Friday, 27 July 2007

Goodbye AIA

A friend from my AFCERT days left a comment indicating that the 33 IOS split into two different squadrons, the 33 NWS (the old AFCERT) and the 91 NWS. This prompted me to look at the organizational structure of my old Air Force units. I realized that last month what used to be Air Intelligence Agency is now Air Force Intelligence, Surveillance and Reconnaissance Agency, according to this story. AFISR now works as a field operating agency for AF/A2,...

Basic Cisco Switches Auditing Guidelines

1. Always use VLANs to create collision domains to limit broadcast traffic. Remember that VLAN1 is the admin VLAN used for administrative purposes; avoid using VLAN1 so that hackers cannot plug into unused ports and communicate with the rest of the network.
2. Avoid using autotrunking mode. Dynamic Trunking Protocol allows VLAN-hopping attacks, where hackers are able to communicate in various VLANs. Assign the trunk interface to a native VLAN other than VLAN 1.
3. Make sure Spanning Tree Protocol is mitigated from attacks. Enable portfast,...

Thursday, 26 July 2007

Bejtlich Interviewed by TSSCI Blog

Marcin Wielgoszewski interviewed me for his TSSCI Blog. He asked me about my start in security, how to be a good analyst, and concerns for the future. Thanks to Marcin for asking solid questio...

Tuesday, 24 July 2007

Remote Command Exec (FireFox 2.0.0.5)

These days, I am reading about web application hacking and trying out several different things. I happened to stumble across xs-sniper's page and read his post on owning most major browsers. It appears that there is a problem with Cross Application Browser Scripting, where a flaw in the URI handling behavior allows for remote command execution. Be sure to check out his post below: http://xs-sniper.com/blog/remote-command-exec-firefox-2005/ The Hacka ...

Enterprise Visibility Architect

Last month in Security Application Instrumentation I wrote: Right now you're [developers] being taught (hopefully) "secure coding." I would like to see the next innovation be security application instrumentation, where you devise your application to report not only performance and fault logging, but also security and compliance logging. This is a forward-looking plea. In the meantime, we are stuck with numerous platforms, operating systems, applications,...

Recent CVS Changes

This is a note for myself, so if you're looking for uber-security insights today, please skip this post. If you do stick with me and you can suggest ways to do this better, please share your comments. Earlier this year I posted TaoSecurity CVS at Sourceforge and Committing Changes to CVS. Since posting my Sguil on FreeBSD scripts at TaoSecurity Sourceforge I needed to make a few changes. The system hosting my original files suffered a lightning...

Friday, 20 July 2007

Review of XSS Attacks Posted

Very shortly Amazon.com should post my four star review of Cross Site Scripting Attacks: XSS Exploits and Defense. Observe that no one (Amazon.com, Syngress) displays the actual cover for this book on their Web sites. From the review: XSS Attacks earns 4 stars for being the first book devoted to Cross Site Scripting and for rounding up multiple experts on the topic. The authors are synonymous with attacking Web applications and regularly share their vast expertise via their blogs and tools. However, XSS Attacks suffers the same problems found...

Glutton for ROI Punishment

My previous posts No ROI? No Problem and Security ROI Revisited have been smash hits. The emphasis here is on "smash." At the risk of being branded a glutton for ROI punishment, I present one final scenario to convey my thoughts on this topic. I believe there may be some room for common ground. I am only concerned with the Truth as well as we humans can perceive it. With that, once more unto the breach. It's 1992. Happy Corp. is a collaborative advertisement writing company. A team of writers develops advertisement scripts for TV. Writers...

Thursday, 19 July 2007

Managing and Monetizing Victims

I'd like to briefly point you to two must-read articles, if you haven't seen them already. First, the Honeynet Project published Fast-Flux Service Networks. Basically, intruders have introduced availability and load balancing features into their bot networks by quickly changing the IP addresses of redirectors pointing to back end servers (a technique called "single flux"). They may also rapidly change the IP addresses of the authoritative domain name servers (called "double flux") to further complicate identifying and shutting down bot nets....

Thanks Chr1stian, Google Store flaw?

The other night I was talking to Chr1stian about XSS and Google. We were chatting and suddenly the topic got more and more interesting. But anyway, Chr1stian is really a kind soul and a very nice person to talk with. He taught me a lot of things which I didn't understand and guided me slowly through each step. Thank you Chr1stian for your patience; I can say that now I understand at least 90% of what you taught me. We were also talking about how security doesn't make money, about flaws in Google, and about how Google did not correct most of the holes that were reported...

Wednesday, 18 July 2007

NoVA Sec and NoVA BUG

This is a quick note for those of you in the northern Virginia area. I am working on meetings for NoVA Sec and NoVA BUG (BSD Users Group). Please check out the most recent posts at each site for details and consider joining one or both groups. I'd like to grow our informal memberships so we have more potential speakers, especially on the BSD side. I keep posts about Sec and BUG to a minimum here because it's a geographically-based topic. Thank y...

Review Posted Plus NAC

July's been a great month for controversy on this blog, so I thought I would continue that theme by posting word of my Amazon.com review of Endpoint Security. Yes, I've been reading a lot, and it's been keeping me up past midnight for a few weeks. I've been intensely interested in these recent books, so staying up late has been worthwhile. Unfortunately, as you'll read in my three star review, you can skip Endpoint Security: I really looked forward...

No Undetectable Breaches

PaulM left an interesting comment on my post NORAD-Inspired Security Metrics:

...what if the enemy has a stealth plane that we cannot detect via radar, satellite, wind-speed variance, or any other deployed means? And what if your intel doesn't tell us that such a vehicle exists? Then we have potentially millions of airspace breaches every year and our outcome metrics are not helping. I'm not disagreeing with you that outcome metrics are ideally better data than compliance metrics. However, outcome metrics are difficult to identify and collect data...

Tuesday, 17 July 2007

NORAD-Inspired Security Metrics

When I was a second degree cadet at USAFA (so long ago that, of my entire class, only myself and three friends had 486 PCs with Ethernet NICs) I visited NORAD. I remember thinking the War Games set was cooler, but I didn't give much thought to the security aspects of their mission. Today I remembered NORAD and considered their mission with respect to my post last year titled Control-Compliant vs Field-Assessed Security. In case you can't tell from the pithy title, the central idea was that it's more effective to measure security by assessing...

Monday, 16 July 2007

Another Review, Another Pre-Review

Amazon.com just posted my five star review of Network Warrior: Network Warrior is the best network administration book I've ever read. I spend most of my reading time on security books, but because I lean towards network security I like reading complementary sources on protocols and infrastructure. Gary Donahue has written a wonderful book that I highly recommend for anyone who administers, supports, or interacts with networks. Network Warrior may...

The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws

Sorry for the lack of updates. Recently, I have been reading a lot of books about web hacking and RFID and neglected blogging. It's due to the nature of my work that I have to report what I do every day. However, just yesterday, I had a small chat with the author of the famous Burp proxy and realised that he published a book called "The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws". According to him, this was what he said: "Our book...

Sunday, 15 July 2007

Security ROI Revisited

One of you responded to my No ROI? No Problem post with this question:

Just read your ROI blog, which I found very interesting. ROI is something I've always tried to put my finger on, and you present an interesting approach. Question: Is it not possible to 'make' money with security, or does it still come down to savings? Example: - A hospital implements a security system that allows doctors to access patient data from anywhere. Now, instead of doing 10 patients a day they can do (and charge) 13 patients a day.

I'm not trying to sharp shoot...

Saturday, 14 July 2007

No ROI? No Problem

I continue to be surprised by the confusion surrounding the term Return on Investment (ROI). The Wikipedia entry for Rate of Return treats ROI as a synonym, so it's a good place to go if you want to understand ROI as anyone who's taken introductory corporate finance understands it. In its simplest form, ROI is a mechanism used to choose projects. For example, assume you have $1000 in assets to allocate to one of three projects, all of which have the same time period and risk.

Invest $1000. Project yields $900 (-10% ROI)
Invest $1000. Project...

Friday, 13 July 2007

Bank Robber Demonstrates Threat Models

This evening I watched part of a show called American Greed that discussed the Wheaton Bandit, an armed bank robber who last struck in December 2006 and was never apprehended. Several aspects of the story struck me. First, this criminal struck 16 times in less than five years, only once being repelled when he was detected en route to a bank and locked out by vigilant tellers. Does a criminal who continues to strike without being identified and apprehended...

Thanks for the Memories Sys Admin Magazine

David Bianco clued me in to the fact that, after 15 years, Sys Admin magazine is shutting down. (I was on the road this week and found the issue in my mail when I returned.) The August 2007 issue, pictured at left, is the last. Appropriately for the digital security community, the issue topic is Information Security. I bought my first issue of Sys Admin in the fall of 1999, at the point where I was finally coming to grips with my work at the AFCERT. I had spent the previous year-plus climbing the steep learning curve associated with becoming...

Ivan Voras FreeBSD 7 Live CD

Ivan Voras posted word on his FreeBSD development blog that he built a FreeBSD 7 LiveCD. This is part of his 2007 Google Summer of Code project, finstall, a graphical FreeBSD installer that's also a live CD. I think this is great. Booting the installer as a live CD lets a user see if FreeBSD recognizes hardware before committing to an installation. The user also gets to play with FreeBSD without making any changes to the production system. I...

Disk Usage Pages Added to NSM Wiki

I just made several additions to David Bianco's excellent Network Security Monitoring Wiki. You'll see a new Disk Usage category on the lower right side under the Collecting Data header. I added this category because I'd like to see people contribute metrics on the amount of disk space used by various tools in production environments. I created three more pages:

Snort Alerts
SANCP Session Data
Full Content Data

On each page I provided a sample methodology to collect disk usage information for each data type, and provided two examples of production...

