
Showing posts from 2009

Best Book Bejtlich Read in 2009

It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2009! Although I've been reading and reviewing digital security books seriously since 2000, this is only the fourth time I've formally announced a winner; see 2008, 2007, and 2006. 2009 was a slow year, due to a general lack of long-haul air travel (where I might read a whole book on one leg) and the general bleed-over from my day work into my outside-work time. My ratings for 2009 can be summarized as follows:

5 stars: 6 books
4 stars: 5 books
3 stars: 4 books
2 stars: 0 books
1 star: 0 books

Here's my overall ranking of the five star reviews; this means all of the following are excellent books.

6. Vi(1) Tips by Jacek Artymiak; devGuide.net. Every Unix admin should know how to use vi(1), and Jacek's book provides the right balance of commands and examples.

5. Web Security Testing Cookbook: Systematic Techniques to F...

Every Software Vendor Must Read and Heed

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products. I am really pleased to report that Matt wrote a thorough, public blog post titled Matt's Guide to Vendor Response. Every software vendor must read and heed this post. "Software vendor" includes any company that sells a product that runs software, whether it is a PC, mobile device, or a hardware platform executing firmware. Hmm, that includes just about everyone these days, except the little old ladies selling fabric at the hobby store. Seriously, let's make 2010 the year of the PSIRT -- the year companies make dealing with vulnerabilities in their software an operational priority. I'm not talking about "building security in" -- that's been going on for a while. Until I can ...

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked: I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify between your class and SANS 503, Intrusion Detection In-Depth. Would you be able to provide some advice? That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers. Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform t...

Reminder: Bejtlich Teaching at Black Hat DC 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left.

Regular ends 15 Jan
Late ends 30 Jan
Onsite starts at the conference

Seats are filling -- it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide p...

Favorite Speaker Quotes from SANS Incident Detection Summit

Taking another look at my notes, I found a bunch of quotes from speakers that I thought you might like to hear. "If you think you're not using a MSSP, you already are. It's called anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel? Seth Hall said "Bro is a programming language with a -i switch to sniff traffic." Seth Hall said "You're going to lose." Matt Olney agreed and expanded on that by saying "Hopefully you're going to lose in a way you recognize." Matt Olney also said "Give your analyst a chance." ["All we are sayyy-ing..."] Matt Jonkman said "Don't be afraid of blocking." It's not 2004 anymore. Matt emphasized the utility of reputation when triggering signatures, for example firing an alert when an Amazon.com-style URL request is sent to a non-Amazon.com server. Ron Shaffer said "Bad guys are following the rules of your network to accomplish their mission....

Notes from Tony Sager Keynote at SANS

I took a few notes at the SANS Incident Detection Summit keynote by Tony Sager last week. I thought you might like to see what I recorded. All of the speakers made many interesting comments, but it was really only during the start of the second day, when Tony spoke, that I had time to write down some insights. If you're not familiar with Tony, he is chief of the Vulnerability Analysis and Operations (VAO) Group in NSA. These days, the US goes to war with its friends (i.e., allies fight with the US against a common adversary). However, the US doesn't know its friends until the day before the war, and not all of the US' friends like each other. These realities complicate information assurance. Commanders have been trained to accept a certain level of error in physical space. They do not expect to know the exact number of bullets on hand before a battle, for example. However, they often expect to know exactly how many computers they have at hand, as well as their state...

Keeping FreeBSD Up-to-Date in BSD Magazine

Keep your eyes open for the latest printed BSD Magazine, with my article Keeping FreeBSD Up-To-Date: OS Essentials. This article is something like 18 pages long, because at the last minute the publishers had several authors withdraw articles. The publishers decided to print the extended version of my article, so it's far longer than I expected! We're currently editing the companion piece on keeping FreeBSD applications up-to-date. I expect to also submit an article on running Sguil on FreeBSD 8.0 when I get a chance to test the latest version in my lab.

Thanks for a Great Incident Detection Summit

We had a great SANS WhatWorks in Incident Detection Summit 2009 this week! About 100 people attended. I'd like to thank those who joined the event as attendees; those who participated as keynotes (great work Ron Gula and Tony Sager), guest moderators (Rocky DeStefano, Mike Cloppert, and Stephen Windsor), speakers, and panelists; Debbie Grewe and Carol Calhoun from SANS for their excellent logistics and planning, along with our facilitators, sound crew, and staff; our sponsors, Allen Corp., McAfee, NetWitness, and Splunk; and also Alan Paller for creating the two-day "WhatWorks" format. I appreciate the feedback from everyone who spoke to me. It sounds like the mix of speakers and panels was a hit. I borrowed this format from Rob Lee and his Incident Response and Computer Forensics summits, so I am glad people liked it. I think the sweet spot for the number of panelists might be 4 or 5, depending on the topic. If it's more theoretical, with a greater chance of ...

Troubleshooting FreeBSD Wireless Problem

My main personal workstation is a Thinkpad x60s. As I wrote in Triple-Boot Thinkpad x60s, I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely use the FreeBSD side. I haven't run FreeBSD on the desktop for several years, but I like to keep FreeBSD on the laptop in case I encounter a situation on the road where I know how to solve a problem with FreeBSD but not Windows or Linux. (Yes I know about [insert favorite VM product here]. I use them. Sometimes there is no substitute for a bare-metal OS.) When I first installed FreeBSD on the x60s (named "neely" here), the wireless NIC, an Intel(R) PRO/Wireless 3945ABG, was not supported on FreeBSD 6.2. So, I used a wireless bridge. That's how the situation stayed until I recently read M.C. Widerkrantz's FreeBSD 7.2 on the Lenovo Thinkpad X60s. It looked easy enough to get the wireless NIC running now that it was supported by the wpi driver. I had used freebsd-update to upgrade the 6.2 to ...

Let a Hundred Flowers Blossom

I know many of us work in large, diverse organizations. The larger or more complex the organization, the more difficult it is to enforce uniform security countermeasures. The larger the population to be "secure," the more likely exceptions will bloom. Any standard tends to devolve to the least common denominator. There are some exceptions, such as FDCC, but I do not know how widespread that standard configuration is inside the government. Beyond the difficulty of applying a uniform, worthwhile standard, we run into the diversity vs monoculture argument from 2005. I tend to side with the diversity point of view, because diversity tends to increase the cost borne by an intruder. In other words, it's cheaper to develop exploitation methods for a target who 1) has broadly similar, if not identical, systems and 2) publishes that standard so the intruder can test attacks prior to "game day." At the end of the day, the focus on uniform standards is a manifest...

Real Security Is Threat-Centric

Apparently there's been a wave of house burglaries in a nearby town during the last month. As you might expect, local residents responded by replacing windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever else "security vendors" recommended. Town policymakers created new laws to mandate locking doors, enabling alarm systems, and creating scorecards for compliance. Home builders decided they needed to adopt "secure building" practices so all these retrofitted measures were "built in" future homes. Oh wait, this is the real world! All those vulnerability-centric measures I just described are what too many "security professionals" would recommend. Instead, police identified the criminals and arrested them. From Teen burglary ring in Manassas identified: Two suspects questioned Friday gave information about the others, police said. Now this crew is facing prosecution. That's...

Celebrate FreeBSD 8.0 Release with Donation

With the announcement of FreeBSD 8.0, it seems like a good time to donate to the FreeBSD Foundation, a US 501(c)3 charity. The Foundation funds and manages projects, sponsors FreeBSD events, Developer Summits and provides travel grants to FreeBSD developers. It also provides and helps maintain computers and equipment that support FreeBSD development and improvements. I just donated $100. Will anyone match me? Thank you!

Historical Video on AFCERT circa 2000

I just uploaded a video that some readers might find entertaining. This video shows the United States Air Force Computer Emergency Response Team (AFCERT) in 2000. Kelly AFB, Security Hill, and Air Intelligence Agency appear. The colonel who leads the camera crew into room 215 is James Massaro, then commander of the Air Force Information Warfare Center. The old Web-based interface to the Automated Security Incident Measurement (ASIM) sensor is shown, along with a demo of the "TCP reset" capability to terminate TCP-based sessions. We have a classic quote about a "digital Pearl Harbor" from Winn Schwartau, "the nation's top information security analyst." Hilarious, although Winn nails the attribution and national leadership problems; note also the references to terrorists in this pre-9/11 video. "Stop the technology madness!" Incidentally, if the programs shown were "highly classified," they wouldn't be in this video! I was trave...

Tort Law on Negligence

If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service, some comments claim "negligence" as a reason why intruders aren't really to blame. I thought I would share this case from Tort Law, page 63: In Stansbie v Troman [1948] 2 All ER 48 the claimant, a householder, employed the defendant, a painter. The claimant had to be absent from his house for a while and he left the defendant working there alone. Later, the defendant went out for two hours leaving the front door unlocked. He had been warned by the claimant to lock the door whenever he left the house. While the house was empty someone entered it by the unlocked front door and stole some of the claimant's possessions. The defendant was held liable for the claimant's loss for, although the criminal action of a third party was involved, the possibility of theft from an unlocked house was one which should have occurred to the defendant. So, the ...

Review of Martin Libicki's Cyberdeterrence and Cyberwar

Amazon.com just posted my three star review of Martin Libicki's Cyberdeterrence and Cyberwar. I've reproduced the review in its entirety here because I believe it is important to spread the word to any policy maker who might read this blog or be directed here. I've emphasized a few points for readability. As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy. Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowl...

Shodan: Another Step Towards Intrusion as a Service

If you haven't seen Shodan yet, you're probably not using Twitter as a means to stay current on security issues. Shoot, I don't even follow anyone and I heard about it. Basically a programmer named John Matherly scanned a huge swath of the Internet for certain TCP ports (80, 21, 23 at least) and published the results in a database with a nice Web front-end. This means you can put your mind in Google hacking mode, find vulnerable platforms, maybe add in some default passwords (or not), and take over someone's system. We're several steps along the Intrusion as a Service (IaaS) path already! Incidentally, this idea is not new. I know at least one company that sold a service like this in 2004. The difference is that Shodan is free and open to the public. Shodan is a dream for those wanting to spend Thanksgiving looking for vulnerable boxes, and a nightmare for their owners. I would not be surprised if shodan.surtri.com disappears in the next few days after r...

I'm Surprised That Your Kung Fu Is So Expert

This story is so awesome. Hacks of Chinese Temple Were Online Kung Fu, Abbot Says A hacker who posted a fake message on the Web site of China's famous Shaolin Temple repenting for its commercial activities was just making a mean joke, the temple's abbot was cited as saying by Chinese state media Monday. That and previous attacks on the Web site were spoofs making fun of the temple, Buddhism and the abbot himself, Shi Yongxin was cited as telling the People's Daily. "We all know Shaolin Temple has kung fu," Shi was quoted as saying. "Now there is kung fu on the Internet too, we were hacked three times in a row." Why am I not surprised that a Shaolin monk has a better grasp of the fundamentals of computer security than some people in IT? Bonus: Props to anyone who recognizes the title of this post.

Control "Monitoring" is Not Threat Monitoring

As I write this post I'm reminded of General Hayden's advice: "Cyber" is difficult to understand, so be charitable with those who don't understand it, as well as those who claim "expertise." It's important to remember that plenty of people are trying to act in a positive manner to defend important assets, so in that spirit I offer the following commentary. Thanks to John Bambanek's SANS post I read NIST Drafts Cybersecurity Guidance by InformationWeek's J. Nicholas Hoover. The article discusses the latest draft of SP 800-37 Rev. 1: DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. I suspected this to be problematic given NIST's historical bias towards "controls," which I've criticized in Controls Are Not the Solution to Our Problem and Consensus Audit Guidelines Are Still Controls. The subtext for the article was: The National Institute for Standar...

Audio of Bejtlich Presentation on Network Security Monitoring

One of the presentations I delivered at the Information Security Summit last month discussed Network Security Monitoring. The Security Justice guys recorded audio of the presentation and posted it here as Network Security Monitoring and Incident Response. The audio file is InfoSec2009_RichardBejtlich.mp3.

Traffic Talk 8 Posted

I just noticed that my 8th edition of Traffic Talk, titled How to use user-agent strings as a network monitoring tool, was posted this week. It's a simple concept that plenty of NSM practitioners implement, and I highly recommend it.

Extending Security Event Correlation

Last year at this time I wrote a series of posts on security event correlation. I offered the following definition in the final post: Security event correlation is the process of applying criteria to data inputs, generally of a conditional ("if-then") nature, in order to generate actionable data outputs. Since then what I have found is that products and people still claim this as a goal, but for the most part achieving it remains elusive. Please also see that last post for what SEC is not, i.e., SEC is not simply collection (of data sources), normalization (of data sources), prioritization (of events), suppression (via thresholding), accumulation (via simple incrementing counters), centralization (of policies), summarization (via reports), administration (of software), or delegation (of tasks). So is SEC anything else? Based on some operational uses I have seen, I think I can safely introduce an extension to "true" SEC: applying information from one or more data...

Embedded Hardware and Software Pen Tester Positions in GE Smart Grid

I was asked to help locate two candidates for positions in the GE Smart Grid initiative. We're looking for an Embedded Hardware Penetration Tester (1080237) and an Embedded Firmware Penetration Tester (1080236). If interested, search for the indicated job numbers at ge.com/careers or go to the job site to get to the search function a little faster. I don't have any other information on these jobs, so please work through the job site. Thank you.

Update Mon 16 Nov: As noted by Charlene in the comments below, the jobs are no longer posted. If I hear they are back I will post an update here.

Update Wed 18 Nov: I was just told the jobs are either open or will be soon. Thank you.

Reaction to 60 Minutes Story

I found the new 60 Minutes update on information warfare to be interesting. I fear that the debate over whether or not "hackers" disabled Brazil's electrical grid will overshadow the real issue presented in the story: advanced persistent threats are here, have been here, and will continue to be here. Some critics claim APT must be a bogey man invented by agencies arguing over how to gain greater control over the citizenry. Let's accept agencies are arguing over turf. That doesn't mean the threat is not real. If you refuse to accept the threat exists, you're simply ignorant of the facts. That might not be your fault, given policymakers' relative unwillingness to speak out. If you want to get more facts on this issue, I recommend the Northrop Grumman report I mentioned last month.

Notes from Talk by Michael Hayden

I had the distinct privilege to attend a keynote by retired Air Force General Michael Hayden, most recently CIA director and previously NSA director. NetWitness brought Gen Hayden to its user conference this week, so I was really pleased to attend that event. I worked for Gen Hayden when he was commander of Air Intelligence Agency in the 1990s; I served in the information warfare planning division at that time. Gen Hayden offered the audience four main points in his talk. "Cyber" is difficult to understand, so be charitable with those who don't understand it, as well as those who claim "expertise." Cyber is a domain like other warfighting domains (land, sea, air, space), but it also possesses unique characteristics. Cyber is man-made, and operators can alter its geography -- even potentially to destroy it. Also, cyber conflicts are more likely to affect other domains, whereas it is theoretically possible to fight an "all-air" battle, or an ...

Bejtlich on Security Justice Podcast

After I spoke at the Information Security Summit in Ohio last month, the guys at the Security Justice podcast interviewed me and Tyler Hudak. You can listen to the archive here. It was fairly loud in the room but you'd never know it listening to the audio. Great work guys. We discuss open source software, vulnerability research and disclosure, product security incident response teams (PSIRTs), input vs output metrics, insourcing vs outsourcing, and building an incident response team.

DojoCon Videos Online

Props to Marcus Carey for live streaming talks from DojoCon. I appeared in my keynote, plus panels on incident response and cloud security. I thought the conference was excellent and many people posted their thoughts to #dojocon on Twitter.

Tentative Speaker List for SANS Incident Detection Summit

Thanks to everyone who attended the Bejtlich and Bradley Webcast for SANS yesterday. We recorded that Webcast (audio is now available) to start a discussion concerning professional incident detection. I'm pleased to publish the following tentative speaker list for the SANS WhatWorks in Incident Detection Summit 2009 on 9-10 Dec in Washington, DC. We'll publish all of this information, plus the biographies for the speakers, on the agenda site, but I wanted to share what I have with you.

Day One (9 Dec)

Keynote: Ron Gula
Briefing: Network Security Monitoring dev+user: Bamm Visscher, David Bianco
Panel: CIRTs and MSSPs, moderated by Rocky DeStefano: Michael Cloppert, Nate Richmond, Jerry Dixon, Tyler Hudak, Matt Richard, Jon Ramsey
Cyberspeak Podcast live during lunch with Bret Padres and Ovie Carroll
Briefing: Bro introduction: Seth Hall
Panel: Enterprise network detection tools and tactics, potentially with a guest moderator: Ron Shaffer, Matt Olney, Nate Richmond, Matt J...

Bejtlich and Bradley on SANS Webcast Monday 2 Nov

Ken Bradley and I will conduct a Webcast for SANS on Monday 2 Nov at 1 pm EST. Check out the sign-up page. I've reproduced the introduction here.

Every day, intruders find ways to compromise enterprise assets around the world. To counter these attackers, professional incident detectors apply a variety of host, network, and other mechanisms to identify intrusions and respond as quickly and efficiently as possible. In this Webcast, Richard Bejtlich, Director of Incident Response for General Electric, and Ken Bradley, Information Security Incident Handler for the General Electric Computer Incident Response Team, will discuss professional incident detection. Richard will interview Ken to explore his thoughts on topics like the following:

How does one become a professional incident detector?
What are the differences between working as a consultant or as a member of a company CIRT?
How have the incident detection and response processes changed over the last decade?
What challenges make...

Partnerships and Procurement Are Not the Answer

The latest Federal Computer Week magazine features an article titled Cyber warfare: Sound the alarm or move ahead in stride? I'd like to highlight a few excerpts. Military leaders and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry ... Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats... Ok, that sounds nice. Everyone wants to foster collaboration and communication. Join hands and sing! “Government may be a late adopter, but we should be exploiting its procurement power,” said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month... Hmm, "procurement power....

Initial Thoughts on Cloud A6

I'm a little late to this issue, but let me start by saying I read Craig Balding's RSA Europe 2009 Presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief: In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses, where Chris wrote Cloud providers I have spoken to are being absolutely hammered by customers acting on their “right to audit” clauses in contracts. In June, Craig posted Stop the Madness! Cloud Onboarding Audits - An Open Question... where he wondered Is there an existing system/application/protocol whereby I can transmit my policy requirements to a provider, they can respond in real-time with compliance level and any additional costs, with less structured/known requirements responded to by a human (but transmitted the same way)? Later in June, Craig posted in Vulnerability Scanning ...

Wednesday is Last Day for Discounted SANS Registration

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate. I wrote the following to provide more information on the Summit and explain its purpose. All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data? To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWorks ...