Friday, 29 June 2007

Bejtlich Teaching at Forensec Canada 2007

I just wrapped up teaching at GFIRST and the number of events left on my TaoSecurity training page is dwindling. My last scheduled event open to the general public will take place at Forensec Canada 2007 in Regina, SK on 15-16 September 2007. This is a great opportunity to attend some excellent forensics training, since the conference (17-18 September) follows my class, and MANDIANT's Incident Response Management class wraps up the event on 19-20 September. Each class only holds 12 students. I am teaching TCP/IP Weapons School, covering layers...

Youtube's 40+ security vulnerabilities

The other night I was chatting with Christ1an about web security and I just happened to realise that he was actually the one who killed YouTube. Some of you might already know that he was the one who discovered around 40+ vulnerabilities in YouTube and became famous overnight. Anyway, Christ1an is based in Germany and he is only a student, but hack, he is a guru in web security. He was interviewed by The Register and Google actually thanked him for his work. Recently Christ1an launched http://planet-websecurity.org/ with the intention to...

Wednesday, 27 June 2007

SAP

I always wanted to work for SAP because they pay huge money. I remember being interviewed by SAP back in Singapore. The first interview took at least 1-2 hours of conversation and I passed it. HR invited me for a second interview; however, this time the interviewer was crap. He asked all sorts of questions and I answered them succinctly without beating around the bush. Either he didn't get what I was trying to say or he was just plain talkative. I stood firmly by what I said and he did not believe...

Tuesday, 26 June 2007

Cisco show mem vs show processes memory sorted

To check a router's or firewall's CPU and memory usage, I always issue show mem or show processes cpu to see what is causing the high CPU or memory utilisation. However, I realised that the show mem command output is not as nice as it seemed. I was looking at the ioshints blog and found the same command with a few tweaks. This command provides better output than show mem, which is very important for troubleshooting purposes. See below:

show processes memory sorted
show processes cpu sorted...

Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter

I was invited by Lucian to review this book. Lucian actually sent me a copy of the book to read and I was happy to receive it. Well, I am someone who loves firewall and security stuff, especially Linux and Cisco. This book is absolutely amazing. For beginners, there are a lot of technical configurations you can read and learn from, and for experts, this book will guide you to some topics that might interest you. I would really want to put this...

Monday, 25 June 2007

VoIPong installation error

For those of you who try to install VoIPong and have installation errors like the ones below, the problem and solution are provided as shown below:

Murat Balaban writes:
>
> Hi Henrique,
>
> Which UNIX user is trying to run voipong? It seems a non-root
> user is running it, but does not have the sufficient privileges
> to open the ethernet device in promisc mode.
>
> Plus, you seem to have problems with the permissions of
> your modules directory. That directory should be owned by
> the same user running voipong.
>
> ...
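The two problems in the reply above (promiscuous capture needs root, and the modules directory must belong to the user running voipong) are easy to check before starting the sniffer. The script below is an added example of mine, not VoIPong's own code: the default modules path is an assumption (the real one comes from voipong's configuration), and the world-writable check is an extra hardening step beyond what the reply mentions.

```python
"""Pre-flight checks for a libpcap sniffer such as VoIPong.

Added example, not VoIPong's own code. It encodes the two problems in the
mailing-list reply quoted above: a non-root user cannot put the Ethernet
device into promiscuous mode, and the modules directory must be owned by
the user that runs voipong. The world-writable check is an extra hardening
step of my own, and DEFAULT_MODULES_DIR is an assumed path.
"""
import os
import stat
from typing import List, Optional

# Assumed location; the real path comes from voipong's configuration file.
DEFAULT_MODULES_DIR = "/usr/local/etc/voipong/modules"


def check_capture_privileges(euid: int) -> List[str]:
    """Opening an interface in promiscuous mode needs root (or CAP_NET_RAW)."""
    if euid != 0:
        return [f"running as uid {euid}: promiscuous capture needs root "
                "(or CAP_NET_RAW on Linux)"]
    return []


def check_modules_dir(owner_uid: int, runner_uid: int, mode: int) -> List[str]:
    """The modules directory should be owned by the user running voipong."""
    problems = []
    if owner_uid != runner_uid:
        problems.append(f"modules directory owned by uid {owner_uid} but voipong "
                        f"runs as uid {runner_uid}; chown it to the running user")
    if mode & stat.S_IWOTH:
        # Extra check: modules are loaded by a (usually root) process, so
        # nobody else should be able to drop files into this directory.
        problems.append("modules directory is world-writable")
    return problems


def preflight(modules_dir: str = DEFAULT_MODULES_DIR,
              runner_uid: Optional[int] = None) -> List[str]:
    """Run every check against the live process and filesystem."""
    if runner_uid is None:
        runner_uid = os.geteuid()
    problems = check_capture_privileges(runner_uid)
    try:
        st = os.stat(modules_dir)
    except FileNotFoundError:
        return problems + [f"modules directory {modules_dir} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return problems + [f"{modules_dir} is not a directory"]
    return problems + check_modules_dir(st.st_uid, runner_uid, st.st_mode)


if __name__ == "__main__":
    for problem in preflight() or ["all checks passed"]:
        print(problem)
```

Run it as the user you intend to start voipong as; an empty list means both conditions from the reply are satisfied. If you would rather not run the whole sniffer as root, the CAP_NET_RAW note in the first check is the Linux alternative, but the modules directory still has to belong to whichever user ends up running it.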

Snom phones web interface exposed to public.

I was just researching hard and soft phones and I came across Snom VoIP phones. I don't know much about the phones; however, a simple Google dork gave me a bad result. Default installations of the phone are not password protected. Check it out: "(e.g. 0114930398330)" s...

Saturday, 23 June 2007

Hakin9 X Hackathology

This past week, I was invited by hakin9 magazine to write an article about the latest hacking skills. I am still thinking about a topic to write on. There are different types of hacks and I am in a dilemma choosing one. After pondering for some time, I think I would love to write about VoIP hacks. Personally, because VoIP is a subset of network security, I think it's best to write something that I am good at. I have already set up a PBX server and now it's up to the guys at hakin9. The hakin9 team is a bunch of really cool and nice guys. They gave...

Three Reviews Posted

I'm happy to announce three new Amazon.com reviews, partially due to my flights between Washington Dulles and San Jose for USENIX 2007. The first is two stars (yes, unfortunately) for Practical Packet Analysis by Chris Sanders. From the review:

To use "American Idol" lingo, you've already read reviews by Randy Jackson and Paula Abdul. It's time for the truth from Simon Cowell -- Practical Packet Analysis (PPA) is a disaster. I am not biased against...

Friday, 22 June 2007

Internet Traffic Study

I found this press release from Ellacoya Networks to be interesting. HTTP is approximately 46% of all traffic on the network. P2P continues as a strong second place at 37% of total traffic. Newsgroups (9%), non-HTTP video streaming (3%), gaming (2%) and VoIP (1%) are the next widely used applications.

Breaking down application types within HTTP, the data reveals that traditional Web page downloads (i.e. text and images) represent 45% of all Web...

Thursday, 21 June 2007

David Litchfield new Oracle book

I had been wanting to learn more about Oracle hacking and I would not say I am really good at Oracle security. I managed to set up an Oracle Database server and do some simple exploitation and auditing; however, I know that to be good in that aspect, it would require focusing most of my time on trying to exploit and learn the techniques for hacking the database. This past week, it came to my attention that David Litchfield (Oracle security guru; Google him to find out more) has published a book called Oracle Hacker's Handbook. I highly...

Frame Check Sequence Recorded in STP

This evening I was preparing to teach day 2 of my TCP/IP Weapons School class at USENIX. I decided I wanted to get a trace of Spanning Tree Protocol (STP), so I connected back to a box in my lab and ran Tshark. When I brought the trace back to my desktop to view in Wireshark, I saw the following: How/why did Tshark capture the FCS for this frame? I looked at other traffic (i.e., non-STP traffic) and did not see an FCS. The only other interesting aspect...

Open Source Initiative Stands Up

Thanks to this Slashdot article I learned of this blog post by Michael Tiemann, president of the Open Source Initiative. Essentially he writes:

Enough is enough. Open Source has grown up. Now it is time for us to stand up. I believe that when we do, the vendors who ignore our norms will suddenly recognize that they really do need to make a choice: to label their software correctly and honestly, or to license it with an OSI-approved license that matches their open source label.

This is great. I wrote Real Open Source in April and I am glad OSI is...

Wednesday, 20 June 2007

Latest Plane Reading

Tuesday afternoon I flew from Washington Dulles to San Jose, to teach at USENIX 2007. En route I read a few interesting articles that I'd like to mention.

When I saw NWC mention the Omni Virtual Network Service, I thought something cool might be on hand. Their Web site states:

The migration to blade chassis-based virtual servers has created a new blind spot in the enterprise: the traffic between virtual servers in the same blade chassis. This "invisible...

Tuesday, 19 June 2007

More on Enterprise Data Centralization

I'd like to respond to a few comments to my post Enterprise Data Centralization. The first paragraph includes the following:

However, I haven't written about a natural complement to thin client computing -- enterprise data centralization. In this world, the thin client is merely a window to a centralized data store (sufficiently implemented according to business continuity processes and methods like redundancy, etc.).

The bolded part is my answer to those who think my "centralization" plan means building the Mother of All Storage Servers/Networks....

Hired Gun No More

The June 2007 Information Security Magazine features a story called When to Call in the Hired Guns. The magazine includes a chart titled VAR Excellence (.pdf) that mentions TaoSecurity. The selection process seems to have no method to its madness; I only recognize a few of the other companies. Furthermore, I did not pay anything for the listing.

I don't like to see TaoSecurity listed as a "VAR" since I don't sell any products as a regular business...

Web-Centric Short-Term Incident Containment

You may have read Large Scale European Web Attack from Websense and other news sources. One or more Italian Web hosting companies have been compromised, and the contents of the Web sites they host have been modified. Malicious IFRAMEs like the one below are being added to Web sites. These IFRAMEs link to malicious code hosted by a third party under the control of the intruder. When an innocent Web browser visits the compromised Web site, the...
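Injected IFRAMEs of this kind are usually easy to spot in the served HTML: they point off-site and are hidden (zero or one-pixel size, or display:none). The script below is an added example of mine, not code from the post or from Websense. It walks a page looking for exactly that shape; the sample page and hostnames in it are constructed, and the site name passed in (victim.example) is a placeholder.

```python
"""Flag hidden, off-site IFRAMEs injected into served HTML.

Added example, not from the post or from Websense. It scans a page for
<iframe> tags whose src points to a different host than the site itself
and which are hidden (zero or 1-pixel size, display:none or
visibility:hidden), the usual shape of a drive-by injection. The sample
page and hostnames below are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=bareword
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample: one legitimate same-site frame, two injected ones,
# and a visible third-party ad frame that should not be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<iframe src="http://evil.example/ld.php" width=0 height=0 style="display:none"></iframe>
<IFRAME SRC='http://another.example/i.php' WIDTH="1" HEIGHT="1"></IFRAME>
<iframe src="http://partner.example/ad.html" width="468" height="60"></iframe>
</body></html>"""


def parse_attrs(raw: str) -> Dict[str, str]:
    """Lower-cased attribute map from the inside of a tag."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _dimension(value: str) -> int:
    """Parse "0", "1px" etc.; anything unparsable is treated as large."""
    digits = re.match(r"\s*(\d+)", value)
    return int(digits.group(1)) if digits else 10**6


def is_hidden(attrs: Dict[str, str]) -> bool:
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (_dimension(attrs.get("width", "")) <= 1
            or _dimension(attrs.get("height", "")) <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html: str, site_host: str) -> List[Dict[str, str]]:
    """Return off-site, hidden IFRAMEs; visible or same-site frames are ignored."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host.lower() and is_hidden(attrs):
            hits.append({"src": src, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "victim.example"):
        print(f"suspicious iframe to {hit['host']}: {hit['src']}")
```

Point it at the HTML your web server actually serves (or at a proxy log of responses) rather than at the files on disk: the whole point of this kind of compromise is that what the server hands out no longer matches what the site owner thinks is published. A hit gives you the third-party host to block at the perimeter while the hosting provider cleans up.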

Sunday, 17 June 2007

Using ftp with CUTCP telnet

Check out CUTCP:

"Telnet is a program used to interactively log in to a remote computer. CUTCP telnet is a program that runs on a PC and is used in CIRCA labs and elsewhere on campus to log in to remote computers. This program can also function as an ftp server when you are logged in to a remote host. This means that you can use the host's ftp client to connect back to yourself. Here's how you do it:

1) First use telnet to log in to the remote host.
2) Press Alt/T. This will generate an ftp command with the proper network address and start the ftp...

Regular Expressions with Cisco IOS

I was reading some Cisco stuff today. I have known for a long time that Cisco IOS allows regular expressions to simplify search tasks and other uses. Well, back then I did not research it much, but I just came across two sites which provide more explanation of Cisco IOS regex:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm
http://www.nil.com/ipcorner/EnhanceIOS...

Saturday, 16 June 2007

Enterprise Data Centralization

I've written about thin client computing for several years. However, I haven't written about a natural complement to thin client computing -- enterprise data centralization. In this world, the thin client is merely a window to a centralized data store (sufficiently implemented according to business continuity processes and methods like redundancy, etc.). That vision can be implemented today, albeit really only where low-latency, uninterrupted, decent bandwidth is available. Thanks to EDD Blog I just read an article that makes me think legal...

Cisco Router's DNS server to kill browser advertisement

I just happened to stumble across the ioshints blog. He mentioned something about the Cisco router's DNS server having a way to prevent unwanted website advertisements. You guys can read more at: http://www.nil.com/ipcorner/RouterD...

Hacking Old Skoolz Windows

Port 135 (client-server communications)
Port 139, 445 (authentication and file sharing)
Port 137, 138 (NetBIOS browser, name and lookup functions)

Look for port 135 endpoint mapping, which includes Microsoft Outlook, Exchange and Messenger Service.

Nmap the server to look for port 135.
Run rpcscan or epdump on the server over TCP or UDP port 135.
If UDP port 1028, 1029 or TCP port 1025 are open, run rpcscan over those ports.
Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for the LSA and SAMR interfaces respectively....
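The steps above are a procedure: find which of those ports answer, then run the RPC tools and look for the two IFIDs. The script below is an added example of mine, not the author's, that automates the first step and the interpretation of the last. It does only a plain TCP connect test (no RPC binding, and the UDP ports 137/138/1028/1029 are not probed since a connect scan cannot tell open UDP ports from filtered ones), and it maps the two IFIDs named above to their MS-RPC names, lsarpc and samr. Only run it against hosts you are authorised to test.

```python
"""TCP reachability and triage for the Windows RPC/SMB ports listed above.

Added example, not the author's script. It does only a TCP connect test
(no RPC binding, and the UDP ports from the list are not probed) and maps
the two IFIDs named in the post to their MS-RPC interface names, so the
output tells you which of the next steps above (epdump/rpcscan) apply.
Only run it against hosts you are authorised to test.
"""
import socket
from typing import Dict, Iterable, List

# IFIDs from the post; the names are the MS-RPC interface names for them.
KNOWN_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc (LSA)",
    "12345778-1234-abcd-ef00-0123456789ac": "samr (SAM)",
}

# TCP ports from the post and what each one is used for.
WINDOWS_TCP_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session / file sharing",
    445: "SMB over TCP / file sharing",
    1025: "commonly the first dynamic RPC endpoint",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full TCP connect; refused or timed out both count as not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_scan(host: str, ports: Iterable[int] = WINDOWS_TCP_PORTS,
                 timeout: float = 1.0) -> Dict[int, bool]:
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def identify_interface(ifid: str) -> str:
    """Name a UUID seen in epdump/rpcscan output, or say it is unknown."""
    return KNOWN_INTERFACES.get(ifid.strip("{}").lower(), "unknown interface")


def next_steps(scan: Dict[int, bool]) -> List[str]:
    """Turn scan results into the procedure from the post."""
    steps = []
    if scan.get(135):
        steps.append("tcp/135 open: run rpcscan or epdump against the endpoint mapper")
    if scan.get(1025):
        steps.append("tcp/1025 open: run rpcscan against it and look for the LSA/SAMR IFIDs")
    if scan.get(139) or scan.get(445):
        steps.append("tcp/139 or tcp/445 open: authentication and file sharing are reachable")
    return steps or ["none of the listed TCP ports are reachable"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = connect_scan(target)
    for port, state in results.items():
        print(f"{target}:{port} {'open' if state else 'closed'} ({WINDOWS_TCP_PORTS[port]})")
    for step in next_steps(results):
        print(step)
```

A connect scan completes the handshake, so it is noisy and will show up in the target's logs; that is fine for an authorised test but it is not a stealthy technique. Feed the UUIDs that epdump or rpcscan print into identify_interface to pick out the LSA and SAMR bindings from the rest of the endpoint map.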

Friday, 15 June 2007

DHS Einstein Demonstrates Value of Session Data

If you're looking for case studies to show management to justify collecting session data, check out Einstein keeps an eye on agency networks. I've known about this program for several years but waited until a high-profile story like this to mention it in my blog. Basically:

Since 2004, Einstein has monitored participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating...

Hope for Air Force Cyberoperators

Last November I wrote about the Air Force Cyberspace Command. I said:

I'd like to see the new Cyberspace Command sponsor a new Air Force Specialty Code (AFSC) for information warriors. The current Intel or Comm paradigm isn't suitable.

Today I read Air Force moves to populate Cyberspace Command:

The Air Force is developing plans for a dedicated force to populate the ranks of the service's new Cyberspace Command, its commanding general said today. Lt. Gen. Robert Elder, commander of the 8th Air Force and chief of the new command, said the service will...

Thursday, 14 June 2007

Seats for Bejtlich at Black Hat 2007 Filling

I'll be teaching two sessions of TCP/IP Weapons School, Black Hat Edition at Black Hat in Las Vegas, 28-29 July and 30-31 July 2007. This is the same class, just offered twice. The second session is already wait-listed. The only remaining seats are available for the first session. Thank y...

Wednesday, 13 June 2007

Why Digital Security?

Today I received the following email:

Hi Richard,

(Sorry for my bad English, I speak French...)

I'm one of your blog readers and I have just a little question about your (ex) job, consultant in IT security... I'm very interested in IT security and I want to get a degree in this. In France, we have to write a "motivation letter" to show why we are interested in the diploma. That's why I write to you to know a few things that you do in your job, what is interesting and what is boring??

I figured I would say a few words here and then let all of you blog...

Two Pre-Reviews

I'd like to mention two books that publishers were kind enough to send me recently. I plan to read these during upcoming flights or as part of my new, structured reading regimen that will accompany my plans for the second half of 2007. The first book is Windows Forensic Analysis Including DVD Toolkit by Harlan Carvey. I expect to learn a lot about Windows forensics reading this book. I do not perform host-based forensics regularly so I think Harlan's experience will be appreciated. The second book is Practical Packet Analysis by Chris Sanders....

Security Application Instrumentation

Last year I mentioned ModSecurity in relation to a book by its author. As mentioned on the project Web site, "ModSecurity is an open source web application firewall that runs as an Apache module." In a sense Apache is both defending itself and reporting on attacks against itself. I consider these features to be forms of security application instrumentation. In a related development, today I learned about PHPIDS:

PHPIDS (PHP-Intrusion Detection...

Cisco's PIX/ASA TCP flags syntax

Have you guys ever wondered how the PIX or ASA firewall TCP 3-way handshake works? Well, it's absolutely similar to how the normal TCP/IP handshake works, just a little different in terms of the syntax. For instance, the SYN flag in PIX is known as saA. For troubleshooting purposes, you would however need to know these flags in PIX/ASA. I have summarised a table of the flags and how it wor...
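The author's table is cut off above, so the decoder below uses my own partial summary of the flag letters from Cisco's documentation for the show conn command (handshake, data and teardown flags only); it is an added example, not the author's table or Cisco's code. Any letter it does not know is reported as unknown rather than guessed, and the sample lines are constructed in the older single-line show conn format (the newer comma-separated format is also accepted).

```python
"""Decode the flags column of a PIX/ASA `show conn` line.

Added example; the flag table is my own partial summary of the Cisco
documentation for `show conn`, not the author's table (which is cut off
above), and it covers only the TCP handshake, data and teardown flags.
Anything not in the table is reported as unknown rather than guessed.
The sample lines are constructed in the older single-line format.
"""
import re
from typing import Dict, List

CONN_FLAGS = {
    "U": "up (three-way handshake completed)",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "i": "incomplete TCP or UDP connection",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# Matches both "TCP out A in B idle T bytes N flags X" and the newer
# "TCP outside A inside B, idle T, bytes N, flags X" layouts.
CONN_LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+)\s+([^\s,]+),?\s+(\S+)\s+([^\s,]+),?\s+"
    r"idle\s+([^\s,]+),?\s+bytes\s+(\d+),?\s+flags\s+(\S+)"
)

# Constructed sample output: established, mid-handshake, and closing.
SAMPLE_LINES = [
    "TCP out 10.1.1.1:80 in 192.168.1.10:1234 idle 0:00:05 bytes 1200 flags UIO",
    "TCP out 10.1.1.2:443 in 192.168.1.11:1235 idle 0:00:01 bytes 0 flags saA",
    "TCP out 10.1.1.3:25 in 192.168.1.12:1236 idle 0:00:30 bytes 900 flags UfFrR",
]


def decode_flags(flags: str) -> List[str]:
    """Expand each flag letter; unknown letters are labelled, not guessed."""
    return [CONN_FLAGS.get(c, f"unknown flag '{c}'") for c in flags]


def handshake_state(flags: str) -> str:
    """Summarise where the connection is in its TCP lifecycle."""
    if any(c in flags for c in "fFrR"):
        return "closing"
    if "U" in flags:
        return "established"
    if any(c in flags for c in "sSaAB"):
        return "handshake in progress"
    return "unknown"


def parse_conn_line(line: str) -> Dict[str, object]:
    m = CONN_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a show conn line: {line!r}")
    proto, if_a, addr_a, if_b, addr_b, idle, nbytes, flags = m.groups()
    return {
        "proto": proto,
        "a": f"{if_a} {addr_a}",
        "b": f"{if_b} {addr_b}",
        "idle": idle,
        "bytes": int(nbytes),
        "flags": flags,
        "state": handshake_state(flags),
        "decoded": decode_flags(flags),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        conn = parse_conn_line(line)
        print(f"{conn['a']} <-> {conn['b']}: {conn['state']} "
              f"({', '.join(conn['decoded'])})")
```

A connection that stays in "handshake in progress" with "a" or "A" set is the classic troubleshooting signal: the firewall saw a SYN on one side but the SYN/ACK or ACK never came back through it, which usually points to asymmetric routing or a host that is not answering.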

Tuesday, 12 June 2007

Threat Model vs Attack Model

This is just a brief post on terminology. Recently I've heard people discussing "threat models" and "attack models." When I reviewed Gary McGraw's excellent Software Security I said the following:

Gary is not afraid to point out the problems with other interpretations of the software security problem. I almost fell out of my chair when I read his critique on pp 140-7 and p 213 of Microsoft's improper use of terms like "threat" in their so-called...

I'm Not Dead

Several of you leaving comments, posting your own blog entries, and sending me email seem to think my job at General Electric means I am dead. I am not dead, God willing. Let me reprint the second-to-last paragraph from that post:

What about writing here, or articles, or books? My boss supports my blogging and writing. I have never made a practice of posting "Look what I found at this client!" and he does not expect me to start doing so at GE....

One for Ken Belva

I mentioned Ken Belva's thoughts in Thoughts on Virtual Trust last year. If you don't know Ken's thoughts on "virtual trust" please read that post before continuing further. I refrained from pointing a finger at Ken's Apple DRM example after Steve Jobs posted his Thoughts on Music, where DRM won't apply to Apple music (thereby depriving Ken of one of his case studies and questioning his logic).Now I'd really like an answer to this article: Retailers Fuming Over Card Data Security Rules; Claim PCI standard shifts burden to them, could alienate...

Monday, 11 June 2007

PIX firewall troubleshooting commands

I am adding some commonly used PIX firewall troubleshooting commands. For those of you who troubleshoot the firewall, you should familiarise yourself with these commands. Handy yet powerful.

1. show xlate, show xlate detail - display NAT translations and their details
2. show connection, show connection detail - display details of the connections built in the firewall
3. show service-policy - display inspection policies
4. show local-host 192.168.1.1 - display translation, AAA and connection information
5. show asp drop - show the number of packets dropped...

Cisco Router as DNS Server Demonstrates Functional Aggregation

Did you know that a sufficiently new Cisco router can be a DNS server? Apparently this functionality is not that new (dating from 2005), but I did not hear of it until I saw the article Cisco Router: The Swiss Army Knife of Network Services. I think this is a good example of what I may start calling "functional aggregation," whereby features previously provided on separate servers are collapsed to one box. I know others call that "convergence," but that term applies to so many topics (voice + video + data, etc.) that I'll use FA here. It doesn't...

Bejtlich Joining General Electric as Director of Incident Response

Two years ago this month I left my corporate job to focus on being an independent consultant through TaoSecurity. Today I am pleased to announce a new professional development. Starting next month I will be joining General Electric as Director of Incident Response, based near Manassas, VA, working for GE's Chief Information Security Officer, Grady Summers at GE HQ in Fairfield, CT. My new boss reads my blog and contacted me after reading my Security...

Sunday, 10 June 2007

Triple-Boot Thinkpad x60s

Many years ago I thought multibooting operating systems was quite the cool thing to do. This was before VMware when my budget was tighter and so was my living space. Recently with my new laptop configuration I moved to an all-Ubuntu setup, upon which I loaded VMware Server. VMware Server had Windows XP and FreeBSD 6.2 VMs at its disposal. I've spent nearly all my time in Ubuntu, never really needing to turn to Windows or FreeBSD for desktop work.

With...

Saturday, 09 June 2007

PowerLite S4 Multimedia Projector

This week I taught TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, SC. I enjoyed teaching the class, especially since several students were repeat customers. Two were even alumni from classes I taught at Foundstone five years ago! Because the cost of renting a projector and screen from the hotel (and even from rentacomputer.com) seemed outrageous, I decided to buy my own. I purchased an Epson PowerLite S4 Multimedia Projector and Da-Lite 72263 Versatol Tripod Screen 70"x70" Matte White with Keystone Elim for use in...