Category Archives: Uncategorized

Introducing… WinTAP

As part of my GCIA Gold project & paper that was recently published, Defensive Depth, in collaboration with New Tribes Mission USA, funded the development of WinTAP, a Daemonlogger clone for Windows.

The first iteration of WinTAP was a proof of concept that was essentially a .NET wrapper around WinPcap.  This worked well, but performance was not as well as could be hoped for.  The next iteration took the proof of concept, and instead of using WinPcap, implemented WinTAP as a kernel mode driver, using NDIS 6.0.  This allowed for much better performance and stability.

From the official description:

WinTap is a packet sniffer and soft-tap developed to mirror packets flowing through an Ethernet interface. It is purely based on the NDIS which allows us to sniff packets and rewrite them to a second interface acting as a soft-tap. WinTap consists of two components,

1. NDIS 6.0 based protocol driver.
2. User mode soft-tap.

These two act in tandem to create a soft-tap, where the protocol driver sniffs the traffic and delivers to the user mode application. User mode application does the redirection logic and returns the packets to be rewritten to second interface.

WinTAP is licensed under GPL 2; source can be found on Github.


Tagged , , ,

A Preview…

Between a new baby, moving to Florida, and working on my MSISE, it has been a crazy 8 months….  I have a couple new posts that I am working on:


1) Teaching Digital Security to End Users – A New Framework


2) Distributed IDS: OSSIM vs. Security Onion  – Or, why I am going with SO


I hope to get these out within the next 6 weeks.

Stay Tuned.


Accepted to STI + More…

Just a quick personal update:

I was just recently accepted to the SANS Technology Institute to pursue my MSISE (MS of Information Security Engineering).  With my previous coursework/certifications being accepted, I am currently halfway through the program–I am expecting to do a couple classes a year, and to finish the program by 2015.

With this being the case, I am currently working on my GCIA Gold….


Tagged ,

Book Review: The Tangled Web – A Guide to Securing Modern Web Applications

Amazon just posted my 5 star review of  The Tangled Web – A Guide to Securing Modern Web Applications by Michal Zalewski.  (Reposted here)

I have to say, I wasn’t quite sure what to expect when I received a review copy, as there seems to be a glut of “Securing Web Apps” books out there, and from what I have seen, not that many great ones.  However, Zalewski is well-known within the security industry, so I had higher than normal expectations.

Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area–indeed, his 3 principles that he prescribes are:

1) Learning from (preferably other people’s) mistakes

2) Developing tools to detect and correct problems

3) Planning to have everything compromised.

Though I would agree with all three, the third principle resonates the strongest with me,  as this is one of Richard Bejitlich’s favorite things to say, and I have taken it to heart.

With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat.  This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.

Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security…. Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.

Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc…  This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint–Zalewski continually points out differences in how different browsers implement specific features.

The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.

I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.

The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.

All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.

A couple closing thoughts:

-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical…. I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.

-This was the first epub book I have read on my iPad, and I throughly enjoyed it…. Thanks to No Starch for providing epubs and not just pdfs!



Passed the GIAC GCIA Exam…

Last month I passed the GIAC GCIA (Intrusion Analyst). I found the exam to be much more difficult than my previous GIAC Exams, primary for two reasons:

1) There were a number of tools that had been discussed in the class… There were a number of questions on the exam about these tools–Not “In what situation would you use this tool?” questions, but “What syntax would you use to get this output?” type questions. Most of the syntactical answers were esoteric switches that were neither mentioned in class, nor in my study books, which was why it was very frustrating to find it on the exam. I flagged these questions for review by GIAC, as I don’t think that they were legitimate.

2) The other reason why this exam was more difficult, was that a number of the questions requried a bit of actual work & calculation, instead of just looking up the right answer–Though this made the exam much more difficult, I thought it was a great change from my previous GIAC exams, as it took it one step closer to real life experience, rather than just “multiple-guess.”

I will be working on my GCIA Gold next.



Tagged ,

GSEC Gold Paper Accepted: Securely Integrating iOS Devices into the Business Environment

This past weekend, I was put on notice that my GSEC Gold paper was accepted and published by SANS. Here is the abstract:

“Driven primarily by the end user, iOS devices continue to inundate businesses at an ever-increasing rate.  Because these devices are housing sensitive organizational data, it is imperative that it is understood what risks to the organization are involved in allowing users to utilize these devices for business.  Ascertaining what the risks are, and what the compensating controls would be, should be a critical component of any business risk assessment. The security features of the device itself, how applications are utilized on the device, and the actual usage of the device needs to be evaluated. Beyond the aforementioned areas, a major consideration that needs to be taken into account is whether the device is personally owned or business owned, as well as how it is managed, as these will be the primary factors by which controls are evaluated to manage the incurred risk.  Finally, users need to be made aware of the risks, and trained in what their responsibility is to reduce the risk to an acceptable level.”

