Wednesday, 30 November 2005

Why Duplicate Packets May Appear on SPAN Ports

I noticed a post to snort-users today asking if Snort had a problem with duplicate packets: "We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card." I think I know why this is...

Tuesday, 29 November 2005

Two New Pre-Reviews

Thank you to the publishers who sent two new books in the last few weeks. First is Phishing Exposed, by Lance James, published by Syngress. This looks like a great book. I loved Inside the Spam Cartel, so I have high hopes for this new book. The book appears to have plenty of technical details. Next is Running IPv6 by Iljitsch van Beijnum, published by Apress. I liked his book BGP. I already read and reviewed IPv6 Network Administration from...

Monday, 28 November 2005

Bejtlich Teaching Next Week at USENIX LISA

Next week I will present three full-day tutorials at USENIX LISA 2005 in San Diego, CA, from 6-8 December 2005. I will teach network security monitoring, incident response, and forensics. I hope to attend a tutorial on Monday afternoon and several presentations on Friday as well. I'll be wearing TaoSecurity clothing, so please stop by to chat if you're nearby! I believe Addison-Wesley will also sponsor a book-signing, but I do not know when that will be. Update: I just learned the book signing will take place in the Golden Ballroom from 5:30...

SANS Replaces Several Threat References in Top 20

Last week I posted comments about several misuses of the word "threat" in the latest SANS twenty most critical Internet security vulnerabilities. After receiving an email from Alan Paller, I returned to the SANS site and saw many of my recommended changes were made. For example, you can now "Jump To Index of Top 20 Vulnerabilities", instead of "threats." I appreciate SANS taking my suggestions to heart. Update: It's becoming clear where the confusion regarding "threat" vs "vulnerability" originates for the SANS Top 20. One of you pointed me...

Saturday, 26 November 2005

Three Great Session Data Articles

I just happened upon three great articles by Michael W. Lucas on collecting and analyzing session data on FreeBSD. They are:

Monitoring Network Traffic with Netflow
Visualizing Network Traffic with Netflow and FlowScan
Building Detailed Network Reports with Netflow

Michael introduces several techniques and tools not mentioned in my books, like softflowd, Cflow.pm, flowscan, CUFlow, and others. Nice work! (Incidentally, I am the USENIX instructor Michael references in his last article.) ...

Friday, 25 November 2005

NISCC Director Understands Real Threats

Roger Cummings, director of the UK's National Infrastructure Security Co-ordination Centre, made interesting comments reported by News.com: "Cummings said the most significant element in the malicious marketplace is foreign states, whose target is information. Next are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have 'a variable capability' when it comes to attacks... However, these pose a more serious threat than terrorists, who currently have a low capability." The article continues: "NISCC...

Tenable and Nessus News

Federico Biancuzzi conducted an extensive interview with Tenable Network Security co-founder and Extrusion Detection contributor Ron Gula. He discusses Nessus 3, including features and licensing changes. Ron also mentions Nessus support services, training, certification, and books, which all sound cool to ...

Tuesday, 22 November 2005

The Good and the Bad About the New SANS Top 20

Back in January I noted that SANS was not using the terms "threat" and "vulnerability" properly in its call for help on the "twenty most critical Internet security vulnerabilities," represented by the logo at left. You will remember that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats...

Monday, 21 November 2005

Demand for a BSD Associate Certification Guide

I have an idea for a new book. For the last year I have been part of the BSD Certification Group (BSDCG). I started out as a Group member, but moved to the Advisory Board when TaoSecurity business occupied too much of my time. Last month the BSDCG published its BSD Associate Exam Objectives (.pdf). The document outlines all the skills a candidate for the BSD Associate cert is expected to have. However, no specifics are given. For example:

3.2.12 Change the encryption algorithm used to encrypt the password database.
Concept: Given a screenshot of...

Extrusion Detection Shipping

Good news -- several of you have reported receiving copies of my new book Extrusion Detection, ordered through regular online vendors. I'm happy to see Amazon.com finally listing the book as "Usually ships within 24 hours." It appears Buy.com has a great deal, with free shipping and a $29.69 price. If you have any suggested changes, please let me know within the next 10 days. I owe corrections to my publisher for the second printing on 2 December....

Tethereal Ring Buffer Syntax Changes Again

It's tough to keep up with syntax changes in Tethereal. Only a few months ago I posted syntax to use Tethereal in ring buffer mode. I like ring buffer mode because it is a "fire and forget" solution for collecting full content data. You tell Tethereal how many files, and of what size, it should collect, and then the program just keeps logging as much as you specify. Today when trying Tethereal 0.10.13, I discovered the syntax has changed again. First, the relevant man page excerpt:

-a Specify a criterion that specifies when Tethereal...

Friday, 18 November 2005

Security Awareness Training: A Waste of Time?

Extrusion Detection contributing author Rohyt Belani told me about his new SC Magazine article Changing End Users' Security Mindset. Here are some astonishing excerpts: "[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property. These exercises involved scripted telephone calls to the organizations' customer service departments...

Thursday, 17 November 2005

FCW Reports DoD to Hold Security Stand-Down

I read that DoD plans to hold a security stand-down on 29 November "to focus on information assurance and network security." Apparently United States Strategic Command, one of nine Unified Commands, issued the order. The news came from Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations (JTF-GNO). FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious...

Wednesday, 16 November 2005

Thoughts on CMP Acquisition of Black Hat

I just learned that CMP Media, publishers of IT magazines like Network Computing and IT Architect (formerly Network Magazine), just acquired Jeff Moss' Black Hat, Inc. for $10 million. I'm amazed that Black Hat went for that much. The organization may offer consulting, but it's mainly known for its conferences. Those conferences rely on instructors, none of whom are obligated to speak (as far as I know). Without any intellectual property, substantial workforce, or product lines, I'd say Black Hat did pretty well for itself! I did not realize...

BSD Certification Group Solicits Donations

The BSD Certification Group is soliciting donations to offset the costs of creating the certification. The main expense is psychometric analysis of the proposed certification exam. This is fancy talk for ensuring the test assesses what the BSD Certification Group expects to measure. The BSDCG was incorporated as a non-profit corporation (a 501(c)(3) scientific and educational charitable organization) in the state of New Jersey, but the IRS has not validated their status y...

Tuesday, 15 November 2005

Using Cache Snooping to Estimate Code Spread

I've stayed out of the whole Sony DRM affair because I felt Windows guru Mark Russinovich has forgotten more about Windows internals than I will ever know. I try to avoid commenting on issues out of my league, and Windows rootkits are generally not something I know how to analyze at the host level. However, today I learned of a Wired story that incorporates new Dan Kaminsky research. Dan has provided a conservative estimate of the number of systems on which the Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology....

Monday, 14 November 2005

Extrusion Detection Shipping at Barnes and Noble

I got two boxes of Extrusion Detection copies from my publisher today. Looking at BestBookBuys.com, I see Barnes and Noble lists the book as "Usually ships within 24 hours." I would give B&N a try, or order directly from the publisher, if you really want a copy of the book quickly. Alternatively, you might be able to win a copy in the monthly raffle held at my local ISSA NoVA chapter meeting. Last time I provided a copy of Real Digital Forensics...

Sunday, 13 November 2005

Problems with FreeBSD 6.0 as VMware Workstation Guest

I've encountered a problem running FreeBSD 6.0 as a guest OS in VMware Workstation 5.0. I discovered the FreeBSD VM runs at half speed, such that 10 seconds of real time appears to be 5 or so seconds within the VM. I tried installing the vmware-guestd port but that had no effect, even though it is running in the VM. After reading this post, I tried changing this sysctl:

gruden:/root# sysctl -a kern.timecounter.hardware
kern.timecounter.hardware: ACPI-fast
gruden:/root# sysctl kern.timecounter.hardware=TSC
kern.timecounter.hardware: ACPI-fast ->...

Saturday, 12 November 2005

Presentations on OpenBSD Ports and More

Joe Stevensen sent word of two new OpenBSD presentations. The first is OpenBSD Ports and Packages, by Marc Espie. He takes some shots at the other BSDs, including FreeBSD. He's wrong about Python being needed to update FreeBSD ports. An article I wrote for the February 2006 Sys Admin magazine on keeping FreeBSD up-to-date doesn't use any Python, but it does require Ruby and Perl. I do agree with some of Marc's critique, however. It would be nice to have package update tools built into the base system. Perhaps they could be written in Perl...

Thursday, 10 November 2005

Sample Extrusion Detection Chapter Posted

My publisher just posted Chapter 4: Enterprise Network Instrumentation from my new book, Extrusion Detection: Security Monitoring for Internal Intrusions. The table of contents, preface, foreword by Marcus Ranum, and index are also all online. Marcus' foreword (.pdf) is different from most; he interviews me. For example: "MJR: I've noticed you're a fan of Bruce Lee! It's interesting to me how a lot of us security guys find parallels between...

Deleting Hard Drives

Today the subject of deleting hard drives was raised in the #snort-gui IRC channel. jrk and geek00L mentioned using Darik's Boot and Nuke (DBAN), an open source (GPL) "self-contained boot floppy that securely wipes the hard disks of most computers." I found DBAN very easy to use. It boasts some impressive features too. When you boot from the floppy image or CD-ROM .iso you see this screen. The About screen offers warnings and caveats. I like the ability...

Tuesday, 08 November 2005

Powerful Laptop Recommendations?

I'm looking for a replacement for my aging, circa-2000 IBM Thinkpad a20p, pictured at right. I was wondering if you might have any recommendations? I plan to dual-boot Windows XP and FreeBSD 6.0 on this system. It needs to be powerful as I would like to use it for teaching classes as well. Here are the specs I had in mind:

Intel® Pentium® M Processor 760 [2.00GHz, 2MB L2 cache, 533MHz FSB]
2 GB RAM
60 GB+ 7200 RPM HDD
NVIDIA GeForce video, to take advantage of their FreeBSD drivers and avoid ATI
Gigabit NIC
802.11b/g is nice, especially if disabled...

Congratulations to Feds

I'd like to congratulate the United States Attorney's Office, Central District of California for indicting a bot net controller. According to the press release and the indictment (.pdf), up to 400,000 victims were compromised. You can track the progress of this case through the Post Indictment Arraignment Calendar. This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable...

Monday, 07 November 2005

New SearchSecurity.com Tip Posted

SearchSecurity.com just posted a short article I wrote titled Using attack responses to improve intrusion detection. It's about watching outbound traffic to identify intrusions. From the article: "Network-based IDSes are deployed to identify compromised targets, while network-based IPSes are deployed in an effort to prevent compromise. Both systems must be able to recognize malicious traffic to issue warnings or block offending packets. IDSes, however, have the upper hand in identifying intrusions, because they have the luxury of generating an...

Websense ToorCon Presentation

Thanks to a comment from Shahid for pointing me to the WebSense Security Labs presentation The Web Vector: Exploiting Human and Browser Vulnerabilities (.pdf). I think the most interesting part of the briefing is the introduction of Web-based bot net command and control. Because organizations are locking down outbound IRC, bot net controllers are using HTTP as a replacement protocol. If anyone has any experience with this sort of traffic, I would be interested in hearing from y...

Friday, 04 November 2005

Latest Book Arrives Soon

My third book, Extrusion Detection: Security Monitoring for Internal Intrusions, should appear on book shelves very soon. Addison-Wesley updated the publication date to reflect today (4 November 2005), a week earlier than the planned 11 November launch. I have not yet received a copy, and no preview chapters have been posted yet. I was assured that Chapter 4, Enterprise Network Instrumentation, would be made available in .pdf form at the publisher's...

Sguil 0.6.0-RC2 Available

After much development, Sguil 0.6.0-RC2 is now available for download. Several new features appear in 0.6.0, including:

MySQL's MERGE storage engine is used. The MERGE storage engine, also known as the MRG_MyISAM engine, is a collection of identical MyISAM tables that can be used as one. All Snort alerts and SANCP session data are now stored in MERGE tables, resulting in better scalability and performance. Sguil author Bamm Visscher reports "I went from being able to keep ~6 million rows to >300 million rows."

All sensor communication is performed...

FreeBSD 6.0 RELEASE Announced

FreeBSD 6.0 RELEASE has been officially announced. When I get a chance I intend to upgrade my 5.4 systems to 6.0 to take advantage of bpfstat on my sensors. I should have a new article in the February 2006 issue of SysAdmin Magazine explaining the simplest way to keep the FreeBSD OS and applications up-to-da...

Network Forensics? Please.

Today I looked at the Interop New York 2005 Schedule and noticed an item called "Network Forensic Day" taught by Pine Mountain Group. I try to stay current with people and companies performing security work, but I had never heard of PMG. I looked at the description of the course, wondering if the "network" meant "enterprise," as in "how to use forensics in the enterprise." I think that is a misapplication of the term network in that context, but it's common enough. Alternatively, perhaps "network" meant "traffic," which is how I use the term....

Network Computing Misses the Mark

I really enjoy reading the free IT magazine Network Computing. However, I believe comments by NWC authors in the last two issues demonstrate some fundamental misunderstandings of open source applications and system administration. These are not earth-shattering issues, but I thought I would share them with you. First, the 27 October 2005 issue includes an article called Open-Source Security Technology Joins Endangered List. Here are excerpts: "For many users and vendors, network security is dependent on a collection of open-source programs that...

Tuesday, 01 November 2005

Dealing with FreeBSD Port Options

Sometimes when you build a port in FreeBSD, you are confronted with a curses menu like the following. This example shows the menu that appears when you run 'make' as root in the /usr/ports/ftp/gftp directory. If you hit 'OK' and then interrupt the port building process, and run 'make' again, you will not see the menu:

orr:/usr/ports/ftp/gftp# make
...menu appears, hit 'OK'...
===> WARNING: Vulnerability database out of date, checking anyway
===>...

New FreeBSD Logo Announced

There you have it. That is the new FreeBSD logo. I think it is a mess. I cannot picture it being embroidered on a polo shirt. That is my basic test for a good logo. On the bright side, I hope to see Beastie disappear off the front of the FreeBSD Web site n...

BSD Certification Group Publishes Usage Survey Results

The BSD Certification Group has released the results of their usage survey here (.pdf). Here is a quick look at the numbers:

77% report using FreeBSD
33% report using OpenBSD
16% report using NetBSD
3% report using DragonFly BSD
7% report "other"

On a related note, I have resigned my seat on the Certification Group and joined the Advisory Board due to time constraints caused by running TaoSecuri...