Posts

Showing posts from August, 2007

Japan v China

I couldn't make this up. Thanks to SANS Newsbites for catching the article Japan Military Homes, Ship Raided Over Data Leak . The homes of several serving members of Japan's Maritime Self Defense Force (JMSDF) and a destroyer were raided as part of an investigation into a leak of sensitive military data from a computer, Japan's Kyodo News reported Tuesday. Officers from the Kanagawa prefectural police force and the JMSDF's own criminal investigations unit are investigating the leak of information related to the Aegis missile defense system, the sea-based Standard Missile-3 interceptor system and the reconnaissance satellite data exchange Link 16 system. The Aegis leak first came to light in March this year when police were conducting an immigration-related investigation into the Chinese wife of a JMSDF officer . During the search they came across the data, which included the radar and transmission frequencies of the Aegis system. The officer wasn't authorized to b

Lessons from the Military

Jay Heiser is a smart guy, but I don't know why he became so anti-military when he wrote Military mindset no longer applicable in our line of work last year. He wrote in part: The business world should stop looking to the defense community for direction on information security. I used to believe that the practice of information security owed a huge debt to the military. I couldn't have been more wrong... The business world doesn't need the defense community to help it develop secure technology, and, whenever it accepts military ideas, it winds up with the wrong agenda... It's time our profession stops playing war games and gets in touch with its business roots. I found two responses, Opinion: Military security legacy is one of innovation, integrity and Opinion: The importance of a military mindset , countering Mr. Heiser. I also found poll results showing 77% of respondents answered "absolutely critical" or "somewhat important" when reading the

Economist on Models

I intended to stay quiet on risk models for a while, but I read the following Economist articles and wanted to note them here for future reference. From "Statistics and climatology: Gambling on tomorrow": Climate models have lots of parameters that are represented by numbers... The particular range of values chosen for a parameter is an example of a Bayesian prior assumption, since it is derived from actual experience of how the climate behaves — and may thus be modified in the light of experience. But the way you pick the individual values to plug into the model can cause trouble ... Climate models have hundreds of parameters that might somehow be related in this sort of way. To be sure you are seeing valid results rather than artefacts of the models, you need to take account of all the ways that can happen. That logistical nightmare is only now being addressed, and its practical consequences have yet to be worked out. But because of their philosophical training in the rigo

More Thoughts on FAIR

My post Thoughts on FAIR has attracted some attention, but as is often the case some readers choose to obscure my point by overlaying their own assumptions. In this post I will try to explain my problems with FAIR in as simplistic a manner as possible. Imagine if someone proposed the following model for assessing force: F=ma (Yes, this is Newton's Second Law , and yes, I am using words like "model" and "assess" to reflect the risk assessment modeling problem.) I could see two problems with using this model to assess force. Reality check : The model does not reflect reality. In other words, an accurate measurement of mass times an accurate measurement of acceleration does not result in an accurate measurement of force. Input check : To accurately measure force, the values for m and a must not be arbitrary. Otherwise, the value for F is arbitrary. With respect to FAIR, I make the following judgments. Reality check : The jury is out on whether FAIR reflects reali

DoD Digital Security Spending

I found the article Is IT security getting short shrift? to be a good reference for other large organizations contemplating digital security spending. In addition to the chart above, this text is illuminating: Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say. “It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration... [C]onvincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said. “What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17

Germany v China

Thanks to the Dark Reading story China's Premier 'Gravely Concerned' by Hack on Germany I learned of recent digital economic espionage conducted by China against Germany. I found the most authoritative reference on the event to be published by the magazine that broke the story, which is currently running an article titled Merkel's China Visit Marred by Hacking Allegations : German Chancellor Angela Merkel was all smiles after meeting Chinese Premier Wen Jiabao on Monday, praising relations between the two countries as open and constructive. But her visit has been marred by a report in SPIEGEL that a large number of computers in the German chancellery as well as the foreign, economy and research ministries had been infected with Chinese spy software. Germany's domestic intelligence service, the Office for the Protection of the Constitution, discovered the hacking operation in May, the magazine reported in its new edition, published Monday... The so-called "T

