Posts

Showing posts from September, 2010

Why Neither the US Nor China Admits Cyberwar

Why won't the US or China (or even Russia) admit we're engaged in cyberwar? I have a theory based on historical precedent, involving all three countries: the Korean War. Since my time in the Air Force I knew that US pilots had directly engaged Russian pilots in the skies over Korea in the 1950s. This was an "open secret." Recently I watched the NOVA episode Missing in MiG Alley, which confirmed this fact: NARRATOR: For 40 years, Russia's role in Korea remained a secret. Now, one of the Soviets' top aces, Sergei Kramarenko, can finally talk about his exploits in MiG Alley. SERGEI KRAMARENKO: (Russian dialogue) INTERPRETER: It was a secret mission, neither before nor after the war were we allowed to reveal that we were going to fly for the North Koreans...against the Americans. It was top secret. SERGEI KRAMARENKO: (Russian dialogue) INTERPRETER: We were told that in case we were shot down beyond the front line we had to kill ourselves. Not to surrender wa...

On the Other Side of an Advanced Persistent Threat

I found these excerpts from yesterday's DEBKAfile story An alarmed Iran asks for outside help to stop rampaging Stuxnet malworm to be interesting: Tehran this week secretly appealed to a number of computer security experts in West and East Europe with offers of handsome fees for consultations on ways to exorcize the Stuxnet worm spreading havoc through the computer networks and administrative software of its most important industrial complexes and military command centers... The impression debkafile sources gained Wednesday, Sept. 29 from talking to European computer experts approached for aid was that the Iranians are getting desperate. Not only have their own attempts to defeat the invading worm failed, but they made matters worse: The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack. One expert said: "The Iranians have been forced to realize that they would be better off not 'irritating' the invader because...

Why Russia and China Think We're Fighting Cyberwar Now

Thanks to the Team Cymru news feed for pointing me to Emerging Cyberthreats and Russian Views on Information Warfare and Information Operations by Roland Heickerö of the Swedish Defence Research Agency. I found this content in pages 23-24, "Differences and similarities between Russian, US and Chinese views on IW," to be really interesting: In order to understand the Russian view in a wider context, a comparison has been made with Russia’s most important competitors – the USA and China – and their approach to information operations... All three countries agree on the important role information has in today’s conflicts. Over time its importance will grow. The USA has influenced the mindsets of the others, especially regarding ideas about information superiority and information dominance, as well as command and control warfare. Information adds a new dimension to warfare and IW weapons could be used offensively and defensively to protect a country’s own information resources ...

Kundra IPv6 Memo

I've written a few posts on IPv6 here. I read the short Transition to IPv6 Memo (.pdf) written by Federal CTO Vivek Kundra. I'd like to comment on two of the assumptions he makes in that memo: The Federal government must transition to IPv6 in order to... 1. Reduce complexity and increase transparency of Internet services by eliminating the architectural need to rely on Network Address Translation (NAT) technologies; 2. Enable ubiquitous security services for end-to-end network communications that will serve as the foundation for securing future Federal IT systems; I find the first point laughable. Anyone who has even obliquely worked with IPv6 knows that adopting the protocol will massively increase complexity, whether IPv6 is used natively or especially if it's used in conjunction with IPv4. Take a few minutes to look at all the extra addresses an IPv6-enabled system provides to see what I mean. Complexity and unfamiliarity with configuring IPv6 will introduce ex...

Five Reasons "dot-secure" Will Fail

Thom Shanker reported in Cyberwar Chief Calls for Secure Computer Network the following this week: The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet. The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.” It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable. I'd like to share five reasons why ...

Thoughts on "Cyber Weapons"

With all the activity concerning Stuxnet, I've been thinking about "cyber weapons." You might recognize the image at left as coming from the venerable rootkit.com site operated by Greg Hoglund since 1999 (for real -- check out archive.org!) When Greg started that site I remember a lot of people complaining about cyber weapons and putting offensive tools in the wrong hands. Now with tools like Metasploit and Ronin, people are bound to worry about the same issues. It would be terrible to see valuable tools get painted with the same "ban the guns" prescriptions I expect to hear when Stuxnet becomes more popular in the media. So, in this post I'd like to share a few thoughts on differentiating security tools from cyber weapons (CWs). These are just my thoughts so I'd be interested in feedback. Some of them may be controversial and I could probably argue the opposite case for some of the items. Operators develop CWs privately. I don't think a ...

Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York

I will be speaking at two events organized by TechTarget, for whom I used to write my Snort Report and Traffic Talk articles. The one-day events will be held in Seattle, WA on 28 Sep 10 and in New York on 16 Nov 10. Currently the Emerging Threats site shows details for the Seattle event, where I will discuss What Is Advanced Persistent Threat, and What Can You Do About It? On a related note, Robert RSnake Hansen will offer two sessions in Seattle. I want to talk to him about ending his blog -- 12 posts left as of today!

NYCBSDCon 2010 Registration Open

Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule! If you're in the New York City area or within travel distance, check it out.

Someone Is Not Paying Attention

I enjoy reading InformationWeek because it gives me a chance to keep in touch with broader IT trends, and the content is usually solid. The cover story for last week's issue was End Users: Ignore Them At Your Peril (sorry about the odd link; the original is here but requires registration). I started reading the article by Michael Healey of Yeoman Technology Group, but quickly realized Mr Healey is clearly out of touch with the reality of the modern security environment. He writes: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky... Are we really less secure than we were 10 years ago? Probably not. Much like watching cable news will make you think the world is burning and people are coming to snatch your kids, today's level of security awareness has altered the psyche of IT. This new awareness is coupled with very real regulatory requirements, such as new Massachusetts privacy laws that require tougher disclo...

NetWitness Minidecoder in Action

Many TaoSecurity Blog readers are undoubtedly familiar with NetWitness. Several weeks ago I met with their CEO and CTO to discuss their products and services. They were kind enough to later provide me with a device that they ship to their engineers to provide testing and experimentation with their product. Here I call it a "Minidecoder," but you can think of it as "NetWitness in an EeeBox PC" (specifically the EeeBox PC EB1012). As you can see in the diagram, it only has one onboard NIC, and that is used for management. To access traffic, NetWitness provided a Trendnet TU2-ET100 USB to 10/100Mbps Adapter. To try the Minidecoder, I paired it with the DualComm device mentioned in my last post. I basically tapped the Minidecoder's own management port and then generated some basic traffic from the Minidecoder's Linux shell. The sensor also saw its own management traffic, as well as broadcast traffic passed by the wireless bridge to which it was connecte...

DualComm Port Mirroring Switch

John He from DualComm Technology was kind enough to send me one of his company's port-mirroring switches, namely the DCGS-2005 pictured with its box at left. In the figure, I have port 1 going to a computer I want to monitor. Port 2 is going to the uplink (or access switch) for that computer. Port 5 (at the far right) is going to a sensor. The idea behind this device is to provide a plug-and-play alternative to network taps. I thought this system was interesting because it acts somewhat like a port aggregating tap, in the sense that two ports are used for accessing the network but only one port is needed by the sensor. Note that only port 1 is mirrored to port 5. (The manual confirms this, and I did some limited testing. The words on the tap imply ports 1 - 4 are all mirrored.) This is a one-for-one copy. If you connect to ports 2 and 3, 2 and 4, or 3 and 4, you will not see any unicast traffic on port 5. This device is also different in that it requires a USB connectio...

A Book for the Korean Cyber Armies

I've got a book for the Korean cyber armies, North and South. That's right, it's my first book, The Tao of Network Security Monitoring, now published in Korean! Apparently my publisher just decided to translate and deliver this new edition to Korea. Can anyone who reads Korean comment on how they translated my name? I've known for a while there is also a Spanish edition, but I've never seen it. I asked to see one of those too. I have to admit that seeing these foreign language editions motivates me to try to write another solo book. However, I'm just not sure how I would find the time.

India v China

Some of you may remember my "X vs China" series of posts of 2007, where I discussed multiple high profile cases where various nations noted their disapproval of China's exploitation of their networks. (That's right, 2007 -- three years before the January festivities.) This morning I read Hostile nations trying to steal India's defence secrets, by Rajit Pandit of India's Economic Times. He writes: Even as Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems, hostile intelligence agencies are also trying to steal defence secrets through use of computer storage media (CSM) devices like pen drives, removable hard disks, CDs, VCDs and the like. The Intelligence Bureau has sounded a red alert about "intelligence officers of a hostile country" encouraging their "assets" working in Indian defence establishments to use CSM devices to pilfer classified information from computer network...

One Page to Share with Your Management

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections: Nash: How can the federal government protect companies? Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage. Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach. Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations. Also: Clarke: Until CEOs and boards of directors are faced with black-and-white evi...

The Inside Scoop on DoD Thinking

I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely Defense official discloses cyberattack and Pentagon considers preemptive strikes as part of cyber-defense strategy, both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references. Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious. First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal. Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is...

Review of Hacking Exposed: Wireless, 2nd Ed Posted

Amazon.com just posted my five star review of Hacking Exposed: Wireless, 2nd Ed by Johnny Cache, Joshua Wright and Vincent Liu. From the review: I reviewed the first edition of Hacking Exposed: Wireless (HEW) in May 2007, and offered four stars. Three years later I can confidently say that Hacking Exposed: Wireless, 2nd Ed (HEW2) is a solid five star book. After reading my 2007 review, I believe the authors took my suggestions seriously, and those of other reviewers, and produced HEW2, the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you. I forgot to mention in my review that this new edition appears to be a substantial rewrite, not a minor editing of old chapters! I didn't do a chapter-by-chapter comparison. I did read the whole book, which the publisher provided as a review copy.