Shoki, the Alternative Open Source IDS

We all know how popular Snort is as an open source intrusion detection event generation engine. Have you ever heard of Shoki? I've known about it for a while, but will researching I found it seems to be progressing nicely. The latest release dates from May 2003. I'm probably most interested in the project's packet visualization tool, Hustler, from which the screenshot at left is taken. It looks like it doesn't just accept libpcap data, but must work with Shoki. It looks like Shoki is near the same phase as Sguil -- still rough, with some...

Read More

Ohio University Offers Excellent IDS Resources

While doing research for my book Real Digital Forensics I visited the home page for the network session data generation tool TCPTrace. I learned that a new manual was released last week. I also learned that Ohio University supports an IDS project called INBOUNDS. Their publications page is very impressive, since they host their students' theses and copies of some of the most important IDS documents of the last decade. I look forward to seeing Manikantan Ramadas, Shawn Osterman, and Brett Tjaden present their paper next week at RAID 2003 (Recent...

Read More

Running Snort On a Linksys Wireless Access Point

I read at Snort.org how Jim Buzbee figured out how to run Snort on his Linksys WAP. This is no joke. The folks at Seattle Wireless discovered the Linksys WRT54G runs Linux kernel 2.4.5. Through a bug they investigated the box thoroughly. They also physically disassembled the box. They learned the web server used to administer the device is mini_httpd. Amazi...

Read More

Is Earth Station Five a Hoax?

Is Earth Station Five a media industry sting operation? A few friends told me about this site today, so I poked around a bit. ES5 appears to be some sort of file-sharing network which thumbs its nose to the Recording Industry Association of America and the Motion Picture Association of America.ES5 seems to have made its biggest splash in this CNET News.com article where ES5 "President" "Ras Kabir" claims "We're in Palestine, in a refugee camp."...

Read More

New "CISSP Associate" for People without Years

I learned today that people who would like to be a CISSP without having the necessary number of years experience can become a CISSP Associate. I find this rather odd. According to the press release: "After passing the selected exam and signing (ISC)2's Code of Ethics, the Associate must garner the requisite work experience and successfully complete a professional endorsement process before he/she becomes officially certified as CISSP or SSCP. The CISSP, designed for professionals devising information security strategy, requires four years of...

Read More

Reviews of Absolute OpenBSD, Protect Your Information with Intrusion Detection Posted

Amazon.com just posted my five star review of Absolute OpenBSD. I thought this was a great book. No one else has written a general-purpose OpenBSD system administration guide. I used the book to get my first familiarity with OpenBSD. Michael is working on a book for NetBSD now called Absolute NetBSD. From the review: "The bottom line is this: Michael Lucas knows what to write to help system administrators get the job done. I wish other authors...

Read More

While reading a Slashdot story on a Curses library (.pdf) version of GTK (The Gimp Toolkit) called Cursed GTK, I found a link to Contiki, a "highly portable, modern, open source, Internet-enabled operating system and desktop environment for very constrained systems, such as 8-bit homecomputers like the Commodore 64." You can access Ethernet using this special NIC. Can it get better? Oh yes. You can access a Commodore 64 remotely using a special...

Read More

Security News Ticker Added to Blog

I find the security news ticker from Security News Portal to be very helpful, so I added it to the blog. Let me know if you like it or dislike ...

Read More

New Version of SHADOW IDS Released

I read on snort-users that Guy Bruneau released version 3.1 of the SHADOW IDS. Installation documentation (.pdf) is available. You can download an .iso. I'm interested in seeing how the .iso works out. With VMWare I can install directly from the .iso without burning it to CD-ROM. Keep in mind SHADOW is a packet-header based IDS. It is not a content inspection system like Snort or commercial IDS. Still, it can be usef...

Read More

ISECOM Provides "Non-Profit" Competition for SANS

I learned that a new edition of the Open Source Security Testing Methodology Manual was released Saturday. The OSSTMM is a consensus document whose objective is "to create one accepted method for performing a thorough security test." It is created by the Institute for Security and Open Methodologies, described here as "a non-profit organization which provides collective information and tools under the open source licenses for free public use. This information is provided via the Internet and through social venues and conferences." This sounds...

