Showing posts from June, 2008

Pascal Meunier Is Right About Virtualization

I love Pascal Meunier's post Virtualization Is Successful Because Operating Systems Are Weak: It occurred to me that virtual machine monitors (VMMs) provide similar functionality to that of operating systems... What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization... I’m now not convinced that a virtualization solution + guest OS is significantly more secure or functional than just one well-designed OS could be, in theory... I believe that all the special things that a virtualization solution does for functionality and security, as well as the “new” opportunities being researched, could be done as well by a trustworthy, properly designed OS. Please read the whole post to see all of Pascal's points. I had similar thoughts on my mind when I wrote the following in my post NSM vs Encrypted Traffic, Plus Virtualization: [R]eally nothing about virtualization is new. Once upon a time computers could only run one

Verizon Study Continues to Demolish Myths

I just read Patching Conundrum by Verizon's Russ Cooper. Wow, keep going guys. As before, I recommend reading the whole post. Below are my favorite excerpts: Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases. Given average current patching strategies, it would appear that strategies to patch faster are perhaps less important than strategies to apply patches more comprehensively... To summarize the findings in our “Control Effectiveness Study”, companies who did a great job of patching (or AV updates) did not have statistically significant less hacking or malicious code experience than companies who said they did an average

Logging Web Traffic with Httpry

I don't need to tell anyone that a lot of interesting command-and-control traffic is sailing through our Web proxies right now. I encourage decent logging for anyone using Web proxies. Below are three example entries from a Squid access.log. This is "squid" format with entries for user-agent and referer tacked to the end. Incidentally here is a diff of my Squid configuration that shows how I set up Squid. r200a# diff /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.orig 632,633c632,633 < acl our_networks src < http_access allow our_networks --- > #acl our_networks src > #http_access allow our_networks 936c936 < http_port --- > http_port 3128 1990,1992d1989 < logformat squid-extended %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt "%{Referer}>h" "%{User-Agent}>h" < < 2022c2019 < access_log /usr
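Review bot: as shown, neither the new `acl our_networks src` line nor the new `http_port` line carries an argument. An `acl ... src` with no address range matches nothing, so the `http_access allow our_networks` line that follows it would admit no one, and an `http_port` with no port replaces the stock `http_port 3128` with no listener at all. Confirm the network range and the port were lost when the diff was pasted rather than in the live config, and keep `http_access allow our_networks` ahead of Squid's closing `http_access deny all` so that only the listed networks can reach the proxy. The added `logformat squid-extended` line only takes effect through the `access_log` line that names it, which is cut off here.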
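Squid writes one line per request in exactly the field order the logformat gives, so a small parser that knows that order turns access.log into something you can query for beaconing instead of browsing. The following is an added example, not code from the post, from Squid or from httpry: it parses lines in the squid-extended format above (the %ts, %>a, %Ss/%Hs, %ru, %Sh/%<A, Referer and User-Agent fields) and flags requests whose User-Agent is missing or differs from that client's usual browser, whose host is a bare IP address, or which POST without a Referer. The log lines and the client and server addresses are constructed for the example.

```python
"""Parse Squid access.log lines written with the custom logformat from the
post (the stock "squid" fields with Referer and User-Agent appended) and
flag requests that look like command-and-control check-ins rather than
browsing.  Added example, not the post's own code; the log lines below are
constructed for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Field order follows the logformat line from the post:
# %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt "%{Referer}>h" "%{User-Agent}>h"
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<status>\S+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"\s*$')

IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# Constructed sample: one client loads a page, then the same client makes two
# requests of the kind a beaconing implant produces.
BROWSER_UA = ('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) '
              'Gecko/20080404 Firefox/2.0.0.14')
SAMPLE_LOG = (
    '1214000000.123    145 192.168.2.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html "-" "%s"\n'
    '1214000001.456     12 192.168.2.10 TCP_HIT/200 312 GET http://www.example.com/logo.png - NONE/- image/png "http://www.example.com/index.html" "%s"\n'
    '1214000060.001      8 192.168.2.10 TCP_MISS/200 48 GET http://203.0.113.7/cgi-bin/check.cgi?id=3 - DIRECT/203.0.113.7 text/plain "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"\n'
    '1214000120.777      9 192.168.2.10 TCP_MISS/200 51 POST http://203.0.113.7/cgi-bin/upload.cgi - DIRECT/203.0.113.7 text/plain "-" "-"\n'
) % (BROWSER_UA, BROWSER_UA)


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, conv in (('ts', float), ('elapsed', int), ('code', int), ('bytes', int)):
        rec[key] = conv(rec[key])
    rec['host'] = urlsplit(rec['url']).hostname or ''
    return rec


def parse_log(text):
    """Parse every line that matches the format; silently skip the rest."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def suspicious(records):
    """Return [(record, [reason, ...])] for requests that look more like an
    implant check-in than a page load.  The most common User-Agent per
    client stands in for 'the browser on that host'."""
    counts = {}
    for r in records:
        counts.setdefault(r['client'], Counter())[r['ua']] += 1
    usual_ua = {c: ctr.most_common(1)[0][0] for c, ctr in counts.items()}
    hits = []
    for r in records:
        reasons = []
        if IPV4_RE.match(r['host']):
            reasons.append('host is an IP literal')
        if r['ua'] == '-':
            reasons.append('no User-Agent')
        elif r['ua'] != usual_ua[r['client']]:
            reasons.append("User-Agent differs from the client's usual one")
        if r['method'] == 'POST' and r['referer'] == '-':
            reasons.append('POST without Referer')
        if reasons:
            hits.append((r, reasons))
    return hits


if __name__ == '__main__':
    for rec, why in suspicious(parse_log(SAMPLE_LOG)):
        print(rec['client'], rec['method'], rec['url'], '|', '; '.join(why))
```

To run it over a real log, replace SAMPLE_LOG with the file contents. The "usual User-Agent" heuristic is deliberately simple: proxy-aware malware often copies the browser's User-Agent, so a clean User-Agent is the absence of one signal, not clearance, which is why the host and Referer checks are kept independent of it.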

Sourcefire Best of Open Source Security Conference

Sourcefire is sponsoring a Best of Open Source Security (BOSS) conference 8-10 February in Las Vegas, NV, with the main activities happening on 9-10 February. Sourcefire is holding the event simultaneously with their annual users conference. I am on the committee evaluating speakers so I look forward to seeing what people want to present.

Verizon Business Report Speaks Volumes

This morning I attended a call discussing the new Verizon Business 2008 Data Breach Investigations Report. I'd like to quote the linked blog post and a previous article titled I Was an Anti-MSS Zealot, both of which I recommend reading in their entirety. First I cite some background on the study. Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported. The Verizon Business 2008 Data Breach Investigations Report contains first-hand information on actual

House of Representatives v China

Thanks to one of my colleagues for pointing out Lawmaker says Chinese hacked Capitol computers: By PETE YOST and LARA JAKES JORDAN – 3 hours ago WASHINGTON (AP) — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China. Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House and at least one House committee. A spokesman for Wolf said the four computers in his office were being used by staff members working on human rights issues and that the hacking began in August 2006. Wolf is a longtime critic of the Chinese government's human rights record. The congressman suggested the problem probably goes further. "If it's been done in the House, don't you think that they're doing the same thing in the Senate?" he asked. For a record of others hacked by China, see my earlier posts.

Publicity: BSD Associate Examinations

I was asked to mention that BSD Associate examinations will take place at the following three events:
RMLL: Mont-de-Marsan, France, Jul 02, 2008
OpenKyiv 2008: Kiev, Ukraine, Aug 02, 2008
LinuxWorld: San Francisco, CA, Aug 06-07, 2008
From the BSDA description: The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background, but less than six months of work experience as a BSD systems administrator (or who wish to obtain employment as a BSD systems administrator) will benefit most from this certification. Human resource departments should consider the successful BSDA certified applicant to be knowledgeable in the daily maintenance of existing BSD systems under the direction and supervision of a more senior administrator.

The Best Single Day Class Ever

I had the great fortune to attend Edward Tufte's one-day class Presenting Data and Information. I only knew Tufte from advertisements in the Economist. For example, the image at left was frequently used as an ad in the print magazine. I had not read any of his books although I knew of his criticism of PowerPoint, specifically with respect to the Challenger disaster. This was the best one-day class I have ever taken. It profoundly altered the way I think about presenting information and making arguments. If any part of your professional life involves delivering presentations, you must attend this class. It's a complete bargain for the price. I would like to see every professional at my company take this course. Following Tufte's advice would provide the single biggest productivity improvement and corresponding "return on investment" we are likely to see in my tenure. There is no way for me to summarize Tufte's course. You should attend yourself

NoVA Sec Meeting Memory Analysis Notes

On 24 April we were lucky to have Aaron Walters of Volatile Systems speak to our NoVA Sec group on memory analysis. I just found my notes, so I'd like to post a few thoughts. There is no way I can summarize his talk. I recommend seeing him the next time he speaks at a conference. Aaron noted that the PyFlag forensics suite has integrated the Volatility Framework for memory analysis. Aaron also mentioned FATkit and VADtools. In addition to Aaron speaking, we were very surprised to see George M. Garner, Jr., author of Forensic Acquisition Utilities and KnTTools with KnTList. George noted that he wrote FAU at the first SANSFIRE, in 2001 in DC (which I attended too) after hearing there was no equivalent way to copy Windows memory using dd, as one could with Unix. George sets the standard for software used to acquire memory from Windows systems, so using his KnTTools to collect memory for analysis by KnTList and/or Volatility Framework is a great approach. While Aaron'

Recycling Security Technology

Remember when IDS was supposed to be dead? I thought it was funny to see the very same inspection technologies that concentrated on inbound traffic suddenly turned around to watch outbound traffic. Never mind that the so-called "IPS" that rendered the "IDS" dead used the same technology. Now, thanks to VMware VMsafe APIs, vendors looking for something else to do with their packet inspection code can watch traffic between VMs, as reported by the hypervisor. We've seen Solera, Altor, and others jump into this space. It's popular and helpful to wonder if having the ability to monitor traffic on the ESX server is a feature or a product. I consider it a feature. The very same code that can be found in products from Sourcefire and other established players is likely to be much more robust than something a startup is going to assemble, assuming the startup isn't using Snort anyway! Once the traditional plug-into-the-wire vendors hear of this requiremen

Intel Premier IT Magazine on "War Gaming"

Intel Premier IT Magazine published an article titled Wargaming: How Intel Creates a Company-Wide Security Force. (Access granted after registration with whatever you want to input.) What Intel calls "war gaming" sounds like three activities. For reference, I differentiated between Threat and Attack Models last year.
Threat Modeling: Identifying parties with the capabilities and intentions to exploit a vulnerability in an asset.
Attack Modeling: Identifying vectors by which any threat could exploit an asset; i.e., the identity of the threat is irrelevant -- the method matters here.
Adversary Imagination and Simulation: The former involves thinking about how an adversary would act like a threat and perform an attack. The latter is actually acting as the threat upon production assets.
The article mentions doing the latter for computer concerns. I am not a big fan of adversary imagination as the end result of any activity. It's far too likely to rest on untested assumpt

Review of Nmap in the Enterprise Posted

My 3-star review of Nmap in the Enterprise by Angela Orebaugh and Becky Pinkard has just been published. From the review: Initially I hoped Nmap in the Enterprise (NITE) would live up to its title. I was excited to see "Automate Tasks with the Nmap Scripting Engine (NSE)" on the cover, in addition to the "Enterprise" focus. It turns out that beyond a few command line options of which I was not previously aware, and some good info on interpreting OS fingerprinting output in Ch 6, I didn't learn much by reading NITE. If you are new to Nmap or network scanning you will probably like NITE, but if you want a real enterprise focus or information on NSE you will be disappointed.

Review of No Tech Hacking Posted

My 4-star review of No Tech Hacking by Johnny Long has just been posted. From the review: No Tech Hacking (NTH) again demonstrates that the fewer the number of authors a Syngress book advertises, the better the book. With security star Johnny Long as the main author, the book adds a section in Ch 5 (Social Engineering) by Techno Security organizer Jack Wiles. The "special contributors" no doubt worked with Johnny to answer his questions, but it's clear that relying on a primary author resulted in a better-than-average Syngress title. (Harlan Carvey's Windows Forensic Analysis is another example of this phenomenon.)

Review of Botnets Posted

My 2-star review of Botnets by Craig Schiller, et al. has just been posted. From the review: I am wary of Syngress books that consist of a collection of contributions. The quality of the books usually decreases as the number of authors increases. Botnets is no exception, unfortunately. You will probably enjoy chapters by Gadi Evron (Ch 3, Alternative Botnet C&Cs) and Carsten Willems (Ch 10, Using Sandbox Tools for Botnets). I was initially interested in the book because of chapters on Ourmon (Chs 6-9, by Jim Binkley, tool developer). That leaves half the book not worth reading.

Review of Building a Server with FreeBSD 7

If you look at the reviews of Building a Server with FreeBSD 7 by Bryan Hong, you'll see my review of the self-published Building an Internet Server With FreeBSD 6, which I gave 4 out of 5 stars. No Starch took the first edition, worked with the author, and published this new book using FreeBSD 7.0 as the base OS. If I could post a new review, I would also give this book 4 out of 5 stars. I think BASWF7 is an excellent companion to Absolute FreeBSD, 2nd Ed by Michael Lucas. Much of my original review pertains to this new edition. The majority of the book explores how to get a variety of popular open source applications running on FreeBSD 7.0 using the ports tree. For each application, the following sections usually appear: summary, resources, required, optional, preparation, install, configure, testing, utilities, config files, log files, and notes. I am really confident I could sit down with the appropriate chapter and get a previously unfamiliar

FX on Cisco IOS Rootkits

I saw FX speak on Cisco IOS forensics at Black Hat DC 2008. I just got a chance to read his excellent post On IOS Rootkits. I was impressed to read FX's pointer to his company's Cisco Incident Response - CIR Online Service, with a specific report run on Sebastian 'topo' Muniz's IOS rootkit. Also, consider this from FX's post: Now that some people actually talk about IOS rootkits, interesting tidbits show up. One person asked me if we have tested CIR with the Russian IOS rootkit that was for sale a few years ago. No, we didn't, but good to know that these exist. Russian IOS rootkit... interesting. How much proof do we need to monitor our routers?

A Clueful Interview

If you have ten minutes and want to be genuinely more informed when it's over, read Federico Biancuzzi's excellent interview of Nate Lawson titled Racing Against Reversers. I found this comment interesting: Q: It sounds as if security through obscurity has some admirers among the DRM designers. What is the role of "secrets" in a DRM system? A: In software protection, obscurity is everything. You're ultimately depending on the attacker to not be able to just "see" the key or how the protection works. That sounds weak and against normal security principles but actually works quite well in practice, if you're good at it. I think that insight echoes what I said in Fight to Your Strengths last year: Apparently several people with a lot of free time have been vigorously arguing that "security through obscurity" is bad in all its forms, period. I don't think any rational security professional would argue that relying only upon security throug

NSM vs Encrypted Traffic Revisited

My last post What Would Galileo Think was originally the first part of this post, but I decided to let it stand on its own. This post is now a follow-on to NSM vs Encrypted Traffic, Plus Virtualization and Snort Report 16 Posted. I received several questions, which I thought deserved a new post. I'm going to answer the first with Galileo in mind. LonerVamp asked: So can I infer that you would prefer to MITM encrypted channels where you can, so as to inspect that traffic on the wire? :) On a related note, Ivan Ristic asked: Richard, how come you are not mentioning passive SSL decryption as an option? I thought I had answered those questions when I said: If you loosen your trust boundary, maybe you monitor at the perimeter. If you permit encrypted traffic out of the perimeter, you need to man-in-the-middle the traffic with an SSL accelerator. If you trust the endpoints outside the perimeter, you don't need to. Let's reconsider that statement with Galileo in mind. Originall
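Passive SSL decryption, the option Ivan raises, only works when the sensor holds the server's private key and the session carried its premaster secret under that key, which means an RSA key-exchange cipher suite; a DHE or ECDHE suite leaves nothing the server key can recover after the fact and forces the man-in-the-middle route. The following added example (not code from the post) reads the cipher suite the server selected out of a TLS ServerHello record and reports which route applies. The suite table is a small illustrative subset and the ServerHello records the builder produces are constructed, so both are assumptions for the example.

```python
"""Classify a TLS session as passively decryptable (the server's RSA key
alone recovers it) or as needing an inline man-in-the-middle, from the
cipher suite in the server's ServerHello.  Added example, not from the post;
the suite table is a small illustrative subset and the records are
constructed."""
import struct

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type

# Key-exchange method per IANA cipher suite number (assumption: partial table).
SUITES = {
    0x000A: ('TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'RSA'),
    0x002F: ('TLS_RSA_WITH_AES_128_CBC_SHA', 'RSA'),
    0x0035: ('TLS_RSA_WITH_AES_256_CBC_SHA', 'RSA'),
    0x0033: ('TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'DHE'),
    0x0039: ('TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'DHE'),
    0xC013: ('TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'ECDHE'),
    0xC014: ('TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'ECDHE'),
}


def parse_server_hello(record):
    """Return {'version', 'session_id', 'cipher_suite'} from a TLS record
    that carries exactly one ServerHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError('not a TLS handshake record')
    rec_len = struct.unpack('!H', record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError('truncated record')
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], 'big')
    hs = body[4:4 + hs_len]
    if hs_type != SERVER_HELLO or len(hs) != hs_len:
        raise ValueError('not a complete ServerHello')
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(hs) < 35 or len(hs) < 35 + hs[34] + 3:
        raise ValueError('ServerHello too short')
    sid_end = 35 + hs[34]
    return {'version': struct.unpack('!H', hs[0:2])[0],
            'session_id': hs[35:sid_end],
            'cipher_suite': struct.unpack('!H', hs[sid_end:sid_end + 2])[0]}


def decryption_route(record):
    """'passive': the server's RSA private key recovers the premaster secret.
    'mitm': ephemeral DH means only an inline proxy (SSL accelerator) sees
    plaintext.  'unknown': suite not in the table above."""
    suite = parse_server_hello(record)['cipher_suite']
    kx = SUITES.get(suite, (None, None))[1]
    return {'RSA': 'passive', 'DHE': 'mitm', 'ECDHE': 'mitm'}.get(kx, 'unknown')


def build_server_hello(suite, version=0x0301, session_id=b''):
    """Constructed ServerHello record for the example (zeroed random)."""
    hs = struct.pack('!H', version) + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack('!H', suite) + b'\x00'
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, 'big') + hs
    return bytes([HANDSHAKE]) + struct.pack('!H', version) + struct.pack('!H', len(body)) + body


if __name__ == '__main__':
    for suite in (0x002F, 0x0039, 0xC013):
        rec = build_server_hello(suite, session_id=b'\x11' * 8)
        print(SUITES[suite][0], '->', decryption_route(rec))
```

On live traffic you would feed `decryption_route()` the first server-to-client handshake record of each flow from a capture. Session resumption (an abbreviated handshake with no new key exchange) and SSLv2-style hellos are not handled here, and a `mitm` result is exactly the case the post's SSL accelerator exists for: the sensor can only see plaintext if it terminates the connection itself.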

What Would Galileo Think

I love history. Studying the past constantly reminds me that we are not any smarter than our predecessors, although we have more knowledge available. The challenge of history is to apply its lessons to modern problems in time to positively impact those problems. I offer this post in response to some of the reporting from the Gartner Security Summit 2008, where pearls of wisdom like the following appear: What if your network could proactively adapt to threats and the needs of the business? That’s the vision of the adaptive security infrastructure unveiled by Gartner here today. Neil MacDonald, vice president and fellow at Gartner, says this is the security model necessary to accommodate the emergence of multiple perimeters and moving parts on the network, and increasingly advanced threats targeting enterprises. “We can’t control everything [in the network] anymore,” MacDonald says. That’s why a policy-based security model that is contextual makes sense, he says. “The next generation

Phone Book Full Disclosure

The following story is all over the local media. From the Hagerstown (MD) Herald-Mail, which broke the story: A mistake by Verizon that led to the printing of about 12,500 unlisted or nonpublished telephone numbers and corresponding addresses in a telephone book has prompted fear and anger in some of those affected... In March, Verizon inadvertently sold the numbers to Ogden Directory Inc. for publication in the phone book... The phone books were in the process of being distributed by the post office, but Ogden officials last week asked that distribution be halted after the problem was discovered. [T]he publication of the phone numbers can be rectified by Verizon providing new numbers, but the damage caused by publishing addresses is irreversible. If you need examples why this is a big deal, please read the article. When I heard this story yesterday, I thought: "I would not have known about this if the local media did not report it." I wondered if it would have been more ap

Old School Layer 2 Hacking

When I designed my TCP/IP Weapons School class, my intent was to teach TCP/IP at an advanced level using traffic generated by security tools. I thought the standard approach of showing all normal traffic was boring. Sometimes students (or those on the sidelines) wonder why I should bother teaching a technique like ARP spoofing at all, when layer 7 attacks are what the cool kids are doing these days. One answer is below (image credit: Sunbelt Blog). How could this happen? It turns out it wasn't the fault of the Metasploit Project. Rather, a server in the same VLAN as the Metasploit Project was compromised and used to ARP spoof the gateway of the Metasploit Project Web site. See Full Disclosure: Re: Metasploit - Hack? and this for details. HD Moore responded to the incident by adding the proper MAC address for his Web hoster's gateway as a static entry to his ARP cache. This is a great example of a cloud security problem. You host your content at a third party, and you rely upon
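The incident above works because any host on the VLAN can answer for the gateway's IP address and a victim's ARP cache believes the most recent reply. A static ARP entry, as HD Moore added, pins the mapping on one host; catching the spoof on the segment takes a watcher in the style of arpwatch. The following is an added example, not code from the post or from the Metasploit Project: it decodes Ethernet/ARP frames, pins the gateway MAC on first sight (or from a known-good value supplied up front), and raises an alert when another MAC claims the gateway IP or when a frame's Ethernet source does not match its ARP sender address. The MAC and IP addresses are made up and the frames are constructed rather than captured.

```python
"""Watch ARP replies for a gateway whose MAC address changes, the condition
behind the Metasploit Project incident described above.  Added example, not
code from the post or the Metasploit Project; addresses are made up and the
frames are constructed rather than captured."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(':'))


def ip_bytes(s):
    return bytes(int(x) for x in s.split('.'))


def mac_str(b):
    return ':'.join('%02x' % x for x in b)


def ip_str(b):
    return '.'.join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Constructed Ethernet+ARP reply.  eth_src lets the example forge a frame
    whose Ethernet source differs from the ARP sender hardware address."""
    eth_src = sender_mac if eth_src is None else eth_src
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + struct.pack('!H', ETH_P_ARP)
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, ARP_REPLY)          # Ethernet/IPv4 reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    if struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:50]
    return {'eth_src': mac_str(eth_src), 'oper': oper,
            'sha': mac_str(a[0:6]), 'spa': ip_str(a[6:10]),
            'tha': mac_str(a[10:16]), 'tpa': ip_str(a[16:20])}


class GatewayWatch:
    """Pin the gateway's MAC (from a verified value, the equivalent of a static
    ARP entry, or on first sight) and alert on replies that contradict it."""

    def __init__(self, gateway_ip, gateway_mac=None):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac
        self.alerts = []

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None or p['oper'] != ARP_REPLY:
            return None
        if p['sha'] != p['eth_src']:
            self.alerts.append(('eth-src mismatch', p))
        if p['spa'] == self.gateway_ip:
            if self.gateway_mac is None:
                self.gateway_mac = p['sha']
            elif p['sha'] != self.gateway_mac:
                self.alerts.append(('gateway mac changed', p))
        return p


def run_scenario():
    """Constructed traffic: the real gateway answers, a host on the same VLAN
    claims the gateway IP, then a frame arrives with a forged Ethernet source."""
    gw_mac, evil_mac, web_mac = '00:1a:2b:3c:4d:5e', '00:0c:29:aa:bb:cc', '00:50:56:11:22:33'
    w = GatewayWatch('192.168.1.1')
    w.feed(build_arp_reply(gw_mac, '192.168.1.1', web_mac, '192.168.1.10'))
    w.feed(build_arp_reply(evil_mac, '192.168.1.1', web_mac, '192.168.1.10'))
    w.feed(build_arp_reply(gw_mac, '192.168.1.1', web_mac, '192.168.1.10', eth_src=evil_mac))
    return w.gateway_mac, [kind for kind, _ in w.alerts]


if __name__ == '__main__':
    print(run_scenario())
```

To use it on live traffic, feed `GatewayWatch.feed()` raw frames from a packet socket or a pcap, and seed `gateway_mac` with the value you verified out of band rather than trusting the first reply seen, since on a segment that is already under attack the first reply may be the attacker's.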

Snort Report 16 Posted

My 16th Snort Report titled When Snort Is Not Enough has been posted. From the article: [I]t's important to understand how a network intrusion detection system (IDS) like Snort and techniques based upon its use fit into a holistic detection and response operation. Placing Snort within an entire security program is too broad a topic to cover in this Snort Report. Rather, let's consider when a tool like Snort is independently helpful and when you should support Snort with complementary tools and techniques.