TaoSecurity Blog

Inspired by an old post , John Curry, and David Bianco's NSM Wiki, I decided I would install the Sguil client on Ubuntu. It was really easy. First I edited the /etc/apt/sources.list file to include the "universe" package collections: deb http://us.archive.ubuntu.com/ubuntu/ edgy universe deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe Next I updated the apt cache and added the libraries I needed. richard@neely:~$ sudo apt-get update ...edited... richard@neely:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 wireshark Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: itcl3 itk3 libadns1 libpcre3 tcl8.4 tk8.4 wireshark-common Suggested packages: itcl3-doc itk3-doc iwidgets4-doc tclreadline tclx8.4-doc Recommended packages: libadns1-bin The following NEW packages will be installed: itcl3 itk3 iwidgets4 libadns1 libpcre3 tcl8.4 tcllib tclx8.4 tk8.4 wireshark w

Last year I bought a Lenovo X60s laptop to serve as a portable VMware server for my classes. Recently my seven-year-old Thinkpad a20p has been giving me trouble, like losing half its RAM. When you only have 512 MB, that's a big deal. I decided that it was time to move operations to the newer laptop, even though the screen is smaller than I prefer for daily use. I figure I can get by with the smaller screen at least through the end of the year, when I hope to buy my next dream laptop . I decided this was the time to try a new laptop configuration. The X60s came with Windows XP SP2 preinstalled. Although the bottom of the laptop showed a product key, I used the Magical Jelly Bean Keyfinder v2.0 Beta 2½ to retrieve the key used by Windows internally. I installed Ubuntun Desktop 6.10 but preserved the 5 GB IBM restore partition. I am really impressed by Ubuntu. I never use configuration GUIs for anything, but I did use Ubuntu's to set up wireless networking prior to the

I recommend reading Black Hat: Botnets Go One-on-One by Kelly Jackson Higgins. She interviews Jose Nazario for a peak at findings from his talk at Black Hat DC next week. I won't be attending, although I plan to stop by Thursday evening to meet friends Erik Birkholz, Rohyt Belani, and any other ex-Foundstoners we can find.

Yesterday Sourcefire posted a new advisory on a vulnerability in the DCE/RPC preprocessor introduced in Snort 2.6.1. The vulnerable exists in 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7 beta 1. A look at the snort/src/dynamic-preprocessors/dcerpc/ directory of Snort CVS shows dcerpc.c and smb_andx_decode.c were modified three days ago to patch the vulnerability. You can check the diffs for dcerpc.c and smb_andx_decode.c to see how Sourcefire addressed the problem. This level of transparency is one of my favorite aspects of open source projects. If you are so inclined you can check the source code to find the original vulnerability and then decide if the fix is proper. There are probably a few dinosaurs out there who think this level of disclosure is too much, since it shows the adversary exactly where to find the problem. The truth is that several years of exceptionally effective reverse engineering of binary patches for closed, proprietary operating systems (and even creation of pa

I've previously spoken at the Techno Security 2005 and Techno Security 2006 conferences. A visit to the Techno Security 2007 conference page shows I will be teaching TCP/IP Weapons School (Layers 2-3) at the 2007 event this summer. I'll be teaching 6 and 7 June at one of my favorite vacation spots, Myrtle Beach Marriott Resort at Grande Dunes . I'll also be speaking as part of the technical tracks on 5 June. If you'd like to register for TCP/IP Weapons School, please check out the details here and return the registration form (.pdf) to me as quickly as you can. I believe we have a limit of 20 seats, and at $995 per person you get to attend my two day class and the entire Techno conference . I'm working out the details for other public classes listed here , but it will be tough to beat this Myrtle Beach deal. If you're a security vendor, this is an excellent show to have a booth. There's a very high concentration of sharp security people and dec

I've written many posts on insider threats, like How Many Spies and Of Course Insiders Cause Fewer Security Incidents . Recently a former Coca-Cola employee was found guilty of trying to steal Coke's trade secrets, with an intent to sell them to Pepsi. According to this story , detection of the plot was decidedly non-technical: In May, a letter appeared at Pepsi's New York headquarters offering to sell the trade secret. But that's how the beverage superpowers learned of common corporate priorities: Pepsi officials immediately notified Coke of the breach; in turn, Coke executives contacted the FBI and a sting operation was put into play. Today I read Insider Tries to Steal $400 Million at DuPont . The story claims a technical detection method: Computer security played a key role in the case. The chemist, Gary Min, was spotted when he began accessing an unusually high volume of abstracts and full-text PDF documents from DuPont's Electronic Data Library (EDL), a D

Two years ago I posted Real Threat Reporting . My story discussed Shawn Carpenter, formerly an analyst at Sandia National Labs who discovered Titan Rain activity at his site. After bringing news of the intrusions to the FBI, Sandia fired him. According to these AP , ComputerWorld , and FCW stories, a New Mexico jury awarded Shawn "$35,661 for lost wages and benefits, $1,875 for counseling costs and $350,000 for emotional distress." The jury also awarded "$4.3 million in punitive damages" which makes "doing the right thing" a financially attractive proposition when your agency doesn't want you discussing national security failings with outside parties.

The chart comes from How To Tell The Open Source Winners From The Losers by InformationWeek's Charles Babcock. You can more or less skip the article, but the chart is interesting. I don't think it's absolutely necessary to have a benevolent dictator if you have a core team like FreeBSD does. In fact, projects with benevolent dictators suffer from a single point-of-failure that might only be addressed by a fork or replacement by another like-minded individual.

The February 2007 (.pdf) issue of (IN)SECURE Magazine is available. This is a great magazine. Interesting articles include an interview with security researcher/ninja Joanna Rutkowska , discussions of Vista and Office 2007, and a neat overview of security careers by Mike Murrary . (Note to Mike: I've never heard of Tim Keanini until now. No offense, but I don't think he's up there with Marcus Ranum or Ron Gula.)

Last year I described performing a binary upgrade of FreeBSD 6.0 to 6.1. Today I tried a similar process for FreeBSD 6.1 to 6.2, using Colin Percival 's instructions for 6.1 to 6.2-RC1. shuttle01# mkdir /usr/upgrade shuttle01# cd /usr/upgrade shuttle01# fetch http://www.daemonology.net/freebsd-update/upgrade-to-6.2.tgz upgrade-to-6.2.tgz 100% of 18 kB 120 kBps shuttle01# tar -xzf upgrade-to-6.2.tgz shuttle01# cd upgrade-to-6.2 shuttle01# sh freebsd-update.sh -f freebsd-update.conf -d /usr/upgrade -r 6.2-RELEASE upgrade Looking up update.FreeBSD.org mirrors... 1 mirrors found. Fetching public key from update1.FreeBSD.org... done. Fetching metadata signature for 6.1-RELEASE from update1.FreeBSD.org... done. Fetching metadata index... done. Fetching 2 metadata files... done. Inspecting system... done. The following components of FreeBSD seem to be installed: kernel/smp world/base world/dict world/doc world/manpages The following components of FreeBSD

Here's more evidence if you need to make a case that blindly requiring anti-virus or other agents on all systems is neither cost-free nor automatically justified, as I mentioned late last year . As reported by SANS @RISK (link will work shortly): Trend Micro Antivirus, a popular antivirus solution, contains a buffer overflow vulnerability when parsing executables compressed with the UPX executable compression program. A specially-crafted executable could trigger this buffer overflow and execute arbitrary code with SYSTEM/root privileges, allowing complete control of the vulnerable system. Note that the malicious file can be sent to a vulnerable system via email (spam messages), web, FTP, Instant Messaging or Peer-to-Peer file sharing . UPX file format vulnerabilities have been widely-reported in the past, and UPX file fuzzers are commonly available. Here's the Trend Micro advisory .

Late last year I mentioned I planned to read and review FISMA Certification & Accreditation Handbook by Laura Taylor. You know if I read a book on Cisco MARS on one leg of my last trip, I probably read a different book on the return leg. FISMA was that book. These comments are going to apply most directly to FISMA itself, based on what I learned reading Ms. Taylor's book. I'll save comments on the book itself for a later date. Last year I wrote FISMA is a joke. . I was wrong, and I've decided to revise my opinion. Based on my understanding of FISMA as presented in this book, FISMA is a jobs program for so-called security companies without the technical skills to operationally defend systems. This doesn't mean that if you happen to conduct FISMA work, you're definitelTy without technical skills. I guarantee my friends at ClearNet Security are solid guys, just based on their ability to detect the C&A project they joined was worthless. Anyway, I gu

Disclaimer: I'm going to single out a book by Cisco employees that talks about a Cisco product. I have no personal feelings about Cisco. I have friends there. I've done work for Cisco. Since I think Cisco is eventually going to own all network security functions in their switches , I may even work for Cisco one day. This post is for all product vendors who approach understanding and defending the network in the ways described here. Wherever you read "Cisco" feel free to add products that share the characteristics I outline below. Once again I found myself hanging in the sky last week. Trips to and from the West Coast gave me the opportunity to read Security Threat Mitigation and Response: Understanding Cisco Security MARS by Dale Tesch and Greg Abelar. This is mainly another Cisco marketing book, like Self-Defending Networks: The Next Generation of Network Security by Duane DeCapite. While I have a few thoughts on the book, I would much rather address the u

I sometimes hear of people talking about controlling TCP and UDP ports, as if that is the battleground for network access in 2007. Reality check -- that hasn't been true for years, unfortunately. Boy, I miss those days -- the days when defined applications used defined ports and blocking all but a few meant understanding the applications permitted in the enterprise. The Cisco IPJ article Boosting the SOA with XML Networking reminded me with this excellent diagram. Those days are long gone, thanks to security monstrosities like those depicted next. My gut tells me that when I see a bunch of terms squashed into one box, it's going to be a mess to understand, inspect, and control. I expect to hear from the development crowd that XML-fu is God's gift to the Green Earth, but it will take a miracle for me to believe that Everything-over-HTTP-over-port-80-TCP is a "good idea." We've got 65535 TCP ports to use and the whole world is collapsing onto one.

In recent posts like Consider This Scenario , I posted information collected from my live network connection. I don't worry about exposing real data, as long as it belongs to my own network. I obviously don't expose client data! Today I received a new alert from OSSEC: OSSEC HIDS Notification. 2007 Feb 08 09:46:13 Received From: macmini->/var/log/auth.log Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or version gathering)." Portion of the log(s): Feb 8 09:46:11 macmini sshd[21224]: Bad protocol version identification 'Yo. I just read your blog about this SSH server' from ::ffff:201.11.74.161 Interesting. Here is an OSSEC alert -- but is there anything else? How many people think I should check my macmini host again? Rather than poke around on that box, I first check my independent NSM Sguil sensor to see what it says about the event. I didn't see any Snort alerts, so I did a session query and got one result. Sensor:cel4

If you didn't see the announcement , you might like perusing Arbor Network 's new Active Threat Level Analysis System (ATLAS) Initiative, "a multi-stage project to develop the world’s first globally scoped threat analysis network with the help of the service provider community." I'm not sure I totally agree with that description, but the range of data available looks interesting. I plan to mine some of my NSM session data based on information from ATLAS. I applaud Arbor for making this sort of information publicly and freely available.

If you visit www.novabug.org or novabug.blogspot.com , you'll see I just created the northern Virginia BSD users group. Two years ago I expressed interest in helping with this organization, but someone else registered novabug.org and did nothing with the name or concept. Following in the modest success of NoVA Sec , I thought it was time to create a BSD users group for the technical professionals in this area. I'll be looking for an organization to host our first meeting, probably in March. If you are interested in participating in these low-key yet high-value gatherings of like-minded BSD users, please leave a comment at the NoVA BUG blog . I think we'll be able to recruit someone to host a mailing list fairly soon. Thank you!

My third Snort Report has been posted. Using the snort.conf file built in the second Snort Report , I show how Snort can detect suspicious activity without using any rules or dynamic preprocessors. Granted, the examples are somewhat limited, but you get the idea. The purpose of these articles is to develop an intuitive understanding of Snort's capabilities, starting with the basics and becoming more complicated.

Yesterday I learned that more friends of mine from Foundstone have departed to start their own companies. I could probably list a dozen such companies with whom I do work, from whom I get leads, or to whom I pass leads. It seems this is a really popular way for security specialists to do work they enjoy without the burden of corporate management. I think clients like this approach because they always interact directly with the people doing the work. They can target specialists and only bring in the people they need. When I am hired for a project that extends beyond network-centric monitoring, response, and/or forensics, I call on one or more friends I trust. For example, one client needs help with monitoring, infrastructure, and applications, so I am driving to the client with the best guys I know for each subject. I wonder if it might be useful for all of us "single-digit security service providers" (i.e., those of us with less than ten employees) to meet, perhaps at B

The other day I posted I Am Not Anti-Log . I alluded to the fact that I am not a big log fan but I do see the value of logs. This post will give you an indication as to why I prefer network data to logs. Yesterday morning I installed OSSEC on the one system I expose to the Internet. OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity. The system on which I installed OSSEC only offers OpenSSH to the world. Therefore, you could say I was surprised when the following appeared in my Gmail inbox this morning: OSSEC HIDS Notification. 2007 Feb 02 06:25:01 Received From: macmini->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user sucessfully logged to the system." Portion of the log(s): Feb 2 06:25:01 macmini su[14861]: (pam_unix) session opened for user nobody by (uid=0) I don't know what that means, but I don't feel good about it. At this point I know what everyone i

I just posted the TaoSecurity 2007 Training Schedule on my company Web site. I didn't include all of the places I might be teaching this year. All of the public classes are tentative at this point, but I am working on securing hosting facilities. You'll notice I plan to conduct six public classes across the US, and I am appearing at a few overseas conferences too -- including a one-day public class in Sydney, Australia. If you would like to support my bid to teach at Black Hat USA Training (28-21 July 2007) in Las Vegas, NV, please email Ping Look via ping [at] blackhat [dot] com . Email training [at] taosecurity [dot] com for advance details on the classes listed below. Registration information for public classes will be posted shortly. I maintain the latest schedule at TaoSecurity training . If you would like me to conduct a private class at your facility, please email training [at] taosecurity [dot] com . Thank you. I hope to meet you in 2007!

Gunnar Peterson pointed me to a great blog post he wrote called Protect the Transaction . He quotes Dave Kilcullen's post Two Schools of Classical CounterInsurgency , which discusses the difference between “enemy-centric” and “population-centric” counter-insurgency operations. I consider two responses to these posts. First, when monitoring, you can take a threat-centric or an asset-centric approach to monitoring insider threats. This is especially true when monitoring inside an organization. As I teach in my Network Security Operations class, threat-centric monitoring places sensors closer to the suspected intruders (rogue sys admins, curious call center workers, etc.) while asset-centric monitoring places sensors closer to valuable resources (source code repositories, payroll servers, etc.) Sometimes you can follow both approaches, but that usually ends up in a "monitor everywhere" style that can be cost- and operationally-prohibitive. Keep in mind that defenses a

Keith Jones, my friend from Jones, Rose, Dykstra and Associates and Real Digital Forensics coauthor wrote The Real World of Computer Forensics for CMP. It's a good read. Keith, Curtis (Rose) and I are discussing writing Real Digital Forensics 2 , which will be fun to develop. We're considering writing a series of cases involving a single enterprise, but involving a wide variety of incident types and data sources. I don't see the book on shelves before 2008, though. It's a lot of work simply creating the evidence for analysis and inclusion on a DVD.