Changes Ahead for FreeBSD LiveCDs

There's plenty of activity in FreeBSD-land these days. Colin Percival has become the new FreeBSD Security Officer. FreeBSD 6.0-BETA3 is available, and we might see 6.0-RELEASE by late September.I just learned of a new FreeBSD LiveCD by Matt Olander called BSDLive, which fits on a business card CD (media sleeve available). This is a great advocacy item. I booted the .iso in VMWare and saw it runs FreeBSD 5.4-RELEASE-p6. It boots into X.org 6.8.2....

Read More

Interview with Def Con CTF Winning Team Member Vika Felmetsger

Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna's team. One of the contestants, Vika Felmetsger, was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner. Richard (R): What is your experience with security, and what are your interests?Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB,...

Read More

Request for Help with OpenPacket.org

Earlier this month I announced work on OpenPacket.org, a free site providing quality network traffic traces to researchers, analysts, and other members of the digital security community.We are looking for help in two areas:Open source content management systems (CMS) experience: We believe we will use a CMS to accept, moderate, and present traffic captures to users. We need help planning and deploying a CMS that will meet our needs.Open source database...

Read More

How Do You Use Taps?

How do you use taps? Specifically, do any of you use Net Optics taps? If yes, I would like to speak with you through email. I'm interested in your thoughts on any of these subjects:How did you justify buying these products?Did you encounter any installation issues?How are you using taps?What alternatives did you consider?Did taps help you learn more about any intrusions, or help you prevent or mitigate intrusions?I appreciate any feedback you might have. Please email richard at taosecurity dot com. Thank y...

Read More

Speaking at Net Optics Think Tank on 21 September

I will be speaking at the next Net Optics Think Tank at the Hilton Santa Clara in Santa Clara, CA on 21 September 2005. I will discuss network forensics, with a preview of material in my next two books, Real Digital Forensics and Extrusion Detection: Security Monitoring for Internal Intrusions. I had a good time speaking at the last Think Tank, where I met several blog reade...

Read More

Real Threat Reporting

In an environment where too many people think that flaws in SSH or IIS are "threats," (they're vulnerabilities), it's cool to read a story about real threats. Nathan Thornbourgh's story in Time, The Invasion Of The Chinese Cyberspies (And the Man Who Tried to Stop Them), examines Titan Rain, a so-called "cyberespionage ring" first mentioned by Bradley Graham in last week's Washington Post. The Time story centers on Shawn Carpenter, an ex-Navy and now ex-Sandia National Laboratories security analyst. The story says:"As he had almost every night...

Read More

Teaching Pentagon Security Analysts with Special Ops Security

Prior to attending the IAM class this week, I spent two days teaching security analysts from the Pentagon with instructors from Special Ops Security. (The class was four days, but I was only present for the first two.) I think we offered some unique perspectives on security. Steve Andres, author of Security Sage's Guide to Hardening the Network Infrastructure spoke about hardening network infrastructure on day one. I taught network security monitoring...

Read More

Thoughts on NSA IAM Course

Today I finished the NSA INFOSEC Assessment Methodology (IAM) class taught by two great instructors from EDS and hosted in the beautiful Nortel PEC building in Fairfax, VA. I attended because the rate offered by EDS through my local ISSA-NoVA chapter was an incredible bargain. I did not realize prior to the class that NSA posts the exact slides used to teach the course online. The course was much more applicable to my line of work than I realized. I've decided to apply the methodology to the assessments I perform on customer network security...

Read More

What the CISSP Should Be

Today I saw a new comment on my criticism of the ISC2's attempt to survey members on "key input into the content of the CISSP® examination." Several of you have asked what I would recommend the Certified Information Systems Security Professional (CISSP) exam should cover. I have a very simple answer: NIST SP 800-27, Rev. A (.pdf). This document, titled Engineering Principles for Information Technology Security (A Baseline for Achieving Security), is almost exactly what a so-called "security professional" should know. The document presents 33...

Read More

Great Reporting by Brian Krebs

During the Mike Lynn affair I found Brian Krebs' reporting to be invaluable. Now he has provided an excellent story on the arrest of the Zotob and Mytob worm authors. I recommend you read the story linked from Brian's blog. Highlights include:"Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft...The author of the original Blaster worm remains at large, and Microsoft has offered a $250,000 bounty for information leading the arrest and conviction of that person...[E]vidence...

Read More

BSD Certification Group Publishes Certification Roadmap

Yesterday the BSD Certification Group published the Certification Roadmap (.pdf). I realize I have been beaten by Slashdot on this story, but I have been either teaching or in training all week! (More on that when I have time -- I return to class tomorrow.) From the press release:"The BSD Certification Group has decided that the associate level certification, followed by the professional level certification, will be rolled out in 2006. The associate certification targets those with light to moderate skills in system administration and maps to...

