Showing posts from November, 2007

Controls Are Not the Solution to Our Problem

If you recognize the inspiration for this post title and graphic, you'll understand my ultimate goal. If not, let me start by saying this post is an expansion of ideas presented in a previous post with the succinct and catchy title Control-Compliant vs Field-Assessed Security. In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing "controls," regardless of the effect these controls have or do not have on security. They are far too input-centric; they should become more output-aware. They obsess over recording conditions they believe may be helpful while remaining ignorant of the "score of the game." They practice management by belief and disregard management by fact. Let me provide a few examples from one of the canonical texts used by the control-compliant crowd: NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems (.pdf). The following is

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit. After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.

Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection ID: .hacom_5136150487897024842
Src IP: (
Dst IP: (Unknown)
Src Port: 39532
Dst Port: 80
OS Fingerprint: - UNKNOWN [S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> (link: ethernet/modem)

SRC: GET /version.txt HTTP/1.1
SRC: Accept-Encoding: identity
SRC: Host:
SRC: Connection: close
SRC: User-Agent: Python-urllib/2.5
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:27:31 GMT

Examining the MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application. I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X, set a root password, then used 'apt-get ssh install' to install OpenSSH and thus enable root access. From this point forward I accessed the system using OpenSSH remotely to facilitate copying information into this blog post. First, this looks like Ubuntu (Xubuntu, if you really care) Feisty Fawn, or 7.04.

root@ubuntu:~# uname -a
Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686 GNU/Linux

I was most interested in learning about Snort on this toolkit. I saw this version installed.

root@ubuntu:~# s

Tap vs Lightning Strike

Earlier this year my lab suffered a near lightning strike. A tree right outside the lab was struck by lightning, causing damage to multiple electronic and electrical devices outside and inside the building. Outside, the lightning disabled an exterior lighting system and my phone lines. Inside, the lightning took a severe toll on the lab. The cable modem to the outside world was destroyed. The NIC on the lab firewall facing the cable modem was fried, along with a second NIC in the firewall. The NIC on a sensor watching a tap between the cable modem and firewall was also destroyed. So far, this is a grim story. I have one good piece of news to report, and it involves the tap I mentioned sitting between the cable modem and firewall. The tap survived the lightning strike. More precisely, the tap continued to pass traffic even when its monitoring interface was damaged. Had the tap been receiving traffic from the modem or firewall, it would have continued to pass it. This truly ama

Updating FreeBSD 7.0-BETA2 to 7.0-BETA3

Recently I posted FreeBSD Binary Upgrade News about developments with Colin Percival's FreeBSD Update tool. Today I performed a remote (via SSH) upgrade from FreeBSD 7.0-BETA2 to FreeBSD 7.0-BETA3 using FreeBSD Update. I document the process below so you can see how easy it is and for my future reference. Here is uname output to show the OS version prior to upgrading.

# uname -a
FreeBSD 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov 2 16:47:33 UTC 2007 i386

I wasn't sure if the version of FreeBSD Update packaged with FreeBSD 7.0-BETA2 would natively support this process, so I gave it a try.

# freebsd-update -r 7.0-BETA3 upgrade
usage: freebsd-update [options] command ... [path]
Options:
  -b basedir   -- Operate on a system mounted at basedir (default: /)
  -d workdir   -- Store working files in workdir (default: /var/db/freebsd-update/)
  -f conffile  -- Read confi

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means, because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I think monitoring might not be appropriate. While this is by no means a political blog, I would not want my NSM approach to be taken as justification for monitoring and retaining every electronic transaction, especially beyond the security realm. In that spirit I would like to point out three recent stories which highlight some of the contemporary problems I see with electronic monitoring. First is Boeing bosses spy on workers. From the story: Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that

Analyzing Protocol Hopping Covert Channel Tool

I enjoy analyzing covert channels, although my skills are far inferior to someone like Steven Murdoch. However, today via Packetstorm I learned of Protocol Hopping Covert Channel Tool by Steffen Wendzel. He wrote a text file describing his thoughts behind the tool called Protocol Hopping Covert Channels. Quoting the paper: This paper describes a new way to implement covert channels. This is done by changing the protocol of the tunnel while the tunnel exists and even changing the protocol in a randomized way without restarting the tunnel or reconnecting to the tunnel. A simple proof of concept tool called 'phcct' (protocol hopping covert channel tool), also known as 'takushi' (which is Japanese for taxi), is available on my website. phcct implements only one (the easiest) version of such a randomized protocol hopping covert channel. As soon as I read this I thought "this is so different from normal traffic, it will be easy to identify

