Thursday, 28 September 2006

Preview: Hunting Security Bugs

Yesterday I received a copy of Hunting Security Bugs. One of this book's authors is Tom Gallagher, who posted thoughts on Microsoft's security initiatives. This looks like a great book, especially as a companion to The Security Development Lifecycle, also by Microsoft authors. A third book, The Practical Guide to Defect Prevention, arrives in the spring. This may be too developer-oriented for my needs, but I might take a look at it. I am glad...

Security Scruples Poll

Dark Reading is conducting a Security Scruples Poll. Some of the preliminary results are disturbing. I'll withhold commentary until I see the poll is closed and results are disclosed. Please consider taking the poll. It has some interesting questions, and it takes about 5 minut...

Wednesday, 27 September 2006

Review of Apache Security Books Posted

Amazon.com just posted my two reviews on books about Apache. The first is Apache Security by Ivan Ristic. Here is a link to the five star review. The second is Preventing Web Attacks with Apache by Ryan Barnett. Here is a link to the four star review. Both reviews share the same introduction. I recently received copies of Apache Security (AS) by Ivan Ristic and Preventing Web Attacks with Apache (PWAWA) by Ryan Barnett. I read AS first, then PWAWA....

Monday, 25 September 2006

Symantec Internet Security Threat Report Volume X

Symantec has posted (for free, no registration!) the latest Internet Security Threat Report. I'm very pleased to see that such a high-profile report uses threat and vulnerability terms properly, and features details on the methodology used to produce the report. Here's some of the Executive Summary. In contrast to previously observed widespread, network-based attacks, attackers today tend to be more focused, often targeting client-side applications... The current threat landscape is populated by lower profile, more targeted attacks, attacks that...

Review of The TCP/IP Guide Posted

Amazon.com just posted my 4 star review of The TCP/IP Guide. From the review: Right away I must state that I did not read "The TCP/IP Guide" (TTG) cover-to-cover. I doubt anyone will, which raises interesting issues. This review is based on the sections I did read and my comparisons with other protocol books. Protocol books should be divided into two eras. The first is the "Stevens era" meaning those written around the time Richard Stevens' "TCP/IP...

Saturday, 23 September 2006

Net Optics Think Tank Tuesday in Fairfax, VA

Don't forget to attend the free Net Optics Think Tank on Tuesday, 26 September 2006 in Fairfax, VA. It looks like I will be speaking during lunch from 1215 to 1315. Please register. I expect to see a lot of cool Net Optics gear on display, along with insights from those who make products for enterprise network instrumentati...

Throughput Testing Through a Bridge

In my earlier posts I've discussed throughput testing. Now I'm going to introduce an inline system as a bridge. You could imagine that this system might be a firewall, or run Snort in inline mode. For the purposes of this post, however, we're just going to see what effect the bridge has on throughput between a client and server. This is the new system. It's called cel600, and it's running the same GENERIC.POLLING kernel mentioned earlier.

FreeBSD...

FreeBSD Device Polling Results for Gigabit Copper

In my post FreeBSD Device Polling I ran my tests over Gigabit fiber connections. I thought I would repeat the tests for Gigabit copper, connected by normal straight-through cables. (One benefit of Gigabit copper Ethernet NICs is there's no need for crossover cables.) Although I booted my two test boxes, asa633 and poweredge, with kernels offering polling, neither interface had polling enabled by default. This is asa633's NIC:

em1: flags=8843 mtu...

Friday, 22 September 2006

The ZERT Evolution

In January during the WMF fiasco, I wrote The Power of Open Source. What we're now reading in Zero-Day Response Team Launches with Emergency IE Patch is the latest evolution of this idea. The Zeroday Emergency Response Team isn't a bunch of amateurs. These are some of the highest skilled security researchers and practitioners in the public arena. They are stepping up to meet a need not fulfilled by vendors, namely rapid response to security problems. Why is this the case? Customers running closed operating systems and applications are stuck....

Generating Multicast Traffic

If you're a protocol junkie like me, you probably enjoy investigating a variety of network traffic types. I don't encounter multicast traffic too often, so the following caught my eye. I'm using Iperf for some simple testing, and I notice it has a multicast option. Here's how I used it. In the following scenario, I have two hosts (cel433 and cel600) on the same segment. This is important because the router(s) in this test network are not configured to support multicast. I set up cel433 as an Iperf server listening on multicast address 224.0.55.55.

cel433:/root#...

FreeBSD Device Polling

Not all of us work with the latest, greatest hardware. If we use open source software, we often find ourselves running it on old hardware. I have a mix of equipment in my lab and I frequently see what I can do with it. In this post I'd like to talk about some simple network performance measurement testing. Some of this is based on the book Network Performance Toolkit: Using Open Source Testing Tools. I don't presume that any of this is definitive,...

Nisley on Failure Analysis

Since I'm not a professional software developer, the only reason I pay attention to Dr. Dobb's Journal is Ed Nisley. I cited him earlier in Ed Nisley on Professional Engineering and Insights from Dr. Dobb's. The latest issue features Failure Analysis, Ed's look at NASA's documentation on mission failures. Ed writes: [R]eviewing your projects to discover what you do worst can pay off, if only by discouraging dumb stunts. What works for you also works for organizations, although few such reviews make it to the outside world. NASA, however, has done...

Using tap0 with Tcpreplay

This thread on the Wireshark mailing list brought up the issue of not being able to use Tcpreplay with the loopback interface on FreeBSD, e.g.:

orr:/root# tcpreplay -i lo0 /data/lpc/1.lpc
sending out lo0
processing file: /data/lpc/1.lpc
Unable to send packet: Address family not supported by protocol family

Here is an alternative: use tap0.

orr:/root# ifconfig tap0
ifconfig: interface tap0 does not exist
orr:/root# dd if=/dev/tap0 of=/dev/null bs=1500 &
[1]...

Wednesday, 20 September 2006

Does SecureWorks-LURHQ Count as Consolidation?

I think it does. Managed network security services is one arena where size is always a factor, and bigger is usually better. With more employees you have more analysts per shift. You have more customers, so you see more of the Internet. With enough customers your view of the Internet begins to resemble a statistically significant sample, from which you can make inferences about the health of the global network. I thought this Dark Reading story on the merger (the new company will be called SecureWorks -- no more "how do I say LURHQ?") had an...

Multiple Kernels on FreeBSD

The following is a topic I would enjoy hearing more about. If you have helpful suggestions, please share them as a comment. Two years ago I described my experiences with building a FreeBSD userland and kernel on one system and installing it on another. I found myself in the same situation recently, where I didn't want to sit around waiting for a couple slow boxes to build themselves custom kernels. I wanted to build the custom kernel on a fast...

Changing Definitions of Network Security Monitoring

I first defined Network Security Monitoring in print through my contribution to the February 2003 book Hacking Exposed, 4th Edition. Prior to that I defined NSM in a December 2002 SearchSecurity Webcast. NSM probably became more recognized in my first book, where I repeated the same definition by writing "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions." I emphasized...

Differentiating Among Assessment Services

Tate Hansen of Clear Net Security provides a great methodology for differentiating among vulnerability assessment and related network security services. Check out his flow chart and then see how your own provider compar...

Review of IPv6 Essentials Posted

Amazon.com just posted my five star review of IPv6 Essentials, 2nd Ed by Sylvia Hagen. From the review:I read and reviewed IPv6 Network Administration (INA) in August 2005 and Running IPv6 (RI) in January 2006. I gave those books 5 stars, so I had high expectations for "IPv6 Essentials, 2nd Ed" (IE2E). INA and RI are very hands-on, implementation-specific books. IE2E is more concerned with explaining protocols and IPv6 features. In this respect,...

Tuesday, 19 September 2006

SANS Network IPS Testing Webcast

I'm listening to a SANS Webcast on Trustworthy IPS Testing and Certification. Jack Walsh from the Network Intrusion Prevention section of ICSA Labs spoke for about 45 minutes on his testing system. Jack spent a decent amount of time discussing the Network IPS Corporate Certification Testing Criteria (.pdf) and vulnerabilities set (.xls). The vulnerabilities set was just updated a week ago, after being criticized in July. At present only three products are ICSA Labs certified, according to the ICSA Web site and this press release. ICSA Lab certification...

How the FCC Handles Radio Denial of Service

I am a licensed Amateur Radio operator, but I'm about as active as packet radio. Today, though, I read how the Federal Communications Commission handles those who interfere with radio transmissions. It was a day a lot of radio amateurs in Southern California had been waiting for a long time. On September 18, US District Court Judge R. Gary Klausner sentenced convicted radio jammer Jack Gerritsen, now 70, to seven years imprisonment and imposed $15,225 in fines on six counts -- one a felony -- that included transmitting without a license and willful...

Suggestions for Testing Bypass Switches

I've acquired a number of bypass devices for testing in the TaoSecurity labs. I'd like to know if any of you have requests to know more about these devices. In other words, how would you like me to test them? The devices in question include the following. Shore Micro SM-2400 Programmable Bypass Switch: This device has TX copper connectors and may support Gigabit Ethernet. Optical Bypass Switch with Heartbeat: This device has SX fiber connectors and supports Gigabit Ethernet. 10/100/1000 Bypass Switch with Heartbeat: This device has TX copper...

Teaching Possibilities in Australia

I've been invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I haven't decided if I will accept yet. I'd like to know if any TaoSecurity Blog readers in Australia, New Zealand, or nearby areas would be interested in attending a two (or maybe more) day class either directly before or after my presentation date (which is unknown right now). I would need a location to host the training, in exchange for which I would provide...

Monday, 18 September 2006

Insider Threat Study

I received a copy of a study announced by ArcSight and conducted by the Ponemon Institute. I mention this for two reasons. One, it highlights issues regarding the meaning of security terms. Two, the content is worth a look. First, the email I received bore the subject "Are Executives the Cause of Insider Threats?". I wondered if the study examined if executives were the parties with the intentions and capabilities to exploit weaknesses in assets....