TaoSecurity Blog

I've been trying to describe to management how close various individual information assets (primarily computers -- desktops, laptops, etc.) are to the doomsday scenario of sensitive data exfiltrated by unauthorized parties . This isn't the only type of incident that worries me, but it's the one I decided to tackle first. I view this situation as a continuum, rather than a "risk" rating. I'm trying summarize the state of affairs for an individual asset rather than "model risk." In the far left column I've listed some terms that may be unfamiliar. The first three rows bear "Vuln" ratings. I list these because some of my businesses consider the discovery of a vulnerability in an asset to be an "incident" by itself. Traditional incident detectors and responders don't think this way, but I wanted to include this aspect of our problem set. For these first three rows, I consider these assets to exist without any discoverab

I was very surprised to read REMARKS BY THE PRESIDENT ON SECURING OUR NATION'S CYBER INFRASTRUCTURE , delivered yesterday. TaoSecurity Blog had received a copy of the President's prepared remarks, but about 2/3 of the way through the live version the President went off-copy. For the sake of my readers I've published the material the President omitted. ...And last year we had a glimpse of the future face of war. As Russian tanks rolled into Georgia, cyber attacks crippled Georgian government websites. The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phones using voice-over-the-Internet. [Here is where the Presidential train left the tracks.] When considering cyber security, we must recognize that our problems are multi-dimensional . The first dimension involves the information assets we are trying to protect . Cyber security requires protecting information inputs, information outputs, and informa

This is a follow-up to my post Response for Daily Dave . I realized I had a similar exchange three years ago, summarized in my post Response to Daily Dave Thread . Since I don't seem to be making much progress in this debate, I decided to render it in two slides. First, I think everyone is familiar with the Defender's Dilemma. The intruder only needs to exploit one of the victims in order to compromise the enterprise. You might argue that this isn't true for some networks, but in most places if you gain a foothold it's quickly game over elsewhere. What Dave and company don't seem to appreciate is that there is a similar problem for attackers. I call it the Intruder's Dilemma. The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise. What's interesting about this reality is that it applies to a single system or to a collection of systems. Even if the intruder only compr

Bill Blunden was kind enough to send me a copy of his new book The Rookit Arsenal . I plan to read it in a few months, due to my schedule and reading backlog. According to Bill, readers of the book will learn how to do the following: Hook kernel structures on multi-processor systems Use a kernel debugger to reverse system internals Inject call gates to create a back door into Ring-0 Use detour patches to sidestep group policy Modify privilege levels on Vista by altering kernel objects Utilize bootkit technology Defeat live incident response and post-mortem forensics Implement code armoring to protect your deliverables Establish covert channels using the WSK and NDIS 6.0 I am interested in the anti-forensics material, as you might imagine. I first learned about Bill's work when he produced this presentation on rootkits . Slide 34 caught my attention: That's pretty c

Recently on the Daily Dave mailing list, Dave Aitel posted the following: ...The other thing that keeps coming up is memory forensics. You can do a lot with it today to find trojan .sys's that hackers are using - but it has a low ceiling I think. Most rootkits "hide processes", or "hide sockets". But it's an insane thing to do in the kernel. If you're in the kernel, why do you need a process at all? For the GUI? What are we writing here, MFC trojans? There's not a ton of entropy in the kernel, but there's enough that the next generation of rootkits is going to be able to avoid memory forensics as a problem they even have to think about. The gradient here is against memory forensics tools - they have to do a ton of work to counteract every tiny thing a rootkit writer does. With exploits it's similar. Conducting memory forensics on userspace in order to find traces of CANVAS shellcode is a losing game in even the medium run. Anything thorough

I'm positive many of you are familiar with the idea that there are benefits to detecting software security defects early. [Image reference: Software Security Engineering: A Guide for Project Managers .] In other words, it is ultimately cheaper to design, code, sell, and support a more secure software product than a more insecure software product. Achieving this goal requires recognizing this advantage, investing in developers and processes that work, and dealing with exceptions (defects) as soon as possible through detection and response capabilities, even including customer-facing organizations (like PSIRTs ). I'm not aware of any studies supporting the following assertion, but I would be interested in feedback if you know any. I think it should be obvious that it's also cheaper to design, build, run, and support more secure computing assets than more insecure computing assets. In other words: It is not cheaper to run legacy platforms, operating systems, and applica

I recently received copies of the last three issues of Hakin9 magazine. There are many good articles being published these days. One of my favorites appears in the 3/2009 issue, titled Automating Malware Analysis, by Tyler Hudak. Tyler is our team's reverse engineer and he authors the The Security Shoggoth blog. Check out the magazine! Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Earlier today I listed to the Talk Forensics podcast featuring Harlan Carvey. I thought it was interesting to hear a forensics expert discuss the sorts of cases he has been working. Harlan mentioned how he witnessed intruders integrate obfuscation techniques into their SQL injection attacks. These techniques successfully achieved their goals while introducing a secondary effect: their anti-forensic nature complicated analysis. Harlan mentioned how previously one could search Web server logs for SQL DECLARE statements, but after obfuscation was introduced the analyst had to be more diligent. Harlan also mentioned that TaoSecurity Blog helped inspire him to start his Windows Incident Response blog, which is probably the best blog on the subject. Thanks Harlan! Also, I'm looking forward to Harlan's second edition of Windows Forensic Analysis . If you check the link you'll see that Syngress has introduced a new cover scheme, their first in probably 10 years. Finally,

If you want the real deal on Kylin, the best public discussion is probably taking place at the Dark Visitor Blog . As you might expect of a blog that's run by people who actually speak Chinese and follow that country's scene, the story there is more believable than the sensationalism posted elsewhere. I downloaded and tried installing KYLIN-2.1-1A.iso but didn't get far. It seems far newer versions are available if you know where to look. Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Last fall I wrote Tips for PSIRTs , pointing to a new CERT document giving advice for Product Security Incident Response Teams. Today I read Adobe shifts to Microsoft patching process, incident response plan by Robert Westervelt. The company maintains an Adobe Secure Software Engineering Team and an Adobe Product Security Incident Response Team . All of this is a sign that Adobe is getting serious about product security. It mirrors Microsoft's evolution, and I am glad to see it happening. I'd like to be able to do a search for "Oracle PSIRT" or "Apple PSIRT" and get real results. The Google Online Security Blog isn't a real PSIRT, either. Just as you should have a CIRT if you use computers, you should have a PSIRT if you sell software. Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Congratulations to Lackland AFB in San Antonio, Texas for being chosen to host the headquarters for 24th Air Force , a "cyber numbered Air Force." Lackland is home to the AF ISR Agency (previously AIA), the AF Information Operations Center (previously AFIWC), and the 33rd Network Warfare Squadron (previously the 33 IOS, and before that the AFCERT). It's been six years since I visited the place, but I think it's a great choice for the 24th. Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

In my first book The Tao of Network Security Monitoring , published in July 2004, I tried to trace the origin of the "80% myth". In the following section reprinted from pages 31-34, and newly annotated now, I document what this means for insider vs outsider threat. (This section is also posted here at Informit.com .) OUTSIDERS VERSUS INSIDERS: WHAT IS NSM’S FOCUS? This book is about network security monitoring. I use the term network to emphasize the book’s focus on traffic and incidents that occur over wires, radio waves, and other media. This book does not address intruders who steal data by copying it onto a USB memory stick or burning it to a CD-ROM. Although the focus for much of the book is on outsiders gaining unauthorized access, it pertains equally well to insiders who transfer information to remote locations. In fact, once an outsider has local access to an organization, he or she looks very much like an insider. [10] Should this book (and NSM) pay more attention

Last year I posted Verizon Business Report Speaks Volumes , providing excerpts that resonated with me. Verizon released another edition last month, with plenty of commentary on their blog and elsewhere. I wanted to record a few highlights here for my own reference but also to counter arguments I continue to see elsewhere about the so-called prevalence of insider threats. This is a polite way of trying to demolish the most deeply entrenched urban myth in security history. This shows the 2009 results. This is an historical way to look at breach source data. The following chart is the one that insider threat proponents will try to use to justify their position. It shows that, on average, a breach caused by a single insider will result in many more records being stolen than one caused by an outsider. Incidentally, this is what I have said previously as well! However, when looking at the problem in aggregate, outsiders cause more damage . If the big red dot doesn't say it all, I

I received an email with the following notice today: Amazon CloudFront Adds Access Logging Capability : AWS today released access logs for Amazon CloudFront. Access logs are activity records that show you details about every request delivered through Amazon CloudFront. They contain a comprehensive set of information about requests for your content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer and the user agent. It’s easy to get started using access logs: you just specify the name of the Amazon S3 bucket you want to use to store the logs when you configure your Amazon CloudFront distribution. There are no fees for using the access logs, beyond normal Amazon S3 charges to write, store and retrieve the logs. The Amazon Elastic MapReduce team has also built a sample application, CloudFront LogAnalyzer, that will analyze your Amazon CloudFront access logs. This tool lets you use the power of Ama

I've been blogging about various cyber command proposals for a few years, but right now there is some real movement at the combatant command level. Ellen Nakashima's article Cyber-Command May Help Protect Civilian Networks offers the latest details. The Pentagon is considering whether to create a new cyber-command that would oversee government efforts to protect the military's computer networks and would also assist in protecting the civilian government networks, the head of the National Security Agency said yesterday [Tuesday]. The new command would be headquartered at Fort Meade, the NSA's director, Lt. Gen. Keith B. Alexander, told the House Armed Services terrorism subcommittee. Alexander, who is a front-runner to assume control of the command if it is created, said its focus would be to better protect the U.S. military's computers by marrying the offensive and defensive capabilities of the military and the NSA. Through the command, the NSA would also provid

This post titled If you can't, how can we? described a problem I had not previously considered regarding identifying vulnerabilities. ("VDB" refers to Vulnerability Database.) Steve Christey w/ CVE recently posted that trying to keep up with Linux Kernel issues was getting to be a burden. Issues that may or may not be security related, even Kernel devs don’t fully know... Lately, Mozilla advisories are getting worse as they clump a dozen issues with "evidence of memory corruption" into a single advisory, that gets lumped into a single CVE. Doesn’t matter that they can be exploited separately or that some may not be exploitable at all. Reading the bugzilla entries that cover the issues is headache-inducing as their own devs frequently don’t understand the extent of the issues. Oh, if they make the bugzilla entry public. If the Linux Kernel devs and Mozilla browser wonks cannot figure out the extent of the issue, how are VDBs supposed to? ... VDBs deal with thou

In my post Thoughts on 2009 CDX I described my initial reaction to the Cyber Defense Exercise from the point of view of seeing the white and red cells in action. Thanks to this press release I learned the outcome of the event: The National Security Agency/Central Security Service (NSA/CSS) is pleased to announce that the United States Military Academy at West Point has won the 2009 Cyber Defense Exercise (CDX) trophy for the third year in a row. I found more detail here : The USMA team won the exercise for the third year in a row––West Point’s fifth win since the competition began in 2001. That means they successfully fended off the NSA hackers better than the U.S. Naval Academy, U.S. Air Force Academy, U.S. Coast Guard Academy, U.S. Merchant Marine Academy, the Naval Postgraduate School, the Air Force Institute of Technology and Royal Military College of Canada... "We had large attacks against our e-mail and Web server from multiple (Internet protocol) addresses (all NSA Red T

In my last post I mentioned physics. Longtime blog readers might remember a thread from 2007 which ended with Final Question on FAIR , where I was debating the value of numerical outputs from so-called "risk assessments." Last weekend I attended the 2009 Berkshire Hathaway Shareholder meeting courtesy of Gunnar Peterson . He mentioned two terms used by Berkshire's Charlie Munger that now explains the whole numerical risk assessment approach perfectly: Physics Envy , resulting in false precision : In October of 2003 Charlie Munger gave a lecture to the economics students at the University of California at Santa Barbara in which he discussed problems with the way that economics is taught in universities.One of the problems he described was based on what he called "Physics Envy." This, Charlie says, is "the craving for a false precision. The wanting of formula..." The problem, Charley goes on, is, "that it's not going to happen by and large i

Last week while flying home from the midwest I listened to the fifth Rearguard Security podcast , featuring Dan Geer. If you like my blog you will enjoy the entire podcast. This was my favorite quote, from Dan: "Internet security is quite possibly the most intellectually challenging profession on the planet ... for two reasons... complexity... and rate of change [are] your enemy. Take that, quantum physics!! You might also like the line used to introduce the podcast: The Rearguard Security podcast: where the elite meet to share a sense of defeat. Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Last month Tony Sager was kind enough to invite me to visit NSA's Cyber Defense Exercise (CDX), an annual computer defense drill where cadets from the nation's military service academies defend training networks from red teams. I first mentioned CDX in 2003 and attended a great briefing on CDX summarized by my 2006 post Comments on SANS CDX Briefing . For this event I drove to Elkridge, MD and visited the defense contractor hosting the CDX white and red cells. The red team conducts adversary simulation against the cadet teams while the white cell runs the exercise and keeps score. NSA did a great job hosting visitors, ranging from lowly bloggers like yours truly, all the way up to multi-star generals and their staffs. I'd like to mention a few points which caught my attention. This is the second year that the participants were given a budget. This means that making changes to the architecture they were defending, such as installing software and taking other actions, i

The registration process for my TCP/IP Weapons School 2.0 class at Black Hat USA 2009 continues to be active. Several people have asked for something they could show their managers to explain the course in one page, so I created a class outline in .pdf format . No, this is not a malicious .pdf! I am also available to answer questions on the class, so please feel free to ask here. Based on the feedback from my DC and Amsterdam sessions earlier this year, students are enjoying the new lab-centric format which focuses on teaching hands-on skills and an investigative mindset. In Amsterdam I also used a new question-and-answer approach where I "batched" questions asked by the students during the labs, and then set aside separate time to just answer questions on whatever security topic the students wanted to discuss. Remember I also posted a Sample Lab a few months ago to give one example of the format used by this new class. After Black Hat USA I will not be training aga