Posts

Showing posts from 2013

Linux Covert Channel Explains Why NSM Matters

Image
I just read a post by Symantec titled Linux Back Door Uses Covert Communication Protocol . It describes a new covert channel on Linux systems. A relevant excerpt follows: [T]he attackers devised their own stealthy Linux back door to camouflage itself within the Secure Shell (SSH) and other server processes. This back door allowed an attacker to perform the usual functionality—such as executing remote commands—however, the back door did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”). After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded. :!;.UKJP9NP2PAO4 Figure. Example of injected command The attacker could then make normal connection re...

Mozilla Lightbeam Add-On Shows Risk of Third Party Sites

Image
The slide above shows an experiment I just conducted using the Lightbeam addon with NoScript . The image at left shows the results of visiting nhl.com, nfl.com, mlb.com, and google.com while NoScript is denying JavaScript and similar content. The image at left shows the results of visiting nhl.com, nfl.com, mlb.com, and google.com while NoScript is disabled to allow JavaScript and similar content. The Lightbeam add-on renders the primary and third party Web sites visited in each case. When NoScript is denying Javascript and similar content, only 9 third party sites are called in order to render the 4 primary Web sites. When NoScript is disabled to allow JavaScript and similar content, 66 third party Web sites are called. Only a few minutes after taking the original images, the count for the second case increased from 66 to 90. Why is this a problem? From a security perspective: The more third party Web sites required to render a primary site, the more opportunities int...

Bejtlich Teaching at Black Hat West Coast Trainings

Image
I'm pleased to announce that I will be teaching at  Black Hat West Coast Trainings  9-10 December 2013 in Seattle, Washington. This is a brand new class, only offered thus far in Las Vegas in July 2013. I posted  Feedback from Network Security Monitoring 101 Classes  last month as a sample of the student feedback I received. Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following that shows what sort of material I cover in my new class. Please note that discounted registration ends 11:59 pm EDT October 24th. You can  register here . I have only one session available in Seattle and fewer seats than in Las Vegas, so please plan accordingly. Thank you. OVERVIEW Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring...

Feedback from Network Security Monitoring 101 Classes

Image
At Black Hat in Las Vegas I taught two Network Security Monitoring 101 (NSM101) classes. This is a new class that I developed this year, after retiring the third edition of my TCP/IP Weapons School. Once again I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues. I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming edition. Currently I'm scheduled to teach at Black Hat Seattle on 9-10 December. I plan to continue offering my class through Black Hat as they expand their training location offerings. Student feedback from NSM101 included: Great tools, fun labs, very prepared -- a lot of experience from interesting real world scenarios. This course was everything I hoped for and more. Very impressive considering the course is new. One of the best training classes I have ever taken. Richard hosted an exemplary class. I thought the class was excellent, and ...

President Obama Is Right On US-China Hacking

Image
I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking . I reproduced the relevant part of the transcript below and added emphasis to key points. CHARLIE ROSE: Speaking of pushing back, what happened when you pushed back on the question of hacking and serious allegations that come from this country that believe that the Chinese are making serious strides and hacking not only private sector but public sector ? BARACK OBAMA: We had a very blunt conversation about cyber security. CHARLIE ROSE: Do they acknowledge it? BARACK OBAMA: You know, when you’re having a conversation like this I don’t think you ever expect a Chinese leader to say "You know what? You’re right. You caught us red-handed." CHARLIE ROSE: You got me. Yes. BARACK OBAMA: We’re just stealing all your stuff and every day we try to figure out how we can get into Apple -- CHARLIE ROSE: But do they now say "Look? S...

Pre-Order The Practice of Network Security Monitoring Before Price Hike

Image
When my publisher and I planned and priced my new book The Practice of Network Security Monitoring , we assumed the book would be about 250 pages. As we conclude the copyediting process and put print in layout format, it's clear the book will be well over 300. The current estimate is 328, but I think it could approach 350 pages. Because of the much larger page count, the publisher and I agreed to reprice the book. The price will rise from the current list of $39.95 for paperback and $31.95 for ebook to $49.95 for paperback and $39.95 for ebook. However, those prices will not go into effect until next Friday, June 21st. That means if you preorder at the NoStarch.com Web site before next Friday, you will get the current lower prices. Furthermore, use preorder code NSM101 to save 30% off list. If you use NSM101 as your discount code it shows No Starch that you got word of this from me. Those of you who already preordered have already taken advantage of this deal. Thanks for ...

Practice of Network Security Monitoring Table of Contents

Image
Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring . The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend. You can preorder the book through No Starch . Please consider using the discount code NSM101 to save 30%. I'm still on track to publish by July 22, 2013, in time to teach two sessions of my new course, Network Security Monitoring 101 , in Las Vegas. I'll be using the new book's themes for inspiration but will likely have to rebuild all the labs. I expect the book to approach the 350 page mark, exceeding my initial estimates for 256 pages and 7 chapters. Here's the latest Table of Contents. Part I, “Getting Started,” introduces NSM and how to think about sensor placement. Chapter 1, “NSM Rationale,” explains why NSM matters, to help you gain the support needed to deploy NSM in your envi...

Bejtlich Teaching New Class at Black Hat in July

Image
I'm pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101 . From the overview: Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a few virtual machines. Instructor Richard Bejtlich has taug...

