Saturday, 26 July 2008


The Portsentry daemon binds to a selection of unused TCP (and, optionally, UDP) ports on a host. Nothing legitimate should ever connect to these ports, so the goal is simply to log any attempt to access them. Portsentry can also do any of the following when it receives a packet on a port it is monitoring:

  1. "Null route" the attacking host by adding a dead route for it to the local routing table, so that any reply to that host goes nowhere,
  2. add a block rule for the host to the local firewall (a cheap IDS/IPS that blocks hosts scanning you), or
  3. run an arbitrary command defined in the configuration.
You would use this on ports that are commonly attacked in order to detect reconnaissance against your systems. An example would be monitoring access to TCP 1433 inside a network. An employee or contractor who is "looking around" the network for SQL servers without authorisation will be logged the moment they touch this port on the Portsentry host. As no legitimate access to that port should ever occur, it is at the very least worth asking why the individual was connecting to it...

Portsentry can also be used to detect half-open (SYN) and other stealth scans (FIN, NULL, XMAS) against a host. One caveat before enabling the automatic blocking options: a scanner that spoofs its source address can make Portsentry block whichever host it names, so list your gateways, DNS servers and monitoring systems in the Portsentry ignore file. Hits from those hosts are still logged, but never acted on.
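The behaviour described above, as a worked example added here (this is not Portsentry's own code): a small TCP tripwire that binds ports nothing should legitimately touch, logs every completed handshake, and hands the source address to a reaction hook unless the source is on an ignore list. The port list, the gateway address 192.0.2.1 and the iptables hook are assumptions for the demonstration; the hook only builds the rule and logs it rather than running it.

```python
"""TCP port tripwire in the spirit of Portsentry's basic TCP mode. Added example;
not Portsentry's own code."""
import logging
import socket
import threading
import time
from collections import namedtuple

log = logging.getLogger("tripwire")

# One record per completed connection; "acted" says whether the reaction hook ran.
Hit = namedtuple("Hit", "when src_ip src_port dst_port acted")


class PortTripwire:
    def __init__(self, ports, bind_addr="0.0.0.0", ignore=(), on_hit=None):
        self.ports = list(ports)
        self.bind_addr = bind_addr
        self.ignore = set(ignore)   # hosts that are logged but never acted on
        self.on_hit = on_hit        # callable(src_ip, dst_port), e.g. add a firewall rule
        self.hits = []
        self._lock = threading.Lock()
        self._socks = []
        self._running = False

    def start(self):
        """Bind each port and start one accept loop per port; returns the bound ports."""
        self._running = True
        for port in self.ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.bind_addr, port))
            s.listen(16)
            s.settimeout(0.2)       # lets the accept loop notice stop()
            self._socks.append(s)
            threading.Thread(target=self._serve, args=(s,), daemon=True).start()
        return [s.getsockname()[1] for s in self._socks]

    def _serve(self, sock):
        dst_port = sock.getsockname()[1]
        while self._running:
            try:
                conn, (src_ip, src_port) = sock.accept()
            except socket.timeout:
                continue
            except OSError:         # socket closed by stop()
                break
            conn.close()            # say nothing to the scanner; the handshake is the evidence
            self._record(src_ip, src_port, dst_port)

    def _record(self, src_ip, src_port, dst_port):
        log.warning("tripwire hit: %s:%d -> tcp/%d", src_ip, src_port, dst_port)
        acted = False
        if src_ip in self.ignore:
            log.info("%s is on the ignore list: logged, not blocked", src_ip)
        elif self.on_hit is not None:
            self.on_hit(src_ip, dst_port)
            acted = True
        with self._lock:
            self.hits.append(Hit(time.time(), src_ip, src_port, dst_port, acted))

    def wait_for_hits(self, count, timeout=3.0):
        """Return a copy of the hits once at least `count` exist, or when timeout expires."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.hits) >= count or time.time() >= deadline:
                    return list(self.hits)
            time.sleep(0.01)

    def stop(self):
        self._running = False
        for s in self._socks:
            s.close()


def iptables_drop_rule(src_ip, dst_port):
    """Reaction hook: builds (and only logs) the rule a blocking deployment would run."""
    rule = ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]
    log.warning("would run: %s", " ".join(rule))
    return rule


def probe(port, host="127.0.0.1"):
    """Play the scanner: complete a TCP handshake to one port, then hang up."""
    with socket.create_connection((host, port), timeout=2):
        pass


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    # 1433 is the SQL Server port from the post; all three must be free on this host.
    # 192.0.2.1 stands in for a gateway that must never be blocked (hypothetical address).
    tw = PortTripwire([1433, 3306, 5900], bind_addr="127.0.0.1",
                      ignore={"192.0.2.1"}, on_hit=iptables_drop_rule)
    tw.start()
    probe(1433)                     # someone "looking around" for SQL servers
    for hit in tw.wait_for_hits(1):
        print(hit)
    tw.stop()
```

Run it and the probe of 1433 appears as a warning together with the rule that would have been inserted. Whatever hook you plug in, keep the ignore list populated: the one real cost of auto-blocking is being tricked into blocking a host you depend on, and the hook is called with whatever source address the kernel saw.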

Details on how to configure Portsentry may be found at:

Friday, 25 July 2008

What's Sudo

Sudo changes UNIX security from an all-or-nothing model (you are root, or you are not) into a structured and granular means of allowing selected tasks to run with privilege. Windows offers a loose analogue in the "runas" command, although runas requires the password of the target account and does not restrict which commands that account may then run.

What SUDO does is:

  • Allow a normal user (a non-root account) to run individual commands with root privileges, but restricted to only those commands.
  • The user still authenticates with their own password; they do not need to know the root password.
  • Different commands may be granted to different users and groups, and the privileged commands of one user need not be the same as another's.
  • It allows the creation of roles (aliases of users and of commands in the sudoers file).
  • All commands are logged against the user who ran them, not against root.
  • Any unauthorised command attempt is logged and can generate an alert that is emailed to an administrator.

A list of other programs similar to SUDO may be found at:

SUDO is still the most widely used program of its type.

To run a command with privilege, the user simply prefixes the command they wish to execute with sudo. For instance:

"sudo /bin/lsof"

SUDO helps to provide:

  1. Accountability,
  2. Least privilege (through roles), and
  3. Clean termination of access.

When a user leaves, their access was never tied to a shared root account, so it can be removed without touching anything else and the system runs on as normal. Further, because the settings are defined as a role, it is simple to move another person into the role of the user who has left.

Finally (for this post, at least), SUDO supports many forms of authentication and uses a time stamp (the timestamp_timeout setting) to minimise the number of times that a user needs to enter a password.
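The role-based setup described in this post, as a worked example added here (it is not part of the original post): a small sudoers policy written as roles, together with a check that flags the entries a reviewer would want to catch before they reach production. The policy text, user names, paths and the mail address are constructed; the parser understands only the subset of sudoers syntax used in the sample.

```python
"""Least-privilege lint for a sudoers policy. Added example, not part of the
original post; it understands only the subset of sudoers syntax used below."""
import os
import re
import shlex

# Constructed sample policy. Roles are aliases: one User_Alias per role and one
# Cmnd_Alias per task, so moving a person into a role is a one-line change and
# removing a leaver never touches the root account.
SAMPLE_SUDOERS = """
# --- roles (who) ---
User_Alias  DBA      = alice, bob
User_Alias  WEBOPS   = carol
# --- tasks (what) ---
Cmnd_Alias  DB_ADMIN = /usr/sbin/service postgresql *, /usr/bin/pg_dump
Cmnd_Alias  WEB_RO   = /usr/bin/lsof, /usr/bin/tail /var/log/apache2/*
# --- logging and alerting (all standard sudo options) ---
Defaults    logfile=/var/log/sudo.log, mail_badpass, mail_no_perms, mailto=secops@example.com
# --- role assignments: user  host = (run-as) [tags:] commands ---
DBA     ALL = (postgres) DB_ADMIN
WEBOPS  ALL = (root) WEB_RO
dave    ALL = (ALL) NOPASSWD: ALL
erin    ALL = (root) /usr/bin/vim
"""

# Programs that let the caller spawn a shell (":!sh" in vi, "!" in less, find -exec ...).
SHELL_ESCAPES = {"vi", "vim", "less", "more", "man", "nano", "emacs", "find", "awk",
                 "perl", "python", "python3"}

SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
                     r"\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmnds>.+)$")


def parse_sudoers(text):
    """Return user aliases, command aliases and user specs from sudoers text."""
    policy = {"user_aliases": {}, "cmnd_aliases": {}, "specs": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Host_Alias", "Runas_Alias")):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            key = "user_aliases" if kind == "User_Alias" else "cmnd_aliases"
            policy[key][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + line)
        policy["specs"].append({
            "user": m["user"], "runas": m["runas"] or "root",
            "tags": {t.strip() for t in m["tags"].split(":") if t.strip()},
            "cmnds": [c.strip() for c in m["cmnds"].split(",")]})
    return policy


def expand(name, aliases):
    """Recursively expand an alias into its members; a plain name is returned as-is."""
    return [x for m in aliases[name] for x in expand(m, aliases)] if name in aliases else [name]


def audit(text):
    """Flag entries that break least privilege; returns a list of finding dicts."""
    policy = parse_sudoers(text)
    findings = []

    def flag(user, spec, cmd, issue):
        findings.append({"user": user, "runas": spec["runas"], "command": cmd, "issue": issue})

    for spec in policy["specs"]:
        cmds = [c for a in spec["cmnds"] for c in expand(a, policy["cmnd_aliases"])]
        for user in expand(spec["user"], policy["user_aliases"]):
            if "NOPASSWD" in spec["tags"]:
                flag(user, spec, ", ".join(cmds),
                     "NOPASSWD: no per-use authentication, so a hijacked session is already root")
            for cmd in cmds:
                if cmd == "ALL":
                    flag(user, spec, cmd, "unrestricted: any command as (%s); a root account in disguise"
                         % spec["runas"])
                    continue
                argv = shlex.split(cmd)
                if os.path.basename(argv[0]) in SHELL_ESCAPES and "NOEXEC" not in spec["tags"]:
                    flag(user, spec, cmd, "shell escape: this program can spawn a shell; add NOEXEC "
                                          "or wrap it in a script that takes no interactive input")
                if any("*" in a or "?" in a for a in argv[1:]):
                    flag(user, spec, cmd, "wildcard argument: sudo wildcards also match spaces, so "
                                          "extra arguments (another file, a flag) are accepted")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print("%-6s (%s) %-42s %s" % (f["user"], f["runas"], f["command"], f["issue"]))
```

Against the sample, dave's line is the classic "root in disguise", erin's vim can drop to a shell with ":!sh", and both wildcard entries accept additional arguments (so `sudo tail /var/log/apache2/x /etc/shadow` matches WEB_RO). The pg_dump and lsof grants pass. The Defaults line is what delivers the logging and alerting the post describes: a log of every command against the calling user, and mail on bad passwords and on attempts the policy does not permit.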

Wednesday, 23 July 2008

Evidence Collection and Volatility

Electronic evidence varies in its volatility. Some evidence (such as the contents of memory) is far less robust than other evidence (such as a backup tape or CD). For this reason, it is crucial to ensure that evidence is collected in order from the most to the least volatile.

When two items are "equally volatile", collect the one deemed the most important first.

If a system is live, snapshot the memory and the running processes. Collect all of the volatile evidence PRIOR to turning the host off. When you have collected all the evidence and it is time to shut the system down, do so hard (pull the power) where possible. In a clean shutdown the drive is written to: swap files are purged and TMP filesystems are cleansed, and that evidence is gone. The one exception is a host with a mounted encrypted volume that you cannot unlock again; image that volume while it is still live before cutting the power.

When collecting evidence, do so in the following order:

  1. Memory (RAM first, then other types such as flash)
  2. Swap and page file data
  3. Network information and tables (ARP entries, routing tables, DNS cache, etc.)
  4. Process tables and kernel statistics
  5. The TMP file system (temporary file systems)
  6. Disk blocks
  7. Remote logging and data from monitoring systems (e.g. an external syslog server)
  8. Physical configuration data and network topology, cabling etc.
  9. External drive devices (e.g. flash drives, USB sticks etc.)
  10. Backup media such as magnetic tapes
  11. CD-ROM, DVD-ROM (etc.) media types
  12. Other read-only media

Mess it up and at the least you lose evidence; at worst, the evidence can be ruled inadmissible.
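The collection order above, as a worked example added here (it is not part of the original post): a small live-response script that runs the volatile-data steps in that order, stores each output and hashes every file plus the manifest, so that the order and integrity of collection can be shown later. The command list is constructed for a Linux host (ip and ss are assumed where arp, route and netstat are no longer installed); physical memory is left to a dedicated imaging tool, which must run before this script.

```python
"""Live-response collector: run volatile-data commands in order of volatility,
save each output and hash it so the order and integrity of collection can be
shown later. Added example, not part of the original post."""
import hashlib
import json
import os
import platform
import subprocess
import tempfile
from datetime import datetime, timezone

# Steps follow the order given above, most volatile first. Physical memory is
# absent on purpose: image RAM with a dedicated tool before running this, since
# a shell pipeline cannot take a consistent snapshot of it. Tool names are
# standard Linux commands; "ip" and "ss" are assumed where arp/route/netstat
# are no longer installed.
DEFAULT_STEPS = [
    ("00_clock",       ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("01_swap",        ["cat", "/proc/swaps"]),
    ("02_arp",         ["cat", "/proc/net/arp"]),
    ("03_routes",      ["ip", "route", "show"]),
    ("04_sockets",     ["ss", "-anp"]),
    ("05_processes",   ["ps", "-eo", "pid,ppid,user,lstart,etime,args"]),
    ("06_open_files",  ["lsof", "-nP"]),
    ("07_kernel",      ["cat", "/proc/loadavg", "/proc/meminfo", "/proc/modules"]),
    ("08_tmp",         ["ls", "-laR", "--time-style=full-iso", "/tmp"]),
    ("09_mounts",      ["cat", "/proc/mounts"]),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, outdir):
    """Run one command, store stdout+stderr as outdir/<name>.txt, return its manifest entry."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120, check=False)
        output, rc, error = proc.stdout + proc.stderr, proc.returncode, None
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is recorded, never skipped: the gap is part of the record.
        output, rc, error = b"", None, repr(exc)
    path = os.path.join(outdir, name + ".txt")
    with open(path, "wb") as fh:
        fh.write(output)
    return {"name": name, "command": argv, "started_utc": started, "returncode": rc,
            "error": error, "bytes": len(output), "sha256": sha256_hex(output), "path": path}


def manifest_digest(entries):
    """One hash over the ordered per-file hashes: reordering or altering any file changes it."""
    joined = "\n".join("%s %s" % (e["name"], e["sha256"]) for e in entries).encode()
    return sha256_hex(joined)


def collect(steps=DEFAULT_STEPS, outdir=None):
    """Execute the steps strictly in list order and write manifest.json beside the outputs."""
    outdir = outdir or tempfile.mkdtemp(prefix="volatile-")
    entries = [run_step(name, argv, outdir) for name, argv in steps]
    manifest = {"host": platform.node(), "outdir": outdir, "entries": entries,
                "manifest_sha256": manifest_digest(entries)}
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    m = collect()
    for e in m["entries"]:
        print("%-14s rc=%-4s %8d bytes  %s" % (e["name"], e["returncode"], e["bytes"], e["sha256"]))
    print("manifest", m["manifest_sha256"], "in", m["outdir"])
```

Point outdir at mounted external media or a network share rather than the suspect host's own disk: every write to that disk overwrites unallocated blocks that may themselves be evidence. A non-zero return code or a missing tool is recorded rather than skipped, so the manifest shows exactly what was and was not captured, and in what order.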

What I have been up to.

The 2008 SANS Awards for Finding Coding Books with Secure programming Flaws

(July 22, 2008, Washington, DC)
Four individuals were recognized today for their excellent descriptions of insecure code found in programming texts.

1. Craig Wright of BDO Kendalls in Australia was the overall winner, with two first place awards and two honorable mentions. He found errors in:
a. The Complete Reference: C 4th Ed. (Osborne) (Particularly good for showing how to find bugs using Safari service)
b. Programming Embedded Systems in C and C++ (O’Reilly)
c. C Primer Plus, Third Edition (SAMS)
d. C in a Nutshell (O’Reilly)
2. Dr. James Walden of Northern Kentucky University won a first place award for errors found in “Introduction to Java Programming, 7th edition” (Pearson Prentice Hall )
3. Brian Zaugg won an honorable mention for errors found in Beginning Ruby: from Novice to Professional (Apress)
4. Scott March of Interweb Technologies won an honorable mention for errors found in Beginning ASP Databases (Wrox)

Their entries will be published at the SANS sites next week. Their prizes ranged from $200 to $700. We’ll have another contest in the Fall, so keep looking for them.

Special thanks to Brian Chess of Fortify Technologies who pointed out the need to find these security flaws and served as primary judge for the competition.

First Place Winners
Introduction to Java Programming, 7th edition (Pearson Prentice Hall ) (Walden)
The Complete Reference: C 4th Ed. (Osborne) (Particularly good for showing how to find bugs using Safari service) (Wright)
Programming Embedded Systems in C and C++ (O’Reilly) (Wright)

Honorable Mention
Beginning Ruby: from Novice to Professional (Apress) (Zaugg)
Beginning ASP Databases (Wrox) (March)
C Primer Plus, Third Edition (SAMS) (Wright)
C in a Nutshell (O’Reilly) (Wright)

Sunday, 20 July 2008

Early Morning Images

A Pear tree in the early morning displaying its glory.
And the morning wildlife ...
Yet the early bird is still asleep...