Posts

Showing posts from June, 2007

Bejtlich Teaching at Forensec Canada 2007

I just wrapped up teaching at GFIRST and the number of events left on my TaoSecurity training page are dwindling. My last scheduled event open to the general public will take place at Forensec Canada 2007 in Regina, SK on 15-16 September 2007. This is a great opportunity to attend some excellent forensics training, since the conference (17-18 September) follows my class, and MANDIANT's Incident Response Management class wraps up the event on 19-20 September. Each class only holds 12 students. I am teaching TCP/IP Weapons School, covering layers 2-7 in two days. This is the same class as the one I am teaching at Black Hat USA 2007 in Las Vegas. One of my two Black Hat training sessions is already full and the second is close (since it is colored in yellow on the registration page). Those of you who attended TCP/IP Weapons School layers 2-3 in Santa Clara last week may want to join me at USENIX Security 2007 in Boston on 6-7 August. I will be teaching layers 4-7 there in-de...

Three Reviews Posted

Image
I'm happy to announce three new Amazon.com reviews, partially due to my flights between Washington Dulles and San Jose for USENIX 2007. The first is two stars (yes, unfortunately) for Practical Packet Analysis by Chris Sanders . From the review: To use "American Idol" lingo, you've already read reviews by Randy Jackson and Paula Abdul. It's time for the truth from Simon Cowell -- Practical Packet Analysis (PPA) is a disaster. I am not biased against books for beginners; see my five star review of Computer Networking by Jeanna Matthews. I am not biased against author Chris Sanders; he seems like a nice guy who is trying to write a helpful book. I am not a misguided newbie; I've written three books involving traffic analysis. I did not skim the book; I read all of it on a flight from San Jose to Washington Dulles. I do not dislike publisher No Starch; I just wrote a five star review for Designing BSD Rootkits by Joseph Kong. PPA is written for beginners, or ...

Internet Traffic Study

Image
I found this press release from Ellacoya Networks to be interesting. HTTP is approximately 46% of all traffic on the network. P2P continues as a strong second place at 37% of total traffic. Newsgroups (9%), non-HTTP video streaming (3%), gaming (2%) and VoIP (1%) are the next widely used applications. Breaking down application types within HTTP, the data reveals that traditional Web page downloads (i.e. text and images) represent 45% of all Web traffic. Streaming video represents 36% and streaming audio 5% of all HTTP traffic. YouTube alone comprises approximately 20% of all HTTP traffic, or nearly 10% of all traffic on the Internet. There's some dispute regarding these numbers with respect to HTTP vs P2P, but overall I found these numbers surprising. I am surprised by the high newsgroups count -- is alt.whatever that significant?

Frame Check Sequence Recorded in STP

Image
This evening I was preparing to teach day 2 of my TCP/IP Weapons School class at USENIX. I decided I wanted to get a trace of Spanning Tree Protocol (STP) so I connected back to a box in my lab and ran Tshark. When I brought the trace back to my desktop to view in Wireshark, I saw the following: How/why Tshark capture the FCS for this frame? I looked at other traffic (i.e., non-STP traffic) and did not see a FCS. The only other interesting aspect of this frame is the fact that it is pure 802.3 and not 802.3 with a LLC SNAP header, like this CDP frame: I usually see 802.3 with a LLC SNAP header or just Ethernet II. Does anyone have any ideas?

Open Source Initiative Stands Up

Thanks to this Slashdot article I learned of this blog post by Michael Tiemann , president of the Open Source Initiative . Essentially he writes: Enough is enough. Open Source has grown up. Now it is time for us to stand up. I believe that when we do, the vendors who ignore our norms will suddenly recognize that they really do need to make a choice: to label their software correctly and honestly, or to license it with an OSI-approved license that matches their open source label. This is great. I wrote Real Open Source in April and I am glad OSI is joining this battle. It will be interesting to see how they proceed. Perhaps they can start by "naming names," i.e., listing companies or projects claiming to be "open source" but not using an Open Source license . Incidentally, reading the Slashdot post is worthwhile, if only to see Bruce Perens respond to arguments opposing OSI's position.

Latest Plane Reading

Image
Tuesday afternoon I flew from Washington Dulles to San Jose, to teach at USENIX 2007 . En route I read a few interesting articles that I'd like to mention. When I saw NWC mention the Omni Virtual Network Service , I thought something cool might be on hand. Their Web site states: The migration to blade chassis-based virtual servers has created a new blind spot in the enterprise: the traffic between virtual servers in the same blade chassis. This “invisible traffic” never crosses any network segment where it can be easily captured. As a result, engineers have little or no visibility into the traffic among virtual servers... A new addition to the OmniAnalysis Platform, the Omni Virtual Network Service is a lightweight traffic-capture service that enables IT engineers to capture and analyze traffic on virtual servers... The Omni Virtual Network Service is a small, lightweight service that runs on any Windows XP or Windows 2003 virtual server. Oh... so Omni implemented remote capture ...

More on Enterprise Data Centralization

I'd like to respond to a few comments to my post Enterprise Data Centralization . The first paragraph includes the following: However, I haven't written about a natural complement to thin client computing -- enterprise data centralization. In this world, the thin client is merely a window to a centralized data store (sufficiently implemented according to business continuity processes and methods like redundancy, etc.) . The bolded part is my answer to those who think my "centralization" plan means building the Mother of All Storage Servers/Networks. Please. Do you think I would really advocate that? The bolded part is my shorthand for saying I do NOT mean to build the Mother of All Storage Servers/Networks. Instead, I envision something similar to the way Google operates. One of you used Google as an example of data decentralization. Sure, the data is decentralized at the level of bits on media, but it's exceptionally centralized where it matters -- the user...

Hired Gun No More

Image
The June 2007 Information Security Magazine features a story called When to Call in the Hired Guns . The magazine includes a chart titled VAR Excellence (.pdf) that mentions TaoSecurity . The selection process seems to have no method to its madness; I only recognize a few of the other companies. Furthermore, I did not pay anything for the listing. I don't like to see TaoSecurity listed as a "VAR" since I don't sell any products as a regular business offering. It's funny to see TaoSecurity listed in a chart like this, two weeks before I start working at GE. Now, it would be nice if Information Security Magazine would reinstate my subscription. They dropped me last year, even though I write the Snort Report for a sister publication. I even know a former contributing editor (with his name printed at the beginning of the magazine) who is no longer getting a subscription!

Web-Centric Short-Term Incident Containment

Image
You may have read Large Scale European Web Attack from Websense and other news sources. One or more Italian Web hosting companies have been compromised, and the contents of the Web sites they host have been modified. Malicious IFRAMEs like the one below are being added to Web sites. These IFRAMEs like to malicious code hosting by a third party under the control of the intruder. When an innocent Web browser visits the compromised Web site, the browser is attacked by the contents of the IFRAME. This is not a new problem. I responded to an intrusion in 2003 that used the same technique. It's the reason why I discussed having the capability to use an extrusion method to modify traffic as it leaves a site. This is an example of Short Term Incident Containment. This technique does not remediate the compromised Web sites or Web servers. It does help clean malicious traffic before it reaches Web browsers. I suggest using Netsed or Snort in inline mode to replace the malic...

Enterprise Data Centralization

I've written about thin client computing for several years. However, I haven't written about a natural complement to thin client computing -- enterprise data centralization. In this world, the thin client is merely a window to a centralized data store (sufficiently implemented according to business continuity processes and methods like redundancy, etc.). That vision can be implemented today, albeit really only where low-latency, uninterrupted, decent bandwidth is available. Thanks to EDD Blog I just read an article that makes me think legal forces will drive the adoption of this strategy: Opinion: Data Governance Will Eclipse CIO Role by Jay Cline. He writes: In response to the new U.S. Federal Rules on Civil Procedure regarding legal discovery, for example, several general counsels have ordered the establishment of centralized "litigation servers" that store copies of all of the companies’ electronic files. They think this is the only way to preserve and chea...

DHS Einstein Demonstrates Value of Session Data

If you're looking for case studies to show management to justify collecting session data, check out Einstein keeps an eye on agency networks . I've known about this program for several years but waited until a high-profile story like this to mention it in my blog. Basically: Since 2004, Einstein has monitored participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks. US-CERT’s security analysts use Einstein data to correlate cross-agency security incidents. Participating agencies can go to a secure Web portal to view their own network gateway data. Einstein doesn’t eliminate the need for intrusion-detection systems on agencies’ networks, said Mike Witt, deputy director of US-CERT. But the 24-hour monitoring program does give i...

Hope for Air Force Cyberoperators

Last November I wrote about the Air Force Cyberspace Command . I said: I'd like to see the new Cyberspace Command sponsor a new Air Force Specialty Code (AFSC) for information warriors. The current Intel or Comm paradigm isn't suitable. Today I read Air Force moves to populate Cyberspace Command : The Air Force is developing plans for a dedicated force to populate the ranks of the service’s new Cyberspace Command, its commanding general said today. Lt. Gen. Robert Elder, commander of the 8th Air Force and chief of the new command, said the service will finish deliberations on a force structure for the command within a year and then start filling those positions. Once service officials have laid out career paths and training guidelines for the jobs, Elder said, recruits will be able to join what he called the Air Force’s cyberforce just as they could opt to become fighter pilots or navigators. I hope this "cyberforce" is an AFSC for "cyberoperators." These ...

Seats for Bejtlich at Black Hat 2007 Filling

I'll be teaching two sessions of TCP/IP Weapons School, Black Hat Edition at Black Hat in Las Vegas, 28-29 July and 30-31 July 2007. This is the same class, just offered twice. The second session is already wait-listed. The only remaining seats are available for the first session. Thank you.

Why Digital Security?

Today I received the following email: Hi Richard, (Sorry for my bad English, i speak French...) I'm one of your blog readers and i have just a little question about your (Ex) job, Consultant in IT security... I'm very interested by IT security and i want to get a degree in this. In France, we have to write "motivation letter" to show why we are interested by the diploma. That's why i write to you to know a few things that you do in your job, what is interesting and what is boring ?? I figured I would say a few words here and then let all of you blog readers post your ideas too. Likes: Constant learning Defending victims from attackers -- some kind of desire for justice Community that values learning (but not necessarily education -- there's a difference) Working with new technology Financially rewarding for those with valuable skills Dislikes: Constantly changing landscape requires specialization and potential loss of big picture Most attackers remain at large...

Two Pre-Reviews

I'd like to mention two books that publishers were kind enough to send me recently. I plan to read these during upcoming flights or as part of my new, structured reading regimen that will accompany my plans for the second half of 2007. The first book is Windows Forensic Analysis Including DVD Toolkit by Harlan Carvey . I expect to learn a lot about Windows forensics reading this book. I do not perform host-based forensics regularly so I think Harlan's experience will be appreciated. The second book is Practical Packet Analysis by Chris Sanders . I'm reading this book for the same reason I read Computer Networking by Jeanna Matthews -- I want to see if it is a good book for beginners. The content of Chris' book seems very simple, but it might be just the right book for people starting their network traffic inspection careers. Incidentally, if you like the approach of using Ethereal/Wireshark to look at traffic that the author explains, you should look at Jeann...

Security Application Instrumentation

Image
Last year I mentioned ModSecurity in relation to a book by its author. As mentioned on the project Web site, "ModSecurity is an open source web application firewall that runs as an Apache module." In a sense Apache is both defending itself and reporting on attacks against itself. I consider these features to be forms of security application instrumentation . In a related development, today I learned about PHPIDS : PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending...

Threat Model vs Attack Model

Image
This is just a brief post on terminology. Recently I've heard people discussing "threat models" and "attack models." When I reviewed Gary McGraw's excellent Software Security I said the following: Gary is not afraid to point out the problems with other interpretations of the software security problem. I almost fell out of my chair when I read his critique on pp 140-7 and p 213 of Microsoft's improper use of terms like "threat" in their so-called "threat model." Gary is absolutely right to say Microsoft is performing "risk analysis," not "threat analysis." (I laughed when I read him describe Microsoft's "Threat Modeling" as "[t]he unfortunately titled book" on p 310.) I examine this issue deeper in my reviews of Microsoft's books. In other words, what Microsoft calls "threat modeling" is actually a form of risk analysis. So what is a threat model? Four years ago I wrote Thre...

I'm Not Dead

Image
Several of you leaving comments, posting your own blog entries, and sending me email seem to think my job at General Electric means I am dead. I am not dead, God willing. Let me reprint the second-to-last paragraph from that post: What about writing here, or articles, or books? My boss supports my blogging and writing. I have never made a practice of posting "Look what I found at this client!" and he does not expect me to start doing so at GE. You can expect to read more about the sorts of techniques I'm using to address security concerns but never incident specifics or any information which would compromise my relationship with GE. The same goes for articles and books. I plan to continue writing the Snort Report and eventually write the new works listed on my books page. This blog has never been a site for "tell-all" activity. I don't discuss specifics about clients, or national security matters, or private information shared in a confidential ma...

One for Ken Belva

I mentioned Ken Belva's thoughts in Thoughts on Virtual Trust last year. If you don't know Ken's thoughts on "virtual trust" please read that post before continuing further. I refrained from pointing a finger at Ken's Apple DRM example after Steve Jobs posted his Thoughts on Music , where DRM won't apply to Apple music (thereby depriving Ken of one of his case studies and questioning his logic). Now I'd really like an answer to this article: Retailers Fuming Over Card Data Security Rules; Claim PCI standard shifts burden to them, could alienate customers . Here are a few excerpts: Several retailers last week bristled at having to comply with the Payment Card Industry (PCI) Data Security Standard, complaining that they carry an unfair burden in securing credit card data. In interviews and speeches at the annual ERIexchange conference here, retail executives also complained that implementing the PCI standard is costly and could alienate customers ......

Cisco Router as DNS Server Demonstrates Functional Aggregation

Did you know that a sufficiently new Cisco router can be a DNS server ? Apparently this functionality is not that new (dating from 2005), but I did not hear of it until I saw the article Cisco Router: The Swiss Army Knife of Network Services . I think this is a good example of what I may start calling "functional aggregation," whereby features previously provided on separate servers are collapsed to one box. I know others call that "convergence," but that term applies to so many topics (voice + video + data, etc.) that I'll use FA here. It doesn't matter anyway, because some marketing drone will invent a catchy name that everyone will end up using at some point. One interesting aspect of this story is that it points to a simple blog post called Use your Cisco router as a primary DNS server that shows how easy it is to configure this feature. That post is then followed by a new article called Protecting the primary DNS server on your router , which expla...

Bejtlich Joining General Electric as Director of Incident Response

Image
Two years ago this month I left my corporate job to focus on being an independent consultant through TaoSecurity . Today I am pleased to announce a new professional development. Starting next month I will be joining General Electric as Director of Incident Response, based near Manassas, VA, working for GE's Chief Information Security Officer, Grady Summers at GE HQ in Fairfield, CT. My new boss reads my blog and contacted me after reading my Security Responsibilities post five months ago. He has created the new Director position as a single corporate focal point for incident response, threat assessment, and ediscovery, working with GE's six business units and corporate HQ security staff. Grady reports to GE's Chief Technology Officer, Greg Simpson, and works closely with GE's Chief Security Officer, Brig Gen (USAF, ret) Frank Taylor. I will be building a team and I am pleased to have already met my first team member, a forensic investigator. I am very excited ab...

Triple-Boot Thinkpad x60s

Image
Many years ago I thought multibooting operating systems was quite the cool thing to do. This was before VMware when my budget was tighter and so was my living space. Recently with my new laptop configuration I moved to an all-Ubuntu setup, upon which I loaded VMware Server. VMware Server had Windows XP and FreeBSD 6.2 VMs at its disposal. I've spent nearly all my time in Ubuntu, never really needing to turn to Windows or FreeBSD for desktop work. With the arrival of Ubuntu 7.04, I decided to try a new approach with my laptop. The OEM HDD was 60 GB, which is somewhat small given my use of VMs. Furthermore, I fairly regularly buy brand new hard drives when I make major operating system shifts. I think the best backup I could ever have is an entire old hard drive, and HDDs are cheap compared to the value of the data on them. Moving from 6.10 to 7.04 seemed like a good time to replace the 60 GB HDD with a Seagate Momentus 5400.3 ST9160821AS 160GB 5400 RPM 8MB Cache Serial ATA1...

PowerLite S4 Multimedia Projector

This week I taught TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, SC. I enjoyed teaching the class, especially since several students were repeat customers. Two were even alumni from classes I taught at Foundstone five years ago! Because the cost of renting a projector and screen from the hotel (and even from rentacomputer.com) seemed outrageous, I decided to buy my own. I purchased an Epson PowerLite S4 Multimedia Projector and Da-Lite 72263 Versatol Tripod Screen 70"x70" Matte White with Keystone Elim for use in the class. I was extremely pleased with both. In fact, right after I bought the Epson projector I saw it covered in a USA TODAY review, which helped validate my purchase. If you're in the market for a projector and screen combination for less than $800 (or even $700 if you're not time-crunched, as I was) then I think you'll like these products.