TaoSecurity Blog

Time is an important aspect of Network Security Monitoring. If you don't pay close attention to the time shown in your evidence, and recognize what it means, it's possible you could misinterpret the values you see. My students and I encountered this issue in TCP/IP Weapons School at Black Hat this week. Let's look at the first ICMP packet in one of our labs. I'm going to show the output using the Hd tool and then identify and decode the field that depicts time. In the following output, 2d 0c 65 49 occupies the part of the packet where Libpcap has added a timestamp. Hd output: $ hd icmp.sample.pcap 00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................| 00000010 ea 05 00 00 01 00 00 00 2d 0c 65 49 5f bf 0c 00 |........-.eI_...| 00000020 4a 00 00 00 4a 00 00 00 00 0c 29 82 11 33 00 50 |J...J.....)..3.P| 00000030 56 c0 00 01 08 00 45 00 00 3c 02 77 00 00 80 01 |V.....E..<.w....| 00000040 ea f1 c0 a8 e6 01 c0 a8 e6 05 08 00 43 5c 07 0

Amazon.com just published by two star review of Digital Forensics for Network, Internet, and Cloud Computing by Terrence V. Lillard and company. From the review : Digital Forensics for Network, Internet, and Cloud Computing (DFFNIACC) is one of the worst books I've read in the last few years. You may wonder why I bothered reading a two star book. Blame a flight from the east coast to Las Vegas and not much else to read during those five hours! DFFNIACC is a jumbled collection of incoherent thoughts, loosely bound by the idea of "forensics" but clearly not subjected to any real planning or oversight. This book is very similar to the Syngress book "Botnets" which I gave 2 stars in 2008, and as you might expect features one of the same authors. Save your money and skip DFFNIACC; only the chapter on NetFlow and another offering a general overview of NetWitness are worth reading.

Amazon.com just published my three star review of Virtualization and Forensics by Dianne Barrett and Gregory Kipper. From the review : "Virtualization and Forensics" (VAF) offers "a digital forensic investigator's guide to virtual environments" as its subtitle. Eric Cole's introduction says "How do we analyze the [virtual] systems forensically since standard methods no longer work? Let me introduce a key piece of research and literature, VAF." I disagree with Eric's claim: I did not find VAF to be a compelling resource for forensic investigators of virtual environments. If an author writes a book on virtual forensics, I would expert more advice on how to accomplish the task, and less description of virtual environments. Unfortunately, VAF spends most of its time talking about virtual systems and not enough time helping investigators analyze them.

Amazon.com just published my two star review of Digital Triage Forensics: Processing the Digital Crime Scene by Stephen Pearson and Richard Watson. From the review : I have to preface this review by saying my criticism of this book should not be taken as criticism of the brave men and women who put their lives on the line fighting for our freedom in Southwest Asia (SWA). I'm reviewing the book "Digital Triage Forensics" (DTF), not the people who wrote it or the people who rely on the concepts therein. DTF is a misleading, disappointing book. The subtitle is "processing the digital crime scene." The back cover says "the expert's model for investigating cyber crimes," and it claims "now corporations, law enforcement, and consultants can benefit from the unique perspectives of the experts who pioneered DTF." That sounds promising, right? It turns out that DTF is essentially a handbook for Weapon Intelligence Teams (WITs) who deploy to Iraq

It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT . Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature. Take a look at this Dell Community thread to see what I mean. It's almost comical. These are a few problems I see: They are informing the public of this malware problem using phone calls, not a posting on a Web site. A customer thinks he's being scammed and posts a question to a support forum. Someone named "DELL-Matt M" replies: "The service phone call you received was in fact legitimate... We have assembled a customer list and are directly contacting customers like you through a call campaign. On the call, you should be provided a phone number to call if you have additional questions. Hopefully you received this on your call. If not, let me know and we’ll get it to you as soon as possible so you have all of the follow-up

Amazon.com just posted my three star review of The Watchman by Jonathan Littman. From the review : The Watchman by Jonathan Littman is a tough book to review. The author states that he started writing a book about Kevin Poulsen (The Watchman), then delayed that project to write a book about Kevin Mitnick (The Fugitive Game, or TFG). After finishing TFG, the author returned to the Poulsen book. Unfortunately, it seems that the approach that the author took in TFG (recounting direct telephone conversations with Kevin Mitnick) didn't translate well for The Watchman. Whereas TFG covers the part of the time Mitnick was on the run and speaking with the author, The Watchman tries to tell the overall story of Kevin Poulsen's life. The end result is not likely to reflect reality as well as a story where the author was a first-hand participant. It seems several of the main characters in The Watchman, most notable Poulsen himself, disagree with their portrayal in the book. Nevertheless,

Amazon.com just posted my four star review of The Fugitive Game by Jonathan Littman. From the review : "The Fugitive Game" (TFG) recounts author Jonathan Littman's discussions with Kevin Mitnick, largely while the latter evaded authorities in the mid-1990s. This book is unlike others about Kevin, because the author describes multiple lengthy telephone conversations. As much as one can trust the author to reproduce them faithfully, these exchanges provide insights into Kevin's thoughts and feelings regarding his position as the so-called "greatest computer criminal in the world," according to dubious New York Times reporting.

Amazon.com just posted my four star review of At Large by David H. Freedman and Charles C. Mann. From the review : "At Large" is a "hacking" book published during the mid-1990s, but it doesn't address the characters usually considered to be the "stars" of that era. Rather, At Large tells the tale of a single-minded and possibly mentally-challenged intruder who infiltrated a large number of sensitive US networks. While I didn't find the characters or story particularly compelling, I did note a number of points that remain true even today. For this reason you are likely to learn more from a book like At Large than a similar title, such as "Masters of Deception" (which I reviewed recently and gave 3 stars).

Amazon.com just posted my five star review of The Cuckoo's Egg by Cliff Stoll. From the review : Cliff Stoll's "The Cuckoo's Egg" (TCE) is the best real-life digital incident detection and response book ever written. I know something about this topic; I've written books on the subject and have taught thousands of students since 2000. I've done detection and IR since 1998, starting in the military, then as a consultant and defense contractor, and now as director of IR for a Fortune 5 company. If you're not an incident detector/responder, you're probably going to read TCE as a general enthusiast or maybe an IT professional. You'll like the book. If you're a security professional, you'll love it.

Amazon.com just posted my four star review of Code Version 2.0 by Lawrence Lessig. From the review : Code Version 2.0 (CV2) is a compelling and insightful book. Author Lawrence Lessig is a very deep thinker who presents arguments in a complete and methodical manner. I accept his thesis that "cyberspace" has abandoned its tradition as an ungovernable, anonymous playground and risks becoming the most regulated and "regulable" "place" in which one could spend any time. This position has been strengthened by recent news events, such as the White House's "National Strategy for Trusted Identities in Cyberspace (NSTIC) that outlines this vision to reduce cybersecurity vulnerabilities through the use of trusted digital identities." Lessig maintains that code is making such regulation possible, and anyone who cares about privacy and freedom needs to start paying attention.

Amazon.com just posted my four star review of Crypto by Steven Levy. From the review : Steven Levy's "Crypto" is a fascinating look at part of the story of modern cryptography, at least from the point of view of key non-government cryptographers. The author clearly conducted plenty of research into the lives of certain individuals, such as Whit Diffie and Marty Hellmen, the RSA trio, and other entrepreneurs. Unlike some other reviewers, I thought the text was lively enough and the book kept my attention throughout. My only real concern is the obvious bias against the concerns of government cryptographers. If you doubt the bias, it starts on the cover: "How the Code Rebels Beat the Government - Saving Privacy in the Digital Age." Regardless, if you are a security professional or just have an interest in digital privacy, you will enjoy reading Crypto.

Amazon.com just posted my two star review of The Illusion of Due Diligence by Jeffrey Bardin. From the review : I have mixed feelings about Jeffrey Bardin's "The Illusion of Due Diligence" (TIODD). I did read the whole book. However, I am not sure I would advise others to read it. TIODD struck me as a collection of stories describing how bad choices can lead to difficult situations. Some of the bad choices are the author's, so I have trouble sympathizing with him. Still, I was continuously amazed that the author would choose to record his professional life story in print, especially given the reader's ability to reassemble the true names behind the pseudonyms. Overall, I consider TIODD to be a curiosity that would keep your attention mainly for the "train wreck" aspect of the author's security career.

If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think both approaches are needed, but I find a lot of security shops ignore threat-centric approaches. But in this brief post I'd like to talk about one skill you're likely to need in a threat-centric team. Clearly knowledge of programming languages is helpful for vulnerability-centric security. Those who can program in the right languages can help identify vulnerabilities, develop exploits, and do other code-centric work. Different skills are needed for threat-centric security, however. If a programming language is helpful for vulnerability-centric operations, then a foreign language is helpful for threat-centric operations. Specifically, analysts will find it useful to read and potentially speak the language used by their adversaries. It is likely that while learning a foreign language, and more importantly maintaining or improving that s

Last month I attended my first Workshop on the Economics of Information Security (WEIS 2010) at Harvard. It was cool to visit and it reminded me that I probably spent too much time playing ice hockey and learning martial arts during graduate school, and not enough time taking advantage of the "Hah-vahd experience." Oh well, as Mr Shaw said, "Youth is wasted on the young." So what about WEIS? I attended because of the "big brains" in the audience. Seriously, how often do you get Dan Geer, Ross Anderson, Whit Diffie, Bruce Schneier, Hal Varian, etc., in the same room? I should have taken a picture. Dumb security groupie. I'll share a few thoughts. Tracey Vispoli from Chubb Insurance spoke about cyber insurance. Wow, what an interesting perspective. She said the industry has "no expected loss data" and "no financial impact data." Put that in your pipe and smoke it, Annualized Loss Expectancy (ALE) fans! So how does Chubb p

Last week I spoke at the third SANS WhatWorks Summit in Forensics and Incident Response in DC, organized and led by Rob Lee. As usual, Rob did a wonderful job bringing together interesting speakers and timely topics. I thought my presentation on "CIRT-level Response to Advanced Persistent Threat" went well and I enjoyed participating on the "APT Panel Discussion." I wanted to share a few thoughts from the event. This is just the sort of event I like to attend. It's almost more about the participants than the presentation content. I found plenty of peers interested in sharing leading practices. I hope to continue a relationship with several other CIRT leaders I met (or saw again) at SANS. Props to Kris Harms and Nick Harbour for starting their talk with a printed handout as reference for an in-class IR exercise , during a 1 hour talk! I kid you not. What a great way to make a point about the need for OpenIOC . Kevin Mandia called existing IR report wri

I know some of us worry that the advent of the "cloud" will spell the end of Network Security Monitoring and related network-centric visibility and instrumentation measures. I have a proposal for any network forensics vendors reading this blog: get in the cloud! For example, imagine you are a proxy-in-the-cloud (PITC) provider, like ScanSafe , now owned by Cisco. You provide a Web portal to your customers so they can see what bad sites employees were not allowed to visit. But what about all the subtle traffic that evaded your filters, block lists, heuristics, and other defensive mechanisms? What about the insider stealing intellectual property, indistinguishable from a "normal employee?" How does your abuse-centric Web portal address the sorts of threats that really matter? To me, one answer is to deploy a network forensics solution like NetWitness or Solera in front of your PITC infrastructure. The PITC vendor must have a way to identify legitimate clients

I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall. I wanted to provide a few reasons why you might want to buy it and share it: It is becoming increasingly common for auditors, regulators and other stakeholders to require organizations to formalize their responses to security events ... Even smaller organizations with limited legal and regulatory requirements can gain significant benefits in risk mitigation from the implementation of a basic security incident response team. Following the phased approach outlined in this research will guide clients on how to best assess their needs and implement a response team that will satisfy all stakeholders... A competent and adeq

My article Understanding the Advanced Persistent Threat provides an overview of APT . It's the cover story in the July 2010 Information Security Magazine . From the article: The term advanced persistent threat, or APT, joined the common vocabulary of the information security profession in mid-January, when Google announced its intellectual property had been the victim of a targeted attack originating from China. Google wasn't alone; more than 30 other technology firms, defense contractors and large enterprises had been penetrated by hackers using an array of social engineering, targeted malware and monitoring technologies to quietly access reams of sensitive corporate data. Google's public admission put a high-profile face on targeted attacks and the lengths attackers would go to gain access to proprietary corporate and military information. It also kicked off a spate of vendor marketing that promised counter-APT products and services that have only served to cloud the i

Everyone's been talking about cyberwar this week, thanks in part to the Economist coverage. Many of the comments on my posts and elsewhere discuss the need for definitions. I thought it might be useful to refer to an authoritative source on war for the United States: DoD Joint Publication 1: Doctrine for the Armed Forces of the United States ( .pdf ), known as JP 1. Incidentally, back in 1997 as an Air Force 1Lt straight from intelligence school, I worked on doctrine publications like this for Air Intelligence Agency, specifically the early doctrine on information warfare, like the August 1998 publication of Air Force Doctrine Document 2-5: Information Operations ( .pdf ). What does JP 1 say about war? War is socially sanctioned violence to achieve a political purpose . In its essence, war is a violent clash of wills. War is a complex, human undertaking that does not respond to deterministic rules. Clausewitz described it as “the continuation of politics by other means” [Boo

I'd like to briefly comment on a few ideas that appeared on lists I read. First, in this Daily Dave post from June, Dave Aitel writes: So when I gave the FIRST talk, one of the questions was "What is the solution?" ... Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations [sic] against their applications, and then used powerful data mining tools to look at that data... So what you see is the start up of what I like to call the "Application SOC". It's like a network SOC, but way more expensive, and with the chance of being actually useful! On a related note, after discussing iTunes fraud, Stephen Northcutt adds the following comments in this SANS Newsbites post from yesterday: I think we are seeing more and more market demand for a new type of MSSP, a cross between (1) a software security and quality consultant, (2) a monitoring company that focuses primarily on web logs and probably has some of

Today the Ponemon Institute announced results of a survey they conducted titled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States . Unfortunately, this survey looks like it is mainly the blind asking the blind to describe a threat neither really understands. For example, the survey states: While the definition of what constitutes an advanced threat still varies within the industry, for purposes of this research we have defined an advanced threat as a methodology employed to evade an organization’s present technical and process countermeasures which relies on a variety of attack techniques as opposed to one specific type. The predominant majority of these threats are represented by unknown, zero-day attacks, but there are increasingly many instances where known attacks are being re-engineered and repackaged to extend their usefulness. If this survey stuck with this definition, and didn't mention Advanced Persistent Threat , then I could possibly liv

Does anyone remember this story from April 2009? Computer Spies Breach Fighter-Jet Project Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks... In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft... "There's never been anything like it," this person said, adding that other military and civilian agencies as well as private companies are affected. "It's everything that keeps this country going..." Former U.S. officials say the attacks appear to have originated in China... Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into... A w

A number of people, inside and outside the security world, think that any discussion of real threats is a manufactured justification for intrusive government action. Their argument is simple. The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry. The government "propaganda machine," sometimes in coordination with "the media" and "big business," "manufactures" a "crisis" whose only solution is increased government power. The people acquiesce in order to preserve their safety, and the government achieves its objective. As a result, those who see the world in this manner treat any discussion of real threats as step 2 in this process towards decreased liberty via increased government power. Those who seek to inform the citizenry of real threats are dismissed as sowing "FUD." This is a tragedy, because it means

Volume 13 Number 1 of the Cisco IP Journal features a fascinating DNS troubleshooting article titled "Rolling Over DNSSEC Keys" by George Michaelson, APNIC, Patrick Wallstrõm, .SE, Roy Arends, Nominet, and Geoff Huston, APNIC. It's one of the best articles I've ever read in IPJ. You should subscribe (it's free) if you like this blog. In the article, the authors investigate a surge of DNS traffic suffered by a secondary DNS server that is authoritative for a number of subdomains of the in-addr.arpa zone. The article explains what happens next. I can cut to the chase with the following quotes: In other words, in this example scenario with stale Trust Anchor keys in a local client's resolver, a single attempt to validate a single DNS response will cause the client to send a further 844 queries , and each .com Name Server to receive 56 DNSKEY RR queries and 4 DS RR queries... The problem with key rollover and local management of trust keys appears to be found

Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently as activities conducted to operate and defend the Global Information Grid and the latter is defined currently as actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. After spending years to "converge" the two missions, the authors argue DoD needs to separate them (as I understand the Air Force has done, bringing back the AFCERT for example). I'd like to present selected excerpts with my own emphasis. Cyberspace is a contested, warfighting domain, but we’re not really treating it as such, partly because our language and doctrine have not

At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative. Forgive me Dave if I messed that up, and feel free to respond! I thought that was interesting after reading the post DEP / ASLR Neglected in Popular Programs by Secunia. The figure at left summarizes their findings over time. The report concludes thus: DEP and ASLR support, although usually trivial to implement, is overlooked by a large number of application developers. The requirement for an additional call to "SetProcessDEPPolicy()" proved confusing to almost all vendors, resulting in late implementation of DEP when running on Windows XP. Some developers have over time made their applications compatible with DEP, but overall the implementation process has proven slow and uneven between OS versions. ASLR support is on the other hand improperly implemented by almost all vendo