TaoSecurity Blog

This is a follow-up to my recent post Draft Version of New Keeping FreeBSD Up-To-Date . I updated the draft Keeping FreeBSD Up-To-Date document at http://www.taosecurity.com/kfbutd7.pdf to include new sections on building a kernel and userland on one system and installing on another, and upgrading from one major version of FreeBSD to another via binary upgrades (e.g., 7.1 to 8.0 BETA3, since that just became available). I have also published another draft document titled Keeping FreeBSD Applications Up-To-Date at http://www.taosecurity.com/kfbautd7.pdf . That is a follow-up to my 2004 article of the same name that use FreeBSD 5.x for the examples. The new document includes the following. Sections: --------- Introduction FreeBSD Handbook A Common Linux Experience Simple Package Installation on FreeBSD Checking for Vulnerable Packages with Portaudit FreeBSD Package Repositories Updating Packages by Deletion and Addition Introducing the FreeBSD Ports Tree Updatng the FreeBSD Ports Tr

The Web site for the SANS WhatWorks in Incident Detection Summit 2009 is live. I created a rough agenda to provide an idea of the structure of the two-day event. I am still working on speakers but I will probably have too few slots to accommodate all the people I would like to appear! As I secure speakers for the event I will submit them to SANS so they can update the Web site. The registration link is also active. Thanks to those of you who posted thoughts to my earier blog post . I also created a twitter.com/sansincdet account, so feel free to post ideas there too.

Four years ago I wrote an article titled Keeping FreeBSD Up-To-Date. The goal was to document various ways that a FreeBSD 5.2 system could be updated and upgraded using tools from that time, in an example-drive way that complemented the FreeBSD Handbook . I decided to write an updated version that starts with a FreeBSD 7.1 RELEASE system and ends by running FreeBSD 7.2-STABLE. Sections include: Sections: --------- Introduction FreeBSD Handbook The Short Answer Understanding FreeBSD Versions Learning About Security Issues Starting with the Installation Installing Gnupg and Importing Keys Installing Source Code Installing CVSup Applying Kernel Patches Manually Applying Userland Patches Manually Using CVSup to Apply Patches Using Csup to Apply Patches FreeBSD Update to Upgrade FreeBSD within Versions STABLE: The End of the Line for a Single Version What Comes Next? Conclusion Looking at the sections, I noted that it might be good to add a section on using FreeBSD Update to upgrade to 8.

I've been writing about the routing infrastructure monitoring company Renesys for several years. James Cowie's post Staring Into the Gorge contains some real gems: Here We Go Again. Imagine an innocent BGP message, sent from a random small network service provider's border router somewhere in the world. It contains a payload that is unusual, but strictly speaking, conformant to protocol. Most of the routers in the world, when faced with such a message, pass it along. But a few have a bug that makes them drop sessions abruptly and reopen them, flooding their neighbors with full-table session resets every time they hear the offending message. The miracle of global BGP ensures that every vulnerable router on earth gets a peek at the offending message in under 30 seconds. The global routing infrastructure rings like a bell, as BGP update rates spike by orders of magnitude in the blink of an eye. Links congest. Small routing hardware falls over and dies. It takes hours for t

Mike Cloppert has started a series of posts on security intelligence on the SANS Forensics Blog . Part 1 includes multiple worthwhile definitions, and Part 2 follows with a great, correct explanation of risk and its components. Keep your eyes on his section of the blog for at least three more posts. Awesome work Mike.

