<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8039036654514642119</id><updated>2011-04-21T23:18:26.549-04:00</updated><title type='text'>Inuk Digital Security</title><subtitle type='html'>network security monitoring, Linux, and Information Technology</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>42</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-1710270080563812425</id><published>2009-01-25T23:25:00.003-05:00</published><updated>2009-01-25T23:43:24.030-05:00</updated><title type='text'>Unintended consequences</title><content type='html'>One of the blogs that I follow is the &lt;a href="http://freakonomics.blogs.nytimes.com/"&gt;Freakonomics Blog&lt;/a&gt;; the Freakonomics bloggers often deal with 
unintended consequences of actions that people take.  &lt;br /&gt;&lt;br /&gt;For example, this &lt;a href="http://freakonomics.blogs.nytimes.com/2009/01/19/ban-water-bottles-to-reduce-pollution-come-on/"&gt;post&lt;/a&gt; posits that banning bottled water at schools in an effort to combat pollution will likely have an unintended consequence of an increase in sales of bottled soft drinks.  Not only will the reduction in pollution be negligible, but soft drinks are obviously not as good for the body as water, so there will be health repercussions as well.&lt;br /&gt;&lt;br /&gt;What does this have to do with technology?  I have been thinking a bit about Microsoft's &lt;a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20090122.wmicrosoftjobs0122/BNStory/Technology/home"&gt;decision&lt;/a&gt; to cut thousands of jobs and the types of unintended consequences that this will create.&lt;br /&gt;&lt;br /&gt;We already know Microsoft's track record when it comes to &lt;a href="http://seclists.org/isn/2009/Jan/0083.html"&gt;digital security&lt;/a&gt;, so I am predicting right here that Microsoft's job cuts will have negative unintended consequences in the digital security realm.  
&lt;br /&gt;&lt;br /&gt;I am not an expert on the economy, I don't have ESPN and I usually don't make too many predictions, so I could be wrong, but I could be right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-1710270080563812425?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/1710270080563812425/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=1710270080563812425' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1710270080563812425'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1710270080563812425'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/unintended-consequences.html' title='Unintended consequences'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6220867097536758171</id><published>2009-01-21T16:28:00.004-05:00</published><updated>2009-01-25T23:15:10.816-05:00</updated><title type='text'>Technology scares</title><content type='html'>About a year and a half ago, while I was waiting in line to use an ATM, the machine froze up and revealed that the operating system in use was Windows NT 4.0 Embedded.  
Not only was this in 2007, but the ATM was a new model that the bank was promoting as their new intelligent and feature-rich bank machine.&lt;br /&gt;&lt;br /&gt;This used to be one of my favorite anecdotes about technology uses that not only irked me, but actually scared me.&lt;br /&gt;&lt;br /&gt;That was until today when I read this &lt;a href="http://seclists.org/isn/2009/Jan/0078.html"&gt;story&lt;/a&gt; on Seclists.org.&lt;br /&gt;&lt;br /&gt;The crux of this story is that a hospital disabled Windows Updates on their computers because some of their systems used Automatic Updates and rebooted &lt;span style="font-style: italic;"&gt;during&lt;/span&gt; surgery. You read that right.  Strangely the story focuses on how the hospital in question made itself more vulnerable to the &lt;a href="http://en.wikipedia.org/wiki/Conficker"&gt;Conficker/Downadup&lt;/a&gt; worm and not on the questionable use of Windows for critical hospital systems.&lt;br /&gt;&lt;br /&gt;My immediate reaction to reading this was disgust and I had to question the necessity of using Microsoft Windows for critical hospital systems that have a life and death impact.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6220867097536758171?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6220867097536758171/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6220867097536758171' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6220867097536758171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6220867097536758171'/><link rel='alternate' 
type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/technology-scares.html' title='Technology scares'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-5835688455787522098</id><published>2009-01-20T16:07:00.003-05:00</published><updated>2009-01-20T16:13:47.799-05:00</updated><title type='text'>Trusted Source blog?</title><content type='html'>As I've said before, I am a big &lt;a href="http://www.securecomputing.com"&gt;Secure Computing&lt;/a&gt; proponent because these were the firewalls that I cut my digital security teeth on.  When Secure Computing introduced their Trusted Source blog, I was fairly impressed and followed fairly regularly.&lt;br /&gt;&lt;br /&gt;In a &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/09/mcafee-to-acquire-secure-computing.html"&gt;previous post&lt;/a&gt; I mentioned that Secure Computing was being acquired by McAfee; curiously the last Trusted Source blog post is about the aforementioned acquisition. 
That post is available &lt;a href="http://www.trustedsource.org/blog/163/McAfee-Family"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You know what they say about coincidences right?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-5835688455787522098?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/5835688455787522098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=5835688455787522098' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5835688455787522098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5835688455787522098'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/trusted-source-blog.html' title='Trusted Source blog?'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-8115783816398960897</id><published>2009-01-19T23:02:00.003-05:00</published><updated>2009-01-19T23:19:58.090-05:00</updated><title type='text'>Three questions answered...</title><content type='html'>Richard Bejtlich was kind enough to answer my three questions on his &lt;a href="http://taosecurity.blogspot.com/2009/01/reader-questions-on-network-security.html"&gt;blog&lt;/a&gt; recently.  
Thanks Richard!&lt;br /&gt;&lt;br /&gt;There is one point in the answer to question number two that is very pointed and quite important when I consider why I do this type of work.&lt;br /&gt;&lt;br /&gt;Richard stated that you are an analyzer of dashboards and not data if you cannot:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"Research activity for which there is no indicator, i.e., you can only see indicators and not any activity for which an alert did not fire"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For me personally, it is very important to be able to research traffic that did not generate an alert using my intuition and NSM knowledge.  I should point out that this intuition is enhanced when digital situational awareness (DSA) and emotional investment are present.&lt;br /&gt;&lt;br /&gt;One of the things that I have learned over the course of my career is not to place 100% trust in any one device or application.  NSM principles tell you that the system will lie to you and the logs will lie to you and applications will also lie to you or will have deficiencies that encumber your investigations.&lt;br /&gt;&lt;br /&gt;However, if you have full-content data and are free to extract session and statistical data, it is possible to detect attacks or malicious traffic that were not present in the alert data.  
This is why NSM is much more powerful than traditional IDS, but having the leeway and know-how to deviate from alert data is necessary for this to be successful.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-8115783816398960897?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/8115783816398960897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=8115783816398960897' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8115783816398960897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8115783816398960897'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/three-questions-answered.html' title='Three questions answered...'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-9079033375616741287</id><published>2009-01-19T22:41:00.003-05:00</published><updated>2009-01-19T22:50:06.889-05:00</updated><title type='text'>ArcSight ESM</title><content type='html'>I have been making good use of my &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/12/arcsight-certified-security-analyst.html"&gt;ArcSight Certified Security Analyst (ACSA)&lt;/a&gt; certification this week as we have recently deployed ESM 4.0 at work 
and though I remain somewhat skeptical, I would like to state that I am coming around and may someday be an ArcSight believer.&lt;br /&gt;&lt;br /&gt;Though this SIEM/SEM will never replace my preference for Snort and Sguil, the impossibility of using my preferred architecture at my current job is forcing my hand.  So far ArcSight is doing a good enough job of coalescing disparate alert and other data such as syslog, etc into a single console and making it easy to perform analysis and escalations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-9079033375616741287?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/9079033375616741287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=9079033375616741287' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/9079033375616741287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/9079033375616741287'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/arcsight-esm.html' title='ArcSight ESM'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6565085866321378169</id><published>2009-01-19T21:18:00.003-05:00</published><updated>2009-01-19T22:40:44.526-05:00</updated><title type='text'>MSSP: Internal vs. External</title><content type='html'>There is a very interesting post on &lt;a href="http://taosecurity.blogspot.com/2009/01/reader-questions-internal-or-external.html"&gt;Richard Bejtlich's blog&lt;/a&gt; that debates the merits of internal and external managed security services.  Richard's post was inspired by a reader of his blog researching the differences between building an in-house security department and contracting out to an MSSP.&lt;br /&gt;&lt;br /&gt;This is a fascinating question for me because I am currently employed at an MSSP and have previously developed and deployed an internal Network Security Monitoring solution using Snort, Sguil and other Open Source tools.&lt;br /&gt;&lt;br /&gt;Personally, I think that if an organization is &lt;span style="font-style: italic;"&gt;capable and willing&lt;/span&gt; to invest in developing its own internal managed security service, this is the preferred choice.  Keep in mind that it is possible to have an in-house managed security service and still contract 24x7 monitoring and other digital security tasks to an MSSP.&lt;br /&gt;&lt;br /&gt;I know my opinion may seem somewhat heretical, but ultimately there are three areas in which an MSSP cannot succeed as well as a well-trained and well-run internal security department.&lt;br /&gt;&lt;br /&gt;1. MSSPs cannot attain unadulterated digital situational awareness (DSA).&lt;br /&gt;&lt;br /&gt;This is primarily because of a diffusion of authority that stymies efficiency and creates inertia through endless meetings and red tape.  
This is what I like to refer to as "ITIL Hell".&lt;br /&gt;&lt;br /&gt;When you are running your own internal managed security service, you are afforded the luxury of autonomy and can therefore act quickly and efficiently in the company's best interest.&lt;br /&gt;&lt;br /&gt;2. Lack of DSA creates a disconnect between the time of detection and the time of notification and escalation of incidents because of the lack of context into client networks; for example, it is sometimes difficult to distinguish traffic from different partner networks, etc.&lt;br /&gt;&lt;br /&gt;Many times organizations are not forthcoming with this information, and this further slows escalation because analysts are forced to try to best-guess whether the traffic is legitimate or not.&lt;br /&gt;&lt;br /&gt;3. There is no emotional investment in the ultimate digital security of a client's network.  This does not mean that an MSSP does not care about client networks, but when an analyst is working different shifts each week and has alert data from many client networks to monitor, it is impossible to care for one client more than another.&lt;br /&gt;&lt;br /&gt;This lack of emotional investment may be the difference in going the proverbial extra mile during the analysis.  Couple this with lack of context and lack of DSA and it is easy to understand why an MSSP is not as efficient at defending an enterprise when compared to an internal managed security service.&lt;br /&gt;&lt;br /&gt;So what does this all mean?  Well, that depends entirely on the personnel and organization.  
If the organization is both capable and willing to invest in developing an internal security department and has the good fortune of having capable personnel that have the emotional investment to build a defensible network architecture, then contracting security out to an MSSP is probably not the answer.&lt;br /&gt;&lt;br /&gt;The reality is that many organizations do not have the capability or willingness, or perhaps do not have the personnel, to do effective 24x7 Network Security Monitoring.  This is the market for which contracting out to an MSSP is the right choice.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6565085866321378169?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6565085866321378169/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6565085866321378169' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6565085866321378169'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6565085866321378169'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/mssp-internal-vs-external.html' title='MSSP: Internal vs. 
External'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-3734811862458075510</id><published>2009-01-09T15:10:00.002-05:00</published><updated>2009-01-09T15:21:42.946-05:00</updated><title type='text'>First post 2009 and 1 year blog anniversary</title><content type='html'>As if by design this is the first post of 2009 and the 1 year anniversary of my first blog post!  I had 35 posts in 2008, some moderately more interesting than others, but overall I enjoy blogging and intend to continue blogging and then some in 2009. &lt;br /&gt;&lt;br /&gt;For the 3 people that regularly read this blog, I hope there is something here that helped out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-3734811862458075510?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/3734811862458075510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=3734811862458075510' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3734811862458075510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3734811862458075510'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2009/01/first-post-2009-and-1-year-blog.html' title='First post 2009 and 1 year 
blog anniversary'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-2590487370679199149</id><published>2008-12-31T12:40:00.002-05:00</published><updated>2008-12-31T13:11:11.136-05:00</updated><title type='text'>MySQL 5 and create_sguildb.sql script</title><content type='html'>While installing &lt;a href="http://www.sguil.net/"&gt;Sguil&lt;/a&gt; on my main desktop using the &lt;a href="http://www.securixlive.com/nsmnow/"&gt;NSMNow&lt;/a&gt; scripts, I encountered many moderately vexing challenges.   I did not encounter any challenges installing Sguil on my notebook, so this added to my frustration.  I am running &lt;a href="http://www.ubuntu.com/"&gt;Ubuntu 8.10&lt;/a&gt; on my desktop and 7.10 on my notebook.  
This post will deal with the challenges that I encountered configuring the sguildb using the create_sguildb.sql script.&lt;br /&gt;&lt;br /&gt;While attempting to use the create_sguildb.sql script, I encountered the following MySQL error:&lt;br /&gt;&lt;br /&gt;inuk-x@shell:~$ mysql -u sguil -p -D sguildb &lt; create_sguildb.sql&lt;br /&gt;Enter password:&lt;br /&gt;ERROR 1064 (42000) at line 55: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--)' at line 1&lt;br /&gt;&lt;br /&gt;Fortunately, a quick Google search produced a &lt;a href="http://fr.pastebin.ca/1280953"&gt;forum question&lt;/a&gt; that gave me enough information to figure out that there must be something wrong with the comments in the create_sguildb.sql script, so another Google search produced the answer from the &lt;a href="http://dev.mysql.com/doc/refman/5.0/en/comments.html"&gt;MySQL 5.0 Reference Manual&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It turns out that this error is being generated because double-dash style comments in MySQL 5 require a minimum of one whitespace or control character after the second dash.  Lines 55, 57, 58, 71, 72, 79, 80, 88, 89, 210, 211 and 234 of the create_sguildb.sql script do not follow this new syntax.
&lt;br /&gt;&lt;br /&gt;Comparing a modified create_sguildb.sql file with the original produces the following output:&lt;br /&gt;&lt;br /&gt;inuk-x@shell:~$ diff sguil-0.7.0/server/sql_scripts/create_sguildb.sql.modified sguil/server/sql_scripts/create_sguildb.sql.original&lt;br /&gt;55c55&lt;br /&gt;&lt; -- );&lt;br /&gt;---&lt;br /&gt;&gt; --);&lt;br /&gt;57,58c57,58&lt;br /&gt;&lt; -- CREATE TABLE tcphdr&lt;br /&gt;&lt; -- (&lt;br /&gt;---&lt;br /&gt;&gt; --CREATE TABLE tcphdr&lt;br /&gt;&gt; --(&lt;br /&gt;71,72c71,72&lt;br /&gt;&lt; -- CREATE TABLE udphdr&lt;br /&gt;&lt; -- (&lt;br /&gt;---&lt;br /&gt;&gt; --CREATE TABLE udphdr&lt;br /&gt;&gt; --(&lt;br /&gt;79,80c79,80&lt;br /&gt;&lt; -- CREATE TABLE icmphdr&lt;br /&gt;&lt; -- (&lt;br /&gt;---&lt;br /&gt;&gt; --CREATE TABLE icmphdr&lt;br /&gt;&gt; --(&lt;br /&gt;88,89c88,89&lt;br /&gt;&lt; -- CREATE TABLE data&lt;br /&gt;&lt; -- (&lt;br /&gt;---&lt;br /&gt;&gt; --CREATE TABLE data&lt;br /&gt;&gt; --(&lt;br /&gt;210,211c210,211&lt;br /&gt;&lt; -- CREATE TABLE sancp&lt;br /&gt;&lt; -- (&lt;br /&gt;---&lt;br /&gt;&gt; --CREATE TABLE sancp&lt;br /&gt;&gt; --(&lt;br /&gt;234c234&lt;br /&gt;&lt; -- );&lt;br /&gt;---&lt;br /&gt;&gt; --);&lt;br /&gt;&lt;br /&gt;Once I modified this script with the proper comment syntax, I was able to run the script properly and create the sguildb.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-2590487370679199149?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/2590487370679199149/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=2590487370679199149' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2590487370679199149'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2590487370679199149'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/mysql-5-and-createsguildbsql-script.html' title='MySQL 5 and create_sguildb.sql script'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6144270338730070241</id><published>2008-12-29T23:25:00.005-05:00</published><updated>2008-12-30T00:11:30.529-05:00</updated><title type='text'>Three questions...</title><content type='html'>I am in a somewhat philosophical mood and three questions have been on my mind since work today; I do not necessarily have the answers, but instead will ask the questions and perhaps address them at another time.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1. Are all alert data created equal?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This question originates with my employment at an MSSP where we process many types of alert data from Dragon IDS, Cisco IPS and ISS.  Snort and Sourcefire strangely are underrepresented.  My question is if Dragon IDS, Cisco IPS, ISS, Snort and Sourcefire all looked at the same full-content data, would they all produce the same results?  I think not and would like to empirically verify this theory.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. 
When is an analyst no longer an analyzer of data but an analyzer of dashboards?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This question also originates with my employment at an MSSP because like I said, we process so many disparate alert types and there is only so much time in a shift that it is challenging for an analyst to really spend quality time with a piece of data and conclusively determine what happened.  Therefore the analysts evolve into analyzers of dashboards instead of data in order to promptly assess alerts and determine if there was a legitimate attack or not.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. If all you have is alert data, can you positively confirm that you have been compromised?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I know the answer to this one, but am including it for emphasis of the point that alert data alone does not lend itself to digital situational awareness.  Alert data + session data is the bare minimum as far as I am concerned.  At least with this combination you can observe the egress sessions, in other words, what did the attacker do next?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6144270338730070241?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6144270338730070241/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6144270338730070241' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6144270338730070241'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6144270338730070241'/><link rel='alternate' type='text/html' 
href='http://inukdigitalsecurity.blogspot.com/2008/12/three-questions.html' title='Three questions...'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-2764186329398787019</id><published>2008-12-29T22:56:00.003-05:00</published><updated>2008-12-29T23:13:28.793-05:00</updated><title type='text'>ArcSight Certified Security Analyst</title><content type='html'>Apparently I am now an &lt;a href="http://www.arcsight.com/services/services-training/training-esm/esmcourse-ACSA/"&gt;ArcSight Certified Security Analyst (ACSA)&lt;/a&gt;.  I say this in a non-facetious manner, as much as that is possible.  As I have stated previously, I am employed at an MSSP and ArcSight ESM 4.0 is the new &lt;a href="http://en.wikipedia.org/wiki/Siem"&gt;SIEM/SEM&lt;/a&gt; that my employer is deploying in order to manage and correlate all of the data from the various security devices that we manage and operate.&lt;br /&gt;&lt;br /&gt;Actually, I attained this certification a month ago and meant to post about it, but am only getting to it now because I didn't quite know how to broach the subject.  You see, this is a curious situation because in order to attain the aforementioned ACSA certification, I did not have to write and pass an exam like the other certifications that I have attained over my career.&lt;br /&gt;&lt;br /&gt;All that was necessary was completion of an onsite course instructed by ArcSight, demonstrating an understanding of the logic used to differentiate events and correlation of events and demonstrating an understanding of the set of tools that comprise ArcSight ESM. 
&lt;br /&gt;&lt;br /&gt;Again, there is no real purpose to this post except to point out the odd method of attaining the ACSA certification compared to traditional certifications.&lt;br /&gt;&lt;br /&gt;That said, ever since I moved to the MSSP I have not been able to use Sguil, and I have not been able to come up with a method of inputting non-Snort alert data into Sguil, so therefore I am stuck with ArcSight and am relunctantly awaiting my opportunity to kick the proverbial tires and see what this product can do in production.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-2764186329398787019?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/2764186329398787019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=2764186329398787019' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2764186329398787019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2764186329398787019'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/arcsight-certified-security-analyst.html' title='ArcSight Certified Security Analyst'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-4536323404423244628</id><published>2008-12-20T02:47:00.002-05:00</published><updated>2008-12-20T03:02:29.787-05:00</updated><title type='text'>Network security tools</title><content type='html'>As I blogged about &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/12/digital-situational-awareness.html"&gt;yesterday&lt;/a&gt;, I am pumped about receiving my copy of the Nmap Network Scanning book.  While thinking about the impact that Nmap has had on my digital security career, I decided to list a few other tools that have changed the way that I operate as a digital security dude.&lt;br /&gt;&lt;br /&gt;The criteria for these tools is (1)the tool changed the way that I operated as a digital security professional and (2)I still use the tool daily at my job.  This list is non-exhaustive and in arbitrary order.&lt;br /&gt;&lt;br /&gt;1. &lt;a href="http://www.insecure.org/"&gt;Nmap&lt;/a&gt;&lt;br /&gt;2. &lt;a href="http://www.tcpdump.org/"&gt;tcpdump&lt;/a&gt;&lt;br /&gt;3. &lt;a href="http://en.wikipedia.org/wiki/Netcat"&gt;Netcat&lt;/a&gt;&lt;br /&gt;4. &lt;a href="http://www.snort.org/"&gt;Snort&lt;/a&gt;&lt;br /&gt;5. &lt;a href="http://www.qosient.com/argus"&gt;Argus&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Notice that full-content, session and alert data are all represented.  
I thought about including Sguil, but that is more of a suite of tools than a single tool and I think that 5 makes a better list than 6 or 7.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-4536323404423244628?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/4536323404423244628/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=4536323404423244628' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4536323404423244628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4536323404423244628'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/network-security-tools.html' title='Network security tools'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-90057391099970537</id><published>2008-12-19T23:06:00.011-05:00</published><updated>2008-12-20T02:38:52.027-05:00</updated><title type='text'>Digital Situational Awareness</title><content type='html'>I just read Richard Bejtlich's &lt;a href="http://searchnetworkingchannel.techtarget.com/tip/0,289483,sid100_gci1341064,00.html#"&gt;Traffic Talk 3&lt;/a&gt; about knowing your network and attaining digital situational awareness.  
Digital situational awareness is a fundamental aspect of Network Security Monitoring (NSM) and is a major difference between traditional information security and Network Security Monitoring.&lt;br /&gt;&lt;br /&gt;The Traffic Talk contains an interesting hypothesis that uses NSM data to determine the importance of an asset or data in an organization that I had never considered before.&lt;br /&gt;&lt;br /&gt;Richard's hypothesis of importance contends that (emphasis added):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span class="a3"&gt;1. More important servers are accessed by &lt;span style="font-weight: bold;"&gt;more people&lt;/span&gt; than servers of lesser importance.&lt;br /&gt;2. &lt;/span&gt;&lt;/span&gt;&lt;span style="font-style: italic;"&gt;More important servers are accessed by "more important people"; servers of lesser importance are ignored by "more important people."&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;3. More important servers are accessed at a &lt;span style="font-weight: bold;"&gt;higher frequency&lt;/span&gt; than servers of lesser importance.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What does this mean?  This means that you can calculate the importance of an asset such as a server or a file by using the access data of that asset as a metric.  The more often an asset is accessed by subjects, the more important that asset is to your organization.  Additionally, the more important the subject accessing the asset, the more important the asset.  I think that the latter applies more to assets such as files, etc., as it is easier to identify the subject.&lt;br /&gt;&lt;br /&gt;Say you are running Citrix MetaFrame to deliver your applications to your users and you want to know what applications or services are the most used on your network.  
What are your options besides using something like SysTrack to audit your MetaFrame farm?&lt;br /&gt;&lt;br /&gt;Fortunately if you are performing NSM you have a plethora of data to choose from. The following statistics are conjectural and are based on experience and memory; however, the methodology is sound.&lt;br /&gt;&lt;br /&gt;You look at your statistical data and notice that TCP comprises 70% of your network traffic, UDP 20% and ICMP 10%; of the TCP traffic you notice that ICA comprises 20%, HTTP/S comprises 40%, SMTP comprises 15%, Microsoft-DS comprises 20% and the remaining 5% is miscellaneous.&lt;br /&gt;&lt;br /&gt;While inspecting your session data to determine exactly which MetaFrame, web, mail and file servers generate the most traffic, you notice that one particular file server is accessed more than others.  You consult your inventory and confirm that this is your primary file server and the abundance of SMB traffic is legitimate.&lt;br /&gt;&lt;br /&gt;While reviewing all session traffic besides SMB, you notice that the file server is communicating on some strange ports at strange times of the day.  You decide to take a closer look at this server and discover that your primary file server has some unauthorized applications installed that are generating the odd traffic that is present in the session data.  
You are now able to make an appropriate decision with the data available to you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-90057391099970537?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/90057391099970537/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=90057391099970537' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/90057391099970537'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/90057391099970537'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/digital-situational-awareness.html' title='Digital Situational Awareness'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-8657316782490888991</id><published>2008-12-19T22:48:00.002-05:00</published><updated>2008-12-19T23:00:37.390-05:00</updated><title type='text'>Nmap book</title><content type='html'>I just received my copy of the &lt;a href="http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=pd_bbs_sr_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1229744917&amp;amp;sr=8-1"&gt;Nmap Network Scanning&lt;/a&gt; book today.  
This is a book that I have been waiting on with bated breath since Fyodor announced that he was writing this book in 2003.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.insecure.org/"&gt;Nmap&lt;/a&gt; has a special place in my heart and is a tool that I still utilize daily.  I remember when I first began studying for my GCFW certification in 2003 that it was my mastery of Nmap and &lt;a href="http://www.tcpdump.org/"&gt;tcpdump&lt;/a&gt; on the command line that really gave me the confidence to go forward in my digital security career and helped me to understand my networks in new and exciting ways.&lt;br /&gt;&lt;br /&gt;I look forward to learning new aspects of one of my favorite tools from the perspective of the tool's author over the Christmas holidays.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-8657316782490888991?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/8657316782490888991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=8657316782490888991' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8657316782490888991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8657316782490888991'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/nmap-book.html' title='Nmap book'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-629040082018203009</id><published>2008-12-17T16:55:00.008-05:00</published><updated>2008-12-22T16:01:00.205-05:00</updated><title type='text'>Jeremiah Grossman timelines recent digital security</title><content type='html'>I just read an excellent post where Jeremiah Grossman creates a &lt;a href="http://jeremiahgrossman.blogspot.com/2008/12/history-repeating-itself.html"&gt;timeline&lt;/a&gt; of network and application security events.  The network security events in the timeline begin with the Morris Worm in 1988 and conclude with PCI Standards in 2006.  I will only touch on the network security events as most of my experience has been network centric, first as a network administrator and then a firewall and router administrator and finally as an intrusion analyst and incident handler.&lt;br /&gt;&lt;br /&gt;While reading the timeline, I was struck by how closely I can remember these events and how easy it was to associate them with a particular year.  Also curious was the fact that I can remember working on similar projects or dealing with similar issues at work during these timelines.  I was in college in 2001 when the &lt;a href="http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29"&gt;Code Red&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Nimda"&gt;Nimda&lt;/a&gt; worms were bringing down Microsoft IIS servers everywhere and can still remember the chaos that these worms caused, however the first incidents that I dealt with solely as the security dude at my job were the &lt;a href="http://en.wikipedia.org/wiki/SQL_Slammer"&gt;SQL Slammer&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Blaster_worm"&gt;Blaster&lt;/a&gt; worms in 2003.  
I remember these incidents because even though we operated a fairly closed network, laptop computers infected on home networks were the vector that allowed the worms to migrate to our network.  Fortunately we were using application filtering firewalls and were able to detect and contain the worms via &lt;a href="http://en.wikipedia.org/wiki/Extrusion_detection"&gt;extrusion detection&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I would like to digress and point out that modern devices that are labeled IPS' are really glorified Layer 7 firewalls and that the oncoming ubiquity of &lt;a href="http://en.wikipedia.org/wiki/Unified_Threat_Management"&gt;Unified Threat Management&lt;/a&gt; will make this distinction less and less clear, except maybe to vendors and marketers that are trying to sell something.&lt;br /&gt;&lt;br /&gt;While my own timeline deviated to more IDS centric projects from 2005 to 2008, I still remember cutting my teeth using &lt;a href="http://www.insecure.org/"&gt;Nmap&lt;/a&gt;, &lt;a href="http://www.nessus.org/"&gt;Nessus&lt;/a&gt; and a plethora of Windows based network scanners to perform network mapping and ad-hoc vulnerability assessments in 2004 and 2005, no doubt part of the trend of in-house vulnerability assessments and penetration testing.&lt;br /&gt;&lt;br /&gt;Strangely, Jeremiah's timeline for network security ends in 2006 while the software security timeline continues on into 2007 and concludes with the question of what is next in 2009 and beyond?  I suppose that with the ubiquitous adoption of cloud computing the line between network and software will blur and much of digital security will be software security.&lt;br /&gt;&lt;br /&gt;Interestingly 2007's Mass SQL Injection attacks were categorized with software security events instead of network security.  
I would posit that this is an example of the new hybrid network/software security because while the effects of SQL Injection attacks are felt on the software as a service side of things, the actual attack is still carried out on a network somewhere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-629040082018203009?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/629040082018203009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=629040082018203009' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/629040082018203009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/629040082018203009'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/jeremiah-grossman-timelines-recent.html' title='Jeremiah Grossman timelines recent digital security'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-4282530849900915325</id><published>2008-12-13T18:28:00.005-05:00</published><updated>2008-12-13T18:38:38.349-05:00</updated><title type='text'>New virtualization platform</title><content type='html'>I have been using VMware Server as my virtualization platform for the past several years.  
I got my first taste of virtualization as a method for testing and research while studying for my GCIH certification in 2005/2006.&lt;br /&gt;&lt;br /&gt;I have recently been made aware of an alternative virtualization platform named &lt;a href="http://www.virtualbox.org/"&gt;VirtualBox&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have been using VirtualBox on my home system for the past several weeks and am happy to announce that this platform performs very well and is open source and is very simple to install.  I remember the headaches that I encountered while trying to get VMware Professional and later VMware Server to work with my Slackware desktop in 2006. &lt;br /&gt;&lt;br /&gt;I used the apt repositories to install VirtualBox on my workstation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo apt-get install virtualbox&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;[sudo] password for inuk-x:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ which virtualbox&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;/usr/bin/virtualbox&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-4282530849900915325?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/4282530849900915325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=4282530849900915325' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4282530849900915325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4282530849900915325'/><link rel='alternate' 
type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/new-virtualization-platform.html' title='New virtualization platform'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-7711286080684097032</id><published>2008-12-08T22:42:00.036-05:00</published><updated>2008-12-13T16:35:57.877-05:00</updated><title type='text'>Ad-hoc traffic assessment using Windows tools</title><content type='html'>It has been my experience since working for an MSSP that there are many situations where I am asked to perform an analysis without the NSM tools that I am used to working with.  I have had to alter NSM methodologies within a construct that is not as appreciative of open source security tools as I am.  The theme of this post is one such example where I was limited to Windows XP, &lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt; and &lt;a href="http://www.cygwin.com/"&gt;Cygwin&lt;/a&gt;.  Hopefully there is something here that someone will find useful.&lt;br /&gt;&lt;br /&gt;Recently I had to perform a &lt;a href="http://taosecurity.blogspot.com/2007/09/tactical-traffic-assessment.html"&gt;traffic assessment&lt;/a&gt; on a set of libpcap trace files that were stored on a notebook in a remote location.  
Normally I prefer to do traffic assessments on my Linux system using NSM tools such as &lt;a href="http://qosient.com/argus/"&gt;Argus&lt;/a&gt; and &lt;a href="http://www.iijlab.net/%7Ekjc/papers/freenix2000/node14.html"&gt;tcpdstat&lt;/a&gt; for gleaning &lt;a href="http://taosecurity.blogspot.com/2004/07/using-session-data-to-scope-events.html"&gt;session&lt;/a&gt; and &lt;a href="http://nsmwiki.org/Network_Statistical_Data"&gt;statistical&lt;/a&gt; data respectively, however in this case I was limited to the Windows XP notebook because of time constraints.&lt;br /&gt;&lt;br /&gt;The traffic was collected via the Wireshark application, so I knew that options were available for my traffic assessment because Wireshark comes with a command line tool named tshark that is capable of enumerating various statistical outputs from trace files.&lt;br /&gt;&lt;br /&gt;The "-z io,phs" and "-z conv" options are what I used to extract statistical and session data respectively from the trace files.  Wireshark refers to these options as Protocol Hierarchy Statistics and Conversations Statistics.&lt;br /&gt;&lt;br /&gt;The following descriptions are from the tshark man pages:&lt;br /&gt;&lt;br /&gt;-z  &amp;lt;statistics&amp;gt;&lt;br /&gt;         Get TShark to collect various types of statistics and display the&lt;br /&gt;         result after finishing reading the capture file.  Use the -q flag&lt;br /&gt;         if you’re reading a capture file and only want the statistics&lt;br /&gt;         printed, not any per-packet information.&lt;br /&gt;&lt;br /&gt; -z io,phs[,filter]&lt;br /&gt;&lt;br /&gt;         Create Protocol Hierarchy Statistics listing both number of packets&lt;br /&gt;         and bytes.  If no filter is specified the statistics will be&lt;br /&gt;         calculated for all packets.  
If a filter is specified statistics&lt;br /&gt;         will be only calculated for those packets that match the filter.&lt;br /&gt;&lt;br /&gt;-z conv,type[,filter]&lt;br /&gt;&lt;br /&gt;         Create a table that lists all conversations that could be seen in&lt;br /&gt;         the capture.  type specifies which type of conversation we want to&lt;br /&gt;         generate the statistics for; currently the supported ones are&lt;br /&gt;&lt;br /&gt;           "eth"   Ethernet&lt;br /&gt;           "fc"    Fibre Channel&lt;br /&gt;           "fddi"  FDDI&lt;br /&gt;           "ip"    IP addresses&lt;br /&gt;           "ipx"   IPX addresses&lt;br /&gt;           "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported&lt;br /&gt;           "tr"    Token Ring&lt;br /&gt;           "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported&lt;br /&gt;&lt;br /&gt;         If the optional filter string is specified, only those packets that&lt;br /&gt;         match the filter will be used in the calculations.&lt;br /&gt;&lt;br /&gt;In the following arbitrary example, I will demonstrate the Protocol Hierarchy and Conversation Statistics options on a libpcap trace file named capture_trace.lpc.  
Please note that the data within the examples have been sanitized for privacy and space limitations and that the procedures demonstrated have been truncated from a full tactical traffic assessment.&lt;br /&gt;&lt;br /&gt;First I will gather the statistical data, or Protocol Hierarchy Statistics so that I will have a holistic picture of all of the traffic captured in the trace file.&lt;br /&gt;&lt;br /&gt;C:\Program Files\Wireshark&gt;tshark.exe -r capture_trace.lpc -nqz io,phs&lt;br /&gt;===================================================================&lt;br /&gt;Protocol Hierarchy Statistics&lt;br /&gt;Filter: frame&lt;br /&gt;&lt;br /&gt;frame                                    frames:44618 bytes:6702467&lt;br /&gt; eth                                    frames:44618 bytes:6702467&lt;br /&gt;   ip                                   frames:44618 bytes:6702467&lt;br /&gt;     icmp                               frames:27802 bytes:2927625&lt;br /&gt;     tcp                                frames:11084 bytes:2863203&lt;br /&gt;       pop                              frames:3459 bytes:1267156&lt;br /&gt;       smtp                             frames:1419 bytes:528234&lt;br /&gt;         imf                            frames:95 bytes:5700&lt;br /&gt;       ftp                              frames:126 bytes:10724&lt;br /&gt;       ftp-data                         frames:628 bytes:715254&lt;br /&gt;       dns                              frames:2 bytes:931&lt;br /&gt;     udp                                frames:5732 bytes:911639&lt;br /&gt;       dcerpc                           frames:135 bytes:74266&lt;br /&gt;         messenger                      frames:135 bytes:74266&lt;br /&gt;       dns                              frames:4129 bytes:679726&lt;br /&gt;       data                             frames:82 bytes:26042&lt;br /&gt;       echo                             frames:296 bytes:31376&lt;br /&gt;       ntp                              
frames:17 bytes:1530&lt;br /&gt;       isakmp                           frames:1058 bytes:95246&lt;br /&gt;       http                             frames:3 bytes:525&lt;br /&gt;       cldap                            frames:12 bytes:2928&lt;br /&gt;===================================================================&lt;br /&gt;&lt;br /&gt;By looking at the above data, I can quickly surmise that TCP and ICMP compose 43 and 44 percent of the traffic, while UDP composes 14 percent.  Further targeted analysis of the protocols contained in the trace file is now an option as I know where I should be focusing my attention.&lt;br /&gt;&lt;br /&gt;For example, say that I am interested in seeing all SMTP sessions, or conversations as Wireshark calls them, I would use the &lt;span style="font-weight: bold;"&gt;tshark -z conv,tcp,"tcp.port==25"&lt;/span&gt; command with the following results.&lt;br /&gt;&lt;br /&gt;C:\Program Files\Wireshark&gt;tshark.exe -r capture_trace.lpc -nqz conv,tcp,"tcp.port==25"&lt;br /&gt;TCP Conversations&lt;br /&gt;Filter:tcp.port==25&lt;br /&gt;                                                                                 &lt;-                                                  -&gt;                                     Total   &lt;br /&gt;                                                                                                                                                         Frames  Bytes | Frames  Bytes  Frames  Bytes&lt;br /&gt;192.168.106.78:2232  &lt;-&gt; 172.16.145.21:25        364     26125     430    224602     794    250727&lt;br /&gt;192.168.106.78:2272  &lt;-&gt; 172.16.145.21:25         72      5177      77     39228     149     44405&lt;br /&gt;192.168.106.78:2548  &lt;-&gt; 172.16.145.21:25         59      4307      70     34534     129     38841&lt;br /&gt;192.168.106.78:2389  &lt;-&gt; 172.16.145.21:25         45      3287      50     24642      95     27929&lt;br /&gt;192.168.106.78:2565  &lt;-&gt; 172.16.145.21:25   
      42      3017      41     19774      83     22791&lt;br /&gt;192.168.106.78:2275  &lt;-&gt; 172.16.145.21:25         40      2897      41     19798      81     22695&lt;br /&gt;192.168.106.78:2733  &lt;-&gt; 172.16.145.21:25         27      2027      34     15050      61     17077&lt;br /&gt;192.168.106.78:2237  &lt;-&gt; 172.16.145.21:25         29      2147      32     14908      61     17055&lt;br /&gt;192.168.106.95:4030  &lt;-&gt; 172.16.145.21:25         22      1630      30     25281      52     26911&lt;br /&gt;192.168.106.78:2792  &lt;-&gt; 172.16.145.21:25         24      1757      23     10044      47     11801&lt;br /&gt;192.168.106.78:2766  &lt;-&gt; 172.16.145.21:25         24      1757      23     10006      47     11763&lt;br /&gt;192.168.106.78:2801  &lt;-&gt; 172.16.145.21:25         22      1637      23     10006      45     11643&lt;br /&gt;192.168.106.78:2243  &lt;-&gt; 172.16.145.21:25         22      1637      23     10038      45     11675&lt;br /&gt;192.168.106.78:2804  &lt;-&gt; 172.16.145.21:25         17      1247      14      5174      31      6421&lt;br /&gt;192.168.106.78:2811  &lt;-&gt; 172.16.145.21:25         14      1101      16      5272      30      6373&lt;br /&gt;192.168.106.78:2788  &lt;-&gt; 172.16.145.21:25         15      1127      14      5160      29      6287&lt;br /&gt;192.168.106.78:2771  &lt;-&gt; 172.16.145.21:25         15      1127      14      5166      29      6293&lt;br /&gt;192.168.106.78:2743  &lt;-&gt; 172.16.145.21:25         15      1127      14      5186      29      6313&lt;br /&gt;192.168.106.78:2235  &lt;-&gt; 172.16.145.21:25         15      1127      14      5218      29      6345&lt;br /&gt;192.168.106.95:3425  &lt;-&gt; 172.16.145.21:25         14      1114      15      2475      29      3589&lt;br /&gt;10.19.126.247:1622  &lt;-&gt; 192.168.106.78:25          0         0       3       186       3       186&lt;br /&gt;10.19.126.247:1596  &lt;-&gt; 192.168.106.66:25          0         0       3  
186       3       186&lt;br /&gt;10.19.126.247:1725  &lt;-&gt; 192.168.106.127:25         0         0       2       124       2       124&lt;br /&gt;10.19.126.247:1677  &lt;-&gt; 192.168.106.107:25         0         0       2       124       2       124&lt;br /&gt;10.19.126.247:1672  &lt;-&gt; 192.168.106.101:25         0         0       2       124       2       124&lt;br /&gt;10.19.126.247:1670  &lt;-&gt; 192.168.106.102:25         0         0       2       124       2       124&lt;br /&gt;10.250.6.30:3699    &lt;-&gt; 192.168.106.127:25         0         0       1        62       1        62&lt;br /&gt;10.250.6.30:3698    &lt;-&gt; 192.168.106.127:25         0         0       1        62       1        62&lt;br /&gt;10.250.6.30:3556    &lt;-&gt; 192.168.106.107:25         0         0       1        62       1        62&lt;br /&gt;10.250.6.30:3552    &lt;-&gt; 192.168.106.101:25         0         0       1        62       1        62&lt;br /&gt;&lt;br /&gt;The primary ways that I use the -z conv option are to print all conversations using the "-z conv,ip" option, print all TCP sessions using the "-z conv,tcp" option and print all UDP traffic using the "-z conv,udp" option.  For the TCP and UDP options, standard Wireshark filters are available such as "tcp.port==80" or "udp.port==53" or "ip.addr==192.168.10.10". 
&lt;br /&gt;&lt;br /&gt;As has just been demonstrated, if you are stuck in the confines of Windows and only have Wireshark available, it is possible to extract some useful data and perform some NSM analysis.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-7711286080684097032?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/7711286080684097032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=7711286080684097032' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7711286080684097032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7711286080684097032'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/12/ad-hoc-traffic-assessment-using-windows.html' title='Ad-hoc traffic assessment using Windows tools'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-1958297025014325302</id><published>2008-09-24T16:45:00.003-04:00</published><updated>2008-09-24T16:57:31.279-04:00</updated><title type='text'>McAfee to acquire Secure Computing Corporation</title><content type='html'>I guess I've really been under a rock lately, but I just became aware of 
the news that &lt;a href="http://www.securecomputing.com/"&gt;Secure Computing Corporation&lt;/a&gt; is about to be acquired by McAfee. The news release can be found &lt;a href="http://www.mcafee.com/us/about/corporate/mcafee_secure_computing.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is newsworthy to me because I cut my firewall teeth on Secure Computing's SideWinder 5.2.x firewall and became quite competent with the SideWinder G2 and &lt;a href="http://www.securecomputing.com/index.cfm?skey=20&amp;amp;lang=en"&gt;SideWinder 7&lt;/a&gt; firewalls, so I have a slight bias when it comes to Secure Computing's proxy firewalls.&lt;br /&gt;&lt;br /&gt;This news is slightly disconcerting because Secure Computing's firewalls will no doubt be bundled with McAfee's other products and the tight (read secure) product will suffer for it.&lt;br /&gt;&lt;br /&gt;I understand that this is a business decision and since I no longer actively support Secure Computing firewalls, I shall take a wait and see approach.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-1958297025014325302?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/1958297025014325302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=1958297025014325302' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1958297025014325302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1958297025014325302'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/09/mcafee-to-acquire-secure-computing.html' title='McAfee to acquire 
Secure Computing Corporation'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6005326926261881949</id><published>2008-09-23T11:45:00.002-04:00</published><updated>2008-09-23T11:49:03.473-04:00</updated><title type='text'>BackTrack 3</title><content type='html'>This is a little late, I guess I've been under a rock or something, but &lt;a href="http://www.remote-exploit.org/backtrack_download.html"&gt;BackTrack 3&lt;/a&gt; was released this past July.  I have been using the beta version on my &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/01/backtrack-30-beta-on-usb-stick.html"&gt;USB drive&lt;/a&gt; for several months and intend to download the final version immediately.  
I will post results at a later date.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6005326926261881949?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6005326926261881949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6005326926261881949' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6005326926261881949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6005326926261881949'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/09/backtrack-3.html' title='BackTrack 3'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6786550915913351108</id><published>2008-09-22T13:38:00.006-04:00</published><updated>2008-09-22T16:37:31.154-04:00</updated><title type='text'>Database monitoring</title><content type='html'>I follow the &lt;a href="http://seclists.org/rss/isn.rss"&gt;Info Security News&lt;/a&gt; via RSS and came across this interesting article on &lt;a href="http://www.informationweek.com/news/security/app_security/showArticle.jhtml?articleID=210602800"&gt;Oracle security&lt;/a&gt; today.&lt;br /&gt;&lt;br /&gt;The article deals specifically with Oracle databases, and is a little light on details, but the 
same can be said for MySQL, MS-SQL, or any other relational database used to store data.    One point that I would like to make is that the need for network and application security monitoring is as relevant as it ever has been.&lt;br /&gt;&lt;br /&gt;In the past year I have had the opportunity to work with &lt;a href="http://www.imperva.com/products/securesphere.html"&gt;Imperva's SecureSphere&lt;/a&gt; database monitoring appliances for inline database monitoring and while it is obvious that this product is not a panacea, used in tandem with Network Security Monitoring (NSM) methodologies it is possible to get effective visibility into both network and user activities.&lt;br /&gt;&lt;br /&gt;Other information on Oracle and database in-security can be found &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/01/oracle-non-patching.html"&gt;here&lt;/a&gt;, &lt;a href="http://taosecurity.blogspot.com/2008/01/thoughts-on-oracle-non-patching.html"&gt;here&lt;/a&gt;, and &lt;a href="http://taosecurity.blogspot.com/2007/05/database-forensics.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6786550915913351108?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6786550915913351108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6786550915913351108' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6786550915913351108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6786550915913351108'/><link rel='alternate' type='text/html' 
href='http://inukdigitalsecurity.blogspot.com/2008/09/database-monitoring.html' title='Database monitoring'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-8437583093455003651</id><published>2008-09-22T13:20:00.004-04:00</published><updated>2008-09-22T13:32:15.491-04:00</updated><title type='text'>Regular posting</title><content type='html'>For those of you wondering why I have not been posting regularly, it comes down to three items.&lt;br /&gt;&lt;br /&gt;1. I have changed locations of employment and have been busy acclimating myself&lt;br /&gt;2. I have been busy training for my first marathon and the training has consumed my free time&lt;br /&gt;3. Blogging is very hard work&lt;br /&gt;&lt;br /&gt;Yes, I have changed employers and now work in the pseudo-cloud security field.  Here is an interesting blog that I began following this year that is related to &lt;a href="http://cloudsecurity.org/about/"&gt;Cloud Security Computing.&lt;/a&gt;  I will discuss more about this field in future posts.&lt;br /&gt;&lt;br /&gt;I am happy to report that I have completed my first marathon after 18 weeks and 500 miles of road work; the race did not go according to plan, but I completed it and can now call myself a marathoner.&lt;br /&gt;&lt;br /&gt;Yes, blogging is very hard work that has to compete for time with my other obligations, duties and hobbies.  
So, no excuses here; however, now that we are into fall I should have more time to sit in front of my computer in the evenings and discuss the things that pique my interest.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-8437583093455003651?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/8437583093455003651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=8437583093455003651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8437583093455003651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/8437583093455003651'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/09/regular-posting.html' title='Regular posting'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-3879694509389543911</id><published>2008-04-01T14:58:00.002-04:00</published><updated>2008-04-01T15:10:13.964-04:00</updated><title type='text'>Sguil 0.7.0 working</title><content type='html'>Finally, after considerable toil, I have successfully upgraded from Sguil 0.6.1 to Sguil 0.7.0 using Snort 2.8.0.2 on my main NSM sensor.  
Due to the introduction of new components such as the various agents, the upgrade process was slightly challenging.&lt;br /&gt;&lt;br /&gt;However, thanks in large part to Hanashi's &lt;a href="http://www.vorant.com/nsmwiki/Sguil_on_RedHat_HOWTO"&gt;Instant NSM documentation&lt;/a&gt; and the documentation I created during my initial foray in 2006, I was able to figure things out for myself.&lt;br /&gt;&lt;br /&gt;One sensor down, eight to go; I will post updates when all my upgrades have been completed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-3879694509389543911?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/3879694509389543911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=3879694509389543911' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3879694509389543911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3879694509389543911'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/04/sguil-070-working.html' title='Sguil 0.7.0 working'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-3017777856591353872</id><published>2008-03-26T09:48:00.002-04:00</published><updated>2008-03-26T09:58:50.502-04:00</updated><title type='text'>Sguil 0.7.0 released</title><content type='html'>Sguil 0.7.0 has officially been released.  Announcements are &lt;a href="http://taosecurity.blogspot.com/2008/03/sguil-070-released.html"&gt;here&lt;/a&gt; and &lt;a href="http://article.gmane.org/gmane.comp.security.sguil.general/1561"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have been experimenting with the CVS version of Sguil 0.7.0 and the CVS version of &lt;a href="http://www.vorant.com/nsmwiki/InstantNSM"&gt;Instant NSM&lt;/a&gt; for a couple of weeks and have been slowly working out the issues with the disparate components (i.e. tcllib, tcl/tls, tcl/tk, etc.). &lt;br /&gt;&lt;br /&gt;I have been using Sguil 0.6.1 in production since May 2006 without any issues, and decided a couple of months ago to begin experimenting with the newer version alongside newer versions of Snort. 
&lt;br /&gt;&lt;br /&gt;I will post more info after successfully deploying Sguil 0.7.0 in production later this week.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-3017777856591353872?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/3017777856591353872/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=3017777856591353872' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3017777856591353872'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3017777856591353872'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/03/sguil-070-released.html' title='Sguil 0.7.0 released'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-5935676175298785701</id><published>2008-02-22T13:12:00.003-05:00</published><updated>2008-02-22T14:36:56.209-05:00</updated><title type='text'>Thoughts on Newfoundland data theft</title><content type='html'>Thanks to this &lt;a href="http://www.cbc.ca/canada/newfoundland-labrador/story/2008/02/21/student-breach.html"&gt;CBC &lt;/a&gt;article, I became aware of another incident in the province of Newfoundland.  
In this incident, the personal information of 28,000 schoolchildren was compromised when laptops containing the aforesaid data were stolen.&lt;br /&gt;&lt;br /&gt;My immediate question was why the database was stored on a laptop at all; then I remembered that when I took &lt;a href="http://www.sans.org/training/description.php?mid=43&amp;amp;portal=974eace5c24db904f845549ae1e92b82"&gt;SANS Security 503 (GCIA)&lt;/a&gt;, the instructor indicated that when pen-testing he would usually go after the DBA's or developer's desktop, because it often contained a copy of the targeted database and was easier prey than the database server itself.&lt;br /&gt;&lt;br /&gt;Other tidbits revealed in the article:&lt;br /&gt;&lt;br /&gt;1. The theft occurred on Sunday, but was not reported until Thursday&lt;br /&gt;2. The data in question was extracted from a production database and stored on the laptop&lt;br /&gt;3. The hard drives were not encrypted&lt;br /&gt;&lt;br /&gt;Additionally, the assumption that the thieves are not interested in the data contained on the laptops is very naive and dangerous.  It appears that the authorities are either not taking this incident very seriously or are grossly oblivious to its potential severity.  
The fact is that the names, addresses, phone numbers, health care numbers and parental information of 28,000 students in 56 schools in two regions were compromised; this is no small matter.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-5935676175298785701?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/5935676175298785701/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=5935676175298785701' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5935676175298785701'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5935676175298785701'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/thoughts-on-newfoundland-data-theft.html' title='Thoughts on Newfoundland data theft'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-2424479933854887832</id><published>2008-02-22T10:46:00.002-05:00</published><updated>2008-02-22T10:57:36.663-05:00</updated><title type='text'>Forensic analysis resources</title><content type='html'>&lt;a href="http://windowsir.blogspot.com"&gt;Harlan Carvey&lt;/a&gt; has just posted an excellent list of resources on &lt;a 
href="http://windowsir.blogspot.com/2008/02/getting-started-or-forensic-analysis-on.html"&gt;forensic analysis training&lt;/a&gt; that is quite extensive and very useful.  More importantly, the list is categorized and the resources cost nothing but the time and effort required to learn something new.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-2424479933854887832?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/2424479933854887832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=2424479933854887832' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2424479933854887832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2424479933854887832'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/forensic-analysis-resources.html' title='Forensic analysis resources'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-1019938305770325503</id><published>2008-02-22T10:16:00.002-05:00</published><updated>2008-02-22T10:40:52.686-05:00</updated><title type='text'>Update on alleged Quebec network attack</title><content type='html'>After I &lt;a 
href="http://inukdigitalsecurity.blogspot.com/2008/02/thoughts-on-alleged-quebec-network.html"&gt;posted&lt;/a&gt; on this alleged incident yesterday, I discovered that there was an entry on &lt;a href="http://it.slashdot.org/article.pl?sid=08/02/21/1418230"&gt;Slashdot&lt;/a&gt; that referenced a different &lt;a href="http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html"&gt;CBC&lt;/a&gt; article from the one I referenced.&lt;br /&gt;&lt;br /&gt;Interestingly, Slashdot refers to the incident as the &lt;span style="font-weight: bold; font-style: italic;"&gt;Largest Hacking Scam in Canadian History&lt;/span&gt;.  Nice to see that Slashdot refrains from the sensational reporting style that is common in the media. &lt;br /&gt;&lt;br /&gt;The updated CBC article is also light on details; considering that this is supposedly the largest hacking scam in Canadian history, I would expect more than a couple of articles, and more interest than they seem to be garnering.&lt;br /&gt;&lt;br /&gt;The CBC article does state that the alleged attackers from Quebec compromised systems in other countries, notably Brazil and Poland, to set up websites for use in phishing/data theft operations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-1019938305770325503?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/1019938305770325503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=1019938305770325503' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1019938305770325503'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1019938305770325503'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/update-on-alleged-quebec-network-attack.html' title='Update on alleged Quebec network attack'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-181532577043550784</id><published>2008-02-21T10:54:00.005-05:00</published><updated>2008-02-21T11:58:58.778-05:00</updated><title type='text'>Thoughts on alleged Quebec network attack</title><content type='html'>First off, to address one of my colleagues: no, the so-called allure of this blog has not worn off; I have just been very busy in the evenings for the past few weeks and have not been able to dedicate the time to post anything meaningful.  I do not believe in posting anything that is not at least useful, interesting or thought-provoking, so I would rather not post anything than post for the sake of it.&lt;br /&gt;&lt;br /&gt;I first heard of this story yesterday evening while watching The National; I had a difficult time finding the article on CBC this morning as it was buried under the technology section, but &lt;a href="http://www.cbc.ca/cp/technology/080220/z02209A.html"&gt;here&lt;/a&gt; it is.&lt;br /&gt;&lt;br /&gt;There is not a lot of information in the article, but it basically states that 16 individuals were arrested in Quebec for allegedly attacking and compromising millions of computers in hundreds of countries for the purpose of data theft.  
The article, and I am sure most other media pieces, will use the term &lt;span style="font-weight: bold; font-style: italic;"&gt;hack&lt;/span&gt; to describe the incident.  I will instead use the terms &lt;span style="font-weight: bold; font-style: italic;"&gt;attack and compromise&lt;/span&gt; for the sake of technical accuracy.  I will not digress into a discussion on the negative connotations associated with &lt;span style="font-weight: bold; font-style: italic;"&gt;hack/hacking/hacker&lt;/span&gt;, but suffice it to say I prefer the terms &lt;span style="font-weight: bold; font-style: italic;"&gt;attack/attacking/attacker&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;The reason that I am commenting on this article is that it is becoming evident that more and more of these types of incidents are occurring within Canada.  Evidence can be found in &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/02/thoughts-on-nl-government-data-breach.html"&gt;this&lt;/a&gt; post and the CBC articles linked within it.  This trend shows that Canada is not exempt from these types of incidents and suggests that governments and corporations are:&lt;br /&gt;&lt;br /&gt;A. Possibly increasing vigilance and network visibility&lt;br /&gt;B. Possibly detecting more attacks than in the past&lt;br /&gt;C. 
Possibly reporting more attacks than in the past&lt;br /&gt;&lt;br /&gt;I would suggest that it is likely a combination of the three scenarios that is occurring.&lt;br /&gt;&lt;br /&gt;The article is extremely light on details and hopefully there will be more brought to light over the next couple of days; I will provide more comments and opinions then.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-181532577043550784?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/181532577043550784/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=181532577043550784' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/181532577043550784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/181532577043550784'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/thoughts-on-alleged-quebec-network.html' title='Thoughts on alleged Quebec network attack'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-2151725773306043538</id><published>2008-02-11T22:03:00.000-05:00</published><updated>2008-02-11T23:21:25.048-05:00</updated><title type='text'>Thoughts on N.L. 
government data breach</title><content type='html'>Thanks to this &lt;a href="http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&amp;amp;issue=10&amp;amp;portal=e7c32ab7fa89514d11ce80315118f1be#sID311"&gt;SANS NewsBites&lt;/a&gt; newsletter, I became aware of a data breach involving Government of Newfoundland assets and peer-to-peer (P2P) software. The corresponding CBC articles are &lt;a href="http://www.cbc.ca/canada/newfoundland-labrador/story/2008/02/01/limewire-breach.html"&gt;here&lt;/a&gt;, &lt;a href="http://www.cbc.ca/canada/newfoundland-labrador/story/2008/01/28/security-breach.html"&gt;here&lt;/a&gt; and &lt;a href="http://www.cbc.ca/canada/newfoundland-labrador/story/2008/01/26/security-breach.html"&gt;here&lt;/a&gt;. These CBC articles are dated February 1, January 28 and January 26, 2008 respectively.&lt;br /&gt;&lt;br /&gt;Interestingly, there is an older CBC article from November 24, 2007 &lt;a href="http://www.cbc.ca/canada/newfoundland-labrador/story/2007/11/24/security-breach.html"&gt;here&lt;/a&gt; that may provide the initial indications that there may be other serious incidents occurring in the Government of Newfoundland. By reading all of the articles, it appears that the incident from the November 24, 2007 article was the impetus for hiring the information security organization that discovered the second incident.&lt;br /&gt;&lt;br /&gt;In the interest of keeping this brief, I will not dissect each article; it appears that in both incidents government contractors removed government assets and government data from the Government of Newfoundland, thereby violating the confidentiality of Newfoundland citizens.&lt;br /&gt;&lt;br /&gt;In fact, the November 24 article states that the system removed was a personal computer (PC) and does not say that it was a notebook, therefore making the incident all the more bizarre. 
I cannot imagine how the contractor was able to walk out of the workplace with a PC in hand and not be questioned by anyone, unless of course physical security is something that is not taken seriously at the Government of Newfoundland, which is probably the case.&lt;br /&gt;&lt;br /&gt;The subsequent articles state that the contractor in question installed a P2P application on a government PC and therefore exposed government data on the public Internet. I will dissect the following paragraphs from the February 1, 2008 CBC article:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Kennedy said the information was exposed for more than three weeks, but said that does not necessarily mean any of the details are now in the hands of potential identity thieves.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;This is a classic attempt at denial by saying absolutely nothing at all. Yes, it is true that it is possible that no data was breached, but unless you can prove that no data was breached, you have to assume that it was, especially since the data was available for more than 3 weeks. If the Government of Newfoundland had been practicing &lt;a href="http://www.vorant.com/nsmwiki/Main_Page"&gt;Network Security Monitoring (NSM)&lt;/a&gt;, the analysis of session and full-content data with &lt;a href="http://www.sguil.net/"&gt;Sguil&lt;/a&gt; could show whether any of the data was actually retrieved, provided the retained data covered the exposure window.&lt;br /&gt;&lt;br /&gt;The article states that the data was available for 3 weeks, but since the government does not practice NSM, we have to assume that it is possible that the data was available much longer and that the government was only aware of it for 3 weeks.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"The file sharing program allows for access of various information that's on an individual's computer. 
It doesn't mean it will be accessed," Kennedy told reporters.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Again, this is doublespeak for: we do not know whether any data has been accessed, but unless someone can prove to us that it happened, we will deny it. Absence of evidence is being treated as evidence of absence.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"If the security company in New York had not identified this breach, it may never have come to light", he said.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If the government were practicing NSM with trained analysts, they could have discovered this incident themselves and properly mitigated the damage done to Newfoundland citizens' personal information and to the reputation of the government.&lt;br /&gt;&lt;br /&gt;It can be reasonably assumed that if incidents like this are occurring at the Government of Newfoundland, they are also occurring at most of the other provincial and territorial governments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-2151725773306043538?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/2151725773306043538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=2151725773306043538' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2151725773306043538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2151725773306043538'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/thoughts-on-nl-government-data-breach.html' title='Thoughts on N.L. 
government data breach'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-7695765711237797266</id><published>2008-02-02T18:15:00.000-05:00</published><updated>2008-02-03T01:10:25.967-05:00</updated><title type='text'>Practical BackTrack Usage Part I</title><content type='html'>I have been working on a challenge this week that has taken more of my time than I care to admit.  A colleague's hard drive crashed leaving the system unbootable.  My colleague was very concerned about the years of family photographs that were on the hard drive and asked if I could help retrieve them.&lt;br /&gt;&lt;br /&gt;I figured that this would be a good exercise and decided that I would use BackTrack 3.0 beta to find all of the pictures and then move them to a different machine where they could be burned to DVD for my colleague.  After a bit of research, I decided that I would boot the machine into the live Linux environment, mount the hard drive, find all applicable files and use netcat and tar to move the files to the other machine.&lt;br /&gt;&lt;br /&gt;This process requires two systems: the first is the malfunctioning system booted from BackTrack 3.0 beta and the second is my Linux desktop.  The primary commands that will be used are the &lt;span style="font-style: italic;"&gt;find, tar &lt;/span&gt;and &lt;span style="font-style: italic;"&gt;netcat &lt;/span&gt;commands.  I will refer to these systems as the sending system (contains the files to be moved) and the receiving system (where the files will be moved).  
The naming convention for the sending system will be &lt;span style="font-weight: bold;"&gt;bt# &lt;/span&gt;and the naming convention for the receiving system will be &lt;span style="font-weight: bold;"&gt;inuk-x@shell$&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;After booting to the live CD, I ensure that the hard drive has been mounted and confirm the presence of netcat.  BackTrack 3.0 mounts local hard disks automatically, in read/write mode, so it is not necessary to mount the drive manually.  On a disk that is already failing it is safer to remount it read-only first (&lt;span style="font-style: italic;"&gt;mount -o remount,ro /mnt/hda1&lt;/span&gt;) so that nothing is written to it while the files are read off.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;bt ~ # mount&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;aufs on / type aufs (rw)&lt;br /&gt;proc on /proc type proc (rw)&lt;br /&gt;sysfs on /sys type sysfs (rw)&lt;br /&gt;usbfs on /proc/bus/usb type usbfs (rw)&lt;br /&gt;/dev/hda1 on /mnt/hda1 type ntfs (rw,noatime,quiet,umask=0,check=s,shortmask=mix)&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;bt ~ # which netcat&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;/usr/local/bin/netcat&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;First it is necessary to set up a netcat listener on an arbitrary port on the receiving system and pipe the listener into the tar command with the &lt;span style="font-style: italic;"&gt;-x&lt;/span&gt; (extract) function.  This command instructs the receiving system to listen on local TCP port 2222 and hand whatever arrives to tar for extraction.  Note that the listener accepts a connection from anyone who can reach port 2222 and feeds it straight to tar, and that the files cross the wire unencrypted, so this belongs on a trusted, isolated segment (a crossover cable or a private switch), not on a shared network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ netcat -l -p 2222 | tar -x&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The next part is a two step process.  This is what presented me the most challenge, because filenames containing spaces cannot be handed to tar as command-line arguments built from the output of find (command substitution and xargs split them at the spaces).  I struggled with this section until I found &lt;a href="http://answers.google.com/answers/threadview?id=433050"&gt;this posting&lt;/a&gt; that more or less dealt with the same challenge that I was facing.  The first step is to search for the applicable files and write the list to a file, one name per line.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;bt ~ # find /mnt/hda1 -iwholename "*.jpg" | grep -v "Temporary Internet" &gt; /tmp/filelist.txt&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;This command searches the &lt;span style="font-style: italic;"&gt;/mnt/hda1&lt;/span&gt; directory for all files ending in &lt;span style="font-style: italic;"&gt;.jpg&lt;/span&gt; and redirects the output to &lt;span style="font-style: italic;"&gt;/tmp/filelist.txt&lt;/span&gt;.  The &lt;span style="font-style: italic;"&gt;-iwholename&lt;/span&gt; test matches the whole path case-insensitively, so &lt;span style="font-style: italic;"&gt;.JPG&lt;/span&gt; files are found too, and &lt;span style="font-style: italic;"&gt;grep -v&lt;/span&gt; will omit any files located in Temporary Internet Files directories (browser cache, not photographs).  The next step is to run the tar command retrieving the files in &lt;span style="font-style: italic;"&gt;/tmp/filelist.txt&lt;/span&gt; and piping the output into the netcat command.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;bt ~ # tar -cf - -T /tmp/filelist.txt | netcat 192.168.1.1 2222&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This will create a tar archive of the files listed in &lt;span style="font-style: italic;"&gt;filelist.txt&lt;/span&gt; and use netcat to send it to the receiving machine on TCP port 2222.  The &lt;span style="font-style: italic;"&gt;-T&lt;/span&gt; option instructs tar to read the file names from &lt;span style="font-style: italic;"&gt;filelist.txt&lt;/span&gt;, one per line, which is why the spaces are no longer a problem, and since I am piping the tar command into netcat, the solo dash after the &lt;span style="font-style: italic;"&gt;-cf&lt;/span&gt; function is used instead of a filename so that the archive goes to standard output.&lt;br /&gt;&lt;br /&gt;Netcat will not terminate on its own and does not indicate progress, therefore I run tcpdump on the receiving machine to monitor for indications of the last file.  &lt;span&gt;Any tool that monitors traffic flow such as trafshow, bmon, etc, will work just as well, but I am a packet head, therefore I usually use tcpdump for everything.  Alternatively, you can use the &lt;span style="font-style: italic;"&gt;-q&lt;/span&gt; option if using &lt;span style="font-style: italic;"&gt;/usr/bin/nc&lt;/span&gt;.  The &lt;span style="font-style: italic;"&gt;-q&lt;/span&gt; option instructs netcat to wait &lt;span style="font-style: italic;"&gt;n&lt;/span&gt; seconds after EOF on standard input and then quit.  The GNU netcat installed on BackTrack does not support the &lt;span style="font-style: italic;"&gt;-q&lt;/span&gt; option.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo tcpdump -nni eth0 'port 2222'&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Once I see that the traffic has stopped flowing, I use &lt;span style="font-style: italic;"&gt;ctrl-c&lt;/span&gt; on the sending system to gracefully punt the netcat session on both systems; the receiving tar then sees end of file and finishes.  Now any pictures that were present on the malfunctioned system are on the receiving system in their original directories, laid out under the receiving shell's working directory as &lt;span style="font-style: italic;"&gt;mnt/hda1/...&lt;/span&gt; since GNU tar strips the leading slash, and can be burned to DVD for my colleague.  Before burning, it is worth comparing the number of files, or better a checksum list, on both sides, because netcat gives no confirmation that everything arrived intact.  
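The two halves of the transfer described above, rewritten as an added example that is not code from the original post: the file list is passed to tar NUL-delimited (so spaces in names need no workaround at all), the netcat halves are replaced by a plain pipe so the demo runs offline (the comments show where the netcat commands from the post go in the field), and a sha256 manifest is compared on both ends, which is the integrity check the netcat method lacks. It assumes GNU find, tar and coreutils (sha256sum) as found on BackTrack 3 and most Linux systems; the sample directory tree is constructed inline and stands in for /mnt/hda1.

```shell
#!/bin/sh
# Added example, not code from the original post: the find | tar | netcat rescue
# with the file list passed NUL-delimited and a checksum comparison on both
# ends. Assumptions: GNU find, tar and coreutils (sha256sum), as on BackTrack 3
# and most Linux systems. netcat is replaced by a plain pipe so the demo runs
# offline; the comments show where the netcat halves go in the field.

# NUL-delimited list of JPEGs below root $1, paths relative to that root,
# skipping anything under a "Temporary Internet Files" directory.
# -print0 with tar --null sidesteps the spaces-in-filenames problem entirely.
build_list() {
    ( cd "$1" || exit 1
      find . -type f -iname '*.jpg' ! -path '*Temporary Internet*' -print0 )
}

# Sender half. In the field: send_archive /mnt/hda1 | netcat 192.168.1.1 2222
send_archive() {
    build_list "$1" | ( cd "$1" || exit 1; tar -cf - --null -T - )
}

# Receiver half. In the field: netcat -l -p 2222 | receive_archive /rescue
receive_archive() {
    mkdir -p "$1" || return 1
    tar -xf - -C "$1"
}

# Sorted sha256 manifest of the JPEGs below $1 with relative paths, so the
# sender's and receiver's manifests are directly comparable. A netcat pipe
# gives no integrity guarantee of its own; this comparison is the check.
manifest() {
    build_list "$1" | ( cd "$1" || exit 1; xargs -0 sha256sum ) | sort
}

count_jpegs() {
    manifest "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /mnt/hda1: a mixed-case extension,
# spaces in names, a browser cache directory that must be skipped, a non-JPEG.
make_sample() {
    mkdir -p "$1/Family Photos" "$1/vacation" "$1/Temporary Internet Files"
    printf 'JFIF beach' > "$1/Family Photos/beach day.JPG"
    printf 'JFIF img' > "$1/vacation/IMG 001.jpg"
    printf 'JFIF ad' > "$1/Temporary Internet Files/ad banner.jpg"
    printf 'not a photo' > "$1/notes.txt"
}

# Transfer $1 to $2 and return 0 only if every file arrived byte-for-byte.
rescue_and_verify() {
    send_archive "$1" | receive_archive "$2" || return 1
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# Stand-alone demo on the constructed tree.
work=$(mktemp -d)
make_sample "$work/src"
if rescue_and_verify "$work/src" "$work/dst"; then
    echo "rescued $(count_jpegs "$work/dst") photos, manifests match"
else
    echo "manifest mismatch, do not burn the DVD yet"
fi
rm -rf "$work"
```

In the field the manifest is produced once on the BackTrack side (manifest /mnt/hda1) and once on the desktop (manifest of the directory tar extracted into), and the two listings are diffed; any line that differs names a photograph that did not arrive intact, which is exactly what watching tcpdump for the traffic to stop cannot tell you.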
&lt;span style="font-style: italic;"&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-7695765711237797266?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/7695765711237797266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=7695765711237797266' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7695765711237797266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7695765711237797266'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/02/practical-backtrack-usage-part-i.html' title='Practical BackTrack Usage Part I'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-5980804490655322156</id><published>2008-01-25T12:21:00.000-05:00</published><updated>2008-01-25T13:21:33.209-05:00</updated><title type='text'>Oracle non-patching</title><content type='html'>I know that I am late to this &lt;a href="http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&amp;amp;issue=5&amp;amp;portal=e2983b0552b8911cb234359c2a332963#sID203"&gt;topic&lt;/a&gt;, I 
prefer to measure my responses and I wanted to wait until I spoke with some Oracle DBAs that I know before sharing my thoughts on the topic of Oracle DBAs electing not to apply Critical Patch Updates (CPUs) in their environments.&lt;br /&gt;&lt;br /&gt;I just re-read &lt;a href="http://taosecurity.blogspot.com/2008/01/thoughts-on-oracle-non-patching.html"&gt;Richard Bejtlich's&lt;/a&gt; post on this topic and would like to add my perspective.  As usual, Richard is very succinct in his discussion of this topic, especially regarding the general avoidance of certain aspects of security operations and the fact that visibility is everything.&lt;br /&gt;&lt;br /&gt;There is a series of commercials for a meteorologist in Ontario that use the tagline "If you can't see it, you can't track it" to promote their ability to predict the weather.  I find the commercials to be extremely corny and I may be off about the exact wording of the tagline, however the general premise translates to network security as well.  If you do not have visibility into your networks, you cannot track your systems (or data).  If you cannot track your systems (situational awareness), you cannot defend them.&lt;br /&gt;&lt;br /&gt;Back to the topic of Oracle non-patching, when discussing this with the DBAs that I know, I was slightly surprised by the reasoning that they gave me.  Besides the usual concerns about downtime, testing, etc, a common answer was that because the Oracle databases were not on the Internet and were behind firewalls, the systems were not at significant risk.  This answer surprised me and worries me because the trend towards client-side attacks is increasing and the &lt;a href="http://taosecurity.blogspot.com/2007/08/black-hat-final-thoughts.html"&gt;browser&lt;/a&gt; really is the new operating system when it comes to exploit vectors.  A workstation compromised through its browser sits inside that firewall and can reach the database directly, with the network access and credentials of whoever uses it, so the firewall does nothing for an unpatched database once the attacker is on the inside.  I plan to post on an example of a malicious Shockwave Flash file from an ad-server discovered on one of my networks using NSM tactics.  
In the meantime, here is an &lt;a href="http://taosecurity.blogspot.com/2007/08/scanning-with-flash.html"&gt;example&lt;/a&gt; from Richard's blog.&lt;br /&gt;&lt;br /&gt;This answer came from DBAs at different companies, so this attitude is not exclusive to one organization.  I suspect that this opinion is more prevalent than is immediately realized.   Back to Richard's post again: if the systems will not be patched, the only defense left is detection and response, and action will then be taken only during the containment, eradication and recovery phases of incident handling.   We can only hope that enough visibility exists in the architecture to identify the incident in the first place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-5980804490655322156?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/5980804490655322156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=5980804490655322156' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5980804490655322156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5980804490655322156'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/oracle-non-patching.html' title='Oracle non-patching'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-1541315425167571296</id><published>2008-01-23T20:09:00.000-05:00</published><updated>2008-01-23T22:50:14.718-05:00</updated><title type='text'>BackTrack 3.0 beta on USB stick</title><content type='html'>I have been using the &lt;a href="http://www.remote-exploit.org/backtrack.html"&gt;BackTrack&lt;/a&gt; live Linux security CD for a couple of years for various incident response and vulnerability/penetration testing projects.    Over the years I have tried many different live *NIX security CDs, from &lt;a href="http://trinux.sourceforge.net/legacy/"&gt;Trinux&lt;/a&gt; to &lt;a href="http://www.e-fense.com/helix/"&gt;Helix&lt;/a&gt; to &lt;a href="http://www.rawpacket.org/projects/hex"&gt;Hex&lt;/a&gt;, and BackTrack is without a doubt my favorite live CD.    BackTrack is based on &lt;a href="http://www.slax.org/"&gt;Slax&lt;/a&gt;, so I am very comfortable using the live CD because of my experience with &lt;a href="http://www.slackware.com/"&gt;Slackware&lt;/a&gt;.   This is a good reason for everyone to try as many distros as possible, in order to become comfortable with as many disparate environments as possible.&lt;br /&gt;&lt;br /&gt;I usually carry around a couple of live CDs for daily use, but CDs cannot be updated and are only useful until a newer version is released.    I recently got myself a 2 GB USB stick and decided that I would try to install BackTrack on the USB stick.    
Thanks to this &lt;a href="http://backtrack.offensive-security.com/index.php?title=Howto:USB_Stick"&gt;how-to&lt;/a&gt; on the BackTrack Wiki, I was able to get BackTrack 2 on my USB stick.&lt;br /&gt;&lt;br /&gt;BackTrack 3.0 beta was released in mid-December and I am happy to say that the procedures for installing BackTrack 2 on a USB stick work for BackTrack 3.0 beta as well.   Here are the steps that I followed:&lt;br /&gt;&lt;br /&gt;First I inserted the BackTrack 3.0 beta CD and plugged the 2 GB USB stick into my notebook.   Next, I mounted and verified both devices.  It is worth confirming (for example from the kernel messages printed when the stick is plugged in) that &lt;span style="font-style: italic;"&gt;/dev/sdb1&lt;/span&gt; really is the stick and not another disk, because a later step writes a boot record to whatever device holds this filesystem.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo mount -t iso9660 -o ro /dev/cdrom /mnt/cdrom&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo mount -t vfat -o rw /dev/sdb1 /mnt/usb&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ mount&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;/dev/scd0 on /mnt/cdrom type iso9660 (ro)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;/dev/sdb1 on /mnt/usb type vfat (rw)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So far, so good.   
Now we must copy the BT3 and boot directories from the BackTrack CD to the root of the USB stick; because the CD is just under 700 MB, this process takes several minutes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo cp -rp /mnt/cdrom/* /mnt/usb&lt;br /&gt;inuk-x@shell$ du -h /mnt/usb/boot /mnt/usb/BT3&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;160K    /mnt/usb/boot/dos&lt;br /&gt;128K    /mnt/usb/boot/isolinux&lt;br /&gt;288K    /mnt/usb/boot/syslinux&lt;br /&gt;6.7M    /mnt/usb/boot/&lt;br /&gt;691M    /mnt/usb/BT3/base&lt;br /&gt;4.2M    /mnt/usb/BT3/modules&lt;br /&gt;32K     /mnt/usb/BT3/optional&lt;br /&gt;32K     /mnt/usb/BT3/rootcopy&lt;br /&gt;768K    /mnt/usb/BT3/tools/win&lt;br /&gt;1.3M    /mnt/usb/BT3/tools&lt;br /&gt;696M    /mnt/usb/BT3&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Now that we have confirmed the existence of the files on the USB stick, it is time to make the USB stick bootable.   This step needs care, because the script writes a master boot record (MBR) to the disk holding the directory it is run from; invoke it from the wrong directory (a copy of the files on your hard disk, for instance) and it will overwrite your own MBR.   The following steps make the USB stick bootable by writing an MBR to the stick, so be sure to invoke the shell script from the mounted USB directory only, and check with &lt;span style="font-style: italic;"&gt;mount&lt;/span&gt; or &lt;span style="font-style: italic;"&gt;df&lt;/span&gt; that &lt;span style="font-style: italic;"&gt;/mnt/usb&lt;/span&gt; is on the stick's device, not on the disk holding your root filesystem.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ cd /mnt/usb/boot&lt;br /&gt;inuk-x@shell$ sudo ./bootinst.sh&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Follow the instructions on the shell prompt and the shell script will make the USB stick bootable with BackTrack 3.0 beta.  Having the BackTrack live CD on a USB stick is very helpful because it is no longer necessary to carry around CDs and it is possible to demo beta versions without having to create coasters.  Obviously this procedure assumes that the system that you are attempting to boot supports booting from a USB device; for older systems that do not support this feature, the CD is still necessary.&lt;br /&gt;&lt;br /&gt;I will create a post in the future with miscellaneous BackTrack usage.&lt;br /&gt;&lt;br /&gt;
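A guard for that last step, added here as an example and not part of the original post or of the BackTrack wiki how-to: before handing over to bootinst.sh it checks that the boot directory really sits on a different disk from the one holding /, and that the kernel flags that disk as removable, and refuses otherwise. It assumes Linux with df, awk and sed, the removable flag in /sys/block, and the classic hda/sdb device naming used in this post (partition number as trailing digits); the /mnt/usb/boot path is the one used above.

```shell
#!/bin/sh
# Added example, not part of the original post or the BackTrack wiki how-to: a
# guard around bootinst.sh so it is never run against the disk you booted from.
# Assumptions: Linux with df, awk and sed; sysfs at /sys/block for the kernel's
# removable flag; classic device names (/dev/hda1, /dev/sdb1) as in the post,
# so the partition number is a trailing digit string.

# Device node backing a mounted path, e.g. /dev/sdb1 for /mnt/usb
backing_device() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Disk name without partition number: /dev/sdb1 -> sdb, /dev/hda -> hda
disk_of() {
    basename "$1" | sed 's/[0-9]*$//'
}

# Returns 0 if the two device nodes are on different physical disks.
different_disks() {
    [ "$(disk_of "$1")" != "$(disk_of "$2")" ]
}

# Returns 0 if the kernel flags the disk as removable (a USB stick), 1 if it
# does not or the flag cannot be read.
is_removable() {
    flag="/sys/block/$(disk_of "$1")/removable"
    if [ -r "$flag" ]; then
        [ "$(cat "$flag")" = "1" ]
    else
        return 1
    fi
}

# Refuse unless $1 holds bootinst.sh, sits on a disk other than the one
# holding /, and that disk is removable. Only then run the script from
# inside that directory, as the how-to requires.
safe_bootinst() {
    bootdir=$1
    if [ ! -x "$bootdir/bootinst.sh" ]; then
        echo "refusing: no executable bootinst.sh in $bootdir"; return 1
    fi
    target=$(backing_device "$bootdir")
    rootdev=$(backing_device /)
    if ! different_disks "$target" "$rootdev"; then
        echo "refusing: $bootdir is on the same disk as / ($rootdev)"; return 1
    fi
    if ! is_removable "$target"; then
        echo "refusing: $(disk_of "$target") is not flagged removable"; return 1
    fi
    echo "writing the MBR of $(disk_of "$target") via $bootdir/bootinst.sh"
    ( cd "$bootdir" || exit 1; ./bootinst.sh )
}

# Usage: sudo sh this_script.sh /mnt/usb/boot
if [ -n "${1:-}" ]; then
    safe_bootinst "$1"
fi
```

Run as sudo sh guard.sh /mnt/usb/boot; it prints the reason when it refuses, or names the disk it is about to write before calling bootinst.sh. The removable check is a second line of defence in case the stick happens to be enumerated as the same disk name you expected for something else.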
As an aside, the &lt;a href="http://www.offensive-security.com/training.php"&gt;Offensive Security 101&lt;/a&gt; course offered by Offensive-Security looks intriguing and I am considering taking this course later this year, probably in Q3.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-1541315425167571296?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/1541315425167571296/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=1541315425167571296' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1541315425167571296'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1541315425167571296'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/backtrack-30-beta-on-usb-stick.html' title='BackTrack 3.0 beta on USB stick'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-459906632937849402</id><published>2008-01-22T00:02:00.000-05:00</published><updated>2008-01-22T00:07:16.915-05:00</updated><title type='text'>Ideas for future posts...</title><content type='html'>This post is just a reminder to myself to create posts for the following subjects:&lt;br /&gt;&lt;br /&gt;  1. TrueCrypt usage&lt;br /&gt;  2. 
BackTrack 3 Beta usage&lt;br /&gt;  3. Tactical Traffic Assessment methodologies&lt;br /&gt;&lt;br /&gt;This list is not exhaustive, but these are recent subjects that I intend to post on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-459906632937849402?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/459906632937849402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=459906632937849402' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/459906632937849402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/459906632937849402'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/ideas-for-future-posts.html' title='Ideas for future posts...'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-4868425308377688843</id><published>2008-01-21T23:19:00.001-05:00</published><updated>2008-01-22T00:00:42.114-05:00</updated><title type='text'>GPG/PGP/FireGPG and Gmail</title><content type='html'>I have been using my Gmail account for my personal e-mail for the past few years and I do not even bother with my ISP mail anymore, except to receive my ISP's propaganda.   
One of the limitations of web-based mail that has challenged me for the past year and a half has been the lack of &lt;a href="http://www.gnupg.org/"&gt;GPG/PGP&lt;/a&gt; support.&lt;br /&gt;&lt;br /&gt;A couple of weeks ago I decided to re-google for GPG and Gmail and was surprised to discover &lt;a href="http://firegpg.tuxfamily.org/"&gt;FireGPG&lt;/a&gt;, a Mozilla Firefox add-on.  I was immediately intrigued by this add-on, but because of the sensitive nature of signing and encrypting e-mail, I was reluctant to just use any application, especially one that I had just heard about; this did not deter my curiosity, though.&lt;br /&gt;&lt;br /&gt;I was pleased to discover that FireGPG was referenced in the &lt;a href="http://en.wikipedia.org/wiki/GNU_Privacy_Guard"&gt;GNU Privacy Guard&lt;/a&gt; Wikipedia page, but this was still not enough to convince me to use this add-on.  Last week while reading the &lt;a href="http://www.irongeek.com"&gt;Irongeek.com&lt;/a&gt; blog, I discovered a &lt;a href="http://irongeek.com/i.php?page=videos/using-GPG-PGP-FireGPG-to-encrypt-and-sign-email-from-gmail"&gt;tutorial &lt;/a&gt;on using GPG/FireGPG and Gmail.  It is now obvious to me that FireGPG has been gaining steam and is becoming more widely used because a &lt;a href="http://www.google.ca/search?hl=en&amp;amp;q=firegpg&amp;amp;btnG=Google+Search&amp;amp;meta=&amp;amp;aq=f"&gt;Google&lt;/a&gt; search for FireGPG returns many pages about FireGPG.&lt;br /&gt;&lt;br /&gt;I have found the tutorials on Irongeek to be very informative and helpful in the past, so I decided to watch this tutorial and give FireGPG a try this evening.  
The tutorial is excellent and very easy to follow; I thought that Adrian's comment, made while discussing the GNU Privacy Assistant, that people will not use encryption unless it is easy to use, was very much on point.&lt;br /&gt;&lt;br /&gt;I am very pleased with the FireGPG add-on and will continue to use it to sign and encrypt my Gmail messages.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-4868425308377688843?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/4868425308377688843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=4868425308377688843' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4868425308377688843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4868425308377688843'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/gpgpgpfiregpg-and-gmail.html' title='GPG/PGP/FireGPG and Gmail'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-3015712856862957234</id><published>2008-01-18T22:18:00.000-05:00</published><updated>2008-01-18T22:29:49.641-05:00</updated><title type='text'>Studying for CISSP</title><content type='html'>I have officially started studying for the CISSP certification exam, opting to 
take SANS' Management 414 course via the on-demand format.  I have met success with other SANS courses (tracks 2, 3 and 4) and decided that since I am comfortable self-studying with SANS materials that this would be a good choice.&lt;br /&gt;&lt;br /&gt;I received access to the online material last week and have been listening to the audio files during my commutes to and from work and finally received the printed material today.  I have decided that I will write the exam on March 29 in Toronto.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-3015712856862957234?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/3015712856862957234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=3015712856862957234' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3015712856862957234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3015712856862957234'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/studying-for-cissp.html' title='Studying for CISSP'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-62775324916094652</id><published>2008-01-18T11:16:00.000-05:00</published><updated>2008-01-18T11:24:04.860-05:00</updated><title type='text'>Snort out-of-line</title><content type='html'>Thinking back to &lt;a href="http://inukdigitalsecurity.blogspot.com/2008/01/snort-podcast.html"&gt;yesterday's&lt;/a&gt; post on Snort-inline mode versus Snort-offline mode, the best term that I could come up with as the opposite of Snort-inline was Snort-out-of-line.&lt;br /&gt;&lt;br /&gt;The reason that this makes sense to me is because "out" is the opposite of "in", therefore it is appropriate that if something is not "inline", it is "out-of-line".  Like I said yesterday, I will keep an open mind about the terminology, but "offline" just does not feel right to me to describe this mode.&lt;br /&gt;&lt;br /&gt;What does anyone else think?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-62775324916094652?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/62775324916094652/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=62775324916094652' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/62775324916094652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/62775324916094652'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/snort-out-of-line.html' title='Snort 
out-of-line'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-5785858402698731977</id><published>2008-01-17T20:39:00.000-05:00</published><updated>2008-01-17T22:01:55.558-05:00</updated><title type='text'>Snort podcast</title><content type='html'>I just finished listening to a podcast about Snort with Richard Bejtlich of &lt;a href="http://taosecurity.blogspot.com/2008/01/snort-frequently-asked-questions.html"&gt;TaoSecurity&lt;/a&gt; and I have to say that it was quite informative.   Although the podcast was quite Snort-centric, it was nice to hear Richard champion other Network Security Monitoring tools such as Bro-IDS and Sguil.&lt;br /&gt;&lt;br /&gt;Richard presents an excellent overview of intrusion detection in general and Snort specifically, however I found it curious that Richard uses the term Snort-offline to refer to Snort's primary active intrusion detection mode.  Richard also refers to this term in his November 29, 2007 &lt;a href="http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1284175,00.html"&gt;Snort Report&lt;/a&gt;.     I would not have necessarily associated offline with the opposite of inline because when I hear offline, I think of using Snort to read a Libpcap capture file (tcpdump, et al) during a tactical traffic assessment.  
In fact, googling for "snort-offline" returns many pages about using Snort to read Libpcap trace files.&lt;br /&gt;&lt;br /&gt;Thinking about this, I believe that offline is more of an antithesis to online, which is not the same as inline, so I cannot immediately think of a more succinct term for the antithesis of inline, but I will keep an open mind and can probably be influenced to use this terminology if it becomes a part of the lingua franca.&lt;br /&gt;&lt;br /&gt;That aside, the podcast was very informative and is a must listen for anyone that is interested in the IDS and NSM space.  At the risk of embarrassing myself, this podcast is technically the first podcast that I have ever listened to.  For a guy that works with technology, I am really a little old school and behind the times when it comes to some things, but I'm trying to rectify all of that in 2008.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-5785858402698731977?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/5785858402698731977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=5785858402698731977' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5785858402698731977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5785858402698731977'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/snort-podcast.html' title='Snort podcast'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-7401217044618810156</id><published>2008-01-14T00:44:00.000-05:00</published><updated>2008-01-14T01:01:21.057-05:00</updated><title type='text'>iPod and Linux...</title><content type='html'>Upon completing the installation and configuration of our new Toshiba U300 notebook I decided that I would get my new iPod shuffle to work on my notebook with gobuntu 7.10.&lt;br /&gt;&lt;br /&gt;I spent about a half hour Googling for Ubuntu and iPod and came across this article on &lt;a href="http://www.linuxjournal.com/article/9266"&gt;LINUX Journal&lt;/a&gt; that basically states that you must configure your iPod on Windows (or Mac) before you can use it with Linux.  I thought to myself, "this is 2008, surely you must be able to configure an iPod on Linux without having to use Windows!".&lt;br /&gt;&lt;br /&gt;It turns out that this is true, but challenging.  The first thing I do is plug my iPod shuffle into a spare USB port on my notebook and confirm that the system recognizes it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ cat /var/log/messages | grep -i ipod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3 23:21:20 mycomputer kernel: [*************] scsi 2:0:0:0: Direct-Access     Apple    iPod             2.70 PQ: 0 ANSI: 2&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;OK, so the iPod has been recognized by my system.  Now I need an application to interface with my iPod.  
Upon further Googling, I learn of an application titled &lt;a href="http://en.wikipedia.org/wiki/Gtkpod"&gt;Gtkpod&lt;/a&gt;, which according to Wikipedia is the iTunes for *NIX.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo apt-cache search gtkpod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;gnupod-tools - command-line tools for the iPod family of portable music players&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;gpixpod - Organize photos on your iPod, freely!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;gtkpod - manage songs and playlists on an Apple iPod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;gtkpod-aac - manage songs and playlists on an Apple iPod&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo apt-get install gtkpod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ which gtkpod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ /usr/bin/gtkpod&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now I must mount the iPod:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo mkdir /mnt/shuffle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo mount -t vfat /dev/sdb /mnt/shuffle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ ls /mnt/shuffle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;iPod_Control&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now that the iPod has been mounted, I run gtkpod and select New iPod from the Playlists field and select File &gt; Add Files.  From the Add Files to "New iPod" dialog box I navigate to my MP3 files, choose  a random file and select Open.  What happens next is interesting.  The following error is displayed:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Transfer of 'RANDOM.mp3' failed. 
Error opening '/mnt/shuffle/iPod_Control/Music/F01/gtkpodRANDOM.mp3' for writing (Permission denied).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Should be easy enough to correct, just change the ownership on the /mnt/shuffle directory.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ ls -lh /mnt/shuffle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;drwxr-xr-x 5 root root 8.0K 2008-01-13 22:50 iPod_Control&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ chown -R user.user /mnt/shuffle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;chown: changing ownership of `/media/shuffle/iPod_Control/iTunes/firsttime': Operation not permitted&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;TRUNCATED&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Changing the permissions on the directory is unsuccessful as well.  I Google for the permissions error and come across a suggestion in an Ubuntu forum to run Gtkpod as the root user, so I will give that a try.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ sudo gtkpod&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This launches Gtkpod, but I am not able to load the iPod using the Load iPod(s) button.  Selecting this does nothing.  OK, I figure that I will su to root and launch Gtkpod from there.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;inuk-x@shell$ su -&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Password:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;root@shell# gtkpod&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;(gtkpod:8583): Gtk-WARNING **: cannot open display:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I have come across this before with other applications and the only way to run them as the root user was to log into the computer as root and not just launch the application from a root console.  
I am sure that there is someone out there that knows much more about Linux than I that can explain why this did not work much better than I can.&lt;br /&gt;&lt;br /&gt;I then must select the "Allow local system administrator login" box from the Security tab on the Login Window Preferences.  Then I am able to login as the root user on the system.  I log off of my regular account and log in as root.&lt;br /&gt;&lt;br /&gt;Once I am logged in as the root user, Gtkpod works very well and I am able to add music to my iPod shuffle without having to use Windows, which happens to be one of my missions in 2008.  While working on this challenge this evening I commented to my spouse that it is getting to the point that you cannot get through life without having to use Windows and I abhor this fact.&lt;br /&gt;&lt;br /&gt;I feel a rant coming on here, so I will end this post by stating that I am quite pleased that I was able to get my iPod shuffle working with Linux without having to resort to Windows.  
Now my next challenge is my Garmin Forerunner.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-7401217044618810156?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/7401217044618810156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=7401217044618810156' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7401217044618810156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/7401217044618810156'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/ipod-and-linux.html' title='iPod and Linux...'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-2717995604250915721</id><published>2008-01-13T19:47:00.000-05:00</published><updated>2008-01-13T20:08:09.474-05:00</updated><title type='text'>Toshiba Satellite U300</title><content type='html'>Just got back from Futureshop after exchanging the HP Pavilion tx1000 notebook with a Toshiba Satellite U300 notebook.  This particular notebook is very nice and compact as well, so far so good.  Unfortunately we appear to be stuck with Windows Vista Home Premium.  
When I look at the notebook I imagine installing Linux, but as it is not my notebook, there is nothing I can do about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-2717995604250915721?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/2717995604250915721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=2717995604250915721' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2717995604250915721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/2717995604250915721'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/toshiba-satellite-u300.html' title='Toshiba Satellite U300'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-5021462211406640073</id><published>2008-01-13T13:24:00.000-05:00</published><updated>2008-01-13T13:56:04.483-05:00</updated><title type='text'>HP Pavilion tx1000</title><content type='html'>I picked up an HP Pavilion tx1000 tablet notebook for my spouse from Futureshop last weekend and I am here to report that I will be returning it and trading down for a more practical notebook this afternoon.&lt;br /&gt;&lt;br /&gt;Unfortunately this promising and svelte hybrid notebook did not live 
up to the promise and is not particularly functional for business use.    This unit is equipped with Windows Vista Home Premium (a fact that I was willing to overlook as I would not be the main user), 2 GB of RAM and a 250 GB hard drive. &lt;br /&gt;&lt;br /&gt;The primary features that made this model attractive were the small size (12.1" screen) as this made for easy carrying, rotating monitor (useful for showing presentations with clients) and the tablet features such as the touchscreen (again useful for dealing with clients).  We were able to overlook the negatives such as the fuzzy screen and scrunched keyboard because we understood that this was a trade-off for the touchscreen and small size.&lt;br /&gt;&lt;br /&gt;After happily spending my Saturday evening and into early Sunday morning configuring this notebook and learning about the features such as the touchscreen and biometric scanner, I handed off the notebook to my spouse for her business use.  Unfortunately this notebook proved to be flaky in production as it continually had difficulty rendering web pages at inopportune times such as when dealing with clients.&lt;br /&gt;&lt;br /&gt;I spent this morning troubleshooting the wireless configuration and could not determine the root of the problems.  I was successful in pinging the loopback, NIC and gateway addresses and was even successful in pinging various Internet hosts by IP addresses, so this leads me to conclude that the networking and routing works fine.&lt;br /&gt;&lt;br /&gt;However, the web pages would perpetually hang and eventually time-out.  A Google search revealed that perhaps the problem was with Vista and IE 7's anti-phishing and protected mode features.  I disabled both features and still no luck.  Tried the Opera browser and met the same results. &lt;br /&gt;&lt;br /&gt;Ultimately, time is at a premium and we cannot settle on a product that works one day and not the next for no apparent reason.  
We only have 14 days to exchange at Futureshop, so we made the decision to downgrade this morning and I will be sure to work on getting the new notebook with Windows XP as we have not had any challenges with Windows XP.&lt;br /&gt;&lt;br /&gt;I am in the middle of restoring the factory image on the Pavilion notebook right now and once complete will head out to Futureshop.  Alas, it was a good idea and looked promising, but did not live up to the hype.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-5021462211406640073?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/5021462211406640073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=5021462211406640073' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5021462211406640073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/5021462211406640073'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/hp-pavilion-tx1000.html' title='HP Pavilion tx1000'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-3083603535498378897</id><published>2008-01-12T23:39:00.000-05:00</published><updated>2008-01-13T00:11:51.777-05:00</updated><title type='text'>Perl Scripting for 
Windows Security</title><content type='html'>I just received my copy of the &lt;a href="http://www.amazon.com/Perl-Scripting-Security-Harlan-Carvey/dp/159749173X/ref=pd_bbs_sr_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1200199240&amp;amp;sr=8-1%22"&gt; Perl Scripting for Windows Security&lt;/a&gt; book from Amazon yesterday.  I heard about this book from Harlan Carvey's &lt;a href="http://windowsir.blogspot.com/"&gt;Windows Incident Response&lt;/a&gt; blog and was immediately intrigued.  I have long been an advocate of using Perl for information security analysis, however I do not consider myself an expert Perl programmer by any means, just a guy that has written and borrowed many small Perl and shell scripts that help me perform my tasks.&lt;br /&gt;&lt;br /&gt;Becoming a better programmer, in both interpreted and general purpose programming languages, has long been a goal of mine, but life, time and my laziness have contributed to my yearly progression/regression cycles.   I have been working on a Windows logfile parser for the past couple of years and have many working copies that do many different things.  This logfile parser was inspired by the old calamaris.pl Squid Proxy parser.  Once I have completed Perl Scripting for Windows Security I will return to my Windows log parser project and probably start fresh and perform a full re-write.  I will post my finished script on this site.&lt;br /&gt;&lt;br /&gt;The title for the book on Amazon's site is a bit of a misnomer because Amazon lists the book as Perl Scripting for IT Security and the book that I received is titled Perl Scripting for Windows Security.  Additionally, the covers are different.  I will admit that I was thrown off by the title on the Amazon page and was expecting a different (less Windows, more generic) book.  
However, I am satisfied that this book will be helpful in both Windows incident handling and finally becoming a better Perl programmer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-3083603535498378897?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/3083603535498378897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=3083603535498378897' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3083603535498378897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/3083603535498378897'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/perl-scripting-for-windows-security.html' title='Perl Scripting for Windows Security'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-6182820355580993969</id><published>2008-01-12T23:04:00.000-05:00</published><updated>2008-01-12T23:37:15.353-05:00</updated><title type='text'>Thoughts on gobuntu installation</title><content type='html'>Here are some of my brief initial thoughts of gobuntu 7.10.  I installed gobuntu 7.10 on an older HP notebook the other night; the notebook contains an Intel Pentium M processor running at 1.86 GHz and 512 MB of RAM.  
Hardly blazing speeds, but ample power for Linux and definitely more power than other notebooks I have happily run Linux under.&lt;br /&gt;&lt;br /&gt;PROS:&lt;br /&gt;&lt;br /&gt;--&gt; Text based install.  This was a refreshing change from the graphical installation and cartoonish feel.  It was a nice throw-back feature that reminded me of an older Red Hat or Slackware installation.&lt;br /&gt;--&gt; Faster startup.  I still have to edit the /boot/grub/menus.lst file to disable the splash/quiet installation (this so-called feature is painfully slow), but overall the green and black logo is a nice touch and the startup is slightly faster than other Ubuntu distros.&lt;br /&gt;&lt;br /&gt;CONS:&lt;br /&gt;&lt;br /&gt;--&gt; Default window manager.  As I previously stated, I am not fond of Gnome, however it was easy enough to install Xfce4 when the installation was complete.&lt;br /&gt;--&gt; Limited package sources.  OK, I know that this is actually philosophically inline with gobuntu's mission to only provide "free" software, so this is not really a legitimate CON, but I'm still including it here so that I could have at least two PROS and CONS.  This was easy enough to correct after running diff on /etc/apt/sources.list and the sources.list file on a "non-free" Ubuntu distro.&lt;br /&gt;&lt;br /&gt;I am very happy that this gobuntu installation was able to find my wireless card and could run in full capacity because I have experienced challenges with Broadcom and Atheros cards having limited functionality due to Ubuntu's restricted drivers feature.&lt;br /&gt;&lt;br /&gt;I have three goals that if I am able to accomplish with this gobuntu installation will make me very happy:&lt;br /&gt;&lt;br /&gt;1. Get my iPod to work with Ubuntu.&lt;br /&gt;2. Get my Garmin Forerunner to work with Ubuntu.&lt;br /&gt;3. 
Get my corporate VPN to work with Ubuntu.&lt;br /&gt;&lt;br /&gt;Number 1 is probably the most likely to be met with success and should be accomplished by 13-JAN-08 with little to no challenges.  Number 2 should work in theory because Ubuntu recognizes my Garmin Forerunner when I connect, but I have had no success yet with getting this to work.  Number 3 should also work in theory as well, but I am having some challenges because of the lack of a working VPN client.  I am giving kvpnc the old scholastic attempt, but have not met with success as of yet.&lt;br /&gt;&lt;br /&gt;Overall I am happy with gobuntu 7.10 and will likely leave this distro on my notebook for the time being, especially if I am able to load all of my NSM and analysis tools on the notebook.&lt;br /&gt;&lt;br /&gt;I will periodically update on my experiences.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-6182820355580993969?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/6182820355580993969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=6182820355580993969' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6182820355580993969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/6182820355580993969'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/thoughts-on-gobuntu-installation.html' title='Thoughts on gobuntu installation'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-1036601663285688492</id><published>2008-01-10T23:01:00.000-05:00</published><updated>2008-01-10T23:41:35.602-05:00</updated><title type='text'>gobuntu installation</title><content type='html'>Tonight I am performing a gobuntu 7.10 installation on my notebook.  Today is actually the first time that I have heard of this Ubuntu derivative and truthfully I find the idea to be quite intriguing.&lt;br /&gt;&lt;br /&gt;I am originally a Red Hat user, eventually moved to Slackware when I decided that I really wanted to learn Linux and in the past year have migrated my home systems to the Ubuntu distributions for various reasons including learning something new (Debian vs. Red Hat vs. Slackware) and good old fashioned human laziness.&lt;br /&gt;&lt;br /&gt;Ubuntu has very good hardware support and requires little hands on configuration compared to Slackware.  This is why I always return to Slackware when I sense my technical skills are atrophying and I feel that I need to "get back in shape" so to speak.  I will admit that I tried and failed to install Linux From Scratch (LFS) and had minimal success with Gentoo.&lt;br /&gt;&lt;br /&gt;I have primarily standardized my NSM sensors on the CentOS distribution for various reasons such as ease of installation and the fact that the distribution is based on Red Hat Enterprise Linux (RHEL); a fact that made it easier to convince my supervisors that open source was OK for use, a battle that I am sure many others have fought.&lt;br /&gt;&lt;br /&gt;In the past year and a half I have pretty much standardized on Ubuntu on my personal systems.  
I am not particularly fond of Gnome, so I used Kubuntu at first, but eventually settled on Xubuntu with either the Enlightenment, Xfce or Fluxbox window manager because I favor a light, minimal working environment.&lt;br /&gt;&lt;br /&gt;Once I have completed the gobuntu installation I will post my thoughts on the distribution and post configurations performed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-1036601663285688492?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/1036601663285688492/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=1036601663285688492' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1036601663285688492'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/1036601663285688492'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/gobuntu-installation.html' title='gobuntu installation'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8039036654514642119.post-4658323398586360947</id><published>2008-01-09T23:32:00.000-05:00</published><updated>2008-01-10T00:21:10.819-05:00</updated><title type='text'>My first post</title><content type='html'>This is my first post on this 09-JAN-08.  
I figured that since it is 2008 and technically we are in the 21st century that I would get with the times this year and get myself a cell phone and finally post to a blog.&lt;br /&gt;&lt;br /&gt;Well, I haven't got a cell phone yet, but here is the blog.  Like other technically oriented blogs that I read, I will mainly use this space as a repository for my thoughts and technical details for projects that I am working on, problems that I am trying to solve and whatever else might be challenging me at the time.&lt;br /&gt;&lt;br /&gt;It is my intention to eventually post the documentation and various Perl and shell scripts regarding network security monitoring that I have created over the past couple of years and thereby give back to the Information Security and hopefully help out someone the same way that other blogs helped me out during my initiation to the Information Security profession.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8039036654514642119-4658323398586360947?l=inukdigitalsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://inukdigitalsecurity.blogspot.com/feeds/4658323398586360947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8039036654514642119&amp;postID=4658323398586360947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4658323398586360947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8039036654514642119/posts/default/4658323398586360947'/><link rel='alternate' type='text/html' href='http://inukdigitalsecurity.blogspot.com/2008/01/my-first-post.html' title='My first post'/><author><name>inuk-x</name><uri>http://www.blogger.com/profile/17843773704349620940</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_3NnGoukF2tU/SXVSDOtcxII/AAAAAAAAABg/JpEt4d22A_k/S220/400512598_iqcMy-X3.jpg'/></author><thr:total>0</thr:total></entry></feed>
