Round 5 of Netwars has begun. What is Netwars? It's a network security game sponsored by SANS designed to help you learn how to handle real-world scenarios, sharpen your skills, and learn new techniques for penetrating (and therefore learning to defend) your network.
Full information is available at the SANS Netwars site found here.
Thursday, December 17, 2009
Friday, December 11, 2009
DNSCAP
I was doing some analysis of dns traffic, and using BPF's to pull certain fields out of the header today, when I did a search for a better header diagram than the one I had. I stumbled upon a program called dnscap. Don't know how I missed this great little tool, but it's part of my toolkit now.
dnscap is a sniffer, like tcpdump, but specifically written to parse dns. It's available from the Domain Name Systems Operations Analysis and Research Center (known as DNS-OARC), found here. If you do analysis on dns traffic on a regular basis, or even if you only have an occasional need to, I recommend you grab a copy and put it on your analysis boxes. If you're running Fedora, it's available via yum, and may be in the repositories for other flavors as well...
Here's part of the man page..
NAME
dnscap - DNS network traffic capture utility
SYNOPSIS
dnscap [-ad1g?6vs] [-i if ...] [-o file] [-l vlan ...] [-p port]
[-x pat ...] [-m [quir]] [-h [ir]] [-e [ny]] [-q host ...]
[-r host ...] [-b base [-k cmd]] [-t lim] [-c lim]
DESCRIPTION
dnscap is a network capture utility designed specifically for DNS traf-
fic. It normally produces binary data in pcap(3) format, either on stan-
dard output or in successive dump files (based on the -b command line
option.) This utility is similar to tcpdump(1), but has finer grained
packet recognition tailored to DNS transactions and protocol options.
dnscap is expected to be used for gathering continuous research or audit
traces.
Wednesday, November 25, 2009
Network Miner 0.91
Jim Clausing posted an article on the Storm Center diary today about some updates to network security tools (Jim is always all over that.. he's sort of the Tim "The Tool Man" Taylor of the NetSec world) and mentioned there was an update to Network Miner. I'd never looked at it before, that I remember, so I downloaded the latest version. What a neat tool. It runs on Windows, and uses Winpcap (it doesn't install Winpcap but if you do NetSec you'd probably already have it installed.) Just unzip the archive and fire it up. Tell it what interface to monitor, and it begins to track host connections to your box, showing the IP, fingerprint of the OS, frames received, files transferred, images, messages, credentials, sessions, DNS requests, any clear text and even what it deems anomalies. Very nice. I'll definitely keep this one in my toolkit for Windows hosts. You can get the latest version at SourceForge and if you don't have Winpcap, get that here.
Friday, November 20, 2009
NSA helped with Windows 7 development
According to Richard Schaeffer, information assurance director for the NSA, the agency worked with Microsoft and the DoD to enhance security in Windows 7. The agency was also involved in Windows Vista, XP and Windows 2000.
Full article from Computerworld here.
Full article from Computerworld here.
Monday, November 2, 2009
Summary of Cyber Security Awareness Month Articles
Each day last month, which was Cyber Security Awareness Month, the handlers at the Internet Storm Center wrote a diary article drilling down on a particular port or set of ports and the app that uses them. Now that it's done, what we've ended up with is a nice 31 chapter primer on common ports. So the Director, Marcus Sachs, made a summary page to that end. Link is here. Enjoy.
Tuesday, October 27, 2009
Windows 7
I hate to admit this. I really do. I'm running Windows 7, and liking it. On two boxes, even.
My impressions so far are that it's:
1) Fast. Fast for Windows, at least. My 7 boxes boot up much faster than Vista ever did, and even faster than XP. I've made no changes so far as to reducing the "eye candy" settings, and everything I run on it loads quickly.
2) Friendlier. Much friendlier than Vista. No longer am I inundated with security pop-ups for every task I try to do. File sharing and copying and moving files and directories aren't the nightmare they were under Vista.
3) Backwards Compatible. Every program I ran under Vista and XP has worked so far under 7. Out of the box, with no downloads or wizards suggesting a work around (with the exception of my printer, and the Vista driver works just fine).
4) Easy to install. Easiest ever. and a nice little bonus.. Windows 7 install (at least if you had a previous Vista installation) saves a copy of user data from your profile and other programs under a directory called Windows.old. And any directories created under system root are saved and written back out. Some folks will gripe about this. But consider the number of users who might have saved all their pictures in a directory called Pics off the root. And forgot to back them up in their haste to try out 7. This feature just saved all those photos of the trip to the Ozarks last summer. I like it. I can always go back and whack them later (I do Carbonite PLUS regular backups to a USB hard drive, but I like the protection anyway).
So, I might change my mind in a month, but so far it looks like a win for Microsoft to me. I've been frustrated with the bloatware from Redmond just like everyone else, from Windows 3.1 WFW to Vista, and let anyone in earshot know it. And as a network security guy, I'll still use Linux each day as much or more than Windows. But fair is fair. If you're going to bash 'em when they screw up, let's also commend them when they get it right.
I just hope I'm not retracting this whole post in a month or two. Finger crossed.
My impressions so far are that it's:
1) Fast. Fast for Windows, at least. My 7 boxes boot up much faster than Vista ever did, and even faster than XP. I've made no changes so far as to reducing the "eye candy" settings, and everything I run on it loads quickly.
2) Friendlier. Much friendlier than Vista. No longer am I inundated with security pop-ups for every task I try to do. File sharing and copying and moving files and directories aren't the nightmare they were under Vista.
3) Backwards Compatible. Every program I ran under Vista and XP has worked so far under 7. Out of the box, with no downloads or wizards suggesting a work around (with the exception of my printer, and the Vista driver works just fine).
4) Easy to install. Easiest ever. and a nice little bonus.. Windows 7 install (at least if you had a previous Vista installation) saves a copy of user data from your profile and other programs under a directory called Windows.old. And any directories created under system root are saved and written back out. Some folks will gripe about this. But consider the number of users who might have saved all their pictures in a directory called Pics off the root. And forgot to back them up in their haste to try out 7. This feature just saved all those photos of the trip to the Ozarks last summer. I like it. I can always go back and whack them later (I do Carbonite PLUS regular backups to a USB hard drive, but I like the protection anyway).
So, I might change my mind in a month, but so far it looks like a win for Microsoft to me. I've been frustrated with the bloatware from Redmond just like everyone else, from Windows 3.1 WFW to Vista, and let anyone in earshot know it. And as a network security guy, I'll still use Linux each day as much or more than Windows. But fair is fair. If you're going to bash 'em when they screw up, let's also commend them when they get it right.
I just hope I'm not retracting this whole post in a month or two. Finger crossed.
Monday, October 26, 2009
China Cranks Up Cyber Spying Against US
From the Wall Street Journal:
October 23, Wall Street Journal – (International) China expands cyberspying in U.S., report says. The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are “straining the U.S. capacity to respond,” the report concludes. The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.
The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts would not name the company described in the case study, describing it only as “a firm involved in high-technology development.” The report did not provide a damage assessment and did not say specifically who was behind the attack against the U.S. company. But it said the company’s internal analysis indicated the attack originated in or came through China. The report concluded the attack was likely supported, if not orchestrated, by the Chinese government, because of the “professional quality” of the operation and the technical nature of the stolen information, which is not easily sold by rival companies or criminal groups. The operation also targeted specific data and processed “extremely large volumes” of stolen information, the report said. Attacks like that cited in the report hew closely to a blueprint frequently used by Chinese cyberspies, who in total steal $40 billion to $50 billion in intellectual property from U.S. organizations each year, according to U.S. intelligence agency estimates provided by a person familiar with them.
In the highly organized cyberspy scheme that drained valuable research and development information from a U.S. company, the report said, the hackers “operated at times using a communication channel between a host with an [Internet] address located in the People’s Republic of China and a server on the company’s internal network.” Source: http://online.wsj.com/article/SB125616872684400273.html 10.
October 23, Wall Street Journal – (International) China expands cyberspying in U.S., report says. The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are “straining the U.S. capacity to respond,” the report concludes. The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.
The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts would not name the company described in the case study, describing it only as “a firm involved in high-technology development.” The report did not provide a damage assessment and did not say specifically who was behind the attack against the U.S. company. But it said the company’s internal analysis indicated the attack originated in or came through China. The report concluded the attack was likely supported, if not orchestrated, by the Chinese government, because of the “professional quality” of the operation and the technical nature of the stolen information, which is not easily sold by rival companies or criminal groups. The operation also targeted specific data and processed “extremely large volumes” of stolen information, the report said. Attacks like that cited in the report hew closely to a blueprint frequently used by Chinese cyberspies, who in total steal $40 billion to $50 billion in intellectual property from U.S. organizations each year, according to U.S. intelligence agency estimates provided by a person familiar with them.
In the highly organized cyberspy scheme that drained valuable research and development information from a U.S. company, the report said, the hackers “operated at times using a communication channel between a host with an [Internet] address located in the People’s Republic of China and a server on the company’s internal network.” Source: http://online.wsj.com/article/SB125616872684400273.html 10.
Thursday, October 22, 2009
One Packet Fingerprint
Interesting concept from Packet Maestro Mike Poor (I'm doing a refresh on the audio from SANS Sec 503 Intrusion Detection In-Depth). Mike notes how an ICMP request packet could differentiate between a Unix/Linux box and Windows box, with one packet. Here's how. ICMP packets use a type and code. For some , like type 3, which is a Destination Unreachable error message, the code is relevant and tells you why it was unreachable (port unreachable, host unreachable, etc.) With echo request and reply packets, the code is irrelevant, and is set to 0. A Windows box will reply to a request by changing the type from 8, request, to 0, reply, but also sets the code to 0. Unix and Linux ignores the code field since it's not used and leaves it's value at what ever the request was set to. So by crafting an echo request packet with the code set to a non-zero value, you can look at the reply and determine the OS. Code reset to 0, Windows. Code set to the original value, Unix/Linux. This of course, assumes the box is one of the two operating systems and the stack hasn't been mucked with to respond differently. Ofir Arkin explains this technique and other ways to use ICMP for recon in the paper found here.
Wednesday, October 21, 2009
Rapid 7 Buys Metasploit
It was announced this morning that Rapid 7, a network vulnerability and penetration testing company, purchased the Metasploit open source framework product from it's creator, H.D. Moore, and brought him on board as CSO and Chief Architect for development of the product. Congratulations to H.D. and kudos and thanks for the years of offering the product to the network security community to test and assess their infrastructure. The CEO's press release can be found here. Metasploit will continue to be offered as open source..
Monday, October 19, 2009
Ford Engineer Charged With Trade Secret Theft
Think monitoring those USB devices being plugged into your company computers isn't important?
Xiang Dong Yu, also known as Mike Yu was arrested as he attempted to re-enter the United States through O'Hare, charged with copying over 4,000 design documents off of Ford's network and taking them to China and attempting to use them to secure a job. Details here.
Xiang Dong Yu, also known as Mike Yu was arrested as he attempted to re-enter the United States through O'Hare, charged with copying over 4,000 design documents off of Ford's network and taking them to China and attempting to use them to secure a job. Details here.
Monday, October 12, 2009
Recert
I'm about to take my re-certification test for GCIH. Amazing how much has changed, and how much you forget in four years. Great stuff, Ed. Thanks!
Wednesday, October 7, 2009
DDoS Blocking?
From Network World:
October 5, Network World - (International) Prototype security software blocks DDoS attacks. Researchers have come up with host-based security software that blocks distributed denial-of-service attacks without swamping the memory and CPU of the host machines.The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.” This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says a professor of electrical and computer engineering at Auburn and lead author of the paper. The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says. Under IPCAF authorized users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet so packets get authenticated one at a time. The receiving machines simply check the field value in each packet in order to decide whether to reject it. Only after the filter value checks out are more memory and CPU resources allocated to further process the packets, the professor says. IPCAF runs on servers and client machines and does its work with negligible impact on performance of the machines involved, he says. For instance, the CPU on a machine running IPCAF and processing legitimate requests during testing was 10.21 percent. That rose to 11.78 percent when the same machine was under attack, the professor says. Source: http://www.computerworld.com/s/article/9138982/Prototype_security_software_blocks _DDoS_attacks
October 5, Network World - (International) Prototype security software blocks DDoS attacks. Researchers have come up with host-based security software that blocks distributed denial-of-service attacks without swamping the memory and CPU of the host machines.The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.” This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says a professor of electrical and computer engineering at Auburn and lead author of the paper. The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says. Under IPCAF authorized users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet so packets get authenticated one at a time. The receiving machines simply check the field value in each packet in order to decide whether to reject it. Only after the filter value checks out are more memory and CPU resources allocated to further process the packets, the professor says. IPCAF runs on servers and client machines and does its work with negligible impact on performance of the machines involved, he says. For instance, the CPU on a machine running IPCAF and processing legitimate requests during testing was 10.21 percent. That rose to 11.78 percent when the same machine was under attack, the professor says. Source: http://www.computerworld.com/s/article/9138982/Prototype_security_software_blocks _DDoS_attacks
Cyber Security Awareness Month
October is Cyber Security Awareness Month, and the Internet Storm Center is posting a series of daily diary entries, each featuring a different port and it's uses and misuses.
Check it out at here.
Check it out at here.
Hotmail\Windows Live Passwords
Thousands of Windows Live accounts were compromised a few days ago, confirmed by Microsoft. Gmail and Yahoo accounts were also affected. If you use any of those services, it's be prudent to change your password, though Microsoft reported they shut down their affected accounts and were working with users to get them reactivated....
Great Book
I'm currently reading "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski. It's a great book, and comes highly recommended from people like Stephen Northcutt and Richard Bejtlich. I'd definitely recommend checking it out.
Tuesday, October 6, 2009
HIDS
My last post on IDS will be a high level description of Host Based Intrusion Detection.
Host Based Intrusion Detection, or HIDS, is a sensor that is based on the monitored device itself, as the name suggests. Whereas a NIDS monitors an entire network segment, and all of the hosts that talk on it, a HIDS watches for activity on one computer.
There are several ways that a HIDS accomplishes this. The first one is by monitoring the logs from the application that the server hosts. A policy will be applied to the HIDS telling it where the log file resides, what format it's in, how often it rotates and other config settings, such as whether the HIDS needs to do conversion from evasion tactics, like using uuencoding or hex equivalents to mask strings. The log is tailed and compared to signatures, like a NIDS, and if a pattern matched the software alerts.
Host based also does system integrity checking, similar to Tripwire. Certain key system files are monitored for things like their MD5 sum, file creation and modification times and size. If a file is modified or removed, the system will send an alert. The system can also monitor the system logs (like Event Viewer on a Windows box or logfiles in var/log on a Linux box) and alert on certain entries. It can aslo monitor the registry on a Windows box for certain key modifications or new entries, like a new process added to the Run key.
And lastly, the HIDS may have the ability to monitor the kernel of the system itself. If a process puts a system call or interrupts hook into the kernel, which could be indicative of a rootkit, the program can alert and identify the location on the file system of the process that initiated it.
This is is a very simple, high level overview of IDS. If you are new to network security or just interested in learning more, there are tons of good books on the subject. One of the better ones I've read is "Network Intrusion Detection" by Stephen Northcutt and Judy Novak. Stephen also co-authored "Intrusion Signatures and Analysis", which I consider to be the companion work, and would recommend reading both.
Host Based Intrusion Detection, or HIDS, is a sensor that is based on the monitored device itself, as the name suggests. Whereas a NIDS monitors an entire network segment, and all of the hosts that talk on it, a HIDS watches for activity on one computer.
There are several ways that a HIDS accomplishes this. The first one is by monitoring the logs from the application that the server hosts. A policy will be applied to the HIDS telling it where the log file resides, what format it's in, how often it rotates and other config settings, such as whether the HIDS needs to do conversion from evasion tactics, like using uuencoding or hex equivalents to mask strings. The log is tailed and compared to signatures, like a NIDS, and if a pattern matched the software alerts.
Host based also does system integrity checking, similar to Tripwire. Certain key system files are monitored for things like their MD5 sum, file creation and modification times and size. If a file is modified or removed, the system will send an alert. The system can also monitor the system logs (like Event Viewer on a Windows box or logfiles in var/log on a Linux box) and alert on certain entries. It can aslo monitor the registry on a Windows box for certain key modifications or new entries, like a new process added to the Run key.
And lastly, the HIDS may have the ability to monitor the kernel of the system itself. If a process puts a system call or interrupts hook into the kernel, which could be indicative of a rootkit, the program can alert and identify the location on the file system of the process that initiated it.
