Wednesday, 28 January 2004

eBay Auction for "The Best Sr. Network/Security Engineer"

I searched for "VMS Alpha" today at eBay and found this item for auction by niteraven-99. This guy has put himself up for bid! "You are bidding on myself to work at your company. I will relocate at my expense and honor any offers received through eBay or otherwise. Here is my information. Over 15 years of extensive experience in the Information Technology Industry. Strengths are in networking, security, firewalls, LAN/WAN, Web Server, Application Server, SQL Server, and Oracle Server technologies including infrastructure design, integration, implementation,...

US-CERT National Cyber Alert System

ZDNet reports on the new National Cyber Alert System, also called the "National Cyber Advisory System." (Two names mean they're off to a great start I guess?) This portion of the new US-CERT provides the public with technical and non-technical email bulletins. I subscribed to both technical lists but have yet to hear back from the mail server. According to the press release: "The new National Cyber Alert System security suite of products includes: Cyber Security Tips: Targeted at non-technical home and corporate computer users, the bi-weekly...

Another Internet Explorer Hole

This Slashdot thread discusses a new Internet Explorer hole posted to NT-BugTraq. A good story at Infoworld makes these comments: "This hole could easily be combined with another Explorer spoofing problem discovered in December. The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented....

Sunday, 25 January 2004

Installing a Single Port

Thanks to this thread I learned how to install a single port that doesn't appear in the ports tree. For example, GNU netcat just appeared at Freshports.org on 12 Jan. I wanted to install this one port to a FreeBSD 4.9 REL box that hasn't ever updated its port tree, as shown here:

moog# ls -al /usr/ports/INDEX*
-rw-r--r-- 1 root wheel 4003057 Oct 2 16:55 /usr/ports/INDEX
-rw-r--r-- 1 root wheel 4036779 Aug 15 21:56 /usr/ports/INDEX-5

I visited...

Review of Introduction to Microprocessors Posted

Amazon.com just posted my five star review of Introduction to Microprocessors. From the review: "John Crisp's Introduction to Microprocessors (ITM) is an excellent book. It has a low average score because the author posted the first review with zero stars, which could be the result of an Amazon.com error. I loved this book. It gets right to the heart of the matter regarding the operations of microprocessors. Anyone who wants to really know what...

Friday, 23 January 2004

Blogger is "Atom-Enabled"

I learned by reading the Blogger Knowledge Base that Blogger now exports blog feeds in the Atom API. This means if your newsreader is Atom enabled, you can subscribe to it like an RSS feed. I found XML-Atom-0.05 at search.cpan.org and saw it was in the FreeBSD ports tree. I first tried NewsMonster which integrates with Mozilla and supposedly supports Atom, but encountered an error when trying to run it. I next tried BottomFeeder, and found the...

Monday, 19 January 2004

Review of Intrusion Detection and Prevention Posted

Amazon.com just posted my three-star review of Intrusion Detection and Prevention. From the review: "I had high hopes for "Intrusion Detection and Prevention" (IDAP) as it is the first book to devote chapters to different vendor IDS products. It's also the first to explicitly mention the buzzword "intrusion prevention" in its title. Unfortunately, the book does not deliver the value I expected... I took exception to some of the authors' conclusions....

Sunday, 18 January 2004

Using Sysctl on FreeBSD

I read a thread on FreeBSD-Security about seeing ARP messages on FreeBSD servers acting as firewalls or gateways. Essentially FreeBSD reports seeing the MAC address for the upstream gateway flip-flop. In other words, the upstream gateway reports MAC address X, then Y, then X, and so on. The replies in the thread reported using sysctl to change kernel state. How could you figure this out if you didn't know the appropriate variable to change? First,...

Friday, 16 January 2004

BSD for Linux Users

I just finished reading an excellent article called BSD for Linux Users by Matthew D. Fuller. He gets to the heart of the matter to describe how Linux and BSD are different. Here's an excerpt on the idea of the BSD base system: "The concept of the "base system" is something that, I think, causes the most trouble for people used to the Linux methodology. Which is perfectly understandable, because the whole idea just doesn't even exist in the Linux...

Thursday, 15 January 2004

Microsoft Provides Mozilla 1.6?

Ok, not really. This is the work of a Slashdot poster offering this link. He exploits a vulnerability in Internet Explorer explained by CERT, for which there is not yet a patch...other than running Mozil...

Network Sorcery Protocol Reference

While doing book research today I discovered the protocol resources at Network Sorcery. They clearly break down protocols by network, transport, and application layers by noting the following:

Network layer protocols are assigned EtherTypes, like 0x0806 for ARP, 0x0800 for IPv4, and 0x86DD for IPv6.

Transport layer protocols are assigned IP protocol values, like 1 for ICMP, 6 for TCP, 17 for UDP, 132 for Stream Control Transmission Protocol, and so on.

Application layer protocols are assigned one or more SCTP, TCP or UDP port numbers, like 23 for...

Tuesday, 13 January 2004

Installing FreeBSD 5.2 REL on the Thinkpad a20p

Today I installed FreeBSD 5.2 REL on my Thinkpad a20p. I used the FreeBSD Laptop Compatibility List and Paul Roe's example for guidance. I posted my results, such as dmesg output, and my XF86Config for others to reference. Here are a few tweaks to get the system working. I enabled sound with these entries in /boot/loader.conf:

snd_pcm_load="YES"
snd_csa_load="YES"

I enabled my SMC wireless NIC with this entry in /etc/rc.conf:

ifconfig_wi0="inet 192.168.2.3...

Monday, 12 January 2004

FreeBSD 5.2 Released Today!

FreeBSD 5.2 was released today. Be sure to read the errata if you have trouble with ACPI. As soon as I download the .iso I need from a mirror I will install 5.2 REL on my Thinkpad laptop. I still use 4.9 on my production systems, although many people report good results with 5.x on their servers. I was sad to see Slashdot repeated last year's debacle with FreeBSD 5.0 by posting news of the "release" prior to the official announcement. What's wrong with them? I encourage all FreeBSD users to support the project by buying a CD-ROM or T-shirt from...

Laptopsforless.com Laptop Parts

Slashdot redeemed itself today by posting a good thread on obtaining parts for your laptop. I checked out Laptopsforless.com and was able to browse for parts for my Thinkpad. While my favorite place to buy RAM remains Crucial, I'll keep Laptopsforless in mind when I need a battery or AC adapt...

TCP Sequence Numbers Explained

Today I was reading a new book on "intrusion detection and prevention" which repeats an often misinformed interpretation of TCP sequence numbers. The book said "When either party wishes to send data to the other, it will send a packet with the ACK flag set, with an acknowledgement of the last sequence number (in the Acknowledgement field) received from the remote host, and with its own sequence number incremented to reflect the amount of data being...

New Taps from NetOptics

Thanks to NetOptics, I've deployed their 10/100BaseT tap as a replacement for my Finisar model. The NetOptics device is intriguing in that it ships with redundant power inputs. I use a FreeBSD-based solution documented here to combine the two tap TX outputs into a single virtual interface. Beyond the Ethernet-based products shown here, NetOptics offers a variety of alternatives, including devices for tapping multiple ports. Shortly I hope to try NetOptics' new 10/100BaseT Port Aggregator Tap. This device has a single output, which removes the...

Saturday, 10 January 2004

A FreeBSD Kernel Module for Generating NetFlow Records

While visiting SourceForge, I queried for NetFlow and found ng_netflow, a NetGraph-based kernel module for FreeBSD. The project was started this week and the first release, ng_netflow 0.1, occurred three days ago! The author warns that this early version is for demonstration only, as the method ng_netflow uses to time out flow records can be extremely slow. With ng_netflow in the kernel, however, this method has the possibility for being much...

Friday, 09 January 2004

Trying Tenable's NeWT Security Scanner

After watching this TechTV piece on Tenable Security's new NeWT (Nessus Windows Technology) Security Scanner, I downloaded the trial version. It expires 31 Jan 04 and will scan the same class C address as the system on which it is run. I tried it on a Windows XP laptop with 384 MB RAM and a 1 GHz Pentium III CPU. It installed easily, accepting that I already had version 3.0 of WinPcap loaded. Within minutes I was scanning one of the other systems...

Thursday, 08 January 2004

Using Device Polling and More to Improve Packet Capture

I just read a fascinating paper by Luca Deri, author of Ntop, about "Improving Passive Packet Capture: Beyond Device Polling" (.pdf). Luca claims that out of the box, Windows 2000 performs better as a traffic collection platform under high loads (~80 Kpps), capturing 68% of traffic compared to 34% for FreeBSD and 0.2% for Linux kernel 2.4.x. Linux's performance improves to 1% if the mmap libpcap version is used, and up to 4% if a Netfilter-based...

Happy 1st Birthday TaoSecurity Blog

Today this blog is one year old. My first post was 8 Jan 03. I started this blog as a "hard drive for my brain," since I dislike keeping bookmarks and I prefer to place Internet links and news within context. I decided today to try to get VMWare 3.x working fully within FreeBSD, so I installed the VMWare3 port (version vmware3 3.2.1.2242-2) on my FreeBSD 4.9 STABLE system. First I made this change as recommended by the port install directions:

janney#...

Tuesday, 06 January 2004

Finisar Tap Advice Strains the Brain

At left is an image of the Finisar Ethernet tap I use in my basement to monitor traffic. I wrote about it last July when I explained the bad design of Intrusion Inc's tap. Today I was trying to find the UTP IL/1 at Finisar's site. I didn't find it, but I did find a document which shocked me. It's titled "Using Single Port Taps with IDS Systems" (.pdf). (Note to self: Intrusion Detection System Systems?) This document mentions the IL/1 and advocates...

Options for Security Shell History in FreeBSD

I was looking for a tool to secure shell histories in FreeBSD. Ideally I was looking for the FreeBSD equivalent of Snare, which can record user activities on Linux, Windows, and Solaris. I learned today Snare is the foundation for the Forensix Project. The Honeynet Project links to several tools, including the Sebek LKM. Ryan Barnett of honeypots.sf.net wrote an extensive guide (.pdf) to Snare usage. Unfortunately I couldn't find exactly that, but I did locate this excellent article at DefCon1.org. The author explains how to use FreeBSD's...

Monday, 05 January 2004

Review of Understanding Open Source Software Development Posted

Amazon.com just posted my four star review of Understanding Open Source Software Development, a new addition to my Listmania List on Management and Policy. From the review: "UOSSD is the perfect introduction to OSS for those outside the community. The book takes a fairly balanced look at the people and processes which define the open source movement. Although some aspects of the book have grown stale over the last three years, I still recommend...

Sunday, 04 January 2004

Binary Patching with OpenBSD

I tried the Binpatch binary patching system for OpenBSD today on an OpenBSD 3.3 system. I downloaded each of the archives listed for my version and then architecture, and sequentially applied them starting with 001 and ending with 008. The binpatch author Gerardo Santana Gómez Garrido told me I could avoid applying all of the kernel patches if I installed the newest one, but all of the userland patches needed to be applied. Since it was simple enough to install all of the eight archives, I tried that. Essentially I downloaded all eight archives...

Friday, 02 January 2004

Chaosreader Rocks

For a while I've been looking for a program to extract application layer data from pcap files. We all know how to rebuild sessions using Ethereal and some of us know about tcpflow. Today I found Chaosreader. It's a Perl script which parses pcap or snoop files and extracts email, images, HTML, telnet sessions, and other application data. I think this part of the Perl script defines its capabilities:

# These ports have been selected to be saved as coloured 2-way HTML files
#
@Save_As_HTML_TCP_Ports = (21,23,25,79,80,109,110,119,143,513,514,1080,...

Ipsumdump Summarizes Network Traffic

I came across Ipsumdump today. It's a program to read traffic and summarize what it sees in a user-defined format on one line. In the example below I watch the sf1 interface in real time and tell Ipsumdump to show a timestamp, source IP and port, and destination IP and port. Ipsumdump works against multiple interfaces simultaneously as well as pcap files and NetFlow traces. In the example below the first two packets are an ICMP echo and echo reply, followed by the beginning of an SSH session.

bourque# ipsumdump -tsSdD -i sf1
warning: sf1: no...