Saturday, July 30, 2005

Notes for USENIX Security Students

In a few hours I will be teaching Network Security Monitoring with Open Source Tools at USENIX Security in Baltimore, MD. I have two items of interest for my students concerning cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir slides.

First, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 default Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real ring buffer syntax has changed. My first book, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real slide, use this syntax:

tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real -n -i -s -a duration:3600 -b 24 -w

The new syntax requires a filesize whenever -b (ring buffer mode) is invoked, like so:

tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real -n -i -s -a filesize:1000000 -a duration:3600 -b 24 -w

Also, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is a slide missing before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Trafshow screen shot. It should look like this.

ISS Pursues Lynn Presentation Copies

It looks like I spoke too soon about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Lynn affair being closed. ISS is now pursuing Web sites posting Mike Lynn's presentation. For example, Rick Forno has removed his copy of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Lynn slides after receiving a cease-and-desist letter from lawyers representing ISS. The document (.pdf), by DLA Piper Rudnick Gray Cary US LLP attorney Andrew P. Valentine features this piece of exceptional grammar:

"The posting is located on your [Forno's] website... and relates to a presentation that ISS decided not go give [sic] at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Black Hat 2005 USA Conference in Las Vegas, Nevada."

The letter also states

"On Wednesday, ISS and Cisco sued Mr. Lynn and Black Hat for claims of copyright infringement, misappropriation of trade secrets, and breach of employment agreement in connection with improper distribution of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 material. On Thursday, Judge Jeffrey White of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 United States District Court for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Norcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rn District of California issued a permanent injunction preventing furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r distribution of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 material...

We also understand that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 unlawful distribution of this information is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 subject of a federal investigation."

I wonder how ISS and Cisco will handle Web sites located outside of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 US, like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 disLEXia 3000 blog? Maximillian Dornseif makes several good points in his blog, including asking whecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 slides Lynn showed at Black Hat are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same as those now circulating on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web.

The "stipulated permanent injunction" faxed to Rick Forno contains an interesting paragraph:

"Lynn... acknowledges that ISS did not authorize him to present [his talk] and which he had notified ISS he would not present. In particular, ISS had directed no presentation or live demonstration would be made which included disassembled Cisco code and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 'pointers'. (ISS and Cisco stipulate that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had prepared an alternative presentation designed to discuss Internet security, including cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 flaw, but were informed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y would not be allowed to present that presentation at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 conference)."

I assume Jeff Moss was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 party that would not allow ISS and Cisco to present at Black Hat.

It looks like Cisco employee John Noh wrote cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 injunction?

Update: Check out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 photographs of slides from Mike's talk posted at Tom's Networking.

Friday, July 29, 2005

New Cisco Advisory and Statements

I guess we can wrap up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Cisco and ISS vs. Mike Lynn and Black Hat saga by mentioning cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new Cisco security advisory released today: IPv6 Crafted Packet Vulnerability, which states:

"(IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 device may reload or be open to furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r exploitation."

Assuming cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se details are correct -- and who knows now? -- this is not an earth-shattering discovery. However, this may have been a sample vulnerability Mike demonstrated to explain his technique. He may have picked this vulnerability because he thought it would not affect much of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet, but he needed to let people know that his technique was already in use by malicious parties.

Cisco's main security page addresses cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Lynn affair directly as well.

This Reuters article quotes Jeff Moss:

" Jeff Moss, president of Black Hat, predicted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ruling would have a dampening effect on security enthusiasts.

People will say, Why would we tell cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public about this if we're going to be sued? We're just going to post this anonymously,' he said. 'Who is going to tell Cisco about a problem now?'"

Who indeed. Good work, Cisco. You've just alienated anyone who would consider quietly approaching you with vulnerability details. You've probably also stirred up an army of independent researchers who will look for new holes in IOS.

The real tragedy is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability of all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 enterprises running Cisco gear, to include all of my clients. It's time for me to figure out better ways to monitor Cisco equipment for signs of compromise. The protected domain or boundary does not start inside your border router -- it must now include that router, as it remains at risk of direct attack. How long before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first router-based worm, I wonder?

Mike Lynn Presentation Online

Rick Forno has posted a .pdf of Mike Lynn's presentation. So much for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 removal of pages from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Black Hat books by Cisco goons! This is a pacá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365tic charade that public relations personnel and lawyers should study in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future. Cisco and ISS have handled this in exactly cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wrong way. Did cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y ever think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y could supress information at a hacker convention, of all places? Bruce Schneier has weighed in as well:

"Despite cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y say -- we won't believe cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. We know that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public-relations department handles cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir security vulnerabilities, and not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 engineering department. We know that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y think squelching information and muzzling researchers is more important than informing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public. They could have shown that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y put cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir customers first, but instead cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."

One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 comments on Bruce's blog says

"Mike's roommate just let me know that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FBI is investigating Mike and is currently seizing his stuff. Also, no one has any information on his whereabouts.

Posted by: jim at July 29, 2005 10:29 AM"

Update: FBI involvement confirmed: Wired reports Whistleblower Faces FBI Probe:

"The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical systems supporting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 internet and many networks have a serious software flaw that could allow someone to crash or take control of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 routers.

Mike Lynn, a former researcher at Internet Security Systems, said he was tipped off late Thursday night that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FBI was investigating him for violating trade secrets belonging to his former employer, ISS...

Lynn's lawyer, Jennifer Granick, confirmed that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FBI told her it was investigating her client.

Granick said, however, that she thought cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 agency was simply following through on a complaint it received when Cisco and ISS filed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 nature of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.

'The investigation has to do with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 presentation,' she said, 'but what crime that could possibly be is unknown because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y haven’t found any (evidence against him).'

She hadn't spoken with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 U.S. attorney in charge of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 investigation but said she thought it was possible that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 investigation would wind down soon for lack of evidence, now that Lynn had reached an agreement with Cisco and ISS.

'There's no arrest warrant for (Lynn) and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re are no charges filed and no case pending,' Granick said. 'There may never be. But cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y got a complaint and as a result cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y were doing some investigation.'
...
Lynn said that if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 case was not dropped, he thought it unlikely that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FBI would try to arrest him this weekend.

'I think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y got burned with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Dmitry Sklyarov case,' he said."

Mike Lynn Settles

It appears Black Hat presenter Mike Lynn has avoided personal disaster, acccording to Brian Krebs:

"Under cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 terms of a permanent injunction signed by a federal judge this afternoon, Lynn will be forever barred from discussing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 details about his research into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerabilities he claimed to have discovered in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 widely used Cisco hardware."

I recommend reading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rest of Brian Krebs' story for details.

I saw this NANOG post refer to a FrSIRT advisory, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 relevant FrSIRT page has been removed (though not without trace).

In case anyone has forgotten, I remember attending cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 presentation by FX of Phenoelit.de at Black Hat USA 2003 involving heap-based overflows in Cisco IOS. It was an extension of work he presented at Black Hat USA 2002. His Ultimaratio page has more info, and he published a Phrack article and an exploit for Cisco IOS 11.x.

Maybe Mike Lynn's mistake was working for a security company (ISS) and with a vendor (Cisco) and being a US citizen? Nothing bad happened to FX before, during, of after his presentation. Was FX's vulnerabilities considered too old to be a problem, but Mike's too recent?

I've been poking around at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Cisco Web site, and I noticed that in April and May cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y began a massive removal of old IOS images. This product bulletin 2863, Cisco IOS Software Center Update: Effective April 2005 (.pdf) outlines cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 process, and this Cisco IOS Software Center Update Q&A (.pdf) answers questions on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 clean-up. While this could have been planned well before Mike Lynn notified Cisco of his discoveries, it's also possible Cisco took steps to remove vulnerable IOS images because of his findings. Eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r way, removing old vulnerable images is an excellent idea.

Update: I found a few interesting NANOG posts by James Baldwin, who is in Las Vegas and spoke to Mike Lynn. According to Mr. Baldwin, "Lynn did not have NDA access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Cisco source." Lynn "developed this information based on publicly available IOS images. There were no illegal acts committed in gaining this information nor was any proprietary information provided for its development." Cisco had initially approved this talk. My [Baldwin's] understanding is that this has been fixed and no current IOS images were vulnerable to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 techniques he was describing. ISS, Lynn, and Cisco had been working togecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r for months on this issue before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 talk."

Finally, There was no source or proof of concept code released and duplicating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 information would only provide you a method to increase cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 severity of ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r potential exploits. It does not create any new exploits. Moreover, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fix for this was already released and you have not been able to download a vulnerable version of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 software for months however cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re was no indication from Cisco regarding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 severity of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 required upgrade. That is to say, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y knew in April that arbitrary code execution was possible on routers, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had it fixed by May, and we're hearing about it now and if Cisco had its way we might still not be hearing about it."

I guess that explains cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IOS clean-up. Lynn might have shown a way to develop exploits based on analyzing differences in IOS images. According to Cisco's End User License Agreement:

"Customer shall have no right, and Customer specifically agrees not to:...

(iii) reverse engineer or decompile, decrypt, disassemble or ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise reduce cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Software to human-readable form, except to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 extent ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise expressly permitted under applicable law notwithstanding this restriction;"

Maybe Cisco is enforcing its EULA in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most draconian method it can imagine?

Thursday, July 28, 2005

Snort 2.4 Released

Snort 2.4.0 has been released. Here are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 release notes. The obvious change in this release is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 removal of all rules from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 snort-2.4.0.tar.gz tarball. The rules are available separately. Marty assures me that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rule download page will have rules available for non-subscriber and non-registered Snort users by close of business today.

Update: All rules are available -- even those for unregistered users. Nice work Sourcefire.

Distributed Traffic Collection with Pf Dup-To

The following is anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r excerpt from my upcoming book titled Extrusion Detection: Security Monitoring for Internal Intrusions. I learned yesterday that it should be available cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last week in November, around cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 26th.

We’ve seen network taps that make copies of traffic for use by multiple monitoring systems. These copies are all exactly cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same, however. There is no way using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 taps just described to send port 80 TCP traffic to one sensor, and all ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r traffic to anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r sensor. Commercial solutions like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Top Layer IDS Balancer provide cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 capability to sit inline and copy traffic to specified output interfaces, based on rules defined by an administrator. Is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re a way to perform a similar function using commodity hardware? Of course!

The Pf firewall introduced in Chapter 2 offers cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 dup-to keyword. This function allows us to take traffic that matches a Pf rule and copy it to a specified interface. Figure 4-17 demonstrates cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 simplest deployment of this sort of system.

Figure 4-17. Simple Pf Dup-To Deployment

First we must build a Pf bridge to pass and copy traffic. Here is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 /etc/pf.conf.dup-to file we will use.

int_if="sf0"
ext_if="sf1"
l80_if="sf2"
l80_ad="1.1.1.80"
lot_if="sf3"
lot_ad="2.2.2.2"

pass out on $int_if dup-to ($l80_if $l80_ad) proto tcp from any
port 80 to any
pass in on $int_if dup-to ($l80_if $l80_ad) proto tcp from any
to any port 80

pass out on $int_if dup-to ($lot_if $lot_ad) proto tcp from any
port !=80 to any
pass in on $int_if dup-to ($lot_if $lot_ad) proto tcp from any
to any port !=80

pass out on $int_if dup-to ($lot_if $lot_ad) proto udp from
any to any
pass in on $int_if dup-to ($lot_if $lot_ad) proto udp from
any to any

pass out on $int_if dup-to ($lot_if $lot_ad) proto icmp from
any to any
pass in on $int_if dup-to ($lot_if $lot_ad) proto icmp from
any to any

To understand this configuration file, we should add some implementation details to our simple Pf dup-to diagram. Figure 4-18 adds those details.

Figure 4-18. Simple Pf Dup-To Implementation Details

First consider cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interfaces involved on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pf bridge:

  • Interface sf0 is closest to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 intranet. It is completely passive, with no IP address.

  • Interface sf1 is closest to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. It is also completely passive, with no IP address.

  • Interface sf2 will receive copies of port 80 TCP traffic sent to it by Pf. It bears cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 arbitrary address 1.1.1.79. Access to this interface by ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r hosts should be denied by firewall rules, not shown here.

  • Interface sf3 will receive copies of all non-port 80 TCP traffic, as well as UDP and ICMP, sent to it by Pf. (For cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 purposes of this simple deployment, we are not considering ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r IP protocols.) It bears cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 arbitrary address 2.2.2.1. Access to this interface by ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r hosts should be denied by firewall rules, not shown here.


Now consider cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 two sensors.

  • Sensor 1 uses its interface sf2 to capture traffic sent to it from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pf bridge. It bears cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 arbitrary IP address 1.1.1.80. Access to this interface by ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r hosts should be denied by firewall rules, not shown here.

  • Sensor 2 uses its interface sf3 to capture traffic sent to it from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pf bridge. It bears cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 arbitrary address 2.2.2.2. Access to this interface by ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r hosts should be denied by firewall rules, not shown here.


One would have hoped cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pf dup-to function could send traffic to directly connected interfaces without cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 involement of any IP addresses. Unfortunately, my testing revealed that assigning IP addresses to interfaces on both sides of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 link is required. I used OpenBSD 3.7, but future versions may not have this requirement.

With this background, we can begin to understand cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 /etc/pf.conf.dup-to file.

  • The first set of declarations define macros for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interfaces and IP addresses used in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scenario.

  • The first set of pass commands tell Pf to send port 80 TCP traffic to 1.1.1.80, which is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 packet capture interface on sensor 1. Two rules are needed; one for inbound traffic, and one for outbound traffic.

  • The second set of pass commands tell Pf to send all non-port 80 TCP traffic to 2.2.2.2, which is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 packet capture interface on sensor 2. Again two rules are needed.

  • The third and fourth set of pass commands send UDP and ICMP traffic to 2.2.2.2 as well.


Before testing this deployment, ensure Pf is running, and that all interfaces are appropriately configured and enabled. To test our distributed collection system, we retrieve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Google home page using Wget.

$ wget http://www.google.com/index.html
--10:19:50-- http://www.google.com/index.html
=> `index.html'
Resolving www.google.com... 64.233.187.99, 64.233.187.104
Connecting to www.google.com[64.233.187.99]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 1,983 --.--K/s

10:19:51 (8.96 MB/s) - `index.html' saved [1983]

Here is what sensor 1 sees on its interface sf2:

10:18:58.122543 IP 172.17.17.2.65480 > 64.233.187.99.80:
S 101608113:101608113(0) win 32768

10:18:58.151066 IP 64.233.187.99.80 > 172.17.17.2.65480:
S 2859013924:2859013924(0) ack 101608114 win 8190
10:18:58.151545 IP 172.17.17.2.65480 > 64.233.187.99.80:
. ack 1 win 33580
10:18:58.153027 IP 172.17.17.2.65480 > 64.233.187.99.80:
P 1:112(111) ack 1 win 33580
10:18:58.184169 IP 64.233.187.99.80 > 172.17.17.2.65480:
. ack 112 win 8079
10:18:58.185384 IP 64.233.187.99.80 > 172.17.17.2.65480:
. ack 112 win 5720
10:18:58.189840 IP 64.233.187.99.80 > 172.17.17.2.65480:
. 1:1431(1430) ack 112 win 5720
10:18:58.190344 IP 64.233.187.99.80 > 172.17.17.2.65480:
P 1431:2277(846) ack 112 win 5720
10:18:58.190483 IP 64.233.187.99.80 > 172.17.17.2.65480:
F 2277:2277(0) ack 112 win 5720
10:18:58.192706 IP 172.17.17.2.65480 > 64.233.187.99.80:
. ack 2277 win 32734
10:18:58.192958 IP 172.17.17.2.65480 > 64.233.187.99.80:
. ack 2278 win 32734
10:18:58.204719 IP 172.17.17.2.65480 > 64.233.187.99.80:
F 112:112(0) ack 2278 win 33580
10:18:58.232685 IP 64.233.187.99.80 > 172.17.17.2.65480:
. ack 113 win 5720

Here is what sensor 2 sees on its interface sf3.

