Showing posts from 2007

Sguil Status

One of you wrote recently to ask about the status of the open source Network Security Monitoring suite called Sguil. You noticed the last release of Sguil (0.6.1) occurred in February 2006. I can assure you Sguil is not dead. In fact, just last week I wrote an article for a new BSD magazine about installing the sensor and server components of Sguil 0.7.0 (from CVS) on FreeBSD 7.0. To keep up with development read the sguil-devel mailing list and visit #snort-gui on I expect to see Sguil 0.7.0 released before 13 February 2008 to avoid hitting the two year mark.

Last Book Reviews of 2007 Posted

just published my five star review of Ajax Security by Billy Hoffman and Bryan Sullivan. From the review: Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that. I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done. Ajax Security is my Best Book Bejtlich Read in 2007 award winner. will soon publish my four star review of Geekonomics by David Rice. Fro

Best Book Bejtlich Read in 2007

Last year I posted my first year-end ranking of books I had read and reviewed in 2006, titled Favorite Books I Read and Reviewed in 2006. I decided to continue the tradition this year by posting my 2007 rankings, and awarding Best Book Bejtlich Read in 2007 (B3R07). 2007 was not my most productive year in terms of reading and reviewing books. I read 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, and 52 in 2006. This year I read and reviewed 25 books, several during the last week. My ratings can be summarized as follows:

5 stars: 9 books
4 stars: 11 books
3 stars: 4 books
2 stars: 1 book
1 star: 0 books

The competition for the B3R07 award was intense. Keep in mind these are all five star books.

9. Designing BSD Rootkits: An Introduction to Kernel Hacking by Joseph Kong (No Starch). If you understand C and want to learn how to manipulate the FreeBSD kernel, Designing BSD Rootkits is for you.

8. Hacking Exposed VoIP: Voice Over IP Security Secrets &

Long Live Emerging Threats

If you haven't noticed, availability of Bleeding Threats has been lousy recently. If you read Matt Jonkman's recent post you'll notice the arrival of Emerging Threats. I am currently getting my copy of the Bleeding ruleset there; I am no longer using Bleeding Threats.

Snort Report 11 Posted

My 11th Snort Report on Snort Limitations has been posted. From the start of the article: In the first Snort Report I mentioned a few things value-added resellers should keep in mind when deploying Snort:

1. Snort is not a "badness-ometer."
2. Snort is not "lightweight."
3. Snort is not just a "packet grepper."

In this edition of the Snort Report, I expand beyond those ideas, preparing you to use Snort by explaining how to think properly about its use. Instead of demonstrating technical capabilities, we'll consider what you can do with a network inspection and control system like Snort. The editors titled this piece "Snort Limitations" -- I didn't.

Predictions for 2008

For the last five years I've resisted the urge to write year-end predictions (thanks Anton ). However, I'm seeing indications of the following, so maybe this is more about highlighting trends than taking wild guesses. Here are my five predictions for 2008. Expect greater government involvement in assessing the security of private sector networks. I base this item on what's happening in the UK following their latest data breach. The article Data watchdog seeks dawn-raid powers states the following: The Information Commissioner’s Office (ICO), which polices the security of the nation’s data, is to be given the power to raid Government departments suspected of breaching protection laws. The move, announced today by Gordon Brown, comes in response to the loss by HM Revenue & Customs (HMRC) of personal details of some 25 million Britons. The Prime Minister said the ICO would be given extra powers to carry out “spot checks” of government departments. However, it is unclea

Two Book Reviews Posted

just published my five star review of Absolute FreeBSD, 2nd Ed by Michael Lucas. From the review: Almost five years ago I reviewed Absolute BSD, Michael Lucas' first book on FreeBSD. I gave that book five stars, back when several other BSD books provided competition. On the eve of 2008, I am happy to say that Michael Lucas is probably the best system administration author I've read. I am amazed that he can communicate top-notch content with a sense of humor, while not offending the reader or sounding stupid. When was the last time you could physically feel yourself getting smarter while reading a book? If you are a beginning to average FreeBSD user, Absolute FreeBSD 2nd Ed (AF2E) will deliver that sensation in spades. Even more advanced users will find plenty to enjoy. also just published my five star review of Linux Firewalls by Mike Rash. From the review: Disclaimer: I wrote the foreword for this book, so obviously I am biased. However, I am not

Make Cleaning Awesome

Over three years ago I blogged about my Dyson vacuum cleaner. 99.9% of all of my posts are about digital security, but I know some of you are still looking for holiday presents for that certain someone. My wife bought me the new DC-16 for my birthday. That's right, a vacuum for my birthday. Take a look at the picture of this thing and tell me it is not awesome. I dare you. Don't believe? Forget the perpetually clogged, nasty "filter" on my old Dustbuster. The DC-16 has a canister that I empty. The DC-16 also has a trigger, not a power button. It looks even more weaponized when the crevice tool is attached instead of the combination accessory tool (pictured above). Don't let the crybaby reviewers dismay you. Sure, it would be nice to be able to have a second battery pack for swappable charging. However, if you're draining the battery regularly it's a sign you need to pull out your regular vacuum and not rely on a handheld . I'

After Five Years, NSM Is Still More Than IDS

I've received a series of questions relating to Network Security Monitoring (NSM) recently, via email, blog comments, IRC questions, and so on. Just over five years ago (2 Dec 02) Bamm Visscher and I recorded a Webcast for titled Network Security Monitoring Is More Than IDS. That URL links to a series of questions submitted in response to the podcast. I still have a copy of our slides, which I just exported to .pdf and uploaded as bejtlich_visscher_techtarget_webcast_4_dec_02.pdf. Remarkably, I would hardly change any of the content. All of the arguments we made back then still hold today. The only real changes involve replacing one or two defunct Web sites. Anyone who is trying to understand NSM will enjoy this presentation. Please post questions here, and I will either answer the comments directly or save them for a follow-on blog post. Thank you.

Does Failure Sell?

I often find myself in situations trying to explain the value of Network Security Monitoring (NSM). This very short fictional conversation explains what I mean. This exchange did not happen but I like to contemplate these sorts of dialogues. NSM Advocate: I recommend deploying network-based sensors to collect data using NSM principles. I will work with our internal business units to select network gateways most likely to yield significant traffic. I will build the sensors using open source software on commodity hardware, recycled from other projects if need be. Manager: Why do we need this? NSM Advocate: Do you believe all of your defensive measures are 100% effective? Manager: No. (This indicates a smart manager. Answering Yes would result in a line of reasoning on why Prevention Eventually Fails.) NSM Advocate: Do you want to know when your defensive measures fail? Manager: Yes. (This also indicates a smart manager. Answering No would result in a line of reasoning on why ign

Feds Plan to Reduce, Then Monitor

According to OMB directs agencies to close off most Internet links, by June 2008 the Federal government plans to reduce the number of Internet connections it maintains, and then monitor them more closely: The Office of Management and Budget's Trusted Internet Connections (TIC) initiative likely is to be the last publicized program in the Bush administration's stepped-up focus on cybersecurity, some experts say. More importantly, the new initiative requires agencies to implement real-time gateway monitoring, which has been a deficit in federal network protection. The TIC initiative mandates that officials develop plans for limiting the number of Internet connections into their departments and agencies. OMB officials want to reduce the number of gateways from the more than 1,000 to about 50, said Karen Evans, OMB's administrator for e-government and information technology. (emphasis added) This sounds promising. The story continues: The initiative also asks chief informat

Incident Severity Ratings

Much of digital security focuses on pre-compromise activities. Not as much attention is paid to what happens once your defenses fail. My friend Bamm brought this problem to my attention when he discussed the problem of rating the severity of an incident. He was having trouble explaining to his management the impact of an intrusion, so he asked if I had given any thought to the issue. What follows is my attempt to apply a framework to the problem. If anyone wants to point me to existing work, please feel free. This is not an attempt to put a flag in the ground. We're trying to figure out how to talk about post-compromise activities in a world where scoring vulnerabilities receives far more attention. This is a list of factors which influence the severity of an incident. It is written mainly from the intrusion standpoint. In other words, an unauthorized party is somehow interacting with your asset. I have ordered the options under each category such that the top items in eac

Expert Commentary on SPAN and RSPAN Weaknesses

It's no secret I am a fan of using taps instead of switch SPAN ports when instrumenting networks. Two excellent posts explain the weakness of using SPAN ports and RSPAN. Both of these were written by Tim O'Neill, an independent consultant:

SPAN Port or TAP? CSO Beware
RSPAN... Friend or Foe?

