Defcon 16 and Podcasters’ Meetup Info

If you haven’t already heard about the meetup and are going to Defcon, there will be a meetup on Saturday, August 9th in the skybox which the folks at i-hacked.com reserved.  You can find the full information at mubix’s site located here.

While I won’t be attending Defcon, three of our crew will be: Chris Mills, Jay Mueller, and Rob Fuller.  Keep an eye out for them, as at some point they will likely be wearing their SecuraBit T-Shirts and passing out free stickers.  Jay should have a backpack full of t-shirts to sell should you want one.  I am sending off the box today to him, so any further donations to the site for them will be filled by him either by shipping it to you or giving it to you in person at Defcon.

Episode 8 will be delayed until the Wednesday after Defcon, though we expect at least one more SecuraByte in the interim.

Thanks for listening!

SecuraBit Episode 7

On this episode of SecuraBit, we talk to Chris Eng and Chris Wysopal from Veracode about SOURCE Boston, as well as Jennifer Leggio about Twitter and more:

I’m going to be installing wiki software and recruiting some folks to help us do proper full show notes for each episode.  We’re also looking for people to help out with the forums, IRC, and research for technical segments.  If you can contribute in any way we’ll make sure you get recognized.

Direct link to show here.

Remember to hit up the T-Shirt and Sticker page.  Soon I will remove the T-Shirt donate link as I will be shipping the box of T-Shirts to Jay to take with him to Defcon.  Hit us up on the forums, or at irc.freenode.net #securabit.  Thanks for listening!

SecuraByte Episode 2

Last night we decided to discuss a little more on the DNS vulnerability issue that’s been the hot topic everywhere in terms of detection and defense.  Thanks to guest Chris Wilson for his invaluable insight into the snort signature we were provided by alexkirk in #snort on irc.freenode.net.

We also discussed detection of encrypted traffic on a network, and some of the implications of it.

Direct link to the mp3 is here.

Apologies for Chris Wilson’s audio; his speakers were on, unbeknownst to us, and I cleaned it up as best I could. 🙂

Also, the stickers are finally in!  Get your T-Shirts and stickers here!

OpenPacket

I came across these guys a month or so back when I was looking at topics for one of our shows, and I don’t remember whether I touched on them or not, but this project is definitely worth a second look.  Their community seems small right now, but the idea behind what they’re doing seems like common sense to me, and I’m not aware of anyone else out there collecting packet captures from anyone who wants to upload one.

Obviously, be careful what you download, but if we can get some traffic their way and get people to upload both malicious and normal traffic captures to them, I think it will end up being an extremely useful resource for anyone who uses packet data for their job, such as writing snort signatures!

Their site is https://www.openpacket.org.  Remember that this isn’t for uploading 10 gigs of traffic you captured off of your neighbor’s wifi, and don’t submit your own traffic that includes your paypal and online banking sessions either. :)  Make sure you have permission if you’re going to be submitting a capture with information someone other than you generated.

Latest Snort signature to detect DNS vulnerability

As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you snort guys out there, here is the latest DNS signature that may help you detect such activity.  Props to alexkirk from the #snort channel for hooking us up!

Implement at your own risk! Simply cut and paste as it looks pretty nasty below:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447; reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)

Hope this helps!
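As an added illustration (not part of the original post and not Snort code), this Python sketch models the two checks in the signature above: the byte_test on the low flags byte of the DNS header and the per-source threshold. The packets and addresses are constructed, and the Threshold class is a simplified model of Snort's "type threshold" behaviour; note that the byte_test also matches other response codes whose low two bits are set, such as SERVFAIL.

```python
import struct
from collections import defaultdict

COUNT, SECONDS = 1000, 30  # values from the rule's threshold option

def byte_test_matches(payload: bytes) -> bool:
    """byte_test:1,&,3,3 -> read 1 byte at payload offset 3, AND it with 3."""
    return len(payload) > 3 and (payload[3] & 3) != 0

def dns_response(txid: int, rcode: int) -> bytes:
    """Constructed 12-byte DNS header: QR=1, RD=1, RA=1 and the given RCODE."""
    flags = 0x8180 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

class Threshold:
    """Simplified model of 'type threshold, track by_src': one alert for every
    COUNT matching packets from a source inside a SECONDS-long window."""
    def __init__(self):
        self.state = defaultdict(lambda: [0.0, 0])  # src -> [window_start, count]

    def event(self, src: str, ts: float) -> bool:
        start, count = self.state[src]
        if count == 0 or ts - start > SECONDS:
            start, count = ts, 0          # open a new window
        count += 1
        alert = count == COUNT
        self.state[src] = [start, 0 if alert else count]
        return alert

def run(packets):
    """packets: iterable of (timestamp, src_ip, src_port, udp_payload)."""
    th, alerts = Threshold(), []
    for ts, src, sport, payload in packets:
        if sport == 53 and byte_test_matches(payload) and th.event(src, ts):
            alerts.append((ts, src))
    return alerts

def sample_traffic():
    """Constructed traffic: 2000 NXDOMAIN replies in 2 s from one server and
    a slow trickle (1 per second) of NXDOMAIN replies from another."""
    burst = [(i * 0.001, "192.0.2.53", 53, dns_response(i & 0xFFFF, 3))
             for i in range(2000)]
    slow = [(i * 1.0, "198.51.100.53", 53, dns_response(i, 3))
            for i in range(100)]
    return sorted(burst + slow)

if __name__ == "__main__":
    for ts, src in run(sample_traffic()):
        print(f"{ts:7.3f}s alert: {src}")
```

Only the burst source crosses the threshold; the trickle never reaches 1000 replies inside any 30-second window, so it stays silent.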

SecuraByte Episode 1: DNS Haiku

Today we introduce a new portion of the show: SecuraBytes. SecuraBytes are unannounced episodes, they could be last minute interviews or just more beer induced security speak. So, without further ado, here is the first SecuraByte from the SecuraBit Podcast.

“Introducing haiku-DNS: [laughing corruption collapsing kittens gallop nectars forgiving] = usa.gov” – Chris

Wesley McGrew of McGrew Security, Martin McKeay of the Network Security Blog / Podcast, and some guy named Joel joined Rob Fuller and Anthony Gartner last night to discuss the DNS vulnerability leak that happened about quitting time yesterday (7/21). We discuss the leak, how the vulnerability works, mitigation, and the potential impact it has at mass scale. Every one of the gentlemen who joined us, and we here at SecuraBit, urge you to patch as soon as possible. If you need further information, please check the following links:

Direct link to this episode: HERE

Check to see if you are vulnerable: http://www.doxpara.com/

In depth explanation of the vulnerability:
http://www.mcgrewsecurity.com/?p=151

Dan’s niece Sarah spells it out for us:
http://www.youtube.com/watch?v=XDKw8ny6IcM

More supporting links:
http://www.mckeay.net/2008/07/21/patch-dns-now/
http://www.matasano.com/log/mtso/
http://www.doxpara.com/?p=1176
http://blogs.zdnet.com/security/?p=1520

SecuraBit Episode 6

On this episode of SecuraBit Chris, Jay, and the crew discuss:

Major DNS vulnerability patched!
Check your DNS vulnerability status here!
BackTrack 3:  Hard Drive?
More BT3 goodness! (Courtesy of pure_hate)
Andy’s Trip to Spain!
Various other things, and if you haven’t noticed by now.. bloopers!

We also want to announce that our T-Shirts have arrived, which you can get here! Stickers will be available very soon!  As always, hit up the forums and start talking security with other professionals, pop into our irc at irc.freenode.net #securabit (cloaks coming soon!), and send any feedback to [email protected] or through the contact page on the site here!

Thanks for listening!

Direct Link since the player won’t work is here!!!

T-Shirts and Stickers!

The t-shirts are in! Thanks to Christine for the hours she put into pulling off the deal! GET THEM HERE! We have a fairly limited quantity (about 40) available, and for a $15 donation we’ll ship one to you! DEFCON 16 is coming up fast, so if you want to be wearing one of our shirts at the event you may want to get one now. Whatever we don’t unload here will be going with Jay and Chris to the conference and who knows how long those will last!

On a side note, Ep 6 will definitely be out today, we apologize for the delay and we’ll never be a week late again.

Episode 6 Streaming Notice, T-Shirts and Stickers!

We’ll be recording Episode 6 tomorrow night at 7:30PM EST (July 9th).  Also, we’ll be streaming live once again via hak5radio.  Join us on IRC at irc.freenode.net #securabit for chat and details on the stream URL.

There are T-Shirts and Stickers on the way.  We’ll be selling them on the site here so keep watch for the next couple weeks before DEFCON so you can get yours before you go up there!

SnortSP 3.0 Available now!

I know I’m a few days late; however, Snort Security Platform (SnortSP) 3.0 Beta is available from Snort’s website. SnortSP 3.0 is the software platform which has traffic analysis engine modules that plug into SnortSP.  It still runs on the 2.8.2 detection platform but it runs as a SnortSP engine module.

Some of the major features include:

  • Shell-based user interface with embedded scripting language
  • Native IPv6, MPLS and GRE support
  • Native support for inline operation
  • More subsystem plugin types such as data acquisition modules, decoders and traffic analyzers
  • Multithreaded execution model – multiple analysis engines may operate simultaneously on the same traffic
  • Performance increases

I’ve been messing around with it for a few days now and have found it to be an entirely different program altogether, as the syntax and commands to get it up and running can become rather a headache when first starting out. Overall, though, I like the idea of multiple detection analysis engines as well as the shell-based interface, which prevents you from simply killing the snort process inadvertently.  Anyway, thought I’d let you all know that it’s there now for all your sniffing needs!