Posts

Showing posts from March, 2007

Help Johnny Long Go to Uganda

Long-time readers of my blog know I severely limit the number of non-technical stories I write here. I've probably written less than a dozen in over four years. This one definitely deserves to be posted, however. I shook hands with Johnny Long at ShmooCon last week, but we didn't get a chance to chat. If you don't know Johnny Long, you haven't paid attention to the scene during the last few years! In short, Johnny invented Google hacking, and he's one of the nicest guys you could meet at a security conference. Today I received an email from Johnny stating that he and his wife Jen are flying to Uganda in May to do missionary work. He's working for AIDS Orphans Education Trust. In his usual low-key manner, he's asking for help. He didn't specifically ask people outside of his email addressees to help, but I figure there are a lot of people who could contribute a few dollars to help defray the costs he and his wife must bear to fly and live in Ugan

Full Content Monitoring as a Wiretap

I received the following question today: When installing Sguil, what legal battles have you fought/won about full packet capture and its vulnerability to open records requests from outside parties? I am getting concerns, from various management, regarding the legal ramifications of the installation of a system similar to Sguil in the state government arena. Do you have any advice for easing their worries? I know how important full data capture is to investigating incidents, and I consider it of paramount importance to the security of our state that we do so. Are there any legal precedents that can be cited? Before I say anything else it is important to realize I am not a lawyer, I don't play one on YouTube, and I recommend you consult your lawyer rather than listen to anything I might say. With that out of the way, I have written about wiretaps a few times before. Let me get these generic wiretapping issues out of the way before addressing the question specifically. Understand

Threat Deterrence, Mitigation, and Elimination

A comment on my last post prompted me to answer here. My thesis is this: a significant portion, if not the majority, of security in the analog world is based on threat deterrence, mitigation, and elimination. Security in the analog world is not based on eliminating or applying countermeasures for vulnerabilities. A vulnerability-centric approach is too costly, inconvenient, and static to be effective. Consider the Metro subway in DC, pictured above. There are absolutely zero physical barriers between the platform and the trains. If evil attacker Evelyn were so inclined, she could easily push a waiting passenger off the platform into the path of an arriving train, maiming or killing the person instantly. Why does this not happen (regularly)? Evelyn is presumably a rational actor, and she is deterred by vigilante justice and the power of the legal system. If she killed a Metro passenger in the state of Virginia she would probably be executed herself, or at the very least spend

Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it? With the release of TJX's 10-K to the SEC all news sources are discussing the theft of over 45 million credit cards from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from this disaster. It's important to remember that TJX is a victim, just as its customers are victims. The real bad guys here are the criminals who compromised TJX resources and stole sensitive information. TJX employees may be found guilty of criminal negligence, but that doesn't remove the fact that an unauthorized party attacked TJX and stole sensitive information. Unfortunately I believe the amount of effort directed

VMware Server 1.0.2 on Ubuntu 6.10

Previously I documented installing VMware Workstation 6 Beta on my Thinkpad x60s. I decided to uninstall Workstation and install VMware Server 1.0.2. I should have used the vmware-uninstall.pl script, but even without using it directly I managed to remove the old Workstation installation without real trouble. Running Server on Ubuntu 6.10 (desktop) required me to add a few packages. I found Martti Kuparinen's installation guide very helpful. I had to add the following packages to ensure a smooth Server installation.

sudo apt-get install xinetd
sudo apt-get install libX11-dev
sudo apt-get install xlibs-dev

I did not have to install linux-kernel-headers. I was really impressed that Martti provided a patch for two scripts that did not work correctly out of the box. When I applied the patch I was able to start VMware's Web server and access it via my browser.

richard@neely:/tmp$ wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
--13:52:24-- http://users.piuha.

Mesh vs Chain

When Matasano Chargen suggested reading Nate Lawson's blog, I immediately added it to my Bloglines collection. Today I read Building a Mesh Vs a Chain and Mesh Approach vs Defense-in-Depth. Nate's basic premise is this: When explaining the desired properties of a security system, I often use the metaphor of a mesh versus a chain. A mesh implies many interdependent checks, protection measures, and stopgaps. A chain implies a long sequence of independent checks, each assuming or relying on the results of the others. With a mesh, it's clear that if you cut one or more links, your security still holds. With a chain, any time a single link is cut, the whole chain fails. He explains why mesh != defense-in-depth: A commenter suggested by email that the mesh concept in my previous post is very similar to defense-in-depth. While they are similar, there are some critical differences that are especially important when you apply them to software protection. Defense-in-depth comes fr

Security Operations Fundamentals

Last year I wrote: Marcus [Ranum] noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want! You might be wondering about the digital security equivalent to eating less, eating good food, and exercising regularly. Addressing that subject adequately would take more than this blog post, but I want to share the steps I use as a consultant when encountering a new client's enterprise. You'll notice that these steps fit nicely within Mike Rothman's Pragmatic CSO construct. These are a little more specific and focused because I am not acting as a Chief Security Officer when I work as a consultant. Instrument sample ingress/egress points. What, monitor first? That's exactly right. Start collecting NSM data immediately (at

Ayoi on the Importance of NSM Data

At my ShmooCon talk I provided a series of case studies showing the importance of Network Security Monitoring data. The idea was to ask how it would be possible to determine if an IDS alert represented a real problem if high-quality data didn't exist. Alert management is not security investigation, and unfortunately most products and processes implement the former while the latter is truly needed. I noticed that Ayoi in Malaysia posted a series of blog stories showing his investigative methodology using NSM data and Sguil (Not Only Alert Data parts I, II, and III). These posts demonstrate several alerts and compare data available via an alert management tool like BASE versus a security investigation tool like Sguil. I am glad to see these sorts of stories because they show how people in the trenches do their jobs. I have yet to meet an analyst -- someone responsible for finding intrusions -- who rejects my methods or the need for collecting NSM data. Almost everyone who ar

SANS Software Security Institute

Today I attended a free three-plus-hour seminar offered by the new SANS Software Security Institute. This is part of SANS dedicated to software security. I recommend reading their press release (.pdf) for the full scoop, but basically SANS is introducing a Secure Programming Skills Assessment, additional training (eventually), and a certification path. Other people will summarize the program, so I'd like to share a few thoughts from the speakers at today's event. Michael Sutton from SPI Dynamics said that the idea of assembling a team of security people to address enterprise vulnerabilities worked (more or less) for network and infrastructure security because the team could (more or less) introduce elements or alter the environment sufficiently to improve their security posture. The same approach is not working and will not work for application security because addressing the problem requires altering code. Because code is owned by developers, the security team can

Manipulating Packet Captures

While capturing traffic at Hack or Halo I realized the timestamps on the packets were off by one hour. Apparently I didn't patch this infrequently used Hacom box for the recent DST change. I captured traffic using Sguil's log_packets.sh script, which uses Snort to write a new full content trace every hour. For the first round of the contest, the script produced two traces. I combined them using Mergecap, bundled with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ mergecap -w shmoocon_hack_rd1.pcap snort.log.1174770982 snort.log.1174773600

The Capinfos program accompanying Wireshark summarizes the new trace:

richard@neely:/var/tmp/shmoocon2007$ capinfos shmoocon_hack_rd1.pcap
File name: shmoocon_hack_rd1.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 719534
File size: 155340234 bytes
Data size: 143827666 bytes
Capture duration: 4587.056482 seconds
Start time: Sat Mar 24 17:17:41 2007
End time: Sat Mar 24 18:34:08 2007
Data rate: 31355.11 bytes/s
Data r
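The two Wireshark tools used above (mergecap to combine the hourly Snort traces, capinfos to summarize the result) operate on the libpcap file format, and the one-hour DST error is a fixed offset on every record's timestamp, which is exactly the kind of thing you want to correct before sharing a trace or correlating it with other evidence. The following is an added example, not code from the post or from Wireshark: a pure-Python reader and writer for the classic little-endian microsecond libpcap format that merges traces chronologically (mergecap's default), applies a timestamp offset (+3600 s for the missed DST hour), and produces a capinfos-style summary. The two input traces are constructed in memory, so nothing on the page is read or modified.

```python
"""Merge libpcap traces in time order and shift every timestamp by a fixed offset.

Added example, not code from the original post. It reimplements in pure Python
the two steps the post performs with Wireshark's command-line tools (mergecap,
capinfos) and adds the correction the post's one-hour DST error calls for:
shifting each record's timestamp by an offset. Sample traces are constructed
in memory; no real capture is read.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4             # little-endian libpcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Parse one little-endian libpcap file into (linktype, [(ts_sec, ts_usec, bytes), ...])."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic 0x%08x (only LE usec pcap handled)" % magic)
    records, off = [], GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, pkt))
    return linktype, records


def write_pcap(linktype, records, snaplen=65535):
    """Serialise records into a libpcap file (orig_len == incl_len, as for an unsliced capture)."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, pkt in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def merge_and_shift(traces, offset_sec=0):
    """Merge traces chronologically (mergecap's default) and add offset_sec to every timestamp."""
    linktype, merged = None, []
    for data in traces:
        lt, recs = read_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("link-layer types differ; mergecap would refuse these too")
        merged.extend(recs)
    merged.sort(key=lambda r: (r[0], r[1]))      # timestamp order across all inputs
    shifted = [(ts_sec + offset_sec, ts_usec, pkt) for ts_sec, ts_usec, pkt in merged]
    return write_pcap(linktype if linktype is not None else LINKTYPE_ETHERNET, shifted)


def summarize(data):
    """capinfos-style summary; times are epoch seconds (capinfos renders them in local time)."""
    _, recs = read_pcap(data)
    if not recs:
        return {"packets": 0, "data_bytes": 0}
    first = recs[0][0] + recs[0][1] / 1e6
    last = recs[-1][0] + recs[-1][1] / 1e6
    return {
        "packets": len(recs),
        "data_bytes": sum(len(p) for _, _, p in recs),
        "start_sec": recs[0][0],
        "end_sec": recs[-1][0],
        "duration_sec": round(last - first, 6),
    }


def build_sample_traces():
    """Two constructed traces whose packets interleave in time (not real captures)."""
    frame = b"\xaa" * 60                           # placeholder frame; contents do not matter here
    trace_a = write_pcap(LINKTYPE_ETHERNET, [(1000, 0, frame), (1002, 500000, frame)])
    trace_b = write_pcap(LINKTYPE_ETHERNET, [(1001, 250000, frame), (1003, 0, frame)])
    return trace_a, trace_b


if __name__ == "__main__":
    a, b = build_sample_traces()
    print(summarize(merge_and_shift([a, b], offset_sec=3600)))  # +3600 s: the missed DST hour
```

Shifting timestamps after the fact is fine for a trace you control, but record the offset you applied alongside the file; once the sensor clock is fixed, later traces will not need it, and an unexplained hour gap between two traces is itself a question an analyst will ask.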

ShmooCon 2007 Wrap-Up

ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.) I also left right after Bruce Potter's introductory comments on Friday afternoon. If it hadn't been for the NoVA Sec meeting I scheduled Friday at 1230, I probably would have only attended Saturday's sessions. I heard Avi Rubin's 7 pm keynote was good, and I would have liked to watch Johnny Long's talk. Otherwise I thought spending time with my family was more important. That leaves Saturday. I spent the whole day at ShmooCon, from the first talk to the end of Hack or Halo

Blogging from ShmooCon Hack or Halo

So much for my lousy camera phone. That's my best attempt to show Sguil monitoring traffic at the ShmooCon Hack or Halo contest. I plan to share the network traffic from the hacking contest when I get the opportunity. Thanks to WXS and the ShmooCon crew for letting me attach a sensor to the network.

Taking the Fight to the Enemy

ShmooCon started today. ShmooCon leader Bruce Potter finished his opening remarks by challenging the audience to find anyone outside of the security community who cares about security. I decided to take his idea seriously and I thought about it on the Metro ride home. It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence. Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.) We do not have the power or authority to remove threats, so we can't decrease risk by lowering the attacks against our assets. (Threat mitigation is the domain of law enforcement and the military.) We can only address vulnerabilities, but unless we develop the asset ourselves we're stuck with whatever security the vendor provided. I would like to hear if anyone can imagine another realm of human endeavor where the asset owner

Wireless Ubuntu on Thinkpad x60s

I'm used to doing everything manually when running wireless FreeBSD on older laptops. Running Ubuntu has shielded me from some of the command-line configuration I used to perform on FreeBSD. Linux uses different commands for certain tasks. My new laptop also has a different chipset from my old laptop, so I wanted to see if I could get Kismet working on it. If I want to find wireless networks via the command line I use this command.

richard@neely:~$ sudo iwlist eth1 scan
eth1      Scan completed :
          Cell 01 - Address: 00:13:10:65:2F:AD
                    ESSID:"shaolin"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:1
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=76/100  Signal level=-58 dBm  Noise
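The iwlist output above is meant for eyes, not scripts, but the fields a site survey cares about (BSSID, ESSID, channel, signal, whether a key is required, and whether a WPA/RSN information element was advertised) are regular enough to pull out. The following is an added example, not code from the post or from the wireless-tools package: a parser for `iwlist <iface> scan` output that flags open networks and distinguishes key-on cells that advertised a WPA/WPA2 IE from those that did not (on iwlist that difference is how you tell WPA from WEP). The sample text is constructed: its first cell copies the page's scan result as far as the page shows it, and the other two cells are invented for illustration.

```python
"""Parse `iwlist <iface> scan` output and flag open networks.

Added example, not code from the original post or from wireless-tools.
The sample scan text is constructed for illustration.
"""
import re

_CELL = re.compile(r"Cell\s+\d+\s+-\s+Address:\s*([0-9A-Fa-f:]{17})")
_ESSID = re.compile(r'ESSID:"(.*?)"')
_CHANNEL = re.compile(r"Channel:(\d+)")
_KEY = re.compile(r"Encryption key:(on|off)")
_SIGNAL = re.compile(r"Signal level=(-?\d+)\s*dBm")
_WPA_IE = re.compile(r"IE:.*WPA")   # iwlist prints "IE: WPA Version 1" or "IE: IEEE 802.11i/WPA2 Version 1"


def parse_iwlist_scan(text):
    """Return one dict per cell with bssid, essid, channel, signal_dbm and a security label."""
    parts = _CELL.split(text)           # [preamble, bssid1, body1, bssid2, body2, ...]
    cells = []
    for i in range(1, len(parts) - 1, 2):
        bssid, body = parts[i], parts[i + 1]
        key = _KEY.search(body)
        if key is None:
            continue                    # cell cut off before the encryption line; skip it
        if key.group(1) == "off":
            security = "open"
        elif _WPA_IE.search(body):
            security = "wpa"
        else:
            security = "wep_or_no_ie"   # key required but no WPA/RSN IE printed: WEP, or IE not shown
        essid = _ESSID.search(body)
        chan = _CHANNEL.search(body)
        sig = _SIGNAL.search(body)
        cells.append({
            "bssid": bssid.upper(),
            "essid": essid.group(1) if essid else "",
            "channel": int(chan.group(1)) if chan else None,
            "signal_dbm": int(sig.group(1)) if sig else None,
            "security": security,
        })
    return cells


def open_networks(cells):
    """Cells that require no key at all: the ones to look at first in a survey."""
    return [c for c in cells if c["security"] == "open"]


# Constructed sample. Cell 01 is the page's result as far as the page shows it;
# cells 02 and 03 are invented.
SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:13:10:65:2F:AD
                    ESSID:"shaolin"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:1
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=76/100  Signal level=-58 dBm
          Cell 02 - Address: 00:11:22:33:44:55
                    ESSID:"coffee-guest"
                    Mode:Master
                    Channel:6
                    Encryption key:off
                    Quality=40/100  Signal level=-71 dBm
          Cell 03 - Address: 00:0c:42:ab:cd:ef
                    ESSID:"lab-wpa"
                    Mode:Master
                    Channel:11
                    Encryption key:on
                    Quality=55/100  Signal level=-65 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
"""

if __name__ == "__main__":
    for c in parse_iwlist_scan(SAMPLE_SCAN):
        print(c)
```

Kismet will give you far more (hidden SSIDs, clients, probe requests), but for a quick "what is around me and which of it is open" check, piping iwlist through something like this is enough.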

Committing Changes to CVS

In my last post I set up CVS so I could upload my Sguil scripts. I decided I would document how I make changes to those scripts and commit them to CVS. First I needed to check out a copy of the scripts. I made a dev directory and will now use that for all future development.

richard@macmini:~$ export CVS_RSH=ssh
richard@macmini:~$ mkdir dev
richard@macmini:~$ cd dev
richard@macmini:~/dev$ cvs -z3 \
> -d:ext:taosecurity@taosecurity.cvs.sf.net:/cvsroot/taosecurity checkout -P \
> taosecurity_sguil_scripts
taosecurity@taosecurity.cvs.sf.net's password:
cvs checkout: Updating taosecurity_sguil_scripts
U taosecurity_sguil_scripts/README
U taosecurity_sguil_scripts/sancp
U taosecurity_sguil_scripts/sguil_client_install.sh
U taosecurity_sguil_scripts/sguil_database_install_pt1.sh
U taosecurity_sguil_scripts/sguil_database_install_pt2.sh
U taosecurity_sguil_scripts/sguil_sensor_install.sh
U taosecurity_sguil_scripts/sguil_sensor_install_patch.sh
U taosecurity_sguil_scripts/sguil_se

TaoSecurity CVS at Sourceforge

For a while I've maintained a set of fairly lame scripts for automating installation of certain Sguil components on FreeBSD. These scripts have previously been posted as .tar.gz archives in various places. Today I decided to make use of the TaoSecurity Sourceforge site I created a few months back. From now on you can access my scripts via CVS at that site. My CVS experience is minimal, although I posted some notes from Sguil a few years ago. I wanted to document how I set this up, because it was not intuitive. Thanks to Bamm for helping me via IRC. I also found this doc and this how-to helpful. I decided to maintain my local repository on macmini. I wanted to experiment with a local repository before committing anything to Sourceforge. Here I set up that local repository. I have my scripts in a directory called taosecurity_sguil_scripts. I'm going to call the CVS module taosecurity_sguil_scripts too.

richard@macmini:~$ mkdir cvsroot
richard@macmini:~$ cvs -d /home

Gconcat on FreeBSD

The last time I wanted to combine two smaller drives into a single virtual drive on FreeBSD I used Gvinum. Ceri Davies posted a helpful comment indicating I should try using gconcat(8). I did that today and thanks to an insightful piece of advice from Robert Watson, I got it working. This is what the drive looked like.

shuttle01# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ad5s1a    496M     36M    420M     8%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/ad5s1f    989M     22K    910M     0%    /home
/dev/ad5s1h     54G    4.0K     50G     0%    /nsm1
/dev/ad7s1d    361G    4.0K    332G     0%    /nsm2
/dev/ad5s1g    989M     12K    910M     0%    /tmp
/dev/ad5s1d    1.9G    531M    1.3G    29%    /usr
/dev/ad5s1e    4.8G    1.6M    4.5G     0%    /var

I want to create /dev/concat/nsm. However, if I try to do that while /nsm1 and /nsm2 are mounted I'll get errors like this:

shuttle01# gconcat label -v nsm ad5s1h ad7s1d
Can't store m

Recovering from Corrupted MySQL Database

Today one of my clients ran into a problem with his Sguil installation. The server hosting his Sguil MySQL database experienced a crash, as shown by dmesg on reboot:

Trying to mount root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted
WARNING: /home was not properly dismounted
WARNING: /nsm was not properly dismounted
WARNING: /usr was not properly dismounted
WARNING: /var was not properly dismounted

The original error message said:

ERROR: loaderd: mysqlexec/db server: Incorrect key file for table './sguildb/sancp_sensor_20070322.MYI'; try to repair it

If the sensor crashed while SANCP data was loading, it would make sense that sancp_sensor_20070322.MYI was corrupted. When trying to restart sguild, the following error appeared:

[user@sensor ~]$ ./sguild_start.sh
pid(3119) Loading access list: ./sguild.access
pid(3119) Sensor access list set to ALLOW ANY.
pid(3119) Client access list set to ALLOW ANY.
pid(3119) Adding AutoCat Rule:
pid(3119) Adding AutoCat Rule

Backscatter Detected

Recently I posted a conclusion to my backscatter investigation, where people were reporting backscatter from SYN and other DoS attacks to SANS ISC. When you monitor your own cable modem it's not common to see this sort of traffic unless you go explicitly looking for it. Today however I saw the following using Sguil.

Count:2 Event#1.204541 2007-03-20 18:04:19
BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
69.143.202.28 -> 193.109.122.67
IPVer=4 hlen=5 tos=0 dlen=40 ID=2644 flags=2 offset=0 ttl=64 chksum=58655
Protocol: 6 sport=1024 -> dport=6667
Seq=2934031229 Ack=0 Off=5 Res=0 Flags=*****R** Win=0 urp=54297 chksum=0
Payload: None.

What got my attention at first was an alert indicating my host (possibly some box behind my NAT gateway) appeared to initiate a connection to port 6667 TCP (IRC) on an IP that was a "Known Bot" IP for command and control. Looking at the packet data in the alert and seeing the RST flag, I guessed this wasn't a proble
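The packet in that alert is a bare reset: only the RST bit set (Snort and Sguil print TCP flags in the order 1 2 U A P R S F, so `*****R**` is RST alone), Ack=0, Win=0, no payload. Per RFC 793 a host that receives an unsolicited segment carrying ACK (a SYN/ACK, for instance) answers with exactly that: a RST whose sequence number is the incoming ACK value and which itself carries no ACK bit. That is what a SYN-flood victim's SYN/ACKs provoke when your address was spoofed as the flood's source, and it is why a "my host talked to a bot C&C server" alert can be nothing of the sort. The following is an added example, not code from the post or from Sguil: it parses the alert text as shown above into fields, decodes the flag string, and separates a bare reset (likely backscatter) from a real outbound SYN, which is the case that would deserve the Sguil investigation the post describes. The first sample is the page's alert re-typed; the second is a constructed SYN variant of it. The local address used for the "which side is mine" decision is taken from the alert itself.

```python
"""Classify Sguil/Snort alert packets: bare RST (probable backscatter) versus real SYN.

Added example, not code from the original post or from Sguil. Parsing is
driven by the field names Sguil prints in its packet detail pane as shown
on the page; PAGE_ALERT is that alert re-typed, SYN_ALERT is constructed.
"""
import re

# Snort/Sguil flag string: one character per bit in this order, '*' when unset.
FLAG_ORDER = "12UAPRSF"   # CWR, ECE, URG, ACK, PSH, RST, SYN, FIN

_IP_PAIR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3})")
_FLAGS = re.compile(r"Flags=(\S{8})")          # capital F: the TCP flags, not the IP "flags=2"
_PAYLOAD = re.compile(r"Payload:\s*(.*)")
_INT_FIELDS = {
    "sport": re.compile(r"sport=(\d+)"),
    "dport": re.compile(r"dport=(\d+)"),
    "seq": re.compile(r"Seq=(\d+)"),
    "ack": re.compile(r"Ack=(\d+)"),
    "win": re.compile(r"Win=(\d+)"),
}


def parse_flags(s):
    """'*****R**' -> frozenset({'R'}); '***A**S*' -> frozenset({'A', 'S'})."""
    if len(s) != len(FLAG_ORDER):
        raise ValueError("flag string must be 8 characters: %r" % s)
    return frozenset(FLAG_ORDER[i] for i, ch in enumerate(s) if ch != "*")


def parse_sguil_alert(text):
    """Extract src/dst, ports, seq/ack, window, flags and payload from one alert block."""
    ips = _IP_PAIR.search(text)
    flags = _FLAGS.search(text)
    if not ips or not flags:
        raise ValueError("not a TCP alert block (no 'a -> b' address pair or Flags= field)")
    pkt = {"src": ips.group(1), "dst": ips.group(2), "flags": parse_flags(flags.group(1))}
    for name, rx in _INT_FIELDS.items():
        m = rx.search(text)
        pkt[name] = int(m.group(1)) if m else None
    m = _PAYLOAD.search(text)
    payload = m.group(1).strip() if m else ""
    pkt["payload"] = None if payload in ("", "None", "None.") else payload
    return pkt


def tcp_verdict(pkt):
    """Coarse label for what kind of segment this is."""
    f = pkt["flags"]
    if f == {"S"}:
        return "syn"                       # a genuine connection attempt
    if f == {"S", "A"}:
        return "synack"                    # second step of a handshake, or backscatter if unsolicited
    if "R" in f and pkt["payload"] is None:
        return "bare_rst"                  # a refusal; no session existed on this side
    if "A" in f and pkt["payload"] is not None:
        return "data"                      # an established session carrying bytes
    return "other"


def backscatter_likely(pkt, local_ip):
    """True when the packet looks like our stack answering (or receiving) an unsolicited segment.

    RFC 793: a RST sent in reply to a segment that carried ACK has no ACK bit itself,
    hence Ack=0. Confirmation still needs session data: if there is no earlier SYN
    from local_ip to the remote port, the remote side started it.
    """
    v = tcp_verdict(pkt)
    if pkt["src"] == local_ip and v == "bare_rst" and "A" not in pkt["flags"] and pkt["ack"] == 0:
        return True
    if pkt["dst"] == local_ip and v == "synack":
        return True
    return False


PAGE_ALERT = """Count:2 Event#1.204541 2007-03-20 18:04:19
BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
69.143.202.28 -> 193.109.122.67
IPVer=4 hlen=5 tos=0 dlen=40 ID=2644 flags=2 offset=0 ttl=64 chksum=58655
Protocol: 6 sport=1024 -> dport=6667
Seq=2934031229 Ack=0 Off=5 Res=0 Flags=*****R** Win=0 urp=54297 chksum=0
Payload: None."""

# Constructed: the same pair of hosts, but a real SYN from the local side.
SYN_ALERT = """Count:1 Event#1.999999 2007-03-20 18:05:00
BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
69.143.202.28 -> 193.109.122.67
IPVer=4 hlen=5 tos=0 dlen=48 ID=2700 flags=2 offset=0 ttl=64 chksum=1
Protocol: 6 sport=1025 -> dport=6667
Seq=1000 Ack=0 Off=7 Res=0 Flags=******S* Win=65535 urp=0 chksum=0
Payload: None."""

if __name__ == "__main__":
    for text in (PAGE_ALERT, SYN_ALERT):
        p = parse_sguil_alert(text)
        print(tcp_verdict(p), backscatter_likely(p, "69.143.202.28"))
```

The flag check only says what the packet is; it does not say what preceded it. The decision that matters, whether the local host ever sent a SYN toward port 6667 on that address, comes from the session (SANCP) and full content data Sguil keeps next to the alert, which is the point of collecting it.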

When Lawsuits Attack

I haven't said anything about the intrusions affecting TJX until now because I haven't felt the need to contribute to this company's woes. Today I read TJX Faces Suit from Shareholder: The Arkansas Carpenters Pension Fund owns 4,500 shares of TJX stock, and TJX denied its request to access documents outlining the company's IT security measures and its response to the data breach. The shareholder filed the lawsuit in Delaware's Court of Chancery Monday afternoon under a law permitting shareholders to sue for access to corporate documents in certain cases, The Associated Press reported. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data, the news agency said. Imagine having your security measures and incident response procedures laid bare for everyone to see. (It's possible there might not be anything to review!) How would your policies and procedures fare? The fol

Ubiquitous Monitoring on the Horizon

In January I wrote The Revolution Will Be Monitored. Today I read Careful, the Boss Is Watching: Recently, software vendor Ascentive LLC installed its new BeAware employee monitoring application on all the PCs at one of its new corporate clients. The corporation notified its employees that their Web surfing habits -- as well as their email, instant messaging, and application usage -- were now being monitored and recorded. "Internet usage at the corporation dropped by 90 percent almost overnight," recalls Adam Schran, CEO of Ascentive. "As soon as employees knew they were being monitored, they changed their behavior." Wow, what a bandwidth saver. Who needs to upgrade the T-3 when you actually take measures to enforce your stated security policy? The story continues: While tools for tracking employee network usage have been available for years, emerging products such as BeAware take monitoring to a whole new level. The new BeAware 6.7 lets managers track workers

Wine on Ubuntu

I'm finding more reasons to like running Ubuntu on the desktop. Two of my favorite Windows applications are MWSnap (a simple screen capture tool) and Irfanview (a simple image viewer and editor). (Gimp fans, please spare me your comments. I can't stand that program. It's a bulldozer when all I need is a garden shovel.) I poked around looking for native Linux programs that might suit my needs, but then I thought "What about using Wine to run the Windows binaries on Linux?" I'd never used Wine before, but it was only an 'apt-get install wine' away from appearing on my Ubuntu laptop. I first tried Irfanview, but I ran into the same issues as described here. After creating /home/richard/wine and putting mfc42.dll there with installation binaries for Irfanview and MWSnap, I was able to run Wine in that directory and install both programs. Wine ended up creating the following directory structure.

richard@neely:~/.wine/drive_c/Program Files$ ls -a

ShmooCon Talk

If you're attending ShmooCon this weekend you may have seen I am scheduled to speak at the same time as security ninjas Joe Stewart and Billy Hoffman. It's bad enough that people have to choose between Joe and Billy, my involvement as a third talk aside. Joe and I asked the ShmooCon organizers if it might be possible to switch me to another slot, since I would like to see Joe's talk too. Based on feedback from many of you, you also want to see Joe's talk. Unfortunately, the ShmooCon organizers did not find a way to change the schedule. This is really bad because Billy is releasing Jikto at ShmooCon, so choosing between Joe and Billy is another lousy decision. Given the feedback from you I've heard, I'm considering my options. They are: Talk at 1300 as scheduled. Give up my slot and volunteer to speak at 1200 Saturday during lunch. Give up my slot and volunteer to speak after the keynote Friday night. Other ideas? What are your thoughts on this? Is it wort

Proactive vs Reactive Security

Whenever I hear someone talk about the merits of "proactive" security vs "reactive" security I will politely nod, but you may notice a tightening of my jaw. I can't stand these sorts of comparisons. When I hear people praise proactive measures they're usually talking about "stopping attacks" rather than "watching them." Since a good portion of my technical life is spent cleaning up the messes left by people who put faith in preventing intrusions, I am a little jaded. Before I go any further, believe me, I would much rather not have intrusions occur at all. I would much rather prevent than detect and respond to intrusions. The fact of the matter is that intrusions still happen and that proactive measures aren't always that great. In fact, sometimes so-called proactive measures are worse than reactive or passive ones. How can that be? Kelly Jackson Higgins' latest article Grab Fingerprint, Then Attack provides an example.

Security Bloggers Network

I noticed security ninja and fellow former Foundstoner Mark Curphey mentioned me in a post on his departure from the Security Bloggers Network. You may wonder why I never joined SBN. When I was asked to join in December, I politely declined. I saw no benefit to myself or my readers in joining some kind of meta-feed hosted by Feedburner. Not joining SBN was probably as popular as my personal LinkedIn policy, since it means I exercise some discretion regarding the parties with whom I associate. My personal version of SBN is my Bloglines subscription. Anything I care to read is there. I probably only pay attention to 2/3 to 3/4 of the feeds on that list, so in some cases the lesser-noticed feeds are acting like bookmarks. (In other words, some of my friends may have blogs but I don't necessarily care that they trimmed their cat's toenails last weekend.) I think it's healthy to have discussions about the state of our "security community." Debate is one of

Programming and Digital Security

I received the following question recently, so I thought I would anonymize the person asking the question but post my response publicly. I have a question regarding programming languages and their relation to computer security research. I would appreciate your input on the following. In order for one to be able to "contribute" to security research, do you feel it is necessary for one to become familiar with programming languages? I am fascinated by computer security and have read several books about stages of attack, malware, and defenses but have not read any books containing any code as I do not understand it. I therefore feel as if I am of no use if I cannot write tools or examine exploits on my own. I would again really appreciate your input on this, and if you recommend learning programming languages, do you believe one can get away with knowing just one or do you feel an understanding of several is necessary (and if so, which one[s] would you suggest)? These are great q