Showing posts from October, 2009

Bejtlich and Bradley on SANS Webcast Monday 2 Nov

Ken Bradley and I will conduct a Webcast for SANS on Monday 2 Nov at 1 pm EST. Check out the sign-up page. I've reproduced the introduction here. Every day, intruders find ways to compromise enterprise assets around the world. To counter these attackers, professional incident detectors apply a variety of host, network, and other mechanisms to identify intrusions and respond as quickly and efficiently as possible. In this Webcast, Richard Bejtlich, Director of Incident Response for General Electric, and Ken Bradley, Information Security Incident Handler for the General Electric Computer Incident Response Team, will discuss professional incident detection. Richard will interview Ken to explore his thoughts on topics like the following: How does one become a professional incident detector? What are the differences between working as a consultant or as a member of a company CIRT? How have the incident detection and response processes changed over the last decade? What challenge

Partnerships and Procurement Are Not the Answer

The latest Federal Computer Week magazine features an article titled Cyber warfare: Sound the alarm or move ahead in stride? I'd like to highlight a few excerpts. Military leaders and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry ... Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats... OK, that sounds nice. Everyone wants to foster collaboration and communication. Join hands and sing! “Government may be a late adopter, but we should be exploiting its procurement power,” said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month... Hmm, "procurement p

Initial Thoughts on Cloud A6

I'm a little late to this issue, but let me start by saying I read Craig Balding's RSA Europe 2009 Presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief: In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses, where Chris wrote Cloud providers I have spoken to are being absolutely hammered by customers acting on their “right to audit” clauses in contracts. In June, Craig posted Stop the Madness! Cloud Onboarding Audits - An Open Question... where he wondered Is there an existing system/application/protocol whereby I can transmit my policy requirements to a provider, they can respond in real-time with compliance level and any additional costs, with less structured/known requirements responded to by a human (but transmitted the same way)? Later in June, Craig posted in Vulnerability Scanni

Wednesday is Last Day for Discounted SANS Registration

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate. I wrote the following to provide more information on the Summit and explain its purpose. All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data? To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWor

Review of Hacking Exposed: Web 2.0 Posted

I just posted my three star review of Hacking Exposed: Web 2.0 by Rich Cannings, Himanshu Dwivedi, Zane Lackey, et al. From the review: I have to agree with the other 3-star reviews of Hacking Exposed: Web 2.0 (HEW2). This book just does not stand up to the competition, such as The Web Application Hacker's Handbook (TWAHH) or Web Security Testing Cookbook (WSTC). I knew this book was in trouble when I was already reading snippets mentioning JavaScript arrays in the introduction. That set the tone for the book: compressed, probably rushed, mixing material of differing levels of difficulty. For example, p 8 mentions using prepared statements as a defense against SQL injection. However, only a paragraph on the topic appears, with no code samples (unlike TWAHH). Note: McGraw-Hill Osborne provided me a free review copy.

Review of Web Security Testing Cookbook Posted

I just posted my five star review of Web Security Testing Cookbook by Paco Hope and Ben Walther. From the review: I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for developers, those books are more or less aimed at assessment professionals. WSTC, on the other hand, is directed squarely at Web developers. In fact, WSTC is specifically written for those who incorporate unit testing into their software development lifecycle. I believe anyone developing Web applications would benefit from reading WSTC. Note: O'Reilly provided me a free review copy.

Review of SQL Injection Attacks and Defense Posted

I just posted my five star review of SQL Injection Attacks and Defense by Justin Clarke, et al. From the review: I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner. SIAAD is another serious contender for Best Book Bejtlich Read 2009. Note: Syngress provided me a free review copy.

Review of The Web Application Hacker's Handbook Posted

I just posted my five star review of The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. From the review: The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read for those even without Web development or assessment experience. TWAHH is a serious candidate for Best Book Bejtlich Read 2009. Note: Wiley provided me a free review copy.

"Protect the Data" from the Evil Maid

I recently posted "Protect the Data" from Whom? I wrote: [P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat. Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker? Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval. The scenario is this: User leaves laptop alone in hotel room. Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader.

Report on Chinese Government Sponsored Cyber Activities

Today's Wall Street Journal features the following story: China Expands Cyberspying in U.S., Report Says by Siobhan Gorman. I've reprinted an excerpt below and highlighted interesting aspects. I can vouch for the quality of the Northrop Grumman team that wrote this report and for their experience in this arena. Congressional Advisory Panel in Washington Cites Apparent Campaign by Beijing to Steal Information From American Firms WASHINGTON -- The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing. The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond,"

DojoCon to Stream Talks Live

As I mentioned last month I will be speaking at DojoCon, on Saturday 7 November at Capitol College in Laurel, MD. Organizer Marcus Carey asked me to share the following: DojoCon will stream live all of the talks on the Internet for free as they happen. I believe this is the first time a group of speakers of this caliber will be available to the information security community for free. We are also offering real-life attendees the full conference for $150 for both days and a one-day pass (either Friday or Saturday) for $85.

Bejtlich Teaching at Black Hat DC 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration.

Super Early ends 15 Nov
Early ends 1 Dec
Regular ends 15 Jan
Late ends 30 Jan
Onsite starts at the conference

With an $800 difference between Super Early and Onsite, it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format a

"Protect the Data" -- What Data?

