Monday, March 26, 2012

Inside a Commission Hearing on the Chinese Threat

This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I'm seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey.

As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action. The Commission holds hearings to solicit testimony from subject matter experts and builds on those hearings to produce an excellent annual report.

You can access the 2011 report on the Commission Web site, and even request a printed copy if you'd prefer to read paper.

A few weeks ago the Commission staff requested that I answer a set of questions, and I provided a draft response last Monday. When I testified each of us had seven minutes to make a statement, after which the Commissioners asked questions. The testimony posted online is the "extended" version of my remarks. I used an abridged version when speaking today, but didn't read it verbatim.

After we each made a seven minute statement, the Commissioners asked a round of questions. Each received about five minutes. We tried to keep to the rotation, which as you might expect was tough. Several questions were fairly complicated (like discussing the costs and benefits of "the cloud") so it was difficult to be anything near complete when responding. A few Commissioners were interested in supply chain questions and the problems posed by Chinese made telecommunications equipment.

I expect an audio recording of the event to be available at the Commission Web site within the next few weeks. Once that is posted I'll review it and share a few more thoughts on the Mandiant Blog.

In addition to my wife, thanks also to the members of the local computer network defense and intelligence communities who attended the briefing and said hello!

Wednesday, March 14, 2012

Impressions: Fuzzing

Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing.

I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well presented. Paired with more specific, newer books on finding vulnerabilities, I think Fuzzing is a winner.

My only real dislike involved the quotes by former US President George W. Bush at the start of each chapter. I thought they were irrelevant and a distraction.

Tuesday, March 13, 2012

Impressions: Hunting Security Bugs

I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...)

Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- thought not everywhere).

Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book appears well written with helpful diagrams and screen shots. It covers a lot of surface area and ways to exploit it.

One note for the history buffs: the foreword says:

When Jesse James, the famous outlaw of the American West, was asked why he robbed banks, he replied, Thats where the money is.

I'm sure most of you think that Willie Sutton said that, not Jesse James. According to Snopes neither of them said it:

While lore would have it that the bank robber replied "Because that's where the money is" to that common question, Sutton denied ever having said it. "The credit belongs to some enterprising reporter who apparently felt a need to fill out his copy," wrote Sutton in his autobiography. "I can't even remember where I first read it. It just seemed to appear one day, and then it was everywhere."

But back to the book -- should you buy it? If your job involves finding vulnerabilities in Windows software (and this book does have more of a Windows slant), I would take a close look at it.

Monday, March 12, 2012

Impressions: The Web Application Hacker's Handbook, 2nd Ed

In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed.

This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience.

The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with answers posted on the book Web site,

Speaking of the Web site, the authors also post source code, links to tools, and checklists, plus labs costing a $7/hour fee. That is a new approach I haven't seen elsewhere, but I think it's an interesting idea.

At 912 pages WAHH2E offers a ton of content written in a clear and convincing style. Great work guys. My only concern was their refusal to cite sources. That makes a real difference in my mind; give credit where credit is due in the third edition.

Sunday, March 11, 2012

Impressions: Web Application Security: A Beginner's Guide

As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175).

I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36:

STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities... instead, the purpose of STRIDE is only to classify vulnerabilities according to their potential effects. This is immensely useful information to have when threat modeling an application...

To see my critique of STRIDE, please see my linked post. Basically, STRIDE is best describe as "bad stuff," and includes a mix of attacks and vulnerabilities with no real "threats."

Nevertheless, if you're looking for a compact and detail-packed exploration of Web application security, take a look at Web Application Security: A Beginner's Guide.

By the way, I've written alot about confusing terms like "threat," "vulnerability," "risk," etc. over the years. One of my earliest posts provides background -- The Dynamic Duo Discuss Digital Risk if you are so inclined.

Tuesday, March 06, 2012

Review of SSH Mastery Posted just published my five star review of SSH Mastery by Michael W. Lucas. From the review:

This is not an unbiased review. Michael W. Lucas cites my praise for two of his previous books, and mentions one of my books in his text. I've also stated many times that MWL is my favorite technical author. With that in mind, I am pleased to say that SSH Mastery is another must-have, must-read for anyone working in IT. I imagine that most of us use OpenSSH and/or PuTTY every day, but I am sure each of us will learn something about these tools and the SSH protocol after reading SSH Mastery.

Monday, March 05, 2012

Bejtlich's Take on RSA 2012

Last week I attended RSA 2012 in San Francisco. I believe it was my third RSA conference; I noted on my TaoSecurity News page speaking at RSA in 2011 and 2006.

This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event.

Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation.

After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists.

Speaking of the RSA floor, I took the photo at left praising the 55 new vendors appearing at the exposition for the first time. I counted 13 I recognized as "established" companies or organizations (Airwatch, CyberMaryland, Diebold, FireHost, Fluke Networks, Global Knowledge,, Good Technology, Nexcom, PhishMe, Prolexic Technologies, Qosmos, and West Coast Labs). I didn't recognize the other 42. There were probably dozens more who were not first-time RSA vendors that I wouldn't recognize either.

I suppose there are different ways to think about this situation. A positive way would be to view these new companies as signs of innovation. However, I didn't really see much that struck me as new or innovative. For example, a company specializing in password resets doesn't really get the heart pumping.

Another point of view could be that the presence of so many new companies means venture capital is active again. I saw plenty of that at work for certain companies who I know have just rebranded, relaunched, or have been resuscitated in recent months. Several of them sported mammoth booths and plenty else. They must figure that if they have 7 or 8 figures to spend, they're going to put it into marketing!

I was in some ways overwhelmed by the number of attendees. I saw references to over 20,000 people attending RSA 2012. I believe many of them wore $100 (or even free, courtesy of vendors) "expo only" passes. With 20,000 people willing to participate in a security event, that tells me my @taosecurity Twitter follower count (over 11,000 today) has more room to grow. I would not have expected to rise much beyond 10,000 when I started Tweeting.

One of the best aspects of RSA 2012 was the Security Bloggers Meetup, which I was able to attend in person as I blogged previously.

My buzzphrase of the conference was "big data." To me, "big data" sounds like SIEM warmed over. I'll have more to say on this topic in future posts.

I'll probably return to RSA next year on behalf of my company, and again I will focus on the exposition and non-session activities. It's the only place where you can see so many security vendors in one place.

What did you think of RSA this year?

Sunday, March 04, 2012

Keep CIRT and Internal Investigations Separate

A recent issue of the Economist featured an article titled Corporate fraud: Mind your language -- How linguistic software helps companies catch crooks. It offered the following excerpts:

To spot staff with the incentive to steal (over and above the obvious fact that money is quite useful), anti-fraud software scans e-mails for evidence of money troubles...

Ernst & Young (E&Y), a consultancy, offers software that purports to show an employee’s emotional state over time: spikes in trend-lines reading “confused”, “secretive” or “angry” help investigators know whose e-mail to check, and when. Other software can help firms find potential malefactors moronic enough to gripe online, says Jean-Fran├žois Legault of Deloitte, another consultancy...

Dick Oehrle, the chief linguist on the project, explains how it works. First, the algorithm digests a big bundle of e-mails to get used to employees’ language. Then human lawyers code the same e-mails, sorting things as irrelevant, relevant or serious. The human feedback and the computers’ results are then reconciled, so the system gets smarter. Mr Oehrle says the lawyers also learn from the computers (presumably such things as empathy and the difference between right and wrong).

To find employees with the opportunity to steal, the software looks for what snoops call “out of band” events: messages such as “call my mobile” or “come by my office” suggest a desire to talk without being overheard. E-mails between an employee and an outsider that contain the words “beer”, “Facebook” or “evening” can suggest a personal relationship...

Employers without such technology are “operating blind”, says Alton Sizemore, a former fraud detective at America’s FBI... [N]early all giant financial firms now run anti-fraud linguistic software, but fewer than half of medium-sized or small financial firms do...

Prospective users typically pay for a single “snapshot” search of 12 months of company records, according to APEX Analytix, a developer of the software in Greensboro, North Carolina. For a company with 10,000 employees, this costs about $45,000. Unless a company is very small, evidence of fraud almost always surfaces, convincing clients to sign up for a yearly package that costs three or four times as much as a spot-check, says John Brocar of APEX Analytix.

Why spend the money... If a company shows it has systems in place to detect this kind of thing, and starts investigating before outsiders do, it may have an easier time in court.

When I read this story it reminded me of my advice to keep CIRT and Internal Investigations separate. Notice the repeated mention of "lawyers" in the Economist story. There is no reason for this sort of technology or responsibility to reside in the Computer Incident Response Team. CIRTs should focus on external threats. Internal Investigations should focus on internal threats, e.g. employees, contractors, and other authorized parties who may perform unauthorized activities. II should collaborate closely with legal and human resources and should not use CIRT tools or techniques. This separation of duties was invaluable when I ran GE-CIRT because we could reassure constituents that our analysts focused on bad guys outside the company, not our own users.

Saturday, March 03, 2012

TaoSecurity Blog Wins Most Educational Security Blog

I'm pleased to announce that TaoSecurity Blog won Most Educational Security Blog at the 2012 Social Security Bloggers Awards. I attended the event held near RSA and spent time talking with a lot of security bloggers and security people in general.

I'd like to thank the sponsors of the event, depicted on the photo of the back of the T-shirt at left. Props to whomever designed the shirt -- it's one of my favorites. The award itself looks great, and the gift certificate to the Apple store will definitely help with an iPad 3, as intended!

Long-time readers may remember that I won Best Non-Technical Blog at the same event in 2009.

Winning this award has given me a little more motivation to blog this year. I admit that communicating via Twitter as @taosecurity is much more seductive due to the presence of followers and the immediate feedback!

Speaking of Twitter, SC Magazine named @taosecurity as one of their 5 to follow, which I appreciate.

And speaking of SC Magazine, they awarded my company Mandiant their best security company award.