Thursday, 30 June 2005

Feds Adopt IPv6 by June 2008?

I read OMB: IPv6 by June 2008 today, which says: "The federal government will transition to IP Version 6 (IPv6) by June 2008, said Karen Evans, the Office of Management and Budget’s administrator of e-government and information technology. 'Once the network backbones are ready, the applications and other elements will follow,' she said today while testifying before the House Government Reform Committee." Riiight. Be prepared to see this slip to, oh, maybe never. The Federal government is also supposed to be securing its systems, and its report card...

Bleeding Snort Spyware Listening Post Initial Results

I mentioned a few new projects at Bleeding Snort two weeks ago. Some initial results of the Spyware Listening Post are posted. Check it out -- it's about one page of informati...

Wednesday, 29 June 2005

Nvu 1.0 Released

Anyone who's visited TaoSecurity.com or Bejtlich.net has probably stared in awe at the wonder of the Web composition skills inherent in each site. No? Well, I think they are an improvement over the 1996-era, made-with-vi HTML I created by hand. I used a program called Nvu (pronounced "N-view") to lay out the tables for each site. Yesterday Nvu 1.0 was released, and today the www/nvu FreeBSD port was updated. I found Nvu doesn't produce perfect HTML, so I might use a program like Tidy to clean up the pages. The latest version of Tidy is also...

"IDS Is Dead" Prophet Misunderstands "Sniffing"

Many of you will remember two years ago quotes by Gartner analyst John Pescatore, such as this in Infoworld: "We think IDS is dead. It’s failed to provide enterprise value," Pescatore says. Now this security expert has written more words of wisdom in response to an apparent increase in reconnaissance for port 445 TCP. In More Port 445 Activity Could Mean Security Trouble, Pescatore writes: "An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability." Fair enough -- but check...

Initial Thoughts on Visible Ops

I just finished listening to a Webcast offered by Tripwire titled Security Compliance: Revving Up for Regs with a Unified Strategy. To be honest, I don't think the presenters used their time appropriately, and I think the material was not conveyed very well. I listened, however, because I have learned of a book by Tripwire co-founder Gene Kim called Visible Ops. Visible Ops is a four-step methodology to implement the IT Infrastructure Library...

IPFW Rules on VPN CFG

I already published the IPFW rules I'm using to defend my sensors, so I figured I would add the IPFW rules I'm using on my VPN concentrator / firewall / gateway (CFG). I relied on the FreeBSD Handbook examples heavily, as the placement of certain sections is crucial when the CFG is also a NAT box. In these rules, interface xl0 is the interface facing the "Internet" while fxp0 faces a private internal network. Host bourque is a remote sensor with...

Tuesday, 28 June 2005

Forwarding Nameserver with BIND 9

I know all of the djbdns fans will attack me, but I set up a forwarding nameserver with the built-in BIND 9.3.1 version packaged with FreeBSD 5.4. I did give djbdns the old college try using the ports tree, but I had trouble getting daemontools and svscan working in the time I allotted for the project. I was able to get BIND working strictly as a forwarding server using the following steps.

First I created an rndc.key file using rndc-confgen.

janney:/etc/namedb#...

Portsnap and Squid

At BSDCan this year I listened to Kris Kennaway describe the FreeBSD package cluster (.pdf). He said he uses a caching Web proxy to optimize retrieval of source code when building packages. This makes an incredible amount of sense. Why download the same archive repeatedly from a remote site when you can download it once, and transparently let other clients retrieve the archive from the Web cache? I decided I needed to emulate this sort of environment...

Monday, 27 June 2005

Simple IPFW Rules to Defend Sensors

I'm considering deploying the following rule set on a new batch of network security monitoring sensors running the FreeBSD IPFW firewall. I'm running the IPSec tunnel scenario I outlined earlier to carry packets between the sensor and a VPN concentrator / firewall / gateway (VPN CFG) running FreeBSD. My goal is to limit who the sensor can talk to, and to limit who the sensor accepts connections from. In this case, I'm telling the sensor to speak...

Nessus Registered Feed for Consultants

Yesterday I described my experience registering with Tenable Network Security to access their Registered Feed. I said "security consultants using Nessus must pay an annual $1200 fee to access the Direct Feed. Free use of the Tenable plugins is only allowed on one's own network." The first part was correct, but the second part was not. It turns out that Tenable approves use of the Registered Feed (with the seven day plugin lag) if the consultant signs Tenable's commercial agreement. I downloaded, signed, and faxed the document to Tenable. I just...

Sunday, 26 June 2005

Trying Nessus Registered Feed

I described installing Nessus earlier, and last year I talked about the new Nessus license system. Since I was installing Nessus on a server strictly for scanning my own lab network, I decided to see what was involved with obtaining the Tenable Security Registered Feed. When I first installed Nessus, I received this warning:

Loading the plugins... 204 (out of 2225)
------------------------------------------------------------------------------
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, your...

Trying Snort VRT Rules and Oinkmaster

Last week I finally registered with Snort.org to gain access to the rules created by the Sourcefire VRT. The process was really simple, especially now that security/oinkmaster is in the FreeBSD ports tree. I describe the experience from the perspective of running Sguil, but the general concepts apply to anyone using Snort. After registering with Snort.org, logging in, and clicking the "Get Code" button at the bottom of the User Preferences page, I added the code to my oinkmaster.conf file.

url = http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/...

Nessus on FreeBSD

I'm rebuilding my laptop, and I needed to install Nessus. I prefer to install FreeBSD applications using pre-built packages whenever possible. I tried adding the nessus-2.2.4_1.tbz package but got this error when I started the nessus client:

Ooops ... This nessus version has no gui support.
You need to give nessus the arguments SERVER PORT LOGIN TRG RESULT
as explained in more detail using the --help option.

The package built by the FreeBSD cluster...

Friday, 24 June 2005

Three Pre-Reviews

I promise to start reading and reviewing books again, once my independent work schedule permits it. Until then, I would like to let you know about three new books I received. The first is one I specifically requested, and I think it is important reading for anyone developing security and networking appliances. Network Systems Design Using Network Processors: Intel 2XXX Version by Douglas E. Comer, published by Prentice Hall, looks like the definitive work on the Intel IXP2xxx network processor. Computer professionals will see fewer security...

Thoughts on Security Degrees

Since our CISSP discussion has been thought-provoking, I imagine this might be interesting too. Last night I taught a lesson on network security monitoring to a graduate level forensics class at George Washington University. Earlier this week my friend Kevin Mandia asked me to step in when he was unavailable to teach. I spent 2 1/2 hours describing NSM theory, techniques, and tools, and concluded with a Sguil demo. I do not have any formal degree involving computer security. I have considered pursuing an advanced degree. It would be incredible...

Contrabandwidth

I read a short article by Kate Palmer in Foreign Policy magazine about evading country-imposed Internet filters. Ms. Palmer writes: "According to the OpenNet Initiative (ONI), a research organization devoted to tracking blocked Web sites, black market access to filtered pages in Saudi Arabia runs anywhere from $26 to $67 per Web site." Good grief! Can't these people get a shell account with OpenSSH and proxy their Web requests? I see a market opportunity he...

CardSystems Breach Follow-up

Anyone looking for additional details on the CardSystems Solutions intrusion may find Bruce Schneier's blog good reading. He notes that CardSystems was apparently not in compliance with Payment Card Industry (PCI) security guidelines, although on National Public Radio CardSystems' CEO said his company was in compliance. Phil Hollows has written multiple blog entries on the breach, one which correctly points out that compliance with an audit does not equal securi...

Thursday, 23 June 2005

Thesis Cites Tao

I was happy to hear that Bjarte Malmedal's thesis for his Master of Science in Information Security cites network security monitoring theory from my first book The Tao of Network Security Monitoring: Beyond Intrusion Detection. Bjarte cites my work to justify why a single packet inspection and collection tool or system does not sufficiently provide security awareness. His thesis, Using Netflows for Slow Port Scan Detection, argues that Argus session records can be used to detect stealthy reconnaissance. (Thanks to Jeffrey 'jf' Lim for correcting...

Bleeding Snort Starts snort.conf Collection

I read an announcement yesterday that the Bleeding Snort project has started recommending snort.conf files. I posted the following comment at Bleeding Snort:

Hello,

I think this sample snort.conf project is a great idea. One concern I have is the general reliance on output_database to insert Snort alerts into databases. output log_unified and output alert_unified have been available for around four years, but many snort.conf files and configuration guides still insist on using output database. For example, the snort.conf addition that I recommend...

Wednesday, 22 June 2005

Marcus Ranum Interview at SecurityFocus

I'd like to thank Federico Biancuzzi for interviewing Marcus Ranum at SecurityFocus. The interview is brilliant in my opinion. Unfortunately, I learned of the interview by an ignorant Slashdot story that completely missed the points Marcus makes in the article. Can anyone recommend an alternative to Slashdot that has a lower number of idiotic stories, but still keeps up with technology current events? Anyway, here is my favorite excerpt:

"Do you see any new, interesting, or promising path for network security?

Nope! I see very little that's new...

(IN)SECURE Magazine Online

Mirko Zorz of Help Net Security was kind enough to notify me of his organization's new online magazine, (IN)SECURE. Based on perusing the first two issues, this looks like a fairly professional-quality magazine. I found a mix of strategic and technical advice in both issues, with short book reviews, software deployment discussions, configuration guidance, and other security information. Check it out -- it's fr...

Tuesday, 21 June 2005

CISSP: Any Value?

A few of you wrote me about this post by Thomas Ptacek in response to my recent CISSP exam post. Tom has one of the best minds in the security business, and I value his opinions. Here are my thoughts on the CISSP and an answer to Tom's blog. (I did not realize Tom has despised the CISSP for so long!) On page 406 of my first book I wrote: "I believe the most valuable certification is the Certified Information Systems Security Professional (CISSP). I don't endorse the CISSP certification as a way to measure managerial skills, and in no way does...

Friday, 17 June 2005

CardSystems Solutions Intrusion Exposes 40 Million Credit Cards

I am stunned by the scale of this story, and I expect to hear it get worse. Yesterday MasterCard International issued a statement that said "MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards. MasterCard International's team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party...

(ISC)2 Affiliated Local Interest Groups

As soon as I complained about the ISC2 CISSP survey yesterday, I received an email from (ISC)2 about their new Affiliated Local Interest Group pilot program. Mark Wilson, president of my local ISSA-NoVA chapter, mentioned that our group will be one of the few invited to the ALIG program. We do not yet know what this really means, but I will keep you inform...

Thursday, 16 June 2005

Encrypted Laptop Hard Drives

Yesterday someone asked me what I thought about encrypted laptop hard drives. I believe he was referring to this recent Seagate press release. The new Seagate Momentus Full Disk Encryption (FDE) product should ship this winter and will provide OS-independent disk encryption. This Extreme Tech article references technology by 4c Entity to encrypt the dri...

(ISC)2 Conducting CISSP Exam Survey

Last month I reported a friend's experiences with the CISSP exam. This week I received an email from (ISC)2 regarding a survey of the CISSP exam. It reads in part: "(ISC)2 would like to extend to you the opportunity to provide key input into the content of the CISSP® examination. With assistance from Schroeder Measurement Technologies, Inc., (ISC)2’s services entity, (ISC)2 is conducting a CISSP job analysis study through an online survey. The purpose...

Gartner Survey Ranks Threats

I found the article Corporates focus on basics for IT security defences by John Leyden to be interesting. He reports on a survey presented by Gartner at their recent IT Security Summit. Gartner's survey found that IT staff ranked threats as follows:

1. Viruses and Worms
2. Outside Hacking or Cracking
3. Identity Theft and Phishing
4. Spyware
5. Denial of Service
6. Spam
7. Wireless and Mobile Device Viruses
8. Insider Threats
9. Zero Day Threats
10. Social Engineering
11. Cyber-Terrorism

I am disappointed to see social engineering...

FreeBSD Post-Installation Tasks

Last night I installed FreeBSD 5.4 on my Dell PowerEdge 2300 server. Immediately following the installation, these are the tasks I performed. These are the same post-installation tasks I perform, in the same order, on every FreeBSD system I build.

1. When I install FreeBSD, I create a user and give him the /bin/sh shell. I used Linux before I used FreeBSD, and I remain more familiar with bash. Therefore, I install the most recent package available....

Wednesday, 15 June 2005

Bleeding Snort Innovations

Several interesting projects are taking shape at Bleeding Snort, described as "the aggregation point for Snort signatures and research." The spyware Blackhole DNS project collects domain names identified with spyware and provides a hosts file pointing to localhost for each. Matt Jonkman now wants to extend the idea to create the Spyware Listening Post. Rather than have a domain like 1000funnyvideos.com point to localhost (127.0.0.1), the Spyware Listening Post proposes resolving the host to an IP address operated by the SLP project. The SLP will...

Tuesday, 14 June 2005

OpenSolaris Lives

The OpenSolaris Project is alive. Ashlee Vance provides the most intelligent summary of the project that I've read. Something cool you can do immediately is browse the source using a Web front-end to CVS. This is really useful if you want to understand how the OS is assembled. A common criticism of this release is the lack of a downloadable .iso or similar distribution. You must start with Solaris Express: Community Release, Build 16 or newer, then follow the release notes. This is not as user-friendly as the new Fedora Core 4 release announced...

HTTP Request Smuggling

You may have seen this on Slashdot, but Garth Somerville sent me this link to a paper titled HTTP Request Smuggling (HRS) by Watchfire. You may remember Watchfire as the company that bought Web application security vendor Sanctum. Essentially HRS relies on sending conflicting values or malformed input in HTTP headers. Just as we saw years ago with IDSs, bad results happen when one product interprets commands one way and another product sees the world in a different way. I was pleased to see the Squid proxy server already addressed any problems...
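The disagreement the paragraph above describes is easy to see in code. What follows is an added example, not code from the Watchfire paper, from Squid, or from the original post: two hypothetical HTTP/1.x parsers read the same constructed byte stream, and because they resolve a duplicated Content-Length header differently (first value vs. last value), they derive different request boundaries. One parser sees a single POST with a body; the other sees the POST followed by a second GET that the first parser never noticed. The "strict" policy shows the check a hardened parser should make: refuse the message instead of picking a value. The host names, paths, and policy names are assumptions for the illustration.

```python
"""Added example: two parsers that disagree on duplicate Content-Length
headers split one HTTP byte stream into different request sequences."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Request:
    request_line: str
    headers: List[Tuple[str, str]]
    body: bytes


def split_requests(stream: bytes, policy: str) -> List[Request]:
    """Parse consecutive HTTP/1.x requests out of one byte stream.

    policy selects how duplicate Content-Length headers are resolved:
      "first"  - honour the first value (hypothetical front-end behaviour)
      "last"   - honour the last value  (hypothetical back-end behaviour)
      "strict" - reject conflicting values (what a hardened parser should do)
    """
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        lines = stream[pos:end].decode("ascii").split("\r\n")
        request_line, header_lines = lines[0], lines[1:]
        headers: List[Tuple[str, str]] = []
        for line in header_lines:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        lengths = [int(v) for (k, v) in headers if k.lower() == "content-length"]
        if policy == "strict" and len(set(lengths)) > 1:
            raise ValueError(f"conflicting Content-Length values {lengths}")
        if not lengths:
            body_len = 0
        elif policy == "last":
            body_len = lengths[-1]
        else:
            body_len = lengths[0]
        body_start = end + 4
        body = stream[body_start:body_start + body_len]
        if len(body) < body_len:
            raise ValueError("truncated body")
        requests.append(Request(request_line, headers, body))
        pos = body_start + body_len
    return requests


# Constructed input (not a captured request): a GET that will either be the
# POST's body or a second request, depending on which parser reads it.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# One POST carrying two Content-Length headers that disagree with each other.
STREAM = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 0\r\n"
    + (b"Content-Length: %d\r\n" % len(SMUGGLED))
    + b"\r\n"
    + SMUGGLED
)


def request_lines(stream: bytes, policy: str) -> List[str]:
    """The request lines a parser with the given policy would see."""
    return [r.request_line for r in split_requests(stream, policy)]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:>6}: {request_lines(STREAM, policy)}")
    try:
        split_requests(STREAM, "strict")
    except ValueError as exc:
        print(f"strict: rejected ({exc})")
```

Run stand-alone, the "first" parser reports two request lines (the POST and the GET) while the "last" parser reports only the POST, with the GET bytes hidden in its body; any device that forwards on one interpretation while another device acts on the other has been desynchronised. The strict policy is the practical defence at either end: treat conflicting framing headers as a protocol error rather than guessing.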

Comments on Israeli Intellectual Property Theft Stories

Thanks to Jason Anderson of Lancope for making me aware of a large case of intellectual property theft in Israel. This 29 May story explains how Israeli programmer Michael Haephrati was hired to create Trojan Horses for private investigation companies. Those PI firms then deployed the programs to target companies via "email attachments." The PIs sold what they found to competitors of the targets. For more details, I recommend Richard Steinnon's blog. I found a detail in this story very interesting: "The Trojan sent images and documents to FTP...

Sunday, 12 June 2005

Bejtlich at Techno Security Conference

If you're in Myrtle Beach, SC for the 2005 Techno Security Conference, stop by and say hello. I should be at the 3:00 pm Monday book signing, and I will be speaking on behalf of Tenable Security at 7:00 pm Monday. I hope to squeeze in a Monday afternoon visit to managed security vendor LURHQ while I am here as well. This is my first Techno Security Conference, but I don't plan to see any talks other than those by Ron Gula and Marcus Ranum tomorrow morning. The conference organizers told me this is the 7th such event, and they have over 1,000...

Thursday, 09 June 2005

Multiple New Pre-Reviews

I've been too busy to read as I transition to being an independent consultant. Once I have a few business and related issues on track, I will begin scheduling time for reading again. I have a huge reading list as usual. A few books not on the list, but which merit attention, include the following. Last month one of the books I pre-reviewed was a Windows title by O'Reilly. Here is another: Learning Windows Server 2003 by Jonathan Hassell. This book looks like it will help me with the Windows Server 2003 Trial Software I mentioned last month....

Wednesday, 08 June 2005

Article on IPS Evaluations

Thanks to Ronaldo Vasconcellos for pointing me towards What to ask when evaluating intrusion prevention systems. This is an interview with Bob Walder of the NSS Group. I agree with the conclusion of the article: "I can't stress enough the need for a thorough bake-off in your own network. It's likely to be very different from a test lab environment and may throw up some very interesting challenges for the vendors." I provided inputs to an IPS test done by a partner company. I would be happy to conduct thorough IDS, IPS, or firewall testing for...

Tuesday, 07 June 2005

FreeBSD Ports Tree Breaks 13,000 Ports, and Other FreeBSD News

This week the FreeBSD ports tree broke the 13,000 mark. The tree has added about 2000 ports per year for the past four years. This graph shows the number of ports added per year since 1995. Just six months ago I blogged about passing the 12,000 mark. For those of you not familiar with the FreeBSD ports tree, it's a set of files and directories bundled with FreeBSD that allows easy software installation from source code. The ports tree is a...

Testing New Rules with TurboSnortRules.org

On Sunday I wrote about TurboSnortRules.org. Today I saw a post to snort-users asking if anyone had rules to detect W32.Mytob.DL@mm. One response recommended checking Bleeding Snort new rules. Looking there I found WORM_Mytob rules in a Web-browsable CVS format. Very nice. I read the first rule and decided to see what TurboSnortRules.org had to say. I submitted the first rule after removing the classtype field, as TSR doesn't support it. Here...

Monday, 06 June 2005

DIY Security with Open Source

This morning I received word of a new SANS Webcast titled What Works in Intrusion Detection Systems. The introductory paragraph for the announcement starts with these two sentences: "The days of do-it-yourself security using free software have passed. There is broad understanding among CIOs and CISOs that an effective cyber security program cannot be implemented without commercial technology and services." As you might expect I strongly disagree with this claim. I was disappointed to see these sentiments expressed in an announcement about IDS sponsored...

Sunday, 05 June 2005

Test Your Snort Rules at TurboSnortRules.org

I missed the announcement in the Bleeding Snort forums last month of TurboSnortRules.org, a project supported by security vendor VigilantMinds. The idea is to submit a custom rule to see how it stacks up against other Snort rules in terms of "Relative Measure of Efficiency". Looking at the chart below, you see various RMEs for different Snort rule sets. The important point is to notice how a rule like this BACKDOOR WinCrash 1.0 Server Active is considered "very slow" (probably due to PCRE matches), with a RME over 4 on Snort 2.2.0, compared to...

Friday, 03 June 2005

New Bejtlich.net Launched

Here's a quick note for anyone who cares -- content no longer at TaoSecurity.com has been modified and moved to Bejtlich.net. There are kinks to iron out at both sites, but I should have those fixed during the next we...

Counterfeiters Kill Subway Stamps

I had no idea losers were selling Subway stamps on eBay or just plain counterfeiting them. Now Subway will end the program. This is a good example of reacting to a changing threat environment. When the stamp program was started in the 1980s, I imagine the majority of the users were honest and the technology to mass-produce look-alike stamps wasn't accessible to most people. Throw in high-quality printers and unscrupulous employees who steal and sell stamps, and we end up with the current situation. Perhaps Subway will institute some sort of...