Showing posts from February, 2008

Microsoft Protocols Programs

Thanks to Robert Graham for pointing me to the fact that Microsoft has started a Protocols Program. This project includes thousands of pages of documentation (in .pdf format, w00t) divided into categories like Microsoft Communications Protocol Program (MCPP, for "server software that interoperates with Windows desktop operating systems") and Microsoft [Work Group] Server Protocol Program (WSPP, for "server software that interoperates with Microsoft Windows server and desktop operating systems to provide file, print, and user and group administration services"). I am frankly astounded by the number of documents available, and they are 314 MB total. I am probably going to follow the recommendations in the [MS-DOCO]: Windows Protocols Documentation Roadmap that outlines what to read and in which order. That means starting with [MS-PROTO]: Windows Protocols Overview and [MS-SYS]: Windows System Overvi

First They Came for Bandwidth...

One of the problems with being a defender is a tendency towards a lack of imagination. As I've maintained for years, sophisticated intruders are unpredictable -- so much so that I call them intrupreneurs. Most defense is reactive (filling holes in the highway instead of deploying flying cars), with Attacker 3.0 outgunning Security 1.0. This came to mind when I read Ukrainian Hacker Makes a Killing in Stock Market Fraud by Kim Zetter. She writes: The case involves a Ukrainian engineering consultant named Oleksandr Dorozhko who is alleged to have hacked into a computer belonging to IMS Health, a company that provides market research to the pharmaceutical and health care industries. Through the computer breach, Dorozhko apparently obtained advance information about a negative earnings announcement that IMS was to make a few hours later on October 17, 2007. He quickly purchased 630 put options for IMS Health, betting that the price of IMS shares, which were then trading at $30 e

Three Capabilities, Three Companies

Recently I've been working to augment my team's detection and response capabilities. I've identified three functions for which I've turned to the commercial software community for assistance. I'd like to highlight three capabilities and three companies which may be able to meet my requirements. First, I need high-end network forensics. I plan to use my open source tools to do a good deal of collection and some analysis, but in certain cases I need more content-centric capabilities. For example, it would not be easy for me to extract certain types of application layer content (think documents, email attachments, and the like) using some of my tools. I am also not the only person who may need to do this work, so a collaboration- and non-expert-friendly system is needed. For this I am taking a close look at NetWitness NextGen. I recently bought a copy of Investigator Field Edition. You can think of this product as a network forensics-equivalent of a hard dri

Snort Report 13 Posted

My 13th Snort Report titled How to use shared object rules in Snort is posted. From the start of the article: Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. However, for the most part, organizations have continued to rely upon traditional Snort rules. This may be about to change, in light of a recent security advisory from Sourcefire. Let's take a look at how to get shared object rules working on Snort sensors. If you have questions on Snort you'd like me to try to answer, please post them as comments here. Thank you.

Review of The Dark Visitor

In this post I review The Dark Visitor (TDV) by Scott J. Henderson, owner of the blog of the same name -- The Dark Visitor. Scott generously sent me a copy of his book after I found his blog and learned what the book discussed. The term "dark visitor" is Henderson's translation of the Chinese characters for "hacker". TDV is a fascinating book, and if I could have reviewed it at I would have rated it 4 out of 5 stars. TDV is the only book I have found devoted exclusively to the Chinese underground. Once in a while I write about China in my blog, but Mr. Henderson's knowledge of the Chinese scene is amazing. What is more remarkable is his comment that all the information one needs to understand Chinese hackers is simply out in the open! The language barrier and cultural differences are probably the most significant challenges for Westerners trying to understand Chinese hackers. TDV focuses on culture, history, and personalities. Many Chin

ShmooCon Ticket on eBay

I've had a change of plans and won't be able to attend ShmooCon this weekend, so I just listed my ShmooCon ticket on eBay. If you have any questions please contact me.

Review of Router Security Strategies Posted

Just posted my four star review of Router Security Strategies: Securing IP Network Traffic Planes by Gregg Schudel and David J. Smith. From the review: Router Security Strategies (RSS) is the sort of Cisco security book I like to read. Some of you were surprised by my three star review of another recent Cisco security book -- LAN Switch Security (LSS). I suggest the authors of that book take a look at RSS as a model for writing a second edition of LSS. RSS is well-organized, very clear, and backed by plenty of actionable command syntax. Were it not for a tendency to unnecessarily repeat and summarize material, I would have rated RSS five stars. Nevertheless, anyone operating Cisco routers would do well to consider how RSS approaches the network security problem.

Wired on Air Force Cyber Command

Kudos to Marty Graham of Wired for writing Welcome to Cyberwar Country, USA. This is original reporting on the Air Force Cyber Command, focusing on the question of where to formally house the command. I personally hope it is located near Washington, DC. Given that the JTF-GNO and NSA are nearby, it would make sense for the Air Force to be physically close to coordinate work and draw on local talent.

Reminder: Last Day for Web Registration for Bejtlich's Black Hat DC 2008 Training

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled TCP/IP Weapons School training class in 2008. The cost for this single two-day class is now $2400, and online registration is supposed to close today. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

NSM at the Endpoint

For many years I've advocated Network Security Monitoring (NSM) as a powerful way to improve digital situational awareness in an independent, self-reliant, and cost-effective manner. NSM relies on watching network traffic to identify suspicious and malicious activity, which prompts incident response and remediation activities. An underlying assumption is that the asset of interest is using a network you own and have adequately instrumented. What do you do if you do not own the network? Consider the following situation. First, a company laptop is connected via wired Ethernet to the company LAN. Here, traffic from the laptop out to the Internet can be assumed to traverse a link monitored by an NSM sensor. No problem. Second, the user moves the laptop outdoors, and the link switches to using a company WLAN. Here, the traffic from the laptop out to the Internet eventually reaches the same wired link used in the first scenario, and hence is monitored by the same NSM sensor. Again

Review of Beginning Perl, 2nd Ed Posted

Just posted my five star review of Beginning Perl, 2nd Ed by James Lee. From the review: I read Beginning Perl, 2nd Ed (BP2E) to gain some familiarity with Perl 5. I do not plan to really write anything in Perl, but I find myself using other people's code quite a bit! In those situations I would like to know how the code works. I also enjoy being able to make small changes if the code does not work as expected. Perl is basically everywhere, so it pays to understand it to some degree. Later this year Apress will publish Beginning Perl 6, the 3rd Ed of this book, also by James Lee. I hope to read that too.