Posts

Showing posts from 2008

Best Book Bejtlich Read in 2008

If I read and reviewed a book you wrote in 2008, this was one of the better years to win my Best Book Bejtlich Read award. I only read and reviewed 20 books this year, compared to 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, 52 in 2006, and 25 in 2007. My 2007 and 2006 winners are posted too. Although I've been reviewing books seriously since 2000 and blogging since 2003, I only started listing my favorite books in 2006. I did not spend enough time "hanging in the sky" (to quote John Denver) reading a book, and too much of my day job spilled into my evening reading hours. I prefer to avoid long-haul air travel, so I don't expect to read more on planes in 2009. Regarding work-life balance, I have more help at work for detection and response duties. We'll see how 2009 fares with respect to reading overall. My ratings for 2008 can be summarized as follows:

5 stars: 7 books
4 stars: 8 books
3 stars: 4 books
2 s

Bejtlich Speaking at DC BSDCon 2009

Jason Dixon just announced that I will be speaking at DC BSDCon 2009, either 5 or 6 February 2009. I'm looking forward to this conference since it's local and thus easier to attend. I'll be discussing something about Network Security Monitoring that applies to FreeBSD. Registration ends 31 Jan 09 and is limited to the first 150 attendees. Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Installing Sguil Using NSMNow

In my post NSM-Friendly VMware Lab Setup I mentioned wanting to use NSMNow to install Sguil on Ubuntu 8.04 for student use in my next class. I had tried the Securix-NSM live CD but I had not tried installing Sguil using the same project's NSMNow scripts. I just did it:

root@twsu804:/usr/local/src# wget http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
--22:14:38-- http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
=> `NSMnow-1.1.1.tar.gz'
Resolving www.securixlive.com... 202.191.61.156
Connecting to www.securixlive.com|202.191.61.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 164,613 (161K) [application/x-gzip]
100%[====================================>] 164,613 53.85K/s
22:14:42 (53.80 KB/s) - `NSMnow-1.1.1.tar.gz' saved [164613/164613]
root@twsu804:/usr/local/src# tar -xzvf NSMnow-1.1.1.tar.gz
NSMnow-1.1.1/
NSMnow-1.1.1/NSMnow-core
NSMnow-1.1.1/RELEASE.NOTES
NSMnow-1.1

NSM-Friendly VMware Lab Setup

I'm working on labs for my all-new TCP/IP Weapons School 2.0 class (early registration ends Wednesday). Almost the whole class is labs; I'll have between 10 and 12 scenarios for students to investigate. As you might imagine, network traffic will play a key role. I wanted to set up a VM running Ubuntu that could watch traffic involving other VMs. (Why not FreeBSD? Ubuntu is easier for students to use, and NSMnow makes it easy to get Sguil running. FreeBSD has also never seemed to run well in VMs due to some weird timing issues that have never been resolved.) The problem, as I noted in Using VMware for Network Security Monitoring last year, is that modern versions of VMware Server (I run 1.0.8 now) act as switches and not hubs. That means each VM is connected to a virtual switch, effectively sheltered from other traffic. This is good for performance but bad for my monitoring needs. Monitoring on the VMware server itself is not an option. Although it can see the traf

Snort Report 22 Posted

My 22nd Snort Report titled Snort vs. Microsoft Security Bulletin MS08-068 has been posted. From the article: Welcome to the 22nd edition of the Snort Report! On Nov. 11, 2008, Microsoft published Microsoft Security Bulletin MS08-068 -- Important Vulnerability in SMB Could Allow Remote Code Execution (957097). Server Message Block (SMB) is an old and integral aspect of Microsoft Windows file sharing and related functions... I continue by describing how Snort's rule set dealt with this super-old vulnerability.

OSSEC and Pf on FreeBSD to Limit SSH Brute Forcing

Disclaimer: This post is neither original nor particularly illuminating. It does, however, document how I configured software on systems I administer. Therefore, I post it here mainly for my own future reference, but know it might be useful to someone else. If you run OpenSSH on any Internet-facing server, you're likely to see entries like these every day:

r200a:/root# bzcat /var/log/auth.log.0.bz2 | head -n 5 | grep -v turned
Dec 23 20:00:02 r200a sshd[33320]: Invalid user httpd from 87.106.142.217
Dec 23 20:00:03 r200a sshd[33322]: Invalid user dima from 87.106.142.217
Dec 23 20:00:04 r200a sshd[33324]: Invalid user bane from 87.106.142.217
Dec 23 20:00:05 r200a sshd[33326]: Invalid user juan from 87.106.142.217

I like to run OSSEC on servers as a means to monitor and analyze log files. OSSEC would report that activity as follows.