10:18:58.089226 IP 172.17.17.2.65364 > 192.168.2.7.53:
64302+ A? www.google.com. (32)
10:18:58.113853 IP 192.168.2.7.53 > 172.17.17.2.65364:
64302 3/13/13 CNAME www.l.google.com.,
A 64.233.187.99, A 64.233.187.104 (503)

As we planned, sensor 1 only saw port 80 TCP traffic, while sensor 2 saw everything else. In this case, “everything else” meant a DNS request for www.google.com. So why build a distributed collection system? This section presented a very simple deployment scenario, but you can begin to imagine cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 possibilities. Network security monitoring (NSM) advocates collecting alert, full content, session, and statistical data. That can be a great amount of strain on a single sensor, even if only full content data is collected.

By building a distributed collection system, NSM data can be forwarded to independent systems built specially for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tasks at hand. In our example, we offloaded heavy Web surfing activity to one sensor, and sent all ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r traffic to a separate sensor.

We also split cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic passing function from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic recording function. The Pf bridge in Figure 4-18 is not performing any disk input/output (IO) operations. The kernel is handling packet forwarding, which can be done very quickly. The independent sensors are accepting traffic split out by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pf bridge. The sensors can be built to perform fast disk IO. This sort of sensor load-balancing provides a way to apply additional hardware to difficult packet collection environments.

Free Michael Lynn

Ex-ISS X-Force researcher Mike Lynn is in a world of hurt right now. Yesterday he delivered a briefing at Black Hat on Cisco security flaws. Lynn decided to resign from ISS instead of complying with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wishes of his employer and Cisco to keep his discoveries quiet. For a lot more detail, I strongly recommend reading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Brian Krebs Security Fix blog hosted by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Washington Post. Krebs is in Las Vegas and has spoken with Lynn, who "has been served with a temporary restraining order designed to prevent him from discussing any more details about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 flaw...[and] is sheduled to appear in federal district court at 8:00 a.m. Thursday." (!) I think it's time to start a Free Michael Lynn campaign to pay for his legal bills.

Update: Within this Slashdot thread is a comment by someone claiming to be Mike Lynn. Here is Cisco's statement. Also, SecurityFocus has a good article with this statement:

"Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow, two types of memory vulnerabilities. He demonstrated cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attack can be used with any serious buffer overrun or heap overflow, adding that running code on a router is a serious threat."

What is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n? Maybe this?

"During his presentation, Lynn outlined an eight step process using any known, but unpatched flaw, to compromise a Cisco IOS-based router. While he did not publish any vulnerabilities, Lynn said that finding new flaws would not be hard."

Good grief. The outcome of this situation could be very important for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future of security research.

Update 2: Here is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 relevant text on reverse engineering from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Digital Millennium Copyright Act.

Wednesday, July 27, 2005

Snort "Not Eliligible" for Zero Day Initiative

I recently wrote about TippingPoint's Zero Day Initiative (ZDI), a pay-for-vulnerabilities program. Thank you to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 poster (whom I will keep anonymous) for notifying me of this article Vendors Compete for Hacker Zero Days by Kevin Murphy. It features this quote:

"[C]ompetitors will have to sign agreements to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 effect that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will not irresponsibly disclose cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 information, and that any data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y provide to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir own customers cannot be easily reverse engineered into an attack, he [3Com’s David Endler] said.

"'Some technology based on Snort would not be eligible because Snort by its nature is open,' Endler said, referring to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 open-source IDS software. 'But cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re are products based on Snort that are closed. We’ll have to take it on a case-by-case basis.'"

This means Sourcefire will never be able to learn of ZDI vulnerabilities. Any registered Snort user can download Sourcefire VRT rules and see everything except rules younger than five days old. VRT subscribers have access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest rules immediately.

It sounds to me like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only "technology based on Snort" that would be "eligible" would be sensors provided by a managed security services provider, or sensors sold without access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 console and rule sets. Such vendors could add ZDI-inspired rules but never let users see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

I never thought for a minute TippingPoint would do anything to help Sourcefire, as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are two major competitors in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 (misnamed) IPS market.

Tuesday, July 26, 2005

Public Network Security Operations Class

I am happy to announce cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first public Network Security Operations class is tentatively scheduled for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last week in September, starting Tuesday 27 September and ending Friday 30 September. The class is tentatively scheduled to be held at Nortel PEC in Fairfax, VA. I plan to offer 13 seats to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public, at a cost of $2995 per seat.

The course offers four sections, one per day:

  1. Network Security Monitoring: cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ory, tools, and techniques to detect sophisticated intruders

  2. Network Incident Response: network-centric means to contain and remediate intrusions

  3. Network Forensics: collect, protect, analyze, and present network-based evidence to prosecute or repel intruders

  4. Live Fire Exercises: apply cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 preceding three days of skills in an all-day, all-lab environment


More information is contained in eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 color .pdf or cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 grayscale .pdf flyers.

Once I have confirmed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 location and time, I will post those details at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TaoSecurity training page.

Interested parties should email me: richard at taosecurity dot com. Once I have set up payment processing, those who pay first will receive seats first. Those who only email cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir intent to attend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 class will be contacted as alternates if paying students fail to follow through for some reason. Therefore, it is worthwhile to signal your intention to attend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 class, if you are so interested.

I look forward to seeing you in Fairfax in September!

Unable to Specify Interface for TCP Portmapper

I'm crushed. Today while working on a FreeBSD system with multiple interfaces, I noticed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 portmapper (rpcbind) listening where I didn't think it should be.

# sockstat -4 | grep rpcbind
root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*

The UDP version was listening on interface 10.0.0.1 as I expected. What was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TCP version doing listening on all interfaces? Also, what was port 1007 UDP doing?

I checked my /etc/rc.conf file to see if I had messed up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 synatx.

rpcbind_enable="YES"
rpcbind_flags="-h 10.0.0.1"

That looked ok to me. I double-checked with /etc/defaults/rc.conf.

# grep "^rpcbind" /etc/defaults/rc.conf
rpcbind_enable="NO" # Run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one.
rpcbind_flags="" # Flags to rpcbind (if enabled).

I finally looked at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 man page and clarified cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 -h switch.

-h Specify specific IP addresses to bind to for UDP requests. This
option may be specified multiple times and is typically necessary
when running on a multi-homed host. If no -h option is speci-
fied, rpcbind will bind to INADDR_ANY, which could lead to prob-
lems on a multi-homed host due to rpcbind returning a UDP packet
from a different IP address than it was sent to. Note that when
specifying IP addresses with -h, rpcbind will automatically add
127.0.0.1 and if IPv6 is enabled, ::1 to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 list.

OH NO. It only mentions UDP and not TCP. That's why I'm crushed. One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 characteristics I like about FreeBSD (and Unix in general) is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 granular control over services enabled via simple text files. I should have been able to tell both UDP and TCP rpcbind versions to listen on a specified interface. That doesn't seem possible.

Now my only alternative is to firewall cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interfaces where I do not want rpcbind to listen. That's a lousy solution in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Unix world. :(

Human Error Results in Being 0wn3d

Bill Brenner's article in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 July 2005 Information Security magazine clued me in to a press release by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Computing Technology Industry Association (CompTIA). They announced cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir third annual CompTIA Study on IT Security and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Workforce. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 press release:

"Human error, eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r alone or in combination with a technical malfunction, was blamed for four out of every five IT security breaches (79.3 percent), cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 study found. That figure is not statistically different from last year."

This study and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 2004 edition appear to be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 source for ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r reports that claim 80% of security breaches are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 result of human error. Note cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CompTIA study says "Human error, eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r alone or in combination with a technical malfunction," is to blame.

Nevercá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365less, I am not surprised by this figure. I rarely perform an incident response for an organization that is beaten by a zero day exploit in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hands of an uber 31337 h@x0r. In most cases someone poorly configures a server, or doesn't patch it, or makes an honest mistake. The fact is many IT systems are complicated, and none are getting simpler. Administrators have too many responsibilities and too few resources. They are often directed by managers who have decided to weigh "business realities" more important than security. The enterprise is not running a defensible network architecture and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 level of network awareness is marginal or nonexistent. No network security or host integrity monitoring is done.

In such an environment, it is easy to see how a lapse in a firewall rule, a misapplied patch, or an incorrect application setting can provide cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 foothold a worm or attacker needs.

So what is my answer? No amount of preventative measures will ever stop all intrusions. I recommend applying as much protection as your resources will allow, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n monitor everywhere you can. If your monitoring doesn't help you identify a policy failure and/or intrusion, it will at least provide cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 evidence needed to remediate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n better prevent and/or detect cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 incident in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future.

