
TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.


Happy 6th Birthday TaoSecurity Blog (Yesterday)
Today, 8 January 2009, is the 6th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2339 posts (averaging 390 per year) later, I am still blogging.

I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these 6 years -- I hope to have a ten year post in 2013!

Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide.

The image shows Elvis training with Ed Parker, founder of

Metasploit 3.2 on Windows XP (January 5)
I've been an infrequent yet admiring user of Metasploit for about four years, but I've never tried it on Windows. It strikes me as being something I "just shouldn't do," like running Nmap on Windows or (shudder) Snort on Windows. However, while preparing labs for my upcoming class, I thought I would give version 3.2 a try. It worked very well, at least for the simple test I ran.

After installing the .exe and launching the new app, I saw this window:

I decided to try exploiting a vulnerable Samba server:

Recommendation for an Introduction to Unix (January 5)
A regular blog reader asked me for recommendations on books to learn Unix, and which Unix to learn. I still remember asking my "Unix and Solaris Fundamentals" instructor in 1997 to recommend a book on Unix for me. I thought I would share my response here.

I think, as a beginner, you have to decide what you want to learn. I'll try to keep this description generic yet answer the reader's question. The person who asked the question requested an emphasis on the command line, rather than administration using GUIs.

As you might have guessed, I recommend trying FreeBSD. In fact, FreeBSD 7.1 was released today. FreeBSD is a great OS for beginners, especially those who want to rely on the command line.

I am reluctant to suggest trying to learn a new OS without a good reference, but luckily a modern and thorough book arrived a little over a year ago. Michael Lucas' Absolute FreeBSD, 2nd Ed. is probably the best pure introduction to Unix administration available. (I mean that of all the books out there, reg

IPv6 Tunnel on Windows XP Using Freenet6 (January 5)
Almost two years ago I described testing IPv6 using Freenet6 on FreeBSD. This morning I decided to try the same on Windows XP and document the process here.

I needed to use a tunnel method like Freenet6 because the test host is behind NAT.

First, visit go6.net and click "Free IPv6 Connectivity with Freenet6". Register for a user account. To install on my Windows XP SP3 32-bit system I downloaded "Gateway6 Client 6.0-BETA4 Windows Installer 32-bit". I installed and accepted the defaults:

When I first tried installing the software I got an error that blocked installation of the TUN driver. I had to back out of the installation and change this local group policy setting using gpedit.msc:

BGPMon On Illegitimate Route Announcement (January 2)
In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent.

Yesterday I received a more personalized alert from BGPMon:

You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475

Checking WHOIS data for AS15475 shows:

% Information related to 'AS15475'

aut-num: AS15475
as-name: NOL
descr: Nile Online
descr: Giza,Egypt
descr: For any abuse complain contact abuse@nile-online.com
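The alert above has enough structure to triage automatically. The following Python is an added example, not BGPmon's code and not from the post: it parses the two quoted events and flags an announcement when the announced prefix is a more-specific of the monitored prefix and the origin AS (rightmost ASN in the path, cross-checked against the "Announced by" field) is not on an allow-list. The allow-list entry is an assumption: the page does not say which AS legitimately originates 3.0.0.0/8, so AS64496 from the documentation ASN range stands in for it. The alert text is a hand-typed copy of the one quoted above, embedded so the script runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: a copy of the two events in the BGPmon alert
# quoted in the post, not a live BGPmon feed.
SAMPLE_ALERT = """\
====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475
"""


@dataclass
class BgpEvent:
    kind: str                          # event name, e.g. "Possible Prefix Hijack"
    code: int                          # BGPmon event code
    monitored: str = ""                # prefix the subscription covers
    announced: str = ""                # prefix seen in the update
    timestamp: str = ""
    announced_by: Optional[int] = None  # ASN from the "Announced by:" line
    as_path: List[int] = field(default_factory=list)

    @property
    def origin_as(self) -> Optional[int]:
        """Origin is the rightmost ASN of the path; fall back to 'Announced by'."""
        return self.as_path[-1] if self.as_path else self.announced_by


EVENT_RE = re.compile(r"^(?P<kind>.+?) \(Code: (?P<code>\d+)\)$")
MONITORED_RE = re.compile(r"for your prefix (?P<prefix>\S+):$")
UPDATE_RE = re.compile(r"^Update details: (?P<ts>.+)$")
CIDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")
ANNOUNCED_BY_RE = re.compile(r"^Announced by: AS(?P<asn>\d+)")
PATH_RE = re.compile(r"^ASpath: (?P<path>[\d ]+)$")


def parse_alert(text: str) -> List[BgpEvent]:
    """Split a BGPmon alert into events, one per '(Code: N)' header line."""
    events: List[BgpEvent] = []
    cur: Optional[BgpEvent] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue                       # blank line or separator
        m = EVENT_RE.match(line)
        if m:
            cur = BgpEvent(kind=m.group("kind"), code=int(m.group("code")))
            events.append(cur)
            continue
        if cur is None:
            continue                       # preamble before the first event
        m = MONITORED_RE.search(line)
        if m:
            cur.monitored = m.group("prefix")
            continue
        m = UPDATE_RE.match(line)
        if m:
            cur.timestamp = m.group("ts")
            continue
        if CIDR_RE.match(line):
            cur.announced = line
            continue
        m = ANNOUNCED_BY_RE.match(line)
        if m:
            cur.announced_by = int(m.group("asn"))
            continue
        m = PATH_RE.match(line)
        if m:
            cur.as_path = [int(a) for a in m.group("path").split()]
    return events


def assess(event: BgpEvent, expected_origins: Dict[str, Set[int]]) -> Dict[str, object]:
    """Decide whether one event looks like a hijack of a monitored prefix.

    expected_origins maps each monitored prefix to the ASNs allowed to
    originate it (what your route object or ROA says)."""
    mon = ipaddress.ip_network(event.monitored, strict=False)
    ann = ipaddress.ip_network(event.announced, strict=False)
    more_specific = ann != mon and ann.subnet_of(mon)
    origin = event.origin_as
    origin_expected = origin is not None and origin in expected_origins.get(event.monitored, set())
    # The two places BGPmon reports the origin should agree.
    path_consistent = (event.announced_by is None or not event.as_path
                       or event.announced_by == event.as_path[-1])
    # A withdrawal carries no origin, so it is reported but never flagged.
    suspicious = more_specific and origin is not None and not origin_expected
    return {
        "kind": event.kind,
        "code": event.code,
        "announced": event.announced,
        "origin_as": origin,
        "more_specific": more_specific,
        "origin_expected": origin_expected,
        "path_consistent": path_consistent,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Hypothetical allow-list: AS64496 is a documentation ASN, not the
    # real originator of 3.0.0.0/8.
    allowed = {"3.0.0.0/8": {64496}}
    for ev in parse_alert(SAMPLE_ALERT):
        print(assess(ev, allowed))
```

With the placeholder allow-list, the code 11 event is flagged because 3.3.3.3/32 sits inside 3.0.0.0/8 and AS15475 is not an expected origin, while the code 23 withdrawal of the same /32 is parsed but not flagged. Put your real origin ASNs in the allow-list before running this against alerts for your own prefixes.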

So, an ISP