On Friday, June 25th, I headed from Madison to the McKinley Marina in Milwaukee, WI to begin a sailing race (The Queen’s Cup) across Lake Michigan to Grand Haven, MI. The vessel for the trip was a 37′ Hunter 376. It’s a fine vessel, with a forward berth, an aft berth, a modest galley, and ample room in the cabin itself to sit or sleep. The trip across Lake Michigan was 76 nautical miles, which translates to 87 miles. We departed the Marina at around 5:00PM and headed to the start of the race. We waited with the other sailboats, which numbered about 170, until the start time of our class, which was about 6:30PM. Once the race began we took down the jib and put up the spinnaker (a large triangular head sail that swings out opposite the mainsail) since we were running before the wind. The wind was excellent, around 15 knots, and the boat began cruising between 8-10 knots. The water was calm with maybe 1 foot waves and the weather was pleasant as well. At around 9:00PM, after a gorgeous sunset, we took down the spinnaker and put the jib back up. At this point, Jon and I went under to catch some sleep until 1:00AM, when we would relieve Ken and Dennis. Coming back up at 1:00AM, the wind had died down some – around 8/9 knots – and we were doing 4/5 knots. Ken and Dennis pointed out a huge freighter off in the distance. These ships follow a specific line and have the right of way. They also do around 35 knots, so it is imperative that somebody is on watch for them at all times. Ken and Dennis went under the deck to sleep and Jon and I were on watch until 5:00AM. At this time of night the view was amazing. No land was in sight, there were lights of other sailboats off in the distance, and there was no noise except the sound of the wind against the sails and the sound of the boat moving over the water. The sky was breathtaking. I can’t remember the last time I was able to see so many stars. The moon was with us for a bit before it set.
We didn’t have to move the sails but Jon adjusted our direction by a few degrees to bring us back on course. When 5:00AM came around I was feeling delirious and definitely ready for sleep. I slept until 9:00AM and when I returned to the deck Grand Haven was a few miles out. We crossed the finish line of the race and motored in to the marina shortly thereafter, where we found an open slot on the pier and tied up. Then it was vacation time: food, exploration of Grand Haven, beer, stogies, sun, frisbee, and naps. Later in the evening we went out for more drinks, got kicked out of a bar (no comment), and then crashed at 1:00AM. I slept until about 9:00AM and woke up to the boat being around 10 miles out and headed back to Milwaukee. Since there was paltry wind (4 knots) we motored back (the boat is diesel equipped) to Milwaukee in order to make it there at a decent time. It was a relaxing trip back, fairly uneventful. We pulled in to the marina in Milwaukee at about 4:30PM and I headed back to Madison. Now, I can’t quite call myself a sailor, but I can certainly say I’ve sailed. And it was fantastic.
Richard Bejtlich received permission to post chapter 10 of his upcoming book “The Tao of Network Security Monitoring”. The chapter is 28 pages long and is entitled “Alert Data: NSM Using Sguil”. Rich is also teaching a module based upon the book, Network Security Monitoring with Open Source Tools, in this year’s USENIX Security Symposium in San Diego, Aug 9th-13th.
A useful website on Oracle security is at http://www.petefinnigan.com
SANS GIAC has posted my GCIA certification status as #716. My practical should be posted when the current students have completed their practical assignment. In retrospect, it took me 73 days (Oct 31 – Jan 12) to complete my GCFW and 96 days (Jan 15 – Apr 17) to complete my GCIA. I plan on eventually obtaining the CISSP and have recently been mulling over the idea of getting an MBA in information assurance. At this point it’s fairly hard to find advanced academic degrees that focus on the corporate and physical sides of security. The NSA has a list of 50 schools that they dub “Centers of Academic Excellence in Information Assurance Education”. The list is a logical starting place, but it would be tough to stop working and start a two-year degree or do them simultaneously. I’ve recently read that Carnegie Mellon has been working to develop an institute for working information security professionals. Carnegie Mellon currently has two master’s-level programs under their Information Networking Institute that are a good continuing education starting point: Master of Science in Information Networking and Master of Science in Information Security Technology and Management.
I got in touch with one of the leaders of the SCADA HoneyNet Project, Venkat Pothamsetty, to let him know of the problems I encountered running the PLC scripts. He sent me an email saying he made some fixes and put out a new release – 0.2. According to the project page, the News & Updates section mentions “6/01/04/(released version 0.2) – Fixed the bug regarding the absense of modbusHdrs.py, included sample nmap OS fingerprints of some PLCs, included a test file to generate custom Modbus packets to test the modbusSrvr.py implementation”. Venkat also stated that they are thinking about having a PHP script simulate the webserver because java applets will not allow the users who downloaded it to connect back to the server. And mistakenly, I was trying to use ‘java’ to run the java applet when I really needed to be using ‘appletviewer’ and including the applet in a webpage to be downloaded. I will test out the Modbus server (modbusSrvr.py script) with the Modbus packet generator (modbusScanner.py script) soon and report the results. The stack.txt file included in 0.2 contains the TCP/IP NMAP fingerprint of two PLCs: an ADAM 6500 and Modicon. As an aside, both of the project leaders of the SCADA HoneyNet Project are employees of Cisco and part of their Critical Infrastructure Assurance Group (CIAG) research team. There are some interesting projects and tools released from CIAG.
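To show what a Modbus/TCP honeypot such as modbusSrvr.py has to get right when it is fed generated test packets, here is an added example of a minimal frame validator and Read Holding Registers responder. It is my own illustration, not code from the SCADA HoneyNet Project; the register table and the single supported function code are assumptions.

```python
import struct

# Modbus exception codes a real PLC returns for bad requests.
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
READ_HOLDING_REGISTERS = 0x03

# Constructed register table standing in for a PLC's holding registers (assumption).
HOLDING_REGISTERS = [0x0000, 0x0102, 0x0304, 0xFFFF]


def build_request(tid, unit, fc, start, count):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    pdu = struct.pack(">BHH", fc, start, count)
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(frame):
    """Validate the MBAP header; return (tid, unit, pdu) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    return tid, unit, frame[7:]


def handle_request(frame):
    """Answer one request the way a small PLC would, exception responses included."""
    tid, unit, pdu = parse_mbap(frame)
    fc = pdu[0]
    if fc != READ_HOLDING_REGISTERS:
        body = struct.pack(">BB", fc | 0x80, EXC_ILLEGAL_FUNCTION)
    elif len(pdu) < 5:
        raise ValueError("Read Holding Registers PDU needs start and count")
    else:
        start, count = struct.unpack(">HH", pdu[1:5])
        # Spec limit is 125 registers per read; also reject ranges past the table.
        if count < 1 or count > 125 or start + count > len(HOLDING_REGISTERS):
            body = struct.pack(">BB", fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS)
        else:
            regs = HOLDING_REGISTERS[start:start + count]
            body = struct.pack(">BB", fc, 2 * count) + struct.pack(">%dH" % count, *regs)
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body
```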