TaoSecurity Blog

My only public Network Security Operations class scheduled for 2006 begins in two weeks. The class is almost full, but I have a few seats left. I've published new prices: Register by 5 June 2006: $2595/student Register by noon on 12 June 2006: $2695/student I will not be able to accept any more students past noon on Monday 12 June. ISSA members receive a 10% discount. This week I will also teach a one day course on Network Security Monitoring with Open Source Tools at the USENIX 2006 Annual Technical Conference in Boston, MA on Friday, 2 June 2006. This is the course to attend if you want to learn the essential components of network security monitoring. We will use tools on my Sguil VM in this class. Later this summer I will teach a brand new, two day course called TCP/IP Weapons School at USENIX Security 2006 in Vancouver, BC on 31 July and 1 August 2006. Are you a junior security analyst or an administrator who wants to learn more about TCP/IP? Are you afraid to be

CIO Magazine absolutely hammered government IT in its lengthy story Federal I.T. Flunks Out . You wouldn't read that news in FCW. Commenting on the problem is this former IRS CIO: "Ultimately this is a security threat," says John Reece, a former IRS CIO and now a consultant to the federal government. "If we can't get beyond the legacy systems we have today, while our enemies are starting off with state-of-the-art technology, what's going to happen is they're going to absolutely tear us to pieces again." Wrong. It's not a security threat. Poor IT management is a vulnerability. Argh.

I thought three examples of threats, with corresponding vulnerabilities, etc., might help convince those who doubt the proper use of these terms. Let's start with a mythical example: Achilles . I'll use Achilles' point of view. Risk: Death of Achilles. Asset: Achilles' life. Vulnerability: Achilles' heel. (Achilles was invulnerable, save the portion of his heel where his mother held while dipping him in the River Styx. This is the most popular version of the myth.) Threat: Paris, who shot Achilles in the heel with an arrow. Exploit: The arrow show by Paris. Let's now look at an example from one of the best movies of all time: The Karate Kid . I'll use Daniel's point of view. Risk: Loss of tournament, thereby letting Johnny Lawrence win. Asset: Daniel LaRusso's fighting ability. Vulnerability: Leg injured in previous fight. Threat: Johnny Lawrence. Exploit: Strike to the injured leg. Man, that was funny. Here is the third example, from Star War

It's time once again to talk about threats! Yes, you guessed it. While reading back issues of FCW I encountered good -- and bad -- uses of the term "threat." Mostly, threat was used where vulnerability should have appeared. Let's briefly review the definition I provided in my books : A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. For example, an intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities. I've written about proper use of the term threat many times before. Let's look at a few examples from FCW that show why it's important to use the right term when communicating among security professionals. First, consider the article Cybersecurity research plan identifies threats . The story discusses the Federal Plan for

I've had a chance to read issues of Federal Computer Weekly delivered while I was on vacation. I like reading FCW because it gives me some insight into the madness found inside the Beltway. I enjoyed reading Wanted: Information assurance-savvy people , which discussed DoD's plans for certifying IT staff. I've examined this issue before. Here's a quote by someone who understands the problems with DoD's plan: Alan Paller, director of research at the SANS Institute, said DOD should have no problem meeting its initial target of 80,000-plus employees trained and accredited in information assurance. But he doesn’t think the baseline certification that DOD requires will produce a workforce capable of securing the military’s systems. “The problem is that the bulk of the certifications don’t teach people how to do security,” Paller said. “Certified people will be able to talk about security, but they won’t know how to do it — to actually encrypt data and do the necessar

Sometimes I read configuration guides that advise installing anti-virus products on servers. Since I don't run Windows servers in production environments, I can usually ignore such advice. The proponents of the "anti-virus everywhere" mindset think that adding anti-virus is, at the very least, a "defense-in-depth" measure. This was debated last year , actually. A lesson I learned from the excellent book Protect Your Windows Network is that "defense-in-depth" is not a cost-free justification for security measures. Every configuration and installation aspect of a system provides benefits as well as costs. Something implemented for "defense-in-depth" (whether truly believed to be helpful, or ignorantly applied) may turn out to harm a system. Thanks to Harlan Carvey , I learned of another example of a defense-in-depth technique damaging security. This is the worst of all possible worlds -- adding a security measure that results in massive

Apparently the Defense Security Service has resumed "processing initial Secret requests." That is "security officer"-speak meaning DSS is again working on requests for Secret clearances from people who have not held them before. The notice continues: " DISCO [Defense Industrial Security Clearance Office] will begin processing initial Top Secret requests and periodic reinvestigation requests for both Secret and Top Secret upon receipt of additional funding." That means those who have not held a Top Secret clearance but require one will still wait. Also in the queue are those needing a periodic reinvestigation for their Secret or TS clearance. The Washington Post noted that Congressman Davis planned to hold a hearing a week ago on the affair, but I can't find any transcripts. I thought the comments in the SANS Newsbites Vol 8 Issue 41 (link will work shortly) were astute: Editor's Note (Pescatore): What is really needed is a review to det

I tried SinFP today. It's a host fingerprinting tool by Patrice Auffret, owner of the cat. The SinFP feature I find interesting is its lack of using odd packets (a la Nmap ) to discover remote operating systems. I tried installing SinFP using CPAN on FreeBSD 6.0, but I got the following errors. cpan> install Net::SinFP CPAN: Storable loaded ok LWP not available Fetching with Net::FTP: ftp://archive.progeny.com/CPAN/authors/01mailrc.txt.gz Going to read /usr/local/cpan/sources/authors/01mailrc.txt.gz LWP not available Fetching with Net::FTP: ftp://archive.progeny.com/CPAN/modules/02packages.details.txt.gz Going to read /usr/local/cpan/sources/modules/02packages.details.txt.gz Database was generated on Sun, 21 May 2006 09:26:33 GMT HTTP::Date not available There's a new CPAN.pm version (v1.87) available! [Current version is v1.7602] You might want to try install Bundle::CPAN reload cpan without quitting the current session. It should be a seamless u

I haven't been blogging for the past two weeks because my family and I were traveling in Europe. Part of our trip included speaking at the University of Cambridge Computer Laboratory Security Group Seminar Series in Cambridge, UK, on network security monitoring . This was the same group I mentioned in February . I'd like to thank Saar Drimer and Stephen Lewis for arranging my visit. I was fortunate enough to have Professor Ross Anderson , author of Security Engineering , and Frank Stajano , author of Security for Ubiquitous Computing , in the audience. I had lunch with FreeBSD core team developer Robert Watson and Netdude developer Christian Kreibich , both of whom I had wanted to meet for a while. Jolyon Clulow and Steven Murdoch were kind enough to show my family and me the various colleges. As a result of this trip, my family and me are strongly inclined to pursue the PhD program , starting in the fall of 2007. I have a busy week of consulting lined up, but I

Two publishers were kind enough to send me review copies of two of their new books. The first is Windows Forensics: The Field Guide for Corporate Computer Investigations by Chad Steel, published by Wiley . This book looks like more of an introductory text that does not delve too deeply into any single set of specifics. I'm worried that the section that mentions sniffing network traffic talks about "vampire taps." Hello early 1990s and coax cable. The second book is Hacker's Challenge 3 by David Pollino, Bill Pennington, Tony Bradley, and Himanshu Dwivedi. published by Osborne . I liked the first two books in this series. I think scenarios to test analytical skills are good ways for people to learn security skills. Here's hoping this set of 20 stories offers a mix of problems and solutions.

Amazon.com just posted my four star review of The Database Hacker's Handbook by NGS Software members David Litchfield, Chris Anley, John Heasman, and Bill Grindlay. From the review : The Database Hacker's Handbook (TDHH) is unique for two reasons. First, it is written by experts who spend their lives breaking database systems. Their depth of knowledge is unparalleled. Second, TDHH addresses security for Oracle, IBM DB2, IBM Informix, Sybase ASE, MySQL, Microsoft SQL Server, and PostgreSQL. No other database security book discusses as many products. For this reason, TDHH merits four stars. If a second edition of the book addresses some of my later suggestions, five stars should be easy to achieve.

I've written about problems with security clearances before. Now I read Pentagon Halts Contractor Clearances . I recommend reading the article for details, but the bottom line is this sort of failure requires Congressional investigation. A private company with the same sorts of operational disasters would be without clients and bankrupt by now. The Federal government justs plods along.

My alma mater, the United States Air Force Academy won the sixth annual Cyber Defense Exercise last month. The aggressors were members of NSA's Red Team, and the cadets were the defenders. I'd like to attend one of these exercises and monitor the activities using Sguil . Please send email to taosecurity at gmail dot com if you have any connections. Go Air Force!

Here's an informative and scary article titled Forensic Felonies . It warns of a new Georgia law that may require incident response and forensics investigators to be licensed private investigators. Article author Mark Rasch notes: Georgia is not the only state that requires private investigators or private detectives to be licensed. Indeed, the Georgia law is in fact modeled after similar laws in California, Arizona, Utah, Nevada, Texas, Delaware, and New York – just to name a few. In each of these cases, the law requires that a person providing the defined "investigative" services for remuneration be licensed in that state as a Private Investigator. Good grief. This has to be promoted by criminal elements. What a great way to keep security experts from helping identify and remove threats? It's probably also a play by the Private Investigator community to get their hands on more security work. That's similar to an argument I heard from a lawyer once that al

I found another article containing unrealistic expectations for IT staff. It's in the 1 May 2006 issue of CIO Magazine , titled The Postmodern Manifesto . It begins this way: The service-fulfillment model for IT is dying. A new philosophy of innovation and productivity is being born. Here’s what CIOs need to do to usher in a new age of IT. Excuse me? IT as a service is already dying? I know plenty of shops who are only now jumping on the service bandwagon. I guess magazines like CIO have an incentive to write about whatever they consider to be "new," since people want to stay "on the edge." Let's see what advice this article provides. The Postmodern IT Department will be smaller, more distributed and dependent on a tightly integrated supply chain of vendors. It will be in desperate need of multitalented specialists who have in-depth technology knowledge but who can also create new products and capabilities that businesspeople might never have envision

On my flights to and from the GFIRST 2006 conference this week, I got a chance to read the manual for Snort 2.6.0RC1 . The most obvious addition to Snort 2.6 is the ability to add preprocessors, detection capabilities, and rules as dynamically loadable modules. This feature is activated by running configure with the --enable-dynamicplugin switch. Preprocessors and detection capabilities are more of an issue for Snort developers, since few Snort users code their own features. The advantage of the dynamic engine is that developers can write their own modules without having to patch Snort itself. Most Snort users customize Snort by writing their own rules. Beginning with Snort 2.6.0RC1, the new C-style rule language is in place. If you read the snort_manual.pdf included with snort-2.6.0RC1.tar.gz, you will see a discussion of the new format starting in section 5.1.5 (Dynamic Rules). Here is an example of a rule in the old format: alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET