
Dec 11, 2006

An Open Letter to the Open Source Community

Sorry for the delay between posts. Between the whole holiday season thing, having a cold, having a 1st birthday for my younger daughter, etc., time sorta got away from me. So I figure I'll get things restarted with something that has irked me for quite some time, and it came to the surface again this morning.

This morning, I got an IM from a friend of mine. Here it is: "...but I'm NOT using ANYTHING called Ubuntu: Feisty Fawn. What kind of idiot slapped that on?" My friend touched upon something that is, I think, indicative of a significant hurdle that Open Source projects will need to overcome if they ever expect to be taken seriously and to ever have even the tiniest chance of being able to step out of the shadows. Before I dive in, let me state for the record that I am a die-hard member of the Open Source community. I am an ardent supporter of Open Source; if there is an Open Source equivalent for something, I'm using it. That being the case, while the following may come off as a bit vitriolic here and there, it is not to be taken as a slap at the Open Source community in general. It is merely an attempt at a wake-up call to the community members, and, hopefully, a call to action.

In short, I humbly ask the Open Source Community to please, please, please stop giving software (and branches, tags, and sub-versions thereof) stupid names. Seriously. I know that you may think it is funny, but it really isn't. The aforementioned "Feisty Fawn" thing just illustrates the point. There are tons of such names out there, ranging from absurd to, quite frankly, offensive. Every place I've worked, I have been a major advocate for Open Source software. It is very difficult to be taken seriously in meetings with management when you say "I have a potential solution," and then explain that your solution involves the use of Feisty Fawn, Tiny Sofa, Oinkmaster, BitchX, SheepShaver, awffull, lame, moomps, seahorse, smeg, gimp, spit, yoltia, suck, torsmo, valknut, vomit, and/or zile. Naming things, whether we're talking about naming software, children, or pets, can be a difficult process. When giving something a name, though, you have to ask yourself a few simple questions.

  1. Am I using this name because I think it is clever or cute? If the answer is "yes," then keep looking. You might think it is cute or particularly clever today, but odds are that you won't always find it so amusing. (Here I cite a person my sister-in-law knows whose first name is Frodo. Yeah, as in Baggins. I'm sure Frodo's parents thought the name was funny and probably even a little cute. I've got a dollar, though, that says if we asked our friend Frodo what he thought of his name, he'd have a somewhat different opinion.)
  2. Am I using this name because it is an inside joke? This is really just a slight variation on the previous question. Again, if you answer "yes," do yourself and everyone else a favor and keep looking.
  3. Is this a name that I'll be happy with 10 years from now? This one seems pretty obvious, but I'm always shocked at the number of people who don't really think this one all the way through.
  4. Is this name something I would be embarrassed to say in front of my grandmother? I like to call this one "the grandma rule." Here I cite such names as "suck" and "vomit." Inherently offensive? Not necessarily. Good names for software? Not even close.
  5. And finally, is this a name that I'll get tired of hearing?
While we're still on the subject of what is and isn't good naming style for an Open Source project, let me touch briefly on the subject of acronyms and initialisms. In general, try to avoid them. Sometimes it works: NATO is the obvious example, and Perl gets by even though the expansions attached to its name were invented after the fact. Most of the time, though, it doesn't. It usually ends up producing some sort of gibberish that is difficult to spell, impossible to pronounce, and equally impossible to remember.

Even in cases where you can pronounce and remember the acronym, it still may be a bad idea. The definitive example of this is GIMP (GNU Image Manipulation Program). This acronym is derogatory and offensive. I can hear people already: "but it was a joke" (see question #2, above) or "it isn't intended to be insulting." To this I reply that, in general, things operate not on reality but on the perception of reality. It may not have originally been intended to be insulting, but it is. So change it, simple as that. Ethereal successfully changed its name to Wireshark, so if they can do it, so can GIMP. (The Wireshark name change came about for legal reasons, so they had no choice but to change, but the concept applies equally well to GIMP.)

And then, of course, we have the matter of recursive acronyms. Once upon a time, this was a strange tradition that apparently seemed like a good idea at the time. A few examples: GNU stands for "GNU's Not Unix." Clever, huh? PHP stands for "PHP Hypertext Preprocessor." LAME stands for "LAME Ain't an MP3 Encoder." Please oh please oh please put an end to this. It never was funny or clever, and over time it has only become more and more annoying.

So what conclusions can we draw from all of this? Basically, take care when naming Open Source projects. If Open Source is ever to come into its own, it must be taken seriously by those who develop it. While GIMP and PHP and Oinkmaster may have become serious, production-quality software, their names suggest that at an early stage, each was named because someone thought it was funny. If we, as members of the Open Source community, want our efforts, our software, and our cause to be taken seriously by the industry at large, we must first take ourselves seriously. This is the root of much of the resistance to Open Source software. Even Microsoft's previous attempts at disinformation about Open Source software hinge upon this. How could we expect others to take us seriously when we (apparently) don't even take ourselves seriously? Am I saying that Open Source software needs to become stuffy and boring? Of course not. But the Weltanschauung of the industry at large stems predominantly from how we perceive ourselves. Times have changed and, as Darwin suggests, we must either adapt or die. As such, we must treat our work within the Open Source community with care and humility, and perhaps even a touch of reverence. To do otherwise is a disservice to our work, to ourselves, and to our community.

References
Don't Kill the Penguin!
Recursive Acronym
Ubuntu Development Code Names

Nov 14, 2006

About @#$%ing time...

Microsoft has finally released a Hotfix for the Windows XP Wireless Client, and all I can say is that it is about friggin' time. Internet Storm Center has a description of the Hotfix. Among other things, this fix addresses one of the most annoying things (from a Windows XP wireless perspective) I've encountered in a long time: the random Windows XP wireless network. If you've ever used Kismet in the vicinity of Windows XP machines, you know what I'm talking about. Not only does XP continue to cycle through its list of preferred wireless networks (which leaks far too much information and makes it waaaaaaay too easy to determine whose laptop you're looking at), but you also get the weird random SSID strings. If you just let Kismet run for days or weeks at a time, it isn't at all uncommon to have a list of several hundred or even several thousand probe requests just because of this odd XP behavior. Here's a little piece from the Hotfix page:

In Windows XP with Service Pack 2, Wireless Auto Configuration tries to match preferred wireless networks to wireless networks that broadcast their network name. If no network matches a preferred wireless network, Wireless Auto Configuration sends probe requests to determine whether the preferred networks are nonbroadcast networks. In this manner, a Windows XP wireless client advertises its list of preferred wireless networks. An observer may monitor these probe requests and configure a wireless network by using a name that matches a preferred wireless network. If the wireless network is not secured, this network could enable unauthorized connections to the computer.
I understand Microsoft's intent in designing their wireless client to work this way: they are trying to make connecting to wireless networks easy. They've made it easy at the expense of security, and on an OS that is notoriously difficult to protect without extensive 3rd party software. Note what the excerpt actually says, too: the probes go out for preferred networks the client can't see in beacons, which is exactly the situation for networks configured as "hidden" (non-broadcast). A client that has a hidden SSID in its preferred list has to ask for it by name to find it, Hotfix or no Hotfix, so the practical rule is: don't configure hidden SSIDs as preferred networks, and prune the preferred list down to the networks you actually use.

By strange coincidence, this Hotfix was released almost to the day of the 5th anniversary of the release of Windows XP. This unusual wireless behavior has been a known issue since that time. Why in the world did it take 5 years to release a fix for this? Ok, I grant you that some of the other things that this Hotfix addresses weren't big issues 5 years ago. But that strange "parking" behavior? C'mon. If I'm a Bad Guy, all I have to do is sit in the parking lot with Kismet running and listen for Windows XP machines to start cycling through their list of preferred networks. Depending upon the number and frequency of these probes, I can start making some fairly educated guesses about these wireless clients, and with a little extra effort on my part, I could set up my trusty Linux laptop in AP mode, advertising one of the SSIDs I just heard, and start trying to trick unsuspecting users into connecting to me, at which time I can start collecting usernames and passwords and whatnot. If I'm so inclined, I can then take this information and compare it to data that I pull down from and I can even start making guesses about where these users are located and places they frequent, based solely on this hemorrhaging of information from the Windows XP Wireless Client. If you use Windows XP wirelessly, install this Hotfix immediately. In addition, be very careful about who you are talking to wirelessly. You never know who might be listening.
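As an added example (not code from the original post, from Microsoft, or from Kismet), here is a Python script that does the part of the job Kismet was doing in the parking lot: it parses raw 802.11 probe-request frames, groups them by the client's MAC address, and separates the network names a client asked for by name from filler probes. The frames are constructed inline with a small helper; the "filler" heuristic (a 32-byte SSID that does not look like a human-chosen name) is an assumption made for this example, not a documented property of the XP client.

```python
"""Reconstruct each wireless client's preferred-network list from 802.11
probe requests.  Added example with constructed frames; not code from the
original post, Microsoft or Kismet."""
import math
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6
TAG_SSID = 0          # information element ID for SSID
PROBE_REQ = (0, 4)    # frame type = management, subtype = probe request


def build_probe_req(client_mac: str, ssid: bytes, seq: int = 0) -> bytes:
    """Construct a minimal probe request (24-byte header + SSID and rates IEs).
    Only used here to fabricate sample input."""
    sa = bytes.fromhex(client_mac.replace(":", ""))
    # frame control 0x0040 (little-endian) = management / probe request
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, BROADCAST, sa, BROADCAST, seq << 4)
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates 1/2/5.5/11 Mbps
    return hdr + ssid_ie + rates_ie


def parse_probe_req(frame: bytes):
    """Return (source MAC, SSID bytes) for a probe request, None for anything else."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != PROBE_REQ:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    off, ssid = 24, None
    while off + 2 <= len(frame):                        # walk the tagged IEs
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + length]
        if len(body) < length:                          # truncated IE: stop, don't misparse
            break
        if tag == TAG_SSID:
            ssid = body
        off += 2 + length
    return mac, ssid


def looks_random(ssid: bytes) -> bool:
    """Heuristic (an assumption for this example): a 32-byte SSID that is
    non-printable or has near-maximal byte entropy is filler, not a real network."""
    if len(ssid) != 32:
        return False
    if any(b < 0x20 or b > 0x7E for b in ssid):
        return True
    counts = defaultdict(int)
    for b in ssid:
        counts[b] += 1
    entropy = -sum(c / 32 * math.log2(c / 32) for c in counts.values())
    return entropy > 4.5   # 32 distinct bytes give exactly 5 bits


def summarize(frames):
    """Per client: the SSIDs it asked for by name, plus counts of filler and wildcard probes."""
    clients = defaultdict(lambda: {"preferred": set(), "filler": 0, "wildcard": 0})
    for frame in frames:
        parsed = parse_probe_req(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if not ssid:
            clients[mac]["wildcard"] += 1        # empty SSID: nothing leaked
        elif looks_random(ssid):
            clients[mac]["filler"] += 1
        else:
            clients[mac]["preferred"].add(ssid.decode("utf-8", "replace"))
    return {m: {"preferred": sorted(r["preferred"]), "filler": r["filler"],
                "wildcard": r["wildcard"]} for m, r in clients.items()}


# Constructed sample traffic: one XP-style client cycling through its
# preferred list plus a filler probe, one client sending a wildcard probe,
# and a beacon that must be ignored.
SAMPLE_FRAMES = [
    build_probe_req("00:0c:29:aa:bb:cc", b"HomeWiFi", 1),
    build_probe_req("00:0c:29:aa:bb:cc", b"CorpNet", 2),
    build_probe_req("00:0c:29:aa:bb:cc", b"Starbucks-Airport", 3),
    build_probe_req("00:0c:29:aa:bb:cc", bytes(range(0x80, 0xA0)), 4),
    build_probe_req("00:16:6f:11:22:33", b"", 1),
    b"\x80\x00" + b"\x00" * 30,     # beacon (subtype 8)
]

if __name__ == "__main__":
    for mac, rec in summarize(SAMPLE_FRAMES).items():
        print(mac, rec)
```

To run this against a real capture, feed it the bare 802.11 frames: most Linux monitor-mode captures carry a radiotap header in front of each frame, which has to be stripped first (its length is in bytes 2-3 of the radiotap header), and the parser above deliberately does not try to handle that. The first client in the sample is the one the post is worried about: three named networks, one of which tells you where the owner drinks coffee, all of it broadcast without anyone asking.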

Nov 8, 2006

Tools of the Trade, Part III

A few more "must-have" tools to keep on hand:

  • 3D Traceroute. Portable! Gotta have a good traceroute program, and 3D Traceroute is about as good as it gets.
  • Sam Spade. Fantastic tool for IP lookups, DNS info, etc. The site appears to be unavailable at the moment, but the Sam Spade tool is available for download at lots of sites around the net.
  • Wireshark. A quality packet sniffer is just something you must have. You can't even hope to dig into what is going on throughout your network if you don't have a good packet sniffer. Formerly known as Ethereal, Wireshark is the cream of the crop.
  • Cygwin. Cygwin provides a Linux-like environment in Windows. If you can afford the disk space, it is probably worth doing a full install. Tons of tools that we know and love from Linux are now available in Windows. For me, it makes life much less stressful.

Mapping wireless networks

I recently had reason to do a little wireless investigation at work. There was some concern that there may be a wireless access point attached to the network that had been set up insecurely. So I grabbed my laptop and my USB GPS device and scampered off like a kid on his way to the candy store. I did some passive investigation from the parking lot with and . If you aren't familiar with these tools, I can't recommend them strongly enough. When using these tools together, the WiFi data you can collect is amazing, especially if you use them in conjunction with GPS. Ok, so you've got this data... now what? That's where WiGLE comes into play. WiGLE, the Wireless Geographic Logging Engine, is a clearing house for files collected by people all over the world when wardriving, warwalking, wardancing, or warskippingaboutlikealoon. You upload your file to the WiGLE site and it crunches the data and makes the results available for download. Using one of the WiGLE clients (I really like the Java-based client, JiGLE), you can download data for any number of areas and it gives you maps and locations of all of the identified APs. JiGLE allows you to view area polygons, displaying the coverage area of a given AP, as shown here:



With a little bit of effort, you can even import JiGLE data into Google Earth. Now that, friends and neighbors, is cool; simple as that. WiGLE is a great tool to have in your back pocket.
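An added example of that last step (not the post's own code, and not WiGLE's or JiGLE's): given a wardriving result set, it writes a KML file Google Earth can open, with open access points styled differently from encrypted ones so the rogue or misconfigured AP the investigation was looking for stands out on the map. The CSV layout (bssid, ssid, encryption, lat, lon) and the rows are constructed for the example and are an assumption, not any tool's export format; map the columns from whatever your scanner produces.

```python
"""Convert a wardriving CSV into KML for Google Earth, flagging open APs.
Added example with constructed data; the column layout is an assumption."""
import csv
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
OPEN_ENC = {"", "NONE", "OPEN"}      # spellings of "no encryption" in exports (assumed)


def read_aps(csv_text: str):
    """Parse rows that have a GPS fix; rows lacking lat/lon are skipped."""
    aps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            lat, lon = float(row["lat"]), float(row["lon"])
        except (KeyError, ValueError):
            continue
        enc = (row.get("encryption") or "").strip().upper()
        aps.append({"bssid": row["bssid"].strip().lower(), "ssid": row.get("ssid", ""),
                    "open": enc in OPEN_ENC, "lat": lat, "lon": lon})
    return aps


def open_aps(aps):
    """BSSIDs of access points with no encryption: the ones to go and find."""
    return [ap["bssid"] for ap in aps if ap["open"]]


def build_kml(aps) -> str:
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    # KML colours are aabbggrr: red icon for open, green for secured
    for style_id, colour in (("open", "ff0000ff"), ("secured", "ff00ff00")):
        style = ET.SubElement(doc, "Style", id=style_id)
        ET.SubElement(ET.SubElement(style, "IconStyle"), "color").text = colour
    for ap in aps:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = ap["ssid"] or "<hidden>"   # ElementTree escapes this
        ET.SubElement(pm, "description").text = (
            f"{ap['bssid']} ({'OPEN' if ap['open'] else 'encrypted'})")
        ET.SubElement(pm, "styleUrl").text = "#open" if ap["open"] else "#secured"
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = (
            f"{ap['lon']},{ap['lat']},0")                                # KML order is lon,lat
    return ET.tostring(kml, encoding="unicode")


SAMPLE_CSV = """\
bssid,ssid,encryption,lat,lon
00:11:22:33:44:55,CorpNet,WPA,40.7128,-74.0060
00:11:22:33:44:66,linksys,,40.7130,-74.0062
00:11:22:33:44:77,,WEP,40.7132,-74.0065
00:11:22:33:44:88,NoGpsFix,WPA,,
"""   # constructed rows, not a real survey

if __name__ == "__main__":
    aps = read_aps(SAMPLE_CSV)
    print("open APs:", open_aps(aps))
    with open("aps.kml", "w") as fh:
        fh.write(build_kml(aps))
```

Open `aps.kml` in Google Earth and the red placemark is the "linksys" AP with no encryption at all. Note that the script only distinguishes "no encryption" from "some encryption"; WEP lands in the green bucket here purely for colouring, and in practice a WEP AP on your network deserves the same visit as an open one.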

Nov 6, 2006

Who says network people aren't funny?

I was working on a couple of ideas for a few new posts and happened to blindly stumble across this story: . With a title like that, I had to investigate. Ahhhhh... good humor. Don't get me wrong, it won't have you howling with laughter or anything, but it was just the thing to lighten up an otherwise dreary Monday morning.

Nov 1, 2006

Nifty tool

Like any self-respecting techno-geek, I'm always on the lookout for new tools. I love to comb through or , looking for new and interesting software. Ever since VMware released VMware Server as a free product earlier this year, I've spent a lot of time messing with it, trying new and interesting ways to use it, etc. I've been doing some really interesting stuff with it recently (I'll make an extensive post on this at some point in the near future), and have downloaded and experimented with dozens of the free . Just when I thought that VMware couldn't be any cooler, I found this: VMware Converter. It essentially takes an image of a running Windows machine and creates a virtual machine. They claim that you can image a hot machine without actually disturbing the machine being imaged. And it can all be done over Ethernet. And (this is arguably the best part), it is free. It can also create VMs from older VMware formats, Symantec Backup Exec System Recovery, and Microsoft Virtual Server/Virtual PC. I haven't had a chance to extensively test this yet, but assuming it lives up to their claims, this has so much potential, I don't even know where to begin.

Kudos to the VMware folks.

Oct 31, 2006

Well Said

Let me begin by saying that I've been a big fan of Richard Bejtlich's TaoSecurity blog for quite a while. If you've never visited his site, go there now. Truly excellent information from a man who clearly knows what he's talking about.

I started this morning as I do every morning: by reading about 2 dozen security related RSS feeds. After glancing at the latest crop of exploits and vulnerabilities, I saw that there was a new post on TaoSecurity. Bejtlich does a fantastic job of responding to a number of posts made on the DailyDave list. In short, he responds to a number of assertions that traditional IDS (particularly ) is of no value.

<rant>
My feeling is that if you think it is of no value, it is probably because you aren't using it correctly and/or aren't using it in the correct location. It reminds me of when I was a kid and used to try to help my dad when he was working on the car or the lawnmower or whatever. I remember him telling me that "a lot of it boils down to using the right tool for the right job." Can you just throw a Snort sensor any ol' place on your network and expect it to do everything? Of course not. You place them strategically, significantly modifying the rules policy based on where you're placing them and what you intend the primary purpose of the sensor to be. Should you use Snort or Bro or SHADOW exclusively? Again, of course not. The key here is an integrated approach, using a number of different tools that cover a lot of different potential attack vectors and having all of the logs and alerts sent back to a central aggregation point for detailed analysis. Event correlation using something like OSSEC (see my previous post) can go an awfully long way toward providing accurate detection of anomalies.
</rant>

Thanks, Richard, for a great, thought-provoking post on your blog.


Oct 28, 2006

Tools of the Trade, Part II

Since I just posted Part I yesterday, I'll keep this one brief. I just found a great new tool (well....new to me, anyway), so I thought I'd make a quick update.

  • Keyfinder (http://www.magicaljellybean.com/). Portable! Need to find out the key that was used to register Windows or Office on a particular machine? Keyfinder is the tool to use.
  • AbiWord. Portable! A great, cross-platform, simple word processor. If you need something more heavy duty, you'll want to use OpenOffice, but if you just need a relatively simple, solid word processor, look no further.

Oct 27, 2006

Before I forget...

Be sure to check out the blog of a friend of mine, Integrity IT Solutions. His blog is more Windows-centric than mine, but like it or not, we live in a Windows world. (At least for the time being....I patiently await the day when Linux finally rises to slay the great Redmond dragon.) Great stuff and definitely worth a look.

Tools of the Trade, Part I

Things have been a little slow of late, so I thought I'd start a recurring feature: Tools of the Trade. I'll go over the tools that I use and things that I like to keep on hand. I'm a big fan of squirreling things away for later use. The trick is, of course, to remember what you've squirreled away so you can use it when the time comes. Some of these tools are portable (i.e. you can run them from a USB drive), and of course, some aren't. I'll try to identify which tools are portable, because if you're at all like me, you like to keep a nice supply of heavy-duty tools at the ready. In my experience, it pays to be prepared. During the course of this series, I'll also mention non-software tools and items that you'll want to keep around. Some are obvious (a screwdriver, for example) and some aren't (nail polish, for example......I'll go over that one another time). Also, these tools are in no particular order. That being said, let's dive in.

  • Nmap. This is one of those tools that I simply can't function without. If you aren't familiar with nmap, learn it. If you're already familiar with it, read the docs again. Seriously. I make it a point to re-read the docs fairly regularly, partly because it changes a little bit from version to version, but also because it does so many things, I can't remember them all.
  • Perl. Ok, technically it doesn't have to be Perl. Really any serious scripting language will do (Ruby, Python, etc., etc.). The point is that you'll want to be very proficient in at least one cross-platform scripting language. It has saved my bacon more times than I can count.
  • Notepad++. Portable! A very robust text editor. If you're looking for a fancy word processor, you're looking in the wrong place. Notepad++ is a great editor that supports having multiple documents open simultaneously (I curse you, Windows Notepad) and it knows how to handle both Windows and *NIX line endings (again, I curse you, Windows Notepad). It supports syntax highlighting for lots of languages and is easily enhanced by way of plugins.
  • Subversion. Version control. Why version control, you ask? Personally, I hate ever having to do the same work twice, so any time I have a config file or script or something that I've put some effort into, it goes under version control. That way, if I manage to fubar the file (any SysAdmin or programmer who tells you they've never done that is lying), I can retrieve any previous version with no effort.
  • WinMerge. Portable! Have two text files that you want to compare for differences? WinMerge is the tool for you. In my opinion, the best Windows-based comparison program.
If you have any tools that you think should be added to the list, email me at sifukurt AT yahoo DOT com.

Oct 20, 2006

Argus + GraphViz = Very Cool

Sometimes, it is really handy to be able to get a bird's eye view of your network traffic. I've used (and continue to use) and I love it. It provides great reporting, but sometimes the bird's eye view is necessary. That's where Argus and GraphViz come into play. Here is the description of Argus from the website:
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.
The data that it collects on your network traffic (and it can monitor multiple interfaces simultaneously) is impressive. Argus runs as a daemon process and then you use the client tools to extract the data from the Argus log. You can either dump the entire log or filter the results for a specific time period, a specific host, or a specific type of traffic. This data you can then feed to GraphViz to generate your graphs. The image below was generated by a Perl script that I wrote (using Perl's GraphViz module, available from any CPAN mirror) from Argus data covering a 1 hour period.


I color coded the arrows (or "edges" in GraphViz terms). The blue edges are TCP traffic, red is UDP, green is ICMP, and magenta is ARP. For TCP and UDP traffic, I've labeled the edges with the destination port. The only potential downside is that the resulting image can be a little large. Since Argus tracks all of your network traffic, this could be an invaluable tool in the face of some sort of security incident or virus outbreak.
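An added example showing the same idea in Python rather than Perl (this is not the post's script): it reads flow records exported from the Argus log, collapses repeated flows into a single edge with a count, and emits a GraphViz DOT file using the colour scheme described above. The input is constructed to mimic `ra` output with a comma field delimiter and the fields proto, saddr, daddr, dport; that layout is an assumption for the example, so adjust the parser to whatever your `ra` invocation prints. The `min_count` threshold is the answer to the "image gets large" problem: drop edges seen fewer than N times and the busy segment becomes readable again.

```python
"""Render Argus flow records as a Graphviz DOT graph with the colour scheme
from the post (TCP blue, UDP red, ICMP green, ARP magenta).  Added example,
not the post's Perl script; input is constructed to mimic `ra` output with
a comma delimiter and the fields proto,saddr,daddr,dport (an assumption)."""
from collections import Counter

EDGE_COLOUR = {"tcp": "blue", "udp": "red", "icmp": "green", "arp": "magenta"}


def parse_ra_csv(text: str):
    """Yield (proto, saddr, daddr, dport); skips the header and malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[0].lower() in ("", "proto"):
            continue
        proto, saddr, daddr, dport = parts
        yield proto.lower(), saddr, daddr, dport


def aggregate_flows(records, min_count: int = 1):
    """Collapse repeated flows into one edge with a count; drop rare edges so the
    graph stays readable on a busy segment."""
    counts = Counter(records)
    return {edge: n for edge, n in counts.items() if n >= min_count}


def to_dot(edges) -> str:
    lines = ["digraph flows {", "  node [shape=box];"]
    for (proto, saddr, daddr, dport), n in sorted(edges.items()):
        colour = EDGE_COLOUR.get(proto, "black")
        label = dport if proto in ("tcp", "udp") else proto   # a port only means something for TCP/UDP
        if n > 1:
            label = f"{label} x{n}"
        lines.append(f'  "{saddr}" -> "{daddr}" [color={colour}, label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


def build_graph(ra_text: str, min_count: int = 1) -> str:
    return to_dot(aggregate_flows(parse_ra_csv(ra_text), min_count))


SAMPLE_RA_OUTPUT = """\
proto,saddr,daddr,dport
tcp,10.0.0.5,10.0.0.1,80
tcp,10.0.0.5,10.0.0.1,80
udp,10.0.0.5,10.0.0.2,53
icmp,10.0.0.7,10.0.0.1,
arp,00:0c:29:aa:bb:cc,ff:ff:ff:ff:ff:ff,
tcp,10.0.0.9,10.0.0.1,22
"""   # constructed: an hour of imaginary traffic, not a real capture

if __name__ == "__main__":
    print(build_graph(SAMPLE_RA_OUTPUT))
```

Pipe the output to `dot -Tpng -o flows.png` to get the picture. During an incident the useful variant is the inverse of the readability trick: set `min_count` to 1 and look for the edges you have never seen before, since a single outbound connection to a new host is exactly what a fresh compromise looks like in flow data.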

Oct 12, 2006

OSSEC Host-based Intrusion Detection

I've used a lot of different file integrity monitoring programs (Samhain, Osiris, and Tripwire just to name a few), and I've messed with a number of different programs for log parsing and event correlation. Then I found OSSEC, which takes all of these things to an entirely new level. Now instead of having to manage multiple different software packages, I can do it in one. But that's not the coolest thing. OSSEC will allow you to monitor syslog and Windows event logs as well as Apache, IIS, Snort, and numerous other logs from a single location, and it has a very robust set of rules to do event correlation. If you are so inclined, you can even take advantage of the Active Response option and have OSSEC disable accounts, drop in firewall rules, etc., etc. Plus it does file integrity monitoring on top of it all.

The server must be installed on a Linux or UNIX box, but the agent installs on just about anything, including the ubiquitous Windows platform. The agents encrypt all of their communication with the server, and for systems on which you can't install the agent (networking gear, for example), you can configure syslog on those devices to forward their entries to the OSSEC server. OSSEC then seamlessly integrates all of these and creates a single, cohesive alerts file as well as breaking down alerts into daily files for easy review. Overall, very impressive. My only complaint is the reporting. The alerts file is fairly straightforward, but it is a flat text file. OSSEC comes with a few contrib scripts that will generate some text reports for you, but again, just flat text files. Ideally, I'd like to see a way to generate HTML reports (both summary and detailed reports) that are much better for sending to management and/or those who are less technically inclined. I suspect I'll probably end up writing such a tool myself as I have been unable to find one.
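As an added example of the kind of tool the previous paragraph is wishing for (this is neither the post's code nor anything shipped with OSSEC), here is a Python script that parses the flat alerts file into records and renders an HTML summary: counts per rule, top source IPs, and the recent high-level alerts with the raw event that fired them. The sample alerts are constructed to mirror the alerts.log layout as I recall it from OSSEC 1.x (a `** Alert` header line, a location line, a `Rule:` line, optional `Src IP:`, then the raw log), so check the regular expressions against your own file before trusting the counts. Everything in that file came from logs an attacker can influence, which is why the renderer escapes every field: an unescaped report e-mailed to management is a stored cross-site scripting attack against whoever opens it.

```python
"""Summarise an OSSEC alerts.log into a small HTML report (rule counts, top
source IPs, recent high-level alerts).  Added example, not part of the post
or of OSSEC; the sample mirrors the alerts.log layout as I recall it from
OSSEC 1.x and is constructed, so check the regexes against your own file."""
import html
import re
from collections import Counter

ALERT_HDR = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>\S*)")
LOC_LINE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
                      r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->")
RULE_LINE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'")
SRC_LINE = re.compile(r"^Src IP: (?P<ip>\S+)")


def parse_alerts(text: str):
    """One dict per alert; each alert starts with a '** Alert' header line."""
    alerts, cur = [], None
    for line in text.splitlines():
        if (m := ALERT_HDR.match(line)):
            cur = {"ts": float(m["ts"]), "mail": bool(m["mail"]),
                   "groups": [g for g in m["groups"].split(",") if g],
                   "agent": None, "rule": None, "level": None, "desc": "", "src": None, "log": []}
            alerts.append(cur)
        elif cur is None:
            continue
        elif (m := LOC_LINE.match(line)):
            cur["agent"] = m["agent"] or m["host"]
        elif (m := RULE_LINE.match(line)):
            cur["rule"], cur["level"], cur["desc"] = int(m["rule"]), int(m["level"]), m["desc"]
        elif (m := SRC_LINE.match(line)):
            cur["src"] = m["ip"]
        elif line.strip():
            cur["log"].append(line)          # the raw event(s) that fired the rule
    return alerts


def summarize(alerts, min_level: int = 0, high_level: int = 7):
    sel = [a for a in alerts if a["level"] is not None and a["level"] >= min_level]
    return {
        "total": len(sel),
        "by_rule": Counter((a["rule"], a["level"], a["desc"]) for a in sel),
        "by_src": Counter(a["src"] for a in sel if a["src"]),
        "high": [a for a in sel if a["level"] >= high_level],
    }


def render_html(summary) -> str:
    """Everything from the log is attacker-influenced, so escape it: an unescaped
    report is a stored XSS against whoever opens it."""
    esc = html.escape
    rows = "".join(f"<tr><td>{r}</td><td>{lvl}</td><td>{esc(d)}</td><td>{n}</td></tr>"
                   for (r, lvl, d), n in summary["by_rule"].most_common())
    srcs = "".join(f"<li>{esc(ip)}: {n}</li>" for ip, n in summary["by_src"].most_common())
    high = "".join(f"<li>[level {a['level']}] {esc(a['desc'])} on {esc(a['agent'] or '?')}"
                   f"<br><code>{esc(a['log'][0] if a['log'] else '')}</code></li>"
                   for a in summary["high"])
    return ("<html><body><h1>OSSEC alert summary</h1>"
            f"<p>{summary['total']} alerts</p>"
            "<table><tr><th>Rule</th><th>Level</th><th>Description</th><th>Count</th></tr>"
            f"{rows}</table><h2>Top source IPs</h2><ul>{srcs}</ul>"
            f"<h2>High-level alerts</h2><ul>{high}</ul></body></html>")


SAMPLE_ALERTS = """\
** Alert 1160640000.0: - syslog,sshd,authentication_failed,
2006 Oct 12 08:00:00 (webhost) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.9.8.7
User: root
Oct 12 08:00:00 webhost sshd[2211]: Failed password for root from 10.9.8.7 port 4022 ssh2

** Alert 1160640005.1: mail - syslog,sshd,authentication_failures,
2006 Oct 12 08:00:05 (webhost) 192.168.1.10->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 10.9.8.7
Oct 12 08:00:05 webhost sshd[2219]: Failed password for root from 10.9.8.7 port 4023 ssh2

** Alert 1160640300.2: - ossec,syscheck,
2006 Oct 12 08:05:00 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1160640400.3: - web,accesslog,attack,
2006 Oct 12 08:06:40 (webhost) 192.168.1.10->/var/log/apache2/access.log
Rule: 31106 (level 8) -> 'A web attack returned code 200 (success).'
Src IP: 10.9.8.20
10.9.8.20 - - [12/Oct/2006:08:06:40 -0400] "GET /?x=<script>alert(1)</script> HTTP/1.0" 200 512
"""   # constructed sample, not a real alerts file

if __name__ == "__main__":
    print(render_html(summarize(parse_alerts(SAMPLE_ALERTS), min_level=5)))
```

For the daily report, read the day's file from OSSEC's per-day alert directory instead of the constructed sample and pick `min_level` to match what you consider worth management's attention; the level-7 default for the "high" section is an arbitrary choice for the example.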

At any rate, OSSEC is very powerful and very cool. It does a lot of stuff very effectively, very thoroughly, and relatively easily. Check it out.

Oct 6, 2006

Gratuitous Self-Promotion

I've had several occasions over the last couple of weeks to refer people to a paper that I wrote that is published at Infosecwriters.com. The paper is entitled "Securing Network Communication with Stunnel, OpenSSH, and OpenVPN." If you need to secure your communication on a small or even modestly large basis, take a look at it. I included configs that you can copy and paste. The paper is compiled from many hours of tinkering with configs for various purposes. It doesn't take the place of the full docs for these tools, but it'll get you up and running in short order.

The Metasploit Project

I love Metasploit, and it just keeps getting better and better. If you haven't already done so, head over to Metasploit and check it out.

Read more at www.metasploit.com/

Top 100 Security Tools

Not exactly the cutting edge of new information, but I was just combing through this list again today so I thought I'd mention it here. If you haven't already, you really owe it to yourself to check out the Top 100 Security Tools. Great list of tools and well worth your time.


Oct 4, 2006

SnortSam, where have you been all my life?

I have been using Snort for years and years. A couple of years ago I started messing with Snort_inline. Great concept, works beautifully. The downside is that Snort only works in inline mode when used in conjunction with iptables. Recently I was tinkering with a Linux box in VMware Server and I was trying to get Snort_inline to work, alas to no avail. (Side note: if you haven't played with VMware Server, you don't know what you're missing. Go get it now and download some of the Virtual Appliances. You won't be disappointed.) So I decided to take a look at SnortSam, a tool that I've had on my list of things to mess with for ages, but I just never got around to it. One word: wow. The possibilities for things you can do with Snort and SnortSam are nearly endless. It took a few minutes to get configured correctly and there were a couple of failed attempts on my part before I finally got it configured the way I wanted. All told, about 20 minutes. It affords the opportunity to leverage just about any existing infrastructure and quickly create a full-blown IPS network. SnortSam is now on my short list of invaluable tools.

Apr 26, 2006

SecuriTeam.com™

I love this site. Loads of great vulnerability info.

Read more at www.securiteam.com/