If you've used CVS before, you know that CVS doesn't play well with HTTP proxies. I was looking for a way to run cvsup on FreeBSD behind a proxy when I found a post on the FreeBSD China mailing list. It described using Proxychains with Desproxy to tunnel CVS over a SOCKS proxy through HTTP. Here's how I followed the instructions in my lab environment. First I installed Proxychains from the FreeBSD port. You can see my HTTP proxy is 172.16.2.1 port 3128. freebsd7# setenv HTTP_PROXY http://172.16.2.1:3128 freebsd7# pkg_add -vr proxychains ...edited... extract: Package name is proxychains-3.1 extract: CWD to /usr/local extract: /usr/local/bin/proxychains extract: /usr/local/bin/proxyresolv extract: /usr/local/etc/proxychains.conf extract: /usr/local/lib/libproxychains.so.3 extract: /usr/local/lib/libproxychains.so extract: /usr/local/lib/libproxychains.la extract: /usr/local/lib/libproxychains.a extract: execute '/sbin/ldconfig -m /usr/local/lib' extract: CWD to

Karolina at BSD Magazine wanted me to let you know that she has posted three free .pdf issues online. The three cover FreeBSD, OpenBSD, and NetBSD. Apparently BSD Magazine has survived a publishing scare and will continue for the foreseeable future. I may also have an article for FreeBSD out soon.

I just received a review copy of the 04/2009 Hakin9 magazine. I am most interested in reading part two of Tyler Hudak 's article on automating malware analysis. Cartsen Kohler's article on exploiting Windows via printer drivers looks interesting too. Check it out!

I took statistics classes twice in undergrad (once during the normal school year, a second time during a summer program at another school), and once during my master's program. That was so long ago that I don't remember a lot of what I had to learn. Recently review copies of two books arrived, namely The Manga Guide to Statistics by Shin Takahashi and Trend-pro Co., Ltd and Statistics in a Nutshell by Sarah Boslaugh and Dr. Paul A. Watters. Both books claim to be the right book to introduce newbies to statistics. You can guess which one does a better job just by looking at the covers. Here's a hint: consider the words "a desktop quick reference" on the O'Reilly title to be false advertising. Too many of the so-called "Nutshell" books published by O'Reilly today are nothing of the sort. They are not like my beloved Unix in a Nutshell, 3rd Ed that helped me navigate the Solaris 7 command line in 1999. No, these days too many "Nutshe

In June in this post I linked to a speech that GE's CEO gave in Michigan. We're hiring about 1,200 people over the next few years, and the jobs are already appearing at gecareers.com . One of the jobs posted requests an IT Project Manager - Information Technology (Security) . This candidate would work in a sister unit to our GE-CIRT doing Identity and Access Management (IAM). If this job looks interesting, please check it out. As other roles in our Corporate security group appear -- especially those in GE-CIRT -- I will let you know.

A few weeks ago I parked my Ford Explorer (It's not a clunker!!) in a parking garage. On the way out I walked by the pipe shown in the picture at left. It looks like a pipe for carrying a fluid (water maybe?) "protected" by a metal frame. I think the purpose of the cage is pretty clear. It's deployed to prevent drivers from inadvertently ramming the pipe with their front or rear car bumpers. However, think of all the "attacks" for which it is completely unsuited. Here are the first five I could imagine. Defacement, like painting obscenities on the pipe Cutting the pipe with a saw Melting the pipe with a flame Cracking the pipe with a hammer Stealing water by creating a hole and tube to fill a container So what if any of these attacks were to happen? Detection and response are my first answers. There's likely a camera somewhere that could see me, my car, and the pipe. Cameras or bystanders are likely to record some detail that would cause the in

Amazon.com just posted my three star review of The Myths of Security by John Viega. From the review : Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However, if most consumers think "antivirus" when they think "security," why would they bother reading The Myths of Security (TMOS)?

Often you will read or hear about a "security mindset," but this is frequently an "offensive security mindset." This attitude is also called a "breaker" mindset, described in my old post On Breakership . The offensive security mindset means looking at features of the physical or digital worlds and reflexively figuring out ways to circumvent their security or lack of security. Johnny Long is one example of a person with this mindset -- pretty much every place he looks he is figuring out a way to profile or subvert what he sees! To a certain extent this mindset can be taught, although one could argue that truly exceptional offensive security pros have this mindset embedded in their DNA. It occurred to me today, after writing Build Visibility In , that I have a different mindset. I have an incident detection mindset . Often when I interact with the physical or digital worlds, I reflexively wonder how can I tell if this feature is trustworthy? For exam

Visibility has been a constant theme for this blog. Elsewhere I've used the phrase build visibility in to emphasize the need to integrate visbility requirements into the build and design phases of any technology project. Visibility should not be left as an afterthought. Building security in is required as well, but how can you determine how security is working if you have no visibility? Based on my experiences with technology deployments since the late 1990s, I've realized that the following cycle defines just about every project I've ever seen. The cycle is Feature -> Management -> "Security" -> Visibility. I am seeing this cycle at work in the mobile device space right now. Hardly anyone is thinking about how to determine if a mobile device (Blackberry, etc.) is compromised. The best we can do is imagine the sorts of attacks that might be happening to our mobile infrastructure, without visibility regarding how those devices might already be unde

A long-time TaoSecurity Blog reader sent me the following question: I have a question about scaling NSM in regards to large, complex enterprises that transmit countless gigabytes of data per day. Last month I interviewed for a position with a large wireless company and the hiring manager was familiar with your work, so as I attempted to extol the value of NSM and explain how I thought that NSM could benefit this organization, I was told by the hiring manager that he felt that NSM worked with small organizations, but did not scale well with organizations of a certain size. I am curious if you have ever had to counter this type of argument and how you addressed it. This is a common question. I'll need to address it concisely and precisely in an updated edition of Tao. A few recent posts come to mind, like Requirements for Defensible Network Architecture: Monitored , NSM vs Encrypted Traffic, Plus Virtualization , and Network Security Monitoring Lives . A few principles come to

Several recent blog posts have discussed security careers. I'll start with Anton Chuvakin's post A Myth of an Expert Generalist : Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing... I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light o

Earlier this year I posted Thoughts on 2009 CDX . Greg Conti just sent me a notice that the West Point Information Technology and Operations Center just published, for free, their Intrusion Detection Labeled Data Sets . They include packet captures generated by NSA Red Team activity, packet captures from West Point defenders, and Snort, DNS, Web server, and host logs. This is great data. Stop using the 1999 DARPA data sets. Please.

Last month I blogged about the SANS Forensics and Incident Response 2009 Summit Round-Up . I am pleased to announce that I will be working with SANS to organize a two day SANS Incident Detection Summit in DC in December. I am working on a preliminary agenda that includes two major themes: network-centric detection and host-centric detection. The Summit will include keynotes, practitioner briefings, tool briefings, vendor briefings, and panels. As we develop the content I will report it here. I am excited about this event and look forward to seeing you in December. My goal is to "bring detection back", since we all know that detection never really died! If there are topics you'd like to see at the Summit, feel free to share them here. Thank you. Update: 9-10 December are the days for the Summit.

Amazon.com just posted my five-star review of IPv6 Security by Scott Hogg and Eric Vyncke. From the review : I've read and reviewed three other books on IPv6 in the last four years: IPv6 Essentials, 2nd Ed (IE2E) in September 2006, Running IPv6 (RI) in January 2006, and IPv6 Network Administration (INA) in August 2005. All three were five-star books, but they lacked the sort of attention to security that I hoped would be covered one day. IPv6 Security by Scott Hogg and Eric Vyncke is the book for which we have been waiting. Although some of the early "philosophical" security discussions (what's a threat, where are they) are lacking, the overwhelming amount of thorough and actionable content makes this book a winner.

So why a picture of me in uniform from 2000? The answer lies in this article published last month titled Air Force Network Operations begins migration to centralized e-mail, network services : The Air Force Chief of Staff Gen. Norton Schwartz signed a directive memorandum here recently granting the Air Force Network Operations commander centralized order-issue authority over the operation, defense, maintenance and control of Air Force networks. As part of an ongoing service-wide cyber operations transformation, the Air Force will establish a centralized user directory and e-mail service known as ADX that will service all Air Force network users. The changes will be relatively transparent to most network users, but this migration to centralized services will significantly improve security and efficiency on the Air Force Global Information Grid, officials said. " Major commands and subordinate commanders will no longer 'own' networks , but will be responsible for their port