Wednesday, 30 March 2005

New National Centers of Academic Excellence in Information Assurance Education

Related to my previous post, I decided to see what was happening with the National Security Agency's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program. I read that today the NSA and Department of Homeland Security jointly announced several new schools had met the criteria to be National Centers of Academic Excellence in Information Assurance Education. One of them is my alma mater, the US Air Force Academy. I am glad to see USAFA join this group, since it was embarrassing to see the ground-pounders of...

Thoughts on New Cyber Security Report

Today I skimmed the latest report from the President's Information Technology Advisory Committee (PITAC) titled Cyber Security: A Crisis of Prioritization (.pdf). This Government Computer News story summarizes the report's findings. Briefly, they are that the nation's critical infrastructures remain vulnerable to attack, and that federal security research and development funding is misallocated. PITAC estimates "there are fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional...

Tuesday, 29 March 2005

Cisco Routers Run Tcl

This morning I was reading The State of the Scripting Universe by Lynn Greiner. That article features interviews with leaders in the development communities for Perl, PHP, Python, Ruby, and Tcl. The article pointed me towards a reference titled Dynamic Languages — ready for the next challenges, by design by David Ascher. While reading this second article I was surprised by this statement: "Tcl is part of Cisco's IOS router operating system, and as such is included in all high-end Cisco routers and switches." What's that? Tcl on my router? A...

Monday, 28 March 2005

Steve Andres of Special Ops Security emailed me to report his company's release of SQLrecon, Chip Andrews' successor to SQLping. SQLrecon is another .NET application that I tested on my Windows 2000 laptop. You can use SQLrecon to discover servers offering Windows SQL Server, and learn a little bit more than a port scanner might say. The tool is very easy to use. By default, specify a range of IPs in the boxes and start...

Sunday, 27 March 2005

FreeBSD 5.4 Schedule Updated

This weekend the FreeBSD 5.4 Release Schedule was updated to reflect "facts on the ground." The candidate earlier labelled "PRERELEASE" is now noted as "5.4-BETA1", and the comments state: "First public test release build. Note that the release build name is 5.4-BETA1 but newvers.sh RELEASE name remains 5.4-PRERELEASE. This is because the name BETA often confuses the users who are using the STABLE branch." "5.4-RC1" is slated for 31 March, but then...

Latest Snort and IDS News

Last week saw several developments involving Snort. First, Sourcefire published the Open Source Snort Rules Consortium (OSSRC) charter (.pdf). The document states: "The stated goals of the OSSRC are to:

- Establish metrics and standards for Open Source Snort rule development and documentation.
- Provide a forum for the sharing of research and information for the development of effective Snort Rules.
- Ensure continuous support for a Snort Ruleset licensed under the GPL."

Sourcefire and Bleeding Snort will hold most of the power in the new group: "One...

Thursday, 24 March 2005

IISFA Announces Vendor-Neutral Forensics Certification Test

Today I received an email from James A. Moore, International Vice Chairman (sounds impressive) of the International Information Systems Forensics Association (IISFA). The IISFA is the governing body for the Certified Information Forensics Investigator (CIFI) certification. I mentioned this organization and cert in June and November 2003. Since I don't see any notice of this news on the IISFA Web site, here are the significant parts of Mr. Moore's email: "I am very pleased to formally announce the final release date of the Certified Information...

Wednesday, 23 March 2005

Review of The Art of Intrusion Posted

Amazon.com just posted my four star review of The Art of Intrusion. This may be one of my more controversial opinions, so you may want to read the whole review to get my entire take on the book. Here is the beginning of the review: "Over two years ago I read and reviewed The Art of Deception, also by Mitnick and Simon. I thought that book was 'original, entertaining, [and] scary.' Those same adjectives apply to The Art of Intrusion (TAOI). While...

Monday, 21 March 2005

Red Cliff Releases Web Historian

On Friday, security consultancy Red Cliff posted an announcement of their new Web Historian tool. Web Historian parses Web browser history files and presents the information in a manner useful to a host-based forensic investigator. The program requires the Microsoft .NET Framework and runs only on Windows systems. Prior to using Web Historian, I had used Scott Ponder's IE History and Keith Jones' Pasco. Previously IE History was free, but required...

FreeBSD 5.4-BETA1 Available

I am happy to report that FreeBSD 5.4-BETA1 has been announced. The release schedule has not yet been updated, and it doesn't seem to match the process currently underway. Looking back at the 5.3 release schedule, we see that BETA1 is the start to the FreeBSD release process. After a series of BETAs we will see RCs (release candidates). I think 5.4 is a few weeks late, so I expect to see the final RELEASE version ready in late April or early...

Friday, 18 March 2005

Latest Pre-Reviews

I received three new Pearson imprint books yesterday that I've added to my reading list. First is Windows System Programming, 3rd Ed by Johnson M. Hart, published by Addison-Wesley Professional. This book looks promising because it does not dwell on Windows GUI issues. Instead it focuses on core system services like the file system, memory, processes and threads, synchronization, communication, and security. The 3rd edition is updated to address Windows XP and Windows Server 2003, and it also covers 64-bit issues. I asked for this book to learn...

SearchSecurity.com on Snort Rules

I just noticed that SearchSecurity.com published an article titled Snort (rules) for sale. I was quoted after the article's author, Shawna McAlearney, read coverage on this blog. I thought Shawna's article was "fair and balance...

Bookpool Publishes My Ten Favorite Computing Books

I maintain Amazon.com Listmania Lists for a variety of topics. These show books I recommend reading to become more proficient in various security skills. Recently Bookpool asked me to help celebrate their 10th anniversary by participating in their authors' favorite 10 computer books from the past 10 years promotion. I hope you find my list helpful. Although I sometimes reference books I read several years ago, I was sure to include older books that had newer editions availab...

Security Insights from Microsoft Security Architect

Last night I attended the northern Virginia ISSA monthly meeting. The guest speaker was Dean Iacovelli, Security Systems Architect for the Microsoft Mid-Atlantic district. His overall theme was "beyond patching." Dean supports over 200 enterprise customers, for which he serves as "security pinata." Several ISSA members took him to task for Microsoft's security failings, but I thought Dean was diplomatic and handled their mildly aggressive questions...

Thursday, 17 March 2005

Join Me for NSM at USENIX 2005

Four weeks from today I will present a one day class on Network Security Monitoring with Open Source Tools at USENIX 2005 in Anaheim, California. This is an improved and updated version of the class I presented last year at USENIX Security 2004. I am looking forward to teaching this class. It will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM...

Tuesday, 15 March 2005

SecureLogix Enterprise Telephony Management

I just read two reviews of the latest SecureLogix product, the Enterprise Telephony Management system, in Network Computing and Secure Enterprise magazines. Hardly anyone seems to pay attention to voice security. I've only read one book on the subject. As Voice over IP becomes popular, interest in voice security seems to be picking up. The new SecureLogix product can monitor and control traditional POTS voice and also VoIP (SIP and H.323v2). I found this note in one of the reviews alarming: "The ETM 1090 system can capture digital recordings...

Banks Also Fighting the Last War

Security guru Bruce Schneier wrote an insightful essay titled The Failure of Two-Factor Authentication. He essentially argues that the millions of dollars banks and others are spending on two-factor authentication don't address modern threats. When phishers convince victims to enter credentials that the phisher passes to a real e-commerce site, it doesn't matter if the credentials are a password or an RSA token code and PIN. Also, forget about phishing; just install a silent Trojan that performs fraudulent commercial actions during an authenticated,...

BSD Certification Web Site Launched

This morning the BSD Certification Web site was launched. I am a member of the project. Our mission is to create and support a standardized certification process to assist system administrators and employers in validating competence in the implementation of BSD best practices. Keep an eye on the Web site and our public mailing list for more information. I recommend reading our press release as we...

