TaoSecurity Blog

In the past I've run several security teams, such as the Air Force CERT's detection crew and the MSSP division of a publicly traded company. In those positions I was always interested in assessing the performance of my security analysts. The CNN article TSA tester slips mock bomb past airport security contains several lessons which apply to this domain. Jason, a covert tester for the Transportation Security Administration, has been probing airport weaknesses for five years, beginning with big mock bombs before switching to ever smaller devices as the TSA adapts to evolving terrorist threats ... Even before the September 11, 2001, terror attacks, government agencies deployed "red teams" such as this one to look for holes in airport security ... But instead of running from tests, the agency has embraced the idea that testing has a value that goes beyond measuring the performance of individual screeners . Tests, the TSA says, can show systemwide security vulnerabiliti

If you read Colin Percival's blog you will notice he posted a message about Depenguinator 2.0 . This is a method to convert a Linux system to FreeBSD remotely. Colin tested the script using Ubuntu 7.10. I have a few Red Hat 8.0 systems and one or more Fedora Core 4 systems that I would like to convert to FreeBSD 7.0. I tried using Depenguinator 2.0 to convert a test CentOS 5.1 system to FreeBSD 7.0, but I ran into multiple problems. These included difficulty installing Depenguinator dependencies and possible interference from SELinux capabilities. If someone wants to try testing Depenguinator 2.0 on a Red Hat 8.0 system or a Fedora Core 4 system, please do so and let me know how it goes. Thank you.

I was determined to start 2008 right by having a NoVA Sec meeting in January. Thursday night is our last chance, but thanks to last-minute coordination with Dowless and Associates we have a meeting location. The next NoVA Sec meeting will take place 1930 Thursday 31 January 2008 at Dowless and Associates: 13873 Park Center Rd. Suite 450 Herndon, VA 20171 Devin will speak and demo his One Laptop Per Child (OLPC) box. Our host is requesting a list of names of attendees, so please RSVP via email (taosecurity at gmail dot com) by end of day Wednesday 30 January 2008. Thank you. Remember, there are no dues and no requirements for membership. We do leave certifications, FISMA, the certification and accreditation (C&A) process, and related items in the parking lot. Note: I am only cross-posting this one NoVA Sec announcement because it has been a while since we held a NoVA Sec meeting. I will post future announcements only on the NoVA Sec blog and mailing list .

If you read the headline of today's Washington Post story French Bank Says Trader Hacked Computers you might get the impression that Société Générale trader Jerome Kerviel is some kind of shellcoding ninja, Web 2.0 JavaScript samurai, or at the very least a script kiddie who can run Metasploit with the best of the certified ethical hackers. The truth of the matter is probably mixed. Kerviel is most likely a fraudster who took advantage of trading processes and controls. The best source I've found so far is the Reuters article FACTBOX: Rise and fall of the SocGen rogue trader . It outlines the fraud thus: * The alleged fraud, as outlined by the bank, included a genuine long position in regulated stock market index futures, contracts bought in the hope that prices would rise. * Usually an arbitrageur hedges such a long position with an equal and opposite sale, or short position, reaping a profit from any gaps between the values of the two transactions. * The SocGen trader

I've started listening to the Economist Audio Edition on my iPod while running. Last week I listened to a special report on Corporate Social Responsibility . I was struck by the language used and issues discussed in the report. Here are a few excepts. First, from Just good business : Why the boom [in CSR initiatives]? For a number of reasons, companies are having to work harder to protect their reputation — and, by extension, the environment in which they do business... CSR is now made up of three broad layers, one on top of the other. The most basic is traditional corporate philanthropy... [T]he second layer of CSR... is a branch of risk management ... So, often belatedly, companies respond by trying to manage the risks. They talk to NGOs and to governments, create codes of conduct and commit themselves to more transparency in their operations. Increasingly, too, they get together with their competitors in the same industry in an effort to set common rules, spread the risk an

Amazon.com just posted my four star review of The Best of FreeBSD Basics by Dru Lavigne. From the review : In mid-2004 I reviewed Dru Lavigne's book BSD Hacks, which I really enjoyed. 3 1/2 years later I am pleased to say that Dru's latest book, The Best of FreeBSD Basics (TBOFB), is another excellent resource for FreeBSD users. I really wish this book had been available in 2000 when I started using FreeBSD! If you are a beginner to intermediate FreeBSD user, you will find this book invaluable. If you are an advanced user, you may find a helpful tip or two as well.

Amazon.com just posted my three star review of Time Based Security by Winn Schwartau. From the review : Time Based Security (TBS) was largely written 10 years ago. The author gave me a copy about 3 years ago at a security conference. What's remarkable about the concept of TBS is that it was as relevant 10 years ago as it is today. The "risk avoidance" idea and "fortress mentality" described in TBS are as prevalent in this decade as they were in the 1990s, and they continue to fail us. TBS, as an alternative approach, is a powerful way to estimate the security posture of an asset. However, TBS the book is not the best way to make this argument (hence the three star rating). I would like to see TBS (published in 1999, but including older material) rewritten as a tenth anniversary edition and released in digital format, perhaps as a digital Short Cut. I recommend reading the whole review. I heavily quoted the parts I liked. I also just updated the links in my

In Predictions for 2008 in included the following: 3) Expect increased awareness of external threats and less emphasis on insider threats. Maybe this is just wishful thinking, but the recent attention on botnets, malware professionalization, organized criminal cyber enterprises, and the like seems to be helping direct some attention away from inside threats. This may be premature for 2008, but I expect to see more coverage of outsiders again. Today I saw the SANS Top Ten Cyber Security Menaces for 2008 . (I thought using the term "menace" neatly sidesteps trying to classify these items using traditional terms, since the list mixes threats, attacks, tools, and so on.) Here is the "consensus list," according to 12 "cyber security veterans," in ranked order: Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites Increasing Sophistication And Effectiveness In Botnets Cyber Espionage Efforts By Wel

Thanks to SANS Newsbites (probably the best weekly security round-up around) for pointing me to the story Two-thirds of Oracle DBAs don't apply security patches . They are all citing this Sentrigo press release , which I will quote directly: Sentrigo, Inc., an innovator in database security software, today announced survey results indicating that most Oracle database administrators do not apply the Critical Patch Updates (CPUs) that Oracle issues on a quarterly basis... When asked: “Have you installed the latest Oracle CPU?” – Just 31 people, or ten percent of the 305 respondents, reported that they applied the most recently issued Oracle CPU. When asked: “Have you ever installed an Oracle CPU?” – 206 out of 305 OUG attendees surveyed, or 67.5 percent of the respondents said they had never applied any Oracle CPU. Of course, Sentrigo has a business reason for reporting these figures: Sentrigo created Hedgehog, a host-based database activity monitoring and protection software solut

I'm not sure if this is real: CIA Admits Cyberattacks Blacked Out Cities : The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States . Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout... Paller said that Donahue presented him with a written statement that read , "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the

Almost one month ago I wrote Predictions for 2008 . They included 2) Expect greater military involvement in defending private sector networks. and 4) Expect greater attention paid to incident response and network forensics, and less on prevention. Relevant to number 2, today I read Intelligence Chief Proposes Wide Cyber Surveillance , which says: US National Intelligence Director says government should be able to tap all email, file transfers, and Web searches.. In an interview scheduled to be published in Monday's forthcoming edition of The New Yorker, McConnell offers some insight into his long-awaited draft U.S. Cyber-Security Policy... To accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States -- in order to protect it from abuse. The plan gives government agencies the right to monitor email, file transfers, and even Web searches, according to reports. McConnell's proposals also include reducing the

Amazon.com just posted my four star review of Security Power Tools by a team of authors, mostly from Juniper. From the review : I am probably the first reviewer to have read the vast majority of Security Power Tools (SPT). I do not think the other reviewers are familiar with similar books like Anti-Hacker Toolkit, first published in 2002 and most recently updated in a third edition (AHT3E) in Feb 2006. (I doubt the SPT authors read or even were aware of AHT3E.) SPT has enough original material that I expect at least some of it will appeal to many readers, justifying four stars. On the other hand, a good portion of the material (reviewed previously as "the most up-to-date tools") offers nothing new and in some cases is several years old.

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics. The cost for this single two-day class is now $2200 until 8 February (three weeks from now), when online registration closes and the price increases to $2400. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

About a month ago I recorded a podcast for SearchSecurityChannel.com . It's a series of frequently asked questions. SSC is for the "channel," which means "vendors," but everything in the podcast applies to Snort operators. You should be able to reach the podcast via this link . Note that when I recorded the podcast we didn't know that Emerging Threats would replacing Bleeding Threats.

I wrote a 4 star review of review of the first edition of Network Security Assessment by Chris McNab in May 2004. I read the second edition and tried to post a three star review at Amazon.com. Unfortunately, Amazon.com would not let me post a new review because I reviewed the first edition. Therefore, here is my review: In May 2004 I reviewed the first edition of Network Security Assessment (NSA1). Almost four years later, the second edition (NSA2) is basically the same book. This makes sense, given the majority of the action in digital security over the last 5-6 years has occurred at the application layer, not the network layer. (For reference, OWASP -- the Open Web Application Security Project -- was created in 2002.) The end result is the material in NSA2 is a foundation for higher level assessments. While NSA2 contains chapters on Assessing Web Servers and Assessing Web Applications, it doesn't devote enough depth to change the focus of the book. In some ways NSA2 is

Four years ago when I wrote The Tao of Network Security Monitoring I introduced the term defensible network architecture . I expanded on the concept in my second book, Extrusion Detection . When I first presented the idea, I said that a defensible network is an information architecture that is monitored, controlled, minimized, and current. In my opinion, a defensible network architecture gives you the best chance to resist intrusion, since perfect intrusion prevention is impossible. I'd like to expand on that idea with Defensible Network Architecture 2.0. I believe these themes would be suitable for a strategic, multi-year program at any organization that commits itself to better security. You may notice the contrast with the Self-Defeating Network and the similarities to my Security Operations Fundamentals . I roughly order the elements in a series from least likely to encounter resistance from stakeholders to most likely to encounter resistance from stakeholders. A D

I received the following question from a blog reader. I am interested in hearing what you think. I'm team lead for a small private-sector security operations team. We are fortunate that we have a reasonably interesting and attractive work environment, readily available financial resources, and a relatively manageable event load. We've been trying to hire a mid to senior level analyst position for at least a year now, and have been having absolutely no luck whatsoever. The job responsibilities mainly consist of analyzing events from the SEM and NSM stacks, documenting and resolving incidents, and conducting regular vulnerability management operations. A majority of the applications we get seem to come from security "architects" who may have some product deployment experience, but little to no applicative analysis skills necessary to un-haystack the needles, or pursue an incident to closure. Very few of the interviewees can even get past the technical phone screen, wh

Today, 8 January 2008, is the fifth birthday of TaoSecurity Blog . I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2087 posts (averaging 417 per year !?!) later, I am still blogging. My pace has slowed during the last few months, mainly because I have been spending more time reading in my off hours. I have also found less really gripping security events to report. I try not to jump on the bandwagon, so if you see a lot of coverage for a certain event I will probably not report it. I might chime in if there's an uncovered angle or I particularly want to record my thoughts on the issue. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these five years -- I hope to have a ten year post in 2013! Don't fo

Thanks to Sensepost for reporting this story last month. They describe an advisory published by Charles Miller and Dino Dai Zovi whereby arbitrary characters in Second Life are digitally mindjacked and robbed. By walking on "land" owned by an attacker, and having Second Life configured to automatically display video, a victim's avatar and computer can be exploited via the November 2007 Quicktime vulnerability . In the YouTube video you can see "Sussy McBride" be freeze, shout "I got hacked," and give her money to the attacker. I am fascinated by this story because it is the natural progression from a 2006 post Security, A Human Problem describing a Second Life denial of service attack. In that post I said: First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point these virtual worlds will need security consultants, just like the physical world. I wonder if someone cou

Amazon.com just posted my five star review of Virtual Honeypots by Niels Provos and Thorsten Holz. From the review : It's fairly difficult to find good books on digital defense. Breaking and entering seems to be more exciting than protecting victims. Thankfully, Niels Provos and Thorsten Holz show that defense can be interesting and innovative too. Their book Virtual Honeypots is your ticket for deploying defensive resources that will provide greater digital situational awareness.

My 12th Snort Report titled Snort Frequently Asked Questions is posted. From the start of the article: Service provider takeaway: Snort isn't perfect. In this tip, service providers will learn the answers to frequently asked questions about Snort's usage and limitations. In this edition of the Snort Report, I address some of the questions frequently asked by service providers who are users or potential users of Snort. I say "potential users" because some people hear about Snort and wonder if it can solve a particular problem. Here I hope to provide realistic expectations for service providers using Snort. Again, please note I did not write the words "Snort isn't perfect." The editor did. This is one of the aspects of the Snort Report I do not control. In this article I address these questions. Can I use Snort to protect a network from denial-of-service attacks? Can Snort decode encrypted traffic? Can Snort detect layer 2 attacks? Can Snort log flow

Taking a look at posts from the last year, I realized I forgot to mention a few events. First, Kai Roer wrote a security profile of me using a question-and-answer format. Second, Chris Byrd posted an interview with me that covers different ground. Finally, TechTarget and Addison-Wesley asked me to read a portion of my book Extrusion Detection , specifically the beginning of chapter 2. It is listed as the February 5, 2007 feature in their 2007 podcast archive. Thank you to Kai, Chris, and TechTarget/AW for these resources.

You may have already heard about Tiger Team on the former Court TV (now TruTV , but I finally watched both episodes this weekend on my TiVo. I liked the "WWJD40D", "Core Impact", and "I am an Infosec Sellout" T-shirts. I especially liked the injection of time-based security into the jewelry heist scenario, where the tiger team was slowed by 15 minutes because they tried brute-forcing a keypad lock. I contacted several PR reps at TruTV and asked about Tiger Team's future. One of them wrote back: Thank you for your email and interest in Tiger Team. Tiger Team was a special and likely won't be returning. Please let me know if I can assist you with anything else. That is a real shame -- I hope TruTV reconsiders.

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics. The cost for this single two-day class is now $2200 until 8 February, when online registration closes and the price increases. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

In May 2006 I wrote Avoid Incident Response and Forensics Work in These States after reading a great article by Mark Rasch about states requiring some digital forensics consultants to have private investigator licenses. One of my colleagues pointed me to a new article titled http://www.baselinemag.com/article2/0,1540,2242720,00.asp by Deb Radcliff. From the article: Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency... Otherwise, digital evidence collected by unlicensed practitioners could be excluded from criminal and civil court cases. Worse yet, those caught practicing without a license could face criminal prosecution... South Carolina isn't alone in considering regulating digital forensics and restricting the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states goin