Update: I found this Infonetics Research press release that stated cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following:

"In Infonetics Research’s latest study, The Costs of Enterprise Downtime, North American Vertical Markets 2005, 230 companies with more than 1,000 employees each from five vertical markets—finance, healthcare, transportation/logistics, manufacturing, and retail—were surveyed about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir network downtime...

'The finance and manufacturing verticals are bleeding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most, with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 average financial institution experiencing 1,180 hours of downtime per year, costing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m 16% of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir annual revenue, or $222 million, and manufacturers are losing an average of 9% of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir annual revenue,' said Jeff Wilson, principal analyst of Infonetics Research and author of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 study...

Human error is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cause of at least a fifth of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 downtime costs for all five verticals, and almost a third for financial institutions; this can only be fixed by adding and improving IT processes...

Security downtime is not a major issue anywhere, though it reaches 8% of costs within financial organizations."

New RSS Feed

My RSS feed from 2rss.com is reporting "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 site owner reaching his/her bandwidth limit. Please try again later." Those looking for a new RSS feed can use http://feeds.feedburner.com/Taosecurity. I will try to get this new icon on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog template when Blogger cooperates.


SC Magazine IPS Reviews

Recently I received cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new SC Magazine and noticed a new Group Test addressing so-called intrusion prevention systems. The reviewer was Christopher Moody, but I was unable to get any sort of background information on him. He has written most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 recent SC Magazine Group Tests, however. As you can read in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 story, or in this press release, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sourcefire IS-2000 won SC Magazine's "Best Buy" award. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

< "Its high level of protection and simple rule writing using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Snort engine make it a good standalone product. But it is when it is used as part of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 3D System that it really takes off. Sourcefire’s Defense Center provides excellent centralized management and reporting, and its Real-time Network analysis appliance gives a wider look at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network to help secure it."

The Top Talyer IPS 5500 Attack Mitigator was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SC Magazine Recommended product, even though it had a "small attack signature database compared to ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r products." Review readers will notice that all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 heavyweight IPS vendors were listed, including TippingPoint and ISS. In addition to Sourcefire, three (perhaps four) ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r products were Snort-based: Countersnipe, Barbedwire, and V-Secure. (I suspect XSGuard is Snort-based too, but I have no proof.) Did you notice that none of those three are part of Sourcefire's Certified Snort Integrator program? That means cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are not allowed to apply VRT rule updates to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir products.

Overall I do not have that much confidence in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 quality of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review. I trust someone like Greg Shipley who seems to ask cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right questions and back cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m up with real tests. See his recent firewall round-up as an example; at least cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y mention testing methodologies. I suspect Mr. Moody was limited by page space, but he could have provided more detail on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SC Magazine Web site. I do think that Snort + RNA is incredibly powerful, and I doubt cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is a better solution available. I just don't think SC Magazine makes its judgements in a manner I find most helpful.

On a related note, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Open Source Snort Rules Consortium (OSSRC) is online; consider joining.

Monday, July 25, 2005

Thoughts on Web Application Security Consortium

Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r than post to his own blog, Aaron Higbee decided to bait me with a link to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web Application Security Consortium's Web Security Threat Classification guide. Uh oh, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re's that magic word -- "threat." Immediately I suspected this document's use of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 word "threat" in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 title might be problematic, as I doubted it would be a classification of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 parties with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 capabilities and intentions to exploit vulnerabilities in assets.

The document description states "The Web Security Threat Classification is a cooperative effort to clarify and organize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threats to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security of a web site. The members of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se issues. Application developers, security professionals, software vendors, and compliance auditors will have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ability to access a consistent language for web security related issues."

That sounds to me like an open invitation for a debate on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir language!

Before you get too cross with me, note that I was pleasantly surprised to see most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 content correctly framed as "attacks." Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r content was not labelled correctly. Here are a few examples, which I will let you assess before I suggest an alternative way of looking at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se issues.

  1. A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.

  2. Insufficient Aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ntication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365nticate.

  3. Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r user's password.

  4. Credential/Session Prediction is a method of hijacking or impersonating a web site user.


Can you guess which terms are vulnerabilities, and which are attacks? The attacks are easy; cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are 1 and 4. The document authors correctly call number 1 an "attack" in its description. The vulnerabilities are items 2 and 3. These are easy to spot, too. The document authors didn't want to call cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se conditions vulnerabilities, so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y bailed out by using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 phrases "occurs when" and "is when". This is a sure sign that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 term is not an attack, but is something else. Here are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r vulnerabilities in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document, listed as "attacks":

  1. Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.

  2. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

  3. Automatic directory listing/indexing is a web server function that lists all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 files within a requested directory if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 normal base file is not present.

  4. Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 system.

  5. Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.

  6. Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 intended flow control of an application.


So, that's a great list. Add those six items and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 earlier two and you have eight total vulnerabilities. At this point I would recommend breaking cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document into two sections: (1) Vulnerabilities and (2) Attacks. The document itself should be renamed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web Vulnerability and Attack Classification Guide.

If you think for a moment you can even pair attacks properly labelled in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 relabelled vulnerabilities above. Consider item two in this second list -- Insufficient Session Expiration. Its extended description says

"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a web site's exposure to attacks that steal or impersonate ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r users."

Notice cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 term "exposure"? That's a vulnerability that can be exploited by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following attacks listed in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 guide:

  • Session Fixation is an attack technique that forces a user's session ID to an explicit value. [me: like old session credentials?]

  • Credential/Session Prediction is a method of hijacking or impersonating a web site user. [me: by predicting old session credentials?]

  • Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvents access controls mechanisms. [me: like insufficient session expiration?]


So cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re you go Aaron. I've probably angered twenty-odd more security professionals by debating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir security classification program. (At least I know Mike Shema on that list, and he owes me for leaving to attend a concert during an incident response!) I'm hoping that this quote from Pete Lindstrom (who recently emailed with a link to his blog) is accurate:

"'The need for consistent technical terminology for web related security issues has a significant impact on risk assessment and remediation activities,' Pete Lindstrom, research director of Spire Security, said in a statement Monday. 'Establishing a standard approach for identifying cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se issues, along with a common terminology that everyone can adhere to, will help to thwart cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 increasing security risks associated with Web applications.'"

I would also say cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web Application Security Consortium's Distributed Open Proxy Honeypots (aka "proxypot") is an awesome idea. Again, I have no issue with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 technical work by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se groups, as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y far outweigh anything I have done in those fields. However, I would be very happy to see industry-wide consistency in core security terms.

Lancope's Take on NetFlow

Earlier this year I had a chance to try a Lancope Stealthwatch appliance. Recently Adam Powers from Lancope weighed in on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 focus-ids list with ways NetFlow records can be best utilized for security purposes. This is part of a thread started by Andy Cuff (aka Talisker). To hear more from Lancope, check out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir WebEx Wednesday at 11 AM eastern.

David Sames started a second interesting focus-ids thread about IDS evaluation. The thread evolved into a discussion of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 functions of various security devices. After a great post by Devdas Bhagat, I joined cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fray. You can even see a vendor say I make "wrongheaded argument[s]". Oooh, scary. :)

Thoughts on TippingPoint Zero Day Initiative Program

Through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 accursed Slashdot I learned of Tipping Point's Zero Day Initiative program. (Incidentally, I just figured out that Slashdot is like Saturday Night Live: we all remember it being a lot better years ago, it stinks now, yet we still watch.) According to this CNet story by Joris Evers, which cites TippingPoint's rationale for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 program:

"'We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world's best security protection,' David Endler, director of security research at TippingPoint, said in an interview."

This program is similar to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 iDEFENSE Vulnerability Contributor Program launched in 2002 amidst much fanfare. This April 2003 interview with iDEFENSE VPC Manager Sunil James is also enlightening. Part of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VCP is a retention reward program that paid a $3,000 bonus to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Danish CIRT and $1,000 to l0rd_yup for vulnerabilities reported to iDEFENSE in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first quarter of 2005. Some iDEFENSE advisories give anonymous credit to vulnerability discovers, like Sophos Anti-Virus Zip File Handling DoS Vulnerability, while ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs name cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir sources, like Lord Yup in Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability. In some cases iDEFENSE Labs finds cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hole, as in Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow Vulnerability.

Thus far I have not heard much discussion about iDEFENSE's program, although it seems like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 payout to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability researchers is dwarfed by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 value earned by iDEFENSE. Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise I have not heard too many condemnations of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 pay-for-bugs program and I have not heard of anyone suing iDEFENSE over a vulnerability produced through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir VCP.

Looking at some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 details of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TippingPoint Zero Day Initiative, I found this item in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir FAQ amusing:

"Since 3Com and TippingPoint customers are protected prior to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 disclosure, are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y aware of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability?

In order to maintain cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, 3Com and TippingPoint customers are only provided a generic description of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 filter provided but are not informed of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability. Once details are made public in coordination with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 product vendor, TippingPoint's Digital Vaccine® service for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Intrusion Prevention System provides an updated description so that customers can identify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 appropriate filters that were protecting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. In ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r words, 3Com and TippingPoint will be protected from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability in advance, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will not be able to tell from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 description what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability is."

Anyone who reads this blog knows I think this sort of "protection through secrecy" is ridiculous. If I can't figure out how a product is making its decision to "protect" me, I will try to avoid it. I certainly wouldn't want it blocking traffic on my behalf. What about anti-virus software, you ask? I don't run it on my servers!

This is also funny:

"Why are you giving advance notice of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability information you've bought to ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r security vendors, including competitors?

We are sharing with ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r security vendors in an effort to do cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most good with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 protection of a customer base larger than our own.

What types of security vendors are eligible for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 advanced notice?

In order to qualify for advanced notice, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security vendors must be in a position to remediate or provide protection of vulnerabilities with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir solution, while not revealing details of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability itself to customers. The security vendor's product must also be resistant to discovery of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability through trivial reverse engineering. An example of such a vendor would be an Intrusion Prevention System, Intrusion Detection System, Vulnerability Scanner or Vulnerability Management System vendor."

I am eager to see what vendors can live up to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se requirements. Snort rules won't, and neicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r will Nessus NASL scripts.

I am uneasy about programs like this. Consider modifying Mr. Endler's statement in this manner:

"We want to reward and encourage independent security research, promote and ensure responsible creation of viruses and provide our customers with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world's best security protection."

A virus is malware launched by a threat; it's not a vulnerability. Publication of a vulnerability does not explicitly mean publication of new code to be used by threats. Still, it's not that difficult to move from vulnerability disclosure to exploit creation.

TippingPoint is basically paying researchers to justify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vendor's existence. No vulnerabilities = no need to buy a TippingPoint IPS. More vulnerabilities means more opportunities for threats to craft exploit code, and that justifies buying more IPSs.

How is this different from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Mozilla Bug Bounty program, you might ask? When Mozilla pays researchers to report vulnerabilities in Mozilla code, Mozilla is effectively outsourcing its security quality assurance program. This is done to improve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 quality of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 software released by Mozilla. When TippingPoint pays researchers to report vulnerabilities in anyone's software, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n keeps those vulnerabilities to itself (followed by limited disclosure), TippingPoint is justifying its product's existence.

You might also wonder what I think of Microsoft's $250,000 bonus to those who expose virus writers. I have no problems with such a program, and I see it as anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r way to remove threats from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 streets.

Sourcefire Certified Snort Integrator Program

Did you see Sourcefire's press release on its Certified Snort Integrator Program? If you're not in this program, and you use Snort to provide services or products to third parties, you can't deploy or sell sensors with Sourcefire VRT rule sets. The only exception involves major release versions of Snort, e.g., 2.3.0 or 2.4.0, each of which are packaged with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest rules at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day of release.

The press release says "charter members of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 program include: Astaro, BRConnection, Catbird Networks, Counterpane Internet Security, e-Cop, Netreo, NTT DATA CORPORATION (Japan), ProtectPoint, SecurePipe, StillSecure, VarioSecure Networks, VeriSign, Voyant Strategies and WatchGuard."

If you own a Snort-based appliance or contract with a third party to provide Snort-based services, is your vendor on this list? If not, ask your vendor why not, and how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y intend to keep cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir rules up-to-date. If you run Snort on your own to protect your own enterprise, this new program does not affect you. You can still register to become a VRT rules user for free and get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest rules five days after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are provided to VRT subscribers.

1000th Post


This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 1000th TaoSecurity Blog post. Thankfully, after being broken for months, Blogger fixed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 post tracking counter in time for me to notice this milestone.

I started cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog on 8 January 2003 as a place to post word of new Amazon.com book reviews. I haven't read a new book since May, because I have been extremely busy launching my new company TaoSecurity. I plan to resume reading books very shortly, probably starting with Extreme Exploits.

The blog has now evolved into a place where I record tips on using FreeBSD and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r operating systems and applications. I also post thoughts on network security monitoring and related security topics. I constantly refer back to posts here to remember how I configured a program or what my thoughts were on a certain subject. I detest keeping bookmarks, so I try to store anything of value here. A bookmark has no context and says nothing about how or why I recorded it. In brief, this blog helps me keep a grip on developments in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tech world.

Looking ahead, I have two new projects in store: cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TaoSecurity Podcast and a resource I'm calling OpenPacket.org. You can expect to read more about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fourth quarter of this year. I appreciate everyone who reads this blog and I especially enjoy reading your comments and emails. Our next milestone is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog's third birthday in January, so I hope to see you cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n!

FreeBSD Status Report Second Quarter 2005

The latest FreeBSD Status Report makes for interesting reading. Many of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ongoing tasks are Google Summer of Code projects. Nmap author Fyodor posted that Google is spending $2 million to fund projects this summer, including ten for Nmap itself. I highly commend Google for devoting a small portion of its market capitalization to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se coding efforts.

  • Emily Boyd will redesign FreeBSD.org. Previous work includes cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PostgreSQL Web site. Previews are posted here.

  • Dario Freni is reengineering and rewriting FreeSBIE to include it in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 source tree.

  • Andre Oppermann is trying to raise enough money to fund three full months of dedicated development on improving cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TCP/IP stack. I will contact cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FreeBSD Foundation to see if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will accept tax-deductible donations on his behalf.

  • Chris Jones is working on making gvinum ready for prime time.

  • Andrew Thompson has an OpenBSD-like if_bridge interface ready for FreeBSD 6.0.

  • Andrew Turner is integrating into FreeBSD cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 BSD Installer originally used in DragonFly BSD and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n FreeSBIE.

  • Brian Wilson is working on journalling for UFS. This Slashdot post examines different journalling options.


There are also many improvements in SMP and TrustedBSD that will appear in FreeBSD 6.0, probably in September.

Friday, July 22, 2005

Ron Gula Podcast

I finally got a chance to listen to a new podcast with Ron Gula. Sondra Schneider from Security University interviewed Ron. The podcast lasts about 26 minutes and discusses Ron's experience as a NSA red team aggressor and his work at BBN.

I specifically liked Ron's discussion of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 difference between access control and monitoring. He said making a firewall change affects customer service level agreements; hence, firewalls were part of operations as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had direct impact on moving packets. Monitoring was typically not an operational function, because it was passive and was not access control. Ron said IPSs need to be treated as part of operations (cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are a firewall, after all) because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y block traffic.

Ron also pointed out confusion between credit card cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft and identity cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft. Some people consider cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 two events to be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same. This is not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 case, since recovering from a stolen credit card is much easier.

Here is Ron's bio, for those of you not familiar with him.

Ron Gula - President and Chief Technical Officer, Tenable Network Security

Mr. Gula was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 original author of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Dragon IDS and CTO of Network Security Wizards which was acquired by Enterasys Networks. At Enterasys, Mr. Gula was Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula was also cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first application service providers. Mr. Gula worked for BBN and GTE Internetworking where he conducted security assessments as a consultant, helped to develop one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. Mr. Gula has a BS from Clarkson University and a MSEE from University of Soucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rn Illinois. Ron Gula was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 recipient of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 2004 Techno Security Conference "Industry Professional of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Year" award.

FreeBSD Quality

The topic of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 quality of FreeBSD has recently appeared in several places. Earlier this week SecurityFocus reported on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results of a study by Coverity. From Coverity's 27 June 2005 press release:

Coverity "released software defect and security vulnerability results for FreeBSD 6.0... [and] found 306 software defects in FreeBSD's 1.2 million lines of code, or an average of 0.25 defects per 1,000 lines of code."

That is interesting, considering cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y did cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 study well over a month ago, before 6.0 was even in BETA status. Also:

"FreeBSD security is getting better very quickly - over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 course of a year, FreeBSD's code size doubled, while cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 total number of defects went down by 50%."

The SecurityFocus story made this observation:

"Not all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 potential flaws found by analysis tools are security holes. For FreeBSD, while 306 problems were flagged by Coverity's software, only 5 issues could be triggered by user input. The software classified anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r 12 vulnerabilities as buffer overruns, anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r potentially serious security issue. The FreeBSD project has analyzed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 flaws and fixed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 issues."

For some commentary on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 study, check out this OSNews.com thread.

Over on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 freebsd-stable mailing list, Alexey Yakimovich started a Quality of FreeBSD thread by complaining about ATA errors. I thought Robert Watson's reply provided very useful insights into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problems of operating system development and testing.

Thursday, July 21, 2005

Visa and AmEx Pull cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Plug on CardSystems

Thanks to Richard Stiennon for informing me that Visa and American Express will no longer allow CardSystems Solutions to process cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir credit cards. I am stunned, but in a good way. If companies begin to take security seriously, I will be very pleased. If this turns into a rationale to justify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 current "compliance = security" mindset, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n nothing will change and more organizations will be compromised.

The CardSystems news page reported yesterday that "John Perry, President and CEO of CardSystems "look[s] forward to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 opportunity to share CardSystems' story with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 [Congressional] Subcommittee." I found cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 press release by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 House Financial Services Subcommittee on Oversight and Investigations saying cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hearing is today at 10 am.

BSD Certification Group Publishes Survey Results

Yesterday cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 BSD Certification Group published cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir task analysis survey. The 147 page report is available here.

I found cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se excerpts interesting:

The survey saw an "often expressed desire to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 eventual certifications emphasize advanced achievement and mastery of Unix knowledge in general and BSD usage in particular. Yet, desires that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 certification be difficult to obtain were balanced by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 concern to not neglect younger, enter level candidates or those more experienced who are coming to BSD from ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r computing platforms."

"A proposition that specific knowledge of all BSDs be required was rejected by most in favor of emphasis on general Unix concepts, with an understanding of how and why BSD is unique. 'Linux vs. BSD' style topics were commonly rejected. A focus on BSD similarities instead of BSD differences was more often expressed. Interestingly, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 least preference was for coverage of only a single BSD."

Among all respondents, almost 78% used FreeBSD, almost 41% used OpenBSD, almost 16% used NetBSD, and almost 4% used DragonFly BSD. The "Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r BSD" group was bigger than DragonFly at almost 7%! Many Darwin and Mac OS users reported in as "ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r."

A huge portion of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 survey involves reproducing survey taker comments. I am not sure how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document itself was created, but I cannot use Adobe Reader to highlight and copy text into documents like this blog. The .pdf is also not searchable.

The survey represents a massive amount of work by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 BSD Certification Group and I thank cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir efforts! You can read cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 press release here.

Tuesday, July 19, 2005

Excerpt from Network Forensics Chapter

A crucial component of using trusted tools and techniques is ensuring that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network evidence collected by a sensor can be read and analyzed in anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r environment. This may seem like an obvious point, but consider my recent dismay when I tried to analyze cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following trace supposedly captured in Libpcap format. I started by using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Capinfos command packaged with Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real. On a regular trace, Capinfos lists output like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following.

bourque:/home/analyst$ capinfos goodtrace
File name: goodtrace
File type: libpcap (tcpdump, Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real, etc.)
Number of packets: 1194
File size: 93506 bytes
Data size: 213308 bytes
Capture duration: 342.141581 seconds
Start time: Thu Jun 23 14:55:18 2005
End time: Thu Jun 23 15:01:01 2005
Data rate: 623.45 bytes/s
Data rate: 4987.60 bits/s
Average packet size: 178.65 bytes

On cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 trace in question, Capinfos produced this odd output.

bourque:/home/analyst$ capinfos bad2.tcpdump.052705
capinfos: An error occurred after reading 1 packets from
"bad2.tcpdump.052705": File contains a record that's not valid.
(pcap: File has 1701147252-byte packet, bigger than
maximum of 65535)

That’s disturbing. Something is wrong with this trace. Tcpdump can’t read anything beyond one packet.

bourque:/home/analyst$ tcpdump -n -r bad2.tcpdump.052705
reading from file bad2.tcpdump.052705, link-type EN10MB
(Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet)
16:57:20.259256 IP 192.160.62.68.45626 > 5.9.153.222.25:
P 2134566659:2134567683(1024) ack 3376746668 win 24840
tcpdump: pcap_loop: bogus savefile header

Something is wrong with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bad2.tcpdump.052705 trace. Perhaps I could use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Editcap program, also bundled with Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real, to convert it from its present form to something recognizable by Tcpdump?

bourque:/home/analyst$ editcap -v bad2.tcpdump.052705
File bad2.tcpdump.052705 is a Nokia libpcap (tcpdump) capture file.

That looks promising. The bad2.tcpdump.052705 file may be a trace captured from a Nokia version of Libpcap. Editcap reports it understands cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following five variations on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Libcap format:

  • libpcap - libpcap (tcpdump, Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real, etc.)

  • rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)

  • suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)

  • modlibpcap - modified libpcap (tcpdump)

  • nokialibpcap - Nokia libpcap (tcpdump)


The four options after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first represent various vendor tweaks to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Libpcap library. They are nothing but a source of headaches for network investigators and security vendors. However, perhaps we can use Editcap to convert from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 reported Nokia variant to a standard Libpcap format.

bourque:/home/analyst$ editcap bad2.tcpdump.052705
bad2.tcpdump.052705.lpc
editcap: An error occurred while reading "bad2.tcpdump.052705":
File contains a record that's not valid.
(pcap: File has 1701147252-byte packet, bigger than maximum
of 65535)

Unfortunately, that process fails. For a last ditch try at reading this data, we move cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 trace to a Windows system equipped with Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WinPcap library.

D:\>Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real -n -r bad2.tcpdump.052705
1 0.000000 e0:a6:08:00:45:00 -> 50:c8:00:0d:65:18 LLC I,
N(R)=0, N(S)=32; DSAP b2 Group, SSAP SNA Command
tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real: "bad2.tcpdump.052705" appears to be damaged or corrupt.
(pcap: File has 1701147252-byte packet, bigger than maximum
of 65535)

Again, we are unable to read this trace. This is an extreme example of collecting traffic on one system and not being able to read it elsewhere. All is not completely lost, however. The raw file itself is still available. Using a hex viewer like hd, we can see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 raw file contents.

bourque:/home/analyst$ hd bad2.tcpdump.052705 > bad2.tcpdump.052705.hd

bourque:/home/analyst$ less bad2.tcpdump.052705.hd

...edited...
4d 49 4d 45 2d 76 65 72 73 69 6f 6e 3a 20 31 2e MIME-version: 1.
30 0d 0d 0a 58 2d 4d 49 4d 45 4f 4c 45 3a 20 50 0...X-MIMEOLE: P
72 6f 64 75 63 65 64 20 42 79 20 4d 69 63 72 6f roduced By Micro
73 6f 66 74 20 4d 69 6d 65 4f 4c 45 20 56 36 2e soft MimeOLE V6.
30 30 2e 32 39 30 30 2e 32 31 38 30 0d 0d 0a 58 00.2900.2180...X
2d 4d 61 69 6c 65 72 3a 20 4d 69 63 72 6f 73 6f -Mailer: Microso
66 74 20 4f 75 74 6c 6f 6f 6b 2c 20 42 75 69 6c ft Outlook, Buil
64 20 31 30 2e 30 2e 36 36 32 36 0d 0d 0a 43 6f d 10.0.6626...Co
6e 74 65 6e 74 2d 74 79 70 65 3a 20 6d 75 6c 74 ntent-type: mult
69 70 61 72 74 2f 72 65 70 6f 72 74 3b 0d 0d 0a ipart/report;...
20 62 6f 75 6e 64 61 72 79 3d 22 2d 2d 2d 2d 3d boundary="----=
5f 4e 65 78 74 50 61 72 74 5f 30 30 30 5f 30 30 _NextPart_000_00
...truncated...

Although Tcpdump and related Libpcap tools cannot read cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 trace due to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 presence of corruption or a non-standard format, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ASCII content can still be read.

It would have helped to have known more about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 system and tools used to capture cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bad2.tcpdump.052705 trace when trying to decode it. Therefore, I recommend saving data like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following and bundling it with traces when shared with investigators: On a Unix system, record Uname, Tcpdump, and Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real versions.

bourque:/home/analyst$ uname -a
FreeBSD bourque.taosecurity.com 5.4-RELEASE FreeBSD
5.4-RELEASE #0: Thu Jun 23 14:29:51 EDT 2005
root@bourque.taosecurity.com:/usr/obj/usr/src/sys/BOURQUE i386

bourque:/home/analyst$ tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3

bourque:/home/analyst$ tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real -v
tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real 0.10.11
Compiled with GLib 1.2.10, with libpcap 0.8.3, with libz 1.2.2,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build doesn't support cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "matches" operator for
Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real filter syntax.
Running with libpcap version 0.8.3 on FreeBSD 5.4-RELEASE.

On Windows, use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sysinternals program Psinfo to record system information, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n obtain version numbers from any installed packet capture programs like Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real.

D:\>c:\progra~1\pstools\psinfo

PsInfo v1.63 - Local and remote system information viewer
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\ORR:
Uptime: 0 days 0 hours 45 minutes 49 seconds
Kernel version: Microsoft Windows 2000, Uniprocessor
Product type: Professional
Product version: 5.0
Service pack: 4
Kernel build number: 2195
Registered organization: TaoSecurity
Registered owner: Richard Bejtlich
Install date: 5/15/2005, 3:08:21 PM
Activation status: Not applicable
IE version: 6.0000
System root: C:\WINNT
Processors: 1
Processor speed: 750 MHz
Processor type: Intel Pentium III
Physical memory: 384 MB
Video driver: ATI Mobility M3

D:\>"c:\Program Files\Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real\Tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real" -v
tecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real 0.10.11
Compiled with GLib 2.4.7, with WinPcap (version unknown), with
libz 1.2.2,with libpcre 4.4, with Net-SNMP 5.1.2, with ADNS.
Running with WinPcap (3.0) on Windows 2000 Service Pack 4,
build 2195.

Saving this information to a text file in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 directory where network packets are recorded may save anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r investigator time and frustration when analyzing traces. This information also provides more solid footing when defending cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 nature of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 collection process to a legal body or human resources panel.

Monday, July 18, 2005

Scary New Dangers in Cyberspace

I sometimes watch TV, and I happened to catch a story on ABC World News Tonight called "Your Computer's Stealth Identity Thief." I listened carefully and learned about something scary called a "keylogger." I even saw some cool shots of Symantec's cyber ninjas tapping away on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir uber-31337 keyboards. I really paid attention to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tips to help protect [my]self against key logging, spyware, and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r computer viruses like "Do not click OK on pop-up windows without first reading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m thoroughly." The next time I see a pop-up that says "It's ok, I won't 0wn j00," I'll feel better!

Obviously I am jaded by stories about old technology. For pete's sake, Bugbear from mid-2003 had a keylogger built in. I'm sure cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re are even older examples out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re.

Worse, none of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "tips" mention cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 steps that would really make a difference, in order of least to most impact on change of user habits:

  • Patch your system.

  • Don't browse cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web or read email as administrator or root.

  • Use an alternative Web browser and mail client.

  • Don't run Windows.


Instead we're told to " Use a firewall to help prevent any unauthorized computer activity." Good grief.

News from Visa on Payment Card Industry Standards

Today I got an email from Visa about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir participation in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Payment Card Industry standards. They wrote:

"A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts an assessment can have a tremendous impact on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 consistent and proper application of PCI measures, and controls. Given this very important fact, Visa is modifying its process to qualify security companies that choose to take on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 role of a QDSC...

At a high level, to meet cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new qualification requirements, security companies must: (a) apply as a firm for qualification in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 program; (b) provide documentation of financial stability, technical capability, and industry experience; (c) qualify individual employees to perform cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 assessments; and (d) execute an agreement with Visa governing performance.

We are now accepting applications for PCI Qualified Data Security Companies. Those new and existing companies that wish to begin or continue participating need to qualify through this new process and submit cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new qualification application by August 18, 2005."

The Visa CISP assessors (check cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 URL -- it says "accessors") page lists 30 companies currently certified by Visa as Qualified Data Security Company (QDSC).

Does anyone want to share thoughts on this program?

Stiennon on Enforcement

Richard Stiennon's blog makes a great point today. He says

"The entire IT security market is focused on protections. This is great as more and more protections by default are deployed. But I believe that enforcement actions must be taken as well. There is some sign that cooperation between enforcement agencies in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 UK, Israel, and Russia have been effective. The most important was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 breaking up of a ring of cyber-extortionists in 2003 that dramatically slowed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 number of DDOS incidents.

As it will be a while before prosperity finds its way to every corner of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 globe it is imperative that law enforcement agencies start working togecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r to track down and jail cyber criminals now."

He is completely correct. Remember cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 risk equation: Risk = Threat x Vulnerability X Cost (of asset). We security practitioners (and our clients) can only really influence cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability aspect of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 equation. We can't usually decrease cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 value of an asset, eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r. Only those in law enforcement or cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 military can take direct action against threats. The only real way to eliminate risk is to eliminate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threat. No amount of countermeasures can remove all vulnerabilities and keep a determined adversary from exploiting a target. Making cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threat go to zero is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only way to make risk go to zero.

Stiennon also points out a fascinating Privacy Rights Clearinghouse chronology of data breaches since cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ChoicePoint incident.

Sunday, July 17, 2005

Draft of Extrusion Detection Submitted for Copyeditin

I am happy to report that I just submitted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 final draft of my next book Extrusion Detection: Security Monitoring for Internal Intrusions to my publisher, Addison-Wesley. The new book is a sequel to The Tao of Network Security Monitoring: Beyond Intrusion Detection. I think readers will find cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new book very interesting. Thus far my reviewers have provided positive feedback.

For those interested in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 mechanics of book writing: I thought of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 idea last summer, just after my first book arrived. I signed a contract in November, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n began writing in January. My first due date was 1 April for half cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book in draft form, followed by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rest of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book in draft form by 1 June. I've been working on addressing reviewer feedback since late June, and now cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book is ready for copyediting.

The chapter-level table of contents is listed next.

  1. Network Security Monitoring Revisited

  2. Defensible Network Architecture

  3. Extrusion Detection Illustrated

  4. Enterprise Network Instrumentation

  5. Layer 3 Network Access Control (by Ken Meyers)

  6. Traffic Threat Assessment

  7. Network Incident Response

  8. Network Forensics

  9. Traffic Threat Assessment Case Study

  10. Malicious Bots (by Mike Heiser)



Furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rmore, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se elements:

  • Foreword by Marcus Ranum

  • Preface

  • Appendix A. Collecting Session Data in an Emergency

  • Appendix B. Minimal Snort Installation Guide

  • Appendix C. Survey of Enumeraiton Methods (by Ron Gula)

  • Appendix D. Open Source Host Enumeration (by Rohyt Belani)



I'm estimating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book will be between 450 and 500 pages, but I usually err on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 low side. Expect to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book on shelves in December 2005 or January 2006. I'll probably provide excerpts as publication approaches as well.

You can also get a thorough look at material from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new book at day two of my class at USENIX Security in two weeks. If I am accepted to USENIX LISA in December, I hope to teach three days. The third day will also be based on Extrusion.

Friday, July 15, 2005

FreeBSD 6.0-BETA1 Available

The availability of FreeBSD 6.0-BETA1 was just announced. I am excited to see this release approaching. Here are a few excerpts from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 release announcement thread that may be of interest.

  • Colin Percival: "The FreeBSD Security Team will support FreeBSD 5.x until at least cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end
    of September 2007."

  • Colin Percival: "If I was deploying a new server today, I'd install FreeBSD 5.4. If I were planning on installing a new server next month, I'd install FreeBSD 6.0-BETA-whatever-number-we're-up-to-by-cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n."