This is is a very simple, high level overview of IDS. If you are new to network security or just interested in learning more, there are tons of good books on the subject. One of the better ones I've read is "Network Intrusion Detection" by Stephen Northcutt and Judy Novak. Stephen also co-authored "Intrusion Signatures and Analysis", which I consider to be the companion work, and would recommend reading both.
Thursday, September 24, 2009
Tuning The IDS
In tuning your IDS, you might want to take the "low hanging fruit" approach first. Once you have the system up and running, and your alerting is working properly, start by finding signatures that generate a lot of alerts and can be positively confirmed as false positives. For example, say you get a ton of ICA alerts to a Citrix Server. That is the function of the server, so that type of traffic is expected and normal.
How do you want to tune this? You want to be efficient and not make the system inspect any more traffic than it has to, and also be mindful you don't do it in a way that filters out traffic you might want to see. You might decide to change the signature and modify it so it only alerts on connections from external or non-trusted networks to an internal host. This would affect all Citrix Servers on your network, which might be what you want. You need to determine risk vs efficiency here.
Or you might want to apply a filter to only your internal sensors for any traffic to that server(s). If you want even less risk, you might write your filter to ignore only your internal network segments going to those servers.
You may maintain different sets of signatures for different types of sensors, too. You could have a library for external Internet servers, another for internal servers, and yet another for the corporate frame or intranet. By doing so you can exclude signatures that would require a lot of tuning. It all depends on your risk model for that connection.
Another way to tune out alerts you may not care about would be to disable ones not relevant to your network. If all of your Internet facing servers run Windows, you could disable signatures for exploits against Linux or Solaris. If you're strictly a IIS shop, you may not care about blind attacks against Apache Web servers. On the other hand, it IS hostile traffic directed at you. You have to determine how much risk you're willing to accept to increase the performance of your system.
I've heard of network security admins who say they're not willing to accept ANY risk, and they want to run every signature available for their system. This is a really bad idea for a couple of reasons.
Tuning is done primarily for two reasons. One, to filter out the background noise of false positives or true positives that have no effect on you, and two, to streamline the performance of your sensors. Each signature you apply means your sensor has to inspect packets traversing it for those particular attributes. Running all signatures puts a huge load on your sensors, and generates so many alerts it's very difficult to focus on the relevant ones.
There are a lot of ways to tune an IDS, and you won't ever reach a point where you sit back and say "I'm finally done tuning this thing.."
An IDS needs constant care, maintenance and tuning. If you're the lone network security person where you work, you may find you spend a significant part of your day working on it. It will need tuning as new signatures are added, new circuits are deployed and new applications are rolled out. Oh, and on top of all this, you need to allow a little time to actually LOOK at the alerts. That's pretty important too!
How do you want to tune this? You want to be efficient and not make the system inspect any more traffic than it has to, and also be mindful you don't do it in a way that filters out traffic you might want to see. You might decide to change the signature and modify it so it only alerts on connections from external or non-trusted networks to an internal host. This would affect all Citrix Servers on your network, which might be what you want. You need to determine risk vs efficiency here.
Or you might want to apply a filter to only your internal sensors for any traffic to that server(s). If you want even less risk, you might write your filter to ignore only your internal network segments going to those servers.
You may maintain different sets of signatures for different types of sensors, too. You could have a library for external Internet servers, another for internal servers, and yet another for the corporate frame or intranet. By doing so you can exclude signatures that would require a lot of tuning. It all depends on your risk model for that connection.
Another way to tune out alerts you may not care about would be to disable ones not relevant to your network. If all of your Internet facing servers run Windows, you could disable signatures for exploits against Linux or Solaris. If you're strictly a IIS shop, you may not care about blind attacks against Apache Web servers. On the other hand, it IS hostile traffic directed at you. You have to determine how much risk you're willing to accept to increase the performance of your system.
I've heard of network security admins who say they're not willing to accept ANY risk, and they want to run every signature available for their system. This is a really bad idea for a couple of reasons.
Tuning is done primarily for two reasons. One, to filter out the background noise of false positives or true positives that have no effect on you, and two, to streamline the performance of your sensors. Each signature you apply means your sensor has to inspect packets traversing it for those particular attributes. Running all signatures puts a huge load on your sensors, and generates so many alerts it's very difficult to focus on the relevant ones.
There are a lot of ways to tune an IDS, and you won't ever reach a point where you sit back and say "I'm finally done tuning this thing.."
An IDS needs constant care, maintenance and tuning. If you're the lone network security person where you work, you may find you spend a significant part of your day working on it. It will need tuning as new signatures are added, new circuits are deployed and new applications are rolled out. Oh, and on top of all this, you need to allow a little time to actually LOOK at the alerts. That's pretty important too!
Wednesday, September 23, 2009
IDS Detection
The most common way an IDS detects malicious traffic is through the use of signatures. A signature is a string that the IDS looks for in a packet and does a comparison for. If the string matches, the IDS alerts. The string can be a simple ASCII string, such as "cat /etc/passwd", or it can be a regular expression which allows much more granular control, or a binary match.
There are many ways to evade signature-based detection, using different forms of encoding, fragmentation, and other forms. IDS must be able to combat these methods to ensure what it sees will match what the packet ultimately looks like when it reaches the destination host.
Some IDS use pre-processors, modules that massage the data before running it through the rules base for efficiency. For example, if an attacker fragments his traffic with overlapping fragments (a fragment that overwrites part of a previous fragment) an IDS has to be able to reconstruct that packet the same way the host that receives it would. Some systems favor the original fragment that would have been overwritten, and some the fragment that overwrites the previous. Knowing which way your server will reconstruct this traffic is very important. Snort, for example, reassembles the packets both ways, since you may have Windows-based, Unix-based or other operating systems on the host. Others, like Dragon, force you to choose one method or the other. As long as all the systems on a segment being monitored are all on the same platform, this isn't a problem.
Signatures also specify other attributes, like which direction the packet is coming from, ports, protocols and more. Each one tunes the signature to be more specific, eliminating possible false positives.
The IDS engine does detection with built-in parameters that doesn't require a separate signature. For example, there may be an ICMP module in your IDS that alerts on packets over a certain size, or a certain number of packets in a time frame all going to one host to detect a ping flood. It may look for scanning by keeping track of the number of different hosts an external address tries to connect to one one port, or the number of ports on one host it tries to connect to (port sweeps and port scans).
Stateful inspection is important here. An IDS needs to be able to keep track of state to determine if packets are part of an existing connection or a new connection. Shell code being bounced off a server without a connection ever being made might cause the analyst to take notice and investigate what else the attacker might be doing, whereas shell code being passed on an established TCP connection would be cause to take action immediately.
Anomaly-based detection uses profiles to try and establish a baseline of what is "normal" traffic, and alerts you when traffic not fitting that profile occurs. Let's say you have a Web server that is primarily used by a few customers in the same country as you, in the morning hours Monday through Friday. The rest of the time there is little to no traffic to the box. Then one Saturday morning at 3:00 AM, the box is inundated with traffic from another country. There may be nothing in that traffic that triggers a signature or the IDS engine, but the deviation from the norm is curious at the least and probably alarming. Anomaly detection tries to determine events of this type.
This is obviously a very simplistic overview. There is much more that could be said for each type of detection, and other types like heuristics, protocol-decoding, etc., that you can read about if you'd like to learn more.
There are many ways to evade signature-based detection, using different forms of encoding, fragmentation, and other forms. IDS must be able to combat these methods to ensure what it sees will match what the packet ultimately looks like when it reaches the destination host.
Some IDS use pre-processors, modules that massage the data before running it through the rules base for efficiency. For example, if an attacker fragments his traffic with overlapping fragments (a fragment that overwrites part of a previous fragment) an IDS has to be able to reconstruct that packet the same way the host that receives it would. Some systems favor the original fragment that would have been overwritten, and some the fragment that overwrites the previous. Knowing which way your server will reconstruct this traffic is very important. Snort, for example, reassembles the packets both ways, since you may have Windows-based, Unix-based or other operating systems on the host. Others, like Dragon, force you to choose one method or the other. As long as all the systems on a segment being monitored are all on the same platform, this isn't a problem.
Signatures also specify other attributes, like which direction the packet is coming from, ports, protocols and more. Each one tunes the signature to be more specific, eliminating possible false positives.
The IDS engine does detection with built-in parameters that doesn't require a separate signature. For example, there may be an ICMP module in your IDS that alerts on packets over a certain size, or a certain number of packets in a time frame all going to one host to detect a ping flood. It may look for scanning by keeping track of the number of different hosts an external address tries to connect to one one port, or the number of ports on one host it tries to connect to (port sweeps and port scans).
