TaoSecurity Blog

Those of you who read the Atom or RSS feeds for this blog have been missing my personalized USENIX Security 2006 banner ad, visible to my Blogger readers. In fact, some of you might have no idea that I, Richard Bejtlich , write these words, thanks to the various people who copy and reproduce my blog postings without regard to my authorship! In any case, there are ten days left for early registration for USENIX Security in Vancouver, BC. I will teach a brand new, two day course called TCP/IP Weapons School (TWS) on 31 July and 1 August 2006. This will be a fun course. Let me make your expectations perfectly clear, however: the primary purpose of this course is to teach TCP/IP and packet-level analysis. The intended audience is junior and intermediate security personnel. We will work our way up the TCP/IP stack over the two day course, using security tools at each layer to provide sample traffic for analysis. If you walk up to me in class and say "I know all of these tool...

It sounds to me like the Duronio defense team has nothing left in its tank, so it's attacking Keith Jones directly. The latest reporting, UBS Trial: Defense Suggests Witness Altered Evidence , shows how ridiculous the defense team sounds: "So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?"" [defense attorney] Adams asked. "The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough pieces to form the picture of the boat." Adams countered, "But you might not see all the other boats around it." Jones replied, "But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data. There was nothing in that data set that could remove the data I already had." It sounds like Keith has more testifyin...

Today I spoke briefly at the 18th Annual FIRST Conference in Baltimore, MD. Thanks to those who waited to see me fill the very last speaking slot on the very last day of the conference, before an extended holiday weekend. A few of you asked for my slides, so here they are -- The Network-Centric Incident Response and Forensics Imperative .

Keep an eye on your local news stands or mail box for the August 2006 issue of Sys Admin magazine. They published an article I wrote titled Tuning Snort . I describe simple steps one should take with Snort to reduce the number of unwanted alerts. I used a beta of Snort 2.6.0 when writing the article a few months ago.

I've been covering the Duronio trial in which my friend Keith Jones is testifying as the government's star forensic witness. Today's story describes how Keith explained his findings while being attacked by defense attorneys. This excerpt is priceless: At one point, [defense attoryney] Adams laid out a scenario in which someone could have created a backdoor in the UBS system, and then deleted it before a backup was done to capture it. When he asked Jones if he, personally, could do such a thing, Jones replied, "I could do a lot of things. That's why I'm hired to do the investigation." Bamm! Nice response Jones. It has been crucial to the prosecution's case that Jones is not a self-proclaimed "hacker." This report shows how the defense pursued Karl Kasper, aka "John Tan," ex-@Stake, ex-L0pht "hacker," for signing official documents as "John Tan" instead of using his real name. UBS hired @Stake to perform f...

Several months ago I posted how I used Colin Percival's freebsd-update program to perform a binary upgrade from FreeBSD 5.4 to 6.0 remotely over SSH. Thanks to Colin's latest work , I was able to successfully perform a binary upgrade from FreeBSD 6.0 to 6.1 remotely over SSH. hacom:/root/upgrade# uname -a FreeBSD hacom.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Tue Apr 18 08:56:09 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 hacom:/root# fetch http://www.daemonology.net/freebsd-upgrade-6.0-to-6.1/upgrade-6.0-to-6.1.tgz upgrade-6.0-to-6.1.tgz 0% of 4706 kB hacom:/root# sha256 upgrade-6.0-to-6.1.tgz SHA256 (upgrade-6.0-to-6.1.tgz) = 29075fc5711e0b20d879c69d12bbe5414c1c56d597c8116da7acc0d291116d2f hacom:/root# tar -xzvf upgrade-6.0-to-6.1.tgz x upgrade x upgrade/upgrade.sh x upgrade/6.1-index x upgrade/6.0-index hacom:/root# cd upgrade hacom:/root/upgrade# ./upgrade.sh^M^M Examining system... done. The followin...

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating: It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs. So China is censoring its citizens using ten-year-old technology. How long before they upgrade? Update: Tom Ptacek shows this story is old news . Grea...

Keith Jones is connecting with his jury, according to the latest Information Security article on the Duronio trial: Jones, trying to explain the program to the jury, said to think of a Looney Tunes cartoon where there's an alarm clock attached to a bundle of dynamite. The alarm clock is the trigger, he told the laughing jury, while the dynamite and resulting explosion make up the payload. This excerpt tells me two facts. (1) Jones is using terminology the jury can understand. (2) The jury is listening to him. I'm looking forward to reading about the defense's cross-examination, which should be happening now.

In the network forensics portion of my Network Security Operations class I cover a variety of reasons to validate that one's tools operate as expected. I encountered another example of this today while capturing network traffic from a wireless adapter. I explained several months ago how I use the ndis0 interface with a Linksys WPC54G adapter. This is a wrapper for the Windows driver packaged with the NIC. Here I am pinging another wireless host. $ ping -c 3 192.168.2.31 PING 192.168.2.31 (192.168.2.31): 56 data bytes 64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=71.342 ms 64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=95.017 ms 64 bytes from 192.168.2.31: icmp_seq=2 ttl=128 time=15.499 ms --- 192.168.2.31 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss No problems, right? Now I start Tcpdump in another window, and ping again. First, the ping results. $ ping -c 3 192.168.2.31 PING 192.168.2.31 (192.168.2.31): 56 data bytes 64 bytes fr...

If you're looking for details on the Freenode incident, check out Regular Ramblings . This single Slashdot post claims Ettercap was involved. I was online at the time as well.

Articles like Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm (.pdf) in the June 2006 (link will work shortly) Harvard Law Review make me embarrassed to be a Harvard graduate . This is the central argument: [C]omputer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account. Apparently Harvard lawyers do not take economics classes. If they did (or paid attention) they would know of Frédéric Bastiat's parable of the broken window . The...

This book cover always elicits a laugh. The idea that "hacking" is for "dummies" always bothered me. Is that all it takes to 0wn a system? Even a dummy could do it? Yes, that is a real book , with a second edition en route. Today, I see this. As we used to say when teaching at Foundstone, "this is no jokey." Are they kidding me? Who is the dummy here -- the person who is writing the rootkits or the person who buys this real book expecting to remove a rootkit? It's definitely not the former. For the latter, maybe the removal section is just this advice: Reformat hard drive. Reinstall from trusted media. Repeat as necessary. Honestly, the number of people who could even try to recover from a real rootkit installation number in the dozens. Who is supposed to buy this new book? What is really in it? I don't plan to review it -- my reading list is already a mile deep and my wish list is almost as high.

I may have waited seventeen months , but I bought a used PowerPC G4 Mac Mini through eBay. I'm running the Debian PowerPC port on it. Why? It's so darn simple. Download and burn .iso, boot in Mac Mini. Easy. I couldn't do that with FreeBSD. The only wrinkle I encountered involved trying to manually create the partition table. I repeatedly received an error (which I have since forgot), so I let Debian create the partition for me. Here is what it set up: macmini:~# df -h Filesystem Size Used Avail Use% Mounted on /dev/hda3 72G 3.9G 65G 6% / tmpfs 252M 0 252M 0% /dev/shm macmini:~# fdisk -l /dev/hda /dev/hda # type name length base ( size ) system /dev/hda1 Apple_partition_map Apple 63 @ 1 ( 31.5k) Partition map /dev/hda2 Apple_Bootstrap untitled 1954 @ 64 (977.0k) NewWorld bootblock /dev/hda3 ...

Tony Stevenson wrote a very thorough review of my newest book , Extrusion Detection: Security Monitoring for Internal Intrusions . Tony really seems to understand this book, unlike the author of a recent review for Information Security magazine who completely missed the point of Extrusion . Tony writes in his review in Windows IT Library : While it is true that his latest book can be read in isolation from the previous one, I agree with Bejtlich when he says, "in many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats." By reading both books, and by rigorously applying the strategies that are described within them, it becomes possible to significantly increase the odds in your favor of not having your company's systems violated, either from an external threat or from an internally generated attack.

Logic bomb is a term often used in the media, despite the fact that almost all reporters (there are notable exceptions ) have no clue what it means. Well, now we can look at a real one, thanks to forensics work by Keith Jones . He found a real logic bomb while doing forensics on the United States v. Duronio case. I worked the very beginning of this case while Keith and I were both at Foundstone. My small part involved trying to figure out how to restore images of AIX machines from tape. I even bought an AIX box on eBay for experimentation. You can read about Keith's testimony in this Information Week article. This is the "logic bomb" Keith recovered: One of the neat aspects of this case is its age: over four years. The media and elsewhere are abuzz with stories of "insider threats," but this has been a problem for a very long time. Congratulations to Keith for testifying on such an important case. If the jury has a clue, the defendant doesn't h...

Fyodor of Nmap fame has posted the results of his 2006 survey of security tools. Fyodor posted the results at his new site SecTools.org . On page 4 you'll find Sguil listed as number 85 out of 100. Unfortunately, BASE beat out Sguil at number 82. Another personal regret is seeing Argus listed after BASE at number 83. The next time Fyodor asks for suvery participation, I will have to respond! Although the top 100 results are useful, some of the sub-categorization makes little sense. Sguil is listed in the Traffic Monitoring Tools subsection, along with Solar Winds and Nagios (?!?). The Intrusion Detection category lists BASE but not Sguil, along with Fragroute and Fragrouter (?!?). Bizarre. Regardless, I recommend security pros familiarize themselves with all of the tools in the top 100. It makes for great discussions during job interviews, either as the employer or prospective employee.

Three weeks remain for early registration for USENIX Security in Vancouver, BC. I will teach a brand new, two day course called TCP/IP Weapons School (TWS) on 31 July and 1 August 2006. Early registration ends 10 July. Are you a junior security analyst or an administrator who wants to learn more about TCP/IP? Are you afraid to be bored in routine TCP/IP classes? TWS is the class you need to take! TWS is an excellent introduction to TCP/IP for those who are not ready for my Network Security Operations (NSO) class. I have no plans at the moment to publicly teach TWS anywhere else in 2006. If you might want a private class, please contact us via training at taosecurity dot com . I've updated my services brochure (.pdf) to reflect the latest course offerings, in case you need something nice to read.

I had forgotten about these comments, but Mike Mimoso was kind enough to cite me in his article Today's Attackers Can Find the Needle : "What hackers are realizing is that there are so many ways to get information out of an enterprise. As people get wise to them, hackers are adapting," says Richard Bejtlich, a former captain for the Air Force CERT and founder of consultancy TaoSecurity. He cautions businesses to focus on egress filtering as a means to monitor packets that leave your network. "Pay attention to what is leaving your company," Bejtlich says.

I built the existing TaoSecurity.com and Bejtlich.net Web sites with with Nvu . I would like to redesign both sites, but I am not sure how to proceed. I approached one company and they told me they design sites using Wordpress . Another uses Joomla . I am not comfortable using PHP given some of the recent security problems I've seen. I'm not sure I want/need a database on the back end either. I have a feeling that I could use a nice style sheet from Open Source Web Design and continue to use Nvu to generate static HTML. Does anyone have any comments on this?

The Defense Technical Information Center houses a group called the Information Assurance Technology Analysis Center . IATAC publishes the IA Newsletter . I recently learned that an article I wrote, Network Security Monitoring: Beyond Intrusion Detection , was published in Volume 8, No. 4 (.pdf). I wrote it as a response to an earlier article called The Future of Network Intrusion Detection in Volume 7, No. 3 (.pdf). This earlier article preached the common idea that intrusion prevention systems are the future of network intrusion detection. Read my article for an alternative opinion.

Three generous publishers sent me three books to review this week. The first is Osborne's Hacking Exposed: Web Applications, 2nd Ed by Joel Scambray, Mike Shema, and Caleb Sima. I reviewed the first edition four years ago and loved it. The first edition was 386 pages, and the second is 520. Although each book has 13 chapters, only a few have the same name. I expect the involvement of a new co-author and many contributors have made this book relevant and worth reading. The second is No Starch's Nagios: System and Network Monitoring by Wolfgang Barth. I am looking forward to reading this book. I have never seriously tried to get Nagios working, but I plan to try while reading this book. System and network monitoring is a perfect complement to network security monitoring. The third book was unexpected, but welcome. It's Syngress' Winternals Defragmentation, Recovery, and Administration Field Guide by a slew of authors. I wasn't planning to read this boo...

I just signed up to attend the SANS Log Management Summit , 12-14 July 2006 in Washington, DC. I think this is a great opportunity to hear some real users and experts talk about log management. Given that it's located near me, I decided I could afford to pay my own way to this conference. Is anyone else attending? If yes, register by tomorrow for the cheapest rates.

Sometimes you have to make the best of a bad situation, with no warning. Good-bye Ethereal , hello Wireshark . Gerald Combs, original author and primary Ethereal developer, left his job at Network Integration Services, Inc. and joined CACE Technologies . Unfortunately, NIS owns the Ethereal trademark, and Mr. Combs wasn't able to take it with him. He also lost administrative rights to the servers hosting Ethereal.com, so he can't post news of the name change there. So, nearly eight years after the first public release , Ethereal is dead. Long live Wireshark -- especially with 1.0 expected very soon.

Thanks to the newest SANS NewsBites (link will work shortly), I learned of the Certification & Accreditation Re-vitalization Initiative launched by the Chief Information Officer from the office of the Director of National Intelligence . According to this letter from retired Maj Gen Dale Meyerrose, the C&A process is too costly and slow, due to "widely divergent standards and controls, the lack of a robust set of automated tools and reliance upon manual review." He wants to "move from a posture of risk aversion to one of risk management, from a concept of information secuirty at all costs to one of getting the right information to the right people at the right time with some reasonable assurance of timeliness, accuracy, authenticity, security, and a host of other attributes." That all sounds well and good, but it misses the key problem with C&A -- it doesn't prevent intrusions . It may be seen as a necessary condition for "securing" a...

Dan Geer published an interesting article in the May/June 2006 issue of IEEE Privacy and Security . He questions the utility of converging physical and digital security "within a common reporting structure." In brief: This observer says convergence is a mirage. The reason is time. Everything about digital security has time constants that are three orders of magnitude different from the time constants of physical security: break into my computer in 500 milliseconds but into my house in 5 to 10 minutes... That is true, but the value of compromising a system doesn't necessarily come from just getting a root shell. This is especially true when organized crime, corporate espionage, and foreign intelligence activities are involved. Achieving the goals of each of those groups usually takes more than a few minutes, with the first taking the least time and the last the most. Nevertheless, Dan is probably still right. What he says later is even more compelling: Human-scale ...

I received a link to this press release today. Unlike many press releases, this one contained interesting news. It reported that a new security company called Exploit Prevention Labs (XPL) just released their first Exploit Prevalence Survey™ , which ranks five client-side exploits used to compromise Web surfers. This seems similar to US-CERT Current Activity , although that report jumbles together many different news items and doesn't name specific exploits. According to the press release The results of the monthly Exploit Prevalence Survey are derived from automated reports by users of Exploit Prevention Labs’ SocketShield anti-exploit software (free trial download at http://www.explabs.com), who have agreed to have their SocketShield installations report all suspected exploit attempts back to the researchers at Exploit Prevention Labs. This reminds me of Microsoft's Strider HoneyMonkey project, which uses bots to crawl the Web looking for malicious sites. XPL inste...

Some of you have written regarding my post on penetration testing . One of you sent the following questions, which I thought I should answer here. Please note that penetration testing is not currently a TaoSecurity service offering, so I'm not trying to be controversial in order to attract business. What do you feel is the most efficient way to determine the scope of a pen test that is appropriate for a given enterprise? Prior to hiring any pen testers, an enterprise should conduct an asset assessment to identify, classify, and prioritize their information resources. The NSA-IAM includes this process. I would then task the pen testers with gaining access to the most sensitive information, as determined by the asset assessment. Per my previous goal (Time for a pen testing team of [low/high] skill with [internal/external] access to obtain unauthorized [unstealthy/stealthy] access to a specified asset using [public/custom] tools and [complete/zero] target knowledge.) one mus...

Today I spoke at three Techno Security 2006 events. I started the day discussing enterprise network instrumentation basic and advanced topics. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone. This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's panel discussion. Yesterday Marcus noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want! Marcus spent some time discussing money spent on security. He says we are "spending rocket sci...

My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight: Chris Walsh wrote: > Alrighty. > > It's time for a Marines vs. Air Force slapdown! I should have anticipated that someone on this list would read my blog! I do not agree with all of Donn's points, and I state in my post some of his ideas are weak. I would prefer Donn defend himself in person. However, I am going to stand by this statement: "As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste of time." I agree with Donn that a risk measurement approach has not made us more secure. That does not mean nothing can be measured. It also does not mean that measurements are worthless. Removing the double negatives, I am saying that some things can be measured, and measurements can be worthwhile. Rather than spending resources measuring risk, I would prefer to see measurements like the following: 1. Time ...

Several times last year I talked about using Nessus on FreeBSD. Last night I finally got a chance to install and try Nessus 3.0.3 on FreeBSD. Here's how I did it. First I downloaded Nessus 3.0.3 as a package for FreeBSD 6.x (called Nessus-3.0.3-fbsd6.tbz). I added the package: orr:/root# pkg_add -v Nessus-3.0.3-fbsd6.tbz Requested space: 16570324 bytes, free space: 4394956800 bytes in /var/tmp/instmp.YdVsPF Running pre-install for Nessus-3.0.3.. extract: Package name is Nessus-3.0.3 extract: CWD to /usr/local extract: /usr/local/nessus/lib/nessus/plugins/synscan.nes extract: /usr/local/nessus/lib/nessus/plugins/12planet_chat_server_path_disclosure.nasl ...edited... extract: /usr/local/nessus/bin/nasl extract: /usr/local/nessus/bin/nessus extract: /usr/local/nessus/bin/nessus-fetch extract: /usr/local/nessus/bin/nessus-bug-report-generator extract: /usr/local/nessus/bin/nessus-mkcert-client extract: /usr/local/nessus/bin/nessus-mkrand extract: /usr/local/nessus/sbin/nessus-a...

I wanted to briefly mention three great articles in the newest Network Computing magazine: Market Analysis: Security Information Management by Greg Shipley Review: Security Information Management Products Affordable IT: Leasing IT Equipment by Andrew Conry-Murray All three are free and fairly informative. I hear a lot of buzz about leasing hardware and software. Are you turning to leasing instead of buying? If so, what are you leasing, and why?

Donn Parker published an excellent article in the latest issue of The ISSA Journal titled Making the Case for Replacing Risk-Based Security . This article carried a curious disclaimer I had not seen in other articles: This article contains the opinions of the author, which are not necessarily the opinions of the ISSA or the ISSA Journal. I knew immediately I needed to read this article. It starts with a wonderful observation: What are we doing wrong? Is the lack of support for adequate security linked to our risk-based approach to security? Why can't we make a successful case to management to increase the support for information security to meet the needs? Part of the answer is that management deals with risk every day, and it is too easy for them to accept security risk rather than reducing it by increasing security that is inconvenient and interferes with business. I would argue that management decides to "accept security risk" because they cannot envisage the conse...