You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

… and if you think you are a competent programmer, please don’t flame at me and listen to Ron’s last sentence!

Enjoy and happy Friday!

I’m writing this post while seated on a train going from Birmingham’s International Airport to Banbury, a small town located in the heart of Oxfordshire. It’s only a 40 minutes trip but I really enjoy it, especially if I have a good album to listen to (like that of The Script I’m listening now), some coffee and the nice view of the English countryside I can see through the window right now.

I come to Banbury very often, like once every two or three months, most of the times to hold meetings with my team colleagues, to support ISO 27001 audits or to conduct onsite assessments. None of those are the main purpose of my visit this time. After delivering a new one-day session on Incident Response and Computer Forensics at my employer’s European offices in Leiden (the Netherlands), Bochum (Germany) and Warrington (UK), it’s now Banbury’s turn.

The goal of this sessions is to train our ICT staff on how to best react to security incidents while preserving volatile and non-volatile evidence, but at the same time to give them an overview on what Computer Forensics is all about, so they can understand the importance of handling digital evidence appropriately.

While I’ve run similar sessions in the past, I’m particularly happy with the new material that I’ve put together this time, and the feedback I’m getting from the people that have attended this sessions (more than 25 so far) confirms me that.

I can’t give much detail on its content now (and I will tell you why in a bit) but all I can say is that the training is now packed with hands-on exercises that uses a virtual machine as a portable forensics lab and the image of a compromised Windows 2003 Server as the target of the analysis. It’s based on a real-case scenario and illustrates the methods and the tools that are typically used throughout the course of a real computer forensic investigation. Really useful and fun stuff!

The reason why I can’t give much detail now is because earlier this year, Ewa Dudzic, Editor in Chief of Hakin9 magazine, invited me to write an introductory article on Computer Forensics for their well-known and prestigious magazine, and that article is actually based on the content of the training described above. Now I’m glad to see that the current issue of the magazine announces that the first part of my two-series article will be published in the next issue of Hakin9, that is 4/2009. The article will not just include a step-by-step guide to forensic response and investigation but also references to all the tools and images you can use to set up your own forensic lab and do the exercises at home. Stay tuned, as I will post more details on that as soon as the article is released.

In the meantime I will carry on with my ‘European tour’ that I expect to finish at my home office later in May. Remote locations like India and Sydney might come next, possibly during the second half of 2010.

No doubt, one of the best things about delivering this training is that it’s given me the opportunity to spend more time with colleagues from different geographies and, why not, to have some fun after work. As you can see in the pictures below, I even had the opportunity to watch a live game at Old Trafford!

Watching Manchester Utd vs Porto live at Old Trafford, the Theatre of Dreams! (UEFA Champions League 2009)

Great time riding through the streets of Leiden, in the Netherlands

Thanks Andy and Paul for such a great time

Besides that, there are plenty of rumours about a possible Conficker attack on 1st April. I know you may think it’s all hype or scaremongering, and it might well be. But, if you run a large corporate network I’m sure you don’t want to sit down and wait until 1st April to find out.

If that’s the case, you have to know that the Honeynet Project has been working on a way to detect Conficker-infected machines and that they have just released a scanner for this task. The scanner is available as a python script and as a windows .exe executable, and can be used to scan a single host or a whole network range.

When run it on my mac the output looked like this:

# ./scs.py 192.168.1.1 192.168.1.254

———————————-
Simple Conficker Scanner
———————————-
scans selected network ranges for
conficker infections
———————————-
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
———————————-

No resp.: 192.168.1.1:445/tcp.
No resp.: 192.168.1.82:445/tcp.
No resp.: 192.168.1.80:445/tcp.
No resp.: 192.168.1.81:445/tcp.
No resp.: 192.168.1.95:445/tcp.
192.168.1.99 seems to be clean.
192.168.1.101 seems to be clean.
192.168.1.85 seems to be clean.
192.168.1.97 seems to be clean.
192.168.1.106 seems to be clean.

Alternatively, popular scanners like nmap, Nessus and others have quickly updated their plugins to support Conficker detection. At the moment, Nmap 4.85beta5 has all the scripts included, and it’s now ready for download at http://nmap.org/download.html. If you’re are running a Unix-like system you probably want to update nmap from svn:

$ svn co –username=guest –password=” svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install

Then run nmap using the new NSE script:

$ nmap –script=smb-check-vulns –script-args=safe=1 -p445 -d <target>

As of Nessus, use plugin #36036 to detect any variant of Conficker.

The Honeynet Project has also released Snort signatures to detect Conficker.A and Conficker.B traffic. Make sure you update your IDS sensors with these signatures and be ready to monitor your console over the next few days. If you don’t have any IDS technology in place (I will resist the temptation to ask you why by now) but you have access to a network span port, you can still plug any Unix-like box in and run ngrep like this:

$ sudo ngrep -qd eth0 -W single -s 900 -X
<insert shellcode string from here>
‘tcp port 445 and dst net <local network range>‘

Further details about Conficker fingerprint and the detection methods and tools can be found here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Good luck.

That’s been what I call my ‘SANS itinerary’ since I started this exciting journey back in June 2007. It all started at SANS Secure Europe, in Brussels, where I took my first SANS class with Jess Garcia, CEO of One eSecurity and a good friend of mine. It was SECURITY 508, System Forensics, Investigation & Response, an awesome track created by Rob Lee on one of the most interesting and hot topics of Information Security. It’s been almost two years since then, but now I realize the tremendous positive influence that event had in my career as a security professional.

Early on the first day, I could see that was a different kind of training, far different from all the training sessions I had attended before, including the well-known CISSP bootcamp and vendor specific training like Checkpoint’s and others I took in the past. Unlike those, this was real hands-on training, with lots of exercises and challenges, including the use of several virtual machines and an arsenal of security tools you can take home with you. Also, the amount of material you receive throughout a 6-day course is awesome. Someone described it like “drinking directly from a fire hose”. Actually, I can’t describe it better.

Add to that a friendly, relaxed but yet professional atmosphere, and the multiple opportunities you get for both networking and sheer knowledge with attendees and instructors and you will understand why Brussels was only the start.

With Carlos Fragoso and Richard Fadul at SANS Secure Europe 2007 in Brussels

Next came London, in December 2007. That time I chose the challenging SECURITY 503: Intrusion Detection In-Depth. I don’t exaggerate if I say this is the most advanced course in network intrusion detection and traffic analysis that has ever been taught, and by far the most valuable course I’ve ever taken. The quality of the material is outstanding (I keep using it as a valuable reference) and the fact that I had Dr. Johannes Ullrich (Chief Research Officer for the SANS Institute and responsible of the Internet Storm Center) as instructor was really a plus. Even if you knew nothing about IDS I guarantee the first thing you will do when you’re back home is setting up a Snort sensor or even deploying a Sguil NSM System!

Last thing I can say about this course is that I actually enjoyed it three times: first at the live event, second when I went through the entire courseware and exercises again to prepare for the GIAC exam, and third, when listened to the mp3 files of Mike Poor teaching the same material in a different venue. Two instructors for the price of one!

The same was true of my third stop, SANS Sydney in November 2008. This time it was SECURITY 560: Network Penetration Testing and Ethical Hacking, delivered by Mike Poor (I was looking forward to meeting him!!) and authored by Ed Skoudis.

While this is described by SANS as “one of the most technically rigorous courses offered by the SANS Institute”, I had some advantage with this one. While my previous experience in areas like Forensics and IDS was limited, I had been doing penetration testing at different professional levels for more than 8 years. Although I was certainly familiar with many topics and tools like Nessus, Nmap, Metasploit and others, there were plenty of advanced tips and tricks that made this course worth the money. I will just tell you that the section on Windows command line kung fu for pentesters and the exercises on password cracking using advanced Netcat relays will leave you breathless!

Ultimate hacking with Damian Grace and Robert Di Pietro at Mike Poor’s class in Sydney!

Then again, I enjoyed listening to Ed Skoudis’ mp3 files while commuting to work for the last couple of months before I took my GPEN exam. Thanks Ed for making traffic jams a lot more bearable!

My GIAC Certs: GCFA, GCIA and GPEN. Watch the 99% score on the last one!

As I said before, so far this journey has given me the opportunity not just to receive top quality training from some of the best security instructors in the world, but also to meet great professionals, colleagues and friends that make you feel part of a unique security community. Some of the people I’ve had the opportunity to meet and even hang out with includes Jess Garcia, Mike Poor, Johannes Ullrich, Raul Siles, David Perez, John Fitzgerald, Pieter Danhieux, Richard Fadul, Carlos Fragoso, Almerindo Graziano, Jonathan Ham, Justin Clarke, Robert Di Pietro, Chris Mewett, Damian Grace, etc… and many others I am fortunate to keep in touch with.

Now, the next stop in my ‘SANS itinerary’ will be Amsterdam in May this year. This time I’m proud to say that I’ve been selected to facilitate at SECURITY 542: Web App Penetration Testing and Ethical Hacking, a new 6-day track written by Kevin Johnson and focused on finding and exploiting web application attack vectors. Seth Misenar will deliver this track at SANS Secure Europe 2009 in Amsterdam.

Best thing this time is that, in addition to attending the course, as a room facilitator I will have the opportunity to work closer with all the instructors (specially with Seth) and other fellow team members.

I look forward to that!

Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

• Sergio Hernando’s Blog (in Spanish)
• Dancho Danchev’s Blog
• Sophos
• Trend Micro
• The Register
• The Web Hacking Incidents Database
• CyberCrime Updates Blog
• Hackers Center Blog
• Net-Security
• Kriptopolis (in Spanish)

It’s interesting to note that all of them gave credit to my post as the first report on the issue, all except one: Trend Micro. The reason became clear when I read Paul Baccas’s post on SophosLabs:

“The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.”

So, there you go. It’s obvious that Trend Micro didn’t want to include a link to a post that included a screenshot of Sophos for Mac picking up the virus. Awesome!

On the other hand, it’s fair to say that Trend Micro posted an excellent report on the incident, including updates on their analysis:

Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.

…

Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr.suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.

I didn’t check the website for a while, but as of yesterday, embajadaindida.com redirects to embassyindia.es, a new domain that hosts a new website. This confirms what I was told by the Consul of India in Madrid when I called to report the incident last week. Back then I was told that the old compromised website was going to be replaced by a new one in the coming days.

Whether all these news pushed them to deploy it before they planned I don’t know, but at least we’re all glad that action was taken and that the site seems to be clean, by now…

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

• msn-analytics.net
• pinoc.org
• wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those has hosted malicious sofware that has infected at least 33 domains in the last 90 days, as shown below.

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or to a vulnerability in any of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.

I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist to write a comment on that discussion about what the best IDS system is. Not when I read the following comment:

Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.

The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.

Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.

Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:

I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.

Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005″. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).

First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.

However, an IDS is not that different to an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take and IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.

However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tunning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised on a third-party, namely Managed Security Services Providers (MSSP).

As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest to combine both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.

Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.

As of commercial IPS solutions I have a very good feedback from Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.

Feel free to flame me if I’m wrong.

Whatever you did, and despite the amount of money you spent, one thing is for sure: if you are reading this it’s safe to assume that you are still interested in reading about good infosec stuff, aren’t you?

Keep reading then and have a look at the following links containing a few interesting security tools, new forensic challenges and even a new Multi-Boot Security Live DVD:

• DFRWS 2008 Rodeo (forensic challenge): The 8th annual Digital Forensic Research Conference was held from August 11 to 13, 2008 in Baltimore, MD. A key element of this conference is the “forensic rodeo”, a challenge where conference attendees form teams to solve a digital forensic problem. The DRFWS has made the materials for the 2008 Forensic Rodeo available on their website for educational purposes and to support further research in memory analysis and file carving. The scenario description and the image files can be downloaded http://www.dfrws.org/2008/rodeo.shtml
• The Open Computer Forensics Architecture (OCFA): OCFA is a modular computer forensic framework developed by the Dutch National Policy Agency meant to be used in large investigations. If you want to give a try you can download the required packages from their main site: http://ocfa.sourceforge.net/
• Splunk: Splunk is a log archiving product that allows to search, navigate, alert and report on all logs in real time. Plus it’s free and available for all platforms on http://www.splunk.com/download
• Multi-Boot Security LiveCD DVD: A new all-in-one multipurpose LiveDVD that combines some of the very popular LiveCD ISOs already available on the Internet:
  • Backtrack 3
  • Damn Small Linux 4.2.5
  • Knoppix 5.1.1
  • Ophcrack 1.2.2 (with 720 mb tables)
  • Puppy Linux 3.01
  • and a few more…

I’m currently downloading the 4GB MultiISO .torrent file and will it give a try soon. Shame that Helix is not part of the DVD, but still looks like a handy tool to have in your Incident Response jump bag.

Enjoy and good luck with you holiday blues!

Now that my body is starting to recuperate from the 8 hours time difference, I’ve decided to upload a few pictures to the Photos area. There aren’t that many at the moment, but I’ll keep uploading more as I go.

Before arriving, a friend told me that Sydney was his second favourite city in the world (after Boston) and I can understand why he thinks so. Sydney seems to be a young, modern and vibrant city that has an interesting mix from Europe, Asia and America. Also people seem to be quite open and friendly.

Still have a week left in the land ‘Down Under’ so hopefully will have time over the weekend to do the tourist again and take some more pics to show you.