Wednesday, 30 April 2003

Fluffi Bunni Arrested

Fluffi Bunni (AKA Fluffy Bunny), infamous web site defacer, was arrested 29 Apr in London by Scotland Yard while attending InfoSecurity Europe 2003. His real name is Lynn Htun, and he's 24 years old. His first public defacement occurred in Jun 00 and was a Linux box belonging to hogeschoolnederland.nl. He defaced SANS in Jul 01, and I learned a little about the event at the first SANSFIRE conference later that month. Brian Martin chose to comment on the event and used a quote from me to further embarrass SANS. Maybe Mr Htun didn't care for...

Tuesday, 29 April 2003

Exploit for Snort 1.9.1

PacketStorm alerted me to the 23 Apr release of an exploit taking advantage of these vulnerabilities in Snort 1.9.1. The code was published by Projet 7 Labs and in its default mode opens a shell from the victimized Snort box to port 45295 on the intruder's machi...

First Two SANS GSEs

I just read in the latest SANS Training and GIAC Certification Update that two candidates, named as John P. Jenkinson (described as a contractor for SAIC) and Lenny Zeltser (a consultant and one of the authors of Inside Network Perimeter Security) are the first two SANS "GSEs," or "GIAC Security Experts." (GIAC now stands for Global Information Assurance Certification, although in late 1999 it meant Global Incident Analysis Center.) Congratulations, guys! It looks like they both started at the bottom of the six-rung GSE ladder with the GIAC...

(ISC)2 Developments

I learned the NSA is teaming up with (ISC)2 to create the Information Systems Security Engineering Professional (ISSEP) certification. According to the press release: [The] (ISSEP) credential [is] for information security professionals who want to work for NSA, either as employees or outside contractors. The new certification will serve as an extension of the CISSP. . . The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations....

Review of Windows XP Under the Hood Posted

Amazon.com just posted my four star review of Windows XP Under the Hood. From the review: Let WXPUTH be your guide to a world where graphical user interfaces (GUIs) are optional! Author Brian Knittel introduces the reader to the full range of Windows' command-line capabilities. Through examples, tables, explanations, and humor, WXPUTH doesn't teach everything, but instead concentrates on the most useful features of the Windows command li...

Monday, 28 April 2003

Trying New Martial Arts School

I finally joined a new martial arts school in northern Virginia. It's been two years since I broke my wrist and stopped formal training, and about seven months since my last organized martial arts activi...

Interview with FreeBSD Core Members

I'm reading an interview with three FreeBSD core team members. It's multiple pages but very interesting. From the article: Having two major packaging formats [in Linux], a number of major distributions, all with differing sets and releases of critical libraries, is a management nightmare nobody really wants to tackle. This is why everyone that goes with Linux picks one distro and makes it an organization standard even if it's not the best. FreeBSD is a *system*, not a kernel with a bunch of other stuff thrown on top to make a "distro." The kernel,...

Friday, 25 April 2003

BGP and ISP Issues

I learned of some interesting sites covering BGP and ISP issues. Check out AS summaries at the CIDR report. Visit the archives of the ISP-BGP discussion li...

Open Source Forensics Tools

Three open source forensics tools merit investigation. They are ODESSA, the Open Digital Evidence Search and Seizure Architecture, FTIMES or File Topography and Integrity Monitoring on an Enterprise Scale, and FIRE, the Forensics and Incident Response Environment, previously known as "Biatchux." If you need to identify a port associated with a network service, try this online databa...

Windows Server 2003 Launch

Were you excited by yesterday's Windows Server 2003 launch as much as I was? Heh. Anyway, you might find these Technical Resources for Windows Server 2003 helpf...

Wednesday, 23 April 2003

Professor Orin Kerr

One of the participants in today's SANS webcast on legal issues was Prof Orin Kerr, who writes summaries of cybercrime cases available via email listserv. This is a high signal-to-noise way to keep up to date on these issu...

Tuesday, 22 April 2003

North American MSSP Magic Quadrant 2H02

I found a 23 Jan 03 report called North American MSSP Magic Quadrant 2H02. It depicts Managed Security Services Providers in relation to one anoth...

Sunday, 20 April 2003

Museum of Broken Packets

While perusing the FreeBSD ports tree, I came across a tool that pointed me towards the Museum of Broken Packets, which contains some odd packets collected from the Internet. This site was profiled by Slashdot in 2001 and a poster mentioned a paper with analysis of checksum failure. The site owner also wrote p...

Saturday, 19 April 2003

Quad NIC for FreeBSD

I'm considering purchasing one or more quad NICs for my network monitoring platforms. FreeBSD seems to like the Adaptec ANA-62044 best, although no vendor sells them. You can find them cheaply on eBay, though. When I need a gigabit adapter, I will probably buy an Intel® PRO/1000 MT Server Adapt...

Interservice Hackfest

Cadets are at it again, except this time it's an interservice hackfest supervised by the NSA. West Point gets all the attention here (probably because they host the Information Technology and Operations Center), but I'm sure USAFA grads are there. Update from this article: On Wednesday, the NSA told the teams to disable their firewalls for several hours at a time. The request came after a period of relatively little activity from the hackers, which led Midshipman Trevor Baumgartner to boast that the Navy group's defense technologies had stymied...

Friday, 18 April 2003

Midshipmen Busted for File Sharing

Those bad midshipmen at the US Naval Academy were busted for swapping files. Back in my day at the US Air Force Academy most cadets didn't even have network connectivity, and some didn't even have hard drives. Can you believe ...

Legality of Collecting Network Traffic

Kevin Poulsen, one of the few sources of original reporting on security issues, wrote this article, which is of interest to anyone doing network security monitoring. Although the article deals with honeypots, it asks good questions about the legality of collecting network traffic. This excerpt talks about using the "provider exemption" (explained here, with the law here): That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property...

Thursday, 17 April 2003

Testing LAN Performance

Joe Bardwell mentioned a few products at his Wildpackets seminar last week. One was Spirent Communications performance analysis products. For example, to test LAN performance, you might look at SmartBits Ethernet Modules. Joe also talked about NetScout LAN Probes. These might make good collection platforms, although they are more for performance issues and less for security or traffic collection like a Sandstorm NetInterce...

Review of IT Security: Risking the Corporation Posted

Amazon.com just posted my three star review of IT Security: Risking the Corporation. This book is essentially the same as the Jan 98 book Intranet Security: Stories from the Trenches, according to this interview. From the interview: Q: Tell us a little about this new version of your book. What's different? McCarthy: The new version has a new chapter "Looking Back, What's Next?" which looks back over the last decade and discusses some of the problems that we see today and that we will face in the future. It has all new statistics and quotes from...

Wednesday, 16 April 2003

Cisco Support for Lawful Intercept In IP Networks

Along the lines of tapping cables comes a new draft RFC Cisco Support for Lawful Intercept In IP Networks, alternate. This Slashdot thread brought it to my attention. Expect to see more of this in the future. User-applied cryptography is the only way to avoid this sort of scrutiny. Here is an article about it, here's Cisco's page, and here's the fed's page. Check out Cable Monitor and Intercept Features for the Cisco CMTS "Cable Modem Termination System," i.e., cable mod...

Fiber Optic Cables and Monitoring Saddam Hussein

This article discusses tapping fiber optic cables, in an attempt to explain how Saddam Hussein was monitored in Iraq. From the article: Web sites for metropolitan areas, such as San Diego, often post detailed maps of the entire citywide fiber backbone. In addition, the same high-speed fiber bundle sometimes serves a dozen or more office buildings, meaning criminals could gain access to wiring closets located in building basements or to cables that pass through public parking garages or elevator shafts, said Page. . . "This layer of security --...

IPS vs IDS

Articles like Intrusion prevention: IDS' 800-pound gorilla make me sick. Quotes like this demonstrate the ignorance of the speaker: Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security. Argh! Thankfully...

Tuesday, 15 April 2003

Neohapsis Open Security Evaluation Criteria

I happened upon the Neohapsis Open Security Evaluation Criteria (OSEC) site today. They measure various products, like network IDS, against the criteria, and post the results. This is a great idea, assuming the criteria are val...

Snort 2.0 Stream4 Vulnerability

Here's a new reason to update to Snort 2.0 -- a vulnerability in the STREAM4 preprocessor. From the advisory: Successful exploitation of this vulnerability could lead to execution of arbitrary commands on a system running the Snort sensor with the privileges of the user running the snort process (usually root), a denial of service attack against the snort sensor and possibly the implementation of IDS evasion techniques that would prevent the sensor from detecting attacks on the monitored netwo...

Black Hat Windows Security 2003: Seattle Presentations

Thanks again to CryptoGram, I noticed that Black Hat Windows Security 2003: Seattle presentations are available. Some of the topics look very interesting. The media archives page is a nice place to see everything available since Black Hat 19...

Defending Against an Internet-Based Attack on the Physical World

Bruce Schneier also highlighted a new paper by Avi Rubin and friends: Defending Against an Internet-Based Attack on the Physical World. The authors describe how to automate the process of signing up a victim to receive thousands of catalogs and other mailings. While visiting Avi's site, I noticed he teaches at the Johns Hopkins Information Security Institute, which offers a Master of Science in Security Informatics degree. Unfortunately, it does not seem to be one of 36 universities approved by the NSA as Centers of Academic Excellence in Information...

Wiretapping VoIP

Bruce Schneier's 15 Apr 03 CryptoGram (required reading for me) alerted me to a story on wiretapping. This quote blew me away: Unlike a traditional phone call, where a line is dedicated between two parties, VOIP slices each call into millions of tiny digital packets, each of which can take a discrete route over the Internet. That means surveillance equipment must either be installed permanently on a network or calls must be routed through FBI surveillance equipment before being delivered to the caller, which experts say can create a suspicious...

Snort 2.0 Released

Snort 2.0 was released yesterday. I will keep my eyes on the FreshPorts Snort page to see when the FreeBSD port of Snort 2.0 appears. Can you believe Snort 1.0 has a timestamp of 28 Apr 99? Thank you for the great work Sourcefire -- the community has certainly benefitted from your wo...

Monday, 14 April 2003

Holding Owners of Compromised Computers Responsible

I've heard several people refer to legal activity in Texas, where victims of intrusions were being sued when the original victim's systems attacked third parties. This happened in 2001, when systems at Exodus were allegedly compromised and used to attack Web-hosting company C.I. Host. Marc Zwillinger mentioned this in this webcast, saying the suit was moved to Federal court and then settled out of court. His slides included this scan of the indictment. From this article: JUST BEFORE 8 A.M. ON FEB. 1, 2001, C.I. Host, a Web-hosting company with...

Sunday, 13 April 2003

Review of Troubleshooting Campus Networks Posted

Amazon.com just posted my five star review of Troubleshooting Campus Networks. From the review: I'm sad I waited so long to read this excellent book. "Troubleshooting Campus Networks" (TCN) was published in Jul 2002, and it belongs on every network administrator's shelf -- now! This is the best networking book since Scott Haugdahl's "Network Analysis and Troubleshooting" and Eric Hall's "Internet Core Protocols." TCN will truly test your networking knowledge; you'll quickly validate the truth and discard the ficti...

Thursday, 10 April 2003

National Society of Professional Engineers Code of Ethics

This Slashdot post brought to my attention the National Society of Professional Engineers Code of Ethics, which should apply to IT consultants as well. It includes: I. Fundamental Canons. Engineers, in the fulfillment of their professional duties, shall: Hold paramount the safety, health and welfare of the public. Perform services only in areas of their competence. Issue public statements only in an objective and truthful manner. Act for each employer or client as faithful agents or trustees. Avoid deceptive acts. Conduct themselves honorably,...

Thoughts on SPAN Configurations

I've been trying to understand how to configure Cisco switches for use in network security monitoring solutions. By reading Configuring the Catalyst Switched Port Analyzer (SPAN) I learned: "For the SPAN on the Catalyst 2900XL/3500XL switches... the main restriction is that all the ports related to a given session (whether source or destination) must belong to the same VLAN... Unlike the Catalysts 2900XL/3500XL, the Catalyst 4000/5000/6000 can monitor ports belonging to several different VLANs." I also learned "The Catalyst 2950 Switches can...

Tracfone Fraud

Yesterday I was walking through a Lowe's hardware store. I saw a Tracfone for sale. Tracfone is a product consisting of a phone and separate prepaid wireless minutes. Given you can buy these with cash in your local Circuit City, I sensed an opportunity for troublemakers who prefer to act anonymously. (While there are other prepaid cellular plans, it appears they tie to existing accounts, or at least don't offer the easy cash purchase method of Tracfone.) I found that Tracfone sells at least one cell phone, the Motorola v120t, which can be...

Wednesday, 09 April 2003

900 MHz Wireless Access Points

At yesterday's Wildpackets seminar, Joe Bardwell mentioned techniques to lessen the chances of finding rogue wireless networks. He said someone wanting to hide a rogue wireless network should use a frequency not currently popular. Given most people run 802.11b at 2.4 GHz or 802.11a at 5 GHz, that leaves something operating at 900 MHz. Thanks to Cisco documentation, I found products by Aironet, which Cisco bought, that run at 900 MHz. They include: Aironet 1200: 900 MHz Wireless LAN Adapter; Standard type II PC Card. Aironet AP 1200-E: 900 MHz...

Tuesday, 08 April 2003

Wildpackets Expert Packet Analysis Seminar

Today I attended a free Wildpackets Expert Packet Analysis Seminar. The instructor was Joe Bardwell and he gave an incredible, educational talk. Joe is one of the authors of Troubleshooting Campus Networks, which I recently reviewed and whose review I'm waiting for Amazon.com to post. I recommend you sign up for the free Wildpackets seminar in your ar...

ISS Internet Risk Impact Summary Published

This Register story alerted me to the publication of the latest ISS Internet Risk Impact Summary. It's a 16-page document describing what ISS has seen in the last three mont...

Monday, 07 April 2003

New Samba Vulnerability?

Slashdot is running a thread on a new Samba vulnerability which Digital Defense discovered. This comment by Jeremy Allison of the Samba team is one of the best reasons why event-based IDS data can fail, and should be reinforced by collecting session and full content data. He's responding to a challenge to prove he has unreleased exploits for Microsoft SMB/CIFS: If you put one of your Windows servers on a network I had access to I would be able to show you. I will not release the code publicly (for obvious reasons). Knowledge of these bugs would...

Sunday, 06 April 2003

Cisco Network Infrastructure Design

I stay alert for good resources on network infrastructure design. I found these on the Cisco web site. Of the documents listed here, I thought these looked intriguing: Data Center Networking: Infrastructure Architecture; Data Center Networking: Internet Edge Design Architectures; Data Center Networking: Securing Server Farms; Data Center Networking: Enterprise Distributed Data Centers. It's also a good idea to visit Cisco's SAFE site and read the SAFE: A Security Blueprint for Enterprise Networks document and SAFE Blueprint for Small, Midsize, and Remote-User...

Saturday, 05 April 2003

Stegtunnel New Release

PacketStorm alerted me to the newest release of stegtunnel. As a network security analyst, I like to keep an eye out for these sorts of tools. I'll test it when I have time. This tool also manipulates the IP ID field, just as Craig Rowland's covert_tcp program did in 1996. From the stegtunnel description: Stegtunnel is a tool written to hide data within TCP/IP header fields. It was designed to be undetectable, even by people familiar with the tool. It can hide the data underneath real TCP connections, using real, unmodified clients and servers...

FreeBSD 4.8 Released

FreeBSD 4.8 was released late Thursday night. FreeBSD 5.1 is scheduled for release 2 Jun 03. I'm looking forward to reading the fourth edition of The Complete FreeBSD, hopefully later this mon...

Friday, 04 April 2003

Removing Content from Google

A FIRST post alerted me to this article on Removing Your Materials from Google. For example: if you want your materials removed right away, you can use the automatic remover at http://services.google.com:8882/urlconsole/controller. You'll have to sign in with an account (all an account requires is an email address and a password). Using the remover, you can request either that Google crawl your newly created robots.txt file, or you can enter the URL of a page that contains exclusionary META ta...

Wednesday, 02 April 2003

Rik Farrow on VLANs

Rik Farrow wrote another great article, VLANs: Virtually Insecure?. That same issue of Network Magazine features a product highlight of an XML firewall built by Data Power Technology. I find this interesting because we now have to inspect, filter, and alert on traffic to specific ports like 80 tcp. This happens when developers code multiple protocols for a single port. We already have this problem in the Windows networking world, where ports 135, 137, 138, and 139 are used for multiple purposes by multiple services. Unfortunately, businesses...