TaoSecurity Blog

I don't subscribe to the Daily Dave (Aitel) mailing list, but I do keep a link to the archives on my interests page. Some of the offensive security world's superstars hang out on that list, so it makes for good reading. The offensive side really made an appearance with yesterday's thread , where Dave's "lots of monkeys staring at a screen....security?" thread says: My feeling is that IDS is 1980's technology and doesn't work anymore. This makes Sourcefire and Counterpane valuable because they let people fill the checkbox at the lowest possible cost, but if it's free for all IBM customers to throw an IDS in the mix then the price of that checkbox is going to get driven down as well. First, it's kind of neat to see anyone speaking about "IDS" instead of "IPS" here. I think this reflects Dave's background working for everyone's favorite three letter agency . The spooks and .mil types (like me) tend to be the last p

In the spirit of not trying to repeat what everyone else blogs, I'll keep this post on the Sourcefire IPO brief. The must-read post belongs to Mike Rothman -- great work Mike. I'm excited by this development. I'll probably even buy some Sourcefire stock, just so I can attend the shareholders meeting. I've never owned stock in a friend's company, so this would be novel enough to justify the purchase. However, in the long term I expect Sourcefire to be acquired anyway. I stand by my ideas that all network security functions will collapse to the switch , something Richard Stiennon called Secure Network Fabric . This means Sourcefire either needs to sell switches that compete with Cisco (unlikely) or be bought by Cisco (possibly) or a Cisco competitor (probably). Customers are growing increasingly disillusioned with buying more and more point products. If they simply perceive that existing equipment (switches and routers) can be upgraded to implement new securi

Eighteen months after MCI bought MSSP NetSec , another telecom has bought another MSSP. This time, BT bought Counterpane . I guessed that Counterpane was desperate . At least the investors who poured four rounds of venture capital into Counterpane can realize some sort of return. The announcement concluded with this statement: As at 31 December 2004 the audited gross assets of the business were $6.8m. That doesn't sound very promising. I expect a good amount of reorganization and removal of personnel. BT will want the low-level analysts to stay, but some will probably leave. The middle-managers will want to stay, but BT will send them packing. Since Counterpane's brain trust has largely disappeared, they only need to keep Bruce Schneier as their "visibility guy" or "mantlepiece." Good luck to them -- I imagine they will be morphed into protecting BT's cloud . Update: After reading helpful comments and stories like this , it appears Counterpa

Ron Gula of Tenable Security invited me to speak at an upcoming Tenable Webinar . You can register for the event now. It will take place 1000 ET Friday 17 November 2006. We'll talk about network security problems facing the enterprise, my favorite security books and resources, and take questions live.

I will participate in the DE Communications Inside Job Webinar at 1100 ET on Thursday 9 November 2006. I plan to discuss why traditional externally-focused security techniques and tools are not well suited to deterring, detecting, and removing insider threats. By insider threat I do not mean flawed services on desktops. I mean parties with the capabilities and intentions to exploit vulnerabilities in assets. I guarantee you will hear me say that the "80%" figure is a myth. Even though I am appearing with at least one other speaker (Jerry Shenk), this is not a debate. It will be a few people discussing an import subject. I have a few other Webinars in the works and all should be free. Please join us if you have the time and bandwidth. Update: Here's a press release . I'm glad they included this quote: "Insiders do not account for the mythical 80% of security incidents, but their privileged access allows them to inflict devastating harm upon organizations

Several publishers were kind enough to send me review copies of four new books. The first, which I requested, is Cisco Press' Storage Networking Protocol Fundamentals by James Long. I requested a copy of this book while starting to read a book on securing storage area networks and network attached storage. Basically, the book I was reading is a disaster. I decided this new Cisco Press book looked promising, so I plan to read it first and then turn to the security-specific SAN/NAS book. I'll review the two as a set later. Next is Syngress' Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of An Insecure Network by Michael Gregg and friends. This book was interesting to me because I am already teaching TCP/IP Weapons School (TWS), which teachers TCP/IP by examining security-related traffic at various OSI model layers. A quick look at this book makes it seem worth reading, but there is definitely room for a future book based on TWS. Remember I am teac

I'm not sure if you're aware of these, but Ron Gula of Tenable Security is conducting a series of Webinars on a variety of interesting network security topics. I watched Tuesday's edition on vulnerability management. The Webinars are not a selling vehicle for Tenable products. Instead, Ron explains one or more aspects of the security scene. If you know Ron you recognize he knows network security better than almost anyone out there. The next Webinar is scheduled for today, and all are free.