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Image
Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online. In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around. These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats. Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary. They are listed in no particular order. Seth Hall (Bro): Watching for the APT1 Intelligence Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report Chris Sanders: Making the Mandiant APT1 Report Actionable Symantec: APT1: Q&A on Attacks by the Comment Crew Tekdefense (NoVA Infosec): MASTIFF Analysis of APT...

Recovering from Suricata Gone Wild

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system. First I stopped the NSM applications on the server. sudo service nsm stop Stopping: securityonion * stopping: sguil server [ OK ] Stopping: HIDS * stopping: ossec_agent (sguil) [ OK ] Stopping: Bro stopping ds61so-eth1-1 ... stopping proxy ... stopping manager ... Stopping: ds61so-eth1 * stopping: netsniff-ng (full packet data) [ OK ] * stopping: pcap_agent (sguil) [ OK ] * stopping: snort_agent (sguil) [ OK ] * stoppi...

Using Bro to Log SSL Certificates

Image
I remember using an older version of Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn't appear to be enabled by default. I asked Seth Hall about this capability, and he told me how to get Bro to log all SSL certs that it sees. Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below. diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro --- /opt/bro/share/bro/site/local.bro.orig 2013-02-23 01:54:53.291457193 +0000 +++ /opt/bro/share/bro/site/local.bro 2013-02-23 01:55:16.151996423 +0000 @@ -56,6 +56,10 @@ # This script enables SSL/TLS certificate validation. @load protocols/ssl/validate-certs +# Log certs per Seth +@load protocols/ssl/extract-certs-pem +redef SSL::extract_certs_pem = ALL_HOSTS; + # If you have libGeoIP support built in, do some geographic detections and # logging for SSH traffic. @load protocols/ssh/geo-data Restart Bro. ...

Practical Network Security Monitoring Book on Schedule

Image
First the good news: my new book Practical Network Security Monitoring is on track, and you can pre-order with a 30% discount using code NSM101 . I'm about 1/3 of the way through writing the book. Since I announced the project last month, I've submitted chapters 1, 2, and 3. They are in various stages of review by No Starch editors and my technical editors. I seem to be writing more than I expected, despite trying to keep the book at an introductory level. I find that I want to communicate the topic sufficiently to make my point, but I try to avoid going too deeply into related areas. I'm also encountering situations where I have to promise to explain some concepts later, rather than explain everything immediately. I believe once I get the first chapter ironed out with the editor, the rest will be easier to digest. I'm taking a fairly methodical approach (imagine that), so once the foundation in chapter 1 is done the rest is more straightforward. I'm keeping a...

On Thought Leadership and Non-Technical Relevance

Image
A reader left a comment on my post 2012: The Year I Changed What I Read . He said: Richard, it's interesting to note that your career has shifted from "pure" technology to more of a thought leadership role where you can leverage your training and interest in history, political science, etc. I wonder if you ever expected to become such a public figure in the whole debate about China when you first started with infosec? Your career path is an encouraging example for others to follow. Even though I work in technology, I also have a sociology/political science background and I've been wondering how I can leverage those interests, especially as I get older and cheaper/hungrier techies continue to enter the industry. Thank you for your comment and question. I will try to answer here. I did not plan to become a "public" figure, and I don't necessarily consider myself exceptionally "public" now. I just reviewed my TaoSecurity news page to see wh...

How to Win This TCP/IP Book

Image
Last week I wished this blog happy tenth birthday and announced plans for a new book on network security monitoring . I also mentioned a contest involving a book give-away. I finally figured out a good way to select a winner, and it involves your participation in my current writing project! Thanks to No Starch Press I have a brand-new, shrink-wrapped copy of The TCP/IP Guide , a mammoth 1616 page hardcover book by Charles M. Kozierok. Here's what you have to do to try to win this book: submit a case study on how network security monitoring helped you detect, respond to, and contain an intrusion in your environment . You don't have to reveal your organization, but I want to know some general information like the number of users and computers. Readers need to know the sort of environment where NSM worked for you, but I don't want you to reveal your organization (unless you want to). Tell the reader what happened, what NSM data you used, how you used it, and how you ha...

Bejtlich's New Book: Planned for Summer Publication

Image
Nearly ten years after I started writing my first book , the Tao of Network Security Monitoring , I'm pleased to announce that I just signed a contract to write a new book for No Starch titled Network Security Monitoring in Minutes . From the book proposal: Network Security Monitoring in Minutes provides the tactics, techniques, and procedures for maximum enterprise defense in a minimum amount of time. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. Network Security Monitoring in Minutes teaches information technology and security staff how to leverage powerful NSM tools and concepts immediately. Using open source software and vendor-neutral methods, the author applies lessons he first began applying to military networks in 1998. After reading this book, the audience will be able to integrate the same winning approaches to better defend his or her company’s data and networks. Net...

Happy 10th Birthday TaoSecurity Blog

Image
Today, 8 January 2013, is the 10th birthday of TaoSecurity Blog ! I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone working for Kevin Mandia. Today I am Chief Security Officer at Mandiant , back working for Kevin Mandia. (It's a small world.) With 2905 posts published over these 10 years, I am still blogging -- but much less. Looking at all 10 years of blogging, I averaged 290 per year, but in the age of Twitter (2009-2012) I averaged only 144 blog posts per year. Last year I wrote 60 times. Why the drop over the years? First, I "blame" my @taosecurity Twitter account. With over 15,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. However, I really enjoy Twitter and make the trade-off gladly. It would be nice to become a verified user though, with access to two-factor or two-step authentication. Second, blogging used to be the primary way I could s...