Tuesday, 25 August 2009

Draft Version of New Keeping FreeBSD Applications Up-To-Date

This is a follow-up to my recent post Draft Version of New Keeping FreeBSD Up-To-Date. I updated the draft Keeping FreeBSD Up-To-Date document at http://www.taosecurity.com/kfbutd7.pdf to include new sections on building a kernel and userland on one system and installing on another, and upgrading from one major version of FreeBSD to another via binary upgrades (e.g., 7.1 to 8.0 BETA3, since that just became available). I have also published another...

SANS WhatWorks in Incident Detection Summit 2009 Web Site Active

The Web site for the SANS WhatWorks in Incident Detection Summit 2009 is live. I created a rough agenda to provide an idea of the structure of the two-day event. I am still working on speakers but I will probably have too few slots to accommodate all the people I would like to appear! As I secure speakers for the event I will submit them to SANS so they can update the Web site. The registration link is also active. Thanks to those of you who posted...

Saturday, 22 August 2009

Draft Version of New Keeping FreeBSD Up-To-Date

Four years ago I wrote an article titled Keeping FreeBSD Up-To-Date. The goal was to document various ways that a FreeBSD 5.2 system could be updated and upgraded using tools from that time, in an example-driven way that complemented the FreeBSD Handbook. I decided to write an updated version that starts with a FreeBSD 7.1 RELEASE system and ends by running FreeBSD 7.2-STABLE. Sections include:

Sections:
---------
Introduction
FreeBSD Handbook
The Short...

Friday, 21 August 2009

Renesys Blog on Routing Vulnerabilities

I've been writing about the routing infrastructure monitoring company Renesys for several years. James Cowie's post Staring Into the Gorge contains some real gems:

Here We Go Again.

Imagine an innocent BGP message, sent from a random small network service provider's border router somewhere in the world. It contains a payload that is unusual, but strictly speaking, conformant to protocol. Most of the routers in the world, when faced with such a message,...

New Must-Read Blog Series from Mike Cloppert

Mike Cloppert has started a series of posts on security intelligence on the SANS Forensics Blog. Part 1 includes multiple worthwhile definitions, and Part 2 follows with a great, correct explanation of risk and its components. Keep your eyes on his section of the blog for at least three more posts. Awesome work Mi...

Thursday, 20 August 2009

Updating FreeBSD Using CVSup through HTTP Proxy

If you've used CVS before, you know that CVS doesn't play well with HTTP proxies. I was looking for a way to run cvsup on FreeBSD behind a proxy when I found a post on the FreeBSD China mailing list. It described using Proxychains with Desproxy to tunnel CVS over a SOCKS proxy through HTTP. Here's how I followed the instructions in my lab environment. First I installed Proxychains from the FreeBSD port. You can see my HTTP proxy is 172.16.2.1 port...

Three Free Issues of BSD Magazine in .pdf Format

Karolina at BSD Magazine wanted me to let you know that she has posted three free .pdf issues online. The three cover FreeBSD, OpenBSD, and NetBSD. Apparently BSD Magazine has survived a publishing scare and will continue for the foreseeable future. I may also have an article for FreeBSD out so...

Tuesday, 18 August 2009

Hakin9 04/2009 Issue

I just received a review copy of the 04/2009 Hakin9 magazine. I am most interested in reading part two of Tyler Hudak's article on automating malware analysis. Cartsen Kohler's article on exploiting Windows via printer drivers looks interesting too. Check it o...

Friday, 14 August 2009

Manga Guide to Statistics vs Statistics in a Nutshell

I took statistics classes twice in undergrad (once during the normal school year, a second time during a summer program at another school), and once during my master's program. That was so long ago that I don't remember a lot of what I had to learn. Recently review copies of two books arrived, namely The Manga Guide to Statistics by Shin Takahashi and Trend-pro Co., Ltd and Statistics in a Nutshell by Sarah Boslaugh and Dr. Paul A. Watters. Both...

GE Is Hiring in Michigan

In June in this post I linked to a speech that GE's CEO gave in Michigan. We're hiring about 1,200 people over the next few years, and the jobs are already appearing at gecareers.com. One of the jobs posted requests an IT Project Manager - Information Technology (Security). This candidate would work in a sister unit to our GE-CIRT doing Identity and Access Management (IAM). If this job looks interesting, please check it out. As other roles...

Thursday, 13 August 2009

Attack Models in the Physical World

A few weeks ago I parked my Ford Explorer (It's not a clunker!!) in a parking garage. On the way out I walked by the pipe shown in the picture at left. It looks like a pipe for carrying a fluid (water maybe?) "protected" by a metal frame. I think the purpose of the cage is pretty clear. It's deployed to prevent drivers from inadvertently ramming the pipe with their front or rear car bumpers. However, think of all the "attacks" for which it...

Review of The Myths of Security Posted

Amazon.com just posted my three star review of The Myths of Security by John Viega. From the review:

Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However,...

Incident Detection Mindset

Often you will read or hear about a "security mindset," but this is frequently an "offensive security mindset." This attitude is also called a "breaker" mindset, described in my old post On Breakership. The offensive security mindset means looking at features of the physical or digital worlds and reflexively figuring out ways to circumvent their security or lack of security. Johnny Long is one example of a person with this mindset -- pretty much...

Build Visibility In

Visibility has been a constant theme for this blog. Elsewhere I've used the phrase build visibility in to emphasize the need to integrate visibility requirements into the build and design phases of any technology project. Visibility should not be left as an afterthought. Building security in is required as well, but how can you determine how security is working if you have no visibility? Based on my experiences with technology deployments since...

Wednesday, 12 August 2009

Question on NSM Scaling

A long-time TaoSecurity Blog reader sent me the following question:

I have a question about scaling NSM in regards to large, complex enterprises that transmit countless gigabytes of data per day. Last month I interviewed for a position with a large wireless company and the hiring manager was familiar with your work, so as I attempted to extol the value of NSM and explain how I thought that NSM could benefit this organization, I was told by the hiring...

Thoughts on Security Careers

Several recent blog posts have discussed security careers. I'll start with Anton Chuvakin's post A Myth of an Expert Generalist:

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang...

Tuesday, 11 August 2009

Securing Digital Content: Part I

I will post no code for this blog entry so that I can answer the question of a friend of mine: How does a normal person take reasonable steps to safeguard sensitive digital content in this day of repeated sophisticated intrusions, penetrations, institutionalized hacking and institutionalized snooping? This is a long subject that would require more than just one blog entry. Here are some (random or not) thoughts:

Part I: Strategies

I would answer the strategy for maintaining content security like this: (1) Assume data loss or data theft. Develop...

2009 CDX Data Sets Posted

Earlier this year I posted Thoughts on 2009 CDX. Greg Conti just sent me a notice that the West Point Information Technology and Operations Center just published, for free, their Intrusion Detection Labeled Data Sets. They include packet captures generated by NSA Red Team activity, packet captures from West Point defenders, and Snort, DNS, Web server, and host logs. This is great data. Stop using the 1999 DARPA data sets. Plea...

Friday, 07 August 2009

SANS Incident Detection Summit in DC in December

Last month I blogged about the SANS Forensics and Incident Response 2009 Summit Round-Up. I am pleased to announce that I will be working with SANS to organize a two day SANS Incident Detection Summit in DC in December. I am working on a preliminary agenda that includes two major themes: network-centric detection and host-centric detection. The Summit will include keynotes, practitioner briefings, tool briefings, vendor briefings, and panels....

Review of IPv6 Security Posted

Amazon.com just posted my five-star review of IPv6 Security by Scott Hogg and Eric Vyncke. From the review:

I've read and reviewed three other books on IPv6 in the last four years: IPv6 Essentials, 2nd Ed (IE2E) in September 2006, Running IPv6 (RI) in January 2006, and IPv6 Network Administration (INA) in August 2005. All three were five-star books, but they lacked the sort of attention to security that I hoped would be covered one day. IPv6 Security...

Wednesday, 05 August 2009

Blast from the Past

So why a picture of me in uniform from 2000? The answer lies in this article published last month titled Air Force Network Operations begins migration to centralized e-mail, network services:

The Air Force Chief of Staff Gen. Norton Schwartz signed a directive memorandum here recently granting the Air Force Network Operations commander centralized order-issue authority over the operation, defense, maintenance and control of Air Force networks.

As...

Monday, 03 August 2009

Parsing Vista Firewalls: Part V

When combined with cmd.exe, you can populate a Log Parser query file with cmd.exe variables. The datagrid output of Log Parser allows for "pretty" display. The chart output requires a licensed copy of the MS Chart output DLL. A little knowledge of SQL takes you quite a long way with Log Parser.

:: must delete "#Fields" from pfirewall.log first for correct field parsing.
@echo off
set field=%1
set filename=%2
echo SELECT %field%, COUNT(*) > OrderByFieldGroupByCount.sql
echo...

Saturday, 01 August 2009

Parsing Vista Firewall: Part IV

Microsoft's logparser.exe uses SQL query syntax to parse many different log formats. Vista's firewall log most closely resembles a TSV log file format. However, it takes some work with logparser.exe to get the correct parameters, as shown below. The third or 'header' row needs the word "#Fields" removed from the file for accurate field recognition.

LogParser "SELECT * FROM 'pfirewall.log' WHERE ( action = 'ALLOW' AND protocol = 'UDP' AND path = 'RECEIVE' AND src-ip <> '127.0.0.1' ) " -i:TSV -iSeparator:spaces -fixedSep:OFF -nSkipLines:3

Filename...