Sunday, 12 March 2006

Review of InfoSec Career Hacking Posted

Amazon.com just posted my two star review of InfoSec Career Hacking. This write-up is for those of you who say I don't write enough negative reviews. I was particularly upset to see 3 of the book's 12 chapters are reprints. This is a disturbing trend. Syngress is using chapters from older books as filler for new titles that can't stand on their own. From the review:

InfoSec Career Hacking (ICH) is a confused, directionless book. It's a collection of contributions by various authors, three of which were previously published. The main text never states the goal of the text, so I turned to the description on the back cover: "A technical guide to landing (and keeping) a job in the information security field... If you want to refine those skills to land a top InfoSec job and employer-funded trip to Vegas next year, you've come to the right place." It sounds like ICH wants to be a sort of employment guide for "hackers," but it ends up as a muddle of some useful original material and recycled chapters from older Syngress titles.

Friday, 10 March 2006

Reviews of Software Piracy Exposed, Phishing Exposed, Stealing the Network: How to Own an Identity, and Insider Threat Posted

Amazon.com just posted my four star review of Software Piracy Exposed. From the review:

I loved Software Piracy Exposed (SPE), despite the lack of good technical review, copyediting, and proofreading. I liked SPE because the author did original investigative reporting to gain the trust of the pirate underground. By infiltrating the scene, he brought an unprecedented level of access to the common reader. That is real threat reporting, which for me compensates for rough presentation.

Amazon.com just posted my five star review of Phishing Exposed by Lance James of Secure Science. From the review:

Phishing Exposed is a powerful analysis of the many severe problems present in Web-based activities. Phishing Exposed is another threat-centric title from Syngress. The book presents research conducted by Secure Science Corporation as a way to understand the adversary. The author demonstrates his own attacks against multiple popular e-commerce sites as a way to show how phishers accomplish their goals. I was surprised by the extent to which the author could repeatedly abuse high-profile financial sites, and for that reason I highly recommend reading Phishing Exposed.

Amazon.com just posted my four star review of Stealing the Network: How to Own an Identity. From the review:

I reviewed the first Stealing book in May 2003, and the second in September 2004. I liked the two earlier books, and the third book -- Stealing the Network: How to 0wn an Identity (STNHT0AI) -- is also a fun read. The book is most impressive when it outlines plausible scenarios for identity theft, penetrating wireless networks, and compromising Hushmail. Although some of the writing is rough, I still recommend reading this book.

Amazon.com just posted my four star review of Insider Threat. From the review:

Those who want to understand the nature of internal attackers should read Insider Threat. The book combines general recommendations to detect and thwart internal attackers with case studies discussing fraud, espionage, and other unfortunate events. Insider Threat could benefit from a tighter focus and better presentation of material, but the core message is still noteworthy.

Review of Hacking Exposed: Cisco Networks Posted

Amazon.com just posted my four star review of McGraw-Hill/Osborne's Hacking Exposed: Cisco Networks. From the review:

I've always been a fan of Osborne's Hacking Exposed books (although subjects like "Computer Forensics" don't seem to fit the spirit of the series). I previously read Wi-Foo: The Secrets of Wireless Hacking by the same authors who wrote Hacking Exposed: Cisco Networks (HECN). Comparing the two books, I agree with previous reviewer Sean E. Connelly; I think HECN was rushed to market. The book needs better technical review, proofreading, and copyediting as well. Nevertheless, I still recommend reading HECN -- it's a unique book on a critical subject.

Snort 2.6 BETA on FreeBSD

This week Sourcefire released Snort 2.4.4 and Snort 2.6 BETA. Because a ports tree freeze is in effect in preparation for FreeBSD 5.5 and 6.1, the Snort port will not be updated to 2.4.4 soon. If you want to install 2.4.4 using the ports tree, make the following changes to /usr/ports/security/snort/Makefile:

orr:/usr/ports/security/snort$ diff Makefile.orig Makefile
9,10c9,10
< PORTVERSION= 2.4.3
< PORTREVISION= 1
---
> PORTVERSION= 2.4.4
> #PORTREVISION= 1
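Review bot: the second changed line turns PORTREVISION= 1 into a comment (#PORTREVISION= 1) instead of deleting it; a commented-out PORTREVISION has no effect on the package version, and the convention when PORTVERSION is bumped is to remove the line outright so nobody later uncomments the stale value. Suggested: drop the line so the hunk adds only `> PORTVERSION= 2.4.4`.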

Make these changes to distinfo:

orr:/usr/ports/security/snort$ diff distinfo.orig distinfo
1,6c1,3
< MD5 (snort-2.4.3.tar.gz) = 5c3c8c69f2459bbe0c1f2057966c88a7
< SHA256 (snort-2.4.3.tar.gz) = 4f3aa911234a9fc4beb5ba9b0fe88f1e3af0fcbfe84d4448415f049b9791bc65
< SIZE (snort-2.4.3.tar.gz) = 2733590
< MD5 (snort-2.4.3.tar.gz.sig) = 680b271bb3fe67bd28d41d5a3886865a
< SHA256 (snort-2.4.3.tar.gz.sig) = a7fa680662124e6f95eb87b88e09a0ec7ae394f6845f4a1eada4626066da12d0
< SIZE (snort-2.4.3.tar.gz.sig) = 65
---
> MD5 (snort-2.4.4.tar.gz) = fe82febd153e121369788b3aaa05d415
> SHA256 (snort-2.4.4.tar.gz) = 9d34822e68d6c5bfd98c41f14bf9185424691824b220d70366c40f0477e9d9a7
> SIZE (snort-2.4.4.tar.gz) = 2825060
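Review bot: the replacement block drops the three snort-2.4.4.tar.gz.sig entries (MD5, SHA256, SIZE) that the 2.4.3 distinfo carried. If the port's Makefile still lists the .sig in DISTFILES, make checksum will have nothing to compare it against; either add matching entries for snort-2.4.4.tar.gz.sig or confirm the signature file is no longer fetched, so that the signature check is dropped deliberately rather than by accident.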

You can then build and install the port with 'make' and 'make install', and end up running Snort 2.4.4:

$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.4 (Build 28)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.
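Since the distinfo edit above replaces the checksums the ports tree verifies a distfile against, here is a small check in the same spirit. This is an added example, not code from the original post or from the FreeBSD ports infrastructure: it reads the SHA256 and SIZE lines for a file from a distinfo-style file and verifies a local copy, which is what 'make checksum' does before a port builds. The distfile and distinfo it constructs are stand-ins; the real snort-2.4.4 checksums from the post are not reused.

```shell
#!/bin/sh
# Added example, not from the original post or from the FreeBSD ports tree:
# verify a local distfile against the SHA256 and SIZE entries of a
# distinfo-style file, the check that "make checksum" performs before a
# port is built. Everything below is constructed; no real release is fetched.

# sha256_of FILE: print the hex digest. FreeBSD ships sha256(1), Linux
# ships sha256sum(1); support both so the check runs on either host.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# check_distinfo DISTINFO DISTFILE
# Exit status: 0 when SHA256 and SIZE both match, 1 on a mismatch,
# 2 when DISTINFO carries no entry for the file at all.
check_distinfo() {
    distinfo=$1
    distfile=$2
    name=$(basename "$distfile")
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE entry in $distinfo" >&2
        return 2
    fi
    have_sha=$(sha256_of "$distfile")
    have_size=$(wc -c < "$distfile" | tr -d ' ')
    if [ "$have_sha" = "$want_sha" ] && [ "$have_size" = "$want_size" ]; then
        echo "$name: checksum OK"
        return 0
    fi
    echo "$name: checksum MISMATCH (want $want_sha/$want_size, have $have_sha/$have_size)" >&2
    return 1
}

# Demonstration on a constructed distfile: record its checksums, verify,
# then append a byte to mimic a corrupted or substituted download.
demo() {
    work=$(mktemp -d)
    tarball="$work/snort-9.9.9.tar.gz"   # constructed name, not a real release
    printf 'constructed tarball stand-in\n' > "$tarball"
    {
        printf 'SHA256 (%s) = %s\n' "$(basename "$tarball")" "$(sha256_of "$tarball")"
        printf 'SIZE (%s) = %s\n' "$(basename "$tarball")" "$(wc -c < "$tarball" | tr -d ' ')"
    } > "$work/distinfo"
    check_distinfo "$work/distinfo" "$tarball"
    printf 'x' >> "$tarball"
    check_distinfo "$work/distinfo" "$tarball" || echo "refusing to build from an unverified distfile"
    rm -rf "$work"
}

demo
```

The point of carrying SIZE alongside the digest is the same as in distinfo: a truncated download fails fast on the cheap size comparison, and only a full-length file is worth hashing. The hashes you put into distinfo should come from the project's published values, not from whatever you just downloaded, or the check proves nothing.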

To try Snort 2.6 BETA, you'll need to follow these steps. First, you need the devel/automake19, devel/libtool15, and devel/autoconf259 ports installed.

Now check out the Snort BETA from CVS.

cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login
cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot co -r SNORT_2_6 snort
cd snort

Make the following changes to autojunk.sh:

orr:/home/richard/snort$ diff autojunk.sh.orig autojunk.sh
3,7c3,7
< libtoolize --automake --copy
< aclocal -I m4
< autoheader
< automake --add-missing --copy
< autoconf
---
> libtoolize15 --automake --copy
> aclocal19 -I m4 -I /usr/local/share/aclocal
> autoheader259
> automake19 --add-missing --copy
> autoconf259

These changes are needed because the FreeBSD ports install the autotools under version-suffixed names, as shown by the following directory listings:

# ls -al /usr/local/bin/libtoolize*
-r-xr-xr-x 1 root wheel 10784 Feb 6 04:08 /usr/local/bin/libtoolize15
# ls -al /usr/local/bin/aclocal*
-r-xr-xr-x 1 root wheel 19737 Feb 6 19:47 /usr/local/bin/aclocal19
# ls -al /usr/local/bin/autoheader*
-r-xr-xr-x 1 root wheel 8141 Feb 6 17:55 /usr/local/bin/autoheader259
# ls -al /usr/local/bin/automake*
-r-xr-xr-x 1 root wheel 222000 Feb 6 19:47 /usr/local/bin/automake19
# ls -al /usr/local/bin/autoconf*
-r-xr-xr-x 1 root wheel 7672 Feb 6 17:55 /usr/local/bin/autoconf259

You've got to make one more change, to src/dynamic-plugins/sf_engine/Makefile.am. Change the two instances of 'cp $< $@' to 'cp $? $@' as shown below.

orr:/home/richard/snort/src/dynamic-plugins/sf_engine$ diff Makefile.am.orig Makefile.am
28c28
< cp $< $@
---
> cp $? $@
31c31
< cp $< $@
---
> cp $? $@
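Review bot: `$?` is not a synonym for `$<`: it expands to every prerequisite newer than the target, so `cp $? $@` behaves like the original only while each of these two rules has exactly one prerequisite. If either rule later gains a second prerequisite, cp will receive several source arguments and either fail or copy the wrong file. Since the rewrite is needed because `$<` is reliable only in suffix rules under BSD make, naming the source file explicitly in the two recipes is the more robust fix.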

When these changes are made, run 'sh autojunk.sh' from the snort directory. You'll see some warnings, but they are not fatal.

orr:/home/richard/snort$ sh autojunk.sh
configure.in:170: warning: underquoted definition of SN_CHECK_DECL
run info '(automake)Extending aclocal'
or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
configure.in:203: warning: underquoted definition of SN_CHECK_DECLS
configure.in:303: warning: underquoted definition of FAIL_MESSAGE
/usr/X11R6/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/local/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/local/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/local/share/aclocal/ao.m4:9: warning: underquoted definition of XIPH_PATH_AO
/usr/local/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB

After that, run the following:

./configure
make
make install

Remember you'll probably want to run 'make install' as root.

When done, Snort 2.6 BETA will be installed.

orr:/home/richard/snort$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 48)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
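The edits above are easy to get wrong by hand on a fresh checkout, so here is the same procedure as a script. This is an added example, not code from the original post or from the Snort project: it rewrites autojunk.sh and sf_engine/Makefile.am with sed exactly as the two diffs above show, keeps .orig backups so the change can be diffed, checks that nothing unsuffixed survived, and then runs the autojunk/configure/make sequence. It assumes the version suffixes (libtoolize15, aclocal19, autoheader259, automake19, autoconf259) match the ports named earlier; the demo at the end works on constructed copies of the affected lines rather than a real checkout.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: apply the
# two edits the post makes to a Snort 2.6 BETA checkout with sed instead of
# by hand. Assumes the FreeBSD autotools ports installed the suffixed
# binaries (libtoolize15, aclocal19, autoheader259, automake19, autoconf259).

# rewrite_autojunk FILE: point autojunk.sh at the suffixed autotools and add
# the ports' aclocal directory, mirroring the post's diff. Keeps FILE.orig.
rewrite_autojunk() {
    sed -i.orig \
        -e 's/^libtoolize /libtoolize15 /' \
        -e 's|^aclocal -I m4$|aclocal19 -I m4 -I /usr/local/share/aclocal|' \
        -e 's/^autoheader$/autoheader259/' \
        -e 's/^automake /automake19 /' \
        -e 's/^autoconf$/autoconf259/' \
        "$1"
}

# rewrite_makefile_am FILE: change every 'cp $< $@' to 'cp $? $@' in
# src/dynamic-plugins/sf_engine/Makefile.am. Keeps FILE.orig.
rewrite_makefile_am() {
    sed -i.orig 's/cp \$< \$@/cp $? $@/' "$1"
}

# edits_applied AUTOJUNK MAKEFILE_AM: succeeds when no unsuffixed tool name
# and no '$<' survive, so the rewrite can be checked before the build starts.
edits_applied() {
    ! grep -q -e '^libtoolize ' -e '^aclocal ' -e '^autoheader$' \
              -e '^automake ' -e '^autoconf$' "$1" &&
    ! grep -q 'cp \$< \$@' "$2"
}

# build_snort26 TREE: the post's remaining steps, run from the checkout.
# The "underquoted definition" warnings from aclocal are expected and not
# fatal. 'make install' is left to the caller so it can be run as root.
build_snort26() {
    (cd "$1" &&
     rewrite_autojunk autojunk.sh &&
     rewrite_makefile_am src/dynamic-plugins/sf_engine/Makefile.am &&
     edits_applied autojunk.sh src/dynamic-plugins/sf_engine/Makefile.am &&
     sh autojunk.sh && ./configure && make)
}

# Demonstration on constructed copies of the affected lines (no checkout
# needed): apply both rewrites and show the resulting diffs.
demo() {
    work=$(mktemp -d)
    printf '%s\n' 'libtoolize --automake --copy' 'aclocal -I m4' 'autoheader' \
        'automake --add-missing --copy' 'autoconf' > "$work/autojunk.sh"
    printf '\tcp $< $@\n\tcp $< $@\n' > "$work/Makefile.am"
    rewrite_autojunk "$work/autojunk.sh"
    rewrite_makefile_am "$work/Makefile.am"
    diff "$work/autojunk.sh.orig" "$work/autojunk.sh" || true
    diff "$work/Makefile.am.orig" "$work/Makefile.am" || true
    edits_applied "$work/autojunk.sh" "$work/Makefile.am" && echo "edits applied"
    rm -rf "$work"
}

demo
```

On a real checkout, call `build_snort26 /home/richard/snort` (or wherever cvs put the tree) and then run 'make install' as root yourself; the .orig files left behind let you diff what was changed before you commit to the build.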

Let us know how you find Snort 2.6. Thank you to Steven Sturges from Sourcefire for getting this to work for me!

Wednesday, 08 March 2006

Improved Bridging for Monitoring in FreeBSD

FreeBSD developer Christian S.J. Peron wrote to me about two commits that improve support for bonding interfaces for use with network taps. He writes:


Let's say that you have a GigE copper tap, and you have the two monitor cables coming into the FreeBSD network analyzer on interfaces em0 and em1. You can aggregate the two links into one logical bridge interface to monitor them:

ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 up
tcpdump -i bridge0

This basically turns em0 and em1 into switch ports. If you want to use this bridge specifically to aggregate one or more network interfaces and pass the packets off to BPF and return, then you can turn off the bridging functionality.

ifconfig bridge0 monitor

This prevents the bridge code from looking up which port a certain hardware address is attached to, or broadcasting packets out all ports in the event it doesn't know. Essentially, it short-circuits the bridging code, which saves a number of mutex acquisitions and list traversals, reducing the load.

We have done this in places which use firewall clusters, i.e. 2 or 3 different PIX firewalls running VRRP:

ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 addm em2 addm em3 addm em4 addm em5 up monitor

snort -i bridge0

This way, snort works regardless of which firewall has failed over. The bridge is in monitor mode, so it's not actually trying to TX packets out the other interfaces, it just passes the packets it receives to BPF and returns.


This is neat. We won't see it in FreeBSD 6.1, but probably in 6.2. Before 6.2, these features will appear in STABLE.

Binary Upgrade of FreeBSD 5.4 to 6.0

Yesterday I took control of a system running FreeBSD 5.4. I wanted to upgrade it to FreeBSD 6.0. I considered using cvsup to upgrade the userland and kernel, but I wanted an easier way. I also wanted to end up with a completely GENERIC system that would work well with freebsd-update.

I decided to follow Colin Percival's FreeBSD 5.4 to FreeBSD 6.0 binary upgrade instructions. This process worked flawlessly. I am not going to repeat the steps here, but I will point out a few details.

In step 2 of his process, Colin uses freebsd-update to create a base-modified file. Mine had these contents:

# cat base-modified
/.cshrc
/boot/defaults/loader.conf
/boot/kernel/kernel
/boot/kernel/linker.hints
/etc/group
/etc/hosts
/etc/manpath.config
/etc/master.passwd
/etc/motd
/etc/passwd
/etc/pwd.db
/etc/shells
/etc/spwd.db
/etc/ttys
/root/.cshrc
/usr/share/man/cat1/crontab.1.gz
/usr/share/man/cat1/tcpdump.1.gz
/usr/share/man/cat1/uname.1.gz
/usr/share/man/cat8/ifconfig.8.gz
/usr/share/man/whatis
/var/db/locate.database
/var/log/auth.log
/var/log/cron
/var/log/debug.log
/var/log/lastlog
/var/log/maillog
/var/log/sendmail.st
/var/log/wtmp
/var/run/utmp

The three /boot entries are associated with this system running a modified 5.4 kernel. I did not want to preserve those changes. I did want to preserve all of the changes to files in /etc, as those are important -- password files and the like. I did not care about changes to files in /usr. I preserved the files in /var that related to logs.

I decided to make a new version with these contents.

# cat base-modified.final
/.cshrc
/etc/group
/etc/hosts
/etc/manpath.config
/etc/master.passwd
/etc/motd
/etc/passwd
/etc/pwd.db
/etc/shells
/etc/spwd.db
/etc/ttys
/root/.cshrc
/var/log/auth.log
/var/log/cron
/var/log/debug.log
/var/log/lastlog
/var/log/maillog
/var/log/sendmail.st
/var/log/wtmp
/var/run/utmp
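The pruning of base-modified described here is a judgment call that is easy to lose track of on the next upgrade, so here is the same policy as a script. This is an added example, not from the original post and not part of freebsd-update: each path is classified with a reason, anything no rule covers is flagged for review rather than silently dropped, and the kept entries are written out in the same one-path-per-line format freebsd-update produced. The rules are this example's reading of the author's two lists above.

```shell
#!/bin/sh
# Added example, not from the original post and not part of freebsd-update:
# reproduce the author's pruning of base-modified as a repeatable policy.
# The rules below are this example's reading of the post's before/after
# lists: drop the /boot entries (the modified 5.4 kernel), drop /usr and
# /var/db (replaced or regenerated by the upgrade), keep /etc, the shell rc
# files, logs and login accounting, and flag anything unexpected.

# classify_path PATH: print "keep <reason>", "drop <reason>" or
# "review <reason>" for one base-modified entry.
classify_path() {
    case $1 in
        /boot/*)              echo "drop modified 5.4 kernel/loader, reinstall GENERIC" ;;
        /usr/*)               echo "drop 6.0 userland replaces it" ;;
        /var/db/*)            echo "drop database regenerated after upgrade" ;;
        /etc/*)               echo "keep configuration and account files" ;;
        /.cshrc|/root/.cshrc) echo "keep shell startup files" ;;
        /var/log/*)           echo "keep log file" ;;
        /var/run/utmp)        echo "keep login accounting" ;;
        *)                    echo "review no rule for this path" ;;
    esac
}

# filter_base_modified < base-modified > base-modified.final
# Writes the kept paths to stdout; drop/review decisions go to stderr so
# the operator sees exactly what the upgrade will overwrite.
filter_base_modified() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        decision=$(classify_path "$path")
        case $decision in
            keep*) printf '%s\n' "$path" ;;
            *)     printf '%-7s %s (%s)\n' "${decision%% *}" "$path" "${decision#* }" >&2 ;;
        esac
    done
}

# unreviewed_paths < base-modified: print only the entries no rule covers,
# so a new list can be inspected before the filter is trusted on it.
unreviewed_paths() {
    while IFS= read -r path; do
        case $(classify_path "$path") in review*) printf '%s\n' "$path" ;; esac
    done
}

# Demonstration on a subset of the author's base-modified list.
demo() {
    input='/.cshrc
/boot/defaults/loader.conf
/boot/kernel/kernel
/etc/group
/etc/master.passwd
/usr/share/man/whatis
/var/db/locate.database
/var/log/auth.log
/var/run/utmp'
    echo "--- kept (base-modified.final) ---"
    printf '%s\n' "$input" | filter_base_modified
}

demo
```

Run it as `filter_base_modified < base-modified > base-modified.final 2> base-modified.dropped` and read the dropped file before continuing with the upgrade; a "review" line there means the machine has a locally modified file the policy has never seen, which is exactly the case you want to decide consciously rather than let freebsd-update overwrite.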

In step 14, Colin recommends recompiling all installed ports. I decided to simply pkg_delete all of them. I will add back new packages when the upgrade process is finished.

After following Colin's directions, I ended up with a system running FreeBSD 6.0 RELEASE. I was able to use freebsd-update to apply binary updates of the kernel and userland. I did all of this remotely over OpenSSH. Very cool -- thanks Colin!

Monday, 06 March 2006

Public NSO Class Planned 13-16 June 2006

TaoSecurity is proud to offer its only scheduled public Network Security Operations class of 2006 with consultant, author, and teacher Richard Bejtlich.

This four day class, normally presented only to private government, military, and commercial groups, will be taught personally by Mr. Bejtlich from 13-16 June 2006 at the Nortel Government Solutions facility in Fairfax, VA. Students will learn network security monitoring, incident response, and forensics in a hands-on environment that combines lecture with lab work.


Class fees:


  • Register by 1 April 2006: $2395/student

  • Register by 1 May 2006: $2595/student

  • Register by 1 June 2006: $2795/student


ISSA Chapter members receive a 10% discount on registration.


This class only seats 20 students -- register today by contacting Richard via email: richard at taosecurity dot com.


Details of each day's events can be downloaded from www.taosecurity.com/training.html.