Twenty years ago, when some of my readers were busy being born, I was a high school freshman. My favorite instructor, Don Stavely, taught history. One of the educational devices he used was Bloom et al.'s Taxonomy of the Cognitive Domain , pictured at left. This hierarchy, which travels from bottom to top, is a way to describe a student's level of understanding of a given subject. These descriptions from Purdue are helpful: Knowledge entails the ability to recall or state information. Comprehension entails the ability to give meaning to information. Application entails the ability to use knowledge or principles in new or real-life situations. Analysis entails the ability to break down complex information into simpler parts and to understand the relationships among the parts. Synthesis entails the act of creating something that did not exist before by integrating information that had been learned at lower levels of the hierarchy. Evaluation entails the ability to make

While reading Gary McGraw's great book Software Security , I had a chance to re-read the famous Bill Gates security memo of January 2002. I wasn't blogging back then, so I didn't record my reaction to it. Almost five years later, the following excerpt struck me: [E]ven more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony. Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing fal

The October 2006 Information Security Magazine features a great story titled Safe Exchanges . It discusses software it calls "enterprise rights management" (ERM): Enterprise rights management is technology that allows corporations to continuously control and protect documents, email and other corporate content through the use of encryption and security policies that determine access rights. I found this case study compelling: Fenwick & West was an early adopter, choosing ERM software by startup SealedMedia , a company recently acquired by Stellent. Kesner took advantage of SealedMedia's free 30-day trial, tested it with several clients and was wowed by the results. His law firm's clients use hundreds of data types, including Microsoft Office, Adobe Acrobat, accounting databases, architectural drawings and computer-aided design documents--all of which SealedMedia supports. In addition to the software's broad support, he was impressed by its ease of use. For t

I've noticed the term extrusion detection appearing more frequently, usually tied to the latest buzzphrase -- "insider threat." The GSA -loving magazine Federal Computer Weekly recently mentioned the following: Emerging tools known as extrusion-detection systems are helping government agencies and private companies detect whether sensitive information is leaving their organizations... “Our goal is to monitor traffic from the inside going out,” said Daniel Hedrick, product manager at Vericept and a former intelligence officer in the Air Force. “If I see content going out the door, with or without the approval or the knowledge of the user, I will automatically encrypt it.” (emphasis added) Wow, that's something. So once this "content" is "encrypted," what does the intended recipient do with it? I'm hoping this is an example of a writer misreporting Mr. Hedrick's answers to questions. I mildly dislike seeing terms become hyphenated (e.g

The word "threat" is popular. What used to be Bleeding Edge Snort is now Bleeding Edge Threats . It's a great site but I think it should have avoided using the term "threat." I think "Bleeding Edge Security" would have been better, but apparently that's not cool enough? I noticed the OWASP is trying to define various security terms as well. (Because OWASP means Open Web Application Security Project, I didn't say "OWASP project." Those who say "ATM machine," "NIC card," and "CAC card," please take note.) OWASP has Wiki pages for attack , vulnerability , countermeasure , and, yes, threat . For an example of a project that is largely not falling for the threat hype, check out the Vulnerability Type Distributions in CVE published last week. It provides research results on publicly reported vulnerabilities. It might be helpful to look at already published work when thinking about what these terms m

I'd like to thank the fine folks at O'Reilly for sending me a review copy of Programming Python, 3rd Ed . I've added this book to my other set of programming books waiting to be read. I'll probably start with several tiles from Apress , namely Beginning Python , Dive Into Python , and then end the Apress titles with Foundations of Python Network Programming , since network programming is my main interest. I'll use O'Reilly's Programming Python, 3rd Ed and Python Cookbook, 2nd Ed as references. Two years ago I tried reading Learning Python, 2nd Ed but found it not that helpful as an introduction -- hence my interest in the new Apress titles.

Amazon.com just posted three new reviews on digital forensics books. The first is File System Forensics Analysis by Brian Carrier . Here is a link to the five star review . The second is Windows Forensics by Chad Steel . Here is a link to the four star review . The third is EnCase Computer Forensics by Steve Bunting and William Wei. Here is a link to the three star review . All three books share the same introduction. I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an inve

As a consultant near the Beltway, it helps to understand the competition and potential partners. I found the following lists to be helpful. They appeared in the 4 Sep 06 print issue of FCW . Top 74 systems integrators Top 140 Schedule 70 contracts Top 25 government IT contractors Top 100 small federal vendors in fiscal 2006 Top 25 8(a) companies and Top 25 women-owned companies

Analogies are not the best way to make an argument, but they help when debating abstract concepts like " virtual trust ". Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open. However, refrigeration is not the business . Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing and selling food does. (Refrigeration is only the business for those that sell refrigerated train cars and supporting devices.) You might think "security" is like refrigeration. Like refrigeration, security could be said to "enable" business. Like refrigeration, security does not generate value; selling a product or service through a "secure" channel does. So why is "security&q

I try to attend meetings of the Information Assurance Technical Forum once a year. I last visited in 2003 and 2005 . The following are some thoughts from the meeting I attended two weeks ago. They are not an attempt to authoritatively summarize or describe years of net-centric thought and work by the US Department of Defense. These are just a few thoughts based on the presentations I saw in an unclassified environment. Prior to seeing this diagram I had heard a lot about "net-centric warfare" but I had no real grasp of the underlying. It seemed more of a buzzword. Now I understand the idea of getting information from any source to the people who need it, instead of, say Air Force sensors sending data to Air Force decision-makers who feed Air Force assets. Given the net-centric model, DoD needs to move away from a "System High" model of security to a "Transactional" model. In the System High world, you essentially define a perimeter by classificat

Amazon.com just posted my two reviews on books about Web application security. The first is Hacking Exposed: Web Applications, 2nd Edition by Joel Scambray, Mike Shema, and Caleb Sima. Here is a link to the five star review . The second is Professional Pen Testing for Web Applications by Andres Andreu . Here is a link to the four star review . Both reviews share the same introduction. I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA. Update: A torrrent for the Web App Honeypot is here . You can download the VMware image directly from Wrox here . The r

Last week I attended and spoke at the latest Net Optics Think Tank . I've presented for Net Optics twice before , but this was the first event held in northern Virginia. The first half of the event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regards to fiber optics. Specifically, I learned of some cases where customers reverse cables when plugging in their taps, thereby causing lots of tough-to-troubleshoot problems. Furthermore, as customers move from Gigabit over fiber to 10 Gigabit over fiber, they are encountering cabling issues. Gigabit is much more forgiving than 10 Gig. At 10 Gig, you apparently have to pay close attention to the specifications, such as core size. I learned that Net Optics is considering ways to "tag" or "label" packets collected by their link aggregator taps. When discussing matrix switches , it occurred to me that tho

This Undeadly.org thread clued me in to the problems OpenBSD is having getting documentation and firmware restribution rights for Intel wireless NICs. Theo's letter is not what I would want an Intel decision-maker to read. However, Kenneth J Hendrickson's comment is exactly what I used as a template for an email to Intel's point of contact on this manner -- majid [dot] awad [at] intel [dot] com. As a FreeBSD user, I recognize that drivers for Linux are not going to help me use my wireless cards. This Slashdot comment explains key points as well. If you want to use Intel NICs with native drivers, send an email like the one Kenneth sent (but not a duplicate -- explain the situation in your own words). I just did.

I've said before that there is no return on security investment (ROSI). This argument appears to have morphed again in the form of a paper titled Creating Business Through Virtual Trust . A Technorati search will show you other comments on this idea. These are mine. First, I agree with others who say "virtual trust" should not be "virtual" -- it's either "trust" or it's not. That's not a major point though. Second, the thesis for the paper appears to be the following, as shown in the abstract. Business is concerned with the creation of new entities and assets that generate cash. Information security, by contrast, is traditionally concerned with protecting these entities and assets. In this paper we examine a perspective which currently exists but is largely dormant in the information security field. We maintain that information security can be actively involved in the creation of business and that the skills required to create commer

Last week I was invited to visit the Symantec Security Operations Center (SOC) in Alexandria, VA. I had been there twice before, before they acquired Riptech and after. Jonah Paransky, Director of Product Management for MSS, answered many of my technical and business questions. On this trip I learned that Symantec operates two 24x7x365 SOCs (in the USA and the UK), along with one in Europe, one in Japan, and other support centers. They do not collect and store security data at the SOC; instead, they have they data pouring into colocation facilities elsewhere. Jonah said they see 3000-4000 "potential" incidents per day, of which about 100 are considered "hard kills." I couldn't tell if that meant actual compromise or not, but those 100 events per day prompt calls to customers. We discussed the nature of their customer base. Symantec provides managed security services to many global 500 companies, some "with security staffs larger than Symantec's

In addition to Chapter 18 from Tao , I noticed Chapter 3 from my third book , Extrusion Detection: Security Monitoring for Internal Intrusions is also online at SearchSecurityChannel.com . This book has been getting some attention because it starts with the premise that your internal network is compromised. Given that assumption, how do you detect, contain, and eradicate intruders on your network? The model applies well to insider and outsider threats. I consider Extrusion to be a companion volume to Tao , and as such I recommend reading Tao first and then Extrusion . Real Digital Forensics is a book where network security monitoring, network incident response, and network forensics are intergrated with host- and memory-centric security operations.

