Saturday, February 28, 2009

Using Responsible Person Records for Asset Management

Today while spending some time at the book store with my family, I decided to peruse a copy of Craig Hunt's TCP/IP Network Administration. It covers BIND software for DNS. I've been thinking about my post Asset Management Assistance via Custom DNS Records. In the book I noticed the following:



"Responsible Person" record? That sounds perfect. I found RFC 1183 from 1990 introduced these.

I decided to try setting up these records on a VM running FreeBSD 7.1 and BIND 9. The VM had IP 172.16.99.130 with gateway 172.16.99.2. I followed the example in Building a Server with FreeBSD 7.

First I made changes to named.conf as shown in this diff:

# diff /var/named/etc/namedb/named.conf /var/named/etc/namedb/named.conf.orig
132c132
< // zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
---
> zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
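Review bot: this diff runs the edited file against the `.orig` copy (`diff named.conf named.conf.orig`), so it reads backwards: the `<` line here is the new, commented-out empty zone and the `>` line is the original. Swapping the operands (`diff named.conf.orig named.conf`) would produce a diff in the conventional direction, where the added zone and key blocks below show up as additions rather than as a `274,290d273` deletion.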
274,290d273
< zone "example.com" {
< type master;
< file "master/example.com";
< allow-transfer { localhost; };
< allow-update { key rndc-key; };
< };
<
< zone "99.16.172.in-addr.arpa" {
< type master;
< file "master/example.com.rev";
< allow-transfer { localhost; };
< allow-update { key rndc-key; };
< };
< key "rndc-key" {
< algorithm hmac-md5;
< secret "4+IlE0Z/oHoHok9EnVwkUw==";
< };
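Review bot: the `key "rndc-key"` block pastes the HMAC-MD5 secret straight into named.conf, and the same key is granted `allow-update` on both zones, so whoever holds the rndc control key can also rewrite zone data. Since `rndc-confgen -a` already wrote the key to `/etc/namedb/rndc.key`, an `include "/etc/namedb/rndc.key";` statement in place of the pasted block keeps the secret under that file's own permissions, and a separate TSIG key for dynamic updates limits what the control key can do.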

To generate the last section I ran the following:

# rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"
# cat rndc.key >> named.conf

Next I created /var/named/etc/namedb/master/example.com:

# cat example.com
$TTL 3600

example.com. IN SOA host.example.com. root.example.com. (

1 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL

;DNS Servers
example.com. IN NS host.example.com.

;Machine Names
host.example.com. IN A 172.16.99.130
gateway.example.com. IN A 172.16.99.2

;Aliases
www IN CNAME host.example.com.

;MX Record
example.com. IN MX 10 host.example.com.

;RP Record
host.example.com. IN RP taosecurity.email.com. sec-con.example.com.
gateway.example.com. IN RP networkteam.email.com. net-con.example.com.

;TXT Record
sec-con.example.com. IN TXT "Richard Bejtlich"
sec-con.example.com. IN TXT "Employee ID 1234567890"
sec-con.example.com. IN TXT "Northern VA office"
net-con.example.com. IN TXT "Network Admin"
net-con.example.com. IN TXT "Group ID 0987"
net-con.example.com. IN TXT "DC office"

Then I created /var/named/etc/namedb/master/example.com.rev:
# cat example.com.rev 
$TTL 3600

99.16.172.in-addr.arpa. IN SOA host.example.com. root.example.com. (

1 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL

;DNS Servers
99.16.172.in-addr.arpa. IN NS host.example.com.

;Machine IPs
1 IN RP networkteam.email.com. net-con.example.com.
2 IN PTR gateway.example.com.
130 IN PTR host.example.com.
130 IN PTR www.example.com.

;RP Record
2 IN RP networkteam.email.com. net-con.example.com.
13 IN RP taosecurity.email.com. sec-con.example.com.

If you caught my omission, I'll point it out near the end of the post.

Finally I edited /etc/resolv.conf so it pointed only to 127.0.0.1, and restarted named:

# /etc/rc.d/named restart
Stopping named.
Starting named.

Now I was able to query cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name server.

# dig @127.0.0.1 version.bind chaos txt | grep version.bind
; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 version.bind chaos txt
;version.bind. CH TXT
version.bind. 0 CH TXT "9.4.2-P2"
version.bind. 0 CH NS version.bind.

Let's do zone transfers for the forward and reverse zones.

# dig @127.0.0.1 axfr example.com.

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 axfr example.com.
; (1 server found)
;; global options: printcmd
example.com. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
example.com. 3600 IN MX 10 host.example.com.
example.com. 3600 IN NS host.example.com.
gateway.example.com. 3600 IN RP networkteam.email.com. net-con.example.com.
gateway.example.com. 3600 IN A 172.16.99.2
host.example.com. 3600 IN RP taosecurity.email.com. sec-con.example.com.
host.example.com. 3600 IN A 172.16.99.130
net-con.example.com. 3600 IN TXT "Network Admin"
net-con.example.com. 3600 IN TXT "Group ID 0987"
net-con.example.com. 3600 IN TXT "DC office"
sec-con.example.com. 3600 IN TXT "Richard Bejtlich"
sec-con.example.com. 3600 IN TXT "Employee ID 1234567890"
sec-con.example.com. 3600 IN TXT "Northern VA office"
www.example.com. 3600 IN CNAME host.example.com.
example.com. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 1 04:22:57 2009
;; XFR size: 15 records (messages 1, bytes 480)

# dig @127.0.0.1 axfr 99.16.172.in-addr.arpa.

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 axfr 99.16.172.in-addr.arpa.
; (1 server found)
;; global options: printcmd
99.16.172.in-addr.arpa. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
99.16.172.in-addr.arpa. 3600 IN NS host.example.com.
1.99.16.172.in-addr.arpa. 3600 IN RP networkteam.email.com. net-con.example.com.
13.99.16.172.in-addr.arpa. 3600 IN RP taosecurity.email.com. sec-con.example.com.
130.99.16.172.in-addr.arpa. 3600 IN PTR host.example.com.
130.99.16.172.in-addr.arpa. 3600 IN PTR www.example.com.
2.99.16.172.in-addr.arpa. 3600 IN RP networkteam.email.com. net-con.example.com.
2.99.16.172.in-addr.arpa. 3600 IN PTR gateway.example.com.
99.16.172.in-addr.arpa. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 1 04:26:36 2009
;; XFR size: 9 records (messages 1, bytes 380)

Now let's pretend we have a security incident involving 172.16.99.2. You want to know who owns it. Let's query for RP records.

VirtualBSD# host -t rp 172.16.99.2
2.99.16.172.in-addr.arpa domain name pointer gateway.example.com.

Ok, I see that I get a PTR record for 172.16.99.2. I can look for an RP record for that hostname.

# host -t rp gateway.example.com.
gateway.example.com has RP record networkteam.email.com. net-con.example.com.

That worked. I see the email address for the Responsible Person is networkteam@email.com (you have to imagine the @ instead of the . there), and I also get indication of a TXT record. I query for that next.

# host -t txt net-con.example.com.
net-con.example.com descriptive text "Network Admin"
net-con.example.com descriptive text "Group ID 0987"
net-con.example.com descriptive text "DC office"

Great, I have some additional details on the network team.

What if I try 172.16.99.130?

# host -t rp 172.16.99.130
130.99.16.172.in-addr.arpa domain name pointer www.example.com.
130.99.16.172.in-addr.arpa domain name pointer host.example.com.

# host -t RP www.example.com.
www.example.com is an alias for host.example.com.
host.example.com has RP record taosecurity.email.com. sec-con.example.com.

# host -t TXT sec-con.example.com.
sec-con.example.com descriptive text "Richard Bejtlich"
sec-con.example.com descriptive text "Employee ID 1234567890"
sec-con.example.com descriptive text "Northern VA office"

How about 172.16.99.1?

# host -t rp 172.16.99.1
1.99.16.172.in-addr.arpa has no PTR record

That was the error in the example.com.rev file I posted earlier. Or is it an error? Maybe not:

# host -t rp 1.99.16.172.in-addr.arpa
1.99.16.172.in-addr.arpa has RP record networkteam.email.com. net-con.example.com.

If we query for the IP in in-addr.arpa format, we can find an RP record. So, it's possible to have IPs without hostnames in your DNS and still have RP records. You just need to know how to ask for them.
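The IP -> PTR -> RP -> TXT chain walked through above with `host`, as an added Python example that is not part of the original post: it reads constructed copies of the two zone files (SOA and NS lines dropped; the zone origins are assumed from the named.conf zone names) and resolves an address to its responsible person, including the CNAME case for www and the 172.16.99.1 case where an RP record exists but no PTR does.

```python
"""PTR -> RP -> TXT lookup over constructed copies of the post's two zone files."""
import ipaddress
from collections import defaultdict

# Constructed zone data in the shape of the post's example.com and example.com.rev
# (SOA/NS lines dropped).  The origins are an assumption: BIND takes them from the
# zone names in named.conf.
FORWARD_ZONE = ("example.com.", """
host.example.com.    IN A     172.16.99.130
gateway.example.com. IN A     172.16.99.2
www                  IN CNAME host.example.com.
host.example.com.    IN RP    taosecurity.email.com. sec-con.example.com.
gateway.example.com. IN RP    networkteam.email.com. net-con.example.com.
sec-con.example.com. IN TXT   "Richard Bejtlich"
sec-con.example.com. IN TXT   "Employee ID 1234567890"
sec-con.example.com. IN TXT   "Northern VA office"
net-con.example.com. IN TXT   "Network Admin"
net-con.example.com. IN TXT   "Group ID 0987"
net-con.example.com. IN TXT   "DC office"
""")
REVERSE_ZONE = ("99.16.172.in-addr.arpa.", """
1   IN RP  networkteam.email.com. net-con.example.com. ; RP but no PTR
2   IN PTR gateway.example.com.
130 IN PTR host.example.com.
130 IN PTR www.example.com.
2   IN RP  networkteam.email.com. net-con.example.com.
13  IN RP  taosecurity.email.com. sec-con.example.com.
""")

def load_zone(origin, text, records=None):
    """Minimal master-file reader for 'name IN TYPE rdata...' lines.

    Relative owner names are qualified with the origin, as BIND does, and
    ';' comments are dropped.  $TTL and the multi-line SOA are not handled.
    """
    records = defaultdict(list) if records is None else records
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, _cls, rtype, *rdata = line.split()
        if not name.endswith("."):
            name = f"{name}.{origin}"
        records[(name.lower(), rtype.upper())].append(rdata)
    return records

def reverse_name(ip):
    """'172.16.99.2' -> '2.99.16.172.in-addr.arpa.' (what `host -t rp <ip>` asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lookup(records, name, rtype, depth=0):
    """Rdata lists for (name, rtype), following a bounded CNAME chain the way the
    post's `host -t RP www.example.com.` query ended up at host.example.com."""
    name = name.lower()
    if (name, rtype) in records:
        return records[(name, rtype)]
    if rtype != "CNAME" and (name, "CNAME") in records and depth < 8:
        return lookup(records, records[(name, "CNAME")][0][0], rtype, depth + 1)
    return []

def mailbox_to_email(mbox):
    """RFC 1183 mbox-dname: the first (unescaped) label is the local part, so
    'networkteam.email.com.' is the networkteam@email.com the post asks you to imagine."""
    local, _, domain = mbox.rstrip(".").partition(".")
    return f"{local}@{domain}"

def responsible_persons(records, ip):
    """[(email, [TXT strings])] for an IP, or [] when nothing is registered.

    RP records on the PTR hostname(s) come first; an address with no PTR falls
    back to an RP attached directly to its in-addr.arpa name (the 172.16.99.1 case).
    """
    rev = reverse_name(ip)
    rp_sets = []
    for (hostname,) in lookup(records, rev, "PTR"):
        rp_sets.extend(lookup(records, hostname, "RP"))
    if not rp_sets:
        rp_sets = lookup(records, rev, "RP")
    results = []
    for mbox, txtname in rp_sets:
        txts = []
        if txtname != ".":  # RFC 1183: a lone '.' means no TXT pointer
            txts = [" ".join(r).strip('"') for r in lookup(records, txtname, "TXT")]
        entry = (mailbox_to_email(mbox), txts)
        if entry not in results:  # www and host both lead to the same RP
            results.append(entry)
    return results

ZONES = load_zone(*FORWARD_ZONE)
load_zone(*REVERSE_ZONE, ZONES)

if __name__ == "__main__":
    for ip in ("172.16.99.2", "172.16.99.130", "172.16.99.1", "172.16.99.13", "172.16.99.5"):
        print(ip, responsible_persons(ZONES, ip) or "no RP record")
```

Against live DNS the same chain applies unchanged; only `lookup` would be swapped for real PTR, RP and TXT queries against the internal resolver.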

I think this is really promising. At the very least, a DNS admin responsible for hosts in a certain subnet could add RP records, like that of 172.16.99.1, for every host. This would probably work best for servers, but it should be possible to extend it to hosts with dynamic DNS assignments.

Incidentally, RP records do not seem very popular on the Internet. If you find any in the wild, please let me know.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

Sample Lab from TCP/IP Weapons School 2.0 Posted

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus.


  1. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future.

  2. TWS2 is a completely brand-new class. I did not reuse any material from TWS, my older Network Security Operations class, or anything else.

  3. TWS2 offers zero slides. Students receive three handouts and a DVD. The handouts include an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide. The DVD contains a virtual machine with all the tools and evidence needed to complete the labs, along with the network and memory evidence as stand-alone files.

  4. TWS2 is heavily lab-focused. I've been teaching professionally since 2002, and I've recognized that students prefer doing to staring and maybe listening! Everyone who leaves TWS2 has had hands-on experience investigating computer incidents in an educational environment.

  5. TWS2 is designed for beginner-to-intermediate attendees. Some advanced people will like the material too, although I can't promise to please everyone. I built the class so that the newest people could learn by trying the labs, but follow the teacher's guide (which they receive) if they need extra assistance. More advanced students are free to complete the labs any way they see fit, preferably never looking at the teacher's guide until the labs are done. This system worked really well in DC last week.

  6. TWS2 uses multiple forms of evidence. Solving the labs relies heavily on the network traffic provided with each case, but some questions can only be answered by reviewing Snort alerts, or session data, or system logs provided via Splunk, or even memory captures analyzed with tools like Volatility or whatever else the student brings to the case.

  7. TWS2 comes home with the student and teaches an investigative mindset. Unlike classes that dump a pile of slides on you, TWS2 essentially delivers a book in courseware form. I use (*gasp*) whole sentences, even paragraphs, to describe how to solve labs. By working the labs the student learns how to be an investigator, rather than just watching or listening to investigative theories. I am using the same material to teach analysts on my team how to detect and respond to intrusions.


To provide a better sense of the class, I've posted materials from one of the labs here. The .zip contains the student workbook for the case, the teacher's guide for the case, and the individual network trace file for the case. There is no way for me to include the 4 GB compressed VM that students receive, but by reviewing this material you'll get some idea of the nature of this class.

My next session of TCP/IP Weapons School 2.0 will take place in Amsterdam on 14-15 April 2009 at Black Hat Europe 2009. Seats are already filling.

The last sessions of the year will take place in Las Vegas on 25-26 and 27-28 July 2009 at Black Hat USA 2009. Registration for training at that location will open this week, I believe.

I am not teaching the class publicly anywhere else in 2009. I do not offer private classes to anyone, except internally within GE (and those are closed to the public).

If you have any questions on these classes, please post them here. Thank you.


Friday, February 27, 2009

Inputs vs Outputs, or Why Controls Are Not Sufficient

I have a feeling my post Consensus Audit Guidelines Are Still Controls is not going to be popular in certain circles. While tidying the house this evening I came across my 2007 edition of the Economist's Pocket World in Figures. Flipping through the pages I found many examples of inputs (think "control-compliant") vs outputs (think "field-assessed").

I'd like to share some of them with you in an attempt to better communicate the ideas in my last post.

  • Business creativity and research
    • Input(s): Total expenditures on research and development, % of GDP
    • Output(s): Number of patents granted (per X people)

  • Education
    • Input(s): Education spending, % of GDP; school enrolment
    • Output(s): Literacy rate

  • Life expectancy, health, and related categories
    • Input(s): Health spending, % of GDP; population per doctor; number of hospital beds per citizen; (also add in air quality, drinking and smoking rates, etc.)
    • Output(s): Death rates; infant mortality; and so on...

  • Crime and punishment
    • Input(s): Total police per X population
    • Output(s): Crime rate

Is this making sense?


Consensus Audit Guidelines Are Still Controls

Blog readers know that I think FISMA Is a Joke, FISMA Is a Jobs Program, and if you fought FISMA Dogfights you would always die in a burning pile of aerial debris.

Now we have the Consensus Audit Guidelines (CAG) published by SANS. You can ask two questions: 1) is this what we need? and 2) is it at least a step in the right direction?

Answering the first question is easy. You can look at the graphic I posted to see that CAG is largely another set of controls. In other words, this is more control-compliant "security," not field-assessed security. Wait, you might ask, doesn't the CAG say this?

What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out.

That excerpt means that CAG defines defensive activities that are believed to be effective by various security practitioners. I am not doubting that these practitioners are smart. I am not doubting their skills. What I am trying to say is that implementing the controls in CAG does not tell you the score of the game. CAG is all about inputs. After implementing CAG you still do not know any outputs. In other words, you apply controls (an "X"), but what is the outcome (the "Y")? The controls may or may not be wonderful, but if you are control-compliant you do not have the information produced by field-assessed security.

Does anyone really think we do not have controls already? The CAG itself shows how it maps against NIST SP 800-53 Rev 3 Controls. Five are shown below as an example.



For example, looking at CAG, how many of these strike you as something you didn't already know about?

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection


Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps



Don't get me wrong. If you are not implementing these controls already, you should do so. That will still not tell you the score of the game. If you want to see exactly what I proposed, I differentiated between control-compliance "security" and field-assessed security in my post Controls Are Not the Solution to Our Problem.

So, to answer my second question, CAG is a step in the right direction away from FISMA. It doesn't change the game, especially if you are already implementing NIST guidance.


Wednesday, February 25, 2009

Asset Management Assistance via Custom DNS Records

In my post Black Hat DC 2009 Wrap-Up, Day 2 I mentioned enjoying Dan Kaminsky's talk. His thoughts on the scalability of DNS made an impression on me. I thought about the way the Team Cymru Malware Hash Registry returns custom DNS responses for malware researchers, for example. In this post I am interested in knowing if any blog readers have encountered problems similar to the ones I will describe next, and if yes, did you / could you use DNS to help mitigate it?

When conducting security operations to detect and respond to incidents, my team follows the CAER approach. Escalation is always an issue, because it requires identifying a responsible party. If you operate a defensible network it will be inventoried and claimed, but getting to that point is difficult.

The problem is this: you have an IP address, but how do you determine the owner? Ideally you have access to a massive internal asset database, but the problems of maintaining such a system can be daunting. The more sites, departments, businesses, etc. in play, the more difficult it is to keep necessary information in a single database. Even a federated system runs into problems, since there must be a way to share information, submit queries, keep data current, and so on.

Dan made a key point during his talk: one of the reasons DNS scales so well is that edge organizations maintain their own records, without having to constantly notify the core. Also, anyone can query the system, and get results from the (presumably) right source.

With this in mind, would it make sense to internally deploy custom DNS records that identify asset owners?

In other words:

  1. Mandate by policy that all company assets must be registered in the internal company DNS.

  2. Add extensions of some type that provide information like the following, at a minimum:
    • Asset owner name and/or employee number
    • Owning business unit
    • Date record last updated

  3. Periodically, statistically survey IP addresses observed via network monitoring to determine if their custom DNS records exist and validate that they are accurate.

These points assume that there is already a way to associate an employee name or number with a contact method such as email address and/or phone number, as would be the case with a Global Address List.

Is anyone doing this? If not, do you have ideas for identifying asset owners when the scale of the problem is measured in the hundreds of thousands?


Tuesday, February 24, 2009

HD Moore on the Necessity of Disclosure

HD Moore posted a great defense of full disclosure in his article The Best Defense is Information on the latest Adobe vulnerability.

The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of "your customers are being exploited" do they not understand?



Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?"

The latest issue of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Information Assurance Technology Analysis Center's IANewsletter features "Army, Navy, Air Force, and Cyber -- Is It Time for a Cyberwarfare Branch of [cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365] Military?" by COL John "Buck" Surdu and LTC Gregory Conti. I found cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se excerpts enlightening.

The Army, Navy, and Air Force all maintain cyberwarfare components, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y do little to recognize and develop technical expertise. As a result, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Army, Navy, and Air Force hemorrhage technical talent, leaving cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Nation’s military forces and our country under-prepared for both cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ongoing cyber cold war and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 likelihood of major cyberwarfare in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future...

The skill sets required to wage cyberwar in this complex and ill-defined environment are distinct from waging kinetic war. Both cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 kinetic and non-kinetic are essential components of modern warfare, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 status quo of integrating small cyberwarfare units directly into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 existing components of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 armed forces is insufficient...

The cultures of today's military services are fundamentally incompatible with the culture required to conduct cyberwarfare... The Army, Navy, and Air Force are run by their combat arms officers, ship captains, and pilots, respectively. Understandably, each service selects leaders who excel at conducting land, sea, and air battles and campaigns. A deep understanding and respect for cyberwarfare by these leaders is uncommon.

To understand the culture clash evident in today's existing militaries, it is useful to examine what these services hold dear -- skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare...

The culture of each service is evident in its uniforms. Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments...

Evidence to back these assertions is easy to find. From a recent service academy graduate who desired more than anything to become part of a cyberwarfare unit but was given no other option than to leave the service after his initial commitment, to the placement of a service's top wireless security expert in an unrelated assignment in the middle of nowhere, to the PhD whose mission was to prepare PowerPoint slides for a flag officer -- tales of skill mismanagement abound...

[W]e are arguing that these cultures inhibit (and in some cases punish) the development of the technical expertise needed for this new warfare domain.... Only by understanding the culture of the technical workforce can a cyberwarfare organization hope to succeed... High-and-tight haircuts, morning physical training runs, rigorously enforced recycling programs, unit bake sales, and second-class citizen status are unlikely to attract and retain the best and brightest people.


I agree with almost all of this article. When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment. The only exception was a peer who managed to grab a job at NSA. The other 31 all left to take technical jobs in industry because we didn't want to become protocol officers in Guam or logistics officers in a headquarters unit.

Please read the whole article before commenting, if you choose to do so. I selected only a few points but there are others.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

Monday, February 23, 2009

More Information on CNCI

In response to my post Black Hat DC 2009 Wrap Up, Day 1, a commenter shared a link to a Fairfax Chamber of Commerce briefing by Boeing on the Comprehensive National Cybersecurity Initiative (CNCI) that I last mentioned in FCW on Comprehensive National Cybersecurity Initiative. I've extracted a few slides below to highlight several points.

The first slide I share shows abbreviated definitions for Computer Network Defense, Computer Network Exploitation, and Computer Network Attack. These mirror what I cited in China Cyberwar, or Not? in late 2007.



The second slide supports what I said in my Predictions for 2008 post: Expect greater military involvement in defending private sector networks. Notice DNI and DoJ are said to be "authorized to conduct domestic intrusion detection," and DNI and DoD are allowed "involvement with domestic networks."



The three phased approach is displayed next. Note mentions of deployment of sensors, counter-intrusion plans, and deterrence.



Finally, this slide lists the seven "emphasis areas" for the new program.



Thanks to the anonymous commenter for directing me to this public link.



VirtualBSD: FreeBSD 7.1 Desktop in a VM

Want to try FreeBSD 7.1 in a comfortable, graphical desktop, via a VMware VM? If your answer is yes, visit www.virtualbsd.info and download their 1.5 GB VM. I tried it last night and got it working with VMware 1.0.8 by making the following adjustments:

Edit VirtualBSD.vmx to say

#virtualHW.version = "6"
virtualHW.version = "4"

and VirtualBSD.vmdk to say

#ddb.virtualHWVersion = "6"
ddb.virtualHWVersion = "4"

and you will be able to use the VM on VMware Server 1.0.8.



Sunday, February 22, 2009

Black Hat Briefings Justify Supporting Retrospective Security Analysis

One of the tenets of Network Security Monitoring, as repeated in Network Monitoring: How Far?, is to collect as much data as you can, given legal, political, and technical means (and constraints), because that approach gives you the best chance to detect and respond to intrusions. The Black Hat Briefings always remind me that such an approach makes sense. Having left the talks, I have a set of techniques for which I can now mine my logs and related data sources for evidence of past attacks.

Consider these examples:

  • Given a set of memory dumps from compromised machines, search them using the Snorting Memory techniques for activity missed when those dumps were first collected.

  • Review Web proxy logs for the presence of IDN in URIs.

  • Query old BGP announcements for signs of past MITM attacks.


You get the idea. The key concept is that none of us are smart enough to know how a certain set of advanced threats are exploiting us right now, or how they exploited us in the past. Once we get a clue to their actions, we can mine our security evidence for indicators of that activity. When we find signs of malicious activity we can focus our methods and expand our view until we have a better idea of the scope of an incident.

This strategy is the only one that has ever worked for digital intrusion victims who are constrained to purely defensive operations. A better alternative, as outlined in The Best Cyber Defense, is to conduct aggressive counterintelligence to find out what the enemy knows about you. Since that tactic is outside the scope for the vast majority of us, we should adopt a mindset, toolset, and tactics that enable retrospective security analysis -- the ability to review past evidence for indicators of modern attacks.

If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be "protected" from only the most basic threats. Advanced threats know how to evade many defenses because they test and hone their techniques before deploying them in the wild.

NSM has always implemented retrospective security analysis, but the idea applies to a wide variety of security evidence.



Black Hat DC 2009 Wrap-Up, Day 2

This is a follow-up to Black Hat DC 2009 Wrap-Up, Day 1.

  • I started day two with Dan Kaminsky. I really enjoyed his talk. I am not sure how much of it was presented last year, since I missed his presentation in Las Vegas. However, I found his comparison of DNS vs SSL infrastructures illuminating. The root name servers are stable, dependable, centrally coordinated, and guaranteed to be around in ten years. We know what root name servers to trust, and we can add new hosts to our domains without requesting permission from a central authority. Contrast that with certificate authorities. They have problems, cannot all be trusted, and come and go as their owning companies change. We do not always know what CAs to trust, but we must continuously consult them whenever we change infrastructure.

    Dan asked "are we blaming business people when really our engineering is poor?" I thought that was a really interesting question. Imagine that instead of being a security engineer, you're a housing engineer. Which of the following display poor engineering?



    It should be clear that you can't answer that question just by looking at the product of the engineering process. You have to consider a variety of constraints, external factors, and so on. The fact that so much of the Internet is broken says nothing about engineering, because engineering is seldom done for engineering's sake: engineering always serves another master, often a business mission.

  • After Dan I saw Prajakta Jagdale explain problems with applications code in Flash. I should not have been surprised to see Flash .swf files containing hardcoded usernames and passwords. Didn't we talk about this 10 years ago for generic Web pages? Show me any new feature-rich programming environment and you can probably find the same generic design and implementation flaws of a decade ago.

  • I watched some of Paul Wouters' talk on defending DNS, but the poor guy was really sick and the talk was boring. I had to leave early for a work call anyway.

  • Earl Zmijewski from Renesys gave one of my two favorite talks of the conference. He explained how to detect BGP Man-in-the-Middle attacks, described in this Renesys blog post. Earl's investigative method was impressive, and the majority of his talk involved describing how he developed a methodology to identify potential BGP MITM attacks. One clue appears in the diagram below, where it is unusual for a low-level player like Pilosoft to appear to be carrying traffic between two bigger players.



    Earl emphasized that routing is based on trust. There is really no way to validate that routes received via BGP are legitimate. (Note: With 270,000 routes in the global BGP tables, there are 45,000 updates per minute on a slow day. On Monday when AS 47868 decided to torpedo the Internet, updates arrived at 4 million per minute.) Individual BGP-speaking routers don't really need to know entire paths to route; paths are really used to drop routes via loop detection. (Path lengths are used to select routes, however.)

    The key to identifying BGP MITM is to realize that although the vast majority of the Internet will be fooled by an artificial route during a BGP MITM attack, a legitimate path must be maintained in order for the attacker to get intercepted traffic to its ultimate intended destination. By comparing routes seen across the Internet for a victim AS with routes seen by the legitimate path, one can identify BGP MITM attacks. You can look for other hints, like violations of the valley property shown below.



    I recommend reading the blog post and linked slides for more information.

  • David Litchfield's talk on Oracle forensics was interesting. Oracle is like a file system unto itself, so you can bring the same mindset to analyzing the variety of files Oracle uses during operation. This evidence is present by default.

  • I concluded the Briefings with Peter Silberman from Mandiant. His blog post describes his talk, which involved converting Snort signatures into strings for searching memory on victim systems. This technique can be used to discover remnants of attacks in system memory, or evidence of malware still resident in memory. His implementation relies on XPath if one wishes to write new signatures, and I am not familiar with that system now.
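The memory-searching idea in Peter Silberman's talk, and the "search old memory dumps with Snorting Memory techniques" item in the retrospective-analysis post above, both boil down to the same mechanical step: turn the `content:` option of a Snort rule into raw bytes and sweep a memory image for it. The block below is an added example and not Peter Silberman's code or Mandiant's tool; it handles only `content:"..."` (literal text with `|hex|` byte runs) and the `nocase` modifier, and the rules, sids and the "memory dump" are all constructed for the example.

```python
"""Turn Snort rule content into byte patterns and sweep a memory image.

Added example, not Peter Silberman's implementation or code. It handles
only the Snort content option (literal text with |hex| byte runs) and the
nocase modifier; distance/within/pcre are not modelled. The rules and the
"memory dump" below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed rules in Snort syntax; the sids are placeholders.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"bad-agent beacon"; '
    'content:"User-Agent|3a 20|Mozilla/4.0 (compatible; MSIE 6.0; Win32)"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"cmd over http"; '
    'content:"/cmd.php?c="; nocase; sid:1000002;)',
]

# Constructed stand-in for a memory image: filler around two HTTP artifacts.
SAMPLE_MEMORY = (
    b"\x00" * 512
    + b"GET /CMD.PHP?c=whoami HTTP/1.1\r\nHost: evil.example\r\n"
    + b"\xff" * 300
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n"
    + b"\x00" * 512
)

_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def _split_options(rule: str) -> List[str]:
    """Split the parenthesised option body on ';' outside double quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i : i + 2])   # keep escape pairs intact
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def _unescape(text: str) -> bytes:
    """Snort escapes quotes, backslashes and semicolons in content; drop the backslash."""
    return re.sub(r"\\(.)", r"\1", text).encode("latin-1")


def content_to_bytes(content: str) -> bytes:
    """'User-Agent|3a 20|x' -> b'User-Agent: x'. Escaped pipes are not supported."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(content):
        out += _unescape(content[pos : m.start()])
        out += bytes.fromhex(m.group(1))   # fromhex ignores the whitespace
        pos = m.end()
    out += _unescape(content[pos:])
    return bytes(out)


def rule_patterns(rule: str) -> Tuple[str, List[Tuple[bytes, bool]]]:
    """Return (msg, [(pattern, nocase), ...]) for one rule."""
    msg, patterns = "", []
    for opt in _split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            msg = val.strip('"')
        elif key == "content":
            patterns.append([content_to_bytes(val.strip('"')), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True   # modifier applies to the preceding content
    return msg, [(p, n) for p, n in patterns]


def scan_memory(memory: bytes, rules: List[str]) -> Dict[str, List[int]]:
    """Map rule msg -> sorted offsets at which its contents occur. A rule
    counts as a hit only if every one of its content patterns is present."""
    hits: Dict[str, List[int]] = {}
    for rule in rules:
        msg, patterns = rule_patterns(rule)
        offsets: List[int] = []
        for pat, nocase in patterns:
            rx = re.compile(re.escape(pat), re.IGNORECASE if nocase else 0)
            found = [m.start() for m in rx.finditer(memory)]
            if not found:
                offsets = []
                break
            offsets.extend(found)
        if offsets:
            hits[msg] = sorted(offsets)
    return hits


if __name__ == "__main__":
    for msg, offs in scan_memory(SAMPLE_MEMORY, SAMPLE_RULES).items():
        print(f"{msg}: offsets {offs}")
```

Two things worth noticing when you run this over a real dump: a rule without `nocase` will miss the upper-cased `/CMD.PHP` artifact even though a network IDS would have caught the same request on the wire only if the attacker kept the case the rule expects, and multi-content rules match here regardless of order, so treat hits as leads for the analyst rather than verdicts.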
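Earl Zmijewski's valley-property clue from the BGP MITM talk above is mechanical enough to automate. The block below is an added example, not Renesys' method or code: it applies the standard valley-free rule (customer-to-provider hops, then at most one peer hop, then provider-to-customer hops) to AS_PATHs as a route collector sees them, and flags paths whose origin disagrees with the majority of vantage points. The AS numbers and relationships are constructed and hypothetical; in practice you would load inferred relationships from a dataset such as CAIDA's AS Relationships files.

```python
"""Valley-free audit of BGP AS paths, as a first filter for MITM-style hijacks.

Added example, not Renesys' method or code. The topology below is
constructed and no AS number here reflects a real relationship.
"""
from typing import List, Optional, Set, Tuple

# Constructed topology: 100 and 200 are transit providers that peer;
# 300 is a customer of 100, 400 a customer of 200; 500 is a small ISP
# buying transit from both 300 and 400; 700 is a customer of 200 and
# originates the prefix being watched.
PROVIDER_TO_CUSTOMER: Set[Tuple[int, int]] = {
    (100, 300), (200, 400), (300, 500), (400, 500), (200, 700),
}
PEERS: Set[frozenset] = {frozenset((100, 200))}


def hop_type(announcer: int, receiver: int) -> Optional[str]:
    """Classify the export of a route from announcer to receiver."""
    if (receiver, announcer) in PROVIDER_TO_CUSTOMER:
        return "c2p"      # customer announces to its provider (uphill)
    if (announcer, receiver) in PROVIDER_TO_CUSTOMER:
        return "p2c"      # provider announces to its customer (downhill)
    if frozenset((announcer, receiver)) in PEERS:
        return "p2p"
    return None           # relationship unknown


def check_valley_free(as_path: List[int]) -> Tuple[bool, List[str]]:
    """as_path is in AS_PATH attribute order: collector's neighbour first,
    origin last. Returns (ok, per-hop labels). ok is False on a valley or
    on a hop whose relationship is unknown."""
    propagation = list(reversed(as_path))   # origin first
    phase, ok, labels = "up", True, []
    for a, b in zip(propagation, propagation[1:]):
        t = hop_type(a, b)
        labels.append(f"{a}->{b}:{t or 'unknown'}")
        if t is None:
            ok = False
        elif phase == "up":
            if t == "p2p":
                phase = "peer"
            elif t == "p2c":
                phase = "down"
        elif phase == "peer":
            if t == "p2c":
                phase = "down"
            else:
                ok = False   # second peer hop, or climbing after peering
        else:                # downhill: any further climb is a valley
            if t != "p2c":
                ok = False
    return ok, labels


def audit_prefix(observed_paths: List[List[int]]) -> List[Tuple[List[int], str]]:
    """Given AS_PATHs for one prefix seen from several vantage points, return
    the suspicious ones with a reason: an origin that disagrees with the
    majority, an unknown relationship, or a valley (for example a small AS
    apparently carrying traffic between two larger networks)."""
    origins = [p[-1] for p in observed_paths]
    majority_origin = max(set(origins), key=origins.count)
    suspicious = []
    for path in observed_paths:
        ok, labels = check_valley_free(path)
        if path[-1] != majority_origin:
            suspicious.append((path, f"origin {path[-1]} differs from {majority_origin}"))
        elif not ok:
            unknown = [l for l in labels if l.endswith("unknown")]
            reason = ("unknown relationship: " + ", ".join(unknown)) if unknown \
                else ("valley: " + " ".join(labels))
            suspicious.append((path, reason))
    return suspicious


if __name__ == "__main__":
    paths = [
        [100, 200, 700],                  # 700->200 c2p, 200->100 p2p
        [400, 200, 700],                  # 700->200 c2p, 200->400 p2c
        [100, 300, 500, 400, 200, 700],   # 500 carrying traffic between 400 and 300
    ]
    for path, reason in audit_prefix(paths):
        print(path, reason)
```

The third path is the shape the talk warned about: the route goes downhill from 200 to 400 to 500, then climbs again through 300 to 100, which no valley-free policy would produce. An unknown relationship is reported separately rather than ignored, because inferred relationship data is incomplete and a silent pass there is exactly where a hijack would hide.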


Overall I found the talks very informative and balanced across a variety of issues, from the CPU level all the way up to BGP.

Looking ahead, the Black Hat Europe 2009 speakers list looks much different, and I hope to be able to see at least some of the talks after I teach there.



Black Hat DC 2009 Wrap-Up, Day 1

I taught the first edition of TCP/IP Weapons School 2.0 at Black Hat DC 2009 Training in Arlington, VA last week to 31 students. Thanks to Steve Andres from Special Ops Security and Joe Klein from Command Information for helping as teaching assistants, and to Ping Look and the whole Black Hat staff for making the class successful.

I believe the class went well and I am looking forward to teaching at Black Hat Europe 2009 Training in April. Very soon I will post a sample lab from the class on this blog so you can get a feeling for this class, since it is completely new and totally slide-free.

I hope to blog a little more now that the class is done. I spent the vast majority of my free time over the last three months preparing the new class, even completing the coursework three days before the class, printing the books and burning the DVDs myself. I expect preparations for Amsterdam and eventually Las Vegas to be easier.

After my training I attended Black Hat DC 2009 Briefings. Without doubt, Black Hat is the best security conference I attend. Jeff Moss and company consistently put the best players on the field, year after year. Just as I wrote a Black Hat DC 2008 Wrap-Up, I'd like to do the same for 2009. You can access slide decks, and in some cases, video recordings, of the Briefings here.

  • I started the Briefings with Paul Kurtz, who emphasized 1) increased intelligence community (IC) involvement in our industry; 2) explicit cyber weapon development; and 3) defining authority for a "cyber Katrina." The IC needs to contribute attribution to the cyber picture, similar to its role in counter-terrorism actions. Attribution facilitates deterrence, a topic which I will address independently later. If you object to the "militarization of cyber space," Paul's answer is simple: "Too late."

    The US needs a) a strategy to defeat adversaries with cyber weapons; b) a governance model for command and control; c) treaties with allies; d) more open discussion, unlike the CNCI; and e) hack-back authority to trace attacks technically as an alternative or enhancement to IC attribution techniques or to disable malicious systems.

  • Moxie Marlinspike reiterated his SSL Basic Constraints vulnerability (CVE-2002-0862) of 2002.



    He then outlined ways to degrade SSL encryption by modifying traffic that links to HTTPS sites (via his "sslstrip" tool), along with clever ways to abuse Internationalized Domain Names (IDN). Steve Andres advised I configure Firefox using about:config -> network.IDN_show_punycode = true to always cause IDN sites to render in Punycode -- e.g. as http://www.xn--mnchhausen-9db.at/ and not http://www.münchhausen.at/ . I found it interesting that Moxie tested his SSL techniques by running a Tor exit node. See Dan Kaminsky's post for some good commentary.

  • I watched some of Michael Muckin's talk on Windows Vista Security Internals, but I checked out early to meet some friends for lunch away from the conference.

  • I returned to see Joanna Rutkowska and Rafal Wojtczuk continue to abuse Intel. I found Joanna's comment about the wisdom of addressing vulnerabilities in System Management Mode (SMM) by writing a new SMM Transfer Monitor (STM) interesting. If the SMM has vulnerabilities that can be monitored by a STM, what ensures the STM doesn't have vulnerabilities that require monitoring? Details are posted on their Invisible Things blog, including a paper, and not just slides.

    I must really praise them for writing a paper on this subject, using full sentences and paragraphs. After attending The Best Single Day Class Ever last year, I have made a point to congratulate anyone who resists the temptation to consider PowerPoint as a legitimate means of communication, especially as their sole means of communication. The next time you doubt your ability to write a paper instead of a PowerPoint slide, remember that Joanna and Rafal aren't even native English speakers, and they managed to describe their work in a paper!

    Their presentation raised interesting issues regarding engaging security researchers. Invisible Things Lab researches two types of security problems: design flaws and implementation flaws. Intel (and other vendors) provide both. Intel wants ITL to sign a NDA before it will share details of its designs. ITL prefers to not be bound by NDA. Clearly, Intel's latest initiative suffers severe design flaws. By not engaging ITL, Intel has wasted many man-months of research and implementation. Was that worth not engaging ITL because they would not sign the NDA? If Intel is serious about security, they need to work around this legal and intellectual property problem. If they only care about security theater, they can pretend to care about security but bring a flawed product to market.

  • I really enjoyed Michael Sutton's talk on vulnerabilities and exposures of persistent Web browser storage. He outlined issues with the four methods listed in this figure.



    I was interested in hearing how one could perform persistent client-side cross-site scripting by inserting malicious JavaScript into a user's cookies. An intruder could perform a similar attack, called client-side SQL injection, against the databases maintained by Gears and HTML 5 implementations.

  • I finished day one by attending Adam Laurie's discussion of satellite hacking. I was most impressed by his application of visualization to the problem of deciding what channels were worth observing.
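The Firefox punycode setting above protects the person at the keyboard; the retrospective-analysis post earlier on this page suggests the matching log-side check, reviewing Web proxy logs for IDN in URIs. The block below is an added example and not code from the original post or from Moxie's tools: it pulls the URL host out of Squid-style access.log lines, decodes any `xn--` label with Python's built-in punycode codec, and flags labels that mix scripts (the Latin/Cyrillic look-alike is the classic homograph case). The log lines, client addresses and hostnames are constructed for the example.

```python
"""Find IDN (punycode) hosts in Web proxy logs and decode them.

Added example, not code from the original post. The log lines are
constructed in Squid native access.log layout (time, elapsed, client,
status, bytes, method, URL, ...); only the client and URL fields are used.
"""
import unicodedata
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed log lines. The second IDN host is a Latin/Cyrillic look-alike
# built for this example; the last one is deliberately malformed punycode.
SAMPLE_LOG = """\
1235600000.123    120 10.0.0.5 TCP_MISS/200 4521 GET http://www.xn--mnchhausen-9db.at/ - DIRECT/192.0.2.10 text/html
1235600001.456     90 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.com/login - DIRECT/192.0.2.20 text/html
1235600002.789    200 10.0.0.9 TCP_MISS/200 2048 GET http://www.xn--pypal-4ve.com/signin - DIRECT/192.0.2.30 text/html
1235600003.000     50 10.0.0.9 TCP_MISS/400 0 GET http://xn--pypal-4v.example/ - DIRECT/192.0.2.40 text/html
"""


def decode_label(label: str) -> str:
    """Decode one xn-- label to Unicode. Non-IDN labels come back unchanged;
    a malformed punycode label raises UnicodeError."""
    if not label.lower().startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def scripts_in(text: str) -> Set[str]:
    """Script families of the letters in text, e.g. {'LATIN', 'CYRILLIC'},
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
            for ch in text if ch.isalpha()}


def analyze_host(host: str) -> Optional[Dict[str, object]]:
    """None for plain hosts; otherwise the decoded form, a mixed-script flag,
    and whether the punycode was malformed."""
    labels = host.split(".")
    if not any(l.lower().startswith("xn--") for l in labels):
        return None
    try:
        decoded = [decode_label(l) for l in labels]
    except UnicodeError:
        return {"host": host, "decoded": None, "mixed_script": False, "malformed": True}
    return {
        "host": host,
        "decoded": ".".join(decoded),
        "mixed_script": any(len(scripts_in(l)) > 1 for l in decoded),
        "malformed": False,
    }


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """One finding per log line whose URL host contains an IDN label."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # not a complete access.log record
        client, url = fields[2], fields[6]
        finding = analyze_host(urlsplit(url).hostname or "")
        if finding:
            finding.update(client=client, url=url)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["client"], f["host"], "->", f["decoded"],
              "MIXED-SCRIPT" if f["mixed_script"] else "",
              "MALFORMED" if f["malformed"] else "")
```

Mixed-script labels are the ones to triage first; a label that is entirely non-Latin (a legitimately localized domain) decodes to a single script and is not flagged. Malformed labels are reported rather than skipped, since a client requesting a host that no resolver could have handled is itself worth a look.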


I'll wrap up day two shortly.



Thursday, February 19, 2009

Thoughts on Air Force Blocking Internet Access

Last year I wrote This Network Is Maintained as a Weapon System, in response to a story on Air Force blocks of blogging sites. Yesterday I read Air Force Unplugs Bases' Internet Connections by Noah Shachtman:

Recently, internet access was cut off at Maxwell Air Force Base in Alabama, because personnel at the facility "hadn't demonstrated — in our view at the headquarters — their capacity to manage their network in a way that didn't make everyone else vulnerable," [said] Air Force Chief of Staff Gen. Norton Schwartz.

I absolutely love this. While in the AFCERT I marvelled at the Marine Corps' willingness to take the same actions when one of their sites did not take appropriate defensive actions.

Let's briefly describe what needs to be in place for such an action to take place.

  1. Monitored. Those who wish to make a blocking decision must have some evidence to support their action. The network subject to cutoff must be monitored so that authorities can justify their decision. If the network to be cut off is attacking other networks, the targets of the attacks should also be monitored and use their data to justify action.

  2. Inventoried. The network to be cut off must be inventoried. The network must be understood so that a decision to block gateways A and B doesn't leave unknown gateways C and D free to continue conducting malicious activity.

  3. Controlled. There must be a way to implement the block.

  4. Claimed. The authorities must know the owners of the misbehaving network and be able to contact them.

  5. Command and Control. The authorities must be able to exercise authority over the misbehaving network.

You might notice the first four items are the first four elements of my Defensible Network Architecture 2.0 of a year ago.

Number five is very important. Those deciding to take blocking action must be able to exercise a block despite objections by the site. The site is likely to use terms like "mission critical," "business impact," "X dollars per hour," etc. The damage caused by leaving the malicious network able to attack the rest of the enterprise must exceed the impact of lost network connectivity to the misbehaving network.

It is usually much easier to wrap impact around a network outage than it is to determine the cost of sustaining and suffering network attacks. Loss of availability is usually easier to measure than losses of confidentiality or integrity. The easiest situation is one where downtime confronts downtime, i.e., cutting off a misbehaving site will allow its targets to restore their networks. This would be true of a malicious site conducting a DoS attack against others; terminating the offender denies his network availability but restores the victim's availability. That is why sites are most likely to allow network cutoffs when rogue code in one site is aggressively scanning or DoS'ing a target, resulting in the target losing services.

Does your enterprise have a policy that allows cutting off misbehaving subnets?



Sunday, February 15, 2009

Back from Bro Workshop

Last week I attended the Bro Hands-On Workshop 2009. Bro is an open source network intrusion detection and traffic characterization program with a lineage stretching to the mid-1990s. I finally met Vern Paxson in person, which was great. I've known who Vern was for about 10 years but never met him or heard him speak.

I first covered Bro in The Tao of Network Security Monitoring in 2004 with help from Chris Manders. About two years ago I posted Bro Basics and Bro Basics Follow-Up here. I haven't used Bro in production but after learning more about it in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 workshop I would be comfortable using some of Bro's default features.

I'm not going to say anything right now about using Bro. I did integrate Bro analysis into most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cases in my all-new TCP/IP Weapons School 2.0 class at Black Hat this year. If TechTarget clears me for writing again in 2009 I will probably write some Bro articles for Traffic Talk.




Tuesday, February 10, 2009

Last Day to Register Online for TCP/IP Weapons School 2.0 in DC

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat DC 2009 Training on 16-17 February 2009 at the Hyatt Regency Crystal City in Arlington, VA. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class on the east coast of the United States in 2009.

The short description says:

This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation, and response for digital intrusions.

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 2.0 (TWS2) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS2 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.


Online registration ends 11 Feb, and appears to restart onsite on 16 Feb.

If you've attended previous classes, even TCP/IP Weapons School, the new class is brand new and you're definitely welcome back. We have a few seats still left. Thank you.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

New Online Packet Repository

As of a few weeks ago I am no longer involved with OpenPacket.org. One of the reasons is a great new online packet repository sponsored and run by Mu Dynamics called Pcapr. I've had an account there for a few months, but it looks like the site is now open to the general public. Check it out -- there are a lot of cool features already.



Thursday, February 05, 2009

Benefits of Removing Administrator Access in Windows

I think most security people advocate removing administrator rights for normal Windows users, but I enjoy reading even a cursory analysis of this "best practice" as published by BeyondTrust and reported by ComputerWorld. From the press release:

BeyondTrust’s findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft’s security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

Other key findings from BeyondTrust’s report show that removing administrator rights will better protect companies against the exploitation of:

* 94 percent of Microsoft Office vulnerabilities reported in 2008
* 89 percent of Internet Explorer vulnerabilities reported in 2008
* 53 percent of Microsoft Windows vulnerabilities reported in 2008.

I'd like to take this a step further. Let's compare a system operated by a user with no administrator rights -- but no antivirus -- against a system operated by an administrator *with* antivirus. I believe the no-administrator-rights system would survive more often, albeit not without some failures. Anyone know of a study like that?



More on Weaknesses of Models

I read the following in the Economist:

Edmund Phelps, who won the Nobel prize for economics in 2006, is highly critical of today’s financial services.

"Risk-assessment and risk-management models were never well founded," he says. "There was a mystique to the idea that market participants knew the price to put on this or that risk.

But it is impossible to imagine that such a complex system could be understood in such detail and with such amazing correctness... the requirements for information... have gone beyond our abilities to gather it."


This is absolutely the problem I mentioned in Are the Questions Sound? and Wall Street Clowns and Their Models. Phelps could easily be describing information security models.



Tuesday, February 03, 2009

Notes on Installing Sguil Using FreeBSD 7.1 Packages

It's been a while since I've looked at the Sguil ports for FreeBSD, so I decided to see how they work.

In this post I will talk about installing a Sguil sensor and server on a single FreeBSD 7.1 test VM using packages shipped with FreeBSD 7.1.

To start with, the system had no packages installed.

After running pkg_add -vr sguil-sensor, I watched what was added to the system. I'm only going to document what I found interesting.

The sguil-sensor-0.7.0_2 package installed the following into /usr/local.

x bin/sguil-sensor/log_packets.sh
x bin/sguil-sensor/example_agent.tcl
x bin/sguil-sensor/pcap_agent.tcl
x bin/sguil-sensor/snort_agent.tcl
x etc/sguil-sensor/example_agent.conf-sample
x etc/sguil-sensor/pcap_agent.conf-sample
x etc/sguil-sensor/snort_agent.conf-sample
x etc/sguil-sensor/log_packets.conf-sample
x share/doc/sguil-sensor <- multiple files, omitted here
x etc/rc.d/example_agent
x etc/rc.d/pcap_agent
x etc/rc.d/snort_agent

Note that you have to copy

pcap_agent.conf-sample
log_packets.conf-sample
snort_agent.conf-sample

to

pcap_agent.conf
log_packets.conf
snort_agent.conf

and edit each, prior to starting

pcap_agent.tcl
log_packets.sh
snort_agent.tcl

via

rc.d/pcap_agent
cron
rc.d/snort_agent

Also, as noted in the configuration options, PADS and SANCP are not installed by default, so the package doesn't include them:

===> The following configuration options are available for sguil-sensor-0.7.0_2:
SANCP=off (default) "Include sancp sensor"
PADS=off (default) "Include pads sensor"
===> Use 'make config' to modify these settings


The snort-2.8.2.1_1 package installed the following.

x man/man8/snort.8.gz
x bin/snort
x etc/snort/classification.config-sample
x etc/snort/gen-msg.map-sample
x etc/snort/reference.config-sample
x etc/snort/sid-msg.map-sample
x etc/snort/snort.conf-sample
x etc/snort/threshold.conf-sample
x etc/snort/unicode.map-sample
x src/snort_dynamicsrc/bitop.h
x src/snort_dynamicsrc/debug.h
x src/snort_dynamicsrc/pcap_pkthdr32.h
x src/snort_dynamicsrc/preprocids.h
x src/snort_dynamicsrc/profiler.h
x src/snort_dynamicsrc/sf_dynamic_common.h
x src/snort_dynamicsrc/sf_dynamic_meta.h
x src/snort_dynamicsrc/sf_dynamic_preproc_lib.c
x src/snort_dynamicsrc/sf_dynamic_preproc_lib.h
x src/snort_dynamicsrc/sf_dynamic_preprocessor.h
x src/snort_dynamicsrc/sf_snort_packet.h
x src/snort_dynamicsrc/sf_snort_plugin_api.h
x src/snort_dynamicsrc/sfghash.h
x src/snort_dynamicsrc/sfhashfcn.h
x src/snort_dynamicsrc/sfsnort_dynamic_detection_lib.c
x src/snort_dynamicsrc/sfsnort_dynamic_detection_lib.h
x src/snort_dynamicsrc/str_search.h
x src/snort_dynamicsrc/stream_api.h
x lib/snort/dynamicengine/libsf_engine.so
x lib/snort/dynamicengine/libsf_engine.so.0
x lib/snort/dynamicengine/libsf_engine.la
x lib/snort/dynamicengine/libsf_engine.a
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.so
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.la
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.a
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.a
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.la
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so.0
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.a
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.la
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.a
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.la
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.so
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.a
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.la
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so.0
x share/examples/snort/classification.config-sample <- copied to classification.config
x share/examples/snort/create_db2
x share/examples/snort/create_mssql
x share/examples/snort/create_mysql
x share/examples/snort/create_oracle.sql
x share/examples/snort/create_postgresql
x share/examples/snort/gen-msg.map-sample <- copied to gen-msg.map
x share/examples/snort/reference.config-sample <- copied to reference.config
x share/examples/snort/sid-msg.map-sample <- copied to sid-msg.map
x share/examples/snort/snort.conf-sample <- copied to snort.conf
x share/examples/snort/threshold.conf-sample <- copied to threshold.conf
x share/examples/snort/unicode.map-sample <- copied to unicode.map
x share/doc/snort <- multiple files, omitted here
x etc/rc.d/snort

These are the configuration options for Snort.

===> The following configuration options are available for snort-2.8.2.2_2:
DYNAMIC=on (default) "Enable dynamic plugin support"
FLEXRESP=off (default) "Flexible response to events"
FLEXRESP2=off (default) "Flexible response to events (version 2)"
MYSQL=off (default) "Enable MySQL support"
ODBC=off (default) "Enable ODBC support"
POSTGRESQL=off (default) "Enable PostgreSQL support"
PRELUDE=off (default) "Enable Prelude NIDS integration"
PERPROFILE=off (default) "Enable Performance Profiling"
SNORTSAM=off (default) "Enable output plugin to SnortSam"
===> Use 'make config' to modify these settings

I'm glad dynamic plugin support is enabled, but disappointed to see performance profiling disabled. The --enable-timestats option isn't available via the port at all, apparently.

The FreeBSD port/package can't ship with rules, so you need to download your own rules from Sourcefire, along with any Emerging Threats rules you might want to enable. You then need to edit the snort.conf file to account for your HOME_NET and rule preferences.

The barnyard-sguil-0.2.0_5 package installed the following.

x bin/barnyard
x etc/barnyard.conf-sample <- copied to etc/barnyard.conf by the port
x share/doc/barnyard <- multiple files, omitted here
x etc/rc.d/barnyard

I noticed the barnyard.conf only contained

output sguil

Usually we need something like this:

output sguil: sensor_name sensornamegoeshere
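The two hand edits above (copying each agent -sample file to its live .conf name, and giving barnyard its sensor_name) as an added shell example; this is not code from the post or from the Sguil port, and the directory layout is the one in the package listing above, with the sensor name supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the original post or the sguil-sensor port.
# Prepares a package-installed sguil-sensor for first start, following the
# layout the post lists under /usr/local.

# Copy each agent *.conf-sample to its .conf name. Existing .conf files are
# never overwritten, so re-running after hand edits is safe. Prints the
# number of configs created. Argument: the etc/sguil-sensor directory.
seed_sensor_confs() {
    dir="$1"
    created=0
    for sample in "$dir"/pcap_agent.conf-sample \
                  "$dir"/log_packets.conf-sample \
                  "$dir"/snort_agent.conf-sample; do
        [ -f "$sample" ] || continue
        conf="${sample%-sample}"
        if [ ! -e "$conf" ]; then
            cp "$sample" "$conf"
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# barnyard.conf from the package only says "output sguil"; sguild needs the
# sensor name, so rewrite that line as "output sguil: sensor_name <name>".
# Returns 0 when the file carries a sensor_name afterwards, 1 when it has no
# sguil output line at all, 2 when the name has characters we do not accept
# (sguild uses the name in database rows and on-disk paths, so keep it plain).
set_barnyard_sensor_name() {
    conf="$1"; name="$2"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 2 ;;
    esac
    [ -f "$conf" ] || return 1
    # Already configured: leave it alone rather than silently renaming the sensor.
    if grep -q '^output sguil: sensor_name ' "$conf"; then
        return 0
    fi
    if grep -q '^output sguil[[:space:]]*$' "$conf"; then
        tmp="$conf.tmp.$$"
        # Write to a temp file and rename: sed -i differs between BSD and GNU.
        sed "s/^output sguil[[:space:]]*\$/output sguil: sensor_name $name/" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
        return 0
    fi
    return 1
}

# Touch the real paths only when asked, e.g. "sh prep-sensor.sh apply mysensor".
if [ "${1:-}" = "apply" ]; then
    echo "created $(seed_sensor_confs /usr/local/etc/sguil-sensor) config file(s)"
    set_barnyard_sensor_name /usr/local/etc/barnyard.conf "${2:-sensornamegoeshere}"
fi
```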

When done, the following packages are installed:

tao# pkg_info
barnyard-sguil-0.2.0_5 An output system for Snort (patched for sguil)
mysql-client-5.0.67_1 Multithreaded SQL database (client)
pcre-7.7_1 Perl Compatible Regular Expressions library
sguil-sensor-0.7.0_2 Sguil is a network security monitoring program
snort-2.8.2.1_1 Lightweight network intrusion detection system
tcl-8.4.19,1 Tool Command Language
tclX-8.4_1 Extended TCL
tcltls-1.6 SSL extensions for TCL; dynamicly loadable

Because I want this test system to host the Sguil server too, I decided to move to that phase of the testing.

Before adding the sguil-server package, I need to install MySQL server 5.0. This is due to the configuration options:

===> The following configuration options are available for sguil-server-0.7.0_2:
MYSQL50=off (default) "Install mysql50 server"
===> Use 'make config' to modify these settings

I assume this is the case because the port maintainer prefers running MySQL on one system and the Sguil server on another.

Therefore, I install MySQL server 5.0 using pkg_add -vr mysql50-server.

Next I stopped MySQL via /usr/local/etc/rc.d/mysql stop. This is critical for the next step in the process.

I installed sguil-server next via pkg_add -vr sguil-server.

The sguil-server-0.7.0_2 package installed the following.

x bin/archive_sguildb.tcl
x bin/incident_report.tcl
x bin/sguild
x etc/sguil-server/autocat.conf-sample
x etc/sguil-server/sguild.access-sample
x etc/sguil-server/sguild.conf-sample
x etc/sguil-server/sguild.email-sample
x etc/sguil-server/sguild.queries-sample
x etc/sguil-server/sguild.reports-sample
x etc/sguil-server/sguild.users-sample
x lib/sguil-server/SguildAccess.tcl
x lib/sguil-server/SguildAutoCat.tcl
x lib/sguil-server/SguildClientCmdRcvd.tcl
x lib/sguil-server/SguildConnect.tcl
x lib/sguil-server/SguildCreateDB.tcl
x lib/sguil-server/SguildEmailEvent.tcl
x lib/sguil-server/SguildEvent.tcl
x lib/sguil-server/SguildGenericDB.tcl
x lib/sguil-server/SguildGenericEvent.tcl
x lib/sguil-server/SguildHealthChecks.tcl
x lib/sguil-server/SguildLoaderd.tcl
x lib/sguil-server/SguildMysqlMerge.tcl
x lib/sguil-server/SguildPadsLib.tcl
x lib/sguil-server/SguildQueryd.tcl
x lib/sguil-server/SguildReportBuilder.tcl
x lib/sguil-server/SguildSendComms.tcl
x lib/sguil-server/SguildSensorAgentComms.tcl
x lib/sguil-server/SguildSensorCmdRcvd.tcl
x lib/sguil-server/SguildTranscript.tcl
x lib/sguil-server/SguildUtils.tcl
x share/sguil-server/create_ruledb.sql
x share/sguil-server/create_sguildb.sql
x share/sguil-server/migrate_event.tcl
x share/sguil-server/migrate_sancp.tcl
x share/sguil-server/sancp_cleanup.tcl
x share/sguil-server/update_0.7.tcl
x share/sguil-server/update_sguildb_v5-v6.sql
x share/sguil-server/update_sguildb_v6-v7.sql
x share/sguil-server/update_sguildb_v7-v8.sql
x share/sguil-server/update_sguildb_v8-v9.sql
x share/sguil-server/update_sguildb_v9-v10.sql
x share/sguil-server/update_sguildb_v10-v11.sql
x share/sguil-server/update_sguildb_v11-v12.sql
x share/doc/sguil-server/CHANGES
x share/doc/sguil-server/FAQ
x share/doc/sguil-server/INSTALL
x share/doc/sguil-server/INSTALL.openbsd
x share/doc/sguil-server/LICENSE.QPL
x share/doc/sguil-server/OPENSSL.README
x share/doc/sguil-server/TODO
x share/doc/sguil-server/UPGRADE
x share/doc/sguil-server/USAGE
x share/doc/sguil-server/sguildb.dia
x etc/rc.d/sguild

What came next was very interesting. The port maintainer created a script to help set up the server. I'll show relevant excerpts.

Running pre-install for sguil-server-0.7.0_2..
This sguild install script creates a "turnkey" install
of sguild, including configuing the database and conf files
and user accounts so that sguild can be started immediately.

You may have already done all this (especially if this is an upgrade)
and may not be interested in iterating through cert creation and
everything else that the script does.

This portion of the script creates user and group accounts named "sguil".
Would you like to opt out of this portion of the install script
n
==> Pre-installation configuration of sguil-server-0.7.0_2
User 'sguil' create successfully.
sguil:*:1002:1002::0:0:User &:/home/sguil:/usr/sbin/nologin
...edited...
Running post-install for sguil-server-0.7.0_2..
This sguild install script creates a "turnkey" install
of sguild, including configuing the database and conf files
and user accounts so that sguild can be started immediately.

You may have already done all this (especially if this is an upgrade)
and may not be interested in iterating through cert creation and
everything else that the script does.

Would you like to opt out of the entire install script
and configure sguild manually yourself?
n
There are a few things that need to be done to complete the install.
First, you need to create certs so that the ssl connections between server and
sensors will work, you need to create the database, the account to access it and
the tables for the database and you need to create the directories where all the
data will be stored. (You will also need to edit the conf files for your setup.)


If you haven't already done this, I can do it for you now.
Would you like to create certs now? (y for yes, n for no)
y
Creating /usr/local/etc/sguil-server/certs ....
First we need to create a password-protected CA cert.

(The Common Name should be the FQHN of your squil server.)
Generating a 1024 bit RSA private key
.....++++++
.......................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:M
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T
Organizational Unit Name (eg, section) []:O
Common Name (eg, YOUR name) []:R
Email Address []:o

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:sguil
An optional company name []:
Now we need to create the actual certificate for your server.
Signature ok
subject=/C=US/ST=VA/L=M/O=T/OU=O/CN=R/emailAddress=o
Getting CA Private Key
Enter pass phrase for privkey.pem:
Finally, we need to move the certs to the '/usr/local/etc/sguil-server/certs}' directory
and clean up the port directory as well.
mv: rename /a/ports/security/sguil-server/sguild.key to /usr/local/etc/sguil-server/certs/sguild.key:
No such file or directory
mv: rename /a/ports/security/sguil-server/sguild.pem to /usr/local/etc/sguil-server/certs/sguild.pem:
No such file or directory
rm: /a/ports/security/sguil-server/CA.pem: No such file or directory
rm: /a/ports/security/sguil-server/privkey.pem: No such file or directory
rm: /a/ports/security/sguil-server/sguild.req: No such file or directory
rm: /a/ports/security/sguil-server/file.sr1: No such file or directory

Those errors happen because the script was written with the assumption that it would be run from a ports installation, not a package installation. I emailed the ports maintainer to see if the problem can be fixed.

Is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 installation of mysql brand new and unaltered?
By default, when mysql is installed, it creates five accounts.
None of those accounts are protected by passwords. That needs to be corrected.
The five accounts are:
root@localhost
root@127.0.0.1
root@tao.taosecurity.com
@localhost
@tao.taosecurity.com
I can remove all of the accounts except root@localhost (highly recommended)
and I can set the password for the root@localhost account. (If you get an error
don't worry about it. The account may not have been created to begin with.
Would you like me to do that now?
y
Enabling mysql in /etc/rc.conf and starting the server.....
It appears that mysql is already enabled!

The mysql pid is ....
Starting mysql.
Deleting users from mysql......
All done deleting.......
What would you like root@localhost's password to be?
root
Would you like to bind mysql to localhost so it only listens on that address?

y
The mysql pid is 1694.....
Stopping mysql.
Waiting for PIDS: 1694.
Starting mysql.
Would you like to create the database to store all nsm data?

y
NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade.
./+INSTALL: cannot open /work/a/ports/security/sguil-server/work/sguil-0.7.0/server/sql_scripts/create_sguildb.sql:
No such file or directory

This error is similar to the previous error. I also emailed the port maintainer.

Would you like to create a user "sguild@localhost" for database access?

y
Please enter the password that you want to use for the sguild account.

sguil
Creating account for sguild with access to sguildb.....
Would you like to create the data directory and all its subdirectories?

y
What do you want the name of the main directory to be?
(Be sure to include the full path to the directory - e.g. /var/nsm)
/var/nsm
The main directory will be named '/var/nsm'.
Creating /var/nsm ....
Creating /var/nsm/archives ....
Creating /var/nsm/rules ....
Creating /var/nsm/load ....
Would you like to enable sguild in /etc/rc.conf?

y
iWriting to /etc/rc.conf....

If the sguild.conf file does not exist, I will create and edit it now.

Preparing to edit the sguild.conf file......
You still need to review all the conf files and configure sguil
per your desired setup before starting sguild. Refer to the port docs in
/usr/local/share/doc/sguil-server before proceeding.

Right now, all the conf files except sguild.conf are set to the defaults.
...edited...

That ends the need for user input. The final step advises the user on other required changes.

***********************************
* !!!!!!!!!!! WARNING !!!!!!!!!!! *
***********************************

PLEASE NOTE: If you are upgrading from a previous version,
read the UPGRADE doc (in /usr/local/share/doc/sguil-server) before proceeding!!!
Some noteworthy changes in version 0.7.0:
SSL is now required for server, sensor and client.
The sguild.conf and sguild.email files have changed.
You MUST run the upgrade_0.7.tcl script to clean up and
prepare the database before running the new version. BE SURE
TO BACK UP YOUR DATABASE BEFORE PROCEEDING!!!

If you had existing config files in /usr/local/etc/sguil-server
they were not overwritten. If this is a first time install, you
must copy the sample files to the corresponding conf file and
edit the various config files for your site. See the INSTALL
doc in /usr/local/share/doc/sguil-server for details. If this is an upgrade, replace
your existing conf file with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new one and edit accordingly.

The sql scripts for creating database tables were placed in
the /usr/local/share/sguil-server/ directory. PLEASE
NOTE: LOG_DIR is not set by this install. You MUST create the
correct LOG_DIRS and put a copy of the snort rules you use in
LOG_DIR/rules.

The sguild, archive_sguildb.tcl and incident_report.tcl scripts
were placed in /usr/local/bin/. The incident_report.tcl
script is from the contrib section. There is no documentation
and the script's variables must be edited before it is used.

A startup script, named sguild.sh was installed in
/usr/local/etc/rc.d/. To enable it, edit /etc/rc.conf
per cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 instructions in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script.

NOTE: Sguild now runs under cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sguil user account not root!

At the end of the process the system had these packages installed.

tao# pkg_info
barnyard-sguil-0.2.0_5 An output system for Snort (patched for sguil)
mysql-client-5.0.67_1 Multithreaded SQL database (client)
mysql-server-5.0.67_1 Multithreaded SQL database (server)
mysqltcl-3.05 TCL module for accessing MySQL databases based on msqltcl
p0f-2.0.8 Passive OS fingerprinting tool
pcre-7.7_1 Perl Compatible Regular Expressions library
sguil-sensor-0.7.0_2 Sguil is a network security monitoring program
sguil-server-0.7.0_2 Sguil is a network security monitoring program
snort-2.8.2.1_1 Lightweight network intrusion detection system
tcl-8.4.19,1 Tool Command Language
tclX-8.4_1 Extended TCL
tcllib-1.10_1 A collection of utility modules for Tcl
tcltls-1.6 SSL extensions for TCL; dynamicly loadable
tcpflow-0.21_1 A tool for capturing data transmitted as part of TCP connec

If I wanted to go from here to actually run the Sguil server, I would have to manually create the database and certificates. Once the script is fixed I shouldn't have to do that.

The major configuration issue that remains is ensuring that data is written to sensible locations. This primarily means the pcap data is stored on a partition that can accommodate it, and the database is located on a partition that can handle growing tables.
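
The data-location question above is easy to get wrong on a box that was just installed from ports, so here is an added example (my code, not from the post, the Sguil project or the FreeBSD port) that resolves which filesystem the pcap store and the MySQL datadir actually sit on, flags the two classic mistakes (pcap on the root filesystem, pcap and database sharing one filesystem), and estimates how many days of full-content capture the pcap filesystem can hold at a given average link rate. The paths /nsm and /var/db/mysql and the 20 Mbit/s figure are assumptions for illustration; substitute your LOG_DIR and datadir.

```python
import os
import shutil

# Assumed locations (not from the original post): Sguil's LOG_DIR, where the
# sensor's full-content pcap files land, and the MySQL datadir holding sguildb.
PCAP_DIR = "/nsm"
DB_DIR = "/var/db/mysql"


def mount_point(path: str) -> str:
    """Return the mount point of the filesystem holding `path`.

    Works for paths that do not exist yet: walk up the normalised path until
    os.path.ismount() is true, ending at "/" in the worst case.
    """
    path = os.path.realpath(path)
    while not os.path.ismount(path):
        parent = os.path.dirname(path)
        if parent == path:          # reached the root without a mount point
            break
        path = parent
    return path


def retention_days(capacity_bytes: int, avg_bits_per_sec: float,
                   headroom: float = 0.9) -> float:
    """Days of full-content capture `capacity_bytes` holds at a sustained
    average link rate, filling the space only to `headroom` (default 90%)."""
    if avg_bits_per_sec <= 0:
        raise ValueError("average rate must be positive")
    bytes_per_day = avg_bits_per_sec / 8 * 86400
    return capacity_bytes * headroom / bytes_per_day


def check_layout(pcap_dir: str, db_dir: str, avg_bits_per_sec: float,
                 min_retention_days: float = 7) -> dict:
    """Report where the pcap store and the database really live, how many
    days of capture the pcap filesystem can hold, and any layout problems."""
    pcap_fs = mount_point(pcap_dir)
    db_fs = mount_point(db_dir)
    pcap_free = shutil.disk_usage(pcap_fs).free
    days = retention_days(pcap_free, avg_bits_per_sec)
    problems = []
    if pcap_fs == "/":
        problems.append(f"{pcap_dir} is on the root filesystem; a full pcap "
                        "store will fill / and take the OS down with it")
    if pcap_fs == db_fs:
        problems.append(f"{pcap_dir} and {db_dir} share {pcap_fs}; pcap "
                        "growth will starve the database (and vice versa)")
    if days < min_retention_days:
        problems.append(f"only {days:.1f} days of capture fit on {pcap_fs} "
                        f"at {avg_bits_per_sec / 1e6:.0f} Mbit/s average")
    return {"pcap_fs": pcap_fs, "db_fs": db_fs, "pcap_free_bytes": pcap_free,
            "retention_days": days, "problems": problems}


if __name__ == "__main__":
    report = check_layout(PCAP_DIR, DB_DIR, avg_bits_per_sec=20e6)
    print(f"pcap on {report['pcap_fs']}, database on {report['db_fs']}")
    print(f"~{report['retention_days']:.1f} days of capture at 20 Mbit/s average")
    for problem in report["problems"]:
        print("WARNING:", problem)
```

The retention estimate is the number to get right before the sensor goes live: at 20 Mbit/s average a sensor writes about 216 GB of pcap per day, so a 500 GB partition buys roughly two days of full content, not the months people tend to assume.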

I think it should be clear at this point that the easiest way to try Sguil is to use NSMNow. I recommend that only for demo installations, although you can tweak the installation to put what you want in locations you like.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Monday, February 02, 2009

Data Leakage Protection Thoughts

"Data Leakage Protection" (DLP) appears to be the hot product everybody wants. I was asked to add to the SearchSecurity section I wrote two years ago, but I'm not really interested. I mentioned "extrusion" over five years ago in What Is Extrusion Detection?

This InformationWeek story had an interesting take:

What constitutes DLP? Any piece of backup software, disk encryption software, firewall, network access control appliance, virus scanner, security event and incident management appliance, network behavior analysis appliance--you name it--can be loosely defined as a product that facilitates DLP.

For the purposes of this Rolling Review, we will define enterprise DLP offerings as those that take a holistic, multitiered approach to stopping data loss, including the ability to apply policies and quarantine information as it rests on a PC (data in use), as it rests on network file systems (data at rest), and as it traverses the LAN or leaves the corporate boundary via some communication protocol (data in motion).

Locking down access to USB ports or preventing files from being printed or screen-captured isn't enough anymore; organizations require true content awareness across all channels of communication and across all systems.


Wow. Cue a giant product rebranding effort. "Yes, we do DLP!!"

I tried to capture my concerns in the following two figures.

I usually approach security issues from the point of view of a security analyst, meaning someone who has operational responsibilities. I don't just deploy security infrastructure. I don't just keep the security infrastructure functioning. I am usually the person who has to do something with the output of the security infrastructure.

In this respect I can see the world in two states: 1) block/filter/deny or 2) inspect and log.

As a security analyst, B/F/D is generally fairly simple. Once a blocking decision is made, I don't care that much. Sure, you might want to know why someone tried to do something that ended up resulting in a B/F/D condition, but since the target is unaffected I don't really care.

Consider this diagram.


As a security analyst, inspect and log is much more complicated. Nothing is blocked, but I am told that a suspicious or malicious activity was permitted. Now I really need to know that someone successfully completed an act that resulted in a permitted yet inspected and logged condition, because the target could be negatively affected.

Consider this diagram.


Some might naively assume that the solution to this problem is simply to forget inspection and logging and block/filter/deny everything. Good luck trying that in an operational setting! How often do we hear about so-called "IPS" running in passive mode? How many fancy "DLP" products are running now in alert-only mode?

At the risk of discussing too many topics at once, let me also contribute this: is it just me, or are we security people continuously giving ground to the adversary? In other words:

  1. Let's stop them at our firewall.

  2. Well, we have to let some traffic through. Our IPS will catch the bad guy.

  3. Shoot, that didn't work. Ok, when the bad guy tries to steal our data the DLP system will stop him.

  4. Darn, DLP is for "stopping stupid." At least when the bad guy gets the data back to his system our Digital Rights Management (DRM) will keep him from reading it. (Right.)


I guess my thoughts on DLP can be distilled to the following.

  1. DLP is "workable" (albeit of dubious value nevertheless) if you run it solely in a B/F/D mode.

  2. As soon as you put DLP in inspect and log mode, you need to hire an army of analysts to make sense of the output.

  3. The amount of asset understanding required to run DLP in either mode is likely to be incredibly large, unless you so narrowly scope it as to make me question why you bought a new product to enforce such a policy.

  4. DLP is not going to stop anyone who is not stupid.
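
To make points 1, 2 and 4 concrete, here is an added example (my code, not from the original post and not modelled on any particular DLP product): a toy content-aware DLP check for card numbers, run over constructed outbound messages carrying the same number four ways. The card number is the well-known Luhn-valid 4111 1111 1111 1111 test value; the message formats, the single base64 normalisation layer and the block-versus-log decision table are my assumptions about how such a product behaves.

```python
import base64
import re
import zlib

# Well-known Luhn-valid test card number; constructed sample data, not from
# the original post.
SAMPLE_PAN = "4111111111111111"

# 13-16 digits, optionally separated by single spaces or dashes and not glued
# to other digits: the kind of pattern a "content-aware" DLP rule carries.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# Anything long enough to be a base64 blob worth decoding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Naive single-layer inspection: regex plus Luhn on the raw text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_pans_deep(text: str) -> list[str]:
    """One normalisation layer: also inspect base64 tokens that decode to
    text. Each such layer costs CPU and catches exactly one more trick."""
    views = [text]
    for m in B64_TOKEN_RE.finditer(text):
        try:
            views.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):   # not base64, or not text
            continue
    found = []
    for view in views:
        for pan in find_pans(view):
            if pan not in found:
                found.append(pan)
    return found


def dlp_decision(text: str, mode: str) -> dict:
    """B/F/D mode stops the transfer and needs no follow-up; inspect-and-log
    mode lets it through and hands an analyst a case to work."""
    pans = find_pans_deep(text)
    if not pans:
        return {"verdict": "allow", "pans": 0, "needs_analyst": False}
    if mode == "block":
        return {"verdict": "block", "pans": len(pans), "needs_analyst": False}
    return {"verdict": "allow", "pans": len(pans), "needs_analyst": True}


def exfil_variants(pan: str) -> dict[str, str]:
    """Constructed outbound messages: the same card number sent four ways."""
    msg = f"card {pan} exp 12/12"
    groups = " ".join(pan[i:i + 4] for i in range(0, len(pan), 4))
    return {
        "plaintext": msg,
        "spaced": f"card {groups} exp 12/12",
        "base64": base64.b64encode(msg.encode()).decode(),
        "deflate_b64": base64.b64encode(zlib.compress(msg.encode())).decode(),
    }


if __name__ == "__main__":
    for name, payload in exfil_variants(SAMPLE_PAN).items():
        print(f"{name:12s} naive={bool(find_pans(payload))!s:5s} "
              f"one-layer={bool(find_pans_deep(payload))}")
```

The naive check catches the plaintext and spaced variants and misses base64; the one-layer check catches base64 and still misses deflate-then-base64, and would miss any encrypted channel outright. That is the "stopping stupid" problem of point 4. The decision table is points 1 and 2: in block mode the hits simply stop and nobody has to look at them; in log mode every hit, including each one the normalisation layer manufactures, is a case somebody has to work.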


Is anyone else hearing demand for DLP, and what are you saying?



Sunday, February 01, 2009

Humans, Not Computers, Are Intrusion Tolerant

Several years ago I mentioned the human firewall project as an example of a security awareness-centric defensive measure. I thought it ironic that the project was dead by the time I looked into it.

On a similar note, I was considering the idea of intrusion tolerance recently, loosely defined as having a system continue to function properly despite being compromised. A pioneer in the field describes the concept thus:

Classical security-related work has on the other hand privileged, with few exceptions, intrusion prevention... [With intrusion tolerance, i]nstead of trying to prevent every single intrusion, these are allowed, but tolerated: the system triggers mechanisms that prevent the intrusion from generating a system security failure.

It occurred to me recently that, in one sense, we have already fielded intrusion tolerant systems. Any computer operated, owned, or managed by a person who doesn't care about its integrity is an intrusion tolerant system.

People tolerate the intrusion for various reasons, such as:

  1. "I don't think any threats are attacking me."

  2. "I don't see my system or information being disclosed / degraded / denied."

  3. "I don't have anything valuable on my system."


All of those are false, but intrusion tolerant systems (meaning the human plus the hardware and software) tolerate intrusions. What's worse is that modern threats understand these parameters and seek to work within them, rather than do something stupid like open and close a CD-ROM tray or waste bandwidth, tipping off the human by interfering with the operation of the system.

