Sunday, April 25, 2010

Day 2 at LinuxFest

Another great day at Linux Fest! I attended excellent presentations on Digital Forensics by Hal Pomeranz and Brian Pate (2 hours), both of which were very useful and felt very "hands on".  I can't say enough good things about LinuxFest. The organizers are doing Whatcom County business development a tremendous favor.  In reality, I think the Chamber of Commerce and the City of Bellingham should be helping to fund this volunteer supported event every quarter.  Talent comes from all over the Northwest: Seattle, Portland,  Tri-Cities, Olympia, Bothell, Mt. Vernon, you name it.  I made contacts, met vendors, passed out business cards and had great discussions. Learned a lot as well.

Thank you LinuxFest NorthWest!!!!

Saturday, April 24, 2010

Brilliant Day 1 at LinuxFest NorthWest

I had a brilliant first day at LinuxFest NorthWest. I sat through five presentations on privacy and computer security in Haskell 115 at Bellingham Technical College. Brian Alseth of ACLU of Washington delivered the usual terrifying description of how data mining is  destroying privacy.  John Lock talked about Web Commerce Security. Gary Smith of PNL gave and excellent talk on Linux Server Hardening. Hal Pomeranz finished up the day with two hours on SE Linux. Wow! What a beast SE Linux is...

LinuxFest...a great thing.

Wednesday, April 21, 2010

Joanna Rutkowska and ITL and "Security by Isolation"

A day spent reading the research of Joanna Rutkowska and her Invisible Things Lab is a day spent improving your IQ. Ms. Rutkowska is famous for describing vulnerabilities in SMM, BIOS, and VM hypervisors.  In short, rather than attack the Operating System (although she has done some of that as well), she and her team attack the layer between the Operating System and the hardware; specifically rings -1, -2, -3 to use her terminology.  Her work has led her to some drastic conclusions about hardware and digital security.  In Joanna's universe, it is not that "game is over" but that the digital industry has never really fielded a team that could win yet. To do something about this, she and her team have developed a  customized version of Linux (Qubes-OS); partitioning off OS components into VMs to prevent the spread of malware through the access of "universal privilege" (my own term).

What do I mean by "universal privilege"? [Beware, the author's own untutored verbiage is to follow...] Computers are strange but beautiful machines.  When the first computational devices were built, we wanted to send in questions and retrieve answers. After computer scientists achieved this breakthrough, they spent the next half century attempting to generate increasing profits by increasing the speed at which answers to their questions would be returned. And they did a damn fine job at this. The increase in computational speed has to count as the single greatest technical advancement of our species by this point in history. Watch any movie about the Hubble or the Mars Rover and ask yourself: How would that happen without digital data? We have designed our computational efforts as if we were children with thirsty minds and ravenous social needs; ready to exercise our "universal privilege" to discuss/communicate/download whatever our minds and souls desire.

Security is mainly the story of protection. Secrecy is mainly the story of compartmentalization. In contrast to the development of computational speed, we've done a poor job at protection and compartmentalization of computers and their networks.  In fact, we've been so concerned about the spread of information, we've done everything possible to unleash the flow of digital data across the world.  PCs and Servers are now everywhere, in every complex product, in every country. Our computer networks are now the most tangible and real-time evidence of our civilization. Computers still retain all of the "strange and beautiful" architecture designed upon the premise that we want very little between our computers and fast answers to our questions.  We are by nature social creatures with unbounded curiosity and potentially unbounded need for "end to end" trust. Unfortunately, the reality of unconstrained digital response has helped created powerful  offensive weaponry in the untrustworthy world we live in.

So now back to universal privilege and Joanna Rutkowska and her team at Invisible Things Lab.  Eschewing (in part) the drive for secure code and secure micro-kernels, Joanna and her team attempt to do the following: 

"Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system."

They achieve this "security by isolation" by compartmentalizing their OS into secure virtual machines. It is a  timely idea. As if to prove this, the NSF gave a $1.5 M dollar grant to an University of Illinois researcher nearly days after ITL's announcement of Qubes to do something similar. "Security by isolation" is an ancient concept thoroughly deployed by computer and software architecture at all levels. There are numerous examples: CPUs break down access to the processor into "Rings" (0-3).  Operating Systems break down execution in kernel and userland and then compartmentalize execution further. Some kernels just boot the most basic OS components, (Most desktop OS kernels are monolithic). Software compartmentalizes (perhaps 'componentizes') itself into functions, system calls, objects, and libraries. Some software, like Java and C#, works hard at making code live in a secure 'sandbox'. Part of the developmental reason for object oriented programming (originally) was (marginally) security-based: 'encapsulation'. Networking software has followed the trend of security by compartmentalization from switch fabric to firewalls to NAC. Hosted services, in some very real sense, are a form of "security by isolation".

In reality, we continue to invent "security by isolation" in kernels, software layers, networks, network components, firewalls, and virtual machines. As processor speed grows in an untrustworthy world, the desktop and network will always continue to need the most advanced compartmentalization to protect them from the expanding digitized world. To this end, our "universal privilege" to keep asking questions of each other will always be haunted by the necessity of  "security by isolation".

Sunday, April 18, 2010

tcpslice II

More uses for tcpslice, ipsumdump, BASH 4.1 :

[This gives you today's top source IP and source IP Port combination: 

/usr/sbin/tcpslice `date +%Y"y"%m"m"%d"d"` $BASH_ARGV | ipsumdump --no-headers -sD - 

./ | sort -nr | uniq -c | sort -nr
     13 7959
      3 5900
      3 23
      3 8085
      3 5900
      2 23 ...

This gives you today's top source IP and source IP location:

/usr/sbin/tcpslice `date +%Y"y"%m"m"%d"d"` $BASH_ARGV |
for i in `ipsumdump --no-headers -s -`
     do echo $i : $(printf "%s" `./ $i | awk -F":" '{print $2}' | awk -F"," '{print $1","$2","$3}' ` ) 

./ | sort -nr | uniq -c | sort -nr
     13 : NL,07,Amsterdam
     12 : CN,22,Beijing
      4 : CN,32,Chengdu
      3 : RU,43,Lipetsk
      3 : US,NH,Nashua
      3 : IPAddressnotfound,,
      2 : US,WA,Bothell ...

where '' is:
geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $1

I note that file names like this '' don't process through tcpslice.

Wednesday, April 14, 2010


Tcpslice is a useful tool from LBL network group that allows you to carve up a large pcap file format into time slices. 
To look at the start and finish time stamps of the entire pcap file in various time formats:
tcpslice -r  Mon Mar  8 11:08:09 2010        Mon Apr  5 09:09:37 2010
tcpslice -t  2010y03m08d11h08m09s660222u     2010y04m05d09h09m37s390876u
tcpslice -R  1268075289.660222       1270483777.390876
To return data from a particular time slice to a file with BPF filters use syntax like this: 
tcpslice 1257347146.060 1257347146.061 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host'
(Check out bothunter logs for more examples like this..)
In this example, I want all the packets that are not IPv6 for one date:
/usr/sbin/tcpslice 2010y04m05d | /usr/sbin/tcpdump -r - 'not(ip6)' | less
reading from file -, link-type EN10MB (Ethernet)
01:06:17.290514 IP > S 1607742099:1607742099(0) win 65535 
01:40:16.181816 IP > SWE 498716114:498716114(0) win 5840
01:40:19.172942 IP > SWE 498716114:498716114(0) win 5840
01:44:01.423708 IP hn.kd.ny.adsl.x11 > S 833421312:833421312(0) win 16384
03:37:06.073237 IP > S 1175613974:1175613974(0) ack 143375003 win 14420
04:07:03.019711 IP > S 363594672:363594672(0) win 8192 ...
Now I want all ms-sql-s destination packets from the ingress pcap that are not IPv6 for all of March:
/usr/sbin/tcpslice 2010y04m01d 2010y04m31d | /usr/sbin/tcpdump -r - -n 'dst port(1433)'
reading from file -, link-type EN10MB (Ethernet)
18:33:42.614843 IP > S 908984320:908984320(0) win 16384
23:38:50.771853 IP > S 47316992:47316992(0) win 16384
03:35:18.351118 IP > S 640548864:640548864(0) win 16384
11:09:45.631103 IP > S 1613627392:1613627392(0) win 16384
00:47:21.207593 IP > S 648937472:648937472(0) win 16384
08:56:05.732622 IP > S 47316992:47316992(0) win 16384
18:06:53.798198 IP > S 648937472:648937472(0) win 16384 ...
Something similar, but a little cleaner, can be done with ipsumdump:

/usr/sbin/tcpslice 2010y04m01d 2010y04m31d | ipsumdump -tsD | grep -w 1433
1270172022.614843 1433 
1270190330.771853 1433 
1270204518.351118 1433 
1270231785.631103 1433 
1270280841.207593 1433 
1270310165.732622 1433 
1270343213.798198 1433 ...

Saturday, April 10, 2010

One year anniversary

Today is the one year anniversary of this blog. This is my 48th post in that time period. According to Google Analytics, 1,250 “absolute unique visitors” have provided for 1,566 visits from 781 unique cities from 78 unique countries. 72 page titles were viewed a total of 2,241 times. Here are some of the most popular pages:

Actually, I have no idea what to make of any of these numbers. 

Monday, April 5, 2010

More fun with ipsumdump

More fun with ipsumdump. Below, sorting March ingress by COUNT(SIP), COUNT(SPort), Sorted GeoIP location. All very fast.

ipsumdump -s --no-headers |
sort -nr | uniq -c | sort -nr | less



ipsumdump -S --no-headers |
sort -nr | uniq -c | sort -nr

   6523 80
   1669 443
   1220 12200
    553 63585
    468 19150
    459 19099
    238 6000
    198 19135
    156 19134
     93 21
     46 110
     34 5242
     30 9875
     21 52079
     21 35356
     20 1935

for i in `ipsumdump -s --no-headers |
             sort -nr | uniq |sort -nr`
             echo $i ` $i | awk -F: '{print $2$3}'`
done CN, N/A, N/A, N/A, 35.000000, 105.000000, 0, 0 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 11, Xupu, N/A, 27.909401, 110.585800, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0

Friday, April 2, 2010

"One Page Checklist for Securing and Cleaning a Malware Infected Windows PC"

In this process, you are looking for outbound and inbound communication and connection attempts that seem suspicious – data transfers that you can not account for, processes that seem inexplicable, or unsigned files. You may or may not see logon attempts, registry changes, file creation, file access, file permission changes. You may need to correlate Network Monitor logs with network ingress and egress firewall logs. Additional info at: