Friday, 30 September 2005

Last Days to Register for ShmooCon 2006 for $75

Today and tomorrow (1 October) are the last days to register for ShmooCon 2006 for $75. The conference will be held in Washington, DC on 13-15 January 2006. Starting 2 October the price doubles to $150. This is a very innovative conference that you simply cannot beat for the price. I will atte...

Excellent Article on FreeBSD ACLs

Dru Lavigne wrote an excellent article called Using FreeBSD's ACLs. She describes how to use File System Access Control Lists in a reader-friendly manner, complete with screen shots of the Eiciel GUI tool (in the ports tree). Great work D...

Thursday, 29 September 2005

Open Source Security in the Enterprise

This morning I briefed a client on the results of a Network Security Monitoring Assessment I performed for them. I model my NSM Assessment on the NSA-IAM, which uses interviews, observation, and documentation review to assess security postures. My NSM Assessment uses the same techniques to identify problems and provide recommendations for improving intrusion detection and NSM operations. During one of the briefings the top manager asked for my opinion on using open source security tools. He wanted to know the guidelines I use to determine if an...

Wednesday, 28 September 2005

Rootkits Make NSM More Relevant Than Ever

Federico Biancuzzi conducted an excellent interview with Greg Hoglund and Jamie Butler, authors of Rootkits: Subverting the Windows Kernel. I reviewed this book during publication for Addison-Wesley, but I don't plan to read it for personal education until I get deep into the programming part of my reading list. This is the sort of book that looks K-RAD on your bookshelf, telling those passing your cube that you've got m@d 31337 sk1llz. Doing...

Thoughts on EAL7 Rating

I read in the story Network appliance to get highest-ever security rating by Michael Arnone about the EAL7 Evaluation Assurance Rating achieved by the Tenix Datagate. An EAL7 system bears these qualities: "Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised." My last...

Monday, 26 September 2005

Common Criteria

I received the September issue of the ISSA Journal. It contains several useful articles, with the most helpful to me being a humanly readable summary of the Common Criteria by Alex Ragen. I don't think Mr. Ragen clearly states who needs to purchase Common Criteria-validated products, however. His article's first sentence states: "On July 1, 2002, the US Department of Defense began to enforce National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11 (issued in January 2000), which mandates that US government agencies...

Webroot State of Spyware Report

On a flight from San Francisco to Washington Dulles I managed to read the latest State of Spyware report from Webroot Software. I'm not sure how I got the heavy printed version. Maybe it was sent courtesy of Richard Stiennon, who is Vice President of Threat Research. (That's an interesting title.) I thought the report was useful. It provides a broad look at spyware, and specifics on several examples. It contains an excellent section on spyware-related legislation. The report provides plenty of background for management who need justification...

Sunday, 25 September 2005

Common Malware Enumeration

This article describes the Common Malware Enumeration project. CME is a sister project to Mitre's Common Vulnerabilities and Exposures (CVE) initiative. CME will "assign unique identifiers to high priority malware events." This is a great idea, because anti-virus vendors, security researchers, and OS/application vendors will be able to refer to a common name rather than their internal representations for malware. DHS is funding the CME proje...

Thursday, 22 September 2005

Measuring Bandwidth Utilization on Cisco Switch Ports

Yesterday I spoke at the third Net Optics Think Tank in Santa Clara, CA. During the event one of the Net Optics product managers asked me about measuring bandwidth utilization on switch ports. I did not have an answer for him... until I took a look at the latest Packet magazine. The Q305 (.pdf) edition features a tip from Aurelio DeSimone on p. 13 mentioning the show controllers utilization command. If anyone knows of a similar set of information via SNMP, please let me know via a comment here. Here is sample output:

Switch> show controllers...

John Ward Compiles Snort on Windows

Newsflash: compiling Snort on Windows is not the chore some people believe it to be. After reading my flailing attempt to use a beta Visual Studio to compile Snort 2.4.1 from source on my Windows 2000 laptop, John Ward stepped in and got the job done. John's a professional programmer, but anyone who uses his approach will have the same results. Thanks for stepping up to the pla...

