Showing posts from March, 2008

Wireshark 1.0.0 Released

I'd like to congratulate the Wireshark team for releasing Wireshark 1.0.0. As the news item says, it's been nearly 10 years in the making. I started using Ethereal in 1999 at the AFCERT with data collected from our ASIM sensors. It's a great time for network security monitoring right now! With Sguil 0.7.0 released there's a lot of attention from high level players. It's cool.

Practical Data Analysis and Reporting with BIRT

A friend of mine from my days at Ball Aerospace named John Ward wrote a book titled Practical Data Analysis and Reporting with BIRT. John was responsible for writing the reports we provided to customers of our network security monitoring service. He used that experience as a reason to learn more about BIRT, the Business Intelligence and Reporting Tools Eclipse-based reporting system. If you have any interest in using an open source product to create reports, check out Practical Data Analysis and Reporting with BIRT. I think you can get moving with BIRT using this book faster than you can with the longer titles from AWL. John's blog contains many posts on using BIRT to design and create reports as well.

Two Studies on Security Spending

I would like to note two articles on security spending. I learned of the first by listening to the audio edition of The Economist, specifically "Anti-terrorist spending: Feel safer now?" The article summarizes a report (Transnational Terrorism, [.pdf]) by The Copenhagen Consensus, a think tank that analyzes government spending. The Economist says: The authors of the study calculate that worldwide spending on homeland security has risen since 2001 by between $65 billion (if security is narrowly defined) and over $200 billion a year (if one includes the Iraq and Afghan wars). But in either case the benefits are far smaller. Terrorism, the authors say, has a comparatively small impact on economic activity, reducing GDP in affected countries by perhaps $17 billion in 2005. So although the number of terrorist attacks has fallen, and fewer people have been injured, the imputed economic benefits are limited — just a tenth of the costs. That does not necessarily mean the extra spending

Sguil 0.7.0 Released

...and there was much rejoicing. Sguil 0.7.0 is now available for download. Sguil is an open source interface to statistical, alert, session, and full content data written by Bamm Visscher. A great way to quickly see the differences between 0.6.1 and 0.7.0 is to visit the NSM Wiki Sguil Overview and check out the diagrams near the bottom of the page. I've been using Sguil 0.7.0 from CVS for several weeks in production and it's working well. I plan to create a new virtual machine with Sguil 0.7.0 on FreeBSD 7.0. Shortly you will be able to buy a copy of the new BSD Magazine featuring my article Sguil 0.7.0 on FreeBSD 7.0 also. Check out the release announcement for more details.

Implementing Enterprise Visibility by Leading Change

I've been advocating increased digital situational awareness via network security monitoring and related enterprise visibility initiatives for several years. Recently I read a Harvard Business Review case study called Leading Change: Why Transformation Efforts Fail by John P. Kotter. His eight-stage process for creating major change includes: Establish a sense of urgency. Create a guiding coalition. Develop a vision and strategy. Communicate the change vision. Empower broad-based action. Generate short-term wins. Consolidate gains and produce more change. Anchor new approaches in the culture. Failure to follow these eight steps often results in failed change efforts. Kotter notes for item 1 that the goal is to make the status quo seem more dangerous than launching into the unknown... When is the urgency rate high enough? [T]he answer is when about 75% of a company's management is honestly convinced that business-as-usual is totally unacceptable. Consid

E-discovery Is an Information Lifecycle Management Problem, Not a Security Problem

The more I learn about e-discovery, the less I think it's a security problem. The vast majority of e-discovery issues are pure Information Lifecycle Management (ILM) concerns. The one area where I think security has a role is countering the subject's utilization of anti-forensics and counter-forensics (defined previously as attacking evidence and attacking tools, respectively). I was reminded of this opinion while reading Find What You're Looking For? in Information Security magazine. Take a look at these Evidence Sources, for example. Given the data sources depicted in the figure, why should information security have anything to do with e-discovery? I'll answer that question: history and tradition. In the "old days," internal investigations primarily meant imaging hard drives, reviewing content for disgusting images or incriminating documents, and producing them for management. Only the security team had the necessary expertise for this exercise. To

Justifying Digital Security via 10-K Risk Factors

I'm a shareholder in Ball Corporation, thanks to the compensation plan I joined as an employee many years ago. Last week I received the company 10-K in the mail. I thought about my last reference to the Form 10-K in my post CIO Magazine 20 Minute Miracles and Real Risks. I wondered if any of the Risk Factors in the 10-K could be used to justify a digital security program. Let's look at each of them. If you're not familiar with Ball, it's mainly a manufacturer of packaging products, although a section is an aerospace company (where I worked). The loss of a key customer could have a significant negative impact on our sales... [Our] [c]ontracts are terminable under certain circumstances, such as our failure to meet quality or volume requirements... The primary customers for our aerospace segment are U.S. government agencies or their prime contractors... Our contracts with these customers are subject to several risks, including funding cuts and delays, technical unc

Ten Themes from Recent Conferences

I blogged recently about various conferences I've attended. I considered what I had seen and found ten themes to describe the state of affairs and some general strategies for digital defense. Your enterprise has to be of a certain size and complexity for these items to hold true. For example, I do not expect item one to hold true for my lab network since the user base, number of assets, and nature of the assets are so small. Furthermore, I heavily instrument the lab (that's the purpose of it) so I am less likely to suffer item one. Still, organizations that use their network for business purposes (i.e., the network is not an end unto itself) will probably find common ground in these themes. Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learn

CIO Magazine 20 Minute Miracles and Real Risks

I liked CIO Magazine's article 20 Things You Can Do In 20 Minutes to Be More Successful at Work by Stephanie Overby. Several excerpts follow. Grab the annual 10-K reports that your top competitors have filed with the Securities and Exchange Commission and read the section called "Management's Discussion and Analysis." That's where the CEO (through corporate lawyers) describes what happened to the company in the past year, good and bad. By scanning that material, you can immediately get a better understanding of the competition. Sit down right now and reschedule all your internal IT meetings for just 20 minutes... "There's only about 15 minutes to 30 minutes of true productivity in most meetings, even though meetings are typically set up for an hour," says Michael Hites, CIO of New Mexico State University, who once placed a 30-minute limit on all meetings. "The idea is that it forces you and your meeting buddies to prepare and focus." Hite

The Data Center in a Switch

We all know how security has been baked into virtualization projects from day 0. Ok, enough joking. Given our history with virtualization I'm a little scared when I read stories like Dawn of the App Aware Network that show switches becoming giant VM servers. If you didn't think of your routers and switches already as computers, you won't be able to ignore it once they are running such complex applications. I am looking forward to seeing who manages these beasts: network team or server team? Who will get blamed for poor performance? I love how these products are supposed to solve problems when the end result could be greater conflict within the IT department. I guess it won't matter when company IT departments aren't running these devices at all, since IT will be a service offered by outsourced providers.

Black Hat DC 2008 Wrap-Up

Better late than never, I suppose. I taught TCP/IP Weapons School at Black Hat DC 2008 last month, and I also attended two days of briefings (many available in the archives). The briefings began with Jerry Dixon from Team Cymru, which appears to now offer commercial services related to large scale Internet monitoring and infrastructure issues. Jerry noted several problems hampering security efforts, including lack of a dedicated security operations team (CIRT) and lack of network cognizance. I really like the idea of "cognizance," since one word is always better than the two word version -- "situational awareness." Jerry thought the Federal government's plan to reduce network gateways and monitor traffic at those points made sense. The image at right is a small snapshot of Team Cymru's Internet Malicious Activity Map. I think visualizations like this are interesting. I was glad to see my class A dark. Special Agent Andy Fried from the US Treaur

Thoughts from Several Conferences

Over the last several months I've accumulated several pages of notes after attending a variety of conferences. I thought I would present a few cogent points here. As with most of my posts, I record thoughts for future reference. If you'd rather not read a collection of ideas, please tune in later. I attended the 28 Nov 07 meeting of the Infragard Nation's Capital chapter. I found the talk by Waters Edge Consulting CEO Jeffrey Ritter to be interesting. Mr. Ritter is a lawyer and self-proclaimed "pirate" who works for the defendant by attacking every aspect of the adversary's case. As more lawyers become "cyber-savvy" I expect to encounter more of his type. Mr. Ritter offered three rules of defense. That which is unrecorded did not occur. That which is undocumented does not exist. That which is unaudited is vulnerable. He also said "Litigation isn't about the truth... it's about getting money." He offered three questions to

How Many Burning Homes

I mentioned the idea of host integrity assessment in my post Controls Are Not the Solution to Our Problem. The idea is to sample live devices (laptops, desktops, servers, routers, switches -- anything that runs a network-enabled operating system) to see if they are trustworthy. (They may be trusted, but that does not make them trustworthy.) I described how I might determine trustworthiness, or integrity, in Three Capabilities, Three Companies. I'd like to expand on these thoughts with five metrics. Before showing the security metrics, I'd like to introduce an analogy. Imagine a city with an understaffed, under-resourced, and possibly unappreciated fire department. The FD would like to prevent fires, but it spends most of its time responding to fires. How should city leadership decide how to staff and resource the FD? (There is no way to eliminate fires, at least no way that could ever be financed using any foreseeable resources. Even if people lived in concrete c

Reactions to Latest Schneier Thoughts on Security Industry

The March 2008 Information Security Magazine features an article titled Consolidation: Plague or Progress, where Bruce Schneier continues his Face-Off series with one of my Three Wise Men, Marcus Ranum. Marcus echoes the point I made in my review of Geekonomics concerning the merits of open source projects: Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite of the fact that we depended on it and paid 20 percent annual maintenance... To me, it's the best argument for do-it-yourself or integrating open source technologies into your product choices. Remember: the big argument that's levied against open source is "Who is going to maintain it?" That argument stacks up pretty neatly against, "Is this product going to exist tomorrow?" I liked that thought, but I became more interested in Bruce's counterpoint on security industry consolidation. This echoed what I rep

Bejtlich Teaching at Black Hat USA Training 2008

Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat USA 2008 on 2-3 and 4-5 August 2008, at Caesars Palace, Las Vegas, NV. These are my last scheduled training classes in 2008. I plan to rewrite and augment the class in my off time (late at night, basically!) for these two offerings. The cost for the two-day class is $2200 until 1 May, $2400 until 1 July, $2600 until 31 July, and $2900 starting 1 August. (I don't set the prices.) Register while seats are still available -- both of my sessions in Las Vegas last year sold out, and I sold out in DC last month too. Thank you.

Bejtlich Teaching at Techno Security 2008

I've previously spoken at the Techno Security 2005 and Techno Security 2006 conferences, and I taught Network Security Operations at Techno Security 2007. I'll be back at Techno Security 2008 teaching Network Security Operations (NSO) on Saturday 31 May 2008 at the Myrtle Beach Marriott Resort at Grande Dunes, a great family vacation spot. This is the only planned offering of NSO in 2008. I'll attend the conference after the one day class. I can accommodate 25 students and each seat costs $995 for the one day class. The great news about registering for NSO is that if you sign up for the class, you get a free ticket to the entire Techno Security 2008 conference. Early registration for Techno costs $1195 and ends 31 March 2008, so signing up for my class is a great deal all around. If you'd like to register for my NSO class, please check out the details here and return the registration form (.pdf) to me as quickly as you can. The deadline for registration

Bejtlich in Access Control and Security Solutions Magazine

Sandra Kay Miller interviewed me for the July 2007 issue of Access Control and Security Solutions magazine, but I forgot about it until now. The interview describes my security experiences and my thoughts on working at GE.

Review of Professional Xen Virtualization Posted

Amazon.com just posted my four star review of Professional Xen Virtualization by William von Hagen. From the review: I really enjoyed reading Professional Xen Virtualization (PXV). The book answered exactly the right questions for me, a person who had no Xen experience but wanted to give the product a try. If you are looking for a book on Xen internals, you should read The Definitive Guide to the Xen Hypervisor by David Chisnall. If you are less concerned about source-code-level details but still want to learn a lot about Xen, you will definitely enjoy PXV.

Network Security Monitoring for Fraud, Waste, and Abuse

Recently a blog reader asked the following: You frequently mention "fraud, waste, and abuse" in your writing (for example), most often to say that NSM is not intended to address FWA. One thing I've been wondering though--why is fraud in there? I can see waste (employee burning time/resources on ESPN.com or Google Video) or abuse (pornography, etc), but Fraud seems to be in a different class. If someone is using the network to commit a crime, why shouldn't that be in scope? Indeed, preventing loss (monetary, reputational, of intellectual property) is really the bottom line for a strong security program, correct? My stance on this question dates back to my days in the AFCERT. Let me explain by starting with some definitions from AFI90-301 (.pdf): Fraud: Any intentional deception designed to unlawfully deprive the Air Force of something of value or to secure from the Air Force for an individual a benefit, privilege, allowance, or consideration to which he or she is n

Matt Jonkman and Endace on Accelerating Snort

If you missed it last month, you can watch Matt Jonkman's Faster Snorting Webinar at the Endace Web site. Matt posted answers to various questions posed by readers and you can download his slides or whitepapers if interested.

New Hakin9 Released

The latest issue of Hakin9 has been published. This is a subscription magazine published in Europe. Articles which caught my attention include Programming with Libpcap - Sniffing the network from our own application by Luis Martin Garcia, Reverse Engineering Binaries by Aditya K. Sood aka 0kn0ck, and Writing IPS Rules – Part 4 by Matthew Jonkman.

Common Interface to Packets

Recently a blog reader asked me an interesting question. He wanted to know if it would be possible to replace the variety of network traffic inspection and analysis products with a single box running multiple applications. He was interested in some sort of common interface to packets that could perform the collection function and make traffic available to other products. There are several ways to look at this issue. First, one can do that already using a commodity hardware platform. It is possible to run multiple traffic inspection applications against a single interface now, but one has to be careful as the number of applications increases. We use this approach with Sguil, where Snort listens to generate alerts, SANCP listens to create session records, Daemonlogger listens to log full content data, PADS listens to generate host records, and so on. Second, one could buy a fairly open packet capture box and create virtual interfaces which provide a traffic stream to applications.

Infrastructure Protection in the Ancient World

In preparation for my career as an Air Force intelligence officer, I earned a bachelor of science degree in history at the Air Force Academy. (Yes, not a bachelor of arts degree. Because of the number of core engineering, math and science classes -- 12 I think? -- the degree is "science". At a civilian school I would have qualified for a minor in engineering, so I was told.) I really enjoy history because anyone who takes a minute to look backwards realizes 1) nothing is new; 2) we are not smarter than our predecessors; and 3) we enjoy the same successes and suffer the same mistakes. With this background you might expect me to like reading Michael Assante's paper Infrastructure Protection in the Ancient World. (The link points to a summary written for CSO magazine. You can learn a little more about Michael at INL employee to advise next U.S. president on cybersecurity.) I did indeed find the paper interesting because it compares the security of Roman aqueducts w

Must-Read Blog for Networkers

The reason so many security researchers can run their l33t 0-day attacks on Web appz is that they (usually) don't have to worry about the underlying network layers failing them. I've always been more interested in network plumbing, particularly at the WAN and backbone levels. If you sympathize, you must read the Renesys Blog. Posts like Pakistan Hijacks YouTube and Iran Is Not Disconnected are primers on how the Internet works. Those guys rock.

Best. Quote. Ever.

2003: "IDSs [intrusion detection systems] have failed to provide value relative to its costs and will be obsolete by 2005." (Gartner, "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure") 2008: "Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system." (Robert Jamison, Under Secretary of the National Protection and Programs Directorate at DHS) I will have more to say about this in a future Snort Report.

This Network Is Maintained as a Weapon System

I've been very busy the last two weeks, and this week is no different. I expect to resume my regular blogging schedule gradually this week and more next week. I'm posting to ask if anyone in the Air Force could send me an image like that posted at left, except taken when trying to visit TaoSecurity Blog . I think it would make a great laptop background if sufficiently large and high-quality. Thank you!