Friday, June 30, 2006

Tuning Snort Article in Sys Admin Magazine

Keep an eye on your local newsstands or mailbox for the August 2006 issue of Sys Admin magazine. They published an article I wrote titled Tuning Snort. I describe simple steps one should take with Snort to reduce the number of unwanted alerts. I used a beta of Snort 2.6.0 when writing the article a few months ago.

Thursday, June 29, 2006

Jones Withstands Defense Attorneys

I've been covering the Duronio trial in which my friend Keith Jones is testifying as the government's star forensic witness. Today's story describes how Keith explained his findings while being attacked by defense attorneys. This excerpt is priceless:

At one point, [defense attorney] Adams laid out a scenario in which someone could have created a backdoor in the UBS system, and then deleted it before a backup was done to capture it. When he asked Jones if he, personally, could do such a thing, Jones replied, "I could do a lot of things. That's why I'm hired to do the investigation."

Bamm! Nice response Jones.

It has been crucial to the prosecution's case that Jones is not a self-proclaimed "hacker." This report shows how the defense pursued Karl Kasper, aka "John Tan," ex-@Stake, ex-L0pht "hacker," for signing official documents as "John Tan" instead of using his real name. UBS hired @Stake to perform forensics before bringing Foundstone onto the case, thereby getting Keith involved.

All the wanna-be hacker kiddies should remember that grown-ups don't trust the opinions of "hackers" in courts of law.

Incidentally, I don't think Keith is a CISSP; at least he is not listed in the organization's member directory.

Update: Keith told me he is a CISSP. He must be a stealth one like me.

Binary Upgrade of FreeBSD 6.0 to 6.1

Several months ago I posted how I used Colin Percival's freebsd-update program to perform a binary upgrade from FreeBSD 5.4 to 6.0 remotely over SSH. Thanks to Colin's latest work, I was able to successfully perform a binary upgrade from FreeBSD 6.0 to 6.1 remotely over SSH.

hacom:/root/upgrade# uname -a
FreeBSD hacom.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0:
Tue Apr 18 08:56:09 UTC 2006
root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

hacom:/root# fetch http://www.daemonology.net/freebsd-upgrade-6.0-to-6.1/upgrade-6.0-to-6.1.tgz
upgrade-6.0-to-6.1.tgz 0% of 4706 kB
hacom:/root# sha256 upgrade-6.0-to-6.1.tgz
SHA256 (upgrade-6.0-to-6.1.tgz) = 29075fc5711e0b20d879c69d12bbe5414c1c56d597c8116da7acc0d291116d2f
hacom:/root# tar -xzvf upgrade-6.0-to-6.1.tgz
x upgrade
x upgrade/upgrade.sh
x upgrade/6.1-index
x upgrade/6.0-index
hacom:/root# cd upgrade
hacom:/root/upgrade# ./upgrade.sh
Examining system... done.

The following components of FreeBSD seem to be installed:
kernel|generic world|base world|dict world|doc world|manpages

The following components of FreeBSD do not seem to be installed:
kernel|smp src|base src|bin src|contrib src|crypto src|etc src|games
src|gnu src|include src|krb5 src|libexec src|lib src|release src|rescue
src|sbin src|secure src|share src|sys src|tools src|ubin src|usbin
world|catpages world|games world|info world|proflibs

Does this look reasonable (y/n)? y

Examining system (this will take a bit longer)... done.

The following files from FreeBSD 6.0 have been modified since they were
installed, but will be deleted or overwritten by new versions:
/.cshrc /root/.cshrc /usr/share/man/whatis

The following files from FreeBSD 6.0 have been modified since they were
installed, and will not be touched:
/etc/hosts /etc/manpath.config /etc/master.passwd /etc/motd /etc/passwd
/etc/pwd.db /etc/shells /etc/spwd.db /etc/ttys /var/db/locate.database
/var/log/sendmail.st

The following files from FreeBSD 6.0 have been modified since they were
installed, and the changes in FreeBSD 6.1 will be merged into the
existing files:
/etc/group

Does this look reasonable (y/n)? y

Preparing to fetch files... done.
Fetching 1729 patches....10....20....30....40....edited...1720.... done.
Applying patches... done.
Fetching 433 files....10....20....30....40....50....60...edited...done.
Decompressing and verifying... done.
Attempting to automatically merge configuration files... done.

The following changes, which occurred between FreeBSD 6.0 and FreeBSD
6.1, have been merged into /etc/group:
--- merge/old/etc/group Thu Jun 29 07:03:59 2006
+++ merge/new/etc/group Thu Jun 29 07:04:00 2006
@@ -41,5 +41,6 @@
student8:*:1012:
student9:*:1013:
student10:*:1014:
student11:*:1015:
richard:*:1016:
+audit:*:77:
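Review bot: the only change in this hunk is the added audit:*:77: line, so before answering y confirm that GID 77 is not already taken by a local group; the visible entries use GIDs 1012 through 1016, so no clash shows here, but a duplicate GID would make files owned by group 77 accessible to members of both groups.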
Does this look reasonable (y/n)? y

Installing new kernel into /boot/GENERIC... done.
Moving /boot/kernel to /boot/kernel.old... done.
Moving /boot/GENERIC to /boot/kernel... done.
Removing schg flag from existing files... done.
Installing new non-kernel files... done.
Removing left-over files from FreeBSD 6.0... done.
To start running FreeBSD 6.1, reboot.
hacom:/root/upgrade# reboot

hacom# freebsd-update fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/smbfs.ko...
/usr/libexec/sendmail/sendmail...
/usr/sbin/ypserv...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'
hacom# freebsd-update install
Backing up /boot/kernel/smbfs.ko...
Installing new /boot/kernel/smbfs.ko...
Backing up /usr/libexec/sendmail/sendmail...
Installing new /usr/libexec/sendmail/sendmail...
Backing up /usr/sbin/ypserv...
Installing new /usr/sbin/ypserv...
hacom# reboot

hacom:/home/richard$ uname -a
FreeBSD hacom.taosecurity.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0:
Sun May 7 04:32:43 UTC 2006
root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

I like it. Easy, fast, no compiling and it works. Kudos to Colin!
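One thing the transcript above does not show is what to do with that SHA-256 line. The upgrade tarball is fetched over plain HTTP, and a digest you compute yourself only proves something when you compare it against a value obtained some other way (the published checksum for the tarball). The later freebsd-update run does check signatures on its own ("Fetching updates signature..."), but the one-off upgrade script is a manual download. The following is an added example, not code from this post or from freebsd-update: it streams the file through SHA-256, refuses to extract on a mismatch, and also refuses tarballs whose members would escape the extraction directory (absolute paths, ".." components, links, device nodes). The sample tarballs it builds are constructed on the spot, and the expected digest for them is computed locally only because of that; for a real download use the publisher's value.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Digest printed in the transcript above. For a real check the expected value
# must come from somewhere other than the download itself (a signed announcement
# or a checksum published over a separate trusted channel).
EXPECTED_SHA256 = "29075fc5711e0b20d879c69d12bbe5414c1c56d597c8116da7acc0d291116d2f"


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so a large tarball need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_matches(path, expected_hex):
    """Constant-time comparison of hex digests (ASCII strings are accepted)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def unsafe_members(tar):
    """Member names that would write outside the destination or create links
    and device nodes: absolute paths, '..' components, symlinks, hardlinks, devices."""
    bad = []
    for m in tar.getmembers():
        parts = m.name.replace("\\", "/").split("/")
        if os.path.isabs(m.name) or ".." in parts or m.issym() or m.islnk() or m.isdev():
            bad.append(m.name)
    return bad


def verify_and_extract(path, expected_hex, dest):
    """Extract only after the digest matches and every member is benign.
    Returns (ok, reason) so a caller can log why an upgrade was refused."""
    if not digest_matches(path, expected_hex):
        return False, "sha256 mismatch: refusing to extract %s" % path
    with tarfile.open(path, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            return False, "hostile member(s): " + ", ".join(bad)
        os.makedirs(dest, exist_ok=True)
        tar.extractall(dest)
    return True, "extracted into %s" % dest


def make_sample_tarball(path, members):
    """Write a gzip tarball from a {name: bytes} mapping, storing names verbatim.
    Used here only to construct test inputs."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def run_demo():
    """Build two constructed tarballs (not the real upgrade files) and exercise
    the checks. Returns a dict of (ok, reason) outcomes plus a few file checks."""
    base = tempfile.mkdtemp(prefix="upgrade-check-")
    good = os.path.join(base, "upgrade-6.0-to-6.1.tgz")
    make_sample_tarball(good, {
        "upgrade/upgrade.sh": b"#!/bin/sh\necho 'would upgrade'\n",
        "upgrade/6.1-index": b"constructed index\n",
    })
    tampered = os.path.join(base, "tampered.tgz")
    make_sample_tarball(tampered, {
        "upgrade/upgrade.sh": b"#!/bin/sh\n",
        "../../etc/rc.local": b"echo owned\n",   # would land outside dest
    })
    empty = os.path.join(base, "empty")
    open(empty, "wb").close()
    results = {
        # Digest computed locally only because the sample file is constructed here.
        "good": verify_and_extract(good, sha256_file(good), os.path.join(base, "good-out")),
        "wrong_digest": verify_and_extract(good, "0" * 64, os.path.join(base, "wrong-out")),
        "traversal": verify_and_extract(tampered, sha256_file(tampered), os.path.join(base, "trav-out")),
        # Known answer: SHA-256 of the empty input.
        "empty_digest_ok": digest_matches(
            empty, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    }
    results["script_present"] = os.path.isfile(os.path.join(base, "good-out", "upgrade", "upgrade.sh"))
    results["wrong_out_created"] = os.path.exists(os.path.join(base, "wrong-out"))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The member check is the part people forget: a tarball that passes a digest comparison against a value you copied from the same untrusted page is still untrusted, and an entry such as ../../etc/rc.local in an archive you extract as root writes wherever it likes. Recent Python releases (3.12, with backports to maintained 3.8 through 3.11 releases) add tarfile extraction filters that refuse similar members; the explicit check above makes the policy visible and works on older interpreters.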

Tuesday, June 27, 2006

Great Firewall of China Uses TCP Resets

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating:

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

So China is censoring its citizens using ten-year-old technology. How long before they upgrade?
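The excerpt describes the mechanism (forged resets injected toward both ends) but not how an analyst would tell a forged reset from a real one in a capture. As an added example, not code from the Cambridge post or from this blog, here is one heuristic in Python: learn the TTL with which each endpoint's packets arrive during the handshake, then flag any RST whose TTL does not match, on the assumption that a box injecting packets sits a different number of hops away than the real peer. The addresses and the flow are constructed (TEST-NET ranges), the heuristic is evadable (an injector can pick a matching TTL), and a genuine route change can shift TTLs by a hop or two, which is what the slack parameter absorbs.

```python
from collections import namedtuple

# Minimal packet record: capture time, endpoints, TCP flags as tcpdump prints
# them ("S", "S.", ".", "P.", "R", "R.") and the IP TTL on arrival.
Packet = namedtuple("Packet", "ts src dst flags ttl")

CLIENT = "192.0.2.10"       # constructed addresses (TEST-NET-1/2), not real hosts
SERVER = "198.51.100.20"


def build_flow(forged_rst_ttl=None, genuine_rst=False):
    """Construct a flow as captured on the client. The client's own packets show
    its initial TTL (64); the server's packets arrive having lost 13 hops (51).
    Optionally append a burst of RSTs claiming to be from the server but
    arriving with a different TTL (a middlebox nearer to us than the server),
    and/or one genuine RST from the server itself."""
    pkts = [
        Packet(0.000, CLIENT, SERVER, "S", 64),
        Packet(0.090, SERVER, CLIENT, "S.", 51),
        Packet(0.091, CLIENT, SERVER, ".", 64),
        Packet(0.092, CLIENT, SERVER, "P.", 64),   # the request carrying the keyword
    ]
    if forged_rst_ttl is not None:
        pkts += [Packet(0.120 + i * 0.002, SERVER, CLIENT, "R", forged_rst_ttl)
                 for i in range(3)]
    if genuine_rst:
        pkts.append(Packet(0.180, SERVER, CLIENT, "R.", 51))
    return pkts


def ttl_profile(packets):
    """TTL seen on the first non-RST packet from each source address.
    Resets are excluded so an injected RST cannot poison the baseline."""
    profile = {}
    for p in packets:
        if "R" in p.flags:
            continue
        profile.setdefault(p.src, p.ttl)
    return profile


def suspicious_resets(packets, slack=1):
    """Return (packet, reason) for every RST whose arrival TTL differs from the
    TTL learned for its claimed source by more than `slack` hops, or whose
    claimed source never sent anything else in the flow."""
    profile = ttl_profile(packets)
    hits = []
    for p in packets:
        if "R" not in p.flags:
            continue
        expected = profile.get(p.src)
        if expected is None:
            hits.append((p, "RST from %s with no prior traffic in this flow" % p.src))
        elif abs(p.ttl - expected) > slack:
            hits.append((p, "RST TTL %d, but %s's packets arrive with TTL %d"
                         % (p.ttl, p.src, expected)))
    return hits


if __name__ == "__main__":
    for pkt, why in suspicious_resets(build_flow(forged_rst_ttl=37)):
        print("%.3f %s > %s [%s] %s" % (pkt.ts, pkt.src, pkt.dst, pkt.flags, why))
```

Run against the constructed flow, the three injected resets are reported and the genuine one is not. The same idea generalises to other injected packets (forged FINs, forged DNS answers): compare the hop distance of the suspect packet with the hop distance the real peer has already demonstrated.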

Update: Tom Ptacek shows this story is old news. Great historical insights Tom!

Jones Connects with Jury

Keith Jones is connecting with his jury, according to the latest Information Security article on the Duronio trial:

Jones, trying to explain the program to the jury, said to think of a Looney Tunes cartoon where there's an alarm clock attached to a bundle of dynamite. The alarm clock is the trigger, he told the laughing jury, while the dynamite and resulting explosion make up the payload.

This excerpt tells me two facts. (1) Jones is using terminology the jury can understand. (2) The jury is listening to him. I'm looking forward to reading about the defense's cross-examination, which should be happening now.

Know Your Tools

In the network forensics portion of my Network Security Operations class I cover a variety of reasons to validate that one's tools operate as expected. I encountered another example of this today while capturing network traffic from a wireless adapter.

I explained several months ago how I use the ndis0 interface with a Linksys WPC54G adapter. This is a wrapper for the Windows driver packaged with the NIC.

Here I am pinging another wireless host.

$ ping -c 3 192.168.2.31
PING 192.168.2.31 (192.168.2.31): 56 data bytes
64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=71.342 ms
64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=95.017 ms
64 bytes from 192.168.2.31: icmp_seq=2 ttl=128 time=15.499 ms

--- 192.168.2.31 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss

No problems, right? Now I start Tcpdump in another window, and ping again. First, the ping results.

$ ping -c 3 192.168.2.31
PING 192.168.2.31 (192.168.2.31): 56 data bytes
64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=44.392 ms
64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=45.865 ms (DUP!)
64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=66.001 ms
64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=66.273 ms (DUP!)
64 bytes from 192.168.2.31: icmp_seq=2 ttl=128 time=88.457 ms

--- 192.168.2.31 ping statistics ---
3 packets transmitted, 3 packets received, +2 duplicates, 0% packet loss
round-trip min/avg/max/stddev = 44.392/62.198/88.457/16.152 ms

What? Why the dupes? Here is what Tcpdump saw:

$ sudo tcpdump -n -i ndis0 -s 1515 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ndis0, link-type EN10MB (Ethernet), capture size 1515 bytes
09:37:26.226020 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 0, length 64
09:37:26.268487 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 0, length 64
09:37:26.270302 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 0, length 64
09:37:26.271772 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 0, length 64
09:37:27.227215 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 1, length 64
09:37:27.292627 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 1, length 64
09:37:27.293116 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 1, length 64
09:37:27.293409 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 1, length 64
09:37:28.228061 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 2, length 64
09:37:28.316227 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 2, length 64
09:37:28.316428 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 2, length 64
09:37:28.316718 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 2, length 64
^C
12 packets captured
38 packets received by filter
0 packets dropped by kernel

I sniffed traffic on 192.168.2.31, and that box neither saw nor sent duplicates.

I had no idea what was happening. Then I remembered a recent Undeadly.org story about compromising Windows systems through their wireless drivers. I realized my ndis0 interface is just a wrapper for the potentially lousy Windows driver shipped with the wireless NIC.

I have a second idea. Perhaps Tcpdump should not be in promiscuous mode when capturing wireless traffic? I've encountered issues with this on Windows XP; Ethereal/Wireshark recommends disabling promiscuous mode when capturing wireless traffic there. Let's see what happens if I ping again while sniffing with -p, which tells Tcpdump not to put the interface into promiscuous mode.

$ ping -c 3 192.168.2.31
PING 192.168.2.31 (192.168.2.31): 56 data bytes
64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=447.891 ms
64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=105.004 ms
64 bytes from 192.168.2.31: icmp_seq=2 ttl=128 time=22.260 ms

--- 192.168.2.31 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 22.260/191.718/447.891/184.264 ms

Looks good. Here's Tcpdump's view.

$ sudo tcpdump -n -i ndis0 -s 1515 -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ndis0, link-type EN10MB (Ethernet), capture size 1515 bytes
09:42:00.415428 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 0, length 64
09:42:00.863206 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 0, length 64
09:42:01.416462 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 1, length 64
09:42:01.521373 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 1, length 64
09:42:02.417306 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 2, length 64
09:42:02.439481 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 2, length 64
^C
6 packets captured
38 packets received by filter
0 packets dropped by kernel

There it is. So, if I don't want to see duplicate traffic, I should disable promiscuous mode.

There's one more wrinkle, though. If I ping a wired host from this wireless host, I don't see duplicates, even with Tcpdump back in promiscuous mode.

$ ping -c 3 192.168.2.12
PING 192.168.2.12 (192.168.2.12): 56 data bytes
64 bytes from 192.168.2.12: icmp_seq=0 ttl=64 time=4.044 ms
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64 time=1.060 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=64 time=0.987 ms

--- 192.168.2.12 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.987/2.030/4.044/1.424 ms

Now Tcpdump's view:

$ sudo tcpdump -n -i ndis0 -s 1515 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ndis0, link-type EN10MB (Ethernet), capture size 1515 bytes
09:44:27.934368 IP 192.168.2.5 > 192.168.2.12: ICMP echo request, id 53763, seq 0, length 64
09:44:27.938290 IP 192.168.2.12 > 192.168.2.5: ICMP echo reply, id 53763, seq 0, length 64
09:44:28.934994 IP 192.168.2.5 > 192.168.2.12: ICMP echo request, id 53763, seq 1, length 64
09:44:28.935969 IP 192.168.2.12 > 192.168.2.5: ICMP echo reply, id 53763, seq 1, length 64
09:44:29.935846 IP 192.168.2.5 > 192.168.2.12: ICMP echo request, id 53763, seq 2, length 64
09:44:29.936732 IP 192.168.2.12 > 192.168.2.5: ICMP echo reply, id 53763, seq 2, length 64
^C
6 packets captured
10 packets received by filter
0 packets dropped by kernel

Weird.

For one last idea I tested capture using the native wi0 driver and an older 802.11b SMC NIC. Here I ping while sniffing in promiscuous mode:

$ ping -c 3 192.168.2.31
PING 192.168.2.31 (192.168.2.31): 56 data bytes
64 bytes from 192.168.2.31: icmp_seq=0 ttl=128 time=95.359 ms
64 bytes from 192.168.2.31: icmp_seq=1 ttl=128 time=16.461 ms
64 bytes from 192.168.2.31: icmp_seq=2 ttl=128 time=39.406 ms

--- 192.168.2.31 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 16.461/50.409/95.359/33.136 ms

No problem. Tcpdump's view:

$ sudo tcpdump -n -i wi0 -s 1515 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type EN10MB (Ethernet), capture size 1515 bytes
09:46:57.049509 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 62723, seq 0, length 64
09:46:57.144750 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 62723, seq 0, length 64
09:46:58.050287 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 62723, seq 1, length 64
09:46:58.066660 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 62723, seq 1, length 64
09:46:59.051137 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 62723, seq 2, length 64
09:46:59.090452 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 62723, seq 2, length 64
^C
6 packets captured
181 packets received by filter
0 packets dropped by kernel

The issue must be the NIC driver: the same promiscuous-mode capture that doubled every packet on ndis0 shows each packet once on wi0.

This affects the captures I posted when I tested SinFP. Those duplicates must have been introduced by my NIC driver, Gomor.

The bottom line is you have to know your tools.
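Spotting the duplicates above by eye works for twelve lines; it does not work for a day of traffic, and a capture path that doubles packets will also double the evidence you hand to an analyst or a tool like SinFP. As an added example, not code from this post, the following Python reads tcpdump's text output for ICMP echo traffic and reports every packet that repeats an earlier one with the same source, destination, direction, id and seq within a short window. A real sender never reuses an echo seq that quickly, so such a repeat points at the capture path rather than the network. The sample input is copied from the two ndis0 captures in this post; the regular expression assumes tcpdump's default ICMP line format as shown there.

```python
import re
from collections import Counter

# Matches tcpdump's default text output for ICMP echo traffic, e.g.
# 09:37:26.226020 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 0, length 64
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight (captures here never span it)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_duplicates(lines, window=0.5):
    """Return (line, gap_seconds) for each packet that repeats an earlier packet
    with identical src, dst, direction, id and seq within `window` seconds.
    A later repeat outside the window is treated as a fresh packet."""
    last_seen = {}
    dups = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip tcpdump banners and the summary
        key = (m["src"], m["dst"], m["kind"], m["id"], m["seq"])
        t = _seconds(m["ts"])
        if key in last_seen and 0 <= t - last_seen[key] <= window:
            dups.append((raw.strip(), round(t - last_seen[key], 6)))
        else:
            last_seen[key] = t
    return dups


def duplicate_summary(lines, window=0.5):
    """Count duplicates per direction, which separates 'my transmit path doubles'
    from 'my receive path doubles' (here both do, implicating the driver)."""
    counts = Counter()
    for line, _ in find_duplicates(lines, window):
        counts[LINE_RE.match(line)["kind"]] += 1
    return dict(counts)


# Sample input copied from the promiscuous-mode ndis0 capture in this post.
PROMISC_CAPTURE = """
09:37:26.226020 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 0, length 64
09:37:26.268487 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 0, length 64
09:37:26.270302 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 0, length 64
09:37:26.271772 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 0, length 64
09:37:27.227215 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 1, length 64
09:37:27.292627 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 1, length 64
09:37:27.293116 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 1, length 64
09:37:27.293409 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 1, length 64
09:37:28.228061 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 2, length 64
09:37:28.316227 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 45571, seq 2, length 64
09:37:28.316428 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 2, length 64
09:37:28.316718 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 45571, seq 2, length 64
""".strip().splitlines()

# Sample input copied from the -p (non-promiscuous) ndis0 capture in this post.
NONPROMISC_CAPTURE = """
09:42:00.415428 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 0, length 64
09:42:00.863206 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 0, length 64
09:42:01.416462 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 1, length 64
09:42:01.521373 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 1, length 64
09:42:02.417306 IP 192.168.2.5 > 192.168.2.31: ICMP echo request, id 49411, seq 2, length 64
09:42:02.439481 IP 192.168.2.31 > 192.168.2.5: ICMP echo reply, id 49411, seq 2, length 64
""".strip().splitlines()


if __name__ == "__main__":
    for line, gap in find_duplicates(PROMISC_CAPTURE):
        print("dup after %.6fs: %s" % (gap, line))
    print("promiscuous:", duplicate_summary(PROMISC_CAPTURE))
    print("non-promiscuous:", duplicate_summary(NONPROMISC_CAPTURE))
```

On the promiscuous capture every request and every reply repeats within a tenth of a second, in both directions, while the -p capture is clean; that is the same conclusion the post reaches by inspection, produced by a check you can run over any tcpdump text log before trusting what it shows.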

Monday, June 26, 2006

Details on Freenode Incident

If you're looking for details on the Freenode incident, check out Regular Ramblings. This single Slashdot post claims Ettercap was involved. I was online at the time as well.