Monday, 28 February 2005

On the CCNA Road

This morning I began training to test for the Cisco Certified Network Associate certification. I am in a class offered by GlobalNet Training in northern Virginia. My company ManTech agreed to pay my way, as they support sending engineers to a week's worth of training per year. My instructor is Todd Lammle, author of the recently updated CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801) study guide. Two weeks ago I saw Todd was personally teaching this class, so I immediately signed up. I'm probably not the easiest student to...

Sunday, 27 February 2005

Review of The Art of Computer Virus Research and Defense Posted

Amazon.com just posted my five star review of The Art of Computer Virus Research and Defense. From the review: "Peter Szor's The Art of Computer Virus Research and Defense (TAOCVRAD) is one of the best technical books I've ever read, and I've reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a...

Jesse James Makes a Flying Car

The Virginia-Pilot reports that Monster Garage host Jesse James flew his modified Panoz Esperante Friday. As the image by photographer Drew C. Wilson shows, the car actually lifted off the runway. The story says "James didn’t get liftoff on the first pass as he tried to get a feel for the craft and the runway. On the second try, just as he reached 80 mph, the wheels lifted about two feet off the pavement, and the craft soared for about 3 seconds...

Thursday, 24 February 2005

Pre-Review: Introduction to Assembly Language Programming

Sometime during the last seven years I decided it was acceptable to read college texts as a way to learn advanced computing topics. These were the same books I was glad to ditch at the end of a college semester when I was a cadet at the Air Force Academy. Now I've received a new college text, and I'm looking forward to reading it. The new book, courtesy of Springer, is Introduction to Assembly Language Programming, 2nd Ed, by Sivarama P. Dandamudi....

Pre-Review: The Art of Intrusion

I received Kevin Mitnick's new book The Art of Intrusion yesterday. This is a sequel to his 2001 book The Art of Deception. The new book is the result of Kevin's 2004 call for hackers where he said "I'm putting out a call to all current and former hackers to tell me about your sexiest hack. I'm not looking for those who simply downloaded and used pre-packaged exploits, but hackers who have shown innovation and ingenuity to compromise their targets." I...

FreeBSD Logo Competition Has Begun

The logo-contest.freebsd.org site is operational. The competition ends 31 May. A cleaned-up announcement has the details. Note: "Beastie will be continue [sic] to represent the FreeBSD Project as our mascot." The English is poor, but the message is clear enou...

Insiders or Outsiders: Bigger Risk?

NetworkWorldFusion features a debate between two authors. One writes Employees [are] the biggest threat to network security. The other says Intruders [are] the biggest threat to network security. My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think. Outsiders, on the other hand, are frequently attacking and exploiting enterprises, but they are not often causing the sort of damage a rogue insider could. What do you think? Which...

Investigating the Paris Hilton Incident

More details are emerging regarding the Paris Hilton cellphone incident. I'd like to use this case to take a look at the various approaches used to perform incident response. The first two methods are technical, and the third is non-technical. First we have the assessment approach. This involves probing target systems which may have been involved in the incident. Assessors look for security weaknesses in services and applications they believe could have yielded the information acquired by the intruders. Jack Koziol's recent blog entry is an...

Wednesday, 23 February 2005

Google Hack Honeypot

Google-fu master J0hnny Long announced the Google Hack Honeypot (GHH) last week. The introduction states: "GHH emulates a vulnerable web application by allowing itself to be indexed by search engines. It's hidden from casual page viewers, but is found through the use of a crawler or search engine. It does this through the use of a transparent link which isn't detected by casual browsing but is found when a search engine crawler indexes a site. The transparent link (when well crafted) will reduce false positives and avoid a fingerprint of the honeypot. The...
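The mechanism described above has a useful consequence for the defender: because no human browsing the site would ever follow the transparent link, any request for the honeypot page is either a search engine indexing it or someone who found it through a search engine. The following is an added example, not GHH's own code, showing how a practitioner might triage web-server log lines for such hits: it keeps only requests for the honeypot path, separates crawler indexing from human visitors, and for visitors arriving from a search results page recovers the query they used. The honeypot path (/ghh/phpshell.php), the Apache "combined" log format, and the sample log lines are all assumptions constructed for illustration.

```python
"""Added example (not GHH's own code): triage web-server hits on a
Google Hack Honeypot page.  The page is reachable only through a link
a human would not notice, so every request for it is either a search
engine crawler indexing it or a visitor who found it via a search
engine.  For each hit we report the kind and, for search referrals,
the query that led the visitor to the page.

Assumptions (not from the original post): the honeypot lives at
/ghh/phpshell.php, logs are Apache 'combined' format, and the sample
log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

HONEYPOT_PATH = "/ghh/phpshell.php"  # assumed path of the honeypot page

# Apache "combined" format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search-engine result hosts and the query-string parameter each uses.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "google.com": "q",
    "search.yahoo.com": "p",
    "search.msn.com": "q",
}

# Substrings that identify the major crawlers of the day by User-Agent.
CRAWLER_MARKERS = ("googlebot", "slurp", "msnbot")


def classify(line):
    """Return None for lines not touching the honeypot; otherwise a dict
    with kind = 'crawler' (search engine indexing the page),
    'search-referral' (visitor arriving from a results page, with the
    query they used) or 'direct' (no search referer; worth a closer look)."""
    m = LOG_RE.match(line)
    if not m or urlparse(m.group("path")).path != HONEYPOT_PATH:
        return None
    hit = {"host": m.group("host"), "time": m.group("time"), "query": None}
    agent = m.group("agent").lower()
    if any(marker in agent for marker in CRAWLER_MARKERS):
        hit["kind"] = "crawler"
        return hit
    ref = urlparse(m.group("referer"))
    param = SEARCH_ENGINES.get(ref.netloc.lower())
    if param:
        hit["kind"] = "search-referral"
        hit["query"] = parse_qs(ref.query).get(param, [None])[0]
    else:
        hit["kind"] = "direct"
    return hit


def triage(lines):
    """Classify every line and return only the honeypot hits, in order."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log: an ordinary page view, Googlebot crawling the
# honeypot, a visitor arriving from a Google search for the "dork", and
# a visitor hitting the page with no referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2005:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '66.249.0.1 - - [23/Feb/2005:10:05:00 -0500] "GET /ghh/phpshell.php HTTP/1.1" 200 812 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '192.0.2.77 - - [23/Feb/2005:11:30:45 -0500] "GET /ghh/phpshell.php HTTP/1.1" 200 812 "http://www.google.com/search?q=intitle%3A%22phpshell%22+inurl%3Aphpshell.php&hl=en" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.9 - - [23/Feb/2005:12:00:00 -0500] "GET /ghh/phpshell.php?cmd=id HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows)"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The recovered query is the interesting artifact: it tells you which Google search string is leading people to your decoy, which is exactly the "information leakage" signal the honeypot exists to capture. Direct hits with no referer deserve scrutiny too, since a search referer is easy to strip.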

European Scene Magazine Hakin9

My friend James Rodgers pointed me towards a European hacking magazine, Hakin9. It's been around for a while, but the English edition just launched last month. Looking through the contents, the articles appear more tech-oriented and certainly more advanced than the average 2600 magazine. The cover story, pictured at right, by Kamil Folga, discusses Cisco IOS security. It's well-written, with command syntax, diagrams, output listings, screen shots, and helpful advice. A one year, 6 issue, hard copy subscription costs 38 EUR or US $51. The...

Tuesday, 22 February 2005

Me, My Book, and Sguil Are "Bilanoed"

I am happy to report that myself, my book The Tao of Network Security Monitoring, and our suite Sguil have been "Bilanoed." I have coined this term to refer to being parodied by Mr. Billy B. Bilano. I first became aware of this fictional (man, I hope he's fictional) character when he described a "crypto virus" on the Full-Disclosure list. Watching people feed the troll was hilarious. Bill's latest message can be found in his posting to Snort-users....

Paris Hilton T-Mobile Musings

Reuters reporter Andy Sullivan asked me to comment for his story Paris Hilton Exposed on Web After Phone Hacked. I believe this is a continuation of the T-Mobile database incident I blogged earlier. Chances are the original perpetrators obtained T-Mobile customer credentials (user names and passwords) and kept them to themselves, initially. Then, to impress their friends, the intruders shared some or all of the data. Eventually the credentials were passed to one or more parties who thought to make themselves "famous" by posting sensitive information...

The Jericho Forum

You may have read of The Jericho Forum in the latest SC Magazine. The Jericho Forum describes itself as "an international forum of IT customer and vendor organisations dedicated to the development of open standards to enable secure, boundaryless information flows across organisations." I read stories on them as early as March 2004, two months after they formed. The group appears to be built from representatives of European companies. They are attracting attention for their "de-perimeterisation" and "open network" ideas, which their "Visioning...

Lockheed Martin Acquires The Sytex Group

On Friday Lockheed Martin announced it is buying The Sytex Group for $462 million. Sytex's revenue for 2004 was $425 million, not much less than the asking price. It shows that service companies sell for much less than product companies. According to the cited story, about 85 percent of Sytex’s revenue comes from the US Department of Defense. I guess those contracts are not worth as much in forward-looking terms as one might expe...

Rate My Network Diagram

Everyone's probably visited Hot or Not at some point. The site allows visitors to rate pictures supposedly uploaded by the person depicted. Matt Gibson of Flewid Productions expanded on the idea with his Rate My Network Diagram site. Powered by I-Rater, like Hot or Not, Rate My Network Diagram lets visitors critique network plans uploaded by users. Although the site has been operating since September 2003, I just became aware of it. I like the idea of being able to browse network diagrams and devising ways to improve their security or visibility....

Monday, 21 February 2005

Pre-Review: Apple I Replica Creation

We move from a purely managerial topic in my last blog entry to an exceedingly technical one. Apple I Replica Creation: Back to the Garage by Tom Owad is as unique a technical book as you'll ever see. The book shows the reader how to assemble an Apple 1 replica using a kit from Briel Computers. Author Tom Owad explains soldering, digital logic, and programming in assembly and BASIC. Appendices also cover hacking a Macintosh SE and elementary...

Pre-Review: Mapping Security

I recently received Mapping Security: The Corporate Security Sourcebook for Today's Global Economy by Tom Patterson and Scott Gleeson Blue, published by Addison-Wesley for Symantec Press. This is the second book from Symantec's new publishing venture. The first was The Executive Guide to Information Security: Threats, Challenges, and Solutions by Mark Egan and Tim Mather. Their third and latest is The Art of Computer Virus Research and Defense...

Saturday, 19 February 2005

ChoicePoint Data Theft Worse Than Initially Reported

As I originally suspected, the ChoicePoint fraud case has expanded to a national scope. The Associated Press is reporting that half a million people across the United States may have had their information stolen. Attorneys general from 38 states have demanded that ChoicePoint warn any victims in their states, beyond those in California. So far a 41-year-old Nigerian, Olatunji Oluwatosin, has been sentenced to 16 months in jail. According to AP, Oluwatosin "was arrested on Oct. 27 when ChoicePoint faxed him some paperwork at a Kinko's store in...

Additional Thoughts on Air Force Contracts with Microsoft

I received the February 2005 issue of SC Magazine last week. It features a cover story on the Air Force's Chief Information Officer, John Gilligan, and the $500 million contract consolidation effort that will save the AF $100 million over six years. I commented on this last year and earlier this week. Now I see that Mr. Gilligan has won the SC Magazine US Editors Award. Ostensibly Mr. Gilligan was given this award because he is working to standardize Microsoft software deployed across the Air Force. I would rather have seen him win the award...

2004 US Government Security Report Card

This is the US House Committee on Government Reform 2004 report card for US Federal government security. I wrote about the report for CY 2003 at the end of 2003. The big news for this year's report card are the huge swings made by some agencies. Justice and Interior improved from F's to B- and C+, respectively, while State marginally moved out of the failing category by progressing from F to D+. Others regressed, some substantially; the NSF dropped...

Friday, 18 February 2005

Border Gateway Protocol Resources Mentioned in Matthews Book

I was pleased to see WAN protocols like Border Gateway Protocol (BGP) covered in Computer Networking: Internet Protocols in Action, especially since BGP traces appear on the book's CD. In conjunction with her BGP discussion, author Jeanna Matthews mentions BGP resources like traceroute.org, the University of Oregon Route Views Project, Merit Network's Routing Assets Database, and Looking Glass sites. I also found a Router Server Wiki and a Looking...

Review of Computer Networking: Internet Protocols in Action Posted

Amazon.com just posted my five star review of Computer Networking: Internet Protocols in Action. From the review:"I eagerly anticipated reading Jeanna Matthews' Computer Networking: Internet Protocols in Action (CN:IPIA). I am always looking for good networking books to recommend to people asking how to enter the digital security field. I am pleased to report that CN:IPIA is an excellent, hands-on, packet-oriented introduction to networking, suitable...

Thursday, 17 February 2005

Lt Gen Michael Hayden to be Deputy Director of National Intelligence

I listened to President Bush announce that he's selected Ambassador to Iraq John Negroponte as the new Director of National Intelligence. No one seems to be publishing the story that current head of the National Security Agency, Michael Hayden, will be Ambassador Negroponte's deputy. I think General Hayden is an excellent choice. He could have been the Director, rather than the deputy. I worked as a lieutenant at Air Intelligence Agency when General Hayden was the AIA commander. I think everyone who ever met him was impressed by his intelligence,...

Sun's Thin Clients vs Other "Thin Clients"

JustinS posted a comment asking about the difference between a thin client like Sun's new Sun Ray 170 and alternative devices. I specifically mentioned Wyse in a previous story. This is the form factor for their Winterm S30 and their Winterm S50. The S30 runs Windows CE 5.0 while the S50 runs a Linux distro with the 2.6 kernel. In my opinion, these aren't "thin clients" at all, but rather "embedded" devices. In contrast, the Sun Ray does not run a conventional operating system. It doesn't run embedded Windows, Linux, or Solaris. There is enough...

Wednesday, 16 February 2005

As Always, .gov and .mil Fight the Last War

The latest SANS Newsbites happily reports on a FCW article titled OMB likes Air Force's patch strategy. The US Office of Management and Budget's Karen Evans reportedly likes the US Air Force's plans to "deliver standardized and securely configured Microsoft software throughout the service." Brig. Gen. Ronnie Hawkins, director of communications operations in the Air Force's Office of the Deputy Chief of Staff for Installation and Logistics, says "We'll decide which configurations will be acceptable in the Air Force... We'll then implement these...

Tuesday, 15 February 2005

Pre-Review: Network Processors: Architectures, Protocols, and Platforms

Today I received the first of several books which I hope will illuminate the world of hardware specially-built for networking tasks. This book is Network Processors: Architectures, Protocols, and Platforms by Panos Lekkas and published by McGraw-Hill. A network processor is a programmable processor designed specifically for processing packets. They are an alternative to Application-Specific Integrated Circuits (ASICs), which cost about $1 million...

Kudos to Microsoft

According to this TechWeb story, Microsoft is denying access to MSN Messenger clients older than version 6.2.0205. This is a response to Core Security's advisory, which Microsoft followed with MS05-009. A malformed buddy image could exploit a vulnerable user's instant messaging (IM) client. Microsoft even posted a dedicated page explaining the problem to IM users. This is the first time I recall a vendor (at least Microsoft) denying access to...

ChoicePoint Information Theft: An Omen

I read at MSNBC that 30,000 - 35,000 California residents were warned that "unauthorized third parties" may have accessed their personal information, such as their names, addresses, Social Security numbers, credit reports and other information. The data was stolen from ChoicePoint, an Atlanta-based firm that describes itself as "a trusted source and leading provider of decision-making information that helps reduce fraud and mitigate risk. ChoicePoint has grown from the nation's premier source of data to the insurance industry into the premier...

Monday, 14 February 2005

Review of Google Hacking for Penetration Testers Posted

Amazon.com just posted my five star review of Google Hacking for Penetration Testers. In short, this book rocks. From the review:"'Google Hacking for Penetration Testers' (GHFPT) should be a wake-up call for organizations that consider 'information leakage' a theoretical problem. 'Information leakage' refers to the unintentional disclosure of sensitive information to public forums, like the Web. Security staff can use the tools and techniques outlined...

Pre-Reviews: On Bejtlich's Bookshelf

Many publishers have been kind enough to send review copies of interesting books. I am especially grateful when publishers send books I definitely plan to read. Unfortunately, in some cases the time between my receipt of the book and my Amazon.com review is longer than I would like. The purpose of this blog entry is to let you know of the great books I have waiting on my bookshelf. They are the same ones listed on my reading list. As I receive books on my Amazon.com...

Updated Sguil 0.5.3 Installation Guide Posted

I just posted an updated Sguil Installation Guide. The previous edition was slightly out-of-sync with the directory conventions introduced in Sguil 0.5.3. I also was careful to account for actions required when installing separate sensor, database, and sguild server components. The new guide does not yet describe installing Snort or Barnyard on FreeBSD using the ports tree. Once Paul Schmehl finishes his work on Sguil ports, I will redo the guide...

Sunday, 13 February 2005

Thoughts on MCI Acquisition of NetSec

I only recently learned that telecom giant MCI bought managed security services provider NetSec for $105 million. Other telecom companies might want to look at Lisa Phifer's Managed Security Service Provider Survey or Adam Stone's In MSSPs We Trust for acquisition candidates. I expect acquisitions to continue, as there are between one and two dozen small MSSPs available. There are also people like myself who know how to build MSSPs from the ground up (hint hint). :)

Update: It must be confusing to work for NetSec. One minute you're working...

Friday, 11 February 2005

Two Questions for Readers

I have two questions for readers:

1. What is the cheapest switch you've found that offers a SPAN port?

2. Is anyone interested in writing a chapter providing an overview of peer-to-peer protocols? I have been unable to contact the subject matter expert I hoped would contribute this section to my new book. I am looking for someone with experience detecting, interpreting, and controlling peer-to-peer protocols on internal networks. I am interested in providing the reader the following:

- Overview of general p2p principles and networks
- Discussion...

Thursday, 10 February 2005

Mark Rasch on Caballes Case

Last month I wrote on the Caballes drug case. On Tuesday the former head of the US DoJ's computer crimes squad wrote Of Dog Sniffs and Packet Sniffs. In his article Mark Rasch says: "[T]he search by the dog into, effectively, the entire contents of a closed container inside a locked trunk, without probable cause, was 'reasonable' even though the driver and society would consider the closed container 'private' because the search only revealed criminal conduct. The same reasoning could easily apply to an expanded use of packet sniffers for law enforcement." Since...

Another Foundstone Spin-Off: Security Compass

I was happy to learn that another friend and ex-Foundstone colleague, Nish Bhalla, has started his own consulting company: Security Compass. Nish most recently contributed to the new book Buffer Overflow Attacks, which I plan to read. Nish is an expert on Web and application security, so if you need a customized, in-depth assessment of those services give him a ca...

Save the FreeBSD Mascot and Create a Logo

I learned of the furor over the upcoming FreeBSD logo contest by reading the recent Slashdot thread bearing the unfortunate title "FreeBSD Announces Contest To Replace Daemon Logo." There is no replacement going on. As I've written previously, FreeBSD has no logo. FreeBSD has a mascot, "Beastie" the daemon. Core team member Robert Watson has affirmed this, and I believe the forthcoming announcement at FreeBSD logo contest will make this point...

Tuesday, 8 February 2005

FreeBSD 5.4 Release Schedule

I haven't been reading the FreeBSD mailing lists regularly. Today I looked into the freebsd-stable list and saw the FreeBSD 5.4 Release Schedule posted. Highlights include:

- Feb. 23: newvers.sh starts to say 5.4-PRERELEASE
- Mar. 2: RELENG_5 code freeze begins
- Mar. 4: Public test release build called 5.4-PRERELEASE
- Mar. 16: Branch RELENG_5_4, unfreeze RELENG_5
- Mar. 18: 5.4-RC1
- Mar. 25: 5.4-RC2
- Apr. 4: 5.4-RELEASE

You can watch the schedule and open issues...

Monday, 7 February 2005

Review of Internet Denial of Service Posted

Amazon.com just posted my five star review of Internet Denial of Service. From the review: "'Internet Denial of Service' (IDOS) is an excellent book by expert authors. IDOS combines sound advice with a fairly complete examination of the denial of service (DoS) problem set. Although the authors write from the DoS point of view, as a network security monitoring advocate I found myself agreeing with many of their insights. Since there are no other...

Sunday, 6 February 2005

Shmoocon Concludes

Shmoocon finished today. Overall I found the con very worthwhile and an incredible financial bargain for the $199 late admission price I paid. I started the day in a briefing by Joe Stewart and Mike Wisener of LURHQ. I attended this talk primarily because Joe has been my point of contact at LURHQ for contributing several malware analysis case studies to my next book, Extrusion Detection. LURHQ analysts do some of the best technical research publicly...

Shmoocon Day Two

Here are a few impressions of the talks I saw during the second day of Shmoocon in Washington, DC. The day started with a rant by Riley "Caezar" Eller on the state of security. Caezar wrote Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms and works for CoCo Corp. (CoCo appears to stand for Connection Optimizing Cryptographic Operator.) He pleaded for someone to invent a new Internet and asked why other speakers at security conventions do not make similar requests. Such pleas are similar to those who call for replacement...