Archive for 12 January 2006

How I keep FreeBSD up to date

I'm using a somewhat automated process to keep my FreeBSD 6.0 server free from known flaws and vulnerabilities. I use the unofficial (as in not supported by the FreeBSD security team) program freebsd-update to detect, fetch and install binary versions of patches when they are available.

"FreeBSD Update is a system for automatically building, distributing, fetching, and applying binary security updates for FreeBSD. This makes it possible to easily track the FreeBSD security branches without the need for fetching the source tree and recompiling (except on the machine building the updates, of course). Updates are cryptographically signed; they are also distributed as binary diffs using my binary diff tool, which dramatically reduces the bandwidth used."

The system sends me an e-mail when patches are available. Its binary nature is especially nice, since my host is somewhat slow, and applying these patches takes a moment compared to what a recompilation would take. It can be compared to Debian's APT.

freebsd-update is not part of the base system, which means it has to be installed separately. Luckily, it is available as a package, and we use pkg_add with the -r flag to fetch the package from a remote site. (If you are running the C shell, csh, run rehash to make the new command visible after installation.)

onesome# pkg_add -r freebsd-update

Now copy the default configuration file into place:

onesome# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

freebsd-update is now ready to be used. Running it with the fetch command checks whether patches are available and downloads them.

onesome# freebsd-update fetch
Fetching updates signature...
Fetching hash list signature...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched

In this case, seven updated files were available. We use freebsd-update install to install them.

onesome# freebsd-update install
Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...

/boot/kernel/ipfw.ko is a kernel module, so the running kernel still contains the old code until the module is reloaded or, more simply, the machine is rebooted. Likewise, an updated userland binary only takes effect for processes started after the update; long-running daemons keep the old code in memory until they are restarted.
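As an added example (not from the original post, and not part of freebsd-update itself), here is a small sh script that triages a saved freebsd-update install transcript: it lists which files were actually replaced and decides whether a reboot is needed by checking for paths under /boot/. The transcripts embedded in it are constructed from the session shown above; the file name triage.sh and the log path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: decide "do I need to reboot?" from what freebsd-update
# actually replaced, instead of eyeballing the install transcript.
# The sample transcripts below are constructed from the session above.

SAMPLE_INSTALL_OUTPUT='Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...'

# A constructed userland-only run, to exercise the no-reboot branch.
USERLAND_ONLY_OUTPUT='Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...'

# Print the paths that were actually replaced, one per line.
# "Backing up" and "Recreating hard link" lines are not new files and are skipped.
updated_paths() {
    printf '%s\n' "$1" | sed -n 's/^Installing new \(.*\)\.\.\.$/\1/p'
}

# Succeed (exit 0) if any replaced path lives under /boot/, i.e. the kernel
# or a kernel module was patched and the running kernel is still the old code.
needs_reboot() {
    updated_paths "$1" | grep -q '^/boot/'
}

# Human-readable summary of one transcript.
report() {
    echo "Replaced files:"
    updated_paths "$1" | sed 's/^/  /'
    if needs_reboot "$1"; then
        echo "Kernel files were replaced: reboot (or unload and reload the module) before relying on the fix."
    else
        echo "Userland only: new binaries are used by new processes; restart long-running daemons that use them."
    fi
}

# Stand-alone use (assumed file names): save the transcript, then triage it.
#   freebsd-update install | tee /var/log/freebsd-update.last
#   sh triage.sh < /var/log/freebsd-update.last
# When run without input on stdin this demo uses the constructed sample instead.
if [ -t 0 ] || [ -z "${TRIAGE_FROM_STDIN:-}" ]; then
    report "$SAMPLE_INSTALL_OUTPUT"
else
    report "$(cat)"
fi
```

The "Recreating hard link" lines are deliberately ignored: /usr/bin/ee and /usr/bin/ree are links to the already-replaced /usr/bin/edit, so counting them would overstate what changed.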

In order to find out about available patches, I run freebsd-update with the cron argument. The following line in /etc/crontab checks for patches every night at 05:00 and delivers an e-mail to root (which I have forwarded to an active mail account) if patches are found. Note that cron mode only fetches: nothing is installed until you run freebsd-update install yourself, and it sleeps a random interval of up to an hour before fetching so that many machines don't hit the update server at the same moment.

0 5 * * * root /usr/local/sbin/freebsd-update cron

The cron command does the same thing, and produces the same output, as freebsd-update fetch; the mail is the extra functionality. I recommend reading the manpage for freebsd-update, as it has more functionality than what I've presented here (such as reverting an update with freebsd-update rollback).

I'm going back to the 80's by buying a Hub

I've ordered a network hub to place centrally in my local network. Until now I've been running a low-end switch, which has done a great job shuffling packets to and from the computers in the network. However, I miss some functionality.

While testing applications and tools I feel the need to passively monitor all of the traffic on the network. A switch only forwards a frame to the port where its destination MAC address lives, so a sniffer on another port sees little more than broadcasts. The traditional ways of getting around this are either a switch with port mirroring (often referred to as a SPAN port, available on high-end switches) or a network TAP, which basically is a small device similar to a hub but with very few ports.

Hubs (multiport repeaters) as we all know have some issues, since every frame is repeated out all ports and all ports share one collision domain, which causes huge numbers of collisions on a busy day. However, this is not really an issue for me, as I mainly run one or two computers at a time, with none performing bandwidth-intensive tasks. A hub will give me the functionality I'm looking for, at a low price compared to the other alternatives.

I've ordered a Linksys EtherFast 5-port 10/100 desktop hub, and I hope to get it later today.

The aftershocks of the WMF-vuln

The WMF vulnerability was a necessary evil for the industry, I think. But still, it seems that many fail to take the lesson. Some argue that the vulnerability was drastically overrated and exaggerated; you know, "there were no major incidents" and "this vulnerability wasn't wormable due to the need for user intervention". They fail to see the bigger picture.

Today I read the paper issue of the Swedish magazine Computer Sweden, in which two chief security officers from two large companies commented on Microsoft's way of handling the issue. They give Microsoft an "OK", with the above "quotes" acting as some sort of evidence. What is it with people and automated attack code? Just because a vulnerability isn't wormable doesn't mean it can't do damage. This vulnerability was EXTREMELY easy to exploit in a directed, structured attack, which if successful would do far more damage than a worm that mainly clogs our networks, or spyware that mostly installs software that slows down our computers. Worms, spyware and viruses are far from the worst-case scenario. I bet almost anyone would go for the bait of a carefully crafted mail (use your imagination) with a seemingly related image. Now imagine that you cannot tell an exploited image from an ordinary one: no errors, no lag, nothing. This is more than possible.

People seem to think of hackers as dumb, although the same people cannot for the life of them understand how the blackhat side of security works. How is encrypted data broken without access to the key? How do reverse engineering and heap-based exploits work? How did someone manage to take down our IIS server, or place an FTP warez distribution site in our DMZ? I wonder if people focus on automated attacks simply because they are simple to analyse, to understand and to document; they are more or less static. A directed attack will have its own characteristics, simply because each network looks different, runs different services et cetera, and thus cannot be understood by passively observing some security-related mailing list or news site that happens to discuss the exploit.

I've also seen people saying "the antivirus software was successful in detecting attacks on the vulnerability". This also shows a lack of understanding of the relationship between vulnerability and exploit, and of how signature-based systems work. The WMF vulnerability was detected by antivirus software and most intrusion detection systems through signatures based on the exploits, not on the actual vulnerability. That's why a single signature didn't detect different exploits, and why new versions of the exploits avoided detection. Again, the antivirus software only detected the attacks that were clearly public, but a modification of one of the available exploits would probably go through without detection. Smart attackers won't publish their exploit code on some web page, or send it in a mail to thousands of people. They will use it in a directed attack, against a chosen victim.

This whole issue reminds me of something I read before Christmas. Three people from security-related companies were interviewed for comments on 2005 as a year in security. The security officer from the antivirus company Trend Micro said something like "2005 was a good year for security, without the traditional summer worms". Talk about being narrow-sighted. We have never seen so many serious computer breaches as in 2005. How many times did you read "20,000 customers' credit card details stolen" during 2005? I can almost promise you that these were the effects of directed attacks, and not of worms, viruses or spyware.

Update
I just came across Wikipedia's coverage of the WMF vulnerability. This is the best one I've seen yet, and covers all aspects: the vulnerability, patches, history et cetera.

Update
The British Parliament was hacked during the Christmas days. The attackers exploited the WMF flaw with carefully crafted e-mails sent to a number of people. This is an example of a directed attack. And it was not even that sophisticated.