TaoSecurity Blog

To mark the launch of Microsoft Windows Vista , CSO Online asked me to write this article . The editor titled it "Security In Microsoft Vista? It Could Happen." I think I took a balanced approach. Let me know what you think. I was pleased to see my FreeBSD reference survived the editor's review!

I've been busy playing with various protocols in preparation for TCP/IP Weapons School in about two weeks. Recently I saw this post by Randall Stewart indicating that Stream Control Transmission Protocol (SCTP) had been added to FreeBSD CURRENT. I poked around in src/sys/netinet/ and found various SCTP files dated 3 Nov 06. Rather than update a FreeBSD 6.x system to 7.0, I decided to look for the latest FreeBSD snapshot . Sure enough, I found the latest 7.0 snapshot was dated 6 Nov 06. I downloaded the first .iso and installed it into a VMware Server VM. The kernel was compiled on 5 Nov 06: $ uname -a FreeBSD freebsd70snap.taosecurity.com 7.0-CURRENT-200611 FreeBSD 7.0-CURRENT-200611 #0: Sun Nov 5 19:31:17 UTC 2006 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 I found the SCTP files I was looking for, too. $ cd /usr/src/sys/netinet $ ls -al *sctp* -rw-r--r-- 1 root wheel 11869 Nov 3 10:23 sctp.h -rw-r--r-- 1 root wheel 83862 Nov 3 14:48 sc

I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates vendors to fix their software. This post isn't about the disclosure debate, however. Instead, I'm wondering what this means for those of us who don't do offensive work, either due to lack of skills or opportunity/responsibility. It occurred to me today that we are witnessing the sort of change that happened to the National Hockey League in the late 1960s and early 1970s. During that time the player pictured at left, Bobby Orr , changed the game of ice hockey forever. For those of you unfamiliar with hockey, teams

Recently I posted thoughts on a few security books on my shelf. Today I received an absolutely gigantic new book called The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities by Mark Dowd, John McDonald, and Justin Schuh. This is a 1200-page book on discovering vulnerabilities in all sorts of software. I plan to read it along with similar books over the next month or so. Books on how to break software in order to make it better seem to be the hottest titles on the market. This is exactly the sort of book I would expect most vendors to dislike, although titles like Hunting Security Bugs , published by shows some vendors realize that if they don't test their software first, some attacker in Bucharest will do it for them.

I continue to receive feedback and questions on my No Shortcuts post. One of you prompted me to write three new Amazon.com Lists , organized thus: Digital Security Boot Camp Digital Security War College Digital Security Postgraduate School For the civilians out there, that's novice, intermediate, and advanced. :) I listed seven books for each category to keep things manageable. One of the problems I encountered with the advanced list, especially, is that coding becomes a big part of the equation when one starts to consider "advanced" topics. I tried including "placeholder" books to give you the idea that you need coding background to make good use of a book like Unix Network Programming, Volume 1: The Sockets Networking API, 3rd Ed . Please let me know if you find these lists helpful. Please remember that reading these 21 books in order will not take you from newbie to guru. Rather, these are books I think will help at each stage of you

Several publishers have sent me new books recently, and I have one comment to make about an older book. I'll start with books that look good, but which I don't plan to read. The first is Linux Administration Handbook, 2nd Ed by Evi Nemeth, Garth Snyder, Trent R. Hein. There's no doubt this is a great general-purpose system administration book for Linux. I gave the 3rd edition of the Unix version three stars almost five years ago (and I'm hoping this 4th edition comes to fruition). The Linux book describes Red Hat Enterprise, Fedora Core, SuSE, Debian, and Ubuntu. If the book covered Slackware and Gentoo instead of SuSE, I think it would have been perfect. I'm guessing RHEL is close enough to Fedora, and Debian to Ubuntu, to allow extra coverage of more diverging distros like Slackware and Gentoo? I plan to use this book as a reference, but I don't plan to read and review it. I suggest you buy it if you're looking for a comprehensive Linux referen

Today I received a curious email. At first I thought it was spam, since the subject line was "RE: Help!", and I don't send emails with that subject line. Here is an excerpt: I cannot afford nor have the time to take a full collage course on the topic of network security but I would like to be as knowlageable about it as yourself and be able to protect my computer and others regarding this matter. If I was willing to pay you would you take the time to teach me what you know and/or point me in the direction I would need to learn what you know about network security? Please advise what course I would need to take to accomplish your skill of network security? In my opinion, it seems like this question seeks to learn some sort of "hidden truth" that I might possess, and acquire it in record time. The reality is that there are really no shortcuts to learning as complex a topic as digital security. I have been professionally involved with this topic for almost te

I don't play Second Life or any video games these days. If I had the time I would play Civ IV . Neverthless, virtual worlds like SL are becoming increasingly interesting, as demonstrated by today's attack of the killer rings (pictured at left), also known as a " grey goo " attack. This comment in the accompanying Slashdot post explains that it's possible for a rogue user to exploit vulnerabilities in Second Life and introduce code that peforms a sort of denial of service attack on the game. The attack occurs when game participants decide to interact with the gold rings shown in the thumbnail from this site . It's similar to human penetration testers leaving USB tokens or CD-ROMs at a physical world place of business and waiting for unsuspecting employees to see what's on them. This story illustrates two points. First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point

It seems my earlier post Comments on SANS Top 20 struck a few nerves, e.g. this one and others. One comment I'm hearing is that the latest Top 20 isn't "just opinion." Let's blast that idea out of the water. Sorry if my "cranky hat" is on and I sound like Marcus Ranum today, but Marcus would probably agree with me. First, I had no idea the latest "Top 20" was going to be called the "SANS Top-20 Internet Security Attack Targets" until I saw it posted on the Web. If that isn't a sign that the entire process was arbitrary, I don't know what is. How can anyone decide what to include in a document if the focus of the document isn't determined until the end? Second, I love this comment: Worse still, Richard misses the forest completely when he says that “… it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about …”. It doesn’t really matter if it’s a weakness, action item, vulnerabilit

No sooner did I write about a CEO gone bad do I read this: Ex-IT Chief Busted for Hacking : Stevan Hoffacker, formerly director of IT and VP of technology for Source Media, was arrested at his home yesterday on charges of breaking into the email system that he once managed. According to the FBI and the U.S. Attorney for the Southern District of New York, Hoffacker hacked into his former company's messaging server, eavesdropped on top executives' emails about employees' job status, and then warned the employees that they were about to lose their positions. I doubt there's any real "hacking" involved here. Hoffacker probably retained access or leveraged knowledge of configuration errors to access these systems. The FBI did not say exactly how Hoffacker broke into the mail system, but it noted that the former IT exec had access to the passwords for the email accounts of other Source Media employees. Of course, if Hoffacker was an "ex-IT chief," he wa

In less than 12 hours I will be speaking on the next Tenable Webinar . Please register here . Ron Gula wrote the foreword for my book and he always has something interesting to say about digital security. I expect he will have some good questions for me!

This is a brief note to let you know that Amazon.com is now publishing an RSS feed of my book reviews. I'm not sure exactly how new this is, but I've been looking for it. I have a stack of books about exploit development and security tools that I hope to review as a group before the end of the year. I'm currently at 52 books reviewed for the year, and adding those 7 would make 59. I have several books on miscellaneous topics waiting as well, so we might see 60 reviews or more by year's end. Now it would be cool to see Amazon.com publish RSS feeds for reviews of specific books, so I could keep track of customer feedback on titles of interest. Update: It looks like you can also subscribe to lists like my Wish List , which is cool.

I received an email asking me to name common enterprise security mistakes and how to avoid them. If I'm going to provide free advice via email, I'd rather just post my thoughts here. This is my answer: Failure to maintain a complete physical asset inventory Failure to maintain a complete logical connectivity and data flow diagram Failure to maintain a complete digital asset/intellectual property inventory Failure to maintain digital situational awareness Failure to prepare for incidents The first three items revolve around knowing your environment. If you don't know what houses your data (item 1), how that data is transported (item 2), and what data you are trying to protect (item 3), you have little chance of success. Once you know your environment, you should learn who is trying to exploit your vulnerabilities to steal, corrupt, or deny access to your data (item 4). Security incidents will occur, so you should have policies, tools, techniques, and trained and exercis

I found the following five posts to be very interesting. You might too: Playing for Keeps Across the Board Andre Durand -- Firewall This Information Security Must Evolve Data Protection -- It's More Than A + B + C Team Evil: Incident 2 The first four are more conceptual, dealing with the need to collapse security measures around data instead of hosts. The fifth is a report of an incident with some decent details.

