Showing posts from September, 2006

Preview: Hunting Security Bugs

Yesterday I received a copy of Hunting Security Bugs. One of this book's authors is Tom Gallagher, who posted thoughts on Microsoft's security initiatives. This looks like a great book, especially as a companion to The Security Development Lifecycle, also by Microsoft authors. A third book, The Practical Guide to Defect Prevention, arrives in the spring. This may be too developer-oriented for my needs, but I might take a look at it. I am glad to see Microsoft sharing the knowledge it has gained through its ongoing security program. You can look at my Wish List to track books I plan to read but don't have copies of. My reading page shows books I own that I plan to read. The reading page also links to my recommended books lists.

Security Scruples Poll

Dark Reading is conducting a Security Scruples Poll. Some of the preliminary results are disturbing. I'll withhold commentary until I see the poll is closed and results are disclosed. Please consider taking the poll. It has some interesting questions, and it takes about 5 minutes.

Review of Apache Security Books Posted

I just posted my two reviews on books about Apache. The first is Apache Security by Ivan Ristic. Here is a link to the five star review. The second is Preventing Web Attacks with Apache by Ryan Barnett. Here is a link to the four star review. Both reviews share the same introduction. I recently received copies of Apache Security (AS) by Ivan Ristic and Preventing Web Attacks with Apache (PWAWA) by Ryan Barnett. I read AS first, then PWAWA. Both are excellent books, but I expect potential readers want to know which is best for them. The following is a radical simplification, and I could honestly recommend readers buy either (or both) books. If you are more concerned with a methodical, comprehensive approach to securing Apache, choose AS. If you want more information on offensive aspects of Web security, choose PWAWA. These are my 39th and 40th reviews of 2006. I should break my previous high reading mark of 42 books, accomplished in 2001. Congratulations to Iv

Symantec Internet Security Threat Report Volume X

Symantec has posted (for free, no registration!) the latest Internet Security Threat Report. I'm very pleased to see that such a high-profile report uses threat and vulnerability terms properly, and features details on the methodology used to produce the report. Here's some of the Executive Summary. In contrast to previously observed widespread, network-based attacks, attackers today tend to be more focused, often targeting client-side applications... The current threat landscape is populated by lower profile, more targeted attacks, attacks that propagate at a slower rate in order to avoid detection and thereby increase the likelihood of successful compromise. Instead of exploiting vulnerabilities in servers, as traditional attacks often did, these threats tend to exploit vulnerabilities in client-side applications that require a degree of user interaction, such as word processing and spreadsheet programs. A number of these have been zero-day vulnerabilities. These types of

Review of The TCP/IP Guide Posted

I just posted my four-star review of The TCP/IP Guide. From the review: Right away I must state that I did not read "The TCP/IP Guide" (TTG) cover-to-cover. I doubt anyone will, which raises interesting issues. This review is based on the sections I did read and my comparisons with other protocol books. Protocol books should be divided into two eras. The first is the "Stevens era," meaning those written around the time Richard Stevens' "TCP/IP Illustrated, Vol 1: The Protocols" was published. For six years (1994-2000) Stevens' book was clearly the best protocol book, and it taught legions of networking pros TCP/IP. The second is the "modern era," beginning in 2000 and continuing to today. TTG fits in this group. I question the approach taken by TTG. The book contains extremely basic information (what is networking, why use layers, what is a protocol, etc.) and extremely obscure information (PPP Link Control Protocol Frame T

Net Optics Think Tank Tuesday in Fairfax, VA

Don't forget to attend the free Net Optics Think Tank on Tuesday, 26 September 2006 in Fairfax, VA. It looks like I will be speaking during lunch from 1215 to 1315. Please register. I expect to see a lot of cool Net Optics gear on display, along with insights from those who make products for enterprise network instrumentation.

Throughput Testing Through a Bridge

In my earlier posts I've discussed throughput testing. Now I'm going to introduce an inline system as a bridge. You could imagine that this system might be a firewall, or run Snort in inline mode. For the purposes of this post, however, we're just going to see what effect the bridge has on throughput between a client and server. This is the new system. It's called cel600, and it's running the same GENERIC.POLLING kernel mentioned earlier.

FreeBSD 6.1-RELEASE-p6 #0: Sun Sep 17 17:09:24 EDT 2006
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel Celeron (598.19-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x686  Stepping = 6
  Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 401260544 (382 MB)
avail memory = 383201280 (365 MB)

This system has two dual NICs in it. em0 and em1 are Gigabit fi

FreeBSD Device Polling Results for Gigabit Copper

In my post FreeBSD Device Polling I ran my tests over Gigabit fiber connections. I thought I would repeat the tests for Gigabit copper, connected by normal straight-through cables. (One benefit of Gigabit copper Ethernet NICs is there's no need for crossover cables.) Although I booted my two test boxes, asa633 and poweredge, with kernels offering polling, neither interface had polling enabled by default. This is asa633's NIC:

em1: flags=8843 mtu 1500 options=b
        inet6 fe80::20e:cff:feba:e726%em1 prefixlen 64 scopeid 0x4
        inet netmask 0xffffff00 broadcast
        ether 00:0e:0c:ba:e7:26
        media: Ethernet autoselect (1000baseTX )
        status: active

This is poweredge's NIC.

em1: flags=8843 mtu 1500 options=b
        inet6 fe80::207:e9ff:fe11:a0a0%em1 prefixlen 64 scopeid 0x4
        inet netmask 0xffffff00 broadcast
        ether 00:07:e9:11:a0:a0
        media: Ethernet autoselect (10

The ZERT Evolution

In January during the WMF fiasco, I wrote The Power of Open Source. What we're now reading in Zero-Day Response Team Launches with Emergency IE Patch is the latest evolution of this idea. The Zeroday Emergency Response Team isn't a bunch of amateurs. These are some of the most highly skilled security researchers and practitioners in the public arena. They are stepping up to meet a need not fulfilled by vendors, namely rapid response to security problems. Why is this the case? Customers running closed operating systems and applications are stuck. They can't fix problems themselves, so they rely on their vendor. In fact, they are paying their vendor to perform the fixing service. To fund development of an alternative fix would be like paying for a fix twice. ZERT is demonstrating that this model is broken. They are trying to respond as fast as possible to attacks. Because no one can be "ahead of the threat," reaction time is often key. ZERT can act faster

Generating Multicast Traffic

If you're a protocol junkie like me, you probably enjoy investigating a variety of network traffic types. I don't encounter multicast traffic too often, so the following caught my eye. I'm using Iperf for some simple testing, and I notice it has a multicast option. Here's how I used it. In the following scenario, I have two hosts (cel433 and cel600) on the same segment. This is important because the router(s) in this test network are not configured to support multicast. I set up cel433 as an Iperf server listening on multicast address

cel433:/root# iperf -s -u -B -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address
Joining multicast group
Receiving 1470 byte datagrams
UDP buffer size: 41.1 KByte (default)

Now I generate multicast traffic from cel600.

cel600:/root# iperf -c -u -T 32 -t 3 -i 1
-------------------------------------------

FreeBSD Device Polling

Not all of us work with the latest, greatest hardware. If we use open source software, we often find ourselves running it on old hardware. I have a mix of equipment in my lab and I frequently see what I can do with it. In this post I'd like to talk about some simple network performance measurement testing. Some of this is based on the book Network Performance Toolkit: Using Open Source Testing Tools. I don't presume that any of this is definitive, novel, or particularly helpful for all readers. I welcome constructive ideas for improvements. For the purposes of this post, I'd like to get a sense of the network throughput between two hosts, asa633 and poweredge. This is asa633's dmesg output:

FreeBSD 6.1-RELEASE-p6 #0: Wed Sep 20 20:02:56 EDT 2006
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel Celeron (631.29-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6

Nisley on Failure Analysis

Since I'm not a professional software developer, the only reason I pay attention to Dr. Dobb's Journal is Ed Nisley. I cited him earlier in Ed Nisley on Professional Engineering and Insights from Dr. Dobb's. The latest issue features Failure Analysis, Ed's look at NASA's documentation on mission failures. Ed writes: [R]eviewing your projects to discover what you do worst can pay off, if only by discouraging dumb stunts. What works for you also works for organizations, although few such reviews make it to the outside world. NASA, however, has done a remarkable job of analyzing its failures in public documents that can help the rest of us improve our techniques. Documenting digital disasters has been a theme of this blog, although my request for readers to share their stories went largely unheeded. This is why I would like to see (and maybe create/lead) a National Digital Security Board. Here are a few excerpts from Ed's article. I'm not going to s

