Friday, March 10, 2006

Reviews of Software Piracy Exposed, Phishing Exposed, Stealing the Network: How to Own an Identity, and Insider Threat Posted

Amazon.com just posted my four-star review of Software Piracy Exposed. From the review:

I loved Software Piracy Exposed (SPE), despite the lack of good technical review, copyediting, and proofreading. I liked SPE because the author did original investigative reporting to gain the trust of the pirate underground. By infiltrating the scene, he brought an unprecedented level of access to the common reader. That is real threat reporting, which for me compensates for rough presentation.

Amazon.com just posted my five-star review of Phishing Exposed by Lance James of Secure Science. From the review:

Phishing Exposed is a powerful analysis of the many severe problems present in Web-based activities. Phishing Exposed is another threat-centric title from Syngress. The book presents research conducted by Secure Science Corporation as a way to understand the adversary. The author demonstrates his own attacks against multiple popular e-commerce sites as a way to show how phishers accomplish their goals. I was surprised by the extent to which the author could repeatedly abuse high-profile financial sites, and for that reason I highly recommend reading Phishing Exposed.

Amazon.com just posted my four-star review of Stealing the Network: How to Own an Identity. From the review:

I reviewed the first Stealing book in May 2003, and the second in September 2004. I liked the two earlier books, and the third book -- Stealing the Network: How to 0wn an Identity (STNHT0AI) -- is also a fun read. The book is most impressive when it outlines plausible scenarios for identity theft, penetrating wireless networks, and compromising Hushmail. Although some of the writing is rough, I still recommend reading this book.

Amazon.com just posted my four-star review of Insider Threat. From the review:

Those who want to understand the nature of internal attackers should read Insider Threat. The book combines general recommendations to detect and thwart internal attackers with case studies discussing fraud, espionage, and other unfortunate events. Insider Threat could benefit from a tighter focus and better presentation of material, but the core message is still noteworthy.

Review of Hacking Exposed: Cisco Networks Posted

Amazon.com just posted my four-star review of McGraw-Hill/Osborne's Hacking Exposed: Cisco Networks. From the review:

I've always been a fan of Osborne's Hacking Exposed books (although subjects like "Computer Forensics" don't seem to fit the spirit of the series). I previously read Wi-Foo: The Secrets of Wireless Hacking by the same authors who wrote Hacking Exposed: Cisco Networks (HECN). Comparing the two books, I agree with previous reviewer Sean E. Connelly; I think HECN was rushed to market. The book needs better technical review, proofreading, and copyediting as well. Nevertheless, I still recommend reading HECN -- it's a unique book on a critical subject.

Snort 2.6 BETA on FreeBSD

This week Sourcefire released Snort 2.4.4 and Snort 2.6 BETA. Because a ports tree freeze is in effect in preparation for FreeBSD 5.5 and 6.1, the Snort port will not be updated to 2.4.4 soon. If you want to install 2.4.4 using the ports tree, make the following changes to /usr/ports/security/snort/Makefile:

orr:/usr/ports/security/snort$ diff Makefile.orig Makefile
9,10c9,10
< PORTVERSION= 2.4.3
< PORTREVISION= 1
---
> PORTVERSION= 2.4.4
> #PORTREVISION= 1

Make these changes to distinfo:

orr:/usr/ports/security/snort$ diff distinfo.orig distinfo
1,6c1,3
< MD5 (snort-2.4.3.tar.gz) = 5c3c8c69f2459bbe0c1f2057966c88a7
< SHA256 (snort-2.4.3.tar.gz) = 4f3aa911234a9fc4beb5ba9b0fe88f1e3af0fcbfe84d4448415f049b9791bc65
< SIZE (snort-2.4.3.tar.gz) = 2733590
< MD5 (snort-2.4.3.tar.gz.sig) = 680b271bb3fe67bd28d41d5a3886865a
< SHA256 (snort-2.4.3.tar.gz.sig) = a7fa680662124e6f95eb87b88e09a0ec7ae394f6845f4a1eada4626066da12d0
< SIZE (snort-2.4.3.tar.gz.sig) = 65
---
> MD5 (snort-2.4.4.tar.gz) = fe82febd153e121369788b3aaa05d415
> SHA256 (snort-2.4.4.tar.gz) = 9d34822e68d6c5bfd98c41f14bf9185424691824b220d70366c40f0477e9d9a7
> SIZE (snort-2.4.4.tar.gz) = 2825060

You can then build the port with 'make' and 'make install', and end up running Snort 2.4.4:

$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.4 (Build 28)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.
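The distinfo edit above replaces the recorded SHA256 and SIZE of the 2.4.3 tarball with those of 2.4.4, and the ports framework refuses to build if the fetched distfile does not match them. The following script, added here as an example and not part of the original post or of the FreeBSD ports framework, performs that same comparison by hand so you can confirm a downloaded tarball against a distinfo file before building. The distfile and distinfo it checks are constructed in a temporary directory for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the ports framework):
# verify that a distfile matches the SHA256 and SIZE lines recorded for it
# in a ports distinfo file, the same check 'make checksum' performs.
# The sample distfile and distinfo created by make_sample are constructed.

sha256_of() {
  # Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# check_distfile DISTINFO DISTFILE -> 0 if both SHA256 and SIZE match,
# 1 on a mismatch, 2 if distinfo has no entry for the file at all.
check_distfile() {
  distinfo=$1; distfile=$2; name=$(basename "$distfile")
  # distinfo lines look like: SHA256 (snort-2.4.4.tar.gz) = <hex>
  want_sha=$(awk -v n="$name" '$1=="SHA256" && $2==("(" n ")") {print $4}' "$distinfo")
  want_size=$(awk -v n="$name" '$1=="SIZE" && $2==("(" n ")") {print $4}' "$distinfo")
  [ -n "$want_sha" ] && [ -n "$want_size" ] || { echo "no distinfo entry for $name" >&2; return 2; }
  have_sha=$(sha256_of "$distfile")
  have_size=$(wc -c < "$distfile" | tr -d ' ')
  if [ "$have_sha" = "$want_sha" ] && [ "$have_size" = "$want_size" ]; then
    echo "$name: checksum and size OK"
    return 0
  fi
  echo "$name: MISMATCH (sha256 $have_sha vs $want_sha, size $have_size vs $want_size)" >&2
  return 1
}

# make_sample -> prints a temp dir holding a constructed distfile and a
# distinfo describing it (the "tarball" is just a text file for the demo).
make_sample() {
  dir=$(mktemp -d)
  printf 'not really a snort tarball\n' > "$dir/snort-2.4.4.tar.gz"
  {
    echo "SHA256 (snort-2.4.4.tar.gz) = $(sha256_of "$dir/snort-2.4.4.tar.gz")"
    echo "SIZE (snort-2.4.4.tar.gz) = $(wc -c < "$dir/snort-2.4.4.tar.gz" | tr -d ' ')"
  } > "$dir/distinfo"
  echo "$dir"
}

# Demo: verify the sample, then append a byte and watch the check fail.
d=$(make_sample)
check_distfile "$d/distinfo" "$d/snort-2.4.4.tar.gz"
echo "trailing garbage" >> "$d/snort-2.4.4.tar.gz"
check_distfile "$d/distinfo" "$d/snort-2.4.4.tar.gz" || echo "(expected failure after tampering)"
rm -rf "$d"
```

Against a real port, call `check_distfile /usr/ports/security/snort/distinfo /usr/ports/distfiles/snort-2.4.4.tar.gz`; when you bump PORTVERSION yourself, as the post does, the SHA256 and SIZE you paste into distinfo are the only thing standing between you and a substituted tarball, so generate them from a file whose source you trust.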

To try Snort 2.6 BETA, you'll need to follow these steps. First, you need the devel/automake19, devel/libtool15, and devel/autoconf259 ports installed.

Now check out the Snort BETA from CVS.

cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login
cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot co -r SNORT_2_6 snort
cd snort

Make the following changes to autojunk.sh:

orr:/home/richard/snort$ diff autojunk.sh.orig autojunk.sh
3,7c3,7
< libtoolize --automake --copy
< aclocal -I m4
< autoheader
< automake --add-missing --copy
< autoconf
---
> libtoolize15 --automake --copy
> aclocal19 -I m4 -I /usr/local/share/aclocal
> autoheader259
> automake19 --add-missing --copy
> autoconf259

These changes are needed because the FreeBSD ports install the tools that build Snort under versioned names, as shown by the following directory listings:

# ls -al /usr/local/bin/libtoolize*
-r-xr-xr-x 1 root wheel 10784 Feb 6 04:08 /usr/local/bin/libtoolize15
# ls -al /usr/local/bin/aclocal*
-r-xr-xr-x 1 root wheel 19737 Feb 6 19:47 /usr/local/bin/aclocal19
# ls -al /usr/local/bin/autoheader*
-r-xr-xr-x 1 root wheel 8141 Feb 6 17:55 /usr/local/bin/autoheader259
# ls -al /usr/local/bin/automake*
-r-xr-xr-x 1 root wheel 222000 Feb 6 19:47 /usr/local/bin/automake19
# ls -al /usr/local/bin/autoconf*
-r-xr-xr-x 1 root wheel 7672 Feb 6 17:55 /usr/local/bin/autoconf259

You've got to make one more change, to src/dynamic-plugins/sf_engine/Makefile.am. Change the two instances of 'cp $< $@' to 'cp $? $@' as shown below.

orr:/home/richard/snort/src/dynamic-plugins/sf_engine$ diff Makefile.am.orig Makefile.am
28c28
< cp $< $@
---
> cp $? $@
31c31
< cp $< $@
---
> cp $? $@

When these changes are made, run 'sh autojunk.sh' from the snort directory. You'll see some errors, but they are not fatal.

orr:/home/richard/snort$ sh autojunk.sh
configure.in:170: warning: underquoted definition of SN_CHECK_DECL
run info '(automake)Extending aclocal'
or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
configure.in:203: warning: underquoted definition of SN_CHECK_DECLS
configure.in:303: warning: underquoted definition of FAIL_MESSAGE
/usr/X11R6/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/local/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/local/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/local/share/aclocal/ao.m4:9: warning: underquoted definition of XIPH_PATH_AO
/usr/local/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB

After that, run the following:

./configure
make
make install

Remember you'll probably want to run 'make install' as root.

When done, Snort 2.6 BETA will be installed.

orr:/home/richard/snort$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 48)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
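The autojunk.sh edits above exist only because the ports install the autotools as libtoolize15, aclocal19, autoheader259, automake19 and autoconf259. The script below, an example added here and not part of the original post or of the Snort source tree, looks those names up in PATH, falls back to the unversioned names, and prints a bootstrap script equivalent to the patched autojunk.sh. It assumes the versioned names match the post's listings and that third-party .m4 files live under /usr/local/share/aclocal (the -I directory the post adds); nothing is executed except command -v, so it is safe to run on a host without the tools, where it just reports what is missing.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): resolve
# the versioned autotool binaries that FreeBSD's ports install, falling back
# to the plain names, and emit an autojunk.sh-style bootstrap script.
# Assumed versioned names are the ones the post lists; nothing is executed
# except 'command -v', so this is safe to run anywhere.

# pick_tool NAME... -> print the first NAME found in PATH; exit 1 if none
pick_tool() {
  for cand in "$@"; do
    if command -v "$cand" >/dev/null 2>&1; then
      echo "$cand"
      return 0
    fi
  done
  return 1
}

# emit_bootstrap -> print the five bootstrap commands with resolved names;
# exit 1 after listing what is missing if any tool cannot be found
emit_bootstrap() {
  missing=""
  LIBTOOLIZE=$(pick_tool libtoolize15 libtoolize)   || missing="$missing libtoolize"
  ACLOCAL=$(pick_tool aclocal19 aclocal)            || missing="$missing aclocal"
  AUTOHEADER=$(pick_tool autoheader259 autoheader)  || missing="$missing autoheader"
  AUTOMAKE=$(pick_tool automake19 automake)         || missing="$missing automake"
  AUTOCONF=$(pick_tool autoconf259 autoconf)        || missing="$missing autoconf"
  if [ -n "$missing" ]; then
    echo "missing autotools:$missing (install the devel/ ports named above)" >&2
    return 1
  fi
  # Ports drop third-party .m4 macros under /usr/local/share/aclocal; add the
  # include path only when that directory exists (assumption, as in the post).
  extra_inc=""
  if [ -d /usr/local/share/aclocal ]; then
    extra_inc=" -I /usr/local/share/aclocal"
  fi
  cat <<EOF
#!/bin/sh
$LIBTOOLIZE --automake --copy
$ACLOCAL -I m4$extra_inc
$AUTOHEADER
$AUTOMAKE --add-missing --copy
$AUTOCONF
EOF
}

# Demo: print the generated script; redirect it to autojunk.sh to use it.
emit_bootstrap || echo "(bootstrap not generated on this host)"
```

Run `emit_bootstrap > autojunk.sh` in the checked-out snort directory, then `sh autojunk.sh` as the post describes; the Makefile.am change from 'cp $< $@' to 'cp $? $@' still has to be made by hand.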

Let us know how you find Snort 2.6. Thank you to Steven Sturges from Sourcefire for getting this to work for me!

Wednesday, March 08, 2006

Improved Bridging for Monitoring in FreeBSD

FreeBSD developer Christian S.J. Peron wrote to me about two commits that improve support for bonding interfaces for use with network taps. He writes:

Let's say that you have a GigE copper tap, and you have the two monitor cables coming into the FreeBSD network analyzer on interfaces em0 and em1. You can aggregate the two links into one logical bridge interface to monitor them:

ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 up
tcpdump -i bridge0

This basically turns em0 and em1 into switch ports. If you want to use this bridge specifically to aggregate one or more network interfaces and pass the packets off to BPF and return, then you can turn off the bridging functionality.

ifconfig bridge0 monitor

This prevents the bridge code from looking up which port a certain hardware address is attached to, or broadcasting packets out all ports in the event it doesn't know. Essentially, it short circuits the bridging code, which saves a number of mutex acquisitions and list traversals, reducing the load.

We have done this in places which use firewall clusters, i.e., 2 or 3 different PIX firewalls running VRRP:

ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 addm em2 addm em3 addm em4 addm em5 up monitor

snort -i bridge0

This way, snort works regardless of which firewall has failed over. The bridge is in monitor mode, so it's not actually trying to TX packets out the other interfaces; it just passes the packets it receives to BPF and returns.

This is neat. We won't see it in FreeBSD 6.1, but probably 6.2. Before 6.2, these features will appear in STABLE.
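The security-relevant detail in Christian's note is the monitor flag: without it, a bridge built from tap interfaces is a switch that will happily forward traffic between the monitored segments. The script below, an example added here and not part of the original post or of FreeBSD, parses ifconfig(8) output to confirm that a sensor bridge is in monitor mode and that every expected tap interface is a member. The ifconfig output it checks is constructed to look like FreeBSD's; it assumes that ifconfig prints MONITOR in the bridge's flag list once monitor mode is set, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): confirm that a
# monitoring bridge is in monitor mode and contains every expected tap
# interface, by parsing ifconfig(8) output. SAMPLE_IFCONFIG is constructed
# to resemble FreeBSD output; it was not captured from a real sensor.

SAMPLE_IFCONFIG='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
	ether 02:a1:b2:c3:d4:00
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	member: em1 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 2 priority 128 path cost 55
	member: em0 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 1 priority 128 path cost 55'

# bridge_is_monitor TEXT BRIDGE -> 0 if BRIDGE's flag list contains MONITOR
# (assumption: ifconfig shows the IFF_MONITOR flag as MONITOR in <...>)
bridge_is_monitor() {
  printf '%s\n' "$1" | awk -v br="$2" \
    '$1==(br ":") && $2 ~ /<.*MONITOR.*>/ {found=1} END {exit !found}'
}

# bridge_members TEXT -> member interface names, one per line, sorted
bridge_members() {
  printf '%s\n' "$1" | awk '$1=="member:" {print $2}' | sort
}

# check_monitor_bridge TEXT BRIDGE IF... -> 0 only if BRIDGE is in monitor
# mode and every IF is a member; each problem is reported on stderr
check_monitor_bridge() {
  text=$1; br=$2; shift 2; rc=0
  if bridge_is_monitor "$text" "$br"; then
    echo "$br: monitor mode on"
  else
    echo "$br: NOT in monitor mode (would forward between taps)" >&2; rc=1
  fi
  members=$(bridge_members "$text")
  for ifn in "$@"; do
    if printf '%s\n' "$members" | grep -qx "$ifn"; then
      echo "$br: $ifn is a member"
    else
      echo "$br: $ifn missing from bridge" >&2; rc=1
    fi
  done
  return $rc
}

# Demo on the constructed sample. On a real sensor:
#   check_monitor_bridge "$(ifconfig bridge0)" bridge0 em0 em1
check_monitor_bridge "$SAMPLE_IFCONFIG" bridge0 em0 em1
```

A non-zero exit from check_monitor_bridge is worth wiring into whatever starts snort on the sensor: a bridge that silently lost its monitor flag after a reboot is both a blind spot and a path between the two sides of the tap.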

Binary Upgrade of FreeBSD 5.4 to 6.0

Yesterday I took control of a system running FreeBSD 5.4. I wanted to upgrade it to FreeBSD 6.0. I considered using cvsup to upgrade the userland and kernel, but I wanted an easier way. I also wanted to end up with a completely GENERIC system that would work well with freebsd-update.

I decided to follow Colin Percival's FreeBSD 5.4 to FreeBSD 6.0 binary upgrade instructions. This process worked flawlessly. I am not going to repeat the steps here, but I will point out a few details.

In step 2 of his process, Colin uses freebsd-update to create a base-modified file. Mine had these contents:

# cat base-modified
/.cshrc
/boot/defaults/loader.conf
/boot/kernel/kernel
/boot/kernel/linker.hints
/etc/group
/etc/hosts
/etc/manpath.config
/etc/master.passwd
/etc/motd
/etc/passwd
/etc/pwd.db
/etc/shells
/etc/spwd.db
/etc/ttys
/root/.cshrc
/usr/share/man/cat1/crontab.1.gz
/usr/share/man/cat1/tcpdump.1.gz
/usr/share/man/cat1/uname.1.gz
/usr/share/man/cat8/ifconfig.8.gz
/usr/share/man/whatis
/var/db/locate.database
/var/log/auth.log
/var/log/cron
/var/log/debug.log
/var/log/lastlog
/var/log/maillog
/var/log/sendmail.st
/var/log/wtmp
/var/run/utmp

The first three files are associated with this system running a modified 5.4 kernel. I did not want to preserve those changes. I wanted to preserve all of the changes to files in /etc/, as those are important -- password files and the like. I did not care about changes to files in /usr. I preserved files in /var that related to logs.

I decided to make a new version with these contents.

# cat base-modified.final
/.cshrc
/etc/group
/etc/hosts
/etc/manpath.config
/etc/master.passwd
/etc/motd
/etc/passwd
/etc/pwd.db
/etc/shells
/etc/spwd.db
/etc/ttys
/root/.cshrc
/var/log/auth.log
/var/log/cron
/var/log/debug.log
/var/log/lastlog
/var/log/maillog
/var/log/sendmail.st
/var/log/wtmp
/var/run/utmp
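The trimmed list above follows a simple policy: keep locally modified files under /etc, /root, /var/log and /var/run plus dotfiles in /, and drop the /boot entries from the custom kernel and anything under /usr. The script below, added here as an example and not part of the original post or of freebsd-update, applies that policy to a base-modified list so the decision is made by a rule rather than by hand-editing. The input list it filters is a constructed excerpt of the one shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from freebsd-update): filter a
# base-modified list the way the post describes, keeping /etc, /root,
# /var/log, /var/run and dotfiles in /, dropping /boot, /usr and the rest.
# SAMPLE_LIST is a constructed excerpt, not a real system's base-modified.

# keep_modified_file PATH -> 0 if the local change to PATH should survive
keep_modified_file() {
  case "$1" in
    /etc/*|/root/*|/var/log/*|/var/run/*) return 0 ;;  # configs, passwords, logs
    /.[!/]*) return 0 ;;                                # dotfiles in /, e.g. /.cshrc
    *) return 1 ;;                                      # /boot, /usr, /var/db, ...
  esac
}

# filter_base_modified < LIST -> print the entries to keep, one per line
filter_base_modified() {
  while IFS= read -r path; do
    if keep_modified_file "$path"; then
      printf '%s\n' "$path"
    fi
  done
  return 0
}

SAMPLE_LIST='/.cshrc
/boot/defaults/loader.conf
/boot/kernel/kernel
/etc/master.passwd
/etc/passwd
/usr/share/man/whatis
/var/db/locate.database
/var/log/auth.log
/var/run/utmp'

# Demo: print the trimmed list. Against a real file:
#   filter_base_modified < base-modified > base-modified.final
printf '%s\n' "$SAMPLE_LIST" | filter_base_modified
```

Review the output before using it: the rule keeps /etc/master.passwd and friends because they hold the accounts you expect to log in with after the upgrade, and a file the rule drops is restored to the stock 6.0 version, so anything else you hand-edited under /usr needs to be added back explicitly.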

In step 14, Colin recommends recompiling all installed ports. I decided to simply pkg_delete all of them. I will add back new packages when the upgrade process is finished.

After following Colin's directions, I ended up with a system running FreeBSD 6.0 RELEASE. I was able to use freebsd-update to apply binary updates of the kernel and userland. I did all of this remotely over OpenSSH. Very cool -- thanks Colin!

Monday, March 06, 2006

Public NSO Class Planned 13-16 June 2006

TaoSecurity is proud to offer its only scheduled public Network Security Operations class of 2006 with consultant, author, and teacher Richard Bejtlich.

This four-day class, normally presented only to private government, military, and commercial groups, will be taught personally by Mr. Bejtlich from 13-16 June 2006 at the Nortel Government Solutions facility in Fairfax, VA. Students will learn network security monitoring, incident response, and forensics in a hands-on environment that combines lecture with lab work.

Class fees:

  • Register by 1 April 2006: $2395/student
  • Register by 1 May 2006: $2595/student
  • Register by 1 June 2006: $2795/student

ISSA Chapter members receive a 10% discount on registration.

This class only seats 20 students -- register today by contacting Richard via email: richard at taosecurity dot com.

Details of each day's events can be downloaded from www.taosecurity.com/training.html.

Listening to Audio CDs on FreeBSD

Today I received a CD from Convention CDs, the company that recorded my presentation at RSA 2006 last month. The company Web site is basically blank, but if you want to order a copy of my talk "Traffic-Centric Incident Response and Forensics" you can send email to sales at conventioncds dot com. My CD bears number CD 94-2006, which may be its product number. I get no compensation from these CDs.

I needed a way to listen to the CD in FreeBSD, so I decided to take a low-impact approach and use xmcd. I could not find a precompiled package, but after adding the packages needed for building the port I found the port a quick build. I had to run the following configuration routine before I could listen to CDs.

# /usr/X11R6/lib/X11/xmcd/config/config.sh

Xmcd version 3.3.2 Configuration Program
Setting up for host: orr.taosecurity.com
----------------------------------------

*** CDDB(R) ACCESS CONFIGURATION ***

If your system has Internet connectivity and functional
domain name service (DNS), you should answer 'y' to the next
question. If this system is not linked to the Internet at all,
then answer 'n'.

Would you like to use the free Internet CDDB(R) service
for album/track information? [y] n

Internet CDDB server access is disabled.
To enable it later, run the /usr/X11R6/lib/X11/xmcd/config/config.sh
script again.


*** DRIVE CONFIGURATION ***

Configuring drive 0...

Does this drive use a SCSI interface? [n] n

Non-SCSI drives are currently supported only on the
following platforms:

BSDI/WindRiver BSD/OS
Compaq/HP Tru64 UNIX, Digital UNIX
FreeBSD
HP-UX
IBM AIX
Linux
NetBSD
OpenBSD
QNX
SCO Open Server
Sun Solaris

Do you want to continue? [y] y

Are you using the SCSI Emulation (ATAPI-CAM) interface? [n]

Enter device path: [/dev/acd0]

Please select a Device Interface Method:

1. SunOS/Solaris/Linux/QNX ioctl method
2. FreeBSD/NetBSD/OpenBSD ioctl method
3. IBM AIX IDE ioctl method
4. BSDI/WindRiver BSD/OS ATAPI
5. SCO Open Server ATAPI BTLD
6. Compaq/HP Tru64 UNIX, Digital UNIX ATAPI
7. HP-UX ATAPI
8. Linux SCSI Emulation for ATAPI drives
9. FreeBSD ATAPI-CAM for ATAPI drives
q. quit (abort configuration)

Enter choice: [1] 2

Is your drive on /dev/acd0 a multi-disc changer? [n]
Standard CD drives have a 2048-byte block size.
Does this drive have a non-standard block size? [n]

The configuration disables these features:
- The channel routing control.

The CDDA configuration has been set as follows:
- Extraction: FreeBSD ioctl
- Playback: Open Sound System (OSS)

Creating the /usr/X11R6/lib/X11/xmcd/config/acd0 file...

Do you have more CD drives on your system? [n]

Xmcd set-up is now complete.

Please read the DRIVES file supplied with the xmcd
distribution for hardware configuration information
about specific drives.

That was it. I can listen to audio CDs on FreeBSD now.