Wednesday, August 31, 2005

Changes Ahead for FreeBSD LiveCDs

There's plenty of activity in FreeBSD-land these days. Colin Percival has become the new FreeBSD Security Officer. FreeBSD 6.0-BETA3 is available, and we might see 6.0-RELEASE by late September.

I just learned of a new FreeBSD LiveCD by Matt Olander called BSDLive, which fits on a business card CD (media sleeve available). This is a great advocacy item. I booted the .iso in VMware and saw that it runs FreeBSD 5.4-RELEASE-p6. It boots into X.org 6.8.2.

I will be glad when the results of the logo contest are announced!

One cannot talk about FreeBSD LiveCDs without mentioning FreeSBIE. Unfortunately, the last official release happened in December. Sguil 0.5.3 is only one day younger! However, a look at the FreeSBIE mailing list shows that Dario Freni is busy working on integrating FreeSBIE into the main FreeBSD source tree. I do not think we will see this in 6.0, but perhaps 6-STABLE will have it shortly after 6.0.

Frenzy is an alternative FreeBSD LiveCD that I have not yet tried. Frenzy 0.3 is based on FreeBSD 5.2.1 (fairly old), but a version based on 5.4 appears to be coming soon.

I look forward to seeing FreeSBIE integrated into the source tree, as that will undoubtedly make it easier to create FreeBSD LiveCDs.

Tuesday, August 30, 2005

Interview with Def Con CTF Winning Team Member Vika Felmetsger

Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna's team. One of the contestants, Vika Felmetsger, was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner.


Richard (R): What is your experience with security, and what are your interests?

Vika (V): I am starting my second year as a computer science Ph.D. student at UCSB, where I work as a research assistant in the Reliable Software Group (RSG).

Everybody in the group works on various computer security areas, and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area.

As an undergraduate student at UCSB I learned some security basics; however, my real introduction to practical security, and hacking in particular, was last fall when I took "Network Security and Intrusion Detection," which is a class taught by my graduate advisor Prof. Giovanni Vigna.

In this class I learned various techniques that can be used to break the security of computer systems, how to detect attacks, and how to protect a system against possible attacks.

Most importantly, as a part of the classwork, every student was able to apply the learned techniques to write actual exploits to attack various vulnerabilities in real programs within a testbed network.

Also, during the class, I participated in two Capture The Flag (CTF) exercises (which are organized every year by Prof. Vigna) where, together with other students in the class, I could practice attacking other systems as well as defending my team's system. As a result, after that class, I had the background necessary to further develop my hacking skills on my own as well as be able to work on various security problems.

Later I was very lucky to be involved in setting up the UCSB International CTF which was organized by Prof. Vigna on June 10th, 2005. This provided me with a valuable experience being on the organizers' side and helped me to improve my system administration, networking, and network traffic analysis skills.

R: How did you join team Shellphish?

V: Hmmm, I did not really join the team ... Everybody in the RSG is a member of the Shellphish team :-).

R: Did you have a specific role on the team? If yes, can you describe it?

V: During the DefCon CTF I was a "human IDS." I was analyzing (using scripts and manually) network traffic in real time looking for attacks on our system. This helped the team to discover many successful attacks on our system, find out which particular vulnerabilities were exploited, patch the system, and even reuse some of the attacks against the other teams.

[Note: Against sophisticated intruders, only human analysts can prevail.]

R: What was it like to compete at Def Con? Did it meet your expectations?

V: I was dreaming about competing at DefCon the whole year and it certainly met my best expectations! :-) I don't have enough words to describe the feeling that I had sitting 3 days straight in front of the computer when I was absolutely consumed by the game. That is something everybody should experience for him/herself ;-).

I was very lucky to be a part of such an amazing team, to work together with the people whom I highly respect and from whom I have so many things to learn. What can be better?

When we came to DefCon this year, we did not care that much about winning; we simply wanted to enjoy ourselves doing the things that everybody in the team is fascinated with. And, it certainly worked out perfectly!

R: Do you plan to compete next year?

V: Of course.

R: What advice could you give to those who might like to compete, or have skills like yours?

V: Well, I am probably not the best person to give advice right now because I still have a long way to go myself, but if you ask ;-) ...

Knowing theory is not enough; you need to practice everything that you read about hacking or security (I don't mean attacking real systems, of course ;-).

There are many ways to do it, for example, install known vulnerable software on your own machine and write an exploit for it.

Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself.

From my own experience, I can say that I learned many practical things from this year's quals, not to mention that it was incredibly fun :-). Also, what I am planning to work on now is improving my scripting skills, which are very important when competing in real time.


Thanks to Vika for responding to my questions.

If you like these sorts of interviews, let me know. I plan to incorporate these sorts of stories into the TaoSecurity Podcast, when I get time to launch it.

Request for Help with OpenPacket.org

Earlier this month I announced work on OpenPacket.org, a free site providing quality network traffic traces to researchers, analysts, and other members of the digital security community.

We are looking for help in two areas:

  1. Open source content management systems (CMS) experience: We believe we will use a CMS to accept, moderate, and present traffic captures to users. We need help planning and deploying a CMS that will meet our needs.

  2. Open source database experience: We will use an open source database like MySQL or PostgreSQL, as compatible with the CMS we choose. We need help planning and deploying a database schema, and we will need guidance on configuring the database properly. Most of the OpenPacket.org crew has database experience as it relates to supporting intrusion detection sensors, but storing and retrieving the sorts of data we have in mind is probably outside our daily routine.


We have ideas for additional OpenPacket.org functionality, but providing ways to accept, moderate, and present traces in Libpcap format is the primary goal of our first version of OpenPacket.org.
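Accepting Libpcap uploads from the public means the moderation step has to treat every file as untrusted until its headers check out. The following Python checker is an added example for this post, not OpenPacket.org code or any CMS module: it validates the 24-byte global header (magic, version, snaplen, link type) and walks the per-record headers so that a file that is not pcap at all, is truncated, or declares lengths that would make a decoder read past the buffer is rejected before it reaches a reviewer. The function names, the 256 KiB snaplen ceiling, and the sample frames are assumptions constructed for the example.

```python
"""Sanity-check an uploaded libpcap trace before it enters a moderation queue.

Added example for this post; not OpenPacket.org code. Only the global header
and the per-record headers are inspected, which is enough to reject files that
are not pcap, are truncated, or carry lengths a downstream decoder would trust.
"""
import struct
from dataclasses import dataclass, field

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
MAX_SNAPLEN = 262144     # assumption: ceiling this checker accepts (256 KiB)

# Magic value as read with "<I", mapped to the struct byte-order prefix the
# file actually uses and to its timestamp resolution.
MAGICS = {
    0xA1B2C3D4: ("<", "us"),  # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian, nanosecond timestamps
}


@dataclass
class PcapCheck:
    ok: bool = False
    byte_order: str = ""
    ts_resolution: str = ""
    version: tuple = (0, 0)
    snaplen: int = 0
    linktype: int = 0
    packets: int = 0
    problems: list = field(default_factory=list)


def check_pcap(data: bytes) -> PcapCheck:
    """Return a PcapCheck; ok is True only when no problem was recorded."""
    r = PcapCheck()
    if len(data) < GLOBAL_HEADER_LEN:
        r.problems.append("shorter than the 24-byte global header")
        return r
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        r.problems.append(f"unknown magic 0x{magic:08x}: not a libpcap file")
        return r
    order, r.ts_resolution = MAGICS[magic]
    r.byte_order = "little" if order == "<" else "big"
    major, minor, _zone, _sigfigs, r.snaplen, r.linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    r.version = (major, minor)
    if r.version != (2, 4):
        r.problems.append(f"unexpected version {major}.{minor}, expected 2.4")
    if r.snaplen == 0 or r.snaplen > MAX_SNAPLEN:
        r.problems.append(f"implausible snaplen {r.snaplen}")

    # Walk the records without decoding payloads; every length is checked
    # against the header and the file size before it is trusted.
    offset = GLOBAL_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            r.problems.append(f"truncated record header at offset {offset}")
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > r.snaplen:
            r.problems.append(f"record {r.packets}: incl_len {incl_len} > snaplen")
        if incl_len > orig_len:
            r.problems.append(f"record {r.packets}: incl_len {incl_len} > orig_len {orig_len}")
        if offset + RECORD_HEADER_LEN + incl_len > len(data):
            r.problems.append(f"record {r.packets}: {incl_len} payload bytes declared, file ends early")
            break
        offset += RECORD_HEADER_LEN + incl_len
        r.packets += 1
    r.ok = not r.problems
    return r


def build_pcap(frames, snaplen=65535, linktype=1, order="<"):
    """Assemble a pcap file from raw frames (fixture for this example only)."""
    out = struct.pack(order + "I", 0xA1B2C3D4)
    out += struct.pack(order + "HHiIII", 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(order + "IIII", 1125000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: two broadcast ARP-sized Ethernet frames, then damaged variants.
_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28
GOOD_TRACE = build_pcap([_FRAME, _FRAME])
TRUNCATED_TRACE = GOOD_TRACE[:-5]                 # upload cut off mid-record
NOT_A_PCAP = b"<html><body>not a capture</body></html>"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_TRACE), ("truncated", TRUNCATED_TRACE), ("html", NOT_A_PCAP)]:
        res = check_pcap(blob)
        print(f"{name}: ok={res.ok} packets={res.packets} problems={res.problems}")
```

A moderation queue would run `check_pcap` on the raw upload and store the returned `linktype`, `packets` and `byte_order` alongside the file, so reviewers see what a trace contains before opening it in a decoder; anything with a non-empty `problems` list is bounced back to the submitter with the reasons rather than being queued.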

If you are interested in helping with either subject, please email richard at taosecurity dot com.

If you have any comments, as always they are welcome here. Thank you.

Monday, August 29, 2005

How Do You Use Taps?

How do you use taps? Specifically, do any of you use Net Optics taps? If yes, I would like to speak with you through email. I'm interested in your thoughts on any of these subjects:

  • How did you justify buying these products?

  • Did you encounter any installation issues?

  • How are you using taps?

  • What alternatives did you consider?

  • Did taps help you learn more about any intrusions, or help you prevent or mitigate intrusions?


I appreciate any feedback you might have. Please email richard at taosecurity dot com. Thank you.

Speaking at Net Optics Think Tank on 21 September

I will be speaking at the next Net Optics Think Tank at the Hilton Santa Clara in Santa Clara, CA on 21 September 2005. I will discuss network forensics, with a preview of material in my next two books, Real Digital Forensics and Extrusion Detection: Security Monitoring for Internal Intrusions. I had a good time speaking at the last Think Tank, where I met several blog readers.

Sunday, August 28, 2005

Real Threat Reporting

In an environment where too many people think that flaws in SSH or IIS are "threats" (they're vulnerabilities), it's cool to read a story about real threats. Nathan Thornburgh's story in Time, The Invasion Of The Chinese Cyberspies (And the Man Who Tried to Stop Them), examines Titan Rain, a so-called "cyberespionage ring" first mentioned by Bradley Graham in last week's Washington Post.

The Time story centers on Shawn Carpenter, an ex-Navy and now ex-Sandia National Laboratories security analyst. The story says:

"As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman—the apt nickname his military-intelligence handlers gave him—tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies."

I read this and thought, "Whoa, this guy is saying too much. Game over for him." Then I read this:

"[T]he Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he feels personally maligned—although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him."

Now I understand why Time has all these details!

I would like more technical clarification of this point:

"When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files."

What does this mean? It sounds like Carpenter took control of the routers and then, what?

I cite this story because it talks about how sophisticated threats operate:

"Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes."

That's how professionals work.

Saturday, August 27, 2005

Teaching Pentagon Security Analysts with Special Ops Security

Prior to attending the IAM class this week, I spent two days teaching security analysts from the Pentagon with instructors from Special Ops Security. (The class was four days, but I was only present for the first two.) I think we offered some unique perspectives on security. Steve Andres, author of Security Sage's Guide to Hardening the Network Infrastructure, spoke about hardening network infrastructure on day one. I taught network security monitoring on day two, with hands-on labs. Erik Birkholz, author of Special Ops: Host and Network Security for Microsoft, Unix, and Oracle, taught methods to attack Windows systems on day three. Concluding with day four, SQL Server Security author Chip Andrews taught Web application security.

In addition to getting a copy of Erik's book, class attendees also received individually numbered challenge coins. This was Steve's idea. A challenge coin is usually a unit-specific coin that military members should carry at all times. The reasons why are documented at the previous link. As one might expect with the military, an excuse to buy a drink is usually involved. (The same goes for wearing a hat backwards, and so on.)

My coin is pictured here. Through a total act of good karma, Steve gave me coin 41. He didn't know that 41 was my favorite number (aside from the "94" that my USAFA training burned into my brain). I use 41 on my hockey jerseys since it was the number I was given on my high school cross-country team. Thanks Steve, and Special Ops Security! We'll most likely teach this multi-disciplinary course again. Contact me via richard at taosecurity dot com if you're interested.