Stateful inspection is important here. An IDS needs to be able to keep track of state to determine if packets are part of an existing connection or a new connection. Shell code being bounced off a server without a connection ever being made might cause the analyst to take notice and investigate what else the attacker might be doing, whereas shell code being passed on an established TCP connection would be cause to take action immediately.
Anomaly-based detection uses profiles to try and establish a baseline of what is "normal" traffic, and alerts you when traffic not fitting that profile occurs. Let's say you have a Web server that is primarily used by a few customers in the same country as you, in the morning hours Monday through Friday. The rest of the time there is little to no traffic to the box. Then one Saturday morning at 3:00 AM, the box is inundated with traffic from another country. There may be nothing in that traffic that triggers a signature or the IDS engine, but the deviation from the norm is curious at the least and probably alarming. Anomaly detection tries to determine events of this type.
This is obviously a very simplistic overview. There is much more that could be said for each type of detection, and other types like heuristics, protocol-decoding, etc., that you can read about if you'd like to learn more.
Friday, September 18, 2009
IDS Monitoring
How do you monitor the network with an IDS?
There are a couple of different ways, depending on what segment you wish to monitor and your budget. The first way is via a network tap. A tap is a device that sits in-line and duplicates all packets to another interface or multiple interfaces for monitoring.
There are several different types of taps: passive or active, half duplex or full, single device or multiple.
A passive tap allows you to monitor all packets going through the device by copying the packets to one port (full-duplex) or two (half-duplex). Full duplex taps must use a time of arrival algorithm to aggregate the stream on the monitoring port. Simplex taps use two monitoring ports, once for each network port. You must use channel bonding on the monitoring device to aggregate them back into one stream.
An active tap allows you to put packets from the monitoring device back through the tap onto the network. This is used for active response in IDS, that is, shooting down certain traffic you wish to stop. This is usually done by sending spoofed RST (reset) packets to both ends of the connection and tearing it down.
Some taps (called regeneration taps by some vendors) can regenerate the traffic stream to multiple network ports, allowing more than device to monitor it. You may, for example, use a four device tap at an Internet ingress point, and patch one port to your IDS, another to a packet auditing system like IDABench or Shadow, another to an analysis/statistics box for the network team and leave the fourth available for some future use, such as vendor troubleshooting.
SPAN ports, or port mirroring, are done on the switch. A span port is a switch port that is set up to receive copies of all packets seen by another port. Though easy to set up and not requiring any additional cost, there are disadvantages to span ports as opposed to taps. Span ports can drop packets such as runt packets (undersized), giants (oversized packets), and packets with CRC errors. Also, if a switch gets overloaded and experiences high utilization, the SPAN port will be the first place the switch will start dropping packets. If you are under an attack that creates large amounts of traffic, you may start losing packets at the very time it's critical to see them.
In the next post, I'll cover the different ways an IDS can detect malicious traffic.
There are a couple of different ways, depending on what segment you wish to monitor and your budget. The first way is via a network tap. A tap is a device that sits in-line and duplicates all packets to another interface or multiple interfaces for monitoring.
There are several different types of taps: passive or active, half duplex or full, single device or multiple.
A passive tap allows you to monitor all packets going through the device by copying the packets to one port (full-duplex) or two (half-duplex). Full duplex taps must use a time of arrival algorithm to aggregate the stream on the monitoring port. Simplex taps use two monitoring ports, once for each network port. You must use channel bonding on the monitoring device to aggregate them back into one stream.
An active tap allows you to put packets from the monitoring device back through the tap onto the network. This is used for active response in IDS, that is, shooting down certain traffic you wish to stop. This is usually done by sending spoofed RST (reset) packets to both ends of the connection and tearing it down.
Some taps (called regeneration taps by some vendors) can regenerate the traffic stream to multiple network ports, allowing more than device to monitor it. You may, for example, use a four device tap at an Internet ingress point, and patch one port to your IDS, another to a packet auditing system like IDABench or Shadow, another to an analysis/statistics box for the network team and leave the fourth available for some future use, such as vendor troubleshooting.
SPAN ports, or port mirroring, are done on the switch. A span port is a switch port that is set up to receive copies of all packets seen by another port. Though easy to set up and not requiring any additional cost, there are disadvantages to span ports as opposed to taps. Span ports can drop packets such as runt packets (undersized), giants (oversized packets), and packets with CRC errors. Also, if a switch gets overloaded and experiences high utilization, the SPAN port will be the first place the switch will start dropping packets. If you are under an attack that creates large amounts of traffic, you may start losing packets at the very time it's critical to see them.
In the next post, I'll cover the different ways an IDS can detect malicious traffic.
Thursday, September 17, 2009
IDS - The Intrusion Detection System
I'm going to take the next few posts to talk about IDS, Intrusion Detection Systems. I'll discuss it from the ground up for those who are new to Network Security.
An Intrusion Detection System is a host or piece of software that monitors either network traffic streams or logs and processes on one box for malicious activity. There are two distinct types of systems, NIDS and HIDS.
NIDS - Network Intrusion Detection System: A NIDS monitors network traffic. It can be placed about anywhere there is a need for it, but the most common placement is at an ingress point where Internet traffic comes into the network. There is some debate as to the optimal placement at an Internet choke point, as to whether it should monitor inside the firewalls or outside, but my experience is most experts agree if you only have one, inside is better. (Having one inside and one outside is, of course, even better).
There are several reasons for this. A NIDS that is placed inside the firewall is seeing traffic that was not dropped (either by design or unintentionally) by the various layers of border perimeter defenses. That traffic has traversed one or more border routers and was not prohibited by Access Control Lists, and has successfully passed one or more firewalls without being blocked by a rule. The assumption is this is normal, wanted traffic such as a customer accessing your web site. However, since ACL's block certain IP's and firewalls allow traffic to certain IP's on certain ports, this may just as easily be someone trying to exploit a vulnerability in the web sites application code. For discussion purposes, we're assuming the firewall in question isn't a multi-purpose appliance with IDS on board. Some firewall software also has a limited IDS signature set built in that may catch and block certain very well known attacks. A lot of network administrators are hesitant to run even this limited functionality because of the fear of blocking legitimate traffic by mistake.
A NIDS outside the firewall would alert as well. But you would be uncertain without checking logs on the firewall or a packet auditing system whether the traffic was allowed, or blocked by the firewall. With an internal IDS, you know instantly.
Another very good reason to have an internal NIDS is for tracing back internal compromises and outbreaks/infections. Let's say one of your end user desktop PC's get's popped and becomes part of a bot net. The code on the machine begins to connect out to the botnet controller to notify it that it's under control and to download other software or receive instructions. Assuming you use internal RFC 1918 IP addressing, that traffic will route out to your firewall, be translated to the hide address of your firewall and on to the Internet. Let's say your hide address is 66.66.66.1.
All hosts on your internal network would get translated to this IP address going out to the Internet.
A NIDS outside your firewall would only see the packets after they had been translated. Which of the desktops is infected and calling out to the botnet? Again, you'd have to rely on logs on your network infrastructure equipment, which is not only time consuming, but depending on how logging is set up, may not even help you. Because of sheer size of full logging, a lot of shops only log drops on the firewall and denies on routers, not allowed packets. A a packet that is accepted may not (probably not) even be logged.
But your internal NIDS sees the packets before the firewall, and hence, before they are translated, so your alert will identify the internal IP address, allowing you to easily trace back to the machine and do your incident response and shut it down.
In the next few posts, I'll cover different ways to monitor traffic, the different ways an IDS detects malicious traffic or activity, a few basics on tuning sensors and what Host-based Intrusion Detection is.
An Intrusion Detection System is a host or piece of software that monitors either network traffic streams or logs and processes on one box for malicious activity. There are two distinct types of systems, NIDS and HIDS.
NIDS - Network Intrusion Detection System: A NIDS monitors network traffic. It can be placed about anywhere there is a need for it, but the most common placement is at an ingress point where Internet traffic comes into the network. There is some debate as to the optimal placement at an Internet choke point, as to whether it should monitor inside the firewalls or outside, but my experience is most experts agree if you only have one, inside is better. (Having one inside and one outside is, of course, even better).