Wednesday, 11 July 2007

Snort Report 7 Posted

My seventh Snort Report on Working with Unified Output has been posted. From the article: In the last Snort Report we looked at output methods for Snort. These included several ways to write data directly to disk, along with techniques for sending alerts via Syslog and even performing direct database inserts. I recommended not configuring Snort to log directly to a database because Snort is prone to drop packets while performing database inserts....

Are the Questions Sound?

Dan Geer, second of the three wise men, was kind enough to share slides from his Measuring Security USENIX class. If I were not teaching at USENIX I would be in Dan's class. One of the slides bothered me -- not for what Dan said, but for what was said to him. The slide is reproduced above, and the notes below: These are precisely the questions that any CFO would want to know and we are not in a good position to answer. The present author was confronted...

Tuesday, 10 July 2007

Network Security Monitoring Case Study

I received the following email from a friend. He agreed to share his story in exchange for commentary from me and fellow blog readers. I've added comments inline.

I'm now responsible for cleaning up a mid sized company perimeter defences... To be honest, at first glance the task is a daunting one, thousands of users, dozens of disparate systems and gigabits of network traffic plus as part of the enterprise support team, I have other projects...

Monday, 09 July 2007

More Engineering Disasters

I've written several times about engineering disasters here and elsewhere. Watching more man-made failures on The History Channel's "Engineering Disasters," I realized lessons learned the hard way by safety, mechanical, and structural engineers and operators can be applied to those practicing digital security.

In 1983, en route from Virginia to Massachusetts, the World War II-era bulk carrier SS Marine Electric sank in high seas. The almost...

Saturday, 07 July 2007

Yet Another Review and Pre-Review

Yes, I am on a roll. I admit to not reading every page of the book I just reviewed, however. I am not going to spend time learning about bare-metal HP-UX or AIX recoveries if I have no expertise in either subject (to check for mistakes) or desire to learn (because I do not admin either OS). Shortly Amazon.com will publish my four star review of Backup and Recovery by W. Curtis Preston. From the review: W. Curtis Preston is the king of backups,...

Friday, 06 July 2007

ARP Spoofing in Real Life

I teach various layer 2 attacks in my TCP/IP Weapons School class. Sometimes I wonder if students are thinking "That is so old! Who does that anymore?" In response I mention last year's Freenode incident where Ettercap was used in an ARP spoofing attack. Thanks to Robert Hensing's pointer to Neil Carpenter's post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat class, both of which are now officially full. Please remember that TCP/IP Weapons...

Thursday, 05 July 2007

Another Review, Another Pre-Review

Amazon.com just published my five star review of Windows Forensic Analysis by Harlan Carvey. From the review: I loved Windows Forensic Analysis (WFA). It's the first five star book from Syngress I've read since early 2006. WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA. In the mail today I received a...

Tuesday, 03 July 2007

IPSec VPN in PIX/ASA

For those of you who want to set up an IPSec VPN connection on the PIX/ASA firewall, below is a snapshot of the commands showing how to do it.

crypto ipsec transform-set hacker esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set hacker
crypto map hacker 10 ipsec-isakmp
crypto map hacker 10 match address IPSEC_hackers
crypto map hacker 10 set peer 111.111.111.111
crypto map hacker 10 set transform-set hackerZ
crypto map hacker 20 ipsec-isakmp dynamic dynmap
crypto map hacker client authentication LOCAL
crypto map hacker interface outside
isakmp...

One Review, One Pre-Review

Amazon.com just published my four-star review of Exploiting Software. From the review: I read Exploiting Software (ES) last year but realized I hadn't reviewed it yet. Having read other books by these authors, like McGraw's Software Security and Hoglund's Rootkits, I realized ES was not as good as those newer books. At the time ES was published (2004) it continued to define the software exploitation genre begun in Building Secure Software. However,...

OpenPacket.org Developments

I am happy to report that work on OpenPacket.org is back on track, thanks to a new volunteer Web application developer. Please read the rest of the story at the Openpacket.org Bl...

DNS Pinning Exposed

Christ1an wrote a very detailed article on Anti anti anti DNS Pinning, or you can call it DNS pinning. For those who are still confused or still find it complicated to understand, this article explains it with a step by step approach, with pictures attached. In it he covers the whole DNS pinning issue and how it actually works to attack a web browser. Check it out here: http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html The Hacka ...

Monday, 02 July 2007

Asset-Centric vs Threat-Centric Digital Situational Awareness

As an Air Force officer I was taught the importance of situational awareness (SA). The surprisingly good (at least for now) Wikipedia entry describes SA as "knowing what is going on so you can figure out what to do" (Adam, 1993) and knowing "what you need to know not to be surprised" (Jeannot et al., 2003). Wikipedia also mentions fighter pilots who leveraged SA to win dogfights. When applied to information security, I like to use the term digital situational awareness (DSA). In 2005 I invented the term pervasive network awareness (PNA) for my...