Wednesday, 05 April 2006

Note on RSS and Atom Feeds

Several times per month I get emails saying I've made a change to this blog's RSS or Atom feeds. I assure you I will post a message here notifying you of any changes I make. Throughout the history of this blog I have made zero changes to these feeds. Any changes you see are the result of tinkering by Feedburner (for RSS) and/or Blogger/Blogspot (for Atom). In many cases there is nothing I can do about any problems you encounter. I suggest notifying Feedburner or Blogger/Blogspot when something happens you don't like. Thank you.

Tuesday, 04 April 2006

How Not to Administer Important Systems

Courtesy of SANS NewsBites (link will work shortly) I learned of a router or switch crash that shut down the San Francisco Bay Area Rapid Transit District (BART). According to the article:

BART officials promised Thursday to thoroughly investigate why technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute.

"The bottom line is we shouldn't have worked on it (during service hours)," BART spokesman Linton Johnson said.

No kidding. They're lucky the trains stopped running rather than keep running -- into each other.

"The network switch was not supposed to get overloaded," Johnson said. "It is not supposed to crash. But we shouldn't have been working on (the computer system) while trains were running."

Johnson described the technicians who caused the crash as conscientious workers who were frustrated by problems caused by the installation of new software on Monday and Tuesday. The software upgrade is intended to be more reliable and secure and to allow BART to limit problems instead of having them affect the entire system.

"We had some folks who have a long record of installing (software) components correctly and are proud of having very few problems," Johnson said. "When they had two, they wanted to get them fixed as soon as possible. It was a rush to do the right thing."

"Rush" is an ingredient in a recipe for disaster, despite the desire "to do the right thing." This is why frameworks like IT Infrastructure Library (ITIL) emphasize Service Management over cowboy administrative practices.

Security Vendor Spin

I worked at Foundstone when the infamous Fortune magazine article accused our company of software license abuses. We took this line from the article, "one of the best-known U.S. computer-security companies," and put it on the back of T-shirts we wore to Black Hat in 2003.

Now I see the following in an email from Sourcefire:

We're sorry you missed the Sourcefire Federal Seminar in Washington!

However, it's not too late to come see the intrusion detection and prevention technology that the Committee on Foreign Investment in the United States (CFIUS), the Department of Defense, and the FBI felt was too valuable to be owned by a foreign company.

Funny!

Sunday, 02 April 2006

Support OpenSSH Development

Do you use OpenSSH? I use it on every Unix system I own. I decided to answer the call to support OpenSSH development in two ways.

First, I ordered a CD set of the upcoming OpenBSD 3.9 distribution. That was $45 + $4 shipping.

Second, I donated $51 through PayPal for direct support of OpenSSH.

I figured that since I sent $100 to Colin to support FreeBSD, I'd send $100 to OpenBSD as well. Would you (or your company) consider doing the same? Thank you.

Support FreeBSD Security Coding

I just learned that Colin Percival, FreeBSD Security Officer and author of FreeBSD Update and Portsnap, is asking for donations:

I'm hoping to raise $15,000 Canadian (about US$13,000) to pay me to work full-time on FreeBSD for 16 weeks over the summer. This will allow me to devote more time to my role as FreeBSD Security Officer, perform a complete overhaul of FreeBSD Update, and make some significant improvements to Portsnap.

Specifically regarding FreeBSD Update:

Users will be able to update their World, Kernel(s), and Source code separately; this will make FreeBSD Update more usable by people with custom kernels... Non-i386 architectures will be supported... AMD64 builds will happen first, while other platforms will depend upon demand and the availability of build hardware... The update-building will be on hardware managed by the FreeBSD Security Team and other team members will be able to start builds; this will allow FreeBSD Update to (finally) be officially supported by the project.

I've been using FreeBSD Update for the last 2 1/2 years and Portsnap since November 2004. I couldn't imagine keeping FreeBSD up-to-date without these tools.

I just donated $100 to support Colin's work. I would ask any readers who use FreeBSD, FreeBSD Update, or Portsnap to consider making a donation. Thank you!

Friday, 31 March 2006

March 2006 (IN)SECURE Magazine Posted

Issue 1.6 (March 2006) (.pdf) of (IN)SECURE Magazine is now available for download. This is a great online magazine that covers a wide variety of security topics. Consider submitting an article.

Controlling Bots with Steganography

My friend John Ward posted a discussion of controlling bots with steganography:

So basically, all this does is open a Bitmap file, decode the steganography message, and pass the resulting message to the protocol class for handling. More sophisticated techniques can be employed, and steganography has grown as a field, so different graphics formats, MP3 files, or even specially encoded HTML headers can contain the message.

This deviates from the traditional botnet where the client connects to an IRC channel or some other central media to receive commands in real time. In this method, the attacker loses real-time response and gains stealth. With a reasonable interval of time set for the clients, the attacker can have their nefarious commands executed in a short amount of time.

By combining this code with some disguised distribution method, let's say an image thumbnail browser for an online graphics catalog, the program can be distributed widely, and its online image-grabbing behavior would never be suspected until the mass traffic adding to a DDoS attack came from the client machine. And even if it were, your normal Net-Sec analyst would only see an image file and have no clue that the image file contained a steganography-encoded message.

Neat idea John -- is anyone seeing this in the wild?