Tuesday, 29 January 2008

PIX/ASA Finesse 7.1 & 7.2 Privilege Escalation

I was trying to get into admin mode without the enable password during a penetration test and I came across a post by Terry where he describes a design flaw in the PIX/ASA Finesse Operating System, version 7.1 and 7.2. Well, it was possible to escalate a normal level 0 user to a level 15 privilege user. The exploit is simple and it only works locally, at the console and remotely with Telnet. However, do note that it will NOT work if SSH, TACACS or Radius is implemented in the firewall. Below are the steps. 1. Login with your user level 0 account....

TSA Lessons for Security Analysts

In the past I've run several security teams, such as the Air Force CERT's detection crew and the MSSP division of a publicly traded company. In those positions I was always interested in assessing the performance of my security analysts. The CNN article TSA tester slips mock bomb past airport security contains several lessons which apply to this domain. Jason, a covert tester for the Transportation Security Administration, has been probing airport...

From Linux to FreeBSD with Depenguinator 2.0

If you read Colin Percival's blog you will notice he posted a message about Depenguinator 2.0. This is a method to convert a Linux system to FreeBSD remotely. Colin tested the script using Ubuntu 7.10. I have a few Red Hat 8.0 systems and one or more Fedora Core 4 systems that I would like to convert to FreeBSD 7.0. I tried using Depenguinator 2.0 to convert a test CentOS 5.1 system to FreeBSD 7.0, but I ran into multiple problems. These included...

Monday, 28 January 2008

NoVA Sec Meeting 1930 Thu 31 Jan 08

I was determined to start 2008 right by having a NoVA Sec meeting in January. Thursday night is our last chance, but thanks to last-minute coordination with Dowless and Associates we have a meeting location. The next NoVA Sec meeting will take place 1930 Thursday 31 January 2008 at Dowless and Associates: 13873 Park Center Rd., Suite 450, Herndon, VA 20171. Devin will speak and demo his One Laptop Per Child (OLPC) box. Our host is requesting a list of names...

Sunday, 27 January 2008

Is Jerome Kerviel Hacking?

If you read the headline of today's Washington Post story French Bank Says Trader Hacked Computers you might get the impression that Société Générale trader Jerome Kerviel is some kind of shellcoding ninja, Web 2.0 JavaScript samurai, or at the very least a script kiddie who can run Metasploit with the best of the certified ethical hackers. The truth of the matter is probably mixed. Kerviel is most likely a fraudster who took advantage of trading...

Saturday, 26 January 2008

Corporate Digital Responsibility

I've started listening to the Economist Audio Edition on my iPod while running. Last week I listened to a special report on Corporate Social Responsibility. I was struck by the language used and issues discussed in the report. Here are a few excerpts. First, from Just good business: Why the boom [in CSR initiatives]? For a number of reasons, companies are having to work harder to protect their reputation — and, by extension, the environment in which...

Thursday, 24 January 2008

Review of The Best of FreeBSD Basics Posted

Amazon.com just posted my four star review of The Best of FreeBSD Basics by Dru Lavigne. From the review: In mid-2004 I reviewed Dru Lavigne's book BSD Hacks, which I really enjoyed. 3 1/2 years later I am pleased to say that Dru's latest book, The Best of FreeBSD Basics (TBOFB), is another excellent resource for FreeBSD users. I really wish this book had been available in 2000 when I started using FreeBSD! If you are a beginner to intermediate FreeBSD...

Sunday, 20 January 2008

Review of Time Based Security Posted

Amazon.com just posted my three star review of Time Based Security by Winn Schwartau. From the review: Time Based Security (TBS) was largely written 10 years ago. The author gave me a copy about 3 years ago at a security conference. What's remarkable about the concept of TBS is that it was as relevant 10 years ago as it is today. The "risk avoidance" idea and "fortress mentality" described in TBS are as prevalent in this decade as they were in the...

More on 2008 Predictions

In Predictions for 2008 I included the following: 3) Expect increased awareness of external threats and less emphasis on insider threats. Maybe this is just wishful thinking, but the recent attention on botnets, malware professionalization, organized criminal cyber enterprises, and the like seems to be helping direct some attention away from inside threats. This may be premature for 2008, but I expect to see more coverage of outsiders again. Today...

Saturday, 19 January 2008

Thoughts on Oracle Non-Patching

Thanks to SANS Newsbites (probably the best weekly security round-up around) for pointing me to the story Two-thirds of Oracle DBAs don't apply security patches. They are all citing this Sentrigo press release, which I will quote directly: Sentrigo, Inc., an innovator in database security software, today announced survey results indicating that most Oracle database administrators do not apply the Critical Patch Updates (CPUs) that Oracle issues on...

Is This For Real?

I'm not sure if this is real: CIA Admits Cyberattacks Blacked Out Cities: The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout... Paller said that Donahue presented him with a written statement that read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities,...

Friday, 18 January 2008

2008 Predictions Panning Out

Almost one month ago I wrote Predictions for 2008. They included 2) Expect greater military involvement in defending private sector networks. and 4) Expect greater attention paid to incident response and network forensics, and less on prevention. Relevant to number 2, today I read Intelligence Chief Proposes Wide Cyber Surveillance, which says: US National Intelligence Director says government should be able to tap all email, file transfers, and Web...

