TaoSecurity Blog

Earlier I wrote about my proposed Tactical Network Security Monitoring Platform . Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator. For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet captur...

The latest issue of Hakin9 has been released. Several articles look interesting, including Javascript Obfuscation Techniques by David Sancho and an interview with Marcus Ranum. Hakin9 briefly interviewed Harlan Carvey and me. I've uploaded the one page of the interview if you'd like to read it.

I received a copy of the new BSD Magazine yesterday by air mail from Poland, and I have to say it looks pretty cool. It contains an article I wrote explaining how to install Sguil 0.7.0 on FreeBSD 7.0. At the time I used a CVS version of Sguil and FreeBSD 7.0-BETA4, but the article is still relevant. One caution: I discovered a bug in MySQL, which I logged as Optimizer does table scan for select count(*) w/5.1.22, .23, not 5.0.51, 5.1.11 . You will encounter this bug if you follow the instructions in my magazine article. The work-around is to use MySQL 5.0.51a instead of 5.1.22, as shown in the magazine. Dru Lavigne does a nice job detailing the magazine's table of contents.

The next NoVA Sec meeting will take place 1930 (7:30 pm) Thursday 24 April 2008 at Fishnet Security : 13454 Sunrise Valley Dr. Suite 230 Herndon, VA 20171 703.793.1440 Aaron Walters from Volatile Systems will discuss memory forensics. Thank you to Fishnet and Aaron for their last-minute cooperation! I'm cross-posting this notice to get as many people notified as possible in the day before the meeting.

What a great idea for a blog -- CloudSecurity.org : This blog is dedicated to “Cloud Computing” from an IT security perspective. Cloud Computing is a nebulous term covering an array of technologies and services including; Grid Computing, Utility Computing, Software as a Service (SaaS), Storage in the Cloud and Virtualization. There is no shortage of buzzwords and definitions differ depending on who you talk to. The common theme is that computing takes place ‘in the cloud’ - outside of your organisations network. Semantics aside, there is a much bigger question: what does it all mean from an IT security perspective? One day (during my working career, I am positive) we will all either 1) be cloud customers or 2) work in the cloud. I am glad to see someone take a stand now to try to understand what that means from a security perspective. You might also find Craig's other blog -- SecurityWannabe -- to be interesting. He did an interview with one of my Three Wise Men, Ross Anderso...

I'm looking for a dedicated server company that could provide a Debian environment suitable for running VMware Server. As a bonus it would be helpful to contract with a company that permits authorized outbound network scanning. As an alternative, I may try colocation. I am looking for a box for security testing, and VMware may not be suitable. I may need a box that can run Xen, for example. If you have any recommendations for dedicated server or colocation providers, please leave a comment or email me directly -- taosecurity at gmail dot com. Companies situated close to northern Virginia would be excellent. Thank you.

Earlier this month we joked that the Sguil project was acquired by Cisco , such that Sguil would be integrated into Cisco platforms. Cisco routers already run Tcl , but now thanks to Cisco's new Application eXtension Platform , other possibilities are developing. According to Optimize Branch Footprint with Application Integration , Cisco says: Linux-based integration environment with downloadable Software Development Kit (SDK) Multiple applications support with the ability to segment and guarantee CPU, memory, and disk resources Certified libraries to implement C, Python, Perl, and Java applications Supported by Cisco 1841, 2800, and 3800 Series Integrated Services Route Sun used to say The Network is the Computer . Cisco now states The Network as a Platform . In other words, why deploy another server or appliance if you can just run it on your Cisco router? I am unsure how this will play out. I figure Cisco just wanted to add to the confusion caused by virtualization with th...

This looks interesting: Remote Installation of the FreeBSD Operating System without a Remote Console . I read about it on the author's blog . Daniel credits Colin Percival's Depenguinator with the idea, but he uses Martin Matuška's mfsBSD (memory file system) to create a FreeBSD image that can be written to a live remote system's hard drive, then booted and run from memory to allow full OS installation. I intend to give this a try, but if anyone beats me to it please let me know how it worked for you.

Thanks to Nick Selby I learned of a sequel to the great historical security paper Infrastructure Protection in the Ancient World . Michael Assante is back, joined by another security vet, Aaron Turner, discussing Freedom of the Cyber Seas . The authors compare the threat of naval piracy during the Jefferson administration with the current digital threat. Prior to Jefferson, US policy was to pay protection money to stop pirates seizing US goods. Opposing John Adams' pirate payment policy, Jefferson championed the slogan coined by U.S. Representative Robert Goodloe Harper in 1789: "Millions for defense, not one cent for tribute." Jefferson was also a proponent of the Mare Liberum or "Freedom of the seas" doctrine first documented in international law by Dutch jurist Hugo Grotius in 1609. Freedom of the seas was of supreme importance to the success of the United States. If America could not deliver its goods and conduct free trade, the country could not survive...

