device. Think about digital devices in your possession and see if you agree with this characterization of their development. Digital devices are increasingly: Autonomous: This means they act on their own, often without user confirmation. They are self-updating (downloading patches, firmware) and self-configuring (think zeroconf in IPv6). Users could potentially alter this behavior, but probably not without breaking functionality. Powerful: A cell phone is becoming as robust as a laptop. Almost any platform will be able to offer a shell to those who can solicit it . There is no way to prevent this development -- and would we really want to? Ubiquitous: Embedded devices are everywhere. You cannot buy a car without one. I ex

If you were to pass the dark alley in the image at left, I doubt you would want to enter it. You could imagine all sorts of nasty encounters that might deprive you of property, limb, or life. Yet, few people can imagine the sorts of danger they encounter when using a public PC terminal, or connecting to a wireless access point, or visiting a malicious Web site with a vulnerable browser. This is the problem with envisaging risk that I discussed earlier this week. Furthermore, security in the analog world is much threat-centric. If I'm walking near or in a dark alley, and I see a shady character, I sense risk. I don't walk down the street checking myself for vulnerabilities, ignoring the threats watching me. ("Exposed neck? Could get hurt there. Bare hands? Might get burnt by acid." Etc...) It seems like the digital security model is like an unarmed combatant in a war zone. Survivability is determined solely by vulnerability exposure, the attractiveness of

So-called intrusion prevention systems (IPS) are all the rage. Since the 2003 Gartner report declaring intrusion detection systems (IDS) dead, the IPS has been seen as the "natural evolution" of IDS technology. If you can detect an attack, goes a popular line of reasoning, why can't (or shouldn't) you stop it? Here are a few thoughts on this issue. People who make this argument assume that prevention is an activity with zero cost or down side. The reality is that the prevention action might just as easily stop legitimate traffic. Someone has to decide what level of interruption is acceptible. For many enterprises -- especially those where interruption equals lost revenue -- IPS is a non-starter. (Shoot, I've dealt with companies that tolerated known intrusions for years because they didn't want to "impact" the network!) If you're not allowed to interrupt traffic, what is the remaining course of action? The answer is inspection, followed

As I continue through my list of security notes, I thought I would share a few ideas here. I recorded these while seeing Ron Gula discuss vulnerability management at RMISC . Many people recommend automated patching, at least for desktops. In the enterprise, some people believe patches should be tested prior to rollout. This sounds like automated patching must be disabled. I'm wondering if anyoen has implemented delayed automated patching . In other words, automatic updates are enabled, but with a two or three day delay. Those two or three days give the enterprise security group time to test the patch. If everything is ok, they let the automated patch proceed. If the patch breaks something critical, they instruct the desktops to not install the patch until further orders. I think this approach strikes a good balance since I would prefer to have automated patch installation be the default tactic, not manual installation. Determining which systems are vulnerable results in im

Just today I mentioned that there is no such thing as return on security investment (ROSI). I was saying this two years ago . As I was reviewing my notes, I remembered one true case of ROSI: the film Road House . If you've never seen it, you're in for a treat. It's amazing that this masterpiece is only separated by four years from Swayze's other classic, Red Dawn . (Best quote from Red Dawn: A member of an elite paramilitary organization: "Eagle Scouts." ) In Road House, Swayze plays a "cooler" -- a bouncer who cleans up unruly bars. He's hired to remove the riff raff from the "Double Deuce," a bar so rough the band is protected by a chicken wire fence! I personally would have hired Jackie Chan, but that's a story for another day. Swayze's character indeed fights his way through a variety of local toughs, in the process allowing classier and richer patrons to frequent the Double Deuce. The owner clearly sees a ROSI; the

One of my favorite aspects of attending USENIX conferences is receiving free copies of magazines like IEEE Security and Privacy . The March/April 2005 issue (ok, I'm way behind when I use the freebie method) features two articles that might be interesting to security folks. First, if you want a good summary of trusted computing, read Protecting Client Privacy with Trusted Computing at the Server (.pdf). To get insights on the differences between computer science and computer engineering, try Turing is from Mars, Shannon in from Venus (.pdf). Since Dartmouth faculty wrote both articles, they're published free through dartmouth.edu.