There are several reasons for this. A NIDS that is placed inside the firewall is seeing traffic that was not dropped (either by design or unintentionally) by the various layers of border perimeter defenses. That traffic has traversed one or more border routers and was not prohibited by Access Control Lists, and has successfully passed one or more firewalls without being blocked by a rule. The assumption is this is normal, wanted traffic such as a customer accessing your web site. However, since ACL's block certain IP's and firewalls allow traffic to certain IP's on certain ports, this may just as easily be someone trying to exploit a vulnerability in the web sites application code. For discussion purposes, we're assuming the firewall in question isn't a multi-purpose appliance with IDS on board. Some firewall software also has a limited IDS signature set built in that may catch and block certain very well known attacks. A lot of network administrators are hesitant to run even this limited functionality because of the fear of blocking legitimate traffic by mistake.
A NIDS outside the firewall would alert as well. But you would be uncertain without checking logs on the firewall or a packet auditing system whether the traffic was allowed, or blocked by the firewall. With an internal IDS, you know instantly.
Another very good reason to have an internal NIDS is for tracing back internal compromises and outbreaks/infections. Let's say one of your end user desktop PC's get's popped and becomes part of a bot net. The code on the machine begins to connect out to the botnet controller to notify it that it's under control and to download other software or receive instructions. Assuming you use internal RFC 1918 IP addressing, that traffic will route out to your firewall, be translated to the hide address of your firewall and on to the Internet. Let's say your hide address is 66.66.66.1.
All hosts on your internal network would get translated to this IP address going out to the Internet.
A NIDS outside your firewall would only see the packets after they had been translated. Which of the desktops is infected and calling out to the botnet? Again, you'd have to rely on logs on your network infrastructure equipment, which is not only time consuming, but depending on how logging is set up, may not even help you. Because of sheer size of full logging, a lot of shops only log drops on the firewall and denies on routers, not allowed packets. A a packet that is accepted may not (probably not) even be logged.
But your internal NIDS sees the packets before the firewall, and hence, before they are translated, so your alert will identify the internal IP address, allowing you to easily trace back to the machine and do your incident response and shut it down.
In the next few posts, I'll cover different ways to monitor traffic, the different ways an IDS detects malicious traffic or activity, a few basics on tuning sensors and what Host-based Intrusion Detection is.
Tuesday, September 15, 2009
Nice...really nice!
September 13, Ars Technica – (International) FTC forces Sears, Kmart out of the spyware business. The Federal Trade Commission (FTC) has busted a strange set of spyware purveyors — U.S. retailing giants Sears and Kmart. The FTC recently approved its final consent order against the companies (which share the same owner) over an episode that can only be chalked up to incompetence of a truly epic scope. Sears Holding Management Company decided that it could really use a lot more marketing data to fuel its decision-making process, so it began offering visitors to sears.com and kmart.com a special invite — sign up for “My SHC Community,” download a piece of “research” software, and earn 10 American dollars. All one had to do was turn over to the company every single bit of information about one’s Web browsing. This was not just about the websites visited, or even about specific URLs; the “research” software transmitted the complete contents of a browsing session, even secure sessions. This meant that Sears and its data collection partner would have access to the “contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails,” said the FTC. Among other things — the software also collected non-Web information about the user’s personal computer. Sears did tell people that it would track their “online browsing,” but when security researchers looked into the software in early 2008, they charged that the disclosure was mostly buried in legalese. Under the settlement with the FTC, Sears has now agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the wild. In addition, if it wants to do any tracking in the future, the company has committed to “clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party.” Source: http://arstechnica.com/tech-policy/news/2009/09/ftc-forces-sears-kmart-out-ofthe- spyware-business.ars
Monday, September 14, 2009
New Vista Worm Possible?
There's a discussion about the possibility of a new Vista worm here. Microsoft hasn't released a patch for it, and it's estimated there are 200 million Vista boxes on the Internet which could be possible targets.
Apple Patches
Apple releases 47 patches for iPhones, Macs, Quicktime.. Link here. While it's a very good thing Apple is patching their software, you have to wonder about the perception that Apple's stuff isn't as insecure as the rest of devices and software out there. That is a large number of patches...
Security Update 2009-005, link , is starting to look like Microsoft's Black Tuesday, isn't it?
Security Update 2009-005, link , is starting to look like Microsoft's Black Tuesday, isn't it?
Thursday, September 3, 2009
Mandatory Messenger Upgrade Coming
September 1, SCMagazine – (International) Microsoft mandates Messenger upgrade for security flaws. Users of Microsoft’s Windows Live Messenger instant messaging software soon will be required to upgrade to the latest version to close vulnerabilities that could enable an attacker to execute remote code. On September 1, Microsoft pushed out the newest version, Windows Live Messenger 14.0.8089. The upgrade addressed vulnerabilities in Microsoft’s Active Template Library (ATL), used in the development of the IM program, the company said in a blog post on August 27. Microsoft is not aware of any attacks currently targeting the ATL vulnerability in Live Messenger, a Microsoft spokesperson told SCMagazineUS.com on September 1. Beginning in the middle of this month, users of Messenger versions 8.1, 8.5 and 14.0 must upgrade, with a deadline of the end of October. Users will be prompted to install the new version when they sign into one of the vulnerable versions of Live Messenger, Microsoft said. If users do not upgrade, they may not be able to connect to the IM service. “It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks,” Microsoft said. Users of Live Messenger version 14.0 will not see any visible changes with the upgrade. But for users of Windows Live Messenger versions 8.1 or 8.5, the update also includes additional non-security features, Microsoft said. The vulnerabilities in ATL affect not only Live Messenger but numerous programs developed with ATL. In late July, Microsoft issued two out-of-band security patches to address the ATL bugs in http://www.scmagazineus.com/microsoft-mandates-messenger-upgrade-forsecurity- flaws/article/147932/
Friday, August 28, 2009
apache.org Hacked
apache.org was down this morning due to a compromise. The attackers reportedly got in with a compromised SSH key used for backups. Info from Apache Foundation here. They are back up and running..
Emergency Internet Bill - Give Obama Power to Knock Private Companies off the Internet??
A bill proposed this spring giving the White House power to knock private sector companies off the Internet in a so-called "cyber security emergency" has civil liberties and Internet groups concerned. A new version has been drafted by aides of Democrat Jay Rockefeller from Virginia. CNET got their hands on a copy and says it's still troubling due to it's vagueness.
Details from CNET can be found here.
Details from CNET can be found here.
Thursday, August 27, 2009
Highlights of IBM Security Report
August 26, Network World – (International) Trojan attacks up, phishing attacks down this year, IBM finds. Spam-based phishing attacks declined noticeably during the first half of the year, but cyber-criminals may simply be shifting to other technologies found to be more effective in stealing personal data, according to IBM in its semi-annual security threat report. “The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved,” is the explanation offered in the “IBM Internet Security Systems 2009 Mid-Year Trend & Risk Report.” It says Russia is the top country of origin for phishing e-mails, with 7.2 percent share, while China is the top hosting country for spam URLs. IBM’s semi-annual security report presents a broad view of trends based on its own analysis of volumes of sensor data, Web crawling technologies and other resources used to gather information through its Internet Security Systems division. In the first half of 2009, 55 percent of the new malware seen was Trojans, an increase of 9 percent over last year, the report says. Trojan malware, which includes components called downloaders and info- stealers, are mainly being used in the form of “public-available toolkits” that are “easy to use” by criminals, the report points out. The number of malicious Web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508 percent in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report. The U.S. is the top country where such malicious Web links can be found, accounting for 36 percent of known malicious links, with China holding the second spot. Source: http://www.networkworld.com/news/2009/082609-ibm-malware-trojans.html
If You Use Google Chrome, Time To Upgrade..
August 25, CNET News – (International) Google patches severe Chrome vulnerabilities. Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person’s computer. With one attack on Google’s V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox. Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser. Google won’t release details of the vulnerabilities until “a majority of users are up to date with the fix,” a engineering program manager said in the blog post. Source: http://news.cnet.com/8301-30685_3-10317320-264.html
Friday, August 21, 2009
Exploding IPods? Yikes!
August 18, San Francisco Chronicle – (International) Apple looking into reports of exploding iPhone/iPod Touches. Apple’s iPhones and iPod Touches are being examined by the European Commission after a few incidents in which the devices exploded. There are reportedly two incidents in France involving an iPhone and one in Britain with an iPod Touch. A spokesperson for the commission said that Apple was cooperating and labeled the incidents “isolated.” An Apple spokesperson told Reuters that the company was aware of the reports but would not comment until receiving more information. In one case, a teenager in France was hurt when an iPhone overheated, hissed and shattered, sending glass into the boy’s eyes. A similar incident in Britain reportedly occurred with an iPod Touch that exploded and flew into the air. KIRO TV in Seattle obtained 800 pages of documents from the Consumer Product Safety Commission that found there have been 15 reports of burn and fire-related incidents involving iPods. Last year, after the Japanese government warned of fire risks from iPod Nanos, Apple offered to replace batteries in some of the devices. Source here.
Thursday, August 20, 2009
ITOC Data Set
U.S. Army ITOC has released to the public the data sets of their recent 2009 Inter-Service Academy Cyber Defense Competition, which puts the military academies up against an NSA Red Team. If you would like to download them, they are available here. Full download is about 14 Gigs worth. Enjoy!
New Network Forensics Puzzle
In the tradition of the Ed Skoudis Hacker Challenges, Jonathan Ham of the ISC has put out a Network Forensics Puzzle. Info on the ISC site here. this is more than just a little bit of fun for packet heads, this is free, hands on training.
Wednesday, August 12, 2009
WordPress Vulnerability
Vulnerabilities found in WordPress software of a nasty variety. Allows a reset of the administrator password. As blogs are used more and more for political reasons, and especially by people living under repressive regimes, this could be bad news for theses folks, even more than the blogger who writes about gardening or his love of jazz music. If you use the software, WordPress has released a security release version, 2.8.4, found here.
Wednesday, July 29, 2009
Typo in Code Caused Latest ActiveX Vulnerability
It's the case of the missing ampersand... article from CNet here
Bind 9 Vulnerability
New vuln discovered in Bind 9. Summary is a crafted dynamic update for a zone the server is master over can make bind go bye-bye, Won't work against slaves.. Details here. If you are running Bind 9, especially externally facing, check into patching ASAP...
Wednesday, July 22, 2009
Interesting New Service from TippingPoint
TippingPoint is now offering an Emergency Response Service for businesses without IDS/IPS. If I read their data sheets correctly, a network manager would call TippingPoint once they ascertained they were under attack or experienced a breach (a little late to the dance if the breach has already occurred, but no matter) and the Emergency Response Team would deploy a fully set up system consisting of an IPS sensor and a management station (within 24-72 hours). It would remain in place for two to a maximum of four weeks, after which time they would "work with the organization to determine long term security requirements and appropriate solutions". This is done on a complimentary basis... I don't see anything about obligation to purchase products or services after the deployment has ended, but I have to believe there would be one. It wouldn't be cheap at all to rush a well-paid team of security engineers and product to a site within three days and have the system up and running (not to mention the possible liability if the IPS blocks legitimate traffic and SLA's are missed). Interesting...
Info about the service found here
Info about the service found here
Adobe Screw Up Could Leave You Vulnerable (or 0wn3d)
Adobe has been delivering an out-of-date version of Reader on it's Web site, leaving users at risk to several vulnerabilities the company has already patched. Secunia discovered at least 14(!) vulns that were patched by the company in the last two months. The version is 9.1, released back in March. There was no response to a Computerworld request for comment.
It's bad enough when software vendors release buggy code that leaves your system at risk. It's even worse when they cover the fact up and sit on their hands until pressured to fix their product. But to fix the bugs, then not QA the process of updating the software on their download site is almost unbelievable, had it not just happened. I'm thinking this will be good news to vendors who offer non-Adobe alternatives Acrobat, as it should be. Irresponsible corporate behavior should lead to loss of revenue..
LINK
It's bad enough when software vendors release buggy code that leaves your system at risk. It's even worse when they cover the fact up and sit on their hands until pressured to fix their product. But to fix the bugs, then not QA the process of updating the software on their download site is almost unbelievable, had it not just happened. I'm thinking this will be good news to vendors who offer non-Adobe alternatives Acrobat, as it should be. Irresponsible corporate behavior should lead to loss of revenue..
LINK
Friday, July 17, 2009
Patch Firefox Now
Mozilla has released Firefox 3.5.1 to address the JIT compiler bug. If you disabled JIT, re-enable it after upgrading...
Thursday, July 16, 2009
Nmap 5.0 Released
Fyodor has released version of of the ubiquitous nmap scanner... small writeup about it here from the folks at the Internet Storm Center... Or just go straight to www.insecure.org and grab your copy...
Paypal Update
Paypal contacted Johnny Long and is taking care of his issues. Wonder if had anything to do with all the tweeting, blogging and friends of a friend inside Paypal making it public? However, it happened, it's good news. A good man doing a good thing to help others...
Link
Link
Tuesday, July 7, 2009
Handlers Pages
Some of the Storm Center handlers have their own handlers pages separate from the diaries... you can find more detailed information on topics there than is covered in the (necessarily) brief diary entries. The link is here.
Tuesday, June 30, 2009
SANS@Night Presentations
Monday, June 22, 2009
Recert
Just signed up to recertify for my GCIH. Of all the SANS certs, I'm thinking the changes in the material for this one will be huge (that's Certified Incident Handler).
Day one of the course covers the seven steps of incident handling, procedures, putting together your team, etc. The next six are all exploits. I certified back in January of 2006, which means I took the material mid-2005. And, as good a job as Ed Skoudis does keeping his courseware up to date, parts of it were probably dated as they came off the printing press. Things just change just toooo rapidly.
Recerts for SANS are every four years. Obviously this isn't often enough to really keep you on top of what you need to know. Listservs and web sites help some, like the Storm Center, Security Focus, Emerging Threats, etc. but it's mostly top level info.
You still have to dig further to really understand the mechanics. And it takes time. And there's a huge amount of it. How do you really keep up-to-date?
Day one of the course covers the seven steps of incident handling, procedures, putting together your team, etc. The next six are all exploits. I certified back in January of 2006, which means I took the material mid-2005. And, as good a job as Ed Skoudis does keeping his courseware up to date, parts of it were probably dated as they came off the printing press. Things just change just toooo rapidly.
Recerts for SANS are every four years. Obviously this isn't often enough to really keep you on top of what you need to know. Listservs and web sites help some, like the Storm Center, Security Focus, Emerging Threats, etc. but it's mostly top level info.
You still have to dig further to really understand the mechanics. And it takes time. And there's a huge amount of it. How do you really keep up-to-date?
Friday, June 19, 2009
SANSFIRE
Hope all the attendees at SANSFire are having a GREAT time and learning much. Judy Novak had a three hour mini-course on packet crafting using scapy. If you don't know of Judy, she's one of the really top notch intrusion analysts in the world today.
Used to work for the military, now with Sourcefire. Co-authored a really good book with Stephen Northcutt on intrusion analysis (see my reading list to the right on this blog).
Used to work for the military, now with Sourcefire. Co-authored a really good book with Stephen Northcutt on intrusion analysis (see my reading list to the right on this blog).
Wednesday, June 10, 2009
Patch Away
It's patching time again. Microsoft has released no less than 10 new security patches, Adobe released new patches the same day (and will now release theirs the same day as Microsoft going forward which is the 2nd Tuesday of the month) and now Sun has released Java 6 update 14. Tons of info out there so I won't bother with links except one, isc.sans.org, the SANS Internet Storm Center that has diary articles up on all three now.
Monday, June 8, 2009
Obama Chooses BlackHat Head for Department of Homeland Security's Advisory Council
Obama has tapped the head of BlackHat to sit on the Department of Homeland Security's Advisory Council (HSAC). This is being portrayed as choosing a hacker for a high level security position, but I think that's overstating the facts, for once. Jeff Moss, whose handle is Dark Tangent, has by his own words been out of the hacking scene since high school or thereabouts. He's not a convicted hacker, like Kevin Mitnik, and was never charged for breaking into any networks that I'm aware of. And since those days he's worked for Ernst and Young, SCC, gotten a degree in criminal justice and taken BlackHat and transformed it into partial SANS-style security training (along with the hackers conference, which is well attended by law enforcement and three letter agencies). Details are here.
I don't equate this to Corporation XYZ hiring a blackhat right out of his former career to be their Chief Security Officer even to be a ethical hacker doing gigs for third party assessment. It's a long road from Jeff's high school career of using phreaking to get some long distance phone calls out of AT&T. The first ethical hack I ever sat on in used a ex-blackhat as the main pen tester. As he sat in front of five or six laptops running different exploits against our network, he entertained us with stories of his former life and the places he had broken into. He worked for a very, very large telecom who happens to have three letters in their name.
I just don't see a person who as a kid did some Cap'n Crunch style phreaking being in that same category. I think Jeff's paid his dues, and as much as I hate to grudgingly admit it, I think this pick by Obama is pretty good, unlike a whole slew of them that had me wondering what he was thinking (can you say tax-evading cabinet members?)
I don't equate this to Corporation XYZ hiring a blackhat right out of his former career to be their Chief Security Officer even to be a ethical hacker doing gigs for third party assessment. It's a long road from Jeff's high school career of using phreaking to get some long distance phone calls out of AT&T. The first ethical hack I ever sat on in used a ex-blackhat as the main pen tester. As he sat in front of five or six laptops running different exploits against our network, he entertained us with stories of his former life and the places he had broken into. He worked for a very, very large telecom who happens to have three letters in their name.
I just don't see a person who as a kid did some Cap'n Crunch style phreaking being in that same category. I think Jeff's paid his dues, and as much as I hate to grudgingly admit it, I think this pick by Obama is pretty good, unlike a whole slew of them that had me wondering what he was thinking (can you say tax-evading cabinet members?)
Friday, June 5, 2009
SANSFIRE 2009
Another SansFire is fast approaching (June 13th) and for the second year in a row I'll be staying home. The economy and my company being bought out by another, much larger one have conspired to put my training cycle on an indefinite hold. I work for a really security conscious organization that unfortunately is too large to consider third party training of much value (so I hear, it's SO big I have little insight outside of my own location).
One of the backfire issues with really big companies that put a large amount of resources into network/information security is that there is the assumption they can do all things better in-house than third parties like SANS. The training I've received so far since working for them has been all very basic stuff, and all dealing with policy/regulation/awareness. No technical training whatsoever (and I haven't been able to find any that exists except for developers), so my only choice is to go back to self-education.
If you go to SansFire this year (I see they've moved the venue to Baltimore this time), please really both enjoy it and get everything you possibly can out of it. Hit the BoF sessions, the SANS@Night free training, and the ISC presentations. And sure, have a beer with your fellow NetSec folks. That's part of the reason the live events are so good, isn't it? Networking and sharing info back and forth after the classrooms have all closed for the day.
You never know, next year you may be sitting on the sidelines like me and wishing you were there. Get it while you can!
One of the backfire issues with really big companies that put a large amount of resources into network/information security is that there is the assumption they can do all things better in-house than third parties like SANS. The training I've received so far since working for them has been all very basic stuff, and all dealing with policy/regulation/awareness. No technical training whatsoever (and I haven't been able to find any that exists except for developers), so my only choice is to go back to self-education.
If you go to SansFire this year (I see they've moved the venue to Baltimore this time), please really both enjoy it and get everything you possibly can out of it. Hit the BoF sessions, the SANS@Night free training, and the ISC presentations. And sure, have a beer with your fellow NetSec folks. That's part of the reason the live events are so good, isn't it? Networking and sharing info back and forth after the classrooms have all closed for the day.
You never know, next year you may be sitting on the sidelines like me and wishing you were there. Get it while you can!
Friday, May 15, 2009
OLE2 Fragmentation Befuddles Most AV Vendors
BreakingPoint Labs has discovered heavily fragmenting Office documents causes AV and IDS products to miss exploits embedded in them the majority of the time. Writeup by H.D. here.
it's important to note that Sourcefire's Office Cat tool uses the OLE API to parse the stream and find the exploit regardless of how fragmented it is.
it's important to note that Sourcefire's Office Cat tool uses the OLE API to parse the stream and find the exploit regardless of how fragmented it is.
Viruses Adopt New Stealthier Methods
As reported by Kapersky Labs, it's been discovered that a new variant of Sinowal or Torpig is writing itself to the hosts Master Boot Record and is avoiding AV detection. It's been spreading via Web sites and through the previously reported Adobe Reader vulnerabilities. Writeup in ZDNet found here.
Thursday, May 14, 2009
Tips For Budding Packet Jockeys
If you are interested in becoming a packet jockey, i.e. getting into the Network Security side of IT Security, there's a lot of things you'll need to learn to do your job properly.
I started in this field coming over in IT from the desktop support side, so I didn't have a lot of networking or scripting experience. To make things even more interesting, there were NO IT security folks at the time. I was the first and not only learned by OTJ training, I determined what that job was and gave myself the training!
If I were to list what I think someone interested in getting into NetSec could look at learning, based on my past experience and what I learned after I DID get some real training, I'd suggest the list below.
1. Linux - Although a lot of network security tools have been ported over to Windows, a whole lot more have not and most of them run much better on Linux anyway.
If you are going to do serious intrusion analysis, you're going to have to learn Linux. In following posts I'll suggest some ways to learn each of the items I list if training through a company isn't an option (or you haven't landed a job yet).
2. tcpdump - There are more esoteric tools one can use, like Wireshark, but to learn packet analysis, you need a tool that doesn't do all the decoding for you. Once you are familiar with all the protocol headers and start to learn what is normal and what is anomalous, Wireshark and commercial tools can decode just about any protocol you'll see. I still use tcpdump 99% of the time because I can easily filter it and script it to parse the packets as they are captured.
3. Snort. If you want to do IDS, learning to set up, maintain and use Snort will help with about any other one you'll encounter. Once you have a Snort install loaded and start looking at alerts, you'll soon learn to determine what are false positives, what is normal traffic that can be filtered and what needs your attention. And it's a never-ending process as new attacks are released and the Bad Guys learn new ways to broach your defenses. Also, learning to write Snort signatures will really help you learn how to analyze packets as you find out what needs to be looked at and where.
4. Logs - Once you begin looking at packets, you'll need to learn to correlate them with logging from network devices and servers. A central syslog server will allow the aggregation of logs from different devices. To familiarize yourself, working with some open source tool like swatch is helpful. There are newer, better tools but using swatch will help you learn to install from source and use simple reg ex to filter.
5. Parsing tools - Packet sniffing tools record a LOT of packets. Using BPF's (Berkeley Packet Filters) with tcpdump will help a lot to narrow down what you need to see, but you'll need further filtering to refine your results or logs for analysis or to share with others. awk and sed can help a lot to pull out relevant parts of your packet data. Learning some shell scripting or better yet, a little bit of Perl will allow you to write some scripts to run your data through and find EOI's, Events of Interest.
I started in this field coming over in IT from the desktop support side, so I didn't have a lot of networking or scripting experience. To make things even more interesting, there were NO IT security folks at the time. I was the first and not only learned by OTJ training, I determined what that job was and gave myself the training!
If I were to list what I think someone interested in getting into NetSec could look at learning, based on my past experience and what I learned after I DID get some real training, I'd suggest the list below.
1. Linux - Although a lot of network security tools have been ported over to Windows, a whole lot more have not and most of them run much better on Linux anyway.
If you are going to do serious intrusion analysis, you're going to have to learn Linux. In following posts I'll suggest some ways to learn each of the items I list if training through a company isn't an option (or you haven't landed a job yet).
2. tcpdump - There are more esoteric tools one can use, like Wireshark, but to learn packet analysis, you need a tool that doesn't do all the decoding for you. Once you are familiar with all the protocol headers and start to learn what is normal and what is anomalous, Wireshark and commercial tools can decode just about any protocol you'll see. I still use tcpdump 99% of the time because I can easily filter it and script it to parse the packets as they are captured.
3. Snort. If you want to do IDS, learning to set up, maintain and use Snort will help with about any other one you'll encounter. Once you have a Snort install loaded and start looking at alerts, you'll soon learn to determine what are false positives, what is normal traffic that can be filtered and what needs your attention. And it's a never-ending process as new attacks are released and the Bad Guys learn new ways to broach your defenses. Also, learning to write Snort signatures will really help you learn how to analyze packets as you find out what needs to be looked at and where.
4. Logs - Once you begin looking at packets, you'll need to learn to correlate them with logging from network devices and servers. A central syslog server will allow the aggregation of logs from different devices. To familiarize yourself, working with some open source tool like swatch is helpful. There are newer, better tools but using swatch will help you learn to install from source and use simple reg ex to filter.
5. Parsing tools - Packet sniffing tools record a LOT of packets. Using BPF's (Berkeley Packet Filters) with tcpdump will help a lot to narrow down what you need to see, but you'll need further filtering to refine your results or logs for analysis or to share with others. awk and sed can help a lot to pull out relevant parts of your packet data. Learning some shell scripting or better yet, a little bit of Perl will allow you to write some scripts to run your data through and find EOI's, Events of Interest.
