Friday, 24 February 2006

Bears Teach Network Security Monitoring Principles

Every once in a while it's good to be reminded of certain principles. In my first book I outlined three lessons I've learned while monitoring intruders. Sometimes threats in nature provide examples of these lessons. Sguil developer Bamm Visscher pointed me to these images, which I have cropped and annotated for your network security monitoring enjoyment. NSM Principle 1: Some intruders are smarter than you are. NSM Principle 2: Intruders are unpredictable. NSM...

Thoughts on Open Source Project Mergers

Last month I blogged my installation of Nepenthes. Today I read the announcement that the Nepenthes and mwcollect projects have merged. From this point forward, the mwcollect Alliance will use Nepenthes to collect malware, and the mwcollect suite will be retired. This announcement follows a similar development with the Auditor and iWhax assessment live CDs merging into BackTrack. I think both of these developments are great. There are far too many attackers compared to security developers, so combining forces like this optimizes scarce resources....

Thursday, 23 February 2006

Feds Delay Check Point Acquisition of Sourcefire

Based on a friend's tip, I found myself looking for this press release, which reads in part: Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the world leader in securing the Internet, received notice its pending acquisition of Sourcefire®, Inc. has moved into the investigative stage with the Committee on Foreign Investment in the United States ("CFIUS"). In order to clear the transaction with the United States Government, Check Point submitted two regulatory applications. Check Point received U.S. anti-trust approval and was advised that...

VMWare Likes FreeBSD 6.1-BETA2

I just installed FreeBSD 6.1-BETA2 in VMware Workstation 5.5.1 build-19175. I have not seen the same sorts of timing problems shown by FreeBSD 6.0 RELEASE inside the VMs I use and have created for the Sguil project. I did not see any obvious changes that would account for the better behavior. I hope FreeBSD 6.1 RELEASE behaves just as well. I am not sure if I will create a Sguil VM for FreeBSD 6.1 and Sguil 0.6.1, or if I will wait for a newer...

Tuesday, 21 February 2006

Brief Thoughts on MJR Pen Testing Post

I learned of this post by Marcus Ranum through commentary by Dave Goldsmith. In brief, I agree with much of what MJR says. However, I think pen testers perform a valuable service. I do not think that it is possible for some modern enterprise code to be fully comprehended by any individual or team of developers or security engineers. If the code cannot be fully understood statically, it must be tested dynamically. A live test will reveal how the system acts when working, and may reveal unanticipated interactions or vulnerabilities. In light...

Monday, 20 February 2006

Wireless FreeBSD 6.0 Update

While preparing for my Network Security Operations class tomorrow, I decided to take a closer look at the state of a few wireless security tools on FreeBSD 6.0. I've used bsd-airtools, specifically dstumbler, before, but I started getting this error when invoking the program with 'dstumbler wi0 -o' as I usually do:

error: unable to ioctl device socket: Invalid argument

Running without '-o' removed the error, but I didn't see any wireless networks....

Security in the Cloud

A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking. His company looks like a managed security services firm, except they are latched onto Gartner's security in the cloud idea. That is derived from MCI's (now Verizon's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud! The No proponent is Bruce...

Monitoring the Wrong Places

I am obviously a proponent of network security monitoring, but I am also a strong believer in privacy. The sort of attitude demonstrated in this article disturbs me greatly: Houston's police chief on Wednesday proposed placing surveillance cameras in apartment complexes, downtown streets, shopping malls and even private homes to fight crime during a shortage of police officers. "I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?" Chief Harold Hurtt...

Brian Krebs Botmaster Interview

I highly recommend reading Brian Krebs' latest article Invasion of the Computer Snatchers. Here are a few of my favorite quotes: "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout. That's great -- what a role model. The young hacker doesn't have much...

RSA Conference 2006 Wrap-Up, Part 4

This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group. I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze...

Saturday, 18 February 2006

RSA Conference 2006 Wrap-Up, Part 3

This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1. Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended. Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor. Third, in his talk Nitesh referenced his article Googling for Vulnerabilities, which...

Thursday, 16 February 2006

RSA Conference 2006 Wrap-Up, Part 2

This is part 2 of my RSA Conference 2006 wrap-up. I started with part 1. My first talk of day 2 was Bruce Schneier. Bruce is a great speaker, but I seemed to remember his material from 2002. His major point involved this fact: there are far too many legitimate users compared to attackers. This makes detection and prevention difficult. I believe this is a form of Axelsson's 1999 base rate fallacy (.pdf) paper. Bruce made the interesting point that by charging the conference fee ($1900 or so) to replace a lost badge, RSA had transferred a...

RSA Conference 2006 Wrap-Up, Part 1

I'm using T-Mobile at the San Francisco airport as I write this, on my way home from the RSA Conference 2006. Here are my thoughts on my first RSA conference: Holy vendors, Batman. This seemed to be a show by vendors, for vendors. In some ways the presentations were afterthoughts, or just another way for some vendors to describe their products or upcoming technologies. I plan to report on one or two cool products I encountered on the exposition floor, but for now I'll quickly mention the talks I saw. I began Tuesday by attending a briefing advertised...

Tuesday, 14 February 2006

Sguil 0.6.1 Released

Just in time for RSA, Bamm Visscher has released Sguil 0.6.1. You can read the release announcement. Most of the improvements have happened on the client side, especially with regard to using UNION queries. The client will also look slightly different due to using the tablelist widget. If you're at RSA, I speak today from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics. I will sign books on Wednesday, 15 February 2006 from 1200 to 12...

Monday, 13 February 2006

Virtualization on Low-End Hardware

I have a few really old laptops that I've rescued for use in the TaoSecurity labs. One is a Thinkpad 600e PII 366 MHz with 128 MB RAM, and the other is a Thinkpad 1400 Pentium MMX 300 MHz with 256 MB RAM. Recently I wondered if I could run VMware Player on them. First I needed a supported operating system. I first tried Ubuntu, since it looked like the most recent free OS with which I was familiar. Unfortunately, Ubuntu's live CD and installation CD hung on the two laptops I tried. I turned next to Red Hat Linux 9, intending...

Saturday, 11 February 2006

Request for Comments: NSM Reporting

My friend John Ward wrote me recently, asking what sorts of reports managers should receive from network security monitoring operations. John posted his experiences using Business Intelligence and Reporting Tools (BIRT), and its role in business intelligence (BI). What do you put in the NSM reports you provide for management? What would you want to see extracted from the NSM data you colle...

New TaoSecurity Services Brochure Online

The new TaoSecurity company services brochure is available (.pdf). If any of you small business owners would like to contact the graphics designer who created this brochure for me, I would be happy to forward his email address. The front of the brochure explains my company's services, and the reverse explains our class...

PortRequest is Live

If you listened to my recent BSDTalk podcast, you heard me mention PortRequest. Well, it's live! PortRequest is part of the NYCBUG site; Michael Welsh coded it, receiving nothing in compensation. If you visit www.portrequest.org you will be redirected to the actual NYCBUG Portrequest page. The idea behind PortRequest is simple: I am lazy. Whenever I find a new program, I first look to see if it is in the FreeBSD ports tree by searching Dan Langille's...

Friday, 10 February 2006

Pursuing Advanced Degrees When Older

If you've seen my resume you'll know I do not have a degree in computer science. My last post mentioned what I studied in "college" -- history and political science, along with minors in French and German -- including a heavy engineering core. In grad school I studied national security in a public policy program. I graduated from the master's program ten years ago. Looking to the future, I've considered what my resume needs to look like if I want to keep certain doors open. One of the doors involves teaching at the college/university level....

FreeBSD News

According to this announcement, FreeBSD 5.5-BETA1 and FreeBSD 6.1-BETA1 are now available. Looking at the release schedule, I estimate we'll see FreeBSD 5.5 in late April and FreeBSD 6.1 in early April. The schedule is very ambitious, with 6.2 and 6.3 releases planned for this year too. Remember that FreeBSD 5.5 is probably the last in the 5.x tree. I'd like to thank Royce Williams for pointing out that Colin Percival has been building SMP kernels for freebsd-update. Here is the announcement. This is great news for...

Thursday, 09 February 2006

Ed Nisley on Professional Engineering

I get a free subscription to Dr. Dobb's Journal. The March 2006 issue features an article by Ed Nisley titled "Professionalism." Ed is a software developer with a degree in Electrical Engineering. After working at a computer manufacturer for ten years in New York state, he decided to become a "consulting engineer." Following the state's advice, Ed pursued a license to be a Professional Engineer. Now, 20 years after first earning his PE license,...

Wednesday, 08 February 2006

Integrating Sguil into Intrusion Detection and Incident Response

A fellow Sguil user wrote a surprisingly complete account of a compromise of his Web server, and how he used Sguil to identify the intrusion and respond to the incident. The author, Chas Tomlin, provides a step-by-step walkthrough of his investigation, along with some of his actual findings -- including a transcript of an IRC conversation between bot net operato...