First Impressions of Lancope StealthWatch

Sometimes vendors send me gear to try in my lab. I was fortunate to receive a StealthWatch appliance from Lancope, which I tried for a few weeks on a production T-3 link. Lancope calls StealthWatch a "Network Behavior Anomaly Detection (NBAD)" system. It is a signature-free product that analyzes network traffic and reports what it considers odd and potentially problematic events. The following are my impressions of the system, based on three assumptions....

Monday, 14 March 2005

SANS Ends Practical Requirement for Certifications

I just learned that SANS, an organization whose conferences I attended fairly regularly five years ago, has terminated the practical requirement for all of its GIAC (Global Information Assurance Certification) programs. GIAC was originally the Global Incident Analysis Center, a Web site to disseminate information on Y2K rollover threats. From a February 2000 archive of the site: "GIAC began December 21, 1999 as a service to support Y2K watchstanders all over the world, watching for cyber attacks and Y2K problems. We've come a long way since then,...

Saturday, 12 March 2005

Ethereal Development and Support News

I just noticed that Ethereal 0.10.0 was released Friday. It fixes several security and reliability bugs, so an upgrade is warranted. While perusing the Ethereal home page I noticed news on Ethereal training by Ethereal Software. The classes include:

- Ethereal Essentials 1 (two days): Introduction to Ethereal and network troubleshooting
- Ethereal Essentials 2 (three days): Advanced network troubleshooting with Ethereal
- Development Using Ethereal (three days): Coming soon!

The second and third classes look very interesting. So who is Ethereal...

Latest Pre-Reviews

I received five promising books recently. Here's a quick look at them. Once I read each book, I'll post news of my Amazon.com review here. First is VoIP Security by James Ransome and John Rittinghouse, published by Elsevier. I'm looking forward to reading this book because it explains Voice over Internet Protocol, and then explores security issues associated with this increasingly popular technology. This protocol is going to be used everywhere, and I don't think security professionals are ready for it. Next we have the first of two new books...

Argus Documentation

Argus is a session data collection tool, and probably the most underrated network security application available. I wrote about Argus in my first book, a Sys Admin article, and here. Recently I read on the argus mailing list that Thorbjörn Axelsson posted his thesis Network Security Auditing at Gigabit Speeds (.pdf) online, and it uses Argus. Through his references I discovered an earlier article by Peter Van Epp titled Pssst, Wanna Buy Some Network Insurance? (.pdf). Peter's article in particular demonstrates a wonderful appreciation of the...

More Snort News

I have several developments to report from the Snort front. First, Jeremy Hewlett announced Thursday the release of Snort 2.3.2. This version is a quick response to the problem parsing Bleeding Snort rules reported shortly after Snort 2.3.1 arrived. I think this release was quickly pushed out the door to demonstrate that Sourcefire was not trying to lock out Bleeding Snort users. This is smart; there's no need to repeat a Microsoft-style "DOS isn't done until Lotus won't run" situation with Snort! Speaking of Bleeding Snort, Matt Jonkman announced...

Thursday, 10 March 2005

BSDCan 2005 Registration Opens

Registration for BSDCan 2005 is now open. Last year at the inaugural event I reported on days one and two and spoke about Sguil. This year I will present Keeping FreeBSD Up-To-Date and More Tools for Network Security Monitoring on 13 May, according to the schedule. I learned I was not accepted to speak at CanSecWest this year, so the visit to Ottawa for BSDCan will probably be my only trip north of the border in the coming mont...

Visiting Sourcefire

Today I visited the Columbia, MD headquarters of Sourcefire with DC Snort Users Group founder Keith McCammon, pictured with me at left. We drove up from our Falls Church, VA office to meet with Sourcefire founder and Snort creator Marty Roesch. Sourcefire is housed in an Ikea-type building constructed to house optical networking start-ups during the dot-com craze. In addition to Sourcefire, Optical Capital Group Ventures and another company called...

Snort 2.3.1 Released, Audit Clause Modified

Jeremy Hewlett announced that Snort 2.3.1 is now available. According to the announcement, there are only supposed to be new rules in the major releases (e.g., 2.4.0, 3.0.0 -- not 2.3.1). However, a cursory inspection of the new rules in 2.3.1 revealed some additions. For example:

drury:/usr/local/src$ diff snort-2.3.0/rules/backdoor.rules snort-2.3.1/rules/backdoor.rules
3c3
< # $Id: backdoor.rules,v 1.44.2.4 2005/01/17 23:52:48 bmc Exp $
---
> # $Id: backdoor.rules,v 1.44.2.5 2005/03/01 18:57:08 bmc Exp $
102a103,104
> alert tcp...

Wednesday, 09 March 2005

Passed My CCNA Test

I just finished testing for my Cisco Certified Network Associate certification. I passed with a 973 out of 1000. The test was 90 minutes long and I finished with only 8 minutes to spare. I think I missed one question, maybe two. The exam was as tough as I expected, meaning it was not easy. I know it was difficult since I usually breeze through mostly multiple-choice exams. (For example, I answered all 250 questions on the CISSP exam in 90 minutes, and walked out the door.) I cannot say enough about the CCNA class I took with Todd Lammle...

Tuesday, 08 March 2005

Review of Cisco IP Routing Posted

Amazon.com just posted my five star review of Alex Zinin's exceptional Cisco IP Routing. From the review: "With my CCNA exam date staring straight at me, I decided to finally read my copy of Alex Zinin's Cisco IP Routing. This book clearly exceeds the level of knowledge needed to pass Cisco's entry level certification. It is aimed more at CCNPs or CCIEs who need a deeper understanding of Cisco routing. Nevertheless, I found the book's explanations of certain...

Sourcefire VRT Rules License Audit Rights

Don't be too quick to register to receive the latest Snort rules if you use Snort in your organization. This snort-users post brought this section of the VRT Certified Rules License Agreement to my attention: "11. Audit Rights. You will, from time to time and as requested by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in your possession or control, and to your books,...

Monday, 07 March 2005

Book Featured by Net Optics

This image is an excerpt from what appears to be a new marketing slick (.pdf) from Net Optics, a California company that makes excellent network taps. I profiled two of their products in my first book. I am working with them to evaluate a set of new products for my next book, with an eye towards internal monitoring. If all goes well I may speak to some of their users in May, at their Sunnyvale, California headquarte...

New Snort.org Web Site Launched

Sometime during this afternoon, the new Snort.org Web site was launched. It features a message from Marty that says "We will continue to dedicate our research, development and QA resources to ensuring that Snort remains the de facto standard in intrusion detection and prevention technology." I noticed the Snort.org Web page titles also use the same "de facto" language. While I more or less agree with the IDS aspect, I believe Marty and crew are being pushed by market forces to adopt the IPS stance. This is a shame, as we all know an "IPS" is...

Review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed Posted

Amazon.com just posted my five star review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed. From the review: "Last week I attended Todd Lammle's CCNA class, where I received a free copy of his 'CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed' (CCNADE4E). Todd's class was excellent, and his book is almost literally Todd in written form. There is hardly a wasted word in this book. If Todd mentions...

Sunday, 06 March 2005

Use FTP Instead of TFTP to Transfer IOS Images

Michael Lucas' book Cisco Routers for the Desperate saved me this evening. I was trying to update the flash image on my Cisco 2950T-24 switch via TFTP, and had this problem (twice, actually):

gruden#copy tftp flash
Address or name of remote host [192.168.2.7]?
Source filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Destination filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Accessing tftp://192.168.2.7/c2950-i6k2l2q4-mz.121-22.EA3.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA3.bin from 192.168.2.7 (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...edited...!!!!!!!!!!!O!O!O!O!OO!OO!OO!OOOO%Error...

Switch to Router-on-a-Stick Communication

In January I described how I configured my Cisco 2651XM router to pass traffic between two VLANs on my Cisco 2950T-24 switch. I never assigned an IP for management purposes to the switch, since I always reached it via console cable. Today I decided to try upgrading the switch IOS, but that required applying a management IP to the switch. My router had this configuration on the interface facing the switch:

interface FastEthernet0/1
 description Connection to gruden, Cisco switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation...