Wednesday, 30 July 2003
Installing Sguil in Red Hat 7.3
Friday, 25 July 2003
Eagle Scout Security Project
"[T]he homemade devices in use at O'Hare, and similar ones elsewhere, are an optional, preliminary step to let passengers know whether their shoes will trigger alarms if they don't remove them and send them through the X-ray machines before walking through checkpoints... Inside each box is a wand, or small metal detector, held up with bungee cords. The box sounds an alarm if there's a violation. "
Thursday, 24 July 2003
Review of Linux on the Mainframe Posted
Amazon.com just published my 4 star review of Linux on the Mainframe. From the review:
"Server consolidation" is the latest buzzword for downsized IT staffs. Many believe this means reducing the number of Windows servers running on Intel hardware. "Linux on the Mainframe" (LOTM), written by experts from IBM, offers an alternative: virtualization on the IBM zSeries and S/390 mainframes. Virtualization is the process of running dozens or hundreds of operating system "images," each of which thinks it is running on dedicated hardware. LOTM explains the improvements in reliability, availability, and serviceability from implementing this sort of system.
Wednesday, 23 July 2003
Criminals Keylogging Kiosks
"For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords. Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes. He captured more than 450 user names and passwords, and used them to access and open bank accounts online."
Tuesday, 22 July 2003
Teaching Foundstone Classes at Black Hat
Evolution of Intrusion Detection Systems
VMWare Webinars
I use VMware for a variety of testing and research reasons. We used VMware in Lenny Zeltser's class, mentioned below. I noticed VMware offers webinars, which introduce clients to their products. Numerous VMware newsgroups are archived at Google.
Cisco IOS Vulnerability
The Full-Disclosure mailing list has been a good source of information about the recent Cisco IOS vulnerability. This post links to working exploit code and shows how it works with sample data from a router.
CERT®-Certified Computer Security Incident Handler
CERT announced a new CERT®-Certified Computer Security Incident Handler certification. A combination of coursework at CERT, a college course, three years' experience, a letter of recommendation, and passing a test results in earning the cert.
Friday, 18 July 2003
Lenny Zeltser's Reverse Engineering Malware
PacketHound
I recently learned of a product by Palisade Systems called PacketHound which "is a network appliance that allows system administrators to block, monitor, log, or throttle LAN access to an expansive list of unproductive or potentially dangerous protocols and applications." I'm happy to see that "PacketHound is an Intel-based PC appliance running FreeBSD and containing one or more 10/100 or Gigabit Ethernet NICs." (FreeBSD is my favorite OS, and is popular in many network inspection appliances.)
The best selling point of PacketHound is its inspection method: "PacketHound passively scans TCP packets for the characteristics that match the protocols it is designed to monitor and block. Conventional approaches to monitoring and blocking rely on blocking TCP ports -- for example, Gnutella typically uses port number 6346 -- so a firewall would block Gnutella by shutting off access to port 6346. Unfortunately, this approach works only with unsophisticated users and applications; more sophisticated users and newer applications can easily switch to other ports and thereby bypass the firewall. PacketHound, on the other hand, uses the fundamental characteristics of the protocol itself in addition to relying on default port blocking and, as a result, is immensely more difficult to bypass." I imagine this sort of inspection could be done with Snort if it were given signatures and told to watch all ports. However, the chances of false alarms could be high.
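As an added illustration of the port-based versus content-based distinction described above (example code, not PacketHound's or Snort's own), the following classifies a few constructed packets both ways. The Gnutella 0.6 handshake really does begin with "GNUTELLA CONNECT/"; the sample packets, the port numbers, and the HTTP signature are assumptions made for the example, and the loose matching mode shows where the false alarms the post worries about come from.

```python
from dataclasses import dataclass

GNUTELLA_PORT = 6346  # default port a port-based rule would block

# Content signatures: bytes the payload must open with. Anchoring at offset 0
# (a Snort rule would say depth:17) keeps a web page that merely mentions the
# handshake string from tripping the rule; the loose mode below shows why.
SIGNATURES = {
    "gnutella": b"GNUTELLA CONNECT/",  # real Gnutella 0.6 handshake prefix
    "http": b"GET ",
}

@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes

def classify_by_port(pkt: Packet) -> str:
    """Conventional approach: only the destination port is consulted."""
    return "gnutella" if pkt.dst_port == GNUTELLA_PORT else "other"

def classify_by_content(pkt: Packet, anchored: bool = True) -> str:
    """Inspect the payload on any port. anchored=False searches the whole
    payload, the kind of loose matching that raises false alarms."""
    for name, sig in SIGNATURES.items():
        hit = pkt.payload.startswith(sig) if anchored else sig in pkt.payload
        if hit:
            return name
    return "other"

HANDSHAKE = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"

# Constructed sample traffic, not real captures.
SAMPLES = {
    "gnutella_default_port": Packet(40000, 6346, HANDSHAKE),
    "gnutella_on_port_80": Packet(40001, 80, HANDSHAKE),  # sidesteps the port rule
    "http_on_6346": Packet(40002, 6346, b"GET /index.html HTTP/1.0\r\n\r\n"),
    "http_about_gnutella": Packet(40003, 80,
        b"GET /faq.html HTTP/1.0\r\nX-Note: GNUTELLA CONNECT/ docs\r\n\r\n"),
}

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (port verdict, anchored content, loose content)."""
    return {k: (classify_by_port(p), classify_by_content(p),
                classify_by_content(p, anchored=False))
            for k, p in samples.items()}
```

The port rule misses Gnutella moved to port 80 and flags plain HTTP on 6346, while the anchored signature gets both right; only the unanchored search flags the page that merely talks about Gnutella.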
Another network product, this from Vericept, looks promising. Vericept View for Privacy Protection comes in forms for financial services and health care providers. According to Network Computing, "Vericept's Intelligent Early Warning (VIEW) for Privacy Protection helps financial services organizations comply with the Gramm-Leach-Bliley Act. Using Vericept's linguistic and mathematical analysis of all TCP/IP network traffic, VIEW monitors all communications, including Internet, intranet, e-mail, IM, chat, P2P, FTP, telnet and bulletin board postings, for inadvertent or malicious leaks of nonpublic personal information, such as credit card or social security numbers, account balances and payment or credit history. VIEW is designed to run on Vericept security appliances installed on a 10Base-T/100Base-T or Gigabit network." If indeed some intelligent algorithms are in play here, and not simple string or regular expression matching, this could be helpful to detect all sorts of abuse.
Sguil 0.2.5 on Windows
Bamm has made a demo Sguil server available. Here's a step-by-step guide to installing the Sguil client on Windows, so you can access the Sguil server at Bamm's office.
1. Download and install the latest version of ActiveTcl. Below you see I downloaded the ActiveTcl 8.4.3.0 Windows package. I installed it in "C:\Program Files\tcl".
2. Next, download the sguil-client-0.2.5.zip archive from Sourceforge:
3. Extract the contents of the .zip file. I extracted mine to "C:\Program Files\sguil". Once on your hard drive, edit the sguil.conf file located in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory. Make the change as highlighted below to set your Sguil server to Bamm's office machine at bamm.dyndns.org:
4. Now you need to associate the sguil.tk Tcl application with the Tcl interpreter. This will allow you to double-click on the sguil.tk file in "C:\Program Files\sguil\sguil-0.2.5\client\" and launch the application. In Windows Explorer, right-click on sguil.tk and select Properties:
5. You will see a button which says "Change". This allows you to associate the sguil.tk file with a new application. The screen shot shows mine associated with WordPad. We want to change that, so find the entry titled "Wish Application" and click "OK" to associate .tk files with "Wish":
6. When you're done, sguil.tk will be associated with "Wish":
7. That's it! Double-click on "sguil.tk" in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory and you will be prompted for a username and password. Enter the name by which you want to be identified and any password you want:
8. You will be prompted to choose a sensor. Click the 'reset' button (that's the sensor name) and then 'Start SGUIL'.
9. You should see a screen like the one below. If so, you're using Sguil!
10. This sensor is not monitoring the external interface of the bamm.dyndns.org network, so if you portscan or otherwise attack bamm.dyndns.org, it will not register on the Sguil interface. You can investigate the test alerts, though. For example, you can run a query on the source IP of the entry highlighted below by right-clicking on it:
Here are the results:
11. If you want to chat with other people using Sguil, select the "User Messages" tab and enter messages in the MSG: field. To see who is using Sguil, type 'who':
If you have questions, the Sguil authors hang out in #snort-gui on irc.freenode.net. Enjoy!
Thursday, 17 July 2003
Reviews of Intrusion Detection with SNORT, Intrusion Detection with Snort, and UNIX Shell Programming, 3rd Ed Posted
"Intrusion Detection with Snort: Advanced IDS, etc." (IDWS) was the second of this year's intrusion detection books I've reviewed. The first was Tim Crothers' "Implementing Intrusion Detection Systems" (4 stars). I was disappointed by IDWS, since I have a high opinion of Prentice Hall and the new "Bruce Perens' Open Source Series." (I'm looking forward to the book on CIFS, for example.) IDWS reads poorly and doesn't deliver as much useful content as the competing Syngress book "Snort 2.0."
I gave the much better Snort 2.0 four stars. This book will appeal more to programmers than to casual Snort users:
"Snort 2.0" offers content not found in other books on Snort, such as Tim Crothers' more generic "Implementing IDS" (4 stars) and Rafeeq Rehman's "Intrusion Detection with Snort" (3 stars). I've read the best IDS books, and used IDS technology, since 1998, and "Snort 2.0" is the first to give real insight into an IDS' inner workings. Thanks to the technical knowledge of the author team, "Snort 2.0" earns the reader's appreciation by explaining how and why the open source Snort IDS works its magic.
I realized I never mentioned when Amazon.com published my four star review of UNIX Shell Programming, 3rd Ed. This was significant as it was my 100th technically-oriented book review. I've submitted reviews for eight other items, like a pack of CD-Rs, or books and videos on non-computer subjects like hockey or kenpo. So, although as of today I have 110 "reviews," only 102 are associated in some way with security or technology.
Tuesday, 15 July 2003
Code Red Two Years Old Today
In happier news, according to Netcraft, "nearly 2 Million Active Sites [run] FreeBSD. . . Indeed it is the only other operating system [besides Windows and Linux] that is gaining, rather than losing share of the active sites found by the Web Server Survey."
Saturday, 12 July 2003
MS03-024
Friday, 11 July 2003
The Design and Implementation of the FreeBSD Operating System
We have just started working on a new edition of the 4.4BSD book to be called "The Design and Implementation of the FreeBSD Operating System". It will be based on the 5.X version of FreeBSD. It is to be published by Addison-Wesley and we hope to have it out in mid to late 2004.
I am really excited by this development. Several cool FreeBSD books have been published recently, like Absolute BSD and The Embedded FreeBSD Cookbook. I can't wait to read the new McKusick book -- maybe by next year I'll be ready for it!
Hackers Hijack PC's for Sex Sites
Thursday, 10 July 2003
Bonding Tap Outputs
With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc., makes a tap with a single output:
There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!
TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream reassembly problem. This post claims:
"the core technology we use on the ASICs firstly track and follow "conversations" (flows, sessions call it what you will) - so in essence we have a "state table" (of sorts) which sees the first packet in a stream and sends it to Monitor Group 1 - any subsequent packet in the conversation (regardless of input port) is then sent to the same port (we do this on a mapping of IP to MAC plus a few other things). The next conversation is then sent to the 2nd Monitor port and so forth. So in terms of re-assembly - are we (at this level) truly re-assembling ??"
Usually the TopLayer product is used to distribute bandwidth amongst multiple intrusion detection systems. For example, one IDS watches all Web traffic, while another watches everything else.
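To make the conversation-tracking behaviour quoted above concrete, here is an added model of it (example code, not TopLayer's or the post's own). It assumes a direction-independent flow key and a round-robin choice of monitor port for each new conversation; the addresses are constructed. It keeps both halves of a conversation on one monitor port, which is what lets the IDS behind that port do its own stream reassembly, and it reassembles nothing itself, which is the distinction the quoted question raises.

```python
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, str]

def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int, proto: str) -> FlowKey:
    """Direction-independent key: the A->B and B->A halves of one conversation,
    which arrive on different tap outputs, must collapse to the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)

class FlowBalancer:
    """Every packet of a conversation goes to the monitor port picked when
    its first packet was seen; each new conversation takes the next port.
    Nothing is reassembled here; the IDS behind each port does that."""
    def __init__(self, monitor_ports: int):
        self.ports = monitor_ports
        self.next_port = 0
        self.table: Dict[FlowKey, int] = {}  # the "state table" of sorts

    def route(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              proto: str = "tcp") -> int:
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        if key not in self.table:            # first packet of a new conversation
            self.table[key] = self.next_port
            self.next_port = (self.next_port + 1) % self.ports
        return self.table[key]

def demo() -> List[int]:
    """Constructed tap traffic (not a real capture): two conversations, each
    seen from both tap outputs, distributed over two monitor ports."""
    lb = FlowBalancer(monitor_ports=2)
    packets = [
        ("10.1.1.5", 40000, "192.0.2.10", 80),   # conv 1, client->server, tap port A
        ("192.0.2.10", 80, "10.1.1.5", 40000),   # conv 1, server->client, tap port B
        ("10.1.1.6", 40001, "192.0.2.20", 25),   # conv 2, client->server
        ("192.0.2.20", 25, "10.1.1.6", 40001),   # conv 2, server->client
        ("10.1.1.5", 40000, "192.0.2.10", 80),   # conv 1 continues
    ]
    return [lb.route(*p) for p in packets]    # expected: [0, 0, 1, 1, 0]
```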
Robert Graham mentioned software implementations which see two NICs on the monitoring platform as a single virtual NIC. This is the method I documented for FreeBSD in this post, although vendors like Znyx offer some support for combining interfaces on non-Windows operating systems. Calvin Gorriaran told me OpenBSD's pf can be used to bridge the two interfaces listening for tap inputs. His method:
Create "/etc/bridgename.bridge0" with
add fxp0 add fxp1 -learn fxp0 -learn fxp1 -discover fxp0 -discover fxp1 -stp fxp0 -stp fxp1 link0 link1 rulefile /etc/bpf.conf up
Then in /etc/bpf.conf:
# bridge0 ruleset
block in on fxp0
block out on fxp0
block in on fxp1
block out on fxp1
Make sure both interfaces are up and reboot.
Greg Shipley weighed in with some of the nicest ASCII art on taps I've seen. :)
Windows Rootkits
Firewall on a Token USB-based NIC
Honeynet Project Paper on Credit Card Fraud
Wednesday, 09 July 2003
Johnny Long and More
More NSM Notes
Thoughts on New Lab
Cisco Logging Network
The 24 port switch has plenty of extra interfaces to use, so I think I can dedicate one port to a separate "logging network." The router doesn't have an extra interface, but it does have its AUX port. Cisco offers this Connecting a SLIP/PPP Device to a Router's AUX Port PDF. A Google search found this post, which considered doing something similar, with log messages sent to a printer. (Even printers can be attacked.) Other posts (here and here) mentioned Kermit to log data, via a null modem and PPP session (mentioned here). I think this article on building a FreeBSD-based console server, with conserver and an EasyIO PCI serial card (vendor, or similar products) is the way to go, with PPP conf files available. (For an alternative, this thread debates the merits of setting up a parallel port point-to-point connection.)
Some people take the serial port to a whole new level. A serial sniffer exists. With PC Weasel 2000, which allows BIOS access via serial port:
LogAnalysis.org is a great site for information on logging.
Thursday, 03 July 2003
Cables for Gigabit
Wednesday, 02 July 2003
Top Three Advances in Honeynet Technology
Two FreeBSD Interfaces on the Same Subnet
To bring up the first (primary) interface:
ifconfig ed1 192.168.1.100 netmask 255.255.255.0 up
To bring up the second interface:
ifconfig em0 192.168.1.101 netmask 255.255.255.255 up
Now both work properly. The host-only netmask (255.255.255.255) on the second interface keeps it from trying to install a second, conflicting route for 192.168.1.0/24; that route already belongs to the primary interface.
"Super Zonda" Spammers
Tuesday, 01 July 2003
California Disclosure Law
Understanding DVD Storage
According to the NIST Reference on Constants, Units, and Uncertainty, these definitions have changed:
- kilobyte = 1000 bytes
- megabyte = 1,000,000 bytes
- gigabyte = 1,000,000,000 bytes
We have new terminology for the "prefixes of old":
- kibibyte (KiB) = 1024 bytes
- mebibyte (MiB) = 1,048,576 bytes
- gibibyte (GiB) = 1,073,741,824 bytes
For example, discs advertised to be 4.7 GB are actually 4.7 billion bytes, or 4.37 "old GB." (Hard drive manufacturers pull the same trick, with "9.1 GB drives" reporting around 8.68 "old GB.") So, a 9.4 GB DVD really holds 8.75 "old GB" of data, which is bigger than a "9.1 GB" hard drive that really holds 8.68 "old GB".
I guess it's easiest to accept that any modern usage of the terms KB, MB, and GB denotes powers of 10 and not powers of 2, so a "new GB" is a billion bytes -- end of story. Here's a nice summary.
Back to DVDs! Unfortunately, 9.4 GB DVD media are dual-sided, single-layer. That means they must be manually flipped over, because they're essentially two DVD-5 discs glued together. Here's a diagram, courtesy of this site:
What about movie DVDs, which are reported to hold "8.5 GB" (really 8.5 billion bytes or 7.95 "old GB")? Most movie DVDs meet the DVD-9 specification, which is a single-sided, dual-layer disc:
Recognize that you have to be in the DVD manufacturing business to create DVD-9 discs, as consumer-grade DVD burners can't write dual-layer, single-sided media (and it's not for sale to most of us). So, until that changes, I'm restricted to reading and writing in single-sided, 4.37 GB chunks. Some DVD burners, like these from LaCie or Panasonic, advertise writing 9.4 GB media, but that's still to double-sided discs. Keep an eye on the rec.video.dvd.tech list or DVDRHelp.
While researching for ways to archive a 730 MB hard drive, I learned 800 MB CD-Rs exist, but I guess your burner needs to recognize it.