I mentioned earlier that I was invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I accepted the invitation, and I will probably deliver a short presentation and a longer (half-day or day-long) tutorial. After AusCERT, I plan to teach one or two-day classes in Brisbane and/or Sydney. I will probably teach condensed versions of my training classes Network Security Operations and TCP/IP Weapons School . As I develop the plans for all of these classes I will post details here and at TaoSecurity.com . If you would like me to keep you informed via email please write me: training [at] taosecurity [dot] com. Thank you.

With the launch of the new SearchSecurityChannel.com site, I can report that chapter 18 of my first book , The Tao of Network Security Monitoring: Beyond Intrusion Detection is now available online . Chapter 18 is "Tactics for Attacking Network Security Monitoring." It outlines technical means attackers may degrade or deny operations to detect and respond to intrusions. Keep an eye on SearchSecurityChannel.com . I am working with the editor on a plan to contribute regular content for the site.

Recently I've encountered problems with some of the packages built by the FreeBSD team. In the case I described earlier, libtclx8.4.so and libmysqltcl.so.3 were somehow damaged in the .tbz packages I installed on one of my systems. I recovered by using good copies from another system. Yesterday I ran into the following error after I upgraded my packages. orr:/home/richard$ firefox /libexec/ld-elf.so.1: /usr/local/lib/libplds4.so.1: Undefined symbol "gethostbyname_r" orr:/home/richard$ thunderbird /libexec/ld-elf.so.1: /usr/local/lib/libplds4.so.1: Undefined symbol "gethostbyname_r" Uh oh. Email I can live without, but it's difficult to troubleshoot a problem without a Web browser. I had to turn to another laptop running Windows (for shame) to search for clues. I found one post on a Chinese Website with the same errors, but nothing else. I found the pkg-plist for the linux-firefox and linux-thunderbird ports contained this entry: lib/%%APP_NAME%%/libp

Is it possible to use FreeBSD Update with a host running FreeBSD in an IPv6 only scenario ? It's not acceptable to leave it unpatched. The system in question is also extremely slow (P200, 32 MB RAM) so building via CVS is not a good option. Maybe FreeBSD Update is hosted on an IPv6 dual-stack system? p200:/root# freebsd-update fetch Fetching updates signature... fetch: http://update.daemonology.net/i386/6.1/updates.sig: Network is unreachable Shoot. Well, I can reach a host (we'll call it "dualstack") that has both IPv4 and IPv6 addresses. dualstack can also reach my Squid proxy on the IPv4 network. I'll use SSH to port forward traffic needed by FreeBSD Update. p200:/home/richard$ ssh -p 22022 -L 3128:squidproxy:3128 user@dualstack In a new window I'll set the appropriate proxy environment variable. p200:/root# setenv HTTP_PROXY http://localhost:3128 Now I run FreeBSD Update. p200:/root# freebsd-update fetch Fetching updates signature... Fetching updates.

In the spirit of documenting my FreeBSD system administration practices, I thought I would mention the FreeBSD ports I install on every system -- regardless of function. In the future you may see some of these migrate into the base installation, as happening with Portsnap. Others are well-established but have stayed out of the base system for various reasons. security/freebsd-update : described here as a tool to update a GENERIC kernel and userland, destined to move into FreeBSD 6.2 sysutils/portupgrade : described here as a tool to keep ports/packages up-to-date security/portaudit : described here as a tool to find ports/packages with security vulnerabilities sysutils/pkg_cutleaves : described here as a tool to remove packages and their dependencies shells/bash : this is a legacy of my time using Linux, where Bash is the default shell You can read a summary of many of these tools here as well.

I don't like to keep ports trees on all of my FreeBSD systems. I prefer to install packages whenever possible. Upgrading those packages requires the ports tree, however. To use Portupgrade I NFS mount /usr/ports from a single system that keeps an up-to-date ports tree. The major problem with this plan involves the sysutils/screen port. No package is created, and you can't build one yourself. poweredge:/usr/ports/sysutils/screen# make package ===> screen-4.0.2_4 may not be packaged: Tends to loop using 100% CPU when used from package - perhaps it hard-codes information about the build host. Is there a way to build Screen without installing the ports tree? First I tried just NFS mounting /usr/ports and trying to build the port. Here, poweredge is th box with the ports tree and mwmicro needs to run screen. mwmicro:/root# mount /dev/ad0s1a on / (ufs, local) devfs on /dev (devfs, local) /dev/ad0s1f on /home (ufs, local, soft-updates) /dev/ad0s1g on /tmp (ufs, local, soft