Saturday, 30 July 2005

Notes for USENIX Security Students

In a few hours I will be teaching Network Security Monitoring with Open Source Tools at USENIX Security in Baltimore, MD. I have two items of interest for my students concerning their slides.

First, the default Tethereal ring buffer syntax has changed. My first book, and the Tethereal slide, use this syntax:

tethereal -n -i -s -a duration:3600 -b 24 -w

The new syntax requires a filesize whenever -b (ring buffer mode) is invoked, like so:

tethereal -n -i -s -a filesize:1000000 -a duration:3600 -b 24 -w

Also, there is a slide missing before the...

ISS Pursues Lynn Presentation Copies

It looks like I spoke too soon about the Lynn affair being closed. ISS is now pursuing Web sites posting Mike Lynn's presentation. For example, Rick Forno has removed his copy of the Lynn slides after receiving a cease-and-desist letter from lawyers representing ISS. The document (.pdf), by DLA Piper Rudnick Gray Cary US LLP attorney Andrew P. Valentine, features this piece of exceptional grammar: "The posting is located on your [Forno's] website......

Friday, 29 July 2005

New Cisco Advisory and Statements

I guess we can wrap up the Cisco and ISS vs. Mike Lynn and Black Hat saga by mentioning the new Cisco security advisory released today: IPv6 Crafted Packet Vulnerability, which states: "(IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further...

Mike Lynn Presentation Online

Rick Forno has posted a .pdf of Mike Lynn's presentation. So much for the removal of pages from the Black Hat books by Cisco goons! This is a pathetic charade that public relations personnel and lawyers should study in the future. Cisco and ISS have handled this in exactly the wrong way. Did they ever think they could suppress information at a hacker convention, of all places? Bruce Schneier has weighed in as well: "Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we...

Mike Lynn Settles

It appears Black Hat presenter Mike Lynn has avoided personal disaster, according to Brian Krebs: "Under the terms of a permanent injunction signed by a federal judge this afternoon, Lynn will be forever barred from discussing the details about his research into the vulnerabilities he claimed to have discovered in the widely used Cisco hardware." I recommend reading the rest of Brian Krebs' story for details.

I saw this NANOG post refer to a FrSIRT advisory, but the relevant FrSIRT page has been removed (though not without trace). In case anyone...

Thursday, 28 July 2005

Snort 2.4 Released

Snort 2.4.0 has been released. Here are the release notes. The obvious change in this release is the removal of all rules from the snort-2.4.0.tar.gz tarball. The rules are available separately. Marty assures me that the rule download page will have rules available for non-subscriber and non-registered Snort users by close of business today.

Update: All rules are available -- even those for unregistered users. Nice work Sourcefi...

Distributed Traffic Collection with Pf Dup-To

The following is another excerpt from my upcoming book titled Extrusion Detection: Security Monitoring for Internal Intrusions. I learned yesterday that it should be available the last week in November, around the 26th.

We've seen network taps that make copies of traffic for use by multiple monitoring systems. These copies are all exactly the same, however. There is no way using the taps just described to send port 80 TCP traffic to one sensor,...
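As an added illustration of the selective copying the excerpt describes (this is not the book's text or configuration), the following pf.conf fragment shows how pf's dup-to option can send a copy of port 80 TCP traffic to one sensor and a copy of everything else to a second sensor. It assumes FreeBSD pf with the route option written after the interface, as pf accepted it at the time, and the interface names and sensor addresses are hypothetical:

```pf
# Added example with hypothetical interfaces and sensor addresses.
ext_if      = "em0"            # interface whose traffic we want to copy
web_mon     = "em1"            # link to the sensor dedicated to HTTP
rest_mon    = "em2"            # link to the sensor that gets everything else
web_sensor  = "192.168.10.2"   # sensor reachable on the em1 segment
rest_sensor = "192.168.20.2"   # sensor reachable on the em2 segment

# dup-to emits a copy of each matching packet out the named interface
# toward the given next hop; the original packet is filtered and
# forwarded exactly as it would be without the option.
pass in quick on $ext_if dup-to ($web_mon $web_sensor) proto tcp from any to any port 80
pass in quick on $ext_if dup-to ($rest_mon $rest_sensor) all
```

Two caveats a practitioner will hit: dup-to applies only to the direction of the rule that carries it, so the reply traffic needs matching pass out rules with their own dup-to if the sensors are to see both halves of each connection, and the copy is sent as an ordinary frame to the sensor's address, so the sensor interface must be on the named segment and answer ARP for that address.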

Free Michael Lynn

Ex-ISS X-Force researcher Mike Lynn is in a world of hurt right now. Yesterday he delivered a briefing at Black Hat on Cisco security flaws. Lynn decided to resign from ISS instead of complying with the wishes of his employer and Cisco to keep his discoveries quiet. For a lot more detail, I strongly recommend reading the Brian Krebs Security Fix blog hosted by the Washington Post. Krebs is in Las Vegas and has spoken with Lynn, who "has been served with a temporary restraining order designed to prevent him from discussing any more details about...

Wednesday, 27 July 2005

Snort "Not Eligible" for Zero Day Initiative

I recently wrote about TippingPoint's Zero Day Initiative (ZDI), a pay-for-vulnerabilities program. Thank you to the poster (whom I will keep anonymous) for notifying me of this article Vendors Compete for Hacker Zero Days by Kevin Murphy. It features this quote: "[C]ompetitors will have to sign agreements to the effect that they will not irresponsibly disclose the information, and that any data they provide to their own customers cannot be easily reverse engineered into an attack, he [3Com's David Endler] said." 'Some technology based on Snort...

Tuesday, 26 July 2005

Public Network Security Operations Class

I am happy to announce the first public Network Security Operations class is tentatively scheduled for the last week in September, starting Tuesday 27 September and ending Friday 30 September. The class is tentatively scheduled to be held at Nortel PEC in Fairfax, VA. I plan to offer 13 seats to the public, at a cost of $2995 per seat.

The course offers four sections, one per day:

Network Security Monitoring: theory, tools, and techniques to detect sophisticated intruders
Network Incident Response: network-centric means to contain and remediate...

Unable to Specify Interface for TCP Portmapper

I'm crushed. Today while working on a FreeBSD system with multiple interfaces, I noticed the portmapper (rpcbind) listening where I didn't think it should be.

# sockstat -4 | grep rpcbind
root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*

The UDP version was...
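The wildcard binds above are easy to miss by eye on a busy host. As an added example (not code from the original post), the following script parses sockstat -4 output and reports any listener bound to the wildcard address or to an address outside an allow list. The sample output is constructed to mirror the rpcbind lines quoted above, with one extra sshd line, and the allowed-address policy is an assumption for illustration.

```python
"""Flag daemons listening on wildcard or unexpected local addresses.

Added example, not from the original post. SAMPLE_SOCKSTAT is constructed
to mirror FreeBSD `sockstat -4` output; the allow list passed to
find_exposed() is a hypothetical policy for this host.
"""
from dataclasses import dataclass

# Constructed sample: the four rpcbind sockets from the post plus an sshd
# listener bound explicitly to the management address.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    354   10 udp4   127.0.0.1:111         *:*
root     rpcbind    354   11 udp4   10.0.0.1:111          *:*
root     rpcbind    354   12 udp4   *:1007                *:*
root     rpcbind    354   13 tcp4   *:111                 *:*
root     sshd       412   4  tcp4   10.0.0.1:22           *:*
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    addr: str   # "*" means the wildcard (INADDR_ANY) bind
    port: int


def parse_sockstat(text: str) -> list[Listener]:
    """Return the unconnected (listening) sockets from sockstat output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # skip the header row and anything that is not a full record
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        # a foreign address of *:* means no peer, i.e. a listening socket
        if foreign != "*:*":
            continue
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def find_exposed(listeners: list[Listener], allowed_addrs: set[str]) -> list[Listener]:
    """Listeners bound to the wildcard, or to an address outside policy."""
    return [l for l in listeners if l.addr == "*" or l.addr not in allowed_addrs]


if __name__ == "__main__":
    # On a live host: sockstat -4 | python3 this_script.py  (reads stdin)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SOCKSTAT
    for l in find_exposed(parse_sockstat(text), {"127.0.0.1", "10.0.0.1"}):
        print(f"{l.command}[{l.pid}] {l.proto} {l.addr}:{l.port} exposed")
```

Run against the sample it reports the udp4 *:1007 and tcp4 *:111 rpcbind sockets, which is exactly the pair the post complains about; the two sockets bound to specific addresses and the sshd listener pass the policy.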

Human Error Results in Being 0wn3d

Bill Brenner's article in the July 2005 Information Security magazine clued me in to a press release by the Computing Technology Industry Association (CompTIA). They announced the results of their third annual CompTIA Study on IT Security and the Workforce. From the press release: "Human error, either alone or in combination with a technical malfunction, was blamed for four out of every five IT security breaches (79.3 percent), the study found. That figure is not statistically different from last year." This study and the 2004 edition appear to...

New RSS Feed

My RSS feed from 2rss.com is reporting "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later." Those looking for a new RSS feed can use http://feeds.feedburner.com/Taosecurity. I will try to get this new icon on the blog template when Blogger cooperat...

SC Magazine IPS Reviews

Recently I received the new SC Magazine and noticed a new Group Test addressing so-called intrusion prevention systems. The reviewer was Christopher Moody, but I was unable to get any sort of background information on him. He has written most of the recent SC Magazine Group Tests, however. As you can read in the story, or in this press release, the Sourcefire IS-2000 won SC Magazine's "Best Buy" award. From the review: "Its high level of protection and simple rule writing using the Snort engine make it a good standalone product. But it...

Monday, 25 July 2005

Thoughts on Web Application Security Consortium

Rather than post to his own blog, Aaron Higbee decided to bait me with a link to the Web Application Security Consortium's Web Security Threat Classification guide. Uh oh, there's that magic word -- "threat." Immediately I suspected this document's use of the word "threat" in the title might be problematic, as I doubted it would be a classification of the parties with the capabilities and intentions to exploit vulnerabilities in assets. The document description states "The Web Security Threat Classification is a cooperative effort to clarify...

Lancope's Take on NetFlow

Earlier this year I had a chance to try a Lancope Stealthwatch appliance. Recently Adam Powers from Lancope weighed in on the focus-ids list with ways NetFlow records can be best utilized for security purposes. This is part of a thread started by Andy Cuff (aka Talisker). To hear more from Lancope, check out their WebEx Wednesday at 11 AM eastern.

David Sames started a second interesting focus-ids thread about IDS evaluation. The thread evolved into a discussion of the functions of various security devices. After a great post by Devdas Bhagat,...

Thoughts on TippingPoint Zero Day Initiative Program

Through the accursed Slashdot I learned of Tipping Point's Zero Day Initiative program. (Incidentally, I just figured out that Slashdot is like Saturday Night Live: we all remember it being a lot better years ago, it stinks now, yet we still watch.) According to this CNet story by Joris Evers, which cites TippingPoint's rationale for the program:"'We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection,' David...

Sourcefire Certified Snort Integrator Program

Did you see Sourcefire's press release on its Certified Snort Integrator Program? If you're not in this program, and you use Snort to provide services or products to third parties, you can't deploy or sell sensors with Sourcefire VRT rule sets. The only exception involves major release versions of Snort, e.g., 2.3.0 or 2.4.0, each of which is packaged with the latest rules at the day of release.

The press release says "charter members of the program include: Astaro, BRConnection, Catbird Networks, Counterpane Internet Security, e-Cop, Netreo,...

1000th Post

This is the 1000th TaoSecurity Blog post. Thankfully, after being broken for months, Blogger fixed the post tracking counter in time for me to notice this milestone. I started the blog on 8 January 2003 as a place to post word of new Amazon.com book reviews. I haven't read a new book since May, because I have been extremely busy launching my new company TaoSecurity. I plan to resume reading books very shortly, probably starting with Extreme Exploits.The...

FreeBSD Status Report Second Quarter 2005

The latest FreeBSD Status Report makes for interesting reading. Many of the ongoing tasks are Google Summer of Code projects. Nmap author Fyodor posted that Google is spending $2 million to fund projects this summer, including ten for Nmap itself. I highly commend Google for devoting a small portion of its market capitalization to these coding efforts.

Emily Boyd will redesign FreeBSD.org. Previous work includes the PostgreSQL Web site. Previews...

Friday, 22 July 2005

Ron Gula Podcast

I finally got a chance to listen to a new podcast with Ron Gula. Sondra Schneider from Security University interviewed Ron. The podcast lasts about 26 minutes and discusses Ron's experience as an NSA red team aggressor and his work at BBN. I specifically liked Ron's discussion of the difference between access control and monitoring. He said making a firewall change affects customer service level agreements; hence, firewalls were part of operations as they had direct impact on moving packets. Monitoring was typically not an operational function,...

FreeBSD Quality

The topic of the quality of FreeBSD has recently appeared in several places. Earlier this week SecurityFocus reported on the results of a study by Coverity. From Coverity's 27 June 2005 press release: Coverity "released software defect and security vulnerability results for FreeBSD 6.0... [and] found 306 software defects in FreeBSD's 1.2 million lines of code, or an average of 0.25 defects per 1,000 lines of code." That is interesting, considering...

Thursday, 21 July 2005

Visa and AmEx Pull the Plug on CardSystems

Thanks to Richard Stiennon for informing me that Visa and American Express will no longer allow CardSystems Solutions to process their credit cards. I am stunned, but in a good way. If companies begin to take security seriously, I will be very pleased. If this turns into a rationale to justify the current "compliance = security" mindset, then nothing will change and more organizations will be compromised.

The CardSystems news page reported yesterday that John Perry, President and CEO of CardSystems, "look[s] forward to the opportunity to share...

BSD Certification Group Publishes Survey Results

Yesterday the BSD Certification Group published the results of their task analysis survey. The 147 page report is available here.

I found these excerpts interesting: The survey saw an "often expressed desire to see the eventual certifications emphasize advanced achievement and mastery of Unix knowledge in general and BSD usage in particular. Yet, desires that the certification be difficult to obtain were balanced by the concern to not neglect younger,...

Tuesday, 19 July 2005

Excerpt from Network Forensics Chapter

A crucial component of using trusted tools and techniques is ensuring that the network evidence collected by a sensor can be read and analyzed in another environment. This may seem like an obvious point, but consider my recent dismay when I tried to analyze the following trace supposedly captured in Libpcap format. I started by using the Capinfos command packaged with Ethereal. On a regular trace, Capinfos lists output like the following.

bourque:/home/analyst$ capinfos goodtrace
File name: goodtrace
File type: libpcap (tcpdump, Ethereal, etc.)
Number...
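The check Capinfos performs, recognizing the file type and counting packets, comes down to reading the libpcap global header and walking the per-packet headers. As an added example (not code from the chapter or from Ethereal), the following script does that by hand so an analyst can verify a trace with nothing but Python before trusting it as evidence: it identifies the byte order from the magic number (including the nanosecond-timestamp variant), rejects files that are not libpcap at all, and reports a trace whose last record is cut short instead of silently miscounting. The sample trace it checks is constructed in memory.

```python
"""Verify that a file really is a readable libpcap trace.

Added example, not from the original chapter or from Ethereal/capinfos.
The libpcap layout used here is the standard one: a 24-byte global
header (magic, major, minor, thiszone, sigfigs, snaplen, linktype)
followed by 16-byte per-packet headers (ts_sec, ts_frac, incl_len,
orig_len) each followed by incl_len bytes of packet data.
"""
import struct

# Magic number as it appears on disk -> (struct byte-order prefix, timestamp unit)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),   # little-endian writer
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),   # big-endian writer
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),    # little-endian, ns timestamps
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),    # big-endian, ns timestamps
}

GLOBAL_HDR_LEN = 24
PKT_HDR_LEN = 16


class TraceError(ValueError):
    """Raised when the data cannot be trusted as a libpcap trace."""


def inspect_pcap(data: bytes) -> dict:
    """Parse the headers of a libpcap file held in memory and summarize it."""
    if len(data) < GLOBAL_HDR_LEN:
        raise TraceError("shorter than a libpcap global header")
    try:
        endian, resolution = MAGICS[data[:4]]
    except KeyError:
        raise TraceError(f"not a libpcap file: unknown magic {data[:4].hex()}") from None
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if (major, minor) != (2, 4):
        raise TraceError(f"unsupported libpcap version {major}.{minor}")

    offset, count, truncated = GLOBAL_HDR_LEN, 0, False
    while offset < len(data):
        if offset + PKT_HDR_LEN > len(data):
            truncated = True            # header itself is cut short
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PKT_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise TraceError(f"packet {count}: incl_len {incl_len} exceeds "
                             f"snaplen {snaplen} or orig_len {orig_len}")
        if offset + PKT_HDR_LEN + incl_len > len(data):
            truncated = True            # packet data is cut short
            break
        offset += PKT_HDR_LEN + incl_len
        count += 1
    return {"byte_order": endian, "timestamp_resolution": resolution,
            "snaplen": snaplen, "linktype": linktype,
            "packets": count, "truncated": truncated}


def build_sample_trace(endian: str = "<",
                       packets=(b"\x00" * 60, b"\xff" * 42)) -> bytes:
    """Constructed minimal libpcap file: Ethernet (linktype 1), snaplen 1514."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 1514, 1)
    for i, payload in enumerate(packets):
        out += struct.pack(endian + "IIII", 1122334455 + i, 0,
                           len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_trace()
    print(inspect_pcap(data))
```

Given a path on the command line it inspects that file; with no argument it checks the constructed two-packet trace. A file that opens with anything other than one of the four magic values raises TraceError, which is the condition the chapter excerpt is about: a "trace" that was never really written in libpcap format.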

Monday, 18 July 2005

Scary New Dangers in Cyberspace

I sometimes watch TV, and I happened to catch a story on ABC World News Tonight called "Your Computer's Stealth Identity Thief." I listened carefully and learned about something scary called a "keylogger." I even saw some cool shots of Symantec's cyber ninjas tapping away on their uber-31337 keyboards. I really paid attention to the tips to help protect [my]self against key logging, spyware, and other computer viruses like "Do not click OK on pop-up windows without first reading them thoroughly." The next time I see a pop-up that says "It's...

News from Visa on Payment Card Industry Standards

Today I got an email from Visa about their participation in the Payment Card Industry standards. They wrote:"A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, they can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts...

Stiennon on Enforcement

Richard Stiennon's blog makes a great point today. He says "The entire IT security market is focused on protections. This is great as more and more protections by default are deployed. But I believe that enforcement actions must be taken as well. There is some sign that cooperation between enforcement agencies in the UK, Israel, and Russia have been effective. The most important was the breaking up of a ring of cyber-extortionists in 2003 that dramatically slowed the number of DDOS incidents. As it will be a while before prosperity finds its way...

Sunday, 17 July 2005

Draft of Extrusion Detection Submitted for Copyediting

I am happy to report that I just submitted the final draft of my next book Extrusion Detection: Security Monitoring for Internal Intrusions to my publisher, Addison-Wesley. The new book is a sequel to The Tao of Network Security Monitoring: Beyond Intrusion Detection. I think readers will find the new book very interesting. Thus far my reviewers have provided positive feedback.

For those interested in the mechanics of book writing: I thought of the idea last summer, just after my first book arrived. I signed a contract in November, then began...

Friday, 15 July 2005

FreeBSD 6.0-BETA1 Available

The availability of FreeBSD 6.0-BETA1 was just announced. I am excited to see this release approaching. Here are a few excerpts from the release announcement thread that may be of interest.

Colin Percival: "The FreeBSD Security Team will support FreeBSD 5.x until at least the end of September 2007."

Colin Percival: "If I was deploying a new server today, I'd install FreeBSD 5.4. If I were planning on installing a new server next month, I'd install...

New Libpcap and Tcpdump Available

Yesterday Libpcap 0.9.3 and Tcpdump 3.9.3 were released at Tcpdump.org. The changelog lists "Support for sending packets" as a new feature. This is the biggest release since 0.8.3/3.8.3 in March last year. I hope to see the FreeBSD ports tree updated to include these new versions, although eventually they will be imported into the base syst...

Thursday, 14 July 2005

Network Trace Archival and Retrieval

I don't pay close enough attention to the Pcap mailing lists. While doing research on WinPcap, I learned of a new project hosted at the WinPcap site called Network Trace Archival and Retrieval (NTAR). The Web site says "the main objective of NTAR is to provide an extensible way to store and retrieve network traces to mass storage." I found this post by NTAR developer Gianluca Varenni making the claim that NTAR is "a working prototype of a library that reads and writes the PCAP-NG format." PCAP-NG is a reference to the PCAP Next Generation Dump...

Auditors in Charge, but 0wn3d Anyway

I read in the latest SC Magazine this comment from Lloyd Hession, CSO of Radianz. "'What is really happening is the head of security is losing control over the security agenda, which is being co-opted by audit and this umbrella of controls... The ability to decide which security projects get funded is being taken out of the security officer's hands... This focus on regulatory issues is causing a loss of control over the security agenda, which is being pushed and dictated by the audit and controls group and meeting the requirements of the regulation." I...

Net Optics Seminar on Passive Monitoring Access

I just received word that Net Optics will be hosting a free seminar titled Fundamentals of Passive Monitoring Access. It will start at 0830 on Wednesday 3 August 2005 at the Hilton Santa Clara in Santa Clara, CA. You will notice the seminar description uses terms like pervasive network awareness and defensible network, which I described when I spoke at Net Optics in May. I am scheduled to speak again at a Net Optics event in September in California. I will post details when availab...

Verisign to Acquire iDEFENSE

The 45 survivors at iDEFENSE must be breathing a sigh of relief. Verisign will buy iDEFENSE for $40 million. That is $100 million less than the cost to acquire Guardent in December 2003. Verisign has over 3,500 employees according to its fact sheet, and it seems to be making ever bigger advances into the security market. I would be interested in hearing from any iDEFENSE insiders (anonymously here) what they think of this acquisiti...

Wednesday, 13 July 2005

How Do You Read TaoSecurity Blog?

Would anyone care to mention how they read this blog? I ask because an owner of a site that aggregates blog postings thoughtfully asked my permission to include TaoSecurity Blog content on his site. I said I preferred to not have this blog's content aggregated and posted elsewhere. I prefer readers to visit this site directly or use the provided XML or RSS links. What are your though...

How to Misuse an Intrusion Detection System

I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york)

Here is part of my reply to the Bleeding-Sigs thread. These rules are completely inappropriate. First, there is no digital security aspect of these rules, so the "provider exception" of the wiretap act is likely nullified. Without obtaining consent from the end users (and thereby...

New Desktop Computing Variant from ClearCube

Clued in by Slashdot I learned of this ZDNet article on ClearCube. This company sells "blade desktops." Users have a device ClearCube calls a "user port" on their desk. Remotely connected to the user port by Cat 5, fiber, or IP is a "PC blade" mounted in a "cage" sitting in a server room or data center. Smart management software allows administrators to switch user ports from blade desktop to blade desktop if one fails.

The following diagram...