Review of Security Power Tools Posted

Amazon.com just posted my four star review of Security Power Tools by a team of authors, mostly from Juniper. From the review: I am probably the first reviewer to have read the vast majority of Security Power Tools (SPT). I do not think the other reviewers are familiar with similar books like Anti-Hacker Toolkit, first published in 2002 and most recently updated in a third edition (AHT3E) in Feb 2006. (I doubt the SPT authors read or even were aware of AHT3E.) SPT has enough original material that I expect at least some of it will appeal to many...

Thursday, 17 January 2008

Reminder: Bejtlich Teaching at Black Hat DC 2008 Training

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics....

Snort Frequently Asked Questions Podcast Posted

About a month ago I recorded a podcast for SearchSecurityChannel.com. It's a series of frequently asked questions. SSC is for the "channel," which means "vendors," but everything in the podcast applies to Snort operators. You should be able to reach the podcast via this link. Note that when I recorded the podcast we didn't know that Emerging Threats would be replacing Bleeding Threa...

Tuesday, 15 January 2008

Web Attacker Toolkit

Sorry for the lack of updates. Been roaming around for the past 2 months and felt a little lazy in updating my blog. I was reading news on the internet today and I read something about a hacking toolkit that was able to compromise thousands of webservers and that caught my attention. Well, apparently the tool called the "Web Attacker Toolkit" can be bought from the Russian hacking group called Inex-Lux for a cheap price. All unpatched IE and Firefox browsers can be compromised, with a trojan silently being installed into the local PC without user...

Monday, 14 January 2008

Unposted Review: Network Security Assessment 2nd Ed

I wrote a 4 star review of the first edition of Network Security Assessment by Chris McNab in May 2004. I read the second edition and tried to post a three star review at Amazon.com. Unfortunately, Amazon.com would not let me post a new review because I reviewed the first edition. Therefore, here is my review: In May 2004 I reviewed the first edition of Network Security Assessment (NSA1). Almost four years later, the second edition (NSA2) is basically the same book. This makes sense, given the majority of the action in digital security...

Thursday, 10 January 2008

Defensible Network Architecture 2.0

Four years ago when I wrote The Tao of Network Security Monitoring I introduced the term defensible network architecture. I expanded on the concept in my second book, Extrusion Detection. When I first presented the idea, I said that a defensible network is an information architecture that is monitored, controlled, minimized, and current. In my opinion, a defensible network architecture gives you the best chance to resist intrusion, since perfect...

How can a blog reader find competent operations personnel?

I received the following question from a blog reader. I am interested in hearing what you think. I'm team lead for a small private-sector security operations team. We are fortunate that we have a reasonably interesting and attractive work environment, readily available financial resources, and a relatively manageable event load. We've been trying to hire a mid to senior level analyst position for at least a year now, and have been having absolutely...

Monday, 07 January 2008

Happy 5th Birthday TaoSecurity Blog

Today, 8 January 2008, is the fifth birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2087 posts (averaging 417 per year !?!) later, I am still blogging. My pace has slowed during the last few months, mainly because I have been spending more time reading in my off hours. I have also found less really gripping security events to report. I try not to jump on the...

Sussy McBride Shouts: I got hacked

Thanks to Sensepost for reporting this story last month. They describe an advisory published by Charles Miller and Dino Dai Zovi whereby arbitrary characters in Second Life are digitally mindjacked and robbed. By walking on "land" owned by an attacker, and having Second Life configured to automatically display video, a victim's avatar and computer can be exploited via the November 2007 Quicktime vulnerability. In the YouTube video you can see...

Review of Virtual Honeypots Posted

Amazon.com just posted my five star review of Virtual Honeypots by Niels Provos and Thorsten Holz. From the review: It's fairly difficult to find good books on digital defense. Breaking and entering seems to be more exciting than protecting victims. Thankfully, Niels Provos and Thorsten Holz show that defense can be interesting and innovative too. Their book Virtual Honeypots is your ticket for deploying defensive resources that will provide greater...

Snort Report 12 Posted

My 12th Snort Report titled Snort Frequently Asked Questions is posted. From the start of the article: Service provider takeaway: Snort isn't perfect. In this tip, service providers will learn the answers to frequently asked questions about Snort's usage and limitations. In this edition of the Snort Report, I address some of the questions frequently asked by service providers who are users or potential users of Snort. I say "potential users" because...

Bejtlich Interviews

Taking a look at posts from the last year, I realized I forgot to mention a few events. First, Kai Roer wrote a security profile of me using a question-and-answer format. Second, Chris Byrd posted an interview with me that covers different ground. Finally, TechTarget and Addison-Wesley asked me to read a portion of my book Extrusion Detection, specifically the beginning of chapter 2. It is listed as the February 5, 2007 feature in their 2007...

Sunday, 06 January 2008

No More Tiger Team?

You may have already heard about Tiger Team on the former Court TV (now TruTV), but I finally watched both episodes this weekend on my TiVo. I liked the "WWJD40D", "Core Impact", and "I am an Infosec Sellout" T-shirts. I especially liked the injection of time-based security into the jewelry heist scenario, where the tiger team was slowed by 15 minutes because they tried brute-forcing a keypad lock. I contacted several PR reps at TruTV and asked...

Thursday, 03 January 2008

Reminder: Bejtlich Teaching at Black Hat DC 2008 Training

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics....

Private Eyes Again

In May 2006 I wrote Avoid Incident Response and Forensics Work in These States after reading a great article by Mark Rasch about states requiring some digital forensics consultants to have private investigator licenses. One of my colleagues pointed me to a new article titled http://www.baselinemag.com/article2/0,1540,2242720,00.asp by Deb Radcliff. From the article: Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed...