Wednesday, 30 April 2003
Fluffi Bunni Arrested
Tuesday, 29 April 2003
Exploit for Snort 1.9.1
First Two SANS GSEs
(ISC)2 Developments
[The] (ISSEP) credential [is] for information security professionals who want to work for NSA, either as employees or outside contractors. The new certification will serve as an extension of the CISSP. . . The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. The ISSEP complements the CISSP by comprehensively addressing the systems engineering side of information security.
I like the idea of addressing security "systems engineering," if they follow the ideas of Ross Anderson. I don't find the "government regulations" aspect appealing.
On 16 Apr (ISC)2 announced two "concentrations" for CISSPs: "the CISSP, Management Concentration and CISSP, Architecture Concentration." From the press release:
The CISSP Management Concentration validates extensive knowledge in the following areas of the CBK:
- Enterprise Security Management Practices
- Enterprise-wide Systems Development Security
- Operations Security Compliance
- Business Continuity Planning, Disaster Recovery Planning and Continuity of Operations Planning
- Law, Investigation, Forensics and Ethics
The CISSP Architecture Concentration validates extensive knowledge in the following areas of the CBK:
- Access Control, Telecommunications and Methodology
- Telecommunications and Network Security
- Cryptography
- Requirements Analysis and Security Standards/Guidelines Criteria
- Technology-Related Business Continuity Planning and Disaster Recovery Planning
- Physical Security Integration
I had hoped one of the concentrations was truly "technical," while the other was "managerial." Seeing "forensics" included with management is a disappointment. The press release states "The first exams for the new CISSP concentrations are scheduled to begin in July 2003, with training classes to begin in the fall."
Beyond the CISSP and its extensions, there's also the SSCP or "Systems Security Certified Practitioner," for people with one year's experience. It was announced 28 Mar 01 but doesn't seem to have gotten much traction.
Review of Windows XP Under the Hood Posted
Let WXPUTH be your guide to a world where graphical user interfaces (GUIs) are optional! Author Brian Knittel introduces the reader to the full range of Windows' command-line capabilities. Through examples, tables, explanations, and humor, WXPUTH doesn't teach everything, but instead concentrates on the most useful features of the Windows command line.
Monday, 28 April 2003
Trying New Martial Arts School
Interview with FreeBSD Core Members
Having two major packaging formats [in Linux], a number of major distributions, all with differing sets and releases of critical libraries, is a management nightmare nobody really wants to tackle. This is why everyone that goes with Linux picks one distro and makes it an organization standard even if it's not the best. FreeBSD is a *system*, not a kernel with a bunch of other stuff thrown on top to make a "distro." The kernel, userland programs, libraries, booting system, etc., are all tested together to make a release that's known good.
Friday, 25 April 2003
BGP and ISP Issues
Open Source Forensics Tools
Windows Server 2003 Launch
Wednesday, 23 April 2003
Professor Orin Kerr
Tuesday, 22 April 2003
North American MSSP Magic Quadrant 2H02
Sunday, 20 April 2003
Museum of Broken Packets
Saturday, 19 April 2003
Quad NIC for FreeBSD
Interservice Hackfest
Update from this article:
On Wednesday, the NSA told the teams to disable their firewalls for several hours at a time. The request came after a period of relatively little activity from the hackers, which led Midshipman Trevor Baumgartner to boast that the Navy group's defense technologies had stymied the NSA hackers. . . Thomas Hendricks, a visiting NSA professor at the Naval Academy, chuckled at the notion that the NSA team used the firewall exercise as a last resort. The loss of the firewall, he said, exposed an unsecured administrative account on the Navy's network, allowing the NSA to wreak havoc. "They were taught -- though I'm not sure how much they listened -- to protect as many layers of the network as possible," Hendricks said. "This part of the exercise was designed to see how many layers of protection they had in place."
Yeah right! If the NSA had been able to get past the firewall, they could have used a compromised host as a launch pad for attacks against the "unsecured administrative account" or any other internal weakness.
Friday, 18 April 2003
Midshipmen Busted for File Sharing
Legality of Collecting Network Traffic
That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. But even that exemption probably wouldn't apply to a system that's designed to be hacked, Salgado said. "The very purpose of your honeypot is to be attacked... so it's a little odd to say we're doing our monitoring of this computer to prevent it from being attacked."
Thursday, 17 April 2003
Testing LAN Performance
Review of IT Security: Risking the Corporation Posted
Q: Tell us a little about this new version of your book. What's different?
McCarthy: The new version has a new chapter "Looking Back, What's Next?" which looks back over the last decade and discusses some of the problems that we see today and that we will face in the future. It has all new statistics and quotes from well-known people in the computer industry.
From the review:
When I saw Gene Spafford's glowing foreword to "IT Security," I expected a good read. This book did not deliver, and Spafford's suggestion that those seeking "deeper insight" consult "IT Security" rings hollow. I wondered if Spafford even read this very book when he wrote "all too often, management depends on the services or writings of self-professed experts whose whole experience has been in downloading and running pre-packaged penetration tools written by others." (p. xiv) The author's own words fit this mold.
What explains Spafford's words of praise? Perhaps this Dec 02 press release Symantec Funds Fellowship Program at Purdue University does:
"This Fellowship expands the long-standing relationship CERIAS has enjoyed with Symantec over many years. During that time we have collaborated on research issues of Internet security and policy," said Dr. Eugene Spafford, professor and director of CERIAS at Purdue University.
Wednesday, 16 April 2003
Cisco Support for Lawful Intercept In IP Networks
Fiber Optic Cables and Monitoring Saddam Hussein
Web sites for metropolitan areas, such as San Diego, often post detailed maps of the entire citywide fiber backbone. In addition, the same high-speed fiber bundle sometimes serves a dozen or more office buildings, meaning criminals could gain access to wiring closets located in building basements or to cables that pass through public parking garages or elevator shafts, said Page. . . "This layer of security -- not just for fiber, but for standard LAN and telephone wiring also -- isn't really thought out by companies," said Pescatore. "I'd estimate that 75% of enterprises have some network cabling in public access space."
Here is the map mentioned above, part of the Bandwidth Bay project.
IPS vs IDS
Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security.
Argh! Thankfully the same article shows some people still understand this issue:
Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. "Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion-detection system doesn't understand the problem stack," he said. "Intrusion prevention is access control. Intrusion detection is monitoring."
Sourcefire will probably play in the intrusion-prevention space at some point. "We see value in having an access control role on the network as well as a network-monitoring role, because it allows us to leverage the information to enhance monitoring and protection," Roesch said. "You can't have one without the other."
Tuesday, 15 April 2003
Neohapsis Open Security Evaluation Criteria
Snort 2.0 Stream4 Vulnerability
Successful exploitation of this vulnerability could lead to execution of arbitrary commands on a system running the Snort sensor with the privileges of the user running the snort process (usually root), a denial of service attack against the snort sensor and possibly the implementation of IDS evasion techniques that would prevent the sensor from detecting attacks on the monitored network.
Black Hat Windows Security 2003: Seattle Presentations
Defending Against an Internet-Based Attack on the Physical World
While visiting Avi's site, I noticed he teaches at the Johns Hopkins Information Security Institute, which offers a Master of Science in Security Informatics degree. Unfortunately, it does not seem to be one of the 36 universities approved by the NSA as Centers of Academic Excellence in Information Assurance. I imagine JHU is working toward this certification.
Wiretapping VoIP
Unlike a traditional phone call, where a line is dedicated between two parties, VOIP slices each call into millions of tiny digital packets, each of which can take a discrete route over the Internet. That means surveillance equipment must either be installed permanently on a network or calls must be routed through FBI surveillance equipment before being delivered to the caller, which experts say can create a suspicious delay. "Our tactical people are trying to plug every hole. But it's like playing the field short one player," says Szwajkowski. "A call that is not [able to be intercepted] is a major public-safety and security dilemma."
Snort 2.0 Released
Monday, 14 April 2003
Holding Owners of Compromised Computers Responsible
JUST BEFORE 8 A.M. ON FEB. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as "countless" customers, the Fort Worth, Texas-based company got its lawyers involved. . . In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host's systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime. The case never made it to trial, but C.I. Host's lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed.
The other popular case is well-documented in the 2001 CSI/FBI Study:
The U.S. Navy's Criminal Investigative Service (NCIS) is in the throes of an investigation into how and why an as yet unidentified hacker stole the source code to OS/Comet from a computer at the U.S. Navy's naval research lab in Washington, D.C. in an attack conducted on Christmas Eve, 2000. OS/Comet was developed by Exigent International (Melbourne, FL), a U.S. government contractor. The software has been deployed by the U.S. Air Force on the NAVSTAR Global Positioning System (GPS) from its Colorado Springs Monitor Station, which is part of the U.S. Space Command. A copy of the OS/Comet source code was found during a police swoop in Sweden on a computer company whose identity has not been revealed. The intrusion appears to have emanated from a computer at the University of Kaiserslautern in Germany, which was used to download the software's source code via the Web and the service provider Freebox.com, which is owned by the Swedish firm Carbonide. The hacker known only as "Leeif" was able to hide his or her true identity by breaking into the account of a legitimate Freebox.com user and then using that person's account to distribute the source code to others. Exigent has filed suit against both Carbonide and the University of Kaiserslautern in Germany. The NCIS's inquiry is being headed by the NCIS headquarters for European affairs in Naples and by its London bureau, which deals specifically with Scandinavia.
Sunday, 13 April 2003
Review of Troubleshooting Campus Networks Posted
I'm sad I waited so long to read this excellent book. "Troubleshooting Campus Networks" (TCN) was published in Jul 2002, and it belongs on every network administrator's shelf -- now! This is the best networking book since Scott Haugdahl's "Network Analysis and Troubleshooting" and Eric Hall's "Internet Core Protocols." TCN will truly test your networking knowledge; you'll quickly validate the truth and discard the fiction.
Thursday, 10 April 2003
National Society of Professional Engineers Code of Ethics
I. Fundamental Canons
Engineers, in the fulfillment of their professional duties, shall:
- Hold paramount the safety, health and welfare of the public.
- Perform services only in areas of their competence.
- Issue public statements only in an objective and truthful manner.
- Act for each employer or client as faithful agents or trustees.
- Avoid deceptive acts.
- Conduct themselves honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession.
Codes of ethics are the only worthy element of the "certification" I hold -- the CISSP. Here is its Code:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Thoughts on SPAN Configurations
"For the SPAN on the Catalyst 2900XL/3500XL switches... the main restriction is that all the ports related to a given session (whether source or destination) must belong to the same VLAN... Unlike the Catalysts 2900XL/3500XL, the Catalyst 4000/5000/6000 can monitor ports belonging to several different VLANs."
I also learned "The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports, it can not monitor VLANs. The Catalyst 3550 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs... Unlike the 2900XL and 3500XL family Switches, the Catalyst 2950 and 3550 faimly Switches are able SPAN source port traffic in receive direction only, (Rx span or ingress span) or in tranmsit direction only (Tx span or egress span) or both." (The spelling errors belong to Cisco!)
When running CatOS, according to a chart in the document, the Catalyst switches have these limitations for monitoring local ports:
- Catalyst 4000: 5 Rx or Both SPAN sessions
- Catalyst 5000: 1 Rx or Both SPAN session
- Catalyst 6000: 2 Rx or Both SPAN sessions
When running Cisco IOS, Catalyst 2950/3550, 4000, and 6000 each support 2 Rx or Both SPAN sessions for monitoring local ports.
Here's another note with some grammar issues: "Catalyst 2950 switches using software release 12.1.(9)EA1d and earlier versions in 12.1 train supported SPAN with the caveat that all packets seen on the SPAN destination port (connected to the sniffing device/PC) had a 802.1Q tag on them, even though the SPAN source port (monitored port) may not be a 802.1Q trunk port. If the sniffing device or PC NIC does not understand 802.1Q tagged packets, they may drop the packets or have difficulty decoding them. Ability to see the 802.1Q tagged frames is important only when the SPAN source port is a trunk port. Starting from 12.1(11)EA1, you can enable/disable tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface-id encapsulation dot1q command to enable encapsulation of the packets at the destination port. If the encapsulation keyword is not specified, the packets are sent untagged, which is the default starting from 12.1(11)EA1."
This means that, with older versions of Cisco IOS, your sniffer must be able to decode 802.1Q VLAN tags or it will misparse every frame arriving on the SPAN destination port. Snort has supported decoding 802.1Q VLAN tags since v1.8. The TCPdump man page mentions VLAN tagging as well.
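To make the tagging issue concrete, here is an added example (not Cisco's, Snort's or tcpdump's code) that decodes 802.1Q tags the way a SPAN sniffer must. It builds three constructed frames (untagged, single-tagged, and 802.1ad QinQ double-tagged), peels the tags to find the real EtherType and payload, and shows what a tag-unaware decoder does instead: it reads the tag's TCI bytes as the start of an IP header and sees IP version 0. The MAC and VLAN values are arbitrary test data.

```python
"""Decode 802.1Q-tagged Ethernet frames, as a SPAN sniffer must (added example)."""
import struct

TPID_8021Q = 0x8100    # single 802.1Q tag
TPID_8021AD = 0x88A8   # outer tag of an 802.1ad (QinQ) double-tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                tags=()) -> bytes:
    """Build an Ethernet II frame, inserting one 4-byte tag per (tpid, pcp, vid).

    Constructed test input only; in practice frames come off the SPAN port.
    """
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and peel off every 802.1Q/802.1ad tag.

    Returns the MAC addresses, the VLAN tags outermost-first, the innermost
    EtherType, and the payload that follows it.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tags = 14, []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def naive_ip_version(frame: bytes) -> int:
    """What a tag-unaware sniffer does: assume the IPv4 header starts at offset 14."""
    return frame[14] >> 4


# Constructed sample frames; the payload is a stub IPv4 header (version 4, IHL 5).
IPV4_STUB = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB)
TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, tags=[(TPID_8021Q, 0, 100)])
QINQ = build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB,
                   tags=[(TPID_8021AD, 0, 200), (TPID_8021Q, 5, 100)])

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        p = parse_frame(frame)
        print(name, "vlans:", [t["vid"] for t in p["vlans"]], "ethertype:",
              hex(p["ethertype"]), "naive IP version:", naive_ip_version(frame))
```

The loop in `parse_frame` handles stacked tags, which matters when the SPAN source is a trunk carrying QinQ traffic; a decoder that strips exactly one tag would still hand a 0x8100 EtherType to its IP layer.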
The FAQ at the document's end is useful:
Can I Have Several SPAN Sessions Running at the Same Time?
- On the Catalyst 2900XL/3500XL family, the number of destination ports available on the switch is the only limit to the number of SPAN sessions.
- On the Catalyst 2950 family, you can have only one assigned monitor port at any given time. If you select another port as the monitor port, the previous monitor port is disabled, and the newly selected port becomes the monitor port. (Me: This seems to conflict with guidance above on having two SPAN ports?)
- On the Catalyst 4000/5000/6000, since CatOS 5.1, you can have several concurrent SPAN sessions:
The product-specific literature is more detailed. The Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(13)EA1 includes Configuring SPAN and RSPAN, and the Catalyst 2950 and 2955 Switches, Rel. 12.1(13)EA1 also includes Configuring SPAN and RSPAN. The bottom line appears to be that SPANning multiple VLANs is not a problem, but there are limits on what information is available about where the packets come from or go to.
I learned of a new term -- port snooping. This applies to layer 3 switches like the Cisco 8500 series.
The Cisco Catalyst 3550 24-port 10/100 switch with two gigabit interface converter (GBIC) ports sells for about $2100. The Cisco Catalyst 2950G-24 24-port switch with 2 GBIC ports sells at CDW for about $1800. A cheaper 2950 sells for a little under $1000, but I don't immediately recognize the differences.
Tracfone Fraud
On a related note, it's possible Tracfone's prepaid calling cards have been the target of fraud. This post claims people are selling Tracfone cards on eBay, and references this thread as "proof". I also found a site which teaches ways to defraud Tracfone, complaining that Tracfone defrauds its customers.
Let me make it clear that none of this discussion is intended to assist the reader with defrauding anyone. I try to understand these techniques because my professional career involves helping companies to combat fraud.
Wednesday, 09 April 2003
900 MHz Wireless Access Points
Tuesday, 08 April 2003
Wildpackets Expert Packet Analysis Seminar
ISS Internet Risk Impact Summary Published
Monday, 07 April 2003
New Samba Vulnerability?
If you put one of your Windows servers on a network I had access to I would be able to show you. I will not release the code publicly (for obvious reasons). Knowledge of these bugs would allow worms/viruses to utterly cripple Microsoft based corporate networks. If you choose not to believe me without exploit code then that's up to you, but I will not act in an unprofessional way to prove a point.
Jeremy Allison, Samba Team.
Sunday, 06 April 2003
Cisco Network Infrastructure Design
- Data Center Networking: Infrastructure Architecture
- Data Center Networking: Internet Edge Design Architectures
- Data Center Networking: Securing Server Farms
- Data Center Networking: Enterprise Distributed Data Centers
It's also a good idea to visit Cisco's SAFE site and read SAFE: A Security Blueprint for Enterprise Networks document and SAFE Blueprint for Small, Midsize, and Remote-User Networks.
Saturday, 05 April 2003
Stegtunnel New Release
Stegtunnel is a tool written to hide data within TCP/IP header fields. It was designed to be undetectable, even by people familiar with the tool. It can hide the data underneath real TCP connections, using real, unmodified clients and servers to provide the TCP conversation. In this way, detection of odd-looking sessions is avoided. It provides covert channels in the sequence numbers and IPIDs of TCP connections.
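The mechanism described above, as an added illustration that is not Stegtunnel's own code: bytes are packed into the 16-bit IPv4 Identification field, one header per 16 bits, with a length prefix so the receiver knows where the message ends. Each header carries a valid RFC 791 checksum, so nothing about the packet itself is malformed. Stegtunnel rides on packets of real connections; this example constructs standalone headers instead, and the addresses and message are made-up test data. A last function scores how "counter-like" a run of IDs looks, which is the kind of weak heuristic the tool is designed to slip past, since a host that randomizes its IP IDs scores the same as a covert stream.

```python
"""Covert channel in the IPv4 Identification field: a simplified illustration."""
import struct

IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a valid header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ip_id: int, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version 4 / IHL 5, DSCP 0, total length, ID, flags DF, TTL 64, proto, csum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000,
                      64, IPPROTO_TCP, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_id_of(header: bytes) -> int:
    """Identification field sits at bytes 4-5 of the IPv4 header."""
    return struct.unpack("!H", header[4:6])[0]


def encode_message(msg: bytes, src: str, dst: str) -> list:
    """Sender side: one well-formed header per 16 bits of length-prefixed message."""
    payload = struct.pack("!H", len(msg)) + msg
    if len(payload) % 2:
        payload += b"\x00"  # pad to a whole number of 16-bit IDs
    return [build_ipv4_header(src, dst, struct.unpack("!H", payload[i:i + 2])[0])
            for i in range(0, len(payload), 2)]


def decode_message(headers: list) -> bytes:
    """Receiver side: concatenate the IDs and strip the length prefix."""
    raw = b"".join(struct.pack("!H", ip_id_of(h)) for h in headers)
    n = struct.unpack("!H", raw[:2])[0]
    return raw[2:2 + n]


def fraction_incrementing(ids: list) -> float:
    """Share of consecutive IDs that grow by exactly 1, as a counter-style stack's do.

    A covert stream scores near 0.0, but so does any host that randomizes IP IDs,
    so this heuristic alone cannot separate the two.
    """
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) & 0xFFFF == 1)
    return hits / (len(ids) - 1)


# Constructed demo: a covert stream beside a normal counter-style stream.
SECRET = b"meet at 0900"
COVERT = encode_message(SECRET, "10.0.0.5", "192.0.2.10")
NORMAL = [build_ipv4_header("10.0.0.5", "192.0.2.10", 0x1000 + i)
          for i in range(len(COVERT))]

if __name__ == "__main__":
    print("decoded:", decode_message(COVERT))
    print("covert IDs incrementing:", fraction_incrementing([ip_id_of(h) for h in COVERT]))
    print("normal IDs incrementing:", fraction_incrementing([ip_id_of(h) for h in NORMAL]))
```

The TCP initial sequence number channel the description also mentions works the same way with a 32-bit field, at one ISN per connection rather than one ID per packet.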
FreeBSD 4.8 Released
Friday, 04 April 2003
Removing Content from Google
if you want your materials removed right away, you can use the automatic remover at http://services.google.com:8882/urlconsole/controller. You'll have to sign in with an account (all an account requires is an email address and a password). Using the remover, you can request either that Google crawl your newly created robots.txt file, or you can enter the URL of a page that contains exclusionary META tags.
Wednesday, 02 April 2003
Rik Farrow on VLANs