Read More

BBC News Understands Risk

This evening I watched a story on BBC News about the problem of bird flu. Here is the story broken down in proper risk assessment language.Two assets are at risk: human health and bird health. We'll concentrate on birds in this analysis. Healthy birds are the asset we wish to protect.The threat is wild migratory birds infected by bird flu.The threat uses an exploit, namely bird flu itself.The vulnerability possessed by the asset and exploited by the threat is lack of immunity to bird flu.A countermeasure to reduce the asset's exposure to the...

Read More

Short History of Worms

I found Ryan Naraine's article From Melissa to Zotob to be a good summary of popular worms of the last few years. I remember Melissa as a real wake-up call for the community. It hit on a Friday night, and the following Saturday morning my (soon-to-be) wife and I were getting engagement photos taken. My commanding officer called during the photo session and said all officers were being recalled to the AFCERT to "fight" the worm. That was an interesting weekend!A comment in the latest SANS NewsBites by editor Rohit Dhamankar on Zotob makes a...

Read More

Network Security Operations Class Discount for ISSA-NoVA Members

Are you a member of ISSA-NoVA? Would you like to attend my public Network Security Operations class next month, at Nortel PEC in Fairfax, VA from Tuesday 27 September through Friday 30 September? If so, I'm offering a one-time discount for you. ISSA-NoVA members who sign up and pay for the class no later than Friday 16 September can attend the class for $1995 -- a $1000 discount. Contact me at richard at taosecurity dot com if you're interested, and visit my training page for more details on this 4-day, hands-on, technical cla...

Read More

Request for Lab Ideas

I previously announced my four day Network Security Operations class. I have planned some of the labs for the class, but I thought you might have ideas regarding the sorts of hands-on activities you would want to try. The class consists of four days, covering network security monitoring, network incident response, and network forensics. Days one, two, and three each offer small labs at regular intervals to reinforce the lecture material. Day four is entirely lab-based.One of my goals is to give each student his or her own environment for analysis....

Read More

Air Force Personnel Database Owned

According to this Air Force Times story, personnel data for "about 33,300 officers and 19 airmen" was remotely accessed. The records include "Social Security numbers... marital status, number of dependents, date of birth, race/ethnic origin (if declared), civilian educational degrees and major areas of study, school and year of graduation, and duty information for overseas assignments or for routinely sensitive units." The story quotes an Air Force spokesman:"'Basically, we had an unauthorized user gain access to a single user account by stealing...

Read More

Windows Remote Administration Options

This morning I worked with several remote administration tools on my Windows Server 2003 system. First I enabled the native Remote Desktop (aka Terminal Services) capability via My Computer -> Properties -> Remote At this point I am only letting administrator connect remotely. Since administrator can connect remotely by default once the service is activated, I didn't need to make any other changes. Once Remote Desktop is listening, it will appear active on port 3389 TCP. To access the Windows server remotely from Unix using the RDP protocol,...

Read More

NYCBSDCon

If you're near New York city, you might want to check out NYCBSDCon on 17 September 2005. The New York City BSD User Group is organizing the one-day event. Speakers on the agenda include Dru Lavigne, Michael Lucas, and Marshall Kirk McKusick. I believe I will attend since the drive from DC isn't too b...

Read More

Comments on Network Anomaly Detection System Article

I was asked to comment on Paul Proctor's new article in the August 2005 Information Security magzine, titled A Safe Bet?. Paul is an analyst at Gartner now, but years ago he wrote an excellent book -- The Practical Intrusion Detection Handbook, which I reviewed five years ago. Paul's article introduces network anomaly detection systems, shorted by the wonderful acronym NADS. Paul describes NADS thus:"NADS are designed to analyze network traffic...

Read More

Excellent Anti-DDoS Story

If you haven't read How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won, you're in for a treat. I stumbled across this today, and remembered reading it several months ago. I realized I never blogged the story. The technician at the heart of the story is Barrett Lyon, who began the Opte Project. His company Prolexic takes an innovative approach to surviving DDoS attacks. He seems to redirect traffic aimed at his clients, filters attack traffic, and then sends it to the intended recipients. I imagine he employs some creative routing...

Read More

Thoughts on SANS .edu Security Debate

The 10 August 2005 issue of the SANS NewsBites newsletter featured this comment by John Pescatore:"There has [sic] been a flood of universities acknowledging data compromises and .edu domains are one of the largest sources of computers compromised with malicious software. While the amount of attention universities pay to security has been rising in the past few years, it has mostly been to react to potential lawsuits do [sic] to illegal file sharing and the like - universities need to pay way more attention to how their own sys admins manage their...

