TaoSecurity Blog

Jofny's comment on my post Unify Against Threats asked the following: So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats? If there are people like that, they really need to be fired. This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites : Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' se

At my keynote at the 2008 SANS Forensics and IR Summit I emphasized the need for a change in thinking among security practitioners. To often security and IT groups have trouble relating to other stakeholders in an organization because we focus on vulnerabilities. Vulnerabilities are inherently technical, and they mean nothing to others who might also care about security risks, like human resources, physical security, audit staff, legal staff, management, business intelligence, and others. I used the following slide to make my point: My point is that security people should stop framing our problems in terms of vulnerabilities or exploits when speaking with anyone outside our sphere of influence. Rather, we should talk in terms of threats . This focuses on the who and not the what or how . This requires a different mindset and a different data set. The business should create a strategy for dealing with threats, not with vulnerabilities or exploits. Notice I said "busines

One feature which most Unix systems possess, and that most Windows systems lack, is a native means to manage non-base applications. If I install packages through apt-get or a similar mechanism on Ubuntu, the package manager notifies me when an update is needed and it's easy for me to install them. Windows does not natively offer this function, so third party solutions must be installed. I had heard about Secunia's vulnerability scanning offerings , but I had never tried them. I decided to try the online version (free for anyone) and then the personal version on a home laptop I hadn't booted recently. You can see the results for the online scanner below. All that was needed was a JRE install to get these results. The online scanner noticed I was running an older version of Firefox, and I needed to apply recent Microsoft patches. The fact that it checked Adobe Flash and Acrobat Reader was important, since those are popular exploit vectors. Next I tried the personal ver

Amazon.com just posted my five star review of OSSEC HIDS Guide . From the review : I'm surprised no one has offered serious commentary on the only book dedicated to OSSEC, an incredible open source host-based intrusion detection system. I first tried OSSEC in early 2007 and wrote in my blog : "OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity." Stephen Northcutt of SANS quotes this post in his foreword to the book on p xxv. Once you start using OSSEC, especially with the WebUI, you'll become a log addict. OSSEC HIDS Guide (OHG) is your ticket to taking OSSEC to the next level, even though a basic installation will make you stronger and smarter. I'm not kidding about the log addict part. I find myself obsessively hitting the refresh button on my browser when viewing the OSSEC WebUI, even though it refreshes itself. Sad.

I just happened to notice a change to my Amazon.com reviews page . If you look at the image on the left, you'll see two numbers: "New Reviewer Rank: 481" and "Classic Reviewer Rank: 434". I found the following explanation: You may have noticed that we've recently changed the way top reviewers are ranked. As we've grown our selection at Amazon over the years, more and more customers have come to share their experiences with a wide variety of products. We want our top reviewer rankings to reflect the best of our growing body of customer reviewers, so we've changed the way our rankings work. Here's what's different: Review helpfulness plays a larger part in determining rank. Writing thousands of reviews that customers don't find helpful won't move a reviewer up in the standings. The more recently a review is written, the greater its impact on rank. This way, as new customers share their experiences with Amazon's ever-widening selec

I'm back with another look at security event correlation . This time it's a June 2008 review of SIEM technology by Greg Shipley titled SIEM tools come up short . The majority of the article talk about non-correlation issues, but I found this section relevant to my ongoing analysis: "Correlation" has long been the buzzword used around event reduction, and all of the products we tested contained a correlation engine of some sort. The engines vary in complexity, but they all allow for basic comparisons: if the engine sees A and also sees B or C, then it will go do X. Otherwise, file the event away in storage and move onto the next. We'd love to see someone attack the event reduction challenge with something creative like Bayesian filtering, but for now correlation-based event reduction appears to be the de facto standard... Ok, that sounds like "correlation" to me. Let's see an example. For example, one of the use cases we tackled was the monitoring

In my last post Security Event Correlation: Looking Back, Part 1 I discussed a story from November 2000 about security event correlation. I'd like to now look at Intrusion Detection FAQ: What is the Role of Security Event Correlation in Intrusion Detection? by Steven Drew, hosted by SANS. A look at the Internet Archive shows this article present as of August 2003, so we'll use that to date it. [A]s pointed out by Steven Northcutt of SANS, deploying and analyzing a single device in an effort to maintain situational awareness with respect to the state of security within an organization is the "computerized version of tunnel vision" . Security events must be analyzed from as many sources as possible in order to assess threat and formulate appropriate response... This paper will demonstrate to intrusion analysts why correlative analysis must occur in order to understand the complete scope of a security incident. Ok, let's go. I'll summarize the article rathe

I've been thinking about the term "correlation" recently. I decided to take a look back to determine just what this term was supposed to mean when it first appeared on the security scene. I found Thinking about Security Monitoring and Event Correlation by Billy Smith of LURHQ, written in November 2000. He wrote: Security device logging can be extensive and difficult to interpret... Along with lack of time and vendor independent tools, false positives are another reason why enterprise security monitoring in not easy... The next advance in enterprise security monitoring will be to capture the knowledge and analytical capabilities of human security experts for the development of an intelligent system that performs event correlation from the logs and alerts of multiple security technologies. Ok, so far so good. For example Company A has a screening router outside of their firewall that protects their corporate network and a security event monitoring system with reliable ar

One of my favorite all-time security books is Security Engineering by Prof Ross Anderson, which I read and reviewed in 2002. Earlier this year Wiley published Security Engineering, 2nd Ed . The first edition was a 612 page soft cover; the second edition is a massive 1040 page hard cover. To learn more about the new edition, I recommend visiting Ross' book page . This title should be included in every academic security program. Cambridge University uses each of the three parts of the tome in three separate computer security classes, as noted on the book page. If you're in a formal security program and you've never heard of this book, ask your professors why it's not included. If your professors have never heard of this book, ask yourself why you are studying in that program. Three years ago I posted What the CISSP Should Be , offering NIST SP 800-27, Rev. A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security) as the ba

Practical UNIX and Internet Security, 2nd Ed (pub Apr 96) by Simson Garfinkel and Gene Spafford was the first computer security book I ever read. I bought it in late 1997 after hearing about it in a "UNIX and Solaris Fundamentals" class I took while on temporary assignment to JAC Molesworth . Although I never formally listed it in my Amazon.com reviews , I did list it first in my Favorite 10 Books of the Last 10 years in 2007. Since reading that book, I've read and reviewed over 270 technical books, mostly security but some networking and programming titles. In 2008 I've only read 15 so far, but I'm getting serious again with plans to read 16 more by the end of the year. (We'll see how well I do. I only read 25 last year, but my yearly low was 17 in 2000. My yearly high was 52 in 2006, when I flew all over the world for TaoSecurity LLC and read on each flight.) Security books are on my mind because I had a conversation with a book publisher this week.

Amazon.com just posted my five star review of Applied Security Visualization by Raffy Marty . From the review : Last year I rated Greg Conti's Security Data Visualization as a five star book. I said that five star books 1) change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference; 2) have few or no technical errors; 3) make the material actionable; 4) include current research and reference outside sources; and 5) are enjoyable reads. Raffy Marty's Applied Security Visualization (ASV) scores well using these measures, and I recommend reading it.

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist. Deploy Splunk in forwarding mode on the Windows system. Deploy a Syslog agent on the Windows system. Deploy OSSEC on the Windows system and sending OSSEC output to Splunk. Deploy Windows Log Parser to send events via Syslog on a periodic basis . Retrieve Windows Event Logs periodically using WMIC . Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD . I'd done number 2 before using NTSyslog , so I decided to see what might be newer as far as deploying Syslog agents on Windows goes. I installed DataGram SyslogAgent , a free Syslog agent onto a Windows XP VM. It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following. I noticed some odd characters inserted in the log messages, but nothing too extraordinary. Next I tried the other modern free Syslog agent for Windows, SNARE . Developmen

Thanks to Thorsten Holz for pointing out that the latest online CWSandbox provides network traffic in Libpcap format for recently submitted malware samples. I decided to give this feature a try, so I searched the Spam folder for one of my Gmail accounts. I found a suitable "Watch yourserlf in this video man)" email from 10 hours ago and followed the link. I was quickly reminded by Firefox 3 that visiting this site was a Bad Idea. It took me a little while to navigate past my NoScript and Firefox 3 warnings to get to a point where I could actually hurt myself. After downloading the "viewer.exe" file, I uploaded it to CWSandbox. That site told me: The sample you have submitted has already been analysed. Please see the sample detail page for further information. If you visit that page you'll find a PCAP link. I took a quick look at the file with Argus and filtered out port 1900 traffic. $ argus -r analysis_612050.pcap -w analysis_612050.pcap.arg $ ra -n -r

Often when I teach classes where students attain shell access to a Windows target, students ask "now what?" I found the blog post Command-Line Kung Fu by SynJunkie to be a great overview of common tasks using tools available within cmd.exe. It's nothing new, but I thought the author did a good job outlining the options and showing what they look like in his lab.

The October issue of Information Security Magazine brought CMU's Perspectives Firefox plug-in to my attention. By now most of us are annoyed when we visit a Web site like OpenRCE.org that presents a self-signed SSL certification. Assuming we trust the site, we manually add an exception and waste a few seconds of our lives. I probably wouldn't follow this process for my online bank, but for a site like OpenRCE.org it seems like overkill. Leveraging history appears to be one answer to this problem. That's what Perspectives does. As stated in this CMU article : Perspectives employs a set of friendly sites, or "notaries," that can aid in authenticating websites for financial services, online retailers and other transactions requiring secure communications. By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries rep

Last week I attended at spoke at the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. The last SANS event I attended was the 2006 SANS Log Management Summit . I found this IR and forensics event much more valuable, and I'll share a few key points from several of the talks. Steve Shirley from the DoD Cyber Crime Center (DC3) said "Security dollars are not fun dollars." In other words, what CIO/CTO wants to spend money on security when he/she could buy iPhones? Rob Lee noted than an Incident Response Team (IRT) needs the independence to take actions during an emergency. I've called this authority the ability to declare a "Network State of Emergency" (NSOE). When certain preconditions are met, the IRT can ask a business owner to declare a NSOE, just like a state governor can declare a state of emergency during a forest fire or other natural disaster. The IRT can then exercise predefined powers (like host

Mike Fratto's article New Protocols Secure Layer 2 caught my attention: [T]wo protocols -- IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV -- will help secure Layer 2 traffic on the wire... 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE. 802.1AE protects data in transit on a hop-by-hop basis... ensuring that the frames are not altered between Layer 2 devices such as switches, routers, and hosts. I think the diagram explains 802.1AE well, and Mike notes the problems with this approach: The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards... [A]ny products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic. That's

Thanks to Jeremy Stretch's blog for pointing me to BGPMon.net , a free route monitoring service. This looks like a bare bones, free alternative to Renesys , my favorite commercial vendor in this space. I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80 , which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for portions of that net block, and the data provided to BGPMon.net by the Réseaux IP Européens (RIPE) Routing Information Service (RIS) notices the advertisements, I will get an email. I noticed that RIPE RIS provides dashboards for the 3.0.0.0/8 prefix or AS 80 with interesting data.

I checked in with the #emerging-threats IRC channel a few minutes ago and saw a link to www.openinfosecfoundation.org : October 16, 2008 (LAFAYETTE, Ind.) – The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization. According to Matt Jonkman, this project will not be a fork of existing code. The idea is to take a new approach, not just replicate something like Snort. While I am excited by this development, I don't think it's the project I would have wanted to fund right now. Open source users alre

My second edition of Traffic Talk , titled Using Wireshark and Tshark display filters for troubleshooting , has been posted. From the article: Welcome to the second installment of Traffic Talk, a regular SearchNetworkingChannel.com series for network solution providers and consultants who troubleshoot business networks. In these articles we examine a variety of open source network analysis tools. In this edition we explore Wireshark and Tshark display filters. Display filters are one of the most powerful, and sometimes misunderstood, features of the amazing Wireshark open source protocol analyzer. After reading this tip you'll understand how to use display filters for security and network troubleshooting.

I was disappointed to read in Air Force senior leaders take up key decisions that Air Force Cyber Command is effectively dead: Leadership also decided to establish a Numbered Air Force for cyber operations within Air Force Space Command and discussed how the Air Force will continue to develop capabilities in this new domain and train personnel to execute this new mission. Apparently that unit will be 24th Air Force. Since the Numbered Air Force is the unit by which the service presents combat forces to Unified Combatant Commanders in wartime, it makes some sense for cyber to at least be organized in that manner. I guess the Air Force believes it needs to get its house in order before trying to establish a new command. The Air Force is also suffering the adverse effects of the way it advertised itself, essentially stealing the spotlight by not appearing "Joint" enough. I am most concerned with the effect of not having Cyber Command upon the proposed cyber career field .

Brian Robinson's FCW article Unlocking the national cybersecurity initiative caught my attention. I found these excerpts interesting, although my late 2007 article Feds Plan to Reduce, Then Monitor discussed the same issues. The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in the future. Everything from mandated security measures and standard desktop configurations across government to a recast Federal Information Security Management Act (FISMA) could influence the way agencies buy and manage their IT. Overseeing all of this will be a central office run by the Homeland Security Department, the first time that the government’s efforts in cybersecurity will run through a single office tasked with coordinating the work of separate federal cybersecurity organizations... [First was the] creation of a National Cybe

As we approach the end of the year, I'm looking to see if my Predictions for 2008 are materializing. My third prediction was: Expect increased awareness of external threats and less emphasis on insider threats. Accordingly, I was happy to see the story Targeted Attacks, DNS Issues Hit Home in New CSI Report contain the following subtitle: Insider abuse shows marked drop-off in 13th annual survey by Computer Security Institute Ho ho, what does that mean? While some threats are on the increase, CSI also found that others are on the downturn. Insider abuse dropped from 59 percent in 2007 to 44 percent in 2008, the largest shift recorded in this year's survey. "I think there was a lot of hype around this last year, and now it's coming back to reality," Richardson says. Insider abuse numbers hovered at around 42 percent to 48 percent in 2005 and 2006 and then spiked last year, he noted. (emphasis added) I noted the annual CSI study supported my position on the prev

Earlier this year I wrote First They Came for Bandwidth , where I described the motivation behind different sorts of attacks in an historical context: First they came for bandwidth... These are attacks on availability , executed via denial of service attacks starting in the mid 1990's and monetized later via extortion. Next they came for secrets... These are attacks on confidentiality , executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground. Now they are coming to make a difference... These are attacks on integrity , executed by degrading information starting at the beginning of this decade. When I wrote those words, the sorts of attacks on integrity I imagined involved changes to legitimate data. As is often the case with predictions, the reality has taken a similar but not exact direction. Attacks upon integrity are currently appearing as the introduction of outrigh