TaoSecurity Blog

In my last post I discussed upgrading from FreeBSD 7.0 to 7.1. In this post I'll mention packages that needed to be updated. In the last post I showed two installed packages using the native pkg_info command. neely# pkg_info cdrtools-2.01_6 CD/CD-R[W] and ISO-9660 image creation and extraction tools dvd+rw-tools-7.0 DVD burning software At this point I could have used pkg_delete to remove them, and added the newest packages via pkg_add. Because that is easy, I decided to show an alternative that might be better for systems with many packages. I decided to use Portupgrade to update packages installed on the system. Portupgrade was not on the box so I added it via pkg_add. I used the -n switch to do a "dry run" to see what version would be added. neely# pkg_add -vrn portupgrade scheme: [ftp] user: [] password: [] host: [ftp.freebsd.org] port: [0] document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/portupgrade.tbz] ---> ftp.freebsd.org:...

My last post on upgrading FreeBSD was Updating FreeBSD 7.0-BETA2 to 7.0-BETA3 . In this post I'll describe how I migrated a test install of FreeBSD 7.0-RELEASE #0 to FreeBSD 7.0-RELEASE-p7 #0, and then from there to FreeBSD 7.1-RELEASE #0. Here's what I started with. neely# uname -a FreeBSD neely.taosecurity.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 To update to the latest version of 7.0, I ran freebsd-update. First I run without switches to show available options. neely# freebsd-update usage: freebsd-update [options] command ... [path] Options: -b basedir -- Operate on a system mounted at basedir (default: /) -d workdir -- Store working files in workdir (default: /var/db/freebsd-update/) -f conffile -- Read configuration options from conffile (default: /etc/freebsd-update.conf) -k KEY -- Trust an RSA key with SH...

Recently a blog reader asked two questions as he started his own new blog: 1. Do you think I should stick to just one topic? i.e. Digital Forensics? 2. Do you think blogging is a good way to learn more about a topic of interest or should you only blog about a topic you already know a lot about? I addressed some of these issues in my post Why Blog? , but I'll add the following. I recommend writing about a handful of topics, but stick to topics within a certain theme. For example, my blog covers "digital security and the practices of network security monitoring, incident response, and forensics." Although I love martial arts and ice hockey, I don't write about that here. I also do not address politics, family, religion, or any other non-technical issues in this forum. I believe blog readers prefer me to stay on my listed subjects; they can visit other sites for non-technical information. I believe it is ok to write about subjects that are outside your core expertise...

Ken Bradley sent me a link to Northrop Grumman's Timothy McKnight on Security and Identity Management by Katherine Walsh of CSO Magazine. It's an older article but I liked this part: CSO: Can you tell me about the formation of the Cyber Threat Analysis Intelligence Group and its role at Northrop Grumman? McKnight: That team's focus is on the nation-state threat, which the DoD is now terming the "advanced persistent threat." These are well resourced, highly targeted attacks at corporations and governments [by groups] that are looking primarily to steal intellectual property and gain competitive advantage. The Cyber Threat Analysis Intelligence Group is made up of techies and people with government analyst backgrounds. Their job is to focus on the technologies that are considered the crown jewels of Northrop Grumman. They look at the technologies we provide for the government, who the biggest threat to those technologies is, who needs them the most, how they [may...

Yesterday a blog reader asked: Looking back at previous blogs, notably http://taosecurity.blogspot.com/2005/12/network-monitoring-platforms-on-vmware.html I see that you have, in your classes, used VM's to run your network monitoring tools from. Have you progressed this idea into a production environment or do you still feel that running tools in this configuration, be they on a Linux host or not, would still be too much of a compromise. The scenario i work under means that i cannot have my sensors connected to the Internet which makes keeping them upto date difficult and i was looking at creating a generic VM that i could keep live and up to date on an Internet facing terminal and then copy to my production environment as and when i wish to deploy new verions of tools or updated signatures. Grateful for your thoughts The reader is correct; whenever I deploy NSM platforms as VMs, it's only for demo or class purposes. I do not use NSM platforms as VMs in production, where my ...

Raffy Marty, author of Applied Security Visualization is teaching a Security Visualization and Log Analysis Workshop at SOURCEBoston on 9-10 March. Raffy's a great instructor and this is the first class I've seen on the topic. Check it out! Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

My colleagues and I are spending some time justifying the installation of network taps, instead of using SPAN ports, to gain access to network traffic. This is an old discussion. See my Dec 07 post Expert Commentary on SPAN and RSPAN Weaknesses and Net Optics' page Tap vs SPAN . For a different perspective see Scott Haugdahl's Is Spanning Bad? and Is RSPAN Bad? . I'm using the following points when discussing the situation. Taps free SPAN ports for tactical, on-demand monitoring, especially intra-switch monitoring. Many switches have only two ports capable of SPAN, and some offer only one. If you commit a SPAN port for permanent monitoring duties, and you need to reassign it for some sort of troubleshooting on a VLAN or other aspect of the traffic, you have to deny traffic to your sensor while the SPAN port is doing other work. Keep your SPAN ports free so you can do intra-switch monitoring when you need it. Taps provide strategic, persistent monitoring. Installing a...

Recently I posted that I will be speaking at DC BSDCon 2009 , on 6 February 2009. I'll be discussing something about Network Security Monitoring that applies to FreeBSD. As a reminder, registration ends 31 Jan 09 (next Saturday) and is limited to the first 150 attendees. Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Another reader asked the following: As I am doing research for building a security operations center one of the things I am being asked to do is compare building things internally versus having an MSSP take on certain network monitoring functions . There is the suggestion that it is less expensive and more desirable to have a MSSP provide monitoring services for firewall and IDS devices. In addition the thinking is that the MSSP should provide log managment services for other logs that are being sent to our log managment platform (not sure what this service offering means). I do not personally agree that this is the best approach. First of all they are planning on obtaining these services from a vendor we currently utilize that already is supposed to be providing some of these services and they don't appear to be providing anything useful. I've had discussions with a network security analyst that has been in this environment for quite some time and he said he routinely finds is...

A regular blog reader and Network Security Monitoring practitioner sent me these questions last month, so I'd like to answer them here. 1. Are all alert data created equal? This question originates with my employment at an MSSP where we process many types of alert data from Dragon IDS, Cisco IPS and ISS. Snort and Sourcefire strangely are underrepresented. My question is if Dragon IDS, Cisco IPS, ISS, Snort and Sourcefire all looked at the same full-content data, would they all produce the same results? I think not and would like to empirically verify this theory. Testing detection systems is a complicated topic. I am not sure what methodology a place like NSS Labs uses. I bet they get varying results depending on the product. If you read A Tool for Offline and Live Testing of Evasion Resilience. in Network Intrusion Detection Systems you will see big differences between Snort and Bro, for example. 2. When is an analyst no longer an analyzer of data but an analyzer of dashboar...

I am looking to hire a FreeBSD system administrator, with BSD Associate or better experience, for long-term contract work. My team operates a small number of Network Security Monitoring (NSM) sensors running FreeBSD and open source tools. We plan to expand our sensor deployment from the low double digits to the high double digits, and perhaps the low triple digits. The ideal candidate will be able to examine our current deployment and suggest improvements for our next generation NSM platform. He or she will implement a simplified software installation process, with the idea that the NSM platform should be an in-house "appliance." He or she must be able to properly select, configure, test, and maintain software deployed on FreeBSD. The ideal candidate has experience administering large numbers of FreeBSD systems, with emphasis on keeping software up-to-date in a consistent and repeatable manner. Although you will be working within the security team, the candidate does ...

Last year I wrote First They Came for Bandwidth , where I described a progression through three attack types: First they came for bandwidth... These are attacks on availability , executed via denial of service attacks starting in the mid 1990's and monetized later via extortion. Next they came for secrets... These are attacks on confidentiality , executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground. Now they are coming to make a difference... These are attacks on integrity , executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data. The scariest part is the last attack can be the hardest to detect and recover. I thought about this when I read this entry in the newes...

Today, 8 January 2009, is the 6th birthday of TaoSecurity Blog . I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2339 posts (averaging 390 per year) later, I am still blogging. I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these 6 years -- I hope to have a ten year post in 2013! Don't forget -- today is Elvis Presley 's birthday. Coincidence? You decide. The image shows Elvis training with Ed Parker , founder of American Kenpo . As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack. Then again, he's Elvis . I studied Kenpo in San Antonio, TX and would like to return to practicing, along with ice...

I've been an infrequent yet admiring user of Metasploit for about four years, but I've never tried it on Windows. It strikes me as being something I "just shouldn't do," like running Nmap on Windows or (shudder) Snort on Windows. However, while preparing labs for my upcoming class, I thought I would give version 3.2 a try. It worked very well, at least for the simple test I ran. After installing the .exe and launching the new app, I saw this window: I decided to try exploiting a vulnerable Samba server: When I set the parameters I ran the exploit: When I got my session I interacted with a root shell on the victim. By identifying the process started on the victim (PID 2216) and running lsof, you can see the vulnerable service which Metasploit attacked. Incidentally, my take on why having these sorts of tools available is In Defense of HD Moore , from three years ago. Great work Metasploit team! Richard Bejtlich is teaching new classes in DC and Europe in 2009...

A regular blog reader asked me for recommendations on books to learn Unix, and which Unix to learn. I still remember asking my "Unix and Solaris Fundamentals" instructor in 1997 to recommend a book on Unix for me. I thought I would share my response here. I think, as a beginner, you have to decide what you want to learn. I'll try to keep this description generic yet answer the reader's question. The person who asked the question requested an emphasis on the command line, rather than administration using GUIs. As you might have guessed, I recommend trying FreeBSD . In fact FreeBSD 7.1 was released today . FreeBSD is a great OS for beginners, especially those who want to rely on the command line. I am reluctant to suggest trying to learn a new OS without a good reference, but luckily a modern and thorough book arrived a little over a year ago. Michael Lucas' book Absolute BSD, 2nd Ed is probably the best pure introductions to Unix administration available. ...

Almost two years ago I described testing IPv6 using Freenet6 on FreeBSD . This morning I decided to try the same on Windows XP and document the process here. I needed to use a tunnel method like Freenet6 because the test host is behind NAT. First, visit go6.net and click "Free IPv6 Connectivity with Freenet6". Register yourself a user account. To install on my Windows XPSP3 32-bit system I downloaded "Gateway6 Client 6.0-BETA4 Windows Installer 32-bit". I installed and accepted the defaults: When I first tried installing the software I got an error which denied installing the TUN driver. I had to back out of the installation and change this local group policy key using gpedit.msc: I changed "Do not allow installation" to "Warn but allow installation" under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Devices: Unsigned driver installation ...

In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central . A lot of people saw that activity but the overall effect was negligible to nonexistent. Yesterday I received a more personalized alert from BGPMon: You Receive this email because you are subscribed to BGPmon.net. For more details about these updates please visit: http://bgpmon.net/showupdates.php ==================== WithDraw of More Specific (Code: 23) 2 number of peer(s) detected this updates for your prefix 3.0.0.0/8: Update details: 2009-01-01 08:33 (UTC) 3.3.3.3/32 ==================== Possible Prefix Hijack (Code: 11) 2 number of peer(s) detected this updates for your prefix 3.0.0.0/8: Update details: 2009-01-01 08:31 (UTC) 3.3.3.3/32 Announced by: AS15475 (NOL) Transit AS: 8452 (TEDATA TEDATA) ASpath: 29073 9009 19151 4788 8452 15475 Checking WHOIS data for AS15475 shows: % Information related to 'AS15475' aut-num: AS15475 as-name: NOL descr: Nile O...

I better get with the program and post my 2009 predictions before any more of the new year slips by. I plan to build on my Predictions for 2008 in Hindsight and add a few new thoughts. Expect greater government involvement in assessing the security of private sector networks. I wasn't inventing this a year ago, and I'm not inventing it now. I'm extrapolating from a trend line. My post Letters You Will Need to Know: 201 CMR 17.00 is just the latest example of increasingly aggressive government involvement in private sector security matters. Expect to start learning about IPv6, or be confused quickly. 2009 is not the year of IPv6, but we're getting there. The US Department of Defense is already grappling with IPv6, despite the compliance charade of mid-2008. Wider adoption of Microsoft Vista and its tunnel mechanisms, along with IPv6-active consumer devices, are driving IPv6 in one form or the other into our lives. Expect at least one cloud security incident to ...

In late 2007 I posted Predictions for 2008 , my first foray into the world of prognostication. I'd like to review what I said to see how those ideas panned out. Expect greater government involvement in assessing the security of private sector networks. This is happening but not to the extent I expected. I predict more of this in 2009. Expect greater military involvement in defending private sector networks. This also started to happen, as noted in my post Predictions Panning Out . I now think this point will happen more slowly than #1. Expect increased awareness of external threats and less emphasis on insider threats. I nailed this one. In my posts More on 2008 Predictions and Insider Threat Prediction Materializing I documented several cases. Looking to a recent Jeremiah Grossman post as well, I doubt all those Web app hackers are insiders! Expect greater attention paid to incident response and network forensics, and less on prevention. You can't expect people to ...