Read More

Watch Connections with Free Tools

If you're using a Linux-based NAT (or "IP Masquerading") firewall as an inline device, and you may need a way to check the sessions as they pass. ConnViewer will do that for you. Pkstat will give text-based traffic statistics, as will other tools listed on that si...

Read More

WAP Gateway Allows Testing, Access

Wireless Application Protocol, or WAP, is a protocol allowing some mobile devices (cell phones mainly) to "surf" the Internet. I found this Public WAP Gateway, with which you can test your phone! Check the Yahoo Forum for the web site to see how people are using this free servi...

Read More

Researchers Use "Fuzzing" to Find Security Flaws

When I attended Black Hat USA 2003 last month, several presenters mentioned "fuzzing" as a technique to find security vulnerabilities. As I understand it, fuzzing involves sending unexpected input to an application and monitoring its responses for signs of vulnerabilities. The most widely known tool is Dave Aitel's SPIKE. The PROTOS suite was famous for its discovery of SNMP weaknesses last year. The IP Stack Integrity Checker is another open source tool. There are alternatives to these tools in private use, and some offer other methods,...

Read More

Oakley Networks Product Monitors for Inappropriate Insider Activity

Earlier I mentioned Vericept, whose product watched for the movement of sensitive data out of corporate networks. I recently learned of Oakley Networks, whose IO-3 product appears to do something similar. Rather than watching for suspicious inbound activity, typically caused by intrusion attempts, this product watches for leakages of data defined by the administrator. Of course, the product only gets interesting if we know it doesn't "grep for strings." We could program Snort or ngrep to do th...

Read More

In my never-ending quest to discover obscure ways to transfer data, I've used BBS', the Internet, private government networks, and amateur radio packet networks. Now I've learned of a system called FidoNet. FidoNet is a system whereby users transder mail and files via modem using a "proprietary protocol." These systems link to gateways connected to the Internet, so mail can be exchanged between the two networks. It seems the appeal of FidoNet is the class of users is different, and there's more of a sense of community. FidoNet is strictly regulated,...

Read More

Visualization Software for Snort Alerts

I haven't tried this yet, but called Scanmap3d is available to visually depict Snort alerts. The military has been interested in this sort of technology for years, which gave birth to Silent Runner. IF Scanmap3d displays alerts, that's interesting. I wonder if it could be adapted to display session data, perhaps from Argus? According to this May 03 press released, Silent Runner received a patent for their technology:"The U.S. Department of Commerce...

Read More

Review of The Complete FreeBSD, 4th Ed Posted

Amazon.com finally posted my five star review of The Complete FreeBSD, 4th Ed.. Currently it appears on my personal reviews site but I expect to see it on the book's individual page soon. From the review: "Before reading Greg Lehey's "The Complete FreeBSD, 4th Ed" (TCF:4E), I reviewed Michael Lucas' excellent "Absolute BSD" (a FreeBSD book) in Feb 03. I can't say which book is better, and I recommend you buy Lucas' book as well as this one. TCF:4E...

Read More

Blaster Strikes Railroad Company

Striking a little closer to home, CSX, operator of "the largest rail network in the eastern United States," reported "significant slowdowns early today after a computer virus infected the network." I ride the Virginia Railway Express to the Foundstone DC office, but I didn't take it yesterday. According to the CSX press release: "The infection resulted in a slowdown of major applications, including dispatching and signal systems. As a result, passenger and freight train traffic was halted immediately, including the morning commuter train service...

Read More

Slammer (Jan 03) Crashed Ohio Nuke Plant

Kevin Poulsen wrote an excellent article on the means by which Slammer (not Blaster) "penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall." The article shows how network admins do not understand the connectivity of their networks, which then allows customer networks...

Read More

AFCERT Keeps the Faith

Next week I head back to San Antonio to teach Foundstone's "Ultimate Hacking" to members of the 33rd Information Operations Squadron, which includes the Air Force Computer Emergency Response Team (AFCERT). I served as a captain in the AFCERT from Sep 98 through Feb 01. Thanks to the magic of archive.org, you can see the first job I was stuck with doing, before I learned IDS -- redesigning the AFCERT web page! I provided content for some of the...

Read More

Time Magazine on Blackout

I'm not a big TIME magazine reader but I thought their recent story on the blackout offered some cool graphics, like this depiction of the northeast power grid. Their Shockwave animation is also neat. Be sure to visit TIME's site to read the whole accou...

Read More

Updating My Mini-PC... I Mean Cell Phone

I've had a Motorola i90c cell phone for a year and a half now. I've known all along that the i90c is for all intents a general purpose computer, with memory, CPU, and I/O. I've used my Nextel Online service to download Java applications, but no one has yet hacked me via a malicious Java application. It will happen though. This CNN story says "Victor Brilon, Java applications manager at Nokia, and Charles Chopp, Nokia's media relations manager,...

Read More

FDIC Proposes Guidelines Telling Banks to Notify Customers of Breaches

SANS Newsbites informed me of a Washington Post article on the Federal Deposit Insurance Corporation's plans for new banking guidelines. From the story: "Under the proposal, banks and other financial institutions would alert customers by mail, telephone or e-mail, when they find unauthorized access to personal data that could result in substantial harm or inconvenience. Banks also would be told to flag any accounts that may have been compromised and monitor them for unusual or suspicious activity." This marks a significant break from standard...

Read More

Last Day to Oppose Broadband over Power Lines (BPL)

I just learned of this issue Monday night at an amateur radio meeting. The Federal Communications Commission released a "notice of inquiry" (NOI) (.pdf, .doc) on 28 Apr 03 regarding "Broadband over Power Lines" (BPL). The American Radio Relay League, an organization supporting amateur radio, filed its opposition to BPL, and I encourage readers who care about supporting amateur radio to do the same. Today is the last day to submit a comment to the FCC! I describe how to do so below. BPL involves sending data in the form of electrical signals...

Read More

Study Shows Blackout's Effects on Individual Routers

Slashdot alerted me to an online report on the effects of the northeast blackout on individual routers. Renesys monitored BGP announcements and watched routers drop out of the tables, as shown in their graph below. From the report: "The majority of the power failures began at about 16:10 EDT. Immediately thereafter, the number of routes in global routing tables dropped rapidly, falling by nearly 1000 within five minutes. This likely corresponded to the loss of reachability of networks which did not have alternative backup power sources. Table...

Read More

Systrace Policy Library

While reading Michael Lucas' excellent Absolute OpenBSD, I learned of a project which maintains a library of Systrace policies called the Hairy Eyeball Project. Systrace allows administrators to define which system calls their applications can execute. Systrace is included in OpenBSD and ports exist for other operating systems. I most interested in the FreeBSD version which Rich Murphey presented at DefCon XI. I haven't seen anything from DefCon XI posted in the site's archives yet. While perusing the mailing lists I discovered CerbNG which...

Read More

Webcast on Network Security Monitoring

At 9 am eastern on Wed 28 Aug 03 my webcast "Implementing network security monitoring with open source tools" will "premiere" at searchsecurity.com. You can sign up here. It won't be live since I'm recording it Thursday afternoon, but you can submit questions which I'll answer on their web site. It's a sequel to last year's webcast mentioned on my press pa...

Read More

Bring New Life to Your Commodore 64

My dad recently shipped my old Commodore 64 to me and I'm trying to figure out how best to use it. It would be fun to run a BBS accessible via telnet, like these. My Commodore 64, 1541 disk drive, Capetronic 1200 baud modem, and RS-232 serial interface all work, but I need software for the C-64. There are plenty of games that run on emulators, but how do I get software from the archives onto the C-64? Assuming the C-64 has no terminal software...

Read More

Internet Radio Linking Project Connects the World

When I attended Black Hat USA 2003 in Las Vegas last month, I brought my amateur radio with me and found myself listening to callers all over the world. It turns out I had stumbled upon a frequency used by the Internet Radio Linking Project. The IRLP links amateur radio repeaters by encapsulating voice communications over the Internet. So, when I listened to 146.40 MHz in Las Vegas, I was listening to node 3290 on the IRLP! This is another example of how amateur radio is alive and well in the age of IRC and text messaging via cellphone. You...

Read More

Email Sent from Amateur Radio Network to Internet and Back

Today I visited the Ham Radio Outlet in Woodbridge, VA and bought a Kantronics KPC-3+, pictured above. This little beauty is a "Terminal Node Controller" (TNC) and it lets my HTX-202 2 meter radio (pictured next) talk to the "packet radio" network around the world. Combine this equipment with an amateur radio license and you're ready to go! (I earned my Technician class license in 2001.)I cabled my laptop to the KPC-3+, and cabled the KPC-3+ to...

Read More

Blog Enhancements

Since I still can't upgrade to Blogger Pro, I'm trying a few free services. First, I added a counter courtesy of Sitemeter.com. I'm also I'm experimenting with a free service that allows readers to comment, courtesy of BlogExtra. I got ideas on both from CFMXPLUS. Let me know what you think! Update: I removed the comment service as it doesn't seem to be working now....

Read More

Reliable Software Group Produces Security Code

Yesterday I came across the Reliable Software Group at the University of California Santa Barbara. They offer research on several projects, but the one of most interest to me is STAT, or "State Transition Analysis Technique for Real-Time Intrusion Detection." They provide RPMs for Red Hat 7.3 and packages for Solaris 7 SPARC, so I might give some of their code a t...

Read More

Computer Forensic Conference Concludes

Today the Regional Computer Forensic Group finishes their Annual GMU Computer Forensics Symposium. The RCFG is sponsored by the High Technology Crime Investigation Association DC Chapter. I watched two of my Foundstone coworkers brief scenarios based on cases we've worked during the last few years. You don't have to be a Fed to join the HTCIA, although some of the briefings at the conference were "confidential" and closed to those outside the government or law enforceme...

Read More

Effect of East Coast Blackout on Internet

Yesterday just after 6 pm eastern I checked the Internet Health Report to see if the east coast blackout was affecting the Internet. I didn't see anything out of the ordinary.Looking at the Internet Traffic Report, however, as of this writing a core router in Michigan, danu.ili.net (209.115.84.254), appears down. Since my father-in-law in Michigan reported he's still without power, maybe that's the cause. Of the 78 routers monitored in North America...

Read More

Running Four VMWare Guests Simultaneously

I installed Red Hat 9.0 on my IBM ThinkBrink (I mean ThinkPad) a20p yesterday. It has 384 MB RAM and a 20 GB hard drive. I then installed a trial version of VMWare 4 for Linux. Next, I installed images of Windows NT 4, Red Hat 7.0, FreeBSD 4.3, and Solaris 7 x86. I gave each OS 32 MB RAM and between 1-3 GB hard drive space. I was able to run all four OS simultaneously without a real problem, although I didn't run X in Linux and FreeBSD. Solaris...

Read More

Knoppix

Several people have told me to try Knoppix, a bootable Linux distro that runs in a RAM disk. I gave it a shot, running it straight from my CD-ROM drive and then within a virtual machine to acquire screen shots. This is a great idea if you want to try Linux without installing a full distro on your hard drive. Knoppix is entirely memory-resident, so if you power off your machine Knoppix disappears. I must note that upon restarting my Windows XP...

Read More

GNU FTP Site Compromised

While perusing recent CERT advisories, I read gnu.ftp.org was compromised in Mar 03 but discovered only this month. According to the annoucement, "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted." This shows escalating privileges to root isn't the "end game," as this intruder sought to leverage that access to...

Read More

hrack 61 Released

Phrack 61 was released today. The mag has the usual mix of clever put-downs of the clueless in the loopback section, and cutting-edge programming-oriented articles in the main sections. Phrack 60 was released in Dec ...

Read More

Vulnerability in TCPFlow

@stake discovered a vulnerability in one of my favorite network security monitoring tools -- TCPflow. TCPFlow can read libpcap data and generate files containing the contents of network sessions. It's used in Sguil to create "transcripts." Be sure to upgrade to v0.21, released 7 August 2003. The FreeBSD port hasn't been updated y...

Read More

Meta Group on IDS

Meta Group, a firm which competes with Gartner for the ears and dollars of CIOs, is reported to have said "commitment to IT security in big business has never been stronger, with network and host intrusion detection systems (IDS) high on the shopping list." Meta sounds like they know their stuff: "Meta vice president Tom Scholtz said organisations that had taken an intelligent approach to IDS have had no problem establishing the value of the technologies. But he added: "Those that have purchased a product without the benefit of an underlying...

Read More

OS Uptime Project

When looking to see who was running OpenBSD 3.3 on 486 boxes (more on this later), I discovered The Uptimes Project. Participants install a daemon on their systems which report uptimes to a central site. Beyond general statistics, you can check individual operating systems, such as FreeBSD. Maybe once my home network has been stabilized I will try this o...

Read More

Enabling Serial Console Access in FreeBSD

Back in February I posted a means to enable serial access to my FreeBSD 5.0 RELEASE box. I'm not sure where I got that method, even though it worked. A more correct method is to change an entry in /etc/ttys from this ttyd0 "/usr/libexec/getty std.9600" dialup off secureto this ttyd0 "/usr/libexec/getty std.9600" dialup on secureOptionally, for faster access, make the line look like this ttyd0 "/usr/libexec/getty std.115200" dialup on secureBe sure to restart process 1 (init) using 'kill -1 1'. Then configure your terminal client...

Read More

Msblast Worm Ravaging Internet?

Hardly, although it's clear a lot of recon is ongoing and thousands of Windows boxes are being owned. Consider this data from the Internet Storm Center: That's a lot of scanning, but what effect is there on the Internet? Here's a snapshot from the Internet Health Report: Contrast that report with one posted by H.D. Moore during Slammer. All of the red means severe problems, which aren't seen in today's report: What this worm proves is...

Read More

Vulnerability in Realpath(3) Function Could Lead to Remote Root Compromise

I just read the FreeBSD security advisory on the realpath(3) function, which "is used to determine the canonical, absolute pathname from a given pathname which may contain extra "/" characters, references to ""/." or "/../", or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. . . Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation." This is a problem because all releases of FreeBSD up to and including 4.8-RELEASE and...

Read More

MyRSS feed for TaoSecurity Blog, but So What?

It looks like MyRSS somehow has a feed for this blog. If someone would like to try it and let me know how it works, please contact me at blog at taosecurity dot com. I am particularly interested in who uses RSS 0.91 or 1.0. This free site appears to update its RSS feed once per day. It looks like it's pulling the titles from the first link in the story, which means it takes you directly to the first link of the post and not the blog itself. :( I'm still working on upgrading to Blogger Pro, but they haven't answer my email on their upgrade...

Read More

IOS Updates

Last month I posted that I bought Cisco gear from a reseller in Virginia. I bought new gear with software licenses, and got a SmartNet contract so I have legitimate access to IOS updates. I had read of problems with licensing if I bought used gear through eBay. Well, Slashdot is discussing this Infoworld article on that very subject. From the article: "I made the mistake of showing a visiting Cisco rep the 2611 router I’d purchased on eBay for $1,200,” says Mark Payton, director of IT at the Vermont Academy, a school in Saxtons River, Vt....

Read More

Portknocking

I read in the June 03 Sys Admin magazine about Portknocking. The basic idea involves using a firewall and log watcher to respond in a user-defined manner to sequences of connection attempts to closed ports. For example, connections to ports 100, 102, 101, and 201 mean "open up secure shell for the source IP address." This is really a twist on the idea of covert channels, but it has lots of possibilities -- including an attacker who brute forces the system to gain access. It's still a neat idea.The September 03 Sys Admin magazine is available,...

Read More

Troubleshooting Thunderbird

I've had it with the "upgrade" to the Web-based email I use at Comcast. (I might be revealing too much about how I get my email, but if you wanted to hack me before there was enough info out there to do it already. I'm assuming you have no interest in accessing my mail at this point.) I used to use Comcast's Web-based email system because I constantly rebuilt machines and liked keeping non-work email elsewhere. Now that I've decided Comcast's...

Read More