Monday, 31 December 2007

Sguil Status

One of you wrote recently to ask about the status of the open source Network Security Monitoring suite called Sguil. You noticed the last release of Sguil (0.6.1) occurred in February 2006. I can assure you Sguil is not dead. In fact, just last week I wrote an article for a new BSD magazine about installing the sensor and server components of Sguil 0.7.0 (from CVS) on FreeBSD 7.0. To keep up with development read the sguil-devel mailing list and...

Last Book Reviews of 2007 Posted

Amazon.com just published my five star review of Ajax Security by Billy Hoffman and Bryan Sullivan. From the review: Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that. I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat...

Best Book Bejtlich Read in 2007

Last year I posted my first year-end ranking of books I had read and reviewed in 2006, titled Favorite Books I Read and Reviewed in 2006. I decided to continue the tradition this year by posting my 2007 rankings, and awarding Best Book Bejtlich Read in 2007 (B3R07). 2007 was not my most productive year in terms of reading and reviewing books. I read 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, and 52 in 2006. This year...

Thursday, 27 December 2007

Long Live Emerging Threats

If you haven't noticed, availability of Bleeding Threats has been lousy recently. If you read Matt Jonkman's recent post you'll notice the arrival of Emerging Threats. I am currently getting my copy of the Bleeding ruleset there; I am no longer using Bleeding Threa...

Friday, 21 December 2007

Snort Report 11 Posted

My 11th Snort Report on Snort Limitations has been posted. From the start of the article: In the first Snort Report I mentioned a few things value-added resellers should keep in mind when deploying Snort: 1. Snort is not a "badness-ometer." 2. Snort is not "lightweight." 3. Snort is not just a "packet grepper." In this edition of the Snort Report, I expand beyond those ideas, preparing you to use Snort by explaining how to think properly about...

Thursday, 20 December 2007

Predictions for 2008

For the last five years I've resisted the urge to write year-end predictions (thanks Anton). However, I'm seeing indications of the following, so maybe this is more about highlighting trends than taking wild guesses. Here are my five predictions for 2008. Expect greater government involvement in assessing the security of private sector networks. I base this item on what's happening in the UK following their latest data breach. The article Data watchdog...

Two Book Reviews Posted

Amazon.com just published my five star review of Absolute FreeBSD, 2nd Ed by Michael Lucas. From the review: Almost five years ago I reviewed Absolute BSD, Michael Lucas' first book on FreeBSD. I gave that book five stars, back when several other BSD books provided competition. On the eve of 2008, I am happy to say that Michael Lucas is probably the best system administration author I've read. I am amazed that he can communicate top-notch content...

Wednesday, 19 December 2007

Make Cleaning Awesome

Over three years ago I blogged about my Dyson vacuum cleaner. 99.9% of all of my posts are about digital security, but I know some of you are still looking for holiday presents for that certain someone. My wife bought me the new DC-16 for my birthday. That's right, a vacuum for my birthday. Take a look at the picture of this thing and tell me it is not awesome. I dare you. Don't believe? Forget the perpetually clogged, nasty "filter" on my...

After Five Years, NSM Is Still More Than IDS

I've received a series of questions relating to Network Security Monitoring (NSM) recently, via email, blog comments, IRC questions, and so on. Just over five years ago (2 Dec 02) Bamm Visscher and I recorded a Webcast for SearchSecurity.com titled Network Security Monitoring Is More Than IDS. That URL links to a series of questions submitted in response to the podcast. I still have a copy of our slides, which I just exported to .pdf and uploaded...

Tuesday, 18 December 2007

Does Failure Sell?

I often find myself in situations trying to explain the value of Network Security Monitoring (NSM). This very short fictional conversation explains what I mean. This exchange did not happen but I like to contemplate these sorts of dialogues.

NSM Advocate: I recommend deploying network-based sensors to collect data using NSM principles. I will work with our internal business units to select network gateways most likely to yield significant traffic....

Saturday, 15 December 2007

Feds Plan to Reduce, Then Monitor

According to OMB directs agencies to close off most Internet links, by June 2008 the Federal government plans to reduce the number of Internet connections it maintains, and then monitor them more closely: The Office of Management and Budget's Trusted Internet Connections (TIC) initiative likely is to be the last publicized program in the Bush administration's stepped-up focus on cybersecurity, some experts say. More importantly, the new initiative...

Wednesday, 12 December 2007

Incident Severity Ratings

Much of digital security focuses on pre-compromise activities. Not as much attention is paid to what happens once your defenses fail. My friend Bamm brought this problem to my attention when he discussed the problem of rating the severity of an incident. He was having trouble explaining to his management the impact of an intrusion, so he asked if I had given any thought to the issue. What follows is my attempt to apply a framework to the problem. If anyone wants to point me to existing work, please feel free. This is not an attempt to put a...

Sunday, 02 December 2007

.NET ViewState vulnerable to manipulation exploits

This past week I had a chance to audit a customer who is using Microsoft's ViewState. So what is ViewState and why is it vulnerable? Well, ViewState is an ASP.NET feature that allows you to persist form properties when a page posts back to itself. ASP.NET takes the current state of all form controls and stores them as an encoded string in a hidden form field. The risk of ViewState is that an attacker might be able to view or modify these form values...

Saturday, 01 December 2007

Expert Commentary on SPAN and RSPAN Weaknesses

It's no secret I am a fan of using taps instead of switch SPAN ports when instrumenting networks. Two excellent posts explain the weakness of using SPAN ports and RSPAN. Both of these were written by Tim O'Neill, an independent consultant: "SPAN Port or TAP? CSO Beware" and "RSPAN... Friend or Foe?" This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment...

Monday, 26 November 2007

Controls Are Not the Solution to Our Problem

If you recognize the inspiration for this post title and graphic, you'll understand my ultimate goal. If not, let me start by saying this post is an expansion of ideas presented in a previous post with the succinct and catchy title Control-Compliant vs Field-Assessed Security. In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing "controls," regardless of the effect these...

Sunday, 25 November 2007

Old School Oracle Auditing

I was again reading hacking articles and one of them, "Simple Oracle Auditing", caught my attention. Well, it's an old article but it's still fun to read and learn from the gurus. Check it out guys: http://www.securityfocus.com/infocus/1689 The Hacka ...

Friday, 23 November 2007

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit. After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.

Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection...

Examining the MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application.I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X,...

Wednesday, 21 November 2007

Tap vs Lightning Strike

Earlier this year my lab suffered a near lightning strike. A tree right outside the lab was struck by lightning, causing damage to multiple electronic and electrical devices outside and inside the building. Outside, the lightning disabled an exterior lighting system and my phone lines. Inside, the lightning took a severe toll on the lab. The cable modem to the outside world was destroyed. The NIC on the lab firewall facing the cable modem was...

7 steps to better Solaris Network Settings

I was auditing one of our customers again and this time round, I managed to come up with a 7 step guide to better secure the TCP stack for Solaris. Well, you guys can add on for more.

1. Configure for more random TCP sequence number generation. Check that in /etc/default/inetinit, TCP_STRONG_ISS is set to 2. For instance, TCP_STRONG_ISS=2
2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file "/etc/notrouter" needs to be present. If the file is missing, issue the following command to...

Updating FreeBSD 7.0-BETA2 to 7.0-BETA3

Recently I posted FreeBSD Binary Upgrade News about developments with Colin Percival's FreeBSD Update tool. Today I performed a remote (via SSH) upgrade from FreeBSD 7.0-BETA2 to FreeBSD 7.0-BETA3 using FreeBSD Update. I document the process below so you can see how easy it is and for my future reference. Here is uname output to show the OS version prior to upgrading.

# uname -a
FreeBSD myhost.mydomain.com 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov ...