Posts

Showing posts from April, 2007

Help SANS with Security Career Stories

The latest issue of the SANS @Risk (link will work shortly) newsletter contains this request: Project In Which You Might Contribute: Career models for information security. If you know of someone who has accomplished a lot in security by exploiting deep technical skills, and moved up in their organizations, please write is a little note about them to apaller [at] sans [dot] org. We have been asked by five different publications for articles or interviews on how to make a successful career in information security. A couple of the editors have heard that security folks with soft skills are no longer in demand and they want to hear about models of success for people with more technical backgrounds. No names or companies will be disclosed without written permission. If you can share a story, please email Alan Paller as indicated above. This is another opportunity for the technical people of the security world to make our mark.

Open Source Training

I'd like to mention a few notes on training for open source software that appeared on my radar recently. The first is Wireshark University , the result of collaboration among Laura Chappell and her Protocol Analysis Institute , Gerald Combs ( Wireshark author), and CACE Technologies , maintainers/developers of WinPcap and AirPcap . WiresharkU is offering a certification and four DVD-based courses , along with live training delivered through another vendor. WiresharkU's content looks pretty simple, but I guess beginners need to start somewhere. If you want to understand more advanced security-related network traffic, I recommend one of my TCP/IP Weapons School classes, offered at Techno Security in Myrtle Beach, SC in June; USENIX 2007 in Santa Clara, CA in June; and Black Hat Training in Las Vegas, NV in July. On a related Wireshark note, a client recently asked why Lua was required on a sensor he built. He had heard about Lua and Snort 3.0 but was running Snort ...

What Should the Feds Do

Recently I discussed Federal digital security in Initial Thoughts on Digital Security Hearing . Some might think it's easy for me to critique the Feds but difficult to propose solutions. I thought I would try offering a few ideas, should I be called to testify on proposed remedies. For a long-term approach, I recommend the steps offered in Security Operations Fundamentals . Those are operational steps to be implemented on a site-by-site basis, and completing all of them across the Federal government would probably take a decade. In the short term (over the next 12 months) I recommend the following. These ideas are based on the plan the Air Force implemented over fifteen years ago, partially documented in Network Security Monitoring History along with more recent initiatives. Identify all Federal networks and points of connectivity to the Internet. This step should already be underway, along with the next one, as part of OMB IPv6 initiative . The Feds must recognize the s...

Two Pre-reviews

I'm going to spend more time hanging in the sky over the coming weeks, so I plan to read and review many books. Publishers were kind enough to send two which I look forward to reading. The first is Designing BSD Rootkits by Joseph Kong. I mentioned this book last year . Publisher No Starch quotes me as saying "If you understand C and want to learn how to manipulate the FreeBSD kernel, Designing BSD Rootkits is for you. Peer into the depths of a powerful operating system and bend it to your will!" The second book I plan to read is IT Auditing: Using Controls to Protect Information Assets by Chris Davis, Mike Schiller, and Kevin Wheeler. Contrary to what you might think, I am not instinctively at odds with auditors. In fact, I believe working with them is more productive than working against them. I hope this book, published by McGraw-Hill/Osborne , helps me understand their world.

Initial Thoughts on Digital Security Hearing

Image
Several news outlets are reporting on the hearing I mentioned in my post When FISMA Bites . There following excerpts appear in Lawmakers decry continued vulnerability of federal computers : The network intrusions at State and Commerce follow years of documented failure to comply with the Federal Information Security Management Act (FISMA), which requires agencies to maintain a complete inventory of network devices and systems. Government and industry officials at the hearing acknowledged a disconnect between FISMA's intent and effecting improved network security. "The current system that provides letter grades seems to have no connection to actual security," said Rep. Zoe Lofgren, D-Calif. (emphasis added) WOW -- does Zoe Lofgren read my blog? Some lawmakers are considering whether the Department of Homeland Security should be given primary responsibility for overseeing federal network security, but officials at DHS and elsewhere suggested that wouldn't be the bes...

Pirates in the Malacca Strait

Given my recent post Taking the Fight to the Enemy Revisted , does this AP report sound familiar? Countries lining the Malacca Strait have vastly improved security in the strategic shipping route over the last five years, the top U.S. commander in the Pacific said on Monday... Attacks in the Malacca Strait have been on the decline with only 11 cases last year compared to 18 in 2005 and 38 in 2004, according to the International Maritime Bureau, a martime watchdog... Indonesia, Malaysia and Singapore began stepping up their surveillance by coordinating sea patrols in 2004 and following with air patrols a year later. Last August, the British insurance market Lloyd's lifted its "war-risk" rating for the waterway, saying the safety of the 550-mile-long strait had improved due to long-term security measures. (emphasis added) Despite this development, Malaysia is looking for alternatives to shipping when transporting oil, according to this article : A proposed oil pipeline pr...

CALEA Mania

CALEA is the Communications Assistance for Law Enforcement Act . I wrote about CALEA three years ago in Excellent Coverage of Wiretapping : CALEA requires telecommunications carriers to allow law enforcement "to intercept, to the exclusion of any other communications, all wire and electronic communications carried by the carrier" and "to access call-identifying information," among other powers. A lot has happened since then. Basically, all facilities-based broadband access providers and interconnected VoIP service providers must be CALEA-compliant by 14 May 2007. This means a lot of companies, of all sizes, are scrambling to deploy processes and tools to collect information in accordance with the law, as well as filing the right reports with the FCC . If you're affected by CALEA I don't think you'll learn much from this post. However, those who do not work for ISPs might like to know a little bit about what is happening. (Note: I am not perso...

War in the Third Domain

Recently I wrote Taking the Fight to the Enemy Revisited that mentioned air power concepts as they relate to information warfare. The Air Force Association just published a story by Hampton Stephens titled War in the Third Domain . I found several points quoteworthy. When the Air Force formed Air Force Space Command in 1982, it marked formal recognition that space was a distinct operating arena. The first commander, Gen. James V. Hartinger, said, “Space is a place. ... It is a theater of operations, and it was just a matter of time until we treated it as such..." The Air Force has come to recognize cyberspace, like “regular” space, as an arena of human activity—including armed activity. It is, to reprise Hartinger, a theater of operations... Though Cyber Command has not yet reached full major command status, it already is providing combat capabilities in cyberspace to the unified US Strategic Command and combatant commanders, according to Air Force officials. Cyber Command has ...

Why UTM Will Win

Image
We know how many words a picture is worth. The figure at left, from Boxed In by Information Security magazine, shows why Unified Threat Management appliances are going to replace all the middleboxes in the modern enterprise. At some point the UTM will be the firewall, so the gold UTM box above will also disappear. In some places even the firewall will disappear and all network security functions will collapse into switches and/or routers . I'd like to show one other diagram from the story. Figures like these, showing which products and their "features," are another reason UTM will replace point product middleboxes. "Hey, I read in this magazine that product X checks 7 boxes, but product Y only checks 3. Let's look at product X." These are the sorts of figures that people who are not security experts and are not interested in or capable of assessing security products like. Just because I think this is going to happen (or is happening -- look at wh...

Threat Advantages

My post Fight to Your Strengths listed some of the advantages a prepared enterprise might possess when facing an intruder. I thought it helpful to list a few advantages I see for intruders. Initiative : By virtue of being on the offensive, intruders have the initiative. Unless threats are being apprehended, prosecuted, and incarcerated, intruders are free to pick the victim, the time and nature of the attack, the means of command and control (if desired), and many other variables. Defenders can limit the enemy's freedom of maneuver, but the intruder retains the initiative. Flexibility : Intruders have extreme flexibility. Especially on targets where stealth is not a big deal, intruders can experiment with a variety of exploitation and control tools and tactics. Defenders, on the other hand, have to take special care when applying patches, performing memory- or host-based forensics, and other administrative duties. Defenders have to conform to organizational policies and user...

USENIX HotBots Papers Posted

If you want to read recent good research on bot nets, visit the USENIX HotBots workshop site. They've posted all the speakers' papers for visitors to read for free. Several look very interesting.

Fight to Your Strengths

Image
Recently I mentioned the History Channel show Dogfights . One episode described air combat between fast, well-turning, lightly-armored-and-gunned Japanese Zeroes and slower, poor-turning, heavily-armored-and-gunned American F6F Hellcats. The Marine Top Gun instructor/commentator noted the only way the Hellcat could beat the Zero was to fight to its strengths and not fight the sort of battle the Zero would prefer. Often this meant head-to-head confrontations where the Hellcat's superior armor and guns would outlast and pummel the Zero. When I studied American Kenpo in San Antonio, TX, my instructor Curtis Abernathy expressed similar sentiments. He said "Make the opponent fight your fight. Don't try to out-punch a boxer. Don't try to out-kick a kicker. Don't try to wrestle a grappler." And so on. I thought about these concepts today waiting in another airport. I wondered what sorts of strengths network defenders might have, and if we could try forcin...

When FISMA Bites

After reading State Department to face hearing on '06 security breach I realized when FISMA might actually matter: combine repeated poor FISMA scores (say three F's and one D+) with publicly reported security breaches , and now Congress is investigating the State Department: In a letter sent to Secretary of State Condoleeza Rice on April 6, committee Chairman Bennie Thompson asked the department to provide specific information regarding how quickly department security specialists detected the attack, whether the department knows how long the attackers had access to the network and what other systems may have been compromised during the attack. The three-page letter also asks the department to provide evidence that it completely eliminated any malicious software the attackers may have planted, as well as documentation of all of the communications between State and the Department of Homeland Security regarding the incident. I'm going to keep an eye on the Subcommittee on E...

Management by Fact: Flight Data Recorder for Windows

Whenever I fly I use the time to read ;login: magazine from USENIX . Chad Verbowksi 's article The Secret Lives of Computers Exposed: Flight Data Recorder for Windows in the April 2007 issue was fascinating. (Nonmembers can't access it until next year -- sorry.) Chad describes FDR: Flight Data Recorder (FDR) collects events with virtually no system impact, achieves 350:1 compression (0.7 bytes per event), and analyzes a machine day of events in 3 seconds (10 million events per second) without a database. How is this possible, you ask? It turns out that computers tend to do highly repetitive tasks, which means that our event logs (along with nearly all other logs from Web servers, mail servers, and application traces) consist of highly repetitive activities. This is a comforting fact, because if they were truly doing 28 million distinct things every day it would be impossible for us to manage them. Ok, that's cool by itself. However, the insights gained from these lo...

Exaggerated Insider Threats

I got a chance to listen to Adam Shostack 's talk at ShmooCon. When I heard him slaughter my name my ears perked up. (It's "bate-lik".) :) I hadn't seen his slides (.pdf) until now, but I noticed he cited my post Of Course Insiders Cause Fewer Security Incidents where I questioned the preponderance of insider threats . I thought Adam's talk was good, although he really didn't support the title of his talk. It seemed more like "security breaches won't really hurt you," rather than breaches benefitting you. That's fine though. When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt 60 percent of the incidents involved organizational mismanagement as a way to question my assertion that insiders account for fewer intrusions than outsiders. At t...

Bejtlich Teaching at USENIX Annual

USENIX just posted details on USENIX Annual 2007 in Santa Clara, CA, 17-22 June 2007. I'll be teaching Network Security Monitoring with Open Source Tools and TCP/IP Weapons School (layers 2-3) day one and day two . I will most likely teach layers 4-7 for USENIX at USENIX Security in Boston, MA, 6-10 August 2007. Register before 1 June to get the best deal. I hope to see you there or at another training event this year!

It Takes a Thief

Image
Yesterday I watched an episode of the Discovery Channel series It Takes a Thief . This is the essence of the show: Business or homeowners agree to have the physical security of their property tested. Former thieves case the target, then rob it blind. Victims review videotape showing how thieves accomplished their task. Victims exhibit shock and awe. Hosts help victims improve the physical security of their property. Former thieves conduct a second robbery to assess the improved security measures. I have mixed feelings about the show. First, I'm not thrilled by the attention given to the former thieves. Reading this question and answer session with them made me uneasy. I justify watching the show and mentioning it here because the lessons for security are helpful. However, it seems to be rewarding criminal behavior and glorifying theft. I would feel better if these guys acted more like Frank Abagnale (who has had to deal with controversy in our industry). Mr. Abagnale alwa...

Brief Thoughts on Security Education

Once in a while I get requests from blog readers for recommendations on security education. I am obviously biased because I offer training independently, in private and public forums. However, I've attended or spoken at just about every mainstream security forum, so I thought I would provide a few brief thoughts on the subject. First, decide if you want to attend training , briefings , or classes . I consider training to be an event of at least 1/2 day or longer. Anything less than 1/2 day is a briefing, and is probably part of a conference. Some conferences include training, so the two topics are not mutually exclusive. Classes include courses offered by .edu's. Training events focus on a specific problem set or technology, for an extended period of time. Training is usually a stand-alone affair. For example, when I prepared for my CCNA , took a week-long class by Global Net Training . If I choose to pursue the CCNP I will return to GNT for more training. I seldom a...

FISMA Dogfights

Image
My favorite show on The History Channel is Dogfights . Although I wore the US Air Force uniform for 11 years I was not a pilot. I did get "incentive" rides in T-37, F-16D, and F-15E jets as a USAFA cadet. Those experiences made me appreciate the rigor of being a fighter pilot. After watching Dogfights and learning from pilots who fought MiGs over North Vietnam, one on six, I have a new appreciation for their line of work. All that matters in a dogfight is winning, which means shooting down your opponent or making him exit the fight. A draw happens when both adversaries decide to fight another day. If you lose a dogfight you die or end up as a prisoner of war. If you're lucky you survive ejection and somehow escape capture. Winning a dogfight is not all about pilot skill vs pilot skill. Many of the dogfights I watched involved American pilots who learned enemy tactics and intentions from earlier combat. Some of the pilots also knew the capabilities of enemy aircr...

Month of Owned Corporations

Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence . SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest of Abuse (DOA) report which lists autonomous system numbers of networks hosting those systems. SI published the latest DOA report Monday and they are now using that data to illustrate individual companies hosting compromised systems. They started with 3M , then moved to Thomson Financial , AIG , and now Aflac . For these examples SI cites corporate machines sending spam, among other activities. Brian Krebs reported on other companies exhibiting the same behavior based on his conversations with SI. This is the kind of metric I like to see. Who cares about percentage of machines with anti-virus, blah blah. Instead, consider these: is my company -- or agency -- listed on the SI DOA report? If so, how high? Is that ranking high...

FISMA 2006 Scores

Image
There are FISMA scores for 2006, along with 2005, 2004 , and 2003 -- some of which I discussed previously. What I wrote earlier still stands: Notice that these grades do not reflect the effectiveness of any of these security measurements. An agency could be completely 0wn3d (compromised in manager-speak) and it could still receive high scores. I imagine it is difficult to grade effectiveness until a common set of security metrics is developed, including ways to count and assess incidents. I still believe FISMA is a joke and a jobs program for so-called security companies without the technical skills to operationally defend systems. The only benefit I've seen from FISMA is that low-scoring agencies are being embarrassed into doing more certification and accreditation. C&A is a waste of time and money. However, if security staff can redirect some of that time and money into technical security work that really makes a difference, then FISMA is indirectly helping agencies w...

Bejtlich Speaking at Secure Development World

On 13 September 2007 at 0915 I will discuss the Self-Defeating Network at the Secure Development World conference in Alexandria, VA. I was invited to speak even though I am not exactly "active" in the secure programming arena. The conference organizers asked me to speak from the operational point of view so developers understand what end users want and need. The list of speakers already looks good -- check it out.

Training an IDS

Image
Thanks to the newly named Threat Level I read Women at Love Field 'Acting Suspiciously' and Airport Watch Figure Confirms Terrorist Tie . You can obviously make up your own mind about these two, but I'm glad the police were alert enough to grab them. Here's a few choice quotes. I promise to tie this to digital security. "I'm a trained sniper and proud of it," Ms. Al-Homsi said in an interview Thursday after first refusing to comment on whether she has any terrorism ties. She then said no. Unless this is a lie, I doubt this lady received training in the US military. So where else would she be trained to be a sniper? She said that she practices her rifle skills at the Alpine Shooting Range in Fort Worth. An employee confirmed that she's been going there for years. "In all the Muslim garb, shooting an assault weapon, it seemed at first like she was trying to draw attention," said Dave Rodgers. " But then she came out so much, it bec...

Burning CDs on Ubuntu

Sometimes this blog is just a place for me to take notes on tasks I want to repeat in the future, like burning CDs. In this case I'm running Ubuntu and using the new portable Sony DRX-S50U Multi-Format DVD Burner I bought to accompany my Thinkpad x60s on the road. First I created an .iso of the files I wanted on the CD-R. richard@neely:/var/tmp$ mkisofs -J -R -o /data/shmoocon2007hack.iso shmoocon2007/ INFO: UTF-8 character encoding detected by locale settings. Assuming UTF-8 encoded filenames on source filesystem, use -input-charset to override. Using shmoo000.pca;1 for /shmoocon_hack_rd2_timeadj.pcap (shmoocon_hack_rd1_timeadj.pcap) 1.68% done, estimate finish Wed Apr 11 21:23:45 2007 ...truncated... Second I asked cdrecord to find the burner. richard@neely:/var/tmp$ sudo cdrecord -scanbus Cdrecord-Clone 2.01.01a03 (i686-pc-linux-gnu) Copyright (C) 1995-2005 Joerg Schilling NOTE: this version of cdrecord is an inofficial (modified) release of cdrecord ...

Network Security Monitoring History

Image
Recently a network forensics vendor was kind enough to spend some time on a WebEx-type session describing their product. I try to stay current with technology so I can offer suggestions to clients with budgets for commercial products. During the talk the presenter was very excited by his company's capability to collect all traffic and examine it later for troubleshooting and security purposes. He implied this was a "new capability in this space," so I asked if he had read any of my books. He said no, but he did read my blog. It occurred to me that it might be helpful to reprint the history of NSM I wrote for Tao of Network Security Monitoring . I'm doing this for three reasons. First, I want people to know that the ideas I've been publicly evangalizing since 2002 actually date back 10, perhaps 13 years earlier. I take credit for paying attention to smart people with whom I worked when I first started in this field. I don't take credit for inventing the...