Great Papers from Honeynet Project

If you haven't seen them yet, Know Your Enemy: Behind the Scenes of Malicious Web Servers and Know Your Enemy: Malicious Web Servers are two great papers by the Honeynet Project. You might want to see Web Server Botnets and Server Farms as Attack Platforms by Gadi Evron as background. You'll notice people like e0n are using NSM to combat bots. I have not seen any IRC-controlled SIP/VoIP attack bots and botnets yet. If you think your IPS will save you against bots, keep in mind the time it takes to update some of them. I also recommend reading The World's Biggest Botnets by Kelly Jackson Higgins.

FreeBSD Binary Upgrade News

If you've read my previous posts on FreeBSD binary upgrades you'll see that Colin Percival's work on this subject has been one of my favorite additions to FreeBSD during the last few years. I recommend reading the latest two posts on Colin's blog for even more good news: FreeBSD minor version upgrades and FreeBSD major version upgrades using FreeBSD update. I plan to deploy FreeBSD 7.0 in production soon, and the native capability to upgrade the OS using binary means is incredibly welcome. I build sensors to inspect and capture traffic, not recompile themselves. Congratulations and thanks to Colin for all of his work in this area and for integrating FreeBSD update into the base OS. On another FreeBSD note, I need to try this: Building bootable FreeBSD/i386 images.

Impact of NetFlow on Routers

Thanks to the great IOShints blog for pointing me to NetFlow Performance Analysis . If you have any questions regarding the impact of generating NetFlow records on your routers, check out this Cisco white paper.

Must-Read Snort 3.0 Post

If you care at all about Snort you must read Snort 3.0 Architecture Series Part 1: Overview by Marty Roesch. Keep reading his blog for future descriptions of Snort 3.0. On a related note, Marty released Daemonlogger 1.0 recently. Daemonlogger is an open source full content packet logging tool.

More Unpredictable Intruders

Search my blog for the term unpredictable and the majority of the results describe discussions of one of my three security principles, namely Many intruders are unpredictable. Two posts by pdp perfectly demonstrate this:

Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Web Mayhem: Firefox’s JAR: Protocol issues

How many of you who are not security researchers even knew that data: or jar: protocols existed? (It's rhetorical, no need to answer in a comment.) Do you think your silver bullet security product knows about it? How about your users or developers? No, this is another case where the first time you learn of a feature in a product is in a description of how to attack it. This is why the "ahead of the threat" slogan at the left is a pile of garbage. This is another example of Attacker 3.0 exploiting features devised by Developer 2.5 while Security 1.0 is still thinking about how great it is no big worms have hit since 2005. (The specific cases he

Deflect Silver Bullets

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers? I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security. Maybe this story will help explain my point. In the early 1990s as a cadet at camp USAFA I took at least 14 technical classes, including math, science, and engineering subjects. These core classes are the reason every cadet graduates with a BS and not a BA, regardless of the field of study. Remember, I was a history and political science double major, preparing for a career in Air Force intelligence. One of my fellow history majors asked our astronautical engineering professor why we had to sit through his class. I still remember

Bejtlich Teaching at Black Hat DC 2008 Training

Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics. The cost for this single two-day class is $2000 until 1 January, when the price will increase. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

Russ McRee on Argus and NSM

Russ McRee followed his excellent discussion of NSM and Sguil in the October InfoSecMag with a new article called Argus – Auditing network activity (.pdf), published in the November 2007 ISSA Journal. It's another great read.

Snort Report 10 Posted

My 10th Snort Report on Snort 2.8.0 new features: IPv6 and port lists is now available online. From the start of the article: Snort 2.8.0 was recently published with several features long desired by Snort veterans. These new features include IPv6, port lists, packet performance monitoring and control of actions enabled by preprocessor or decoder events. This edition of the Snort Report provides details on IPv6 and port lists that VARs and systems integrators can use to optimize their use of the open source intrusion detection system. In the next Snort Report I plan to look at other features in Snort 2.8.