Posts

Showing posts from December, 2009

Best Book Bejtlich Read in 2009

Image
It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2009! Although I've been reading and reviewing digital security books seriously since 2000, this is only the fourth time I've formally announced a winner; see 2008 , 2007 , and 2006 . 2009 was a slow year, due to a general lack of long-haul air travel (where I might read a whole book on one leg) and the general bleed-over from my day work into my outside-work time. My ratings for 2009 can be summarized as follows: 5 stars: 6 books 4 stars: 5 books 3 stars: 4 books 2 stars: 0 books 1 stars: 0 books Here's my overall ranking of the five star reviews; this means all of the following are excellent books. 6. Vi(1) Tips by Jacek Artymiak; devGuide.net. Every Unix admin should know how to use vi(1), and Jacek's book provides the right balance of commands and examples. 5. Web Security Testing Cookbook: Systematic Techniques to F

Every Software Vendor Must Read and Heed

Image
Matt Olney and I spoke about the role of a Product Security Incident Response Team ( PSIRT ) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products. I am really pleased to report that Matt wrote a thorough, public blog post titled Matt's Guide to Vendor Response . Every software vendor must read and heed this post. "Software vendor" includes any company that sells a product that runs software, whether it is a PC, mobile device, or a hardware platform executing firmware. Hmm, that includes just about everyone these days, except the little old ladies selling fabric at the hobby store. Seriously, let's make 2010 the year of the PSIRT -- the year companies make dealing with vulnerabilities in their software an operational priority. I'm not talking about "building security in" -- that's been going on for a while. Until I

Difference Between Bejtlich Class and SANS Class

Image
A comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010 , a reader asked: I am trying to get my company sponsorship for your class at Black Hat. However, I was ask to justify between your class and SANS 503, Intrusion Detection In-Depth. Would you be able to provide some advice? That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers. Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own plat

Reminder: Bejtlich Teaching at Black Hat DC 2010

Image
Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0 . Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left. Regular ends 15 Jan Late ends 30 Jan Onsite starts at the conference Seats are filling -- it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerP

Favorite Speaker Quotes from SANS Incident Detection Summit

Image
Taking another look at my notes, I found a bunch of quotes from speakers that I thought you might like to hear. "If you think you're not using a MSSP, you already are. It's called anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel? Seth Hall said "Bro is a programming language with a -i switch to sniff traffic." Seth Hall said "You're going to lose." Matt Olney agreed and expanded on that by saying "Hopefully you're going to lose in a way you recognize." Matt Olney also said "Give your analyst a chance." ["All we are sayyy-ing..."] Matt Jonkman said "Don't be afraid of blocking." It's not 2004 anymore. Matt emphasized the utility of reputation when triggering signatures, for example firing an alert when an Amazon.com-style URL request is sent to a non-Amazon.com server. Ron Shaffer said "Bad guys are following the rules of your network to accomplish their mis

Notes from Tony Sager Keynote at SANS

Image
I took a few notes at the SANS Incident Detection Summit keynote by Tony Sager last week. I thought you might like to see what I recorded. All of the speakers made many interesting comments, but it was really only during the start of the second day, when Tony spoke, when I had time to write down some insights. If you're not familiar with Tony, he is chief of the Vulnerability Analysis and Operations (VAO) Group in NSA. These days, the US goes to war with its friends (i.e., allies fight with the us against a common adversary). However, the US doesn't know its friends until the day before the war, and not all of the US' friends like each other. These realities complicate information assurance. Commanders have been trained to accept a certain level of error in physical space. They do not expect to know the exact number of bullets on hand before a battle, for example. However, they often expect to know exactly how many computers they have at hand, as well as their

Keeping FreeBSD Up-to-Date in BSD Magazine

Image
Keep your eyes open for the latest printed BSD Magazine , with my article Keeping FreeBSD Up-To-Date: OS Essentials . This article is something like 18 pages long, because at the last minute the publishers had several authors withdraw articles. The publishers decided to print the extended version of my article, so it's far longer than I expected! We're currently editing the companion piece on keeping FreeBSD applications up-to-date. I expect to also submit an article on running Sguil on FreeBSD 8.0 when I get a chance to test the latest version in my lab.

Thanks for a Great Incident Detection Summit

Image
We had a great SANS WhatWorks in Incident Detection Summit 2009 this week! About 100 people attended. I'd like to thank those who joined the event as attendees; those who participated as keynotes (great work Ron Gula and Tony Sager), guest moderators (Rocky DeStefano, Mike Cloppert, and Stephen Windsor), speakers, and panelists; Debbie Grewe and Carol Calhoun from SANS for their excellent logistics and planning, along with our facilitators, sound crew, and staff; our sponsors, Allen Corp., McAfee, NetWitness, and Splunk; and also Alan Paller for creating the two-day "WhatWorks" format. I appreciate the feedback from everyone who spoke to me. It sounds like the mix of speakers and panels was a hit. I borrowed this format from Rob Lee and his Incident Repsonse and Computer Forensics summits, so I am glad people liked it. I think the sweet spot for the number of panelists might be 4 or 5, depending on the topic. If it's more theoretical, with a greater chance o

Troubleshooting FreeBSD Wireless Problem

Image
My main personal workstation is a Thinkpad x60s . As I wrote in Triple-Boot Thinkpad x60s , I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely use the FreeBSD side. I haven't run FreeBSD on the desktop for several years, but I like to keep FreeBSD on the laptop in case I encounter a situation on the road where I know how to solve a problem with FreeBSD but not Windows or Linux. (Yes I know about [insert favorite VM product here]. I use them. Sometimes there is no substitute for a bare-metal OS.) When I first installed FreeBSD on the x60s (named "neely" here), the wireless NIC, an Intel(R) PRO/Wireless 3945ABG, was not supported on FreeBSD 6.2. So, I used a wireless bridge. That's how the situation stayed until I recently read M.C. Widerkrantz's FreeBSD 7.2 on the Lenovo Thinkpad X60s . It looked easy enough to get the wireless NIC running now that it was supported by the wpi driver. I had used freebsd-update to upgrade the 6.2 to

Let a Hundred Flowers Blossom

Image
I know many of us work in large, diverse organizations. The larger or more complex the organization, the more difficult it is to enforce uniform security countermeasures. The larger the population to be "secure," the more likely exceptions will bloom. Any standard tends to devolve to the least common denominator. There are some exceptions, such as FDCC , but I do not know how widespread that standard configuration is inside the government. Beyond the difficulty of applying a uniform, worthwhile standard, we run into the diversity vs monoculture argument from 2005. I tend to side with the diversity point of view, because diversity tends to increase the cost borne by an intruder. In other words, it's cheaper to develop exploitation methods for a target who 1) has broadly similar, if not identical, systems and 2) publishes that standard so the intruder can test attacks prior to "game day." At the end of the day, the focus on uniform standards is a man