TaoSecurity Blog

I noticed Craig Balding's post Podcast: Cloud Computing, Software Development, Testing and Security , so I just listened to all three segments. Readers of this blog may choose to concentrate on the third segment, Cloud computing's effect on application security . Craig is a thought leader on cloud security so I enjoy hearing his ideas. Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Although there is not a version of Splunk compiled natively for FreeBSD 7.0, I was told to try using Splunk 3.4.1 on FreeBSD 7.0 via FreeBSD's compat6x libraries. I did the following: freebsd70:/usr/local/src# pkg_add -v splunk-3.4.1-45588-freebsd-6.1-intel.tgz Requested space: 106458852 bytes, free space: 1565927424 bytes in /var/tmp/instmp.HhNhQk Running pre-install for splunk-3.4.1-45588-freebsd-6.1-intel.. extract: Package name is splunk-3.4.1-45588-freebsd-6.1-intel extract: CWD to /opt extract: /opt/splunk/README.txt extract: /opt/splunk/bin/btool extract: /opt/splunk/bin/bunzip2 ...edited... extract: /opt/splunk/splunk-3.4.1-45588-FreeBSD-i386-manifest extract: CWD to . Running post-install for splunk-3.4.1-45588-freebsd-6.1-intel.. ---------------------------------------------------------------------- Splunk has been installed in: /opt/splunk To start Splunk, run the command: /opt/splunk/bin/splunk start To use the Splunk Web interface, point your browser

In March I posted Ten Themes From Recent Conferences , which included the following: Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree , unless massive and cost-prohibitive resources are directed at the problem. We can not stop intruders, only raise their costs . Enterprises stay dirty because we can not stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.‏ (emphasis added) Since then I've grappled with this idea of how to define the win . If you used to define the win as detecting and ejecting all intruders from your enterprise, y

I think this is fascinating: a map depicting naval piracy . One of the most interesting aspects of this map is that it concerns commercial entities (i.e. ships carrying cargo) and anyone can quickly learn the fate of each vessel. It's a giant incident map for 2008. Previous years (2007, 2006) are also available. The closest equivalent for digital security is probably the narrative of the Breach Blog and similar sites. Only when we can openly talk about this problem and share lessons learned can we improve. We still need a National Digital Security Board . Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Last month I reviewed Marty Raffy's great book Applied Security Visualization . Recently I've been considering ways to describe systems in my environment using visual means instead of text. I decided to try sharing the following visualization, which I call a Digital Asset Scorecard. I've created a zipped .ppt explaining this idea, but I'll share it here as well. The Digital Asset Scorecard for a single system is shown below. As you will see shortly, each cell of the box is color-coded depending on its state. Here I use blue and tan to separate categories of elements. The blue section began as a 4 x 4 table. I merged certain cells as a way to show that some elements (like Assurance) is more important than others (like Base, aka Baselined). These are completely subjective; you could change them, remove them, add them, and so on. On a single slide I can show 16 systems. The choice of a 4 x 4 arrangement is deliberate; it's a /28. This will make sense later. I

My post Managing Security in Economic Downturns mentioned wrapping everything in metrics to justify your security operation. I decided to peruse the past proceedings of the Workshop on the Economics of Information Security for ideas. I was mostly interested in works explaining how to show value derived from security operations. (Remember value is mainly or exclusively cost avoidance.) I am really interested in knowing how much it costs to maintain and defend an information infrastructure vs what it costs to exploit it. I found the following to be previous work in related areas. Optimally Securing Enterprise Information Systems and Assets by Vineet Kumar, Rahul Telang, Tridas Mukhopadhyay, Carnegie Mellon University Assessing the Value of Investments in Network Security Operations: A Systems Analytics Approach by Jonathan Griffin, Brian Monahan, David Pym, Mike Wonham, and Mike Yearworth, HP Laboratories Understanding and Influencing Attackers' Decisions: Implications for S

Yesterday Businessweek posted a fascinating and lengthy report titled Network Security Breaches Plague NASA . This part will sound familiar to many readers. By early 1999 the volume of intrusions had grown so worrisome that Thomas J. Talleur, the most senior investigator specializing in cyber-security in the Inspector General's office at NASA, wrote a detailed "network intrusion threat advisory..." Talleur, now 59, retired in December 1999, frustrated that his warnings weren't taken more seriously. Five months after his advisory was circulated internally, the Government Accountability Office, the investigative arm of Congress, released a public report reiterating in general terms Talleur's concerns about NASA security. But little changed, he says in an interview. "There were so many intrusions and hackers taking things we had on servers, I felt like the Dutch boy with his finger in the dike," he explains, sitting on the porch of his home near Savannah,

Digital security practitioners should fight today's battles while preparing for the future. I don't know what that future looks like, and neither does anyone else. However, I'd like to capture a few thoughts here. This is a mix of what I think will happen, plus what I would like to see happen. If I'm lucky (or good) the future will reflect these factors, for which I am planning. A few caveats: I don't have an absolute time factor for these, and I'm not considering these my "predictions for 2009." This is not an endorsement of the Jericho Forum . I think it makes sense to plan for the environment I will describe next because it will be financially attractive, but not necessarily universally security-enhancing (or even smart). Virtual Private Network (VPN) connections will disappear. For many readers this is nothing groundbreaking, but bring up the possibility with a networking team and they stare in bewilderment. Is there any reason why a remo

You don't need to read this blog for news on the global economic depression. However, several people have asked me what it means for security teams, especially when Schneier Agrees: Security ROI is "Mostly Bunk" . No one can generate cash by running a security team; the best we can do is save money. If your security team generates cash, you're either a MSSP, a collection agency of some sort (these do exist, believe it or not!), in need of being spun-off, or not accounting for all of your true costs. Putting the ROI debate aside, these are tough economic times. Assuming we can all stay employed, we might be able to work the situation to our advantage. Nothing motivates management like a financial argument. See if one or more of the following might work to your advantage, because of the downturn. Promote centralization and consolidation. The more large organizations I've joined, consulted for, or met, the more I see that successful ones have centralized, cons

If your company sells software, you probably need to have a Product Security Incident Response Team (PSIRT). The PSIRT should act as the single point of contact for any user of your product to report and coordinate security problems with your software product. Examples of PSIRTs include: Cisco Product Security Incident Response Team Microsoft Security Response Center Intel Product Security Center I think you can tell how serious a company takes security by the way they promote their PSIRT, obscure its existence, or not even operate one. Try comparing Oracle to Cisco, for example. If you're looking to start a PSIRT, Chad Dougherty's Recommendations to vendors for communicating product security information post on the CERT blog is a great start. Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

My 21st Snort Report titled Understanding Snort's Unified2 output has been posted. From the article: Welcome to the 21st edition of the Snort Report! In July 2007 I described Snort's Unified output, first released in July 2001 with Snort 1.8.0. Unified output allows Snort to write sets of data to a sensor's hard drive. Writing to the hard drive, instead of performing database inserts, allows Snort to operate faster and minimize packet loss. Unified2 output first appeared in Snort 2.8.0, released in September 2007. I came across this comparison of Unified and Unified2 format at SecurixLive.com but didn't get to include it in my article. If you're worried about the Barnyard2 implementation at SecurixLive having licensing issues, the author is addressing those as we speak; he did not intend to cause any trouble. So, I am looking forward to seeing greater adoption of Unified2 formats once solutions like those in my article are tested. Richard Bejtlich is teaching

I found the article Internet thieves make big money stealing corporate info in USA Today to be very interesting. In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand ... Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division. Who buys stolen business data? Brett Kingstone, founder of Super Vision International (now Nexxus Lighting), an Orlando-based industrial lighting manufacturer, knows the answer all too well. In 20

I read this great story by Sharon Gaudin titled Laid-off sysadmin arrested for threatening company's servers : A systems administrator was arrested in New Jersey today for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off... Viktor Savtyrev, of Old Bridge, N.J., was arrested at his home Monday morning. He faces two charges under the federal cyberextortion statute... Late in the morning of Thursday, Nov. 6, Savtyrev allegedly used a Gmail account to e-mail the company's general counsel and three other employees, saying he was "not satisfied with the terms" of his severance, according to FBI Special Agent Gerald Cotellesse in the complaint. Savtyrev allegedly threatened to cause extensive damage to the company's computer servers if it would not increase his severance pay, extend his medical coverage and provide "excellent" job references. The sysadmin also threatened to aler

I liked this interview with Marcus Ranum titled Marcus Ranum on Network Security : Q: In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond? MJR: There are two huge problems: Software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network awareness is more subtle. All through the 1990s until today, organizations were building massive networks and many of them have no idea whatsoever what's actually out there, which systems are crucial, which systems hold sensitive data, etc. The 1990s were this period of i rrational exuberance from a security standpoint - I think we are going to be paying the price for that, for a long time indeed. Not knowing what's on your network is going to continue to be the biggest problem for most security practitioners... The real best pra

Last month I posted BGPMon.net Watches BGP Announcements for Free . I said: I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80, which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for portions of that net block, and the data provided to BGPMon.net by the Réseaux IP Européens (RIPE) Routing Information Service (RIS) notices the advertisements, I will get an email. Well, that started happening last night: You Receive this email because you are subscribed to BGPmon.net. For more details about these updates please visit: http://bgpmon.net/showupdates.php ==================== Possible Prefix Hijack (Code: 11) 1 number of peer(s) detected this updates for your prefix 3.0.0.0/8: Update details: 2008-11-11 01:55 (UTC) 3.0.0.0/8 Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central) Transit AS: 27664 (CTBC Multimídia) ASpath: 27664 16735

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat Europe 2009 Training on 14-15 April 2009 at the Mövenpick City Centre in Amsterdam, Netherlands. This class, completely new for 2009, is called TCP/IP Weapons School 2.0 . This is my only scheduled class outside the United States in 2009. The short description says: This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation, and response for digital intrusions. Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 2.0 (TWS2) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS2 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversarie

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat DC 2009 Training on 16-17 February 2009 at the Hyatt Regency Crystal City in Arlington, VA. This class, completely new for 2009, is called TCP/IP Weapons School 2.0 . This is my only scheduled class on the east coast of the United States in 2009. The short description says: This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation, and response for digital intrusions. Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 2.0 (TWS2) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS2 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against ad

Yesterday I read A successor is born... Securix-NSM 1.0 . Securix-NSM is a Debian-based live CD that is the fastest way I've ever seen for a new user to try Sguil . All you have to do is download the 280 MB .iso, boot it, and follow the quick start documentation . Those steps are basically: Open a terminal. Execute 'sudo nsm start'. Double-click on the Sguil client icon. Log into Sguil. To test Sguil, I executed 'apt-get install lynx' then visited www.testmyids.com. In the screenshot you'll see the default Sguil installation generated two alerts. I was able to generate a transcript and launch Wireshark. However, SANCP session records did not appear to be inserted into the database although SANCP was running. I suggest trying Securix-NSM if you'd like to try using Sguil but have no experience setting it up.

I recently received a copy of the 2nd issue of BSD Magazine . This edition has a heavy OpenBSD focus, which is nice considering OpenBSD 4.4 was released last week. I have it on good authority that the next issue of the magazine will focus on NetBSD and be available in December. When I can say more I will post details on my blog.

This evening I was very happy to attend a live taping of CNBC's Fast Money program in Washington, DC. Several years ago my wife and I saw a live taping of CNN's old Crossfire program, but this event took place in a huge hall with over 2,000 audience members. Before the broadcast Fast Money host Dylan Ratigan addressed us and shared his thoughts on current economic conditions. He said that a lack of transparency was a fundamental problem on Wall Street and in Washington, DC. He stated he is on a crusade to obtain from those in power the information investors and citizens need to make sound decisions. This point resonated with me. Looking at the financial wreckage around us, I remembered my post Bankers: Welcome to Our World . I wondered if I might have to write a post where bankers tell digital security people "welcome to our world." In other words, what bubbles of false security have we encouraged thanks to low security spending, lack of management interest, an

