Saturday, 30 April 2005

Reviews of VoIP Security, The Internet and Its Protocols Posted

I refused to let April end without finishing and reviewing these two books kindly provided by Elsevier Press. The first was a disappointment. Amazon.com just posted my three-star review of VoIP Security. From the review: "I decided to read VoIP Security because I thought it would describe VoIP protocols and ways to secure them. The table of contents looked very strong and the preface seemed to meet my goals: "For one to truly understand Internet...

FreeBSD 5.4-RC4 Imminent

As I guessed recently, we should see FreeBSD 5.4 RELEASE arrive next week or very soon thereafter. Scott Long posted an update on the release status of 5.4 this morning. He says: "As you probably noticed, we are a bit behind on the 5.4 release. There was a major stability problem reported several weeks ago in a particular high load, high profile environment, and we decided that it was in everyone's best interest to get it resolved before the release....

SecurityForest.com ExploitTree

This afternoon I was researching a bot for a chapter in my latest book. I don't spend a lot of time on exploit sites because I am not a penetration tester by trade. I think the last time I really looked at exploits, sites like www.hack.co.za were still around! While searching for the bot in question, I happened to find SecurityForest.com, although the site was announced on BugTraq in March. SecurityForest.com is an impressive piece of work. The site is essentially a giant CVS archive of attack code, called the ExploitTree. They provide a Client...

Friday, 29 April 2005

Cut Budgets If Security Fails to Improve?

I find this note from a recent GovExec story valuable: "House Government Reform Chairman Tom Davis, R-Va., said Thursday [7 April] that agencies could have their budgets cut if their information technology security does not improve. With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding." This will never happen. Does Congress advocate cutting funds to poorly performing schools? Regardless of the merits of the approach, I cannot...

Join Me at USENIX Security 05

You may have noticed the new banner at the top of the Blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago. In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided...

Two More Pre-Reviews

Two new books arrived at TaoSecurity world headquarters this week to be added to my reading queue. The first is Silence on the Wire by Michal Zalewski. This looks like a creative and unconventional look at digital security, although the book's subtitle is "A Field Guide to Passive Reconnaissance and Indirect Attacks." Michal was kind enough to email me to ask if I would review his book. You may recognize Michal for some of his work, like the...

Sources of Free Security Market Research

This morning I was looking for security market research and I came across two useful resources. First, CSO Online provides an Analyst Report section with summaries of research by all of the big name firms. For example, you can read about Symantec Gains Added Vendor Neutrality with New IPS Support by Current Analysis or Deciphering the Dual Meaning of Compliance Monitoring by Forrester. These are not the full articles, but there is enough there to make for interesting reading. I also found some good press releases on security research from Infonetics...

Thursday, 28 April 2005

Internal Revenue Service Hassling You? Cite Security Issues

I filed my taxes a few weeks ago. Now I read in Techweb and Reuters that the Internal Revenue Service's security is horrible. According to Andy Sullivan of Reuters: "Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today. The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government...

Cyber Incident Detection and Data Analysis Center Goes Public

In October 2003 I reported on the Cyber Incident Detection & Data Analysis Center (CIDDAC), a collaboration of the University of Pennsylvania's Institute of Strategic Threat Analysis and Response (ISTAR) laboratory in Philadelphia, the Philadelphia InfraGard chapter, and Charles "Buck" Fleming, CEO of the apparently dormant AdminForce LLC. Details in 2003 were sparse, but I was skeptical that companies would agree to host "what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible —...

Tcpdump Vulnerabilities

I learned of four vulnerabilities in Tcpdump found by Vade79 by checking the latest exploits at Packet Storm. Linking to the exploits themselves, they are:

xtcpdump-ldp-dos.c: Tcpdump 3.8.3 and below mishandles Multi-Protocol Label Switching (MPLS) Label Distribution Protocol (LDP) packets. The effect is a local denial of service to Tcpdump. No system needs to be listening to port 646 TCP for Tcpdump to be affected. If you run xtcpdump-ldp-dos, it looks like this to the attacker:

./xtcpdump-ldp-dos 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (LDP)...

Wednesday, 27 April 2005

Payment Card Industry Security Guidelines

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document. The PCI was publicized back in December when Visa released a memo (available...

Tuesday, 26 April 2005

Snort Developments

I have a few news items from the Snort world. First, Snort 2.3.3 was released. This should not have any new rules, as it's not Snort 2.4.0 or Snort 3.0.0. Snort 2.3.3 does feature a so-called "mini-preprocessor" to watch for attacks exploiting Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021). Code to allegedly test for the vulnerability is here, so you might want to try testing Snort 2.3.3 with it. Second, the Open Source Snort Rules Consortium ossrc-intro mailing list is operational. Currently the lead thread is asking...

Saturday, 23 April 2005

Sending Encrypted Email

In previous blog entries I've created GnuPG keys and decrypted a message encrypted with my public GnuPG key. In this entry I show how I respond with an encrypted email using Enigmail and how I encrypt a file using gpg at the command line. You'll remember Bob sent me an encrypted email. I decided to send Bob an encrypted email in return. The first task was to find his public key. I used the key search feature. You may remember Bob included pgp.mit.edu in his signature as a hint for where to look for his public key, so I pass that site as the...

Decrypting Encrypted Email

No sooner had I posted my last entry on creating a GnuPG key than a visitor sent me an encrypted email. My mail client is Thunderbird, and it promptly put a message from Robert Grabowsky into my Junk folder. Thunderbird suspected the message was spam! It looked like this. Certain fields have been edited to foil email address harvesting:

Date: Sat, 23 Apr 2005 17:26:37 -0400 (EDT)
From: Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
To: Richard Bejtlich richard_at_taosecurit_dot_com
Subject: test of your key

-----BEGIN PGP MESSAGE-----
hQIOA+vNZOSLpEmREAf/XTL0KqQAnwOIkONZGgZMsyEFD00O7O8qzNRmv7A/IVwgo95VmxSoUXDIwNtQG1QpSbTY217k/HmUEKup0n2laON49SGKj1H76SwS0BVNG8Xj
...edited...
ADc/eiJOmnZuhDhTYMJoqziAilKf9Y7ChHKKjtil2WTrnNL3qfwX5636Sb3sjFMgf1Q+WCHWMr9LOQG3JGmGfjNZe6iMzp+Wl5y7m/j+7HMwiVp+J2sHyx1pffnGtFgP
=Xa7M
-----END...

Simple GnuPG Key Creation

I was recently asked to provide my GnuPG public key to facilitate sharing encrypted documents. I realized I needed to set up a public key with my richard at taosecurity dot com mailing address. Here's how I did it. First I installed the FreeBSD security/gnupg-devel package. Then I was ready to begin. I started by creating my key. Where necessary I've modified my email address in the listing below to spoil simple harvesting methods.

orr:/home/richard$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program...

Thursday, 21 April 2005

ZDNet BSD Certification Coverage and More

Joe Brockmeier published an interview with Dru Lavigne, chair of the BSD Certification Group. I'm a member of that organization and I will be present at the BSDCan 2005 BoFs to discuss BSD certification with any interested parties. Dru's interview provides additional background on our progress towards creating respected, valuable BSD certifications. Most importantly, today our Task Analysis Survey is publicly available. This is a Web-based questionnaire...

Wednesday, 20 April 2005

Todd Lammle Teaches CCNA in Denver in June

You may have followed my recent journey towards passing the CCNA exam. My instructor Todd Lammle just told me he will be teaching another CCNA class in Denver, from 13 to 17 June. This is a rare event as Todd runs the training company GlobalNet Training and stays very busy. Todd is the author of the best-selling CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed., which helped immensely. I highly recommend attending this class...

Cross-platform Pf Guide

While the official OpenBSD Pf guide is very good, I recommend those wishing to learn more about the Pf firewall check out Peter N. M. Hansteen's Firewalling with Pf guide. I like this document because it shows how to get Pf working on OpenBSD, FreeBSD, and NetBSD. Peter also covers the most common deployment scenarios and he addresses topics I consider important. Check it out if you're considering a Pf-based firewall soluti...

FreeBSD News

I have some good FreeBSD news to report. FreeBSD 5.4-RC3 was announced Monday. Although the schedule still calls for a 26 April release date, I believe we will not see the RELEASE until the first week in May. According to the announcement:"Due to one major issue that crops up on large (4-processor) systems under heavy load that is still being debugged there will be at least one more RC added to the schedule. Timing for the extra RC and the new...

Tuesday, 19 April 2005

TaoSecurity Visits the Pentagon

This morning I was pleased to speak at the Pentagon on behalf of the Network Security Services-Pentagon section of the US Army Information Technology Agency. (I would like to provide a URL, but there's no point linking to sites that return "403.6 Forbidden: IP address rejected" errors!) Doug Steelman, pictured with me in the photo below, invited me to discuss network security monitoring at their Pentagon Security Forum. Last month Erik Birkholz...

Monday, 18 April 2005

Researching Cisco Switch Backplane Statistics

While teaching at USENIX last week, I discussed SPAN ports. I mentioned that copying traffic to the SPAN port was less important than moving packets through the switch. One of the students asked if measuring the utilization of the switch backplane would reveal how well the switch was performing the SPAN function. Another student said there was a Simple Network Management Protocol Management Information Base (SNMP MIB) from which backplane statistics could be retrieved. I decided to research this issue as it affects using switches to collect...

New Honeynet Project Challenge

I saw that the Honeynet Project announced a new Scan of the Month last week. The evidence consists of Apache logs, Linux syslogs, Snort logs, and IPTables firewall logs. Here are examples.

From the Apache access log:

210.116.59.164 - - [13/Mar/2005:04:05:47 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-"

From the /var/log/messages syslog:

Mar 13 22:50:53 combo sshd(pam_unix)[9356]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root

From the Snort logs, apparently...

Friday, 15 April 2005

Speaking at Net Optics Think Tank Event in May

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank. The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitori...

Wednesday, 13 April 2005

Red Cliff Article on Web Browser Forensics

I just learned of a new article, Web Browser Forensics, Part 1 by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. This is part one of two articles, and it features a variety of methods to learn about a user's Web browsing history. Any time digital forensics appears in the news, it is often based on discovering a person's Web browsing activities. The Chandra Levy case is the canonical examp...

Wireless Traffic Snippets

In my USENIX talk I show how to collect wireless traffic using Tcpdump. In my slides I use a verbose method that only shows a few packets. In the following I'd like to show a variety of traffic available using Tcpdump.

First I tell my wireless card to go into monitor mode and watch channel 1. Then I ask Tcpdump to show me the media types it understands.

orr:/root# ifconfig wi0 mediaopt monitor channel 1 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
  EN10MB (Ethernet)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO (802.11 plus BSD...

Notes on IPCAD

Tomorrow morning I teach Network Security Monitoring with Open Source Tools at USENIX 05. I've been taking another look at the tools I will be presenting tomorrow to ensure I'm up-to-date on their latest versions and features. One of the tools I talk about is IPCAD, the IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD...