Wednesday, 30 November 2005
Why Duplicate Packets May Appear on SPAN Ports
"We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card."
I think I know why this is happening. I cover this issue in day one of my Network Security Operations course.
Essentially, the admin who configures the SPAN session has to decide whether to copy traffic entering the monitored source ports (ingress, "rx"), traffic leaving them (egress, "tx"), or both. If both directions are copied, any frame that travels between two monitored ports on the same switch is mirrored twice: once as it enters the first port and again as it leaves the second. A frame that enters or leaves through an unmonitored port, such as an uplink, is copied only once. That is why intra-switch traffic shows up twice on the Snort interface. Mirroring only the ingress direction of every port, uplink included, delivers each frame exactly once, because every frame enters the switch on exactly one port; the alternative is to live with the duplicates and remove them on the sensor.
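If you cannot change the SPAN configuration, the practical check is to measure how much of the capture is duplicated and strip the extra copies. The Python below is an added example, not code from the original post or from any switch vendor: it reads a libpcap file and flags any frame byte-identical to one of the preceding few frames, the same sliding-window idea as Wireshark's editcap -d. The frames, MAC addresses and IP addresses are constructed; the window size of 5 is an assumption chosen to match editcap's default.

```python
"""Spot (and drop) the duplicate frames a both-direction SPAN session produces.
Added example, not from the original post. Flags any frame byte-identical to
one of the previous `window` frames, as Wireshark's ``editcap -d`` does."""
import hashlib
import socket
import struct
from collections import deque


def write_pcap(records, linktype=1):
    """Serialise (ts_sec, ts_usec, frame) records as a little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a libpcap file of either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def find_duplicates(frames, window=5):
    """Indices of frames identical to one of the preceding `window` frames.
    A SPAN copy is byte-for-byte the same frame (same MACs, IP ID, payload);
    a genuine TCP retransmission normally carries a fresh IP ID and is kept."""
    recent, dups = deque(maxlen=window), []
    for i, frame in enumerate(frames):
        digest = hashlib.sha256(frame).digest()
        if digest in recent:
            dups.append(i)
        recent.append(digest)
    return dups


def duplicate_report(data, window=5):
    """Frame count, duplicate count and duplicate indices for a pcap."""
    frames = [f for _, _, f in read_pcap(data)]
    dups = find_duplicates(frames, window)
    return {"frames": len(frames), "duplicates": len(dups), "indices": dups}


def dedupe(data, window=5):
    """Return a copy of the pcap with the duplicate copies dropped."""
    records = list(read_pcap(data))
    drop = set(find_duplicates([f for _, _, f in records], window))
    return write_pcap([r for i, r in enumerate(records) if i not in drop])


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet_ip_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id, payload):
    """Ethernet II + minimal IPv4 header (proto UDP, checksum left 0) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + payload


# Constructed traffic: hosts A and B sit on two monitored ports of one switch,
# so a both-direction SPAN copies every A<->B frame twice. A's packet to
# 192.0.2.5 leaves through an unmonitored uplink and is copied once.
_A = ethernet_ip_frame("00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb", "10.1.1.10", "10.1.1.20", 1, b"hello")
_B = ethernet_ip_frame("00:0c:29:bb:bb:bb", "00:0c:29:aa:aa:aa", "10.1.1.20", "10.1.1.10", 2, b"world")
_C = ethernet_ip_frame("00:0c:29:aa:aa:aa", "00:0c:29:cc:cc:cc", "10.1.1.10", "192.0.2.5", 3, b"out")
SAMPLE_PCAP = write_pcap([(1133366400 + i, 0, f) for i, f in enumerate([_A, _A, _B, _B, _C])])

if __name__ == "__main__":
    print(duplicate_report(SAMPLE_PCAP))   # {'frames': 5, 'duplicates': 2, 'indices': [1, 3]}
    print(duplicate_report(dedupe(SAMPLE_PCAP)))
```

Run duplicate_report over an hour of real SPAN traffic: a duplicate fraction near 50% on intra-switch flows and near 0% on traffic crossing the uplink is the signature of a both-direction SPAN. Full-frame equality is deliberately strict, so a frame copied with a different VLAN tag on the two sides of a trunk would not be matched; widen the comparison to the IP payload if your switch tags one copy.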
Tuesday, 29 November 2005
Two New Pre-Reviews
Next is Running IPv6 by Iljitsch van Beijnum, published by Apress. I liked his book BGP. I already read and reviewed IPv6 Network Administration from O'Reilly, which appears similar to this new book. I'll let you know how the two books differ after I read the latest title.
Monday, 28 November 2005
Bejtlich Teaching Next Week at USENIX LISA
Update: I just learned the book signing will take place in the Golden Ballroom from 5:30 to 6:30 p.m., Wednesday, 7 December.
SANS Replaces Several Threat References in Top 20
Update: It's becoming clear where the confusion regarding "threat" vs "vulnerability" originates for the SANS Top 20. One of you pointed me towards the article Mac OS X Under Scrutiny. See how many misuses of the term threat you can find. Here's a freebie:
"SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake up call."
Saturday, 26 November 2005
Three Great Session Data Articles
- Monitoring Network Traffic with Netflow
- Visualizing Network Traffic with Netflow and FlowScan
- Building Detailed Network Reports with Netflow
Michael introduces several techniques and tools not mentioned in my books, like softflowd, Cflow.pm, flowscan, CUFlow, and others. Nice work! (Incidentally, I am the USENIX instructor Michael references in his last article.) :)
Friday, 25 November 2005
NISCC Director Understands Real Threats
"Cummings said the most significant element in the malicious marketplace is foreign states, whose target is information. Next are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have 'a variable capability' when it comes to attacks... However, these pose a more serious threat than terrorists, who currently have a low capability."
The article continues:
"NISCC is working with its equivalents in the countries concerned to try to shut the attacks down, Cummings said. The agency cannot name the countries concerned as this may 'ruin diplomatic efforts to halt the attacks,' he added."
Imagine that -- he didn't say "holes in Internet Explorer," or "Windows RPC services." The director named parties with the capability and intentions to exploit vulnerabilities in assets.
A visit to the NISCC site shows separate threats and vulnerabilities pages. The threats page begins with these words:
"NISCC's key role is to minimise the risk of electronic attack to the CNI. This involves assessing 'threats' from a variety of sources including criminals, foreign intelligence services, terrorists or virus writers."
The vulnerabilities page begins with these words:
"NISCC undertakes research into computer vulnerabilities or 'weaknesses' and augments this with extensive intelligence to determine the extent of threats to the Critical National Infrastructure from hostile and malevolent elements.
Working with a number of partners, NISCC has had considerable success in identifying problems, and getting vendors to provide software 'patches', through a policy of 'responsible disclosure'."
So, here is another organization that understands the difference between threats and vulnerabilities.
Tenable and Nessus News
Tuesday, 22 November 2005
The Good and the Bad About the New SANS Top 20
You will remember that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.
Today, version 6 of the Top 20 was released. I'll start with "the good." I believe the majority of the 2005 content is much better than the 2004 edition. The 2004 list, and previous lists, displayed 10 Windows vulnerabilities and 10 (often dubious) Unix vulnerabilities. The 2005 list, in contrast, displays the following vulnerabilities:
Top Vulnerabilities in Windows Systems
* W1. Windows Services
* W2. Internet Explorer
* W3. Windows Libraries
* W4. Microsoft Office and Outlook Express
* W5. Windows Configuration Weaknesses
Top Vulnerabilities in Cross-Platform Applications
* C1. Backup Software
* C2. Anti-virus Software
* C3. PHP-based Applications
* C4. Database Software
* C5. File Sharing Applications
* C6. DNS Software
* C7. Media Players
* C8. Instant Messaging Applications
* C9. Mozilla and Firefox Browsers
* C10. Other Cross-platform Applications
Top Vulnerabilities in UNIX Systems
* U1. UNIX Configuration Weaknesses
* U2. Mac OS X
Top Vulnerabilities in Networking Products
* N1. Cisco IOS and non-IOS Products
* N2. Juniper, CheckPoint and Symantec Products
* N3. Cisco Devices Configuration Weaknesses
Bravo. I think that is a significant step towards realizing the scope of the problem at hand. To be fair to Microsoft, I believe there could have been "Unix services" and "Unix libraries" sections. I applaud the addition of network products and other applications. Content-wise, this is a great resource.
Now, "the bad." The top of the page has this link: -----Jump To Index of Top 20 Threats -----. For Pete's sake, the title of the document is "The Twenty Most Critical Internet Security Vulnerabilities." These are not threats.
Let's see other terms in use:
In the introduction we see:
"In addition to Windows and UNIX categories, we have also included Cross-Platform Applications and Networking Products. The change reflects the dynamic nature of the evolving threat landscape."
I can accept this use of the term threat, if the intent is to refer to parties who exploit vulnerabilities.
Next:
"We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way."
Here, threats should be "vulnerabilities".
Section C2:
"Compromising a gateway could potentially cause a much larger impact since the gateway is the outer layer of protection and the only protection for some threats in many small organizations."
This should either replace "threats" with "vulnerabilities", or "for some" with "from some".
Section C5:
"The main threats arising from P2P software are:"
I think threats should be "risks" here, although the list is a muddle of different issues.
Later in that section:
"The number of threats using P2P, IM, IRC, and CIFS within Symantec's top 50 malicious code reports has increased by 39% over the previous six-month period."
Here, I can accept the use of the term as long as the intent is to describe parties abusing P2P, IM, etc.
Section C8:
"These applications provide an increasing security threat to an organization. The major threats are the following:"
Here's a simple rule of thumb: applications can never be "threats." Again, I suggest replacing the second "threats" here with "risks".
One final note: I am not a lone voice speaking on this subject. The Financial Times, of all people, is linked from the SANS page with a story Hackers pose new threat to desktop software. That's the proper use of the term threat, since a hacker is a "party."
Security will not be taken seriously as a "profession" until its "thought leaders" use basic terms properly.
Monday, 21 November 2005
Demand for a BSD Associate Certification Guide
the BSD Certification Group (BSDCG). I started out as a Group member, but moved to the Advisory Board when TaoSecurity business occupied too much of my time.
Last month the BSDCG published its BSD Associate Exam Objectives (.pdf) The document outlines all the skills a candidate for the BSD Associate cert is expected to have. However, no specifics are given. For example:
3.2.12 Change the encryption algorithm used to encrypt the password database.
Concept:
Given a screenshot of a password database, the BSDA candidate should be
able to recognize the encryption algorithm in use and how to select
another algorithm. The candidate should also have a basic understanding
of when to use DES, MD5 and Blowfish.
Practical:
login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)
I am considering writing a BSD Associate Certification Guide. The guide will cover all of the 7 domains on the cert:
1. Installing and Upgrading the OS and Software
2. Securing the OS
3. Files, Filesystems, and Disks
4. Users and Accounts Management
5. Basic System Administration
6. Network Administration
7. Basic Unix Skills
Half of the work is already done. I know everything that needs to be covered. What I need to do now is provide answers to the questions.
What do you think? Would you like a book that addresses all seven domains for all of the BSD operating systems covered by the cert (FreeBSD, NetBSD, OpenBSD, DragonFly BSD)?
Extrusion Detection Shipping
If you have any suggested changes, please let me know within the next 10 days. I owe corrections to my publisher for the second printing on 2 December. Thank you!
Tethereal Ring Buffer Syntax Changes Again
Today when trying Tethereal 0.10.13, I discovered the syntax has changed again. First, the relevant man page excerpt:
-a  Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:
    duration:value  Stop writing to a capture file after value seconds have elapsed.
    filesize:value  Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes). If this option is used together with the -b option, Ethereal will stop writing to the current capture file and switch to the next one if filesize is reached.
    files:value  Stop writing to capture files after value number of files were written.
-b  Cause Tethereal to run in "multiple files" mode. In "multiple files" mode, Tethereal will write to several capture files. When the first capture file fills up, Tethereal will switch writing to the next file and so on.
    The created filenames are based on the filename given with the -w flag, the number of the file and on the creation date and time, e.g. savefile_00001_20050604120117.pcap, savefile_00001_20050604120523.pcap, ...
    With the files option it's also possible to form a "ring buffer". This will fill up new files until the number of files specified, at which point Tethereal will discard the data in the first file and start writing to that file and so on. If the files option is not set, new files are filled up until one of the capture stop conditions matches (or until the disk is full).
    The criterion is of the form key:value, where key is one of:
    duration:value  switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.
    filesize:value  switch to the next file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes).
    files:value  begin again with the first file after value number of files were written (form a ring buffer).
Ok, so how do I use this? I create the following simple shell script:
#!/bin/sh
# Capture file size in KB; here is 1 GB (1,000,000 KB)
#FILESIZE=1000000
# Here is 100 MB (100,000 KB; ls -h reports it as 98M)
FILESIZE=100000
# Number of files to keep in the ring
FILENUMBER=5
# Interface to watch
INTERFACE=fxp0
# -n: no name resolution; -s 1515: snaplen large enough for a full Ethernet frame;
# -q: quiet; -a filesize: roll to the next file at FILESIZE KB;
# -b files: keep FILENUMBER files, then discard the oldest.
# The trailing backslash continues the command onto the next line.
/usr/X11R6/bin/tethereal -n -i $INTERFACE -s 1515 -q -a filesize:$FILESIZE -b files:$FILENUMBER \
    -w /nsm1/lpc/fullcontent.lpc
The preceding script tells Tethereal to write capture files of 100,000 KB each and to keep five of them. When the fifth file fills, Tethereal opens a sixth and deletes the oldest, so the directory never holds more than five files and disk usage is bounded by FILESIZE times FILENUMBER (roughly 490 MB here). Check out these directory listings as time progresses. First, the initial capture file. Notice the naming convention Tethereal uses: the name given to -w, with a five-digit sequence number and the file's creation timestamp inserted before the extension. (Note: 100,000 KB is about 97.7 MB, which is why ls -h reports 98M; close enough for our purposes.)
sensor01:/nsm1/lpc# ls -alh
total 35780
drwxr-xr-x 2 root wheel 512B Nov 22 15:23 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 35M Nov 22 15:24 fullcontent_00001_20051122152344.lpc
After a while, we have five files:
sensor01:/nsm1/lpc# ls -alh
total 483300
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00001_20051122152344.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 81M Nov 22 15:24 fullcontent_00005_20051122152441.lpc
When the fifth file fills, Tethereal opens a sixth file and removes the first, keeping the count at five:
sensor01:/nsm1/lpc# ls -alh
total 409316
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00005_20051122152441.lpc
-rw------- 1 root wheel 8.7M Nov 22 15:24 fullcontent_00006_20051122152453.lpc
This process continues until Tethereal is killed: each rollover creates a file with the next sequence number and removes the oldest, so the directory never holds more than five files. It is a great full content data collection system.
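The question an analyst asks of a ring buffer like this is "which file holds the packets from 15:24:15?", followed by "how far back does the ring still reach?" and "which file disappears at the next rollover?". The Python below is an added example, not code from the original post or from Tethereal: it parses the prefix_NNNNN_YYYYMMDDhhmmss naming convention shown in the listings, picks the file that was open at a given time, reports the retention window, and predicts the eviction for a given -b files:N. The filenames are the five from the listing above; the lookup times are constructed.

```python
"""Helpers for the ring-buffer files Tethereal writes with -a filesize / -b files.
Added example, not code from the original post or from Tethereal itself."""
import re
from datetime import datetime

# fullcontent_00002_20051122152407.lpc -> sequence 2, opened 2005-11-22 15:24:07
NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<stamp>\d{14})(?P<ext>\.[^.]+)$")
STAMP_FMT = "%Y%m%d%H%M%S"


def parse_name(filename):
    """Return (sequence number, open time) for a ring-buffer file, else None."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    return int(m.group("seq")), datetime.strptime(m.group("stamp"), STAMP_FMT)


def ordered(files):
    """[(seq, open_time, name), ...] in creation order, ignoring stray files."""
    rows = []
    for name in files:
        parsed = parse_name(name)
        if parsed:
            rows.append((parsed[0], parsed[1], name))
    return sorted(rows)


def _as_datetime(when):
    return datetime.strptime(when, STAMP_FMT) if isinstance(when, str) else when


def file_for_time(files, when):
    """Name of the file that was being written at `when` (datetime or a
    YYYYMMDDhhmmss string). The stamp in a name is when the file was opened;
    it stays current until the next file opens, and the newest file is still
    open-ended. Returns None if `when` predates everything left on disk."""
    when = _as_datetime(when)
    chosen = None
    for _, opened, name in ordered(files):
        if opened <= when:
            chosen = name
        else:
            break
    return chosen


def coverage(files):
    """(oldest open time, newest open time) as stamp strings. Packets older
    than the first value have already been discarded by the ring."""
    rows = ordered(files)
    if not rows:
        return None
    return rows[0][1].strftime(STAMP_FMT), rows[-1][1].strftime(STAMP_FMT)


def evicted_on_rollover(files, keep):
    """Files Tethereal deletes when the next file opens, given -b files:keep."""
    rows = ordered(files)
    excess = len(rows) + 1 - keep
    return [name for _, _, name in rows[:max(excess, 0)]]


# The five files from the directory listing above.
LISTING = [
    "fullcontent_00001_20051122152344.lpc",
    "fullcontent_00002_20051122152407.lpc",
    "fullcontent_00003_20051122152419.lpc",
    "fullcontent_00004_20051122152430.lpc",
    "fullcontent_00005_20051122152441.lpc",
]

if __name__ == "__main__":
    print(file_for_time(LISTING, "20051122152415"))  # fullcontent_00002_20051122152407.lpc
    print(coverage(LISTING))                          # ('20051122152344', '20051122152441')
    print(evicted_on_rollover(LISTING, 5))            # ['fullcontent_00001_20051122152344.lpc']
```

Because the stamp records when a file was opened, not closed, a packet whose timestamp falls a second or two before a file boundary may sit in the previous file; when in doubt, open both neighbours. At the rates shown in the listings (a 98 MB file every 11 to 23 seconds), five files give about a minute of retention, which is the real constraint on FILENUMBER and FILESIZE.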
Friday, 18 November 2005
Security Awareness Training: A Waste of Time?
"[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property.
These exercises involved scripted telephone calls to the organizations' customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data; the results were astounding.
627 of the 1000 people targeted by 'spear phishing' emails (aimed at pilfering the employees' corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff.
It's not so much those statistics that made the results astounding; but the fact that all these organizations had recently conducted user awareness workshops that addressed the threats posed by social engineers."
Wow. Maybe their Human Firewall was down?
I crack myself up. Anyway, Rohyt mostly blames the staff who offer security awareness training:
"[T]he information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that pique the employees' interest. The majority of the security awareness sessions I attended were unstimulating affairs couching the do's and don'ts of security."
I think it is time to face the fact that security awareness training is generally a waste of time. Trainers can stand on their heads and juggle flaming swords, and some attendees will take a nap. People who handle the most sensitive classified data in the world will happily click on the dancing donkey that appears in their inbox. All it takes to suffer an internal compromise is for one of Rohyt's 1000 respondents to provide their corporate VPN credentials.
In the remainder of Rohyt's article, he does provide good guidelines for improving the quality of security awareness training. However, there is no way to achieve 100% compliance with security policies and sound practices.
So what is my answer? The people with the best capability to address the problem must be given the authority and resources to do so. Those people are the information security staff. They should have the power to remove administrative accounts from normal desktop users. They should have the resources to deploy a proxy to filter and block malicious inbound and outbound traffic. Their concerns should not be sidelined in order to meet "business requirements."
Disagree with me? Well, there are many aspects of business that individual employees should care about. The quality of their work environment is important. I have worked in numerous buildings with asbestos and water problems (thanks .mil). Was it my job to become an environmental engineer? Corporate financial health is another important aspect of a business. Should employees receive accounting training?
Speaking of business concerns: am I the only person who is sick of hearing media pundits tell technical people we need to spend more time and effort understanding "the business?" There are only so many hours in the day. Who is supposed to understand the technical issues facing an organization if we are also tasked with making business decisions?
Why don't I read about business managers being advised to understand TCP/IP?
This is called division of labor, and it's what enables companies to scale to their present size. I am forced to perform business and technical functions by virtue of the size of my small company. As a person who enjoys technical issues, I am not pursuing business issues by choice!
What do you think?
Thursday, 17 November 2005
FCW Reports DoD to Hold Security Stand-Down
FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. [Croom] said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely." (emphasis added)
I like the fact Lt Gen Croom understands the importance of monitoring.
A separate article conveys this story, indicating Lt Gen Croom is a fair guy:
"The first time Croom showed up for a meeting at DISA, someone announced his presence and everyone in the room snapped to attention, as they did with previous DISA commanders, a headquarters employee said.
Croom told everyone at the meeting that that was the first and last time anyone was to announce him and have everyone stand at attention."
That's amazing. I have seen commanders institute similar policies on operations floors, but generally you're expected to stand when the commander enters a meeting room.
The FCW article did not say much about what constitutes a network "stand-down," other than "changing passwords" and "conduct[ing] certain activities to strengthen and become more aware of network security." Can anyone elaborate on this? A department-wide password change sounds like an immense incident response action. I believe we instituted a similar action once when I was still in uniform.
Typically stand-downs are held in the flying community when an aircraft crashes due to a mechanical problem. The rest of the community wants to verify that their aircraft are not also afflicted. I believe the Titan Rain intrusions may be the "crash" that prompted this stand-down. FCW reports "Croom said DOD networks are being intruded on. 'The enemy is among us,' he said."
Wednesday, 16 November 2005
Thoughts on CMP Acquisition of Black Hat
I did not realize until now that CMP also owns the Computer Security Institute, which runs its own security conferences. The CSI conference is a strange beast. I wouldn't consider William Safire to be a "security expert," but there he is appearing as a keynote CSI speaker. Perhaps Black Hat is supposed to pull in another sort of demographic, one without as much gray hair?
BSD Certification Group Solicits Donations
Tuesday, 15 November 2005
Using Cache Snooping to Estimate Code Spread
However, today I learned of a Wired story that incorporates new Dan Kaminsky research. Dan has provided a conservative estimate of the number of systems on which the Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology.
Essentially Dan used his Deluvian Scanning Platform -- DoxPara Infrastructure Validation Project (DIVP) to ask name servers whether they had cached results for the hosts associated with Sony's DRM. For example, in the following I query a name server to see if it already knows the address of www.bejtlich.net. The key is to tell the name server not to perform recursion (dig's +norecurse clears the RD bit in the query): a name server that cannot answer from its cache will not go and look the name up on my behalf, but instead returns a referral to the closest name servers it does know about, here the authoritative servers for .net:
orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29658
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;www.bejtlich.net. IN A
;; AUTHORITY SECTION:
net. 44802 IN NS k.gtld-servers.net.
net. 44802 IN NS l.gtld-servers.net.
net. 44802 IN NS m.gtld-servers.net.
net. 44802 IN NS a.gtld-servers.net.
net. 44802 IN NS c.gtld-servers.net.
net. 44802 IN NS d.gtld-servers.net.
net. 44802 IN NS e.gtld-servers.net.
net. 44802 IN NS f.gtld-servers.net.
net. 44802 IN NS g.gtld-servers.net.
net. 44802 IN NS h.gtld-servers.net.
net. 44802 IN NS i.gtld-servers.net.
net. 44802 IN NS j.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 155541 IN A 192.5.6.30
a.gtld-servers.net. 159964 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 156332 IN A 192.33.14.30
b.gtld-servers.net. 159476 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 156283 IN A 192.26.92.30
d.gtld-servers.net. 156283 IN A 192.31.80.30
e.gtld-servers.net. 156283 IN A 192.12.94.30
f.gtld-servers.net. 156283 IN A 192.35.51.30
g.gtld-servers.net. 156283 IN A 192.42.93.30
h.gtld-servers.net. 156283 IN A 192.54.112.30
i.gtld-servers.net. 156299 IN A 192.43.172.30
j.gtld-servers.net. 156299 IN A 192.48.79.30
k.gtld-servers.net. 156299 IN A 192.52.178.30
l.gtld-servers.net. 156299 IN A 192.41.162.30
;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:12:49 2005
;; MSG SIZE rcvd: 503
As you can see, kis.visi.com did not know how to resolve www.bejtlich.net, so it gave the .net generic top level domain server list.
Next I ask kis.visi.com to resolve www.bejtlich.net, but this time I use the host command and allow kis.visi.com to recurse, that is, to ask a name server that knows how to resolve www.bejtlich.net. (host looks up A, AAAA and MX records by default, which is why it prints the "Using domain server" block three times; only the A lookup returned data.)
orr:/home/richard$ host www.bejtlich.net kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
www.bejtlich.net has address 66.93.110.10
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
I get a response -- www.bejtlich.net is 66.93.110.10. Now when I use dig again and specify no recursion, kis.visi.com responds with the IP -- it has been cached.
orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42310
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.bejtlich.net. IN A
;; ANSWER SECTION:
www.bejtlich.net. 7194 IN A 66.93.110.10
;; AUTHORITY SECTION:
bejtlich.net. 7194 IN NS ns18.zoneedit.com.
bejtlich.net. 7194 IN NS ns8.zoneedit.com.
;; ADDITIONAL SECTION:
ns8.zoneedit.com. 704 IN A 206.55.124.4
ns18.zoneedit.com. 384 IN A 72.9.106.68
;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:13:20 2005
;; MSG SIZE rcvd: 131
Dan used this technique to ask as many name servers as possible to resolve connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. When I asked the kis.visi.com name server about connected.sonymusic.com, I got these results:
orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10447
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;connected.sonymusic.com. IN A
;; AUTHORITY SECTION:
sonymusic.com. 1255 IN NS udns2.ultradns.net.
sonymusic.com. 1255 IN NS udns1.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 155728 IN A 204.69.234.1
udns2.ultradns.net. 155944 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:29:38 2005
;; MSG SIZE rcvd: 125
The cached NS records for sonymusic.com (their TTL already counting down) mean some system asked kis.visi.com to resolve an unspecified sonymusic.com host before I did. There is no cached result for connected.sonymusic.com itself, however. Compare that result with the following for www.sonymusic.com:
orr:/home/richard$ dig @kis.visi.com www.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37716
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sonymusic.com. IN A
;; ANSWER SECTION:
www.sonymusic.com. 211 IN A 64.14.39.200
;; AUTHORITY SECTION:
sonymusic.com. 211 IN NS udns2.ultradns.net.
sonymusic.com. 211 IN NS udns1.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 147104 IN A 204.69.234.1
udns2.ultradns.net. 147320 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:53:23 2005
;; MSG SIZE rcvd: 135
Notice the answer?
Next I resolve connected.sonymusic.com through kis.visi.com with host, then check the non-recursive dig results again:
orr:/home/richard$ host connected.sonymusic.com kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
connected.sonymusic.com has address 64.14.39.158
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 284
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;connected.sonymusic.com. IN A
;; ANSWER SECTION:
connected.sonymusic.com. 3592 IN A 64.14.39.158
;; AUTHORITY SECTION:
sonymusic.com. 87 IN NS udns1.ultradns.net.
sonymusic.com. 87 IN NS udns2.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 146980 IN A 204.69.234.1
udns2.ultradns.net. 147196 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:55:26 2005
;; MSG SIZE rcvd: 141
The other two hostnames returned only the gtld name servers, meaning nothing under those domains, not even the delegation, was in the cache. So none of kis.visi.com's clients had asked about those domains or hostnames recently, where "recently" means within the records' TTL: a cached entry ages out when its TTL expires, so a miss says nothing about lookups made before that window. Note also that my own host commands above populated the cache, which is why a survey like Dan's must only ever send non-recursive queries.
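To make the probe concrete, here is the same non-recursive check in Python. It is an added example, not Dan Kaminsky's scanner, Luis Grangeia's tool, or code from the original post: build_query() produces a query with the RD bit clear, parse_response() decodes the reply (including name compression), and classify() reports the name as cached, not cached, or refused. snoop() performs the real query over UDP; the two sample replies, REFERRAL and CACHED, are constructed to mirror the dig output above (the referral to the .net servers, and the cached 66.93.110.10 answer), and all function names are my own.

```python
"""Non-recursive ("cache snooping") DNS probe. Added example; wire format
per RFC 1035, sample replies constructed from the dig output above."""
import random
import socket
import struct


def encode_name(name):
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return wire + b"\x00"


def build_query(name, qtype=1, txid=None, recursion_desired=False):
    """UDP query. RD=0 is the whole trick: the resolver must answer from cache or refer."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = 0x0100 if recursion_desired else 0
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    out = {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
           "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == 1 and rdlen == 4:               # A
                rdata = ".".join(str(b) for b in rdata)
            elif rtype in (2, 5):                       # NS, CNAME
                rdata, _ = decode_name(msg, off)
            off += rdlen
            out[section].append((name, rtype, ttl, rdata))
    return out


def classify(resp, qname):
    """'cached' if the answer section carries an A record for qname; 'not-cached'
    if the server could only refer; 'refused' if it rejects non-recursive
    queries, in which case nothing can be inferred."""
    if resp["rcode"] == 5:
        return "refused"
    want = qname.rstrip(".").lower() + "."
    if any(n.lower() == want and t == 1 for n, t, _, _ in resp["answer"]):
        return "cached"
    return "not-cached"


def snoop(resolver, name, timeout=3.0):
    """Ask `resolver` about `name` with RD=0 and classify the reply (network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp = parse_response(s.recv(4096))
    if resp["id"] != struct.unpack_from("!H", q)[0]:
        raise ValueError("transaction ID mismatch")
    return classify(resp, name), resp


def _rr(owner_wire, rtype, ttl, rdata):
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers=(), authority=()):
    """Constructed resolver reply (QR=1, RA=1, RD=0). Answer owner names use a
    compression pointer (0xC00C) back to the question, as real servers do."""
    msg = struct.pack("!HHHHHH", txid, 0x8080, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ttl, ip in answers:
        msg += _rr(b"\xc0\x0c", 1, ttl, bytes(int(o) for o in ip.split(".")))
    for owner, ttl, nsname in authority:
        msg += _rr(encode_name(owner), 2, ttl, encode_name(nsname))
    return msg


REFERRAL = build_response(29658, "www.bejtlich.net",
    authority=[("net", 44802, "k.gtld-servers.net"), ("net", 44802, "a.gtld-servers.net")])
CACHED = build_response(42310, "www.bejtlich.net",
    answers=[(7194, "66.93.110.10")], authority=[("bejtlich.net", 7194, "ns18.zoneedit.com")])
```

Three caveats when running snoop() against real resolvers: many now answer non-recursive queries with REFUSED or ignore them entirely, so treat "refused" as no data rather than as a miss; a "cached" verdict only says that some client looked the name up within the current TTL window; and the remaining TTL in the answer (7194 of an original 7200 above) tells you roughly when that lookup happened. Query only resolvers you are authorized to probe.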
Nice work Dan -- cool stuff.
Monday, 14 November 2005
Extrusion Detection Shipping at Barnes and Noble
Alternatively, you might be able to win a copy in the monthly raffle held at my local ISSA NoVA chapter meeting. Last time I provided a copy of Real Digital Forensics and a Network Security Operations T-shirt. Tuesday (tomorrow) is the last day to RSVP for the Thursday meeting. Steve Crocker will talk about securing DNS at the Oracle building in Reston.
Sunday, 13 November 2005
Problems with FreeBSD 6.0 as VMware Workstation Guest
After reading this post, I tried changing this sysctl:
gruden:/root# sysctl -a kern.timecounter.hardware
kern.timecounter.hardware: ACPI-fast
gruden:/root# sysctl kern.timecounter.hardware=TSC
kern.timecounter.hardware: ACPI-fast -> TSC
That had no effect. This is my freebsd.vmx file:
config.version = "8"
virtualHW.version = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
memsize = "128"
ide0:0.present = "TRUE"
ide0:0.fileName = "FreeBSD-000003.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
floppy0.fileName = "A:"
ethernet0.present = "TRUE"
usb.present = "FALSE"
sound.present = "FALSE"
sound.virtualDev = "es1371"
displayName = "freebsd6-0_a"
guestOS = "freebsd"
nvram = "freebsd.nvram"
sound.startConnected = "FALSE"
usb.generic.autoconnect = "FALSE"
floppy0.startConnected = "FALSE"
ide0:0.redo = ""
ethernet0.addressType = "generated"
uuid.location = "56 4d 1e 0b c0 77 f6 f2-55 f3 38 5f 3a 47 3e b3"
uuid.bios = "56 4d 1e 0b c0 77 f6 f2-55 f3 38 5f 3a 47 3e b3"
tools.remindInstall = "FALSE"
ethernet0.generatedAddress = "00:0c:29:47:3e:b3"
ethernet0.generatedAddressOffset = "0"
ide1:0.startConnected = "FALSE"
tools.syncTime = "TRUE"
Originally the file had the last variable appear thus:
tools.syncTime = "FALSE"
Either setting had no effect. The host OS is Windows Server 2003 Enterprise x64 Edition SP1. The weird part of this is that a FreeBSD 5.4 VM running within exactly the same parameters has no problem on this system. This does not appear to be an isolated problem.
Is anyone successfully running FreeBSD 6.0 within VMware Workstation?
Update: I just copied a complete clone of this VM to my Windows 2000 Professional laptop running the same version of VMware Workstation. (Yes, I have two licenses!) :) It made no difference. The 5.5 RC2, VMware Workstation 5.5.0 build-18007, was no better with FreeBSD 6.0 as far as time goes. However, the excessive beeping that I saw with FreeBSD 6.0 on VMware WS 5.0 was shortened considerably on WS 5.5.
I just posted this story as a question to the VMTN forums. I also posted to freebsd-emulation.
Saturday, 12 November 2005
Presentations on OpenBSD Ports and More
I do agree with some of Marc's critique, however. It would be nice to have package update tools built into the base system. Perhaps they could be written in Perl to avoid adding Ruby? We are starting to see new ports tools developed outside of the base now being added to the base, with Colin Percival's portsnap now in FreeBSD 6.0. I expect to see this trend continue because Colin is a member of the FreeBSD project now. (He's the security officer.)
The second presentation is OpenBSD Networking Update by Henning Brauer. OpenBSD is doing some cool work with OpenBGPD and I see now that OpenOSPFD is planned as well.
Thursday, 10 November 2005
Sample Extrusion Detection Chapter Posted
"MJR: I’ve noticed you’re a fan of Bruce Lee! It’s interesting to me how a lot of us security guys find parallels between computer/network security and the martial arts/art of war. Remember Lee’s great “It’s like a finger pointing away to the moon” speech? What do you think would be the equivalent for a student of computer security? What do you think Bruce would tell us?
RB: I am indeed a fan of Bruce Lee, and I’ve practiced several martial arts... I advise that intruders should be viewed as smart (sometimes smarter than you) and unpredictable, and able to beat your defenses. Bruce would probably agree. He would train to be ready for whatever his opponent would deliver, and he would have techniques in place to deal with the consequences of not blocking an initial punch or kick. Rather than failing catastrophically when an opponent lands a blow, Bruce would take advantage of the attacker’s proximity to initiate a different sort of counterattack or improved defense."
The chapters are as follows:
- Network Security Monitoring Revisited
- Defensible Network Architecture
- Extrusion Detection Illustrated
- Enterprise Network Instrumentation
- Layer 3 Network Access Control
- Traffic Threat Assessment
- Network Incident Response
- Network Forensics
- Traffic Threat Assessment Case Study
- Malicious Bots
- Epilogue
- Appendix A: Collecting Session Data in an Emergency
- Appendix B: Minimal Snort Installation Guide
- Appendix C: Survey of Enumeration Methods
- Appendix D: Open Source Host Enumeration
The book should begin shipping tomorrow. If you have any suggestions for errata, please send them to me via richard at taosecurity dot com. Thank you!
Deleting Hard Drives
I found DBAN very easy to use. It boasts some impressive features too.
When you boot from the floppy image or CD-ROM .iso you see this screen.
The About screen offers warnings and caveats.
I like the ability to boot using one of the available deletion methods.
I simply hit [enter], which started DBAN in interactive mode. Here you can set parameters for wiping the drive.
In the future I plan to carry a DBAN floppy with me to wipe hard drives prior to installing my own NSM software.
Tuesday, 08 November 2005
Powerful Laptop Recommendations?
- Intel® Pentium® M Processor 760 [2.00GHz, 2MB L2 cache, 533MHz FSB]
- 2 GB RAM
- 60 GB+ 7200 RPM HDD
- NVIDIA GeForce video, to take advantage of their FreeBSD drivers and avoid ATI
- Gigabit NIC
- 802.11b/g is nice, especially if disabled via external switch
- Bluetooth -- not sure if I need it?
- Under 7 lbs -- my current laptop is more like a ThinkBrick
- At least a 14.1" screen; I don't care about widescreens
I like the features of the Toshiba Tecra M3, but the reviews are terrible. I really like the durability and keyboard of my Thinkpad and I worry what other vendors are going to provide. I appreciate your help.
Update: Thank you for all of your comments. I've decided to wait for the arrival of Windows Vista in Q306. By that time I expect to see Intel Virtualization Technology in 64 bit mobile CPUs like the Intel Merom, which will be very helpful for my classroom setup. There's an outside chance I would get a Mac running on Intel as well, if VMware was supported.
Congratulations to Feds
This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable as well. The suspect in this case is a 20-year-old living in California. This is the sort of perpetrator who can be deterred, unlike a foreign intelligence agent or member of organized crime. The more bot net operators who are put in jail, the fewer lower-end threats we will need to stop.
Monday, 07 November 2005
New SearchSecurity.com Tip Posted
"Network-based IDSes are deployed to identify compromised targets, while network-based IPSes are deployed in an effort to prevent compromise. Both systems must be able to recognize malicious traffic to issue warnings or block offending packets.
IDSes, however, have the upper hand in identifying intrusions, because they have the luxury of generating an alert based on traffic from the attacker to the victim or from the victim to the client. In other words, an IDS can alert on either the inbound attack traffic or the outbound victim response.
But to prevent an intrusion, an IPS must deny incoming attack traffic. An IPS that only inspects outbound traffic allows a target to be compromised. An IPS that makes a block decision based on responses from the victim is an 'intrusion containment system,' not an IPS."
I've contacted the site editor to see if they can fix the corrupted Windows command prompt output.
Websense ToorCon Presentation
Friday, 04 November 2005
Latest Book Arrives Soon
I looked at the Best Book Buys Top 100 List this evening and saw these results:
I don't understand these book rankings, which are listed "as of 28-Oct-2005". Here are the top 5 books:
- Wild at Heart: Discovering the Secret of a Man's Soul by John Eldredge
- The Complete Calvin and Hobbes by Bill Watterson
- Financial Accounting by Robert Libby
- The Game: Undercover In The Secret Society Of Pick-up Artists by Neil Strauss
- The World Is Flat: A Brief History Of The Twenty-first Century by Thomas L. Friedman
I could not imagine a more eclectic group of books! I guess having my three books in the rankings is better than not seeing them there. Incidentally, the list includes two other books to which I contributed; number 11 is Incident Response & Computer Forensics, 2nd Ed by Chris Prosise and Kevin Mandia, and number 18 is Hacking Exposed: Network Security Secrets and Solutions, 4th Ed by Stuart McClure, Joel Scambray, and George Kurtz.
I have ideas for another book which I plan to reveal soon. If anyone has feedback on any of my books or ideas for future work, please feel free to leave a comment or send me email. Thank you.
Sguil 0.6.0-RC2 Available
- MySQL's MERGE storage engine is used. The MERGE storage engine, also known as the MRG_MyISAM engine, is a collection of identical MyISAM tables that can be used as one. All Snort alerts and SANCP session data are now stored in MERGE tables, resulting in better scalability and performance. Sguil author Bamm Visscher reports "I went from being able to keep ~6 million rows to >300 million rows."
- All sensor communication is performed through sensor_agent.tcl. This seemingly makes Sguil one of the few programs that respects the new licensing of MySQL under the GPL.
- Support for Snort's sfPortscan function has been added. Users no longer need to patch and use the portscan preprocessor.
- Increased use of tabs for window management provides better access to new information like sensor status.
Barring unforeseen issues, Sguil 0.6.0-RC2 will be released soon as 0.6.0. If you'd like to test the RC2, please download it.
I plan to create a VM image using FreeBSD 6.0 RELEASE and Sguil 0.6.0, suitable for use in VMware Player.
FreeBSD 6.0 RELEASE Announced
I should have a new article in the February 2006 issue of SysAdmin Magazine explaining the simplest way to keep the FreeBSD OS and applications up-to-date.
Network Forensics? Please.
When I mention "network forensics," I define it as the art of collecting, protecting, analyzing, and presenting network traffic to support remediation or prosecution. This is in line with the definition of forensics:
"1. The art or study of formal debate; argumentation.
2. The use of science and technology to investigate and establish facts in criminal or civil courts of law."
It turns out PMG's use of the term "Network Forensics" has nothing to do with any recognized application of the term. They say:
"Network Forensics is the study of the micro transactions of inter-network components, platforms and the applications that process on and across them.
By taking a forensic measurement of a micro transaction, quantifying the repeated dependency on the micro to that of the macro we can quantify the improvement for an end user that specific IT optimizations might provide. On the business process side, quantification of the cost of the macro transaction time spent by an end user can be quantified in annual cost or lost productivity associated with slow applications. Knowing optimization improvements and their associated costs allows a long term ROI to be considered. The result? Best bang for the buck optimization!
Come join PMG NetAnalyst in a day of cross technology, vendor independent network training with a twist: PMG will take you on a journey down several complex multi-vendor network environments where troubles abound. You will be taught how to use a well rounded 'bag of tools' to analyze and troubleshoot the issues as well as how applying best practices could have avoided these issues. Forensics Day will show you how to save money as well as improve performance and reliability by using 'brain cells' instead of budget to solve and even prevent problems."
Please. This is not "network forensics" by any stretch of the imagination. This is an attempt to add a sexy name to the otherwise boring ideas of network troubleshooting. The latest iteration and expansion of the concept uses the term Business Service Management, which I learned about recently through the 1 September 2005 Network Computing magazine.
I understand there are similar uses of the term "forensics" outside of the legal realm. However, "network forensics" has had a security association for years. I would like to see it stay that way to avoid further cluttering our professional landscape.
Network Computing Misses the Mark
First, the 27 October 2005 issue includes an article called Open-Source Security Technology Joins Endangered List. Here are excerpts:
"For many users and vendors, network security is dependent on a collection of open-source programs that provide key capabilities, sometimes as standalone tools and sometimes as the basis for commercial products. Last month, however, the open-source status of two of those key technologies--Snort and Nessus--became threatened....
The moral is that heavy reliance on open source carries risk, and that the greatest insurance policy for open-source technology is participation by a large number of users and developers. If you're thinking of using open source, keep a close eye on what happens to both Snort and Nessus."
I would argue that open source carries much less "risk" when compared to closed applications. The fact that the code is open is the "greatest insurance policy," not "participation by a large number of users and developers." If an open source program is no longer maintained, it can be assumed by another developer. Assuming the license is truly open, that new developer can resume the project, fork it, or rebuild from scratch using the original as inspiration.
For example, Linux guru Tim Lawless started the Saint Jude project to protect the integrity of the Linux kernel, but had to abandon coding it in 2002. Last week Rodrigo Rubira Branco took over maintainership and released a new version. BASE, the replacement for the Web-based alert browser ACID, is a second example. The new version of SPADE hosted by Bleeding Snort is a third example. None of this would be possible with so-called less "risky" closed programs.
The second example of Network Computing missing the mark appeared in the following letter and response:
"I have a question concerning an application one of my consultancy clients needs that's targeted for Microsoft Data Center Server 2003, a product used to manage DPM, on Unisys 3S7000. The systems integrator is saying that 'for performance reasons,' it plans to 'modify the operating system' for the application.
It's been a long time since I've heard of any vendor advocating modification of a native OS to boost performance or achieve goals not supported by the OS. I've been all over Microsoft's OEM partner site and haven't read anything about using Data Center Server as an OEM product. Not even its predecessor, Data Center Server 2000, was ever available as a shrinkwrapped product; you had to have Microsoft services to implement it.
Have you ever heard of any vendor wanting to tweak the Windows kernel in order to support its application? Sounds risky...
Don MacVittie replies: Larry, your instincts are dead-on. Even in the Linux world, tweaking the OS for the application layer is generally considered taboo. There's just too much that can go wrong.
Are you sure the vendor is talking about making code changes to the kernel? Maybe what it has in mind is custom drivers, which are more acceptable, or a custom build, which is relatively common for OEMs.
If the vendor really does want to modify the kernel, you should tell your client to run away from it as fast as it can. There are enough good products out there to handle high-volume backups and replication without having to resort to such a drastic measure."
Good grief. "Even in the Linux world, tweaking the OS for the application layer is generally considered taboo. There's just too much that can go wrong." Like what, better performance? I do not know if it is possible for end users to make any modifications to the Windows kernel, perhaps via a sysctl mechanism as found in BSD. I do not fault the NWC writer for advising users to stay away from Windows kernel tweaks.
Linux and BSD are completely different beasts. I find the power to alter the kernel to be an advantage, not voodoo. In production I make few kernel customizations on BSD, but not because I am scared and need to "run away." I only make the customizations with which I am familiar, like adding support for IPSec or NAT. If I encountered a problem that could be addressed by customizing the kernel, I would take full advantage of the control that an open source OS provides.
What are your thoughts on these issues?
Tuesday, 01 November 2005
Dealing with FreeBSD Port Options
orr:/usr/ports/ftp/gftp# make
...menu appears, hit 'OK'...
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18
===> Extracting for gftp-2.0.18
=> Checksum mismatch for gftp-2.0.18.tar.gz.
===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
^C
orr:/usr/ports/ftp/gftp# make
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18
===> Extracting for gftp-2.0.18
=> Checksum mismatch for gftp-2.0.18.tar.gz.
===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18
^C
What is happening? Where is the menu?
It turns out the menu process creates a file called 'options' in the /var/db/ports/PORTNAME directory. For example:
orr:/var/db/ports/gftp$ ls -al
total 6
drwxr-xr-x 2 root wheel 512 Nov 1 15:00 .
drwxr-xr-x 3 root wheel 512 Nov 1 14:44 ..
-rw-r--r-- 1 root wheel 167 Nov 1 14:59 options
orr:/var/db/ports/gftp$ cat options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for gftp-2.0.18
_OPTIONS_READ=gftp-2.0.18
WITH_X11=true
WITHOUT_GTK2=true
If you want to eliminate the menu on a subsequent run of 'make', just delete the options file.
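As an added example (not from the original post), here is a small POSIX sh script that parses a saved options file in this format, flags one that was written for a different port version than the one being built, and removes it so that the next 'make' prompts with the menu again. The temporary directory and its contents are constructed for the demo, mirroring the gftp file above; on a real system the directory would be /var/db/ports/PORTNAME.

```shell
#!/bin/sh
# Added example, not code from the original post or the FreeBSD ports tree.
# Works on the 'options' file that 'make config' writes under
# /var/db/ports/PORTNAME (here emulated in a constructed temp directory).

# Print each saved option as "NAME on" or "NAME off", one per line.
# Comment lines and the _OPTIONS_READ marker are ignored.
port_options_list() {
    f="$1/options"
    [ -f "$f" ] || return 1
    sed -n 's/^WITH_\([A-Za-z0-9_]*\)=true$/\1 on/p; s/^WITHOUT_\([A-Za-z0-9_]*\)=true$/\1 off/p' "$f"
}

# Return 0 (true) when the saved file was written for a different
# port version than the one given, i.e. the saved answers may be stale.
port_options_stale() {
    f="$1/options"
    saved=$(sed -n 's/^_OPTIONS_READ=//p' "$f" 2>/dev/null)
    [ "$saved" != "$2" ]
}

# Remove the saved file so the next 'make' shows the options menu again.
port_options_reset() {
    rm -f "$1/options"
}

# --- constructed demo directory mirroring the post's gftp example ---
PORTSDB=$(mktemp -d)
mkdir -p "$PORTSDB/gftp"
cat > "$PORTSDB/gftp/options" <<'EOF'
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for gftp-2.0.18
_OPTIONS_READ=gftp-2.0.18
WITH_X11=true
WITHOUT_GTK2=true
EOF

port_options_list "$PORTSDB/gftp"          # X11 on / GTK2 off
if port_options_stale "$PORTSDB/gftp" gftp-2.0.18; then
    echo "saved options were written for another version"
fi
```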
New FreeBSD Logo Announced
BSD Certification Group Publishes Usage Survey Results
- 77% report using FreeBSD
- 33% report using OpenBSD
- 16% report using NetBSD
- 3% report using DragonFly BSD
- 7% report "other"
On a related note, I have resigned my seat on the Certification Group and joined the Advisory Board due to time constraints caused by running TaoSecurity.