To continue my "v China" series of blog posts, I note the following: Chinese hack into White House network : Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times. On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system. US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country. ”We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations,” said the official. The official said the Chinese cyber attacks had the hallmarks of the “grain of sa

This my final post discussing security event correlation (SEC) for now. (When I say SAC I do not mean the Simple Event Correlator [SEC] tool.) Previously I looked at some history regarding SEC, showing that the ways people thought about SEC really lacked rigor. Before describing my definition of SEC, I'd like to state what I think SEC is not . So, in my opinion -- you may disagree -- SEC is not : Collection (of data sources): Simply putting all of your log sources in a central location is not correlation. Normalization (of data sources): Converting your log sources into a common format, while perhaps necessary for correlation (according to some), is not correlation. Prioritization (of events): Deciding what events you most care about is not correlation. Suppression (via thresholding): Deciding not to see certain events is not correlation. Accumulation (via simple incrementing counters: Some people consider a report that one has 100 messages of the same type to be correlation.

Many readers have been asking me to comment on Marcus Ranum 's keynote titled Cyberwar is Bullshit at Hack In The Box Security Conference 2008 - Malaysia . (What a great conference; I think we are seeing the Asia-Pacific area really grow its digital security community. You can access the conference materials here . I'd like to point out my friend CS Lee spoke about NSM at the event.) The article Don’t waste funds preparing for cyberwars summarized Marcus' talk as follows: The billions of dollars spent on researching cyberwarfare can be put to better use because cyberwar is never going to be as effective as conventional war, said an IT ­security expert. Marcus Ranum, chief security officer of Tenable Network Security said cyberattacks aren’t a good force multiplier in an actual war. Many people, he said, talk about cyberspace as if it can be a new form of battlefield but this is not possible because you can’t occupy and hold cyberspace as you would a piece of enemy te

Given my recent posts like Whither Air Force Cyber? I felt the need to comment on Noah Shachtman's story Air Force Aims to 'Rewrite Laws of Cyberspace' : The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the "laws of cyberspace." Four years ago I wrote Thoughts on the United States Air Force Computing Plans : I was asked my thoughts on the US Air Force's new computing deal with Microsoft. In short, Microsoft will provide core server software, maintenance and upgrade support, and Dell will supply more than 525,000 Microsoft desktop Windows and Office software licenses to the Air Force... So instead of taking a serious look at the root cause of its patching and exploitation costs (both financial and in mission impact), the Air

I've previously posted Taking the Fight to the Enemy and Taking the Fight to the Enemy, Revisited . I agreed with sentiments like the following, quoted in my posts: The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, said Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee. “History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...” I found this idea echoed in the book Enemies: How America's Foes Steal Our Vital Secrets--and How We Let It Happen by Bill Gertz which I mentioned in Counterintellig

My 20th Snort Report titled Using Snort 2.8.3 to inspect HTTP traffic has been posted. From the article: Solution provider takeaway: Solution providers will learn new features in Snort 2.8.3 to improve the granularity of inspecting HTTP traffic. Welcome to the 20th edition of the Snort Report! In July, we described new features in Snort 2.8.2 and how to identify them when compared to Snort 2.8.0 and intervening releases. Since then, Snort 2.8.2.1, 2.8.2.2 and 2.8.3 have arrived. In this issue of the Snort Report, we'll use the previously explained techniques to learn what's new in Snort 2.8.3, and then try those techniques ourselves.

Amazon.com just posted my five star review of Malware Forensics . From the review : Malware Forensics is an awesome book. Last year Syngress published Harlan Carvey's 5-star Windows Forensic Analysis, and now we get to enjoy this new title by James Aquilina, Eoghan Casey, and Cameron Malin, plus technical editing by Curtis Rose. I should disclose that I co-wrote a forensics book with Curtis Rose, and I just delivered a guest lecture in a class taught by Eoghan Casey. However, I still call books as I see them, regardless of the author. (Check out my review of Security Sage's Guide to Hardening the Network Infrastructure for proof.) I can confidently say that anyone interested in learning how to analyze malware, or perform incident response, will benefit from reading Malware Forensics.