Using tap0 with Tcpreplay

This thread on the Wireshark mailing list brought up the issue of not being able to use Tcpreplay with the loopback interface on FreeBSD, e.g.:

orr:/root# tcpreplay -i lo0 /data/lpc/1.lpc
sending out lo0
processing file: /data/lpc/1.lpc
Unable to send packet: Address family not supported by protocol family

Here is an alternative: use tap0.

orr:/root# ifconfig tap0
ifconfig: interface tap0 does not exist
orr:/root# dd if=/dev/tap0 of=/dev/null bs=1500 &
[1] 9468
orr:/root# ifconfig tap0 up
orr:/root# ifconfig tap0
tap0: flags=8843 mtu 1500
        inet6 fe80::2bd:1dff:fe2d:4d00%tap0 prefixlen 64 scopeid 0x5
        ether 00:bd:1d:2d:4d:00
        Opened by PID 9468
orr:/root# tcpreplay -i tap0 /data/lpc/1.lpc
sending out tap0
processing file: /data/lpc/1.lpc
^C
Actual: 71 packets (6860 bytes) sent in 6.15 seconds
Rated: 1115.0 bps, 0.01 Mbps/sec, 11.54 pps

In a second window, sniff with Tcpdump or whatever program you want:

orr:/root# tcpdump -n -i tap0 -s 1515
tcpdump: WARNING:

Does SecureWorks-LURHQ Count as Consolidation?

I think it does. Managed network security services is one arena where size is always a factor, and bigger is usually better. With more employees you have more analysts per shift. You have more customers, so you see more of the Internet. With enough customers your view of the Internet begins to resemble a statistically significant sample, from which you can make inferences about the health of the global network. I thought this Dark Reading story on the merger (the new company will be called SecureWorks -- no more "how do I say LURHQ?") had an interesting quote: But all of this doesn't mean IBM-ISS isn't on SecureWorks' radar: Prince says SecureWorks' main competitors on the enterprise side are Symantec, VeriSign, and "now IBM." On the commercial side, it will be local telcos and other service providers, he says. Where is Counterpane? They must be desperate for a buyer. I expect to see more MSSPs combining to form Voltron as time progresses.

Multiple Kernels on FreeBSD

The following is a topic I would enjoy hearing more about. If you have helpful suggestions, please share them as a comment. Two years ago I described my experiences with building a FreeBSD userland and kernel on one system and installing it on another. I found myself in the same situation recently, where I didn't want to sit around waiting for a couple of slow boxes to build themselves custom kernels. I wanted to build the custom kernel on a fast box and use it on the slower boxes. I didn't want to replace the default kernel on any of the boxes. I wanted the new kernel(s) to be additional boot-time options. This post gave me the answer I needed. Here's how I applied it. I wanted to build a GENERIC-style kernel, but with security updates applied. First I installed cvsup-without-gui as a package. Next I created this /usr/local/etc/security-supfile file:

*default
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_6_1
*defaul

Changing Definitions of Network Security Monitoring

I first defined Network Security Monitoring in print through my contribution to the February 2003 book Hacking Exposed, 4th Edition. Prior to that I defined NSM in a December 2002 SearchSecurity Webcast. NSM probably became more recognized in my first book, where I repeated the same definition by writing "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions." I emphasized the role of indications and warning (I&W) because my Air Force intelligence background involved training specifically in that discipline. I recommend reading the last link above for additional insight into this approach. Today, however, I reviewed some Department of Defense documentation that made me take a second look at my NSM definition. (You might say this proves I am not a slave to my prior writings. Then again, you won't ever hear me say a threat and a vulnerability are the same!) I&W is defined

Differentiating Among Assessment Services

Tate Hansen of Clear Net Security provides a great methodology for differentiating among vulnerability assessment and related network security services. Check out his flow chart and then see how your own provider compares.

Review of IPv6 Essentials Posted

I just posted my five star review of IPv6 Essentials, 2nd Ed by Sylvia Hagen. From the review: I read and reviewed IPv6 Network Administration (INA) in August 2005 and Running IPv6 (RI) in January 2006. I gave those books 5 stars, so I had high expectations for "IPv6 Essentials, 2nd Ed" (IE2E). INA and RI are very hands-on, implementation-specific books. IE2E is more concerned with explaining protocols and IPv6 features. In this respect, IE2E is the perfect complement to INA and RI. My full review mentions IPv6 critiques by Daniel Bernstein and Todd Underwood. I intend to take a closer look at SEcure Neighbor Discovery (SEND) (RFC 3971) and Cryptographically Generated Addresses (CGA) (RFC 3972) after reading about attacks upon stateless autoconfiguration and duplicate address detection, which appear in IPv6 Neighbor Discovery (ND) Trust Models and Threats (RFC 3756). Authentication for DHCP Messages (RFC 3118) can also be a concern, thanks to DHCP

