Posts

Showing posts from September, 2009

6th Issue of BSD Magazine

Image
The 6th issue of BSD Magazine is available now. This edition has several great articles. I liked Jan Stedehouder's article on Triple booting Windows 7, Ubuntu 9.04 and PC-BSD 7.1 , Christian Brueffer's article on FreeBSD Security Event Auditing , and the Questions and Answer Session of the BSD Certification Group Community with Dru Lavigne and Mikel King. I've been working with the editor at BSD Magazine to publish my articles on keeping FreeBSD up-to-date, so I expect to see them in print within the next few months.

Hakin9 Extended Edition in Stores

Image
Hakin9 published an "extended edition" magazine recently. This "best of" issue is 218 pages long and contains a nice selection of past articles. Although the writing isn't as uniformly smooth as one would find in the late, great Sys Admin magazine, I continue to find interesting articles in Hakin9. (By "smooth" I mean that articles written by non-native speakers tend to reflect that English isn't their first language. Hakin9 might consider hiring a native English copyeditor to rework articles prior to publication.) There's really no other printed security periodical like Hakin9. The technical level is higher than that of 2600 magazine, for example. You don't find articles on security management like you might in Information Security Magazine or SC Magazine, either.

Security Information and Event Management (SIEM) Position in GE-CIRT

Image
My team just opened a position for a Security Information and Event Management professional. This candidate will report to me in GE-CIRT but take daily direction from our SIM leader and our Lead Incident Handler. We're looking for a technical person who can not only administer our SIM, but also help our team implement our detection and response objectives and use cases in our SIM and related infrastructure. This candidate will sit in our new Advanced Manufacturing & Software Technology Center in Van Buren Township, Michigan. If interested, search for job 1087025 at ge.com/careers or go to the job site to get to the search function a little faster. I am available to answer questions on the role or forward them to our SIM leader. You can reach me by posting a comment here and providing an email address where I can contact you. Thank you.

Information Security Position in GE Aviation

Image
My colleagues in GE Aviation are looking for a candidate for a client computing architect. The focus will be Microsoft Windows platforms. According to the hiring manager, the following are desired: 50% leadership / 50% technical mix Strong leadership, program management, and influence skills Strong communication skills; the candidate will work with business and Corporate teams Security and technical skills, such as a strong command of Windows features and defenses If interested, search for job 1055733 at ge.com/careers or go to the job site to get to the search function a little faster. Please do not contact me directly. Thank you.

Open Source Vulnerability Disclosure with FreeBSD

Image
The purpose of this post is not to bash Microsoft, but I am going to point out why I prefer relying on open source platforms, especially for sensitive systems. One of the advantages of the open source model is that anyone can identify and evaluate changes. This is especially true of open source projects like FreeBSD . Let's look at a recent security advisory in ntpd to demonstrate what I mean. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-09:11.ntpd Security Advisory The FreeBSD Project Topic: ntpd stack-based buffer-overflow vulnerability Category: contrib Module: ntpd Announced: 2009-06-10 Credits: Chris Ries Affects: All supported versions of FreeBSD. Corrected: 2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE) 2009-06-10 10:31:11 UT...

Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs

Image
Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected Software . This is an important development. It is significant to acknowledge that an operating system is vulnerable despite the potential to add a countermeasure . In other words, countermeasures do not remove vulnerabilities. The company also updated the FAQ: If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it? By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability . The denial of service attacks require a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Additionally, Windows XP Service Pack 2 and later operating systems ...

MS09-048 on Windows XP: Too Hard to Fix

Image
This is a follow-up to MS09-048 is Microsoft's Revenge Against XP in the Enterprise . Everyone is talking about how Windows 2000 will not receive a patch for MS09-048: If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it? The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems , making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system. Let's think about that for a minute. Vista...

MS09-048 is Microsoft's Revenge Against XP in the Enterprise

Image
MS09-048 worries me. Non-Affected Software Operating System Windows XP Service Pack 2 and Windows XP Service Pack 3* How are default configurations of Windows XP not affected by this vulnerability? By default , Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability . For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. Someone please tell me I am misinterpreting this. It looks to me like this is bad news for the enterprise that operates any listening services on their Windows XP systems. Oh, I don't know, maybe...

Review of Windows Forensic Analysis 2nd Ed Posted

Image
Amazon.com just published my five star review of Windows Forensic Analysis, 2nd Ed by Harlan Carvey . From the review : I read and reviewed the 1st Ed of this book in July 2007 , and I just finished reading Windows Forensic Analysis 2nd Ed (WFA2E) this weekend. If your job involves investigating Windows systems, you must read this book. It's as simple as that. There is no substitute for this book. It also perfectly complements other solid forensics works already published. Great work again, Harlan!

Bejtlich Speaking at Information Security Summit

Image
My boss Grady Summers, GE CISO, and I will be presenting one of the keynotes at the Information Security Summit , 29-30 October, in Warrensville Heights, Ohio. Our topic is "CISO + CIRT = Success." In 2007, the CISO of General Electric decided to invest in a dedicated program to detect and respond to intrusions, as a centralized, global function within GE. Since then, GE has built a Computer Incident Response Team (CIRT), deployed dozens of sensors acorss the company, aggregated billions of log records, and institutionalized its detection and response processes. In this presentation, the CISO of GE (Grady Summers) and GE's Director of Incident Response (Richard Bejtlich) will describe their experience with this process. I am really excited about the pre-conference training at this event. I will participate in Introduction to Malware Dissection by Tyler Hudak , GE-CIRT's reverse engineer. This is a two day course for less than $500. You cannot beat the quality...

Bejtlich Speaking at DojoCon

Image
I will be presenting one of the keynotes at DojoCon , 6-7 November in Maryland. This should be a good event. Follow @dojocon for updates. Marcus Carey is organizing it.

Extreme Asymmetry in Network Attack and Defense

Image
As usual, Gunter Ollmann posted a great story on the Damballa blog titled Want to rent an 80-120k DDoS Botnet? He writes: [T]his particular operator is offering a botnet of between 80k and 120k hosts capable of launching DDoS attacks of 10-100Gbps – which is more than enough to take out practically any popular site on the Internet. The price for this service? $200 per 24 hours – oh, and there’s a 3 minute try-before-you-buy. Someone please tell me how much it costs to provision equipment and services sufficient to sustain network operations during a 10-100 Gbps DDoS attack . I bet it is much more than $200 per day. This extreme level of asymmetry demonstrates another reason why intruders have the upper hand in network attack and defense. Situations like this remind me that an insurance model might work. Insurance works when many contribute but few suffer simultaneous disasters. Perhaps organizations could buy insurance policies to cover losses due to DDoS, rather than provision...

Registration for VizSec 2009 Open

Image
The program for VizSec 09 has been posted. It looks like a great event. I served on the program committee. Bill Cheswick's keynote looks excellent. I'm not sure if I will be attending or not, but check it out if you're looking for ways to integrate visualization into your security operations. I am most interested in 1) handling large data sets and 2) visualizing something other than layer 3 and 4 information.