TaoSecurity Blog

I'm hiring for my team (GE-CIRT) again. The following summarizes open positions: Information Security Incident Handler (1145304); serious skills required Information Security Incident Analyst (1147842); intermediate skills required Information Security Event Analyst (1147849); extreme willingness to learn required Security Assurance Team Senior Analyst (1147811); intermediate skills required Security Assurance Team Analyst (1147853); extreme willingness to learn required Information Security Infrastructure Engineer (1147859); serious Unix and open source system and database administration skills required Roles 1-3 involve incident detection and response. Roles 4-5 involve threat analysis, Red-Blue teaming, and internal consulting. Role 6 supports team systems. All roles have a bias towards hiring into our beautiful Advanced Manufacturing and Software Technology System in Michigan. I already have five guys working there and expect to have at least a dozen more on our team work

I just finished watching Cyber Shockwave, in the form of a two hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton. The fake NSC meeting was held in response to a fictitious "cyber attack" against US mobile phones, primarily caused by a malicious program called "March Madness." For more details, read the press releases here , or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday. In this post I'd like to capture a few thoughts. Others have already criticized the technical realism of this exer

Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthall . From the review : I was an Air Force military intelligence officer in the late 1990s. I've been working in computer security since then. I read Intelligence, 4th Ed (I4E) to determine if I could recommend this book to those who doubt or don't understand the US intelligence community (IC). I am very pleased to say that I4E is an excellent book for those with little to no intelligence experience. I also found I4E to be a great way to catch up on changes in the IC, particularly since Congress passed the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA). I4E is a great book -- check it out!

A blog reader emailed the following question. We recently had a CISO change, and in the process of doing an initial ops review and looking at organizational structure, one of the questions the new CISO has is about the viability of offshoring incident response... I would be very interested in your views on this matter, and would appreciate any feedback you can offer. As background, I've been involved in incident response in many different capacities: top-level military CERT, managed security services provider, fly-away consultant, government contractor, independent consultant, and top-level corporate CIRT. In other words, I've worked in insourced and outsourced environments. I strongly advocate insourced or internal, professional incident response teams. Many technical people fixate on the technical aspects of security, as you might expect. While technical expertise is critical, it is also critical to understand the client. Depending on the size and complexity of the clien

A blog and book reader emailed the following question: I am an info sec undergrad and have been granted a scholarship to continue my studies towards a phd with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective. My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)? I post this question because I'm sure blog readers will contribute interesting comments. For my part, I'm really interested in the following: characterizing network traffic. In other words, develop tools and techniques to describe what is happening on the network . (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.) Without understanding what is happening, we ca

Once in a while I'm asking my Thoughts on Military Service . An anonynous blog reader sent the following questions. It's been a while since I wore the uniform, but at least some of you readers might care to offer your own thoughts? I'll try to answer what I can. I got into IT after graduating from college with non-technical majors and decided that I was actually interested in areas of practical science, such as: physical computing, engineering (mechanical, electrical, and design), robotics, aerospace, and programming. IT was a great primer for some practical work experience, but after my stint with [a security company] I'm evaluating if I want to acquire more direct technical training with the things I'm passionate about. So, here's my barrage of questions; please feel free to answer however you want, I'm simply organizing the thoughts rumbling around in my head. If I left anything relevant out, which I'm certain I did, then please mention it. 1) W

In late 2007 I blogged Max Ray Butler in Trouble Again . Please see that post and Kevin Poulsen's June 2009 story for details. According to ComputerWorld , you don't want to be Max Ray Butler: A former security researcher turned criminal hacker has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers. Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in U.S. District Court in Pittsburgh on charges of wire fraud and identity theft. In addition to his 13-year sentence, Butler will face five years of supervised release and must pay US$27.5 million in restitution to his victims, according to Assistant U.S. Attorney Luke Dembosky, who prosecuted the case for the federal government. Dembosky believes the 13 year sentence is the longest-ever handed down for hacking charges. Butler, also known as Max Vision, pleaded guilty to wire fraud charges in June last year. In an odd coinc

I'm wondering if this story resonates with anyone. Imagine a group of undersea divers. They are swimming in the ocean doing some sort of productive activity, maybe retrieving treasure, or doing research, or something else. The divers receive instructions from managers in a boat. Suddenly one of the divers is attacked by a shark. It tears right through his diving suit. There's blood in the water. The managers see the blood but tell the divers to keep doing their work. The injured diver attracts other sharks. Now the other divers are being attacked. The managers tell the divers to keep working. It's a disaster. Divers are severely injured, and some are dying. In the boat some generalist first responders see the blood, and recommend putting the divers in protective cages. They aren't sure exactly what is happening so they fall back on the standard operating procedures. A few of the divers seek shelter in the cages. Now the managers are howling that the divers ar

I read Hacker 'Mudge' gets DARPA job by Elinor Mills: Peiter Zatko--a respected hacker known as "Mudge"--has been tapped to be a program manager at DARPA, where he will be in charge of funding research designed to help give the U.S. government tools needed to protect against cyberattacks, CNET has learned. Zatko will become a program manager in mid-March within the Strategic Technologies Office at DARPA (Defense Advanced Research Projects Agency), which is the research and development office for the Department of Defense. His focus will be cybersecurity... Another lure of the job was the budget he will have. Zatko said he doesn't know exactly how much of the $3.5 billion a year DARPA spends to fund research he will oversee but said it's likely to be a "good chunk." A hacker in charge of your tax dollars? I think that's... great! I'm pleased to see someone with the right mindset and experience making decisions on next-generation digital se

It started with this post by M.D.Mufambisi to the pen-list list: Im designing an SMS baking application but i need to research on the security risks involved first... What are the risks around this application? How are such applications normally subverted? Are there any case studies someone can point me to? After a few responses, Craig Wright chimed in : The solution needs to be based on risk. Where a system uses an SMS response with a separate system (such as a web page), the probability that the banking user is compromised and a fraud is committed, P(Compromise), can be calculated as: P(Compromise) = P(C.SMS) x P(C.PIN) Where: P(C.SMS) is the probability of compromising the SMS function and P(C.PIN) is the compromise of the user authentication method Craig followed up with a blog post : Many people feel that it is not feasible to model risk quantitatively. This of course is blatantly false. In the past, many of the calculations have been computationally infeasible at wors

I found this article by John M. Kamensky to be interesting: Teresa Amabile and Steven Kramer, in a recent Harvard Business Review article called “What Really Motivates Workers,” tell managers: “The key to motivation turns out to be largely within your control.” Their advice? “ Scrupulously avoid impeding progress .” Amabile and Kramer surveyed more than 600 managers and then conducted a multiyear study of hundreds of knowledge workers , asking them to keep daily diaries to discover the top motivator of performance. Not surprisingly, managers and workers came to different conclusions. Managers were asked to rank the impact of five workplace factors commonly considered significant motivators : recognition, incentives, interpersonal support, support for making progress and clear goals. “ Recognition for good work” topped their list. However, the recognition factor was ranked dead last by workers . The researchers found that workers ranked “support for making progress” as their No. 1 moti

I was not surprised to read China’s hawks demand cold war on the US in the Times Online. [A]lmost 55% of those [in China] questioned for Global Times, a state-run newspaper, agree that “ a cold war will break out between the US and China ”... An independent survey of Chinese-language media for The Sunday Times has found army and navy officers predicting a military showdown and political leaders calling for China to sell more arms to America’s foes... “ This time China must punish the US ,” said Major-General Yang Yi, a naval officer. “ We must make them hurt .” A major-general in the People’s Liberation Army (PLA), Luo Yuan, told a television audience that more missiles would be deployed against Taiwan. And a PLA strategist, Colonel Meng Xianging, said China would “qualitatively upgrade” its military over the next 10 years to force a showdown “when we’re strong enough for a hand-to-hand fight with the US” ... As a crescendo of strident nationalistic rhetoric swirls through the Chines

Some of you may remember me mentioning the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. I provided the keynote and really enjoyed listening to the presentations, which Rob has graciously made available at http://files.sans.org/summit/forensics08/ . One of the presentations, by Mandiant consultant Wendi Rafferty and then-Mandiant consultant (now GE-CIRT incident handler) Ken Bradley, was titled Slaying the Red Dragon . As you can see from the first two slides shown at left, this was presentation explicitly addressed advanced persistent threat . I didn't mention it originally because it discusses a specific attack vector. However, it's been over 18 months since the presentation was made. Therefore, to show that APT is "not a new term" but also to share some technical insights, I thought it acceptable to advertise this presentation. By the way, the presentations from the 2009 event are posted at http://files.sans.org

Amazon.com just posted my five star review of The Book of Xen by Chris Takemura and Luke S. Crawford. From the review : The Book of Xen (TBOX) is a great book for Linux system administrators who want to deploy Xen. The authors ground their recommendations in over four years of experience running Xen to support Internet-facing virtual private servers. I found their writing style to be very engaging; it reminded me of reading any one of Michael Lucas' No Starch books. If you know your way around Linux and want to deploy Xen in production, TBOX is the book for you. Thank you to No Starch for providing me a free review copy.

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week , and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying to answer these misconceptions, I decided to consolidate them here. Myth 1. APT is a "new term," invented by Mandiant. Reality: Mandiant did not invent the term. The Air Force did in 2006. More info: What Is APT and What Does It Want? Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attri

I'm involved in one degree or another with three somewhat academically-oriented conferences this year. I wanted to post notices of the call for papers for each event. First is DFRWS 2010 on 2-4 Aug in Portland, Oregon. I am on the Technical Program Committee but will not attend due to a family conflict. The CFP ends 28 Feb. Next is VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee and plan to attend. The CFP for full papers ends 30 Apr. Last but not least is RAID 2010 on 15-17 Sep in Ottawa, Ontario. I like the fact this conference is held in conjunction with VizSec, so I will probably attend. The CFP ends 4 Apr.

In December 2007 I wrote Predictions for 2008 . They included 2) Expect greater military involvement in defending private sector networks; 3) Expect increased awareness of external threats and less emphasis on insider threats; and 4) Expect greater attention paid to incident response and network forensics, and less on prevention. All three of those predictions are being fulfilled by the Google v China incident as demonstrated by this Washington Post story by Ellen Nakashima titled Google to enlist NSA to help it ward off cyberattacks : The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity. Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks , according to cybersecurity experts familiar with the matter. The objective i

AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Blair at yesterday's US Senate Select Committee on Intelligence hearing . In his testimony, DNI Blair began his Annual Threat Assessment of the US Intelligence Community with the following. I highlight "began" because this section wasn't buried in the middle of the document. He discussed digital threats right from the start. The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure... This critical infrastructure is severely threatened. The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously ... I am here today to stress that, acting independently, neither the US Government nor the priva

I just noticed that my 9th edition of Traffic Talk , titled Testing Snort with Metasploit , was posted. From the article: Security and networking service providers are often asked whether their solutions are working as expected. Two years ago, I wrote How to test Snort , which concentrated on reasons for testing and ways to avoid doing poor testing. In this article, prompted by recent discussions among networking professionals, I show how to combine several tools in a scenario where I test Snort with Metasploit.