SANS Network IPS Testing Webcast

I'm listening to a SANS Webcast on Trustworthy IPS Testing and Certification. Jack Walsh from the Network Intrusion Prevention section of ICSA Labs spoke for about 45 minutes on his testing system. Jack spent a decent amount of time discussing the Network IPS Corporate Certification Testing Criteria (.pdf) and vulnerabilities set (.xls). The vulnerabilities set was just updated a week ago, after being criticized in July. At present only three products are ICSA Labs certified, according to the ICSA Web site and this press release. ICSA Lab certification is a pass/fail endeavor; there are no grades. ICSA does not release the names of the companies whose products fail. Looking at the members of the NIPS Product Developers Consortium, you can make some guesses about who participated. Vendors pay for testing. They do so by paying for a year-long testing period, during which time they will receive at least one "full battery" of testing. Tests are rerun when the

How the FCC Handles Radio Denial of Service

I am a licensed Amateur Radio operator, but I'm about as active as packet radio. Today, though, I read how the Federal Communications Commission handles those who interfere with radio transmissions. It was a day a lot of radio amateurs in Southern California had been waiting for a long time. On September 18, US District Court Judge R. Gary Klausner sentenced convicted radio jammer Jack Gerritsen, now 70, to seven years imprisonment and imposed $15,225 in fines on six counts -- one a felony -- that included transmitting without a license and willful and malicious interference with radio transmissions. Before sentencing, Gerritsen apologized to the federal government, the FCC and the local Amateur Radio community, which had endured the brunt of Gerritsen's on-air tirades and outright jamming. Wow -- seven years in prison with a felony conviction. No wonder my Dad used to warn me about broadcasting without a license.

Suggestions for Testing Bypass Switches

I've acquired a number of bypass devices for testing in the TaoSecurity labs. I'd like to know if any of you have requests to know more about these devices. In other words, how would you like me to test them? The devices in question include the following. Shore Micro SM-2400 Programmable Bypass Switch: This device has TX copper connectors and may support Gigabit Ethernet. Optical Bypass Switch with Heartbeat: This device has SX fiber connectors and supports Gigabit Ethernet. 10/100/1000 Bypass Switch with Heartbeat: This device has TX copper connectors and supports Gigabit Ethernet. Interface Masters Niagara 2295RJ: This device has TX copper connectors and supports Gigabit Ethernet. I find it interesting that it does not require a power supply, but I wonder how it supports a heartbeat without power? Niagara 2282: This is an internal NIC that acts as a bypass switch. It has SX fiber connectors and supports Gigabit Ethernet. Niagara 2280: This is an internal NIC that

Teaching Possibilities in Australia

I've been invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I haven't decided if I will accept yet. I'd like to know if any TaoSecurity Blog readers in Australia, New Zealand, or nearby areas would be interested in attending a two (or maybe more) day class either directly before or after my presentation date (which is unknown right now). I would need a location to host the training, in exchange for which I would provide two free seats for the hosting organization. Is anyone interested in attending and/or hosting such a class? Please email training [at] I have to accept or decline the AusCERT invitation next week. I am open to suggestions regarding the location of the class (if the Gold Coast is too remote) and the content of the class (Network Security Operations, TCP/IP Weapons School, etc.). Sydney is a possibility since

Insider Threat Study

I received a copy of a study announced by ArcSight and conducted by the Ponemon Institute. I mention this for two reasons. One, it highlights issues regarding the meaning of security terms. Two, the content is worth a look. First, the email I received bore the subject "Are Executives the Cause of Insider Threats?". I wondered if the study examined whether executives were the parties with the intentions and capabilities to exploit weaknesses in assets. That's what a threat is, and a study that implied executives (and not corporate minions or IT staff) were the real problem would be noteworthy in its own right. Near the beginning of the report I read the following: The survey was sponsored by ArcSight, an enterprise security management company, and queried 461 respondents who are employed in corporate IT departments within U.S.-based organizations. For purposes of this survey, we define the "insider threat" as the misuse or destruction of sensitive or confidenti