This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation). Furthermore, I really liked the blog post's emphasis on SPAN configuration as a change that must be allowed by the change control board in any semi-mature IT shop. The only CCB action needed for a tap is the initial installation. Any change to a SPAN port configuration should be authorized by the CCB. This is one of the reasons why very mature (and well-funded) IT shops use matrix switches for

Controls Are Not the Solution to Our Problem

If you recognize the inspiration for this post title and graphic, you'll understand my ultimate goal. If not, let me start by saying this post is an expansion of ideas presented in a previous post with the succinct and catchy title Control-Compliant vs Field-Assessed Security . In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing "controls," regardless of the effect these controls have or do not have on security. They are far too input-centric; they should become more output-aware. They obsess over recording conditions they believe may be helpful while remaining ignorant of the "score of the game." They practice management by belief and disregard management by fact. Let me provide a few examples from one of the canonical texts used by the control-compliant crowd: NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems (.pdf). The following is

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit. After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.

Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection ID: .hacom_5136150487897024842
Src IP: (
Dst IP: (Unknown)
Src Port: 39532
Dst Port: 80
OS Fingerprint: - UNKNOWN [S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> (link: ethernet/modem)

SRC: GET /version.txt HTTP/1.1
SRC: Accept-Encoding: identity
SRC: Host:
SRC: Connection: close
SRC: User-Agent: Python-urllib/2.5
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:27:31 GMT

Examining the MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application. I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X, set a root password, then used 'apt-get ssh install' to install OpenSSH and thus enable root access. From this point forward I accessed the system using OpenSSH remotely to facilitate copying information into this blog post. First, this looks like Ubuntu (Xubuntu, if you really care) Feisty Fawn, or 7.04.

root@ubuntu:~# uname -a
Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686 GNU/Linux

I was most interested in learning about Snort on this toolkit. I saw this version installed.

root@ubuntu:~# s

Tap vs Lightning Strike

Earlier this year my lab suffered a near lightning strike. A tree right outside the lab was struck by lightning, causing damage to multiple electronic and electrical devices outside and inside the building. Outside, the lightning disabled an exterior lighting system and my phone lines. Inside, the lightning took a severe toll on the lab. The cable modem to the outside world was destroyed. The NIC on the lab firewall facing the cable modem was fried, along with a second NIC in the firewall. The NIC on a sensor watching a tap between the cable modem and firewall was also destroyed. So far, this is a grim story. I have one good piece of news to report, and it involves the tap I mentioned sitting between the cable modem and firewall. The tap survived the lightning strike. More precisely, the tap continued to pass traffic even when its monitoring interface was damaged. Had the tap been receiving traffic from the modem or firewall, it would have continued to pass it. This truly ama

Updating FreeBSD 7.0-BETA2 to 7.0-BETA3

Recently I posted FreeBSD Binary Upgrade News about developments with Colin Percival's FreeBSD Update tool. Today I performed a remote (via SSH) upgrade from FreeBSD 7.0-BETA2 to FreeBSD 7.0-BETA3 using FreeBSD Update. I document the process below so you can see how easy it is and for my future reference. Here is uname output to show the OS version prior to upgrading.

# uname -a
FreeBSD 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov 2 16:47:33 UTC 2007 i386

I wasn't sure if the version of FreeBSD Update packaged with FreeBSD 7.0-BETA2 would natively support this process, so I gave it a try.

# freebsd-update -r 7.0-BETA3 upgrade
usage: freebsd-update [options] command ... [path]
Options:
  -b basedir   -- Operate on a system mounted at basedir
                  (default: /)
  -d workdir   -- Store working files in workdir
                  (default: /var/db/freebsd-update/)
  -f conffile  -- Read confi

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I think monitoring might not be appropriate. While this is by no means a political blog, I would not want my NSM approach to be taken as justification for monitoring and retaining every electronic transaction, especially beyond the security realm. In that spirit I would like to point out three recent stories which highlight some of the contemporary problems I see with electronic monitoring. First is Boeing bosses spy on workers . From the story: Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that