Sourcefire Introduces Appliance

Sourcefire will announce a new appliance to compliment their standard IDS sensor, according to eweek:

Security vendor Sourcefire Inc. on Monday will announce a new security appliance that company executives say will make intrusion detection systems more efficient and valuable in enterprise networks. The Real-Time Network Awareness appliance combines vulnerability assessment and correlation with change management in an effort to reduce or even eliminate the false positives and negatives that plague IDS systems.
The RNA box is meant to work in conjunction with Sourcefire's Intrusion Management System, which is based on the open-source Snort IDS. The appliance starts by identifying all of the assets on a network and assessing their current state. Then, it performs continuous monitoring of the network and alerts the administrator to any changes, such as new devices coming online or unusual services being used on a server.

Cisco Router Evidence Extraction Disk

Router forensics has come to my attention recently. Thomas Akin, author of Hardening Cisco Routers, gave this Black hat 02 presentation and offers CREED, the Cisco Router Evidence Extraction Disk.

Patching in the Air Force

The 28 May SANS NewsBites reported:

Air Force Service Evaluates Patches (19 May 2003)

The Air Force has established the Enterprise Network Operations Support Cell (ENOSC), a software patch service. Patches are tested by the Air Force Computer Emergency Response Team which assesses its effectiveness and assigns it a number indicating its likelihood of interfering with other software. The patch along with that information is placed on the site and administrators can decide if it's an appropriate patch for their systems. ENOSC supports Windows 9x, NT 4.0, 2000 and XP, as well as Exchange Server and Internet Explorer. It also supports Sun Solaris and plans to add Linux and HP-UX.
http://www.gcn.com/22_11/security/22059-1.html

This sounded suspicious to me, as the original article says:

"When a patch comes out for those OSes or applications, the Air Force Computer Emergency Response Team judges its effectiveness—that is, does it in fact fix the problem? A nine-member ENOSC team evaluates the patch’s impact on the OS and on the applications likely to be running under it."

One of my friends at the AFCERT confirmed that the AFCERT is NOT testing patches. The ENOSC performs the testing, while the AFCERT issues compliance orders. The AFCERT is not equipped to test patches, and that is not its primary mission anyway.

Reducing IDS Alerts

The same issue of SC Magazine offered an article on reducing IDS false positives by altering the behavior of Windows Media Player -- not ignoring alerts. What ingenuity! I'd like to see more of this sort of thinking.

Gunter Ollmann Doesn't Like Hacking Exposed

This article by Gunter Ollmann of ISS takes a swipe at readers of the best-selling Hacking Exposed book series. Gunter manages to offend both prospective clients and those who perform his so-called "blind penetration tests," which apparently are inferior to his "crystal box penetration tests." From the article:

I call such prospective clients HE-men (after the Hacking Exposed line of books). They are proof that a little knowledge in the wrong hands really can do a lot of damage...a ‘blind’ penetration test will take considerably longer to discover the same number of security flaws. When conducting a full-knowledge (i.e. ‘crystal-box’) penetration test, it is a simple process to indicate within a report what information was necessary to make the security findings and what level of skill or knowledge an attacker would need to exploit any vulnerabilities. Thus, a full-knowledge penetration test provides the same, or greater, level of security information for less time and cost. I would question anyone trying to sell a ‘blind’ penetration test for less than the cost of a full-knowledge penetration test.

-- end quote --

It sounds like Gunter doesn't understand the difference between a vulnerability assessment and a penetration test. He uses the latter term but describes the former. A vulnerability assessment involves discovering and documenting vulnerabilities, whether with "blind" or "crystal box" knowledge of the target. A penetration test moves beyond discovery to actual compromise, where the analyst exploits targets to gain greater access to the victim network and implement a real-world intrusion scenario. This usually tests the client's response and remediation processes. This opinion isn't just mine -- Google produced this Red Hat Security Guide and I read a recent Rik Farrow article as well.

CAIDA Tool Taxonomy

I continue to research ways to capture information useful for network security monitoring. I found CAIDA's tools taxonomy helpful. RMON (Remote Monitoring) is one solution, especially since it can support full packet capture. (See the IETF charter, mailing list, and Cisco overview.) NetScout probes are a commercial option, although it seems ntop (mailing list) can be modified to collect RMON data. Cisco's NetFlow data appears useful. Competitors include sFlow and nFlow.

Prevention Always Fails

Network Magazine's May issue featured the article Emerging Technology: Detection vs. Prevention - Evolution or Revolution?. This is another case where a policy enforcement mechanism is confused with a policy audit and verification system. Policy enforcement mechanisms include firewalls, routers with access control lists, and so-called "intrusion prevention systems," which are simply layer 7 firewalls. Policy audit and verification systems include some traditional intrusion detection products, along with traffic collection systems like Argus and Sandstorm's NetIntercept. Is Marty Roesch the only high-profile person who understands this? From the article:

"Gartner sees IPS as the next generation of IDS, when they're likely the next generation of firewall," says Marty Roesch, founder of Sourcefire, an IDS vendor. Roesch is also the creator of Snort, an open-source, rules-based language for writing detection signatures.

Roesch insists that IDSs and IPSs are separate technologies with mutually exclusive functions. "IPS is access control, and IDS is network monitoring. IPS is policy enforcement, and IDS is audit. It's not the IDS's job to secure your network. Its job is to tell you how insecure it is."

But Roesch's distinction may not resonate in the wider security market. "Joe Average doesn't want to monitor traffic and comb through data and make changes in rules and policies based on detected attacks," says Jeff Wilson, executive director of Infonetics Research (www.infonetics.com). "They want to stop attacks."

-- end article --

Fine -- prevention is always preferable to detection. But prevention always fails, at some point. How do you determine the scope of a compromise when your IPS fails to detect and prevent an attack? You better be able to fail back on your audit capabilities, which log what they see and make no value judgements.

Sguil 0.2 Released

My friend Bamm Visscher released version 0.2 of his Snort-based network monitoring solution, called sguil. I will be working on more comprehensive documentation when I finish my current incident response deployments! Also, check out the new project logo! From the announcement:

Sguil (pronounced "sgweel") is a graphical interface to snort. The actual interface and GUI server are written in tcl/tk. Sguil uses other open source software like barnyard and mysql for accessing data. The client interface provides 'hooks' to analyst tools like ethereal, tcpflow, and p0f. Sguil makes it easy for multiple analyst to work together in monitoring multiple sensors. Currently, sguil only provides an analyst interface. Sensor and rule management is forthcoming.

Sguil-0.2 includes numerous changes and bugfixes. Notable additions inlude event history, event comments, access to session data (stream4 keepstats), abuse email templates, and user accountability. See http://sguil.sourceforge.net for downloads, updated screenshots, and more info.

Review of Art of the Steal Posted

Amazon.com just posted my four star review of The Art of the Steal. From the review:

I typically read and review books on digital security. I bought "The Art of the Steal" (TAOTS) after being captivated by "Catch Me If You Can." TAOTS is an incredible book, but not because it is a masterpiece of English literature. Rather, TAOTS is an amazing and personalized tour of a seedy underworld where ingenuity serves evil purposes. In

Amazon.com also posted my four star review of Stealing the Network. From the review:

"Stealing the Network" (STN) is an entertaining and informative look at the weapons and tactics employed by those who attack and defend digital systems. STN is similar to the "Hacker's Challenge" books published by Osborne, although the stories are not separated into evidence and resolution sections. Rather, a collection of authors use mildly fictional tales to introduce readers to tactics and techniques used by black and white hat hackers.

Vasiliy Gorshkov and Alexey Ivanov

The Washington Post is running a three part article on Russian criminals Vasiliy Gorshkov and Alexey Ivanov. From the article:

Vasiliy Gorshkov did not set out to be a thief. Relatives and friends say he had wanted to build a dot-com . . . Gorshkov, then 24, didn't have the cash. Business associates recalled that he didn't even have enough money to keep paying his four programmers. But one of those programmers, 19-year-old Alexey Ivanov, said he knew how to raise the protection money, according to lawyers familiar with the conversation. Goshkov could offer a protection service of his own. To online businesses. Six thousand miles away in the United States.

Parts two and three are available.

Loopback for Forensics on Linux and FreeBSD

Ever done forensics and needed to find the enhanced loopback kernel patch for Linux? Now you know where to find it. FreeBSD supports this natively using vnconfig.

Nmap in The Matrix Reloaded

Kevin Poulsen reported that the new movie The Matrix Reloaded features Trinity using nmap and a SSH exploit!

TaoSecurity Blog Added to Security Blog List

Jiri Ludvik added this site to his security weblogs list. I also learned of a site that creates a fictitious market for blogs, called BlogShares.

More on Fluffi Bunni Arrest

Here's an update on the arrest of the alleged ringleader of the Fluffi Bunni group:

Senior detectives at Scotland Yard's Computer Crime Unit spotted 27-year-old Lynn Htun, believed to be the brains behind the infamous Fluffi Bunni hacking group, on the stand run by Insight Consulting and its business partner Siemens at the Infosecurity Europe 2003 show at Olympia, London.

New $20 Bill Arriving

Just as I'm reading Catch Me If You Can star Frank Abagnale's book Art of the Steal, CNN reports the $20 bill will be released with a color design this fall.

Sp_Perl for Snort

Saturday Jeff Nathan announced he and Brian Caswell have developed a new plugin for Snort: sp_perl. This detection plugin offers users full regular expression matching within a Snort rule as well as runtime execution of perl code. They briefed their work at CanSecWest 03. At the same conference, Jed Haile gave a short presentation on using Argus to monitor network flows. Russell Fulton has been doing the same thing with Argus for at least four years. Argus was publicly announced almost exactly seven years ago. I learned similar techniques working with the Air Force's ASIM sensor, developed in the mid-1990s.

Sourcefire Seminar

Yesterday I attended a seminar on Sourcefire by Marty Roesch. Marty will present at a few other cities.

ILOVEYOU Virus Three Years Old Today

Three years ago today the Love Letter virus rampaged across Outlook applications everywhere. I believe we set up our ASIM sensors to execute TCP resets on any mail message containing the words "ILOVEYOU". What a waste of CPUs!

Fyodor, author of nmap, released the latest version of his security tool survey. This "who's who" of security tools is a good place to start to learn which tools to try.