Dr. I Doctor's Informational Juggernaut
If you've spent much time at all analyzing network traffic, you've run into an infamous plague swarming the Internet known as botnets -- the interconnected web of compromised PCs that virus writers use for intelligence gathering and distributed denial of service attacks. But unless you've actually disassembled botnet code, you likely don't have much information about how botnets work. The Computer Emergency Response Team (CERT) whitepaper Botnets as a Vehicle for Online Crime is a first-rate tutorial on the motivations and mechanics of botnets. It should be required reading for all network professionals.
The paper's authors, CERT staffers Nicholas Ianelli and Aaron Hackworth, start out by describing why botnets are such a big draw for hackers. The main reason is one you likely haven't considered: A botnet is essentially a very large, highly distributed, supercomputer. With a botnet, a hacker commands a vast computing resource that rivals those of even the largest government agencies (unless, of course, those agencies themselves are using botnets). Hackers use this computational powerhouse to crack passwords, distribute warez (stolen software), and attack other networks.
Next, the paper details how a hacker starts up a botnet. The valuable information here is that you can greatly reduce your vulnerability to botnets by ensuring that a few well-known, but readily countered, exploits do not exist in your network: the Windows RPC, LSA, and DLL buffer overflow bugs. You can block the other common infiltration technique -- social engineering -- by educating your users about phishing and e-mail attachment dangers. The reason that botnets flourish is that the vast majority of Internet users, particularly education and home broadband users, fail to put these protections in place.
The authors then dive into a detailed description of various botnet mechanisms, including autorooting and exploit scanning, port redirection, registry mining, key logging, screen capturing, and IRC bouncing. The breadth and depth of botnet tools is sobering, and illustrates how serious the botnet problem has become. The technical discussion also shows how botnet command and control mechanisms work, giving you a fascinating hackers-eye view of botnet manipulation.
Put this on your professional development reading schedule immediately.
http://www.cert.org/archive/pdf/Botnets.pdf
Posted by mbeckman on December 6, 2005 at 7:55 AM
Network intrusion detection is usually under the purview of network administrators. But once an intrusion has been discovered, who is responsible for assessing the damage? In many organizations, that task also falls to the network admin staff. Most network technologists have a good working knowledge of computer systems, so this is not unreasonable. However, few of us write code for a living, so constructing a toolkit for intrusion assessment is not something at which we're likely to excel.
With the Computer Emergency Response Team (CERT) First Responders Guide to Computer Forensics: Advanced Topics, you don't have to be a code wizard. This 169-page tutorial gives you hands-on instruction for analyzing compromised systems using existing tools, and shows you how to safely install additional utilities for deeper analysis.
The document is organized into five chapters, which it calls "modules", covering log file analysis, process characterization, disk image management, process capture, and spoofed e-mail decoding. Each of these chapters represents one step in the system dissection process that is forensic analysis. The authors don't tell you the basics of forensic analysis -- how to isolate, take offline, and safely access an infected system. But that knowledge is widely available. These writers focus on the meat and potatoes of system investigation, which any IT professional needs to know to be a competent network protector.
The first chapter immediately launches into the use of two open source utilities, Swatch and Microsoft Log Parser, as forensic analysis tools. Swatch, or Simple Watcher, analyzes Unix system logs for significant events. While often used for real-time analysis and notification, in its forensic role it serves to conduct a post-mortem autopsy of stored logs. Swatch's primary value is sifting through logs for interesting events that can lead you more directly to the intruder's original point of entry. Microsoft Log Parser is a similar tool tailored to processing Windows logs, including event logs, IIS and Apache Web server logs, XML-formatted logs, and Windows NetMon capture files. Log Parser can also perform some analysis on registry entries and Active Directory objects.
The first chapter focuses on post-mortem analysis, but that's not necessarily the starting point for a first responder tracing a network intrusion. Sometimes you're just reacting to a suspected penetration, and need to learn if a particular system has been hit. If a compromised system is still running when the intrusion is detected, the best practice is to isolate that system and then inspect it while it's in operation to learn what hacker processes are active.
The guide's second chapter shows you how to characterize the processes on a system to determine if evil programming is afoot. If it is, you can then proceed to isolate the system and begin vivisection. The authors show how to use intrinsic OS utilities such as grep to search out the alterations in running processes, and then employ the forensic workbench combo First Responder Utility (FRU) and Forensic Server Project (FSP). These tools, written by security researcher Harlan Carvey, are a client/server pair that extract data from compromised systems and archive it safely off-platform.
Chapter three explains the use of the Unix dd (disk-to-disk) utility to slice up hard drive data for transfer en masse to another medium, for later reconstruction in its original byte-for-byte condition. This is an important evidence preservation step, since you'll eventually want to reformat the compromised system's hard drive and put the system back into production. The dd-archived data let you continue analysis in a safe Petri-dish environment.
In Chapter four you learn how to capture potential evidence from a live computer by recording the state of malicious processes. An interesting real-world example of the value of these techniques was the recent uncovering of the Sony Digital Rights Management "root kit" by Mark Russinovich. Here you learn how to use the netcat (nc) utility for Windows and Unix process analysis: finding the owning processes of network sockets, locating their executables on disk, and capturing the data being moved by those processes.
The final chapter is a mini-tutorial on parsing spoofed e-mail headers. This knowledge is important because e-mail is one of the primary vectors for virus and worm infection, and perpetrators almost always try to obscure the path back to them by spoofing message headers. However, careful analysis of headers will always lead you to the machine originating the message, which lets you ultimately cut off one path of future infection. Of course, if you own the offending mail server, you then have to repeat the whole forensic process on that machine.
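The header-walking technique the chapter describes, as an added example (not code from the CERT guide or this post): the message, its forged From: line and the relay names are all constructed, and the Received: lines are read in reverse so that the earliest hop, the one that injected the message, comes first.

```python
"""Walk the Received: chain of a message to find where it entered the mail path.

Added example, not from the CERT guide or the blog post. The message below is
constructed: its From: header is forged, and the top-most Received: line is the
only one written by a server we control, so hops are trusted less the further
down the chain (and further from our own servers) they sit.
"""
import re
from email import message_from_string

# Constructed sample: three relays. Each hop prepends its own Received: line,
# so the FIRST header is the most recent hop and the LAST is the earliest.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id C0FFEE
\tfor <victim@example.com>; Mon, 14 Nov 2005 08:26:00 -0800
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.org with ESMTP; Mon, 14 Nov 2005 08:25:58 -0800
Received: from mail.bigbank.example (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 14 Nov 2005 08:25:40 -0800
From: security@bigbank.example
To: victim@example.com
Subject: Please verify your account

Click here...
"""

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <relay>" as most MTAs write it.
# The HELO name is chosen by the sender; the bracketed IP is what the relay saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\s*\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_hops(raw):
    """Return hops oldest-first as dicts with helo, rdns, ip, by and suspicious."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue  # hop not in the common form; nothing to extract
        hop = m.groupdict()
        rdns = hop["rdns"] or "unknown"
        # Red flags: the relay could not resolve the sender, or the name the
        # sender announced in HELO does not match the name the relay resolved.
        hop["suspicious"] = rdns == "unknown" or rdns.lower() != hop["helo"].lower()
        hop["rdns"] = rdns
        hops.append(hop)
    hops.reverse()  # chronological order: element 0 is the injection point
    return hops


def originating_host(raw):
    """IP address of the earliest hop, i.e. the machine that injected the message."""
    hops = parse_hops(raw)
    return hops[0]["ip"] if hops else None
```

Only the Received: lines added by servers you administer are trustworthy; a sender can prepend fake ones below them, so the chain is reliable only down to the first hop your own server recorded.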
Despite the word "advanced" in the document title, this report provides minimum-level knowledge that every network administrator should possess. But the information isn't strictly for newbies. Even if you think you understand these procedures, you'll likely find some hidden nuggets of wisdom new to you.
http://www.cert.org/archive/pdf/05hb003.pdf
Posted by mbeckman on November 14, 2005 at 8:26 AM
There are two sets of passwords I must deal with in my life: my own and everyone else's. Users constantly forget their passwords, or mistype them because they're so CoNv0Lut3d, and only a technologist can resolve the problem for them. My own problem isn't not remembering my passwords, but being confident in them. I just don't think there is enough variation in the passwords I use to prevent massive data exposure should one of my passwords be compromised. I need something to educate my users -- and myself -- about the best means of password construction. Mark Burnett's book Perfect Passwords: Selection, Protection, and Authentication (2005, Syngress) aims to do just that.
Burnett knows a lot about passwords, because he's analyzed over a million of them. His research shows that most passwords are much less secure than their users believe. We all know people who choose passwords like "LetMeIn" with the misplaced expectation that they've hit on the perfect code. We're not so naive.
More sophisticated users employ password "strategies" -- little systems for creating passwords that presumably nobody will figure out. For example, a character substitution strategy that replaces certain letters with similar-looking digits (e.g., "s3cr3t5" mutated from "secrets") seems like it should be a vast improvement over ordinary dictionary words as passwords. Burnett shows how far wrong that intuition can be, by demonstrating the vulnerability of that and myriad other supposedly safe password strategies.
Sometimes users have random character string passwords forced upon them by well-meaning systems, but users can rarely commit such strings to memory and thus resort to writing them down, which leaves even complex passwords open to sudden compromise. Or a system can try to demand complexity by insisting that passwords contain a mix of letters and numbers -- a requirement most users readily circumvent. Even the common practice of frequently changing passwords is foiled by users making minor, but predictable, modifications to their previous password.
The solution to the password problem, Burnett points out, is understanding the ways hackers crack passwords, and knowing how to predict the vulnerabilities of a given password strategy. Armed with this information, and the handy tips the author provides, you can create passwords that are secure, compliant with strict password policies, and still memorable. And you'll be well equipped to train users in safer password strategies to boot.
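To show how little a character-substitution strategy buys, here is an added example (not Burnett's code, nor from this post) that undoes common substitutions before a dictionary check and counts how many variants the strategy can produce from one word; the substitution table and the five-word dictionary are constructed stand-ins for the far larger rule sets and wordlists a cracker uses.

```python
"""Why character-substitution passwords add little strength.

Added example, not code from Burnett's book or the blog post. The substitution
table and the wordlist below are constructed for illustration.
"""
import math
from itertools import product

# Look-alike substitutions a user might apply; a cracker's rule set is far larger.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
REVERSE = {sub: letter for letter, subs in LEET.items() for sub in subs}

# Constructed stand-in for a real dictionary of a few hundred thousand words.
WORDLIST = {"secrets", "password", "letmein", "monkey", "dragon"}


def deleet(candidate):
    """Map substituted characters back to letters: 's3cr3t5' -> 'secrets'."""
    return "".join(REVERSE.get(ch, ch) for ch in candidate.lower())


def is_dictionary_derived(candidate):
    """True if the password is a dictionary word, with or without substitutions.

    This is the check a password policy should apply: a cracker normalises
    candidates the same way, so the substitutions do not hide the base word.
    """
    return deleet(candidate) in WORDLIST


def substitution_variants(word):
    """How many distinct passwords the strategy can derive from one base word."""
    return math.prod(1 + len(LEET.get(ch, "")) for ch in word)


def enumerate_variants(word):
    """Every substitution variant of a word, which is exactly what a rule-based cracker tries."""
    choices = [ch + LEET.get(ch, "") for ch in word]
    return {"".join(p) for p in product(*choices)}


def bits_of_work(word):
    """Keyspace (in bits) of dictionary-plus-substitution versus a random password of the same length.

    The strategy's keyspace is the dictionary size times the variants per word;
    the random baseline assumes 95 printable ASCII characters per position.
    """
    strategy = math.log2(len(WORDLIST) * substitution_variants(word))
    random_equiv = len(word) * math.log2(95)
    return strategy, random_equiv
```

For "secrets" the strategy yields only 72 variants, so even with a real dictionary the search space stays tens of bits short of a random password of the same length.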
http://www.syngress.com/catalog/?pid=3420
Posted by mbeckman on October 28, 2005 at 8:39 AM | Comments (3)
Voice over IP has been around for years, and many were wondering when it would grow up. It just did. VoIP slammed through adolescence over the last year or so and is now a "newly mature" technology with many benefits and rapidly dropping deployment costs. But if you're new to the technology, it can be hard to get your arms around. That's where O'Reilly's new book "Switching to VoIP" fills a void. This gem of a techno primer by Theodore Wallingford explains VoIP better than any other book I've seen to date.
The book starts out with an essential introduction to the differences between legacy business phone systems, such as Key systems and PBXs, and VoIP switching. If you aren't familiar with such terms as POTS, trunk, T1, TDM, Dial Plan, ACH, and the like, Wallingford's first five chapters will give you a thorough grounding in telco talk. He also introduces the idea of running a Linux computer as an enterprise PBX, which will be shocking to some, but turns out to be very doable using the open-source VoIP software called Asterisk.
The book then dives into the details of VoIP signaling and transport, various sound encoding algorithms, and a checklist of issues you should address before rolling out a new VoIP implementation. For example, are your users ready to accept a major paradigm shift in their voice communications? Is your network beefy enough to accommodate the increased traffic of VoIP, and can you give VoIP packets the priority they need to maintain call quality and reliability? Do you have special security or regulatory compliance needs?
All these factors affect the cost and time to deploy VoIP. Wallingford helps you make a business case for (or against) VoIP, and if VoIP is in your future, explains how to construct a competent implementation plan, including vendor RFPs for equipment and software acquisition.
Once you begin rolling out a VoIP system, you'll encounter technical problems. Wallingford addresses these with seven chapters on operational topics: QoS, security and monitoring, troubleshooting tools, PSTN trunk issues, network infrastructure, legacy applications, and common problems. These chapters concentrate valuable old-hand VoIP deployment experience that you'd have to spend years accumulating on your own.
The book ends with chapters summarizing VoIP vendors and services, and the Asterisk open-source product. Three appendices provide handy references to SIP transactions, AGI commands, and Asterisk management APIs.
If you're seriously considering VoIP in your enterprise, this is the go-to book. It's available both in print and through O'Reilly's excellent Safari online book reading service.
http://www.oreilly.com/catalog/switchingvoip
Posted by mbeckman on October 13, 2005 at 8:47 AM
I'm a firm believer in open-source network security tools, both because they tend to be ahead of commercial products in paving new security roads, and because the experience they give you with security management is valuable in making intelligent commercial product choices. Alas, until recently you've had to do all your own research when setting up such open-source tools as Ethereal, Nessus, and Nmap. But now you can avoid a lot of trial and error testing thanks to the new O'Reilly tome Network Security Tools, by Nitesh Dhanjani and Justin Clarke.
Network Security Tools is a valuable survey of the field of open-source security utilities, including such popular programs as Nessus, the vulnerability scanner; and Ettercap, an Ethernet packet capture utility. The book also covers Nikto, a Web-server scanner; Metasploit, a test bed for developing and exercising exploit code; and a wide assortment of sniffers, port scanners, and security assessment tools.
The book explains how to write plug-ins for these tools so that you can extend them for your own applications, as well as how to remediate some common Web-based vulnerabilities. The authors explain how root kits work so you'll be able to spot them on infected machines and safely disarm them.
O'Reilly publishes the sample code for the book online so that you can readily test the authors' examples. I do wish the example code had better commenting, but when combined with the text you should have no problem understanding it. If you're experimenting with open-source security applications -- as you should be -- this volume will save you time and give you valuable insight into the security tool-building process.
http://www.oreilly.com/catalog/networkst/
Posted by mbeckman on May 2, 2005 at 8:51 AM
IPv6 is coming! IPv6 is coming!
OK, maybe not as fast as we once thought, but it is coming. IPv6 is the replacement for IPv4, which has been running out of address space for a while now, and which has a mess of security flaws that are the main reasons for such vermin as spam and viruses. IPv6 may not get here before you die, but just in case it does, you're well advised to be up to speed on it. And a great way to get up to speed is this new O'Reilly tome by Niall Murphy and David Malone.
There have been a lot of books and articles about IPv6 over the last few years. They all warn (a bit too ambitiously, it turns out) of the impending demise of IPv4, and they all sing the praises of IPv6: enough address space to give every star in the sky a public IP, ironclad security, the end of address spoofing, seamless interplanetary roaming, and Quality of Service up the wazoo. But none of these prior publications ever told you how, exactly, to make the transition to IPv6. This book does exactly that. In fact, its motto is "The chief thing is not to study, but to do."
The book starts out with the obligatory IPv6 background story. You can skim the first chapter if you're already a believer. But then Murphy and Malone do something completely uncalled for: They sing the praises of IPv4. Unlike their Chicken Little predecessors, these authors acknowledge that IPv4's death has been greatly exaggerated. They expound on the amazing resilience of the IPv4 Internet, which has scaled far beyond anything the protocol's original designers anticipated. They tell the tale of life-saving workarounds, such as network address translation and autoconfiguration, which bought time for us all. And they talk about IPv4's future. Yes, there is one!
In chapter 3 the writers roll up their sleeves and dig into the meat and potatoes of IPv6. This is necessary, if somewhat dry, knowledge, but Murphy and Malone liven up the discussions with wry quotes and footnotes. A classic one on the dangers of underestimating user needs: "As Bill Gates is alleged to have said, '640k should be enough for anybody.'" The authors point out some non-obvious features of IPv6, such as the lack of broadcast addresses -- multicast packets are used to accomplish the same functions more effectively, and more safely. This chapter spares no subject, covering every IPv6 protocol aspect: packet and address formats, header compression, routing, security, QoS, and mobile capabilities.
Once you understand the basics (I had to read Chapter 3 several times to get the hang of it), you're ready to deploy an IPv6 network, right? Wrong. IPv6 is not a seat-of-your-pants endeavor. You must plan your network design carefully, and the authors show you how to do that in Chapter 4. You'll learn how to get IPv6 address space, how to connect to the IPv6 Internet, and what you'll need to do to transition your existing infrastructure to IPv6 without crashing the network. It's sort of like doing brain surgery on yourself. While you're driving on the freeway. During rush hour. The authors provide helpful examples.
In Chapter 5 you finally get to configure something! This discussion explains the nuances of Linux, Macintosh, Unix and Windows configuration, router setup, troubleshooting procedures, and the proverbial Gotchas waiting for the unwary. Only after reading this chapter will you be wary and wily, and IPv6-qualified.
The remaining chapters cover maintaining and monitoring IPv6 networks, details of how IPv6 affects the most popular IP services, such as HTTP, FTP, and SMTP, and the intricacies of coding IPv6 applications.
No IPv6 book is complete without a prediction of future events. This one is no different, other than that the authors are brutally realistic. They point out, with classic understatement, that IPv6 still has a few loose ends, such as DNS. Then they pontificate on some of the future new applications that IPv6 might spawn. Thankfully, they refrain from putting a date to the IPv4 Apocalypse -- the first pundits I've seen take this high road.
You must own this book. Or get into real estate.
http://www.oreilly.com/catalog/ipv6na/
Posted by mbeckman on March 31, 2005 at 11:46 AM
Are you the neighborhood network guru, constantly pressed into service to solve DSL, WiFi, virus and spyware problems? Do distant relatives call you late at night, asking for you to just "tune up" their computers over the phone? Have you longed for a T-shirt that says "No, I will not fix your computer"? The next time you're faced with a needy user asking you to provide a shortcut to Reading the Friendly Manual, you can direct them to one of O'Reilly's two new tomes: Internet Annoyances and Home Networking Annoyances.
The subtitles for these books are "How to Fix the Most ANNOYING Things About Going Online" and "How to Fix the Most ANNOYING Things About Your Home Network", respectively. Instead of fishing through your friend's, relative's, or neighbor's computer mess to solve their problem, teach them to fish using excerpts from one of these volumes. Better yet, point them to http://www.ora.com and show them how easily they can buy the books online!
Internet Annoyances, by Preston Gralla, covers email annoyances, such as spam, as well as frequently asked questions about the email clients Outlook 2003, Outlook Express 6, Eudora 6, and Gmail. It also discusses internet connection problems, home networking basics, wireless and remote access, and web hosting adventures. A general browser section covers everything users need to know about blocking pop-up ads, preventing spyware, and efficiently surfing the web. A special AOL chapter discusses the foibles of that peculiar environment. Other chapters talk about instant messaging, Google, Amazon, eBay, Yahoo, and even cyber citizenship. This book covers 99.999% of all annoying user questions, leaving you free to answer the .001% of actually hard queries.
Kathy Ivens' Home Networking Annoyances provides the same 99.999% completeness for networking questions, ranging from Ethernet and connector problems to phone, power, and wireless networks. It goes into great detail on Windows user management and network troubleshooting, covering even such esoteric concepts (for home users) as mapped drives, network printing, and network design. Extensive chapters on security give step-by-step instructions for choosing and deploying firewalls, blocking viruses and spyware, and keeping out network snoops. The chapter on backups gives you an out when the worst happens and a user's computer is completely erased. Just point to that section and say "What, you didn't do this?"
Both books are written in a lively, accessible style that any non-expert reader can readily navigate. For more information on either book, including a sample chapter, visit:
http://www.oreilly.com/catalog/internetannoy/toc.pdf
http://www.oreilly.com/catalog/homenetannoy/toc.pdf
Oh, and for that "No, I will not fix your computer" T-Shirt, go to ThinkGeek.com:
http://www.thinkgeek.com/tshirts/frustrations/388b/
Posted by mbeckman on January 31, 2005 at 8:23 AM
Wi-Foo: The Secrets of Wireless Hacking
(Vladimirov, Andrew, et al.; Addison Wesley, June 2004; ISBN 0-321-20217-1, 592 pages)
There are a lot of WiFi security books out there, but most of them are shallow rehashes of basic security issues without a lot of hands-on depth.
One test I use to gauge the mettle of a WiFi security tome is to see what it says about VPN encryption. If you don't already know, VPN encryption is the only way to reliably protect WiFi network traffic; WEP, WPA, and 802.11i all have serious flaws that make them vulnerable to attack.
Most WiFi guides make only a passing reference to VPN encryption. Wi-Foo passes my test by incorporating an entire chapter on VPNs, with detailed instructions on setting up VPN protection using open source components. This definitely piqued my interest in the rest of the book, and I wasn't disappointed with what I found.
Wi-Foo is an insider's guide to securing wireless networks, taking the point of view of an attacker. The book teaches you about 802.11 network hardware and software, and then graphically illustrates WiFi vulnerabilities by giving you detailed instructions on exploiting them. Some might worry that this amounts to a hacker's instruction manual, but trust me -- the real hackers have had this information for a long time.
Wi-Foo gives you a clear description of hacker processes without forcing you to go through the trouble of digging up the information online -- something most hackers are willing to spend hours doing, but which most network security administrators can't afford. The book describes Wardriving -- the act of traveling around a city looking for victim networks -- and how to attack prospective victims once you've found them. It then explains how to effectively thwart such attacks, how to select appropriate encryption algorithms for a given application, and how to monitor your now-secure network for intrusion attempts and potential break-ins.
A series of appendices provides handy reference material on WiFi equipment and utilities, and an extremely useful penetration test plan that you can employ immediately to test your own WiFi security.
I've looked at every WiFi security book currently in U.S. publication, and this one is by far the best of the breed. It's essential reading for every network security guru. If you aren't a guru and don't think you need all the information in this huge volume, it's worth adding to your O'Reilly Safari bookshelf for a month of online reading.
The publisher's site:
http://www.aw-bc.com/catalog/academic/product/0,1144,0321202171,00.html
Read the book online at O'Reilly's Safari library:
http://safari.oreilly.com/JVXSL.asp?xmlid=0321202171
Posted by mbeckman on December 15, 2004 at 1:17 PM | Comments (0)