This is another follow-on from my "Protect the Data" Idiot! post. If you think about the "protect the data" mindset, it's clearly a response to the sorts of data loss events that involve "records" -- credit card records, Personally Identifiable Information (PII), and the like. In fact, there's an entire "product line" built around this problem: data loss prevention. I wrote about DLP earlier this year in response to the rebranding effort taken by vendors to make whatever they sold part of the DLP "solution." What's interesting to me about "protect the data" in this scenario is this: "what data?" Is your purpose in life to keep PII or other records in a database? That's clearly a big problem, but it doesn't encompass the whole security problem. What about the following? Credentials used to access systems. For example, intruders often compromise service accounts that have wide-ranging

"Protect the Data" Where?

I forgot to mention another thought in my last post, "Protect the Data" from Whom? Intruders are not mindlessly attacking systems to access data. Intruders direct their efforts toward the sources that are easiest and cheapest to exploit. This produces an interesting corollary. Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user. For example, if a file is only readable once it has been decrypted in front of a user, that is where the intruder will attack once his other options have been exhausted. This means that the only way to completely "protect data" is to make it unusable. If data is not usable then it doesn't need to exist, so that means intruders will always be able to access data if they are sufficiently resourced and motivated, as explained in my first post on this subject.

"Protect the Data" from Whom?

This is a follow-on from my "Protect the Data" Idiot! post. Another question to consider when someone says "protect the data" is this: "from whom?" The answer makes all the difference. I remember a conversation I overheard or read involving Marcus Ranum and a private citizen discussing threats from nation-state actors.

Questioner: How do you protect yourself from nation-state actors?
MJR: You don't.
Q: What do you do then?
MJR: You lose.

In other words, private citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat. The only actors who have a chance of defending themselves against high-end threats are other nation-state actors. Furthermore, the defenders don't necessarily have a defensive advantage over average Joes because the nation-state possesses superior people, products, or processes. Many nation-state actors are deficient in a

"Protect the Data" Idiot!

The 28 September 2009 issue of InformationWeek cited a comment posted to one of their forums. I'd like to cite an excerpt from that comment. [W]e tend to forget the data is the most critical asset. yet we spend inordinate time and resources trying to protect the infrastructure, the perimeter... the servers etc. I believe and [sic] information-centric security approach of protecting the data itself is the only logical approach to keep it secure at rest, in motion and in use. (emphasis added) I hear this "protect the data" argument all the time. I think it is one of the most misinformed comments that one can make. I think of Chris Farley smacking his head saying "IDIOT!" when I hear "protect the data." "Oh right, that's what we should have been doing for the last 10, 20, 30 years -- protect the data! I feel so stupid to have not done that! IDIOT!" "Protect the data" represents a nearly fatal understanding of infor

NSM in Products

A blog reader recently asked: I've been tasked with reevaluating our current NSM / SIEM implementation, and I see that you posted about a NetFlow book you are tech editing for Lucas. My question is this: Outside of Sguil, what do you prefer/recommend in the way of NSM products/solutions? Our current NSM uses a modified version of NetFlow and our Networking team also uses Cisco NetFlow elsewhere... While I find it useful to collect header data, the current implementation lacks payload information. So while we may be able to turn back the clock to look at flows for a given duration, it's not always possible to see valuable contents... Another wall I have hit with NetFlow is that the communication of the protocol takes place in somewhat of a half duplex manner (i.e. it is possible to receive the response flow before you receive the request flow), thus making it difficult to assure a particular direction without some processing... I have yet to see a blog post covering any consolidated

Technical Visibility Levels

It's no secret that I think technical visibility is the key to trustworthy technology. Via Twitter I wrote: The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset. This topic has consumed me recently as relatively closed but IP-enabled systems proliferate. This ranges from handheld computers (iPhone, Blackberry, etc.) all the way to systems hosted in the cloud. How are we supposed to trust any of them? One of the first problems we should address is how to describe the level of technical visibility afforded by these technologies. The following is very rough and subject to modification, but I'm thinking in these terms right now.

Level 0. System status available only by observing explicit failure.
Level 1. Anecdotal status reporting or limited status reporting.
Level 2. Basic status reporting via portal or other non-programmatic interface.
Level 3. Basic logging of system state, perfo

Hakin9 5/2009 Issue

I just received a review copy of the 5/2009 issue of Hakin9 magazine. Several articles look interesting, such as Windows Timeline Analysis by Harlan Carvey, The Underworld of CVV Dumping by Julian Evans, and a few others on malware analysis and ASLR. Check it out!

Incident Handler, Incident Analyst, Threat Analyst, and Developer Positions in GE-CIRT

My team just opened five more positions. These candidates will report to me in GE-CIRT.

Information Security Incident Handler (1093498)
Information Security Incident Analyst (two openings, 1093494)
Cyber Threat Analyst (1093497)
Information Security Software Developer (1093499)

These candidates will sit in our new Advanced Manufacturing & Software Technology Center in Van Buren Township, Michigan. We don't have any flexibility regarding the location for these positions, and all five must be US citizens. No security clearance is required, however! If interested, search for the indicated job numbers at or go to the job site to get to the search function a little faster. We are being deluged by applicants for the SIEM role, so your best bet is to apply online and let me find you after reading your resume. Thank you.

Traffic Talk 7 Posted

I just noticed that my 7th edition of Traffic Talk, titled How to deploy NetFlow v5 and v9 probes and analyzers, was posted on 28 September. I submitted it back in mid-August but it's on the Web now. On a related note, I am tech editing a forthcoming book on NetFlow by Michael Lucas titled Network Flow Analysis. Michael is probably my favorite technical author, so keep an eye open for his book in May 2010.