Posts

Showing posts from June, 2010

Digital Forensics Magazine

Image
I just learned of a new resource for digital forensics practitioners -- Digital Forensics Magazine . They just published their third issue. This appears to be a high quality publication with authors like Mark D. Rasch (The Fourth Amendment: Cybersearches, Particularity and Computer Forensics), Solera's Steve Shillingford (It's Not About Prevention), and others. Check it out!

Comments on Sharkfest Presentation Materials

Image
I saw that presentations from Sharkfest 2010 are now posted. This is the third year that CACE Technologies has organized this conference. I've had conflicts each of the last three years, but I think I need to reserve the dates for 2011 when they are available. In this post I wanted to mention a few slides that looked interesting. Jasper Bongertz presented Wireshark vs the Cloud (.pdf) I reviewed this presentation to see if anyone is doing something novel regarding monitoring Cloud environments. In the slide at right you see his first option is to install a monitoring tool inside a VM. That's standard. In the next slide you see his second option is to select a link upstream from the VM server and tap that line. That's standard too. I know of some cloud providers who use this strategy and then filter the results. You will likely need some robust equipment, depending on active the link is. In the last slide you see that future options include ensuring that the virtu...

Dealing with Security Instrumentation Failures

Image
I noticed three interesting blog posts that address security instrumentation failures. First, security software developer Charles Smutz posted Flushing Out Leaky Taps : How many packets does your tapping infrastructure drop before ever reaching your network monitoring devices? How do you know? I’ve seen too many environments where tapping problems have caused network monitoring tools to provide incorrect or incomplete results. Often these issues last for months or years without being discovered, if ever... One thing to keep in mind when worrying about loss due to tapping is that you should probably solve, or at least quantify, any packet loss inside your network monitoring devices before you worry about packet loss in the taps. You need to have strong confidence in the accuracy of your network monitoring devices before you use data from them to debug loss by your taps. Remember, in most network monitoring systems there are multiple places where packet loss is reported... I’m not going ...

CloudShark, Another Packet Repository in the Cloud

Image
I've been interested in online packet tools for several years, dating back to my idea for OpenPacket.org , then continuing with Mu Dynamics' cool site Pcapr.net , which I profiled in Traffic Talk 10 . Yesterday I learned of CloudShark , which looks remarkably similar to Wireshark but appears as a Web application. I generated the picture at right by downloading a trace showing FTP traffic from pcapr.net , then uploading it to CloudShark. Apparently CloudShark renders the trace by invoking Tshark, then building the other Wireshark-like components separately. You can access the trace at this link . CloudShark says: While the URLs to your decode session are not publicly shared, we make no claims that you data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don't use CloudShark. Using Tshark is pretty clever, though it exposes the CloudShark back end to the variety of vulnerabilities that get fixed with every ...

All Aboard the NSM Train?

Image
It was with some small amusement that I read the following two press releases recently: First, from May, NetWitness® and ArcSight Partner to Provide Increased Network Visibility : NetWitness, the world leader in advanced threat detection and real-time network forensics, announced certification by ArcSight (NASD: ARST) of compliance with its Common Event Format (CEF) standard. ArcSight CEF certification ensures seamless interoperability and support between NetWitness’ industry-leading threat management solution and ArcSight’s security information and event management (SIEM) platform. Let me parse the market-speak. This is another indication that an ArcSight user can click on an event in the SIM console and access network traffic captured by NetWitness. Second, from June, Solera Networks™ and Sourcefire™ Announce Partnership : Solera Networks, a leading network forensics products and services company today announced its partnership with Sourcefire, Inc. (Nasdaq:FIRE), the creators of SN...

Mike Cloppert on Defining APT Campaigns

Image
Please stop what you're doing and read Mike Cloppert's latest post Security Intelligence: Defining APT Campaigns . Besides very clearly and concisely explaining how to think about APT activity, Mike includes some original Tufte-esque figures to demonstrate APT attribution and moving up the kill chain.

Full Disclosure for Attacker Tools

Image
The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans. What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes: For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack... If you're not familiar with these sorts of tools, see an example described by Brian Krebs at A Peek Inside the ‘Eleonore’ Browser Ex...

Can Someone Do the Afghanistan Math?

I'm sure most of you have read the NY Times story U.S. Identifies Vast Mineral Riches in Afghanistan : The United States has discovered nearly $1 trillion in untapped mineral deposits in Afghanistan, far beyond any previously known reserves and enough to fundamentally alter the Afghan economy and perhaps the Afghan war itself, according to senior American government officials... Instead of bringing peace, the newfound mineral wealth could lead the Taliban to battle even more fiercely to regain control of the country... The mineral deposits are scattered throughout the country, including in the southern and eastern regions along the border with Pakistan that have had some of the most intense combat in the American-led war against the Taliban insurgency. I'd like to make two points. First, I see dollars and a security problem. Can someone do the Afghanistan math? In other words, how much should be spent on security in Afghanistan in order to yield a worthwhile "return on i...

Light Bulbs Slowly Illuminating at NASA?

Image
I've seen a few glimmers of hope appearing in the .gov space recently, so I wanted to note them here. Linda Cureton in her NASA CIO blog said: We have struggled in the area of cyber security because of our belief that we are able to obtain this ideal state called – secure . This belief leads us to think for example, that simply by implementing policies we will generate the appropriate actions by users of technology and will have as a result a secure environment. This is hardly the truth. Not to say that policies are worthless, but just as the 55 mph speed limit has value though it does not eliminate traffic fatalities, the policies in and of themselves do not eliminate cyber security compromises. Army General Keith Alexander, the nation's first military cyber commander, described situational awareness as simply knowing what systems' hackers are up to . He goes on to say that with real-time situational awareness, we are able to know what is going on in our networks...

NITRD: "You're going the wrong way!"

Image
If you remember the great 1980's movie "Planes, Trains, and Automobiles" the title of this post will make sense. When Steve Martin and John Candy are driving down the wrong side of the highway, another motorist yells "You're going the wrong way!" They deluded pair reply "How do they know where we're going?" I am starting to feel like the motorist yelling "You're going the wrong way!" and I'm telling Federal research efforts like the Federal Networking and Information Technology Research and Development (NITRD) Program . This program describes itself thusly: The NITRD Program is the primary forum by which the US Government coordinates its unclassified networking and information technology (IT) research and development (R&D). Fourteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2010 networking and IT R&D budgets totaled more than...

June 2010 Hakin9 Magazine Published

Image
The new June 2010 Hakin9 has been published in .pdf form. It looks like they replaced the registration-based download with a link straight to the .pdf -- nice. The article Testing Flash Memory Forensic Tools – part two looks interesting, and I always like reading whatever Matt Jonkman writes. Check it out -- it's free!

"Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

Image
There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done. The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve." This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros . It says in part: A commission set up to advise the Obama administration on cybersecurity policy is considering recommending certification and training for federal IT security employees and contractors . The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who's who of experts and polic...

Publicly Traded Companies Read This Blog

Image
I think some publicly traded companies read this blog! Ok, maybe I'm dreaming, but consider the story After Google hack, warnings pop up in SEC filings by Robert McMillan: Five months after Google was hit by hackers looking to steal its secrets, technology companies are increasingly warning their shareholders that they may be materially affected by hacking attempts designed to take valuable intellectual property . In the past few months Google, Intel, Symantec and Northrop Grumman -- all companies thought to have been targets of a widespread spying operation -- have added new warnings to their U.S. Securities and Exchange Commission filings informing investors of the risks of computer attacks ... Google warned that it could lose customers following a breach, as users question the effectiveness of its security. "Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launc...

Simple Questions, Difficult Answers

Image
Recently I had a discussion with one of the CISOs in my company. He asked a simple question: "Can you tell me when something bad happens to any of my 100 servers?" That's a very reasonable question. Don't get hung up on the wording. If it makes you feel better, replace "something bad happens to" with "an intruder compromises," or any other wording that conveys the question in a way you like. It's a simple question, but the answer is surprisingly difficult. Let's consider the factors that affect answering this question. We need to identify the servers. We will almost certainly need IP addresses. How many IP addresses does each server have? What connectivity does each IP address provide? Are they IPv4, IPv6, both? Are they static or dynamic? (Servers should be static, but that is unfortunately not universal.) We will probably need hostnames. How many hostnames does each server have? What DNS entries exist? Extrapolate from the IP questi...

Reminder for Incident Responders

Image
I found this post [Dailydave] How to pull a dinosaur out of a hat in 2010 by Dave Aitel to contain two warnings for incident responders: I do know that reliably owning Wireshark on Windows 7 is priceless. and So many otherwise very cautious people don't realize that RDP is like giving your passwords away to the remote machine. So we had to write a trojan that stole the passwords as people RDP'd in and we installed it for demos on various client sites. The first is a reminder that intruders sometimes practice counter-forensics , i.e., attacking defensive tools. In fact, the post I just linked from 2007 mentions Wireshark vulnerabilities. Some things never change. The second is a reminder that gaining remote access to suspected intrusion victims is a risky gambit. If you suspect a system is compromised, and you connect to it, expect trouble. This applies across the spectrum of intruders, from mindless malware to advanced persistent threat. Your best bet is to gather as much...