You may have seen that the latest SANS Top 20 was released yesterday. You may also notice I am listed as one of several dozen "experts" (cough) who "helped create" the list. Based on last year's list , I thought I might join the development process for the latest Top 20. Maybe instead of complaining once the list was published, I could try to influence the process from inside? First let me say that project lead Rohit Dhamankar did a good job considering the nature of the task. He even made a last-minute effort to solicit my feedback, and some of my comments altered the categories you now see in the Top 20. I thank him for that. As far as the nature of the list goes, it's important to realize that it's based on a bunch of people's opinions. There is no analysis of past vulnerability trends or conclusions based on real data, like the Vulnerability Type Distribution I mentioned earlier . At the point where I realized people were just going to w

Here are two quick notes on my favorite operating system. First, support for Stream Control Transmission Protocol (SCTP) has been added to FreeBSD CURRENT (i.e., 7.x). SCTP is a layer 4 alternative to TCP or UDP. I saw it mentioned in the final issue of Cisco's Packet magazine, in the context of NetFlow , specifically the new Flexible Netflow . When I get a chance to test this it will probably be using this technology. Second, Federico Biancuzzi conducted an excellent interview with Robert Watson regarding OpenBSM and FreeBSD. This is incorporated into the upcoming FreeBSD 6.2, which I expect to see in early December.

Two years ago I documented how I used Vinum on FreeBSD. Since then Vinum has been replaced by Gvinum, although it's not always clear when you should use either term. The Handbook documentation isn't easy to understand, either. Luckily I combined my old notes with this helpful tutorial to accomplish my goal. I wanted to take two separate partitions, /nsm1 on one disk and /nsm2 on a second disk, and make them look like a single /nsm partition. I had already been using /nsm1, but I was prepared to lose that data since it was only for test purposes thus far. This is what the df command produced. cel433:/root# df -m Filesystem 1M-blocks Used Avail Capacity Mounted on /dev/ad0s1a 495 36 419 8% / devfs 0 0 0 100% /dev /dev/ad0s1f 989 0 910 0% /home /dev/ad0s1h 10553 8655 1053 89% /nsm1 /dev/ad1s1d 18491 0 17012 0% /nsm2 /dev/ad0s1g 989 25 884 3% /tmp /dev/ad0s1d 1978

The next ISSA NoVA meeting will take place 1730 Thursday 16 Nov 06 at Oracle Corp in Reston, VA. Marcus Sachs will be the guest speaker. Please RSVP as soon as possible. Unfortunately a new NoVA Snort Users Group decided to ignore this meeting of 100+ security practitioners by scheduling their first meeting at exactly the same time. Hopefully future NoVA SUG meetings will take a look at their surroundings before scheduling future events or at least respond to posts about their group.

Last year I discussed the value of the CISSP with respect to its code of ethics . Today while renewing my ISSA membership, I was presented with the following: The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I have in the past and will in the future: * Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles; * Promote generally accepted information security current best practices and standards; * Maintain appropriate confident

This is a reminder for those interested in attending one or more of the training classes I'm conducting in December. These will be the last public classes for several months. I have consulting and private classes occupying my time in Q107, although I'll have some public work in Q207. For Enterprise Network Instrumentation at SANS CDI East 2006 on 14-15 Dec 06 in Washington, DC, the discounted registration ends tomorrow, 8 Nov 06. For Network Security Monitoring with Open Source Tools at USENIX LISA 2006 , on 8 Dec 06, discounted registration ends Friday 10 Nov 06. For TCP/IP Weapons School days one and two at USENIX LISA 2006 , on 3-4 Dec 06, discounted registration ends Friday 10 Nov 06. For TCP/IP Weapons School days three and four, on 9-10 Dec 06, held at the same hotel as USENIX LISA but conducted separately by me, return this form (.pdf) by Friday 10 Nov 06 for discounted rates. This flyer (.pdf) explains the course as well. Thank you. If you have any questi

Bill Brenner published this quote in his story Sourcefire IPO could fuel Snort, users say : The infrastructure to support Snort isn't cheap and Sourcefire isn't flush with cash, said Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security. "The money to keep Snort thriving has to come from somewhere, and an IPO could give Snort more legs," he said. I based this thought on the following from Sourcefire's S-1, listed under Risks Related to Our Business: We have incurred operating losses each year since our inception in 2001. Our net loss was approximately $10.5 million for the year ended December 31, 2004, $5.5 million for the year ended December 31, 2005 and $2.9 million for the nine months ended September 30, 2006. Our accumulated deficit as of September 30, 2006 is approximately $40.3 million. It looks like Sourcefire's losses are narrowing, which points to future profitability. My point is that development of Snort and associated

CIO Magazine published The Global State of Information Security 2006 . The story contained what I consider to be some fairly disappointing results. Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. .. The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings. (emphasis added) No one spends money on insurance because

Amazon.com just posted my three star review of Hack the Stack by Michael Gregg, et al. From the review : I teach a course called "TCP/IP Weapons School" that involves walking students up the OSI model. We look at network traces generated by tools and techniques to defeat security measures. When I saw "Hack the Stack" (HTS) I thought it might make a good resource for my class, since HTS seemed to advocate a similar approach. Unfortunately, technical errors, shoddy production, internal repetition and poor organization, and a lack of original material make me question the value of HTS... Overall, I think there is room for a book like HTS. It's too bad this one did not deliver what I was expecting. I do appreciate the authors citing my network security monitoring methodology on p 232.

Just the other day I read the following in Cliff Berg's book High-Assurance Design : Roles should be narrowly defined so that a single role does not have permission for many different functions, at least not without secure traceability. The CTO of a Fortune 100 financial services company once bragged to me over dinner that if he wanted to, he had the ability to secretly divert a billion dollars from his firm, erase all traces of his actions, and disappear before it was discovered. Clearly, the principles of separation of duties and compartmentalization were not being practiced within his organization. Now I read the following in VARBusiness : Federal law enforcement officials Tuesday arrested the well-known CEO of White Plains, N.Y.-based MSP provider Compulinx on charges of stealing the identities of his employees in order to secure fraudulent loans, lines of credit and credit cards, according to an eight-count indictment unsealed by the U.S. Attorney's office in White Plai

According to Air Force Link , 8th Air Force will become the new Air Force Cyberspace Command. This appears to be the next step following the creation of a Air Force Network Operations Command structure in August. That came on the heels of the Air Force Information Warfare Center being redesignated as the Air Force Information Operations Center . That was a result of the Air Force Tactical Fighter Weapons Center being redesignated as the Air Force Warfare Center . In a related move, the former 67th Information Operations Wing is now the 67th Network Warfare Wing . Follow all that? It also appears the Air Force is centralizing control of network operations and security centers, according to this article : All Air Force network operations security centers, which were previously decentralized among the major commands, will consolidate under the 67th with the stand-up of two integrated network operations and security centers, or I-NOSCs, located at Langley AFB, Va., and at Peterson AF

Amazon.com just posted my six new reviews on books about software security. The first is Software Security by Gary McGraw. This was my favorite of the six because it was the most logically organized. Here is a link to the five star review . The second is Security Development Lifecycle by Microsoft's Michael Howard and Steve Lipner. I thought it was neat to read about Microsoft's software development practices with respect to security. Just don't expect the CD-ROM training videos to keep you awake. Here is a link to the four star review . The third is Writing Secure Code, 2nd Ed by Microsoft's Michael Howard and David LeBlanc. This is probably the definitive book on writing secure code for Windows, although the terminology gives me pains. Here is a link to the four star review . The fourth is 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega. This book is a stripped down version of other secure coding books, but it