Saturday, 31 January 2009

Upgrading FreeBSD Packages

In my last post I discussed upgrading from FreeBSD 7.0 to 7.1. In this post I'll mention packages that needed to be updated. In the last post I showed two installed packages using the native pkg_info command.

neely# pkg_info
cdrtools-2.01_6     CD/CD-R[W] and ISO-9660 image creation and extraction tools
dvd+rw-tools-7.0    DVD burning software

At this point I could have used pkg_delete to remove them, and added the newest packages via pkg_add. Because...

Upgrading FreeBSD 7.0 to 7.1

My last post on upgrading FreeBSD was Updating FreeBSD 7.0-BETA2 to 7.0-BETA3. In this post I'll describe how I migrated a test install of FreeBSD 7.0-RELEASE #0 to FreeBSD 7.0-RELEASE-p7 #0, and then from there to FreeBSD 7.1-RELEASE #0. Here's what I started with.

neely# uname -a
FreeBSD neely.taosecurity.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

To update...

Friday, 30 January 2009

Advice to Bloggers

Recently a blog reader asked two questions as he started his own new blog:

1. Do you think I should stick to just one topic? i.e. Digital Forensics?

2. Do you think blogging is a good way to learn more about a topic of interest, or should you only blog about a topic you already know a lot about?

I addressed some of these issues in my post Why Blog?, but I'll add the following. I recommend writing about a handful of topics, but stick to topics within a...

Northrop Grumman's Timothy McKnight on Security

Ken Bradley sent me a link to Northrop Grumman's Timothy McKnight on Security and Identity Management by Katherine Walsh of CSO Magazine. It's an older article but I liked this part:

CSO: Can you tell me about the formation of the Cyber Threat Analysis Intelligence Group and its role at Northrop Grumman?

McKnight: That team's focus is on the nation-state threat, which the DoD is now terming the "advanced persistent threat." These are well resourced,...

Virtualized Network Security Monitoring Platforms

Yesterday a blog reader asked:

Looking back at previous blogs, notably http://taosecurity.blogspot.com/2005/12/network-monitoring-platforms-on-vmware.html, I see that you have, in your classes, used VMs to run your network monitoring tools from. Have you progressed this idea into a production environment, or do you still feel that running tools in this configuration, be they on a Linux host or not, would still be too much of a compromise?

The scenario...

Raffy Marty Teaching Security Visualization

Raffy Marty, author of Applied Security Visualization, is teaching a Security Visualization and Log Analysis Workshop at SOURCEBoston on 9-10 March. Raffy's a great instructor and this is the first class I've seen on the topic. Check it out!

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rat...

Monday, 26 January 2009

Why Network Taps

My colleagues and I are spending some time justifying the installation of network taps, instead of using SPAN ports, to gain access to network traffic. This is an old discussion. See my Dec 07 post Expert Commentary on SPAN and RSPAN Weaknesses and Net Optics' page Tap vs SPAN. For a different perspective see Scott Haugdahl's Is Spanning Bad? and Is RSPAN Bad?. I'm using the following points when discussing the situation.

Taps free SPAN ports for...

Saturday, 24 January 2009

DC BSDCon 2009 Registration Reminder

Recently I posted that I will be speaking at DC BSDCon 2009, on 6 February 2009. I'll be discussing something about Network Security Monitoring that applies to FreeBSD. As a reminder, registration ends 31 Jan 09 (next Saturday) and is limited to the first 150 attendees.

Sunday, 18 January 2009

Reader Questions: Internal or External MSSP

Another reader asked the following:

As I am doing research for building a security operations center, one of the things I am being asked to do is compare building things internally versus having an MSSP take on certain network monitoring functions. There is the suggestion that it is less expensive and more desirable to have an MSSP provide monitoring services for firewall and IDS devices. In addition, the thinking is that the MSSP should provide log...

Reader Questions on Network Security Monitoring

A regular blog reader and Network Security Monitoring practitioner sent me these questions last month, so I'd like to answer them here.

1. Are all alert data created equal?

This question originates with my employment at an MSSP where we process many types of alert data from Dragon IDS, Cisco IPS and ISS. Snort and Sourcefire strangely are underrepresented. My question is if Dragon IDS, Cisco IPS, ISS, Snort and Sourcefire all looked at the same full-content...

Contract BSD Associate-or-better FreeBSD Sys Admin

I am looking to hire a FreeBSD system administrator, with BSD Associate or better experience, for long-term contract work. My team operates a small number of Network Security Monitoring (NSM) sensors running FreeBSD and open source tools. We plan to expand our sensor deployment from the low double digits to the high double digits, and perhaps the low triple digits. The ideal candidate will be able to examine our current deployment and suggest...

Friday, 16 January 2009

Integrity Attacks Begin as Mistakes

Last year I wrote First They Came for Bandwidth, where I described a progression through three attack types:

First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid-1990s and monetized later via extortion.

Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990s and monetized as personally identifiable...

Thursday, 08 January 2009

Happy 6th Birthday TaoSecurity Blog

Today, 8 January 2009, is the 6th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2339 posts (averaging 390 per year) later, I am still blogging. I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially...

Monday, 05 January 2009

Metasploit 3.2 on Windows XP

I've been an infrequent yet admiring user of Metasploit for about four years, but I've never tried it on Windows. It strikes me as being something I "just shouldn't do," like running Nmap on Windows or (shudder) Snort on Windows. However, while preparing labs for my upcoming class, I thought I would give version 3.2 a try. It worked very well, at least for the simple test I ran.

After installing the .exe and launching the new app, I saw this window:

I...

Recommendation for an Introduction to Unix

A regular blog reader asked me for recommendations on books to learn Unix, and which Unix to learn. I still remember asking my "Unix and Solaris Fundamentals" instructor in 1997 to recommend a book on Unix for me. I thought I would share my response here.

I think, as a beginner, you have to decide what you want to learn. I'll try to keep this description generic yet answer the reader's question. The person who asked the question requested an emphasis...

IPv6 Tunnel on Windows XP Using Freenet6

Almost two years ago I described testing IPv6 using Freenet6 on FreeBSD. This morning I decided to try the same on Windows XP and document the process here.

I needed to use a tunnel method like Freenet6 because the test host is behind NAT. First, visit go6.net and click "Free IPv6 Connectivity with Freenet6". Register yourself a user account. To install on my Windows XP SP3 32-bit system I downloaded "Gateway6 Client 6.0-BETA4 Windows Installer...

Friday, 02 January 2009

BGPMon On Illegitimate Route Announcement

In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent. Yesterday I received a more personalized alert from BGPMon:

You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php
====================
WithDraw of More Specific (Code: 23)
2...

Thursday, 01 January 2009

Predictions for 2009

I better get with the program and post my 2009 predictions before any more of the new year slips by. I plan to build on my Predictions for 2008 in Hindsight and add a few new thoughts.

Expect greater government involvement in assessing the security of private sector networks. I wasn't inventing this a year ago, and I'm not inventing it now. I'm extrapolating from a trend line. My post Letters You Will Need to Know: 201 CMR 17.00 is just the latest...

Predictions for 2008 in Hindsight

In late 2007 I posted Predictions for 2008, my first foray into the world of prognostication. I'd like to review what I said to see how those ideas panned out.

Expect greater government involvement in assessing the security of private sector networks. This is happening but not to the extent I expected. I predict more of this in 2009.

Expect greater military involvement in defending private sector networks. This also started to happen, as noted in...