Thoughts on FAIR

You knew I had risk on my mind given my recent post Economist on the Peril of Models . The fact is I just flew to Chicago to teach my last Network Security Operations class, so I took some time to read the Risk Management Insight white paper An Introduction to Factor Analysis of Information Risk (FAIR) . I needed to respond to Risk Assessment Is Not Guesswork , so I figured reading the whole FAIR document was a good start. I said in Brothers in Risk that I liked RMI's attempts to bring standardized terms to the profession, so I hope they approach this post with an open mind. I have some macro issues with FAIR as well as some micro issues. Let me start with the macro issue by asking you a question: Does breaking down a large problem into small problems, the solutions to which rely upon making guesses, result in solving the large problem more accurately? If you answer yes, you will like FAIR. If you answer no, you will not like FAIR. FAIR defines risk as Risk - the probable f

Economist on the Peril of Models

Anyone who has been watching financial television stations in the US has seen commentary on the state of our markets with respect to subprime mortgages. I'd like to cite the 21 July 2007 issue of the Economist to make a point that resonates with digital security. Both [Bear Stearns] funds had invested heavily in securities backed by subprime mortgages... On July 17th it admitted that there “is effectively no value left” in one of the funds, and “very little value left” in the other. Such brutal clarity is, however, a rarity in the world of complex derivatives . Investors may now know what the two Bear Stearns funds are worth. But accountants are still unsure how to put a value on the instruments that got them into trouble. This reminds me of a data breach -- instant clarity. Traditionally, a company's accounts would record the value of an asset at its historic cost (ie, the price the company paid for it). Under so-called “fair value” accounting, however, book-keepers can now

Experts: IDS is here to stay

Imagine my surprise when I read Experts: IDS is here to stay : Conventional wisdom once had it that intrusion prevention systems (IPS) would eliminate the need for intrusion defense systems (IDS). But with threats getting worse by the day and IT pros needing every weapon they can find, the IDS is alive and well. "IPS threatened to hurt the IDS market but IDS is better equipped to inspect malware," said Chris Liebert, a security analyst with Boston-based Yankee Group Research Inc. "IPS specializes in blocking, so each still have their own uses, and that's why IDS is still around." IDS is now part of a larger intrusion defense arsenal that includes vulnerability management and access control technology. In fact, one analyst believes standalone IDS products will still be in demand five years from now while IPS technology will likely be folded in firewall products. "In the long term, I do not think IPS devices will remain as separate products," said Eric M

What Hackers Learn that the Rest of Us Don't

I read a great article in the July/August 2007 IEEE Security and Privacy magazine titled "What Hackers Learn that the Rest of Us Don't" by Sergey Bratus. He contrasts developers and academic programs with what "hackers" do. For example: Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work." Developers tend to be implicitly trained away from exploring underlying APIs because the extra time investment rarely pays off. Developers often receive a limited view of the API, with few or hardly any details about its implementation. Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects. Developers might receive explicit directions to ignore specific problems as being in other developers' domains. Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API. I really resonated w

Abe Singer Highlights from USENIX Class

I didn't get to attend Abe Singer's talk Incident Response either, but again I managed to get a copy of his slides. They confirmed what I planned to do with my new company CIRT (fortunately), but I wanted to highlight some elements that I hadn't given much thought until I saw them in Abe's slides. Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools, and team, but not policies. Let me list a few items to explain. Using language Abe secured for his university as a template, I plan to try to gain approval for something like this as a blanket incident detection and response policy at my company: The Director of Incident Response and authorized designees have the authority to take actions necessary to contain, detect, and respond to computer incidents involving company assets. These actions will be consistent with company policies and applicable laws. Please note the ori

Marcus Ranum Highlights from USENIX Class

Because I was teaching at USENIX Security this month I didn't get to attend Marcus Ranum's tutorial They Really Are Out to Get You: How to Think About Computer Security . I did manage to read a copy of Marcus' slides. Because he is one of my Three Wise Men of digital security, I thought I would share some of my favorite excerpts. Some of the material paraphrases his slides to improve readability here. Marcus asked how one can make decisions when likelihood of attack, attack consequences, target value, and countermeasure cost are not well understood. His answer helps explain why so many digital security people quote Sun Tzu: The art of war is a problem domain in which successful practitioners have to make critical decisions in the face of similar intangibles. I would add that malicious adversaries are also present in war, but not present in certain other scenarios misapplied to security (like car analogies ) where intelligent adversaries aren't present. Marcus con

Breach Pain

Several stories involving companies victimized by intruders came to light at the same time. It's important to remember not to blame the victim , like the fool editor at Slashdot implied by writing Contractor Folds After Causing Breaches . The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches. Read Medical IT Contractor Folds After Breaches at Dark Reading for the details. New details on TJX came to light this week in stories like TJ Maxx Breach Costs Soar by Factor of 10 (Company had to absorb $118M of losses in Q2 alone) and The TJX Effect . The second article says this: Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electr

Speaking of Bad Guys

I wanted to bring a few threat-oriented stories to your attention if you hadn't seen them. I'm also recording them here because I abhor bookmarks. It's important to remember that we're fighting people, not code. We can take away their sticks but they will find another to beat us senseless. An exploit or malware is a tool; a person is a threat. Dark images like the alley on the right first described in Analog Security is Threat-Centric remind us how dangerous the Internet can be to our data, and potentially our lives. Report: Web 'Mean Streets' Pervasive : This is a story about a great new Honeynet Project report on Malicious web Servers . From the news story: If you still think avoiding risky sites keeps you safe on the Web, think again: Newly released research from the Honeynet Project & Research Alliance shows that even seemingly "safe" sites can infect you... The Honeynet Project also found that IE6 SP2 was the most likely browser versio

Loving the SSH

I read about GotoSSH.com courtesy of Risk Management Insight . I found a post by the author here , talking about the site being a Ruby on Rails application. terminal23 has a few comments too. How can this possibly be for real? I mean, why isn't it just "givemeallyourpasswords.com"? I would love to see who is using this service. Speaking of SSH, one of my Black Hat students brought an SSH v2-capable man-in-the-middle tool to my attention called mitm-ssh by Claes M Nyberg of darklab.org . I gave it a spin on my Ubuntu box. The only problem I had to overcome was not having /usr/local/include/linux/ available, as shown by this error: In file included from mitm-ssh.c:96: netfilter.h:8:26: error: linux/config.h: No such file or directory mitm-ssh.c: In function ‘mitm_ssh’: mitm-ssh.c:512: warning: unused variable ‘a’ mitm-ssh.c: In function ‘target_connect’: mitm-ssh.c:796: warning: pointer targets in passing argument 1 of ‘packet_get_raw’ differ in signedness make:

Change the Plane

Call me militaristic, but I love the History Channel series Dogfights . I hope the Air Force Academy builds an entire class around the series. I just finished watching an episode titled "Gun Kills of Vietnam." The show featured two main engagements. Both demonstrated a concept I described in Fight to Your Strengths . In the first battle two A-1H Skyraiders (prop planes) shot down a MiG-17 (a jet) using their cannons. The Skyraiders survived their initial encounter with the MiG by out-turning it at low speeds. They made the MiG fight their fight, and the MiG lost. In the second battle, an F-4 flown by pilot Darrell "Dee" Simmonds and backseater George McKinney Jr. downed another MiG-17 using their gun. In that fight, the slower but more maneuverable MiG-17 was out-turning the F-4. In the show McKinney said a less experienced pilot would have fought the MiG's fight by trying to turn with the MiG, probably giving the MiG an opportunity to down the F

Scanning with Flash

Thanks to Rsnake I learned of a proof of concept for Flash scanning . I had to enable Javascript and have Adobe Flash installed. I used Firefox within Ubuntu 6.10. In the traffic you can see my host sending the following after finishing the three-way handshake.

09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21: P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 df9f 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 3c70 6f6c 6963 792d 6669 6c65 ..6.<policy-file
0x0040: 2d72 6571 7565 7374 2f3e 00 -request/>.

More to come, I'm sure. On a related note, read Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF by Justin Schuh and XSRF^2 by Dan Kaminsky.

Note from Black Hat on ARP Spoofing Malware

During my classes I mentioned seeing a post on malware that performs ARP spoofing to inject malicious IFRAMEs on Web pages returned to anyone browsing the Web on the same segment. I found it -- ARP Cache Poisoning Incident by Neil Carpenter. Thanks to Earl Crane for taking the picture of a few ex-Foundstoners who met after the talk by Keith Jones and Rohyt Belani.

Reviews on Managing Cybersecurity Resources and Security Metrics Posted

Thanks to my travel to USENIX Security this week I managed to read two great non-technical security books. Amazon.com just posted my four star review of Managing Cybersecurity Resources . From the review: Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation decisions by properly defining terms, concepts, and models. The only problem I have with MCR is the reason I subtracted one star: its recommended strategy, cost-benefit analysis, relies upon estimated probabilities of loss and cost savings that are unavailable to practically every security manager. Without these figures, constructing cost-benefit equations as recommended by MCR is impossible in practice. Nevertheless, I still strongly recommend reading this unique and powerful book. I heavily cite passages in Managing Cybersecurit

Must-Read Post on Virtualized Switches

While visiting Hoff's blog I saw his post VMware to Open Development of ESX Virtual Switches to Third Parties...Any Guess Who's First? . You must read this. The question I have, as with all new "features," is this: is visibility built in? Will I have access to a "virtual tap"? Can I trust it? We'll see.

Human Weapon

In FISMA Dogfights I mentioned my favorite show on the History Channel is Dogfights . A very close second, if not an equal, is the new series Human Weapon . I don't recall another regular television series devoted exclusively to martial arts. If you wonder why I bother posting about a martial arts show, see my post Fight to Your Strengths . On a related subject, based on other stories in the security blogosphere, I expect to see a martial arts rumble at the next Black Hat in 2008. I better get my shoulder fixed and start training again.

CIO Magazine on IP Theft

CIO magazine, which features an impossible-to-navigate Web site but decent print version, published Hacked: The Rising Threat of Intellectual Property Theft and What You Can Do About It by Stephanie Overby. I liked these excerpts: “There’s a ceiling on how much money can be made by stealing identities,” says Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent nonprofit institute set up at the request of the federal government to examine the economic and strategic consequences of cyberattacks. “You can actually steal the business—its processes, its internal negotiating memos, its merchandising plans, all the information it uses to create value. That’s a very large payoff.” I agree, but what's up with the USCCU Web site ? I had to find an archive from February 2006 to see what this group does. Spend a little of that DHS money on a Web site, folks. CIOs may be less aware of the threat to IP than to their systems, and therefore less pr

Pervasive Security Monitoring

After Black Hat I've been thinking of how to address gaining insight into the security state of the enterprise. My first book addressed how to detect and respond to intrusions using traffic sources in the form of network security monitoring. I've talked about gaining pervasive network awareness several times as well. Recently I've talked about security application instrumentation and several times over the years I've discussed why I am not anti-log . I am beginning to formulate my thoughts on what I'm calling Pervasive Security Monitoring . I don't have a formal definition yet, but the concept will extend past NSM data sources (traffic) into reports on the state of platforms, OS, applications, and data. The dictionary definition , to become spread throughout all parts of , captures the concept fairly well at this stage. I noticed Cisco and a few others used the term pervasive security awareness , but it's used as a way to encourage employees to be

Minneapolis Bridge Lessons for Digital Security

The Minneapolis bridge collapse is a tragedy. I had two thoughts that related to security. If the bridge collapsed due to structural or design flaws, the proper response is to investigate the designers, contractors, inspectors, and maintenance personnel from a safety and negligence perspective. Based on the findings, architectural and construction changes plus new safety operations might be applied in the future. This is a technical and operational response. If the bridge collapsed due to attack, the proper response is to investigate, apprehend, prosecute, and incarcerate the criminals. Redesigning bridges to withstand bomb attack is unlikely. This is a threat reduction and deterrence response. Do you agree with that assessment? If yes, why do you think response 1 (try to improve the "bridge" and similar operations) is the response to every digital security attack (i.e., case 2)? My short answer: everyone blames the victim, not the criminal. The NTSB is on scene in Min