Sunday, January 15, 2006

DoD CyberCrime Conference Wrap-Up

I attended two conferences last week. The first was the 2006 DoD Cybercrime Conference in Palm Harbor, FL. I spoke there in 2000 while still a captain at the AFCERT, and in 2005 as a civilian. This year I delivered presentations on network incident response and network forensics.

I started the conference on Tuesday afternoon by listening to Alan Paller from SANS. His talk included a "hacking demo" showing a firewall compromised by an IMAP vulnerability, followed by a Red Hat 4.2 box allowing a direct root login with no password, thanks to an unspecified exploit. He also displayed a screen shots of rootshell.com, warforge.com, and NetBus 1.6. What do all of those items have in common? How about the fact that they all went out of style prior to 2000?

In reality, I'm not sure which of the following worries me more:

  1. Seeing Alan present a demo where an OS from 1997 is 0wn3d.

  2. Seeing law enforcement, military, and government audience members taking notes as if something new was being described.


Apart from his demo, I thought Alan made a few interesting remarks, like the following:

  • "A firewall is a steel door on a cardboard house." That is an interesting twist on the old "crunchy perimeter" cliche.

  • "The national cyber defense strategy of the United States it to blame the user." Alan then asked "Which user -- the grandmother or the eight-year-old?" Good point.

  • "Network owners, ISPs, system and software vendors are the only ones who can make cyberspace significantly safer for all of us." Alan also blames system integrators who deliver "solutions" to agencies.


I had a chance to ask Alan why he praises the Air Force contract with Microsoft, while never mentioning the Navy's move to thin clients. Alan was kind enough to call me "one of the good guys," and to say that thin clients are an option that should be explored.

After hearing Alan speak I wandered around until I met a few friends from my AFCERT days. Next I attended Johnny Long's expose of hacking as portrayed in the movies. Parts of it were hilarious. He put a ton of work into that presentation. I next saw the screenwriter of the movie "Enemy of the State" talk about how to portray villains on screen. After an uncomfortably long video clip showing Hitler rant about "one People, one Reich, one Fuehrer," I decided to leave the talk early to visit some friends in St. Petersburg.

I started Wednesday by presenting my own material at 0930. I wanted to see Kerry Long from the Army Research Lab discuss a project called Interrogator, but I missed it. Thankfully Kerry tracked me down and even sat through my second presentation. During lunch he described his talk.

Interrogator is a means to filter, collect, compress, and centrally store network traffic. The problem his project addresses is one I hadn't considered before. Let's say you are a network security vendor. If you want the military to test your product, you probably want them to deploy your gear on a production network. That is usually your only deployment model.

The military does not want to put your device on the network. They would rather test it in a lab. However, lab traffic usually doesn't match production traffic very well. Interrogator allows Kerry to pull large quantities of traffic to a central, trusted location (his lab), where it can be replayed on an isolated network. A security device in the lab can then inspect the traffic.

After lunch I gave a second talk, and then I listened to Jennifer Christianson discuss tips and tricks for host-based forensics. She basically reminded me that anybody can talk the talk of doing forensics (or any other technical job), but you have to do it on a daily basis to really know what you are doing. It's been a while since I had to do any host-based forensics, so I was reminded of the importance of regular hands-on problem-solving tasks. The next talk absolutely justified me paying my way to the conference and not leaving immediately after my talks. I listened to Dr. Nasir Memon from Polytechnic University in Brooklyn, NY describe ForNet. This is the coolest project I have heard of in years.

ForNet summarizes network traffic it observes on the wire. Dr. Memon described summarizing 1-2 TB of network traffic down to 20 GB. He uses a system of hashing and statistical probabilities involving Bloom Filters to describe the traffic. This does not mean one can inspect that 20 GB of traffic and see original packets. Rather, one can query ForNet and ask "have you ever seen traffic that looks like this?" "This" could be the payload of a worm, part of an email, a movie, and so on.

Beyond summarizing traffic, ForNet tracks a variety of characteristics about what it sees. It collects a form of extended session data called NeoFlow that includes a judgment about the type of data seen. For example, if ForNet samples traffic from a stream it can identify it as being encrypted, or text, or audio, or video, and so on. One could then query for "all audio sessions" and find people trading music. The ForNet team has used this function to query for forms of data that should not be expected from certain systems. If a server should not communicate with encryption, but it does, perhaps it is compromised.

This is an amazing achievement. I suggest reading the papers on the ForNet Web site. You may also find this .ppt interesting. Keep an eye on this blog as well; Dr. Memon invited me to visit his lab in New York and see ForNet in action. He hopes to release ForNet (written in C, maybe runs on BSD already!) as an open source project.

I found Interrogator and ForNet to be exciting ways to focus network security monitoring on application-level data, in an age where bandwidth is always an issue. Products like Sniffer InfiniStream work by collecting vast amounts of traffic in raw form, but they tend to be expensive. These projects also reminded me to watch the Network Trace Archival and Retrieval (NTAR) project for developments.

I ended Wednesday by participating in a book signing. I sat for an hour, signed one book, and gave copies of my three books away to a few stalwart visitors.

On Thursday I started the day learning of the hoops that legal folk have to jump through to get data from ISPs and online companies like Yahoo!. I then listened to Michael Davis from the Army Developmental Test Command talk about IPv6.

The IPv6 talk reminded me to ask this question: who reading this blog has a native IPv6 connection? In other words, you're not talking IPv6 through a tunnel. If you have such a connection, would anyone be willing to give me a shell account on a box with native IPv6 connectivity? I could figure out how to use a tunnel service to escape my IPv4 Comcast connection and connect to the shell account. I am looking for a place to learn more about IPv6.

After the IPv6 presentation I heard researchers from Lucent describe their "RouterShield," which was unfortunately more boring than I expected. The pair did make a good point when they said too much or too little traffic from a host can be suspicious. I also heard news of a project at the University of Wisconsin called Nemean that received press for creating Snort signatures.

Cynthia Hetherington's talk was very good. She outlined ways to gather information on people using the Internet and pay-for-use databases. She also explained six steps to take to reduce one's public profile. She said we will have to begin using the techniques pioneered by "celebrities and fraud artists" if we wish to protect our identities.

I ended the say seeing Kevin Mandia discuss malware analysis. He said a recent foresnics case involved 54 binaries, of which 29 were non-public, 44 were not detected by anti-virus, and 10 were packed by four different methods. He reported another case where the intruder overwrote IIS Web logs. Kevin described cases where dumping memory with dd revealed indicators of many compromised systems. Kevin also said he's used dd to duplicate hard drives of live machines, which he then analyzed using EnCase. He mentioned a tool called PEView and Immunity's libdisassemble.

Before I left for the airport I got a chance to discuss future directions for Kevin's company. I recommend keeping an eye on Red Cliff's Web site, especially in mid-February, for some exciting changes.

Overall I thought DoD Cybercrime was a great conference. I hope to speak next year. Did anyone else attend? If so, what are your thoughts?

4 comments:

Anonymous said...

Interrogator sounds like CITI's Packet Vault.

Richard Bejtlich said...

I have heard of that project. Packet Vault does not appear to make any special effort to reduce traffic, perhaps beyond simple compression?

Eric said...

Hi Richard, I attended the conference too and share your sentiments on two fronts: Alan Paller and Dr. Nasir Memon. Alan gets so much ink as Director of SANS, yet I don't know why. His presentation demonstrated little technical understanding, particularly during his woeful attack demonstration. On the subject of real threats, he certainly can't pass on an opportunity to mention Titan Rain, but continues to give the impression SANS had something to do with the Titan Rain investigation. "As best as we can tell..." he says. Who's "we"? Did those alleged Guondong province hackers also hit isc.sans.org? Or did SANS obtain access to forensic evidence from gov't/mil systems? If so, why?

It was troublesome how many conferees I overheard lauding his presentation and suggesting organizing further presentations.

On to Dr. Memon, who gave two phenomenal presentations. I had heard of ForNet prior to this conference, but had no idea how it could work. It simply blew me away. The distinction that ForNet doesn't store full packet contents opens fascinating legal opportunities. Wouldn't storing a hash of a packet fall under the pen register/trap and trace clauses of wiretap laws? Could LEO have a wiretap enacted on an individual, but use ForNet to identify if any other parties are trafficking the same information on the wire? The DOJ lawyers who presented Patriot Act trespasser wiretapping should give the good Professor a ring.

His second presentation on reassembling files from individual pieces was also very interesting. He reduced reassembling a file to solving a Hamiltonian graph. All your chunks are nodes on a graph, and the statistical likelihood that two pieces connect is the weight on that segment. Now, find the path with the highest weight.

Cheers to Dr. Memon and all his grad students for research par excellence! And cheers to the DC3 for another fantastic conference!

Anonymous said...

>I sat for an hour, signed one
>book, and gave copies of my three
>books away to a few stalwart
>visitors.

This is why I would trust Richard's opinion on security matters above that of many others; he has integrity! [to say what no other book author likes to say]