Wednesday, May 13, 2009
Adobe Patches Released
Adobe has released patches for a critical vulnerability in Adobe Reader (including one version for Linux) and Adobe Acrobat. You can read the bulletin here as well as download the patch for your version and platform. Or you can simply open up Reader and go to Help, Check for Updates. Either way, suggest you patch as soon as possible.
Sunday, May 10, 2009
Happy Mothers Day!
Happy Momma's Day to all the NetSec mothers who parse packets by day and fix boo boos and read bedtime stories by night!
Wednesday, May 6, 2009
Adobe Patch
Adobe has announced it will release a patch next week for the zero-day flaw in Acrobat and Reader. Versions to be fixed:
Windows Adobe Reader versions 7, 8 and 9
Windows Acrobat versions 7, 8 and 9
Mac: versions 8 and 9
Linux: versions 8 and 9
The chief security researcher from F-Secure even went so far as to recommend that users uninstall Reader and install an alternative .pdf viewer, noting that six vulnerabilities have been found in the software.
This might be a good strategy for home users, but I seriously doubt any corporate environments of any size would go through the evaluation process, uninstall of Reader, installation of a new product and training needed to do this, especially now that Adobe has made the announcement of the forthcoming patch.
Windows Adobe Reader versions 7, 8 and 9
Windows Acrobat versions 7, 8 and 9
Mac: versions 8 and 9
Linux: versions 8 and 9
The chief security researcher from F-Secure even went so far as to recommend that users uninstall Reader and install an alternative .pdf viewer, noting that six vulnerabilities have been found in the software.
This might be a good strategy for home users, but I seriously doubt any corporate environments of any size would go through the evaluation process, uninstall of Reader, installation of a new product and training needed to do this, especially now that Adobe has made the announcement of the forthcoming patch.
Daily Podcasts
The SANS Internet Storm Center puts out a daily podcast, a mini, 5 minute summary of what's happening and what to be aware of in the NetSec world. This is in addition to their lengthier full podcast put out on a less regualr basis. The recordings are done by Johannes Ullrich, Chief Research Officer for SANS and the original founder of Dshield. Here's a link to all the "Stormcasts" as they are called.
Link
They are very informative and definitely worth the listen.
Link
They are very informative and definitely worth the listen.
Friday, May 1, 2009
H1N1 (the virus formerly known as swine)
With all the coverage of the swine, er, H1N1 flu outbreak, might be a good time to find out what your companies procedures are in case of a pandemic outbreak. And have a talk with your manager and find out what the realistic expectations are as far as staffing the data center, NOC, desktop support, etc. Most companies want anyone who even thinks they might be infected to stay home, but the IT functions have to keep chugging along as always. If you have remote access, but haven't used it in a while, this would be a good time to log in and make sure your client version is up-to-date, and changed passwords or passphrases have been updated as well and you can get to every area of the network you need to if you should have to work from home.
I telecommute twice a week anyway, so I know I'm good. =-)
I telecommute twice a week anyway, so I know I'm good. =-)
Tuesday, April 21, 2009
Security Dashboard at Security Database
There's a nice Security Dashboard for recently discovered vulnerabilities located at http://www.security-database.com/dashboard.php. Includes info on Microsoft, Cisco, CVE, Sun and several flavors of Linux...
Monday, April 13, 2009
Secureworks Research Tools
Secureworks, a network security services company, has a page of free tools available here for the network security professional. Amazingly you do not need to fill out a contact form to download the tools.
Thursday, April 2, 2009
TCPKill
A handy item to have in the NetSec toolkit is the tcpkill app. Part of the dsniff suite written by dugsong (http://monkey.org/~dugsong/dsniff/), this tool allows you to reset tcp connections. It does this by sending spoofed reset packets to each end of the connection.
That sounds rather black hat, you might think. Why would a legitimate network security analyst need such a tool? Consider this scenario: a desktop on your network has been compromised with a password stealing trojan and there is an active connection with an unknown host spawned by the malware. Faster than you can run to the box and pull the plug, faster than you can get emergency permission to have the port disabled, you can use tcpkill to knock down that connection, and keep it knocked down until the box is pulled offline.
tcpkill is very easy to use. The syntax is tcpkill -i . It supports any bpf.
Say your compromised box is at 10.1.1.1 and you have an interface that monitors a span port on an edge switch (you should monitor at a chok e point for your Internet connection so you could shoot down any external connection, if that's your goal).
You would run the command tcpkill -i eth0 'host 10.1.1.1'. This would shoot down any connections from 10.1.1.1 that the monitoring point sees. If that's too draconian and you only want to shoot down that unknown connect, use a bpf to specify both hosts such as 'host 10.1.1.1 and host x.x.x.x'. That's all there is to it.
Fortunately tcpkill (and dsniff) only run on Linux flavors, which reduces the chances of someone using it in a rogue fashion on your internal network.
That sounds rather black hat, you might think. Why would a legitimate network security analyst need such a tool? Consider this scenario: a desktop on your network has been compromised with a password stealing trojan and there is an active connection with an unknown host spawned by the malware. Faster than you can run to the box and pull the plug, faster than you can get emergency permission to have the port disabled, you can use tcpkill to knock down that connection, and keep it knocked down until the box is pulled offline.
tcpkill is very easy to use. The syntax is tcpkill -i
Say your compromised box is at 10.1.1.1 and you have an interface that monitors a span port on an edge switch (you should monitor at a chok e point for your Internet connection so you could shoot down any external connection, if that's your goal).
You would run the command tcpkill -i eth0 'host 10.1.1.1'. This would shoot down any connections from 10.1.1.1 that the monitoring point sees. If that's too draconian and you only want to shoot down that unknown connect, use a bpf to specify both hosts such as 'host 10.1.1.1 and host x.x.x.x'. That's all there is to it.
Fortunately tcpkill (and dsniff) only run on Linux flavors, which reduces the chances of someone using it in a rogue fashion on your internal network.
Thursday, February 26, 2009
Quick convert
Looking at packets on a *nix box and need to do a quick hex to decimal conversion?
Use bc, the command line UNIX calculator. Here's how...
Start bc with the command line 'bc -l'. The -l option loads in the standard math libraries needed for anything but the simplest tasks. You'll see something like this:
[jeff@paradigm ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
Now change your number base with ibase. ibase allows you to change what numbering system you use for input, obase does the same for output. Since we want to convert hex, we set it to 16:
ibase = 16
Now type your hex number in and bc will convert it to decimal.
[jeff@paradigm ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
ibase = 16
0028
40
I just converted the value in bytes 2 and 3 of an IP header, the total length field to decimal, showing me I have a 40 byte packet.
Use bc, the command line UNIX calculator. Here's how...
Start bc with the command line 'bc -l'. The -l option loads in the standard math libraries needed for anything but the simplest tasks. You'll see something like this:
[jeff@paradigm ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
Now change your number base with ibase. ibase allows you to change what numbering system you use for input, obase does the same for output. Since we want to convert hex, we set it to 16:
ibase = 16
Now type your hex number in and bc will convert it to decimal.
[jeff@paradigm ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
ibase = 16
0028
40
I just converted the value in bytes 2 and 3 of an IP header, the total length field to decimal, showing me I have a 40 byte packet.
Thursday, February 12, 2009
BackTrack 4 Released
BackTrack 4, a security testing bootable live image has been released. This is the beta of version 4; stable version 3 is still available.
Links for the ISO and the VM image are found here...
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm
Links for the ISO and the VM image are found here...
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm
Tuesday, January 27, 2009
American Consulate Sells Filing Cabinet With US Government Information
Unbelievably, the American Consulate in Jerusalem sold a filing cabinet with "Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information" at an auction. Details here
Wednesday, January 7, 2009
Home User Network Security Site
Here's a great idea from Peter Giannoulis and the folks at The Academy (www.theacademypro.com): A NetSec site for the home user, aimed at the non-technical, less savvy average user. Given the exponential rise of malware and the hijacking of millions of home PC's by botnets, it couldn't have been more timely.
Check it out at www.theacademyhome.com, and please, send the link to family, friends, co-workers.. anyone who uses the Internet but isn't an IT pro or doesn't have the technical skills needed to do it securely.
Check it out at www.theacademyhome.com, and please, send the link to family, friends, co-workers.. anyone who uses the Internet but isn't an IT pro or doesn't have the technical skills needed to do it securely.
Subscribe to:
Posts (Atom)