Tuesday, 20 September 2005

Citadel Offers Product Security Warranty

Thanks to this SC Magazine story, I learned that Citadel Security Software is offering a performance warranty on their Hercules vulnerability management product. They say: "The Hercules SecurePlus warranty guarantees the product’s performance against Citadel’s published service level objectives to deliver timely, accurate and effective vulnerability remedies for known exploits. Citadel’s service level objectives are the expected delivery times for the vulnerability remedies and associated security content produced by Citadel’s internal security...

FreeBSD 6.0-BETA5 Available

FreeBSD 6.0-BETA5 is available in the pub/FreeBSD/ISO-IMAGES-i386/6.0/ directory of some FreeBSD mirror FTP sites. I found it at the master site, but I expect to see it replicated elsewhere soon. I believe this will be the last BETA before RCs (perhaps RC1, RC2, and RC3) are produced. The release engineering team is putting a lot of work into this release. I can't wait to deploy it in production. I see 6.0 as more of a continuation of 5.x, and...

Brian Krebs Discusses Sean Gorman

Yesterday's Security Fix post mentions work by Sean Gorman to map American critical infrastructure. Sean wrote a book titled Networks, Security And Complexity: The Role of Public Policy in Critical Infrastructure Protection based on his studies. I don't plan to buy this book since I cannot justify spending $75 on an academic text, but it does look interesti...

Monday, 19 September 2005

Compiling Snort on Windows

Many of you have undoubtedly read the snort-users thread where some people complain about not having Snort in compiled form as soon as Sourcefire releases Snort in source code form. Sourcefire released Snort 2.4.1, a vulnerability bug fix, on Friday. They only released an updated snort-2.4.1.tar.gz archive. There were no Linux RPMs or Win32 installation packages. I decided to learn what was involved with compiling Snort on Windows. Right now I will say I did not finish the job. I am not a Windows programmer. I do not use Windows as a software...

Sunday, 18 September 2005

SecurityFocus SNMP Article

Thanks to Simon Howard for pointing me toward a new article by Mati Aharoni and William M. Hidalgo titled Cisco SNMP configuration attack with a GRE tunnel. The article shows the dangers of not denying packets from the Internet using spoofed internal addresses. The article builds on Mark Wolfgang's Exploiting Cisco Routers: Part 1, where an intruder uses an SNMP SET command to retrieve a router configuration file via TFTP. As Simon wrote in his...

Saturday, 17 September 2005

Engineering Disaster Lessons for Digital Security

I watched an episode of Modern Marvels on the History Channel this afternoon. It was Engineering Disasters 11, one in a series of videos on engineering failures. A few thoughts came to mind while watching the show. I will provide commentary on each topic addressed by the episode. First discussed was the 1944 Cleveland liquefied natural gas (LNG) fire. Engineers built a new LNG tank out of material that failed when exposed to cold, torching nearby homes and businesses when ignited. 128 people died. Engineers were not aware of the metal's failure...

Friday, 16 September 2005

When a Wireless Adapter Is Not a Wireless Bridge

Several weeks ago I was looking for a way to provide my desk laptop with 802.11g connectivity. Sometimes I operate two or three systems on my desk. I thought it might be helpful to purchase an 802.11g wireless bridge. Using the bridge, I could connect those multiple systems via Ethernet to the bridge, and have the bridge speak 802.11g to my Linksys wireless access point. I had not had good experiences with 802.11b Linksys WET11 bridges, so I turned...

IPv6 as a Technology Refresh

I've written about government and IPv6 before. The article OMB: No new money for IPv6 by David Perera includes the following: "Federal agencies have all the money they need to make a mandatory transition to the next generation of IP, a top Office of Management and Budget official said today. 'The good news, you have all the money you need. [IP Version 6] is a technology refresh,' said Glenn Schlarman, information policy branch chief in OMB's Office of Information and Regulatory Affairs. Schlarman spoke at a Potomac Forum event on IPv6. 'You have...

Thoughts on Software Assurance

Last night I attended a talk at my local ISSA chapter. The speaker was Joe Jarzombek, Director for Software Assurance for the National Cyber Security Division of the Department of Homeland Security. Mr Jarzombek began his talk by pointing out the proposed DHS reorganization creates an Assistant Secretary for Cyber Security and Telecommunications working for the Under Secretary for Preparedness. This is supposed to be an improvement over the previous job held by Amit Yoran, where he led the National Cyber Security Division, under the Information...

Thursday, 15 September 2005

BSD Certification Group Publishes Usage Survey

The BSD Certification Group is looking for people to complete a BSD Usage Survey. The survey consists of 19 questions. It took me less than five minutes to complete it. You can read more about the survey in this press release and the news section. Please complete this survey if you use any of the BSDs. It will help us better design a BSD Certification for you. Thank you! Also, the August newsletter has been published, and you can track BSD certification progress at our BSD Certification Group Bl...

Notes on Network Security Monitoring

I've been performing a network security monitoring assessment for a client this week. I use interviews, observations, and documentation review to provide findings, discussion, and recommendations for improving your incident detection and response operations. During this process I was asked if I knew ways to measure packet loss on open source sensors. (This client uses FreeBSD, which is helpful!) Today I remembered work by Christian SJ Peron on bpfstat, available only on FreeBSD 6.0. bpfstat provides statistics like the following. Here I am...

Tuesday, 13 September 2005

Vulnerability in Snort 2.4.0 and Older

I read this news about a vulnerability in Snort 2.4.0 and older versions. You're affected if you process a malicious packet while in verbose mode. This means running Snort using the -v switch. Typically this is only used to visually inspect traffic and not for intrusion detection purposes. Through the FrSIRT advisory I learned about the discovery of this vulnerability by A. Alejandro Hernández Hernández. An exploit is available to crash Snort. Interrupting program flow to control the system is not indicated at this time. The researcher used...

Monday, 12 September 2005

Sguil at RAID 2005

Thanks to Russ McRee, Sguil made an appearance in a poster session at the 2005 Eighth International Symposium on Recent Advances in Intrusion Detection (RAID). I attended RAID 2003. I've posted Russ' slides (.pdf, 5.8 MB) on the Sguil home page to conserve Russ' bandwidth. Russ advocates using Sguil and Aanval in tandem. I have never used Aanval, and it does not appear in the FreeBSD ports tree. I may still give it a try when I find ti...

Register for 15 September ISSA-NoVA Meeting by Noon Tuesday

To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Joe Jarzombek, Director for Software Assurance for the National Cyber Security Division of the Department of Homeland Security. The topic will be Software Assurance: A Strategic initiative of the US Department of Homeland Security to promote Integrity, Security, and Reliability in Software - Considerations for Advancing a National Strategy to Secure Cyberspace. Wordy, but hopefully...

VMWare 5.5 Beta Available

I received an email today stating that VMWare Workstation 5.5 Beta is available. I am using Workstation 5 on Windows Server 2003 x86 Edition to support my Network Security Operations class. When students use SSH to connect to the class server, they are logging in to a FreeBSD server running in VMWare. (I also dual-boot the server with FreeBSD 6.0-BETAx using the amd64 port.) The key advances appear to be the following: support for 64-bit guest operating systems; experimental support for 2-way Virtual SMP; new support for select host and guest operating...

Friday, 09 September 2005

Two Good SecurityFocus Articles

I just read two good columns at SecurityFocus. The first, A Changing Landscape, is by Red Cliff consultant, fellow ex-Foundstone consultant, and Extrusion Detection contributing author Rohyt Belani. He theorizes about the rise of client-side attacks and their effect on statistics reported by CERT/CC. The second article is an interview with FX of Phenoelit. He discusses exploiting Cisco IOS, which is fascinati...

Final Call for NYCBSDCON Preregistration

Brad Schonhorst reminds us that if you're near New York City, you might want to check out NYCBSDCon on 17 September 2005. Tomorrow (Saturday) is the last day to preregister for this event. I won't be able to attend due to work constraints, but I think this will be a great c...

Network Security Operations Class Description

Several people have asked for additional detail on the sorts of topics covered in my Network Security Operations class. Having spent several minutes composing this response, I figured others might want to see what I teach. Day one is all network security monitoring. This day is mainly based on material in The Tao of Network Security Monitoring. We start with a case study and then a theory section to provide background. I follow by discussing techniques to access wired and wireless traffic. That's about half of day one. The second half introduces...

IATF Discusses Availability and Awareness

Yesterday I attended a meeting of the Information Assurance Technical Framework (IATF) Forum. I last attended an IATF meeting two years ago. According to this introduction (.pdf) document, the IATF Forum "is a National Security Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S. Government agencies, U.S. Industry, and U.S. Academia seeking to provide their customers solutions for information assurance problems." Half...

Tuesday, 06 September 2005

VMWare Team LAN Appears Shared

Previously I wrote about my plans to incorporate VMWare into my classes. Originally I intended to use GSX Server. I thought I would give each student his or her own independent image. I assumed people would want to build their own sensors (from the ground up), and that required providing complete virtual machines. Based on feedback here and in classes since that post, I've learned most people don't care about building sensors. They are more...

Sunday, 04 September 2005

Speaking at DoD Cybercrime in January

I learned I will be delivering two presentations at the DoD Cybercrime 2006 Conference in Palm Harbor, FL on 11 January 2006. I will present shortened versions of my network incident response and forensics classes. Last year I spoke about network security monitoring with Sguil and other open source tools. In 2000 I spoke at the first DoD Cybercrime conference in Colorado, delivering the AFCERT mission briefi...

Saturday, 03 September 2005

Speaking at USENIX LISA in December

I just checked the training schedule for the next USENIX LISA (Large Installation System Administration) conference. I will teach network security monitoring, incident response, and forensics. These are each full-day tutorials, which begin on Tuesday 6 December and end Thursday 8 December. Early bird registration ends 18 November 2005. It looks like you can attend all three days for $1775. I am looking forward to teaching these classes because the USENIX crowd is always top-notch. Don't forget my only scheduled public Network Security Operations...

Friday, 02 September 2005

Request for Comments on CERT and SEI Training

I have been taking a closer look at training offered by the CERT® Coordination Center and the Software Engineering Institute. Six years ago as an Air Force captain from the AFCERT I enjoyed the Advanced Incident Handling for Technical Staff. Now I may have a chance to teach or develop course materials for some of these courses. I am also considering the value of the CERT®-Certified Computer Security Incident Handler program. Has anyone attended any of these courses recently? If yes, what do you think of them? If no, why not? What alternatives...

Thursday, 01 September 2005

Thoughts on Cisco Packet Magazine

I like to read Cisco's quarterly Packet magazine. It's free, and it provides insight into developments by the world's networking (and one day, security) juggernaut. While waiting for car maintenance this morning, I managed to read much of the Quarter 2 2005 issue, devoted to Self-Defending Networks. According to Cisco, they have been releasing Self-Defending Network components every few years. In 2000 they offered integrated security, followed...

Feds Hurry, Slow Down

In my post Opportunity Costs of Security Clearances I ranted about needing security clearances for assessment work. Now I read Security clearance delays still a problem by Florence Olsen: "Security clearance delays are the same, if not worse, than a year ago, before lawmakers made changes designed to help clear the backlog...[N]ewly enacted reciprocity rules have made no dent in a problem that is creating mounting costs for high-tech companies. Those rules permit agencies to accept clearances initiated by other agencies." Wonderful. Not only do...

Pool IDS

By now you've probably heard the story about the 10-year-old girl in Wales who was saved by the Poseidon computer-aided drowning detection system. According to the vendor: "[Poseidon] uses advanced computer vision technology to analyze activity in the pool, captured by a network of cameras mounted both above and below the surface of the pool. Poseidon helps lifeguards monitor swimmers' trajectories, and can alert them in seconds to a swimmer in trouble."...