Saturday, January 19, 2008

Security Anecdote Theatre, episode 4

Imagine you are the king of a maritime nation, a nation at war with other maritime powers, where most goods and materials which aren't local must be shipped by sea. Your navy is pretty well bogged down fighting wars and trying to protect your maritime trade in its spare time. Meanwhile, your rival's slow, fat merchant vessels come and go in safety because you simply cannot spare the men and ships to disrupt their trade in a meaningful way.

You could raise taxes and conscript more men, build more ships and train more sailors and soldiers. But that would be an enormous burden to an already burdened kingdom, possibly leading to bankruptcy.

Or, you could devise a scheme where others would assume the burden of raising and manning the fleet to disrupt your enemy's trade- in exchange for a cut of the proceeds and the blessing of the Crown. Thus was devised one of the most famous (and/or infamous) traditions in naval history, sailing under a letter of marque- more commonly known as privateering.

So what's the security angle? Risk, of course. Risk Analysis, Risk Avoidance, and Risk Transference. Of course, if you don't know what your risks are, you can't make informed decisions. Then you can ask yourself: Do you need all that risk, or can you avoid some of it by making changes in your operations? Can't afford to build another navy or properly secure your data? Maybe you can find someone to do it for you for a reasonable price.

Risk Analysis, Risk Avoidance, and Risk Transference- without the risk of scurvy.


Sunday, January 13, 2008

Wireshark and the path to network enlightenment

Most network and network security pros know about Wireshark, the protocol analyzer formerly known as Ethereal.

Their website says this about Wireshark:

"Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions."

That's not hubris on their part, Wireshark is an amazing tool. Actually, Wireshark is an amazing set of tools- and not just useful for packet capture and protocol analysis, but also invaluable for learning about networks at the packet level.

In addition to the full GUI version of Wireshark, the suite also includes TShark, the command-line version of Wireshark and:

  • dumpcap: a small program whose only purpose is to capture network traffic, while keeping advanced features like capturing to multiple files

  • capinfos: reads a saved capture file and returns any or all of several statistics about that file

  • editcap: edits and/or translates the format of capture files

  • mergecap: merges multiple capture files into one

  • text2pcap: generates a capture file from an ASCII hexdump of packets

There have been numerous tutorials written on how to use Wireshark/Ethereal and a few books, but I think the best thing to do is download the latest version of Wireshark, install it and start playing.

To perform your first capture, just launch Wireshark, then click Capture > Interfaces. You will see a list of available interfaces; click the Start button next to one showing packet activity. You should now be capturing traffic, so open a web browser and watch for packets to appear in Wireshark. No packets? Don't worry, your card/driver may not support promiscuous mode captures. Just stop the capture, go back to the list of interfaces and click Options instead of Start, then clear the checkbox next to "Capture packets in promiscuous mode" and click Start.

Once you have some web traffic, click Capture > Stop to end the current capture. Now, take a look in the top (Packet List) section, find a packet tagged as HTML in the protocol column, right-click it and select "Follow TCP Stream" and you'll get a text box showing the contents of your capture decoded in (maybe) readable form. Now, start playing with options until you are really confused or hopelessly stuck.

This is when you can dive into a tutorial or book and get a series of "Aha!" moments, and you'll be hooked.

There are a few more very good resources:

You can also check out the introduction to Wireshark presentation (2MB PDF) I delivered to the Boston Area Windows Server User Group.

Once you start poking around with packet captures you will see things you "kinda knew" like three-way handshakes, but displayed in plain text on your monitor, not abstractly wandering around your brain.
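If you want to see what the capture-file tools above (text2pcap, capinfos and friends) are actually reading and writing, here is a small script, added here and not part of the original post or the Wireshark project, that builds a constructed TCP three-way handshake (10.0.0.1 talking to 10.0.0.2, zeroed MACs and checksums), writes it out in classic pcap format and decodes it back into one-line summaries. It assumes only the Python standard library; the "handshake.pcap" file it writes can be opened in Wireshark.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed Ethernet/IPv4/TCP frame; MACs and checksums are zero (Wireshark will flag them).
def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp

def write_pcap(frames, link_type=1):  # classic little-endian pcap, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, frame in enumerate(frames):  # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1200000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):  # yields raw frames, honoring the byte order the magic number announces
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))

def decode_tcp(frame):  # one-line summary of a TCP segment, None for anything else
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]  # IHL is in 32-bit words
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    names = ", ".join(n for bit, n in FLAG_NAMES if flags & bit)
    return f"{inet_ntoa(ip[12:16])}:{sport} -> {inet_ntoa(ip[16:20])}:{dport} [{names}] seq={seq} ack={ack}"

def summarize(pcap_bytes):
    return [s for s in (decode_tcp(f) for f in read_pcap(pcap_bytes)) if s]

# Constructed three-way handshake: SYN, SYN/ACK, ACK (sample data, not a real capture).
HANDSHAKE_PCAP = write_pcap([
    tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, 0x02),
    tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 5000, 1001, 0x12),
    tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1001, 5001, 0x10),
])

if __name__ == "__main__":
    with open("handshake.pcap", "wb") as fh:  # open this in Wireshark and Follow TCP Stream
        fh.write(HANDSHAKE_PCAP)
```

Run it, then compare what capinfos reports for handshake.pcap with the 24-byte global header and three 16-byte record headers the script wrote.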

The path to network enlightenment awaits you...


Tuesday, January 8, 2008

Stupid Politicians, again.

I'm not surprised, but it is still aggravating. Cory Nachreiner over at WatchGuard Wire has a good writeup of the latest news on the UK's attempts to ban "hacker tools". The key issue is summarized well in Cory's article:

"At first glance, that may not seem so alarming. After all, hacking tools are bad, right? Well...not necessarily. Almost every security researcher or pen-tester I have ever met uses applications and scripts that could easily qualify as hacking tools. Security researchers regularly use applications like Wireshark, nmap, and Metasploit either to find or test for network and computer vulnerabilities. Unfortunately, attackers also use these tools regularly for their own nefarious purposes. Banning such tools would simply hamper security research in the UK. Meanwhile, the bad guys -- no strangers to breaking the law -- would still download and use these outlawed hacking tools anyway."

They'll have to pry my Wireshark from my cold, down eth0...


Joining the cult of Blackberry, or the dangers of geeks with toys.

I drank the Kool-Aid.  I have joined the cult of the CrackBerry. Not once, but twice.  An 8830 for personal and consulting use and a work-issued Pearl.

Where's the security implication, you ask?  Well, there are a few of them which spring to mind.  First, there's the temptation to use the thing while driving.  Not just while driving, mind you- but while driving along Route 128.  This is truly unsafe.  The second is a real infosec risk, the risk of geeks with toys.  What could it hurt to download random apps and run them on my 'Berry?  Why worry about an SSH client from an unknown developer, what risk could that pose?  I have a new toy, and I want to play.  I have resisted the temptation to install any unknown apps (so far), but what about those weaker-willed geeks who succumb to the lure of tempting apps for their 'Berries?  And then there is the whole data loss/leakage issue.  I monitor five email accounts on my personal BlackBerry and another one on my work 'Berry- no chance to lose anything important there, eh?

What to do about it?  My usual advice applies here- stop and think before you do something potentially inappropriate.  Weigh the risks and act accordingly.  Don't be afraid of the toys, but use them carefully.

And, no, I did not write this on the Berry while in traffic.



Tuesday, January 1, 2008


I missed the first round of ShmooCon tickets and got shut out in the second round- but scored a ticket today. Now to see if the Shmoos invite me to participate in the labs.

See you there?