Monday, 06 February 2006

Linksys WPC54G with FreeBSD

Yesterday I posted how I figured out how to use wlan_wep on FreeBSD. Today I received my new Linksys WPC54G wireless 802.11g network adapter. I decided to try using it with FreeBSD 6.0. When I inserted it into the PCMCIA slot, I got these errors:

cardbus0: CIS pointer is 0!
cardbus0: Resource not specified in CIS: id=10, size=2000
cardbus0: at device 0.0 (no driver attached)

That didn't look good. I decided to use Bill Paul's ndis driver to get the Windows drivers working with FreeBSD. I posted about this capability two years ago, but today I used...

Sunday, 05 February 2006

FreeBSD Wireless Changes

At my desk I connect to the rest of my wireless network with a Netgear WGE111 54 Mbps Wireless Game Adapter (don't ask). I usually don't use the SMC EZ Connect 802.11b Wireless PCMCIA card, model SMC 2632W v.1 I have nearby. While watching "the big game" I decided to check email, so I tried using this wireless card with my FreeBSD 6.0 laptop. I saw this error:

orr:/home/richard$ sudo ifconfig wi0 inet 192.168.2.5 netmask 255.255.255.0 ssid shaolin...

Another Engineering Disaster

Does the following sound like any security project you may have worked on?

Executives decide to pursue a project with a timetable that is too aggressive, given the nature of the task.

They appoint a manager with no technical or engineering experience to "lead" the project. He is a finance major who can neither create nor understand design documents. (This sounds like the news of MBAs being in vogue, as I reported earlier.)

The project is hastily implemented using shoddy techniques and lowest-cost components.

No serious testing is done. The only "testing"...

Saturday, 04 February 2006

Review of Hardening Network Security Posted

Amazon.com just posted my four star review of McGraw-Hill/Osborne's Hardening Network Security. From the review: "As a security consultant I am sometimes asked for reference books for new security managers. These individuals need help bringing their enterprise under control. Hardening Network Security is a good book for this sort of problem, although it is important to recognize a few technical errors outlined belo...

BSDTalk Podcast Posted

Will Backman from BSDTalk posted a new podcast (.mp3, 16 MB) featuring his interview with me. In the first half of the podcast Will explains ways to obtain BSD. The second half of the podcast is the interview. We talked about my ShmooCon presentation, my blog, book reviews, how I use FreeBSD, and the upcoming PortRequest project implemented by the good people at NYCBUG.

orr:/data/media/audio$ mpg123 -a /dev/dsp0.0 bsdtalk013.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights...

Friday, 03 February 2006

Exporting X Sessions

This is one of those tasks that I want to remember for the future, because I can imagine encountering the same problem again. When I build servers with FreeBSD, I usually do not include packages for X.org. I access my servers using OpenSSH so I don't need any graphics support. Recently I needed a platform to run QEMU. It turns out that QEMU opens an X session. The system where I wanted to run QEMU was a remote server (janney), so I needed to add...

Four New Pre-Reviews

I received four new books in the last few weeks. The first is Wiley's Security Patterns: Integrating Security and Systems Engineering by Markus Schumacher, et al. I am very interested in books like Wiley's unparalleled Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson. I hope Security Patterns will present techniques that can be implemented in a vendor- and possibly technology-neutral manner. The second is No Starch's TCP/IP Guide by Charles M. Kozierok. The book is already online, but in a fairly difficult...

Dangers of Tracking FreeBSD STABLE

Most of my FreeBSD systems track the SECURITY branch of FreeBSD. Wherever possible I try to apply binary updates for the kernel and userland with Colin Percival's freebsd-update tool. Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source. One of my systems does track the STABLE branch of FreeBSD, specifically RELENG_6. This is more or less a lab system. I like to see what might appear in the next version...

Wednesday, 01 February 2006

Request for Comments: Bluetooth on FreeBSD

I haven't tried Bluetooth yet because I do not have any Bluetooth-enabled devices. I've considered buying a stock Linksys USBBT100 adapter, or one of the fancier models from WarDrivingWorld.com. Unfortunately, I do not see much support for Bluetooth security tools on FreeBSD. Today I downloaded and tried Bluediving, which is supposed to work. I was unable to get the programs in the tools directory to compile on FreeBSD 6.0. Is anyone using Bluetooth...