Read More

Windows Server 2003 x64 Enterprise Edition

I managed to install Windows Server 2003, Enterprise x64 Edition (64-bit) trial on my Shuttle SB81P. The only component that wasn't recognized natively was the BCM5751NetXtreme Gigabit Ethernet Controller for Desktops. I used the Windows Server 2003 (AMD x86-64) driver to get the NIC working. I'm lucky my FreeBSD dmesg output recognized this NIC accurately:bge0: mem 0xd0000000-0xd000ffff irq 16 at device 0.0 on pci1miibus0: on bge0brgphy0: ...

Read More

FreeBSD on Shuttle SB81P

I bought a new Shuttle SB81P to use as a VMWare GSX server in my Network Security Operations class. I bought the system to provide VMWare images which students could independently manipulate. This will make the class more hands-on without requiring much investment on the student's part. All I will ask is that the student brings a laptop with a Secure Shell client. If the student wants to directly interact with the VM, he or she can install the...

Read More

New Issue of (IN)SECURE Magazine Features Book, Blog

Mirko Zorz of Help Net Security emailed to tell me that Issue 3 (.pdf) of (IN)SECURE Magazine is available for download. The new issue has a few kind words about my first book and this blog. The new issue also features an interview with Michal Zalewski, a discussion of so-called Unified Threat Management (UTM) "solutions" (groan), and other helpful articl...

Read More

Comment on Draft NIST Publications

While reading the blog of Keith Jones I learned of a variety of new draft NIST pubs that are open for comment from the general public. You may want to review one or more to provide feedback. I found the following drafts interesting (all are .pdf):800-40 Version 2, Creating a Patch and Vulnerability Management Program800-86, Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response (which mentions my first book -- thanks)800-83, Guide to Malware Incident Prevention and Handling800-81, Secure Domain Name System...

Read More

National Vulnerability Database

I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way:"NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."There's a link to a workload index, whose URL includes the term "threatindex" (groan). On that page we read:"Workload Index InformationThis index calculates...

Read More

Routing Enumeration

One of the cooler sections in Extreme Exploits covers ways to learn about a target network by looking at routes to those networks. I showed a few ways to use this data two years ago, but here's a more recent example.Let's say I want to find out more about the organization hosting the Extreme Exploits Web site. First I resolve the hostname to an IP address.host www.extremeexploits.comwww.extremeexploits.com has address 69.16.147.21Now I use whois to locate the owner's netblock.whois 69.16.147.21Puregig, Inc. PUREGIG1 (NET-69-16-128-0-1) ...

Read More

Review of Extreme Exploits Posted

Amazon.com just posted my four star review of Extreme Exploits Advanced Defenses Against Hardcore Hacks. From the review:"I read Extreme Exploits because the content looked intriguing and I am familiar with applications written by lead author Victor Oppleman. The back cover states the book is "packed with never-before-published advanced security techniques," but I disagree with that assessment. While I found all of the content helpful, between 1/3...

Read More

Updating FreeBSD Perl Using Packages

I detest having to upgrade core FreeBSD packages like Perl that are relied upon by so many other applications. All of my systems are old and dog slow, so I tend to install software on FreeBSD using its native package system. For example, before installing a package, I set this environment variable:setenv PACKAGESITE ftp://ftp6.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/Latest/Replace '6' with the number of the mirror closest to you.That...

Read More

Plug and Play Worm in Wild

The SANS ISC is reporting that a worm which exploits the Plug and Play (PnP) vulnerability described by MS05-039 is in the wild. The F-Secure Blog reports the worm is called Zotob. The Microsoft bulletin lists three mitigating factors:On Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by...

Read More

Ethernet to Your ISP

Today I was chatting in the #snort-gui channel on irc.freenode.net, and someone (who shall rename anonymous) mentioned that his ISP provides Ethernet connectivity. This surprised me because my previous employer had DS3 circuits as one might see in the image below.Tapping a DS3 connection requires specialized gear (as shown in the DS3 tap, but access to Ethernet is more readily available.How many of you have Ethernet connectivity to your ISP?The...

Read More

LinuxWorld Sguil Presentation Online

David Bianco of Vorant Network Security posted his LinuxWorld presentation Open Source Network Security Monitoring With Sguil (.pdf). David provides a great overview of Sguil, how to use it, and its benefits. On the Sguil improvement front, lead developer Bamm Visscher has moved his family to Colorado and will settle in his new house next week. Expect to see Sguil 0.6.0 later this summer as Bamm's new work environment settles do...

Read More

Steve Riley on 802.1X Flaw

This is not a Microsoft issue, but I learned of it through a Microsoft Security Newsletter feature called 802.1X on Wired Networks Considered Harmful by Steve Riley. He claims to have written about this subject in his book Protect Your Windows Network: From Perimeter to Data, but he believes the issue merits greater attention. Cutting past the introduction to 802.1X, Steve writes:"[T]here’s a fundamental flaw in wired, 802.1X that seriously reduces its effectiveness at keeping out rogue machines...[I]t authenticates only at the establishment...

Read More