Showing posts from May, 2007

I Have Seen the Future, and It Is Monitored

Today I spoke at the ISS World Spring 2007 conference in Alexandria, VA. ISS stands for Intelligence Support Systems. The speakers, attendees, and vendors are part of or support legal and government agencies that perform Lawful Intercept (LI) and associated monitoring activities. Many attendees appeared to be from county, state, and federal law enforcement agencies (LEAs). Others were wired and wireless service providers who are responsible for fulfilling LI requests. This was a very different crowd. Even when cops attend security conferences (like Fed, I mean Black, Hat) the vibe is different. At security cons it's seen to be cool if one has mad offensive sk1llz. This group was all about acquiring the information needed to go to court to convict bad guys. One theme immediately grabbed my attention, and it's going to eventually affect every entity that provides technological services: Today lawful intercept monitors lines. Tomorrow lawful intercept will monitor servic

Interview with Designing BSD Rootkits Author

If you like rootkits and/or FreeBSD try reading this interview with Designing BSD Rootkits author Joseph Kong. This amazes me: Could you introduce yourself? Joseph Kong: I am a relatively young (24 years old) self-taught computer enthusiast who enjoys working (or playing, depending on how you look at it) in the field of computer security; specifically, at the low-level... When did you hear about rootkits for the first time? Joseph Kong: The first time I heard the term "rootkits" was in 2004--straight out of the mouth of Greg Hoglund, who was at the time promoting his new book Exploiting Software: How to Break Code. That's actually how I got into rootkit programming. Thanks Greg. :) Wow. Zero to book on rootkits in 3 years -- that's cool. Now for a bit of wisdom: Do you know any anti-rootkit tool/product for *BSD? I know a lot of people who refer to rootkits and rootkit-detectors as being in a big game of cat and mouse. However, it's really more like follow t

Owning the Platform

At AusCERT last week one of the speakers mentioned the regular autumn spike in malicious traffic from malware-infested student laptops joining the university network. Apparently this university supports the variety of equipment students inevitably bring to school, because they require or at least expect students to possess computing hardware. The university owns the infrastructure, but the students own the platform. This has been the norm at universities for years. A week earlier I attended a different session where the "consumerization" of information technology was the subject. I got to meet Greg Shipley from Neohapsis, incidentally -- great guy. This question was asked: if companies don't provide cellphones for employees, why do companies provide laptops? Extend this issue a few years into the future and you see that many of our cellphones will be as powerful as our laptops are now. If you consider the possibility of server-centric, thin client computing, most

Electronic Discovery Resources

The Economist recently published Electronic discovery: Of bytes and briefs. To summarize: As technology changes the way people communicate, the legal system is stumbling to keep up. The “discovery” process, whereby both parties to a lawsuit share relevant documents with each other, used to involve physically handing over a few boxes of papers. But now that most documents are created and stored electronically, it is mostly about retrieving files from computers. This has two important consequences... First, e-discovery is more intrusive than the traditional sort... Second, e-discovery is more burdensome than the old sort. I think I first mentioned ediscovery last year in Forensics Warnings from CIO Magazine. I am acquainting myself with the intrusiveness and burden of this process in preparation for some new work. The article mentioned the Institute for the Advancement of the American Legal System (IAALS), which published Navigating the Hazards of E-Discovery: A Manual for Judges

MRAPs Lose to Arms Race

Three weeks ago I wrote about Vulnerability-Centric Security regarding the Mine Resistant Ambush Protected (MRAP) vehicle, the US Army's replacement for the Humvee pictured at left. I consider the MRAP an example of the failures of vulnerability-centric security. This morning USA Today's story MRAPs can't stop newest weapon validates my thoughts: New military vehicles that are supposed to better protect troops from roadside explosions in Iraq aren't strong enough to withstand the latest type of bombs used by insurgents, according to Pentagon documents and military officials. As a result, the vehicles need more armor added to them, according to a January Marine Corps document provided to USA TODAY... "Ricocheting hull fragments, equipment debris and the penetrating slugs themselves shred vulnerable vehicle occupants who are in their path," said the document... EFPs are explosives capped by a metal disk. The blast turns the disk into a high-speed slug that

Review of Inside the Machine Posted

just posted my four star review of Inside the Machine. From the review: Let me say that I wish I could give this book 4 1/2 stars. It's just shy of 5 stars, but I couldn't place this book alongside some of my favorite 5-star books of all time. Still, I really enjoyed reading Inside the Machine -- it's a great book that will answer many questions for the devoted technical reader. At the end of the review I mention Scott Mueller's Upgrading and Repairing PCs. In a nice show of synchronicity, the chapter from Scott's book on Microprocessor Types and Specifications is available online in .pdf format.

Clueless Consultants

I'm seeing a common "business of security" theme today, following my post The Peril of Speaker-Sponsors. Ira Winkler writes in If You Have to Ask, You Shouldn't Be Asking: [S]omeone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work...” In today’s message, a consultant from a very large integration firm sent out a message saying that one of their clients wants to scope out integration of a NOC/SOC. He gave a very wide variety of requirements for the facility, and then wanted feedback from a wide variety of people not associated with his company. While I am normally all for helping out a colleague, this person should have either sought this info inside

Bejtlich on Sites Collide Podcast

Tyrel McMahan interviewed me at CONFidence for his Sites Collide podcast. It's in QuickTime format. We talk about what smaller businesses should do with regards to monitoring and I discuss ideas from my conference presentation. Thanks to Tyrel for the interview.

Security Language

Gunnar Peterson's post on the new Common Attack Pattern Enumeration and Classification (CAPEC) project reminded me that MITRE is hosting a ton of these sorts of frameworks. Most of them are listed at so I intend to refer to that portal from now on. It would be great to see related projects cooperate with MITRE's work. For example, the Web Application Security Consortium "Threat" Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. Similarly, it would be nice to see the Open Web Application Security Project Top Ten speak in terms of "attacks" rather than "flaws." Overall I would like to see some rigorous thought applied to the use of security terms. For example, a recent SANS NewsBites said: We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whethe

The Peril of Speaker-Sponsors

One of the interesting aspects of being an independent consultant is having other companies think TaoSecurity exists as a mighty corporate entity with plenty of cash to spend. This has exposed me to some of the seedier aspects of corporate life, namely "speaker-sponsorship." Have you ever attended a keynote address, or other talk at a conference, and wondered how such a person could ever have been accepted to speak? There's a good chance that person paid for the slot. Two instances of this come to mind. First, several months ago I was contacted by the producer of a television program to appear on their show. The program was hosted by Terry Bradshaw (no kidding) and was looking for speakers to discuss the state of the digital security market. This sounded like it was almost too good to be true, and guess what -- it was. A few minutes into the conversation with the producer I learned that TaoSecurity would be expected to pay a $15,000 sponsorship fee to "defray

Attacker 3.0

Gunnar Peterson mentioned a few terms that, for me, brilliantly describe the problem we face in digital security. To paraphrase Gunnar, the digital world consists of the following: Security 1.0, Web 2.0, Attacker 3.0. To that might I add the following: Government -1.0, User 0.5, Application Developer 2.5. What do I mean by all of this?

Government -1.0: in general, hopelessly clueless legislation leads to worse security than without such legislation -- often due to unintended consequences
User 0.5: users are largely unaware and essentially helpless, but I wouldn't expect them to improve -- I'm not an automobile designer or electrical engineer, yet I can drive my car and watch TV
Security 1.0: security tools and techniques are just about good enough to address yesterday's attacks
Web 2.0: this is what is here, with more on the way -- essentially indefensible applications all running over port 80 TCP (or at least HTTP) that no developer really understands and for which no on

Prof Starbird Mathematics Courses

I'm a big fan of courses produced by The Teaching Company, so I bet similarly-minded blog readers might also enjoy such courses. My favorite instructor is Prof Michael Starbird. I noticed that three of his four courses are on sale until 14 June:

Change and Motion: Calculus Made Clear
Meaning from Data: Statistics Made Clear
What Are the Chances? Probability Made Clear

When I say "sale" I mean "buy these now or wait another year until they are on sale again," because a course currently selling for $69.95 will be $254.95 most of the year. I took all sorts of math courses through college and probability and statistics courses through graduate school, but I never developed the sense of understanding that Prof Starbird conveyed. After watching Prof Starbird's first course, The Joy of Thinking: The Beauty and Power of Classical Mathematical Ideas, my wife and I visited Prof Starbird at his office at the University of Texas. I don't think he ever had a

Brief Thought on FreeBSD Update

Since I do not run X on my FreeBSD servers, and my laptop now runs Ubuntu (heretical but productive, I know), I have not been affected by the update of to 7.2 on FreeBSD. I read Updating Firefox 2 and FreeBSD 6.2 and the response Not everybody will be happy with the upgrade. Basically there's a difference of opinion concerning the appropriateness of radically changing a key addition to the operating system mid-stream, i.e., during the life of 6.2. If I were running FreeBSD 6.2 with X, I probably would have tried avoiding 7.2 if possible. Losing X is a very disruptive event if the upgrade fails, and with so many ports affected it would be very invasive. I would have waited until the release of FreeBSD 6.3 or 7.0 before using 7.2. Alternatively, I might have reinstalled 6.2 without, and then added it and all other software as packages. I understand the developers wanting to get 7.2 into users' hands as soon as possible, given the amount of wo

Another Anti-Virus Problem, Again

In February I blogged about a vulnerability in a Trend Micro product that exposed systems "protected" by this anti-virus software to remote exploitation. Symantec provides another example that running anti-virus is not cost free: Symantec false positive cripples thousands of Chinese PCs. Now, according to Symantec may compensate Chinese users hit by buggy update, Symantec may pay companies affected by its botched signature update. Trend Micro apparently had a similar problem in 2005, before I was blogging about these dangers; it cost TM $8.2 million. Please keep these stories in mind when you hear people claim that adding any security software to a system is automatically good and justified because of "defense in depth." On a related note, this story pointed me towards the English language edition of the Chinese Internet Security Response Team blog.

Reminder: Time Running Out for Bejtlich at GFIRST

I'll be teaching and speaking at the 2007 GFIRST conference in Orlando, FL in June 2007. This is pro-bono since DHS isn't paying airfare, hotel, meals, or a speaking honorarium. On Monday 25 June 2007 I'll be teaching two half-day tutorials. The first will cover Network Incident Response and the second will cover Network Forensics. On Tuesday 26 June at 1415 I will deliver the talk I gave at Shmoocon -- Traditional IDS Should Be Dead. I spoke at the 2006 and 2005 GFIRST conferences as well. GFIRST still hasn't updated their training page to reflect my class, but I will be there teaching.

Reminder: Early Registration Ends Soon for Bejtlich at SANSFIRE 2007

I'll be teaching a special one-day course, Enterprise Network Instrumentation, at SANSFIRE 2007 in Washington, DC on 25 July 2007. ENI is a one-day course designed to teach all methods of network traffic access. If you have a network you need to monitor, ENI will teach you what equipment is available (hubs, switch SPAN ports, taps, bypass switches, matrix switches, and so on) and how to use it effectively. Everyone else assumes network instrumentation is a given. ENI teaches the reality and provides practical solutions. Please register while there are still seats available. My class is the day before all the six-day tracks begin. If you register before 6 June you will save $250. If you register by 27 June you will save $150. If you take this one-day class with a full SANS track my class only costs $450. Please note SANS set all of these prices and schedules. This is the only time I'll be teaching this class in 2007. Thank you. Update: I cancelled the class. If you

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class, although I will be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount. Network Security Operations addresses the following topics:

Network Security Monitoring
NSM theory
Building and deploying NSM sensors
Accessing wired and wireless traffic
Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger
Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
Sguil (
Case studies, personal war stories, and attendee partic

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount. Network Security Operations addresses the following topics:

Network Security Monitoring
NSM theory
Building and deploying NSM sensors
Accessing wired and wireless traffic
Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger
Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
Sguil (
Case studies, personal war stories, and attendee participation
Network Incident Response
Simple steps to take now that make incident

4000 Helpful Votes at

Last week the "Helpful Votes" count for my reviews reached the 4,000 count. I hit 3,000 in January 2006 and 1,500 in December 2003. Since reaching the 3,000 mark I've read and reviewed 55 additional books. Thank you to everyone who votes my reviews "helpful." If you want to see what I have on my shelf and plan to read next, please check out my reading list. If you want to see the books I hope to see soon, please visit my Wish List. If you want general recommendations read my Listmania Lists. In 2005 Bookpool published my favorite 10 books from the past 10 years. My reading pace has slowed since becoming an independent consultant and father of two, but I try to read when flying hither and yon.

Bejtlich Teaching at USENIX Security

USENIX just posted details on USENIX Security 2007 , 6-10 August in Boston, MA. I will be teaching TCP/IP Weapons School, Layers 4-7 on 6-7 June. This is a sequel to TCP/IP Weapons School, Layers 2-3 at USENIX Annual 2007 in Santa Clara, CA on 21-22 June and TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, CA on 6-7 June. The 2 day class I'm teaching at Black Hat on 28-29 and 30-31 July is a condensed version (2 days) of the 4 day series (broken into layers 2-3 and 4-7) for USENIX. I also plan to teach this condensed edition at ForenSec in Regina, SK in September.

Snort Report 6 Posted

My sixth Snort Report -- Output options for Snort data has been posted. From the introduction: Output modes are the methods by which Snort reports its findings when run in IDS mode. As discussed in the first Snort Report, Snort can also run in sniffer and packet logger modes. In sniffer mode, Snort writes traffic directly to the console. As a packet logger, Snort writes packets to disk in Libpcap format. This article describes output options for IDS mode, called via the -c [snort.conf] switch. Only IDS mode offers output options. This is the first of two Snort Reports in which I address output options. Without output options, consultants and VARs can't produce Snort data in a meaningful manner. Because output options vary widely, it's important to understand the capabilities and limitations of different features. In this edition of Snort Report, I describe output options available from the command line and their equivalent options (if available) in the snort.conf file. I don

Heading Home from Australia

My whirlwind Australia trip is coming to a close. I'll be boarding a flight from Sydney to LAX soon. I'd like to thank Christian Heinrich and John Dale from Secure Agility for hosting me in Sydney and everyone at AusCERT for helping me with my classes in Gold Coast. I'd like to briefly record a few thoughts on the AusCERT conference. Andrea Barisani gave a great talk on the compromise of December 2003. He emphasized that preventing incidents is nice, but security monitoring and awareness are absolutely critical. I need to try his Tenshi log monitoring tool. Greg Castle introduced his Whitetrash whitelisting Web redirector for Squid. I think his approach is very innovative and I plan to try Whitetrash with my lab Squid proxy. Mike showed how Google Mobile could avoid some URL inspectors, with URLs like . Mike Newton from Stanford explained his Argus infrastructure, which collects 35 GB of

Latest Plane Reading

I'm on the road again, en route to Gold Coast for AusCERT, followed by a public course on Network Security Monitoring in Sydney on Friday 25 May 2007. There are still seats left -- check it out if you want to attend! Here are a few thoughts on items I read on my flight from IAD to LAX. The latest Cisco IP Journal article on DNS Infrastructure by Steve Gibbard is awesome. Read it if you really want to understand global DNS in a few pages. The Hotbots paper Peer-to-Peer Botnets (.pdf) is awesome. I question the use of PerilEyez for forensic work, but I haven't tried it before. I need to check out Trojan.Peacomm and Kademlia. Baller Herbst has helpful CALEA docs. I also liked the Aqsacom LAWFUL INTERCEPTION FOR IP NETWORKS White Paper (.pdf). Kudos to Matt Blaze for more cool research, specifically his co-authored paper The Eavesdropper's Dilemma. If you think you're doing network forensics you need to develop a strategy to address his conclusion: Interne

It's Only a Flesh Wound

The slide above is from Gartner analyst Greg Young's 2006 presentation at the Gartner IT Security Summit 2006, Deconfusicating Network Intrusion Prevention (.pdf). "Deconfusicating" appears to be a fake synonym for simplifying. I bet that was supposed to confuse an IDS, but not an IPS. Funny that stopping an attack requires detecting it, but never mind. Someone recently recommended I read this presentation, so I took a look. It's basically a push for Gartner's vision of "Next Generation Firewalls" (NGFW), which I agree are do-everything boxes that will eventually collapse into security switches or Stiennon-esque "secure network fabric." The funny thing about all those IPS deployments is that I continue to hear about organizations that utilize only a fraction or none of the IPS blocking capability, and instead use them as -- wait for it -- IDS. Hmm. That still doesn't account for the major problem with a prevention-only mindset. Le

Thoughts on Latest CISSP Requirements Change

You all know I am a big fan of the CISSP certification. (If you don't recognize that as sarcasm, please read some old posts.) I wasn't going to comment on the press release (ISC)²® to Increase Requirements for CISSP® Credential to Validate Information Security Expertise, but no one else really has. First, a little history. The last time a requirements change was announced was January 2002, in the press release (ISC)² TO IMPLEMENT NEW CISSP REQUIREMENTS IN 2003. That article stated: requirements for the Certified Information Systems Security Professional (CISSP) certification, effective Jan. 1, 2003. As of that date, the minimum experience requirement for certification will be four years or three years with a college degree or equivalent life experience. The current requirements for the CISSP call for three years of experience... The "equivalent life experience" provision is intended for mature professionals who did not obtain a college degree but are in

Database Forensics

Database ninja David Litchfield told me he posted the latest in a series of lengthy articles on investigating Oracle database incidents. Specifically, he asked me to review the newest article on Live Response (.pdf) given my background. I recommend checking out the whole set of articles at Database Security. Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk about Oracle (in)security at CONFidence 2007. His talk reminded me of comments Thomas Ptacek once made about certain software being indefensible ten years ago, whereas now we have a fighting chance with some software. After hearing Alex's talk I think Oracle belongs in the indefensible category. Oracle appears to be at least five years behind their peer group in terms of producing "secure" code. (I put "secure" in quotation marks because I don't believe anything is really "secure," but on relative terms Oracle seems far behind

Third of the Three Wise Men

I just listened to my third of the Three Wise Men, Ross Anderson, courtesy of Gary McGraw's Silver Bullet Podcast. This is another must-heed. During the podcast Prof. Anderson mentioned the following: With respect to secure software development: As tools improve, we continue to "build bigger and better disasters." That echoes a theme in my previous posts. "If someone is going to call themselves a security engineer, then they have to learn how things fail." This means studying history and contemporary security disasters. That's an argument for my National Digital Security Board. Prof. Anderson mentioned potential compulsory registration for security professionals in the UK as a consequence of legislation requiring the registration of bouncers at clubs. Beware such an event here. Talk about unintended consequences. Finally, Prof. Anderson warned of vulnerabilities in Near Field Communication (NFC) technology. For goodness sake, can we slow down the

Second of the Three Wise Men

I just blogged about a new podcast by the first of my Three Wise Men, namely Marcus Ranum. My second of the Three Wise Men for today is Dan Geer. I just noticed his testimony to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last month has been published. This is another must-heed collection of smart ideas. Brian Krebs summarized the hearing in his story Nation's Cyber Plan Outdated, Lawmakers Told. Dr. Geer's testimony included this gem: I urge the Congress to put explaining the past, particularly for the purpose of assigning blame, behind itself. Demanding report cards, legislating under the influence of adrenaline, imagining that cybersecurity is an end rather than merely a means — all these and more inevitably prolong a world in which we are procedurally correct but factually stupid. Amen. Also: Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at

RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls

All you fans of mindlessly blocking ICMP traffic are going to be in trouble if you try that strategy with IPv6. Luckily this month RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls was just published. This Informational RFC provides concrete guidance using these categories:

Traffic That Must Not Be Dropped
Traffic That Normally Should Not Be Dropped
Traffic That Will Be Dropped Anyway -- No Special Attention Needed
Traffic for Which a Policy Should Be Defined
Traffic That Should Be Dropped Unless a Good Case Can Be Made

This is a nice reference for those who wish to implement some degree of control over ICMPv6, which is an integral part of IPv6 and not something one can blindly block.

CONFidence Wrap-Up

This morning I delivered a talk at CONFidence 2007 in Krakow, Poland. I'd like to thank Andrzej Targosz and Jacek Artymiak for being the best hosts I've met at any conference. They got me at the airport, took me to dinner (along with dozens of others), and will take me to the airport (at 0430 no less!) tomorrow. I spent a good amount of time with Anton Chuvakin, Daniel Cid, and Stefano Zanero, which was very cool. I'd like to mention two talks. First, I watched Paweł Pokrywka talk about a neat way to discover layer two LAN topology with crafted ARP packets. Unfortunately, his talk was in Polish and I didn't exactly learn how he does it! I spoke to Paweł briefly before my own talk, and he said he plans to release a paper (in English) and his code (called Etherbat), so I look forward to seeing both. Second, I attended Dinis Cruz's talk on buffer overflows in .NET and ASP.NET. I'm afraid I can't say anything intelligent about his talk. Dinis is a co

Thoughts on Rear Guard Security Podcast

I just listened to the first episode of Marcus Ranum's new podcast Rear Guard Security. A previous commenter got it right; it's like listening to an academic lecture. If that gives you a negative impression, I mean Marcus is a good academic lecturer. These are the sorts of lessons you might buy through The Teaching Company, for example. Marcus isn't talking about the latest and greatest m4d sk1llz that 31337 d00ds use to 0wn j00. Instead, he's questioning the very fundamentals of digital security and trying to equip the listener with deep understandings of difficult problems. Most vendors will hate what he says and others will think he's far too pessimistic. I think Marcus is largely right because (although he doesn't say this outright) he believes vulnerability-centric security is doomed to failure. (I noticed Matt Franz thinks I may be right, too.) When you realize that nothing you do will ultimately remove all vulnerabilities, you've got to

LBNL/ICSI Enterprise Tracing Project

Thanks to ronaldo in #snort-gui I learned about the LBNL/ICSI Enterprise Tracing Project. According to the site: A goal of this project is to characterize internal enterprise traffic recorded at a medium-sized site, and to determine ways in which modern enterprise traffic is similar to wide-area Internet traffic, and ways in which it is quite different. We have collected packet traces that span more than 100 hours of activity from a total of several thousand internal hosts. This wealth of data, which we are publicly releasing in anonymized form, spans a wide range of dimensions. I decided to take a look at this data through the lens of Structured Traffic Analysis, which I discuss in Extrusion Detection and (IN)SECURE Magazine. I downloaded lbl-internal.20041004-1303.port001.dump.anon and took the following actions. First I ran capinfos to get a sense of the nature of the trace.

$ sha256 lbl-internal.20041004-1303.port001.dump.anon > lbl-internal.20041004-1303.port001.dump.ano