2008 Dec 23 20:00:44
Rule Id: 5712 level: 10
Location: (r200a) 172.16.2.1->/var/log/auth.log
Src IP: 87.106.142.217
SSHD brute force tryin

Traffic for Revoked TLSv1 Certificate

I read the Slashdot post Perfect MITM Attacks With No-Check SSL Certs with some interest, mainly from a traffic perspective. Basically Eddy Nigg managed to obtain a certificate for a domain he should not have had access to via a reseller for a company called Comodo. You can check your Firefox certificate authorities list to see their presence in the screenshot below. Eddy managed to get a certificate allowing him to masquerade as mozilla.com, because the party issuing the certificate did not properly validate his authorization to act on behalf of mozilla.com. I wondered what this might look like when I read this comment suggesting visiting a site using a Comodo-provided certificate. When I visited I saw this: The question is, how did Firefox know to avoid this problem? I decided to sniff traffic while revisiting the site. Here's what happened. The first session of interest is from client 24.126.62.67 to Comodo-certificate-possessing Web server 192.116.242.23. The

Physical Security Lessons for Digital Security

The newest CSO magazine featured a great article by Bill Brenner on jewelry store security. It's online via PCWorld at How Tech Caught the Jewelry Thief. I'd like to cite several excerpts and relate them to digital security. It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it. That sounds like a traditional digital forensics scenario, with the problem that it can be difficult to apprehend criminals well after the crime occurs. But thanks to 21st-Century technology, the crooks are being watched in real time and, as a result, getting caught a lot more often. Notice the word "watched" -- this frames the problem as one of faster detection and response. In this Q&A, Dennis Thomas, regional loss prevention manager and certi

Download Free Hakin9 Issue

I noticed that Hakin9 magazine is running a one-day special free download of issue 1/2008. If you'd like to check out this magazine, visit the link to download the magazine in .pdf format.

Justifying National Security Spending

Recently I posted Jeremiah Grossman on Justifying Security Spending. Yesterday I read Noah Schachtman's article Jets vs. Grunts in Pentagon Spending Showdown. I realized DoD (and really any other global military) has the same problem facing digital security practitioners: how do you justify security spending? DoD spending doesn't make the country richer. As I've said elsewhere, spending on security only makes security vendors richer. (See Security ROI Revisited for my reference to the broken window fallacy. By the way, if you are a politically-minded first-time blog visitor, you can forget about posting comments. This blog is for digital security; I'm not taking political sides here.) One major difference between digital security justification and military justification is the latter's emphasis on threats, especially their capabilities and intentions. We are not worried if the United Kingdom builds a 5th generation fighter aircraft. We are worried if C

Command Information Securing, Hacking and Defending IPv6

Last week I had the good fortune to attend Securing, Hacking and Defending IPv6, a class offered by Command Information in Herndon, VA. I've experimented with IPv6, as noted most recently in my May 2007 post Freenet6 on FreeBSD. I thought I knew a decent amount about IPv6, although I recognized a class like this would be helpful. One word: wow. IPv6 is more complicated than I expected. I only began to realize this as the two Command Information instructors, Joe Klein and TJ Evans, explained what they know about the protocol and how it is used and abused. When IPv6 becomes even moderately deployed, intruders are going to have a field day. The network teams who have been hiding in the shadows of the Web app folks are going to have to step into the light and learn quickly. You can forget any hype about IPv6 bringing "security" when deployed, at least in the short-to-mid-term. The operational reality of designing, building, and running IPv6 networks properly is g

Traffic Talk 4 Posted

My fourth edition of Traffic Talk, titled Daemonlogger for Packet Capture and Redirection, has been posted. From the article: Welcome to the 4th edition of Traffic Talk, a regular SearchNetworkingChannel.com series for network solution providers and consultants who troubleshoot business networks. In this article I'll demonstrate two novel features of Marty Roesch's Daemonlogger tool. I compare Daemonlogger's ring buffer to Tcpdump's ring buffer, and then show how to use the Daemonlogger soft tap function.

Colin Percival and Craig Balding on Amazon Cloud Security

If you're a security professional, it would be worth your time to read Craig Balding's post What’s New in the Amazon Cloud?: Security Vulnerability in Amazon EC2 and SimpleDB Fixed (7.5 Months After Notification), a summary and analysis of Colin Percival's post AWS signature version 1 is insecure. These posts demonstrate the changing nature of our jobs. We will become increasingly reliant on others hosting, processing, and ostensibly "protecting" our data, but our ability to measure the effectiveness of these services is likely to erode over time. In this case it sounds like Amazon.com worked slowly but very effectively with Colin, and their example should be followed.

You Get What You Inspect

There are some great security catch phrases, like "Trust but verify." I found my new favorite in Fresher Cookers, an Economist article about designing stoves for the developing world. “You don’t get what you expect—you get what you inspect,” says Dr [Kirk] Smith, [an expert on the impact of stove air-pollution on health.] I think that maxim holds very true for anyone who inspects their enterprise to see how it is really used and abused. That saying holds true at every level -- network, platform, operating system, or application. All of these components are so complicated and ever-changing that you are likely to be surprised every time you stop to look at what's happening.

Traffic Talk 3 Posted

My third edition of Traffic Talk, titled Network Security Monitoring: Knowing Your Network, has been posted. From the article: Recently I read an interview with network security pioneer Marcus Ranum, who was asked the following question about network security monitoring: "In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond?" Read my article to see what Marcus wrote and how I responded.

Indian Navy Demonstrates that Offense Stops Pirates

Clearly the Indian Navy doesn't understand vulnerability-centric security. If they did, they wouldn't have captured 23 pirates "who tried to take over a merchant vessel in the Gulf of Aden, between the Horn of Africa and the Arabian Peninsula." They also wouldn't have "exchanged fire with a pirate 'mother vessel' off the hijacking-plagued Horn of Africa, leaving the ship ablaze." Someone needs to teach these Indian sailors that the best way to stop pirates is to "build security in" when merchants construct ships! I guess the Indians read my Offense Kills Pirates post. Maybe they decided to Take the Fight to the Enemy. Whatever the reason, good for them. Instead of commercial shippers being the only party suffering higher costs in this piracy environment (due to losses, higher insurance, increased salaries, etc.), now it's more expensive for pirates too. Yo ho ho, pirates. We're coming for you soon. When will

Supporting FreeBSD

I've been using FreeBSD in production environments since early 2000, and I continue to rely on it at home and at work. Even though I could download the operating system for free, I still subscribe through FreeBSDMall.com to support the project. However, I seem to ask for public support for FreeBSD every two years, with my call for Helping the FreeBSD Foundation Retain Non-profit Status in 2004 and Supporting FreeBSD Security Coding in 2006. Today I read FreeBSD Foundation End-of-Year Fund Raising Drive Update. The FreeBSD Foundation is a 501(c)(3) non-profit organization dedicated to supporting and building the FreeBSD Project and community worldwide. You can see all the good work they are doing on their Web site. The Foundation set a $300,000 goal for 2008 fundraising, and it's 2/3 of the way there. I just donated $100. Will anyone else donate? Please let me know here. I thank you and the project thanks you.

Jeremiah Grossman on Justifying Security Spending

I liked the way Jeremiah Grossman listed five ways to justify security spending:

1) Risk Mitigation: "If we spend $X on Y, we’ll reduce the risk of loss of $A by B%."
2) Due Diligence: "We must spend $X on Y because it’s an industry best-practice."
3) Incident Response: "We must spend $X on Y so that Z never happens again."
4) Regulatory Compliance: "We must spend $X on Y because PCI-DSS says so."
5) Competitive Advantage: "We must spend $X on Y to make the customer happy."

Jeremiah expands on each in his blog, which makes for good reading.

3rd Issue of BSD Magazine

I recently received a copy of the 3rd issue of BSD Magazine. This issue turns to NetBSD, the BSD project with the most stylish BSD Web site I've seen. The next issue will be devoted to PC-BSD, which I have never used (but should probably try).

Review of Nmap Network Scanning Posted

Earlier this year I posted Review of Nmap Network Scanning. Now Fyodor's book is available through Amazon.com. Therefore, I expanded my earlier story into a five star review: Earlier this year Fyodor sent me a pre-publication review copy of his new self-published book, Nmap Network Scanning (NNS). I had heard of Fyodor's book when I wrote my 3 star review of Nmap in the Enterprise in June, but I wasn't consciously considering what could be in Fyodor's version compared to the Syngress title. Although the copy I read was labelled "Pre-Release Beta Version," I was very impressed by this book. Now that I have the final copy (available from Amazon) in my hands, I am really pleased with the product. In short, if you are looking for *the* book on Nmap, the search is over: NNS is a winner.

Review of Googling Security Posted

Amazon.com just posted my five star review of Greg Conti's Googling Security. From the review: There's no question that Greg Conti writes excellent books. Last year's Security Data Visualization book earned 5 stars, and I put Googling Security in the same league. Conti takes a thorough and methodical look at the privacy consequences of Google's services, incorporating technical realities and thoughtful analysis. My only question is whether this book will matter to the intended audience.

Review of Software Security Engineering Posted

Amazon.com just posted my three star review of Software Security Engineering: A Guide for Project Managers. From the review: The Addison-Wesley Software Security Series is generally a great collection, with titles like Software Security: Building Security In (my rating: 5 stars), Rootkits: Subverting the Windows Kernel (my rating: 4 stars), and Exploiting Software: How to Break Code (my rating: 4 stars). I particularly liked the first of those three (SS:BSI), which I reviewed last year. I felt Gary McGraw wrote "a powerful book with deep truths for secure development." Software Security Engineering (SSE), by a collection of authors, pales in comparison to SS:BSI. You can skip SSE and stick with SS:BSI.

Bejtlich Cited in Economist

I've been a subscriber to the Economist magazine since 1997. Although I have not been working to achieve this goal, I am happy to report that a personal ambition of mine has been reached today: I was cited in the 6 Dec 08 edition, in an article titled Cyberwarfare: Marching off to cyberwar. One way for governments to do this [to become resilient to cyber attack], says Richard Bejtlich, a former digital-security officer with the United States Air Force who now works at GE, an American conglomerate, might be to make greater use of open-source software, the underlying source code of which is available to anyone to inspect and improve. To those outside the field of computer security, and particularly to government types, the idea that such software can be more secure than code that is kept under lock and key can be difficult to accept. But from web-browsers to operating systems to encryption algorithms, the more people can scrutinise a piece of code, the more likely it is that

BPF for IP or VLAN Traffic

Four years ago I did a second post on Understanding Tcpdump's -d Option, showing how you can use the -d option to understand how Berkeley Packet Filter syntax works. Recently my colleagues and I encountered a problem where we were monitoring traffic on a tap, but the traffic was a mix of frames with and without 802.1q VLAN tags. We wanted to create a BPF that would catch traffic whether or not it had VLAN tags. It turns out there is a difference between these two BPFs:

ip or vlan

is not the same as

vlan or ip

The first accomplishes our goal, but the second does not. To understand why, I used Tcpdump's -d option.

$ tcpdump -d -n -r sample.pcap ip or vlan
reading from file sample.pcap, link-type EN10MB (Ethernet)
(000) ldh [12]
(001) jeq #0x800 jt 3 jf 2
(002) jeq #0x8100 jt 3 jf 4
(003) ret #65535
(004) ret #0

That looks right. Load the half word at offset 12. If it's the IP Ethertype, you get the whole packet.

Letters You Will Need to Know: 201 CMR 17.00

Props to Ed at SecurityCurve for informing me of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, a new Massachusetts law. Section 17.03 sets the basic tone: Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Unless you're prepared to figure out how to separate PII on Massachusetts residents from non-MA residents, this law now applies to all PII in your organization. Jack Daniel has written several great posts on what this new law means. References for Mass 201 CMR 17.00 is really helpful. You can also access a video of a presentation he just made to the Boston chapter of the National Information Security Group. The slides don't render in Firefox but I was able to download the .wmv video an

Craig Balding Podcast on Cloud Security

I noticed Craig Balding's post Podcast: Cloud Computing, Software Development, Testing and Security, so I just listened to all three segments. Readers of this blog may choose to concentrate on the third segment, Cloud computing's effect on application security. Craig is a thought leader on cloud security so I enjoy hearing his ideas.

Splunk on FreeBSD 7.0

Although there is not a version of Splunk compiled natively for FreeBSD 7.0, I was told to try using Splunk 3.4.1 on FreeBSD 7.0 via FreeBSD's compat6x libraries. I did the following:

freebsd70:/usr/local/src# pkg_add -v splunk-3.4.1-45588-freebsd-6.1-intel.tgz
Requested space: 106458852 bytes, free space: 1565927424 bytes in /var/tmp/instmp.HhNhQk
Running pre-install for splunk-3.4.1-45588-freebsd-6.1-intel..
extract: Package name is splunk-3.4.1-45588-freebsd-6.1-intel
extract: CWD to /opt
extract: /opt/splunk/README.txt
extract: /opt/splunk/bin/btool
extract: /opt/splunk/bin/bunzip2
...edited...
extract: /opt/splunk/splunk-3.4.1-45588-FreeBSD-i386-manifest
extract: CWD to .
Running post-install for splunk-3.4.1-45588-freebsd-6.1-intel..
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your br

Defining the Win

In March I posted Ten Themes From Recent Conferences, which included the following: Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree, unless massive and cost-prohibitive resources are directed at the problem. We can not stop intruders, only raise their costs. Enterprises stay dirty because we can not stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information. (emphasis added) Since then I've grappled with this idea of how to define the win. If you used to define the win as detecting and ejecting all intruders from your enterprise

Live Incident Map

I think this is fascinating: a map depicting naval piracy. One of the most interesting aspects of this map is that it concerns commercial entities (i.e. ships carrying cargo) and anyone can quickly learn the fate of each vessel. It's a giant incident map for 2008. Previous years (2007, 2006) are also available. The closest equivalent for digital security is probably the narrative of the Breach Blog and similar sites. Only when we can openly talk about this problem and share lessons learned can we improve. We still need a National Digital Security Board.