Showing posts from April, 2010

Blame the Bullets, not PowerPoint

Blog readers probably know I am not a big fan of PowerPoint presentations. I sympathize with many points in the recent article We Have Met the Enemy and He Is PowerPoint, which resurrects the December 2009 story by Richard Engel titled So what is the actual surge strategy? I think it is important to focus, however, on the core problem with PowerPoint presentations: bullets. Bullets are related to the main PowerPoint problem, which is having the medium drive the message rather than having the message drive the medium. When you create a PowerPoint presentation that relies on bullets to deliver a message, you essentially cripple the intellect of anyone attending the presentation. I thought about this yesterday while listening to Johnny Cash. Let's imagine Johnny wanted to explain the devotion someone feels for his significant other. If his default thinking involved creating a PowerPoint presentation every time he wanted to communicate, the bullets might look something like

Review of The Rootkit Arsenal Posted

I just posted my five star review of The Rootkit Arsenal by Bill Blunden. I received this book last year but didn't get a chance to finish it until this week, thanks to several long plane flights. From the review: Disclaimer: Bill mentions me and my book "Real Digital Forensics" on pages xxvi and 493. He sent me a free review copy of his book. "Wow." That summarizes my review of "The Rootkit Arsenal" (TRA) by Bill Blunden. If you're a security person and you plan to read one seriously technical book this year, make it TRA. If you decide to really focus your attention, and try the examples in the book, you will be able to write Windows rootkits. Even without taking a hands-on approach, you will learn why you can't trust computers to defend themselves or report their condition in a trustworthy manner.

Snort Near Real Time Detection Project

I don't think many people noticed this story, but on Thursday Sourcefire Labs published A New Detection Framework on the VRT blog and a NRT page on their labs site. I had a small part in this development due to the Incident Detection Summit I organized late last year. Sourcefire sent an army of developers (I think they had the biggest contingent) to the conference and clearly enjoyed participating. During the event they spoke to participants from multiple security teams and had follow-up discussions with several of us. One item we emphasized with Sourcefire was the need for analysis of file contents, not just network traffic. As Matt mentions in his latest post, Mike Cloppert and his team have used these approaches very effectively and have even published components of their work as open source projects like Vortex by Charles Smutz. In my NSM in products post last year I called this extracted content and listed it as one of the forms of NSM data. What does this m

Thoughts on New OMB FISMA Memo

I read the new OMB memorandum M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management." This InformationWeek article pretty well summarizes the memo, but I'd like to share a few thoughts. Long-time blog readers should know I've been writing about FISMA for five years, calling it a "joke," a "jobs program for so-called security companies without the technical skills to operationally defend systems," and other kind words. Any departure from the previous implementation is a welcome change. However, it's critical to remember that control monitoring is not threat monitoring. Let's take a look at the OMB letter to see if we can see what is really changing for FISMA implementation. For FY 2010, FISMA reporting for agencies through CyberScope, due November 15, 2010, will follow a three-tiered approach: 1. Data feeds directly from security management tools 2. Governme

Still Looking for Infrastructure Administrator for GE-CIRT

Two months ago I posted Information Security Jobs in GE-CIRT and Other GE Teams. I've almost filled all of the roles, or have candidates for all roles in play, with the exception of one -- Information Security Infrastructure Engineer (1147859). We're looking for someone to design, build, and run infrastructure to support GE-CIRT functions. As you might expect, we don't need someone with Windows experience. Beyond Unix-like operating systems, we are interested in someone with MySQL experience. You must be a US citizen who lives near our Michigan AMSTC or can relocate at your own cost. If you are interested, please visit and apply for role 1147859. Thank you.

Review of Handbook of Digital Forensics and Investigation Posted

I just posted my four star review of Handbook of Digital Forensics and Investigation by Eoghan Casey and colleagues. From the review: I've probably read and reviewed a dozen or so good digital forensics books over the last decade, and I've written a few books on that topic or related ones. The Handbook of Digital Forensics and Investigation (HODFAI) is a solid technical overview of multiple digital forensics disciplines. This book will introduce the reader to a variety of topics and techniques that a modern investigator is likely to apply in the enterprise. Because the book is a collection of sections by multiple authors, some of the coverage is uneven. Nevertheless, I recommend HODFAI as a single volume introduction to modern digital forensics.

Review of The Victorian Internet Posted

I just posted my five star review of The Victorian Internet by Tom Standage. From the review: Tom Standage mentions chronocentricity on p. 213 as "the egotism that one's own generation is poised on the very cusp of history." Comparing modern times to the past, he says "if any generation has the right to claim that it bore the full bewildering, world-shrinking brunt of such a revolution, it is not us -- it is our nineteenth-century forbears." Commentator Gary Hoover defines chronocentricity as being "obsessed with our own era, considering it the most important or most dynamic time ever." Being a history major, I find The Victorian Internet (TVI) to be an enlightening antidote to chronocentricity, and I recommend it to anyone trying to better understand modern times through the lens of history.

Measurement Over Models

Most blog readers know I strongly prefer measurement over models. In digital security, I think too many practitioners prefer to substitute their own opinions for data, i.e., "defense by belief" instead of "defense by fact." I found an example of a conflict between the two mindsets in Test flights raise hope for European air traffic: Dutch airline KLM said inspection of an airliner after a test flight showed no damage to engines or evidence of dangerous ash concentrations. Germany's Lufthansa also reported problem-free test flights... "We hung up filters in the engines to filter the air. We checked whether there was ash in them and all looked good," said a KLM spokeswoman. "We've also checked whether there was deposit on the plane, such as the wings. Yesterday's plane was all well..." German airline Air Berlin was quoted as expressing irritation at the way the shutdown was decided. "We are amazed that the results of the tes

Vulnerable Sites Database: More Intrusion as a Service

Last year I blogged about Shodan, and today thanks to Team Cymru I learned of the latest evolution of Intrusion as a Service. It's called the Vulnerable Sites Database. According to the site, to be listed as a vulnerable site a submitter must provide "1. site name 2. vulnerability or JPG proof." This reminds me of a Web defacement archive where the submitter demonstrates having defaced a Web site, but here we get details like "local file inclusion" or "SQL injection." All we need now is to pair the search capability of a site like Shodan with the vulnerability data for an entire site as provided by the Vulnerable Sites Database. How about a cross-reference against sites currently whitelisted by Web proxy providers and others who use reputation to permit access? Something like: Select sites where the reputation is GOOD, that are hosted in the US, and are vulnerable to SQL injection? Next, exploit vulnerable sites and use them

"Cyber insecurity is the paramount national security risk."

Thanks to @borroff I read a fascinating article titled Cybersecurity and National Policy by Dan Geer. The title of my blog post is an excerpt from this article, posted in the Harvard National Security Journal on 7 April. This could be my favorite article of the year, and it proves to me that Dan Geer's writing has the highest signal-to-noise ratio of any security author, period. (Personal note: I remember seeing Dan speak at a conference, and he apologized for reading his remarks rather than speaking extemporaneously. He said he respected our time too much to not read his remarks, since he wanted to conserve time and words.) I've reproduced my favorite excerpts and tried to thus summarize his argument. First, security is a means, not an end. Therefore, a cybersecurity policy discussion must necessarily be about the means to a set of desirable ends and about affecting the future. Accordingly, security is about risk management, and the legitimate purpose of risk man

Response to Dan Geer Article on APT

A few people sent me a link to Dan Geer's article Advanced Persistent Threat. Dan is one of my Three Wise Men, along with Ross Anderson and Gene Spafford. I'll reproduce a few excerpts and respond. Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute. That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party. Given that the offense has the advantage of no legacy drag, the offense's ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending. In other words, the offense expends work whenever innovation is needed; the defense expends work each day and never catches up. This "least expensiv

Last Chance for TCP/IP Weapons School 2.0 in Las Vegas

Yesterday I returned home from teaching TCP/IP Weapons School 2.0 in Barcelona for Black Hat. I'd like to thank Black Hat and my students for a great class. I believe the current format, which is a mix of methodology, labs, and answering whatever questions the students have, in about 15-20 minute spontaneous presentations, is working really well. I plan to retire the current cases this year, and develop TWS3 with new cases for teaching in 2011. My last class of the year will be at Black Hat USA 2010 Training on 25-28 July 2010 at Caesars Palace in Las Vegas, NV. I will be teaching two sessions of TCP/IP Weapons School 2.0, one on the weekend and one during the week. Registration is now open. Black Hat has four remaining price points and deadlines for registration: Early ends 1 May; Regular ends 1 Jul; Late ends 22 Jul; Onsite starts at the conference. Seats are filling -- it pays to register early! If you review the Sample Lab I posted last year, this class is all abo

Bejtlich on Visible Risk Podcast

My friend Rocky DeStefano from Visible Risk posted the video (streaming) and audio (.mp3, 124 MB) of a discussion he hosted on advanced persistent threat. Mike Cloppert, Rob Lee, Shawn Carpenter, and I discussed APT for about an hour on video and about an hour and a half on audio. Let Rocky know what you think as a comment here or via Twitter to @visiblerisk. One comment -- slightly before the 24:00 mark, Rob made a remark about "what you and I respond to in the Air Force was laughable at this point, compared to what we're seeing today, actual intelligence being pulled back, potential nation state actors, potential organized crime, earning thousands or millions of dollars..." I disagree with part of that comment and agree with part of that comment. For the "disagree" part: Rob was stationed in the 609th, which was not the AFCERT. In the AFCERT we detected and responded to nation state activity of the caliber we see today. I don't know what the

Defense Security Service Publishes 2009 Report on "Targeting U.S. Technologies"

Thanks to Team Cymru I learned of a new Defense Security Service report titled Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry. The report seems to be the 2009 edition, which covers reporting from 2008. I'll have to watch for a 2010 version. From the report: The Defense Security Service (DSS) works with defense industry to protect critical technologies and information. Defense contractors with access to classified material are required to identify and report suspicious contacts and potential collection attempts as mandated in the National Industrial Security Program Operating Manual (NISPOM). DSS publishes this annual report based on an analysis of suspicious contact reports (SCRs) that DSS considers indicative of efforts to target defense-related information. The executive summary offers these bullet points: East Asia and Pacific-originated contacts continued to generate the greatest number of suspicious reports attributable to a specif

BeyondTrust Report on Removing Administrator: Correct?

Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions: [R]emoving administrator rights will better protect companies against the exploitation of: 90% of critical Windows 7 vulnerabilities reported to date; 100% of Microsoft Office vulnerabilities reported in 2009; 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009; 64% of all Microsoft vulnerabilities reported in 2009. Initially I was pleased to read these results. Then I read BeyondTrust's methodology. This report uses information found in the individual Security Bulletins to classify vulnerabilities by Severity Rating, Vulnerability Impact, Affected Software, as well as to determine if removing administrator rights will mitigate a vulnerability. A vulnerability is considered mitigated by removing administrator rights if the following sentence is located in the Security Bulletin’s Mitigating