Here is a link to the paper.


Tagged , , ,

Websense Policy Server Install & ~High Latency

I thought I would document this issue, in the hopes that it might help those of you that run into it:

Working for a client, in the last 6 months, I have rolled out Websense Web Security to 3 remote sites, all pointing to the Websense Policy Broker (think mothership) at the central location.  (Websense Web Security 7.5.1 on Server 2008 SP2 Hyper-V VM)

One of the interesting issues I ran into at the remote sites was that no matter what I did, the installs would error out if I pointed the install to connect back to the central location.

the following components have failed to install correctly;

policy server: package deployment failed; wbsn.policyserver




package deployment failed; wbsn.policyserver

The error message seemed to indicate that it was a firewall or network communication error.  Unfortunately, tech support was not being very helpful, so I started doing some googling, and came across this interesting thread.

“it took a lot of time but this usually happens when the latency time is larger than 30 ms it’s what we noticed anyway… it’s not a lot but if you ping the remote site and the ping time is 30ms> there is a good chance you’ll get this error. everywhere we had 30ms>  we got this error.”

Come to find out, this was the issue, which is pretty bizzare, as 30ms latency is really not that bad….  All I had to do was following these instructions:

Install only the policy server, even when it fails it gets installed, so go look under services to see if you have policy server.

If you don’t have it under services then go in the programfiles/websense/bin you should have a policyserver.exe or something like that now if you do policyserver.exe -i (install) this should install policy server as a service.

so if you go back into services you should see the policy server installed. if not then I can’t help it has worked for me so far with many installs.

Once you have policy server installed you can install all the other components.



pfSense 2 Cookbook: A Technical Review

Because of my background in pfSense, about 6 months ago I was approached by Packt Publishing, asking if I would be willing to be a technical reviewer for an upcoming book they were publishing on pfSense 2. No pay, just a couple of free books from their library, and a bio in the front of the pfSense book. Why not, right?

Being the first time I have done something like this, I thought it was pretty good opportunity to get a feel for what it was like to review a pre-published technical book like this.  I was a little surprised at how much input I had, as I felt like my comments were well-received, and that I actually did have a hand in shaping parts of the book,

Well, the long and short of it, is that I enjoyed the experience, and I would recommend the pfSense 2 Cookbook to anyone looking for a practical guide to configuring pfSense 2.


Tagged ,

How to Filter & Cross-Reference ISA logs for OWA Account Lockouts

Recently I was alerted that a client had a user’s Active Directory account that was being locked out continually, even within 60 seconds of the account being unlocked. Looking at the Domain Controller logs, we were able to trace where the authentication attempt was being made from–One of the ISA servers, which means that someone was trying to login to OWA with this user’s credentials, and was continually locking the account, as the password wasn’t correct.

You would have thought this would have been a simple look-it-up-in-the-logs, but looking at the ISA logs was very frustrating, as I could never find the right variable to filter on to find out where the attempts were coming from.

Well, I eventually figured out how to do it, so I wrote up a quick procedure, for posterity:

From beginning to end:

1) Find which Domain Controller is being used to authenticate the credentials (look for event 539 or 4625), and look at the logs to see which ISA server the authentication attempts are coming from.

2) Filter the target ISA logs on the following parameter:

HTTP Status Code = 1909

This is the HTTP status code that is generated when an account cannot be logged on because it is locked out. (Attempting to logon to OWA for this specific case)

3) Cross-reference the time stamps on the previous ISA lockout logs to the DC’s logs to make sure you have the right lockout logs

4) After verifying, look at the ISA lockout logs for the source IP from where the authentication attempts are coming from.

5) Nuke IP from Orbit.


Tagged , ,

Joomla! is becoming a liability… Or not.

I host a number of Joomla! websites. Most of them are 1.5, though I still have a client that is on the 1.0.x branch. (Tell me about it!) None of the extensions are up to date.

I also host a number of WordPress blogs. All of them, as well as the installed plugins, are all up to date to the most recent release.

Over the last couple years of keeping Joomla! & WordPress installs updated, I have gotten to the point where I was about to stop hosting Joomla! installs, as I still have to manually upload & update both the core files & the extensions. WordPress has had this feature since December 2008! (Since version 2.7)

With the ever-increasing mass hacks made possible by vulnerable, out of date Joomla! plugins + absent ability to easily keep those plugins updated, I was about to toss in the towel for Joomla!, and declare it too much of a risk to run on my server, when I noticed that the recently released Joomla! 1.6 finally adds this much needed feature of automagically finding core & plugin updates & installing them–The catch of course is that the plugin developers have to setup their plugin to allow this.

So yes, there is hope for all you Joomla! fans out there, though the fact that it took them so long to add this feature is quite disconcerting to say the least…


Tagged ,