Editing c:\windows\system32\drivers\etc\hosts

My ISP is having some teething problems with its "upgrade." I needed a way to point my name resolutions for www.comcast.net to the one server they operate which is working, and not to the default server which isn't working. Following this tip I edited c:\windows\system32\drivers\etc\hosts:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
63.240.76.72 www.comcast.net

Security Checklist for FreeBSD 4.8

While reading the BSDforums I learned of a new security checklist for FreeBSD 4.8. You can read the thread behind this doc. It's a work in progress and may help out the FreeBSD security initiative at CISecurity.

Odd Activity in Argus Logs

Checking my Argus logs this morning, I noticed a few odd scans. The first is to port 2 TCP, which according to the Internet Storm Center is becoming popular:

16 Jun 03 03:12:08 tcp 24.96.49.46.4396 -> my_IP.2 TIM
23 Jun 03 07:59:05 tcp 220.120.31.233.4900 -> my_IP.2 TIM

I'm also seeing scans to port 57 TCP, which has history dating to Oct 02 and Nov 02 and is a signature of a tool called FX-Scanner (analysis). Apparently port 57 is used as a host discovery mechanism. Here are three examples.

First, recon for port 1433 TCP:

12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM
12 Jun 03 18:22:17 icmp 161.53.40.97 <-> my_IP ECO
12 Jun 03 18:23:04 tcp 161.53.40.97.1217 -> my_IP.1433 TIM
12 Jun 03 18:25:08 tcp 161.53.42.46.2036 -> my_IP.57 TIM
12 Jun 03 18:25:08 icmp 161.53.42.46 <-> my_IP.55 ECO
12 Jun 03 18:25:55 tcp 161.53.42.46.3590 -> my_IP.1433 TIM

Next, recon for ports 80 and 21 TCP:

18 Jun 03 15:02:53 tcp 67.116.81.237.3836 -> my_IP.80 TIM
18 Jun 03 15:03:14 tcp 67.116.81.237.4067 -> my_IP.57 TIM
18 Jun 03 15:02:53 icmp 67.116.81.237 <-> my_IP ECO
18 Jun 03 15:03:35 tcp 67.116.81.237.4325 -> my_IP.21 TIM

Third, recon for ports 1433 and 445 TCP:

19 Jun 03 11:35:14 tcp 4.40.163.36.1951 -> my_IP.57 TIM
19 Jun 03 11:35:38 tcp 4.40.163.36.1725 -> my_IP.1433 TIM
19 Jun 03 11:35:13 icmp 4.40.163.36 <-> my_IP ECO
19 Jun 03 11:37:50 tcp 4.40.163.36.2221 -> my_IP.445 TIM

I'm also seeing recon for 3410 TCP. This has only picked up in the last few days. It appears to be associated with the Backdoor.OptixPro.13:

18 Jun 03 01:03:52 tcp 68.120.129.51.4730 -> my_IP.3410 TIM
19 Jun 03 08:30:49 tcp 207.190.78.253.1414 -> my_IP.3410 TIM
19 Jun 03 17:27:04 tcp 68.113.237.250.2200 -> my_IP.3410 TIM
22 Jun 03 15:27:27 tcp 12.247.109.85.1055 -> my_IP.3410 TIM
26 Jun 03 19:25:01 tcp 68.41.93.143.3327 -> my_IP.3410 TIM
29 Jun 03 11:13:00 tcp 68.169.152.189.3554 -> my_IP.3410 TIM
29 Jun 03 12:09:59 tcp 68.61.193.97.1707 -> my_IP.3410 TIM
29 Jun 03 12:40:17 tcp 68.78.131.6.1730 -> my_IP.3410 TIM
30 Jun 03 00:56:29 tcp 64.83.224.72.2246 -> my_IP.3410 TIM
30 Jun 03 02:38:13 tcp 217.231.192.242.4191 -> my_IP.3410 TIM
30 Jun 03 03:29:07 tcp 65.30.207.110.2940 -> my_IP.3410 TIM
30 Jun 03 04:02:53 tcp 24.126.135.126.1500 -> my_IP.3410 TIM
30 Jun 03 04:51:57 tcp 24.79.19.59.1319 -> my_IP.3410 TIM
30 Jun 03 05:30:51 tcp 81.103.33.198.1395 -> my_IP.3410 TIM
30 Jun 03 07:53:05 tcp 68.12.239.185.4690 -> my_IP.3410 TIM

TaoSecurity Web Down

My TaoSecurity web site is down while my hosting provider upgrades its servers. Estimated returned to service is at least by Monday morning.

Les Cottrell Network Monitoring Tools

Les Cottrell maintains a comprehensive list of network monitoring tools. He responds to email if you'd like to suggest additions. CAIDA (Cooperative Association for Internet Data Analysis), lists tools also.

Packet Creation Tools

Looking for packet creation tools on UNIX? Nemesis and Hping have been around for three years, while Packit is a newcomer from earlier this year. You can find the FreeBSD ports for all of these at FreshPorts. Others exist but these are some of my favorites. I've used IPSorcery on Linux. Windows users can check out Komodia and lcrzoex (which also runs on UNIX).

Anton Chuvakin profiles TaoSecurity Blog

Anton Chuvakin wrote this blog entry profiling my blog. Thanks Anton! Also, his blog made me aware that the former Psionic tools (acquired by Cisco in Oct 02) are available at Sourceforge. Cisco makes some of the tools available on their site, like Cisco Threat Response (formerly Clear Response), mentioned by Craig Rowland.

Support for Windows NT 4.0

Wondering how long your copy of Windows NT 4.0 will be supported? Visit the Microsoft Lifecycle site. Look here for the quick answer.

IPv6 in DoD

Time to learn IPv6. According to this article: "John Osterholz, director of architecture and interoperability for the Department of Defense, told a gathering of technology elite that the DoD would phase out purchases of IPv4 network technologies by this fall and would instead begin trials of equipment and applications based on the new IPv6 protocol for the Internet within 30 days."

2003 Recent Advances in Intrusion Detection

The 2003 Recent Advances in Intrusion Detection (RAID) conference will be held in Pittsburgh on 8-10 Sep 03. Word on registration is forthcoming.

Chucktips

If you want to learn more about FreeBSD, visit Chucktips, which looks like Slashdot and is newbie-friendly.

RPM Tips

Although I prefer to use FreeBSD's package system, I recommend Linux users visit FreshRPMs.net or RPMfind.net for their RPM needs. If you need to install Linux software from source, but want to manage the code like an RPM, try CheckInstall.

Miscellaneous Hardware

IOGEAR has two products I need. The first is a combination Firewire and USB 2.0 CardBus adapter. The second is the COMBO ION™ drive is a 2.5” hard drive enclosure. Both are useful when doing host-based forensics.

OpenBSD Pf Scrubbing

I'm always looking for new ways to handle network traffic. I noticed that the OpenBSD Packet Filter offers scrubbing. This builds on the concepts discussed by Mark Handley and Vern Paxson, discussed at Slashdot. PF's "random-id" option should defeat Steve Bellovin's technique for counting NATed hosts. Peter Phaal of InMon wrote Detecting NAT Devices using sFlow, which relies on counting TTL values to detect NAT hosts. pf's "min-ttl" feature might obscure that tactic, according to another Slashdot thread.

Openroot

Want to play on a FreeBSD box? Check out OpenRoot, "a FreeBSD 4.8-stable box in which root access is given to everyone... OpenRoot is essentially a virtual machine (a jail in FreeBSD terminology) running ontop of FreeBSD." You can access openroot.no-ip.org on ports 30 and 31 TCP using secure shell. Log in as user 'openroot', password 'openroot', and then 'su -' with no password. However, it doesn't appear that 'root' users have a full working environment:

openroot# ping www.google.com

ping: socket: Operation not permitted

openroot# w

12:40AM up 1 day, 14:13, 1 user, load averages: 0.00, 0.00, 0.00

USER TTY FROM LOGIN@ IDLE WHAT

w: proc size mismatch (8480 total, 1064 chunks): No such file or directory

openroot# last | head

openroot ttyp0 86.84.139.55 Fri Jun 27 00:39 still logged in

openroot ttyp0 80.128.117.2 Fri Jun 27 00:17 - 00:23 (00:06)

openroot ttyp1 csa.bu.edu Wed Jun 25 02:55 - 02:55 (00:00)



wtmp begins Wed Jun 25 02:55:49 GMT 2003

Small Form Factor Sensors

I plan to roll out new firewall and network security monitoring platforms for my home lab network. For the firewall, I'm considering an "embedded" BSD solution, like OpenSoekris, m0n0wall, or m0n0BSD, which run on the popular Soekris (mailing list) embedded computers, like the net4501 and the new net4801. I like these motherboards because they're equipped with three NICs. Other Soekris-based projects include FreeBSD wireless router (more info), theWall, Linux Embedded Appliance Firewall, linux4501, Personal Linux Router Project, and Debian on the net4501. The OpenBrick project exists, although the Mini-ITX community seems to have more support, along with vendors like LinITX and Ultim8PC. This CompactFlashTM Type II Card Adapter looks useful.

For the NSM box, I'm considering a Shuttle SB52G (support, review) with Intel 845VG chipset and FB52 motherboard sold by ExcaliburPC, NewEgg, and Knowledge MicroExpress. Crucial sells memory. Other options include the Slimpro 1BayPC (manufacturer?), LittlePC, MicroPC4 and Lex Light, For more information there's the mailing.freebsd.small list, the books Embedded FreeBSD Cookbook and Designing Embedded Hardware, or Slashdot.

One issue with these small form factor devices is having enough interfaces for serving as a firewall or router. Luckily FreeBSD 5.x supports the Linksys USB100TX and USB200M USB NICs. Iomega and others make USB floppy drives. One could always buy a full-fledged but cheap PC from TigerDirect.

DCPhoneHome

Interested in by-passing access control, or understanding how it's done in order to monitor it? Check out dcphonehome, run by my friend Aaron Higbee, or Gray-World.

Commercial IDS Appliances Built on Snort

Consider all of the commercial IDS appliances built on the Snort detection engine:

• Sourcefire Network Sensor


• Silicon Defense Sentarus


• PacketAlarm


• StillSecure Border Guard; check the FAQ -- they run Snort but hide it well


• Argus 1000; no relation to the one true Argus


• FidelisSec CyberHound

Snort isn't the only open source IDS engine in town. Check out Shoki or Tamandua.

Security Focus Vulnerability Database

In Jan 03 I noted the SecurityFocus vulnerability database didn't seem to include exploits anymore. Yesterday I was searching for Windows XP vulnerabilities for a class and found one example where exploits were available.

Remote Capture Using Winpcap

Just when you thought network monitoring couldn't get any cooler -- I learned WinPcap (mailing list) version 3.0 support Remote Capture. "This is an highly experimental feature that allows [you to] interact [with] a remote machine and capture packets that are being transmitted on the remote network. This requires a remote daemon (called rpcapd) which performs the capture and sends data back and a local client that sends the appropriate commands and receives the captured data." What is even cooler -- "The [Remote] daemon [rpcapd] can be compiled and it is actually working on Linux as well." This sounds similar to SVtun. I couldn't get remote capture to work with Analyzer (Sourceforge site) by the WinPcap team, even though it natively supports remote capture.

Flow Tools

Thomas H. Ptacek, who co-authored a slightly famous paper on IDS several years ago, wrote me regarding his company's product, Peakflow X. According to their press release, the system profiles network traffic and complements traditional signature-based IDS:

"Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, should one of the internal Web servers initiate a file sharing connection to a system on the Internet, Peakflow X would immediately flag the activity as suspicious. As a result, Peakflow X can detect not only zero-day threats, like worms, but also internal misuse."

This seems like one of the best ways to deal with inspecting huge traffic flows. Readers may know I am a huge fan of products which independently capture network flows without processing stored libpcap data. Argus is the best stand-alone app, while Cisco NetFlow is an option. Luca Deri of ntop fame shared news of his nProbe, a PC-based NetFlow collector, and nBox, a Cyclades-TS100 appliance-based NetFlow collector. Commercial ntop support is available.

Problems with CISSP Questions

The June 2003 Information Security Magazine offered some great reading too. It reminded me of a Gartner statistic saying between 60 to 70 percent of Windows Server users run NT 4. Writing about his experience taking the CISSP exam, Andrew Briney nails the problem with CISSP questions:

"There's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive. Evasive: that's the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you.

It's because of these questions that you won't have an intuitive sense if you passed the exam. And it's because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they're the ones that stick in your craw as you walk out the door."

I learned while reading Thomas Ptacek's commentaries of this article blasting the CISSP. I maintain that the main redeeming aspect of the CISSP is its code of ethics, which moves digital security closer to being a true profession with a code of ethics that matters.

Security "Return on Investment"

The June 03 SC Magazine offered several excellent articles. Peter Stephenson discusses new forensic certifications, like the Certified Information Forensics Investigator (CIFI). (If you qualify by 31 Dec 03, you might be able to grandfather the cert without sitting for the test.) The same issue featured a case study called Tracking Down Cybercriminals. Unfortunately, SC Magazine quotes an Addamarkl survey saying "companies are unwilling to prosecute hackers, even when they have enough evidence for legal action. Information security departments said they preferred to fix the damage or use forensic evidence to achieve a settlement with the wrongdoer, rather than opt for legal proceedings." This is too bad, as an article by Mark Doll of E&Y discusses the effect of security incidents on share prices. In short, within three days of X, share prices dropped by Y:

• "significant security breach": 5.6%, or $15-$20 million on average


• "theft of credit card data": 15%


• "denial of service": 3.6%


• "theft of customer information": 1.2%

Finally, I say forget all this talk about security providing "return on investment." Page 15 of the Deloitte Touche Tohmatsu 2003 Global Security Survey shows 63% of executives see security as "a necessary cost of doing business." Only 13% say security is "an investment in enabling infrastructure."

Network Tools

I'm trying to find products which can intelligently analyze network traffic to supplement traditional intrusion detection products. I'd like to get a look a Silent Runner, which offers visualization and analysis tools. Lancope Stealthwatch calls itself a "behavior-based IDS" which analyzes flows to identify anomalies. Incidentally, if you're looking for a giant list of IDS and other security products, visit Talisker's Network Security Resource. SPADE, the Statistical Packet Anomaly Detection Engine for Snort, is available but I have yet to try it.

Network Computing on Foundstone

After last week's bad press at Fortune and Slashdot, some good press for Foundstone. Network Computing likes Foundstone's 2.6 scanner -- and hasn't seen 3.0 yet. This job request looks fake to me.

Guess and FTC Settlement

The SANS and Neohapsis Security Alert Consensus told me of the settlement between Guess and the FTC. From the article:

According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a vistor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.

Transforming the U.S. Air Force Enterprise Network

A captain I worked with in the AFCERT several years ago, Carl Grant, published Transforming the U.S. Air Force Enterprise Network in the latest IA Newsletter. Carl talks about the AFNOSC, which was also discussed in this testimony by the Air Force CIO John Gilligan.

FreeBSD X Configuration

I installed FreeBSD 5.1 REL on my IBM Thinkpad a20p this afternoon. I finally have X working on a FreeBSD system "out of the box" -- more or less. X couldn't auto-configure my card, but I was able to do it manually. Once I was done installing XFree86 4.3 I installed KDE 3.1. I copied the .xinitrc (just a text file with 'exec startkde' from root's home directory to my user directory.) Here's my X config file:

-bash-2.05b$ cat /etc/X11/XF86Config
Section "ServerLayout"
Identifier "Layout0"
Screen 0 "Screen0" 0 0
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mouse0" "CorePointer"
EndSection

Section "Files"
EndSection

Section "Module"
# Load "freetype"
# Load "xtt"
Load "extmod"
Load "glx"
Load "dri"
Load "dbe"
Load "record"
Load "xtrap"
Load "type1"
Load "speedo"
EndSection

Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "SysMouse"
Option "Device" "/dev/sysmouse"
EndSection

Section "InputDevice"
Identifier "Keyboard0"
Driver "keyboard"
Option "XkbModel" "pc101"
Option "XkbLayout" "us"
EndSection

Section "Monitor"
Identifier "Monitor0"
HorizSync 30.0 - 100.0
VertRefresh 50.0 - 100.0
EndSection

Section "Device"
Identifier "Card0"
Driver "ati"
EndSection

Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Depth 24
Modes "1400x1050"
EndSubSection
EndSection

Also -- Happy 10th birdthday FreeBSD!

Don't Hack Air Force Systems

It does not pay to live in the US and compromise Air Force systems! From this article:

An 18-year-old hacker who breached computers at Sandia National Laboratories and posted an anti-Israeli message on the Eglin Air Force Base Web site was sentenced Thursday to a year and a day in federal prison.

Adil Yahya Zakaria Shakour also was ordered to pay $88,253 in restitution, and his computer use was restricted during the three years he will spend under supervised release after his prison term.

Shakour, a Pakistani national who lives in Los Angeles, pleaded guilty in March to computer and credit card fraud charges.

Combining NIC interfaces on FreeBSD

I wrote this post yesterday in response to a question on how to mirror interfaces for combining tap outputs.

Microsoft Patterns and Practices

A colleague informed me of the Microsoft Patterns and Practices site, which offers book-length treatises on many subjects. The latest is Improving Web Application Security: Threats and Countermeasures.

Cisco IOS Licenses

While reading comp.dcom.sys.cisco, I found a thread discussing licenses for Cisco IOS. This abbreviation of Cisco's software transfer and licensing policy states "owners of Cisco products are only allowed to transfer, re-sell or re-lease used Cisco hardware and not the embedded software that runs on the hardware." One option for licensed use of Cisco gear at reduced prices is buying refurbished equipment, sold by authorized resellers, and getting a SMARTnet support contract to access parts of Cisco's software center. There seems to be no shortage of Asian sites offering IOS, although I suspect Trojaned versions might appear in those listings. This thread includes a lengthy post by Ted Mittelstaedt explaining how Cisco discourages eBay purchases of Cisco gear.

You go Marty!

Read Marty Roesch's response to the uninformed claims of Gartner, Inc.. From the Gartner press release:

According to the Gartner, Inc. (NYSE: IT and ITB) Information Security Hype Cycle, IDSs have failed to provide value relative to its costs and will be obsolete by 2005.

From Marty's response:

Let me get this straight… better access control will completely remove the need for auditing? Auditing functions are a fundamental part of providing defense in depth in any security environment. Do they not understand this or, perhaps, have the economic challenges for industry analysts led them to the point where citing the outrageous is a competitive necessity?

Stealing Network Address Space

Kevin Poulsen published an article on stealing network address space. From the article:

Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.