I've written about Common Critera before. If you also think CC is a waste of money, read GAO: Common Criteria Is Not Common Enough by Michael Arnone. It summarizes and comments upon a report by the Government Accounting Office titled INFORMATION ASSURANCE: National Partnership Offers Benefits, but Faces Considerable Challenges . Mr. Arnone writes: GAO also criticized the National Information Assurance Partnership (NIAP) for not providing metrics or evidence that the Common Criteria actually improves product security. In addition, the Common Criteria process takes so long to complete that agencies often find that the products they need are not on the list of certified offerings or that only older versions have been accredited, GAO’s report states... Pescatore said GAO’s call for increased education and awareness of NIAP’s function is overblown. Large vendors already know the process well and can afford millions of dollars for tailor-made product evaluations, he said. Any edu

The April 2006 issue of CIO Magazine features an article called CSI for the Enterprise? . It addresses the rise of electronic data discovery (eDiscovery in some quarters) tools. For a management magazine, the article makes several useful points: Beware the Forensics Label Many salespeople attach the label "forensics" to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, "forensics" means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal proceedings. An enterprise that relies on these tools' records or analysis in, for example, a wrongful termination suit, is probably in for an unpleasant surprise. "It may not hold up in court," says Schwalm, a former Secret Service agent. "Very few vendors have an idea of what the requirements [are for proof, from a legal perspective]. They're really providing just a paper trail. You should challen

The April 2006 issue of Information Security Magazine features an article titled Security Survivor All-Stars . It profiles people at five locations -- LexisNexis, U Cal-Berkeley, ChoicePoint, CardSystems, and Georgia Technology Authority -- who suffered recent and well-publicized intrusions. My guess is that InfoSecMag managed to arrange these interviews by putting a "happy face spin" on the story: "We know your organization was a security mess, but let's look on the bright side and call you an all-star!" Although the article is light on details, I recommend reading these disaster stories. They help make security incidents more real to management. ChoicePoint is one of the companies profiled. That story really bothers me. To know why, read The Five Most Shocking Things About the ChoicePoint Debacle and The Never-Ending ChoicePoint Story by Sarah D. Scalet. I noticed the InfoSecMag did not interview ChoicePoint chairman and CEO Derek V. Smith , author

I ran across some thought-provoking articles in the April 2006 CIO Magazine . The editor's introduction summarizes a major problem with calculating IT spending: As sophisticated as the technology and its countless uses have become, all too often the benchmark used to determine the proper level of an enterprise’s IT spending is alarmingly simplistic: the percentage of overall revenue for which IT accounts... Benchmarking IT spending as a percentage of revenue is a truly useless metric. Unfortunately, according to Koch [mentioned next], it remains the most popular way to evaluate IT spending, and also unfortunately (as most of you already know), it doesn’t say anything about how effective or productive your spending is. Even more unfortunately, benchmarking by percentage of revenue casts IT in the role of a cost to be controlled, defining success simply as lowering the percentage over time. This is a really amazing insight. How many of you see progress in security management throu

I've been flying a fair amount recently, so that means I've been reading various articles and the like. I want to make note of those I found interesting. The March 2006 issue of Dr, Dobb's Journal featured a cool article on Performance Analysis and Multicore Processors . I found the first section the most helpful, since it differentiates between multithreading and hyperthreading. I remember when the FreeBSD development team was criticized for devoting so many resources to SMP. Now it seems SMP will be everywhere. In the same issue Ed Nisley writes about Crash Handling . I call out this article for this quote: Mechanical and civil engineers must consider how their projects can fail, right at the start of the design process, by calculating the stress applied to each component and the strength required to withstand it. Electrical engineers apply similar calculations to their circuits by considering voltage, current, and thermal ratings. In each case, engineers determine

Thanks to Anthony Spina for pointing out that Ethereal 0.99 was released yesterday. Jumping from 0.10.14 in late December to 0.99 now indicates to me that 1.0 will finally appear any day now. The release notes mention a new tool -- dumpcap . Dumpcap is a pure packet capture application, unlike Tcpdump or Tethereal. Those two programs are also protocol analyzers, and at least in the case of Tethereal that means larger memory footprints. I tried the Windows version of Dumpcap. First, let's see the options Dumpcap offers, and start it. Notice that Dumpcap is a simple capture application, but it also supports the ring buffer support I love in Tethereal. Nice work. Here is Dumpcap's memory allocation on Windows during the preceeding capture. Here are Tethereal's options. I start Tethereal using syntax similar to Dumpcap. Note Tethereal supports disabling name resolution with -n, while Dumpcap offers no name resolution options. tethereal -n -i 3 -c 10 -w d:\tmp\tethereal

I've wanted to say something about ENIRA for several months now, but I've been under a non-disclosure agreement. This morning, however, I noticed this press release which quotes me. What's the fuss? ENIRA is a nearby company (in northern Virginia) that sells a Network Response System . It's essentially an incident containment appliance that isolates hosts when directed to do so. It's neither an IDS nor firewall -- layer 3, 4, 7 (IPS), or otherwise. ENIRA learns your network topology by accessing infrastructure devices (switches, routers, firewalls, etc.) and implements a containment policy when told to isolate a host or segment. The isolation mechanism makes the best possible choices, based on any policies and restrictions you have provided. It keeps track of its actions and acts like a "network engineer in a box." I think this is a great network-centric incident response product. Lancope is going to use it to implement short-term incident cont

Several publishers were kind enough to send me review copies of three books last week. The first is Securing Storage: A Practical Guide to SAN and NAS Security by Himanshu Dwivedi. I have very little practical experience with SAN and NAS, and less with security for those technologies. I hope this book can get me up to speed on those topics. The second book is Practical VoIP Security by Thomas Porter. VoIP is being deployed everywhere, and I doubt security is being taken as a serious consideration. In many cases, VoIP traffic is being carried on the same network that transports data. I hope this book will examine these issues and offer real strategies for secure VoIP operation. The third book is PGP & GPG by Michael Lucas. Besides being a BSD expert, Michael is an amazing author. This is his fourth book. I expect this title to provide an accessible discussion of email encryption. You can keep tabs on my reading schedule through my reading page. I track new books on m

Most of my training is private. I wanted to let you know of a few public one-day or more classes I will be providing in the coming months. I will teach a one day course on Network Security Monitoring with Open Source Tools at the USENIX 2006 Annual Technical Conference in Boston, MA on Friday, 2 June 2006. This is the course to attend if you want to learn the essential components of network security monitoring. We will use tools on my Sguil VM in this class. I am happy to report that USENIX accepted a proposal for a new class as well. I will teach a brand new, two day course called TCP/IP Weapons School at USENIX Security 2006 in Vancouver, BC on 31 July and 1 August 2006. Are you a junior security analyst or an administrator who wants to learn more about TCP/IP? Are you afraid to be bored in routine TCP/IP classes? TCP/IP Weapons School is the class you need to take! USENIX LISA will take place 3-8 December 2006 in Washington, DC. I plan to propose either or both of th

If you don't read the comments for this blog you missed the best response of the year, attached to my earlier story on rootkit.com . T. Arthur points out the irony of a Hacking Exposed author pointing the finger at rootkit.com. Apparently Hacking Exposed is "the best selling computer security book ever, with more than 500,000 copies sold." Does that mean Stu and friends created half a million more threats? Are they responsible for all the script kiddies running attacks they learned about in HE ? If you follow McAfee's logic, the answer is yes. If you follow mine, the answer is no.

I operate several Sguil sensors in production environments for clients. At one location I have a single box deployment where the Sguil sensor, server, and database occupy a single FreeBSD platform. This wasn't the original configuration, but I am making do with what I was given. Here is the current df -h output. # df -h Filesystem Size Used Avail Capacity Mounted on /dev/aacd0s2a 989M 76M 834M 8% / devfs 1.0K 1.0K 0B 100% /dev /dev/aacd0s2f 989M 106K 910M 0% /home /dev/aacd0s2h 436G 363G 38G 90% /nsm /dev/aacd0s2e 989M 562M 348M 62% /tmp /dev/aacd0s2d 5.9G 986M 4.4G 18% /usr /dev/aacd0s2g 4.8G 3.8G 639M 86% /var As you can see, /var is approaching the 90% mark. /nsm is already there, but Sguil's log_packets.sh script rotates the full content files stored there. Notice I keep all /nsm data in its own partition, to avoid catastrophe if a runaway p

It took this Slashdot thread to connect me with one of the greatest pieces of music produced in this century: Symantec Revolution If you believe that, you deserve to listen to all 3:10 of it. This is right up there with the Balmer videos , except there's only audio. Update: It gets better. Here's Check Point 's anthem. I like the Symantec one better.

I just read Does Open Source Encourage Rootkits? and the associated McAfee report . In the article we have this quote: Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community. In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems. "The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com ," says Stuart McClure, senior vice president of global threats at McAfee. Let's start debunking this argument with the easiest parts of this quote. First, is Stuart McClure in charge of parties with the capabilities and intentions to exploit a target (i.e.

You know I am always on the prowl for new networking gear to perform network security monitoring. In fact, I may write a whole new book about the subject, pulling enterprise network instrumentation coverage from future editions of The Tao and other books and concentrating it in a single volume. In the spirit of sharing information on new gear, I am happy to let you know about two cool new products from Net Optics . The first is the 10/100 Teeny Tap , pictured above. This is a fully-functional, dual-power, dual output traditional 10/100 Mbps tap. It's functionally equivalent to the 10/100 Ethernet Tap . The second neat product is the iTap Gigabit Dual Port Aggregator . This is a Gigabit tap that provides two outputs where each are combinations of the two TX input streams. This tap is similar to the Gigabit Dual Port Aggregator with several major differences, which I noted last month. I ran some traffic through this tap today and I really liked seeing the traffic load o

In the TaoSecurity lab I have three physical boxes that perform monitoring duties. I wanted to see how each of them performed full content data collection. Note: I do not consider what I am about to blog as any sort of thorough or comprehensive test. In fact, I expect some of you to flail about in anger that I didn't take into account your favorite testing methodologies! I would be happy to hear constructive feedback. I am aware that anything resembling a test brings out some of the worst flame wars known to man. With those caveats aside, let's move on! These are rough specifications for each system. bourque: Celeron 633 MHz midtower with 320 MB RAM, 9541 MB Quantum Fireball HDD, 4310 MB Quantum Fireball HDD, Adaptec ANA-62044 PCI quad NIC hacom: Via Nehemia 1 GHz small form factor PC with 512 MB RAM, 238 MB HDD, and three Intel Pro/1000 Gigabit adapters shuttle: Intel PIV 3.2 GHz small form factor PC with 2 GB RAM, 2x74 GB HDDs, integrated Broadcom BCM5751 Gigabit Ether

The FreeBSD Status Report First Quarter 2006 has been posted. Notable items include Colin Percival meeting his fundraising goal -- thank you! Remember that BSDCan 2006 takes place 12-13 May in Ottawa. I will be elsewhere that week and unable to attend. The Status Report lists lots of cool developments that are worth perusing. I noticed the End-of-life security schedule says FreeBSD 5.4 will no longer be supported after 30 May 2006.

I'm creating a class describing how to access network traffic in order to conduct network security monitoring. I'd like to know if anyone would mind sharing photos of their network closets, with descriptions of the gear in the rack and their network diagram. I'm looking to learn how you get connectivity from your ISP, where that link goes, and what your core, distribution, and access layers look like. I don't need to know about your desktops or whatever. I really just want students to get a look at a network closet and the sorts of connectors, cables, and rack gear they might expect to find. I will not name any names. I'd just like to provide some real-world photos for students. If you can help, please email your photos Friday, along with short descriptions of what's shown. Even pictures taken with camera phones are fine. Thank you very much!

I just posted about the new FreeBSD Java packages. I figured I would try them out and show how the process works. It's been a while since I last described installing Java, back when compiling from source was required. After downloading the binary for FreeBSD 6.0, I tried to install it. orr:/tmp# ls -al diablo-jdk-freebsd6-1.5.0.06.00.tbz -rw-r--r-- 1 richard wheel 54624741 Apr 13 07:30 diablo-jdk-freebsd6-1.5.0.06.00.tbz orr:/tmp# pkg_add -v diablo-jdk-freebsd6-1.5.0.06.00.tbz Requested space: 218498964 bytes, free space: 4397770752 bytes in /var/tmp/instmp.FMG03P Package 'diablo-jdk-1.5.0.06.00' depends on 'xorg-libraries-6.8.2' with 'x11/xorg-libraries' origin. - already installed. Package 'diablo-jdk-1.5.0.06.00' depends on 'javavmwrapper-2.0_5' with 'java/javavmwrapper' origin. pkg_add: could not find package javavmwrapper-2.0_5 ! pkg_add: 1 package addition(s) failed That didn't work. Let me add the package it req

freebsd.png" align=left>I have a few news items of interest to FreeBSD users. First, FreeBSD 6.1-RC1 is now available . The schedule has not been updated, but I'm hoping to see the new release before or during the first week in May. I bet the developers will try to get it out the door before the end of this month, though. If you use Java on FreeBSD, you'll be happy to hear that Java JRE 1.5 and JDK are available as binaries , courtesy of the FreeBSD Foundation . Securing the license to make this happen cost $35,000 . This is how our donations help open source software.

Amazon.com just posted my three star review of The Definitive Guide to MySQL, 3rd Ed . From the review : I read and reviewed MySQL Press' MySQL Tutorial by Luke Welling and Laura Thomson two years ago. I thought Tutorial was a great, concise (267 pages including index) MySQL overview. I hoped The Definitive Guide to MySQL 5, 3rd Ed (DG, 748 pages) would extend my understanding of MySQL beyond the coverage in the Tutorial. Unfortunately, I found the Tutorial did a better job addressing important information than the DG. While there is some good information in the DG, I recommend staying with books published by MySQL Press. I currently have 205 reviews at Amazon.com. Eight of those are non-tech books. That means after my next two reviews, the third will be my 200th.

In an otherwise unremarkable book on MySQL , I found good advice on database accounts and authentication. Here is what the accounts look like in the Sguil VM I just released. taosecurity:/home/analyst$ mysql -u root -p Enter password: Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 6 to server version: 5.0.18 Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select user, host, password from user; +-------+-----------------------------+-------------------------------------------+ | user | host | password | +-------+-----------------------------+---------

A bug in the latest VMware Server Beta (22874) affects my newest Sguil VM . I like to deploy the VM so that VM management interface lnc0 is bridged to /dev/vmnet0, and the sniffing interface lnc1 is bridged to /dev/vmnet2. On Linux this means that /dev/vmnet0 corresponds to eth0 and /dev/vmnet2 corresponds to eth1. You can see in the screen capture at right that my second interface is listed as a "custom" network associated with "VMnet2". When I tried starting my VM today, I got an error message saying VMnet2 was not available. After some searching I found the following thread discussing the same problem. The solution is simple. Rather than accept the listing that VMware provides, replace VMnet2 with /dev/vmnet2. The screen capture at left shows this configuration. Now the VM boots without any problem. Remember to alter permissions on /dev/vmnet2 if you want to use it for promiscuous sniffing. Change permissions when the VM is not booted.

If you read my first book you know I prefer small applications that run in Unix terminals to more complicated programs. I decided to get a sense of the bandwidth being monitored at several sensors deployed at client sites. I did not want to install MRTG or Ntop to answer simple questions like "What is the maximum bandwidth seen by the sensor?" or "What is an average amount of traffic seen?" I decided to try bwm-ng . It's in the FreeBSD ports tree as bwm-ng . (Don't think I'm abandoning FreeBSD for Debian. Nothing can beat FreeBSD's package system in terms of number and variety of applications and up-to-date versions.) Start bwm-ng by telling it the interface you want monitored. # bwm-ng -I em2 The default screen looks like this. bwm-ng v0.5 (probing every 0.500s), press 'h' for help input: getifaddrs type: rate | iface Rx Tx Total ========================================

I read the first post by the president of VMware, Diane Greene . She discusses a subject that has been gnawing at my brain since I heard that Microsoft began offering Virtual Server as a free download. Ms. Greene makes two points. First, she promotes VMware's Virtual Machine Disk Format (VMDK) as an open alternative to Microsoft's Virtual Hard Disk Image Format Specification (VHD). I would obviously like to see an open standard prevail against a closed one. Second, she argues discusses "the question of whether virtualization should be tightly integrated into the operating system or instead a separate wholly independent layer." As you might guess she wants separation: "Tight integration comes at the unfortunate cost of giving up bias-free choice of operating system and thus software stack (i.e. OS and application program)." This is the Web browser-in-the-OS argument all over again. Microsoft said last year that "Microsoft will build virtualiza

I decided my Dell PowerEdge 2300 needed to switch from FreeBSD to Debian. I wanted to try using this SMP system to run VMware Server Beta, which runs on Windows or Linux. I'd like to record two notes about how I got this system running Debian with the 2.4 kernel. First, the Dell PowerEdge 2300 uses a Megaraid RAID system that is not supported by the 2.6 kernel that ships with Debian. I couldn't get the 2.4 version of the installation process to recognize the RAID either, meaning Debian didn't see a hard drive on which to install itself. I found sites like Debian on Dell Servers and considered using custom .iso's for installation. Luckily I found a much simpler solution. During the installation, after the hardware check failed to find my hard drive, I ran the following commands. cd /lib/modules/2.4.27-2-386/kernel/drivers/scsi insmod megaraid.o That allowed the Megaraid to be recognized, after which a hardware re-check found the RAID and permitted installing the O

I've been running Windows 2000 and FreeBSD on my Thinkpad a20p for six years, and I've been considering replacements. That machine offered various features for which I had waited many months, such as a graphics card with 16 MB RAM, mini-PCI architecture for onboard Fast Ethernet, etc. Now I find myself considering the features I would like to see in my next-generation laptop. While I don't have any specific vendor or model in mind, here are the features I want: Intel Core Micro CPU, probably Merom - and Santa Rosa -based, offering dual cores, Virtualization Technology , and EM64T . 2 - 4 GB RAM 120+ GB 7200 RPM SATA hard drive nVidia GPU Gigabit NIC Kedron wireless supporting 802.11n Bluetooth Under 7 lbs -- my current laptop is more like a ThinkBrick At least 14.1" screen I don't see anything on Intel's roadmap which offers these capabilities yet, but The Register indicates units will ship around March 2007. Mike's Hardware and NotebookReview.