  • Scott Long: "There will be a 5.5 release this fall and possibly a 5.6 a few months after that. Per cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 standard procedure, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security team will support cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 branch for 2 years after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 final release. There will likely be ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r developers who have an interest in backporting changes to RELENG_5 for some time to come, just as has been done with RELENG_4. So cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 earliest that RELENG_5 will be de-supported is late 2007."

  • Scott Long: "Part of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 purpose of moving quickly on to RELENG_6 is so that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 migration work for users from 5.x to 6.x is very small. 6.x is really just an evolutionary step from 5.x, not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 life-altering revolutionary step that 4.x->5.x was. It should be quite easy to deploy and maintain 5.x and 6.x machines side-by-side and migrate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 need arises. We don't want people to be stranded on RELENG_5 like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y were with RELENG_4. 6.x offers everything of 5.x, but with better performance and (hopefully) better stability. If you're thinking about evaluating 5.x, give 6.0 a try also."


The release schedule shows a 15 August release announcement, but I expect to see 6.0 RELEASE in mid-September. I am sure cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FreeBSD release team will want 6.0 to be a solid product, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 todo list still contains multiple important outstanding issues.

New Libpcap and Tcpdump Available

Yesterday Libpcap 0.9.3 and Tcpdump 3.9.3 were released at Tcpdump.org. The changelog lists "Support for sending packets" as a new feature. This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 biggest release since 0.8.3/3.8.3 in March last year. I hope to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FreeBSD ports tree updated to include cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se new versions, although eventually cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will be imported into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 base system.

Thursday, July 14, 2005

Network Trace Archival and Retrieval

I don't pay close enough attention to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Pcap mailing lists. While doing research on WinPcap, I learned of a new project hosted at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WinPcap site called Network Trace Archival and Retrieval (NTAR). The Web site says "cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 main objective of NTAR is to provide an extensible way to store and retrieve network traces to mass storage."

I found this post by NTAR developer Gianluca Varenni make cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 claim that NTAR is "a working prototype of a library that reads and writes cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PCAP-NG format." PCAP-NG is a reference to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PCAP Next Generation Dump File Format as documented in an expired RFC Draft.

If you would like to learn more about NTAR, check out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NTAR-workers mailing list. Searches of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tcpdump-workers mailing list show references to PCAP-NG back in February 2005, although a search of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real-dev mailing list has a mention in October 2003!

Auditors in Charge, but 0wn3d Anyway

I read in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest SC Magazine this comment from Lloyd Hession, CSO of Radianz.

"'What is really happening is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 head of security is losing control over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security agenda, which is being co-opted by audit and this umbrella of controls...

The ability to decide which security projects get funded is being taken out of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security officer's hands...

This focus on regulatory issues is causing a loss of control over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security agenda, which is being pushed and dictated by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 audit and controls group and meeting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 requirements of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 regulation."

I see this focus on "controls" as more of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "prevention first and foremost" strategy that ignores cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 importance of detection and response. I had this reaction when I saw Dr. Ron Ross of NIST speak at a recent ISSA meeting. The NIST documents seem to focus on prevention through controls, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y stop.

The unfortunate truth is that prevention eventually fails, as readers of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog and my books know. While researching cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Institute of Internal Auditors Web site, I came across this article which supports my cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ory. Here are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 findings of Does Risk Management Curb Security Incidents? in brief.

  • Are organizations that have conducted an information security risk assessment less, more, or equally likely to have a documented information security policy? Yes.

  • Are organizations that have a documented information security policy less, more, or equally likely to implement system security measures? Yes.

  • Are organizations that have a documented information security policy less, more, or equally likely to implement information security compliance measures? Yes.

  • Are organizations that have a documented information security policy less, more, or equally likely to have an information security awareness program? Yes.

  • Are organizations that employ information security compliance measures, an information security awareness program, and system security measures less, more, or equally likely to experience security incidents? An analysis of variance (ANOVA) test failed to support cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hypocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365sis (H5) that businesses that employ such programs and measures suffered fewer security incidents.


This is pacá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365tically amusing. So, perform a risk assessment, document security policy, be compliant, teach awareness, and still be 0wn3d. It seems to me that, at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 very least, some attention needs to be paid to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 detection and response functions. Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise, a lot of money will continue to be spent on prevention, and organizations won't be any more "secure."

PS: The reference cited by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IIA article is available here. I originally visited cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IIA to learn more about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir Global Technology Audit Guides.

Net Optics Seminar on Passive Monitoring Access

I just received word that Net Optics will be hosting a free seminar titled Fundamentals of Passive Monitoring Access. It will start at 0830 on Wednesday 3 August 2005 at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Hilton Santa Clara in Santa Clara, CA. You will notice cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 seminar description uses terms like pervasive network awareness and defensible network, which I described when I spoke at Net Optics in May. I am scheduled to speak again at a Net Optics event in September in California. I will post details when available.

Verisign to Acquire iDEFENSE

The 45 survivors at iDEFENSE must be breathing a sigh of relief. Verisign will buy iDEFENSE for $40 million. That is $100 million less than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cost to acquire Guardent in December 2003. Verisign has over 3,500 employees according to its fact sheet, and it seems to be making ever bigger advances into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security market. I would be interested in hearing from any iDEFENSE insiders (anonymously here) what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y think of this acquisition.

Wednesday, July 13, 2005

How Do You Read TaoSecurity Blog?

Would anyone care to mention how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y read this blog? I ask because an owner of a site that aggregates blog postings thoughtfully asked my permission to include TaoSecurity Blog content on his site. I said I preferred to not have this blog's content aggregated and posted elsewhere. I prefer readers to visit this site directly or use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 provided XML or RSS links. What are your thoughts?

How to Misuse an Intrusion Detection System

I was dismayed to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following thread in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)

(washington|london|new york)

Here is part of my reply to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Bleeding-Sigs thread.

These rules are completely inappropriate.

First, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is no digital security aspect of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se rules, so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "provider exception" of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wiretap act is likely nullified. Without obtaining consent from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end users (and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365reby protection under cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "consent exception"), that means cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IDS is conducting a wiretap. The administrator could go to jail, or at least expose himself and his organization to a lawsuit from an intercepted party.

Second, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 manner in which most people deploy Snort would not yield much insight regarding why cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se rules triggered. At best a normal Snort user would get a packet containing content that caused Snort to alert. That might be enough to determine no real "terrorism" is involved, but it might also be enough to begin an "investigation" that stands on dubious grounds due to my first point.

Third, does anyone think real terrorists use any of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 words listed in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rules? If anyone does, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y have no experience with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 counter-terrorism world.

An IDS should be used to provide indicators of security incidents. Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise, it becomes difficult to justify its operation, legally and ethically.

Unfortunately, I saw both rules (at least commented out) in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest bleeding ruleset.

What do you think?

New Desktop Computing Variant from ClearCube

Clued in by Slashdot I learned of this ZDNet article on ClearCube. This company sells "blade desktops." Users see have a device ClearCube calls a "user port" on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir desk. Remotely connected to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 user port by Cat 5, fiber, or IP is a "PC blade" mounted in a "cage" sitting in a server room or data center. Smart management software allows administrators to switch user ports from blade desktop to blade desktop if one fails.

The following diagram explains cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same concepts in a single figure.

Regular blog readers may remember my enthusiasm for thin clients like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sun Ray and wonder how I view cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se blade desktops. For casual users who surf cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web, read email, and use office software, blade desktops are overkill. I think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sun Ray is a better solution. For those who need Microsoft products, I imagine a solution incorporating VMWare would be appropriate.

I see blade desktops as a possible way to provide dedicated hardware to power users. For example, in my last job our engineers did not think a thin client would work for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. Each software engineer needed a dedicated PC with tons of RAM, a fast CPU, and big hard drives to run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir own instances of VMWare and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r software. A few of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m using thin clients connected to a single server would quickly consume too many resources. Instead, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y could each get a blade desktop.

Removing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 actual PC from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 work space eliminates physical security threats and makes it more difficult to steal data, assuming cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "user port" USB ports could be disabled.

Tuesday, July 12, 2005

Chip Andrews Webcasts on SQL Server Security

Chip Andrews of SQLSecurity.com and co-founder of Special Ops Security will present his fourth Webcast on SQL Server Security tomorrow morning. I hadn't heard about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se previously, but I am sure cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are excellent. Chip was also author of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 excellent SQL security book pictured at left, SQL Server Security.