It looks like Solera Networks built a virtual tap , as I hoped someone would. I mentioned it to Solera when I visited them last year, so I'm glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap. This picture describes what it does: You can read more in this news post and product description . You can download it here . The V2P Tap requires ESX Server, which I do not run. If someone with ESX Server downloads the V2P Tap, please let me know how it works for you.

Some of you might remember this book from my 2005 review . I thought of it after reading Security Guru Gives Hackers a Taste of Their Own Medicine . From the article: Malicious hackers beware: Computer security expert Joel Eriksson might already own your box. Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders' machines. He demoed the technique publicly for the first time at the RSA conference Friday. You might remember a similar story from Def Con 2005 : New research released at the DefCon conference suggests that not only is it important to apply patches to fix security flaws in commonly used computer software, but that patch installation is important for the very tools hackers and securi...

I just posted that my latest Snort Report covered Argus 3.0 . Those of you who like to wait for release-grade software should be happy. This week, Carter Bullard published Argus 3.0 , as announced on the Argus mailing list. This happened over two years since I posted Argus 3.0 Will Be Released Soon . This is great news and I look forward to learning more about the new features in this powerful application.

My 14th Snort Report titled Network session data analysis with Snort and Argus has been posted. The article doesn't talk about Snort (despite the title -- not mine!) but it does discuss Argus , the network session tool developed by Carter Bullard. From the start of the article: This edition of the Snort Report departs from the standard format by introducing a data format and data collecting tool that can work alongside Snort. The data format is session data, and the tool is Argus 3.0. Why session data? The Snort intrusion detection system can identify suspicious and malicious activity by inspecting network traffic. Snort makes a judgment based on its analytical capabilities and notifies the operator of its decision by generating an alert. I call the output of this collect-inspect-report process "alert data." While this is a good and necessary methodology, it has one important flaw. In most configurations, Snort is not told to report on what it sees if the traffic in q...

I'd like to head off any more messages to me telling me to look at the following: The New E-spionage Threat , the cover story for this week's issue of BusinessWeek . I recommend also listening to the podcast , which is 18:23 long and a good resource for decision makers with iPods.

Nearly three years after the initial post describing the idea , I am happy to report that OpenPacket.org 1.0 is ready for public use, free of charge. The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org will provide one possible solution to this problem. Analysts looking for network traffic of a particular type can visit OpenPacket.org, query the OpenPacket.org capture repo for matching traces, and download those packets in their original format (e.g., Libpcap, etc.). The analyst will be able to process and analyze that traffic using tools of their choice, like Tcpdump, Snort, Ethereal, and so on. Analysts who collect their own traffic wil...

Amazon.com just posted my four star review of Visible Ops Security by Gene Kim, Paul Love, and George Spafford . From the review : I reviewed Visible Ops (VO) in August 2005, and I provided commentary on a draft of Visible Ops Security (VOS) to co-author Gene Kim. I liked VO, with a few caveats that apply to both VO and VOS. I have mixed feelings on VOS because the book seems more about preparations and less about operations. Security operations (SO) obviously include integration with developers and IT staff, but SO also requires action in the face of attack. If VOS is supposed to be about SO, it should address trying to prevent compromise *and* what to do when prevention fails.

Dan Geer was kind enough to send me a copy of his new book Economics and Strategies of Data Security , published by his employer, Verdasys . The book is exceptionally well written and packed with the sorts of insights that make Dan one of my Three Wise Men. I'd like to present a few excerpts here, partially for my own easy reference but also because they might be useful to you. I recommend that anyone who reacts violently to these ideas try reading the book. It will take only an hour or two and you can vet your response against the full text, in context, and not these snippets. In theory, there is no difference between theory and practice, but, in practice, there is. (prior to introduction) That's why I dislike speculation on the effectiveness of security measures and prefer collecting evidence and performing tests. [These changes to our computing models imply] that data must either become self-protecting (massive amounts of encryption and the conversion of passive data ob...

I wrote an article for CSO Online titled Computer Incident Detection, Response, and Forensics . It's online now, and it should appear in the next print edition as well. From the beginning of the article: 2008 is a special year for the digital security community. Twenty years have passed since the Morris Worm brought computer security to the attention of the wider public, followed by the formation of the Computer Emergency Team/Coordination Center (CERT/CC) to help organizations detect, prevent and respond to security incidents. Ten years have passed since members of the L0pht security research group told Congress they could disable the Internet in 30 minutes. Five years have passed since the SQL Slammer worm, which was the high point of automated, mindless malware. The Internet, and digital security, have certainly changed during this period. The only constant, however, is exploitation. For the last twenty years intruders have made unauthorized access to corporate, educational, ...

Three years ago I posted Cisco Routers Run Tcl , I had no idea where that development could run. Last month when I posted Sguil 0.7.0 Released , I wanted to say more about the release, but I couldn't -- until now. I am happy to report the following. Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project Acquisition Furthers Cisco’s Vision for Integrated Security Products SAN JOSE, Calif., and LONGMONT, Color., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open ...