Tuesday, October 27, 2009

Windows 7

I hate to admit this. I really do. I'm running Windows 7, and liking it. On two boxes, even.
My impressions so far are that it's:
1) Fast. Fast for Windows, at least. My 7 boxes boot up much faster than Vista ever did, and even faster than XP. I've made no changes so far as to reducing the "eye candy" settings, and everything I run on it loads quickly.
2) Friendlier. Much friendlier than Vista. No longer am I inundated with security pop-ups for every task I try to do. File sharing and copying and moving files and directories aren't the nightmare they were under Vista.
3) Backwards Compatible. Every program I ran under Vista and XP has worked so far under 7. Out of the box, with no downloads or wizards suggesting a workaround (with the exception of my printer, and the Vista driver works just fine).
4) Easy to install. Easiest ever. And a nice little bonus: the Windows 7 install (at least if you had a previous Vista installation) saves a copy of user data from your profile and other programs under a directory called Windows.old. And any directories created under system root are saved and written back out. Some folks will gripe about this. But consider the number of users who might have saved all their pictures in a directory called Pics off the root. And forgot to back them up in their haste to try out 7. This feature just saved all those photos of the trip to the Ozarks last summer. I like it. I can always go back and whack them later (I do Carbonite PLUS regular backups to a USB hard drive, but I like the protection anyway).
So, I might change my mind in a month, but so far it looks like a win for Microsoft to me. I've been frustrated with the bloatware from Redmond just like everyone else, from Windows 3.1 WFW to Vista, and let anyone in earshot know it. And as a network security guy, I'll still use Linux each day as much or more than Windows. But fair is fair. If you're going to bash 'em when they screw up, let's also commend them when they get it right.
I just hope I'm not retracting this whole post in a month or two. Fingers crossed.

Monday, October 26, 2009

China Cranks Up Cyber Spying Against US

From the Wall Street Journal:

October 23, Wall Street Journal – (International) China expands cyberspying in U.S., report says. The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are “straining the U.S. capacity to respond,” the report concludes. The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.
The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts would not name the company described in the case study, describing it only as “a firm involved in high-technology development.” The report did not provide a damage assessment and did not say specifically who was behind the attack against the U.S. company. But it said the company’s internal analysis indicated the attack originated in or came through China. The report concluded the attack was likely supported, if not orchestrated, by the Chinese government, because of the “professional quality” of the operation and the technical nature of the stolen information, which is not easily sold by rival companies or criminal groups. The operation also targeted specific data and processed “extremely large volumes” of stolen information, the report said. Attacks like that cited in the report hew closely to a blueprint frequently used by Chinese cyberspies, who in total steal $40 billion to $50 billion in intellectual property from U.S. organizations each year, according to U.S. intelligence agency estimates provided by a person familiar with them.
In the highly organized cyberspy scheme that drained valuable research and development information from a U.S. company, the report said, the hackers “operated at times using a communication channel between a host with an [Internet] address located in the People’s Republic of China and a server on the company’s internal network.” Source: http://online.wsj.com/article/SB125616872684400273.html

Thursday, October 22, 2009

One Packet Fingerprint

Interesting concept from Packet Maestro Mike Poor (I'm doing a refresh on the audio from SANS Sec 503 Intrusion Detection In-Depth). Mike notes how an ICMP echo request packet can differentiate between a Unix/Linux box and a Windows box, with one packet. Here's how. ICMP packets use a type and a code. For some types, like type 3, which is a Destination Unreachable error message, the code is relevant and tells you why it was unreachable (port unreachable, host unreachable, etc.). With echo request and reply packets, the code is unused, and is set to 0. A Windows box will reply to a request by changing the type from 8 (request) to 0 (reply), but also sets the code to 0. Unix and Linux ignore the code field since it's not used, and leave its value at whatever the request set it to. So by crafting an echo request packet with the code set to a non-zero value, you can look at the reply and determine the OS. Code reset to 0: Windows. Code left at the original value: Unix/Linux. This, of course, assumes the box is one of the two operating systems and the stack hasn't been mucked with to respond differently. Ofir Arkin explains this technique and other ways to use ICMP for recon in the paper found here.
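To make the request/reply exchange concrete, here is an added example (not code from the post, the SANS course, or Arkin's paper): it builds and parses ICMP echo messages, applies the code-field rule above to a matching request/reply pair, and, for the detection side, flags echo requests that carry a non-zero code, which ordinary ping traffic never sends. The `simulate_reply` function is a constructed stand-in for the two stack behaviours the post describes; nothing is put on the wire.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialize an echo request/reply: type, code, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; a valid message checksums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def guess_os(request: bytes, reply: bytes) -> str:
    """Apply the code-field rule from the post to a matching request/reply pair."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    if (req["type"] != ICMP_ECHO_REQUEST or rep["type"] != ICMP_ECHO_REPLY
            or req["id"] != rep["id"] or req["seq"] != rep["seq"]):
        return "not-a-matching-echo-pair"
    if req["code"] == 0:
        return "inconclusive"          # only a non-zero probe code separates the two
    if rep["code"] == 0:
        return "windows"               # stack normalized the code to 0
    if rep["code"] == req["code"]:
        return "unix-like"             # stack echoed the code untouched
    return "unknown"


def simulate_reply(request: bytes, stack: str) -> bytes:
    """Constructed stand-in for the two stack behaviours described in the post."""
    req = parse_icmp(request)
    code = 0 if stack == "windows" else req["code"]
    return build_echo(ICMP_ECHO_REPLY, code, req["id"], req["seq"], req["payload"])


def is_fingerprint_probe(packet: bytes) -> bool:
    """Detection side: an echo request with a non-zero code is not ordinary ping traffic."""
    p = parse_icmp(packet)
    return p["type"] == ICMP_ECHO_REQUEST and p["code"] != 0


if __name__ == "__main__":
    probe = build_echo(ICMP_ECHO_REQUEST, 7, 0x1234, 1, b"probe")
    for stack in ("windows", "linux"):
        print(stack, "->", guess_os(probe, simulate_reply(probe, stack)))
    print("probe flagged:", is_fingerprint_probe(probe))
```

The `is_fingerprint_probe` check is the piece a NIDS rule would carry: RFC 792 defines only code 0 for echo messages, so a request with any other code is worth logging as reconnaissance.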

Wednesday, October 21, 2009

Rapid 7 Buys Metasploit

It was announced this morning that Rapid 7, a network vulnerability and penetration testing company, purchased the Metasploit open source framework product from its creator, H.D. Moore, and brought him on board as CSO and Chief Architect for development of the product. Congratulations to H.D., and kudos and thanks for the years of offering the product to the network security community to test and assess their infrastructure. The CEO's press release can be found here. Metasploit will continue to be offered as open source.

Monday, October 19, 2009

Ford Engineer Charged With Trade Secret Theft

Think monitoring those USB devices being plugged into your company computers isn't important?
Xiang Dong Yu, also known as Mike Yu was arrested as he attempted to re-enter the United States through O'Hare, charged with copying over 4,000 design documents off of Ford's network and taking them to China and attempting to use them to secure a job. Details here.

Monday, October 12, 2009


I'm about to take my re-certification test for GCIH. Amazing how much has changed, and how much you forget in four years. Great stuff, Ed. Thanks!

Wednesday, October 7, 2009

DDoS Blocking?

From Network World:
October 5, Network World - (International) Prototype security software blocks DDoS attacks. Researchers have come up with host-based security software that blocks distributed denial-of-service attacks without swamping the memory and CPU of the host machines. The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.” This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says a professor of electrical and computer engineering at Auburn and lead author of the paper. The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says. Under IPCAF, authorized users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet so packets get authenticated one at a time. The receiving machines simply check the field value in each packet in order to decide whether to reject it. Only after the filter value checks out are more memory and CPU resources allocated to further process the packets, the professor says. IPCAF runs on servers and client machines and does its work with negligible impact on performance of the machines involved, he says. For instance, the CPU on a machine running IPCAF and processing legitimate requests during testing was 10.21 percent. That rose to 11.78 percent when the same machine was under attack, the professor says.
Source: http://www.computerworld.com/s/article/9138982/Prototype_security_software_blocks_DDoS_attacks
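The per-packet gate the article describes (a one-time credential, then a chain of pseudo IDs and packet-field values the receiver checks before spending resources) in simplified form, as an added example that is not the Auburn researchers' code: here the pseudo ID and the filter tag are derived with HMAC-SHA256 from the shared secret and a packet counter, which is my assumption about the construction, since the paper's exact scheme is not on this page. The server's cheap check is a dictionary lookup plus one HMAC; replayed, spoofed and tampered packets never reach the expensive handler.

```python
import hashlib
import hmac
import struct


def _derive(secret: bytes, label: bytes, session_id: bytes, counter: int, extra: bytes = b"") -> bytes:
    """HMAC-SHA256 keyed by the shared one-time secret; the label separates the two uses."""
    msg = label + session_id + struct.pack("!Q", counter) + extra
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Client:
    """Sender side: every packet carries a fresh pseudo ID and a filter tag over the payload."""

    def __init__(self, secret: bytes, session_id: bytes):
        self.secret, self.session_id, self.counter = secret, session_id, 0

    def send(self, payload: bytes) -> bytes:
        pseudo_id = _derive(self.secret, b"id", self.session_id, self.counter)[:4]
        tag = _derive(self.secret, b"tag", self.session_id, self.counter, payload)[:8]
        self.counter += 1
        return pseudo_id + tag + payload


class Server:
    """Receiver side: a dictionary lookup and one HMAC gate the expensive work."""

    def __init__(self, window: int = 8):
        self.window = window
        self.lookup = {}          # pseudo_id -> (session_id, counter) for upcoming packets
        self.sessions = {}        # session_id -> [secret, next_expected_counter]
        self.expensive_calls = 0

    def _pseudo_id(self, session_id: bytes, counter: int) -> bytes:
        return _derive(self.sessions[session_id][0], b"id", session_id, counter)[:4]

    def register(self, session_id: bytes, secret: bytes) -> None:
        """Called after the one-time authentication the article describes (assumed done)."""
        self.sessions[session_id] = [secret, 0]
        for c in range(self.window):
            self.lookup[self._pseudo_id(session_id, c)] = (session_id, c)

    def receive(self, packet: bytes) -> str:
        if len(packet) < 12:
            return "reject:short"
        hit = self.lookup.get(packet[:4])      # O(1): spoofed or replayed IDs stop here
        if hit is None:
            return "reject:unknown-id"
        session_id, counter = hit
        secret, next_counter = self.sessions[session_id]
        expected = _derive(secret, b"tag", session_id, counter, packet[12:])[:8]
        if not hmac.compare_digest(packet[4:12], expected):
            return "reject:bad-tag"            # ID copied from the wire, but payload or key is wrong
        # Accepted: retire this and any skipped counters (no replay), extend the window.
        for c in range(next_counter, counter + 1):
            self.lookup.pop(self._pseudo_id(session_id, c), None)
        for c in range(next_counter + self.window, counter + 1 + self.window):
            self.lookup[self._pseudo_id(session_id, c)] = (session_id, c)
        self.sessions[session_id][1] = counter + 1
        return self.handle(packet[12:])

    def handle(self, payload: bytes) -> str:
        """Stand-in for the memory/CPU-heavy processing only verified packets reach."""
        self.expensive_calls += 1
        return "accept:" + payload.decode("utf-8", "replace")


if __name__ == "__main__":
    secret, sid = b"one-time-secret-from-auth", b"sess01"   # constructed values
    client, server = Client(secret, sid), Server()
    server.register(sid, secret)
    first = client.send(b"hello")
    print(server.receive(first))            # accept:hello
    print(server.receive(first))            # reject:unknown-id (replay)
    print(server.receive(b"\x00" * 40))     # reject:unknown-id (spoof)
    print("expensive calls:", server.expensive_calls)
```

Two simplifications to keep in mind: a packet whose counter is lower than one already accepted is dropped as a replay, so out-of-order delivery needs a proper sliding-window bitmap in a real deployment, and the `register` step stands in for the one-time ID/password exchange, which is where the shared secret would actually come from.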

Cyber Security Awareness Month

October is Cyber Security Awareness Month, and the Internet Storm Center is posting a series of daily diary entries, each featuring a different port and its uses and misuses.
Check it out here.

Hotmail\Windows Live Passwords

Thousands of Windows Live accounts were compromised a few days ago, confirmed by Microsoft. Gmail and Yahoo accounts were also affected. If you use any of those services, it'd be prudent to change your password, though Microsoft reported they shut down the affected accounts and were working with users to get them reactivated.

Great Book

I'm currently reading "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks" by Michal Zalewski. It's a great book, and comes highly recommended from people like Stephen Northcutt and Richard Bejtlich. I'd definitely recommend checking it out.

Tuesday, October 6, 2009


My last post on IDS will be a high level description of Host Based Intrusion Detection.
Host Based Intrusion Detection, or HIDS, is a sensor that is based on the monitored device itself, as the name suggests. Whereas a NIDS monitors an entire network segment, and all of the hosts that talk on it, a HIDS watches for activity on one computer.
There are several ways that a HIDS accomplishes this. The first is by monitoring the logs from the application that the server hosts. A policy is applied to the HIDS telling it where the log file resides, what format it's in, how often it rotates, and other config settings, such as whether the HIDS needs to undo evasion tactics, like uuencoding or hex equivalents used to mask strings. The log is tailed and compared to signatures, like a NIDS, and if a pattern matches, the software alerts.
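An added example of that log-monitoring path (my own code, not any particular HIDS product): constructed web-server log lines are tailed from a file with rotation and truncation handled, each new line is normalized by repeatedly undoing URL hex encoding so that double-encoded `%252f` cannot hide a `../`, and the decoded line is run against a small signature list. The signatures and sample lines are constructed for the illustration.

```python
import os
import re
import tempfile
import urllib.parse

# Signatures a HIDS policy might carry for a web server's access log (constructed).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("cmd.exe-request", re.compile(r"cmd\.exe", re.IGNORECASE)),
    ("sql-union", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
]

# Constructed sample lines in Common Log Format; the second one is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Oct/2009:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Oct/2009:10:00:02 -0500] "GET /scripts/..%252f..%252fwinnt/system32/cmd%2Eexe?/c+dir HTTP/1.1" 404 0',
    '10.0.0.9 - - [07/Oct/2009:10:00:03 -0500] "GET /page.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 90',
]


def normalize(line: str, max_rounds: int = 3) -> str:
    """Undo URL hex encoding, repeatedly, so a double-encoded string is seen in the clear."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def match_signatures(line: str) -> list:
    """Names of every signature that matches the decoded form of the line."""
    norm = normalize(line)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


class LogTailer:
    """Reads only new complete lines; a new inode or a shrunken file means rotation, so restart."""

    def __init__(self, path: str):
        self.path, self.offset, self.inode = path, 0, None

    def read_new_lines(self) -> list:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0     # rotated or truncated: start over
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        cut = data.rfind(b"\n") + 1                     # leave a partial last line for the next poll
        self.offset += cut
        return data[:cut].decode("utf-8", "replace").splitlines()

    def poll(self) -> list:
        """One tail cycle: (signature names, raw line) for each new line that matches."""
        alerts = []
        for line in self.read_new_lines():
            hits = match_signatures(line)
            if hits:
                alerts.append((hits, line))
        return alerts


def run_demo() -> dict:
    """Write the constructed log, poll, append, rotate; return the alert count per phase."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.log")
        with open(path, "w") as f:
            f.write(SAMPLE_LOG[0] + "\n" + SAMPLE_LOG[1] + "\n")
        tailer = LogTailer(path)
        initial = len(tailer.poll())
        with open(path, "a") as f:
            f.write(SAMPLE_LOG[2] + "\n")
        appended = len(tailer.poll())
        os.remove(path)                                 # logrotate-style: fresh file, same name
        with open(path, "w") as f:
            f.write(SAMPLE_LOG[1] + "\n")
        rotated = len(tailer.poll())
        return {"initial": initial, "appended": appended, "rotated": rotated}


if __name__ == "__main__":
    print(run_demo())
```

Bounding the decode rounds matters: an attacker can nest encodings deeper than any fixed loop, so the policy should also alert on a line that is still changing after the last round rather than silently accepting it.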
Host-based IDS also does system integrity checking, similar to Tripwire. Certain key system files are monitored for things like their MD5 sum, file creation and modification times, and size. If a file is modified or removed, the system sends an alert. The system can also monitor the system logs (like Event Viewer on a Windows box or the log files in /var/log on a Linux box) and alert on certain entries. It can also monitor the registry on a Windows box for modifications to certain keys or new entries, like a new process added to the Run key.
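The integrity-checking side as an added example (my code, not Tripwire's or any product's): a baseline of hash, size and mtime is taken for a set of watched files, and a later check reports modified and removed files. SHA-256 is used here instead of the MD5 the post mentions, since MD5 collisions are practical today. The demo scenario is constructed: one file gets a same-length edit with its old timestamps put back, so only the hash reveals the change, and a second file is deleted.

```python
import hashlib
import os
import tempfile


def file_record(path: str) -> dict:
    """Hash plus the metadata a HIDS baseline keeps for each watched file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root: str, names: list) -> dict:
    """Snapshot the watched files; in practice the result is stored signed and off-host."""
    return {name: file_record(os.path.join(root, name)) for name in names}


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare current state to the baseline; the hash decides, the metadata explains."""
    report = {"modified": [], "removed": [], "unchanged": []}
    for name, old in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report["removed"].append(name)
            continue
        now = file_record(path)
        if now["sha256"] == old["sha256"]:
            report["unchanged"].append(name)
        else:
            changed = [k for k in old if now[k] != old[k]]
            report["modified"].append((name, changed))
    return report


def run_demo() -> dict:
    """Constructed scenario: one file edited with timestamps restored, one file deleted."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "sshd_config": b"PermitRootLogin no\n",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root, list(files))

        # Same-length edit, then the old access/modification times are put back
        # (timestomping), so size and mtime look untouched and only the hash differs.
        passwd = os.path.join(root, "passwd")
        old_st = os.stat(passwd)
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/zz\n")
        os.utime(passwd, (old_st.st_atime, old_st.st_mtime))
        os.remove(os.path.join(root, "sshd_config"))
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

The `changed` list in the report is what makes an alert actionable: a modification that shows only a hash change, with size and mtime intact, is a stronger signal of deliberate tampering than one where all three moved together.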
And lastly, the HIDS may have the ability to monitor the kernel of the system itself. If a process installs a system-call or interrupt hook into the kernel, which could be indicative of a rootkit, the program can alert and identify the location on the file system of the process that initiated it.
This is a very simple, high-level overview of IDS. If you are new to network security or just interested in learning more, there are tons of good books on the subject. One of the better ones I've read is "Network Intrusion Detection" by Stephen Northcutt and Judy Novak. Stephen also co-authored "Intrusion Signatures and Analysis", which I consider to be the companion work, and would recommend reading both.
